05-Layer 2—WAN Access Configuration Guide

HomeSupportResource CenterNFVH3C VSRH3C VSRTechnical DocumentsConfigure & DeployConfiguration GuidesH3C VSR Series Virtual Services Routers Configuration Guides(V7)-R0621-6W30005-Layer 2—WAN Access Configuration Guide
01-PPP configuration
Title Size Download
01-PPP configuration 299.66 KB

Contents

Configuring PPP·· 1

About PPP· 1

PPP protocols· 1

PPP link establishment process· 1

PPP authentication· 2

PPP for IPv4· 3

PPP for IPv6· 3

Protocols and standards· 4

PPP tasks at a glance· 4

Configuring PPP authentication· 5

About PPP authentication· 5

Configuring PAP authentication· 5

Configuring CHAP authentication (authenticator name is configured) 6

Configuring CHAP authentication (authenticator name is not configured) 7

Configuring MS-CHAP or MS-CHAP-V2 authentication· 8

Configuring the polling feature· 8

Configuring PPP negotiation· 9

Configuring the PPP negotiation timeout time· 9

Configuring IP address negotiation on the client 10

Configuring IP address negotiation on the server 10

Enabling IP segment match· 13

Configuring DNS server IP address negotiation on the client 14

Configuring DNS server IP address negotiation on the server 14

Configuring ACFC negotiation· 14

Configuring PFC negotiation· 15

Enabling IP header compression· 16

Configuring the NAS-Port-Type attribute· 17

Enabling PPP accounting· 17

Enabling PPP user logging· 18

Display and maintenance commands for PPP· 18

Configuring PPPoE·· 20

About PPPoE· 20

PPPoE network structure· 20

Protocols and standards· 21

Configuring a PPPoE client 21

Operation mode· 21

PPPoE client tasks at a glance· 21

Configuring a dialer interface· 22

Configuring a PPPoE session· 23

Resetting a PPPoE session· 23

Display and maintenance commands for PPPoE· 23

Display and maintenance commands for PPPoE client 23

PPPoE configuration examples· 24

Example: Configuring a PPPoE client in permanent mode· 24

Example: Configuring a PPPoE client in on-demand mode· 25

Example: Configuring a PPPoE client in diagnostic mode· 26

 


Configuring PPP

About PPP

Point-to-Point Protocol (PPP) is a point-to-point link layer protocol. It provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.

PPP protocols

PPP includes the following protocols:

·     Link control protocol (LCP)—Establishes, tears down, and monitors data links.

·     Network control protocol (NCP)—Negotiates the packet format and type for data links.

·     Authentication protocols—Authenticate users. Protocols include the following:

¡     Password Authentication Protocol (PAP).

¡     Challenge Handshake Authentication Protocol (CHAP).

¡     Microsoft CHAP (MS-CHAP).

¡     Microsoft CHAP Version 2 (MS-CHAP-V2).

PPP link establishment process

Figure 1 shows the PPP link establishment process.

Figure 1 PPP link establishment process

1.     Initially, PPP is in Link Dead phase. After the physical layer goes up, PPP enters the Link Establishment phase (Establish).

2.     In the Link Establishment phase, the LCP negotiation is performed. The LCP configuration options include Authentication-Protocol, Async-Control-Character-Map (ACCM), Maximum-Receive-Unit (MRU), Magic-Number, Protocol-Field-Compression (PFC), Address-and-Control-Field-Compression (ACFC), and MP.

¡     If the negotiation fails, LCP reports a Fail event, and PPP returns to the Dead phase.

¡     If the negotiation succeeds, LCP enters the Opened state and reports an Up event, indicating that the underlying layer link has been established. At this time, the PPP link is not established for the network layer, and network layer packets cannot be transmitted over the link.

3.     If authentication is configured, the PPP link enters the Authentication phase, where PAP, CHAP, MS-CHAP, or MS-CHAP-V2 authentication is performed.

¡     If the client fails to pass the authentication, LCP reports a Fail event and enters the Link Termination phase. In this phase, the link is torn down and LCP goes down.

¡     If the client passes the authentication, LCP reports a Success event.

4.     If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for NCP negotiation, such as IPCP negotiation and IPv6CP negotiation.

¡     If the NCP negotiation succeeds, the link goes up and becomes ready to carry negotiated network-layer protocol packets.

¡     If the NCP negotiation fails, NCP reports a Down event and enters the Link Termination phase.

If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP configuration options include IP addresses and DNS server IP addresses. After the IPCP negotiation succeeds, the link can carry IP packets.

5.     After the NCP negotiation is performed, the PPP link remains active until either of the following events occurs:

¡     Explicit LCP or NCP frames close the link.

¡     Some external events take place (for example, the intervention of a user).

PPP authentication

PPP supports the following authentication methods:

PAP

PAP is a two-way handshake authentication protocol using the username and password.

PAP sends username/password pairs in plain text over the network. If authentication packets are intercepted in transit, network security might be threatened. For this reason, it is suitable only for low-security environments.

CHAP

CHAP is a three-way handshake authentication protocol.

CHAP transmits usernames but not passwords over the network. It transmits the result calculated from the password and random packet ID by using the MD5 algorithm. It is more secure than PAP. The authenticator may or may not be configured with a username. As a best practice, configure a username for the authenticator, which makes it easier for the peer to verify the identity of the authenticator.

MS-CHAP

MS-CHAP is a three-way handshake authentication protocol.

MS-CHAP differs from CHAP as follows:

·     MS-CHAP uses CHAP Algorithm 0x80.

·     MS-CHAP provides authentication retry. If the peer fails authentication, it is allowed to retransmit authentication information to the authenticator for reauthentication. The authenticator allows a peer to retransmit a maximum of three times.

MS-CHAP-V2

MS-CHAP-V2 is a three-way handshake authentication protocol.

MS-CHAP-V2 differs from CHAP as follows:

·     MS-CHAP-V2 uses CHAP Algorithm 0x81.

·     MS-CHAP-V2 provides two-way authentication by piggybacking a peer challenge on the Response packet and an authenticator response on the Acknowledge packet.

·     MS-CHAP-V2 supports authentication retry. If the peer fails authentication, it is allowed to retransmit authentication information to the authenticator for reauthentication. The authenticator allows a peer to retransmit a maximum of three times.

·     MS-CHAP-V2 supports password change. If the peer fails authentication because of an expired password, it will send the new password entered by the user to the authenticator for reauthentication.

PPP for IPv4

On IPv4 networks, PPP negotiates the IP address and DNS server address during IPCP negotiation.

IP address negotiation

IP address negotiation enables one end to assign an IP address to the other.

An interface can act as a client or a server during IP address negotiation:

·     Client—Obtains an IP address from the server. Use the client mode when the device accesses the Internet through an ISP.

·     Server—Assigns an IP address to the client. Before you configure the IP address of the server, you must perform one of the following tasks:

¡     Configure a local address pool and associate the pool with the ISP domain.

¡     Specify an IP address or an address pool for the client on the interface.

When IP address negotiation is enabled on a client, the server selects an IP address for the client in the following sequence:

1.     If the AAA server configures an IP address or address pool for the client, the server selects that IP address or an IP address from the pool. The IP address or address pool is configured on the AAA server instead of the PPP server. For information about AAA, see Security Configuration Guide.

2.     If an address pool is associated with the ISP domain used during client authentication, the server selects an IP address from the pool.

3.     If an IP address or address pool is specified for the client on the interface of the server, the server selects that IP address or an IP address from that pool.

DNS server address negotiation

IPCP negotiation can determine the DNS server IP address.

When the device is connected to a host, configure the device as the server to assign the DNS server IP address to the host.

When the device is connected to an ISP access server, configure the device as the client. Then, the device can obtain the DNS server IP address from the ISP access server.

PPP for IPv6

On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and IPv6 DNS server address during IPv6CP negotiation.

IPv6 address assignment

PPP cannot negotiate the IPv6 address.

The client can get an IPv6 global unicast address through the following methods:

·     Method 1—The client obtains an IPv6 prefix in an RA message. The client then generates an IPv6 global unicast address by combining the IPv6 prefix and the negotiated IPv6 interface identifier. The IPv6 prefix in the RA message is determined in the following sequence:

¡     IPv6 prefix authorized by AAA.

¡     RA prefix configured on the interface.

¡     Prefix of the IPv6 global unicast address configured on the interface.

For information about the ND protocol, see Layer 3—IP Services Configuration Guide.

·     Method 2—The client requests an IPv6 global unicast address through DHCPv6. The server assigns an IPv6 address to the client from the address pool authorized by AAA. If no AAA-authorized address pool exists, DHCPv6 uses the address pool that matches the server's IPv6 address to assign an IPv6 address to the client. For information about DHCPv6, see Layer 3—IP Services Configuration Guide.

·     Method 3—The client requests prefixes through DHCPv6 and assigns them to downstream hosts. The hosts then uses the prefixes to generate global IPv6 addresses. This method uses the same principle of selecting address pools as method 2.

The device can assign a host an IPv6 address in either of the following ways:

·     When the host connects to the device directly or through a bridge device, the device can use method 1 or method 2.

·     When the host accesses the device through a router, the device can use method 3 to assign an IPv6 prefix to the router. The router assigns the prefix to the host to generate an IPv6 global unicast address.

IPv6 DNS server address assignment

On IPv6 networks, two methods are available for the IPv6 DNS address assignment:

·     AAA authorizes the IPv6 DNS address and assigns this address to the host through RA messages.

·     The DHCPv6 client requests an IPv6 DNS address from the DHCPv6 server.

Protocols and standards

RFC 1661: The Point-to-Point Protocol (PPP)

PPP tasks at a glance

To configure PPP, perform the following tasks:

1.     Configuring PPP authentication

Choose one of the following tasks:

¡     Configuring PAP authentication

¡     Configuring CHAP authentication (authenticator name is configured)

¡     Configuring CHAP authentication (authenticator name is not configured)

¡     Configuring MS-CHAP or MS-CHAP-V2 authentication

Configure PPP authentication for high-security environments.

2.     (Optional.) Configuring the polling feature

3.     (Optional.) Configuring PPP negotiation

¡     Configuring the PPP negotiation timeout time

¡     Configuring IP address negotiation on the client

¡     Configuring IP address negotiation on the server

¡     Enabling IP segment match

¡     Configuring DNS server IP address negotiation on the client

¡     Configuring DNS server IP address negotiation on the server

¡     Configuring ACFC negotiation

¡     Configuring PFC negotiation

4.     (Optional.) Enabling IP header compression

IPHC is often used for voice communications over low-speed links.

5.     (Optional.) Configuring the NAS-Port-Type attribute

6.     (Optional.) Enabling PPP accounting

7.     (Optional.) Enabling PPP user logging

Configuring PPP authentication

About PPP authentication

You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the peer in the sequence of configured authentication modes until the LCP negotiation succeeds. If the response packet from the peer carries a recommended authentication mode, the authenticator directly uses the authentication mode if it finds the mode configured.

Configuring PAP authentication

Restrictions and guidelines for PAP authentication

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

The username and password configured for the peer must be the same as those configured on the peer by using the ppp pap local-user command.

Configuring the authenticator

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the authenticator to authenticate the peer by using PAP.

ppp authentication-mode pap [ [ call-in ] domain { isp-name | default enable isp-name } ]

By default, PPP authentication is disabled.

4.     Configure local or remote AAA authentication.

For more information about AAA authentication, see Security Configuration Guide.

Configuring the peer

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the PAP username and password sent from the peer to the authenticator when the peer is authenticated by the authenticator by using PAP.

ppp pap local-user username password { cipher | simple } string

By default, when being authenticated by the authenticator by using PAP, the peer sends null username and password to the authenticator.

For security purposes, the password specified in plaintext form and ciphertext form will be stored in encrypted form.

Configuring CHAP authentication (authenticator name is configured)

Restrictions and guidelines for CHAP authentication (authenticator name is configured)

When you configure the authenticator, follow these guidelines:

·     For local AAA authentication, the username and password of the peer must be configured on the authenticator.

·     For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

·     The username and password configured for the peer must meet the following requirements:

¡     The username configured for the peer must be the same as that configured on the peer by using the ppp chap user command.

¡     The passwords configured for the authenticator and peer must be the same.

When you configure the peer, follow these guidelines:

·     For local AAA authentication, the username and password of the authenticator must be configured on the peer.

·     For remote AAA authentication, the username and password of the authenticator must be configured on the remote AAA server.

·     The username and password configured for the authenticator must meet the following requirements:

¡     The username configured for the authenticator must be the same as that configured on the authenticator by using the ppp chap user command.

¡     The passwords configured for the authenticator and peer must be the same.

·     The peer does not support the CHAP authentication password configured by using the ppp chap password command. CHAP authentication (authenticator name is configured) will apply even if the authentication name is configured.

Configuring the authenticator

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the authenticator to authenticate the peer by using CHAP.

ppp authentication-mode chap [ [ call-in ] domain { isp-name | default enable isp-name } ]

By default, PPP authentication is disabled.

4.     Configure a username for the CHAP authenticator.

ppp chap user username

The default setting is null.

5.     Configure local or remote AAA authentication.

For more information about AAA authentication, see Security Configuration Guide.

Configuring the peer

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure a username for the CHAP peer.

ppp chap user username

The default setting is null.

4.     Configure local or remote AAA authentication.

For more information about AAA authentication, see Security Configuration Guide.

Configuring CHAP authentication (authenticator name is not configured)

Restrictions and guidelines for CHAP authentication (authenticator name is not configured)

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

The username and password configured for the peer must meet the following requirements:

·     The username configured for the peer must be the same as that configured on the peer by using the ppp chap user command.

·     The password configured for the peer must be the same as that configured on the peer by using the ppp chap password command.

Configuring the authenticator

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the authenticator to authenticate the peer by using CHAP.

ppp authentication-mode chap [ [ call-in ] domain { isp-name | default enable isp-name } ]

By default, PPP authentication is disabled.

4.     Configure local or remote AAA authentication.

For more information about AAA authentication, see Security Configuration Guide.

Configuring the peer

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure a username for the CHAP peer.

ppp chap user username

The default setting is null.

4.     Set the CHAP authentication password.

ppp chap password { cipher | simple } string

The default setting is null.

For security purposes, the password specified in plaintext form and ciphertext form will be stored in encrypted form.

Configuring MS-CHAP or MS-CHAP-V2 authentication

Restrictions and guidelines for MS-CHAP or MS-CHAP-V2 authentication

The device can only act as an authenticator for MS-CHAP or MS-CHAP-V2 authentication.

MS-CHAP-V2 authentication supports password change only when using RADIUS.

As a best practice, do not set the authentication method for PPP users to none when MS-CHAP-V2 authentication is used.

For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.

If authentication name is configured, the username configured for the authenticator on the peer must be the same as that configured on the authenticator by using the ppp chap user command.

Configuring MS-CHAP or MS-CHAP-V2 authentication (authenticator name is configured)

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.

ppp authentication-mode { ms-chap | ms-chap-v2 } [ [ call-in ] domain { isp-name | default enable isp-name } ]

By default, PPP authentication is disabled.

4.     Configure a username for the MS-CHAP or MS-CHAP-V2 authenticator.

ppp chap user username

5.     Configure local or remote AAA authentication.

For more information about AAA authentication, see Security Configuration Guide.

Configuring MS-CHAP or MS-CHAP-V2 authentication (authenticator name is not configured)

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.

ppp authentication-mode { ms-chap | ms-chap-v2 } [ [ call-in ] domain { isp-name | default enable isp-name } ]

By default, PPP authentication is disabled.

4.     Configure local or remote AAA authentication.

For more information about AAA authentication, see Security Configuration Guide.

Configuring the polling feature

About this task

The polling feature checks PPP link state.

On an interface that uses PPP encapsulation, the link layer sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface receives no response to keepalive packets when the keepalive retry limit is reached, it determines that the link fails and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

The value 0 disables an interface from sending keepalive packets. In this case, the interface can respond to keepalive packets from the peer.

Restrictions and guidelines

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

In an MP bundle, only channels support the polling feature, and the MP bundle does not support polling. Even if you configure polling on an MP bundle, polling does take effect on the MP bundle.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the keepalive interval.

timer-hold seconds

The default setting is 10 seconds.

4.     Set the keepalive retry limit.

timer-hold retry retries

The default setting is 5.

Configuring PPP negotiation

Configuring the PPP negotiation timeout time

About this task

The device starts the PPP negotiation timeout timer after sending a packet. If no response is received before the timer expires, the device sends the packet again.

If two ends of a PPP link vary greatly in the LCP negotiation packet processing rate, configure this command on the end with a higher processing rate. The LCP negotiation delay timer prevents frequent LCP negotiation packet retransmission. After the physical layer comes up, PPP starts LCP negotiation when the delay timer expires. If PPP receives LCP negotiation packets before the delay timer expires, it starts LCP negotiation immediately.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the negotiation timeout time.

ppp timer negotiate seconds

The default setting is 3 seconds.

4.     (Optional.) Set the LCP negotiation delay timer.

ppp lcp delay milliseconds

By default, PPP starts LCP negotiation immediately after the physical layer comes up.

Configuring IP address negotiation on the client

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable IP address negotiation.

ip address ppp-negotiate

By default, IP address negotiation is not enabled.

If you execute this command and the ip address command multiple times, the most recent configuration takes effect. For more information about the ip address command, see Layer 3—IP Services Command Reference.

Configuring IP address negotiation on the server

About this task

Configure the server to assign an IP address to a client by using the following methods:

·     Method 1: Specify an IP address for the client on the server interface.

·     Method 2: Specify a PPP or DHCP address pool on the server interface.

·     Method 3: Associate a PPP or DHCP address pool with an ISP domain.

Restrictions and guidelines for IP address negotiation on the server

For clients requiring no authentication, you can use either method 1 or method 2. When both method 1 and method 2 are configured, the most recent configuration takes effect.

For clients requiring authentication, you can use one or more of the three methods. When multiple methods are configured, method 3 takes precedence over method 1 or method 2. When both method 1 and method 2 are configured, the most recent configuration takes effect.

PPP supports IP address assignment from a PPP or DHCP address pool. If you use a pool name that identifies both a PPP address pool and a DHCP address pool, the system uses the PPP address pool.

When assigning IP address to users through a PPP address pool, make sure the PPP address pool excludes the gateway IP address of the PPP address pool.

Specifying an IP address for the client on the server interface

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface to assign an IP address to the peer.

remote address ip-address

By default, an interface does not assign an IP address to the peer.

4.     Configure an IP address for the interface.

ip address ip-address

By default, no IP address is configured on an interface.

Specifying a PPP address pool on the server interface

1.     Enter system view.

system-view

2.     Configure a PPP address pool.

ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]

3.     (Optional.) Configure a gateway address for the PPP address pool.

ip pool pool-name gateway ip-address [ vpn-instance vpn-instance-name ]

By default, the PPP address pool is not configured with a gateway address.

4.     (Optional.) Configure a PPP address pool route.

ppp ip-pool route ip-address { mask-length | mask } [ vpn-instance vpn-instance-name ]

By default, no PPP address pool route exists.

The destination network of the PPP address pool route must include the PPP address pool.

5.     Enter interface view.

interface interface-type interface-number

6.     Configure the interface to assign an IP address from the configured PPP address pool to the peer.

remote address pool pool-name

By default, an interface does not assign an IP address to the peer.

7.     Configure an IP address for the interface.

ip address ip-address

By default, no IP address is configured on an interface.

Specifying a DHCP address pool on the server interface

1.     Enter system view.

system-view

2.     Configure DHCP.

¡     If the server acts as a DHCP server, perform the following tasks:

-     Configure the DHCP server.

-     Configure a DHCP address pool on the server.

¡     If the server acts as a DHCP relay agent, perform the following tasks:

-     Configure the DHCP relay agent on the server.

-     Configure a DHCP address pool on the remote DHCP server.

-     Enable the DHCP relay agent to record relay entries.

-     Configure a DHCP relay address pool.

For information about configuring a DHCP server and a DHCP relay agent, see Layer 3—IP Services Configuration Guide.

3.     Enter interface view.

interface interface-type interface-number

4.     Configure the interface to assign an IP address from the configured DHCP address pool to the peer.

remote address pool pool-name

By default, an interface does not assign an IP address to the peer.

5.     (Optional.) Configure the DHCP client IDs for PPP users acting as DHCP clients.

remote address dhcp client-identifier { callingnum | username }

By default, no DHCP client IDs are configured for PPP users acting as DHCP clients.

When PPP usernames are used as DHCP client IDs, make sure different users use different PPP usernames to come online.

6.     Configure an IP address for the interface.

ip address ip-address

By default, no IP address is configured on an interface.

Associating a PPP address pool with an ISP domain

1.     Enter system view.

system-view

2.     Configure a PPP address pool.

ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]

By default, no PPP address pool is configured.

3.     (Optional.) Configure a gateway address for the PPP address pool.

ip pool pool-name gateway ip-address [ vpn-instance vpn-instance-name ]

By default, the PPP address pool is not configured with a gateway address.

4.     (Optional.) Configure a PPP address pool route.

ppp ip-pool route ip-address { mask-length | mask } [ vpn-instance vpn-instance-name ]

By default, no PPP address pool route exists.

The destination network of the PPP address pool route must include the PPP address pool.

5.     Enter ISP domain view.

domain isp-name

6.     Associate the ISP domain with the configured PPP address pool for address assignment.

authorization-attribute ip-pool pool-name

By default, no PPP address pool is associated.

For more information about this command, see Security Command Reference.

7.     Return to system view.

quit

8.     Enter interface view.

interface interface-type interface-number

9.     Configure an IP address for the interface.

ip address ip-address

By default, no IP address is configured on an interface.

Associating a DHCP address pool with an ISP domain

1.     Enter system view.

system-view

2.     Configure DHCP.

¡     If the server acts as a DHCP server, perform the following tasks:

-     Configure the DHCP server.

-     Configure a DHCP address pool on the server.

¡     If the server acts as a DHCP relay agent, perform the following tasks:

-     Configure the DHCP relay agent on the server.

-     Configure a DHCP address pool on the remote DHCP server.

-     Enable the DHCP relay agent to record relay entries.

-     Configure a DHCP relay address pool.

For information about configuring a DHCP server and a DHCP relay agent, see Layer 3—IP Services Configuration Guide.

3.     Enter ISP domain view.

domain isp-name

4.     Associate the ISP domain with the configured DHCP address pool or DHCP relay address pool for address assignment.

authorization-attribute ip-pool pool-name

By default, no DHCP address pool or DHCP relay address pool is associated.

For more information about this command, see Security Command Reference.

5.     Return to system view.

quit

6.     Enter interface view.

interface interface-type interface-number

7.     (Optional.) Configure the DHCP client IDs for PPP users acting as DHCP clients.

remote address dhcp client-identifier { callingnum | username }

By default, no DHCP client IDs are configured for PPP users acting as DHCP clients.

When PPP usernames are used as DHCP client IDs, make sure different users use different PPP usernames to come online.

8.     Configure an IP address for the interface.

ip address ip-address

By default, no IP address is configured on an interface.

Enabling IP segment match

About this task

This feature enables the local interface to check whether its IP address and the IP address of the remote interface are in the same network segment. If they are not, IPCP negotiation fails.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable IP segment match.

ppp ipcp remote-address match

By default, this feature is disabled.

Configuring DNS server IP address negotiation on the client

About this task

During PPP negotiation, the server will assign a DNS server IP address only for a client configured with the ppp ipcp dns request command. For some special devices to forcibly assign DNS server IP addresses to clients that do not initiate requests, configure the ppp ipcp dns admit-any command on these devices.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the device to request the peer for a DNS server IP address.

ppp ipcp dns request

By default, a client does not request its peer for a DNS server IP address.

4.     Configure the device to accept the DNS server IP addresses assigned by the peer even though it does not request the peer for the DNS server IP addresses.

ppp ipcp dns admit-any

By default, a device does not accept the DNS server IP addresses assigned by the peer if it does not request the peer for the DNS server IP addresses.

This command is not necessary if the ppp ipcp dns request command is configured.

Configuring DNS server IP address negotiation on the server

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the primary and secondary DNS server IP addresses to be allocated to the peer in PPP negotiation.

ppp ipcp dns primary-dns-address [ secondary-dns-address ]

By default, a device does not allocate DNS server IP addresses to its peer if the peer does not request them.

After this command is configured, the server allocate DNS server IP addresses to a client that initiates requests.

Configuring ACFC negotiation

About this task

PPP can compress the address and control fields of PPP packets to increase the payload size.

ACFC negotiation notifies the peer that the local end can receive packets carrying compressed address and control fields.

ACFC negotiation is implemented at the LCP negotiation stage. After the ACFC negotiation succeeds, PPP does not include the address and control fields in non-LCP packets. To ensure successful LCP negotiation, PPP does not apply the compression to LCP packets.

Restrictions and guidelines for ACFC negotiation

As a best practice, use the ACFC configuration option on low-speed links.

Configuring the local end to send ACFC requests

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the local end to send ACFC requests by including the ACFC option in outbound LCP negotiation requests.

ppp acfc local request

By default, the local end does not include the ACFC option in outbound LCP negotiation requests.

Configuring local end to reject ACFC requests received from the peer

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the local end to reject ACFC requests received from the peer.

ppp acfc remote-reject

By default, the local end accepts the ACFC requests from the remote peer, and performs ACFC on frames sent to the peer.

Configuring PFC negotiation

About this task

PPP can compress the protocol field of PPP packets from 2 bytes to 1 byte to increase the payload size.

PFC negotiation notifies the peer that the local end can receive packets with a single-byte protocol field.

PFC negotiation is implemented at the LCP negotiation stage. After PFC negotiation is completed, the device compresses the protocol field of sent non-LCP packets. If the first eight bits of the protocol field are all zeros, the device does not add those bits into the packet. To ensure successful LCP negotiation, PPP does not apply the compression to LCP packets.

Restrictions and guidelines for PFC negotiation

As a best practice, use this configuration option on low-speed links.

Configuring the local end to send PFC requests

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the local end to send PFC requests by including the PFC option in outbound LCP negotiation requests.

ppp pfc local request

By default, the local end does not include the PFC option in outbound LCP negotiation requests.

Configuring the local end to reject PFC requests received from the peer

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the local end to reject PFC requests received from the peer.

ppp pfc remote-reject

By default, the device accepts PFC requests received from the peer, and performs PFC on frames sent to the peer.

Enabling IP header compression

About this task

IP header compression (IPHC) compresses packet headers to speed up packet transmission. IPHC is often used for voice communications over low-speed links.

IPHC provides the following compression features:

·     RTP header compressionCompresses the IP header, UDP header, and RTP header of an RTP packet, which have a total length of 40 bytes.

·     TCP header compression—Compresses the IP header and TCP header of a TCP packet, which have a total length of 40 bytes.

Restrictions and guidelines

To use IPHC, you must enable it on both sides of a PPP link.

Enabling or disabling IPHC on a VT, dialer, or ISDN interface does not immediately take effect. You must execute the shutdown and undo shutdown commands on the interface or the bound physical interface to apply the new setting.

After you enable IPHC, you can configure the maximum number of connections for RTP or TCP header compression. The configuration takes effect after you execute the shutdown and undo shutdown command on the interface. The configuration is removed after IPHC is disabled.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable IP header compression.

ppp compression iphc enable [ nonstandard ]

By default, IP header compression is disabled.

The nonstandard option must be specified when the device communicates with a non-H3C device.

When the nonstandard keyword is specified, only RTP header compression is supported and TCP header compression is not supported.

4.     Set the maximum number of connections for which an interface can perform RTP header compression.

ppp compression iphc rtp-connections number

The default setting is 16.

5.     Set the maximum number of connections for which an interface can perform TCP header compression.

ppp compression iphc tcp-connections number

The default setting is 16.

Configuring the NAS-Port-Type attribute

About this task

The NAS-Port-Type attribute is used for RADIUS authentication and accounting. For information about the NAS-Port-Type attribute, see RFC 2865.

Restrictions and guidelines

The configuration of this feature does not affect existing users.

Procedure

1.     Enter system view.

system-view

2.     Enter VT interface view.

interface virtual-template number

3.     Configure the NAS-Port-Type attribute.

nas-port-type { 802.11 | adsl-cap | adsl-dmt | async | cable | ethernet | g.3-fax | idsl | isdn-async-v110 | isdn-async-v120 | isdn-sync | piafs | sdsl | sync | virtual | wireless-other | x.25 | x.75 | xdsl }

By default, the NAS-Port-Type attribute is determined by the service type and link type of the

PPP user as follows:

¡     When the service type is PPPoE, the NAS-Port-Type attribute is xdsl for VEth interfaces and ethernet for other interfaces.

¡     When the service type is PPPoA, the NAS-port-type attribute is xdsl.

 

Enabling PPP accounting

About this task

PPP accounting collects PPP statistics, including the numbers of received and sent PPP packets and bytes. AAA can use the PPP statistics for accounting. For more information about AAA, see Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable PPP accounting.

ppp account-statistics enable [ acl { acl-number | name acl-name } ]

By default, PPP accounting is disabled.

Enabling PPP user logging

About this task

The PPP user logging feature enables the device to generate PPP logs and send them to the information center. Logs are generated after a user comes online, goes offline, or fails to come online. A log entry contains information such as the username, IP address, interface name, inner VLAN, outer VLAN, MAC address, and failure causes. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

Typically, disable this feature to prevent excessive PPP log output.

Procedure

1.     Enter system view.

system-view

2.     Enable PPP user logging.

ppp access-user log enable [ successful-login | failed-login | normal-logout | abnormal-logout ] *

By default, PPP user logging is disabled.

Display and maintenance commands for PPP

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about VA interfaces.

display interface [ virtual-access [ interface-number ] ] [ brief [ description | down ] ]

Display information about VT interfaces.

display interface [ virtual-template [ interface-number ] ] [ brief [ description | down ] ]

Display PPP address pools.

display ip pool [ pool-name | group group-name ]

Display information about PPP access users.

display ppp access-user { domain domain-name | interface interface-type interface-number [ count ] | ip-address ipv4-address | ipv6-address ipv6-address | username user-name | user-type { lac | lns | pppoa | pppoe } [ count ] }

Display PPP negotiation packet statistics.

In standalone mode:

display ppp packet statistics

In IRF mode:

display ppp packet statistics [ slot slot-number ]

Display IPHC statistics.

display ppp compression iphc { rtp | tcp } [ interface interface-type interface-number ]

Clear the statistics for VA interfaces.

reset counters interface [ virtual-access [ interface-number ] ]

Log off a PPP user.

reset ppp access-user { ip-address ipv4-address [ vpn-instance ipv4-vpn-instance-name ] | ipv6-address ipv6-address [ vpn-instance ipv6-vpn-instance-name ] | username user-name }

Clear IPHC statistics.

reset ppp compression iphc [ rtp | tcp ] [ interface interface-type interface-number ]

Clear PPP negotiation packet statistics.

In standalone mode:

reset ppp packet statistics

In IRF mode:

reset ppp packet statistics [ slot slot-number ]


Configuring PPPoE

About PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames encapsulated in Ethernet over point-to-point links.

PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint relationship as in multi-access environments such as Ethernet. PPPoE provides Internet access for the hosts in an Ethernet through a remote access device and implement access control, authentication, and accounting on a per-host basis. Integrating the low cost of Ethernet and scalability and management functions of PPP, PPPoE gained popularity in various application environments, such as residential access networks.

For more information about PPPoE, see RFC 2516.

PPPoE network structure

PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE server. After session negotiation between them is complete, a session is established between them, and the PPPoE server provides access control, authentication, and accounting to the PPPoE client.

PPPoE network structures are classified into router-initiated and host-initiated network structures depending on the starting point of the PPPoE session.

Router-initiated network structure

As shown in Figure 2, the PPPoE session is established between devices (Device A and Device B). All hosts share one PPPoE session for data transmission without being installed with PPPoE client software. This network structure is typically used by enterprises.

Figure 2 Router-initiated network structure

Host-initiated network structure

As shown in Figure 3, a PPPoE session is established between each host (PPPoE client) and the carrier device (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client software.

Figure 3 Host-initiated network structure

Protocols and standards

RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)

Configuring a PPPoE client

Operation mode

A PPPoE session can operate in one of the following modes:

·     Permanent mode—A PPPoE session is established immediately when the line is physically up. This type of session remains until the physical link comes down or until the session is disconnected.

·     On-demand mode—A PPPoE session is established when there is a demand for data transmission instead of when the line is physically up. It is terminated when idled for a specific period of time.

·     Diagnostic mode—A PPPoE session is established immediately after the device configurations finish. The device automatically terminates the PPPoE session and then tries to re-establish a PPPoE session at a pre-configured interval. By establishing and terminating PPPoE sessions periodically, you can monitor the operating status of the PPPoE link.

The PPPoE session operating mode is determined by your configuration on the dialer interface:

·     Permanent mode—Used when you set the link idle time to 0 by using the dialer timer idle command and do not configure the dialer diagnose command.

·     On-demand mode—Used when you set the link idle time to a non-zero value by using the dialer timer idle command and do not configure the dialer diagnose command.

·     Diagnostic mode—Used when you configure the dialer diagnose command.

PPPoE client tasks at a glance

To configure a PPPoE client, perform the following tasks:

1.     Configuring a dialer interface

2.     Configuring a PPPoE session

3.     (Optional.) Resetting a PPPoE session

Configuring a dialer interface

About this task

Before establishing a PPPoE session, you must first create a dialer interface and configure bundle DDR on the interface. Each PPPoE session uniquely corresponds to a dialer bundle, and each dialer bundle uniquely corresponds to a dialer interface. A PPPoE session uniquely corresponds to a dialer interface.

Procedure

1.     Enter system view.

system-view

2.     Create a dialer group and configure a dial rule.

dialer-group group-number rule { ip | ipv6 } { deny | permit | acl { acl-number | name acl-name } }

Configure this command only when the PPPoE session operates in on-demand mode.

3.     Create a dialer interface and enter its view.

interface dialer number

4.     Assign an IP address to the interface.

ip address { address mask | ppp-negotiate }

By default, no IP address is configured.

5.     Enable bundle DDR on the interface.

dialer bundle enable

By default, bundle DDR is disabled.

6.     Associate the interface with the dial rule by associating the interface with the corresponding dialer group.

dialer-group group-number

By default, a dialer interface is not assigned to any dialer group.

Configure this command only when the PPPoE session operates in on-demand mode.

7.     Configure the link-idle timeout timer.

dialer timer idle idle [ in | in-out ]

The default setting is 120 seconds.

When this timer is set to 0 seconds, the PPPoE session operates in permanent mode. Otherwise, the PPPoE session operates in on-demand mode.

8.     Configure the DDR application to operate in diagnostic mode.

dialer diagnose [ interval interval ]

By default, the DDR application operates in non-diagnostic mode.

Execute this command only when the PPPoE session operates in diagnostic mode.

9.     (Optional.) Set the auto-dial interval.

dialer timer autodial autodial-interval

The default setting is 300 seconds.

DDR starts the auto-dial timer after the link is disconnected and originates a new call when the auto-dial timer expires.

As a best practice, set a shorter auto-dial interval for DDR to soon originate a new call.

10.     (Optional.) Set the MTU for the dialer interface

mtu size

By default, the MTU on a dialer interface is 1500 bytes.

The dialer interface fragments a packet that exceeds the configured MTU, and adds a 2-byte PPP header and a 6-byte PPPoE header to each fragment. You should modify the MTU of a dialer interface to make sure the total length of any fragment packet is less than the MTU of the physical interface.

Configuring a PPPoE session

About this task

After a PPPoE session is successfully established, the system automatically creates a VA interface for exchanging packets with the peer. To display information about VA interfaces, execute the display interface virtual-access command. VA interfaces cannot be manually configured.

After the PPPoE session is terminated, the corresponding VA interface is automatically deleted.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Create a PPPoE session and specify a dialer bundle for the session.

pppoe-client dial-bundle-number number [ no-hostuniq ]

The number argument in this command must take the same value as the configured dialer interface number.

Resetting a PPPoE session

About this task

After you reset a PPPoE session in permanent mode, the device establishes a new PPPoE session when the autodial timer expires.

After you reset a PPPoE session in on-demand mode, the device establishes a new PPPoE session when there is a demand for data transmission.

Procedure

To reset a PPPoE session, execute the following command in user view:

reset pppoe-client { all | dial-bundle-number number }

Display and maintenance commands for PPPoE

Display and maintenance commands for PPPoE client

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display summary information for a PPPoE session.

display pppoe-client session summary [ dial-bundle-number number ]

Display the protocol packet statistics for a PPPoE session.

display pppoe-client session packet [ dial-bundle-number number ]

Clear the protocol packet statistics for a PPPoE session.

reset pppoe-client session packet [ dial-bundle-number number ]

PPPoE configuration examples

Example: Configuring a PPPoE client in permanent mode

Network configuration

As shown in Figure 4, Router A serves as a PPPoE server. Configure Router B as a PPPoE client operating in permanent mode.

Figure 4 Network diagram

Procedure

1.     Configure Router A as the PPPoE server:

# Configure an IP address for Virtual-Template 1 and specify an IP address for the peer.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/0, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/0] quit

2.     Configure Router B as the PPPoE client:

# Enable bundle DDR on Dialer 1.

<RouterB> system-view

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer bundle enable

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterB-Dialer1] ip address ppp-negotiate

[RouterB-Dialer1] quit

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] pppoe-client dial-bundle-number 1

[RouterB-GigabitEthernet1/0] quit

# Configure the PPPoE session to operate in permanent mode.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer timer idle 0

# Set the DDR auto-dial interval to 60 seconds.

[RouterB-Dialer1] dialer timer autodial 60

[RouterB-Dialer1] quit

# Configure a static route.

[RouterB] ip route-static 1.1.1.1 255.0.0.0 dialer 1

Verifying the configuration

# Display summary information about the PPPoE session established between Router B and Router A (PPPoE server).

[RouterB-Dialer1] display pppoe-client session summary

Bundle ID    Interface    VA          RemoteMAC      LocalMAC       State

1      1     GE1/0      VA0         00e0-1400-4300 00e0-1500-4100 SESSION

Example: Configuring a PPPoE client in on-demand mode

Network configuration

As shown in Figure 5, Router A serves as a PPPoE server. Configure Router B as a PPPoE client operating in on-demand mode, and set the link idle-timeout timer to 150 seconds.

Figure 5 Network diagram

Procedure

1.     Configure Router A as the PPPoE server:

# Configure an IP address for Virtual-Template 1 and specify an IP address for the peer.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/0, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/0] quit

2.     Configure Router B as the PPPoE client.

# Create dialer group 1 and configure a dial rule for it.

<RouterB> system-view

[RouterB] dialer-group 1 rule ip permit

# Enable bundle DDR on Dialer 1.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer bundle enable

# Associate Dialer 1 with dialer group 1.

[RouterB-Dialer1] dialer-group 1

[RouterB-Dialer1] quit

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterB-Dialer1] ip address ppp-negotiate

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] pppoe-client dial-bundle-number 1

[RouterB-GigabitEthernet1/0] quit

# Configure a static route.

[RouterB] ip route-static 1.1.1.1 255.0.0.0 dialer 1

# Set the link-idle timeout timer to 150 seconds.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer timer idle 150

[RouterB-Dialer1] quit

Verifying the configuration

# Display summary information about the PPPoE session established between Router B and Router A (PPPoE server).

[RouterB-Dialer1] display pppoe-client session summary

Bundle ID    Interface    VA          RemoteMAC      LocalMAC       State

1      1     GE1/0      VA0         00e0-1400-4300 00e0-1500-4100 SESSION

Example: Configuring a PPPoE client in diagnostic mode

Network configuration

As shown in Figure 6, Router A serves as a PPPoE server. Configure Router B as a PPPoE client operating in diagnostic mode, and set the diagnostic interval to 200 seconds.

Figure 6 Network diagram

Procedure

1.     Configure Router A as the PPPoE server:

# Configure an IP address for Virtual-Template 1 and specify an IP address for the peer.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 1/0, and bind the interface to Virtual-Template 1.

[RouterA] interface gigabitethernet 1/0/

[RouterA-GigabitEthernet1/0] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet1/0] quit

2.     Configure Router B as the PPPoE client.

# Enable bundle DDR on Dialer 1.

<RouterB> system-view

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer bundle enable

# Configure Dialer 1 to obtain an IP address through PPP negotiation.

[RouterB-Dialer1] ip address ppp-negotiate

[RouterB-Dialer1] quit

# Configure a PPPoE session that corresponds to dialer bundle 1 (dialer bundle 1 corresponds to Dialer 1).

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] pppoe-client dial-bundle-number 1

[RouterB-GigabitEthernet1/0] quit

# Configure the PPPoE session to operate in diagnostic mode, and set the diagnostic interval to 200 seconds.

[RouterB] interface dialer 1

[RouterB-Dialer1] dialer diagnose interval 200

# Set the DDR auto-dial interval to 10 seconds.

[RouterB-Dialer1] dialer timer autodial 10

Verifying the configuration

# Display summary information about the PPPoE session established between Router B and Router A (PPPoE server).

[RouterB-Dialer1] display pppoe-client session summary

Bundle ID    Interface    VA          RemoteMAC      LocalMAC       State

1      1     GE1/0      VA0         00e0-1400-4300 00e0-1500-4100 SESSION