16-BRAS Services Command Reference

13-IPoE commands

Contents

IPoE commands
display ip subscriber abnormal-logout
display ip subscriber chasten user auth-failed
display ip subscriber chasten user quiet
display ip subscriber interface-leased
display ip subscriber interface-leased statistics
display ip subscriber interface-leased user
display ip subscriber interface-leased user ip-type
display ip subscriber l2vpn-leased
display ip subscriber l2vpn-leased statistics
display ip subscriber offline statistics
display ip subscriber session
display ip subscriber session statistics
display ip subscriber session statistics ip-type
display ip subscriber subnet-leased
display ip subscriber subnet-leased statistics
display ip subscriber subnet-leased user
display ip subscriber subnet-leased user ip-type
display ip subscriber tcp-connection
display trace access-user
ip subscriber 8021p
ip subscriber access-block
ip subscriber access-delay
ip subscriber access-line-id circuit-id trans-format
ip subscriber access-line-id remote-id trans-format
ip subscriber access-out
ip subscriber access-trigger loose
ip subscriber access-user log enable
ip subscriber authentication chasten
ip subscriber authentication-method
ip subscriber captive-bypass enable
ip subscriber dhcp domain
ip subscriber dhcp domain include
ip subscriber dhcp max-session
ip subscriber dhcp option60 match
ip subscriber dhcp password
ip subscriber dhcp username
ip subscriber dhcpv6 match
ip subscriber dhcpv6 max-session
ip subscriber dhcpv6 password option16
ip subscriber dscp
ip subscriber enable
ip subscriber http-fast-reply enable
ip subscriber if-match
ip subscriber initiator arp enable
ip subscriber initiator dhcp enable
ip subscriber initiator dhcpv6 enable
ip subscriber initiator ndrs enable
ip subscriber initiator nsna enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber interface-leased
ip subscriber l2vpn-leased
ip subscriber lease-end-time original
ip subscriber mac-auth domain
ip subscriber max-session
ip subscriber nas-port-id format
ip subscriber nas-port-id interface
ip subscriber nas-port-id nasinfo-insert
ip subscriber nas-port-type
ip subscriber ndrs domain
ip subscriber ndrs max-session
ip subscriber ndrs username
ip subscriber password
ip subscriber pre-auth domain
ip subscriber pre-auth track
ip subscriber roaming enable
ip subscriber service-identify
ip subscriber session static (interface view)
ip subscriber session static (system view)
ip subscriber static-session request-online interval
ip subscriber subnet-leased
ip subscriber timer quiet
ip subscriber timer traffic
ip subscriber trust
ip subscriber unclassified-ip domain
ip subscriber unclassified-ip ip match
ip subscriber unclassified-ip ipv6 match
ip subscriber unclassified-ip max-session
ip subscriber unclassified-ip username
ip subscriber unclassified-ipv6 max-session
ip subscriber username
ip subscriber user-detect ip
ip subscriber user-detect ipv6
ip subscriber user-policy interface-down
ip subscriber vlan
ip subscriber web-auth domain
reset ip subscriber abnormal-logout
reset ip subscriber interface-leased
reset ip subscriber interface-leased user
reset ip subscriber interface-leased user ip-type
reset ip subscriber offline statistics
reset ip subscriber session
reset ip subscriber subnet-leased
reset ip subscriber subnet-leased user
reset ip subscriber subnet-leased user ip-type
slot-user-warning-threshold
snmp-agent trap enable slot-user-warning-threshold
trace access-user


IPoE commands

This feature is available only when the system operates in standard mode. For more information about the system operating modes, see device management in Fundamentals Configuration Guide.

Only CSPEX (except CSPEX-1104-E)/CEPC cards support IPoE.

display ip subscriber abnormal-logout

Use display ip subscriber abnormal-logout to display information about abnormally logged out DHCP users.

Syntax

In standalone mode:

display ip subscriber abnormal-logout [ interface interface-type interface-number ] [ { mac mac-address | ip-type ipv4 } * | ip ipv4-address ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber abnormal-logout [ interface interface-type interface-number ] [ { mac mac-address | ip-type ipv4 } * | ip ipv4-address ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Specifies a MAC address in the format of H-H-H.

ip-type: Specifies an IP address type.

ipv4: Specifies IPv4 addresses.

ip ipv4-address: Specifies an IPv4 address.

verbose: Specifies detailed user information.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information about abnormally logged out DHCP users for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about abnormally logged out DHCP users for all cards. (In IRF mode.)

Examples

# (In standalone mode.) Display brief information about abnormally logged out DHCP users on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber abnormal-logout interface gigabitethernet 3/1/1

Slot 3:

Interface             IP address             MAC address

GE3/1/1               1.1.1.1                000d-88f8-0eab

Table 1 Command output

Field          Description
Interface      Name of the interface where the user resides.
IP address     IP address of the user.
MAC address    MAC address of the user.

# (In standalone mode.) Display detailed information about abnormally logged out DHCP users on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber abnormal-logout verbose

Slot 3:

  IP address                  : 1.1.1.1

  MAC address                 : 000d-88f8-0eab

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/1

  Offline reason              : Admin reset

  Aging                       : May 9 10:05:29 2017

Table 2 Command output

Field                         Description
IP address                    IP address of the user.
MAC address                   MAC address of the user.
Service-VLAN/Customer-VLAN    SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.
Access interface              Interface that connects the user.
Offline reason                Reason why the user is abnormally logged out. For more information, see the log manual for IPoE logins and logouts.
Aging                         Time when the entry for the abnormally logged out user will age out. N/A means that the entry never ages out.

Related commands

ip subscriber initiator arp enable

ip subscriber initiator dhcp enable

ip subscriber initiator unclassified-ip enable

reset ip subscriber abnormal-logout

display ip subscriber chasten user auth-failed

Use display ip subscriber chasten user auth-failed to display information about IPoE individual users with authentication failure records that have not met the blocking conditions.

Syntax

In standalone mode:

display ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ slot slot-number ]

In IRF mode:

display ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

ip ipv4-address: Specifies the source IPv4 address of an IPoE individual user.

ipv6 ipv6-address: Specifies the source IPv6 address of an IPoE individual user.

mac mac-address: Specifies the MAC address of an IPoE individual user, in the format of H-H-H.

user-type: Specifies a user type. If you do not specify a user type, this command displays information about all types of IPoE individual users.

dhcp: Specifies DHCPv4 users.

dhcpv6: Specifies DHCPv6 users.

ndrs: Specifies IPv6 ND RS users.

unclassified-ip: Specifies unclassified-IPv4 users.

unclassified-ipv6: Specifies unclassified-IPv6 users.

static: Specifies static individual users.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Examples

# Display brief information about the IPoE individual users with authentication failure records that have not met the blocking conditions on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber chasten user auth-failed interface gigabitethernet 3/1/1

Interface           IP address           MAC address    SVLAN/CVLAN Failures

GE3/1/1             6.6.6.2              248c-c3d1-0406 -/-         7

Table 3 Command output

Field          Description
Interface      Interface that connects the user.
IP address     IP address of the user.
MAC address    MAC address of the user.
SVLAN/CVLAN    SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.
Failures       Number of consecutive authentication failures of the user. N/A indicates the entry is to age out.

Related commands

ip subscriber authentication chasten

ip subscriber timer quiet

display ip subscriber chasten user quiet

Use display ip subscriber chasten user quiet to display information about blocked IPoE individual users.

Syntax

In standalone mode:

display ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

ip ipv4-address: Specifies the source IPv4 address of a blocked IPoE individual user.

ipv6 ipv6-address: Specifies the source IPv6 address of a blocked IPoE individual user.

mac mac-address: Specifies the MAC address of a blocked IPoE individual user, in the format of H-H-H.

user-type: Specifies a user type.

dhcp: Specifies DHCPv4 users.

dhcpv6: Specifies DHCPv6 users.

ndrs: Specifies IPv6 ND RS users.

unclassified-ip: Specifies unclassified-IPv4 users.

unclassified-ipv6: Specifies unclassified-IPv6 users.

static: Specifies static individual users.

verbose: Displays detailed information about blocked IPoE individual users. If this keyword is not specified, this command displays brief information about blocked IPoE individual users.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Examples

# Display brief information about the blocked IPoE individual users on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber chasten user quiet interface gigabitethernet 3/1/1

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address                MAC address    Type  Aging(s)

GE3/1/1              6.6.6.2                   248c-c3d1-0406 U     7

Table 4 Command output

Field          Description
Interface      Interface that connects the user.
IP address     IP address of the user.
MAC address    MAC address of the user.
Type           IPoE user type:
               · D—DHCP user.
               · S—Static individual user.
               · U—Unclassified-IP user.
               · N—IPv6 ND RS user.
Aging(s)       Remaining aging time in seconds for the user.

# (In standalone mode.) Display detailed information about all blocked IPoE individual users.

<Sysname> display ip subscriber chasten user quiet verbose

Username                       : 1.1.1.10

  Domain                       : dm0

  IP address                   : 1.1.1.10

  MAC address                  : 4649-e2cf-0216

  Service-VLAN/Customer-VLAN   : -/-

  Access interface             : GE3/1/1

  Service node                 : Slot 3 CPU 0

  Access Type                  : Unclassified-IP

  Aging                        : 41 sec

Table 5 Command output

Field                         Description
Username                      Username for authentication.
Domain                        ISP domain of the user for authentication.
IP address                    IP address of the user.
MAC address                   MAC address of the user.
Service-VLAN/Customer-VLAN    SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.
Access interface              Interface that connects the user.
Service node                  Slot number and CPU number of the card that connects the user.
Access Type                   IPoE user type:
                              · DHCP—DHCP user.
                              · Unclassified-IP—Unclassified-IP user.
                              · NDRS—IPv6 ND RS user.
                              · Static—Static individual user.
Aging                         Remaining aging time for the user, in seconds.

Related commands

ip subscriber timer quiet
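
The brief outputs of display ip subscriber chasten user auth-failed and display ip subscriber chasten user quiet are fixed-column text, so a monitoring job can parse both and surface subscribers that are close to being blocked, already blocked, or concentrated on one access port. The Python below is an added example, not part of the H3C documentation; the sample rows are constructed, and warn_at and port_fanout are assumed alerting thresholds (the device's real blocking condition is set with ip subscriber authentication chasten).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# H-H-H MAC format used by the device, e.g. 248c-c3d1-0406.
MAC_RE = re.compile(r"^[0-9a-fA-F]{1,4}(?:-[0-9a-fA-F]{1,4}){2}$")
# Type legend printed above the brief "quiet" table.
USER_TYPES = {"D": "DHCP", "S": "Static", "U": "Unclassified-IP", "N": "NDRS"}

# Constructed sample output (not captured from a device), shaped like the examples above.
AUTH_FAILED_SAMPLE = """\
Interface           IP address           MAC address    SVLAN/CVLAN Failures
GE3/1/1             6.6.6.2              248c-c3d1-0406 -/-         7
GE3/1/1             6.6.6.3              248c-c3d1-0407 100/20      2
GE3/1/2             6.6.7.5              248c-c3d1-0410 -/-         N/A
"""
QUIET_SAMPLE = """\
Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS
Interface            IP address                MAC address    Type  Aging(s)
GE3/1/1              6.6.6.9                   4649-e2cf-0216 U     41
GE3/1/3              6.6.8.1                   4649-e2cf-0300 D     7
"""


@dataclass
class AuthFailed:
    interface: str
    ip: str
    mac: str
    svlan: Optional[int]      # None when the column shows "-"
    cvlan: Optional[int]
    failures: Optional[int]   # None when the device prints N/A (entry is to age out)


@dataclass
class Quiet:
    interface: str
    ip: str
    mac: str
    user_type: str
    aging_s: int              # seconds left before the block ages out


def _rows(text: str) -> List[List[str]]:
    """Return data rows only: five fields with an H-H-H MAC in the third.

    Header lines, the Type legend and "Slot N:" banners fail this test and are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and MAC_RE.match(fields[2]):
            rows.append(fields)
    return rows


def _vlan(part: str) -> Optional[int]:
    return None if part in ("-", "") else int(part)


def parse_auth_failed(text: str) -> List[AuthFailed]:
    out = []
    for iface, ip, mac, vlans, fails in _rows(text):
        svlan, _, cvlan = vlans.partition("/")
        count = None if fails == "N/A" else int(fails)
        out.append(AuthFailed(iface, ip, mac.lower(), _vlan(svlan), _vlan(cvlan), count))
    return out


def parse_quiet(text: str) -> List[Quiet]:
    return [Quiet(iface, ip, mac.lower(), USER_TYPES.get(code, code), int(aging))
            for iface, ip, mac, code, aging in _rows(text)]


def triage(failed: List[AuthFailed], quiet: List[Quiet],
           warn_at: int = 5, port_fanout: int = 3) -> Dict[str, List[str]]:
    """Summarise both tables for an analyst.

    warn_at and port_fanout are assumed alerting thresholds, not device settings.
    """
    macs_per_port = defaultdict(set)
    for rec in [*failed, *quiet]:
        macs_per_port[rec.interface].add(rec.mac)
    return {
        # Users still allowed to retry but close to being blocked.
        "near_block": sorted(r.mac for r in failed
                             if r.failures is not None and r.failures >= warn_at),
        # Users the BRAS is currently refusing.
        "blocked": sorted(q.mac for q in quiet),
        # Access ports where many distinct MACs are failing or blocked at once.
        "noisy_ports": sorted(p for p, macs in macs_per_port.items()
                              if len(macs) >= port_fanout),
    }


if __name__ == "__main__":
    print(triage(parse_auth_failed(AUTH_FAILED_SAMPLE), parse_quiet(QUIET_SAMPLE)))
```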

display ip subscriber interface-leased

Use display ip subscriber interface-leased to display interface-leased user session information.

Syntax

In standalone mode:

display ip subscriber interface-leased [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

display ip subscriber interface-leased [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Examples

# (In standalone mode.) Display interface-leased user session information on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber interface-leased interface gigabitethernet 3/1/1

Basic:

  Access interface              : GE3/1/1

  VPN instance                  : N/A

  Username                      : a

  User ID                       : 0x30060000

  State                         : Online

  Service node                  : Slot 3 CPU 0

  Domain                        : radius

  Login time                    : May 14 20:04:42 2014

  Online time (hh:mm:ss)        : 00:16:37

  IPv4 total users              : 10

  IPv6 total users              : 10

 

AAA:

  ITA policy name               : ipoe

  IP pool                       : N/A

  IPv6 pool                     : N/A

  Primary DNS server            : N/A

  Secondary DNS server          : N/A

  Primary IPv6 DNS server       : N/A

  Secondary IPv6 DNS server        : N/A

  Session idle cut              : N/A

  Session duration              : N/A, remaining: N/A

  Traffic quota                 : N/A

  Traffic remained              : N/A

  Acct start-fail action        : Online

  Acct update-fail action       : Online

  Acct quota-out action         : Offline

  Dual-stack accounting mode    : Merge

  Max IPv4 multicast addresses  : 4

  IPv4 multicast address list   : N/A

  Max IPv6 multicast addresses  : 4

  IPv6 multicast address list   : N/A

 

QoS:

  User profile                  : abc (active)

  Session group profile         : N/A

  User group ACL                : N/A

  Inbound CAR                   : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)

  Outbound CAR                  : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)

  Inbound user priority         : 1 (active)

  Outbound user priority        : 1 (active)

 

Flow statistic:

  Uplink   packets/bytes        : 0/0

  Downlink packets/bytes        : 0/0

  IPv6 uplink   packets/bytes   : 0/0

  IPv6 downlink packets/bytes   : 0/0

 

ITA:

  Acct merge                    : Disabled

  Acct quota-out action         : Offline

  Denied level                  : None

 

  Level-1 Inbound CAR              : CIR 126976000kbps PIR 126976000kbps (active)

          Outbound CAR          : N/A

          Traffic separate      : Disabled

          Session duration      : N/A, remaining: N/A

          Traffic quota         : N/A

          Traffic remained      : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

  Level-2 Inbound CAR           : N/A

          Outbound CAR          : N/A

          Traffic separate      : Disabled

          Session duration      : N/A, remaining: N/A

          Traffic quota         : N/A

          Traffic remained      : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

Table 6 Command output

Field                         Description
Basic                         Basic session information.
Access interface              Interface that connects the user.
VPN instance                  MPLS L3VPN instance of the user. If the user is not in a VPN, this field displays N/A.
Username                      Username for authentication.
User ID                       User ID assigned after the user came online. If no user ID is assigned, this field displays 0xffffffff.
State                         User session state:
                              · Init—The user is being initiated.
                              · Offline—The user is going offline.
                              · Auth—The user is being authenticated.
                              · AuthFail—The user failed authentication.
                              · AuthPass—The user passed authentication.
                              · AssignedIP—The user has an IP address.
                              · Online—The user is online.
                              · Backup—The user is backed up to the local end from the peer end.
Service node                  Slot number and CPU number of the card that connects the user.
Domain                        ISP domain of the user for authentication.
Login time                    Time when the user passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.
Online time (hh:mm:ss)        Online duration of the user.
IPv4 total users              Total number of IPv4 interface-leased subusers.
IPv6 total users              Total number of IPv6 interface-leased subusers.
Failure reason                Reason for failing to issue the session to the driver (this field is displayed only when the session fails to be issued to the driver):
                              · Not support—The driver does not support the session.
                              · No resource—The hardware resources are insufficient.
                              · Unknown—The failure reason is unknown.
AAA                           AAA authorization information.
ITA policy name               AAA-authorized ITA policy name. If no ITA policy name is authorized, this field displays N/A.
IP pool                       AAA-authorized DHCPv4 address pool. If no DHCPv4 address pool is authorized, this field displays N/A.
IP pool group                 AAA-authorized DHCPv4 address pool group. This field is displayed only when AAA has authorized a DHCPv4 address pool group and has not authorized a DHCPv4 address pool. This field will not be displayed at the same time as the IP pool field.
IPv6 pool                     AAA-authorized DHCPv6 address pool. If no DHCPv6 address pool is authorized, this field displays N/A.
IPv6 pool group               AAA-authorized DHCPv6 address pool group. This field is displayed only when AAA has authorized a DHCPv6 address pool group and has not authorized a DHCPv6 address pool. This field will not be displayed at the same time as the IPv6 pool field.
Primary DNS server            AAA-authorized primary IPv4 DNS server address. If no primary IPv4 DNS server address pool is authorized, this field displays N/A.
Secondary DNS server          AAA-authorized secondary IPv4 DNS server address. If no secondary IPv4 DNS server address pool is authorized, this field displays N/A.
Primary IPv6 DNS server       AAA-authorized primary IPv6 DNS server address. If no primary IPv6 DNS server address is authorized, this field displays N/A.
Secondary IPv6 DNS server     AAA-authorized secondary IPv6 DNS server address. If no secondary IPv6 DNS server address is authorized, this field displays N/A.
Session idle cut              Period and traffic threshold for idle cut. If traffic does not reach the threshold in bytes within the period in seconds, the user is logged out. If the user can remain idle without being logged out, this field displays N/A.
direction                     Direction of traffic to be used by idle cut:
                              · Both—Inbound and outbound traffic.
                              · Inbound—Inbound traffic.
                              · Outbound—Outbound traffic.
Session duration              AAA-authorized IPoE session duration in seconds:
                              · N/A—No IPoE session duration is authorized.
                              · Unlimited—The IPoE session duration is unlimited.
remaining                     Remaining AAA-authorized IPoE session duration. If no session duration is authorized, this field displays N/A.
                              For users on Layer 3 Ethernet interfaces and subinterfaces, this field displays the remaining time or Unlimited.
                              For users on Layer 3 aggregate interfaces and subinterfaces, this field displays the remaining time or Unlimited only when the slot or interface is specified. If you do not specify the slot or interface, this field displays N/A.
Traffic quota                 AAA-authorized traffic in bytes. If no traffic is authorized, this field displays N/A.
Traffic remained              Remaining AAA-authorized traffic in bytes. If no traffic is authorized or the authorized traffic has been used out, this field displays N/A.
Acct start-fail action        Actions to take after accounting fails to start:
                              · Online—Keeps the user online.
                              · Offline—Forces the user offline.
Acct update-fail action       Actions to take after accounting fails to update:
                              · Online—Keeps the user online.
                              · Offline—Forces the user offline.
Acct quota-out action         Actions to take after the traffic quota is exhausted:
                              · Online—Keeps the user online.
                              · Offline—Forces the user offline.
Dual-stack accounting mode    Accounting mode of dual-stack users:
                              · Merge—Reports the IPv4 and IPv6 traffic of dual-stack users as a whole to the accounting server.
                              · Separate—Reports the IPv4 and IPv6 traffic of dual-stack users to the accounting server separately.
                              · N/A—No dual-stack accounting mode is authorized.
Max IPv4 multicast addresses  Maximum number of AAA-authorized IPv4 multicast groups that a user can join.
IPv4 multicast address list   List of AAA-authorized IPv4 multicast group addresses. If no IPv4 multicast group is authorized, this field displays N/A.
Max IPv6 multicast addresses  Maximum number of AAA-authorized IPv6 multicast groups that a user can join.
IPv6 multicast address list   List of AAA-authorized IPv6 multicast group addresses. If no IPv6 multicast group is authorized, this field displays N/A.
QoS                           QoS information.
User profile                  Name of the AAA-authorized user profile. N/A means that no user profile is authorized.
                              The user profile has the following states:
                              · inactive—User profile authorization failed or the user profile does not exist on the BRAS.
                              · active—The user profile is authorized successfully.
                              If the authorization result has not been updated, nothing is displayed.
Session group profile         Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.
                              The session group profile has the following states:
                              · inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.
                              · active—The session group profile is authorized successfully.
                              If the authorization result has not been updated, nothing is displayed.
User group ACL                Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.
                              The user group ACL has the following states:
                              · active—The user group ACL is authorized successfully.
                              · inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.
                              If the authorization result has not been updated, nothing is displayed.
Inbound CAR                   Inbound CIR and PIR in kbps, and CBS in bytes. N/A means that no inbound CAR is authorized.
                              The inbound CAR has the following states:
                              · inactive—Inbound CAR is not authorized successfully.
                              · active—Inbound CAR is authorized successfully.
Outbound CAR                  Outbound CIR and PIR in kbps, and CBS in bytes. N/A means that no outbound CAR is authorized.
                              The outbound CAR has the following states:
                              · inactive—Outbound CAR is not authorized successfully.
                              · active—Outbound CAR is authorized successfully.
Inbound user priority         AAA-authorized inbound user priority, which can be a number in the range of 0 to 7, 15, and N/A. N/A or 15 means that no inbound user priority is authorized.
                              The inbound user priority has the following states:
                              · inactive—Inbound user priority is not authorized successfully.
                              · active—Inbound user priority is authorized successfully.
Outbound user priority        AAA-authorized outbound user priority, which can be a number in the range of 0 to 7, 15, and N/A. N/A or 15 means that no outbound user priority is authorized.
                              The outbound user priority has the following states:
                              · inactive—Outbound user priority is not authorized successfully.
                              · active—Outbound user priority is authorized successfully.
Flow statistic                Session flow statistics.
Uplink packets/bytes          Total number and size of uplink packets. This field displays the total number and size of uplink IPv4 and IPv6 packets in Merge accounting mode. Otherwise, this field displays the total number and size of uplink IPv4 packets.
Downlink packets/bytes        Total number and size of downlink packets. This field displays the total number and size of downlink IPv4 and IPv6 packets in Merge accounting mode. Otherwise, this field displays the total number and size of downlink IPv4 packets.
IPv6 uplink packets/bytes     Total number and size of uplink IPv6 packets.
IPv6 downlink packets/bytes   Total number and size of downlink IPv6 packets.
ITA                           ITA information.
Acct merge                    ITA state:
                              · Enabled.
                              · Disabled.
Denied level                  Level of the traffic being denied. If no traffic is denied, this field displays None. Traffic is classified into 8 levels (from 1 to 8).
Level-n Inbound CAR           AAA-authorized uplink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).
                              Inbound CAR state:
                              · active—Inbound CAR is authorized successfully.
                              · inactive—Inbound CAR is not authorized successfully.
                              · N/A—Inbound CAR is not authorized.
Outbound CAR                  AAA-authorized downlink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).
                              Outbound CAR state:
                              · active—Outbound CAR is authorized successfully.
                              · inactive—Outbound CAR is not authorized successfully.
                              · N/A—Outbound CAR is not authorized.
Traffic separate              State of separating ITA service traffic from the overall traffic for accounting:
                              · Enabled
                              · Disabled

Related commands

ip subscriber enable

display ip subscriber interface-leased statistics

Use display ip subscriber interface-leased statistics to display interface-leased user session statistics.

Syntax

In standalone mode:

display ip subscriber interface-leased statistics [ domain domain-name ] [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

display ip subscriber interface-leased statistics [ domain domain-name ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays interface-leased user session statistics for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays interface-leased user session statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays interface-leased user session statistics for all cards. (In IRF mode.)

Examples

# Display IPoE session statistics for all interface-leased users on the BRAS.

<Sysname> display ip subscriber interface-leased statistics

Total sessions       : 100

Init                 : 0

Authenticating       : 20

Authenticate fail    : 0

Authenticate pass    : 20

Assigned IP          : 10

Online               : 50

Backup               : 0

Table 7 Command output

Field                Description
Total sessions       Total number of sessions on the interface.
Init                 Number of sessions that were being initiated.
Authenticating       Number of sessions being authenticated.
Authenticate fail    Number of sessions that failed authentication.
Authenticate pass    Number of sessions that passed authentication.
Assigned IP          Number of sessions that have IP addresses.
Online               Number of online sessions.
Backup               Number of sessions whose information was backed up.

Related commands

ip subscriber enable

display ip subscriber interface-leased user

Use display ip subscriber interface-leased user to display interface-leased subuser session information.

Syntax

In standalone mode:

display ip subscriber interface-leased user [ interface interface-type interface-number [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber interface-leased user [ interface interface-type interface-number [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays interface-leased subuser session information for all interfaces.

ip ipv4-address: Specifies the source IPv4 address of an interface-leased subuser.

ipv6 ipv6-address: Specifies the source IPv6 address of an interface-leased subuser.

mac mac-address: Specifies the source MAC address of an interface-leased subuser, in the format of H-H-H.

s-vlan svlan-id: Specifies the service provider VLAN ID of an interface-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an interface-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an interface-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

verbose: Displays detailed information about interface-leased subusers. If this keyword is not specified, this command displays brief information about interface-leased subusers.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays interface-leased subuser session information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays interface-leased subuser session information for all cards. (In IRF mode.)

Usage guidelines

This command takes effect only in Layer 2 access mode.
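An added example (not H3C code): when a script assembles this command from operator-supplied values, checking each argument against the syntax and value ranges documented above keeps malformed or multi-line input out of the CLI session. The function names, the interface type and number patterns, and the reading of H as one to four hexadecimal digits are assumptions; the slot and chassis selectors are left out because the page gives no range for them.

```python
import ipaddress
import re

# Assumed shapes; the page only says "interface-type interface-number".
_IF_TYPE = re.compile(r"[A-Za-z][A-Za-z-]*")      # e.g. gigabitethernet
_IF_NUM = re.compile(r"\d+(/\d+)*(\.\d+)?")       # e.g. 3/1/1 or 3/1/1.10
# H-H-H as on the page; each H taken to be 1 to 4 hex digits (assumption).
_MAC = re.compile(r"[0-9A-Fa-f]{1,4}(-[0-9A-Fa-f]{1,4}){2}")


def _ranged(name, value, low, high):
    """Return value as text if it is an int within the documented range."""
    if isinstance(value, bool) or not isinstance(value, int) \
            or not low <= value <= high:
        raise ValueError(f"{name} must be an integer from {low} to {high}")
    return str(value)


def build_user_query(interface=None, ip=None, ipv6=None, mac=None,
                     svlan=None, cvlan=None, vxlan=None, verbose=False):
    """Build 'display ip subscriber interface-leased user ...' safely.

    interface is a (type, number) pair such as ("gigabitethernet", "3/1/1").
    """
    # ip | ipv6 | mac | s-vlan are alternatives nested under interface.
    selectors = [v for v in (ip, ipv6, mac, svlan) if v is not None]
    if len(selectors) > 1:
        raise ValueError("ip, ipv6, mac and s-vlan are mutually exclusive")
    if cvlan is not None and svlan is None:
        raise ValueError("c-vlan can only follow s-vlan")
    if selectors and interface is None:
        raise ValueError("a subuser selector requires an interface")

    parts = ["display", "ip", "subscriber", "interface-leased", "user"]
    if interface is not None:
        if_type, if_num = interface
        # fullmatch, not match: '$' would accept a trailing newline.
        if not (_IF_TYPE.fullmatch(if_type) and _IF_NUM.fullmatch(if_num)):
            raise ValueError("invalid interface type or number")
        parts += ["interface", if_type, if_num]
    if ip is not None:
        parts += ["ip", str(ipaddress.IPv4Address(ip))]
    if ipv6 is not None:
        parts += ["ipv6", str(ipaddress.IPv6Address(ipv6))]
    if mac is not None:
        if not _MAC.fullmatch(mac):
            raise ValueError("MAC address must be in H-H-H format")
        parts += ["mac", mac]
    if svlan is not None:
        parts += ["s-vlan", _ranged("s-vlan", svlan, 1, 4094)]
    if cvlan is not None:
        parts += ["c-vlan", _ranged("c-vlan", cvlan, 1, 4094)]
    if vxlan is not None:
        parts += ["vxlan", _ranged("vxlan", vxlan, 0, 16777215)]
    if verbose:
        parts.append("verbose")
    return " ".join(parts)


def is_rejected(**kwargs):
    """True if build_user_query refuses the given arguments."""
    try:
        build_user_query(**kwargs)
    except (ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    ge = ("gigabitethernet", "3/1/1")
    print(build_user_query(interface=ge, verbose=True))
    print(is_rejected(interface=ge, svlan=4095))
```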

Examples

# Display brief session information about the interface-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber interface-leased user interface gigabitethernet 3/1/1

Interface       IP address       MAC address       SVLAN/CVLAN      User ID

GE3/1/1         100.1.1.3        0010-9400-0003    -/-              0x380800b5

GE3/1/1         100::1           0010-9400-0004    -/-              0x380800b6

Table 8 Command output

| Field | Description |
|---|---|
| Interface | Interface that connects the subuser. |
| IP address | IP address of the subuser. |
| MAC address | MAC address of the subuser. |
| SVLAN/CVLAN | SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part. |
| User ID | Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff. |

 

# (In standalone mode.) Display detailed session information about the interface-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber interface-leased user interface gigabitethernet 3/1/1 verbose

Interface: Gigabitethernet 3/1/1

  IP address                 : 100.1.1.3

  MAC address                : 0010-9400-0003

  User ID                    : 0x380800b5

  VPN instance               : vpn1

  Service-VLAN/Customer-VLAN : -/-

  Access interface           : GE3/1/1

  VPI/VCI(for ATM)           : -/-

  DNS servers                : N/A

  DHCP lease                 : 86400 sec

  DHCP remain lease          : 86380 sec

  Login time                 : May 9 08:56:29 2014

  Service node               : Slot 3 CPU 0

  Type                       : DHCP

 

QoS:

  User profile               : abc (active)

  Session group profile      : N/A

  User group ACL             : N/A

  Inbound user priority      : 1 (active)

  Outbound user priority     : 1 (active)

 

Interface: Gigabitethernet 3/1/1

  IP address                 : 100::1

  MAC address                : 0010-9400-0004

  User ID                    : 0x380800b6

  VPN instance               : vpn1

  Service-VLAN/Customer-VLAN : -/-

  Access interface           : GE3/1/1

  VPI/VCI(for ATM)           : -/-

  DNS servers                : N/A

  DHCP lease                 : 86400 sec

  DHCP remain lease          : 86380 sec

  Login time                 : May 9 09:00:02 2014

  Service node               : Slot 3 CPU 0

  Type                       : DHCP

 

QoS:

  User profile               : abc (active)

  Session group profile      : N/A

  User group ACL             : N/A

  Inbound user priority      : 1 (active)

  Outbound user priority     : 1 (active)

Table 9  Command output

Field

Description

Interface

Interface that connects the subuser.

IP address

IP address of the subuser.

MAC address

MAC address of the subuser.

User ID

Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff.

VPN instance

MPLS L3VPN instance of the subuser. If the subuser is not in a VPN, this field displays N/A.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Interface that connects the subuser.

VPI/VCI(for ATM)

ATM PVC information of the subuser. If the subuser traffic does not have PVC information, this field displays a hyphen (-).

DNS servers

DNS server addresses assigned to the subuser.

·         When the number of the assigned addresses is 0, this field displays N/A, which indicates no DNS server addresses are assigned.

·         When the number of the assigned addresses is 1 or 2, this field displays the actual DNS server addresses.

·         When the number of the assigned addresses is greater than 2, this field displays only the first two DNS server addresses.

DHCP lease

DHCP-authorized IP lease in seconds:

·         N/A—No IP lease is authorized.

·         Unlimited—The IP lease is unlimited.

DHCP remain lease

Remaining DHCP-authorized IP lease in seconds.

This field is displayed only on the card that connects the subuser. On other cards, this field displays N/A.

Login time

Time when the subuser passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.

Service node

Slot number and CPU number of the card that connects the subuser.

Type

Subuser type:

·         Unclassified-IP—Unclassified-IP subuser.

·         DHCP—DHCP subuser.

·         NDRS—IPv6 ND RS subuser.

QoS

QoS information.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

If the authorization result has not been updated, nothing is displayed.

Inbound user priority

AAA-authorized inbound user priority, which can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no inbound user priority is authorized.

The inbound user priority has the following states:

·         inactive—Inbound user priority is not authorized successfully.

·         active—Inbound user priority is authorized successfully.

Outbound user priority

AAA-authorized outbound user priority, which can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no outbound user priority is authorized.

The outbound user priority has the following states:

·         inactive—Outbound user priority is not authorized successfully.

·         active—Outbound user priority is authorized successfully.

 

Related commands

ip subscriber enable
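An added example (not H3C code): a Python parser for the verbose output of display ip subscriber interface-leased user that flags the conditions Table 9 describes, namely a User ID of 0xffffffff and AAA-authorized QoS items that are inactive or shown without a state. The sample text is constructed, and the ACL name acl_guest and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the verbose output format shown above. The second
# record is invented to exercise the failure states listed in Table 9.
SAMPLE = """\
Interface: Gigabitethernet 3/1/1
  IP address                 : 100.1.1.3
  MAC address                : 0010-9400-0003
  User ID                    : 0x380800b5
  VPN instance               : vpn1
  Login time                 : May 9 08:56:29 2014
  Type                       : DHCP

QoS:
  User profile               : abc (active)
  Session group profile      : N/A
  User group ACL             : N/A
  Inbound user priority      : 1 (active)
  Outbound user priority     : 1 (active)

Interface: Gigabitethernet 3/1/1
  IP address                 : 100::1
  MAC address                : 0010-9400-0004
  User ID                    : 0xffffffff
  VPN instance               : N/A
  Login time                 : May 9 09:00:02 2014
  Type                       : NDRS

QoS:
  User profile               : abc (inactive)
  Session group profile      : N/A
  User group ACL             : acl_guest (inactive)
  Inbound user priority      : 15
  Outbound user priority     : 2 (active)
"""

QOS_FIELDS = ("User profile", "Session group profile", "User group ACL",
              "Inbound user priority", "Outbound user priority")
_STATE = re.compile(r"(?P<name>.+?)\s*\((?P<state>active|inactive)\)")


def parse_verbose(text):
    """Split the output into one dict per subuser record."""
    records, current = [], None
    for raw in text.splitlines():
        # Field names contain no colon, so split on the first one only;
        # values such as 100::1 or 08:56:29 keep their colons.
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "Interface":          # each record starts with this line
            current = {"Interface": value}
            records.append(current)
        elif current is not None and value:   # "QoS:" has no value: skipped
            current[key] = value
    return records


def split_state(value):
    """Return (name, state) for a QoS field value."""
    if value == "N/A":
        return None, "not-authorized"
    m = _STATE.fullmatch(value)
    if m:
        return m.group("name"), m.group("state")
    # A name with no state: the authorization result has not been updated.
    return value, "pending"


def audit(records):
    """List (ip, field, issue) for records that need a closer look."""
    findings = []
    for rec in records:
        who = rec.get("IP address", "?")
        if rec.get("User ID", "").lower() == "0xffffffff":
            findings.append((who, "User ID", "no subuser ID assigned"))
        for field in QOS_FIELDS:
            if field not in rec:
                continue
            name, state = split_state(rec[field])
            if field.endswith("user priority") and name == "15":
                continue                # 15 means no priority is authorized
            if state == "inactive":
                findings.append((who, field, f"{name}: authorized but inactive"))
            elif state == "pending":
                findings.append((who, field, f"{name}: result not updated"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_verbose(SAMPLE)):
        print(finding)
```

An inactive user group ACL or user profile means the policy that AAA authorized is not in effect for that subuser, so these rows are the ones to reconcile against the AAA server.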

display ip subscriber interface-leased user ip-type

Use display ip subscriber interface-leased user ip-type to display interface-leased subuser session information of the specified IP protocol type.

Syntax

In standalone mode:

display ip subscriber interface-leased user ip-type { ipv4 | ipv6 } [ interface interface-type interface-number [ mac mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber interface-leased user ip-type { ipv4 | ipv6 } [ interface interface-type interface-number [ mac mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 interface-leased subusers.

ipv6: Specifies IPv6 interface-leased subusers.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays interface-leased subuser session information for all interfaces.

mac mac-address: Specifies the source MAC address of an interface-leased subuser, in the format of H-H-H.

s-vlan svlan-id: Specifies the service provider VLAN ID of an interface-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an interface-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an interface-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

verbose: Displays detailed session information about interface-leased subusers. If this keyword is not specified, this command displays brief session information about interface-leased subusers.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays interface-leased subuser session information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays interface-leased subuser session information for all cards. (In IRF mode.)

Usage guidelines

This command takes effect only in Layer 2 access mode.

Examples

# Display brief session information about the IPv4 interface-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber interface-leased user ip-type ipv4 interface gigabitethernet 3/1/1

Interface       IP address      MAC address      SVLAN/CVLAN       User ID

GE3/1/1         100.1.1.3       0010-9400-0003     -/-             0x380800b5

Table 10 Command output

| Field | Description |
|---|---|
| Interface | Interface that connects the subuser. |
| IP address | IP address of the subuser. |
| MAC address | MAC address of the subuser. |
| SVLAN/CVLAN | SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part. |
| User ID | Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff. |

 

# (In standalone mode.) Display detailed session information about the IPv4 interface-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber interface-leased user ip-type ipv4 interface gigabitethernet 3/1/1 verbose

Interface: Gigabitethernet 3/1/1

  IP address                  : 100.1.1.3

  MAC address                 : 0010-9400-0003

  User ID                     : 0x380800b5

  VPN instance                : vpn1

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/1

  VPI/VCI(for ATM)            : -/-

  DNS servers                 : N/A

  DHCP lease                  : 86400 sec

  DHCP remain lease           : 86380 sec

  Login time                  : May 9 08:56:29 2014

  Service node                : Slot 3 CPU 0

  Type                        : DHCP

 

QoS:

  User profile                : abc (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

Table 11  Command output

Field

Description

Interface

Interface that connects the subuser.

IP address

IP address of the subuser.

MAC address

MAC address of the subuser.

User ID

Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff.

VPN instance

MPLS L3VPN instance of the subuser. If the subuser is not in a VPN, this field displays N/A.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Interface that connects the subuser.

VPI/VCI(for ATM)

ATM PVC information of the subuser. If the subuser traffic does not have PVC information, this field displays a hyphen (-).

DNS servers

DNS server addresses assigned to the subuser.

·         When the number of the assigned addresses is 0, this field displays N/A, which indicates no DNS server addresses are assigned.

·         When the number of the assigned addresses is 1 or 2, this field displays the actual DNS server addresses.

·         When the number of the assigned addresses is greater than 2, this field displays only the first two DNS server addresses.

DHCP lease

DHCP-authorized IP lease in seconds:

·         N/A—No IP lease is authorized.

·         Unlimited—The IP lease is unlimited.

DHCP remain lease

Remaining DHCP-authorized IP lease in seconds.

Login time

Time when the subuser passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.

Service node

Slot number and CPU number of the card that connects the subuser.

Type

Subuser type:

·         Unclassified-IP—Unclassified-IP subuser.

·         DHCP—DHCP subuser.

·         NDRS—IPv6 ND RS subuser.

QoS

QoS information.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

If the authorization result has not been updated, nothing is displayed.

Inbound user priority

AAA-authorized inbound subuser priority, which can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no inbound subuser priority is authorized.

The inbound subuser priority has the following states:

·         inactive—Inbound subuser priority is not authorized successfully.

·         active—Inbound subuser priority is authorized successfully.

Outbound user priority

AAA-authorized outbound subuser priority, which can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no outbound subuser priority is authorized.

The outbound subuser priority has the following states:

·         inactive—Outbound subuser priority is not authorized successfully.

·         active—Outbound subuser priority is authorized successfully.

 

Related commands

ip subscriber enable

display ip subscriber l2vpn-leased

Use display ip subscriber l2vpn-leased to display L2VPN-leased user session information.

Syntax

In standalone mode:

display ip subscriber l2vpn-leased [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

display ip subscriber l2vpn-leased [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays L2VPN-leased user session information for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays L2VPN-leased user session information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays L2VPN-leased user session information for all cards. (In IRF mode.)

Examples

# (In standalone mode.) Display L2VPN-leased user session information on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber l2vpn-leased interface gigabitethernet 3/1/1

Basic:

  Access interface            : GE3/1/1

  VPN instance                : N/A

  Username                    : a

  User ID                     : 0x30000000

  State                       : Online

  Service node                : Slot 3 CPU 0

  Domain                      : radius

  Login time                  : May 14 20:04:42 2014

  Online time (hh:mm:ss)      : 00:16:37

 

AAA:

  ITA policy name             : ipoe

  IP pool                     : N/A

  IPv6 pool                   : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : N/A

  Max IPv4 multicast addresses: 0

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 0

  IPv6 multicast address list : N/A

 

QoS:

  User profile                : abc (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound user priority       : 1 (active)

  Outbound user priority      : 1 (active)

 

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

 

ITA:

  Acct merge                  : Enabled

  Acct quota-out action       : Offline

  Denied level                : N/A

 

  Level-1 Inbound CAR         : CIR 126976000kbps PIR 126976000kbps (active)

          Outbound CAR        : N/A

          Traffic separate    : Disabled

          Session duration    : N/A, remaining: N/A

          Traffic quota       : N/A

          Traffic remained    : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

  Level-2 Inbound CAR         : N/A

          Outbound CAR        : N/A

          Traffic separate    : Disabled

          Session duration    : N/A, remaining: N/A

          Traffic quota       : N/A

          Traffic remained    : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

Table 12 Command output

Field

Description

Basic

Basic session information.

Access interface

Interface that connects the user.

VPN instance

MPLS L3VPN instance of the user. This field displays N/A for L2VPN-leased users because the users do not support MPLS L3VPN instances.

Username

Username for authentication.

User ID

User ID assigned after the user came online. If no user ID is assigned, this field displays 0xffffffff.

State

User session state:

·         Init—The user is being initiated.

·         Offline—The user is going offline.

·         Auth—The user is being authenticated.

·         AuthFail—The user failed authentication.

·         AuthPass—The user passed authentication.

·         AssignedIP—The user has an IP address.

·         Online—The user is online.

·         Backup—The user is backed up to the local end from the peer end.

Service node

Slot number and CPU number of the card that connects the user.

Domain

ISP domain of the user for authentication.

Login time

Time when the user passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.

Online time (hh:mm:ss)

Online duration of the user.

Failure reason

Reason for failing to issue the session to the driver (this field is displayed only when the session fails to be issued to the driver):

·         Not support—The driver does not support the session.

·         No resource—The hardware resources are insufficient.

·         Unknown—The failure reason is unknown.

AAA

AAA authorization information of IPoE sessions.

ITA policy name

AAA-authorized ITA policy name. If no ITA policy name is authorized, this field displays N/A.

IP pool

AAA-authorized DHCPv4 address pool. If no DHCPv4 address pool is authorized, this field displays N/A.

IP pool group

AAA-authorized DHCPv4 address pool group. This field is displayed only when AAA has authorized a DHCPv4 address pool group and has not authorized a DHCPv4 address pool. This field will not be displayed at the same time as the IP pool field.

IPv6 pool

AAA-authorized DHCPv6 address pool. If no DHCPv6 address pool is authorized, this field displays N/A.

IPv6 pool group

AAA-authorized DHCPv6 address pool group. This field is displayed only when AAA has authorized a DHCPv6 address pool group and has not authorized a DHCPv6 address pool. This field will not be displayed at the same time as the IPv6 pool field.

Primary DNS server

AAA-authorized primary IPv4 DNS server address. If no primary IPv4 DNS server address is authorized, this field displays N/A.

Secondary DNS server

AAA-authorized secondary IPv4 DNS server address. If no secondary IPv4 DNS server address is authorized, this field displays N/A.

Primary IPv6 DNS server

AAA-authorized primary IPv6 DNS server address. If no primary IPv6 DNS server address is authorized, this field displays N/A.

Secondary IPv6 DNS server

AAA-authorized secondary IPv6 DNS server address. If no secondary IPv6 DNS server address is authorized, this field displays N/A.

Session idle cut

Period and traffic threshold for idle cut. If traffic does not reach the threshold in bytes within the period in seconds, the user is logged out. If the user can remain idle without being logged out, this field displays N/A. This field displays N/A for L2VPN-leased users because the users do not support idle cut.

direction

Direction of traffic to be used by idle cut:

·         Both—Inbound and outbound traffic.

·         Inbound—Inbound traffic.

·         Outbound—Outbound traffic.

Session duration

AAA-authorized IPoE session duration in seconds:

·         N/A—No IPoE session duration is authorized.

·         Unlimited—The IPoE session duration is unlimited.

remaining

Remaining AAA-authorized IPoE session duration. If no session duration is authorized, this field displays N/A.

For users on Layer 3 Ethernet interfaces and subinterfaces, this field displays the remaining time or Unlimited.

For users on Layer 3 aggregate interfaces and subinterfaces, this field displays the remaining time or Unlimited only when the slot or interface is specified. If you do not specify the slot or interface, this field displays N/A.

Traffic quota

AAA-authorized traffic in bytes. If no traffic is authorized, this field displays N/A.

Traffic remained

Remaining AAA-authorized traffic in bytes. If no traffic is authorized or the authorized traffic has been used up, this field displays N/A.

Acct start-fail action

Actions to take after accounting fails to start:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Acct update-fail action

Actions to take after accounting fails to update:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Acct quota-out action

Actions to take after the traffic quota is exhausted:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Dual-stack accounting mode

This field displays N/A for L2VPN-leased users because the users do not support dual-stack accounting.

Max IPv4 multicast addresses

Maximum number of AAA-authorized IPv4 multicast groups that a user can join.

IPv4 multicast address list

List of AAA-authorized IPv4 multicast group addresses. If no IPv4 multicast group is authorized, this field displays N/A.

Max IPv6 multicast addresses

Maximum number of AAA-authorized IPv6 multicast groups that a user can join.

IPv6 multicast address list

List of AAA-authorized IPv6 multicast group addresses. If no IPv6 multicast group is authorized, this field displays N/A.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

If the authorization result has not been updated, nothing is displayed.

Inbound CAR

Inbound CIR and PIR in kbps, and CBS in bytes. N/A means that no inbound CAR is authorized.

The inbound CAR has the following states:

·         inactive—Inbound CAR is not authorized successfully.

·         active—Inbound CAR is authorized successfully.

Outbound CAR

Outbound CIR and PIR in kbps, and CBS in bytes:

·         N/A—Outbound CAR is not authorized.

·         inactive—Outbound CAR is not authorized successfully.

·         active—Outbound CAR is authorized successfully.

Inbound user priority

AAA-authorized inbound subuser priority, which can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no inbound subuser priority is authorized.

The inbound subuser priority has the following states:

·         inactive—Inbound subuser priority is not authorized successfully.

·         active—Inbound subuser priority is authorized successfully.

Outbound user priority

AAA-authorized outbound subuser priority, which can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no outbound subuser priority is authorized.

The outbound subuser priority has the following states:

·         inactive—Outbound subuser priority is not authorized successfully.

·         active—Outbound subuser priority is authorized successfully.

Flow statistic

Session flow statistics.

Uplink packets/bytes

This field displays the total number and size of uplink IPv4 packets because L2VPN-leased users do not support dual-stack accounting.

Downlink packets/bytes

This field displays the total number and size of downlink IPv4 packets because L2VPN-leased users do not support dual-stack accounting.

IPv6 uplink packets/bytes

Total number and size of uplink IPv6 packets.

IPv6 downlink packets/bytes

Total number and size of downlink IPv6 packets.

Acct merge

ITA state:

·         Enabled.

·         Disabled.

Denied level

Level of the traffic being denied. If no traffic is denied, this field displays None. Traffic is classified into 8 levels (from 1 to 8).

Level-n Inbound CAR

AAA-authorized uplink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).

Inbound CAR state:

·         active—Inbound CAR is authorized successfully.

·         inactive—Inbound CAR is not authorized successfully.

·         N/A—Inbound CAR is not authorized.

Outbound CAR

AAA-authorized downlink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).

Outbound CAR state:

·         active—Outbound CAR is authorized successfully.

·         inactive—Outbound CAR is not authorized successfully.

·         N/A—Outbound CAR is not authorized.

Traffic separate

State of separating ITA service traffic from the overall traffic for accounting:

·         Enabled

·         Disabled

 

Related commands

ip subscriber enable

display ip subscriber l2vpn-leased statistics

Use display ip subscriber l2vpn-leased statistics to display L2VPN-leased user session statistics.

Syntax

In standalone mode:

display ip subscriber l2vpn-leased statistics [ domain domain-name ] [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

display ip subscriber l2vpn-leased statistics [ domain domain-name ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays L2VPN-leased user session statistics for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays L2VPN-leased user session statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays L2VPN-leased user session statistics for all cards. (In IRF mode.)

Examples

# Display L2VPN-leased user session statistics on the BRAS.

<Sysname> display ip subscriber l2vpn-leased statistics

Total sessions       : 100

Init                 : 0

Authenticating       : 20

Authenticate fail    : 0

Authenticate pass    : 20

Assigned IP          : 10

Online               : 50

Backup               : 0

Table 13 Command output

| Field | Description |
|---|---|
| Total sessions | Total number of sessions on the interface. |
| Init | Number of sessions that were being initiated. |
| Authenticating | Number of sessions being authenticated. |
| Authenticate fail | Number of sessions that failed authentication. |
| Authenticate pass | Number of sessions that passed authentication. |
| Assigned IP | Number of sessions that have IP addresses. |
| Online | Number of online sessions. |
| Backup | Number of sessions whose information was backed up. |

 

Related commands

ip subscriber enable

display ip subscriber offline statistics

Use display ip subscriber offline statistics to display offline statistics for IPoE user sessions.

Syntax

display ip subscriber offline statistics [ bind | web [ pre-auth ] ] [ ip-type { ipv4 | ipv6 } ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

bind: Specifies the bind authentication method.

web: Specifies the Web authentication method and Web MAC authentication method.

pre-auth: Specifies the preauthentication phase that precedes Web authentication. If this keyword is not specified, this command displays offline statistics for IPoE user sessions in both the preauthentication and Web authentication phases.

ip-type: Specifies an IP protocol type. If this keyword is not specified, this command displays offline statistics for IPoE user sessions of all IP protocol types.

ipv4: Specifies the IPv4 IPoE user sessions.

ipv6: Specifies the IPv6 IPoE user sessions.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays offline statistics for IPoE user sessions for all interfaces.

Usage guidelines

Both the Web authentication process and the Web MAC authentication process include two phases: preauthentication and Web authentication.

If you do not specify an authentication method, this command displays offline statistics for IPoE user sessions of all authentication methods.

Examples

# Display offline statistics for IPoE user sessions on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber offline statistics interface gigabitethernet 3/1/1

IP-type               : IPv4

Bind:

  Total sessions      : 100

  User request        : 0

  DHCP lease expire   : 0

  AAA lease expire    : 0

  Command cut         : 80

  AAA terminate       : 0

  Authenticate fail   : 0

  Authorization fail  : 0

  Idle timeout        : 10

  Detect fail         : 10

  Not enough resource : 0

  Interface down      : 0

  Interface shutdown  : 0

  VSRP event          : 0

  DHCP notify         : 0

  User Group notify   : 0

  NAT notify          : 0

  Other               : 0

Web pre-auth:

  Total sessions      : 0

  User request        : 0

  DHCP lease expire   : 0

  AAA lease expire    : 0

  Command cut         : 0

  AAA terminate       : 0

  Authenticate fail   : 0

  Authorization fail  : 0

  Idle timeout        : 0

  Detect fail         : 0

  Not enough resource : 0

  Interface down      : 0

  Interface shutdown  : 0

  VSRP event          : 0

  DHCP notify         : 0

  User Group notify   : 0

  NAT notify          : 0

  Other               : 0

Web:

  Total sessions      : 0

  User request        : 0

  DHCP lease expire   : 0

  AAA lease expire    : 0

  Command cut         : 0

  AAA terminate       : 0

  Authenticate fail   : 0

  Authorization fail  : 0

  Idle timeout        : 0

  Detect fail         : 0

  Not enough resource : 0

  Interface down      : 0

  Interface shutdown  : 0

  VSRP event          : 0

  DHCP notify         : 0

  User Group notify   : 0

  NAT notify          : 0

  Portal notify       : 0

  Other               : 0

 

IP-type               : IPv6

Bind:

  Total sessions      : 100

  User request        : 0

  DHCP lease expire   : 0

  AAA lease expire    : 0

  Command cut         : 80

  AAA terminate       : 0

  Authenticate fail   : 0

  Authorization fail  : 0

  Idle timeout        : 10

  Detect fail         : 10

  Not enough resource : 0

  Interface down      : 0

  Interface shutdown  : 0

  VSRP event          : 0

  DHCP notify         : 0

  User Group notify   : 0

  NAT notify          : 0

  Other               : 0

Web pre-auth:

  Total sessions      : 0

  User request        : 0

  DHCP lease expire   : 0

  AAA lease expire    : 0

  Command cut         : 0

  AAA terminate       : 0

  Authenticate fail   : 0

  Authorization fail  : 0

  Idle timeout        : 0

  Detect fail         : 0

  Not enough resource : 0

  Interface down      : 0

  Interface shutdown  : 0

  VSRP event          : 0

  DHCP notify         : 0

  User Group notify   : 0

  NAT notify          : 0

  Other               : 0

Web:

  Total sessions      : 0

  User request        : 0

  DHCP lease expire   : 0

  AAA lease expire    : 0

  Command cut         : 0

  AAA terminate       : 0

  Authenticate fail   : 0

  Authorization fail  : 0

  Idle timeout        : 0

  Detect fail         : 0

  Not enough resource : 0

  Interface down      : 0

  Interface shutdown  : 0

  VSRP event          : 0

  DHCP notify         : 0

  User Group notify   : 0

  NAT notify          : 0

  Portal notify       : 0

  Other               : 0

Table 14 Command output

| Field | Description |
|---|---|
| IP-type | IP protocol type: IPv4—IPv4 IPoE user sessions; IPv6—IPv6 IPoE user sessions. |
| Bind | Offline statistics for bind authentication. |
| Web pre-auth | Offline statistics in the Web preauthentication phase. |
| Web | Offline statistics in the Web authentication phase. |
| Total sessions | Total number of offline sessions. |
| User request | Number of sessions requesting to go offline. |
| DHCP lease expire | Number of sessions with expired DHCP leases. |
| AAA lease expire | Number of sessions with expired AAA leases. |
| Command cut | Number of sessions logged out by commands. |
| AAA terminate | Number of sessions logged out by AAA. |
| Authenticate fail | Number of sessions that failed authentication. |
| Authorization fail | Number of sessions that failed authorization. |
| Idle timeout | Number of sessions with an expired idle timeout timer. |
| Detect fail | Number of sessions that failed online detection. |
| Not enough resource | Number of sessions with insufficient hardware resources. |
| Interface down | Number of sessions on an interface that went down. |
| Interface shutdown | Number of sessions on an interface that was shut down. |
| VSRP event | Number of sessions disconnected by the VSRP event. This field is not supported in the current software version. |
| DHCP notify | Number of sessions disconnected by DHCP. |
| User Group notify | Number of sessions disconnected by the user group. |
| NAT notify | Number of sessions disconnected by NAT. |
| Portal notify | Number of sessions disconnected by portal. |
| Other | Number of sessions disconnected from the network because of unknown causes. |

 

Related commands

reset ip subscriber offline statistics
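The following added example (not H3C code) parses the `display ip subscriber offline statistics` output described above into per-IP-type, per-phase counters and flags sections worth a closer look. The sample capture is constructed, the ratio thresholds are arbitrary assumptions, and the consistency check assumes each offline session is counted under exactly one reason, as in the sample output where 80 + 10 + 10 = 100.

```python
import re

# Constructed capture in the layout of the example output above; counters are invented.
SAMPLE = """\
<Sysname> display ip subscriber offline statistics interface gigabitethernet 3/1/1
IP-type               : IPv4
Bind:
  Total sessions      : 100
  User request        : 0
  Command cut         : 80
  Authenticate fail   : 0
  Idle timeout        : 10
  Detect fail         : 10
  Other               : 0
Web:
  Total sessions      : 40
  User request        : 5
  Authenticate fail   : 30
  Authorization fail  : 2
  Portal notify       : 3
  Other               : 0

IP-type               : IPv6
Bind:
  Total sessions      : 12
  User request        : 10
  Idle timeout        : 1
  Other               : 0
"""

SECTION = re.compile(r"^(Bind|Web pre-auth|Web):$")
COUNTER = re.compile(r"^([^:]+?)\s*:\s*(\S+)$")


def parse_offline_statistics(text):
    """Return {ip_type: {section: {field: count}}} from the command output."""
    stats, ip_type, section = {}, None, None
    for raw in text.splitlines():
        # Tolerate non-breaking spaces and blank separator lines from copied output.
        line = raw.replace("\xa0", " ").strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            stats.setdefault(ip_type or "unspecified", {})[section] = {}
            continue
        m = COUNTER.match(line)
        if not m:
            continue  # prompt line or anything else that is not "name : value"
        key, value = m.groups()
        if key == "IP-type":
            ip_type, section = value, None
            stats[ip_type] = {}
        elif section is not None and value.isdigit():
            stats[ip_type or "unspecified"][section][key] = int(value)
    return stats


def review(stats, fail_ratio=0.2, cut_ratio=0.5, min_sessions=20):
    """Return (ip_type, section, finding, value) tuples.

    Thresholds are assumptions for this example, not vendor guidance.
    """
    findings = []
    for ip_type, sections in stats.items():
        for section, counters in sections.items():
            total = counters.get("Total sessions", 0)
            by_reason = sum(v for k, v in counters.items() if k != "Total sessions")
            if by_reason != total:
                # Capture may be truncated or a reason line was missed.
                findings.append((ip_type, section, "counter-mismatch", total - by_reason))
            if total < min_sessions:
                continue  # too few sessions for a ratio to mean anything
            failed = counters.get("Authenticate fail", 0) + counters.get("Authorization fail", 0)
            if failed / total >= fail_ratio:
                findings.append((ip_type, section, "auth-failures", failed))
            if counters.get("Command cut", 0) / total >= cut_ratio:
                findings.append((ip_type, section, "command-cut", counters["Command cut"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_offline_statistics(SAMPLE)):
        print(finding)
```

Because the counters accumulate until `reset ip subscriber offline statistics` is run, compare two captures taken at known times rather than reading a single snapshot as a rate.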

display ip subscriber session

Use display ip subscriber session to display IPoE individual session information.

Syntax

In standalone mode:

display ip subscriber session [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ { { domain domain-name | mac mac-address | static | username name | auth-type { bind | web [ pre-auth | mac-auth | mac-trigger ] } } | ip-type { ipv4 | ipv6 | dual-stack } } * | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber session [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ { { domain domain-name | mac mac-address | static | username name | auth-type { bind | web [ pre-auth | mac-auth | mac-trigger ] } } | ip-type { ipv4 | ipv6 | dual-stack } } * | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays IPoE individual session information for all interfaces.

s-vlan svlan-id: Specifies the service provider VLAN ID of an IPoE dynamic individual session. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an IPoE dynamic individual session. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an IPoE individual session. The value range for the vxlan-id argument is 0 to 16777215.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

mac mac-address: Specifies the MAC address of an IPoE individual session, in the format of H-H-H.

static: Specifies IPoE static sessions. If this keyword is not specified, this command displays information about static and dynamic individual sessions.

username name: Specifies a username for authentication, a case-sensitive string of 1 to 255 characters.

auth-type: Specifies an authentication type for IPoE individual users.

bind: Specifies the bind authentication method.

web: Specifies the Web authentication method. If none of the pre-auth, mac-auth, and mac-trigger keywords is specified, this command displays information about all IPoE individual sessions during the Web authentication phase of all Web authentication methods (including common Web authentication, Web MAC authentication, and MAC-trigger authentication).

pre-auth: Specifies the preauthentication phase.

mac-auth: Specifies the Web authentication phase of Web MAC authentication.

mac-trigger: Specifies the Web authentication phase of MAC-trigger authentication.

ip-type: Specifies an IP protocol type for IPoE individual users.

ipv4: Specifies the IPv4 IPoE individual sessions.

ipv6: Specifies the IPv6 IPoE individual sessions.

dual-stack: Specifies the dual-stack IPoE individual sessions.

ip ipv4-address: Specifies the source IPv4 address of an IPoE individual session.

ipv6 ipv6-address: Specifies the source IPv6 address of an IPoE individual session.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays IPoE individual session information on the public network.

verbose: Displays detailed IPoE individual session information. If this keyword is not specified, this command displays brief session information.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays IPoE individual session information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPoE individual session information for all cards. (In IRF mode.)

Examples

# Display brief IPoE individual session information on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber session interface gigabitethernet 3/1/1

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1              1.1.1.1                000d-88f8-0eab D/U   Online

                     1::1                   -/-            -

                     User1

GE3/1/1              1.1.1.2                001d-88f8-0eab D/U   Online

                     1::2                   -/-            -

                     User2

Table 15 Command output

| Field | Description |
|---|---|
| Interface | Interface that connects the user. |
| Username | Username for authentication. |
| IP address | IPv4 address of the user. A hyphen (-) indicates that no IPv4 user is online. |
| IPv6 address | IPv6 address of the user. A hyphen (-) indicates that no IPv6 user is online. For an ND RS user that comes online through prefix authorization by an ND prefix pool, this field displays the IPv6 ND prefix in the brief information and is not displayed in the detailed information. |
| MAC address | MAC address of the user. |
| SVLAN/CVLAN | SVLAN and CVLAN of the user. If the user traffic does not carry an SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part. |
| Type | IPoE user type: D—DHCP user; S—Static individual user; U—Unclassified-IP user; N—IPv6 ND RS user. |
| VXLAN | VXLAN ID of the user. A hyphen (-) indicates that the user has no VXLAN information. |
| State | User session state: Init—The user is being initiated; Offline—The user is going offline; Auth—The user is being authenticated; AuthFail—The user failed authentication; AuthPass—The user passed authentication; AssignedIP—The user has an IP address; Online—The user is online; Backup—The user is backed up to the local end from the peer end. |
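The brief listing prints each session as three lines (interface row, IPv6/VLAN/VXLAN row, username row). The following added example (not H3C code) parses that layout into records, using the Type letters and State values listed above, and reports MAC addresses that appear in more than one session and sessions that are not Online. The listing is constructed, and the parser assumes the continuation rows keep their leading indentation.

```python
import re
from collections import defaultdict

# Type letters and session states as listed in the command output table above.
TYPE_NAMES = {"D": "DHCP", "S": "Static", "U": "Unclassified-IP", "N": "NDRS"}
STATES = {"Init", "Offline", "Auth", "AuthFail", "AuthPass", "AssignedIP", "Online", "Backup"}
MAC = re.compile(r"^[0-9a-f]{1,4}(-[0-9a-f]{1,4}){2}$", re.IGNORECASE)  # H-H-H

# Constructed listing in the layout shown above; addresses use documentation ranges.
SAMPLE = """\
Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS
Interface            IP address             MAC address    Type  State
                     IPv6 address           SVLAN/CVLAN    VXLAN
                     Username
GE3/1/1              192.0.2.10             0000-5e00-5301 D/U   Online
                     2001:db8::10           100/20         -
                     user-a
GE3/1/1              192.0.2.11             0000-5e00-5302 D/D   AuthFail
                     -                      100/21         -
                     user-b
GE3/1/2              192.0.2.12             0000-5e00-5301 S/S   Online
                     2001:db8::12           -/-            5000
                     user-c
"""


def _dash(value):
    """The output uses a hyphen for 'no value'."""
    return None if value == "-" else value


def parse_brief_sessions(text):
    """Return one dict per session from the three-line brief layout."""
    sessions, current, expect = [], None, 0
    for raw in text.splitlines():
        line = raw.replace("\xa0", " ").rstrip()
        if not line.strip():
            continue  # copied output is often double-spaced
        tok = line.split()
        indented = line[0].isspace()
        if not indented and len(tok) == 5 and MAC.match(tok[2]):
            # Row 1: Interface, IP address, MAC address, Type, State.
            current = {
                "interface": tok[0],
                "ip": _dash(tok[1]),
                "mac": tok[2].lower(),
                "types": [TYPE_NAMES.get(t, t) for t in tok[3].split("/")],
                "state": tok[4],
            }
            sessions.append(current)
            expect = 2
        elif indented and expect == 2 and len(tok) == 3:
            # Row 2: IPv6 address, SVLAN/CVLAN, VXLAN.
            svlan, _, cvlan = tok[1].partition("/")
            current.update(ipv6=_dash(tok[0]), svlan=_dash(svlan),
                           cvlan=_dash(cvlan), vxlan=_dash(tok[2]))
            expect = 3
        elif indented and expect == 3:
            # Row 3: Username.
            current["username"] = line.strip()
            expect = 0
        # Legend and column headers match none of the branches and are skipped.
    return sessions


def audit(sessions):
    """Summarise points to review in a parsed listing."""
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[s["mac"]].append(s)
    return {
        "shared_macs": {
            mac: [(s["interface"], s.get("username")) for s in group]
            for mac, group in by_mac.items() if len(group) > 1
        },
        "not_online": [(s.get("username"), s["state"])
                       for s in sessions if s["state"] != "Online"],
        "unknown_states": sorted({s["state"] for s in sessions} - STATES),
    }


if __name__ == "__main__":
    print(audit(parse_brief_sessions(SAMPLE)))
```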

 

# (ITA) (In standalone mode.) Display detailed IPoE individual session information.

<Sysname> display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : abc

  Domain                      : radius

  VPN instance                : vpn1

  IP address                  : 1.1.1.1

  IPv6 address                : 1::1

  User address type           : private-ipv4

  MAC address                 : 000d-88f8-0eab

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/1

  User ID                     : 0x380800b5

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : N/A

  DHCP remain lease           : N/A

  DHCPv6 lease                : N/A

  DHCPv6 remain lease         : N/A

  Access time                 : May 9 08:56:29 2014

  Online time (hh:mm:ss)      : 00:16:37

  Service node                : Slot 3 CPU 0

  Authentication type         : Bind

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : N/A

  IPv6 detect state           : N/A

  State                       : Online

 

AAA:

  ITA policy name             : ipoe

  IP pool                     : N/A

  IPv6 pool                   : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 9 08:56:29 2014

  Subscriber ID               : -

 

QoS:

  User profile                : abc (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)

  Outbound CAR                : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)

  Inbound user priority       : 1 (active)

  Outbound user priority      : 1 (active)

 

NAT:

  Global IP address           : 111.8.0.234

  Port block                  : 1024-1033

  Extended port block         : 2024-2033/3024-3033/4024-4033/5024-5033/6024-6033

 

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

 

ITA:

  Acct merge                  : Disabled

  Acct quota-out action       : Offline

  Denied level                : None

 

  Level-1 Inbound CAR         : CIR 126976000kbps PIR 126976000kbps (active)

          Outbound CAR        : N/A

          Traffic separate    : Disabled

          Session duration    : N/A, remaining: N/A

          Traffic quota       : N/A

          Traffic remained    : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

  Level-2 Inbound CAR         : N/A

          Outbound CAR        : N/A

          Traffic separate    : Disabled

          Session duration    : N/A, remaining: N/A

          Traffic quota       : N/A

          Traffic remained    : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

# (EDSG) (In standalone mode.) Display detailed IPoE individual session information.

<Sysname> display ip subscriber session verbose

Basic:

  Description                 : -

  Username                    : abc

  Domain                      : radius

  VPN instance                : vpn1

  IP address                  : 1.1.1.1

  IPv6 address                : 1::1

  User address type           : private-ipv4

  MAC address                 : 000d-88f8-0eab

  Service-VLAN/Customer-VLAN  : -/-

  Access interface            : GE3/1/1

  User ID                     : 0x380800b5

  VPI/VCI(for ATM)            : -/-

  VSI Index                   : -

  VSI link ID                 : -

  VXLAN ID                    : -

  DNS servers                 : N/A

  IPv6 DNS servers            : N/A

  DHCP lease                  : N/A

  DHCP remain lease           : N/A

  DHCPv6 lease                : N/A

  DHCPv6 remain lease         : N/A

  Access time                 : May 9 08:56:29 2014

  Online time (hh:mm:ss)      : 00:16:37

  Service node                : Slot 3 CPU 0

  Authentication type         : Bind

  IPv4 access type            : DHCP

  IPv6 access type            : DHCP

  IPv4 detect state           : N/A

  IPv6 detect state           : N/A

  State                       : Online

 

AAA:

  ITA policy name             : N/A

  IP pool                     : N/A

  IPv6 pool                   : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : May 9 08:56:29 2014

  Subscriber ID               : -

 

QoS:

  User profile                : abc (active)

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)

  Outbound CAR                : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)

  Inbound user priority       : 1 (active)

  Outbound user priority      : 1 (active)

 

NAT:

  Global IP address           : 111.8.0.234

  Port block                  : 1024-1033

  Extended port block         : 2024-2033/3024-3033/4024-4033/5024-5033/6024-6033

 

Flow statistic:

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

 

Service policy: s2m

  Service ID                  : 1

  Username(EDSG)              : 200.1.1.1

  Service rate-limit mode     : Merge

  Traffic statistics mode     : Separate

  Dual-stack rate limit mode  : Merge

  Session duration            : N/A, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Quota-out action            : Service deactivate

  Priority                    : 0

  Inbound CAR                 : CIR 1000kbps PIR 2000kbps CBS 4100bytes EBS 200bytes (active)

  Outbound CAR                : CIR 1000kbps PIR 2000kbps CBS 4100bytes EBS 200bytes (active)

  Uplink   packets/bytes      : 0/0

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

Table 16 Command output

Field

Description

Basic

Basic session information.

Description

Description of the session. A hyphen (-) indicates that the session has no description.

Username

Username for authentication.

Domain

ISP domain of the user.

VPN instance

MPLS L3VPN instance of the user. If the user is not in a VPN, this field displays N/A.

IP address

IP address of the user. For dynamic individual sessions, this field is displayed for only online IPv4 users. For static individual sessions, this field is displayed depending on the configuration.

IPv6 address

IPv6 address of the user. For dynamic individual sessions, this field is displayed for only online IPv6 users. For static individual sessions, this field is displayed depending on the configuration. For an ND RS user that comes online through prefix authorization by an ND prefix pool, this field displays the IPv6 ND prefix in the brief information and is not displayed in the detailed information.

IPv6 ND Prefix

IPv6 ND prefix of the user. This field is displayed only for an ND RS user that comes online through prefix authorization by an ND prefix pool.

IPv6 PD Prefix

IPv6 prefix binding information. This field is displayed only when DHCPv6 is used to create prefix binding information for the allocated prefix.

User address type

AAA-authorized user address type:

·         private-ds—Private dual-stack address.

·         private-ipv4—Private IPv4 address.

·         public-ds—Public dual-stack address.

·         public-ipv4—Public IPv4 address.

·         ds-lite—Lite dual-stack address.

·         ipv6—IPv6 address.

·         nat64—NAT64 address.

·         N/A—If no IPv4 user address type is authorized, this field displays N/A.

MAC address

MAC address of the user.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of the user. If the user traffic does not carry an SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Interface that connects the user.

User ID

User ID assigned after the user came online. If no user ID is assigned, this field displays 0xffffffff.

VPI/VCI(for ATM)

ATM PVC information of the user. If the user traffic does not have PVC information, this field displays a hyphen (-).

VSI Index

VSI ID.

DNS servers

DNS server addresses assigned to the user.

·         When the number of the assigned addresses is 0, this field displays N/A, which indicates that no DNS server addresses are assigned.

·         When the number of the assigned addresses is 1 or 2, this field displays the actual DNS server addresses.

·         When the number of the assigned addresses is greater than 2, this field displays only the first two DNS server addresses.

IPv6 DNS servers

IPv6 DNS server addresses assigned to the user.

·         When the number of the assigned addresses is 0, this field displays N/A, which indicates that no IPv6 DNS server addresses are assigned.

·         When the number of the assigned addresses is 1 or 2, this field displays the actual IPv6 DNS server addresses.

·         When the number of the assigned addresses is greater than 2, this field displays only the first two IPv6 DNS server addresses.

DHCP lease

DHCPv4-authorized IP lease in seconds:

·         N/A—No IP lease is authorized.

·         Unlimited—The IP lease is unlimited.

DHCP remain lease

Remaining DHCPv4-authorized IP lease in seconds. 

This field is displayed only on the card that connects the user. On other cards, this field displays N/A.

DHCPv6 lease

DHCPv6-authorized IP lease in seconds:

·         N/A—No IP lease is authorized.

·         Unlimited—The IP lease is unlimited.

DHCPv6 remain lease

Remaining DHCPv6-authorized IP lease in seconds.

This field is displayed only on the card that connects the user. On other cards, this field displays N/A.

Access time

Time when a DHCP user obtained the DHCP allocated IP address, or time when a non-DHCP user passed authentication and logged in.

Online time (hh:mm:ss)

Online duration of the user.

Failure reason

Reason for failing to issue the session to the driver (this field is displayed only when the session fails to be issued to the driver):

·         Not support—The driver does not support the session.

·         No resource—The hardware resources are insufficient.

·         Unknown—The failure reason is unknown.

Service node

Slot number and CPU number of the card that connects the user.

Authentication type

Authentication types:

·         Bind—Bind authentication.

·         Web pre-auth—Preauthentication before Web authentication.

·         Web—Common Web authentication.

·         Web mac-auth—Web MAC authentication.

·         Web mac-trigger—MAC-trigger authentication.

IPv4 access type

IPv4 IPoE individual session initiation method:

·         DHCP—DHCP packet initiation.

·         Unclassified-IP—Unclassified-IP packet initiation.

·         Static—Static configuration.

For dynamic individual sessions, this field is displayed for only online IPv4 users. For static individual sessions, this field is always displayed.

IPv6 access type

IPv6 IPoE individual session initiation method:

·         DHCP—DHCP packet initiation.

·         Unclassified-IP—Unclassified-IP packet initiation.

·         Static—Static configuration.

·         NDRS—IPv6 ND RS packet initiation.

For dynamic individual sessions, this field is displayed for only online IPv6 users. For static individual sessions, this field is always displayed.

IPv4 detect state

IPv4 IPoE detection state:

·         Detecting—Detecting.

·         Failed—Detection failed.

·         N/A—Detection is not performed.

For dynamic individual sessions, this field is displayed for only online IPv4 users.

For static individual sessions, this field is always displayed.

IPv6 detect state

IPv6 IPoE detection state:

·         Detecting—Detecting.

·         Failed—Detection failed.

·         N/A—Detection is not performed.

For dynamic individual sessions, this field is displayed for only online IPv6 users.

For static individual sessions, this field is always displayed.

State

User session state:

·         Init—The user is being initiated.

·         Offline—The user is going offline.

·         Auth—The user is being authenticated.

·         AuthFail—The user failed authentication.

·         AuthPass—The user passed authentication.

·         AssignedIP—The user has an IP address.

·         Online—The user is online.

·         Backup—The user is backed up to the local end from the peer end.

AAA

AAA authorization information.

ITA policy name

AAA-authorized ITA policy name. If no ITA policy name is authorized, this field displays N/A.

IP pool

AAA-authorized DHCPv4 address pool. If no DHCPv4 address pool is authorized, this field displays N/A.

IP pool group

AAA-authorized DHCPv4 address pool group. This field is displayed only when AAA has authorized a DHCPv4 address pool group and has not authorized a DHCPv4 address pool. This field will not be displayed at the same time as the IP pool field.

IPv6 pool

AAA-authorized DHCPv6 address pool. If no DHCPv6 address pool is authorized, this field displays N/A.

IPv6 pool group

AAA-authorized DHCPv6 address pool group. This field is displayed only when AAA has authorized a DHCPv6 address pool group and has not authorized a DHCPv6 address pool. This field will not be displayed at the same time as the IPv6 pool field.

Primary DNS server

AAA-authorized primary IPv4 DNS server address. If no primary IPv4 DNS server address is authorized, this field displays N/A.

Secondary DNS server

AAA-authorized secondary IPv4 DNS server address. If no secondary IPv4 DNS server address is authorized, this field displays N/A.

Primary IPv6 DNS server

AAA-authorized primary IPv6 DNS server address. If no primary IPv6 DNS server address is authorized, this field displays N/A.

Secondary IPv6 DNS server

AAA-authorized secondary IPv6 DNS server address. If no secondary IPv6 DNS server address is authorized, this field displays N/A.

Session idle cut

Period and traffic threshold for idle cut. If traffic does not reach the threshold in bytes within the period in seconds, the user is logged out. If the user can remain idle without being logged out, this field displays N/A.

direction

Direction of traffic to be used by idle cut:

·         Both—Inbound and outbound traffic.

·         Inbound—Inbound traffic.

·         Outbound—Outbound traffic.

Session duration

AAA-authorized IPoE session duration in seconds:

·         N/A—No IPoE session duration is authorized.

·         Unlimited—The IPoE session duration is unlimited.

remaining

Remaining AAA-authorized IPoE session duration. If no session duration is authorized, this field displays N/A.

For users on Layer 3 Ethernet interfaces and subinterfaces, this field displays the remaining time or Unlimited.

For users on Layer 3 aggregate interfaces and subinterfaces, this field displays the remaining time or Unlimited only when the slot or interface is specified. If you do not specify the slot or interface, this field displays N/A.

Traffic quota

AAA-authorized traffic in bytes. If no traffic is authorized, this field displays N/A.

Traffic remained

Remaining AAA-authorized traffic in bytes. If no traffic is authorized or the authorized traffic has been used up, this field displays N/A.

Acct start-fail action

Actions to take after accounting fails to start:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Acct update-fail action

Actions to take after accounting fails to update:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Acct quota-out action

Actions to take after the traffic quota is exhausted:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Dual-stack accounting mode

Accounting mode of dual-stack users:

·         Merge—Reports the IPv4 and IPv6 traffic of dual-stack users as a whole to the accounting server.

·         Separate—Reports the IPv4 and IPv6 traffic of dual-stack users to the accounting server separately.

·         N/A—No dual-stack accounting mode is authorized.

Max IPv4 multicast addresses

Maximum number of AAA-authorized IPv4 multicast groups that a user can join.

IPv4 multicast address list

List of AAA-authorized IPv4 multicast group addresses. If no IPv4 multicast group is authorized, this field displays N/A.

Max IPv6 multicast addresses

Maximum number of AAA-authorized IPv6 multicast groups that a user can join.

IPv6 multicast address list

List of AAA-authorized IPv6 multicast group addresses. If no IPv6 multicast group is authorized, this field displays N/A.

Accounting start time

Time when the accounting starts.

Redirect URL

This field is displayed only for Web authentication. If no URL is authorized or users cannot be redirected to the authorized URL, this field displays N/A.

·         In the Web preauthentication phase, this field indicates the authorized Web server URL.

·         In the Web authentication phase, this field indicates the authorized redirect URL, which pushes a Web page to users. For example, the redirect URL can push an advertisement or notification page to a user that accesses the network for the first time after passing authentication.

Subscriber ID

Subscriber ID authorized to the user. If no subscriber ID is authorized, this field displays a hyphen (-).

QoS

QoS information.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

If the authorization result has not been updated, nothing is displayed.

Inbound CAR

Inbound CIR and PIR in kbps, and CBS in bytes. N/A means that no inbound CAR is authorized.

The inbound CAR has the following states:

·         inactive—Inbound CAR is not authorized successfully.

·         active—Inbound CAR is authorized successfully.

Outbound CAR

Outbound CIR and PIR in kbps, and CBS in bytes. N/A means that no outbound CAR is authorized.

The outbound CAR has the following states:

·         inactive—Outbound CAR is not authorized successfully.

·         active—Outbound CAR is authorized successfully.

Inbound user priority

AAA-authorized inbound user priority, which can be a number in the range of 0 to 7, the value 15, or N/A. N/A or 15 means that no inbound user priority is authorized.

The inbound user priority has the following states:

·         inactive—Inbound user priority is not authorized successfully.

·         active—Inbound user priority is authorized successfully.

Outbound user priority

AAA-authorized outbound user priority, which can be a number in the range of 0 to 7, the value 15, or N/A. N/A or 15 means that no outbound user priority is authorized.

The outbound user priority has the following states:

·         inactive—Outbound user priority is not authorized successfully.

·         active—Outbound user priority is authorized successfully.

NAT

Session NAT information. This field is available only for IPoE-NAT collaboration.

Global IP address

Public network IP address.

Port block

Port block in the format of start port number-end port number.

Extended port block

Extended port block, which contains multiple port blocks in the format of start port number-end port number. These port blocks are separated by using slashes (/). This field is displayed only when dynamic port block mapping is used and extended port blocks are configured.

Flow statistic

Session flow statistics.

Uplink packets/bytes

Total number and size of uplink packets. This field displays the total number and size of uplink IPv4 and IPv6 packets in Merge accounting mode. Otherwise, this field displays the total number and size of uplink IPv4 packets.

Downlink packets/bytes

Total number and size of downlink packets. This field displays the total number and size of downlink IPv4 and IPv6 packets in Merge accounting mode. Otherwise, this field displays the total number and size of downlink IPv4 packets.

IPv6 uplink packets/bytes

Total number and size of uplink IPv6 packets.

IPv6 downlink packets/bytes

Total number and size of downlink IPv6 packets.

ITA

ITA information.

Acct merge

ITA state:

·         Enabled.

·         Disabled.

Denied level

Level of the traffic being denied. If no traffic is denied, this field displays None. Traffic is classified into 8 levels (from 1 to 8).

Level-n Inbound CAR

AAA-authorized uplink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).

Inbound CAR state:

·         active—Inbound CAR is authorized successfully.

·         inactive—Inbound CAR is not authorized successfully.

·         N/A—Inbound CAR is not authorized.

Outbound CAR

AAA-authorized downlink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).

Outbound CAR state:

·         active—Outbound CAR is authorized successfully.

·         inactive—Outbound CAR is not authorized successfully.

·         N/A—Outbound CAR is not authorized.

Traffic separate

State of separating ITA service traffic from the overall traffic for accounting:

·         Enabled

·         Disabled

Service policy

Name of the EDSG service policy.

Service ID

ID of the EDSG service policy.

Username (EDSG)

Username for EDSG service authentication.

Service rate-limit mode

Traffic rate limit mode of the EDSG service:

·         Merge—Performs rate limit on EDSG service traffic and common service traffic, and preferentially forwards the EDSG service.

·         Separate—Performs rate limit on EDSG service traffic independently without affecting the bandwidth of common service traffic.

Traffic statistics mode

Traffic statistics mode of the EDSG service:

·         Merge—Counts EDSG service traffic and common service traffic as a whole in the total user traffic.

·         Separate—Counts EDSG service traffic and common service traffic separately, and excludes EDSG service traffic in the total user traffic.

Dual-stack rate limit mode

Traffic rate limit mode of the EDSG dual-stack service:

·         Merge—Merges IPv4 traffic and IPv6 traffic and performs rate limit on them as a whole.

·         Separate—Performs rate limit on IPv4 traffic and IPv6 traffic separately.

Session duration

AAA-authorized EDSG session duration in seconds:

·         N/A—No EDSG session duration is authorized.

·         Unlimited—The EDSG session duration is unlimited.

Quota-out action

Actions to take after the traffic quota is exhausted:

·         Service deactivate—Deactivates the service. Only this action is supported in the current software version.

·         Redirect—Redirects packets.

·         Flow drop—Drops packets.

·         Flow forward—Forwards packets.

Priority

EDSG service priority in the range of 0 to 7. The bigger the number, the higher the priority. In the current software version, the EDSG service priority is fixed at 0.
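The state suffixes and accounting fail actions described in the table above can be checked mechanically across many sessions. The following is an added example, not H3C code: it parses session detail output in the Basic/AAA/QoS layout this reference uses and reports authorization items that are inactive and accounting actions that keep a user online after a failure. The sample text, the names sgp1 and acl-a, the "name (state)" layout for User group ACL, the finding labels, and the choice to treat Online fail actions as findings are assumptions.

```python
import re

# Constructed sample (values invented), laid out like the session detail
# output in this reference: section headers at column 0, "field : value" below.
SAMPLE_SESSIONS = """\
Basic:
  Access interface              : GE3/1/1
  Username                      : a
  User ID                       : 0x30060001
  State                         : Online
  Online time (hh:mm:ss)        : 00:16:37
AAA:
  Session duration              : N/A, remaining: N/A
  Acct start-fail action        : Online
  Acct update-fail action       : Online
  Acct quota-out action         : Offline
QoS:
  User profile                  : cc (active)
  Session group profile         : N/A
  User group ACL                : N/A
  Inbound CAR                   : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)
  Outbound CAR                  : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)
Basic:
  Access interface              : GE3/1/1
  Username                      : b
  User ID                       : 0x30040002
  State                         : Online
AAA:
  Acct start-fail action        : Offline
  Acct update-fail action       : Offline
  Acct quota-out action         : Offline
QoS:
  User profile                  : cc (inactive)
  Session group profile         : sgp1
  User group ACL                : acl-a (inactive)
  Inbound CAR                   : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)
  Outbound CAR                  : N/A
  Inbound user priority         : 15
"""

STATE_RE = re.compile(r"^(?P<value>.+?)\s*\((?P<state>active|inactive)\)$")
QOS_FIELDS = ("User profile", "Session group profile", "User group ACL",
              "Inbound CAR", "Outbound CAR",
              "Inbound user priority", "Outbound user priority")
ACCT_FAIL_FIELDS = ("Acct start-fail action", "Acct update-fail action")


def parse_sessions(text):
    """Return one {section: {field: value}} dict per session ("Basic:" starts one)."""
    sessions, current, section = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue  # the display output separates blocks with blank lines
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            section = raw.rstrip()[:-1]
            if section == "Basic":
                current = {}
                sessions.append(current)
            if current is not None:
                current.setdefault(section, {})
            continue
        # Split on the padded separator only, so "hh:mm:ss" and
        # "remaining: N/A" stay inside the key or the value.
        parts = re.split(r"\s+:\s+", raw.strip(), maxsplit=1)
        if current is None or section is None or len(parts) != 2:
            continue
        current[section].setdefault(parts[0], parts[1])
    return sessions


def audit_session(session):
    """Return (user_id, field, issue) tuples for one parsed session."""
    user_id = session.get("Basic", {}).get("User ID", "unknown")
    findings = []
    qos = session.get("QoS", {})
    for field in QOS_FIELDS:
        value = qos.get(field)
        if value is None or value == "N/A":
            continue  # nothing authorized for this item
        if field.endswith("user priority") and value.split()[0] == "15":
            continue  # 15 also means that no priority is authorized
        match = STATE_RE.match(value)
        if match is None:
            # No state suffix shown; reported so it is not silently trusted.
            findings.append((user_id, field, "state-missing"))
        elif match["state"] == "inactive":
            findings.append((user_id, field, "inactive"))
    aaa = session.get("AAA", {})
    for field in ACCT_FAIL_FIELDS:
        if aaa.get(field) == "Online":
            # Assumed policy: a user kept online after accounting fails is a finding.
            findings.append((user_id, field, "fail-open"))
    return findings


def audit_output(text):
    return [f for s in parse_sessions(text) for f in audit_session(s)]


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_SESSIONS):
        print(finding)
```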

 

Related commands

ip subscriber session

display ip subscriber session statistics

Use display ip subscriber session statistics to display IPoE individual session statistics.

Syntax

In standalone mode:

display ip subscriber session statistics [ bind [ session-type { dhcp | dhcpv6 | ndrs | static | unclassified-ip | unclassified-ipv6 } ] | web [ pre-auth | mac-auth | mac-trigger ] ] [ domain domain-name ] [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ slot slot-number ]

In IRF mode:

display ip subscriber session statistics [ bind [ session-type { dhcp | dhcpv6 | ndrs | static | unclassified-ip | unclassified-ipv6 } ] | web [ pre-auth | mac-auth | mac-trigger ] ] [ domain domain-name ] [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

bind: Specifies the bind authentication method.

session-type: Specifies a user type. If you do not specify a user type, this command displays session statistics for all types of IPoE individual sessions.

dhcp: Specifies DHCPv4 users.

dhcpv6: Specifies DHCPv6 users.

ndrs: Specifies IPv6 ND RS users.

static: Specifies static users.

unclassified-ip: Specifies unclassified-IPv4 users.

unclassified-ipv6: Specifies unclassified-IPv6 users.

web: Specifies the Web authentication method. If none of the pre-auth, mac-auth, and mac-trigger keywords is specified, this command displays all IPoE individual session statistics during the preauthentication phase or Web authentication phase of all Web authentication methods (including common Web authentication, Web MAC authentication, and MAC-trigger authentication).

pre-auth: Specifies the preauthentication phase.

mac-auth: Specifies the Web authentication phase of Web MAC authentication.

mac-trigger: Specifies the Web authentication phase of MAC-trigger authentication.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays IPoE individual session statistics for all interfaces.

s-vlan svlan-id: Specifies the service provider VLAN ID of an IPoE dynamic individual session. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an IPoE dynamic individual session. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an IPoE individual session. The value range for the vxlan-id argument is 0 to 16777215.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays IPoE individual session statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPoE individual session statistics for all cards. (In IRF mode.)

Usage guidelines

Both the Web authentication process and Web MAC authentication process include two phases: preauthentication and Web authentication.

If you do not specify an authentication method, this command displays IPoE individual session statistics for all authentication methods.

Examples

# Display IPoE individual session statistics on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber session statistics interface gigabitethernet 3/1/1

Total sessions         : 100

Bind:

  Init                 : 0

  Authenticating       : 20

  Authenticate fail    : 0

  Authenticate pass    : 20

  Assigned IP          : 10

  Online               : 50

  Backup               : 0

Web pre-auth:

  Init                 : 0

  Authenticating       : 0

  Authenticate fail    : 0

  Authenticate pass    : 0

  Assigned IP          : 0

  Online               : 0

  Backup               : 0

Web:

  Init                 : 0

  Authenticating       : 0

  Authenticate fail    : 0

  Authenticate pass    : 0

  Assigned IP          : 0

  Online               : 0

  Backup               : 0

# Display IPoE individual session statistics during the Web authentication phase of Web MAC authentication.

<Sysname> display ip subscriber session statistics web mac-auth

Total sessions         : 100

Web mac-auth:

  Init                 : 0

  Authenticating       : 20

  Authenticate fail    : 0

  Authenticate pass    : 20

  Assigned IP          : 10

  Online               : 50

  Backup               : 0

# Display IPoE individual session statistics during the Web authentication phase of MAC-trigger authentication.

<Sysname> display ip subscriber session statistics web mac-trigger

Total sessions         : 100

Web mac-trigger:

  Init                 : 0

  Authenticating       : 20

  Authenticate fail    : 0

  Authenticate pass    : 20

  Assigned IP          : 10

  Online               : 50

  Backup               : 0

Table 17 Command output

Field

Description

Total sessions

Total number of individual sessions on the interface.

Bind

Individual session statistics for bind authentication.

Web pre-auth

Individual session statistics in the Web preauthentication phase.

Web

Individual session statistics in the Web authentication phase of all Web authentication methods.

Web mac-auth

Individual session statistics in the Web authentication phase of Web MAC authentication.

Web mac-trigger

Individual session statistics in the Web authentication phase of MAC-trigger authentication.

Init

Number of individual sessions being initiated.

Authenticating

Number of individual sessions being authenticated.

Authenticate fail

Number of individual sessions that failed authentication.

Authenticate pass

Number of individual sessions that passed authentication.

Assigned IP

Number of individual sessions that have IP addresses.

Online

Number of online individual sessions.

Backup

Number of individual sessions whose information was backed up.
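The per-state counters in Table 17 are useful for spotting authentication trouble on an access interface, such as many sessions in Authenticate fail or stuck in Authenticating. The following is an added example, not H3C code: it parses the command output into per-method counters and flags methods whose failed or pending share exceeds a threshold. The sample text, the threshold values, and the finding labels are assumptions, and the check that the state counts add up to Total sessions is inferred from the sample output on this page.

```python
import re

# Constructed sample in the layout of the examples above (values invented).
SAMPLE_STATS = """\
<Sysname> display ip subscriber session statistics interface gigabitethernet 3/1/1
Total sessions         : 140
Bind:
  Init                 : 0
  Authenticating       : 20
  Authenticate fail    : 0
  Authenticate pass    : 20
  Assigned IP          : 10
  Online               : 50
  Backup               : 0
Web pre-auth:
  Init                 : 2
  Authenticating       : 1
  Authenticate fail    : 12
  Authenticate pass    : 0
  Assigned IP          : 5
  Online               : 20
  Backup               : 0
Web:
  Init                 : 0
  Authenticating       : 0
  Authenticate fail    : 0
  Authenticate pass    : 0
  Assigned IP          : 0
  Online               : 0
  Backup               : 0
"""

TOTAL_RE = re.compile(r"^Total sessions\s*:\s*(?P<value>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\d+)\s*$")


def parse_session_statistics(text):
    """Return {"total": int, "sections": {method: {state: count}}}."""
    total, sections, current = None, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between output lines
        match = TOTAL_RE.match(line)
        if match:
            total = int(match["value"])
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match["name"], {})
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            current[match["name"]] = int(match["value"])
    if total is None:
        raise ValueError("no 'Total sessions' line found")
    return {"total": total, "sections": sections}


def sum_of_states(stats):
    """Sum every state counter; compare with stats['total'] as a parse sanity check."""
    return sum(sum(counts.values()) for counts in stats["sections"].values())


def flag_sections(stats, fail_share=0.10, pending_share=0.30):
    """Return (method, issue, share) for methods above the assumed thresholds."""
    findings = []
    for name, counts in stats["sections"].items():
        population = sum(counts.values())
        if population == 0:
            continue  # no sessions use this method; nothing to rate
        fail = counts.get("Authenticate fail", 0) / population
        pending = counts.get("Authenticating", 0) / population
        if fail > fail_share:
            findings.append((name, "auth-fail", round(fail, 3)))
        if pending > pending_share:
            findings.append((name, "auth-pending", round(pending, 3)))
    return findings


if __name__ == "__main__":
    parsed = parse_session_statistics(SAMPLE_STATS)
    print(parsed["total"], sum_of_states(parsed), flag_sections(parsed))
```

The counters are a snapshot of sessions currently in each state, so trends come from polling the command at intervals and comparing the results.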

 

Related commands

reset ip subscriber session

display ip subscriber session statistics ip-type

Use display ip subscriber session statistics ip-type to display IPoE individual session statistics of the specified IP protocol type.

Syntax

In standalone mode:

display ip subscriber session statistics ip-type { ipv4 | ipv6 | dual-stack } [ bind | web [ pre-auth | mac-auth | mac-trigger ] ] [ domain domain-name ] [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ slot slot-number ]

In IRF mode:

display ip subscriber session statistics ip-type { ipv4 | ipv6 | dual-stack } [ bind | web [ pre-auth | mac-auth | mac-trigger ] ] [ domain domain-name ] [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 IPoE individual session statistics.

ipv6: Displays IPv6 IPoE individual session statistics.

dual-stack: Displays dual-stack IPoE individual session statistics.

bind: Specifies the bind authentication method.

web: Specifies the Web authentication method. If none of the pre-auth, mac-auth, and mac-trigger keywords is specified, this command displays all IPoE individual session statistics during the preauthentication phase or Web authentication phase of all Web authentication methods (including common Web authentication, Web MAC authentication, and MAC-trigger authentication).

pre-auth: Specifies the preauthentication phase.

mac-auth: Specifies the Web authentication phase of Web MAC authentication.

mac-trigger: Specifies the Web authentication phase of MAC-trigger authentication.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays IPoE individual session statistics for all interfaces.

s-vlan svlan-id: Specifies the service provider VLAN ID of an IPoE dynamic individual session. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an IPoE dynamic individual session. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an IPoE individual session. The value range for the vxlan-id argument is 0 to 16777215.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays IPoE individual session statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPoE individual session statistics for all cards. (In IRF mode.)

Examples

# Display IPv4 IPoE individual session statistics on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber session statistics ip-type ipv4 interface gigabitethernet 3/1/1

Total sessions           : 100

Bind:

  Init                   : 0

  Authenticating         : 20

  Authenticate fail      : 0

  Authenticate pass      : 20

  Assigned IP            : 10

  Online                 : 50

  Backup                 : 0

Web pre-auth:

  Init                   : 0

  Authenticating         : 0

  Authenticate fail      : 0

  Authenticate pass      : 0

  Assigned IP            : 0

  Online                 : 0

  Backup                 : 0

Web:

  Init                   : 0

  Authenticating         : 0

  Authenticate fail      : 0

  Authenticate pass      : 0

  Assigned IP            : 0

  Online                 : 0

  Backup                 : 0

# Display IPv4 IPoE individual session statistics during the Web authentication phase of Web MAC authentication.

<Sysname> display ip subscriber session statistics ip-type ipv4 web mac-auth

Total sessions         : 100

Web mac-auth:

  Init                 : 0

  Authenticating       : 20

  Authenticate fail    : 0

  Authenticate pass    : 20

  Assigned IP          : 10

  Online               : 50

  Backup               : 0

# Display IPv4 IPoE individual session statistics during the Web authentication phase of MAC-trigger authentication.

<Sysname> display ip subscriber session statistics ip-type ipv4 web mac-trigger

Total sessions         : 100

Web mac-trigger:

  Init                 : 0

  Authenticating       : 20

  Authenticate fail    : 0

  Authenticate pass    : 20

  Assigned IP          : 10

  Online               : 50

  Backup               : 0

Table 18 Command output

Field

Description

Total sessions

Total number of individual sessions on the interface.

Bind

Individual session statistics for bind authentication.

Web pre-auth

Individual session statistics in the Web preauthentication phase.

Web

Individual session statistics in the Web authentication phase of all Web authentication methods.

Web mac-auth

Individual session statistics in the Web authentication phase of Web MAC authentication.

Web mac-trigger

Individual session statistics in the Web authentication phase of MAC-trigger authentication.

Init

Number of individual sessions being initiated.

Authenticating

Number of individual sessions being authenticated.

Authenticate fail

Number of individual sessions that failed authentication.

Authenticate pass

Number of individual sessions that passed authentication.

Assigned IP

Number of individual sessions that have IP addresses.

Online

Number of online individual sessions.

Backup

Number of individual sessions whose information was backed up.

 

Related commands

reset ip subscriber session ip-type

display ip subscriber subnet-leased

Use display ip subscriber subnet-leased to display IPoE subnet-leased user session information.

Syntax

In standalone mode:

display ip subscriber subnet-leased [ interface interface-type interface-number ] [ ip ipv4-address mask-length | ipv6 ipv6-address prefix-length | ip-type { ipv4 | ipv6 } ] [ slot slot-number ]

In IRF mode:

display ip subscriber subnet-leased [ interface interface-type interface-number ] [ ip ipv4-address mask-length | ipv6 ipv6-address prefix-length | ip-type { ipv4 | ipv6 } ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

ip ipv4-address mask-length: Specifies an IPv4 subnet by an IPv4 address and a mask length in the range of 1 to 31.

ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet by an IPv6 address and a prefix length in the range of 1 to 127.

ip-type: Specifies an IP protocol type.

ipv4: Specifies the IPv4 IPoE subnet-leased users.

ipv6: Specifies the IPv6 IPoE subnet-leased users.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Examples

# (In standalone mode.) Display IPoE subnet-leased user session information on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber subnet-leased interface gigabitethernet 3/1/1

Basic:

  Access interface              : GE3/1/1

  VPN instance                  : N/A

  Username                      : a

  Network                       : 11.11.11.0/24

  User ID                       : 0x30060001

  State                         : Online

  Service node                  : Slot 3 CPU 0

  Domain                        : radius

  Login time                    : May 14 20:08:35 2014

  Online time (hh:mm:ss)        : 00:16:37

  IPv4 total users              : 10

 

AAA:

  ITA policy name               : ipoe

  IP pool                       : N/A

  Primary DNS server            : N/A

  Secondary DNS server          : N/A

  Session idle cut              : N/A

  Session duration              : N/A, remaining: N/A

  Traffic quota                 : N/A

  Traffic remained              : N/A

  Acct start-fail action        : Online

  Acct update-fail action       : Online

  Acct quota-out action         : Offline

  Dual-stack accounting mode    : N/A

  Max IPv4 multicast addresses  : 4

  IPv4 multicast address list   : N/A

 

QoS:

  User profile                  : cc (active)

  Session group profile         : N/A

  User group ACL                : N/A

  Inbound CAR                   : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)

  Outbound CAR                  : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)

  Inbound user priority         : 1 (active)

  Outbound user priority        : 1 (active)

 

Flow statistic:

  Uplink   packets/bytes        : 0/0

  Downlink packets/bytes        : 0/0

 

ITA:

  Acct merge                    : Enabled

  Acct quota-out action         : Offline

  Denied level                  : None

 

  Level-1 Inbound CAR           : CIR 126976000kbps PIR 126976000kbps (active)

          Outbound CAR          : N/A

          Traffic separate      : Disabled

          Session duration      : N/A, remaining: N/A

          Traffic quota         : N/A

          Traffic remained      : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

  Level-2 Inbound CAR           : N/A

          Outbound CAR          : N/A

          Traffic separate      : Disabled

          Session duration      : N/A, remaining: N/A

          Traffic quota         : N/A

          Traffic remained      : N/A

          Uplink   packets/bytes      : 0/0

          Downlink packets/bytes      : 0/0

 

Basic:

  Access interface              : GE3/1/1

  VPN instance                  : N/A

  Username                      : a

  Network                       : 11::/64

  User ID                       : 0x30040002

  State                         : Online

  Service node                  : Slot 3 CPU 0

  Domain                        : radius

  Login time                    : May 14 20:08:35 2014

  Online time (hh:mm:ss)        : 00:16:37

  IPv6 total users              : 10

 

AAA:

  ITA policy name               : ipoe

  IPv6 pool                     : N/A

  Primary IPv6 DNS server       : N/A

  Secondary IPv6 DNS server     : N/A

  Session idle cut              : N/A

  Session duration              : N/A, remaining: N/A

  Traffic quota                 : N/A

  Traffic remained              : N/A

  Acct start-fail action        : Online

  Acct update-fail action       : Online

  Acct quota-out action         : Offline

  Dual-stack accounting mode    : N/A

  Max IPv6 multicast addresses  : 4

  IPv6 multicast address list   : N/A

 

QoS:

  User profile                  : cc (active)

  Session group profile         : N/A

  User group ACL                : N/A

  Inbound CAR                   : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)

  Outbound CAR                  : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)

  Inbound user priority         : 1 (active)

  Outbound user priority        : 1 (active)

 

Flow statistic:

  IPv6 uplink   packets/bytes   : 0/0

  IPv6 downlink packets/bytes   : 0/0

 

ITA:

  Acct merge                    : Enabled

  Acct quota-out action         : Offline

  Denied level                  : None

 

  Level-1 Inbound CAR           : CIR 126976000kbps PIR 126976000kbps (active)

          Outbound CAR          : N/A

          Traffic separate      : Disabled

          Session duration      : N/A, remaining: N/A

          Traffic quota         : N/A

          Traffic remained      : N/A

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

  Level-2 Inbound CAR           : N/A

          Outbound CAR          : N/A

          Traffic separate      : Disabled

          Session duration      : N/A, remaining: N/A

          Traffic quota          : N/A

          Traffic remained      : N/A

          IPv6 uplink   packets/bytes : 0/0

          IPv6 downlink packets/bytes : 0/0

Table 19 Command output

Field

Description

Basic

Basic session information.

Access interface

Interface that connects the user.

VPN instance

MPLS L3VPN instance of the user. If the user is not in a VPN, this field displays N/A.

Username

Username for authentication.

Network

Subnet of the user.

User ID

User ID assigned after the user came online. If no user ID is assigned, this field displays 0xffffffff.

State

User session state:

·         Init—The user is being initiated.

·         Offline—The user is going offline.

·         Auth—The user is being authenticated.

·         AuthFail—The user failed authentication.

·         AuthPass—The user passed authentication.

·         AssignedIP—The user has an IP address.

·         Online—The user is online.

·         Backup—The user is backed up to the local end from the peer end.

Service node

Slot number and CPU number of the card that connects the user.

Domain

ISP domain of the user.

Login time

Time when the user passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.

Online time (hh:mm:ss)

Online duration of the user.

IPv4 total users

Total number of IPv4 subnet-leased subusers.

IPv6 total users

Total number of IPv6 subnet-leased subusers.

Failure reason

Reason for failing to issue the session to the driver (this field is displayed only when the session fails to be issued to the driver):

·         Not support—The driver does not support the session.

·         No resource—The hardware resources are insufficient.

·         Unknown—The failure reason is unknown.

AAA

AAA authorization information.

ITA policy name

AAA-authorized ITA policy name. If no ITA policy name is authorized, this field displays N/A.

IP pool

AAA-authorized DHCPv4 address pool. If no DHCPv4 address pool is authorized, this field displays N/A.

IP pool group

AAA-authorized DHCPv4 address pool group. This field is displayed only when AAA has authorized a DHCPv4 address pool group and has not authorized a DHCPv4 address pool. This field will not be displayed at the same time as the IP pool field.

IPv6 pool

AAA-authorized DHCPv6 address pool. If no DHCPv6 address pool is authorized, this field displays N/A.

IPv6 pool group

AAA-authorized DHCPv6 address pool group. This field is displayed only when AAA has authorized a DHCPv6 address pool group and has not authorized a DHCPv6 address pool. This field will not be displayed at the same time as the IPv6 pool field.

Primary DNS server

AAA-authorized primary IPv4 DNS server address. If no primary IPv4 DNS server address is authorized, this field displays N/A.

Secondary DNS server

AAA-authorized secondary IPv4 DNS server address. If no secondary IPv4 DNS server address is authorized, this field displays N/A.

Primary IPv6 DNS server

AAA-authorized primary IPv6 DNS server address. If no primary IPv6 DNS server address is authorized, this field displays N/A.

Secondary IPv6 DNS server

AAA-authorized secondary IPv6 DNS server address. If no secondary IPv6 DNS server address is authorized, this field displays N/A.

Session idle cut

Period and traffic threshold for idle cut. If traffic does not reach the threshold in bytes within the period in seconds, the user is logged out. If the user can remain idle without being logged out, this field displays N/A.

direction

Direction of traffic to be used by idle cut:

·         Both—Inbound and outbound traffic.

·         Inbound—Inbound traffic.

·         Outbound—Outbound traffic.

Session duration

AAA-authorized IPoE session duration in seconds:

·         N/A—No IPoE session duration is authorized.

·         Unlimited—The IPoE session duration is unlimited.

remaining

Remaining AAA-authorized IPoE session duration. If no session duration is authorized, this field displays N/A.

For users on Layer 3 Ethernet interfaces and subinterfaces, this field displays the remaining time or Unlimited.

For users on Layer 3 aggregate interfaces and subinterfaces, this field displays the remaining time or Unlimited only when the slot or interface is specified. If you do not specify the slot or interface, this field displays N/A.

Traffic quota

AAA-authorized traffic in bytes. If no traffic is authorized, this field displays N/A.

Traffic remained

Remaining AAA-authorized traffic in bytes. If no traffic is authorized or the authorized traffic has been used up, this field displays N/A.

Acct start-fail action

Actions to take after accounting fails to start:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Acct update-fail action

Actions to take after accounting fails to update:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Acct quota-out action

Actions to take after the traffic quota is exhausted:

·         Online—Keeps the user online.

·         Offline—Forces the user offline.

Dual-stack accounting mode

This field displays N/A for subnet-leased users because the users do not support dual-stack accounting.

Max IPv4 multicast addresses

Maximum number of AAA-authorized IPv4 multicast groups that a user can join.

IPv4 multicast address list

List of AAA-authorized IPv4 multicast group addresses. If no IPv4 multicast group is authorized, this field displays N/A.

Max IPv6 multicast addresses

Maximum number of AAA-authorized IPv6 multicast groups that a user can join.

IPv6 multicast address list

List of AAA-authorized IPv6 multicast group addresses. If no IPv6 multicast group is authorized, this field displays N/A.

QoS

QoS information.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

·         N/A—On a CP in IPoE session entry control mode, the authorized user profile is insignificant. The state of the user profile is always displayed as N/A.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

·         N/A—On a CP in IPoE session entry control mode, the authorized session group profile is insignificant. The state of the session group profile is always displayed as N/A.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

·         N/A—On a CP in IPoE session entry control mode, the authorized user group ACL is insignificant. The state of the user group ACL is always displayed as N/A.

If the authorization result has not been updated, nothing is displayed.

Inbound CAR

Inbound CIR and PIR in kbps, and CBS in bytes. N/A means that no inbound CAR is authorized.

The inbound CAR has the following states:

·         inactive—Inbound CAR is not authorized successfully.

·         active—Inbound CAR is authorized successfully.

·         N/A—On a CP in IPoE session entry control mode, the authorized inbound CAR is insignificant. The state of the inbound CAR is always displayed as N/A.

Outbound CAR

Outbound CIR and PIR in kbps, and CBS in bytes. N/A means that no outbound CAR is authorized.

The outbound CAR has the following states:

·         inactive—Outbound CAR is not authorized successfully.

·         active—Outbound CAR is authorized successfully.

·         N/A—On a CP in IPoE session entry control mode, the authorized outbound CAR is insignificant. The state of the outbound CAR is always displayed as N/A.

Inbound user priority

AAA-authorized inbound user priority. The value can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no inbound user priority is authorized.

The inbound user priority has the following states:

·         inactive—Inbound user priority is not authorized successfully.

·         active—Inbound user priority is authorized successfully.

·         N/A—On a CP in IPoE session entry control mode, the authorized inbound user priority is insignificant. The state of the inbound user priority is always displayed as N/A.

Outbound user priority

AAA-authorized outbound user priority. The value can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no outbound user priority is authorized.

The outbound user priority has the following states:

·         inactive—Outbound user priority is not authorized successfully.

·         active—Outbound user priority is authorized successfully.

·         N/A—On a CP in IPoE session entry control mode, the authorized outbound user priority is insignificant. The state of the outbound user priority is always displayed as N/A.

Flow statistic

Session flow statistics.

Uplink packets/bytes

This field displays the total number and size of uplink IPv4 packets because subnet-leased users do not support dual-stack accounting.

Downlink packets/bytes

This field displays the total number and size of downlink IPv4 packets because subnet-leased users do not support dual-stack accounting.

IPv6 uplink packets/bytes

Total number and size of uplink IPv6 packets.

IPv6 downlink packets/bytes

Total number and size of downlink IPv6 packets.

ITA

ITA information.

Acct merge

ITA state:

·         Enabled.

·         Disabled.

Denied level

Level of the traffic being denied. If no traffic is denied, this field displays None. Traffic is classified into 8 levels (from 1 to 8).

Level-n Inbound CAR

AAA-authorized uplink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).

Inbound CAR state:

·         active—Inbound CAR is authorized successfully.

·         inactive—Inbound CAR is not authorized successfully.

·         N/A—Inbound CAR is not authorized.

Outbound CAR

AAA-authorized downlink CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8).

Outbound CAR state:

·         active—Outbound CAR is authorized successfully.

·         inactive—Outbound CAR is not authorized successfully.

·         N/A—Outbound CAR is not authorized.

Traffic separate

State of separating ITA service traffic from the overall traffic for accounting:

·         Enabled

·         Disabled

 

Related commands

ip subscriber enable

display ip subscriber subnet-leased statistics

Use display ip subscriber subnet-leased statistics to display IPoE subnet-leased user session statistics.

Syntax

In standalone mode:

display ip subscriber subnet-leased statistics [ domain domain-name ] [ ip-type { ipv4 | ipv6 } ] [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

display ip subscriber subnet-leased statistics [ domain domain-name ] [ ip-type { ipv4 | ipv6 } ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

ip-type: Specifies an IP protocol type. If this keyword is not specified, this command displays statistics of all IP protocol types.

ipv4: Specifies the IPv4 IPoE subnet-leased users.

ipv6: Specifies the IPv6 IPoE subnet-leased users.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for all cards. (In IRF mode.)

Examples

# Display IPoE subnet-leased user session statistics on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber subnet-leased statistics interface gigabitethernet 3/1/1

IP-type                : IPv4

Total sessions         : 1

Bind:

  Init                 : 1

  Authenticating       : 0

  Authenticate fail    : 0

  Authenticate pass    : 0

  Assigned IP          : 0

  Online               : 0

  Backup               : 0

 

IP-type                : IPv6

Total sessions         : 1

Bind:

  Init                 : 1

  Authenticating       : 0

  Authenticate fail    : 0

  Authenticate pass    : 0

  Assigned IP          : 0

  Online               : 0

  Backup               : 0

Table 20 Command output

Field

Description

IP-type

IP protocol type:

·         IPv4—IPv4 IPoE subnet-leased users.

·         IPv6—IPv6 IPoE subnet-leased users.

Total sessions

Total number of IPoE subnet-leased user sessions.

Bind

Subnet-leased user session statistics for bind authentication.

Init

Number of sessions being initiated.

Authenticating

Number of sessions being authenticated.

Authenticate fail

Number of sessions that failed authentication.

Authenticate pass

Number of sessions that passed authentication.

Assigned IP

Number of sessions that have IP addresses.

Online

Number of online sessions.

Backup

Number of sessions whose information was backed up.

 

Related commands

ip subscriber enable

display ip subscriber subnet-leased user

Use display ip subscriber subnet-leased user to display IPoE subnet-leased subuser session information.

Syntax

In standalone mode:

display ip subscriber subnet-leased user [ interface interface-type interface-number [ ip { ipv4-address mask-length | ipv4-address } | ipv6 { ipv6-address prefix-length | ipv6-address } | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber subnet-leased user [ interface interface-type interface-number [ ip { ipv4-address mask-length | ipv4-address } | ipv6 { ipv6-address prefix-length | ipv6-address } | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

ip ipv4-address mask-length: Specifies an IPv4 subnet by an IPv4 address and a mask length in the range of 1 to 31.

ip ipv4-address: Specifies the source IPv4 address of a subnet-leased subuser.

ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet by an IPv6 address and a prefix length in the range of 1 to 127.

ipv6 ipv6-address: Specifies the source IPv6 address of a subnet-leased subuser.

s-vlan svlan-id: Specifies the service provider VLAN ID of a subnet-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of a subnet-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of a subnet-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

verbose: Displays detailed information of subnet-leased subusers. If this keyword is not specified, this command displays brief information.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Usage guidelines

This command takes effect only in Layer 2 access mode.

Examples

# Display brief session information about IPoE subnet-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber subnet-leased user interface gigabitethernet 3/1/1

Interface       IP address       MAC address      SVLAN/CVLAN     User ID

GE3/1/1         100.1.1.3        0010-9400-0003   -/-             0x380800b5

GE3/1/1         100::4           0010-9400-0004   -/-             0x380800b6

Table 21  Command output

Field

Description

Interface

Interface that connects the subuser.

IP address

IP address of the subuser.

MAC address

MAC address of the subuser.

SVLAN/CVLAN

SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

User ID

Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff.

 

# (In standalone mode.) Display detailed session information about the IPoE subnet-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber subnet-leased user interface gigabitethernet 3/1/1 verbose

Interface: Gigabitethernet 3/1/1

  IP address                 : 100.1.1.3

  MAC address                : 0010-9400-0003

  User ID                    : 0x380800b5

  VPN instance               : vpn1

  Service-VLAN/Customer-VLAN : -/-

  Access interface           : GE3/1/1

  VPI/VCI(for ATM)           : -/-

  DNS servers                : N/A

  DHCP lease                 : N/A

  DHCP remain lease          : N/A

  Login time                 : May 9 08:56:29 2014

  Service node               : Slot 3 CPU 0

  Type                       : Unclassified-IP

 

QoS:

  User profile               : abc (active)

  Session group profile      : N/A

  User group ACL             : N/A

  Inbound user priority      : 1 (active)

  Outbound user priority     : 1 (active)

 

Interface: Gigabitethernet 3/1/1

  IP address                 : 100::4

  MAC address                : 0010-9400-0004

  User ID                    : 0x380800b6

  VPN instance               : vpn1

  Service-VLAN/Customer-VLAN : 100/-

  Access interface           : GE3/1/1

  VPI/VCI(for ATM)           : -/-

  DNS servers                : N/A

  DHCP lease                 : N/A

  DHCP remain lease          : N/A

  Login time                 : May 9 09:00:02 2014

  Service node               : Slot 3 CPU 0

  Type                       : Unclassified-IP

 

QoS:

  User profile               : abc (active)

  Session group profile      : N/A

  User group ACL             : N/A

  Inbound user priority      : 1 (active)

  Outbound user priority     : 1 (active)

Table 22  Command output

Field

Description

Interface

Interface that connects the subuser.

IP address

IP address of the subuser.

MAC address

MAC address of the subuser.

User ID

Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff.

VPN instance

MPLS L3VPN instance of the subuser. If the subuser is not in a VPN, this field displays N/A.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Interface that connects the subuser.

VPI/VCI(for ATM)

ATM PVC information of the subuser. If the subuser traffic does not have PVC information, this field displays a hyphen (-).

DNS servers

DNS server addresses assigned to the subuser.

·         When the number of the assigned addresses is 0, this field displays N/A, which indicates no DNS server addresses are assigned.

·         When the number of the assigned addresses is 1 or 2, this field displays the actual DNS server addresses.

·         When the number of the assigned addresses is greater than 2, this field displays only the first two DNS server addresses.

DHCP lease

DHCP-authorized IP lease in seconds:

·         N/A—No IP lease is authorized.

·         Unlimited—The IP lease is unlimited.

DHCP remain lease

Remaining DHCP-authorized IP lease.

This field is displayed only on the card that connects the subuser. On other cards, this field displays N/A.

Login time

Time when the subuser passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.

Service node

Slot number and CPU number of the card that connects the subuser.

Type

Subuser type. The value of Unclassified-IP indicates that the subuser is an unclassified-IP subuser.

QoS

QoS information.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

If the authorization result has not been updated, nothing is displayed.

Inbound user priority

AAA-authorized inbound user priority. The value can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no inbound user priority is authorized.

The inbound user priority has the following states:

·         inactive—Inbound user priority is not authorized successfully.

·         active—Inbound user priority is authorized successfully.

Outbound user priority

AAA-authorized outbound user priority. The value can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no outbound user priority is authorized.

The outbound user priority has the following states:

·         inactive—Outbound user priority is not authorized successfully.

·         active—Outbound user priority is authorized successfully.
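The state values in the table above (active, inactive, N/A) tell an operator whether the AAA-authorized profile, ACL or priority is actually in force for a subuser. The following added example, which is not part of the H3C documentation, parses captured verbose output and lists subusers whose authorized policy is inactive or whose user ID is 0xffffffff. The sample text, the ACL name web-acl and all function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the verbose output above. The second
# record's 0xffffffff user ID, "web-acl (inactive)" and priority 15 are
# invented for this example.
SAMPLE = """\
Interface: Gigabitethernet 3/1/1
  IP address                 : 100.1.1.3
  MAC address                : 0010-9400-0003
  User ID                    : 0x380800b5
  VPN instance               : vpn1
  Service-VLAN/Customer-VLAN : -/-
  Login time                 : May 9 08:56:29 2014
  Type                       : Unclassified-IP

QoS:
  User profile               : abc (active)
  Session group profile      : N/A
  User group ACL             : N/A
  Inbound user priority      : 1 (active)
  Outbound user priority     : 1 (active)

Interface: Gigabitethernet 3/1/1
  IP address                 : 100::4
  MAC address                : 0010-9400-0004
  User ID                    : 0xffffffff
  VPN instance               : vpn1
  Service-VLAN/Customer-VLAN : 100/-
  Login time                 : May 9 09:00:02 2014
  Type                       : Unclassified-IP

QoS:
  User profile               : abc (active)
  Session group profile      : N/A
  User group ACL             : web-acl (inactive)
  Inbound user priority      : 15
  Outbound user priority     : 1 (active)
"""

# Fields that the command output table documents with an active/inactive state.
STATEFUL_FIELDS = (
    "User profile",
    "Session group profile",
    "User group ACL",
    "Inbound user priority",
    "Outbound user priority",
)
STATE_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<state>active|inactive)\)$")


def parse_subusers(text):
    """Split verbose output into one dict per subuser record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "QoS:":
            continue  # blank separators and the QoS header carry no value
        # Split on the first colon only: IPv6 addresses and login times
        # contain further colons in the value.
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Interface":
            current = {"Interface": value}  # each record opens with "Interface:"
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def classify(field, value):
    """Return (name, state) where state is active, inactive, not-authorized or no-state."""
    match = STATE_RE.match(value)
    if match:
        return match["name"], match["state"]
    # Per the table: N/A means nothing is authorized; for the priority fields
    # the value 15 has the same meaning.
    if value == "N/A" or (field.endswith("user priority") and value == "15"):
        return value, "not-authorized"
    # A value without a state: the table says nothing is displayed until the
    # authorization result has been updated.
    return value, "no-state"


def audit(records):
    """Return (ip, field, issue) tuples for policy that is authorized but not in force."""
    findings = []
    for rec in records:
        ip = rec.get("IP address", "?")
        if rec.get("User ID", "").lower() == "0xffffffff":
            findings.append((ip, "User ID", "no subuser ID assigned"))
        for field in STATEFUL_FIELDS:
            if field not in rec:
                continue
            name, state = classify(field, rec[field])
            if state == "inactive":
                findings.append((ip, field, f"{name!r} authorized but inactive"))
            elif state == "no-state":
                findings.append((ip, field, f"{name!r} shown without a state"))
    return findings


if __name__ == "__main__":
    for ip, field, issue in audit(parse_subusers(SAMPLE)):
        print(f"{ip}: {field}: {issue}")
```
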

 

display ip subscriber subnet-leased user ip-type

Use display ip subscriber subnet-leased user ip-type to display IPoE subnet-leased subuser session information of the specified IP protocol type.

Syntax

In standalone mode:

display ip subscriber subnet-leased user ip-type { ipv4 | ipv6 } [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber subnet-leased user ip-type { ipv4 | ipv6 } [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 IPoE subnet-leased subusers.

ipv6: Specifies IPv6 IPoE subnet-leased subusers.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

s-vlan svlan-id: Specifies the service provider VLAN ID of a subnet-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of a subnet-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of a subnet-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

verbose: Displays detailed information of subnet-leased subusers. If this keyword is not specified, this command displays brief information.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Usage guidelines

This command takes effect only in Layer 2 access mode.

Examples

# Display brief session information about IPv4 IPoE subnet-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber subnet-leased user ip-type ipv4 interface gigabitethernet 3/1/1

Interface       IP address       MAC address      SVLAN/CVLAN     User ID

GE3/1/1         100.1.1.3        0010-9400-0003   -/-             0x380800b5

GE3/1/1         100.1.1.4        0010-9400-0004   -/-             0x380800b6

Table 23  Command output

Field

Description

Interface

Interface that connects the subuser.

IP address

IP address of the subuser.

MAC address

MAC address of the subuser.

SVLAN/CVLAN

SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

User ID

Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff.

 

# (In standalone mode.) Display detailed session information about the IPv4 IPoE subnet-leased subusers on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber subnet-leased user ip-type ipv4 interface gigabitethernet 3/1/1 verbose

Interface: Gigabitethernet 3/1/1

  IP address                 : 100.1.1.3

  MAC address                : 0010-9400-0003

  User ID                    : 0x380800b5

  VPN instance               : vpn1

  Service-VLAN/Customer-VLAN : -/-

  Access interface           : GE3/1/1

  VPI/VCI(for ATM)           : -/-

  DNS servers                : N/A

  DHCP lease                 : N/A

  DHCP remain lease          : N/A

  Login time                 : May 9 08:56:29 2014

  Service node               : Slot 3 CPU 0

  Type                       : Unclassified-IP

QoS:

  User profile               : abc (active)

  Session group profile      : N/A

  User group ACL             : N/A

  Inbound user priority      : 1 (active)

  Outbound user priority     : 1 (active)

Table 24  Command output

Field

Description

Interface

Interface that connects the subuser.

IP address

IP address of the subuser.

MAC address

MAC address of the subuser.

User ID

Subuser ID assigned after the subuser came online. If no subuser ID is assigned, this field displays 0xffffffff.

VPN instance

MPLS L3VPN instance of the subuser. If the subuser is not in a VPN, this field displays N/A.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of the subuser. If the subuser traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Interface that connects the subuser.

VPI/VCI(for ATM)

ATM PVC information of the subuser. If the subuser traffic does not have PVC information, this field displays a hyphen (-).

DNS servers

DNS server addresses assigned to the subuser.

·         When the number of the assigned addresses is 0, this field displays N/A, which indicates no DNS server addresses are assigned.

·         When the number of the assigned addresses is 1 or 2, this field displays the actual DNS server addresses.

·         When the number of the assigned addresses is greater than 2, this field displays only the first two DNS server addresses.

DHCP lease

DHCP-authorized IP lease in seconds:

·         N/A—No IP lease is authorized.

·         Unlimited—The IP lease is unlimited.

DHCP remain lease

Remaining DHCP-authorized IP lease.

This field is displayed only on the card that connects the subuser. On other cards, this field displays N/A.

Login time

Time when the subuser passed authentication and logged in, in the format of MM DD hh:mm:ss YYYY.

Service node

Slot number and CPU number of the card that connects the subuser.

Type

Subuser type. The value of Unclassified-IP indicates that the subuser is an unclassified-IP subuser.

QoS

QoS information.

User profile

Name of the AAA-authorized user profile. N/A means that no user profile is authorized.

The user profile has the following states:

·         inactive—User profile authorization failed or the user profile does not exist on the BRAS.

·         active—The user profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·         inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·         active—The session group profile is authorized successfully.

If the authorization result has not been updated, nothing is displayed.

User group ACL

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·         active—The user group ACL is authorized successfully.

·         inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

If the authorization result has not been updated, nothing is displayed.

Inbound user priority

AAA-authorized inbound subuser priority. The value can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no inbound subuser priority is authorized.

The inbound subuser priority has the following states:

·         inactive—Inbound subuser priority is not authorized successfully.

·         active—Inbound subuser priority is authorized successfully.

Outbound user priority

AAA-authorized outbound subuser priority. The value can be a number in the range of 0 to 7, 15, or N/A. N/A or 15 means that no outbound subuser priority is authorized.

The outbound subuser priority has the following states:

·         inactive—Outbound subuser priority is not authorized successfully.

·         active—Outbound subuser priority is authorized successfully.

 

display ip subscriber tcp-connection

Use display ip subscriber tcp-connection to display the number of TCP connections established by IPoE users.

Syntax

display ip subscriber tcp-connection interface interface-type interface-number session-id session-id

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

session-id session-id: Specifies a session by its ID in the range of 1 to ffffffff.

Examples

# Display the number of TCP connections established by users with session ID 1 on GigabitEthernet 3/1/1.

<Sysname> display ip subscriber tcp-connection interface gigabitethernet 3/1/1 session-id 1

Total uplink TCP connections: 0

Total downlink TCP connections: 0

Table 25 Command output

Field

Description

Total uplink TCP connections

Total number of uplink TCP connections established by IPoE users.

Total downlink TCP connections

Total number of downlink TCP connections established by IPoE users.

 

display trace access-user

Use display trace access-user to display service tracing object configuration information.

Syntax

display trace access-user [ object object-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object object-id: Specifies a service tracing object by its ID, in the range of 1 to 5. If you do not specify a tracing object, this command displays configuration information for all service tracing objects.

Usage guidelines

This command displays configuration information for only service tracing objects whose tracing time has not expired.

Examples

# Display configuration information for service tracing object 1.

<Sysname> display trace access-user object 1

Object ID: 1

Access mode: IPoE

User name: aaa

Access interface: GigabitEthernet3/1/1.1

IP address: 1.1.1.2

MAC address: 0001-0002-0003

Service VLAN: 3

Customer VLAN: 2

Output direction: VTY

Aging time: 0 min

Table 26 Command output

Field

Description

Object ID

ID of the service tracing object.

Access mode

Access mode of the service tracing object.

User name

Username of the access user.

Access interface

Access interface of the access user.

IP address

IP address of the access user.

MAC address

MAC address of the access user.

Service VLAN

Outer VLAN ID of the access user.

Customer VLAN

Inner VLAN ID of the access user.

Output direction

Location to which the service tracing object information is output.

Aging time

Tracing time of the service tracing object.

 

Related commands

trace access-user

ip subscriber 8021p

Use ip subscriber 8021p to bind an ISP domain to IPoE users who send IP packets with the specified 802.1p values.

Use undo ip subscriber 8021p to remove the binding between an ISP domain and IPoE users who send IP packets with the specified 802.1p values.

Syntax

ip subscriber 8021p 8021p-list domain domain-name

undo ip subscriber 8021p 8021p-list

Default

No ISP domain is bound to IPoE users who send IP packets with the specified 802.1p values.

Views

Layer 3 aggregate subinterface view

Layer 3 Ethernet subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

8021p-list: Specifies a space-separated list of up to eight 802.1p value items. Each item specifies an 802.1p value or a range of 802.1p values in the form of start-802.1p-value to end-802.1p-value. The 802.1p value is in the range of 0 to 7.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

For this command, IPoE users include DHCP users, unclassified-IP users, and static individual users.

For the ip subscriber 8021p command to take effect, you must first execute the ip subscriber service-identify 8021p command to configure the 802.1p priority as the service identifier.

For how an authentication domain is selected for a DHCP user, see the ip subscriber dhcp domain command.

For how an authentication domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.

For how an authentication domain is selected for a static IPoE user, see the ip subscriber session static command.

For how an authentication domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an authentication domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

For how an authentication domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.

Examples

# Configure ISP domain 1pdm for IPoE users who send IP packets with 802.1p values 2 to 5 on GigabitEthernet 3/1/1.100.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.100

[Sysname-GigabitEthernet3/1/1.100] ip subscriber service-identify 8021p second-vlan

[Sysname-GigabitEthernet3/1/1.100] ip subscriber 8021p 2 to 5 domain 1pdm

Related commands

ip subscriber service-identify
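Because the 802.1p value selects the ISP domain, and with it the AAA policy a user is authenticated against, it is worth checking ip subscriber 8021p lines before they are applied. The following added example, which is not H3C code, validates the 8021p-list and domain-name rules from the Parameters section and reports 802.1p values bound to more than one domain. The function names and the domain voice are constructed; rejecting a range whose end is lower than its start is an assumption, and the page does not state how the device treats overlapping bindings.

```python
import re

VALID_VALUES = set("01234567")                  # 802.1p values are 0 to 7
FORBIDDEN_DOMAIN_CHARS = set('/\\|":*?<>@')     # from the domain-name rule
BINDING_RE = re.compile(
    r"^ip subscriber 8021p (?P<list>.+) domain (?P<domain>\S+)$")


def _value(token):
    """Convert one token to an 802.1p value, rejecting anything outside 0..7."""
    if token not in VALID_VALUES:
        raise ValueError(f"802.1p value must be 0 to 7, got {token!r}")
    return int(token)


def parse_8021p_list(text):
    """Return the set of 802.1p values named by a list such as '0 2 to 5 7'."""
    tokens = text.split()
    items, i = [], 0
    while i < len(tokens):
        start = _value(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("range has no end value")
            end = _value(tokens[i + 2])
            if end < start:
                # Assumption: a descending range is treated as an error here.
                raise ValueError(f"range {start} to {end} is descending")
            items.append(range(start, end + 1))
            i += 3
        else:
            items.append(range(start, start + 1))
            i += 1
    if not items:
        raise ValueError("empty 8021p-list")
    if len(items) > 8:
        raise ValueError("more than eight items in 8021p-list")
    return set().union(*items)


def is_valid_list(text):
    """Boolean wrapper around parse_8021p_list for use in config linting."""
    try:
        parse_8021p_list(text)
    except ValueError:
        return False
    return True


def validate_domain(name):
    """Check the ISP domain name rules; return it lowercased (names are case-insensitive)."""
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name must be 1 to 255 characters")
    bad = FORBIDDEN_DOMAIN_CHARS & set(name)
    if bad:
        raise ValueError(f"domain name contains forbidden characters: {sorted(bad)}")
    return name.lower()


def parse_binding(line):
    """Parse one 'ip subscriber 8021p <list> domain <name>' line."""
    match = BINDING_RE.match(line.strip())
    if not match:
        raise ValueError(f"not an ip subscriber 8021p binding: {line!r}")
    return parse_8021p_list(match["list"]), validate_domain(match["domain"])


def find_conflicts(lines):
    """Map each 802.1p value bound to more than one domain to those domains."""
    owners = {}
    for line in lines:
        values, domain = parse_binding(line)
        for value in values:
            owners.setdefault(value, set()).add(domain)
    return {v: sorted(d) for v, d in sorted(owners.items()) if len(d) > 1}


if __name__ == "__main__":
    # First line is the example from this section; the second is constructed.
    config = [
        "ip subscriber 8021p 2 to 5 domain 1pdm",
        "ip subscriber 8021p 5 to 7 domain voice",
    ]
    print(find_conflicts(config))
```
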

ip subscriber access-block

Use ip subscriber access-block to forbid IPoE users from coming online.

Use undo ip subscriber access-block to restore the default.

Syntax

In standalone mode:

ip subscriber access-block [ interface interface-type interface-number | slot slot-number ]

undo ip subscriber access-block [ interface interface-type interface-number | slot slot-number ]

In IRF mode:

ip subscriber access-block [ interface interface-type interface-number | chassis chassis-number slot slot-number ]

undo ip subscriber access-block [ interface interface-type interface-number | chassis chassis-number slot slot-number ]

Default

IPoE users are allowed to come online.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

With this command configured, the device directly drops received online request packets of IPoE users to forbid new IPoE users from coming online through this interface.

This command does not affect existing IPoE users, including IPoE Web users in online state during the preauthentication phase.

If you do not specify any parameter for this command, this command forbids all new IPoE users from coming online.

Examples

# Forbid IPoE users on interface GigabitEthernet 3/1/1 from coming online.

<Sysname> system-view

[Sysname] ip subscriber access-block interface gigabitethernet 3/1/1

ip subscriber access-delay

Use ip subscriber access-delay to set the response delay time for IPoE users on an interface.

Use undo ip subscriber access-delay to restore the default.

Syntax

ip subscriber access-delay delay-time [ even-mac | odd-mac ]

undo ip subscriber access-delay

Default

No response delay time is set for IPoE users on an interface.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the response delay time for IPoE users, in the range of 10 to 25500 milliseconds.

even-mac: Specifies users with even MAC addresses.

odd-mac: Specifies users with odd MAC addresses.

Usage guidelines

With this command configured, the system delays its response to IPoE user online requests by the configured delay time.

You can separately specify different response delay times for even-MAC users and odd-MAC users.

If you do not specify any keyword, this command sets the response delay time for all users that come online through this interface.

If you first configure this command with the even-mac or odd-mac keyword specified and then configure this command without specifying any keyword, the latter configuration takes effect, and vice versa.

This command takes effect only on IPoE users on interfaces in Layer 2 access mode. More specifically:

·          On an interface using bind authentication, this command takes effect only on IPoE individual users and leased subusers.

·          On an interface using Web authentication, this command takes effect only on users in the preauthentication phase and does not take effect on users in the Web authentication phase.

Examples

# Set the response delay time for IPoE users to 1000 milliseconds on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber access-delay 1000

ip subscriber access-line-id circuit-id trans-format

Use ip subscriber access-line-id circuit-id trans-format to configure the IPoE parsing format for the circuit ID in the DHCP option.

Use undo ip subscriber access-line-id circuit-id trans-format to restore the default.

Syntax

ip subscriber access-line-id circuit-id trans-format { ascii | hex }

undo ip subscriber access-line-id circuit-id trans-format

Default

The IPoE parsing format for the circuit ID in the DHCP option is ASCII.

Views

Layer 3 aggregate subinterface view

Layer 3 Ethernet subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the ASCII parsing format.

hex: Specifies the hex parsing format.

Usage guidelines

For IPoE to correctly parse information in the circuit ID, use this command to set a proper parsing format according to the format of the circuit ID information sent by downstream devices.

The ip subscriber access-line-id circuit-id trans-format command configuration takes effect only after the ip subscriber trust command is configured to trust the specified option.

Examples

# Set the IPoE parsing format for the circuit ID in the DHCP option to hex.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber access-line-id circuit-id trans-format hex

Related commands

ip subscriber access-line-id remote-id trans-format

ip subscriber trust

ip subscriber access-line-id remote-id trans-format

Use ip subscriber access-line-id remote-id trans-format to configure the IPoE parsing format for the remote ID in the DHCP option.

Use undo ip subscriber access-line-id remote-id trans-format to restore the default.

Syntax

ip subscriber access-line-id remote-id trans-format { ascii | hex }

undo ip subscriber access-line-id remote-id trans-format

Default

The IPoE parsing format for the remote ID in the DHCP option is ASCII.

Views

Layer 3 aggregate subinterface view

Layer 3 Ethernet subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the ASCII parsing format.

hex: Specifies the hex parsing format.

Usage guidelines

For IPoE to correctly parse information in the remote ID, use this command to set a proper parsing format according to the format of the remote ID information sent by downstream devices.

The ip subscriber access-line-id remote-id trans-format command configuration takes effect only after the ip subscriber trust command is configured to trust the specified option.

Examples

# Set the IPoE parsing format for the remote ID in the DHCP option to hex.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber access-line-id remote-id trans-format hex

Related commands

ip subscriber access-line-id remote-id trans-format

ip subscriber trust

ip subscriber access-out

Use ip subscriber access-out to enable IPoE access-out authentication for IPoE users.

Use undo ip subscriber access-out to restore the default.

Syntax

ip subscriber access-out

undo ip subscriber access-out

Default

IPoE access-out authentication is disabled for IPoE users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

In a dual-authentication network, one device performs access-in authentication and another device performs access-out authentication. Users who pass access-in authentication can access the intranet and users who pass access-out authentication can access the extranet.

Examples

# Enable IPoE access-out authentication for IPoE users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber access-out

ip subscriber access-trigger loose

Use ip subscriber access-trigger loose to specify the loose access duration for the IPoE users after the system or the slot where the access interface resides is rebooted.

Use undo ip subscriber access-trigger loose to restore the default.

Syntax

ip subscriber access-trigger loose { loose-time | all-time }

undo ip subscriber access-trigger loose

Default

IPoE users cannot access in loose mode after the system or the slot where the access interface resides is rebooted.

Views

System view

Predefined user roles

network-admin

Parameters

loose-time: Specifies the loose access duration for the IPoE users after the system or the slot where the access interface resides is rebooted, in the range of 1 to 4294967295 minutes.

all-time: Specifies that the IPoE users can access in loose mode at all times after the system or the slot where the access interface resides is rebooted.

Usage guidelines

When the sessions of online IPoE users are deleted because the system or the slot where the access interface resides is rebooted, DHCP users will not send DHCP packets to trigger access again because these users cannot sense the reboot. As a result, the access device cannot regenerate DHCP sessions for these users. To solve this problem, you can specify IPoE users to access in loose mode.

For users accessing in loose mode through a global interface or physical interface, the definition of reboot is different as follows:

·          For users accessing through a global interface: After the system is rebooted, IPoE users can use IP packets and ARP packets to trigger access and generate DHCP sessions within the duration specified by the loose-time argument or at all times.

·          For users accessing through a physical interface: After the slot where the physical interface resides is rebooted, IPoE users can use IP packets and ARP packets to trigger access and generate DHCP sessions within the duration specified by the loose-time argument or at all times.

IPoE DHCP users can access in loose mode only when all the following conditions exist:

·          The Layer 2 access mode is configured on the access interface.

·          DHCPv4 packet initiation is enabled on the access interface.

·          A DHCPv4 address pool is assigned to users through the authentication domain or AAA server.

·          To use IP packet initiation, you must configure the ip subscriber initiator unclassified-ip enable command on the access interface, and as a best practice, specify the matching-user keyword.

·          To use ARP packet initiation, you must configure the ip subscriber initiator arp enable command and the ip subscriber initiator unclassified-ip enable command on the access interface, and as a best practice, specify the matching-user keyword.

In the current software version, only dynamic IPv4 IPoE users can access in loose mode.

For IPoE Web authentication users that access in loose mode, only the sessions in the preauthentication domain can be regenerated. To come online in the Web authentication phase, these users must follow the normal Web authentication procedure.

For IPoE to operate properly when IPoE users access in loose mode, do not configure portal on access interfaces of these IPoE users.

Examples

# Specify the loose access duration as 300 minutes for the IPoE users after the system or the slot where the access interface resides is rebooted.

<Sysname> system-view

[Sysname] ip subscriber access-trigger loose 300

Related commands

ip subscriber dhcp domain

ip subscriber dhcp password

ip subscriber dhcp username

ip subscriber initiator arp enable

ip subscriber initiator dhcp enable

ip subscriber initiator unclassified-ip enable

ip subscriber access-user log enable

Use ip subscriber access-user log enable to enable logging for IPoE users.

Use undo ip subscriber access-user log enable to disable logging for IPoE users.

Syntax

ip subscriber access-user log enable [ successful-login | failed-login | logout [ normal ] [ abnormal ] ] *

undo ip subscriber access-user log enable [ successful-login | failed-login | logout [ normal ] [ abnormal ] ] *

Default

Logging is disabled for IPoE users.

Views

System view

Predefined user roles

network-admin

Parameters

successful-login: Specifies login success logs.

failed-login: Specifies login failure logs.

logout: Specifies logout logs.

normal: Specifies normal logout logs.

abnormal: Specifies abnormal logout logs.

Usage guidelines

IMPORTANT:

As a best practice, disable this feature to prevent excessive IPoE log output.

The IPoE logging feature enables the device to generate IPoE logs and send them to the information center. Logs are generated after a user comes online successfully, fails to come online, normally goes offline, or abnormally goes offline. A log entry contains information such as the username, IP address, interface name, inner VLAN, outer VLAN, MAC address, and failure causes. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

When you configure this command without specifying any keyword, this command enables or disables logging for login successes, login failures, normal logouts, and abnormal logouts.

Examples

# Enable logging for IPoE users.

<Sysname> system-view

[Sysname] ip subscriber access-user log enable

ip subscriber authentication chasten

Use ip subscriber authentication chasten to configure the authentication failure limit in the specified authentication period.

Use undo ip subscriber authentication chasten to restore the default.

Syntax

ip subscriber authentication chasten auth-failure auth-period

undo ip subscriber authentication chasten

Default

One authentication failure immediately triggers the quiet timer for the user.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

auth-failure: Specifies the maximum number of consecutive authentication failures in the specified authentication period that triggers the quiet timer. The value range is 1 to 10000.

auth-period: Specifies an authentication period in the range of 1 to 3600 seconds.

Usage guidelines

If this command is used, the quiet timer starts when the number of authentication failures of a user reaches the limit in the specified authentication period. During the quiet time, packets from the user are dropped. After the quiet timer expires, IPoE performs authentication upon receiving a packet from the user. This command helps prevent password-guessing attacks.

If a dual-stack IPoE session is generated for a dual-stack user, the authentication failures of the two protocol stacks are counted together. The dual-stack user is quieted when the number of consecutive authentication failures reaches the limit in the specified period.

This command takes effect only after the ip subscriber timer quiet command is executed on the interface.

Examples

# Configure GigabitEthernet 3/1/1 to block an IPoE user on the interface for 100 seconds if the user fails authentication five consecutive times within one minute.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber timer quiet 100

[Sysname-GigabitEthernet3/1/1] ip subscriber authentication chasten 5 60
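The counting behavior described in the usage guidelines, modeled in Python as an added example (not H3C code). The function name, the event tuples and the outcome strings are hypothetical. The model assumes that the authentication period starts at the first failure of a run and that a successful authentication resets the count, neither of which this page specifies.

```python
from dataclasses import dataclass


@dataclass
class UserState:
    fails: int = 0              # consecutive failures in the current period
    window_start: float = 0.0   # time of the first failure in that period
    quiet_until: float = -1.0   # packets are dropped before this time


def replay(events, auth_failure=1, auth_period=None, quiet_time=0):
    """Replay (time_s, user, stack, ok) events in time order.

    auth_failure / auth_period mirror the chasten arguments and quiet_time
    mirrors "ip subscriber timer quiet". The defaults reproduce the
    documented default: one failure starts the quiet timer immediately.
    Returns one outcome per event: "ok", "fail", "quiet" or "drop".
    """
    users = {}
    outcomes = []
    for t, user, _stack, ok in events:
        # State is keyed by user only, so the IPv4 and IPv6 failures of a
        # dual-stack user are counted together, as the page states.
        st = users.setdefault(user, UserState())
        if t < st.quiet_until:
            outcomes.append("drop")        # quiet time: packet is dropped
            continue
        if ok:
            st.fails = 0                   # assumed: success ends the run
            outcomes.append("ok")
            continue
        expired = auth_period is not None and t - st.window_start >= auth_period
        if st.fails == 0 or expired:
            st.fails, st.window_start = 0, t   # start a new period
        st.fails += 1
        if st.fails >= auth_failure:
            st.quiet_until = t + quiet_time
            st.fails = 0
            outcomes.append("quiet")       # limit reached: quiet timer starts
        else:
            outcomes.append("fail")
    return outcomes


if __name__ == "__main__":
    user = "0011-2233-4455"                # constructed sample user
    sample = [                             # constructed sample events
        (0, user, "v4", False), (10, user, "v6", False),
        (20, user, "v4", False), (30, user, "v6", False),
        (40, user, "v4", False),           # fifth failure within 60 s
        (90, user, "v4", True),            # inside the 100 s quiet time
        (140, user, "v4", True),           # quiet timer has expired
    ]
    # Values from the CLI example: chasten 5 60, timer quiet 100.
    for event, outcome in zip(sample, replay(sample, 5, 60, 100)):
        print(event, outcome)
```

Replaying recorded login results against candidate auth-failure, auth-period and quiet values shows which users a setting would have quieted before it is applied to an interface.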

Related commands

display ip subscriber chasten user auth-failed

display ip subscriber chasten user quiet

ip subscriber timer quiet

ip subscriber authentication-method

Use ip subscriber authentication-method to configure an IPoE authentication method.

Use undo ip subscriber authentication-method to restore the default.

Syntax

ip subscriber authentication-method { bind | web [ mac-auth ] }

undo ip subscriber authentication-method

Default

IPoE uses bind authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

bind: Specifies the bind authentication method.

web: Specifies the Web authentication method.

mac-auth: Specifies the Web MAC authentication method.

Usage guidelines

When using bind authentication, the BRAS automatically generates usernames and passwords for users based on the user access location. Users are not required to enter usernames and passwords.

When using Web authentication, the BRAS requires users to enter usernames and passwords on the Web authentication page.

When using Web MAC authentication, a user needs to enter the username and password only for the first login. Then, the user can access the network without entering the username and password.

When you switch the authentication method from bind authentication to Web authentication or Web MAC authentication, the device performs operations depending on the session type:

·          For IPoE dynamic individual sessions, the device deletes all IPoE dynamic individual sessions on the interface and logs out users.

·          For interface-level IPoE static individual sessions, the device initializes all IPoE static individual sessions on the interface and logs out users.

·          For global IPoE static individual sessions, the device deletes all global IPoE static individual sessions on the interface and logs out users.

·          For IPoE leased sessions, the device initializes all IPoE leased sessions on the interface and logs out users.

When you switch the authentication method from Web authentication or Web MAC authentication to bind authentication or between Web authentication and Web MAC authentication on an interface, the device performs the following operations:

·          Deletes DHCP dynamic individual sessions and global static individual sessions on the interface and initializes the static individual sessions on the interface.

·          Logs out users.

Examples

# Configure the Web authentication method for IPoE users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber authentication-method web

The operation may cut all users on this interface. Continue?[Y/N]:y

Related commands

ip subscriber enable

ip subscriber captive-bypass enable

Use ip subscriber captive-bypass enable to enable the captive-bypass feature.

Use undo ip subscriber captive-bypass enable to disable the captive-bypass feature.

Syntax

ip subscriber captive-bypass enable [ android | ios ] [ optimize ]

undo ip subscriber captive-bypass enable

Default

The captive-bypass feature is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

android: Specifies Android users.

ios: Specifies iOS users.

optimize: Enables captive-bypass optimization.

Usage guidelines

By default, the device automatically pushes the Web authentication page to the iOS devices and some Android devices when they are connected to the network with IPoE Web authentication enabled. With the captive-bypass feature enabled, the device does not automatically push the Web authentication page to iOS devices and some Android devices when they are connected to the network. The device pushes the Web authentication page only when the user accesses the Internet by using a browser.

The captive-bypass optimization feature takes effect only on iOS users and does not take effect on Android users.

With the captive-bypass optimization feature enabled, when an iOS user uses a browser to access the Internet, the Web authentication page automatically opens. When the user does not perform authentication and presses the home button to return to the home screen, the Wi-Fi connection is not disconnected.

When you execute this command without specifying any keyword, this command enables the captive-bypass feature for both Android users and iOS users. If you specify only the optimize keyword, this command enables the captive-bypass feature for Android users and the captive-bypass optimization feature for iOS users.

When you execute the undo form of this command, this command disables the captive-bypass feature for both Android users and iOS users.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable the captive-bypass feature.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber captive-bypass enable

# Enable the captive-bypass optimization feature for iOS users.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber captive-bypass enable ios optimize

# Enable the captive-bypass feature for Android users.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber captive-bypass enable android

ip subscriber dhcp domain

Use ip subscriber dhcp domain to configure an ISP domain for DHCP users.

Use undo ip subscriber dhcp domain to restore the default.

Syntax

ip subscriber dhcp domain domain-name [ force ]

undo ip subscriber dhcp domain

Default

No ISP domain is configured for DHCP users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

force: Specifies the ISP domain as the forced domain with the highest priority. If this keyword is not specified, the ISP domain is a non-forced domain.

Usage guidelines

This command configures an ISP domain for DHCP users. The specified ISP domain must exist on the BRAS.

For IPoE to operate properly when IPoE users access in loose mode, do not configure portal on access interfaces of these IPoE users. When DHCPv4 packet initiation is enabled on an interface, the ISP domains are used in the following order:

1.        Forced ISP domain specified by using this command. If the ISP domain does not exist, proceed with step 4.

2.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 4.

3.        Non-forced ISP domain specified by this command. If the ISP domain does not exist, proceed with step 4.

4.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

A DHCPv4 user accessing in non-loose mode can obtain an ISP domain in various ways. For how an ISP domain is determined when DHCPv4 packet initiation is enabled and portal authentication is configured, see "ip subscriber dhcp option60 match."

For users accessing in non-loose mode, if DHCPv4 packet initiation is enabled, portal authentication is not configured, and multiple ISP domains are available, the ISP domains are used in the following order:

1.        Forced ISP domain specified by using this command. If the ISP domain does not exist, proceed with step 9.

2.        ISP domain generated based on the domain name generation rule configured by the ip subscriber dhcp domain include command if the following conditions exist:

○  The string selected from Option 60 contains the trusted domain.

○  The BRAS trusts Option 60.

○  The interface is configured with the ip subscriber dhcp domain include command.

If the ISP domain does not exist, proceed with step 7.

3.        Trusted ISP domain configured by the ip subscriber dhcp option60 match command if the following conditions exist:

○  The string selected from Option 60 contains the trusted domain.

○  The BRAS trusts Option 60.

○  The interface is not configured with the ip subscriber dhcp domain include command.

If the ISP domain does not exist, proceed with step 7.

4.        ISP domain selected according to the rule for packets that do not carry Option 60 if the following conditions exist:

○  The BRAS trusts Option 60.

○  The string selected from Option 60 does not contain the trusted domain.

In this case, the contents of Option 60 are ignored and not used for generating a domain name.

If the ISP domain does not exist, proceed with step 7.

5.        ISP domain generated based on the domain name generation rule configured by the ip subscriber dhcp domain include command if the following conditions exist:

○  The BRAS trusts Option 60.

○  The interface is not configured with the ip subscriber dhcp option60 match command.

○  Option 60 does not contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

○  The interface is configured with the ip subscriber dhcp domain include command.

If the ISP domain does not exist, proceed with step 7.

6.        ISP domain automatically selected from Option 60 if the following conditions exist:

○  The BRAS trusts Option 60.

○  The interface is not configured with the ip subscriber dhcp option60 match or ip subscriber dhcp domain include command.

○  The information in Option 60 contains no invalid characters.

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

If the ISP domain does not exist, proceed with step 7.

7.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 9.

8.        Non-forced ISP domain specified by this command. If the ISP domain does not exist, proceed with step 9.

9.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For users to pass authentication successfully, make sure the ISP domains selected for users exist on the device and are completely configured.

When the contents in an option are used as ISP domains, make sure the ISP domain names exist on the device. Otherwise, these ISP domains are considered as unavailable.

Make sure Option 60 does not contain null terminators or non-printable characters.
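The nine-step order above for non-loose DHCPv4 users without portal authentication, written out as a Python resolver. This is an added example, not H3C code: the Iface model, the function names and the AAA placeholder are hypothetical, the Option 60 match is assumed to be a plain substring test, and the include rule is limited to Option 60 part + separator + VLAN. Because Option 60 is supplied by the client, the resolver shows which domain a given value would land in under a given trust configuration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

AAA = "<selected by AAA module>"   # step 9 placeholder; AAA logic is not on this page
INVALID = set('/\\|":*?<>')        # invalid characters listed for step 6


@dataclass
class Iface:
    """Assumed model of the commands that feed domain selection on one interface."""
    trust_option60: bool = False               # ip subscriber trust option60
    forced: Optional[str] = None               # ip subscriber dhcp domain NAME force
    non_forced: Optional[str] = None           # ip subscriber dhcp domain NAME
    service: Optional[str] = None              # service-specific ISP domain
    match: Optional[str] = None                # ip subscriber dhcp option60 match STRING
    include: Optional[Tuple[str, str]] = None  # (separator, "vlan" or "second-vlan")


def check_option60(opt60: str) -> None:
    """Reject null terminators and non-printable characters in Option 60.

    The page does not say how the device treats such input, so the model
    refuses to resolve it instead of guessing.
    """
    bad = [c for c in opt60 if not 32 <= ord(c) < 127]
    if bad:
        raise ValueError(f"Option 60 contains non-printable characters: {bad!r}")


def select_domain(cfg, existing, opt60=None, vlan=None, second_vlan=None):
    """Return (step, domain): the step that supplied the domain and its name."""
    known = {d.lower() for d in existing}      # domain names are case-insensitive

    def exists(name):
        return name.lower() in known

    def generated(base):                       # Option 60 part + separator + VLAN
        sep, fld = cfg.include
        return f"{base}{sep}{vlan if fld == 'vlan' else second_vlan}"

    # Step 1: a forced domain wins; if it does not exist, go straight to step 9.
    if cfg.forced is not None:
        return (1, cfg.forced) if exists(cfg.forced) else (9, AAA)

    # Steps 2-6: at most one applies, and only when Option 60 is trusted.
    step, cand = None, None
    if cfg.trust_option60 and opt60 is not None:
        check_option60(opt60)
        if cfg.match is not None:
            if cfg.match in opt60:             # assumed: plain substring match
                step, cand = (2, generated(cfg.match)) if cfg.include else (3, cfg.match)
            # Otherwise step 4: Option 60 is ignored and the packet is
            # handled like one that does not carry the option.
        elif not set(opt60) & INVALID:
            if cfg.include is None:
                step, cand = 6, opt60          # client-supplied string is the domain
            elif "@" not in opt60:             # step 5 also excludes the at sign
                step, cand = 5, generated(opt60)
    if cand is not None and exists(cand):
        return step, cand

    # Steps 7 and 8: a configured domain that does not exist skips to step 9.
    if cfg.service is not None:
        return (7, cfg.service) if exists(cfg.service) else (9, AAA)
    if cfg.non_forced is not None:
        return (8, cfg.non_forced) if exists(cfg.non_forced) else (9, AAA)
    return 9, AAA


if __name__ == "__main__":
    domains = {"ipoe#10", "dm1"}               # constructed set of existing domains
    cfg = Iface(trust_option60=True, match="ipoe",
                include=("#", "vlan"), non_forced="dm1")
    print(select_domain(cfg, domains, "ipoe", vlan=10))    # matched, generated name
    print(select_domain(cfg, domains, "other", vlan=10))   # no match, falls to step 8
```

With Option 60 trusted and neither a match string nor an include rule configured, step 6 lets the client-supplied string name any existing domain; configuring ip subscriber dhcp option60 match restricts that choice to the trusted string.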

A DHCPv6 user can obtain an ISP domain in various ways.

Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.

For how an ISP domain is determined when DHCPv6 packet initiation is enabled and portal authentication is configured, see "ip subscriber dhcpv6 match."

If DHCPv6 packet initiation is enabled, portal authentication is not configured, and multiple ISP domains are available, the ISP domains are used in the following order:

1.        Forced ISP domain specified by using this command. If the ISP domain does not exist, proceed with step 7.

2.        Trusted ISP domain configured by the ip subscriber dhcpv6 option16 match command if the following conditions exist:

○  The string selected from Option 16 contains the trusted domain.

○  The BRAS trusts Option 16.

If the ISP domain does not exist, proceed with step 5.

3.        ISP domain selected according to the rule for packets that do not carry Option 16 if the following conditions exist:

○  The BRAS trusts Option 16.

○  The interface is configured with the ip subscriber dhcpv6 option16 match command, but the specified string cannot be matched in the specified position of Option 16.

If the ISP domain does not exist, proceed with step 5.

4.        ISP domain automatically selected from Option 16 if the following conditions exist:

○  The BRAS trusts Option 16.

○  The interface is not configured with the ip subscriber dhcpv6 option16 match command.

○  The information in Option 16 contains no invalid characters.

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

If the ISP domain does not exist, proceed with step 5.

5.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 7.

6.        Non-forced ISP domain specified by this command. If the ISP domain does not exist, proceed with step 7.

7.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Make sure Option 16 does not contain null terminators or non-printable characters.

Examples

# Configure ISP domain dm1 for DHCPv4 users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcp domain dm1

Related commands

ip subscriber access-trigger loose

ip subscriber dhcp domain include

ip subscriber dhcp option60 match

ip subscriber dhcpv6 match

ip subscriber initiator dhcp enable

ip subscriber trust

ip subscriber dhcp domain include

Use ip subscriber dhcp domain include to configure a domain name generation rule for DHCPv4 users.

Use undo ip subscriber dhcp domain include to restore the default.

Syntax

ip subscriber dhcp domain include vendor-class [ separator separator ] second-vlan [ separator separator ] | string string [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber dhcp domain include

Default

No domain name generation rule for DHCPv4 users is configured.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

vendor-class: Uses the Option 60 information in DHCPv4 packets for generating a domain name.

separator separator: Specifies a case-insensitive character for separating an option and the option that follows. It cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

second-vlan: Uses the inner VLAN in authentication packets for generating a domain name.

string string: Specifies a case-sensitive string of 1 to 64 characters for generating a domain name. It cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

vlan: Uses the outer VLAN in authentication packets for generating a domain name.

Usage guidelines

You can configure this command when the following conditions exist:

·          DHCP users use the information in Option 60 as ISP domains.

·          Differentiated authentication is required for DHCP users that have the same Option 60 and come online through the same interface.

For example, user A and user B belong to different VLANs but have the same Option 60 and come online through the same interface. To assign user A and user B to different ISP domains and authorize different address pools based on ISP domains, configure this command to generate ISP domain names by using the Option 60 + VLAN combination.

If this command is configured when the DHCP users use information in Option 60 as the ISP domains, the generated ISP domain name is as follows: String selected from the Option 60 as an ISP domain + parameters configured by using this command. For information about selecting ISP domains, see "ip subscriber dhcp domain."

This command takes effect only when DHCP users use information in the Option 60 as ISP domains.

For the device to parse information in Option 60 correctly and generate correct ISP domain names, make sure Option 60 does not contain null terminators or non-printable characters.

Examples

# Configure a domain name generation rule on GigabitEthernet 3/1/1.1 as follows: trusted string from the Option 60 field in DHCP packets (ipoe) + separator (#) + customer VLAN (suppose the customer VLAN is 10). The generated domain name is ipoe#10.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.1

[Sysname-GigabitEthernet3/1/1.1] ip subscriber trust option60

[Sysname-GigabitEthernet3/1/1.1] ip subscriber dhcp option60 match ipoe

[Sysname-GigabitEthernet3/1/1.1] ip subscriber dhcp domain include vendor-class separator # vlan

# Configure a domain name generation rule on GigabitEthernet 3/1/1.1 as follows: the whole Option 60 field in DHCP packets (suppose all information in Option 60 is domain123456) + separator (#) + customer VLAN (suppose the customer VLAN is 10). The generated domain name is domain123456#10.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.1

[Sysname-GigabitEthernet3/1/1.1] ip subscriber trust option60

[Sysname-GigabitEthernet3/1/1.1] ip subscriber dhcp domain include vendor-class separator # vlan

Related commands

ip subscriber dhcp domain

ip subscriber dhcp option60 match

ip subscriber trust

ip subscriber dhcp max-session

Use ip subscriber dhcp max-session to set the IPoE session limit for DHCPv4 packet initiation on an interface.

Use undo ip subscriber dhcp max-session to restore the default.

Syntax

ip subscriber dhcp max-session max-number

undo ip subscriber dhcp max-session

Default

The IPoE session limit for DHCPv4 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for DHCPv4 packet initiation in the range of 1 to 64000.

Usage guidelines

If the IPoE session limit for DHCPv4 packet initiation is reached, no more IPoE sessions can be initiated by DHCPv4 packets. IPoE sessions initiated by DHCPv4 packets include IPv4 single-stack sessions and dual-stack sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber dhcpv6 max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is configured together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions from different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for DHCPv4 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcp max-session 100

Related commands

display ip subscriber session

ip subscriber initiator dhcp enable

ip subscriber max-session

reset ip subscriber session

ip subscriber dhcp option60 match

Use ip subscriber dhcp option60 match to configure trusted ISP domains for DHCPv4 users.

Use undo ip subscriber dhcp option60 match to restore the default.

Syntax

ip subscriber dhcp option60 match string [ offset offset ] [ length length ]

undo ip subscriber dhcp option60 match string

Default

No trusted ISP domains are configured for DHCPv4 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

string: Specifies a trusted ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

offset offset: Specifies an offset for the string starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.

length length: Specifies the length of the string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used to match the trusted ISP domain.

Usage guidelines

A DHCPv4 user can obtain an ISP domain in various ways. For how an ISP domain is determined when DHCPv4 packet initiation is enabled and portal authentication is not configured, see "ip subscriber dhcp domain."

If DHCPv4 packet initiation is enabled and portal authentication is configured, the following situations occur:

·          If the string selected from Option 60 contains the trusted ISP domain, DHCPv4 packet initiation triggers IPoE authentication and selects an ISP domain for IPoE authentication in the following order:

a.    Forced ISP domain configured by using the ip subscriber dhcp domain command. If the ISP domain does not exist, proceed with step d.

b.    If the string selected from Option 60 contains the trusted ISP domain:

-      When the interface is configured with the ip subscriber dhcp domain include command, the ISP domain name generated according to the domain name generation rule is used for authentication.

-      When the interface is not configured with the ip subscriber dhcp domain include command, the DHCPv4 user uses the trusted ISP domain for IPoE authentication.

c.    When the interface is not configured to trust Option 60 in DHCPv4 packets, for how to select an ISP domain, see "ip subscriber dhcp domain."

d.    ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·          If the string selected from Option 60 does not contain the trusted ISP domain, DHCPv4 packet initiation triggers portal authentication. For more information about portal authentication, see portal configuration in BRAS Services Configuration Guide.

Make sure Option 60 does not include null terminators or non-printable characters.

You can use this command multiple times.

Examples

# On GigabitEthernet3/1/1, configure trusted ISP domain ipoe to match the string with an offset of 1 and a length of 10 bytes from Option 60.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcp option60 match ipoe offset 1 length 10
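The selection and match rules described above can be checked against captured Option 60 values before a rule is rolled out. The following Python model is an added example, not H3C code: it covers only the case where portal authentication is configured and no forced ISP domain exists, and it assumes that rules are tried in configuration order, that an option shorter than offset + length yields the bytes that are present, and that an option containing a null terminator or non-printable byte is reported as unparseable (the page only says such options must be avoided). The names MatchRule, classify, and report are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class MatchRule:
    """One 'ip subscriber dhcp option60 match' line on the interface."""
    domain: str                    # trusted ISP domain, compared case-insensitively
    offset: Optional[int] = None   # 1-based starting byte (1 to 63)
    length: Optional[int] = None   # number of bytes selected (1 to 63)

    def __post_init__(self) -> None:
        for name, value in (("offset", self.offset), ("length", self.length)):
            if value is not None and not 1 <= value <= 63:
                raise ValueError(f"{name} must be in the range 1 to 63")


def is_clean(raw: bytes) -> bool:
    """True when the option holds only printable ASCII (no NUL, no control bytes)."""
    return bool(raw) and all(0x20 <= b <= 0x7E for b in raw)


def select(raw: bytes, rule: MatchRule) -> bytes:
    """Return the bytes of Option 60 selected by the rule's offset and length."""
    start = (rule.offset or 1) - 1          # no offset: start at the first byte
    end = len(raw) if rule.length is None else start + rule.length
    # Assumption: an option shorter than offset + length yields the bytes present.
    return raw[start:end]


def classify(raw: bytes, vlan: int, rules: Sequence[MatchRule],
             separator: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (outcome, ISP domain) for one DHCPv4 client.

    outcome is "ipoe" when the selected string contains a trusted ISP domain,
    "portal" when it does not, and "unparseable" (assumption) when Option 60
    carries a NUL terminator or non-printable byte.
    separator models 'ip subscriber dhcp domain include vendor-class
    separator <char> vlan'; None means that command is not configured.
    """
    if not is_clean(raw):
        return ("unparseable", None)
    for rule in rules:                       # assumption: configuration order
        selected = select(raw, rule).decode("ascii").lower()
        if rule.domain.lower() in selected:  # "contains", case-insensitive
            domain = rule.domain
            if separator is not None:
                domain = f"{domain}{separator}{vlan}"
            return ("ipoe", domain)
    return ("portal", None)


# Constructed sample values (Option 60 payload, customer VLAN), not real captures.
SAMPLES = [
    (b"ipoe", 10),            # the value used in the page's first example
    (b"vendorA-ipoe", 20),    # trusted string lies past byte 10
    (b"ipoe\x00", 10),        # client appended a C-style NUL terminator
    (b"MSFT 5.0", 30),        # unrelated vendor class
]


def report(rules: Sequence[MatchRule],
           separator: Optional[str] = None) -> List[tuple]:
    """Classify every constructed sample under the given rules."""
    return [(raw, *classify(raw, vlan, rules, separator)) for raw, vlan in SAMPLES]


if __name__ == "__main__":
    # Rule from the example above: match ipoe offset 1 length 10
    for raw, outcome, domain in report([MatchRule("ipoe", offset=1, length=10)], "#"):
        print(f"{raw!r:20} -> {outcome:12} {domain or '-'}")
```

Because Option 60 is supplied by the client, a run like this also shows which values a rule admits to IPoE authentication in the trusted domain and which ones fall back to portal authentication.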

Related commands

ip subscriber dhcp domain

ip subscriber dhcp domain include

ip subscriber trust

ip subscriber dhcp password

Use ip subscriber dhcp password to specify a string from DHCPv4 packets as the password for DHCPv4 users.

Use undo ip subscriber dhcp password to restore the default.

Syntax

ip subscriber dhcp password { circuit-id mac | option60 [ offset offset ] [ length length ] | user-class }

undo ip subscriber dhcp password

Default

The BRAS does not use the password specified in DHCPv4 packets for DHCPv4 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

circuit-id: Specifies the DHCPv4 Option82 sub-option1 field in DHCPv4 packets.

mac: Uses the MAC address in the Circuit-ID (Option82 sub-option1) field as the password.

option60: Uses a string from Option 60 in DHCPv4 packets as the password.

offset offset: Specifies an offset for the password starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.

length length: Specifies the length of the password string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used as the password.

user-class: Uses a string from Option 77 in DHCPv4 packets as the password.

Usage guidelines

Passwords configured by the ip subscriber dhcp password command are used for authentication, and must be the same as those configured on the AAA server.

A DHCPv4 user can obtain a password in various ways.

For a DHCPv4 user accessing in loose mode, the passwords are used in the following order:

1.        Password configured by using the ip subscriber password command.

2.        Default password: vlan.

For a DHCPv4 user accessing in non-loose mode, the passwords are used in the following order:

1.        Password configured by using the ip subscriber dhcp password user-class command if the following conditions exist:

-      The ip subscriber dhcp password user-class command is configured.

-      The ip subscriber trust option77 command is configured. Option 77 does not contain null terminators or non-printable characters.

2.        Password configured by using the ip subscriber dhcp password option60 command if the BRAS trusts Option 60 and Option 60 does not contain null terminators or non-printable characters.

3.        Password configured by using the ip subscriber dhcp password circuit-id mac command if the BRAS trusts Option 82 and the MAC address in the Circuit-ID carried in DHCPv4 packets does not contain null terminators or non-printable characters.

4.        Password configured by using the ip subscriber password command.

5.        Default password: vlan.

Examples

# Specify the string with an offset of 10 and a length of 20 bytes from Option 60 as the password for DHCPv4 users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcp password option60 offset 10 length 20

Related commands

ip subscriber access-trigger loose

ip subscriber initiator dhcp enable

ip subscriber password

ip subscriber trust

ip subscriber dhcp username

ip subscriber dhcp username

Use ip subscriber dhcp username to configure an authentication user naming convention for DHCP users.

Use undo ip subscriber dhcp username to restore the default.

Syntax

ip subscriber dhcp username include { circuit-id [ mac ] [ separator separator ] | client-id [ separator separator ] | hostname [ original ] [ separator separator ] | nas-port-id [ separator separator ] | port [ separator separator ] | remote-id [ separator separator ] | second-vlan [separator separator ] | slot [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [separator separator ] | sysname [separator separator ] | vendor-class [ absent-replace | original ] * [ separator separator ] | vendor-specific [ separator separator ] | vlan [separator separator ] } *

undo ip subscriber dhcp username

Default

No authentication user naming convention is configured for DHCP users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

circuit-id: Includes the DHCPv4 Option 82 sub-option 1 or DHCPv6 Option 18 information in a username.

mac: Includes the MAC address in the Circuit-ID (Option82 sub-option1) field in the username. If this keyword is not specified, all information in the Circuit-ID (Option82 sub-option1) field is included in the username.

client-id: Includes the DHCPv4 Option 61 or DHCPv6 Option 1 information in a username.

hostname: Includes the DHCPv4 Option12 in a username.

nas-port-id: Includes the NAS-Port-ID attribute carried in the authentication request packet in a username.

port: Includes the number of the port that receives the user packets in a username.

remote-id: Includes the DHCPv4 Option 82 sub-option 2 or DHCPv6 Option 37 information in a username.

second-vlan: Includes the inner VLAN ID in a username.

slot: Includes the number of the slot that receives the user packets in a username.

source-mac: Includes the source MAC address in a username.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

string string: Includes the specified string in a username, a case-sensitive string of 1 to 64 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

subslot: Includes the number of the subslot that receives the user packets in a username.

sysname: Includes the name of the device that receives the user packets in a username.

vendor-class: Includes the DHCPv4 Option 60 or DHCPv6 Option 16 information in a username.

absent-replace: Uses the authentication domain name of a user to replace the missing option in the username when the DHCPv4 Option60 or DHCPv6 Option16 field does not exist in DHCP packets. If you do not specify this keyword, the option part in the username is empty.

vendor-specific: Includes the DHCPv4 Option 82 sub-option 9 or DHCPv6 Option 17 information in a username.

vlan: Includes the outer VLAN ID in a username.

original: Directly uses the original information in the DHCPv4 Option 12, the DHCPv4 Option 60, or DHCPv6 Option 16 field in DHCP packets as the username and passes it to the authentication server for authentication. If this keyword is not specified, when Option 12, Option 60, or Option 16 contains non-printable characters, the device translates the non-printable characters into printable characters and then passes the translated information to the authentication server for authentication.

separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

Usage guidelines

Usernames obtained based on the naming convention are used for authentication, authorization, and accounting, and must be the same as those configured on the AAA server.

For DHCPv4 users accessing in loose mode, the packets do not carry DHCP Option information. Therefore, the circuit-id, mac, client-id, remote-id, vendor-class, absent-replace, original, or vendor-specific keyword does not take effect. Even if these keywords are specified, usernames are generated as if they were not specified. DHCPv6 users cannot access in loose mode.

You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.

Options used as the username information cannot include null terminators or non-printable characters.

Examples

# Configure information carried in the Client Identifier Option as the authentication usernames for DHCP users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcp username include client-id

# Configure an authentication user naming convention for DHCP users on GigabitEthernet 3/1/1. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcp username include sysname separator # slot separator # subslot separator # port separator # vlan

Related commands

ip subscriber access-trigger loose

ip subscriber initiator dhcp enable

ip subscriber initiator dhcpv6 enable

ip subscriber password

ip subscriber trust

ip subscriber dhcpv6 match

Use ip subscriber dhcpv6 match to configure trusted ISP domains for DHCPv6 users.

Use undo ip subscriber dhcpv6 match to restore the default.

Syntax

ip subscriber dhcpv6 { option16 | option17 } match string [ offset offset ] [ length length ]

undo ip subscriber dhcpv6 { option16 | option17 } match string

Default

No trusted ISP domains are configured for DHCPv6 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

option16: Specifies Option 16 in DHCPv6 packets.

option17: Specifies Option 17 in DHCPv6 packets.

string: Specifies a trusted ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

offset offset: Specifies an offset for the string starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.

length length: Specifies the length of the string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used to match the trusted ISP domain.

Usage guidelines

A DHCPv6 user can obtain an ISP domain in various ways.

Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.

For how an ISP domain is determined when DHCPv6 packet initiation is enabled and portal authentication is not configured, see "ip subscriber dhcp domain."

If DHCPv6 packet initiation is enabled and portal authentication is configured, the following situations occur:

·          If the string selected from Option 16 contains the trusted ISP domain, DHCPv6 packet initiation triggers IPoE authentication and selects an ISP domain for IPoE authentication in the following order:

a.    Forced ISP domain configured by using the ip subscriber dhcp domain command. If the ISP domain does not exist, proceed with step d.

b.    Trusted string when the interface is configured to trust Option 16 in DHCPv6 packets.

c.    When the interface is not configured to trust Option 16 in DHCPv6 packets, for how to select an ISP domain, see "ip subscriber dhcp domain."

d.    ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·          If the string selected from Option 16 does not contain the trusted ISP domain, DHCPv6 packet initiation triggers portal authentication. For more information about portal authentication, see portal configuration in BRAS Services Configuration Guide.

Make sure Option 16 does not include null terminators or non-printable characters.

You can use this command multiple times.

You can only select a string from the first 255 characters of Option 16 to match the trusted ISP domain. If the selected string contains characters that do not belong to the first 255 characters, the match fails.

Examples

# On GigabitEthernet3/1/1, configure trusted ISP domain ipoe to match the string with an offset of 1 and a length of 10 bytes from Option 16.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcpv6 option16 match ipoe offset 1 length 10

Related commands

ip subscriber dhcpv6 domain

ip subscriber trust

ip subscriber dhcpv6 max-session

Use ip subscriber dhcpv6 max-session to set the IPoE session limit for DHCPv6 packet initiation on an interface.

Use undo ip subscriber dhcpv6 max-session to restore the default.

Syntax

ip subscriber dhcpv6 max-session max-number

undo ip subscriber dhcpv6 max-session

Default

The IPoE session limit for DHCPv6 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for DHCPv6 packet initiation, in the range of 1 to 64000.

Usage guidelines

If the IPoE session limit for DHCPv6 packet initiation is reached, no more IPoE sessions can be initiated by DHCPv6 packets. IPoE sessions initiated by DHCPv6 packets include IPv6 single-stack sessions and dual-stack sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber dhcp max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is configured together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions from different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for DHCPv6 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcpv6 max-session 100

Related commands

display ip subscriber session

ip subscriber initiator dhcpv6 enable

ip subscriber max-session

reset ip subscriber session

ip subscriber dhcpv6 password option16

Use ip subscriber dhcpv6 password option16 to specify a string from Option 16 or Option 17 as the password for DHCPv6 users.

Use undo ip subscriber dhcpv6 password option16 to restore the default.

Syntax

ip subscriber dhcpv6 password option16 [ offset offset ] [ length length ]

undo ip subscriber dhcpv6 password option16

Default

The BRAS does not use the password specified in Option 16 or Option 17 for DHCPv6 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

offset offset: Specifies an offset for the password starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of Option 16 or Option 17 is the starting byte.

length length: Specifies the length of the password string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used as the password.

Usage guidelines

Passwords configured by using this command are used for authentication, and must be the same as those configured on the AAA server.

A DHCPv6 user can obtain a password in various ways. If multiple passwords are available for a DHCPv6 user, the passwords are used in the following order:

1.        Password configured by using this command if the BRAS trusts Option 16 or Option 17 and Option 16 or Option 17 does not contain null terminators or non-printable characters.

2.        Password configured by using the ip subscriber password command.

3.        Default password: vlan.

Examples

# Specify the string with an offset of 10 and a length of 20 bytes from Option 16 or Option 17 as the password for DHCPv6 users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber dhcpv6 password option16 offset 10 length 20
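The password orders given above for DHCPv6 users and, under ip subscriber dhcp password, for DHCPv4 users in loose and non-loose mode both end at the default password vlan. The following Python audit is an added example, not H3C code: it reports which password source a sample client ends up with on each interface and lists the interfaces that fall through to the default. The Interface fields, interface names, and option values are constructed; the model assumes an absent option is treated like an unusable one, and it represents the MAC address in the Circuit-ID by the value stored under key 82.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DEFAULT = "default password (vlan)"
STATIC = "ip subscriber password"


def usable(value: Optional[bytes]) -> bool:
    """Option present, with no NUL terminator or non-printable byte."""
    return bool(value) and all(0x20 <= b <= 0x7E for b in value)


@dataclass(frozen=True)
class Interface:
    """Hypothetical summary of the password-related settings on one interface."""
    name: str
    loose: bool = False                      # DHCPv4 users access in loose mode
    dhcp_password: Optional[str] = None      # "user-class", "option60" or "circuit-id mac"
    dhcpv6_password_option16: bool = False   # ip subscriber dhcpv6 password option16
    trusted: FrozenSet[int] = frozenset()    # option numbers the BRAS trusts
    static_password: bool = False            # ip subscriber password is configured


# Option read by each 'ip subscriber dhcp password' keyword, in the page's order.
V4_SOURCES = (("user-class", 77), ("option60", 60), ("circuit-id mac", 82))


def dhcpv4_source(intf: Interface, options: Dict[int, bytes]) -> str:
    """Password source for a DHCPv4 user, following the documented order."""
    if not intf.loose:                       # loose mode uses only the last two steps
        for keyword, option in V4_SOURCES:
            if (intf.dhcp_password == keyword and option in intf.trusted
                    and usable(options.get(option))):
                return f"dhcp password {keyword}"
    return STATIC if intf.static_password else DEFAULT


def dhcpv6_source(intf: Interface, options: Dict[int, bytes]) -> str:
    """Password source for a DHCPv6 user, following the documented order."""
    if intf.dhcpv6_password_option16 and any(
            opt in intf.trusted and usable(options.get(opt)) for opt in (16, 17)):
        return "dhcpv6 password option16"
    return STATIC if intf.static_password else DEFAULT


# Constructed cases: (interface settings, IP family, options in the client's packet).
CASES: List[Tuple[Interface, int, Dict[int, bytes]]] = [
    (Interface("GE3/1/1", dhcp_password="option60", trusted=frozenset({60})),
     4, {60: b"stb-secret-01"}),
    (Interface("GE3/1/2", dhcp_password="option60"),            # Option 60 not trusted
     4, {60: b"stb-secret-01"}),
    (Interface("GE3/1/3", dhcp_password="user-class", trusted=frozenset({77}),
               static_password=True),
     4, {77: b"pw\x00"}),                                       # NUL-terminated Option 77
    (Interface("GE3/1/4", loose=True, dhcp_password="option60",
               trusted=frozenset({60})),
     4, {}),                                                    # loose mode: no options
    (Interface("GE3/1/5", dhcpv6_password_option16=True, trusted=frozenset({16})),
     6, {17: b"v6-secret"}),                                    # only untrusted Option 17
]


def resolve(cases=CASES) -> List[Tuple[str, str]]:
    """(interface name, password source) for every case."""
    return [(intf.name,
             dhcpv4_source(intf, opts) if family == 4 else dhcpv6_source(intf, opts))
            for intf, family, opts in cases]


def audit(cases=CASES) -> List[str]:
    """Interfaces whose sample client authenticates with the default password."""
    return [name for name, source in resolve(cases) if source == DEFAULT]


if __name__ == "__main__":
    for name, source in resolve():
        print(f"{name}: {source}")
    print("default password in use on:", ", ".join(audit()))
```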

Related commands

ip subscriber initiator dhcpv6 enable

ip subscriber password

ip subscriber trust

ip subscriber dhcp username

ip subscriber dscp

Use ip subscriber dscp to bind an ISP domain to IPoE users who send IP packets with the specified DSCP values.

Use undo ip subscriber dscp to remove the binding between an ISP domain and IPoE users who send IP packets with the specified DSCP values.

Syntax

ip subscriber dscp dscp-value-list domain domain-name

undo ip subscriber dscp dscp-value-list

Default

No ISP domain is bound to IPoE users who send IP packets with the specified DSCP values.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

dscp-value-list: Specifies a space-separated list of up to eight DSCP value items. Each item specifies a DSCP value or a range of DSCP values in the form of start-DSCP-value to end-DSCP-value. The DSCP value is in the range of 0 to 63.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

For this command, IPoE users include DHCP users, unclassified-IP users, and static individual users.

For how an authentication domain is selected for a DHCP user, see the ip subscriber dhcp domain command.

For how an authentication domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.

For how an authentication domain is selected for a static IPoE user, see the ip subscriber session static command.

For how an authentication domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an authentication domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

For how an authentication domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.

For the ip subscriber dscp command to take effect, you must first execute the ip subscriber service-identify dscp command to configure the DSCP value as the service identifier.

Examples

# Configure ISP domain dscpdm for IPoE users who send IP packets with DSCP values 1 to 4 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber service-identify dscp

[Sysname-GigabitEthernet3/1/1] ip subscriber dscp 1 to 4 domain dscpdm

Related commands

ip subscriber service-identify

ip subscriber enable

Use ip subscriber enable to enable IPoE and configure an IPoE access mode for users.

Use undo ip subscriber enable to disable IPoE for users.

Syntax

ip subscriber { l2-connected | routed } enable [ ipv4 | ipv6 ]

undo ip subscriber { l2-connected | routed } enable

Default

IPoE is disabled for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

l2-connected: Specifies the Layer 2 access mode.

routed: Specifies the Layer 3 access mode.

ipv4: Enables IPoE for the IPv4 protocol stack.

ipv6: Enables IPoE for the IPv6 protocol stack.

Usage guidelines

If you do not specify the ipv4 or ipv6 keyword, this command enables IPoE for both IPv4 and IPv6 protocol stacks.

IPoE configurations for the IPv4 or IPv6 protocol stack take effect on an interface only when IPoE is enabled on the interface for the IPv4 or IPv6 protocol stack. For interface-leased users, L2VPN-leased users, and dual-stack static users to come online, you must enable IPoE for both IPv4 and IPv6 protocol stacks.

To change the IPoE access mode on an interface, you must disable IPoE, and then enable IPoE with a new IPoE access mode.

If you do not change the IPoE access mode, you can execute this command multiple times to modify the protocol stack for IPoE as follows:

·          Single to dual: No matter whether the current protocol stack has online IPoE sessions, you can execute this command to modify the current protocol stack from single to dual.

·          Dual to single/IPv4 to IPv6/IPv6 to IPv4 (without IPoE sessions in the current stack): If the current protocol stack does not have IPoE sessions, you can execute this command directly to modify the current protocol stack to the specified protocol stack.

·          Dual to single/IPv4 to IPv6/IPv6 to IPv4 (with IPoE sessions in the current stack): If the current protocol stack has online IPoE sessions, perform the following tasks:

a.    Execute the ip subscriber access-block command to forbid IPoE users from coming online.

b.    For individual users, execute the corresponding reset commands to reset or delete all IPoE sessions in the current protocol stack. For leased users, execute the corresponding undo commands to delete leased user configuration.

c.    Execute the ip subscriber enable command to enable IPoE for the specified protocol stack.

d.    Execute the undo ip subscriber access-block command to allow IPoE users to come online.

When you change dual stack or IPv6 single stack to IPv4 single stack on an interface, IPoE sessions exist in the current protocol stack if one of the following conditions exists:

·          Interface-leased, L2VPN-leased, IPv6 subnet-leased, IPv6 dynamic individual (including dual-stack), or IPv6 global static individual (including dual-stack) sessions in any state exist.

·          IPv6 interface-level static individual sessions (including dual-stack) in a state other than Init exist.

When you change dual stack or IPv4 single stack to IPv6 single stack on an interface, IPoE sessions exist in the current protocol stack if one of the following conditions exists:

·          Interface-leased, L2VPN-leased, IPv4 subnet-leased, IPv4 dynamic individual (including dual-stack), or IPv4 global static individual (including dual-stack) sessions in any state exist.

·          IPv4 interface-level static individual sessions (including dual-stack) in a state other than Init exist.

To ensure successful traffic statistics in aggregate interface view, use the service command to specify a service card for traffic statistics. For more information about the service command, see Layer 2—LAN Switching Command Reference.

For IPoE configuration to take effect on an interface, make sure the qos apply user-profile command has not been executed on the interface. For more information about the qos apply user-profile command, see user profiles commands in BRAS Services Command Reference.

Examples

# Enable IPoE and configure the Layer 2 access mode for both IPv4 and IPv6 protocol stacks on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber l2-connected enable

Related commands

qos apply user-profile (BRAS Services Command Reference)

reset ip subscriber interface-leased

reset ip subscriber session

reset ip subscriber subnet-leased

service (Layer 2—LAN Switching Command Reference)

ip subscriber http-fast-reply enable

Use ip subscriber http-fast-reply enable to enable HTTP packet fast reply on an interface.

Use undo ip subscriber http-fast-reply enable to disable HTTP packet fast reply on an interface.

Syntax

ip subscriber http-fast-reply enable

undo ip subscriber http-fast-reply enable

Default

HTTP packet fast reply is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

This command is available only on CSPEX cards (except CSPEX-1204 and CSPEX-1104-E) and CEPC cards.

When a user using a browser to perform Web authentication does not access the portal Web server, the access device will redirect the HTTP requests to the CPU. Then, the CPU pushes the Web authentication page of the portal Web server to the user. If an attacker sends a large number of HTTP requests to the device, the device suffers DoS attacks.

With this feature enabled on an interface, the device uses hardware to recognize HTTP requests and automatically responds with HTTP replies. This feature reduces the workload of the CPU and prevents DoS attacks.

This feature does not immediately take effect on users that have passed preauthentication and come online before this feature is enabled. This feature takes effect only when these users go offline and come online again after passing preauthentication or return to the preauthentication domain after passing Web authentication.

With both this feature and transparent authentication configured, a user first attempts to come online through transparent authentication. The hardware responds and pushes the Web authentication page if the user fails to come online through transparent authentication for one of the following reasons:

·          Transparent authentication binding query request times out.

·          The portal server returns a message showing that the user is not bound.

·          The AAA server returns authentication failure.

Examples

# Enable HTTP packet fast reply on interface GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber http-fast-reply enable

Related commands

ip subscriber authentication-method

ip subscriber if-match

Use ip subscriber if-match to configure a match rule for IPoE URL redirection.

Use undo ip subscriber if-match to delete an IPoE URL redirection match rule.

Syntax

ip subscriber if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent user-agent redirect-url url-string }

undo ip subscriber if-match { original-url url-string | user-agent user-agent }

Default

No IPoE URL redirection match rule is configured.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in Web access requests. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP or HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·          If des cipher is specified, the string length is 41 characters.

·          If des simple is specified, the string length is 8 characters.

·          If aes cipher is specified, the string length is 1 to 73 characters.

·          If aes simple is specified, the string length is 1 to 31 characters.

Usage guidelines

A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.

For a user to successfully access the redirection URL, configure a preauthentication domain user group ACL to allow HTTP or HTTPS requests destined for the redirection URL to pass.

You can configure the web-server url command in an ISP domain and the ip subscriber if-match command for URL redirection. The web-server url command redirects all HTTP or HTTPS requests from unauthenticated users to the Web server for authentication. The ip subscriber if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the ip subscriber if-match command takes priority to perform URL redirection.

Examples

# Configure a match rule to redirect HTTP requests destined for the URL http://www.abc.com.cn to the URL http://192.168.0.1 and use DES to encrypt the parameters carried in this redirection URL.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1 url-param-encryption des key simple 12345678

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

web-server url (BRAS Services Command Reference)

ip subscriber initiator arp enable

Use ip subscriber initiator arp enable to enable ARP packet initiation.

Use undo ip subscriber initiator arp enable to disable ARP packet initiation.

Syntax

ip subscriber initiator arp enable

undo ip subscriber initiator arp enable

Default

ARP packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

With ARP packet initiation enabled, a BRAS allows static IPoE users to initiate IPoE sessions by using ARP packets and records abnormally logged out DHCP users. When the BRAS receives ARP packets from abnormally logged out DHCP users, the BRAS can restore the IPoE sessions for these users based on the recorded information.

A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.

When an interface receives ARP packets from a user, the interface processes the packets in the following order:

1.        If the ARP packets match a configured IPoE static session, the user is processed as a static user.

2.        If the ARP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

3.        If the ARP packets match a roaming-capable user, the user is processed as a roaming user.

4.        The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

5.        If the ARP packets match none of the above, the ARP packets are dropped and the user cannot initiate a session by using ARP packets.

For a static individual user to initiate sessions by using ARP packets, make sure the following requirements are met:

·          ARP packet initiation is enabled.

·          The gateway IP address allocated to the static individual users must be one of the following IP addresses:

○  The IP address of the access interface.

○  A gateway address from the gateway address list specified by using the gateway-list export-route command.

Disabling ARP packet initiation does not affect online ARP-initiated static individual sessions.

Examples

# Enable ARP packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator arp enable

Related commands

display ip subscriber session

ip subscriber access-trigger loose

ip subscriber enable

ip subscriber initiator dhcp enable

ip subscriber initiator dhcpv6 enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator ndrs enable

ip subscriber roaming enable

reset ip subscriber session

ip subscriber initiator dhcp enable

Use ip subscriber initiator dhcp enable to enable DHCPv4 packet initiation.

Use undo ip subscriber initiator dhcp enable to disable DHCPv4 packet initiation.

Syntax

ip subscriber initiator dhcp enable

undo ip subscriber initiator dhcp enable

Default

DHCPv4 packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

If you enable DHCPv4 packet initiation on an interface, the first DHCP Discover or the DHCP Request packet initiates the IPoE session. If you disable DHCPv4 packet initiation on an interface, DHCPv4 packets cannot initiate IPoE sessions, but existing IPoE sessions initiated by DHCPv4 packets are not deleted.

You can enable DHCPv4 packet initiation and unclassified-IPv4 packet initiation on the same interface.

Examples

# Enable DHCPv4 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator dhcp enable

Related commands

display ip subscriber session

ip subscriber enable

ip subscriber initiator arp enable

ip subscriber initiator dhcpv6 enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator ndrs enable

reset ip subscriber session

ip subscriber initiator dhcpv6 enable

Use ip subscriber initiator dhcpv6 enable to enable DHCPv6 packet initiation.

Use undo ip subscriber initiator dhcpv6 enable to disable DHCPv6 packet initiation.

Syntax

ip subscriber initiator dhcpv6 enable

undo ip subscriber initiator dhcpv6 enable

Default

DHCPv6 packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

If you enable DHCPv6 packet initiation on an interface, the first DHCPv6 Solicit or DHCPv6 Request packet initiates the IPoE session. If you disable DHCPv6 packet initiation on an interface, DHCPv6 packets cannot initiate IPoE sessions, but existing IPoE sessions initiated by DHCPv6 packets are not deleted.

You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.

Examples

# Enable DHCPv6 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator dhcpv6 enable

Related commands

display ip subscriber session

ip subscriber enable

ip subscriber initiator arp enable

ip subscriber initiator dhcp enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator ndrs enable

reset ip subscriber session

ip subscriber initiator ndrs enable

Use ip subscriber initiator ndrs enable to enable IPv6 ND RS packet initiation.

Use undo ip subscriber initiator ndrs enable to disable IPv6 ND RS packet initiation.

Syntax

ip subscriber initiator ndrs enable

undo ip subscriber initiator ndrs enable

Default

IPv6 ND RS packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

If you enable IPv6 ND RS packet initiation on an interface, the first IPv6 ND RS packet initiates the IPoE session. If you disable IPv6 ND RS packet initiation on an interface, ND RS packets cannot initiate IPoE sessions. However, existing IPoE sessions initiated by ND RS packets are not deleted.

You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.

Examples

# Enable IPv6 ND RS packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator ndrs enable

Related commands

display ip subscriber session

ip subscriber enable

ip subscriber initiator arp enable

ip subscriber initiator dhcp enable

ip subscriber initiator dhcpv6 enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

reset ip subscriber session

ip subscriber initiator nsna enable

Use ip subscriber initiator nsna enable to enable NS/NA packet initiation.

Use undo ip subscriber initiator nsna enable to disable NS/NA packet initiation.

Syntax

ip subscriber initiator nsna enable

undo ip subscriber initiator nsna enable

Default

NS/NA packet initiation is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

With this command executed, when the interface receives NS packets with the source IP address as a global unicast address or NA packets with the source or target address as a global unicast address from a user, the interface processes the packets in the following order:

1.        If the packets match a configured static IPoE session, the user is processed as a static user.

2.        If the packets match a roaming user, the user is processed as a roaming user.

3.        If the packets match neither of the above, the user cannot initiate a session by using NS/NA packets.

For a user to initiate a session by using NS/NA packets, execute one of the following commands:

·          Execute the ip subscriber initiator unclassified-ipv6 enable command to enable unclassified-IPv6 packet initiation.

·          Execute the ip subscriber initiator nsna enable command to enable NS/NA packet initiation.

When both commands are configured, the following rules apply:

·          In Layer 2 access mode, if the source IPv6 address of received NS or NA packets is a global unicast address and the target IPv6 address is a non-multicast address, unclassified-IP packet initiation is used. Otherwise, matching NS or NA packets can initiate sessions, and non-matching NS or NA packets are dropped.

·          In Layer 3 access mode, NS or NA packets can only initiate sessions by using the NS/NA packet initiation method and cannot initiate sessions by using the unclassified-IPv6 initiation method.

With this feature disabled on an interface, the users that have come online by using the NS/NA packet initiation method on the interface are still online and not affected.

Examples

# Enable NS/NA packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator nsna enable

Related commands

display ip subscriber session

ip subscriber initiator unclassified-ipv6 enable

ip subscriber roaming enable

reset ip subscriber session

ip subscriber initiator unclassified-ip enable

Use ip subscriber initiator unclassified-ip enable to enable unclassified-IPv4 packet initiation.

Use undo ip subscriber initiator unclassified-ip enable to disable unclassified-IPv4 packet initiation.

Syntax

ip subscriber initiator unclassified-ip enable [ matching-user ]

undo ip subscriber initiator unclassified-ip enable

Default

Unclassified-IPv4 packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

matching-user: Allows only matching static users, abnormally logged out DHCP users, roaming users, and users accessing in loose mode to log in.

Usage guidelines

With unclassified-IPv4 packet initiation enabled, a BRAS allows IPoE users to initiate IPoE sessions by using unclassified-IP packets and records abnormally logged out DHCP users. When the BRAS receives IP packets from abnormally logged out DHCP users, the BRAS can restore the IPoE sessions for these users based on the recorded information.

A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.

If the matching-user keyword is specified, an interface processes the IP packets received from a user in the following order:

1.        If the IP packets match a configured IPoE static session, the user is processed as a static user.

2.        If the IP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

3.        If the IP packets match a roaming-capable user, the user is processed as a roaming user.

4.        The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

5.        If the IP packets match none of the above, the IP packets are dropped and the user cannot initiate a session by using unclassified-IP packets.

If the matching-user keyword is not specified, an interface processes the packets received from a user in the following order:

1.        If the IP packets match a configured IPoE static session, the user is processed as a static user.

2.        If the IP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

3.        If the IP packets match a roaming-capable user, the user is processed as a roaming user.

4.        The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

5.        If the IP packets match none of the above, the user initiates a session by using unclassified-IP packets.

If you disable unclassified-IPv4 packet initiation on an interface, existing IPoE sessions initiated by unclassified-IPv4 packets are not deleted.

You can enable DHCPv4 packet initiation and unclassified-IPv4 packet initiation on the same interface.

Examples

# Enable unclassified-IPv4 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ip enable

Related commands

display ip subscriber session

ip subscriber access-trigger loose

ip subscriber enable

ip subscriber initiator arp enable

ip subscriber initiator dhcp enable

ip subscriber initiator dhcpv6 enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator ndrs enable

ip subscriber roaming enable

reset ip subscriber session

ip subscriber initiator unclassified-ipv6 enable

Use ip subscriber initiator unclassified-ipv6 enable to enable unclassified-IPv6 packet initiation.

Use undo ip subscriber initiator unclassified-ipv6 enable to disable unclassified-IPv6 packet initiation.

Syntax

ip subscriber initiator unclassified-ipv6 enable [ matching-user ]

undo ip subscriber initiator unclassified-ipv6 enable

Default

Unclassified-IPv6 packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

matching-user: Allows only matching static users and roaming users to log in.

Usage guidelines

With unclassified-IPv6 packet initiation enabled, a BRAS allows IPoE users to initiate IPoE sessions by using unclassified-IPv6 packets. The function of recording abnormally logged out DHCPv6 users is not supported in the current software version.

If the matching-user keyword is specified, the interface processes the IPv6 packets received from a user in the following order:

1.        If the IPv6 packets match a configured IPoE static session, the user is processed as a static user.

2.        If the IPv6 packets match a roaming-capable user, the user is processed as a roaming user.

3.        If the IPv6 packets do not match a configured IPoE static session, the user cannot initiate a session by using unclassified-IPv6 packets.

If the matching-user keyword is not specified, the interface processes the IPv6 packets received from a user in the following order:

1.        If the IPv6 packets match a configured IPoE static session, the user is processed as a static user.

2.        If the IPv6 packets match a roaming-capable user, the user is processed as a roaming user.

3.        If the IPv6 packets do not match a configured IPoE static session, the user initiates a session by using unclassified-IPv6 packets.

For the processing procedure when the interface receives NS/NA packets, see the ip subscriber initiator nsna enable command.

If you disable unclassified-IPv6 packet initiation on an interface, existing IPoE sessions initiated by unclassified-IPv6 packets are not deleted.

You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.

Examples

# Enable unclassified-IPv6 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ipv6 enable

Related commands

display ip subscriber session

ip subscriber initiator nsna enable

ip subscriber roaming enable

reset ip subscriber session

ip subscriber interface-leased

Use ip subscriber interface-leased to configure an interface-leased user.

Use undo ip subscriber interface-leased to restore the default.

Syntax

ip subscriber interface-leased username name password { ciphertext | plaintext } string [ domain domain-name ]

undo ip subscriber interface-leased

Default

No interface-leased user exists.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

username name: Specifies a username for authentication, a case-sensitive string of 1 to 255 characters.

password ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

password plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify an ISP domain, the default system domain is used. For more information about the default system domain, see BRAS Services Configuration Guide.

Usage guidelines

An interface-leased user represents all access users of the interface.

With IPoE enabled for both IPv4 and IPv6 protocol stacks on an interface in up state, the BRAS creates an IPoE interface-leased session based on the ip subscriber interface-leased command configuration. After the session is set up, the session does not need to be initiated by user traffic. The BRAS actively initiates authentication by using the configured username and password. After the authentication succeeds for users, traffic of all users on the interface is permitted, and the users share one IPoE session. The BRAS performs interface-level authorization and accounting for all users on the interface.

You can configure only one interface-leased user on each interface. To change the parameters of an existing interface-leased user, use the undo form to delete the user, and then reconfigure it with new parameter settings.

You cannot configure an interface-leased user on an interface configured with individual users, a subnet-leased user, or an L2VPN-leased user.

An ISP domain is selected for an IPoE interface-leased user in the following order:

1.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 4.

2.        ISP domain specified by using the domain domain-name option in this command. If the ISP domain does not exist, proceed with step 4.

3.        ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain does not exist, proceed with step 4.

4.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure an interface-leased user with a username of intuser and a plaintext password of pw123 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber interface-leased username intuser password plaintext pw123

Related commands

display ip subscriber interface-leased

ip subscriber l2vpn-leased

Use ip subscriber l2vpn-leased to configure an L2VPN-leased user.

Use undo ip subscriber l2vpn-leased to restore the default.

Syntax

ip subscriber l2vpn-leased username name password { ciphertext | plaintext } string [ domain domain-name ]

undo ip subscriber l2vpn-leased

Default

No L2VPN-leased user exists.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

username name: Specifies a username for authentication, a case-sensitive string of 1 to 255 characters.

password ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

password plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify an ISP domain, the default system domain is used. For more information about the default system domain, see BRAS Services Configuration Guide.

Usage guidelines

An L2VPN-leased user is a group of hosts that rent the same interface and share the same IPoE session on an L2VPN network. The BRAS authenticates, authorizes, and accounts all hosts of the same L2VPN-leased user.

For L2VPN-leased users to come online, you must enable IPoE for both IPv4 and IPv6 protocol stacks.

You can configure only one L2VPN-leased user on one interface. To change the parameters of an existing L2VPN-leased user, use the undo form to delete the user, and then reconfigure it with new parameter settings.

You cannot configure an L2VPN-leased user on an interface configured with individual users, an interface-leased user, or a subnet-leased user.

On a Layer 3 Ethernet or aggregate subinterface, the IPoE L2VPN-leased user configuration is mutually exclusive with the packet statistics collection feature. For more information about packet statistics collection on Layer 3 Ethernet interfaces, see Ethernet interface configuration in Interface Configuration Guide. For more information about packet statistics collection on Layer 3 aggregate subinterfaces, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide.

An ISP domain is selected for an IPoE L2VPN-leased user in the following order:

1.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 3.

2.        ISP domain specified by using the domain domain-name option in this command. If the ISP domain does not exist, proceed with step 3.

3.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure an L2VPN-leased user with a username of intuser and a plaintext password of pw123 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber l2vpn-leased username intuser password plaintext pw123

ip subscriber lease-end-time original

Use ip subscriber lease-end-time original to keep the original lease expiration time, instead of renewing it, when an abnormally logged out user logs in again.

Use undo ip subscriber lease-end-time original to restore the default.

Syntax

ip subscriber lease-end-time original

undo ip subscriber lease-end-time original

Default

The lease expiration time is renewed when the abnormally logged out user logs in again.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

By default, the lease expiration time is renewed when the abnormally logged out user logs in again. With this command configured, when an abnormally logged out client recovers and logs in again, the lease expiration time is the same as the time recorded in the client.

Examples

# Configure GigabitEthernet 3/1/1 to keep the original lease expiration time when an abnormally logged out user logs in again.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber lease-end-time original

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

display ip subscriber abnormal-logout

ip subscriber mac-auth domain

Use ip subscriber mac-auth domain to configure the domain for MAC authentication.

Use undo ip subscriber mac-auth domain to restore the default.

Syntax

ip subscriber mac-auth domain domain-name

undo ip subscriber mac-auth domain

Default

No domain is configured for MAC authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

When Web MAC authentication is configured with multiple types of domains, a domain is selected in the following order during the Web authentication phase:

1.        If the ip subscriber mac-auth domain command is used to specify a MAC authentication domain, the device first obtains the domain in the username and operates as follows:

○  If the username carries a domain and the carried domain exists, the domain carried in the username is used. If the domain does not exist, proceed with step 3.

○  If the username does not carry a domain, the MAC authentication domain specified by using the ip subscriber mac-auth domain command is used. If the specified domain does not exist, proceed with step 3.

2.        If the ip subscriber web-auth domain command is used to specify a Web authentication domain, the device first obtains the domain in the username and operates as follows:

○  If the username carries a domain and the carried domain exists, the domain carried in the username is used. If the domain does not exist, proceed with step 3.

○  If the username does not carry a domain, the Web authentication domain specified by using the ip subscriber web-auth domain command is used. If the specified domain does not exist, proceed with step 3.

3.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For how an ISP domain is selected during the Web authentication phase when Web authentication is used, see the ip subscriber web-auth domain command.

The ISP domain for MAC authentication is used for transparent MAC authentication during the Web authentication phase for only individual users using Web MAC authentication.

The ISP domain modification for MAC authentication takes effect only on new users.

Examples

# Specify ISP domain dm1 for MAC authentication on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber mac-auth domain dm1

Related commands

ip subscriber authentication-method

ip subscriber web-auth domain

ip subscriber max-session

Use ip subscriber max-session to set the maximum number of individual sessions and leased subuser sessions on an interface.

Use undo ip subscriber max-session to restore the default.

Syntax

ip subscriber max-session max-number

undo ip subscriber max-session

Default

The maximum number of individual sessions and leased subuser sessions is not set on an interface.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of individual sessions and leased subuser sessions allowed on an interface. The value range for this argument is 1 to 64000.

Usage guidelines

When the number of individual sessions and leased subuser sessions on an interface has reached the limit, new IPoE sessions cannot be established. The number of IPoE sessions created includes the number of IPv4 single-stack users, the number of IPv6 single-stack users, and the number of dual-stack sessions. A single-stack user occupies one session resource, and a dual-stack user occupies one session resource. If a single-stack user has come online successfully, the other stack of the same user can directly come online, and the two stacks share one session resource.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is configured together with the ip subscriber { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 } max-session command, both commands take effect. The two commands limit sessions from different perspectives, and a new session can be established only when neither limit is reached.

Examples

# Set the maximum number of individual sessions and leased subuser sessions on GigabitEthernet 3/1/1 to 100.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber max-session 100

Related commands

ip subscriber dhcp max-session

ip subscriber dhcpv6 max-session

ip subscriber ndrs max-session

ip subscriber unclassified-ip max-session

ip subscriber unclassified-ipv6 max-session

ip subscriber nas-port-id format

Use ip subscriber nas-port-id format to configure the NAS-Port-ID format for IPoE users.

Use undo ip subscriber nas-port-id format to restore the default.

Syntax

ip subscriber nas-port-id format cn-telecom { version1.0 | version2.0 | version3.0 | version4.0 }

undo ip subscriber nas-port-id format

Default

NAS-Port-IDs for IPoE users are encapsulated in the version 1.0 format.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

version1.0: Specifies the China Telecom format.

·          The version 1.0 format varies by interface type.

Table 27 Version 1.0 formats

| Interface type | Encapsulation format |
| --- | --- |
| Layer 3 Ethernet interface and Layer 3 aggregate interface | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=0 |
| Layer 3 Ethernet subinterface and Layer 3 aggregate subinterface (single VLAN tag) | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=vlan_id |
| Layer 3 Ethernet subinterface and Layer 3 aggregate subinterface (dual VLAN tags) | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=inner-vlan;vlanid2=outer-vlan |

·          Version 1.0 format parameters

Table 28 Version 1.0 format parameter description

| Parameter | Description |
| --- | --- |
| NAS_slot | Specifies the slot number of the access interface on the BRAS. |
| NAS_subslot | Specifies the subslot number of the access interface on the BRAS. |
| NAS_port | Specifies the port number of the access interface on the BRAS. |
| vlan_id | Specifies the ID of the user's VLAN. |
| inner-vlan | Specifies the ID of the inner VLAN. |
| outer-vlan | Specifies the ID of the outer VLAN. |
| vpi | Specifies the VPI of the access interface on the BRAS. |
| vci | Specifies the VCI of the access interface on the BRAS. |

If the aaa nas-port-id vlanid uppercase command has not been executed, vlanid and vlanid2 in Table 27 are lower case. If the aaa nas-port-id vlanid uppercase command has been executed, vlanid and vlanid2 in Table 27 are upper case, VLANID and VLANID2. For more information about the aaa nas-port-id vlanid uppercase command, see AAA commands in BRAS Services Command Reference.

version2.0: Specifies the format described in YDT 2275-2011 Subscriber Access Loop (Port) Identification in Broadband Access Networks.

When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted or the received DHCPv6 packets carry Option 18 and Option 18 is trusted, see "ip subscriber nas-port-id nasinfo-insert" for the version 2.0 format. Otherwise, the version 2.0 format is {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port:svlan.cvlan AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port. The NAS information (NAS_slot/NAS_subslot/NAS_port:svlan.cvlan) and AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port (modified to 0/0/0/0/0/0) are encapsulated in the NAS-Port-ID field. Table 29 describes the version 2.0 format parameters.

·          Version 2.0 format:

{eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port:svlan.cvlan AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port

·          Version 2.0 format parameters:

Table 29 Version 2.0 format parameter description

| Parameter | Description |
| --- | --- |
| {eth\|trunk\|atm} | Specifies the type of the access interface on the BRAS as Ethernet, trunk, or ATM. |
| NAS_slot | Specifies the slot number of the access interface on the BRAS. |
| NAS_subslot | Specifies the subslot number of the access interface on the BRAS. |
| NAS_port | Specifies the port number of the access interface on the BRAS. |
| svlan | Specifies the ID of the user's SVLAN. |
| cvlan | Specifies the ID of the user's CVLAN. |
| AccessNodeIdentifier | Specifies the identifier of the access node. |
| ANI_rack | Specifies the rack number of the access node. |
| ANI_frame | Specifies the frame number of the access node. |
| ANI_slot | Specifies the slot number of the access node. |
| ANI_subslot | Specifies the subslot number of the access node. |
| ANI_port | Specifies the port number of the access node. |

In the version 2.0 format, for users accessing without VLAN tags, both svlan and cvlan are fixed at 4096. For users accessing with a single layer of VLAN tags, svlan is fixed at 4096 and cvlan is the actual VLAN carried. For more information, see the examples.

version3.0: Specifies the version 3.0 format SlotID/00/IfNO/VlanID, where the forward slash (/) is not displayed. Table 30 describes the meaning of each field.

Table 30 Version 3.0 encapsulation format

| Parameter | Description |
| --- | --- |
| SlotID | ID of the slot that the user accesses. A minimum of two bits. The empty bits are padded with 0s in the front. |
| 00 | Specific field required by the specification. |
| IfNO | Interface number of the user. A minimum of three bits. The empty bits are padded with 0s in the front. |
| VlanID | VLAN ID of the user. A minimum of nine bits. The empty bits are padded with 0s in the front. |

In the version 3.0 format, for users accessing without VLAN tags, VlanID is fixed at 0. For users accessing with a single layer of VLAN tags, VlanID is the actual VLAN carried. For users with two layers of VLAN tags, VlanID is the actual CVLAN carried. For more information, see the examples.

version4.0: Specifies the version 4.0 format. The format adds the following information to the NAS-Port-ID in version 3.0.

·          For IPv4 users, the DHCP Option 82 Circuit-ID is added. The encapsulation format is SlotID/00/IfNO/VlanID/Option82 Circuit-ID, where the forward slash (/) is not displayed.

·          For IPv6 users, the DHCP Option18 is added. The encapsulation format is SlotID/00/IfNO/VlanID/Option18, where the forward slash (/) is not displayed.

Examples

Version 1.0 format

·          Access without VLAN tags

# Configure Layer 3 aggregate interface 1 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. The users access without VLAN tags.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-Route-Aggregation1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

RAGG1                4.4.4.4                1a65-c9ac-0206 S/-   Online

                     -                      -/-            -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="slot=0;subslot=0;port=1;vlanid=0;"

·          Access with a single layer of VLAN tags

# Configure GigabitEthernet 3/1/1.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/-          -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=1;port=1;vlanid=400;"

·          Access with two layers of VLAN tags

# Configure GigabitEthernet 3/1/1.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/500        -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=1;port=1;vlanid=500;vlanid2=400;"

Version 2.0 format

·          Access without VLAN tags

○  Access through a Layer 3 aggregate interface

# Configure Layer 3 aggregate interface 1 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Route-Aggregation1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

RAGG1                4.4.4.4                1a65-c9ac-0206 S/-   Online

                     -                      -/-            -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="trunk 0/0/1:4096.4096 0/0/0/0/0/0"

○  Access through a Layer 3 Ethernet interface

# Configure GigabitEthernet 3/1/1 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-GigabitEthernet3/1/1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1              4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      -/-            -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:4096.4096 0/0/0/0/0/0"

·          Access with a single layer of VLAN tags

# Configure GigabitEthernet 3/1/1.2 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/-          -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:4096.400 0/0/0/0/0/0"

·          Access with two layers of VLAN tags

# Configure GigabitEthernet 3/1/1.2 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/500        -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:400.500 0/0/0/0/0/0"

Version 3.0 format

·          Access without VLAN tags

# Configure Layer 3 aggregate interface 1 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version3.0

[Sysname-Route-Aggregation1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

RAGG1                4.4.4.4                1a65-c9ac-0206 S/-   Online

                     -                      -/-            -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="0000001000000000"

·          Access with a single layer of VLAN tags

# Configure GigabitEthernet 3/1/1.2 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version3.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/-          -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="0300001000000400"

·          Access with two layers of VLAN tags

# Configure GigabitEthernet 3/1/1.2 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version3.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/500        -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="0300001000000500"

Version 4.0 format

# Configure GigabitEthernet 3/1/1.2 to use the version 4.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags, and DHCP packets carry Option82 Circuit-ID as aaa be cd ef g.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version4.0

[Sysname-GigabitEthernet3/1/1.2] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/500        -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="0300001000000500aaa be cd ef g"

Related commands

aaa nas-port-id vlanid-uppercase (BRAS Services Command Reference)

dp (Security Command Reference)

ip subscriber initiator dhcp enable

ip subscriber initiator dhcpv6 enable

ip subscriber trust

ip subscriber nas-port-id interface

ip subscriber nas-port-id nasinfo-insert

ip subscriber nas-port-id interface

Use ip subscriber nas-port-id interface to configure the device to use information of the specified interface to fill in the NAS-Port-ID attribute.

Use undo ip subscriber nas-port-id interface to restore the default.

Syntax

ip subscriber nas-port-id interface interface-type interface-number

undo ip subscriber nas-port-id interface

Default

The device uses information of the interface through which the user comes online to fill in the NAS-Port-ID attribute.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. The specified interface must be the IPoE user's access interface. In the current software version, the interface number can contain one, two, three, or four tiers. In each tier, the number is in the range of 0 to 65534. For example, for a 3-tier interface number, the minimum interface number is 0/0/0, and the maximum interface number is 65534/65534/65534. Specify the interface number according to the actual conditions.

Usage guidelines

A device uses information about the interface through which a user comes online to fill in the NAS-Port-ID attribute and sends it to the RADIUS server by default. In some special applications, when you need to manually specify the access interface information to be filled in the NAS-Port-ID attribute, you can use this command. For example, suppose the RADIUS server restricts user A's access to only interface A. When user A accesses through interface B and you do not want to modify the RADIUS server configuration, you can configure this command to use information about interface A to fill in the NAS-Port-ID attribute for user A and send the attribute to the RADIUS server.

When version 1.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the access interface information chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

When version 2.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the NAS information {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port.

When version 3.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the NAS information SlotID/IfNO.

When version 4.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the following NAS information:

·          For IPv4 users: SlotID/IfNO/Option82.

·          For IPv6 users: SlotID/IfNO/Option18.

Examples

# Configure the device to use information of GigabitEthernet 3/1/1.2 to fill in the NAS-Port-ID attribute. Configure GigabitEthernet 3/1/1.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/2.1

[Sysname-GigabitEthernet3/1/2.1] ip subscriber nas-port-id interface gigabitethernet 3/1/1.2

[Sysname-GigabitEthernet3/1/2.1] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-GigabitEthernet3/1/2.1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

GE3/1/1.2            4.4.4.4                1a65-c9ac-0209 S/-   Online

                     -                      400/-          -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=1;port=1;vlanid=400;"

Related commands

ip subscriber nas-port-id format

ip subscriber nas-port-id nasinfo-insert

Use ip subscriber nas-port-id nasinfo-insert to include NAS information and information obtained from DHCPv4 Option 82 or DHCPv6 Option 18 in the NAS-Port-ID.

Use undo ip subscriber nas-port-id nasinfo-insert to restore the default.

Syntax

ip subscriber nas-port-id nasinfo-insert

undo ip subscriber nas-port-id nasinfo-insert

Default

The BRAS uses information obtained from DHCPv4 Option 82 or DHCPv6 Option 18 as the NAS-Port-ID.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Configure version 2.0 format and the trusted DHCP option before you use this command.

·          If DHCPv4 packets contain Option 82 Circuit-ID, this command parses Option 82 Circuit-ID, extracts information from Circuit-ID (ignoring the first two spaces), and encapsulates the extracted information and NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 82 Circuit-ID. This command does not affect Option 82.

·          If DHCPv6 packets contain Option 18, this command parses Option 18, extracts information from Option 18 (ignoring the first two spaces), and encapsulates the extracted information and NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 18. This command does not affect Option 18.

·          If DHCPv4 packets do not contain Option 82 Circuit-ID, this command includes NAS information in the NAS-Port-ID and sets non-NAS parts to zeros in the following format:

NAS_slot/NAS_subslot/NAS_port:svlan.cvlan 0/0/0/0/0/0

·          If DHCPv6 packets do not contain Option 18, this command includes NAS information in the NAS-Port-ID and sets non-NAS parts to zeros in the following format:

NAS_slot/NAS_subslot/NAS_port:svlan.cvlan 0/0/0/0/0/0

Examples

# Configure Layer 3 aggregate interface 1 to include NAS information and information extracted from DHCPv4 Option 82 in the NAS-Port-ID, encapsulate the NAS-Port-ID in the version 2.0 format, and trust Option 82. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id nasinfo-insert

[Sysname-Route-Aggregation1] ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Route-Aggregation1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

RAGG1                4.4.4.4                1a65-c9ac-0206 S/-   Online

                     -                      -/-            -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID=" trunk 0/0/1:4096.4096 cd ef g"

# Configure Layer 3 aggregate interface 1 to include information extracted from DHCPv4 Option 82 in the NAS-Port-ID, encapsulate the NAS-Port-ID in the version 2.0 format, and trust Option 82. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] undo ip subscriber nas-port-id nasinfo-insert

[Sysname-Route-Aggregation1] ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Route-Aggregation1] quit

[Sysname] display ip subscriber session

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address             MAC address    Type  State

                     IPv6 address           SVLAN/CVLAN    VXLAN

                     Username

RAGG1                4.4.4.4                1a65-c9ac-0206 S/-   Online

                     -                      -/-            -

                     4.4.4.4

In the RADIUS debugging information, NAS-Port-ID=" aaa be cd ef g"
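The NAS-Port-ID values shown in the examples for ip subscriber nas-port-id format and ip subscriber nas-port-id nasinfo-insert, parsed into one record so that a RADIUS-side port-binding check or log pipeline can compare them across format versions. This is an added example, not H3C code: the names NasPortId, parse_nas_port_id and same_access_port are assumptions, as is reading every version 3.0/4.0 field at its minimum width (2, 2, 3 and 9 characters, which is what the sample values on this page show). Only the three-tier version 2.0 form from the examples is handled.

```python
import re
from dataclasses import dataclass
from typing import Optional

UNTAGGED_V2 = 4096  # version 2.0 writes 4096 where a VLAN tag is absent


@dataclass(frozen=True)
class NasPortId:
    version: str                 # "1.0", "2.0", "3.0" or "4.0"
    slot: int
    subslot: Optional[int]       # not carried by versions 3.0 and 4.0
    port: int
    outer_vlan: Optional[int]    # SVLAN; None when absent or not carried
    inner_vlan: Optional[int]    # CVLAN or the single tag; None when untagged
    tail: str = ""               # v2.0 access-node part, or v4.0 Option 82/18 text

    def binding_key(self):
        """The fields every version carries, for comparison across formats."""
        return (self.slot, self.port, self.inner_vlan)


V2_RE = re.compile(
    r"(eth|trunk|atm) (\d+)/(\d+)/(\d+):(\d+)\.(\d+) (.*)", re.ASCII | re.DOTALL)
# Assumption: SlotID, "00", IfNO and VlanID each have their minimum width.
V3_RE = re.compile(r"(\d{2})00(\d{3})(\d{9})(.*)", re.ASCII | re.DOTALL)


def _parse_v1(text: str) -> NasPortId:
    fields = {}
    for item in filter(None, text.split(";")):     # sample values end with ';'
        key, _, value = item.partition("=")
        if not value.isdecimal():
            raise ValueError(f"bad version 1.0 field: {item!r}")
        fields[key.strip().lower()] = int(value)   # VLANID/VLANID2 may be upper case
    try:
        slot, subslot, port = fields["slot"], fields["subslot"], fields["port"]
    except KeyError as exc:
        raise ValueError(f"version 1.0 value lacks {exc}") from None
    # vlanid is the inner (or only) tag and is 0 on an untagged interface;
    # vlanid2 is the outer tag and appears only with two tags.
    return NasPortId("1.0", slot, subslot, port,
                     fields.get("vlanid2"), fields.get("vlanid") or None)


def parse_nas_port_id(raw: str) -> NasPortId:
    """Parse a NAS-Port-ID in any cn-telecom version; ValueError if none fits."""
    text = raw.strip()   # the nasinfo-insert sample value starts with a space
    if text.lower().startswith(("slot=", "chassis=")):
        return _parse_v1(text)
    match = V2_RE.fullmatch(text)
    if match:
        _kind, slot, subslot, port, svlan, cvlan, tail = match.groups()
        outer, inner = (None if int(v) == UNTAGGED_V2 else int(v)
                        for v in (svlan, cvlan))
        return NasPortId("2.0", int(slot), int(subslot), int(port),
                         outer, inner, tail)
    match = V3_RE.fullmatch(text)
    if match:
        slot, ifno, vlan_id, tail = match.groups()
        # Version 4.0 is version 3.0 followed by the Option 82/18 content.
        return NasPortId("4.0" if tail else "3.0", int(slot), None, int(ifno),
                         None, int(vlan_id) or None, tail)
    raise ValueError(f"unrecognised NAS-Port-ID: {raw!r}")


def same_access_port(first: str, second: str) -> bool:
    """True when two NAS-Port-ID strings name the same slot, port and inner VLAN."""
    return (parse_nas_port_id(first).binding_key()
            == parse_nas_port_id(second).binding_key())


if __name__ == "__main__":
    # Sample values from this page for GigabitEthernet 3/1/1.2, SVLAN/CVLAN 400/500.
    for sample in ("slot=3;subslot=1;port=1;vlanid=500;vlanid2=400;",
                   "eth 3/1/1:400.500 0/0/0/0/0/0",
                   "0300001000000500",
                   "0300001000000500aaa be cd ef g"):
        print(parse_nas_port_id(sample))
```

A value that fails to parse, such as the bare Circuit-ID sent when nasinfo-insert is disabled, raises ValueError so that a binding check can treat it as unverified instead of comparing raw strings.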

Related commands

ip subscriber initiator dhcpv4 enable

ip subscriber initiator dhcpv6 enable

ip subscriber trust

ip subscriber nas-port-id format

ip subscriber nas-port-type

Use ip subscriber nas-port-type to configure the NAS-Port-Type for an interface.

Use undo ip subscriber nas-port-type to restore the default.

Syntax

ip subscriber nas-port-type { 802.11 | adsl-cap | adsl-dmt | async | cable | ethernet | g.3-fax | hdlc | idsl | isdn-async-v110 | isdn-async-v120 | isdn-sync | piafs | sdsl | sync | virtual | wireless-other | x.25 | x.75 | xdsl }

undo ip subscriber nas-port-type

Default

The NAS-Port-Type for an interface is Ethernet.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

802.11: Specifies the port type complying with Wireless-IEEE 802.11. The type ID is 19.

adsl-cap: Specifies the ADSL-CAP port type, including Asymmetric DSL and Carrierless Amplitude Phase Modulation. The type ID is 12.

adsl-dmt: Specifies the ADSL-DMT port type, including Asymmetric DSL and Discrete Multi-Tone. The type ID is 13.

async: Specifies the Async port type with a type ID of 0.

cable: Specifies the Cable port type with a type ID of 17.

ethernet: Specifies the Ethernet port type with a type ID of 15.

g.3-fax: Specifies the G.3 Fax port type with a type ID of 10.

hdlc: Specifies the HDLC port type with a type ID of 7.

idsl: Specifies the IDSL port type with a type ID of 14.

isdn-async-v110: Specifies the ISDN Async V.110 port type with a type ID of 4.

isdn-async-v120: Specifies the ISDN Async V.120 port type with a type ID of 3.

isdn-sync: Specifies the ISDN Sync port type with a type ID of 2.

piafs: Specifies the port type complying with PIAFS. The type ID is 6.

sdsl: Specifies the SDSL port type with a type ID of 11.

sync: Specifies the Sync port type with a type ID of 1.

virtual: Specifies the Virtual port type with a type ID of 5.

wireless-other: Specifies the Wireless-other port type with a type ID of 18.

x.25: Specifies the X.25 port type with a type ID of 8.

x.75: Specifies the X.75 port type with a type ID of 9.

xdsl: Specifies the XDSL port type with a type ID of 16.

Usage guidelines

The NAS-Port-Type attribute carries information about the access interface. The BRAS includes the configured NAS-Port-Type in RADIUS requests sent to the RADIUS server.

Examples

# Configure the port type as sdsl for GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber nas-port-type sdsl

ip subscriber ndrs domain

Use ip subscriber ndrs domain to configure an ISP domain for IPv6 ND RS users.

Use undo ip subscriber ndrs domain to restore the default.

Syntax

ip subscriber ndrs domain domain-name

undo ip subscriber ndrs domain

Default

No ISP domain is specified for IPv6 ND RS users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command specifies an ISP domain for IPv6 ND RS users. The specified ISP domain must exist on the BRAS.

An IPv6 ND RS user can obtain ISP domains in multiple ways. An ISP domain is selected for an IPv6 ND RS user in the following order:

1.        ISP domain specified by using the ip subscriber ndrs domain command. If the ISP domain does not exist, proceed with step 2.

2.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure ISP domain ipoe for IPv6 ND RS users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber ndrs domain ipoe

Related commands

ip subscriber initiator ndrs enable

ip subscriber ndrs max-session

Use ip subscriber ndrs max-session to set the IPoE session limit for IPv6 ND RS packet initiation on an interface.

Use undo ip subscriber ndrs max-session to restore the default.

Syntax

ip subscriber ndrs max-session max-number

undo ip subscriber ndrs max-session

Default

The IPoE session limit for IPv6 ND RS packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for IPv6 ND RS packet initiation in the range of 1 to 64000.

Usage guidelines

If the IPoE session limit for IPv6 ND RS packet initiation is reached, no more IPoE sessions can be initiated by IPv6 ND RS packets. IPoE sessions initiated by IPv6 ND RS packets include single-stack IPv6 sessions and dual-stack sessions.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is configured together with the ip subscriber max-session command, both commands take effect. The two commands control sessions from different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for IPv6 ND RS packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber ndrs max-session 100

Related commands

display ip subscriber session

ip subscriber initiator ndrs enable

ip subscriber max-session

reset ip subscriber session

ip subscriber ndrs username

Use ip subscriber ndrs username to configure an authentication user naming convention for IPv6 ND RS users.

Use undo ip subscriber ndrs username to restore the default.

Syntax

ip subscriber ndrs username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [ separator separator ] | string string [ separator separator ] | slot [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber ndrs username

Default

No authentication user naming convention is configured for IPv6 ND RS users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

nas-port-id: Includes the NAS-Port-ID attribute in a username.

port: Includes the number of the port that receives the user packets in a username.

second-vlan: Includes the inner VLAN ID in a username.

slot: Includes the number of the slot that receives the user packets in a username.

source-mac: Includes the source MAC address in a username.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

string string: Includes the specified string in a username, a case-sensitive string of 1 to 64 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

subslot: Includes the number of the subslot that receives the user packets in a username.

sysname: Includes the name of the device that receives the user packets in a username.

vlan: Includes the outer VLAN ID in a username.

separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

Usage guidelines

Usernames obtained based on the naming convention are used for authentication and must be the same as those configured on the AAA server.

You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.

Examples

# Configure the source MAC addresses as the authentication usernames for IPv6 ND RS users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber ndrs username include source-mac

# Configure an authentication user naming convention for IPv6 ND RS users on GigabitEthernet 3/1/1. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber ndrs username include sysname separator # slot separator # subslot separator # port separator # vlan
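Because the derived usernames must match the AAA server entries exactly, it helps to compute them offline before provisioning. The following Python sketch is an added example, not H3C code: it parses a naming-convention line and builds the username for each subscriber. It assumes the separator is emitted only between an option and the option that follows, that MAC letters are lower-case, and that attribute values (sysname, slot, VLAN and so on) are supplied by the caller; the subscriber records and AAA usernames are constructed.

```python
import re

PREFIX = ["ip", "subscriber", "ndrs", "username", "include"]
OPTIONS = {"nas-port-id", "port", "second-vlan", "string", "slot",
           "source-mac", "subslot", "sysname", "vlan"}
FORBIDDEN_IN_STRING = set('/\\|"*?<>@')  # characters not allowed in "string"

# The second example command from this section, plus constructed test data.
PAGE_EXAMPLE = ("ip subscriber ndrs username include sysname separator # "
                "slot separator # subslot separator # port separator # vlan")
SUBSCRIBERS = [
    {"sysname": "BRAS1", "slot": 3, "subslot": 1, "port": 1, "vlan": 100},
    {"sysname": "BRAS1", "slot": 3, "subslot": 1, "port": 1, "vlan": 200},
]
AAA_USERNAMES = {"BRAS1#3#1#1#100", "bras1#3#1#1#200"}  # second entry differs in case


def separator_after(tokens, i):
    """Return the single-character separator that follows tokens[i]."""
    if i + 1 >= len(tokens) or len(tokens[i + 1]) != 1 or tokens[i + 1] == "@":
        raise ValueError(f"'{tokens[i]}' needs one character other than '@'")
    return tokens[i + 1]


def parse_convention(command):
    """Parse the CLI line into an ordered list of option dicts."""
    tokens = command.split()
    if tokens[:5] != PREFIX or len(tokens) == 5:
        raise ValueError("expected 'ip subscriber ndrs username include <options>'")
    items, i = [], 5
    while i < len(tokens):
        name = tokens[i]
        if name not in OPTIONS:
            raise ValueError(f"unknown option {name!r}")
        item = {"name": name, "literal": None, "addr_sep": "", "sep": ""}
        i += 1
        if name == "string":
            literal = tokens[i] if i < len(tokens) else ""
            if not 1 <= len(literal) <= 64 or FORBIDDEN_IN_STRING & set(literal):
                raise ValueError("string must be 1 to 64 permitted characters")
            item["literal"] = literal
            i += 1
        if name == "source-mac" and i < len(tokens) and tokens[i] == "address-separator":
            item["addr_sep"] = separator_after(tokens, i)
            i += 2
        if i < len(tokens) and tokens[i] == "separator":
            item["sep"] = separator_after(tokens, i)
            i += 2
        items.append(item)
    return items


def format_mac(mac, addr_sep=""):
    """Render a MAC as xxxxxxxxxxxx, or as xxxx<sep>xxxx<sep>xxxx when a separator is set."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()  # lower-case is an assumption
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return addr_sep.join(digits[i:i + 4] for i in range(0, 12, 4))


def build_username(items, attrs):
    """Concatenate the options in configuration order."""
    parts = []
    for pos, item in enumerate(items):
        name = item["name"]
        if name == "string":
            value = item["literal"]
        elif name == "source-mac":
            value = format_mac(attrs[name], item["addr_sep"])
        else:
            value = str(attrs[name])
        parts.append(value)
        if pos < len(items) - 1:  # assumption: no trailing separator after the last option
            parts.append(item["sep"])
    return "".join(parts)


def missing_on_aaa(command, subscribers, aaa_usernames):
    """Usernames the BRAS would send that have no exact match on the AAA server."""
    items = parse_convention(command)
    known = set(aaa_usernames)
    return [u for u in (build_username(items, s) for s in subscribers) if u not in known]


if __name__ == "__main__":
    print(missing_on_aaa(PAGE_EXAMPLE, SUBSCRIBERS, AAA_USERNAMES))
```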

Related commands

ip subscriber initiator ndrs enable

ip subscriber password

ip subscriber password

Use ip subscriber password to set the password for individual users.

Use undo ip subscriber password to restore the default.

Syntax

ip subscriber password { mac-address [ address-separator address-separator ] [ lowercase | uppercase ] | { ciphertext | plaintext } string }

undo ip subscriber password

Default

No password is set for individual users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

mac-address: Uses a MAC address as the username. The MAC address of the user is preferentially used. If the user MAC address cannot be obtained, the source MAC address of packets is used. By default, the letters in a MAC address are lower-case and the MAC address does not have hyphens.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

lowercase: Specifies the letters in the MAC address as lower-case.

uppercase: Specifies the letters in the MAC address as upper-case.

ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

Usage guidelines

To avoid configuring passwords for each initiation method separately when multiple individual session initiation methods are configured on an interface, you can use this command to uniformly configure authentication passwords for all individual users on an interface.

For individual users using bind authentication, passwords are selected in the following order:

1.        Password obtained by using the ip subscriber dhcp password and ip subscriber dhcpv6 password option16 commands. (Applicable to only DHCP users.)

2.        User MAC address when the password mac keyword is specified in the ip subscriber session static command. (Applicable to only static users.)

3.        Password configured by using the ip subscriber password command.

4.        The string vlan.

For Web authentication and Web MAC authentication in the preauthentication phase, passwords are selected for individual users in the same order passwords are selected for individual users using bind authentication.

For Web authentication in the Web authentication phase, passwords are selected in the following order for individual users:

1.        Password that the user enters when logging in.

2.        Password configured by using the ip subscriber password command.

3.        The string vlan.

For Web MAC authentication in the Web authentication phase, passwords are selected in the following order for individual users:

1.        Password configured by using the ip subscriber password command.

2.        The string vlan.
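The selection order for bind authentication (which also applies in the preauthentication phase) ends at the fixed string vlan, so it is worth checking which interfaces and static sessions would reach that fallback. The following Python audit is an added example, not H3C code: it applies that order to configuration text and reports the configured password source for each case. The configuration sample, addresses and ciphertext value are constructed placeholders, and the script cannot tell whether a DHCP packet actually carries the configured option.

```python
import re

# Constructed configuration text; interface lines are indented by one space.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/1/1
 ip subscriber password ciphertext PLACEHOLDER-CIPHERTEXT
 ip subscriber session static ip 10.0.0.10 password mac
 ip subscriber session static ip 10.0.0.11
#
interface GigabitEthernet3/1/2
 ip subscriber dhcpv6 password option16
 ip subscriber session static ip 10.0.1.10 10.0.1.12 domain dm1
#
interface GigabitEthernet3/1/3
 ip subscriber pre-auth domain dm1
#
"""

STATIC_PREFIX = "ip subscriber session static "
STATIC_KEYWORDS = {"vlan", "mac", "domain", "password", "request-online",
                   "description", "gateway", "vpn-instance", "keep-online"}
DHCP_PASSWORD_PREFIXES = ("ip subscriber dhcp password",
                          "ip subscriber dhcpv6 password option16")


def parse_interfaces(text):
    """Map each interface name to its 'ip subscriber ...' lines, in file order."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match and not raw.startswith(" "):
            current = interfaces.setdefault(match.group(1), [])
        elif line == "#" or (line and not raw.startswith(" ")):
            current = None  # end of the interface block
        elif current is not None and line.startswith("ip subscriber "):
            current.append(line)
    return interfaces


def static_subject(line):
    """Label a static session by its address part, e.g. 'static ip 10.0.0.10'."""
    address_tokens = []
    for token in line[len(STATIC_PREFIX):].split():
        if token in STATIC_KEYWORDS:
            break
        address_tokens.append(token)
    return "static " + " ".join(address_tokens)


def bind_password_source(lines, user_kind, static_line=""):
    """Apply the four-step order for bind authentication to one user kind."""
    if user_kind == "dhcp" and any(l.startswith(DHCP_PASSWORD_PREFIXES) for l in lines):
        return "dhcp-option"          # step 1, DHCP users only
    if user_kind == "static" and re.search(r"\spassword mac(\s|$)", static_line):
        return "user-mac"             # step 2, static users only
    if any(re.match(r"ip subscriber password\s", l) for l in lines):
        return "interface-password"   # step 3
    return "default-vlan"             # step 4: the string "vlan"


def audit(text):
    """Return (interface, subject, password source) rows for DHCP and static users."""
    rows = []
    for name, lines in parse_interfaces(text).items():
        rows.append((name, "dhcp-users", bind_password_source(lines, "dhcp")))
        for line in lines:
            if line.startswith(STATIC_PREFIX):
                rows.append((name, static_subject(line),
                             bind_password_source(lines, "static", line)))
    return rows


def default_password_findings(text):
    """Rows whose password resolves to the fixed string 'vlan'."""
    return [(iface, subject) for iface, subject, src in audit(text)
            if src == "default-vlan"]


if __name__ == "__main__":
    for finding in default_password_findings(SAMPLE_CONFIG):
        print("falls back to default password:", finding)
```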

Examples

# Configure the plaintext password as 123 for individual users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber password plaintext 123

Related commands

ip subscriber dhcp username

ip subscriber unclassified-ip username

ip subscriber dhcp password

ip subscriber dhcpv6 password option16

ip subscriber pre-auth domain

Use ip subscriber pre-auth domain to specify a preauthentication domain.

Use undo ip subscriber pre-auth domain to restore the default.

Syntax

ip subscriber pre-auth domain domain-name

undo ip subscriber pre-auth domain

Default

No preauthentication domain is specified.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only for DHCP users and static individual users using the Web authentication method and the Web MAC authentication method.

You can modify the preauthentication domain. By default, a preauthentication domain is selected in the following order:

·          For dynamic DHCP users:

a.    Service-specific domain. If the domain does not exist, proceed with step c.

b.    Preauthentication domain configured by using the ip subscriber pre-auth domain command. If the domain does not exist, proceed with step c.

c.    ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·          For static users:

a.    Authentication domain configured by using the ip subscriber session static command. If the domain does not exist, proceed with step e.

b.    Preauthentication domain configured by using the ip subscriber pre-auth domain command. If the domain does not exist, proceed with step e.

c.    Service-specific domain. If the domain does not exist, proceed with step e.

d.    Domain configured by using the ip subscriber unclassified-ip domain command. If the domain does not exist, proceed with step e.

e.    ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

If you specify a preauthentication domain, users must pass the preauthentication before obtaining IP addresses (applicable to only DHCP users) and authorization attributes configured for the preauthentication domain. Users will obtain new authorization information after passing the Web authentication.

For Web authentication users, preauthentication is required every time they come online. The user information is deleted upon a preauthentication failure.

New settings in the preauthentication domain do not take effect for users who have passed the preauthentication.

You must configure the Web server URL and user group authorization attributes in the preauthentication domain for redirecting users to the Web authentication page. For more information about the Web server URL and user group, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Specify ISP domain dm1 as the preauthentication domain on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber pre-auth domain dm1

Related commands

authorization-attribute user-group (BRAS Services Command Reference)

domain default enable (BRAS Services Command Reference)

ip subscriber authentication-method

web-server url (BRAS Services Command Reference)

ip subscriber pre-auth track

Use ip subscriber pre-auth track to associate a fail-permit user group with a track entry.

Use undo ip subscriber pre-auth track to restore the default.

Syntax

ip subscriber pre-auth track track-entry-number fail-permit user-group group-name

undo ip subscriber pre-auth track

Default

A fail-permit user group is not associated with a track entry.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

track track-entry-number: Specifies a track entry by its ID in the range of 1 to 1024.

user-group group-name: Specifies a fail-permit user group by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

With this command configured, when the device detects that the Web authentication server or AAA server is unreachable, the device allows users to access network resources without Web authentication. This process is called Web authentication fail-permit.

You can implement Web authentication fail-permit by associating a fail-permit user group with a track entry.

By default, the Web authentication users that come online in the preauthentication domain belong to the user group authorized by AAA or authorized in the ISP domain when the users come online. After a fail-permit user group is associated with a track entry, the following rules apply:

·          When the status of the track entry becomes Negative, the access device moves all online users in the current preauthentication domain from the authorized user group to the fail-permit user group. Then, the users can access network resources according to the privilege of the fail-permit user group.

·          When the status of the track entry becomes Positive, the access device will move all online users in the current preauthentication domain back to the authorized user group. Then, the users can access network resources only after passing Web authentication.

To monitor the status of multiple servers, you can configure the tracked object list. For more information about track, see track configuration in High Availability Configuration Guide.

This command takes effect only on users in the preauthentication domain.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Associate fail-permit user group web with track entry 1 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber pre-auth track 1 fail-permit user-group web

Related commands

authorization-attribute user-group (BRAS Services Command Reference)

ip subscriber roaming enable

Use ip subscriber roaming enable to enable roaming for IPoE individual users on an interface.

Use undo ip subscriber roaming enable to disable roaming for IPoE individual users on an interface.

Syntax

ip subscriber roaming enable [ roam-group roam-group-name ]

undo ip subscriber roaming enable

Default

Roaming is disabled for IPoE individual users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

roam-group roam-group-name: Specifies a roaming group by its name, a case-sensitive string of 1 to 15 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify this option, all roaming-enabled interfaces belong to the default roaming group, which does not have a name.

Usage guidelines

Online IPoE individual users can roam between different interfaces or different VLANs of the same subinterface.

To reduce roaming users' impact on other users, you can limit the roaming range by using a roaming group. An online user can roam only within the roaming group of the interface through which the user comes online. For example, user A and user B both use the IP address 1.1.1.1/24 and belong to the same VPN instance. User A first comes online on interface A through unclassified-IP packet initiation. Both interface A and interface B are enabled with roaming but not configured with roaming groups. In this case, when user B comes online on interface B through unclassified-IP packet initiation, the device will log off user A. For user A and user B to come online simultaneously, you can configure different roaming groups for interface A and interface B. This configuration isolates the roaming range of user A from the roaming range of user B.

In a DHCP relay agent network, you must execute the dhcp select relay proxy command on the DHCP relay agent interface to enable DHCP server proxy on the relay agent. For more information about DHCP relay agents, see DHCP configuration in BRAS Services Configuration Guide.

Make sure the user access interfaces before and after the roaming have IPoE enabled for the same protocol stacks and are configured with the same IPoE authentication method, authentication domain, and roaming group.

The following events might lead to failures in the process of roaming:

·          The user IP address that the user belongs to is changed.

·          The target interface is not configured with the same IPoE session initiation method as the interface before roaming. For example, suppose interface A is configured with DHCP packet initiation. For roaming between interface A and interface B to succeed, interface B must be configured with DHCP packet initiation.

·          The target interface and the current interface are not in the same roaming group.

·          For dynamic individual users:

◦  A VPN instance is authorized to the roaming user. The target interface is bound to a different VPN instance.

◦  No VPN instance is authorized to the roaming user. The interface before roaming is bound to a VPN instance. The target interface is bound to a different VPN instance.

·          For global static individual users:

◦  A VPN instance is authorized to the roaming user, and no VPN instance is specified in the static session. The target interface is bound to a VPN instance different from the authorized VPN instance.

◦  No VPN instance is authorized to the roaming user, and no VPN instance is specified in the static session. The interface before roaming is bound to a VPN instance. The target interface is bound to a different VPN instance.

If the roaming fails, the user must perform authentication again on the destination interface in order to come online.

For static individual users, roaming takes effect as follows:

·          For interface-level static individual users, roaming is supported only when you configure IPoE static sessions in subinterface view by using the ip subscriber session static command without specifying a VLAN. In this case, only roaming across different VLANs of the subinterface is supported.

·          For global static individual users, when you configure the ip subscriber session static command in system view, the following rules apply:

◦  If a user access interface is specified but no VLAN is specified, roaming across different VLANs of the interface is supported.

◦  If no user access interface is specified and a user comes online through a roaming-enabled interface, roaming across all roaming-enabled interfaces is supported.

Examples

# Enable roaming for IPoE individual users and specify roaming group roam1 on subinterface GigabitEthernet 3/1/1.1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.1

[Sysname-GigabitEthernet3/1/1.1] ip subscriber roaming enable roam-group roam1

Related commands

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber service-identify

Use ip subscriber service-identify to configure the service identifier for users.

Use undo ip subscriber service-identify to restore the default.

Syntax

Layer 3 Ethernet interface view, Layer 3 aggregate interface view, L3VE interface view:

ip subscriber service-identify dscp

undo ip subscriber service-identify

Layer 3 Ethernet subinterface view, Layer 3 aggregate subinterface view, L3VE subinterface view:

ip subscriber service-identify { 8021p { second-vlan | vlan } | dscp | second-vlan | vlan }

undo ip subscriber service-identify

Default

No service identifier is configured for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

8021p second-vlan: Specifies the 802.1p value of the inner VLAN tag in QinQ mode as the service identifier.

8021p vlan: Specifies the 802.1p value of the VLAN tag or the 802.1p value of the outer VLAN tag in QinQ mode as the service identifier.

dscp: Specifies the DSCP value as the service identifier.

second-vlan: Specifies the inner VLAN ID in QinQ mode as the service identifier.

vlan: Specifies the VLAN ID or the outer VLAN ID in QinQ mode as the service identifier.

Usage guidelines

Users include DHCPv4 users, DHCPv6 users, unclassified-IP users, and static individual users.

You must specify an identifier for a service before you bind an ISP domain to the service. Otherwise, the binding does not take effect.

Users whose IP packets contain the specified service identifier will be assigned a service-specific ISP domain.

For DHCPv4 users, the trusted Option 60 configuration takes precedence over the global service identifier configuration.

For DHCPv6 users, the trusted Option 16 or Option 17 configuration takes precedence over the global service identifier configuration.

You can configure only one service identifier on each interface.

Examples

# Configure the DSCP value as the service identifier for users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber service-identify dscp

Related commands

ip subscriber 8021p

ip subscriber dscp

ip subscriber vlan

ip subscriber session static (interface view)

Use ip subscriber session static to configure IPoE static individual sessions on an interface.

Use undo ip subscriber session static to delete IPoE static individual sessions on an interface.

Syntax

IPv4:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ vpn-instance vpn-instance-name ]

IPv6:

ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]

Dual-stack:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online { ip | ipv6 } ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]

Default

No IPoE static individual sessions exist on an interface.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

start-ipv4-address: Specifies a start user IPv4 address.

end-ipv4-address: Specifies an end user IPv4 address, which cannot be lower than the start-ipv4-address argument. All users with IP addresses between start-ipv4-address and end-ipv4-address are specified as static users. If you do not specify the end-ipv4-address argument or the specified end-ipv4-address argument is the same as the start-ipv4-address argument, only one IP address is specified.

start-ipv6-address: Specifies a start user IPv6 address.

end-ipv6-address: Specifies an end user IPv6 address, which cannot be lower than the start-ipv6-address argument. All users with IPv6 addresses between start-ipv6-address and end-ipv6-address are specified as static users. If you do not specify the end-ipv6-address argument or the specified end-ipv6-address argument is the same as the start-ipv6-address argument, only one IPv6 address is specified.

vlan vlan-id: Specifies an outer VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

second-vlan vlan-id: Specifies an inner VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

mac mac-address: Specifies a user MAC address in the form of H-H-H.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

password: Specifies the password used for user authentication.

mac: Uses the user MAC address as the authentication password in the format of HH:HH:HH:HH:HH:HH.

request-online: Specifies the device to actively send ARP, ICMP, ND NS, or ICMPv6 requests to request users to come online. If this keyword is not specified, a user must actively send ARP, ND NS, IPv4, or IPv6 packets to come online.

ip: Specifies the device to actively send IPv4 packets to request users to come online. In Layer 2 access mode, ARP packets are sent. In Layer 3 access mode, ICMP packets are sent.

ipv6: Specifies the device to actively send IPv6 packets to request users to come online. In Layer 2 access mode, ND NS packets are sent. In Layer 3 access mode, ICMPv6 packets are sent.

description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. If this option is not specified, the static session does not have a description. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.

ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the gateway address specified by using the gateway-list export-route command for a DHCPv4 address pool.

ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the global unicast address or link-local address of the access interface in Layer 2 access mode or the global unicast address of the access interface in Layer 3 access mode.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static users by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the static users are in the public network. Support for this option depends on the device model.

keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.

Usage guidelines

For dual-stack static users to come online, you must enable IPoE for both IPv4 and IPv6 protocol stacks.

IPoE static sessions have higher priority than IPoE dynamic sessions. If a user IP packet matches an IPoE static session, the IPoE static session overwrites the existing IPoE dynamic session.

When the IP addresses specified for a static session overlap with the assignable IP addresses in the DHCP pool, follow these guidelines:

·          For a DHCPv4 pool, use the dhcp server forbidden-ip or forbidden-ip command to exclude the overlapping IP addresses from dynamic allocation.

·          For a DHCPv6 pool, use the ipv6 dhcp server forbidden-address command to exclude the overlapping IPv6 addresses from dynamic allocation.

For more information about excluding IP addresses from dynamic allocation, see DHCP commands and DHCPv6 commands in BRAS Services Command Reference.

In the public network or the same VPN instance, a maximum of one IPoE session can be configured for one IP address. You cannot use the ip subscriber session static command to modify an IPoE static session configured with the mac, domain, or request-online keyword. To modify such an IPoE session, use the undo form of the command to delete the session, and then reconfigure it with new parameter settings.

For interface-level static sessions and global static sessions with interfaces specified, the IP address and interface combination of an IPoE static session must be unique in the public network and all VPN instances.

You cannot configure an IPoE static individual user on an interface configured with an interface-leased user, subnet-leased user, or L2VPN-leased user.

When a session is configured with an IP address range, the system automatically converts the configuration into multiple static session configurations, each with a separate IP address.

For the device to automatically request users to come online, you must configure a static session with the request-online keyword on an interface. Then, the following rules apply:

·          For single-stack IPv4 static users:

◦  In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

◦  In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

·          For single-stack IPv6 static users:

◦  In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

◦  In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·          For dual-stack static users:

◦  If a dual-stack static user is configured with the request-online ip keywords:

-      In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

-      In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

◦  If a dual-stack static user is configured with the request-online ipv6 keywords:

-      In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

-      In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·          For static users on a subinterface configured with ambiguous Dot1q termination or ambiguous QinQ termination, for the device to properly request the static users to come online, you must specify VLANs when configuring static sessions or configure the vlan-termination broadcast enable command on the subinterface. As a best practice, specify VLANs when configuring static sessions.

To perform unified accounting for dual-stack users, you must configure the IPv4 addresses and IPv6 addresses of these dual-stack users in one ip subscriber session static command. The IPv4 addresses and IPv6 addresses must be in a one-to-one mapping relationship. After the configuration, the device forms the first dual-stack static individual session by using the first IPv4 address and the first IPv6 address. The device forms the second dual-stack static individual session by using the second IPv4 address and the second IPv6 address, and so on.

If you configure multiple ISP domains for a static individual user, an ISP domain is selected for the user in the following order:

·          When bind authentication is used:

a.    ISP domain specified by using the domain domain-name option in this command. If the domain does not exist, proceed with step d.

b.    Service-specific domain. If the domain does not exist, proceed with step d.

c.    ISP domain configured by using the ip subscriber unclassified-ip domain command. If the domain does not exist, proceed with step d.

d.    ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·          When Web authentication is used:

○  For how an ISP domain is selected in the preauthentication phase, see the ip subscriber pre-auth domain command.

○  For how an ISP domain is selected in the Web authentication phase, see the ip subscriber web-auth domain command.

If you configure multiple passwords for a static individual user, the passwords are used in the following order:

1.        MAC address if the password mac option is specified in this command.

2.        Password specified by using the ip subscriber password command.

3.        Default password: vlan.

You can bind static IPoE users to VPN instances by using one of the following methods:

·          Method 1: Specify the vpn-instance parameter in this command.

·          Method 2: Authorize VPN instances to users by using AAA.

·          Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.

When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used.

Examples

# Configure an IPv4 IPoE static session with an IP address of 1.1.1.1 and an ISP domain of dm1 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber session static ip 1.1.1.1 domain dm1

Related commands

display ip subscriber session

ip subscriber password

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber static-session request-online interval

ip subscriber session static (system view)

Use ip subscriber session static to configure global IPoE static individual sessions.

Use undo ip subscriber session static to delete global IPoE static individual sessions.

Syntax

IPv4:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

IPv6:

ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

Dual-stack:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online { ip | ipv6 } ] ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

Default

No global IPoE static individual sessions exist.

Views

System view

Predefined user roles

network-admin

Parameters

start-ipv4-address: Specifies a start user IPv4 address.

end-ipv4-address: Specifies an end user IPv4 address, which cannot be lower than the start-ipv4-address argument. All users with IP addresses between start-ipv4-address and end-ipv4-address are specified as static users. If you do not specify the end-ipv4-address argument or the specified end-ipv4-address argument is the same as the start-ipv4-address argument, only one IP address is specified.

start-ipv6-address: Specifies a start user IPv6 address.

end-ipv6-address: Specifies an end user IPv6 address, which cannot be lower than the start-ipv6-address argument. All users with IPv6 addresses between start-ipv6-address and end-ipv6-address are specified as static users. If you do not specify the end-ipv6-address argument or the specified end-ipv6-address argument is the same as the start-ipv6-address argument, only one IPv6 address is specified.

mac mac-address: Specifies a user MAC address in the form of H-H-H.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify an ISP domain, the default system domain is used. For more information about the default system domain, see BRAS Services Configuration Guide.

password: Specifies the password used for user authentication.

mac: Uses the user MAC address as the authentication password in the format of HH:HH:HH:HH:HH:HH.

interface interface-type interface-number: Specifies an interface by its type and number. If you specify an interface, an IPoE static session is initiated only when packets from the specified interface match the manually configured IPoE static session. If you do not specify an interface, an IPoE static session is initiated when packets from any interfaces match the manually configured IPoE static session.

vlan vlan-id: Specifies an outer VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

second-vlan vlan-id: Specifies an inner VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

request-online: Specifies the device to actively send ARP or ICMP requests to request users to come online. If this keyword is not specified, a user must actively send ARP or IP packets to come online.

ip: Specifies the device to actively send IPv4 packets to request users to come online. In Layer 2 access mode, ARP packets are sent. In Layer 3 access mode, ICMP packets are sent.

ipv6: Specifies the device to actively send IPv6 packets to request users to come online. In Layer 2 access mode, ND NS packets are sent. In Layer 3 access mode, ICMPv6 packets are sent.

description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. If this option is not specified, the static session does not have a description. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.

ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the gateway address specified by using the gateway-list export-route command for a DHCPv4 address pool.

ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the global unicast address or link-local address of the access interface in Layer 2 access mode or the global unicast address of the access interface in Layer 3 access mode.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static users by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the static users are in the public network. Support for this option depends on the device model.

keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.

Usage guidelines

For dual-stack static users to come online, you must enable IPoE for both IPv4 and IPv6 protocol stacks.

IPoE static sessions have higher priority than IPoE dynamic sessions. If a user IP packet matches an IPoE static session, the IPoE static session overwrites the existing IPoE dynamic session.

When the IP addresses specified for a static session overlap with the assignable IP addresses in the DHCP pool, follow these guidelines:

·          For a DHCPv4 pool, use the dhcp server forbidden-ip or forbidden-ip command to exclude the overlapping IP addresses from dynamic allocation.

·          For a DHCPv6 pool, use the ipv6 dhcp server forbidden-address command to exclude the overlapping IPv6 addresses from dynamic allocation.

For more information about excluding IP addresses from dynamic allocation, see DHCP commands and DHCPv6 commands in BRAS Services Command Reference.

In the public network or the same VPN instance, a maximum of one IPoE static session can be configured for one IP address. You cannot use the ip subscriber session static command to modify an IPoE static session configured with the mac, domain, interface, or request-online keyword. To modify such an IPoE session, use the undo form of the command to delete the session, and then reconfigure it with new parameter settings.

For interface-level static sessions and global static sessions with interfaces specified, the IP address and interface combination of an IPoE static session must be unique in the public network and all VPN instances.

For global static sessions without interfaces specified, the IP address of a global IPoE static session must be unique in the public network and all VPN instances.

To delete a session, the IP address or range in the undo form must be the same as that in the ip subscriber session static command. To delete sessions for an IP address or range that belongs to an IP address range, delete the sessions for the entire address range.

Interface-level IPoE static sessions take precedence over global IPoE static sessions.

For the device to automatically request users to come online, you must configure a static session with the request-online and interface keywords. Then, the following rules apply:

·          For single-stack IPv4 static users:

○  In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

○  In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

·          For single-stack IPv6 static users:

○  In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

○  In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·          For dual-stack static users:

○  If a dual-stack static user is configured with the request-online ip keywords:

-      In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

-      In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

○  If a dual-stack static user is configured with the request-online ipv6 keywords:

-      In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

-      In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·          For static users on a subinterface configured with ambiguous Dot1q termination or ambiguous QinQ termination, for the device to properly request the static users to come online, you must specify VLANs when configuring static sessions or configure the vlan-termination broadcast enable command on the subinterface. As a best practice, specify VLANs when configuring static sessions.

To perform unified accounting for dual-stack users, you must configure the IPv4 addresses and IPv6 addresses of these dual-stack users in one ip subscriber session static command. The IPv4 addresses and IPv6 addresses must be in a one-to-one mapping relationship. After the configuration, the device forms the first dual-stack static individual session by using the first IPv4 address and the first IPv6 address. The device forms the second dual-stack static individual session by using the second IPv4 address and the second IPv6 address, and so on.

If you configure multiple ISP domains for a static individual user, an ISP domain is selected for the user in the following order:

·          When bind authentication is used:

a.    ISP domain specified by using the domain domain-name option in this command. If the domain does not exist, proceed with step d.

b.    Service-specific domain. If the domain does not exist, proceed with step d.

c.    ISP domain configured by using the ip subscriber unclassified-ip domain command. If the domain does not exist, proceed with step d.

d.    ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·          When Web authentication is used:

○  For how an ISP domain is selected in the preauthentication phase, see the ip subscriber pre-auth domain command.

○  For how an ISP domain is selected in the Web authentication phase, see the ip subscriber web-auth domain command.

If you configure multiple passwords for a static individual user, the passwords are used in the following order:

1.        MAC address if the password mac option is specified in this command.

2.        Password specified by using the ip subscriber password command.

3.        Default password: vlan.

You can bind static IPoE users to VPN instances by using one of the following methods:

·          Method 1: Specify the vpn-instance parameter in this command.

·          Method 2: Authorize VPN instances to users by using AAA.

·          Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.

When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used.

Examples

# Configure a global IPoE static session with an IP address of 1.1.1.1 and an ISP domain of dm1.

<Sysname> system-view

[Sysname] ip subscriber session static ip 1.1.1.1 domain dm1
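The following pre-deployment check is an added example, not H3C code. It parses system-view ip subscriber session static lines and flags four conditions from the usage guidelines: an end address lower than the start, dual-stack ranges that are not one-to-one, overlapping addresses, and sessions that would authenticate with the default password vlan. The sample lines, finding codes, and the password_cmd_configured flag (standing in for a configured ip subscriber password command) are assumptions.

```python
import ipaddress

# Constructed sample configuration (system-view syntax from this section).
SAMPLE = [
    "ip subscriber session static ip 1.1.1.1 domain dm1",
    "ip subscriber session static ip 10.0.0.1 10.0.0.4 ipv6 2001:db8::1 2001:db8::3 password mac",
    "ip subscriber session static ip 10.0.0.3 10.0.0.9 password mac vpn-instance vpn1",
    "ip subscriber session static ip 10.1.0.9 10.1.0.2 password mac",
]


def _addr(text):
    """Return an ipaddress object, or None when text is not an address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_static_session(line):
    """Extract address ranges, VPN instance, interface and 'password mac'."""
    tok = line.split()
    if tok[:4] != ["ip", "subscriber", "session", "static"]:
        raise ValueError("not an 'ip subscriber session static' command")
    tok = tok[4:]
    s = {"ip": None, "ipv6": None, "vpn": None, "interface": None,
         "password_mac": False}
    i = 0
    # The address ranges come first: ip start [end] and/or ipv6 start [end].
    while i < len(tok) and tok[i] in ("ip", "ipv6") and s[tok[i]] is None:
        fam, want = tok[i], 4 if tok[i] == "ip" else 6
        start = _addr(tok[i + 1]) if i + 1 < len(tok) else None
        end = _addr(tok[i + 2]) if i + 2 < len(tok) else None
        if start is None or start.version != want:
            raise ValueError(f"bad {fam} start address: {line}")
        if end is not None and end.version != want:
            raise ValueError(f"bad {fam} end address: {line}")
        s[fam] = (start, start if end is None else end)
        i += 2 if end is None else 3
    if s["ip"] is None and s["ipv6"] is None:
        raise ValueError(f"no address range: {line}")
    rest = tok[i:]
    for j, t in enumerate(rest):
        nxt = rest[j + 1:j + 3]
        if t == "vpn-instance" and nxt:
            s["vpn"] = nxt[0]  # VPN instance names are case-sensitive
        elif t == "interface" and len(nxt) == 2:
            # Assumption: interface is written as two tokens, "type number".
            s["interface"] = " ".join(nxt).lower()
        elif t == "password" and nxt[:1] == ["mac"]:
            s["password_mac"] = True
    return s


def lint(lines, password_cmd_configured=False):
    """Return (line_index, code, detail) findings for the listed commands."""
    sessions = [parse_static_session(l) for l in lines]
    findings = []
    for idx, s in enumerate(sessions):
        sizes = {}
        for fam in ("ip", "ipv6"):
            if s[fam] is None:
                continue
            start, end = s[fam]
            if end < start:
                findings.append((idx, "end-below-start", fam))
                s[fam] = None  # keep the invalid range out of later checks
            else:
                sizes[fam] = int(end) - int(start) + 1
        # Unified accounting needs the n-th IPv4 paired with the n-th IPv6.
        if len(sizes) == 2 and sizes["ip"] != sizes["ipv6"]:
            detail = f"{sizes['ip']} IPv4 vs {sizes['ipv6']} IPv6"
            findings.append((idx, "not-one-to-one", detail))
        # Password order: password mac, ip subscriber password, then "vlan".
        if not s["password_mac"] and not password_cmd_configured:
            findings.append((idx, "default-password", "falls back to 'vlan'"))
    # An address may appear once per VPN instance (or public network), and
    # once per interface (or once among sessions without an interface).
    for b_idx, b in enumerate(sessions):
        for a_idx in range(b_idx):
            a = sessions[a_idx]
            if a["vpn"] != b["vpn"] and a["interface"] != b["interface"]:
                continue
            if any(a[f] and b[f] and a[f][0] <= b[f][1] and b[f][0] <= a[f][1]
                   for f in ("ip", "ipv6")):
                findings.append((b_idx, "overlap", f"with line {a_idx}"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
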

Related commands

display ip subscriber session

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber password

ip subscriber static-session request-online interval

ip subscriber static-session request-online interval

Use ip subscriber static-session request-online interval to configure the interval at which the device sends online requests to IPoE static individual users.

Use undo ip subscriber static-session request-online interval to restore the default.

Syntax

ip subscriber static-session request-online interval seconds

undo ip subscriber static-session request-online interval

Default

The interval at which the device sends online requests to IPoE static individual users is 180 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the interval at which the device sends online requests to IPoE static individual users. The value range is 60 to 3600 seconds.

Usage guidelines

Set the request interval when the device actively sends ARP, ICMP, ND NS, or ICMPv6 packets to request IPoE static individual users to come online. To configure the device to actively send online requests, use the ip subscriber session static command in system or interface view.

Examples

# Set the interval at which the device sends online requests to IPoE static individual users to 60 seconds.

<Sysname> system-view

[Sysname] ip subscriber static-session request-online interval 60

Related commands

ip subscriber session static

ip subscriber subnet-leased

Use ip subscriber subnet-leased to configure a subnet-leased user.

Use undo ip subscriber subnet-leased to delete a subnet-leased user.

Syntax

ip subscriber subnet-leased ip ipv4-address { mask | mask-length } username name password { ciphertext | plaintext } string [ domain domain-name ]

undo ip subscriber subnet-leased ip ipv4-address { mask | mask-length }

ip subscriber subnet-leased ipv6 ipv6-address prefix-length username name password { ciphertext | plaintext } string [ domain domain-name ]

undo ip subscriber subnet-leased ipv6 ipv6-address prefix-length

Default

No subnet-leased user exists.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a user IPv4 address.

mask: Specifies an IPv4 address mask in dotted decimal notation.

mask-length: Specifies a mask length, an integer in the range of 1 to 31.

ipv6 ipv6-address: Specifies a user IPv6 address.

prefix-length: Specifies the IPv6 prefix length in the range of 1 to 127.

username name: Specifies a username for authentication, a case-sensitive string of 1 to 255 characters.

password: Specifies a password for authentication.

ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify an ISP domain, the default system domain is used. For more information about the default system domain, see BRAS Services Configuration Guide.

Usage guidelines

A subnet-leased user represents all access users in a subnet of the interface.

With IPoE enabled for both IPv4 and IPv6 protocol stacks on an interface in up state, the BRAS creates an IPoE subnet-leased session based on the ip subscriber subnet-leased command configuration. After the session is set up, the session does not need to be initiated by user traffic. The BRAS initiates authentication by using the configured username and password. After the authentication succeeds, traffic of all users in the subnet of the interface is permitted, and the users share one IPoE session. The BRAS performs authorization and accounting for all users in the subnet.

You can configure only one subnet-leased user on each subnet.

You cannot configure a subnet-leased user on an interface configured with individual users, an interface-leased user, or an L2VPN-leased user.

An ISP domain is selected for an IPoE subnet-leased user in the following order:

1.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 4.

2.        ISP domain specified by using the domain domain-name option in this command. If the ISP domain does not exist, proceed with step 4.

3.        ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain does not exist, proceed with step 4.

4.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure a subnet-leased user for subnet 1.1.1.1/24 with a username of netuser and a plaintext password of pw123 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber subnet-leased ip 1.1.1.1 24 username netuser password plaintext pw123

Related commands

display ip subscriber subnet-leased

ip subscriber timer quiet

Use ip subscriber timer quiet to enable the quiet timer and set the quiet time period for users.

Use undo ip subscriber timer quiet to restore the default.

Syntax

ip subscriber timer quiet time

undo ip subscriber timer quiet

Default

The quiet timer is disabled for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

time: Specifies the quiet timer period in the range of 10 to 3600 seconds.

Usage guidelines

With this command configured, IPoE starts the quiet timer after the number of consecutive authentication failures of a user reaches the limit in the specified period. The BRAS drops packets from the user during the quiet timer period. After the quiet timer expires, the BRAS performs authentication upon receiving a packet from the user.

When a user that comes online through a global interface is blocked and the slot where the session of the blocked user resides is switched, the device will initiate authentication again for the user. If the user successfully passes authentication before reaching the maximum number of consecutive authentication failures, the user will be unblocked. Otherwise, the user will be blocked again.

Examples

# Enable the quiet timer and set the quiet timer period to 100 seconds for users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber timer quiet 100

Related commands

display ip subscriber chasten user auth-failed

display ip subscriber chasten user quiet

ip subscriber authentication chasten

ip subscriber timer traffic

Use ip subscriber timer traffic to set the traffic statistics update timer for IPoE sessions.

Use undo ip subscriber timer traffic to restore the default.

Syntax

ip subscriber timer traffic value

undo ip subscriber timer traffic

Default

The traffic statistics update timer for IPoE sessions is 1000 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies the traffic statistics update timer for IPoE sessions, a multiple of 100 in the range of 100 to 1200000 milliseconds.

Usage guidelines

When the timer times out, IPoE updates traffic statistics for static and dynamic sessions.

Updating traffic statistics for IPoE sessions consumes certain system resources. As a best practice, use the default traffic statistics update timer. You can set the traffic statistics update timer for IPoE sessions based on the statistic frequency requirement.

When the network has a large number of online users authorized with the idle-cut attribute, adjust the traffic statistics update timer according to the authorized idle-cut attribute to prevent users from being logged out because the idle timer times out.

Examples

# Set the traffic statistics update timer for IPoE sessions to 300 milliseconds.

<Sysname> system-view

[Sysname] ip subscriber timer traffic 300

ip subscriber trust

Use ip subscriber trust to configure a trusted option for DHCP users.

Use undo ip subscriber trust to cancel a trusted option.

Syntax

ip subscriber trust { option12 | option60 | option77 | option82 | option16 | option17 | option18 | option37 }

undo ip subscriber trust { option12 | option60 | option77 | option82 | option16 | option17 | option18 | option37 }

Default

No trusted options are configured for DHCP users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

option12: Specifies Option 12 as the trusted option.

option60: Specifies Option 60 as the trusted option.

option77: Specifies Option 77 as the trusted option.

option82: Specifies Option 82 as the trusted option.

option16: Specifies Option 16 as the trusted option.

option17: Specifies Option 17 as the trusted option.

option18: Specifies Option 18 as the trusted option.

option37: Specifies Option 37 as the trusted option.

Usage guidelines

In a DHCP relay agent network, the BRAS can obtain the Option 60 information from DHCP Discover packets. If the BRAS trusts Option 60 and the ip subscriber dhcp domain or ip subscriber dhcp option60 match command is not configured, the following information is used as the ISP domain:

·          All information in Option 60 if the option does not contain invalid characters or the at sign (@).

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

·          Information that follows the last at sign (@) if the option contains at signs (@) and does not contain invalid characters.

When the string selected by using the ip subscriber trust option60 command is used as the ISP domain for authentication and the ip subscriber dhcp domain include command is configured, the domain name generated according to the domain name generation rule is used. For more information about the domain name generation rules, see "ip subscriber dhcp domain include."

For more information about how an ISP domain is determined when the ip subscriber dhcp domain command is configured, see "ip subscriber dhcp domain."

For more information about how an ISP domain is determined when the ip subscriber dhcp option60 match command is configured, see "ip subscriber dhcp option60 match."

For more information about how an ISP domain is determined when the BRAS does not trust DHCPv4 Option 60, see "ip subscriber dhcp domain."

In a DHCP relay agent network, the BRAS can obtain the Option 82 information from DHCP Discover packets. If the BRAS trusts DHCPv4 Option 82, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses the information to encapsulate RADIUS attributes:

·          Obtains the Circuit-ID information and uses it to encapsulate NAS-Port-ID that adopts version 2.0 as the encapsulation format.

·          Obtains the Circuit-ID information and uses it to encapsulate DSL_AGENT_CIRCUIT_ID.

·          Obtains the Remote-ID information and uses it to encapsulate DSL_AGENT_REMOTE_ID.

If the BRAS does not trust DHCPv4 Option 82, it does not use the Option 82 to encapsulate RADIUS attributes.

In a DHCPv6 network, the BRAS can obtain the ISP domain information from Option 16 or Option 17. Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.

If the BRAS trusts Option 16 and the ip subscriber dhcp domain or ip subscriber dhcpv6 option16 match command is not configured, the following information is used as the ISP domain:

·          All information in Option 16 if the option does not contain invalid characters or the at sign (@).

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

·          Information that follows the last at sign (@) if the option contains at signs (@) and does not contain invalid characters.

For more information about how an ISP domain is determined when the ip subscriber dhcp domain command is configured, see "ip subscriber dhcp domain."

For more information about how an ISP domain is determined when the ip subscriber dhcpv6 option16 match command is configured, see "ip subscriber dhcp domain."

For more information about how an ISP domain is determined when the BRAS does not trust DHCPv6 Option 16, see "ip subscriber dhcp domain."
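The Option 60 and Option 16/17 rules above can be modelled as follows. This is an added example, not H3C code. Because these option strings are set by the DHCP client, it also compares each derived ISP domain with an operator allow-list. The function names, the allow-list, and the sample requests are assumptions. The page does not state what happens when the option contains invalid characters or nothing follows the last at sign, so the model returns None for those cases.

```python
# Invalid characters listed in the usage guidelines.
INVALID_CHARS = frozenset('/\\|":*?<>')
# Options this section describes as carrying ISP domain information.
DOMAIN_OPTIONS = {"option60", "option16", "option17"}
TRUST_KEYWORDS = {"option12", "option60", "option77", "option82",
                  "option16", "option17", "option18", "option37"}


def trust_conflicts(trusted):
    """Return problems in the set of trusted options on one interface."""
    problems = [f"unknown keyword: {o}" for o in sorted(set(trusted) - TRUST_KEYWORDS)]
    if {"option16", "option17"} <= set(trusted):
        problems.append("option16 and option17 cannot both be trusted")
    return problems


def derive_domain(value):
    """Apply the two derivation rules to the option string."""
    if not value or any(ch in INVALID_CHARS for ch in value):
        return None  # outcome not stated on the page; modelled as "none"
    if "@" not in value:
        return value  # rule 1: the whole option is the ISP domain
    # Rule 2: the text after the last at sign is the ISP domain.
    return value.rsplit("@", 1)[1] or None


def domain_for_request(option, value, trusted, override_configured=False):
    """Domain taken from the option, or None when the rules do not apply.

    override_configured stands for a configured ip subscriber dhcp domain
    or option match command, which takes the decision away from these rules.
    """
    if option not in DOMAIN_OPTIONS or option not in trusted:
        return None
    if override_configured:
        return None
    return derive_domain(value)


def unexpected_domains(requests, trusted, allowed):
    """List requests whose derived domain is outside the allow-list."""
    allowed = {d.casefold() for d in allowed}  # domain names are case-insensitive
    hits = []
    for option, value in requests:
        dom = domain_for_request(option, value, trusted)
        if dom is not None and dom.casefold() not in allowed:
            hits.append((option, value, dom))
    return hits


# Constructed sample: (option keyword, option string as received).
SAMPLE_REQUESTS = [
    ("option60", "dm1"),
    ("option60", "alice@corp@dm1"),
    ("option60", "host@guest"),
    ("option60", "dm1/x"),
    ("option16", "user@dm2"),
    ("option60", "user@"),
]

if __name__ == "__main__":
    print(unexpected_domains(SAMPLE_REQUESTS, {"option60", "option82"}, {"DM1"}))
```
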

In a DHCP relay agent network, the BRAS can obtain the specified Option information from DHCPv6 packets. If the BRAS trusts DHCPv6 Option 18 or Option 37, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses the information to encapsulate RADIUS attributes:

·          Obtains information from Option 18 and uses it to encapsulate NAS-Port-ID that uses the version 2.0 encapsulation format.

·          Obtains information from Option 18 and uses it to encapsulate DSL_AGENT_CIRCUIT_ID.

·          Obtains information from Option 37 and uses it to encapsulate DSL_AGENT_REMOTE_ID.

On the same interface, you can execute this command multiple times to configure multiple trusted options. However, you cannot configure the interface to trust both Option 16 and Option 17. For example, if you have configured Option 16 as a trusted option, you cannot configure Option 17 as a trusted option.

Examples

# Configure DHCPv4 Option 82 as a trusted option on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber trust option82

Related commands

ip subscriber access-line-id circuit-id trans-format

ip subscriber access-line-id remote-id trans-format

ip subscriber dhcp domain

ip subscriber dhcp domain include

ip subscriber dhcp option60 match

ip subscriber dhcpv6 match

ip subscriber initiator dhcp enable

ip subscriber nas-port-id format

ip subscriber nas-port-id nasinfo-insert

ip subscriber unclassified-ip domain

Use ip subscriber unclassified-ip domain to configure an ISP domain for users.

Use undo ip subscriber unclassified-ip domain to restore the default.

Syntax

ip subscriber unclassified-ip domain domain-name

undo ip subscriber unclassified-ip domain

Default

No ISP domain is configured for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command configures an ISP domain for unclassified-IP users, static individual users, and subnet/interface-leased users.

An ISP domain is selected for an unclassified-IP user in the following order:

1.        Service-specific ISP domain. If the ISP domain does not exist, proceed with step 3.

2.        ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain does not exist, proceed with step 3.

3.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For how an ISP domain is selected for an IPoE static user, see the ip subscriber session static command.

For how an ISP domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an ISP domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

Examples

# Configure ISP domain dm1 for users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ip domain dm1

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber service-identify

ip subscriber unclassified-ip ip match

Use ip subscriber unclassified-ip ip match to configure trusted source IPv4 addresses for unclassified-IPv4 users.

Use undo ip subscriber unclassified-ip ip match to restore the default.

Syntax

ip subscriber unclassified-ip ip match start-ip-address [ end-ip-address ]

undo ip subscriber unclassified-ip ip match start-ip-address [ end-ip-address ]

Default

No trusted source IPv4 addresses are configured. When unclassified-IPv4 packet initiation is enabled on an interface, all unclassified-IPv4 packets can initiate IPoE authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IPv4 address.

end-ip-address: Specifies the end IPv4 address. The end IPv4 address must be higher than the start IPv4 address. If you specify this option, IPv4 addresses in the IPv4 address range are used as the source IPv4 addresses. If you do not specify this option or the end IPv4 address and start IPv4 address are the same, the start IPv4 address is used as the source IPv4 address.

Usage guidelines

When unclassified-IPv4 packet initiation is enabled and portal authentication is configured, a user comes online as a static IPoE user if the unclassified-IPv4 packets match a static IPoE session. Otherwise, the following rules apply:

·          If this command is configured, IPoE authentication is available only for unclassified-IPv4 users who send packets with the trusted source IPv4 addresses. Portal authentication is available for unclassified-IPv4 users who send packets with untrusted source IPv4 addresses.

·          If this command is not configured, all unclassified-IPv4 users use portal authentication.

For more information about portal authentication, see BRAS Services Configuration Guide.

If unclassified-IPv4 packet initiation is enabled but portal authentication is not configured on an interface, a user comes online as a static IPoE user if the unclassified-IPv4 packets match a static IPoE session. Otherwise, the following rules apply:

·          If this command is configured, unclassified-IPv4 packets with untrusted source IPv4 addresses are dropped. Only unclassified-IPv4 packets with trusted source IPv4 addresses can initiate IPoE authentication.

·          If this command is not configured, the user comes online as an unclassified-IPv4 user.

To cancel trust configuration for an IPv4 address or range belonging to a trusted IPv4 address range, cancel trust configuration for the entire IPv4 address range.

You can use this command multiple times to configure multiple trusted IPv4 addresses or IPv4 address ranges.

Examples

# Configure a trusted IPv4 address range of 192.168.1.10 to 192.168.1.100 for IPv4 users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ip ip match 192.168.1.10 192.168.1.100

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber unclassified-ip ipv6 match

Use ip subscriber unclassified-ip ipv6 match to configure trusted source IPv6 addresses for unclassified-IPv6 users.

Use undo ip subscriber unclassified-ip ipv6 match to restore the default.

Syntax

ip subscriber unclassified-ip ipv6 match start-ipv6-address [ end-ipv6-address ]

undo ip subscriber unclassified-ip ipv6 match start-ipv6-address [ end-ipv6-address ]

Default

No trusted source IPv6 addresses are configured. When unclassified-IPv6 packet initiation is enabled on an interface, all unclassified-IPv6 packets can initiate IPoE authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address. The end IPv6 address must be higher than the start IPv6 address. If you specify this option, IPv6 addresses in the IPv6 address range are used as the source IPv6 addresses. If you do not specify this option, the start IPv6 address is used as the source IPv6 address.

Usage guidelines

If unclassified-IPv6 packet initiation is enabled and portal authentication is configured, the following rules apply:

·          If this command is configured, IPoE authentication is available only for unclassified-IPv6 users who send packets with the trusted source IPv6 addresses. Portal authentication is available for unclassified-IPv6 users who send packets with untrusted source IPv6 addresses.

·          If this command is not configured, all unclassified-IPv6 users use portal authentication.

For more information about portal authentication, see BRAS Services Configuration Guide.

If unclassified-IPv6 packet initiation is enabled but portal authentication is not configured on an interface, unclassified-IPv6 packets with untrusted source IPv6 addresses are dropped. Only unclassified-IPv6 packets with trusted source IPv6 addresses can initiate IPoE authentication.

To cancel trust configuration for an IPv6 address or range belonging to a trusted IPv6 address range, cancel trust configuration for the entire IPv6 address range.

You can use this command multiple times to configure multiple trusted IPv6 addresses or IPv6 address ranges.

Examples

# Configure a trusted IPv6 address range of 2001::1:10 to 2001::1:100 for unclassified-IPv6 users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ip ipv6 match 2001::1:10 2001::1:100
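
The usage guidelines of ip subscriber unclassified-ip ip match and ip subscriber unclassified-ip ipv6 match combine into one decision per source address. The following Python model is an added example, not H3C code, for checking a planned trust configuration before applying it. The function and parameter names are hypothetical, and the static-session branch is stated on this page for IPv4 only.

```python
import ipaddress
from enum import Enum


class Outcome(Enum):
    STATIC_IPOE = "comes online as a static IPoE user"
    IPOE_AUTH = "can initiate IPoE authentication"
    PORTAL_AUTH = "uses portal authentication"
    DROPPED = "packet is dropped"


def parse_match(start, end=None):
    """One 'ip match' / 'ipv6 match' entry as an inclusive (low, high) pair."""
    low = ipaddress.ip_address(start)
    high = ipaddress.ip_address(end) if end is not None else low
    if low.version != high.version:
        raise ValueError("start and end must belong to the same address family")
    if high < low:
        raise ValueError("end address is lower than start address")
    return low, high


def range_size(entry):
    """Number of source addresses that one entry trusts."""
    low, high = entry
    return int(high) - int(low) + 1


def decide(src, entries, portal_configured, matches_static_session=False):
    """Outcome for one unclassified-IP packet with source address src."""
    addr = ipaddress.ip_address(src)
    if matches_static_session:          # stated on the page for IPv4 packets
        return Outcome.STATIC_IPOE
    # The IPv4 and IPv6 commands are separate: only same-family entries count.
    family = [e for e in entries if e[0].version == addr.version]
    if not family:                      # match command not configured
        return Outcome.PORTAL_AUTH if portal_configured else Outcome.IPOE_AUTH
    if any(low <= addr <= high for low, high in family):
        return Outcome.IPOE_AUTH        # trusted source address
    return Outcome.PORTAL_AUTH if portal_configured else Outcome.DROPPED


def audit(sources, entries, portal_configured):
    """Map each source address to the name of its outcome."""
    return {s: decide(s, entries, portal_configured).name for s in sources}


# The two ranges from the examples on this page.
ENTRIES = [
    parse_match("192.168.1.10", "192.168.1.100"),
    parse_match("2001::1:10", "2001::1:100"),
]

if __name__ == "__main__":
    for entry in ENTRIES:
        print(entry[0], "-", entry[1], "trusts", range_size(entry), "addresses")
    # Constructed source addresses, interface without portal authentication.
    print(audit(["192.168.1.50", "192.168.1.101", "2001::1:ff"], ENTRIES, False))
```

IPv6 bounds are hexadecimal, so the range 2001::1:10 to 2001::1:100 trusts 241 addresses (0x10 through 0x100), including 2001::1:ff.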

Related commands

ip subscriber initiator unclassified-ipv6 enable

ip subscriber unclassified-ip max-session

Use ip subscriber unclassified-ip max-session to set the IPoE session limit for unclassified-IPv4 packet initiation on an interface.

Use undo ip subscriber unclassified-ip max-session to restore the default.

Syntax

ip subscriber unclassified-ip max-session max-number

undo ip subscriber unclassified-ip max-session

Default

The IPoE session limit for unclassified-IPv4 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for unclassified-IPv4 packet initiation, in the range of 1 to 64000.

Usage guidelines

If the IPoE session limit for unclassified-IPv4 packet initiation is reached, no more IPoE sessions can be initiated by unclassified-IPv4 packets. IPoE sessions initiated by unclassified-IPv4 packets include single-stack IPv4 sessions and dual-stack sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber unclassified-ipv6 max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is configured together with the ip subscriber max-session command, both commands take effect. The two commands control sessions from different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for unclassified-IPv4 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ip max-session 100

Related commands

display ip subscriber session

ip subscriber initiator unclassified-ip enable

ip subscriber max-session

reset ip subscriber session

ip subscriber unclassified-ip username

Use ip subscriber unclassified-ip username to configure an authentication user naming convention for unclassified-IP users and static individual users.

Use undo ip subscriber unclassified-ip username to restore the default.

Syntax

ip subscriber unclassified-ip username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [separator separator ] | slot [ separator separator ] | source-ip [ address-separator address-separator ] [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber unclassified-ip username

Default

No authentication user naming convention is configured for unclassified-IP users and static individual users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

nas-port-id: Includes the NAS-Port-ID attribute in a username.

port: Includes the number of the port that receives the user packets in a username.

second-vlan: Includes the inner VLAN ID in a username.

slot: Includes the number of the slot that receives the user packets in a username.

source-ip: Includes the source IP address in a username.

address-separator address-separator: Specifies any printable character as the separator for the IPv4 address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated IPv4 address (xxxx-xxxx-xxxx) or colon-separated IPv6 address (x::x:x). If you do not specify a separator, the username is the dot-separated IP address (x.x.x.x). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

source-mac: Includes the source MAC address in a username.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

string string: Includes the specified string in a username, a case-sensitive string of 1 to 64 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

subslot: Includes the number of the subslot that receives the user packets in a username.

sysname: Includes the name of the device that receives the user packets in a username.

vlan: Includes the outer VLAN ID in a username.

separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

Usage guidelines

Usernames obtained based on the naming convention are used for authentication and must be the same as those configured on the AAA server.

You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.

Examples

# Configure the source IP address as the authentication username for unclassified-IP users and static individual users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ip username include source-ip

# Configure an authentication user naming convention for unclassified-IP users and static individual users on GigabitEthernet 3/1/1. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ip username include sysname separator # slot separator # subslot separator # port separator # vlan
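
Because the generated usernames must be the same as those configured on the AAA server, it helps to render them offline from the configured convention. The following Python sketch is an added example, not H3C code. It parses the include clause and builds the username in configuration order. Lower-case MAC digits, replacing the dots of an IPv4 address with the address separator, and omitting the separator of the last option are assumptions.

```python
import re

SIMPLE = {"nas-port-id", "port", "second-vlan", "slot", "subslot", "sysname", "vlan"}
ADDRESS = {"source-ip", "source-mac"}
FORBIDDEN_IN_STRING = set('/\\|"*?<>@')


def _take_separator(tokens, i, what):
    """Return the single-character separator at tokens[i]; '@' is rejected."""
    if i >= len(tokens) or len(tokens[i]) != 1 or not tokens[i].isprintable():
        raise ValueError(f"{what} needs one printable character")
    if tokens[i] == "@":
        raise ValueError(f"{what} must not be the at sign")
    return tokens[i]


def parse_convention(cli):
    """Parse '... username include <options>' into an ordered list of items."""
    tokens = cli.split()
    if "include" not in tokens:
        raise ValueError("no 'include' keyword")
    tokens = tokens[tokens.index("include") + 1:]
    items, i = [], 0
    while i < len(tokens):
        kw = tokens[i]
        i += 1
        item = {"keyword": kw, "string": None,
                "address_separator": None, "separator": ""}
        if kw == "string":
            if i >= len(tokens):
                raise ValueError("'string' needs a value")
            text = tokens[i]
            i += 1
            if not 1 <= len(text) <= 64 or FORBIDDEN_IN_STRING & set(text):
                raise ValueError(f"invalid string value {text!r}")
            item["string"] = text
        elif kw not in SIMPLE | ADDRESS:
            raise ValueError(f"unknown keyword {kw!r}")
        if kw in ADDRESS and i < len(tokens) and tokens[i] == "address-separator":
            item["address_separator"] = _take_separator(tokens, i + 1, "address-separator")
            i += 2
        if i < len(tokens) and tokens[i] == "separator":
            item["separator"] = _take_separator(tokens, i + 1, "separator")
            i += 2
        items.append(item)
    if not items:
        raise ValueError("at least one option is required")
    return items


def _field(item, ctx):
    """Value of one option for the session described by ctx."""
    kw = item["keyword"]
    if kw == "string":
        return item["string"]
    value, sep = str(ctx[kw]), item["address_separator"]
    if kw == "source-mac":
        digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()  # assumption: lower-case
        if len(digits) != 12:
            raise ValueError(f"invalid MAC address {value!r}")
        return sep.join(digits[n:n + 4] for n in (0, 4, 8)) if sep else digits
    if kw == "source-ip" and sep and "." in value:
        return value.replace(".", sep)                       # assumption, IPv4 only
    return value


def render_username(items, ctx):
    """Concatenate the options in configuration order."""
    parts = []
    for n, item in enumerate(items):
        parts.append(_field(item, ctx))
        if n < len(items) - 1:       # assumption: no trailing separator
            parts.append(item["separator"])
    return "".join(parts)


if __name__ == "__main__":
    cli = ("ip subscriber unclassified-ip username include sysname separator # "
           "slot separator # subslot separator # port separator # vlan")
    # Constructed session attributes for GigabitEthernet 3/1/1, outer VLAN 100.
    session = {"sysname": "Sysname", "slot": 3, "subslot": 1, "port": 1, "vlan": 100}
    print(render_username(parse_convention(cli), session))
```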

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber password

ip subscriber unclassified-ipv6 max-session

Use ip subscriber unclassified-ipv6 max-session to set the IPoE session limit for unclassified-IPv6 packet initiation on an interface.

Use undo ip subscriber unclassified-ipv6 max-session to restore the default.

Syntax

ip subscriber unclassified-ipv6 max-session max-number

undo ip subscriber unclassified-ipv6 max-session

Default

The IPoE session limit for unclassified-IPv6 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for unclassified-IPv6 packet initiation, in the range of 1 to 64000.

Usage guidelines

If the IPoE session limit for unclassified-IPv6 packet initiation is reached, no more IPoE sessions can be initiated by unclassified-IPv6 packets. IPoE sessions initiated by unclassified-IPv6 packets include single-stack IPv6 sessions and dual-stack IPoE sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber unclassified-ip max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is configured together with the ip subscriber max-session command, both commands take effect. The two commands control sessions from different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for unclassified-IPv6 packet initiation on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber unclassified-ipv6 max-session 100

Related commands

display ip subscriber session

ip subscriber initiator unclassified-ipv6 enable

ip subscriber max-session

reset ip subscriber session

ip subscriber username

Use ip subscriber username to configure the username for an IPoE individual user.

Use undo ip subscriber username to restore the default.

Syntax

ip subscriber username { mac-address [ address-separator address-separator ] [ lowercase | uppercase ] | string string }

undo ip subscriber username

Default

No username is configured for an IPoE individual user.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

mac-address: Uses a MAC address as the username. The MAC address of the user is preferentially used. If the user MAC address cannot be obtained, the source MAC address of packets is used. By default, the letters in a MAC address are lower-case and a MAC address does not have hyphens.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

lowercase: Specifies the letters in the MAC address as lower-case.

uppercase: Specifies the letters in the MAC address as upper-case.

string string: Uses the specified string as the username, a case-sensitive string of 1 to 64 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

To avoid configuring usernames for each initiation method separately when multiple individual session initiation methods are configured on an interface, you can use this command to uniformly configure authentication usernames for all individual users on an interface.

For individual users using bind authentication, usernames are selected in the following order:

1.        Username configured by using the command specific to the users.

○  For DHCP users, username obtained by using the ip subscriber dhcp username command.

○  For ND RS users, username obtained by using the ip subscriber ndrs username command.

○  For unclassified-IP users and static individual users, username obtained by using the ip subscriber unclassified-ip username command.

2.        Username configured by using the ip subscriber username command.

3.        Default user name.

○  For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.

○  For ND RS users, source MAC address of packets.

○  For unclassified-IP users and static individual users, source IP address of packets.

For Web authentication and Web MAC authentication in the preauthentication phase, usernames for individual users are selected in the same order as for individual users using bind authentication.

For Web authentication in the Web authentication phase, usernames are selected in the following order for individual users:

1.        Username that the user enters when logging in.

2.        Username configured by using the ip subscriber username command.

3.        Default user name.

○  For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.

○  For ND RS users, source MAC address of packets.

○  For static individual users, source IP address of packets.

For Web MAC authentication in the Web authentication phase, usernames are selected in the following order for individual users:

1.        Username configured by using the ip subscriber username command.

2.        Default user name.

○  For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.

○  For ND RS users, source MAC address of packets.

○  For static individual users, source IP address of packets.

Examples

# Use the MAC address of an IPoE individual user as the username on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber username mac-address

ip subscriber user-detect ip

Use ip subscriber user-detect ip to configure online detection for IPv4 protocol stack users.

Use undo ip subscriber user-detect ip to restore the default.

Syntax

ip subscriber user-detect ip { arp | icmp } retry retries interval interval [ no-datacheck ]

undo ip subscriber user-detect ip

Default

For leased subusers, no matter whether user uplink traffic is updated within a detection timer period, the BRAS sends packets to detect the online status of users after the detection timer expires.

For other users, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period. If user uplink traffic is not updated within a detection timer period, the BRAS uses the ARP request packets to detect IPv4 protocol stack users.

The BRAS performs a maximum of five detection attempts after the first detection failure. The detection timer is 120 seconds.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

arp: Specifies ARP request packets as detection packets.

icmp: Specifies ICMP request packets as detection packets.

retry retries: Specifies the maximum number of detection attempts following the first detection attempt, in the range of 2 to 255.

interval interval: Configures the detection timer for each attempt, in the range of 30 to 1200 seconds.

no-datacheck: Specifies sending detection packets after the detection timer expires no matter whether user uplink traffic is updated within a detection timer period. If this keyword is not specified, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period. Otherwise, detection packets are sent. When the accounting mode is merge for dual-stack users, the sum of IPv4 uplink traffic and IPv6 uplink traffic is used to determine whether the user uplink traffic is updated. This keyword does not take effect on leased subusers.

Usage guidelines

Online detection enables the BRAS to periodically detect the status of an IPv4 protocol stack user. It uses ARP or ICMP requests to detect IPv4 protocol stack users. If IPv4 protocol stack users and the interface are in different subnets, only ICMP request packets can be used for detection.

After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets before the detection timer expires, it sends a detection packet to the user.

·          If the BRAS receives user packets within the maximum detection attempts, the BRAS assumes that the user is online. It resets the detection timer, and starts the next detection attempt.

·          If the BRAS receives no user packets after detection attempts reach the maximum, the BRAS assumes the user is offline and deletes the session.

Do not configure both ARP and ICMP detection methods to detect the IPv4 protocol stack users.

The IPv4 protocol stack in this command includes the single IPv4 protocol stack and the IPv4 stack in the dual stack. For the single IPv4 protocol stack, this feature supports only leased subusers in Layer 2 access mode and individual users. For the dual stack, this feature supports only individual users.

Examples

# Configure online detection for IPv4 protocol stack users on GigabitEthernet 3/1/1. The maximum number of detection attempts is 5 after the first failure, the detection timer is 100 seconds, and the detection packet type is ARP.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber user-detect ip arp retry 5 interval 100

Related commands

ip subscriber enable

ip subscriber user-detect ipv6

Use ip subscriber user-detect ipv6 to configure online detection for IPv6 protocol stack users.

Use undo ip subscriber user-detect ipv6 to disable online detection for IPv6 protocol stack users.

Syntax

ip subscriber user-detect ipv6 { icmp | nd } retry retries interval interval [ no-datacheck ]

undo ip subscriber user-detect ipv6

Default

For leased subusers, no matter whether user uplink traffic is updated within a detection timer period, the BRAS sends packets to detect the online status of users after the detection timer expires.

For other users, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period. If user uplink traffic is not updated within a detection timer period, the BRAS uses the ND NS packets to detect IPv6 protocol stack users.

The BRAS performs a maximum of five detection attempts after the first detection failure. The detection timer is 120 seconds.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

icmp: Specifies ICMPv6 request packets as detection packets. For detection to succeed when this keyword is specified, you must configure a global unicast address on the access interface.

nd: Specifies the NS packets of the ND protocol as detection packets.

retry retries: Specifies the maximum number of detection attempts following the first detection attempt, in the range of 2 to 255.

interval interval: Configures the detection timer in the range of 30 to 1200 seconds.

no-datacheck: Specifies sending detection packets after the detection timer expires no matter whether user uplink traffic is updated within a detection timer period. If this keyword is not specified, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period. Otherwise, detection packets are sent. When the accounting mode is merge for dual-stack users, the sum of IPv4 uplink traffic and IPv6 uplink traffic is used to determine whether the user uplink traffic is updated. This keyword does not take effect on leased subusers.

Usage guidelines

Online detection enables the BRAS to periodically detect the status of an IPv6 protocol stack user. It uses NS packets of the ND protocol or ICMPv6 requests to detect IPv6 protocol stack users. If IPv6 protocol stack users and the interface are in different subnets, only ICMPv6 request packets can be used for detection.

After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets before the detection timer expires, it sends a detection packet to the user.

·          If the BRAS receives user packets within the maximum detection attempts, the BRAS assumes that the user is online. It resets the detection timer, and starts the next detection attempt.

·          If the BRAS receives no user packets after detection attempts reach the maximum, the BRAS assumes the user is offline and deletes the session.

Do not configure both ICMPv6 and ND detection methods to detect the IPv6 protocol stack users.

The IPv6 protocol stack in this command includes the single IPv6 protocol stack and the IPv6 stack in the dual stack. For the single IPv6 protocol stack, this feature supports only leased subusers in Layer 2 access mode and individual users. For the dual stack, this feature supports only individual users.

Examples

# Configure online detection for IPv6 protocol stack users on GigabitEthernet 3/1/1. The maximum number of detection attempts is 3 after the first failure, the detection timer is 50 seconds, and the detection packet type is ND.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber user-detect ipv6 nd retry 3 interval 50

Related commands

ip subscriber enable

ip subscriber user-policy interface-down

ip subscriber user-policy interface-down

Use ip subscriber user-policy interface-down to configure the interface-down policy for IPoE users on an interface.

Use undo ip subscriber user-policy interface-down to restore the default.

Syntax

ip subscriber user-policy interface-down online [ no-user-detect ]

undo ip subscriber user-policy interface-down

Default

IPoE users on an interface are forced to go offline after the interface goes down.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

online: Keeps the users online after the interface goes down.

no-user-detect: Disables online detection when the interface goes down. If you do not specify this keyword, online detection still takes effect when the interface goes down and forces users to go offline when the detection fails.

Usage guidelines

To prevent users from frequently coming online and going offline because the interface frequently comes up and goes down, you can use this command to keep users online after the interface goes down.

To prevent users from being forced to go offline because online detection fails during the period of restoring a down interface to the up state, specify the no-user-detect keyword in this command.

Examples

# Allow IPoE users on GigabitEthernet 3/1/1 to stay online after the interface goes down.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber user-policy interface-down online

Related commands

ip subscriber user-detect ip

ip subscriber user-detect ipv6

ip subscriber vlan

Use ip subscriber vlan to bind an ISP domain to IPoE users who send packets with the specified VLAN IDs.

Use undo ip subscriber vlan to remove the binding between an ISP domain and IPoE users who send packets with the specified VLAN IDs.

Syntax

ip subscriber vlan vlan-list domain domain-name

undo ip subscriber vlan vlan-list

Default

No ISP domain is bound to IPoE users who send packets with the specified VLAN IDs.

Views

Layer 3 aggregate subinterface view

Layer 3 Ethernet subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN ID items. Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The VLAN ID is in the range of 1 to 4094.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command configures an ISP domain for DHCP users, unclassified-IP users, and static individual users who send IP packets with the specified VLAN IDs.

For how an ISP domain is selected for a DHCP user, see the ip subscriber dhcp domain command.

For how an ISP domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.

For how an ISP domain is selected for an IPoE static user, see the ip subscriber session static command.

For how an ISP domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an ISP domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

For how an ISP domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.

For the ip subscriber vlan command to take effect, you must first execute the ip subscriber service-identify { second-vlan | vlan } command to configure the corresponding service identifier.

Examples

# Configure an ISP domain for users who send IP packets with VLAN IDs 2 to 100 on GigabitEthernet 3/1/1.100.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1.100

[Sysname-GigabitEthernet3/1/1.100] ip subscriber service-identify second-vlan

[Sysname-GigabitEthernet3/1/1.100] ip subscriber vlan 2 to 100 domain vlandm

Related commands

ip subscriber service-identify

ip subscriber web-auth domain

Use ip subscriber web-auth domain to configure the domain for Web authentication.

Use undo ip subscriber web-auth domain to restore the default.

Syntax

ip subscriber web-auth domain domain-name

undo ip subscriber web-auth domain

Default

No domain is configured for Web authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

When Web MAC authentication is configured with multiple types of domains, a domain is selected in the following order during the Web authentication phase:

1.        If the ip subscriber web-auth domain command is used to specify a Web authentication domain, the device first obtains the domain in the username and operates as follows:

·          If the username carries a domain and the carried domain exists, the domain carried in the username is used. If the domain does not exist, proceed with step 2.

·          If the username does not carry a domain, the Web authentication domain specified by using the ip subscriber web-auth domain command is used. If the specified domain does not exist, proceed with step 2.

If no domain is specified for Web authentication, proceed with step 2.

2.        ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For how an ISP domain is selected during the Web authentication phase when Web MAC authentication is used, see the ip subscriber mac-auth domain command.

The ISP domain configured for Web authentication applies to only individual users using Web authentication and Web MAC authentication during the Web authentication phase.

The ISP domain modification for Web authentication takes effect only on new users.
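The selection order above, written out as an added example (not H3C code) so the precedence can be checked against a list of usernames before a domain is bound to an interface. The user@domain username format, the function names, and the sample domains and usernames are assumptions; step 2 (AAA module selection) is not modelled and is reported as "aaa".

```python
from typing import Iterable, List, NamedTuple, Optional


class Selection(NamedTuple):
    domain: Optional[str]   # None: the choice is left to the AAA module (step 2)
    source: str             # "username", "web-auth" or "aaa"


def carried_domain(username: str) -> Optional[str]:
    """Return the domain carried in a username, or None.

    ASSUMPTION: the domain is carried as user@domain. This is consistent with
    the rule that a domain name cannot contain the at sign, but the delimiter
    itself is not stated in this section.
    """
    name, sep, domain = username.rpartition("@")
    return domain if sep and name and domain else None


def select_web_auth_domain(username: str,
                           web_auth_domain: Optional[str],
                           existing_domains: Iterable[str]) -> Selection:
    """Apply step 1 of the selection order; fall through to step 2 otherwise."""
    # ISP domain names are case-insensitive, so compare in lower case.
    known = {d.lower(): d for d in existing_domains}
    if web_auth_domain is not None:          # ip subscriber web-auth domain is set
        carried = carried_domain(username)
        if carried is not None:
            match = known.get(carried.lower())
            # An existing carried domain wins over the interface setting.
            return Selection(match, "username") if match else Selection(None, "aaa")
        match = known.get(web_auth_domain.lower())
        if match:
            return Selection(match, "web-auth")
    return Selection(None, "aaa")            # step 2: ISP domain selected by AAA


def outside_interface_domain(usernames: Iterable[str],
                             web_auth_domain: Optional[str],
                             existing_domains: Iterable[str]) -> List[str]:
    """List usernames that will NOT be authenticated in the interface's domain."""
    existing = list(existing_domains)
    return [u for u in usernames
            if select_web_auth_domain(u, web_auth_domain, existing).source != "web-auth"]


# Constructed sample data (not from a real device).
EXISTING_DOMAINS = ["dm1", "guest"]
SAMPLE_USERNAMES = ["alice", "bob@GUEST", "carol@nosuch"]

if __name__ == "__main__":
    for user in SAMPLE_USERNAMES:
        print(user, select_web_auth_domain(user, "dm1", EXISTING_DOMAINS))
    print(outside_interface_domain(SAMPLE_USERNAMES, "dm1", EXISTING_DOMAINS))
```

A username that carries an existing domain is authenticated in that domain even when a different Web authentication domain is configured on the interface, so the policy attached to every existing ISP domain matters, not only the one named in the command.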

Examples

# Specify ISP domain dm1 for Web authentication on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] ip subscriber web-auth domain dm1

Related commands

ip subscriber authentication-method

ip subscriber mac-auth domain

reset ip subscriber abnormal-logout

Use reset ip subscriber abnormal-logout to clear information about abnormally logged out DHCP users.

Syntax

In standalone mode:

reset ip subscriber abnormal-logout [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

reset ip subscriber abnormal-logout [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears information about abnormally logged out DHCP users for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command clears information about abnormally logged out DHCP users for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information about abnormally logged out DHCP users for all cards. (In IRF mode.)

Usage guidelines

This command clears information about abnormally logged out DHCP users. If you do not specify any option, this command clears information about all abnormally logged out DHCP users.

Examples

# Clear information about abnormally logged out DHCP users on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber abnormal-logout interface gigabitethernet 3/1/1

Related commands

display ip subscriber abnormal-logout

reset ip subscriber interface-leased

Use reset ip subscriber interface-leased to initialize or delete interface-leased user sessions and log out users.

Syntax

reset ip subscriber interface-leased [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command initializes or deletes interface-leased user sessions for all interfaces.

Usage guidelines

This command initializes interface-leased user sessions and logs out users on the interface. The BRAS automatically reauthenticates the users by the usernames and passwords configured by using the ip subscriber interface-leased command.

Examples

# Initialize or delete interface-leased user sessions and log out the users on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber interface-leased interface gigabitethernet 3/1/1

Related commands

display ip subscriber interface-leased

reset ip subscriber interface-leased user

Use reset ip subscriber interface-leased user to delete interface-leased subuser sessions and log out the subusers.

Syntax

reset ip subscriber interface-leased user [ interface interface-type interface-number [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command deletes interface-leased subuser sessions for all interfaces.

ip ipv4-address: Specifies the source IPv4 address of an IPv4 interface-leased subuser.

ipv6 ipv6-address: Specifies the source IPv6 address of an IPv6 interface-leased subuser.

mac mac-address: Specifies the source MAC address of an interface-leased subuser, in the format of H-H-H.

s-vlan svlan-id: Specifies the service provider VLAN ID of an interface-leased user. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an interface-leased user. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an interface-leased user. The value range for the vxlan-id argument is 0 to 16777215.

Usage guidelines

This command takes effect only in Layer 2 access mode.

If you do not specify any parameters, this command deletes interface-leased subuser sessions and logs out subusers.

Examples

# Delete interface-leased subuser sessions and log out the subusers on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber interface-leased user interface gigabitethernet 3/1/1

Related commands

display ip subscriber interface-leased user

reset ip subscriber interface-leased user ip-type

Use reset ip subscriber interface-leased user ip-type to delete interface-leased subuser sessions of the specified IP protocol type and log out the subusers.

Syntax

reset ip subscriber interface-leased user ip-type { ipv4 | ipv6 } [ interface interface-type interface-number [ mac mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 IPoE interface-leased subusers.

ipv6: Specifies IPv6 IPoE interface-leased subusers.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command deletes interface-leased subuser sessions of the specified IP protocol type for all interfaces.

mac mac-address: Specifies the source MAC address of an interface-leased subuser, in the format of H-H-H. If you do not specify a MAC address, this command deletes all interface-leased subuser sessions of the specified IP protocol type on the specified interface.

s-vlan svlan-id: Specifies the service provider VLAN ID of an interface-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of an interface-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of an interface-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

Usage guidelines

This command takes effect only in Layer 2 access mode.

If you do not specify any parameters, this command deletes interface-leased subuser sessions of the specified IP protocol type and logs out subusers.

Examples

# Delete IPv4 interface-leased subuser sessions and log out the subusers on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber interface-leased user ip-type ipv4 interface gigabitethernet 3/1/1

Related commands

display ip subscriber interface-leased user

reset ip subscriber offline statistics

Use reset ip subscriber offline statistics to remove offline statistics for users.

Syntax

reset ip subscriber offline statistics [ ip-type { ipv4 | ipv6 } ] [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ip-type: Specifies an IP protocol type. If you do not specify an IP protocol type, this command removes offline statistics for users of any IP protocol type.

ipv4: Specifies IPv4 IPoE users.

ipv6: Specifies IPv6 IPoE users.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command removes offline statistics for users for all interfaces.

Examples

# Remove offline statistics for all users on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber offline statistics interface gigabitethernet 3/1/1

Related commands

display ip subscriber offline statistics

reset ip subscriber session

Use reset ip subscriber session to delete IPoE dynamic individual sessions and global static individual sessions, initialize interface-level static individual sessions, and log out users.

Syntax

reset ip subscriber session [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ] [ { { domain domain-name | mac mac-address | username name } | ip-type { ipv4 | ipv6 | dual-stack } } * | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command performs the operation for all interfaces.

s-vlan svlan-id: Specifies the service provider VLAN ID of the IPoE sessions to be deleted. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of the IPoE sessions to be deleted. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of the IPoE sessions to be deleted. The value range for the vxlan-id argument is 0 to 16777215.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

mac mac-address: Specifies the MAC address of an IPoE session to be deleted, in the format of H-H-H.

username name: Specifies the username of the IPoE session to be deleted, a case-sensitive string of 1 to 255 characters.

ip-type: Specifies the IP protocol type of the IPoE sessions to be deleted. If you do not specify an IP protocol, this command performs the operation for sessions of any IP protocol type.

ipv4: Specifies IPv4 sessions.

ipv6: Specifies IPv6 sessions.

dual-stack: Specifies dual-stack sessions.

ip ipv4-address: Specifies the IPv4 address of an IPoE session to be deleted.

ipv6 ipv6-address: Specifies the IPv6 address of an IPoE session to be deleted.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command performs the operation on the public network.

Usage guidelines

This command deletes dynamic individual sessions and global static individual sessions, initializes interface-level static individual sessions, and logs out the users. If you do not specify any parameters, this command deletes all dynamic individual sessions and global static individual sessions and initializes all interface-level static individual sessions.

Examples

# Delete dynamic individual sessions and global static individual sessions, initialize interface-level static individual sessions on GigabitEthernet 3/1/1, and log out the users.

<Sysname> reset ip subscriber session interface gigabitethernet 3/1/1

Related commands

display ip subscriber session

reset ip subscriber subnet-leased

Use reset ip subscriber subnet-leased to initialize or delete subnet-leased user sessions.

Syntax

reset ip subscriber subnet-leased [ interface interface-type interface-number ] [ { ip ipv4-address mask-length | ipv6 ipv6-address prefix-length } | ip-type { ipv4 | ipv6 } ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command initializes or deletes subnet-leased user sessions for all interfaces.

ip ipv4-address mask-length: Specifies an IPv4 subnet by an IPv4 address and its mask length. The mask length is in the range of 1 to 31.

ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet by an IPv6 address and its prefix length. The prefix length is in the range of 1 to 127.

ip-type: Specifies an IP protocol type. If you do not specify an IP protocol type, this command initializes or deletes IPoE subnet-leased user sessions of any IP protocol type.

ipv4: Specifies IPv4 IPoE subnet-leased users.

ipv6: Specifies IPv6 IPoE subnet-leased users.

Usage guidelines

This command initializes subnet-leased user sessions and logs out the users. The BRAS automatically reauthenticates the users by the usernames and passwords configured by using the ip subscriber subnet-leased command.

Examples

# Initialize or delete subnet-leased user sessions and log out the users on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber subnet-leased interface gigabitethernet 3/1/1

Related commands

display ip subscriber subnet-leased

reset ip subscriber subnet-leased user

Use reset ip subscriber subnet-leased user to delete IPoE subnet-leased subuser sessions and log out the subusers.

Syntax

reset ip subscriber subnet-leased user [ interface interface-type interface-number [ ip { ipv4-address mask-length | ipv4-address } | ipv6 { ipv6-address prefix-length | ipv6-address } | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command deletes IPoE subnet-leased subuser sessions for all interfaces.

ip ipv4-address mask-length: Specifies an IPv4 subnet by an IPv4 address and a mask length in the range of 1 to 31.

ip ipv4-address: Specifies the source IPv4 address of an IPv4 subnet-leased subuser.

ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet by an IPv6 address and a prefix length in the range of 1 to 127.

ipv6 ipv6-address: Specifies the source IPv6 address of an IPv6 subnet-leased subuser.

s-vlan svlan-id: Specifies the service provider VLAN ID of a subnet-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of a subnet-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of a subnet-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

Usage guidelines

This command takes effect only in Layer 2 access mode.

If you do not specify any parameters, this command deletes subnet-leased subuser sessions and logs out subusers.

Examples

# Delete subnet-leased subuser sessions and log out the subusers on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber subnet-leased user interface gigabitethernet 3/1/1

Related commands

display ip subscriber subnet-leased user

reset ip subscriber subnet-leased user ip-type

Use reset ip subscriber subnet-leased user ip-type to delete IPoE subnet-leased subuser sessions of the specified IP protocol type and log out the subusers.

Syntax

reset ip subscriber subnet-leased user ip-type { ipv4 | ipv6 } [ interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] ] [ vxlan vxlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 IPoE users.

ipv6: Specifies IPv6 IPoE users.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command deletes IPoE subnet-leased subuser sessions for all interfaces.

s-vlan svlan-id: Specifies the service provider VLAN ID of a subnet-leased subuser. The value range for the svlan-id argument is 1 to 4094.

c-vlan cvlan-id: Specifies the customer VLAN ID of a subnet-leased subuser. The value range for the cvlan-id argument is 1 to 4094.

vxlan vxlan-id: Specifies the VXLAN ID of a subnet-leased subuser. The value range for the vxlan-id argument is 0 to 16777215.

Usage guidelines

This command takes effect only in Layer 2 access mode.

Examples

# Delete IPv4 subnet-leased subuser sessions and log out the subusers on GigabitEthernet 3/1/1.

<Sysname> reset ip subscriber subnet-leased user ip-type ipv4 interface gigabitethernet 3/1/1

Related commands

display ip subscriber subnet-leased user ip-type

slot-user-warning-threshold

Use slot-user-warning-threshold to configure the per-slot user count alarm threshold.

Use undo slot-user-warning-threshold to restore the default.

Syntax

slot-user-warning-threshold threshold-value

undo slot-user-warning-threshold

Default

The per-slot user count alarm threshold is 100.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the per-slot user count alarm threshold in percentage (the percentage of the user count on a slot to the per-slot maximum user count allowed), in the range of 1 to 100.

Usage guidelines

You can use this command to set the per-slot user count alarm threshold. When the user count on a slot exceeds the threshold, an alarm is triggered automatically, so that the administrator can promptly learn the online user status of the network.

This feature counts only the number of IPoE users and PPPoE users.

·          A dual-stack PPPoE user is counted as one user.

·          A dual-stack IPoE user is counted as two users.

·          For IPoE leased users, one interface-leased user is counted as two users, and one subnet-leased user is counted as one user.

·          For IPoE leased subusers, one subuser is counted as one user.

Suppose the per-slot maximum user count allowed is a and the per-slot user count alarm threshold is b. The following rules apply:

·          When the user count on a slot exceeds a×b, the alarm information is output.

·          When the user count on a slot drops within the normal range, the alarm clearing information is output.

In some special cases, the user count on a slot frequently changes in the critical range, which causes frequent output of alarm information and alarm clearing information. To avoid this problem, the system introduces a buffer area when the user count on a slot drops below the threshold. The buffer area size is 10% of the threshold set. Suppose the buffer area size is c. Then, c=a×b÷10. When the user count on a slot drops below a×b-c, the alarm clearing information is output.

For example, suppose a is 1000 and b is 80%. Then, c= a×b÷10=1000×80%÷10=80.

·          When the user count on a slot exceeds a×b=1000×80%=800, the alarm information is output.

·          When the user count on a slot drops below a×b-c=800-80=720, the alarm clearing information is output.
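The counting rules and the buffered alarm clearing described above, as an added example (not H3C code) that replays a constructed series of per-slot user counts. The class and function names are hypothetical, and the buffered=False mode is included only to show the repeated alarm output that the buffer area avoids.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Per-user weights stated in the usage guidelines above.
USER_WEIGHTS = {
    "pppoe_dual_stack": 1,
    "ipoe_dual_stack": 2,
    "ipoe_interface_leased": 2,
    "ipoe_subnet_leased": 1,
    "ipoe_leased_subuser": 1,
}


def weighted_user_count(users: Dict[str, int]) -> int:
    """Apply the counting rules to a {user kind: number of users} mapping."""
    return sum(USER_WEIGHTS[kind] * n for kind, n in users.items())


@dataclass
class SlotAlarm:
    max_users: int          # a: per-slot maximum user count allowed
    threshold_pct: int      # b: slot-user-warning-threshold value, 1 to 100
    buffered: bool = True   # False: clear without the buffer area (comparison only)
    active: bool = False

    def __post_init__(self) -> None:
        if not 1 <= self.threshold_pct <= 100:
            raise ValueError("threshold-value must be in the range of 1 to 100")

    def update(self, count: int) -> str:
        """Feed one user-count sample; return 'alarm', 'clear' or ''."""
        ab_x100 = self.max_users * self.threshold_pct   # a*b scaled by 100
        if not self.active:
            if count * 100 > ab_x100:                    # count > a*b
                self.active = True
                return "alarm"
            return ""
        if self.buffered:
            # c = a*b/10, so a*b - c = 0.9*a*b; kept in integers to stay exact.
            cleared = count * 1000 < 9 * ab_x100         # count < a*b - c
        else:
            cleared = count * 100 <= ab_x100             # back within a*b
        if cleared:
            self.active = False
            return "clear"
        return ""


def replay(counts: Sequence[int], max_users: int, threshold_pct: int,
           buffered: bool = True) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every alarm or clearing output."""
    alarm = SlotAlarm(max_users, threshold_pct, buffered)
    events = []
    for index, count in enumerate(counts):
        event = alarm.update(count)
        if event:
            events.append((index, event))
    return events


# Constructed sample: a slot hovering around a*b = 800 (a = 1000, b = 80).
SAMPLE_COUNTS = [790, 801, 795, 760, 800, 805, 720, 719, 750, 801]

if __name__ == "__main__":
    print("with buffer:   ", replay(SAMPLE_COUNTS, 1000, 80))
    print("without buffer:", replay(SAMPLE_COUNTS, 1000, 80, buffered=False))
```

With the buffer area the sample produces three outputs; without it the same counts produce five, which is the flapping the 10% buffer is there to suppress.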

Both the alarm information and the alarm clearing information are output as logs and traps. For traps to be correctly sent to the NMS host, you must execute the snmp-agent trap enable slot-user-warning-threshold command in addition to configuring the SNMP alarm feature correctly.

Examples

# Set the per-slot user count threshold to 80.

<Sysname> system-view

[Sysname] slot-user-warning-threshold 80

Related commands

snmp-agent trap enable slot-user-warning-threshold

snmp-agent trap enable slot-user-warning-threshold

Use snmp-agent trap enable slot-user-warning-threshold to enable the per-slot user count trap feature.

Use undo snmp-agent trap enable slot-user-warning-threshold to disable the per-slot user count trap feature.

Syntax

snmp-agent trap enable slot-user-warning-threshold

undo snmp-agent trap enable slot-user-warning-threshold

Default

The per-slot user count trap feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With the per-slot user count trap feature enabled, when the user count on a slot exceeds the set threshold or drops within the normal range, a trap is generated. The generated trap will be sent to the SNMP module of the device. You can set the trap sending parameters in SNMP to determine how the traps are output. For more information about traps, see Network Management and Monitoring Configuration Guide.

This feature takes effect only when the per-slot user count alarm threshold is set.

Examples

# Enable the per-slot user count trap feature.

<Sysname> system-view

[Sysname] snmp-agent trap enable slot-user-warning-threshold

Related commands

slot-user-warning-threshold

trace access-user

Use trace access-user to create a service tracing object.

Use undo trace access-user to delete a service tracing object.

Syntax

trace access-user object object-id { access-mode ipoe | c-vlan vlan-id | interface interface-type interface-number | ip-address ip-address | mac-address mac-address | s-vlan vlan-id | username user-name } * [ aging time | output { file file-name | syslog-server server-ip-address | vty } ] *

undo trace access-user { all | object object-id }

Default

No service tracing object exists.

Views

System view

Predefined user roles

network-admin

Parameters

object object-id: Specifies a service tracing object ID, in the range of 1 to 5.

access-mode ipoe: Creates a service tracing object based on the IPoE access mode.

c-vlan vlan-id: Creates a service tracing object based on an inner VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Creates a service tracing object based on the specified interface. With this option specified, the service tracing object becomes ineffective when the slot or subslot that hosts the specified interface is rebooted.

ip-address ip-address: Creates a service tracing object based on an IP address.

mac-address mac-address: Creates a service tracing object based on a MAC address.

s-vlan vlan-id: Creates a service tracing object based on an outer VLAN ID in the range of 1 to 4094.

username user-name: Creates a service tracing object based on a username, a case-sensitive string of 1 to 253 characters.

aging time: Specifies the maximum length of the tracing time in the range of 0 to 60 minutes. The default is 15. The tracing time is calculated from the time when this command is configured. The service object is no longer traced after the tracing time expires. The value of 0 indicates that the tracing time never expires and the device will always trace the service object. To stop tracing a service object, delete the service tracing object by using the undo form or shut down the VTY where the command is executed.

output: Specifies the location to which the service tracing object information is output. By default, the service tracing object information is output to the VTY monitor terminal.

file file-name: Outputs the service tracing information to a file in the root directory of the flash storage medium on the device. The file-name argument represents the name of the file storing the service tracing information in the storage medium, a case-sensitive string of 1 to 63 characters.

syslog-server server-ip-address: Outputs the service tracing information to the log server specified by its IP address.

vty: Outputs the service tracing information to the current VTY monitor terminal.

all: Specifies all service tracing objects.

Usage guidelines

You can create service tracing objects to trace access user information, such as login and logout information. By specifying match parameters, you can trace the specific access users.

This command is resource intensive. As a best practice, use this command only when troubleshooting devices.

When the syslog-server server-ip-address option is specified, make sure the device and the specified log server can reach each other and the log server configuration is correct.

An active/standby switchover causes the command to be ineffective.

Examples

# Create service tracing object 1.

<Sysname> system-view

[Sysname] trace access-user object 1 access-mode ipoe interface gigabitethernet 3/1/1.1 ip-address 1.1.1.2 mac-address 1-2-3 c-vlan 2 s-vlan 3

Related commands

display trace access-user

 
