H3C CR16000-F Routers BRAS Campus Network Configuration Examples-R795x-6W100


H3C BRAS Campus Network

Configuration Examples


Copyright © 2020 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.


Contents

Introduction
Prerequisites
General restrictions and guidelines
Example: Configuring access-in and access-out separation in a BRAS campus network
    Network configuration
    Analysis
    Restrictions and guidelines
    Procedures
        Configuring the RADIUS server
        Configuring IP addresses and routes
        Configuring the DHCP server
        Configuring access-in BRAS A
        Configuring access-out BRAS B
        Configuring Switch A
        Configuring Switch B
        Configuring Switch C
    Verifying the configuration
    Configuration files
Example: Configuring IPoE common MAC authentication for dual-stack users
    Network configuration
    Analysis
    Restrictions and guidelines
    Procedures
        Configuring IP addresses and routes
        Configuring the DNS server
        Configuring the DHCP server
        Configuring the BRAS
        Configuring the RADIUS server
        Configuring the portal server
    Verifying the configuration
    Configuration files
Example: Configuring IPoE transparent MAC authentication for dual-stack users
    Network configuration
    Analysis
    Restrictions and guidelines
    Procedures
        Configuring IP addresses and routes
        Configuring the DNS server
        Configuring the DHCP server
        Configuring the BRAS
        Configuring the RADIUS server
        Configuring the portal server
    Verifying the configuration
    Configuration files
Example: Configuring multiple egress VPNs and ITA in a BRAS campus network (inline)
    Network configuration
    Analysis
    Restrictions and guidelines
    Procedures
        Configuring the RADIUS server
        Configuring MPLS L3VPN
        Configuring the DHCP server
        Configuring the BRAS
        Configuring Switch A
        Configuring Switch B
        Configuring Switch C
    Verifying the configuration
    Configuration files
Example: Configuring multiple egress VPNs and ITA in a BRAS campus network (hairpin)
    Network configuration
    Analysis
    Restrictions and guidelines
    Procedures
        Configuring the RADIUS server
        Configuring MPLS L3VPN
        Configuring the DHCP server
        Configuring the BRAS
        Configuring Switch A
        Configuring Switch B
        Configuring Switch C
    Verifying the configuration
    Configuration files
Example: Configuring multiple egress user groups in a BRAS campus network (remote authorization)
    Network configuration
    Requirements analysis
    Restrictions and guidelines
    Procedures
        Configuring the RADIUS server and portal server (applicable to only remote AAA authentication)
        Configuring the DNS servers
        Configuring IP addresses and routes
        Configuring the BRAS
        Configuring Router B (NAT device)
    Verifying the configuration
    Configuration files
Example: Configuring multi egress user groups in a BRAS campus network (local authorization)
    Network configuration
    Requirements analysis
    Restrictions and guidelines
    Procedure
        Configuring the RADIUS server and portal server (applicable to only remote AAA authentication)
        Configuring IP addresses and routes
        Configuring the BRAS
    Verifying the configuration
    Configuration files
Example: Configuring ITA in a BRAS campus network
    Network configuration
    Requirements analysis
    Restrictions and guidelines
    Procedures
        Configuring the RADIUS server and portal server
        Configuring IP addresses and routes
        Configuring the BRAS
    Verifying the configuration
    Configuration files
Example: Configuring IPv6 direct portal authentication
    Network configuration
    Requirements analysis
    Restrictions and guidelines
    Procedures
        Configuring the RADIUS server and portal server
        Configuring IPv4/IPv6 addresses and routes
        Configuring the BRAS
    Verifying the configuration
    Configuration files
Related documentation

 


Introduction

The following information provides Broadband Remote Access Server (BRAS) configuration examples in campus network applications.

Prerequisites

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of PPPoE, IPoE, portal, QoS, VLAN termination, and QinQ.

General restrictions and guidelines

The features in these examples are supported only when the devices operate in standard mode. For more information about the system operating mode, see device management configuration in Fundamentals Configuration Guide.

Only CSPEX (except CSPEX-1104-E)/CEPC cards support PPPoE, IPoE, and portal.

Only CSPEX (except CSPEX-1104-E)/CEPC cards support ITA, and ITA takes effect only on PPPoE, IPoE, and portal users. For different types of users, the number of traffic accounting levels is different, as shown in Table 1.

Table 1 Number of traffic accounting levels

Number of traffic accounting levels that can be configured, by ITA user type and card:

·     Portal users accessing through a VLAN interface: 7 on CSPEX-1204 cards; 7 on CSPEX (except CSPEX-1204 and CSPEX-1104-E) and CEPC cards.

·     Portal users accessing through a Layer 3 Ethernet interface/subinterface or Layer 3 aggregate interface/subinterface, IPoE users, and PPPoE users: 1 on CSPEX-1204 cards (only level 1 is supported in the current software version); 4 on CSPEX (except CSPEX-1204 and CSPEX-1104-E) and CEPC cards (only levels 1 through 4 are supported in the current software version).

The subinterface on an H3C BRAS can terminate VLANs 1 to 4094. To ensure proper BRAS operation, make sure the VLAN ID in a packet sent from a downstream device to a BRAS subinterface is in the range of 1 to 4094 when planning the network.

Example: Configuring access-in and access-out separation in a BRAS campus network

Network configuration

As shown in Figure 1, the dormitory area and office area of a campus network are directly attached to BRAS A. BRAS A acts as the access-in BRAS for users in the dormitory area and office area to access the campus network. BRAS B acts as the access-out BRAS for users in the campus network to access the Internet. Configure the BRAS campus network to meet the following requirements:

·     Users in both the dormitory area and office area use PPPoE authentication and use the dialup client in the operating systems.

·     A user cannot access the campus network or Internet before performing a PPPoE dialup.

·     After a user passes PPPoE dialup authentication, the user can access only the internal network with the rate limit of 50 Mbps. Accounting is not performed for the user accessing the internal network.

·     To access the Internet, a user must be authenticated again on BRAS B. After passing this authentication, the user can access the Internet; the second authentication is transparent to the user. The school provides three monthly Internet access plans at 20 Mbps, 50 Mbps, and 100 Mbps. In this example, suppose users A, B, and C select the 20 Mbps, 50 Mbps, and 100 Mbps plans, respectively.

Figure 1 Network diagram

 

Analysis

·     Because BRAS A has performed VLAN termination on users, BRAS B cannot identify users based on VLANs. Therefore, the QoS policy for Internet access must be deployed on BRAS A. Additionally, apply a QoS policy to the access interface on BRAS A to control the access speeds of users.

·     For users to be transparently authenticated on BRAS B when accessing the Internet, configure IPoE authentication on BRAS B to use user IP addresses as usernames to initiate authentication on the RADIUS server. The RADIUS server automatically associates the second authentication with the first authentication to implement transparent second authentication.

·     After IPoE access-out authentication is enabled on BRAS B, the attributes that IPoE reports to the RADIUS server carry the newly added private RADIUS attributes. After the RADIUS server receives user authentication requests with the private attribute, the RADIUS server parses the IP address in the username, and looks up the IP address in the access-in authentication data. If the IP address is found, the user is valid and allowed to access the Internet. Otherwise, the user is not allowed to access the Internet. For the RADIUS server, an IPoE user initiating unclassified-IP authentication must be a PPPoE user that has passed authentication on BRAS A. Therefore, you do not need to configure the username and password information for IPoE users on the RADIUS server.

·     To prevent BRAS B from maintaining sessions of idle users, which wastes resources, configure the idle-cut feature to automatically log out idle users.

·     To distinguish internal network traffic from Internet traffic, use one ACL (ACL 3000 in this example) to match the specific internal network traffic, and then use another ACL (ACL 3001 in this example) to match all remaining traffic, which is the Internet traffic.

·     When a PPPoE access user goes offline, the DHCP relay agent needs to look up the relay user address entry of the user. If the entry exists, the DHCP relay agent sends Release packets to the DHCP server to notify the DHCP server to release the user's address lease. For this purpose, execute the dhcp relay client-information record command to enable recording client information in relay entries.
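The access-out correlation that the RADIUS server performs in the second and third points above, as an added Python model that is not H3C or IMC code: it keeps the access-in data learned from BRAS A's accounting records, answers BRAS B's requests (IP address as username, no password) against that data, and shows why the Log off Duplicate Account and Max. Concurrent Logins settings from the restrictions section matter. The account table, the attribute name access-out standing in for the private RADIUS attribute, and the message handling are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed account table: PPPoE accounts and the Internet plan (kbps) each user chose.
ACCOUNTS = {
    "User1@isp1": {"password": "pass1", "plan_kbps": 20000},
    "User2@isp1": {"password": "pass2", "plan_kbps": 50000},
    "User3@isp1": {"password": "pass3", "plan_kbps": 100000},
}


@dataclass
class RadiusServer:
    max_concurrent_logins: int = 2           # IMC "Max. Concurrent Logins": must be >= 2
    log_off_duplicate_account: bool = False  # IMC "Log off Duplicate Account": must be Disable
    # Access-in data: Framed-IP-Address -> account, learned from BRAS A's accounting start.
    access_in: dict = field(default_factory=dict)
    # Access-out sessions accepted for BRAS B: IP address -> account.
    ipoe_sessions: dict = field(default_factory=dict)
    # Active logins per account (the PPPoE login on BRAS A plus the IPoE login on BRAS B).
    logins: dict = field(default_factory=dict)

    def _login(self, account):
        """Apply the duplicate-login settings. Returns False if the login is refused."""
        active = self.logins.get(account, 0)
        if active >= self.max_concurrent_logins:
            return False
        if active and self.log_off_duplicate_account:
            # Logging off the earlier login ends the PPPoE session on BRAS A, so the
            # access-in data for that account disappears: this is why IMC must not do it.
            self.access_in = {ip: a for ip, a in self.access_in.items() if a != account}
            active = 0
        self.logins[account] = active + 1
        return True

    def pppoe_access_request(self, username, password):
        """Access-in: BRAS A authenticates the dialup user by account and password."""
        acct = ACCOUNTS.get(username)
        if acct is None or acct["password"] != password:
            return "Access-Reject"
        return "Access-Accept" if self._login(username) else "Access-Reject"

    def pppoe_accounting_start(self, username, framed_ip):
        """BRAS A reports the address the user obtained; this becomes the access-in data."""
        self.access_in[framed_ip] = username

    def ipoe_access_out_request(self, username, attrs):
        """Access-out: BRAS B sends the user's IP address as the username together with
        the private access-out attribute (modelled here as attrs['access-out']).
        No password is involved: validity is decided by the access-in lookup alone."""
        if not attrs.get("access-out"):
            return "Access-Reject", None      # not an access-out request at all
        try:
            ip = str(ip_address(username))
        except ValueError:
            return "Access-Reject", None      # username is not an IP address
        account = self.access_in.get(ip)
        if account is None:
            return "Access-Reject", None      # IP never passed access-in authentication
        if not self._login(account):
            return "Access-Reject", None      # concurrent-login limit reached
        self.ipoe_sessions[ip] = account
        return "Access-Accept", ACCOUNTS[account]["plan_kbps"]

    def accounting_stop(self, username, access_type):
        """A BRAS reports a logout: access_type is 'pppoe' (BRAS A) or 'ipoe' (BRAS B,
        for example after idle-cut). Only the PPPoE logout removes the access-in data."""
        if access_type == "ipoe":
            account = self.ipoe_sessions.pop(username, username)
        else:
            account = username
            self.access_in = {ip: a for ip, a in self.access_in.items() if a != account}
        if self.logins.get(account, 0) > 0:
            self.logins[account] -= 1
```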

Restrictions and guidelines

·     As a best practice, use the H3C IMC server as the RADIUS server to cooperate with BRAS B to implement IPoE access-out authentication.

·     If authorization attributes (for example, address pool) are configured both on the RADIUS server and in an ISP domain, the attributes configured on the RADIUS server apply. If the idle-cut attribute is configured both on the RADIUS server and in an ISP domain, the configuration in the ISP domain on the BRAS applies. In this example, all the authorization attributes have been configured in ISP domains. In a live network, configure the RADIUS server to authorize attributes or configure attributes in ISP domains as needed.

·     Configure the usernames to carry ISP domain names on the IMC authentication server. If PPPoE access users and IPoE access users use different ISP domains, you must select both the PPPoE access ISP domain and IPoE access ISP domain for users on the IMC authentication server.

·     In this example, both PPPoE users and IPoE users use ISP domain isp1.

·     On the system parameters page in IMC, you must select Disable for Log off Duplicate Account.

·     Set the Max. Concurrent Logins parameter to be no smaller than 2.

Procedures

Configuring the RADIUS server

# Configure PPPoE access users on IMC. (Details not shown.)

Configuring IP addresses and routes

As shown in Figure 1, configure IP addresses for interfaces, and make sure the BRASs and servers can reach each other at Layer 3. (Details not shown.)

Configuring the DHCP server

# Enable DHCP.

<DHCP> system-view

[DHCP] dhcp enable

# Create DHCP address pool pool1, which is to be used by users passing PPPoE dialup authentication.

[DHCP] dhcp server ip-pool pool1

# Specify primary subnet 3.3.0.0/16 for dynamic allocation in the address pool. Specify gateway address 3.3.3.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool1] network 3.3.0.0 16

[DHCP-dhcp-pool-pool1] gateway-list 3.3.3.1

[DHCP-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 3.3.3.1 from dynamic allocation.

[DHCP-dhcp-pool-pool1] forbidden-ip 3.3.3.1

[DHCP-dhcp-pool-pool1] quit

# Configure the default route to the PPPoE server (BRAS A).

[DHCP] ip route-static 0.0.0.0 0 4.4.4.1

Configuring access-in BRAS A

Configuring a user group

# Create user group g1.

<BRASA> system-view

[BRASA] user-group g1

New user group added.

[BRASA-ugroup-g1] quit

Configuring a QoS policy to rate-limit the traffic to 50 Mbps but not perform accounting for internal network access traffic

This example uses user network segment 3.3.0.0/16 and server network segment 4.4.4.0/24 as the internal network segment.

# Configure ACL 3000.

[BRASA] acl advanced 3000

# Configure rules to match traffic between users and servers after users pass PPPoE dialup authentication.

[BRASA-acl-ipv4-adv-3000] rule 0 permit ip source 3.3.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g1

[BRASA-acl-ipv4-adv-3000] rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 3.3.0.0 0.0.255.255 user-group g1

# Configure a rule to match traffic between users after users pass PPPoE dialup authentication.

[BRASA-acl-ipv4-adv-3000] rule 20 permit ip source 3.3.0.0 0.0.255.255 destination 3.3.0.0 0.0.255.255 user-group g1

[BRASA-acl-ipv4-adv-3000] quit

 

 

NOTE:

Because an ACL has no default action (neither permit nor deny), traffic that does not match any rule in the ACL is simply not matched by the class that references it. Therefore, do not add a rule that denies all traffic (for example, rule 30 deny ip) after the last rule in ACL 3000. Otherwise, when the device executes QoS policy nei_waiwang_share, the class-behavior associations that follow the classifier 3000 behavior 3000 association cannot match any traffic.

 

# Configure class 3000 to match packets matching ACL 3000 and from authenticated users.

[BRASA] traffic classifier 3000 operator and

[BRASA-classifier-3000] if-match acl 3000

[BRASA-classifier-3000] if-match authenticated-user

[BRASA-classifier-3000] quit

# Configure behavior 3000 to count traffic in bytes and rate-limit the traffic to 50000 kbps.

[BRASA] traffic behavior 3000

[BRASA-behavior-3000] accounting byte

[BRASA-behavior-3000] car cir 50000

[BRASA-behavior-3000] quit

# Create QoS policy nei_waiwang_share and associate class 3000 with behavior 3000.

[BRASA] qos policy nei_waiwang_share

[BRASA-qospolicy-nei_waiwang_share] classifier 3000 behavior 3000

[BRASA-qospolicy-nei_waiwang_share] quit

Configuring a QoS policy to rate-limit and perform accounting for Internet access traffic

# Configure ACL 3001.

[BRASA] acl advanced 3001

# Configure a rule to match all packets.

[BRASA-acl-ipv4-adv-3001] rule 30 permit ip user-group g1

[BRASA-acl-ipv4-adv-3001] quit

# Configure class cl_user1 to match packets carrying CVLAN 11, matching ACL 3001, and from authenticated users.

[BRASA] traffic classifier cl_user1 operator and

[BRASA-classifier-cl_user1] if-match customer-vlan-id 11

[BRASA-classifier-cl_user1] if-match acl 3001

[BRASA-classifier-cl_user1] if-match authenticated-user

[BRASA-classifier-cl_user1] quit

# Configure class cl_user2 to match packets carrying CVLAN 12, matching ACL 3001, and from authenticated users.

[BRASA] traffic classifier cl_user2 operator and

[BRASA-classifier-cl_user2] if-match customer-vlan-id 12

[BRASA-classifier-cl_user2] if-match acl 3001

[BRASA-classifier-cl_user2] if-match authenticated-user

[BRASA-classifier-cl_user2] quit

# Configure class cl_user3 to match packets carrying CVLAN 13, matching ACL 3001, and from authenticated users.

[BRASA] traffic classifier cl_user3 operator and

[BRASA-classifier-cl_user3] if-match customer-vlan-id 13

[BRASA-classifier-cl_user3] if-match acl 3001

[BRASA-classifier-cl_user3] if-match authenticated-user

[BRASA-classifier-cl_user3] quit

# Configure class cl_user4 to match packets carrying CVLAN 14, matching ACL 3001, and from authenticated users.

[BRASA] traffic classifier cl_user4 operator and

[BRASA-classifier-cl_user4] if-match customer-vlan-id 14

[BRASA-classifier-cl_user4] if-match acl 3001

[BRASA-classifier-cl_user4] if-match authenticated-user

[BRASA-classifier-cl_user4] quit

# Configure behavior be_20M to count traffic in bytes and rate-limit the traffic to 20000 kbps.

[BRASA] traffic behavior be_20M

[BRASA-behavior-be_20M] accounting byte

[BRASA-behavior-be_20M] car cir 20000

[BRASA-behavior-be_20M] quit

# Configure behavior be_50M to count traffic in bytes and rate-limit the traffic to 50000 kbps.

[BRASA] traffic behavior be_50M

[BRASA-behavior-be_50M] accounting byte

[BRASA-behavior-be_50M] car cir 50000

[BRASA-behavior-be_50M] quit

# Configure behavior be_100M to count traffic in bytes and rate-limit the traffic to 100000 kbps.

[BRASA] traffic behavior be_100M

[BRASA-behavior-be_100M] accounting byte

[BRASA-behavior-be_100M] car cir 100000

[BRASA-behavior-be_100M] quit

# Associate classes with behaviors in QoS policy nei_waiwang_share.

[BRASA] qos policy nei_waiwang_share

[BRASA-qospolicy-nei_waiwang_share] classifier cl_user1 behavior be_20M

[BRASA-qospolicy-nei_waiwang_share] classifier cl_user2 behavior be_50M

[BRASA-qospolicy-nei_waiwang_share] classifier cl_user3 behavior be_50M

[BRASA-qospolicy-nei_waiwang_share] classifier cl_user4 behavior be_100M

[BRASA-qospolicy-nei_waiwang_share] quit
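To check which behavior the policy selects for a given flow before applying it to the interface, here is an added Python model of the classification configured above (not H3C code): it evaluates the class-behavior associations in the order they appear in nei_waiwang_share and returns the first match. It assumes that the first matching class wins, which is what placing class 3000 ahead of the per-CVLAN classes relies on, and that the users belong to user group g1; the sample flows are constructed.

```python
from ipaddress import ip_address, ip_network

# Internal network as defined for this example: user segment and server segment.
USER_NET = ip_network("3.3.0.0/16")
SERVER_NET = ip_network("4.4.4.0/24")


def acl_3000(src, dst, group):
    """ACL 3000: internal traffic of user group g1 (user<->server and user<->user)."""
    if group != "g1":
        return False
    s, d = ip_address(src), ip_address(dst)
    return ((s in USER_NET and d in SERVER_NET)      # rule 0
            or (s in SERVER_NET and d in USER_NET)   # rule 10
            or (s in USER_NET and d in USER_NET))    # rule 20


def acl_3001(src, dst, group):
    """ACL 3001: any remaining traffic of user group g1 (rule 30 permit ip user-group g1)."""
    return group == "g1"


# Behaviors as configured: each counts bytes and applies a CAR with this cir in kbps.
BEHAVIORS = {
    "3000": 50000,
    "be_20M": 20000,
    "be_50M": 50000,
    "be_100M": 100000,
}

# Class-behavior associations in the order they appear in policy nei_waiwang_share:
# (class, CVLAN the class matches or None, ACL the class references, behavior).
POLICY = [
    ("3000", None, acl_3000, "3000"),
    ("cl_user1", 11, acl_3001, "be_20M"),
    ("cl_user2", 12, acl_3001, "be_50M"),
    ("cl_user3", 13, acl_3001, "be_50M"),
    ("cl_user4", 14, acl_3001, "be_100M"),
]


def flow(src, dst, cvlan, group="g1", authenticated=True):
    """Build a constructed flow description for classify()."""
    return {"src": src, "dst": dst, "cvlan": cvlan, "group": group,
            "authenticated": authenticated}


def classify(f):
    """Return (class, behavior, cir_kbps) for the first class the flow matches, or None."""
    if not f["authenticated"]:             # every class carries if-match authenticated-user
        return None
    for cls, cvlan, acl, behavior in POLICY:
        if cvlan is not None and f["cvlan"] != cvlan:
            continue                       # if-match customer-vlan-id
        if not acl(f["src"], f["dst"], f["group"]):
            continue                       # if-match acl
        return cls, behavior, BEHAVIORS[behavior]
    return None                            # no class matches: the policy leaves the flow alone
```

Internal traffic hits class 3000 regardless of CVLAN, Internet traffic falls through to the per-CVLAN plan, and unauthenticated traffic or a CVLAN outside 11 to 14 matches nothing.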

Applying the QoS policy

# Enter the view of interface GigabitEthernet 3/1/1.1.

[BRASA] interface gigabitethernet 3/1/1.1

# Apply QoS policy nei_waiwang_share to the interface.

[BRASA-GigabitEthernet3/1/1.1] qos apply policy nei_waiwang_share inbound

[BRASA-GigabitEthernet3/1/1.1] qos apply policy nei_waiwang_share outbound

[BRASA-GigabitEthernet3/1/1.1] quit

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

[BRASA] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[BRASA-radius-rs1] primary authentication 4.4.4.3

[BRASA-radius-rs1] primary accounting 4.4.4.3

[BRASA-radius-rs1] key authentication simple 123456

[BRASA-radius-rs1] key accounting simple 123456

# Enable accounting-on for RADIUS scheme rs1.

[BRASA-radius-rs1] accounting-on enable

[BRASA-radius-rs1] quit

# Specify the DAC as 4.4.4.3. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

[BRASA] radius dynamic-author server

[BRASA-radius-da-server] client ip 4.4.4.3 key simple 123456

[BRASA-radius-da-server] quit

Configuring the DHCP relay agent

# Enable DHCP.

[BRASA] dhcp enable

# Enable recording client information in relay entries.

[BRASA] dhcp relay client-information record

# Enter the view of interface GigabitEthernet 3/1/1.1.

[BRASA] interface gigabitethernet 3/1/1.1

# Enable the DHCPv4 relay agent on the interface.

[BRASA-GigabitEthernet3/1/1.1] dhcp select relay proxy

[BRASA-GigabitEthernet3/1/1.1] quit

# Create DHCP relay address pool pool1, and specify gateway addresses and the DHCP server for the address pool.

[BRASA] dhcp server ip-pool pool1

[BRASA-dhcp-pool-pool1] gateway-list 3.3.3.1 export-route

[BRASA-dhcp-pool-pool1] remote-server 4.4.4.5

[BRASA-dhcp-pool-pool1] quit

Configuring an ISP domain

# Create ISP domain isp1, and enter its view.

[BRASA] domain name isp1

# Configure PPP users to use RADIUS scheme rs1 for authentication, authorization, and accounting.

[BRASA-isp-isp1] authentication ppp radius-scheme rs1

[BRASA-isp-isp1] authorization ppp radius-scheme rs1

[BRASA-isp-isp1] accounting ppp radius-scheme rs1

# Specify IPv4 address pool pool1 as the authorization IPv4 address pool and user group g1 as the authorization user group for users in ISP domain isp1.

[BRASA-isp-isp1] authorization-attribute ip-pool pool1

[BRASA-isp-isp1] authorization-attribute user-group g1

[BRASA-isp-isp1] quit

Configuring a Virtual-Template interface

# Create interface Virtual-Template 1, and enable PPP accounting and CHAP authentication on the interface.

[BRASA] interface virtual-template 1

[BRASA-Virtual-Template1] ppp account-statistics enable

[BRASA-Virtual-Template1] ppp authentication-mode chap domain isp1

[BRASA-Virtual-Template1] quit

Configuring VLAN termination

# Configure VLAN termination on GigabitEthernet 3/1/1.1, and bind the interface to Virtual-Template 1.

[BRASA] interface gigabitethernet 3/1/1.1

[BRASA-GigabitEthernet3/1/1.1] vlan-type dot1q vid 101 second-dot1q 11 to 14

[BRASA-GigabitEthernet3/1/1.1] pppoe-server bind virtual-template 1

Configuring access-out BRAS B

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

[BRASB] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[BRASB-radius-rs1] primary authentication 4.4.4.3

[BRASB-radius-rs1] primary accounting 4.4.4.3

[BRASB-radius-rs1] key authentication simple 123456

[BRASB-radius-rs1] key accounting simple 123456

# Enable accounting-on for RADIUS scheme rs1.

[BRASB-radius-rs1] accounting-on enable

[BRASB-radius-rs1] quit

# Specify the DAC as 4.4.4.3. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

[BRASB] radius dynamic-author server

[BRASB-radius-da-server] client ip 4.4.4.3 key simple 123456

[BRASB-radius-da-server] quit

Configuring the authentication domain for IPoE

# Create ISP domain isp1, and enter its view.

[BRASB] domain name isp1

# Configure IPoE users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRASB-isp-isp1] authentication ipoe radius-scheme rs1

[BRASB-isp-isp1] authorization ipoe radius-scheme rs1

[BRASB-isp-isp1] accounting ipoe radius-scheme rs1

# Configure idle cut in the ISP domain: a user that generates less than 10240 bytes of traffic within the idle timeout period of 30 minutes is logged out.

[BRASB-isp-isp1] authorization-attribute idle-cut 30 10240

[BRASB-isp-isp1] quit

Configuring IPoE authentication

# Enter the view of interface GigabitEthernet 3/1/1.

[BRASB] interface gigabitethernet 3/1/1

# Enable IPoE and configure the Layer 3 access mode.

[BRASB-GigabitEthernet3/1/1] ip address 5.5.5.2 24

[BRASB-GigabitEthernet3/1/1] ip subscriber routed enable

# Enable unclassified-IP packet initiation.

[BRASB-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ip enable

# Configure ISP domain isp1 for IPv4 unclassified-IP users.

[BRASB-GigabitEthernet3/1/1] ip subscriber unclassified-ip domain isp1

# Enable IPoE access-out authentication for IPv4 users.

[BRASB-GigabitEthernet3/1/1] ip subscriber access-out

[BRASB-GigabitEthernet3/1/1] quit

Configuring Switch A

# Create SVLAN 101.

<SwitchA> system-view

[SwitchA] vlan 101

[SwitchA-vlan101] quit

# Configure GigabitEthernet 3/0/1 as a hybrid port and assign it to SVLAN 101 as a tagged member.

[SwitchA] interface gigabitethernet 3/0/1

[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

[SwitchA-GigabitEthernet3/0/1] port hybrid vlan 101 tagged

[SwitchA-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 as trunk ports and assign them to SVLAN 101.

[SwitchA] interface range gigabitethernet 3/0/2 to gigabitethernet 3/0/3

[SwitchA-if-range] port link-type trunk

[SwitchA-if-range] port trunk permit vlan 101

# Configure SVLAN 101 as the PVID for GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 and enable QinQ on them.

[SwitchA-if-range] port trunk pvid vlan 101

[SwitchA-if-range] qinq enable

[SwitchA-if-range] quit

Configuring Switch B

# Create VLANs 11 and 12.

[SwitchB] vlan 11 to 12

# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLANs 11 and 12.

[SwitchB] interface gigabitethernet 3/0/1

[SwitchB-GigabitEthernet3/0/1] port link-type trunk

[SwitchB-GigabitEthernet3/0/1] port trunk permit vlan 11 12

[SwitchB-GigabitEthernet3/0/1] quit

# Assign GigabitEthernet 3/0/2 to VLAN 11.

[SwitchB] interface gigabitethernet 3/0/2

[SwitchB-GigabitEthernet3/0/2] port access vlan 11

[SwitchB-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 12.

[SwitchB] interface gigabitethernet 3/0/3

[SwitchB-GigabitEthernet3/0/3] port access vlan 12

[SwitchB-GigabitEthernet3/0/3] quit

Configuring Switch C

# Create VLANs 13 and 14.

[SwitchC] vlan 13 to 14

# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLANs 13 and 14.

[SwitchC] interface gigabitethernet 3/0/1

[SwitchC-GigabitEthernet3/0/1] port link-type trunk

[SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 13 14

[SwitchC-GigabitEthernet3/0/1] quit

# Assign GigabitEthernet 3/0/2 to VLAN 13.

[SwitchC] interface gigabitethernet 3/0/2

[SwitchC-GigabitEthernet3/0/2] port access vlan 13

[SwitchC-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 14.

[SwitchC] interface gigabitethernet 3/0/3

[SwitchC-GigabitEthernet3/0/3] port access vlan 14

[SwitchC-GigabitEthernet3/0/3] quit

Verifying the configuration

# Use Host A as an example. Install the PPPoE client software on the host, and use username User1@isp1 and password pass1 to dial to BRAS A.

# Execute the display dhcp relay client-information command to view the relay entries on the relay agent.

[BRASA] display dhcp relay client-information

Total number of client-information items: 1

Total number of dynamic items: 1

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

3.3.3.2          e839-3563-fb21   Dynamic     BAS0                 N/A

The output shows that Host A has obtained an IP address.

# View detailed information about user User1@isp1.

[BRASA] display ppp access-user username User1@isp1 verbose

Basic:

  Interface: BAS0

  PPP index: 0x140000105

  User ID: 0x20000001

  Username: User1@isp1                //Username used for PPPoE dialup

  Domain: isp1                        //ISP domain to which the dialup user belongs

  Access interface:  GE3/1/1.1         //Access interface of the dialup user

  Service-VLAN/Customer-VLAN:  101/11  //SVLAN and CVLAN encapsulated in packets of the dialup user

  VXLAN ID: -

  MAC address:  e839-3563-fb21         //Host MAC address of the dialup user

  IP address:  3.3.3.2                 //IP address assigned to the user by the DHCP server

  Primary DNS server: 8.8.8.8

  IPv6 address: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  User address type: N/A

  VPN instance: -

  Access type:  PPPoE                 //Access type of the user

  Authentication type:  CHAP          //Authentication type of the access user

 

PPPoE:

  Session ID: 1

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Open

  Realtime accounting interval: 900s

  Login time: 2014-11-6  8:31:31:725

  Accounting start time: 2014-11-6  8:31:32:275

  Online time(hh:mm:ss): 0:3:46

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 sec  0 byte, direction: Both

  Session timeout: -

  Time remained: -

  Traffic quota: -

  Traffic remained: -

  Redirect WebURL: -

  ITA policy name: -

  MRU: 1480 bytes

  IPv4 MTU: 1480 bytes

  IPv6 MTU: 1480 bytes

  Subscriber ID: -

 

ACL&QoS:

  User profile: -

  Session group profile: -

  User group acl: g1 (active)

  Inbound CAR: -

  Outbound CAR: -

  User inbound priority: -

  User outbound priority: -

 

Flow Statistic:

  IPv4 uplink   packets/bytes: 508/53292

  IPv4 downlink packets/bytes: 285/26198

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

The output shows that Host A has successfully dialed to BRAS A and obtained IP address 3.3.3.2 dynamically.

# After the user passes authentication, execute the display ip subscriber session command on BRAS B to view the corresponding IPoE user information.

[BRASB] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP   N-NDRS

Interface            IP address                MAC address    Type  State

                     IPv6 address              SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1              3.3.3.2                   e839-3563-fb21 U/-   Online

                     -                         -/-            -

                     3.3.3.2

The output shows that the user has passed IPoE access-out authentication on BRAS B.

Configuration files

·     DHCP server:

#

 dhcp enable

#

dhcp server ip-pool pool1

 network 3.3.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 3.3.3.1

 gateway-list 3.3.3.1

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 4.4.4.5 255.255.255.0

#

ip route-static 0.0.0.0 0 4.4.4.1

#

·     BRAS A:

#

dhcp enable

dhcp relay client-information record

#

traffic classifier 3000 operator and

 if-match acl 3000

 if-match authenticated-user

#

traffic classifier cl_user1 operator and

 if-match customer-vlan-id 11

 if-match acl 3001

 if-match authenticated-user

#

traffic classifier cl_user2 operator and

 if-match customer-vlan-id 12

 if-match acl 3001

 if-match authenticated-user

#

traffic classifier cl_user3 operator and

 if-match customer-vlan-id 13

 if-match acl 3001

 if-match authenticated-user

#

traffic classifier cl_user4 operator and

 if-match customer-vlan-id 14

 if-match acl 3001

 if-match authenticated-user

#

traffic behavior 3000

 accounting byte

 car cir 50000 cbs 3125000 ebs 0 green pass red discard yellow pass

#

traffic behavior be_100M

 accounting byte

 car cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass

#

traffic behavior be_20M

 accounting byte

 car cir 20000 cbs 1250000 ebs 0 green pass red discard yellow pass

#

traffic behavior be_50M

 accounting byte

 car cir 50000 cbs 3125000 ebs 0 green pass red discard yellow pass

#

qos policy nei_waiwang_share

 classifier 3000 behavior 3000

 classifier cl_user1 behavior be_20M

 classifier cl_user2 behavior be_50M

 classifier cl_user3 behavior be_50M

 classifier cl_user4 behavior be_100M

#

dhcp server ip-pool pool1

 gateway-list 3.3.3.1 export-route

 remote-server 4.4.4.5

#

interface Virtual-Template1

 ppp authentication-mode chap

 ppp account-statistics enable

#

interface GigabitEthernet3/1/1

 port link-mode route

#

interface GigabitEthernet3/1/1.1

 qos apply policy nei_waiwang_share inbound

 qos apply policy nei_waiwang_share outbound

 vlan-type dot1q vid 101 second-dot1q 11 to 14

 pppoe-server bind virtual-template 1

#

interface GigabitEthernet3/1/2

 port link-mode route

 ip address 5.5.5.1 255.255.255.0

#

interface GigabitEthernet3/1/3

 port link-mode route

 ip address 4.4.4.1 255.255.255.0

#

acl advanced 3000

 rule 0 permit ip source 3.3.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g1

 rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 3.3.0.0 0.0.255.255 user-group g1

 rule 20 permit ip source 3.3.0.0 0.0.255.255 destination 3.3.0.0 0.0.255.255 user-group g1

#

acl advanced 3001

 rule 30 permit ip user-group g1

#

radius scheme rs1

 primary authentication 4.4.4.3

 primary accounting 4.4.4.3

 accounting-on enable

 key authentication cipher $c$3$XqHhm+QZo4fEaQkP+ltqssWYq0o4hhJp/g==

 key accounting cipher $c$3$ahutaD/6BL3qG0F5fyjBc8qI0vmptwNsmw==

#

radius dynamic-author server

 client ip 4.4.4.3 key cipher $c$3$Td30doCnLkhF7bhiYp4bk9DU96+XBStLkA==

#

domain name isp1

 authorization-attribute user-group g1

 authorization-attribute ip-pool pool1

 authentication ppp radius-scheme rs1

 authorization ppp radius-scheme rs1

 accounting ppp radius-scheme rs1

#

user-group g1

#

·     BRAS B:

#

interface GigabitEthernet3/1/1

 port link-mode route

 ip address 5.5.5.2 255.255.255.0

 ip subscriber routed enable

 ip subscriber initiator unclassified-ip enable

 ip subscriber unclassified-ip domain isp1

 ip subscriber access-out

#

interface GigabitEthernet3/1/2

 port link-mode route

 ip address 6.6.6.1 255.255.255.0

#

interface GigabitEthernet3/1/3

 port link-mode route

 ip address 4.4.4.2 255.255.255.0

#

radius scheme rs1

 primary authentication 4.4.4.3

 primary accounting 4.4.4.3

 accounting-on enable

 key authentication cipher $c$3$DjpIVXm7T/Agf8WLNpF11mEYtx7lb2m51w==

 key accounting cipher $c$3$4/FLMIce3DXgzHnY/oNl8SITZPze34E+cQ==

#

radius dynamic-author server

 client ip 4.4.4.3 key cipher $c$3$Td30doCnLkhF7bhiYp4bk9DU96+XBStLkA==

#

domain name isp1

 authorization-attribute idle-cut 30 10240

 authentication ipoe radius-scheme rs1

 authorization ipoe radius-scheme rs1

 accounting ipoe radius-scheme rs1

#

·     Switch A:

#

vlan 101

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type hybrid

 port hybrid vlan 101 tagged

 port hybrid vlan 1 untagged

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 101

 port trunk pvid vlan 101

 qinq enable

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 101

 port trunk pvid vlan 101

 qinq enable

#

·     Switch B:

#

vlan 11 to 12

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 11 12

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port access vlan 11

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 12

#

·     Switch C:

#

vlan 13 to 14

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 13 14

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port access vlan 13

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 14

#

Example: Configuring IPoE common MAC authentication for dual-stack users

Network configuration

As shown in Figure 2:

·     The host accesses the BRAS as a DHCP client through a Layer 2 device and obtains configuration information from the DHCP server through the BRAS.

·     The BRAS performs AAA for the host through the RADIUS server.

·     A server installed with H3C IMC acts as the RADIUS server, portal authentication server, and the portal Web server.

·     The FTP server is an internal network server.

·     Limit the access rate to 5 Mbps for the user after passing Web authentication.

Figure 2 Network diagram

Analysis

To meet bandwidth requirements of users, this example authorizes user profiles for rate limiting.

To improve the forwarding efficiency, classify the traffic in the IPoE preauthentication domain into HTTP traffic, HTTPS traffic, and common IP packets and assign them to different queues. Configure three class-behavior associations to process the traffic to be sent to the CPU:

·     Configure a class to match HTTP traffic from the user group created in the preauthentication domain, and associate the class with a behavior containing the redirect http-to-cpu action.

·     Configure a class to match HTTPS traffic from the user group created in the preauthentication domain, and associate the class with a behavior containing the redirect https-to-cpu action.

·     Configure a class to match IP traffic from the user group created in the preauthentication domain, and associate the class with a behavior containing the redirect cpu action.

When a BRAS access user goes offline, the DHCP relay agent queries the relay user address entry for that user. If the entry exists, the relay agent sends a Release packet to the DHCP server so that the server releases the user's address lease. For this purpose, execute the dhcp relay client-information record command to enable recording client information in relay entries.

Restrictions and guidelines

The DHCP server in this example is simulated by a device. As a best practice, use a dedicated DHCP server in actual applications.

By default, the HTTPS redirect listening port number is not configured. To configure the HTTPS port number, execute the http-redirect https-port command. Make sure the listening port number does not conflict with existing port numbers.

Procedures

Configuring IP addresses and routes

As shown in Figure 2, configure IP addresses for interfaces, and make sure the BRAS and servers can reach each other at Layer 3.

Configuring the DNS server

Configure the DNS server so that it resolves the Web authentication page URL http://www.h3c.web.com to an IPv4 or an IPv6 address according to which protocol stack of the IPoE dual-stack user comes online first. (Details not shown.)

Configuring the DHCP server

Configuring a DHCPv4 address pool

# Enable DHCP.

<DHCP> system-view

[DHCP] dhcp enable

# Create a DHCPv4 address pool named pool1 and enter its view.

[DHCP] dhcp server ip-pool pool1

# Specify primary subnet 192.168.0.0/24 for dynamic allocation in address pool pool1.

[DHCP-dhcp-pool-pool1] network 192.168.0.0 24

# Specify gateway address 192.168.0.1 in address pool pool1.

[DHCP-dhcp-pool-pool1] gateway-list 192.168.0.1

# Exclude DHCP address 192.168.0.1 from dynamic allocation in address pool pool1.

[DHCP-dhcp-pool-pool1] forbidden-dhcp 192.168.0.1

[DHCP-dhcp-pool-pool1] quit

# Configure a static route to specify the next hop of DHCPv4 replies destined to network segment 192.168.0.0 as the IP address of the interface connected to the DHCPv4 client, 4.4.4.2.

[DHCP] ip route-static 192.168.0.0 24 4.4.4.2

Configuring a DHCPv6 address pool

# Create a DHCPv6 address pool named pool2 and enter its view.

[DHCP] ipv6 dhcp pool pool2

# Specify primary subnet 192::0/64 for dynamic allocation in address pool pool2.

[DHCP-dhcpv6-pool-pool2] network 192::0/64

[DHCP-dhcpv6-pool-pool2] quit

# Exclude IP address 192::1 from dynamic allocation in address pool pool2.

[DHCP] ipv6 dhcp server forbidden-address 192::1

# Enable the DHCPv6 server on GigabitEthernet 3/1/1.

[DHCP] interface gigabitethernet 3/1/1

[DHCP-GigabitEthernet3/1/1] ipv6 dhcp select server

[DHCP-GigabitEthernet3/1/1] quit

# Configure a static route to specify the next hop of DHCPv6 replies destined to network segment 192::0 as the IP address of the interface connected to the DHCPv6 client, 4::2.

[DHCP] ipv6 route-static 192::0 64 4::2

Configuring the BRAS

Configuring the DHCP relay agent

# Enable DHCP.

[BRAS] dhcp enable

# Enable recording client information in relay entries.

[BRAS] dhcp relay client-information record

# Disable the DHCP relay agent from periodically refreshing dynamic relay entries.

[BRAS] undo dhcp relay client-information refresh enable

# Create a DHCP relay address pool named pool1.

[BRAS] dhcp server ip-pool pool1

# Specify the gateway address in address pool pool1.

[BRAS-dhcp-pool-pool1] gateway-list 192.168.0.1 24 export-route

# Specify DHCP server 4.4.4.3 in address pool pool1.

[BRAS-dhcp-pool-pool1] remote-server 4.4.4.3

[BRAS-dhcp-pool-pool1] quit

# Create a DHCP relay address pool named pool2.

[BRAS] ipv6 dhcp pool pool2

# Specify gateway address 192::1 in address pool pool2.

[BRAS-dhcpv6-pool-pool2] gateway-list 192::1

# Specify DHCP server 4::3 in DHCP relay address pool pool2.

[BRAS-dhcpv6-pool-pool2] remote-server 4::3

[BRAS-dhcpv6-pool-pool2] quit

# Enable the DHCPv4 relay agent on GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] dhcp select relay proxy

# Automatically generate a link-local address for GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ipv6 address auto link-local

# Enable the DHCPv6 relay agent on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ipv6 dhcp select relay

# Enable recording client information in DHCPv6 relay entries.

[BRAS-GigabitEthernet3/1/2] ipv6 dhcp relay client-information record

# Enable IPv6 release notification.

[BRAS-GigabitEthernet3/1/2] ipv6 dhcp relay release-agent

# Disable RA message suppression on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA messages to be sent, so that the host uses a DHCPv6 server to obtain IPv6 addresses.

[BRAS-GigabitEthernet3/1/2] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA messages to be sent, so that the host uses a DHCPv6 server to obtain configuration information other than IPv6 addresses.

[BRAS-GigabitEthernet3/1/2] ipv6 nd autoconfig other-flag

# Disable GigabitEthernet 3/1/2 from advertising prefix 192::/64 in RA messages, so that the endpoint does not obtain a temporary IPv6 address. In an IPv6 network, an endpoint might use a temporary IPv6 address for IPoE Web authentication, which causes authentication to fail.

[BRAS-GigabitEthernet3/1/2] ipv6 nd ra prefix 192::/64 no-advertise

[BRAS-GigabitEthernet3/1/2] quit

Configuring the portal servers

# Configure the IP address of the IPv4 portal authentication server newpt1 as 4.4.4.5 and the plaintext key 123456.

[BRAS] portal server newpt1

[BRAS-portal-server-newpt1] ip 4.4.4.5 key simple 123456

[BRAS-portal-server-newpt1] quit

# Configure the IPv6 address of the IPv6 portal authentication server newpt2 as 4::5 and the plaintext key 123456.

[BRAS] portal server newpt2

[BRAS-portal-server-newpt2] ipv6 4::5 key simple 123456

[BRAS-portal-server-newpt2] quit

Specifying the HTTPS redirect listening port number

# Specify 11111 as the HTTPS redirect listening port number.

[BRAS] http-redirect https-port 11111

Creating a local user group

# Create a local user group named web.

[BRAS] user-group web

New user group added.

[BRAS-ugroup-web] quit

Configuring QoS

1.     Configure ACLs for preauthentication:

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named web_permit. In each, configure a rule that permits all packets from users in user group web destined for the portal server.

[BRAS] acl advanced name web_permit

[BRAS-acl-ipv4-adv-web_permit] rule 0 permit ip destination 4.4.4.5 0 user-group web

[BRAS-acl-ipv4-adv-web_permit] quit

[BRAS] acl ipv6 advanced name web_permit

[BRAS-acl-ipv6-adv-web_permit] rule 0 permit ipv6 destination 4::5 128 user-group web

[BRAS-acl-ipv6-adv-web_permit] quit

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named neiwang. In each, configure a rule that permits all packets from users in user group web destined for the internal network server.

[BRAS] acl advanced name neiwang

[BRAS-acl-ipv4-adv-neiwang] rule 0 permit ip destination 4.4.4.1 0 user-group web

[BRAS-acl-ipv4-adv-neiwang] quit

[BRAS] acl ipv6 advanced name neiwang

[BRAS-acl-ipv6-adv-neiwang] rule 0 permit ipv6 destination 4::1 128 user-group web

[BRAS-acl-ipv6-adv-neiwang] quit

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named web_http. In each, configure a rule that permits TCP packets with destination port 80 (HTTP packets) from users in user group web.

[BRAS] acl advanced name web_http

[BRAS-acl-ipv4-adv-web_http] rule 0 permit tcp destination-port eq www user-group web

[BRAS-acl-ipv4-adv-web_http] quit

[BRAS] acl ipv6 advanced name web_http

[BRAS-acl-ipv6-adv-web_http] rule 0 permit tcp destination-port eq www user-group web

[BRAS-acl-ipv6-adv-web_http] quit

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named web_https. In each, configure a rule that permits TCP packets with destination port 443 (HTTPS packets) from users in user group web.

[BRAS] acl advanced name web_https

[BRAS-acl-ipv4-adv-web_https] rule 0 permit tcp destination-port eq 443 user-group web

[BRAS-acl-ipv4-adv-web_https] quit

[BRAS] acl ipv6 advanced name web_https

[BRAS-acl-ipv6-adv-web_https] rule 0 permit tcp destination-port eq 443 user-group web

[BRAS-acl-ipv6-adv-web_https] quit

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named ip. In each, configure a rule that permits all IP packets from users in user group web.

[BRAS] acl advanced name ip

[BRAS-acl-ipv4-adv-ip] rule 0 permit ip user-group web

[BRAS-acl-ipv4-adv-ip] quit

[BRAS] acl ipv6 advanced name ip

[BRAS-acl-ipv6-adv-ip] rule 0 permit ipv6 user-group web

[BRAS-acl-ipv6-adv-ip] quit

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named neiwang_out. In each, configure a rule that permits IP packets from the internal network server to users in user group web.

[BRAS] acl advanced name neiwang_out

[BRAS-acl-ipv4-adv-neiwang_out] rule 0 permit ip source 4.4.4.1 0 user-group web

[BRAS-acl-ipv4-adv-neiwang_out] quit

[BRAS] acl ipv6 advanced name neiwang_out

[BRAS-acl-ipv6-adv-neiwang_out] rule 0 permit ipv6 source 4::1 128 user-group web

[BRAS-acl-ipv6-adv-neiwang_out] quit

# Create an IPv4 advanced ACL and an IPv6 advanced ACL, both named web_out. In each, configure a rule that permits IP packets from the portal server to users in user group web.

[BRAS] acl advanced name web_out

[BRAS-acl-ipv4-adv-web_out] rule 0 permit ip source 4.4.4.5 0 user-group web

[BRAS-acl-ipv4-adv-web_out] quit

[BRAS] acl ipv6 advanced name web_out

[BRAS-acl-ipv6-adv-web_out] rule 0 permit ipv6 source 4::5 128 user-group web

[BRAS-acl-ipv6-adv-web_out] quit

2.     Configure QoS traffic classes for preauthentication users:

# Create the traffic class web_permit and specify ACL web_permit as the match criterion.

[BRAS] traffic classifier web_permit operator or

[BRAS-classifier-web_permit] if-match acl name web_permit

[BRAS-classifier-web_permit] if-match acl ipv6 name web_permit

[BRAS-classifier-web_permit] quit

# Create the traffic class neiwang and specify ACL neiwang as the match criterion.

[BRAS] traffic classifier neiwang operator or

[BRAS-classifier-neiwang] if-match acl name neiwang

[BRAS-classifier-neiwang] if-match acl ipv6 name neiwang

[BRAS-classifier-neiwang] quit

# Create the traffic class web_http and specify ACL web_http as the match criterion.

[BRAS] traffic classifier web_http operator or

[BRAS-classifier-web_http] if-match acl name web_http

[BRAS-classifier-web_http] if-match acl ipv6 name web_http

[BRAS-classifier-web_http] quit

# Create the traffic class web_https and specify ACL web_https as the match criterion.

[BRAS] traffic classifier web_https operator or

[BRAS-classifier-web_https] if-match acl name web_https

[BRAS-classifier-web_https] if-match acl ipv6 name web_https

[BRAS-classifier-web_https] quit

# Create the traffic class web_deny and specify ACL ip as the match criterion.

[BRAS] traffic classifier web_deny operator or

[BRAS-classifier-web_deny] if-match acl name ip

[BRAS-classifier-web_deny] if-match acl ipv6 name ip

[BRAS-classifier-web_deny] quit

# Create the traffic class neiwang_out and specify ACL neiwang_out as the match criterion.

[BRAS] traffic classifier neiwang_out operator or

[BRAS-classifier-neiwang_out] if-match acl name neiwang_out

[BRAS-classifier-neiwang_out] if-match acl ipv6 name neiwang_out

[BRAS-classifier-neiwang_out] quit

# Create the traffic class web_out and specify ACL web_out as the match criterion.

[BRAS] traffic classifier web_out operator or

[BRAS-classifier-web_out] if-match acl name web_out

[BRAS-classifier-web_out] if-match acl ipv6 name web_out

[BRAS-classifier-web_out] quit

3.     Configure QoS traffic behaviors:

# Configure the traffic behavior web_permit to permit traffic to pass through without rate limiting or accounting.

[BRAS] traffic behavior web_permit

[BRAS-behavior-web_permit] filter permit

[BRAS-behavior-web_permit] free account

[BRAS-behavior-web_permit] quit

# Configure the traffic behavior neiwang to permit traffic to pass through.

[BRAS] traffic behavior neiwang

[BRAS-behavior-neiwang] filter permit

[BRAS-behavior-neiwang] quit

# Configure the traffic behavior web_http to redirect HTTP packets to the CPU.

[BRAS] traffic behavior web_http

[BRAS-behavior-web_http] redirect http-to-cpu

[BRAS-behavior-web_http] quit

# Configure the traffic behavior web_https to redirect HTTPS packets to the CPU.

[BRAS] traffic behavior web_https

[BRAS-behavior-web_https] redirect https-to-cpu

[BRAS-behavior-web_https] quit

# Configure the traffic behavior web_deny to deny traffic.

[BRAS] traffic behavior web_deny

[BRAS-behavior-web_deny] filter deny

[BRAS-behavior-web_deny] free account

[BRAS-behavior-web_deny] quit

# Configure the traffic behavior neiwang_out to permit traffic to pass through.

[BRAS] traffic behavior neiwang_out

[BRAS-behavior-neiwang_out] filter permit

[BRAS-behavior-neiwang_out] quit

# Configure the traffic behavior web_out to permit traffic without rate limiting or traffic accounting.

[BRAS] traffic behavior web_out

[BRAS-behavior-web_out] filter permit

[BRAS-behavior-web_out] free account

[BRAS-behavior-web_out] quit

4.     Configure the QoS policies:

# Create a QoS policy named web.

[BRAS] qos policy web

# Associate the traffic class web_permit with the traffic behavior web_permit.

[BRAS-qospolicy-web] classifier web_permit behavior web_permit

# Associate the traffic class neiwang with the traffic behavior neiwang.

[BRAS-qospolicy-web] classifier neiwang behavior neiwang

# Associate the traffic class web_http with the traffic behavior web_http.

[BRAS-qospolicy-web] classifier web_http behavior web_http

# Associate the traffic class web_https with the traffic behavior web_https.

[BRAS-qospolicy-web] classifier web_https behavior web_https

# Associate the traffic class web_deny with the traffic behavior web_deny.

[BRAS-qospolicy-web] classifier web_deny behavior web_deny

[BRAS-qospolicy-web] quit

# Configure a QoS policy named out.

[BRAS] qos policy out

# Associate the traffic class web_out with the traffic behavior web_out. Associate the traffic class neiwang_out with the traffic behavior neiwang_out. Associate the traffic class web_deny with the traffic behavior web_deny.

[BRAS-qospolicy-out] classifier web_out behavior web_out

[BRAS-qospolicy-out] classifier neiwang_out behavior neiwang_out

[BRAS-qospolicy-out] classifier web_deny behavior web_deny

[BRAS-qospolicy-out] quit

5.     Apply the QoS policies:

# Apply the QoS policy web to the inbound traffic globally.

[BRAS] qos apply policy web global inbound

# Apply the QoS policy out to the outbound traffic globally.

[BRAS] qos apply policy out global outbound

6.     Verify that the applied QoS policies take effect:

# Display the configuration and running status of the QoS policy applied to the inbound traffic globally.

[BRAS] display qos policy global slot 3 inbound

Direction: Inbound

  Policy: web

   Classifier: web_permit

     Operator: OR

     Rule(s) :

      If-match acl name web_permit

      If-match acl ipv6 name web_permit

     Behavior: web_permit

      Filter enable: Permit

      Free account enable

   Classifier: neiwang

     Operator: OR

     Rule(s) :

      If-match acl name neiwang

      If-match acl ipv6 name neiwang

     Behavior: neiwang

      Filter enable: Permit

   Classifier: web_http

     Operator: OR

     Rule(s) :

      If-match acl name web_http

      If-match acl ipv6 name web_http

     Behavior: web_http

      Redirecting:

        Redirect http to CPU

   Classifier: web_https

     Operator: OR

     Rule(s) :

      If-match acl name web_https

      If-match acl ipv6 name web_https

     Behavior: web_https

      Redirecting:

        Redirect https to CPU

   Classifier: web_deny

     Operator: OR

     Rule(s) :

      If-match acl name ip

      If-match acl ipv6 name ip

     Behavior: web_deny

      Filter enable: Deny

      Free account enable

# Display the configuration and running status of the QoS policy applied to the outbound traffic globally.

[BRAS] display qos policy global slot 3 outbound

Direction: Outbound

  Policy: out

   Classifier: neiwang_out

     Operator: OR

     Rule(s) :

      If-match acl name neiwang_out

      If-match acl ipv6 name neiwang_out

     Behavior: neiwang_out

      Filter enable: Permit

   Classifier: web_out

     Operator: OR

     Rule(s) :

      If-match acl name web_out

      If-match acl ipv6 name web_out

     Behavior: web_out

      Filter enable: Permit

      Free account enable

   Classifier: web_deny

     Operator: OR

     Rule(s) :

      If-match acl name ip

      If-match acl ipv6 name ip

     Behavior: web_deny

      Filter enable: Deny

      Free account enable
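To see how the five inbound and three outbound classifier-behavior pairs above combine into a walled garden for preauthentication users, here is an added Python model of the two policies (not H3C code, and not part of the original example). It takes the ACL, class, behavior and policy names and the server addresses from the configuration above, assumes first-match evaluation in configuration order, and constructs the packets and the outside addresses (203.0.113.9, 2001:db8::9) for illustration.

```python
"""Model of the preauthentication walled garden built above by qos policy web
(global inbound) and qos policy out (global outbound).  Added example, not H3C
code: names and server addresses come from the configuration; packets and
outside addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTAL4, PORTAL6 = "4.4.4.5", "4::5"   # portal server newpt1 / newpt2
INTRA4, INTRA6 = "4.4.4.1", "4::1"     # internal network server

@dataclass
class Rule:
    proto: str                   # "ip", "ipv6" or "tcp"
    user_group: str              # the rule's "user-group" qualifier
    src: Optional[str] = None    # host address; None means any
    dst: Optional[str] = None
    dport: Optional[int] = None  # "destination-port eq" value

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int]
    user_group: Optional[str]    # group of the IPoE session the packet belongs to
                                 # (source inbound, destination outbound); None
                                 # once Web authentication moved the user out of web

def _acl(v4: Rule, v6: Rule) -> dict:
    # acl advanced name X plus acl ipv6 advanced name X, each with its rule 0
    return {4: [v4], 6: [v6]}

ACLS = {
    "web_permit": _acl(Rule("ip", "web", dst=PORTAL4), Rule("ipv6", "web", dst=PORTAL6)),
    "neiwang": _acl(Rule("ip", "web", dst=INTRA4), Rule("ipv6", "web", dst=INTRA6)),
    "web_http": _acl(Rule("tcp", "web", dport=80), Rule("tcp", "web", dport=80)),
    "web_https": _acl(Rule("tcp", "web", dport=443), Rule("tcp", "web", dport=443)),
    "ip": _acl(Rule("ip", "web"), Rule("ipv6", "web")),
    "neiwang_out": _acl(Rule("ip", "web", src=INTRA4), Rule("ipv6", "web", src=INTRA6)),
    "web_out": _acl(Rule("ip", "web", src=PORTAL4), Rule("ipv6", "web", src=PORTAL6)),
}

# traffic classifier -> the ACL name it matches (IPv4 and IPv6 ACL, operator or)
CLASSIFIERS = {"web_permit": "web_permit", "neiwang": "neiwang", "web_http": "web_http",
               "web_https": "web_https", "web_deny": "ip",
               "neiwang_out": "neiwang_out", "web_out": "web_out"}

# traffic behavior -> (action, "free account" configured)
BEHAVIORS = {"web_permit": ("permit", True), "neiwang": ("permit", False),
             "web_http": ("redirect http-to-cpu", False),
             "web_https": ("redirect https-to-cpu", False),
             "web_deny": ("deny", True), "neiwang_out": ("permit", False),
             "web_out": ("permit", True)}

# classifier-behavior pairs of qos policy web and qos policy out, in configuration order
POLICY_WEB = [("web_permit", "web_permit"), ("neiwang", "neiwang"),
              ("web_http", "web_http"), ("web_https", "web_https"),
              ("web_deny", "web_deny")]
POLICY_OUT = [("web_out", "web_out"), ("neiwang_out", "neiwang_out"),
              ("web_deny", "web_deny")]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    def same(want: Optional[str], have: str) -> bool:
        return want is None or ipaddress.ip_address(want) == ipaddress.ip_address(have)
    if rule.user_group != pkt.user_group:
        return False
    if rule.proto == "tcp" and pkt.proto != "tcp":
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return same(rule.src, pkt.src) and same(rule.dst, pkt.dst)

def evaluate(policy, pkt: Packet) -> tuple:
    """(matched class, action, free account) of the first classifier-behavior pair
    the packet matches, or ("-", "forward", False) when the policy leaves it alone.
    Assumption: pairs are tried in configuration order, first match wins."""
    family = ipaddress.ip_address(pkt.dst).version
    for cls, beh in policy:
        if any(rule_matches(r, pkt) for r in ACLS[CLASSIFIERS[cls]][family]):
            return (cls,) + BEHAVIORS[beh]
    return ("-", "forward", False)

def walled_garden_report(policy_in=POLICY_WEB, policy_out=POLICY_OUT) -> dict:
    """Verdicts for constructed packets of the dual-stack host 192.168.0.2 /
    192::2 while in preauthentication group web, and once it has left it."""
    h4, h6 = "192.168.0.2", "192::2"
    cases = {
        "portal login (v4 HTTP)": (policy_in, Packet(h4, PORTAL4, "tcp", 80, "web")),
        "internal server (v6 FTP)": (policy_in, Packet(h6, INTRA6, "tcp", 21, "web")),
        "outside site (v4 HTTP)": (policy_in, Packet(h4, "203.0.113.9", "tcp", 80, "web")),
        "outside site (v6 HTTPS)": (policy_in, Packet(h6, "2001:db8::9", "tcp", 443, "web")),
        "outside UDP, preauth (v4)": (policy_in, Packet(h4, "203.0.113.9", "udp", 5000, "web")),
        "outside UDP, after auth (v4)": (policy_in, Packet(h4, "203.0.113.9", "udp", 5000, None)),
        "portal reply (v4)": (policy_out, Packet(PORTAL4, h4, "tcp", None, "web")),
        "outside reply, preauth (v6)": (policy_out, Packet("2001:db8::9", h6, "tcp", None, "web")),
    }
    return {name: evaluate(pol, pkt)[1] for name, (pol, pkt) in cases.items()}
```

Moving the web_deny pair to the front of policy web makes the portal login packet hit the catch-all first and be dropped, which is the check worth running before changing the order of the pairs.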

Configuring a RADIUS scheme

# Create a RADIUS scheme named rs1 and enter its view.

[BRAS] radius scheme rs1

# Configure primary servers and keys for authentication and accounting.

[BRAS-radius-rs1] primary authentication 4.4.4.5

[BRAS-radius-rs1] primary accounting 4.4.4.5

[BRAS-radius-rs1] key authentication simple radius

[BRAS-radius-rs1] key accounting simple radius

# Exclude the ISP name from the username sent to the RADIUS server.

[BRAS-radius-rs1] user-name-format without-domain

[BRAS-radius-rs1] quit

# Set the IP address of the RADIUS DAE client to 4.4.4.5, and set the shared key to radius for the RADIUS DAE client to exchange DAE packets. Make sure the plaintext shared key is the same on both ends.

[BRAS] radius dynamic-author server

[BRAS-radius-da-server] client ip 4.4.4.5 key simple radius

[BRAS-radius-da-server] quit

Configuring the user profile

# Create a user profile named car. Configure the user profile to perform traffic policing for incoming traffic of online users, with the CIR as 5210 kbps and CBS as 325625 bytes.

[BRAS] user-profile car

[BRAS-user-profile-car] qos car inbound any cir 5210 cbs 325625

[BRAS-user-profile-car] quit
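An added Python model of the CAR in user profile car (not H3C code, and not part of the original example): a single-rate token bucket with cir 5210 kbps and cbs 325625 bytes, fed a constructed 12 Mbps packet stream, together with the sizing rule that every CBS on this page follows (0.5 s of its CIR). It assumes the bucket starts full and that green packets pass while red packets are discarded.

```python
"""Single-rate token bucket policer with the parameters of user profile car
(qos car inbound any cir 5210 cbs 325625).  Added example, not H3C code; the
packet stream is constructed.  Assumptions: the bucket starts full, a packet
that fits in the bucket is green and forwarded, any other packet is red and
discarded (the green pass / red discard actions that the traffic behaviors
of the first example configure explicitly)."""
from fractions import Fraction


def cbs_for_burst(cir_kbps: int, burst_seconds: Fraction = Fraction(1, 2)) -> int:
    """Bytes the CIR delivers in burst_seconds.  Every car line in this
    document sizes CBS as 0.5 s of its CIR: 5210 kbps -> 325625 bytes,
    20000 -> 1250000, 50000 -> 3125000, 100000 -> 6250000."""
    return int(Fraction(cir_kbps * 1000, 8) * burst_seconds)


class TokenBucketCar:
    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.rate_per_ms = Fraction(cir_kbps, 8)   # cir kbit/s is cir/8 bytes per ms
        self.cbs = cbs_bytes
        self.tokens = Fraction(cbs_bytes)          # bucket assumed full at start
        self.last_ms = 0

    def police(self, now_ms: int, size: int) -> str:
        # Add the tokens earned since the last packet, never beyond CBS.
        elapsed = now_ms - self.last_ms
        self.tokens = min(Fraction(self.cbs), self.tokens + elapsed * self.rate_per_ms)
        self.last_ms = now_ms
        if size <= self.tokens:        # conforming: consume tokens and pass
            self.tokens -= size
            return "green"
        return "red"                   # exceeding: discard, tokens untouched


def simulate(cir_kbps: int, cbs_bytes: int, duration_ms: int,
             pkt_size: int = 1500, interval_ms: int = 1) -> dict:
    """Offer one pkt_size packet every interval_ms for duration_ms (12 Mbps with
    the defaults, above the 5 Mbps limit required above) and report what the
    policer forwards.  passed_kbps is the forwarded rate over the whole window:
    it shows the CBS burst on top of the CIR for a short window and converges
    towards the CIR as the window grows."""
    car = TokenBucketCar(cir_kbps, cbs_bytes)
    green = red = 0
    for t in range(0, duration_ms, interval_ms):
        if car.police(t, pkt_size) == "green":
            green += 1
        else:
            red += 1
    passed = green * pkt_size
    return {"green": green, "red": red, "passed_bytes": passed,
            "passed_kbps": passed * 8 // duration_ms}


if __name__ == "__main__":
    for window in (1000, 10000):
        print(window, "ms:", simulate(5210, 325625, window))
```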

Configuring the preauthentication ISP domain and Web authentication ISP domain

# Configure the ISP domain dm1 for IPoE user preauthentication.

[BRAS] domain name dm1

[BRAS-isp-dm1] authentication ipoe none

[BRAS-isp-dm1] authorization ipoe none

[BRAS-isp-dm1] accounting ipoe none

# Configure the authorized user group and IP address pools in preauthentication ISP domain dm1.

[BRAS-isp-dm1] authorization-attribute user-group web

[BRAS-isp-dm1] authorization-attribute ip-pool pool1

[BRAS-isp-dm1] authorization-attribute ipv6-pool pool2

# Configure the Web authentication page URL in ISP domain dm1.

[BRAS-isp-dm1] web-server url http://www.h3c.web.com

[BRAS-isp-dm1] quit

# Configure the ISP domain dm2 for IPoE user Web authentication.

[BRAS] domain name dm2

[BRAS-isp-dm2] authentication ipoe radius-scheme rs1

[BRAS-isp-dm2] authorization ipoe radius-scheme rs1

[BRAS-isp-dm2] accounting ipoe radius-scheme rs1

[BRAS-isp-dm2] authorization-attribute user-profile car

[BRAS-isp-dm2] quit

Configuring IPoE

# Enable IPoE and configure Layer 2 access mode on GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] ip subscriber l2-connected enable

# Configure Web authentication for IPoE users on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ip subscriber authentication-method web

The operation may cut all users on this interface. Continue?[Y/N]:y

# Configure the ISP domain dm1 for preauthentication and the ISP domain dm2 for Web authentication on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ip subscriber pre-auth domain dm1

[BRAS-GigabitEthernet3/1/2] ip subscriber web-auth domain dm2

[BRAS-GigabitEthernet3/1/2] quit

Configuring the RADIUS server

The following section uses an IMC server as an example to describe how to configure the RADIUS server. The configuration procedure might vary by IMC version. For the exact configuration procedure, see the guide for the specific IMC version. The configuration procedure in this section is only for your reference.

1.     Configure the access device:

a.     Log in to the IMC platform and click the User tab.

b.     Select User Access Policy > Access Device Management > Access Device from the navigation tree to open the access device configuration page.

c.     Click Add to open the page as shown in Figure 3.

d.     Enter the shared key radius.

e.     Use the default settings for other parameters.

Figure 3 Adding an access device

a.     Click Add Manually in the Device List area to open the page as shown in Figure 4.

b.     Enter the access device's IP address 4.4.4.2.

c.     Click OK.

Figure 4 Manually adding an access device

2.     Add an access policy:

a.     Select User Access Policy > Access Policy from the navigation tree to open the access policy page.

b.     Click Add to open the page as shown in Figure 5.

c.     Enter the access policy name AccessPolicy.

d.     Use the default settings for other parameters.

Figure 5 Adding an access policy

3.     Add an access service:

a.     Select User Access Policy > Access Service from the navigation tree to open the access service page.

b.     Click Add to open the page as shown in Figure 6.

c.     Enter the service name IPoE_Server.

d.     Select AccessPolicy from the default access policy list.

e.     Use the default settings for other parameters.

Figure 6 Adding an access service

4.     Add a user:

a.     Select User Management > Add User from the navigation tree to open the adding user page, as shown in Figure 7.

b.     Enter the username IPoE_Web001 and the user ID 001.

c.     Click OK.

Figure 7 Adding a user

5.     Add an access user:

a.     Select Access User > All Access Users from the navigation tree to open the access user page.

b.     Click Add to open the page as shown in Figure 8.

c.     Select IPoE_Web001 for the username.

d.     Enter the account name user1.

e.     Enter the password pass1.

f.     Select the access service IPoE_Server.

Figure 8 Adding an access user

Configuring the portal server

The following section uses an IMC server as an example to describe how to configure the portal server. The configuration procedure might vary by IMC version. For the exact configuration procedure, see the guide for the specific IMC version. The configuration procedure in this section is only for your reference.

1.     Configure the portal homepage:

a.     Select User Access Policy > Portal Service > Server from the navigation tree to open the portal server configuration page, as shown in Figure 9.

b.     Click OK.

Figure 9 Portal server configuration page

2.     Configure portal authentication source IP address range:

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 10.

c.     Enter the IP group name IPoE_Web_User.

d.     Enter the start IP address (192.168.0.1) and end IP address (192.168.0.255) of the IP group. Make sure the host IP address is in the IP group.

e.     Click OK.

Figure 10 Adding an IP address group (IPv4)

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 11.

c.     Enter the IP group name IPoE_Web_User-2.

d.     Select Yes from the IPv6 list.

e.     Enter the start IP address (192::1) and end IP address (192::FFFF) of the IP group. Make sure the host IPv6 address is in the IP group.

f.     Click OK.

Figure 11 Adding an IP address group (IPv6)

3.     Add a portal device:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 12.

c.     Enter the device name NAS.

d.     Enter the IP address of the portal packets' outgoing interface GigabitEthernet 3/1/1 (4.4.4.2).

e.     Enter the key 123456.

f.     Select Directly Connect for access method.

g.     Click OK.

Figure 12 Adding a portal device (IPv4)

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 13.

c.     Enter the device name NAS-2.

d.     Select Portal 3.0 from the Version list.

e.     Enter the IP address of the portal packets' outgoing interface GigabitEthernet 3/1/1 (4::2).

f.     Enter the key 123456.

g.     Select Directly Connect for access method.

h.     Click OK.

Figure 13 Adding a portal device (IPv6)

4.     Associate the portal device with the IP address group:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click the icon in the Port Group Information Management column of device NAS to open the port group configuration page, as shown in Figure 14.

c.     Click Add to open the page as shown in Figure 15.

d.     Enter the port group name group.

e.     Select the configured IP address group IPoE_Web_User. Make sure the IP address used by the user to access the network is within this IP address group.

f.     Click OK.

Figure 14 Device list

Figure 15 Port group configuration (IPv4)

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click the icon in the Port Group Information Management column of device NAS-2 to open the port group configuration page, as shown in Figure 14.

c.     Click Add to open the page as shown in Figure 16.

d.     Enter the port group name group-2.

e.     Select the configured IP address group IPoE_Web_User-2. Make sure the IPv6 address used by the user to access the network is within this IPv6 address group.

f.     Click OK.

Figure 16 Port group configuration (IPv6)

Verifying the configuration

# Display IPoE session information to verify that the host has passed preauthentication and obtained IPv4 address 192.168.0.2 and IPv6 address 192::2.

[BRAS] display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : 001b21a80949

  Domain                      : dm1

  VPN instance                : N/A

  IP address                  : 192.168.0.2

  IPv6 address                : 192::2

  User address type           : N/A

  MAC address                 : 001b-21a8-0949

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/2

  User ID                     : 0x30000004

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86383 sec

  DHCPv6 lease                : 2592000 sec

  DHCPv6 remain lease         : 2591981 sec

  Access time                 : May 27 00:48:51 2018

  Online time(hh:mm:ss)       : 00:00:19

  Service node                : Slot 3 CPU 0

  Authentication type         : Web pre-auth

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : Detecting

  IPv6 detect state           : Detecting

  State                       : Online

AAA:

  ITA policy name             : N/A

  IP pool                     : pool1

  IPv6 pool                   : pool2

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 27 00:48:51 2018

  Redirect URL                : http://www.h3c.web.com

  Subscriber ID               : -

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : web (active)

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

As shown in Figure 17, the Web login page opens after preauthentication. Enter the username and password on the page.

Figure 17 Web login page

# Display IPoE session information to verify that the host has passed Web authentication and come online.

[BRAS] display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : user1@dm2

  Domain                      : dm2

  VPN instance                : N/A

  IP address                  : 192.168.0.2

  IPv6 address                : 192::2

  User address type           : N/A

  MAC address                 : 001b-21a8-0949

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/2

  User ID                     : 0x30000004

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86356 sec

  DHCPv6 lease                : 2592000 sec

  DHCPv6 remain lease         : 2591954 sec

  Access time                 : May 27 00:48:51 2018

  Online time(hh:mm:ss)       : 00:00:04

  Service node                : Slot 3 CPU 0

  Authentication type         : Web

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : Detecting

  IPv6 detect state           : Detecting

  State                       : Online

AAA:

  ITA policy name             : N/A

  IP pool                     : pool1

  IPv6 pool                   : pool2

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : 86400 sec, remaining: 86395 sec

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 27 00:49:32 2018

  Subscriber ID               : -

QoS:

  User profile                : car (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0
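The two displays above are the checkpoints of the dual-stack Web flow: first a preauthentication session in domain dm1 carrying the user-group ACL web, then the same host in domain dm2 carrying user profile car. As an added example, not a script from the H3C document, the following Python parses `display ip subscriber session verbose` output and names the stage each session is in; the sample text is constructed from the page's two displays, trimmed to the fields the check uses.

```python
import re
from typing import Dict, List, Tuple

# One "  Key : value" line. The key ends at the first colon followed by
# whitespace, so "Online time(hh:mm:ss)" stays whole and the value of
# "Session duration : N/A, remaining: N/A" keeps its own colon.
_FIELD = re.compile(r"^\s+(\S.*?)\s*:\s(.*)$")
_HMS = re.compile(r"^(\d+):(\d\d):(\d\d)$")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session; a session starts at the 'Basic:' section line."""
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("Basic:"):
            sessions.append({})
        elif sessions:
            m = _FIELD.match(line)
            if m:
                sessions[-1][m.group(1)] = m.group(2).strip()
    return sessions


def online_seconds(session: Dict[str, str]) -> int:
    """'Online time(hh:mm:ss)' as seconds, or -1 when absent or malformed."""
    m = _HMS.match(session.get("Online time(hh:mm:ss)", ""))
    if not m:
        return -1
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def classify(session: Dict[str, str]) -> str:
    """Name the stage of a dual-stack IPoE Web session, per the page's displays."""
    if session.get("State") != "Online":
        return "not-online"
    if "N/A" in (session.get("IP address", "N/A"), session.get("IPv6 address", "N/A")):
        return "single-stack"          # one of the two stacks is not online yet
    auth, domain = session.get("Authentication type"), session.get("Domain")
    # Before login: preauthentication domain dm1 and the walled-garden user group.
    if (auth == "Web pre-auth" and domain == "dm1"
            and session.get("User group ACL", "").startswith("web")):
        return "preauth"
    # After login: Web authentication domain dm2 and the rate-limiting profile.
    if (auth == "Web" and domain == "dm2"
            and session.get("User profile", "").startswith("car")):
        return "authenticated"
    return "unexpected"                # any other mix of domain, type, authorization


def summarize(text: str) -> List[Tuple[str, str, int]]:
    """(username, stage, online seconds) for every session in the output."""
    return [(s.get("Username", "?"), classify(s), online_seconds(s))
            for s in parse_sessions(text)]


# Constructed sample: the page's two displays, trimmed to the fields used and
# concatenated as one output holding two sessions.
SAMPLE = """\
[BRAS] display ip subscriber session verbose
Basic:
  Username                    : 001b21a80949
  Domain                      : dm1
  IP address                  : 192.168.0.2
  IPv6 address                : 192::2
  Online time(hh:mm:ss)       : 00:00:19
  Authentication type         : Web pre-auth
  State                       : Online
AAA:
  Session duration            : N/A, remaining: N/A
QoS:
  User profile                : N/A
  User group ACL              : web (active)
Basic:
  Username                    : user1@dm2
  Domain                      : dm2
  IP address                  : 192.168.0.2
  IPv6 address                : 192::2
  Online time(hh:mm:ss)       : 00:00:04
  Authentication type         : Web
  State                       : Online
AAA:
  Session duration            : 86400 sec, remaining: 86395 sec
QoS:
  User profile                : car (active)
  User group ACL              : N/A
"""

if __name__ == "__main__":
    for user, stage, secs in summarize(SAMPLE):
        print(f"{user:<16} {stage:<14} online for {secs}s")
```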

Configuration files

·     DHCP server:

#

 dhcp enable

#

 ipv6 dhcp server forbidden-address 192::1

#

dhcp server ip-pool pool1

 gateway-list 192.168.0.1

 network 192.168.0.0 mask 255.255.255.0

 forbidden-ip 192.168.0.1

#

ipv6 dhcp pool pool2

 network 192::/64

#

interface GigabitEthernet3/1/1

 port link-mode route

 ip address 4.4.4.3 255.255.255.0

 ipv6 dhcp select server

 ipv6 address 4::3/64

#

 ip route-static 192.168.0.0 24 4.4.4.2

 ipv6 route-static 192:: 64 4::2

#

·     Router A (BRAS):

#

 dhcp enable

 dhcp relay client-information record

 undo dhcp relay client-information refresh enable

#

traffic classifier neiwang operator or

 if-match acl name neiwang

 if-match acl ipv6 name neiwang

#

traffic classifier neiwang_out operator or

 if-match acl name neiwang_out

 if-match acl ipv6 name neiwang_out

#

traffic classifier web_deny operator or

 if-match acl name ip

 if-match acl ipv6 name ip

#

traffic classifier web_http operator or

 if-match acl name web_http

 if-match acl ipv6 name web_http

#

traffic classifier web_https operator or

 if-match acl name web_https

 if-match acl ipv6 name web_https

#

traffic classifier web_out operator or

 if-match acl name web_out

 if-match acl ipv6 name web_out

#

traffic classifier web_permit operator or

 if-match acl name web_permit

 if-match acl ipv6 name web_permit

#

traffic behavior neiwang

 filter permit

#

traffic behavior neiwang_out

 filter permit

#

traffic behavior web_deny

 filter deny

 free account

#

traffic behavior web_http

 redirect http-to-cpu

#

traffic behavior web_https

 redirect https-to-cpu

#

traffic behavior web_out

 filter permit

 free account

#

traffic behavior web_permit

 filter permit

 free account

#

qos policy out

 classifier web_out behavior web_out

 classifier neiwang_out behavior neiwang_out

 classifier web_deny behavior web_deny

#

qos policy web

 classifier web_permit behavior web_permit

 classifier neiwang behavior neiwang

 classifier web_http behavior web_http

 classifier web_https behavior web_https

 classifier web_deny behavior web_deny

#

interface GigabitEthernet3/1/1

 ip address 4.4.4.2 255.255.255.0

 ipv6 address 4::2/64

#

interface GigabitEthernet3/1/2

 port link-mode route

 dhcp select relay proxy

 ipv6 dhcp select relay

 ipv6 dhcp relay client-information record

 ipv6 dhcp relay release-agent

 ipv6 nd ra prefix 192::/64 no-advertise

 ipv6 address auto link-local

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

 ip subscriber l2-connected enable

 ip subscriber authentication-method web

 ip subscriber pre-auth domain dm1

 ip subscriber web-auth domain dm2

#

 qos apply policy web global inbound

 qos apply policy out global outbound

#

dhcp server ip-pool pool1

 gateway-list 192.168.0.1 export-route

 remote-server 4.4.4.3

#

ipv6 dhcp pool pool2

 gateway-list 192::1

 remote-server 4::3

#

acl advanced name ip

 rule 0 permit ip user-group web

#

acl advanced name neiwang

 rule 0 permit ip destination 4.4.4.1 0 user-group web

#

acl advanced name neiwang_out

 rule 0 permit ip source 4.4.4.1 0 user-group web

#

acl advanced name web_http

 rule 0 permit tcp destination-port eq www user-group web

#

acl advanced name web_https

 rule 0 permit tcp destination-port eq 443 user-group web

#

acl advanced name web_out

 rule 0 permit ip source 4.4.4.5 0 user-group web

#

acl advanced name web_permit

 rule 0 permit ip destination 4.4.4.5 0 user-group web

#

acl ipv6 advanced name ip

 rule 0 permit ipv6 user-group web

#

acl ipv6 advanced name neiwang

 rule 0 permit ipv6 destination 4::1/128 user-group web

#

acl ipv6 advanced name neiwang_out

 rule 0 permit ipv6 source 4::1/128 user-group web

#

acl ipv6 advanced name web_http

 rule 0 permit tcp destination-port eq www user-group web

#

acl ipv6 advanced name web_https

 rule 0 permit tcp destination-port eq 443 user-group web

#

acl ipv6 advanced name web_out

 rule 0 permit ipv6 source 4::5/128 user-group web

#

acl ipv6 advanced name web_permit

 rule 0 permit ipv6 destination 4::5/128 user-group web

#

user-profile car

 qos car inbound any cir 5210 cbs 325625 ebs 0

#

radius scheme rs1

 primary authentication 4.4.4.5

 primary accounting 4.4.4.5

 key authentication cipher $c$3$FhQVcgn3kq1exL0CdTzatcgc9xF9vL3ZOw==

 key accounting cipher $c$3$ntIHBRM4ZkG+2JRZQTdKmNl0kYJmhZz5Zg==

 user-name-format without-domain

#

radius dynamic-author server

 client ip 4.4.4.5 key cipher $c$3$lYC2ERe8ts2gtE6M2xfoDDB8NmGw6J9v/Q==

#

domain name dm1

 authorization-attribute user-group web

 authorization-attribute ip-pool pool1

 authorization-attribute ipv6-pool pool2

 authentication ipoe none

 authorization ipoe none

 accounting ipoe none

 web-server url http://www.h3c.web.com

#

domain name dm2

 authorization-attribute user-profile car

 authentication ipoe radius-scheme rs1

 authorization ipoe radius-scheme rs1

 accounting ipoe radius-scheme rs1

#

user-group web

#

portal server newpt1

 ip 4.4.4.5 key cipher $c$3$UnoFeLybwld9jDwLnHJQptDE7YZry2EVlw==

#

portal server newpt2

 ipv6 4::5 key cipher $c$3$HxisNWeML9fhYRS+7umwGbYwAkL+KGiCjw==

#

 http-redirect https-port 11111

#

Example: Configuring IPoE transparent MAC authentication for dual-stack users

Network configuration

As shown in Figure 18:

·     The host accesses the BRAS as a DHCP client through a Layer 2 device. It obtains configuration information from the DHCP server through the BRAS.

·     The BRAS performs AAA for the host through the RADIUS server.

·     A server installed with H3C IMC acts as the portal authentication server and the portal Web server.

·     A RADIUS server that supports MAC binding acts as the authentication, authorization, and accounting server and performs MAC binding.

·     The FTP server is an internal network server.

·     Limit the access rate to 5 Mbps for the user after passing Web authentication.

Figure 18 Network diagram

Analysis

To meet bandwidth requirements of users, this example authorizes user profiles for rate limiting.

To improve the forwarding efficiency, classify the traffic in the IPoE preauthentication domain into HTTP traffic, HTTPS traffic, and common IP packets and assign them to different queues. Configure three class-behavior associations to process the traffic to be sent to the CPU:

·     Configure a class to match HTTP traffic from the user group created in the preauthentication domain, and associate the class with a behavior containing the redirect http-to-cpu action.

·     Configure a class to match HTTPS traffic from the user group created in the preauthentication domain, and associate the class with a behavior containing the redirect https-to-cpu action.

·     Configure a class to match IP traffic from the user group created in the preauthentication domain, and associate the class with a behavior containing the redirect cpu action.

When a BRAS access user goes offline, the DHCP relay agent needs to query the relay user address entry of the user. If the entry exists, the DHCP relay agent sends Release packets to the DHCP server to notify the DHCP server to release the user's address lease. For this purpose, execute the dhcp relay client-information record command to enable recording client information in relay entries.

Restrictions and guidelines

The DHCP server in this example is simulated by a device. As a best practice, use a dedicated DHCP server in actual applications.

By default, the HTTPS redirect listening port number is not configured. To configure the HTTPS port number, execute the http-redirect https-port command. Make sure the listening port number does not conflict with existing port numbers.

Procedures

Configuring IP addresses and routes

As shown in Figure 18, configure IP addresses for interfaces, and make sure the BRAS and servers can reach each other at Layer 3.

Configuring the DNS server

Configure the DNS server so that it resolves the Web authentication page URL http://www.h3c.web.com to an IPv4 or IPv6 address according to whichever protocol stack of the IPoE dual-stack user comes online first. (Details not shown.)

Configuring the DHCP server

Configuring a DHCPv4 address pool

# Enable DHCP.

<DHCP> system-view

[DHCP] dhcp enable

# Create a DHCPv4 address pool named pool1 and enter its view.

[DHCP] dhcp server ip-pool pool1

# Specify primary subnet 192.168.0.0/24 for dynamic allocation in address pool pool1.

[DHCP-dhcp-pool-pool1] network 192.168.0.0 24

# Specify gateway address 192.168.0.1 in address pool pool1.

[DHCP-dhcp-pool-pool1] gateway-list 192.168.0.1

# Exclude DHCP address 192.168.0.1 from dynamic allocation in address pool pool1.

[DHCP-dhcp-pool-pool1] forbidden-ip 192.168.0.1

[DHCP-dhcp-pool-pool1] quit

# Configure a static route to specify the next hop of DHCPv4 replies destined to network segment 192.168.0.0 as the IP address of the interface connected to the DHCPv4 client, 4.4.4.2.

[DHCP] ip route-static 192.168.0.0 24 4.4.4.2

Configuring a DHCPv6 address pool

# Create a DHCPv6 address pool named pool2 and enter its view.

[DHCP] ipv6 dhcp pool pool2

# Specify primary subnet 192::0/64 for dynamic allocation in address pool pool2.

[DHCP-dhcpv6-pool-pool2] network 192::0/64

[DHCP-dhcpv6-pool-pool2] quit

# Exclude IP address 192::1 from dynamic allocation in address pool pool2.

[DHCP] ipv6 dhcp server forbidden-address 192::1

# Enable the DHCPv6 server on GigabitEthernet 3/1/1.

[DHCP] interface gigabitethernet 3/1/1

[DHCP-GigabitEthernet3/1/1] ipv6 dhcp select server

[DHCP-GigabitEthernet3/1/1] quit

# Configure a static route to specify the next hop of DHCPv6 replies destined to network segment 192::0 as the IP address of the interface connected to the DHCPv6 client, 4::2.

[DHCP] ipv6 route-static 192::0 64 4::2

Configuring the BRAS

Configuring the DHCP relay agent

# Enable DHCP.

[BRAS] dhcp enable

# Enable recording client information in relay entries.

[BRAS] dhcp relay client-information record

# Disable the DHCP relay agent from periodically refreshing dynamic relay entries.

[BRAS] undo dhcp relay client-information refresh enable

# Create a DHCP relay address pool named pool1.

[BRAS] dhcp server ip-pool pool1

# Specify the gateway address in address pool pool1.

[BRAS-dhcp-pool-pool1] gateway-list 192.168.0.1 24 export-route

# Specify DHCP server 4.4.4.3 in address pool pool1.

[BRAS-dhcp-pool-pool1] remote-server 4.4.4.3

[BRAS-dhcp-pool-pool1] quit

# Create a DHCP relay address pool named pool2.

[BRAS] ipv6 dhcp pool pool2

# Specify gateway address 192::1 in address pool pool2.

[BRAS-dhcpv6-pool-pool2] gateway-list 192::1

# Specify DHCP server 4::3 in DHCP relay address pool pool2.

[BRAS-dhcpv6-pool-pool2] remote-server 4::3

[BRAS-dhcpv6-pool-pool2] quit

# Enable the DHCPv4 relay agent on GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] dhcp select relay proxy

# Automatically generate a link-local address for GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ipv6 address auto link-local

# Enable the DHCPv6 relay agent on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ipv6 dhcp select relay

# Enable recording client information in DHCPv6 relay entries.

[BRAS-GigabitEthernet3/1/2] ipv6 dhcp relay client-information record

# Enable IPv6 release notification.

[BRAS-GigabitEthernet3/1/2] ipv6 dhcp relay release-agent

# Disable RA message suppression on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent. Then, the host uses a DHCPv6 server to obtain IPv6 addresses.

[BRAS-GigabitEthernet3/1/2] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent. Then, the host uses a DHCPv6 server to obtain configuration information other than IPv6 addresses.

[BRAS-GigabitEthernet3/1/2] ipv6 nd autoconfig other-flag

# Disable GigabitEthernet 3/1/2 from advertising the specified prefix in RA messages, preventing the endpoint from obtaining a temporary IPv6 address. In an IPv6 network, an endpoint might use a temporary IPv6 address for IPoE Web authentication, which will cause authentication failure.

[BRAS-GigabitEthernet3/1/2] ipv6 nd ra prefix 192::/64 no-advertise

[BRAS-GigabitEthernet3/1/2] quit

Configuring the portal servers

# Configure the IP address of the IPv4 portal authentication server newpt1 as 4.4.4.5 and the plaintext key 123456.

[BRAS] portal server newpt1

[BRAS-portal-server-newpt1] ip 4.4.4.5 key simple 123456

[BRAS-portal-server-newpt1] quit

# Configure the IPv6 address of the IPv6 portal authentication server newpt2 as 4::5 and the plaintext key 123456.

[BRAS] portal server newpt2

[BRAS-portal-server-newpt2] ipv6 4::5 key simple 123456

[BRAS-portal-server-newpt2] quit

Specifying the HTTPS redirect listening port number

# Specify 11111 as the HTTPS redirect listening port number.

[BRAS] http-redirect https-port 11111

Creating a local user group

# Create a local user group named web.

[BRAS] user-group web

New user group added.

[BRAS-ugroup-web] quit

Configuring QoS

1.     Configure ACLs for preauthentication:

# Create an IPv4 and IPv6 advanced ACL named web_permit separately. Configure a rule to permit all packets destined for the portal server from users in user group web.

[BRAS] acl advanced name web_permit

[BRAS-acl-ipv4-adv-web_permit] rule 0 permit ip destination 4.4.4.5 0 user-group web

[BRAS-acl-ipv4-adv-web_permit] quit

[BRAS] acl ipv6 advanced name web_permit

[BRAS-acl-ipv6-adv-web_permit] rule 0 permit ipv6 destination 4::5 128 user-group web

[BRAS-acl-ipv6-adv-web_permit] quit

# Create an IPv4 and IPv6 advanced ACL named neiwang separately. Configure a rule to permit all packets destined for the internal network server from users in user group web.

[BRAS] acl advanced name neiwang

[BRAS-acl-ipv4-adv-neiwang] rule 0 permit ip destination 4.4.4.6 0 user-group web

[BRAS-acl-ipv4-adv-neiwang] quit

[BRAS] acl ipv6 advanced name neiwang

[BRAS-acl-ipv6-adv-neiwang] rule 0 permit ipv6 destination 4::6 128 user-group web

[BRAS-acl-ipv6-adv-neiwang] quit

# Create an IPv4 and IPv6 advanced ACL named web_http separately. Configure a rule to permit TCP packets with the destination port 80 (HTTP packets) from users in user group web.

[BRAS] acl advanced name web_http

[BRAS-acl-ipv4-adv-web_http] rule 0 permit tcp destination-port eq www user-group web

[BRAS-acl-ipv4-adv-web_http] quit

[BRAS] acl ipv6 advanced name web_http

[BRAS-acl-ipv6-adv-web_http] rule 0 permit tcp destination-port eq www user-group web

[BRAS-acl-ipv6-adv-web_http] quit

# Create an IPv4 and IPv6 advanced ACL named web_https separately, and configure a rule to permit TCP packets with the destination port 443 (HTTPS packets) from users in user group web.

[BRAS] acl advanced name web_https

[BRAS-acl-ipv4-adv-web_https] rule 0 permit tcp destination-port eq 443 user-group web

[BRAS-acl-ipv4-adv-web_https] quit

[BRAS] acl ipv6 advanced name web_https

[BRAS-acl-ipv6-adv-web_https] rule 0 permit tcp destination-port eq 443 user-group web

[BRAS-acl-ipv6-adv-web_https] quit

# Create an IPv4 and IPv6 advanced ACL named ip separately, and configure a rule to permit IP packets from users in user group web.

[BRAS] acl advanced name ip

[BRAS-acl-ipv4-adv-ip] rule 0 permit ip user-group web

[BRAS-acl-ipv4-adv-ip] quit

[BRAS] acl ipv6 advanced name ip

[BRAS-acl-ipv6-adv-ip] rule 0 permit ipv6 user-group web

[BRAS-acl-ipv6-adv-ip] quit

# Create an IPv4 and IPv6 advanced ACL named neiwang_out separately, and configure a rule to permit IP packets sent from the internal network server to users in user group web.

[BRAS] acl advanced name neiwang_out

[BRAS-acl-ipv4-adv-neiwang_out] rule 0 permit ip source 4.4.4.6 0 user-group web

[BRAS-acl-ipv4-adv-neiwang_out] quit

[BRAS] acl ipv6 advanced name neiwang_out

[BRAS-acl-ipv6-adv-neiwang_out] rule 0 permit ipv6 source 4::6 128 user-group web

[BRAS-acl-ipv6-adv-neiwang_out] quit

# Create an IPv4 and IPv6 advanced ACL named web_out separately, and configure a rule to permit IP packets sent from the portal server to users in user group web.

[BRAS] acl advanced name web_out

[BRAS-acl-ipv4-adv-web_out] rule 0 permit ip source 4.4.4.5 0 user-group web

[BRAS-acl-ipv4-adv-web_out] quit

[BRAS] acl ipv6 advanced name web_out

[BRAS-acl-ipv6-adv-web_out] rule 0 permit ipv6 source 4::5 128 user-group web

[BRAS-acl-ipv6-adv-web_out] quit

2.     Configure QoS traffic classes for preauthentication users:

# Create the traffic class web_permit and specify ACL web_permit as the match criterion.

[BRAS] traffic classifier web_permit operator or

[BRAS-classifier-web_permit] if-match acl name web_permit

[BRAS-classifier-web_permit] if-match acl ipv6 name web_permit

[BRAS-classifier-web_permit] quit

# Create the traffic class neiwang and specify ACL neiwang as the match criterion.

[BRAS] traffic classifier neiwang operator or

[BRAS-classifier-neiwang] if-match acl name neiwang

[BRAS-classifier-neiwang] if-match acl ipv6 name neiwang

[BRAS-classifier-neiwang] quit

# Create the traffic class web_http and specify ACL web_http as the match criterion.

[BRAS] traffic classifier web_http operator or

[BRAS-classifier-web_http] if-match acl name web_http

[BRAS-classifier-web_http] if-match acl ipv6 name web_http

[BRAS-classifier-web_http] quit

# Create the traffic class web_https and specify ACL web_https as the match criterion.

[BRAS] traffic classifier web_https operator or

[BRAS-classifier-web_https] if-match acl name web_https

[BRAS-classifier-web_https] if-match acl ipv6 name web_https

[BRAS-classifier-web_https] quit

# Create the traffic class ip_cpu and specify ACL ip as the match criterion.

[BRAS] traffic classifier ip_cpu operator or

[BRAS-classifier-ip_cpu] if-match acl name ip

[BRAS-classifier-ip_cpu] if-match acl ipv6 name ip

[BRAS-classifier-ip_cpu] quit

# Create the traffic class ip_deny and specify ACL ip as the match criterion.

[BRAS] traffic classifier ip_deny operator or

[BRAS-classifier-ip_deny] if-match acl name ip

[BRAS-classifier-ip_deny] if-match acl ipv6 name ip

[BRAS-classifier-ip_deny] quit

# Create the traffic class neiwang_out and specify ACL neiwang_out as the match criterion.

[BRAS] traffic classifier neiwang_out operator or

[BRAS-classifier-neiwang_out] if-match acl name neiwang_out

[BRAS-classifier-neiwang_out] if-match acl ipv6 name neiwang_out

[BRAS-classifier-neiwang_out] quit

# Create the traffic class web_out and specify ACL web_out as the match criterion.

[BRAS] traffic classifier web_out operator or

[BRAS-classifier-web_out] if-match acl name web_out

[BRAS-classifier-web_out] if-match acl ipv6 name web_out

[BRAS-classifier-web_out] quit

3.     Configure QoS traffic behaviors:

# Configure the traffic behavior web_permit to permit traffic to pass through without rate limiting or accounting.

[BRAS] traffic behavior web_permit

[BRAS-behavior-web_permit] filter permit

[BRAS-behavior-web_permit] free account

[BRAS-behavior-web_permit] quit

# Configure the traffic behavior neiwang to permit traffic to pass through.

[BRAS] traffic behavior neiwang

[BRAS-behavior-neiwang] filter permit

[BRAS-behavior-neiwang] quit

# Configure the traffic behavior web_http to redirect HTTP packets to the CPU.

[BRAS] traffic behavior web_http

[BRAS-behavior-web_http] redirect http-to-cpu

[BRAS-behavior-web_http] quit

# Configure the traffic behavior web_https to redirect HTTPS packets to the CPU.

[BRAS] traffic behavior web_https

[BRAS-behavior-web_https] redirect https-to-cpu

[BRAS-behavior-web_https] quit

# Configure the traffic behavior web_cpu to redirect IP packets to the CPU.

[BRAS] traffic behavior web_cpu

[BRAS-behavior-web_cpu] redirect cpu

[BRAS-behavior-web_cpu] quit

# Configure the traffic behavior web_deny to deny traffic.

[BRAS] traffic behavior web_deny

[BRAS-behavior-web_deny] filter deny

[BRAS-behavior-web_deny] free account

[BRAS-behavior-web_deny] quit

# Configure the traffic behavior neiwang_out to permit traffic to pass through.

[BRAS] traffic behavior neiwang_out

[BRAS-behavior-neiwang_out] filter permit

[BRAS-behavior-neiwang_out] quit

# Configure the traffic behavior web_out to permit traffic without rate limiting or traffic accounting.

[BRAS] traffic behavior web_out

[BRAS-behavior-web_out] filter permit

[BRAS-behavior-web_out] free account

[BRAS-behavior-web_out] quit

4.     Configure the QoS policies:

# Create a QoS policy named web.

[BRAS] qos policy web

# Associate the traffic class web_permit with the traffic behavior web_permit.

[BRAS-qospolicy-web] classifier web_permit behavior web_permit

# Associate the traffic class neiwang with the traffic behavior neiwang.

[BRAS-qospolicy-web] classifier neiwang behavior neiwang

# Associate the traffic class web_http with the traffic behavior web_http.

[BRAS-qospolicy-web] classifier web_http behavior web_http

# Associate the traffic class web_https with the traffic behavior web_https.

[BRAS-qospolicy-web] classifier web_https behavior web_https

# Associate the traffic class ip_cpu with the traffic behavior web_cpu.

[BRAS-qospolicy-web] classifier ip_cpu behavior web_cpu

# Associate the traffic class ip_deny with the traffic behavior web_deny.

[BRAS-qospolicy-web] classifier ip_deny behavior web_deny

[BRAS-qospolicy-web] quit

# Configure a QoS policy named out.

[BRAS] qos policy out

# Associate the traffic class web_out with the traffic behavior web_out. Associate the traffic class neiwang_out with the traffic behavior neiwang_out. Associate the traffic class ip_deny with the traffic behavior web_deny.

[BRAS-qospolicy-out] classifier web_out behavior web_out

[BRAS-qospolicy-out] classifier neiwang_out behavior neiwang_out

[BRAS-qospolicy-out] classifier ip_deny behavior web_deny

[BRAS-qospolicy-out] quit

5.     Apply the QoS policies:

# Apply the QoS Policy web to the inbound traffic globally.

[BRAS] qos apply policy web global inbound

# Apply the QoS Policy out to the outbound traffic globally.

[BRAS] qos apply policy out global outbound

6.     Verify that the applied QoS policies take effect:

# Display the configuration and running status of the QoS policy applied to the inbound traffic globally.

[BRAS] display qos policy global slot 3 inbound

Direction: Inbound

  Policy: web

   Classifier: web_permit

     Operator: OR

     Rule(s) :

      If-match acl name web_permit

      If-match acl ipv6 name web_permit

     Behavior: web_permit

      Filter enable: Permit

      Free account enable

   Classifier: neiwang

     Operator: OR

     Rule(s) :

      If-match acl name neiwang

      If-match acl ipv6 name neiwang

     Behavior: neiwang

      Filter enable: Permit

   Classifier: web_http

     Operator: OR

     Rule(s) :

      If-match acl name web_http

      If-match acl ipv6 name web_http

     Behavior: web_http

      Redirecting:

        Redirect http to CPU

   Classifier: web_https

     Operator: OR

     Rule(s) :

      If-match acl name web_https

      If-match acl ipv6 name web_https

     Behavior: web_https

      Redirecting:

        Redirect https to CPU

   Classifier: ip_cpu

     Operator: OR

     Rule(s) :

      If-match acl name ip

      If-match acl ipv6 name ip

     Behavior: web_cpu

      Redirecting:

        Redirect to the CPU

   Classifier: ip_deny

     Operator: OR

     Rule(s) :

      If-match acl name ip

      If-match acl ipv6 name ip

     Behavior: web_deny

      Filter enable: Deny

      Free account enable

# Display the configuration and running status of the QoS policy applied to the outbound traffic globally.

[BRAS] display qos policy global slot 3 outbound

Direction: Outbound

  Policy: out

   Classifier: web_out

     Operator: OR

     Rule(s) :

      If-match acl name web_out

      If-match acl ipv6 name web_out

     Behavior: web_out

      Filter enable: Permit

      Free account enable

   Classifier: neiwang_out

     Operator: OR

     Rule(s) :

      If-match acl name neiwang_out

      If-match acl ipv6 name neiwang_out

     Behavior: neiwang_out

      Filter enable: Permit

   Classifier: ip_deny

     Operator: OR

     Rule(s) :

      If-match acl name ip

      If-match acl ipv6 name ip

     Behavior: web_deny

      Filter enable: Deny

      Free account enable
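The six QoS steps above build a walled garden for preauthentication users: the inbound policy web lets them reach the portal and internal servers, steers HTTP and HTTPS to the CPU for portal redirection and sends the rest to the CPU, while the outbound policy out drops anything not coming from those two servers. As an added example, not configuration or code from the H3C document, the following Python models the page's ACLs, classifiers and policies so the result for a given packet can be checked. It assumes first-match evaluation of class-behavior pairs, treats the user-group web keyword as a check on the subscriber's own address (source for the inbound policy, destination for the outbound one), and uses the documentation prefixes 203.0.113.0/24 and 2001:db8::/32 as stand-ins for the Internet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed membership of user group web: the addresses domain dm1 assigned
# to the page's host. On the BRAS the group holds the online sessions instead.
USER_GROUP_WEB = {"192.168.0.2", "192::2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One 'rule 0 permit ... user-group web' line. 'destination 4.4.4.5 0'
    (wildcard 0) and 'destination 4::5 128' are single-host matches (/32, /128)."""
    family: int                  # 4 = 'acl advanced', 6 = 'acl ipv6 advanced'
    proto: str                   # 'ip' / 'ipv6' match any protocol
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        # Assumption: user-group web binds to the subscriber's own address,
        # the source inbound and the destination outbound.
        subscriber = pkt.src if direction == "inbound" else pkt.dst
        if subscriber not in USER_GROUP_WEB:
            return False
        if ip_address(pkt.dst).version != self.family:
            return False
        if self.proto not in ("ip", "ipv6") and self.proto != pkt.proto:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


# Each ACL name exists twice on the page (IPv4 and IPv6); 'operator or' in the
# classifier means either rule set may match.
ACLS: Dict[str, Tuple[Rule, ...]] = {
    "web_permit":  (Rule(4, "ip", dst="4.4.4.5/32"), Rule(6, "ipv6", dst="4::5/128")),
    "neiwang":     (Rule(4, "ip", dst="4.4.4.6/32"), Rule(6, "ipv6", dst="4::6/128")),
    "web_http":    (Rule(4, "tcp", dport=80),        Rule(6, "tcp", dport=80)),
    "web_https":   (Rule(4, "tcp", dport=443),       Rule(6, "tcp", dport=443)),
    "ip":          (Rule(4, "ip"),                   Rule(6, "ipv6")),
    "neiwang_out": (Rule(4, "ip", src="4.4.4.6/32"), Rule(6, "ipv6", src="4::6/128")),
    "web_out":     (Rule(4, "ip", src="4.4.4.5/32"), Rule(6, "ipv6", src="4::5/128")),
}

# (classifier, ACL name, behavior action), in the order the page configures them.
POLICY_WEB = [                      # qos apply policy web global inbound
    ("web_permit", "web_permit", "permit, free account"),
    ("neiwang",    "neiwang",    "permit"),
    ("web_http",   "web_http",   "redirect http-to-cpu"),
    ("web_https",  "web_https",  "redirect https-to-cpu"),
    ("ip_cpu",     "ip",         "redirect cpu"),
    ("ip_deny",    "ip",         "deny, free account"),
]
POLICY_OUT = [                      # qos apply policy out global outbound
    ("web_out",     "web_out",     "permit, free account"),
    ("neiwang_out", "neiwang_out", "permit"),
    ("ip_deny",     "ip",          "deny, free account"),
]


def evaluate(policy, direction: str, pkt: Packet) -> Tuple[str, str]:
    """First-match walk (assumption): the first matching class decides.
    Packets no class matches are outside the policy and forwarded normally."""
    for classifier, acl, action in policy:
        if any(rule.matches(pkt, direction) for rule in ACLS[acl]):
            return classifier, action
    return "-", "forward (not matched by policy)"


def walled_garden() -> Dict[str, Tuple[str, str]]:
    """Outcome for traffic the preauth host (192.168.0.2 / 192::2) exchanges."""
    u4, u6 = "192.168.0.2", "192::2"
    cases = {
        "http_to_internet":  ("inbound",  Packet(u4, "203.0.113.10", "tcp", 80)),
        "http_to_portal":    ("inbound",  Packet(u4, "4.4.4.5", "tcp", 80)),
        "https_v6_internet": ("inbound",  Packet(u6, "2001:db8::1", "tcp", 443)),
        "ftp_to_internal":   ("inbound",  Packet(u4, "4.4.4.6", "tcp", 21)),
        "dns_to_internet":   ("inbound",  Packet(u4, "203.0.113.53", "udp", 53)),
        "internet_to_user":  ("outbound", Packet("203.0.113.10", u4, "tcp", 1234)),
        "portal_to_user_v6": ("outbound", Packet("4::5", u6, "tcp", 5678)),
        "internal_to_user":  ("outbound", Packet("4.4.4.6", u4, "tcp", 2000)),
        "non_member_host":   ("inbound",  Packet("192.168.0.3", "203.0.113.10", "tcp", 80)),
    }
    return {name: evaluate(POLICY_WEB if d == "inbound" else POLICY_OUT, d, p)
            for name, (d, p) in cases.items()}


if __name__ == "__main__":
    for name, (classifier, action) in walled_garden().items():
        print(f"{name:<18} -> {classifier:<12} {action}")
```

Note that web_permit and neiwang precede web_http in the policy, so HTTP to the portal or internal server passes without being redirected; reordering those pairs changes the result.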

Configuring a RADIUS scheme

# Create a RADIUS scheme named rs1 and enter its view.

[BRAS] radius scheme rs1

# Configure primary servers and keys for authentication and accounting.

[BRAS-radius-rs1] primary authentication 4.4.4.1

[BRAS-radius-rs1] primary accounting 4.4.4.1

[BRAS-radius-rs1] key authentication simple radius

[BRAS-radius-rs1] key accounting simple radius

# Exclude the ISP name from the username sent to the RADIUS server.

[BRAS-radius-rs1] user-name-format without-domain

[BRAS-radius-rs1] quit

# Set the IP address of the RADIUS DAE client to 4.4.4.1, and set the shared key to radius for the RADIUS DAE client to exchange DAE packets.

[BRAS] radius dynamic-author server

[BRAS-radius-da-server] client ip 4.4.4.1 key simple radius

[BRAS-radius-da-server] quit

Configuring the user profile

# Create a user profile named car. Configure the user profile to perform traffic policing for incoming traffic of online users, with the CIR as 5210 kbps and CBS as 325625 bytes.

[BRAS] user-profile car

[BRAS-user-profile-car] qos car inbound any cir 5210 cbs 325625

[BRAS-user-profile-car] quit

Configuring the preauthentication ISP domain and Web authentication ISP domain

# Configure the ISP domain dm1 for IPoE user preauthentication.

[BRAS] domain name dm1

[BRAS-isp-dm1] authentication ipoe none

[BRAS-isp-dm1] authorization ipoe none

[BRAS-isp-dm1] accounting ipoe none

# Configure the authorized user group and IP address pools in preauthentication ISP domain dm1.

[BRAS-isp-dm1] authorization-attribute user-group web

[BRAS-isp-dm1] authorization-attribute ip-pool pool1

[BRAS-isp-dm1] authorization-attribute ipv6-pool pool2

# Configure the Web authentication page URL in ISP domain dm1.

[BRAS-isp-dm1] web-server url http://www.h3c.web.com

[BRAS-isp-dm1] quit

# Configure the ISP domain dm2 for IPoE user Web authentication.

[BRAS] domain name dm2

[BRAS-isp-dm2] authentication ipoe radius-scheme rs1

[BRAS-isp-dm2] authorization ipoe radius-scheme rs1

[BRAS-isp-dm2] accounting ipoe radius-scheme rs1

[BRAS-isp-dm2] authorization-attribute user-profile car

[BRAS-isp-dm2] quit

Configuring IPoE

# Enable IPoE and configure Layer 2 access mode on GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] ip subscriber l2-connected enable

# Configure Web MAC authentication for IPoE users on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ip subscriber authentication-method web mac-auth

The operation may cut all users on this interface. Continue?[Y/N]:y

# Configure the ISP domain dm1 for preauthentication and the ISP domain dm2 for Web authentication and Web MAC authentication on GigabitEthernet 3/1/2.

[BRAS-GigabitEthernet3/1/2] ip subscriber pre-auth domain dm1

[BRAS-GigabitEthernet3/1/2] ip subscriber web-auth domain dm2

[BRAS-GigabitEthernet3/1/2] ip subscriber mac-auth domain dm2

[BRAS-GigabitEthernet3/1/2] quit

Configuring the RADIUS server

For how to configure AAA and MAC binding on the RADIUS server, see the RADIUS server configuration guide.

Configuring the portal server

The following section uses an IMC server as an example to describe how to configure the portal server. The configuration procedure might vary by IMC version. For the exact configuration procedure, see the guide for the specific IMC version. The configuration procedure in this section is only for your reference.

1.     Configure the portal homepage:

a.     Select User Access Policy > Portal Service > Server from the navigation tree to open the portal server configuration page, as shown in Figure 19.

b.     Click OK.

Figure 19 Portal server configuration page

2.     Configure portal authentication source IP address range:

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 20.

c.     Enter the IP group name IPoE_Web_User.

d.     Enter the start IP address (192.168.0.1) and end IP address (192.168.0.255) of the IP group. Make sure the host IP address is in the IP group.

e.     Click OK.

Figure 20 Adding an IP address group (IPv4)

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 21.

c.     Enter the IP group name IPoE_Web_User-2.

d.     Select Yes from the IPv6 list.

e.     Enter the start IP address (192::1) and end IP address (192::FFFF) of the IP group. Make sure the host IPv6 address is in the IP group.

f.     Click OK.

Figure 21 Adding an IP address group (IPv6)

3.     Add a portal device:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 22.

c.     Enter the device name NAS.

d.     Enter the IP address of the portal packets' outgoing interface GigabitEthernet 3/1/1 (4.4.4.2).

e.     Enter the key 123456.

f.     Select Directly Connect for access method.

g.     Click OK.

Figure 22 Adding a portal device (IPv4)

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 23.

c.     Enter the device name NAS-2.

d.     Select Portal 3.0 from the Version list.

e.     Enter the IP address of the portal packets' outgoing interface GigabitEthernet 3/1/1 (4::2).

f.     Enter the key 123456.

g.     Select Directly Connect for access method.

h.     Click OK.

Figure 23 Adding a portal device (IPv6)

4.     Associate the portal device with the IP address group:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click the icon in the Port Group Information Management column of device NAS to open the port group configuration page, as shown in Figure 24.

c.     Click Add to open the page as shown in Figure 25.

d.     Enter the port group name group.

e.     Select the configured IP address group IPoE_Web_User. Make sure the IP address used by the user to access the network is within this IP address group.

f.     Click OK.

Figure 24 Device list

Figure 25 Port group configuration (IPv4)

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click the icon in the Port Group Information Management column of device NAS-2 to open the port group configuration page, as shown in Figure 24.

c.     Click Add to open the page as shown in Figure 26.

d.     Enter the port group name group-2.

e.     Select the configured IP address group IPoE_Web_User-2. Make sure the IPv6 address used by the user to access the network is within this IPv6 address group.

f.     Click OK.

Figure 26 Port group configuration (IPv6)

5.     From the navigation tree, select User Access Manager > Service Parameters > Validate System Configuration to validate the settings.

Verifying the configuration

# Display IPoE session information to verify that the host has passed preauthentication and obtained IPv4 address 192.168.0.2 and IPv6 address 192::2.

[BRAS] display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : 001b21a80949

  Domain                      : dm1

  VPN instance                : N/A

  IP address                  : 192.168.0.2

  IPv6 address                : 192::2

  User address type           : N/A

  MAC address                 : 001b-21a8-0949

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/2

  User ID                     : 0x30000004

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86383 sec

  DHCPv6 lease                : 2592000 sec

  DHCPv6 remain lease         : 2591981 sec

  Access time                 : May 27 00:48:51 2018

  Online time(hh:mm:ss)       : 00:00:19

  Service node                : Slot 3 CPU 0

  Authentication type         : Web pre-auth

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : Detecting

  IPv6 detect state           : Detecting

  State                       : Online

AAA:

  ITA policy name             : N/A

  IP pool                     : pool1

  IPv6 pool                   : pool2

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 27 00:48:51 2018

  Redirect URL                : http://www.h3c.web.com

  Subscriber ID               : -

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : web (active)

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

As shown in Figure 27, the Web login page opens after preauthentication. Enter the username and password on the page.

Figure 27 Web login page

# Display IPoE session information to verify that the host has passed Web authentication and come online.

[BRAS] display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : user1@dm2

  Domain                      : dm2

  VPN instance                : N/A

  IP address                  : 192.168.0.2

  IPv6 address                : 192::2

  User address type           : N/A

  MAC address                 : 001b-21a8-0949

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/2

  User ID                     : 0x30000004

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86356 sec

  DHCPv6 lease                : 2592000 sec

  DHCPv6 remain lease         : 2591954 sec

  Access time                 : May 27 00:49:20 2018

  Online time(hh:mm:ss)       : 00:00:04

  Service node                : Slot 3 CPU 0

  Authentication type         : Web

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : Detecting

  IPv6 detect state           : Detecting

  State                       : Online

AAA:

  ITA policy name             : N/A

  IP pool                     : pool1

  IPv6 pool                   : pool2

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : 86400 sec, remaining: 86395 sec

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 27 00:49:20 2018

  Subscriber ID               : -

QoS:

  User profile                : car (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Click Log Out on the Web login page as shown in Figure 27.

# Verify that the user returns to the preauthentication status.

[BRAS] display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : 001b21a80949

  Domain                      : dm1

  VPN instance                : N/A

  IP address                  : 192.168.0.2

  IPv6 address                : 192::2

  User address type           : N/A

  MAC address                 : 001b-21a8-0949

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/2

  User ID                     : 0x30000004

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86383 sec

  DHCPv6 lease                : 2592000 sec

  DHCPv6 remain lease         : 2591981 sec

  Access time                 : May 27 00:49:30 2018

  Online time(hh:mm:ss)       : 00:00:19

  Service node                : Slot 3 CPU 0

  Authentication type         : Web pre-auth

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : Detecting

  IPv6 detect state           : Detecting

  State                       : Online

AAA:

  ITA policy name             : N/A

  IP pool                     : pool1

  IPv6 pool                   : pool2

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 27 00:49:30 2018

  Redirect URL                : http://www.h3c.web.com

  Subscriber ID               : -

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : web (active)

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Open the browser and enter any address, for example, http://63.1.1.240.

# Verify that the user has come online through IPoE Web MAC authentication.

[BRAS] display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : web

  Domain                      : dm2

  VPN instance                : N/A

  IP address                  : 192.168.0.2

  IPv6 address                : 192::2

  User address type           : N/A

  MAC address                 : 001b-21a8-0949

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/2

  User ID                     : 0x30000004

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86356 sec

  DHCPv6 lease                : 2592000 sec

  DHCPv6 remain lease         : 2591954 sec

  Access time                 : May 27 00:50:01 2018

  Online time(hh:mm:ss)       : 00:00:04

  Service node                : Slot 3 CPU 0

  Authentication type         : Web mac-auth

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : Detecting

  IPv6 detect state           : Detecting

  State                       : Online

AAA:

  ITA policy name             : N/A

  IP pool                     : pool1

  IPv6 pool                   : pool2

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : 86400 sec, remaining: 86395 sec

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 27 00:50:01 2018

  Subscriber ID               : -

QoS:

  User profile                : car (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0
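The four session listings above are what an operator checks by eye at each step. The following Python parser, added here and not part of the H3C document, reads the same display ip subscriber session verbose format and classifies a session as preauthenticated, Web authenticated or Web MAC authenticated, rejecting listings whose domain, user group ACL and user profile do not match that phase. The two sample listings are constructed excerpts of the output above.

```python
"""Parse `display ip subscriber session verbose` output and classify the IPoE
authentication phase of a session (added example, not part of the H3C document).

The sample listings are constructed excerpts of the session output shown above.
The phase rules encode what those listings show for this example: a
preauthenticated session sits in domain dm1 with user group ACL "web" and no
user profile; a Web or Web MAC authenticated session sits in domain dm2 with
user profile "car" and no user group ACL.
"""
import re
from typing import Dict

Session = Dict[str, Dict[str, str]]

# Constructed excerpt of the first listing above (user preauthenticated).
PREAUTH_OUTPUT = """\
Basic:
  Username                    : 001b21a80949
  Domain                      : dm1
  IP address                  : 192.168.0.2
  MAC address                 : 001b-21a8-0949
  Online time(hh:mm:ss)       : 00:00:19
  Authentication type         : Web pre-auth
  State                       : Online
AAA:
  Session duration            : N/A, remaining: N/A
  Redirect URL                : http://www.h3c.web.com
QoS:
  User profile                : N/A
  User group ACL              : web (active)
"""

# Constructed excerpt of the last listing above (after Web MAC authentication).
MACAUTH_OUTPUT = """\
Basic:
  Username                    : web
  Domain                      : dm2
  IP address                  : 192.168.0.2
  MAC address                 : 001b-21a8-0949
  Online time(hh:mm:ss)       : 00:00:04
  Authentication type         : Web mac-auth
  State                       : Online
AAA:
  Session duration            : 86400 sec, remaining: 86395 sec
QoS:
  User profile                : car (active)
  User group ACL              : N/A
"""

# A field line is "  <name><padding>: <value>". The lazy key match stops at the
# first colon followed by a space, so "Online time(hh:mm:ss)" stays intact.
FIELD_RE = re.compile(r"^\s{2}(?P<key>.+?)\s*: (?P<value>.*)$")


def parse_session(output: str) -> Session:
    """Return {section: {field: value}} for one verbose session listing."""
    sections: Session = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]  # "Basic", "AAA", "QoS", "Flow statistic"
            sections.setdefault(current, {})
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            sections[current][match.group("key").strip()] = match.group("value").strip()
    return sections


# Authentication type -> phase name, and the fields each phase must show.
PHASES = {"Web pre-auth": "pre-auth", "Web": "web", "Web mac-auth": "web-mac-auth"}
EXPECTED = {
    "pre-auth": {("Basic", "Domain"): "dm1",
                 ("QoS", "User group ACL"): "web (active)",
                 ("QoS", "User profile"): "N/A"},
    "web": {("Basic", "Domain"): "dm2",
            ("QoS", "User group ACL"): "N/A",
            ("QoS", "User profile"): "car (active)"},
}
EXPECTED["web-mac-auth"] = EXPECTED["web"]


def session_phase(session: Session) -> str:
    """Classify the session, raising ValueError when its domain, user group
    ACL or user profile disagree with what that phase looks like on this BRAS."""
    auth_type = session.get("Basic", {}).get("Authentication type", "")
    phase = PHASES.get(auth_type)
    if phase is None:
        raise ValueError(f"unknown authentication type {auth_type!r}")
    problems = []
    for (section, field), want in EXPECTED[phase].items():
        got = session.get(section, {}).get(field)
        if got != want:
            problems.append(f"{section}/{field}: got {got!r}, want {want!r}")
    if problems:
        raise ValueError(f"{phase} session is inconsistent: " + "; ".join(problems))
    return phase
```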

Configuration files

·     DHCP server:

#

 dhcp enable

#

 ipv6 dhcp server forbidden-address 192::1

#

dhcp server ip-pool pool1

 gateway-list 192.168.0.1

 network 192.168.0.0 mask 255.255.255.0

 forbidden-ip 192.168.0.1

#

ipv6 dhcp pool pool2

 network 192::/64

#

interface GigabitEthernet3/1/1

 port link-mode route

 ip address 4.4.4.3 255.255.255.0

 ipv6 dhcp select server

 ipv6 address 4::3/64

#

 ip route-static 192.168.0.0 24 4.4.4.2

 ipv6 route-static 192:: 64 4::2

#

·     Router A (BRAS):

#

 dhcp enable

 dhcp relay client-information record

 undo dhcp relay client-information refresh enable

#

traffic classifier ip_cpu operator or

 if-match acl name ip

 if-match acl ipv6 name ip

#

traffic classifier ip_deny operator or

 if-match acl name ip

 if-match acl ipv6 name ip

#

traffic classifier neiwang operator or

 if-match acl name neiwang

 if-match acl ipv6 name neiwang

#

traffic classifier neiwang_out operator or

 if-match acl name neiwang_out

 if-match acl ipv6 name neiwang_out

#

traffic classifier web_http operator or

 if-match acl name web_http

 if-match acl ipv6 name web_http

#

traffic classifier web_https operator or

 if-match acl name web_https

 if-match acl ipv6 name web_https

#

traffic classifier web_out operator or

 if-match acl name web_out

 if-match acl ipv6 name web_out

#

traffic classifier web_permit operator or

 if-match acl name web_permit

 if-match acl ipv6 name web_permit

#

traffic behavior neiwang

 filter permit

#

traffic behavior neiwang_out

 filter permit

#

traffic behavior web_cpu

 redirect cpu

#

traffic behavior web_deny

 filter deny

 free account

#

traffic behavior web_http

 redirect http-to-cpu

#

traffic behavior web_https

 redirect https-to-cpu

#

traffic behavior web_out

 filter permit

 free account

#

traffic behavior web_permit

 filter permit

 free account

#

qos policy out

 classifier web_out behavior web_out

 classifier neiwang_out behavior neiwang_out

 classifier ip_deny behavior web_deny

#

qos policy web

 classifier web_permit behavior web_permit

 classifier neiwang behavior neiwang

 classifier web_http behavior web_http

 classifier web_https behavior web_https

 classifier ip_cpu behavior web_cpu

 classifier ip_deny behavior web_deny

#

interface GigabitEthernet3/1/1

 ip address 4.4.4.2 255.255.255.0

 ipv6 address 4::2/64

#

interface GigabitEthernet3/1/2

 port link-mode route

 dhcp select relay proxy

 ipv6 dhcp select relay

 ipv6 dhcp relay client-information record

 ipv6 dhcp relay release-agent

 ipv6 nd ra prefix 192::/64 no-advertise

 ipv6 address auto link-local

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

 ip subscriber l2-connected enable

 ip subscriber authentication-method web mac-auth

 ip subscriber pre-auth domain dm1

 ip subscriber mac-auth domain dm2

 ip subscriber web-auth domain dm2

#

 qos apply policy web global inbound

 qos apply policy out global outbound

#

dhcp server ip-pool pool1

 gateway-list 192.168.0.1 export-route

 remote-server 4.4.4.3

#

ipv6 dhcp pool pool2

 gateway-list 192::1

 remote-server 4::3

#

acl advanced name ip

 rule 0 permit ip user-group web

#

acl advanced name neiwang

 rule 0 permit ip destination 4.4.4.6 0 user-group web

#

acl advanced name neiwang_out

 rule 0 permit ip source 4.4.4.6 0 user-group web

#

acl advanced name web_http

 rule 0 permit tcp destination-port eq www user-group web

#

acl advanced name web_https

 rule 0 permit tcp destination-port eq 443 user-group web

#

acl advanced name web_out

 rule 0 permit ip source 4.4.4.5 0 user-group web

#

acl advanced name web_permit

 rule 0 permit ip destination 4.4.4.5 0 user-group web

#

acl ipv6 advanced name ip

 rule 0 permit ipv6 user-group web

#

acl ipv6 advanced name neiwang

 rule 0 permit ipv6 destination 4::6/128 user-group web

#

acl ipv6 advanced name neiwang_out

 rule 0 permit ipv6 source 4::6/128 user-group web

#

acl ipv6 advanced name web_http

 rule 0 permit tcp destination-port eq www user-group web

#

acl ipv6 advanced name web_https

 rule 0 permit tcp destination-port eq 443 user-group web

#

acl ipv6 advanced name web_out

 rule 0 permit ipv6 source 4::5/128 user-group web

#

acl ipv6 advanced name web_permit

 rule 0 permit ipv6 destination 4::5/128 user-group web

#

user-profile car

 qos car inbound any cir 5210 cbs 325625 ebs 0

#

radius scheme rs1

 primary authentication 4.4.4.1

 primary accounting 4.4.4.1

 key authentication cipher $c$3$FhQVcgn3kq1exL0CdTzatcgc9xF9vL3ZOw==

 key accounting cipher $c$3$ntIHBRM4ZkG+2JRZQTdKmNl0kYJmhZz5Zg==

 user-name-format without-domain

#

radius dynamic-author server

 client ip 4.4.4.1 key cipher $c$3$lYC2ERe8ts2gtE6M2xfoDDB8NmGw6J9v/Q==

#

domain name dm1

 authorization-attribute user-group web

 authorization-attribute ip-pool pool1

 authorization-attribute ipv6-pool pool2

 authentication ipoe none

 authorization ipoe none

 accounting ipoe none

 web-server url http://www.h3c.web.com

#

domain name dm2

 authorization-attribute user-profile car

 authentication ipoe radius-scheme rs1

 authorization ipoe radius-scheme rs1

 accounting ipoe radius-scheme rs1

#

user-group web

#

portal server newpt1

 ip 4.4.4.5 key cipher $c$3$UnoFeLybwld9jDwLnHJQptDE7YZry2EVlw==

#

portal server newpt2

 ipv6 4::5 key cipher $c$3$HxisNWeML9fhYRS+7umwGbYwAkL+KGiCjw==

#

 http-redirect https-port 11111

#
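The inbound policy web and outbound policy out in the BRAS configuration file above decide what a user can reach before authentication. The following Python model, added here and not H3C code, replays those class-behavior associations over constructed packets; it assumes first-match evaluation in configured order and that user-group web contains only sessions still in preauthentication domain dm1, and it models the IPv4 ACLs only (the IPv6 ACLs in the file mirror them).

```python
"""Model of the preauthentication traffic policies in the BRAS configuration
file above: qos policy web (applied globally inbound) and qos policy out
(applied globally outbound). Added example, not H3C code.

Assumptions: class-behavior associations are evaluated first-match in the
order they are configured, and "user-group web" matches only sessions still
in preauthentication domain dm1; once a user authenticates into dm2 it leaves
the group and none of these rules match. Only the IPv4 ACLs are modelled; the
IPv6 ACLs in the file mirror them. Packet records are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int]        # TCP/UDP destination port, else None
    user_group: Optional[str]   # user group of the subscriber session
    direction: str              # "inbound" (from user) / "outbound" (to user)


PORTAL_SERVER = "4.4.4.5"      # portal server newpt1
INTRANET_SERVER = "4.4.4.6"    # internal server reachable before login


def in_group(p: Packet) -> bool:
    return p.user_group == "web"


# acl advanced <name>: rule 0 permit ... user-group web
ACLS: Dict[str, Callable[[Packet], bool]] = {
    "web_permit": lambda p: in_group(p) and p.dst == PORTAL_SERVER,
    "neiwang": lambda p: in_group(p) and p.dst == INTRANET_SERVER,
    "web_http": lambda p: in_group(p) and p.proto == "tcp" and p.dport == 80,
    "web_https": lambda p: in_group(p) and p.proto == "tcp" and p.dport == 443,
    "ip": in_group,
    "web_out": lambda p: in_group(p) and p.src == PORTAL_SERVER,
    "neiwang_out": lambda p: in_group(p) and p.src == INTRANET_SERVER,
}

# traffic classifier <name> -> the ACL it matches (if-match acl name ...)
CLASSIFIERS = {
    "web_permit": "web_permit", "neiwang": "neiwang", "web_http": "web_http",
    "web_https": "web_https", "ip_cpu": "ip", "ip_deny": "ip",
    "web_out": "web_out", "neiwang_out": "neiwang_out",
}

# traffic behavior <name> -> (action, "free account" configured)
BEHAVIORS: Dict[str, Tuple[str, bool]] = {
    "web_permit": ("permit", True),
    "neiwang": ("permit", False),
    "web_http": ("redirect http-to-cpu", False),
    "web_https": ("redirect https-to-cpu", False),
    "web_cpu": ("redirect cpu", False),
    "web_deny": ("deny", True),
    "web_out": ("permit", True),
    "neiwang_out": ("permit", False),
}

# qos policy web / qos policy out: (classifier, behavior) in configured order.
POLICIES: Dict[str, List[Tuple[str, str]]] = {
    "inbound": [("web_permit", "web_permit"), ("neiwang", "neiwang"),
                ("web_http", "web_http"), ("web_https", "web_https"),
                ("ip_cpu", "web_cpu"), ("ip_deny", "web_deny")],
    "outbound": [("web_out", "web_out"), ("neiwang_out", "neiwang_out"),
                 ("ip_deny", "web_deny")],
}

Verdict = Tuple[str, str, bool]  # (matched classifier, action, free of accounting)


def apply_policy(pkt: Packet, policies=POLICIES) -> Verdict:
    """Return the first class-behavior association that matches pkt, or
    ("none", "forward", False) when no class matches: the packet is forwarded
    and accounted normally, which is the case for an authenticated user."""
    for classifier, behavior in policies[pkt.direction]:
        if ACLS[CLASSIFIERS[classifier]](pkt):
            action, free = BEHAVIORS[behavior]
            return classifier, action, free
    return "none", "forward", False


def with_intranet_after_web(policies=POLICIES):
    """Same policies, but with the neiwang association moved behind the HTTP
    and HTTPS redirects. Shows why the internal-network class must be
    configured first: HTTP to the internal server would be redirected."""
    inbound = [a for a in policies["inbound"] if a[0] != "neiwang"]
    inbound.insert(3, ("neiwang", "neiwang"))  # after web_https, before ip_cpu
    return {**policies, "inbound": inbound}


if __name__ == "__main__":
    preauth = dict(user_group="web", direction="inbound")
    for dst, proto, port in [(PORTAL_SERVER, "tcp", 80), (INTRANET_SERVER, "tcp", 80),
                             ("63.1.1.240", "tcp", 80), ("63.1.1.240", "tcp", 443),
                             ("63.1.1.240", "udp", 53)]:
        print(dst, proto, port, apply_policy(Packet("192.168.0.2", dst, proto, port, **preauth)))
```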

Example: Configuring multiple egress VPNs and ITA in a BRAS campus network (inline)

Network configuration

As shown in Figure 28, the dormitory area and office area of a campus network are directly attached to BRAS. As the border device, PE2 is connected to different service providers ISP1 and ISP2. Configure the BRAS campus network to meet the following requirements:

·     Before a user in the dormitory area or office area passes PPPoE dialup authentication, the user can access only the internal network, at a rate limit of 5 Mbps. No accounting is performed for internal network access.

·     After passing PPPoE dialup authentication, the user can access both the internal network and the Internet. The rate limit for internal network access is still 5 Mbps, and no accounting is performed for it. The school provides three monthly Internet access plans, with speeds of 2 Mbps, 5 Mbps, and 10 Mbps. In this example, suppose users A, B, C, and D select the 2 Mbps, 5 Mbps, 5 Mbps, and 10 Mbps plans, respectively.

·     Users use the dialup client in the operating systems for PPPoE dialup authentication.

·     When a user performs PPPoE dialup, the username carries the ISP domain name by adding a suffix @ISP1 or @ISP2. BRAS specifies a fixed ISP egress interface for the user according to the domain name of the user.

Figure 28 Network diagram

Device          Interface    IP address      Device    Interface    IP address
RADIUS server   -            4.4.4.2/24      PE2       Loop0        3.3.3.9/32
DHCP server     GE3/0/1      4.4.4.3/24                GE3/0/1      10.1.4.2/24
PE1 (BRAS)      Loop0        1.1.1.9/32                GE3/0/2      101.1.1.1/24
                GE3/1/1.1    5.5.5.1/24                GE3/0/3      202.1.1.1/24
                GE3/1/2      10.1.1.1/24     CE1       GE3/0/1      101.1.1.2/24
                GE3/1/3      4.4.4.1/24      CE2       GE3/0/1      202.1.1.2/24
P               Loop0        2.2.2.9/32
                GE3/0/1      10.1.4.1/24
                GE3/0/2      10.1.1.2/24

Analysis

·     For BRAS to select an ISP egress interface for a user according to the domain name carried in the username, you can authorize a VPN to the user in the ISP domain and assign different ISP egress interfaces to different VPNs.

·     To implement differentiated accounting for users, define four accounting levels in ITA (for example, levels 1 through 4 for internal network access at 5 Mbps, Internet access at 2 Mbps, Internet access at 5 Mbps, and Internet access at 10 Mbps, respectively), and define a different price for each ITA level.

·     To distinguish internal network traffic from Internet traffic after users pass PPPoE dialup authentication, use one ACL (ACL 3001 in this example) to match the internal network traffic, and another ACL (ACL 3002 in this example) to match all remaining traffic, which is the Internet traffic.

·     When a PPPoE access user goes offline, the DHCP relay agent needs to query the relay user address entry of the user. If the entry exists, the DHCP relay agent sends Release packets to the DHCP server to notify the DHCP server to release the user's address lease. For this purpose, execute the dhcp relay client-information record command to enable recording client information in relay entries.

Restrictions and guidelines

·     When an interface is bound to a VPN instance, the settings (including IP address) on the interface will be cleared. Therefore, first bind an interface to a VPN instance, and then configure other settings on the interface.

·     The class-behavior associations in a QoS policy are executed in the order they are configured. To ensure preferential processing of the internal network traffic, make sure the class-behavior associations for internal network traffic are configured before the class-behavior associations for Internet traffic.

·     If authorization attributes (for example, address pool, user group, and VPN) are configured both on the RADIUS server and in an ISP domain, the attributes configured on the RADIUS server apply. If the idle-cut attribute is configured both on the RADIUS server and in an ISP domain, the configuration in the ISP domain on the BRAS applies. In this example, all the authorization attributes have been configured in ISP domains. In a live network, configure the RADIUS server to authorize attributes or configure attributes in ISP domains as needed.

Procedures

Configuring the RADIUS server

This section uses a FreeRADIUS server on Linux as an example.

# Configure the RADIUS client. Add the following contents to the clients.conf file.

client 4.4.4.1/32 {
    ipaddr = 4.4.4.1
    netmask = 32
    secret = 123456
}

The contents above set the RADIUS client IP address to 4.4.4.1 and the shared key to 123456.

# Configure users. Add the following contents to the users file.

User1@isp1  Cleartext-Password :="pass1"

User1@isp2  Cleartext-Password :="pass1"

User2@isp1  Cleartext-Password :="pass2"

User2@isp2  Cleartext-Password :="pass2"

User3@isp1  Cleartext-Password :="pass3"

User3@isp2  Cleartext-Password :="pass3"

User4@isp1  Cleartext-Password :="pass4"

User4@isp2  Cleartext-Password :="pass4"

The contents above allow Host A, Host B, Host C, and Host D to use either the @isp1 or the @isp2 suffix for PPPoE dialup.

Configuring MPLS L3VPN

In this example, Router A acts as PE1 in the MPLS L3VPN configuration and acts as the PPPoE server in the BRAS configuration. For ease of understanding, Router A is described as PE1 in the MPLS L3VPN configuration section and described as BRAS in the BRAS configuration section.

Configure an IGP (OSPF in this example) on the MPLS backbone to ensure IP connectivity within the backbone

1.     Configure PE 1:

# Configure IP addresses for the loopback interface and the backbone network interface.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface gigabitethernet 3/1/2

[PE1-GigabitEthernet3/1/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet3/1/2] quit

# Enable OSPF on the interfaces attached to the backbone network side in the area.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

2.     Configure the P device:

# Configure IP addresses for the loopback interface and the backbone network interface.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface gigabitethernet 3/0/2

[P-GigabitEthernet3/0/2] ip address 10.1.1.2 24

[P-GigabitEthernet3/0/2] quit

[P] interface gigabitethernet 3/0/1

[P-GigabitEthernet3/0/1] ip address 10.1.4.1 24

[P-GigabitEthernet3/0/1] quit

# Enable OSPF on the interfaces attached to the backbone network side in the area.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

3.     Configure PE 2:

# Configure IP addresses for the loopback interface and the backbone network interface.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface gigabitethernet 3/0/1

[PE2-GigabitEthernet3/0/1] ip address 10.1.4.2 24

[PE2-GigabitEthernet3/0/1] quit

# Enable OSPF on the interfaces attached to the backbone network side in the area.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

4.     Execute the display ospf peer command to verify that OSPF adjacencies in Full state have been established between PE 1, P, and PE 2. Execute the display ip routing-table command to verify that the PEs have learned the routes to the loopback interfaces of each other.

Use PE1 as an example.

[PE1] display ospf peer verbose

 

          OSPF Process 1 with Router ID 1.1.1.9

                  Neighbors

 

 Area 0.0.0.0 interface 10.1.1.1(GE3/1/2)'s neighbors

 Router ID: 2.2.2.9          Address: 10.1.1.2        GR State: Normal

   State: Full  Mode: Nbr is Master  Priority: 1

   DR: 10.1.1.2  BDR: 10.1.1.1  MTU: 0

   Options is 0x02 (-|-|-|-|-|-|E|-)

   Dead timer due in 38  sec

   Neighbor is up for 17:30:25

   Authentication Sequence: [ 0 ]

   Neighbor state change count: 6

   BFD status: Disabled

[PE1] display ip routing-table protocol ospf

 

Summary Count : 5

 

OSPF Routing table Status : <Active>

Summary Count : 3

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

2.2.2.9/32         O_INTRA 10  1           10.1.1.2        GE3/1/2

3.3.3.9/32         O_INTRA 10  2           10.1.1.2        GE3/1/2

10.1.4.0/24        O_INTRA 10  2           10.1.1.2        GE3/1/2

 

OSPF Routing table Status : <Inactive>

Summary Count : 2

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

1.1.1.9/32         O_INTRA 10  0           1.1.1.9         Loop0

10.1.1.0/24        O_INTRA 10  1           10.1.1.1        GE3/0/2

Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs

1.     Configure PE 1:

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface gigabitethernet 3/1/2

[PE1-GigabitEthernet3/1/2] mpls enable

[PE1-GigabitEthernet3/1/2] mpls ldp enable

[PE1-GigabitEthernet3/1/2] quit

2.     Configure the P device:

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface gigabitethernet 3/0/2

[P-GigabitEthernet3/0/2] mpls enable

[P-GigabitEthernet3/0/2] mpls ldp enable

[P-GigabitEthernet3/0/2] quit

[P] interface gigabitethernet 3/0/1

[P-GigabitEthernet3/0/1] mpls enable

[P-GigabitEthernet3/0/1] mpls ldp enable

[P-GigabitEthernet3/0/1] quit

3.     Configure PE 2:

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface gigabitethernet 3/0/1

[PE2-GigabitEthernet3/0/1] mpls enable

[PE2-GigabitEthernet3/0/1] mpls ldp enable

[PE2-GigabitEthernet3/0/1] quit

4.     Execute the display mpls ldp peer command to verify that LDP sessions in Operational state have been established between PE 1, P, and PE 2. Execute the display mpls ldp lsp command to verify that the LSPs have been established by LDP.

Use PE1 as an example.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID             State         Role     GR   MD5  KA Sent/Rcvd

2.2.2.9:0               Operational   Passive  Off  Off  5/5

[PE1] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 4            Ingress: 1          Transit: 1      Egress: 3

 

FEC                In/Out Label        Nexthop         OutInterface

1.1.1.9/32         3/-

                   -/1151(L)

2.2.2.9/32         -/3                 10.1.1.2        GE3/1/2

                   1151/3              10.1.1.2        GE3/1/2

3.3.3.9/32         -/1150              10.1.1.2        GE3/1/2

                   1150/1150           10.1.1.2        GE3/1/2

Configuring VPN instances on PEs to allow CE access

1.     Configure PE 1:

# Create VPN instance named vpn_isp1 for ISP 1.

[PE1] ip vpn-instance vpn_isp1

# Configure the RD as 100:1 for the VPN instance. The RD is used for generating VPNv4 routes and distinguishing routes of different users on the same network segment.

[PE1-vpn-instance-vpn_isp1] route-distinguisher 100:1

# Configure import target 111:1 and export target 222:1 for the VPN instance. (To differentiate the meanings of the export target and the import target, this section uses different values for the two targets. For ease of management, you can configure the same value for both.)

[PE1-vpn-instance-vpn_isp1] vpn-target 111:1 import-extcommunity

[PE1-vpn-instance-vpn_isp1] vpn-target 222:1 export-extcommunity

[PE1-vpn-instance-vpn_isp1] quit

# Create VPN instance named vpn_isp2 for ISP 2. Configure RD 200:1, import target 333:1, and export target 444:1 for the VPN instance.

[PE1] ip vpn-instance vpn_isp2

[PE1-vpn-instance-vpn_isp2] route-distinguisher 200:1

[PE1-vpn-instance-vpn_isp2] vpn-target 333:1 import-extcommunity

[PE1-vpn-instance-vpn_isp2] vpn-target 444:1 export-extcommunity

[PE1-vpn-instance-vpn_isp2] quit

 

 

NOTE:

After a user successfully passes PPPoE dialup authentication, PE 1 will add the host route of the user to the routing table of the user's VPN instance. Therefore, you do not need to bind the user access interface to a VPN instance on PE 1.

 

2.     Configure PE 2:

# Create VPN instance named vpn_isp1 for ISP 1 on PE 2.

[PE2] ip vpn-instance vpn_isp1

# Configure an RD for the VPN instance. For ease of identification, as a best practice, set the same RD as that on PE 1.

[PE2-vpn-instance-vpn_isp1] route-distinguisher 100:1

# Configure the import target and export target for the VPN instance, which must be the same as the export target and import target on PE 1.

[PE2-vpn-instance-vpn_isp1] vpn-target 222:1 import-extcommunity

[PE2-vpn-instance-vpn_isp1] vpn-target 111:1 export-extcommunity

[PE2-vpn-instance-vpn_isp1] quit

# Create VPN instance named vpn_isp2 for ISP 2. Configure RD 200:1, import target 444:1, and export target 333:1 for the VPN instance.

[PE2] ip vpn-instance vpn_isp2

[PE2-vpn-instance-vpn_isp2] route-distinguisher 200:1

[PE2-vpn-instance-vpn_isp2] vpn-target 444:1 import-extcommunity

[PE2-vpn-instance-vpn_isp2] vpn-target 333:1 export-extcommunity

[PE2-vpn-instance-vpn_isp2] quit

# Bind GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 to VPN instance vpn_isp1 and VPN instance vpn_isp2, respectively.

[PE2] interface gigabitethernet 3/0/2

[PE2-GigabitEthernet3/0/2] ip binding vpn-instance vpn_isp1

[PE2-GigabitEthernet3/0/2] ip address 101.1.1.1 24

[PE2-GigabitEthernet3/0/2] quit

[PE2] interface gigabitethernet 3/0/3

[PE2-GigabitEthernet3/0/3] ip binding vpn-instance vpn_isp2

[PE2-GigabitEthernet3/0/3] ip address 202.1.1.1 24

[PE2-GigabitEthernet3/0/3] quit

3.     Configure IP addresses for interfaces on the CE as shown in Figure 28. (Details not shown.)
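The import/export target pairing above is easy to get wrong when PE 2's configuration is copied from PE 1. The following Python script is an added example (not part of this H3C guide): it parses the ip vpn-instance blocks of both PEs as typed in system view and reports any VPN instance whose targets are not mirrored between the PEs or whose RDs differ. PE1_CONFIG and PE2_CONFIG are constructed from the commands in this section; PE2_MISTYPED is a hypothetical mis-copied variant.

```python
"""Route-target symmetry check for the PE 1 / PE 2 VPN instances.

Added example, not part of the H3C guide. Parses `ip vpn-instance` blocks as
typed in system view and reports, per VPN instance, targets that are not
mirrored between the two PEs and RDs that differ. PE1_CONFIG and PE2_CONFIG are
constructed from the commands in this section; PE2_MISTYPED is a hypothetical
copy-paste mistake.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VpnInstance:
    name: str
    rd: str = ""
    import_rt: set[str] = field(default_factory=set)
    export_rt: set[str] = field(default_factory=set)


def parse_vpn_instances(config: str) -> dict[str, VpnInstance]:
    """Collect the RD and route targets of every VPN instance in the config text."""
    instances: dict[str, VpnInstance] = {}
    current = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "vpn-instance"]:
            current = instances.setdefault(tokens[2], VpnInstance(tokens[2]))
        elif tokens[0] in ("quit", "#"):
            current = None  # left the VPN instance view
        elif current is None:
            continue
        elif tokens[0] == "route-distinguisher":
            current.rd = tokens[1]
        elif tokens[0] == "vpn-target":
            # vpn-target RT [RT ...] { import-extcommunity | export-extcommunity | both }
            mode, targets = tokens[-1], set(tokens[1:-1])
            if mode in ("import-extcommunity", "both"):
                current.import_rt |= targets
            if mode in ("export-extcommunity", "both"):
                current.export_rt |= targets
    return instances


def check_symmetry(pe1: dict[str, VpnInstance], pe2: dict[str, VpnInstance]) -> list[str]:
    """Return one message per inconsistency; an empty list means the PEs agree."""
    problems: list[str] = []
    for name in sorted(set(pe1) | set(pe2)):
        if name not in pe1 or name not in pe2:
            problems.append(f"{name}: defined on only one PE")
            continue
        a, b = pe1[name], pe2[name]
        if a.rd != b.rd:
            problems.append(f"{name}: RD differs ({a.rd} vs {b.rd})")
        if not a.export_rt & b.import_rt:  # PE 1 -> PE 2 direction
            problems.append(f"{name}: PE 1 exports {sorted(a.export_rt)} but PE 2 imports {sorted(b.import_rt)}")
        if not b.export_rt & a.import_rt:  # PE 2 -> PE 1 direction
            problems.append(f"{name}: PE 2 exports {sorted(b.export_rt)} but PE 1 imports {sorted(a.import_rt)}")
    return problems


# Constructed from the PE 1 and PE 2 commands in this section.
PE1_CONFIG = """
ip vpn-instance vpn_isp1
 route-distinguisher 100:1
 vpn-target 111:1 import-extcommunity
 vpn-target 222:1 export-extcommunity
 quit
ip vpn-instance vpn_isp2
 route-distinguisher 200:1
 vpn-target 333:1 import-extcommunity
 vpn-target 444:1 export-extcommunity
 quit
"""
PE2_CONFIG = """
ip vpn-instance vpn_isp1
 route-distinguisher 100:1
 vpn-target 222:1 import-extcommunity
 vpn-target 111:1 export-extcommunity
 quit
ip vpn-instance vpn_isp2
 route-distinguisher 200:1
 vpn-target 444:1 import-extcommunity
 vpn-target 333:1 export-extcommunity
 quit
"""
# Hypothetical mistake: PE 1's vpn_isp2 targets pasted onto PE 2 unchanged.
PE2_MISTYPED = PE2_CONFIG.replace("444:1 import", "333:1 import").replace("333:1 export", "444:1 export")

if __name__ == "__main__":
    for msg in check_symmetry(parse_vpn_instances(PE1_CONFIG), parse_vpn_instances(PE2_MISTYPED)):
        print(msg)
```

Run against the two configurations shown in this section the check returns no messages; run against PE2_MISTYPED it reports that vpn_isp2's targets do not cross in either direction, which is exactly the case in which VPNv4 routes are advertised but never imported on the far side. An RD mismatch is reported as well because this guide recommends the same RD on both PEs, although MPLS L3VPN does not require it.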

Establishing EBGP peer relationships between PEs and CEs, and redistributing VPN routes into BGP

1.     Configure PE 1:

# Create BGP process 100 on PE 1.

[PE1] bgp 100

 

 

NOTE:

After a user successfully passes PPPoE dialup authentication, the BRAS acting as PE 1 adds the host route corresponding to the IP address assigned to the user to the routing table of the VPN instance to which the user belongs. Therefore, you only need to redistribute the direct routes of the host into the routing table of the BGP-VPN instance.

 

# Redistribute the direct routes in the routing table of VPN instance vpn_isp1 on PE 1 into the routing table of the BGP-VPN instance.

[PE1-bgp-default] ip vpn-instance vpn_isp1

[PE1-bgp-default-vpn_isp1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn_isp1] import-route direct

[PE1-bgp-default-ipv4-vpn_isp1] quit

[PE1-bgp-default-vpn_isp1] quit

# Redistribute the direct routes in the routing table of VPN instance vpn_isp2 on PE 1 into the routing table of the BGP-VPN instance.

[PE1-bgp-default] ip vpn-instance vpn_isp2

[PE1-bgp-default-vpn_isp2] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn_isp2] import-route direct

[PE1-bgp-default-ipv4-vpn_isp2] quit

[PE1-bgp-default-vpn_isp2] quit

[PE1-bgp-default] quit

2.     Configure PE 2:

# Create BGP process 100 on PE 2.

[PE2] bgp 100

# Specify CE 1 (101.1.1.2) as the EBGP peer in VPN instance vpn_isp1, and redistribute the direct routes in the routing table of VPN instance vpn_isp1 on PE 2 into the BGP-VPN instance.

[PE2-bgp-default] ip vpn-instance vpn_isp1

[PE2-bgp-default-vpn_isp1] peer 101.1.1.2 as-number 65430

[PE2-bgp-default-vpn_isp1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn_isp1] peer 101.1.1.2 enable

[PE2-bgp-default-ipv4-vpn_isp1] import-route direct

[PE2-bgp-default-ipv4-vpn_isp1] quit

[PE2-bgp-default-vpn_isp1] quit

# Specify CE 2 (202.1.1.2) as the EBGP peer in VPN instance vpn_isp2, and redistribute the direct routes in the routing table of VPN instance vpn_isp2 on PE 2 into the BGP-VPN instance.

[PE2-bgp-default] ip vpn-instance vpn_isp2

[PE2-bgp-default-vpn_isp2] peer 202.1.1.2 as-number 65430

[PE2-bgp-default-vpn_isp2] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn_isp2] peer 202.1.1.2 enable

[PE2-bgp-default-ipv4-vpn_isp2] import-route direct

[PE2-bgp-default-ipv4-vpn_isp2] quit

[PE2-bgp-default-vpn_isp2] quit

[PE2-bgp-default] quit

3.     Configure CE 1:

# Create BGP process 65430 on CE 1. Specify PE 2 (101.1.1.1, the address of GigabitEthernet 3/0/2 on PE 2) as the peer with AS number 100.

<CE1> system-view

[CE1] bgp 65430

[CE1-bgp-default] peer 101.1.1.1 as-number 100

# Enable CE 1 to exchange IPv4 unicast routing information with peer 101.1.1.1.

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 101.1.1.1 enable

# Redistribute the direct route connected to the host on CE 1 into EBGP.

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

4.     Configure CE 2:

# Create BGP process 65430 on CE 2. Specify PE 2 as the peer with AS number 100.

<CE2> system-view

[CE2] bgp 65430

[CE2-bgp-default] peer 202.1.1.1 as-number 100

# Enable CE 2 to exchange IPv4 unicast routing information with peer 202.1.1.1.

[CE2-bgp-default] address-family ipv4 unicast

[CE2-bgp-default-ipv4] peer 202.1.1.1 enable

# Redistribute the direct route connected to the host on CE 2 into EBGP.

[CE2-bgp-default-ipv4] import-route direct

[CE2-bgp-default-ipv4] quit

[CE2-bgp-default] quit

Establishing MP-IBGP peer relationships between PEs

1.     Configure PE 1:

# On PE 1, specify PE 2 as the BGP peer, and specify loopback 0 as the source interface for TCP connections to the peer.

[PE1] bgp 100

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

# Enter BGP VPNv4 address family view, and specify PE 2 as the peer.

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

2.     Configure PE 2:

# On PE 2, specify PE 1 as the BGP peer, and specify loopback 0 as the source interface for TCP connections to the peer.

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.9 as-number 100

[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0

# Enter BGP VPNv4 address family view, and specify PE 1 as the peer.

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

3.     After the configuration is completed, execute the display bgp peer vpnv4 command to verify that the BGP peer relationships have been established between PEs and are in Established state.

[PE1] display bgp peer vpnv4

 

 BGP local router ID: 1.1.1.9

 Local AS number: 100

 Total number of peers: 1                  Peers in established state: 1

 

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

 

  3.3.3.9                100        8        8    0       0 00:00:08 Established

4.     Execute the display ip routing-table vpn-instance command on a PE to view the route destined to the peer CE 1.

Use vpn_isp1 as an example on PE1.

[PE1] display ip routing-table vpn-instance vpn_isp1

 

Destinations : 9        Routes : 9

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/32          Direct 0    0            127.0.0.1       InLoop0

101.1.1.0/24        BGP    255  0            3.3.3.9         GE3/1/2

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/32        Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

127.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

224.0.0.0/4         Direct 0    0            0.0.0.0         NULL0

224.0.0.0/24        Direct 0    0            0.0.0.0         NULL0

255.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

Configuring the DHCP server

# Configure IP addresses for GigabitEthernet 3/0/1 as shown in Figure 28. (Details not shown.)

# Enable DHCP.

<DHCP> system-view

[DHCP] dhcp enable

# Create address pool pool1, which is used by users before performing authentication.

[DHCP] dhcp server ip-pool pool1

# Specify primary subnet 5.5.0.0/16 for dynamic allocation in the address pool. Specify gateway address 5.5.5.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool1] network 5.5.0.0 16

[DHCP-dhcp-pool-pool1] gateway-list 5.5.5.1

[DHCP-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 5.5.5.1 from dynamic allocation.

[DHCP-dhcp-pool-pool1] forbidden-ip 5.5.5.1

[DHCP-dhcp-pool-pool1] quit

# Create address pool pool2 for users in ISP domain isp1.

[DHCP] dhcp server ip-pool pool2

# Specify primary subnet 6.6.0.0/16 for dynamic allocation in the address pool. Specify gateway address 6.6.6.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool2] network 6.6.0.0 16

[DHCP-dhcp-pool-pool2] gateway-list 6.6.6.1

[DHCP-dhcp-pool-pool2] dns-list 8.8.8.8

# Exclude IP address 6.6.6.1 from dynamic allocation.

[DHCP-dhcp-pool-pool2] forbidden-ip 6.6.6.1

[DHCP-dhcp-pool-pool2] quit

# Create address pool pool3 for users in ISP domain isp2.

[DHCP] dhcp server ip-pool pool3

# Specify primary subnet 7.7.0.0/16 for dynamic allocation in the address pool. Specify gateway address 7.7.7.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool3] network 7.7.0.0 16

[DHCP-dhcp-pool-pool3] gateway-list 7.7.7.1

[DHCP-dhcp-pool-pool3] dns-list 8.8.8.8

# Exclude IP address 7.7.7.1 from dynamic allocation.

[DHCP-dhcp-pool-pool3] forbidden-ip 7.7.7.1

[DHCP-dhcp-pool-pool3] quit

# Configure the default route to the PPPoE server (BRAS).

[DHCP] ip route-static 0.0.0.0 0 4.4.4.1

Configuring the BRAS

Configuring a user group

# Create user group g1 for ISP1.

<BRAS> system-view

[BRAS] user-group g1

New user group added.

[BRAS-ugroup-g1] quit

# Create user group g2 for ISP2.

[BRAS] user-group g2

New user group added.

[BRAS-ugroup-g2] quit

Configuring a QoS policy to rate-limit the traffic to 5 Mbps but not perform accounting for internal network access traffic

This example uses user network segments (including 5.5.0.0/16 for users before PPPoE authentication, 6.6.0.0/16 for users in vpn_isp1, and 7.7.0.0/16 for users in vpn_isp2) and server network segment 4.4.4.0/24 as the internal network segments.

1.     Configure the QoS policy for users before PPPoE dialup authentication:

# Configure ACL 3000.

[BRAS] acl advanced 3000

# Configure rules to match the packets between users (on network segment 5.5.0.0/16) and servers (on 4.4.4.0/24) before PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3000] rule 0 permit ip source 5.5.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255

[BRAS-acl-ipv4-adv-3000] rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 5.5.0.0 0.0.255.255

# Configure a rule to match the packets between users (on network segment 5.5.0.0/16) before PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3000] rule 20 permit ip source 5.5.0.0 0.0.255.255 destination 5.5.0.0 0.0.255.255

[BRAS-acl-ipv4-adv-3000] quit

# Configure class 3000 to match packets matching ACL 3000.

[BRAS] traffic classifier 3000 operator and

[BRAS-classifier-3000] if-match acl 3000

[BRAS-classifier-3000] quit

# Configure behavior 3000 to count traffic in bytes and rate-limit the traffic to 5000 kbps.

[BRAS] traffic behavior 3000

[BRAS-behavior-3000] accounting byte

[BRAS-behavior-3000] car cir 5000

[BRAS-behavior-3000] quit

# Create QoS policy nei_waiwang_share and associate class 3000 with behavior 3000.

[BRAS] qos policy nei_waiwang_share

[BRAS-qospolicy-nei_waiwang_share] classifier 3000 behavior 3000

[BRAS-qospolicy-nei_waiwang_share] quit

2.     Configure the QoS policy for users passing PPPoE dialup authentication:

# Configure ACL 3001.

[BRAS] acl advanced 3001

# Configure rules to match the packets between users in vpn_isp1 (on network segment 6.6.0.0/16) and servers (on 4.4.4.0/24) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 10 permit ip source 6.6.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g1

[BRAS-acl-ipv4-adv-3001] rule 20 permit ip source 4.4.4.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

# Configure a rule to match the packets between users in vpn_isp1 (on network segment 6.6.0.0/16) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 30 permit ip source 6.6.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

# Configure rules to match the packets between users in vpn_isp2 (on network segment 7.7.0.0/16) and servers (on 4.4.4.0/24) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 40 permit ip source 7.7.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g2

[BRAS-acl-ipv4-adv-3001] rule 50 permit ip source 4.4.4.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

# Configure a rule to match the packets between users in vpn_isp2 (on network segment 7.7.0.0/16) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 60 permit ip source 7.7.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3001] quit

 

 

NOTE:

Because an ACL used for traffic classification has no implicit final action (traffic that matches no rule is neither permitted nor denied and simply falls through to the next class-behavior association), do not add a catch-all deny rule (for example, rule 70 deny ip) after the last rule in ACL 3001. Otherwise, when the device executes QoS policy nei_waiwang_share, the class-behavior associations that follow the classifier 3001 behavior 3001 association cannot match any traffic.

 

# Configure class 3001 to match packets matching ACL 3001 and from authenticated users.

[BRAS] traffic classifier 3001 operator and

[BRAS-classifier-3001] if-match acl 3001

[BRAS-classifier-3001] if-match authenticated-user

[BRAS-classifier-3001] quit

# Configure behavior 3001 to mark traffic with accounting level 1 and count traffic in bytes.

[BRAS] traffic behavior 3001

[BRAS-behavior-3001] remark account-level 1

[BRAS-behavior-3001] accounting byte

[BRAS-behavior-3001] quit

# Enter the view of QoS policy nei_waiwang_share (created in the previous step) and associate class 3001 with behavior 3001.

[BRAS] qos policy nei_waiwang_share

[BRAS-qospolicy-nei_waiwang_share] classifier 3001 behavior 3001

[BRAS-qospolicy-nei_waiwang_share] quit

Configuring a QoS policy to rate limit and perform accounting for Internet access traffic

# Configure ACL 3002.

[BRAS] acl advanced 3002

# Configure rules to match all packets.

[BRAS-acl-ipv4-adv-3002] rule 0 permit ip user-group g1

[BRAS-acl-ipv4-adv-3002] rule 10 permit ip user-group g2

[BRAS-acl-ipv4-adv-3002] quit

# Configure class cl_user1 to match packets carrying CVLAN 11, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user1 operator and

[BRAS-classifier-cl_user1] if-match customer-vlan-id 11

[BRAS-classifier-cl_user1] if-match acl 3002

[BRAS-classifier-cl_user1] if-match authenticated-user

[BRAS-classifier-cl_user1] quit

# Configure class cl_user2 to match packets carrying CVLAN 12, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user2 operator and

[BRAS-classifier-cl_user2] if-match customer-vlan-id 12

[BRAS-classifier-cl_user2] if-match acl 3002

[BRAS-classifier-cl_user2] if-match authenticated-user

[BRAS-classifier-cl_user2] quit

# Configure class cl_user3 to match packets carrying CVLAN 13, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user3 operator and

[BRAS-classifier-cl_user3] if-match customer-vlan-id 13

[BRAS-classifier-cl_user3] if-match acl 3002

[BRAS-classifier-cl_user3] if-match authenticated-user

[BRAS-classifier-cl_user3] quit

# Configure class cl_user4 to match packets carrying CVLAN 14, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user4 operator and

[BRAS-classifier-cl_user4] if-match customer-vlan-id 14

[BRAS-classifier-cl_user4] if-match acl 3002

[BRAS-classifier-cl_user4] if-match authenticated-user

[BRAS-classifier-cl_user4] quit

# Configure traffic behavior be_2M to mark traffic with accounting level 2 and count traffic in bytes.

[BRAS] traffic behavior be_2M

[BRAS-behavior-be_2M] remark account-level 2

[BRAS-behavior-be_2M] accounting byte

[BRAS-behavior-be_2M] quit

# Configure traffic behavior be_5M to mark traffic with accounting level 3 and count traffic in bytes.

[BRAS] traffic behavior be_5M

[BRAS-behavior-be_5M] remark account-level 3

[BRAS-behavior-be_5M] accounting byte

[BRAS-behavior-be_5M] quit

# Configure traffic behavior be_10M to mark traffic with accounting level 4 and count traffic in bytes.

[BRAS] traffic behavior be_10M

[BRAS-behavior-be_10M] remark account-level 4

[BRAS-behavior-be_10M] accounting byte

[BRAS-behavior-be_10M] quit

# Associate classes with behaviors in QoS policy nei_waiwang_share.

[BRAS] qos policy nei_waiwang_share

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user1 behavior be_2M

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user2 behavior be_5M

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user3 behavior be_5M

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user4 behavior be_10M

[BRAS-qospolicy-nei_waiwang_share] quit

Applying the QoS policy

# Enter the view of interface GigabitEthernet 3/1/1.1.

[BRAS] interface gigabitethernet 3/1/1.1

# Apply QoS policy nei_waiwang_share to the interface.

[BRAS-GigabitEthernet3/1/1.1] qos apply policy nei_waiwang_share inbound

[BRAS-GigabitEthernet3/1/1.1] qos apply policy nei_waiwang_share outbound

[BRAS-GigabitEthernet3/1/1.1] quit

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

[BRAS] radius scheme rs1

# Configure the primary authentication and accounting servers and the shared keys that protect RADIUS authentication and accounting exchanges. (The key 123456 is a demonstration value; in production, use a long random key and configure the same key on the RADIUS server.)

[BRAS-radius-rs1] primary authentication 4.4.4.2

[BRAS-radius-rs1] primary accounting 4.4.4.2

[BRAS-radius-rs1] key authentication simple 123456

[BRAS-radius-rs1] key accounting simple 123456

# Enable accounting-on for RADIUS scheme rs1.

[BRAS-radius-rs1] accounting-on enable

[BRAS-radius-rs1] quit

# Specify the dynamic authorization client (DAC) as 4.4.4.2. Set the shared key to 123456 in plaintext form for communication between the BRAS, acting as the dynamic authorization server (DAS), and the DAC.

[BRAS] radius dynamic-author server

[BRAS-radius-da-server] client ip 4.4.4.2 key simple 123456

[BRAS-radius-da-server] quit

Configuring an ITA policy

# Create ITA policy pl_ita, and use RADIUS scheme rs1 for accounting.

[BRAS] ita policy pl_ita

[BRAS-ita-policy-pl_ita] accounting-method radius-scheme rs1

# Configure the accounting levels and their rate limits.

[BRAS-ita-policy-pl_ita] accounting-level 1 ipv4 car inbound cir 5000 outbound cir 5000

[BRAS-ita-policy-pl_ita] accounting-level 2 ipv4 car inbound cir 2000 outbound cir 2000

[BRAS-ita-policy-pl_ita] accounting-level 3 ipv4 car inbound cir 5000 outbound cir 5000

[BRAS-ita-policy-pl_ita] accounting-level 4 ipv4 car inbound cir 10000 outbound cir 10000

[BRAS-ita-policy-pl_ita] quit

Configuring the DHCP relay agent

# Enable DHCP.

[BRAS] dhcp enable

# Enable recording client information in relay entries. (This command is executed in system view.)

[BRAS] dhcp relay client-information record

# Create DHCP relay address pool pool1, and specify gateway addresses and the DHCP server for the address pool.

[BRAS] dhcp server ip-pool pool1

[BRAS-dhcp-pool-pool1] gateway-list 6.6.6.1 export-route

[BRAS-dhcp-pool-pool1] remote-server 4.4.4.3

# Apply DHCP relay address pool pool1 to VPN instance vpn_isp1.

[BRAS-dhcp-pool-pool1] vpn-instance vpn_isp1

[BRAS-dhcp-pool-pool1] quit

# Create DHCP relay address pool pool2, and specify gateway addresses and the DHCP server for the address pool.

[BRAS] dhcp server ip-pool pool2

[BRAS-dhcp-pool-pool2] gateway-list 7.7.7.1 export-route

[BRAS-dhcp-pool-pool2] remote-server 4.4.4.3

# Apply DHCP relay address pool pool2 to VPN instance vpn_isp2.

[BRAS-dhcp-pool-pool2] vpn-instance vpn_isp2

[BRAS-dhcp-pool-pool2] quit

Configuring an ISP domain

# Create ISP domain isp1, and enter its view.

[BRAS] domain name isp1

# Configure PPP users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-isp1] authentication ppp radius-scheme rs1

[BRAS-isp-isp1] authorization ppp radius-scheme rs1

[BRAS-isp-isp1] accounting ppp radius-scheme rs1

# Configure ISP domain isp1 to use ITA policy pl_ita.

[BRAS-isp-isp1] ita-policy pl_ita

# Specify IPv4 address pool pool1 as the authorization IPv4 address pool and user group g1 as the authorization user group for users in ISP domain isp1.

[BRAS-isp-isp1] authorization-attribute ip-pool pool1

[BRAS-isp-isp1] authorization-attribute user-group g1

# Specify VPN instance vpn_isp1 as the authorization VPN instance for users in ISP domain isp1.

[BRAS-isp-isp1] authorization-attribute vpn-instance vpn_isp1

[BRAS-isp-isp1] quit

# Create ISP domain isp2, and enter its view.

[BRAS] domain name isp2

# Configure PPP users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-isp2] authentication ppp radius-scheme rs1

[BRAS-isp-isp2] authorization ppp radius-scheme rs1

[BRAS-isp-isp2] accounting ppp radius-scheme rs1

# Configure ISP domain isp2 to use ITA policy pl_ita.

[BRAS-isp-isp2] ita-policy pl_ita

# Specify IPv4 address pool pool2 as the authorization IPv4 address pool and user group g2 as the authorization user group for users in ISP domain isp2.

[BRAS-isp-isp2] authorization-attribute ip-pool pool2

[BRAS-isp-isp2] authorization-attribute user-group g2

# Specify VPN instance vpn_isp2 as the authorization VPN instance for users in ISP domain isp2.

[BRAS-isp-isp2] authorization-attribute vpn-instance vpn_isp2

[BRAS-isp-isp2] quit

Configuring a VT interface

# Create interface Virtual-Template 1, and enable PPP accounting and CHAP authentication.

[BRAS] interface virtual-template 1

[BRAS-Virtual-Template1] ppp account-statistics enable

[BRAS-Virtual-Template1] ppp authentication-mode chap

[BRAS-Virtual-Template1] quit

Configuring VLAN termination

# Configure VLAN termination on GigabitEthernet 3/1/1.1, and bind the interface to Virtual-Template 1.

[BRAS] interface gigabitethernet 3/1/1.1

[BRAS-GigabitEthernet3/1/1.1] vlan-type dot1q vid 101 second-dot1q 11 to 14

[BRAS-GigabitEthernet3/1/1.1] pppoe-server bind virtual-template 1

[BRAS-GigabitEthernet3/1/1.1] quit

Configuring PBR policies

To ensure traffic forwarding between the VPN instances and the public network instance (where the DHCP server and the campus resources reside), you must configure static routes for the request direction and policy-based routes for the response direction.

1.     Configure static routes to forward traffic in the DHCP request direction in the VPN instances to the DHCP server:

# Configure a static route to redirect traffic in the DHCP request direction in VPN instance vpn_isp1 to the DHCP server.

[BRAS] ip route-static vpn-instance vpn_isp1 4.4.4.0 24 4.4.4.3 public

# Configure a static route to redirect traffic in the DHCP request direction in VPN instance vpn_isp2 to the DHCP server.

[BRAS] ip route-static vpn-instance vpn_isp2 4.4.4.0 24 4.4.4.3 public

2.     Configure PBR to forward the response traffic from the DHCP server to the VPN instances of DHCP clients:

# Create ACL 3010 to match packets destined to network segment 6.6.0.0/16.

[BRAS] acl advanced 3010

[BRAS-acl-ipv4-adv-3010] rule 0 permit ip destination 6.6.0.0 0.0.255.255 user-group g1

[BRAS-acl-ipv4-adv-3010] quit

# Create ACL 3020 to match packets destined to network segment 7.7.0.0/16.

[BRAS] acl advanced 3020

[BRAS-acl-ipv4-adv-3020] rule 0 permit ip destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3020] quit

# Create PBR policy named dhcp_to_bras, and configure permit-mode node 0 in the policy to forward packets matching ACL 3010 in VPN instance vpn_isp1.

[BRAS] policy-based-route dhcp_to_bras permit node 0

[BRAS-pbr-dhcp_to_bras-0] if-match acl 3010

[BRAS-pbr-dhcp_to_bras-0] apply access-vpn vpn-instance vpn_isp1

[BRAS-pbr-dhcp_to_bras-0] quit

# In PBR policy named dhcp_to_bras, configure permit-mode node 1 to forward packets matching ACL 3020 in VPN instance vpn_isp2.

[BRAS] policy-based-route dhcp_to_bras permit node 1

[BRAS-pbr-dhcp_to_bras-1] if-match acl 3020

[BRAS-pbr-dhcp_to_bras-1] apply access-vpn vpn-instance vpn_isp2

[BRAS-pbr-dhcp_to_bras-1] quit

# Apply policy dhcp_to_bras to GigabitEthernet 3/1/3.

[BRAS] interface gigabitethernet 3/1/3

[BRAS-GigabitEthernet3/1/3] ip policy-based-route dhcp_to_bras

[BRAS-GigabitEthernet3/1/3] quit

 

 

NOTE:

·     To ensure traffic forwarding between VPN instances and the public network instance (ensure that users passing PPPoE dialup authentication can access resources in the campus network, for example, access loopback0 address 2.2.2.9 of the P device), configure static routes and policy-based routes.

·     For VPN instances and the public network instance to communicate bidirectionally, make sure the static routes configured in step 3 correspond to the network segment matched by ACLs in step 4 on a one-to-one basis.

 

3.     Configure static routes to forward traffic accessing the public network instance in the VPN instances to the public network instance:

# Configure a static route to allow users in VPN instance vpn_isp1 to access network segment 2.2.2.0/24 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp1 2.2.2.0 24 10.1.1.2 public

# Configure a static route to allow users in VPN instance vpn_isp1 to access network segment 3.3.0.0/16 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp1 3.3.0.0 16 10.1.1.2 public

# Configure a static route to allow users in VPN instance vpn_isp2 to access network segment 2.2.2.0/24 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp2 2.2.2.0 24 10.1.1.2 public

# Configure a static route to allow users in VPN instance vpn_isp2 to access network segment 3.3.0.0/16 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp2 3.3.0.0 16 10.1.1.2 public

4.     Configure PBR to forward the public network instance's response to traffic in step 3 to the corresponding VPN instances:

# Create ACL 3030 to match packets sourced from network segment 2.2.2.0/24 or 3.3.0.0/16 and destined to network segment 6.6.0.0/16.

[BRAS] acl advanced 3030

[BRAS-acl-ipv4-adv-3030] rule permit ip source 2.2.2.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

[BRAS-acl-ipv4-adv-3030] rule permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

[BRAS-acl-ipv4-adv-3030] quit

# Create ACL 3040 to match packets sourced from network segment 2.2.2.0/24 or 3.3.0.0/16 and destined to network segment 7.7.0.0/16.

[BRAS] acl advanced 3040

[BRAS-acl-ipv4-adv-3040] rule permit ip source 2.2.2.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3040] rule permit ip source 3.3.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3040] quit

# Create PBR policy named vpn_public, and configure permit-mode node 0 in the policy to forward packets matching ACL 3030 in VPN instance vpn_isp1.

[BRAS] policy-based-route vpn_public permit node 0

[BRAS-pbr-vpn_public-0] if-match acl 3030

[BRAS-pbr-vpn_public-0] apply access-vpn vpn-instance vpn_isp1

[BRAS-pbr-vpn_public-0] quit

# In PBR policy named vpn_public, configure permit-mode node 1 to forward packets matching ACL 3040 in VPN instance vpn_isp2.

[BRAS] policy-based-route vpn_public permit node 1

[BRAS-pbr-vpn_public-1] if-match acl 3040

[BRAS-pbr-vpn_public-1] apply access-vpn vpn-instance vpn_isp2

[BRAS-pbr-vpn_public-1] quit

# Apply policy vpn_public to GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] ip policy-based-route vpn_public

[BRAS-GigabitEthernet3/1/2] quit

5.     Enable OSPF on the interface attached to network 5.5.0.0/16 in OSPF area 0 on PE 1, so that P and PE 2 can learn the routes.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 5.5.0.0 0.0.255.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

6.     Configure static routes to network segments 6.6.0.0/16 and 7.7.0.0/16 on the P device.

[P] ip route-static 6.6.0.0 16 10.1.1.1

[P] ip route-static 7.7.0.0 16 10.1.1.1

7.     Configure static routes to network segments 6.6.0.0/16 and 7.7.0.0/16 on PE 2.

[PE2] ip route-static 6.6.0.0 16 10.1.4.1

[PE2] ip route-static 7.7.0.0 16 10.1.4.1
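The one-to-one correspondence that the NOTE above requires between the step 3 static routes and the step 4 ACL sources can be checked mechanically before the configuration is committed. The following Python script is an added example (not part of this H3C guide): it parses the ip route-static vpn-instance ... public routes, the advanced ACL rules and the PBR nodes, and reports each public segment that a VPN instance can reach but whose replies no PBR rule steers back, and each ACL source that steers replies into a VPN instance that has no route to that segment. SAMPLE_CONFIG is constructed from the commands in steps 3 and 4; the parser assumes one rule per line with source and destination given as address plus wildcard mask.

```python
"""Cross-check VPN-to-public static routes against the PBR ACLs returning replies.

Added example, not part of the H3C guide. Parses the `ip route-static
vpn-instance ... public` routes, the advanced ACL rules and the PBR nodes, and
reports each public segment a VPN instance can reach but whose replies no PBR
rule steers back, and each ACL source steering replies into a VPN instance that
has no route to it. Simplified parser: one rule per line, source/destination as
address + wildcard. SAMPLE_CONFIG is constructed from steps 3 and 4.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

IPv4Net = ipaddress.IPv4Network


def wildcard_to_net(addr: str, wildcard: str) -> IPv4Net:
    """Comware address/wildcard (3.3.0.0 0.0.255.255) -> 3.3.0.0/16."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return IPv4Net((addr, str(netmask)), strict=False)


def parse(config: str):
    """Return (ACL rules, PBR nodes, public-bound routes) from Comware config text."""
    acls: dict[str, list[dict]] = defaultdict(list)   # ACL number -> rules
    nodes: list[dict] = []                              # {"acl": ..., "vpn": ...}
    routes: set[tuple[str, IPv4Net]] = set()            # (vpn-instance, prefix)
    acl = node = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["acl", "advanced"]:
            acl, node = t[2], None
        elif t[0] == "policy-based-route":
            acl, node = None, {"acl": None, "vpn": None}
            nodes.append(node)
        elif t[0] == "rule" and acl is not None:
            rule = {"action": t[2] if t[1].isdigit() else t[1]}   # rule [id] permit|deny ...
            for key in ("source", "destination"):
                if key in t:
                    i = t.index(key)
                    rule[key] = wildcard_to_net(t[i + 1], t[i + 2])
            acls[acl].append(rule)
        elif t[:2] == ["if-match", "acl"] and node is not None:
            node["acl"] = t[2]
        elif t[:3] == ["apply", "access-vpn", "vpn-instance"] and node is not None:
            node["vpn"] = t[3]
        elif t[:3] == ["ip", "route-static", "vpn-instance"] and t[-1] == "public":
            routes.add((t[3], IPv4Net(f"{t[4]}/{t[5]}", strict=False)))
    return acls, nodes, routes


def check_return_path(config: str) -> list[str]:
    """One message per mismatch; an empty list means routes and ACLs correspond."""
    acls, nodes, routes = parse(config)
    covered: set[tuple[str, IPv4Net]] = set()
    problems: list[str] = []
    for node in nodes:
        for rule in acls.get(node["acl"], []):
            if rule["action"] != "permit":
                continue
            src = rule.get("source")
            if src is None:  # any-source rule returns every public segment of that VPN
                covered |= {r for r in routes if r[0] == node["vpn"]}
            elif (node["vpn"], src) in routes:
                covered.add((node["vpn"], src))
            else:
                problems.append(f"ACL {node['acl']} returns {src} to {node['vpn']}, "
                                f"but {node['vpn']} has no static route to {src}")
    for vpn, net in sorted(routes - covered, key=lambda r: (r[0], str(r[1]))):
        problems.append(f"static route {net} in {vpn} has no PBR rule returning replies to {vpn}")
    return problems


# Constructed from steps 3 and 4 of this section.
SAMPLE_CONFIG = """
acl advanced 3030
 rule permit ip source 2.2.2.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1
 rule permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1
acl advanced 3040
 rule permit ip source 2.2.2.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2
 rule permit ip source 3.3.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2
policy-based-route vpn_public permit node 0
 if-match acl 3030
 apply access-vpn vpn-instance vpn_isp1
policy-based-route vpn_public permit node 1
 if-match acl 3040
 apply access-vpn vpn-instance vpn_isp2
ip route-static vpn-instance vpn_isp1 2.2.2.0 24 10.1.1.2 public
ip route-static vpn-instance vpn_isp1 3.3.0.0 16 10.1.1.2 public
ip route-static vpn-instance vpn_isp2 2.2.2.0 24 10.1.1.2 public
ip route-static vpn-instance vpn_isp2 3.3.0.0 16 10.1.1.2 public
"""

if __name__ == "__main__":
    print(check_return_path(SAMPLE_CONFIG) or ["steps 3 and 4 correspond one-to-one"])
```

A rule without a source keyword, such as those in ACL 3010 and ACL 3020 of step 2, is treated as covering every public-bound route of the VPN instance its node applies, so the same check can be run over the dhcp_to_bras policy together with the step 1 routes. Removing one static route from SAMPLE_CONFIG, or adding a route with no matching ACL rule, produces exactly one message naming the affected prefix and VPN instance.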

Configuring Switch A

# Create SVLAN 101.

<SwitchA> system-view

[SwitchA] vlan 101

[SwitchA-vlan101] quit

# Configure GigabitEthernet 3/0/1 as a hybrid port and assign it to SVLAN 101 as a tagged member.

[SwitchA] interface gigabitethernet 3/0/1

[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

[SwitchA-GigabitEthernet3/0/1] port hybrid vlan 101 tagged

[SwitchA-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2 through GigabitEthernet 3/0/3 as trunk ports and assign them to SVLAN 101.

[SwitchA] interface range gigabitethernet 3/0/2 to gigabitethernet 3/0/3

[SwitchA-if-range] port link-type trunk

[SwitchA-if-range] port trunk permit vlan 101

# Configure SVLAN 101 as the PVID for GigabitEthernet 3/0/2 through GigabitEthernet 3/0/3 and enable QinQ on them.

[SwitchA-if-range] port trunk pvid vlan 101

[SwitchA-if-range] qinq enable

[SwitchA-if-range] quit

Configuring Switch B

# Create VLANs 11 and 12.

<SwitchB> system-view

[SwitchB] vlan 11 to 12

# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLANs 11 and 12.

[SwitchB] interface gigabitethernet 3/0/1

[SwitchB-GigabitEthernet3/0/1] port link-type trunk

[SwitchB-GigabitEthernet3/0/1] port trunk permit vlan 11 12

[SwitchB-GigabitEthernet3/0/1] quit

# Assign GigabitEthernet 3/0/2 to VLAN 11.

[SwitchB] interface gigabitethernet 3/0/2

[SwitchB-GigabitEthernet3/0/2] port access vlan 11

[SwitchB-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 12.

[SwitchB] interface gigabitethernet 3/0/3

[SwitchB-GigabitEthernet3/0/3] port access vlan 12

[SwitchB-GigabitEthernet3/0/3] quit

Configuring Switch C

# Create VLANs 13 and 14.

<SwitchC> system-view

[SwitchC] vlan 13 to 14

# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLANs 13 and 14.

[SwitchC] interface gigabitethernet 3/0/1

[SwitchC-GigabitEthernet3/0/1] port link-type trunk

[SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 13 14

[SwitchC-GigabitEthernet3/0/1] quit

# Assign GigabitEthernet 3/0/2 to VLAN 13.

[SwitchC] interface gigabitethernet 3/0/2

[SwitchC-GigabitEthernet3/0/2] port access vlan 13

[SwitchC-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 14.

[SwitchC] interface gigabitethernet 3/0/3

[SwitchC-GigabitEthernet3/0/3] port access vlan 14

[SwitchC-GigabitEthernet3/0/3] quit

Verifying the configuration

Use Host A as an example.

1.     Before Host A performs PPPoE dialup authentication, execute the display dhcp relay client-information command to view the relay entries on the relay agent.

<BRAS> display dhcp relay client-information

Total number of client-information items: 1

Total number of dynamic items: 1

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

5.5.5.2          e839-3563-fb21   Dynamic     GE3/1/1.1            N/A

The output shows that Host A has obtained dynamic IP address 5.5.5.2 before performing PPPoE dialup authentication. The user can use this IP address only to access the internal network.

2.     After Host A uses username User1@isp1 and password pass1 to dial to BRAS, perform the following tasks:

# Execute the display dhcp relay client-information command to view the relay entries on the relay agent.

<BRAS> display dhcp relay client-information

Total number of client-information items: 2

Total number of dynamic items: 2

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

5.5.5.2          e839-3563-fb21   Dynamic     GE3/1/1.1            N/A

6.6.6.2          e839-3563-fb21   Dynamic     BAS0                 vpn_isp1

The output shows that Host A has obtained dynamic IP address 6.6.6.2 after performing PPPoE dialup authentication by using a username with suffix @isp1.

# View detailed information about user User1@isp1.

<BRAS> display ppp access-user username user1@isp1 verbose

Basic:

  Interface: BAS0

  PPP index: 0x140000105

  User ID: 0x20000001

  Username: User1@isp1                //Username used for PPPoE dialup

  Domain: isp1                        //ISP domain to which the dialup user belongs

  Access interface: GE3/1/1.1         //Access interface of the dialup user

  Service-VLAN/Customer-VLAN: 101/11  //SVLAN and CVLAN encapsulated in packets of the dialup user

  VXLAN ID: -

  MAC address: e839-3563-fb21         //Host MAC address of the dialup user

  IP address: 6.6.6.2                 //IP address assigned to the user by the DHCP server

  Primary DNS server: 8.8.8.8

  IPv6 address: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  User address type: N/A

  VPN instance: vpn_isp1                        //VPN instance to which the dialup user belongs

  Access type: PPPoE                 //Access type of the user

  Authentication type: CHAP          //Authentication type of the access user

 

PPPoE:

  Session ID: 1

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2022-2-3  16:8:50:841

  Accounting start time: 2022-2-3  16:8:50:861

  Online time(hh:mm:ss): 0:0:7

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 sec  0 byte, direction: Both

  Session timeout: -

  Time remained: -

  Traffic quota: -

  Traffic remained: -

  Redirect WebURL: -

  ITA policy name: pl_ita

  MRU: 1480 bytes

  IPv4 MTU: 1480 bytes

  IPv6 MTU: 1480 bytes

  Subscriber ID: -

 

ACL&QoS:

  User profile: -

  Session group profile: -

  User group acl: g1 (active)

  Inbound CAR: -

  Outbound CAR: -

  User inbound priority: -

  User outbound priority: -

 

Flow Statistic:

  IPv4 uplink   packets/bytes: 119/11753

  IPv4 downlink packets/bytes: 73/6350

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

 

ITA:

  Level-1 uplink   packets/bytes: 109/11653

          downlink packets/bytes: 0/0

  Level-2 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-3 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-4 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

# View the routes in VPN instance vpn_isp1.

<BRAS> display ip routing-table vpn-instance vpn_isp1

 

Destinations : 20        Routes : 20

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

2.2.2.0/24         Static  60  0           10.1.1.2        GE3/1/2

3.3.0.0/16         Static  60  0           10.1.1.2        GE3/1/2

4.4.4.0/24         Static  60  0           4.4.4.3         GE3/1/3

6.6.6.1/32         Direct  0   0           127.0.0.1       InLoop0

6.6.6.2/32         Direct  0   0           6.6.6.2         BAS0

10.1.1.0/24        Static  60  0           10.1.1.2        GE3/1/2

10.1.4.0/24        Static  60  0           10.1.1.2        GE3/1/2

101.1.1.0/24       BGP     255 0           3.3.3.9         GE3/1/2

101.101.101.0/24   Direct  0   0           101.101.101.101 BAS0

101.101.101.0/32   Direct  0   0           101.101.101.101 BAS0

101.101.101.101/32 Direct  0   0           127.0.0.1       InLoop0

101.101.101.255/32 Direct  0   0           101.101.101.101 BAS0

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0

224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0

255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

The output above shows that routes to the internal network (for example, user network segment 2.2.2.0/24) and Internet (network segment 101.1.1.0/24) exist in VPN instance vpn_isp1, and the user can use the obtained IP address 6.6.6.2 to access the internal network and Internet at the same time. When the user accesses the Internet, the egress of ISP1 is used.

3.     After Host A dials in to the BRAS with username User1@isp2 and password pass1, perform the following tasks:

# Execute the display dhcp relay client-information command to view the relay entries on the relay agent.

<BRAS> display dhcp relay client-information

Total number of client-information items: 2

Total number of dynamic items: 2

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

5.5.5.2          e839-3563-fb21   Dynamic     GE3/1/1.1            N/A

7.7.7.2          e839-3563-fb21   Dynamic     BAS0                  vpn_isp2

The output shows that Host A has obtained dynamic IP address 7.7.7.2 after performing PPPoE dialup authentication by using a username with suffix @isp2.

# View detailed information about user User1@isp2.

<BRAS> display ppp access-user username user1@isp2 verbose

Basic:

  Interface: BAS0

  PPP index: 0x140000105

  User ID: 0x20000001

  Username: User1@isp2                //Username used for PPPoE dialup

  Domain: isp2                        //ISP domain to which the dialup user belongs

  Access interface: GE3/1/1.1         //Access interface of the dialup user

  Service-VLAN/Customer-VLAN: 101/11  //SVLAN and CVLAN encapsulated in packets of the dialup user

  VXLAN ID: -

  MAC address: e839-3563-fb21         //Host MAC address of the dialup user

  IP address: 7.7.7.2                 //IP address assigned to the user by the DHCP server

  Primary DNS server: 8.8.8.8

  IPv6 address: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  User address type: N/A

  VPN instance: vpn_isp2                        //VPN instance to which the dialup user belongs

  Access type: PPPoE                 //Access type of the user

  Authentication type: CHAP          //Authentication type of the access user

 

PPPoE:

  Session ID: 1

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2022-2-3  16:10:37:389

  Accounting start time: 2022-2-3  16:10:37:412

  Online time(hh:mm:ss): 0:0:4

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 sec  0 byte, direction: Both

  Session timeout: -

  Time remained: -

  Traffic quota: -

  Traffic remained: -

  Redirect WebURL: -

  ITA policy name: pl_ita

  MRU: 1480 bytes

  IPv4 MTU: 1480 bytes

  IPv6 MTU: 1480 bytes

  Subscriber ID: -

 

ACL&QoS:

  User profile: -

  Session group profile: -

  User group acl: g2 (active)

  Inbound CAR: -

  Outbound CAR: -

  User inbound priority: -

  User outbound priority: -

 

Flow Statistic:

  IPv4 uplink   packets/bytes: 56/5676

  IPv4 downlink packets/bytes: 0/0

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

 

ITA:

  Level-1 uplink   packets/bytes: 46/5576

          downlink packets/bytes: 0/0

  Level-2 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-3 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-4 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

# View the routes in VPN instance vpn_isp2.

<BRAS> display ip routing-table vpn-instance vpn_isp2

 

Destinations : 20        Routes : 20

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

2.2.2.0/24         Static  60  0           10.1.1.2        GE3/1/2

3.3.0.0/16         Static  60  0           10.1.1.2        GE3/1/2

4.4.4.0/24         Static  60  0           4.4.4.3         GE3/1/3

7.7.7.1/32         Direct  0   0           127.0.0.1       InLoop0

7.7.7.2/32         Direct  0   0           7.7.7.2         BAS0

10.1.1.0/24        Static  60  0           10.1.1.2        GE3/1/2

10.1.4.0/24        Static  60  0           10.1.1.2        GE3/1/2

101.101.101.0/24   Direct  0   0           101.101.101.101 BAS0

101.101.101.0/32   Direct  0   0           101.101.101.101 BAS0

101.101.101.101/32 Direct  0   0           127.0.0.1       InLoop0

101.101.101.255/32 Direct  0   0           101.101.101.101 BAS0

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

202.1.1.0/24       BGP     255 0           3.3.3.9         GE3/1/2

224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0

224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0

255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0


The output above shows that routes to the internal network (for example, user network segment 2.2.2.0/24) and Internet (network segment 202.1.1.0/24) exist in VPN instance vpn_isp2, and the user can use the obtained IP address 7.7.7.2 to access the internal network and Internet at the same time. When the user accesses the Internet, the egress of ISP2 is used.
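The two verbose outputs above are the evidence that the domain suffix really steers a subscriber into the intended VPN, user group and address pool. As an added check that is not part of the H3C example, the following Python script parses display ppp access-user verbose output and verifies those bindings: a session in domain isp1 must sit in VPN instance vpn_isp1 with user group g1 and an address from 6.6.0.0/16, and a session in isp2 must sit in vpn_isp2 with g2 and 7.7.0.0/16. The expected bindings are transcribed from the ISP domain configuration in this example; the first sample session is an abbreviated copy of the User1@isp1 output above, the second is a constructed, deliberately inconsistent session.

```python
import ipaddress
import re

# Expected domain bindings, transcribed from the 'domain name isp1/isp2' configuration
# in this example (authorization-attribute vpn-instance / user-group / ip-pool).
DOMAIN_POLICY = {
    "isp1": {"vpn": "vpn_isp1", "group": "g1", "pool": ipaddress.ip_network("6.6.0.0/16")},
    "isp2": {"vpn": "vpn_isp2", "group": "g2", "pool": ipaddress.ip_network("7.7.0.0/16")},
}

# "Key: value   //annotation" as printed in the manual; the //annotation is dropped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /&-]*?):\s*(.*?)\s*(?://.*)?$")


def parse_access_user(text):
    """Flatten 'display ppp access-user ... verbose' output into a {key: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_isolation(fields):
    """Return the list of binding violations for one session (empty list = consistent)."""
    problems = []
    domain = fields.get("Domain", "")
    policy = DOMAIN_POLICY.get(domain)
    if policy is None:
        return [f"unknown ISP domain {domain!r}"]
    username = fields.get("Username", "")
    if not username.lower().endswith("@" + domain):
        problems.append(f"username {username} does not carry the @{domain} suffix")
    if fields.get("Authentication state") != "Authenticated":
        problems.append("session is not authenticated")
    if fields.get("VPN instance") != policy["vpn"]:
        problems.append(f"VPN instance {fields.get('VPN instance')} != {policy['vpn']}")
    group = fields.get("User group acl", "").split()[:1]      # "g1 (active)" -> ["g1"]
    if group != [policy["group"]]:
        problems.append(f"user group {group} != {policy['group']}")
    try:
        addr = ipaddress.ip_address(fields.get("IP address", ""))
    except ValueError:
        problems.append("no IPv4 address assigned")
    else:
        if addr not in policy["pool"]:
            problems.append(f"address {addr} is outside pool {policy['pool']}")
    return problems


# Abbreviated copy of the User1@isp1 output shown above.
SESSION_ISP1 = """\
Basic:
  Interface: BAS0
  Username: User1@isp1                //Username used for PPPoE dialup
  Domain: isp1                        //ISP domain to which the dialup user belongs
  Access interface: GE3/1/1.1         //Access interface of the dialup user
  MAC address: e839-3563-fb21         //Host MAC address of the dialup user
  IP address: 6.6.6.2                 //IP address assigned to the user by the DHCP server
  VPN instance: vpn_isp1                        //VPN instance to which the dialup user belongs
  Access type: PPPoE                 //Access type of the user
AAA:
  Authentication state: Authenticated
ACL&QoS:
  User group acl: g1 (active)
"""

# Constructed (not from the manual): an isp2 user wrongly placed in the ISP1 VPN with an
# ISP1 address, which would give it the ISP1 egress and ISP1 accounting.
SESSION_MISPLACED = """\
Basic:
  Username: User1@isp2
  Domain: isp2
  IP address: 6.6.6.3
  VPN instance: vpn_isp1
AAA:
  Authentication state: Authenticated
ACL&QoS:
  User group acl: g2 (active)
"""

if __name__ == "__main__":
    for name, text in (("User1@isp1", SESSION_ISP1), ("misplaced", SESSION_MISPLACED)):
        problems = check_isolation(parse_access_user(text))
        print(name, "OK" if not problems else problems)
```

Run it against the output of every online session (for example, after paging through display ppp access-user verbose) rather than against a single user; a mismatch between the Domain and VPN instance lines means RADIUS authorization attributes have overridden the ISP domain settings, which the restrictions below describe.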

Configuration files

·     DHCP server:

#

 dhcp enable

#

dhcp server ip-pool pool1

 gateway-list 5.5.5.1

 network 5.5.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 5.5.5.1

#

dhcp server ip-pool pool2

 gateway-list 6.6.6.1

 network 6.6.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 6.6.6.1

#

dhcp server ip-pool pool3

 gateway-list 7.7.7.1

 network 7.7.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 7.7.7.1

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 4.4.4.3 255.255.255.0

#

 ip route-static 0.0.0.0 0 4.4.4.1

#

·     PE 1 (BRAS):

#

ip vpn-instance vpn_isp1

 route-distinguisher 100:1

 vpn-target 111:1 import-extcommunity

 vpn-target 222:1 export-extcommunity

#

ip vpn-instance vpn_isp2

 route-distinguisher 200:1

 vpn-target 333:1 import-extcommunity

 vpn-target 444:1 export-extcommunity

#

ospf 1

 area 0.0.0.0

  network 1.1.1.9 0.0.0.0

  network 5.5.0.0 0.0.255.255

  network 10.1.1.0 0.0.0.255

#

 mpls lsr-id 1.1.1.9

#

 dhcp enable

 dhcp relay client-information record

#

traffic classifier 3000 operator and

 if-match acl 3000

#

traffic classifier 3001 operator and

 if-match acl 3001

 if-match authenticated-user

#

traffic classifier cl_user1 operator and

 if-match customer-vlan-id 11

 if-match acl 3002

 if-match authenticated-user

#

traffic classifier cl_user2 operator and

 if-match customer-vlan-id 12

 if-match acl 3002

 if-match authenticated-user

#

traffic classifier cl_user3 operator and

 if-match customer-vlan-id 13

 if-match acl 3002

 if-match authenticated-user

#

traffic classifier cl_user4 operator and

 if-match customer-vlan-id 14

 if-match acl 3002

 if-match authenticated-user

#

traffic behavior 3000

 accounting byte

 car cir 5000 cbs 312500 ebs 0 green pass red discard yellow pass

#

traffic behavior 3001

 accounting byte

 remark account-level 1

#

traffic behavior be_10M

 accounting byte

 remark account-level 4

#

traffic behavior be_2M

 accounting byte

 remark account-level 2

#

traffic behavior be_5M

 accounting byte

 remark account-level 3

#

qos policy nei_waiwang_share

 classifier 3000 behavior 3000

 classifier 3001 behavior 3001

 classifier cl_user1 behavior be_2M

 classifier cl_user2 behavior be_5M

 classifier cl_user3 behavior be_5M

 classifier cl_user4 behavior be_10M

#

dhcp server ip-pool pool1

 vpn-instance vpn_isp1

 gateway-list 6.6.6.1 export-route

 remote-server 4.4.4.3

#

dhcp server ip-pool pool2

 vpn-instance vpn_isp2

 gateway-list 7.7.7.1 export-route

 remote-server 4.4.4.3

#

policy-based-route dhcp_to_bras permit node 0

 if-match acl 3010

 apply access-vpn vpn-instance vpn_isp1

#

policy-based-route dhcp_to_bras permit node 1

 if-match acl 3020

 apply access-vpn vpn-instance vpn_isp2

#

policy-based-route vpn_public permit node 0

 if-match acl 3030

 apply access-vpn vpn-instance vpn_isp1

#

policy-based-route vpn_public permit node 1

 if-match acl 3040

 apply access-vpn vpn-instance vpn_isp2

#

mpls ldp

#

interface Virtual-Template1

 ppp authentication-mode chap

 ppp account-statistics enable

#

interface LoopBack0

 ip address 1.1.1.9 255.255.255.255

#

interface GigabitEthernet3/1/1

 port link-mode route

#

interface GigabitEthernet3/1/1.1

 qos apply policy nei_waiwang_share inbound

 qos apply policy nei_waiwang_share outbound

 vlan-type dot1q vid 101 second-dot1q 11 to 14

 pppoe-server bind virtual-template 1

#

interface GigabitEthernet3/1/2

 port link-mode route

 ip address 10.1.1.1 255.255.255.0

 mpls enable

 mpls ldp enable

 ip policy-based-route vpn_public

#

interface GigabitEthernet3/1/3

 port link-mode route

 ip address 4.4.4.1 255.255.255.0

 ip policy-based-route dhcp_to_bras

#

bgp 100

 peer 3.3.3.9 as-number 100

 peer 3.3.3.9 connect-interface LoopBack0

 #

 address-family vpnv4

  peer 3.3.3.9 enable

 #

 ip vpn-instance vpn_isp1

  #

  address-family ipv4 unicast

   import-route direct

 #

 ip vpn-instance vpn_isp2

  #

  address-family ipv4 unicast

   import-route direct

#

 ip route-static vpn-instance vpn_isp1 2.2.2.0 24 10.1.1.2 public

 ip route-static vpn-instance vpn_isp1 3.3.0.0 16 10.1.1.2 public

 ip route-static vpn-instance vpn_isp1 4.4.4.0 24 4.4.4.3 public

 ip route-static vpn-instance vpn_isp2 2.2.2.0 24 10.1.1.2 public

 ip route-static vpn-instance vpn_isp2 3.3.0.0 16 10.1.1.2 public

 ip route-static vpn-instance vpn_isp2 4.4.4.0 24 4.4.4.3 public

#

acl advanced 3000

 rule 0 permit ip source 5.5.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255

 rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 5.5.0.0 0.0.255.255

 rule 20 permit ip source 5.5.0.0 0.0.255.255 destination 5.5.0.0 0.0.255.255

#

acl advanced 3001

 rule 10 permit ip source 6.6.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g1

 rule 20 permit ip source 4.4.4.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

 rule 30 permit ip source 6.6.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

 rule 40 permit ip source 7.7.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g2

 rule 50 permit ip source 4.4.4.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

 rule 60 permit ip source 7.7.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

#

acl advanced 3002

 rule 0 permit ip user-group g1

 rule 5 permit ip user-group g2

#

acl advanced 3010

 rule 0 permit ip destination 6.6.0.0 0.0.255.255 user-group g1

#

acl advanced 3020

 rule 0 permit ip destination 7.7.0.0 0.0.255.255 user-group g2

#

acl advanced 3030

 rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

 rule 5 permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

#

acl advanced 3040

 rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

 rule 5 permit ip source 3.3.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

#

radius scheme rs1

 primary authentication 4.4.4.2

 primary accounting 4.4.4.2

 accounting-on enable

 key authentication cipher $c$3$qUtzXCwq7r8LLcMkFSoDGWZBL/icMl9CLA==

 key accounting cipher $c$3$n/0PcnYaWjXNFtKUpBYlof6r0doKH/fVig==

#

radius dynamic-author server

 client ip 4.4.4.2 key cipher $c$3$Td30doCnLkhF7bhiYp4bk9DU96+XBStLkA==

#

ita policy pl_ita

 accounting-method radius-scheme rs1

 accounting-level 1 ipv4 car inbound cir 5000 outbound cir 5000

 accounting-level 2 ipv4 car inbound cir 2000 outbound cir 2000

 accounting-level 3 ipv4 car inbound cir 5000 outbound cir 5000

 accounting-level 4 ipv4 car inbound cir 10000 outbound cir 10000

#

domain name isp1

 authorization-attribute user-group g1

 authorization-attribute ip-pool pool1

 authorization-attribute vpn-instance vpn_isp1

 ita-policy pl_ita

 authentication ppp radius-scheme rs1

 authorization ppp radius-scheme rs1

 accounting ppp radius-scheme rs1

#

domain name isp2

 authorization-attribute user-group g2

 authorization-attribute ip-pool pool2

 authorization-attribute vpn-instance vpn_isp2

 ita-policy pl_ita

 authentication ppp radius-scheme rs1

 authorization ppp radius-scheme rs1

 accounting ppp radius-scheme rs1

#

user-group g1

#

user-group g2

#

·     P:

#

ospf 1

 area 0.0.0.0

  network 2.2.2.9 0.0.0.0

  network 10.1.1.0 0.0.0.255

  network 10.1.4.0 0.0.0.255

#

 mpls lsr-id 2.2.2.9

#

mpls ldp

#

interface LoopBack0

 ip address 2.2.2.9 255.255.255.255

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 10.1.4.1 255.255.255.0

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet3/0/2

 port link-mode route

 ip address 10.1.1.2 255.255.255.0

 mpls enable

 mpls ldp enable

#

 ip route-static 6.6.0.0 16 10.1.1.1

 ip route-static 7.7.0.0 16 10.1.1.1

#

·     PE 2:

#

ip vpn-instance vpn_isp1

 route-distinguisher 100:1

 vpn-target 111:1 export-extcommunity

 vpn-target 222:1 import-extcommunity

#

ip vpn-instance vpn_isp2

 route-distinguisher 200:1

 vpn-target 333:1 export-extcommunity

 vpn-target 444:1 import-extcommunity

#

ospf 1

 area 0.0.0.0

  network 10.1.4.0 0.0.0.255

  network 3.3.3.9 0.0.0.0

#

 mpls lsr-id 3.3.3.9

#

mpls ldp

#

interface LoopBack0

 ip address 3.3.3.9 255.255.255.255

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 10.1.4.2 255.255.255.0

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet3/0/2

 port link-mode route

 ip binding vpn-instance vpn_isp1

 ip address 101.1.1.1 255.255.255.0

#

interface GigabitEthernet3/0/3

 port link-mode route

 ip binding vpn-instance vpn_isp2

 ip address 202.1.1.1 255.255.255.0

#

bgp 100

 peer 1.1.1.9 as-number 100

 peer 1.1.1.9 connect-interface LoopBack0

 #

 address-family vpnv4

  peer 1.1.1.9 enable

 #

 ip vpn-instance vpn_isp1

  peer 101.1.1.2 as-number 65430

  #

  address-family ipv4 unicast

   import-route direct

   peer 101.1.1.2 enable

 #

 ip vpn-instance vpn_isp2

  peer 202.1.1.2 as-number 65430

  #

  address-family ipv4 unicast

   import-route direct

   peer 202.1.1.2 enable

#

 ip route-static 6.6.0.0 16 10.1.4.1

 ip route-static 7.7.0.0 16 10.1.4.1

#

·     CE 1:

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 101.1.1.2 255.255.255.0

#

bgp 65430

 peer 101.1.1.1 as-number 100

 #

 address-family ipv4 unicast

  import-route direct

  peer 101.1.1.1 enable

#

·     CE 2:

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 202.1.1.2 255.255.255.0

#

bgp 65430

 peer 202.1.1.1 as-number 100

 #

 address-family ipv4 unicast

  import-route direct

  peer 202.1.1.1 enable

#

·     Switch A:

#

vlan 4001

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type hybrid

 port hybrid vlan 4001 tagged

 port hybrid vlan 1 untagged

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 4001

 port trunk pvid vlan 4001

 qinq enable

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 4001

 port trunk pvid vlan 4001

 qinq enable

#

·     Switch B:

#

vlan 11 to 12

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 11 12

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port access vlan 11

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 12

#

·     Switch C:

#

vlan 13 to 14

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 13 14

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port access vlan 13

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 14

#
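The separation between ISP1 and ISP2 in the configuration files above rests entirely on the route-target pairing: PE 1 exports 222:1 and imports 111:1 for vpn_isp1 while PE 2 does the reverse, and the same for 444:1/333:1 in vpn_isp2. A single mistyped import RT silently merges the two VPNs without any error message. As an added check that is not part of the H3C example, the following Python script parses the ip vpn-instance blocks from Comware configuration files and verifies two properties: for every VPN, each PE imports at least one RT the other PE exports (otherwise no VPNv4 routes are exchanged), and no RT exported under one VPN name is imported under another (otherwise routes leak across VPNs). The PE 1 and PE 2 fragments are copied from above; the third fragment, with one swapped RT, is constructed to show a failure.

```python
import re

# Only the system-view block defines RTs; the indented 'ip vpn-instance' lines inside
# 'bgp' are address-family views and are intentionally not matched (no leading space).
VPN_HEADER = re.compile(r"^ip vpn-instance (\S+)\s*$")


def parse_vpn_instances(config):
    """Return {vpn_name: {"rd": str|None, "import": set(RT), "export": set(RT)}}."""
    instances, current = {}, None
    for line in config.splitlines():
        m = VPN_HEADER.match(line)
        if m:
            current = instances.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        tokens = line.split()
        if not tokens or current is None:
            continue
        if tokens[0] == "#":                      # '#' closes the block
            current = None
        elif tokens[0] == "route-distinguisher" and len(tokens) == 2:
            current["rd"] = tokens[1]
        elif tokens[0] == "vpn-target":
            # 'vpn-target RT [RT ...] [import-extcommunity | export-extcommunity | both]';
            # Comware treats a missing direction keyword as both.
            if tokens[-1] in ("import-extcommunity", "export-extcommunity", "both"):
                mode, rts = tokens[-1], tokens[1:-1]
            else:
                mode, rts = "both", tokens[1:]
            if mode in ("import-extcommunity", "both"):
                current["import"].update(rts)
            if mode in ("export-extcommunity", "both"):
                current["export"].update(rts)
    return instances


def check_rt_isolation(pes):
    """pes: {pe_name: parse_vpn_instances(...)}. Returns a list of problem strings."""
    problems = []
    # 1. Reachability: for each VPN on each pair of PEs, each side must import an RT the other exports.
    names = sorted(pes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for vpn in sorted(set(pes[a]) & set(pes[b])):
                if not pes[a][vpn]["export"] & pes[b][vpn]["import"]:
                    problems.append(f"{vpn}: {b} imports none of the RTs {a} exports")
                if not pes[b][vpn]["export"] & pes[a][vpn]["import"]:
                    problems.append(f"{vpn}: {a} imports none of the RTs {b} exports")
    # 2. Isolation: an RT exported under one VPN name must never be imported under another.
    exported_by = {}                               # RT -> set of VPN names exporting it, on any PE
    for insts in pes.values():
        for vpn, inst in insts.items():
            for rt in inst["export"]:
                exported_by.setdefault(rt, set()).add(vpn)
    for pe, insts in pes.items():
        for vpn, inst in insts.items():
            for rt in sorted(inst["import"]):
                others = exported_by.get(rt, set()) - {vpn}
                if others:
                    problems.append(f"{pe}/{vpn} imports {rt}, exported by {sorted(others)}: cross-VPN leak")
    return problems


# Copied from the PE 1 and PE 2 configuration files above.
PE1_CONFIG = """\
#
ip vpn-instance vpn_isp1
 route-distinguisher 100:1
 vpn-target 111:1 import-extcommunity
 vpn-target 222:1 export-extcommunity
#
ip vpn-instance vpn_isp2
 route-distinguisher 200:1
 vpn-target 333:1 import-extcommunity
 vpn-target 444:1 export-extcommunity
#
"""
PE2_CONFIG = """\
#
ip vpn-instance vpn_isp1
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 222:1 import-extcommunity
#
ip vpn-instance vpn_isp2
 route-distinguisher 200:1
 vpn-target 333:1 export-extcommunity
 vpn-target 444:1 import-extcommunity
#
"""
# Constructed misconfiguration (not from the manual): vpn_isp2 on PE 2 imports 222:1, the RT
# PE 1 exports for vpn_isp1, so ISP1 subscriber routes would appear in the ISP2 VPN.
PE2_LEAKY_CONFIG = PE2_CONFIG.replace("vpn-target 444:1 import-extcommunity",
                                      "vpn-target 222:1 import-extcommunity")

if __name__ == "__main__":
    good = {"PE1": parse_vpn_instances(PE1_CONFIG), "PE2": parse_vpn_instances(PE2_CONFIG)}
    bad = {"PE1": parse_vpn_instances(PE1_CONFIG), "PE2": parse_vpn_instances(PE2_LEAKY_CONFIG)}
    print("as configured:", check_rt_isolation(good) or "OK")
    print("with swapped RT:", check_rt_isolation(bad))
```

The parser accepts a full display current-configuration dump, so the same check can be run across every PE in the campus before a change window; the isolation test is the one that matters for security, because the reachability failure would be noticed quickly while a leaked RT simply works and bills the wrong ISP.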

Example: Configuring multiple egress VPNs and ITA in a BRAS campus network (hairpin)

Network configuration

As shown in Figure 29, BRAS in the campus network is connected to the core switch in hairpin mode. The core switch is uplinked to PE 2. As the border device, PE2 is connected to different service providers ISP1 and ISP2. Configure BRAS to meet the following requirements:

·     Before a user in the dormitory area or office area passes PPPoE dialup authentication, the user can access only the internal network with the rate limit of 5 Mbps. Accounting is not performed for the user accessing the internal network.

·     After passing the PPPoE dialup authentication, the user can access both the internal network and the Internet. The rate limit for accessing the internal network is still 5 Mbps and no accounting is performed. The school provides three monthly Internet access plans, with the speeds of 2 Mbps, 5 Mbps, and 10 Mbps separately. In this example, suppose users A, B, C, and D select the 2 Mbps, 5 Mbps, 5 Mbps, and 10 Mbps plans, respectively.

·     Users use the dialup client in the operating systems for PPPoE dialup authentication.

·     When a user performs PPPoE dialup, the username carries the ISP domain name by adding a suffix @ISP1 or @ISP2. BRAS specifies a fixed ISP egress interface for the user according to the domain name of the user.

Figure 29 Network diagram

 

Device            Interface     IP address       Device          Interface   IP address
RADIUS server     -             4.4.4.2/24       PE2             Loop0       3.3.3.9/32
DHCP server       GE3/0/1       4.4.4.3/24                       GE3/0/1     10.1.4.2/24
PE1 (BRAS)        Loop0         1.1.1.9/32                       GE3/0/2     101.1.1.1/24
                  GE3/1/1       -                                GE3/0/3     202.1.1.1/24
                  GE3/1/1.1     5.5.5.1/24       CE1             GE3/0/1     101.1.1.2/24
                  GE3/1/1.2     10.1.1.1/24      CE2             GE3/0/1     202.1.1.2/24
P (Core Switch)   Loop0         2.2.2.9/32
                  Vlan-int100   10.1.1.2/24
                  Vlan-int200   10.1.4.1/24
                  Vlan-int300   4.4.4.1/24

 

Analysis

·     Compared to the inline mode, the hairpin mode differs mainly in networking. In hairpin mode, traffic loops through the BRAS: the P device forwards user traffic to the BRAS at Layer 2, and the BRAS returns it to the P device at Layer 3. The inline mode has no such loopback.

·     For BRAS to select an ISP egress interface for a user according to the domain name carried in the username, you can authorize a VPN to the user in the ISP domain and assign different ISP egress interfaces to different VPNs.

·     To implement differentiated accounting policies for users, define four accounting levels in ITA (for example, specify levels 1 through 4 for the internal network access of 5 Mbps, Internet access of 2 Mbps, Internet access of 5 Mbps, and Internet access of 10 Mbps) separately, and define different prices for different ITA levels.

·     To distinguish the internal network traffic and Internet traffic after users pass PPPoE dialup authentication, you can use an ACL (ACL 3001 in this example) to match the specific internal network traffic, and then use an ACL (ACL 3002 in this example) to match traffic except internal traffic (the Internet traffic by default).

·     When a PPPoE access user goes offline, the DHCP relay agent needs to query the relay user address entry of the user. If the entry exists, the DHCP relay agent sends Release packets to the DHCP server to notify the DHCP server to release the user's address lease. For this purpose, execute the dhcp relay client-information record command to enable recording client information in relay entries.

Restrictions and guidelines

·     When an interface is bound to a VPN instance, the settings (including IP address) on the interface will be cleared. Therefore, first bind an interface to a VPN instance, and then configure other settings on the interface.

·     The class-behavior associations in a QoS policy are executed in the order they are configured. To ensure preferential processing of the internal network traffic, make sure the class-behavior associations for internal network traffic are configured before the class-behavior associations for Internet traffic.

·     If authorization attributes (for example, address pool, user group, and VPN) are configured both on the RADIUS server and in an ISP domain, the attributes configured on the RADIUS server apply. If the idle-cut attribute is configured both on the RADIUS server and in an ISP domain, the configuration in the ISP domain on the BRAS applies. In this example, all the authorization attributes have been configured in ISP domains. In a live network, configure the RADIUS server to authorize attributes or configure attributes in ISP domains as needed.
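The ordering guideline above is easiest to see by replaying the policy from this example against a few packets. The following Python model is an added example, not H3C code, and it deliberately simplifies the device: a QoS policy is treated as an ordered list of class-behavior pairs and a packet takes the behavior of the first class that matches, which is the assumption behind the guideline. ACLs 3000, 3001 and 3002 and the classifiers are transcribed from the nei_waiwang_share policy in the configuration files above (this hairpin example keeps the same ACL numbering); the packets are constructed. Reversing the order makes an authenticated user's internal-network traffic pick up an Internet accounting level, which is exactly the billing error the guideline warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    cvlan: int                  # inner (customer) VLAN of the QinQ frame
    authenticated: bool         # has the PPPoE session passed authentication?
    user_group: Optional[str]   # authorized user group, None before authentication


@dataclass
class Rule:
    """One 'rule permit ip [source ...] [destination ...] [user-group ...]' line."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    user_group: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.user_group is None or self.user_group == pkt.user_group))


# Transcribed from the configuration above: 5.5.0.0/16 is the pre-authentication pool,
# 6.6.0.0/16 (g1) and 7.7.0.0/16 (g2) the post-authentication pools, 4.4.4.0/24 the
# server segment that counts as internal network.
ACLS = {
    3000: [Rule("5.5.0.0/16", "4.4.4.0/24"), Rule("4.4.4.0/24", "5.5.0.0/16"),
           Rule("5.5.0.0/16", "5.5.0.0/16")],
    3001: [Rule("6.6.0.0/16", "4.4.4.0/24", "g1"), Rule("4.4.4.0/24", "6.6.0.0/16", "g1"),
           Rule("6.6.0.0/16", "6.6.0.0/16", "g1"),
           Rule("7.7.0.0/16", "4.4.4.0/24", "g2"), Rule("4.4.4.0/24", "7.7.0.0/16", "g2"),
           Rule("7.7.0.0/16", "7.7.0.0/16", "g2")],
    3002: [Rule(user_group="g1"), Rule(user_group="g2")],   # everything else from authenticated users
}


@dataclass
class Classifier:
    acl: int
    cvlan: Optional[int] = None        # if-match customer-vlan-id
    authenticated_only: bool = False   # if-match authenticated-user

    def matches(self, pkt: Packet) -> bool:
        if self.cvlan is not None and self.cvlan != pkt.cvlan:
            return False
        if self.authenticated_only and not pkt.authenticated:
            return False
        return any(rule.matches(pkt) for rule in ACLS[self.acl])


Policy = List[Tuple[Classifier, str]]   # ordered class-behavior pairs

# nei_waiwang_share as configured: internal-network classes first, then the per-VLAN plans.
POLICY: Policy = [
    (Classifier(3000), "3000"),                              # pre-auth internal: 5 Mbps CAR, no ITA level
    (Classifier(3001, authenticated_only=True), "3001"),     # authenticated internal: account-level 1
    (Classifier(3002, cvlan=11, authenticated_only=True), "be_2M"),
    (Classifier(3002, cvlan=12, authenticated_only=True), "be_5M"),
    (Classifier(3002, cvlan=13, authenticated_only=True), "be_5M"),
    (Classifier(3002, cvlan=14, authenticated_only=True), "be_10M"),
]

# The misordering the guideline warns against: Internet plans ahead of the internal classes.
MISORDERED_POLICY: Policy = POLICY[2:] + POLICY[:2]


def apply_policy(policy: Policy, pkt: Packet) -> Optional[str]:
    """First-match model: the behavior of the first class that matches, or None."""
    for classifier, behavior in policy:
        if classifier.matches(pkt):
            return behavior
    return None


# Constructed packets for Host A (CVLAN 11, the 2 Mbps plan).
PREAUTH_INTERNAL = Packet("5.5.5.2", "4.4.4.3", 11, authenticated=False, user_group=None)
PREAUTH_INTERNET = Packet("5.5.5.2", "101.1.1.2", 11, authenticated=False, user_group=None)
AUTH_INTERNAL = Packet("6.6.6.2", "4.4.4.3", 11, authenticated=True, user_group="g1")
AUTH_INTERNET = Packet("6.6.6.2", "101.1.1.2", 11, authenticated=True, user_group="g1")

if __name__ == "__main__":
    for label, pkt in (("pre-auth internal", PREAUTH_INTERNAL), ("pre-auth Internet", PREAUTH_INTERNET),
                       ("auth internal", AUTH_INTERNAL), ("auth Internet", AUTH_INTERNET)):
        print(f"{label:18} configured={apply_policy(POLICY, pkt)!s:6} "
              f"misordered={apply_policy(MISORDERED_POLICY, pkt)}")
```

With the configured order, Host A's authenticated traffic to the server segment lands on behavior 3001 (level 1, unbilled) and only its other traffic lands on be_2M; with the per-VLAN classes moved first, the same internal traffic is remarked with the Internet accounting level and billed at the 2 Mbps plan, while pre-authentication traffic is unaffected because those classes require an authenticated user.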

Procedures

Configuring the RADIUS server

This section uses FreeRADIUS on Linux as an example.

# Configure the RADIUS client. Add the following contents to the clients.conf file.

client 4.4.4.1/32 {
    ipaddr = 4.4.4.1
    netmask = 32
    secret = 123456
}

The contents above configure the RADIUS client IP address as 4.4.4.1 and the shared key as 123456. Two points to verify before copying this into a live network: the client address must be the source address the BRAS actually uses for RADIUS packets (in this hairpin topology 4.4.4.1 is VLAN-interface 300 on the core switch, so check the address the BRAS sources from, for example one set with the nas-ip command, against this entry), and 123456 is a placeholder that must be replaced with a long random shared key, because the integrity of every authentication and accounting exchange depends on it.

# Configure users. Add the following contents to the users file.

User1@isp1  Cleartext-Password := "pass1"

User1@isp2  Cleartext-Password := "pass1"

User2@isp1  Cleartext-Password := "pass2"

User2@isp2  Cleartext-Password := "pass2"

User3@isp1  Cleartext-Password := "pass3"

User3@isp2  Cleartext-Password := "pass3"

User4@isp1  Cleartext-Password := "pass4"

User4@isp2  Cleartext-Password := "pass4"

The contents above allow Host A, Host B, Host C, and Host D to dial up with either the @isp1 or the @isp2 suffix.

Configuring MPLS L3VPN

In this example, Router A acts as PE1 in the MPLS L3VPN configuration and acts as the PPPoE server in the BRAS configuration. For ease of understanding, Router A is described as PE1 in the MPLS L3VPN configuration section and described as BRAS in the BRAS configuration section.

Configure an IGP protocol (OSPF in this example) on the MPLS backbone to ensure IP connectivity within the backbone.

1.     Configure PE 1:

# Configure IP addresses for the loopback interface and the backbone network interface.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface gigabitethernet 3/1/1.2

[PE1-GigabitEthernet3/1/1.2] ip address 10.1.1.1 24

# Configure GigabitEthernet 3/1/1.2 to terminate VLAN tag 100 (the peer interface is VLAN-interface 100 on the P device).

[PE1-GigabitEthernet3/1/1.2] vlan-type dot1q vid 100

[PE1-GigabitEthernet3/1/1.2] quit

# Enable OSPF on the interfaces attached to the backbone network side in the area.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

2.     Configure the P device:

# Create SVLAN 101 (the outer VLAN tag of user traffic) and VLANs 100, 200, and 300.

<P> system-view

[P] vlan 101

[P-vlan101] quit

[P] vlan 100

[P-vlan100] quit

[P] vlan 200

[P-vlan200] quit

[P] vlan 300

[P-vlan300] quit

# Configure GigabitEthernet 3/0/1 (the port that receives the QinQ user traffic) as a trunk port and assign it to SVLAN 101.

[P] interface gigabitethernet 3/0/1

[P-GigabitEthernet3/0/1] port link-type trunk

[P-GigabitEthernet3/0/1] port trunk permit vlan 101

[P-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2 (the port facing BRAS) as a hybrid port and assign it to VLANs 100 and 101 as a tagged member, so that both the backbone VLAN and the outer VLAN tag of user traffic are carried to BRAS.

[P] interface gigabitethernet 3/0/2

[P-GigabitEthernet3/0/2] port link-type hybrid

[P-GigabitEthernet3/0/2] port hybrid vlan 100 101 tagged

[P-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 200.

[P] interface gigabitethernet 3/0/3

[P-GigabitEthernet3/0/3] port access vlan 200

[P-GigabitEthernet3/0/3] quit

# Assign GigabitEthernet 3/0/4 to VLAN 300.

[P] interface gigabitethernet 3/0/4

[P-GigabitEthernet3/0/4] port access vlan 300

[P-GigabitEthernet3/0/4] quit

# Create VLAN-interface 100 for connecting to BRAS, and assign an IP address to it.

[P] interface vlan-interface 100

[P-Vlan-interface100] ip address 10.1.1.2 24

[P-Vlan-interface100] quit

# Create VLAN-interface 200 for connecting to PE 2, and assign an IP address to it.

[P] interface vlan-interface 200

[P-Vlan-interface200] ip address 10.1.4.1 24

[P-Vlan-interface200] quit

# Create VLAN-interface 300 for connecting to servers, and assign an IP address to it.

[P] interface vlan-interface 300

[P-Vlan-interface300] ip address 4.4.4.1 24

[P-Vlan-interface300] quit

# Configure an IP address for the loopback interface.

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

# Enable OSPF on the interfaces attached to the backbone network side in the area.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 4.4.4.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

3.     Configure PE 2:

# Configure IP addresses for the loopback interface and the backbone network interface.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface gigabitethernet 3/0/1

[PE2-GigabitEthernet3/0/1] ip address 10.1.4.2 24

[PE2-GigabitEthernet3/0/1] quit

# Enable OSPF on the interfaces attached to the backbone network side in the area.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

4.     Execute the display ospf peer command to verify that OSPF adjacencies in Full state have been established between PE 1, P, and PE 2. Execute the display ip routing-table command to verify that the PEs have learned the routes to the loopback interfaces of each other.

Use PE1 as an example.

[PE1] display ospf peer verbose

 

          OSPF Process 1 with Router ID 1.1.1.9

                  Neighbors

 

 Area 0.0.0.0 interface 10.1.1.1(GE3/1/1.2)'s neighbors

 Router ID: 2.2.2.9          Address: 10.1.1.2        GR State: Normal

   State: Full  Mode: Nbr is Master  Priority: 1

   DR: 10.1.1.2  BDR: 10.1.1.1  MTU: 0

   Options is 0x02 (-|-|-|-|-|-|E|-)

   Dead timer due in 38  sec

   Neighbor is up for 17:30:25

   Authentication Sequence: [ 0 ]

   Neighbor state change count: 6

   BFD status: Disabled

[PE1] display ip routing-table protocol ospf

 

Summary Count : 6

 

OSPF Routing table Status : <Active>

Summary Count : 4

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

2.2.2.9/32         O_INTRA 10  1           10.1.1.2        GE3/1/1.2

3.3.3.9/32         O_INTRA 10  2           10.1.1.2        GE3/1/1.2

4.4.4.0/24         O_INTRA 10  2           10.1.1.2        GE3/1/1.2

10.1.4.0/24        O_INTRA 10  2           10.1.1.2        GE3/1/1.2

 

OSPF Routing table Status : <Inactive>

Summary Count : 2

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

1.1.1.9/32         O_INTRA 10  0           1.1.1.9         Loop0

10.1.1.0/24        O_INTRA 10  1           10.1.1.1        GE3/1/1.2

Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs

1.     Configure PE 1:

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface gigabitethernet 3/1/1.2

[PE1-GigabitEthernet3/1/1.2] mpls enable

[PE1-GigabitEthernet3/1/1.2] mpls ldp enable

[PE1-GigabitEthernet3/1/1.2] quit

2.     Configure the P device:

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 100

[P-Vlan-interface100] mpls enable

[P-Vlan-interface100] mpls ldp enable

[P-Vlan-interface100] quit

[P] interface vlan-interface 200

[P-Vlan-interface200] mpls enable

[P-Vlan-interface200] mpls ldp enable

[P-Vlan-interface200] quit

3.     Configure PE 2:

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface gigabitethernet 3/0/1

[PE2-GigabitEthernet3/0/1] mpls enable

[PE2-GigabitEthernet3/0/1] mpls ldp enable

[PE2-GigabitEthernet3/0/1] quit

4.     Execute the display mpls ldp peer command to verify that LDP sessions in Operational state have been established between PE 1, P, and PE 2. Execute the display mpls ldp lsp command to verify that the LSPs have been established by LDP.

Use PE1 as an example.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID             State         Role     GR   MD5  KA Sent/Rcvd

2.2.2.9:0               Operational   Passive  Off  Off  5/5

[PE1] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 4            Ingress: 1          Transit: 1      Egress: 3

 

FEC                In/Out Label        Nexthop         OutInterface

1.1.1.9/32         3/-

                   -/1151(L)

2.2.2.9/32         -/3                 10.1.1.2        GE3/1/1.2

                   1151/3              10.1.1.2        GE3/1/1.2

3.3.3.9/32         -/1150              10.1.1.2        GE3/1/1.2

                   1150/1150           10.1.1.2        GE3/1/1.2

Configuring VPN instances on PEs to allow CE access

1.     Configure PE 1:

# Create VPN instance named vpn_isp1 for ISP 1.

[PE1] ip vpn-instance vpn_isp1

# Configure the RD as 100:1 for the VPN instance. The RD is used for generating VPNv4 routes and distinguishing routes of different users on the same network segment.

[PE1-vpn-instance-vpn_isp1] route-distinguisher 100:1

# Configure import target 111:1 and export target 222:1 for the VPN instance. (To differentiate the meanings of export target and import target, this section uses different values for the two targets. For ease of management, you can configure the same value for the two targets.)

[PE1-vpn-instance-vpn_isp1] vpn-target 111:1 import-extcommunity

[PE1-vpn-instance-vpn_isp1] vpn-target 222:1 export-extcommunity

[PE1-vpn-instance-vpn_isp1] quit

# Create VPN instance named vpn_isp2 for ISP 2. Configure RD 200:1, import target 333:1, and export target 444:1 for the VPN instance.

[PE1] ip vpn-instance vpn_isp2

[PE1-vpn-instance-vpn_isp2] route-distinguisher 200:1

[PE1-vpn-instance-vpn_isp2] vpn-target 333:1 import-extcommunity

[PE1-vpn-instance-vpn_isp2] vpn-target 444:1 export-extcommunity

[PE1-vpn-instance-vpn_isp2] quit

 

 

NOTE:

After a user successfully passes PPPoE dialup authentication, PE 1 will add the host route of the user to the routing table of the user's VPN instance. Therefore, you do not need to bind the user access interface to a VPN instance on PE 1.

 

2.     Configure PE 2:

# Create VPN instance named vpn_isp1 for ISP 1 on PE 2.

[PE2] ip vpn-instance vpn_isp1

# Configure an RD for the VPN instance. For ease of identification, as a best practice, set the same RD as that on PE 1.

[PE2-vpn-instance-vpn_isp1] route-distinguisher 100:1

# Configure the import target and export target for the VPN instance, which must be the same as the export target and import target on PE 1.

[PE2-vpn-instance-vpn_isp1] vpn-target 222:1 import-extcommunity

[PE2-vpn-instance-vpn_isp1] vpn-target 111:1 export-extcommunity

[PE2-vpn-instance-vpn_isp1] quit

# Create VPN instance named vpn_isp2 for ISP 2. Configure RD 200:1, import target 444:1, and export target 333:1 for the VPN instance.

[PE2] ip vpn-instance vpn_isp2

[PE2-vpn-instance-vpn_isp2] route-distinguisher 200:1

[PE2-vpn-instance-vpn_isp2] vpn-target 444:1 import-extcommunity

[PE2-vpn-instance-vpn_isp2] vpn-target 333:1 export-extcommunity

[PE2-vpn-instance-vpn_isp2] quit

# Bind GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 to VPN instance vpn_isp1 and VPN instance vpn_isp2, respectively.

[PE2] interface gigabitethernet 3/0/2

[PE2-GigabitEthernet3/0/2] ip binding vpn-instance vpn_isp1

[PE2-GigabitEthernet3/0/2] ip address 101.1.1.1 24

[PE2-GigabitEthernet3/0/2] quit

[PE2] interface gigabitethernet 3/0/3

[PE2-GigabitEthernet3/0/3] ip binding vpn-instance vpn_isp2

[PE2-GigabitEthernet3/0/3] ip address 202.1.1.1 24

[PE2-GigabitEthernet3/0/3] quit

3.     Configure IP addresses for interfaces on the CE as shown in Figure 29. (Details not shown.)
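To make the import/export target matching described above concrete, the following added Python model (not H3C code) computes which VPNv4 routes each VPN instance on PE 1 and PE 2 imports from the RD and RT values configured in this example, using the standard MPLS L3VPN rule that a route is imported when one of its export targets appears in the receiving instance's import list. The local prefixes and the misconfigured instance in the check are constructed for illustration.

```python
# Added model of RD/RT-based VPNv4 route import (standard L3VPN semantics); not H3C code.
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    pe: str
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # RD prepended by the advertising PE; keeps overlapping prefixes distinct
    prefix: str
    rts: frozenset     # export targets carried as extended communities
    origin_pe: str


# RD/RT values taken from the configuration in this example.
PE1_ISP1 = VpnInstance("PE1", "vpn_isp1", "100:1", frozenset({"111:1"}), frozenset({"222:1"}))
PE1_ISP2 = VpnInstance("PE1", "vpn_isp2", "200:1", frozenset({"333:1"}), frozenset({"444:1"}))
PE2_ISP1 = VpnInstance("PE2", "vpn_isp1", "100:1", frozenset({"222:1"}), frozenset({"111:1"}))
PE2_ISP2 = VpnInstance("PE2", "vpn_isp2", "200:1", frozenset({"444:1"}), frozenset({"333:1"}))

# Constructed local routes: PE 2 redistributes its CE-facing direct routes, PE 1 the host
# routes installed for two authenticated PPPoE users (addresses chosen for illustration).
LOCAL_ROUTES = {
    ("PE1", "vpn_isp1"): {"6.6.0.5/32"},
    ("PE1", "vpn_isp2"): {"7.7.0.9/32"},
    ("PE2", "vpn_isp1"): {"101.1.1.0/24"},
    ("PE2", "vpn_isp2"): {"202.1.1.0/24"},
}


def advertise(instances, local_routes):
    """Each PE turns its VPN instance routes into VPNv4 routes tagged with the export RTs."""
    routes = []
    for inst in instances:
        for prefix in local_routes.get((inst.pe, inst.name), ()):
            routes.append(Vpnv4Route(inst.rd, prefix, inst.export_rts, inst.pe))
    return routes


def build_vpn_tables(instances, local_routes):
    """Return {(pe, vpn): imported prefixes}. A VPNv4 route is imported into an instance on
    another PE only if at least one of its RTs is in that instance's import list; the RD
    plays no part in the decision (which is why equal RDs on both PEs are only a convenience)."""
    vpnv4 = advertise(instances, local_routes)
    tables = {}
    for inst in instances:
        tables[(inst.pe, inst.name)] = {
            r.prefix for r in vpnv4
            if r.origin_pe != inst.pe and r.rts & inst.import_rts
        }
    return tables


def rt_symmetric(a, b):
    """True when a's export RTs are imported by b and vice versa, i.e. the two instances
    exchange routes in both directions, as the text requires for vpn_isp1 on PE 1 and PE 2."""
    return bool(a.export_rts & b.import_rts) and bool(b.export_rts & a.import_rts)


if __name__ == "__main__":
    tables = build_vpn_tables([PE1_ISP1, PE1_ISP2, PE2_ISP1, PE2_ISP2], LOCAL_ROUTES)
    for key in sorted(tables):
        print(key, sorted(tables[key]))
```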

Establishing EBGP peer relationships between PEs and CEs, and redistributing VPN routes into BGP

1.     Configure PE 1:

# Create BGP process 100 on PE 1.

[PE1] bgp 100

 

 

NOTE:

After a user successfully passes PPPoE dialup authentication, the BRAS acting as PE 1 adds the host route corresponding to the IP address assigned to the user to the routing table of the VPN instance to which the user belongs. Therefore, you only need to redistribute the direct routes of the host into the routing table of the BGP-VPN instance.

 

# Redistribute the direct routes in the routing table of VPN instance vpn_isp1 on PE 1 into the routing table of the BGP-VPN instance.

[PE1-bgp-default] ip vpn-instance vpn_isp1

[PE1-bgp-default-vpn_isp1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn_isp1] import-route direct

[PE1-bgp-default-ipv4-vpn_isp1] quit

[PE1-bgp-default-vpn_isp1] quit

# Redistribute the direct routes in the routing table of VPN instance vpn_isp2 on PE 1 into the routing table of the BGP-VPN instance.

[PE1-bgp-default] ip vpn-instance vpn_isp2

[PE1-bgp-default-vpn_isp2] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn_isp2] import-route direct

[PE1-bgp-default-ipv4-vpn_isp2] quit

[PE1-bgp-default-vpn_isp2] quit

[PE1-bgp-default] quit

2.     Configure PE 2:

# Create BGP process 100 on PE 2.

[PE2] bgp 100

# Specify CE 1 as the peer. Redistribute the direct routes in the routing table of PE 2 into the routing table of the BGP-VPN instance.

[PE2-bgp-default] ip vpn-instance vpn_isp1

[PE2-bgp-default-vpn_isp1] peer 101.1.1.2 as-number 65430

[PE2-bgp-default-vpn_isp1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn_isp1] peer 101.1.1.2 enable

[PE2-bgp-default-ipv4-vpn_isp1] import-route direct

[PE2-bgp-default-ipv4-vpn_isp1] quit

[PE2-bgp-default-vpn_isp1] quit

# Specify CE 2 as the peer. Redistribute the direct routes in the routing table of PE 2 into the routing table of the BGP-VPN instance.

[PE2-bgp-default] ip vpn-instance vpn_isp2

[PE2-bgp-default-vpn_isp2] peer 202.1.1.2 as-number 65430

[PE2-bgp-default-vpn_isp2] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn_isp2] peer 202.1.1.2 enable

[PE2-bgp-default-ipv4-vpn_isp2] import-route direct

[PE2-bgp-default-ipv4-vpn_isp2] quit

[PE2-bgp-default-vpn_isp2] quit

[PE2-bgp-default] quit

3.     Configure CE 1:

# Create BGP process 65430 on CE 1. Specify PE 2 as the peer with AS number 100.

<CE1> system-view

[CE1] bgp 65430

[CE1-bgp-default] peer 101.1.1.1 as-number 100

# Enable CE 1 to exchange routing information for an address family with peer 101.1.1.1.

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 101.1.1.1 enable

# Redistribute the direct route connected to the host on CE 1 into EBGP.

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

4.     Configure CE 2:

# Create BGP process 65430 on CE 2. Specify PE 2 as the peer with AS number 100.

<CE2> system-view

[CE2] bgp 65430

[CE2-bgp-default] peer 202.1.1.1 as-number 100

# Enable CE 2 to exchange routing information for an address family with peer 202.1.1.1.

[CE2-bgp-default] address-family ipv4 unicast

[CE2-bgp-default-ipv4] peer 202.1.1.1 enable

# Redistribute the direct route connected to the host on CE 2 into EBGP.

[CE2-bgp-default-ipv4] import-route direct

[CE2-bgp-default-ipv4] quit

[CE2-bgp-default] quit

Establishing MP-IBGP peer relationships between PEs

1.     Configure PE 1:

# On PE 1, specify PE 2 as the BGP peer, and specify loopback 0 as the source interface for TCP connections to the peer.

[PE1] bgp 100

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

# Enter BGP VPNv4 address family view, and specify PE 2 as the peer.

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

2.     Configure PE 2:

# On PE 2, specify PE 1 as the BGP peer, and specify loopback 0 as the source interface for TCP connections to the peer.

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.9 as-number 100

[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0

# Enter BGP VPNv4 address family view, and specify PE 1 as the peer.

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

3.     After the configuration is completed, execute the display bgp peer vpnv4 command to verify that the BGP peer relationships have been established between PEs and are in Established state.

[PE1] display bgp peer vpnv4

 

 BGP local router ID: 1.1.1.9

 Local AS number: 100

 Total number of peers: 1                  Peers in established state: 1

 

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

 

  3.3.3.9                100        8        8    0       0 00:00:08 Established

4.     Execute the display ip routing-table vpn-instance command on a PE to view the route destined to the peer CE 1.

Use vpn_isp1 as an example on PE1.

[PE1] display ip routing-table vpn-instance vpn_isp1

 

Destinations : 9        Routes : 9

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/32          Direct 0    0            127.0.0.1       InLoop0

101.1.1.0/24        BGP    255  0            3.3.3.9         GE3/1/1.2

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/32        Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

127.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

224.0.0.0/4         Direct 0    0            0.0.0.0         NULL0

224.0.0.0/24        Direct 0    0            0.0.0.0         NULL0

255.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

Configuring the DHCP server

# Configure IP addresses for GigabitEthernet 3/0/1 as shown in Figure 29. (Details not shown.)

# Enable DHCP.

<DHCP> system-view

[DHCP] dhcp enable

# Create address pool pool1, which is used by users before performing authentication.

[DHCP] dhcp server ip-pool pool1

# Specify primary subnet 5.5.0.0/16 for dynamic allocation in the address pool. Specify gateway address 5.5.5.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool1] network 5.5.0.0 16

[DHCP-dhcp-pool-pool1] gateway-list 5.5.5.1

[DHCP-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 5.5.5.1 from dynamic allocation.

[DHCP-dhcp-pool-pool1] forbidden-ip 5.5.5.1

[DHCP-dhcp-pool-pool1] quit

# Create address pool pool2 for users in ISP domain isp1.

[DHCP] dhcp server ip-pool pool2

# Specify primary subnet 6.6.0.0/16 for dynamic allocation in the address pool. Specify gateway address 6.6.6.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool2] network 6.6.0.0 16

[DHCP-dhcp-pool-pool2] gateway-list 6.6.6.1

[DHCP-dhcp-pool-pool2] dns-list 8.8.8.8

# Exclude IP address 6.6.6.1 from dynamic allocation.

[DHCP-dhcp-pool-pool2] forbidden-ip 6.6.6.1

[DHCP-dhcp-pool-pool2] quit

# Create address pool pool3 for users in ISP domain isp2.

[DHCP] dhcp server ip-pool pool3

# Specify primary subnet 7.7.0.0/16 for dynamic allocation in the address pool. Specify gateway address 7.7.7.1 and DNS server address 8.8.8.8 in the address pool.

[DHCP-dhcp-pool-pool3] network 7.7.0.0 16

[DHCP-dhcp-pool-pool3] gateway-list 7.7.7.1

[DHCP-dhcp-pool-pool3] dns-list 8.8.8.8

# Exclude IP address 7.7.7.1 from dynamic allocation.

[DHCP-dhcp-pool-pool3] forbidden-ip 7.7.7.1

[DHCP-dhcp-pool-pool3] quit

# Configure the default route to the PPPoE server (BRAS).

[DHCP] ip route-static 0.0.0.0 0 4.4.4.1

Configuring the BRAS

Configuring a user group

# Create user group g1 for ISP1.

<BRAS> system-view

[BRAS] user-group g1

New user group added.

[BRAS-ugroup-g1] quit

# Create user group g2 for ISP2.

[BRAS] user-group g2

New user group added.

[BRAS-ugroup-g2] quit

Configuring a QoS policy to rate-limit the traffic to 5 Mbps but not perform accounting for internal network access traffic

This example uses user network segments (including 5.5.0.0/16 for users before PPPoE authentication, 6.6.0.0/16 for users in vpn_isp1, and 7.7.0.0/16 for users in vpn_isp2) and server network segment 4.4.4.0/24 as the internal network segments.

1.     Configure the QoS policy for users before PPPoE dialup authentication:

# Configure ACL 3000.

[BRAS] acl advanced 3000

# Configure rules to match the packets between users (on network segment 5.5.0.0/16) and servers (on 4.4.4.0/24) before PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3000] rule 0 permit ip source 5.5.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255

[BRAS-acl-ipv4-adv-3000] rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 5.5.0.0 0.0.255.255

# Configure a rule to match the packets between users (on network segment 5.5.0.0/16) before PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3000] rule 20 permit ip source 5.5.0.0 0.0.255.255 destination 5.5.0.0 0.0.255.255

[BRAS-acl-ipv4-adv-3000] quit

# Configure class 3000 to match packets matching ACL 3000.

[BRAS] traffic classifier 3000 operator and

[BRAS-classifier-3000] if-match acl 3000

[BRAS-classifier-3000] quit

# Configure behavior 3000 to count traffic in bytes and rate-limit the traffic to 5000 kbps.

[BRAS] traffic behavior 3000

[BRAS-behavior-3000] accounting byte

[BRAS-behavior-3000] car cir 5000

[BRAS-behavior-3000] quit

# Create QoS policy nei_waiwang_share and associate class 3000 with behavior 3000.

[BRAS] qos policy nei_waiwang_share

[BRAS-qospolicy-nei_waiwang_share] classifier 3000 behavior 3000

[BRAS-qospolicy-nei_waiwang_share] quit

2.     Configure the QoS policy for users passing PPPoE dialup authentication:

# Configure ACL 3001.

[BRAS] acl advanced 3001

# Configure rules to match the packets between users in vpn_isp1 (on network segment 6.6.0.0/16) and servers (on 4.4.4.0/24) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 10 permit ip source 6.6.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g1

[BRAS-acl-ipv4-adv-3001] rule 20 permit ip source 4.4.4.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

# Configure a rule to match the packets between users in vpn_isp1 (on network segment 6.6.0.0/16) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 30 permit ip source 6.6.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

# Configure rules to match the packets between users in vpn_isp2 (on network segment 7.7.0.0/16) and servers (on 4.4.4.0/24) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 40 permit ip source 7.7.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g2

[BRAS-acl-ipv4-adv-3001] rule 50 permit ip source 4.4.4.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

# Configure a rule to match the packets between users in vpn_isp2 (on network segment 7.7.0.0/16) after PPPoE dialup authentication.

[BRAS-acl-ipv4-adv-3001] rule 60 permit ip source 7.7.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3001] quit

 

 

NOTE:

Because the default action of an ACL is none (neither permit nor deny), traffic that does not match any rule is simply not selected by the class that references the ACL. Therefore, do not add a deny-all rule (for example, rule 70 deny ip) after the last rule in ACL 3001. Otherwise, when the device executes QoS policy nei_waiwang_share, the class-behavior associations that follow the classifier 3001 behavior 3001 association cannot match any traffic.

 

# Configure class 3001 to match packets matching ACL 3001 and from authenticated users.

[BRAS] traffic classifier 3001 operator and

[BRAS-classifier-3001] if-match acl 3001

[BRAS-classifier-3001] if-match authenticated-user

[BRAS-classifier-3001] quit

# Configure behavior 3001 to mark traffic with accounting level 1 and count traffic in bytes.

[BRAS] traffic behavior 3001

[BRAS-behavior-3001] remark account-level 1

[BRAS-behavior-3001] accounting byte

[BRAS-behavior-3001] quit

# In QoS policy nei_waiwang_share, associate class 3001 with behavior 3001.

[BRAS] qos policy nei_waiwang_share

[BRAS-qospolicy-nei_waiwang_share] classifier 3001 behavior 3001

[BRAS-qospolicy-nei_waiwang_share] quit

Configuring a QoS policy to rate limit and perform accounting for Internet access traffic

# Configure ACL 3002.

[BRAS] acl advanced 3002

# Configure rules to match all packets.

[BRAS-acl-ipv4-adv-3002] rule 0 permit ip user-group g1

[BRAS-acl-ipv4-adv-3002] rule 10 permit ip user-group g2

[BRAS-acl-ipv4-adv-3002] quit

# Configure class cl_user1 to match packets carrying CVLAN 11, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user1 operator and

[BRAS-classifier-cl_user1] if-match customer-vlan-id 11

[BRAS-classifier-cl_user1] if-match acl 3002

[BRAS-classifier-cl_user1] if-match authenticated-user

[BRAS-classifier-cl_user1] quit

# Configure class cl_user2 to match packets carrying CVLAN 12, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user2 operator and

[BRAS-classifier-cl_user2] if-match customer-vlan-id 12

[BRAS-classifier-cl_user2] if-match acl 3002

[BRAS-classifier-cl_user2] if-match authenticated-user

[BRAS-classifier-cl_user2] quit

# Configure class cl_user3 to match packets carrying CVLAN 13, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user3 operator and

[BRAS-classifier-cl_user3] if-match customer-vlan-id 13

[BRAS-classifier-cl_user3] if-match acl 3002

[BRAS-classifier-cl_user3] if-match authenticated-user

[BRAS-classifier-cl_user3] quit

# Configure class cl_user4 to match packets carrying CVLAN 14, matching ACL 3002, and from authenticated users.

[BRAS] traffic classifier cl_user4 operator and

[BRAS-classifier-cl_user4] if-match customer-vlan-id 14

[BRAS-classifier-cl_user4] if-match acl 3002

[BRAS-classifier-cl_user4] if-match authenticated-user

[BRAS-classifier-cl_user4] quit

# Configure traffic behavior be_2M to mark traffic with accounting level 2 and count traffic in bytes.

[BRAS] traffic behavior be_2M

[BRAS-behavior-be_2M] remark account-level 2

[BRAS-behavior-be_2M] accounting byte

[BRAS-behavior-be_2M] quit

# Configure traffic behavior be_5M to mark traffic with accounting level 3 and count traffic in bytes.

[BRAS] traffic behavior be_5M

[BRAS-behavior-be_5M] remark account-level 3

[BRAS-behavior-be_5M] accounting byte

[BRAS-behavior-be_5M] quit

# Configure traffic behavior be_10M to mark traffic with accounting level 4 and count traffic in bytes.

[BRAS] traffic behavior be_10M

[BRAS-behavior-be_10M] remark account-level 4

[BRAS-behavior-be_10M] accounting byte

[BRAS-behavior-be_10M] quit

# Associate classes with behaviors in QoS policy nei_waiwang_share.

[BRAS] qos policy nei_waiwang_share

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user1 behavior be_2M

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user2 behavior be_5M

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user3 behavior be_5M

[BRAS-qospolicy-nei_waiwang_share] classifier cl_user4 behavior be_10M

[BRAS-qospolicy-nei_waiwang_share] quit

Applying the QoS policy

# Enter the view of interface GigabitEthernet 3/1/1.1.

[BRAS] interface gigabitethernet 3/1/1.1

# Apply QoS policy nei_waiwang_share to the interface.

[BRAS-GigabitEthernet3/1/1.1] qos apply policy nei_waiwang_share inbound

[BRAS-GigabitEthernet3/1/1.1] qos apply policy nei_waiwang_share outbound

[BRAS-GigabitEthernet3/1/1.1] quit

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

[BRAS] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[BRAS-radius-rs1] primary authentication 4.4.4.2

[BRAS-radius-rs1] primary accounting 4.4.4.2

[BRAS-radius-rs1] key authentication simple 123456

[BRAS-radius-rs1] key accounting simple 123456

# Enable accounting-on for RADIUS scheme rs1.

[BRAS-radius-rs1] accounting-on enable

[BRAS-radius-rs1] quit

# Specify the DAC as 4.4.4.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

[BRAS] radius dynamic-author server

[BRAS-radius-da-server] client ip 4.4.4.2 key simple 123456

[BRAS-radius-da-server] quit

Configuring an ITA policy

# Create ITA policy pl_ita, and use RADIUS scheme rs1 for accounting.

[BRAS] ita policy pl_ita

[BRAS-ita-policy-pl_ita] accounting-method radius-scheme rs1

# Configure the accounting levels and their rate limits.

[BRAS-ita-policy-pl_ita] accounting-level 1 ipv4 car inbound cir 5000 outbound cir 5000

[BRAS-ita-policy-pl_ita] accounting-level 2 ipv4 car inbound cir 2000 outbound cir 2000

[BRAS-ita-policy-pl_ita] accounting-level 3 ipv4 car inbound cir 5000 outbound cir 5000

[BRAS-ita-policy-pl_ita] accounting-level 4 ipv4 car inbound cir 10000 outbound cir 10000

Configuring the DHCP relay agent

# Enable DHCP.

[BRAS] dhcp enable

# Enter the view of interface GigabitEthernet 3/1/1.1.

[BRAS] interface gigabitethernet 3/1/1.1

# Enable recording client information in relay entries.

[BRAS] dhcp relay client-information record

# Create DHCP relay address pool pool1, and specify gateway addresses and the DHCP server for the address pool.

[BRAS] dhcp server ip-pool pool1

[BRAS-dhcp-pool-pool1] gateway-list 6.6.6.1 export-route

[BRAS-dhcp-pool-pool1] remote-server 4.4.4.3

# Apply DHCP relay address pool pool1 to VPN instance vpn_isp1.

[BRAS-dhcp-pool-pool1] vpn-instance vpn_isp1

[BRAS-dhcp-pool-pool1] quit

# Create DHCP relay address pool pool2, and specify gateway addresses and the DHCP server for the address pool.

[BRAS] dhcp server ip-pool pool2

[BRAS-dhcp-pool-pool2] gateway-list 7.7.7.1 export-route

[BRAS-dhcp-pool-pool2] remote-server 4.4.4.3

# Apply DHCP relay address pool pool2 to VPN instance vpn_isp2.

[BRAS-dhcp-pool-pool2] vpn-instance vpn_isp2

[BRAS-dhcp-pool-pool2] quit

Configuring an ISP domain

# Create ISP domain isp1, and enter its view.

[BRAS] domain name isp1

# Configure PPP users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-isp1] authentication ppp radius-scheme rs1

[BRAS-isp-isp1] authorization ppp radius-scheme rs1

[BRAS-isp-isp1] accounting ppp radius-scheme rs1

# Configure ISP domain isp1 to use ITA policy pl_ita.

[BRAS-isp-isp1] ita-policy pl_ita

# Specify IPv4 address pool pool1 as the authorization IPv4 address pool and user group g1 as the authorization user group for users in ISP domain isp1.

[BRAS-isp-isp1] authorization-attribute ip-pool pool1

[BRAS-isp-isp1] authorization-attribute user-group g1

# Specify VPN instance vpn_isp1 as the authorization VPN instance for users in ISP domain isp1.

[BRAS-isp-isp1] authorization-attribute vpn-instance vpn_isp1

[BRAS-isp-isp1] quit

# Create ISP domain isp2, and enter its view.

[BRAS] domain name isp2

# Configure PPP users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-isp2] authentication ppp radius-scheme rs1

[BRAS-isp-isp2] authorization ppp radius-scheme rs1

[BRAS-isp-isp2] accounting ppp radius-scheme rs1

# Configure ISP domain isp2 to use ITA policy pl_ita.

[BRAS-isp-isp2] ita-policy pl_ita

# Specify IPv4 address pool pool2 as the authorization IPv4 address pool and user group g2 as the authorization user group for users in ISP domain isp2.

[BRAS-isp-isp2] authorization-attribute ip-pool pool2

[BRAS-isp-isp2] authorization-attribute user-group g2

# Specify VPN instance vpn_isp2 as the authorization VPN instance for users in ISP domain isp2.

[BRAS-isp-isp2] authorization-attribute vpn-instance vpn_isp2

[BRAS-isp-isp2] quit

Configuring a VT interface

# Create interface Virtual-Template 1, and enable PPP accounting and CHAP authentication.

[BRAS] interface virtual-template 1

[BRAS-Virtual-Template1] ppp account-statistics enable

[BRAS-Virtual-Template1] ppp authentication-mode chap

[BRAS-Virtual-Template1] quit

Configuring VLAN termination

# Configure VLAN termination on GigabitEthernet 3/1/1.1, and bind the interface to Virtual-Template 1.

[BRAS] interface gigabitethernet 3/1/1.1

[BRAS-GigabitEthernet3/1/1.1] vlan-type dot1q vid 101 second-dot1q 11 to 14

[BRAS-GigabitEthernet3/1/1.1] pppoe-server bind virtual-template 1

Configuring PBR policies

To ensure traffic forwarding between VPNs, you must configure static routes and policy-based routes.

1.     Configure static routes to forward traffic in the DHCP request direction in the VPN instances to the DHCP server:

# Configure a static route to redirect traffic in the DHCP request direction in VPN instance vpn_isp1 to the DHCP server.

[BRAS] ip route-static vpn-instance vpn_isp1 4.4.4.0 24 4.4.4.3 public

# Configure a static route to redirect traffic in the DHCP request direction in VPN instance vpn_isp2 to the DHCP server.

[BRAS] ip route-static vpn-instance vpn_isp2 4.4.4.0 24 4.4.4.3 public

2.     Configure PBR to forward the response traffic from the DHCP server to the VPN instances of DHCP clients:

# Create ACL 3010 to match packets destined to network segment 6.6.0.0/16.

[BRAS] acl advanced 3010

[BRAS-acl-ipv4-adv-3010] rule 0 permit ip destination 6.6.0.0 0.0.255.255 user-group g1

[BRAS-acl-ipv4-adv-3010] quit

# Create ACL 3020 to match packets destined to network segment 7.7.0.0/16.

[BRAS] acl advanced 3020

[BRAS-acl-ipv4-adv-3020] rule 0 permit ip destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3020] quit

# Create PBR policy named P_to_Bras, and configure permit-mode node 0 in the policy to forward packets matching ACL 3010 in VPN instance vpn_isp1.

[BRAS] policy-based-route P_to_Bras permit node 0

[BRAS-pbr-P_to_Bras-0] if-match acl 3010

[BRAS-pbr-P_to_Bras-0] apply access-vpn vpn-instance vpn_isp1

[BRAS-pbr-P_to_Bras-0] quit

# In PBR policy named P_to_Bras, configure permit-mode node 1 to forward packets matching ACL 3020 in VPN instance vpn_isp2.

[BRAS] policy-based-route P_to_Bras permit node 1

[BRAS-pbr-P_to_Bras-1] if-match acl 3020

[BRAS-pbr-P_to_Bras-1] apply access-vpn vpn-instance vpn_isp2

[BRAS-pbr-P_to_Bras-1] quit

# Apply policy P_to_Bras to GigabitEthernet 3/1/1.2.

[BRAS] interface gigabitethernet 3/1/1.2

[BRAS-GigabitEthernet3/1/1.2] ip policy-based-route P_to_Bras

[BRAS-GigabitEthernet3/1/1.2] quit

 

 

NOTE:

·     To ensure traffic forwarding between VPN instances and the public network instance (ensure that users passing PPPoE dialup authentication can access resources in the campus network, for example, access loopback0 address 2.2.2.9 of the P device), configure static routes and policy-based routes.

·     For VPN instances and the public network instance to communicate bidirectionally, make sure the static routes configured in step 3 correspond to the network segments matched by the ACLs in step 4 on a one-to-one basis.

 

3.     Configure static routes to forward traffic accessing the public network instance in the VPN instances to the public network instance:

# Configure a static route to allow users in VPN instance vpn_isp1 to access network segment 2.2.2.0/24 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp1 2.2.2.0 24 10.1.1.2 public

# Configure a static route to allow users in VPN instance vpn_isp1 to access network segment 3.3.0.0/16 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp1 3.3.0.0 16 10.1.1.2 public

# Configure a static route to allow users in VPN instance vpn_isp2 to access network segment 2.2.2.0/24 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp2 2.2.2.0 24 10.1.1.2 public

# Configure a static route to allow users in VPN instance vpn_isp2 to access network segment 3.3.0.0/16 in the public network instance.

[BRAS] ip route-static vpn-instance vpn_isp2 3.3.0.0 16 10.1.1.2 public

4.     Configure PBR to forward the public network instance's response to traffic in step 3 to the corresponding VPN instances:

# Create ACL 3030 to match packets sourced from network segment 2.2.2.0/24 or 3.3.0.0/16 and destined to network segment 6.6.0.0/16.

[BRAS] acl advanced 3030

[BRAS-acl-ipv4-adv-3030] rule permit ip source 2.2.2.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

[BRAS-acl-ipv4-adv-3030] rule permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

[BRAS-acl-ipv4-adv-3030] quit

# Create ACL 3040 to match packets sourced from network segment 2.2.2.0/24 or 3.3.0.0/16 and destined to network segment 7.7.0.0/16.

[BRAS] acl advanced 3040

[BRAS-acl-ipv4-adv-3040] rule permit ip source 2.2.2.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3040] rule permit ip source 3.3.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

[BRAS-acl-ipv4-adv-3040] quit

 

 

NOTE:

Because only subinterface GigabitEthernet 3/1/1.2 on BRAS is connected to the P device at Layer 3 and only one policy can be deployed on one subinterface, the returning traffic from P to BRAS in step 4 and the DHCP response packets in step 2 must share one PBR policy P_to_Bras.

 

# In PBR policy named P_to_Bras, configure permit-mode node 2 in the policy to forward packets matching ACL 3030 in VPN instance vpn_isp1.

[BRAS] policy-based-route P_to_Bras permit node 2

[BRAS-pbr-P_to_Bras-2] if-match acl 3030

[BRAS-pbr-P_to_Bras-2] apply access-vpn vpn-instance vpn_isp1

[BRAS-pbr-P_to_Bras-2] quit

# In PBR policy named P_to_Bras, configure permit-mode node 3 to forward packets matching ACL 3040 in VPN instance vpn_isp2.

[BRAS] policy-based-route P_to_Bras permit node 3

[BRAS-pbr-P_to_Bras-3] if-match acl 3040

[BRAS-pbr-P_to_Bras-3] apply access-vpn vpn-instance vpn_isp2

[BRAS-pbr-P_to_Bras-3] quit

# Apply policy P_to_Bras to GigabitEthernet 3/1/1.2.

[BRAS] interface gigabitethernet 3/1/1.2

[BRAS-GigabitEthernet3/1/1.2] ip policy-based-route P_to_Bras

[BRAS-GigabitEthernet3/1/1.2] quit

5.     Enable OSPF on the interface attached to network 5.5.0.0/16 in OSPF area 0 on PE 1, so that P and PE 2 can learn the routes.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 5.5.0.0 0.0.255.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

6.     Configure static routes to network segments 6.6.0.0/16 and 7.7.0.0/16 on the P device.

[P] ip route-static 6.6.0.0 16 10.1.1.1

[P] ip route-static 7.7.0.0 16 10.1.1.1

7.     Configure static routes to network segments 6.6.0.0/16 and 7.7.0.0/16 on PE 2.

[PE2] ip route-static 6.6.0.0 16 10.1.4.1

[PE2] ip route-static 7.7.0.0 16 10.1.4.1
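The one-to-one correspondence between the static routes in step 3 and the ACLs in step 4 is easy to get wrong when nodes are added to P_to_Bras over time. The following added check (not H3C code) parses a constructed excerpt of the PBR-related BRAS lines from this example, models the first-match evaluation of PBR nodes and ACL rules, simulates the reply to every VPN-to-public static route, and reports replies that the policy would not steer back into the originating VPN instance. The user segment and user group assumed for each VPN instance, and the misconfigured variant used to show a failure, are constructed for the model.

```python
import ipaddress
import re

# Constructed excerpt of the PBR-related lines configured on the BRAS in this example.
BRAS_CONFIG = """
ip route-static vpn-instance vpn_isp1 4.4.4.0 24 4.4.4.3 public
ip route-static vpn-instance vpn_isp2 4.4.4.0 24 4.4.4.3 public
ip route-static vpn-instance vpn_isp1 2.2.2.0 24 10.1.1.2 public
ip route-static vpn-instance vpn_isp1 3.3.0.0 16 10.1.1.2 public
ip route-static vpn-instance vpn_isp2 2.2.2.0 24 10.1.1.2 public
ip route-static vpn-instance vpn_isp2 3.3.0.0 16 10.1.1.2 public
acl advanced 3010
 rule 0 permit ip destination 6.6.0.0 0.0.255.255 user-group g1
acl advanced 3020
 rule 0 permit ip destination 7.7.0.0 0.0.255.255 user-group g2
acl advanced 3030
 rule permit ip source 2.2.2.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1
 rule permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1
acl advanced 3040
 rule permit ip source 2.2.2.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2
 rule permit ip source 3.3.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2
policy-based-route P_to_Bras permit node 0
 if-match acl 3010
 apply access-vpn vpn-instance vpn_isp1
policy-based-route P_to_Bras permit node 1
 if-match acl 3020
 apply access-vpn vpn-instance vpn_isp2
policy-based-route P_to_Bras permit node 2
 if-match acl 3030
 apply access-vpn vpn-instance vpn_isp1
policy-based-route P_to_Bras permit node 3
 if-match acl 3040
 apply access-vpn vpn-instance vpn_isp2
"""

# Assumed user segment and authorization user group of each VPN instance (ISP domain config).
VPN_USERS = {"vpn_isp1": ("6.6.0.0/16", "g1"), "vpn_isp2": ("7.7.0.0/16", "g2")}

RULE_RE = re.compile(r"rule(?: \d+)? (permit|deny) ip(?: source (\S+) (\S+))?"
                     r"(?: destination (\S+) (\S+))?(?: user-group (\S+))?")

def wildcard_match(addr, net, wildcard):
    # ACL wildcard semantics: bits set in the wildcard are don't-care bits.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

def parse_config(text):
    routes, acls, nodes, acl, node = [], {}, [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        words = line.split()
        if line.startswith("ip route-static vpn-instance"):
            routes.append({"vpn": words[3], "prefix": f"{words[4]}/{words[5]}", "public": "public" in words[7:]})
        elif line.startswith("acl advanced"):
            acl = acls.setdefault(int(words[2]), [])
        elif line.startswith("rule"):
            action, s, sw, d, dw, group = RULE_RE.match(line).groups()
            acl.append((action, (s, sw) if s else None, (d, dw) if d else None, group))
        elif line.startswith("policy-based-route"):
            node = {"node": int(words[4]), "mode": words[2], "acl": None, "vpn": None}
            nodes.append(node)
        elif line.startswith("if-match acl"):
            node["acl"] = int(words[2])
        elif line.startswith("apply access-vpn vpn-instance"):
            node["vpn"] = words[3]
    return routes, acls, sorted(nodes, key=lambda n: n["node"])

def acl_permits(rules, src, dst, group):
    # First matching rule decides; a packet matching no rule is not selected by the ACL.
    for action, s, d, g in rules:
        if (s and not wildcard_match(src, *s)) or (d and not wildcard_match(dst, *d)) or (g and g != group):
            continue
        return action == "permit"
    return False

def pbr_target_vpn(nodes, acls, src, dst, group):
    # Nodes are tried in ascending order; the first permit node whose ACL selects the packet
    # applies its access-vpn. None means the packet stays in the public network instance.
    for n in nodes:
        if n["acl"] is not None and acl_permits(acls.get(n["acl"], []), src, dst, group):
            return n["vpn"] if n["mode"] == "permit" else None
    return None

def check_return_paths(text, vpn_users=VPN_USERS):
    # Simulate the reply to each VPN-to-public static route and report every reply that
    # PBR does not steer back into the VPN instance the request left from.
    routes, acls, nodes = parse_config(text)
    problems = []
    for route in (r for r in routes if r["public"]):
        src = str(ipaddress.ip_network(route["prefix"]).network_address + 1)   # a public-side host
        segment, group = vpn_users[route["vpn"]]
        dst = str(ipaddress.ip_network(segment).network_address + 10)          # a user in the VPN
        target = pbr_target_vpn(nodes, acls, src, dst, group)
        if target != route["vpn"]:
            problems.append(f"{route['vpn']} -> {route['prefix']}: reply from {src} steered to {target}")
    return problems

# Constructed misconfiguration: ACL 3010 narrowed to the DHCP server and the 3.3.0.0/16 rule
# dropped from ACL 3030, so replies from 3.3.0.0/16 to vpn_isp1 users match no PBR node.
BROKEN_CONFIG = (BRAS_CONFIG
    .replace("rule 0 permit ip destination 6.6.0.0", "rule 0 permit ip source 4.4.4.0 0.0.0.255 destination 6.6.0.0")
    .replace(" rule permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1\n", ""))
```

Running check_return_paths(BRAS_CONFIG) on the configuration as shown returns an empty list, while the broken variant reports the vpn_isp1 route to 3.3.0.0/16 whose replies no longer match any node.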

Configuring Switch A

# Create SVLAN 101.

<SwitchA> system-view

[SwitchA] vlan 101

[SwitchA-vlan101] quit

# Configure GigabitEthernet 3/0/1 as a hybrid port and assign it to SVLAN 101 as a tagged member.

[SwitchA] interface gigabitethernet 3/0/1

[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

[SwitchA-GigabitEthernet3/0/1] port hybrid vlan 101 tagged

[SwitchA-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2 through GigabitEthernet 3/0/3 as trunk ports and assign them to SVLAN 101.

[SwitchA] interface range gigabitethernet 3/0/2 to gigabitethernet 3/0/3

[SwitchA-if-range] port link-type trunk

[SwitchA-if-range] port trunk permit vlan 101

# Configure SVLAN 101 as the PVID for GigabitEthernet 3/0/2 through GigabitEthernet 3/0/3 and enable QinQ on them.

[SwitchA-if-range] port trunk pvid vlan 101

[SwitchA-if-range] qinq enable

[SwitchA-if-range] quit

Configuring Switch B

# Create VLANs 11 and 12.

[SwitchB] vlan 11 to 12

# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLANs 11 and 12.

[SwitchB] interface gigabitethernet 3/0/1

[SwitchB-GigabitEthernet3/0/1] port link-type trunk

[SwitchB-GigabitEthernet3/0/1] port trunk permit vlan 11 12

[SwitchB-GigabitEthernet3/0/1] quit

# Assign GigabitEthernet 3/0/2 to VLAN 11.

[SwitchB] interface gigabitethernet 3/0/2

[SwitchB-GigabitEthernet3/0/2] port access vlan 11

[SwitchB-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 12.

[SwitchB] interface gigabitethernet 3/0/3

[SwitchB-GigabitEthernet3/0/3] port access vlan 12

[SwitchB-GigabitEthernet3/0/3] quit

Configuring Switch C

# Create VLANs 13 and 14.

[SwitchC] vlan 13 to 14

# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLANs 13 and 14.

[SwitchC] interface gigabitethernet 3/0/1

[SwitchC-GigabitEthernet3/0/1] port link-type trunk

[SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 13 14

[SwitchC-GigabitEthernet3/0/1] quit

# Assign GigabitEthernet 3/0/2 to VLAN 13.

[SwitchC] interface gigabitethernet 3/0/2

[SwitchC-GigabitEthernet3/0/2] port access vlan 13

[SwitchC-GigabitEthernet3/0/2] quit

# Assign GigabitEthernet 3/0/3 to VLAN 14.

[SwitchC] interface gigabitethernet 3/0/3

[SwitchC-GigabitEthernet3/0/3] port access vlan 14

[SwitchC-GigabitEthernet3/0/3] quit

Verifying the configuration

Use Host A as an example.

1.     Before Host A performs PPPoE dialup authentication, execute the display dhcp relay client-information command to view the relay entries on the relay agent.

<BRAS> display dhcp relay client-information

Total number of client-information items: 1

Total number of dynamic items: 1

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

5.5.5.2          e839-3563-fb21   Dynamic     GE3/1/1.1            N/A

The output shows that Host A has obtained dynamic IP address 5.5.5.2 before performing PPPoE dialup authentication. The user can use this IP address only to access the internal network.

2.     After Host A uses username User1@isp1 and password pass1 to dial to BRAS, perform the following tasks:

# Execute the display dhcp relay client-information command to view the relay entries on the relay agent.

<BRAS> display dhcp relay client-information

Total number of client-information items: 2

Total number of dynamic items: 2

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

5.5.5.2          e839-3563-fb21   Dynamic     GE3/1/1.1            N/A

6.6.6.2          e839-3563-fb21   Dynamic     BAS0                 vpn_isp1

The output shows that Host A has obtained dynamic IP address 6.6.6.2 after performing PPPoE dialup authentication by using a username with suffix @isp1.

# View detailed information about user User1@isp1.

<BRAS> display ppp access-user username user1@isp1 verbose

Basic:

  Interface: BAS0

  PPP index: 0x140000105

  User ID: 0x20000001

  Username: User1@isp1                //Username used for PPPoE dialup

  Domain: isp1                        //ISP domain to which the dialup user belongs

  Access interface: GE3/1/1.1         //Access interface of the dialup user

  Service-VLAN/Customer-VLAN: 101/11  //SVLAN and CVLAN encapsulated in packets of the dialup user

  VXLAN ID: -

  MAC address: e839-3563-fb21         //Host MAC address of the dialup user

  IP address: 6.6.6.2                 //IP address assigned to the user by the DHCP server

  Primary DNS server: 8.8.8.8

  IPv6 address: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  User address type: N/A

  VPN instance: vpn_isp1              //VPN instance to which the dialup user belongs

  Access type: PPPoE                 //Access type of the user

  Authentication type: CHAP          //Authentication type of the access user

PPPoE:

  Session ID: 1

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2022-2-3  16:8:50:841

  Accounting start time: 2022-2-3  16:8:50:861

  Online time(hh:mm:ss): 0:0:7

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 sec  0 byte, direction: Both

  Session timeout: -

  Time remained: -

  Traffic quota: -

  Traffic remained: -

  Redirect WebURL: -

  ITA policy name: pl_ita

  MRU: 1480 bytes

  IPv4 MTU: 1480 bytes

  IPv6 MTU: 1480 bytes

  Subscriber ID: -

ACL&QoS:

  User profile: -

  Session group profile: -

  User group acl: g1 (active)

  Inbound CAR: -

  Outbound CAR: -

  User inbound priority: -

  User outbound priority: -

Flow Statistic:

  IPv4 uplink   packets/bytes: 119/11753

  IPv4 downlink packets/bytes: 73/6350

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

ITA:

  Level-1 uplink   packets/bytes: 109/11653

          downlink packets/bytes: 0/0

  Level-2 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-3 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-4 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

# View the routes in VPN instance vpn_isp1.

<BRAS> display ip routing-table vpn-instance vpn_isp1

Destinations : 20        Routes : 20

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

2.2.2.0/24         Static  60  0           10.1.1.2        GE3/1/1.2

3.3.0.0/16         Static  60  0           10.1.1.2        GE3/1/1.2

4.4.4.0/24         Static  60  0           4.4.4.3         GE3/1/1.2

6.6.6.1/32         Direct  0   0           127.0.0.1       InLoop0

6.6.6.2/32         Direct  0   0           6.6.6.2         BAS0

10.1.1.0/24        Static  60  0           10.1.1.2        GE3/1/1.2

10.1.4.0/24        Static  60  0           10.1.1.2        GE3/1/1.2

101.1.1.0/24       BGP     255 0           3.3.3.9         GE3/1/1.2

101.101.101.0/24   Direct  0   0           101.101.101.101 BAS0

101.101.101.0/32   Direct  0   0           101.101.101.101 BAS0

101.101.101.101/32 Direct  0   0           127.0.0.1       InLoop0

101.101.101.255/32 Direct  0   0           101.101.101.101 BAS0

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0

224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0

255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

The output above shows that routes to the internal network (for example, user network segment 2.2.2.0/24) and Internet (network segment 101.1.1.0/24) exist in VPN instance vpn_isp1, and the user can use the obtained IP address 6.6.6.2 to access the internal network and Internet at the same time. When the user accesses the Internet, the egress of ISP1 is used.

3.     After Host A uses username User1@isp2 and password pass1 to dial to BRAS, perform the following tasks:

# Execute the display dhcp relay client-information command to view the relay entries on the relay agent.

<BRAS> display dhcp relay client-information

Total number of client-information items: 2

Total number of dynamic items: 2

Total number of temporary items: 0

IP address       MAC address      Type        Interface            VPN name

5.5.5.2          e839-3563-fb21   Dynamic     GE3/1/1.1            N/A

7.7.7.2          e839-3563-fb21   Dynamic     BAS0                 vpn_isp2

The output shows that Host A has obtained dynamic IP address 7.7.7.2 after performing PPPoE dialup authentication by using a username with suffix @isp2.

# View detailed information about user User1@isp2.

<BRAS> display ppp access-user username user1@isp2 verbose

Basic:

  Interface: BAS0

  PPP index: 0x140000105

  User ID: 0x20000001

  Username: User1@isp2                //Username used for PPPoE dialup

  Domain: isp2                        //ISP domain to which the dialup user belongs

  Access interface: GE3/1/1.1         //Access interface of the dialup user

  Service-VLAN/Customer-VLAN: 101/11  //SVLAN and CVLAN encapsulated in packets of the dialup user

  VXLAN ID: -

  MAC address: e839-3563-fb21         //Host MAC address of the dialup user

  IP address: 7.7.7.2                 //IP address assigned to the user by the DHCP server

  Primary DNS server: 8.8.8.8

  IPv6 address: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  User address type: N/A

  VPN instance: vpn_isp2              //VPN instance to which the dialup user belongs

  Access type: PPPoE                 //Access type of the user

  Authentication type: CHAP          //Authentication type of the access user

PPPoE:

  Session ID: 1

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2022-2-3  16:10:37:389

  Accounting start time: 2022-2-3  16:10:37:412

  Online time(hh:mm:ss): 0:0:4

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 sec  0 byte, direction: Both

  Session timeout: -

  Time remained: -

  Traffic quota: -

  Traffic remained: -

  Redirect WebURL: -

  ITA policy name: pl_ita

  MRU: 1480 bytes

  IPv4 MTU: 1480 bytes

  IPv6 MTU: 1480 bytes

  Subscriber ID: -

ACL&QoS:

  User profile: -

  Session group profile: -

  User group acl: g2 (active)

  Inbound CAR: -

  Outbound CAR: -

  User inbound priority: -

  User outbound priority: -

Flow Statistic:

  IPv4 uplink   packets/bytes: 56/5676

  IPv4 downlink packets/bytes: 0/0

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

ITA:

  Level-1 uplink   packets/bytes: 46/5576

          downlink packets/bytes: 0/0

  Level-2 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-3 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  Level-4 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

# View the routes in VPN instance vpn_isp2.

<BRAS> display ip routing-table vpn-instance vpn_isp2

Destinations : 20        Routes : 20

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

2.2.2.0/24         Static  60  0           10.1.1.2        GE3/1/1.2

3.3.0.0/16         Static  60  0           10.1.1.2        GE3/1/1.2

4.4.4.0/24         Static  60  0           4.4.4.3         GE3/1/1.2

7.7.7.1/32         Direct  0   0           127.0.0.1       InLoop0

7.7.7.2/32         Direct  0   0           7.7.7.2         BAS0

10.1.1.0/24        Static  60  0           10.1.1.2        GE3/1/1.2

10.1.4.0/24        Static  60  0           10.1.1.2        GE3/1/1.2

101.101.101.0/24   Direct  0   0           101.101.101.101 BAS0

101.101.101.0/32   Direct  0   0           101.101.101.101 BAS0

101.101.101.101/32 Direct  0   0           127.0.0.1       InLoop0

101.101.101.255/32 Direct  0   0           101.101.101.101 BAS0

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

202.1.1.0/24       BGP     255 0           3.3.3.9         GE3/1/1.2

224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0

224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0

255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

The output above shows that routes to the internal network (for example, user network segment 2.2.2.0/24) and Internet (network segment 202.1.1.0/24) exist in VPN instance vpn_isp2, and the user can use the obtained IP address 7.7.7.2 to access the internal network and Internet at the same time. When the user accesses the Internet, the egress of ISP2 is used.
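
The checks above are done by reading two display outputs by eye. The following Python script, added here as an illustration and not part of the H3C document, automates them: it parses the text of display ppp access-user ... verbose and display ip routing-table vpn-instance ... and reports any mismatch between the ISP domain the subscriber logged in with and the VPN instance, user group, address pool and routes it actually received. The excerpts embedded in the script are taken from the output shown above with the inline comments removed; the EXPECTED table mapping each domain to its VPN instance, user group and pool prefix is an assumption derived from the domain configuration in this example.

```python
"""Automated check of the verification step for an online PPPoE subscriber.

Added example, not part of the H3C document. Parses the BRAS display output
and checks domain -> VPN instance / user group / address pool consistency.
EXPECTED is an assumption taken from the domain configuration on this page.
"""
import re

EXPECTED = {  # domain: (vpn-instance, user-group ACL, pool prefix)
    "isp1": ("vpn_isp1", "g1", "6.6."),
    "isp2": ("vpn_isp2", "g2", "7.7."),
}

# Excerpt of 'display ppp access-user username user1@isp1 verbose' from this page.
ACCESS_USER_OUTPUT = """\
Basic:
  Interface: BAS0
  Username: User1@isp1
  Domain: isp1
  Access interface: GE3/1/1.1
  Service-VLAN/Customer-VLAN: 101/11
  MAC address: e839-3563-fb21
  IP address: 6.6.6.2
  VPN instance: vpn_isp1
  Access type: PPPoE
  Authentication type: CHAP
AAA:
  Authentication state: Authenticated
  Authorization state: Authorized
ACL&QoS:
  User group acl: g1 (active)
"""

# Excerpt of 'display ip routing-table vpn-instance vpn_isp1' from this page.
ROUTING_TABLE_OUTPUT = """\
Destinations : 20        Routes : 20
Destination/Mask   Proto   Pre Cost        NextHop         Interface
2.2.2.0/24         Static  60  0           10.1.1.2        GE3/1/1.2
6.6.6.1/32         Direct  0   0           127.0.0.1       InLoop0
6.6.6.2/32         Direct  0   0           6.6.6.2         BAS0
101.1.1.0/24       BGP     255 0           3.3.3.9         GE3/1/1.2
"""

# 'Key: value' lines; a trailing '//comment' (as printed on this page) is dropped.
FIELD = re.compile(r"^\s+([^:]+):\s*(.*?)\s*(?://.*)?$")
# Routing-table rows: prefix, protocol, preference, cost, next hop, interface.
ROUTE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")


def parse_access_user(text):
    """Return {field name: value} from the verbose access-user output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def parse_routes(text):
    """Return {prefix: (proto, nexthop, interface)} from the routing table."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m and m.group(1)[0].isdigit():
            routes[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return routes


def check_subscriber(user_text, route_text, internet_prefix):
    """Return a list of findings; an empty list means the subscriber is consistent."""
    u = parse_access_user(user_text)
    routes = parse_routes(route_text)
    findings = []
    domain = u.get("Domain")
    if domain not in EXPECTED:
        return [f"unknown domain {domain!r}"]
    vpn, group, pool = EXPECTED[domain]
    if u.get("VPN instance") != vpn:
        findings.append(f"VPN instance {u.get('VPN instance')} != {vpn}")
    if not u.get("User group acl", "").startswith(group):
        findings.append(f"user group ACL {u.get('User group acl')} != {group}")
    if u.get("Authentication state") != "Authenticated":
        findings.append("user is not authenticated")
    ip = u.get("IP address", "")
    if not ip.startswith(pool):
        findings.append(f"address {ip} is outside the pool for {domain}")
    host = routes.get(f"{ip}/32")
    if host is None or host[0] != "Direct" or host[2] != "BAS0":
        findings.append(f"no direct BAS0 host route for {ip} in {vpn}")
    if internet_prefix not in routes:
        findings.append(f"no route to {internet_prefix} in {vpn}")
    return findings


if __name__ == "__main__":
    print(check_subscriber(ACCESS_USER_OUTPUT, ROUTING_TABLE_OUTPUT, "101.1.1.0/24"))
```

In practice you would feed the script the live output captured from the BRAS instead of the embedded excerpts; a user that authenticated in domain isp1 but shows up in vpn_isp2, or whose host route is missing from the VPN instance, is exactly the kind of authorization or PBR misconfiguration that this check surfaces before it becomes a cross-ISP leak.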

Configuration files

·     DHCP server:

#

 dhcp enable

#

dhcp server ip-pool pool1

 gateway-list 5.5.5.1

 network 5.5.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 5.5.5.1

#

dhcp server ip-pool pool2

 gateway-list 6.6.6.1

 network 6.6.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 6.6.6.1

#

dhcp server ip-pool pool3

 gateway-list 7.7.7.1

 network 7.7.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 7.7.7.1

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 4.4.4.3 255.255.255.0

#

 ip route-static 0.0.0.0 0 4.4.4.1

#

·     PE 1 (BRAS):

#

ip vpn-instance vpn_isp1

 route-distinguisher 100:1

 vpn-target 111:1 import-extcommunity

 vpn-target 222:1 export-extcommunity

#

ip vpn-instance vpn_isp2

 route-distinguisher 200:1

 vpn-target 333:1 import-extcommunity

 vpn-target 444:1 export-extcommunity

#

ospf 1

 area 0.0.0.0

  network 1.1.1.9 0.0.0.0

  network 5.5.0.0 0.0.255.255

  network 10.1.1.0 0.0.0.255

#

 mpls lsr-id 1.1.1.9

#

 dhcp enable

 dhcp relay client-information record

#

traffic classifier 3000 operator and

 if-match acl 3000

#

traffic classifier 3001 operator and

 if-match acl 3001

 if-match authenticated-user

#

traffic classifier cl_user1 operator and

 if-match customer-vlan-id 11

 if-match acl 3002

 if-match authenticated-user

#

traffic classifier cl_user2 operator and

 if-match customer-vlan-id 12

 if-match acl 3002

 if-match authenticated-user

#

traffic classifier cl_user3 operator and

 if-match customer-vlan-id 13

 if-match acl 3002

 if-match authenticated-user

#

traffic classifier cl_user4 operator and

 if-match customer-vlan-id 14

 if-match acl 3002

 if-match authenticated-user

#

traffic behavior 3000

 accounting byte

 car cir 5000 cbs 312500 ebs 0 green pass red discard yellow pass

#

traffic behavior 3001

 accounting byte

 remark account-level 1

#

traffic behavior be_10M

 accounting byte

 remark account-level 4

#

traffic behavior be_2M

 accounting byte

 remark account-level 2

#

traffic behavior be_5M

 accounting byte

 remark account-level 3

#

qos policy nei_waiwang_share

 classifier 3000 behavior 3000

 classifier 3001 behavior 3001

 classifier cl_user1 behavior be_2M

 classifier cl_user2 behavior be_5M

 classifier cl_user3 behavior be_5M

 classifier cl_user4 behavior be_10M

#

dhcp server ip-pool pool1

 vpn-instance vpn_isp1

 gateway-list 6.6.6.1 export-route

 remote-server 4.4.4.3

#

dhcp server ip-pool pool2

 vpn-instance vpn_isp2

 gateway-list 7.7.7.1 export-route

 remote-server 4.4.4.3

#

policy-based-route P_to_Bras permit node 0

 if-match acl 3010

 apply access-vpn vpn-instance vpn_isp1

#

policy-based-route P_to_Bras permit node 1

 if-match acl 3020

 apply access-vpn vpn-instance vpn_isp2

#

policy-based-route P_to_Bras permit node 2

 if-match acl 3030

 apply access-vpn vpn-instance vpn_isp1

#

policy-based-route P_to_Bras permit node 3

 if-match acl 3040

 apply access-vpn vpn-instance vpn_isp2

#

mpls ldp

#

interface Virtual-Template1

 ppp authentication-mode chap

 ppp account-statistics enable

#

interface LoopBack0

 ip address 1.1.1.9 255.255.255.255

#

interface GigabitEthernet3/1/1

 port link-mode route

#

interface GigabitEthernet3/1/1.1

 qos apply policy nei_waiwang_share inbound

 qos apply policy nei_waiwang_share outbound

 vlan-type dot1q vid 101 second-dot1q 11 to 14

 pppoe-server bind virtual-template 1

#

interface GigabitEthernet3/1/1.2

 ip address 10.1.1.1 255.255.255.0

 mpls enable

 mpls ldp enable

 vlan-type dot1q vid 100

 ip policy-based-route P_to_Bras

#

bgp 100

 peer 3.3.3.9 as-number 100

 peer 3.3.3.9 connect-interface LoopBack0

 #

 address-family vpnv4

  peer 3.3.3.9 enable

 #

 ip vpn-instance vpn_isp1

  #

  address-family ipv4 unicast

   import-route direct

 #

 ip vpn-instance vpn_isp2

  #

  address-family ipv4 unicast

   import-route direct

#

 ip route-static vpn-instance vpn_isp1 2.2.2.0 24 10.1.1.2 public

 ip route-static vpn-instance vpn_isp1 3.3.0.0 16 10.1.1.2 public

 ip route-static vpn-instance vpn_isp1 4.4.4.0 24 4.4.4.3 public

 ip route-static vpn-instance vpn_isp2 2.2.2.0 24 10.1.1.2 public

 ip route-static vpn-instance vpn_isp2 3.3.0.0 16 10.1.1.2 public

 ip route-static vpn-instance vpn_isp2 4.4.4.0 24 4.4.4.3 public

#

acl advanced 3000

 rule 0 permit ip source 5.5.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255

 rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 5.5.0.0 0.0.255.255

 rule 20 permit ip source 5.5.0.0 0.0.255.255 destination 5.5.0.0 0.0.255.255

#

acl advanced 3001

 rule 10 permit ip source 6.6.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g1

 rule 20 permit ip source 4.4.4.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

 rule 30 permit ip source 6.6.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

 rule 40 permit ip source 7.7.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255 user-group g2

 rule 50 permit ip source 4.4.4.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

 rule 60 permit ip source 7.7.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

#

acl advanced 3002

 rule 0 permit ip user-group g1

 rule 10 permit ip user-group g2

#

acl advanced 3010

 rule 0 permit ip destination 6.6.0.0 0.0.255.255 user-group g1

#

acl advanced 3020

 rule 0 permit ip destination 7.7.0.0 0.0.255.255 user-group g2

#

acl advanced 3030

 rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 6.6.0.0 0.0.255.255 user-group g1

 rule 5 permit ip source 3.3.0.0 0.0.255.255 destination 6.6.0.0 0.0.255.255 user-group g1

#

acl advanced 3040

 rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 7.7.0.0 0.0.255.255 user-group g2

 rule 5 permit ip source 3.3.0.0 0.0.255.255 destination 7.7.0.0 0.0.255.255 user-group g2

#

radius scheme rs1

 primary authentication 4.4.4.2

 primary accounting 4.4.4.2

 accounting-on enable

 key authentication cipher $c$3$qUtzXCwq7r8LLcMkFSoDGWZBL/icMl9CLA==

 key accounting cipher $c$3$n/0PcnYaWjXNFtKUpBYlof6r0doKH/fVig==

#

radius dynamic-author server

 client ip 4.4.4.2 key cipher $c$3$Td30doCnLkhF7bhiYp4bk9DU96+XBStLkA==

#

ita policy pl_ita

 accounting-method radius-scheme rs1

 accounting-level 1 ipv4 car inbound cir 5000 outbound cir 5000

 accounting-level 2 ipv4 car inbound cir 2000 outbound cir 2000

 accounting-level 3 ipv4 car inbound cir 5000 outbound cir 5000

 accounting-level 4 ipv4 car inbound cir 10000 outbound cir 10000

#

domain name isp1

 authorization-attribute user-group g1

 authorization-attribute ip-pool pool1

 authorization-attribute vpn-instance vpn_isp1

 ita-policy pl_ita

 authentication ppp radius-scheme rs1

 authorization ppp radius-scheme rs1

 accounting ppp radius-scheme rs1

#

domain name isp2

 authorization-attribute user-group g2

 authorization-attribute ip-pool pool2

 authorization-attribute vpn-instance vpn_isp2

 ita-policy pl_ita

 authentication ppp radius-scheme rs1

 authorization ppp radius-scheme rs1

 accounting ppp radius-scheme rs1

#

user-group g1

#

user-group g2

#

·     P (core switch):

#

ospf 1

 area 0.0.0.0

  network 2.2.2.9 0.0.0.0

  network 4.4.4.0 0.0.0.255

  network 10.1.1.0 0.0.0.255

  network 10.1.4.0 0.0.0.255

#

 mpls lsr-id 2.2.2.9

#

vlan 100 to 101

#

vlan 200

#

vlan 300

#

mpls ldp

#

interface LoopBack0

 ip address 2.2.2.9 255.255.255.255

#

interface Vlan-interface100

 ip address 10.1.1.2 255.255.255.0

 mpls enable

 mpls ldp enable

#

interface Vlan-interface200

 ip address 10.1.4.1 255.255.255.0

 mpls enable

 mpls ldp enable

#

interface Vlan-interface300

 ip address 4.4.4.1 255.255.255.0

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 101

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port link-type hybrid

 port hybrid vlan 100 101 tagged

 port hybrid vlan 1 untagged

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 200

#

interface GigabitEthernet3/0/4

 port link-mode bridge

 port access vlan 300

#

 ip route-static 6.6.0.0 16 10.1.1.1

 ip route-static 7.7.0.0 16 10.1.1.1

#

·     PE 2:

#

ip vpn-instance vpn_isp1

 route-distinguisher 100:1

 vpn-target 111:1 export-extcommunity

 vpn-target 222:1 import-extcommunity

#

ip vpn-instance vpn_isp2

 route-distinguisher 200:1

 vpn-target 333:1 export-extcommunity

 vpn-target 444:1 import-extcommunity

#

ospf 1

 area 0.0.0.0

  network 10.1.4.0 0.0.0.255

  network 3.3.3.9 0.0.0.0

#

 mpls lsr-id 3.3.3.9

#

mpls ldp

#

interface LoopBack0

 ip address 3.3.3.9 255.255.255.255

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 10.1.4.2 255.255.255.0

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet3/0/2

 port link-mode route

 ip binding vpn-instance vpn_isp1

 ip address 101.1.1.1 255.255.255.0

#

interface GigabitEthernet3/0/3

 port link-mode route

 ip binding vpn-instance vpn_isp2

 ip address 202.1.1.1 255.255.255.0

#

bgp 100

 peer 1.1.1.9 as-number 100

 peer 1.1.1.9 connect-interface LoopBack0

 #

 address-family vpnv4

  peer 1.1.1.9 enable

 #

 ip vpn-instance vpn_isp1

  peer 101.1.1.2 as-number 65430

  #

  address-family ipv4 unicast

   import-route direct

   peer 101.1.1.2 enable

 #

 ip vpn-instance vpn_isp2

  peer 202.1.1.2 as-number 65430

  #

  address-family ipv4 unicast

   import-route direct

   peer 202.1.1.2 enable

#

 ip route-static 6.6.0.0 16 10.1.4.1

 ip route-static 7.7.0.0 16 10.1.4.1

#

·     CE 1:

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 101.1.1.2 255.255.255.0

#

bgp 65430

 peer 101.1.1.1 as-number 100

 #

 address-family ipv4 unicast

  import-route direct

  peer 101.1.1.1 enable

#

·     CE 2:

#

interface GigabitEthernet3/0/1

 port link-mode route

 ip address 202.1.1.2 255.255.255.0

#

bgp 65430

 peer 202.1.1.1 as-number 100

 #

 address-family ipv4 unicast

  import-route direct

  peer 202.1.1.1 enable

#

·     Switch A:

#

vlan 101

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type hybrid

 port hybrid vlan 101 tagged

 port hybrid vlan 1 untagged

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 101

 port trunk pvid vlan 101

 qinq enable

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 101

 port trunk pvid vlan 101

 qinq enable

#

·     Switch B:

#

vlan 11 to 12

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 11 12

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port access vlan 11

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 12

#

·     Switch C:

#

vlan 13 to 14

#

interface GigabitEthernet3/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 13 14

#

interface GigabitEthernet3/0/2

 port link-mode bridge

 port access vlan 13

#

interface GigabitEthernet3/0/3

 port link-mode bridge

 port access vlan 14

#

Example: Configuring multiple egress user groups in a BRAS campus network (remote authorization)

Network configuration

As shown in Figure 30, the dormitory area and office area of a campus network are directly attached to BRAS. As the border device, BRAS is connected to different service providers ISP1 and ISP2. Configure the BRAS campus network to meet the following requirements:

·     Users in the dormitory area and office area access through portal. Before passing portal authentication, the users can access only the portal Web server. After passing portal authentication, the users can access the Internet.

·     Printers in the office area access through static IPoE and are not allowed to access the Internet.

·     Suffix @ISP1 or @ISP2 is added to portal usernames when users come online. BRAS selects the ISP egress interface for a user according to the user group to which the user belongs.

·     When a user accesses network resources by domain name, the name is resolved to the optimal IP address, because the user's DNS queries are served by the DNS server of the ISP to which the user belongs.

·     Implement multiple egress user groups by using an AAA server to remotely authorize user groups.

Figure 30 Network diagram

 

Device          Interface      IP address      Device            Interface      IP address

RADIUS server   -              4.4.4.2/24      Router A (BRAS)   GE3/1/1        2.1.1.1/16

Portal server   -              4.4.4.2/24                        GE3/1/2        3.3.3.1/24

DNS Server 1    -              3.3.3.2/24                        GE3/1/3        5.5.5.1/24

DNS Server 2    -              5.5.5.2/24                        GE3/1/4        4.4.4.1/24

Router B        GE3/1/5        -                                 GE3/1/5        -

                GE3/1/5.100    6.6.100.2/24                      GE3/1/5.100    6.6.100.1/24

                GE3/1/5.200    6.6.200.2/24                      GE3/1/5.200    6.6.200.1/24

                GE3/1/6        7.7.7.2/24                        GE3/1/6        7.7.7.1/24

Requirements analysis

·     Configure the access device on the RADIUS server, and add usernames and passwords for users.

·     To use the SRun software as the portal server, set the portal protocol and portal password on the page for adding an access device.

·     To perform portal authentication for users accessing the campus network, configure the portal server and enable portal authentication on BRAS.

·     To use RADIUS to perform authentication, authorization, and accounting for portal users, configure a RADIUS scheme on BRAS, specify the authentication, authorization, and accounting servers for it, and apply it to the ISP domain to which the portal users belong.

·     To protect the packets exchanged between BRAS and the RADIUS server and let BRAS detect whether RADIUS response packets have been tampered with, configure the same shared key (123456 in this example) on BRAS and the RADIUS server.

·     To ensure multiple egress user groups, configure user groups group1 and group2 that correspond to users in ISP1 and users in ISP2, respectively, and then configure PBR policies to forward traffic from user groups to the corresponding egress interfaces.

·     To enable a user to use the DNS server of the user’s ISP for obtaining the optimal IP address, redirect the DNS query packets and perform NAT translation based on the user’s ISP. Then, the DNS query packets from a user can be forwarded to the DNS server of the user's ISP for obtaining an IP address. In this example, Router B is an SR6608 router and acts as a NAT device.

·     To implement multiple egress user groups by using an AAA server to remotely authorize user groups, you must add RADIUS attributes group1 and group2 on the RADIUS server and configure the RADIUS attributes, control strategies, and product strategies.

·     To prevent printers in the office area from accessing the Internet, filter the packets sent out of GE 3/1/2 and GE 3/1/3 on BRAS.
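
Two of the points above are concrete enough to show on the wire: the RADIUS server authorizes a user group by sending a vendor-specific attribute (vendor ID 25506, attribute ID 140, string value group1 or group2, as configured on the SRun server later in this example), and the shared key is what lets BRAS tell a genuine Access-Accept from one altered in transit, because the Response Authenticator of every reply is MD5(Code + ID + Length + RequestAuth + Attributes + Secret) as defined in RFC 2865. The following Python script is an added illustration, not H3C or SRun code: it encodes the user-group VSA, builds an Access-Accept carrying it, verifies it the way the NAS does, and shows that the same reply with the group value changed to group2, or checked with the wrong key, fails verification. The packet identifier and the request authenticator are constructed sample values.

```python
"""RADIUS Access-Accept with the H3C user-group VSA and the NAS-side integrity check.

Added example, not H3C or SRun code. Vendor ID 25506 and attribute ID 140
are the values configured on the RADIUS server in this example; the packet
identifier and request authenticator below are constructed sample values.
"""
import hashlib
import hmac
import struct

H3C_VENDOR_ID = 25506
H3C_USER_GROUP = 140          # attribute ID set for group1/group2 on the server
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def parse_attributes(payload: bytes):
    """Yield (type, value); VSAs are expanded to (('vsa', vendor, vendor_type), value)."""
    i = 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        value = payload[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            yield ("vsa", vendor, vtype), value[6:4 + vlen]
        else:
            yield atype, value
        i += alen


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble a RADIUS reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Response Authenticator with the shared key
    and compare it in constant time with the one carried in the packet."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def user_group_of(packet: bytes):
    """Return the user group the server authorized, or None if the VSA is absent."""
    for key, value in parse_attributes(packet[20:]):
        if key == ("vsa", H3C_VENDOR_ID, H3C_USER_GROUP):
            return value.decode()
    return None


def demo(secret: bytes = b"123456"):
    """Genuine reply, the same reply with its group value altered, and a wrong-key check."""
    request_auth = bytes(range(16))   # constructed; a real NAS sends random bytes
    attrs = vsa(H3C_VENDOR_ID, H3C_USER_GROUP, b"group1")
    accept = build_reply(ACCESS_ACCEPT, 0x2A, request_auth, attrs, secret)
    tampered = accept[:-6] + b"group2"  # same length, authenticator left untouched
    return {
        "genuine_ok": verify_reply(accept, request_auth, secret),
        "genuine_group": user_group_of(accept),
        "tampered_ok": verify_reply(tampered, request_auth, secret),
        "tampered_group": user_group_of(tampered),
        "wrong_key_ok": verify_reply(accept, request_auth, b"wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tampered reply still parses to a perfectly valid group2 attribute, which is why the authenticator check, and therefore a shared key that matches on both sides, is what stands between a modified reply and a user being placed in the wrong egress group; the wrong-key case is also the symptom you see when the key configured under the RADIUS scheme on BRAS does not match the one entered on the server.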

Restrictions and guidelines

To avoid service unavailability caused by port number conflicts, make sure the internal listening port number is not used by any well-known protocol and is not used by a TCP-based service. To view the TCP port numbers used by other services, execute the display tcp command.

Procedures

Configuring the RADIUS server and portal server (applicable only to remote AAA authentication)

IMPORTANT:

This section uses the SRun software of version 4.0.9 as an example to describe how to configure basic settings of the RADIUS server and portal server.

 

1.     Enter http://4.4.4.2:8081 in the address bar of a browser to log in to the server.

2.     Add devices:

a.     Select Device from the navigation tree. Click the Add Device tab.

b.     On the tab, click Add.

c.     On the page that opens, perform the following tasks:

-     Set the device name to BRAS.

-     Set the NAS IP to 4.4.4.1.

-     Set the IP to 4.4.4.2.

-     Select Huawei, H3C, SRun Gateway from the NAS type list.

-     Set the DM port to 3799.

-     Set the RADIUS key to 123456.

-     Select No from the Whether to discard flow list.

-     Select H3C,HUAWEI(h3c v1.2) from the portal protocol list.

-     Set the portal key to 123456.

Figure 31 Adding an access device

 

3.     Set the RADIUS trust:

a.     Select Radius from the navigation tree.

b.     Click the Radius Trust Setting link to enter the Radius trust setting page.

c.     Click Generate in the upper right corner until the trust is successfully generated.

4.     Click the Radius Service Setting tab, and specify the device to carry the ISP domain name in the username sent to the RADIUS server (select with domain from the Username verification list).

5.     Add RADIUS attributes group1 and group2 (this section uses group1 as an example):

a.     Select Radius from the navigation tree.

b.     Click the Add RADIUS Attributes tab.

c.     Click Add.

d.     On the page that opens, perform the following tasks:

-     Set the name to gp1. (For RADIUS attribute group2, set the name to gp2.)

-     Set the attribute name to group1. (For RADIUS attribute group2, set the attribute name to group2.)

-     Set the vendor ID to 25506.

-     Set the vendor name to H3C.

-     Set the attribute ID to 140.

-     Set the value type to String.

-     Specify the dictionary file dictionary.h3c.

-     Select Huawei, H3C, SRun Gateway from the NAS type list.

-     Set the transmission condition to Normal user send.

-     Set the format to %s.

-     Set the variable value to No (using a fixed value).

-     Set the fixed value to group1. (For RADIUS attribute group2, set the fixed value to group2.)

Figure 32 Setting RADIUS attributes

 

6.     Enter https://4.4.4.2:8080 in the address bar of a browser to log in to the server.

7.     Configure control strategies group1 and group2:

a.     Navigate to the Strategy > Control page.

b.     Click Add.

c.     Set the control strategy name to group1. (For control strategy group2, set the name to group2.)

d.     Specify attribute group1 as the custom attribute to be deployed by RADIUS. (For control strategy group2, select attribute group2.)

8.     Configure product strategies policy1 and policy2:

a.     Navigate to the Strategy > Product page.

b.     Click Add to add product strategies policy1 and policy2. (This section uses product strategy policy1 as an example.)

c.     Set the product name to policy1. (For product strategy policy2, set the name to policy2.)

d.     Select the billing mode Free Strategy.

e.     Select control strategy group1. (For product strategy policy2, select group2.)

9.     Add organizations:

a.     Navigate to the Setting > Permission > Organization structure page.

b.     Click the  icon.

c.     Add organizations Dormitory Area and Office Area.

10.     Add users:

a.     Navigate to the Account > Add page. Click Add.

b.     Add user user1: set the account to user1@isp1, set the password to pass1, select organization Dormitory Area, and select product strategy policy1.

c.     Add user user2: set the account to user2@isp2, set the password to pass2, select organization Dormitory Area, and select product strategy policy2.

d.     Add user user3: set the account to user3@isp1, set the password to pass3, select organization Office Area, and select product strategy policy1.

e.     Add user user4: set the account to user4@isp2, set the password to pass4, select organization Office Area, and select product strategy policy2.

Configuring the DNS servers

This section uses Windows Server 2003 for the DNS servers.

1.     On DNS Server1, add a host record that maps www.test1.com to 100.1.1.1. (Details not shown.)

2.     On DNS Server2, add a host record that maps www.test2.com to 200.1.1.1. (Details not shown.)

Configuring IP addresses and routes

As shown in Figure 30, configure IP addresses for interfaces, and make sure the BRAS, Router B, and servers can reach each other at Layer 3. (Details not shown.)

Configuring the BRAS

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

[BRAS] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[BRAS-radius-rs1] primary authentication 4.4.4.2

[BRAS-radius-rs1] primary accounting 4.4.4.2

[BRAS-radius-rs1] key authentication simple 123456

[BRAS-radius-rs1] key accounting simple 123456

# Specify a source IP address for outgoing RADIUS packets.

[BRAS-radius-rs1] nas-ip 4.4.4.1

[BRAS-radius-rs1] quit

Configuring user groups

# Create user group group1.

<BRAS> system-view

[BRAS] user-group group1

[BRAS-ugroup-group1] quit

# Create user group group2.

[BRAS] user-group group2

[BRAS-ugroup-group2] quit

# Configure ACL 3000 to match packets of users in user group group1.

[BRAS] acl advanced 3000

[BRAS-acl-ipv4-adv-3000] rule 5 permit ip user-group group1

[BRAS-acl-ipv4-adv-3000] quit

# Configure ACL 3001 to match packets of users in user group group2.

[BRAS] acl advanced 3001

[BRAS-acl-ipv4-adv-3001] rule 5 permit ip user-group group2

[BRAS-acl-ipv4-adv-3001] quit

# Configure ACL 3020 to match DNS packets that users in user group group1 send to destination IP address 1.1.1.1.

[BRAS] acl advanced 3020

[BRAS-acl-ipv4-adv-3020] rule 5 permit udp destination 1.1.1.1 0 destination-port eq dns user-group group1

[BRAS-acl-ipv4-adv-3020] quit

# Configure ACL 3030 to match DNS packets that users in user group group2 send to destination IP address 1.1.1.1.

[BRAS] acl advanced 3030

[BRAS-acl-ipv4-adv-3030] rule 5 permit udp destination 1.1.1.1 0 destination-port eq dns user-group group2

[BRAS-acl-ipv4-adv-3030] quit

Configuring local user Printer

[BRAS] local-user Printer class network

[BRAS-luser-network-Printer] service-type ipoe

[BRAS-luser-network-Printer] password simple pass5

[BRAS-luser-network-Printer] quit

Configuring ISP domains

# Create ISP domain isp1, and enter its view.

[BRAS] domain name isp1

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in ISP domain isp1.

[BRAS-isp-isp1] authentication portal radius-scheme rs1

[BRAS-isp-isp1] authorization portal radius-scheme rs1

[BRAS-isp-isp1] accounting portal radius-scheme rs1

[BRAS-isp-isp1] quit

# Create ISP domain isp2, and enter its view.

[BRAS] domain name isp2

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in ISP domain isp2.

[BRAS-isp-isp2] authentication portal radius-scheme rs1

[BRAS-isp-isp2] authorization portal radius-scheme rs1

[BRAS-isp-isp2] accounting portal radius-scheme rs1

[BRAS-isp-isp2] quit

# Create ISP domain isp3, and enter its view.

[BRAS] domain name isp3

# Configure IPoE users to use local authentication, authorization, and accounting in ISP domain isp3.

[BRAS-isp-isp3] authentication ipoe local

[BRAS-isp-isp3] authorization ipoe local

[BRAS-isp-isp3] accounting ipoe local

[BRAS-isp-isp3] quit

Configuring static IPoE user access

# Configure ACL 3002 to match packets from the printer.

[BRAS] acl advanced 3002

[BRAS-acl-ipv4-adv-3002] rule 5 deny ip source 2.1.6.1 0

[BRAS-acl-ipv4-adv-3002] quit

# Enable IPoE and configure the Layer 3 access mode.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] ip subscriber routed enable

# Enable unclassified-IP packet initiation.

[BRAS-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ip enable matching-user

# Configure the plaintext password as pass5 for IPv4 individual users.

[BRAS-GigabitEthernet3/1/1] ip subscriber password plaintext pass5

# Configure an IPv4 static IPoE session with IP address 2.1.6.1/16 and ISP domain isp3.

[BRAS-GigabitEthernet3/1/1] ip subscriber session static ip 2.1.6.1 domain isp3

[BRAS-GigabitEthernet3/1/1] quit

# Apply ACL 3002 to filter the packets sourced from the printer on GigabitEthernet 3/1/2 to prevent the printer from accessing the Internet through GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] packet-filter 3002 outbound

[BRAS-GigabitEthernet3/1/2] quit

# Apply ACL 3002 to filter the packets sourced from the printer on GigabitEthernet 3/1/3 to prevent the printer from accessing the Internet through GigabitEthernet 3/1/3.

[BRAS] interface gigabitethernet 3/1/3

[BRAS-GigabitEthernet3/1/3] packet-filter 3002 outbound

[BRAS-GigabitEthernet3/1/3] quit

Configuring portal authentication

# Configure the portal authentication server: name newpt, IP address 4.4.4.2, plaintext password 123456, and portal packet listening port number 50100.

[BRAS] portal server newpt

[BRAS-portal-server-newpt] ip 4.4.4.2 key simple 123456

[BRAS-portal-server-newpt] port 50100

[BRAS-portal-server-newpt] quit

# Configure the portal Web server URL as http://4.4.4.2/index_9.html. The URL must be the same as the portal redirection page URL in the device table after devices are added to the server.

[BRAS] portal web-server newpt

[BRAS-portal-websvr-newpt] url http://4.4.4.2/index_9.html

[BRAS-portal-websvr-newpt] quit

# Configure the HTTPS redirect listening port number.

[BRAS] http-redirect https-port 8888

# Enable direct IPv4 portal authentication on GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] portal enable method direct

# Specify portal Web server newpt on GigabitEthernet 3/1/1 for portal authentication.

[BRAS-GigabitEthernet3/1/1] portal apply web-server newpt

# Configure the BAS-IP attribute carried in the portal packets sent to the portal authentication server as 2.1.1.1 on GigabitEthernet 3/1/1.

[BRAS-GigabitEthernet3/1/1] portal bas-ip 2.1.1.1

[BRAS-GigabitEthernet3/1/1] quit

Configuring PBR policies

# Create PBR policy policy1. Configure permit-mode node 1 in the policy to forward packets matching ACL 3020 (DNS packets that users in user group group1 send to destination IP address 1.1.1.1) to subinterface GigabitEthernet 3/1/5.100 of Router B.

[BRAS] policy-based-route policy1 permit node 1

[BRAS-pbr-policy1-1] if-match acl 3020

[BRAS-pbr-policy1-1] apply next-hop 6.6.100.2

[BRAS-pbr-policy1-1] quit

# In PBR policy policy1, configure permit-mode node 2 to forward packets matching ACL 3030 (DNS packets that users in user group group2 send to destination IP address 1.1.1.1) to subinterface GigabitEthernet 3/1/5.200 of Router B.

[BRAS] policy-based-route policy1 permit node 2

[BRAS-pbr-policy1-2] if-match acl 3030

[BRAS-pbr-policy1-2] apply next-hop 6.6.200.2

[BRAS-pbr-policy1-2] quit

# In PBR policy policy1, configure permit-mode node 3 to forward packets matching ACL 3000 (all packets of user group group1 other than the DNS packets to destination IP address 1.1.1.1 already matched by node 1) out of the ISP1 egress interface GigabitEthernet 3/1/2.

[BRAS] policy-based-route policy1 permit node 3

[BRAS-pbr-policy1-3] if-match acl 3000

[BRAS-pbr-policy1-3] apply output-interface GigabitEthernet3/1/2

[BRAS-pbr-policy1-3] quit

# In PBR policy policy1, configure permit-mode node 4 to forward packets matching ACL 3001 (all packets of user group group2 other than the DNS packets to destination IP address 1.1.1.1 already matched by node 2) out of the ISP2 egress interface GigabitEthernet 3/1/3.

[BRAS] policy-based-route policy1 permit node 4

[BRAS-pbr-policy1-4] if-match acl 3001

[BRAS-pbr-policy1-4] apply output-interface GigabitEthernet3/1/3

[BRAS-pbr-policy1-4] quit

# Apply PBR policy policy1 to GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] ip policy-based-route policy1

[BRAS-GigabitEthernet3/1/1] quit
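The following Python model of policy1 is an added illustration, not H3C code from this guide. It keeps only the match fields the page's ACL rules use (protocol, destination host, destination port, authorized user group) and shows why the DNS nodes must be numbered ahead of the catch-all user-group nodes: ACL 3000 also matches group1 DNS queries, so a lower-numbered node 3 would send them straight out of GigabitEthernet3/1/2 and bypass Router B. The Packet, AclRule and policy representations are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model of BRAS policy1 from this example (not H3C code). It keeps only
# the match fields the page's ACL rules use: protocol, destination host,
# destination port and the user group a portal user was authorized into.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    dport: Optional[int]        # None for protocols without ports
    user_group: Optional[str]   # authorized user group; None if not online


@dataclass(frozen=True)
class AclRule:
    proto: str = "ip"               # "ip" matches any protocol
    dst_host: Optional[str] = None  # "destination 1.1.1.1 0" host match
    dport: Optional[int] = None     # "destination-port eq dns" -> 53
    user_group: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst_host is not None and self.dst_host != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.user_group is not None and self.user_group != p.user_group:
            return False
        return True


# ACLs 3000, 3001, 3020 and 3030 as configured on the BRAS in this example.
ACLS = {
    3000: [AclRule(user_group="group1")],
    3001: [AclRule(user_group="group2")],
    3020: [AclRule(proto="udp", dst_host="1.1.1.1", dport=53, user_group="group1")],
    3030: [AclRule(proto="udp", dst_host="1.1.1.1", dport=53, user_group="group2")],
}

# policy1 nodes in configured order: (node number, ACL, apply action).
POLICY1: List[Tuple[int, int, str]] = [
    (1, 3020, "next-hop 6.6.100.2"),
    (2, 3030, "next-hop 6.6.200.2"),
    (3, 3000, "output-interface GigabitEthernet3/1/2"),
    (4, 3001, "output-interface GigabitEthernet3/1/3"),
]


def acl_permits(acl_id: int, p: Packet) -> bool:
    """An ACL permits a packet when any of its rules matches (all rules here are permits)."""
    return any(rule.matches(p) for rule in ACLS[acl_id])


def apply_pbr(policy: List[Tuple[int, int, str]], p: Packet) -> Optional[Tuple[int, str]]:
    """Evaluate permit nodes in order; the first ACL match wins.

    Returns (node, action), or None when no node matches: the packet then
    follows the normal routing table, which is what happens to traffic from
    users that have not passed portal authentication (no user group yet).
    """
    for node, acl_id, action in policy:
        if acl_permits(acl_id, p):
            return node, action
    return None


def with_dns_nodes_last(policy: List[Tuple[int, int, str]]) -> List[Tuple[int, int, str]]:
    """Same nodes, but with the catch-all user-group nodes ahead of the DNS nodes.

    Used to show why the page numbers the DNS nodes 1 and 2: ACL 3000 also
    matches group1 DNS queries, so a lower-numbered catch-all node would
    send them straight out of GigabitEthernet3/1/2 and bypass Router B.
    """
    dns_nodes = [n for n in policy if n[1] in (3020, 3030)]
    other = [n for n in policy if n[1] not in (3020, 3030)]
    return other + dns_nodes


if __name__ == "__main__":
    # Constructed sample traffic from the hosts in the example.
    samples = [
        Packet("2.1.2.1", "1.1.1.1", "udp", 53, "group1"),     # Host A DNS query
        Packet("2.1.2.1", "100.1.1.1", "tcp", 80, "group1"),   # Host A web traffic
        Packet("2.1.3.1", "1.1.1.1", "udp", 53, "group2"),     # Host B DNS query
        Packet("2.1.3.1", "200.1.1.1", "tcp", 443, "group2"),  # Host B web traffic
        Packet("2.1.2.9", "1.1.1.1", "udp", 53, None),         # not yet authenticated
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, ":", apply_pbr(POLICY1, pkt))
```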

Configuring Router B (NAT device)

IMPORTANT:

·     This section uses an SR6608 router as an example. For NAT to take effect on an interface when you use a CR16000-F router as the NAT device, you must additionally execute the nat service command to specify a traffic processing slot for the NAT interface. For more information about the nat service command, see the command references for the router used.

·     For DNS requests and replies to be correctly forwarded, make sure the Layer 3 outgoing interfaces to user network segment 2.1.0.0/16 are only GigabitEthernet 3/1/5.100 and GigabitEthernet 3/1/5.200 and the Layer 3 outgoing interface to the DNS server is only GigabitEthernet 3/1/6 on Router B.

 

Configuring NAT for internal servers

# Configure the internal NAT server on GigabitEthernet 3/1/5.100 to translate the destination IP address from 1.1.1.1 to 3.3.3.2 for incoming packets and translate the source IP address from 3.3.3.2 to 1.1.1.1 for outgoing packets.

[RouterB] interface gigabitethernet 3/1/5.100

[RouterB-GigabitEthernet3/1/5.100] nat server protocol udp global 1.1.1.1 53 inside 3.3.3.2 53

# Configure GigabitEthernet 3/1/5.100 to terminate packets with outermost VLAN tag 100.

[RouterB-GigabitEthernet3/1/5.100] vlan-type dot1q vid 100

[RouterB-GigabitEthernet3/1/5.100] quit

# Configure the internal NAT server on GigabitEthernet 3/1/5.200 to translate the destination IP address from 1.1.1.1 to 5.5.5.2 for incoming packets and translate the source IP address from 5.5.5.2 to 1.1.1.1 for outgoing packets.

[RouterB] interface gigabitethernet 3/1/5.200

[RouterB-GigabitEthernet3/1/5.200] nat server protocol udp global 1.1.1.1 53 inside 5.5.5.2 53

# Configure GigabitEthernet 3/1/5.200 to terminate packets with outermost VLAN tag 200.

[RouterB-GigabitEthernet3/1/5.200] vlan-type dot1q vid 200

[RouterB-GigabitEthernet3/1/5.200] quit

Configuring outbound NAT

# Configure ACL 3000 to match DNS packets sourced from user network segment 2.1.0.0/16 and packets sourced from DNS server 3.3.3.2 or 5.5.5.2.

[RouterB] acl advanced 3000

[RouterB-acl-ipv4-adv-3000] rule 5 permit udp source 2.1.0.0 0.0.255.255 source-port eq dns

[RouterB-acl-ipv4-adv-3000] rule 10 permit udp source 3.3.3.2 0 source-port eq dns

[RouterB-acl-ipv4-adv-3000] rule 15 permit udp source 5.5.5.2 0 source-port eq dns

[RouterB-acl-ipv4-adv-3000] quit

# Create address group 1, and add members 7.7.7.100 through 7.7.7.254 to the group.

[RouterB] nat address-group 1

[RouterB-address-group-1] address 7.7.7.100 7.7.7.254

[RouterB-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface GigabitEthernet 3/1/6 to translate the source addresses of outgoing packets permitted by ACL 3000 into the addresses in address group 1. Use UDP port information during translation.

[RouterB] interface gigabitethernet 3/1/6

[RouterB-GigabitEthernet3/1/6] nat outbound 3000 address-group 1

[RouterB-GigabitEthernet3/1/6] quit
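The following Python model of Router B's two NAT steps is an added illustration, not H3C code from this guide. It reproduces the four translations later printed by debugging nat packet (nat server on the ISP subinterface rewrites the destination, nat outbound on GigabitEthernet3/1/6 rewrites the source, and the reply is reversed from the session table), and shows why a reply arriving on any interface other than GigabitEthernet3/1/6 has no session and is not forwarded. Pool address selection, port numbering and the session-table layout are assumptions made for the model.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Added model of the two NAT steps on Router B in this example (not H3C code).
# Pool address selection and port numbering are simplified; real PAT behaviour
# depends on the platform.


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "UDP"


# nat server: global 1.1.1.1:53 -> the DNS server of the ISP behind each subinterface
NAT_SERVER = {
    "GigabitEthernet3/1/5.100": (("1.1.1.1", 53), ("3.3.3.2", 53)),
    "GigabitEthernet3/1/5.200": (("1.1.1.1", 53), ("5.5.5.2", 53)),
}
# nat outbound 3000 address-group 1: 7.7.7.100 through 7.7.7.254
POOL = [f"7.7.7.{i}" for i in range(100, 255)]
OUTBOUND_IF = "GigabitEthernet3/1/6"


class RouterB:
    def __init__(self) -> None:
        # Session table keyed by the translated tuple as seen from the DNS server side.
        self.sessions: Dict[Tuple[str, int, str, int], Tuple[str, Flow]] = {}
        self.next_port = 1024
        self.trace: List[str] = []

    def _pat_pick(self, f: Flow) -> Tuple[str, int]:
        # Simplified PAT: derive a pool address from the inside source, use a fresh port.
        addr = POOL[sum(int(o) for o in f.src.split(".")) % len(POOL)]
        port, self.next_port = self.next_port, self.next_port + 1
        return addr, port

    def forward_query(self, ingress: str, f: Flow) -> Flow:
        """DNS query from a user entering on a VLAN subinterface, leaving on GE3/1/6."""
        (g_ip, g_port), (i_ip, i_port) = NAT_SERVER[ingress]
        if (f.dst, f.dport) != (g_ip, g_port):
            raise ValueError("only queries to virtual server 1.1.1.1:53 are hairpinned here")
        # 1. nat server (destination NAT) on the ingress subinterface: *-in-config
        after_dnat = replace(f, dst=i_ip, dport=i_port)
        self.trace.append(f"({ingress}-in-config) {f} -> {after_dnat}")
        # 2. nat outbound (source PAT) on GE3/1/6: *-out-config
        pool_ip, pool_port = self._pat_pick(after_dnat)
        after_snat = replace(after_dnat, src=pool_ip, sport=pool_port)
        self.trace.append(f"({OUTBOUND_IF}-out-config) {after_dnat} -> {after_snat}")
        # Remember the ingress and the untranslated flow so the reply can be reversed.
        key = (after_snat.dst, after_snat.dport, after_snat.src, after_snat.sport)
        self.sessions[key] = (ingress, f)
        return after_snat

    def forward_reply(self, ingress: str, r: Flow) -> Tuple[str, Flow]:
        """DNS reply from the inside server; returns (egress subinterface, flow as the user sees it)."""
        # The reply must come back through GE3/1/6: that is the only interface
        # holding the session, which is what the IMPORTANT note above requires.
        if ingress != OUTBOUND_IF:
            raise ValueError(f"reply arrived on {ingress}; no NAT session on that interface")
        key = (r.src, r.sport, r.dst, r.dport)
        if key not in self.sessions:
            raise LookupError("no session for this reply; it is dropped, not forwarded")
        egress, orig = self.sessions[key]
        # 3. undo source PAT: GE3/1/6-in-session
        after_unsnat = replace(r, dst=orig.src, dport=orig.sport)
        self.trace.append(f"({OUTBOUND_IF}-in-session) {r} -> {after_unsnat}")
        # 4. undo destination NAT on the subinterface: *-out-session (user sees 1.1.1.1:53 again)
        after_undnat = replace(after_unsnat, src=orig.dst, sport=orig.dport)
        self.trace.append(f"({egress}-out-session) {after_unsnat} -> {after_undnat}")
        return egress, after_undnat


if __name__ == "__main__":
    rb = RouterB()
    # Constructed query matching the page's debug output for Host A (user1@isp1).
    query = Flow("2.1.2.1", 64192, "1.1.1.1", 53)
    sent = rb.forward_query("GigabitEthernet3/1/5.100", query)
    reply = Flow(sent.dst, sent.dport, sent.src, sent.sport)
    rb.forward_reply(OUTBOUND_IF, reply)
    print("\n".join(rb.trace))
```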

Verifying the configuration

# Before passing portal authentication, the users can access only the Web authentication homepage of the portal Web server.

# After passing portal authentication, the users can access the Internet. For example, Host A uses username user1@isp1 and password pass1 to log in successfully.

# View detailed information about user user1@isp1.

[BRAS] display portal user ip 2.1.2.1 verbose

Basic:

  Current IP address: 2.1.2.1

  Original IP address: 2.1.2.1

  Username: user1@isp1

  User ID: 0x10000009

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 001b-21c6-95c1

  Domain name: isp1

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

 

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-24 17:12:02 UTC

  Online time: 3:4:10

  ITA policy name: N/A

  DHCP IP pool: N/A

 

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: group1 (Id=4)

 

Flow statistic:

  Uplink   packets/bytes      : 43/5179

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Display interface PBR configuration and statistics.

[BRAS] display ip policy-based-route interface GigabitEthernet 3/1/1

Policy based routing information for interface GigabitEthernet3/1/1:

Policy name: 1

  node 1 permit:

    if-match acl 3020

    apply next-hop 6.6.100.2

  Matched: 10

  node 2 permit:

    if-match acl 3030

    apply next-hop 6.6.200.2

  Matched: 0

  node 3 permit:

    if-match acl 3000

    apply output-interface GigabitEthernet3/1/2

  Matched: 906

  node 4 permit:

    if-match acl 3001

    apply output-interface GigabitEthernet3/1/3

  Matched: 0

Total matched: 916

The output shows that user user1 in ISP1 uses the egress interface of ISP1 after passing portal authentication. Use this output only as a reference when determining the egress interface; for exact information, view the information on the egress device.

# Enable debugging for NAT packets on Router B.

<RouterB> terminal monitor

<RouterB> terminal debugging

<RouterB> debugging nat packet

# Ping www.test1.com on Host A.

C:\Users>ping www.test1.com

Pinging www.test1.com [100.1.1.1] with 32 bytes of data:

Reply from 100.1.1.1: Bytes=32 time=1ms TTL=127

Reply from 100.1.1.1: Bytes=32 time=1ms TTL=127

Reply from 100.1.1.1: Bytes=32 time=1ms TTL=127

Reply from 100.1.1.1: Bytes=32 time=1ms TTL=127

Ping statistics for 100.1.1.1:

    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip time in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users>

# The following debugging for NAT packets is displayed on Router B.

<RouterB>*Apr 10 19:35:23:097 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/5.100-in-config) Protocol: UDP

         2.1.2.1:64192 -         1.1.1.1:   53(VPN:    0) ------>

         2.1.2.1:64192 -         3.3.3.2:   53(VPN:    0)

*Apr 10 19:35:23:097 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/6-out-config) Protocol: UDP

         2.1.2.1:64192 -         3.3.3.2:   53(VPN:    0) ------>

       7.7.7.116: 1754 -         3.3.3.2:   53(VPN:    0)

*Apr 10 19:35:23:098 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/6-in-session) Protocol: UDP

         3.3.3.2:   53 -       7.7.7.116: 1754(VPN:    0) ------>

         3.3.3.2:   53 -         2.1.2.1:64192(VPN:    0)

*Apr 10 19:35:23:098 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/5.100-out-session) Protocol: UDP

         3.3.3.2:   53 -         2.1.2.1:64192(VPN:    0) ------>

         1.1.1.1:   53 -         2.1.2.1:64192(VPN:    0)

The output shows that, when Host A accesses domain name www.test1.com by using username user1@isp1, the packets that the user sends to destination IP address 1.1.1.1 are redirected to Router B. After a series of NAT translations on Router B, the DNS packets are sent to DNS server 1 of ISP1, and DNS server 1 resolves the domain name to 100.1.1.1 for Host A.

# After Host B uses username user2@isp2 and password pass2 to pass portal authentication, the user can access the Internet. (Details not shown.)

# View detailed information about user user2@isp2.

[BRAS] display portal user ip 2.1.3.1 verbose

Basic:

  Current IP address: 2.1.3.1

  Original IP address: 2.1.3.1

  Username: user2@isp2

  User ID: 0x10000010

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 011c-22d6-95e3

  Domain name: isp2

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

 

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-24 17:15:02 UTC

  Online time: 3:4:10

  ITA policy name: N/A

  DHCP IP pool: N/A

 

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: group2 (Id=6)

 

Flow statistic:

  Uplink   packets/bytes      : 43/5179

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Display interface PBR configuration and statistics.

[BRAS] display ip policy-based-route interface GigabitEthernet 3/1/1

Policy based routing information for interface GigabitEthernet3/1/1:

Policy name: 1

  node 1 permit:

    if-match acl 3020

    apply next-hop 6.6.100.2

  Matched: 10

  node 2 permit:

    if-match acl 3030

    apply next-hop 6.6.200.2

  Matched: 20

  node 3 permit:

    if-match acl 3000

    apply output-interface GigabitEthernet3/1/2

  Matched: 906

  node 4 permit:

    if-match acl 3001

    apply output-interface GigabitEthernet3/1/3

  Matched: 804

Total matched: 1740

The output shows that user user2 in ISP2 uses the egress interface of ISP2 after passing portal authentication. Use this output only as a reference when determining the egress interface; for exact information, view the information on the egress device.

# Enable debugging for NAT packets on Router B.

<RouterB> terminal monitor

<RouterB> terminal debugging

<RouterB> debugging nat packet

# Ping www.test2.com on Host B.

C:\Users>ping www.test2.com

Pinging www.test2.com [200.1.1.1] with 32 bytes of data:

Reply from 200.1.1.1: Bytes=32 time=1ms TTL=127

Reply from 200.1.1.1: Bytes=32 time=1ms TTL=127

Reply from 200.1.1.1: Bytes=32 time=1ms TTL=127

Reply from 200.1.1.1: Bytes=32 time=1ms TTL=127

Ping statistics for 200.1.1.1:

    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip time in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users>

# The following debugging for NAT packets is displayed on Router B.

<RouterB>*Apr 10 19:35:23:097 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/5.200-in-config) Protocol: UDP

         2.1.3.1:64192 -         1.1.1.1:   53(VPN:    0) ------>

         2.1.3.1:64192 -         5.5.5.2:   53(VPN:    0)

*Apr 10 19:35:23:097 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/6-out-config) Protocol: UDP

         2.1.3.1:64192 -         5.5.5.2:   53(VPN:    0) ------>

       7.7.7.117: 1754 -         5.5.5.2:   53(VPN:    0)

*Apr 10 19:35:23:098 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/6-in-session) Protocol: UDP

         5.5.5.2:   53 -       7.7.7.117: 1754(VPN:    0) ------>

         5.5.5.2:   53 -         2.1.3.1:64192(VPN:    0)

*Apr 10 19:35:23:098 2017 H3C NAT/7/COMMON: -MDC=1-Slot=3;

 PACKET: (GigabitEthernet3/1/5.200-out-session) Protocol: UDP

         5.5.5.2:   53 -         2.1.3.1:64192(VPN:    0) ------>

         1.1.1.1:   53 -         2.1.3.1:64192(VPN:    0)

The output shows that, when Host B accesses domain name www.test2.com by using username user2@isp2, the packets that the user sends to destination IP address 1.1.1.1 are redirected to Router B. After a series of NAT translations on Router B, the DNS packets are sent to DNS server 2 of ISP2, and DNS server 2 resolves the domain name to 200.1.1.1 for Host B.

# View detailed information about static IPoE user Printer.

<BRAS> display ip subscriber session static verbose

Basic:

  Description                 : -

  Username                    : Printer@isp3       //Username of the printer

  Domain                      : isp3               //ISP domain of the printer

  VPN instance                : N/A

  IP address                  : 2.1.6.1         //Static IP address of the printer

  User address type           : N/A

  MAC address                 : 000c-29b6-c756    //MAC address of the printer

  Service-VLAN/Customer-VLAN  : 12/-            //VLANs of the printer

  Access interface            : RAGG1.1           //Access interface of the printer

  User ID                     : 0x38080000

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : N/A

  DHCP remain lease           : N/A

  Access time                 : Mar 21 13:27:21 2016

  Online time(hh:mm:ss)       : 00:00:49

  Service node                : Chassis 1 Slot 3 CPU 0

  Authentication type         : Bind

  IPv4 access type            : Static                  //IPoE access type of the printer user

  IPv4 detect state           : Detecting

  State                       : Online

 

AAA:

  ITA policy name             : N/A

  IP pool                     : N/A

  IPv6 pool                   : N/A

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : 1800 sec, 10240 bytes, direction: Both

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : Mar 21 13:27:21 2016

  Subscriber ID               : -

 

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

 

Flow statistic:

  Uplink   packets/bytes      : 43/5179

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

Configuration files

·     BRAS:

#

policy-based-route policy1 permit node 1

 if-match acl 3020

 apply next-hop 6.6.100.2

#

policy-based-route policy1 permit node 2

 if-match acl 3030

 apply next-hop 6.6.200.2

#

policy-based-route policy1 permit node 3

 if-match acl 3000

 apply output-interface GigabitEthernet3/1/2

#

policy-based-route policy1 permit node 4

 if-match acl 3001

 apply output-interface GigabitEthernet3/1/3

#

interface GigabitEthernet3/1/1

 port link-mode route

 ip address 2.1.1.1 255.255.0.0

 ip subscriber routed enable

 ip subscriber initiator unclassified-ip enable matching-user

 ip subscriber session static ip 2.1.6.1 domain isp3

 ip subscriber password ciphertext $c$3$1rLGh6nEBOtDFpoLMDy3H3Ea9ISlNcIm

 portal enable method direct

 portal bas-ip 2.1.1.1

 portal apply web-server newpt

#

interface GigabitEthernet3/1/2

 port link-mode route

 ip address 3.3.3.1 255.255.255.0

 packet-filter 3002 outbound

#

interface GigabitEthernet3/1/3

 port link-mode route

 ip address 5.5.5.1 255.255.255.0

 packet-filter 3002 outbound

#

acl advanced 3000

 rule 5 permit ip user-group group1

#

acl advanced 3001

 rule 5 permit ip user-group group2

#

acl advanced 3002

 rule 5 deny ip source 2.1.6.1 0

#

acl advanced 3020

 rule 5 permit udp destination 1.1.1.1 0 destination-port eq dns user-group group1

#

acl advanced 3030

 rule 5 permit udp destination 1.1.1.1 0 destination-port eq dns user-group group2

#

radius scheme rs1

 primary authentication 4.4.4.2

 primary accounting 4.4.4.2

 key authentication cipher $c$3$wGjbug1lhbFGrVn4aNfeW+mO+NJY6XgfkA==

 key accounting cipher $c$3$KeUGL49Crr0vXXmFPdMbZXmpk2MPrELBcw==

 nas-ip 4.4.4.1

#

domain name isp1

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name isp2

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name isp3

 authentication ipoe local

 authorization ipoe local

 accounting ipoe local

#

domain name system

#

user-group group1

#

user-group group2

#

user-group system

#

local-user Printer class network

 password cipher $c$3$Cd19WGFBD9vqzPCdstPIEgc8p/4T6TB9

 service-type ipoe

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#

portal web-server newpt

 url http://4.4.4.2/index_9.html

#

portal server newpt

 ip 4.4.4.2 key cipher $c$3$RDd9CsN6tGVV+NKXun9z5Br9InR4qp4NWQ==

#

·     Router B (NAT device):

#

nat address-group 1

 address 7.7.7.100 7.7.7.254

#

interface GigabitEthernet3/1/5

 port link-mode route

#

interface GigabitEthernet3/1/5.100

 ip address 6.6.100.2 255.255.255.0

 nat server protocol udp global 1.1.1.1 53 inside 3.3.3.2 53

 vlan-type dot1q vid 100

#

interface GigabitEthernet3/1/5.200

 ip address 6.6.200.2 255.255.255.0

 nat server protocol udp global 1.1.1.1 53 inside 5.5.5.2 53

 vlan-type dot1q vid 200

#

interface GigabitEthernet3/1/6

 port link-mode route

 ip address 7.7.7.2 255.255.255.0

 nat outbound 3000 address-group 1

#

acl advanced 3000

 rule 5 permit udp source 2.1.0.0 0.0.255.255 source-port eq dns

 rule 10 permit udp source 3.3.3.2 0 source-port eq dns

 rule 15 permit udp source 5.5.5.2 0 source-port eq dns

#

Example: Configuring multi egress user groups in a BRAS campus network (local authorization)

Network configuration

As shown in Figure 33, the dormitory area and office area of a campus network are directly attached to BRAS. As the border device, BRAS is connected to different service providers ISP1 and ISP2. Configure the BRAS campus network to meet the following requirements:

·     Users in the dormitory area access through portal. Before passing portal authentication, the users can access only the portal Web server. After passing portal authentication, the users can access the Internet.

·     Users in the office area can access the Internet without portal authentication. Users on network segment 2.1.4.0/24 can use only ISP1, and users on network segment 2.1.5.0/24 can use only ISP2.

·     Printers in the office area access through static IPoE and are not allowed to access the Internet.

·     Suffix @ISP1 or @ISP2 is added to portal usernames when users come online. BRAS specifies an ISP egress interface for a user according to the user group corresponding to the user.

·     Implement multiple egress user groups by using local authorization.

Figure 33 Network diagram

Device           Interface   IP address     Device            Interface   IP address
RADIUS server    -           4.4.4.2/24     Router A (BRAS)   GE3/1/1     2.1.1.1/24
Portal server    -           4.4.4.2/24                       GE3/1/2     3.3.3.1/24
Router B         GE3/1/1     3.3.3.2/24                       GE3/1/3     5.5.5.1/24
Router C         GE3/1/1     5.5.5.2/24                       GE3/1/4     4.4.4.1/24

Requirements analysis

·     Configure the access device on the RADIUS server, and add usernames and passwords for users.

·     To use the SRun software as the portal server, set the portal protocol and portal password on the page for adding an access device.

·     To perform portal authentication for users accessing the campus network, configure the portal server and enable portal authentication on BRAS.

·     For users in the office area to access the Internet without portal authentication, execute the free account command in the behavior for traffic on the network segments where users in the office area reside to permit traffic from users in the office area.

·     For users on network segment 2.1.4.0/24 in the office area to access the Internet through only ISP1, configure redirecting traffic to ISP1 in the behavior for traffic on the network segment.

·     For users on network segment 2.1.5.0/24 in the office area to access the Internet through only ISP2, configure redirecting traffic to ISP2 in the behavior for traffic on the network segment.

·     To use RADIUS to perform authentication, authorization, and accounting for portal users, configure a RADIUS scheme on BRAS, specify the authentication, authorization, and accounting servers for it, and apply it to the ISP domain to which the portal users belong.

·     To secure the packet exchange between BRAS and the RADIUS server and let BRAS detect whether RADIUS response packets have been tampered with, set the shared key (123456 in this example) for exchanging packets between BRAS and the RADIUS server.

·     To implement multiple egress user groups, configure user groups group1 and group2 that correspond to users in ISP1 and users in ISP2, respectively, and then configure PBR policies to forward traffic from each user group to the corresponding egress interface.

·     To implement multiple egress user groups by using local authorization, configure authorization user groups in the ISP domains.

·     To disable printers in the office area from accessing the Internet, filter the packets sent out of GE 3/1/2 and GE 3/1/3 on BRAS.

Restrictions and guidelines

To avoid service unavailability caused by port number conflicts, make sure the internal listening port number is not used by any well-known protocol and is not used by a TCP-based service. To view the TCP port numbers used by other services, execute the display tcp command.

Procedure

Configuring the RADIUS server and portal server (applicable only to remote AAA authentication)

IMPORTANT:

This section uses the SRun software of version 4.0.9 as an example to describe how to configure basic settings of the RADIUS server and portal server.

 

1.     Enter http://4.4.4.2:8081 in the address bar of a browser to log in to the server.

2.     Add access devices.

a.     Select Device from the navigation tree.

b.     Click the Add Device tab.

c.     On the tab, click Add.

d.     On the page that opens, perform the following tasks:

-     Set the device name to BRAS.

-     Set the NAS IP to 4.4.4.1.

-     Set the IP to 4.4.4.2.

-     Select Huawei, H3C, SRun Gateway from the NAS type list.

-     Set the DM port to 3799.

-     Set the RADIUS key to 123456.

-     Select No from the Whether to discard flow list.

-     Select H3C,HUAWEI(h3c v1.2) from the portal protocol list.

-     Set the portal key to 123456.

Table 2 Adding an access device

 

3.     Set the RADIUS trust:

a.     Select Radius from the navigation tree.

b.     Click the Radius Trust Setting link to enter the Radius trust setting page.

c.     Click Generate in the upper right corner until the trust is successfully generated.

4.     Click the Radius Service Setting tab, and specify the device to carry the ISP domain name in the username sent to the RADIUS server (select with domain from the Username verification list).

5.     Enter https://4.4.4.2:8080 in the address bar of a browser to log in to the server.

6.     Add organizations:

a.     Navigate to the Setting > Permission > Organization structure page.

b.     Click the  icon.

c.     Add organizations Dormitory Area and Office Area.

7.     Add users:

a.     Navigate to the Account > Add page. Click Add.

b.     Add user user1: set the account to user1@isp1, set the password to pass1, and select organization Dormitory Area.

c.     Add user user2: set the account to user2@isp2, set the password to pass2, and select organization Dormitory Area.

d.     Add user user3: set the account user3@isp1, set the password to pass3, and select organization Office Area.

e.     Add user user4: set the account user4@isp2, set the password to pass4, and select organization Dormitory Area.

Configuring IP addresses and routes

As shown in Figure 33, configure IP addresses for interfaces, and make sure the BRAS and servers can reach each other at Layer 3. (Details not shown.)

Configuring the BRAS

Configuring a RADIUS scheme

# Create RADIUS scheme  rs1, and enter its view.

[BRAS] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[BRAS-radius-rs1] primary authentication 4.4.4.2

[BRAS-radius-rs1] primary accounting 4.4.4.2

[BRAS-radius-rs1] key authentication simple 123456

[BRAS-radius-rs1] key accounting simple 123456

# Specify a source IP address for outgoing RADIUS packets.

[BRAS-radius-rs1] nas-ip 4.4.4.1

[BRAS-radius-rs1] quit

Configuring user groups

# Create user group group1.

[BRAS] user-group group1

[BRAS-ugroup-group1] quit

# Create user group group2.

[BRAS] user-group group2

[BRAS-ugroup-group2] quit

Configuring a QoS policy

1.     Configure ACLs:

# Configure ACL 3010 to match packets from users on network segment 2.1.4.0/24 in the office area.

<BRAS> system-view

[BRAS] acl advanced 3010

[BRAS-acl-ipv4-adv-3010] rule 5 permit ip source 2.1.4.0 0.0.0.255

[BRAS-acl-ipv4-adv-3010] quit

# Configure ACL 3020 to match packets from users on network segment 2.1.5.0/24 in the office area.

[BRAS] acl advanced 3020

[BRAS-acl-ipv4-adv-3020] rule 5 permit ip source 2.1.5.0 0.0.0.255

[BRAS-acl-ipv4-adv-3020] quit

# Configure ACL 3030 to match packets of users in user group group1.

[BRAS] acl advanced 3030

[BRAS-acl-ipv4-adv-3030] rule 5 permit ip user-group group1

[BRAS-acl-ipv4-adv-3030] quit

# Configure ACL 3040 to match packets of users in user group group2.

[BRAS] acl advanced 3040

[BRAS-acl-ipv4-adv-3040] rule 5 permit ip user-group group2

[BRAS-acl-ipv4-adv-3040] quit

2.     Configure classes:

# Configure class 3010 to match packets matching ACL 3010.

[BRAS] traffic classifier 3010

[BRAS-classifier-3010] if-match acl 3010

[BRAS-classifier-3010] quit

# Configure class 3020 to match packets matching ACL 3020.

[BRAS] traffic classifier 3020

[BRAS-classifier-3020] if-match acl 3020

[BRAS-classifier-3020] quit

# Configure class 3030 to match packets matching ACL 3030.

[BRAS] traffic classifier 3030

[BRAS-classifier-3030] if-match acl 3030

[BRAS-classifier-3030] quit

# Configure class 3040 to match packets matching ACL 3040.

[BRAS] traffic classifier 3040

[BRAS-classifier-3040] if-match acl 3040

[BRAS-classifier-3040] quit

3.     Configure traffic behaviors:

# Configure traffic behavior 3010 to count traffic in packets, permit the traffic to pass through without portal authentication, and redirect the traffic to ISP1.

[BRAS] traffic behavior 3010

[BRAS-behavior-3010] accounting packet

[BRAS-behavior-3010] free account

[BRAS-behavior-3010] redirect next-hop 3.3.3.2

[BRAS-behavior-3010] quit

# Configure traffic behavior 3020 to count traffic in packets, permit the traffic to pass through without portal authentication, and redirect the traffic to ISP2.

[BRAS] traffic behavior 3020

[BRAS-behavior-3020] accounting packet

[BRAS-behavior-3020] free account

[BRAS-behavior-3020] redirect next-hop 5.5.5.2

[BRAS-behavior-3020] quit

# Configure traffic behavior 3030 to count traffic in packets and redirect the traffic to ISP1.

[BRAS] traffic behavior 3030

[BRAS-behavior-3030] accounting packet

[BRAS-behavior-3030] redirect next-hop 3.3.3.2

[BRAS-behavior-3030] quit

# Configure traffic behavior 3040 to count traffic in packets and redirect the traffic to ISP2.

[BRAS] traffic behavior 3040

[BRAS-behavior-3040] accounting packet

[BRAS-behavior-3040] redirect next-hop 5.5.5.2

[BRAS-behavior-3040] quit

4.     Configure a QoS policy:

# Create QoS policy plcy and associate classes with behaviors.

[BRAS] qos policy plcy

[BRAS-qospolicy-plcy] classifier 3010 behavior 3010

[BRAS-qospolicy-plcy] classifier 3020 behavior 3020

[BRAS-qospolicy-plcy] classifier 3030 behavior 3030

[BRAS-qospolicy-plcy] classifier 3040 behavior 3040

[BRAS-qospolicy-plcy] quit

5.     Apply QoS policy plcy to the inbound traffic of GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] qos apply policy plcy inbound

[BRAS-GigabitEthernet3/1/1] quit

Configuring local user Printer

[BRAS] local-user Printer class network

[BRAS-luser-network-Printer] service-type ipoe

[BRAS-luser-network-Printer] password simple pass5

[BRAS-luser-network-Printer] quit

Configuring an ISP domain

# Create ISP domain isp1, and enter its view.

[BRAS] domain name isp1

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in ISP domain isp1.

[BRAS-isp-isp1] authentication portal radius-scheme rs1

[BRAS-isp-isp1] authorization portal radius-scheme rs1

[BRAS-isp-isp1] accounting portal radius-scheme rs1

# Specify user group group1 as the authorization user group for users in ISP domain isp1.

[BRAS-isp-isp1] authorization-attribute user-group group1

[BRAS-isp-isp1] quit

# Create ISP domain isp2, and enter its view.

[BRAS] domain name isp2

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in ISP domain isp2.

[BRAS-isp-isp2] authentication portal radius-scheme rs1

[BRAS-isp-isp2] authorization portal radius-scheme rs1

[BRAS-isp-isp2] accounting portal radius-scheme rs1

# Specify user group group2 as the authorization user group for users in ISP domain isp2.

[BRAS-isp-isp2] authorization-attribute user-group group2

[BRAS-isp-isp2] quit

# Create ISP domain isp3, and enter its view.

[BRAS] domain name isp3

# Configure IPoE users to use local authentication, authorization, and accounting in ISP domain isp3.

[BRAS-isp-isp3] authentication ipoe local

[BRAS-isp-isp3] authorization ipoe local

[BRAS-isp-isp3] accounting ipoe local

[BRAS-isp-isp3] quit

Configuring static IPoE user access

# Configure ACL 3002 to match packets from printers.

[BRAS] acl advanced 3002

[BRAS-acl-ipv4-adv-3002] rule 5 deny ip source 2.1.6.1 0

[BRAS-acl-ipv4-adv-3002] quit

# Enable IPoE and configure the Layer 3 access mode.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] ip address 2.1.1.1 16

[BRAS-GigabitEthernet3/1/1] ip subscriber routed enable

# Enable unclassified-IP packet initiation.

[BRAS-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ip enable matching-user

# Configure the authentication username as Printer for IPv4 individual users.

[BRAS-GigabitEthernet3/1/1] ip subscriber unclassified-ip username include string Printer

# Configure the plaintext password as pass5 for IPv4 individual users.

[BRAS-GigabitEthernet3/1/1] ip subscriber password plaintext pass5

# Configure an IPv4 static IPoE session for IP address 2.1.6.1 (the printer) in ISP domain isp3.

[BRAS-GigabitEthernet3/1/1] ip subscriber session static ip 2.1.6.1 domain isp3

[BRAS-GigabitEthernet3/1/1] quit

# Apply ACL 3002 to filter the outgoing packets on GigabitEthernet 3/1/2.

[BRAS] interface gigabitethernet 3/1/2

[BRAS-GigabitEthernet3/1/2] packet-filter 3002 outbound

[BRAS-GigabitEthernet3/1/2] quit

# Apply ACL 3002 to filter the outgoing packets on GigabitEthernet 3/1/3.

[BRAS] interface gigabitethernet 3/1/3

[BRAS-GigabitEthernet3/1/3] packet-filter 3002 outbound

[BRAS-GigabitEthernet3/1/3] quit
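As an added example (not part of the H3C configuration above), the following Python script models how the ACLs in this example are evaluated, so that the intended split can be checked before the policy is applied: the inbound QoS policy plcy on GigabitEthernet 3/1/1 (classes tried in the order they appear in the policy, first match wins, which is an assumption to confirm on your software version) and the outbound packet filter with ACL 3002 on the two ISP-facing interfaces. It makes two points explicit that are easy to get wrong: an H3C wildcard mask is inverted (a 0 bit must match, so `source 2.1.6.1 0` matches exactly one host), and ACL 3002 contains only a deny rule, so every other packet is handled by the packet filter's default action (permit on Comware devices unless `packet-filter default deny` is configured; treat that default as an assumption and verify it on the target release). The hosts, user groups and ACL contents are the ones used in this example; the function names are mine.

```python
"""Model of the inbound QoS policy and outbound packet filter in this example.

Added example; not H3C code. ACL rules, classes, behaviors and hosts are the ones
configured on the BRAS above. First-match class ordering and a packet-filter
default action of permit are assumptions to verify on the target software version.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """H3C wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored.
    The CLI shorthand "0" (as in "source 2.1.6.1 0") is the wildcard 0.0.0.0, i.e. one host."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


# ACLs as configured on the BRAS (rule order preserved).
ACLS = {
    3010: [{"action": "permit", "source": ("2.1.4.0", "0.0.0.255")}],
    3020: [{"action": "permit", "source": ("2.1.5.0", "0.0.0.255")}],
    3030: [{"action": "permit", "user_group": "group1"}],
    3040: [{"action": "permit", "user_group": "group2"}],
    3002: [{"action": "deny", "source": ("2.1.6.1", "0.0.0.0")}],
}

# QoS policy plcy: (class/ACL number, behavior) in configuration order.
POLICY = [
    (3010, {"next_hop": "3.3.3.2", "free_account": True}),
    (3020, {"next_hop": "5.5.5.2", "free_account": True}),
    (3030, {"next_hop": "3.3.3.2", "free_account": False}),
    (3040, {"next_hop": "5.5.5.2", "free_account": False}),
]


def acl_lookup(acl_number: int, src: str, user_groups: frozenset):
    """Return the action of the first matching rule, or None when no rule matches."""
    for rule in ACLS[acl_number]:
        if "source" in rule and not wildcard_match(src, *rule["source"]):
            continue
        if "user_group" in rule and rule["user_group"] not in user_groups:
            continue
        return rule["action"]
    return None


def qos_policy_inbound(src: str, user_groups=frozenset()):
    """Inbound on GE3/1/1: the first class whose ACL permits the packet selects the behavior.
    No match means no redirect: the packet follows normal routing and the portal rules."""
    for acl_number, behavior in POLICY:
        if acl_lookup(acl_number, src, frozenset(user_groups)) == "permit":
            return {"class": acl_number, **behavior}
    return None


def packet_filter_outbound(src: str, default: str = "permit") -> str:
    """Outbound on GE3/1/2 and GE3/1/3 with ACL 3002: only a deny rule exists, so every
    other source falls through to the packet-filter default action."""
    action = acl_lookup(3002, src, frozenset())
    return action if action is not None else default


def evaluate_hosts() -> dict:
    """Run the hosts from this example through both policies (user groups come from
    the ISP domain's authorization-attribute after portal login; none before it)."""
    cases = {
        "office host C (2.1.4.10, unauthenticated)": ("2.1.4.10", ()),
        "office host D (2.1.5.10, unauthenticated)": ("2.1.5.10", ()),
        "dorm host A before portal (2.1.2.1)": ("2.1.2.1", ()),
        "dorm host A as user1@isp1 (group1)": ("2.1.2.1", ("group1",)),
        "dorm host B as user2@isp2 (group2)": ("2.1.3.1", ("group2",)),
        "printer (2.1.6.1, static IPoE)": ("2.1.6.1", ()),
    }
    return {
        name: {"inbound": qos_policy_inbound(src, groups), "to_isp": packet_filter_outbound(src)}
        for name, (src, groups) in cases.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_hosts().items():
        print(name, "->", result)
```

The model shows why the printer needs both halves of the configuration: nothing in plcy matches 2.1.6.1, so its packets are never redirected, and the outbound deny on both ISP interfaces is what keeps it off the Internet. If the default action on your platform were deny instead of permit, the same ACL would cut off every authenticated user as well, which is the kind of inversion worth checking in a lab before rollout.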

Configuring portal authentication

# Configure the portal authentication server: name newpt, IP address 4.4.4.2, plaintext password 123456, and portal packet listening port number 50100.

[BRAS] portal server newpt

[BRAS-portal-server-newpt] ip 4.4.4.2 key simple 123456

[BRAS-portal-server-newpt] port 50100

[BRAS-portal-server-newpt] quit

# Configure the portal Web server URL as http://4.4.4.2/index_9.html. The URL must be the same as the portal redirection page URL in the device table after devices are added to the server.

[BRAS] portal web-server newpt

[BRAS-portal-websvr-newpt] url http://4.4.4.2/index_9.html

[BRAS-portal-websvr-newpt] quit

# Configure the HTTPS redirect listening port number.

[BRAS] http-redirect https-port 8888

# Enable direct IPv4 portal authentication on GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] portal enable method direct

# Specify portal Web server newpt on GigabitEthernet 3/1/1 for portal authentication.

[BRAS-GigabitEthernet3/1/1] portal apply web-server newpt

# Configure the BAS-IP attribute carried in the portal packets sent to the portal authentication server as 2.1.1.1 on GigabitEthernet 3/1/1.

[BRAS-GigabitEthernet3/1/1] portal bas-ip 2.1.1.1

[BRAS-GigabitEthernet3/1/1] quit

Verifying the configuration

# Before passing portal authentication, the users in the dormitory area can access only the Web authentication homepage of the portal Web server.

# Before a user passes portal authentication, ping 3.3.3.2 of ISP1 from Host C.

C:\Users>ping 3.3.3.2

Pinging 3.3.3.2 with 32 bytes of data:

Reply from 3.3.3.2: Bytes=32 time=1ms TTL=127

Reply from 3.3.3.2: Bytes=32 time=1ms TTL=127

Reply from 3.3.3.2: Bytes=32 time=1ms TTL=127

Reply from 3.3.3.2: Bytes=32 time=1ms TTL=127

Ping statistics for 3.3.3.2:

    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip time in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users>

# Ping 5.5.5.2 of ISP2 from Host C.

C:\Users\>ping 5.5.5.2

Pinging 5.5.5.2 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 5.5.5.2:

    Packets Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\>

The output above shows that Host C can access the Internet through ISP1 (rather than ISP2) without passing portal authentication.

# Before Host D passes portal authentication, ping 3.3.3.2 of ISP1 from Host D.

C:\Users\>ping 3.3.3.2

Pinging 3.3.3.2 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 3.3.3.2:

    Packets Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\>

# Ping 5.5.5.2 of ISP2 from Host D.

C:\Users>ping 5.5.5.2

Pinging 5.5.5.2 with 32 bytes of data:

Reply from 5.5.5.2: Bytes=32 time=1ms TTL=127

Reply from 5.5.5.2: Bytes=32 time=1ms TTL=127

Reply from 5.5.5.2: Bytes=32 time=1ms TTL=127

Reply from 5.5.5.2: Bytes=32 time=1ms TTL=127

Ping statistics for 5.5.5.2:

    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip time in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users>

The output above shows that Host D can access the Internet through ISP2 (rather than ISP1) without passing portal authentication.

# Verify that users in the dormitory area can access the Internet after passing portal authentication. For example, Host A uses username user1@isp1 and password pass1 to log in successfully.

# View detailed information about user user1@isp1.

[BRAS] display portal user ip 2.1.2.1 verbose

Basic:

  Current IP address: 2.1.2.1

  Original IP address: 2.1.2.1

  Username: user1@isp1

  User ID: 0x10000009

  Access interface: GigabitEthernet3/1/1

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 001b-21c6-95c1

  Domain name: isp1

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

 

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-24 17:12:02 UTC

  Online time: 3:4:10

  ITA policy name: N/A

  DHCP IP pool: N/A

 

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: group1 (Id=4)

 

Flow statistic:

  Uplink   packets/bytes      : 43/5179

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Display QoS policy configuration on an interface.

<BRAS> display qos policy interface GigabitEthernet 3/1/1

Interface: GigabitEthernet3/1/1

  Direction: Inbound

  Policy: plcy

   Classifier: 3010

     Operator: AND

     Rule(s) :

      If-match acl 3010

     Behavior: 3010

      Accounting enable:

        5 (Packets)

      Redirecting:

        Redirect to next-hop 3.3.3.2

      Free account enable

   Classifier: 3020

     Operator: AND

     Rule(s) :

      If-match acl 3020

     Behavior: 3020

      Accounting enable:

        5 (Packets)

      Redirecting:

        Redirect to next-hop 5.5.5.2

      Free account enable

   Classifier: 3030

     Operator: AND

     Rule(s) :

      If-match acl 3030

     Behavior: 3030

      Accounting enable:

        10 (Packets)

      Redirecting:

        Redirect to next-hop 3.3.3.2

   Classifier: 3040

     Operator: AND

     Rule(s) :

      If-match acl 3040

     Behavior: 3040

      Accounting enable:

        0 (Packets)

      Redirecting:

        Redirect to next-hop 5.5.5.2

The output shows that after passing portal authentication, user user1 (ISP domain isp1) is redirected to the ISP1 egress. The per-class packet counters in this output are only an indication of which class the traffic hit; to confirm the egress path, check the counters on the egress device itself.

# After Host B uses username user2@isp2 and password pass2 to pass portal authentication, the user can access the Internet. (Details not shown.)

# View detailed information about user user2@isp2.

[BRAS] display portal user ip 2.1.3.1 verbose

Basic:

  Current IP address: 2.1.3.1

  Original IP address: 2.1.3.1

  Username: user2@isp2

  User ID: 0x10000010

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 011c-22d6-95e3

  Domain name: isp2

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

 

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-24 17:15:02 UTC

  Online time: 3:4:10

  ITA policy name: N/A

  DHCP IP pool: N/A

 

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: group2 (Id=6)

 

Flow statistic:

  Uplink   packets/bytes      : 43/5179

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Display QoS policy configuration on an interface.

<BRAS> display qos policy interface GigabitEthernet 3/1/1

Interface: GigabitEthernet3/1/1

  Direction: Inbound

  Policy: plcy

   Classifier: 3010

     Operator: AND

     Rule(s) :

      If-match acl 3010

     Behavior: 3010

      Accounting enable:

        5 (Packets)

      Redirecting:

        Redirect to next-hop 3.3.3.2

      Free account enable

   Classifier: 3020

     Operator: AND

     Rule(s) :

      If-match acl 3020

     Behavior: 3020

      Accounting enable:

        5 (Packets)

      Redirecting:

        Redirect to next-hop 5.5.5.2

      Free account enable

   Classifier: 3030

     Operator: AND

     Rule(s) :

      If-match acl 3030

     Behavior: 3030

      Accounting enable:

        15 (Packets)

      Redirecting:

        Redirect to next-hop 3.3.3.2

   Classifier: 3040

     Operator: AND

     Rule(s) :

      If-match acl 3040

     Behavior: 3040

      Accounting enable:

        30 (Packets)

      Redirecting:

        Redirect to next-hop 5.5.5.2

The output shows that after passing portal authentication, user user2 (ISP domain isp2) is redirected to the ISP2 egress. The per-class packet counters in this output are only an indication of which class the traffic hit; to confirm the egress path, check the counters on the egress device itself.

# View detailed information about static IPoE user Printer.

<BRAS> display ip subscriber session static verbose

Basic:

  Description                 : -

  Username                    : Printer@isp3       //Username of the printer

  Domain                      : isp3               //ISP domain of the printer

  VPN instance                : N/A

  IP address                  : 2.1.6.1         //Static IP address of the printer

  User address type           : N/A

  MAC address                 : 000c-29b6-c756    //MAC address of the printer

  Service-VLAN/Customer-VLAN  : -/-            //VLANs of the printer

  Access interface            : GE3/1/1           //Access interface of the printer

  User ID                     : 0x38080000

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : N/A

  DHCP remain lease           : N/A

  Access time                 : Mar 21 13:27:21 2016

  Online time(hh:mm:ss)       : 00:00:49

  Service node                : Chassis 1 Slot 3 CPU 0

  Authentication type         : Bind

  IPv4 access type            : Static                  //IPoE access type of the printer user

  IPv4 detect state           : Detecting

  State                       : Online

 

AAA:

  ITA policy name             : N/A

  IP pool                     : N/A

  IPv6 pool                   : N/A

  IPv6 nd prefix pool         : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : 1800 sec, 10240 bytes, direction: Both

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : Mar 21 13:27:21 2016

  Subscriber ID               : -

 

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

 

Flow statistic:

  Uplink   packets/bytes      : 43/5179

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

Configuration files

#

traffic classifier 3010 operator and

 if-match acl 3010

#

traffic classifier 3020 operator and

 if-match acl 3020

#

traffic classifier 3030 operator and

 if-match acl 3030

#

traffic classifier 3040 operator and

 if-match acl 3040

#

traffic behavior 3010

 accounting packet

 free account

 redirect next-hop 3.3.3.2

#

traffic behavior 3020

 accounting packet

 free account

 redirect next-hop 5.5.5.2

#

traffic behavior 3030

 accounting packet

 redirect next-hop 3.3.3.2

#

traffic behavior 3040

 accounting packet

 redirect next-hop 5.5.5.2

#

qos policy plcy

 classifier 3010 behavior 3010

 classifier 3020 behavior 3020

 classifier 3030 behavior 3030

 classifier 3040 behavior 3040

#

interface GigabitEthernet3/1/1

 port link-mode route

 ip address 2.1.1.1 255.255.0.0

 qos apply policy plcy inbound

 ip subscriber routed enable

 ip subscriber initiator unclassified-ip enable matching-user

 ip subscriber session static ip 2.1.6.1 domain isp3

 ip subscriber password ciphertext $c$3$1rLGh6nEBOtDFpoLMDy3H3Ea9ISlNcIm

 portal enable method direct

 portal bas-ip 2.1.1.1

 portal apply web-server newpt

#

interface GigabitEthernet3/1/2

 port link-mode route

 ip address 3.3.3.1 255.255.255.0

 packet-filter 3002 outbound

#

interface GigabitEthernet3/1/3

 port link-mode route

 ip address 5.5.5.1 255.255.255.0

 packet-filter 3002 outbound

#

acl advanced 3002

 rule 5 deny ip source 2.1.6.1 0

#

acl advanced 3010

 rule 5 permit ip source 2.1.4.0 0.0.0.255

#

acl advanced 3020

 rule 5 permit ip source 2.1.5.0 0.0.0.255

#

acl advanced 3030

 rule 5 permit ip user-group group1

#

acl advanced 3040

 rule 5 permit ip user-group group2

#

radius scheme rs1

 primary authentication 4.4.4.2

 primary accounting 4.4.4.2

 key authentication cipher $c$3$wGjbug1lhbFGrVn4aNfeW+mO+NJY6XgfkA==

 key accounting cipher $c$3$KeUGL49Crr0vXXmFPdMbZXmpk2MPrELBcw==

 nas-ip 4.4.4.1

#

domain name isp1

 authorization-attribute user-group group1

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name isp2

 authorization-attribute user-group group2

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name isp3

 authentication ipoe local

 authorization ipoe local

 accounting ipoe local

#

domain name system

#

user-group group1

#

user-group group2

#

user-group system

#

local-user Printer class network

 password cipher $c$3$Cd19WGFBD9vqzPCdstPIEgc8p/4T6TB9

 service-type ipoe

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#

portal web-server newpt

 url http://4.4.4.2/index_9.html

#

portal server newpt

 ip 4.4.4.2 key cipher $c$3$RDd9CsN6tGVV+NKXun9z5Br9InR4qp4NWQ==

#

Example: Configuring ITA in a BRAS campus network

Network configuration

As shown in Figure 34, the dormitory area and office area in a campus network are deployed under BRAS, and the campus network has a large number of internal servers. Configure the BRAS campus network to meet the following requirements:

·     Users in the dormitory area and office area all access through portal. Before passing portal authentication, the users can access only the Web authentication homepage of the portal Web server. After passing portal authentication, the users can access the Internet.

·     After user A in the dormitory area passes portal authentication, the user can access the internal network with non-ITA accounting and the fixed rate limit of 5 Mbps, and access the Internet with non-ITA accounting and the AAA-authorized rate limit of 10 Mbps.

·     After user B in the dormitory area passes portal authentication, the user can access the internal network with ITA accounting and the fixed rate limit of 5 Mbps, and access the Internet with ITA accounting and the AAA-authorized rate limit of 10 Mbps.

·     After user C in the office area passes portal authentication, the user can access the internal network without accounting and with the fixed rate limit of 5 Mbps, and access the Internet with non-ITA accounting and the AAA-authorized rate limit of 10 Mbps.

·     After user D in the office area passes portal authentication, the user can access the internal network with ITA accounting and the AAA-authorized rate limit of 5 Mbps, and access the Internet with ITA accounting and the AAA-authorized rate limit of 10 Mbps.

·     After the Internet access charge of user A, B, or C is overdue, the user can still access the internal network.

·     Apply ITA policies in different ways: Apply ITA policies to users A, B, and C in ISP domains, and apply an ITA policy to user D through AAA.

Figure 34 Network diagram

 

Device           Interface   IP address

RADIUS server    -           4.4.4.2/24

Portal server    -           4.4.4.2/24

File server      -           4.4.4.3/24

Router (BRAS)    GE3/1/1     2.1.1.1/24

                 GE3/1/2     3.3.3.1/24

                 GE3/1/3     4.4.4.1/24

 

Requirements analysis

·     Configure the access devices, RADIUS attributes, accounting policies, control strategies (for example, dynamically authorize a rate limit of 10 Mbps through AAA), and product strategies on the RADIUS server, and add usernames and passwords for users.

·     For the RADIUS server to also act as the portal server, set the portal protocol and portal password on the page for adding an access device.

·     To perform portal authentication for users accessing the campus network, configure the portal server and enable portal authentication on BRAS.

·     To use RADIUS to perform authentication, authorization, and accounting for portal users, configure a RADIUS scheme on BRAS, specify the authentication, authorization, and accounting servers for it, and apply it to the ISP domain to which the portal users belong.

·     To let BRAS verify that RADIUS response packets come from the configured server and have not been tampered with in transit, and to protect the User-Password attribute in requests, configure the same shared key (123456 in this example) on BRAS and on the RADIUS server. The key is never sent on the wire; each side uses it only to compute and check the RADIUS authenticators. Use a long random key outside a lab.

·     To perform rate limiting and accounting for internal network access traffic and Internet access traffic separately, configure ACLs, QoS policies, and ITA policies on BRAS. Mark internal network access traffic with accounting level 2. The device will automatically mark the other traffic with accounting level 1.

·     For the purpose that user A can access the internal network with non-ITA accounting and the fixed rate limit of 5 Mbps and access the Internet with non-ITA accounting and the AAA-authorized rate limit of 10 Mbps after passing portal authentication, configure an ITA policy for user A as follows:

¡     For the internal network access traffic (traffic with accounting level 2), do not specify the accounting type (do not specify the ipv4 keyword) so that ITA accounting will not be performed, and configure the CIR as 5000 kbps.

¡     Do not configure the accounting type or rate limit for Internet traffic on the device.

·     For the purpose that user B can access the internal network with ITA accounting and the fixed rate limit of 5 Mbps and access the Internet with ITA accounting and the AAA-authorized rate limit of 10 Mbps after passing portal authentication, configure an ITA policy for user B as follows:

¡     For the internal network access traffic (traffic with accounting level 2), specify the accounting type as IPv4 (specify the ipv4 keyword) so that ITA accounting will be performed, and configure the CIR as 5000 kbps.

¡     For Internet traffic, specify the accounting type as IPv4 (specify the ipv4 keyword) so that ITA accounting will be performed, and do not configure the CIR. 

¡     Exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

·     For the purpose that user C can access the internal network without accounting and with the fixed rate limit of 5 Mbps and access the Internet with non-ITA accounting and the AAA-authorized rate limit of 10 Mbps after passing portal authentication, configure an ITA policy for user C as follows:

¡     For the internal network access traffic (traffic with accounting level 2), do not specify the accounting type (do not specify the ipv4 keyword) so that ITA accounting will not be performed, and configure the CIR as 5000 kbps.

¡     Do not configure the accounting type or rate limit for Internet traffic on the device.

¡     Exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

·     For the purpose that user D can access the internal network with ITA accounting and the AAA-authorized rate limit of 5 Mbps and access the Internet with ITA accounting and the AAA-authorized rate limit of 10 Mbps after passing portal authentication, configure an ITA policy for user D as follows:

¡     Issue the ITA policy on the AAA server.

¡     For the internal network access traffic (traffic with accounting level 2), specify the accounting type as IPv4 (specify the ipv4 keyword) so that ITA accounting will be performed, and configure the CIR as 5000 kbps.

¡     For the Internet access traffic, specify the accounting type as IPv4 (specify the ipv4 keyword) and configure the CIR as 10000 kbps.

·     For user A, B, or C to still reach the internal network after the Internet access charge is overdue, make the Internet access control strategy con_pl1 conditional on the user having consumed no more than 42949672960 bytes (40 GiB) of Internet traffic. Once that amount is used up, the internal network control strategy con_pl2 takes over, so the user can still access the internal network.

Restrictions and guidelines

To avoid service unavailability caused by port number conflicts, make sure the internal listening port number is not used by any well-known protocol and is not used by a TCP-based service. To view the TCP port numbers used by other services, execute the display tcp command.

Procedures

Configuring the RADIUS server and portal server

IMPORTANT:

This section uses the SRun software of version 4.0.9 as an example to describe how to configure basic settings of the RADIUS server and portal server.

 

1.     Enter http://4.4.4.2:8081 in the address bar of a browser to log in to the server.

2.     Add access devices:

a.     Select Device from the navigation tree.

b.     Click the Add Device tab.

c.     On the tab, click Add.

d.     On the page that opens, perform the following tasks:

-     Set the device name to BRAS.

-     Set the NAS IP to 4.4.4.1.

-     Set the IP to 4.4.4.2.

-     Select H3C 88X from the NAS type list.

-     Set the DM port to 3799.

-     Set the RADIUS key to 123456.

-     Select No from the Whether to discard flow list.

-     Select H3C,HUAWEI(h3c v1.2) from the portal protocol list.

-     Set the portal key to 123456.

Figure 35 Adding an access device

 

3.     Set the RADIUS trust:

a.     Select Radius from the navigation tree.

b.     Click the Radius Trust Setting link to enter the Radius trust setting page.

c.     Click Generate in the upper right corner until the trust is successfully generated.

4.     Add RADIUS attributes RADIUS attribute1 and RADIUS attribute2 (this section uses RADIUS attribute1 as an example):

a.     Select Radius from the navigation tree.

b.     Click the Add RADIUS Attributes tab, and click Add.

c.     On the page that opens, perform the following tasks:

-     Set the name to RADIUS attribute1. (For RADIUS attribute RADIUS attribute2, set the name to RADIUS attribute2.)

-     Set the attribute name to H3C-Accounting-Level.

-     Set the vendor ID to 25506.

-     Set the vendor name to H3C.

-     Set the attribute ID to 215.

-     Set the value type to Integer.

-     Specify the dictionary file dictionary.h3c.

-     Select H3C 88X from the NAS type list.

-     Set the transmission condition to Unconditional send.

-     Set the format to %d.

-     Set the variable value to No (using a fixed value).

-     Set the fixed value to 1. (For RADIUS attribute RADIUS attribute2, set the fixed value to 2.)

Figure 36 Setting RADIUS attribute1

 

5.     Add RADIUS attribute ITA policy:

a.     Access the Add RADIUS Attributes tab, and click Add.

b.     On the page that opens, perform the following tasks:

-     Set the name to ITA policy.

-     Set the attribute name to H3C-Ita-Policy.

-     Set the vendor ID to 25506.

-     Set the vendor name to H3C.

-     Set the attribute ID to 216.

-     Set the value type to String.

-     Specify the dictionary file dictionary.h3c.

-     Select H3C 88X from the NAS type list.

-     Set the transmission condition to Unconditional send.

-     Set the format to %s.

-     Set the variable value to No (using a fixed value).

-     Set the fixed value to ita_pl4.

Figure 37 Setting RADIUS attribute ITA policy

 

6.     Click the Radius Service Setting tab, and specify the device to carry the ISP domain name in the username sent to the RADIUS server (select with domain from the Username verification list).

7.     Enter https://4.4.4.2:8080 in the address bar of a browser to log in to the server.

8.     Configure a billing strategy:

a.     Click the Billing tab, and click Add.

b.     Select a billing mode, for example 5 Yuan/GB.

c.     Set the consumption to 100 Yuan.

Figure 38 Setting the billing strategy

 

9.     Configure the Internet access control strategy con_pl1 for users A, B, and C:

a.     Access the Strategy > Control page, and click Add.

b.     Configure control strategy con_pl1.

c.     Select the download bandwidth 10 Mbps.

d.     Select the upload bandwidth 10 Mbps.

e.     Select the switch mode as online change and distribute built-in COA to change bandwidth.

f.     Select Yes from the distribute built-in attributes list.

g.     Select Yes from the COA distribute built-in attributes list.

h.     Select attribute RADIUS attribute1 as the custom attribute to be deployed by RADIUS.

i.     Specify the condition for using the control strategy as sum_bytes<=42949672960. The control strategy is then applied while the user's Internet traffic does not exceed 42949672960 bytes (40 GiB).

10.     Configure the internal network access control strategy con_pl2 for users A, B, and C:

a.     Access the Strategy > Control page, and click Add.

b.     Configure control strategy con_pl2.

c.     Select the switch mode as online change and distribute built-in COA to change bandwidth.

d.     Select Yes from the distribute built-in attributes list.

e.     Select Yes from the COA distribute built-in attributes.

f.     Select attribute RADIUS attribute2 as the custom attribute to be deployed by RADIUS.

11.     Configure control strategy con_pl3 for user D:

a.     Navigate to the Strategy > Control page. Click Add to add control strategy con_pl3.

b.     Set the control strategy name to con_pl3.

c.     Select the download bandwidth to unlimited.

d.     Select the upload bandwidth to unlimited.

e.     Select attribute ITA policy as the custom attribute to be deployed by RADIUS.
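The two custom attributes defined in steps 4 and 5 and deployed by the control strategies in steps 9 to 11 travel as RADIUS Vendor-Specific attributes (type 26) with the H3C vendor ID. The following Python block is an added example, not part of this document or of the SRun software: it encodes H3C-Accounting-Level (attribute 215, integer) and H3C-Ita-Policy (attribute 216, string) the way a RADIUS server places them in an Access-Accept, and parses them back with the length checks a NAS needs. The mapping from control strategy to attribute value (con_pl1 to 1, con_pl2 to 2, con_pl3 to ita_pl4) is taken from steps 9 to 11; the small dictionary is a stand-in for dictionary.h3c and the function names are the example's own.

```python
"""Encode/decode the H3C vendor-specific RADIUS attributes used in this example.

Added example, not part of the H3C document or the SRun software.
Layout follows RFC 2865 section 5.26 (Vendor-Specific, type 26) with the
H3C vendor ID 25506 and the two sub-attributes configured above:
H3C-Accounting-Level (215, integer) and H3C-Ita-Policy (216, string).
H3C_DICT is a minimal stand-in for dictionary.h3c.
"""
import struct

VENDOR_ID_H3C = 25506
ATTR_VENDOR_SPECIFIC = 26

# Only the dictionary entries this example needs (stand-in for dictionary.h3c).
H3C_DICT = {
    215: ("H3C-Accounting-Level", "integer"),
    216: ("H3C-Ita-Policy", "string"),
}
H3C_BY_NAME = {name: (num, typ) for num, (name, typ) in H3C_DICT.items()}


def encode_vsa(name, value):
    """Return one Vendor-Specific attribute carrying a single H3C sub-attribute.

    Wire format: type=26 | length | vendor-id (4) | vendor-type | vendor-length | data.
    Both length octets count their own type/length bytes.
    """
    num, typ = H3C_BY_NAME[name]
    if typ == "integer":
        data = struct.pack("!I", int(value))          # 32-bit unsigned, network order
    elif typ == "string":
        data = value.encode("utf-8")
        if not 1 <= len(data) <= 247:                 # 253 max minus 6 octets of vendor header
            raise ValueError("string does not fit in one VSA")
    else:
        raise ValueError("unsupported value type %s" % typ)
    sub = struct.pack("!BB", num, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), VENDOR_ID_H3C) + sub


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return [(name, value), ...].

    Length fields are validated before use; unknown vendors or sub-attributes
    are returned with numeric names rather than silently dropped.
    """
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC:
            out.append(("Attr-%d" % atype, body))
            continue
        if len(body) < 6:
            raise ValueError("VSA shorter than vendor header")
        vendor = struct.unpack("!I", body[:4])[0]
        sub, spos = body[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated sub-attribute header")
            snum, slen = sub[spos], sub[spos + 1]
            if slen < 2 or spos + slen > len(sub):
                raise ValueError("bad sub-attribute length")
            sdata = sub[spos + 2:spos + slen]
            spos += slen
            if vendor != VENDOR_ID_H3C or snum not in H3C_DICT:
                out.append(("Vendor-%d-%d" % (vendor, snum), sdata))
                continue
            name, typ = H3C_DICT[snum]
            if typ == "integer":
                if len(sdata) != 4:
                    raise ValueError("%s: integer must be 4 octets" % name)
                out.append((name, struct.unpack("!I", sdata)[0]))
            else:
                out.append((name, sdata.decode("utf-8")))
    return out


def authorization_for(strategy):
    """Attribute bytes the server deploys for the control strategies above:
    con_pl1 -> RADIUS attribute1 (level 1), con_pl2 -> RADIUS attribute2
    (level 2), con_pl3 -> ITA policy ita_pl4."""
    table = {
        "con_pl1": encode_vsa("H3C-Accounting-Level", 1),
        "con_pl2": encode_vsa("H3C-Accounting-Level", 2),
        "con_pl3": encode_vsa("H3C-Ita-Policy", "ita_pl4"),
    }
    return table[strategy]


if __name__ == "__main__":
    for strategy in ("con_pl1", "con_pl2", "con_pl3"):
        raw = authorization_for(strategy)
        print(strategy, raw.hex(), decode_attributes(raw))
```

The decoder deliberately refuses any attribute whose length octet runs past the buffer; a NAS that trusts the length fields in a reply is the classic source of RADIUS parser crashes, and the vendor sub-attribute layer has its own length that must be checked independently.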

12.     Configure product strategies policy1 and policy2 for users A, B, and C:

a.     Navigate to the Strategy > Product page. Click Add to add product strategies policy1 and policy2. This section uses product strategy policy1 as an example.

b.     Set the product name to policy1. (For product strategy policy2, set the name to policy2.)

c.     Select the billing mode Traffic-Based Accounting.

d.     Select control strategy con_pl1. (For product strategy policy2, select con_pl2.)

13.     Configure product strategy policy3 for user D:

a.     Navigate to the Strategy > Product page. Click Add to add product strategy policy3.

b.     Set the product strategy name to policy3.

c.     Select the billing mode Traffic-Based Accounting.

d.     Select the control strategy con_pl3.

14.     Add an organization structure:

a.     Navigate to the Setting > Permission > Organization structure page.

b.     Click the  icon.

c.     Add organizations Dormitory Area and Office Area.

15.     Add users:

a.     Navigate to the Account > Add page. Click Add.

b.     Add user user1: set the account to user1@portal1_dm, set the password to pass1, select organization Dormitory Area, and select product strategies policy1 and policy2.

c.     Add user user2: set the account to user2@portal2_dm, set the password to pass2, select organization Dormitory Area, and select product strategies policy1 and policy2.

d.     Add user user3: set the account user3@portal3_dm, set the password to pass3, select organization Office Area, and select product strategies policy1 and policy2.

e.     Add user user4: set the account user4@portal4_dm, set the password to pass4, select organization Office Area, and select product strategy policy3.

Configuring IP addresses and routes

As shown in Figure 34, configure IP addresses for interfaces, and make sure the BRAS and servers can reach each other at Layer 3. (Details not shown.)

Configuring the BRAS

Configuring DHCP

# Enable DHCP.

[BRAS] dhcp enable

# Create DHCP address pool pool1.

[BRAS] dhcp server ip-pool pool1

# Specify primary subnet 2.1.0.0/16 for dynamic allocation in the address pool. Specify gateway address 2.1.1.1 and DNS server address 8.8.8.8 in the address pool.

[BRAS-dhcp-pool-pool1] network 2.1.0.0 16

[BRAS-dhcp-pool-pool1] gateway-list 2.1.1.1

[BRAS-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 2.1.1.1 from dynamic allocation.

[BRAS-dhcp-pool-pool1] forbidden-ip 2.1.1.1

[BRAS-dhcp-pool-pool1] quit

Configuring ACLs and QoS policies

# Configure ACL 3000.

[BRAS] acl advanced 3000

# Configure rules to match the packets between users (on network segment 2.1.0.0/16) and servers (on network segment 4.4.4.0/24).

[BRAS-acl-ipv4-adv-3000] rule 10 permit ip source 2.1.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255

[BRAS-acl-ipv4-adv-3000] rule 20 permit ip source 4.4.4.0 0.0.0.255 destination 2.1.0.0 0.0.255.255

# Configure a rule to match the packets exchanged between users on network segment 2.1.0.0/16.

[BRAS-acl-ipv4-adv-3000] rule 30 permit ip source 2.1.0.0 0.0.255.255 destination 2.1.0.0 0.0.255.255

[BRAS-acl-ipv4-adv-3000] quit

# Configure class cl_usern to match packets matching ACL 3000.

[BRAS] traffic classifier cl_usern

[BRAS-classifier-cl_usern] if-match acl 3000

[BRAS-classifier-cl_usern] quit

# Configure traffic behavior be_usern to mark traffic with accounting level 2.

[BRAS] traffic behavior be_usern

[BRAS-behavior-be_usern] remark account-level 2

[BRAS-behavior-be_usern] quit

# Create QoS policy policy_share and associate classes with behaviors in the QoS policy.

[BRAS] qos policy policy_share

[BRAS-qospolicy-policy_share] classifier cl_usern behavior be_usern

[BRAS-qospolicy-policy_share] quit

# Apply the QoS policy to GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] qos apply policy policy_share inbound

[BRAS-GigabitEthernet3/1/1] qos apply policy policy_share outbound

[BRAS-GigabitEthernet3/1/1] quit

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

[BRAS] radius scheme rs1

# Configure the primary authentication and accounting servers and the shared keys that secure RADIUS authentication and accounting communication for the RADIUS scheme. The keys are entered in plaintext (simple) but are saved in the configuration file in cipher form. Because the device must recover the plaintext secret to compute RADIUS authenticators, the cipher form is reversible, so protect saved configuration files accordingly and use a strong key rather than 123456 outside a lab.

[BRAS-radius-rs1] primary authentication 4.4.4.2

[BRAS-radius-rs1] primary accounting 4.4.4.2

[BRAS-radius-rs1] key authentication simple 123456

[BRAS-radius-rs1] key accounting simple 123456

# Specify a source IP address for outgoing RADIUS packets.

[BRAS-radius-rs1] nas-ip 4.4.4.1

[BRAS-radius-rs1] quit

# Configure the BRAS as a dynamic authorization server (DAS), and specify the RADIUS server 4.4.4.2 as the dynamic authorization client (DAC) that is allowed to send CoA and disconnect (DM) requests to it. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC. The key must be the same as the one configured for this device on the RADIUS server; the DM port 3799 configured there is the standard RFC 5176 port.

[BRAS] radius dynamic-author server

[BRAS-radius-da-server] client ip 4.4.4.2 key simple 123456

[BRAS-radius-da-server] quit

Configuring an ITA policy

1.     Configure an ITA policy for user A:

# Configure ITA policy ita_pl1.

[BRAS] ita policy ita_pl1

[BRAS-ita-policy-ita_pl1] accounting-method radius-scheme rs1

# Configure accounting levels.

[BRAS-ita-policy-ita_pl1] accounting-level 2 car inbound cir 5000 outbound cir 5000

[BRAS-ita-policy-ita_pl1] quit

2.     Configure an ITA policy for user B:

# Configure ITA policy ita_pl2.

[BRAS] ita policy ita_pl2

[BRAS-ita-policy-ita_pl2] accounting-method radius-scheme rs1

# Configure accounting levels.

[BRAS-ita-policy-ita_pl2] accounting-level 1 ipv4

[BRAS-ita-policy-ita_pl2] accounting-level 2 ipv4 car inbound cir 5000 outbound cir 5000

# Exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

[BRAS-ita-policy-ita_pl2] traffic-separate enable

[BRAS-ita-policy-ita_pl2] quit

3.     Configure an ITA policy for user C:

# Configure ITA policy ita_pl3.

[BRAS] ita policy ita_pl3

[BRAS-ita-policy-ita_pl3] accounting-method radius-scheme rs1

# Configure accounting levels.

[BRAS-ita-policy-ita_pl3] accounting-level 2 car inbound cir 5000 outbound cir 5000

# Exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

[BRAS-ita-policy-ita_pl3] traffic-separate enable

[BRAS-ita-policy-ita_pl3] quit

4.     Configure an ITA policy for user D:

# Configure ITA policy ita_pl4.

[BRAS] ita policy ita_pl4

[BRAS-ita-policy-ita_pl4] accounting-method radius-scheme rs1

# Configure accounting levels.

[BRAS-ita-policy-ita_pl4] accounting-level 1 ipv4 car inbound cir 10000 outbound cir 10000

[BRAS-ita-policy-ita_pl4] accounting-level 2 ipv4 car inbound cir 5000 outbound cir 5000

[BRAS-ita-policy-ita_pl4] quit
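How the pieces above fit together: ACL 3000 selects the user-to-server and user-to-user traffic, behavior be_usern remarks it with accounting level 2, and each ITA policy decides which levels it accounts and whether traffic-separate removes those bytes from the overall statistics sent to the accounting server. The following Python block is an added example, not from this document: it implements wildcard-mask ACL matching (a 0 bit in the wildcard must match, a 1 bit is ignored) and a small accounting model for the four ITA policies. Its one modelling assumption, labelled in the code, is that accounting-level 1 ipv4 receives the user's IPv4 traffic that ACL 3000 did not remark to level 2; the flows and addresses are constructed.

```python
"""Model of the ACL 3000 / account-level / ITA policy chain configured above.

Added example, not part of the H3C document.  It reproduces two things a
reader has to get right when adapting the configuration: wildcard-mask
matching as used by the ACL rules (a 0 bit in the mask must match, a 1 bit
is ignored), and what 'traffic-separate enable' changes in the statistics
sent to the accounting server.  Modelling assumption (not stated by the
document): 'accounting-level 1 ipv4' receives the user's IPv4 traffic that
ACL 3000 did not remark to level 2.  All flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr, base, wildcard):
    """H3C-style wildcard mask: bits set to 1 in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    action: str = "permit"


# ACL 3000 exactly as configured: users <-> servers and users <-> users.
ACL_3000 = (
    Rule(10, "2.1.0.0", "0.0.255.255", "4.4.4.0", "0.0.0.255"),
    Rule(20, "4.4.4.0", "0.0.0.255", "2.1.0.0", "0.0.255.255"),
    Rule(30, "2.1.0.0", "0.0.255.255", "2.1.0.0", "0.0.255.255"),
)


def acl_lookup(rules, src, dst):
    """First rule (in rule-number order) matching the packet, or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if wildcard_match(src, rule.src, rule.src_wc) and wildcard_match(dst, rule.dst, rule.dst_wc):
            return rule
    return None


# ITA policies above: (accounting levels defined, traffic-separate enabled).
ITA_POLICIES = {
    "ita_pl1": ({2}, False),
    "ita_pl2": ({1, 2}, True),
    "ita_pl3": ({2}, True),
    "ita_pl4": ({1, 2}, False),
}


@dataclass
class Counters:
    overall_bytes: int = 0                            # reported by the domain's accounting
    level_bytes: dict = field(default_factory=dict)   # reported by ITA, per level


def account(packets, levels, traffic_separate):
    """packets: iterable of (src, dst, length) for one user."""
    counters = Counters()
    for src, dst, length in packets:
        rule = acl_lookup(ACL_3000, src, dst)
        # be_usern remarks ACL 3000 matches with account-level 2; everything
        # else is level 1 *if* the policy defines level 1 (assumption above).
        level = 2 if rule is not None and rule.action == "permit" else 1
        if level in levels:
            counters.level_bytes[level] = counters.level_bytes.get(level, 0) + length
            if traffic_separate:
                continue            # ITA counts it; overall statistics do not
        counters.overall_bytes += length
    return counters


# Constructed flows for one user at 2.1.0.1: (src, dst, bytes).
SAMPLE_FLOWS = (
    ("2.1.0.1", "4.4.4.2", 1000),        # user -> server, rule 10
    ("203.0.113.5", "2.1.0.1", 5000),    # Internet -> user, no match
    ("2.1.0.1", "2.1.0.10", 300),        # user -> user, rule 30
    ("2.1.0.1", "203.0.113.5", 700),     # user -> Internet, no match
)


def report(policy, packets=SAMPLE_FLOWS):
    """Byte counts the accounting server would see for a user under a policy."""
    levels, separate = ITA_POLICIES[policy]
    c = account(packets, levels, separate)
    out = {"overall": c.overall_bytes}
    for lvl, n in sorted(c.level_bytes.items()):
        out["level%d" % lvl] = n
    return out


if __name__ == "__main__":
    for name in ITA_POLICIES:
        print(name, report(name))
```

Running report for ita_pl1 and ita_pl3 on the same flows shows the only difference traffic-separate makes: the level-2 bytes are counted twice (ITA and overall) without it, and only by ITA with it. Note also that rule 30 permits any user-to-user traffic inside 2.1.0.0/16, so it is both an accounting class and, in effect, a statement that hosts in the pool may talk to each other; if user isolation is wanted, that must be enforced elsewhere.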

Configuring an ISP domain

# Create ISP domain portal1_dm, and enter its view.

[BRAS] domain name portal1_dm

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-portal1_dm] authentication portal radius-scheme rs1

[BRAS-isp-portal1_dm] authorization portal radius-scheme rs1

[BRAS-isp-portal1_dm] accounting portal radius-scheme rs1

# Configure ISP domain portal1_dm to use ITA policy ita_pl1.

[BRAS-isp-portal1_dm] ita-policy ita_pl1

# Create ISP domain portal2_dm, and enter its view.

[BRAS] domain name portal2_dm

# Configure portal users to use RADIUS scheme rs1 for authentication and authorization in the ISP domain, and perform no domain-level accounting. Accounting for this domain is done only by ITA policy ita_pl2, whose accounting method is RADIUS scheme rs1.

[BRAS-isp-portal2_dm] authentication portal radius-scheme rs1

[BRAS-isp-portal2_dm] authorization portal radius-scheme rs1

[BRAS-isp-portal2_dm] accounting portal none

# Configure ISP domain portal2_dm to use ITA policy ita_pl2.

[BRAS-isp-portal2_dm] ita-policy ita_pl2

# Create ISP domain portal3_dm, and enter its view.

[BRAS] domain name portal3_dm

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-portal3_dm] authentication portal radius-scheme rs1

[BRAS-isp-portal3_dm] authorization portal radius-scheme rs1

[BRAS-isp-portal3_dm] accounting portal radius-scheme rs1

# Configure ISP domain portal3_dm to use ITA policy ita_pl3.

[BRAS-isp-portal3_dm] ita-policy ita_pl3

# Create ISP domain portal4_dm, and enter its view.

[BRAS] domain name portal4_dm

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[BRAS-isp-portal4_dm] authentication portal radius-scheme rs1

[BRAS-isp-portal4_dm] authorization portal radius-scheme rs1

[BRAS-isp-portal4_dm] accounting portal radius-scheme rs1

# Do not bind an ITA policy to ISP domain portal4_dm. User D obtains ITA policy ita_pl4 from the RADIUS server through the H3C-Ita-Policy attribute (RADIUS attribute ITA policy, deployed by control strategy con_pl3), and that policy is applied to the user after authorization.

Configuring portal authentication

# Configure the portal authentication server: name newpt, IP address 4.4.4.2, plaintext password 123456, and portal packet listening port number 50100.

[BRAS] portal server newpt

[BRAS-portal-server-newpt] ip 4.4.4.2 key simple 123456

[BRAS-portal-server-newpt] port 50100

[BRAS-portal-server-newpt] quit

# Configure the portal Web server URL as http://4.4.4.2/index_9.html. The URL must be the same as the portal redirection page URL in the device table after devices are added to the server.

[BRAS] portal web-server newpt

[BRAS-portal-websvr-newpt] url http://4.4.4.2/index_9.html

[BRAS-portal-websvr-newpt] quit

# Configure the HTTPS redirect listening port number.

[BRAS] http-redirect https-port 8888

# Enable direct IPv4 portal authentication on GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] portal enable method direct

# Specify portal Web server newpt on GigabitEthernet 3/1/1 for portal authentication.

[BRAS-GigabitEthernet3/1/1] portal apply web-server newpt

# Configure the BAS-IP attribute carried in the portal packets sent to the portal authentication server as 2.1.1.1 on GigabitEthernet 3/1/1.

[BRAS-GigabitEthernet3/1/1] portal bas-ip 2.1.1.1

[BRAS-GigabitEthernet3/1/1] quit

Verifying the configuration

# Before a user passes portal authentication, the user can access only the Web authentication page of the portal web server.

# After passing portal authentication, the users can access the Internet. For example, user A uses username user1@portal1_dm and password pass1 to log in successfully.

# View detailed information about user A.

[BRAS] display portal user ip 2.1.0.1 verbose

Basic:

  Current IP address: 2.1.0.1

  Original IP address: 2.1.0.1

  Username: user1@portal1_dm

  User ID: 0x10000024

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 001b-21c6-95c1

  Domain name: portal1_dm

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-25 15:44:09 UTC

  Online time: 3:4:10

  ITA policy name: ita_pl1

  DHCP IP pool: N/A

ACL&QoS&Multicast:

  Inbound CAR: CIR 10485760 bps PIR 10485760 bps CBS N/A (active)

  Outbound CAR: CIR 10485760 bps PIR 10485760 bps CBS N/A (active)

  Level-2 Inbound CAR: CIR 5120000 bps PIR 5120000 bps

          Outbound CAR: CIR 5120000 bps PIR 5120000 bps

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: N/A

Flow statistic:

  Uplink   packets/bytes: 1069/132646

  Downlink packets/bytes: 630/120000

  Level-2 uplink   packets/bytes: 500/64000

          downlink packets/bytes: 365/34200

ITA:

  level-2 uplink   packets/bytes: 4/32

          downlink packets/bytes: 2/12

The output shows that user A can access the Internet with non-ITA accounting and the AAA-authorized rate limit of 10 Mbps and access the internal network with non-ITA accounting and the fixed rate limit of 5 Mbps.

# View detailed information about user B.

[BRAS] display portal user ip 2.1.0.10 verbose

Basic:

  Current IP address: 2.1.0.10

  Original IP address: 2.1.0.10

  Username: user2@portal2_dm

  User ID: 0x10000023

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 002c-22c7-99d3

  Domain name: portal2_dm

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-25 14:53:33 UTC

  Online time: 3:4:10

  ITA policy name: ita_pl2

  DHCP IP pool: N/A

ACL&QoS&Multicast:

  Inbound CAR: CIR 10485760 bps PIR 10485760 bps CBS N/A (active)

  Outbound CAR: CIR 10485760 bps PIR 10485760 bps CBS N/A (active)

  Level-2 Inbound CAR: CIR 5120000 bps PIR 5120000 bps

          Outbound CAR: CIR 5120000 bps PIR 5120000 bps

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: N/A

Flow statistic:

  Uplink   packets/bytes: 3782/223924

  Downlink packets/bytes: 2629/154291

  Level-1 uplink   packets/bytes: 3074/211168

          downlink packets/bytes: 2060/143268

  Level-2 uplink   packets/bytes: 698/12756

          downlink packets/bytes: 569/11023

ITA:

  level-1 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  level-2 uplink   packets/bytes: 4/32

          downlink packets/bytes: 2/12

The output shows that user B can access the Internet with ITA accounting and the AAA-authorized rate limit of 10 Mbps and access the internal network with ITA accounting and the fixed rate limit of 5 Mbps.

# View detailed information about user C.

[BRAS] display portal user ip 2.1.0.20 verbose

Basic:

  Current IP address: 2.1.0.20

  Original IP address: 2.1.0.20

  Username: user3@portal3_dm

  User ID: 0x1000002b

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 005d-23e5-95f5

  Domain name: portal3_dm

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-25 17:15:47 UTC

  Online time: 3:4:10

  ITA policy name: ita_pl3

  DHCP IP pool: N/A

ACL&QoS&Multicast:

  Inbound CAR: CIR 10485760 bps PIR 10485760 bps CBS N/A (active)

  Outbound CAR: CIR 10485760 bps PIR 10485760 bps CBS N/A (active)

  Level-2 Inbound CAR: CIR 5120000 bps PIR 5120000 bps

          Outbound CAR: CIR 5120000 bps PIR 5120000 bps

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: N/A

Flow statistic:

  Uplink   packets/bytes: 15500/50142

  Downlink packets/bytes: 139/6763

  Level-2 uplink   packets/bytes: 1623/3450

          downlink packets/bytes: 65/153

ITA:

  level-2 uplink   packets/bytes: 4/32

          downlink packets/bytes: 2/12

The output shows that user C can access the Internet with non-ITA accounting and the AAA-authorized rate limit of 10 Mbps and access the internal network with non-ITA accounting and the fixed rate limit of 5 Mbps.

# View detailed information about user D. Because control strategy con_pl3 authorizes unlimited bandwidth, no AAA-authorized CAR is shown (Inbound/Outbound CAR: N/A); both rate limits come from ITA policy ita_pl4: level 1 (Internet) is fixed at 10 Mbps and level 2 (internal network) is fixed at 5 Mbps.

[BRAS] display portal user ip 2.1.0.30 verbose

Basic:

  Current IP address: 2.1.0.30

  Original IP address: 2.1.0.30

  Username: user4@portal4_dm

  User ID: 0x1000002e

  Session-ID: 678900123456790123456788901234534578901266789001234567890

  Access interface: GigabitEthernet3/1/1

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 008f-65f8-97d6

  Domain name: portal4_dm

  VPN instance: N/A

  Status: Online

  Portal server: newpt

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2016-03-25 17:48:30 UTC

  Online time: 3:4:10

  ITA policy name: ita_pl4

  DHCP IP pool: N/A

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  Level-1 Inbound CAR: CIR 10240000 bps PIR 10240000 bps

          Outbound CAR: CIR 10240000 bps PIR 10240000 bps

  Level-2 Inbound CAR: CIR 5120000 bps PIR 5120000 bps

          Outbound CAR: CIR 5120000 bps PIR 5120000 bps

  Inbound priority: N/A

  Outbound priority: N/A

  ACL number: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

  Multicast address list: N/A

  User group: N/A

Flow statistic:

  Uplink   packets/bytes: 1746/56780

  Downlink packets/bytes: 2218/39684

  Level-1 uplink   packets/bytes: 256/16780

          downlink packets/bytes: 250/26340

  Level-2 uplink   packets/bytes: 120/12300

          downlink packets/bytes: 210/15027

ITA:

  level-1 uplink   packets/bytes: 0/0

          downlink packets/bytes: 0/0

  level-2 uplink   packets/bytes: 4/32

          downlink packets/bytes: 2/12

The output shows that user D can access the Internet with ITA accounting and the fixed ITA level-1 rate limit of 10 Mbps, and access the internal network with ITA accounting and the fixed ITA level-2 rate limit of 5 Mbps. Unlike users A, B, and C, user D has no AAA-authorized CAR, because control strategy con_pl3 authorizes unlimited bandwidth.

Configuration files

#

 dhcp enable

#

traffic classifier cl_usern operator and

 if-match acl 3000

#

traffic behavior be_usern

 remark account-level 2

#

qos policy policy_share

 classifier cl_usern behavior be_usern

#

dhcp server ip-pool pool1

 gateway-list 2.1.1.1

 network 2.1.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

 forbidden-ip 2.1.1.1

#

interface GigabitEthernet3/1/1

 port link-mode route

 ip address 2.1.1.1 255.255.0.0

 qos apply policy policy_share inbound

 qos apply policy policy_share outbound

 portal enable method direct

 portal bas-ip 2.1.1.1

 portal apply web-server newpt

#

acl advanced 3000

 rule 10 permit ip source 2.1.0.0 0.0.255.255 destination 4.4.4.0 0.0.0.255

 rule 20 permit ip source 4.4.4.0 0.0.0.255 destination 2.1.0.0 0.0.255.255

 rule 30 permit ip source 2.1.0.0 0.0.255.255 destination 2.1.0.0 0.0.255.255

#

radius scheme rs1

 primary authentication 4.4.4.2

 primary accounting 4.4.4.2

 key authentication cipher $c$3$pu+zPzqQg+Eh9/KZTPXoXufp7EEMmCMpSw==

 key accounting cipher $c$3$CKtV37dXqv5zE+EJZbjz2c1xsrQaXYXTog==

 nas-ip 4.4.4.1

#

radius dynamic-author server

 client ip 4.4.4.2 key cipher $c$3$8HFjFX3mSr3v8uEXPro6G3ArmE0L6dGJFQ==

#

ita policy ita_pl1

 accounting-method radius-scheme rs1

 accounting-level 2 car inbound cir 5000 outbound cir 5000

#

ita policy ita_pl2

 accounting-method radius-scheme rs1

 accounting-level 1 ipv4

 accounting-level 2 ipv4 car inbound cir 5000 outbound cir 5000

 traffic-separate enable

#

ita policy ita_pl3

 accounting-method radius-scheme rs1

 accounting-level 2 car inbound cir 5000 outbound cir 5000

 traffic-separate enable

#

ita policy ita_pl4

 accounting-method radius-scheme rs1

 accounting-level 1 ipv4 car inbound cir 10000 outbound cir 10000

 accounting-level 2 ipv4 car inbound cir 5000 outbound cir 5000

#

domain name portal1_dm

 ita-policy ita_pl1

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name portal2_dm

 ita-policy ita_pl2

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

domain name portal3_dm

 ita-policy ita_pl3

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name portal4_dm

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

domain name system

#

portal web-server newpt

 url http://4.4.4.2/index_9.html

#

portal server newpt

 ip 4.4.4.2 key cipher $c$3$Xf8y+egjtWzvz6vWp3DHn79F2+i3vQOEZQ==

#

Example: Configuring IPv6 direct portal authentication

Network configuration

As shown in Figure 39, the user host is directly connected to Router (access device). Router is directly connected to the IPv4 portal authentication server, IPv6 portal Web server, and RADIUS server. Configure direct portal authentication to meet the following requirements:

·     The user obtains a public IPv6 address through DHCPv6 and uses it for authentication. Before passing portal authentication, the user can access only the IPv6 portal Web server. After passing portal authentication, the user can use the IPv6 address to access Internet resources without restriction.

·     Use the SRun software as the authentication-accounting server and portal server.

Figure 39 Network diagram

 

Requirements analysis

·     Configure the access device on the RADIUS server, and add usernames and passwords for users.

·     To use the SRun software as the portal server, set the portal protocol and portal password on the page for adding an access device.

·     To perform IPv6 portal authentication for the user host, configure the portal server and enable portal authentication on BRAS.

·     To use RADIUS to perform authentication, authorization, and accounting for portal users, configure a RADIUS scheme on BRAS, specify the authentication, authorization, and accounting servers for it, and apply it to the ISP domain to which the portal users belongs.

·     To let BRAS and the RADIUS server authenticate each other's packets, and to let BRAS detect RADIUS responses that were tampered with in transit, configure the same shared key (123456 in this example) on both BRAS and the RADIUS server.
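What the shared key actually provides, as an added example that is not part of this document: RFC 2865 defines the Response Authenticator of an Access-Accept, Access-Reject or Access-Challenge as MD5 over the response header, the Request Authenticator of the matching request, the attributes, and the shared secret. The Python below builds and verifies such a response with the key 123456 used in this example, then shows that a reply checked against the wrong key, or a genuine Access-Reject whose code an on-path attacker flips to Access-Accept, fails the check. The request authenticator and attribute bytes are constructed, and the function names are the example's own. Note what the check does not give you: RADIUS over UDP has no confidentiality, and the scheme rests on MD5 and on the secrecy and strength of the shared key, so use a long random key and protect the path (for example with IPsec or RadSec) rather than 123456 outside a lab.

```python
"""Verify a RADIUS response with the shared key, as the BRAS does.

Added example, not from the H3C document.  RFC 2865 section 3 defines the
Response Authenticator of Access-Accept/Reject/Challenge as
MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so a response
produced without the shared key, or altered after the fact, is rejected.
The shared key 123456 is the one used in this example; the request
authenticator and the attribute bytes are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH16s")      # code, identifier, length, authenticator


def new_request_authenticator():
    """16 unpredictable octets the NAS places in each Access-Request."""
    return os.urandom(16)


def response_authenticator(code, ident, attrs, request_auth, secret):
    length = HEADER.size + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What a server holding the shared key sends back."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs


def verify_response(packet, request_auth, secret):
    """True only for a well-formed response whose authenticator matches."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet) or not 20 <= length <= 4096:
        return False
    expected = response_authenticator(code, ident, packet[HEADER.size:], request_auth, secret)
    return hmac.compare_digest(auth, expected)     # constant-time comparison


SECRET = b"123456"                  # shared key from this example (lab use only)
REQUEST_AUTH = bytes(range(16))     # constructed; a real NAS uses new_request_authenticator()
REPLY_MSG = b"\x12\x04ok"           # Reply-Message (type 18), constructed

GENUINE_ACCEPT = build_response(ACCESS_ACCEPT, 7, REPLY_MSG, REQUEST_AUTH, SECRET)
GENUINE_REJECT = build_response(ACCESS_REJECT, 7, REPLY_MSG, REQUEST_AUTH, SECRET)


def demo():
    """Three checks the NAS performs; only the genuine packet passes."""
    forged = bytearray(GENUINE_REJECT)
    forged[0] = ACCESS_ACCEPT       # on-path attacker flips Reject to Accept
    return {
        "genuine": verify_response(GENUINE_ACCEPT, REQUEST_AUTH, SECRET),
        "wrong_key": verify_response(GENUINE_ACCEPT, REQUEST_AUTH, b"654321"),
        "forged_accept": verify_response(bytes(forged), REQUEST_AUTH, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the Request Authenticator being unpredictable and the NAS matching each reply to the outstanding request by identifier; a NAS that accepts a reply for an identifier it never sent, or that reuses authenticators, lets an attacker replay an old Access-Accept.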

Restrictions and guidelines

·     In the IPv6 portal scenario, if you use the SRun software as the authentication-accounting server, follow these restrictions and guidelines:

¡     When adding a device on the server, specify an IPv4 address rather than an IPv6 address.

¡     When selecting a portal protocol on the server, select H3C V3.0, which supports both IPv4 and IPv6.

·     To avoid service unavailability caused by port conflicts, make sure the HTTPS redirect listening port number (8888 in this example) is not a well-known port and is not already used by another TCP-based service on the device. To view the TCP ports in use, execute the display tcp command.

Procedures

Configuring the RADIUS server and portal server

IMPORTANT:

This section uses the SRun software of version 4.10 as an example to describe how to configure basic settings of the RADIUS server and portal server.

 

1.     Enter http://4.4.4.2:8081 in the address bar of a browser to log in to the server.

2.     Add access devices:

a.     Select Device from the navigation tree.

b.     Click the Add Device tab.

c.     On the tab, click Add.

d.     On the page that opens, perform the following tasks:

-     Set the device name to BRAS.

-     Set the NAS IP to 4.4.4.1.

-     Set the IP to 4.4.4.2.

-     Select Huawei, H3C, SRun Gateway from the NAS type list.

-     Set the DM port to 3799.

-     Set the RADIUS key to 123456.

-     Select No from the Whether to discard flow list.

-     Select H3C V3.0 from the portal protocol list. (H3C V3.0 is required for IPv6 portal authentication; see "Restrictions and guidelines.")

-     Set the portal key to 123456.

Figure 40 Adding an access device

 

3.     Set the RADIUS trust:

a.     Select Radius from the navigation tree.

b.     Click the Radius Trust Setting link to enter the Radius trust setting page.

c.     Click Generate in the upper right corner until the trust is successfully generated.

4.     Click the Radius Service Setting tab, and configure username verification to match the usernames the router sends. In this example the router removes the ISP domain name (user-name-format without-domain in RADIUS scheme rs1) and the account is User1, so select without domain from the Username verification list.

5.     Enter https://4.4.4.2:8080 in the address bar of a browser to log in to the server.

6.     Add users:

a.     Navigate to the Account > Add page.

b.     Click Add.

c.     Add user user1, set the account User1, and set the password to pass.

Configuring IPv4/IPv6 addresses and routes

As shown in Figure 39, configure IPv4/IPv6 addresses for interfaces, and make sure the BRAS and servers can reach each other at Layer 3. (Details not shown.)

Configuring the BRAS

Configuring DHCPv6

# Configure an IPv6 address for the interface on the DHCPv6 server, and enable the interface to advertise RA messages. Set the managed address configuration flag (M) to 1 so that hosts obtain IPv6 addresses from a DHCPv6 server, and set the other stateful configuration flag (O) to 1 so that hosts obtain configuration information other than IPv6 addresses (such as the DNS server address) from a DHCPv6 server.

<Router> system-view

[Router] interface gigabitethernet 3/1/2

[Router-GigabitEthernet3/1/2] ipv6 address 1::1/64

[Router-GigabitEthernet3/1/2] undo ipv6 nd ra halt

[Router-GigabitEthernet3/1/2] ipv6 nd autoconfig managed-address-flag

[Router-GigabitEthernet3/1/2] ipv6 nd autoconfig other-flag

[Router-GigabitEthernet3/1/2] quit

# Enable the DHCPv6 server on the interface.

[Router] interface gigabitethernet 3/1/2

[Router-GigabitEthernet3/1/2] ipv6 dhcp select server

[Router-GigabitEthernet3/1/2] quit

# Exclude the DNS server address from dynamic allocation.

[Router] ipv6 dhcp server forbidden-address 1::2

# Configure DHCPv6 address pool 1, specify IPv6 subnet 1::/64 for dynamic allocation, and specify other parameters for the address pool.

[Router] ipv6 dhcp pool 1

[Router-dhcp6-pool-1] network 1::/64 preferred-lifetime 172800 valid-lifetime 345600

[Router-dhcp6-pool-1] dns-server 1::2

[Router-dhcp6-pool-1] quit

Configuring a RADIUS scheme

# Create RADIUS scheme rs1, and enter its view.

<Router> system-view

[Router] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[Router-radius-rs1] primary authentication 4.4.4.2

[Router-radius-rs1] primary accounting 4.4.4.2

[Router-radius-rs1] key authentication simple 123456

[Router-radius-rs1] key accounting simple 123456

# Specify the device to remove the ISP domain name in the username sent to the RADIUS server.

[Router-radius-rs1] user-name-format without-domain

[Router-radius-rs1] quit

# Enable the RADIUS session-control feature.

[Router] radius session-control enable

Configuring an ISP domain

# Create ISP domain dm1, and enter its view.

[Router] domain name dm1

# Configure portal users to use RADIUS scheme rs1 for authentication, authorization, and accounting in the ISP domain.

[Router-isp-dm1] authentication portal radius-scheme rs1

[Router-isp-dm1] authorization portal radius-scheme rs1

[Router-isp-dm1] accounting portal radius-scheme rs1

[Router-isp-dm1] quit

# Configure ISP domain dm1 as the default ISP domain. A user who logs in with a username that carries no ISP domain name (User1 in this example) is assigned to the default ISP domain and uses its authentication, authorization, and accounting methods.

[Router] domain default enable dm1

Configuring portal authentication

# Configure the portal authentication server: name newpt, IP address 4.4.4.2, plaintext key 123456 (the portal key set on the SRun server), and portal packet listening port number 50100.

[Router] portal server newpt

[Router-portal-server-newpt] ip 4.4.4.2 key simple 123456

[Router-portal-server-newpt] port 50100

[Router-portal-server-newpt] quit

# Configure the portal Web server URL as http://2::2/index_9.html. The URL must be the same as the portal redirection page URL in the device table after devices are added to the server.

[Router] portal web-server newpt

[Router-portal-websvr-newpt] url http://2::2/index_9.html

[Router-portal-websvr-newpt] quit

# Configure the HTTPS redirect listening port number.

[Router] http-redirect https-port 8888

# Enable direct IPv6 portal authentication on GigabitEthernet 3/1/2.

[Router] interface gigabitethernet 3/1/2

[Router-GigabitEthernet3/1/2] portal ipv6 enable method direct

# Specify portal Web server newpt on GigabitEthernet 3/1/2 for portal authentication.

[Router-GigabitEthernet3/1/2] portal ipv6 apply web-server newpt

# Configure the BAS-IP attribute carried in the portal packets sent to the portal authentication server as 4.4.4.1 on GigabitEthernet 3/1/2.

[Router-GigabitEthernet3/1/2] portal bas-ip 4.4.4.1

[Router-GigabitEthernet3/1/2] quit

Verifying the configuration

# Display portal configuration and portal running state on GigabitEthernet 3/1/2.

[Router] display portal interface GigabitEthernet3/1/2

 Portal information of GigabitEthernet3/1/2

     NAS-ID profile: Not configured

     VSRP instance : Not configured

     VSRP state    : N/A

     Authorization : Strict checking

     ACL           : Disabled

     User profile  : Disabled

 IPv4:

     Portal status: Disabled

     Portal authentication method: Disabled

     Portal web server: Not configured

     Portal mac-trigger-server: Not configured

     Authentication domain: Not configured

     Pre-auth domain: Not configured

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max Portal users: Not configured

     Bas-ip: 4.4.4.1

     User detection:  Not configured

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address               Mask

 

     Destination authenticate subnet:

         IP address               Mask

 IPv6:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal web server: newpt

     Portal mac-trigger-server: Not configured

     Authentication domain: Not configured

     Pre-auth domain: Not configured

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max Portal users: Not configured

     Bas-ipv6: Not configured

     User detection: Not configured

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address                                        Prefix length

 

     Destination authenticate subnet:

         IP address                                        Prefix length

# Before passing portal authentication, the users can access only the Web authentication homepage of the IPv6 portal Web server.

# After the user enters username User1 and password pass and passes IPv6 portal authentication, the user is logged in and can access the Internet.

# Display information about portal users on the router after the user passes authentication.

[Router] display portal user interface GigabitEthernet3/1/2

Total portal users: 1

Username: User1

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  0015-e9a6-7cfe     1::3               --     GigabitEthernet3/1/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

#

ipv6 dhcp pool 1

 network 1::/64 preferred-lifetime 172800 valid-lifetime 345600

 dns-server 1::2

#

 ipv6 dhcp server forbidden-address 1::2

#

 radius session-control enable

#

 domain default enable dm1

#

qos policy policy_share

 classifier cl_usern behavior be_usern

#

dhcp server ip-pool pool1

 gateway-list 2.1.1.1

 network 2.1.0.0 mask 255.255.0.0

 dns-list 8.8.8.8

#

interface GigabitEthernet3/1/2

 ipv6 address 1::1/64

 undo ipv6 nd ra halt

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 ipv6 dhcp select server

 portal ipv6 enable method direct

 portal ipv6 apply web-server newpt

 portal bas-ip 4.4.4.1

#

radius scheme rs1

 primary authentication 4.4.4.2

 primary accounting 4.4.4.2

 key authentication simple 123456

 key accounting simple 123456

 user-name-format without-domain

#

domain name dm1

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

portal server newpt

 ip 4.4.4.2 key simple 123456

 port 50100

#

portal web-server newpt

 url http://2::2/index_9.html

#
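The procedure above and the consolidated configuration file depend on several cross-references being consistent: the interface that enables portal authentication must apply a portal Web server that is actually defined, the ISP domain must reference an existing RADIUS scheme, a BAS-IP must be set, and the portal server and RADIUS scheme carry shared keys. The following linter is an added example, not H3C code; it parses a Comware-style configuration of the kind shown in the configuration file and reports dangling references and weak or plaintext (`simple`) keys. The sample configuration is constructed from the page's configuration file, and `MIN_KEY_LEN` is an assumed local policy threshold that the guide does not specify.

```python
import re

# Constructed sample: the "Configuration files" section above, trimmed to the
# portal/RADIUS parts this linter inspects.
SAMPLE_CONFIG = """\
#
 radius session-control enable
#
 domain default enable dm1
#
interface GigabitEthernet3/1/2
 ipv6 address 1::1/64
 portal ipv6 enable method direct
 portal ipv6 apply web-server newpt
 portal bas-ip 4.4.4.1
#
radius scheme rs1
 primary authentication 4.4.4.2
 primary accounting 4.4.4.2
 key authentication simple 123456
 key accounting simple 123456
 user-name-format without-domain
#
domain name dm1
 authentication portal radius-scheme rs1
 authorization portal radius-scheme rs1
 accounting portal radius-scheme rs1
#
portal server newpt
 ip 4.4.4.2 key simple 123456
 port 50100
#
portal web-server newpt
 url http://2::2/index_9.html
#
"""

MIN_KEY_LEN = 16  # assumed local policy threshold; the guide sets no minimum

# Matches "key authentication simple <k>" and "ip <addr> key simple <k>" forms.
KEY_RE = re.compile(r"^(.*\bkey\b.*?)\s(simple|cipher)\s(\S+)$")


def parse_blocks(text):
    """Split a Comware-style config into (view header, [commands]) tuples.

    A line of '#' closes the current view; an indented line belongs to the
    view opened by the preceding unindented line. An indented line that
    directly follows '#' (a system-view command) opens a block of its own.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(stripped)
        else:
            current = (stripped, [])
            blocks.append(current)
    return blocks


def check_key(findings, where, cmd):
    """Flag shared keys stored in plaintext form and keys that are short or numeric.

    The key value itself is never copied into a finding.
    """
    m = KEY_RE.match(cmd)
    if not m:
        return
    label, form, key = m.groups()
    if form == "simple":
        findings.append(f"{where} / {label}: key stored in plaintext (simple) form")
        if len(key) < MIN_KEY_LEN or key.isdigit():
            findings.append(f"{where} / {label}: weak shared key (length {len(key)})")


def lint_config(text):
    """Return a list of findings; an empty list means nothing was detected."""
    blocks = parse_blocks(text)
    web_servers = {h.split()[-1] for h, _ in blocks if h.startswith("portal web-server ")}
    schemes = {h.split()[-1] for h, _ in blocks if h.startswith("radius scheme ")}
    findings = []
    for header, body in blocks:
        if header.startswith("interface "):
            for fam in ("", "ipv6 "):  # IPv4 and IPv6 portal are enabled separately
                if not any(c.startswith(f"portal {fam}enable") for c in body):
                    continue
                applied = [c.split()[-1] for c in body
                           if c.startswith(f"portal {fam}apply web-server ")]
                if not applied:
                    findings.append(f"{header}: portal {fam}enabled but no web-server applied")
                for name in applied:
                    if name not in web_servers:
                        findings.append(f"{header}: web-server '{name}' is not defined")
            portal_on = any(c.startswith("portal ") and " enable" in c for c in body)
            if portal_on and not any(c.startswith("portal bas-ip") for c in body):
                findings.append(f"{header}: no portal bas-ip/bas-ipv6 configured")
        elif header.startswith("domain name "):
            for c in body:
                m = re.search(r"radius-scheme (\S+)", c)
                if m and m.group(1) not in schemes:
                    findings.append(f"{header}: radius scheme '{m.group(1)}' is not defined")
        elif header.startswith(("radius scheme ", "portal server ")):
            for c in body:
                check_key(findings, header, c)
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter finds no dangling references but reports each of the three `simple 123456` keys twice (plaintext form and weak value); replacing them with `cipher` keys generated from a long random secret clears those findings. Deleting the `portal web-server newpt` view produces a "web-server 'newpt' is not defined" finding for the interface.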

Related documentation

·     H3C CR16000-F Router Series BRAS Services Configuration Guide -R7951P01

·     H3C CR16000-F Router Series BRAS Services Command Reference -R7951P01
