Point-to-Point Protocol (PPP) is a point-to-point link layer protocol. It provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.

PPP includes the following protocols:

· Link control protocol (LCP)—Establishes, tears down, and monitors data links.

· Network control protocol (NCP)—Negotiates the packet format and type for data links.

· Authentication protocols—Authenticate users. Protocols include the following:

? Password Authentication Protocol (PAP).

? Challenge Handshake Authentication Protocol (CHAP).

? Microsoft CHAP (MS-CHAP).

? Microsoft CHAP Version 2 (MS-CHAP-V2).

PPP link establishment process

Figure 1 shows the PPP link establishment process.

Figure 1 PPP link establishment process

1. Initially, PPP is in Link Dead phase. After the physical layer goes up, PPP enters the Link Establishment phase (Establish).

2. In the Link Establishment phase, the LCP negotiation is performed. The LCP configuration options include Authentication-Protocol, Async-Control-Character-Map (ACCM), Maximum-Receive-Unit (MRU), Magic-Number, Protocol-Field-Compression (PFC), Address-and-Control-Field-Compression (ACFC), and MP.

? If the negotiation fails, LCP reports a Fail event, and PPP returns to the Dead phase.

? If the negotiation succeeds, LCP enters the Opened state and reports an Up event, indicating that the underlying layer link has been established. At this time, the PPP link is not established for the network layer, and network layer packets cannot be transmitted over the link.

3. If authentication is configured, the PPP link enters the Authentication phase, where PAP, CHAP, MS-CHAP, or MS-CHAP-V2 authentication is performed.

? If the client fails to pass the authentication, LCP reports a Fail event and enters the Link Termination phase. In this phase, the link is torn down and LCP goes down.

? If the client passes the authentication, LCP reports a Success event.

4. If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for NCP negotiation, such as IPCP negotiation and IPv6CP negotiation.

? If the NCP negotiation succeeds, the link goes up and becomes ready to carry negotiated network-layer protocol packets.

? If the NCP negotiation fails, NCP reports a Down event and enters the Link Termination phase.

If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP configuration options include IP addresses and DNS server IP addresses. After the IPCP negotiation succeeds, the link can carry IP packets.

5. After the NCP negotiation is performed, the PPP link remains active until either of the following events occurs:

? Explicit LCP or NCP frames close the link.

? Some external events take place (for example, the intervention of a user).

For more information about PPP, see RFC 1661.

PPP authentication

PPP supports the following authentication methods:

· PAP—PAP is a two-way handshake authentication protocol using the username and password.

PAP sends username/password pairs in plain text over the network. If authentication packets are intercepted in transit, network security might be threatened. For this reason, it is suitable only for low-security environments.

· CHAP—CHAP is a three-way handshake authentication protocol.

CHAP transmits usernames but not passwords over the network. It transmits the result calculated from the password and random packet ID by using the MD5 algorithm. It is more secure than PAP. The authenticator may or may not be configured with a username. H3C recommends that you configure a username for the authenticator, which makes it easier for the peer to verify the identity of the authenticator.

· MS-CHAP—MS-CHAP is a three-way handshake authentication protocol.

MS-CHAP differs from CHAP as follows:

? MS-CHAP uses CHAP Algorithm 0x80.

? MS-CHAP provides authentication retry. If the peer fails authentication, it is allowed to retransmit authentication information to the authenticator for reauthentication. The authenticator allows a peer to retransmit a maximum of three times.

· MS-CHAP-V2—MS-CHAP-V2 is a three-way handshake authentication protocol.

MS-CHAP-V2 differs from CHAP as follows:

? MS-CHAP-V2 uses CHAP Algorithm 0x81.

? MS-CHAP-V2 provides two-way authentication by piggybacking a peer challenge on the Response packet and an authenticator response on the Acknowledge packet.

? MS-CHAP-V2 supports authentication retry. If the peer fails authentication, it is allowed to retransmit authentication information to the authenticator for reauthentication. The authenticator allows a peer to retransmit a maximum of three times.

? MS-CHAP-V2 supports password change. If the peer fails authentication because of an expired password, it will send the new password entered by the user to the authenticator for reauthentication.

PPP for IPv4

On IPv4 networks, PPP negotiates the IP address and DNS server address during IPCP negotiation.

IP address negotiation

IP address negotiation enables one end to assign an IP address to the other.

An interface can act as a client or a server during IP address negotiation:

· Client—Obtains an IP address from the server. Use the client mode when the device accesses the Internet through an ISP.

· Server—Assigns an IP address to the client. Before you configure the IP address of the server, you must perform one of the following tasks:

? Configure a local address pool and associate the pool with the ISP domain.

? Specify an IP address or an address pool for the client on the interface.

When IP address negotiation is enabled on a client, the server selects an IP address for the client in the following sequence:

1. If the AAA server configures an IP address or address pool for the client, the server selects that IP address or an IP address from the pool. The IP address or address pool is configured on the AAA server instead of the PPP server. For information about AAA, see Security Configuration Guide.

2. If an address pool is associated with the ISP domain used during client authentication, the server selects an IP address from the pool.

3. If an IP address or address pool is specified for the client on the interface of the server, the server selects that IP address or an IP address from that pool.

DNS server address negotiation

IPCP negotiation can determine the DNS server IP address.

When the device is connected to a host, configure the device as the server to assign the DNS server IP address to the host.

When the device is connected to an ISP access server, configure the device as the client. Then, the device can obtain the DNS server IP address from the ISP access server.

PPP for IPv6

On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and IPv6 DNS server address during IPv6CP negotiation.

IPv6 address assignment

PPP cannot negotiate the IPv6 address.

The client can get an IPv6 global unicast address through the following methods:

· Method 1—The client obtains an IPv6 prefix in an RA message. The client then generates an IPv6 global unicast address by combining the IPv6 prefix and the negotiated IPv6 interface identifier. The IPv6 prefix in the RA message is determined in the following sequence:

? IPv6 prefix authorized by AAA.

? RA prefix configured on the interface.

? Prefix of the IPv6 global unicast address configured on the interface.

For information about the ND protocol, see Layer 3—IP Services Configuration Guide.

· Method 2—The client requests an IPv6 global unicast address through DHCPv6. The server assigns an IPv6 address to the client from the address pool authorized by AAA. If no AAA-authorized address pool exists, DHCPv6 uses the address pool that matches the server's IPv6 address to assign an IPv6 address to the client.

· Method 3—The client requests prefixes through DHCPv6 and assigns them to downstream hosts. The hosts then uses the prefixes to generate global IPv6 addresses. This method uses the same principle of selecting address pools as method 2.

The device can assign a host an IPv6 address in either of the following ways:

· When the host connects to the device directly or through a bridge device, the device can use method 1 or method 2.

· When the host accesses the device through a router, the device can use method 3 to assign an IPv6 prefix to the router. The router assigns the prefix to the host to generate an IPv6 global unicast address.

IPv6 DNS server address assignment

On IPv6 networks, two methods are available for the IPv6 DNS address assignment:

· AAA authorizes the IPv6 DNS address and assigns this address to the host through RA messages.

· The DHCPv6 client requests an IPv6 DNS address from the DHCPv6 server.

Feature and hardware compatibility

Hardware series	Model	PPP compatibility
WX1800H series	WX1804H WX1810H WX1820H	Yes
WX2500H series	WX2510H WX2540H WX2560H	Yes
WX3000H series	WX3010H WX3010H-F WX3010H-X WX3024H	Yes
WX3000H series	WX3010H-L WX3024H-L	No
WX3500H series	WX3508H WX3510H WX3520H WX3540H	Yes
WX5500E series	WX5510E WX5540E	Yes
WX5500H series	WX5540H WX5560H WX5580H	Yes
Access controller modules	EWPXM1MAC0F EWPXM1WCME0 EWPXM2WCMD0F LSQM1WCMX20 LSQM1WCMX40 LSUM1WCME0 LSUM1WCMX20RT LSUM1WCMX40RT	Yes

PPP configuration task list

Tasks at a glance
(Optional.) Configuring PPP authentication
(Optional.) Configuring the polling feature
(Optional.) Configuring PPP negotiation
(Optional.) Enabling IP header compression
(Optional.) Enabling PPP accounting
(Optional.) Configuring the nas-port-type attribute

Configuring PPP authentication

You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the peer in the sequence of configured authentication modes until the LCP negotiation succeeds. If the response packet from the peer carries a recommended authentication mode, the authenticator directly uses the authentication mode if it finds the mode configured.

Configuring PAP authentication

To configure the authenticator:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
1. Enter interface view.	interface interface-type interface-number	N/A
2. Configure the authenticator to authenticate the peer by using PAP.	ppp authentication-mode pap [ [ call-in ] domain isp-name ]	By default, PPP authentication is disabled.
3. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username and password configured for the peer must be the same as those configured on the peer. By default, ciphertext and plaintext passwords are displayed in cipher text.

To configure the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the PAP username and password sent from the peer to the authenticator when the peer is authenticated by the authenticator by using PAP.	ppp pap local-user username password { cipher \| simple } password	By default, when being authenticated by the authenticator by using PAP, the peer sends null username and password to the authenticator.

Configuring CHAP authentication

Depending on whether the authenticator is configured with a username, the configuration of CHAP authentication includes the following types:

· Configuring CHAP authentication when the authenticator name is configured

To configure the authenticator:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using CHAP.	ppp authentication-mode chap [ [ call-in ] domain isp-name ]	By default, PPP authentication is disabled.
4. Configure a username for the CHAP authenticator.	ppp chap user username	The default setting is null. The username you configure for the authenticator must be the same as the local username you configure for the authenticator on the peer.
5. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username configured for the peer must be the same as that configured on the peer. The passwords configured for the authenticator and peer must be the same.

To configure the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure a username for the CHAP peer.	ppp chap user username	The default setting is null. The username you configure for the peer here must be the same as the local username you configure for the peer on the authenticator.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the authenticator must be configured on the peer. For remote AAA authentication, the username and password of the authenticator must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username configured for the authenticator must be the same as that configured on the authenticator. The passwords configured for the authenticator and peer must be the same.

· Configuring CHAP authentication when no authenticator name is configured

To configure the authenticator:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using CHAP.	ppp authentication-mode chap [ [ call-in ] domain isp-name ]	By default, PPP authentication is disabled.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username configured for the peer must be the same as that configured on the peer. The passwords configured for the authenticator and peer must be the same.

To configure the peer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure a username for the CHAP peer.	ppp chap user username	The default setting is null. The username you configure on the peer must be the same as the local username you configure for the peer on the authenticator.
4. Set the CHAP authentication password.	ppp chap password { cipher \| simple } password	The default setting is null. The password you set on the peer must be the same as the password you set for the peer on the authenticator. By default, ciphertext and plaintext passwords are displayed in cipher text.

Configuring MS-CHAP or MS-CHAP-V2 authentication

When you configure MS-CHAP or MS-CHAP-V2 authentication, follow these guidelines:

· The device can only act as an authenticator for MS-CHAP or MS-CHAP-V2 authentication.

· L2TP supports only MS-CHAP authentication.

· MS-CHAP-V2 authentication supports password change only when using RADIUS.

To configure MS-CHAP or MS-CHAP-V2 authentication when the authenticator name is configured:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.	ppp authentication-mode { ms-chap \| ms-chap-v2 } [ [ call-in ] domain isp-name ]	By default, PPP authentication is disabled.
4. Configure a username for the MS-CHAP or MS-CHAP-V2 authenticator.	ppp chap user username	The username for the authenticator must be the same on the local and peer devices.
5. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.

To configure MS-CHAP or MS-CHAP-V2 authentication when no authenticator name is configured:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.	ppp authentication-mode { ms-chap \| ms-chap-v2 } [ [ call-in ] domain isp-name ]	By default, PPP authentication is disabled.
4. Configure local or remote AAA authentication.	For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide.	The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.

Configuring the polling feature

The polling feature checks PPP link state.

On an interface that uses PPP encapsulation, the link layer sends keepalives at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalives when the keepalive retry limit is reached, it tears down the link and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalives are delayed because a large packet is being transmitted on the link.

To disable sending of keepalives, set the keepalive interval to 0.

To configure the polling feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set the keepalive interval.	timer-hold seconds	The default setting is 10 seconds.
4. Set the keepalive retry limit.	timer-hold retry retry	The default setting is 5.

Configuring PPP negotiation

PPP negotiation includes the following parameters:

· Negotiation timeout time.

· IP address negotiation.

· IP segment match.

· DNS server IP address negotiation.

Configuring the PPP negotiation timeout time

The device starts the PPP negotiation timeout timer after sending a packet. If no response is received before the timer expires, the device sends the packet again.

If two ends of a PPP link vary greatly in the LCP negotiation packet processing rate, configure the delay timer on the end with a higher processing rate. The LCP negotiation delay timer prevents frequent LCP negotiation packet retransmissions. After the physical layer comes up, PPP starts LCP negotiation when the delay timer expires. If PPP receives LCP negotiation packets before the delay timer expires, it starts LCP negotiation immediately.

To configure the PPP negotiation timeout time:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the negotiation timeout time.	ppp timer negotiate seconds	The default setting is 3 seconds.
4. (Optional.) Configure the LCP negotiation delay timer.	ppp lcp delay milliseconds	By default, PPP starts LCP negotiation after the physical layer is up.

Configuring IP address negotiation

To configure the device as the client:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable IP address negotiation.	ip address ppp-negotiate	By default, IP address negotiation is not enabled. This command is mutually exclusive with the ip address command. For more information about the ip address command, see Layer 3—IP Services Command Reference.

Configure the server to assign an IP address to a client by using the following methods:

· Method 1: Specify an IP address for the client on the server interface.

· Method 2: Specify a PPP or DHCP address pool on the server interface.

· Method 3: Associate a PPP or DHCP address pool with an ISP domain.

For clients requiring no authentication, you can use either method 1 or method 2, but not both.

For clients requiring authentication, you can use one or more of the three methods, but cannot use method 1 and method 2 at the same time. When multiple methods are configured, method 3 takes precedence over method 1 or method 2.

PPP supports IP address assignment from a PPP or DHCP address pool. If you use a pool name that identifies both a PPP address pool and a DHCP address pool, the system uses the PPP address pool.

To configure the device as the server (Method 1):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the interface to assign an IP address to the peer.	remote address ip-address	By default, an interface does not assign an IP address to the peer.
4. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface.

To configure the device as the server (Method 2: Specify a PPP address pool):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a PPP address pool.	ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]	By default, no PPP address pool is configured.
3. (Optional.) Configure a gateway address for the PPP address pool.	ip pool pool-name gateway ip-address	By default, the PPP address pool is not configured with a gateway address.
4. (Optional.) Configure a PPP address pool route.	ppp ip-pool route ip-address { mask-length \| mask }	By default, no PPP address pool route exists. The destination network of the PPP address pool route must include the PPP address pool.
5. Enter interface view.	interface interface-type interface-number	N/A
6. Configure the interface to assign an IP address from the configured PPP address pool to the peer.	remote address pool pool-name	By default, an interface does not assign an IP address to the peer.
7. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface. This command is optional when the PPP address pool has been configured with a gateway address.

To configure the device as the server (Method 2: Specify a DHCP address pool):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the interface to assign an IP address from the configured DHCP address pool to the peer.	remote address pool pool-name	By default, an interface does not assign an IP address to the peer.
4. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface.
5. (Optional.) Use the PPP usernames as the DHCP client IDs.	remote address dhcp client-identifier username	By default, the PPP usernames are not used as the DHCP client IDs.

To configure the device as the server (Method 3: Associate a PPP address pool with an ISP domain):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a PPP address pool.	ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]	By default, no PPP address pool is configured.
3. (Optional.) Configure a gateway address for the PPP address pool.	ip pool pool-name gateway ip-address	By default, the PPP address pool is not configured with a gateway address.
4. (Optional.) Configure a PPP address pool route.	ppp ip-pool route ip-address { mask-length \| mask }	By default, no PPP address pool route exists. The destination network of the PPP address pool route must include the PPP address pool.
5. Enter ISP domain view.	domain isp-name	N/A
6. Associate the ISP domain with the configured PPP address pool for address assignment.	authorization-attribute ip-pool pool-name	By default, no PPP address pool is associated. For more information about this command, see Security Command Reference.
7. Return to system view.	quit	N/A
8. Enter interface view.	interface interface-type interface-number	N/A
9. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface. This command is optional when the PPP address pool is configured with a gateway address.

To configure the device as the server (Method 3: Associate a DHCP address pool with an ISP domain):

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Associate the ISP domain with the configured DHCP address pool for address assignment.	authorization-attribute ip-pool pool-name	By default, no DHCP address pool is associated. For more information about this command, see Security Command Reference.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Configure an IP address for the interface.	ip address ip-address	By default, no IP address is configured on an interface.
6. (Optional.) Use the PPP usernames as the DHCP client IDs.	remote address dhcp client-identifier username	By default, the PPP usernames are not used as the DHCP client IDs.

Enabling IP segment match

This feature enables the local interface to check whether its IP address and the IP address of the remote interface are in the same network segment. If they are not, IPCP negotiation fails.

To enable IP segment match:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable IP segment match.	ppp ipcp remote-address match	By default, this feature is disabled.

Configuring DNS server IP address negotiation

Configure DNS server settings depending on the role of your device in PPP negotiation.

· Configuring the local end as the client

During PPP negotiation, the server will assign a DNS server IP address only for a client configured with the ppp ipcp dns request command. For some special devices to forcibly assign DNS server IP addresses to clients that do not initiate requests, configure the ppp ipcp dns admit-any command on these devices.

To configure the local end as the client:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable the device to request the peer for a DNS server IP address.	ppp ipcp dns request	By default, a client does not request its peer for a DNS server IP address.
4. Configure the device to accept the DNS server IP addresses assigned by the peer even though it does not request the peer for the DNS server IP addresses.	ppp ipcp dns admit-any	By default, a device does not accept the DNS server IP addresses assigned by the peer if it does not request the peer for the DNS server IP addresses. This command is not necessary if the ppp ipcp dns request command is configured.

· Configuring the local end as the server

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Specify the primary and secondary DNS server IP addresses to be allocated to the peer in PPP negotiation.	ppp ipcp dns primary-dns-address [ secondary-dns-address ]	By default, a device does not allocate DNS server IP addresses to its peer if the peer does not request them.

Enabling IP header compression

IP header compression (IPHC) compresses packet headers to speed up packet transmission. IPHC is often used for voice communications over low-speed links.

IPHC provides the following compression features:

· RTP header compression—Compresses the IP header, UDP header, and RTP header of an RTP packet, which have a total length of 40 bytes.

· TCP header compression—Compresses the IP header and TCP header of a TCP packet, which have a total length of 40 bytes.

To use IPHC, you must enable it on both sides of a PPP link.

Enabling or disabling IPHC on a VT or dialer interface does not immediately take effect. You must execute the shutdown and undo shutdown commands on the interface or the bound physical interface to apply the new setting.

After you enable IPHC, you can configure the maximum number of connections for RTP or TCP header compression. The configuration takes effect after you execute the shutdown and undo shutdown command on the interface. The configuration is removed after IPHC is disabled.

To configure IPHC:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable IP header compression.	ppp compression iphc enable [ nonstandard ]	By default, IP header compression is disabled. The nonstandard option must be specified when the device communicates with a non-H3C device.
4. Set the maximum number of connections for which an interface can perform RTP header compression.	ppp compression iphc rtp-connections number	The default setting is 16.
5. Set the maximum number of connections for which an interface can perform TCP header compression.	ppp compression iphc tcp-connections number	The default setting is 16.

Enabling PPP accounting

PPP accounting collects PPP statistics, including the numbers of received and sent PPP packets and bytes. AAA can use the PPP statistics for accounting. For more information about AAA, see Security Configuration Guide.

To enable PPP accounting:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable PPP accounting.	ppp account-statistics enable [ acl { acl-number \| name acl-name } ]	By default, PPP accounting is disabled.

Configuring the nas-port-type attribute

The nas-port-type attribute is used for RADIUS authentication and accounting. For information about the nas-port-type attribute, see RFC 2865.

To configure the nas-port-type attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VT interface view.	interface virtual-template number	N/A
3. Configure the nas-port-type attribute.	nas-port-type { 802.11 \| adsl-cap \| adsl-dmt \| async \| cable \| ethernet \| g.3-fax \| hdlc \| idsl \| isdn-async-v110 \| isdn-async-v120 \| isdn-sync \| piafs \| sdsl \| sync \| virtual \| wireless-other \| x.25 \| x.75 \| xdsl }	By default, the nas-port-type attribute is determined by the service type and link type of the PPP user (see Table 1).

Table 1 Default nas-port-type attribute

Service type	Link type	Nas-port-type attribute
PPPoE	Layer 3 virtual Ethernet interface	xdsl
PPPoE	Other interfaces	ethernet
PPPoA	Any	xdsl
L2TP	Any	virtual

Displaying and maintaining PPP

Execute display commands in any view and reset commands in user view.

Task	Command
Display information about PPP access users.	display ppp access-user { interface interface-type interface-number [ count ] \| ip-address ip-address \| ipv6-address ipv6-address \| username user-name \| user-type { lac \| lns \| pppoa \| pppoe } [ count ] }
Display PPP address pools.	display ip pool [ pool-name ] [ group group-name ]
Display IPHC statistics.	display ppp compression iphc { rtp \| tcp } [ interface interface-type interface-number ]
Display information about VT interfaces.	display interface [ virtual-template [ interface-number ] ] [ brief [ description \| down ] ]
Display information about VA interfaces on a VT interface.	display interface [ virtual-access [ interface-number ] ] [ brief [ description \| down ] ]
Clear IPHC statistics.	reset ppp compression iphc [ rtp \| tcp ] [ interface interface-type interface-number ]
Log off a PPP user.	reset ppp access-user { ip-address ip-address \| ipv6-address ipv6-address \| username user-name }
Clear the statistics for VA interfaces.	reset counters interface [ virtual-access [ interface-number ] ]

Configuring PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames encapsulated in Ethernet over point-to-point links.

PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint relationship as in multi-access environments such as Ethernet. PPPoE provides Internet access for the hosts in an Ethernet through a remote access device and implement access control, authentication, and accounting on a per-host basis. Integrating the low cost of Ethernet and scalability and management functions of PPP, PPPoE gained popularity in various application environments, such as residential access networks.

For more information about PPPoE, see RFC 2516.

PPPoE network structure

PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE server. After session negotiation between them is complete, a session is established between them, and the PPPoE server provides access control, authentication, and accounting to the PPPoE client.

Depending on the starting point of the PPPoE session, the following network structures are available:

· As shown in Figure 2, the PPPoE session is established between routers (Router A and Router B). All hosts share one PPPoE session for data transmission without being installed with PPPoE client software. This network structure is typically used by enterprises.

Figure 2 Network structure 1

· As shown in Figure 3, a PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client software.

Figure 3 Network structure 2

Configuring the PPPoE server

The following matrix shows the feature and hardware compatibility:

Hardware series	Model	PPPoE server compatibility
WX1800H series	WX1804H WX1810H WX1820H	Yes
WX2500H series	WX2510H WX2540H WX2560H	Yes
WX3000H series	WX3010H WX3010H-F WX3010H-X WX3024H	Yes
WX3000H series	WX3010H-L WX3024H-L	No
WX3500H series	WX3508H WX3510H WX3520H WX3540H	Yes
WX5500E series	WX5510E WX5540E	Yes
WX5500H series	WX5540H WX5560H WX5580H	Yes
Access controller modules	EWPXM1MAC0F EWPXM1WCME0 EWPXM2WCMD0F LSQM1WCMX20 LSQM1WCMX40 LSUM1WCME0 LSUM1WCMX20RT LSUM1WCMX40RT	Yes

Configuring a PPPoE session

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VT interface and enter VT interface view.	interface virtual-template number	N/A
3. Set PPP parameters.	See "Configuring PPP."	If authentication is needed, use the PPPoE server as the authenticator.
4. Enable MRU verification.	ppp lcp echo mru verify [ minimum value ]	By default, MRU verification is disabled.
5. Return to system view.	quit	N/A
6. Enter VLAN interface view.	interface interface-type interface-number	N/A
7. Enable the PPPoE server on the interface and bind this interface to the specified VT interface.	pppoe-server bind virtual-template number	By default, the PPPoE server is disabled on the interface.
8. (Optional.) Configure an access controller (AC) name for the PPPoE server.	pppoe-server tag ac-name name	By default, the AC name for the PPPoE server is the device name. PPPoE clients can choose a PPPoE server according to the AC name. The PPPoE client on H3C devices do not support this feature.
9. (Optional.) Enable the PPPoE server to support the ppp-max-payload tag and specify a range for the PPP maximum payload.	pppoe-server tag ppp-max-payload [ minimum minvalue maximum maxvalue ]	By default, The PPPoE server does not support the ppp-max-payload tag.
10. (Optional.) Set a service name for the PPPoE server	pppoe-server tag service-name name	By default, the PPPoE server does not have a service name.
11. (Optional) Set the response delay time for user access.	pppoe-server access-delay delay-time	By default, no response delay time is set.
12. Return to system view.	quit	N/A
13. Configure the PPPoE server to perform authentication, authorization, and accounting for PPP users.	See Security Configuration Guide.	N/A

Setting the maximum number of PPPoE sessions

PPPoE can establish a session when none of the following maximum numbers are reached:

· The maximum number of PPPoE sessions for a user on an interface.

· The maximum number of PPPoE sessions for a VLAN on an interface.

· The maximum number of PPPoE sessions on an interface.

· The maximum number of PPPoE sessions on an IRF member device.

New maximum number settings apply only to subsequently established PPPoE sessions.

The total maximum number of PPPoE sessions set for all IRF member devices cannot be set greater than the maximum number of PPPoE sessions supported by the device.

To configure the maximum number of PPPoE sessions:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN interface view.	interface interface-type interface-number	The PPPoE server is enabled on the interface.
3. Set the maximum number of PPPoE sessions on the interface.	pppoe-server session-limit number	By default, the number of PPPoE sessions on an interface is not limited.
4. Set the maximum number of PPPoE sessions for a VLAN on an interface.	pppoe-server session-limit per-vlan number	By default, the number of PPPoE sessions for a VLAN on an interface is not limited.
5. Set the maximum number of PPPoE sessions for a user on the interface.	pppoe-server session-limit per-mac number	By default, a user is allowed to create a maximum of 100 PPPoE sessions.
6. Return to system view.	quit	N/A
7. Set the maximum number of PPPoE sessions on the IRF member device.	pppoe-server session-limit slot slot-number total number	By default, the number of PPPoE sessions on an IRF member device is not limited.

Limiting the PPPoE access rate

The device can limit the rate at which a user (identified by an MAC address) can create PPPoE sessions on an interface. If the number of PPPoE requests within the monitoring time exceeds the configured threshold, the device discards the excessive requests, and outputs log messages. If the blocking time is set to 0, the device does not block any requests, and it only outputs log messages.

The device uses a monitoring table and a blocking table to control PPP access rates:

· Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users. The aging time of monitoring entries is determined by the session-request-period argument. When the timer expires, the system starts a new round of monitoring for the user.

· Blocking table—Stores a maximum of 8000 blocking entries. The system creates a blocking entry if the access rate of a user reaches the threshold, and blocks requests from that user. When the blocking entries reach the maximum number, the system stops blocking session requests from new users and it only outputs log messages. The aging time of the blocking entries is determined by the blocking-period argument. When the timer expires, the system starts a new round of monitoring for the user.

If the access rate setting is changed, the system removes all monitoring and blocking entries, and uses the new settings to limit PPPoE access rates.

To limit the PPPoE access rate:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN interface view.	interface interface-type interface-number	The PPPoE server is enabled on the interface.
3. Set the PPPoE access limit.	pppoe-server throttle per-mac session-requests session-request-period blocking-period	By default, the PPPoE access rate is not limited.
4. Display information about blocked users.	display pppoe-server throttled-mac { slot slot-number \| interface interface-type interface-number }	Available in any view.

Configuring the nas-port-id attribute

The PPPoE server on a BAS device uses the RADIUS nas-port-id attribute to send the access line ID received from a DSLAM device to the RADIUS server. The access line ID includes the circuit-id and remote-id. The RADIUS server compares the received nas-port-id attribute with the local line ID information to verify the location of the user.

You can configure the content of the nas-port-id attribute that the PPPoE server sends to the RADIUS server.

To configure the nas-port-id attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN interface view.	interface interface-type interface-number	The PPPoE server is enabled on the interface.
3. Configure the content of the nas-port-id attribute.	pppoe-server access-line-id content { all [ separator ] \| circuit-id \| remote-id }	By default, the nas-port-id attribute contains only the circuit-id.
4. Configure the nas-port-id attribute to include the BAS information automatically.	pppoe-server access-line-id bas-info [ cn-163 ]	By default, the nas-port-id attribute does not include the BAS information automatically.
5. Configure the PPPoE server to trust the access line ID in received packets.	pppoe-server access-line-id trust	By default, the PPPoE server does not trust the access line ID in received packets.
6. Configure the format that is used to parse the circuit-id.	pppoe-server access-line-id circuit-id parse-mode { cn-telecom \| tr-101 }	The default mode is TR-101.
7. Configure the transmission format for the circuit-id.	pppoe-server access-line-id circuit-id trans-format { ascii \| hex }	The default format is a string of characters.
8. Configure the transmission format for the remote-id.	pppoe-server access-line-id remote-id trans-format { ascii \| hex }	The default format is a string of characters.

Configuring a VA pool

The PPPoE server creates a VA interface for a PPPoE session to transmit packets between PPPoE and PPP. It removes the VA interface when the user goes offline. Creating and removing VA interfaces take time. If a large number of users are going online or offline, the performance of PPPoE session establishment and termination will be degraded.

You can configure a VA pool to improve the performance. A VA pool contains a group of VA interfaces. The PPPoE server selects a VA interface from the pool for a requesting user and release the VA interface when the user goes offline. This feature speeds up the establishment and termination of PPPoE sessions. When a VA pool is exhausted, the system creates a VA interface for a PPPoE session, and removes it when the user goes offline.

When you configure a VA pool, follow these guidelines:

· A VT interface can be associated with only one global VA pool, and an IRF member device can be associated with only one regional VA pool. Users on an Ethernet interface can only use the VA pool associated with the VT interface that is bound to the Ethernet interface. To change the capacity for a VA pool, delete the previous configuration, and reconfigure the VA pool.

· Creating or removing a VA pool takes time. During the process of creating or removing a VA pool, users can go online or offline, but the VA pool does not take effect.

· The system might create a VA pool that contains VA interfaces less than the specified number because of insufficient resources. In this case, you can use the display pppoe-server va-pool command to view the number of available VA interfaces and current state of the VA pool.

· Deleting a VA pool does not log off the users who are using VA interfaces in the VA pool.

To configure a VA pool:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VA pool.	pppoe-server virtual-template template-number [ slot slot-number ] va-pool va-volume	By default, no VA pool exists.

Clearing PPPoE sessions

To clear PPPoE sessions on the PPPoE server:

Step	Command	Remarks
1. Enter user view.	user-view	N/A
2. Clear PPPoE sessions.	reset pppoe-server { all \| interface interface-type interface-number \| virtual-template number }	N/A

Configuring a PPPoE client

The following matrix shows the feature and hardware compatibility:

Hardware series	Model	PPPoE client compatibility
WX1800H series	WX1804H WX1810H WX1820H	Yes
WX2500H series	WX2510H WX2540H WX2560H	Yes
WX3000H series	WX3010H WX3010H-F WX3010H-X WX3024H	Yes
WX3000H series	WX3010H-L WX3024H-L	No
WX3500H series	WX3508H WX3510H WX3520H WX3540H	No
WX5500E series	WX5510E WX5540E	No
WX5500H series	WX5540H WX5560H WX5580H	No
Access controller modules	EWPXM1MAC0F EWPXM1WCME0 EWPXM2WCMD0F LSQM1WCMX20 LSQM1WCMX40 LSUM1WCME0 LSUM1WCMX20RT LSUM1WCMX40RT	No

PPPoE client configuration includes dialer interface configuration and PPPoE session configuration.

A PPPoE session can operate in one of the following modes:

· Permanent mode—A PPPoE session is established immediately when the line is physically up. This type of session remains until the physical link comes down or until the session is disconnected.

· On-demand mode—A PPPoE session is established when there is a demand for data transmission instead of when the line is physically up. It is terminated when idled for a specific period of time.

· Diagnostic mode—A PPPoE session is established immediately after the device configurations finish. The device automatically terminates the PPPoE session and then tries to re-establish a PPPoE session at a pre-configured interval. By establishing and terminating PPPoE sessions periodically, you can monitor the operating status of the PPPoE link.

The PPPoE session operating mode is determined by your configuration on the dialer interface:

· Permanent mode—Used when you set the link idle time to 0 by using the dialer timer idle command and do not configure the dialer diagnose command.

· On-demand mode—Used when you set the link idle time to a non-zero value by using the dialer timer idle command and do not configure the dialer diagnose command.

· Diagnostic mode—Used when you configure the dialer diagnose command.

Configuring a dialer interface

Before establishing a PPPoE session, you must first create a dialer interface and configure bundle DDR on the interface. Each PPPoE session uniquely corresponds to a dialer bundle, and each dialer bundle uniquely corresponds to a dialer interface. A PPPoE session uniquely corresponds to a dialer interface.

Configuring a dialer interface for a PPPoE client

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a dialer access group and configure a dial access control rule.	dialer-group dialer-group rule { protocol-name { deny \| permit } \| acl { acl-number \| name acl-number }	By default, no dialer group exists.
3. Create a dialer interface and enter its view.	interface dialer number	N/A
4. Assign an IP address to the interface.	ip address { address mask \| ppp-negotiate }	By default, no IP address is configured.
5. Enable bundle DDR on the interface.	dialer bundle enable	By default, no DDR is enabled.
6. Associate the interface with the dial access control rule by associating the interface with the corresponding dialer access group.	dialer-group group-number	By default, a dialer interface is not assigned to any dialer group.
7. Configure the link-idle timeout timer.	dialer timer idle idle [ in \| in-out ]	The default setting is 120 seconds. When this timer is set to 0 seconds, the PPPoE session operates in permanent mode. Otherwise, the PPPoE session operates in on-demand mode.
8. Configure the DDR application to operate in diagnostic mode.	dialer diagnose [ interval interval ]	By default, the DDR application operates in non-diagnostic mode. When DDR operates in diagnostic mode, the link-idle timeout timer is ignored.
9. Set the auto-dial interval.	dialer timer autodial autodial-interval	The default setting is 300 seconds. In permanent or diagnostic mode, DDR starts the auto-dial timer after the link is disconnected and originates a new call when the auto-dial timer expires. H3C recommends that you set a shorter auto-dial interval for DDR to soon originate a new call.
10. Set the MTU for the dialer interface	mtu size	By default, the MTU on a dialer interface is 1500 bytes. The dialer interface fragments a packet that exceeds the configured MTU, and adds a 2-byte PPP header and a 6-byte PPPoE header to each fragment. You should modify the MTU of a dialer interface to make sure the total length of any fragment packet is less than the MTU of the physical interface.

Configuring a PPPoE session

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet interface/subinterface or VLAN interface view.	interface interface-type interface-number	N/A
3. Create a PPPoE session and specify a dialer bundle for the session.	pppoe-client dial-bundle-number number [ no-hostuniq ]	By default, no PPPoE sessions are created. The number argument in this command must take the same value as the configured dialer interface number.

Resetting a PPPoE session

After you reset a PPPoE session in permanent mode, the device establishes a new PPPoE session when the autodial timer expires.

After you reset a PPPoE session in on-demand mode, the device establishes a new PPPoE session when there is a demand for data transmission.

To reset a PPPoE session:

Step	Command	Remarks
1. Reset a PPPoE session.	reset pppoe-client { all \| dial-bundle-number number }	Available in user view.

Displaying and maintaining PPPoE

Displaying and maintaining PPPoE server

Execute display commands in any view.

Task	Command
Display summary information for PPPoE sessions.	display pppoe-server session summary { slot slot-number \| interface interface-type interface-number }
Display packet statistics for PPPoE sessions.	display pppoe-server session packet { slot slot-number \| interface interface-type interface-number }
Display information about blocked users.	display pppoe-server throttled-mac { slot slot-number \| interface interface-type interface-number }
Display VA pool information.	display pppoe-server va-pool

Displaying and maintaining PPPoE client

Execute display commands in any view and reset commands in user view.

Task	Command
Display summary information for a PPPoE session.	display pppoe-client session summary [ dial-bundle-number number ]
Display the protocol packet statistics for a PPPoE session.	display pppoe-client session packet [ dial-bundle-number number ]
Clear the protocol packet statistics for a PPPoE session.	reset pppoe-client session packet [ dial-bundle-number number ]

PPPoE configuration examples

PPPoE client in permanent mode configuration example

Network requirements

As shown in Figure 4, configure the device as a PPPoE server, and configure the AC as a PPPoE client operating in permanent mode.

Figure 4 Network diagram

Configuration procedure

1. Configure the device as the PPPoE server:

# Configure an IP address for interface Virtual-Template 1 and specify an IP address for the peer.

<Device> system-view

[Device] interface virtual-template 1

[Device-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[Device-Virtual-Template1] remote address 1.1.1.2

[Device-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/0/5, and bind the interface to Virtual-Template 1.

[Device] interface gigabitethernet 1/0/5

[Device-GigabitEthernet1/0/5] pppoe-server bind virtual-template 1

[Device-GigabitEthernet1/0/5] quit

2. Configure the AC as the PPPoE client:

# Create dialer access group 1 and configure a dial access control rule for it.

<AC> system-view

[AC] dialer-group 1 rule ip permit

# Enable bundle DDR on interface Dialer 1.

[AC] interface dialer 1

[AC-Dialer1] dialer bundle enable

# Associate Dialer 1 with dialer access group 1.

[AC-Dialer1] dialer-group 1

[AC-Dialer1] quit

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[AC-Dialer1] ip address ppp-negotiate

[AC-Dialer1] quit

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to interface Dialer 1).

[AC] interface gigabitethernet 1/0/5

[AC-GigabitEthernet1/0/5] pppoe-client dial-bundle-number 1

[AC-GigabitEthernet1/0/5] quit

# Configure the PPPoE session to operate in permanent mode.

[AC] interface dialer 1

[AC-Dialer1] dialer timer idle 0

# Set the DDR auto-dial interval to 60 seconds.

[AC-Dialer1] dialer timer autodial 60

[AC-Dialer1] quit

# Configure a static route.

[AC] ip route-static 1.1.1.1 255.0.0.0 dialer 1

Verifying the configuration

# Display summary information about the PPPoE session established between the AC and the device (PPPoE server).

[AC-Dialer1] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/0/5 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

PPPoE client in on-demand mode configuration example

Network requirements

As shown in Figure 5, perform the following tasks:

· Configure the device as a PPPoE server.

· Configure the AC as a PPPoE client operating in on-demand mode, and set the link idle-timeout timer to 150 seconds.

Figure 5 Network diagram

Configuration procedure

1. Configure the device as the PPPoE server:

# Configure an IP address for interface Virtual-Template 1 and specify an IP address for the peer.

<Device> system-view

[Device] interface virtual-template 1

[Device-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[Device-Virtual-Template1] remote address 1.1.1.2

[Device-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/0/5, and bind the interface to Virtual-Template 1.

[Device] interface gigabitethernet 1/0/5

[Device-GigabitEthernet1/0/5] pppoe-server bind virtual-template 1

[Device-GigabitEthernet1/0/5] quit

2. Configure the AC as the PPPoE client.

# Create dialer access group 1 and configure a dial access control rule for it.

<AC> system-view

[AC] dialer-group 1 rule ip permit

# Enable bundle DDR on interface Dialer 1.

[AC] interface dialer 1

[AC-Dialer1] dialer bundle enable

# Associate Dialer 1 with dialer access group 1.

[AC-Dialer1] dialer-group 1

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[AC-Dialer1] ip address ppp-negotiate

[AC-Dialer1] quit

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[AC] interface gigabitethernet 1/0/5

[AC-GigabitEthernet1/0/5] pppoe-client dial-bundle-number 1

[AC-GigabitEthernet1/0/5] quit

# Configure a static route.

[AC] ip route-static 1.1.1.1 255.0.0.0 dialer 1

# Set the link-idle timeout timer to 150 seconds.

[AC] interface dialer 1

[AC-Dialer1] dialer timer idle 150

[AC-Dialer1] quit

Verifying the configuration

# Display summary information about the PPPoE session established between the AC and the device (PPPoE server).

[AC-Dialer1] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/0/5 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

PPPoE client in diagnostic mode configuration example

Network requirements

As shown in Figure 6, perform the following tasks:

· Configure the device as a PPPoE server.

· Configure the AC as a PPPoE client operating in diagnostic mode, and set the diagnostic interval to 200 seconds.

Figure 6 Network diagram

Configuration procedure

1. Configure the device as the PPPoE server:

# Configure an IP address for interface Virtual-Template 1 and specify an IP address for the peer.

<Device> system-view

[Device] interface virtual-template 1

[Device-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[Device-Virtual-Template1] remote address 1.1.1.2

[Device-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/0/5, and bind the interface to Virtual-Template 1.

[Device] interface gigabitethernet 1/0/5

[Device-GigabitEthernet1/0/5] pppoe-server bind virtual-template 1

[Device-GigabitEthernet1/0/5] quit

2. Configure the AC as the PPPoE client.

# Create dialer access group 1 and configure a dial access control rule for it.

<AC> system-view

[AC] dialer-group 1 rule ip permit

# Enable bundle DDR on interface Dialer 1.

[AC] interface dialer 1

[AC-Dialer1] dialer bundle enable

# Associate Dialer 1 with dialer access group 1.

[AC-Dialer1] dialer-group 1

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[AC-Dialer1] ip address ppp-negotiate

[AC-Dialer1] quit

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[AC] interface gigabitethernet 1/0/5

[AC-GigabitEthernet1/0/5] pppoe-client dial-bundle-number 1

[AC-GigabitEthernet1/0/5] quit

# Configure the PPPoE session to operate in diagnostic mode, and set the diagnostic interval to 200 seconds.

[AC] interface dialer 1

[AC-Dialer1] dialer diagnose interval 200

# Set the DDR auto-dial interval to 10 seconds.

[AC-Dialer1] dialer timer autodial 10

Verifying the configuration

# Display summary information about the PPPoE session established between the AC and the device (PPPoE server).

[AC-Dialer1] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/0/5 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

Configuration example for connecting a LAN to the Internet through an ADSL modem

Network requirements

As shown in Figure 7, configure PPPoE to meet the following requirements:

· The AC provides Internet access for Host A, Host B, and Host C. It connects to the DSLAM through an ADSL modem and a permanent PPPoE session.

· The username and password of the ADSL account are user1 and 123456.

· The AC acts as a PPPoE client, and it allows the hosts in the LAN to access the Internet without PPPoE client software.

· The device acts as the PPPoE server. It performs RADIUS authentication, authorization, and accounting.

Figure 7 Network diagram

Configuration procedure

1. Configure the AC as a PPPoE client:

# Create dialer access group 1 and configure a dial access control rule for it.

<AC> system-view

[AC] dialer-group 1 rule ip permit

# Enable bundle DDR on interface Dialer 1.

[AC] interface dialer 1

[AC-Dialer1] dialer bundle enable

# Associate Dialer 1 with dialer access group 1.

[AC-Dialer1] dialer-group 1

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[AC-Dialer1] ip address ppp-negotiate

# Configure the PPPoE session to operate in permanent mode.

[AC-Dialer1] dialer timer idle 0

# Configure the PAP username and password.

[AC-Dialer1] ppp pap local-user user1 password simple 123456

[AC-Dialer1] quit

# Configure a PPPoE session.

[AC] interface gigabitethernet 1/0/5

[AC-GigabitEthernet1/0/5] pppoe-client dial-bundle-number 1

[AC-GigabitEthernet1/0/5] quit

# Configure an IP address for the LAN interface.

[AC] interface gigabitethernet 1/0/6

[AC-GigabitEthernet1/0/6] ip address 192.168.1.1 255.255.255.0

[AC-GigabitEthernet1/0/6] quit

# Configure a default route.

[AC] ip route-static 0.0.0.0 0 dialer 1

If the hosts in the LAN use private addresses, configure NAT on AC.

2. Configure the device as the PPPoE server:

# Configure virtual template 1 to use PAP for authentication and use a PPP address pool to assign IP addresses.

<Device> system-view

[Device] interface virtual-template 1

[Device-Virtual-Template1] ppp authentication-mode pap domain system

[Device-Virtual-Template1] remote address pool 1

[Device-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[Device-Virtual-Template1] quit

# Configure a local PPP address pool that contains nine assignable IP addresses.

[Device] ip pool 1 1.1.1.2 1.1.1.10

# Enable the PPPoE server on the virtual Ethernet interface.

[Device] interface virtual-ethernet 1

[Device-Virtual-Ethernet1] mac-address 0001-0000-0001

[Device-Virtual-Ethernet1] pppoe-server bind virtual-template 1

[Device-Virtual-Ethernet1] quit

# Configure an ATM interface.

[Device] interface atm 2/4/0.1

[Device-ATM2/4/0.1] pvc to_adsl_a 0/60

[Device-ATM2/4/0.1-pvc-to_adsl_a-0/60] map bridge virtual-ethernet 1

[Device-ATM2/4/0.1-pvc-to_adsl_a-0/60] quit

[Device-ATM2/4/0.1] quit

# Configure the default ISP domain system to use the RADIUS scheme for authentication, authorization, and accounting.

[Device] domain system

[Device-isp-system] authentication ppp radius-scheme cams

[Device-isp-system] authorization ppp radius-scheme cams

[Device-isp-system] accounting ppp radius-scheme cams

[Device-isp-system] quit

# Configure a RADIUS scheme, and assign an IP address and port number for the RADIUS server.

[Device] radius scheme cams

[Device-radius-cams] primary authentication 11.110.91.146 1812

[Device-radius-cams] primary accounting 11.110.91.146 1813

# Set the shared keys for secure communication with the RADIUS server to expert in plain text.

[Device-radius-cams] key authentication simple expert

[Device-radius-cams] key accounting simple expert

[Device-radius-cams] quit

3. Configure the RADIUS server:

# Configure the authentication and accounting passwords as expert.

# Add a PPPoE user with username user1 and password 123456.

For more information about RADIUS, see Security Configuration Guide.

Verifying the configuration

# Display summary information for the PPPoE session between the AC and the device.

[AC] display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 GE1/0/5 VA0 0001-0000-0001 00e0-1500-4100 SESSION

Host A, Host B, and Host C can thus access the Internet. For example, they can browse a web page through IE.

05-Layer 2 - WAN Access

Configuring PPP

IP address negotiation

DNS server address negotiation

IPv6 address assignment

IPv6 DNS server address assignment

Configuring PAP authentication

Configuring CHAP authentication

Configuring PPP negotiation

Configuring the PPP negotiation timeout time

Enabling IP header compression

Configuring PPPoE

Setting the maximum number of PPPoE sessions

Configuring the nas-port-id attribute

Configuring a PPPoE client

Configuring a dialer interface for a PPPoE client

Resetting a PPPoE session

PPPoE configuration examples

Network requirements

Configuration procedure

Verifying the configuration

Verifying the configuration

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us