PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint relationship as in multi-access environments such as Ethernet. PPPoE provides Internet access for the hosts in an Ethernet through a remote access device and implement access control, authentication, and accounting on a per-host basis. Integrating the low cost of Ethernet and scalability and management functions of PPP, PPPoE gained popularity in various application environments, such as residential access networks.

For more information about PPPoE, see RFC 2516.

PPPoE network structure

PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE server. After session negotiation between them is complete, a session is established between them, and the PPPoE server provides access control, authentication, and accounting to the PPPoE client.

PPPoE network structures are classified into router-initiated and host-initiated network structures depending on the starting point of the PPPoE session.

Router-initiated network structure

As shown in Figure 1, the PPPoE session is established between routers (Router A and Router B). All hosts share one PPPoE session for data transmission without being installed with PPPoE client software. This network structure is typically used by enterprises.

Figure 1 Router-initiated network structure

‌

Host-initiated network structure

As shown in Figure 2, a PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client software.

Figure 2 Host-initiated network structure

‌

PPPoE packet structure

The format of PPPoE packets carries PPP packets in Ethernet frames. The encapsulation structure of the packets is as shown in Figure 3.

Figure 3 PPPoE packet structure

‌

Table 1 Fields in the PPPoE packets

Field	Description
Destination address	An Ethernet unicast destination address or Ethernet broadcast address (0xffffffffffff): · In the discovery phase, the field value is a unicast or broadcast address. The PPPoE client uses a broadcast address to find the PPPoE server, and then uses a unicast address after determining the PPPoE server. · In the session phase, this field must be the unicast address of the peer end determined during the discovery phase.
Source_address	Ethernet MAC address of the source device.
Ether_type	Set to 0x8863 (discovery phase) or 0x8864 (session phase).
Ver	4 bits long. This field represents the PPPoE version number. The value is 0x1.
Type	4 bits long. This field represents the PPPoE type. The value is 0x1.
Code	8 bits. This field represents the PPPoE packet type. Possible values include: · 0x00—Session data. · 0x09—PADI packet. · 0x07—PADO or PADT packet. · 0x19—PADR packet. · 0x65—PADS packet.
Session_ID	16 bits long. The value is fixed for a given PPP session and, in fact, defines a PPP session along with the Ethernet Source_address and Destination_address fields. The value of 0xffff is reserved for future use and must not be used.
Length	16 bits long. This field defines the length of the PPPoE payload. It does not include the length of the Ethernet or PPPoE headers.
PPP packet	For the PPP packet structure, see the frame format for PPP packet encapsulation in basic PPP concepts.

‌

Interaction process for PPPoE user onboarding

The PPPoE user onboarding process involves two phases: PPPoE negotiation and PPP negotiation. PPP negotiation includes LCP negotiation, PAP/CHAP authentication, NCP negotiation, and other phases.

PPPoE negotiation

In the PPPoE negotiation phase, the device assigns a session ID for the user's PPPoE access. A session ID uniquely identifies a virtual PPPoE link between the user and the device. The negotiation process of PPPoE is as shown in Figure 4.

1. The user broadcasts a PPPoE Active Discovery Initiation (PADI) packet, which contains the type of service the user wants.

2. Upon receiving this PADI packet, all access concentrators on the Ethernet (such as the device in the diagram) compare the requested service with their own capabilities. The device that can provide the service responds with a PPPoE Active Discovery Offer (PADO) packet.

3. The user might receive PADO packets from different devices. The user selects a device from the returned PADO packets based on certain conditions and sends to the device a non-broadcast session request packet, PPPoE Active Discovery Request (PADR). The PADR packet has the required service information encapsulated.

4. The selected device starts to enter the PPP session phase after receiving the PADR packet. The device will generate a session ID to uniquely identify the PPPoE session between the device and the host. The device includes this specific session ID in a session confirmation packet, PPPoE Active Discovery Session-confirmation (PADS), and sends the PADS packet to the user. If no errors occur, the device enters the PPP session phase. When the user receives the PADS packet, the user also enters the PPP session phase if no errors occur.

Figure 4 PPPoE negotiation process

‌

PPP negotiation

PPP negotiation includes LCP negotiation, PAP/CHAP authentication, NCP negotiation, and other phases.

LCP negotiation

After the PPP negotiation phase starts, the LCP negotiation process starts first. The LCP negotiation process is as shown in Figure 5.

1. The user and the device send an LCP Configure-Request packet to each other.

2. After receiving the Configure-Request packet from the peer end, the local end responds appropriately based on the negotiation option support in the packet. For more information, see Table 2. If both ends have responded with a Configure-Ack packet, the LCP link has been successfully established. If not, both ends will continue to send requests.

¡ If the peer end responds with a Configure-Ack packet within the configured LCP negotiation interval and negotiation times, the LCP link has been successfully established.

¡ If the peer end has not responded with a Configure-Ack packet after the set LCP negotiation times, LCP negotiation will be terminated.

3. After the LCP link is successfully established, the device will periodically send LCP Echo-Requests to the user and then receive the Echo-Replies from the peer to detect whether the LCP link is normal and maintain the LCP connection.

Figure 5 Basic LCP negotiation process

‌

Table 2 Response packet type list

Response packet type	Description
Configure-Ack	If the end fully supports the LCP options of the peer end, the end responds with a Configure-Ack packet that fully carries the options in the request of the peer end.
Configure-Nak	If the end supports the negotiation options of the peer end but does not accept the negotiated content, the end responds with a Configure-Nak packet filled with the expected content. For example, if the MRU value of the peer is 1500 and the local end expects the MRU value of 1492, the local end will fill in 1492 in the Configure-Nak packet.
Configure-Reject	If the end does not support the negotiation options of the peer end, the end responds with a Configure-Reject packet carrying the unsupported options.

‌

Authentication phase

After the LCP negotiation is completed, the PPP link enters the authentication phase. Two authentication methods are supported: PAP authentication and CHAP authentication.

· PAP authentication

PAP is a two-way handshake protocol that authenticates a user by using a username and password. PAP transmits the username and password in plain text. Therefore, PAP is suitable for environments with relatively low network security requirements. The PAP authentication process is as shown in Figure 6.

a. The authenticatee sends the username and password to the authenticator.

b. The authenticator checks for this user in the user table at this end.

¡ If the user exists, the authenticator identifies whether the authentication password is correct.

- If the password is correct, the authenticator sends an Authenticate-ACK packet to the peer end to notify the peer end that it is allowed to enter the next phase of negotiation.

- If the password is not correct, the authenticator sends an Authenticate-NAK packet to the peer to notify the peer of authentication failure.

¡ If the user does not exist, the authentication will fail.

‌

NOTE:

After authentication failure, the link will not be directly closed. The link will be closed only when the number of authentication failures reaches a certain value.

‌

Figure 6 PAP authentication process

‌

· CHAP authentication

CHAP is a three-way handshake protocol. CHAP transmits only the username rather than the user password over the network, so it is more secure than PAP. The authentication process of CHAP is as shown in Figure 7.

a. The authenticator initiates the authentication request, and sends a packet (Challenge) with a random number to the authenticatee and also sends the username to the authenticatee.

b. Upon receiving the authentication request from the authenticator, the authenticatee first identifies whether a CHAP password is configured on the local interface.

- If a CHAP password is configured, the authenticatee uses the hash algorithm to calculate a hash value based on the packet ID, configured password, and random number in the packet. Then, the authenticatee sends this hash value and the authenticatee's username (Response) back to the authenticator.

- If no CHAP password is configured, the authenticatee looks up the password corresponding to the username in the user table at this end based on the authenticator username in this packet. The authenticatee uses the hash algorithm to calculate a hash value based on the packet ID, the user's password, and the random number in the packet. The authenticatee sends the obtained hash value and the authenticatee's username back to the authenticator. (Response).

c. The authenticator uses the hash algorithm to calculate a hash value based on the packet ID, its saved password for the authenticatee, and the random number in the Challenge packet. The authenticator then compares the calculated hash value with the hash value in the Response packet. If the comparison result is consistent, authentication succeeds. If the comparison result is inconsistent, authentication fails.

Figure 7 CHAP authentication process

‌

NCP negotiation

The main function of NCP negotiation is to negotiate network layer parameters of PPP packets, such as IPCP and IPv6CP, among which IPCP is the most common protocol. PPPoE users mainly obtain their IP addresses or IP address ranges for accessing the network through the IPCP protocol.

As shown in Figure 8, the NCP process is similar to the LCP process. When users and devices exchange Configure-Request packets and respond with Configure-Ack packets, NCP negotiation succeeds and users can normally access the network.

Figure 8 Basic NCP negotiation process

‌

The following section will describe the commonly used IPCP and IPv6CP protocols in NCP negotiation.

· IPCP

The IPCP negotiation process is performed based on the PPP state machine. After both parties negotiate and they exchange configuration information through Configure-Request, Configure-Ack, and Configure-Nak packets, the IPCP state changes from initial (or closed) state to opened state finally. The condition for the IPCP state to become opened is that both the sender and receiver have sent and received Ack packets.

During the IPCP negotiation process, the negotiation packet can contain multiple options (parameters), such as IP address, gateway, and mask. The rejection or denial of each option does not affect the successful negotiation of IPCP, and IPCP also supports negotiation without options.

· IPv6CP

IPv6 Control Protocol (IPv6CP) is a network control protocol. IPv6CP is mainly responsible for configuring settings on both ends of a point-to-point link, enabling and disabling the IPv6 protocol module, and negotiating parameters such as interface ID and IPv6 compression protocol. IPv6CP uses the same packet exchange mechanism as the Link Control Protocol (LCP). However, the IPv6CP packets can be exchanged only when PPP reaches the network layer protocol phase. IPv6CP packets received before this phase will be dropped.

In the current software version, the IPv6CP negotiation options only support interface IDs and do not support the IPv6 compression protocols.

In an IPv6 network, PPP users and IPoE users both need to use the ND protocol or DHCPv6 protocol to allocate global unicast addresses and configuration information. The IA_PD option of the DHCPv6 protocol is used to allocate IPv6 prefixes to LAN interfaces in routed mode on CPEs.

PPPoE MTU and MRU negotiation method

During the interaction process of PPPoE user onboarding, the values of interface MTU and MRU will be negotiated, and then both sides will send and receive packets. The main negotiation methods include the following types.

The PPPoE connection is enabled to negotiate the MRU according to relevant standards

PPPoE discovery phase:

· If the user packet carries the PPP-Max-Payload field and the value is greater than 1492, the value will be compared with the MTU value on the BAS interface minus 8. The smaller value will be used as the negotiated value and named PPP_MRU_Max. This negotiated value is not the final MTU negotiation result, but one of the reference values.

· If the PPP-Max-Payload field carried in the user packet is less than or equal to 1492, PPP_MRU_Max takes the default value of 1492 as one of the reference values.

· If the user packet does not carry the PPP-Max-Payload field, then PPP_MRU_Max is set to 0 and not used as one of the reference values.

LCP negotiation phase:

· If the user carries the MRU field in the Config-Request packet during the LCP phase, the following rules apply:

¡ If the MRU carried in the user packet is equal to the PPP_MRU_Max negotiated in the PPPoE discovery phase, the MRU carried in the user packet will be used as the final MTU for the user.

¡ If the MRU carried in the user packet is not equal to the PPP_MRU_Max negotiated in the PPPoE discovery phase or the PPP_MRU_Max is 0, the MRU carried in the user packet will be compared with the MTU value on the VT interface minus 8. The smaller value will be used as the final MTU for the user.

· If the user's Config-Request packet during the LCP phase does not carry the MRU field, 1492 will be compared with the MTU value on the VT interface minus 8. The smaller value will be used as the final MTU for the user.

The PPPoE connection is disabled from negotiating the MRU according to relevant standards

PPPoE discovery phase:

· If the user packet carries the PPP-Max-Payload field, the smaller value between this value and the MTU on the BAS interface is used as the negotiated value and named PPP_MRU_Max. This value is not the final MTU negotiation result, but one of the reference values.

· If the user packet does not carry the PPP-Max-Payload field, the value for PPP_MRU_Max is the default value 0 and is not used as a reference value.

LCP negotiation phase:

· If the user includes the MRU field in the Config-Request packet during the LCP phase, the value will be compared with the MTU on the VT interface. The smaller value will be taken as the final MTU for the user.

· If the user does not include the MRU field in the Config-Request packet during the LCP phase, the following rules apply:

¡ If the user does not negotiate PPP_MRU_Max during the PPPoE discovery phase, the MTU on the VT interface will be used as the final MTU for the user.

¡ If PPP_MRU_Max is negotiated in the PPPoE discovery phase, the smaller value of the MTU on the VT interface and PPP-Max-Payload is used as the final MTU for the user.

Protocols and standards

RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)

Restrictions and guidelines: PPPoE configuration

This device can only act as a PPPoE server, and cannot act as a PPPoE client.

In standard system operating mode, this feature is available only for the following cards:

Table 3 Card information

Card category	Cards
CSPEX	NP5-CSPEX

In SDN-WAN system operating mode, the device does not support this feature.

In PPPoE applications, the advertisement pushing function takes effect only on HTTP packets with port number 80 or 8080.

When a PPPoE server acts as a DHCP relay agent, the following command settings must be the same on the DHCP relay agent and the remote DHCP server for a common IP address pool:

· In a DHCPv4 network:

¡ network: Specifies a network segment for dynamic allocation in an IP pool.

¡ address range: Configures an IP address range in an IP pool for dynamic allocation.

¡ forbidden-ip: Exclude IP addresses from dynamic allocation in an IP pool.

For more information about these commands, see BRAS Services Command Reference.

· In a DHCPv6 network:

¡ network: Specifies an IPv6 subnet for dynamic allocation in an IPv6 address pool.

¡ address range: Specifies a non-temporary IPv6 address range in an IPv6 address pool for dynamic allocation.

¡ forbidden-address: Excludes IPv6 addresses from dynamic allocation in an IPv6 address pool.

¡ forbidden-prefix: Excludes IPv6 prefixes from dynamic allocation in an IPv6 address pool.

¡ prefix-pool: Applies a prefix pool to an IPv6 address pool, so the DHCPv6 server can dynamically select a prefix from the prefix pool for a client.

For more information about these commands, see BRAS Services Command Reference.

Configuring the PPPoE server

PPPoE server tasks at a glance

To configure PPPoE server, perform the following tasks:

1. Configuring a PPPoE session

2. (Optional.) Setting the maximum number of PPPoE sessions

3. (Optional.) Enabling PPPoE logging

4. (Optional.) Limiting the PPPoE access rate

5. (Optional.) Configuring the NAS-Port-ID attribute

6. Configuring NAS-Port-ID binding for PPPoE access users

Perform this task if you need to acquire the physical location of the PPPoE user access interface by NAS-Port-ID.

7. (Optional.) Setting a service name for the PPPoE server

8. (Optional.) Setting the maximum number of PADI packets that the device can receive per second

9. (Optional.) Configuring PPPoE user blocking

10. (Optional.) Configuring PPPoE protocol packet attack prevention

11. (Optional.) Forbidding PPPoE users from coming online through an interface

12. (Optional.) Set the response delay time for PPPoE user access

13. (Optional.) Specify the MAC address offset for response delay of PPPoE user access

Configuring a PPPoE session

1. Enter system view.

system-view

2. Create a VT interface and enter VT interface view.

interface virtual-template number

3. Set PPP parameters.

When configuring PPP authentication, use the PPPoE server as the authenticator.

4. Return to system view.

quit

5. Enter interface view.

interface interface-type interface-number

6. Enable the PPPoE server on the interface and bind this interface to the specified VT interface.

pppoe-server bind virtual-template number

By default, the PPPoE server is disabled on the interface.

7. (Optional.) Configure an access concentrator (AC) name for the PPPoE server.

pppoe-server tag ac-name name

By default, the AC name for the PPPoE server is the device name.

PPPoE clients can choose a PPPoE server according to the AC name.

8. (Optional.) Enable the PPPoE server to support the ppp-max-payload tag and specify a range for the PPP maximum payload.

pppoe-server tag ppp-max-payload [ minimum min-number maximum max-number ]

By default, The PPPoE server does not support the ppp-max-payload tag.

9. Return to system view.

quit

10. Configure the PPPoE server to perform authentication, authorization, and accounting for PPP users.

For more information, see BRAS Services Configuration Guide.

Setting the maximum number of PPPoE sessions

About this task

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· (In standalone mode.) (In IRF mode.) Limit on a card.

Restrictions and guidelines for maximum number of PPPoE sessions

If the configured limit is smaller than the number of existing online sessions on the interface, the configuration succeeds. The configuration does not affect the existing online sessions. However, new sessions cannot be established on the interface.

(In standalone mode.) (In IRF mode.) The total maximum number of PPPoE sessions set for all cards or IRF member devices cannot be greater than the maximum number of PPPoE sessions supported by the device.

Setting the maximum number of PPPoE sessions in interface view

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

The PPPoE server is enabled on the interface.

3. Set the maximum number of PPPoE sessions.

¡ Set the maximum number of PPPoE sessions on an interface.

pppoe-server session-limit number

By default, the number of PPPoE sessions on an interface is not limited.

¡ Set the maximum number of PPPoE sessions for a VLAN.

pppoe-server session-limit per-vlan number

By default, the number of PPPoE sessions for a VLAN on an interface is not limited.

¡ Set the maximum number of PPPoE sessions for a user.

pppoe-server session-limit per-mac number

By default, a user is allowed to create a maximum of 1 PPPoE sessions.

Setting the maximum number of PPPoE sessions in system view

1. Enter system view.

system-view

2. Set the maximum number of PPPoE sessions.

In standalone mode:

pppoe-server session-limit slot slot-number total number

In IRF mode:

pppoe-server session-limit chassis chassis-number slot slot-number total number

By default, the number of PPPoE sessions is not limited.

Enabling PPPoE logging

About this task

The PPPoE logging feature enables the device to generate PPPoE logs and send them to the information center. Logs are generated when the following requirements are met:

· The number of PPPoE sessions reaches the upper limit for an interface, user, VLAN, or the system.

· New users request to come online.

A log entry records the interface-based, MAC-based, VLAN-based, or system-based session limit. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

As a best practice, disable this feature to prevent excessive PPP log output.

Procedure

1. Enter system view.

system-view

2. Enable PPPoE logging.

pppoe-server log enable

By default, PPPoE logging is disabled.

Limiting the PPPoE access rate

About this task

The device can limit the rate at which a user (identified by an MAC address) can create PPPoE sessions on an interface. If the number of PPPoE requests within the monitoring time reaches the configured threshold, the device discards the excessive requests, and outputs log messages. If the blocking time is set to 0, the device does not block any requests, and it only outputs log messages.

The device uses a monitoring table and a blocking table to control PPP access rates:

· Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users. The aging time of monitoring entries is determined by the session-request-period argument. When the timer expires, the system starts a new round of monitoring for the user.

· Blocking table—Stores a maximum of 8000 blocking entries. The system creates a blocking entry if the access rate of a user reaches the threshold, and blocks requests from that user. When the blocking entries reach the maximum number, the system stops blocking session requests from new users and it only outputs log messages. The aging time of the blocking entries is determined by the blocking-period argument. When the timer expires, the system starts a new round of monitoring for the user.

Restrictions and guidelines

If the access rate setting is changed, the system removes all monitoring and blocking entries, and uses the new settings to limit PPPoE access rates.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

The PPPoE server is enabled on the interface.

3. Set the PPPoE access limit.

pppoe-server throttle per-mac session-requests session-request-period blocking-period

By default, the PPPoE access rate is not limited.

Configuring the NAS-Port-ID attribute

About this task

On the PPPoE+ network as shown in Figure 9 or on a network with a DSLAM, the PPPoE server on a BRAS uses the RADIUS NAS-Port-ID attribute to send the access line ID received from a PPPoE+ device (typically a switch with PPPoE+ deployed) or DSLAM device to the RADIUS server. The access line ID includes the circuit-id and remote-id. The RADIUS server compares the received NAS-Port-ID attribute with the local line ID information to verify the location of the user.

You can configure the content of the NAS-Port-ID attribute that the PPPoE server sends to the RADIUS server.

Figure 9 PPPoE+ network diagram

Restrictions and guidelines

If the attribute 87 format command is executed in RADIUS scheme view, the format of the NAS-Port-ID attribute sent to the RADIUS server is determined by using this command. In this case, the NAS-Port-ID attribute format defined in PPPoE does not take effect. For more information about the attribute 87 format command, see AAA commands in BRAS Services Command Reference.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

The PPPoE server is enabled on the interface.

Support for interface views depends on the device model.

3. Configure the content of the NAS-Port-ID attribute.

pppoe-server access-line-id content { all [ separator ] | circuit-id | remote-id }

By default, the NAS-Port-ID attribute contains only the circuit-id.

4. Configure the NAS-Port-ID attribute to include the BAS information automatically.

pppoe-server access-line-id bas-info [ cn-163 | cn-163-redback ]

By default, the NAS-Port-ID attribute does not include the BAS information automatically.

5. Configure the PPPoE server to trust the access line ID in received packets.

pppoe-server access-line-id trust

By default, the PPPoE server does not trust the access line ID in received packets.

6. Configure the transmission format for the circuit-id.

pppoe-server access-line-id circuit-id trans-format { ascii | hex }

The default format is a string of characters.

7. Configure the transmission format for the remote-id.

pppoe-server access-line-id remote-id trans-format { ascii | hex }

The default format is a string of characters.

8. Insert the VXLAN information into the NAS-Port-ID attribute.

pppoe-server access-line-id vxlan-info enable

By default, VXLAN information is not inserted into the NAS-Port-ID attribute.

Configuring NAS-Port-ID binding for PPPoE access users

About this task

a device uses information about the interface through which a user comes online to fill in the NAS-Port-ID attribute and sends it to the RADIUS server by default. In some special applications, when you need to manually specify the access interface information to be filled in the NAS-Port-ID attribute, you can use this command. For example, suppose the RADIUS server restricts user A's access to only interface A. When user A accesses through interface B and you do not want to modify the RADIUS server configuration, you can configure this command to use information about interface A to fill in the NAS-Port-ID attribute for user A and send the attribute to the RADIUS server.

When the BAS information format is China-Telecom 163 and the pppoe-server nas-port-id interface command is executed, the following rules apply:

· If the access-user four-dimension-mode enable command is also specified, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute:

¡ chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

· If the access-user four-dimension-mode enable command is not executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute: slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

When the BAS information format is China-Telecom and the pppoe-server nas-port-id interface command is executed, the following rules apply:

· If the access-user four-dimension-mode enable command is also executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following NAS information field in the NAS-PORT-ID attribute:

¡ {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port.

Restrictions and guidelines

This feature takes effect only when the corresponding interface is configured to automatically include BAS information in the NAS-Port-ID attribute by using the pppoe-server access-line-id bas-info command.

The information configured in this feature is also used to fill in the NAS-Port attribute.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Configure the CP to use information of the specified interface on a UP to fill in the NAS-Port-ID attribute.

pppoe-server nas-port-id interface interface-type interface-number

By default, the CP uses information about the interface through which the user comes online to fill in the NAS-Port-ID attribute.

Setting a service name for the PPPoE server

About this task

Upon receiving a PADI or a PADR packet from a PPPoE client, the PPPoE server compares its service name with the service-name tag field of the packet. The server accepts the session establishment request only if the field matches the service name. Table 4 describes different matching rules in different matching modes.

Table 4 Service name matching rules

Matching mode	PPPoE client	PPPoE server	Result
Exact match	No service name is specified.	The number of configured service names is less than 8.	Success
	No service name is specified.	The number of configured service names is 8.	Failure
	A service name is specified.	A service name that is the same as that of the client is configured.	Success
	A service name is specified.	A service name that is the same as that of the client is not configured.	Failure
Fuzzy match	No service name is specified.	Any configuration.	Success
	A service name is specified.	A service name that is the same as that of the client is configured, or the number of configured service names is less than 8.	Success
	A service name is specified.	A service name that is the same as that of the client is not configured, or the number of configured service names is 8.	Failure

‌

Restrictions and guidelines

Service names identify the traffic destined for PPPoE servers when multiple PPPoE servers are providing services on the network.

You can configure a maximum of 8 service names on an interface.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Configure the service name matching mode for the PPPoE server as exact match.

pppoe-server service-name-tag exact-match

By default, the service name matching mode for the PPPoE server is fuzzy match..

4. Set a service name for the PPPoE server.

pppoe-server tag service-name name

By default, the PPPoE server does not have a service name.

Setting the maximum number of PADI packets that the device can receive per second

About this task

When device reboot or version update is performed, the burst of online requests might affect the device performance. To avoid device performance degradation and make sure the device can process PADI packets correctly, use this feature to adjust the PADI packet receiving rate limit.

Restrictions and guidelines

Table 5 Default settings for the PADI packet receiving rate limit

MPU model	PADI packet receiving rate limit
CSR07SRPUD3	500
Other MPUs	200

‌

Procedure

1. Enter system view.

system-view

2. Set the maximum number of PADI packets that the LNS can receive per second.

In standalone mode:

pppoe-server padi-limit slot slot-number number

In IRF mode:

pppoe-server padi-limit chassis chassis-number slot slot-number number

The default varies by MPU model. For more information, see the preceding table.

Configuring PPPoE user blocking

About this task

You can use this feature to prevent multiple PPPoE users from frequently coming online and going offline or prevent protocol packet attacks. After this feature is enabled, users who performs the following operations for the specified number of times within a period will be blocked:

· Come online.

· Go offline.

· Send PPPoE connection requests.

Packets from blocked users will be discarded during the blocking period, and will be processed after the blocking period expires. At the same time, the device still performs PPPoE user blocking detection for PPPoE users within the blocking period. If the number of discarded packets meets the formula (number of discarded packets × request-period ≥requests × blocking-period) before the blocking period expires, the PPPoE users will be blocked for one more blocking period.

User blocking includes MAC-based user blocking and option105-based user blocking.

Restrictions and guidelines for PPPoE user blocking configuration

· If you enable this feature in system view, the feature applies to all PPPoE users.

· If you enable this feature in interface view, the feature applies to PPPoE users accessing the interface.

· If you execute this command in both system view and interface view, a user is monitored by blocking conditions in both views. When the user meets the blocking conditions in any view first, the user is blocked by the blocking settings in the view.

· If you enable MAC-based user blocking, the device uniquely identifies a blocked user by using its MAC address, the outermost VLAN ID, and the access interface.

· If you enable option105-based user blocking, the device uniquely identifies a blocked user by using its circuit ID, remote ID, and the access interface.

· In the unified scenario, when the blocking conditions are met, blocking entries are generated only for the slots hosting interfaces actually receiving packets. For example, when a user accessing a Layer 3 aggregate interface meets the blocking conditions, the blocking entries are generated only on the slots hosting member ports of the Layer 3 aggregate interface.

Enabling MAC-based user blocking in system view

1. Enter system view.

system-view

2. Enable MAC-based user blocking.

pppoe-server connection chasten [ quickoffline ] [ multi-sessions-permac ] requests request-period blocking-period

By default, a MAC-based PPPoE user will be blocked for 300 seconds if the user fails authentication consecutively for 120 times within 60 seconds.

Enabling MAC-based user blocking in interface view

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

The PPPoE server is enabled on the interface.

Support for interface views depends on the device model.

3. Enable MAC-based user blocking.

pppoe-server connection chasten [ quickoffline ] [ multi-sessions-permac ] requests request-period blocking-period

By default, MAC-based user blocking is disabled.

Enabling option105-based user blocking in system view

1. Enter system view.

system-view

2. Enable option105-based user blocking.

pppoe-server connection chasten option105 [ quickoffline ] requests request-period blocking-period

By default, option105-based user blocking is disabled.

Enabling option105-based user blocking in interface view

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

The PPPoE server is enabled on the interface.

Support for interface views depends on the device model.

3. Enable option105-based user blocking.

pppoe-server connection chasten option105 [ quickoffline ] requests request-period blocking-period

By default, option105-based user blocking is disabled.

Configuring PPPoE protocol packet attack prevention

About this task

In the Discovery phase of the PPPoE link establishment process, the PPPoE client sends PADI or PADR packets to find the PPPoE server that can provide the access service. After the PPPoE session is established, the PPPoE client can send PADT packets at any time to terminate the PPPoE session.

To prevent a large number of users frequently coming online and going offline or illegal users from initiating protocol packet attacks, which will occupy a large number of system resources, you can configure the PPPoE protocol packet attack prevention feature. With this feature configured, if the number of protocol packets that the PPPoE server receives within the detection interval exceeds the specified number, the PPPoE protocol packets received from the interface will be rate-limited. During the rate-limiting period, the excess PPPoE protocol packets are dropped. At the same time, the device still performs attack prevention detection for the interface within the rate-limiting period. If the number of PPPoE protocol packets dropped meets the formula (number of dropped packets × interval ≥ number ×rate-limit-period) before the rate-limiting period expires, one more rate-limiting period is added. After the rate-limiting period expires, the rate-limiting on the PPPoE protocol packets received from the interface is cancelled.

Restrictions and guidelines

You can configure PPPoE protocol packet attack prevention in system view and in interface view. The configuration in system view takes effect on all interfaces, and the configuration in interface view takes effect only on the current interface. If you configure this feature both in system view and interface view, the configuration in interface view takes priority.

Configuring PPPoE protocol packet attack prevention globally

1. Enter system view.

system-view

2. Enable PPPoE protocol packet attack prevention.

pppoe-server connection chasten per-interface number interval rate-limit-period

By default, PPPoE protocol packet attack prevention is disabled.

Configuring PPPoE protocol packet attack prevention on an interface

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

Make sure the interface has PPPoE server enabled.

3. Enable PPPoE protocol packet attack prevention.

pppoe-server connection chasten per-interface number interval rate-limit-period

By default, PPPoE protocol packet attack prevention is disabled.

Forbidding PPPoE users from coming online through an interface

About this task

With this feature configured on an interface, the interface directly drops received PADI and PADR packets to forbid users from coming online through this interface.

Restrictions and guidelines

This feature does not affect existing PPPoE users.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Forbid PPPoE users from coming online through the interface.

pppoe-server block

By default, PPPoE users are permitted to come online.

Set the response delay time for PPPoE user access

About this task

Application scenarios

This feature is suitable for administrators to deploy multiple BRAS devices in the network, and distribute user loads and backups among these devices based on odd/even MAC addresses.

As shown in Figure 10, to provide device-level backup and traffic load balancing, two BRAS devices are deployed in the network, with the following configurations:

· Configure BRAS A to delay responses for users with even MAC addresses, and maintain the default setting (no response delay) for users with odd MAC addresses.

· Configure BRAS B to delay responses for users with odd MAC addresses, and maintain the default setting (no response delay) for users with even MAC addresses.

In this case, under normal circumstances, BRAS A responds to the online requests of users with odd MAC addresses before BRAS B, so users with odd MAC addresses prefer to come online through BRAS A. Similarly, BRAS B responds to the online requests of users with even MAC addresses before BRAS A, so users with even MAC addresses prefer to come online through BRAS B. This achieves load balancing of user traffic between BRAS A and BRAS B.

Figure 10 Response delay time functionality (both BRAS devices operate correctly)

‌

As shown in Figure 11, when a BRAS device (assuming BRAS A) malfunctions, BRAS B provides access services for all users, thus achieving device-level backup.

· For users with odd MAC addresses who have not come online before the failure of BRAS A, these users can directly come online through BRAS B.

· For users with odd MAC addresses who have come online before the failure of BRAS A, these users must disconnect first before they can come online through BRAS B.

Figure 11 Response delay time functionality (one BRAS device fails)

‌

Operating mechanism

With the response delay time set for PPPoE user access, the system delays responses to the online requests of PPPoE users according to the configured time. You can set different response delay times for users with odd and even MAC addresses respectively.

Restrictions and guidelines

· In this scenario, you must configure address isolation between BRAS devices. Public address pools, private address pools, and NAS-IP addresses must be uniquely configured on each BRAS device and cannot be cross-utilized. If you cannot do that, route issues might occur. For example, if NAS-IP address 1.1.1.1 is configured on one BRAS device, then you cannot configure the NAS-IP address on another BRAS device as 1.1.1.1.

· You can use this feature in conjunction with the pppoe-server access-delay odd-even mac offset command to flexibly deploy access response delay strategies for odd and even MAC users based on MAC address offsets. For more information, see the pppoe-server access-delay odd-even mac offset command.

· This feature takes effect only for PPPoE users that attempt to come online afterward and has no impact on currently online PPPoE users.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Set the response delay time for PPPoE user access.

pppoe-server access-delay delay-time [ even-mac | odd-mac ]

By default, no response delay time is set for PPPoE user access.

¡ If you specify either keyword, the configured response delay time applies to both odd MAC users and even MAC users who are newly connected from the current interface.

¡ If you specify this command twice, once with the even-mac or odd-mac keyword specified and once without any keyword specified, the most recent configuration takes effect.

Specify the MAC address offset for response delay of PPPoE user access

About this task

Application scenarios

The parity bit is used by the BRAS device to determine the parity of a user's MAC address. In this context, the bit value of 0 indicates an even MAC address, while a value of 1 indicates an odd MAC address.

By default, the device only selects the lowest bit of a user's MAC address as the parity bit to determine the parity of the MAC address. It then uses the delay time configured by the pppoe-server access-delay command to delay the response to the user's online requests based on the parity of the MAC address.

To flexibly specify a certain bit in a user's MAC address as the basis for determining the parity of the address, you can specify the offset.

Operating mechanism

With the MAC address offset specified, when the device receives a PPPoE user's online request, it uses the principle of offsetting from the low bit to the high bit. The (offset-value+1)th bit of the user's MAC address is as the offset parity bit to determine whether the user's MAC address is odd or even. Then, based on the delay time for odd or even MAC addresses, the device delays the response to the user's online request.

For example, as shown in Figure 12, for a PPPoE user with MAC address 0012-3400-ABCD, the parity bit value for this MAC address is 1 by default, indicating an odd MAC address. If you set the offset value to 17 bits, the parity bit (starting from the default parity bit, the 17+1=18th bit) value for this user's MAC address becomes 0, indicating an even MAC address.

Figure 12 MAC address offset calculation

‌

Restrictions and guidelines

· This feature must be used together with the pppoe-server access-delay command. If pppoe-server access-delay is not configured, the device responds to the access requests of PPPoE users immediately regardless of the configured MAC address offset value.

· This feature takes effect only for PPPoE users that attempt to come online afterward and has no impact on currently online PPPoE users.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Specify the MAC address offset for response delay of PPPoE user access.

pppoe-server access-delay odd-even mac offset offset-value

By default, no offset is specified for matching the MAC addresses of PPPoE users. The parity of the MAC address is determined by the lowest bit of the MAC address (using the left-high and right-low principle).

If you execute this command multiple times, the most recent configuration takes effect.

Display and maintenance commands for PPPoE

Display and maintenance commands for PPPoE server

Execute display commands in any view and reset commands in user view.

Task	Command
Display PPPoE user blocking configuration information.	display pppoe-server chasten configuration [ global \| interface interface-type interface-number ]
Display the PPPoE protocol packet attack prevention entries.	In standalone mode: display pppoe-server chasten per-interface [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: display pppoe-server chasten per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Display the PPPoE protocol packet attack prevention configuration information.	display pppoe-server chasten per-interface configuration [ interface interface-type interface-number ]
Display statistics about PPPoE user blocking.	In standalone mode: display pppoe-server chasten statistics [ mac-address \| option105 ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: display pppoe-server chasten statistics [ mac-address \| option105 ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Display information about blocked PPPoE users.	In standalone mode: display pppoe-server chasten user [ mac-address [ mac-address ] \| option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ slot slot-number ] [ verbose ] In IRF mode: display pppoe-server chasten user [ mac-address [ mac-address ] \| option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ] [ verbose ]
Display PPPoE server negotiation packet statistics.	In standalone mode: display pppoe-server packet statistics [ slot slot-number ] In IRF mode: display pppoe-server packet statistics [ chassis chassis-number slot slot-number ]
Display summary information for PPPoE sessions.	In standalone mode: display pppoe-server session summary [ [ interface interface-type interface-number \| slot slot-number ] \| mac-address mac-address ] * In IRF mode: display pppoe-server session summary [ [ interface interface-type interface-number \| chassis chassis-number slot slot-number ] \| mac-address mac-address ] *
Display information about blocked users.	In standalone mode: display pppoe-server throttled-mac { slot slot-number \| interface interface-type interface-number } In IRF mode: display pppoe-server throttled-mac { chassis chassis-number slot slot-number \| interface interface-type interface-number }
Clear PPPoE sessions.	reset pppoe-server { all \| [ interface interface-type interface-number \| mac-address mac-address ] * \| virtual-template number }
Clear PPPoE protocol packet attack prevention entry information.	In standalone mode: reset pppoe-server chasten per-interface [ packets ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: reset pppoe-server chasten per-interface [ packets ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Clear information of blocked PPPoE users.	In standalone mode: reset pppoe-server chasten user [ packets ] [ mac-address [ mac-address ] \| option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: reset pppoe-server chasten user [ packets ] [ mac-address [ mac-address ] \| option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Clear PPPoE server negotiation packet statistics.	In standalone mode: reset pppoe-server packet statistics [ slot slot-number ] In IRF mode: reset pppoe-server packet statistics [ chassis chassis-number slot slot-number ]

‌

PPPoE configuration examples

Example: Configuring the PPPoE server to assign IPv4 addresses through the local DHCP server

Network configuration

As shown in Figure 13, configure the PPPoE server as a DHCP server to assign an IP address to the host.

Figure 13 Network diagram

‌

Procedure

# Configure Virtual-Template 1 to use CHAP for authentication.

<Router> system-view

[Router] interface virtual-template 1

[Router-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable the PPPoE server on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[Router] interface ten-gigabitethernet 3/1/1

[Router-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[Router-Ten-GigabitEthernet3/1/1] quit

# Enable DHCP.

[Router] dhcp enable

# Configure local BAS IP address pool pool1.

[Router] ip pool pool1 bas local

[Router-ip-pool-pool1] gateway 1.1.1.1 24

[Router-ip-pool-pool1] dns-list 8.8.8.8

# Exclude the IP address 1.1.1.1 from dynamic allocation in IP address pool pool1.

[Router-ip-pool-pool1] forbidden-ip 1.1.1.1

[Router-ip-pool-pool1] quit

# Create a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple 123456TESTplat&!

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# In ISP domain dm1, perform local AAA for PPP users and authorize an address pool.

[Router] domain name dm1

[Router-isp-dm1] authentication ppp local

[Router-isp-dm1] accounting ppp local

[Router-isp-dm1] authorization ppp local

[Router-isp-dm1] authorization-attribute ip-pool pool1

[Router-isp-dm1] quit

Verifying the configuration

# Log in to the router by using username user1 and password 123456TESTplat&!.

# Display information about IP addresses assigned by the DHCP server.

[Router] display access-user interface ten-gigabitethernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0xc XGE3/1/1 1.1.1.2 001b-21a8-0949 -/-

user1 PPPoE

The output shows that the router has assigned an IP address to the host.

Example: Configuring the PPPoE server to assign IP addresses to dual-stack users through a remote DHCP server

Network configuration

As shown in Figure 14, configure the PPPoE server as a DHCP relay agent to relay an IPv4 address and an IPv6 address from the DHCP server to the host.

Figure 14 Network diagram

‌

Prerequisites

Assign IP addresses to interface, and make sure the devices can reach each other at Layer 3. (Details not shown.)

Procedure

1. Configure Router A as the PPPoE server:

# Configure Virtual-Template 1 to use CHAP for authentication.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[RouterA-Virtual-Template1] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent on Virtual-Template 1.

[RouterA-Virtual-Template1] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent on Virtual-Template 1.

[RouterA-Virtual-Template1] ipv6 nd autoconfig other-flag

[RouterA-Virtual-Template1] quit

# Enable the PPPoE server on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[RouterA] interface ten-gigabitethernet 3/1/1

[RouterA-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[RouterA-Ten-GigabitEthernet3/1/1] quit

# Enable DHCP.

[RouterA] dhcp enable

# Create remote BAS IP address pool pool1.

[RouterA] ip pool pool1 bas remote

# Specify a gateway address for the clients in pool1.

[RouterA-ip-pool-pool1] gateway 1.1.1.1 24

# Exclude IP address 1.1.1.1 from dynamic allocation in pool1.

[RouterA-ip-pool-pool1] forbidden-ip 1.1.1.1

# Specify a DHCP server for pool1.

[RouterA-ip-pool-pool1] remote-server 10.1.1.1

[RouterA-ip-pool-pool1] quit

# Create an IPv6 address pool named pool2.

[RouterA] ipv6 pool pool2

# Specify gateway address 1::1 for DHCPv6 clients in the IPv6 address pool.

[RouterA-ipv6-pool-pool2] gateway-list 1::1

# Specify the subnet 1::/64 for dynamic allocation in the IPv6 address pool.

[RouterA-ipv6-pool-pool2] network 1::/64 export-route

# Exclude IPv6 address 1::1 from dynamic allocation in the IPv6 address pool.

[RouterA-ipv6-pool-pool2] forbidden-address 1::1

# Specify DHCPv6 server 10::1 for the IPv6 address pool.

[RouterA-ipv6-pool-pool2] remote-server 10::1

[RouterA-ipv6-pool-pool2] quit

# Enable the DHCPv4 relay agent and DHCPv6 relay agent on Ten-GigabitEthernet 3/1/1.

[RouterA] interface ten-gigabitethernet 3/1/1

[RouterA–Ten-GigabitEthernet3/1/1] dhcp select relay

[RouterA–Ten-GigabitEthernet3/1/1] ipv6 dhcp select relay

[RouterA–Ten-GigabitEthernet3/1/1] ipv6 dhcp relay release-agent

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate a link-local address, which is to be used as the gateway of users.

[RouterA–Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[RouterA–Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

[RouterA–Ten-GigabitEthernet3/1/1] quit

# Create a PPPoE user.

[RouterA] local-user user1 class network

[RouterA-luser-network-user1] password simple 123456TESTplat&!

[RouterA-luser-network-user1] service-type ppp

[RouterA-luser-network-user1] quit

# In ISP domain dm1, perform local AAA for PPP users and authorize an address pool.

[RouterA] domain name dm1

[RouterA-isp-dm1] authentication ppp local

[RouterA-isp-dm1] accounting ppp local

[RouterA-isp-dm1] authorization ppp local

[RouterA-isp-dm1] authorization-attribute ip-pool pool1

[RouterA-isp-dm1] authorization-attribute ipv6-pool pool2

[RouterA-isp-dm1] quit

2. Configure Router B as a DHCP server:

¡ Configure an IPv4 address pool:

# Enable DHCP.

<RouterB> system-view

[RouterB] dhcp enable

# Create IPv4 address pool pool1. Specify a subnet for dynamic allocation and specify a gateway address and a DNS server address for DHCP clients in the IPv4 address pool.

[RouterB] ip pool pool1

[RouterB-ip-pool-pool1] network 1.1.1.0 24

[RouterB-ip-pool-pool1] gateway-list 1.1.1.1

[RouterB-ip-pool-pool1] dns-list 8.8.8.8

# Exclude the IP address 1.1.1.1 from dynamic allocation in IPv4 address pool pool1.

[RouterB-ip-pool-pool1] forbidden-ip 1.1.1.1

[RouterB-ip-pool-pool1] quit

# Configure the default route to the PPPoE server.

[RouterB] ip route-static 0.0.0.0 0 10.1.1.2

¡ Configure an IPv6 address pool:

# Create IPv6 address pool pool2. Specify a subnet for dynamic allocation and specify a DNS server address for DHCP clients in the IPv6 address pool.

[RouterB] ipv6 pool pool2

[RouterB-ipv6-pool-pool2] network 1::/64

[RouterB-ipv6-pool-pool2] dns-server 8::8

# Exclude the IPv6 address 1::1 from dynamic allocation in IPv6 address pool pool2.

[RouterB-ipv6-pool-pool2] forbidden-address 1::1

[RouterB-ipv6-pool-pool2] quit

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/1/1.

[RouterB] interface ten-gigabitethernet 3/1/1

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 dhcp select server

[RouterB-Ten-GigabitEthernet3/1/1] quit

# Configure the default route to the PPPoE server.

[RouterB] ipv6 route-static :: 0 10::2

Verifying the configuration

# Verify that a host is assigned an IPv4 address and an IPv6 address after logging in to Router A by using username user1 and password 123456TESTplat&! through PPPoE.

[RouterA] display access-user interface ten-gigabitethernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0xc XGE3/1/1 1.1.1.2 001b-21a8-0949 -/-

user1 PPPoE

1::2

Example: Configuring the PPPoE server to assign IPv6 addresses through the NDRA method (prefixes authorized by AAA)

Network configuration

As shown in Figure 15, configure the PPPoE server to advertise the following information to the host:

· IPv6 prefix in RA messages.

· IPv6 interface identifier during IPv6CP negotiation.

The host uses the IPv6 prefix and IPv6 interface identifier to generate an IPv6 global unicast address. The IPv6 address prefixes in RA packets are authorized prefixes.

Figure 15 Network diagram

‌

Procedure

# Create Virtual-Template 1.

<Router> system-view

[Router] interface virtual-template 1

# Configure Virtual-Template 1 to use CHAP to authenticate the peer.

[Router-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[Router-Virtual-Template1] undo ipv6 nd ra halt

[Router-Virtual-Template1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[Router] interface ten-gigabitethernet 3/1/1

[Router-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[Router-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the PPPoE sever on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[Router-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[Router-Ten-GigabitEthernet3/1/1] quit

# (Applicable only to advertising prefix subnet routes.) Create an IPv6 address pool and enter its view. Specify the subnet for DHCPv6 clients and advertise the subnet route.

[Router] ipv6 pool pool1

[Router-ipv6-pool-pool1] network 10::/64 export-route

[Router-ipv6-pool-pool1] quit

# Configure a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple 123456TESTplat&!

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# Configure local AAA for the PPP users in the ISP domain dm1.

[Router] domain name dm1

[Router-isp-dm1] authentication ppp local

[Router-isp-dm1] accounting ppp local

[Router-isp-dm1] authorization ppp local

# Configure an IPv6 prefix and a DNS server authorized to the users in the ISP domain dm1.

[Router-isp-dm1] authorization-attribute ipv6-prefix 10:: 64

[Router-isp-dm1] authorization-attribute primary-dns ipv6 8::8

[Router-isp-dm1] quit

Verifying the configuration

# Display PPP user information on Ten-GigabitEthernet 3/1/1.

[Router] display access-user interface Ten-GigabitEthernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x6 XGE3/1/1 - 001b-21a8-0949 -/-

user1 PPPoE

10::F85B:7EE1:1410:74C9

Example: Configuring the PPPoE server to assign IPv6 addresses through the NDRA method (prefixes authorized by ND prefix pool)

Network configuration

As shown in Figure 15, configure the PPPoE server to advertise the following information to the host:

· IPv6 prefix in RA messages.

· IPv6 interface identifier during IPv6CP negotiation.

The host uses the IPv6 prefix and IPv6 interface identifier to generate an IPv6 global unicast address. The IPv6 address prefixes in RA packets are authorized prefixes.

Figure 16 Network diagram

‌

Procedure

# Create Virtual-Template 1.

<Router> system-view

[Router] interface virtual-template 1

# Configure Virtual-Template 1 to use CHAP to authenticate the peer.

[Router-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[Router-Virtual-Template1] undo ipv6 nd ra halt

[Router-Virtual-Template1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[Router] interface ten-gigabitethernet 3/1/1

[Router-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[Router-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the PPPoE sever on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[Router-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[Router-Ten-GigabitEthernet3/1/1] quit

# Create prefix pool 1, and specify the prefix 10::/32 with the assigned prefix length 64. Prefix pool 1 contains 4294967296 prefixes from 10::/64 to 10:0:FFFF:FFFF::/64.

[Router] ipv6 dhcp prefix-pool 1 prefix 10::/32 assign-len 64

# Create an IPv6 address pool named pool1, and apply prefix pool 1 to the address pool.

[Router] ipv6 pool pool1

[Router-ipv6-pool-pool1] prefix-pool 1 export-route

[Router-ipv6-pool-pool1] quit

# Configure a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple 123456TESTplat&!

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# Configure local AAA for the PPP users in the ISP domain dm1.

[Router] domain name dm1

[Router-isp-dm1] authentication ppp local

[Router-isp-dm1] accounting ppp local

[Router-isp-dm1] authorization ppp local

# Authorize ND prefix pool pool1 and the primary DNS server to users in the ISP domain dm1.

[Router-isp-dm1] authorization-attribute ipv6-nd-prefix-pool pool1

[Router-isp-dm1] authorization-attribute primary-dns ipv6 8::8

[Router-isp-dm1] quit

Verifying the configuration

# Display PPP user information on Ten-GigabitEthernet 3/1/1.

[Router] display access-user interface Ten-GigabitEthernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x6 XGE3/1/1 - 001b-21a8-0949 -/-

user1 PPPoE

10::F85B:7EE1:1410:74C9

Example: Configuring the PPPoE server to assign IPv6 addresses through the IA_NA method

Network configuration

As shown in Figure 17, configure the PPPoE server to assign an IPv6 address to the host through DHCPv6.

Figure 17 Network diagram

‌

Procedure

# Create Virtual-Template 1.

<Router> system-view

[Router] interface virtual-template 1

# Configure Virtual-Template 1 to use CHAP to authenticate the peer.

[Router-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[Router-Virtual-Template1] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

[Router-Virtual-Template1] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent on Virtual-Template 1.

[Router-Virtual-Template1] ipv6 nd autoconfig other-flag

[Router-Virtual-Template1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[Router] interface ten-gigabitethernet 3/1/1

[Router-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[Router-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/1/1.

[Router-Ten-GigabitEthernet3/1/1] ipv6 dhcp select server

# Enable the PPPoE sever on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[Router-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[Router-Ten-GigabitEthernet3/1/1] quit

# Configure IPv6 address pool pool1 with network 1::/32 for dynamic allocation and DNS server IP address 8::8.

[Router] ipv6 pool pool1

[Router-ipv6-pool-pool1] network 1::/32 export-route

[Router-ipv6-pool-pool1] dns-server 8::8

[Router-ipv6-pool-pool1] quit

# (Optional.) Configure the interface ID-based allocation mode for the IPv6 address pool.

NOTE:

You must configure this feature when dialup users that use the Windows 7 system exist on the network.

[Router-ipv6-pool-pool1] address-alloc-mode interface-id

# Configure a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple 123456TESTplat&!

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# In the ISP domain dm1, perform local AAA for PPP users, and authorize an address pool to PPP users.

[Router] domain name dm1

[Router-isp-dm1] authentication ppp local

[Router-isp-dm1] accounting ppp local

[Router-isp-dm1] authorization ppp local

[Router-isp-dm1] authorization-attribute ipv6-pool pool1

[Router-isp-dm1] quit

Verifying the configuration

# Display PPP user information on Ten-GigabitEthernet 3/1/1.

[Router] display access-user interface Ten-GigabitEthernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x9 XGE3/1/1 - 001b-21a8-0949 -/-

user1 PPPoE

1::1

Example: Configuring the PPPoE server to assign IPv6 addresses through the IA_PD method

Network configuration

As shown in Figure 18, configure the PPPoE server to assign a prefix to Router A through DHCPv6. Router A then assigns the prefix to the host for it to generate an IPv6 address.

Figure 18 Network diagram

‌

Procedure

1. Configure Router B (PPPoE server):

# Create Virtual-Template 1.

<RouterB> system-view

[RouterB] interface virtual-template 1

# Configure Virtual-Template 1 to use CHAP to authenticate the peer.

[RouterB-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[RouterB-Virtual-Template1] undo ipv6 nd ra halt

[RouterB-Virtual-Template1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[Router] interface ten-gigabitethernet 3/1/1

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[RouterB-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/1/1.

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 dhcp select server

# Enable the PPPoE sever on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[RouterB-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[RouterB-Ten-GigabitEthernet3/1/1] quit

# Create prefix pool 6, and specify prefix 20::/32 with assigned prefix length 42.

[RouterB] ipv6 dhcp prefix-pool 6 prefix 20::/32 assign-len 42

# Create IPv6 address pool pool1, and apply prefix pool 6 to address pool pool1.

[RouterB] ipv6 pool pool1

[RouterB-ipv6-pool-pool1] prefix-pool 6 export-route

[RouterB-ipv6-pool-pool1] quit

# Configure a PPPoE user.

[RouterB] local-user user1 class network

[RouterB-luser-network-user1] password simple 123456TESTplat&!

[RouterB-luser-network-user1] service-type ppp

[RouterB-luser-network-user1] quit

# In the ISP domain dm1, perform local AAA for PPP users, and authorize an address pool to PPP users.

[RouterB] domain name dm1

[RouterB-isp-dm1] authentication ppp local

[RouterB-isp-dm1] accounting ppp local

[RouterB-isp-dm1] authorization ppp local

[RouterB-isp-dm1] authorization-attribute ipv6-pool pool1

[RouterB-isp-dm1] quit

2. Configure Router A (PPPoE client):

IMPORTANT:

· The device (Router B in this example) can only act as a PPPoE server, and cannot act as a PPPoE client.

· The configuration for the device acting as the PPPoE client varies by version. The configuration in this section is for reference only. For more information, see the manual for the device acting as the PPPoE client.

‌

# Enable bundle DDR on interface Dialer 1.

<RouterA> system-view

[RouterA] interface dialer 1

[RouterA-Dialer1] dialer bundle enable

# On Dialer 1, configure the CHAP username and password sent from Router A to Router B as user1 and 123456TESTplat&! when Router A is authenticated by Router B by using CHAP.

[RouterA-Dialer1] ppp chap user user1

[RouterA-Dialer1] ppp chap password simple 123456TESTplat&!

# Configure the PPPoE session to operate in permanent mode.

[RouterA-Dialer1] dialer timer idle 0

# Set the DDR auto-dial interval to 60 seconds.

[RouterA-Dialer1] dialer timer autodial 60

# Configure Dialer 1 to use DHCPv6 to obtain an IPv6 address and other configuration parameters.

[RouterA-Dialer1] ipv6 address dhcp-alloc

# Configure Dialer 1 as a DHCPv6 client for IPv6 prefix acquisition. Configure the DHCPv6 client to assign ID 1 to the obtained IPv6 prefix.

[RouterA-Dialer1] ipv6 dhcp client pd 1

[RouterA-Dialer1] quit

# Configure a PPPoE session corresponding to Dialer bundle 1, which corresponds to Dialer 1.

[RouterA] interface ten-gigabitethernet 3/1/2

[RouterA-Ten-GigabitEthernet3/1/2] pppoe-client dial-bundle-number 1

[RouterA-Ten-GigabitEthernet3/1/2] quit

# Configure a default route.

[RouterA] ipv6 route-static :: 0 dialer 1

# Enable Ten-GigabitEthernet3/1/1 to advertise RA messages.

[RouterA] interface ten-gigabitethernet 3/1/1

[RouterA-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Configure Ten-GigabitEthernet3/1/1 to dynamically obtain IPv6 prefix 1, use IPv6 prefix 1 to generate IPv6 address 20::123:1:1 (which must be configured as the gateway for users attached to Router A) and advertise IPv6 prefix 1 to endpoints through RA messages.

[RouterA-Ten-GigabitEthernet3/1/1] ipv6 address 1 123::123:1:1/64

[RouterA-Ten-GigabitEthernet3/1/1] quit

Verifying the configuration

# Verify that Router B has assigned a prefix to Router A through DHCPv6.

[RouterB] display ipv6 dhcp server pd-in-use

Pool: pool1

IPv6 prefix Type Lease expiration

20::/42 Auto(C) Jul 10 19:45:01 2019

# Display information about prefixes on Router A.

[RouterA] display ipv6 prefix

Number Prefix Type

1 20::/42 Dynamic

The output shows that Router A has created prefix 1 based on the ipv6 dhcp client pd 1 command after obtaining a prefix from Router B.

Then, Router A can assign the prefix 20::/42 to the host who uses the prefix to generate an IPv6 global unicast address.

Example: Configuring the PPPoE server to assign IP addresses through the DHCPv4+NDRA+IA_PD method

Network configuration

As shown in Figure 19, configure the PPPoE server as follows:

· Configure Router B as a DHCP relay agent to request an IPv4 address for Router A from the DHCP server.

· Configure the PPPoE server to assign an IPv6 prefix from the ND prefix pool to the WAN interface (Dialer 1 in this example) of Router A through NDRA.

· Configure the PPPoE server to assign a prefix to Router A through IA_PD. Router A then assigns the prefix to the host for it to generate an IPv6 address.

Figure 19 Network diagram

‌

Procedure

1. Configure Router C (DHCP server):

# Enable DHCP.

<RouterC> system-view

[RouterC] dhcp enable

# Configure IP pool pool1 to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0/24.

[RouterC] ip pool pool1

[RouterC-ip-pool-pool1] network 1.1.1.0 24

[RouterC-ip-pool-pool1] gateway-list 1.1.1.1

[RouterC-ip-pool-pool1] dns-list 8.8.8.8

# Exclude the gateway address from dynamic allocation.

[RouterC-ip-pool-pool1] forbidden-ip 1.1.1.1

[RouterC-ip-pool-pool1] quit

# Configure the default route to the PPPoE server.

[RouterC] ip route-static 0.0.0.0 0 10.1.1.2

2. Configure Router B (PPPoE server):

# Create Virtual-Template 1.

<RouterB> system-view

[RouterB] interface virtual-template 1

# Configure Virtual-Template 1 to use CHAP to authenticate the peer.

[RouterB-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[RouterB-Virtual-Template1] undo ipv6 nd ra halt

[RouterB-Virtual-Template1] quit

# Enable DHCP.

[RouterB] dhcp enable

# Create a remote BAS IP pool named pool1, and specify the gateway IP address and the network mask for the IP pool. Exclude IP address 1.1.1.1 from dynamic allocation, and specify a DHCP server for the IP pool.

[RouterB] ip pool pool1 bas remote

[RouterB-ip-pool-pool1] gateway 1.1.1.1 24

[RouterB-ip-pool-pool1] forbidden-ip 1.1.1.1

[RouterB-ip-pool-pool1] remote-server 10.1.1.1

[RouterB-ip-pool-pool1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[RouterB] interface ten-gigabitethernet 3/1/1

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[RouterB-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the DHCP relay agent on Ten-GigabitEthernet 3/1/1.

[RouterB-Ten-GigabitEthernet3/1/1] dhcp select relay

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/1/1.

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 dhcp select server

# Enable the PPPoE sever on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[RouterB-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[RouterB-Ten-GigabitEthernet3/1/1] quit

# (For NDRA) Create DHCPv6 prefix pool 1, and specify the prefix 10::/32 with the assigned prefix length 64. Prefix pool 1 contains 4294967296 prefixes from 10::/64 to 10:0:FFFF:FFFF::/64.

[RouterB] ipv6 dhcp prefix-pool 1 prefix 10::/32 assign-len 64

# Create an IPv6 address pool named ndra and apply prefix pool 1 to the IPv6 address pool.

[RouterB] ipv6 pool ndra

[RouterB-ipv6-pool-ndra] prefix-pool 1 export-route

[RouterB-ipv6-pool-ndra] quit

# (For IA_PD) Create prefix pool 6, and specify prefix 20::/32 with assigned prefix length 42.

[RouterB] ipv6 dhcp prefix-pool 6 prefix 20::/32 assign-len 42

# Create IPv6 address pool iapd, and apply prefix pool 6 to address pool iapd.

[RouterB] ipv6 pool iapd

[RouterB-ipv6-pool-iapd] prefix-pool 6 export-route

[RouterB-ipv6-pool-iapd] quit

# Configure a PPPoE user.

[RouterB] local-user user1 class network

[RouterB-luser-network-user1] password simple 123456TESTplat&!

[RouterB-luser-network-user1] service-type ppp

[RouterB-luser-network-user1] quit

# In the ISP domain dm1, perform local AAA for PPP users, and authorize an IPv4 address pool, ND prefix pool, IPv6 DNS address, and IPv6 address pool to PPP users.

[RouterB] domain name dm1

[RouterB-isp-dm1] authentication ppp local

[RouterB-isp-dm1] accounting ppp local

[RouterB-isp-dm1] authorization ppp local

[RouterB-isp-dm1] authorization-attribute ip-pool pool1

[RouterB-isp-dm1] authorization-attribute ipv6-nd-prefix-pool ndra

[RouterB-isp-dm1] authorization-attribute primary-dns ipv6 8::8

[RouterB-isp-dm1] authorization-attribute ipv6-pool iapd

[RouterB-isp-dm1] quit

3. Configure Router A (PPPoE client):

IMPORTANT:

· The device (Router B in this example) can only act as a PPPoE server, and cannot act as a PPPoE client.

‌

# Enable bundle DDR on interface Dialer 1.

<RouterA> system-view

[RouterA] interface dialer 1

[RouterA-Dialer1] dialer bundle enable

# On Dialer 1, configure the CHAP username and password sent from Router A to Router B as user1 and 123456TESTplat&! when Router A is authenticated by Router B by using CHAP.

[RouterA-Dialer1] ppp chap user user1

[RouterA-Dialer1] ppp chap password simple 123456TESTplat&!

# Configure the PPPoE session to operate in permanent mode.

[RouterA-Dialer1] dialer timer idle 0

# Set the DDR auto-dial interval to 60 seconds.

[RouterA-Dialer1] dialer timer autodial 60

# (For IPv4) Configure Dialer 1 to obtain an IP address through PPP negotiation, enable Dialer 1 to actively request the DNS server IP address from its peer, and configure Dialer 1 to accept the DNS server IP addresses assigned by the peer even though it does not request DNS server IP addresses from the peer.

[RouterA-Dialer1] ip address ppp-negotiate

[RouterA-Dialer1] ppp ipcp dns request

[RouterA-Dialer1] ppp ipcp dns admit-any

# (For IPv4) Translate the source addresses of the packets from internal hosts into the IP address of Dialer 1.

[RouterA-Dialer1] nat outbound

# (For NDRA) Configure Dialer 1 to automatically generate an IPv6 global unicast address.

[RouterA-Dialer1] ipv6 address auto

# (For IA_PD) Configure Dialer 1 to use DHCPv6 to obtain an IPv6 address and other configuration parameters.

[RouterA-Dialer1] ipv6 address dhcp-alloc

# (For IA_PD) Configure Dialer 1 as a DHCPv6 client for IPv6 prefix acquisition. Configure the DHCPv6 client to assign ID 1 to the obtained IPv6 prefix.

[RouterA-Dialer1] ipv6 dhcp client pd 1

[RouterA-Dialer1] quit

# Configure a PPPoE session corresponding to Dialer bundle 1, which corresponds to Dialer 1.

[RouterA] interface ten-gigabitethernet 3/1/2

[RouterA-Ten-GigabitEthernet3/1/2] pppoe-client dial-bundle-number 1

[RouterA-Ten-GigabitEthernet3/1/2] quit

# Configure default routes.

[RouterA] ip route-static 0.0.0.0 0 dialer 1

[RouterA] ipv6 route-static :: 0 dialer 1

# Enable DHCP.

[RouterA] dhcp enable

# Configure IP address pool pool1 to assign IPv4 addresses and other configuration parameters to clients on subnet 192.168.1.0/24.

[RouterA] ip pool pool1

[RouterA-ip-pool-pool1] network 192.168.1.0 24

[RouterA-ip-pool-pool1] gateway-list 192.168.1.1

[RouterA-ip-pool-pool1] dns-list 8.8.8.8

# Exclude the gateway address from dynamic allocation.

[RouterA-ip-pool-pool1] forbidden-ip 192.168.1.1

[RouterA-ip-pool-pool1] quit

# Assign IP address 192.168.1.1 to Ten-GigabitEthernet3/1/1.

[RouterA] interface ten-gigabitethernet 3/1/1

[RouterA-Ten-GigabitEthernet3/1/1] ip address 192.168.1.1 24

# Enable Ten-GigabitEthernet3/1/1 to advertise RA messages.

[RouterA-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Configure Ten-GigabitEthernet3/1/1 to dynamically obtain IPv6 prefix 1, use IPv6 prefix 1 to generate IPv6 address 20::123:1:1 (which must be configured as the gateway for users attached to Router A), and advertise IPv6 prefix 1 to endpoints through RA messages.

[RouterA-Ten-GigabitEthernet3/1/1] ipv6 address 1 123::123:1:1/64

[RouterA-Ten-GigabitEthernet3/1/1] quit

Verifying the configuration

# Verify that Router B has assigned a prefix to Router A through DHCPv6. After Router A is configured and accesses Router B through username user1 and password 123456TESTplat&! through PPPoE, Router B automatically obtains an IPv4 address through DHCPv4 and generates an IPv6 global unicast address through the authorized IPv6 prefix and IPv6 interface identifier obtained through IPv6CP negotiation.

[RouterB] display access-user interface ten-gigabitethernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x6 XGE3/1/1 1.1.1.2 001b-21a8-0949 -/-

user1 PPPoE

10::F85B:7EE1:1410:74C9

# Verify that Router B has assigned a prefix to Router A through DHCPv6.

[RouterB] display ipv6 dhcp server pd-in-use

Pool: iapd

IPv6 prefix Type Lease expiration

20::/42 Auto(C) Jul 10 19:45:01 2019

Pool: ndra

IPv6 prefix Type Lease expiration

10::/64 Auto(C) Expires after 2100

# Display information about prefixes on Router A.

[RouterA] display ipv6 prefix

Number Prefix Type

1 20::/42 Dynamic

The output shows that Router A has created prefix 1 based on the ipv6 dhcp client pd 1 command after obtaining a prefix from Router B.

Then, Router A can assign the prefix 20::/42 to the host who uses the prefix to generate an IPv6 global unicast address.

Example: Configuring the PPPoE server to assign IPv6 addresses through the IA_NA+IA_PD method

Network configuration

As shown in Figure 20, configure the PPPoE server as follows:

· Configure the PPPoE server to assign an IPv6 global unicast address to the WAN interface (Dialer 1 in this example) of Router A.

· Configure the PPPoE server to assign a prefix to Router A through IA_PD. Router A then assigns the prefix to the host for it to generate an IPv6 address.

Figure 20 Network diagram

‌

Procedure

1. Configure Router B (PPPoE server):

# Create Virtual-Template 1.

<RouterB> system-view

[RouterB] interface virtual-template 1

# Configure Virtual-Template 1 to use CHAP to authenticate the peer.

[RouterB-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[RouterB-Virtual-Template1] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

[RouterB-Virtual-Template1] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent on Virtual-Template 1.

[RouterB-Virtual-Template1] ipv6 nd autoconfig other-flag

[RouterB-Virtual-Template1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[Router] interface ten-gigabitethernet 3/1/1

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[RouterB-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/1/1.

[RouterB-Ten-GigabitEthernet3/1/1] ipv6 dhcp select server

# Enable the PPPoE sever on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[RouterB-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[RouterB-Ten-GigabitEthernet3/1/1] quit

# (For IA_PD) Create prefix pool 6, and specify prefix 20::/32 with assigned prefix length 42.

[RouterB] ipv6 dhcp prefix-pool 6 prefix 20::/32 assign-len 42

# Create an IPv6 address pool named pool1.

[RouterB] ipv6 pool pool1

# (For IA_NA) Configure IPv6 address pool pool1 with network 1::/32 for dynamic allocation and DNS server IP address 8::8.

[RouterB-ipv6-pool-pool1] network 1::/32

[RouterB-ipv6-pool-pool1] dns-server 8::8

# (For IA_PD) Apply prefix pool 6 to address pool pool1.

[RouterB-ipv6-pool-pool1] prefix-pool 6 export-route

[RouterB-ipv6-pool-pool1] quit

# Configure a PPPoE user.

[RouterB] local-user user1 class network

[RouterB-luser-network-user1] password simple 123456TESTplat&!

[RouterB-luser-network-user1] service-type ppp

[RouterB-luser-network-user1] quit

# In the ISP domain dm1, perform local AAA for PPP users, and authorize an address pool to PPP users.

[RouterB] domain name dm1

[RouterB-isp-dm1] authentication ppp local

[RouterB-isp-dm1] accounting ppp local

[RouterB-isp-dm1] authorization ppp local

[RouterB-isp-dm1] authorization-attribute ipv6-pool pool1

[RouterB-isp-dm1] quit

2. Configure Router A (PPPoE client):

IMPORTANT:

· The device (Router B in this example) can only act as a PPPoE server, and cannot act as a PPPoE client.

‌

# Enable bundle DDR on interface Dialer 1.

<RouterA> system-view

[RouterA] interface dialer 1

[RouterA-Dialer1] dialer bundle enable

# On Dialer 1, configure the CHAP username and password sent from Router A to Router B as user1 and 123456TESTplat&! when Router A is authenticated by Router B by using CHAP.

[RouterA-Dialer1] ppp chap user user1

[RouterA-Dialer1] ppp chap password simple 123456TESTplat&!

# Configure the PPPoE session to operate in permanent mode.

[RouterA-Dialer1] dialer timer idle 0

# Set the DDR auto-dial interval to 60 seconds.

[RouterA-Dialer1] dialer timer autodial 60

# (For IA_NA+IA_PD) Configure Dialer 1 to use DHCPv6 to obtain an IPv6 address and other configuration parameters.

[RouterA-Dialer1] ipv6 address dhcp-alloc

# (For IA_PD) Configure Dialer 1 as a DHCPv6 client for IPv6 prefix acquisition. Configure the DHCPv6 client to assign ID 1 to the obtained IPv6 prefix.

[RouterA-Dialer1] ipv6 dhcp client pd 1

[RouterA-Dialer1] quit

# Configure a PPPoE session corresponding to Dialer bundle 1, which corresponds to Dialer 1.

[RouterA] interface ten-gigabitethernet 3/1/2

[RouterA-Ten-GigabitEthernet3/1/2] pppoe-client dial-bundle-number 1

[RouterA-Ten-GigabitEthernet3/1/2] quit

# Configure a default route.

[RouterA] ipv6 route-static :: 0 dialer 1

# Enable Ten-GigabitEthernet3/1/1 to advertise RA messages.

[RouterA] interface ten-gigabitethernet 3/1/1

[RouterA-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Configure Ten-GigabitEthernet3/1/1 to dynamically obtain IPv6 prefix 1, use IPv6 prefix 1 to generate IPv6 address 20::123:1:1 (which must be configured as the gateway for users attached to Router A), and advertise IPv6 prefix 1 to endpoints through RA messages.

[RouterA-Ten-GigabitEthernet3/1/1] ipv6 address 1 123::123:1:1/64

[RouterA-Ten-GigabitEthernet3/1/1] quit

Verifying the configuration

# Verify that Router B has assigned an IPv6 global unicast address to Router A through DHCPv6 after Router A is configured and accesses Router B through username user1 and password 123456TESTplat&! through PPPoE.

[Router] display access-user interface ten-gigabitethernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x9 XGE3/1/1 - 001b-21a8-0949 -/-

user1 PPPoE

1::1

# Verify that Router B has assigned a prefix to Router A through DHCPv6.

[RouterB] display ipv6 dhcp server pd-in-use

Pool: pool1

IPv6 prefix Type Lease expiration

20::/42 Auto(C) Jul 10 19:45:01 2019

# Display information about prefixes on Router A.

[RouterA] display ipv6 prefix

Number Prefix Type

1 20::/42 Dynamic

The output shows that Router A has created prefix 1 based on the ipv6 dhcp client pd 1 command after obtaining a prefix from Router B.

Then, Router A can assign the prefix 20::/42 to the host who uses the prefix to generate an IPv6 global unicast address.

Example: Assigning IP addresses to dual-stack users through the local DHCP server

Network configuration

As shown in Figure 21, configure the PPPoE server as a DHCP server to assign an IPv4 address to the host and configure it as a DHCPv6 server to assign an IPv6 address to the host.

Figure 21 Network diagram

‌

Procedure

# Configure Virtual-Template 1 to use CHAP for authentication.

<Router> system-view

[Router] interface virtual-template 1

[Router-Virtual-Template1] ppp authentication-mode chap domain dm1

# Enable Virtual-Template 1 to advertise RA messages.

[Router-Virtual-Template1] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

[Router-Virtual-Template1] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent on Virtual-Template 1.

[Router-Virtual-Template1] ipv6 nd autoconfig other-flag

[Router-Virtual-Template1] quit

# Configure Ten-GigabitEthernet 3/1/1 to automatically generate an IPv6 link-local address.

[Router] interface ten-gigabitethernet 3/1/1

[Router-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable Ten-GigabitEthernet 3/1/1 to advertise RA messages.

[Router-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/1/1.

[Router-Ten-GigabitEthernet3/1/1] ipv6 dhcp select server

# Enable the PPPoE server on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[Router-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[Router-Ten-GigabitEthernet3/1/1] quit

# Enable DHCPv4.

[Router] dhcp enable

# Configure local BAS IP address pool pool1.

[Router] ip pool pool1 bas local

[Router-ip-pool-pool1] gateway 1.1.1.1 24

[Router-ip-pool-pool1] dns-list 8.8.8.8

# Exclude the IP address 1.1.1.1 from dynamic allocation in IP address pool pool1.

[Router-ip-pool-pool1] forbidden-ip 1.1.1.1

[Router-ip-pool-pool1] quit

# Configure IPv6 address pool pool1 with network 1::/32 for dynamic allocation and DNS server IP address 8::8.

[Router] ipv6 pool pool1

[Router-ipv6-pool-pool1] network 1::/32 export-route

[Router-ipv6-pool-pool1] dns-server 8::8

[Router-ipv6-pool-pool1] quit

# Create a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple 123456TESTplat&!

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# In the ISP domain dm1, perform local AAA for PPP users, and authorize address pools to PPP users.

[Router] domain name dm1

[Router-isp-dm1] authentication ppp local

[Router-isp-dm1] accounting ppp local

[Router-isp-dm1] authorization ppp local

[Router-isp-dm1] authorization-attribute ipv6-pool pool1

[Router-isp-dm1] quit

Verifying the configuration

# Log in to the router by using username user1 and password 123456TESTplat&!.

# Display information about IP addresses assigned by the DHCP server.

[Router] display access-user interface Ten-GigabitEthernet 3/1/1

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0xc XGE3/1/1 1.1.1.2 001b-21a8-0949 -/-

user1 PPPoE

1::1

The output shows that the router has assigned an IPv4 address and an IPv6 address to the host.

Example: Configuring PPPoE server RADIUS-based IP address assignment

Network configuration

As shown in Figure 22, configure the PPPoE server to meet the following requirements:

· The PPPoE server uses the RADIUS server to perform authentication, authorization, and accounting for access users. This example uses Free RADIUS that runs in the Linux operating system.

· The RADIUS server assigns access users an IP address pool named pool1 and a VPN instance named vpn1.

· Users in vpn1 obtain IP addresses from IP address pool pool1.

Figure 22 Network diagram

‌

Prerequisites

For the two ends of VPN 1 to communicate with each other, specify the same route target attributes on the two PEs (Router A and Router B). This example describes only the authentication-related configuration on the PE that is connected to the PPPoE client. For information about configuring MPLS L3VPN, see MPLS Configuration Guide.

Procedure

1. Configure the RADIUS server:

# Add the following text to the client.conf file to configure RADIUS client information.

client 10.1.1.1/24 {

secret = radius

}

Where, secret represents the shared key for authentication, authorization, and accounting.

# Add the following text to the users.conf file to configure legal user information.

user1 Auth-Type == CHAP,User-Password := pass1

Service-Type = Framed-User,

Framed-Protocol = PPP,

Framed-Pool = "pool1",

H3C-VPN-Instance = "vpn1",

2. Configure Router A:

a. Configure the PPPoE server:

# Configure Virtual-Template 1 to use CHAP for authentication and use ISP domain dm1 as the authentication domain.

<RouterA> system-view

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ppp authentication-mode chap domain dm1

[RouterA-Virtual-Template1] quit

# Enable DHCP.

[RouterA] dhcp enable

# Configure local BAS IP address pool pool1.

[RouterA] ip pool pool1 bas local

[RouterA-ip-pool-pool1] vpn-instance vpn1

[RouterA-ip-pool-pool1] gateway 1.1.1.1 24

[RouterA-ip-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 1.1.1.1 from dynamic allocation in the address pool.

[RouterA-ip-pool-pool1] forbidden-ip 1.1.1.1

[RouterA-ip-pool-pool1] quit

# Enable the PPPoE server on Ten-GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 1.

[RouterA] interface ten-gigabitethernet 3/1/1

[RouterA-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[RouterA-Ten-GigabitEthernet3/1/1] quit

b. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1, and enter its view.

[RouterA] radius scheme rs1

# Specify the primary authentication server and the primary accounting server.

[RouterA-radius-rs1] primary authentication 10.1.1.2

[RouterA-radius-rs1] primary accounting 10.1.1.2

# Set the shared key for secure communication with the server to radius in plain text.

[RouterA-radius-rs1] key authentication simple radius

[RouterA-radius-rs1] key accounting simple radius

# Exclude domain names in the usernames sent to the RADIUS server.

[RouterA-radius-rs1] user-name-format without-domain

[RouterA-radius-rs1] quit

c. Configure an authentication domain:

# Create an ISP domain named dm1.

[RouterA] domain name dm1

# In ISP domain dm1, perform RADIUS authentication, authorization, and accounting for users based on scheme rs1.

[RouterA-isp-dm1] authentication ppp radius-scheme rs1

[RouterA-isp-dm1] authorization ppp radius-scheme rs1

[RouterA-isp-dm1] accounting ppp radius-scheme rs1

[RouterA-isp-dm1] quit

Verifying the configuration

# Verify that Host A can successfully ping CE. (Details not shown.)

# Display binding information about assigned IP addresses in VPN1.

[RouterA] display dhcp server ip-in-use vpn-instance vpn1

IP address Client identifier/ Lease expiration Type

Hardware address

1.1.1.2 3030-3030-2e30-3030- Unlimited Auto(C)

662e-3030-3033-2d45-

7468-6572-6e65-74

Example: Configuring PPPoE static dual-stack users

Network configuration

Host is manually configured with static IPv4 address 1.1.1.2/24, static IPv6 address 1::021B:21FF:FEA8:0949/64, and static IPv6 DNS server address 8::F85B:7EE1:1410:74C9. Host is connected to Router through an Ethernet interface, and Router acts as the PPPoE server. Configure Host to access Router through PPPoE by using the manually configured static IP addresses.

Figure 23 Network diagram

‌

Restrictions and guidelines

In some operating systems (for example, Windows 7), if the interface ID in the IPv6 global unicast address requested by a DHCPv6 client is different from the interface ID in the link-local address of the DHCPv6 client, Windows 7 will consider the IPv6 global unicast address as unavailable. As a result, the DHCPv6 client cannot use the address as the source address to send packets. Therefore, as a best practice to ensure that the function operates normally, configure the interface ID in a static IPv6 address to be the same as that in the link-local address when configuring the static IPv6 address. For example, the link-local address in this example is FE80::021B:21FF:FEA8:0949, and the static IPv6 address is 1::021B:21FF:FEA8:0949.

Procedure

# Configure Virtual-Template 1 to use CHAP for authenticating the peer.

<Router> system-view

[Router] interface virtual-template 1

[Router-Virtual-Template1] ppp authentication-mode chap domain dm1

# Configure the device to allow a remote user to come online by using a self-configured static IPv4 address and IPv6 address.

[Router-Virtual-Template1] ppp accept remote-ip-address

[Router-Virtual-Template1] ppp accept remote-ipv6-address

# Enable Virtual-Template 1 to advertise RA messages. Set the managed address configuration flag (M) to 1 to prevent the IPv6 static users from coming online through NDRA.

[Router-Virtual-Template1] undo ipv6 nd ra halt

[Router-Virtual-Template1] ipv6 nd autoconfig managed-address-flag

[Router-Virtual-Template1] quit

# Automatically generate a link-local address for Ten-GigabitEthernet 3/1/1.

[Router] interface ten-gigabitethernet 3/1/1

[Router-Ten-GigabitEthernet3/1/1] ipv6 address auto link-local

# Enable the interface to advertise RA messages.

[Router-Ten-GigabitEthernet3/1/1] undo ipv6 nd ra halt

# Disable the DHCPv6 server and DHCPv6 relay agent on the interface to prevent IPv6 static users from coming online through IA_NA. (The default configuration.)

[Router-Ten-GigabitEthernet3/1/1] undo ipv6 dhcp select

# Enable the PPPoE server on Ten-GigabitEthernet 3/1/1 and bind it to Virtual-Template 1.

[Router-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[Router-Ten-GigabitEthernet3/1/1] quit

# Enable DHCPv4.

[Router] dhcp enable

# Configure a local BAS IP address pool pool1.

[Router] ip pool pool1 bas local

[Router-ip-pool-pool1] gateway 1.1.1.1 24

[Router-ip-pool-pool1] dns-list 8.8.8.8

# Exclude gateway IP address 1.1.1.1 and static user IP address 1.1.1.2 from dynamic allocation.

[Router-ip-pool-pool1] forbidden-ip 1.1.1.1

[Router-ip-pool-pool1] forbidden-ip 1.1.1.2

[Router-ip-pool-pool1] quit

# Exclude static user IPv6 address 1::021B:21FF:FEA8:0949 from dynamic allocation.

[Router] ipv6 dhcp server forbidden-address 1::021B:21FF:FEA8:0949

# Configure a PPPoE user.

[Router] local-user user1 class network

[Router-luser-network-user1] password simple 123456TESTplat&!

[Router-luser-network-user1] service-type ppp

[Router-luser-network-user1] quit

# In ISP domain dm1, perform local AAA for users and authorize an address pool.

[Router] domain name dm1

[Router-isp-dm1] authentication ppp local

[Router-isp-dm1] accounting ppp local

[Router-isp-dm1] authorization ppp local

[Router-isp-dm1] authorization-attribute ip-pool pool1

[Router-isp-dm1] quit

Verifying the configuration

After the configuration is completed, Host accesses Router through PPPoE by using username user1 and password 123456TESTplat&!. Verify that Host has come online successfully by using the manually configured static IP addresses.

[Router] display access-user interface ten-gigabitethernet 3/1/1

Username Access type

IPv6 address

0xc XGE3/1/1 1.1.1.2 001b-21a8-0949 -/-

user1 PPPoE

1::021B:21FF:FEA8:0949

16-BRAS Services Configuration Guide

Configuring PPPoE

Router-initiated network structure

Host-initiated network structure

PPPoE negotiation

PPP negotiation

LCP negotiation

Authentication phase

NCP negotiation

The PPPoE connection is enabled to negotiate the MRU according to relevant standards

The PPPoE connection is disabled from negotiating the MRU according to relevant standards

About this task

Restrictions and guidelines for maximum number of PPPoE sessions

Setting the maximum number of PPPoE sessions in interface view

Setting the maximum number of PPPoE sessions in system view

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines for PPPoE user blocking configuration

Enabling MAC-based user blocking in system view

Enabling MAC-based user blocking in interface view

Enabling option105-based user blocking in system view

Enabling option105-based user blocking in interface view

About this task

Restrictions and guidelines

Configuring PPPoE protocol packet attack prevention globally

Configuring PPPoE protocol packet attack prevention on an interface

About this task

Restrictions and guidelines

Procedure

About this task

Application scenarios

Operating mechanism

Restrictions and guidelines

Procedure

About this task

Application scenarios

Operating mechanism

Restrictions and guidelines

Procedure

Display and maintenance commands for PPPoE

PPPoE configuration examples

Network configuration

Procedure

Verifying the configuration

Network configuration

Prerequisites

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration