NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Configuring vCPE Access

This section describes how to configure vCPE access.

Usage Scenario

Virtual Customer Premise Equipment (vCPE) is a technology that moves legacy CPE functions to carrier devices so that user-end CPEs perform only Layer 2 functions. User terminals apply for addresses directly from carrier devices, such as the BRAS, DHCP server, and RADIUS server, which then assign addresses to user terminals and translate between private and public IP addresses.

Figure 9-1 Typical application of vCPE

Pre-configuration Tasks

Before configuring vCPE, complete the following tasks:

  • Configure basic BAS services.
  • Establish a GRE tunnel between the BRAS and NAT device.

Configuration Procedures

Figure 9-2 Flowchart for configuring vCPE

Configuring a Session Group Template

To implement authentication, accounting, and control management for a home that has multiple sessions, logically classify the sessions into a session group.

Context

In vCPE scenarios, the NE40E can identify user terminals in each home. To logically classify user terminals, create a session group template so that user terminals in the same home can be identified by one session group. Then service policies, such as authentication, accounting, and control management, can be applied to the user terminals as a whole on the service plane and uniform traffic policies can be performed.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run access session-group template template-name

    A session group template is created, and its view is displayed.

  3. Run grouping-identifier include pevlan cevlan

    A session group identification mode is configured.

  4. Run service-mode vcpe

    A session group service mode is configured.

  5. (Optional) Run ipv6 temporary-address limit limit-num

    The maximum number of temporary IPv6 addresses for clients in a session group is configured.

  6. (Optional) Run access-limit limit-num

    The maximum allowable number of access terminals in a home is configured.

  7. (Optional) Run user default { gateway ip-address | netmask { mask | mask-length } } *

    The default user gateway address is configured.

    NOTE:

    The user gateway address must use the loopback interface address to ensure that DHCP response packets from the DHCP server are sent to the router for processing.

  8. Run commit

    The configuration is committed.

Configuring a GRE Tunnel Group

Usage Scenario

Legacy CPEs are integrated with control plane functions, such as DHCP, Universal Plug and Play (UPnP), TR069, and user management, and forwarding plane functions, such as NAT and routing. These functions are supported by the CPE hardware. When carriers deploy new services, such as IPv6 services, the CPEs used for homes distributed everywhere must have their software and hardware upgraded, which increases costs. The O&M and management costs for CPEs on the live network are also increased because a CPE has multiple functions integrated.

To solve these problems, vCPE is developed to delegate CPE functions to different devices. Then the L2 CPE only needs to provide basic Layer 2 forwarding functions, which facilitates upgrade and maintenance. The BRAS implements user management and data forwarding functions previously provided by a legacy CPE. On the network shown in Figure 9-3, the BRAS has to manage L2 CPEs as home users and transmit traffic from different L2 CPEs over different GRE tunnels to a CGN device. To enhance service transmission reliability, the GRE tunnels between the BRAS and CGN devices must work in primary/backup mode. To achieve this, configure a GRE tunnel group on the BRAS, set the group working mode to vCPE, and bind the GRE tunnels to this group. After being bound to the GRE tunnel group, the two GRE tunnels work in primary/backup mode. The primary tunnel is preferentially used to forward services. If the primary tunnel fails, the backup tunnel takes over service forwarding. If the primary tunnel recovers, services will be switched back to the primary tunnel.

Figure 9-3 GRE tunnel group

Pre-configuration Tasks

Before configuring a GRE tunnel group, configure GRE tunnels.
NOTE:

In vCPE scenarios, only GRE tunnels bound to vCPE GRE tunnel groups can forward services properly.

Only a GRE tunnel named in the interface ID format, such as Tunnel 1, can be bound to a GRE tunnel group.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run gre-group

    A GRE tunnel group is created, and the GRE tunnel group view is displayed.

  3. Run interface interface-type interface-number { master | backup }

    A GRE tunnel is bound to the GRE tunnel group.

  4. Run commit

    The configuration is committed.

Checking the Configurations

# Run the display tunnel gre-group [ group-name ] command. The command output shows GRE tunnel group parameters.

<HUAWEI> display tunnel gre-group
hw's state information is:
Working Mode: vCPE 
Interface        Mode           Status          
-------------------------------------------
Tunnel11         Master         UP    
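
An added example, not taken from the Huawei guide: a Python check that parses saved display tunnel gre-group output and reports groups that are not in vCPE working mode, lack a master or backup tunnel, or have a member that is not UP. Only the hw block comes from the output above; the grp2 block, the DOWN status string, and the layout of multi-group output are assumptions constructed for illustration.

```python
import re

# Constructed sample. The "hw" block is the output shown above; the "grp2"
# block and its DOWN status are invented here to exercise the checks.
SAMPLE = """\
<HUAWEI> display tunnel gre-group
hw's state information is:
Working Mode: vCPE
Interface        Mode           Status
-------------------------------------------
Tunnel11         Master         UP
grp2's state information is:
Working Mode: vCPE
Interface        Mode           Status
-------------------------------------------
Tunnel21         Master         DOWN
Tunnel22         Backup         UP
"""

GROUP_RE = re.compile(r"^(?P<name>\S+)'s state information is:\s*$")
MODE_RE = re.compile(r"^Working Mode:\s*(?P<mode>\S+)\s*$")
MEMBER_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<role>Master|Backup)\s+(?P<status>\S+)\s*$",
    re.IGNORECASE,
)


def parse_gre_groups(text):
    """Return {group name: {"mode": str or None, "members": [dict, ...]}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(
                m.group("name"), {"mode": None, "members": []}
            )
            continue
        if current is None:
            continue  # prompt line or anything before the first group header
        m = MODE_RE.match(line)
        if m:
            current["mode"] = m.group("mode")
            continue
        m = MEMBER_RE.match(line)
        if m:
            current["members"].append({
                "ifname": m.group("ifname"),
                "role": m.group("role").lower(),
                "status": m.group("status").upper(),
            })
    return groups


def audit_gre_groups(groups):
    """Return (group, finding) tuples for groups without working redundancy."""
    findings = []
    for name, group in groups.items():
        if (group["mode"] or "").lower() != "vcpe":
            findings.append((name, "working mode is not vCPE"))
        roles = {member["role"] for member in group["members"]}
        for role in ("master", "backup"):
            if role not in roles:
                findings.append((name, f"no {role} tunnel bound"))
        for member in group["members"]:
            if member["status"] != "UP":
                findings.append(
                    (name, f"{member['ifname']} ({member['role']}) is {member['status']}")
                )
    return findings


if __name__ == "__main__":
    for group_name, finding in audit_gre_groups(parse_gre_groups(SAMPLE)):
        print(f"{group_name}: {finding}")
```
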

Configuring a User Address Pool

It is essential to configure the user address pool for vCPE users.

Prerequisites

When the NE40E functions as a DHCP relay agent for address assignment, a remote overlapping address pool must be configured. Before configuring such an address pool, create a DHCPv4 server group.

Context

In legacy networking, a CPE is used to assign private IP addresses to user terminals. In vCPE networking, the NE40E is used to assign private IP addresses to user terminals in a home. The private IP addresses of user terminals in different homes can overlap.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip pool pool-name bas remote overlap

    An address pool is created, and its view is displayed.

  3. Run dhcp-server group group-name

    A DHCPv4 server group is associated with the address pool.

  4. Run quit

    The AAA view is displayed.

  5. Run aaa

    The AAA view is displayed.

  6. Run domain domain-name

    The domain view is displayed.

  7. Run ip-pool pool-name [ move-to position ]

    IPv4 address pools are specified for the domain.

(Optional) Activating the BRAS Access Function on Interfaces

This section describes how to activate the BRAS access function on interfaces.

Context

Before you activate the BRAS access function on interfaces, run the active port-base command to activate the interface-specific basic software license files on the board.

Before running the bas command to create a BAS interface on a GE or Eth-Trunk interface, you must first activate the BRAS access function on the interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run license

    The license view is created and displayed.

  3. Run active port-bras slot slot-id card card-id port port-list

    The BRAS access function is activated on interfaces.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

After the BRAS access function is activated on interfaces, run the display license resource usage port-bras command to view information about license authorization of the BRAS access function on the interfaces.

<HUAWEI> display license resource usage port-bras all
 FeatureName Descriptions:
====================================================================================
FeatureName            Description                                                  
------------------------------------------------------------------------------------
LCR5S40NBAS0P          NE40E 100G PPPoE/IPoE Port License(per 100G)          
LCR5S40XBAS0P         NE40E 10G PPPoE/IPoE Port License(per 10G)            
LCR5S40GBAS0P          NE40E 1G PPPoE/IPoE Port License(per 1G)              
Global license information:
====================================================================================
FeatureName            Offline     Allocated     Activated     Available     Total  
------------------------------------------------------------------------------------
LCR5S40GBAS0P          0           0             0             10            10     
LCR5S40XBAS0P          0           0             0             2             2      
LCR5S40NBAS0P          0           0             0             2             2     
 License detailed information:
====================================================================================
Physical Position    FeatureName     Needed Count    Used Count      Active Status  
------------------------------------------------------------------------------------
 1/0/1               LCR5S40XBAS0P   1               0               No allocated
 1/0/2               LCR5S40XBAS0P   1               0               No allocated
 1/0/3               LCR5S40XBAS0P   1               0               No allocated
 2/0/1               LCR5S40XBAS0P   1               0               No allocated
 2/0/2               LCR5S40XBAS0P   1               0               No allocated
 2/0/3               LCR5S40XBAS0P   1               0               No allocated

Configuring vCPE on a BAS Interface

When an interface is used for vCPE access, you need to configure vCPE on the BAS interface.

Context

  • After vCPE is configured for a BAS interface, access users on this interface are identified as vCPE users.

  • If the BRAS detects that a login vCPE user has the same MAC address as an online vCPE user, the BRAS logs out the online vCPE user and allows the login vCPE user to go online.

  • When vCPE static users go online by sending IP and ARP packets, the device does not check the IP address validity of users based on static user configurations and unexpected logout backup entries. Instead, the device checks the IP address validity of users based on the subnet range for vCPE home users after the users are authenticated.

  • Overlapping private IP addresses are assigned to vCPE users in different homes, and traffic from vCPE users is transmitted over the GRE tunnel to the CGN device, where the private IP addresses are translated to public IP addresses before the traffic is sent out.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run bas

    A BAS interface is created, and its view is displayed.

  4. Run access session-group-template template-name

    A session group template is bound to the BAS interface.

    NOTE:

    The BAS interface for vCPE users must be bound to a session group template in which the vCPE mode is configured as the service group service mode. Otherwise, user access fails.

  5. Run basinfo-insert vcpe version1

    The BAS interface is configured to insert the Option 82 field in version 1 format to vCPE user packets when the BAS interface does not trust the Option 82 field carried in the user packets.

    After the basinfo-insert vcpe version1 command is run, the BAS interface inserts the Option 82 field with the tunnel ID carried in Suboption1.

  6. (Optional) Run trouble-shooting enable

    The BAS interface is configured as a diagnostic interface.

    If a vCPE home terminal fails, a diagnostic server is required to simulate the user login through a diagnostic interface for troubleshooting.

    After a BAS interface is configured as a diagnostic interface, access users on this interface are considered diagnostic users. Diagnostic users belong to the same home as users with the same VLAN information but accessing through other types of interfaces.

    NOTE:

    vCPE diagnostic users are not counted in home user specifications.

    vCPE diagnostic users do not consume home user bandwidth, but are charged together with the homes with the same VLAN IDs.

  7. (Optional) Run user vcpe detect retransmit retransmit-num interval interval-time protocol ipv6-nd

    The vCPE ND detection is configured on an interface.

  8. Run commit

    The configuration is committed.

(Optional) Configuring Alarm Thresholds for Users

You can configure the alarm threshold for users to strengthen the administrator's capability to monitor vCPE services in real time.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run session-group user-warning-threshold { upper-limit upper-limit-value | lower-limit lower-limit-value }

    An upper or lower alarm threshold is configured for home users.

  3. Run user-stack warning-threshold

    An upper or lower alarm threshold is configured for terminal users.

    NOTE:

    A dual-stack user is counted as two users, and a single stack user is counted as one.

  4. Run commit

    The configuration is committed.

(Optional) Configuring the UPnP Agent Function

Context

Universal Plug and Play (UPnP) is a set of protocols that support zero configuration networking and automatic discovery of multiple devices.

In vCPE scenarios, a CPE provides only Layer 2 functions, and packets that need to be processed by a Layer 3 UPnP device cannot be forwarded. UPnP information can be multicast to a BRAS, and therefore the BRAS must function as a UPnP agent for communication. To enable a user in a session group to communicate with the UPnP agent, create a search target template containing UPnP information and bind it to the session group.

Procedure

  1. Create a search target template and configure parameters for it.
    1. Run system-view

      The system view is displayed.

    2. Run access search-target template template-name

      A search target template is created.

    3. Run st st-value uuid uuid-value

      An ST field and UUID field are configured for an ST whitelist in the search target template.

    4. Run os os-value

      An OS field is configured for the search target template.

    5. Run location location-value

      A location field is configured for the search target template. This field indicates the URL of a UPnP device.

  2. Bind a session group to the search target template.
    1. Run system-view

      The system view is displayed.

    2. Run access session-group template template-name

      The session group view is displayed.

    3. Run access search-target-template template-name

      The session group is bound to the search target template.

  3. Run commit

    The configuration is committed.

Verifying the vCPE Configuration

After configuring the vCPE functions, you can run display commands to check the configuration.

Prerequisites

vCPE functions have been configured.

NOTE:

If information about vCPE users is queried by a condition other than a CID or MAC address, home user information is displayed.

Procedure

  • Run the display access-user gre-group tunnel-group-name command in any view to check information about online vCPE users in a GRE tunnel group.
  • Run the display access-user vcpe-family-id vcpe-family-id [ verbose ] command in any view to check information about online vCPE users with a specified home ID.
  • Run the display access-user vcpe-family-id vcpe-family-id client-index client-index command in any view to check the information about a vCPE family user's client.
  • Run the display access-user command in any view to check information about online users.
  • Run the display access-user interface interface-type interface-num option { [ vlanpvc ] | [ accesstime ] } * command in any view to check information about online users on a specified interface.
  • Run the display access-user user-id user-id [ verbose ] command in any view to check information about the user with a specified user ID.
  • Run the display access-user domain domain-name [ verbose ] command in any view to check information about users in a specified domain.
  • Run the display access-user user-type vcpe-session-group command in any view to check brief information about vCPE family members.

Example

Run the display access-user user-id user-id [ verbose ] command to view information about a home user with a specified user ID.

<HUAWEI> display access-user user-id 29
  -------------------------------------------------------------------
  User access index             : 29
  State                         : Used
  User name                     : R04-08007001200012@default1
  Domain name                   : default1
  User backup state             : No
  RUI user state                : -
  User access interface         : GigabitEthernet8/0/7.5
  User access PeVlan/CeVlan     : 12/12
  User access slot              : 8
  User MAC                      : -
  User IP address               : -
  User IP netmask               : 255.255.255.0(Radius)
  User gateway address          : 192.168.0.1(Radius)
  User Authen IP Type           : ipv4/-/-
  User Basic IP Type            : -/-/-
  Server IP                     : 15.7.7.1        
  User lease                    : 2014-07-18 10:21:09---2014-07-21 10:21:09
  Remain lease(sec)             : 259177
  User MSIDSN name              : -
  EAP user                      : No
  MD5 end                       : No
  MTU                           : 1500
  Vpn-Instance                  : -
  User access type              : vCPE_session_group
  VCPE family id                : 123(Radius)
  GER tunnel group              : test(Radius)
  Session group template        : test
  User authentication type      : Bind authentication
  RADIUS-server-template        : test 
  Server-template of second acct: -
  Agent-Circuit-Id                 : -
  Agent-Remote-Id                  : -
  Access-line-id Information(dhcpv4 option82): -
  Current authen method         : RADIUS authentication
  Authen result                 : Success
  Current author method         : Idle
  Author result                 : Success
  Action flag                   : Idle
  Authen state                  : Authed
  Author state                  : Idle
  Configured accounting method  : RADIUS accounting
  Quota-out                     : Offline
  Current accounting method     : RADIUS accounting
  Realtime-accounting-switch            : Close     
  Realtime-accounting-interval(sec)     : -
  Realtime-accounting-send-update       : No                  
  Realtime-accounting-traffic-update    : No                  
  Access start time             : 2014-07-18 10:10:42
  Accounting start time         : 2014-07-18 10:10:42
  Online time (h:min:sec)       : 00:01:10
  Accounting state              : Accounting
  Idle-cut direction            : Both
  Idle-cut-data (time,rate,idle): 0 sec, 60 kbyte/min, 0 min 0 sec
  Ipv4 Realtime speed           : 0 kbyte/min
  Ipv4 Realtime speed inbound   : 0 kbyte/min
  Ipv4 Realtime speed outbound  : 0 kbyte/min
  Link bandwidth auto adapt     : Disable
  UpPriority                    : Unchangeable
  DownPriority                  : Unchangeable
  Multicast-profile             : - 
  Multicast-profile-ipv6        : - 
  Max Multicast List Number     : 4
  IGMP enable                   : Yes
  User-Group                    : - 
  Next-hop                      : - 
  Policy-route-IPV6-address     : - 
  If flow info contain l2-head  : Yes
  Flow-Statistic-Up             : Yes
  Flow-Statistic-Down           : Yes
  Up packets number(high,low)   : (0,0)
  Up bytes number(high,low)     : (0,0)
  Down packets number(high,low) : (0,0)
  Down bytes number(high,low)   : (0,0)
  IPV6 Up packets number(high,low)     : (0,0)
  IPV6 Up bytes number(high,low)       : (0,0)
  IPV6 Down packets number(high,low)   : (0,0)
  IPV6 Down bytes number(high,low)     : (0,0)
  Service-type                  : -
  -------------------------------------------------------------------
  User(s) list of this session-group:  
  ------------------------------------------------------------------
  ID         IP address        MAC              VLAN    
  ------------------------------------------------------------------
  30         192.168.0.253        0001-0101-0101   12/12           
  31         192.168.0.252        0001-0101-0103   12/12           
  32         192.168.0.251        0001-0101-0105   12/12           

  Total 3,3 printed
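
An added example, not taken from the Huawei guide: a Python check that parses the session-group output above and compares each listed terminal with the home's gateway/netmask subnet, the home's PeVlan/CeVlan pair, and the configured access-limit, and also reports a MAC address that appears twice. Member 33 and the access_limit value passed to audit_home are constructed for illustration; the remaining sample lines are copied from the output above.

```python
import ipaddress
import re

# Constructed sample: selected lines of the output shown above, plus member
# 33, which is invented here so that each check has something to report.
SAMPLE = """\
  User access index             : 29
  User access PeVlan/CeVlan     : 12/12
  User IP netmask               : 255.255.255.0(Radius)
  User gateway address          : 192.168.0.1(Radius)
  User access type              : vCPE_session_group
  VCPE family id                : 123(Radius)
  -------------------------------------------------------------------
  User(s) list of this session-group:
  ------------------------------------------------------------------
  ID         IP address        MAC              VLAN
  ------------------------------------------------------------------
  30         192.168.0.253        0001-0101-0101   12/12
  31         192.168.0.252        0001-0101-0103   12/12
  32         192.168.0.251        0001-0101-0105   12/12
  33         10.0.0.5             0001-0101-0103   12/13

  Total 4,4 printed
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")
MEMBER_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<vlan>\d+/\d+)\s*$"
)


def _strip_source(value):
    """Drop a trailing source tag such as "(Radius)" from a field value."""
    return re.sub(r"\([^)]*\)\s*$", "", value).strip()


def parse_session_group(text):
    """Return (fields, members) from display access-user user-id output."""
    fields, members = {}, []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(m.groupdict())
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields, members


def audit_home(fields, members, access_limit):
    """Return findings for one home; access_limit is the configured limit-num."""
    findings = []
    gateway = _strip_source(fields["User gateway address"])
    netmask = _strip_source(fields["User IP netmask"])
    subnet = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    home_vlan = fields["User access PeVlan/CeVlan"]
    if len(members) > access_limit:
        findings.append(
            f"{len(members)} terminals online, access-limit is {access_limit}"
        )
    seen_macs = {}
    for member in members:
        uid = member["id"]
        if ipaddress.ip_address(member["ip"]) not in subnet:
            findings.append(f"user {uid}: {member['ip']} outside home subnet {subnet}")
        if member["vlan"] != home_vlan:
            findings.append(
                f"user {uid}: VLAN {member['vlan']} differs from home VLAN {home_vlan}"
            )
        mac = member["mac"].lower()
        if mac in seen_macs:
            findings.append(f"user {uid}: MAC {mac} already used by user {seen_macs[mac]}")
        else:
            seen_macs[mac] = uid
    return findings


if __name__ == "__main__":
    parsed_fields, parsed_members = parse_session_group(SAMPLE)
    for finding in audit_home(parsed_fields, parsed_members, access_limit=3):
        print(finding)
```
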

Run the display access-user vcpe-family-id vcpe-family-id [ verbose ] command to view information about a home user with a specified home ID.

<HUAWEI> display access-user vcpe-family-id 123 verbose
 -------------------------------------------------------------------                                                               
Basic:                                                                                                                              
  User access index             : 6560                                                                                              
  State                         : Used                                                                                              
  User name                     : R18-01010000100010@yin                                                                            
  Domain name                   : yin                                                                                               
  User backup state             : No                                                                                                
  User access interface         : GigabitEthernet1/0/10.2                                                                           
  User access PeVlan/CeVlan     : 1/10                                                                                              
  User access slot              : 1                                                                                                 
  User MAC                      : -                                                                                                 
  User Authen IP Type           : ipv4/-/-                                                                                          
  User Basic IP Type            : -/-/-                                                                                             
  User access type              : Session-Group                                                                                     
  User authentication type      : Bind authentication                                                                               
  Agent-Circuit-Id              : -                                                                                                 
  Agent-Remote-Id               : -                                                                                                 
  Access-line-id Information(dhcpv4 option82): -                                                                                    
  Access start time             : 2014-07-01 16:17:03                                                                               
  User-Group                    : -                                                                                                 
  Next-hop                      : -                                                                                                 
  Policy-route-IPV6-address     : -                                                                                                 
                                                                                                                                    
AAA:                                                                                                                                
  RADIUS-server-template        : yin                                                                                               
  Server-template of second acct: -                                                                                                 
  Current authen method         : RADIUS authentication                                                                             
  Authen result                 : Success                                                                                           
  Current author method         : Idle                                                                                              
  Author result                 : Success                                                                                           
  Action flag                   : Idle                                                                                              
  Authen state                  : Authed                                                                                            
  Author state                  : Idle                                                                                              
  Configured accounting method  : No accounting                                                                                     
  Quota-out                     : Offline                                                                                           
  Current accounting method     : No accounting                                                                                     
  Realtime-accounting-switch            : Close                                                                                     
  Realtime-accounting-interval(sec)     : -                                                                                         
  Realtime-accounting-send-update       : No                                                                                        
  Realtime-accounting-traffic-update    : No                                                                                        
  Accounting start time         : 2014-07-01 16:17:04                                                                               
  Online time (h:min:sec)       : 00:37:42                                                                                          
  Accounting state              : Ready                                                                                             
  MTU                           : 1500                                                                                              
  Idle-cut direction            : Both                                                                                              
  Idle-cut-data (time,rate,idle): 0 sec, 60 kbyte/min, 0 min 0 sec                                                                  
  Ipv4 Realtime speed           : 0 kbyte/min                                                                                       
  Ipv4 Realtime speed inbound   : 0 kbyte/min                                                                                       
  Ipv4 Realtime speed outbound  : 0 kbyte/min                                                                                       
                                                                                                                                    
Dot1X:                                                                                                                              
  User MSIDSN name              : -                                                                                                 
  EAP user                      : No                                                                                                
  MD5 end                       : No                                                                                                
                                                                                                                                    
VPN&Polcy-route:                                                                                                                   
                                                                                                                                    
Multicast Service:                                                                                                                  
  Multicast-profile             : -                                                                                                 
  Multicast-profile-ipv6        : -                                                                                                 
  Max Multicast List Number     : 4                                                                                                 
  IGMP enable                   : Yes                                                                                               
                                                                                                                                    
ACL&Qos:                                                                                                                            
  Link bandwidth auto adapt     : Disable                                                                                           
  UpPriority                    : Unchangeable                                                                                      
  DownPriority                  : Unchangeable                                                                                      
  L2 UpPriority                 : Unchangeable                                                                                      
                                                                                                                                    
Flow Statistic:                                                                                                                     
  If flow info contain l2-head  : Yes                                                                                               
  Flow-Statistic-Up             : Yes                                                                                               
  Flow-Statistic-Down           : Yes                                                                                               
  Up packets number(high,low)   : (0,0)                                                                                             
  Up bytes number(high,low)     : (0,0)                                                                                             
  Down packets number(high,low) : (0,0)                                                                                             
  Down bytes number(high,low)   : (0,0)                                                                                             
  L2 Up packets number(high,low)       : (0,0)                                                                                      
  L2 Up bytes number(high,low)         : (0,0)                                                                                      
  L2 Down packets number(high,low)     : (0,0)                                                                                      
  L2 Down bytes number(high,low)       : (0,0)                                                                                      
                                                                                                                                    
Dslam information :                                                                                                                 
  Circuit ID                       :-                                                                                               
  Remote ID                        :-                                                                                               
  Actual datarate upstream         :0(Kbps)                                                                                         
  Actual datarate downstream       :0(Kbps)                                                                                         
  Min datarate upstream            :0(Kbps)                                                                                         
  Min datarate downstream          :0(Kbps)                                                                                         
  Attainable datarate upstream     :0(Kbps)                                                                                         
  Attainable datarate downstream   :0(Kbps)                                                                                         
  Max datarate upstream            :0(Kbps)                                                                                         
  Max datarate downstream          :0(Kbps)                                                                                         
  Min lowpower datarate upstream   :0(Kbps)                                                                                         
  Min lowpower datarate downstream :0(Kbps)                                                                                         
  Max delay upstream               :0(s)                                                                                            
  Max delay downstream             :0(s)                                                                                            
  Actual delay upstream            :0(s)                                                                                            
  Actual delay downstream          :0(s)                                                                                            
  Access loop encapsulation        :0x000000                                                                                        
                                                                                                                                    
Session Group                                                                                                                       
  Session group template              : 123                                                                                         
  Service mode                        : vcpe                                                                                        
  VCPE family id                      : 4294967295                                                                                  
  GRE group                           : 123                                                                                         
  Search-target template              : 123                                                                                         
  Authentication interface            : GigabitEthernet1/0/10.2                                                                     
  Trouble-shooting interface          : Eth-Trunk123.1                                                                              
  --------------------------------------------------------------------
  User(s) list of this session-group(TR:TROUBLE-SHOOTING):
  --------------------------------------------------------------------
  ID   IP address        MAC                 VLAN         TR  CID
  --------------------------------------------------------------------
  1    192.168.255.255   0002-0203-cd01      1/10         N   2097440
       2001:0:0:123:1234:4567:1234:ab01
       2001:0:0:123:1234:4567:1235:ab02
       2001:0:0:123:1234:4567:1236:ab03
  2    192.168.1.3       0002-0204-cd02      1/10         N   2097441
       2001:0:0:123:1224:4567:1235:ab04
       2001:0:0:123:1224:4567:1236:ab05
  3    -                 0002-0204-cd03      1/10         N   2097442
       2001:0:0:123:1223:4567:1235:ab7a                                                                                                                                    


  Total 3, 3 printed            

Run the display access-user gre-group tunnel-group-name command to view information about online users in a specified GRE tunnel group.

<HUAWEI> display access-user gre-group test
  ------------------------------------------------------------------------------
  UserID  Username     Interface      Vlan     FamilyID    Access type
  ------------------------------------------------------------------------------
  33      user1@ma     Eth-Trunk2.1  1/3      100        session-group 
  34      user2@ma     Eth-Trunk2.2  1/5      101        session-group
  ------------------------------------------------------------------------------
  Normal users                       : 2
  RUI Local users                    : 0
  RUI Remote users                   : 0
  Total users                        : 2
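
The Session Group user list in the display access-user output above prints one summary row per session followed by indented IPv6 lines that belong to that row. The following added example (not Huawei code; the function names and the assumed column layout are taken only from the sample output on this page) parses that list and checks it against the "Total N, M printed" line before the data is used in an audit script:

```python
import ipaddress
import re
# Sample rows taken from the display access-user output shown on this page.
SAMPLE = """\
  1    192.168.255.255   0002-0203-cd01      1/10         N   2097440
       2001:0:0:123:1234:4567:1234:ab01
       2001:0:0:123:1234:4567:1235:ab02
       2001:0:0:123:1234:4567:1236:ab03
  2    192.168.1.3       0002-0204-cd02      1/10         N   2097441
       2001:0:0:123:1224:4567:1235:ab04
       2001:0:0:123:1224:4567:1236:ab05
  3    -                 0002-0204-cd03      1/10         N   2097442
       2001:0:0:123:1223:4567:1235:ab7a
  Total 3, 3 printed
"""

# One row per session: ID, IPv4 (or "-"), MAC, VLAN, TR flag, CID.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+((?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})"
                 r"\s+(\S+)\s+([YN])\s+(\d+)\s*$")
TOTAL = re.compile(r"^\s*Total\s+(\d+),\s*(\d+)\s+printed\s*$")

def parse_session_group_users(text):
    """Return (users, (total, printed)); IPv6 lines attach to the row above."""
    users, totals = [], None
    for line in text.splitlines():
        if m := ROW.match(line):
            uid, ip4, mac, vlan, tr, cid = m.groups()
            users.append({"id": int(uid), "ipv4": None if ip4 == "-" else ip4,
                          "mac": mac.lower(), "vlan": vlan, "tr": tr == "Y",
                          "cid": int(cid), "ipv6": []})
        elif m := TOTAL.match(line):
            totals = (int(m.group(1)), int(m.group(2)))
        elif users and ":" in line:
            try:
                ipaddress.IPv6Address(line.strip())  # validate, keep as printed
                users[-1]["ipv6"].append(line.strip())
            except ValueError:
                pass  # separator or heading, not an address line
    return users, totals

def audit(users, totals):
    """Flag inconsistencies to resolve before trusting the parsed list."""
    macs = [u["mac"] for u in users]
    findings = ["duplicate MAC " + m for m in sorted(set(macs)) if macs.count(m) > 1]
    findings += ["session %d has no address" % u["id"] for u in users
                 if u["ipv4"] is None and not u["ipv6"]]
    if totals is None or totals != (len(users), len(users)):
        findings.append("totals line missing or inconsistent with parsed rows")
    return findings
```
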
Updated: 2019-01-03

Document ID: EDOC1100055031
