On a CUPS network, this device acts only as a UP. When executing operation commands in this chapter (commands except the display commands), follow these restrictions and guidelines:

· If a command is tagged with (UPs), this command can be executed only on a UP. Before executing this command on a UP, make sure you are fully aware of the impact of this command on the current network and prevent configuration errors from causing network failures.

· If a command does not have any tag, this command can be executed only on a CP by default. To execute this command on a UP, do that under the guidance of professionals, make sure you are fully aware of the impact of this command on the current network, and prevent configuration errors from causing network failures.

PPPoE server commands

display pppoe-server chasten configuration

Use display pppoe-server chasten configuration to display PPPoE user blocking configuration information.

Syntax

display pppoe-server chasten configuration [ global | interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays global PPPoE user blocking configuration information.

interface interface-type interface-number: Displays PPPoE user blocking configuration information on an interface specified by its type and number. Make sure the interface has PPPoE user blocking enabled. Otherwise, information is not displayed for the interface.

Usage guidelines

If you do not specify any parameter, this command displays global PPPoE user blocking configuration information and the PPPoE user blocking configuration information of all interfaces.

Examples

# Display PPPoE user blocking configuration information.

<Sysname> display pppoe-server chasten configuration

Global configuration:

Method: MAC Quickoffline: Y

Multi-sessions-permac: Y Requests: 6

Request-period(S): 60 Blocking-period(S): 300

Global configuration:

Method: Option105 Quickoffline: N

Multi-sessions-permac: Y Requests: 6

Request-period(S): 60 Blocking-period(S): 300

Interface: XGE3/1/1

Method: MAC Quickoffline: Y

Multi-sessions-permac: Y Requests: 6

Request-period(S): 60 Blocking-period(S): 300

Interface: XGE3/1/2

Method: Option105 Quickoffline: N

Multi-sessions-permac: N Requests: 10

Request-period(S): 100 Blocking-period(S): 1000

Table 1 Command output

Field	Description
Global configuration	Global PPPoE user blocking configuration information.
Interface	PPPoE user blocking configuration information on the interface.
Method	Detection type of PPPoE user blocking: · MAC—MAC-based PPPoE user blocking. · Option105—Option105-based PPPoE user blocking.
Quickoffline	Blocking type: · Y—The users are blocked because the number of times users go offline immediately after coming online reach the limit during the detection period. · N—The users are blocked because the connection requests reach the limit during the detection period.
Multi-sessions-permac	When PPPoE users are blocked based on MAC address, whether a single user is permitted to establish multiple PPPoE sessions: · Y—Permitted. · N—Not permitted.
Requests	Times of PPPoE connection requests.
Request-period(S)	Detection period in seconds.
Blocking-period(S)	PPPoE user blocking period in seconds.

Related commands

pppoe-server connection chasten

pppoe-server connection chasten option105

display pppoe-server chasten per-interface

Use display pppoe-server chasten per-interface to display the PPPoE protocol packet attack prevention entries.

Syntax

In standalone mode:

display pppoe-server chasten per-interface [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-server chasten per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the PPPoE protocol packet attack prevention entries of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameter, this command displays the PPPoE protocol packet attack prevention entries of all interfaces.

Examples

# (In IRF mode.) Display the PPPoE protocol packet attack prevention entries of all interfaces.

<Sysname> display pppoe-server chasten per-interface

Slot 3:

Interface Lifetime(S) Agetime(S) DrvStatus Drops

XGE3/1/1 1200 2000 Active 3000

XGE3/1/2 1000 1500 Inactive 0

Table 2 Command output

Field	Description
Interface	Interface name.
Lifetime(S)	Lifetime of the attack prevention entry, in seconds.
Agetime(S)	Aging time of the attack prevention entry (remaining aging time of a rate-limited user), in seconds. After the timer times out, rate-limiting on PPPoE protocol packets received on the interface is canceled.
DrvStatus	Status of issuing the attack prevention entry to the driver: · Active—The entry is successfully issued to the driver. Only entries in this state take effect. · Inactive—The entry failed to be issued to the driver, or the entry is not issued to the driver because the device does not support this entry.
Drops	Number of PPPoE protocol packets dropped on the interface.

Related commands

pppoe-server connection chasten per-interface

display pppoe-server chasten per-interface configuration

Use display pppoe-server chasten per-interface configuration to display the PPPoE protocol packet attack prevention configuration information.

Syntax

display pppoe-server chasten per-interface configuration [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

Examples

#Display the PPPoE protocol packet attack prevention configuration information of al interfaces.

<Sysname> display pppoe-server chasten per-interface configuration

Interface Number Interval(S) Rate-limit-period(S)

XGE3/1/1 6 60 300

XGE3/1/2 10 100 1000

Table 3 Command output

Field	Description
Interface	Interface name.
Number	Number of PPPoE protocol packets received.
Interval(S)	Detection interval of the PPPoE protocol packet attack prevention feature, in seconds.
Rate-limit-period(S)	Period for which the PPPoE protocol packets are rate-limited, in seconds.

Related commands

pppoe-server connection chasten per-interface

display pppoe-server chasten statistics

Use display pppoe-server chasten user to display statistics about PPPoE user blocking.

Syntax

In standalone mode:

display pppoe-server chasten statistics [ mac-address | option105 ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-server chasten statistics [ mac-address | option105 ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies MAC-based user blocking information.

option105: Specifies option105-based user blocking information.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the command displays PPPoE user blocking statistics for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any keywords, the command displays all PPPoE user blocking statistics. For a blocked PPPoE user, this command displays the blocking entries generated for the user on all slots. For how blocking entries are generated, see the pppoe-server connection chasten command and the pppoe-server connection chasten option105 command.

Examples

#Display PPPoE user blocking statistics on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-server chasten statistics interface ten-gigabitethernet 3/1/1

Statistics of users possibly to be blocked:

Non-quickoffline by MAC : 0

Quickoffline by MAC : 0

Non-quickoffline by Option105 : 0

Quickoffline by Option105 : 0

Statistics of users blocked:

Non-quickoffline by MAC : 0

Quickoffline by MAC : 1

Non-quickoffline by Option105 : 0

Quickoffline by Option105 : 0

Table 4 Command output

Field	Description
Statistics of users possibly to be blocked	Statistics of users possibly to be blocked (the blocking feature has detected these users but the blocking conditions have not been met).
Non-quickoffline by MAC	Number of MAC-based users blocked because the PPP connection requests reach the limit during the detection period.
Quickoffline by MAC	Number of MAC-based users blocked because the number of times users go offline immediately after coming online reach the limit during the detection period.
Non-quickoffline by Option105	Number of option105-based users blocked because the connection requests reach the limit during the detection period.
Quickoffline by Option105	Number of option105-based users blocked because the number of times users go offline immediately after coming online reach the limit during the detection period.

Related commands

display pppoe-server chasten user

pppoe-server connection chasten

pppoe-server connection chasten option105

display pppoe-server chasten user

Use display pppoe-server chasten user to display information about blocked PPPoE users.

Syntax

In standalone mode:

display pppoe-server chasten user [ mac-address [ mac-address ] | option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

In IRF mode:

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies the MAC-based blocked PPPoE users..

mac-address: Specifies a user's MAC address in the format of H-H-H. If you specify the mac-address keyword but do not specify this argument, the command displays information about all MAC-based blocked PPPoE users.

option105: Specifies option105-based blocked PPPoE users.

circuit-id circuit-id: Specifies fuzzy matching of a circuit ID, a case-sensitive string of 1 to 127 characters. For example, if the circuit-id argument is abc, information about users whose circuit IDs contain abc will be displayed.

remote-id remote-id: Specifies fuzzy matching of a remote ID, a case-sensitive string of 1 to 127 characters. For example, if the remote-id argument is abc, information about users whose remote IDs contain abc will be displayed.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the command displays information about blocked PPPoE users on all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about blocked PPPoE users.

Usage guidelines

If you do not specify any keywords, the command displays brief information about all blocked PPPoE users.

Examples

# (In standalone mode.) Display brief information about all blocked PPPoE users.

<Sysname> display pppoe-server chasten user slot 3

Slot 3:

Type: N-non-Quickoffline Q-Quickoffline

MAC/Option105 VLAN ID Interface Aging(S) Type Drops

0001-0001-0001 N/A XGE3/1/1 89 N 1000

circuitid:123 N/A XGE3/1/1 10 Q 1000

remoteid:abcde

# (In standalone mode.) Display detailed information about all blocked PPPoE users.

<Sysname> display pppoe-server chasten user interface ten-gigabitethernet 3/1/1 verbose

Slot 3:

MAC address: 0001-0001-0001

VLAN ID: N/A

Interface: XGE3/1/1

Aging(S): 89

Type: Non-Quickoffline

Drops: 1000

Lifetime(S): 1000

DrvStatus: Active

Option105: (circuitid:123 remoteid:abcde)

Vlan ID: N/A

Interface: XGE3/1/1

Aging(S): 10

Type: Quickoffline

Drops: 1000

Lifetime(S): 1000

DrvStatus: Inactive

Table 5 Command output

Field	Description
MAC/Option105	MAC-based or option105-based blocked PPPoE users: · For a MAC-based user, the MAC address is displayed. · For an option105-based user, the circuit ID and remote ID are displayed.
VLAN ID	VLAN to which a blocked user belongs. This field displays only the outermost VLAN information if the user has multiple VLAN tags. This field displays N/A for a user that does not have VLAN information, for example, an option105-based user.
Interface	Access interface for a blocked user.
Aging(S)	On devices in common mode or CP and UP separation (CUPS) mode, this field indicates the remaining blocking time for a blocked user (remaining aging time of a blocked user). When the timer times out, the user is unblocked. On devices in data plane mode, this field is insignificant and displays 0.
Type	Blocking type: · N (or Non-Quickoffline)—Non-quickoffline users, the users that are blocked because the connection requests reach the limit during the detection period. · Q (or Quickoffline)—Quickoffline users, the users that are blocked because the number of times users go offline immediately after coming online reach the limit during the detection period.
Drops	Number of PPPoE protocol packets that have been dropped for a blocked user.
Lifetime(S)	Lifetime of the attack prevention entry, in seconds.
DrvStatus	Status of issuing the attack prevention entry to the driver: · Active—The entry is successfully issued to the driver. Only entries in this state take effect. · Inactive—The entry is not issued to the driver or the entry fails to be issued to the driver.

Related commands

display pppoe-server chasten statistics

pppoe-server connection chasten

pppoe-server connection chasten option105

reset pppoe-server chasten user

display pppoe-server packet statistics

Use display pppoe-server packet statistics to display PPPoE server negotiation packet statistics.

Syntax

In standalone mode:

display pppoe-server packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-server packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display PPPoE server negotiation packet statistics for the specified slot.

<Sysname> display pppoe-server packet statistics slot 1

PPPoE server packet statistics in slot 1:

RECV_PADI_PKT : 10 DISCARD_PADI_PKT : 0

SEND_PADO_PKT : 10

RECV_PADR_PKT : 10 DISCARD_PADR_PKT : 0

SEND_PADS_PKT : 10

RECV_PADT_PKT : 9 DISCARD_PADT_PKT : 0

SEND_PADT_PKT : 9

Table 6 Command output

Field	Description
RECV_PADI_PKT	Number of received PADI packets.
DISCARD_PADI_PKT	Number of discarded PADI packets.
SEND_PADO_PKT	Number of sent PADO packets.
RECV_PADR_PKT	Number of received PADR packets.
DISCARD_PADR_PKT	Number of discarded PADR packets.
SEND_PADS_PKT	Number of sent PADS packets.
RECV_PADT_PKT	Number of received PADT packets.
DISCARD_PADT_PKT	Number of discarded PADT packets.
SEND_PADT_PKT	Number of sent PADT packets.

Related commands

pppoe-server block

reset pppoe-server packet statistics

display pppoe-server session summary

Use display pppoe-server session summary to display summary PPPoE session information.

Syntax

In standalone mode:

display pppoe-server session summary [ [ interface interface-type interface-number | slot slot-number [ cpu cpu-number ] ] | mac-address mac-address ] *

In IRF mode:

display pppoe-server session summary [ [ interface interface-type interface-number | chassis chassis-number slot slot-number [ cpu cpu-number ] ] | mac-address mac-address ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

mac-address mac-address: Specifies a PPPoE user by its MAC address in the format of H-H-H.

Usage guidelines

Summary PPPoE session information on a physical interface can be displayed only on the card where the interface resides. Summary PPPoE session information on a logical interface can be displayed on all cards.

Examples

#Display summary PPPoE session information on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-server session summary interface ten-gigabitethernet 3/1/1

Total PPPoE sessions: 2

Ethernet interface: XGE3/1/1 Session ID: 1

PPP index: 0x140000105 State: PADR_RCVD

Remote MAC: 00e0-1500-7100 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

Ethernet interface: XGE3/1/1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC:00e0-1600-7200 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

# (In standalone mode.) Display summary PPPoE session information on the MPU in the specified slot.

<Sysname> display pppoe-server session summary slot 3

Total PPPoE sessions on slot 3: 2

Local PPPoE sessions on slot 3: 1

Ethernet interface: XGE3/1/2 Session ID: 1

PPP index: 0x140000105 State: OPEN

Remote MAC: 0000-0000-0005 Local MAC: 0000-5e00-0101

Service VLAN: N/A Customer VLAN: N/A

Ethernet interface: RAGG1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC: 0050-56c0-0005 Local MAC: 0000-5e00-0102

Service VLAN: N/A Customer VLAN: N/A

Table 7 Command output

Field	Description
Total PPPoE sessions	Total number of PPPoE sessions. When a slot is specified in this command, this field displays the total number of PPPoE sessions coming online through physical interfaces in the slot and all global PPPoE sessions in the system.
Local PPPoE sessions	Total number of PPPoE sessions. · The PPPoE sessions coming online through a physical interface are counted on the slot of the physical interface. · (In standalone mode.) The PPPoE sessions coming online through a global interface are counted on the slot of the active MPU. · (In IRF mode.) The PPPoE sessions coming online through a global interface are counted on the slot of the global active MPU. When an interface is specified, this field is not displayed.
Ethernet interface	Interface where the PPPoE session is present.
Session ID	PPPoE session ID.
PPP index	Index of the PPP session.
PPP interface	Virtual access interface created for the PPPoE session.
State	PPPoE session state: · PADR RCVD—The PPPoE session is being negotiated. · Open—The PPPoE session has been successfully established. · OFFLINE—The PPPoE session is being deleted.
RemoteMAC	MAC address of the remote end.
LocalMAC	MAC address of the local end.
Service VLAN	Service provider VLAN. N/A means no service provider VLAN is available.
Customer VLAN	Customer VLAN. N/A means no customer VLAN is available.

Related commands

reset pppoe-server

display pppoe-server throttled-mac

Use display pppoe-server throttled-mac to display information about blocked users.

Syntax

In standalone mode:

display pppoe-server throttled-mac { slot slot-number [ cpu cpu-number ] | interface interface-type interface-number }

In IRF mode:

display pppoe-server throttled-mac { chassis chassis-number slot slot-number [ cpu cpu-number ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

#Display information about blocked users on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-server throttled-mac interface ten-gigabitethernet 3/1/1

Total 3 client MACs:

Interface Remote MAC Start time Remaining time(s)

XGE3/1/1 00e0-1500-4100 2019-12-01,12:10:30 55

XGE3/1/1 00e0-1500-4000 2019-12-01,12:10:40 65

XGE3/1/1 00e0-1500-3300 2019-12-01,12:10:50 75

Table 8 Command output

Field	Description
Interface	Interface at which the user is blocked.
Remote MAC	MAC address of the user.
Start time	Time to start blocking users.
Remaining time(s)	Time left for blocking users, in seconds.

Related commands

pppoe-server throttle per-mac

pppoe-server access-delay

Use pppoe-server access-delay to set the response delay time for PPPoE users on an interface.

Use undo pppoe-server access-delay to restore the default.

Syntax

pppoe-server access-delay delay-time [ even-mac | odd-mac ]

undo pppoe-server access-delay

Default

No response delay time is set for PPPoE users on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the response delay time for PPPoE users, in the range of 10 to 25500 milliseconds.

even-mac: Specifies users with even MAC addresses.

odd-mac: Specifies users with odd MAC addresses.

Usage guidelines

With this command executed, the system delays response to the PPPoE user online requests according to the configured delay time.

You can separately specify different response delay times for even-MAC users and odd-MAC users.

If you do not specify any keyword, this command sets the response delay time for all users that come online through this interface.

If you first execute this command with the even-mac or odd-mac keyword specified and then execute this command without specifying any keyword, the latter configuration takes effect, and vice versa.

Examples

#Set the response delay time for PPPoE users to 100 milliseconds on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-delay 100

pppoe-server access-line-id bas-info

Use pppoe-server access-line-id bas-info to configure the NAS-Port-ID attribute to automatically include BAS information on an interface.

Use undo pppoe-server access-line-id bas-info to restore the default.

Syntax

pppoe-server access-line-id bas-info [ cn-163 | cn-163-redback ]

undo pppoe-server access-line-id bas-info

Default

The NAS-Port-ID attribute does not automatically include BAS information on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

cn-163: Specifies the China-Telecom 163 format for the BAS information.

cn-163-redback: Specifies the China-Telecom 163 Redback format for the BAS information.

Usage guidelines

If you do not specify any keyword, BAS information in the China-Telecom format is included.

The BAS information formats include the following formats:

· China-Telecom format—The China-Telecom format is {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port:XPI.XCI. The format refers to the user access interface information on the BRAS, including upstream interface, VLAN, and VPI/VCI information:

¡ When Ethernet/DSL is used, XPI.XCI refers to VLAN information.

¡ When ATM/DSL is used, XPI.XCI refers to VPI/VCI information.

For example, eth 3/1/1:4096.2345 includes the following user access interface information:

¡ The type of the upstream interface is Ethernet interface.

¡ The interface is located at slot 3, subslot 1, and port 1 .

¡ The outer VLAN ID is 4096 (which means an invalid VLAN), and the inner VLAN ID is 2345.

In a non-CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. On an IRF fabric, when you need to specify the access IRF member device of a user on the AAA server, use the access-user four-dimension-mode enable command to configure the device to use four-dimensional interfaces to communicate with AAA servers. In this case, the BAS information in China Telecom format is {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

In a CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. If the access-user four-dimension-mode enable command is executed, when a PPPoE user accesses through a UP, the UP ID information is added before the NAS_slot in the BAS information. In this case, the BAS information in China-Telecom format is {eth|trunk|atm} UP_ID/NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

· China-Telecom 163 format—Table 9 shows the China-Telecom 163 format, where:

¡ NAS_slot, NAS_subslot, and NAS_port refer to the numbering information of the PPPoE user access interface on the BRAS.

¡ vpi and vci refer to VPI and VCI information.

¡ vlanid and vlanid2 refer to inner VLAN and outer VLAN, respectively. Value for the vlanid of the primary interface is fixed at 0.

In a non-CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. On an IRF fabric, when you need to specify the access IRF member device of a user on the AAA server, use the access-user four-dimension-mode enable command to configure the device to use four-dimensional interfaces to communicate with AAA servers. For example, for a main interface on an IRF fabric, the BAS information is China Telecom 163 format is: chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id.

In a CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. If the access-user four-dimension-mode enable command is executed, when a PPPoE user accesses through a UP, the UP ID information is added before slot in the BAS information. In this case, for a main interface in a CUPS network, the BAS information in China-Telecom 163 format is chassis=UP_ID;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id.

Table 9 BAS information in China-Telecom 163 format

Interface type	Format
ATM interface	slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vpi=XPI;vci=XCI;
Primary interface or interface that does not carry inner VLAN or outer VLAN information.	slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id;
Interface that carries inner VLAN and outer VLAN information.	slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id;vlanid2=VLAN id2;

· China-Telecom 163 Redback format—The China-Telecom 163 Redback format is the same as the China-Telecom 163 format except in the VLAN information. In the China-Telecom 163 Redback format, the vlanid and vlanid2 fields refer to outer VLAN and inner VLAN, respectively. In the other sections, both BAS information in the China-Telecom 163 format and BAS information in the China-Telecom 163 Redback format are described in the China-Telecom 163 format as an example.

This command specifies whether to automatically insert BAS information into the NAS-Port-ID attribute:

· If you disable the function of automatically inserting BAS information, for information about the content in the NAS-Port-ID attribute that the BRAS sends to the RADIUS server, see the pppoe-server access-line-id content command.

· If you enable the function of automatically inserting BAS information and execute the pppoe-server access-line-id trust command, the contents are generated as follows for the NAS-Port-ID attribute that the BRAS sends to the RADIUS server:

¡ If BAS information in China Telecom 163 format is inserted, the BAS information is inserted before the circuit-id field. The BAS information+circuit-id combination is sent to the RADIUS server as the NAS-Port-ID attribute.

¡ If BAS information in China Telecom format is inserted, the BAS information and the user access information on the DSLAM in the original circuit-id information are used to construct the circuit-id in China Telecom format. The circuit-id in China Telecom format is sent to the RADIUS server as the NAS-Port-ID attribute.

· If you enable the function of automatically inserting BAS information but do not execute the pppoe-server access-line-id trust command, the device does not send the circuit-id or remote-id in packets to the NAS-Port-ID attribute. In this case, the NAS-Port-ID attribute sent to the RADIUS server contains only the BAS information as follows:

¡ If BAS information in China Telecom 163 format is inserted, the BAS information in China Telecom 163 format is sent to the RADIUS server as the NAS-Port-ID attribute.

¡ If BAS information in China Telecom format is inserted, the BAS information in China Telecom format is sent to the RADIUS server as the NAS-Port-ID attribute.

The RADIUS server cannot correctly parse a NAS-Port-ID attribute that includes the remote-id and BAS information. When you execute this command together with the pppoe-server access-line-id trust command, make sure the NAS-Port-ID attribute sent to the RADIUS sever does not include the remote-id.

Examples

#Configure the NAS-Port-ID attribute to automatically include BAS information on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id bas-info

Related commands

access-user four-dimension-mode enable (BRAS Services Command Reference)

pppoe-server access-line-id content

pppoe-server access-line-id trust

pppoe-server nas-port-id interface

pppoe-server access-line-id circuit-id trans-format

Use pppoe-server access-line-id circuit-id trans-format to configure the transmission format for the circuit-id in access line ID on an interface.

Use undo pppoe-server access-line-id circuit-id trans-format to restore the default.

Syntax

pppoe-server access-line-id circuit-id trans-format { ascii | hex }

undo pppoe-server access-line-id circuit-id trans-format

Default

The transmission format for the circuit-id in access line ID is a string of characters on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the character string format. For example, the circuit-id 00010002 is transmitted in the form of 01 08 30 30 30 31 30 30 30 32.

hex: Specifies the hexadecimal format. For example, the circuit-id 00010002 is transmitted in the form of 01 04 00 01 00 02.

Examples

#Configure Ten-GigabitEthernet 3/1/1 to use the hexadecimal format to transmit the circuit-id.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id circuit-id trans-format hex

pppoe-server access-line-id content

Use pppoe-server access-line-id content to configure the content of the NAS-Port-ID attribute delivered to the RADIUS server on an interface.

Use undo pppoe-server access-line-id content to restore the default.

Syntax

pppoe-server access-line-id content { all [ separator ] | circuit-id | remote-id }

undo pppoe-server access-line-id content

Default

The NAS-Port-ID attribute contains only the circuit-id on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

all: Sends both the circuit-id and remote-id.

separator: Specifies a separator that is one character long. By default, the value is a blank space. The circuit-id and remote-id are connected by the separator.

circuit-id: Sends only the circuit-id.

remote-id: Sends only the remote-id.

Usage guidelines

The PPPoE server on a BRAS uses the RADIUS NAS-Port-ID attribute to copy and send the access line ID received from a DSLAM device to the RADIUS server. The access line ID contains the circuit-id and remote-id. The RADIUS server compares the received NAS-Port-ID attribute with the local line ID information to verify the location of the user.

Do not use a character that exists in the circuit-id or remote-id as the separator. Otherwise, the RADIUS server might fail to parse the ID information.

This command takes effect only when the pppoe-server access-line-id trust command is executed.

When the pppoe-server access-line-id bas-info command is not executed, the following rules apply:

· If the pppoe-server access-line-id trust command is executed, the following rules apply:

¡ If the circuit-id or remote-id configured in the pppoe-server access-line-id content command is effective (non-null), the specified circuit-id or remote-id is sent to the RADIUS server as the NAS-Port-ID attribute.

¡ If the circuit-id or remote-id configured in the pppoe-server access-line-id content command is null, the BAS information in China Telecom 163 format is sent to the RADIUS server as the NAS-Port-ID attribute. For more information, see the pppoe-server access-line-id bas-info command.

· If the pppoe-server access-line-id trust command is not executed, the BAS information in China Telecom 163 format is sent to the RADIUS server as the NAS-Port-ID attribute. For more information, see the pppoe-server access-line-id bas-info command.

If the pppoe-server access-line-id bas-info command is executed, this command determines the content of the NAS-Port-ID attribute.

Examples

#Configure Ten-GigabitEthernet 3/1/1 to deliver only the circuit-id to the RADIUS server.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id content circuit-id

Related commands

pppoe-server access-line-id bas-info

pppoe-server access-line-id remote-id trans-format

Use pppoe-server access-line-id remote-id trans-format to configure the transmission format for the remote-id in the access line ID on an interface.

Use undo pppoe-server access-line-id remote-id trans-format to restore the default.

Syntax

pppoe-server access-line-id remote-id trans-format { ascii | hex }

undo pppoe-server access-line-id remote-id trans-format

Default

The transmission format for the remote-id is a string of characters on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the character string format.

hex: Specifies the hexadecimal format.

Usage guidelines

The remote-id is the system MAC address of a PPPoE relay device (for example, DSLAM). It can be transmitted in character strings or hexadecimal format.

Examples

#Configure Ten-GigabitEthernet 3/1/1 to use the hexadecimal format to transmit the remote-id.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id remote-id trans-format hex

pppoe-server access-line-id trust

Use pppoe-server access-line-id trust to configure the PPPoE server to trust the access line ID in received packets on an interface.

Use undo pppoe-server access-line-id trust to restore the default.

Syntax

pppoe-server access-line-id trust

undo pppoe-server access-line-id trust

Default

The PPPoE server does not trust the access line ID in received packets on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

This command enables the PPPoE server to copy the circuit-id and remote-id in a received packet to the NAS-Port-ID attribute.

If this command is not executed, the PPPoE server does not copy the circuit-id and remote-id in a received packet to the NAS-Port-ID attribute.

Examples

#Configure Ten-GigabitEthernet 3/1/1 to trust the access line ID in received packets.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id trust

Related commands

pppoe-server access-line-id bas-info

pppoe-server access-line-id vxlan-info enable

Use pppoe-server access-line-id vxlan-info enable to insert the VXLAN information in the NAS-Port-ID attribute.

Use undo pppoe-server access-line-id vxlan-info enable to restore the default.

Syntax

pppoe-server access-line-id vxlan-info enable

undo pppoe-server access-line-id vxlan-info enable

Default

The VXLAN information is not inserted into the NAS-Port-ID attribute.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

The VXLAN information is inserted into the following fields in the NAS-Port-ID attribute:

· BAS information is China Telecom format.

· DSLAM uplink interface information in the circuit ID in China Telecom format.

The two fields above are in the same format. For more information, see the pppoe-server access-line-id bas-info command.

For example, if the information is ge 3/1/1:4075.2345 before the VXLAN information is inserted, the information is ge 3/1/1: 4294967295.4075.2345 after the VXLAN information is inserted. The newly added 4294967295 is a VXLAN ID. 4294967295 indicates an invalid VXLAN.

Examples

#Insert the VXLAN information into the NAS-Port-ID attribute on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id vxlan-info enable

Related commands

pppoe-server access-line-id bas-info

pppoe-server bind

Use pppoe-server bind to enable the PPPoE server on an interface and bind the interface to a VT interface.

Use undo pppoe-server bind to disable the PPPoE server on an interface.

Syntax

pppoe-server bind virtual-template number

undo pppoe-server bind

Default

The PPPoE server is disabled on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

virtual template number: Specifies a VT interface by its number. The value range for the number argument is 0 to 1023.

Usage guidelines

A PPPoE server-enabled interface must be bound to an existing VT interface.

When online PPPoE users exist on an interface, you cannot directly use the undo pppoe-server bind command to disable the PPPoE server on the interface. To do that, first log out all online PPPoE users on the interface, and then execute the undo pppoe-server bind command.

If the interface has been bound to a VT interface, you cannot use this command to bind the interface to another VT interface. To do that, disable the PPPoE server on the interface first.

You cannot enable the PPPoE server on a device configured to operate in user plane mode by using the work-mode user-plane command.

On an interface, the pppoe-server bind command and the pppoe-agency bind command are mutually exclusive.

Examples

#Enable the PPPoE server on Ten-GigabitEthernet 3/1/1 and bind the interface to interface Virtual-Template 1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

Related commands

work-mode user-plane (BRAS Services Command Reference)

pppoe-server block

Use pppoe-server block to forbid PPPoE users on an interface from coming online.

Use undo pppoe-server block to restore the default.

Syntax

pppoe-server block

undo pppoe-server block

Default

PPPoE users on an interface are permitted to come online.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

With this command executed on an interface, the interface directly drops received PADI and PADR packets to forbid users from coming online through this interface.

This command does not affect existing PPPoE users.

Examples

#Forbid PPPoE users on Ten-GigabitEthernet 3/1/1 from coming online.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server block

Related commands

display pppoe-server packet statistics

pppoe-server connection chasten

Use pppoe-server connection chasten to enable MAC-based user blocking.

Use undo pppoe-server connection chasten to disable MAC-based user blocking.

Syntax

pppoe-server connection chasten [ quickoffline ] [ multi-sessions-permac ] requests request-period blocking-period

undo pppoe-server connection chasten [ quickoffline ]

Default

In interface view, MAC-based user blocking is disabled.

In system view, a MAC-based PPPoE user will be blocked for 300 seconds if the user fails authentication consecutively for 120 times within 60 seconds.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

quickoffline: Specifies the users that go offline immediately after coming online. If you specify this keyword, users that go offline immediately after coming online for requests times within request-period seconds will be blocked for blocking-period seconds. If you do not specify this keyword, users that send PPPoE requests for requests times within request-period seconds will be blocked for blocking-period seconds.

multi-sessions-permac: Specifies a user that establishes multiple PPPoE sessions. You must specify this keyword if multiple sessions exist on a MAC address.

requests: Specifies the number of PPPoE connection requests, in the range of 1 to 10000.

request-period: Specifies the detection period in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds. The value of 0 means that users will not be blocked even when they meet the blocking conditions.

Usage guidelines

Operating mechanism

If you execute this command, the device uniquely identifies a blocked user by using its MAC address, the outermost VLAN ID, and the access interface.

In the unified scenario, when the blocking conditions are met, blocking entries are generated only for the slots hosting interfaces actually receiving packets. For example, when a user accessing a Layer 3 aggregate interface meets the blocking conditions, the blocking entries are generated only on the slots hosting member ports of the Layer 3 aggregate interface.

In the CUPS scenario, when the blocking conditions are met for a user accessing a global interface on a UP, the blocking entries are generated on the master BRAS-VM managing the UP and all slots of the UP. For a user accessing a local interface on a UP, the blocking entries are generated on the master BRAS-VM managing the UP and the slot hosting the local interface on the UP.

Restrictions and guidelines

The following commands can be executed on the same interface or subinterface:

· pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period

The pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 quickoffline requests request-period blocking-period

The pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 requests request-period blocking-period

If you execute this command in system view, the command applies to all PPPoE users. If you execute this command in interface view, the command applies to PPPoE users accessing the interface. If you execute this command in both system view and interface view, a user is blocked in the view whose blocking conditions are met first.

When the administrator executes this command to modify the configuration, the new configuration does not take effect on existing blocked users. For example, for a blocked user whose blocking period has not expired, even if the administrator executes this command to modify the blocking-period value, the remaining aging time of the blocked user still ages out according to the aging time before configuration modification.

Examples

# Configure the device to block a user for 1000 seconds by its MAC address if the user sends 100 PPPoE connection requests within 500 seconds.

<Sysname> system-view

[Sysname] pppoe-server connection chasten 100 500 1000

Related commands

display pppoe-server chasten statistics

display pppoe-server chasten user

pppoe-server connection chasten option105

pppoe-server session-limit per-mac

reset pppoe-server chasten user

pppoe-server connection chasten option105

Use pppoe-server connection chasten option105 to enable option105-based user blocking.

Use undo pppoe-server connection chasten option105 to disable option105-based user blocking.

Syntax

pppoe-server connection chasten option105 [ quickoffline ] requests request-period blocking-period

undo pppoe-server connection chasten option105 [ quickoffline ]

Default

Option105-based user blocking is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

quickoffline: Specifies the users that come online. If you specify this keyword, users that come online for requests times within request-period seconds will be blocked for blocking-period seconds. If you do not specify this keyword, users that send PPPoE connection requests for requests times within request-period seconds will be blocked for blocking-period seconds.

requests: Specifies the number of PPPoE connection requests, in the range of 1 to 10000.

request-period: Specifies the detection period in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds. The value of 0 means that users will not be blocked even when they meet the blocking conditions.

Usage guidelines

Operating mechanism

If you execute this command, the device uniquely identifies a blocked user by using its circuit ID, remote ID, and the access interface.

In the CUPS scenario, when the blocking conditions are met for a user accessing a global interface or local interface on a UP, the blocking entries are generated on the master BRAS-VM managing the UP but not on the UP.

Restrictions and guidelines

The following commands can be executed on the same interface or subinterface:

· pppoe-server connection chasten option105 quickoffline requests request-period blocking-period

· pppoe-server connection chasten option105 requests request-period blocking-period

The pppoe-server connection chasten option105 quickoffline requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 quickoffline requests request-period blocking-period

The pppoe-server connection chasten option105 requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 requests request-period blocking-period

When the administrator executes this command to modify the configuration, the new configuration does not take effect on existing blocked users. For example, for a blocked user whose blocking period has not expired, even if the administrator executes this command to modify the blocking-period value, the blocked user still ages out according to the old configuration.

Examples

# Configure the device to block a user for 1000 seconds by its option105 if the user sends 100 PPPoE connection requests within 500 seconds.

<Sysname> system-view

[Sysname] pppoe-server connection chasten option105 100 500 1000

Related commands

display pppoe-server chasten statistics

display pppoe-server chasten user

pppoe-server connection chasten

pppoe-server session-limit per-mac

reset pppoe-server chasten user

pppoe-server connection chasten per-interface

Use pppoe-server connection chasten per-interface to enable PPPoE protocol packet attack prevention.

Use undo pppoe-server connection chasten per-interface to disable PPPoE protocol packet attack prevention.

Syntax

pppoe-server connection chasten per-interface number interval rate-limit-period

undo pppoe-server connection chasten per-interface

Default

PPPoE protocol packet attack prevention is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

System view

Predefined user roles

network-admin

Parameters

number: Specifies the number of PPPoE protocol packets received, in the range of 1 to 10000.

interval: Specifies the detection interval of the PPPoE protocol packet attack prevention feature, in the range of 1 to 3600 seconds.

rate-limit-period: Specifies the period for which the PPPoE protocol packets are rate-limited, in the range of 0 to 3600 seconds. The value of 0 means that users are not rate-limited even when the conditions are met.

Usage guidelines

Application scenarios

In the Discovery phase of the PPPoE link establishment process, the PPPoE client sends PADI or PADR packets to find the PPPoE server that can provide the access service. After the PPPoE session is established, the PPPoE client can send PADT packets at any time to terminate the PPPoE session.

To prevent a large number of users frequently coming online and going offline or illegal users from initiating protocol packet attacks, which will occupy a large number of system resources, you can configure the PPPoE protocol packet attack prevention feature.

Operating mechanism

With this feature configured, if the number of protocol packets that the PPPoE server receives within the detection interval exceeds the specified number, the PPPoE protocol packets received from the interface will be rate-limited. During the rate-limiting period, the excess PPPoE protocol packets are dropped. At the same time, the device still performs attack prevention detection for the interface within the rate-limiting period. If the number of PPPoE protocol packets dropped meets the formula (number of dropped packets × interval ≥ number ×rate-limit-period) before the rate-limiting period expires, one more rate-limiting period is added. After the rate-limiting period expires, the rate-limiting on the PPPoE protocol packets received from the interface is cancelled.

Restrictions and guidelines

You can execute this command in system view and in interface view. The configuration in system view takes effect on all interfaces, and the configuration in interface view takes effect only on the current interface. If this command is executed in both system view and interface view, the command in interface view takes priority.

If the administrator executes this command to modify the rate-limit-period configuration before the rate limiting period of a rate-limited user expires, the remaining aging time of the rate-limited user is immediately reset to the new rate limiting period no matter whether the other parameters in the new configuration changes. For example, the old configuration is pppoe-server connection chasten per-interface 100 500 3000, with a rate-limiting period of 3000 seconds. When the remaining aging time is 2000 seconds, the administrator executes the pppoe-server connection chasten per-interface 100 500 2500 command to configure the rate-limiting period as 2500 seconds. In this case, the remaining aging time of the rate-limited user will be immediately reset to 2500 seconds.

Examples

#Configure PPPoE protocol attack prevention on Ten-GigabitEthernet 3/1/1. When the number of PPPoE protocol packets received from the interface exceeds 1000 within 60 seconds, the packets received from the interface will be rate-limited for 300 seconds.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server connection chasten per-interface 1000 60 300

Related commands

display pppoe-server chasten per-interface

reset pppoe-server chasten per-interface

pppoe-server log enable

Use pppoe-server log enable to enable the PPPoE logging feature.

Use undo pppoe-server log enable to disable the PPPoE logging feature.

Syntax

pppoe-server log enable

undo pppoe-server log enable

Default

The PPPoE logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IMPORTANT:

As a best practice, disable this feature to prevent excessive PPPoE log output.

You can enable the PPPoE logging feature to meet the security audit (for example, source tracing) requirements. The PPPoE logging feature enables the device to generate PPPoE logs and send them to the information center. Logs are generated when the following requirements are met:

· The number of PPPoE sessions reaches the upper limit for an interface, user, VLAN, or the system.

· New users request to come online.

A log entry records the interface-based, MAC-based, VLAN-based, or system-based session limit. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable the PPPoE logging feature.

<Sysname> system-view

[Sysname] pppoe-server log enable

pppoe-server nas-port-id interface

Use pppoe-server nas-port-id interface to configure a device to use information of the specified interface to fill in the NAS-Port-ID attribute.

Use undo pppoe-server nas-port-id to restore the default.

Syntax

pppoe-server nas-port-id interface interface-type interface-number

undo pppoe-server nas-port-id

Default

Information about the interface through which the user comes online is used to fill in the NAS-Port-ID attribute.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. The specified interface must be the PPPoE user's access interface. In the current software version, the interface number can contain one, two, three, or four tiers. In each tier, the number is in the range of 0 to 65534. For example, for a 3-tier interface number, the minimum interface number is 0/0/0, and the maximum interface number is 65534/65534/65534. Specify the interface number according to the actual conditions.

Usage guidelines

a device uses information about the interface through which a user comes online to fill in the NAS-Port-ID attribute and sends it to the RADIUS server by default. In some special applications, when you need to manually specify the access interface information to be filled in the NAS-Port-ID attribute, you can use this command. For example, suppose the RADIUS server restricts user A's access to only interface A. When user A accesses through interface B and you do not want to modify the RADIUS server configuration, you can execute this command to use information about interface A to fill in the NAS-Port-ID attribute for user A and send the attribute to the RADIUS server.

In a CUPS network, the interface specified in this command must be the access interface of PPPoE users on the UP. The interface number is in the format of UP ID/actual interface number on the UP. For example, if a user accesses through Ten-GigabitEthernet 3/1/1 on UP 1024, the interface number specified in this command must be 1024/3/1/1.

When the BAS information format is China-Telecom 163 and the pppoe-server nas-port-id interface command is executed, the following rules apply:

· If the access-user four-dimension-mode enable command is also executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute:

¡ On a non-CUPS network: chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

¡ On a CUPS network: chassis=UP_ID;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

· If the access-user four-dimension-mode enable command is not executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute: slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

When the BAS information format is China-Telecom and the pppoe-server nas-port-id interface command is executed, the following rules apply:

· If the access-user four-dimension-mode enable command is also executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following NAS information field in the NAS-PORT-ID attribute:

¡ On a non-CUPS network: {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port.

¡ On a CUPS network: {eth|trunk|atm} UP_ID/NAS_slot/NAS_subslot/NAS_port.

This command takes effect only when the pppoe-server access-line-id bas-info command is configured on the device.

Examples

# Configure the device to use information of Ten-GigabitEthernet 3/1/2 to fill in the NAS-Port-ID attribute.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server nas-port-id interface ten-gigabitethernet 3/1/2

Related commands

access-user four-dimension-mode enable (BRAS Services Command Reference)

pppoe-server access-line-id bas-info

pppoe-server padi-limit (unified devices)

Use pppoe-server padi-limit to set the maximum number of PADI packets that the device can receive per second.

Use undo pppoe-server padi-limit to restore the default.

Syntax

In standalone mode:

pppoe-server padi-limit slot slot-number [ cpu cpu-number ] number

undo pppoe-server padi-limit slot slot-number

In IRF mode:

pppoe-server padi-limit chassis chassis-number slot slot-number [ cpu cpu-number ] number

undo pppoe-server padi-limit chassis chassis-number slot slot-number

Default

The default settings vary by MPU model. For more information, see the configuration guide.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the PADI packet receiving rate limit in the range of 1 to 6000.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

When device reboot or version update is performed, the burst of online requests might affect the device performance. To avoid device performance degradation and make sure the device can process PADI packets correctly, use this command to adjust the PADI packet receiving rate limit.

Examples

# (In standalone mode.) Set the maximum number of PADI packets that slot 3 can receive per second to 100.

<Sysname> system-view

[Sysname] pppoe-server padi-limit slot 3 100

pppoe-server padi-limit per-slot (UPs)

Use pppoe-server padi-limit to set the maximum number of PADI packets that each slot of a UP can receive per second.

Use undo pppoe-server padi-limit to restore the default.

Syntax

pppoe-server padi-limit per-slot number

undo pppoe-server padi-limit per-slot

Default

Each slot of a UP can receive a maximum of 2000 PADI packets per second.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the PADI packet receiving rate limit in the range of 1 to 6000.

Usage guidelines

In the CUPS scenario, when device reboot or version update is performed, the burst of online requests might affect the device performance. To avoid device performance degradation and make sure the device can process PADI packets correctly, use this command to adjust the PADI packet receiving rate limit on each slot of a UP.

Examples

# Set the maximum number of PADI packets that each slot of UP 1024 can receive per second to 100.

<Sysname> system-view

[Sysname] pppoe-server padi-limit per-slot 100

pppoe-server service-name-tag exact-match

Use pppoe-server service-name-tag exact-match to set the service name matching mode to exact match for the PPPoE server on an interface.

Use undo pppoe-server service-name-tag exact-match to restore the default.

Syntax

pppoe-server service-name-tag exact-match

undo pppoe-server service-name-tag exact-match

Default

The service name matching mode for the PPPoE server on an interface is fuzzy match.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Upon receiving a PADI or a PADR packet from a PPPoE client, the PPPoE server compares its service name with the service-name tag field of the packet. The server accepts the session establishment request only if the field matches the service name. Table 10 describes different matching rules in different matching modes.

Table 10 Service name matching rules

Matching mode	PPPoE client	PPPoE server	Result
Exact match	No service name is specified.	The number of configured service names is less than 8.	Success
	No service name is specified.	The number of configured service names is 8.	Failure
	A service name is specified.	A service name that is the same as that of the client is configured.	Success
	A service name is specified.	A service name that is the same as that of the client is not configured.	Failure
Fuzzy match	No service name is specified.	Any configuration.	Success
	A service name is specified.	A service name that is the same as that of the client is configured, or the number of configured service names is less than 8.	Success
	A service name is specified.	A service name that is the same as that of the client is not configured, or the number of configured service names is 8.	Failure

Examples

#Set the service name matching mode to exact match for the PPPoE server on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server service-name-tag exact-match

Related commands

pppoe-server tag service-name

pppoe-server session-limit

Use pppoe-server session-limit to set the maximum number of PPPoE sessions on an interface.

Use undo pppoe-server session-limit to restore the default.

Syntax

pppoe-server session-limit number

undo pppoe-server session-limit

Default

The number of PPPoE sessions on an interface is not limited.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of PPPoE sessions on an interface, in the range of 1 to 65534.

Usage guidelines

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on a card.

If the configured limit is smaller than the number of existing online sessions on the interface, the configuration succeeds. The configuration does not affect the existing online sessions. However, new sessions cannot be established on the interface.

Examples

#Set the maximum number of PPPoE sessions on Ten-GigabitEthernet 3/1/1 to 50.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server session-limit 50

Related commands

pppoe-server session-limit per-mac

pppoe-server session-limit per-vlan

pppoe-server session-limit total

pppoe-server session-limit per-mac

Use pppoe-server session-limit per-mac to set the maximum number of PPPoE sessions for a user on an interface.

Use undo pppoe-server session-limit per-mac to restore the default.

Syntax

pppoe-server session-limit per-mac number

undo pppoe-server session-limit per-mac

Default

A user can create a maximum of one PPPoE session on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of PPPoE sessions for a user, in the range of 1 to 65534.

Usage guidelines

A user is identified by a MAC address.

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on a card.

If the number argument is set to 1, when the device receives a PADR packet whose MAC address is the same as an online user, the following happens:

· If the online user has finished NCP negotiation for less than 30 seconds, the device discards the received PADR packet and the user remains online.

· If the online user has finished NCP negotiation for more than 30 seconds, the device sends a PADT packet to notify the user to go offline and deletes the session.

To generate DHCP client IDs based on PPP sessions, execute the remote address dhcp client-identifier command with the session-info keyword when the following requirements are met:

· The number argument is set to 2 or greater than 2.

· PPPoE users obtain IP addresses from the IP address pool.

Examples

#Set the maximum number of PPPoE sessions for a user on Ten-GigabitEthernet 3/1/1.1 to 50.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] pppoe-server session-limit per-mac 50

Related commands

pppoe-server session-limit

pppoe-server session-limit per-vlan

pppoe-server session-limit total

remote address dhcp client-identifier

pppoe-server session-limit per-vlan

Use pppoe-server session-limit per-vlan to set the maximum number of PPPoE sessions for a VLAN on an interface.

Use undo pppoe-server session-limit per-vlan to restore the default.

Syntax

pppoe-server session-limit per-vlan number

undo pppoe-server session-limit per-vlan

Default

The number of PPPoE sessions for a VLAN on an interface is not limited.

Views

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of PPPoE sessions for a VLAN, in the range of 1 to 65534.

Usage guidelines

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on a card.

Examples

#Set the maximum number of PPPoE sessions for a VLAN on Ten-GigabitEthernet 3/1/1.1 to 50.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] pppoe-server session-limit per-vlan 50

Related commands

pppoe-server sessions limit

pppoe-server sessions limit per-mac

pppoe-server sessions limit total

pppoe-server session-limit total

Use pppoe-server session-limit total to set the maximum number of PPPoE sessions on a device.

Use undo pppoe-server session-limit total to restore the default.

Syntax

In standalone mode:

pppoe-server session-limit slot slot-number [ cpu cpu-number ] total number

undo pppoe-server session-limit slot slot-number total

In IRF mode:

pppoe-server session-limit chassis chassis-number slot slot-number [ cpu cpu-number ] total number

undo pppoe-server session-limit chassis chassis-number slot slot-number total

Default

The number of PPPoE sessions on a card is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

total number: Specifies the maximum number of PPPoE sessions on a device, in the range of 1 to 2147483647.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· (In standalone mode.) (In IRF mode.) Limit on a card.

Examples

# (In standalone mode.) Set the maximum number of PPPoE sessions on the specified slot to 3000.

[Sysname] pppoe-server session-limit slot 1 total 3000

Related commands

pppoe-server session-limit

pppoe-server session-limit per-mac

pppoe-server session-limit per-vlan

pppoe-server tag ac-name

Use pppoe-server tag ac-name to set the access concentrator (AC) name for the PPPoE server on an interface.

Use undo pppoe-server tag ac-name to restore the default.

Syntax

pppoe-server tag ac-name name

undo pppoe-server tag ac-name

Default

The AC name for the PPPoE server is the device name on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

name: Specifies an AC name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

The PPPoE server sends its AC name in PADO packets. PPPoE clients choose a PPPoE server by AC name.

The device does not support an AC name comprised of all blank spaces.

Examples

#Specify the AC name for the PPPoE server on Ten-GigabitEthernet 3/1/1 as pppoes.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server tag ac-name pppoes

pppoe-server tag ppp-max-payload

Use pppoe-server tag ppp-max-payload to enable the PPPoE server to support the ppp-max-payload tag and set a range for the tag on an interface.

Use undo pppoe-server tag ppp-max-payload to restore the default.

Syntax

pppoe-server tag ppp-max-payload [ minimum min-number maximum max-number ]

undo pppoe-server tag ppp-max-payload

Default

The PPPoE server does not support ppp-max-payload tag on an interface. The PPPoE server ignores the ppp-max-payload tag in PADI or PADS packets from clients, and returns a PADO or PADS packets without the ppp-max-payload tag.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

minimum min-number: Specifies the minimum value for the PPP maximum payload, in the range of 64 to 9600 bytes. The default value is 1492 bytes.

maximum max-number: Specifies the maximum value for the PPP maximum payload, in the range of 64 to 9600 bytes. The default value is 1500 bytes. The max-number argument must be equal or greater than the min-number argument.

Usage guidelines

This command enables the PPPoE server to forward large PPP packets with a payload larger than 1492 bytes and reduces fragmentation. If the ppp-max-payload tag sent by the PPPoE client is within the tag range, the PPPoE server returns a PADO or PADS packet that includes the tag. If not, the PPPoE server determines that the received packets are invalid, and it does not return a PADO or PADS packet.

The jumboframe enable command can change the size of jumbo frames supported by the interface. The maximum size of the jumbo frames configured by the jumboframe enable command should be larger than the maximum value configured by the pppoe-server tag ppp-max-payload command.

Examples

#Enable the PPPoE server to support the ppp-max-payload tag and set the value for the PPP maximum payload to be in the range of 1494 to 1580 bytes on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server tag ppp-max-payload minimum 1494 maximum 1508

Related commands

jumboframe enable (Interface Command References)

pppoe-server tag service-name

Use pppoe-server tag service-name to set a service name for a PPPoE server on an interface.

Use undo pppoe-server tag service-name to delete the specified service name.

Syntax

pppoe-server tag service-name name

undo pppoe-server tag service-name name

Default

A PPPoE server does not have a service name.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

name: Specifies a service name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

Service names identify the traffic destined for PPPoE servers when multiple PPPoE servers are providing services on the network.

Upon receiving a PADI or a PADR packet from a PPPoE client, the PPPoE server compares its service name with the service-name tag field of the packet. The server accepts the session establishment request only if the field matches the service name. Service names support fuzzy match and exact match. For information about the match rules of fuzzy match and exact match, see the pppoe-server service-name-tag exact-match command.

Up to eight service names can be configured on an interface.

Examples

#Set the service name to pppoes for the PPPoE server on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server tag service-name pppoes

Related commands

pppoe-server service-name-tag exact-match

pppoe-server throttle per-mac

Use pppoe-server throttle per-mac to set the PPPoE access limit on an interface.

Use undo pppoe-server throttle per-mac to restore the default.

Syntax

pppoe-server throttle per-mac session-requests session-request-period blocking-period

undo pppoe-server throttle per-mac

Default

The PPPoE access rate is not limited on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

session-requests: Specifies the maximum number of PPPoE session requests from a user within the monitoring time. The value range is 1 to 100000.

session-request-period: Specifies the monitoring time in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking time in the range of 1 to 3600 seconds.

Usage guidelines

This command limits the rate at which a user (identified by MAC address) can create PPPoE sessions on an interface. If the number of PPPoE requests within the monitoring time reaches the configured threshold, the device discards the excessive requests, and outputs log messages. If the blocking time is set to 0, the device does not block any requests, and it only outputs log messages.

The device uses a monitoring table and a blocking table to control PPP access rates.

· Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users. The aging time of monitoring entries is determined by the session-request-period argument. When the timer expires, the system starts a new round of monitoring for the user.

· Blocking table—Stores a maximum of 8000 blocking entries. The system creates a blocking entry if the access rate of a user reaches the threshold, and blocks requests from that user. When the blocking entries reach the maximum, the system stops blocking session requests from new users and it only outputs log messages. The aging time of the blocking entries is determined by the blocking-period argument. When the timer expires, the system starts a new round of monitoring for the user.

If the access rate setting is changed, the system removes all monitoring and blocking entries, and uses the new settings to limit PPPoE access rates.

Examples

#Block PPPoE session requests of a PPPoE user for 10 seconds when the PPPoE user sends 100 requests within 80 seconds on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server throttle per-mac 100 80 10

Related commands

display pppoe-server throttled-mac

reset pppoe-server

Use reset pppoe-server to clear PPPoE sessions on the PPPoE server.

Syntax

reset pppoe-server { all | [ interface interface-type interface-number | mac-address mac-address ] * | virtual-template number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all PPPoE sessions.

interface interface-type interface-number: Specifies an interface by its type and number.

mac-address mac-address: Specifies a PPPoE user by its MAC address in the format of H-H-H.

virtual-template number: Specifies a VT interface by its number.

Usage guidelines

This command clears PPPoE sessions and forcibly logs out the corresponding users.

Examples

# Clear established sessions on Virtual-template 1 on the PPPoE server.

<Sysname> reset pppoe-server virtual-template 1

Related commands

display pppoe-server session summary

reset pppoe-server chasten per-interface

Use reset pppoe-server chasten per-interface to clear PPPoE protocol packet attack prevention entry information.

Syntax

In standalone mode:

reset pppoe-server chasten per-interface [ packets ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset pppoe-server chasten per-interface [ packets ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

packets: Clears only dropped packet statistics of PPPoE protocol packet attack prevention entries. If you do not specify this keyword, this command clears information of PPPoE protocol packet attack prevention entries.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears PPPoE protocol packet attack prevention entry information of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you specify only the packets keyword, this command clears dropped packet statistics in PPPoE protocol packet attack prevention entry information of all interfaces.

If you do not specify any parameter, this command clears PPPoE protocol packet attack prevention entry information of all interfaces.

Examples

#Clear PPPoE protocol packet attack prevention entry information on Ten-GigabitEthernet 3/1/1.

<Sysname> reset pppoe-server chasten per-interface interface ten-gigabitethernet 3/1/1

Related commands

pppoe-server connection chasten per-interface

reset pppoe-server chasten user

Use reset pppoe-server chasten user to clear information of blocked PPPoE users.

Syntax

In standalone mode:

reset pppoe-server chasten user [ packets ] [ mac-address [ mac-address ] | option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

Views

User view

Predefined user roles

network-admin

Parameters

packets: Clears only dropped packet statistics of blocked PPPoE users. If you do not specify this keyword, this command clears information of blocked PPPoE users.

mac-address [ mac-address ]: Specifies a MAC address in the H-H-H format. If you do not specify the mac-address argument, this command clears information of PPPoE users blocked based on MAC address.

option105: Clears information of PPPoE users blocked based on option 105.

circuit-id circuit-id: Specifies fuzzy matching of a circuit ID, a case-sensitive string of 1 to 127 characters. For example, if the circuit-id argument is abc, information of blocked PPPoE users whose circuit IDs contain abc will be cleared.

remote-id remote-id: Specifies fuzzy matching of a remote ID, a case-sensitive string of 1 to 127 characters. For example, if the remote-id argument is abc, information of blocked PPPoE users whose remote IDs contain abc will be cleared.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, this command clears information of blocked PPPoE users on all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

By default, the blocking state of blocked users are not cleared until the blocking period times out. During the blocking period, packets from these PPPoE users are dropped.

Use this command without specifying the packets keyword to clear the blocking state of blocked users. Then, the users can perform authentication to come online when the device receives packets from these users.

If you specify only the packets keyword, this command clears dropped packet statistics of all blocked PPPoE users.

If you do not specify any parameter, this command clears information of all blocked PPPoE users.

Examples

#Clear information of blocked PPPoE users on interface Ten-GigabitEthernet 3/1/1.

<Sysname> reset pppoe-server chasten user interface ten-gigabitethernet 3/1/1

Related commands

display pppoe-server chasten statistics

display pppoe-server chasten user

pppoe-server connection chasten

pppoe-server connection chasten option105

reset pppoe-server packet statistics

Use reset pppoe-server packet statistics to clear PPPoE server negotiation packet statistics.

Syntax

In standalone mode:

reset pppoe-server packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset pppoe-server packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Clear PPPoE server negotiation packet statistics for the specified slot.

<Sysname> reset pppoe-server packet statistics slot 1

Related commands

display pppoe-server packet statistics

PPPoE agency commands

display pppoe-agency acl statistics

Use display pppoe-agency acl statistics to display statistics of packets matching ACLs in the PPPoE agency application.

Syntax

In standalone mode:

display pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name slot slot-number [ cpu cpu-number ]

In IRF mode:

display pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 ACLs.

ipv6: Specifies IPv6 ACLs.

user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Usage guidelines

This command displays only statistics of incoming packets matching ACL rules with the counting keyword specified.

To use this command to display statistics of matching packets in the PPPoE agency application, make sure the ACL rules specified in the pppoe-agency forward command in a user group have the counting keyword specified.

Examples

# (In standalone mode.) Display statistics of incoming packets of the specified slot matching IPv4 ACLs in user group group001 in the PPPoE agency application.

<Sysname> display pppoe-agency ipv4 acl statistics user-group group001 slot 1

User-group: group001

Inbound policy:

IPv4 ACL 3001, Hardware-count

rule 0 permit destination 2.2.2.2 0 counting (2 packets 203 Bytes)

rule 5 permit destination 1.1.1.1 0 counting (5 packets 603 Bytes)

rule 10 permit destination 3.3.3.3 0 counting (No Counting Resource)

Table 11 Command output

Field	Description
User-group	User group name.
IPv4 ACL acl-number	IPv4 ACL acl-number was successfully applied.
IPv6 ACL acl-number	IPv6 ACL acl-number was successfully applied.
Hardware-count	ACL rule match counting in hardware has been successfully enabled.
Hardware-count (Failed)	The device has failed to enable counting ACL rule matches in hardware.
Hardware-count(Not enough resources to complete the operation.)	The device has failed to enable counting ACL rule matches in hardware because the resources are insufficient.
Hardware-count(The operation is not supported.)	The device has failed to enable counting ACL rule matches in hardware because this operation is not supported.
2 packets 203 Bytes	Two packets (containing 203 bytes) match the rule.

‌

Related commands

reset pppoe-agency acl statistics

display pppoe-agency packet statistics

Use display pppoe-agency packet statistics to display the PPPoE agency negotiation packet statistics.

Syntax

In standalone mode:

display pppoe-agency packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-agency packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display the PPPoE agency negotiation packet statistics of the specified slot.

<Sysname> display pppoe-agency packet statistics slot 1

PPPoE agency packet statistics in slot 1:

SEND_PADI_PKT : 0

RECV_PADO_PKT : 0 DISCARD_PADO_PKT : 0

SEND_PADR_PKT : 0

RECV_PADS_PKT : 0 DISCARD_PADS_PKT : 0

RECV_PADT_PKT : 0 DISCARD_PADT_PKT : 0

SEND_PADT_PKT : 0

Table 12 Command output

Field	Description
SEND_PADI_PKT	Number of PADI packets sent.
RECV_PADO_PKT	Number of PADO packets received.
DISCARD_PADO_PKT	Number of dropped PADO packets received.
SEND_PADR_PKT	Number of PADR packets sent.
RECV_PADS_PKT	Number of PADS packets received.
DISCARD_PADS_PKT	Number of dropped PADS packets received.
RECV_PADT_PKT	Number of PADT packets received.
DISCARD_PADT_PKT	Number of dropped PADT packets received.
SEND_PADT_PKT	Number of PADT packets sent.

‌

display pppoe-agency session summary

Use display pppoe-agency session summary to display summary information of the PPPoE agency user sessions.

Syntax

In standalone mode:

display pppoe-agency session summary [ interface interface-type interface-number | slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-agency session summary [ interface interface-type interface-number | chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option on a centralized device, this command displays entries for all interfaces.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Usage guidelines

Session information of PPPoE agency users coming online through a physical interface is displayed only on the card hosting the physical interface and the MPU. Session information of global PPPoE agency users coming online through a logical interface is displayed on all cards.

Examples

# Display summary information of the PPPoE agency user sessions on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-agency session summary interface ten-gigabitethernet 3/1/1

Total PPPoE agency sessions: 2

Ethernet interface: XGE3/1/1 Session ID: 1

PPP index: 0x140000105 State: PADR_SEND

Remote MAC: 00e0-1500-7100 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 1

Ethernet interface: XGE3/1/1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC: 00e0-1600-7200 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 2

# (In standalone mode.) Display summary information of the PPPoE agency user sessions on the specified slot.

<Sysname> display pppoe-agency session summary slot 1

Total PPPoE agency sessions on slot 1: 2

Local PPPoE agency sessions on slot 1: 1

Ethernet interface: XGE3/1/2 Session ID: 1

PPP index: 0x140000105 State: OPEN

Remote MAC: 0000-0000-0005 Local MAC: 0000-5e00-0101

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 1

Ethernet interface: RAGG1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC: 0050-56c0-0005 Local MAC: 0000-5e00-0102

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 2

Table 13 Command output

Field	Description
Total PPPoE agency sessions	Total number of PPPoE agency user sessions. When a slot is specified in this command, this command displays the total number of PPPoE agency user sessions coming online through physical interfaces in the specified slot and all global PPPoE agency user sessions in the system.
Local PPPoE agency sessions	Number of local PPPoE agency user sessions. For this field, the following rules apply: · The statistics of sessions of PPPoE agency users coming online through a physical interface are displayed on the slot hosting the physical interface. · The statistics of sessions of PPPoE agency users coming online through a global interface are displayed on the slot hosting the active MPU. (In standalone mode) · The statistics of sessions of PPPoE agency users coming online through a global interface are displayed on the slot hosting the global active MPU. (In IRF mode) (This field is not displayed if an interface is specified in this command.)
Ethernet interface	Interface bound to a PPPoE agency user session.
Session ID	ID of a PPPoE agency user session.
PPP index	PPP session index information
State	State of a PPPoE agency user session: · PADI_SEND—The PPPoE session is being created and in the session discovery phase. · PADR_SEND—The PPPoE session is being created and in the session negotiation phase. · OPEN—The PPPoE session is open. · OFFLINE—The PPPoE session is being deleted. · INIT—The PPPoE session is to be activated.
Remote MAC	Remote MAC address.
Local MAC	Local MAC address.
Service VLAN	Service provider VLAN. This field displays N/A if no service VLAN is available.
Customer VLAN	Customer VLAN. This field displays N/A if no customer VLAN is available.
Local session ID	ID of a local PPPoE agency session.

‌

pppoe-agency authentication domain

Use pppoe-agency authentication domain to configure the authentication domain for PPPoE agency users.

Use undo pppoe-agency authentication to restore the default.

Syntax

pppoe-agency authentication domain domain-name

undo pppoe-agency authentication

Default

No authentication domain is configured for PPPoE agency users.

Views

User group view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PPPoE agency user authentication domain, a case-insensitive string of 1 to 255 characters. The domain name cannot contain the following special characters: /\|”:*?<>@.

Usage guidelines

When a campus BRAS simulates a PPPoE client and initiates PPPoE dialup for network access to the PPPoE server of the corresponding ISP according to the PPPoE agency group name carried in the COA messages, the BRAS first authenticates the PPPoE agency user according to the authentication domain specified in the pppoe-agency authentication domain command. If no authentication domain is specified by the pppoe-agency authentication domain command or the specified authentication domain does not exist, the BRAS uses the authentication domain selected by the AAA module, and the username and password used for authentication are issued by the AAA service through COA messages. PPPoE agency can succeed only when the campus BRAS successfully authenticates the PPPoE agency user and the ISP PPPoE server successfully authenticates the PPPoE client. If the authentication on any end fails, PPPoE agency fails. In this case, the user can access only the internal network, and cannot access the external network.

Examples

# Configure authentication domain dm1 for PPPoE agency users in user group group1.

<Sysname> system-view

[Sysname] user-group group1

[Sysname-ugroup-group1] pppoe-agency authentication domain dm1

Related commands

domain (BRAS Services Command Reference)

pppoe-agency bind

Use pppoe-agency bind to enable the PPPoE agency on an interface and bind the interface to a PPPoE agency group.

Use undo pppoe-agency bind to disable the PPPoE agency on an interface and unbind the interface from the PPPoE agency group.

Syntax

pppoe-agency bind virtual-template number pppoe-agency-group pppoe-agency-group-name

undo pppoe-agency bind

Default

The PPPoE agency is disabled on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

virtual-template number: Specifies a VT interface by its number. The value range for this field is 0 to 1023.

pppoe-agency-group pppoe-agency-group-name: Specifies a PPPoE agency group by its name, a case-insensitive string of 1 to 31 characters. The name uniquely identifies the ISP to which the PPPoE agency users belong. The PPPoE agency group name can only be authorized by the AAA server through the Framed-Pool attribute. The value for the pppoe-agency-group-name argument specified in this command must be the same as the value for the Framed-Pool attribute authorized by the AAA server to the PPPoE agency users.

Usage guidelines

Working mechanism

With this feature configured, when a campus BRAS user initiates the agency process, the campus BRAS will select one interface that matches the PPPoE agency group name carried in COA messages from the interfaces with the pppoe-agency bind command executed (PPPoE agency interfaces), and use the interface to simulate a PPPoE client and initiate PPPoE dialup for network access to the PPPoE server of the corresponding ISP.

If the PPPoE agency group name carried in the COA messages authorized to a user matches the pppoe-agency-group-name argument value configured on multiple interfaces, the device will select the interface with the least online PPPoE agency users to simulate a PPPoE client for the user to perform PPPoE agency dialup. If multiple interfaces meet the requirements, the device randomly selects one from them.

Restrictions and cautions

When the PPPoE agency is enabled on an interface, the VT interface bound to the interface must exist.

When online PPPoE agency users exist on an interface, you cannot directly use the undo pppoe-agency bind command to disable the PPPoE agency on the interface. To do that, first log out all online PPPoE agency users on the interface, and then execute the undo pppoe-agency bind command.

If an interface has the PPPoE agency enabled and is bound to a VT interface, you cannot directly use this command to bind the interface to a new VT interface. To do that, first disable the PPPoE agency on the interface, and then re-enable the PPPoE agency on the interface and bind it to a new VT interface.

If both the PPPoE client and PPPoE agency are enabled on an interface, the PPPoE client does not take effect.

When the device is configured to operate in user plane mode by using the work-mode user-plane command, you cannot enable the PPPoE agency on any interface of the device.

On an interface, the pppoe-server bind command and the pppoe-agency bind command are mutually exclusive.

Examples

# Enable the PPPoE agency on Ten-GigabitEthernet 3/1/1, and bind Ten-GigabitEthernet 3/1/1 to VT interface 1 and PPPoE agency group 1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-agency bind virtual-template 1 pppoe-agency-group 1

pppoe-agency forward

Use pppoe-agency forward to configure a PPPoE agency forwarding policy.

Use undo pppoe-agency forward to restore the default.

Syntax

pppoe-agency forward { ipv4 | ipv6 } acl { acl-number | name acl-name }

undo pppoe-agency forward { ipv4 | ipv6 }

Default

No PPPoE agency forwarding policy is configured.

Views

User group view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 ACLs.

ipv6: Specifies IPv6 ACLs.

acl: Performs PPPoE agency forwarding for traffic based on ACLs. Traffic matching the specified ACL is considered as internal network traffic and directly forwarded. Traffic not matching the specified ACL is considered as external network traffic and forwarded through the PPPoE agency.

· acl-number: Specifies an ACL by its number, in the range of 3000 to 3999 (advanced ACL) .

· name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

Usage guidelines

When specifying an ACL, follow these restrictions and guidelines:

· Do not specify the user-group keyword in any ACL rule. If you do that, the PPPoE agency function based on the ACL is not available.

· If the specified ACL does not exist or does not have any rules, all traffic is external network traffic and must be forwarded through the PPPoE agency.

· In the specified ACL, the following rules apply:

¡ If a rule has the vpn-instance keyword specified, the rule takes effect only on users in the specified VPN instance, and user traffic matching the ACL rule in the specified VPN instance is considered as internal network traffic and directly forwarded.

¡ If a rule does not have the vpn-instance keyword specified, the rule takes effect only on all users (including users in VPN instances). When user traffic is compared with the ACL rule, its VPN attributes are ignored. User traffic matching the ACL rule is considered as internal network traffic and directly forwarded.

Examples

# Configure user group group1 to directly forward traffic matching IPv4 ACL 3000 and forward non-matching traffic through the PPPoE agency or drop the non-matching traffic.

<Sysname> system-view

[Sysname] user-group group1

[Sysname-ugroup-group1] pppoe-agency forward ipv4 acl 3000

Related commands

pppoe-agency bind

user-group (BRAS Services Command Reference)

pppoe-agency log enable

Use pppoe-agency log enable to enable the PPPoE agency logging feature.

Use undo pppoe-agency log enable to disable the PPPoE agency logging feature.

Syntax

pppoe-agency log enable

undo pppoe-agency log enable

Default

The PPPoE agency logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You can enable the PPPoE agency logging feature to meet the security audit (for example, source tracing) requirements. This feature records the mappings between the internal IP addresses of internal campus users and the IP addresses that ISPs allocate to PPPoE agency users.

With this feature enabled, when a PPPoE agency user comes online, the BRAS in the campus will generate log messages about the mapping between the internal IP address of the internal campus user and the IP address that the ISP allocates to the PPPoE agency user. The generated PPPoE agency log messages by the device will be sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.

To prevent the device from generating too many PPPoE agency logs, as a best practice, disable this feature typically.

Examples

# Enable the PPPoE agency logging feature.

<Sysname> system-view

[Sysname] pppoe-agency log enable

reset pppoe-agency

Use reset pppoe-agency to clear the PPPoE agency sessions on the PPPoE agency.

Syntax

reset pppoe-agency { all | interface interface-type interface-number | virtual-template number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all PPPoE agency sessions.

interface interface-type interface-number: Specifies an interface by its type and number.

virtual-template number: Specifies a VT interface by its number.

Usage guidelines

This command clears PPPoE agency sessions and forcibly logs out agency users.

Examples

# Clear the PPPoE agency sessions on Virtual-Template 1 on the PPPoE agency.

<Sysname> reset pppoe-agency virtual-template 1

Related commands

display pppoe-agency session summary

reset pppoe-agency acl statistics

Use reset pppoe-agency acl statistics to clear statistics of packets matching ACLs in the PPPoE agency application.

Syntax

In standalone mode:

reset pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name slot slot-number [ cpu cpu-number ]

In IRF mode:

reset pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 ACLs.

ipv6: Specifies IPv6 ACLs.

user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Examples

# (In standalone mode.) Clear statistics of packets of the specified slot matching IPv4 ACLs in user group group001.

<Sysname> reset pppoe-agency ipv4 acl statistics user-group group001 slot 1

Related commands

display pppoe-agency acl statistics

reset pppoe-agency packet statistics

Use reset pppoe-agency packet statistics to clear the PPPoE agency negotiation packet statistics.

Syntax

In standalone mode:

reset pppoe-agency packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset pppoe-agency packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries for the active MPU. (In standalone mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Clear the PPPoE agency negotiation packet statistics on the device.

<Sysname> reset pppoe-agency packet statistics

17-BRAS Services Command Reference

display pppoe-server session summary

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Restrictions and guidelines

pppoe-server padi-limit (unified devices)

Working mechanism

Restrictions and cautions

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

Company Information

News & Events

Contact Us