17-BRAS Services Command Reference

11-IPoE commands

Contents

IPoE commands
add interface
display ip subscriber abnormal-logout
display ip subscriber chasten user auth-failed
display ip subscriber chasten user quiet
display ip subscriber auto-save
display ip subscriber auto-save file-status
display ip subscriber auto-save statistics
display ip subscriber http-defense blocked-destination-ip
display ip subscriber http-defense free-destination-ip
display ip subscriber http-defense unblocked-destination-ip
display ip subscriber static-session configuration
display static-user interface-list
ip subscriber 8021p
ip subscriber abnormal-logout max-user
ip subscriber access-block
ip subscriber access-delay
ip subscriber access-line-id circuit-id trans-format
ip subscriber access-line-id remote-id trans-format
ip subscriber access-out
ip subscriber access-trigger loose
ip subscriber authentication chasten
ip subscriber authentication-method
ip subscriber captive-bypass enable
ip subscriber auto-save max-user
ip subscriber auto-save-file
ip subscriber auto-save-file now
ip subscriber auto-recover enable
ip subscriber auto-recover speed
ip subscriber basic-service-ip-type
ip subscriber dhcp domain
ip subscriber dhcp domain include
ip subscriber dhcp max-session
ip subscriber dhcp option60 match
ip subscriber dhcp password
ip subscriber dhcp rate-limit
ip subscriber recover-file
ip subscriber save-file
ip subscriber dhcp username
ip subscriber dhcp-release-ip dot1x-offline
ip subscriber dhcpv6 max-session
ip subscriber dhcpv6 match
ip subscriber dhcpv6 password option16
ip subscriber dhcpv6 rate-limit
ip subscriber dot1x-offline user-offline
ip subscriber dscp
ip subscriber enable
ip subscriber http-defense destination-ip enable
ip subscriber http-defense destination-ip threshold
ip subscriber http-defense free-destination-ip
ip subscriber http-fast-reply enable
ip subscriber if-match
ip subscriber initiator arp enable
ip subscriber initiator ndrs enable
ip subscriber initiator nsna enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber interface-leased
ip subscriber l2vpn-leased
ip subscriber lease-end-time original
ip subscriber mac-auth domain
ip subscriber max-session
ip subscriber nas-port-id format
ip subscriber nas-port-id interface
ip subscriber nas-port-id nasinfo-insert
ip subscriber ndrs domain
ip subscriber ndrs max-session
ip subscriber ndrs username
ip subscriber ndrs user-detect-address eui-64
ip subscriber ndrs wait-delegation-prefix
ip subscriber password
ip subscriber pre-auth domain
ip subscriber pre-auth track
ip subscriber reauth
ip subscriber roaming enable
ip subscriber service-identify
ip subscriber session static (interface view)
ip subscriber session static (system view)
ip subscriber session static-leased
ip subscriber session-conflict action offline
ip subscriber static-dot1x-user enable
ip subscriber static-session request-online interval
ip subscriber subnet-leased
ip subscriber timer quiet
ip subscriber trust
ip subscriber unclassified-ip domain
ip subscriber unclassified-ip ip match
ip subscriber unclassified-ip ipv6 match
ip subscriber unclassified-ip max-session
ip subscriber unclassified-ip username
ip subscriber unclassified-ipv6 max-session
ip subscriber username
ip subscriber user-detect ip
ip subscriber user-detect ipv6
ip subscriber vlan
ip subscriber web-auth domain
ip subscriber web-redhcp enable
reset ip subscriber abnormal-logout
reset ip subscriber chasten user auth-failed
reset ip subscriber chasten user quiet
reset ip subscriber http-defense destination-ip
static-user interface-list
Portal commands
aging-time
authentication-timeout
binding-retry
default-logon-page
display portal ip-subscriber message statistics
display portal mac-trigger entry
display portal mac-trigger-server
display portal mac-trigger-server packet statistics
display portal packet statistics
display portal server
display portal session user-type
exclude-attribute
free-traffic threshold
ip (MAC binding server view)
ip (portal authentication server view)
ipv6
logon-page bind
logout-notify
nas-port-type
port (MAC binding server view)
port (portal authentication server view)
portal { bas-ip | bas-ipv6 } (system view/interface view)
portal access-info trust
portal apply mac-trigger-server
portal local-web-server
portal mac-trigger-server
portal server
reset portal ip-subscriber message statistics
reset portal mac-trigger-server packet statistics
reset portal packet statistics
server-detect (portal authentication server view)
server-register
server-type
server-type (MAC binding server view)
tcp-port
user-sync
version

IPoE commands

On a CUPS network, this device acts only as a UP. When executing operation commands in this chapter (commands except the display commands), follow these restrictions and guidelines:

·     If a command is tagged with (UPs), this command can be executed only on a UP. Before executing this command on a UP, make sure you are fully aware of the impact of this command on the current network and prevent configuration errors from causing network failures.

·     If a command does not have any tag, this command can be executed only on a CP by default. To execute this command on a UP, do that under the guidance of professionals, make sure you are fully aware of the impact of this command on the current network, and prevent configuration errors from causing network failures.

add interface

Use add interface to add an interface to a static user interface list.

Use undo add interface to remove an interface from a static user interface list.

Syntax

add interface interface-type interface-number

undo add interface interface-type interface-number

Default

An interface is not added to a static user interface list.

Views

Static user interface list view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

When multiple static IPoE users on the same subnet need to come online through multiple access interfaces, first execute the static-user interface-list command to create a static user interface list, and then execute the add interface command to add the interfaces through which the static users access the network to that list.

An interface can be added to up to one static user interface list.

Examples

# Add interface Ten-GigabitEthernet3/1/1 to static user interface list 2.

<Sysname> system-view

[Sysname] static-user interface-list 2

[Sysname-static-interface-list2] add interface ten-gigabitethernet 3/1/1

Related commands

display static-user interface-list

static-user interface-list

display ip subscriber abnormal-logout

Use display ip subscriber abnormal-logout to display entry information about abnormally logged out IPoE users.

Syntax

In standalone mode:

display ip subscriber abnormal-logout [ access-type { dhcpv4 | dhcpv6 | ndrs } | { mac mac-address | ip-type { ipv4 | ipv6 } } * | { ip ipv4-address | ipv6 ipv6-address | ipv6-prefix prefix-address/prefix-length } ] [ verbose ] [ slot slot-number ]

In IRF mode:

display ip subscriber abnormal-logout [ access-type { dhcpv4 | dhcpv6 | ndrs } | { mac mac-address | ip-type { ipv4 | ipv6 } } * | { ip ipv4-address | ipv6 ipv6-address | ipv6-prefix prefix-address/prefix-length } ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies a type of abnormally logged out users.

·     dhcpv4: Specifies abnormally logged out DHCPv4 users.

·     dhcpv6: Specifies abnormally logged out DHCPv6 users.

·     ndrs: Specifies abnormally logged out ND RS users.

mac mac-address: Specifies a MAC address in the format of H-H-H.

ip-type: Specifies an IP address type.

·     ipv4: Specifies IPv4 addresses.

·     ipv6: Specifies IPv6 addresses.

ip ipv4-address: Specifies an IPv4 address.

ipv6 ipv6-address: Specifies an IPv6 address.

ipv6-prefix prefix-address/prefix-length: Specifies an IPv6 prefix in the form of prefix address/prefix length.

verbose: Specifies detailed user information. If this keyword is not specified, this command displays brief entry information about abnormally logged out IPoE users.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on the global active MPU. (In IRF mode.)

up-id-list up-id-list: Specifies a space-separated list of up to 1024 UP items. Each item specifies a UP or a range of UPs in the form of up-id1 to up-id2. The value for up-id2 must be greater than or equal to the value for up-id1. The value range for the up-id argument varies by device model. Only BRAS-VMs support this option.

Usage guidelines

When an IPoE-enabled access interface goes down or is operated on by mistake (for example, the cut access-user command is executed on it), the sessions for IPoE users on the interface are deleted. The device automatically records entry information for these abnormally logged out IPoE users. To view this information, execute the display ip subscriber abnormal-logout command.

For abnormally logged out IPoE users to come online again through packet initiation, you must configure the corresponding packet initiation method. For more information, see Layer 2—WAN Access Configuration Guide.

Examples

# Display brief entry information about abnormally logged out IPoE users on the specified slot.

<Sysname> display ip subscriber abnormal-logout slot 0

Total entries: 2

IP/IPv6 address                               MAC address         S-/C-VLAN

2.2.2.3                                       000c-1983-7712      -/-

2::3                                          000c-1983-7712      -/-

Table 1 Command output

Field

Description

Total entries

Total number of entries for abnormally logged out users.

For each abnormally logged out IPoE user, up to three entries are recorded, including IPv4, IPv6 (including PD prefix), and ND RS entries.

IP/IPv6 address

IPv4 or IPv6 address of the user.

MAC address

MAC address of the user.

S-/C-VLAN

SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-).

 

# Display detailed entry information about all abnormally logged out IPoE users.

<Sysname> display ip subscriber abnormal-logout verbose

  IP address          : 1.1.1.1

  IPv6 PD Prefix      : -

  IPv6 ND Prefix      : -

  MAC address         : 000d-88f8-0eab

  S-VLAN/C-VLAN       : -/-

  Access type         : DHCPv4

  Access interface    : Ten-GigabitEthernet3/1/1

  Virtual MAC address : -

  Offline reason      : cut command

  Aging               : May 9 10:05:29 2019

  VSRP instance       : N/A

  UP ID               : -

  UP backup profile   : -

 

  IPv6 address        : 1::1

  IPv6 PD Prefix      : -

  IPv6 ND Prefix      : -

  MAC address         : 000d-88f8-0eab

  S-VLAN/C-VLAN       : -/-

  Access type         : DHCPv6

  Access interface    : Ten-GigabitEthernet3/1/1

  Virtual MAC address : -

  Offline reason      : cut command

  Aging               : May 9 10:05:29 2019

  VSRP instance       : N/A

  UP ID               : -

  UP backup profile   : -

Table 2 Command output

Field

Description

IP address

IPv4 address of the user.

IPv6 address

IPv6 address of the user.

IPv6 PD Prefix

IPv6 PD prefix of the user. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-).

IPv6 ND Prefix

IPv6 ND prefix of the user. If the user does not have an IPv6 ND prefix, this field displays a hyphen (-).

MAC address

MAC address of the user.

S-VLAN/C-VLAN

SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Access interface of the user. On a UP backup network, this field displays the main interface or the subinterface corresponding to the main interface configured in the UP backup profile.

Virtual MAC address

Virtual MAC address of the access interface of the user. This field is significant only in 1:N warm load balancing mode on a UP backup network. This field displays a hyphen (-) in any other cases.

Offline reason

Reason why the user is abnormally logged out. For more information, see the log manual for UCM logins and logouts.

Aging

Time when the entry for the abnormally logged out user will age out. N/A means that the entry never ages out.

If you change the system time before the entry ages out, the device adjusts this time to the new system time so that the remaining aging time is unchanged.

VSRP instance

This field is not supported in the current software version. Name of a VSRP instance. When no VSRP instance is available, this field displays N/A.

UP ID

This field is not supported in the current software version. UP ID of the abnormally logged out user. When no UP ID is available (for example, on a non-vBRAS-CP), this field displays a hyphen (-).

UP backup profile

This field is not supported in the current software version. UP backup profile ID. When no UP backup profile ID is available (for example, on a non-vBRAS-CP), this field displays a hyphen (-).
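The verbose output above is what an operator feeds into monitoring to notice a burst of forced logouts on one access interface. The Python below, added here as an example and not part of the H3C reference, parses the two entry blocks shown above into records, collapses the up-to-three entries per user onto the MAC address, and counts logouts per access interface and offline reason; the sample text is constructed from the example output and the threshold helper is an assumption about how such a check would be used.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the two entry blocks from the example above, as printed
# by "display ip subscriber abnormal-logout verbose" (blank line = boundary).
SAMPLE_OUTPUT = """\
  IP address          : 1.1.1.1
  IPv6 PD Prefix      : -
  IPv6 ND Prefix      : -
  MAC address         : 000d-88f8-0eab
  S-VLAN/C-VLAN       : -/-
  Access type         : DHCPv4
  Access interface    : Ten-GigabitEthernet3/1/1
  Virtual MAC address : -
  Offline reason      : cut command
  Aging               : May 9 10:05:29 2019
  VSRP instance       : N/A
  UP ID               : -
  UP backup profile   : -

  IPv6 address        : 1::1
  IPv6 PD Prefix      : -
  IPv6 ND Prefix      : -
  MAC address         : 000d-88f8-0eab
  S-VLAN/C-VLAN       : -/-
  Access type         : DHCPv6
  Access interface    : Ten-GigabitEthernet3/1/1
  Virtual MAC address : -
  Offline reason      : cut command
  Aging               : May 9 10:05:29 2019
  VSRP instance       : N/A
  UP ID               : -
  UP backup profile   : -
"""

# Split "Field name : value" on the first colon preceded by whitespace, so the
# colons inside IPv6 addresses and timestamps are left in the value.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s+:\s?(?P<value>.*)$")


def _clean(value: str) -> Optional[str]:
    """The command prints '-', '-/-' or 'N/A' for an absent value; map them to None."""
    value = value.strip()
    return None if value in ("-", "-/-", "N/A", "") else value


def parse_entries(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per entry block; a blank line separates blocks."""
    entries: List[Dict[str, Optional[str]]] = []
    current: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = _clean(m.group("value"))
    if current:
        entries.append(current)
    return entries


def parse_aging(value: Optional[str]) -> Optional[datetime]:
    """'May 9 10:05:29 2019' -> datetime; None when the entry never ages out (N/A)."""
    value = _clean(value) if value is not None else None
    return None if value is None else datetime.strptime(value, "%b %d %H:%M:%S %Y")


def distinct_users(entries: List[Dict[str, Optional[str]]]) -> int:
    """Up to three entries (IPv4, IPv6/PD, ND RS) exist per user, so count MAC addresses."""
    return len({e.get("MAC address") for e in entries if e.get("MAC address")})


def logouts_by_interface(entries: List[Dict[str, Optional[str]]]) -> Dict[str, Counter]:
    """Entries per access interface, broken down by offline reason."""
    result: Dict[str, Counter] = {}
    for e in entries:
        iface = e.get("Access interface") or "unknown"
        result.setdefault(iface, Counter())[e.get("Offline reason") or "unknown"] += 1
    return result


def interfaces_over_threshold(entries: List[Dict[str, Optional[str]]], threshold: int) -> List[str]:
    """Interfaces where more than `threshold` distinct users were abnormally logged out (assumed check)."""
    per_iface: Dict[str, set] = {}
    for e in entries:
        per_iface.setdefault(e.get("Access interface") or "unknown", set()).add(e.get("MAC address"))
    return sorted(i for i, macs in per_iface.items() if len(macs) > threshold)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_OUTPUT)
    print(f"{len(parsed)} entries, {distinct_users(parsed)} distinct user(s)")
    for iface, reasons in logouts_by_interface(parsed).items():
        print(iface, dict(reasons))
```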

 

Related commands

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

reset ip subscriber abnormal-logout

display ip subscriber chasten user auth-failed

Use display ip subscriber chasten user auth-failed to display information about IPoE individual users with authentication failure records that have not met the blocking conditions.

Syntax

In standalone mode:

display ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

ip ipv4-address: Specifies the source IPv4 address of an IPoE individual user.

ipv6 ipv6-address: Specifies the source IPv6 address of an IPoE individual user.

mac mac-address: Specifies the MAC address of an IPoE individual user, in the format of H-H-H.

user-type: Specifies a user type. If you do not specify a user type, this command displays information about all types of IPoE individual users.

·     dhcp: Specifies DHCPv4 users.

·     dhcpv6: Specifies DHCPv6 users.

·     ndrs: Specifies IPv6 ND RS users.

·     unclassified-ip: Specifies unclassified-IPv4 users.

·     unclassified-ipv6: Specifies unclassified-IPv6 users.

·     static: Specifies static users.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

up-id-list up-id-list: Specifies a space-separated list of up to 1024 UP items. Each item specifies a UP or a range of UPs in the form of up-id1 to up-id2. The value for up-id2 must be greater than or equal to the value for up-id1. The value range for the up-id argument varies by device model. Only BRAS-VMs support this option.

Usage guidelines

In a CP and UP separation (CUPS) IPoE network, this command takes effect only when it is executed on CPs.

Examples

# Display brief information about the IPoE individual users with authentication failure records that have not met the blocking conditions on Ten-GigabitEthernet 3/1/1.

<Sysname> display ip subscriber chasten user auth-failed interface ten-gigabitethernet 3/1/1

Interface           IP address           MAC address    SVLAN/CVLAN Failures

XGE3/1/1             6.6.6.2              248c-c3d1-0406 -/-         7

Table 3 Command output

Field

Description

Interface

Interface that connects the user.

IP address

IP address of the user.

MAC address

MAC address of the user.

SVLAN/CVLAN

SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Failures

Number of consecutive authentication failures of the user. This field displays N/A for entries that are about to age out.

 

Related commands

ip subscriber authentication chasten

ip subscriber timer quiet

reset ip subscriber chasten user auth-failed

display ip subscriber chasten user quiet

Use display ip subscriber chasten user quiet to display information about blocked IPoE users.

Syntax

In standalone mode:

display ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ verbose ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ verbose ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.

ip ipv4-address: Specifies the source IPv4 address of a blocked IPoE user.

ipv6 ipv6-address: Specifies the source IPv6 address of a blocked IPoE user.

mac mac-address: Specifies the MAC address of a blocked IPoE user, in the format of H-H-H.

user-type: Specifies a user type.

·     dhcp: Specifies DHCPv4 users.

·     dhcpv6: Specifies DHCPv6 users.

·     ndrs: Specifies IPv6 ND RS users.

·     unclassified-ip: Specifies unclassified-IPv4 users.

·     unclassified-ipv6: Specifies unclassified-IPv6 users.

·     static: Specifies static users.

verbose: Displays detailed information about blocked IPoE users. If this keyword is not specified, this command displays brief information about blocked IPoE users.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

up-id-list up-id-list: Specifies a space-separated list of up to 1024 UP items. Each item specifies a UP or a range of UPs in the form of up-id1 to up-id2. The value for up-id2 must be greater than or equal to the value for up-id1. The value range for the up-id argument varies by device model. Only BRAS-VMs support this option.

Usage guidelines

In a CUPS IPoE network, this command takes effect only when it is executed on CPs.

Examples

# Display brief information about the blocked IPoE users on Ten-GigabitEthernet 3/1/1.

<Sysname> display ip subscriber chasten user quiet interface ten-gigabitethernet 3/1/1

Type: D-DHCP   S-Static     U-Unclassified-IP     N-NDRS

Interface            IP address                MAC address    Type  Aging(s)

XGE3/1/1              6.6.6.2                   248c-c3d1-0406 U     7

Table 4 Command output

Field

Description

Interface

Interface that connects the user.

IP address

IP address of the user.

MAC address

MAC address of the user.

Type

IPoE user type:

·     D—DHCP user.

·     S—Static user.

·     U—Unclassified-IP user.

·     N—IPv6 ND RS user.

Aging(s)

Remaining aging time in seconds for the user.

 

# (In standalone mode.) Display detailed information about all blocked IPoE users on Ten-GigabitEthernet 3/1/1.

<Sysname> display ip subscriber chasten user quiet interface ten-gigabitethernet 3/1/1 verbose

Username                       : 1.1.1.10

  Domain                       : dm0

  IP address                   : 1.1.1.10

  MAC address                  : 4649-e2cf-0216

  Service-VLAN/Customer-VLAN   : -/-

  Access interface             : XGE3/1/1

  Service node                 : Slot 3

  Access Type                  : Unclassified-IP

  Aging                        : 41 sec

Table 5 Command output

Field

Description

Username

Username for authentication.

Domain

ISP domain of the user for authentication.

IP address

IP address of the user.

MAC address

MAC address of the user.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part.

Access interface

Interface that connects the user.

Service node

Slot number and CPU number of the card that connects the user.

Access Type

IPoE user type:

·     DHCP—DHCP user.

·     Unclassified-IP—Unclassified-IP user.

·     NDRS—IPv6 ND RS user.

·     Static—Static user.

Aging

Remaining aging time for the user, in seconds.

 

Related commands

ip subscriber timer quiet

reset ip subscriber chasten user quiet

display ip subscriber auto-save

Use display ip subscriber auto-save to display information about auto backed-up IPoE users.

Syntax

In standalone mode:

display ip subscriber auto-save { access-type { dhcpv4 | dhcpv6 | ndrs } | domain domain-name | ip-type { ipv4 | ipv6 | dual-stack } | mac-address mac-address | online | wait-recover } [ interface interface-type interface-number [ s-vlan s-vlan [ c-vlan c-vlan ] ] ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip subscriber auto-save { access-type { dhcpv4 | dhcpv6 | ndrs } | domain domain-name | ip-type { ipv4 | ipv6 | dual-stack } | mac-address mac-address | online | wait-recover } [ interface interface-type interface-number [ s-vlan s-vlan [ c-vlan c-vlan ] ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies a type of IPoE access users.

·     dhcpv4: Specifies DHCPv4 access users.

·     dhcpv6: Specifies DHCPv6 access users.

·     ndrs: Specifies ND RS access users.

domain domain-name: Specifies an ISP domain by its name. The domain-name argument specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain the following special characters: /\|":*?<>@.

ip-type: Specifies the IP version of IPoE users.

·     ipv4: Specifies IPv4 users.

·     ipv6: Specifies IPv6 users.

·     dual-stack: Specifies dual-stack users.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

online: Displays brief information about online IPoE users.

wait-recover: Displays brief information about IPoE users waiting to recover.

interface interface-type interface-number: Specifies an interface by its type and number.

·     s-vlan s-vlan: Specifies the SVLAN of an IPoE user. The value range for this argument is 1 to 4094.

·     c-vlan c-vlan: Specifies the CVLAN of an IPoE user. The value range for this argument is 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on the global active MPU. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display brief information about auto backed-up online IPoE users.

<Sysname> display ip subscriber auto-save online

MAC address     IP address       Interface                S-/C-VLAN

                IPv6 address

000c-1983-6712  2.2.2.3          XGE3/1/3                  -/-

                -

000c-1983-6713  2.2.2.4          XGE3/1/3                  -/-

                -

000c-1983-6714  2.2.2.5          XGE3/1/3                  -/-

                -

000c-1983-6715  2.2.2.6          XGE3/1/3                  -/-

                -

a6f7-a29f-0206  2.2.2.11         XGE3/1/2                  -/-

                1::2

Table 6 Command output

Field

Description

MAC address

MAC address of the user.

IP address

IPv4 address of the user. If the user does not have an IPv4 address, this field displays a hyphen (-).

Interface

Access interface of the user.

S-/C-VLAN

SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays -/-.

IPv6 address

IPv6 address of the user. If the user does not have an IPv6 address, this field displays a hyphen (-).

 

# Display detailed information about an auto backed-up IPoE user specified by its MAC address.

<Sysname> display ip subscriber auto-save mac-address a6f7-a29f-0206

Basic Info:

  MAC address: a6f7-a29f-0206

  IP address: 2.2.2.11

  IPv6 address: 1::2

  Interface: XGE3/1/2

  Service-VLAN/Customer-VLAN: -/-

  VPN instance: N/A

  Domain: dm1

  Status: Online

DHCPv4 Info:

  DHCP remaining lease: 85557 seconds

DHCPv6 Info:

  DHCPv6 remaining lease: 2588825 seconds

  IPv6 PD prefix: -

  PD prefix length: 0

  IA Type: IANA

  IANA ID: 33554432

  IAPD ID: 0

  Option1:

  0003 0001 a6f7 a29f 0200

# Display detailed information about an auto backed-up IPoE user specified by its MAC address.

<Sysname> display ip subscriber auto-save mac-address 30c8-46a3-0506

Basic Info:

  MAC address: 30c8-46a3-0506

  IP address: -

  IPv6 address: -

  IPv6 ND prefix: 5:6::/64

  Interface: XGE3/1/2

  Service-VLAN/Customer-VLAN: -/-

  VPN instance: N/A

  Domain: dm1

  Status: Online

DHCPv6 Info:

  DHCPv6 remaining lease: 2592000 seconds

  IPv6 PD prefix: 2020:2021::

  PD prefix length: 40

  IA Type: IAPD

  IANA ID: 0

  IAPD ID: 1

  Option1:

  0003 0001 30c8 46a3 0500

Table 7 Command output

Field

Description

Basic Info

Basic information of the auto backed-up user.

MAC address

MAC address of the user.

IP address

IPv4 address of the user. If the user does not have an IPv4 address, this field displays a hyphen (-).

IPv6 address

IPv6 address of the user. If the user does not have an IPv6 address, this field displays a hyphen (-).

IPv6 ND prefix

IPv6 ND prefix of the user. If the user does not have an IPv6 ND prefix, this field displays a hyphen (-).

Interface

Access interface of the user.

Service-VLAN/Customer-VLAN

SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays -/-.

VPN instance

VPN instance of the user. If the user belongs to the public network, this field displays N/A.

Domain

ISP domain name used for authentication.

Status

User status:

·     Online.

·     Wait-Recover—The user is waiting to recover. When a user goes offline abnormally because of a failure, the device sets the status of the user backed up in memory to Wait-Recover.

DHCPv4 Info

DHCPv4 information. This field is displayed only when a user obtains IPv4 addresses.

DHCP remaining lease

Remaining IPv4 address lease duration of the user, in seconds.

·     Hyphen (-)—The user does not have a DHCP lease.

·     Unlimited—The lease duration is unlimited.

Optionn: [m]

DHCPv4 option information. This field is displayed only when the user carries the corresponding option when coming online. The option contents are displayed in hexadecimal format. n is the option serial number, and m is the suboption serial number (if any).

Possible values include:

·     Option12—DHCPv4 option12.

·     Option55—DHCPv4 option55.

·     Option60—DHCPv4 option60.

·     Option61—DHCPv4 option61.

·     Option77—DHCPv4 option77.

·     Option82—DHCPv4 option82, which contains suboptions.

    -     1—The first suboption of DHCPv4 option82.

    -     2—The second suboption of DHCPv4 option82.

    -     9—The ninth suboption of DHCPv4 option82.

DHCPv6 Info

DHCPv6 information. This field is displayed only when a user obtains IPv6 global unicast addresses or IPv6 prefixes.

DHCPv6 remaining lease

Remaining IPv6 address lease duration of the user, in seconds.

·     Hyphen (-)—The user does not have a DHCP lease.

·     Unlimited—The lease duration is unlimited.

IPv6 PD prefix

IPv6 PD prefix of the user. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-).

PD prefix length

IPv6 PD prefix length of the user. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-).

IA type

Identity Association (IA) type:

·     IANA—The user applies for a global unicast address through DHCPv6 (IA_NA).

·     IAPD—The user applies for an IPv6 PD prefix through DHCPv6 (IA_PD).

·     IANA_IAPD—The user applies for a global unicast address through DHCPv6 (IA_NA) and applies for an IPv6 PD prefix through DHCPv6 (IA_PD).

IANA ID

ID in the IANA option.

IAPD ID

ID in the IAPD option.

Optionn

DHCPv6 option information. This field is displayed only when the user carries the corresponding option when coming online. The option contents are displayed in hexadecimal format. n is the option serial number.

Possible values include:

·     Option1—DHCPv6 option1.

·     Option16—DHCPv6 option16.

·     Option17—DHCPv6 option17.

·     Option18—DHCPv6 option18.

·     Option37—DHCPv6 option37.
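The Option1 value shown above is the client's DHCPv6 DUID in hex: 0003 0001 ... is a DUID-LL (type 3) with hardware type 1 (Ethernet) followed by a link-layer address. The Python below, added here as an example rather than taken from the reference, decodes that field (and also the DUID-LLT and DUID-EN layouts from RFC 8415, which the page does not show) and compares the embedded address with the MAC address the device recorded for the user. The two may legitimately differ, as they do in the example above (...0200 versus ...0206), so the result is a data point for correlation rather than an alarm; the sample block is constructed from the output shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# DUID types (RFC 8415, section 11) and the ARP hardware type for Ethernet.
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1

# Constructed sample: the relevant lines of the second example block above,
# with the Option1 hex exactly as "display ip subscriber auto-save" prints it.
SAMPLE_BLOCK = """\
Basic Info:
  MAC address: a6f7-a29f-0206
  IP address: 2.2.2.11
  IPv6 address: 1::2
  Interface: XGE3/1/2
DHCPv6 Info:
  IA Type: IANA
  IANA ID: 33554432
  IAPD ID: 0
  Option1:
  0003 0001 a6f7 a29f 0200
"""


@dataclass
class Duid:
    duid_type: int
    hw_type: Optional[int] = None
    link_layer: Optional[str] = None   # H-H-H form, as the device prints MACs
    time: Optional[datetime] = None    # DUID-LLT only
    enterprise: Optional[int] = None   # DUID-EN only
    identifier: bytes = b""            # DUID-EN / DUID-UUID / unknown payload


def to_h3c_mac(raw: bytes) -> str:
    """Format six bytes in the H-H-H notation used by the command output."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def _link_layer(hw_type: int, raw: bytes) -> str:
    # Ethernet addresses get the H-H-H form; any other hardware type stays raw hex.
    return to_h3c_mac(raw) if hw_type == HW_ETHERNET and len(raw) == 6 else raw.hex()


def parse_duid(option_hex: str) -> Duid:
    """Decode a DUID from the space-separated hex the device displays."""
    data = bytes.fromhex("".join(option_hex.split()))
    if len(data) < 2:
        raise ValueError("DUID shorter than the 2-byte type field")
    duid_type = int.from_bytes(data[0:2], "big")
    if duid_type == DUID_LL and len(data) >= 4:
        hw = int.from_bytes(data[2:4], "big")
        return Duid(duid_type, hw_type=hw, link_layer=_link_layer(hw, data[4:]))
    if duid_type == DUID_LLT and len(data) >= 8:
        hw = int.from_bytes(data[2:4], "big")
        # DUID-LLT time: seconds since 2000-01-01 00:00:00 UTC, modulo 2**32.
        secs = int.from_bytes(data[4:8], "big")
        when = datetime(2000, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs)
        return Duid(duid_type, hw_type=hw, link_layer=_link_layer(hw, data[8:]), time=when)
    if duid_type == DUID_EN and len(data) >= 6:
        return Duid(duid_type, enterprise=int.from_bytes(data[2:6], "big"), identifier=data[6:])
    # DUID-UUID or an unknown type: keep the payload opaque.
    return Duid(duid_type, identifier=data[2:])


def link_layer_matches(duid: Duid, mac: str) -> Optional[bool]:
    """None when the DUID carries no link-layer address to compare against."""
    if duid.link_layer is None:
        return None
    return duid.link_layer.lower() == mac.lower()


def check_block(text: str) -> Tuple[str, Duid, Optional[bool]]:
    """Extract the MAC address and the Option1 hex from one display block and compare them."""
    mac, option_hex = None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("MAC address:"):
            mac = s.split(":", 1)[1].strip()
        elif s == "Option1:" and i + 1 < len(lines):
            option_hex = lines[i + 1].strip()   # hex is printed on the following line
    if mac is None or option_hex is None:
        raise ValueError("block has no MAC address or Option1 field")
    duid = parse_duid(option_hex)
    return mac, duid, link_layer_matches(duid, mac)


if __name__ == "__main__":
    mac, duid, same = check_block(SAMPLE_BLOCK)
    print(f"user MAC {mac}, DUID type {duid.duid_type}, DUID link-layer {duid.link_layer}, match={same}")
```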

 

Related commands

access-user auto-save enable (BRAS Services Command Reference)

ip subscriber auto-save max-user

display ip subscriber auto-save file-status

Use display ip subscriber auto-save file-status to display the state of the file specified for automatic IPoE user backup.

Syntax

display ip subscriber auto-save file-status

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Use this command to view the saving and recovery information of the backup file. For example, before rebooting the device, use this command to identify whether all user data in the memory has been backed up to the backup file.

Recovering user data from the backup file includes the following two phases:

1. Recover the user data from the backup file to the memory, and set the state to wait-recover for these users.

You can execute the display ip subscriber auto-save command with the wait-recover keyword specified to view detailed information about users in the wait-recover state.

2. After all user data in the backup file is recovered to the memory, the recovery delay timer starts. The recovery delay timer is 5 seconds by default and can be configured by using the recover-delay keyword in the ip subscriber auto-recover speed command. After the recovery delay timer expires, the state is restored to online for users in the wait-recover state in the memory.

You can execute the display ip subscriber auto-save command with the online keyword specified to view detailed information about users in the online state.

This command displays the real-time data running on the global active MPU. The data will be cleared after the whole device is rebooted or an active/standby MPU switchover is performed.

Examples

# Display the state of the file specified for automatic IPoE user backup.

<Sysname> display ip subscriber auto-save file-status

File saving status                                      : Saved

Last file saved users                                   : 1

Last file saved from                                    : 2021-01-24 20:14:22

File recovering status                                  : Recovered

Last file recovered wait-recover users                  : 0

Last file recovered from                                : 2021-01-24 20:08:38

Remaining time to bring wait-recover users online       : 0

Table 8 Command output

Field

Description

File saving status

Backup file saving state:

• Hyphen (-)—The system has never performed file backup.

• Saving—The system is saving user data in the memory to the file.

• Saved—The system has saved user data in the memory to the file.

Last file saved users

Total number of users backed up in the backup file after the last backup was completed.

Last file saved from

Time when the last backup started. This field displays a hyphen (-) if the system has never performed file backup.

File recovering status

Backup file recovery state:

• Hyphen (-)—The system has never recovered users from the backup file.

• Recovering—The system is recovering users from the file.

• Recovered—The system has recovered users in the file.

Last file recovered wait-recover users

Total number of users recovered from the backup file to the memory after the last recovery was completed.

Last file recovered from

Time when the system started to recover user data in the backup file to the memory. This field displays a hyphen (-) if the system has never recovered user data from the backup file.

Remaining time to bring wait-recover users online

Remaining recovery delay time for bringing online the users in the wait-recover state after the last operation of recovering user data in the backup file to the memory was completed. The recovery delay timer is 5 seconds by default and can be configured by using the recover-delay keyword in the ip subscriber auto-recover speed command.
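A pre-reboot check built on this output, added here as an example and not H3C code: it parses the key : value lines of display ip subscriber auto-save file-status (the two samples are constructed to match the documented layout) and refuses the reboot while a backup is not in the Saved state, a recovery is still running, or wait-recover users have not yet been brought online.

```python
"""Pre-reboot safety check for the IPoE auto-save backup file (added example).

The usage guidelines recommend confirming, before a reboot, that all user data
in memory has been backed up. This module parses the output of
"display ip subscriber auto-save file-status" and makes that decision.
"""
import re

# Constructed sample: backup and recovery both finished.
SAMPLE_SAVED = """\
File saving status                                      : Saved
Last file saved users                                   : 1
Last file saved from                                    : 2021-01-24 20:14:22
File recovering status                                  : Recovered
Last file recovered wait-recover users                  : 0
Last file recovered from                                : 2021-01-24 20:08:38
Remaining time to bring wait-recover users online       : 0
"""

# Constructed sample: a backup still in progress and a recovery still pending.
SAMPLE_BUSY = """\
File saving status                                      : Saving
Last file saved users                                   : 0
Last file saved from                                    : 2021-01-24 20:14:22
File recovering status                                  : Recovering
Last file recovered wait-recover users                  : 3
Last file recovered from                                : 2021-01-24 20:08:38
Remaining time to bring wait-recover users online       : 5
"""

# The key never contains a colon, so the first colon is the separator; the
# value may contain colons (timestamps), so it is taken verbatim.
_LINE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_file_status(text):
    """Return the 'key : value' lines of the command output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def reboot_safe(fields):
    """Return (ok, reasons). ok is True only when nothing is outstanding:
    the last backup finished ('Saved'), no recovery is running, and the
    recovery delay timer has expired for all wait-recover users."""
    reasons = []
    saving = fields.get("File saving status", "-")
    if saving != "Saved":
        # '-' means no backup was ever made; 'Saving' means it is incomplete.
        reasons.append(f"backup not complete (File saving status = {saving})")
    if fields.get("File recovering status", "-") == "Recovering":
        reasons.append("recovery from the backup file is still running")
    remaining = int(fields.get("Remaining time to bring wait-recover users online", "0") or 0)
    if remaining > 0:
        reasons.append(f"{remaining} s left before wait-recover users come online")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, sample in (("saved", SAMPLE_SAVED), ("busy", SAMPLE_BUSY)):
        ok, why = reboot_safe(parse_file_status(sample))
        print(name, "reboot safe" if ok else "NOT safe: " + "; ".join(why))
```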


Related commands

display ip subscriber auto-save

display ip subscriber auto-save statistics

ip subscriber auto-recover speed

display ip subscriber auto-save statistics

Use display ip subscriber auto-save statistics to display statistics about auto backed-up IPoE users.

Syntax

In standalone mode:

display ip subscriber auto-save statistics [ slot slot-number ]

In IRF mode:

display ip subscriber auto-save statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

Examples

# Display statistics about auto backed-up IPoE users.

<Sysname> display ip subscriber auto-save statistics

Max backup users              : 8000

Current online users          : 5

Current wait-recover users    : 4

Table 9 Command output

Field

Description

Max backup user number

Maximum number of IPoE users that can be automatically backed up.

Current online user number

Number of backed-up online IPoE users.

Current wait-recover user number

Number of backed-up IPoE users waiting to recover.


Related commands

display ip subscriber auto-save

display ip subscriber http-defense blocked-destination-ip

Use display ip subscriber http-defense blocked-destination-ip to display entries of the destination IP addresses blocked by IPoE HTTP/HTTPS attack defense.

Syntax

In standalone mode:

display ip subscriber http-defense blocked-destination-ip [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip subscriber http-defense blocked-destination-ip [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.  

Usage guidelines

On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device monitors and collects statistics on the HTTP/HTTPS packets that IPoE Web preauthentication users send to each destination IP address. If, within a statistics collection interval, the number of HTTP/HTTPS packets sent to a destination IP address meets the blocking conditions, and the action configured for that case is to generate blocking entries, the device generates blocking entries for the destination IP address. The blocking period is configured with the ip subscriber http-defense destination-ip enable action block period command. Use this command to view the blocking entries.

When the blocking period of a destination IP address expires, the device deletes the blocking entries for that destination IP address.

Examples

# (In IRF mode.) Display entries of the destination IP addresses blocked by IPoE HTTP/HTTPS attack defense.

<Sysname> display ip subscriber http-defense blocked-destination-ip slot 3

Slot 3:

 Total IPv4 entries: 2

  Destination IPv4 address   Port    VPN instance     Agetime(S)     DrvStatus

  1.1.1.2                    80      aaa              500            Succeeded

  2.2.2.2                    443     bbb              300            Failed

 Total IPv6 entries: 2

  Destination IPv6 address   Port    VPN instance     Agetime(S)     DrvStatus

  1:1::1:2                   80      aaa              500            Succeeded

  2:2::2:2                   443     bbb              300            Failed

Table 10 Command output

Field

Description

Total IPv4 entries

Total number of IPv4 entries.

Total IPv6 entries

Total number of IPv6 entries.

Destination IPv4 address

Destination IPv4 address.

Destination IPv6 address

Destination IPv6 address.

Port

Destination port number (the IPoE HTTP/HTTPS attack defense function recognizes and processes HTTP/HTTPS packets with the well-known port numbers 80, 8080, 443, or 8443).

VPN instance

VPN instance to which the packets belong. If the packets are on a public network, this field displays a hyphen (-).

Agetime(S)

Remaining aging time (in seconds) of a blocking entry. After the aging time expires, the HTTP/HTTPS packets sent to the destination IP address will be unblocked.

DrvStatus

State of deploying the HTTP/HTTPS attack blocking entry to the driver hardware. Options include:

• Succeeded—The blocking entry was successfully deployed. The hardware blocks the attack directly and does not report packets to the CPU.

• Failed—The blocking entry failed to be deployed. The hardware does not block the attack; the software blocks it after the packets are sent to the CPU.

• Incompleted—The deployment has not completed, and the platform has not yet received the deployment result from the hardware. If you execute the display ip subscriber http-defense blocked-destination-ip command before the hardware returns the success result to the platform, this field displays Incompleted.

• None—The blocking entry is not deployed to the hardware. If the action to take when the blocking conditions are met is logging, the generated blocking entry is not deployed to the driver hardware.

Related commands

ip subscriber http-defense destination-ip enable

reset ip subscriber http-defense destination-ip

display ip subscriber http-defense free-destination-ip

Use display ip subscriber http-defense free-destination-ip to display the allowlist addresses configured for IPoE HTTP/HTTPS attack defense.

Syntax

display ip subscriber http-defense free-destination-ip

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the allowlist addresses configured for IPoE HTTP/HTTPS attack defense.

<Sysname> display ip subscriber http-defense free-destination-ip

  Destination IPv4 address      VPN instance

  1.1.1.2                       -

  2.2.2.2                       bbb

 Destination IPv6 address       VPN instance

  1:1::1:2                      -

  2:2::2:2                      bbb

Table 11 Command output

Field

Description

Destination IPv4 address

Destination IPv4 address.

Destination IPv6 address

Destination IPv6 address.

VPN instance

VPN instance to which the destination IP address belongs. If the destination IP address is on a public network, this field displays a hyphen (-).


Related commands

ip subscriber http-defense free-destination-ip

display ip subscriber http-defense unblocked-destination-ip

Use display ip subscriber http-defense unblocked-destination-ip to display entries of the destination IP addresses not blocked by IPoE HTTP/HTTPS attack defense.

Syntax

In standalone mode:

display ip subscriber http-defense unblocked-destination-ip [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip subscriber http-defense unblocked-destination-ip [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.  

Usage guidelines

On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device monitors and collects statistics on the HTTP/HTTPS packets that IPoE Web preauthentication users send to each destination IP address, and generates an attack defense statistics entry for each destination IP address. These entries record statistics for destination IP addresses that have not yet met the blocking conditions of IPoE HTTP/HTTPS attack defense. An entry includes the destination IP address and VPN instance of the packets, the number of packets sent to the destination IP address, and the time when the destination IP address was last accessed. Use this command to view the attack defense statistics entries.

If no packets are sent to a destination IP address that has an attack defense statistics entry within a statistics collection interval, the device deletes the entry for that destination IP address.

Examples

# (In IRF mode.) Display entries of the destination IP addresses not blocked by IPoE HTTP/HTTPS attack defense in slot 3.

<Sysname> display ip subscriber http-defense unblocked-destination-ip slot 3

Slot 3:

 Total IPv4 entries: 2

  Destination IPv4 address   Port    VPN instance     Count   Last request

  1.1.1.2                    80      aaa              1       17:18:34 11/23/2019

  2.2.2.2                    443     -                23      17:17:25 11/23/2019

 Total IPv6 entries: 2

  Destination IPv6 address   Port    VPN instance     Count   Last request

  1:1::1:2                   80      aaa              1       17:18:34 11/23/2019

  2:2::2:2                   443     -                23      17:17:25 11/23/2019

Table 12 Command output

Field

Description

Total IPv4 entries

Total number of IPv4 entries.

Total IPv6 entries

Total number of IPv6 entries.

Destination IPv4 address

Destination IPv4 address.

Destination IPv6 address

Destination IPv6 address.

Port

Destination port number (the IPoE HTTP/HTTPS attack defense function recognizes and processes HTTP/HTTPS packets with the well-known port numbers 80, 8080, 443, or 8443).

VPN instance

VPN instance to which the packets belong. If the packets are on a public network, this field displays a hyphen (-).

Count

Number of HTTP/HTTPS packets accessing the destination IP address.

Last request

Last time when the destination IP address was accessed.
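One parser serving both the blocked-destination-ip and unblocked-destination-ip outputs, added here as an example and not H3C code: it reads the slot, the declared IPv4/IPv6 totals and the column headers, then reports blocking entries the hardware is not enforcing (DrvStatus other than Succeeded, so the CPU remains in the path), declared totals that disagree with the rows printed, and the unblocked destinations receiving the most preauthentication traffic. Both samples are constructed to match the documented layout.

```python
"""Parse and triage the IPoE HTTP/HTTPS attack defense entry tables (added example).

Handles the output of both
  display ip subscriber http-defense blocked-destination-ip
  display ip subscriber http-defense unblocked-destination-ip
which share the Slot / Total IPvN entries / header / rows layout and differ
only in their last two columns.
"""
import re

# Constructed sample of the blocked-destination-ip output.
BLOCKED_SAMPLE = """\
Slot 3:
 Total IPv4 entries: 2
  Destination IPv4 address   Port    VPN instance     Agetime(S)     DrvStatus
  1.1.1.2                    80      aaa              500            Succeeded
  2.2.2.2                    443     bbb              300            Failed
 Total IPv6 entries: 2
  Destination IPv6 address   Port    VPN instance     Agetime(S)     DrvStatus
  1:1::1:2                   80      aaa              500            Succeeded
  2:2::2:2                   443     bbb              300            Incompleted
"""

# Constructed sample of the unblocked-destination-ip output; the IPv6 total is
# deliberately wrong (2 declared, 1 row printed) to exercise the total check.
UNBLOCKED_SAMPLE = """\
Slot 3:
 Total IPv4 entries: 2
  Destination IPv4 address   Port    VPN instance     Count   Last request
  1.1.1.2                    80      aaa              1       17:18:34 11/23/2019
  2.2.2.2                    443     -                23      17:17:25 11/23/2019
 Total IPv6 entries: 2
  Destination IPv6 address   Port    VPN instance     Count   Last request
  2:2::2:2                   443     -                23      17:17:25 11/23/2019
"""

_SLOT = re.compile(r"^Slot (\d+):")
_TOTAL = re.compile(r"^\s*Total IPv(\d) entries:\s*(\d+)")


def parse_output(text):
    """Return (rows, declared). rows is a list of dicts keyed by the header
    names of the table each row belongs to, plus 'address', 'slot' and
    'family'; declared maps (slot, family) to the printed entry total.
    Columns are separated by runs of two or more spaces, which keeps the
    single-spaced 'Last request' timestamp in one cell."""
    rows, declared = [], {}
    slot = family = columns = None
    for line in text.splitlines():
        m = _SLOT.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = _TOTAL.match(line)
        if m:
            family = int(m.group(1))
            declared[(slot, family)] = int(m.group(2))
            columns = None            # the next non-empty line is the header
            continue
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) < 2:
            continue
        if columns is None:
            columns = cells
            continue
        row = dict(zip(columns, cells))
        row.update(address=cells[0], slot=slot, family=family)
        rows.append(row)
    return rows, declared


def total_mismatches(rows, declared):
    """(slot, family) groups whose declared total differs from the rows seen,
    a sign of truncated or garbled capture."""
    seen = {}
    for r in rows:
        key = (r["slot"], r["family"])
        seen[key] = seen.get(key, 0) + 1
    return [k for k, n in declared.items() if seen.get(k, 0) != n]


def software_path_entries(rows):
    """Blocking entries the hardware is not enforcing: Failed (software blocks
    only after the packets reach the CPU), Incompleted (result still pending)
    or None (log-only action, never deployed)."""
    return [r for r in rows if "DrvStatus" in r and r["DrvStatus"] != "Succeeded"]


def busiest_unblocked(rows, top=3):
    """Unblocked destinations ordered by packet count, highest first."""
    counted = [r for r in rows if "Count" in r]
    return sorted(counted, key=lambda r: int(r["Count"]), reverse=True)[:top]
```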


Related commands

ip subscriber http-defense destination-ip enable

reset ip subscriber http-defense destination-ip

display ip subscriber static-session configuration

Use display ip subscriber static-session configuration to display static IPoE session configuration information.

Syntax

display ip subscriber static-session configuration [ interface interface-type interface-number | { description string | { ip start-ipv4-address [ end-ipv4-address ] | ipv6 start-ipv6-address [ end-ipv6-address ] | delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length } } | domain domain-name ] [ all-vpn-instance | vpn-instance instance-name ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

description string: Specifies a static IPoE session by its description, a case-insensitive string of 1 to 31 characters. The description cannot contain the following special characters: /\|":*?<>@.

ip start-ipv4-address [ end-ipv4-address ]: Specifies static IPoE sessions by IPv4 addresses.

• start-ipv4-address: Specifies the start IPv4 address of users.

• end-ipv4-address: Specifies the end IPv4 address of users, which cannot be lower than the start IPv4 address. If you do not specify this argument or the specified end-ipv4-address is the same as the start-ipv4-address, one user IPv4 address start-ipv4-address is specified. Otherwise, all static users with IPv4 addresses in the range of start-ipv4-address to end-ipv4-address are specified.

ipv6 start-ipv6-address [ end-ipv6-address ]: Specifies static IPoE sessions by IPv6 addresses.

• start-ipv6-address: Specifies the start IPv6 address of users.

• end-ipv6-address: Specifies the end IPv6 address of users, which cannot be lower than the start IPv6 address. If you do not specify this argument or the specified end-ipv6-address is the same as the start-ipv6-address, one user IPv6 address start-ipv6-address is specified. Otherwise, all static users with IPv6 addresses in the range of start-ipv6-address to end-ipv6-address are specified.

delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length: Specifies static IPoE sessions by the IPv6 delegation prefixes (PD prefixes).

• start-ipv6-prefix: Specifies the start IPv6 delegation prefix of users.

• end-ipv6-prefix: Specifies the end IPv6 delegation prefix of users, which cannot be smaller than the start IPv6 delegation prefix. If you do not specify this argument or the specified end-ipv6-prefix is the same as the start-ipv6-prefix, one user IPv6 delegation prefix start-ipv6-prefix is specified. Otherwise, all static users with IPv6 delegation prefixes in the range of start-ipv6-prefix to end-ipv6-prefix are specified. Make sure the number of IPv6 delegation prefixes specified by the start-ipv6-prefix [ end-ipv6-prefix ] option is the same as the number of IPv6 addresses specified in the start-ipv6-address [ end-ipv6-address ] option.

• prefix-length: Specifies the IPv6 delegation prefix length, in the range of 1 to 120.

domain domain-name: Specifies static IPoE sessions in an ISP domain. The domain-name argument specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain the following special characters: /\|":*?<>@.

all-vpn-instance: Specifies all VPN instances. If neither all-vpn-instance nor vpn-instance is specified, this command displays static IPoE session configuration in the public network.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters.

verbose: Displays detailed static IPoE session configuration. If you do not specify this keyword, this command displays the summary static IPoE session configuration.

Usage guidelines

Use this command to display information about IPoE static individual sessions and static leased sessions.

If you do not specify any parameter, this command displays summary configuration information about static IPoE users.

To simplify management and maintenance, before configuring a new static IPoE session, you can execute this command to identify whether static sessions with the specified conditions (for example, an IP address) already exist. In this way, you can avoid repeated configuration.
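A consistency check for the range parameters of this command, added here as an example and not part of H3C's software: it uses Python's ipaddress module to count the addresses in start-ipv6-address [ end-ipv6-address ] and the prefixes in start-ipv6-prefix [ end-ipv6-prefix ] prefix-length, enforces the "end not lower than start" and prefix-length rules stated above, and verifies that the two counts match as the delegation-prefix description requires. All addresses in it are constructed samples.

```python
"""Range consistency check for static IPoE session parameters (added example).

Validates, before the command is typed, that
  ipv6 start-ipv6-address [ end-ipv6-address ]
  delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length
describe the same number of users, and that each range is well formed.
"""
import ipaddress


def count_addresses(start, end=None):
    """Number of addresses in start..end inclusive; end defaults to start.
    Raises ValueError when end is lower than start, as the command rejects."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end) if end else first
    if last.version != first.version:
        raise ValueError("start and end addresses must be the same IP version")
    if int(last) < int(first):
        raise ValueError("end address cannot be lower than start address")
    return int(last) - int(first) + 1


def count_prefixes(start_prefix, end_prefix=None, prefix_length=64):
    """Number of consecutive prefixes of prefix_length from start_prefix to
    end_prefix inclusive. IPv6Network() is strict by default, so a prefix
    with host bits set (not aligned to prefix_length) raises ValueError."""
    if not 1 <= prefix_length <= 120:
        raise ValueError("prefix-length must be in the range of 1 to 120")
    first = ipaddress.IPv6Network((start_prefix, prefix_length))
    last = ipaddress.IPv6Network((end_prefix or start_prefix, prefix_length))
    lo, hi = int(first.network_address), int(last.network_address)
    if hi < lo:
        raise ValueError("end prefix cannot be smaller than start prefix")
    stride = 1 << (128 - prefix_length)     # addresses covered by one prefix
    return (hi - lo) // stride + 1


def check_static_range(start_addr, end_addr, start_prefix, end_prefix, prefix_length):
    """Return (ok, detail): ok is True when the IPv6 address range and the PD
    prefix range contain the same number of users (one prefix per address)."""
    n_addr = count_addresses(start_addr, end_addr)
    n_pfx = count_prefixes(start_prefix, end_prefix, prefix_length)
    detail = f"{n_addr} IPv6 address(es) vs {n_pfx} PD prefix(es) of length {prefix_length}"
    return n_addr == n_pfx, detail


if __name__ == "__main__":
    # Constructed sample: four addresses 1::1..1::4, four /64 prefixes 10::/64..10:0:0:3::/64.
    print(check_static_range("1::1", "1::4", "10::", "10:0:0:3::", 64))
```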

Examples

# Display brief information about all static users on Ten-GigabitEthernet 3/1/1.

<Sysname> display ip subscriber static-session configuration interface ten-gigabitethernet 3/1/1

IP address               MAC address                 Interface

IPv6 address             IPv6 PD prefix              SVLAN/CVLAN

                         VPN instance

1.1.1.1                  000d-88f8-0eab              XGE3/1/1

1::1                     10::/64                     -/-

                         -

1.1.1.2                  001d-88f8-0eab              XGE3/1/1

1::2                     11::/64                    -/-

                         -

Total 2 items matched

# Display brief information about static users in all VPN instances.

<Sysname> display ip subscriber static-session configuration all-vpn-instance

VPN instance: vpn1

IP address             MAC address            Interface

IPv6 address           IPv6 PD prefix         SVLAN/CVLAN

                       VPN instance

Total 0 items matched

 

VPN instance: vpn2

IP address             MAC address            Interface

IPv6 address           IPv6 PD prefix         SVLAN/CVLAN

                       VPN instance

2.2.2.2                -                      -

-                      -                      -/-

                       vpn2

2.2.2.3                -                      XGE3/1/2

-                      -                      -/-

                       vpn2

Total 2 items matched

# Display brief information about static users in the specified VPN instance.

<Sysname> display ip subscriber static-session configuration vpn-instance vpn2

VPN instance: vpn2

IP address             MAC address            Interface

IPv6 address           IPv6 PD prefix         SVLAN/CVLAN

                       VPN instance

2.2.2.2                -                      -

-                      -                      -/-

                       vpn2

2.2.2.3                -                      XGE3/1/2

-                      -                      -/-

                       vpn2

Total 2 items matched

Table 13 Command output

Field

Description

IP address

User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-).

IPv6 address

User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-).

MAC address

User's MAC address.

IPv6 PD prefix

User's IPv6 PD prefix. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-).

VPN instance

VPN instance to which the user belongs. If the user is on a public network, this field displays a hyphen (-).

Interface

User's access interface name. If the user does not have an access interface, this field displays a hyphen (-).

SVLAN/CVLAN

SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-).

Total 2 items matched

Number of static sessions matching the specified conditions.


# Display detailed information about the user with IPv6 address 2001::2.

<Sysname> display ip subscriber static-session configuration ipv6 2001::2 verbose

Interface           : -

UP-backup-interface : -

Interface-list      : -

IP address          : -

IP gateway          : -

IPv6 address        : 2001::2

IPv6 gateway        : FE80::1:2:3:4

IPv6 PD prefix      : -

SVLAN/CVLAN         : -/-

Description         : -

MAC address         : -

Domain              : -

VPN instance        : -

Keep-online         : No

Support-ds          : No

Request-online      : ND

# Display detailed information about static users in all VPN instances.

<Sysname> display ip subscriber static-session configuration all-vpn-instance verbose

VPN instance: vpn2

Interface           : -

UP-backup-interface : -

Interface-list      : -

IP address          : -

IP gateway          : -

IPv6 address        : 2001::2

IPv6 gateway        : FE80::1:2:3:4

IPv6 PD prefix      : -

SVLAN/CVLAN         : -/-

Description         : -

MAC address         : -

Domain              : -

VPN instance        : 123

Keep-online         : No

Support-ds          : No

Request-online      : ND

Table 14 Command output

Field

Description

Interface

User's access interface. If the user does not have an access interface, this field displays a hyphen (-).

UP-backup-interface

Backup interface of the user. If the user does not have a backup interface, this field displays a hyphen (-).

This field is supported only on a UP backup network.

Interface-list

Static user interface list. If the user does not have a static user interface list, this field displays a hyphen (-).

IP address

User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-).

IP gateway

User's IPv4 gateway address. If the user does not have an IPv4 gateway address, this field displays a hyphen (-).

IPv6 address

User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-).

IPv6 gateway

User's IPv6 gateway address. If the user does not have an IPv6 gateway address, this field displays a hyphen (-).

IPv6 PD prefix

User's IPv6 PD prefix. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-).

SVLAN/CVLAN

SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-).

Description

Static user description. If the user does not have a description, this field displays a hyphen (-).

MAC address

User's MAC address. If the user does not have a MAC address, this field displays a hyphen (-).

Domain

User's ISP domain name for authentication. If the user does not have an ISP domain, this field displays a hyphen (-).

VPN instance

VPN instance to which the user belongs. If the user is on a public network, this field displays N/A.

Keep-online

Whether the keep-online keyword is specified in the command for configuring static sessions:

• Yes.

• No.

Support-ds

Whether the support-ds keyword is specified in the command for configuring static sessions:

• Yes.

• No.

Request-online

Whether the request-online keyword is specified in the command for configuring static sessions:

• This keyword is specified when any of the following values is displayed:

  ◦ ARP—The current interface is operating in Layer 2 access mode. The device actively sends ARP packets to request IPv4 users to come online.

  ◦ ICMP—The current interface is operating in Layer 3 access mode. The device actively sends ICMP packets to request IPv4 users to come online.

  ◦ ND—The current interface is operating in Layer 2 access mode. The device actively sends ND NS packets to request IPv6 users to come online.

  ◦ ICMPv6—The current interface is operating in Layer 3 access mode. The device actively sends ICMPv6 packets to request IPv6 users to come online.

• This field displays a hyphen (-) when this keyword is not specified.

Related commands

ip subscriber session static (system view)

ip subscriber static-session request-online interval

display static-user interface-list

Use display static-user interface-list to display information about a static user interface list.

Syntax

display static-user interface-list [ list-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

list-id: Specifies a static user interface list by its ID in the range of 1 to 65535. If you do not specify this option, this command displays information about all static user interface lists.

Examples

# Display information about static user interface list 100.

<Sysname> display static-user interface-list 100

List ID: 100

     Total bound static session configuration entries: 2

     Total interfaces : 2

     Member interfaces:

       Ten-GigabitEthernet3/1/1

       Ten-GigabitEthernet3/1/2

Table 15 Command output

Field

Description

List ID

Static user interface list ID.

Total bound static session configuration entries

Total number of static sessions bound to the static user interface list.

Total interfaces

Total number of interfaces on the static user interface list.

Member interfaces

Member interfaces on the static user interface list.


Related commands

add interface

static-user interface-list

ip subscriber 8021p

Use ip subscriber 8021p to bind an ISP domain to IPoE users who send IP packets with the specified 802.1p values.

Use undo ip subscriber 8021p to remove the binding between an ISP domain and IPoE users who send IP packets with the specified 802.1p values.

Syntax

ip subscriber 8021p 8021p-list domain domain-name

undo ip subscriber 8021p 8021p-list

Default

No ISP domain is bound to IPoE users who send IP packets with the specified 802.1p values.

Views

Layer 3 aggregate subinterface view

Layer 3 Ethernet subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

8021p-list: Specifies a space-separated list of up to eight 802.1p value items. Each item specifies an 802.1p value or a range of 802.1p values in the form of start-802.1p-value to end-802.1p-value. The 802.1p value is in the range of 0 to 7.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

For this command, IPoE users include DHCP users, unclassified-IP users, and static individual users.

For the ip subscriber 8021p command to take effect, you must execute the ip subscriber service-identify 8021p command to configure the corresponding service identifier first.

For how an authentication domain is selected for a DHCP user, see the ip subscriber dhcp domain command.

For how an authentication domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.

For how an authentication domain is selected for a static IPoE user, see the ip subscriber session static command.

For how an authentication domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an authentication domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

For how an authentication domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.

Examples

# Configure ISP domain 1pdm for IPoE users who send IP packets with 802.1p values 2 to 5 on Ten-GigabitEthernet 3/1/1.100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.100

[Sysname-Ten-GigabitEthernet3/1/1.100] ip subscriber service-identify 8021p second-vlan

[Sysname-Ten-GigabitEthernet3/1/1.100] ip subscriber 8021p 2 to 5 domain 1pdm

Related commands

ip subscriber service-identify

ip subscriber abnormal-logout max-user

Use ip subscriber abnormal-logout max-user to set the maximum number of abnormally logged out IPoE users that can be recorded on the device.

Use undo ip subscriber abnormal-logout max-user to restore the default.

Syntax

ip subscriber abnormal-logout max-user max-user

undo ip subscriber abnormal-logout max-user

Default

The maximum number of abnormally logged out IPoE users that can be recorded on the device is 512000.

Views

System view

Predefined user roles

network-admin

Parameters

max-user: Specifies the maximum number of abnormally logged out IPoE users that can be recorded on the device. The value range for this argument is 1 to 512000.

Usage guidelines

The device uniquely identifies and records an abnormally logged out IPoE user as follows:

• For DHCPv4 users and NDRS users, the device records an abnormally logged out IPoE user according to the user MAC address, inner VLAN ID, outer VLAN ID, and access interface.

• For DHCPv6 users, the device records an abnormally logged out IPoE user according to the user DUID, inner VLAN ID, outer VLAN ID, and access interface.

When the number of abnormally logged out IPoE users recorded on the device reaches the maximum number, a new record will overwrite the oldest one.

Examples

# Configure the maximum number of abnormally logged out IPoE users that can be recorded on the device as 100.

<Sysname> system-view

[Sysname] ip subscriber abnormal-logout max-user 100

Related commands

display ip subscriber abnormal-logout

reset ip subscriber abnormal-logout

ip subscriber access-block

Use ip subscriber access-block to forbid IPoE users from coming online.

Use undo ip subscriber access-block to restore the default.

Syntax

In standalone mode:

ip subscriber access-block [ interface interface-type interface-number | slot slot-number [ cpu cpu-number ] ]

undo ip subscriber access-block [ interface interface-type interface-number | slot slot-number [ cpu cpu-number ] ]

In IRF mode:

ip subscriber access-block [ interface interface-type interface-number | chassis chassis-number slot slot-number [ cpu cpu-number ] ]

undo ip subscriber access-block [ interface interface-type interface-number | chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Default

IPoE users are allowed to come online.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.  

Usage guidelines

With this command configured, the device directly drops received online request packets of IPoE users, which forbids new IPoE users from coming online through the specified interface or card.

This command does not affect existing IPoE users, including IPoE Web users in online state during the preauthentication phase.

If you do not specify any parameter for this command, this command forbids all new IPoE users from coming online.

In a CUPS IPoE network, this command takes effect only when it is executed on CPs.

Examples

# Forbid all new IPoE users from coming online.

<Sysname> system-view

[Sysname] ip subscriber access-block

ip subscriber access-delay

Use ip subscriber access-delay to set the response delay time for IPoE users on an interface.

Use undo ip subscriber access-delay to restore the default.

Syntax

ip subscriber access-delay delay-time [ even-mac | odd-mac ]

undo ip subscriber access-delay

Default

No response delay time is set for IPoE users on an interface.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the response delay time for IPoE users, in the range of 10 to 25500 milliseconds.

even-mac: Specifies users with even MAC addresses.

odd-mac: Specifies users with odd MAC addresses.

Usage guidelines

With this command configured, the system delays its response to IPoE user online requests by the configured delay time.

You can separately specify different response delay times for even-MAC users and odd-MAC users.

If you do not specify any keyword, this command sets the response delay time for all users that come online through this interface.

If you execute this command with the even-mac or odd-mac keyword specified and then execute it again without specifying any keyword, the later configuration takes effect, and vice versa.

This command takes effect only on IPoE DHCP users. On an interface using Web authentication, this command takes effect only on users in the preauthentication phase and does not take effect on users in the Web authentication phase.

Examples

# Set the response delay time for IPoE users to 1000 milliseconds on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface Ten-GigabitEthernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber access-delay 1000

ip subscriber access-line-id circuit-id trans-format

Use ip subscriber access-line-id circuit-id trans-format to configure the IPoE parsing format for the circuit ID in the DHCP option.

Use undo ip subscriber access-line-id circuit-id trans-format to restore the default.

Syntax

ip subscriber access-line-id circuit-id trans-format { ascii | hex }

undo ip subscriber access-line-id circuit-id trans-format

Default

The IPoE parsing format for the circuit ID in the DHCP option is ASCII.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the ASCII parsing format.

hex: Specifies the hex parsing format.

Usage guidelines

For IPoE to correctly parse information in the circuit ID, use this command to set a proper parsing format according to the format of the circuit ID information sent by downstream devices.

The ip subscriber access-line-id circuit-id trans-format command configuration takes effect only after the ip subscriber trust command is executed to trust the specified option.

Examples

# Set the IPoE parsing format for the circuit ID in the DHCP option to hex.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber access-line-id circuit-id trans-format hex

Related commands

ip subscriber access-line-id remote-id trans-format

ip subscriber trust

ip subscriber access-line-id remote-id trans-format

Use ip subscriber access-line-id remote-id trans-format to configure the IPoE parsing format for the remote ID in the DHCP option.

Use undo ip subscriber access-line-id remote-id trans-format to restore the default.

Syntax

ip subscriber access-line-id remote-id trans-format { ascii | hex }

undo ip subscriber access-line-id remote-id trans-format

Default

The IPoE parsing format for the remote ID in the DHCP option is ASCII.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the ASCII parsing format.

hex: Specifies the hex parsing format.

Usage guidelines

For IPoE to correctly parse information in the remote ID, use this command to set a proper parsing format according to the format of the remote ID information sent by downstream devices.

The ip subscriber access-line-id remote-id trans-format command configuration takes effect only after the ip subscriber trust command is executed to trust the specified option.
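The circuit-id and remote-id trans-format commands above both decide how sub-options of the DHCPv4 Relay Agent Information option (Option 82, RFC 3046) are interpreted. The following added Python example (not H3C code) parses an Option 82 TLV into its circuit-id (sub-option 1) and remote-id (sub-option 2) values and renders each in the ascii or hex format, rejecting binary data that was configured as ascii; it also models the trust precondition, returning nothing until the option is trusted. The function names and the sample option bytes are constructed for this example:

```python
import string

# Added example, not H3C code: decode DHCP Option 82 (Relay Agent Information)
# and render its circuit-id / remote-id sub-options in the ascii or hex format
# selected by the trans-format commands. Names and sample bytes are constructed.

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_option82(option: bytes) -> dict:
    """Split a complete Option 82 TLV into {sub-option code: raw bytes}."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT:
        raise ValueError("not a DHCP Option 82")
    length = option[1]
    payload = option[2:2 + length]
    if len(payload) != length:
        raise ValueError("Option 82 length exceeds the available bytes")
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, sub_len = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("sub-option %d length %d exceeds payload" % (code, sub_len))
        subs[code] = value
        i += 2 + sub_len
    return subs


def render(value: bytes, trans_format: str) -> str:
    """Render a sub-option value as the device would under 'trans-format ascii|hex'."""
    if trans_format == "hex":
        return value.hex()
    if trans_format == "ascii":
        text = value.decode("ascii", errors="replace")
        if any(c not in _PRINTABLE for c in text):
            # Binary data parsed as text is garbage: the operator should select hex.
            raise ValueError("value is not printable ASCII; use trans-format hex")
        return text
    raise ValueError("trans-format must be 'ascii' or 'hex'")


def access_line_id(option: bytes, trusted: bool,
                   circuit_fmt: str = "ascii", remote_fmt: str = "ascii"):
    """Return the parsed access-line IDs, or None while Option 82 is not trusted
    (the trans-format commands take effect only after 'ip subscriber trust')."""
    if not trusted:
        return None
    subs = parse_option82(option)
    out = {}
    if SUBOPT_CIRCUIT_ID in subs:
        out["circuit-id"] = render(subs[SUBOPT_CIRCUIT_ID], circuit_fmt)
    if SUBOPT_REMOTE_ID in subs:
        out["remote-id"] = render(subs[SUBOPT_REMOTE_ID], remote_fmt)
    return out


# Constructed sample: a text circuit-id from an access node and a binary (MAC) remote-id.
_CIRCUIT = b"eth 1/1/3:100"
_REMOTE = bytes.fromhex("001122aabbcc")
_PAYLOAD = (bytes([SUBOPT_CIRCUIT_ID, len(_CIRCUIT)]) + _CIRCUIT
            + bytes([SUBOPT_REMOTE_ID, len(_REMOTE)]) + _REMOTE)
SAMPLE_OPTION82 = bytes([OPTION_RELAY_AGENT, len(_PAYLOAD)]) + _PAYLOAD

if __name__ == "__main__":
    print(access_line_id(SAMPLE_OPTION82, trusted=True,
                         circuit_fmt="ascii", remote_fmt="hex"))
```

The format you pick here feeds whatever is built from the access-line ID downstream (bind usernames, accounting attributes), so check what the access node actually inserts with a packet capture before trusting the option rather than guessing from the documentation of the downstream device.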

Examples

# Set the IPoE parsing format for the remote ID in the DHCP option to hex.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber access-line-id remote-id trans-format hex

Related commands

ip subscriber access-line-id circuit-id trans-format

ip subscriber trust

ip subscriber access-out

Use ip subscriber access-out to enable IPoE access-out authentication for IPoE users.

Use undo ip subscriber access-out to restore the default.

Syntax

ip subscriber access-out

undo ip subscriber access-out

Default

IPoE access-out authentication is disabled for IPoE users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

In a dual-authentication network, one device performs access-in authentication and another device performs access-out authentication. Users who pass access-in authentication can access the intranet and users who pass access-out authentication can access the extranet.

Examples

# Enable IPoE access-out authentication for IPoE users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber access-out

ip subscriber access-trigger loose

Use ip subscriber access-trigger loose to specify the loose access duration for the IPoE users after the system is rebooted.

Use undo ip subscriber access-trigger loose to restore the default.

Syntax

ip subscriber access-trigger loose { loose-time | all-time }

undo ip subscriber access-trigger loose

Default

IPoE users cannot access in loose mode after the system is rebooted.

Views

System view

Predefined user roles

network-admin

Parameters

loose-time: Specifies the loose access duration for the IPoE users after the system is rebooted, in the range of 1 to 4294967295 minutes.

all-time: Specifies that the IPoE users can access in loose mode all time after the system is rebooted.

Usage guidelines

When the sessions of online IPoE users are deleted because the system is rebooted, DHCP users will not send DHCP packets to trigger access again because these users cannot sense the reboot. As a result, the access device cannot regenerate DHCP sessions for these users. To solve this problem, you can specify that IPoE users access in loose mode.

After the system is rebooted, IPoE users accessing in loose mode can use IP, ARP, or NS/NA packets to trigger access and generate DHCP sessions within the duration specified by the loose-time argument or at any time (all-time).

IPoE DHCP users can access in loose mode only when all the following conditions exist:

·     The Layer 2 access mode is configured on the access interface.

·     An IP address pool is assigned to users through the authentication domain or AAA server.

·     To use IP packet initiation, you must execute the ip subscriber initiator unclassified-ip enable command on the access interface, and as a best practice, specify the matching-user keyword.

·     To use ARP packet initiation, you must execute the ip subscriber initiator arp enable command and the ip subscriber initiator unclassified-ip enable command on the access interface, and as a best practice, specify the matching-user keyword.

For IPoE Web authentication users that access in loose mode, only the sessions in the preauthentication domain can be regenerated. To come online in the Web authentication phase, these users must follow the normal Web authentication procedure.

In a CUPS IPoE network, this command takes effect only when it is executed on CPs.

Examples

# Specify the loose access duration as 300 minutes for the IPoE users after the system is rebooted.

<Sysname> system-view

[Sysname] ip subscriber access-trigger loose 300

Related commands

ip subscriber dhcp domain

ip subscriber dhcp password

ip subscriber dhcp username

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber authentication chasten

Use ip subscriber authentication chasten to configure the authentication failure limit in the specified authentication period.

Use undo ip subscriber authentication chasten to restore the default.

Syntax

ip subscriber authentication chasten auth-failure auth-period

undo ip subscriber authentication chasten

Default

One authentication failure immediately triggers the quiet timer for the user.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

auth-failure: Specifies the maximum number of consecutive authentication failures in the specified authentication period that triggers the quiet timer. The value range is 1 to 10000.

auth-period: Specifies an authentication period in the range of 1 to 3600 seconds.

Usage guidelines

If this command is used, the quiet timer starts when the number of authentication failures of a user reaches the limit within the specified authentication period. During the quiet time, packets from the user are dropped. After the quiet timer expires, IPoE performs authentication again upon receiving a packet from the user. This command helps defend against password guessing attacks.

If no dual-stack IPoE session is generated for a dual-stack user, the authentication failures of the two protocol stacks are counted separately. The dual-stack user is quieted only when the number of consecutive authentication failures reaches the limit in the specified period for each protocol stack.

If a dual-stack IPoE session is generated for a dual-stack user, the authentication failures of the two protocol stacks are counted together. The dual-stack user is quieted when the number of consecutive authentication failures reaches the limit in the specified period.

This command takes effect only after the ip subscriber timer quiet command is executed on the interface.
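The counting rules in these guidelines (a sliding authentication period, a consecutive-failure limit, separate or combined counters for the two protocol stacks, and the dependency on the quiet timer) are modelled in the following added Python example. It is not H3C code; the class and method names, the timestamp-based API and the rule that a successful authentication resets the consecutive count are assumptions made for the illustration. The sample policy uses the values from the command example (5 failures in 60 seconds, 100-second quiet time):

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, Optional, Set

# Added model of 'ip subscriber authentication chasten' plus 'ip subscriber
# timer quiet'; not H3C code. Names and the reset-on-success rule are assumptions.


@dataclass
class ChastenPolicy:
    auth_failure: int     # failures within auth_period that start the quiet timer (1..10000)
    auth_period: float    # seconds (1..3600)
    quiet_time: float     # seconds from 'ip subscriber timer quiet'; 0 = timer not configured

    def __post_init__(self):
        if not 1 <= self.auth_failure <= 10000 or not 1 <= self.auth_period <= 3600:
            raise ValueError("auth-failure is 1..10000, auth-period is 1..3600 seconds")


@dataclass
class UserState:
    stacks: FrozenSet[str]                # protocol stacks the user authenticates on
    dual_stack_session: bool = False      # True when one dual-stack IPoE session exists
    # Counter key: the stack name, or None for the shared dual-stack-session counter.
    failures: Dict[Optional[str], Deque[float]] = field(default_factory=dict)
    reached: Set[Optional[str]] = field(default_factory=set)   # counters at the limit
    quiet_until: Optional[float] = None


class AuthFailureTracker:
    def __init__(self, policy: ChastenPolicy):
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def register(self, user: str, stacks, dual_stack_session: bool = False) -> None:
        self.users[user] = UserState(frozenset(stacks), dual_stack_session)

    def on_packet(self, user: str, now: float) -> str:
        """'drop' while the quiet timer runs, else 'authenticate'."""
        st = self.users[user]
        if st.quiet_until is not None and now < st.quiet_until:
            return "drop"
        st.quiet_until = None
        return "authenticate"

    def on_auth_result(self, user: str, stack: str, success: bool, now: float) -> bool:
        """Record one authentication result; return True when the user is quieted now."""
        st = self.users[user]
        if self.policy.quiet_time <= 0:
            return False                  # chasten needs 'ip subscriber timer quiet'
        # Dual-stack session: both stacks share one counter; otherwise one per stack.
        counter = None if st.dual_stack_session else stack
        if success:
            st.failures.pop(counter, None)    # consecutive count restarts (assumption)
            st.reached.discard(counter)
            return False
        window = st.failures.setdefault(counter, deque())
        window.append(now)
        while window and now - window[0] > self.policy.auth_period:
            window.popleft()              # only failures inside the period count
        if len(window) >= self.policy.auth_failure:
            st.reached.add(counter)
        # Without a dual-stack session every stack the user uses must hit the limit.
        required = {None} if st.dual_stack_session else set(st.stacks)
        if required <= st.reached:
            st.quiet_until = now + self.policy.quiet_time
            st.failures.clear()
            st.reached.clear()
            return True
        return False


if __name__ == "__main__":
    tracker = AuthFailureTracker(ChastenPolicy(auth_failure=5, auth_period=60, quiet_time=100))
    tracker.register("user-a", {"ipv4"})
    for t in range(5):
        print(t, tracker.on_auth_result("user-a", "ipv4", False, now=t))
    print(tracker.on_packet("user-a", now=50))
```

When tuning auth-failure and auth-period, remember the dual-stack rule: a user without a dual-stack session needs the limit on every stack before being quieted, so an IPv4-only guessing pattern against a dual-stack user is counted on one stack only.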

Examples

# Configure Ten-GigabitEthernet 3/1/1 to block an IPoE user on the interface for 100 seconds if the user fails authentication for five consecutive times within one minute.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber timer quiet 100

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber authentication chasten 5 60

Related commands

display ip subscriber chasten user auth-failed

display ip subscriber chasten user quiet

ip subscriber timer quiet

ip subscriber authentication-method

Use ip subscriber authentication-method to configure an IPoE authentication method.

Use undo ip subscriber authentication-method to restore the default.

Syntax

ip subscriber authentication-method { bind | { dot1x [ high-priority ] | web [ mac-auth ] [ basic-service-ipv4 ] [ support-authorized-vpn ] [ inherit-pppoe ] } * }

undo ip subscriber authentication-method

Default

IPoE uses bind authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

bind: Specifies the bind authentication method.

dot1x: Specifies the 802.1X authentication method. For more information about 802.1X, see 802.1X configuration in BRAS Services Configuration Guide. This keyword is mutually exclusive with the basic-service-ipv4 keyword.

high-priority: Prioritizes 802.1X authentication. If you specify this keyword, an IPoE user cannot perform authentication to come online before the 802.1X client of the IPoE user is authenticated. If you do not specify this keyword, an IPoE user can perform authentication to come online regardless of whether the 802.1X client of the IPoE user is authenticated. When endpoint users running the iOS system exist on the network and these users use the 802.1X service of the iOS system for authentication, prioritize 802.1X authentication as a best practice. Otherwise, the users might fail to use the 802.1X service of the iOS system to perform 802.1X authentication.

web: Specifies the Web authentication method.

mac-auth: Specifies the Web MAC authentication method.

basic-service-ipv4: Configures the IPv6 protocol stack to depend on the IPv4 protocol stack. If you specify this keyword, an IPoE Web user can come online in the IPv6 protocol stack only after the IPoE Web user has come online in the IPv4 protocol stack through Web authentication. When the user goes offline in the IPv4 protocol stack or returns from the postauthentication phase to the preauthentication phase, the user is forced to go offline in the IPv6 protocol stack. Typically, this keyword is used in the intelligent IPv6 multi-egress scenario. This keyword is mutually exclusive with the dot1x keyword.

support-authorized-vpn: Specifies that the postauthentication domain of Web authentication supports VPN authorization. If you specify this keyword, a VPN can be authorized to an IPoE Web user after the user comes online in the postauthentication domain. If you do not specify this keyword, a VPN cannot be authorized to an IPoE Web user after the user comes online in the postauthentication domain, even if an authorization VPN is configured in the postauthentication domain.

inherit-pppoe: Configures IPoE Web users in the preauthentication domain to inherit PPPoE user information and come online in the postauthentication domain. With this keyword specified, if a PPPoE user with the same MAC address exists after an IPoE Web user comes online in the preauthentication domain, the IPoE Web user does not need to pass Web authentication. Instead, the device directly makes the IPoE Web user come online in the postauthentication domain by using the authentication and authorization information of the online PPPoE user. If you do not specify this keyword, an IPoE user can come online in the postauthentication domain only after passing Web authentication. This keyword is used in the scenario where both IPoE Web authentication and PPPoE authentication are configured on the same interface.

Usage guidelines

Common guidelines

IPoE supports the following authentication methods:

·     Bind authentication—The BRAS automatically generates usernames and passwords for users based on the user access location. Users are not required to enter usernames and passwords.

·     802.1X authentication—The BRAS requires users to enter usernames and passwords on an 802.1X client. To access a Layer 3 interface through 802.1X, configure the 802.1X authentication method.

·     Web authentication—The BRAS requires users to enter usernames and passwords on the Web authentication page.

·     Web MAC authentication—A user needs to enter the username and password only for the first login. Then, the user can access the network without entering the username and password. (Web MAC authentication is a type of Web authentication. Web authentication includes Web MAC authentication unless otherwise specified.)

Guidelines in the IPoE 802.1X authentication scenario

IPoE 802.1X authentication supports DHCP users, IPv6 ND RS users, and global static users. For a user configured with a static IP address to come online through 802.1X authentication without configuring the corresponding IPoE static user access on the BRAS, you can enable the static 802.1X user authentication feature. For more information, see the ip subscriber static-dot1x-user enable command.

When both 802.1X authentication and Web authentication are configured on an interface, a user can use only one of them to perform authentication and come online at a time. 802.1X authentication takes priority over Web authentication.

When you configure 802.1X authentication, follow these restrictions and guidelines:

·     If a global static session without the support-ds keyword specified exists on the device, before configuring 802.1X authentication, you must first use the undo ip subscriber session static command to delete all global static sessions without the support-ds keyword specified and then execute the ip subscriber session static command to re-configure global static sessions with the support-ds keyword specified.

·     When static users do not support 802.1X authentication on an interface, do not configure both 802.1X authentication and interface-level IPoE static individual sessions on the interface. If you do that, the interface-level IPoE static individual sessions configured on the interface might not function normally.

·     On an interface, 802.1X authentication is mutually exclusive with Layer 3 IPoE access mode, IPoE interface-leased users, IPoE subnet-leased users, and IPoE L2VPN-leased users.

·     You can configure 802.1X authentication on an interface only when the interface operates in Layer 2 IPoE access mode.

·     Only Layer 3 Ethernet interfaces/subinterfaces and Layer 3 aggregate interfaces/subinterfaces support 802.1X authentication.

Guidelines in the intelligent IPv6 multi-egress scenario

In the intelligent IPv6 multi-egress scenario, the IPoE Web authentication network functions as follows: When a dual-stack user passes Web authentication in the IPv4 protocol stack, the BRAS identifies the service provider of the user according to the AAA-authorized attributes when the user performs authentication and comes online in the IPv4 protocol stack. Then, the BRAS assigns an IPv6 address of the service provider to the user. As a result, IPv6 packets of different service providers can be forwarded in the corresponding public network egress interfaces separately.

In an IPv6 intelligent multi-egress application, an IPoE Web dual-stack user uses DHCP packet initiation in the IPv4 protocol stack. In the IPv6 protocol stack, the user can come online in one of the following methods according to the type of online request packets in the IPv6 protocol stack.

·     ND RS packet initiation—Comes online through IPv6 ND RS packets. In this method, if a user initiates online requests in the IPv6 protocol stack before passing Web authentication in the IPv4 protocol stack, the BRAS buffers the ND RS packets. After the user passes Web authentication and comes online in the IPv4 protocol stack, the BRAS uses the buffered ND RS packets to come online in the IPv6 protocol stack. NOTE: The buffered ND RS packets are time limited. When they expire, they will be deleted from the buffer.

·     DHCPv6 packet initiation—Comes online through DHCPv6 packets. In this method, if a user initiates online requests in the IPv6 protocol stack before passing Web authentication in the IPv4 protocol stack, the BRAS drops the received DHCPv6 request packets. A DHCPv6 client sends DHCPv6 requests for IPv6 addresses at irregular intervals. After the user passes Web authentication and comes online in the IPv4 protocol stack, the BRAS will use the DHCPv6 packets received subsequently to bring the user online in the IPv6 protocol stack.

Guidelines in the scenario that supports authorizing VPN instances in the Web postauthentication domain

On an IPoE Web authentication network, to authorize VPNs to users after they pass postauthentication so that the users can have different access permissions, you can specify the support-authorized-vpn keyword to enable the postauthentication domain of Web authentication to support VPN authorization.

With this feature enabled, when IPoE Web users come online in the postauthentication domain, AAA can be used to authorize VPN instances to users. When a user with a VPN instance authorized comes online in the postauthentication domain, the host route of the user will be switched to the specified VPN instance. Then, the user can access only network resources in the authorized VPN instance.

On an IPoE Web authentication network, follow these restrictions and guidelines for static IPoE users:

·     If the vpn-instance keyword is specified in the static session of a static IPoE user, the static user does not support the VPN authorization feature in the postauthentication domain.

·     If the vpn-instance keyword is not specified in the static session of a static IPoE user, the following rules apply:

¡     If the strict-check access-interface vpn-instance command is executed in the authorization domain of a static user, the static user does not support the VPN authorization feature in the postauthentication domain.

¡     If the strict-check access-interface vpn-instance command is not executed in the authorization domain of a static user, the static user supports the VPN authorization feature in the postauthentication domain.

When AAA authorizes VPNs to IPoE DHCP users, follow these restrictions and guidelines:

·     If the support-authorized-vpn parameter is not configured, the VPN bound to the authorization address pool of the post-authentication domain must be the same as the AAA authorized VPN regardless of whether the access interface is bound to a VPN.

·     If the support-authorized-vpn parameter is configured, the VPN bound to the authorization address pool of the post-authentication domain must be the same as the VPN to which the interface belongs.

¡     If the access interface is bound to a VPN, the authorization address pool in the post-authentication domain must be bound to the same VPN as the access interface.

¡     If the access interface is not bound to any VPN, the authorization address pool in the post-authentication domain cannot be bound to any VPN.

Guidelines when both IPoE Web authentication and PPPoE authentication are configured

On an access interface configured with both IPoE Web authentication and PPPoE authentication, a user might separately trigger IPoE Web authentication and PPPoE authentication. For example, a user does not actively disable DHCP on the endpoint. When the user endpoint is powered on, it will automatically send DHCP packets to trigger IPoE Web authentication. After passing the authentication (typically, password-free authentication is used in the preauthentication domain, which is transparent to the user), the user can obtain an IP address and come online in the preauthentication domain. Then, the user does not use IPoE Web authentication to come online in the postauthentication domain. Instead, the user directly comes online through PPPoE dialup authentication. After passing the PPPoE dialup authentication, the user also obtains an IP address.

By default, if a user endpoint preferentially uses the IP address obtained through IPoE Web authentication to come online, the Web authentication page will open to prompt the user to perform authentication again even if the user has passed PPPoE authentication. This affects the network access experience. To resolve this issue, you can configure the Web user in the preauthentication domain to inherit information of the PPPoE user with the same MAC address and then directly come online in the postauthentication domain.

With this feature configured, if a PPPoE user with the same MAC address exists after an IPoE Web user comes online in the preauthentication domain, the IPoE Web user does not need to pass Web authentication. Instead, the device directly makes the IPoE Web user come online in the postauthentication domain by using the authentication and authorization information of the online PPPoE user. This process is transparent to the user. A user can normally access the network after passing one PPPoE authentication, which improves the network access experience.

In this scenario, follow these restrictions and guidelines:

·     This command supports the inherit-pppoe keyword only when IPoE operates in Layer 2 access mode.

·     The inherit-pppoe keyword takes effect only when the maximum number of users allowed for an account configured by using the users-per-account command is greater than 1 in the PPPoE authentication domain.

·     When you execute this command, do not specify both the dot1x and inherit-pppoe keywords. The two keywords are mutually exclusive.

·     After an IPoE Web user in the preauthentication domain inherits the information of the PPPoE user with the same MAC address and then comes online in the postauthentication domain, IPoE is not responsible for accounting. IPoE and PPPoE respectively collect traffic statistics and PPPoE summarizes the statistics and sends them to the AAA server for accounting. Configure an AAA authentication scheme correctly for PPPoE as needed.

·     When an IPoE Web user in the preauthentication domain inherits information of the PPPoE user with the same MAC address, the protocol stack type is not considered. For example, a user comes online through IPoE Web authentication in the preauthentication domain in the IPv4 protocol stack and comes online through PPPoE authentication in the IPv6 protocol stack. In this case, the IPoE user can inherit the IPv6 protocol stack information of the PPPoE user in the IPv4 protocol stack and then come online in the postauthentication domain.

·     When the PPPoE user goes offline, the IPoE user that inherits information of the PPPoE user and comes online in the postauthentication domain will return to the preauthentication domain.

·     In this scenario, the following features are not supported:

¡     IPoE user roaming.

¡     PPPoE agency.

¡     Re-DHCP for IPoE Web authentication.

¡     IPv6 protocol stack dependency on IPv4 protocol stack.

¡     VPN authorization in the postauthentication domain of IPoE Web authentication.

¡     Transparent IPoE Web authentication.

Common restrictions

When you execute this command to switch the authentication method, the device performs operations depending on the session type:

·     For IPoE dynamic individual sessions, the device deletes all IPoE dynamic individual sessions on the interface and logs out users.

·     For interface-level IPoE static individual sessions, the device deletes all IPoE static individual sessions and logs out users.

·     For global IPoE static individual sessions, the device deletes all global IPoE static individual sessions and logs out users.

·     For IPoE leased sessions (including static leased sessions), you cannot switch the authentication method if leased sessions are configured on the interface.

Examples

# Configure the Web authentication method for IPoE users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber authentication-method web

The operation may cut all users on this interface. Continue?[Y/N]:y

Related commands

ip subscriber enable

users-per-account (BRAS Services Command Reference)

ip subscriber captive-bypass enable

Use ip subscriber captive-bypass enable to enable captive-bypass Web authentication or captive-bypass Web authentication optimization for IPoE.

Use undo ip subscriber captive-bypass enable to disable captive-bypass Web authentication or captive-bypass Web authentication optimization for IPoE.

Syntax

ip subscriber captive-bypass enable [ android | ios ] [ optimize ]

undo ip subscriber captive-bypass enable

Default

Both captive-bypass Web authentication and captive-bypass Web authentication optimization are disabled for IPoE.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

android: Specifies Android users.

ios: Specifies iOS users.

optimize: Enables captive-bypass optimization.

Usage guidelines

Application scenarios

·     Captive-bypass Web authentication

By default, in a wireless access scenario, when a user endpoint connects to a network with IPoE Web authentication enabled, the device will actively push the Web authentication page to the user endpoint. In this way, the user endpoint can automatically open the Web authentication page. However, this automatic page opening method requires the device to intercept the probe packets from endpoints, which might cause some endpoints to automatically disconnect from the Wi-Fi network if they cannot detect the network. In this case, the device cannot push the Web authentication page to the user because the Wi-Fi connection has been disconnected. As a result, the authentication process cannot be completed.

To address this issue, you can enable IPoE captive-bypass Web authentication, which allows users to trigger the device to push the Web authentication page by accessing the Internet by using a browser to complete the authentication.

·     Captive-bypass Web authentication optimization (applicable only to iOS systems)

By default, Apple endpoints use their own Captive Network Assistant (CNA) tool to detect http://captive.apple.com. If the network is reachable, the endpoint will receive a Success response. If not, the browser will be called again to detect the network and implement the function of automatically opening the Web authentication page.

However, the mechanism for automatically opening the Web authentication page on an endpoint might fail in the following conditions:

¡     If the page uses HTTPS and the certificate is not issued by a third-party organization trusted by the endpoint, the mechanism for automatically opening the Web authentication page will fail.

¡     The apps installed on an Apple endpoint (such as Wi-Fi assistant) have a significant impact on the detection mechanism of the endpoint. They might cause the automatic detection feature to fail or cause the Wi-Fi signal on the Apple endpoint to fail to be turned on and the Wi-Fi connection to disconnect.

¡     If the user directly presses the home button to return to the desktop before the detection is completed, the Wi-Fi signal on the Apple endpoint might fail to be turned on, and the Wi-Fi connection might be disconnected.

To address the preceding issues, you can enable the captive-bypass Web authentication optimization for IPoE.

Operating mechanism

·     Automatically opening the Web authentication page

The feature of automatically opening the Web authentication page on the user endpoint is implemented as follows. After an endpoint is associated with an SSID, it actively sends an HTTP probe request packet to identify whether the destination address (usually a fixed URL, which varies by endpoint or app) is reachable and whether the response content meets expectations. According to the detection result, the endpoint identifies whether the accessed network requires Web authentication.

¡     If the destination address is reachable and the response content meets expectations, the network is reachable and no Web authentication is required.

¡     If the destination address is not reachable or the response content does not meet expectations, Web authentication is required. The endpoint will call the browser to send an HTTP request again, and the device will intercept this request and redirect it to automatically open the Web authentication page on the endpoint.

The Web authentication page might fail to automatically open because of the following reasons:

¡     The endpoint does not actively send a probe request packet.

¡     The endpoint can initiate a probe request packet, but it might fail to call the browser and send a request again due to certain installed apps. As a result, the Web authentication page fails to automatically open.

¡     For most Android phones, the feature of automatically opening the Web authentication page must be triggered by manually clicking the SSID interface.

·     Captive-bypass Web authentication

Enabling captive-bypass Web authentication ensures that the device does not intercept the probe request packets from endpoints and the endpoints maintain their Wi-Fi connections. When a user connects to the network, the device does not immediately push the Web authentication page to the user. The page is pushed to the user only when the user attempts to access the Internet by using a browser. The Web authentication page requires the user to enter the username and password to complete the authentication process.

·     Captive-bypass Web authentication optimization

Enabling the IPoE captive-bypass Web authentication optimization feature specifically benefits iOS users. When the device receives a probe request packet from an Apple endpoint, it will construct a Success response, making the Apple endpoint consider the network is connected. Then, the Wi-Fi signal will be turned on and the Web authentication page will be automatically opened.

Restrictions and guidelines

·     IPoE captive-bypass Web authentication takes effect on both iOS and Android users.

·     IPoE captive-bypass Web authentication optimization takes effect only on iOS users and does not take effect on Android users.

·     The effects of these commands are as follows:

¡     If the ip subscriber captive-bypass enable command is executed:

-     An Apple endpoint does not automatically open the Web authentication page. An Apple endpoint might disconnect from Wi-Fi when the home button is pressed depending on the software version of the endpoint.

-     Android endpoints do not automatically open the Web authentication page.

¡     If the ip subscriber captive-bypass enable optimize command is executed:

-     Apple endpoints automatically open the Web authentication page and do not disconnect from Wi-Fi when the home button is pressed.

-     Android endpoints do not automatically open the Web authentication page.

¡     (Recommended.) If the ip subscriber captive-bypass enable ios optimize command is executed:

-     Apple endpoints automatically open the Web authentication page and do not disconnect from Wi-Fi when the home button is pressed.

-     Android endpoints automatically open the Web authentication page. (Default.)

¡     If the ip subscriber captive-bypass enable ios command is executed:

-     An Apple endpoint does not automatically open the Web authentication page. An Apple endpoint might disconnect from Wi-Fi when the home button is pressed depending on the software version of the endpoint.

-     Android endpoints will automatically open the Web authentication page. (Default.)

¡     Executing the ip subscriber captive-bypass enable android command has the same effect as executing the ip subscriber captive-bypass enable android optimize command.

-     An Apple endpoint automatically opens the Web authentication page. An Apple endpoint might disconnect from Wi-Fi when the home button is pressed depending on the software version of the endpoint. (Default.)

-     Android endpoints do not automatically open the Web authentication page.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable the captive-bypass Web authentication feature.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber captive-bypass enable

# Enable only the captive-bypass Web authentication optimization feature for iOS users. (The captive-bypass Web authentication feature is not enabled.)

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber captive-bypass enable ios optimize

# Enable the captive-bypass Web authentication feature for Android users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber captive-bypass enable android

ip subscriber auto-save max-user

Use ip subscriber auto-save max-user to enable automatic IPoE user backup and set the maximum number of DHCP users that can be automatically backed up.

Use undo ip subscriber auto-save to disable automatic IPoE user backup.

Syntax

ip subscriber auto-save max-user max-user

undo ip subscriber auto-save

Default

Automatic IPoE user backup is enabled, and up to 512000 users can be automatically backed up.

Views

System view

Predefined user roles

network-admin

Parameters

max-user: Specifies the maximum number of IPoE users that can be automatically backed up. The value range for this argument is 8000 to 512000.

Usage guidelines

In an IPoE DHCP or ND RS user access scenario, DHCP or ND RS users are abnormally logged out and their user information is lost if the device or the slot hosting the access interface reboots or the access interface goes down. If the users cannot sense the failure, they will not send DHCP or ND RS packets to trigger coming online again after the failure is resolved. As a result, the device cannot recover the information for the abnormally logged-out users. To resolve the issue, enable automatic IPoE user backup on the device.

With this feature enabled, the device will back up IPoE user information after IPoE users come online. If a failure occurs and then recovers, the device can recover online information for abnormally offline users according to the backup information.

For this feature to take effect, you also need to execute the access-user auto-save enable command in the ISP domain of users.

When the number of IPoE users to be backed up in an ISP domain exceeds the maximum number of IPoE users that can be automatically backed up, the exceeding users are not backed up.

With both automatic IPoE user backup and the loose access mode enabled on the device, the following rules apply when the device receives IP, NS/NA, or ARP packets from a user after the device recovers:

·     If information of the user has been automatically backed up on the device before the device fails, the information of the user is recovered by using the auto recovery feature.

·     If information of the user is not automatically backed up on the device before the device fails, information of the user is recovered by the loose access mode.

For ND RS users, this feature takes effect only in the one-prefix-per-user scenario, not in the prefix sharing scenario.

Examples

# Enable automatic IPoE user backup and set the maximum number of DHCP users that can be automatically backed up to 9000.

<Sysname> system-view

[Sysname] ip subscriber auto-save max-user 9000

Related commands

access-user auto-save enable (BRAS Services Command Reference)

ip subscriber auto-save-file

Use ip subscriber auto-save-file to enable periodical automatic IPoE user backup.

Use undo ip subscriber auto-save-file to disable periodical automatic IPoE user backup.

Syntax

ip subscriber auto-save-file filename interval interval

undo ip subscriber auto-save-file

Default

Periodical automatic IPoE user backup is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies a file name, which must end with .bak. The total file name (including .bak) cannot exceed 128 characters. The filename argument cannot contain a file path and must be a pure file name, for example, backup.bak. The file is always saved in the root directory of the storage medium of each MPU. For more information about the root directory and path, see file system management in Fundamentals Configuration Guide.

interval interval: Specifies the automatic backup interval in the range of 60 to 864000 seconds.

Usage guidelines

After the device is rebooted, the IPoE user information saved in the memory will be lost. As a result, the device cannot automatically recover the abnormally logged out users according to the backup information in the memory. To resolve this problem, you can enable periodical automatic IPoE user backup. With this feature enabled, the device periodically and automatically backs up the user information into the specified file. After the device is rebooted, the device will automatically recover the information in the file to the memory. If the ip subscriber auto-recover enable command is used to enable automatic IPoE user recovery, the device will automatically recover the abnormally logged out users according to the backup information in the memory.

For this feature to take effect, make sure both of the following commands are executed:

·     access-user auto-save enable (BRAS Services Command Reference)

·     ip subscriber auto-save max-user

After this command is executed, the device does not immediately back up the user information. Instead, the device backs up the user information at the specified interval. If the specified backup file does not exist when the device backs up user information, the system first creates the file and then backs up user information. If the specified backup file already exists (for example, the file is specified by the ip subscriber save-file command), the file will be overwritten.

Examples

# Enable periodical automatic IPoE user backup to back up the IPoE user information to the file backup.bak at the interval of 60 seconds.

<Sysname> system-view

[Sysname] ip subscriber auto-save-file backup.bak interval 60

Related commands

access-user auto-save enable (BRAS Services Command Reference)

ip subscriber auto-recover enable

ip subscriber auto-save max-user

ip subscriber save-file

ip subscriber auto-save-file now

Use ip subscriber auto-save-file now to immediately back up the IPoE user information to the file specified for periodical automatic IPoE user backup.

Syntax

ip subscriber auto-save-file now

Views

System view

Predefined user roles

network-admin

Usage guidelines

If the automatic backup interval specified for periodical automatic IPoE user backup is too long, to avoid user information loss before rebooting the device, you can use this command to immediately back up the user information in the memory to the backup file.

For the ip subscriber auto-save-file now command to take effect, you must execute both of the following commands:

·     ip subscriber auto-save max-user

·     ip subscriber auto-save-file

This command is an execution command that immediately takes effect and will not be saved in the configuration file.

Examples

# Immediately back up the IPoE user information to the backup file.

<Sysname> system-view

[Sysname] ip subscriber auto-save-file now

Related commands

ip subscriber auto-save-file

ip subscriber auto-save max-user

ip subscriber auto-recover enable

Use ip subscriber auto-recover enable to enable automatic IPoE user recovery.

Use undo ip subscriber auto-recover enable to disable automatic IPoE user recovery.

Syntax

ip subscriber auto-recover enable

undo ip subscriber auto-recover enable

Default

Automatic IPoE user recovery is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In an IPoE DHCP or ND RS user access scenario, DHCP or ND RS users are abnormally logged out and their user information is lost if the device or the slot hosting the access interface reboots or the access interface goes down. If the users cannot sense the failure, they will not send DHCP or ND RS packets to trigger coming online again after the failure is resolved. As a result, the device cannot recover the information for the abnormally logged-out users. To resolve the problem, back up the user information before the failure and automatically recover the user information according to the backup information after the failure is resolved.

The ip subscriber auto-recover enable command enables the device to automatically recover the user information according to the backup information after the device recovers.

For this feature to take effect, make sure both of the following commands are executed:

·     access-user auto-save enable (BRAS Services Command Reference)

·     ip subscriber auto-save max-user

Examples

# Enable automatic IPoE user recovery.

<Sysname> system-view

[Sysname] ip subscriber auto-recover enable

Related commands

access-user auto-save enable (BRAS Services Command Reference)

ip subscriber auto-save max-user

ip subscriber auto-recover speed

Use ip subscriber auto-recover speed to configure the speed for automatic IPoE user recovery.

Use undo ip subscriber auto-recover speed to restore the default.

Syntax

ip subscriber auto-recover speed { fast | normal | slow } [ recover-delay delay-time ]

undo ip subscriber auto-recover speed

Default

The speed for automatic IPoE user recovery is normal, and the recovery delay is 5 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

fast: Specifies the fast mode.

normal: Specifies the normal mode.

slow: Specifies the slow mode.

recover-delay delay-time: Specifies the recovery delay in the range of 5 to 3600 seconds. The default is 5 seconds.

Usage guidelines

You can use this command to configure the speed for automatic IPoE user recovery as needed. The fast mode is resource-intensive. Select the fast mode and recovery delay as needed.

If a failure occurs, the device does not start recovering users immediately after the fault is resolved. Instead, it recovers users in the specified mode after the delay specified by delay-time.

NOTE:

·     In fast mode, the device processes the user online information at a high speed. During the recovery period, the device performance is affected. Select this mode as needed.

·     After the fault is resolved, to avoid recovery failure caused by incomplete network convergence (for example, the OSPF neighbors have not restored to the full state), set a proper recovery delay according to the network conditions.

For this command to take effect, you must enable automatic IPoE user recovery.

Examples

# Configure the speed for automatic IPoE user recovery.

<Sysname> system-view

[Sysname] ip subscriber auto-recover speed fast

Related commands

ip subscriber auto-recover enable

ip subscriber basic-service-ip-type

Use ip subscriber basic-service-ip-type to configure the IP address type on which the main service of IPoE users depends.

Use undo ip subscriber basic-service-ip-type to restore the default.

Syntax

ip subscriber basic-service-ip-type { ipv4 | ipv6 }

undo ip subscriber basic-service-ip-type

Default

The main service of IPoE users does not depend on any IP address type.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ipv4: Specifies the IPv4 protocol stack. If this keyword is specified, the IPv6 protocol stack of IPoE users depends on the IPv4 protocol stack. An IPoE user can come online in the IPv6 protocol stack only after the user has come online in the IPv4 protocol stack.

ipv6: Specifies the IPv6 protocol stack. If this keyword is specified, the IPv4 protocol stack of IPoE users depends on the IPv6 protocol stack. An IPoE user can come online in the IPv4 protocol stack only after the user has come online in the IPv6 protocol stack.

Usage guidelines

Application scenarios

By default, the device does not limit the order in which an IPoE user comes online in the IPv4 protocol stack and IPv6 protocol stack.

In the dual-stack scenario, if you want to specify the main service to depend on a protocol stack as needed, configure this feature. Then, when a user has not come online in the specified protocol stack, the user cannot come online in the other protocol stack.

Operating mechanism

With this feature configured, an IPoE bind authentication user can come online in the other protocol stack only after the user has come online in the protocol stack on which the user’s main service depends. If a user goes offline in the protocol stack on which the user's main service depends, the device will forcibly log out the user in the other protocol stack. As a result, the whole user goes offline.

With this feature configured, the following rules apply to IPoE Web authentication users:

·     Coming online:

¡     This feature takes effect in only the preauthentication domain and does not take effect in the postauthentication domain. For example, an IPoE user first comes online in the IPv4 protocol stack in the preauthentication domain. If you configure the main service of IPoE users to depend on the IPv6 protocol stack before the user moves from the preauthentication domain to the postauthentication domain, the user can still move to the postauthentication domain in the IPv4 protocol stack.

¡     An IPoE Web authentication user can come online in the other protocol stack (for example, IPv6) only after the user has come online in the protocol stack (for example, IPv4) on which the user's main service depends in the preauthentication domain.

¡     If the user comes online in the other protocol stack earlier than in the protocol stack on which the user’s main service depends in the postauthentication domain, the whole user comes online in the postauthentication domain.

·     Going offline:

¡     If the user returns to the preauthentication domain in the protocol stack on which the user's main service depends, the whole user returns to the preauthentication domain.

¡     If a user goes offline in the protocol stack on which the user's main service depends, the device will forcibly log out the user in the other protocol stack. As a result, the whole user goes offline.

After this feature is configured, this feature takes effect on online IPoE users as follows:

·     If a user first comes online in the IPv4 or IPv6 protocol stack and then the user’s main service is configured to depend on the IPv6 or IPv4 protocol stack, this feature does not affect the online status of the user and allows the user to stay online in the IPv4 or IPv6 protocol stack.

·     If a user first comes online in both the IPv4 and IPv6 protocol stacks and then the user’s main service is configured to depend on the IPv6 or IPv4 protocol stack, when the user goes offline in the IPv6 or IPv4 protocol stack, the user will also be forcibly logged out in the IPv4 or IPv6 protocol stack.
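The dependency rules above, modeled as an added Python example (not H3C code): a small state model of one IPoE bind authentication user, where the class name, method names and the 'ipv4'/'ipv6' stack labels are constructed assumptions.

```python
# Model of the protocol-stack dependency that "ip subscriber basic-service-ip-type"
# imposes on one IPoE bind authentication user. Constructed illustration, not H3C
# code; DualStackUser and its method names are assumptions.
from typing import Optional, Set

OTHER = {'ipv4': 'ipv6', 'ipv6': 'ipv4'}


class DualStackUser:
    """Tracks the protocol stacks a bind authentication user is online in."""

    def __init__(self, basic_service_ip_type: Optional[str] = None):
        # Stack the main service depends on (None: no dependency, the default).
        self.main: Optional[str] = basic_service_ip_type
        self.online: Set[str] = set()

    def come_online(self, stack: str) -> bool:
        """The other stack may come online only after the main-service stack is online."""
        if self.main is not None and stack != self.main and self.main not in self.online:
            return False  # rejected: the main-service stack is not online yet
        self.online.add(stack)
        return True

    def go_offline(self, stack: str) -> Set[str]:
        """Going offline in the main-service stack forcibly logs out the other stack too.
        Returns the set of stacks that went offline."""
        self.online.discard(stack)
        logged_out = {stack}
        if stack == self.main and OTHER[stack] in self.online:
            self.online.discard(OTHER[stack])
            logged_out.add(OTHER[stack])
        return logged_out

    def configure(self, basic_service_ip_type: Optional[str]) -> None:
        """Configuring the dependency on an already online user does not change the
        user's online status; it only governs later come-online and go-offline events."""
        self.main = basic_service_ip_type
```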

Restrictions and guidelines

·     This feature applies to only IPoE bind authentication users and IPoE Web authentication users.

·     For IPoE Web authentication users, if the ip subscriber authentication-method web command is executed with the basic-service-ipv4 keyword specified on an interface, the ip subscriber basic-service-ip-type command does not take effect on this interface, and only the ip subscriber authentication-method web command takes effect.

·     Before you use the ip subscriber basic-service-ip-type command to configure the IP address type (IPv4 or IPv6) on which the main service of IPoE users depends on an interface, make sure dual-stack IPoE is enabled on the interface by using the ip subscriber enable command. Otherwise, IPoE cannot operate correctly.

·     This feature does not apply to the following IPoE users:

¡     IPoE static users (including static leased users).

¡     IPoE interface-leased users (excluding subusers).

¡     IPoE subnet-leased users (including subusers).

¡     IPoE L2VPN-leased users.

¡     Unclassified-IPv4/IPv6 users in Layer 3 IPoE access mode.

·     For the roaming feature to operate normally, configure the same IP address type on which the main service of IPoE users depends on the access interfaces before and after roaming.

Examples

# On Ten-GigabitEthernet 3/1/1, configure the main service of IPoE users to depend on the IPv4 protocol stack.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber basic-service-ip-type ipv4

Related commands

ip subscriber authentication-method

ip subscriber enable

ip subscriber roaming enable

ip subscriber dhcp domain

Use ip subscriber dhcp domain to configure an ISP domain for DHCP users.

Use undo ip subscriber dhcp domain to restore the default.

Syntax

ip subscriber dhcp domain domain-name [ force ]

undo ip subscriber dhcp domain

Default

No ISP domain is configured for DHCP users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

force: Specifies the ISP domain as the forced domain with the highest priority. If this keyword is not specified, the ISP domain is a non-forced domain.

Usage guidelines

This command configures an ISP domain for DHCP users. The specified ISP domain must exist on the BRAS.

For IPoE users accessing in loose mode, an ISP domain is selected in the following order until a match is found:

1.     Forced ISP domain specified by using this command. If the ISP domain has not been created, the user fails to come online.

2.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

3.     Non-forced ISP domain specified by this command. If the ISP domain has not been created, the user fails to come online.

4.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For users accessing in non-loose mode, an ISP domain is selected in the following order until a match is found:

1.     Forced ISP domain specified by using this command. If the ISP domain has not been created, the user fails to come online.

2.     ISP domain generated based on the domain name generation rule configured by the ip subscriber dhcp domain include command if the following conditions exist:

¡     The string selected from Option 60 contains the trusted domain.

¡     The BRAS trusts Option 60.

¡     The interface is configured with the ip subscriber dhcp domain include command.

If the ISP domain has not been created, proceed with step 7.

3.     Trusted ISP domain configured by the ip subscriber dhcp option60 match command if the following conditions exist:

¡     The string selected from Option 60 contains the trusted domain.

¡     The BRAS trusts Option 60.

¡     The interface is not configured with the ip subscriber dhcp domain include command.

If the ISP domain has not been created, proceed with step 7.

4.     ISP domain selected according to the rule for packets that do not carry Option 60 if the following conditions exist:

¡     The BRAS trusts Option 60.

¡     The string selected from Option 60 does not contain the trusted domain.

In this case, the contents of Option 60 are ignored and not used for generating a domain name.

If the ISP domain has not been created, proceed with step 7.

5.     ISP domain generated based on the domain name generation rule configured by the ip subscriber dhcp domain include command if the following conditions exist:

¡     The BRAS trusts Option 60.

¡     The interface is not configured with the ip subscriber dhcp option60 match command.

¡     Option 60 does not contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), or right angle bracket (>).

¡     The interface is configured with the ip subscriber dhcp domain include command.

If the ISP domain has not been created, proceed with step 7.

6.     ISP domain automatically selected from Option 60 if the following conditions exist:

¡     The BRAS trusts Option 60.

¡     The interface is not configured with the ip subscriber dhcp option60 match or ip subscriber dhcp domain include command.

¡     Option 60 does not contain any invalid characters.

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

If the ISP domain has not been created, proceed with step 7.

7.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

8.     Non-forced ISP domain specified by this command. If the ISP domain has not been created, the user fails to come online.

9.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For users to pass authentication successfully, make sure the ISP domains selected for users exist on the device and are completely configured.

When the contents in an option are used as ISP domains, make sure the ISP domain names exist on the device. Otherwise, these ISP domains are considered as unavailable.

Make sure Option 60 does not contain null terminators or non-printable characters.

A DHCPv6 user can obtain an ISP domain in various ways.

Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.

If multiple ISP domains are available, an ISP domain is selected in the following order until a match is found:

1.     Forced ISP domain specified by using this command. If the ISP domain has not been created, the user fails to come online.

2.     Trusted ISP domain configured by the ip subscriber dhcpv6 option16 match command if the following conditions exist:

¡     The string selected from Option 16 contains the trusted domain.

¡     The BRAS trusts Option 16.

If the ISP domain has not been created, proceed with step 5.

3.     ISP domain selected according to the rule for packets that do not carry Option 16 if the following conditions exist:

¡     The BRAS trusts Option 16.

¡     The interface is configured with the ip subscriber dhcpv6 option16 match command, but the specified string cannot be matched in the specified position of Option 16.

If the ISP domain has not been created, proceed with step 5.

4.     ISP domain automatically selected from Option 16 if the following conditions exist:

¡     The BRAS trusts Option 16.

¡     The interface is not configured with the ip subscriber dhcpv6 option16 match command.

¡     Option 16 does not contain any invalid characters.

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

If the ISP domain has not been created, proceed with step 5.

5.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

6.     Non-forced ISP domain specified by this command. If the ISP domain has not been created, the user fails to come online.

7.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Make sure Option 16 does not contain null terminators or non-printable characters.

Examples

# Configure ISP domain dm1 for DHCPv4 users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp domain dm1

Related commands

ip subscriber access-trigger loose

ip subscriber dhcp domain include

ip subscriber dhcp option60 match

ip subscriber dhcpv6 match

ip subscriber trust

ip subscriber dhcp domain include

Use ip subscriber dhcp domain include to configure a domain name generation rule for DHCPv4 users.

Use undo ip subscriber dhcp domain include to restore the default.

Syntax

ip subscriber dhcp domain include { vendor-class [ separator separator ] | second-vlan [ separator separator ] | string string [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber dhcp domain include

Default

No domain name generation rule for DHCPv4 users is configured.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

vendor-class: Uses the Option 60 information in DHCPv4 packets for generating a domain name.

separator separator: Specifies a case-insensitive character for separating an option and the option that follows. It cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

second-vlan: Uses the inner VLAN in authentication packets for generating a domain name.

string string: Specifies a case-insensitive string of 1 to 64 characters for generating a domain name. It cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

vlan: Uses the outer VLAN in authentication packets for generating a domain name.

Usage guidelines

You can execute this command when the following conditions exist:

·     DHCP users use the information in Option 60 as ISP domains.

·     Differentiated authentication is required for DHCP users that have the same Option 60 and come online through the same interface.

For example, user A and user B belong to different VLANs but have the same Option 60 and come online through the same interface. To assign user A and user B to different ISP domains and authorize different address pools based on ISP domains, execute this command to generate ISP domain names by using the Option 60 + VLAN combination.

If this command is executed when the DHCP users use information in Option 60 as the ISP domains, the generated ISP domain name is as follows: String selected from the Option 60 as an ISP domain + parameters configured by using this command. For information about selecting ISP domains, see "ip subscriber dhcp domain."

This command takes effect only when DHCP users use information in the Option 60 as ISP domains.

For the device to parse information in Option 60 correctly and generate correct ISP domain names, make sure Option 60 does not contain null terminators or non-printable characters.

Examples

# Configure a domain name generation rule on Ten-GigabitEthernet 3/1/1.1 as follows: trusted string from the Option 60 field in DHCP packets (ipoe) + separator (#) + customer VLAN (suppose the customer VLAN is 10). The resulting domain name is ipoe#10.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] ip subscriber trust option60

[Sysname-Ten-GigabitEthernet3/1/1.1] ip subscriber dhcp option60 match ipoe

[Sysname-Ten-GigabitEthernet3/1/1.1] ip subscriber dhcp domain include vendor-class separator # vlan

# Configure a domain name generation rule on Ten-GigabitEthernet 3/1/1.1 as follows: the whole Option 60 field in DHCP packets (suppose all information in Option 60 is domain123456) + separator (#) + customer VLAN (suppose the customer VLAN is 10). The resulting domain name is domain123456#10.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] ip subscriber trust option60

[Sysname-Ten-GigabitEthernet3/1/1.1] ip subscriber dhcp domain include vendor-class separator # vlan

Related commands

ip subscriber dhcp domain

ip subscriber dhcp option60 match

ip subscriber trust

ip subscriber dhcp max-session

Use ip subscriber dhcp max-session to set the IPoE session limit for DHCPv4 packet initiation on an interface.

Use undo ip subscriber dhcp max-session to restore the default.

Syntax

ip subscriber dhcp max-session max-number

undo ip subscriber dhcp max-session

Default

The IPoE session limit for DHCPv4 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for DHCPv4 packet initiation. The value range for this argument is 1 to 64000.

Usage guidelines

If the IPoE session limit for DHCPv4 packet initiation is reached, no more IPoE sessions can be initiated by DHCPv4 packets. IPoE sessions initiated by DHCPv4 packets include IPv4 single-stack sessions and dual-stack sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber dhcpv6 max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is executed together with the ip subscriber max-session command, both commands take effect. They limit sessions from different perspectives, so the number of sessions is constrained by both. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for DHCPv4 packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp max-session 100

Related commands

display access-user (BRAS Services Command Reference)

cut access-user (BRAS Services Command Reference)

ip subscriber max-session

ip subscriber dhcp option60 match

Use ip subscriber dhcp option60 match to configure trusted ISP domains for DHCPv4 users.

Use undo ip subscriber dhcp option60 match to restore the default.

Syntax

ip subscriber dhcp option60 match string [ offset offset ] [ length length ]

undo ip subscriber dhcp option60 match string

Default

No trusted ISP domains are configured for DHCPv4 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

string: Specifies a trusted ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

offset offset: Specifies an offset for the string starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.

length length: Specifies the length of the string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used to match the trusted ISP domain.

Usage guidelines

For how an ISP domain is determined, see "ip subscriber dhcp domain."

Make sure Option 60 does not include null terminators or non-printable characters.

You can use this command multiple times.
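The two Option 60 steps described on this page, the domain generation rule of ip subscriber dhcp domain include and the trusted-domain match of this command, modelled in Python as an added example (not H3C code). It assumes that a match rule compares the bytes selected by offset/length for equality with the configured string, and that with no match rule the whole trusted Option 60 becomes the domain name, as in the second example under ip subscriber dhcp domain include.

```python
"""Model of Option 60 trusted-domain matching and domain name generation.

Added example, not H3C code. It follows the documented behaviour of
  ip subscriber dhcp option60 match <string> [ offset N ] [ length L ]
  ip subscriber dhcp domain include vendor-class separator <sep> vlan
Assumptions (not stated on the page): a rule matches when the selected bytes
compare equal (case-insensitively) to the configured string, and with no match
rule the whole trusted Option 60 becomes the domain name.
"""
from dataclasses import dataclass
from typing import Optional

# Characters the page forbids in the separator and in the trusted-domain string.
FORBIDDEN_CHARS = set('/\\|":*?<>@')


@dataclass(frozen=True)
class Option60MatchRule:
    """One `ip subscriber dhcp option60 match` entry (offset is 1-based, as on the device)."""
    domain: str
    offset: int = 1
    length: Optional[int] = None  # None: all bytes after the starting byte

    def __post_init__(self) -> None:
        if not 1 <= len(self.domain) <= 255 or FORBIDDEN_CHARS & set(self.domain):
            raise ValueError(f"invalid trusted domain string: {self.domain!r}")
        if not 1 <= self.offset <= 63 or (self.length is not None and not 1 <= self.length <= 63):
            raise ValueError("offset and length must be in the range 1 to 63")


def option60_is_usable(option60: bytes) -> bool:
    """Documented precondition: no null terminators or non-printable characters."""
    return len(option60) > 0 and all(0x20 <= b < 0x7F for b in option60)


def select_option60_string(option60: bytes, rule: Option60MatchRule) -> str:
    """Bytes a rule compares against: from the 1-based offset, `length` bytes or the rest."""
    start = rule.offset - 1
    end = None if rule.length is None else start + rule.length
    return option60[start:end].decode("ascii")


def select_isp_domain(option60: Optional[bytes], rules: list) -> Optional[str]:
    """Trusted ISP domain derived from a DHCPv4 packet's Option 60, or None."""
    if option60 is None or not option60_is_usable(option60):
        return None
    if not rules:
        # Assumption from the page's second example: no match rule, whole Option 60 is the domain.
        return option60.decode("ascii")
    for rule in rules:
        if select_option60_string(option60, rule).lower() == rule.domain.lower():
            return rule.domain
    return None


def generate_domain_name(option60: Optional[bytes], rules: list,
                         separator: str, vlan: int) -> Optional[str]:
    """`ip subscriber dhcp domain include vendor-class separator <sep> vlan`."""
    if FORBIDDEN_CHARS & set(separator):
        raise ValueError(f"separator {separator!r} contains a forbidden character")
    base = select_isp_domain(option60, rules)
    if base is None:
        return None
    return f"{base}{separator}{vlan}"
```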

Examples

# On Ten-GigabitEthernet 3/1/1, configure trusted ISP domain ipoe to match the string with an offset of 1 and a length of 10 bytes from Option 60.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp option60 match ipoe offset 1 length 10

Related commands

ip subscriber dhcp domain

ip subscriber trust

ip subscriber dhcp password

Use ip subscriber dhcp password to specify a string from DHCPv4 packets as the password for DHCPv4 users.

Use undo ip subscriber dhcp password to restore the default.

Syntax

ip subscriber dhcp password { circuit-id mac | option60 [ offset offset ] [ length length ] [ original ] | user-class }

undo ip subscriber dhcp password

Default

The BRAS does not use the password specified in DHCPv4 packets for DHCPv4 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

circuit-id: Specifies the DHCPv4 Option82 sub-option1 field in DHCPv4 packets.

mac: Uses the MAC address in the Circuit-ID (Option82 sub-option1) field as the password.

option60: Uses a string from Option 60 in DHCPv4 packets as the password.

·     offset offset: Specifies an offset for the password starting byte, in the range of 1 to 254. If you do not specify this option, the first byte of the option is the starting byte.

·     length length: Specifies the length of the password string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used as the password.

·     original: Directly selects information from Option60 as the authentication password according to the specified rule (for example, the specified offset or length), and does not perform a validity check on the selected information. If you do not specify this keyword, the device performs a validity check on the information selected from Option60 according to the specified rule. If the selected information does not contain null terminators or non-printable characters, the device uses it as the authentication password. If it does contain null terminators or non-printable characters, the device does not use it and instead continues to the next available authentication password according to the password selection rule (for more information, see the following usage guidelines).

user-class: Uses a string from Option 77 in DHCPv4 packets as the password.

Usage guidelines

Application scenarios

For security on a service provider network, the Option60 information of some endpoints (for example, IPTV set-top boxes) might be encrypted, and the encrypted information is transparently transmitted by the intermediate devices. The service provider's AAA server first decrypts the encrypted Option60 information and then performs authentication. In this case, when you configure Option60 in DHCPv4 packets as the authentication password, you must specify the original keyword. Otherwise, the information in Option60 fails the validity check and cannot be used as the authentication password, and the endpoints consequently fail authentication.

Working mechanism

A DHCPv4 user can obtain a password in various ways.

For a DHCPv4 user accessing in loose mode, a password is selected in the following order until a match is found:

1.     Password configured by using the ip subscriber password command.

2.     Default password: vlan.

For a DHCPv4 user accessing in non-loose mode, a password is selected in the following order until a match is found:

1.     Password configured by using the ip subscriber dhcp password user-class command if the following conditions exist:

-     The ip subscriber dhcp password user-class command is executed.

-     The ip subscriber trust option77 command is executed. Option 77 meets the printable character format requirements.

2.     Password configured by using the ip subscriber dhcp password option60 command if the BRAS trusts Option 60 and Option 60 meets the printable character format requirements.

3.     Password configured by using the ip subscriber dhcp password circuit-id mac command if the BRAS trusts Option 82 and the MAC address in the Circuit-ID carried in DHCPv4 packets meets the printable character format requirements.

4.     Password configured by using the ip subscriber password command.

5.     Default password: vlan.

Restrictions and guidelines

Passwords configured by the ip subscriber dhcp password command are used for authentication, and must be the same as those configured on the AAA server.

When you use the MAC address in the Circuit-ID as the password, make sure it does not contain null terminators or non-printable characters.  
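The password selection order described under "Working mechanism", modelled in Python as an added example (not H3C code). The dataclass and field names are ours; the order, the printable-character check and the original keyword's bypass of that check follow the text above.

```python
"""Model of the DHCPv4 password selection order for `ip subscriber dhcp password`.

Added example, not H3C code. Configuration and packet field names are ours;
the selection order and the validity check follow the documented mechanism.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PASSWORD = b"vlan"


def meets_printable_format(data: bytes) -> bool:
    """The page's validity check: no null terminators or non-printable characters."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


@dataclass(frozen=True)
class Option60PasswordRule:
    """`ip subscriber dhcp password option60 [ offset ] [ length ] [ original ]`."""
    offset: int = 1
    length: Optional[int] = None
    original: bool = False

    def select(self, option60: bytes) -> bytes:
        start = self.offset - 1  # offset is 1-based on the device
        end = None if self.length is None else start + self.length
        return option60[start:end]


@dataclass(frozen=True)
class InterfaceConfig:
    """Password-related commands on the access interface (field names are ours)."""
    loose_mode: bool = False                  # ip subscriber access-trigger loose
    user_class: bool = False                  # ip subscriber dhcp password user-class
    option60: Optional[Option60PasswordRule] = None
    circuit_id_mac: bool = False              # ip subscriber dhcp password circuit-id mac
    trust_option77: bool = False              # ip subscriber trust option77
    trust_option60: bool = False              # ip subscriber trust option60
    trust_option82: bool = False              # ip subscriber trust option82
    static_password: Optional[bytes] = None   # ip subscriber password


@dataclass(frozen=True)
class Dhcpv4Packet:
    """Only the fields the selection rule looks at (constructed sample input)."""
    option77: Optional[bytes] = None        # User Class
    option60: Optional[bytes] = None        # Vendor Class Identifier
    circuit_id_mac: Optional[bytes] = None  # MAC carried in Option 82 sub-option 1


def select_password(cfg: InterfaceConfig, pkt: Dhcpv4Packet) -> tuple:
    """Return (source, password) that the BRAS would present to the AAA server."""
    if cfg.loose_mode:
        # Loose mode: DHCP option contents are never consulted.
        if cfg.static_password is not None:
            return ("ip subscriber password", cfg.static_password)
        return ("default", DEFAULT_PASSWORD)

    # 1. Option 77, only if configured, trusted and printable.
    if (cfg.user_class and cfg.trust_option77 and pkt.option77 is not None
            and meets_printable_format(pkt.option77)):
        return ("user-class", pkt.option77)

    # 2. Option 60 substring; `original` skips the validity check (encrypted option data).
    if cfg.option60 is not None and cfg.trust_option60 and pkt.option60 is not None:
        selected = cfg.option60.select(pkt.option60)
        if selected and (cfg.option60.original or meets_printable_format(selected)):
            return ("option60", selected)

    # 3. MAC address from the Option 82 Circuit-ID.
    if (cfg.circuit_id_mac and cfg.trust_option82 and pkt.circuit_id_mac is not None
            and meets_printable_format(pkt.circuit_id_mac)):
        return ("circuit-id mac", pkt.circuit_id_mac)

    # 4. Statically configured password, then 5. the default.
    if cfg.static_password is not None:
        return ("ip subscriber password", cfg.static_password)
    return ("default", DEFAULT_PASSWORD)
```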

Examples

# Specify the string with an offset of 10 and a length of 20 bytes from Option 60 as the password for DHCPv4 users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp password option60 offset 10 length 20

Related commands

ip subscriber access-trigger loose

ip subscriber password

ip subscriber trust

ip subscriber dhcp username

ip subscriber dhcp rate-limit

Use ip subscriber dhcp rate-limit to enable rate-limiting the DHCPv4 packets of DHCP users.

Use undo ip subscriber dhcp rate-limit to disable rate-limiting the DHCPv4 packets of DHCP users.

Syntax

ip subscriber dhcp rate-limit rate

undo ip subscriber dhcp rate-limit

Default

Rate-limiting the DHCPv4 packets of DHCP users is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum number of DHCPv4 packets that can be received per second, in the range of 1 to 500000000.

Usage guidelines

When a large number of DHCP users come online at the same time, you can enable this feature to avoid congestion caused by a large number of DHCP packets and ensure users can come online properly.

With this feature enabled, when the device or slot receives DHCPv4 packets (including Discover packets and the Request packets of unauthenticated users) at a rate exceeding the limit, the excess packets are dropped.

This command takes effect only on dynamic DHCPv4 users and Layer 2 interface-leased DHCPv4 subusers.

When you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable rate-limiting the DHCPv4 packets of DHCP users, and set the rate limit to 1000 pps.

<Sysname> system-view

[Sysname] ip subscriber dhcp rate-limit 1000

Related commands

ip subscriber password

ip subscriber trust

ip subscriber dhcp username

ip subscriber recover-file

Use ip subscriber recover-file to recover the backup user information in the specified file to the memory.

Syntax

ip subscriber recover-file filename

Default

The backup user information in a file is not recovered to the memory.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the specified file in the root directory of the active MPU's storage medium is used for recovery. If the file does not exist, the recovery fails. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the recovery fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In standalone mode.)

filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the specified file in the root directory of the global active MPU's storage medium is used for recovery. If the file does not exist, the recovery fails. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the recovery fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In standalone mode.)  

Usage guidelines

After the device reboots, backup user information in the memory is lost. As a result, the device cannot recover online user information for abnormally offline users. Therefore, before rebooting the device, you must execute the ip subscriber save-file command to save the backup user information in the memory to a file. After rebooting the device, you must execute the ip subscriber recover-file command to recover backup user information to the memory. Then, the device can recover online user information for abnormally offline users based on the backup user information in the memory.

When the ip subscriber recover-file command is executed, the device reads the backup user information in the specified file and recovers information to the memory. During the recovery process, existing backup user information in the memory is not affected.

Examples

# Recover the backup user information in the backup.bak file to the memory.

<Sysname> system-view

[Sysname] ip subscriber recover-file backup.bak

It is recommended to delete the file, delete it? [Y/N]: y

Related commands

ip subscriber save-file

ip subscriber save-file

Use ip subscriber save-file to immediately save backup IPoE user information in the memory to the specified file.

Syntax

ip subscriber save-file filename

Default

Backup IPoE user information in the memory is not saved to the specified file.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the specified file in the root directory of the active MPU's storage medium is used for recovery. If the file does not exist, the recovery fails. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the recovery fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In standalone mode.)

filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the specified file in the root directory of the global active MPU's storage medium is used for recovery. If the file does not exist, the recovery fails. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the recovery fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In standalone mode.)  

Usage guidelines

After the device reboots, backup user information in the memory is lost. As a result, the device cannot recover online user information for abnormally offline users. Therefore, before rebooting the device, you can execute the ip subscriber save-file command to save the backup user information in the memory to a file. After rebooting the device, you must execute the ip subscriber recover-file command to recover backup user information to the memory. Then, the device can recover online user information for abnormally offline users based on the backup user information in the memory. If the ip subscriber auto-recover enable command has been used to enable automatic IPoE user recovery, the device will automatically recover the abnormally logged out users according to the backup user information in the memory.

For this command to take effect, you must execute the following commands:

·     access-user auto-save enable (BRAS Services Command Reference)

·     ip subscriber auto-save max-user

When this command is executed, the device immediately backs up the user information. If the specified backup file does not exist when the device backs up user information, the system first creates the file and then backs up user information. If the specified backup file already exists, the file will be overwritten. If you have enabled periodical automatic IPoE user backup, the file specified in this command must be different from the file specified for periodical automatic IPoE user backup. Otherwise, this command fails to be executed.

This command immediately takes effect and will not be saved in the configuration file.

Examples

# Back up the IPoE user information to the file backup.bak in the root directory of the device's file system.

<Sysname> system-view

[Sysname] ip subscriber save-file backup.bak

Related commands

access-user auto-save enable (BRAS Services Command Reference)

ip subscriber auto-recover enable

ip subscriber auto-save max-user

ip subscriber recover-file

ip subscriber dhcp username

Use ip subscriber dhcp username to configure an authentication user naming convention for DHCP users.

Use undo ip subscriber dhcp username to restore the default.

Syntax

ip subscriber dhcp username include { circuit-id [ mac ] [ separator separator ] | client-id [ separator separator ] | hostname [ original ] [ separator separator ] | nas-port-id [ separator separator ] | port [ separator separator ] | remote-id [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vendor-class [ absent-replace | original ] * [ separator separator ] | vendor-specific [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber dhcp username

Default

No authentication user naming convention is configured for DHCP users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

circuit-id: Includes the DHCPv4 Option 82 sub-option 1 or DHCPv6 Option 18 information in a username.

mac: Uses the MAC address in the Circuit-ID (Option82 sub-option1) field as the username. If this keyword is not specified, all information in the Circuit-ID (Option82 sub-option1) field is used as the username.

client-id: Includes the DHCPv4 Option 61 or DHCPv6 Option 1 information in a username.

hostname: Includes the DHCPv4 Option12 in a username.

nas-port-id: Includes the NAS-Port-ID attribute carried in the authentication request packet in a username.

port: Includes the number of the port that receives the user packets in a username.

remote-id: Includes the DHCPv4 Option 82 sub-option 2 or DHCPv6 Option 37 information in a username.

second-vlan: Includes the inner VLAN ID in a username.

slot: Includes the number of the slot that receives the user packets in a username.

source-mac: Includes the source MAC address in a username.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

string string: Includes the specified string in a username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

subslot: Includes the number of the subslot that receives the user packets in a username.

sysname: Includes the name of the device that receives the user packets in a username.

vendor-class: Includes the DHCPv4 Option 60 or DHCPv6 Option 16 information in a username.

absent-replace: Replaces a nonexistent option with the domain name of the user's authentication domain in the username when the Option60 field does not exist in DHCPv4 packets or the Option16 field does not exist in DHCPv6 packets. If you do not specify this keyword, the option part of the username is empty when the Option60 field does not exist in DHCPv4 packets or the Option16 field does not exist in DHCPv6 packets.

vendor-specific: Includes the DHCPv4 Option 82 sub-option 9 or DHCPv6 Option 17 information in a username.

vlan: Includes the outer VLAN ID in a username.

original: Directly uses the original information in the DHCPv4 Option 12, DHCPv4 Option 60, or DHCPv6 Option 16 field in DHCP packets as the username and passes it to the authentication server for authentication. If this keyword is not specified and Option 12, Option 60, or Option 16 contains non-printable characters, the device translates the non-printable characters into printable characters and then passes the translated information to the authentication server for authentication.

separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

Usage guidelines

Usernames obtained based on the naming convention are used for authentication, authorization, and accounting, and must be the same as those configured on the AAA server.

For DHCPv4 users accessing in loose mode, the packets do not carry DHCP option information. Therefore, the circuit-id, mac, client-id, remote-id, vendor-class, absent-replace, original, and vendor-specific keywords do not take effect. Even if these keywords are specified, usernames are generated as if they were not specified. DHCPv6 users cannot access in loose mode.

You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.

Options used as the username information cannot include null terminators or non-printable characters.
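How the username is assembled from the configured keywords, modelled in Python as an added example (not H3C code). It follows the rules above: keywords are joined in configuration order with each part's own separator, source-mac takes an optional address-separator, vendor-class absent-replace substitutes the authentication domain, the at sign is rejected as a separator, and in loose mode the option-derived keywords are ignored; the dataclass and field names are ours, and placing a separator only between two rendered parts is our assumption.

```python
"""Model of username assembly for `ip subscriber dhcp username include ...`.

Added example, not H3C code. Dataclass and field names are ours; the joining
rules follow the parameter descriptions and usage guidelines on this page.
"""
from dataclasses import dataclass, field
from typing import Optional

# Keywords the page says do not take effect for DHCPv4 users in loose mode.
LOOSE_MODE_IGNORED = {"circuit-id", "client-id", "remote-id", "vendor-class", "vendor-specific"}


@dataclass(frozen=True)
class UsernamePart:
    """One keyword of the include list, with its optional modifiers."""
    keyword: str
    separator: str = ""            # separator placed after this part
    value: str = ""                # for keyword "string"
    address_separator: str = ""    # for keyword "source-mac"
    absent_replace: bool = False   # for keyword "vendor-class"

    def __post_init__(self) -> None:
        if "@" in self.separator or "@" in self.address_separator:
            raise ValueError("the AAA server cannot parse a username containing '@'")


@dataclass
class AccessContext:
    """Where the packet arrived plus the option text it carried (constructed input)."""
    sysname: str
    slot: int
    subslot: int
    port: int
    vlan: Optional[int] = None
    second_vlan: Optional[int] = None
    source_mac: str = ""          # 12 hex digits, no separators
    auth_domain: str = ""         # user's authentication domain (for absent-replace)
    loose_mode: bool = False
    options: dict = field(default_factory=dict)  # option keyword -> printable text


def format_mac(mac12: str, address_separator: str) -> str:
    """xxxxxxxxxxxx, or xxxx<sep>xxxx<sep>xxxx when an address separator is given."""
    if not address_separator:
        return mac12
    return address_separator.join(mac12[i:i + 4] for i in range(0, 12, 4))


def render_part(part: UsernamePart, ctx: AccessContext) -> Optional[str]:
    """Text for one keyword, or None when the keyword is ignored (loose mode)."""
    kw = part.keyword
    if ctx.loose_mode and kw in LOOSE_MODE_IGNORED:
        return None
    fixed = {
        "sysname": ctx.sysname, "slot": str(ctx.slot), "subslot": str(ctx.subslot),
        "port": str(ctx.port), "string": part.value,
        "vlan": "" if ctx.vlan is None else str(ctx.vlan),
        "second-vlan": "" if ctx.second_vlan is None else str(ctx.second_vlan),
    }
    if kw in fixed:
        return fixed[kw]
    if kw == "source-mac":
        return format_mac(ctx.source_mac, part.address_separator)
    if kw == "vendor-class" and part.absent_replace and kw not in ctx.options:
        return ctx.auth_domain
    return ctx.options.get(kw, "")  # option-derived keyword; empty when absent


def build_username(parts: list, ctx: AccessContext) -> str:
    """Join the rendered parts in configuration order, separator between neighbours."""
    rendered = [(render_part(p, ctx), p.separator) for p in parts]
    rendered = [(text, sep) for text, sep in rendered if text is not None]
    out = ""
    for i, (text, sep) in enumerate(rendered):
        out += text
        if i < len(rendered) - 1:
            out += sep  # assumption: no separator after the last rendered part
    return out
```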

Examples

# Configure information carried in the Client Identifier Option as the authentication usernames for DHCP users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp username include client-id

# Configure an authentication user naming convention for DHCP users on Ten-GigabitEthernet 3/1/1. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp username include sysname separator # slot separator # subslot separator # port separator # vlan

Related commands

ip subscriber access-trigger loose

ip subscriber password

ip subscriber trust

ip subscriber dhcp-release-ip dot1x-offline

Use ip subscriber dhcp-release-ip dot1x-offline to forcibly log out the 802.1X client of an IPoE user when the IP address of the IPoE user is released.

Use undo ip subscriber dhcp-release-ip dot1x-offline to restore the default.

Syntax

ip subscriber dhcp-release-ip dot1x-offline

undo ip subscriber dhcp-release-ip dot1x-offline

Default

The 802.1X client of an IPoE user stays online when the IP address of the IPoE user is released.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

For an IPoE user that comes online through 802.1X authentication, the 802.1X client of the user refers to the 802.1X authentication-capable client software installed on the user's host.

By default, when the IP address lease expires or fails to be renewed for an IPoE DHCP user or the device receives the DHCP-RELEASE, DHCP-DECLINE, and DHCP-NAK packets from an IPoE DHCP user, the IPoE user that comes online through 802.1X authentication will go offline. However, the 802.1X client of the user still stays online. To log out the 802.1X client of an IPoE user when the IPoE user goes offline, execute this command.

Examples

# Forcibly log out the 802.1X client of an IPoE user when the IP address of the IPoE user is released on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcp-release-ip dot1x-offline

Related commands

ip subscriber authentication-method

ip subscriber dhcpv6 max-session

Use ip subscriber dhcpv6 max-session to set the IPoE session limit for DHCPv6 packet initiation on an interface.

Use undo ip subscriber dhcpv6 max-session to restore the default.

Syntax

ip subscriber dhcpv6 max-session max-number

undo ip subscriber dhcpv6 max-session

Default

The IPoE session limit for DHCPv6 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for DHCPv6 packet initiation. The value range for this argument is 1 to 64000.

Usage guidelines

If the IPoE session limit for DHCPv6 packet initiation is reached, no more IPoE sessions can be initiated by DHCPv6 packets. IPoE sessions initiated by DHCPv6 packets include IPv6 single-stack sessions and dual-stack sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber dhcp max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is executed together with the ip subscriber max-session command, both commands take effect. They limit sessions from different perspectives, so the number of sessions is constrained by both. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for DHCPv6 packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcpv6 max-session 100

Related commands

display access-user (BRAS Services Command Reference)

cut access-user (BRAS Services Command Reference)

ip subscriber max-session

ip subscriber dhcpv6 match

Use ip subscriber dhcpv6 match to configure trusted ISP domains for DHCPv6 users.

Use undo ip subscriber dhcpv6 match to restore the default.

Syntax

ip subscriber dhcpv6 { option16 | option17 } match string [ offset offset ] [ length length ]

undo ip subscriber dhcpv6 { option16 | option17 } match string

Default

No trusted ISP domains are configured for DHCPv6 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

option16: Specifies Option 16 in DHCPv6 packets.

option17: Specifies Option 17 in DHCPv6 packets.

string: Specifies a trusted ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

offset offset: Specifies an offset for the string starting byte, in the range of 1 to 254. If you do not specify this option, the first byte of the option is the starting byte.

length length: Specifies the length of the string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used to match the trusted ISP domain.

Usage guidelines

A DHCPv6 user can obtain an ISP domain in various ways.

Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.

For how an ISP domain is determined, see "ip subscriber dhcp domain."

Make sure Option 16 does not include null terminators or non-printable characters.

You can use this command multiple times.

You can only select a string from the first 255 characters of Option 16 to match the trusted ISP domain. If the selected string contains characters that do not belong to the first 255 characters, the match fails.

Examples

# On Ten-GigabitEthernet 3/1/1, configure trusted ISP domain ipoe to match the string with an offset of 1 and a length of 10 bytes from Option 16.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcpv6 option16 match ipoe offset 1 length 10

Related commands

ip subscriber dhcpv6 domain

ip subscriber trust

ip subscriber dhcpv6 password option16

Use ip subscriber dhcpv6 password option16 to specify a string from Option 16 or Option 17 as the password for DHCPv6 users.

Use undo ip subscriber dhcpv6 password option16 to restore the default.

Syntax

ip subscriber dhcpv6 password option16 [ offset offset ] [ length length ] [ original ]

undo ip subscriber dhcpv6 password option16

Default

The BRAS does not use the password specified in Option 16 or Option 17 for DHCPv6 users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

offset offset: Specifies an offset for the password starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.

length length: Specifies the length of the password string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used as the password.

original: Directly selects information from Option16 or Option17 as the authentication password according to the specified rule (for example, the specified offset or length), and does not perform a validity check on the selected information. If you do not specify this keyword, the device performs a validity check on the information selected from Option16 or Option17 according to the specified rule. If the selected information does not contain null terminators or non-printable characters, the device uses it as the authentication password. If it does contain null terminators or non-printable characters, the device does not use it and instead continues to the next available authentication password according to the password selection rule (for more information, see the following usage guidelines).

Usage guidelines

Application scenarios

For security on a service provider network, the Option16 or Option17 information of some endpoints might be encrypted, and the encrypted information is transparently transmitted by the intermediate devices. The service provider's AAA server first decrypts the encrypted Option16 or Option17 information and then performs authentication. In this case, when you configure Option16 or Option17 in DHCPv6 packets as the authentication password, you must specify the original keyword. Otherwise, the information in Option16 or Option17 fails the validity check and cannot be used as the authentication password, and the endpoints consequently fail authentication.

Working mechanism

A DHCPv6 user can obtain a password in various ways. If multiple passwords are available for a DHCPv6 user, a password is selected in the following order until a match is found:

1.     Password configured by using this command, if the BRAS trusts Option 16 or Option 17 and the information selected from the option meets the printable character format requirements.

2.     Password configured by using the ip subscriber password command.

3.     Default password: vlan.
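The following is an added example, not H3C code, that emulates the password selection described above: the offset/length cut into Option 16 or Option 17, the validity check that the original keyword skips, and the three-step fallback to ip subscriber password and then the default vlan. It assumes offset is a 1-based byte index into the option payload (the page only states that omitting it starts at the first byte) and that "printable" means ASCII 0x20 to 0x7E; the Option 16 payload is constructed for the example.

```python
"""Emulation of the DHCPv6 Option16/Option17 password selection rule.

Added example, not H3C code. Assumptions: offset is a 1-based byte index
into the option payload, and "printable" means ASCII 0x20..0x7E.
"""
from typing import Optional, Tuple

DEFAULT_PASSWORD = "vlan"  # step 3 of the selection order


def select_bytes(option: bytes, offset: Optional[int] = None,
                 length: Optional[int] = None) -> bytes:
    """Cut the candidate password out of the option payload."""
    if offset is not None and not 1 <= offset <= 63:
        raise ValueError("offset must be in the range 1 to 63")
    if length is not None and not 1 <= length <= 63:
        raise ValueError("length must be in the range 1 to 63")
    start = offset - 1 if offset else 0  # assumed 1-based index
    chunk = option[start:]
    return chunk if length is None else chunk[:length]


def passes_validity_check(chunk: bytes) -> bool:
    """Reject empty selections, null terminators and non-printable bytes."""
    return bool(chunk) and all(0x20 <= b <= 0x7E for b in chunk)


def password_from_option(option: bytes, offset: Optional[int] = None,
                         length: Optional[int] = None,
                         original: bool = False) -> Optional[str]:
    """Return the password taken from the option, or None if unusable."""
    chunk = select_bytes(option, offset, length)
    if original:
        # Taken as-is (for example, an encrypted blob the AAA server decrypts).
        # latin-1 keeps a 1:1 byte-to-character mapping; an empty selection
        # still yields nothing to use.
        return chunk.decode("latin-1") if chunk else None
    return chunk.decode("ascii") if passes_validity_check(chunk) else None


def choose_password(option: Optional[bytes], trusted: bool,
                    offset: Optional[int] = None, length: Optional[int] = None,
                    original: bool = False,
                    interface_password: Optional[str] = None) -> Tuple[str, str]:
    """Walk the three-step selection order and report which step won."""
    if trusted and option is not None:  # step 1: BRAS trusts the option
        candidate = password_from_option(option, offset, length, original)
        if candidate is not None:
            return candidate, "option16/17"
    if interface_password:  # step 2: ip subscriber password
        return interface_password, "ip subscriber password"
    return DEFAULT_PASSWORD, "default"  # step 3


# Constructed Option 16 payload: 4-byte enterprise number, 2-byte data
# length, then the vendor-class data carrying the password.
OPTION16 = b"\x00\x00\x0d\xe9" + b"\x00\x08" + b"secret01"

if __name__ == "__main__":
    # Without offset/length the leading 0x00 bytes fail the validity check,
    # so the selection falls through to the default password.
    print(choose_password(OPTION16, trusted=True))
    print(choose_password(OPTION16, trusted=True, offset=7, length=8))
```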

Restrictions and guidelines

Passwords configured by using this command are used for authentication, and must be the same as those configured on the AAA server.

Examples

# Specify the string with an offset of 10 and a length of 20 bytes from Option 16 or Option 17 as the password for DHCPv6 users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dhcpv6 password option16 offset 10 length 20

Related commands

ip subscriber password

ip subscriber trust

ip subscriber dhcp username

ip subscriber dhcpv6 rate-limit

Use ip subscriber dhcpv6 rate-limit to enable rate-limiting the DHCPv6 packets of DHCPv6 users.

Use undo ip subscriber dhcpv6 rate-limit to disable rate-limiting the DHCPv6 packets of DHCPv6 users.

Syntax

ip subscriber dhcpv6 rate-limit rate

undo ip subscriber dhcpv6 rate-limit

Default

Rate-limiting the DHCPv6 packets of DHCPv6 users is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum number of DHCPv6 packets that can be received per second, in the range of 1 to 500000000.

Usage guidelines

When a large number of DHCPv6 users come online at the same time, you can enable this feature to avoid congestion caused by a large number of DHCPv6 packets and ensure users can come online properly.

With this feature enabled, when the device or slot receives DHCPv6 packets (including Solicit packets and Request packets from unauthenticated users) at a rate exceeding the limit, the excess packets are dropped.

This command takes effect only on dynamic DHCPv6 users and Layer 2 interface-leased DHCPv6 subusers.

When you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable rate-limiting the DHCPv6 packets of DHCPv6 users, and set the rate limit to 1000 pps.

<Sysname> system-view

[Sysname] ip subscriber dhcpv6 rate-limit 1000

Related commands

ip subscriber password

ip subscriber trust

ip subscriber dhcp username

ip subscriber dot1x-offline user-offline

Use ip subscriber dot1x-offline user-offline to forcibly log out an IPoE user when the 802.1X client of the IPoE user goes offline.

Use undo ip subscriber dot1x-offline user-offline to restore the default.

Syntax

ip subscriber dot1x-offline user-offline

undo ip subscriber dot1x-offline user-offline

Default

An IPoE user stays online when the 802.1X client of the IPoE user goes offline.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

For an IPoE user that comes online through 802.1X authentication, the 802.1X client of the user refers to the 802.1X authentication-capable client software installed on the user's host.

By default, for an IPoE user that comes online through 802.1X authentication, if the 802.1X client of the user goes offline, the device will move the IPoE user from the postauthentication domain to the preauthentication domain, and the IPoE user stays online in the preauthentication domain. To log out an IPoE user when the 802.1X client of the IPoE user goes offline, execute this command.

Examples

# Forcibly log out an IPoE user when the 802.1X client of the IPoE user goes offline on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dot1x-offline user-offline

Related commands

ip subscriber authentication-method

ip subscriber dscp

Use ip subscriber dscp to bind an ISP domain to IPoE users who send IP packets with the specified DSCP values.

Use undo ip subscriber dscp to remove the binding between an ISP domain and IPoE users who send IP packets with the specified DSCP values.

Syntax

ip subscriber dscp dscp-value-list domain domain-name

undo ip subscriber dscp dscp-value-list

Default

No ISP domain is bound to IPoE users who send IP packets with the specified DSCP values.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

dscp-value-list: Specifies a space-separated list of up to eight DSCP value items. Each item specifies a DSCP value or a range of DSCP values in the form of start-DSCP-value to end-DSCP-value. The DSCP value is in the range of 0 to 63.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

For this command, IPoE users include DHCP users, unclassified-IP users, and static individual users.

For how an authentication domain is selected for a DHCP user, see the ip subscriber dhcp domain command.

For how an authentication domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.

For how an authentication domain is selected for a static IPoE user, see the ip subscriber session static command.

For how an authentication domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an authentication domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

For how an authentication domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.

For the ip subscriber dscp command to take effect, you must execute the ip subscriber service-identify dscp command to configure the corresponding service identifier first.

Examples

# Configure ISP domain dscpdm for IPoE users who send IP packets with DSCP values 1 to 4 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber service-identify dscp

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber dscp 1 to 4 domain dscpdm

Related commands

ip subscriber service-identify

ip subscriber enable

Use ip subscriber enable to enable IPoE and configure an IPoE access mode for users.

Use undo ip subscriber enable to disable IPoE for users.

Syntax

ip subscriber { l2-connected | routed } enable [ ipv4 | ipv6 ]

undo ip subscriber { l2-connected | routed } enable

Default

IPoE is disabled for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

l2-connected: Specifies the Layer 2 access mode.

routed: Specifies the Layer 3 access mode.

ipv4: Enables IPoE for the IPv4 protocol stack.

ipv6: Enables IPoE for the IPv6 protocol stack.

Usage guidelines

IPoE configurations for the IPv4 or IPv6 protocol stack take effect on an interface only when IPoE is enabled on the interface for the IPv4 or IPv6 protocol stack.

If you do not specify the ipv4 or ipv6 keyword, this command enables IPoE for both IPv4 and IPv6 protocol stacks.

For interface-leased users, L2VPN-leased users, and dual-stack static users to come online, you must enable IPoE for both IPv4 and IPv6 protocol stacks.

To change the IPoE access mode on an interface, you must disable IPoE, and then enable IPoE with a new IPoE access mode.

When the IPoE access mode does not change, you can execute this command again only to change the single-stack type to the dual-stack type, and the new configuration does not take effect on existing online users. No other change of the IPoE protocol stack type can be made by executing this command again. To modify the IPoE protocol stack type, first execute the undo ip subscriber enable command to disable IPoE, and then execute the ip subscriber enable command to enable IPoE.

On a device configured to operate in user plane mode by using the work-mode user-plane command, you cannot enable IPoE on any interface of the device.

For IPoE configuration to take effect on an interface, make sure the qos apply user-profile command has not been executed on the interface. For more information about the qos apply user-profile command, see user profiles commands in BRAS Services Command Reference.

Examples

# Enable IPoE and configure the Layer 2 access mode for users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber l2-connected enable

Related commands

qos apply user-profile (BRAS Services Command Reference)

work-mode user-plane (BRAS Services Command Reference)

ip subscriber http-defense destination-ip enable

Use ip subscriber http-defense destination-ip enable to enable destination IP-based IPoE HTTP/HTTPS attack defense.

Use undo ip subscriber http-defense destination-ip enable to disable destination IP-based IPoE HTTP/HTTPS attack defense.

Syntax

ip subscriber http-defense destination-ip enable [ action { block [ period blocking-period ] | logging } ]

undo ip subscriber http-defense destination-ip enable

Default

Destination IP-based IPoE HTTP/HTTPS attack defense is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

action: Specifies the action to take when the blocking conditions are met. If you do not specify this keyword, attack defense blocking entries are generated when the attack defense blocking conditions are met to block the corresponding HTTP/HTTPS packets for 600 seconds.

block: Generates attack defense blocking entries when the blocking conditions are met to block attack packets, but does not generate logs.

period blocking-period: Specifies the period of blocking HTTP/HTTPS packets in the range of 0 to 3600 seconds. The default is 600. The blocking period of 0 means that the blocking entries do not automatically age out. To unblock the corresponding destination IP addresses, use the reset ip subscriber http-defense destination-ip command to manually clear blocking entries.

logging: Outputs logs and generates attack defense blocking entries when the blocking conditions are met. When this keyword is specified, the attack defense blocking entries generated can only be used to view blocked users, but do not block attack packets.

Usage guidelines

Various tool software products (for example, Baidu cloud) installed on a client each periodically send HTTP/HTTPS requests to a fixed destination IP address. Before users perform IPoE Web authentication, the HTTP/HTTPS requests generated by these products result in high resource usage, which reduces authentication efficiency and might even cause authentication to fail. To resolve this issue, enable destination IP-based IPoE HTTP/HTTPS attack defense. Use the attack defense function in the following scenarios:

·     To limit the HTTP/HTTPS requests frequently initiated and reduce the resource usage of these massive HTTP/HTTPS packets, use the ip subscriber http-defense destination-ip enable action block command to generate blocking entries when the blocking conditions are met and block HTTP/HTTPS requests sent to the specified destination IP addresses based on the blocking entries.

·     Blocking HTTP/HTTPS requests will affect users’ access to the specified destination IP addresses. To only detect the HTTP/HTTPS requests frequently initiated to the specified destination IP addresses rather than block them, use the ip subscriber http-defense destination-ip enable action logging command to output attack logs and generate attack defense blocking entries that are used to view blocked users. These attack defense blocking entries will not block attack packets. The attack log messages generated by the device are sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.

In the current software version, the IPoE HTTP/HTTPS attack defense function takes effect only on HTTP/HTTPS packets sent by IPoE Web users that have come online in the preauthentication domain.

This command takes effect only on newly generated blocking rules, but does not take effect on existing blocking entries.

When you use the undo form of this command to disable the attack defense function, the generated attack defense statistics entries and blocking entries will also be deleted.

Examples

# Enable destination IP-based IPoE HTTP/HTTPS attack defense and output attack logs when the blocking conditions are met.

<Sysname> system-view

[Sysname] ip subscriber http-defense destination-ip enable action logging

Related commands

display ip subscriber http-defense blocked-destination-ip

display ip subscriber http-defense unblocked-destination-ip

ip subscriber http-defense destination-ip threshold

ip subscriber http-defense free-destination-ip

ip subscriber http-defense destination-ip threshold

Use ip subscriber http-defense destination-ip threshold to configure the threshold for triggering IPoE HTTP/HTTPS attack defense.

Use undo ip subscriber http-defense destination-ip threshold to restore the default.

Syntax

ip subscriber http-defense destination-ip threshold packet-number interval interval

undo ip subscriber http-defense destination-ip threshold

Default

When the total number of HTTP/HTTPS packets sent to the same destination IP address within 300 seconds reaches 6000, the attack defense threshold is triggered.

Views

System view

Predefined user roles

network-admin

Parameters

packet-number: Specifies the number of packets in the range of 100 to 4294967295. When the value for this argument is modified, the modification takes effect on both newly generated and existing entries of unblocked destination IP addresses.

interval interval: Specifies the packet statistics collection interval in the range of 60 to 3600 seconds. When the value for this argument is modified, the modification takes effect only on newly generated entries of unblocked destination IP addresses, and does not affect existing entries of unblocked destination IP addresses.

Usage guidelines

On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device will monitor and collect statistics of HTTP/HTTPS packets that IPoE Web preauthentication users send to any destination IP address. If the total number of HTTP/HTTPS packets sent to a destination IP address within a statistics collection interval exceeds the specified threshold, the device will generate blocking entries to block attack packets or output attack logs as configured in the ip subscriber http-defense destination-ip enable command.

Examples

# Trigger attack defense when the total number of HTTP/HTTPS packets sent to the same destination IP address within 360 seconds reaches 5000.

<Sysname> system-view

[Sysname] ip subscriber http-defense destination-ip threshold 5000 interval 360

Related commands

ip subscriber http-defense destination-ip enable

ip subscriber http-defense free-destination-ip

Use ip subscriber http-defense free-destination-ip to configure allowlist addresses for IPoE HTTP/HTTPS attack defense.

Use undo ip subscriber http-defense free-destination-ip to delete the allowlist addresses configured for IPoE HTTP/HTTPS attack defense.

Syntax

ip subscriber http-defense free-destination-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo ip subscriber http-defense free-destination-ip [ { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]

Default

Allowlist addresses are not configured for IPoE HTTP/HTTPS attack defense.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies a destination IPv4 address.

ipv6 ipv6-address: Specifies a destination IPv6 address.

vpn-instance vpn-instance-name: Specifies the VPN instance to which the specified destination IP address belongs. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the destination IP address belongs to the public network.

Usage guidelines

On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device by default monitors and collects statistics of HTTP/HTTPS packets that IPoE Web preauthentication users send to any destination IP address. If you do not want to collect attack defense statistics for HTTP/HTTPS packets sent by users to specific destination IP addresses, and want to unconditionally push the Web authentication page to users accessing those destination IP addresses, add those destination IP addresses to the allowlist.

The IPoE HTTP/HTTPS attack defense function does not collect attack defense statistics for or block HTTP/HTTPS packets sent to destination IP addresses on the allowlist.

Execute this command multiple times to add multiple destination IP addresses to the allowlist.

If you do not specify any parameter when executing the undo form of this command, this command will delete allowlist addresses from the public network and all VPN instances.
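The following is an added example, not H3C code, that emulates how the enable, threshold and free-destination-ip commands above fit together: per-destination HTTP/HTTPS packet counting over a statistics interval, an allowlist that is neither counted nor blocked, the block and logging actions, a blocking period of 0 that never ages out until a manual reset, and the rule that a threshold change applies to existing entries while an interval change applies only to new ones. It assumes the threshold triggers when the count reaches packet-number; the IP addresses and timestamps are constructed.

```python
"""Emulation of destination IP-based IPoE HTTP/HTTPS attack defense.

Added example, not H3C code. Assumption: the threshold triggers when the
per-destination count reaches packet-number within the interval.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NEVER = float("inf")  # blocking period 0: entries do not age out


@dataclass
class Counter:
    """An 'unblocked destination IP' entry: packets seen in the current window."""
    window_start: float
    interval: int  # fixed at creation; a later interval change does not apply
    count: int = 0


class HttpDefense:
    def __init__(self, threshold: int = 6000, interval: int = 300,
                 action: str = "block", period: int = 600,
                 allowlist: Optional[Set[str]] = None) -> None:
        if not 100 <= threshold <= 4294967295:
            raise ValueError("packet-number must be 100 to 4294967295")
        if not 60 <= interval <= 3600:
            raise ValueError("interval must be 60 to 3600 seconds")
        if not 0 <= period <= 3600:
            raise ValueError("blocking period must be 0 to 3600 seconds")
        if action not in ("block", "logging"):
            raise ValueError("action must be block or logging")
        self.threshold = threshold
        self.interval = interval
        self.action = action
        self.period = period
        self.allowlist: Set[str] = set(allowlist or ())
        self.counters: Dict[str, Counter] = {}  # unblocked-destination entries
        self.blocked: Dict[str, float] = {}     # destination -> expiry time
        self.logs: List[str] = []

    def set_threshold(self, packet_number: int) -> None:
        """Applies to new and existing entries (read at check time)."""
        self.threshold = packet_number

    def set_interval(self, interval: int) -> None:
        """Applies only to entries created from now on."""
        self.interval = interval

    def observe(self, dst: str, now: float) -> str:
        """Decide one HTTP/HTTPS packet from a preauthentication user.

        Returns "forward" or "drop".
        """
        if dst in self.allowlist:
            return "forward"  # allowlisted: neither counted nor blocked
        expiry = self.blocked.get(dst)
        if expiry is not None:
            if now < expiry:
                return "drop" if self.action == "block" else "forward"
            del self.blocked[dst]  # blocking entry aged out
        ctr = self.counters.get(dst)
        if ctr is None or now - ctr.window_start >= ctr.interval:
            ctr = Counter(window_start=now, interval=self.interval)
            self.counters[dst] = ctr
        ctr.count += 1
        if ctr.count >= self.threshold:  # blocking condition met
            self._trigger(dst, now)
            return "drop" if self.action == "block" else "forward"
        return "forward"

    def _trigger(self, dst: str, now: float) -> None:
        del self.counters[dst]
        self.blocked[dst] = NEVER if self.period == 0 else now + self.period
        if self.action == "logging":  # entry only shows the blocked destination
            self.logs.append(f"HTTP-DEFENSE: {dst} reached {self.threshold} "
                             f"packets within {self.interval}s (logging only)")

    def reset(self, dst: Optional[str] = None) -> None:
        """Manual clear, as with reset ip subscriber http-defense destination-ip."""
        if dst is None:
            self.blocked.clear()
        else:
            self.blocked.pop(dst, None)

    def disable(self) -> None:
        """undo ... enable: statistics and blocking entries are deleted too."""
        self.counters.clear()
        self.blocked.clear()
```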

Examples

# Add IP address 1.1.1.2 to the allowlist for IPoE HTTP/HTTPS attack defense.

<Sysname> system-view

[Sysname] ip subscriber http-defense free-destination-ip 1.1.1.2

Related commands

ip subscriber http-defense destination-ip enable

ip subscriber http-fast-reply enable

Use ip subscriber http-fast-reply enable to enable HTTP packet fast reply on an interface.

Use undo ip subscriber http-fast-reply enable to disable HTTP packet fast reply on an interface.

Syntax

ip subscriber http-fast-reply enable

undo ip subscriber http-fast-reply enable

Default

HTTP packet fast reply is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

When a user who performs Web authentication in a browser accesses a destination other than the portal Web server, the access device redirects the HTTP requests to the CPU, and the CPU pushes the Web authentication page of the portal Web server to the user. If an attacker sends a large number of HTTP requests to the device, the device is exposed to DoS attacks.

With this feature enabled on an interface, the device uses hardware to recognize HTTP requests and automatically responds with HTTP replies. This feature reduces the workload of the CPU and prevents DoS attacks.

This feature does not immediately take effect on users that have passed preauthentication and come online before this feature is enabled. This feature takes effect only when these users go offline and come online again after passing preauthentication or return to the preauthentication domain after passing Web authentication.

With both this feature and transparent authentication configured, a user first attempts to come online through transparent authentication. The hardware responds and pushes the Web authentication page if the user fails to come online through transparent authentication for one of the following reasons:

·     Transparent authentication binding query request times out.

·     The portal server returns a message showing that the user is not bound.

·     The AAA server returns authentication failure.

Examples

# Enable HTTP packet fast reply on interface Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber http-fast-reply enable

Related commands

ip subscriber authentication-method

work-mode user-plane (BRAS Services Command Reference)

ip subscriber if-match

Use ip subscriber if-match to configure a match rule for IPoE URL redirection.

Use undo ip subscriber if-match to delete an IPoE URL redirection match rule.

Syntax

ip subscriber if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent user-agent redirect-url url-string }

undo ip subscriber if-match { original-url url-string | user-agent user-agent }

Default

No IPoE URL redirection match rule is configured.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in Web access requests. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP or HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

Usage guidelines

A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.

For a user to successfully access the redirection URL, configure a preauthentication domain user group ACL to allow HTTP or HTTPS requests destined for the redirection URL to pass.

You can execute the web-server url command in an ISP domain and the ip subscriber if-match command for URL redirection. The web-server url command redirects all HTTP or HTTPS requests from unauthenticated users to the Web server for authentication. The ip subscriber if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the ip subscriber if-match command takes priority to perform URL redirection.

In a CUPS network, this command takes effect only when it is executed on a UP.

Examples

# Configure a match rule to redirect HTTP requests destined for the URL http://www.example.com to the URL http://192.168.0.1 and use DES to encrypt the parameters carried in this redirection URL.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber if-match original-url http://www.example.com redirect-url http://192.168.0.1 url-param-encryption des key simple 12345678

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

web-server url (BRAS Services Command Reference)

ip subscriber initiator arp enable

Use ip subscriber initiator arp enable to enable ARP packet initiation.

Use undo ip subscriber initiator arp enable to disable ARP packet initiation.

Syntax

ip subscriber initiator arp enable

undo ip subscriber initiator arp enable

Default

ARP packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

With ARP packet initiation enabled, a BRAS allows static IPoE users to initiate IPoE sessions by using ARP packets, and restores sessions for abnormally logged out DHCP users according to recorded information. When the BRAS receives ARP packets from abnormally logged out DHCP users, the BRAS can restore the IPoE sessions for these users based on the recorded information.

A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.

When an interface receives ARP packets from a user, the interface processes the packets in the following order:

1.     If the ARP packets match a configured IPoE static session, the user is processed as a static user.

2.     If the ARP packets match a roaming user, the user is processed as a roaming user.

3.     If the ARP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

4.     The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

5.     If the ARP packets match none of the above, the ARP packets are dropped and the user cannot initiate a session by using ARP packets.

For a static user to initiate sessions by using ARP packets, make sure the following requirements are met:

·     ARP packet initiation is enabled.

·     The gateway IP address allocated to the static users must be one of the following IP addresses:

¡     The IP address of the access interface.

¡     A shared gateway address from the gateway address list in the IP address pool (for example, gateway address specified by using the gateway command in a BAS IP address pool).

Disabling ARP packet initiation does not affect online ARP-initiated static sessions.

Examples

# Enable ARP packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber initiator arp enable

Related commands

ip subscriber access-trigger loose

ip subscriber enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator ndrs enable

ip subscriber roaming enable

reset ip subscriber session

ip subscriber initiator ndrs enable

Use ip subscriber initiator ndrs enable to enable IPv6 ND RS packet initiation.

Use undo ip subscriber initiator ndrs enable to disable IPv6 ND RS packet initiation.

Syntax

ip subscriber initiator ndrs enable

undo ip subscriber initiator ndrs enable

Default

IPv6 ND RS packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

If you enable IPv6 ND RS packet initiation on an interface, the first IPv6 ND RS packet initiates the IPoE session. If you disable IPv6 ND RS packet initiation on an interface, ND RS packets cannot initiate IPoE sessions. However, existing IPoE sessions initiated by ND RS packets are not deleted.

You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.

Examples

# Enable IPv6 ND RS packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber initiator ndrs enable

Related commands

ip subscriber enable

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator nsna enable

Use ip subscriber initiator nsna enable to enable NS/NA packet initiation.

Use undo ip subscriber initiator nsna enable to disable NS/NA packet initiation.

Syntax

ip subscriber initiator nsna enable

undo ip subscriber initiator nsna enable

Default

NS/NA packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

With this command executed, when the interface receives from a user NS packets whose source IP address is a global unicast address, or NA packets whose source or target address is a global unicast address, the interface processes the packets in the following order:

1.     If the packets match a configured static IPoE session, the user is processed as a static user.

2.     If the packets match a roaming user, the user is processed as a roaming user.

3.     If the packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

4.     If the packets match abnormally logged out ND RS user records, the interface restores the session information for the abnormally logged out ND RS user according to the recorded information.

5.     The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

6.     If the packets match none of the above, the user cannot initiate a session by using NS/NA packets.

NS/NA packet initiation is supported only when IPoE operates in Layer 2 access mode. For a user to initiate a session by using NS/NA packets, you must execute the ip subscriber initiator nsna enable command to enable NS/NA packet initiation.

With this feature disabled on an interface, the users that have come online by using the NS/NA packet initiation method on the interface are still online and not affected.

Examples

# Enable NS/NA packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber initiator nsna enable

Related commands

ip subscriber initiator unclassified-ipv6 enable

ip subscriber roaming enable

ip subscriber initiator unclassified-ip enable

Use ip subscriber initiator unclassified-ip enable to enable unclassified-IPv4 packet initiation.

Use undo ip subscriber initiator unclassified-ip enable to disable unclassified-IPv4 packet initiation.

Syntax

ip subscriber initiator unclassified-ip enable [ matching-user ]

undo ip subscriber initiator unclassified-ip enable

Default

Unclassified-IPv4 packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

matching-user: Allows only matching static users, abnormally logged out DHCP users, roaming users, and users accessing in loose mode to log in.

Usage guidelines

For unclassified-IPv4 packet initiation to take effect, you must execute the dhcp enable command to enable DHCP. For information about this command, see DHCP commands in BRAS Services Command Reference.

With unclassified-IPv4 packet initiation enabled, a BRAS allows IPoE users to initiate IPoE sessions by using unclassified-IPv4 packets. When the BRAS receives IP packets from abnormally logged out DHCP users, it restores the IPoE sessions for these users based on the recorded information.

A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.

If the matching-user keyword is specified, an interface processes the IP packets received from a user in the following order:

1.     If the IP packets match a configured IPoE static session, the user is processed as a static user.

2.     If the IP packets match a roaming user, the user is processed as a roaming user.

3.     If the IP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

4.     The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

5.     If the IP packets match none of the above, the user cannot initiate a session by using unclassified-IP packets.

If the matching-user keyword is not specified, an interface processes the packets received from a user in the following order:

1.     If the IP packets match a configured IPoE static session, the user is processed as a static user.

2.     If the IP packets match a roaming user, the user is processed as a roaming user.

3.     If the IP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

4.     The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

5.     If the IP packets match none of the above, the user initiates a session by using unclassified-IP packets.

If you disable unclassified-IPv4 packet initiation on an interface, existing IPoE sessions initiated by unclassified-IPv4 packets are not deleted.

You can enable DHCPv4 packet initiation and unclassified-IPv4 packet initiation on the same interface.

Examples

# Enable unclassified-IPv4 packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ip enable

Related commands

ip subscriber access-trigger loose

ip subscriber enable

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber initiator ndrs enable

ip subscriber roaming enable

ip subscriber initiator unclassified-ipv6 enable

Use ip subscriber initiator unclassified-ipv6 enable to enable unclassified-IPv6 packet initiation.

Use undo ip subscriber initiator unclassified-ipv6 enable to disable unclassified-IPv6 packet initiation.

Syntax

ip subscriber initiator unclassified-ipv6 enable [ matching-user ]

undo ip subscriber initiator unclassified-ipv6 enable

Default

Unclassified-IPv6 packet initiation is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

matching-user: Allows only matching static users, abnormally logged out DHCP users, abnormally logged out ND RS users, roaming users, and users accessing in loose mode to log in.

Usage guidelines

With unclassified-IPv6 packet initiation enabled, a BRAS allows IPoE users to initiate IPoE sessions by using unclassified-IPv6 packets. When the BRAS receives IPv6 packets from abnormally logged out DHCP users, it restores the IPoE sessions for these users based on the recorded information.

A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.

If the matching-user keyword is specified, the interface processes the IPv6 packets received from a user in the following order:

1.     If the IPv6 packets match a configured IPoE static session, the user is processed as a static user.

2.     If the IPv6 packets match a roaming user, the user is processed as a roaming user.

3.     If the IPv6 packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

4.     If the IPv6 packets match abnormally logged out ND RS user records, the interface restores the session information for the abnormally logged out ND RS user according to the recorded information.

5.     The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

6.     If the IPv6 packets match none of the above, the user cannot initiate a session by using unclassified-IPv6 packets.

If the matching-user keyword is not specified, the interface processes the IPv6 packets received from a user in the following order:

1.     If the IPv6 packets match a configured IPoE static session, the user is processed as a static user.

2.     If the IPv6 packets match a roaming user, the user is processed as a roaming user.

3.     If the IPv6 packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.

4.     If the IPv6 packets match abnormally logged out ND RS user records, the interface restores the session information for the abnormally logged out ND RS user according to the recorded information.

5.     The user accesses in loose mode. (Applicable only when the loose mode takes effect.)

6.     If the IPv6 packets match none of the above, the user initiates a session by using unclassified-IPv6 packets.

For the processing procedure when the interface receives NS/NA packets, see the ip subscriber initiator nsna enable command.

If you disable unclassified-IPv6 packet initiation on an interface, existing IPoE sessions initiated by unclassified-IPv6 packets are not deleted.

You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.

Examples

# Enable unclassified-IPv6 packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber initiator unclassified-ipv6 enable

Related commands

ip subscriber initiator nsna enable

ip subscriber roaming enable

ip subscriber interface-leased

Use ip subscriber interface-leased to configure an interface-leased user.

Use undo ip subscriber interface-leased to restore the default.

Syntax

ip subscriber interface-leased username name password { ciphertext | plaintext } string [ domain domain-name ]

undo ip subscriber interface-leased

Default

No interface-leased user exists.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

Predefined user roles

network-admin

Parameters

username name: Specifies a username for authentication, a case-sensitive string of 1 to 253 characters.

password ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

password plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

An interface-leased user represents all access users of the interface. With IPoE enabled for both IPv4 and IPv6 protocol stacks on an interface in up state, the session does not need to be initiated by user traffic. The BRAS actively initiates authentication by using the configured username and password. After the authentication succeeds and the leased session is successfully set up for users, traffic of all users on the interface is permitted, and the users share one IPoE session. The BRAS performs interface-level authorization and accounting for all users on the interface.

If you enable IPoE before configuring an interface-leased user, IPoE must be enabled for both the IPv4 and IPv6 protocol stacks; otherwise, you cannot configure the interface-leased user. If you configure an interface-leased user before enabling IPoE, you must enable IPoE for both the IPv4 and IPv6 stacks; otherwise, you cannot enable IPoE.

You can configure only one interface-leased user on each interface. To change the parameters of an existing interface-leased user, use the undo form to delete the user, and then reconfigure it with new parameter settings.

You cannot configure an interface-leased user on an interface configured with subnet-leased users, L2VPN-leased users, unclassified-IP users, or static users.

If you have added an interface to the static user interface list, you cannot configure interface-leased users on the interface. If you have configured interface-leased users on an interface, you cannot add the interface to the static user interface list.

An ISP domain is selected for an IPoE interface-leased user in the following order until a match is found:

1.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

2.     ISP domain specified by using the domain domain-name option in this command. If the ISP domain has not been created, the user fails to come online.

3.     ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.

4.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure an interface-leased user with a username of intuser and a plaintext password of pw123 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber interface-leased username intuser password plaintext pw123

ip subscriber l2vpn-leased

Use ip subscriber l2vpn-leased to configure an L2VPN-leased user.

Use undo ip subscriber l2vpn-leased to restore the default.

Syntax

ip subscriber l2vpn-leased username name password { ciphertext | plaintext } string [ domain domain-name ]

undo ip subscriber l2vpn-leased

Default

No L2VPN-leased user exists.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

Predefined user roles

network-admin

Parameters

username name: Specifies a username for authentication, a case-sensitive string of 1 to 253 characters.

password ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

password plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

An L2VPN-leased user is a group of hosts that rent the same interface and share the same IPoE session on an L2VPN network. The BRAS authenticates, authorizes, and accounts all hosts of the same L2VPN-leased user.

If you enable IPoE before configuring an L2VPN-leased user, IPoE must be enabled for both the IPv4 and IPv6 protocol stacks; otherwise, you cannot configure the L2VPN-leased user. If you configure an L2VPN-leased user before enabling IPoE, you must enable IPoE for both the IPv4 and IPv6 stacks; otherwise, you cannot enable IPoE.

You can configure only one L2VPN-leased user on one interface. To change the parameters of an existing L2VPN-leased user, use the undo form to delete the user, and then reconfigure it with new parameter settings.

You cannot configure an L2VPN-leased user on an interface configured with interface-leased users, subnet-leased users, or static users.

On a Layer 3 Ethernet or aggregate subinterface, the IPoE L2VPN-leased user configuration is mutually exclusive with the packet statistics collection feature. For more information about packet statistics collection on Ethernet subinterfaces, see Ethernet interface configuration in Interface Configuration Guide. For more information about packet statistics collection on Layer 3 aggregate subinterfaces, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide.

An ISP domain is selected for an IPoE L2VPN-leased user in the following order until a match is found:

1.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

2.     ISP domain specified by using the domain domain-name option in this command. If the ISP domain has not been created, the user fails to come online.

3.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Configure an L2VPN-leased user with a username of intuser and a plaintext password of pw123 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber l2vpn-leased username intuser password plaintext pw123

ip subscriber lease-end-time original

Use ip subscriber lease-end-time original to configure a logged out user that logs in again to keep the lease expiration time that was in effect when the user was logged out.

Use undo ip subscriber lease-end-time original to restore the default.

Syntax

ip subscriber lease-end-time original

undo ip subscriber lease-end-time original

Default

The lease expiration time is renewed when a logged out user logs in again.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

By default, the lease expiration time is renewed when an abnormally logged out or auto backed-up user logs in again. With this command configured, when a logged out client recovers and logs in again, the following rules apply:

·     For an abnormally logged out user, the lease expiration time is the same as the time recorded in the client.

·     For an auto backed-up user, the lease expiration time is the same as the time recorded in the auto backup entry.

This command takes effect only on abnormally logged out IPoE DHCP users and auto backed-up IPoE DHCP users.

Examples

# Configure a logged out user that logs in again to keep the lease expiration time in effect when the user was logged out on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber lease-end-time original

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

display ip subscriber abnormal-logout

ip subscriber mac-auth domain

Use ip subscriber mac-auth domain to configure the domain for MAC authentication.

Use undo ip subscriber mac-auth domain to restore the default.

Syntax

ip subscriber mac-auth domain domain-name

undo ip subscriber mac-auth domain

Default

No domain is configured for MAC authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

If multiple types of domains are configured when Web MAC authentication is used, an ISP domain is selected in the following order until a match is found during the Web authentication phase:

1.     Domain carried in the username. If the domain has not been created, the user fails to come online.

2.     MAC authentication domain specified by using the ip subscriber mac-auth domain command. If the specified domain has not been created, the user fails to come online.

3.     Web authentication domain specified by using the ip subscriber web-auth domain command. If the specified domain has not been created, the user fails to come online.

4.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For how an ISP domain is selected during the Web authentication phase when Web authentication is used, see the ip subscriber web-auth domain command.

The ISP domain for MAC authentication is used only for the transparent MAC authentication performed during the Web authentication phase for individual users that use Web MAC authentication.

The ISP domain modification for MAC authentication takes effect only on new users.

Examples

# Specify ISP domain dm1 for MAC authentication on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber mac-auth domain dm1

Related commands

ip subscriber authentication-method

ip subscriber web-auth domain

ip subscriber max-session

Use ip subscriber max-session to set the maximum number of individual sessions and leased subuser sessions on an interface.

Use undo ip subscriber max-session to restore the default.

Syntax

ip subscriber max-session max-number

undo ip subscriber max-session

Default

The maximum number of individual sessions and leased subuser sessions is not set on an interface.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of individual sessions and leased subuser sessions allowed on an interface. The value range for this argument is 1 to 64000.

Usage guidelines

When the number of individual sessions and leased subuser sessions on an interface has reached the limit, new IPoE sessions cannot be established. The number of IPoE sessions created includes the number of IPv4 single-stack users, the number of IPv6 single-stack users, and the number of dual-stack sessions. A single-stack user and a dual-stack user each occupy one session resource. If a single-stack user has come online successfully, the other stack of the same user can directly come online, and the two stacks share one session resource.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is executed together with the ip subscriber { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 } max-session command, both commands take effect. The two commands limit sessions from different perspectives, and a new session can be established only when neither limit has been reached.

Examples

# Set the maximum number of individual sessions and leased subuser sessions on Ten-GigabitEthernet 3/1/1 to 100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber max-session 100

Related commands

ip subscriber dhcp max-session

ip subscriber dhcpv6 max-session

ip subscriber ndrs max-session

ip subscriber unclassified-ip max-session

ip subscriber unclassified-ipv6 max-session

ip subscriber nas-port-id format

Use ip subscriber nas-port-id format to configure the NAS-Port-ID format for IPoE users.

Use undo ip subscriber nas-port-id format to restore the default.

Syntax

ip subscriber nas-port-id format cn-telecom { version1.0 | version2.0 | version3.0 | version4.0 | version5.0 }

undo ip subscriber nas-port-id format

Default

NAS-Port-IDs for IPoE users are encapsulated in the version 1.0 format.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

version1.0: Specifies the China Telecom version 1.0 format.

·     The version 1.0 format varies by interface type.

Table 16 Version 1.0 formats

Interface type | Encapsulation format
Layer 3 Ethernet interface and Layer 3 aggregate interface | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=0
Layer 3 Ethernet subinterface and Layer 3 aggregate subinterface (single VLAN tag) | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=vlan_id
Layer 3 Ethernet subinterface and Layer 3 aggregate subinterface (dual VLAN tags) | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=inner-vlan;vlanid2=outer-vlan

·     Version 1.0 format parameters

Table 17 Version 1.0 format parameter description

Parameter | Description
NAS_slot | Specifies the slot number of the access interface on the BRAS.
NAS_subslot | Specifies the subslot number of the access interface on the BRAS.
NAS_port | Specifies the port number of the access interface on the BRAS.
vlan_id | Specifies the ID of the user's VLAN.
inner-vlan | Specifies the ID of the inner VLAN.
outer-vlan | Specifies the ID of the outer VLAN.
vpi | Specifies the VPI of the access interface on the BRAS.
vci | Specifies the VCI of the access interface on the BRAS.

version2.0: Specifies the format described in YDT 2275-2011 Subscriber Access Loop (Port) Identification in Broadband Access Networks.

·     When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted or the received DHCPv6 packets carry Option 18 and Option 18 is trusted, see "ip subscriber nas-port-id nasinfo-insert" for the version 2.0 format.

·     In the other cases, the version 2.0 format is {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port:svlan.cvlan AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port. The NAS information (NAS_slot/NAS_subslot/NAS_port:svlan.cvlan) and AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port (modified to 0/0/0/0/0/0) are encapsulated in the NAS-Port-ID field.

Table 18 describes the version 2.0 format parameters.

Table 18 Version 2.0 format parameter description

Parameter | Description
{eth|trunk|atm} | Specifies the type of the access interface on the BRAS as Ethernet, trunk, or ATM.
NAS_slot | Specifies the slot number of the access interface on the BRAS.
NAS_subslot | Specifies the subslot number of the access interface on the BRAS.
NAS_port | Specifies the port number of the access interface on the BRAS.
svlan | Specifies the ID of the user's SVLAN.
cvlan | Specifies the ID of the user's CVLAN.
AccessNodeIdentifier | Specifies the identifier of the access node.
ANI_rack | Specifies the rack number of the access node.
ANI_frame | Specifies the frame number of the access node.
ANI_slot | Specifies the slot number of the access node.
ANI_subslot | Specifies the subslot number of the access node.
ANI_port | Specifies the port number of the access node.

In the version 2.0 format, for users accessing without VLAN tags, both svlan and cvlan are fixed at 4096. For users accessing with a single layer of VLAN tags, svlan is fixed at 4096 and cvlan is the actual VLAN carried. For more information, see the examples.

version3.0: Specifies the version 3.0 format SlotID/00/IfNO/VlanID, where the forward slash (/) is not displayed. Table 19 describes the meaning of each field.

Table 19 Version 3.0 encapsulation format

Parameter | Description
SlotID | ID of the slot that the user accesses. A minimum of two bits. The empty bits are padded with 0s in the front.
00 | Specific field required by the specification.
IfNO | Interface number of the user. A minimum of three bits. The empty bits are padded with 0s in the front.
VlanID | VLAN ID of the user. A minimum of nine bits. The empty bits are padded with 0s in the front.

In the version 3.0 format, for users accessing without VLAN tags, VlanID is fixed at 0. For users accessing with a single layer of VLAN tags, VlanID is the actual VLAN carried. For users with two layers of VLAN tags, VlanID is the actual CVLAN carried. For more information, see the examples.

version4.0: Specifies the version 4.0 format.

·     When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted or the received DHCPv6 packets carry Option 18 and Option 18 is trusted, the format adds the following information to the NAS-Port-ID in the version 3.0 format:

¡     For IPv4 users, the DHCP Option 82 Circuit-ID is added. The encapsulation format is SlotID/00/IfNO/VlanID/Option82 Circuit-ID, where the forward slash (/) is not displayed.

¡     For IPv6 users, the DHCP Option18 is added. The encapsulation format is SlotID/00/IfNO/VlanID/Option18, where the forward slash (/) is not displayed.

·     In the other cases, the version 4.0 format is the same as the version 3.0 format.

version5.0: Specifies the version 5.0 format. The NAS-Port-ID attribute sent to the RADIUS server is encapsulated according to the YDT 2275-2011 subscriber access loop (port) identification requirements. Option 18 and Option 82 are processed in the same way. The following section takes Option 82 as an example.

·     If Option 82 is not trusted, or Option 82 is trusted but information cannot be extracted, the NAS-Port-ID attribute is encapsulated in the same way as when the Option 82 Circuit-ID is not carried. In this case, the NAS-Port-ID attribute is encapsulated in version 2.0 format (AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port is padded with 0/0/0/0/0/0).

·     If Option 82 is trusted and information can be extracted, NAS-Port-ID attribute is encapsulated in version 5.0 format. For more information, see the ip subscriber nas-port-id nasinfo-insert command.

Usage guidelines

In a CUPS network, the following rules apply:

·     When the version 1.0 format is used and the access-user four-dimension-mode enable command is executed, if an IPoE user accesses through a UP, the UP ID information is added before slot in the NAS-Port-ID information. In this case, the NAS-Port-ID information in version 1.0 format is chassis=UP_ID;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=0.

·     When the version 2.0 format is used and the access-user four-dimension-mode enable command is executed, if an IPoE user accesses through a UP, the UP ID information is added before the NAS_slot. In this case, the NAS-Port-ID information in version 2.0 format is {eth|trunk|atm} UP_ID/NAS_slot/NAS_subslot/NAS_port:svlan.cvlan AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port.

·     When the version 3.0 or version 4.0 format is used, the NAS-Port-ID format is the same as that in a common network.
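As an added example (not H3C code), the Python below encodes the version 1.0, 2.0 and 3.0 NAS-Port-ID formats described above (including the CUPS UP_ID prefix) and parses version 1.0/2.0 strings back into their fields, so NAS-Port-ID values seen in RADIUS accounting records can be checked against the expected access location. AccessPort, up_id and ifno are this example's own names; the IfNO value of Table 19 is supplied by the caller because the page does not say how it is derived.

```python
"""Encode and parse China Telecom NAS-Port-ID strings (version 1.0, 2.0, 3.0).

Added example, not H3C code. Encoding rules follow Tables 16-19 and the usage
guidelines above; the sample values from the page's examples serve as test
vectors. AccessPort, up_id and ifno are names chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

VLAN_ABSENT_V2 = 4096        # version 2.0 pads a missing S-/C-VLAN with 4096
ANI_UNKNOWN = "0/0/0/0/0/0"  # access-node part when no trusted Option 82/18


@dataclass(frozen=True)
class AccessPort:
    """BRAS access interface plus the VLAN tags the user's traffic carried.

    svlan is the outer (S) tag, cvlan the inner (C) tag; a single-tagged user
    sets only svlan, matching the S-/C-VLAN column of display access-user.
    up_id is the UP ID added in a CUPS network with four-dimension mode.
    """
    if_type: str  # "eth" (Ethernet), "trunk" (aggregate) or "atm"
    slot: int
    subslot: int
    port: int
    svlan: Optional[int] = None
    cvlan: Optional[int] = None
    up_id: Optional[int] = None

    def __post_init__(self) -> None:
        if self.if_type not in ("eth", "trunk", "atm"):
            raise ValueError("if_type must be eth, trunk or atm")
        if self.cvlan is not None and self.svlan is None:
            raise ValueError("an inner tag without an outer tag is invalid")
        for vlan in (self.svlan, self.cvlan):
            if vlan is not None and not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN ID out of range: {vlan}")


def nas_port_id_v1(p: AccessPort) -> str:
    """Table 16 format; with two tags vlanid is the inner, vlanid2 the outer VLAN."""
    prefix = f"chassis={p.up_id};" if p.up_id is not None else ""
    base = f"{prefix}slot={p.slot};subslot={p.subslot};port={p.port};"
    if p.svlan is None:
        return base + "vlanid=0;"
    if p.cvlan is None:
        return base + f"vlanid={p.svlan};"
    return base + f"vlanid={p.cvlan};vlanid2={p.svlan};"


def nas_port_id_v2(p: AccessPort) -> str:
    """YDT 2275-2011 format without trusted Option 82/18 (access node zeroed)."""
    if p.svlan is None:
        svlan, cvlan = VLAN_ABSENT_V2, VLAN_ABSENT_V2
    elif p.cvlan is None:
        svlan, cvlan = VLAN_ABSENT_V2, p.svlan
    else:
        svlan, cvlan = p.svlan, p.cvlan
    nas = f"{p.slot}/{p.subslot}/{p.port}"
    if p.up_id is not None:
        nas = f"{p.up_id}/{nas}"  # CUPS: UP_ID goes before NAS_slot
    return f"{p.if_type} {nas}:{svlan}.{cvlan} {ANI_UNKNOWN}"


def nas_port_id_v3(p: AccessPort, ifno: int) -> str:
    """Table 19: SlotID(>=2) 00 IfNO(>=3) VlanID(>=9), zero padded, no slashes."""
    if p.svlan is None:
        vlan = 0
    elif p.cvlan is None:
        vlan = p.svlan
    else:
        vlan = p.cvlan  # two tags: the actual C-VLAN is used
    return f"{p.slot:02d}00{ifno:03d}{vlan:09d}"


_V1_RE = re.compile(
    r"^(?:chassis=(\d+);)?slot=(\d+);subslot=(\d+);port=(\d+);"
    r"vlanid=(\d+);(?:vlanid2=(\d+);)?$"
)
_V2_RE = re.compile(r"^(eth|trunk|atm) ((?:\d+/){2,3}\d+):(\d+)\.(\d+) (\S+)$")


def _opt(s: Optional[str]) -> Optional[int]:
    return int(s) if s is not None else None


def parse_nas_port_id(value: str) -> dict:
    """Recover the access location from a NAS-Port-ID found in RADIUS records.

    Returns a dict with "version" and the decoded fields; raises ValueError for
    a string in neither format, which is what an accounting audit should flag.
    """
    m = _V1_RE.match(value)
    if m:
        up, slot, sub, port, v1, v2 = m.groups()
        return {"version": "1.0", "up_id": _opt(up), "slot": int(slot),
                "subslot": int(sub), "port": int(port),
                "vlanid": int(v1), "vlanid2": _opt(v2)}
    m = _V2_RE.match(value)
    if m:
        if_type, path, svlan, cvlan, ani = m.groups()
        parts = [int(x) for x in path.split("/")]
        up = parts.pop(0) if len(parts) == 4 else None
        return {"version": "2.0", "if_type": if_type, "up_id": up,
                "slot": parts[0], "subslot": parts[1], "port": parts[2],
                "svlan": int(svlan), "cvlan": int(cvlan), "access_node": ani}
    raise ValueError(f"unrecognised NAS-Port-ID: {value!r}")
```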

Examples

Version 1.0 format

·     Access without VLAN tags

# Configure Layer 3 aggregate interface 1 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface            IP address              MAC address     S-/C-VLAN

            Username             Access type

            IPv6 address

0x33e       RAGG1                3.3.3.3                 001b-21a8-0949  -/-

            3.3.3.3              L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="slot=0;subslot=0;port=1;vlanid=0;"

·     Access with a single layer of VLAN tags

# Configure Ten-GigabitEthernet 3/1/1.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface            IP address              MAC address     S-/C-VLAN

            Username             Access type

            IPv6 address

0x33e       XGE3/1/1.2            3.3.3.3                 001b-21a8-0949  400/-

            3.3.3.3              L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=1;port=1;vlanid=400;"

·     Access with two layers of VLAN tags

# Configure Ten-GigabitEthernet 3/1/1.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

            Username             Access type

            IPv6 address

0x33e       XGE3/1/1.2            3.3.3.3                 001b-21a8-0949  400/500

            3.3.3.3              L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=1;port=1;vlanid=500;vlanid2=400;"

Version 2.0 format

·     Access without VLAN tags

¡     Access through a Layer 3 aggregate interface

# Configure Layer 3 aggregate interface 1 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] undo ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface            IP address            MAC address     S-/C-VLAN

            Username             Access type

            IPv6 address

0x33e       RAGG1                3.3.3.3               001b-21a8-0949  -/-

            3.3.3.3              L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="trunk 0/0/1:4096.4096 0/0/0/0/0/0"

¡     Access through a Layer 3 Ethernet interface

# Configure Ten-GigabitEthernet 3/1/1 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] undo ip subscriber trust option82

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Ten-GigabitEthernet3/1/1] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1            3.3.3.3                001b-21a8-0949  -/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:4096.4096 0/0/0/0/0/0"

·     Access with a single layer of VLAN tags

#Configure Ten-GigabitEthernet 3/1/1.2 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] undo ip subscriber trust option82

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1.2           3.3.3.3                001b-21a8-0949  400/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:4096.400 0/0/0/0/0/0"

·     Access with two layers of VLAN tags

#Configure Ten-GigabitEthernet 3/1/1.2 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] undo ip subscriber trust option82

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1.2           3.3.3.3                001b-21a8-0949  400/500

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:400.500 0/0/0/0/0/0"

version 3.0 format

·     Access without VLAN tags

#Configure Layer 3 aggregate interface 1 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version3.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       RAGG1               3.3.3.3                001b-21a8-0949  -/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="0000001000000000"

·     Access with a single layer of VLAN tags

#Configure Ten-GigabitEthernet 3/1/1.2 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version3.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1.2           3.3.3.3                001b-21a8-0949  400/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="0300001000000400"

·     Access with two layers of VLAN tags

#Configure Ten-GigabitEthernet 3/1/1.2 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version3.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1.2           3.3.3.3                001b-21a8-0949  400/500

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="0300001000000500"

version 4.0 format

#Configure Ten-GigabitEthernet 3/1/1.2 to use the version 4.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags, and DHCP packets carry Option82 Circuit-ID as aaa be cd ef g.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber trust option82

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version4.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1.2           3.3.3.3                001b-21a8-0949  400/500

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="0300001000000500aaa be cd ef g"

Version 5.0 format

When the DHCP packets do not carry Option 82 circuit-ID or Option 82 is not trusted, the version 5.0 format is the same as the version 2.0 format. For more information, see the example for the version 2.0 format.

When the DHCP packets carry Option 82 Circuit-ID and Option 82 is trusted, see the example in the ip subscriber nas-port-id nasinfo-insert command for the version 5.0 format.

Related commands

access-user four-dimension-mode enable (BRAS Services Command Reference)

ip subscriber trust

ip subscriber nas-port-id interface

ip subscriber nas-port-id nasinfo-insert

ip subscriber nas-port-id interface

Use ip subscriber nas-port-id interface to configure the device to use information of the specified interface to fill in the NAS-Port-ID attribute.

Use undo ip subscriber nas-port-id interface to restore the default.

Syntax

ip subscriber nas-port-id interface interface-type interface-number

undo ip subscriber nas-port-id interface

Default

The device uses information of the interface through which the user comes online to fill in the NAS-Port-ID attribute.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. The specified interface must be the IPoE user's access interface. In the current software version, the interface number can contain one, two, three, or four tiers. In each tier, the number is in the range of 0 to 65534. For example, for a 3-tier interface number, the minimum interface number is 0/0/0, and the maximum interface number is 65534/65534/65534. Specify the interface number according to the actual conditions.

Usage guidelines

By default, a device uses information about the interface through which a user comes online to fill in the NAS-Port-ID attribute and sends it to the RADIUS server. In some special applications, when you need to manually specify the access interface information to be filled in the NAS-Port-ID attribute, you can use this command. For example, suppose the RADIUS server restricts user A's access to only interface A. When user A accesses through interface B and you do not want to modify the RADIUS server configuration, you can execute this command to use information about interface A to fill in the NAS-Port-ID attribute for user A and send the attribute to the RADIUS server.

In a CUPS network, the interface specified in this command must be the access interface of IPoE users on the UP. The interface number is in the format of UP ID/actual interface number on the UP. For example, if a user accesses through Ten-GigabitEthernet 3/1/1 on UP 1024, the interface number specified in this command must be 1024/3/1/1.

When the NAS-PORT-ID information format is version 1.0 and the ip subscriber nas-port-id interface command is executed, the following rules apply:

·     If the access-user four-dimension-mode enable command is also executed, the interface information specified in the ip subscriber nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute:

¡     On a non-CUPS network: chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

¡     On a CUPS network: chassis=UP_ID;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

·     If the access-user four-dimension-mode enable command is not executed, the interface information specified in the ip subscriber nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute: slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

When the NAS-PORT-ID information format is version 2.0 and the ip subscriber nas-port-id interface command is executed, the following rules apply:

·     If the access-user four-dimension-mode enable command is also executed, the interface information specified in this command will be used to fill in the following NAS information field in the NAS-PORT-ID attribute:

¡     On a non-CUPS network: {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port.

¡     On a CUPS network: {eth|trunk|atm} UP_ID/NAS_slot/NAS_subslot/NAS_port.

·     If the access-user four-dimension-mode enable command is not executed, the interface information specified in this command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute: {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port.

When version 3.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the NAS information SlotID/IfNO.

When version 4.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the following NAS information:

·     For IPv4 users: SlotID/IfNO/Option82.

·     For IPv6 users: SlotID/IfNO/Option18.

Examples

#Configure the device to use information of Ten-GigabitEthernet 3/1/1 to fill in the NAS-Port-ID attribute. Configure Ten-GigabitEthernet 3/1/1.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.2

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1.2] ip subscriber nas-port-id format cn-telecom version1.0

[Sysname-Ten-GigabitEthernet3/1/1.2] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       XGE3/1/1.2           3.3.3.3                001b-21a8-0949  400/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=1;port=1;vlanid=400;"
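The NAS-Port-ID strings shown in the examples on this page are what a RADIUS server sees, and the server side is where an access-interface restriction of the kind described under Usage guidelines is actually enforced. The following Python parser is an added example, not H3C code or device output: it decodes the version 1.0 (key=value) and version 2.0 ({eth|trunk|atm} slot/subslot/port:svlan.cvlan ...) forms into one normalized record and compares that record with an expected access port. The VLAN mapping (a single tag is reported as the outer VLAN; version 2.0 writes 4096 for an absent tag and a lone tag in the cvlan position) is inferred from the sample output on this page. The version 3.0 and 4.0 hex forms are not decoded because their field layout is not given here. The NasPortId type and the function names are the example's own.

```python
"""Added example: decode cn-telecom NAS-Port-ID strings (version 1.0 and 2.0
formats) on the RADIUS side and compare them with an expected access port."""
import re
from dataclasses import dataclass
from typing import Optional

NO_VLAN = 4096  # version 2.0 writes 4096 for an absent VLAN layer


@dataclass(frozen=True)
class NasPortId:
    slot: int
    subslot: int
    port: int
    svlan: Optional[int] = None    # outer (or only) VLAN tag; None when untagged
    cvlan: Optional[int] = None    # inner VLAN tag; None unless double-tagged
    chassis: Optional[int] = None  # present only in four-dimension mode
    port_type: str = ""            # eth / trunk / atm (version 2.0 only)
    trailer: str = ""              # access-node fields or Circuit-ID text (version 2.0 only)


# version 2.0: "{eth|trunk|atm} [chassis/]slot/subslot/port:svlan.cvlan <trailer>"
_V2_RE = re.compile(
    r"^(?P<type>eth|trunk|atm) (?P<tiers>\d+(?:/\d+){2,3})"
    r":(?P<svlan>\d+)\.(?P<cvlan>\d+)(?: (?P<trailer>.+))?$"
)


def parse_v1(text: str) -> NasPortId:
    """version 1.0: slot=3;subslot=1;port=1;vlanid=500;vlanid2=400;
    Inferred from this page's samples: a single tag travels in vlanid; with two
    tags vlanid is the inner (C-VLAN) and vlanid2 the outer (S-VLAN)."""
    fields = {}
    for item in text.strip().split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not value.isdigit():
            raise ValueError(f"malformed version 1.0 field {item!r}")
        fields[key] = int(value)
    missing = {"slot", "subslot", "port"} - set(fields)
    if missing or ("vlanid2" in fields and "vlanid" not in fields):
        raise ValueError(f"incomplete version 1.0 NAS-Port-ID: {text!r}")
    svlan = cvlan = None
    if "vlanid2" in fields:
        svlan, cvlan = fields["vlanid2"], fields["vlanid"]
    elif "vlanid" in fields:
        svlan = fields["vlanid"]
    return NasPortId(fields["slot"], fields["subslot"], fields["port"],
                     svlan, cvlan, fields.get("chassis"))


def parse_v2(text: str) -> NasPortId:
    """version 2.0: 4096.4096 means untagged, 4096.<tag> a single tag
    (this page's samples put the lone tag in the cvlan position)."""
    m = _V2_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version 2.0 NAS-Port-ID: {text!r}")
    tiers = [int(t) for t in m["tiers"].split("/")]
    chassis = tiers.pop(0) if len(tiers) == 4 else None
    slot, subslot, port = tiers
    raw_s, raw_c = int(m["svlan"]), int(m["cvlan"])
    if raw_s == NO_VLAN and raw_c == NO_VLAN:
        svlan = cvlan = None
    elif raw_s == NO_VLAN:
        svlan, cvlan = raw_c, None
    else:
        svlan, cvlan = raw_s, raw_c
    return NasPortId(slot, subslot, port, svlan, cvlan, chassis,
                     m["type"], m["trailer"] or "")


def parse(text: str) -> NasPortId:
    """Pick the format from the shape of the first field."""
    return parse_v1(text) if "=" in text.split(";", 1)[0] else parse_v2(text)


def same_access_port(a: NasPortId, b: NasPortId, check_vlans: bool = True) -> bool:
    """True when both values name the same physical port (and VLANs if asked),
    regardless of which NAS-Port-ID version produced them."""
    if (a.chassis, a.slot, a.subslot, a.port) != (b.chassis, b.slot, b.subslot, b.port):
        return False
    return not check_vlans or (a.svlan, a.cvlan) == (b.svlan, b.cvlan)


if __name__ == "__main__":
    # sample strings copied from the examples on this page
    allowed = NasPortId(3, 1, 1)   # the only port this user may come online through
    for s in ("slot=3;subslot=1;port=1;vlanid=500;vlanid2=400;",
              "trunk 0/0/1:4096.4096 0/0/0/0/0/0",
              "eth 3/1/1:4096.400 0/0/0/0/0/0",
              "eth 3/1/1:400.500 0/0/0/0/0/0",
              "trunk 0/0/1:4096.4096 cd ef g"):
        p = parse(s)
        print(f"{s:40} port-ok={same_access_port(p, allowed, check_vlans=False)} {p}")
```

Because the parser normalizes both versions to the same record, a policy written as "user A only on slot 3/subslot 1/port 1" keeps working when the interface is switched from version 1.0 to version 2.0 encapsulation, and the trailer field keeps whatever nasinfo-insert appended so that it can be checked separately.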

Related commands

access-user four-dimension-mode enable (BRAS Services Command Reference)

ip subscriber nas-port-id format

ip subscriber nas-port-id nasinfo-insert

Use ip subscriber nas-port-id nasinfo-insert to include NAS information and information extracted from DHCPv4 Option 82 Circuit-ID or DHCPv6 Option 18 in the NAS-Port-ID.

Use undo ip subscriber nas-port-id nasinfo-insert to restore the default.

Syntax

ip subscriber nas-port-id nasinfo-insert

undo ip subscriber nas-port-id nasinfo-insert

Default

The BRAS uses information extracted from DHCPv4 Option 82 Circuit-ID or DHCPv6 Option 18 as the NAS-Port-ID.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

On a DHCP relay agent network, an access device can capture DHCP packets of users, and extract DHCPv4 Option82 Circuit-ID information and DHCPv6 Option18 information from these packets.

When the version 2.0 format is configured to encapsulate the NAS-Port-ID attribute and DHCPv4 Option 82 or DHCPv6 Option 18 is trusted, the following rules apply:

·     If you execute this command, the following rules apply:

¡     If DHCPv4 packets contain Option 82 Circuit-ID, this command parses Option 82 Circuit-ID, extracts information from Circuit-ID (ignoring the first two spaces), and encapsulates the extracted information together with NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 82 Circuit-ID.

¡     If DHCPv6 packets contain Option 18, this command parses Option 18, extracts information from Option 18 (ignoring the first two spaces), and encapsulates the extracted information together with NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 18.

¡     If DHCPv4 packets do not contain Option 82 Circuit-ID, this command includes NAS information in the NAS-Port-ID and sets non-NAS parts to zeros in the following format:

NAS_slot/NAS_subslot/NAS_port:svlan.cvlan 0/0/0/0/0/0

¡     If DHCPv6 packets do not contain Option 18, this command includes NAS information in the NAS-Port-ID and sets non-NAS parts to zeros in the following format:

NAS_slot/NAS_subslot/NAS_port:svlan.cvlan 0/0/0/0/0/0

·     If you do not execute this command, the default applies.

When the version 5.0 format is configured to encapsulate the NAS-Port-ID attribute and DHCPv4 Option 82 or DHCPv6 Option 18 is trusted, the following rules apply:

·     If this command is executed, the following rules apply:

¡     When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted, this command parses Option 82 Circuit-ID, extracts all information from Circuit-ID, and encapsulates the extracted information (used to fill in the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port field) together with NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 82 Circuit-ID (the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port field is filled with 0/0/0/0/0/0).

¡     When the received DHCPv6 packets carry Option 18 and Option 18 is trusted, this command parses Option 18, extracts all information from Option 18, and encapsulates the extracted information (used to fill in the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port field) together with NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 18 (the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port field is filled with 0/0/0/0/0/0).

·     If you do not execute this command, the default applies.

This command does not affect Option 82 or Option 18.

This command takes effect on Option 82 or Option 18 only after the ip subscriber trust command is executed to configure trusting Option 82 or Option 18.

Examples

Version 2.0 format

#Configure Layer 3 aggregate interface 1 to include NAS information and information extracted from DHCPv4 Option 82 in the NAS-Port-ID, encapsulate the NAS-Port-ID in the version 2.0 format, and trust Option 82. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id nasinfo-insert

[Sysname-Route-Aggregation1] ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       RAGG1               3.3.3.3                001b-21a8-0949  -/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="trunk 0/0/1:4096.4096 cd ef g"

#Configure Layer 3 aggregate interface 1 to include information extracted from DHCPv4 Option 82 or DHCPv6 Option 18 in the NAS-Port-ID, encapsulate the NAS-Port-ID in the version 2.0 format, and trust Option 82. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] undo ip subscriber nas-port-id nasinfo-insert

[Sysname-Route-Aggregation1] ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       RAGG1               3.3.3.3                001b-21a8-0949  -/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-ID="aaa be cd ef g"

Version 5.0 format

#Configure Layer 3 aggregate interface 1 to include NAS information and information extracted from DHCPv4 Option 82 in the NAS-Port-ID, trust Option 82, and encapsulate the NAS-Port-ID in the version 5.0 format. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] ip subscriber nas-port-id nasinfo-insert

[Sysname-Route-Aggregation1] ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version5.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       RAGG1               3.3.3.3                001b-21a8-0949  -/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-Id="trunk 0/0/1:4096.4096 aaa be cd ef g"

#On Layer 3 aggregate interface 1, execute the undo ip subscriber nas-port-id nasinfo-insert, configure the interface to trust Option 82, and encapsulate the NAS-Port-ID in the version 5.0 format. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] undo ip subscriber nas-port-id nasinfo-insert

[Sysname-Route-Aggregation1] ip subscriber trust option82

[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version5.0

[Sysname-Route-Aggregation1] quit

[Sysname] display access-user

UserID      Interface           IP address             MAC address     S-/C-VLAN

            Username            Access type

            IPv6 address

0x33e       RAGG1               3.3.3.3                001b-21a8-0949  -/-

            3.3.3.3             L2 IPoE dynamic

            -

In the RADIUS debugging information, NAS-Port-Id="aaa be cd ef g"
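To see how the four example outputs above follow from the rules under Usage guidelines, here is an added Python encoder (example code written for this page, not H3C's implementation): with nasinfo-insert, the version 2.0 format appends the Circuit-ID with the text up to and including its second space removed, the version 5.0 format appends the whole Circuit-ID, and without the command the Circuit-ID alone becomes the NAS-Port-ID; when Option 82 is untrusted or absent, the access-node part is 0/0/0/0/0/0. Treating a Circuit-ID with fewer than three space-separated fields as the "cannot be extracted" case is an assumption of the example, as are the function names; the VLAN encoding (4096 for an absent tag, a lone tag in the cvlan position) is taken from the sample output on this page.

```python
"""Added example: build the version 2.0 / 5.0 NAS-Port-ID with and without
'ip subscriber nas-port-id nasinfo-insert' (not H3C code)."""
NO_VLAN = 4096            # written for an absent VLAN layer
ZERO_ANI = "0/0/0/0/0/0"  # access-node part when nothing can be taken from Option 82


def nas_info(port_type, slot, subslot, port, svlan=None, cvlan=None):
    """NAS part, e.g. 'eth 3/1/1:400.500'. Per this page's samples an untagged
    user gives 4096.4096 and a single tag is written in the cvlan position."""
    if port_type not in ("eth", "trunk", "atm"):
        raise ValueError(f"unknown port type {port_type!r}")
    if svlan is None and cvlan is not None:
        raise ValueError("an inner tag without an outer tag is not possible")
    if svlan is None:
        s, c = NO_VLAN, NO_VLAN
    elif cvlan is None:
        s, c = NO_VLAN, svlan
    else:
        s, c = svlan, cvlan
    return f"{port_type} {slot}/{subslot}/{port}:{s}.{c}"


def extract_circuit_id_v2(circuit_id):
    """Version 2.0 extraction: keep what follows the second space
    ('aaa be cd ef g' -> 'cd ef g'). Assumption: fewer than three
    space-separated fields is the 'cannot be extracted' case -> None."""
    parts = circuit_id.split(" ", 2)
    return parts[2] if len(parts) == 3 and parts[2] else None


def build_nas_port_id(nas, circuit_id, *, option82_trusted, nasinfo_insert, version="2.0"):
    """nas: output of nas_info(); circuit_id: DHCPv4 Option 82 Circuit-ID text,
    or None when the packets carry none."""
    if version not in ("2.0", "5.0"):
        raise ValueError("this example covers the version 2.0 and 5.0 formats only")
    if not option82_trusted or not circuit_id:
        # untrusted or absent Option 82: NAS info plus zeroed access-node fields
        return f"{nas} {ZERO_ANI}"
    if not nasinfo_insert:
        # default: the Circuit-ID alone is the NAS-Port-ID
        return circuit_id
    if version == "5.0":
        # version 5.0 keeps the whole Circuit-ID after the NAS part
        return f"{nas} {circuit_id}"
    extracted = extract_circuit_id_v2(circuit_id)
    return f"{nas} {extracted if extracted is not None else ZERO_ANI}"


if __name__ == "__main__":
    # constructed inputs modeled on this page: RAGG1, untagged, Circuit-ID "aaa be cd ef g"
    ragg = nas_info("trunk", 0, 0, 1)
    cid = "aaa be cd ef g"
    for insert, ver in ((True, "2.0"), (False, "2.0"), (True, "5.0"), (False, "5.0")):
        print(f"nasinfo-insert={insert!s:5} version {ver}:",
              build_nas_port_id(ragg, cid, option82_trusted=True,
                                nasinfo_insert=insert, version=ver))
    print("Option 82 not trusted:", build_nas_port_id(ragg, cid, option82_trusted=False,
                                                      nasinfo_insert=True))
```

The practical point for whoever writes RADIUS policy: once Option 82 is trusted and nasinfo-insert is off, the NAS-Port-ID is entirely access-node supplied text, so any interface check must then be done on the NAS part that only the version 2.0/5.0 insert forms carry.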

Related commands

ip subscriber trust

ip subscriber nas-port-id format

ip subscriber ndrs domain

Use ip subscriber ndrs domain to configure an ISP domain for IPv6 ND RS users.

Use undo ip subscriber ndrs domain to restore the default.

Syntax

ip subscriber ndrs domain domain-name

undo ip subscriber ndrs domain

Default

No ISP domain is specified for IPv6 ND RS users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command specifies an ISP domain for IPv6 ND RS users. The specified ISP domain must exist on the BRAS.

An IPv6 ND RS user can obtain ISP domains in multiple ways. An ISP domain is selected for an IPv6 ND RS user in the following order until a match is found:

1.     ISP domain specified by using the ip subscriber ndrs domain command. If the ISP domain has not been created, the user fails to come online.

2.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

Examples

#Configure ISP domain dm1 for IPv6 ND RS users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber ndrs domain dm1

Related commands

ip subscriber initiator ndrs enable

ip subscriber ndrs max-session

Use ip subscriber ndrs max-session to set the IPoE session limit for IPv6 ND RS packet initiation on an interface.

Use undo ip subscriber ndrs max-session to restore the default.

Syntax

ip subscriber ndrs max-session max-number

undo ip subscriber ndrs max-session

Default

The IPv6 single-stack IPoE session limit for ND RS packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for IPv6 ND RS packet initiation. The value range for this argument is 1 to 64000.

Usage guidelines

If the IPoE session limit for IPv6 ND RS packet initiation is reached, no more IPoE sessions can be initiated by IPv6 ND RS packets. IPoE sessions initiated by IPv6 ND RS packets include single-stack IPv6 sessions and dual-stack sessions.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is executed together with the ip subscriber max-session command, both commands take effect. The two commands control sessions from different perspectives, and the number of sessions is limited by both. A new session can be established only when neither limit is reached.

Examples

#Set the IPoE session limit to 100 for IPv6 ND RS packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber ndrs max-session 100

Related commands

ip subscriber initiator ndrs enable

ip subscriber max-session

ip subscriber ndrs username

Use ip subscriber ndrs username to configure an authentication user naming convention for IPv6 ND RS users.

Use undo ip subscriber ndrs username to restore the default.

Syntax

ip subscriber ndrs username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber ndrs username

Default

No authentication user naming convention is configured for IPv6 ND RS users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

nas-port-id: Includes the NAS-Port-ID attribute in a username.

port: Includes the number of the port that receives the user packets in a username.

second-vlan: Includes the inner VLAN ID in a username.

slot: Includes the number of the slot that receives the user packets in a username.

source-mac: Includes the source MAC address in a username.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

string string: Includes the specified string in a username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

subslot: Includes the number of the subslot that receives the user packets in a username.

sysname: Includes the name of the device that receives the user packets in a username.

vlan: Includes the outer VLAN ID in a username.

separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

Usage guidelines

Usernames obtained based on the naming convention are used for authentication and must be the same as those configured on the AAA server.

You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.

Examples

#Configure the source MAC addresses as the authentication usernames for IPv6 ND RS users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber ndrs username include source-mac

#Configure an authentication user naming convention for IPv6 ND RS users on Ten-GigabitEthernet 3/1/1. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber ndrs username include sysname separator # slot separator # subslot separator # port separator # vlan
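The AAA server must hold exactly the username the naming convention produces, so it helps to compute it off-box before provisioning. The following Python function is an added example, not H3C code: it joins the include options in configured order with their separators, renders source-mac with the optional address separator (lower-case, hyphen-free by default, which is also the rendering the ip subscriber password mac-address keyword uses), and rejects the at sign and the characters the page forbids in the string option. The sample user and the dictionary shape of the options are the example's own; dropping a separator configured on the last option, which has nothing to separate, is an assumption.

```python
"""Added example: compute the authentication username that
'ip subscriber ndrs username include ...' yields for a given user (not H3C code)."""
import re

# characters this page forbids in the 'string' option
FORBIDDEN_STRING_CHARS = set('/\\|":*?<>@')
PLAIN_KEYWORDS = ("nas-port-id", "port", "second-vlan", "slot", "subslot", "sysname", "vlan")


def check_separator(sep):
    """Any printable character is allowed except '@', which the AAA server cannot parse."""
    if len(sep) != 1 or not sep.isprintable() or sep == "@":
        raise ValueError(f"invalid separator {sep!r}")


def format_mac(mac, address_separator=None, uppercase=False):
    """xxxx-xxxx-xxxx style (separator between 4-digit groups) when a separator is
    given, xxxxxxxxxxxx otherwise; lower-case unless uppercase is requested."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if address_separator is None:
        return digits
    check_separator(address_separator)
    return address_separator.join(digits[i:i + 4] for i in range(0, 12, 4))


def build_username(options, ctx):
    """options: include keywords in configured order, each a dict with 'keyword',
    optional 'separator', plus 'address_separator' for source-mac or 'value' for
    string. ctx: per-user values (sysname, slot, subslot, port, vlan, second_vlan,
    source_mac, nas_port_id). Assumption: a separator on the last option is dropped."""
    parts = []
    for i, opt in enumerate(options):
        kw = opt["keyword"]
        if kw == "source-mac":
            value = format_mac(ctx["source_mac"], opt.get("address_separator"))
        elif kw == "string":
            value = opt["value"]
            if not 1 <= len(value) <= 128 or FORBIDDEN_STRING_CHARS & set(value):
                raise ValueError(f"invalid string option {value!r}")
        elif kw in PLAIN_KEYWORDS:
            value = str(ctx[kw.replace("-", "_")])
        else:
            raise ValueError(f"unknown keyword {kw!r}")
        parts.append(value)
        if "separator" in opt and i < len(options) - 1:
            check_separator(opt["separator"])
            parts.append(opt["separator"])
    return "".join(parts)


# constructed sample user, values modeled on the display output on this page
SAMPLE_USER = {"sysname": "Sysname", "slot": 3, "subslot": 1, "port": 1,
               "vlan": 400, "second_vlan": 500, "source_mac": "001b-21a8-0949",
               "nas_port_id": "slot=3;subslot=1;port=1;vlanid=400;"}
# mirrors: ip subscriber ndrs username include sysname separator # slot separator #
#          subslot separator # port separator # vlan
SAMPLE_CONVENTION = [{"keyword": k, "separator": "#"}
                     for k in ("sysname", "slot", "subslot", "port")]
SAMPLE_CONVENTION.append({"keyword": "vlan"})

if __name__ == "__main__":
    print(build_username(SAMPLE_CONVENTION, SAMPLE_USER))   # Sysname#3#1#1#400
    print(build_username([{"keyword": "source-mac", "address_separator": "-"}], SAMPLE_USER))
```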

Related commands

ip subscriber initiator ndrs enable

ip subscriber password

ip subscriber ndrs user-detect-address eui-64

Use ip subscriber ndrs user-detect-address eui-64 to configure the IPv6 addresses generated in EUI-64 method as the destination addresses of online detection.

Use undo ip subscriber ndrs user-detect-address to restore the default.

Syntax

ip subscriber ndrs user-detect-address eui-64

undo ip subscriber ndrs user-detect-address

Default

The link-local addresses of endpoints (in the format of FE80+endpoint interface ID) are used as the destination addresses of online detection.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Endpoints come in many types and follow different rules when choosing IPv6 addresses. When an endpoint comes online, the BRAS cannot control whether the IPv6 address the endpoint actually uses is the IPv6 address the BRAS allocated. For example, the BRAS allocates IPv6 address A to an endpoint. When the BRAS performs online detection with destination address A, the endpoint responds to the probe packets by using IPv6 address B, so the online detection fails. When online detection failures exceed the specified number of times, the endpoint is forced offline by mistake.

To resolve this issue, by default, when the device uses ND NS packets as probe packets to perform online detection for IPv6 ND RS users, the device uses the link-local addresses of online users (format: FE80+user interface ID) as the destination addresses of online detection.

When the IPv6 address's interface ID of a user meets the IEEE EUI-64 format requirements and the interface generates an IPv6 address in the EUI-64 format, you can use this command to configure the interface to use the generated IPv6 address as the destination address of probe packets as needed.

After you execute this command, the device uses the IPv6 address generated as ND prefix+interface ID in EUI-64 format as the destination address of online detection.
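The two probe destinations described above can be computed from a user's MAC address and the advertised ND prefix, which is a useful check before enabling the command: if the address the endpoint actually uses does not carry the EUI-64 interface ID of its MAC, EUI-64 probes will go unanswered and the user will be forced offline just as in the failure case above. The following Python is an added example (not H3C code); the MAC is taken from the display output on this page, the prefix is a documentation prefix, and the function names are the example's own.

```python
"""Added example: the two online-detection destinations this page describes,
computed from a user's MAC and the advertised ND prefix (not H3C code)."""
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """IEEE EUI-64 interface ID from a 48-bit MAC: flip the universal/local bit
    (0x02) of the first octet and insert 0xFFFE between the two 24-bit halves."""
    digits = "".join(ch for ch in mac if ch in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    o = bytes.fromhex(digits)
    return int.from_bytes(bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:], "big")


def interface_id(address: str) -> int:
    """Low 64 bits of an IPv6 address, however the endpoint formed them."""
    return int(ipaddress.IPv6Address(address)) & IID_MASK


def link_local_probe_target(user_address: str) -> ipaddress.IPv6Address:
    """Default behaviour on this page: FE80:: + the online user's own interface ID."""
    return ipaddress.IPv6Address((0xfe80 << 112) | interface_id(user_address))


def eui64_probe_target(nd_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """After 'ip subscriber ndrs user-detect-address eui-64': ND prefix + EUI-64 IID."""
    net = ipaddress.IPv6Network(nd_prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 ND prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def eui64_probe_is_safe(user_address: str, mac: str) -> bool:
    """True only if the address the user actually uses carries the EUI-64 IID of
    its MAC; otherwise the EUI-64 probe destination is never the user's address."""
    return interface_id(user_address) == eui64_interface_id(mac)


if __name__ == "__main__":
    # constructed sample: MAC from this page's display output, documentation prefix
    mac, prefix = "001b-21a8-0949", "2001:db8:1:1::/64"
    user_addr = str(eui64_probe_target(prefix, mac))
    print("link-local probe target:", link_local_probe_target(user_addr))
    print("EUI-64 probe target:    ", eui64_probe_target(prefix, mac))
    print("safe to enable eui-64?  ", eui64_probe_is_safe(user_addr, mac))
    print("safe for a privacy addr?", eui64_probe_is_safe("2001:db8:1:1:1a2b:3c4d:5e6f:7a8b", mac))
```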

Examples

# Configure the IPv6 addresses generated in EUI-64 method as the destination addresses of online detection on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber ndrs user-detect-address eui-64

Related commands

ip subscriber user-detect ipv6

ip subscriber ndrs wait-delegation-prefix

Use ip subscriber ndrs wait-delegation-prefix to allow users to come online through ND RS only after they come online through IA_PD.

Use undo ip subscriber ndrs wait-delegation-prefix to restore the default.

Syntax

ip subscriber ndrs wait-delegation-prefix

undo ip subscriber ndrs wait-delegation-prefix

Default

The users can come online through IA_PD and ND RS in any order.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

As shown in Figure 1, a CPE supports applying for ND prefixes and PD prefixes from the BRAS through the following methods:

·     NDRA—The CPE actively sends an ND RS packet to the BRAS. The BRAS returns an ND prefix to the connected CPE WAN interface through an ND RA packet. The CPE uses the ND prefix to generate a global unicast IPv6 address for the CPE WAN interface. The IPv6 address is used for remotely managing the CPE.

·     IA_PD—The CPE actively sends DHCPv6 requests to the BRAS. The BRAS allocates a PD prefix to the CPE through DHCPv6 (IA_PD). The CPE automatically allocates the obtained PD prefix to the attached hosts. These hosts use the PD prefix to generate global unicast IPv6 addresses.

Figure 1 Network diagram for address assignment through NDRA+DHCPv6 (IA_PD)

 

In the network shown in Figure 1, if a CPE fails to come online through IA_PD, hosts attached to the CPE cannot generate global unicast IPv6 addresses to access network resources. In this case, even if the CPE comes online through NDRA, the hosts cannot obtain IPv6 addresses. Additionally, the ND RS user entries of the CPE occupy the system resources of the BRAS. As a best practice to resolve this issue, use this command to allow users to come online through ND RS only after they come online through IA_PD in an NDRA+DHCPv6 (IA_PD) network.

For users to successfully come online through ND RS in any other network, do not configure this feature.

Examples

# Allow users to come online through ND RS only after they come online through IA_PD on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber ndrs wait-delegation-prefix

Related commands

ip subscriber initiator ndrs enable

ip subscriber password

Use ip subscriber password to set the password for individual users.

Use undo ip subscriber password to restore the default.

Syntax

ip subscriber password { mac-address [ address-separator address-separator ] [ lowercase | uppercase ] | { ciphertext | plaintext } string }

undo ip subscriber password

Default

No password is set for individual users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

mac-address: Uses a MAC address as the password. The MAC address of the user is preferentially used. If the user MAC address cannot be obtained, the source MAC address of the packets is used. By default, the letters in the MAC address are lower-case and the MAC address contains no separators.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the password is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the password is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator, because the AAA server cannot parse a password that contains it.

lowercase: Specifies the letters in the MAC address as lower-case.

uppercase: Specifies the letters in the MAC address as upper-case.

ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

Usage guidelines

When multiple individual session initiation methods are configured on an interface, use this command to set one authentication password for all individual users on the interface instead of configuring a password for each initiation method separately.

For individual users using bind authentication, a password is selected in the following order until a match is found:

1.     Password obtained by using the ip subscriber dhcp password and ip subscriber dhcpv6 password option16 commands. (Applicable only to DHCP users.)

2.     The password parameter specified in the ip subscriber session static command. (Applicable only to static users.)

3.     Password configured by using the ip subscriber password command.

4.     The string vlan.

For Web authentication and Web MAC authentication in the preauthentication phase, a password is selected for individual users in the same order as for individual users using bind authentication.

For Web authentication in the Web authentication phase, a password is selected in the following order for individual users until a match is found:

1.     Password that the user enters when logging in.

2.     Password configured by using the ip subscriber password command.

3.     The string vlan.

For Web MAC authentication in the Web authentication phase, a password is selected in the following order for individual users until a match is found:

1.     Password configured by using the ip subscriber password command.

2.     The string vlan.
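The string that the mac-address form of this command produces is the value the AAA server must hold for the user, so it helps to be able to derive it offline. The following Python helper is an added example, not H3C code: it builds the password from a MAC address under the address-separator and lowercase/uppercase options described above, assuming (as the xxxx-xxxx-xxxx example in Parameters indicates) that the separator splits the address into three four-digit groups, and that H-H-H input may omit leading zeros within each group.

```python
import re

# Constructed for this example; not part of H3C's software.
# Models the password the BRAS derives under
#   ip subscriber password mac-address [address-separator S] [lowercase | uppercase]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_HEXCHARS = set("0123456789abcdef")


def normalize_mac(mac):
    """Return the MAC address as 12 lower-case hex digits.

    Accepts HH:HH:HH:HH:HH:HH, HH-HH-HH-HH-HH-HH, HHHH.HHHH.HHHH and the
    H3C H-H-H form, where each of the three groups holds 1 to 4 hex digits
    (leading zeros may be omitted; assumption for this example).
    """
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not _HEX12.match(digits):
        groups = mac.lower().split("-")
        if len(groups) == 3 and all(
            0 < len(g) <= 4 and set(g) <= _HEXCHARS for g in groups
        ):
            digits = "".join(g.zfill(4) for g in groups)
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_password(mac, separator=None, uppercase=False):
    """Derive the MAC-based password string.

    separator=None  -> xxxxxxxxxxxx   (no address-separator configured)
    separator="-"   -> xxxx-xxxx-xxxx (address-separator -)
    uppercase=False -> letters lower-case (the default); True -> upper-case
    """
    if separator is not None:
        # The command accepts any single printable character except '@',
        # which the AAA server cannot parse inside a password.
        if len(separator) != 1 or not separator.isprintable():
            raise ValueError("separator must be one printable character")
        if separator == "@":
            raise ValueError("'@' is not allowed as the separator")
    digits = normalize_mac(mac)
    if uppercase:
        digits = digits.upper()
    if separator is None:
        return digits
    return separator.join(digits[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    # Constructed sample MAC address.
    for sep, upper in ((None, False), ("-", False), (":", True)):
        print(sep, upper, mac_password("00e0-fc12-ab34", sep, upper))
```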

Examples

# Configure the plaintext password as 123 for individual users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber password plaintext 123

Related commands

ip subscriber dhcp username

ip subscriber unclassified-ip username

ip subscriber dhcp password

ip subscriber dhcpv6 password option16

ip subscriber pre-auth domain

Use ip subscriber pre-auth domain to specify a preauthentication domain.

Use undo ip subscriber pre-auth domain to restore the default.

Syntax

ip subscriber pre-auth domain domain-name

undo ip subscriber pre-auth domain

Default

No preauthentication domain is specified.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only for DHCP users and static individual users that use the Web authentication method or the Web MAC authentication method.

You can modify the preauthentication domain. By default, a preauthentication domain is selected in the following order until a match is found:

·     For dynamic DHCP users:

a.     Domain information obtained from the option. The domain information is obtained from the option in the same way as for the bind authentication method. If the domain has not been created, proceed to the next step.

b.     Service-specific domain. If the domain has not been created, the user fails to come online.

c.     Preauthentication domain configured by using the ip subscriber pre-auth domain command. If the domain has not been created, the user fails to come online.

d.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·     For static users:

a.     Authentication domain configured by using the ip subscriber session static command. If the domain has not been created, the user fails to come online.

b.     Preauthentication domain configured by using the ip subscriber pre-auth domain command. If the domain has not been created, the user fails to come online.

c.     Service-specific domain. If the domain has not been created, the user fails to come online.

d.     Domain configured by using the ip subscriber unclassified-ip domain command. If the domain has not been created, the user fails to come online.

e.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

If you specify a preauthentication domain, users must pass preauthentication before they obtain IP addresses (DHCP users only) and the authorization attributes configured for the preauthentication domain. Users obtain new authorization information after they pass Web authentication.

For Web authentication users, preauthentication is required every time they come online. The user information is deleted upon a preauthentication failure.

New settings in the preauthentication domain do not take effect for users who have passed the preauthentication.

You must configure the Web server URL and user group authorization attributes in the preauthentication domain for redirecting users to the Web authentication page. For more information about the Web server URL and user group, see AAA configuration in BRAS Services Configuration Guide.

Examples

# Specify ISP domain dm1 as the preauthentication domain on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber pre-auth domain dm1

Related commands

authorization-attribute user-group (BRAS Services Command Reference)

domain default enable (BRAS Services Command Reference)

ip subscriber authentication-method

web-server url (BRAS Services Command Reference)

ip subscriber pre-auth track

Use ip subscriber pre-auth track to associate a fail-permit user group with a track entry.

Use undo ip subscriber pre-auth track to restore the default.

Syntax

ip subscriber pre-auth track track-entry-number fail-permit user-group group-name

undo ip subscriber pre-auth track

Default

A fail-permit user group is not associated with a track entry.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

track track-entry-number: Specifies a track entry by its ID in the range of 1 to 1024.

user-group group-name: Specifies a fail-permit user group by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

With this command configured, when the device detects that the Web authentication server or AAA server is unreachable, the device allows users to access network resources without Web authentication. This process is called Web authentication fail-permit.

You can implement Web authentication fail-permit by associating a fail-permit user group with a track entry.

By default, the Web authentication users that come online in the preauthentication domain belong to the user group authorized by AAA or authorized in the ISP domain when the users come online. After a fail-permit user group is associated with a track entry, the following rules apply:

·     When the status of the track entry becomes Negative, the access device moves all online users in the current preauthentication domain from the authorized user group to the fail-permit user group. Then, the users can access network resources according to the privilege of the fail-permit user group.

·     When the status of the track entry becomes Positive, the access device will move all online users in the current preauthentication domain back to the authorized user group. Then, the users can access network resources only after passing Web authentication.

To monitor the status of multiple servers, you can configure the tracked object list. For more information about track, see track configuration in High Availability Configuration Guide.

This command takes effect only on users in the preauthentication domain.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Associate fail-permit user group web with track entry 1 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber pre-auth track 1 fail-permit user-group web

Related commands

authorization-attribute user-group (BRAS Services Command Reference)

ip subscriber reauth

Use ip subscriber reauth to enable re-authentication for IPoE users in the specified IP address range.

Use undo ip subscriber reauth to disable re-authentication for IPoE users in the specified IP address range.

Syntax

IPv4:

ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ] [ vpn-instance vpn-instance-name ] domain domain-name

undo ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ]

IPv6:

ip subscriber reauth ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ] domain domain-name

undo ip subscriber reauth ipv6 start-ipv6-address [ end-ipv6-address ]

Dual-stack:

ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ] domain domain-name

undo ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ]

Default

Re-authentication is disabled for IPoE users.

Views

System view

Predefined user roles

network-admin

Parameters

ip: Specifies IPv4 addresses of users.

·     start-ipv4-address: Specifies the start IPv4 address of users.

·     end-ipv4-address: Specifies the end IPv4 address of users, which cannot be lower than the start IPv4 address. If you do not specify this argument, or the specified address is the same as start-ipv4-address, only the single IPv4 address start-ipv4-address is specified. Otherwise, users with IPv4 addresses in the range of start-ipv4-address to end-ipv4-address are specified.

ipv6: Specifies IPv6 addresses of users.

·     start-ipv6-address: Specifies the start IPv6 address of users.

·     end-ipv6-address: Specifies the end IPv6 address of users, which cannot be lower than the start IPv6 address. If you do not specify this argument, or the specified address is the same as start-ipv6-address, only the single IPv6 address start-ipv6-address is specified. Otherwise, users with IPv6 addresses in the range of start-ipv6-address to end-ipv6-address are specified.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the users belong to the public network.

domain domain-name: Specifies an ISP domain name for re-authentication, a case-insensitive string of 1 to 255 characters. The name cannot contain slashes (/), back slashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@).

Usage guidelines

To perform special permission control for some users whose IP addresses are allocated by DHCP (for example, dumb terminals whose IP addresses and MAC addresses are bound in the static address binding method), you can enable re-authentication for IPoE users in the specified IP address range. After you enable this feature, when an IPoE user passes authentication and comes online with an IP address in the IP address range specified by using this command, the device will immediately use the ISP domain specified in this command to re-authenticate the user. Then, the device can perform unified permission control for users in the re-authentication domain.

In the current software version, this feature supports only IPoE DHCP users.

For a dual-stack IPoE DHCP user:

·     If the user meets the conditions for triggering re-authentication after coming online in the first protocol stack (for example, IPv4) and has passed re-authentication, and the user also meets the conditions for triggering re-authentication after coming online in the second protocol stack (for example, IPv6), the user does not need to perform re-authentication in the second protocol stack, and directly comes online in the re-authentication domain.

·     If the user meets the conditions for triggering re-authentication after coming online in the first protocol stack (for example, IPv4) and has passed re-authentication, but does not meet the conditions for triggering re-authentication after coming online in the second protocol stack (for example, IPv6), the user is switched back to the ISP domain used for the first authentication.

·     If the user does not meet the conditions for triggering re-authentication after coming online in the first protocol stack (for example, IPv4), re-authentication is not triggered for the user even if the user meets the conditions for triggering re-authentication after coming online in the second protocol stack (for example, IPv6).

Executing or editing this command takes effect only on new users.

To provide the access service for IPoE Web authentication users, plan IP addresses so that IPoE Web authentication users do not fall in the IP address range specified in this command. Otherwise, the IPoE Web authentication feature might not operate correctly.

Examples

# Configure IPoE users with IP addresses in the range of 20.0.0.1 to 20.0.0.200 to use domain dm1 for re-authentication after coming online.

<Sysname> system-view

[Sysname] ip subscriber reauth ip 20.0.0.1 20.0.0.200 domain dm1

ip subscriber roaming enable

Use ip subscriber roaming enable to enable roaming for IPoE individual users on an interface.

Use undo ip subscriber roaming enable to disable roaming for IPoE individual users on an interface.

Syntax

ip subscriber roaming enable [ roam-group roam-group-name ]

undo ip subscriber roaming enable

Default

Roaming is disabled for IPoE individual users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

roam-group roam-group-name: Specifies a roaming group by its name, a case-sensitive string of 1 to 15 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify this option, all roaming-enabled interfaces belong to the default roaming group, which does not have a name.

Usage guidelines

Online IPoE individual users can roam between different interfaces or VLANs.

To reduce roaming users' impact on other users, you can limit the roaming range by using a roaming group. An online user can roam only within the roaming group of the interface through which the user comes online. For example, user A and user B both use the IP address 1.1.1.1/24 and belong to the same VPN instance. User A first comes online on interface A through unclassified-IP packet initiation. Both interface A and interface B are enabled with roaming but not configured with roaming groups. In this case, when user B comes online on interface B through unclassified-IP packet initiation, the device logs off user A. For user A and user B to come online simultaneously, configure different roaming groups for interface A and interface B. This configuration isolates the roaming range of user A from the roaming range of user B.

In a DHCP relay agent network, you must execute the dhcp-proxy enable command on the DHCP relay agent interface to enable DHCP proxy (enabled by default) on the relay agent. For more information about DHCP relay agents, see DHCP configuration in BRAS Services Configuration Guide.

Make sure the user access interfaces before and after the roaming have IPoE enabled for the same protocol stacks and are configured with the same IPoE authentication method, authentication domain, roaming group, and Option79 trusting state (required only for DHCPv6 users).

The following events might lead to failures in the process of roaming:

·     The IP address of the user is changed.

·     The target interface is not configured with the same IPoE session initiation method as the interface before roaming.

·     The target interface and the current interface are not in the same roaming group.

·     For dynamic individual users:

¡     If a VPN instance is authorized to the roaming user and the target interface is bound to a VPN instance, the target interface can be bound to a VPN instance different from the authorized VPN instance. In this case, when the user roams to the target interface, the authorized VPN instance still takes effect.

¡     If no VPN instance is authorized to the roaming user and the interface before roaming is bound to a VPN instance, the target interface must be bound to the same VPN instance.

·     For global static individual users:

¡     If a VPN instance is authorized to the roaming user, the following rules apply:

-     If the strict-check access-interface vpn-instance command is executed in the authorized domain, the target interface must be bound to the same VPN instance as the authorized VPN instance. Otherwise, the user cannot roam to the target interface.

-     If the strict-check access-interface vpn-instance command is not executed in the authorized domain, the target interface can be bound to no VPN instance, or to a VPN instance different from the authorized VPN instance.

¡     No VPN instance is authorized to the roaming user, and no VPN instance is specified in the static session. The interface before roaming is bound to a VPN instance. The target interface is bound to a different VPN instance.

·     For dual-stack users formed by global static individual users and dynamic individual users:

¡     If the dynamic individual user roams—A VPN instance is specified in the global static individual session, and the target interface is bound to a VPN instance different from the VPN instance specified in the global static individual session.

¡     If the global static individual user roams—The events that lead to roaming failures are the same as that for common global static individual users.

If the roaming fails, the user must perform authentication again on the destination interface in order to come online. Re-authentication takes a certain period of time.

For static individual users, roaming takes effect as follows:

·     For interface-level static individual users, roaming is supported only when you configure IPoE static sessions in interface view by using the ip subscriber session static command without specifying a VLAN. In this case, only roaming across different VLANs of the interface is supported.

·     For global static individual users or dual-stack users formed by global static individual users and dynamic individual users, when you execute the ip subscriber session static command in system view, the following rules apply:

¡     If a user access interface is specified but no VLAN is specified, roaming across different VLANs of the interface is supported.

¡     If no user access interface is specified and a user comes online through a roaming-enabled interface, roaming across all roaming-enabled interfaces is supported.

Examples

# Enable roaming for IPoE individual users and specify roaming group roam1 on subinterface Ten-GigabitEthernet 3/1/1.1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] ip subscriber roaming enable roam-group roam1

Related commands

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber service-identify

Use ip subscriber service-identify to configure the service identifier for users.

Use undo ip subscriber service-identify to restore the default.

Syntax

Layer 3 Ethernet interface view, Layer 3 aggregate interface view, L3VE interface view:

ip subscriber service-identify dscp

undo ip subscriber service-identify

Layer 3 Ethernet subinterface view, Layer 3 aggregate subinterface view, L3VE subinterface view:

ip subscriber service-identify { 8021p { second-vlan | vlan } | dscp | second-vlan | vlan }

undo ip subscriber service-identify

Default

No service identifier is configured for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

8021p second-vlan: Specifies the 802.1p value of the inner VLAN tag in QinQ mode as the service identifier.

8021p vlan: Specifies the 802.1p value of the VLAN tag or the 802.1p value of the outer VLAN tag in QinQ mode as the service identifier.

dscp: Specifies the DSCP value as the service identifier.

second-vlan: Specifies the inner VLAN ID in QinQ mode as the service identifier.

vlan: Specifies the VLAN ID or the outer VLAN ID in QinQ mode as the service identifier.

Usage guidelines

Users include DHCPv4 users, DHCPv6 users, unclassified-IP users, and static individual users.

You must specify an identifier for a service before you bind an ISP domain to the service. Otherwise, the binding does not take effect.

Users whose IP packets contain the specified service identifier will be assigned a service-specific ISP domain.

For DHCPv4 users, the trusted Option 60 configuration takes precedence over the global service identifier configuration.

For DHCPv6 users, the trusted Option 16 or Option 17 configuration takes precedence over the global service identifier configuration.

You can configure only one service identifier on each interface.

Examples

# Configure the DSCP value as the service identifier for users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber service-identify dscp

Related commands

ip subscriber 8021p

ip subscriber dscp

ip subscriber vlan

ip subscriber session static (interface view)

Use ip subscriber session static to configure IPoE static individual sessions on an interface.

Use undo ip subscriber session static to delete IPoE static individual sessions on an interface.

Syntax

Single-stack IPv4:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ]

Single-stack IPv6:

ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]

undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ]

Dual-stack:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online { ip | ipv6 } ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ]

Default

No IPoE static individual sessions exist on an interface.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

start-ipv4-address: Specifies a start user IPv4 address.

end-ipv4-address: Specifies an end user IPv4 address, which cannot be lower than the start-ipv4-address argument. All users with IP addresses between start-ipv4-address and end-ipv4-address are specified as static users. If you do not specify the end-ipv4-address argument or the specified end-ipv4-address argument is the same as the start-ipv4-address argument, only one IP address is specified.

start-ipv6-address: Specifies a start user IPv6 address.

end-ipv6-address: Specifies an end user IPv6 address, which cannot be lower than the start-ipv6-address argument. All users with IPv6 addresses between start-ipv6-address and end-ipv6-address are specified as static users. If you do not specify the end-ipv6-address argument or the specified end-ipv6-address argument is the same as the start-ipv6-address argument, only one IPv6 address is specified.

vlan vlan-id: Specifies an outer VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

second-vlan vlan-id: Specifies an inner VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

mac mac-address: Specifies a user MAC address in the form of H-H-H.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

password: Specifies the password used for user authentication. Static users can obtain authentication passwords in multiple ways. For more information, see the ip subscriber password command.

mac: Uses the user MAC address as the authentication password in the format of HH:HH:HH:HH:HH:HH.

request-online: Specifies the device to actively send ARP, ICMP, ND NS, or ICMPv6 requests to request users to come online. If this keyword is not specified, a user must actively send ARP, ND NS, IPv4, or IPv6 packets to come online. In a CUPS IPoE network, when the AC is a Layer 3 subinterface and the access mode is Ethernet, for the device to actively send requests to request users to come online, you must specify the VLAN information for users in static sessions.

·     ip: Specifies the device to actively send IPv4 packets to request users to come online. In Layer 2 access mode, ARP packets are sent. In Layer 3 access mode, ICMP packets are sent.

·     ipv6: Specifies the device to actively send IPv6 packets to request users to come online. In Layer 2 access mode, ND NS packets are sent. In Layer 3 access mode, ICMPv6 packets are sent.

description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. If this option is not specified, the static session does not have a description. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.

ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the shared gateway address for an IP address pool (for example, gateway address specified by using the gateway command in a BAS IP address pool).

ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the global unicast address or link-local address of the access interface in Layer 2 access mode or the global unicast address of the access interface in Layer 3 access mode.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static users by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the static users are in the public network.

keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.

Usage guidelines

General restrictions and guidelines

An IPoE static session takes priority over an IPoE dynamic session. If an IPoE static session is configured, the packets matching the IPoE static session cannot initiate new IPoE dynamic sessions. If an unclassified-IP, DHCP, or ND RS packet has initiated an IPoE dynamic session, you can configure an IPoE static session that matches the unclassified-IP, DHCP, or ND RS packet, and the configuration does not affect existing online users with the specified IP address. When the users go offline and the device receives packets from these users again, these users preferentially match the IPoE static session.

When the IP addresses specified for a static session overlap with the assignable IP addresses in the DHCP pool, follow these guidelines:

·     For an IP address pool, use the dhcp server forbidden-ip or forbidden-ip command to exclude the overlapping IP addresses from dynamic allocation.

·     For an IPv6 address pool, use the ipv6 dhcp server forbidden-address command to exclude the overlapping IPv6 addresses from dynamic allocation.

For more information about excluding IP addresses from dynamic allocation, see DHCP commands and DHCPv6 commands in BRAS Services Command Reference.

If you first enable IPoE and then configure dual-stack static users, IPoE must be enabled for both the IPv4 and IPv6 protocol stacks before you can configure the dual-stack static users. If you first configure dual-stack static users and then enable IPoE, you must enable IPoE for both the IPv4 and IPv6 stacks. Otherwise, you cannot enable IPoE.

On one interface, a maximum of one IPoE session can be configured for one IP address. You cannot use the ip subscriber session static command to modify an IPoE static session configured with the mac, domain, or request-online keyword. To modify such an IPoE session, use the undo form of the command to delete the session, and then reconfigure it with new parameter settings.

When static users do not support 802.1X authentication on an interface, do not configure both 802.1X authentication and interface-level IPoE static individual sessions on the interface. If you do that, the interface-level IPoE static individual sessions configured on the interface might not function normally.

You cannot configure an IPoE static individual user on an interface configured with an interface-leased or L2VPN-leased user.

When a session is configured with an IP address range, the system automatically converts the configuration into multiple static session configurations, each with a separate IP address.

Restrictions and guidelines for the device actively requesting users to come online

For the device to automatically request users to come online, you must configure a static session with the request-online keyword on an interface. Then, the following rules apply:

·     For single-stack IPv4 static users:

¡     In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

¡     In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

·     For single-stack IPv6 static users:

¡     In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

¡     In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·     For dual-stack static users:

¡     If a dual-stack static user is configured with the request-online ip keywords:

-     In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

-     In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

¡     If a dual-stack static user is configured with the request-online ipv6 keywords:

-     In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

-     In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·     For static users on a subinterface configured with ambiguous Dot1q termination or ambiguous QinQ termination, for the device to properly request the static users to come online, you must specify VLANs when configuring static sessions or execute the vlan-termination broadcast enable command on the subinterface. As a best practice, specify VLANs when configuring static sessions.

Restrictions and guidelines for unified accounting

To perform unified accounting for dual-stack users, you must configure the IPv4 addresses and IPv6 addresses of these dual-stack users in one ip subscriber session static command. The IPv4 addresses and IPv6 addresses must be in a one-to-one mapping relationship. After the configuration, the device forms the first dual-stack static individual session from the first IPv4 address and the first IPv6 address, the second dual-stack static individual session from the second IPv4 address and the second IPv6 address, and so on.

Restrictions and guidelines for selecting authentication domains for static IPoE users

If you configure multiple ISP domains for a static individual user, an ISP domain is selected for the user in the following order until a match is found:

·     When bind authentication is used:

a.     ISP domain specified by using the domain domain-name option in this command. If the domain has not been created, the user fails to come online.

b.     Service-specific domain. If the domain has not been created, the user fails to come online.

c.     ISP domain configured by using the ip subscriber unclassified-ip domain command. If the domain has not been created, the user fails to come online.

d.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·     When Web authentication is used:

¡     For how an ISP domain is selected in the preauthentication phase, see the ip subscriber pre-auth domain command.

¡     For how an ISP domain is selected in the Web authentication phase, see the ip subscriber web-auth domain command.

Restrictions and guidelines for binding VPN instances to static IPoE users

You can bind static IPoE users to VPN instances by using one of the following methods:

·     Method 1: Specify the vpn-instance parameter in this command.

·     Method 2: Authorize VPN instances to users by using AAA.

·     Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.

When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used. If the strict-check access-interface vpn-instance command is executed in an ISP domain, for users to come online successfully, make sure the VPN instances specified by using the three methods are the same.

Examples

# Configure an IPv4 IPoE static session with an IP address of 1.1.1.1 and an ISP domain of dm1 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber session static ip 1.1.1.1 domain dm1

Related commands

dhcp enable (BRAS Services Command Reference)

ip subscriber password

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber static-session request-online interval

strict-check access-interface vpn-instance (BRAS Services Command Reference)

ip subscriber session static (system view)

Use ip subscriber session static to configure global IPoE static individual sessions.

Use undo ip subscriber session static to delete global IPoE static individual sessions.

Syntax

Syntax I:

Single-stack IPv4:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ interface interface-type interface-number ]

Single-stack IPv6:

ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]

undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ interface interface-type interface-number ]

Dual-stack:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online [ ip | ipv6 ] ] ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ interface interface-type interface-number ]

Syntax II:

Single-stack IPv4:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] interface-list list-id [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ description string ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ interface-list list-id ]

Single-stack IPv6:

ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] interface-list list-id [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ description string ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]

undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ interface-list list-id ]

Dual-stack:

ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] interface-list list-id [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ description string ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ interface-list list-id ]

Default

No global IPoE static individual sessions exist.

Views

System view

Predefined user roles

network-admin

Parameters

start-ipv4-address: Specifies a start user IPv4 address.

end-ipv4-address: Specifies an end user IPv4 address, which cannot be lower than the start-ipv4-address argument. All users with IP addresses between start-ipv4-address and end-ipv4-address are specified as static users. If you do not specify the end-ipv4-address argument or the specified end-ipv4-address argument is the same as the start-ipv4-address argument, only one IP address is specified.

start-ipv6-address: Specifies a start user IPv6 address.

end-ipv6-address: Specifies an end user IPv6 address, which cannot be lower than the start-ipv6-address argument. All users with IPv6 addresses between start-ipv6-address and end-ipv6-address are specified as static users. If you do not specify the end-ipv6-address argument or the specified end-ipv6-address argument is the same as the start-ipv6-address argument, only one IPv6 address is specified.

interface-list list-id: Specifies a static user interface list. Static users can come online only through interfaces on the interface list. For an IP address, you cannot configure both a global IPoE static session and an interface-level IPoE session.

delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length: Specifies the IPv6 delegation prefix (PD prefix) of a user. This option and the support-ds keyword cannot be both configured. If this option is specified for a static session, the whole static session takes effect only on interfaces that are configured to operate in Layer 2 access mode and use the bind authentication method. Each field is explained as follows:

·     start-ipv6-prefix: Specifies the start IPv6 delegation prefix of users.

·     end-ipv6-prefix: Specifies the end IPv6 delegation prefix of users, which cannot be smaller than the start IPv6 delegation prefix. If you do not specify this argument or the specified end-ipv6-prefix is the same as the start-ipv6-prefix, one user IPv6 delegation prefix start-ipv6-prefix is specified. Otherwise, all IPv6 delegation prefixes in the range of start-ipv6-prefix to end-ipv6-prefix are prefixes of static users. Make sure the number of IPv6 delegation prefixes specified by the start-ipv6-prefix [ end-ipv6-prefix ] option is the same as the number of IPv6 addresses specified in the start-ipv6-address [ end-ipv6-address ] option.

·     prefix-length: Specifies the IPv6 delegation prefix length, in the range of 1 to 120.

mac mac-address: Specifies a user MAC address in the form of H-H-H.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

username name: Specifies a username for authentication. The name argument is a case-sensitive string of 1 to 128 characters and cannot contain the following special characters: /\|":*?<>@. Static users can obtain authentication usernames in multiple methods. For more information, see the ip subscriber username command.

password: Specifies the password for user authentication. Static users can obtain authentication passwords in multiple methods. For more information, see the ip subscriber password command.

·     ciphertext: Specifies a password in encrypted form.

·     plaintext: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

·     string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

·     mac: Uses the user MAC address as the authentication password in the format of HH:HH:HH:HH:HH:HH.

interface interface-type interface-number: Specifies an interface by its type and number. If you specify an interface, an IPoE static session is initiated only when packets from the specified interface match the manually configured IPoE static session. If you do not specify an interface, an IPoE static session is initiated when packets from any interfaces match the manually configured IPoE static session.

vlan vlan-id: Specifies an outer VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

second-vlan vlan-id: Specifies an inner VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.

request-online: Specifies the device to actively send ARP or ICMP requests to request users to come online. If this keyword is not specified, a user must actively send ARP or IP packets to come online. For a static dual-stack user, if this keyword is specified but the ip or ipv6 protocol stack is not specified, active detection is enabled for both IPv4 and IPv6, and an active detection packet triggers coming online only in the protocol stack of the packet. In a CUPS IPoE network, when the AC is a Layer 3 subinterface and the access mode is Ethernet, for the device to actively send requests to request users to come online, you must specify the VLAN information for users in static sessions.

·     ip: Specifies the device to actively send IPv4 packets to request users to come online. In Layer 2 access mode, ARP packets are sent. In Layer 3 access mode, ICMP packets are sent.

·     ipv6: Specifies the device to actively send IPv6 packets to request users to come online. In Layer 2 access mode, ND NS packets are sent. In Layer 3 access mode, ICMPv6 packets are sent.

description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. If this option is not specified, the static session does not have a description. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.

ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the shared gateway address for an IP address pool (for example, gateway address specified by using the gateway command in a BAS IP address pool).

ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the global unicast address or link-local address of the access interface in Layer 2 access mode or the global unicast address of the access interface in Layer 3 access mode.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static users by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the static users are in the public network.

keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.

support-ds: Enables dual stack support. With this keyword specified, the device allows a global static session and a global dynamic session with the same MAC address and different IP protocols to form a dual-stack session. If the user of a protocol stack passes authentication, the user of the other protocol stack can come online without authentication. This keyword takes effect only in Layer 2 access mode. When specifying this keyword, follow these restrictions and guidelines:

·     This keyword is mutually exclusive with the delegation-prefix keyword.

·     If you have configured the IPoE 802.1X authentication method on any interface of the device, you must specify the support-ds keyword when configuring a global static session.

Usage guidelines

General restrictions and guidelines

An IPoE static session takes priority over an IPoE dynamic session. If an IPoE static session is configured, the packets matching the IPoE static session cannot initiate new IPoE dynamic sessions. If an unclassified-IP, DHCP, or ND RS packet has initiated an IPoE dynamic session, you can configure an IPoE static session that matches the unclassified-IP, DHCP, or ND RS packet, and the configuration does not affect existing online users with the specified IP address. When the users go offline and the device receives packets from these users again, these users preferentially match the IPoE static session.

Interface-level IPoE static sessions take precedence over global IPoE static sessions.

When the IP addresses specified for a static session overlap with the assignable IP addresses in the IP address pool, follow these guidelines:

·     For an IP address pool, use the dhcp server forbidden-ip or forbidden-ip command to exclude the overlapping IP addresses from dynamic allocation.

·     For an IPv6 address pool, use the ipv6 dhcp server forbidden-address command to exclude the overlapping IPv6 addresses from dynamic allocation.

For more information about excluding IP addresses from dynamic allocation, see DHCP commands and DHCPv6 commands in BRAS Services Command Reference.

In the public network or the same VPN instance, a maximum of one global IPoE static session can be configured for one IP address. You cannot use the ip subscriber session static command to modify a global IPoE static session configured with the mac, domain, interface, interface-list, request-online, or support-ds keyword. To modify such an IPoE session, use the undo form of the command to delete the session, and then reconfigure it with new parameter settings.

In the public network and all VPN instances, the following rules apply:

·     For global static sessions with interface specified, the combination of IP addresses and interfaces in each global static IPoE session must be unique.

·     For global static sessions without interfaces specified, the IP addresses in each global static IPoE session must be unique.

To delete a session, the IP address or range in the undo form must be the same as that in the ip subscriber session static command. To delete sessions for an IP address or range that belongs to an IP address range, delete the sessions for the entire address range.

Restrictions and guidelines for the IPv6 delegation prefix scenario

As shown in Figure 2, Host A and Host B attached to the Layer 3 device use the same IPv6 address prefix and both obtain IPv6 addresses through stateless automatic configuration. You can configure an IPv6 delegation prefix in a static session to meet the following requirement: the BRAS uses the IPoE static user online method to enable all attached hosts to come online through IPv6 packets, and performs unified authentication, accounting, rate limiting, and management for the packets of these users that share the same IPv6 address prefix.

Figure 2 IPv6 delegation prefix application network diagram


When a global static IPoE session is configured with an IPv6 delegation prefix, a user can perform authentication to come online only if the source IP address in the user's IPv6 packets matches an IPv6 address or IPv6 delegation prefix specified in the static session. Additionally, users on the same IPv6 delegation prefix network segment are treated as one user (the static user with the IPv6 address corresponding to the IPv6 delegation prefix) during the authentication process.

For an IPv6 address and the corresponding IPv6 delegation prefix specified in a global static session, the following rules apply:

·     Only the first user that matches the IPv6 address or IPv6 delegation prefix needs to perform authentication. After that user successfully comes online, all subsequent users matching the IPv6 address or IPv6 delegation prefix do not need to perform authentication and can directly forward packets. Additionally, traffic statistics are collected uniformly for all users matching the IPv6 address or IPv6 delegation prefix.

·     The device generates a user network route for the IPv6 delegation prefix, with the IPv6 address as the next hop, only after a user matching the IPv6 address or IPv6 delegation prefix successfully comes online. To redirect all traffic destined for the prefix network segment on the core router to the BRAS, you must configure a dynamic routing protocol to redistribute static routes and advertise the prefix network segment route to the core router. When multiple IPv6 delegation prefix network segment routes exist on the BRAS, to reduce the number of routes advertised to the core router, as a best practice, first summarize these IPv6 delegation prefix network segment routes and then advertise the summary.

When specifying a prefix for a global static user, plan IP addresses carefully to avoid conflicts with the addresses or network segments of other types of users. In particular, avoid the following conflicts:

·     The IPv6 address and delegation prefix specified in the global static session conflict.

·     The IPv6 address specified in the global static session conflicts with the IPv6 delegation prefix specified in an existing global static session.

·     The IPv6 delegation prefix specified in the global static session conflicts with the IPv6 delegation prefix specified in an existing global static session.

·     The IPv6 delegation prefix specified in the global static session conflicts with the IPv6 address specified in an existing global or interface-level static session.

·     The IPv6 delegation prefix specified in the global static session conflicts with addresses in the IPv6 address pool.

·     The IPv6 delegation prefix specified in the global static session conflicts with prefixes in the IPv6 prefix pool.

·     The IPv6 delegation prefix specified in the global static session conflicts with the subnet specified in an IPoE subnet-leased session.

Restrictions and guidelines for the device actively requesting users to come online

For the device to automatically request users to come online, you must configure a static session with the request-online and interface keywords. Then, the following rules apply:

·     For single-stack IPv4 static users:

¡     In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

¡     In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

·     For single-stack IPv6 static users:

¡     In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

¡     In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·     For dual-stack static users:

¡     If a dual-stack static user is configured with the request-online ip keywords:

-     In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.

-     In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.

¡     If a dual-stack static user is configured with the request-online ipv6 keywords:

-     In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.

-     In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.

·     For static users on a subinterface configured with ambiguous Dot1q termination or ambiguous QinQ termination, for the device to properly request the static users to come online, you must specify VLANs when configuring static sessions or configure the vlan-termination broadcast enable command on the subinterface. As a best practice, specify VLANs when configuring static sessions.

Restrictions and guidelines for unified accounting

To perform unified accounting for dual-stack users, you must configure the IPv4 addresses and IPv6 addresses of these dual-stack users in one ip subscriber session static command. The IPv4 addresses and IPv6 addresses must be in a one-to-one mapping relationship. After the configuration, the device forms the first dual-stack static individual session from the first IPv4 address and the first IPv6 address, the second dual-stack static individual session from the second IPv4 address and the second IPv6 address, and so on.
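The range expansion and one-to-one pairing rules above (stated for both the interface-level and the global command), the delegation-prefix count rule in Parameters, and the DHCP pool overlap guideline, as an added pre-deployment check in Python. This is example code, not H3C's: the address ranges, the pool, the size cap, the stepping of delegation prefixes by one prefix-length block, and the optional end address of dhcp server forbidden-ip are assumptions.

```python
"""Pre-deployment checker for one `ip subscriber session static` command.

Added example, not H3C code. It models rules from the command reference: a range
expands into one static session per address; dual-stack ranges pair the N-th IPv4
with the N-th IPv6 address (likewise delegation prefixes), so counts must match; and
addresses overlapping an assignable DHCP pool must be excluded with forbidden-ip.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RANGE = 4096  # constructed safety cap so a mistyped range cannot explode the expansion


@dataclass
class StaticSessionSpec:
    """Arguments of one static session command (constructed model of the syntax)."""
    ipv4_start: Optional[str] = None
    ipv4_end: Optional[str] = None
    ipv6_start: Optional[str] = None
    ipv6_end: Optional[str] = None
    pd_start: Optional[str] = None    # delegation-prefix start-ipv6-prefix
    pd_end: Optional[str] = None      # delegation-prefix end-ipv6-prefix
    pd_length: Optional[int] = None   # delegation-prefix prefix-length (1 to 120)


def expand_addresses(start, end=None):
    """Inclusive list start..end; a single address when end is omitted or equals start."""
    if start is None:
        return []
    s = ipaddress.ip_address(start)
    e = ipaddress.ip_address(end) if end else s
    if e < s:
        raise ValueError(f"end address {e} cannot be lower than start address {s}")
    count = int(e) - int(s) + 1
    if count > MAX_RANGE:
        raise ValueError(f"range of {count} addresses exceeds the cap of {MAX_RANGE}")
    return [s + i for i in range(count)]


def expand_prefixes(start, end, length):
    """Delegation prefixes start..end; stepping by one /length block is an assumption."""
    if start is None:
        return []
    if length is None or not 1 <= length <= 120:
        raise ValueError("prefix-length must be in the range of 1 to 120")
    first = int(ipaddress.IPv6Network(f"{start}/{length}").network_address)  # strict: no host bits
    last = int(ipaddress.IPv6Network(f"{end or start}/{length}").network_address)
    if last < first:
        raise ValueError("end prefix cannot be smaller than start prefix")
    step = 1 << (128 - length)
    count = (last - first) // step + 1
    if count > MAX_RANGE:
        raise ValueError(f"more than {MAX_RANGE} delegation prefixes")
    return [ipaddress.IPv6Network((first + i * step, length)) for i in range(count)]


def expand_sessions(spec):
    """Expand one command into (ipv4, ipv6, prefix) triples, one per static session."""
    v4 = expand_addresses(spec.ipv4_start, spec.ipv4_end)
    v6 = expand_addresses(spec.ipv6_start, spec.ipv6_end)
    pd = expand_prefixes(spec.pd_start, spec.pd_end, spec.pd_length)
    if not v4 and not v6:
        raise ValueError("at least one of ip or ipv6 must be specified")
    if v4 and v6 and len(v4) != len(v6):
        raise ValueError(f"dual-stack ranges differ: {len(v4)} IPv4 vs {len(v6)} IPv6 addresses")
    if pd and len(pd) != len(v6):
        raise ValueError(f"{len(pd)} delegation prefixes for {len(v6)} IPv6 addresses")
    n = max(len(v4), len(v6))
    return [(v4[i] if v4 else None, v6[i] if v6 else None, pd[i] if pd else None)
            for i in range(n)]


def pool_overlap(sessions, pool_start, pool_end):
    """Static IPv4 addresses that fall inside an assignable DHCP pool range."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return sorted(a for a, _, _ in sessions if a is not None and lo <= a <= hi)


def forbidden_ip_commands(addresses):
    """Collapse overlapping addresses into `dhcp server forbidden-ip start [end]` lines (end: assumed syntax)."""
    runs = []
    for a in sorted(addresses):
        if runs and int(a) == int(runs[-1][-1]) + 1:
            runs[-1].append(a)
        else:
            runs.append([a])
    return [f"dhcp server forbidden-ip {r[0]}" + (f" {r[-1]}" if len(r) > 1 else "")
            for r in runs]


# Constructed sample: four dual-stack users, each with one /48 delegation prefix.
SAMPLE_SPEC = StaticSessionSpec("192.0.2.10", "192.0.2.13", "2001:db8::10", "2001:db8::13",
                                "2001:db8:1000::", "2001:db8:1003::", 48)
SAMPLE_POOL = ("192.0.2.1", "192.0.2.11")  # constructed DHCP pool that overlaps two users

if __name__ == "__main__":
    for cmd in forbidden_ip_commands(pool_overlap(expand_sessions(SAMPLE_SPEC), *SAMPLE_POOL)):
        print(cmd)  # prints: dhcp server forbidden-ip 192.0.2.10 192.0.2.11
```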

Restrictions and guidelines for selecting authentication domains for static IPoE users

If you configure multiple ISP domains for a static individual user, an ISP domain is selected for the user in the following order until a match is found:

·     When bind authentication is used:

a.     ISP domain specified by using the domain domain-name option in this command. If the domain has not been created, the user fails to come online.

b.     Service-specific domain. If the domain has not been created, the user fails to come online.

c.     ISP domain configured by using the ip subscriber unclassified-ip domain command. If the domain has not been created, the user fails to come online.

d.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

·     When Web authentication is used:

¡     For how an ISP domain is selected in the preauthentication phase, see the ip subscriber pre-auth domain command.

¡     For how an ISP domain is selected in the Web authentication phase, see the ip subscriber web-auth domain command.

Restrictions and guidelines for binding VPN instances to static IPoE users

You can bind static IPoE users to VPN instances by using one of the following methods:

·     Method 1: Specify the vpn-instance parameter in this command.

·     Method 2: Authorize VPN instances to users by using AAA.

·     Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.

When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used. If the strict-check access-interface vpn-instance command is executed in an ISP domain, for users to come online successfully, make sure the VPN instances specified by using the three methods are the same.
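The VPN instance selection rules above (given identically for the interface-level and the global command), as an added audit function in Python. This is example code, not H3C's: the user records are constructed, and treating method 3 as the fallback when neither method 1 nor method 2 is configured is an assumption, since the reference only states which method wins when they differ.

```python
"""Effective VPN instance of a static IPoE user (added example, not H3C code).

Models the three binding methods from the command reference: method 1 is the
vpn-instance keyword of the static session, method 2 is AAA authorization, method 3
is ip binding vpn-instance on the access interface, plus the ISP domain setting
strict-check access-interface vpn-instance. None means not specified (public network).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VpnBinding:
    user: str
    session_vpn: Optional[str] = None    # method 1
    aaa_vpn: Optional[str] = None        # method 2
    interface_vpn: Optional[str] = None  # method 3
    strict_check: bool = False           # strict-check access-interface vpn-instance in the domain


def resolve_vpn(b):
    """Return (comes_online, effective_vpn, reason) for one user."""
    if b.session_vpn is not None and b.aaa_vpn is not None and b.session_vpn != b.aaa_vpn:
        return False, None, "method 1 and method 2 specify different VPN instances"
    if b.session_vpn is not None:
        effective, source = b.session_vpn, "method 1"
    elif b.aaa_vpn is not None:
        effective, source = b.aaa_vpn, "method 2"
    else:
        effective, source = b.interface_vpn, "method 3 (assumed fallback)"
    if b.strict_check and effective != b.interface_vpn:
        return False, None, "strict-check: VPN instances of the three methods differ"
    return True, effective, source


def audit(bindings):
    """Flag users that cannot come online or land in a VPN other than the interface's."""
    findings = []
    for b in bindings:
        ok, vpn, reason = resolve_vpn(b)
        if not ok:
            findings.append(f"{b.user}: cannot come online ({reason})")
        elif vpn != b.interface_vpn:
            findings.append(f"{b.user}: effective VPN {vpn or 'public'} differs from "
                            f"interface VPN {b.interface_vpn or 'public'}")
    return findings


# Constructed sample users covering the cases the reference describes.
SAMPLE_BINDINGS = [
    VpnBinding("u1", "vpnA", "vpnA", "vpnA"),        # all three agree
    VpnBinding("u2", "vpnA", "vpnB", "vpnA"),        # method 1 and 2 disagree: fails
    VpnBinding("u3", "vpnA", None, "vpnB"),          # method 1 wins over method 3
    VpnBinding("u4", "vpnA", None, "vpnB", True),    # strict-check: fails
    VpnBinding("u5", None, None, "vpnC"),            # only method 3 (assumed fallback)
]

if __name__ == "__main__":
    for line in audit(SAMPLE_BINDINGS):
        print(line)
```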

Restrictions and guidelines for the static IPoE dual-stack scenario

When you configure dual-stack static sessions with the interface or interface-list keyword specified, follow these restrictions and guidelines:

·     If IPoE is enabled on the interface specified by the interface or interface-list keyword before you configure dual-stack static users, it must be enabled for both the IPv4 and IPv6 protocol stacks; otherwise, you cannot configure dual-stack static users.

·     If you configure dual-stack static users before enabling IPoE on the interface specified by the interface or interface-list keyword, you must enable IPoE for both the IPv4 and IPv6 stacks; otherwise, you cannot enable IPoE.

Restrictions and guidelines for the hybrid dynamic+static IPoE dual-stack scenario

For a single-stack IPv4 or IPv6 global static individual session and a dynamic individual session to form a dual-stack session, make sure the usernames/passwords, ISP domains, and AAA authorization attributes of the static and dynamic users are the same. The following sessions can form dual-stack sessions:

·     An IPv4 global static individual session can form a dual-stack session with a DHCPv6 dynamic individual session, ND RS dynamic individual session, or unclassified-IPv6 dynamic individual session.

·     An IPv6 global static individual session can form a dual-stack session with a DHCPv4 dynamic individual session or unclassified-IPv4 dynamic individual session.

Examples

# Configure a global IPoE static session with an IP address of 1.1.1.1, an ISP domain of dm1, and UP ID 1024. (Syntax I)

<Sysname> system-view

[Sysname] ip subscriber session static ip 1.1.1.1 domain dm1 up-id 1024

# Configure a global IPoE static session, with IP address 1.1.1.1, static user interface list 10, and ISP domain dm1 for authentication. (Syntax II)

<Sysname> system-view

[Sysname] ip subscriber session static ip 1.1.1.1 interface-list 10 domain dm1

Related commands

dhcp enable (BRAS Services Command Reference)

ip subscriber initiator arp enable

ip subscriber initiator unclassified-ip enable

ip subscriber password

ip subscriber static-session request-online interval

static-user interface-list

strict-check access-interface vpn-instance (BRAS Services Command Reference)

ip subscriber session static-leased

Use ip subscriber session static-leased to configure an IPoE static leased session.

Use undo ip subscriber session static-leased to delete the specified IPoE static leased session.

Syntax

Single-stack IPv4 IPoE static leased session:

ip subscriber session static-leased ip ipv4-address interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static-leased ip ipv4-address [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

Single-stack IPv6 IPoE static leased session:

ip subscriber session static-leased ipv6 ipv6-address interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static-leased ipv6 ipv6-address [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

Dual-stack IPoE static leased session:

ip subscriber session static-leased ip ipv4-address ipv6 ipv6-address interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online [ ip | ipv6 ] ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ] [ keep-online ]

undo ip subscriber session static-leased ip ipv4-address ipv6 ipv6-address [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

Default

No IPoE static leased session is configured.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of users.

ipv6-address: Specifies the IPv6 address of users.

interface interface-type interface-number: Specifies the access interface of users.

vlan vlan-id: Specifies the outer VLAN of user packets. The value range for the vlan-id argument is 1 to 4094. This parameter is supported only on subinterfaces.

second-vlan vlan-id: Specifies the inner VLAN of user packets. The value range for the vlan-id argument is 1 to 4094. This parameter is supported only on subinterfaces.

mac mac-address: Specifies a user MAC address in the format of H-H-H.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify this option, the default ISP domain is used for authentication. For more information about the default authentication domain, see AAA in BRAS Services Configuration Guide.

password mac: Uses the user MAC address as the authentication password.

request-online: Specifies the device to actively send online requests to request users to come online. If this keyword is not specified, a user must actively send ARP or IP packets to come online. For a dual-stack leased user, if you specify this keyword and do not specify the ip or ipv6 keyword, the device actively performs online detection in both protocol stacks. In a CUPS IPoE network, when the AC is a Layer 3 subinterface and the access mode is Ethernet, for the device to actively send requests to request users to come online, you must specify the VLAN information for users in static sessions.

·     ip: Specifies the device to actively perform online detection in the IPv4 protocol stack.

·     ipv6: Specifies the device to actively perform online detection in the IPv6 protocol stack.

description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@). If this option is not specified, the static session does not have a description.

gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.

·     ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the shared gateway address for an IP address pool (for example, gateway address specified by using the gateway command in a BAS IP address pool).

·     ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the link-local address of the access interface.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static leased users by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the IPoE static leased users are in the public network.

keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.

Usage guidelines

As shown in Figure 3, in a service provider leased line service, the Layer 3 device Device of an enterprise has multiple hosts attached. The uplink port Port A of Device needs a public network IP address assigned by the service provider, and the BRAS needs to perform unified authentication, authorization, and accounting for all hosts attached to Device. In this case, in addition to meeting the leased line service requirements, the administrator wants to allocate and maintain public network IP addresses easily and to look up, on the BRAS, the public network IP address allocated to the device of each leased line service. To meet these requirements, deploy static leased lines on the BRAS.

Figure 3 IPoE static leased line application network diagram

A static leased session is similar to an interface-leased session. When a static leased session comes online, packets with any source IP address can pass through the leased interface. Unlike an interface-leased session, however, a static leased session also records the public network IP addresses of the static leased users in addition to providing the leased line service of the interface.

With IPoE enabled on an access interface in up state, when IP, ARP, NS, or NA packets pass through the access device, the access interface will try to initiate authentication by using the configured username and password. If a user passes authentication, a static leased session is established. If a user fails to pass authentication, no static leased session is established.

Static leased sessions are supported only when the bind authentication mode is used and IPoE operates in Layer 2 access mode.

On the access interface of a static user, you cannot configure an IPv4 address or IPv6 global unicast address. Follow these restrictions and guidelines:

·     For IPv4: Use the shared gateway address in the IP address pool, for example, the gateway address specified by using the gateway command in a BAS IP address pool.

·     For IPv6: Use the ipv6 address auto link-local command to generate a link-local address on the access interface of the static user.

On an interface, IPoE static leased users are mutually exclusive with IPoE individual users, IPoE interface-leased users, IPoE subnet-leased users, and IPoE L2VPN-leased users.

In the public network or the same VPN instance, the following rules apply:

·     Up to one static leased session can be configured on an interface. You cannot use this command to modify an IPoE static leased session configured with the ip, mac, domain, or request-online keyword. To modify such an IPoE static leased session, use the undo form of the command to delete the session, and then reconfigure an IPoE static leased session with new parameter settings.

·     Up to one static leased session with the specified IP addresses can be configured. You cannot use this command to modify an IPoE static leased session configured with the mac, domain, interface, or request-online keyword. To modify such an IPoE static leased session, use the undo form of the command to delete the session, and then reconfigure an IPoE static leased session with new parameter settings.

You can bind static IPoE leased users to VPN instances by using one of the following methods:

·     Method 1: Specify the vpn-instance parameter in this command.

·     Method 2: Authorize VPN instances to users by using AAA.

·     Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.

When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used. If the strict-check access-interface vpn-instance command is executed in an ISP domain, for users to come online successfully, make sure the VPN instances specified by using the three methods are the same.
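The VPN binding precedence described above, written out as an added example (not part of the H3C reference or product code). The function, its argument names, and the handling of unspecified methods under strict checking (they are simply not counted) are this example's own assumptions; None stands for the public network.

```python
# Added example, not H3C code: resolve the VPN instance of a static leased
# user from the three binding methods and the strict-check rule.
from typing import Optional, Tuple


def resolve_vpn_instance(cmd_vpn: Optional[str],
                         aaa_vpn: Optional[str],
                         intf_vpn: Optional[str],
                         strict_check: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (user_can_come_online, effective_vpn_instance).

    cmd_vpn      - method 1: vpn-instance keyword of the static-leased command
    aaa_vpn      - method 2: VPN instance authorized to the user by AAA
    intf_vpn     - method 3: ip binding vpn-instance on the access interface
    strict_check - strict-check access-interface vpn-instance in the ISP domain
    None means "public network" (no VPN instance specified by that method).
    """
    # Methods 1 and 2, when both configured, must name the same instance.
    if cmd_vpn is not None and aaa_vpn is not None and cmd_vpn != aaa_vpn:
        return False, None

    # Method 1 or 2 wins over the interface binding when they differ; the
    # interface binding applies only when neither method 1 nor 2 is set.
    effective = cmd_vpn if cmd_vpn is not None else aaa_vpn
    if effective is None:
        effective = intf_vpn

    # With strict checking, every configured method must agree. Assumption of
    # this example: methods that specify nothing are not counted.
    if strict_check:
        configured = {v for v in (cmd_vpn, aaa_vpn, intf_vpn) if v is not None}
        if len(configured) > 1:
            return False, None

    return True, effective


if __name__ == "__main__":
    # Constructed sample: command and AAA agree, interface binding differs.
    print(resolve_vpn_instance("vpn1", "vpn1", "vpn2"))            # (True, 'vpn1')
    print(resolve_vpn_instance("vpn1", "vpn1", "vpn2", True))      # (False, None)
```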

Examples

# In system view, configure an IPoE static leased session, with IP address 1.1.1.1 and bound to interface Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] ip subscriber session static-leased ip 1.1.1.1 interface Ten-GigabitEthernet 3/1/1

Related commands

ip subscriber password

ip subscriber initiator unclassified-ip enable

ip subscriber static-session request-online interval

strict-check access-interface vpn-instance (BRAS Services Command Reference)

ip subscriber session-conflict action offline

Use ip subscriber session-conflict action offline to enable session conflict detection.

Use undo ip subscriber session-conflict action offline to disable session conflict detection.

Syntax

ip subscriber session-conflict action offline

undo ip subscriber session-conflict action offline

Default

Session conflict detection is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

In a Layer 2 IPoE network, after an IPoE session moves from an interface to another interface, the device still maintains the session information on the original interface. This wastes resources and increases maintenance complexity.

When a user comes online on an interface, this feature uses the user's IP address and MAC address to detect whether the user has come online on other interfaces. If yes, this feature forcibly logs out the user from other interfaces.

This command is mutually exclusive with the ip subscriber roaming enable command on the same interface. If one command has been executed, the other command cannot be executed.

This command takes effect only in Layer 2 access mode.

This command takes effect only on IPoE global static users whose static sessions do not have the interface keyword specified.

Examples

# Enable session conflict detection.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber session-conflict action offline

ip subscriber static-dot1x-user enable

Use ip subscriber static-dot1x-user enable to enable static 802.1X user authentication.

Use undo ip subscriber static-dot1x-user enable to disable static 802.1X user authentication.

Syntax

ip subscriber static-dot1x-user enable

undo ip subscriber static-dot1x-user enable

Default

Static 802.1X user authentication is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

By default, in the IPoE 802.1X authentication scenario, IPoE 802.1X authentication supports DHCP users, IPv6 ND RS users, and global static users. For a user configured with a static IP address to come online through 802.1X authentication, you must configure the corresponding static IPoE user access for the static IP address of the user on the BRAS.

For a user configured with a static IP address to come online through 802.1X authentication without configuring the corresponding static IPoE user access for the user on the BRAS, enable this feature.

Working mechanism

With this feature enabled, when the 802.1X client of a user passes authentication and comes online, the BRAS will generate a temporary session entry according to the MAC+VLAN information (without IP information) of the user. When the BRAS receives the ARP packets, unclassified-IP packets, and NS/NA packets of the user, the following rules apply:

·     If a temporary session entry can be obtained for the user, IPoE uses the 802.1X authentication result to make the user directly come online in the postauthentication domain. After the user comes online in the postauthentication domain, the BRAS will replace the temporary session entry with the formal session entry of the user. Then, the BRAS processes packets of the user based on the formal session entry. In this case, the formal session entry records the 802.1X user information (including 802.1X username, authentication domain, and authorized attributes) of the user.

·     If a temporary session entry cannot be obtained for the user, the packets are dropped.

Restrictions and guidelines

Suppose both 802.1X authentication and IPoE static user access are configured on an interface, and the following functions are enabled:

·     For 802.1X authentication access, the static 802.1X user authentication feature is enabled.

·     For IPoE static user access, unclassified-IP packet initiation is enabled with the matching-user keyword specified.

If the preceding conditions are met, when the packets of a user received by the BRAS match both the 802.1X temporary session entry and the IPoE static user session, the user comes online as an IPoE static user.
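A small model of the temporary-entry handling described under "Working mechanism" and the matching rule above, added here as an example (not H3C code). The class and field names are this example's own, IPoE static users are identified by IP address only for simplicity, and the sample MAC addresses and IPs are constructed.

```python
# Added example, not H3C code: static 802.1X user handling on one interface.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Dot1xResult:
    """What the BRAS learned when the 802.1X client passed authentication."""
    username: str
    domain: str                         # post-authentication domain
    authorized: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    """A formal session entry (carries IP information)."""
    ip: str
    mac: str
    vlan: int
    kind: str                           # "ipoe-static" or "dot1x"
    domain: Optional[str] = None
    username: Optional[str] = None
    authorized: Dict[str, str] = field(default_factory=dict)


class StaticDot1xInterface:
    def __init__(self, static_user_ips: Set[str]):
        # IPoE static users configured for this interface (by IP, simplified).
        self.static_user_ips = static_user_ips
        # Temporary entries: MAC+VLAN only, no IP information.
        self.temporary: Dict[Tuple[str, int], Dot1xResult] = {}
        # Formal entries keyed by the user's IP address.
        self.sessions: Dict[str, Session] = {}

    def dot1x_authenticated(self, mac: str, vlan: int, result: Dot1xResult) -> None:
        """802.1X client came online: generate the temporary session entry."""
        self.temporary[(mac, vlan)] = result

    def on_packet(self, ip: str, mac: str, vlan: int) -> str:
        """Handle an ARP, unclassified-IP or NS/NA packet from the user.

        Returns "ipoe-static", "dot1x" or "dropped".
        """
        # Matching both the temporary entry and an IPoE static user session
        # makes the user come online as an IPoE static user.
        if ip in self.static_user_ips:
            self.sessions[ip] = Session(ip, mac, vlan, "ipoe-static")
            return "ipoe-static"
        result = self.temporary.pop((mac, vlan), None)
        if result is None:
            return "dropped"            # no temporary entry: packet dropped
        # Replace the temporary entry with a formal one that records the
        # 802.1X username, authentication domain and authorized attributes.
        self.sessions[ip] = Session(ip, mac, vlan, "dot1x", result.domain,
                                    result.username, dict(result.authorized))
        return "dot1x"
```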

With this feature enabled in the IPoE 802.1X authentication scenario, when the 802.1X client of a user passes authentication and comes online, the user can directly come online in the postauthentication domain only if the ARP packets, unclassified-IP packets, or NS/NA packets from the user match the temporary session entry. In this case, you do not need to execute any of the following commands to enable ARP packet initiation, unclassified-IP packet initiation, or NS/NA packet initiation:

·     ip subscriber initiator unclassified-ip enable

·     ip subscriber initiator unclassified-ipv6 enable

·     ip subscriber initiator arp enable

·     ip subscriber initiator nsna enable

When you configure the static 802.1X user authentication feature, follow these restrictions and guidelines:

·     On an interface, static 802.1X user authentication is mutually exclusive with Layer 3 IPoE access mode, IPoE interface-leased users, IPoE subnet-leased users, and IPoE L2VPN-leased users.

·     You can configure static 802.1X user authentication on an interface only when the interface operates in Layer 2 IPoE access mode.

Examples

# Enable static 802.1X user authentication on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber static-dot1x-user enable

Related commands

ip subscriber authentication-method

ip subscriber initiator arp enable

ip subscriber initiator nsna enable

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber static-session request-online interval

Use ip subscriber static-session request-online interval to configure the interval at which the device sends online requests to IPoE static users.

Use undo ip subscriber static-session request-online interval to restore the default.

Syntax

ip subscriber static-session request-online interval seconds

undo ip subscriber static-session request-online interval

Default

The interval at which the device sends online requests to IPoE static users is 180 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the interval at which the device sends online requests to IPoE static users. The value range is 60 to 3600 seconds.

Usage guidelines

Set the request interval when the device actively sends ARP, ICMP, ND NS, or ICMPv6 packets to request IPoE static users to come online. To configure the device to actively send online requests, use the ip subscriber session static command in system or interface view.

Examples

# Set the interval at which the device sends online requests to IPoE static users to 60 seconds.

<Sysname> system-view

[Sysname] ip subscriber static-session request-online interval 60

Related commands

ip subscriber session static

ip subscriber subnet-leased

Use ip subscriber subnet-leased to configure a subnet-leased user.

Use undo ip subscriber subnet-leased to delete a subnet-leased user.

Syntax

ip subscriber subnet-leased ip ipv4-address { mask | mask-length } username name password { ciphertext | plaintext } string [ domain domain-name ] [ vpn-instance vpn-instance-name ]

undo ip subscriber subnet-leased ip ipv4-address { mask | mask-length }

ip subscriber subnet-leased ipv6 ipv6-address prefix-length username name password { ciphertext | plaintext } string [ domain domain-name ] [ vpn-instance vpn-instance-name ]

undo ip subscriber subnet-leased ipv6 ipv6-address prefix-length

Default

No subnet-leased user exists.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a user IPv4 address.

mask: Specifies an IPv4 address mask in dotted decimal notation.

mask-length: Specifies a mask length, an integer in the range of 1 to 31.

ipv6 ipv6-address: Specifies a user IPv6 address.

prefix-length: Specifies the IPv6 prefix length in the range of 1 to 127.

username name: Specifies a username for authentication, a case-sensitive string of 1 to 253 characters.

password: Specifies a password for authentication.

ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.

plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

vpn-instance vpn-instance-name: Specifies an existing MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The MPLS L3VPN instance will be bound to the subnet-leased user on the interface. If you do not specify a VPN instance, the subnet-leased user is in the public network.

Usage guidelines

A subnet-leased user represents all access users in a subnet of the interface. With IPoE enabled for the IPv4 or IPv6 protocol stack on an interface in up state, the session does not need to be initiated by user traffic. The BRAS initiates authentication by using the configured username and password. After the authentication succeeds, a subnet-leased session is established, traffic of all users in the subnet of the interface is permitted, and the users share one IPoE session. The BRAS performs authorization and accounting for all users in the subnet.

If you first enable IPoE and then configure subnet-leased users, you must enable IPoE for the IPv4 or IPv6 protocol stack before you can configure subnet-leased users for that protocol stack. If you first configure subnet-leased users and then enable IPoE, you must enable IPoE for the protocol stack of the subnet-leased users or for both stacks.

You can configure only one subnet-leased user on each subnet.

You cannot configure a subnet-leased user on an interface configured with interface-leased users or L2VPN-leased users.

An ISP domain is selected for an IPoE subnet-leased user in the following order until a match is found:

1.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

2.     ISP domain specified by using the domain domain-name option in this command. If the ISP domain has not been created, the user fails to come online.

3.     ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.

4.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

To modify the VPN instance or public network to which the subnet-leased user belongs, first execute the undo form of this command and then execute this command again.

To configure an IPoE subnet-leased user bound to a VPN instance on an interface in Layer 2 IPoE access mode, follow these restrictions and guidelines to ensure proper functionality:

·     Before configuring an IPoE subnet-leased user bound to a VPN instance, make sure the VPN instance already exists on the device.

·     If you use the undo ip vpn-instance command to delete a VPN instance after configuring IPoE subnet-leased users bound to the VPN instance, you must use the undo ip subscriber subnet-leased command to delete all the IPoE subnet-leased users bound to the deleted VPN instance on the interfaces in Layer 2 IPoE access mode. Then use the ip subscriber subnet-leased command to reconfigure these users as needed.

When IPoE subnet-leased users are bound to a VPN instance on an interface in Layer 3 IPoE access mode, executing the undo ip vpn-instance command to delete the VPN instance deletes all subnet-leased users bound to the VPN instance.

Examples

# Configure a subnet-leased user for subnet 1.1.1.1/24 with a username of netuser and a plaintext password of pw123 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber subnet-leased ip 1.1.1.1 24 username netuser password plaintext pw123

ip subscriber timer quiet

Use ip subscriber timer quiet to enable the quiet timer and set the quiet time period for users.

Use undo ip subscriber timer quiet to restore the default.

Syntax

ip subscriber timer quiet time

undo ip subscriber timer quiet

Default

The quiet timer is disabled for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

time: Specifies the quiet timer period in the range of 10 to 3600 seconds.

Usage guidelines

With this command configured, IPoE starts the quiet timer after the number of consecutive authentication failures of a user reaches the limit in the specified period. The BRAS drops packets from the user during the quiet timer period. After the quiet timer expires, the BRAS performs authentication upon receiving a packet from the user.

When a user that comes online through a global interface is blocked and the slot where the session of the blocked user resides is switched, the device will initiate authentication again for the user. If the user successfully passes authentication before reaching the maximum number of consecutive authentication failures, the user will be unblocked. Otherwise, the user will be blocked again.

Examples

# Enable the quiet timer and set the quiet timer period to 100 seconds for users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber timer quiet 100

Related commands

display ip subscriber chasten user auth-failed

display ip subscriber chasten user quiet

ip subscriber authentication chasten

ip subscriber trust

Use ip subscriber trust to configure a trusted option for DHCP users.

Use undo ip subscriber trust to cancel a trusted option.

Syntax

ip subscriber trust { option12 | option60 | option77 | option82 | option16 | option17 | option18 | option37 | option79 }

undo ip subscriber trust { option12 | option60 | option77 | option82 | option16 | option17 | option18 | option37 | option79 }

Default

Only Option 79 is trusted for DHCP users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

option12: Specifies Option 12 as the trusted option.

option60: Specifies Option 60 as the trusted option.

option77: Specifies Option 77 as the trusted option.

option82: Specifies Option 82 as the trusted option.

option16: Specifies Option 16 as the trusted option.

option17: Specifies Option 17 as the trusted option.

option18: Specifies Option 18 as the trusted option.

option37: Specifies Option 37 as the trusted option.

option79: Specifies Option 79 as the trusted option.

Usage guidelines

In a DHCPv4 network, the BRAS can obtain the Option 60 information in the DHCP-Discover packets. If the BRAS trusts Option 60 and the ip subscriber dhcp domain or ip subscriber dhcp option60 match command is not configured, the following information is used as the ISP domain:

·     All information in Option 60 if the option does not contain invalid characters or the at sign (@).

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

·     Information that follows the last at sign (@) if the option contains at signs (@) and does not contain invalid characters.

When the string selected by using the ip subscriber trust option60 command is used as the ISP domain for authentication and the ip subscriber dhcp domain include command is executed, the domain name generated according to the domain name generation rule is used. For more information about the domain name generation rules, see "ip subscriber dhcp domain include."

For more information about how an ISP domain is determined when the ip subscriber dhcp domain command is executed, see "ip subscriber dhcp domain."

For more information about how an ISP domain is determined when the ip subscriber dhcp option60 match command is executed, see "ip subscriber dhcp option60 match."

For more information about how an ISP domain is determined when the BRAS does not trust DHCPv4 Option 60, see "ip subscriber dhcp domain."

In a DHCP relay agent network, the BRAS can obtain the Option 82 information in the DHCP-Discover packets. If the BRAS trusts DHCPv4 Option 82, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses the information to encapsulate RADIUS attributes:

·     Obtains the Circuit-ID information and uses it to encapsulate NAS-Port-ID that adopts version 2.0 or version 5.0 as the encapsulation format.

·     Obtains the Circuit-ID information and uses it to encapsulate DSL_AGENT_CIRCUIT_ID.

·     Obtains the Remote-ID information and uses it to encapsulate DSL_AGENT_REMOTE_ID.

If the BRAS does not trust DHCPv4 Option 82, it does not use the Option 82 to encapsulate RADIUS attributes.

In a DHCPv6 network, the BRAS can obtain the ISP domain information from Option 16 or Option 17. Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following description uses Option 16 as an example.

If the BRAS trusts Option 16 and the ip subscriber dhcp domain or ip subscriber dhcpv6 option16 match command is not configured, the following information is used as the ISP domain:

·     All information in Option 16 if the option does not contain invalid characters or the at sign (@).

Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).

·     Information that follows the last at sign (@) if the option contains at signs (@) and does not contain invalid characters.
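The domain derivation rules above for a trusted DHCPv6 Option 16 (and, by the same mechanism, Option 17) are identical to those given earlier for DHCPv4 Option 60, and the invalid-character set is the one the domain domain-name parameter of these commands uses; the following added example (not H3C code) implements both. The function names and the handling of an empty remainder after the last at sign (treated as "no domain") are this example's assumptions, and the sample option values are constructed. Because the option value is supplied by the DHCP client, the character check is what keeps a client from steering its own authentication into an unintended domain name.

```python
# Added example, not H3C code: ISP domain selection from a trusted
# DHCPv4 Option 60 / DHCPv6 Option 16 value, and the domain-name rule.
from typing import Optional

# Characters the reference lists as invalid in an ISP domain name.
INVALID_DOMAIN_CHARS = set('/\\|":*?<>')


def domain_from_trusted_option(option_text: str) -> Optional[str]:
    """Return the ISP domain derived from a trusted Option 60 / Option 16 value.

    None means the option cannot supply a domain, so the other selection rules
    (see "ip subscriber dhcp domain") decide. Assumes the option is trusted and
    neither the dhcp domain nor the option match command is configured.
    """
    # Any invalid character disqualifies the whole value, with or without "@".
    if any(ch in INVALID_DOMAIN_CHARS for ch in option_text):
        return None
    # With at signs present, only the text after the last one is the domain;
    # otherwise the whole option value is used.
    candidate = option_text.rsplit("@", 1)[1] if "@" in option_text else option_text
    # Assumption of this example: an empty remainder yields no domain, and the
    # result must respect the 1 to 255 character limit of a domain name.
    if not 1 <= len(candidate) <= 255:
        return None
    return candidate


def is_valid_domain_name(name: str) -> bool:
    """Check a name against the domain domain-name parameter rules:
    1 to 255 characters, none of the invalid characters, and no at sign."""
    if not 1 <= len(name) <= 255:
        return False
    return not any(ch in INVALID_DOMAIN_CHARS or ch == "@" for ch in name)


if __name__ == "__main__":
    # Constructed sample Option 60 / Option 16 values.
    for sample in ("isp1.com", "user1@branch@isp1.com", "isp1/com", "user@isp:1"):
        print(repr(sample), "->", domain_from_trusted_option(sample))
```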

For more information about how an ISP domain is determined when the ip subscriber dhcp domain command is executed, see "ip subscriber dhcp domain."

For more information about how an ISP domain is determined when the ip subscriber dhcpv6 option16 match command is executed, see "ip subscriber dhcpv6 match."

For more information about how an ISP domain is determined when the BRAS does not trust DHCPv6 Option 16, see "ip subscriber dhcp domain."

In a DHCP relay agent network, the BRAS can obtain the specified Option information from DHCPv6 packets. If the BRAS trusts DHCPv6 Option 18 or Option 37, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses the information to encapsulate RADIUS attributes:

·     Obtains information from Option 18 and uses it to encapsulate NAS-Port-ID that uses the version 2.0 or version 5.0 encapsulation format.

·     Obtains information from Option 18 and uses it to encapsulate DSL_AGENT_CIRCUIT_ID.

·     Obtains information from Option 37 and uses it to encapsulate DSL_AGENT_REMOTE_ID.
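How trusted relay-agent options become RADIUS attributes, for both the DHCPv4 Option 82 rules given earlier and the DHCPv6 Option 18/37 rules above, as an added example (not H3C code). Option 82 sub-option codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) follow RFC 3046; the DHCPv6 option values are taken as already extracted from the relay message; the function names, the "hex" rendering, and the sample bytes are this example's assumptions, and the NAS-Port-ID version 2.0/5.0 layouts are not modelled (the circuit ID is placed in the attribute as-is).

```python
# Added example, not H3C code: relay-agent option information to RADIUS
# attributes, gated by the per-interface trusted-option set.
from typing import Dict, Optional, Set


def parse_option82(raw: bytes) -> Dict[int, bytes]:
    """Split an Option 82 payload into {sub-option code: value}.

    Raises ValueError on a truncated TLV so a malformed relay option is never
    silently turned into an access-line identifier.
    """
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated Option 82 sub-option header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated Option 82 sub-option value")
        subopts[code] = value
        i += 2 + length
    return subopts


def is_malformed_option82(raw: bytes) -> bool:
    """True if the payload does not parse as well-formed sub-options."""
    try:
        parse_option82(raw)
    except ValueError:
        return True
    return False


def _render(value: bytes, fmt: str) -> str:
    """Render raw option bytes in the configured parsing format (ASCII by default)."""
    if fmt == "ascii":
        return value.decode("ascii")
    if fmt == "hex":
        return value.hex()
    raise ValueError(f"unknown parsing format {fmt!r}")


def radius_attrs_from_dhcpv4(trusted: Set[str], option82: bytes,
                             fmt: str = "ascii") -> Dict[str, str]:
    """RADIUS attributes derived from DHCPv4 Option 82, or none if untrusted."""
    if "option82" not in trusted:
        return {}                       # untrusted Option 82 is never used
    sub = parse_option82(option82)
    attrs: Dict[str, str] = {}
    if 1 in sub:                        # Circuit-ID
        cid = _render(sub[1], fmt)
        attrs["NAS-Port-ID"] = cid
        attrs["DSL_AGENT_CIRCUIT_ID"] = cid
    if 2 in sub:                        # Remote-ID
        attrs["DSL_AGENT_REMOTE_ID"] = _render(sub[2], fmt)
    return attrs


def radius_attrs_from_dhcpv6(trusted: Set[str], option18: Optional[bytes] = None,
                             option37: Optional[bytes] = None,
                             fmt: str = "ascii") -> Dict[str, str]:
    """RADIUS attributes derived from DHCPv6 Option 18 / Option 37."""
    attrs: Dict[str, str] = {}
    if "option18" in trusted and option18 is not None:
        iid = _render(option18, fmt)
        attrs["NAS-Port-ID"] = iid
        attrs["DSL_AGENT_CIRCUIT_ID"] = iid
    if "option37" in trusted and option37 is not None:
        attrs["DSL_AGENT_REMOTE_ID"] = _render(option37, fmt)
    return attrs


# Constructed sample: sub-option 1 "eth 1/1" (7 bytes), sub-option 2 "r001".
SAMPLE_OPTION82 = b"\x01\x07eth 1/1\x02\x04r001"

if __name__ == "__main__":
    print(radius_attrs_from_dhcpv4({"option82"}, SAMPLE_OPTION82))
    print(radius_attrs_from_dhcpv4({"option79"}, SAMPLE_OPTION82))  # {}
```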

On the same interface, you can execute this command multiple times to configure multiple trusted options. However, you cannot configure the interface to trust both Option 16 and Option 17. For example, if you have configured Option 16 as a trusted option, you cannot configure Option 17 as a trusted option.

To uniformly perform accounting and management for the same IPoE user, if the IPv4 protocol stack and IPv6 protocol stack of the user can form a dual stack, IPoE preferentially maintains and manages the user as a dual-stack user. For an IPv4 user and an IPv6 user to form a dual-stack user, make sure the users have the same MAC address.

When a Layer 3 network with DHCPv6 relay enabled exists between a user and the BRAS, if the DHCPv6 packet forwarded by the DHCPv6 relay agent does not carry the user MAC address in the client ID field, IPoE cannot obtain the MAC address of the DHCPv6 user. In this case, IPoE maintains the IPv4 user and the IPv6 user with the same MAC address as two separate users, and the two users cannot form a dual-stack user.

To resolve this issue, configure the BRAS to trust Option 79. If DHCPv6 Option 79 is trusted, when the BRAS receives a DHCPv6 packet carrying Option 79, the user MAC address is obtained from Option 79 and used as a required condition for recognizing the DHCPv6 user. If a DHCPv4 user uses the same MAC address, the two users can form a dual-stack user. When you configure the BRAS to trust Option 79, follow these restrictions and guidelines:

·     If IPoE can obtain user MAC addresses from both the Option 79 and Client ID fields, the user MAC address obtained from Option 79 takes priority.

·     For a BRAS to receive DHCPv6 packets carrying Option 79, execute the ipv6 dhcp relay client-link-address enable command to enable the DHCPv6 relay agent to support Option 79 on the first DHCPv6 relay agent that the requests from a DHCPv6 client pass through. For more information about the ipv6 dhcp relay client-link-address enable command, see DHCPv6 commands in BRAS Services Command Reference.

When an online DHCPv6 user exists on an access interface, you cannot execute the undo ip subscriber trust option79 command on the interface. To execute the undo ip subscriber trust option79 command on the interface, first log out the DHCPv6 user.
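The following is an added example, not H3C code or output from the device: it extracts the subscriber MAC address from a DHCPv6 Relay-Forward message the way the trusted-Option 79 rule above describes (a trusted Option 79 wins; otherwise the DUID in the relayed Client ID is used, and a DUID without a link-layer address yields nothing), then pairs the IPv6 user with the DHCPv4 user that has the same MAC. It assumes the message and option layouts of RFC 8415 (DHCPv6, DUID types) and RFC 6939 (Option 79); the sample messages and the IPv4 user table are constructed for this example.

```python
# Added example (not H3C code): pull the subscriber MAC out of a DHCPv6
# Relay-Forward message the way the trusted-Option79 rule describes, then
# pair the IPv6 user with the DHCPv4 user that has the same MAC.
# Assumptions: message and option layouts per RFC 8415 (DHCPv6, DUID) and
# RFC 6939 (Option 79); the sample messages and the IPv4 user table below
# are constructed for this example.
import struct

OPT_CLIENTID = 1
OPT_RELAY_MSG = 9
OPT_CLIENT_LINKLAYER_ADDR = 79      # RFC 6939, inserted by the first-hop relay
MSG_RELAY_FORW = 12
HW_TYPE_ETHERNET = 1
RELAY_HDR_LEN = 1 + 1 + 16 + 16     # msg-type, hop-count, link-address, peer-address


def parse_options(buf):
    """Return [(code, data), ...] from a DHCPv6 option block; reject truncation."""
    opts, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("truncated option %d" % code)
        opts.append((code, buf[pos:pos + length]))
        pos += length
    return opts


def mac_from_duid(duid):
    """MAC from a DUID-LLT (type 1) or DUID-LL (type 3) over Ethernet, else None
    (DUID-EN and DUID-UUID carry no link-layer address)."""
    if len(duid) < 4:
        return None
    duid_type, hw_type = struct.unpack_from("!HH", duid, 0)
    if hw_type != HW_TYPE_ETHERNET:
        return None
    if duid_type == 1 and len(duid) == 2 + 2 + 4 + 6:   # DUID-LLT has a 4-byte time
        return duid[8:14]
    if duid_type == 3 and len(duid) == 2 + 2 + 6:       # DUID-LL
        return duid[4:10]
    return None


def mac_from_option79(data):
    """Option 79 body: 2-byte link-layer type followed by the address."""
    if len(data) != 2 + 6:
        return None
    (hw_type,) = struct.unpack_from("!H", data, 0)
    return data[2:8] if hw_type == HW_TYPE_ETHERNET else None


def client_mac(relay_forw, trust_option79=True):
    """Rule from the text: a trusted Option 79 beats the Client ID; otherwise
    fall back to the DUID inside the relayed client message. Returns hex or None."""
    if not relay_forw or relay_forw[0] != MSG_RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    outer = parse_options(relay_forw[RELAY_HDR_LEN:])
    mac = None
    if trust_option79:
        for code, data in outer:
            if code == OPT_CLIENT_LINKLAYER_ADDR:
                mac = mac_from_option79(data)
    if mac is None:
        for code, data in outer:
            if code == OPT_RELAY_MSG:
                inner = parse_options(data[4:])         # skip msg-type + 3-byte txid
                for icode, idata in inner:
                    if icode == OPT_CLIENTID:
                        mac = mac_from_duid(idata)
    return mac.hex() if mac else None


def pair_dual_stack(relay_forw, ipv4_users, trust_option79=True):
    """Return the IPv4 user entry that shares the MAC, or None (the two stay
    separate single-stack users)."""
    mac = client_mac(relay_forw, trust_option79)
    return ipv4_users.get(mac) if mac else None


# Constructed samples. The client uses a DUID-EN, so its Client ID carries no
# MAC; only the relay-inserted Option 79 identifies the link-layer address.
CLIENT_MAC = bytes.fromhex("001122334455")
INNER_SOLICIT_EN = (b"\x01" + b"\x12\x34\x56"                      # Solicit, txid
                    + b"\x00\x01\x00\x09"                           # Client ID, len 9
                    + b"\x00\x02" + b"\x00\x00\x00\x09" + b"abc")    # DUID-EN
RELAY_FORW_WITH_79 = (b"\x0c\x00" + bytes(16) + bytes(16)
                      + b"\x00\x4f\x00\x08" + b"\x00\x01" + CLIENT_MAC
                      + b"\x00\x09" + struct.pack("!H", len(INNER_SOLICIT_EN))
                      + INNER_SOLICIT_EN)
# Same subscriber behind a relay that does not add Option 79, but with a DUID-LL.
INNER_SOLICIT_LL = (b"\x01" + b"\x65\x43\x21"
                    + b"\x00\x01\x00\x0a" + b"\x00\x03" + b"\x00\x01" + CLIENT_MAC)
RELAY_FORW_NO_79 = (b"\x0c\x00" + bytes(16) + bytes(16)
                    + b"\x00\x09" + struct.pack("!H", len(INNER_SOLICIT_LL))
                    + INNER_SOLICIT_LL)
IPV4_USERS = {"001122334455": {"ip": "192.168.1.10", "domain": "dm1"}}  # constructed

if __name__ == "__main__":
    print(client_mac(RELAY_FORW_WITH_79))                         # 001122334455
    print(client_mac(RELAY_FORW_WITH_79, trust_option79=False))   # None
    print(pair_dual_stack(RELAY_FORW_NO_79, IPV4_USERS))
```

Note what the BRAS is trusting here: Option 79 is not sent by the client, it is asserted by the relay agent, and the MAC it carries becomes the key that merges two sessions into one dual-stack user. That is why the guideline above enables it only on the first relay agent the client's requests pass through, under the operator's control; a relay that can be reached by untrusted hosts could claim another subscriber's MAC.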

When Option 12 is trusted, you can configure the DHCPv4 Option 12 information as the authentication username by specifying the hostname parameter in the ip subscriber dhcp username command. For more information, see the ip subscriber dhcp username command.

When Option 77 is trusted, you can configure the DHCPv4 Option 77 information as the authentication password by specifying the user-class parameter in the ip subscriber dhcp password command. For more information, see the ip subscriber dhcp password command.

Examples

# Configure DHCPv4 Option 82 as a trusted option on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber trust option82

Related commands

ip subscriber access-line-id circuit-id trans-format

ip subscriber access-line-id remote-id trans-format

ip subscriber dhcp domain

ip subscriber dhcp domain include

ip subscriber dhcp option60 match

ip subscriber dhcp password

ip subscriber dhcp username

ip subscriber dhcpv6 match

ip subscriber nas-port-id format

ip subscriber nas-port-id nasinfo-insert

ipv6 dhcp relay client-link-address enable (BRAS Services Command Reference)

ip subscriber unclassified-ip domain

Use ip subscriber unclassified-ip domain to configure an ISP domain for users.

Use undo ip subscriber unclassified-ip domain to restore the default.

Syntax

ip subscriber unclassified-ip domain domain-name

undo ip subscriber unclassified-ip domain

Default

No ISP domain is configured for users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command configures an ISP domain for unclassified-IP users, static individual users, and subnet/interface-leased users.

An ISP domain is selected for an unclassified-IP user in the following order until a match is found:

1.     Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.

2.     ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.

3.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For how an ISP domain is selected for an IPoE static user, see the ip subscriber session static command.

For how an ISP domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an ISP domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

Examples

# Configure ISP domain dm1 for users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ip domain dm1

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber service-identify

ip subscriber unclassified-ip ip match

Use ip subscriber unclassified-ip ip match to configure trusted IPv4 addresses for IPoE authentication.

Use undo ip subscriber unclassified-ip ip match to restore the default.

Syntax

ip subscriber unclassified-ip ip match start-ip-address [ end-ip-address ]

undo ip subscriber unclassified-ip ip match start-ip-address [ end-ip-address ]

Default

All IPv4 addresses are trusted.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IPv4 address.

end-ip-address: Specifies the end IPv4 address. The end IPv4 address must be higher than or equal to the start IPv4 address. If you specify this option, all IPv4 addresses in the range are trusted as source IPv4 addresses. If you do not specify this option, or the end IPv4 address is the same as the start IPv4 address, only the start IPv4 address is trusted as a source IPv4 address.

Usage guidelines

After the ip subscriber unclassified-ip ip match command is executed, the following rules apply:

·     If IPv4 packets from a user match a static IPoE session, the user comes online as a static IPoE user no matter whether the source IPv4 address in the IPv4 packets is within the trusted IPv4 address range.

·     If IPv4 packets from users do not match a static IPoE session, only packets with source IPv4 addresses as trusted IPv4 addresses can initiate IPoE authentication, and other packets are dropped.

To cancel trust configuration for an IPv4 address or IPv4 address range belonging to a trusted IPv4 address range, cancel trust configuration for the entire IPv4 address range.

You can use this command multiple times to configure multiple trusted IPv4 addresses or IPv4 address ranges.

This command takes effect only on unclassified-IP users and leased unclassified-IP subusers.

Examples

# Configure IPv4 addresses 192.168.1.10 through 192.168.1.100 as trusted IPv4 addresses on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ip ip match 192.168.1.10 192.168.1.100

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber unclassified-ip ipv6 match

Use ip subscriber unclassified-ip ipv6 match to configure trusted IPv6 addresses for IPoE authentication.

Use undo ip subscriber unclassified-ip ipv6 match to restore the default.

Syntax

ip subscriber unclassified-ip ipv6 match start-ipv6-address [ end-ipv6-address ]

undo ip subscriber unclassified-ip ipv6 match start-ipv6-address [ end-ipv6-address ]

Default

All IPv6 global unicast addresses are trusted.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address. The end IPv6 address must be higher than the start IPv6 address. If you specify this option, all IPv6 addresses in the range are trusted as source IPv6 addresses. If you do not specify this option, only the start IPv6 address is trusted as a source IPv6 address.

Usage guidelines

After the ip subscriber unclassified-ip ipv6 match command is executed, the following rules apply:

·     If IPv6 packets from a user match a static IPoE session, the user comes online as a static IPoE user no matter whether the source IPv6 address in the IPv6 packets is within the trusted IPv6 address range.

·     If IPv6 packets from users do not match a static IPoE session, only packets with source IPv6 addresses as trusted IPv6 addresses can initiate IPoE authentication, and other packets are dropped.

To cancel trust configuration for an IPv6 address or IPv6 address range belonging to a trusted IPv6 address range, cancel trust configuration for the entire IPv6 address range.

You can use this command multiple times to configure multiple trusted IPv6 addresses or IPv6 address ranges.

This command takes effect only on unclassified-IP users and leased unclassified-IP subusers.
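The following is an added example, not H3C code: it models the admission decision that the ip subscriber unclassified-ip ip match and ip subscriber unclassified-ip ipv6 match guidelines describe, for both address families. A packet whose source matches a static IPoE session comes online regardless of the trust list; any other packet may start IPoE authentication only if its source address is trusted, and is dropped otherwise. It also applies the two defaults stated on this page (all IPv4 addresses trusted; IPv6 global unicast, taken here as 2000::/3, trusted) and the rule that only an entire configured range can be cancelled. The addresses, ranges and static sessions are constructed sample input.

```python
# Added example (not H3C code): the admission decision that ip subscriber
# unclassified-ip ip match / ipv6 match describe. Packets matching a static
# IPoE session come online regardless of the trust list; any other packet
# starts IPoE authentication only if its source address is trusted, and is
# otherwise dropped. Sample addresses and sessions below are constructed.
import ipaddress

IPV6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # IANA global unicast block


class TrustedSources:
    """Trusted source address ranges configured on one access interface."""

    def __init__(self):
        self._ranges = []       # [(start, end)], inclusive, as ipaddress objects

    @staticmethod
    def _span(start, end):
        s = ipaddress.ip_address(start)
        e = ipaddress.ip_address(end) if end is not None else s
        if e.version != s.version:
            raise ValueError("start and end must be the same address family")
        if e < s:
            raise ValueError("end address must not be lower than start address")
        return s, e

    def add(self, start, end=None):
        """ip subscriber unclassified-ip ip|ipv6 match start [end]"""
        self._ranges.append(self._span(start, end))

    def remove(self, start, end=None):
        """undo ... match start [end]: only the exact configured range can be cancelled."""
        span = self._span(start, end)
        if span not in self._ranges:
            raise ValueError("cancel the entire configured range, not a part of it")
        self._ranges.remove(span)

    def configured(self, version):
        return any(s.version == version for s, _ in self._ranges)

    def trusts(self, addr):
        a = ipaddress.ip_address(addr)
        if not self.configured(a.version):
            # Defaults from the text: every IPv4 address, every IPv6 global unicast address.
            return a.version == 4 or a in IPV6_GLOBAL_UNICAST
        return any(s <= a <= e for s, e in self._ranges if s.version == a.version)


def classify(src, static_sessions, trusted):
    """Return 'static', 'authenticate' or 'drop' for a packet's source address."""
    a = ipaddress.ip_address(src)
    if a in {ipaddress.ip_address(x) for x in static_sessions}:
        return "static"          # static IPoE session: trust list not consulted
    return "authenticate" if trusted.trusts(a) else "drop"


def demo():
    """Constructed scenario mirroring the command examples on this page."""
    trusted = TrustedSources()
    statics = {"10.0.0.5", "2001:db8::5"}
    before = classify("192.168.1.200", statics, trusted)          # default: all IPv4 trusted
    trusted.add("192.168.1.10", "192.168.1.100")
    trusted.add("2001::1:10", "2001::1:100")
    return {
        "v4_default": before,
        "v4_in_range": classify("192.168.1.50", statics, trusted),
        "v4_outside": classify("192.168.1.200", statics, trusted),
        "v4_static_outside": classify("10.0.0.5", statics, trusted),
        "v6_in_range": classify("2001::1:20", statics, trusted),
        "v6_outside": classify("2001::2:1", statics, trusted),
        "v6_static_outside": classify("2001:db8::5", statics, trusted),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The practical point is the default: with no match command, any IPv4 source address that reaches the interface can trigger AAA authentication, so narrowing the range to the addresses the access network actually assigns is what limits who can make the BRAS open sessions and talk to the RADIUS server. Static sessions bypass the check entirely, so a static binding is effectively an exception to the trust list.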

Examples

# Configure IPv6 addresses 2001::1:10 through 2001::1:100 as trusted IPv6 addresses on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ip ipv6 match 2001::1:10 2001::1:100

Related commands

ip subscriber initiator unclassified-ipv6 enable

ip subscriber unclassified-ip max-session

Use ip subscriber unclassified-ip max-session to set the IPoE session limit for unclassified-IPv4 packet initiation on an interface.

Use undo ip subscriber unclassified-ip max-session to restore the default.

Syntax

ip subscriber unclassified-ip max-session max-number

undo ip subscriber unclassified-ip max-session

Default

The IPoE session limit for unclassified-IPv4 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for unclassified-IPv4 packet initiation. The value range for this argument is 1 to 64000.

Usage guidelines

If the IPoE session limit for unclassified-IPv4 packet initiation is reached, no more IPoE sessions can be initiated by unclassified-IPv4 packets. IPoE sessions initiated by unclassified-IPv4 packets include single-stack IPv4 sessions and dual-stack sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber unclassified-ipv6 max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is executed together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions in different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for unclassified-IPv4 packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ip max-session 100

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber max-session

ip subscriber unclassified-ip username

Use ip subscriber unclassified-ip username to configure an authentication user naming convention for unclassified-IP users and static users.

Use undo ip subscriber unclassified-ip username to restore the default.

Syntax

ip subscriber unclassified-ip username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-ip [ address-separator address-separator ] [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vlan [ separator separator ] } *

undo ip subscriber unclassified-ip username

Default

No authentication user naming convention is configured for unclassified-IP users and static users.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

nas-port-id: Includes the NAS-Port-ID attribute in a username.

port: Includes the number of the port that receives the user packets in a username.

second-vlan: Includes the inner VLAN ID in a username.

slot: Includes the number of the slot that receives the user packets in a username.

source-ip: Includes the source IP address in a username.

address-separator address-separator: Specifies any printable character as the separator for the IPv4 address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated IPv4 address (x-x-x-x). If you do not specify a separator, the username is the dot-separated IPv4 address (x.x.x.x). An IPv6 address is in colon-separated form (x::x:x). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

source-mac: Includes the source MAC address in a username.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

string string: Includes the specified string in a username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

subslot: Includes the number of the subslot that receives the user packets in a username.

sysname: Includes the name of the device that receives the user packets in a username.

vlan: Includes the outer VLAN ID in a username.

separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

Usage guidelines

Usernames obtained based on the naming convention are used for authentication and must be the same as those configured on the AAA server.

You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.
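The following is an added example, not H3C code: it builds the authentication username that a given ip subscriber unclassified-ip username include naming convention produces, in configuration order and with the separator rules of the parameters above, so that the same value can be provisioned on the AAA server before users come online. The keyword names are the command's own; the sample packet attributes (device name, slot, subslot, port, VLAN IDs, addresses) and the nas-port-id string are constructed for this example.

```python
# Added example (not H3C code): build the authentication username that a
# naming convention of ip subscriber unclassified-ip username include ...
# produces, so the same value can be provisioned on the AAA server ahead of
# time. The sample packet attributes below are constructed.
import ipaddress

FORBIDDEN = set('/\\|":*?<>@')            # characters the string keyword rejects
KEYWORDS = ("nas-port-id", "port", "second-vlan", "slot", "source-ip",
            "source-mac", "string", "subslot", "sysname", "vlan")


def check_separator(sep):
    """Any single printable character, except '@' (it breaks AAA username parsing)."""
    if sep is None:
        return
    if len(sep) != 1 or not sep.isprintable() or sep.isspace():
        raise ValueError("separator must be one printable character")
    if sep == "@":
        raise ValueError("'@' is not allowed as a separator")


def format_ip(addr, address_separator=None):
    """IPv4 is dotted (x.x.x.x) unless an address separator replaces the dots;
    IPv6 keeps its colon-separated form."""
    a = ipaddress.ip_address(addr)
    if a.version == 4 and address_separator:
        return address_separator.join(str(a).split("."))
    return str(a)


def format_mac(mac, address_separator=None):
    """xxxxxxxxxxxx by default, or xxxx<sep>xxxx<sep>xxxx with an address separator."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("malformed MAC address")
    if not address_separator:
        return digits
    return address_separator.join(digits[i:i + 4] for i in range(0, 12, 4))


def build_username(convention, packet):
    """convention: [(keyword, options)] in configuration order; options is a dict
    with optional 'separator', 'address_separator' and 'string' entries.
    packet: attributes of the packet that triggered authentication."""
    parts = []
    for keyword, opts in convention:
        if keyword not in KEYWORDS:
            raise ValueError("unknown keyword %r" % keyword)
        sep = opts.get("separator")
        check_separator(sep)
        check_separator(opts.get("address_separator"))
        if keyword == "source-ip":
            value = format_ip(packet["source-ip"], opts.get("address_separator"))
        elif keyword == "source-mac":
            value = format_mac(packet["source-mac"], opts.get("address_separator"))
        elif keyword == "string":
            value = opts["string"]
            if not 1 <= len(value) <= 128 or FORBIDDEN & set(value):
                raise ValueError("string has a forbidden character or a bad length")
        else:
            value = str(packet[keyword])
        parts.append(value)
        if sep:                      # separator sits between this option and the next
            parts.append(sep)
    return "".join(parts)


# Constructed sample: the packet arrived on slot 3 / subslot 1 / port 1 of BRAS1.
SAMPLE_PACKET = {
    "sysname": "BRAS1", "slot": 3, "subslot": 1, "port": 1,
    "vlan": 100, "second-vlan": 20, "nas-port-id": "slot=3;subslot=1;port=1;vlanid=100",
    "source-ip": "192.168.1.10", "source-mac": "00:11:22:33:44:55",
}

# The second example on this page: sysname # slot # subslot # port # vlan.
PAGE_CONVENTION = [("sysname", {"separator": "#"}), ("slot", {"separator": "#"}),
                   ("subslot", {"separator": "#"}), ("port", {"separator": "#"}),
                   ("vlan", {})]

if __name__ == "__main__":
    print(build_username(PAGE_CONVENTION, SAMPLE_PACKET))        # BRAS1#3#1#1#100
    print(build_username([("source-ip", {})], SAMPLE_PACKET))    # 192.168.1.10
```

Because the username is assembled from packet attributes (source IP or MAC, VLAN tags), it identifies where a packet came from rather than who sent it; the AAA server must apply its own binding checks (for example, the password source configured with ip subscriber password) rather than treating a well-formed username as proof of identity.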

Examples

# Configure the source IP address as the authentication usernames for unclassified-IP users and static users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ip username include source-ip

# Configure an authentication user naming convention for unclassified-IP users and static users on Ten-GigabitEthernet 3/1/1. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ip username include sysname separator # slot separator # subslot separator # port separator # vlan

Related commands

ip subscriber initiator unclassified-ip enable

ip subscriber initiator unclassified-ipv6 enable

ip subscriber password

ip subscriber unclassified-ipv6 max-session

Use ip subscriber unclassified-ipv6 max-session to set the IPoE session limit for unclassified-IPv6 packet initiation on an interface.

Use undo ip subscriber unclassified-ipv6 max-session to restore the default.

Syntax

ip subscriber unclassified-ipv6 max-session max-number

undo ip subscriber unclassified-ipv6 max-session

Default

The IPoE session limit for unclassified-IPv6 packet initiation on an interface is not set.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the IPoE session limit for unclassified-IPv6 packet initiation. The value range for this argument is 1 to 64000.

Usage guidelines

If the IPoE session limit for unclassified-IPv6 packet initiation is reached, no more IPoE sessions can be initiated by unclassified-IPv6 packets. IPoE sessions initiated by unclassified-IPv6 packets include single-stack IPv6 sessions and dual-stack IPoE sessions.

In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber unclassified-ip max-session command.

If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.

When this command is executed together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions in different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.

Examples

# Set the IPoE session limit to 100 for unclassified-IPv6 packet initiation on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber unclassified-ipv6 max-session 100

Related commands

ip subscriber initiator unclassified-ipv6 enable

ip subscriber max-session

ip subscriber username

Use ip subscriber username to configure the username for an IPoE individual user.

Use undo ip subscriber username to restore the default.

Syntax

ip subscriber username { mac-address [ address-separator address-separator ] [ lowercase | uppercase ] | string string }

undo ip subscriber username

Default

No username is configured for an IPoE individual user.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

mac-address: Uses a MAC address as the username. The MAC address of the user is preferentially used. If the user MAC address cannot be obtained, the source MAC address of packets is used. By default, the letters in a MAC address are lower-case and the MAC address has no separators.

address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).

lowercase: Specifies the letters in the MAC address as lower-case.

uppercase: Specifies the letters in the MAC address as upper-case.

string string: Uses the specified string as the username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

To avoid configuring usernames for each initiation method separately when multiple individual session initiation methods are configured on an interface, you can use this command to uniformly configure authentication usernames for all individual users on an interface.

For individual users using bind authentication, a username is selected in the following order until a match is found:

1.     Username configured by using the command specific to the users.

¡     For DHCP users, username obtained by using the ip subscriber dhcp username command.

¡     For ND RS users, username obtained by using the ip subscriber ndrs username command.

¡     For unclassified-IP users, username obtained by using the ip subscriber unclassified-ip username command.

¡     For static users, a username is selected in the following order until a match is found:

-     The username parameter specified in the ip subscriber session static command is preferentially used as the authentication username. (Applicable only to global static access users.)

-     The authentication username obtained by using the ip subscriber unclassified-ip username command.

2.     Username configured by using the ip subscriber username command.

3.     Default username.

¡     For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.

¡     For ND RS users, source MAC address of packets.

¡     For unclassified-IP users and static individual users, source IP address of packets.

For Web authentication and Web MAC authentication in the preauthentication phase, a username is selected for individual users in the order a username is selected for individual users using bind authentication.

For Web authentication in the Web authentication phase, a username is selected in the following order for individual users until a match is found:

1.     Username that the user enters when logging in.

2.     Username configured by using the ip subscriber username command.

3.     Default username.

¡     For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.

¡     For ND RS users, source MAC address of packets.

¡     For static users, source IP address of packets.

For Web MAC authentication in the Web authentication phase, a username is selected in the following order for individual users until a match is found:

1.     Username configured by using the ip subscriber username command.

2.     Default username.

¡     For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.

¡     For ND RS users, source MAC address of packets.

¡     For static users, source IP address of packets.

Examples

# Use the MAC address of an IPoE individual user as the username on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber username mac-address

ip subscriber user-detect ip

Use ip subscriber user-detect ip to configure online detection for IPv4 protocol stack users.

Use undo ip subscriber user-detect ip to restore the default.

Syntax

ip subscriber user-detect ip { arp | icmp } retry retries interval interval [ no-datacheck ]

undo ip subscriber user-detect ip

Default

Online detection is enabled for IPv4 protocol stack users.

·     For leased subusers, no matter whether user uplink traffic is updated within a detection timer period (120 seconds), the BRAS sends ARP request packets to detect the online status of users after the detection timer expires. The BRAS performs a maximum of five detection attempts after the first detection failure.

·     For other users, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period (120 seconds). If user uplink traffic is not updated within a detection timer period, the BRAS uses the ARP request packets to detect the online status of IPv4 protocol stack users. The BRAS performs a maximum of five detection attempts after the first detection failure.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

arp: Specifies the ARP request packet as detection packets.

icmp: Specifies the ICMP request packet as detection packets.

retry retries: Specifies the maximum number of detection attempts following the first detection attempt, in the range of 1 to 255.

interval interval: Configures the detection timer for each attempt, in the range of 1 to 32767 seconds.

no-datacheck: Specifies an interface to send detection packets after the detection timer expires no matter whether user uplink traffic is updated within a detection timer period. If this keyword is not specified, the following rules apply:

·     If user uplink traffic is updated within a detection timer period, no detection packets are sent within one detection timer period after the detection timer expires.

·     If user uplink traffic is not updated within a detection timer period, detection packets are sent after the detection timer expires.

When the accounting mode is merge for dual-stack users, the sum of IPv4 uplink traffic and IPv6 uplink traffic is used to determine whether the user uplink traffic is updated. This keyword does not take effect on leased subusers.

Usage guidelines

With online detection enabled for IPv4 protocol stack users on an interface, the BRAS periodically detects the online status of an IPv4 protocol stack user after the user comes online on the interface. It uses ARP or ICMP requests to detect IPv4 protocol stack users. If IPv4 protocol stack users and the interface are in different subnets, only ICMP request packets can be used for detection.

After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets before the detection timer expires, it sends a detection packet to the user.

·     If the BRAS receives user packets before the maximum number of detection attempts is reached, it assumes that the user is online, resets the detection failure counter, and restarts the detection timer.

·     If the BRAS receives no user packets after detection attempts reach the maximum, the BRAS assumes the user is offline and deletes the session.

Do not configure both ARP and ICMP detection methods to detect the IPv4 protocol stack users.

The IPv4 protocol stack in this command includes the single IPv4 protocol stack and the IPv4 stack in the dual stack.

·     For the single IPv4 protocol stack, this feature supports only leased subusers in Layer 2 access mode and individual users.

·     For the dual stack, this feature supports only individual users. Online detection is performed for the two protocol stacks separately. Online detection failure for a stack does not affect the online status of the other stack.

Examples

# Configure online detection for IPv4 protocol stack users on Ten-GigabitEthernet 3/1/1. The maximum number of detection attempts is 5 after the first failure, the detection timer is 100 seconds, and the detection packet type is ARP.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber user-detect ip arp retry 5 interval 100

Related commands

ip subscriber enable

ip subscriber user-detect ipv6

Use ip subscriber user-detect ipv6 to configure online detection for IPv6 protocol stack users.

Use undo ip subscriber user-detect ipv6 to disable online detection for IPv6 protocol stack users.

Syntax

ip subscriber user-detect ipv6 { icmp | nd } retry retries interval interval [ no-datacheck ]

undo ip subscriber user-detect ipv6

Default

Online detection is enabled for IPv6 protocol stack users.

·     For leased subusers, no matter whether user uplink traffic is updated within a detection timer period (120 seconds), the BRAS sends ND Neighbor Solicitation (NS) packets to detect the online status of users after the detection timer expires. The BRAS performs a maximum of five detection attempts after the first detection failure.

·     For other users, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period (120 seconds). If user uplink traffic is not updated within a detection timer period, the BRAS uses the ND NS packets to detect the online status of IPv6 protocol stack users. The BRAS performs a maximum of five detection attempts after the first detection failure.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

icmp: Specifies the ICMPv6 request packet as detection packets. For detection to succeed when this keyword is specified, you must configure a global unicast address on the access interface.

nd: Specifies the NS packets of the ND protocol as detection packets.

retry retries: Specifies the maximum number of detection attempts following the first detection attempt, in the range of 1 to 255.

interval interval: Configures the detection timer in the range of 1 to 32767 seconds.

no-datacheck: Specifies an interface to send detection packets after the detection timer expires no matter whether user uplink traffic is updated within a detection timer period.

If this keyword is not specified, the following rules apply:

·     If user uplink traffic is updated within a detection timer period, no detection packets are sent within one detection timer period after the detection timer expires.

·     If user uplink traffic is not updated within a detection timer period, detection packets are sent after the detection timer expires.

When the accounting mode is merge for dual-stack users, the sum of IPv4 uplink traffic and IPv6 uplink traffic is used to determine whether the user uplink traffic is updated. This keyword does not take effect on leased subusers.

Usage guidelines

With online detection enabled for IPv6 protocol stack users on an interface, the BRAS periodically detects the online status of an IPv6 protocol stack user after the user comes online on the interface. It uses NS packets of the ND protocol or ICMPv6 requests to detect IPv6 protocol stack users. If IPv6 protocol stack users and the interface are in different subnets, only ICMPv6 request packets can be used for detection.

After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets before the detection timer expires, it sends a detection packet to the user.

·     If the BRAS receives user packets before the maximum number of detection attempts is reached, it assumes that the user is online, resets the detection failure counter, and restarts the detection timer.

·     If the BRAS receives no user packets after detection attempts reach the maximum, the BRAS assumes the user is offline and deletes the session.

Do not configure both ICMPv6 and ND detection methods to detect the IPv6 protocol stack users.

The IPv6 protocol stack in this command includes the single IPv6 protocol stack and the IPv6 stack in the dual stack.

·     For the single IPv6 protocol stack, this feature supports only leased subusers in Layer 2 access mode and individual users.

·     For the dual stack, this feature supports only individual users. Online detection is performed for the two protocol stacks separately. Online detection failure for a stack does not affect the online status of the other stack.
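The following is an added example, not H3C code or device behaviour captured from a BRAS: it models the online-detection cycle that the usage guidelines of ip subscriber user-detect ip and ip subscriber user-detect ipv6 describe (the two commands share the same rules), so you can work out how long a silent or unreachable subscriber keeps its session, and therefore its accounting record and address binding, under a given retry and interval. It follows only the rules stated in the text (data check skipped with no-datacheck and never applied to leased subusers; any user packet resets the failure counter; deletion after the first failure plus retry further failed attempts); the BRAS's internal timer implementation is not documented here, and the per-period event lists are constructed input.

```python
# Added example (not H3C code): a model of the online-detection cycle that
# ip subscriber user-detect ip and ip subscriber user-detect ipv6 describe,
# to reason about how long a silent or unreachable subscriber keeps its
# session. It follows only the rules stated in the text; the per-period
# event lists are constructed input, not BRAS output.

def detect(periods, retries, no_datacheck=False, leased_subuser=False):
    """Walk successive detection-timer periods.

    periods: [(uplink_seen, probe_answered)] per period, in order.
    retries: the `retry` value, i.e. attempts allowed after the first failure.
    Returns (index of the period in which the session is deleted or None,
             number of detection packets sent)."""
    failures = 0
    probes = 0
    for i, (uplink_seen, probe_answered) in enumerate(periods):
        # Data check: skipped with no-datacheck, and never applied to leased subusers.
        data_check = not (no_datacheck or leased_subuser)
        if data_check and uplink_seen:
            failures = 0            # traffic proves the user is online; no probe
            continue
        probes += 1                 # timer expired without usable traffic: probe
        if probe_answered or uplink_seen:
            failures = 0            # any packet from the user resets the counter
            continue
        failures += 1
        if failures > retries:      # first failure plus `retries` further attempts
            return i, probes
    return None, probes


def worst_case_offline_seconds(retries, interval):
    """Continuous silence needed before deletion: one probe per period,
    retries + 1 probes in total."""
    return (retries + 1) * interval


def demo():
    """Constructed scenarios for `retry 5 interval 100` (the IPv4 example on this page)."""
    silent = [(False, False)] * 8
    chatty = [(True, False)] * 8
    revived = [(False, False)] * 3 + [(False, True)] + [(False, False)] * 6
    return {
        "silent_user": detect(silent, retries=5),
        "chatty_user": detect(chatty, retries=5),
        "chatty_leased_subuser": detect(chatty, retries=5, leased_subuser=True),
        "chatty_no_datacheck": detect(chatty, retries=5, no_datacheck=True),
        "revived_once": detect(revived, retries=5),
        "silence_to_deletion_s": worst_case_offline_seconds(5, 100),
        "default_silence_to_deletion_s": worst_case_offline_seconds(5, 120),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With retry 5 interval 100, a subscriber that goes quiet is deleted in the sixth silent period, about 600 seconds after its last packet; the defaults (five attempts, 120 seconds) give about 720 seconds. Two consequences matter operationally: a user with steady uplink traffic is never probed unless no-datacheck is set or it is a leased subuser, so ARP or ICMP reachability is only checked for idle users; and because any packet from the user resets the counter, detection is a liveness check, not an identity check, so it cannot tell a subscriber from another host answering on the same address.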

Examples

# Configure online detection for IPv6 protocol stack users on Ten-GigabitEthernet 3/1/1. The maximum number of detection attempts is 3 after the first failure, the detection timer is 50 seconds, and the detection packet type is ND.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber user-detect ipv6 nd retry 3 interval 50

Related commands

ip subscriber enable

ip subscriber vlan

Use ip subscriber vlan to bind an ISP domain to IPoE users who send packets with the specified VLAN IDs.

Use undo ip subscriber vlan to remove the binding between an ISP domain and IPoE users who send packets with the specified VLAN IDs.

Syntax

ip subscriber vlan vlan-list domain domain-name

undo ip subscriber vlan vlan-list

Default

No ISP domain is bound to IPoE users who send packets with the specified VLAN IDs.

Views

Layer 3 aggregate subinterface view

Layer 3 Ethernet subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN ID items. Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The VLAN ID is in the range of 1 to 4094.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command configures an ISP domain for DHCP users, unclassified-IP users, and static individual users who send IP packets with the specified VLAN IDs.

For how an ISP domain is selected for a DHCP user, see the ip subscriber dhcp domain command.

For how an ISP domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.

For how an ISP domain is selected for an IPoE static user, see the ip subscriber session static command.

For how an ISP domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.

For how an ISP domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.

For how an ISP domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.

For the ip subscriber vlan command to take effect, you must first execute the ip subscriber service-identify { second-vlan | vlan } command to configure the corresponding service identifier. Without a service identifier, the bindings exist in the configuration but are not used to select a domain.
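The following is an added example, not H3C code: a parser for the vlan-list argument of ip subscriber vlan that applies the constraints the parameter description gives (up to 10 space-separated items, each an ID or "start to end", IDs 1 to 4094, domain names of 1 to 255 case-insensitive characters without the forbidden punctuation), plus a lookup from the VLAN ID selected by the service identifier to the bound ISP domain. Assumed, not taken from the page: the class and function names, and that the first matching binding wins when two bindings overlap.

```python
# Added example, not H3C code: parser and lookup for ip subscriber vlan.
# Assumptions: names are illustrative; the first matching binding wins.
from typing import List, Optional, Tuple

VLAN_MIN, VLAN_MAX, MAX_ITEMS = 1, 4094, 10
FORBIDDEN_IN_DOMAIN = set('/\\|":*?<>@')


def _vlan_id(token: str) -> int:
    if not token.isdigit() or not VLAN_MIN <= int(token) <= VLAN_MAX:
        raise ValueError("VLAN ID must be an integer in 1 to 4094: %r" % token)
    return int(token)


def parse_vlan_list(text: str) -> List[Tuple[int, int]]:
    """'2 to 100 200 300 to 310' -> [(2, 100), (200, 200), (300, 310)]."""
    tokens = text.split()
    items: List[Tuple[int, int]] = []
    i = 0
    while i < len(tokens):
        start = _vlan_id(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = _vlan_id(tokens[i + 2])
            if end < start:
                raise ValueError("range end %d is below start %d" % (end, start))
            i += 3
        else:
            end = start
            i += 1
        items.append((start, end))
    if not 1 <= len(items) <= MAX_ITEMS:
        raise ValueError("vlan-list must have 1 to %d items" % MAX_ITEMS)
    return items


def check_domain_name(name: str) -> str:
    """Validate an ISP domain name and return its case-insensitive form."""
    if not 1 <= len(name) <= 255 or FORBIDDEN_IN_DOMAIN & set(name):
        raise ValueError("invalid ISP domain name: %r" % name)
    return name.lower()


class VlanDomainBindings:
    """The ip subscriber vlan bindings configured on one subinterface."""

    def __init__(self) -> None:
        self.service_identifier: Optional[str] = None   # "vlan" or "second-vlan"
        self.bindings: List[Tuple[List[Tuple[int, int]], str]] = []

    def service_identify(self, kind: str) -> None:
        """ip subscriber service-identify { second-vlan | vlan }."""
        if kind not in ("vlan", "second-vlan"):
            raise ValueError("service identifier must be vlan or second-vlan")
        self.service_identifier = kind

    def bind(self, vlan_list: str, domain: str) -> None:
        """ip subscriber vlan vlan-list domain domain-name."""
        self.bindings.append((parse_vlan_list(vlan_list), check_domain_name(domain)))

    def unbind(self, vlan_list: str) -> None:
        """undo ip subscriber vlan vlan-list: removes the binding with these ranges."""
        ranges = parse_vlan_list(vlan_list)
        self.bindings = [b for b in self.bindings if b[0] != ranges]

    def domain_for(self, service_vlan_id: int) -> Optional[str]:
        """ISP domain for a packet whose service-identifying VLAN ID is given.

        Returns None when no binding matches, or when no service identifier is
        configured, because the binding does not take effect without one.
        """
        if self.service_identifier is None:
            return None
        for ranges, domain in self.bindings:
            if any(lo <= service_vlan_id <= hi for lo, hi in ranges):
                return domain
        return None
```

The lookup takes the VLAN ID that the service identifier selects as a plain integer; which tag of a double-tagged frame that is (vlan or second-vlan) is decided by ip subscriber service-identify and is deliberately left out of the model.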

Examples

# Configure an ISP domain for users who send IP packets with VLAN IDs 2 to 100 on Ten-GigabitEthernet 3/1/1.100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.100

[Sysname-Ten-GigabitEthernet3/1/1.100] ip subscriber service-identify second-vlan

[Sysname-Ten-GigabitEthernet3/1/1.100] ip subscriber vlan 2 to 100 domain vlandm

Related commands

ip subscriber service-identify

ip subscriber web-auth domain

Use ip subscriber web-auth domain to configure the domain for Web authentication.

Use undo ip subscriber web-auth domain to restore the default.

Syntax

ip subscriber web-auth domain domain-name

undo ip subscriber web-auth domain

Default

No domain is configured for Web authentication.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

When multiple types of domains are configured for Web authentication, the device selects an ISP domain in the following order during the Web authentication phase. The first step that yields a domain name is final: if that domain has not been created, the user fails to come online instead of falling through to the next step.

1.     Domain carried in the username. If the domain has not been created, the user fails to come online.

2.     Web authentication domain specified by using the ip subscriber web-auth domain command. If the specified domain has not been created, the user fails to come online.

3.     ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.

For how an ISP domain is selected during the Web authentication phase when Web MAC authentication is used, see the ip subscriber mac-auth domain command.

The ISP domain configured for Web authentication applies to only individual users using Web authentication and Web MAC authentication during the Web authentication phase.

The ISP domain modification for Web authentication takes effect only on new users.
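The following is an added example, not H3C code: the ISP domain selection order from the usage guidelines above, written as a function. What it makes explicit is that each step is final: a domain name that is carried in the username, or configured with ip subscriber web-auth domain, but not created makes the user fail rather than falling through to the next step. Assumed, not taken from the page: a username carries its domain after the last "@", the AAA module's own choice is passed in as a string, and the function and parameter names.

```python
# Added example, not H3C code: the Web authentication domain selection order.
# Assumptions: username domain follows the last "@"; the AAA module's own
# selection is supplied as aaa_domain; names are illustrative.
from typing import Optional, Set, Tuple


def domain_from_username(username: str) -> Optional[str]:
    """'alice@isp' -> 'isp'; 'alice' -> None."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1] or None


def select_web_auth_domain(
    username: str,
    created_domains: Set[str],
    web_auth_domain: Optional[str] = None,
    aaa_domain: Optional[str] = None,
) -> Tuple[Optional[str], str]:
    """Return (domain, reason); domain is None when the user fails to come online.

    Domain names are case-insensitive (see the domain-name parameter), so all
    comparison is done on lower-cased names.
    """
    created = {d.lower() for d in created_domains}

    # 1. Domain carried in the username.
    carried = domain_from_username(username)
    if carried is not None:
        carried = carried.lower()
        if carried in created:
            return carried, "username"
        return None, "username domain %r not created" % carried

    # 2. Web authentication domain on the access interface.
    if web_auth_domain is not None:
        wanted = web_auth_domain.lower()
        if wanted in created:
            return wanted, "web-auth domain"
        return None, "web-auth domain %r not created" % wanted

    # 3. Domain selected by the AAA module (its own rules are out of scope here).
    if aaa_domain is not None and aaa_domain.lower() in created:
        return aaa_domain.lower(), "aaa"
    return None, "no usable domain"


if __name__ == "__main__":
    created = {"dm1", "isp"}
    print(select_web_auth_domain("alice@isp", created, web_auth_domain="dm1"))
    print(select_web_auth_domain("alice", created, web_auth_domain="dm1"))
    print(select_web_auth_domain("alice@ghost", created, web_auth_domain="dm1"))
```

The third call in the usage block fails even though dm1 exists on the interface, which is the case to remember when a user reports "cannot come online" after typing a domain suffix.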

Examples

# Specify ISP domain dm1 for Web authentication on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber web-auth domain dm1

Related commands

ip subscriber authentication-method

ip subscriber mac-auth domain

ip subscriber web-redhcp enable

Use ip subscriber web-redhcp enable to enable re-DHCP for IPoE Web authentication.

Use undo ip subscriber web-redhcp enable to disable re-DHCP for IPoE Web authentication.

Syntax

ip subscriber web-redhcp enable

undo ip subscriber web-redhcp enable

Default

Re-DHCP for IPoE Web authentication is disabled.

Views

Layer 3 aggregate interface/subinterface view

Layer 3 Ethernet interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

To solve IP address planning and allocation problems, you can enable re-DHCP for IPoE Web authentication. With re-DHCP enabled for IPoE Web authentication on an interface, the interface allocates public IP addresses on the specified network segment to only users coming online through transparent MAC authentication. In this way, the network segment for online users is limited and effectively controlled.

With this feature enabled, when a DHCP user first comes online, the access device assigns a temporary IP address to the user in the preauthentication phase. When the user comes online in the Web authentication phase, the AAA server adds a user record for the user. When the user comes online for the second time, the user performs transparent MAC authentication in the preauthentication phase, and the device assigns a new public IP address to the user. Then, the user stays in the preauthentication domain.

This feature is supported only in Layer 2 IPoE access mode.

Examples

# Enable re-DHCP for IPoE Web authentication on Ten-GigabitEthernet3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] ip subscriber web-redhcp enable

Related commands

ip subscriber authentication-method web

reset ip subscriber abnormal-logout

Use reset ip subscriber abnormal-logout to clear entry information about abnormally logged out IPoE users.

Syntax

reset ip subscriber abnormal-logout

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command takes no parameters and clears entry information about all abnormally logged out IPoE users.

Examples

# Clear entry information about all abnormally logged out IPoE users.

<Sysname> reset ip subscriber abnormal-logout

Related commands

display ip subscriber abnormal-logout

reset ip subscriber chasten user auth-failed

Use reset ip subscriber chasten user auth-failed to clear information about IPoE individual users with authentication failure records that have not met the blocking conditions.

Syntax

reset ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

ip ipv4-address: Specifies the source IPv4 address of an IPoE user with authentication failure records.

ipv6 ipv6-address: Specifies the source IPv6 address of an IPoE user with authentication failure records.

mac mac-address: Specifies the MAC address of an IPoE user with authentication failure records, in the format of H-H-H.

Usage guidelines

By default, with the user blocking feature enabled, authentication failure records will be generated for IPoE access users that fail authentication. Before the authentication failure records of a user reach the blocking conditions, the authentication failure records can automatically age out.

You can use this command to manually clear the IPoE user authentication failure records. If the user continues to fail authentication later, the authentication failure records will be generated and counted again.

If you do not specify any parameter, this command clears information about all IPoE individual users with authentication failure records that have not met the blocking conditions.

Examples

# Clear information about IPoE individual users with authentication failure records that have not met the blocking conditions.

<Sysname> reset ip subscriber chasten user auth-failed

Related commands

ip subscriber authentication chasten

display ip subscriber chasten user auth-failed

reset ip subscriber chasten user quiet

Use reset ip subscriber chasten user quiet to clear information about blocked IPoE users.

Syntax

reset ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

ip ipv4-address: Specifies the source IPv4 address of a blocked IPoE user.

ipv6 ipv6-address: Specifies the source IPv6 address of a blocked IPoE user.

mac mac-address: Specifies the MAC address of a blocked IPoE user, in the format of H-H-H.

Usage guidelines

A user will be blocked when the blocking conditions are met. By default, once a user is blocked, the blocking state of the user can be cleared only after the quiet time period expires. Within the quiet time period, the device drops packets from the IPoE user.

You can use this command to manually clear the blocking state of blocked users. After the blocking state of a user is cleared, the device processes packets from the IPoE user again instead of dropping them.

If you do not specify any parameter, this command clears information about all blocked IPoE users.
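The following is an added example, not H3C code: a model of the authentication failure records and blocking entries that reset ip subscriber chasten user auth-failed and reset ip subscriber chasten user quiet act on. It shows records ageing out before the blocking conditions are met, the quiet period during which the user's packets are dropped, and both manual resets, after which failures are counted again from zero. Assumed, not taken from the page: the blocking condition (max_failures failures within window seconds), the record and quiet timer lengths, an explicit clock in seconds, a single hashable key per user in place of the interface/IP/MAC selection, and all names.

```python
# Added example, not H3C code: user blocking records and the two reset commands.
# Assumptions: blocking condition and timer lengths are illustrative defaults;
# time is an explicit clock in seconds; names are illustrative.
from collections import deque
from typing import Deque, Dict, Hashable, Optional


class ChastenTable:
    def __init__(self, max_failures: int = 3, window: float = 60.0, quiet: float = 300.0) -> None:
        self.max_failures, self.window, self.quiet = max_failures, window, quiet
        self._failures: Dict[Hashable, Deque[float]] = {}   # auth-failed records per user
        self._quiet_until: Dict[Hashable, float] = {}       # blocked users and quiet expiry

    def _age_out(self, user: Hashable, now: float) -> None:
        """Drop records older than the window; records age out on their own."""
        q = self._failures.get(user)
        if q is None:
            return
        while q and now - q[0] > self.window:
            q.popleft()
        if not q:
            del self._failures[user]

    def is_blocked(self, user: Hashable, now: float) -> bool:
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:                 # quiet period expired: blocking clears itself
            del self._quiet_until[user]
            return False
        return True

    def auth_failed(self, user: Hashable, now: float) -> bool:
        """Record one authentication failure; return True if the user is now blocked."""
        self._age_out(user, now)
        q = self._failures.setdefault(user, deque())
        q.append(now)
        if len(q) >= self.max_failures:
            del self._failures[user]     # the records become a blocking entry
            self._quiet_until[user] = now + self.quiet
            return True
        return False

    def accept_packet(self, user: Hashable, now: float) -> bool:
        """Within the quiet period the device drops the user's packets."""
        return not self.is_blocked(user, now)

    def failure_count(self, user: Hashable, now: float) -> int:
        self._age_out(user, now)
        return len(self._failures.get(user, ()))

    # The two reset commands; no user given means all users.
    def reset_auth_failed(self, user: Optional[Hashable] = None) -> None:
        if user is None:
            self._failures.clear()
        else:
            self._failures.pop(user, None)

    def reset_quiet(self, user: Optional[Hashable] = None) -> None:
        if user is None:
            self._quiet_until.clear()
        else:
            self._quiet_until.pop(user, None)
```

Note the operational difference between the two resets: clearing the auth-failed records only restarts the count for a user who has not been blocked yet, while clearing the quiet state immediately lets a blocked user's packets through, so the second one is the command an operator should treat as privileged.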

Examples

# Clear information about blocked IPoE users.

<Sysname> reset ip subscriber chasten user quiet

Related commands

ip subscriber timer quiet

display ip subscriber chasten user quiet

reset ip subscriber http-defense destination-ip

Use reset ip subscriber http-defense destination-ip to clear entries of destination IP-based IPoE HTTP/HTTPS attack defense.

Syntax

In standalone mode:

reset ip subscriber http-defense destination-ip [ slot slot-number [ cpu cpu-number ] ]  [ ip ipv4-address | ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]

In IRF mode:

reset ip subscriber http-defense destination-ip [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ ip ipv4-address | ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.  

ip ipv4-address: Specifies an IPv4 address.

ipv6 ipv6-address: Specifies an IPv6 address.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command applies to destination IP addresses on the public network and in all VPN instances.

Usage guidelines

You can execute this command in any of the following scenarios:

·     You want to immediately clear the attack defense statistics entries of some or all destination IP addresses rather than wait until these attack defense statistics entries automatically age out.

·     You want to immediately unblock HTTP/HTTPS packets sent to some or all destination IP addresses rather than wait until these attack defense entries automatically age out.

After you execute this command to manually clear the attack defense statistics entries and blocking entries of a destination IP address, if IPoE users continue to send HTTP/HTTPS packets to that destination IP address, the device regenerates the corresponding attack defense statistics entries, counts the packets again from zero, and generates blocking entries to block HTTP/HTTPS packets sent to the destination IP address once the blocking conditions are met again.

When you execute this command, follow these restrictions and guidelines:

·     If you specify the ip ipv4-address or ipv6 ipv6-address option but do not specify the vpn-instance vpn-instance-name option in this command, this command clears the attack defense statistics entries and blocking entries of the specified IP address on the public network and all VPN instances.

·     If you do not specify any parameter, this command clears the attack defense statistics entries and blocking entries of the public network and all VPN instances.
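The following is an added example, not H3C code: a model of the attack defense statistics entries and blocking entries that reset ip subscriber http-defense destination-ip clears, with the matching rules from the usage guidelines above: an address given without vpn-instance is cleared on the public network and in every VPN instance, no parameters at all clears everything, and after a clear the packets are counted again from zero so a blocking entry can be regenerated. Assumed, not taken from the page: a blocking entry is created once `threshold` HTTP/HTTPS packets to one destination have been counted, the public network is keyed as vpn None, the slot/cpu options are ignored, and all names.

```python
# Added example, not H3C code: destination-IP HTTP defense entries and reset.
# Assumptions: blocking threshold, public network keyed as vpn None,
# slot/cpu ignored; names are illustrative.
from typing import Dict, Optional, Set, Tuple

Key = Tuple[Optional[str], str]   # (VPN instance name, None for public; destination IP)
ANY = object()                    # marker for "option not specified"


class HttpDefense:
    def __init__(self, threshold: int = 100) -> None:
        self.threshold = threshold
        self.stats: Dict[Key, int] = {}   # attack defense statistics entries
        self.blocked: Set[Key] = set()    # blocking entries

    def on_http_packet(self, dst_ip: str, vpn: Optional[str] = None) -> bool:
        """Count one HTTP/HTTPS packet from an IPoE user to dst_ip.

        Returns True if the packet is forwarded.  The packet that reaches the
        threshold is still forwarded; later ones are dropped until the entries
        age out or are cleared.
        """
        key = (vpn, dst_ip)
        if key in self.blocked:
            return False
        n = self.stats.get(key, 0) + 1
        self.stats[key] = n
        if n >= self.threshold:
            self.blocked.add(key)
        return True

    def reset(self, ip: Optional[str] = None, vpn=ANY) -> int:
        """reset ip subscriber http-defense destination-ip [ ip ... ] [ vpn-instance ... ].

        ip None means any address; vpn ANY means the public network and all VPN
        instances.  Returns the number of destinations whose entries were cleared.
        """
        def matches(key: Key) -> bool:
            k_vpn, k_ip = key
            if ip is not None and k_ip != ip:
                return False
            if vpn is not ANY and k_vpn != vpn:
                return False
            return True

        victims = [k for k in set(self.stats) | self.blocked if matches(k)]
        for k in victims:
            self.stats.pop(k, None)
            self.blocked.discard(k)
        return len(victims)
```

The reset with only an address is the one to be careful with in a multi-tenant deployment: it unblocks that destination for every VPN instance at once, so pass vpn-instance explicitly when only one tenant's entry should be cleared.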

Examples

# Clear all attack defense statistics entries and blocking entries generated during IPoE HTTP/HTTPS attack defense.

<Sysname> reset ip subscriber http-defense destination-ip

Related commands

display ip subscriber http-defense unblocked-destination-ip

display ip subscriber http-defense blocked-destination-ip

static-user interface-list

Use static-user interface-list to create a static user interface list and enter its view, or enter the view of an existing static user interface list.

Use undo static-user interface-list to delete a static user interface list.

Syntax

static-user interface-list list-id

undo static-user interface-list list-id

Default

No static user interface list exists.

Views

System view

Predefined user roles

network-admin

Parameters

list-id: Specifies a static user interface list ID in the range of 1 to 65535.

Usage guidelines

When multiple static IPoE users on the same subnet need to come online through multiple access interfaces, first execute the static-user interface-list command to create a static user interface list, and then execute the add interface command in its view to add the interfaces through which the static users are allowed to access.

Examples

# Create static user interface list 2 and enter its view.

<Sysname> system-view

[Sysname] static-user interface-list 2

[Sysname-static-interface-list2]

Related commands

display static-user interface-list

add interface

Portal commands

The device does not support network access through portal authentication. The portal commands can be used only in IPoE Web authentication scenarios.

aging-time

Use aging-time to set the aging time for MAC-trigger entries.

Use undo aging-time to restore the default.

Syntax

aging-time seconds

undo aging-time

Default

The aging time for MAC-trigger entries is 300 seconds.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.

Usage guidelines

With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:

·     MAC address of the user.

·     Interface index.

·     VLAN ID.

·     Traffic statistics.

·     Aging timer.

When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.

Examples

# Specify the aging time as 300 seconds for MAC-trigger entries.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aging-time 300

Related commands

display mac-trigger-server

authentication-timeout

Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.

Use undo authentication-timeout to restore the default.

Syntax

authentication-timeout minutes

undo authentication-timeout

Default

The authentication timeout time is 3 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.

Usage guidelines

Upon receiving the MAC binding query response of a user from the MAC binding server, the device starts an authentication timeout timer for the user. When the timer expires, the device deletes the MAC-trigger entry of the user.

Examples

# Specify the authentication timeout as 10 minutes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10

Related commands

display mac-trigger-server

binding-retry

Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.

Use undo binding-retry to restore the default.

Syntax

binding-retry { retries | interval interval } *

undo binding-retry

Default

The maximum number of query attempts is 3 and the query interval is 1 second.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.

interval interval: Specifies the query interval in the range of 1 to 60 seconds.

Usage guidelines

If the device does not receive a response from the MAC binding server after the maximum number of query attempts is reached, the device determines that the MAC binding server is unreachable and performs normal portal authentication for the user. The user must then enter a username and password for authentication.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.
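The following is an added example, not H3C code: a deterministic model of one MAC-trigger entry's lifetime under the three MAC binding server timers documented above (aging-time, binding-retry and authentication-timeout), including the fallback to normal portal authentication once the maximum number of query attempts is reached without a response. Assumed, not taken from the page: time is an explicit clock in seconds, the retries value counts total query attempts, what the query carries and what normal portal authentication then does are out of scope (represented by the auth_mode field), and all names.

```python
# Added example, not H3C code: MAC-trigger entry lifetime under aging-time,
# binding-retry and authentication-timeout.  Assumptions: explicit clock in
# seconds; retries counts total attempts; names are illustrative.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MacTriggerEntry:
    mac: str
    aging_expires: float
    status: str = "Querying"               # values as shown by display portal mac-trigger entry
    queries_sent: int = 0
    last_query_at: float = 0.0
    auth_mode: str = "mac-quick"           # "portal-password" once the server is deemed unreachable
    auth_deadline: Optional[float] = None  # authentication-timeout expiry, set on query response


class MacBindingServerModel:
    def __init__(self, aging_time: int = 300, retries: int = 3,
                 interval: int = 1, auth_timeout_min: int = 3) -> None:
        # Value ranges taken from the command parameters.
        if not 60 <= aging_time <= 7200:
            raise ValueError("aging-time must be 60 to 7200 seconds")
        if not 1 <= retries <= 10 or not 1 <= interval <= 60:
            raise ValueError("binding-retry: retries 1 to 10, interval 1 to 60 seconds")
        if not 1 <= auth_timeout_min <= 15:
            raise ValueError("authentication-timeout must be 1 to 15 minutes")
        self.aging_time, self.retries = aging_time, retries
        self.interval, self.auth_timeout = interval, auth_timeout_min * 60
        self.entries: Dict[str, MacTriggerEntry] = {}
        self.queries_total = 0             # the "MAC binding queries" counter

    def _send_query(self, e: MacTriggerEntry, now: float) -> None:
        e.queries_sent += 1
        e.last_query_at = now
        self.queries_total += 1

    def on_user_traffic(self, mac: str, now: float) -> MacTriggerEntry:
        """First traffic from a MAC creates the entry and sends the first query."""
        e = self.entries.get(mac)
        if e is None:
            e = MacTriggerEntry(mac, aging_expires=now + self.aging_time)
            self.entries[mac] = e
            self._send_query(e, now)
        return e

    def on_binding_response(self, mac: str, bound: bool, now: float) -> Optional[MacTriggerEntry]:
        """Binding/Nobinding response: fix the status, start the authentication timeout."""
        e = self.entries.get(mac)
        if e is None or e.status != "Querying":
            return None
        e.status = "Bound" if bound else "Not bound"
        e.auth_deadline = now + self.auth_timeout
        return e

    def on_portal_auth_complete(self, mac: str) -> None:
        """Portal authentication finished in time: the timeout no longer applies."""
        e = self.entries.get(mac)
        if e is not None:
            e.auth_deadline = None

    def tick(self, now: float) -> List[str]:
        """Advance all timers to `now`; return the events that fired."""
        events: List[str] = []
        for mac, e in list(self.entries.items()):
            if now >= e.aging_expires:
                del self.entries[mac]
                events.append("%s: aged out" % mac)
            elif e.auth_deadline is not None and now >= e.auth_deadline:
                del self.entries[mac]
                events.append("%s: authentication timeout, entry deleted" % mac)
            elif (e.status == "Querying" and e.auth_mode == "mac-quick"
                  and now - e.last_query_at >= self.interval):
                if e.queries_sent < self.retries:
                    self._send_query(e, now)
                    events.append("%s: query attempt %d" % (mac, e.queries_sent))
                else:
                    e.auth_mode = "portal-password"
                    events.append("%s: server unreachable, normal portal authentication" % mac)
        return events
```

With the defaults (3 attempts, 1 second apart) an unreachable MAC binding server costs a user about 3 seconds before the password page is offered; raising the interval to the 60-second maximum, as in the command example above, turns that into minutes, which is worth checking against the aging time so the entry does not age out while queries are still outstanding.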

Examples

# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60

Related commands

display mac-trigger-server

default-logon-page

Use default-logon-page to specify the default authentication page file for the local portal Web service.

Use undo default-logon-page to restore the default.

Syntax

default-logon-page file-name

undo default-logon-page

Default

No default authentication page file is specified for the local portal Web service.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).

Usage guidelines

You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.

For successful local portal authentication, you must specify the default portal authentication page file for the local portal Web service.

Examples

# Specify the file pagefile1.zip as the default authentication page file for local portal authentication.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip

Related commands

portal local-web-server

display portal ip-subscriber message statistics

Use display portal ip-subscriber message statistics to display statistics for messages exchanged between portal and IPoE during IPoE Web authentication.

Syntax

display portal ip-subscriber message statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display statistics for messages exchanged between portal and IPoE.

<Sysname> display portal ip-subscriber message statistics

  Message                                 Total    Error    Duplicate

  Sent logon request                      0        0        0

  Received logon success                  0        0        0

  Received logon failure                  0        0        0

  Received EAP authentication continue    0        0        0

  Sent logoff request                     0        0        0

  Received logoff response                0        0        0

  Received forced logoff request          0        0        0

  Sent smooth user start                  0        0        0

  Sent smooth user end                    0        0        0

  Sent smooth user message                0        0        0

  Sent mac-trigger enable                 0        0        0

  Sent mac-trigger disable                0        0        0

  Received binding request                0        0        0

  Sent binding response                   0        0        0

  Sent nobinding response                 0        0        0

  Sent processing bind response           0        0        0

  Sent delete mac-trigger entry           0        0        0

  Received mac-trigger user online        0        0        0

  Received mac-trigger user offline       0        0        0

Table 20 Command output

Field

Description

Total

Total number of messages.

Error

Number of error messages.

Duplicate

Number of duplicated messages.

Sent logon request

Number of sent requests for users to come online.

Received logon success

Number of received messages indicating that users came online successfully.

Received logon failure

Number of received messages indicating that users failed to come online.

Received EAP authentication continue

Number of received EAP authentication continue messages.

Sent logoff request

Number of sent requests for users to go offline.

Received logoff response

Number of received responses for users to go offline.

Received forced logoff request

Number of received requests to forcibly log out users.

Sent smooth user start

Number of sent messages indicating that portal started smoothing user information.

Sent smooth user end

Number of sent messages indicating that portal ended smoothing user information.

Sent smooth user message

Number of sent messages for smoothing user information.

Sent mac-trigger enable

Number of sent messages indicating that portal applied a MAC binding server to an interface.

Sent mac-trigger disable

Number of sent messages indicating that portal removed a MAC binding server from an interface.

Received binding request

Number of received binding queries.

Sent binding response

Number of sent responses indicating that user accounts are bound to user MAC addresses.

Sent nobinding response

Number of sent responses indicating that user accounts are not bound to user MAC addresses.

Sent processing bind response

Number of sent responses indicating that portal was processing the binding query request.

Sent delete mac-trigger entry

Number of sent messages indicating that the device deleted MAC-trigger entries.

Received mac-trigger user online

Number of received messages indicating that MAC-trigger users came online.

Received mac-trigger user offline

Number of received messages indicating that MAC-trigger users went offline.

Related commands

reset portal ip-subscriber message statistics

display portal mac-trigger entry

Use display portal mac-trigger entry to display MAC-trigger entries for portal users.

Syntax

display portal mac-trigger entry [ ip ipv4-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ipv4-address: Specifies a portal user by its IP address. If you do not specify a portal user, this command displays MAC-trigger entries for all portal users.

Examples

# Display MAC-trigger entries for all portal users.

<Sysname> display portal mac-trigger entry

IP       MAC ADDR         L3IF    L2IF                   SVLAN CVLAN Status   Source

2.2.2.2  0001-0001-0001   vlan2   XGE3/1/2                2     --    Bound    Portal

Table 21 Command output

Field

Description

IP

IP address of the user.

MAC ADDR

MAC address of the user.

L3IF

Layer 3 access interface.

L2IF

Layer 2 access interface. This field displays two hyphens (--) if the access interface of the user is a physical Layer 3 interface.

SVLAN

Outer VLAN ID of portal packets from the user.

CVLAN

Inner VLAN ID of portal packets from the user. This field displays two hyphens (--) if portal packets from the user are not double-tagged packets.

Status

Binding status between the MAC address and the user account:

·     Auth-free—The user with the MAC address can access the network without authentication.

·     Querying—The binding status of the MAC address is being queried.

·     Not bound—The MAC address is not bound with the user account.

·     Bound—The MAC address is bound with the user account.

·     Deleting—The MAC-trigger entry for the MAC address is being deleted.

Source

Access method of the user:

·     Portal.

·     IPoE.

display portal mac-trigger-server

Use display portal mac-trigger-server to display information about MAC binding servers.

Syntax

display portal mac-trigger-server { all | name server-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC binding servers.

name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Examples

# Display information about all MAC binding servers.

<Sysname> display portal mac-trigger-server all

Portal mac trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : Not configured

  Aging time                 : 120 seconds

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

Portal mac trigger server name: mts

  Version                    : 1.0

  Server type                : IMC

  IP                         : 4.4.4.2

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

# Display information about the MAC binding server ms1.

<Sysname> display portal mac-trigger-server name ms1

Portal mac trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : Not configured

  Aging time                 : 120 seconds

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

Table 22 Command output

Field

Description

Portal mac trigger server name

Name of the MAC binding server.

Version

Version of the portal protocol:

·     1.0—Version 1.

·     2.0—Version 2.

·     3.0—Version 3.

Server type

Type of the MAC binding server:

·     CMCC—CMCC server.

·     IMC—IMC server.

IP

IP address of the MAC binding server.

Port

UDP port number on which the MAC binding server listens for MAC binding query packets.

VPN instance

MPLS L3VPN instance where the MAC binding server resides.

Aging time

Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires.

NAS-Port-Type

NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server.

Binding retry times

Maximum number of attempts for sending MAC binding queries to the MAC binding server.

Binding retry interval

Interval at which the device sends MAC binding queries to the MAC binding server.

Authentication timeout

Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.

display portal mac-trigger-server packet statistics

Use display portal mac-trigger-server packet statistics to display statistics for messages exchanged between the device and MAC binding servers.

Syntax

display portal mac-trigger-server packet statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display statistics for messages exchanged between the device and MAC binding servers.

<Sysname> display portal mac-trigger-server packet statistics

Packets sent:

  User online notifications:                       0

  User offline notifications:                      0

  MAC binding queries:                             0

    Retries:                                       0

    MaxRetryCount reached:                         0

    Sending failures:                              0

Packets received:

  MAC binding responses:                           0

    Binding:                                       0

    Nobinding:                                     0

    Checksum failures:                             0

Table 23 Command output

Field

Description

Packets sent

Number of messages that the device sent to MAC binding servers.

User online notifications

Number of notification messages indicating that users came online.

User offline notifications

Number of notification messages indicating that users went offline.

MAC binding queries

Number of MAC binding queries sent to MAC binding servers.

Retries

Number of times that the device attempted to retransmit MAC binding queries.

MaxRetryCount reached

Number of times that the maximum number of retransmissions was reached.

Sending failures

Number of transmission failures.

Packets received

Number of messages that the device received from MAC binding servers.

MAC binding responses

Number of MAC binding responses received from MAC binding servers.

Binding

Number of MAC binding responses indicating that user MAC addresses are bound to the user accounts.

Nobinding

Number of MAC binding responses indicating that user MAC addresses are not bound to user accounts.

Checksum failures

Number of MAC binding responses with checksum failures.

Related commands

display portal packet statistics

reset portal mac-trigger-server packet statistics

display portal packet statistics

Use display portal packet statistics to display packet statistics for portal authentication servers.

Syntax

display portal packet statistics [ server server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a portal authentication server, this command displays packet statistics for all portal authentication servers.

Usage guidelines

This command displays statistics on packets the device sent to and received from portal authentication servers.

Examples

# Display packet statistics for portal authentication server pts.

<Sysname> display portal packet statistics server pts

Portal server :  pts

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_CHALLENGE                       3        0        0

 ACK_CHALLENGE                       3        0        0

 REQ_AUTH                            3        0        0

 ACK_AUTH                            3        0        0

 REQ_LOGOUT                          1        0        0

 ACK_LOGOUT                          1        0        0

 AFF_ACK_AUTH                        3        0        0

 NTF_LOGOUT                          1        0        0

 REQ_INFO                            6        0        0

 ACK_INFO                            6        0        0

 NTF_USERDISCOVER                    0        0        0

 NTF_USERIPCHANGE                    0        0        0

 AFF_NTF_USERIPCHAN                  0        0        0

 ACK_NTF_LOGOUT                      1        0        0

 NTF_HEARTBEAT                       0        0        0

 NTF_USER_HEARTBEAT                  2        0        0

 ACK_NTF_USER_HEARTBEAT              0        0        0

 NTF_CHALLENGE                       0        0        0

 NTF_USER_NOTIFY                     0        0        0

 AFF_NTF_USER_NOTIFY                 0        0        0

Table 24 Command output

Field

Description

Invalid packets

Number of invalid packets.

Portal server

Name of the portal authentication server.

Pkt-Type

Packet type.

Total

Total number of packets.

Drops

Number of dropped packets.

Errors

Number of packets that carry error information.

REQ_CHALLENGE

Challenge request packet the portal authentication server sent to the access device.

ACK_CHALLENGE

Challenge acknowledgment packet the access device sent to the portal authentication server.

REQ_AUTH

Authentication request packet the portal authentication server sent to the access device.

ACK_AUTH

Authentication acknowledgment packet the access device sent to the portal authentication server.

REQ_LOGOUT

Logout request packet the portal authentication server sent to the access device.

ACK_LOGOUT

Logout acknowledgment packet the access device sent to the portal authentication server.

AFF_ACK_AUTH

Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet.

NTF_LOGOUT

Forced logout notification packet the access device sent to the portal authentication server.

REQ_INFO

Information request packet.

ACK_INFO

Information acknowledgment packet.

NTF_USERDISCOVER

User discovery notification packet the portal authentication server sent to the access device.

NTF_USERIPCHANGE

User IP change notification packet the access device sent to the portal authentication server.

AFF_NTF_USERIPCHAN

User IP change success notification packet the portal authentication server sent to the access device.

ACK_NTF_LOGOUT

Forced logout acknowledgment packet the portal authentication server sent to the access device.

NTF_HEARTBEAT

Server heartbeat packet the portal authentication server periodically sent to the access device.

NTF_USER_HEARTBEAT

User synchronization packet the portal authentication server sent to the access device.

ACK_NTF_USER_HEARTBEAT

User synchronization acknowledgment packet the access device sent to the portal authentication server.

NTF_CHALLENGE

Challenge request packet the access device sent to the portal authentication server.

NTF_USER_NOTIFY

User information notification packet the access device sent to the portal authentication server.

AFF_NTF_USER_NOTIFY

NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.

Related commands

reset portal packet statistics

display portal server

Use display portal server to display information about portal authentication servers.

Syntax

display portal server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal authentication servers.

Examples

# Display information about the portal authentication server pts.

<Sysname> display portal server pts

Portal server: pts

  Type                  : IMC

  IP                    : 192.168.0.111

  VPN instance          : Not configured

  Port                  : 50100

  Server detection      : Timeout 60s  Action: log

  User synchronization  : Timeout 200s

  Status                : Up

  Exclude-attribute     : Not configured

  Logout notification   : Retry 3 interval 5s

Table 25 Command output

Field

Description

Type

Portal authentication server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

Portal server

Name of the portal authentication server.

IP

IP address of the portal authentication server.

VPN instance

MPLS L3VPN instance where the portal authentication server resides.

Port

Listening port on the portal authentication server.

Server detection

Parameters for portal authentication server detection:

·     Detection timeout in seconds.

·     Action (log) triggered by a change in the reachability status of the portal authentication server.

User synchronization

User idle timeout in seconds for portal user synchronization.

Status

Reachability status of the portal authentication server:

·     Up—This value indicates one of the following conditions:

    ·     Portal authentication server detection is disabled.

    ·     Portal authentication server detection is enabled and the server is reachable.

·     Down—Portal authentication server detection is enabled and the server is unreachable.

Exclude-attribute

Attribute fields not carried in portal protocol packets.

Logout notification

Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet.

Related commands

portal server

server-detect (portal authentication server view)

user-sync

display portal session user-type

Use display portal session user-type to display session information for portal users or portal-based IPoE authentication users.

Syntax

display portal session user-type { ipoe | portal }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipoe: Specifies portal-based IPoE authentication users.

portal: Specifies portal users.

Examples

# Display information about sessions for portal-based IPoE authentication users.

<Sysname> display portal session user-type ipoe

Total IPoE sessions: 1

 IP address: 1:2::3:5

 MAC address: 1212-1212-1211

 Interface: XGE3/1/1                    User type: IPoE

 Creation time: 2022-05-31 16:13:35

 Status: Online

# Display information about sessions for portal users.

<Sysname> display portal session user-type portal

Total Portal sessions: 1

 IP address: 1:2::3:5

 MAC address: 1212-1212-1211

 Interface: XGE3/1/1                    User type: Portal

 Creation time: 2022-05-31 16:13:35

 Status: Online

Table 26 Command output

Field

Description

Total IPoE sessions

Total number of sessions for IPoE authentication users.

Total Portal sessions

Total number of sessions for portal users.

IP address

IP address of a user.

MAC address

MAC address of the user.

Interface

Access interface of the user.

Creation time

Session creation time.

Status

Status of the portal authentication state machine:

·     Initial.

·     Authenticating.

·     Continue.

·     Authenticated.

·     Assigning new IP.

·     Assigned new IP.

·     Online.

·     Waiting.

·     Offline.

User type

Type of the user:

·     IPoE—Portal-based IPoE authentication users.

·     Portal—Portal users.

exclude-attribute

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number [ ack-auth | ack-challenge | ack-info | ack-logout | ack-ntf-user-heartbeat | ntf-challenge | ntf-logout | ntf-useripchange | ntf-user-notify ]

undo exclude-attribute number [ ack-auth | ack-challenge | ack-info | ack-logout | ack-ntf-user-heartbeat | ntf-challenge | ntf-logout | ntf-useripchange | ntf-user-notify ]

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number, in the range of 1 to 255. If you do not specify any portal protocol packet type after this argument, the device excludes the specified attribute from all portal protocol packets.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ack-challenge: Excludes the attribute from ACK_CHALLENGE packets.

ack-info: Excludes the attribute from ACK_INFO packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

ack-ntf-user-heartbeat: Excludes the attribute from ACK_NTF_USER_HEARTBEAT packets.

ntf-challenge: Excludes the attribute from NTF_CHALLENGE packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

ntf-user-notify: Excludes the attribute from NTF_USER_NOTIFY packets.

ntf-useripchange: Excludes the attribute from NTF_USERIPCHANGE packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (for example, ack-auth, ntf-logout, and ack-logout).

Table 27 describes all attributes of the portal protocol.

Table 27 Portal attributes

Name

Number

Description

UserName

1

Name of the user to be authenticated.

PassWord

2

User password in plaintext form.

Challenge

3

Random challenge for CHAP authentication.

ChapPassWord

4

CHAP password encrypted by MD5.

TextInfo

5

The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.

The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.

UpLinkFlux

6

Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.

DownLinkFlux

7

Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.

Port

8

Port information, a string excluding the end character '\0'.

IP-Config

9

This attribute has different meanings in different types of packets.

·     The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP.

·     The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.

BAS-IP

10

IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.

Session-ID

11

Identifier of a portal user. Generally, the value of this attribute is the MAC address of the portal user.

Delay-Time

12

Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets.

User-List

13

List of IP addresses of an IPv4 portal user.

EAP-Message

14

An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.

User-Notify

15

Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.

BAS-IPv6

16

IPv6 address of the access device.

UserIPv6-List

101

List of IPv6 addresses of an IPv6 portal user.

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth
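The following is an added example, not H3C code: it models what the exclude-attribute configuration does to the attributes of an outgoing portal packet, using the attribute numbers from Table 27 and the packet-type keywords from the command syntax. The wire encoding is not modelled, and the behaviour of undo against an all-packets exclusion is an assumption noted in the comments.

```python
# Added example, not H3C code: a model of what exclude-attribute does to
# outgoing portal packets. Attribute numbers come from Table 27 and packet-type
# keywords from the command syntax; the wire encoding is not modelled, only
# which attributes a packet may still carry after the exclusions are applied.

# Packet types that the command can name (from the syntax line).
PACKET_TYPES = frozenset({
    "ack-auth", "ack-challenge", "ack-info", "ack-logout",
    "ack-ntf-user-heartbeat", "ntf-challenge", "ntf-logout",
    "ntf-useripchange", "ntf-user-notify",
})

# Attribute number -> name (Table 27, Portal attributes).
PORTAL_ATTRIBUTES = {
    1: "UserName", 2: "PassWord", 3: "Challenge", 4: "ChapPassWord",
    5: "TextInfo", 6: "UpLinkFlux", 7: "DownLinkFlux", 8: "Port",
    9: "IP-Config", 10: "BAS-IP", 11: "Session-ID", 12: "Delay-Time",
    13: "User-List", 14: "EAP-Message", 15: "User-Notify", 16: "BAS-IPv6",
    101: "UserIPv6-List",
}


class PortalServerView:
    """Exclude-attribute state of one portal authentication server view."""

    def __init__(self, name):
        self.name = name
        # attribute number -> set of packet types, or None for "all packets"
        self._excluded = {}

    def exclude_attribute(self, number, *packet_types):
        """exclude-attribute number [ packet-type ... ]"""
        if not 1 <= number <= 255:
            raise ValueError("attribute number must be in the range 1 to 255")
        unknown = set(packet_types) - PACKET_TYPES
        if unknown:
            raise ValueError(f"unknown packet type(s): {sorted(unknown)}")
        if not packet_types:
            # No packet type given: exclude from all portal protocol packets.
            self._excluded[number] = None
        elif self._excluded.get(number, set()) is None:
            # Already excluded from every packet type; a narrower exclusion
            # adds nothing (assumption of this model).
            pass
        else:
            # Packet types accumulate across repeated commands for one attribute.
            self._excluded.setdefault(number, set()).update(packet_types)

    def undo_exclude_attribute(self, number, *packet_types):
        """undo exclude-attribute number [ packet-type ... ]"""
        if number not in self._excluded:
            return
        if not packet_types or self._excluded[number] is None:
            # Undo without packet types, or undo of an all-packets exclusion,
            # removes the whole entry (assumption of this model).
            del self._excluded[number]
            return
        self._excluded[number].difference_update(packet_types)
        if not self._excluded[number]:
            del self._excluded[number]

    def is_excluded(self, number, packet_type):
        types = self._excluded.get(number, set())
        return types is None or packet_type in types

    def filter_packet(self, packet_type, attribute_numbers):
        """Split the attributes of an outgoing packet into (kept, dropped)."""
        if packet_type not in PACKET_TYPES:
            raise ValueError(f"unknown packet type: {packet_type}")
        kept, dropped = [], []
        for number in attribute_numbers:
            (dropped if self.is_excluded(number, packet_type) else kept).append(number)
        return kept, dropped


if __name__ == "__main__":
    # Reproduces the page's example: exclude UpLinkFlux (6) from ACK_AUTH only.
    pts = PortalServerView("pts")
    pts.exclude_attribute(6, "ack-auth")
    for ptype in ("ack-auth", "ack-logout"):
        kept, dropped = pts.filter_packet(ptype, [1, 6, 7, 10])
        print(ptype, "keeps", [PORTAL_ATTRIBUTES[n] for n in kept],
              "drops", [PORTAL_ATTRIBUTES[n] for n in dropped])
```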

Related commands

display portal server

free-traffic threshold

Use free-traffic threshold to specify the free-traffic threshold for portal users.

Use undo free-traffic threshold to restore the default.

Syntax

free-traffic threshold value

undo free-traffic threshold

Default

The free-traffic threshold is 0 bytes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.

Usage guidelines

After MAC-based quick portal authentication is configured, the device monitors a user's network traffic (sent and received) in real time before the MAC-trigger entry for the user ages out. A user can access the network without authentication if the user's network traffic is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.

If the user passes portal authentication, the device deletes the MAC-trigger entry and clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.

When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure.

Examples

# Specify the free-traffic threshold for portal users as 10240 bytes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240
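The following is an added example, not H3C code: a simulation of the free-traffic threshold procedure in the usage guidelines above (free access below the threshold, trigger at the threshold, entry deletion on success, no re-trigger after failure until aging, re-creation on new traffic). Time is an explicit counter in seconds, and the aging time and the authenticate callback are constructed stand-ins for the MAC-trigger entry aging timer and MAC-based quick portal authentication.

```python
# Added example, not H3C code: a simulation of the free-traffic threshold
# behaviour described in the usage guidelines. Time is an explicit counter in
# seconds; the authenticate callback stands in for MAC-based quick portal
# authentication and the aging time is a constructed parameter.


class MacTriggerEntry:
    def __init__(self, mac, created_at):
        self.mac = mac
        self.created_at = created_at
        self.traffic_bytes = 0      # sent + received, counted while the entry lives
        self.auth_failed = False    # set after a failed attempt; no re-trigger


class MacTriggerServer:
    """One portal mac-trigger-server with a free-traffic threshold."""

    def __init__(self, threshold, aging_time, authenticate):
        if not 0 <= threshold <= 10240000:
            raise ValueError("free-traffic threshold must be 0 to 10240000 bytes")
        self.threshold = threshold
        self.aging_time = aging_time
        self.authenticate = authenticate    # mac -> True if the user passes
        self.entries = {}                   # mac -> MacTriggerEntry
        self.events = []                    # (time, message) audit trail

    def _log(self, now, message):
        self.events.append((now, message))

    def _age_out(self, now):
        # Aging deletes the entry and with it the user's traffic statistics.
        for mac, entry in list(self.entries.items()):
            if now - entry.created_at >= self.aging_time:
                del self.entries[mac]
                self._log(now, f"{mac}: MAC-trigger entry aged out, statistics cleared")

    def on_traffic(self, now, mac, nbytes):
        """Account nbytes of user traffic seen at time now; return the outcome."""
        self._age_out(now)
        entry = self.entries.get(mac)
        if entry is None:
            # First traffic from the user (or first after aging): new entry.
            entry = self.entries[mac] = MacTriggerEntry(mac, now)
            self._log(now, f"{mac}: MAC-trigger entry created")
        entry.traffic_bytes += nbytes
        if entry.auth_failed:
            # A failed user is not re-triggered before the entry ages out.
            return "no-retrigger"
        if entry.traffic_bytes < self.threshold:
            # Below the threshold: network access without authentication.
            return "free"
        # Threshold reached (with threshold 0, on the very first packet).
        if self.authenticate(mac):
            del self.entries[mac]       # entry deleted, statistics cleared
            self._log(now, f"{mac}: quick portal authentication passed")
            return "authenticated"
        entry.auth_failed = True
        self._log(now, f"{mac}: quick portal authentication failed")
        return "auth-failed"


if __name__ == "__main__":
    srv = MacTriggerServer(threshold=10240, aging_time=60,
                           authenticate=lambda mac: mac.endswith("0001"))
    for t, mac, size in [(0, "0001-0001-0001", 6000), (1, "0001-0001-0001", 6000),
                         (2, "0002-0002-0002", 20000), (3, "0002-0002-0002", 10),
                         (70, "0002-0002-0002", 20000)]:
        print(t, mac, size, "->", srv.on_traffic(t, mac, size))
```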

Related commands

display mac-trigger-server

ip (MAC binding server view)

Use ip to specify the IP address of a MAC binding server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ip

Default

The IP address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of a MAC binding server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the MAC binding server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the MAC binding server belongs to the public network, do not specify this option.

key: Specifies a shared key for securing communication between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify 192.168.0.111 as the IP address of MAC binding server mts and specify plaintext key portal for securing communication between the device and the MAC binding server.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal

Related commands

display mac-trigger-server

ip (portal authentication server view)

Use ip to specify the IPv4 address of a portal authentication server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ip

Default

The IPv4 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the portal authentication server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.

key: Specifies a shared key for securing communication between the device and the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv4 address. Therefore, in portal authentication server view, only one IPv4 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv4 address and MPLS L3VPN for different portal authentication servers.

Examples

# Specify 192.168.0.111 as the IPv4 address of portal authentication server pts and specify plaintext key portal for securing communication between the device and the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal

Related commands

display portal server

portal server

ipv6

Use ipv6 to specify the IPv6 address of a portal authentication server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ipv6

Default

The IPv6 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the portal authentication server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.

key: Specifies a shared key for securing the communication between the device and the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv6 address. Therefore, in portal authentication server view, only one IPv6 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers.

Examples

# Specify 2000::1 as the IPv6 address of portal authentication server pts and specify plaintext key portal for securing the communication between the device and the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ipv6 2000::1 key simple portal

Related commands

display portal server

portal server

logon-page bind

Use logon-page bind to bind an endpoint name to an authentication page file.

Use undo logon-page bind to unbind the endpoint name from the authentication page file.

Syntax

logon-page bind device-name device-name file file-name

undo logon-page bind { all | device-name device-name }

Default

No endpoint name is bound to an authentication page file.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

all: Specifies all endpoint names.

device-name device-name: Specifies an endpoint name, a case-sensitive string of 1 to 127 characters. The specified endpoint name must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.

file file-name: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

Usage guidelines

This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the user endpoint name.

When a Web user triggers local portal authentication, the device searches for a binding that matches the user's endpoint name.

·     If the binding exists, the device pushes the bound authentication pages to the user.

·     If the binding does not exist, the device pushes the default authentication pages to the user. If the default authentication page file is not specified (by using the default-logon-page command), the user cannot perform local portal authentication.

When you configure this command, follow these restrictions and guidelines:

·     If the name or content of the file in a binding entry is changed, you must reconfigure the binding.

·     To reconfigure or modify a binding, simply re-execute this command without canceling the existing binding.

·     If you execute this command multiple times to bind an endpoint name to different authentication page files, the most recent configuration takes effect.

·     You can configure multiple binding entries on the device.

Examples

# Create an HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

# Bind endpoint name iphone to authentication page file file2.zip.

[Sysname-portal-local-websvr-http] logon-page bind device-name iphone file file2.zip

Related commands

default-logon-page

portal local-web-server

logout-notify

Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.

Use undo logout-notify to restore the default.

Syntax

logout-notify retry retries interval interval

undo logout-notify

Default

The device does not retransmit a logout notification packet.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

retry retries: Specifies the maximum number of retries, in the range of 1 to 5.

interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.

Usage guidelines

A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.

After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.

Examples

# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] portal server pt

[Sysname-portal-server-pt] logout-notify retry 3 interval 5

Related commands

display portal server

nas-port-type

Use nas-port-type to set the NAS-Port-Type attribute value carried in RADIUS requests sent to the RADIUS server.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type value

undo nas-port-type

Default

The NAS-Port-Type attribute value carried in RADIUS requests is not set.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the NAS-Port-Type attribute value in the range of 1 to 255.

Usage guidelines

Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type attribute value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type attribute value required by the MAC binding server.

Examples

# Set the NAS-Port-Type attribute value to 30 for RADIUS requests sent to MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] nas-port-type 30

Related commands

display mac-trigger-server

port (MAC binding server view)

Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The MAC binding server listens for MAC binding query packets on UDP port 50100.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening UDP port number in the range of 1 to 65534.

Usage guidelines

The specified port number must be the same as the query listening port number configured on the MAC binding server.

Examples

# Set the UDP port number to 1000 for MAC binding server mts to listen for MAC binding query packets.

<sysname> system-view

[sysname] portal mac-trigger-server mts

[sysname-portal-mac-trigger-server-mts] port 1000

Related commands

display mac-trigger-server

port (portal authentication server view)

Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The device uses 50100 as the destination UDP port number for unsolicited portal packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.

Usage guidelines

The specified port must be the port on which the portal authentication server listens for portal packets.

Examples

# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] port 50000

Related commands

portal server

portal { bas-ip | bas-ipv6 } (system view/interface view)

Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal notification packets sent to the portal authentication server.

Use undo portal { bas-ip | bas-ipv6 } to restore the default.

Syntax

portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }

undo portal { bas-ip | bas-ipv6 }

Default

The BAS-IP attribute value of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the packet's output interface.

The BAS-IPv6 attribute value of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet's output interface.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the BAS-IP attribute value for portal notification packets sent to the portal authentication server. This attribute must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address.

ipv6-address: Specifies the BAS-IPv6 attribute value for portal notification packets sent to the portal authentication server. This attribute must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all-0 address, or a link-local address.

Usage guidelines

To avoid portal user offline failure and re-DHCP portal authentication failure, the BAS-IP or BAS-IPv6 attribute must be the same as the device IP address on the portal authentication server. Use this command to configure the BAS-IP or BAS-IPv6 attribute value as the device IP address specified on the portal authentication server. The device uses the BAS-IP or BAS-IPv6 attribute value as the source IP address of portal notification packets sent to the portal authentication server.

This command takes effect only on unsolicited portal notification packets sent to the portal authentication server. For IPv4 portal reply packets, the BAS-IP attribute value is the source IPv4 address of the packets. For IPv6 portal reply packets, the BAS-IPv6 attribute value is the source IPv6 address of the packets.

The global BAS-IP or BAS-IPv6 configuration made in system view takes effect on all interfaces. For an interface, the interface-specific BAS-IP or BAS-IPv6 configuration takes precedence over the global configuration.

Examples

# Globally configure the BAS-IP attribute as 2.2.2.2 for portal notification packets sent to the portal authentication server.

<Sysname> system-view

[Sysname] portal bas-ip 2.2.2.2

# On interface Ten-GigabitEthernet 3/1/1, configure the BAS-IP attribute as 2.2.2.2 for portal notification packets sent to the portal authentication server.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] portal bas-ip 2.2.2.2
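The following is an added example, not H3C code: it checks a candidate BAS-IP or BAS-IPv6 value against the restrictions listed under Parameters and resolves the value that applies to a given output interface (interface view over system view, and the output interface address when neither is configured). The interface table it takes is a constructed stand-in for the device's interface addresses.

```python
# Added example, not H3C code: validation of BAS-IP / BAS-IPv6 values per the
# Parameters restrictions, plus the precedence rule from the usage guidelines
# (interface-specific over global over the output interface address).
# The interface table is constructed input, not real device configuration.
import ipaddress

CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")


def validate_bas_ip(addr, interface_ipv4s):
    """Return the IPv4 address if it is an allowed BAS-IP value, else raise."""
    ip = ipaddress.IPv4Address(addr)
    if ip in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("1.1.1.1")):
        raise ValueError(f"BAS-IP {ip}: 0.0.0.0 and 1.1.1.1 are not allowed")
    if ip.is_multicast:                     # class D
        raise ValueError(f"BAS-IP {ip}: class D address")
    if ip in CLASS_E:                       # class E
        raise ValueError(f"BAS-IP {ip}: class E address")
    if ip.is_loopback:
        raise ValueError(f"BAS-IP {ip}: loopback address")
    if ip not in interface_ipv4s:
        raise ValueError(f"BAS-IP {ip}: not an interface address on this device")
    return ip


def validate_bas_ipv6(addr, interface_ipv6s):
    """Return the IPv6 address if it is an allowed BAS-IPv6 value, else raise."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_multicast:
        raise ValueError(f"BAS-IPv6 {ip}: multicast address")
    if ip.is_unspecified:
        raise ValueError(f"BAS-IPv6 {ip}: all-zero address")
    if ip.is_link_local:
        raise ValueError(f"BAS-IPv6 {ip}: link-local address")
    if ip not in interface_ipv6s:
        raise ValueError(f"BAS-IPv6 {ip}: not an interface address on this device")
    return ip


class PortalBasConfig:
    """Global (system view) and per-interface (interface view) BAS-IP settings."""

    def __init__(self, interfaces):
        # interfaces: {name: {"ipv4": "a.b.c.d" or None, "ipv6": "..." or None}}
        self.interfaces = {
            name: {
                "ipv4": ipaddress.IPv4Address(c["ipv4"]) if c.get("ipv4") else None,
                "ipv6": ipaddress.IPv6Address(c["ipv6"]) if c.get("ipv6") else None,
            }
            for name, c in interfaces.items()
        }
        self.global_cfg = {"bas-ip": None, "bas-ipv6": None}
        self.interface_cfg = {n: {"bas-ip": None, "bas-ipv6": None}
                              for n in self.interfaces}

    @staticmethod
    def _family(keyword):
        if keyword == "bas-ip":
            return "ipv4"
        if keyword == "bas-ipv6":
            return "ipv6"
        raise ValueError(f"unknown keyword: {keyword}")

    def _device_addrs(self, family):
        return {c[family] for c in self.interfaces.values() if c[family] is not None}

    def configure(self, keyword, addr, interface=None):
        """portal { bas-ip | bas-ipv6 } addr, in system view or interface view."""
        family = self._family(keyword)
        validator = validate_bas_ip if family == "ipv4" else validate_bas_ipv6
        ip = validator(addr, self._device_addrs(family))
        target = self.global_cfg if interface is None else self.interface_cfg[interface]
        target[keyword] = ip
        return ip

    def undo(self, keyword, interface=None):
        """undo portal { bas-ip | bas-ipv6 }: restore the default."""
        self._family(keyword)
        target = self.global_cfg if interface is None else self.interface_cfg[interface]
        target[keyword] = None

    def effective(self, keyword, output_interface):
        """Attribute value used for a notification packet leaving output_interface."""
        family = self._family(keyword)
        per_interface = self.interface_cfg[output_interface][keyword]
        if per_interface is not None:       # interface view takes precedence
            return per_interface
        if self.global_cfg[keyword] is not None:
            return self.global_cfg[keyword]  # then the system view setting
        return self.interfaces[output_interface][family]  # default: output interface
```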

Related commands

display portal

portal access-info trust

Use portal access-info trust to configure the device to obtain user information from ARP or ND entries.

Use undo portal access-info trust to restore the default.

Syntax

portal access-info trust { arp | nd }

undo portal access-info trust { arp | nd }

Default

The device obtains user information from FIB entries.

Views

System view

Predefined user roles

network-admin

Parameters

arp: Obtains user information from ARP entries.

nd: Obtains user information from ND entries.

Usage guidelines

In an IPoE Web authentication network, when the device receives portal packets from the portal authentication server, it obtains user access information to complete authentication for users.

By default, the device obtains the user access information from FIB entries in the VPN instance of the portal authentication server. In the following situations, however, the device cannot obtain user access information from the FIB, and therefore users cannot pass Web authentication:

·     The DHCP access users and the portal authentication server belong to different VPN instances.

·     The user access interface is not bound to a VPN instance.

To resolve this issue, you can configure this feature on the device. When this feature is enabled, the device first attempts to obtain user access information from ARP or ND entries during Web authentication. If the attempt fails, the device obtains user access information from UCM user entries.

As a best practice, configure this feature in all IPoE Web authentication scenarios.

To use this feature, make sure the VPN instances do not have overlapping IP addresses. Otherwise, this feature cannot ensure normal user logins.

Examples

# Configure the device to get user access information from ARP entries.

<Sysname> system-view

[Sysname] portal access-info trust arp

portal apply mac-trigger-server

Use portal apply mac-trigger-server to specify a MAC binding server.

Use undo portal apply mac-trigger-server to restore the default.

Syntax

portal apply mac-trigger-server server-name

undo portal apply mac-trigger-server

Default

No MAC binding server is specified.

Views

Interface view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Only IPv4 direct authentication supports MAC-based quick authentication.

For MAC-based quick portal authentication to take effect, perform the following tasks:

·     Configure normal portal authentication.

·     Configure a MAC binding server.

·     Specify the MAC binding server on a portal enabled interface.

Examples

# Specify MAC binding server mts on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] portal apply mac-trigger-server mts

Related commands

portal mac-trigger-server

portal local-web-server

Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.

Use undo portal local-web-server to delete the HTTP- or HTTPS-based local portal Web service.

Syntax

portal local-web-server { http | https ssl-server-policy policy-name [ tcp-port port-number ] }

undo portal local-web-server { http | https }

Default

No local portal Web service exists.

Views

System view

Predefined user roles

network-admin

Parameters

http: Specifies the HTTP-based local portal Web service, which uses HTTP to exchange authentication information with clients.

https: Specifies the HTTPS-based local portal Web service, which uses HTTPS to exchange authentication information with clients.

ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters.

tcp-port port-number: Specifies the listening TCP port number for the HTTPS-based local portal Web service. The value range for the port-number argument is 1 to 65535. The default port number is 443.

Usage guidelines

In the local portal Web service, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.

For an interface to use the local portal Web service, the URL of the portal Web server specified for the interface must meet the following requirements:

·     The IP address in the URL must be the IP address of a Layer 3 interface on the device (127.0.0.1 is not allowed), and the IP address must be reachable by portal clients.

·     The URL must end with /portal/. For example: http://1.1.1.1/portal/.

You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.

To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service.

When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines:

·     For HTTPS-based local portal Web service and other services that use HTTPS:

¡     If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡     If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

·     Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS) or other service.

·     Do not configure the same TCP port number for HTTP-based local portal Web service and HTTPS-based local portal Web service.

Examples

# Create an HTTP-based local portal Web service and enter its view.

<Sysname> system-view

[Sysname] portal local-web-server http

# Create an HTTPS-based local portal Web service and associate SSL server policy policy1 with the service.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1

# Change the associated SSL server policy to policy2.

[Sysname] undo portal local-web-server https

[Sysname] portal local-web-server https ssl-server-policy policy2

# Create an HTTPS-based local portal Web service. In the service, the associated SSL server policy is policy1 and the listening port number is 442.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442

[Sysname-portal-local-websvr-https] quit

Related commands

default-logon-page

ssl server-policy

portal mac-trigger-server

Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server.

Use undo portal mac-trigger-server to delete the MAC binding server.

Syntax

portal mac-trigger-server server-name

undo portal mac-trigger-server server-name

Default

No MAC binding servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

After you create a MAC binding server, you can configure MAC binding server parameters, such as the server's IP address, port number, VPN instance, and the pre-shared key for communication between the access device and the server.

Examples

# Create the MAC binding server mts and enter its view.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts]

Related commands

display mac-trigger-server

portal apply mac-trigger-server

portal server

Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.

Use undo portal server to delete the specified portal authentication server.

Syntax

portal server server-name

undo portal server server-name

Default

No portal authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In portal authentication server view, you can configure the following parameters and features for the portal authentication server:

·     IP address of the server.

·     Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

·     MPLS L3VPN where the portal authentication server resides.

·     Pre-shared key for communication between the access device and the server.

·     Server detection feature.

You can configure multiple portal authentication servers for an access device.

Examples

# Create the portal authentication server pts and enter its view.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts]

Related commands

display portal server

reset portal ip-subscriber message statistics

Use reset portal ip-subscriber message statistics to clear statistics for messages exchanged between portal and IPoE.

Syntax

reset portal ip-subscriber message statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear statistics for messages exchanged between portal and IPoE.

<Sysname> reset portal ip-subscriber message statistics

Related commands

display portal ip-subscriber message statistics

reset portal mac-trigger-server packet statistics

Use reset portal mac-trigger-server packet statistics to clear statistics for messages exchanged between the device and MAC binding servers.

Syntax

reset portal mac-trigger-server packet statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear statistics for messages exchanged between the device and MAC binding servers.

<Sysname> reset portal mac-trigger-server packet statistics

Related commands

display portal mac-trigger-server packet statistics

reset portal packet statistics

Use reset portal packet statistics to clear packet statistics for portal authentication servers.

Syntax

reset portal packet statistics [ server server-name ]

Views

User view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server server-name argument, this command clears packet statistics for all portal authentication servers.

Examples

# Clear packet statistics for portal authentication server pts.

<Sysname> reset portal packet statistics server pts

Related commands

display portal packet statistics

server-detect (portal authentication server view)

Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.

Use undo server-detect to disable portal authentication server detection.

Syntax

server-detect [ timeout timeout ] { log | trap } *

undo server-detect

Default

Portal authentication server detection is disabled.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.

{ log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal authentication server. You can select one of the following options or both:

·     log—When reachability status of the portal authentication server changes, the device sends a log message. The log message contains the name, the original state, and the current state of the portal authentication server.

·     trap—When reachability status of the portal authentication server changes, the device sends a trap message to the NMS. The trap message contains the name and the current state of the portal authentication server.

Usage guidelines

The device determines a portal authentication server is reachable if the device receives a correct portal packet from the server before the detection timeout expires.

To test server reachability by detecting heartbeat packets, you must enable the server heartbeat feature on the portal authentication server. Only the IMC portal authentication server supports sending heartbeat packets.

The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server.

Examples

# Enable server detection for the portal authentication server pts:

·     Set the detection timeout to 600 seconds.

·     Configure the device to send a log message and a trap message if the server reachability status changes.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-detect timeout 600 log trap

Related commands

portal server

server-register

Use server-register to enable the device to register with a portal authentication server and to set the register interval.

Use undo server-register to restore the default.

Syntax

server-register [ interval interval-value ]

undo server-register

Default

The device does not register with a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the register interval in the range of 1 to 3600 seconds. The default interval is 600 seconds.

Usage guidelines

This feature is typically used in scenarios where a NAT device exists between a portal authentication server and an access device.

Without this feature, the administrator must configure a static NAT mapping for each access device on the NAT device, which is a heavy workload when many access devices exist. After this feature is enabled, the access device automatically sends register packets to the portal authentication server. A register packet carries the access device name. When the server receives the register packet, it records register information for the access device, including the device name and the IP address and port number after NAT. The server uses this register information for subsequent authentication exchanges with the access device. The access device refreshes its register information on the server by sending register packets at the configured interval.

Only CMCC portal authentication servers support this feature.

Examples

# Configure the device to register with the portal authentication server at intervals of 120 seconds.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-register interval 120

Related commands

server-type

server-type

Use server-type to specify the type of a portal authentication server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the portal authentication server is IMC.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the portal server type as CMCC.

imc: Specifies the portal server type as IMC.

Usage guidelines

The server type specified on the device must match the type of the portal authentication server actually deployed.

Examples

# Specify the type of the portal authentication server as cmcc.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-type cmcc

Related commands

display portal server

server-type (MAC binding server view)

Use server-type to specify the type of a MAC binding server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the MAC binding server is IMC.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the MAC binding server type as CMCC.

imc: Specifies the MAC binding server type as IMC.

Examples

# Specify the type of the MAC binding server as cmcc.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] server-type cmcc

tcp-port

Use tcp-port to configure a listening TCP port for the local portal Web service.

Use undo tcp-port to restore the default.

Syntax

tcp-port port-number

undo tcp-port

Default

The listening TCP port number for HTTP is 80. The listening TCP port number for HTTPS is the TCP port number set by using the portal local-web-server command.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening TCP port number in the range of 1 to 65535.

Usage guidelines

To use the local portal Web service, make sure the port number in the portal Web server URL and the port number configured in this command are the same.

For successful local portal authentication, follow these guidelines:

·     Do not configure the listening TCP port number for the local portal Web service as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.

·     Do not configure the HTTP listening port number as the default HTTPS listening port number 443.

·     Do not configure the HTTPS listening port number as the default HTTP listening port number 80.

·     Do not configure the same listening port number for HTTP and HTTPS.

·     For the HTTPS-based local portal Web service and other services that use HTTPS:

¡     If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡     If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.
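The URL and port rules given for portal local-web-server and for tcp-port are easy to get wrong together, so the following checker applies both to a proposed configuration. It is an added example written for this page, not Comware code: the function names, the argument layout and the table of well-known ports are the editor's choices (the page names only FTP/21 and Telnet/23; SSH/22, SMTP/25 and DNS/53 are added here as assumptions), and the table should be extended to match the services actually running on the device.

```python
"""Configuration checks for the local portal Web service.

Added example for this page; not Comware code. It applies the URL and port
rules stated for the portal local-web-server and tcp-port commands to a
proposed configuration and reports every rule it breaks.
"""
from urllib.parse import urlsplit

# Ports of well-known protocols that the portal listeners must avoid. The page
# names only FTP (21) and Telnet (23); the other entries are assumptions and
# should be extended to the services actually present on the device.
WELL_KNOWN_TCP = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
                  53: "DNS", 80: "HTTP", 443: "HTTPS"}


def check_portal_listeners(http_port, https_port, https_policy, other_https=()):
    """Check the listening ports of the HTTP- and HTTPS-based local portal
    Web services (None = that service is not configured).

    other_https lists other HTTPS services on the device as
    (service_name, port, ssl_policy) tuples. Returns a list of violations;
    an empty list means the port layout is acceptable."""
    problems = []
    for label, port in (("HTTP", http_port), ("HTTPS", https_port)):
        if port is None:
            continue
        if not 1 <= port <= 65535:
            problems.append(f"{label}: port {port} is outside 1-65535")
            continue
        # A listener may only sit on the well-known port of its own protocol;
        # this also rejects HTTP on 443 and HTTPS on 80.
        if port in WELL_KNOWN_TCP and WELL_KNOWN_TCP[port] != label:
            problems.append(f"{label}: port {port} belongs to {WELL_KNOWN_TCP[port]}")
    if http_port is not None and http_port == https_port:
        problems.append(f"HTTP and HTTPS services both listen on {http_port}")
    if https_port is not None:
        # Sharing the HTTPS port with another HTTPS service is allowed only
        # when both use the same SSL server policy.
        for name, port, policy in other_https:
            if port == https_port and policy != https_policy:
                problems.append(f"HTTPS: port {port} is shared with {name}, "
                                f"which uses SSL policy {policy}, not {https_policy}")
    return problems


def check_portal_url(url, device_l3_ips, http_port, https_port):
    """Check the portal Web server URL an interface would use against the
    local portal Web service: the host must be a non-loopback Layer 3
    interface address of the device, the path must end with /portal/, and
    the port must equal the listening port of the matching service."""
    problems = []
    u = urlsplit(url)
    if u.scheme not in ("http", "https"):
        return [f"unsupported scheme {u.scheme!r}"]
    if u.hostname == "127.0.0.1" or u.hostname not in device_l3_ips:
        problems.append(f"host {u.hostname} is not a usable Layer 3 interface address")
    if not u.path.endswith("/portal/"):
        problems.append("URL must end with /portal/")
    listening = http_port if u.scheme == "http" else https_port
    url_port = u.port or (80 if u.scheme == "http" else 443)
    if listening is None:
        problems.append(f"no {u.scheme.upper()}-based local portal Web service is configured")
    elif url_port != listening:
        problems.append(f"URL port {url_port} differs from listening port {listening}")
    return problems


if __name__ == "__main__":
    # Constructed configuration: HTTP on 2331, HTTPS on 442 with policy1, and a
    # management HTTPS service on 442 bound to a different policy.
    print(check_portal_listeners(2331, 442, "policy1",
                                 [("web-mgmt", 442, "policy2")]))
    print(check_portal_url("http://1.1.1.1:2331/portal/", {"1.1.1.1"}, 2331, 442))
```

Run it before committing a port change: an empty list from both functions means the URL in the interface's portal Web server configuration and the listening ports of the local service agree with the rules above.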

Examples

# Set the HTTP listening port number to 2331 for the HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] tcp-port 2331

Related commands

portal local-web-server

user-sync

Use user-sync to enable portal user synchronization for a portal authentication server.

Use undo user-sync to disable portal user synchronization for a portal authentication server.

Syntax

user-sync timeout timeout

undo user-sync

Default

Portal user synchronization is disabled for a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds.

Usage guidelines

After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server. In this way, information about online portal users on the device and on the portal authentication server remains consistent.

Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Currently, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, configure the user heartbeat feature on the portal authentication server, and make sure the user heartbeat interval configured on the server is not greater than the synchronization detection timeout configured on the access device.

Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.

If you execute this command multiple times, the most recent configuration takes effect.

If a user that is online on the device does not appear in the synchronization packets from the portal authentication server before the detection timeout expires, the device treats the user as nonexistent on the server, deletes the user's information, and logs the user out.

If a user reported in a synchronization packet from the portal authentication server is not online on the device, the device places the user's IP address in the user heartbeat reply packet sent to the server, and the server then deletes the user.
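The two reconciliation rules above are the whole of the synchronization logic, and the following model shows how they interact with the detection timeout. It is an added example written for this page, not Comware code: the real portal packet layout and timer granularity are not modelled, and the class name, method names and the integer clock passed as `now` are assumptions.

```python
"""Model of portal user synchronization (user-sync) on the access device.

Added example for this page, not Comware code. The portal protocol's real
packet layout and timer granularity are not modelled; the class name, the
method names and the integer "now" clock are assumptions. Only the
reconciliation rules come from the user-sync description:
  * an online user not listed in the server's synchronization packets for
    longer than the detection timeout is logged out on the device;
  * user IPs reported by the server that are not online on the device are
    returned in the heartbeat reply so that the server deletes them.
"""


class UserSync:
    """Online-user table of one access device for one portal server."""

    def __init__(self, timeout):
        if not 60 <= timeout <= 18000:
            raise ValueError("user-sync timeout must be 60 to 18000 seconds")
        self.timeout = timeout
        self.last_seen = {}   # user IP -> last time it appeared in a sync packet

    def user_login(self, ip, now):
        """A portal user passes authentication on the device at time `now`."""
        self.last_seen[ip] = now

    def handle_sync_packet(self, server_ips, now):
        """Process one synchronization packet from the portal server.

        Refreshes the timer of every listed user that is online here and
        returns the IPs the server lists but the device does not know; those
        go back in the reply so the server can delete them."""
        for ip in server_ips:
            if ip in self.last_seen:
                self.last_seen[ip] = now
        return sorted(ip for ip in server_ips if ip not in self.last_seen)

    def expire(self, now):
        """Log out users absent from sync packets for longer than the timeout.
        Returns the IPs that were logged out."""
        stale = sorted(ip for ip, seen in self.last_seen.items()
                       if now - seen > self.timeout)
        for ip in stale:
            del self.last_seen[ip]
        return stale

    def online_users(self):
        return sorted(self.last_seen)


def heartbeat_interval_ok(server_heartbeat_interval, device_timeout):
    """Deployment rule from the page: the server's user heartbeat interval
    must not be greater than the device's synchronization detection timeout,
    otherwise live users are logged out between two heartbeats."""
    return server_heartbeat_interval <= device_timeout


def demo():
    """Constructed timeline with a 600 s timeout (the page's example value)."""
    sync = UserSync(timeout=600)
    sync.user_login("10.1.1.10", now=0)
    sync.user_login("10.1.1.11", now=0)
    # Sync packet at t=300 lists .10 and a .99 that never authenticated here.
    reply = sync.handle_sync_packet({"10.1.1.10", "10.1.1.99"}, now=300)
    early = sync.expire(now=500)     # .11 has been absent only 500 s: keep it
    late = sync.expire(now=601)      # .11 absent 601 s > 600: log it out
    return reply, early, late, sync.online_users()


if __name__ == "__main__":
    print(demo())
```

In the constructed timeline, 10.1.1.99 is returned to the server for deletion, 10.1.1.11 survives the check at 500 s and is logged out at 601 s, and 10.1.1.10 stays online because the sync packet at 300 s refreshed it. The `heartbeat_interval_ok` check is the one to run against the server's configuration before enabling the feature.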

Examples

# Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] user-sync timeout 600

Related commands

portal server

version

Use version to specify the version of the portal protocol.

Use undo version to restore the default.

Syntax

version version-number

undo version

Default

The version of the portal protocol is 1.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

version-number: Specifies the portal protocol version in the range of 1 to 3.

Usage guidelines

The portal protocol version specified on the device must be the version required by the MAC binding server.

Examples

# Configure the device to use portal protocol version 2 to communicate with the MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] version 2

Related commands

display mac-trigger-server

portal mac-trigger-server
