17-BRAS Services Command Reference


PPP commands

On a CUPS network, this device acts only as a UP. When executing operation commands in this chapter (commands except the display commands), follow these restrictions and guidelines:

·     If a command is tagged with (UPs), this command can be executed only on a UP. Before executing this command on a UP, make sure you are fully aware of the impact of this command on the current network and prevent configuration errors from causing network failures.

·     If a command does not have any tag, this command can be executed only on a CP by default. To execute this command on a UP, do that under the guidance of professionals, make sure you are fully aware of the impact of this command on the current network, and prevent configuration errors from causing network failures.

PPP in this chapter serves only PPPoE and L2TP applications. For more information about PPPoE and L2TP, see “Configuring PPPoE” and “Configuring L2TP.”

bandwidth

Use bandwidth to set the expected bandwidth of an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth (in kbps) is the interface baud rate divided by 1000.

Views

VT interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth of an interface affects the link costs in OSPF, OSPFv3, and IS-IS. For more information, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth of Virtual-Template 10 to 1000 kbps.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] bandwidth 1000

default

Use default to restore the default settings for a VT interface.

Syntax

default

Views

VT interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command before using it on a live network.

 

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use the undo forms of these commands or follow the command reference to individually restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of Virtual-Template 10.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] default

description

Use description to configure the description of an interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description for a VT interface is interface name Interface (for example, Virtual-Template1 Interface).

Views

VT interface view

Predefined user roles

network-admin

Parameters

text: Specifies the interface description, a case-sensitive string of 1 to 255 characters.

Examples

# Set the description for Virtual-Template 10 to virtual-interface.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] description virtual-interface

display interface virtual-template

Use display interface virtual-template to display information about VT interfaces.

Syntax

display interface [ virtual-template [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

virtual-template [ interface-number ]: Specifies an existing VT interface by its number. If you do not specify the virtual-template keyword, the command displays information about all interfaces on the device. If you specify the virtual-template keyword without the interface-number argument, the command displays information about all existing VT interfaces.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays the complete interface description. If you do not specify this keyword, the command displays only the first 27 characters of the interface description if the description contains more than 27 characters.

down: Displays information about interfaces in physically down state and the causes. If you do not specify this keyword, the command displays information about all interfaces.

Examples

# Display detailed information about Virtual-Template 1.

<Sysname> display interface virtual-template 1

Virtual-Template1

Current state: DOWN

Line protocol state: DOWN

Description: Virtual-Template1 Interface

Bandwidth: 100000kbps

Maximum transmission unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet address: 192.168.1.200/24 (primary)

Link layer protocol: PPP

LCP: initial

Physical: None, baudrate: 100000000 bps

# Display brief information about Virtual-Template 1.

<Sysname> display interface virtual-template 1 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP        Description

VT1                  DOWN DOWN     --

# Display brief information about the VT interfaces in physically down state and the causes.

<Sysname> display interface Virtual-Template brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

VT0                  DOWN Not connected

VT12                 DOWN Not connected

VT1023               DOWN Not connected

Table 1 Command output

Field

Description

Current state

Physical link state of the interface:

·     DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed).

·     UP—The interface is both administratively and physically up.

This field for a VT interface can only be DOWN.

Line protocol state

Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer.

·     UP—The data link layer protocol is up.

·     DOWN—The data link layer protocol is down.

This field for a VT interface can only be DOWN.

Description

Description of the interface.

Bandwidth

Expected bandwidth of the interface.

Hold timer

Interval at which the interface sends keepalive packets.

retry times

Maximum number of keepalive retransmission attempts. A link is removed after the maximum number of retransmission attempts is reached.

Internet protocol processing: Disabled

The interface is not assigned an IP address and cannot process IP packets.

Internet address: 192.168.1.200/24 (primary)

Primary IP address of the interface.

LCP initial

LCP initialization is complete.

Physical

Physical type of the interface.

Brief information on interfaces in route mode

Brief information about Layer 3 interfaces.

Interface

Abbreviated interface name.

Link

Physical link state of the interface:

·     UP—The interface is physically up.

·     DOWN—The interface is physically down.

·     ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

·     Stby—The interface is a backup interface in standby state.

This field for a VT interface can only be DOWN.

Protocol

Data link layer protocol state of the interface:

·     UP—The data link layer protocol of the interface is up.

·     DOWN—The data link layer protocol of the interface is down.

·     UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces.

This field for a VT interface can only be DOWN.

Primary IP

Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address.

Cause

Cause for the physical link state of an interface to be DOWN.

Not connected indicates no physical link exists (possibly because the network cable is disconnected or faulty).

 

display ppp chasten per-mac

Use display ppp chasten per-mac to display per-MAC blocking information about PPP users.

Syntax

display ppp chasten per-mac { auth-failed | blocked } [ mac mac-address ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

auth-failed: Displays information about users who failed authentication but do not meet the blocking conditions.

blocked: Displays information about blocked users.

mac mac-address: Specifies a user by its MAC address. The mac-address argument is in the format of H-H-H.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display information about blocked PPP users.

<Sysname> display ppp chasten per-mac blocked

MAC address       S-/C-VLAN    Interface       Aging(S)

0001-0001-0001    -/-          XGE3/1/1        89

0002-0002-0002    -/-          XGE3/1/1        10

# Display information about PPP users who failed authentication but do not meet the blocking conditions.

<Sysname> display ppp chasten per-mac auth-failed

MAC address       S-/C-VLAN    Interface       Auth-failures

0001-0001-0003    -/-          XGE3/1/1        3

0002-0002-0004    -/-          XGE3/1/1        2

Table 2 Command output

| Field | Description |
|---|---|
| MAC address | MAC address of a detected PPP user. |
| S-/C-VLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-). |
| Interface | User access interface. |
| Aging(S) | Remaining blocking time in seconds for a blocked user. |
| Auth-failures | Number of consecutive authentication failures for a PPP user who failed authentication but does not meet the blocking conditions during the detection period. |

Related commands

ppp authentication chasten per-mac

reset ppp chasten per-mac blocked

display ppp chasten statistics

Use display ppp chasten statistics to display statistics about PPP user blocking.

Syntax

display ppp chasten statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display statistics about PPP user blocking.

<Sysname> display ppp chasten statistics

Blocked users           : 1

Auth-failed users       : 1

Table 3 Command output

| Field | Description |
|---|---|
| Blocked users | Total number of blocked PPP users. |
| Auth-failed users | Number of PPP users who failed authentication but do not meet the blocking conditions. |

Related commands

display ppp chasten user

ppp authentication chasten

display ppp chasten user

Use display ppp chasten user to display blocking information about PPP users.

Syntax

display ppp chasten user { auth-failed | blocked } [ username user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

auth-failed: Displays information about users who failed authentication but do not meet the blocking conditions.

blocked: Displays information about blocked users.

username user-name: Specifies a username string for fuzzy matching usernames, a case-sensitive string of 1 to 80 characters. For example, if the user-name argument is abc, information about users whose usernames contain abc will be displayed. If you do not specify a username, this command displays blocking information about all PPP users.

Examples

# Display information about blocked PPP users.

<Sysname> display ppp chasten user blocked

Username                    Domain                             Aging(S)

aaa                         aaa                                34

# Display information about PPP users who failed authentication but do not meet the blocking conditions.

<Sysname> display ppp chasten user auth-failed

Username                    Domain                        Auth-failures

bbb                         bbb                           5

Table 4 Command output

| Field | Description |
|---|---|
| Username | Username of a PPP user. |
| Domain | Domain to which the PPP user belongs. This field displays N/A when the domain of the PPP user is not obtained. |
| Aging(S) | Remaining blocking time in seconds for a blocked user. |
| Auth-failures | Number of consecutive authentication failures for a PPP user who failed authentication but does not meet the blocking conditions during the detection period. |

Related commands

display ppp chasten statistics

ppp authentication chasten
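For monitoring, the per-MAC and per-user blocking tables shown above can be parsed from captured CLI text. The following Python sketch is an added example, not H3C code; the sample rows beyond those on this page, the function names, and the min_macs threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed samples in the column layout shown above; rows that differ from
# the page's own examples are made up for illustration.
PER_MAC_BLOCKED = """\
<Sysname> display ppp chasten per-mac blocked
MAC address       S-/C-VLAN    Interface       Aging(S)
0001-0001-0001    -/-          XGE3/1/1        89
0002-0002-0002    -/-          XGE3/1/1        10
"""
PER_MAC_AUTH_FAILED = """\
<Sysname> display ppp chasten per-mac auth-failed
MAC address       S-/C-VLAN    Interface       Auth-failures
0001-0001-0003    -/-          XGE3/1/1        3
0002-0002-0004    100/20       XGE3/1/2        2
"""
USER_BLOCKED = """\
Username                    Domain                             Aging(S)
aaa                         aaa                                34
"""


def parse_chasten_table(text):
    """Parse 'display ppp chasten ...' output into a list of dicts keyed by column header."""
    rows, columns = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):   # skip blank lines and the CLI prompt line
            continue
        if columns is None:
            # Header cells are separated by two or more spaces ("MAC address" contains one).
            columns = re.split(r"\s{2,}", line)
            continue
        cells = line.split()
        if len(cells) != len(columns):
            raise ValueError(f"unexpected row: {line!r}")
        row = dict(zip(columns, cells))
        for counter in ("Aging(S)", "Auth-failures"):
            if counter in row:
                row[counter] = int(row[counter])
        rows.append(row)
    return rows


def split_vlan(cell):
    """Turn an S-/C-VLAN cell such as '100/20' or '-/-' into (svlan, cvlan), None if absent."""
    parts = (cell.split("/") + ["-"])[:2]
    return tuple(None if p == "-" else int(p) for p in parts)


def macs_per_interface(blocked_rows, failed_rows):
    """Map each access interface to the MACs blocked or accumulating failures on it."""
    summary = defaultdict(lambda: {"blocked": set(), "failing": {}})
    for row in blocked_rows:
        summary[row["Interface"]]["blocked"].add(row["MAC address"])
    for row in failed_rows:
        summary[row["Interface"]]["failing"][row["MAC address"]] = row["Auth-failures"]
    return dict(summary)


def noisy_interfaces(summary, min_macs):
    """Interfaces with at least min_macs distinct blocked or failing MACs, busiest first."""
    counts = {name: len(s["blocked"] | set(s["failing"])) for name, s in summary.items()}
    return sorted((n for n, c in counts.items() if c >= min_macs),
                  key=lambda n: (-counts[n], n))


if __name__ == "__main__":
    summary = macs_per_interface(parse_chasten_table(PER_MAC_BLOCKED),
                                 parse_chasten_table(PER_MAC_AUTH_FAILED))
    for name in noisy_interfaces(summary, min_macs=3):
        print(name, sorted(summary[name]["blocked"]), summary[name]["failing"])
```

An interface that shows many distinct MAC addresses failing authentication at once is worth reviewing even when each MAC individually stays under the blocking conditions.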

display ppp keepalive packet-loss-ratio

Use display ppp keepalive packet-loss-ratio to display the packet loss ratio statistics for the PPP user detection packets.

Syntax

In standalone mode:

display ppp keepalive packet-loss-ratio [ interface interface-type interface-number [ s-vlan svlan-id ] ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ppp keepalive packet-loss-ratio [ interface interface-type interface-number [ s-vlan svlan-id ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays entries of all interfaces.

s-vlan svlan-id: Specifies an SVLAN by its ID. The value range for the svlan-id argument is 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot. 

Usage guidelines

After PPP online user detection is enabled on an interface, the device will automatically record the number of sent detection packets and received packets. You can use this command to view the packet loss ratio statistics for detection packets.

If you execute the display ppp keepalive packet-loss-ratio command partway through a 30-second timer, the command displays the packet loss ratio statistics collected up to that time point within the timer. For example, if you execute this display command at the 10th second within a 30-second timer, this command displays the packet loss ratio statistics collected within the 10 seconds.

This command can be used only on the unified network to display the packet loss ratio statistics for PPPoE and L2TP user detection packets.

On a CUPS network, use the display access-user user-detect packet-loss-ratio command to display the packet loss ratio statistics for PPPoE and L2TP user detection packets.

Examples

# Display the packet loss ratio statistics for the PPP user detection packets on all interfaces.

<Sysname> display ppp keepalive packet-loss-ratio

Slot 0:

Interface BAS-interface1:

Keepalive   : 11%

 

Slot 3:

Interface Ten-GigabitEthernet3/1/2:

Keepalive   : 11%

# Display the packet loss ratio statistics for the PPP user detection packets on the specified interface.

<Sysname> display ppp keepalive packet-loss-ratio interface ten-gigabitethernet 3/1/1.1

Slot 3:

Interface Ten-GigabitEthernet3/1/1.1:

Keepalive   : 11%

 

S-VLAN: 100

Keepalive   : 11%

 

S-VLAN: 200

Keepalive   : 11%

Table 5 Command output

| Field | Description |
|---|---|
| Interface | Detected interface. For L2TP users, the detection is performed on BAS interfaces. |
| S-VLAN | Service provider VLAN. |
| Keepalive | Packet loss ratio of PPP user detection packets. |

Related commands

access-user user-detect packet-loss-ratio-threshold (BRAS Services Command Reference)

reset ppp keepalive packet-loss-ratio

display ppp packet statistics

Use display ppp packet statistics to display PPP negotiation packet statistics.

Syntax

In standalone mode:

display ppp packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ppp packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)  

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display PPP negotiation packet statistics for the specified slot.

<Sysname> display ppp packet statistics slot 1

PPP packet statistics in slot 1:

-------------------------------LCP------------------------------------

SEND_LCP_CON_REQ      : 0           RECV_LCP_CON_REQ      : 0

SEND_LCP_CON_NAK      : 0           RECV_LCP_CON_NAK      : 0

SEND_LCP_CON_REJ      : 0           RECV_LCP_CON_REJ      : 0

SEND_LCP_CON_ACK      : 0           RECV_LCP_CON_ACK      : 0

SEND_LCP_CODE_REJ     : 0           RECV_LCP_CODE_REJ     : 0

SEND_LCP_PROT_REJ     : 0           RECV_LCP_PROT_REJ     : 0

SEND_LCP_TERM_REQ     : 0           RECV_LCP_TERM_REQ     : 0

SEND_LCP_TERM_ACK     : 0           RECV_LCP_TERM_ACK     : 0

SEND_LCP_ECHO_REQ     : 0           RECV_LCP_ECHO_REQ     : 0

SEND_LCP_ECHO_REP     : 0           RECV_LCP_ECHO_REP     : 0

SEND_LCP_FAIL         : 0           SEND_LCP_CON_REQ_RETRAN : 0

-------------------------------IPCP-----------------------------------

SEND_IPCP_CON_REQ     : 0           RECV_IPCP_CON_REQ     : 0

SEND_IPCP_CON_NAK     : 0           RECV_IPCP_CON_NAK     : 0

SEND_IPCP_CON_REJ     : 0           RECV_IPCP_CON_REJ     : 0

SEND_IPCP_CON_ACK     : 0           RECV_IPCP_CON_ACK     : 0

SEND_IPCP_CODE_REJ    : 0           RECV_IPCP_CODE_REJ    : 0

SEND_IPCP_PROT_REJ    : 0           RECV_IPCP_PROT_REJ    : 0

SEND_IPCP_TERM_REQ    : 0           RECV_IPCP_TERM_REQ    : 0

SEND_IPCP_TERM_ACK    : 0           RECV_IPCP_TERM_ACK    : 0

SEND_IPCP_FAIL        : 0

-------------------------------IPV6CP---------------------------------

SEND_IPV6CP_CON_REQ   : 0           RECV_IPV6CP_CON_REQ   : 0

SEND_IPV6CP_CON_NAK   : 0           RECV_IPV6CP_CON_NAK   : 0

SEND_IPV6CP_CON_REJ   : 0           RECV_IPV6CP_CON_REJ   : 0

SEND_IPV6CP_CON_ACK   : 0           RECV_IPV6CP_CON_ACK   : 0

SEND_IPV6CP_CODE_REJ  : 0           RECV_IPV6CP_CODE_REJ  : 0

SEND_IPV6CP_PROT_REJ  : 0           RECV_IPV6CP_PROT_REJ  : 0

SEND_IPV6CP_TERM_REQ  : 0           RECV_IPV6CP_TERM_REQ  : 0

SEND_IPV6CP_TERM_ACK  : 0           RECV_IPV6CP_TERM_ACK  : 0

SEND_IPV6CP_FAIL      : 0

-------------------------------OSICP---------------------------------

SEND_OSICP_CON_REQ    : 0           RECV_OSICP_CON_REQ    : 0

SEND_OSICP_CON_NAK    : 0           RECV_OSICP_CON_NAK    : 0

SEND_OSICP_CON_REJ    : 0           RECV_OSICP_CON_REJ    : 0

SEND_OSICP_CON_ACK    : 0           RECV_OSICP_CON_ACK    : 0

SEND_OSICP_CODE_REJ   : 0           RECV_OSICP_CODE_REJ   : 0

SEND_OSICP_PROT_REJ   : 0           RECV_OSICP_PROT_REJ   : 0

SEND_OSICP_TERM_REQ   : 0           RECV_OSICP_TERM_REQ   : 0

SEND_OSICP_TERM_ACK   : 0           RECV_OSICP_TERM_ACK   : 0

SEND_OSICP_FAIL       : 0

-------------------------------MPLSCP---------------------------------

SEND_MPLSCP_CON_REQ   : 0           RECV_MPLSCP_CON_REQ   : 0

SEND_MPLSCP_CON_NAK   : 0           RECV_MPLSCP_CON_NAK   : 0

SEND_MPLSCP_CON_REJ   : 0           RECV_MPLSCP_CON_REJ   : 0

SEND_MPLSCP_CON_ACK   : 0           RECV_MPLSCP_CON_ACK   : 0

SEND_MPLSCP_CODE_REJ  : 0           RECV_MPLSCP_CODE_REJ  : 0

SEND_MPLSCP_PROT_REJ  : 0           RECV_MPLSCP_PROT_REJ  : 0

SEND_MPLSCP_TERM_REQ  : 0           RECV_MPLSCP_TERM_REQ  : 0

SEND_MPLSCP_TERM_ACK  : 0           RECV_MPLSCP_TERM_ACK  : 0

SEND_MPLSCP_FAIL      : 0

--------------------------------AUTH ----------------------------------

SEND_PAP_AUTH_REQ        : 0           RECV_PAP_AUTH_REQ        : 0

SEND_PAP_AUTH_ACK        : 0           RECV_PAP_AUTH_ACK        : 0

SEND_PAP_AUTH_NAK        : 0           RECV_PAP_AUTH_NAK        : 0

SEND_CHAP_AUTH_CHALLENGE : 0           RECV_CHAP_AUTH_CHALLENGE : 0

SEND_CHAP_AUTH_RESPONSE  : 0           RECV_CHAP_AUTH_RESPONSE  : 0

SEND_CHAP_AUTH_ACK       : 0           RECV_CHAP_AUTH_ACK       : 0

SEND_CHAP_AUTH_NAK       : 0           RECV_CHAP_AUTH_NAK       : 0

SEND_PAP_AUTH_FAIL       : 0           SEND_CHAP_AUTH_FAIL      : 0

Table 6 Command output

Field

Description

LCP

LCP packet statistics.

·     SEND_LCP_CON_REQ—Number of sent link configuration request packets.

·     RECV_LCP_CON_REQ—Number of received link configuration request packets.

·     SEND_LCP_CON_NAK—Number of sent link configuration NAK packets.

·     RECV_LCP_CON_NAK—Number of received link configuration NAK packets.

·     SEND_LCP_CON_REJ—Number of sent link configuration reject packets.

·     RECV_LCP_CON_REJ—Number of received link configuration reject packets.

·     SEND_LCP_CON_ACK—Number of sent link configuration ACK packets.

·     RECV_LCP_CON_ACK—Number of received link configuration ACK packets.

·     SEND_LCP_CODE_REJ—Number of sent link configuration code reject packets.

·     RECV_LCP_CODE_REJ—Number of received link configuration code reject packets.

·     SEND_LCP_PROT_REJ—Number of sent link configuration protocol reject packets.

·     RECV_LCP_PROT_REJ—Number of received link configuration protocol reject packets.

·     SEND_LCP_TERM_REQ—Number of sent link termination request packets.

·     RECV_LCP_TERM_REQ—Number of received link termination request packets.

·     SEND_LCP_TERM_ACK—Number of sent link termination ACK packets.

·     RECV_LCP_TERM_ACK—Number of received link termination ACK packets.

·     SEND_LCP_ECHO_REQ—Number of sent LCP echo request packets.

·     RECV_LCP_ECHO_REQ—Number of received LCP echo request packets.

·     SEND_LCP_ECHO_REP—Number of sent LCP echo reply packets.

·     RECV_LCP_ECHO_REP—Number of received LCP echo reply packets.

·     SEND_LCP_FAIL—Number of sent link failure packets.

·     SEND_LCP_CON_REQ_RETRAN—Number of retransmitted link configuration request packets.

IPCP

IPCP packet statistics.

·     SEND_IPCP_CON_REQ—Number of sent IP address negotiation request packets.

·     RECV_IPCP_CON_REQ—Number of received IP address negotiation request packets.

·     SEND_IPCP_CON_NAK—Number of sent IP address negotiation NAK packets.

·     RECV_IPCP_CON_NAK—Number of received IP address negotiation NAK packets.

·     SEND_IPCP_CON_REJ—Number of sent IP address negotiation reject packets.

·     RECV_IPCP_CON_REJ—Number of received IP address negotiation reject packets.

·     SEND_IPCP_CON_ACK—Number of sent IP address negotiation ACK packets.

·     RECV_IPCP_CON_ACK—Number of received IP address negotiation ACK packets.

·     SEND_IPCP_CODE_REJ—Number of sent IP address negotiation code reject packets.

·     RECV_IPCP_CODE_REJ—Number of received IP address negotiation code reject packets.

·     SEND_IPCP_PROT_REJ—Number of sent IP address negotiation protocol reject packets.

·     RECV_IPCP_PROT_REJ—Number of received IP address negotiation protocol reject packets.

·     SEND_IPCP_TERM_REQ—Number of sent IP address negotiation termination request packets.

·     RECV_IPCP_TERM_REQ—Number of received IP address negotiation termination request packets.

·     SEND_IPCP_TERM_ACK—Number of sent IP address negotiation termination ACK packets.

·     RECV_IPCP_TERM_ACK—Number of received IP address negotiation termination ACK packets.

·     SEND_IPCP_FAIL—Number of sent IP address negotiation failure packets.

IPV6CP

IPv6CP packet statistics.

·     SEND_IPV6CP_CON_REQ—Number of sent IPv6 address negotiation request packets.

·     RECV_IPV6CP_CON_REQ—Number of received IPv6 address negotiation request packets.

·     SEND_IPV6CP_CON_NAK—Number of sent IPv6 address negotiation NAK packets.

·     RECV_IPV6CP_CON_NAK—Number of received IPv6 address negotiation NAK packets.

·     SEND_IPV6CP_CON_REJ—Number of sent IPv6 address negotiation reject packets.

·     RECV_IPV6CP_CON_REJ—Number of received IPv6 address negotiation reject packets.

·     SEND_IPV6CP_CON_ACK—Number of sent IPv6 address negotiation ACK packets.

·     RECV_IPV6CP_CON_ACK—Number of received IPv6 address negotiation ACK packets.

·     SEND_IPV6CP_CODE_REJ—Number of sent IPv6 address negotiation code reject packets.

·     RECV_IPV6CP_CODE_REJ—Number of received IPv6 address negotiation code reject packets.

·     SEND_IPV6CP_PROT_REJ—Number of sent IPv6 address negotiation protocol reject packets.

·     RECV_IPV6CP_PROT_REJ—Number of received IPv6 address negotiation protocol reject packets.

·     SEND_IPV6CP_TERM_REQ—Number of sent IPv6 address negotiation termination request packets.

·     RECV_IPV6CP_TERM_REQ—Number of received IPv6 address negotiation termination request packets.

·     SEND_IPV6CP_TERM_ACK—Number of sent IPv6 address negotiation termination ACK packets.

·     RECV_IPV6CP_TERM_ACK—Number of received IPv6 address negotiation termination ACK packets.

·     SEND_IPV6CP_FAIL—Number of sent IPv6 address negotiation failure packets.

OSICP

OSICP packet statistics.

·     SEND_OSICP_CON_REQ—Number of sent OSI address negotiation request packets.

·     RECV_OSICP_CON_REQ—Number of received OSI address negotiation request packets.

·     SEND_OSICP_CON_NAK—Number of sent OSI address negotiation NAK packets.

·     RECV_OSICP_CON_NAK—Number of received OSI address negotiation NAK packets.

·     SEND_OSICP_CON_REJ—Number of sent OSI address negotiation reject packets.

·     RECV_OSICP_CON_REJ—Number of received OSI address negotiation reject packets.

·     SEND_OSICP_CON_ACK—Number of sent OSI address negotiation ACK packets.

·     RECV_OSICP_CON_ACK—Number of received OSI address negotiation ACK packets.

·     SEND_OSICP_CODE_REJ—Number of sent OSI address negotiation code reject packets.

·     RECV_OSICP_CODE_REJ—Number of received OSI address negotiation code reject packets.

·     SEND_OSICP_PROT_REJ—Number of sent OSI address negotiation protocol reject packets.

·     RECV_OSICP_PROT_REJ—Number of received OSI address negotiation protocol reject packets.

·     SEND_OSICP_TERM_REQ—Number of sent OSI address negotiation termination request packets.

·     RECV_OSICP_TERM_REQ—Number of received OSI address negotiation termination request packets.

·     SEND_OSICP_TERM_ACK—Number of sent OSI address negotiation termination ACK packets.

·     RECV_OSICP_TERM_ACK—Number of received OSI address negotiation termination ACK packets.

·     SEND_OSICP_FAIL—Number of sent OSI address negotiation failure packets.

MPLSCP

MPLSCP packet statistics.

·     SEND_MPLSCP_CON_REQ—Number of sent MPLS address negotiation request packets.

·     RECV_MPLSCP_CON_REQ—Number of received MPLS address negotiation request packets.

·     SEND_MPLSCP_CON_NAK—Number of sent MPLS address negotiation NAK packets.

·     RECV_MPLSCP_CON_NAK—Number of received MPLS address negotiation NAK packets.

·     SEND_MPLSCP_CON_REJ—Number of sent MPLS address negotiation reject packets.

·     RECV_MPLSCP_CON_REJ—Number of received MPLS address negotiation reject packets.

·     SEND_MPLSCP_CON_ACK—Number of sent MPLS address negotiation ACK packets.

·     RECV_MPLSCP_CON_ACK—Number of received MPLS address negotiation ACK packets.

·     SEND_MPLSCP_CODE_REJ—Number of sent MPLS address negotiation code reject packets.

·     RECV_MPLSCP_CODE_REJ—Number of received MPLS address negotiation code reject packets.

·     SEND_MPLSCP_PROT_REJ—Number of sent MPLS address negotiation protocol reject packets.

·     RECV_MPLSCP_PROT_REJ—Number of received MPLS address negotiation protocol reject packets.

·     SEND_MPLSCP_TERM_REQ—Number of sent MPLS address negotiation termination request packets.

·     RECV_MPLSCP_TERM_REQ—Number of received MPLS address negotiation termination request packets.

·     SEND_MPLSCP_TERM_ACK—Number of sent MPLS address negotiation termination ACK packets.

·     RECV_MPLSCP_TERM_ACK—Number of received MPLS address negotiation termination ACK packets.

·     SEND_MPLSCP_FAIL—Number of sent MPLS address negotiation failure packets.

AUTH

Authentication packet statistics.

·     SEND_PAP_AUTH_REQ—Number of sent PAP authentication request packets.

·     RECV_PAP_AUTH_REQ—Number of received PAP authentication request packets.

·     SEND_PAP_AUTH_ACK—Number of sent PAP authentication ACK packets.

·     RECV_PAP_AUTH_ACK—Number of received PAP authentication ACK packets.

·     SEND_PAP_AUTH_NAK—Number of sent PAP authentication NAK packets.

·     RECV_PAP_AUTH_NAK—Number of received PAP authentication NAK packets.

·     SEND_CHAP_AUTH_CHALLENGE—Number of sent CHAP authentication request packets.

·     RECV_CHAP_AUTH_CHALLENGE—Number of received CHAP authentication request packets.

·     SEND_CHAP_AUTH_RESPONSE—Number of sent CHAP authentication response packets.

·     RECV_CHAP_AUTH_RESPONSE—Number of received CHAP authentication response packets.

·     SEND_CHAP_AUTH_ACK—Number of sent CHAP authentication ACK packets.

·     RECV_CHAP_AUTH_ACK—Number of received CHAP authentication ACK packets.

·     SEND_CHAP_AUTH_NAK—Number of sent CHAP authentication NAK packets.

·     RECV_CHAP_AUTH_NAK—Number of received CHAP authentication NAK packets.

·     SEND_PAP_AUTH_FAIL—Number of sent PAP authentication failure packets.

·     SEND_CHAP_AUTH_FAIL—Number of sent CHAP authentication failure packets.

 

Related commands

reset ppp packet statistics
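The AUTH counters described in Table 6 can be turned into an authentication reject rate by comparing two captures of the command output. The following Python sketch is an added example, not H3C code. It assumes the device is the authenticator (it receives PAP requests and CHAP responses and sends the NAKs), that counters only increase until reset ppp packet statistics is run, and it uses constructed counter values and hypothetical thresholds.

```python
import re

# Matches every "NAME : value" pair; the output puts two pairs on each line.
COUNTER_RE = re.compile(r"\b((?:SEND|RECV)_[A-Z0-9_]+)\s*:\s*(\d+)")

# Constructed captures of the AUTH section taken some minutes apart (values are made up).
SNAPSHOT_T0 = """\
--------------------------------AUTH ----------------------------------
SEND_PAP_AUTH_REQ        : 0           RECV_PAP_AUTH_REQ        : 1000
SEND_PAP_AUTH_ACK        : 980         RECV_PAP_AUTH_ACK        : 0
SEND_PAP_AUTH_NAK        : 20          RECV_PAP_AUTH_NAK        : 0
SEND_CHAP_AUTH_CHALLENGE : 5000        RECV_CHAP_AUTH_CHALLENGE : 0
SEND_CHAP_AUTH_RESPONSE  : 0           RECV_CHAP_AUTH_RESPONSE  : 5000
SEND_CHAP_AUTH_ACK       : 4950        RECV_CHAP_AUTH_ACK       : 0
SEND_CHAP_AUTH_NAK       : 50          RECV_CHAP_AUTH_NAK       : 0
SEND_PAP_AUTH_FAIL       : 0           SEND_CHAP_AUTH_FAIL      : 0
"""
SNAPSHOT_T1 = """\
--------------------------------AUTH ----------------------------------
SEND_PAP_AUTH_REQ        : 0           RECV_PAP_AUTH_REQ        : 1400
SEND_PAP_AUTH_ACK        : 1000        RECV_PAP_AUTH_ACK        : 0
SEND_PAP_AUTH_NAK        : 400         RECV_PAP_AUTH_NAK        : 0
SEND_CHAP_AUTH_CHALLENGE : 5200        RECV_CHAP_AUTH_CHALLENGE : 0
SEND_CHAP_AUTH_RESPONSE  : 0           RECV_CHAP_AUTH_RESPONSE  : 5200
SEND_CHAP_AUTH_ACK       : 5148        RECV_CHAP_AUTH_ACK       : 0
SEND_CHAP_AUTH_NAK       : 52          RECV_CHAP_AUTH_NAK       : 0
SEND_PAP_AUTH_FAIL       : 0           SEND_CHAP_AUTH_FAIL      : 0
"""

# (attempt counter, reject counter) per protocol, from the authenticator's side (assumption).
AUTH_PAIRS = {
    "PAP": ("RECV_PAP_AUTH_REQ", "SEND_PAP_AUTH_NAK"),
    "CHAP": ("RECV_CHAP_AUTH_RESPONSE", "SEND_CHAP_AUTH_NAK"),
}


def parse_counters(text):
    """Return {counter name: value} for every counter found in the command output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_deltas(prev, curr):
    """Per-counter increase between two captures; a counter that went backwards was reset."""
    deltas = {}
    for name, value in curr.items():
        diff = value - prev.get(name, 0)
        deltas[name] = diff if diff >= 0 else value
    return deltas


def auth_reject_rates(prev, curr):
    """Attempts, rejects and reject ratio per protocol over the interval between captures."""
    deltas = counter_deltas(prev, curr)
    rates = {}
    for proto, (attempts_key, rejects_key) in AUTH_PAIRS.items():
        attempts = deltas.get(attempts_key, 0)
        rejects = deltas.get(rejects_key, 0)
        rates[proto] = {"attempts": attempts, "rejects": rejects,
                        "ratio": rejects / attempts if attempts else None}
    return rates


def protocols_over(rates, min_attempts, max_ratio):
    """Protocols with enough attempts in the interval and a reject ratio above max_ratio."""
    return sorted(p for p, r in rates.items()
                  if r["ratio"] is not None
                  and r["attempts"] >= min_attempts and r["ratio"] > max_ratio)


if __name__ == "__main__":
    rates = auth_reject_rates(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    print(rates, protocols_over(rates, min_attempts=100, max_ratio=0.5))
```

A sustained high reject ratio on the slot is a cue to check display ppp chasten user and display ppp chasten per-mac for the accounts and MAC addresses involved.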

interface virtual-template

Use interface virtual-template to create a VT interface and enter its view, or enter the view of an existing VT interface.

Use undo interface virtual-template to remove a VT interface.

Syntax

interface virtual-template number

undo interface virtual-template number

Default

No VT interfaces exist.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies a VT interface by its number. The value range for this argument is 0 to 1023.

Usage guidelines

To remove a VT interface, make sure all the corresponding VA interfaces are removed and the VT interface is not in use.

Examples

# Create interface Virtual-Template 10.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10]

ip address ppp-negotiate

Use ip address ppp-negotiate to enable IP address negotiation on an interface, so that the interface can accept the IP address allocated by the server.

Use undo ip address ppp-negotiate to restore the default.

Syntax

ip address ppp-negotiate

undo ip address ppp-negotiate

Default

IP address negotiation is disabled on an interface.

Views

Virtual-PPP interface view

Predefined user roles

network-admin

Usage guidelines

If you execute the ip address ppp-negotiate and ip address commands multiple times, the most recent configuration takes effect.

Examples

# Enable IP address negotiation on Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] ip address ppp-negotiate

Related commands

ip address (Layer 3—IP Services Command Reference)

remote address

ppp accept remote-ip-address

Use ppp accept remote-ip-address to configure a BRAS to allow a remote user to come online by using a self-configured static IP address.

Use undo ppp accept remote-ip-address to restore the default.

Syntax

ppp accept remote-ip-address

undo ppp accept remote-ip-address

Default

A BRAS does not allow a remote user to come online by using a self-configured static IP address.

Views

VT interface view

Predefined user roles

network-admin

Usage guidelines

This feature applies to only PPPoE users in the BRAS access scenario.

By default, a PPPoE user must use an IP address dynamically allocated by the BRAS (PPPoE server) or authorized by the AAA server during the onboarding process, and a BRAS does not allow a user to come online by using a self-configured static IP address.

To let a user come online by using a self-configured static IP address on some networks, configure this feature. With this feature configured, the BRAS allows a remote user to come online by using a self-configured static IP address. After the user passes authentication and comes online, the BRAS maintains session information for the user based on the static IP address.

To avoid IP conflicts between users, plan the IP addresses carefully. Make sure the dynamically allocated IP addresses do not contain static IP addresses used by access users and that the static IP address of each access user is unique. Otherwise, the user cannot come online in the IPv4 protocol stack because of IP address conflicts.

This feature is supported only on unified networks, and is not supported on CUPS networks.

Examples

# Configure the BRAS on Virtual-Template 1 to allow a remote user to come online by using a self-configured static IP address.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp accept remote-ip-address

ppp accept remote-ipv6-address

Use ppp accept remote-ipv6-address to configure a BRAS to allow a remote user to come online by using a self-configured static IPv6 global unicast address.

Use undo ppp accept remote-ipv6-address to restore the default.

Syntax

ppp accept remote-ipv6-address

undo ppp accept remote-ipv6-address

Default

A BRAS does not allow a remote user to come online by using a self-configured static IPv6 global unicast address.

Views

VT interface view

Predefined user roles

network-admin

Usage guidelines

This feature applies to only PPPoE users in the BRAS access scenario.

By default, a PPPoE user must use an IPv6 global unicast address dynamically allocated by the BRAS (PPPoE server) or authorized by the AAA server during the onboarding process, and a BRAS does not allow a user to come online by using a self-configured static IPv6 global unicast address.

To let a user come online by using a self-configured static IPv6 global unicast address on some networks, configure this feature. With this feature configured, the BRAS allows a remote user to come online by using a self-configured static IPv6 global unicast address. After the user passes authentication and comes online, the BRAS maintains session information for the user based on the static IPv6 global unicast address.

To avoid static IPv6 global unicast address conflicts between users, plan the IPv6 global unicast addresses carefully. Make sure the dynamically allocated IPv6 global unicast addresses do not contain static IPv6 global unicast addresses used by access users and that the static IPv6 global unicast address of each access user is unique. Otherwise, the user cannot come online in the IPv6 protocol stack because of IPv6 address conflicts.

This feature is supported only on unified networks, and is not supported on CUPS networks.

Examples

# Configure the BRAS on Virtual-Template 1 to allow a remote user to come online by using a self-configured static IPv6 global unicast address.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp accept remote-ipv6-address

mtu

Use mtu to set the MTU size of an interface.

Use undo mtu to restore the default.

Syntax

mtu size

undo mtu

Default

The MTU is 1492 bytes for a VT interface.

Views

VT interface view

Predefined user roles

network-admin

Parameters

size: Specifies the MTU size. The value range varies by device model.

Usage guidelines

The MTU size setting of an interface affects the fragmentation and reassembly of IP packets on that interface.

Examples

# Set the MTU size of Virtual-Template 10 to 1400 bytes.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] mtu 1400

ppp authentication chasten

Use ppp authentication chasten to enable PPP user blocking.

Use undo ppp authentication chasten to disable PPP user blocking.

Syntax

ppp authentication chasten auth-failure auth-period blocking-period

undo ppp authentication chasten

Default

A PPP user is blocked for 300 seconds if the user fails authentication six consecutive times within 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

auth-failure: Specifies the maximum number of consecutive PPP authentication failures allowed in the detection period. The value range is 1 to 1000.

auth-period: Specifies the detection period of consecutive PPP authentication failures, in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds.

Usage guidelines

This feature blocks a PPP user for a period if the user fails authentication the specified number of consecutive times within the detection period. Packets from blocked users are discarded during the blocking period. This feature helps prevent unauthorized users from obtaining a password by exhaustive guessing, and reduces the number of authentication packets sent to the authentication server.

For example, the device is configured to block a user if the user fails authentication five consecutive times within 60 seconds. If the user fails authentication at the 100th second and has failed authentication five consecutive times within the latest detection period (from the 40th second to the 100th second), the user is blocked.

Packets from the blocked users will be processed when the blocking period expires.

This feature identifies users by username and domain name. Users that have the same username but belong to different domains are processed as different users.

Examples

# Configure the device to block a user for 1000 seconds if the consecutive authentication failures of the user reach 100 times within 500 seconds.

<Sysname> system-view

[Sysname] ppp authentication chasten 100 500 1000

Related commands

display ppp chasten statistics

display ppp chasten user

ppp authentication chasten per-mac

Use ppp authentication chasten per-mac to enable per-MAC PPP user blocking.

Use undo authentication chasten per-mac to disable per-MAC PPP user blocking.

Syntax

ppp authentication chasten per-mac [ multi-sessions ] auth-failure auth-period blocking-period

undo authentication chasten per-mac

Default

A PPP user is blocked for 300 seconds if the user fails authentication six consecutive times within 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

multi-sessions: Specifies that this feature takes effect on a PPP user that establishes multiple sessions simultaneously. If you do not specify this keyword, this feature takes effect only on a PPP user that can establish only one session at a time. When a MAC address can establish more than one PPP session, you must specify this keyword for per-MAC PPP user blocking to take effect on such PPP users.

auth-failure: Specifies the maximum number of consecutive PPP authentication failures allowed in the detection period. The value range is 1 to 1000.

auth-period: Specifies the detection period of consecutive PPP authentication failures, in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds.

Usage guidelines

A small home router with overdue charges can repeatedly perform PPPoE dialup, automatically and frequently changing usernames. To avoid this problem, you can enable per-MAC PPP user blocking. This feature uniquely identifies a blocked user by its MAC address, inner VLAN, outer VLAN, and access interface.

This feature blocks PPP users that use the same MAC address for a period if these users fail authentication the specified number of consecutive times within the detection period. Packets from the blocked users are discarded during the blocking period. This feature helps prevent unauthorized users from obtaining a password by exhaustive guessing, and reduces the number of authentication packets sent to the authentication server. For example, the device is configured to block a user if the user fails authentication five consecutive times within 60 seconds. If the user fails authentication at the 100th second and has failed authentication five consecutive times within the latest detection period (from the 40th second to the 100th second), the user is blocked. Packets from the blocked users are processed again when the blocking period expires.

The device supports attack defense for PPP users through the following commands. When both commands are executed, they both take effect.

·     The ppp authentication chasten command uniquely identifies a blocked user by username and domain name.

·     The ppp authentication chasten per-mac command uniquely identifies a blocked user by its MAC address, inner VLAN, outer VLAN, and access interface.

In the current software version, this feature applies to only PPPoE users.

Examples

# Configure the device to block a user for 1000 seconds if the consecutive authentication failures of the user reach 100 times within 500 seconds.

<Sysname> system-view

[Sysname] ppp authentication chasten per-mac 100 500 1000

Related commands

display ppp chasten per-mac

reset ppp chasten per-mac blocked
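
The blocking rules of ppp authentication chasten and ppp authentication chasten per-mac can be modeled offline to see which identity key a given failure pattern trips. The following Python model is an added example, not H3C code: the class and function names, the inclusive start of the detection window, and all sample events (usernames, documentation MAC address, VLANs, interface label) are assumptions or constructed values.

```python
from collections import defaultdict, deque


class Chasten:
    """Block a key after auth_failure consecutive failures within auth_period seconds."""

    def __init__(self, auth_failure, auth_period, blocking_period):
        self.auth_failure = auth_failure
        self.auth_period = auth_period
        self.blocking_period = blocking_period
        self.failures = defaultdict(deque)  # key -> times of the current failure run
        self.blocked_until = {}             # key -> second at which the block expires

    def is_blocked(self, key, now):
        return now < self.blocked_until.get(key, 0)

    def record(self, key, now, ok):
        """Record one authentication result; return True if it starts a block."""
        run = self.failures[key]
        if ok:
            run.clear()  # a success ends the run of consecutive failures
            return False
        run.append(now)
        # Keep failures inside the latest detection period [now - auth_period, now].
        # The inclusive start is an assumption taken from the 40th-to-100th-second example.
        while run[0] < now - self.auth_period:
            run.popleft()
        if len(run) >= self.auth_failure:
            self.blocked_until[key] = now + self.blocking_period
            run.clear()
            return True
        return False


def attempt(t, user, ok=False, domain="isp1", mac="00:00:5e:00:53:01"):
    """Build one constructed authentication event (all values are sample data)."""
    return {"t": t, "user": user, "domain": domain, "ok": ok, "mac": mac,
            "inner_vlan": 10, "outer_vlan": 100, "ifname": "access-if-1"}


def replay(events, per_user=None, per_mac=None):
    """Replay events in time order; return (verdict per event, attempts sent to AAA)."""
    verdicts, sent_to_aaa = [], 0
    for ev in events:
        now = ev["t"]
        # ppp authentication chasten: username and domain name.
        user_key = (ev["user"], ev["domain"])
        # per-mac: MAC address, inner VLAN, outer VLAN, and access interface.
        mac_key = (ev["mac"], ev["inner_vlan"], ev["outer_vlan"], ev["ifname"])
        if (per_user and per_user.is_blocked(user_key, now)) or \
           (per_mac and per_mac.is_blocked(mac_key, now)):
            verdicts.append("dropped")  # discarded, never reaches the AAA server
            continue
        sent_to_aaa += 1
        # When both commands are configured, both trackers see every result.
        hit_user = per_user.record(user_key, now, ev["ok"]) if per_user else False
        hit_mac = per_mac.record(mac_key, now, ev["ok"]) if per_mac else False
        if hit_mac:
            verdicts.append("blocked-per-mac")
        elif hit_user:
            verdicts.append("blocked-per-user")
        else:
            verdicts.append("ok" if ev["ok"] else "fail")
    return verdicts, sent_to_aaa


def page_example():
    """Five failures at 40..100 s with policy 5/60/300, then retries at 200 s and 400 s."""
    events = [attempt(t, "alice") for t in (40, 55, 70, 85, 100, 200, 400)]
    return replay(events, per_user=Chasten(5, 60, 300))


def rotating_usernames(with_per_mac):
    """One CPE (one MAC) failing every 10 s with a new username each time."""
    events = [attempt(10 * i, f"user{i}") for i in range(8)]
    per_mac = Chasten(5, 60, 300) if with_per_mac else None
    return replay(events, per_user=Chasten(5, 60, 300), per_mac=per_mac)


if __name__ == "__main__":
    print(page_example())
    print(rotating_usernames(False))
    print(rotating_usernames(True))
```

In the rotating-username run, the per-user rule alone never fires because each username fails only once, while the per-MAC rule blocks on the fifth failure and keeps the later attempts away from the AAA server.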

ppp authentication-mode

Use ppp authentication-mode to configure PPP authentication on an interface.

Use undo ppp authentication-mode to restore the default.

Syntax

ppp authentication-mode { chap | ms-chap | ms-chap-v2 | pap } * [ domain { isp-name | default enable isp-name } ]

undo ppp authentication-mode

Default

PPP authentication is disabled on an interface.

Views

Virtual-template interface view

Predefined user roles

network-admin

Parameters

chap: Uses CHAP authentication.

ms-chap: Uses MS-CHAP authentication.

ms-chap-v2: Uses MS-CHAP-V2 authentication.

pap: Uses PAP authentication.

domain isp-name: Specifies the forced PPP authentication domain by its name, a case-insensitive string of 1 to 255 characters. The isp-name argument cannot be d, de, def, defa, defau, defaul, or default.

default enable isp-name: Specifies the non-forced PPP authentication domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

PPP authentication includes the following categories:

·     PAP—Two-way handshake authentication. The password is in plain text or cipher text.

·     CHAP—Three-way handshake authentication. The password is in plain text or cipher text.

·     MS-CHAP—Three-way handshake authentication. The password is in cipher text.

·     MS-CHAP-V2—Three-way handshake authentication. The password is in cipher text.

You can configure multiple authentication modes.

In any PPP authentication mode, AAA determines whether a user can pass the authentication through a local authentication database or an AAA server. For more information about AAA authentication, see BRAS Services Configuration Guide.

If multiple ISP domains are available, the ISP domains are used in the following order:

1.     If the ppp authentication-mode command is executed to specify an authentication domain, a domain is selected as follows:

¡     If a forced PPP authentication domain is specified and the domain exists, the forced PPP authentication domain is used. Otherwise, proceed with step 2.

¡     If a non-forced PPP authentication domain is specified, the device first obtains the domain in the username and operates as follows:

-     If the username carries a domain and the domain exists, the domain carried in the username is used. If the domain carried in the username does not exist, proceed with step 2.

-     If the username does not carry a domain, the non-forced PPP authentication domain is used. If the non-forced PPP authentication domain does not exist, proceed with step 2.

2.     Use the authentication domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure Virtual-Template 10 to authenticate the peer by using PAP.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] ppp authentication-mode pap

Related commands

local-user (BRAS Services Command Reference)

ppp chap password

ppp chap user

ppp pap local-user
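
The ISP domain selection order described in the usage guidelines of ppp authentication-mode, written as a decision function. This Python sketch is an added example, not H3C code: the function names, the use of the last "@" as the separator in userid@isp-name, and the sample domains and usernames are assumptions. It shows that a forced domain ignores whatever domain the user types, while a non-forced domain lets the username choose.

```python
STEP_2 = "step 2: domain selected by the AAA module"


def domain_in_username(username):
    """Return the isp-name part of userid@isp-name, or None if none is carried.

    Splitting on the last '@' is an assumption of this example.
    """
    _userid, sep, domain = username.rpartition("@")
    return domain if sep and domain else None


def select_auth_domain(username, existing_domains, forced=None, non_forced=None):
    """Return (domain or None, rule that decided) for one PPP login.

    forced     -> ppp authentication-mode ... domain isp-name
    non_forced -> ppp authentication-mode ... domain default enable isp-name
    The two forms are alternatives in the command syntax, so only one may be set.
    """
    if forced is not None and non_forced is not None:
        raise ValueError("forced and non-forced domains are mutually exclusive")
    # Domain names are case-insensitive strings, so compare in lower case.
    existing = {d.lower() for d in existing_domains}

    def usable(name):
        return name is not None and name.lower() in existing

    if forced is not None:
        if usable(forced):
            return forced.lower(), "forced domain"
        return None, STEP_2
    if non_forced is not None:
        carried = domain_in_username(username)
        if carried is not None:
            if usable(carried):
                return carried.lower(), "domain carried in username"
            return None, STEP_2
        if usable(non_forced):
            return non_forced.lower(), "non-forced domain"
        return None, STEP_2
    return None, STEP_2


def resolve_all(usernames, existing_domains, **config):
    """Resolve a batch of constructed usernames under one interface configuration."""
    return {u: select_auth_domain(u, existing_domains, **config) for u in usernames}


if __name__ == "__main__":
    domains = ["isp1", "isp2"]                     # constructed sample domains
    logins = ["bob", "bob@ISP2", "bob@nowhere"]    # constructed sample usernames
    for cfg in ({"forced": "isp1"}, {"non_forced": "isp1"}, {}):
        print(cfg, resolve_all(logins, domains, **cfg))
```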

ppp chap password

Use ppp chap password to set the password for CHAP authentication on an interface.

Use undo ppp chap password to restore the default.

Syntax

ppp chap password { cipher | simple } string

undo ppp chap password

Default

No password is set for CHAP authentication on an interface.

Views

Virtual-PPP interface view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

Examples

# Set the password for CHAP authentication to plaintext password sysname on Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] ppp chap password simple sysname

Related commands

ppp authentication-mode chap

ppp chap user

Use ppp chap user to set the username for CHAP authentication on an interface.

Use undo ppp chap user to restore the default.

Syntax

ppp chap user username

undo ppp chap user

Default

The username for CHAP authentication is null on an interface.

Views

Virtual-PPP interface view

Predefined user roles

network-admin

Parameters

username: Specifies the username for CHAP authentication, a case-sensitive string of 1 to 80 characters. The username is sent to the peer for the local device to be authenticated.

Usage guidelines

To pass CHAP authentication, the username/password of one side must be the local username/password on the peer.

Examples

# Set the username for CHAP authentication to Root on Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] ppp chap user Root

Related commands

ppp authentication-mode chap

ppp ipcp dns

Use ppp ipcp dns to configure the primary and secondary DNS server IP addresses to be allocated in PPP negotiation on an interface.

Use undo ppp ipcp dns to delete the primary and secondary DNS server IP addresses to be allocated in PPP negotiation on an interface.

Syntax

ppp ipcp dns primary-dns-address [ secondary-dns-address ]

undo ppp ipcp dns primary-dns-address [ secondary-dns-address ]

Default

The DNS server IP addresses to be allocated in PPP negotiation are not configured on an interface.

Views

Virtual-template interface view

Predefined user roles

network-admin

Parameters

primary-dns-address: Specifies a primary DNS server IP address.

secondary-dns-address: Specifies a secondary DNS server IP address.

Usage guidelines

A device can assign DNS server IP addresses to its peer during PPP negotiation when the peer initiates requests.

To check the allocated DNS server IP addresses, execute the winipcfg or ipconfig /all command on the host.

Examples

# Set the primary and secondary DNS server IP addresses to 100.1.1.1 and 100.1.1.2 for the peer on Virtual-Template 1.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp ipcp dns 100.1.1.1 100.1.1.2

ppp ipcp remote-address match

Use ppp ipcp remote-address match to enable the IP segment match feature for PPP IPCP negotiation on an interface.

Use undo ppp ipcp remote-address match to restore the default.

Syntax

ppp ipcp remote-address match

undo ppp ipcp remote-address match

Default

The IP segment match feature is disabled for PPP IPCP negotiation on an interface.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the local interface to check whether its IP address and the IP address of the remote interface are in the same network segment. If they are not, IPCP negotiation fails.

Examples

# Enable the IP segment match feature on Virtual-Template 1.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp ipcp remote-address match

ppp keepalive datacheck

Use ppp keepalive datacheck to configure a VT interface not to perform keepalive detection when the uplink traffic of PPP users is updated.

Use undo ppp keepalive datacheck to restore the default.

Syntax

ppp keepalive datacheck

undo ppp keepalive datacheck

Default

No matter whether the uplink traffic of PPP users is updated within a keepalive interval, keepalive packets are sent to detect online users after the keepalive interval expires.

Views

VT interface view

Predefined user roles

network-admin

Usage guidelines

By default, if the configured keepalive interval (timer-hold seconds) or keepalive retry limit (timer-hold retry retries) is small, users might go offline because the interface cannot receive keepalive packets from the peer when congestion occurs in the network. To prevent keepalive packets from worsening the congestion or causing users to frequently go offline, execute the ppp keepalive datacheck command.

With this command executed, if the uplink traffic of PPP users is updated within a keepalive interval, the keepalive timer is reset, and online detection will not be performed. Otherwise, keepalive packets are sent to detect online users after the keepalive interval expires. For example, suppose you set the keepalive interval to 10 seconds by using the timer-hold command. If uplink traffic of PPP users is updated at the 5th second, the keepalive timer is reset. In this way, the sending of keepalive packets is delayed. If uplink traffic is updated within the next keepalive interval (10 seconds), the keepalive timer is reset again.

Examples

# Configure Virtual-Template 1 not to perform keepalive detection when the uplink traffic of PPP users is updated.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp keepalive datacheck

Related commands

timer-hold

timer-hold retry

ppp keepalive fast-reply enable

Use ppp keepalive fast-reply enable to enable fast reply for keepalive packets.

Use undo ppp keepalive fast-reply enable to disable fast reply for keepalive packets.

Syntax

In standalone mode:

ppp keepalive fast-reply enable slot slot-number [ cpu cpu-number ]

undo ppp keepalive fast-reply enable slot slot-number [ cpu cpu-number ]

In IRF mode:

ppp keepalive fast-reply enable chassis chassis-number slot slot-number [ cpu cpu-number ]

undo ppp keepalive fast-reply enable chassis chassis-number slot slot-number [ cpu cpu-number ]

Default

Fast reply is enabled for keepalive packets.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Usage guidelines

This feature allows the hardware to automatically identify and reply to incoming keepalive requests. This feature can prevent DDoS attacks.

As a best practice, do not disable this feature.

Examples

# (In standalone mode.) Enable fast reply for keepalive packets on the specified slot.

<Sysname> system-view

[Sysname] ppp keepalive fast-reply enable slot 3

ppp lcp delay

Use ppp lcp delay to set the LCP negotiation delay timer.

Use undo ppp lcp delay to restore the default.

Syntax

ppp lcp delay milliseconds

undo ppp lcp delay

Default

PPP starts LCP negotiation immediately after the physical layer comes up.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Parameters

milliseconds: Specifies the LCP negotiation delay timer in the range of 1 to 10000 milliseconds.

Usage guidelines

If two ends of a PPP link vary greatly in the LCP negotiation packet processing rate, execute this command on the end with a higher processing rate. The LCP negotiation delay timer prevents frequent LCP negotiation packet retransmission. After the physical layer comes up, PPP starts LCP negotiation when the delay timer expires. If PPP receives LCP negotiation packets before the delay timer expires, it starts LCP negotiation immediately.

Examples

# Set the LCP negotiation delay timer to 130 milliseconds on Virtual-Template 1.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp delay 130

ppp magic-number-check

Use ppp magic-number-check to enable magic number check for PPP.

Use undo ppp magic-number-check to disable magic number check for PPP.

Syntax

ppp magic-number-check

undo ppp magic-number-check

Default

Magic number check is disabled for PPP.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Usage guidelines

In the PPP link establishment process, the magic number is negotiated. After the negotiation, both the local end and the peer end save their magic numbers locally.

The local end sends Echo-Request packets carrying its own magic number. When magic number check is enabled on both the local end and the peer end, the peer end will compare its own magic number with the magic number in the received Echo-Request packets. If they are the same, the link status is considered as normal, and the peer end replies with Echo-Reply packets carrying its own magic number. The local end also compares its own magic number with the magic number carried in the received Echo-Reply packets.

A link is disconnected and LCP negotiation is restarted when either of the following events occurs on either end:

·     When fast reply for keepalive packets is enabled:

¡     The magic number check fails for five Echo-Request packets in total.

¡     The magic number check fails for five consecutive Echo-Reply packets.

·     When fast reply for keepalive packets is disabled, the magic number check fails for five consecutive Echo-Request or Echo-Reply packets.

Only the end with magic number check enabled can check the magic number in received Echo-Request or Echo-Reply packets.

Examples

# Enable magic number check for PPP on Virtual-Template 1.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp magic-number-check

Related commands

ppp keepalive fast-reply enable

ppp mru-check enable

Use ppp mru-check enable to enable maximum receive unit (MRU) check for PPP packets.

Use undo ppp mru-check enable to disable MRU check for PPP packets.

Syntax

ppp mru-check enable

undo ppp mru-check enable

Default

MRU check for PPP packets is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In the PPP Link Establishment phase, the MRU value is negotiated during LCP negotiation. When the MTUs of the interfaces on the two ends of a link are different, PPP uses the smaller MTU as the link MRU.

By default, the device does not perform MRU check if the MTU in a received PPP packet is larger than the negotiated MRU. With MRU check enabled, the device discards a received PPP packet if the MTU in the packet is larger than the negotiated MRU.

As a best practice to enhance system security, enable MRU check. Otherwise, a fake peer might attack the device by sending a large number of PPP packets with MTUs larger than the negotiated MRU.

Examples

# Enable MRU check for PPP packets.

<Sysname> system-view

[Sysname] ppp mru-check enable

ppp pap local-user

Use ppp pap local-user to set the local username and password for PAP authentication on an interface.

Use undo ppp pap local-user to restore the default.

Syntax

ppp pap local-user username password { cipher | simple } string

undo ppp pap local-user

Default

The local username and password for PAP authentication are blank on an interface.

Views

Virtual-PPP interface view

Predefined user roles

network-admin

Parameters

username: Specifies the username of the local device for PAP authentication, a case-sensitive string of 1 to 80 characters.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

Usage guidelines

For the local device to pass PAP authentication on the peer, make sure the username and password configured for the local device are also configured on the peer. You can configure the peer's username and password by using the local-user username and password { cipher | simple } string commands, respectively.

Examples

# Set the local username and password for PAP authentication to user1 and plaintext pass1 on Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] ppp pap local-user user1 password simple pass1

Related commands

local-user (BRAS Services Command Reference)

password (BRAS Services Command Reference)

ppp session-threshold

Use ppp session-threshold to configure the online PPP session count alarm thresholds on the device.

Use undo ppp session-threshold to restore the default.

Syntax

ppp session-threshold { lower-limit lower-limit-value | upper-limit upper-limit-value }

undo ppp session-threshold { lower-limit | upper-limit }

Default

On the device, the upper online PPP session count alarm threshold is 100, and the lower online PPP session count alarm threshold is 0.

Views

System view

Predefined user roles

network-admin

Parameters

lower-limit lower-limit-value: Specifies the lower online PPP session count alarm threshold in the range of 0 to 99. The configured value is a percentage of the maximum number of online PPP sessions allowed.

upper-limit upper-limit-value: Specifies the upper online PPP session count alarm threshold in the range of 1 to 100. The configured value is a percentage of the maximum number of online PPP sessions allowed.

Usage guidelines

(In standalone mode.) The online PPP session count on the device refers to the total number of online PPP sessions on the device.

(In IRF mode.) The online PPP session count on the device refers to the total number of online PPP sessions on the whole IRF system.

You can use this command to set the upper alarm threshold and lower alarm threshold for the PPP session count. When the PPP session count exceeds the upper alarm threshold or drops below the lower threshold, an alarm is triggered automatically. Then, the administrator can promptly know the online user conditions of the network. Additionally, the administrator can use the display access-user command to view the total number of online PPP sessions.

The user session count alarm function counts only PPPoE user sessions that occupy session resources. Either a single-stack PPPoE user or dual-stack PPPoE user occupies one session resource.

Suppose the maximum number of online PPP sessions allowed is a, the upper alarm threshold is b, and the lower alarm threshold is c. The following rules apply:

·     When the online PPP session count exceeds a×b or drops below a×c, the corresponding alarm information is output.

·     When the online PPP session count returns between the upper alarm threshold and lower alarm threshold, the alarm clearing information is output.

In some special cases, the online PPP session count frequently changes in the critical range, which causes frequent output of alarm information and alarm clearing information. To avoid this problem, the system introduces a buffer area when the online PPP session count recovers from the upper or lower threshold. The buffer area size is 10% of the difference between the upper threshold and the lower threshold. Suppose the buffer area size is d. Then, d=a×(b-c)÷10. When the online PPP session count drops below a×b-d or exceeds a×c+d, the alarm clearing information is output.

For example, suppose a is 1000, b is 80%, and c is 20%. Then, d= a×(b-c)÷10=1000×(80%-20%)÷10=1000×60%÷10=600÷10=60.

When the online PPP session count exceeds the upper threshold a×b=1000×80%=800, the upper threshold alarm is output. When the online PPP session count falls back below a×b-d=800-60=740, the alarm clearing information is output.

When the online PPP session count drops below the lower threshold a×c=1000×20%=200, the lower threshold alarm is output. When the online PPP session count rises back above a×c+d=200+60=260, the alarm clearing information is output.

The upper threshold alarm information output and the alarm clearing information output both contain logs and traps. For traps to be correctly sent to the NMS host, you must execute the snmp-agent trap enable user-warning-threshold command in addition to configuring the SNMP alarm feature correctly.

Examples

# Set the upper online PPP session count threshold to 80% on the device.

<Sysname> system-view

[Sysname] ppp session-threshold upper-limit 80

Related commands

snmp-agent trap enable user-warning-threshold (BRAS Services Command Reference)
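
The alarm and clearing rules of ppp session-threshold, including the buffer area d=a×(b-c)÷10, written as a small state machine. This Python model is an added example, not H3C code: the class and function names, the notification labels, the handling of a sample that crosses both thresholds at once, and the sample session counts are assumptions or constructed values. It also compares the result with a plain threshold that has no buffer area.

```python
from fractions import Fraction


class SessionThresholdAlarm:
    """Upper/lower session-count alarm with the recovery buffer d = a*(b-c)/10."""

    def __init__(self, max_sessions, upper_pct=100, lower_pct=0):
        if not (1 <= upper_pct <= 100 and 0 <= lower_pct <= 99):
            raise ValueError("threshold outside the documented value range")
        if lower_pct >= upper_pct:
            # Assumption of this model: the lower threshold stays below the upper one.
            raise ValueError("lower threshold must be below the upper threshold")
        self.upper = Fraction(max_sessions * upper_pct, 100)   # a*b
        self.lower = Fraction(max_sessions * lower_pct, 100)   # a*c
        self.buffer = (self.upper - self.lower) / 10           # d
        self.state = "normal"                                  # normal | upper | lower

    def update(self, count):
        """Feed one session-count sample; return the notifications it produces."""
        out = []
        # Clearing uses the buffered limits a*b-d and a*c+d.
        if self.state == "upper" and count < self.upper - self.buffer:
            self.state = "normal"
            out.append("upper-clear")
        elif self.state == "lower" and count > self.lower + self.buffer:
            self.state = "normal"
            out.append("lower-clear")
        # Raising uses the raw thresholds a*b and a*c. A sample that clears one
        # alarm and crosses the other threshold raises it in the same step
        # (assumption of this model).
        if self.state == "normal":
            if count > self.upper:
                self.state = "upper"
                out.append("upper-alarm")
            elif count < self.lower:
                self.state = "lower"
                out.append("lower-alarm")
        return out


def run(samples, alarm):
    """Return [(sample, notification), ...] for a sequence of session counts."""
    return [(c, note) for c in samples for note in alarm.update(c)]


def naive_upper_notifications(samples, max_sessions, upper_pct):
    """Count alarm/clear messages a plain upper threshold (no buffer) would emit."""
    upper = Fraction(max_sessions * upper_pct, 100)
    alarmed, messages = False, 0
    for c in samples:
        if (c > upper) != alarmed:
            alarmed = not alarmed
            messages += 1
    return messages


# Constructed samples: the first list walks through the a=1000, b=80%, c=20%
# example above; the second list flaps around the upper threshold of 800.
WALKTHROUGH = [790, 801, 795, 740, 739, 250, 199, 260, 261]
FLAPPING = [799, 801, 799, 802, 798, 801, 739]

if __name__ == "__main__":
    print(run(WALKTHROUGH, SessionThresholdAlarm(1000, 80, 20)))
    print(len(run(FLAPPING, SessionThresholdAlarm(1000, 80, 20))),
          "notifications with buffer,",
          naive_upper_notifications(FLAPPING, 1000, 80), "without")
```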

ppp timer negotiate

Use ppp timer negotiate to set the PPP negotiation timeout time on an interface.

Use undo ppp timer negotiate to restore the default.

Syntax

ppp timer negotiate seconds

undo ppp timer negotiate

Default

The PPP negotiation timeout time is 3 seconds on an interface.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Parameters

seconds: Specifies the negotiation timeout time in the range of 1 to 10 seconds.

Usage guidelines

In PPP negotiation, if the local device receives no response from the peer during the timeout time after it sends a packet, the local device sends the last packet again.

Examples

# Set the PPP negotiation timeout time to 5 seconds on Virtual-Template 10.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] ppp timer negotiate 5

ppp username check

Use ppp username check to specify that PPP users cannot come online successfully if the online requests do not carry usernames.

Use undo ppp username check to restore the default.

Syntax

ppp username check

undo ppp username check

Default

PPP users can come online successfully if the online requests do not carry usernames.

Views

VT interface view

Predefined user roles

network-admin

Usage guidelines

The username format is userid@isp-name. A username is considered as empty when both the user ID and ISP domain name are empty. If the user ID is empty but the ISP domain name is not empty, the username is considered as non-empty.

By default, when PPP user online requests do not carry the usernames (the usernames are empty), the following rules apply:

·     For PPPoE users, the user MAC addresses in the requests are used as the usernames.

·     For L2TP users, the calling numbers in the requests are used as the usernames.

When the device uses the user MAC addresses or calling numbers in the requests as the usernames for AAA authentication, neither the contents nor the format of the information will be modified.

If the network environment requires strict checking of username validity, execute this command. With this command executed, when the device receives online requests without usernames from PPPoE or L2TP users, the device does not use the user MAC addresses or calling numbers in the requests as usernames for AAA authentication. Instead, the device directly returns authentication failure to the users.

Examples

# Specify that PPP users cannot come online successfully if the online requests do not carry usernames on Virtual-Template 1.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp username check
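The following Python sketch is an added example, not H3C code. It models the empty-username rule and the fallback described above, and lists the VT interfaces in a saved configuration that lack ppp username check. The function names, the sample configuration, and the "#"-separated, space-indented configuration layout are assumptions made for illustration.

```python
import re

# Constructed sample; the layout (top-level "interface" lines, indented
# sub-commands, "#" separators) is assumed. Commands are taken from this page.
SAMPLE_CONFIG = """\
#
interface Virtual-Template1
 ppp username check
 ppp timer negotiate 5
#
interface Virtual-Template10
 remote address pool aaa
 timer-hold 20
#
"""

def is_empty_username(username):
    """userid@isp-name is empty only when both user ID and ISP name are empty."""
    userid, _, isp = username.partition("@")
    return userid == "" and isp == ""

def aaa_username(username, access, mac=None, calling_number=None,
                 username_check=False):
    """Return the name presented to AAA, or None if the request is failed."""
    if not is_empty_username(username):
        return username                  # "@isp1" counts as non-empty
    if username_check:
        return None                      # authentication failure, no fallback
    # Default behavior: fall back to the MAC address (PPPoE) or the calling
    # number (L2TP), passed through with contents and format unmodified.
    return mac if access == "pppoe" else calling_number

def vt_without_username_check(config):
    """List Virtual-Template interfaces that do not carry the command."""
    checked, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line ends the block
            m = re.match(r"interface (Virtual-Template\d+)$", line, re.I)
            current = m.group(1) if m else None
            if current:
                checked[current] = False
        elif current and line == "ppp username check":
            checked[current] = True
    return [name for name, ok in checked.items() if not ok]

if __name__ == "__main__":
    print(aaa_username("", "pppoe", mac="000f-e235-dc71"))
    print(vt_without_username_check(SAMPLE_CONFIG))
```
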

remote address

Use remote address to configure an interface to assign an IP address to the client.

Use undo remote address to restore the default.

Syntax

remote address pool pool-name

undo remote address

Default

An interface does not assign an IP address to the client.

Views

Virtual-template interface view

Predefined user roles

network-admin

Parameters

pool pool-name: Specifies an IP address pool by its name from which an IP address is assigned to the client. The pool name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command can be used when the local interface is configured with an IP address, but the peer has no IP address. To enable the peer to accept the IP address assigned by the local interface (server), configure the ip address ppp-negotiate command on the peer. Then, the peer acts as a client.

This command enables the local interface to forcibly assign an IP address to the peer. If the peer is not configured with the ip address ppp-negotiate command but configured with an IP address, the peer will not accept the assigned address. This results in an IPCP negotiation failure.

To make the configuration of the remote address command take effect, execute this command before the ip address command, which triggers IPCP negotiation. If you execute the remote address command after the ip address command, the server assigns an IP address to the client during the next IPCP negotiation.

After you configure the remote address command, you can execute this command again or the undo form for the peer. However, the new configuration does not take effect until the next IPCP negotiation.

Examples

# Configure Virtual-Template 10 to assign an IP address from address pool aaa to the client.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] remote address pool aaa

Related commands

ip address ppp-negotiate

ip pool

remote address dhcp client-identifier

Use remote address dhcp client-identifier to configure the method of generating DHCP client IDs when PPP users act as DHCP clients.

Use undo remote address dhcp client-identifier to restore the default.

Syntax

remote address dhcp client-identifier { { callingnum | username } [ session-info ] | session-info }

undo remote address dhcp client-identifier

Default

The method of generating DHCP client IDs when PPP users act as DHCP clients is not configured.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Parameters

callingnum: Generates DHCP client IDs based on calling numbers. The calling numbers are carried by calling number AVP in L2TP negotiation packets. A calling number contains the MAC address of a user, the user access interface on the LAC, and the VLANs to which the user belongs. For a user with MAC address 000f-e235-dc71, user access interface XGE3/1/1.1, and belonging to outer VLAN 1 and inner VLAN 2, the calling number is 000f-e235-dc71 XGE3/1/1.1:0001.0002. If the session-info keyword is also specified, the DHCP client IDs are generated based on the calling numbers and PPP sessions.

username: Generates DHCP client IDs based on the PPP usernames. If the session-info keyword is also specified, the DHCP client IDs are generated based on the PPP usernames and PPP sessions.

session-info: Generates DHCP client IDs based on PPP sessions. If only this keyword is specified, the DHCP client IDs are generated based on the user MAC addresses, user VLANs, and PPP sessions.

Usage guidelines

By default, a PPP client selects a new DHCP client ID each time the PPP client requests an IP address through DHCP. The DHCP server then cannot assign the specific IP addresses to the specific clients according to the client IDs. This command generates DHCP client IDs based on calling numbers or PPP usernames for address assignment.

When DHCP client IDs are generated based on PPP usernames, make sure different users use different PPP usernames to come online.

When a user comes online multiple times, PPP establishes multiple sessions for the user. These sessions have the same username, user MAC, and user VLAN. As a result, DHCP will assign the same IP address to these sessions, and DHCPv6 will assign the same ND prefixes when using the one prefix per user method. When the session-info keyword is configured, the DHCP client IDs are generated also based on the PPP sessions. Then, different PPP sessions can be assigned different IP addresses or ND prefixes.

Examples

# Use the PPP usernames as the DHCP client IDs on Virtual-Template 10 when PPP users act as DHCP clients.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] remote address dhcp client-identifier username

reset ppp chasten blocked-user

Use reset ppp chasten blocked-user to unblock users.

Syntax

reset ppp chasten blocked-user [ username user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

username user-name: Specifies a PPP user by its name, a string of 1 to 336 characters. The user-name argument can be in the format of username or username@domain name. The username is a case-sensitive string of 1 to 80 characters. The domain name is a case-insensitive string of 1 to 255 characters. This argument is exactly matched. Only the user exactly matching the specified username is unblocked. For example, if you specify username abc@dm1, only the user named abc in domain dm1 is unblocked. If you specify the username abc, the user named abc in the system default domain is unblocked. If the username contains multiple at signs (@), you must specify the domain for the user. If the username user-name option is not specified, all PPP users are unblocked.

Usage guidelines

By default, a blocked user can be unblocked only when the blocking period expires. During the blocking period, packets from the blocked user are dropped.

This command allows you to manually unblock a PPP user. After a user is unblocked, packets from the user can be processed by the device.

Examples

# Unblock user abc in domain dm1.

<Sysname> reset ppp chasten blocked-user username abc@dm1

# Unblock user abc in the system default domain system.

<Sysname> reset ppp chasten blocked-user username abc

Or

<Sysname> reset ppp chasten blocked-user username abc@system

# Unblock user abc@ppp in domain dm1.

<Sysname> reset ppp chasten blocked-user username abc@ppp@dm1

# Unblock user abc@ppp in the system default domain system.

<Sysname> reset ppp chasten blocked-user username abc@ppp@system

Related commands

display ppp chasten statistics

display ppp chasten user

ppp authentication chasten
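The following Python sketch is an added example, not H3C code. It shows which account a user-name argument of reset ppp chasten blocked-user resolves to under the rules above. Splitting at the last at sign is inferred from the page's abc@ppp@dm1 example. The function names and the blocked-user list are constructed for illustration.

```python
DEFAULT_DOMAIN = "system"   # system default domain used in the page's examples

# Constructed list of blocked (username, domain) pairs.
BLOCKED = [("abc", "dm1"), ("abc", "system"),
           ("abc@ppp", "dm1"), ("abc@ppp", "system")]

def resolve_user_name(arg, default_domain=DEFAULT_DOMAIN):
    """Return the (username, domain) pair that a user-name argument names."""
    if not 1 <= len(arg) <= 336:
        raise ValueError("user-name must be 1 to 336 characters")
    username, sep, domain = arg.rpartition("@")   # assumed: last "@" splits
    if not sep:                                   # no "@": default domain
        username, domain = arg, default_domain
    if not 1 <= len(username) <= 80:
        raise ValueError("username must be 1 to 80 characters")
    if not 1 <= len(domain) <= 255:
        raise ValueError("domain name must be 1 to 255 characters")
    # Usernames are case-sensitive; domain names are not.
    return username, domain.lower()

def unblock_targets(arg, blocked):
    """Return the blocked entries that the command would unblock."""
    if arg is None:                               # option omitted: all users
        return list(blocked)
    target = resolve_user_name(arg)
    return [(u, d) for u, d in blocked if (u, d.lower()) == target]

if __name__ == "__main__":
    # "abc@ppp" names user abc in domain ppp, not user abc@ppp in the
    # default domain, so nothing in BLOCKED matches it.
    for arg in ("abc@dm1", "abc", "abc@ppp@dm1", "abc@ppp", None):
        print(arg, "->", unblock_targets(arg, BLOCKED))
```
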

reset ppp chasten per-mac blocked

Use reset ppp chasten per-mac blocked to unblock PPP users blocked by per-MAC PPP user blocking.

Syntax

reset ppp chasten per-mac blocked [ mac mac-address [ s-vlan vlan-id [ c-vlan vlan-id ] ] ] [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

mac mac-address: Specifies a user by its MAC address. The mac-address argument is in the format of H-H-H.

s-vlan vlan-id: Specifies an outer VLAN. The value range for the vlan-id argument is 1 to 4094.

c-vlan vlan-id: Specifies an inner VLAN. The value range for the vlan-id argument is 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

By default, a blocked user can be unblocked only when the blocking period expires. During the blocking period, packets from the blocked user are dropped.

This command allows you to manually unblock a PPP user. After a user is unblocked, packets from the user can be processed by the device.

If you do not specify any parameter, this command unblocks all PPP users blocked by per-MAC PPP user blocking.

Examples

# Unblock all PPP users blocked by per-MAC PPP user blocking.

<Sysname> reset ppp chasten per-mac blocked

Related commands

display ppp chasten per-mac

ppp authentication chasten per-mac

reset ppp keepalive packet-loss-ratio

Use reset ppp keepalive packet-loss-ratio to clear the packet loss ratio statistics for the PPP user detection packets.

Syntax

In standalone mode:

reset ppp keepalive packet-loss-ratio [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset ppp keepalive packet-loss-ratio [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears entries of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot. 

Usage guidelines

This command can be used only on the unified network to clear the packet loss ratio statistics for PPPoE and L2TP user detection packets.

On a CUPS network, use the reset access-user user-detect packet-loss-ratio command to clear the packet loss ratio statistics for PPPoE and L2TP user detection packets.

After you execute the reset ppp keepalive packet-loss-ratio command to clear the packet loss ratio statistics for detection packets, the device will re-calculate the packet loss ratio and the continuous intervals. When the packet loss ratio meets the alarm conditions continuously for three intervals, an alarm will be output. For more information, see the access-user user-detect packet-loss-ratio-threshold command.

Examples

# Clear the packet loss ratio statistics for the PPP user detection packets on all interfaces.

<Sysname> reset ppp keepalive packet-loss-ratio

Related commands

access-user user-detect packet-loss-ratio-threshold (BRAS Services Command Reference)

display ppp keepalive packet-loss-ratio

reset ppp packet statistics

Use reset ppp packet statistics to clear PPP negotiation packet statistics.

Syntax

In standalone mode:

reset ppp packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset ppp packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. (In IRF mode.)  

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.  

Examples

# (In standalone mode.) Clear PPP negotiation packet statistics for the specified slot.

<Sysname> reset ppp packet statistics slot 1

Related commands

display ppp packet statistics

timer-hold

Use timer-hold to set the keepalive interval on an interface.

Use undo timer-hold to restore the default.

Syntax

timer-hold seconds

undo timer-hold

Default

The keepalive interval is 10 seconds for a virtual-PPP interface and 60 seconds for a VT interface.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Parameters

seconds: Specifies the interval for sending keepalive packets, in the range of 0 to 32767 seconds. The value 0 disables an interface from sending keepalive packets. In this case, the interface can respond to keepalive packets from the peer.

Usage guidelines

An interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface has received no response to keepalive packets when the keepalive retry limit is reached, it determines that the link has failed and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

Set the keepalive interval on the VT interface to no less than 60 seconds when the following requirements are met:

·     You need to separate the accounting for IPv4 and IPv6 traffic of a PPPoE user.

·     The PPPoE user goes online through a Layer 3 aggregate interface or a Layer 3 aggregate subinterface.

Examples

# Set the keepalive interval to 20 seconds on Virtual-Template 10.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] timer-hold 20

Related commands

timer-hold retry

timer-hold retry

Use timer-hold retry to set the keepalive retry limit on an interface.

Use undo timer-hold retry to restore the default.

Syntax

timer-hold retry retries

undo timer-hold retry

Default

The keepalive retry limit is 5 for a virtual-PPP interface and 3 for a VT interface.

Views

Virtual-PPP interface view

Virtual-template interface view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of keepalive attempts in the range of 1 to 255.

Usage guidelines

An interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface has received no response to keepalive packets from the peer when the keepalive retry limit is reached, it determines that the link has failed and reports a link layer down event.

To set the keepalive interval, use the timer-hold command.

On a slow link, increase the keepalive retry limit to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

Examples

# Set the keepalive retry limit to 10 for Virtual-Template 10.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] timer-hold retry 10

Related commands

timer-hold

 
