NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Configuring the Limit on the Number of Access Users

Limiting the number of access users can prevent unauthorized users from accessing the network.

Context

Perform the following steps on the router:

Procedure

  • Restricting the number of access users in a single VLAN

    By default, no more than 3k (3000) users in a single VLAN are allowed to go online. If more than 3k access users exist in a single VLAN, run the vlan-host-car command to limit the rate at which user packets with the same VLAN ID are sent to the CPU.

    NOTE:

    The router supports CAR rate limiting to defend against user attacks. Some CAR functions are enabled by default with default CAR parameter values. For detailed configuration procedures, see Configuring CAR for CPU-destined User Packets. By default, the router sets the CIR to 256 kbit/s, the PIR to 256 kbit/s, the CBS to 128000 bytes, and the PBS to 128000 bytes for user packets with the same VLAN ID that are sent to the CPU. Therefore, no more than 3k (3072) users in a single VLAN are allowed to go online.

  • Restricting the access of PPP users
    1. Run system-view

      The system view is displayed.

    2. Run ppp-user-slot-warning-threshold threshold-value

      The alarm threshold for PPP users allowed to access an interface board is configured. If the percentage of PPP users currently accessing the interface board exceeds the threshold, an alarm is generated.

    3. Run ppp-user-warning-threshold threshold-value

      The alarm threshold for PPP users allowed to access the entire NE40E is configured. If the percentage of PPP users currently accessing the entire NE40E exceeds the threshold, an alarm is generated.

    4. Run ppp connection chasten [ option105 ] request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ] or ppp connection chasten request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ] [ multi-sessions-permac ]

      The number of PPP access attempts is limited.

      Restricting the number of access attempts prevents unauthorized users from cracking an authorized user's password by brute force. If a user fails authentication N times during the specified period, the user account is frozen for a period of time, which defeats attempts to crack the authorized user's password.

      In a scenario in which a large number of users go offline immediately after they go online, the CPU may be overloaded and the RADIUS server may even go down. To prevent this problem, configure the quickoffline parameter to restrict the number of times a PPP user can go offline within a specified time. If a PPP user goes offline immediately after going online request-sessions times within one request-period, the user account is frozen for blocking-period seconds.

      In the system view, this command takes effect on all users that access the NE40E. In the VLAN view, the command takes effect only on VLAN users that access the interface where the VLAN resides. If this command is configured in both the system and VLAN views, the command that first meets the restriction condition takes effect.

      If the maximum number of access users for a MAC address is set to more than 1 using the pppoe-server max-sessions remote-mac command and option105 is not specified in the ppp connection chasten command, MAC address-based restriction on the number of connection requests from a PPP user does not take effect. To make this restriction take effect in that scenario, specify the multi-sessions-permac parameter. If option105 is specified in the ppp connection chasten command, option105-based restriction on the number of connection requests from a PPP user takes effect.

    5. Run pppoe-server slot-number max-sessions session-number

      The maximum number of users that are allowed to access from the interface board is configured.

    6. Run pppoe-server max-sessions remote-mac session-number

      The maximum number of users that are allowed to access from a MAC address is configured.

      NOTE:

      After the maximum number of access users is set to more than 1 using the pppoe-server max-sessions remote-mac command and option105 is not specified in the ppp connection chasten command, restriction on the number of connection requests from a PPP user does not take effect. If option105 is specified in the ppp connection chasten command, restriction on the number of connection requests from a PPP user takes effect.

    7. Run pppoe-server same-user forbid

      The device is configured to deny a user's login request if another user with the same MAC address has already gone online from the same physical location. This applies when each MAC address maps to a unique session.

    8. Run aaa

      The AAA view is displayed.

    9. Run ppp username check

      The device is configured to check whether a login request from a PPP user contains a user name and to deny the request if it does not.

    10. Run commit

      The configuration is committed.

  • Restricting the number of IP addresses for PPP users

    To balance the traffic load of users among different boards and interfaces, configure the maximum number of IP addresses for PPP users allowed to log in from a specified board or BAS interface. When the number of PPP users reaches this maximum, the board or interface stops responding with PADO packets to PPP users, and no additional users can log in.

    The configuration applies only to PPPoE and L2TP users. A single-stack user is counted as one user, and a dual-stack user is counted as two users. When the number of logged-in PPP users reaches the maximum configured on a BAS interface or board, the interface or board stops responding with PADO packets to new PPP access users.

    If the number of PPP users logging in from a BAS interface reaches the maximum number of IP addresses for PPP users configured on the board, the BAS interface stops responding with PADO packets to new PPP access users. BAS interfaces configured with exclude are not subject to this limit.

    1. Run system-view

      The system view is displayed.

    2. Run slot slot-id

      The slot view is displayed.

    3. Run access-ip-limit max-number user-type ppp

      The number of IP addresses for PPP users is configured on a board.

    4. Run quit

      The system view is displayed.

    5. Run interface interface-type interface-number

      The interface view is displayed.

    6. Run bas

      The bas interface view is displayed.

    7. Run access-type layer2-subscriber [ bas-interface-name name | default-domain { pre-authentication domain-name | authentication [ force | replace ] domain-name } * | accounting-copyradius-server radius-name ] *

      The access type is set to Layer 2 subscriber access and the attributes of this access type are configured.

    8. Run access-ip-limit max-number user-type ppp [ exclude ]

      The number of IP addresses for PPP users is configured on a BAS interface.

    9. Run commit

      The configuration is committed.

  • Restricting the number of users' access packets

    If the device is attacked by a large number of ARP/IP/IPv6/ND packets, or unauthorized users repeatedly send ARP/IP/IPv6/ND packets to go online, the CPU usage of the MPU becomes high. To limit the number of ARP/IP/IPv6/ND packets that can be sent to the MPU, run the access trigger packet-limit command; the device then discards packets that exceed the configured limit.

    1. Run system-view

      The system view is displayed.

    2. Run slot slot-id

      The slot view is displayed.

    3. Run access trigger packet-limit packets-num time seconds

      The number of ARP/IP/IPv6/ND packets that can be sent to the MPU is configured on a board.

    4. Run quit

      The system view is displayed.

    5. Run commit

      The configuration is committed.

  • Restricting the access of DHCP users
    1. Run system-view

      The system view is displayed.

    2. Run dhcp-user-slot-warning-threshold threshold-value

      The alarm threshold for DHCP users allowed to access an interface board is configured. If the percentage of DHCP users currently accessing the interface board exceeds the threshold, an alarm is generated.

    3. Run dhcp-user-warning-threshold threshold-value

      The alarm threshold for DHCP users allowed to access the entire NE40E is configured. If the percentage of DHCP users currently accessing the entire NE40E exceeds the threshold, an alarm is generated.

    4. Run dhcp connection chasten { authen-packets authen-packets | request-packets request-packets } * check-period check-period restrain-period restrain-period [ slot slotid ]

      The number of DHCP access attempts is limited.

      • Run display dhcp chasten-user slot slotid [ mac-address mac-address ] [ state { restrain | check } ]

        You can view information about users whose attempts to set up DHCP connections are limited.

    5. Run commit

      The configuration is committed.
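    The attempt-limiting behaviour described for ppp connection chasten (and, with a MAC address as the key, the DHCP variant dhcp connection chasten above) can be modelled as a sliding-window lockout. The following is an added example, not code from the guide or from the device; the exact window semantics are an assumption for illustration.

```python
from collections import deque


class ChastenLimiter:
    """Sliding-window lockout modelled on the chasten parameters: after
    `request_sessions` failed attempts within `request_period` seconds the
    key (a PPP user name here; a MAC address for the DHCP variant) is frozen
    for `blocking_period` seconds and every attempt during the freeze is
    refused, even with a correct password. Window semantics are an
    assumption for illustration, not the device's exact algorithm."""

    def __init__(self, request_sessions, request_period, blocking_period):
        self.request_sessions = request_sessions
        self.request_period = request_period
        self.blocking_period = blocking_period
        self._failures = {}       # key -> deque of failure timestamps (s)
        self._blocked_until = {}  # key -> time (s) at which the freeze ends

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._blocked_until[key]  # freeze has expired
        return False

    def attempt(self, key, now, authenticated):
        """Process one access attempt at time `now` (seconds).
        Returns 'blocked', 'accepted', 'rejected' or 'frozen'."""
        if self.is_blocked(key, now):
            return "blocked"
        if authenticated:
            self._failures.pop(key, None)  # success clears the failure window
            return "accepted"
        window = self._failures.setdefault(key, deque())
        window.append(now)
        # forget failures that fall outside the request period
        while window and now - window[0] >= self.request_period:
            window.popleft()
        if len(window) >= self.request_sessions:
            self._blocked_until[key] = now + self.blocking_period
            window.clear()
            return "frozen"
        return "rejected"


def demo():
    # constructed sequence: 3 failures within 60 s freeze user1 for 300 s
    lim = ChastenLimiter(request_sessions=3, request_period=60, blocking_period=300)
    results = [lim.attempt("user1", t, False) for t in (0, 10, 20)]
    results.append(lim.attempt("user1", 30, True))    # correct password, still frozen
    results.append(lim.attempt("user2", 30, False))   # other users are unaffected
    results.append(lim.attempt("user1", 321, True))   # freeze over, accepted
    return results
```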

  • Restricting the access of users allowed to access an interface board
    1. Run system-view

      The system view is displayed.

    2. Run slot-warning-threshold threshold-value

      The alarm threshold for users allowed to access an interface board is configured. If the percentage of users currently accessing the interface board exceeds the threshold, an alarm is generated on the router.

  • Restricting the access response delay
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-delay step step-value minimum minimum-time maximum maximum-time [ slot slot-id ]

      The access response delay function is enabled, and the maximum and minimum access response delays are set.

      NOTE:

      If the access response delay function is configured globally and on a BAS interface, the configuration on the interface rather than the global configuration takes effect.

      The access response delay depends on the number of access users, and the configured parameters including the step, maximum access response delay, and minimum access response delay.

      • Divide the number of access users by the step, take the integer part of the result, and add it to the minimum access response delay. If this value is smaller than or equal to the maximum access response delay, the access response delay for the users is this value multiplied by 10 ms.

      • If this value is greater than the maximum access response delay, the access response delay for the users is the maximum access response delay multiplied by 10 ms.

      Assume that the step is 3000, the maximum access response delay is 7, and the minimum access response delay is 3. Then, the delay for access users numbered 0 to 2999 is 3 x 10 ms; the delay for access users numbered 3000 to 5999 is 4 x 10 ms; the delay for access users numbered 6000 to 8999 is 5 x 10 ms; the delay for access users numbered 9000 to 11999 is 6 x 10 ms; and the delay for access users numbered 12000 to 14999, and for all users numbered after 14999, is 7 x 10 ms.

    4. Run quit

      The system view is displayed.

    5. (Optional) Run access delay load-balance group groupname [ delay-time ]

      A load balancing group for BAS interfaces is configured.

      If two devices with the same configuration are deployed, users can go online from any of the two devices that work in master/backup mode. If load balancing groups are configured on both the master and backup devices, run the access delay load-balance group group-name delay-time command to configure a response delay policy for the load balancing group on the backup device. In this way, even if an interface on the backup device is selected in a Hash operation, the interface will not respond to user login requests until the time specified by delay-time elapses. This ensures that users go online preferentially through an interface on the master device. Users will go online through an interface on the backup device only when the master device is faulty.

    6. Run interface interface-type interface-number

      The interface view is displayed.

    7. Run bas

      A BAS interface is created, and the BAS interface view is displayed.

    8. (Optional) Run access-delay delay-time load-balance-group group-name

      The BAS interface is added to the load balancing group. After the configurations are complete, BAS interfaces in the load balancing group either immediately respond to or delay responding to the received login requests for a configured period of time in accordance with MAC-address-based Hash results to implement inter-board load balancing.

      If no response delay time is configured for the load balancing group:

      • If the interface through which users go online is selected in a Hash operation, the interface immediately responds to the received login requests.

      • If the interface through which users go online is not selected in a Hash operation, the interface responds to the received login requests after the delay time configured for the BAS interface elapses.

      If a response delay time is configured for the load balancing group:

      • If the interface through which users go online is selected in a Hash operation, the interface responds to the received login requests after the delay time configured for the load balancing group elapses.

      • If the interface through which users go online is not selected in a Hash operation, the interface responds to the received login requests after the delay time configured for the load balancing group plus the delay time configured for the BAS interface elapses.

    9. (Optional) Run access-delay delay-time [ circuit-id-include text-value | even-mac | odd-mac ]

      A response delay policy is configured for access users on the BAS interface.

      If circuit-id-include is specified, you must run the client-option82 command in the BAS interface view to configure the device to trust the DHCP Option 82 field (for a DHCP user) or the PPPoE+ field (for a PPP user) for the response delay to take effect.
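    The access response delay formula from the NOTE under step 3 and the four load balancing cases under step 8, worked through in code. This is an added example, not code from the guide; hash_selects is an assumed illustrative hash (the guide says only that the choice is MAC-address based), and the delay arguments of bas_interface_delay are in whatever unit the command takes.

```python
def access_response_delay_ms(users, step, minimum, maximum):
    """Delay for a login request as the NOTE describes: minimum plus the
    integer part of users / step, capped at maximum, times 10 ms."""
    if step <= 0 or minimum > maximum:
        raise ValueError("step must be positive and minimum <= maximum")
    units = minimum + users // step
    return min(units, maximum) * 10


def bas_interface_delay(selected_by_hash, interface_delay, group_delay=None):
    """Delay applied by a BAS interface in a load balancing group, following
    the four cases listed under step 8. `group_delay` is None when no
    response delay time is configured for the group."""
    if group_delay is None:
        return 0 if selected_by_hash else interface_delay
    if selected_by_hash:
        return group_delay
    return group_delay + interface_delay


def hash_selects(mac, interface_index, group_size):
    """Assumed illustrative hash: the guide only says the choice is
    MAC-address based, not how the device computes it."""
    return int(mac.replace(":", ""), 16) % group_size == interface_index


def worked_example():
    # the guide's own values: step 3000, maximum 7, minimum 3
    return {n: access_response_delay_ms(n, 3000, 3, 7)
            for n in (0, 2999, 3000, 5999, 6000, 9000, 12000, 14999, 15000, 40000)}


def delay_for_login(mac, interface_index, group_size, interface_delay, group_delay=None):
    """Combine the assumed hash with the step 8 rules for one login request
    (constructed MAC addresses in the caller)."""
    selected = hash_selects(mac, interface_index, group_size)
    return bas_interface_delay(selected, interface_delay, group_delay)
```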

  • Restricting the user packets of a specific type
    1. Run system-view

      The system view is displayed.

    2. Run access packet strict-check { all | { nd | dhcpv6 | dhcp | ppp | l2tp | dot1x } * }

      The user packets of a specific type are strictly checked by the router.

  • Configure a device to dynamically adjust the number of access users based on the system status.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment system-state enable [ strict-check ]

      The device is configured to adjust the user access rate based on the system status.

    4. Run access-speed adjustment system-state threshold { main-cpu-usage | main-memory-usage | access-usage | slot-cpu-usage | slot-memory-usage | ppp-cpcar-drop | ppp-receive-queue | pppoe-receive-queue | l2tp-queue | dhcp-slot-queue } alarm threshold-value resume threshold-value

      The system status thresholds for decreasing and restoring the user access rate are configured.

    5. Run access-speed adjustment system-state user-type { { dhcp | pppoe | ipv4-trigger | ipv6-trigger | dot1x } * | none }

      The type of users for whom the device adjusts the user access rate based on the system status is configured.

    6. Run access-speed adjustment system-state time interval adjust-interval delay-count adjust-delay-count [ slot ]

      An interval at which the system status is detected for adjusting the user access rate and the minimum number of detection intervals after which the user access rate is increased are configured.

    7. Run commit

      The configuration is committed.

  • Configure the device to preferentially allocate CPU resources to users who request to go online.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment edsg-queue enable

      The device is enabled to preferentially allocate CPU resources to users who request to go online and temporarily delay the activation of EDSG services that enter the activation queue.

  • Configure the alarm and clear alarm function for the user resource and CPU usage.
    1. Run system-view

      The system view is displayed.

    2. Run access-user exhaust warning enable

      The system is enabled to generate an alarm when the user resource or CPU usage reaches the alarm threshold or generate a clear alarm when the user resource or CPU usage falls below the clear alarm threshold.

    3. Run access-user exhaust threshold-alarm { main-resource-usage | slot-resource-usage | main-cpu-usage | slot-cpu-usage } upper-limit upper-limit lower-limit lower-limit

      The alarm and clear alarm thresholds for the user resource or CPU usage are configured.

    4. Run commit

      The configuration is committed.
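    The alarm/resume thresholds with a delay count (access-speed adjustment system-state) and the upper-limit/lower-limit alarm pair (access-user exhaust threshold-alarm) are both hysteresis controls. The following is an added example modelling them, not code from the guide or the device; the rule that intervals between the two thresholds reset the delay count is an assumption.

```python
class AccessSpeedAdjuster:
    """Hysteresis controller modelled on access-speed adjustment system-state:
    the user access rate is decreased as soon as a sample reaches the alarm
    threshold and restored only after `delay_count` consecutive detection
    intervals at or below the resume threshold (assumed semantics)."""

    def __init__(self, alarm, resume, delay_count):
        if resume >= alarm or delay_count < 1:
            raise ValueError("need resume < alarm and delay_count >= 1")
        self.alarm, self.resume, self.delay_count = alarm, resume, delay_count
        self.reduced = False
        self.calm_intervals = 0

    def sample(self, usage):
        """Feed one usage sample (percent) taken at a detection interval."""
        if usage >= self.alarm:
            self.reduced = True
            self.calm_intervals = 0
        elif self.reduced and usage <= self.resume:
            self.calm_intervals += 1
            if self.calm_intervals >= self.delay_count:
                self.reduced = False
                self.calm_intervals = 0
        else:
            self.calm_intervals = 0  # between the thresholds: no progress
        return "reduced" if self.reduced else "normal"


class ExhaustAlarm:
    """Alarm / clear-alarm pair with an upper and a lower limit, as in
    access-user exhaust threshold-alarm. sample() returns the event raised
    by this sample: 'alarm', 'clear' or None."""

    def __init__(self, upper_limit, lower_limit):
        if lower_limit >= upper_limit:
            raise ValueError("lower-limit must be below upper-limit")
        self.upper, self.lower = upper_limit, lower_limit
        self.active = False

    def sample(self, usage):
        if not self.active and usage >= self.upper:
            self.active = True
            return "alarm"
        if self.active and usage <= self.lower:
            self.active = False
            return "clear"
        return None


def demo():
    # constructed samples: alarm at 80 %, resume at 60 %, 3 calm intervals
    adj = AccessSpeedAdjuster(alarm=80, resume=60, delay_count=3)
    states = [adj.sample(u) for u in (50, 85, 70, 55, 55, 75, 55, 55, 55)]
    alarm = ExhaustAlarm(upper_limit=90, lower_limit=70)
    events = [alarm.sample(u) for u in (60, 92, 95, 80, 69, 91)]
    return states, events
```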

Updated: 2019-01-03

Document ID: EDOC1100055031
