NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Configuring IPoE Access Services

In IPoE access, users can access the Internet by sending packets directly, without using client dial-in software to dial in.

Usage Scenario

The IPoE access service is an access authentication service. In IPoE access, a user accesses the Internet by using the Ethernet or asymmetric digital subscriber line (ADSL). The user uses a fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol (DHCP). The system then authenticates the user by using Web authentication, fast authentication, or binding authentication.

Depending on the networking, IPoE services are classified into IPoE, IPoEoVLAN, and IPoEoQ services.

Pre-configuration Tasks

Before configuring the IPoE access service, complete the following tasks:

  • Configuring Authorization, Authentication, and Accounting (AAA) schemes
  • Configuring an IPv4 address pool
  • Configuring a domain

Configuration Procedures

To configure the IPoE access service, perform the following procedures.

NOTE:

Configuring an AAA scheme, Configuring RADIUS, Configuring an IPv4 address pool, and Configuring a domain are not provided here because all the procedures are described in other chapters.

Figure 6-1 Configuration procedures for IPoE

Binding a Sub-interface to a VLAN

The NE40E processes received tagged user packets from different types of users in different manners to ensure that different types of packets are properly forwarded.

Context

If users access the network by using a sub-interface, the sub-interface needs to be bound to a VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding a sub-interface to a VLAN, you need the following parameters:

  • Sub-interface number
  • VLAN ID
  • QinQ ID
NOTE:
  • On each main interface, you can set the any-other parameter on only one sub-interface. On one sub-interface, any-other cannot be set together with start-vlan or qinq.
  • If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a sub-interface, the user-vlan cannot be configured on this sub-interface.
  • Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

Perform the following steps on the NE40E:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number.subinterface-number

    A sub-interface is created and the sub-interface view is displayed.

  3. For Layer 2 subscriber access, run:

    user-vlan { start-vlan [ end-vlan ] [ dot1q start-qinq-id [ end-qinq-id ] ] | any-other }

    A user-side VLAN is created.

    For Layer 3 subscriber access, run:

    vlan-type dot1q vlan-id

    A user-side VLAN is created.

  4. Run commit

    The configuration is committed.

(Optional) Activating the BRAS Access Function on Interfaces

This section describes how to activate the BRAS access function on interfaces.

Context

Before you activate the BRAS access function on interfaces, run the active port-base command to activate the interface-specific basic software license files on the board.

Before running the bas command to create a BAS interface on a GE or Eth-Trunk interface, you must first activate the BRAS access function on the interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run license

    The license view is created and displayed.

  3. Run active port-bras slot slot-id card card-id port port-list

    The BRAS access function is activated on interfaces.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

After the BRAS access function is activated on interfaces, run the display license resource usage port-bras command to view information about license authorization of the BRAS access function on the interfaces.

<HUAWEI> display license resource usage port-bras all
 FeatureName Descriptions:
====================================================================================
FeatureName            Description
------------------------------------------------------------------------------------
LCR5S40NBAS0P          NE40E 100G PPPoE/IPoE Port License(per 100G)
LCR5S40XBAS0P          NE40E 10G PPPoE/IPoE Port License(per 10G)
LCR5S40GBAS0P          NE40E 1G PPPoE/IPoE Port License(per 1G)
Global license information:
====================================================================================
FeatureName            Offline     Allocated     Activated     Available     Total
------------------------------------------------------------------------------------
LCR5S40GBAS0P          0           0             0             10            10
LCR5S40XBAS0P          0           0             0             2             2
LCR5S40NBAS0P          0           0             0             2             2
 License detailed information:
====================================================================================
Physical Position    FeatureName     Needed Count    Used Count      Active Status
------------------------------------------------------------------------------------
 1/0/1               LCR5S40XBAS0P   1               0               No allocated
 1/0/2               LCR5S40XBAS0P   1               0               No allocated
 1/0/3               LCR5S40XBAS0P   1               0               No allocated
 2/0/1               LCR5S40XBAS0P   1               0               No allocated
 2/0/2               LCR5S40XBAS0P   1               0               No allocated
 2/0/3               LCR5S40XBAS0P   1               0               No allocated

Configuring a BAS Interface

When an interface is used for broadband access, you need to configure it as a BAS interface, and then specify the user access type and attributes for the interface.

Context

When configuring a BAS interface, you need the following parameters:

  • BAS interface number

  • Access type and authentication scheme

  • (Optional) Maximum number of users that are allowed access through the BAS interface and maximum number of users that are allowed access through a specified VLAN

  • (Optional) Default domain, roaming domain, and domains that users are allowed to access

  • (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting packet copy, IP packet trigger-online, and user-based multicast replication

  • (Optional) Whether to trust the access-line-id information reported by clients, user detection parameters, VPN instances of non-PPP users, and BAS interface name

Perform the following steps on NE40E:

NOTE:
  • The new password is at least eight characters long and contains at least two of the following: upper-case letters, lower-case letters, digits, and special characters.
  • For security purposes, you are advised to configure a password in ciphertext mode and periodically change the password.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [ .subinterface-number ]

    The interface view is displayed.

    NOTE:
    In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the interface to a VE group. In scenarios with BRAS access through L3VPN termination, run the ve-group ve-group-id l3-terminate command to configure the VE interface as an L3VE interface to terminate an L3VPN and bind the interface to a VE group. The preceding commands are configured in the VE interface view. Only Layer 3 static user access is supported in scenarios with BRAS access through L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN Termination.

  3. Run bas

    A BAS interface is created, and the BAS interface view is displayed.

    You can configure an interface as the BAS interface by running the bas command in the interface view. You can configure an Ethernet interface or its sub-interface, a VE interface or its sub-interface, an ATM interface or its sub-interface, or an Eth-Trunk interface or its sub-interface as a BAS interface.

  4. Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-authentication predname ] } ]

    The access type is set to Layer 2 subscriber access and the attributes of this access type are configured.

    Or run access-type layer3-subscriber [ default-domain { [ pre-authentication predname ] authentication [ force | replace ] dname } ]

    The access type is set to Layer 3 subscriber access and the attributes of this access type are configured.

    When setting the access type on the BAS interface, you can set the service attributes of the access users at the same time. You can also set these attributes in later configurations.

    When configuring Layer 3 subscriber access, you can run the layer3-subscriber start-ip-address end-ip-address [ vpn-instance instance-name ] domain-name domain-name command and the layer3-subscriber ip-address any domain-name domain-name command in the system view to specify an IP address segment and authentication domain name.

    The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk interface. You can configure the access type of such an Ethernet interface only on the associated Eth-Trunk interface.

    When configuring static routes for Layer 3 users, specify the next hop as the user IP address and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be forwarded.

    Run access-type layer2-leased-line user-name uname password { cipher password | simple password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } ] *

    The access type is set to Layer 2 leased line access and the attributes of this access type are configured.

    Run access-type layer3-leased-line { user-name uname | user-name-template } password { cipher password | simple password } [ default-domain authentication dname | bas-interface-name bname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } | mac-address mac-address | client-id client-id ] *

    The access type is set to Layer 3 leased line access and the attributes of this access type are configured.

    If there is an online user on the BAS interface, you can change the access type on the interface only when the online user is a leased line user.

    After the access type is set to leased line access, the NE40E performs authentication on the leased line users immediately.

  5. (Optional) Run access leased-line connection chasten request-session request-period blocking-period quickoffline

    Suppression of leased line user access is enabled.

    If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is 0, the leased line user can go online but will go offline immediately. This results in frequent login and logout of leased line users.

    The command can be run to configure the maximum number of connection requests allowed, the interval at which connection requests can be sent, and a blocking period.

  6. (Optional) Run trust 8021p-protocol

    The 802.1p priority of user packets is set to be trusted.

    The trust 8021p-protocol command can be configured only when the access type is set to Layer 2 subscriber access.

  7. (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] [ user-type { ipoe | pppoe } ] ]

    The number of users that are allowed access through the interface is configured.

    • If the access-limit command is configured on a sub-interface enabled with BAS, the number of VLAN users that access the sub-interface is limited.
    • If the access-limit command is configured on a main interface enabled with BAS and the VLAN range is not specified in the command, the total number of VLAN users that access the main interface is limited. Note that the configuration of access-limit on a sub-interface takes precedence over that on the corresponding main interface.
    • You can also specify the user-type parameter to limit the maximum number of access users based on access types.

  8. (Optional) Run default-domain pre-authentication domain-name

    The default pre-authentication domain is specified.

    • Or run default-domain authentication [ force | replace ] domain-name

      The default authentication domain is specified.

    • Or run permit-domain domain-name &<1-16>

      The domain in which users are allowed to access is specified.

      Or run deny-domain domain-name &<1-16>

      The domain in which users are denied to access is specified.

      The permit-domain command cannot be configured together with the deny-domain command, deny-domain-list command, or permit-domain-list command on a BAS interface.

    • Or run permit-domain-list

      The list of domains whose users are allowed to access is specified.

      Or run deny-domain-list

      The list of domains whose users are denied to access is specified.

  9. (Optional) Run client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]

    The NE40E is configured to trust the access-line-id information reported by clients.

    Or, run basinfo-insert cn-telecom

    The NE40E is configured to insert access-line-id information in the format defined by China Telecom instead of trusting the access-line-id information reported by clients.

    Or run basinfo-insert version2

    The NE40E is configured to insert access-line-id information in the version2 format instead of trusting the access-line-id information reported by clients.

    The router will parse and transmit access-line-id information based on the following configurations:

    • Run the option82-relay-mode dslam { auto-identify | config-identify } command to allow the router to extract information from the access-line-id field in the packet sent from the DSLAM and add the information to Agent-CircuitID and Agent-RemoteID attributes sent to the RADIUS server. Or run the option82-relay-mode include { allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command to allow the NAS-Port-Id attribute sent to the RADIUS server to contain access-line-id information.
    • Run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-remote-id { hex | string } } command to configure the format of Agent-CircuitID or Agent-RemoteID information.

    Or run vbas vbas-mac-address [ auth-mode { ignore | reject } ]

    The function of locating a user through the virtual BAS (VBAS) is enabled.

  10. (Optional) Run client-option60

    The router is configured to trust the Option 60 information reported by clients.

    If the Option 60 field contains the domain name delimiter (@ by default), the character string following the delimiter is used as the domain name. If the field contains no delimiter, the router performs a fuzzy or exact match of the domain name information, depending on the configured mode. If no user domain information is obtained from Option 60, the router continues searching in the following order and stops as soon as user domain information is obtained:

    1. Check whether the client-option60 command is configured on the BAS interface. If the command is configured, obtain user domain information from the command configuration.
    2. Check whether the dhcp option-60 command is configured in the system view. If the command is configured, obtain user domain information from the command configuration.
    3. Use the authentication domain configured on the BAS interface as the user domain.

  11. (Optional) Run option37-relay-mode include remote-id

    The DHCP6ACC component is enabled to remove enterprise number information from Option 37 in a Solicit or Request message to be sent to the UM component.

    The following operations must have been performed:

    • Run the client-option37 [ basinfo-insert ft-telecom ] command to enable the NE40E to trust the information in the Option 37 field of DHCPv6 messages sent by clients.
    • Run the client-option18 command to enable the server to trust the information in the Option 18 field of DHCPv6 messages sent by clients.

  12. (Optional) Run accounting-copy radius-server radius-name

    The accounting packet copy function is enabled.

  13. (Optional) Run link-account resolve

    An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry the link-account attribute.

    Before running the command, set the access type to Layer 2 subscriber access.

    The command affects the RADIUS attribute 25 (Class) in accounting request packets sent by the NE40E to a RADIUS accounting server.

    An interface fills the link-account information into the RADIUS attribute 25 (Class) only if both of the following conditions are met:
    • Users going online from the interface do not need to be authenticated, and RADIUS accounting is configured on the interface.
    • For common Layer 2 users, VLANs and VLAN descriptions are configured on the interface.

  14. Perform the following configurations by service type:

    • For IPoE access services:

      Run the ip-trigger command to enable user access triggered by IP packets. Or run the arp-trigger command to enable user access triggered by ARP packets.

    • For IPoEv6 access services:

      Run the ipv6-trigger command to enable user access triggered by IPv6 packets. Or run the nd-trigger command to enable user access triggered by NS/NA packets.

  15. (Optional) Run wlan-switch enable [ switch-group switch-group-name ]

    WLAN user roaming switchover is enabled.

    After WLAN user roaming switchover is enabled on a BAS interface, you need to configure the interface to use received user packets to trigger roaming procedures for WLAN users. Perform the following configurations based on the actual roaming scenarios:
    • If users do not pass through Wi-Fi blind spots when roaming between different APs, run either the ip-trigger or arp-trigger command or both to configure the interface to trigger roaming procedures for the WLAN users based on the received IP or ARP packets, or run the ipv6-trigger command to configure the interface to trigger roaming procedures for Layer 2 IPv6 users based on the received IPv6 packets.
    • If users pass through Wi-Fi blind spots when roaming between different APs, run the dhcp session-mismatch action roam { ipv4 | ipv6 } * command to configure the interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6 Solicit messages to re-log in.
      NOTE:
      • The dhcp session-mismatch action roam { ipv4 | ipv6 } * and dhcp session-mismatch action offline commands override one another. If the two commands are run on the same interface, the command run later takes effect.
      • The dhcp session-mismatch action roam { ipv4 | ipv6 } * command can be configured together with the ip-trigger, the arp-trigger and the ipv6-trigger commands.

    After the preceding steps are performed, WLAN users do not need to be re-authenticated for login after being logged out when roaming between different APs. This ensures that services are not interrupted.

  16. (Optional) Run user detect retransmit num interval time [ no-datacheck ] or user detect no-datacheck

    User detection parameters are configured.

  17. (Optional) Run dhcp session-mismatch action offline

    Online users whose physical location information is changed but MAC addresses remain unchanged are logged out when they resend DHCP or ND login requests.

  18. (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]

    The BAS interface is blocked.

  19. Run authentication-method { bind | { ppp } * }

    The authentication mode is configured.

    You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple authentication modes can be configured on an interface but you should note the following:

    • Bind authentication conflicts with other authentication modes.

  20. (Optional) Run dhcp-reply trust broadcast-flag

    The device is enabled to use the broadcast flag value in a DHCP request packet to determine the destination MAC address type for a DHCP response packet.

    NOTE:

    After the dhcp-reply trust broadcast-flag command is run, if the broadcast flag value in a DHCP request packet is 1, the device replies with a DHCP response packet that carries the broadcast address of all Fs as the destination MAC address; if the broadcast flag value in a DHCP request packet is 0, the device replies with a DHCP response packet that carries the user MAC address as the destination MAC address.

    The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.

    The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast command.

  21. (Optional) Run dhcpv6 user-identify-policy { option79-option38 | option38-option79 | option79 | option38 } [ no-exist-action offline ]

    A method is configured for obtaining MAC addresses of Layer 3 DHCPv6 users during login.

  22. Run commit

    The configuration is committed.
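The domain lookup order described in step 10 (client-option60) is easy to misread, so here is the search carried through in code. This is an added illustration, not Huawei code: the Option60Config fields, the "fuzzy = substring" interpretation of the fuzzy match mode, the way the BAS-interface and system-view commands yield a domain, and the sample domains are all assumptions or constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Option60Config:
    """Assumed model of the device settings that influence the lookup."""
    delimiter: str = "@"               # domain name delimiter, @ by default
    match_mode: str = "exact"          # "exact" or "fuzzy"; fuzzy = substring match (assumption)
    known_domains: List[str] = field(default_factory=list)  # domains configured under aaa
    bas_client_option60: bool = False  # client-option60 configured on the BAS interface
    bas_option60_domain: Optional[str] = None     # domain that configuration yields (assumption)
    system_option60_domain: Optional[str] = None  # domain from dhcp option-60 in the system view (assumption)
    bas_auth_domain: str = "default0"  # authentication domain on the BAS interface (constructed)


def domain_from_option60(value: str, cfg: Option60Config) -> Optional[str]:
    """Extract a domain name from the raw Option 60 string, or None if there is none."""
    if cfg.delimiter in value:
        # Text after the first delimiter is the domain; an empty suffix counts as not found.
        return value.split(cfg.delimiter, 1)[1] or None
    # No delimiter: compare the whole field against the configured domains.
    for dom in cfg.known_domains:
        if cfg.match_mode == "exact" and value == dom:
            return dom
        if cfg.match_mode == "fuzzy" and dom in value:
            return dom
    return None


def resolve_user_domain(option60: Optional[str], cfg: Option60Config) -> Tuple[str, str]:
    """Return (domain, source) following the search order given in step 10."""
    if option60:
        dom = domain_from_option60(option60, cfg)
        if dom:
            return dom, "option60"
    # 1. client-option60 on the BAS interface
    if cfg.bas_client_option60 and cfg.bas_option60_domain:
        return cfg.bas_option60_domain, "bas client-option60"
    # 2. dhcp option-60 in the system view
    if cfg.system_option60_domain:
        return cfg.system_option60_domain, "system dhcp option-60"
    # 3. authentication domain of the BAS interface
    return cfg.bas_auth_domain, "bas authentication domain"


if __name__ == "__main__":
    cfg = Option60Config(known_domains=["isp1", "isp2"], system_option60_domain="sysdom")
    for raw in ["vendorX@isp1", "isp2", "unknown-vendor", "vendorX@", None]:
        print(raw, "->", resolve_user_domain(raw, cfg))
```

Note the fall-through on "vendorX@": the delimiter is present but nothing follows it, so the field yields no domain and the search continues down the list rather than producing an empty domain name.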

(Optional) Configuring Access Control on a BAS Interface

Configure a BAS interface to filter users that attempt to go online so that only specified users are allowed to access the router.

Context

To filter users based on source MAC addresses, configure an ACL rule. When a DHCP or PPP user attempts to go online, match the user's source MAC address against the ACL rule. If matched, the user is allowed to go online.

Perform the following steps on the NE40E:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]

    The ACL view is displayed.

  3. Run rule [ rule-id ] { deny | permit } source-mac source-mac sourcemac-mask

    An ACL rule is configured.

    NOTE:

    BAS interfaces support only ACLs in the range 4000 to 4999, and the ACL rules can only define users' source MAC addresses. The source MAC address for DHCP users is the hardware address carried in DHCP packets.

    When a BAS interface uses a filter-policy to filter users, note the following:
    • If the action specified in the ACL rule is permit, only users matching the rule are allowed to access the router.

    • If the action specified in the ACL rule is deny, users matching the rule are not allowed to access the router, and the other users are allowed to access the router.

    • If the ACL does not have any rules, the BAS interface that references this ACL does not filter access users based on users' MAC addresses.

    • If the ACL referenced by the BAS interface does not exist, the BAS interface does not filter access users based on users' MAC addresses.

  4. Run quit

    Return to the system view.

  5. (Optional) Run ppp keepalive slow acl acl-num source-mac

    PPP slow reply is configured for PPP echo packets with a specified MAC address.

  6. Run interface interface-type interface-number [ .subinterface-number ]

    The interface view is displayed.

  7. Run bas

    A BAS interface is created and the BAS interface view is displayed.

  8. Run filter-policy acl acl-number ppp

    The BAS interface is configured to filter users that attempt to go online based on ACL rules. With the ppp keyword the filter applies to PPP users; the filter-policy acl acl-number dhcp form described in the note below applies it to DHCP users.

    NOTE:
    • Before running the filter-policy acl command, the BAS interface must already have the access-type command configured.

    • An access type can be bound to only one ACL on an interface.

    • Because IP addresses are assigned to DHCP users based on the MAC addresses contained in user DHCP packets, if you run the filter-policy acl acl-number dhcp command to filter users, the command filters users based on source MAC addresses contained in the DHCP packets, rather than those contained in the Ethernet headers. This command cannot filter out attackers whose MAC addresses contained in Ethernet headers are inconsistent with those contained in DHCP packets. To protect the device from this type of attack, run the dhcp check chaddr command.
    • The filter-policy acl acl-number ppp command applies to PPPoE, PPPoEoA, and L2TP users.

  9. Run commit

    The configuration is committed.
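The note in step 8 makes a point worth seeing in code: the DHCP filter matches the hardware address inside the DHCP message (chaddr), not the Ethernet source MAC, which is why dhcp check chaddr is needed alongside it. The following simulation of that decision is an added example, not device code. The MacRule, DhcpPacket and admit() names, the mask convention (1 bits compared, 0 bits wildcarded), the handling of an ACL that mixes permit and deny rules, and the sample MAC addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aaaa-bbbb-cccc' (Huawei notation) or 'aa:bb:cc:dd:ee:ff' into an int."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


@dataclass
class MacRule:
    """One 'rule ... { deny | permit } source-mac source-mac sourcemac-mask' entry."""
    action: str        # "permit" or "deny"
    source_mac: str
    mask: str          # assumption: 1 bits are compared, 0 bits are wildcards

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return (mac_to_int(mac) & m) == (mac_to_int(self.source_mac) & m)


@dataclass
class DhcpPacket:
    eth_src: str       # source MAC in the Ethernet header
    chaddr: str        # client hardware address inside the DHCP message


def filter_policy_allows(acl: Optional[List[MacRule]], pkt: DhcpPacket) -> bool:
    """Rules from the page: permit -> only matching users pass; deny -> matching
    users are rejected and everyone else passes; an empty or missing ACL filters nobody."""
    if not acl:
        return True                       # ACL absent or has no rules
    for rule in acl:                      # config order (match-order config assumed)
        if rule.matches(pkt.chaddr):      # matched against the DHCP chaddr, not eth_src
            return rule.action == "permit"
    # No rule matched: pass only if the ACL consists solely of deny rules (assumption
    # for mixed ACLs: treat them like permit ACLs and reject non-matching users).
    return all(r.action == "deny" for r in acl)


def chaddr_consistent(pkt: DhcpPacket) -> bool:
    """What dhcp check chaddr enforces: chaddr must equal the Ethernet source MAC."""
    return mac_to_int(pkt.eth_src) == mac_to_int(pkt.chaddr)


def admit(acl: Optional[List[MacRule]], pkt: DhcpPacket, check_chaddr: bool) -> Tuple[bool, str]:
    """Combined admission decision; returns (allowed, reason)."""
    if check_chaddr and not chaddr_consistent(pkt):
        return False, "chaddr mismatch"
    if not filter_policy_allows(acl, pkt):
        return False, "filter-policy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed ACL 4000: permit one OUI-style prefix 00e0-fc12-xxxx.
    acl4000 = [MacRule("permit", "00e0-fc12-0000", "ffff-ffff-0000")]
    legit = DhcpPacket(eth_src="00e0-fc12-0a01", chaddr="00e0-fc12-0a01")
    forged = DhcpPacket(eth_src="0011-2233-4455", chaddr="00e0-fc12-0a01")
    print("legit, chaddr check on :", admit(acl4000, legit, True))
    print("forged, chaddr check off:", admit(acl4000, forged, False))
    print("forged, chaddr check on :", admit(acl4000, forged, True))
```

The "forged" packet passes the MAC ACL when only filter-policy is applied and is rejected only once the chaddr consistency check is enabled, which is the gap the note describes.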

(Optional) Enabling One-to-Many Mapping Between One MAC Address and Many Sessions

Context

When the NE40E functions as a BRAS or DHCP server, it can assign IP addresses only to IPoE users with different MAC addresses. If you want the NE40E to assign IP addresses to users with the same MAC address, configure one-to-many mapping between one MAC address and many sessions. These users with the same MAC address must have different VLAN IDs or interface numbers, and different circuit IDs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipoe-server multi-sessions per-mac enable

    One-to-many mapping between one MAC address and many sessions is enabled for IPoE users to allow the NE40E to assign IP addresses to IPoE users with the same MAC address.

  3. Run commit

    The configuration is committed.
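The effect of ipoe-server multi-sessions per-mac enable is a change in what makes a session unique. The model below is an added example, not device code: the session-table class, the LoginRequest fields and the sample interface names and circuit IDs are constructed; the uniqueness conditions (different VLAN ID or interface number, and a different circuit ID) are taken from the context paragraph above.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class LoginRequest:
    mac: str
    interface: str    # constructed name, e.g. "GE1/0/1.100"
    vlan: int
    circuit_id: str   # Option 82 circuit ID reported for the line (constructed)


class IpoeSessionTable:
    """Simplified IPoE session admission keyed on the MAC address alone, or on
    MAC plus line identifiers when multi-sessions per-mac is enabled."""

    def __init__(self, multi_sessions_per_mac: bool = False):
        self.multi = multi_sessions_per_mac
        self.sessions: Dict[Tuple, LoginRequest] = {}

    def admit(self, req: LoginRequest) -> Tuple[bool, str]:
        if not self.multi:
            key: Tuple = (req.mac,)
            if key in self.sessions:
                return False, "MAC already online"
        else:
            for s in self.sessions.values():
                if s.mac != req.mac:
                    continue
                same_line = s.vlan == req.vlan and s.interface == req.interface
                if same_line or s.circuit_id == req.circuit_id:
                    return False, "duplicate MAC on same line or circuit ID"
            key = (req.mac, req.interface, req.vlan, req.circuit_id)
        self.sessions[key] = req
        return True, "online"

    def online_count(self) -> int:
        return len(self.sessions)


if __name__ == "__main__":
    a = LoginRequest("00e0-fc00-0001", "GE1/0/1.100", 100, "cid-A")
    b = LoginRequest("00e0-fc00-0001", "GE1/0/1.200", 200, "cid-B")
    default_table = IpoeSessionTable(multi_sessions_per_mac=False)
    print("default :", default_table.admit(a), default_table.admit(b))
    multi_table = IpoeSessionTable(multi_sessions_per_mac=True)
    print("per-mac :", multi_table.admit(a), multi_table.admit(b))
```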

(Optional) Configuring Flexible Access to VPNs

Service priorities can be identified based on the 802.1p values of service packets, and the packets are then transmitted to the corresponding VPNs.

Context

On the network shown in Figure 6-2, service packets carry 802.1p values to identify their priorities. The BRAS can identify service priorities based on the 802.1p values of received Layer 2 service packets and transmit the service packets to corresponding VPNs. To allow this, enable a BAS interface to transmit packets to different VPNs based on 802.1p priorities of the packets and also bind VPN instances to different 802.1p priorities.

Figure 6-2 Flexible access to VPNs

Procedure

  1. Create a VPN instance. (Both user and service VPN instances must be configured.)
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      A VPN instance is created, and the VPN instance view is displayed.

    3. Run ipv4-family

      The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    4. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

    5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the VPN instance IPv4 address family.

    6. Run quit

      Return to the VPN instance view.

    7. Run quit

      Return to the system view.

  2. Create a local address pool.
    1. Run ip pool pool-name [ bas { local [ rui-slave ] | remote [ overlap | rui-slave ] | dynamic } ]

      An address pool is created.

    2. Run vpn-instance vpn-instance-name

      A VPN instance is specified for the address pool.

      The VPN instance specified for the address pool must be the user VPN instance configured in Step 1.

    3. Run gateway ip-address { mask | mask-length }

      The gateway IP address and subnet mask are configured for the address pool.

    4. Run section section-num start-ip-address [ end-ip-address ]

      An address segment is configured for the address pool.

    5. Run import vpn-instance vpn-instance-name

      A VPN instance is imported to the address pool.

      The VPN instance imported to the address pool must be the service VPN instance created in Step 1.

    6. Run quit

      Return to the system view.

  3. Configure a user domain.
    1. Run aaa

      The AAA view is displayed.

    2. Run domain domain-name

      A domain is created, and the domain view is displayed.

    3. Run authentication-scheme authentication-scheme-name

      An authentication domain is configured for the domain.

    4. Run accounting-scheme accounting-scheme-name

      An accounting scheme is configured for the domain.

    5. Run ip-pool pool-name

      An address pool is bound to the domain.

    6. Run quit

      Return to the AAA view.

    7. Run quit

      Return to the system view.

  4. Configure a user access interface.
    1. Run interface interface-type interface-number.subinterface-number

      A sub-interface is created.

    2. Run user-vlan { { start-vlan-id [ end-vlan-id ] [ qinq start-pe-vlan [ end-pe-vlan ] ] } }

      A user-VLAN sub-interface is configured.

    3. Run 802.1p 802.1p-priority binding vpn-instance vpn-instance-name

      A VPN instance is bound to an 802.1p priority.

      The VPN instance bound to the 802.1p priority must be the service VPN instance created in Step 1.

      NOTE:

      The binding between VPN instances and 802.1p priorities cannot be modified or deleted if the BAS interface has online users.

    4. Run quit

      Return to the sub-interface view.

    5. Run bas

      The sub-interface is configured as a BAS interface, and the BAS interface view is displayed.

    6. Run access-type layer2-subscriber [ default-domain { authentication [ force | replace ] dname | pre-authentication predname } * | bas-interface-name bname | accounting-copy radius-server rd-name ] *

      The access type of the BAS interface is configured as Layer 2 subscriber access.

    7. Run authentication-method { bind | { fast | web } }

      An authentication method is configured for the BAS interface.

    8. Run 802.1p-to-vpn

      The BAS interface is enabled to transmit packets to different VPNs based on the 802.1p priorities of the packets.

    9. Run quit

      Return to the sub-interface view.

    10. Run quit

      Return to the system view.

  5. Configure a network-side ACL and define redirection for the ACL.
    1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

      A basic ACL is created.

    2. Run rule [ rule-id ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

      A rule is created for the ACL.

    3. Run quit

      Return to the system view.

    4. Run vpn-group vpn-group-name [ vpn-instance vpn-name [ vpn-name ] &<1-8> ]

      A VPN group is created, and a VPN instance is added to the VPN group.

      The VPN instance added to the VPN group must be the user VPN instance created in Step 1.

    5. Run traffic behavior behavior-name

      A traffic behavior is configured, and the traffic behavior view is displayed.

    6. Run redirect vpn-group vpn-group-name

      Packet redirection to a specified VPN group is configured.

      The VPN group to which packets are redirected must be the one created in Step 4 of this procedure (the vpn-group command).

    7. Run quit

      Return to the system view.

    8. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is configured, and the traffic classifier view is displayed.

    9. Run if-match acl acl { acl-number | name acl-name }

      An IPv4 ACL is specified for MF classification.

    10. Run quit

      Return to the system view.

    11. Run traffic-policy policy-name

      A traffic policy is configured.

    12. Run share-mode

      The shared mode is specified for the traffic policy.

    13. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A traffic behavior is specified for a traffic classifier in the traffic policy.

    14. Run quit

      Return to the system view.

  6. Configure a network-side interface.
    1. Run interface interface-type interface-number

      A sub-interface is created.

    2. Run vlan-type dot1q vlanid { 8021p { 8021p-value1 [ to 8021p-value2 ] } &<1-8> | dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> | default | eth-type pppoe }

      The dot1q VLAN type is configured for the sub-interface.

    3. Run ip binding vpn-instance vpn-instance-name

      A VPN instance is bound to the sub-interface.

      The VPN instance bound to the sub-interface must be the service VPN instance created in Step 1.

    4. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the sub-interface.

    5. Run traffic-policy policy-name { inbound | outbound }

      The traffic policy is applied to the sub-interface.
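The user-side sub-interface (802.1p-to-VPN mapping), the network-side ACL with VPN-group redirection, and the network-side sub-interface are separate step lists above; the following brings them together as one configuration in the order the steps run. This is an added example, not configuration from the Huawei guide, and every name in it is assumed: interfaces GigabitEthernet1/0/0.1 (user side) and GigabitEthernet2/0/0.1 (network side), VPN instances vpn-user (the user VPN), vpn-voice and vpn-data (the service VPNs), domain dom-ipoe, ACL 2100, VPN group vgrp-user, the traffic behavior, classifier and policy names, and the addresses 10.10.0.0/16 (taken as the subscriber address-pool range) and 192.168.10.1/24. The ip vpn-instance block stands in for Step 1 of the procedure, which is outside this section; it is included only so the example is self-contained.

```text
#
ip vpn-instance vpn-user
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance vpn-voice
 ipv4-family
  route-distinguisher 100:2
#
ip vpn-instance vpn-data
 ipv4-family
  route-distinguisher 100:3
#
interface GigabitEthernet1/0/0.1
 user-vlan 1 100
  802.1p 5 binding vpn-instance vpn-voice
  802.1p 0 binding vpn-instance vpn-data
  quit
 bas
  access-type layer2-subscriber default-domain authentication dom-ipoe
  authentication-method bind
  802.1p-to-vpn
  quit
 quit
#
acl number 2100
 rule 5 permit source 10.10.0.0 0.0.255.255
 quit
#
vpn-group vgrp-user vpn-instance vpn-user
#
traffic behavior tb-to-user
 redirect vpn-group vgrp-user
 quit
#
traffic classifier tc-user-subnet operator or
 if-match acl 2100
 quit
#
traffic-policy tp-return-to-user
 share-mode
 classifier tc-user-subnet behavior tb-to-user
 quit
#
interface GigabitEthernet2/0/0.1
 vlan-type dot1q 200 default
 ip binding vpn-instance vpn-voice
 ip address 192.168.10.1 255.255.255.0
 traffic-policy tp-return-to-user inbound
 quit
#
```

The two directions are tied together by the VPN names: upstream, the 802.1p binding under user-vlan plus 802.1p-to-vpn under bas sends a subscriber's packets into vpn-voice or vpn-data according to the 802.1p value carried in the frame; downstream, the policy applied inbound on the network-side sub-interface redirects packets matching ACL 2100 into the VPN group that holds vpn-user, which is how return traffic reaches the subscribers. The ACL rule is deliberately limited to the subscriber address range rather than any, so that only traffic addressed to subscribers is pulled into the user VPN. The same 802.1p binding is needed for every priority value subscribers are expected to send; as the note in Step 3 states, the bindings cannot be changed once the BAS interface has online users, so the full set should be in place before users come online.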

Verifying the IPoE Access Service Configuration

After configuring IPoE access, you can view information about the IPoE access service.

Procedure

  • Run the display access-user command to check information about online users. To view information about specific users, you can configure parameters in the command to specify users.
  • Run the display web-auth-server configuration command to check the configuration of the Web authentication server.
  • Run the display domain command to check the configuration of the domain.
  • Run the display acl command to check the configuration of the ACL.
  • Run the display interface command to check the status of the VE interface.

Example

Run the display access-user command. If the IPoE access service is configured successfully, you can view information about all access users.

<HUAWEI> display access-user
 ------------------------------------------------------------------------------
  Total users                        : 9
  IPv4 users                         : 9
  IPv6 users                         : 0
  Dual-Stack users                   : 0
  Lac users                          : 0
  RUI local users                    : 0
  RUI remote users                   : 0
  Wait authen-ack                    : 0
  Authentication success             : 9
  Accounting ready                   : 9
  Accounting state                   : 0
  Wait leaving-flow-query            : 0
  Wait accounting-start              : 0
  Wait accounting-stop               : 0
  Wait authorization-client          : 0
  Wait authorization-server          : 0
  ------------------------------------------------------------------------------
  Domain-name                        Online-user
  ------------------------------------------------------------------------------
  default0                           : 0
  default1                           : 0
  default_admin                      : 0
  wq                                 : 0
  chen                               : 0
  isp7                               : 0
  gaoli                              : 0
  ly                                 : 0
  test                               : 0
  lsh                                : 9
  ------------------------------------------------------------------------------
  The used CID table are             :
  20-28
  ------------------------------------------------------------------------------

After the configuration is complete, you can run the display web-auth-server configuration command to view the configuration of the Web authentication server.

<HUAWEI> display web-auth-server configuration
  Source interface      : -
  Listening port        : 2000
  Portal                : version 1, version 2, version 3
  Display reply message : enabled
  ------------------------------------------------------------------------
           Server  Share-Password     Port  NAS-IP  Vpn-instance
  ------------------------------------------------------------------------
    192.168.3.140  ******            50100   NO
  ------------------------------------------------------------------------
  1 Web authentication server(s) in total

After the configuration is complete, you can run the display acl command to view the configuration of the ACL.

<HUAWEI> display acl 3100
Advanced ACL  3100, 3 rules,
 rule 0 permit icmp (2 times matched)
 rule 1 permit ip source 10.1.1.1 0 destination 10.2.2.2 0 (0 times matched)
 rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)

After the configuration is complete, you can run the display interface command to view the status of the VE interface.

<HUAWEI> display interface virtual-ethernet 1/0/0
Virtual-Ethernet1/0/0 current state : UP
Line protocol current state : UP
Last up time: 2007-11-17, 17:23:43
Description:Virtual-Ethernet81/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.0.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc97-a4ab
Updated: 2019-01-03

Document ID: EDOC1100055031