Point-to-Point Protocol (PPP) is a point-to-point link layer protocol. It provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.

PPP includes the following protocols:

· Link control protocol (LCP)—Establishes, tears down, and monitors data links.

· Network control protocol (NCP)—Negotiates the packet format and type for data links.

· Authentication protocols—Authenticate users. Protocols include the following:

¡ Password Authentication Protocol (PAP).

¡ Challenge Handshake Authentication Protocol (CHAP).

¡ Microsoft CHAP (MS-CHAP).

¡ Microsoft CHAP Version 2 (MS-CHAP-V2).

PPP link establishment process

Figure 1 shows the PPP link establishment process.

Figure 1 PPP link establishment process

1. Initially, PPP is in Link Dead phase. After the physical layer goes up, PPP enters the Link Establishment phase (Establish).

2. In the Link Establishment phase, the LCP negotiation is performed. The LCP configuration options include Authentication-Protocol, Async-Control-Character-Map (ACCM), Maximum-Receive-Unit (MRU), Magic-Number, Protocol-Field-Compression (PFC), Address-and-Control-Field-Compression (ACFC), and MP.

¡ If the negotiation fails, LCP reports a Fail event, and PPP returns to the Dead phase.

¡ If the negotiation succeeds, LCP enters the Opened state and reports an Up event, indicating that the underlying layer link has been established. At this time, the PPP link is not established for the network layer, and network layer packets cannot be transmitted over the link.

3. If authentication is configured, the PPP link enters the Authentication phase, where PAP, CHAP, MS-CHAP, or MS-CHAP-V2 authentication is performed.

¡ If the client fails to pass the authentication, LCP reports a Fail event and enters the Link Termination phase. In this phase, the link is torn down and LCP goes down.

¡ If the client passes the authentication, LCP reports a Success event.

4. If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for NCP negotiation, such as IPCP negotiation and IPv6CP negotiation.

¡ If the NCP negotiation succeeds, the link goes up and becomes ready to carry negotiated network-layer protocol packets.

¡ If the NCP negotiation fails, NCP reports a Down event and enters the Link Termination phase.

If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP configuration options include IP addresses and DNS server IP addresses. After the IPCP negotiation succeeds, the link can carry IP packets.

5. After the NCP negotiation is performed, the PPP link remains active until either of the following events occurs:

¡ Explicit LCP or NCP frames close the link.

¡ Some external events take place (for example, the intervention of a user).

For more information about PPP, see RFC 1661.

PPP authentication

PPP supports the following authentication methods:

· PAP—PAP is a two-way handshake authentication protocol using the username and password.

PAP sends username/password pairs in plain text over the network. If authentication packets are intercepted in transit, network security might be threatened. For this reason, it is suitable only for low-security environments.

· CHAP—CHAP is a three-way handshake authentication protocol.

CHAP transmits usernames but not passwords over the network. It transmits the result calculated from the password and random packet ID by using the MD5 algorithm. It is more secure than PAP. The authenticator may or may not be configured with a username. As a best practice, configure a username for the authenticator, which makes it easier for the peer to verify the identity of the authenticator.

· MS-CHAP—MS-CHAP is a three-way handshake authentication protocol.

MS-CHAP differs from CHAP as follows:

¡ MS-CHAP uses CHAP Algorithm 0x80.

¡ MS-CHAP provides authentication retry. If the peer fails authentication, it is allowed to retransmit authentication information to the authenticator for reauthentication. The authenticator allows a peer to retransmit a maximum of three times.

· MS-CHAP-V2—MS-CHAP-V2 is a three-way handshake authentication protocol.

MS-CHAP-V2 differs from CHAP as follows:

¡ MS-CHAP-V2 uses CHAP Algorithm 0x81.

¡ MS-CHAP-V2 provides two-way authentication by piggybacking a peer challenge on the Response packet and an authenticator response on the Acknowledge packet.

¡ MS-CHAP-V2 supports authentication retry. If the peer fails authentication, it is allowed to retransmit authentication information to the authenticator for reauthentication. The authenticator allows a peer to retransmit a maximum of three times.

¡ MS-CHAP-V2 supports password change. If the peer fails authentication because of an expired password, it will send the new password entered by the user to the authenticator for reauthentication.

PPP for IPv4

On IPv4 networks, PPP negotiates the IP address and DNS server address during IPCP negotiation.

IP address negotiation

IP address negotiation enables one end to assign an IP address to the other.

An interface can act as a client or a server during IP address negotiation:

· Client—Obtains an IP address from the server. Use the client mode when the device accesses the Internet through an ISP.

· Server—Assigns an IP address to the client. Before you configure the IP address of the server, you must perform one of the following tasks:

¡ Configure a local address pool and associate the pool with the ISP domain.

¡ Specify an IP address or an address pool for the client on the interface.

When IP address negotiation is enabled on a client, the server selects an IP address for the client in the following sequence:

1. If the AAA server configures an IP address or address pool for the client, the server selects that IP address or an IP address from the pool. The IP address or address pool is configured on the AAA server instead of the PPP server. For information about AAA, see Security Configuration Guide.

2. If an address pool is associated with the ISP domain used during client authentication, the server selects an IP address from the pool.

3. If an IP address or address pool is specified for the client on the interface of the server, the server selects that IP address or an IP address from that pool.

DNS server address negotiation

IPCP negotiation can determine the DNS server IP address.

When the device is connected to a host, configure the device as the server to assign the DNS server IP address to the host.

When the device is connected to an ISP access server, configure the device as the client. Then, the device can obtain the DNS server IP address from the ISP access server.

PPP for IPv6

On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and IPv6 DNS server address during IPv6CP negotiation.

IPv6 address assignment

PPP cannot negotiate the IPv6 address.

The client can get an IPv6 global unicast address through the following methods:

· Method 1—The client obtains an IPv6 prefix in an RA message. The client then generates an IPv6 global unicast address by combining the IPv6 prefix and the negotiated IPv6 interface identifier. The IPv6 prefix in the RA message is determined in the following sequence:

¡ IPv6 prefix authorized by AAA.

¡ RA prefix configured on the interface.

¡ Prefix of the IPv6 global unicast address configured on the interface.

For information about the ND protocol, see Layer 3—IP Services Configuration Guide.

· Method 2—The client requests an IPv6 global unicast address through DHCPv6. The server assigns an IPv6 address to the client from the address pool authorized by AAA. If no AAA-authorized address pool exists, DHCPv6 uses the address pool that matches the server's IPv6 address to assign an IPv6 address to the client. For information about DHCPv6, see Layer 3—IP Services Configuration Guide.

· Method 3—The client requests prefixes through DHCPv6 and assigns them to downstream hosts. The hosts then uses the prefixes to generate global IPv6 addresses. This method uses the same principle of selecting address pools as method 2.

The device can assign a host an IPv6 address in either of the following ways:

· When the host connects to the device directly or through a bridge device, the device can use method 1 or method 2.

· When the host accesses the device through a router, the device can use method 3 to assign an IPv6 prefix to the router. The router assigns the prefix to the host to generate an IPv6 global unicast address.

IPv6 DNS server address assignment

On IPv6 networks, two methods are available for the IPv6 DNS address assignment:

· AAA authorizes the IPv6 DNS address and assigns this address to the host through RA messages.

· The DHCPv6 client requests an IPv6 DNS address from the DHCPv6 server.

MP overview

Multilink PPP (MP) allows you to bind multiple PPP links into one MP bundle for increasing bandwidth. If a packet is larger than the minimum packet size for fragmentation, MP fragments the packet and distributes the fragments across multiple PPP links to the peer. The peer reassembles them into one packet and passes the packet to the network layer.

In addition to increasing bandwidth, MP also provides link-layer load sharing, which can implement backup. MP fragmentation can reduce transmission delay, especially on low-speed links.

MP is available to all physical or virtual interfaces with PPP encapsulation enabled, including serial and PPPoX (PPPoE or PPPoFR) interfaces. In MP configuration, as a best practice, include only one type of interfaces in an MP bundle.

Configuring PPP

PPP configuration task list

Tasks at a glance
(Required.) Enabling PPP encapsulation on an interface
(Optional.) Configuring PPP authentication
(Optional.) Configuring the polling feature
(Optional.) Configuring PPP negotiation
(Optional.) Enabling IP header compression
(Optional.) Enabling PPP link quality monitoring
(Optional.) Enabling PPP accounting
(Optional.) Configuring the nas-port-type attribute

Enabling PPP encapsulation on an interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable PPP encapsulation on the interface.	link-protocol ppp	By default, all interfaces except Ethernet interfaces and VLAN interfaces use PPP as the link layer protocol.

Configuring PPP authentication

You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the peer in the sequence of configured authentication modes until the LCP negotiation succeeds. If the response packet from the peer carries a recommended authentication mode, the authenticator directly uses the authentication mode if it finds the mode configured.

Configuring PAP authentication

To configure the authenticator:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using PAP.	ppp authentication-mode pap [ [ call-in ] domain { isp-name \| default enable isp-name } ]	By default, PPP authentication is disabled.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username and password configured for the peer must be the same as those configured on the peer.

To configure the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the PAP username and password sent from the peer to the authenticator when the peer is authenticated by the authenticator by using PAP.	ppp pap local-user username password { cipher \| simple } string	By default, when being authenticated by the authenticator by using PAP, the peer sends null username and password to the authenticator. For security purposes, the password specified in plaintext form and ciphertext form will be stored in encrypted form.

Configuring CHAP authentication

Depending on whether the authenticator is configured with a username, the configuration of CHAP authentication includes the following types:

· Configuring CHAP authentication when the authenticator name is configured

To configure the authenticator:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using CHAP.	ppp authentication-mode chap [ [ call-in ] domain { isp-name \| default enable isp-name } ]	By default, PPP authentication is disabled.
4. Configure a username for the CHAP authenticator.	ppp chap user username	The default setting is null. The username you configure for the authenticator must be the same as the local username you configure for the authenticator on the peer.
5. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username configured for the peer must be the same as that configured on the peer. The passwords configured for the authenticator and peer must be the same.

To configure the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure a username for the CHAP peer.	ppp chap user username	The default setting is null. The username you configure for the peer here must be the same as the local username you configure for the peer on the authenticator.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the authenticator must be configured on the peer. For remote AAA authentication, the username and password of the authenticator must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username configured for the authenticator must be the same as that configured on the authenticator. The passwords configured for the authenticator and peer must be the same.

· Configuring CHAP authentication when no authenticator name is configured

To configure the authenticator:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using CHAP.	ppp authentication-mode chap [ [ call-in ] domain { isp-name \| default enable isp-name } ]	By default, PPP authentication is disabled.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username configured for the peer must be the same as that configured on the peer. The passwords configured for the authenticator and peer must be the same.

To configure the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure a username for the CHAP peer.	ppp chap user username	The default setting is null. The username you configure on the peer must be the same as the local username you configure for the peer on the authenticator.
4. Set the CHAP authentication password.	ppp chap password { cipher \| simple } string	The default setting is null. The password you set on the peer must be the same as the password you set for the peer on the authenticator. For security purposes, the password specified in plaintext form and ciphertext form will be stored in encrypted form.

Configuring MS-CHAP or MS-CHAP-V2 authentication

When you configure MS-CHAP or MS-CHAP-V2 authentication, follow these guidelines:

· The device can only act as an authenticator for MS-CHAP or MS-CHAP-V2 authentication.

· L2TP supports only MS-CHAP authentication.

· MS-CHAP-V2 authentication supports password change only when using RADIUS.

· As a best practice, do not set the authentication method for PPP users to none when MS-CHAP-V2 authentication is used.

To configure MS-CHAP or MS-CHAP-V2 authentication when the authenticator name is configured:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.	ppp authentication-mode { ms-chap \| ms-chap-v2 } [ [ call-in ] domain { isp-name \| default enable isp-name } ]	By default, PPP authentication is disabled.
4. Configure a username for the MS-CHAP or MS-CHAP-V2 authenticator.	ppp chap user username	The username for the authenticator must be the same on the local and peer devices.
5. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.

To configure MS-CHAP or MS-CHAP-V2 authentication when no authenticator name is configured:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.	ppp authentication-mode { ms-chap \| ms-chap-v2 } [ [ call-in ] domain { isp-name \| default enable isp-name } ]	By default, PPP authentication is disabled.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.

Configuring the polling feature

The polling feature checks PPP link state.

On an interface that uses PPP encapsulation, the link layer sends keepalives at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalives when the keepalive retry limit is reached, it tears down the link and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalives are delayed because a large packet is being transmitted on the link.

The keepalive interval must be smaller than the negotiation timeout time.

To disable sending of keepalives, set the keepalive interval to 0.

To configure the polling feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set the keepalive interval.	timer-hold seconds	The default setting is 10 seconds.
4. Set the keepalive retry limit.	timer-hold retry retries	The default setting is 5.

Configuring PPP negotiation

PPP negotiation includes the following parameters:

· Negotiation timeout time.

· IP address negotiation.

· IP segment match.

· DNS server IP address negotiation.

· ACFC negotiation.

· PFC negotiation.

Configuring the PPP negotiation timeout time

The device starts the PPP negotiation timeout timer after sending a packet. If no response is received before the timer expires, the device sends the packet again.

If two ends of a PPP link vary greatly in the LCP negotiation packet processing rate, configure the delay timer on the end with a higher processing rate. The LCP negotiation delay timer prevents frequent LCP negotiation packet retransmission. After the physical layer comes up, PPP starts LCP negotiation when the delay timer expires. If PPP receives LCP negotiation packets before the delay timer expires, it starts LCP negotiation immediately.

To configure the PPP negotiation timeout time:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the negotiation timeout time.	ppp timer negotiate seconds	The default setting is 3 seconds.
4. (Optional.) Configure the LCP negotiation delay timer.	ppp lcp delay milliseconds	By default, PPP starts LCP negotiation after the physical layer is up.

Configuring IP address negotiation

To configure the device as the client:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable IP address negotiation.	ip address ppp-negotiate	By default, IP address negotiation is not enabled. If you execute the ip address ppp-negotiate and ip address commands multiple times, the most recent configuration takes effect. For more information about the ip address command, see Layer 3—IP Services Command Reference.

Configure the server to assign an IP address to a client by using the following methods:

· Method 1: Specify an IP address for the client on the server interface.

· Method 2: Specify a PPP or DHCP address pool on the server interface.

· Method 3: Associate a PPP or DHCP address pool with an ISP domain.

For clients requiring no authentication, you can use either method 1 or method 2. When both method 1 and method 2 are configured, the most recent configuration takes effect.

For clients requiring authentication, you can use one or more of the three methods. When multiple methods are configured, method 3 takes precedence over method 1 or method 2. When both method 1 and method 2 are configured, the most recent configuration takes effect.

PPP supports IP address assignment from a PPP or DHCP address pool. If you use a pool name that identifies both a PPP address pool and a DHCP address pool, the system uses the PPP address pool. When assigning IP address to users through a PPP address pool, make sure the PPP address pool excludes the gateway IP address of the PPP address pool.

To configure the device as the server (Method 1):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the interface to assign an IP address to the peer.	remote address ip-address	By default, an interface does not assign an IP address to the peer.
4. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface.

To configure the device as the server (Method 2: Specify a PPP address pool):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a PPP address pool.	ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]	By default, no PPP address pool is configured.
3. (Optional.) Configure a gateway address for the PPP address pool.	ip pool pool-name gateway ip-address [ vpn-instance vpn-instance-name ]	By default, the PPP address pool is not configured with a gateway address.
4. (Optional.) Configure a PPP address pool route.	ppp ip-pool route ip-address { mask-length \| mask } [ vpn-instance vpn-instance-name ]	By default, no PPP address pool route exists. The destination network of the PPP address pool route must include the PPP address pool.
5. Enter interface view.	interface interface-type interface-number	N/A
6. Configure the interface to assign an IP address from the configured PPP address pool to the peer.	remote address pool pool-name	By default, an interface does not assign an IP address to the peer.
7. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface. This command is optional when the PPP address pool has been configured with a gateway address.

To configure the device as the server (Method 2: Specify a DHCP address pool):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure DHCP.	· If the server acts as a DHCP server, configure the DHCP server and a DHCP address pool on the server. · If the server acts as a DHCP relay agent, configure the DHCP relay agent on the server, and configure a DHCP address pool on the remote DHCP server. In addition, you must enable the DHCP relay agent to record relay entries, and configure a DHCP relay address pool.	For information about configuring DHCP, see Layer 3 IP Services Configuration Guide.
3. Enter interface view.	interface interface-type interface-number	N/A
4. Configure the interface to assign an IP address from the configured DHCP address pool to the peer.	remote address pool pool-name	By default, an interface does not assign an IP address to the peer.
5. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface.
6. (Optional.) Use the PPP usernames as the DHCP client IDs.	remote address dhcp client-identifier username	By default, the PPP usernames are not used as the DHCP client IDs.

To configure the device as the server (Method 3: Associate a PPP address pool with an ISP domain):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a PPP address pool.	ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]	By default, no PPP address pool is configured.
3. (Optional.) Configure a gateway address for the PPP address pool.	ip pool pool-name gateway ip-address [ vpn-instance vpn-instance-name ]	By default, the PPP address pool is not configured with a gateway address.
4. (Optional.) Configure a PPP address pool route.	ppp ip-pool route ip-address { mask-length \| mask } [ vpn-instance vpn-instance-name ]	By default, no PPP address pool route exists. The destination network of the PPP address pool route must include the PPP address pool.
5. Enter ISP domain view.	domain isp-name	N/A
6. Associate the ISP domain with the configured PPP address pool for address assignment.	authorization-attribute ip-pool pool-name	By default, no PPP address pool is associated. For more information about this command, see Security Command Reference.
7. Return to system view.	quit	N/A
8. Enter interface view.	interface interface-type interface-number	N/A
9. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface. This command is optional when the PPP address pool is configured with a gateway address.

To configure the device as the server (Method 3: Associate a DHCP address pool with an ISP domain):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure DHCP.	· If the server acts as a DHCP server, configure the DHCP server and a DHCP address pool on the server. · If the server acts as a DHCP relay agent, configure the DHCP relay agent on the server, and configure a DHCP address pool on the remote DHCP server. In addition, you must enable the DHCP relay agent to record relay entries, and configure a DHCP relay address pool.	For information about configuring DHCP, see Layer 3 IP Services Configuration Guide.
3. Enter ISP domain view.	domain isp-name	N/A
4. Associate the ISP domain with the configured DHCP address pool for address assignment.	authorization-attribute ip-pool pool-name	By default, no DHCP address pool is associated. For more information about this command, see Security Command Reference.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface.
8. (Optional.) Use the PPP usernames as the DHCP client IDs.	remote address dhcp client-identifier username	By default, the PPP usernames are not used as the DHCP client IDs.

Enabling IP segment match

This feature enables the local interface to check whether its IP address and the IP address of the remote interface are in the same network segment. If they are not, IPCP negotiation fails.

To enable IP segment match:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable IP segment match.	ppp ipcp remote-address match	By default, this feature is disabled.

Configuring DNS server IP address negotiation

Configure DNS server settings depending on the role of your device in PPP negotiation.

· Configuring the local end as the client

During PPP negotiation, the server will assign a DNS server IP address only for a client configured with the ppp ipcp dns request command. For some special devices to forcibly assign DNS server IP addresses to clients that do not initiate requests, configure the ppp ipcp dns admit-any command on these devices.

To configure the local end as the client:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable the device to request the peer for a DNS server IP address.	ppp ipcp dns request	By default, a client does not request its peer for a DNS server IP address.
4. Configure the device to accept the DNS server IP addresses assigned by the peer even though it does not request the peer for the DNS server IP addresses.	ppp ipcp dns admit-any	By default, a device does not accept the DNS server IP addresses assigned by the peer if it does not request the peer for the DNS server IP addresses. This command is not necessary if the ppp ipcp dns request command is configured.

· Configuring the local end as the server

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Specify the primary and secondary DNS server IP addresses to be allocated to the peer in PPP negotiation.	ppp ipcp dns primary-dns-address [ secondary-dns-address ]	By default, a device does not allocate DNS server IP addresses to its peer if the peer does not request them.

Configuring ACFC negotiation

PPP can compress the address and control fields of PPP packets to increase the payload size.

ACFC negotiation notifies the peer that the local end can receive packets carrying compressed address and control fields.

ACFC negotiation is implemented at the LCP negotiation stage. After the ACFC negotiation succeeds, PPP does not include the address and control fields in non-LCP packets. To ensure successful LCP negotiation, PPP does not apply the compression to LCP packets.

As a best practice, use the ACFC configuration option on low-speed links.

To configure the local end to send ACFC requests:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the local end to send ACFC requests by including the ACFC option in outbound LCP negotiation requests.	ppp acfc local request	By default, the local end does not include the ACFC option in outbound LCP negotiation requests.

To configure the local end to reject ACFC requests received from the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the local end to reject ACFC requests received from the peer.	ppp acfc remote-reject	By default, the local end accepts the ACFC requests from the remote peer, and performs ACFC on frames sent to the peer.

Configuring PFC negotiation

PPP can compress the protocol field of PPP packets from 2 bytes to 1 byte to increase the payload size.

PFC negotiation notifies the peer that the local end can receive packets with a single-byte protocol field.

PFC negotiation is implemented at the LCP negotiation stage. After PFC negotiation is completed, the device compresses the protocol field of sent non-LCP packets. If the first eight bits of the protocol field are all zeros, the device does not add those bits into the packet. To ensure successful LCP negotiation, PPP does not apply the compression to LCP packets.

As a best practice, use this configuration option on low-speed links.

To configure the local end to send PFC requests:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the local end to send PFC requests by including the PFC option in outbound LCP negotiation requests.	ppp pfc local request	By default, the local end does not include the PFC option in outbound LCP negotiation requests.

To configure the local end to reject PFC requests received from the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the local end to reject PFC requests received from the peer.	ppp pfc remote-reject	By default, the device accepts PFC requests received from the peer, and performs PFC on frames sent to the peer.

Enabling IP header compression

IP header compression (IPHC) compresses packet headers to speed up packet transmission. IPHC is often used for voice communications over low-speed links.

IPHC provides the following compression features:

· RTP header compression—Compresses the IP header, UDP header, and RTP header of an RTP packet, which have a total length of 40 bytes.

· TCP header compression—Compresses the IP header and TCP header of a TCP packet, which have a total length of 40 bytes.

To use IPHC, you must enable it on both sides of a PPP link.

Enabling or disabling IPHC on a VT interface does not immediately take effect. You must execute the shutdown and undo shutdown commands on the interface or the bound physical interface to apply the new setting.

After you enable IPHC, you can configure the maximum number of connections for RTP or TCP header compression. The configuration takes effect after you execute the shutdown and undo shutdown command on the interface. The configuration is removed after IPHC is disabled.

To configure IPHC:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable IP header compression.	ppp compression iphc enable [ nonstandard ]	By default, IP header compression is disabled. The nonstandard option must be specified when the device communicates with a non-H3C device. When the nonstandard keyword is specified, only RTP header compression is supported and TCP header compression is not supported.
4. Set the maximum number of connections for which an interface can perform RTP header compression.	ppp compression iphc rtp-connections number	The default setting is 16.
5. Set the maximum number of connections for which an interface can perform TCP header compression.	ppp compression iphc tcp-connections number	The default setting is 16.

Enabling PPP link quality monitoring

PPP link quality monitoring (LQM) monitors the quality (packet loss ratio and packet error ratio) of PPP links (including those in MP bundles) in real time.

If PPP LQM is not enabled, each end of a PPP link periodically sends keepalives to its peer. If PPP LQM is enabled, Link Quality Reports (LQRs) packets replace keepalives to monitor the link.

The system uses received LQR packets to measure the link quality. If two consecutive measured results are below the close-percentage, the system shuts down the link. Then the system measures the link quality at an interval that is ten times the LQR interval. If three consecutive measured results are higher than the PPP LQM resume-percentage, the system brings up the link.

A shut-down link must experience a minimum of 30 keepalive intervals before it can come up again. As a best practice, do not set the keepalive interval to a large value.

If you enable PPP LQM on both sides of a PPP link, make sure both sides have the same PPP LQM settings. Typically, there is no need to enable PPP LQM on both sides of a PPP link.

To enable PPP LQM:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable PPP LQM.	ppp lqm close-percentage close-percentage [ resume-percentage resume-percentage ]	By default, PPP LQM is disabled.
4. Configure the interface to periodically send LCP echo packets when LQM detects a low quality link.	ppp lqm lcp-echo [ packet size ] [ interval seconds ]	By default, the interface does not send LCP echo packets when LQM detects a low quality link.

Enabling PPP accounting

PPP accounting collects PPP statistics, including the numbers of received and sent PPP packets and bytes. AAA can use the PPP statistics for accounting. For more information about AAA, see Security Configuration Guide.

To enable PPP accounting:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable PPP accounting.	ppp account-statistics enable [ acl { acl-number \| name acl-name } ]	By default, PPP accounting is disabled.

Configuring the nas-port-type attribute

The nas-port-type attribute is used for RADIUS authentication and accounting. For information about the nas-port-type attribute, see RFC 2865.

To configure the nas-port-type attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VT interface view.	interface virtual-template number	N/A
3. Configure the nas-port-type attribute.	nas-port-type { 802.11 \| adsl-cap \| adsl-dmt \| async \| cable \| ethernet \| g.3-fax \| hdlc \| idsl \| isdn-async-v110 \| isdn-async-v120 \| isdn-sync \| piafs \| sdsl \| sync \| virtual \| wireless-other \| x.25 \| x.75 \| xdsl }	By default, the nas-port-type attribute is determined by the service type and link type of the PPP user (see Table 1). The idsl, isdn-async-v110, isdn-async-v120, and isdn-sync keywords are not supported in the current software version.

Table 1 Default nas-port-type attribute

Service type	Link type	Nas-port-type attribute
	Other interfaces	ethernet
PPPoA	Any	xdsl
L2TP	Any	virtual

Configuring MP

MP supports binding interfaces on the same LPU rather than on different LPUs.

You can configure MP by using virtual template (VT) or MP-group interfaces:

· VT interfaces—VT interfaces are used to configure VA interfaces. After binding multiple PPP links into an MP link, you must create a VA interface for the MP link to exchange data with the peers.

VT interfaces support authentication. The device finds a VT interface for a peer according to the username provided by the peer. The device then creates a bundle that corresponds to an MP link based on the VT settings.

MP can create multiple bundles using the same VT interface. Each bundle is an MP link. From the perspective of the network layer, these links form a point-to-multipoint topology.

The system uses usernames or terminal descriptors to distinguish multiple MP links under one VT interface. The following binding modes are available:

¡ authentication—Binds links by using authentication usernames. Each authentication username corresponds to one bundle. The username is sent by the peer to the authenticator in PAP, CHAP, MS-CHAP, or MS-CHAP-V2 authentication.

¡ descriptor—Binds links by using descriptors. Each descriptor corresponds to one bundle. A descriptor is received from the peer during LCP negotiation and uniquely identifies the peer.

¡ both—Binds links by using both the authentication username and descriptor.

· MP-group interfaces—MP-group interfaces are intended only for MP. On an MP-group interface, only one bundle is allowed, and links cannot be bundled according to the peer descriptor. Compared with VT interfaces, the configuration of MP-group interfaces is more efficient and easier to configure and understand.

MP configuration task list

Tasks at a glance
(Required.) Perform either task: · Configuring MP by using a VT interface · Configuring MP through an MP-group interface
(Optional.) Configuring software MP
(Optional.) Configuring short sequence number header format negotiation
(Optional.) Configuring the MP endpoint descriptor
(Optional.) Configuring LFI

Configuring MP by using a VT interface

You can use either of the following methods to configure MP by using a VT interface:

· Bind physical interfaces to the VT interface by using the ppp mp virtual-template command.

¡ If authentication is not configured, the system binds links according to the descriptor of the peer.

¡ If authentication is configured, the system binds links according to the username, the descriptor of the peer, or both.

· Associate a username with the VT interface. After the user passes authentication, the system finds the VT interface associated with the username and bundles links according to the username and the descriptor of the peer. To ensure a successful link negotiation, configure the ppp mp command and two-way authentication (PAP, CHAP, MS-CHAP, or MS-CHAP-V2) on the bundled interfaces.

When you configure MP by using a VT interface, follow these guidelines:

· If you execute the ppp mp and ppp mp virtual-template commands multiple times, the most recent configuration takes effect.

· You must use the same method to configure the interfaces to be bundled .

· To use one-way authentication, associate physical interfaces with a VT interface on one end and associate a username with the VT interface on the other end.

· Configure a VT interface to provide only one service, such as MP, L2TP, or PPPoE.

Configuring MP by using a VT interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VT interface and enter its view.	interface virtual-template number	If the VT interface already exists, you enter its view directly.
3. (Optional.) Set the interface description.	description text	By default, the description of a VT interface is interface name Interface, for example, Virtual-Template1 Interface.
4. Set the keepalive interval.	timer-hold seconds	The default setting is 10 seconds.
5. Set the keepalive retry limit.	timer-hold retry retries	The default setting is 5.
6. Set the MTU size of the interface.	mtu size	The default setting is 1500 bytes.
7. Set the expected bandwidth of the VT interface.	bandwidth bandwidth-value	By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
8. (Optional.) Restore the default settings for the VT interface.	default	N/A
9. Return to system view.	quit	N/A
10. Associate a physical interface or a username with the VT interface.	· (Method 1) Bind a physical interface to the VT interface: a. Enter interface view: interface interface-type interface-number b. Bind the interface to the specified VT interface, and enable MP for the interface: ppp mp virtual-template number c. (Optional.) Configure PPP authentication (see "Configuring PPP authentication.") · (Method 2) Associate a username to the VT interface: d. Associate a VT interface to a username: ppp mp user username bind virtual-template number e. Enter interface view: interface interface-type interface-number f. Enable MP for the interface: ppp mp g. Configure PPP authentication (see "Configuring PPP authentication.")	By default, a physical interface is enabled with PPP and not bound to any VT interface. PPP authentication does not affect MP when Method 1 is used. By default, a VT interface is not bound to any username.
11. Configure other MP parameters.	See "Configuring other optional parameters."	N/A

Configuring other optional parameters

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MP VT interface view.	interface virtual-template number	N/A
3. Set the binding mode.	ppp mp binding-mode { authentication \| both \| descriptor }	By default, both the username and the descriptor are used for MP binding.
4. (Optional.) Set the maximum number of links in an MP bundle.	ppp mp max-bind max-bind-num	The default setting is 16.
5. Set the minimum size of MP fragments.	ppp mp min-fragment size	The default setting is 128 bytes.
6. Configure the MP sort buffer size factor.	ppp mp sort-buffer-size size	The default setting is 1.
7. (Optional.) Configure the timer for MP to wait for the expected fragment.	ppp mp timer lost-fragment seconds	By default, the timer is 30 seconds.
8. (Optional.) Disable MP fragmentation.	ppp mp fragment disable	By default, MP fragmentation is enabled. When this command is configured on an interface, the ppp mp lfi enable and ppp mp min-fragment commands do not take effect on the interface.

Configuring MP through an MP-group interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an MP-group interface and enter its view.	interface mp-group mp-number	If the MP-group interface already exists, you enter its view directly.
3. (Optional.) Set the maximum number of links in an MP bundle.	ppp mp max-bind max-bind-num	The default setting is 16. For this command to take effect on an MP bundle, you must re-enable all the physical interfaces in the MP bundle by executing the shutdown command and then the undo shutdown command.
4. Set the minimum MP packet size for fragmentation.	ppp mp min-fragment size	The default setting is 128 bytes.
5. Configure the MP sort buffer size factor.	ppp mp sort-buffer-size size	The default setting is 1.
6. (Optional.) Start the timer for waiting for the expected fragment.	ppp mp timer lost-fragment seconds	By default, the timer is not started.
7. (Optional.) Disable MP fragmentation.	ppp mp fragment disable	By default, MP fragmentation is enabled. After you configure this command on an interface, the settings configured with the ppp mp lfi enable and ppp mp min-fragment commands do not take effect on the interface.
8. (Optional.) Set the interface description.	description text	Optional. The default setting is interface name Interface, for example, MP-group1/1/0 Interface.
9. Set the keepalive interval.	timer-hold seconds	The default setting is 10 seconds.
10. Set the keepalive retry limit.	timer-hold retry retries	The default setting is 5.
11. Set the MTU size of the interface.	mtu size	The default setting is 1500 bytes.
12. Set the expected bandwidth of the interface.	bandwidth bandwidth-value	By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
13. (Optional.) Restore the default settings for the interface.	default	N/A
14. Bring up the interface.	undo shutdown	By default, an interface is up.
15. Return to system view.	quit	N/A
16. Enter interface view.	interface interface-type interface-number	N/A
17. Assign the interface to a specified MP-group interface, and enable MP for the interface.	ppp mp mp-group mp-number	By default, an interface is enabled with PPP.

Configuring software MP

Software MP uses the CPU rather than hardware to fragment and reassemble packets. It is less efficient than hardware MP. This feature is available only for interfaces that support both hardware MP and software MP.

Hardware MP cannot bind different CPOS interfaces on a CPOS E1/T1 subcard. It can only bind synchronous serial interfaces created for channels on the same CPOS interface. To bind synchronous serial interfaces created for channels on different CPOS interfaces, you must configure software MP.

An interface in hardware MP cannot be bound to an interface in software MP. To bind interfaces that support only software MP to interfaces that support both, you must configure software MP on those interfaces in hardware MP.

To configure software MP for an interface:

Step	Command	Remarks
1. Enter system view	system-view	N/A
2. Enter sync serial interface view.	interface interface-type interface-number	N/A
3. Configure software MP for the interface.	ppp mp soft-binding	By default, hardware MP is used.

Configuring short sequence number header format negotiation

By default, an MP bundle receives and transmits fragments with long sequence numbers.

· To receive fragments with short sequence numbers, the local end should request the peer to transmit short sequence numbers during LCP negotiation. After the negotiation succeeds, the peer transmits fragments with short sequence numbers.

· To transmit fragments with short sequence numbers, the local end should ask the peer to send a request for receiving short sequence numbers during LCP negotiation. After the negotiation succeeds, the local end transmits fragments with short sequence numbers.

The sequence number format (long or short) of an MP bundle depends on the configuration of the first channel joining the MP bundle.

To negotiate the use of short sequence numbers on a common MP bundle, use the command on all its channels. Note that the command will cause PPP re-negotiation.

To configure short sequence number header format negotiation for MP:

Step	Command	Remarks
1. Enter system view	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Trigger MP short sequence number header negotiation, specifying that the interface receive fragments with short sequence numbers after the negotiation succeeds.	ppp mp short-sequence	By default, long sequence number header format negotiation is performed.

Configuring the MP endpoint descriptor

When MP is configured by using a VT interface, an MP endpoint makes link binding decisions based on the remote endpoint descriptors. It assigns the links that receive the same endpoint descriptor to the same bundle. To avoid incorrect link binding on a VT interface, make sure the link descriptors used by different devices are unique. You must re-configure an endpoint descriptor for a device if the default endpoint descriptor (device name) cannot uniquely identify the MP bundle at the remote end.

When MP is configured by using an MP-group interface, the negotiating endpoints do not base their binding decisions on the endpoint descriptor. By default, the endpoint descriptor of an interface in an MP-group is the MP-group interface name. When you configure an endpoint descriptor for the interface, the configured MP endpoint descriptor takes effect.

If the endpoint descriptor exceeds 20 bytes, the first 20 bytes are taken as the endpoint descriptor.

To configure the MP endpoint descriptor of an interface for LCP negotiation:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the MP endpoint descriptor.	ppp mp endpoint endpoint	N/A

Configuring LFI

Real-time packets, such as Telnet and VoIP packets, might be blocked or delayed on a low-speed interface.

To reduce delays and jitters on low-speed links, LFI fragments large packets into small fragments. The fragments are reassembled at the destination.

Figure 2 illustrates the LFI process. When large packets and small voice packets arrive at a WFQ-enabled interface, LFI performs the following operations:

· Fragments the large packets into small fragments.

· Adds the fragments to the queues along with the voice packets.

Figure 2 LFI

To configure LFI:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VT interface or MP-group interface view.	interface { mp-group \| virtual-template } mp-number	N/A
3. Enable LFI.	ppp mp lfi enable	By default, LFI is disabled. Disabling LFI also removes the user-configured settings of the maximum LFI fragment delay and size.
4. Set the maximum LFI fragment transmission delay and the maximum LFI fragment size (in bytes).	· ppp mp lfi delay-per-frag time · ppp mp lfi size-per-frag size	By default, the maximum LFI fragment transmission delay is 10 ms, and the maximum LFI fragment size is the expected bandwidth of the interface times the maximum delay divided by 8.

Displaying and maintaining PPP and MP

Execute display commands in any view and reset commands in user view.

Task	Command
Display information about PPP access users.	display ppp access-user { interface interface-type interface-number [ count ] \| ip-address ip-address \| ipv6-address ipv6-address \| username user-name \| user-type { lac \| lns \| pppoe } [ count ] }
Display PPP address pools.	display ip pool [ pool-name \| group group-name ]
Display IPHC statistics.	display ppp compression iphc { rtp \| tcp } [ interface interface-type interface-number ]
Display information about VT interfaces.	display interface [ virtual-template [ interface-number ] ] [ brief [ description \| down ] ]
Display information about VA interfaces on a VT interface.	display interface [ virtual-access [ interface-number ] ] [ brief [ description \| down ] ]
Display information about one or all MP-group interfaces.	display interface [ mp-group [ interface-number ] ] [ brief [ description \| down ] ]
Display MP information.	display ppp mp [ interface interface-type interface-number ]
Clear IPHC statistics.	reset ppp compression iphc [ rtp \| tcp ] [ interface interface-type interface-number ]
Log off a PPP user.	reset ppp access-user { ip-address ipv4-ip-address [ vpn-instance ipv4-vpn-instance-name ] \| ipv6-address ipv6-address [ vpn-instance ipv6-vpn-instance-name ] \| username user-name }
Clear the statistics for VA interfaces.	reset counters interface [ virtual-access [ interface-number ] ]
Clear the statistics for MP-group interfaces.	reset counters interface [ mp-group [ interface-number ] ]

PPP and MP configuration examples

One-way PAP authentication configuration example

Network requirements

As shown in Figure 3, configure Router A to authenticate Router B by using PAP, but Router B not to authenticate Router A.

Figure 3 Network diagram

Configuration procedure

1. Configure Router A:

# Create a user account for Router B.

<RouterA> system-view

[RouterA] local-user userb class network

# Set a password for the user account.

[RouterA-luser-network-userb] password simple passb

# Set the service type of the user account to PPP.

[RouterA-luser-network-userb] service-type ppp

[RouterA-luser-network-userb] quit

# Enable PPP encapsulation on Serial 1/1/0. By default, an interface uses PPP encapsulation.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] link-protocol ppp

# Set the authentication mode to PAP.

[RouterA-Serial1/1/0] ppp authentication-mode pap domain system

# Assign an IP address to Serial 1/1/0.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

[RouterA-Serial1/1/0] quit

# Configure local authentication for the PPP users in the default ISP domain (system).

[RouterA] domain system

[RouterA-isp-system] authentication ppp local

2. Configure Router B:

# Enable PPP encapsulation on Serial 1/1/0. By default, an interface uses PPP encapsulation.

<RouterB> system-view

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] link-protocol ppp

# Configure the PAP username and password sent from Router B to Router A when Router B is authenticated by Router A using PAP.

[RouterB-Serial1/1/0] ppp pap local-user userb password simple passb

# Assign an IP address to Serial 1/1/0 of Router B.

[RouterB-Serial1/1/0] ip address 200.1.1.2 16

Verifying the configuration

# Use the display interface serial command to display information about Serial 1/1/0 of Router B.

[RouterB-Serial1/1/0] display interface serial 1/1/0

Serial1/1/0

Current state: UP

Line protocol state: UP

Description: Serial1/1/0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1500

Internet Address: 200.1.1.2/16 Primary

Link layer protocol: PPP

LCP: opened, IPCP: opened

...

The output shows that:

· The physical layer status and link layer status of the interface are both up.

· The states of LCP and IPCP are both Opened, indicating that PPP negotiation has succeeded.

# Verify that Router A and Router B can ping each other.

[RouterB-Serial1/1/0] ping 200.1.1.1

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 200.1.1.1: icmp_seq=0 ttl=128 time=3.197 ms

56 bytes from 200.1.1.1: icmp_seq=1 ttl=128 time=2.594 ms

56 bytes from 200.1.1.1: icmp_seq=2 ttl=128 time=2.739 ms

56 bytes from 200.1.1.1: icmp_seq=3 ttl=128 time=1.738 ms

56 bytes from 200.1.1.1: icmp_seq=4 ttl=128 time=1.744 ms

--- Ping statistics for 200.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.738/2.402/3.197/0.576 ms

Two-way PAP authentication configuration example

Network requirements

As shown in Figure 4, configure Router A and Router B to authenticate each other.

Figure 4 Network diagram

Configuration procedure

1. Configure Router A:

# Create a user account for Router B.

<RouterA> system-view

[RouterA] local-user userb class network

# Set a password for the user account.

[RouterA-luser-network-userb] password simple passb

# Set the service type of the user account to PPP.

[RouterA-luser-network-userb] service-type ppp

[RouterA-luser-network-userb] quit

# Enable PPP encapsulation on Serial 1/1/0. By default, an interface uses PPP encapsulation.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] link-protocol ppp

# Set the authentication mode to PAP.

[RouterA-Serial1/1/0] ppp authentication-mode pap domain system

# Configure the PAP username and password sent from Router A to Router B when Router A is authenticated by Router B using PAP.

[RouterA-Serial1/1/0] ppp pap local-user usera password simple passa

# Assign an IP address to Serial 1/1/0 of Router A.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

[RouterA-Serial1/1/0] quit

# Configure local authentication for the PPP users in the default ISP domain (system).

[RouterA] domain system

[RouterA-isp-system] authentication ppp local

2. Configure Router B:

# Create a user account for Router A on Router B.

<RouterB> system-view

[RouterB] local-user usera class network

# Set a password for the user account.

[RouterB-luser-network-usera] password simple passa

# Set the service type of the user account to PPP.

[RouterB-luser-network-usera] service-type ppp

[RouterB-luser-network-usera] quit

# Enable PPP encapsulation on Serial 1/1/0. By default, an interface uses PPP encapsulation.

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] link-protocol ppp

# Set the authentication mode to PAP.

[RouterB-Serial1/1/0] ppp authentication-mode pap domain system

# Configure the PAP username and password sent from Router B to Router A when Router B is authenticated by Router A using PAP.

[RouterB-Serial1/1/0] ppp pap local-user userb password simple passb

# Assign an IP address to Serial 1/1/0.

[RouterB-Serial1/1/0] ip address 200.1.1.2 16

[RouterB-Serial1/1/0] quit

# Configure local authentication for the PPP users in the default ISP domain (system).

[RouterB] domain system

[RouterB-isp-system] authentication ppp local

Verifying the configuration

# Use the display interface serial command to display information about Serial 1/1/0 of Router B.

[RouterB-isp-system] display interface serial 1/1/0

Serial1/1/0

Current state: UP

Line protocol state: UP

Description: Serial1/1/0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1500

Internet Address: 200.1.1.2/16 Primary

Link layer protocol: PPP

LCP opened, IPCP opened

...

The output shows that:

· The physical layer status and link layer status of the interface are both up.

· The states of LCP and IPCP are both Opened, indicating that PPP negotiation has succeeded.

# Verify that Router B can successfully ping Router A.

[RouterB-isp-system] ping 200.1.1.1

Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 200.1.1.1: icmp_seq=0 ttl=128 time=3.197 ms

56 bytes from 200.1.1.1: icmp_seq=1 ttl=128 time=2.594 ms

56 bytes from 200.1.1.1: icmp_seq=2 ttl=128 time=2.739 ms

56 bytes from 200.1.1.1: icmp_seq=3 ttl=128 time=1.738 ms

56 bytes from 200.1.1.1: icmp_seq=4 ttl=128 time=1.744 ms

--- Ping statistics for 200.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.738/2.402/3.197/0.576 ms

One-way CHAP authentication configuration example

Network requirements

As shown in Figure 5, configure Router A to authenticate Router B by using CHAP.

Figure 5 Network diagram

Configuration procedure

(Method 1) The authenticator configured with a username authenticates the peer by using CHAP.

1. Configure Router A:

# Create a user account for Router B.

<RouterA> system-view

[RouterA] local-user userb class network

# Set a password for the user account.

[RouterA-luser-network-userb] password simple hello

# Set the service type of the user account to PPP.

[RouterA-luser-network-userb] service-type ppp

[RouterA-luser-network-userb] quit

# Enable PPP encapsulation on Serial 1/1/0. By default, an interface uses PPP encapsulation.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] link-protocol ppp

# Configure the username for Router A when Router A authenticates Router B.

[RouterA-Serial1/1/0] ppp chap user usera

# Set the authentication mode to CHAP.

[RouterA-Serial1/1/0] ppp authentication-mode chap domain system

# Assign an IP address to Serial 1/1/0.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

[RouterA-Serial1/1/0] quit

# Configure local authentication for the PPP users in the default ISP domain (system).

[RouterA] domain system

[RouterA-isp-system] authentication ppp local

2. Configure Router B:

# Create a user account for Router A on Router B.

<RouterB> system-view

[RouterB] local-user usera class network

# Set a password for the user account.

[RouterB-luser-network-usera] password simple hello

# Set the service type of the user account to PPP.

[RouterB-luser-network-usera] service-type ppp

[RouterB-luser-network-usera] quit

# Enable PPP encapsulation on Serial 1/1/0. By default, an interface uses PPP encapsulation.

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] link-protocol ppp

# Configure the username for Router B when Router B is authenticated.

[RouterB-Serial1/1/0] ppp chap user userb

# Assign an IP address to Serial 1/1/0 of Router B.

[RouterB-Serial1/1/0] ip address 200.1.1.2 16

(Method 2) The authenticator with no username configured authenticates the peer by using CHAP.

1. Configure Router A:

# Create a user account for Router B.

<RouterA> system-view

[RouterA] local-user userb class network

# Set a password for the user account.

[RouterA-luser-network-userb] password simple hello

# Set the service type of the user account to PPP.

[RouterA-luser-network-userb] service-type ppp

[RouterA-luser-network-userb] quit

# Set the authentication mode to CHAP.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] ppp authentication-mode chap domain system

# Assign an IP address to Serial 1/1/0.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

[RouterA-Serial1/1/0] quit

# Configure local authentication for the PPP users in the default ISP domain (system).

[RouterA] domain system

[RouterA-isp-system] authentication ppp local

2. Configure Router B:

# Configure the username of Router B when Router B is authenticated.

<RouterB> system-view

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] ppp chap user userb

# Set the default CHAP password.

[RouterB-Serial1/1/0] ppp chap password simple hello

# Assign an IP address to Serial 1/1/0.

[RouterB-Serial1/1/0] ip address 200.1.1.2 16

3. Verify the configuration:

# Use the display interface serial command to display information about Serial 1/1/0 of Router B.

[RouterB-Serial1/1/0] display interface serial 1/1/0

Serial1/1/0

Current state: UP

Line protocol state: UP

Description: Serial1/1/0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1500

Internet Address: 200.1.1.2/16 Primary

Link layer protocol: PPP

LCP opened, IPCP opened

...

The output shows that:

¡ The physical layer status and link layer status of the interface are both up.

¡ The states of LCP and IPCP are both Opened, indicating that PPP negotiation has succeeded.

# Verify that Router A and Router B can ping each other.

[RouterB-Serial1/1/0] ping 200.1.1.1

Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 200.1.1.1: icmp_seq=0 ttl=128 time=3.197 ms

56 bytes from 200.1.1.1: icmp_seq=1 ttl=128 time=2.594 ms

56 bytes from 200.1.1.1: icmp_seq=2 ttl=128 time=2.739 ms

56 bytes from 200.1.1.1: icmp_seq=3 ttl=128 time=1.738 ms

56 bytes from 200.1.1.1: icmp_seq=4 ttl=128 time=1.744 ms

--- Ping statistics for 200.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.738/2.402/3.197/0.576 ms

IP address negotiation configuration examples

Specifying an IP address for the client on the server interface

Network requirements

As shown in Figure 6, configure Router A to allocate an IP address to Serial 1/1/0 of Router B through PPP negotiation. The IP address is specified on Serial 1/1/0 of Router A.

Figure 6 Network diagram

Configuration procedure

1. Configure Router A:

# Configure an IP address to be assigned to the peer interface on Serial 1/1/0.

<RouterA> system-view

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] remote address 200.1.1.10

# Configure an IP address for Serial 1/1/0.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

2. Enable IP address negotiation on Serial 1/1/0 of Router B.

<RouterB> system-view

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] ip address ppp-negotiate

3. Verify the configuration:

# Display summary information about Serial 1/1/0 on Router B.

[RouterB-Serial1/1/0] display interface serial 1/1/0 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

S1/1/0 UP UP 200.1.1.10

The output shows Serial 1/1/0 obtains IP address 200.1.1.10 through PPP negotiation.

# Verify that Router B can ping Serial 1/1/0 of Router A.

[RouterB-Serial1/1/0] ping 200.1.1.1

Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 200.1.1.1: icmp_seq=0 ttl=128 time=3.197 ms

56 bytes from 200.1.1.1: icmp_seq=1 ttl=128 time=2.594 ms

56 bytes from 200.1.1.1: icmp_seq=2 ttl=128 time=2.739 ms

56 bytes from 200.1.1.1: icmp_seq=3 ttl=128 time=1.738 ms

56 bytes from 200.1.1.1: icmp_seq=4 ttl=128 time=1.744 ms

--- Ping statistics for 200.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.738/2.402/3.197/0.576 ms

Specifying a PPP address pool on the server interface

Network requirements

As shown in Figure 7, configure Router A to allocate an IP address from the PPP address pool on Serial 1/1/0 of Router A to Serial 1/1/0 of Router B through PPP negotiation.

Figure 7 Network diagram

Configuration procedure

1. Configure Router A:

# Configure PPP address pool aaa that contains IP addresses 200.1.1.10 through 200.1.1.20 for group AAA.

<RouterA> system-view

[RouterA] ip pool aaa 200.1.1.10 200.1.1.20 group AAA

# Configure a PPP address pool route.

[RouterA] ppp ip-pool route 200.1.1.1 24

# Configure Serial 1/1/0 to assign an IP address from aaa to the peer interface.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] remote address pool aaa

# Configure an IP address for Serial 1/1/0.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

2. Enable IP address negotiation on Serial 1/1/0 of Router B.

<RouterB> system-view

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] ip address ppp-negotiate

3. Verify the configuration:

# Display summary information about Serial 1/1/0 on Router B.

[RouterB-Serial1/1/0] display interface serial 1/1/0 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

S1/1/0 UP UP 200.1.1.10

The output shows that Serial 1/1/0 has obtained IP address 200.1.1.10 through PPP negotiation.

# Verify that Router B can ping Serial 1/1/0 of Router A.

[RouterB-Serial1/1/0] ping 200.1.1.1

Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 200.1.1.1: icmp_seq=0 ttl=128 time=3.197 ms

56 bytes from 200.1.1.1: icmp_seq=1 ttl=128 time=2.594 ms

56 bytes from 200.1.1.1: icmp_seq=2 ttl=128 time=2.739 ms

56 bytes from 200.1.1.1: icmp_seq=3 ttl=128 time=1.738 ms

56 bytes from 200.1.1.1: icmp_seq=4 ttl=128 time=1.744 ms

--- Ping statistics for 200.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.738/2.402/3.197/0.576 ms

# Display PPP address pool aaa on Serial 1/1/0 of Router A.

[RouterA-Serial1/1/0] display ip pool aaa

Group name: AAA

Pool name Start IP address End IP address Free In use

aaa 200.1.1.10 200.1.1.20 10 1

In use IP addresses:

IP address Interface

200.1.1.10 S1/1/0

The output shows that one IP address has been assigned.

Using the PPP address pool associated with an ISP domain

Network requirements

As shown in Figure 8, configure Router A to allocate an IP address from the PPP address pool associated with the ISP domain to Serial 1/1/0 of Router B through PPP negotiation.

Figure 8 Network diagram

Configuration procedure

1. Configure Router A:

# Configure PPP address pool aaa that contains IP addresses 200.1.1.10 through 200.1.1.20 for the group AAA.

<RouterA> system-view

[RouterA] ip pool aaa 200.1.1.10 200.1.1.20 group AAA

# Configure a PPP address pool route.

[RouterA] ppp ip-pool route 200.1.1.1 24

# Create a local user for Router B.

[RouterA] local-user userb class network

# Set a password for the local user.

[RouterA-luser-network-userb] password simple 123

# Set the service type to PPP for the local user.

[RouterA-luser-network-userb] service-type ppp

[RouterA-luser-network-userb] quit

# Create ISP domain bbb and associate aaa with bbb.

[RouterA] domain bbb

[RouterA-isp-bbb] authorization-attribute ip-pool aaa

[RouterA-isp-bbb] quit

# Configure Serial 1/1/0 to authenticate the peer interface in bbb by using PAP.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] ppp authentication-mode pap domain bbb

# Configure an IP address for Serial 1/1/0.

[RouterA-Serial1/1/0] ip address 200.1.1.1 16

2. Configure Router B:

# Configure the username and password for PAP authentication by Router A.

<RouterB> system-view

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] ppp pap local-user userb password simple 123

# Enable IP address negotiation on Serial 1/1/0.

<RouterB> system-view

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] ip address ppp-negotiate

3. Verify the configuration:

# Display summary information about Serial 1/1/0 on Router B.

[RouterB-Serial1/1/0] display interface serial 1/1/0 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

S1/1/0 UP UP 200.1.1.10

The output shows that Serial 1/1/0 has obtained IP address 200.1.1.10 through PPP negotiation.

# Verify that Router B can ping Serial 1/1/0 of Router A.

[RouterB-Serial1/1/0] ping 200.1.1.1

Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 200.1.1.1: icmp_seq=0 ttl=128 time=3.197 ms

56 bytes from 200.1.1.1: icmp_seq=1 ttl=128 time=2.594 ms

56 bytes from 200.1.1.1: icmp_seq=2 ttl=128 time=2.739 ms

56 bytes from 200.1.1.1: icmp_seq=3 ttl=128 time=1.738 ms

56 bytes from 200.1.1.1: icmp_seq=4 ttl=128 time=1.744 ms

--- Ping statistics for 200.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.738/2.402/3.197/0.576 ms

# Display the address pools on Serial 1/1/0 of Router A.

[RouterA-Serial1/1/0] display ip pool aaa

Group name: AAA

Pool name Start IP address End IP address Free In use

aaa 200.1.1.10 200.1.1.20 10 1

In use IP addresses:

IP address Interface

200.1.1.10 S1/1/0

The output shows that one IP address of aaa has been assigned.

MP binding mode configuration examples

Network requirements

As shown in Figure 9, to enable MP for Serial 1/1/0 and Serial 1/1/1, use one of the following methods:

· Bind the physical interfaces to a VT interface.

· Associate remote usernames with a VT interface.

· Configure an MP-group interface.

Figure 9 Network diagram

Configuration procedure

(Method 1) Binding the physical interfaces to a VT interface

1. Configure Router A:

# Create a VT interface, and configure an IP address for it.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 8.1.1.1 24

[RouterA-Virtual-Template1] quit

# Configure Serial 1/1/1.

[RouterA] interface serial 1/1/1

[RouterA-Serial1/1/1] link-protocol ppp

[RouterA-Serial1/1/1] ppp mp virtual-template 1

[RouterA-Serial1/1/1] quit

# Configure Serial 1/1/0.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] link-protocol ppp

[RouterA-Serial1/1/0] ppp mp virtual-template 1

[RouterA-Serial1/1/0] quit

2. Configure Router B:

# Create a VT interface, and configure an IP address for it.

<RouterB> system-view

[RouterB] interface virtual-template 1

[RouterB-Virtual-Template1] ip address 8.1.1.2 24

[RouterB-Virtual-Template1] quit

# Configure Serial 1/1/1.

[RouterB] interface serial 1/1/1

[RouterB-Serial1/1/1] link-protocol ppp

[RouterB-Serial1/1/1] ppp mp virtual-template 1

[RouterB-Serial1/1/1] quit

# Configure Serial 1/1/0.

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] link-protocol ppp

[RouterB-Serial1/1/0] ppp mp virtual-template 1

[RouterB-Serial1/1/0] quit

3. Verify the configuration:

# Display MP information on Router A.

[RouterA] display ppp mp

Template: Virtual-Template1

max-bind: 16, fragment: enabled, min-fragment: 128

Master link: Virtual-Access0, Active members: 2, Bundle H3C

Peer's endPoint descriptor: H3C

Sequence format: long (rcv)/long (sent)

Bundle Up Time: 2013/01/10 07:13:10:723

0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved

Sequence: 0 (rcv)/0 (sent)

Active member channels: 2 members

Serial1/1/1 Up-Time:2013/01/10 07:13:10:724

Serial1/1/0 Up-Time:2013/01/10 07:13:11:945

# Display the status of the VA interface on Router A.

[RouterA] display interface virtual-access

Virtual-Access0

Current state: UP

Line protocol state: UP

Description: Virtual-Access0 Interface

Bandwidth: 128kbps

Maximum Transmit Unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet Address is 8.1.1.1/24 Primary

Link layer protocol: PPP

LCP: opened, MP: opened, IPCP: opened

Physical: MP, baudrate: 128000 bps

Main interface: Virtual-Template1

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 2 packets, 80 bytes, 0 drops

Output: 2 packets, 24 bytes, 0 drops

4. Ping IP address 8.1.1.1 on Router B.

[RouterB] ping 8.1.1.1

Ping 8.1.1.1 (8.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 8.1.1.1: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 8.1.1.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 8.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 8.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 8.1.1.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 8.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

(Method 2) Associating remote usernames with a VT interface

5. Configure Router A:

# Configure the usernames, and passwords of remote users.

<RouterA> system-view

[RouterA] local-user usera class network

[RouterA-luser-network-usera] password simple aaa

[RouterA-luser-network-usera] service-type ppp

[RouterA-luser-network-usera] quit

[RouterA] local-user userb class network

[RouterA-luser-network-userb] password simple bbb

[RouterA-luser-network-userb] service-type ppp

[RouterA-luser-network-userb] quit

# Bind a VT interface to users.

[RouterA] ppp mp user usera bind virtual-template 1

[RouterA] ppp mp user userb bind virtual-template 1

# Create the VT interface and configure its IP address.

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 8.1.1.1 24

[RouterA-Virtual-Template1] ppp mp binding-mode authentication

[RouterA-Virtual-Template1] quit

# Configure Serial 1/1/1.

[RouterA] interface serial 1/1/1

[RouterA-Serial1/1/1] link-protocol ppp

[RouterA-Serial1/1/1] ppp authentication-mode pap

[RouterA-Serial1/1/1] ppp pap local-user userc password simple ccc

[RouterA-Serial1/1/1] ppp mp

[RouterA-Serial1/1/1] quit

# Configure Serial 1/1/0.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] link-protocol ppp

[RouterA-Serial1/1/0] ppp authentication-mode pap

[RouterA-Serial1/1/0] ppp pap local-user userd password simple ddd

[RouterA-Serial1/1/0] ppp mp

[RouterA-Serial1/1/0] quit

6. Configure Router B:

# Configure the usernames, and passwords of remote users.

<RouterB> system-view

[RouterB] local-user userc class network

[RouterB-luser-network-userc] password simple ccc

[RouterB-luser-network-userc] service-type ppp

[RouterB-luser-network-userc] quit

[RouterB] local-user userd class network

[RouterB-luser-network-userd] password simple ddd

[RouterB-luser-network-userd] service-type ppp

[RouterB-luser-network-userd] quit

# Bind a VT interface to users.

[RouterB] ppp mp user userc bind virtual-template 1

[RouterB] ppp mp user userd bind virtual-template 1

# Create the VT interface and configure its IP address.

[RouterB] interface virtual-template 1

[RouterB-Virtual-Template1] ip address 8.1.1.2 24

[RouterB-Virtual-Template1] ppp mp binding-mode authentication

[RouterB-Virtual-Template1] quit

# Configure Serial 1/1/1.

[RouterB] interface serial 1/1/1

[RouterB-Serial1/1/1] link-protocol ppp

[RouterB-Serial1/1/1] ppp authentication-mode pap

[RouterB-Serial1/1/1] ppp pap local-user usera password simple aaa

[RouterB-Serial1/1/1] ppp mp

[RouterB-Serial1/1/1] quit

# Configure Serial 1/1/0.

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] link-protocol ppp

[RouterB-Serial1/1/0] ppp authentication-mode pap

[RouterB-Serial1/1/0] ppp pap local-user userb password simple bbb

[RouterB-Serial1/1/0] ppp mp

[RouterB-Serial1/1/0] quit

7. Verify the configuration:

# Display the MP information on Router A.

[RouterA] display ppp mp

Template: Virtual-Template1

max-bind: 16, fragment: enabled, min-fragment: 128

Master link: Virtual-Access0, Active members: 1, Bundle usera

Peer's endPoint descriptor: H3C

Sequence format: long (rcv)/long (sent)

Bundle Up Time: 2013/01/10 08:02:34:881

0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved

Sequence: 0 (rcv)/0 (sent)

Active member channels: 1 members

Serial1/1/1 Up-Time:2013/01/10 08:02:34:881

Master link: Virtual-Access1, Active members: 1, Bundle userb

Peer's endPoint descriptor: H3C

Sequence format: long (rcv)/long (sent)

Bundle Up Time: 2013/01/10 08:06:26:633

0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved

Sequence: 0 (rcv)/0 (sent)

Active member channels: 1 members

Serial1/1/0 Up-Time:2013/01/10 08:06:26:634

# Display the MP information on Router B.

[RouterB] display ppp mp

Template: Virtual-Template1

max-bind: 16, fragment: enabled, min-fragment: 128

Master link: Virtual-Access2, Active members: 1, Bundle userc

Peer's endPoint descriptor: H3C

Sequence format: long (rcv)/long (sent)

Bundle Up Time: 2013/01/10 12:31:13:391

0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved

Sequence: 0 (rcv)/0 (sent)

Active member channels: 1 members

Serial1/1/1 Up-Time:2013/01/10 12:31:13:392

Master link: Virtual-Access3, Active members: 1, Bundle userd

Peer's endPoint descriptor: H3C

Sequence format: long (rcv)/long (sent)

Bundle Up Time: 2013/01/10 12:35:05:88

0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved

Sequence: 0 (rcv)/0 (sent)

Active member channels: 1 members

Serial1/1/0 Up-Time:2013/01/10 12:35:05:89

# Display the status of the VA interfaces on Router B.

[RouterB] display interface virtual-access

Virtual-Access2

Current state: UP

Line protocol state: UP

Description: Virtual-Access2 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet Address is 8.1.1.2/24 Primary

Link layer protocol: PPP

LCP: opened, MP: opened, IPCP: opened

Physical: MP, baudrate: 64000 bps

Main interface: Virtual-Template1

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 2 packets, 80 bytes, 0 drops

Output: 2 packets, 24 bytes, 0 drops

Virtual-Access3

Current state: UP

Line protocol state: UP

Description: Virtual-Access3 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet Address is 8.1.1.2/24 Primary

Link layer protocol: PPP

LCP: opened, MP: opened, IPCP: opened

Physical: MP, baudrate: 64000 bps

Main interface: Virtual-Template1

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 2 packets, 80 bytes, 0 drops

Output: 2 packets, 24 bytes, 0 drops

# Ping IP address 8.1.1.1 on Router B.

[RouterB] ping 8.1.1.1

Ping 8.1.1.1 (8.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 8.1.1.1: icmp_seq=0 ttl=255 time=0.000 ms

56 bytes from 8.1.1.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 8.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 8.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 8.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 8.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms

(Method 3) Configuring an MP-group interface

8. Configure Router A:

# Create an MP-group interface, and configure an IP address for it.

<RouterA> system-view

[RouterA] interface mp-group 1/1/0

[RouterA-MP-group1/1/0] ip address 1.1.1.1 24

# Configure interface Serial 1/1/1.

[RouterA-MP-group1/1/0] quit

[RouterA] interface serial 1/1/1

[RouterA-Serial1/1/1] link-protocol ppp

[RouterA-Serial1/1/1] ppp mp mp-group 1/1/0

[RouterA-Serial1/1/1] shutdown

[RouterA-Serial1/1/1] undo shutdown

[RouterA-Serial1/1/1] quit

# Configure interface Serial 1/1/0.

[RouterA] interface serial 1/1/0

[RouterA-Serial1/1/0] link-protocol ppp

[RouterA-Serial1/1/0] ppp mp mp-group 1/1/0

[RouterA-Serial1/1/0] shutdown

[RouterA-Serial1/1/0] undo shutdown

[RouterA-Serial1/1/0] quit

9. Configure Router B:

# Create an MP-group interface, and configure an IP address for it.

[RouterB] interface mp-group 1/1/0

[RouterB-Mp-group1/1/0] ip address 1.1.1.2 24

[RouterB-Mp-group1/1/0] quit

# Configure interface Serial 1/1/1.

[RouterB] interface serial 1/1/1

[RouterB-Serial1/1/1] link-protocol ppp

[RouterB-Serial1/1/1] ppp mp mp-group 1/1/0

[RouterB-Serial1/1/1] shutdown

[RouterB-Serial1/1/1] undo shutdown

[RouterB-Serial1/1/1] quit

# Configure interface Serial 1/1/0.

[RouterB] interface serial 1/1/0

[RouterB-Serial1/1/0] link-protocol ppp

[RouterB-Serial1/1/0] ppp mp mp-group 1/1/0

[RouterB-Serial1/1/0] shutdown

[RouterB-Serial1/1/0] undo shutdown

[RouterB-Serial1/1/0] quit

10. Verify the configuration:

# Display MP information on Router A.

[RouterA] display ppp mp

Template: MP-group1/1/0

max-bind: 16, fragment: enabled, min-fragment: 128

Master link: MP-group1/1/0, Active members: 2, Bundle Multilink

Peer's endPoint descriptor: MP-group1/1/0

Sequence format: short (rcv)/long (sent)

Bundle Up Time: 2012/11/04 09:03:16:612

0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved

Sequence: 0 (rcvd)/0 (sent)

Active member channels: 2 members

Serial1/1/1 Up-Time:2012/11/04 09:03:16:613

Serial1/1/0 Up-Time:2012/11/04 09:03:42:945

# Display information about interface MP-group 1/1/0 on Router A.

[RouterA] display interface mp-group 1/1/0

MP-group1/1/0

Current state: UP

Line protocol state: UP

Description: MP-group1/1/0 Interface

Bandwidth: 2048kbps

Maximum Transmit Unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet Address is 1.1.1.1/24 Primary

Link layer protocol: PPP

LCP: opened, MP: opened, IPCP: opened

Physical: MP, baudrate: 2048000 bps

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last link flapping: Never

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 2 packets, 80 bytes, 0 drops

Output: 2 packets, 24 bytes, 0 drops

# Ping Router B from Router A.

[RouterA] ping 1.1.1.2

Ping 1.1.1.2 (1.1.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 1.1.1.2: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 1.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 1.1.1.2: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 1.1.1.2: icmp_seq=3 ttl=255 time=7.000 ms

56 bytes from 1.1.1.2: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 1.1.1.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.600/7.000/2.577 ms

Configuring PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames encapsulated in Ethernet over point-to-point links.

PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint relationship as in multi-access environments such as Ethernet. PPPoE provides Internet access for the hosts in an Ethernet through a remote access device and implement access control, authentication, and accounting on a per-host basis. Integrating the low cost of Ethernet and scalability and management functions of PPP, PPPoE gained popularity in various application environments, such as residential access networks.

For more information about PPPoE, see RFC 2516.

PPPoE network structure

PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE server. After session negotiation between them is complete, a session is established between them, and the PPPoE server provides access control, authentication, and accounting to the PPPoE client.

Depending on the starting point of the PPPoE session, the following network structures are available:

· As shown in Figure 10, the PPPoE session is established between routers (Router A and Router B). All hosts share one PPPoE session for data transmission without being installed with PPPoE client software. This network structure is typically used by enterprises.

Figure 10 Network structure 1

· As shown in Figure 11, a PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client software.

Figure 11 Network structure 2

Configuring the PPPoE server

Configuring a PPPoE session

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VT interface and enter VT interface view.	interface virtual-template number	N/A
3. Set PPP parameters.	See "Configuring PPP."	If authentication is needed, use the PPPoE server as the authenticator.
4. Enable MRU verification.	ppp lcp echo mru verify [ minimum value ]	By default, MRU verification is disabled.
5. Return to system view.	quit	N/A
6. Enter Layer 3 Ethernet interface/subinterface, VLAN interface, Layer 3 aggregate interface/subinterface, or L3VE interface view.	interface interface-type interface-number	N/A
7. Enable the PPPoE server on the interface and bind this interface to the specified VT interface.	pppoe-server bind virtual-template number	By default, the PPPoE server is disabled on the interface.
8. (Optional.) Configure an access concentrator (AC) name for the PPPoE server.	pppoe-server tag ac-name name	By default, the AC name for the PPPoE server is the device name. PPPoE clients can choose a PPPoE server according to the AC name. The device does not support this feature.
9. (Optional.) Enable the PPPoE server to support the ppp-max-payload tag and specify a range for the PPP maximum payload.	pppoe-server tag ppp-max-payload [ minimum minvalue maximum maxvalue ]	By default, The PPPoE server does not support the ppp-max-payload tag.
10. (Optional.) Set a service name for the PPPoE server	pppoe-server tag service-name name	By default, the PPPoE server does not have a service name.
11. (Optional) Set the response delay time for user access.	pppoe-server access-delay delay-time	By default, no response delay time is set.
12. Return to system view.	quit	N/A
13. Configure the PPPoE server to perform authentication, authorization, and accounting for PPP users.	See Security Configuration Guide.	N/A

Setting the maximum number of PPPoE sessions

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on an IRF member device.

New maximum number settings apply only to subsequently established PPPoE sessions.

To configure the maximum number of PPPoE sessions:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet interface/subinterface, VLAN interface, Layer 3 aggregate interface/subinterface, or L3VE interface view.	interface interface-type interface-number	The PPPoE server is enabled on the interface.
3. Set the maximum number of PPPoE sessions on an interface.	pppoe-server session-limit number	By default, the number of PPPoE sessions on an interface is not limited.
4. Set the maximum number of PPPoE sessions for a VLAN on an interface.	pppoe-server session-limit per-vlan number	By default, the number of PPPoE sessions for a VLAN on an interface is not limited.
5. Set the maximum number of PPPoE sessions for a user on an interface.	pppoe-server session-limit per-mac number	By default, a user is allowed to create a maximum of 100 PPPoE sessions.
6. Return to system view.	quit	N/A
7. Set the maximum number of PPPoE sessions on the specified device (in standalone mode).	pppoe-server session-limit slot slot-number total number	By default, the number of PPPoE sessions on a device is not limited.
8. Set the maximum number of PPPoE sessions on an IRF member device (in standalone mode).	pppoe-server session-limit slot slot-number total number	By default, the number of PPPoE sessions on an IRF member device is not limited.

Limiting the PPPoE access rate

The device can limit the rate at which a user (identified by an MAC address) can create PPPoE sessions on an interface. If the number of PPPoE requests within the monitoring time exceeds the configured threshold, the device discards the excessive requests, and outputs log messages. If the blocking time is set to 0, the device does not block any requests, and it only outputs log messages.

The device uses a monitoring table and a blocking table to control PPP access rates:

· Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users. The aging time of monitoring entries is determined by the session-request-period argument. When the timer expires, the system starts a new round of monitoring for the user.

· Blocking table—Stores a maximum of 8000 blocking entries. The system creates a blocking entry if the access rate of a user reaches the threshold, and blocks requests from that user. When the blocking entries reach the maximum number, the system stops blocking session requests from new users and it only outputs log messages. The aging time of the blocking entries is determined by the blocking-period argument. When the timer expires, the system starts a new round of monitoring for the user.

If the access rate setting is changed, the system removes all monitoring and blocking entries, and uses the new settings to limit PPPoE access rates.

To limit the PPPoE access rate:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet interface/subinterface, VLAN interface, Layer 3 aggregate interface/subinterface, or L3VE interface view.	interface interface-type interface-number	The PPPoE server is enabled on the interface.
3. Set the PPPoE access limit.	pppoe-server throttle per-mac session-requests session-request-period blocking-period	By default, the PPPoE access rate is not limited.
4. Display information about blocked users (in standalone mode).	display pppoe-server throttled-mac { slot slot-number \| interface interface-type interface-number }	Available in any view.
5. Display information about blocked users (in IRF mode).	display pppoe-server throttled-mac { chassis chassis-number slot slot-number \| interface interface-type interface-number }	Available in any view.

Configuring the nas-port-id attribute

The PPPoE server on a BAS device uses the RADIUS nas-port-id attribute to send the access line ID received from a DSLAM device to the RADIUS server. The access line ID includes the circuit-id and remote-id. The RADIUS server compares the received nas-port-id attribute with the local line ID information to verify the location of the user.

You can configure the content of the nas-port-id attribute that the PPPoE server sends to the RADIUS server.

To configure the nas-port-id attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet interface/subinterface, VLAN interface, Layer 3 aggregate interface/subinterface, or L3VE interface view.	interface interface-type interface-number	The PPPoE server is enabled on the interface.
3. Configure the content of the nas-port-id attribute.	pppoe-server access-line-id content { all [ separator ] \| circuit-id \| remote-id }	By default, the nas-port-id attribute contains only the circuit-id.
4. Configure the nas-port-id attribute to include the BAS information automatically.	pppoe-server access-line-id bas-info [ cn-163 ]	By default, the nas-port-id attribute does not include the BAS information automatically.
5. Configure the PPPoE server to trust the access line ID in received packets.	pppoe-server access-line-id trust	By default, the PPPoE server does not trust the access line ID in received packets.
6. Configure the format that is used to parse the circuit-id.	pppoe-server access-line-id circuit-id parse-mode { cn-telecom \| tr-101 }	The default mode is TR-101.
7. Configure the transmission format for the circuit-id.	pppoe-server access-line-id circuit-id trans-format { ascii \| hex }	The default format is a string of characters.
8. Configure the transmission format for the remote-id.	pppoe-server access-line-id remote-id trans-format { ascii \| hex }	The default format is a string of characters.

Configuring a VA pool

The PPPoE server creates a VA interface for a PPPoE session to transmit packets between PPPoE and PPP, and removes the VA interface when the user goes offline. Creating and removing VA interfaces take time.

You can configure VA pools to improve the performance of PPPoE session establishment and termination. A VA pool contains a group of automatically numbered VA interfaces. The PPPoE server selects a VA interface from the pool for a requesting user and release the VA interface when the user goes offline. When a VA pool is exhausted, the system creates VA interfaces for new PPPoE sessions, and removes those VA interfaces when the users go offline.

On a VT interface, you can create one global VA pool and one regional VA pool per member device for interfaces bound with the VT interface.

· The global VA pool contains VA interfaces for logical interfaces that might span multiple devices, such as Ethernet aggregate interfaces.

· The regional VA pool contains VA interfaces for interfaces that do not span multiple devices, such as Ethernet interfaces.

When you configure a VA pool, follow these guidelines:

· To change the capacity of a VA pool, you must delete the previous configuration, and reconfigure the VA pool.

· Creating or removing a VA pool takes time. During the process of creating or removing a VA pool, users can go online or offline, but the VA pool does not take effect.

· If the system fails to create a VA pool because of insufficient resources, you can view the available resources by using the display pppoe-server va-pool command.

· VA pools are memory intensive. Set their capacity depending on your network requirements.

· Deleting a VA pool does not log off the users who are using VA interfaces in the VA pool.

To configure a VA pool:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VA pool (in standalone mode).	pppoe-server virtual-template template-number [ slot slot-number ] va-pool va-volume	By default, no VA pool exists.
3. Create a VA pool (in IRF mode).	pppoe-server virtual-template template-number [ chassis chassis-number slot slot-number ] va-pool va-volume	By default, no VA pool exists.

Clearing PPPoE sessions

To clear PPPoE sessions on the PPPoE server:

Step	Command	Remarks
1. Enter user view.	user-view	N/A
2. Clear PPPoE sessions.	reset pppoe-server { all \| interface interface-type interface-number \| virtual-template number }	N/A

Configuring a PPPoE client

PPPoE client configuration includes dialer interface configuration and PPPoE session configuration.

A PPPoE session can operate in one of the following modes:

· Permanent mode—A PPPoE session is established immediately when the line is physically up. This type of session remains until the physical link comes down or until the session is disconnected.

· On-demand mode—A PPPoE session is established when there is a demand for data transmission instead of when the line is physically up. It is terminated when idled for a specific period of time.

· Diagnostic mode—A PPPoE session is established immediately after the device configurations finish. The device automatically terminates the PPPoE session and then tries to re-establish a PPPoE session at a pre-configured interval. By establishing and terminating PPPoE sessions periodically, you can monitor the operating status of the PPPoE link.

The PPPoE session operating mode is determined by your configuration on the dialer interface:

· Permanent mode—Used when you set the link idle time to 0 by using the dialer timer idle command and do not configure the dialer diagnose command.

· On-demand mode—Used when you set the link idle time to a non-zero value by using the dialer timer idle command and do not configure the dialer diagnose command.

· Diagnostic mode—Used when you configure the dialer diagnose command.

Configuring a dialer interface

Before establishing a PPPoE session, you must first create a dialer interface and configure bundle DDR on the interface. Each PPPoE session uniquely corresponds to a dialer bundle, and each dialer bundle uniquely corresponds to a dialer interface. A PPPoE session uniquely corresponds to a dialer interface.

For more information about configuring dialer interfaces, bundle DDR, and dialer bundles, see "Configuring DDR."

Configuring a dialer interface for a PPPoE client

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a dialer access group and configure a dial access control rule.	dialer-group group-number rule { ip \| ipv6 } { deny \| permit \| acl { acl-number \| name acl-name } }	By default, no dialer group exists.
3. Create a dialer interface and enter its view.	interface dialer number	N/A
4. Assign an IP address to the interface.	ip address { address mask \| ppp-negotiate }	By default, no IP address is configured.
5. Enable bundle DDR on the interface.	dialer bundle enable	By default, no DDR is enabled.
6. Associate the interface with the dial access control rule by associating the interface with the corresponding dialer access group.	dialer-group group-number	By default, a dialer interface is not assigned to any dialer group.
7. Configure the link-idle timeout timer.	dialer timer idle idle [ in \| in-out ]	The default setting is 120 seconds. When this timer is set to 0 seconds, the PPPoE session operates in permanent mode. Otherwise, the PPPoE session operates in on-demand mode.
8. Configure the DDR application to operate in diagnostic mode.	dialer diagnose [ interval interval ]	By default, the DDR application operates in non-diagnostic mode. When DDR operates in diagnostic mode, the link-idle timeout timer is ignored.
9. Set the auto-dial interval.	dialer timer autodial autodial-interval	The default setting is 300 seconds. In permanent or diagnostic mode, DDR starts the auto-dial timer after the link is disconnected and originates a new call when the auto-dial timer expires. As a best practice, set a shorter auto-dial interval for DDR to soon originate a new call.
10. Set the MTU for the dialer interface	mtu size	By default, the MTU on a dialer interface is 1500 bytes. The dialer interface fragments a packet that exceeds the configured MTU, and adds a 2-byte PPP header and a 6-byte PPPoE header to each fragment. You should modify the MTU of a dialer interface to make sure the total length of any fragment packet is less than the MTU of the physical interface.

Configuring a PPPoE session

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet interface/subinterface view, view, or VLAN interface view.	interface interface-type interface-number	N/A
3. Create a PPPoE session and specify a dialer bundle for the session.	pppoe-client dial-bundle-number number [ no-hostuniq ]	By default, no PPPoE sessions are created. The number argument in this command must take the same value as the configured dialer interface number.

Resetting a PPPoE session

After you reset a PPPoE session in permanent mode, the device establishes a new PPPoE session when the autodial timer expires.

After you reset a PPPoE session in on-demand mode, the device establishes a new PPPoE session when there is a demand for data transmission.

To reset a PPPoE session:

Step	Command	Remarks
1. Reset a PPPoE session.	reset pppoe-client { all \| dial-bundle-number number }	Available in user view.

Displaying and maintaining PPPoE

Displaying and maintaining PPPoE server

Execute display commands in any view.

Task	Command
Display summary information for PPPoE sessions (in standalone mode).	display pppoe-server session summary { slot slot-number \| interface interface-type interface-number }
Display summary information for PPPoE sessions (in IRF mode).	display pppoe-server session summary { chassis chassis-number slot slot-number \| interface interface-type interface-number }
Display packet statistics for PPPoE sessions (in standalone mode).	display pppoe-server session packet { slot slot-number \| interface interface-type interface-number }
Display packet statistics for PPPoE sessions (in IRF mode).	display pppoe-server session packet { chassis chassis-number slot slot-number \| interface interface-type interface-number }
Display information about blocked users (in standalone mode).	display pppoe-server throttled-mac { slot slot-number \| interface interface-type interface-number }
Display information about blocked users (in IRF mode).	display pppoe-server throttled-mac { chassis chassis-number slot slot-number \| interface interface-type interface-number }
Display VA pool information.	display pppoe-server va-pool

Displaying and maintaining PPPoE client

Execute display commands in any view and reset commands in user view.

Task	Command
Display summary information for a PPPoE session.	display pppoe-client session summary [ dial-bundle-number number ]
Display the protocol packet statistics for a PPPoE session.	display pppoe-client session packet [ dial-bundle-number number ]
Clear the protocol packet statistics for a PPPoE session.	reset pppoe-client session packet [ dial-bundle-number number ]

PPPoE configuration examples

PPPoE server configuration example

Network requirements

As shown in Figure 12, Host A and Host B run PPPoE client dialup software. The PPPoE server on the router performs local authentication and assigns IP addresses to the clients.

Figure 12 Network diagram

Configuration procedure

# Create a PPPoE user.

<Router> system-view

[Router] local-user user1 class network

[Router-luser-network-user1] password simple pass1

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# Configure Virtual-Template 1 to use CHAP for authentication and use a PPP address pool for IP address assignment.

[Router] interface virtual-template 1

[Router-Virtual-Template1] ppp authentication-mode chap domain system

[Router-Virtual-Template1] ppp chap user user1

[Router-Virtual-Template1] remote address pool 1

[Router-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[Router-Virtual-Template1] quit

# Configure a PPP address pool that contains nine assignable IP addresses.

[Router] ip pool 1 1.1.1.2 1.1.1.10

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[Router-GigabitEthernet1/1/1] quit

# Configure local authentication for the default ISP domain (system).

[Router] domain system

[Router-isp-system] authentication ppp local

[Router-isp-system] quit

Verifying the configuration

# Verify that Host A and Host B can access the Internet by using username user1 and password pass1. (Details not shown.)

PPPoE server IP address assignment through the local DHCP server configuration example

Network requirements

As shown in Figure 13, configure the PPPoE server as a DHCP server to assign an IP address to the host.

Figure 13 Network diagram

Configuration procedure

# Configure Virtual-Template 10 to use PAP for authentication and use a DHCP address pool for IP address assignment, and configure an IP address for Virtual-Template 10.

<Router> system-view

[Router] interface virtual-template 10

[Router-Virtual-Template10] ppp authentication-mode pap

[Router-Virtual-Template10] remote address pool pool1

[Router-Virtual-Template10] ip address 1.1.1.1 255.255.255.0

[Router-Virtual-Template10] quit

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 10.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] pppoe-server bind virtual-template 10

[Router-GigabitEthernet1/1/1] quit

# Enable DHCP.

[Router] dhcp enable

# Configure DHCP address pool pool1.

[Router] dhcp server ip-pool pool1

[Router-dhcp-pool-pool1] network 1.1.1.0 24

[Router-dhcp-pool-pool1] quit

# Create a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple pass1

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

Verifying the configuration

# Log in to the router by using username user1 and password pass1.

# Display information about IP addresses assigned by the DHCP server.

[Router] display dhcp server ip-in-use

IP address Client identifier/ Lease expiration Type

Hardware address

1.1.1.2 3030-3030-2e30-3030- Unlimited Auto(C)

662e-3030-3033-2d45-

7468-6572-6e65-74

The output shows that the router has assigned an IP address to the host.

PPPoE server IP address assignment through a remote DHCP server configuration example

Network requirements

As shown in Figure 14, configure the PPPoE server as a DHCP relay agent to relay an IP address from the DHCP server to the host.

Figure 14 Network diagram

Configuration procedure

1. Configure Router A as the PPPoE server:

# Configure Virtual-Template 10 to use PAP for authentication and use a DHCP address pool for IP address assignment, and configure an IP address for Virtual-Template 10.

<RouterA> system-view

[RouterA] interface virtual-template 10

[RouterA-Virtual-Template10] ppp authentication-mode pap

[RouterA-Virtual-Template10] remote address pool pool1

[RouterA-Virtual-Template10] ip address 2.2.2.1 255.255.255.0

[RouterA-Virtual-Template10] quit

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 10.

[RouterA] interface gigabitethernet 1/1/1

[RouterA-GigabitEthernet1/1/1] pppoe-server bind virtual-template 10

[RouterA-GigabitEthernet1/1/1] quit

# Enable DHCP.

[RouterA] dhcp enable

# Enable recording of relay entries on the relay agent.

[RouterA] dhcp relay client-information record

# Create DHCP relay address pool pool1.

[RouterA] dhcp server ip-pool pool1

# Specify a gateway address for the clients in pool1.

[RouterA-dhcp-pool-pool1] gateway-list 2.2.2.2 export-route

# Specify a DHCP server for pool1.

[RouterA-dhcp-pool-pool1] remote-server 10.1.1.1

[RouterA-dhcp-pool-pool1] quit

# Specify an IP address for GigabitEthernet 1/1/2.

[RouterA] interface gigabitethernet 1/1/2

[RouterA-GigabitEthernet1/1/2] ip address 10.1.1.2 24

[RouterA-GigabitEthernet1/1/2] quit

# Create a PPPoE user.

[RouterA] local-user user1 class network

[RouterA-luser-network-user1] password simple pass1

[RouterA-luser-network-user1] service-type ppp

[RouterA-luser-network-user1] quit

2. Configure Router B as a DHCP server.

# Enable DHCP.

<RouterB> system-view

[RouterB] dhcp enable

# Create DHCP address pool pool1, and specify a primary subnet and a gateway address for DHCP clients.

[RouterB] dhcp server ip-pool pool1

[RouterB-dhcp-pool-pool1] network 2.2.2.0 24

[RouterB-dhcp-pool-pool1] gateway-list 2.2.2.1

[RouterB-dhcp-pool-pool1] quit

# Specify an IP address for GigabitEthernet 1/1/1.

[RouterB] interface gigabitethernet 1/1/1

[RouterB-GigabitEthernet1/1/1] ip address 10.1.1.1 24

[RouterB-GigabitEthernet1/1/1] quit

# Configure a static route to the PPPoE server.

[RouterB] ip route-static 2.2.2.0 24 10.1.1.2

Verifying the configuration

# Log in to Router A by using username user1 and password pass1.

# Display relay entries on the DHCP relay agent on Router A.

[RouterA] display dhcp relay client-information

Total number of client-information items: 1

Total number of dynamic items: 1

Total number of temporary items: 0

IP address MAC address Type Interface VPN name

2.2.2.3 00e0-0000-0001 Dynamic VA1 N/A

# Display information about the assigned IP addresses on Router B.

[RouterB] display dhcp server ip-in-use

IP address Client identifier/ Lease expiration Type

Hardware address

2.2.2.3 00e0-0000-0001 Unlimited Auto(C)

The output shows that Router B has assigned an IP address to the host.

PPPoE server IPv6 address assignment through ND and IPv6CP negotiation configuration example

Network requirements

As shown in Figure 15, configure the PPPoE server to advertise the following information to the host:

· IPv6 prefix in RA messages.

· IPv6 interface identifier during IPv6CP negotiation.

The host uses the IPv6 prefix and IPv6 interface identifier to generate an IPv6 global unicast address.

Figure 15 Network diagram

Configuration procedure

# Create Virtual-Template 10.

<Router> system-view

[Router] interface virtual-template 10

# Configure Virtual-Template 10 to use PAP to authenticate the peer.

[Router-Virtual-Template10] ppp authentication-mode pap domain system

# Configure an IPv6 address for Virtual-Template 10.

[Router-Virtual-Template10] ipv6 address 2001::1 64

# Enable Virtual-Template 10 to advertise RA messages.

[Router-Virtual-Template10] undo ipv6 nd ra halt

[Router-Virtual-Template10] quit

# Enable the PPPoE sever on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 10.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] pppoe-server bind virtual-template 10

[Router-GigabitEthernet1/1/1] quit

# Configure a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple pass1

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# Configure an IPv6 prefix authorized to the user in the ISP domain.

[Router] domain system

[Router-isp-system] authorization-attribute ipv6-prefix 2003:: 64

[Router-isp-system] quit

Verifying the configuration

# Display PPP user information on GigabitEthernet 1/1/1.

[Router] display ppp access-user interface gigabitethernet 1/1/1

Interface Username MAC address IP address IPv6 address IPv6 PDPrefix

VA0 user1 0000-5e08-9d00 - 2003::9CBC:3898:0:605 -

PPPoE server IPv6 address assignment through DHCPv6 configuration example

Network requirements

As shown in Figure 16, configure the PPPoE server to assign an IPv6 address to the host through DHCPv6.

Figure 16 Network diagram

Configuration procedure

# Create Virtual-Template 10.

<Router> system-view

[Router] interface virtual-template 10

# Configure Virtual-Template 10 to use PAP to authenticate the peer.

[Router-Virtual-Template10] ppp authentication-mode pap domain system

# Configure an IPv6 address for Virtual-Template 10.

[Router-Virtual-Template10] ipv6 address 3001::1 64

# Enable Virtual-Template 10 to advertise RA messages.

[Router-Virtual-Template10] undo ipv6 nd ra halt

# Configure the host to use the DHCPv6 protocol to obtain IPv6 addresses.

[Router-Virtual-Template10] ipv6 nd autoconfig managed-address-flag

# Enable the DHCPv6 server feature.

[Router-Virtual-Template10] ipv6 dhcp select server

[Router-Virtual-Template10] quit

# Enable the PPPoE sever on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 10.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] pppoe-server bind virtual-template 10

[Router-GigabitEthernet1/1/1] quit

# Configure DHCPv6 address pool 1 with network 3001::/32.

[Router] ipv6 dhcp pool pool1

[Router-dhcp6-pool-pool1] network 3001::/32

[Router-dhcp6-pool-pool1] quit

# Configure a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple pass1

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# Configure an IPv6 pool attribute authorized to the user in the ISP domain.

[Router] domain system

[Router-isp-system] authorization-attribute ipv6-pool pool1

[Router-isp-system] quit

Verifying the configuration

# Display PPP user information on GigabitEthernet 1/1/1.

[Router] display ppp access-user interface gigabitethernet 1/1/1

Interface Username MAC address IP address IPv6 address IPv6 PDPrefix

VA0 user1 0000-5e08-9d00 - 3001::2 -

Example for configuring PPPoE server IPv6 address assignment through prefix delegation by DHCPv6

Network requirements

As shown in Figure 17, configure the PPPoE server to assign a prefix to Router A through DHCPv6. Router A then assigns the prefix to the host for it to generate an IPv6 address.

Figure 17 Network diagram

Configuration procedure

# Create Virtual-Template 10.

<RouterB> system-view

[RouterB] interface virtual-template 10

# Configure Virtual-Template 10 to use PAP to authenticate the peer.

[RouterB-Virtual-Template10] ppp authentication-mode pap domain system

# Configure an IPv6 address for Virtual-Template 10.

[RouterB-Virtual-Template10] ipv6 address 2001::1 64

# Enable Virtual-Template 10 to advertise RA messages.

[RouterB-Virtual-Template10] undo ipv6 nd ra halt

# Enable the DHCPv6 server feature.

[RouterB-Virtual-Template10] ipv6 dhcp select server

[RouterB-Virtual-Template10] quit

# Enable the PPPoE sever on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 10.

[RouterB] interface gigabitethernet 1/1/1

[RouterB-GigabitEthernet1/1/1] pppoe-server bind virtual-template 10

[RouterB-GigabitEthernet1/1/1] quit

# Create prefix pool 6, and specify prefix 4001::/32 with assigned prefix length 42.

[RouterB] ipv6 dhcp prefix-pool 6 prefix 4001::/32 assign-len 42

# Create address pool 1, specify the subnet 4001::/64 for dynamic allocation in pool 1, and apply prefix pool 6 to address pool 1.

[RouterB] ipv6 dhcp pool pool1

[RouterB-dhcp6-pool-pool1] network 4001::/64

[RouterB-dhcp6-pool-pool1] prefix-pool 6

[Router-dhcp6-pool-pool1] quit

# Configure a PPPoE user.

[RouterB] local-user user1 class network

[RouterB-luser-network-user1] password simple pass1

[RouterB-luser-network-user1] service-type ppp

[RouterB-luser-network-user1] quit

# Configure an IPv6 pool attribute authorized to the user in the ISP domain.

[RouterB] domain system

[RouterB-isp-system] authorization-attribute ipv6-pool pool1

Verifying the configuration

# Verify that Router B has assigned a prefix to Router A.

[RouterB] display ipv6 dhcp server pd-in-use

Pool: 1

IPv6 prefix Type Lease expiration

4001::1/42 Auto(O) Jul 10 19:45:01 2013

Then, Router A can assign the prefix 4001::1/42 to the host who uses the prefix to generate an IPv6 global unicast address.

PPPoE server RADIUS-based IP address assignment configuration example

Network requirements

As shown in Figure 18, configure the PPPoE server to meet the following requirements:

· The PPPoE server uses the RADIUS server to perform authentication, authorization, and accounting for access users

· The RADIUS server assigns access users a PPP address pool named pool1 and a VPN instance named vpn1.

· Users in vpn1 obtain IP addresses from PPP address pool pool1.

Figure 18 Network diagram

Configuration procedure

1. Configure the MPLS L3VPN feature.

For the two ends of VPN 1 to communicate with each other, specify the same route target attributes on the two PEs (Router A and Router B). This example describes only the authentication-related configuration on the PE that is connected to the PPPoE client. For information about configuring MPLS L3VPN, see MPLS Configuration Guide.

2. Configure the RADIUS server:

This example uses Free RADIUS that runs in the Linux operating system.

# Add the following text to the client.conf file to configure RADIUS client information.

client 10.1.1.1/24 {

secret = radius

shortname = sr88

}

Where, secret represents the shared key for authentication, authorization, and accounting.

# Add the following text to the users.conf file to configure legal user information.

user1 Auth-Type == CHAP,User-Password := pass1

Service-Type = Framed-User,

Framed-Protocol = PPP,

Framed-IPv6-Pool = "pool1",

H3C-VPN-Instance = "vpn1",

3. Configure Router A:

a. Configure the PPPoE server:

# Configure Virtual-Template 1 to use CHAP for authentication and use ISP domain dm1 as the authentication domain.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ppp authentication-mode chap domain dm1

[RouterA-Virtual-Template1] quit

# Create a PPP address pool that contains nine assignable IP addresses.

[RouterA] ip pool pool1 1.1.1.2 1.1.1.10 group 1

# Specify gateway address 1.1.1.1 and VPN instance vpn1 for pool1.

[RouterA] ip pool pool1 gateway 1.1.1.1 vpn-instance vpn1

# Configure a PPP address pool route for pool1.

[RouterA] ppp ip-pool route 1.1.1.1 24 vpn-instance vpn1

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/1/1

[RouterA-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/1/1] quit

b. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1, and enter its view.

[RouterA] radius scheme rs1

# Specify the primary authentication server and the primary accounting server.

[RouterA-radius-rs1] primary authentication 10.1.1.2

[RouterA-radius-rs1] primary accounting 10.1.1.2

# Set the shared key for secure communication with the server to radius in plain text.

[RouterA-radius-rs1] key authentication simple radius

[RouterA-radius-rs1] key accounting simple radius

# Exclude domain names in the usernames sent to the RADIUS server.

[RouterA-radius-rs1] user-name-format without-domain

[RouterA-radius-rs1] quit

c. Configure an authentication domain:

# Create an ISP domain named dm1.

[RouterA] domain dm1

# In ISP domain dm1, perform RADIUS authentication, authorization, and accounting for users based on scheme rs1.

[RouterA-isp-dm1] authentication ppp radius-scheme rs1

[RouterA-isp-dm1] authorization ppp radius-scheme rs1

[RouterA-isp-dm1] accounting ppp radius-scheme rs1

[RouterA-isp-dm1] quit

Verifying the configuration

# Verify that Host A can successfully ping CE. (Details not shown.)

# Verify that the PPPoE client has obtained an IP address from pool1.

[RouterA] display ip pool pool1

Group name: 1

Pool name Start IP address End IP address Free In use

pool1 1.1.1.2 1.1.1.10 8 1

In use IP addresses:

IP address Interface

1.1.1.2 VA0

PPPoE client in permanent mode configuration example

Network requirements

As shown in Figure 19, Router A serves as a PPPoE server. Configure Router B as a PPPoE client operating in permanent mode.

Figure 19 Network diagram

Configuration procedure

1. Configure Router A as the PPPoE server:

# Configure an IP address for Virtual-Template 1 and specify an IP address for the peer.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/1/1

[RouterA-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/1/1] quit

2. Configure Router B as the PPPoE client:

# Enable bundle DDR on Dialer 1.

<RouterB> system-view

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer bundle enable

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterB-Dialer1] ip address ppp-negotiate

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[RouterB] interface gigabitethernet 1/1/1

[RouterB-GigabitEthernet1/1/1] pppoe-client dial-bundle-number 1

[RouterB-GigabitEthernet1/1/1] quit

# Configure the PPPoE session to operate in permanent mode.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer timer idle 0

# Set the DDR auto-dial interval to 60 seconds.

[RouterB-Dialer1] dialer timer autodial 60

[RouterB-Dialer1] quit

# Configure a static route.

[RouterB] ip route-static 1.1.1.1 255.0.0.0 dialer 1

Verifying the configuration

# Display summary information about the PPPoE session established between Router B and Router A (PPPoE server).

[RouterB-Dialer1] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/1/1 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

PPPoE client in on-demand mode configuration example

Network requirements

As shown in Figure 20, Router A serves as a PPPoE server. Configure Router B as a PPPoE client operating in on-demand mode, and set the link idle-timeout timer to 150 seconds.

Figure 20 Network diagram

Configuration procedure

1. Configure Router A as the PPPoE server:

# Configure an IP address for Virtual-Template 1 and specify an IP address for the peer.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/1/1

[RouterA-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/1/1] quit

2. Configure Router B as the PPPoE client.

# Create dialer access group 1 and configure a dial access control rule for it.

<RouterB> system-view

[RouterB] dialer-group 1 rule ip permit

# Enable bundle DDR on Dialer 1.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer bundle enable

# Associate Dialer 1 with dialer access group 1.

[RouterB-Dialer1] dialer-group 1

[RouterB-Dialer1] quit

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterB-Dialer1] ip address ppp-negotiate

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[RouterB] interface gigabitethernet 1/1/1

[RouterB-GigabitEthernet1/1/1] pppoe-client dial-bundle-number 1

[RouterB-GigabitEthernet1/1/1] quit

# Configure a static route.

[RouterB] ip route-static 1.1.1.1 255.0.0.0 dialer 1

# Set the link-idle timeout timer to 150 seconds.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer timer idle 150

[RouterB-Dialer1] quit

Verifying the configuration

# Display summary information about the PPPoE session established between Router B and Router A (PPPoE server).

[RouterB-Dialer1] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/1/1 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

PPPoE client in diagnostic mode configuration example

Network requirements

As shown in Figure 21, Router A serves as a PPPoE server. Configure Router B as a PPPoE client operating in diagnostic mode, and set the diagnostic interval to 200 seconds.

Figure 21 Network diagram

Configuration procedure

1. Configure Router A as the PPPoE server:

# Configure an IP address for Virtual-Template 1 and specify an IP address for the peer.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/1/1, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/1/1

[RouterA-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/1/1] quit

2. Configure Router B as the PPPoE client.

# Enable bundle DDR on Dialer 1.

<RouterB> system-view

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer bundle enable

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterB-Dialer1] ip address ppp-negotiate

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[RouterB] interface gigabitethernet 1/1/1

[RouterB-GigabitEthernet1/1/1] pppoe-client dial-bundle-number 1

[RouterB-GigabitEthernet1/1/1] quit

# Configure the PPPoE session to operate in diagnostic mode, and set the diagnostic interval to 200 seconds.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer diagnose interval 200

# Set the DDR auto-dial interval to 10 seconds.

[RouterB-Dialer1] dialer timer autodial 10

Verifying the configuration

# Display summary information about the PPPoE session established between Router B and Router A (PPPoE server).

[RouterB-Dialer1] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/1/1 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

1. Configure Router A as a PPPoE client:

# Enable bundle DDR on Dialer 1.

<RouterA> system-view

[RouterA] interface dialer 1

[RouterA-Dialer1] dialer bundle enable

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterA-Dialer1] ip address ppp-negotiate

# Configure the PPPoE session to operate in permanent mode.

[RouterA-Dialer1] dialer timer idle 0

# Configure the PAP username and password.

[RouterA-Dialer1] ppp pap local-user user1 password simple 123456

[RouterA-Dialer1] quit

# Configure a PPPoE session.

[RouterA] interface gigabitethernet 1/1/1

[RouterA-GigabitEthernet1/1/1] pppoe-client dial-bundle-number 1

[RouterA-GigabitEthernet1/1/1] quit

# Configure an IP address for the LAN interface.

[RouterA] interface gigabitethernet 1/1/2

[RouterA-GigabitEthernet1/1/2] ip address 192.168.1.1 255.255.255.0

[RouterA-GigabitEthernet1/1/2] quit

# Configure a default route.

[RouterA] ip route-static 0.0.0.0 0 dialer 1

If the hosts in the LAN use private addresses, configure NAT on Router A. For more information about NAT, see Layer 3—IP Services Configuration Guide.

2. Configure Router B as the PPPoE server:

# Configure Virtual-Template 1 to use PAP for authentication and use a PPP address pool to assign IP addresses.

<RouterB> system-view

[RouterB] interface virtual-template 1

[RouterB-Virtual-Template1] ppp authentication-mode pap domain system

[RouterB-Virtual-Template1] remote address pool 1

[RouterB-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterB-Virtual-Template1] quit

# Configure a local PPP address pool that contains nine assignable IP addresses.

[RouterB] ip pool 1 1.1.1.2 1.1.1.10

# Enable the PPPoE server on GigabitEthernet 1/1/1.

[RouterB] interface gigabitethernet 1/1/1

[RouterB-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[RouterB-GigabitEthernet1/1/1] quit

# Configure the default ISP domain (system) to use the RADIUS scheme for authentication, authorization, and accounting.

[RouterB] domain system

[RouterB-isp-system] authentication ppp radius-scheme cams

[RouterB-isp-system] authorization ppp radius-scheme cams

[RouterB-isp-system] accounting ppp radius-scheme cams

[RouterB-isp-system] quit

# Configure a RADIUS scheme, and assign an IP address and port number for the RADIUS server.

[RouterB] radius scheme cams

[RouterB-radius-cams] primary authentication 11.110.91.146 1812

[RouterB-radius-cams] primary accounting 11.110.91.146 1813

# Set the shared keys for secure communication with the RADIUS server to expert in plain text.

[RouterB-radius-cams] key authentication simple expert

[RouterB-radius-cams] key accounting simple expert

[RouterB-radius-cams] quit

3. Configure the RADIUS server:

# Configure the authentication and accounting passwords as expert.

# Add a PPPoE user with username user1 and password 123456.

For more information about RADIUS, see Security Configuration Guide.

Verifying the configuration

# Display summary information for the PPPoE session between Router A and Router B.

[RouterA] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/1/1 VA0 0001-0000-0001 00e0-1500-4100 SESSION

Host A, Host B, and Host C can thus access the Internet. For example, they can browse a web page through IE.

05-Layer 2 - WAN Access Configuration Guide

Configuring PPP and MP

IP address negotiation

DNS server address negotiation

IPv6 address assignment

IPv6 DNS server address assignment

Configuring PAP authentication

Configuring CHAP authentication

Configuring PPP negotiation

Configuring the PPP negotiation timeout time

Enabling IP segment match

Configuring DNS server IP address negotiation

Configuring PFC negotiation

Enabling IP header compression

Enabling PPP link quality monitoring

Configuring MP by using a VT interface

PPP and MP configuration examples

One-way PAP authentication configuration example

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

One-way CHAP authentication configuration example

Network requirements

Configuration procedure

IP address negotiation configuration examples

Specifying an IP address for the client on the server interface

Specifying a PPP address pool on the server interface

Using the PPP address pool associated with an ISP domain

MP binding mode configuration examples

Network requirements

Configuration procedure

Configuring PPPoE

Configuring a dialer interface for a PPPoE client

Displaying and maintaining PPPoE

PPPoE configuration examples

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

PPPoE client in permanent mode configuration example

Network requirements

Configuration procedure

Verifying the configuration

Verifying the configuration

Verifying the configuration

Verifying the configuration

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us