NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Configuring IPoEv6 Access Services

IPoEv6 access users go online by sending ordinary packets rather than by dialing up. Therefore, no dial-up software needs to be installed on the client.

Context

IPoEv6 access refers to a packet-triggering access mode in which users access the NE40E by using DHCPv6, ND, or IPv6 packets.

IPoEv6 access services include IPoEv6, IPoEoVLANv6, and IPoEoQv6 services. These services differ in terms of the protocol stack. In IPoEv6 access mode, users can directly access the Internet using Web browsers, without having to install client dial-up software on their PCs.

The service models of different carriers may differ, and the operating modes of home gateways may also differ on a broadband access network. A home gateway may operate in bridging mode, numbered routing mode, or unnumbered routing mode.

Pre-configuration Tasks

Before configuring the IPoEv6 access service, complete the following tasks:

  • Loading the BRAS license (For details, see the HUAWEI NetEngine40E Universal Service Router Configuration Guide-System Management.)

  • Configuring AAA Schemes to configure authentication, authorization, and accounting schemes

  • Configuring RADIUS, based on the protocol used by the AAA schemes

  • Configuring an AAA Scheme for a Domain to bind authentication, authorization, and accounting schemes to the user domain

  • Configuring Servers for a Domain to bind a RADIUS or HWTACACS server to the user domain

  • Enabling IPv6 on the device as well as interfaces and configuring IPv6 addresses (link-local addresses for Layer 2 access) on IPv6 interfaces

NOTE:

If the link-local address is deleted or IPv6 is disabled either from an interface or globally, IPv6 on the BAS interface goes Down, and IPv4/IPv6 dual-stack users who access the BAS interface are logged out.

Configuring an Authentication Mode

This section describes several authentication modes, which can be chosen based on networking requirements.

Context

NOTE:

IPv4 and IPv6 authentication modes (bind authentication) for an IPv4/IPv6 dual-stack user must be the same.

  • Bind authentication

    For configuration details, see Configuring Binding Authentication.

    DHCPv4 options are used in bind authentication mode on an IPv4 network. If the network is upgraded to an IPv6 network, using the DHCPv6 protocol to allocate IPv6 addresses is recommended. Authentication information can be added to DHCPv6 options, remaining unchanged after the network is upgraded from IPv4 to IPv6.

Configuring an Address Allocation Mode

The address allocation modes supported by the NE40E include NDRA, DHCPv6(IA_NA), DHCPv6(IA_PD), DHCPv6(IA_NA)+PD(IA_PD), and NDRA+DHCPv6(IA_PD). One of them can be configured based on networking conditions.

Context

The address allocation mode varies according to the CPE working mode, as summarized below (CPE working mode, scenario, and the IPv6 address configuration mode to use):

  • Bridging mode: The host initiates a connection request. The CPE transparently forwards the user request packet, and the NE40E allocates an IPv6 address to the host. IPv6 address configuration mode: NDRA or DHCPv6(IA_NA).
  • Unnumbered routing mode: The CPE initiates a connection request. After receiving the request, the NE40E allocates a prefix to the CPE, which the CPE uses to generate IPv6 addresses for the hosts attached to it. IPv6 address configuration mode: DHCPv6(IA_PD).
  • Numbered routing mode: The CPE initiates a connection request. After receiving the request, the NE40E allocates an IPv6 address to the WAN interface on the CPE and a prefix from which the CPE generates IPv6 addresses for the hosts attached to it. IPv6 address configuration mode: DHCPv6(IA_NA)+PD(IA_PD) or NDRA+DHCPv6(IA_PD).

NOTE:
  • Layer 3 users of a leased line obtain their addresses from the access router. The NE40E is responsible only for authentication and accounting, not for address allocation.

If an IPv4 network is upgraded to an IPv6 network, the CPE working mode and authentication mode do not need to be changed unless there are special service requirements. In PPP authentication mode, either ND or DHCPv6 can be used for address allocation. In bind authentication mode, using DHCPv6 for address allocation is recommended. In 802.1X or web authentication mode, using DHCPv6 for address allocation is recommended if user terminals support ND+PD.

The IPv6 addresses assigned using ND to the WAN interfaces on CPEs are used to communicate with the BRAS, while prefixes assigned using PD allow CPEs to generate IPv6 addresses for the attached terminals. By default, the assigned PD addresses and the IPv6 addresses assigned using ND are released at the same time. To release only the assigned PD addresses while keeping the ND-assigned IPv6 addresses used to communicate with the CPEs, configure the device to separately release PD addresses for IPoE users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    The AAA domain view is displayed.

  4. Run ipv6 pd-address-release separate user-type ipoe

    The device is enabled to release only the assigned PD addresses in scenarios where CPEs work in numbered routing mode.

  5. Run commit

    The configuration is committed.

Binding a Sub-interface to a VLAN

The NE40E processes tagged user packets received from different types of users differently, so that each type of packet is forwarded correctly.

Context

If users access the network by using a sub-interface, the sub-interface needs to be bound to a VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding a sub-interface to a VLAN, you need the following parameters:

  • Sub-interface number
  • VLAN ID
  • QinQ ID
NOTE:
  • On each main interface, the any-other parameter can be set on only one sub-interface. On a given sub-interface, any-other cannot be set together with start-vlan or qinq.
  • If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a sub-interface, the user-vlan cannot be configured on this sub-interface.
  • Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

Perform the following steps on the NE40E:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number.subinterface-number

    A sub-interface is created and the sub-interface view is displayed.

  3. For Layer 2 subscriber access, run:

    user-vlan { start-vlan [ end-vlan ] [ dot1q start-qinq-id [ end-qinq-id ] ] | any-other }

    A user-side VLAN is created.

    For Layer 3 subscriber access, run:

    vlan-type dot1q vlan-id

    A user-side VLAN is created.

  4. Run commit

    The configuration is committed.

Configuring a BAS Interface

When an interface is used for broadband access, you need to configure it as a BAS interface, and then specify the user access type and attributes for the interface.

Context

When configuring a BAS interface, you need the following parameters:

  • BAS interface number

  • Access type and authentication scheme

  • (Optional) Maximum number of users that are allowed access through the BAS interface and maximum number of users that are allowed access through a specified VLAN

  • (Optional) Default domain, roaming domain, and domains that users are allowed to access

  • (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting packet copy, IP packet trigger-online, and user-based multicast replication

  • (Optional) Whether to trust the access-line-id information reported by clients, user detection parameters, VPN instances of non-PPP users, and BAS interface name

Perform the following steps on NE40E:

NOTE:
  • The password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.
  • For security purposes, you are advised to configure the password in ciphertext mode and to change it periodically.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [ .subinterface-number ]

    The interface view is displayed.

    NOTE:
    In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the interface to a VE group. In scenarios with BRAS access through L3VPN termination, run the ve-group ve-group-id l3-terminate command to configure the VE interface as an L3VE interface to terminate an L3VPN and bind the interface to a VE group. The preceding commands are configured in the VE interface view. Only Layer 3 static user access is supported in scenarios with BRAS access through L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN Termination.

  3. Run bas

    A BAS interface is created, and the BAS interface view is displayed.

    You can configure an interface as the BAS interface by running the bas command in the interface view. You can configure an Ethernet interface or its sub-interface, a VE interface or its sub-interface, an ATM interface or its sub-interface, or an Eth-Trunk interface or its sub-interface as a BAS interface.

  4. Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-authentication predname ] } ]

    The access type is set to Layer 2 subscriber access and the attributes of this access type are configured.

    Or run access-type layer3-subscriber [ default-domain { [ pre-authentication predname ] authentication [ force | replace ] dname } ]

    The access type is set to Layer 3 subscriber access and the attributes of this access type are configured.

    When setting the access type on the BAS interface, you can set the service attributes of the access users at the same time. You can also set these attributes in later configurations.

    When configuring Layer 3 subscriber access, you can run the layer3-subscriber start-ip-address end-ip-address [ vpn-instance instance-name ] domain-name domain-name command and the layer3-subscriber ip-address any domain-name domain-name command in the system view to specify an IP address segment and authentication domain name.

    The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk interface. You can configure the access type of such an Ethernet interface only on the associated Eth-Trunk interface.

    When configuring static routes for Layer 3 users, specify the next hop as the user IP address and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be forwarded.

    Run access-type layer2-leased-line user-name uname password { cipher password | simple password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } ] *

    The access type is set to Layer 2 leased line access and the attributes of this access type are configured.

    Run access-type layer3-leased-line { user-name uname | user-name-template } password { cipher password | simple password } [ default-domain authentication dname | bas-interface-name bname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } | mac-address mac-address | client-id client-id ] *

    The access type is set to Layer 3 leased line access and the attributes of this access type are configured.

    If there is an online user on the BAS interface, you can change the access type on the interface only when the online user is a leased line user.

    After the access type is set to leased line access, the NE40E performs authentication on the leased line users immediately.

  5. (Optional) Run access leased-line connection chasten request-session request-period blocking-period quickoffline

    Suppression of leased line user access is enabled.

    If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is 0, the leased line user can go online but will go offline immediately. This results in frequent login and logout of leased line users.

    The command can be run to configure the maximum number of connection requests allowed, the interval at which connection requests can be sent, and a blocking period.

  6. (Optional) Run trust 8021p-protocol

    The 802.1p priority of user packets is set to be trusted.

    The trust 8021p-protocol command can be configured only when the access type is set to Layer 2 subscriber access.

  7. (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] [ user-type { ipoe | pppoe } ] ]

    The number of users that are allowed access through the interface is configured.

    • If the access-limit command is configured on a sub-interface enabled with BAS, the number of VLAN users that access the sub-interface is limited.
    • If the access-limit command is configured on a main interface enabled with BAS and the VLAN range is not specified in the command, the total number of VLAN users that access the main interface is limited. Note that the configuration of access-limit on a sub-interface takes precedence over that on the corresponding main interface.
    • You can also specify the user-type parameter to limit the maximum number of access users based on access types.

  8. (Optional) Run default-domain pre-authentication domain-name

    The default pre-authentication domain is specified.

    • Or run default-domain authentication [ force | replace ] domain-name

      The default authentication domain is specified.

    • Or run permit-domain domain-name &<1-16>

      The domain in which users are allowed to access is specified.

      Or run deny-domain domain-name&<1-16>

      The domain in which users are denied to access is specified.

      The permit-domain command cannot be configured together with the deny-domain command, deny-domain-list command, or permit-domain-list command on a BAS interface.

    • Or run permit-domain-list

      The list of domains whose users are allowed to access is specified.

      Or run deny-domain-list

      The list of domains whose users are denied to access is specified.

  9. (Optional) Run client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]

    The NE40E is configured to trust the access-line-id information reported by clients.

    Or, run basinfo-insert cn-telecom

    The NE40E is configured to insert the access-line-id information in the format defined by China Telecom instead of trusting the access-line-id information reported by clients.

    Or run basinfo-insert version2

    The NE40E is configured to insert the access-line-id information in the version2 format instead of trusting the access-line-id information reported by clients.

    The router will parse and transmit access-line-id information based on the following configurations:

    • Run the option82-relay-mode dslam { auto-identify | config-identify } command to allow the router to extract information from the access-line-id field in the packet sent from the DSLAM and add the information to Agent-CircuitID and Agent-RemoteID attributes sent to the RADIUS server. Or run the option82-relay-mode include { allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command to allow the NAS-Port-Id attribute sent to the RADIUS server to contain access-line-id information.
    • Run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-remote-id { hex | string } } command to configure the format of Agent-CircuitID or Agent-RemoteID information.

    Or run vbas vbas-mac-address [ auth-mode { ignore | reject } ]

    The function of locating a user through the virtual BAS (VBAS) is enabled.

  10. (Optional) Run client-option60

    The router is configured to trust the Option 60 information reported by clients.

    If user domain information is obtained from the Option 60 information, the character string following the domain name delimiter (defaulting to @) in the Option 60 field is used as the domain name. If no user domain information is obtained from the Option 60 information, the router performs the following procedure to continue searching for the information. If there is no domain name delimiter in the field, the router performs a fuzzy or exact match of the domain name information based on the configured mode. The procedure will stop if user domain information is obtained.

    1. Check whether the client-option60 command is configured on the BAS interface. If the command is configured, obtain user domain information from the command configuration.
    2. Check whether the dhcp option-60 command is configured in the system view. If the command is configured, obtain user domain information from the command configuration.
    3. Use the authentication domain configured on the BAS interface as the user domain.

  11. (Optional) Run option37-relay-mode include remote-id

    The DHCP6ACC component is enabled to remove enterprise number information from Option 37 in a Solicit or Request message to be sent to the UM component.

    The following operations must have been performed:

    • Run the client-option37 [ basinfo-insert ft-telecom ] command to enable the NE40E to trust the information in the Option 37 field of DHCPv6 messages sent by clients.
    • Run the client-option18 command to enable the server to trust the information in the Option 18 field of DHCPv6 messages sent by clients.

  12. (Optional) Run accounting-copy radius-server radius-name

    The accounting packet copy function is enabled.

  13. (Optional) Run link-account resolve

    An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry the link-account attribute.

    Before running the command, set the access type to Layer 2 subscriber access.

    The command affects RADIUS No. 25 attribute in accounting request packets sent by the NE40E to a RADIUS accounting server.

    An interface fills the link-account information into the RADIUS No. 25 attribute (Class) only if both of the following conditions are met:
    • Users getting online from the interface do not need to be authenticated, and RADIUS accounting is configured on the interface.
    • For common Layer 2 users, VLANs and VLAN descriptions are configured on the interface.

  14. Perform the following configurations by service type:

    • For IPoE access services:

      Run the ip-trigger command to enable user access triggered by IP packets. Or run the arp-trigger command to enable user access triggered by ARP packets.

    • For IPoEv6 access services:

      Run the ipv6-trigger command to enable user access triggered by IPv6 packets. Or run the nd-trigger command to enable user access triggered by NS/NA packets.

  15. (Optional) Run wlan-switch enable [ switch-group switch-group-name ]

    WLAN user roaming switchover is enabled.

    After WLAN user roaming switchover is enabled on a BAS interface, you need to configure the interface to use received user packets to trigger roaming procedures for WLAN users. Perform the following configurations based on the actual roaming scenarios:
    • If users do not pass through Wi-Fi blind spots when roaming between different APs, run either the ip-trigger or arp-trigger command or both to configure the interface to trigger roaming procedures for the WLAN users based on the received IP or ARP packets, or run the ipv6-trigger command to configure the interface to trigger roaming procedures for Layer 2 IPv6 users based on the received IPv6 packets.
    • If users pass through Wi-Fi blind spots when roaming between different APs, run the dhcp session-mismatch action roam { ipv4 | ipv6 } * command to configure the interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6 Solicit messages to re-log in.
      NOTE:
      • The dhcp session-mismatch action roam { ipv4 | ipv6 } * and dhcp session-mismatch action offline commands override one another. If the two commands are run on the same interface, the command run later takes effect.
      • The dhcp session-mismatch action roam { ipv4 | ipv6 } * command can be configured together with the ip-trigger, the arp-trigger and the ipv6-trigger commands.

    After the preceding steps are performed, WLAN users do not need to be re-authenticated for login after being logged out when roaming between different APs. This ensures that services are not interrupted.

  16. (Optional) Run user detect retransmit num interval time [ no-datacheck ] or user detect no-datacheck

    User detection parameters are configured.

  17. (Optional) Run dhcp session-mismatch action offline

    Online users whose physical location information is changed but MAC addresses remain unchanged are logged out when they resend DHCP or ND login requests.

  18. (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]

    The BAS interface is blocked.

  19. Run authentication-method { bind | { ppp } * }

    The authentication mode is configured.

    You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple authentication modes can be configured on an interface but you should note the following:

    • Bind authentication conflicts with other authentication modes.

  20. (Optional) Run dhcp-reply trust broadcast-flag

    The device is enabled to use the broadcast flag value in a DHCP request packet to determine the destination MAC address type for a DHCP response packet.

    NOTE:

    After the dhcp-reply trust broadcast-flag command is run, if the broadcast flag value in a DHCP request packet is 1, the device replies with a DHCP response packet that carries the broadcast address of all Fs as the destination MAC address; if the broadcast flag value in a DHCP request packet is 0, the device replies with a DHCP response packet that carries the user MAC address as the destination MAC address.

    The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.

    The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast command.

  21. (Optional) Run dhcpv6 user-identify-policy { option79-option38 | option38-option79 | option79 | option38 } [ no-exist-action offline ]

    A method is configured for obtaining MAC addresses of Layer 3 DHCPv6 users during login.

  22. Run commit

    The configuration is committed.
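As an added, constructed example (not from the Huawei guide), the following command sequence puts the three procedures above together: releasing PD addresses separately in the domain, binding a sub-interface to a user VLAN, and configuring that sub-interface as a Layer 2 IPoEv6 BAS interface with bind authentication. The domain name isp6, the interface GigabitEthernet0/1/0.100, VLAN 100, the user limit and the detection timers are assumed values, and IPv6 is assumed to be already enabled on the interface as the pre-configuration tasks require; the lines beginning with # are annotations, not commands.

```text
# Constructed example: every command below is one listed in the procedures on
# this page; names and numbers are assumptions chosen for illustration.

# "Configuring an Address Allocation Mode": system view -> AAA view -> domain view
system-view
aaa
domain isp6
ipv6 pd-address-release separate user-type ipoe   # release only PD addresses, keep the ND address of the CPE WAN interface
commit
quit
quit

# "Binding a Sub-interface to a VLAN": sub-interface view, Layer 2 access
interface GigabitEthernet0/1/0.100
user-vlan 100          # user-side VLAN 100; no other sub-interface may use this VLAN ID
commit

# "Configuring a BAS Interface": BAS interface view under the sub-interface
bas
access-type layer2-subscriber default-domain authentication isp6   # users without a domain name are authenticated in isp6
access-limit 2000      # cap on users allowed through this sub-interface (assumed value)
authentication-method bind   # bind authentication; cannot be combined with other modes
nd-trigger             # NS/NA packets trigger IPoEv6 user access
ipv6-trigger           # IPv6 packets trigger IPoEv6 user access
user detect retransmit 3 interval 60   # user detection: 3 retransmissions, 60 s apart (assumed values)
commit
```

After the commit, display bas-interface should list GigabitEthernet0/1/0.100 with access type Layer2-subscriber and config-state Updated, and display access-user shows the IPv6 users that come online through it.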

(Optional) Enabling One-to-Many Mapping Between One MAC Address and Many Sessions

Context

When the NE40E functions as a BRAS or DHCP server, it can assign IP addresses only to IPoE users with different MAC addresses. If you want the NE40E to assign IP addresses to users with the same MAC address, configure one-to-many mapping between one MAC address and many sessions. These users with the same MAC address must have different VLAN IDs or interface numbers, and different circuit IDs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipoe-server multi-sessions per-mac enable

    One-to-many mapping between one MAC address and many sessions is enabled for IPoE users to allow the NE40E to assign IP addresses to IPoE users with the same MAC address.

  3. (Optional) Run dhcpv6-server replace client-duid

    The NE40E that functions as a DHCPv6 relay agent is configured to replace the client DUID in a DHCPv6 message sent from a client with the one it generates for that client before sending the message to a server.

    This command is required for uniquely identifying clients if they have the same client DUID.

  4. Run commit

    The configuration is committed.

Verifying the IPoEv6 Access Service Configuration

After configuring the IPoEv6 access service, you can view the IPoEv6 access configurations.

Procedure

  • Run the display access-user command to check information about online users. To view information about specific users, you can configure parameters in the command to specify users.
  • Run the display bas-interface command to check BAS interface configurations.
  • Run the display dhcpv6 upgrade command to check the lease configuration for DHCPv6 users and determine when the device will restart.
  • Run the display vendor-class dhcpv6 command in the system view to check the mapping between the vendor-class attribute and a DHCPv6 option as well as the configured offset value.

Example

Run the display access-user command. If the IPoEv6 access service is configured successfully, information about all access users is displayed.
<HUAWEI> display access-user
 ------------------------------------------------------------------------------
  Total users                        : 9
  IPv4 users                         : 9
  IPv6 users                         : 0
  Dual-Stack users                   : 0
  Lac users                          : 0
  RUI local users                    : 0
  RUI remote users                   : 0
  Wait authen-ack                    : 0
  Authentication success             : 9
  Accounting ready                   : 9
  Accounting state                   : 0
  Wait leaving-flow-query            : 0
  Wait accounting-start              : 0
  Wait accounting-stop               : 0
  Wait authorization-client          : 0
  Wait authorization-server          : 0
  ------------------------------------------------------------------------------
  Domain-name                        Online-user
  ------------------------------------------------------------------------------
  default0                           : 0
  default1                           : 0
  default_admin                      : 0
  wq                                 : 0
  chen                               : 0
  isp7                               : 0
  gaoli                              : 0
  ly                                 : 0
  test                               : 0
  lsh                                : 9
  ------------------------------------------------------------------------------
  The used CID table are             :
  20-28
  ------------------------------------------------------------------------------

Run the display bas-interface command to check the BAS interface configurations.

<HUAWEI> display bas-interface
---------------------------------------------------------------------------
   Interface                BASIF-access-type       config-state   access-number
  ---------------------------------------------------------------------------
   Eth-Trunk0               Layer2-subscriber       Updated        0
   Eth-Trunk0.1             Layer2-subscriber       Updated        1
   Eth-Trunk0.1234          Layer2-subscriber       Updated        0
  ----------------------------------------------------------------------
  Total 3 BASIF is configured                                          

Run the display dhcpv6 upgrade command to view the lease configuration for DHCPv6 users and determine when the device will restart.

<HUAWEI> display dhcpv6 upgrade
DHCPv6 upgrade: enable.
Preferred lifetime: 0days 0hours 30minutes
Valid lifetime: 0days 1hours 0minutes
Renew time percent: 50%
Rebind time percent:80%
Renew time: 0days 0hours 15minutes
Rebind time: 0days 0hours 24minutes
Access DHCPv6 user count of new lifetime: 100 
Access DHCPv6 user count of old lifetime: 100
Access DHCPv6 user count of infinite lifetime: 10
Max interval from current for old lifetime DHCPv6 user renew: 0days 0hours 15minutes

Run the display vendor-class dhcpv6 command in the system view to view the mapping between the vendor-class attribute and a DHCPv6 option, as well as the configured offset value.

<HUAWEI> display vendor-class dhcpv6
Vendor-class DHCPv6: enable.
DHCPv6 option code: 17.
DHCPv6 offset : 4
Updated: 2019-01-03

Document ID: EDOC1100055031