PPP commands
PPP in this chapter serves only PPPoE and L2TP applications. For more information about PPPoE and L2TP, see “Configuring PPPoE” and “Configuring L2TP.”
bandwidth
Use bandwidth to set the expected bandwidth of an interface.
Use undo bandwidth to restore the default.
Syntax
bandwidth bandwidth-value
undo bandwidth
Default
The expected bandwidth (in kbps) is the interface baud rate divided by 1000.
Views
VT interface view
Predefined user roles
network-admin
Parameters
bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.
Usage guidelines
The expected bandwidth of an interface affects the link costs in OSPF, OSPFv3, and IS-IS. For more information, see Layer 3—IP Routing Configuration Guide.
Examples
# Set the expected bandwidth of Virtual-Template 10 to 1000 kbps.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] bandwidth 1000
default
Use default to restore the default settings for a VT interface.
Syntax
default
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
CAUTION: The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command before using it on a live network.
This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use the undo forms of these commands or follow the command reference to individually restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.
Examples
# Restore the default settings of Virtual-Template 10.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] default
description
Use description to configure the description of an interface.
Use undo description to restore the default.
Syntax
description text
undo description
Default
The default description for a VT interface is the interface name followed by Interface (for example, Virtual-Template1 Interface).
Views
VT interface view
Predefined user roles
network-admin
Parameters
text: Specifies the interface description, a case-sensitive string of 1 to 255 characters.
Examples
# Set the description for Virtual-Template 10 to virtual-interface.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] description virtual-interface
display interface virtual-template
Use display interface virtual-template to display information about VT interfaces.
Syntax
display interface [ virtual-template [ interface-number ] ] [ brief [ description | down ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
virtual-template [ interface-number ]: Specifies an existing VT interface by its number. If you do not specify the virtual-template keyword, the command displays information about all interfaces on the device. If you specify the virtual-template keyword without the interface-number argument, the command displays information about all existing VT interfaces.
brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.
description: Displays the complete interface description. If you do not specify this keyword, the command displays only the first 27 characters of any description that is longer than 27 characters.
down: Displays information about interfaces in physically down state and the causes. If you do not specify this keyword, the command displays information about all interfaces.
Examples
# Display detailed information about Virtual-Template 1.
<Sysname> display interface virtual-template 1
Virtual-Template1
Current state: DOWN
Line protocol state: DOWN
Description: Virtual-Template1 Interface
Bandwidth: 100000kbps
Maximum transmission unit: 1500
Hold timer: 10 seconds, retry times: 5
Internet address: 192.168.1.200/24 (primary)
Link layer protocol: PPP
LCP: initial
Physical: None, baudrate: 100000000 bps
# Display brief information about Virtual-Template 1.
<Sysname> display interface virtual-template 1 brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
VT1 DOWN DOWN --
# Display brief information about the VT interfaces in physically down state and the causes.
<Sysname> display interface Virtual-Template brief down
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Interface Link Cause
VT0 DOWN Not connected
VT12 DOWN Not connected
VT1023 DOWN Not connected
Table 1 Command output
Field | Description |
---|---|
Current state | Physical link state of the interface: · DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). · UP—The interface is both administratively and physically up. This field for a VT interface can only be DOWN. |
Line protocol state | Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. · UP—The data link layer protocol is up. · DOWN—The data link layer protocol is down. This field for a VT interface can only be DOWN. |
Description | Description of the interface. |
Bandwidth | Expected bandwidth of the interface. |
Hold timer | Interval at which the interface sends keepalive packets. |
retry times | Maximum number of keepalive retransmission attempts. A link is removed after the maximum number of retransmission attempts is reached. |
Internet protocol processing: Disabled | The interface is not assigned an IP address and cannot process IP packets. |
Internet address: 192.168.1.200/24 (primary) | Primary IP address of the interface. |
LCP initial | LCP initialization is complete. |
Physical | Physical type of the interface. |
Brief information on interfaces in route mode | Brief information about Layer 3 interfaces. |
Interface | Abbreviated interface name. |
Link | Physical link state of the interface: · UP—The interface is physically up. · DOWN—The interface is physically down. · ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Stby—The interface is a backup interface in standby state. This field for a VT interface can only be DOWN. |
Protocol | Data link layer protocol state of the interface: · UP—The data link layer protocol of the interface is up. · DOWN—The data link layer protocol of the interface is down. · UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces. This field for a VT interface can only be DOWN. |
Primary IP | Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address. |
Cause | Cause for the physical link state of an interface to be DOWN. Not connected indicates no physical link exists (possibly because the network cable is disconnected or faulty). |
display ppp chasten per-mac
Use display ppp chasten per-mac to display per-MAC blocking information about PPP users.
Syntax
display ppp chasten per-mac { auth-failed | blocked } [ mac mac-address ] [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
auth-failed: Displays information about users who failed authentication but do not meet the blocking conditions.
blocked: Displays information about blocked users.
mac mac-address: Specifies a user by its MAC address. The mac-address argument is in the format of H-H-H.
interface interface-type interface-number: Specifies an interface by its type and number.
Examples
# Display information about blocked PPP users.
<Sysname> display ppp chasten per-mac blocked
MAC address S-/C-VLAN Interface Aging(S)
0001-0001-0001 -/- XGE3/0/1 89
0002-0002-0002 -/- XGE3/0/1 10
# Display information about PPP users who failed authentication but do not meet the blocking conditions.
<Sysname> display ppp chasten per-mac auth-failed
MAC address S-/C-VLAN Interface Auth-failures
0001-0001-0003 -/- XGE3/0/1 3
0002-0002-0004 -/- XGE3/0/1 2
Table 2 Command output
Field | Description |
---|---|
MAC address | MAC address of a detected PPP user. |
S-/C-VLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-). |
Interface | User access interface. |
Aging(S) | Remaining blocking time in seconds for a blocked user. |
Auth-failures | Number of consecutive authentication failures for a PPP user who failed authentication but does not meet the blocking conditions during the detection period. |
Related commands
ppp authentication chasten per-mac
reset ppp chasten per-mac blocked
display ppp chasten statistics
Use display ppp chasten statistics to display statistics about PPP user blocking.
Syntax
display ppp chasten statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display statistics about PPP user blocking.
<Sysname> display ppp chasten statistics
Blocked users : 1
Auth-failed users : 1
Table 3 Command output
Field | Description |
---|---|
Blocked users | Total number of blocked PPP users. |
Auth-failed users | Number of PPP users who failed authentication but do not meet the blocking conditions. |
Related commands
display ppp chasten user
ppp authentication chasten
display ppp chasten user
Use display ppp chasten user to display blocking information about PPP users.
Syntax
display ppp chasten user { auth-failed | blocked } [ username user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
auth-failed: Displays information about users who failed authentication but do not meet the blocking conditions.
blocked: Displays information about blocked users.
username user-name: Specifies a username string for fuzzy matching usernames, a case-sensitive string of 1 to 80 characters. For example, if the user-name argument is abc, information about users whose usernames contain abc will be displayed. If you do not specify a username, this command displays blocking information about all PPP users.
Examples
# Display information about blocked PPP users.
<Sysname> display ppp chasten user blocked
Username Domain Aging(S)
aaa aaa 34
# Display information about PPP users who failed authentication but do not meet the blocking conditions.
<Sysname> display ppp chasten user auth-failed
Username Domain Auth-failures
bbb bbb 5
Table 4 Command output
Field | Description |
---|---|
Username | Username of a PPP user. |
Domain | Domain to which the PPP user belongs. This field displays N/A when the domain of the PPP user is not obtained. |
Aging(S) | Remaining blocking time in seconds for a blocked user. |
Auth-failures | Number of consecutive authentication failures for a PPP user who failed authentication but does not meet the blocking conditions during the detection period. |
Related commands
display ppp chasten statistics
ppp authentication chasten
display ppp keepalive packet-loss-ratio
Use display ppp keepalive packet-loss-ratio to display the packet loss ratio statistics for the PPP user detection packets.
Syntax
display ppp keepalive packet-loss-ratio [ interface interface-type interface-number [ s-vlan svlan-id ] ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays entries of all interfaces.
s-vlan svlan-id: Specifies an SVLAN by its ID. The value range for the svlan-id argument is 1 to 4094.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards.
Usage guidelines
After PPP online user detection is enabled on an interface, the device will automatically record the number of sent detection packets and received packets. You can use this command to view the packet loss ratio statistics for detection packets.
If you execute the display ppp keepalive packet-loss-ratio command partway through a 30-second timer, the command displays the packet loss ratio statistics collected from the start of that timer up to the time of execution. For example, if you execute the command at the 10th second of a 30-second timer, it displays the packet loss ratio statistics collected within those 10 seconds.
This command can be used only to display the packet loss ratio statistics for PPPoE and L2TP user detection packets.
Examples
# Display the packet loss ratio statistics for the PPP user detection packets on all interfaces.
<Sysname> display ppp keepalive packet-loss-ratio
Slot 0:
Interface BAS-interface1:
Keepalive : 11%
Slot 3:
Interface Ten-GigabitEthernet3/0/2:
Keepalive : 11%
# Display the packet loss ratio statistics for the PPP user detection packets on the specified interface.
<Sysname> display ppp keepalive packet-loss-ratio interface ten-gigabitethernet 3/0/1.1
Slot 3:
Interface Ten-GigabitEthernet3/0/1.1:
Keepalive : 11%
S-VLAN: 100
Keepalive : 11%
S-VLAN: 200
Keepalive : 11%
Table 5 Command output
Field | Description |
---|---|
Interface | Detected interface. For L2TP users, the detection is performed on BAS interfaces. |
S-VLAN | Service provider VLAN. |
Keepalive | Packet loss ratio of PPP user detection packets. |
Related commands
access-user user-detect packet-loss-ratio-threshold (BRAS Services Command Reference)
reset ppp keepalive packet-loss-ratio
display ppp packet statistics
Use display ppp packet statistics to display PPP negotiation packet statistics.
Syntax
display ppp packet statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards.
Examples
# Display PPP negotiation packet statistics for the specified slot.
<Sysname> display ppp packet statistics slot 1
PPP packet statistics in slot 1:
-------------------------------LCP------------------------------------
SEND_LCP_CON_REQ : 0 RECV_LCP_CON_REQ : 0
SEND_LCP_CON_NAK : 0 RECV_LCP_CON_NAK : 0
SEND_LCP_CON_REJ : 0 RECV_LCP_CON_REJ : 0
SEND_LCP_CON_ACK : 0 RECV_LCP_CON_ACK : 0
SEND_LCP_CODE_REJ : 0 RECV_LCP_CODE_REJ : 0
SEND_LCP_PROT_REJ : 0 RECV_LCP_PROT_REJ : 0
SEND_LCP_TERM_REQ : 0 RECV_LCP_TERM_REQ : 0
SEND_LCP_TERM_ACK : 0 RECV_LCP_TERM_ACK : 0
SEND_LCP_ECHO_REQ : 0 RECV_LCP_ECHO_REQ : 0
SEND_LCP_ECHO_REP : 0 RECV_LCP_ECHO_REP : 0
SEND_LCP_FAIL : 0 SEND_LCP_CON_REQ_RETRAN : 0
-------------------------------IPCP-----------------------------------
SEND_IPCP_CON_REQ : 0 RECV_IPCP_CON_REQ : 0
SEND_IPCP_CON_NAK : 0 RECV_IPCP_CON_NAK : 0
SEND_IPCP_CON_REJ : 0 RECV_IPCP_CON_REJ : 0
SEND_IPCP_CON_ACK : 0 RECV_IPCP_CON_ACK : 0
SEND_IPCP_CODE_REJ : 0 RECV_IPCP_CODE_REJ : 0
SEND_IPCP_PROT_REJ : 0 RECV_IPCP_PROT_REJ : 0
SEND_IPCP_TERM_REQ : 0 RECV_IPCP_TERM_REQ : 0
SEND_IPCP_TERM_ACK : 0 RECV_IPCP_TERM_ACK : 0
SEND_IPCP_FAIL : 0
-------------------------------IPV6CP---------------------------------
SEND_IPV6CP_CON_REQ : 0 RECV_IPV6CP_CON_REQ : 0
SEND_IPV6CP_CON_NAK : 0 RECV_IPV6CP_CON_NAK : 0
SEND_IPV6CP_CON_REJ : 0 RECV_IPV6CP_CON_REJ : 0
SEND_IPV6CP_CON_ACK : 0 RECV_IPV6CP_CON_ACK : 0
SEND_IPV6CP_CODE_REJ : 0 RECV_IPV6CP_CODE_REJ : 0
SEND_IPV6CP_PROT_REJ : 0 RECV_IPV6CP_PROT_REJ : 0
SEND_IPV6CP_TERM_REQ : 0 RECV_IPV6CP_TERM_REQ : 0
SEND_IPV6CP_TERM_ACK : 0 RECV_IPV6CP_TERM_ACK : 0
SEND_IPV6CP_FAIL : 0
-------------------------------OSICP---------------------------------
SEND_OSICP_CON_REQ : 0 RECV_OSICP_CON_REQ : 0
SEND_OSICP_CON_NAK : 0 RECV_OSICP_CON_NAK : 0
SEND_OSICP_CON_REJ : 0 RECV_OSICP_CON_REJ : 0
SEND_OSICP_CON_ACK : 0 RECV_OSICP_CON_ACK : 0
SEND_OSICP_CODE_REJ : 0 RECV_OSICP_CODE_REJ : 0
SEND_OSICP_PROT_REJ : 0 RECV_OSICP_PROT_REJ : 0
SEND_OSICP_TERM_REQ : 0 RECV_OSICP_TERM_REQ : 0
SEND_OSICP_TERM_ACK : 0 RECV_OSICP_TERM_ACK : 0
SEND_OSICP_FAIL : 0
-------------------------------MPLSCP---------------------------------
SEND_MPLSCP_CON_REQ : 0 RECV_MPLSCP_CON_REQ : 0
SEND_MPLSCP_CON_NAK : 0 RECV_MPLSCP_CON_NAK : 0
SEND_MPLSCP_CON_REJ : 0 RECV_MPLSCP_CON_REJ : 0
SEND_MPLSCP_CON_ACK : 0 RECV_MPLSCP_CON_ACK : 0
SEND_MPLSCP_CODE_REJ : 0 RECV_MPLSCP_CODE_REJ : 0
SEND_MPLSCP_PROT_REJ : 0 RECV_MPLSCP_PROT_REJ : 0
SEND_MPLSCP_TERM_REQ : 0 RECV_MPLSCP_TERM_REQ : 0
SEND_MPLSCP_TERM_ACK : 0 RECV_MPLSCP_TERM_ACK : 0
SEND_MPLSCP_FAIL : 0
--------------------------------AUTH ----------------------------------
SEND_PAP_AUTH_REQ : 0 RECV_PAP_AUTH_REQ : 0
SEND_PAP_AUTH_ACK : 0 RECV_PAP_AUTH_ACK : 0
SEND_PAP_AUTH_NAK : 0 RECV_PAP_AUTH_NAK : 0
SEND_CHAP_AUTH_CHALLENGE : 0 RECV_CHAP_AUTH_CHALLENGE : 0
SEND_CHAP_AUTH_RESPONSE : 0 RECV_CHAP_AUTH_RESPONSE : 0
SEND_CHAP_AUTH_ACK : 0 RECV_CHAP_AUTH_ACK : 0
SEND_CHAP_AUTH_NAK : 0 RECV_CHAP_AUTH_NAK : 0
SEND_PAP_AUTH_FAIL : 0 SEND_CHAP_AUTH_FAIL : 0
Field | Description |
---|---|
LCP | LCP packet statistics. · SEND_LCP_CON_REQ—Number of sent link configuration request packets. · RECV_LCP_CON_REQ—Number of received link configuration request packets. · SEND_LCP_CON_NAK—Number of sent link configuration NAK packets. · RECV_LCP_CON_NAK—Number of received link configuration NAK packets. · SEND_LCP_CON_REJ—Number of sent link configuration reject packets. · RECV_LCP_CON_REJ—Number of received link configuration reject packets. · SEND_LCP_CON_ACK—Number of sent link configuration ACK packets. · RECV_LCP_CON_ACK—Number of received link configuration ACK packets. · SEND_LCP_CODE_REJ—Number of sent link configuration code reject packets. · RECV_LCP_CODE_REJ—Number of received link configuration code reject packets. · SEND_LCP_PROT_REJ—Number of sent link configuration protocol reject packets. · RECV_LCP_PROT_REJ—Number of received link configuration protocol reject packets. · SEND_LCP_TERM_REQ—Number of sent link termination request packets. · RECV_LCP_TERM_REQ—Number of received link termination request packets. · SEND_LCP_TERM_ACK—Number of sent link termination ACK packets. · RECV_LCP_TERM_ACK—Number of received link termination ACK packets. · SEND_LCP_ECHO_REQ—Number of sent LCP echo request packets. · RECV_LCP_ECHO_REQ—Number of received LCP echo request packets. · SEND_LCP_ECHO_REP—Number of sent LCP echo reply packets. · RECV_LCP_ECHO_REP—Number of received LCP echo reply packets. · SEND_LCP_FAIL—Number of sent link failure packets. · SEND_LCP_CON_REQ_RETRAN—Number of retransmitted link configuration request packets. |
IPCP | IPCP packet statistics. · SEND_IPCP_CON_REQ—Number of sent IP address negotiation request packets. · RECV_IPCP_CON_REQ—Number of received IP address negotiation request packets. · SEND_IPCP_CON_NAK—Number of sent IP address negotiation NAK packets. · RECV_IPCP_CON_NAK—Number of received IP address negotiation NAK packets. · SEND_IPCP_CON_REJ—Number of sent IP address negotiation reject packets. · RECV_IPCP_CON_REJ—Number of received IP address negotiation reject packets. · SEND_IPCP_CON_ACK—Number of sent IP address negotiation ACK packets. · RECV_IPCP_CON_ACK—Number of received IP address negotiation ACK packets. · SEND_IPCP_CODE_REJ—Number of sent IP address negotiation code reject packets. · RECV_IPCP_CODE_REJ—Number of received IP address negotiation code reject packets. · SEND_IPCP_PROT_REJ—Number of sent IP address negotiation protocol reject packets. · RECV_IPCP_PROT_REJ—Number of received IP address negotiation protocol reject packets. · SEND_IPCP_TERM_REQ—Number of sent IP address negotiation termination request packets. · RECV_IPCP_TERM_REQ—Number of received IP address negotiation termination request packets. · SEND_IPCP_TERM_ACK—Number of sent IP address negotiation termination ACK packets. · RECV_IPCP_TERM_ACK—Number of received IP address negotiation termination ACK packets. · SEND_IPCP_FAIL—Number of sent IP address negotiation failure packets. |
IPV6CP | IPv6CP packet statistics. · SEND_IPV6CP_CON_REQ—Number of sent IPv6 address negotiation request packets. · RECV_IPV6CP_CON_REQ—Number of received IPv6 address negotiation request packets. · SEND_IPV6CP_CON_NAK—Number of sent IPv6 address negotiation NAK packets. · RECV_IPV6CP_CON_NAK—Number of received IPv6 address negotiation NAK packets. · SEND_IPV6CP_CON_REJ—Number of sent IPv6 address negotiation reject packets. · RECV_IPV6CP_CON_REJ—Number of received IPv6 address negotiation reject packets. · SEND_IPV6CP_CON_ACK—Number of sent IPv6 address negotiation ACK packets. · RECV_IPV6CP_CON_ACK—Number of received IPv6 address negotiation ACK packets. · SEND_IPV6CP_CODE_REJ—Number of sent IPv6 address negotiation code reject packets. · RECV_IPV6CP_CODE_REJ—Number of received IPv6 address negotiation code reject packets. · SEND_IPV6CP_PROT_REJ—Number of sent IPv6 address negotiation protocol reject packets. · RECV_IPV6CP_PROT_REJ—Number of received IPv6 address negotiation protocol reject packets. · SEND_IPV6CP_TERM_REQ—Number of sent IPv6 address negotiation termination request packets. · RECV_IPV6CP_TERM_REQ—Number of received IPv6 address negotiation termination request packets. · SEND_IPV6CP_TERM_ACK—Number of sent IPv6 address negotiation termination ACK packets. · RECV_IPV6CP_TERM_ACK—Number of received IPv6 address negotiation termination ACK packets. · SEND_IPV6CP_FAIL—Number of sent IPv6 address negotiation failure packets. |
OSICP | OSICP packet statistics. · SEND_OSICP_CON_REQ—Number of sent OSI address negotiation request packets. · RECV_OSICP_CON_REQ—Number of received OSI address negotiation request packets. · SEND_OSICP_CON_NAK—Number of sent OSI address negotiation NAK packets. · RECV_OSICP_CON_NAK—Number of received OSI address negotiation NAK packets. · SEND_OSICP_CON_REJ—Number of sent OSI address negotiation reject packets. · RECV_OSICP_CON_REJ—Number of received OSI address negotiation reject packets. · SEND_OSICP_CON_ACK—Number of sent OSI address negotiation ACK packets. · RECV_OSICP_CON_ACK—Number of received OSI address negotiation ACK packets. · SEND_OSICP_CODE_REJ—Number of sent OSI address negotiation code reject packets. · RECV_OSICP_CODE_REJ—Number of received OSI address negotiation code reject packets. · SEND_OSICP_PROT_REJ—Number of sent OSI address negotiation protocol reject packets. · RECV_OSICP_PROT_REJ—Number of received OSI address negotiation protocol reject packets. · SEND_OSICP_TERM_REQ—Number of sent OSI address negotiation termination request packets. · RECV_OSICP_TERM_REQ—Number of received OSI address negotiation termination request packets. · SEND_OSICP_TERM_ACK—Number of sent OSI address negotiation termination ACK packets. · RECV_OSICP_TERM_ACK—Number of received OSI address negotiation termination ACK packets. · SEND_OSICP_FAIL—Number of sent OSI address negotiation failure packets. |
MPLSCP | MPLSCP packet statistics. · SEND_MPLSCP_CON_REQ—Number of sent MPLS address negotiation request packets. · RECV_MPLSCP_CON_REQ—Number of received MPLS address negotiation request packets. · SEND_MPLSCP_CON_NAK—Number of sent MPLS address negotiation NAK packets. · RECV_MPLSCP_CON_NAK—Number of received MPLS address negotiation NAK packets. · SEND_MPLSCP_CON_REJ—Number of sent MPLS address negotiation reject packets. · RECV_MPLSCP_CON_REJ—Number of received MPLS address negotiation reject packets. · SEND_MPLSCP_CON_ACK—Number of sent MPLS address negotiation ACK packets. · RECV_MPLSCP_CON_ACK—Number of received MPLS address negotiation ACK packets. · SEND_MPLSCP_CODE_REJ—Number of sent MPLS address negotiation code reject packets. · RECV_MPLSCP_CODE_REJ—Number of received MPLS address negotiation code reject packets. · SEND_MPLSCP_PROT_REJ—Number of sent MPLS address negotiation protocol reject packets. · RECV_MPLSCP_PROT_REJ—Number of received MPLS address negotiation protocol reject packets. · SEND_MPLSCP_TERM_REQ—Number of sent MPLS address negotiation termination request packets. · RECV_MPLSCP_TERM_REQ—Number of received MPLS address negotiation termination request packets. · SEND_MPLSCP_TERM_ACK—Number of sent MPLS address negotiation termination ACK packets. · RECV_MPLSCP_TERM_ACK—Number of received MPLS address negotiation termination ACK packets. · SEND_MPLSCP_FAIL—Number of sent MPLS address negotiation failure packets. |
AUTH | Authentication packet statistics. · SEND_PAP_AUTH_REQ—Number of sent PAP authentication request packets. · RECV_PAP_AUTH_REQ—Number of received PAP authentication request packets. · SEND_PAP_AUTH_ACK—Number of sent PAP authentication ACK packets. · RECV_PAP_AUTH_ACK—Number of received PAP authentication ACK packets. · SEND_PAP_AUTH_NAK—Number of sent PAP authentication NAK packets. · RECV_PAP_AUTH_NAK—Number of received PAP authentication NAK packets. · SEND_CHAP_AUTH_CHALLENGE—Number of sent CHAP authentication request packets. · RECV_CHAP_AUTH_CHALLENGE—Number of received CHAP authentication request packets. · SEND_CHAP_AUTH_RESPONSE—Number of sent CHAP authentication response packets. · RECV_CHAP_AUTH_RESPONSE—Number of received CHAP authentication response packets. · SEND_CHAP_AUTH_ACK—Number of sent CHAP authentication ACK packets. · RECV_CHAP_AUTH_ACK—Number of received CHAP authentication ACK packets. · SEND_CHAP_AUTH_NAK—Number of sent CHAP authentication NAK packets. · RECV_CHAP_AUTH_NAK—Number of received CHAP authentication NAK packets. · SEND_PAP_AUTH_FAIL—Number of sent PAP authentication failure packets. · SEND_CHAP_AUTH_FAIL—Number of sent CHAP authentication failure packets. |
Related commands
reset ppp packet statistics
interface virtual-template
Use interface virtual-template to create a VT interface and enter its view, or enter the view of an existing VT interface.
Use undo interface virtual-template to remove a VT interface.
Syntax
interface virtual-template number
undo interface virtual-template number
Default
No VT interfaces exist.
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies a VT interface by its number. The value range for this argument is 0 to 1023.
Usage guidelines
To remove a VT interface, make sure all the corresponding VA interfaces are removed and the VT interface is not in use.
Examples
# Create interface Virtual-Template 10.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10]
ip address ppp-negotiate
Use ip address ppp-negotiate to enable IP address negotiation on an interface, so that the interface can accept the IP address allocated by the server.
Use undo ip address ppp-negotiate to restore the default.
Syntax
ip address ppp-negotiate
undo ip address ppp-negotiate
Default
IP address negotiation is disabled on an interface.
Views
Virtual-PPP interface view
Predefined user roles
network-admin
Usage guidelines
If you execute the ip address ppp-negotiate and ip address commands multiple times, the most recent configuration takes effect.
Examples
# Enable IP address negotiation on Virtual-PPP 10.
<Sysname> system-view
[Sysname] interface virtual-ppp 10
[Sysname-Virtual-PPP10] ip address ppp-negotiate
Related commands
ip address (Layer 3—IP Services Command Reference)
remote address
ppp accept remote-ip-address
Use ppp accept remote-ip-address to configure a BRAS to allow a remote user to come online by using a self-configured static IP address.
Use undo ppp accept remote-ip-address to restore the default.
Syntax
ppp accept remote-ip-address
undo ppp accept remote-ip-address
Default
A BRAS does not allow a remote user to come online by using a self-configured static IP address.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
This feature applies to only PPPoE users in the BRAS access scenario.
By default, a PPPoE user must use an IP address dynamically allocated by the BRAS (PPPoE server) or authorized by the AAA server during the onboarding process, and a BRAS does not allow a user to come online by using a self-configured static IP address.
For a user to come online by using a self-configured static IP address on some networks, configure this feature. With this feature configured, a BRAS allows a remote user to come online by using a self-configured static IP address. After the user passes authentication and comes online, the BRAS maintains session information for the user based on the static IP address.
To avoid IP conflicts between users, plan the IP addresses reasonably. Make sure the dynamically allocated IP addresses do not contain static IP addresses used by access users and the static IP address of each access user is unique. If you cannot do that, the user cannot come online in the IPv4 protocol stack because of IP address conflicts.
Examples
# Configure the BRAS on Virtual-Template 1 to allow a remote user to come online by using a self-configured static IP address.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp accept remote-ip-address
ppp accept remote-ipv6-address
Use ppp accept remote-ipv6-address to configure a BRAS to allow a remote user to come online by using a self-configured static IPv6 global unicast address.
Use undo ppp accept remote-ipv6-address to restore the default.
Syntax
ppp accept remote-ipv6-address
undo ppp accept remote-ipv6-address
Default
A BRAS does not allow a remote user to come online by using a self-configured static IPv6 global unicast address.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
This feature applies to only PPPoE users in the BRAS access scenario.
By default, a PPPoE user must use an IPv6 global unicast address dynamically allocated by the BRAS (PPPoE server) or authorized by the AAA server during the onboarding process, and a BRAS does not allow a user to come online by using a self-configured static IPv6 global unicast address.
For a user to come online by using a self-configured static IPv6 global unicast address on some networks, configure this feature. With this feature configured, a BRAS allows a remote user to come online by using a self-configured static IPv6 global unicast address. After the user passes authentication and comes online, the BRAS maintains session information for the user based on the static IPv6 global unicast address.
To avoid static IPv6 global unicast address conflicts between users, plan the IPv6 global unicast addresses reasonably. Make sure the dynamically allocated IPv6 global unicast addresses do not contain static IPv6 global unicast addresses used by access users and the static IPv6 global unicast address of each access user is unique. If you cannot do that, the user cannot come online in the IPv6 protocol stack because of IPv6 address conflicts.
Examples
# Configure the BRAS on Virtual-Template 1 to allow a remote user to come online by using a self-configured static IPv6 global unicast address.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp accept remote-ipv6-address
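The address-planning rule in the usage guidelines for ppp accept remote-ip-address and ppp accept remote-ipv6-address (static addresses must be unique and must not fall inside the dynamically allocated ranges) can be checked offline before the feature is enabled. The following Python check is an added example, not part of the command reference: the plan format, the function names, and all addresses and usernames are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def parse_pool(spec):
    """Accept 'prefix/len' or 'first-last' and return a list of networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def check_address_plan(dynamic_pools, static_assignments):
    """Return sorted (kind, address, detail) findings for an address plan.

    dynamic_pools      -- pool specs handed out dynamically (IPv4 and/or IPv6)
    static_assignments -- {user: [self-configured static addresses]}
    """
    nets = [(spec, net) for spec in dynamic_pools for net in parse_pool(spec)]
    owners = defaultdict(list)
    findings = []
    for user, addresses in static_assignments.items():
        for text in addresses:
            # ip_address() normalises the spelling, so two textual forms of
            # the same IPv6 address are recognised as one address.
            addr = ipaddress.ip_address(text)
            owners[addr].append(user)
            for spec, net in nets:
                if addr.version == net.version and addr in net:
                    findings.append(("static-in-dynamic-pool", str(addr),
                                     f"{user} overlaps {spec}"))
                    break
    for addr, users in owners.items():
        if len(users) > 1:
            findings.append(("duplicate-static", str(addr),
                             ", ".join(sorted(users))))
    return sorted(findings)


# Constructed sample plan (documentation and private address ranges only).
SAMPLE_POOLS = ["10.1.0.0/24", "10.1.1.10-10.1.1.200", "2001:db8:100::/48"]
SAMPLE_STATICS = {
    "alice@isp1": ["10.1.2.5", "2001:db8:200::5"],
    "bob@isp1": ["10.1.1.50"],                       # inside the IPv4 range
    "carol@isp1": ["10.1.2.5"],                      # same address as alice
    "dave@isp1": ["2001:0db8:0100:0000:0000:0000:0000:0001"],  # inside IPv6 pool
    "erin@isp1": ["2001:DB8:200:0::5"],              # alice's IPv6, other spelling
}

if __name__ == "__main__":
    for kind, address, detail in check_address_plan(SAMPLE_POOLS, SAMPLE_STATICS):
        print(f"{kind:24} {address:20} {detail}")
```

An empty result means the plan satisfies both conditions stated in the usage guidelines; any finding is a user who would fail to come online in that protocol stack because of an address conflict.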
mtu
Use mtu to set the MTU size of an interface.
Use undo mtu to restore the default.
Syntax
mtu size
undo mtu
Default
The MTU is 1492 bytes for a VT interface.
Views
VT interface view
Predefined user roles
network-admin
Parameters
size: Specifies the MTU size. The value range varies by device model.
Usage guidelines
The MTU size setting of an interface affects the fragmentation and reassembly of IP packets on that interface.
Examples
# Set the MTU size of Virtual-Template 10 to 1400 bytes.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] mtu 1400
ppp authentication chasten
Use ppp authentication chasten to enable PPP user blocking.
Use undo ppp authentication chasten to disable PPP user blocking.
Syntax
ppp authentication chasten auth-failure auth-period blocking-period
undo ppp authentication chasten
Default
A PPP user will be blocked for 300 seconds if the user fails authentication six consecutive times within 60 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
auth-failure: Specifies the maximum number of consecutive PPP authentication failures allowed in the detection period. The value range is 1 to 1000.
auth-period: Specifies the detection period of consecutive PPP authentication failures, in the range of 1 to 3600 seconds.
blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds.
Usage guidelines
This feature blocks a PPP user for a period if the user fails authentication consecutively for the specified number of times within the detection period. Packets from blocked users are discarded during the blocking period. This feature helps prevent unauthorized users from obtaining the password by exhaustive guessing (brute force), and reduces the number of authentication packets sent to the authentication server.
For example, the device is configured to block a user if the user fails authentication five consecutive times within 60 seconds. If the user fails authentication at the 100th second and has failed authentication five consecutive times within the latest detection period (from the 40th second to the 100th second), the user will be blocked.
Packets from the blocked users will be processed when the blocking period expires.
This feature identifies users by username and domain name. Users that have the same username but belong to different domains are processed as different users.
Examples
# Configure the device to block a user for 1000 seconds if the consecutive authentication failures of the user reach 100 times within 500 seconds.
<Sysname> system-view
[Sysname] ppp authentication chasten 100 500 1000
Related commands
display ppp chasten statistics
display ppp chasten user
ppp authentication chasten per-mac
Use ppp authentication chasten per-mac to enable per-MAC PPP user blocking.
Use undo authentication chasten per-mac to disable per-MAC PPP user blocking.
Syntax
ppp authentication chasten per-mac [ multi-sessions ] auth-failure auth-period blocking-period
undo authentication chasten per-mac
Default
Per-MAC PPP user blocking is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
multi-sessions: Specifies that this feature takes effect on a PPP user that establishes multiple sessions simultaneously. If you do not specify this keyword, this feature takes effect only on a PPP user that can establish only one session at a time. When a MAC address can establish more than one PPP session, you must specify this keyword for per-MAC PPP user blocking to take effect on such PPP users.
auth-failure: Specifies the maximum number of consecutive PPP authentication failures allowed in the detection period. The value range is 1 to 1000.
auth-period: Specifies the detection period of consecutive PPP authentication failures, in the range of 1 to 3600 seconds.
blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds.
Usage guidelines
A small home router whose account is overdue can repeatedly perform PPPoE dialup while automatically and frequently changing usernames. To avoid this problem, you can enable per-MAC PPP user blocking. This feature uniquely identifies a blocked user by its MAC address, inner VLAN, outer VLAN, and access interface.
This feature blocks PPP users using the same MAC address for a period if these users fail authentication consecutively for the specified number of times within the detection period. Packets from blocked users are discarded during the blocking period. This feature helps prevent unauthorized users from obtaining the password by exhaustive guessing (brute force), and reduces the number of authentication packets sent to the authentication server. For example, the device is configured to block a user if the user fails authentication five consecutive times within 60 seconds. If the user fails authentication at the 100th second and has failed authentication five consecutive times within the latest detection period (from the 40th second to the 100th second), the user will be blocked. Packets from the blocked users will be processed when the blocking period expires.
The device supports attack defense for PPP users through the following commands. When both commands are executed, they both take effect.
· The ppp authentication chasten command uniquely identifies a blocked user by username and domain name.
· The ppp authentication chasten per-mac command uniquely identifies a blocked user by its MAC address, inner VLAN, outer VLAN, and access interface.
In the current software version, this feature applies to only PPPoE users.
Examples
# Configure the device to block a user for 1000 seconds if the consecutive authentication failures of the user reach 100 times within 500 seconds.
<Sysname> system-view
[Sysname] ppp authentication chasten per-mac 100 500 1000
Related commands
display ppp chasten per-mac
reset ppp chasten per-mac blocked
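The following added example (not vendor code) models the two blocking features described above as a sliding window of consecutive failures, and replays a constructed series of attempts to show why the per-username key misses a client that rotates usernames while the per-MAC key catches it. The event fields, the sample MAC address, VLANs and interface name are assumptions made for the illustration; the device's internal implementation is not documented on this page.

```python
from collections import defaultdict, deque


def by_user(event):
    """Key used by 'ppp authentication chasten': username plus domain name."""
    userid, sep, domain = event["username"].rpartition("@")
    if not sep:                      # no '@': the name carries no domain
        userid, domain = event["username"], ""
    return (userid, domain.lower())  # domain names are case-insensitive


def by_mac(event):
    """Key used by 'ppp authentication chasten per-mac'."""
    return (event["mac"], event["c_vlan"], event["s_vlan"], event["ifname"])


class ChastenModel:
    """Simplified model: block a key after auth_failure consecutive failures
    inside auth_period seconds, then drop its packets for blocking_period."""

    def __init__(self, auth_failure, auth_period, blocking_period, key_fn):
        self.auth_failure = auth_failure
        self.auth_period = auth_period
        self.blocking_period = blocking_period
        self.key_fn = key_fn
        self.failures = defaultdict(deque)  # key -> times of consecutive failures
        self.blocked_until = {}             # key -> time at which the block expires

    def is_blocked(self, key, now):
        until = self.blocked_until.get(key)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(key, None)   # blocking period expired
        return False

    def attempt(self, event):
        """Return 'dropped', 'ok', 'fail' or 'blocked' for one attempt."""
        key, now = self.key_fn(event), event["t"]
        if self.is_blocked(key, now):
            return "dropped"
        window = self.failures[key]
        if event["ok"]:
            window.clear()                  # a success ends the consecutive run
            return "ok"
        window.append(now)
        # Keep only failures inside the latest detection period [now - period, now].
        while window and window[0] < now - self.auth_period:
            window.popleft()
        if len(window) >= self.auth_failure:
            self.blocked_until[key] = now + self.blocking_period
            window.clear()
            return "blocked"
        return "fail"


def replay(model, events):
    return [model.attempt(e) for e in events]


def make_event(t, username, mac="0011-2233-4455", ok=False):
    # Constructed sample values; not taken from any real device.
    return {"t": t, "ok": ok, "username": username, "mac": mac,
            "c_vlan": 2, "s_vlan": 1, "ifname": "GE1/0/1"}


def rotating_cpe(n, step=5):
    """Constructed input: one CPE, a new username on every failed dialup."""
    return [make_event(i * step, f"u{i}@isp") for i in range(n)]


def single_user(times):
    """Constructed input: the same user failing at the given seconds."""
    return [make_event(t, "alice@isp", mac="0011-2233-4466") for t in times]


if __name__ == "__main__":
    events = rotating_cpe(8)
    print("per-username:", replay(ChastenModel(5, 60, 300, by_user), events))
    print("per-MAC     :", replay(ChastenModel(5, 60, 300, by_mac), events))
    # The worked example from the text: the fifth failure in 40..100 s blocks.
    print("single user :", replay(ChastenModel(5, 60, 300, by_user),
                                  single_user([10, 40, 55, 70, 85, 100])))
```
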
ppp authentication-mode
Use ppp authentication-mode to configure PPP authentication on an interface.
Use undo ppp authentication-mode to restore the default.
Syntax
ppp authentication-mode { chap | ms-chap | ms-chap-v2 | pap } * [ domain { isp-name | default enable isp-name } ]
undo ppp authentication-mode
Default
PPP authentication is disabled on an interface.
Views
Virtual-template interface view
Predefined user roles
network-admin
Parameters
chap: Uses CHAP authentication.
ms-chap: Uses MS-CHAP authentication.
ms-chap-v2: Uses MS-CHAP-V2 authentication.
pap: Uses PAP authentication.
domain isp-name: Specifies the forced PPP authentication domain by its name, a case-insensitive string of 1 to 255 characters. The isp-name argument cannot be d, de, def, defa, defau, defaul, or default.
default enable isp-name: Specifies the non-forced PPP authentication domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
PPP authentication includes the following categories:
· PAP—Two-way handshake authentication. The password is in plain text or cipher text.
· CHAP—Three-way handshake authentication. The password is in plain text or cipher text.
· MS-CHAP—Three-way handshake authentication. The password is in cipher text.
· MS-CHAP-V2—Three-way handshake authentication. The password is in cipher text.
You can configure multiple authentication modes.
In any PPP authentication mode, AAA determines whether a user can pass the authentication through a local authentication database or an AAA server. For more information about AAA authentication, see BRAS Services Configuration Guide.
If multiple ISP domains are available, the ISP domains are used in the following order:
1. If the ppp authentication-mode command is executed to specify an authentication domain, a domain is selected as follows:
¡ If a forced PPP authentication domain is specified and the domain exists, the forced PPP authentication domain is used. Otherwise, proceed with step 2.
¡ If a non-forced PPP authentication domain is specified, the device first obtains the domain in the username and operates as follows:
- If the username carries a domain and the domain exists, the domain carried in the username is used. If the domain carried in the username does not exist, proceed with step 2.
- If the username does not carry a domain, the non-forced PPP authentication domain is used. If the non-forced PPP authentication domain does not exist, proceed with step 2.
2. Use the authentication domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Examples
# Configure Virtual-Template 10 to authenticate the peer by using PAP.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] ppp authentication-mode pap
Related commands
local-user (BRAS Services Command Reference)
ppp chap password
ppp chap user
ppp pap local-user
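The domain selection order in the usage guidelines above can be written as a small decision function. This is an added illustration, not vendor code: it shows that only the forced form ignores a domain carried in the username. Splitting the username at the last at sign follows the abc@ppp@dm1 examples of the reset ppp chasten blocked-user command on this page; the function names and the AAA_SELECTED placeholder for step 2 are assumptions.

```python
AAA_SELECTED = "<domain selected by the AAA module>"  # step 2; its rules are not on this page


def split_username(username):
    """Split userid@isp-name at the last '@'; return (userid, domain or None)."""
    userid, sep, domain = username.rpartition("@")
    if not sep:
        return username, None
    return userid, (domain or None)


def select_auth_domain(username, existing_domains, forced=None, non_forced=None):
    """Return the ISP domain used to authenticate `username`.

    forced      models 'ppp authentication-mode ... domain isp-name'
    non_forced  models 'ppp authentication-mode ... domain default enable isp-name'
    """
    if forced is not None and non_forced is not None:
        raise ValueError("the syntax accepts one domain form, not both")
    existing = {d.lower() for d in existing_domains}   # names are case-insensitive

    def usable(name):
        return name is not None and name.lower() in existing

    if forced is not None:
        # Step 1, forced form: the username's own domain is never consulted.
        return forced.lower() if usable(forced) else AAA_SELECTED
    if non_forced is not None:
        # Step 1, non-forced form: a domain carried in the username wins.
        _, carried = split_username(username)
        if carried is not None:
            return carried.lower() if usable(carried) else AAA_SELECTED
        return non_forced.lower() if usable(non_forced) else AAA_SELECTED
    # No domain configured in the command: step 2.
    return AAA_SELECTED


if __name__ == "__main__":
    domains = ["dm1", "dm2"]          # constructed set of existing ISP domains
    cases = [
        ("bob@dm2", {"forced": "dm1"}),
        ("bob@dm2", {"non_forced": "dm1"}),
        ("bob@nope", {"non_forced": "dm1"}),
        ("bob", {"non_forced": "dm1"}),
        ("bob", {}),
    ]
    for name, cfg in cases:
        print(f"{name:10} {cfg!s:26} -> {select_auth_domain(name, domains, **cfg)}")
```
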
ppp chap password
Use ppp chap password to set the password for CHAP authentication on an interface.
Use undo ppp chap password to restore the default.
Syntax
ppp chap password { cipher | simple } string
undo ppp chap password
Default
No password is set for CHAP authentication on an interface.
Views
Virtual-PPP interface view
Predefined user roles
network-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.
Examples
# Set the password for CHAP authentication to plaintext password sysname on Virtual-PPP 10.
<Sysname> system-view
[Sysname] interface virtual-ppp 10
[Sysname-Virtual-PPP10] ppp chap password simple sysname
Related commands
ppp authentication-mode chap
ppp chap user
Use ppp chap user to set the username for CHAP authentication on an interface.
Use undo ppp chap user to restore the default.
Syntax
ppp chap user username
undo ppp chap user
Default
The username for CHAP authentication is null on an interface.
Views
Virtual-PPP interface view
Predefined user roles
network-admin
Parameters
username: Specifies the username for CHAP authentication, a case-sensitive string of 1 to 80 characters. The username is sent to the peer for the local device to be authenticated.
Usage guidelines
To pass CHAP authentication, the username/password of one side must be the local username/password on the peer.
Examples
# Set the username for CHAP authentication to Root on Virtual-PPP 10.
<Sysname> system-view
[Sysname] interface virtual-ppp 10
[Sysname-Virtual-PPP10] ppp chap user Root
Related commands
ppp authentication-mode chap
ppp ipcp dns
Use ppp ipcp dns to configure the primary and secondary DNS server IP addresses to be allocated in PPP negotiation on an interface.
Use undo ppp ipcp dns to delete the primary and secondary DNS server IP addresses to be allocated in PPP negotiation on an interface.
Syntax
ppp ipcp dns primary-dns-address [ secondary-dns-address ]
undo ppp ipcp dns primary-dns-address [ secondary-dns-address ]
Default
The DNS server IP addresses to be allocated in PPP negotiation are not configured on an interface.
Views
Virtual-template interface view
Predefined user roles
network-admin
Parameters
primary-dns-address: Specifies a primary DNS server IP address.
secondary-dns-address: Specifies a secondary DNS server IP address.
Usage guidelines
A device can assign DNS server IP addresses to its peer during PPP negotiation when the peer initiates requests.
To check the allocated DNS server IP addresses, execute the winipcfg or ipconfig /all command on the host.
Examples
# Set the primary and secondary DNS server IP addresses to 100.1.1.1 and 100.1.1.2 for the peer on Virtual-Template 1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp ipcp dns 100.1.1.1 100.1.1.2
ppp ipcp remote-address match
Use ppp ipcp remote-address match to enable the IP segment match feature for PPP IPCP negotiation on an interface.
Use undo ppp ipcp remote-address match to restore the default.
Syntax
ppp ipcp remote-address match
undo ppp ipcp remote-address match
Default
The IP segment match feature is disabled for PPP IPCP negotiation on an interface.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Usage guidelines
This command enables the local interface to check whether its IP address and the IP address of the remote interface are in the same network segment. If they are not, IPCP negotiation fails.
Examples
# Enable the IP segment match feature on Virtual-Template 1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp ipcp remote-address match
ppp keepalive datacheck
Use ppp keepalive datacheck to configure a VT interface not to perform keepalive detection when the uplink traffic of PPP users is updated.
Use undo ppp keepalive datacheck to restore the default.
Syntax
ppp keepalive datacheck
undo ppp keepalive datacheck
Default
No matter whether the uplink traffic of PPP users is updated within a keepalive interval, keepalive packets are sent to detect online users after the keepalive interval expires.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
By default, if the configured keepalive interval (timer-hold seconds) or keepalive retry limit (timer-hold retry retries) is small, users might go offline because the interface cannot receive keepalive packets from the peer when congestion occurs in the network. To prevent keepalive packets from making the congestion deteriorate or causing users to frequently go offline, execute the ppp keepalive datacheck command.
With this command executed, if the uplink traffic of PPP users is updated within a keepalive interval, the keepalive timer is reset, and online detection will not be performed. Otherwise, keepalive packets are sent to detect online users after the keepalive interval expires. For example, suppose you set the keepalive interval to 10 seconds by using the timer-hold command. If uplink traffic of PPP users is updated at the 5th second, the keepalive timer is reset. In this way, the sending of keepalive packets is delayed. If uplink traffic is updated within the next keepalive interval (10 seconds), the keepalive timer is reset again.
Examples
# Configure Virtual-Template 1 not to perform keepalive detection when the uplink traffic of PPP users is updated.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp keepalive datacheck
Related commands
timer-hold
timer-hold retry
ppp keepalive fast-reply enable
Use ppp keepalive fast-reply enable to enable fast reply for keepalive packets.
Use undo ppp keepalive fast-reply enable to disable fast reply for keepalive packets.
Syntax
ppp keepalive fast-reply enable
undo ppp keepalive fast-reply enable
Default
Fast reply is enabled for keepalive packets.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature allows the hardware to automatically identify and reply to incoming keepalive requests. This feature can prevent DDoS attacks.
As a best practice, do not disable this feature.
Examples
# Enable fast reply for keepalive packets.
<Sysname> system-view
[Sysname] ppp keepalive fast-reply enable
ppp lcp delay
Use ppp lcp delay to set the LCP negotiation delay timer.
Use undo ppp lcp delay to restore the default.
Syntax
ppp lcp delay milliseconds
undo ppp lcp delay
Default
PPP starts LCP negotiation immediately after the physical layer comes up.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Parameters
milliseconds: Specifies the LCP negotiation delay timer in the range of 1 to 10000 milliseconds.
Usage guidelines
If two ends of a PPP link vary greatly in the LCP negotiation packet processing rate, execute this command on the end with a higher processing rate. The LCP negotiation delay timer prevents frequent LCP negotiation packet retransmission. After the physical layer comes up, PPP starts LCP negotiation when the delay timer expires. If PPP receives LCP negotiation packets before the delay timer expires, it starts LCP negotiation immediately.
Examples
# Set the LCP negotiation delay timer to 130 milliseconds on Virtual-Template 1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp delay 130
ppp magic-number-check
Use ppp magic-number-check to enable magic number check for PPP.
Use undo ppp magic-number-check to disable magic number check for PPP.
Syntax
ppp magic-number-check
undo ppp magic-number-check
Default
Magic number check is disabled for PPP.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Usage guidelines
In the PPP link establishment process, the magic number is negotiated. After the negotiation, both the local end and the peer end save their magic numbers locally.
The local end sends Echo-Request packets carrying its own magic number. When magic number check is enabled on both the local end and the peer end, the peer end will compare its own magic number with the magic number in the received Echo-Request packets. If they are the same, the link status is considered as normal, and the peer end replies with Echo-Reply packets carrying its own magic number. The local end also compares its own magic number with the magic number carried in the received Echo-Reply packets.
A link is disconnected and LCP negotiation is restarted when either of the following events occurs on either end:
· When fast reply for keepalive packets is enabled:
¡ The magic number check fails for five Echo-Request packets in total.
¡ The magic number check fails for five consecutive Echo-Reply packets.
· When fast reply for keepalive packets is disabled, the magic number check fails for five consecutive Echo-Request or Echo-Reply packets.
Only the end with magic number check enabled can check the magic number in received Echo-Request or Echo-Reply packets.
Examples
# Enable magic number check for PPP on Virtual-Template 1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp magic-number-check
Related commands
ppp keepalive fast-reply enable
ppp mru-check enable
Use ppp mru-check enable to enable maximum receive unit (MRU) check for PPP packets.
Use undo ppp mru-check enable to disable MRU check for PPP packets.
Syntax
ppp mru-check enable
undo ppp mru-check enable
Default
MRU check for PPP packets is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
In the PPP Link Establishment phase, the MRU value is negotiated in the LCP negotiation. When the MTUs of the interfaces on the two ends of a link are different, PPP uses the smaller MTU as the link MTU.
By default, the device does not perform MRU check if the MTU in a received PPP packet is larger than the negotiated MRU. With MRU check enabled, the device discards a received PPP packet if the MTU in the packet is larger than the negotiated MRU.
As a best practice to enhance system security, enable MRU check. Otherwise, a fake peer might attack the device by sending a large number of PPP packets with MTUs larger than the negotiated MRU.
Examples
# Enable MRU check for PPP packets.
<Sysname> system-view
[Sysname] ppp mru-check enable
ppp pap local-user
Use ppp pap local-user to set the local username and password for PAP authentication on an interface.
Use undo ppp pap local-user to restore the default.
Syntax
ppp pap local-user username password { cipher | simple } string
undo ppp pap local-user
Default
The local username and password for PAP authentication are blank on an interface.
Views
Virtual-PPP interface view
Predefined user roles
network-admin
Parameters
username: Specifies the username of the local device for PAP authentication, a case-sensitive string of 1 to 80 characters.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.
Usage guidelines
For the local device to pass PAP authentication on the peer, make sure the username and password configured for the local device are also configured on the peer. You can configure the peer's username and password by using the local-user username and password { cipher | simple } string commands, respectively.
Examples
# Set the local username and password for PAP authentication to user1 and plaintext pass1 on Virtual-PPP 10.
<Sysname> system-view
[Sysname] interface virtual-ppp 10
[Sysname-Virtual-PPP10] ppp pap local-user user1 password simple pass1
Related commands
local-user (BRAS Services Command Reference)
password (BRAS Services Command Reference)
ppp session-threshold
Use ppp session-threshold to configure the online PPP session count alarm thresholds on the device.
Use undo ppp session-threshold to restore the default.
Syntax
ppp session-threshold { lower-limit lower-limit-value | upper-limit upper-limit-value }
undo ppp session-threshold { lower-limit | upper-limit }
Default
On the device, the upper online PPP session count alarm threshold is 100, and the lower online PPP session count alarm threshold is 0.
Views
System view
Predefined user roles
network-admin
Parameters
lower-limit lower-limit-value: Specifies the lower online PPP session count alarm threshold in the range of 0 to 99. The configured value is a percentage of the maximum number of online PPP sessions allowed.
upper-limit upper-limit-value: Specifies the upper online PPP session count alarm threshold in the range of 1 to 100. The configured value is a percentage of the maximum number of online PPP sessions allowed.
Usage guidelines
The online PPP session count on the device refers to the total number of online PPP sessions on the device.
You can use this command to set the upper alarm threshold and lower alarm threshold for the PPP session count. When the PPP session count exceeds the upper alarm threshold or drops below the lower threshold, an alarm is triggered automatically. Then, the administrator can promptly know the online user conditions of the network. Additionally, the administrator can use the display access-user command to view the total number of online PPP sessions.
The user session count alarm function counts only PPPoE user sessions that occupy session resources. Either a single-stack PPPoE user or dual-stack PPPoE user occupies one session resource.
Suppose the maximum number of online PPP sessions allowed is a, the upper alarm threshold is b, and the lower alarm threshold is c. The following rules apply:
· When the online PPP session count exceeds a×b or drops below a×c, the corresponding alarm information is output.
· When the online PPP session count returns between the upper alarm threshold and lower alarm threshold, the alarm clearing information is output.
In some special cases, the online PPP session count frequently changes in the critical range, which causes frequent output of alarm information and alarm clearing information. To avoid this problem, the system introduces a buffer area when the online PPP session count recovers from the upper or lower threshold. The buffer area size is 10% of the difference between the upper threshold and the lower threshold. Suppose the buffer area size is d. Then, d=a×(b-c)÷10. When the online PPP session count drops below a×b-d or exceeds a×c+d, the alarm clearing information is output.
For example, suppose a is 1000, b is 80%, and c is 20%. Then, d= a×(b-c)÷10=1000×(80%-20%)÷10=1000×60%÷10=600÷10=60.
When the online PPP session count exceeds the upper threshold a×b=1000×80%=800, the upper threshold alarm is output. When the online PPP session count falls back below a×b-d=800-60=740, the alarm clearing information is output.
When the online PPP session count drops below the lower threshold a×c=1000×20%=200, the lower threshold alarm is output. When the online PPP session count rises back above a×c+d=200+60=260, the alarm clearing information is output.
The upper threshold alarm information output and the alarm clearing information output both contain logs and traps. For traps to be correctly sent to the NMS host, you must execute the snmp-agent trap enable user-warning-threshold command in addition to configuring the SNMP alarm feature correctly.
Examples
# Set the upper online PPP session count threshold to 80% on the device.
<Sysname> system-view
[Sysname] ppp session-threshold upper-limit 80
Related commands
snmp-agent trap enable user-warning-threshold (BRAS Services Command Reference)
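The alarm and buffer-area rules above form a hysteresis state machine. The following added example (not vendor code) implements them with the document's symbols a, b, c and d and replays a constructed series of session counts that hovers around the upper threshold, with and without the buffer area. The class name, method names and event strings are assumptions.

```python
class SessionThresholdAlarm:
    """Model of the upper/lower session count alarms with the buffer area d."""

    def __init__(self, max_sessions, upper_pct=100, lower_pct=0, use_buffer=True):
        self.upper = max_sessions * upper_pct / 100      # a×b
        self.lower = max_sessions * lower_pct / 100      # a×c
        # d = a×(b-c)÷10; use_buffer=False models clearing as soon as the
        # count returns between the two thresholds.
        self.d = (self.upper - self.lower) / 10 if use_buffer else 0
        self.state = "normal"                            # normal | upper | lower

    def update(self, count):
        """Feed one session count sample; return the events it triggers."""
        events = []
        if self.state == "upper" and count < self.upper - self.d:
            self.state = "normal"
            events.append("upper alarm cleared")
        elif self.state == "lower" and count > self.lower + self.d:
            self.state = "normal"
            events.append("lower alarm cleared")
        if self.state == "normal":
            if count > self.upper:
                self.state = "upper"
                events.append("upper alarm")
            elif count < self.lower:
                self.state = "lower"
                events.append("lower alarm")
        return events

    def run(self, series):
        """Return [(count, event), ...] for every event raised by the series."""
        out = []
        for count in series:
            out.extend((count, e) for e in self.update(count))
        return out


# Constructed sample: a=1000, b=80%, c=20%, counts flapping around 800 and 200.
SERIES = [790, 805, 795, 801, 760, 739, 250, 199, 230, 261]


def compare(series=SERIES):
    with_buffer = SessionThresholdAlarm(1000, 80, 20).run(series)
    without = SessionThresholdAlarm(1000, 80, 20, use_buffer=False).run(series)
    return with_buffer, without


if __name__ == "__main__":
    buffered, unbuffered = compare()
    print("with buffer area   :", buffered)
    print("without buffer area:", unbuffered)
```
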
ppp timer negotiate
Use ppp timer negotiate to set the PPP negotiation timeout time on an interface.
Use undo ppp timer negotiate to restore the default.
Syntax
ppp timer negotiate seconds
undo ppp timer negotiate
Default
The PPP negotiation timeout time is 3 seconds on an interface.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Parameters
seconds: Specifies the negotiation timeout time in the range of 1 to 10 seconds.
Usage guidelines
In PPP negotiation, if the local device receives no response from the peer during the timeout time after it sends a packet, the local device sends the last packet again.
Examples
# Set the PPP negotiation timeout time to 5 seconds on Virtual-Template 10.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] ppp timer negotiate 5
ppp username check
Use ppp username check to specify that PPP users cannot come online successfully if the online requests do not carry usernames.
Use undo ppp username check to restore the default.
Syntax
ppp username check
undo ppp username check
Default
PPP users can come online successfully if the online requests do not carry usernames.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
The username format is userid@isp-name. A username is considered as empty when both the user ID and ISP domain name are empty. If the user ID is empty but the ISP domain name is not empty, the username is considered as non-empty.
By default, when PPP user online requests do not carry the usernames (the usernames are empty), the following rules apply:
· For PPPoE users, the user MAC addresses in the requests are used as the usernames.
· For L2TP users, the calling numbers in the requests are used as the usernames.
When the device uses the user MAC addresses or calling numbers in the requests as the usernames for AAA authentication, neither the contents nor the format of the information will be modified.
If the network environment requires strict checking of username validity, you can execute this command. With this command executed, when the device receives online requests without usernames from PPPoE or L2TP users, the device does not use the user MAC addresses or calling numbers in the requests as usernames for AAA authentication, and the device directly returns authentication failure to users.
Examples
# Specify that PPP users cannot come online successfully if the online requests do not carry usernames on Virtual-Template 1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp username check
remote address
Use remote address to configure an interface to assign an IP address to the client.
Use undo remote address to restore the default.
Syntax
remote address pool pool-name
undo remote address
Default
An interface does not assign an IP address to the client.
Views
Virtual-template interface view
Predefined user roles
network-admin
Parameters
pool pool-name: Specifies an IP address pool by its name from which an IP address is assigned to the client. The pool name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command can be used when the local interface is configured with an IP address, but the peer has no IP address. To enable the peer to accept the IP address assigned by the local interface (server), configure the ip address ppp-negotiate command on the peer. Then, the peer acts as a client.
This command enables the local interface to forcibly assign an IP address to the peer. If the peer is not configured with the ip address ppp-negotiate command but configured with an IP address, the peer will not accept the assigned address. This results in an IPCP negotiation failure.
To make the configuration of the remote address command take effect, execute this command before the ip address command, which triggers IPCP negotiation. If you execute the remote address command after the ip address command, the server assigns an IP address to the client during the next IPCP negotiation.
After you configure the remote address command, you can execute this command again or the undo form for the peer. However, the new configuration does not take effect until the next IPCP negotiation.
Examples
# Configure Virtual-Template 10 to assign an IP address from address pool aaa to the client.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] remote address pool aaa
Related commands
ip address ppp-negotiate
ip pool
remote address dhcp client-identifier
Use remote address dhcp client-identifier to configure the method of generating DHCP client IDs when PPP users act as DHCP clients.
Use undo remote address dhcp client-identifier to restore the default.
Syntax
remote address dhcp client-identifier { { callingnum | username } [ session-info ] | session-info }
undo remote address dhcp client-identifier
Default
The method of generating DHCP client IDs when PPP users act as DHCP clients is not configured.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Parameters
callingnum: Generates DHCP client IDs based on calling numbers. The calling numbers are carried by calling number AVP in L2TP negotiation packets. A calling number contains the MAC address of a user, the user access interface on the LAC, and the VLANs to which the user belongs. For a user with MAC address 000f-e235-dc71, user access interface XGE3/0/1.1, and belonging to outer VLAN 1 and inner VLAN 2, the calling number is 000f-e235-dc71 XGE3/0/1.1:0001.0002. If the session-info keyword is also specified, the DHCP client IDs are generated based on the calling numbers and PPP sessions.
username: Generates DHCP client IDs based on the PPP usernames. If the session-info keyword is also specified, the DHCP client IDs are generated based on the PPP usernames and PPP sessions.
session-info: Generates DHCP client IDs based on PPP sessions. If only this keyword is specified, the DHCP client IDs are generated based on the user MAC addresses, user VLANs, and PPP sessions.
Usage guidelines
By default, a PPP client selects a new DHCP client ID each time the PPP client requests an IP address through DHCP. The DHCP server then cannot assign the specific IP addresses to the specific clients according to the client IDs. This command generates DHCP client IDs based on calling numbers or PPP usernames for address assignment.
When DHCP client IDs are generated based on PPP usernames, make sure different users use different PPP usernames to come online.
When a user accesses multiple times, PPP will establish multiple sessions for the user. These sessions have the same username, user MAC, and user VLAN. As a result, DHCP will assign the same IP address to these sessions, and DHCPv6 will assign the same ND prefixes when using the one prefix per user method. When the session-info keyword is configured, the DHCP client IDs are generated also based on the PPP sessions. Then, different PPP sessions can be assigned different IP addresses or ND prefixes.
Examples
# Use the PPP usernames as the DHCP client IDs on Virtual-Template 10 when PPP users act as DHCP clients.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] remote address dhcp client-identifier username
reset ppp chasten blocked-user
Use reset ppp chasten blocked-user to unblock users.
Syntax
reset ppp chasten blocked-user [ username user-name ]
Views
User view
Predefined user roles
network-admin
Parameters
username user-name: Specifies a PPP user by its name, a string of 1 to 336 characters. The user-name argument can be in the format of username or username@domain name. The username is a case-sensitive string of 1 to 80 characters. The domain name is a case-insensitive string of 1 to 255 characters. This argument is exactly matched. Only the user exactly matching the specified username is unblocked. For example, if you specify username abc@dm1, only the user named abc in domain dm1 is unblocked. If you specify the username abc, the user named abc in the system default domain is unblocked. If the username contains multiple at signs (@), you must specify the domain for the user. If the username user-name option is not specified, all PPP users are unblocked.
Usage guidelines
By default, a blocked user can be unblocked only when the blocking period expires. During the blocking period, packets from the blocked user are dropped.
This command allows you to manually unblock a PPP user. After a user is unblocked, packets from the user can be processed by the device.
Examples
# Unblock user abc in domain dm1.
<Sysname> reset ppp chasten blocked-user username abc@dm1
# Unblock user abc in the system default domain system.
<Sysname> reset ppp chasten blocked-user username abc
Or
<Sysname> reset ppp chasten blocked-user username abc@system
# Unblock user abc@ppp in domain dm1.
<Sysname> reset ppp chasten blocked-user username abc@ppp@dm1
# Unblock user abc@ppp in the system default domain system.
<Sysname> reset ppp chasten blocked-user username abc@ppp@system
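The following added example (not part of the original command reference and not a device API) resolves a user-name argument to the username and domain it will match, so an operator can check which blocked user a command selects before running it. The function names are hypothetical, and two points are assumptions inferred from the examples above: the text after the last at sign is the domain, and the system default domain is named system.

```python
# Added illustration; function names are hypothetical, not a vendor API.
from typing import NamedTuple

DEFAULT_DOMAIN = "system"  # assumption: default domain name used in the examples


class PppUser(NamedTuple):
    username: str  # case-sensitive, 1 to 80 characters
    domain: str    # case-insensitive, 1 to 255 characters (stored lowercased)


def resolve_user_name(arg: str, default_domain: str = DEFAULT_DOMAIN) -> PppUser:
    """Resolve a user-name argument to the (username, domain) it matches."""
    if not 1 <= len(arg) <= 336:
        raise ValueError("user-name must be 1 to 336 characters")
    if "@" in arg:
        # Assumption from the examples: everything after the LAST at sign is
        # the domain, so a username that itself contains '@' must always be
        # written together with its domain.
        username, domain = arg.rsplit("@", 1)
    else:
        username, domain = arg, default_domain
    if not 1 <= len(username) <= 80:
        raise ValueError("username must be 1 to 80 characters")
    if not 1 <= len(domain) <= 255:
        raise ValueError("domain name must be 1 to 255 characters")
    # Domain names compare case-insensitively; usernames keep their case.
    return PppUser(username, domain.lower())


def same_user(a: str, b: str, default_domain: str = DEFAULT_DOMAIN) -> bool:
    """True if two user-name arguments select the same blocked user."""
    return resolve_user_name(a, default_domain) == resolve_user_name(b, default_domain)


if __name__ == "__main__":
    # Arguments taken from the examples above, plus one ambiguous form.
    for arg in ("abc@dm1", "abc", "abc@system", "abc@ppp@dm1", "abc@ppp"):
        print(f"{arg!r:16} -> {resolve_user_name(arg)}")
```

Under these assumptions, abc@ppp without a trailing domain resolves to user abc in domain ppp rather than user abc@ppp in the default domain, which is why the domain must be given when the username itself contains an at sign.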
Related commands
display ppp chasten statistics
display ppp chasten user
ppp authentication chasten
reset ppp chasten per-mac blocked
Use reset ppp chasten per-mac blocked to unblock PPP users blocked by per-MAC PPP user blocking.
Syntax
reset ppp chasten per-mac blocked [ mac mac-address [ s-vlan vlan-id [ c-vlan vlan-id ] ] ] [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
mac mac-address: Specifies a user by its MAC address. The mac-address argument is in the format of H-H-H.
s-vlan vlan-id: Specifies an outer VLAN. The value range for the vlan-id argument is 1 to 4094.
c-vlan vlan-id: Specifies an inner VLAN. The value range for the vlan-id argument is 1 to 4094.
interface interface-type interface-number: Specifies an interface by its type and number.
Usage guidelines
By default, a blocked user can be unblocked only when the blocking period expires. During the blocking period, packets from the blocked user are dropped.
This command allows you to manually unblock a PPP user. After a user is unblocked, packets from the user can be processed by the device.
If you do not specify any parameter, this command unblocks all PPP users blocked by per-MAC PPP user blocking.
Examples
# Unblock all PPP users blocked by per-MAC PPP user blocking.
<Sysname> reset ppp chasten per-mac blocked
Related commands
display ppp chasten per-mac
ppp authentication chasten per-mac
reset ppp keepalive packet-loss-ratio
Use reset ppp keepalive packet-loss-ratio to clear the packet loss ratio statistics for the PPP user detection packets.
Syntax
reset ppp keepalive packet-loss-ratio [ interface interface-type interface-number ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears entries of all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards.
Usage guidelines
This command can be used only to clear the packet loss ratio statistics for PPPoE and L2TP user detection packets.
After you execute the reset ppp keepalive packet-loss-ratio command to clear the packet loss ratio statistics for detection packets, the device will re-calculate the packet loss ratio and the continuous intervals. When the packet loss ratio meets the alarm conditions continuously for three intervals, an alarm will be output. For more information, see the access-user user-detect packet-loss-ratio-threshold command.
Examples
# Clear the packet loss ratio statistics for the PPP user detection packets on all interfaces.
<Sysname> reset ppp keepalive packet-loss-ratio
Related commands
access-user user-detect packet-loss-ratio-threshold (BRAS Services Command Reference)
display ppp keepalive packet-loss-ratio
reset ppp packet statistics
Use reset ppp packet statistics to clear PPP negotiation packet statistics.
Syntax
reset ppp packet statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards.
Examples
# Clear PPP negotiation packet statistics for the specified slot.
<Sysname> reset ppp packet statistics slot 1
Related commands
timer-hold
Use timer-hold to set the keepalive interval on an interface.
Use undo timer-hold to restore the default.
Syntax
timer-hold seconds
undo timer-hold
Default
The keepalive interval is 10 seconds for a virtual-PPP interface and 60 seconds for a VT interface.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Parameters
seconds: Specifies the interval for sending keepalive packets, in the range of 0 to 32767 seconds. The value 0 disables an interface from sending keepalive packets. In this case, the interface can respond to keepalive packets from the peer.
Usage guidelines
An interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface has received no response to keepalive packets when the keepalive retry limit is reached, it determines that the link has failed and reports a link layer down event.
To set the keepalive retry limit, use the timer-hold retry command.
On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.
Set the keepalive interval on the VT interface to no less than 60 seconds when the following requirements are met:
· You need to separate the accounting for IPv4 and IPv6 traffic of a PPPoE user.
· The PPPoE user goes online through a Layer 3 aggregate interface or a Layer 3 aggregate subinterface.
Examples
# Set the keepalive interval to 20 seconds on Virtual-Template 10.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] timer-hold 20
Related commands
timer-hold retry
timer-hold retry
Use timer-hold retry to set the keepalive retry limit on an interface.
Use undo timer-hold retry to restore the default.
Syntax
timer-hold retry retries
undo timer-hold retry
Default
The keepalive retry limit is 5 for a virtual-PPP interface and 3 for a VT interface.
Views
Virtual-PPP interface view
Virtual-template interface view
Predefined user roles
network-admin
Parameters
retries: Specifies the maximum number of keepalive attempts in the range of 1 to 255.
Usage guidelines
An interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface has received no response to keepalive packets from the peer when the keepalive retry limit is reached, it determines that the link has failed and reports a link layer down event.
To set the keepalive interval, use the timer-hold command.
On a slow link, increase the keepalive retry limit to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.
Examples
# Set the keepalive retry limit to 10 for Virtual-Template 10.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] timer-hold retry 10
Related commands
timer-hold