15-BRAS Services Command Reference
10-IPoE commands
display ip subscriber abnormal-logout
display ip subscriber chasten user auth-failed
display ip subscriber chasten user quiet
display ip subscriber auto-save
display ip subscriber auto-save file-status
display ip subscriber auto-save statistics
display ip subscriber http-defense blocked-destination-ip
display ip subscriber http-defense free-destination-ip
display ip subscriber http-defense unblocked-destination-ip
display ip subscriber roam-record
display ip subscriber static-session configuration
display ip subscriber unclassified-ip-defense
display static-user interface-list
ip subscriber abnormal-logout max-user
ip subscriber access-delay odd-even mac offset
ip subscriber access-line-id circuit-id trans-format
ip subscriber access-line-id remote-id trans-format
ip subscriber access-trigger loose
ip subscriber authentication chasten
ip subscriber authentication dot1x-retrigger
ip subscriber authentication dot1x-retrigger interval
ip subscriber authentication-method
ip subscriber captive-bypass enable
ip subscriber auto-save max-user
ip subscriber auto-save-file now
ip subscriber auto-recover enable
ip subscriber auto-recover speed
ip subscriber basic-service-ip-type
ip subscriber dhcp domain include
ip subscriber dhcp max-session
ip subscriber dhcp option60 match
ip subscriber dhcp-release-ip dot1x-offline
ip subscriber dhcpv6 max-session
ip subscriber dhcpv6 password option16
ip subscriber dhcpv6 rate-limit
ip subscriber dot1x-offline user-offline
ip subscriber http-defense destination-ip enable
ip subscriber http-defense destination-ip threshold
ip subscriber http-defense free-destination-ip
ip subscriber http-fast-reply enable
ip subscriber initiator arp enable
ip subscriber initiator ndrs enable
ip subscriber initiator nsna enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber interface-leased
ip subscriber ipv6-address-change send-accounting-update
ip subscriber lease-end-time original
ip subscriber nas-port-id format
ip subscriber nas-port-id interface
ip subscriber nas-port-id nasinfo-insert
ip subscriber ndrs max-session
ip subscriber ndrs user-detect-address eui-64
ip subscriber ndrs wait-delegation-prefix
ip subscriber roam-group-mismatch dhcp fast-renew
ip subscriber roam-group-mismatch unclassified-ip roam
ip subscriber service-identify
ip subscriber session static (interface view)
ip subscriber session static (system view)
ip subscriber session static-leased
ip subscriber session-conflict action offline
ip subscriber static-dot1x-user enable
ip subscriber static-session request-online interval
ip subscriber trust aaa-authorized-ip
ip subscriber unclassified-ip domain
ip subscriber unclassified-ip ip match
ip subscriber unclassified-ip ipv6 match
ip subscriber unclassified-ip max-session
ip subscriber unclassified-ip username
ip subscriber unclassified-ip-defense block-period
ip subscriber unclassified-ip-defense enable
ip subscriber unclassified-ip-defense threshold
ip subscriber unclassified-ipv6 max-session
ip subscriber user-detect ipv6
ip subscriber web-redhcp enable
reset ip subscriber abnormal-logout
reset ip subscriber chasten user auth-failed
reset ip subscriber chasten user quiet
reset ip subscriber http-defense destination-ip
reset ip subscriber roam-record
reset ip subscriber unclassified-ip-defense
ip subscriber initiator dhcp enable
display portal ip-subscriber message statistics
display portal mac-trigger entry
display portal mac-trigger-server
display portal mac-trigger-server packet statistics
display portal packet statistics
display portal session user-type
ip (portal authentication server view)
port (MAC binding server view)
port (portal authentication server view)
portal { bas-ip | bas-ipv6 } (system view/interface view)
portal apply mac-trigger-server
reset portal ip-subscriber message statistics
reset portal mac-trigger-server packet statistics
reset portal packet statistics
server-detect (portal authentication server view)
server-type (MAC binding server view)
IPoE commands
add interface
Use add interface to add an interface to a static user interface list.
Use undo add interface to remove an interface from a static user interface list.
Syntax
add interface interface-type interface-number
undo add interface interface-type interface-number
Default
An interface is not added to a static user interface list.
Views
Static user interface list view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Usage guidelines
Application scenarios
When multiple static IPoE users on the same subnet need to come online through multiple access interfaces, first execute the static-user interface-list command to create a static user interface list, and then execute the add interface command to add to that list the interfaces through which static users are allowed to access.
Restrictions and guidelines
An interface can belong to only one static user interface list.
Examples
# Add interface Ten-GigabitEthernet 0/0/15 to static user interface list 2.
<Sysname> system-view
[Sysname] static-user interface-list 2
[Sysname-static-interface-list2] add interface ten-gigabitethernet 0/0/15
Related commands
display static-user interface-list
static-user interface-list
display ip subscriber abnormal-logout
Use display ip subscriber abnormal-logout to display entry information about abnormally logged out IPoE users.
Syntax
In standalone mode:
display ip subscriber abnormal-logout [ vsrp-instance vsrp-instance-name ] [ access-type { dhcpv4 | dhcpv6 | ndrs } | { mac mac-address | ip-type { ipv4 | ipv6 } } * | { ip ipv4-address | ipv6 ipv6-address | ipv6-prefix prefix-address/prefix-length } ] [ verbose ] [ slot slot-number ]
In IRF mode:
display ip subscriber abnormal-logout [ vsrp-instance vsrp-instance-name ] [ access-type { dhcpv4 | dhcpv6 | ndrs } | { mac mac-address | ip-type { ipv4 | ipv6 } } * | { ip ipv4-address | ipv6 ipv6-address | ipv6-prefix prefix-address/prefix-length } ] [ verbose ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vsrp-instance vsrp-instance-name: Specifies a VSRP instance by its name, a case-sensitive string of 1 to 31 characters.
access-type: Specifies a type of abnormally logged out users.
· dhcpv4: Specifies abnormally logged out DHCPv4 users.
· dhcpv6: Specifies abnormally logged out DHCPv6 users.
· ndrs: Specifies abnormally logged out ND RS users.
mac mac-address: Specifies a MAC address in the format of H-H-H.
ip-type: Specifies an IP address type.
· ipv4: Specifies IPv4 addresses.
· ipv6: Specifies IPv6 addresses.
ip ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
ipv6-prefix prefix-address/prefix-length: Specifies an IPv6 address prefix and its prefix length.
verbose: Displays detailed user information. If you do not specify this keyword, the command displays brief entry information about abnormally logged out IPoE users.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on the active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on the global active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Usage guidelines
Application scenarios
When an IPoE-enabled access interface goes down or is operated on by mistake (for example, the cut access-user command is executed on it), the sessions of the IPoE users on that interface are deleted. The device automatically records entry information for these abnormally logged out IPoE users. To view that information, execute the display ip subscriber abnormal-logout command.
Restrictions and guidelines
For abnormally logged out IPoE users to come online again through packet initiation, you must configure the corresponding packet initiation method. For more information, see Layer 2—WAN Access Configuration Guide.
Examples
# Display brief entry information about abnormally logged out IPoE users on the specified slot.
<Sysname> display ip subscriber abnormal-logout slot 0
Total entries: 2
IP/IPv6 address MAC address S-/C-VLAN
2.2.2.3 000c-1983-7712 -/-
2::3 000c-1983-7712 -/-
Table 1 Command output

Field | Description |
---|---|
Total entries | Total number of entries for abnormally logged out users. For each abnormally logged out IPoE user, up to three entries are recorded, including IPv4, IPv6 (including PD prefix), and ND RS entries. |
IP/IPv6 address | IPv4 or IPv6 address of the user. |
MAC address | MAC address of the user. |
S-/C-VLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-). |
# Display detailed entry information about all abnormally logged out IPoE users.
<Sysname> display ip subscriber abnormal-logout verbose
IP address : 1.1.1.1
IPv6 PD Prefix : -
IPv6 ND Prefix : -
MAC address : 000d-88f8-0eab
S-VLAN/C-VLAN : -/-
Access type : DHCPv4
Access interface : Ten-GigabitEthernet0/0/15
Virtual MAC address : -
Offline reason : cut command
Aging : May 9 10:05:29 2019
VSRP instance : N/A
UP ID : -
UP backup profile : -
IPv6 address : 1::1
IPv6 PD Prefix : -
IPv6 ND Prefix : -
MAC address : 000d-88f8-0eab
S-VLAN/C-VLAN : -/-
Access type : DHCPv6
Access interface : Ten-GigabitEthernet0/0/15
Virtual MAC address : -
Offline reason : cut command
Aging : May 9 10:05:29 2019
VSRP instance : N/A
UP ID : -
UP backup profile : -
Table 2 Command output

Field | Description |
---|---|
IP address | IPv4 address of the user. |
IPv6 address | IPv6 address of the user. |
IPv6 PD Prefix | IPv6 PD prefix of the user. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-). |
IPv6 ND Prefix | IPv6 ND prefix of the user. If the user does not have an IPv6 ND prefix, this field displays a hyphen (-). |
MAC address | MAC address of the user. |
S-VLAN/C-VLAN | SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part. |
Access type | Access type of the user: DHCPv4, DHCPv6, or ND RS. |
Access interface | Access interface of the user. |
Virtual MAC address | This field is not supported in the current software version. Virtual MAC address of the access interface of the user. |
Offline reason | Reason why the user was abnormally logged out. For more information, see the log manual for UCM logins and logouts. |
Aging | Time when the entry for the abnormally logged out user will age out. N/A means that the entry never ages out. If you modify the system time before the entry ages out, the device adjusts this timestamp to the new system time so that the remaining aging time is unchanged. |
VSRP instance | Name of a VSRP instance. When no VSRP instance is available, this field displays N/A. |
UP ID | This field is not supported in the current software version. UP ID of the abnormally logged out user. When no UP ID is available (for example, on a non-vBRAS-CP), this field displays a hyphen (-). |
UP backup profile | This field is not supported in the current software version. UP backup profile ID. When no UP backup profile ID is available (for example, on a non-vBRAS-CP), this field displays a hyphen (-). |
Related commands
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ip enable
reset ip subscriber abnormal-logout
display ip subscriber chasten user auth-failed
Use display ip subscriber chasten user auth-failed to display information about IPoE individual users with authentication failure records that have not met the blocking conditions.
Syntax
In standalone mode:
display ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ slot slot-number ]
In IRF mode:
display ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.
ip ipv4-address: Specifies the source IPv4 address of an IPoE individual user.
ipv6 ipv6-address: Specifies the source IPv6 address of an IPoE individual user.
mac mac-address: Specifies the MAC address of an IPoE individual user, in the format of H-H-H.
user-type: Specifies a user type. If you do not specify a user type, this command displays information about all types of IPoE individual users.
· dhcp: Specifies DHCPv4 users.
· dhcpv6: Specifies DHCPv6 users.
· ndrs: Specifies IPv6 ND RS users.
· unclassified-ip: Specifies unclassified-IPv4 users (including dynamic individual users initiated by IPv4 and ARP packets).
· unclassified-ipv6: Specifies unclassified-IPv6 users (including dynamic individual users initiated by IPv6 and NS/NA packets).
· static: Specifies static users.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Examples
# Display brief information about the IPoE individual users with authentication failure records that have not met the blocking conditions on Ten-GigabitEthernet 0/0/15.
<Sysname> display ip subscriber chasten user auth-failed interface ten-gigabitethernet 0/0/15
Interface MAC address SVLAN/CVLAN
IP address Failures
XGE0/0/15 248c-c3d1-0406 -/-
6.6.6.2 7
Table 3 Command output

Field | Description |
---|---|
Interface | Interface that connects the user. |
IP address | IP address of the user. |
MAC address | MAC address of the user. |
SVLAN/CVLAN | SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part. |
Failures | Number of consecutive authentication failures of the user. This field displays N/A for entries that are about to age out. |
Related commands
ip subscriber authentication chasten
ip subscriber timer quiet
reset ip subscriber chasten user auth-failed
display ip subscriber chasten user quiet
Use display ip subscriber chasten user quiet to display information about blocked IPoE users.
Syntax
In standalone mode:
display ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ verbose ] [ slot slot-number ]
In IRF mode:
display ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address | user-type { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 | static } ] [ verbose ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information for all interfaces.
ip ipv4-address: Specifies the source IPv4 address of a blocked IPoE user.
ipv6 ipv6-address: Specifies the source IPv6 address of a blocked IPoE user.
mac mac-address: Specifies the MAC address of a blocked IPoE user, in the format of H-H-H.
user-type: Specifies a user type.
· dhcp: Specifies DHCPv4 users.
· dhcpv6: Specifies DHCPv6 users.
· ndrs: Specifies IPv6 ND RS users.
· unclassified-ip: Specifies unclassified-IPv4 users (including dynamic individual users initiated by IPv4 and ARP packets).
· unclassified-ipv6: Specifies unclassified-IPv6 users (including dynamic individual users initiated by IPv6 and NS/NA packets).
· static: Specifies static users.
verbose: Displays detailed information about blocked IPoE users. If this keyword is not specified, this command displays brief information about blocked IPoE users.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Examples
# Display brief information about the blocked IPoE users on Ten-GigabitEthernet 0/0/15.
<Sysname> display ip subscriber chasten user quiet interface ten-gigabitethernet 0/0/15
Type: D-DHCP S-Static U-Unclassified-IP N-NDRS
Interface MAC address Type
IP address Aging(s)
XGE0/0/15 248c-c3d1-0406 U
6.6.6.2 7
Table 4 Command output

Field | Description |
---|---|
Interface | Interface that connects the user. |
IP address | IP address of the user. |
MAC address | MAC address of the user. |
Type | IPoE user type: · D—DHCP user. · S—Static user. · U—Unclassified-IP user. · N—IPv6 ND RS user. |
Aging(s) | Remaining aging time in seconds for the user. |
# (In standalone mode.) Display detailed information about all blocked IPoE users on Ten-GigabitEthernet 0/0/15.
<Sysname> display ip subscriber chasten user quiet interface ten-gigabitethernet 0/0/15 verbose
Username : 1.1.1.10
Domain : dm0
IP address : 1.1.1.10
MAC address : 4649-e2cf-0216
Service-VLAN/Customer-VLAN : -/-
Access interface : XGE0/0/15
Service node : Slot 0
Access Type : Unclassified-IP
Aging : 41 sec
Table 5 Command output

Field | Description |
---|---|
Username | Username for authentication. |
Domain | ISP domain of the user for authentication. |
IP address | IP address of the user. |
MAC address | MAC address of the user. |
Service-VLAN/Customer-VLAN | SVLAN and CVLAN of the user. If the user traffic does not carry a SVLAN or CVLAN tag, this field displays a hyphen (-) for the SVLAN or CVLAN part. |
Access interface | Interface that connects the user. |
Service node | Slot number and CPU number of the card that connects the user. |
Access Type | IPoE user type: · DHCP—DHCP user. · Unclassified-IP—Unclassified-IP user. · NDRS—IPv6 ND RS user. · Static—Static user. |
Aging | Remaining aging time for the user, in seconds. |
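The brief outputs of display ip subscriber chasten user auth-failed and display ip subscriber chasten user quiet shown above share a layout that is awkward to process with line-oriented tools: each record is split across two physical lines (interface, MAC address and SVLAN/CVLAN or Type on the first; IP address and Failures or Aging(s) on the second). The following Python parser is an added example written for this page, not code from the command reference or from the device. It reconstructs the records of both outputs, lists users whose consecutive failure count has reached a minimum (the value 5 used in the test is an arbitrary assumption; the device's own blocking threshold is configured with ip subscriber authentication chasten and is not stated on this page), and counts blocked users per access interface, which is the figure an operator would watch for a credential-guessing burst behind one access port. The sample output is constructed to follow the page's layout and is not a device capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legend printed at the top of "display ip subscriber chasten user quiet" output.
TYPE_LEGEND = {"D": "DHCP", "S": "Static", "U": "Unclassified-IP", "N": "NDRS"}

# Constructed sample output (not a capture) laid out like the examples on this page:
# each record occupies two physical lines.
SAMPLE_AUTH_FAILED = """\
Interface        MAC address     SVLAN/CVLAN
  IP address     Failures
XGE0/0/15        248c-c3d1-0406  -/-
  6.6.6.2        7
XGE0/0/15        248c-c3d1-0407  100/-
  6.6.6.3        N/A
"""

SAMPLE_QUIET = """\
Type: D-DHCP S-Static U-Unclassified-IP N-NDRS
Interface        MAC address     Type
  IP address     Aging(s)
XGE0/0/15        248c-c3d1-0408  U
  6.6.6.2        7
XGE0/0/16        0011-2233-4455  D
  10.0.0.9       41
"""

# First line of a record: interface, MAC in H-H-H form, then SVLAN/CVLAN or Type letter.
FIRST_LINE_RE = re.compile(
    r"^(\S+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s*$", re.IGNORECASE)
# Second line of a record: IP address, then Failures or Aging(s) (a number or N/A).
SECOND_LINE_RE = re.compile(r"^\s*(\S+)\s+(\d+|N/A)\s*$")


@dataclass
class ChastenEntry:
    interface: str
    mac: str
    ip: str
    extra: str             # SVLAN/CVLAN (auth-failed) or Type letter (quiet)
    value: Optional[int]   # Failures or Aging(s); None when the device prints N/A


def parse_chasten_brief(text: str) -> List[ChastenEntry]:
    """Pair each 'interface mac third-column' line with the 'ip value' line under it.

    Header lines never match FIRST_LINE_RE (their second token is not a MAC),
    so they are skipped without any special casing.
    """
    lines = text.splitlines()
    entries: List[ChastenEntry] = []
    i = 0
    while i + 1 < len(lines):
        first = FIRST_LINE_RE.match(lines[i])
        second = SECOND_LINE_RE.match(lines[i + 1])
        if first and second:
            value = None if second.group(2) == "N/A" else int(second.group(2))
            entries.append(ChastenEntry(first.group(1), first.group(2).lower(),
                                        second.group(1), first.group(3), value))
            i += 2
        else:
            i += 1
    return entries


def auth_failed_watchlist(entries: List[ChastenEntry], min_failures: int) -> List[str]:
    """MACs whose consecutive failure count reached min_failures; N/A rows are skipped."""
    return [e.mac for e in entries if e.value is not None and e.value >= min_failures]


def blocked_per_interface(entries: List[ChastenEntry]) -> Dict[str, int]:
    """Number of blocked (quiet) users per access interface."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.interface] = counts.get(e.interface, 0) + 1
    return counts


def describe_type(entry: ChastenEntry) -> str:
    """Expand the Type letter of the quiet output using the device's own legend."""
    return TYPE_LEGEND.get(entry.extra, entry.extra)


if __name__ == "__main__":
    for mac in auth_failed_watchlist(parse_chasten_brief(SAMPLE_AUTH_FAILED), 5):
        print("approaching block:", mac)
    for intf, n in blocked_per_interface(parse_chasten_brief(SAMPLE_QUIET)).items():
        print(f"{intf}: {n} blocked user(s)")
```

The parser is deliberately anchored on the MAC address column rather than on column positions, because the widths in the display output vary with interface names and VLAN tags; the same function therefore handles both commands.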
Related commands
ip subscriber timer quiet
reset ip subscriber chasten user quiet
display ip subscriber auto-save
Use display ip subscriber auto-save to display information about auto backed-up IPoE users.
Syntax
In standalone mode:
display ip subscriber auto-save { access-type { dhcpv4 | dhcpv6 | ndrs } | domain domain-name | ip-type { ipv4 | ipv6 | dual-stack } | mac-address mac-address | online | wait-recover } [ interface interface-type interface-number [ s-vlan s-vlan [ c-vlan c-vlan ] ] ] [ slot slot-number ]
In IRF mode:
display ip subscriber auto-save { access-type { dhcpv4 | dhcpv6 | ndrs } | domain domain-name | ip-type { ipv4 | ipv6 | dual-stack } | mac-address mac-address | online | wait-recover } [ interface interface-type interface-number [ s-vlan s-vlan [ c-vlan c-vlan ] ] ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
access-type: Specifies a type of IPoE access users.
· dhcpv4: Specifies DHCPv4 access users.
· dhcpv6: Specifies DHCPv6 access users.
· ndrs: Specifies ND RS access users.
domain domain-name: Specifies an ISP domain by its name. The domain-name argument specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain the following special characters: / \ | " : * ? < > @
ip-type: Specifies the IP version of IPoE users.
· ipv4: Specifies IPv4 users.
· ipv6: Specifies IPv6 users.
· dual-stack: Specifies dual-stack users.
mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.
online: Displays brief information about online IPoE users.
wait-recover: Displays brief information about IPoE users waiting to recover.
interface interface-type interface-number: Specifies an interface by its type and number.
· s-vlan s-vlan: Specifies the SVLAN of an IPoE user. The value range for this argument is 1 to 4094.
· c-vlan c-vlan: Specifies the CVLAN of an IPoE user. The value range for this argument is 1 to 4094.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on the active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on the global active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Examples
# Display brief information about auto backed-up online IPoE users.
<Sysname> display ip subscriber auto-save online
MAC address IP address Interface S-/C-VLAN
IPv6 address
000c-1983-6712 2.2.2.3 XGE0/0/17 -/-
-
000c-1983-6713 2.2.2.4 XGE0/0/17 -/-
-
000c-1983-6714 2.2.2.5 XGE0/0/17 -/-
-
000c-1983-6715 2.2.2.6 XGE0/0/17 -/-
-
a6f7-a29f-0206 2.2.2.11 XGE0/0/16 -/-
1::2
Table 6 Command output

Field | Description |
---|---|
MAC address | MAC address of the user. |
IP address | IPv4 address of the user. If the user does not have an IPv4 address, this field displays a hyphen (-). |
Interface | Access interface of the user. |
S-/C-VLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays -/-. |
IPv6 address | IPv6 address of the user. If the user does not have an IPv6 address, this field displays a hyphen (-). |
# Display detailed information about an auto backed-up IPoE user specified by its MAC address.
<Sysname> display ip subscriber auto-save mac-address a6f7-a29f-0206
Basic Info:
MAC address: a6f7-a29f-0206
IP address: 2.2.2.11
IPv6 address: 1::2
Interface: XGE0/0/16
Service-VLAN/Customer-VLAN: -/-
VPN instance: N/A
Domain: dm1
Status: Online
DHCPv4 Info:
DHCP remaining lease: 85557 seconds
DHCPv6 Info:
DHCPv6 remaining lease: 2588825 seconds
IPv6 PD prefix: -
PD prefix length: 0
IA Type: IANA
IANA ID: 33554432
IAPD ID: 0
Option1:
0003 0001 a6f7 a29f 0200
# Display detailed information about an auto backed-up IPoE user specified by its MAC address.
<Sysname> display ip subscriber auto-save mac-address 30c8-46a3-0506
Basic Info:
MAC address: 30c8-46a3-0506
IP address: -
IPv6 address: -
IPv6 ND prefix: 5:6::/64
Interface: XGE0/0/16
Service-VLAN/Customer-VLAN: -/-
VPN instance: N/A
Domain: dm1
Status: Online
DHCPv6 Info:
DHCPv6 remaining lease: 2592000 seconds
IPv6 PD prefix: 2020:2021::
PD prefix length: 40
IA Type: IAPD
IANA ID: 0
IAPD ID: 1
Option1:
0003 0001 30c8 46a3 0500
Table 7 Command output

Field | Description |
---|---|
Basic Info | Basic information of the auto backed-up user. |
MAC address | MAC address of the user. |
IP address | IPv4 address of the user. If the user does not have an IPv4 address, this field displays a hyphen (-). |
IPv6 address | IPv6 address of the user. If the user does not have an IPv6 address, this field displays a hyphen (-). |
IPv6 ND prefix | IPv6 ND prefix of the user. If the user does not have an IPv6 ND prefix, this field displays a hyphen (-). |
Interface | Access interface of the user. |
Service-VLAN/Customer-VLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays -/-. |
VPN instance | VPN instance of the user. If the user belongs to the public network, this field displays N/A. |
Domain | ISP domain name used for authentication. |
Status | User status: · Online. · Wait-Recover—The user is waiting to recover. When a user abnormally goes offline because of a failure, the device sets the status of the user backed up in memory to Wait-Recover. |
DHCPv4 Info | DHCPv4 information. This field is displayed only when a user obtains IPv4 addresses. |
DHCP remaining lease | Remaining IPv4 address lease duration of the user, in seconds. · Hyphen (-)—The user does not have a DHCP lease. · Unlimited—The lease duration is unlimited. |
Optionn: [m] | DHCPv4 option information. This field is displayed only when the user carries the corresponding option when coming online. The option contents are displayed in hexadecimal format. n is the option number, and m is the suboption number (if any). Possible values include: · Option12—DHCPv4 option12. · Option55—DHCPv4 option55. · Option60—DHCPv4 option60. · Option61—DHCPv4 option61. · Option77—DHCPv4 option77. · Option82—DHCPv4 option82, which contains suboptions. ¡ 1—The first suboption of DHCPv4 option82. ¡ 2—The second suboption of DHCPv4 option82. ¡ 9—The ninth suboption of DHCPv4 option82. |
DHCPv6 Info | DHCPv6 information. This field is displayed only when a user obtains IPv6 global unicast addresses or IPv6 prefixes. |
DHCPv6 remaining lease | Remaining IPv6 address lease duration of the user, in seconds. · Hyphen (-)—The user does not have a DHCPv6 lease. · Unlimited—The lease duration is unlimited. |
IPv6 PD prefix | IPv6 PD prefix of the user. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-). |
PD prefix length | IPv6 PD prefix length of the user. If the user does not have an IPv6 PD prefix, this field displays 0 (as in the first example above). |
IA Type | Identity Association (IA) type: · IANA—The user applies for a global unicast address through DHCPv6 (IA_NA). · IAPD—The user applies for an IPv6 PD prefix through DHCPv6 (IA_PD). · IANA_IAPD—The user applies for a global unicast address through DHCPv6 (IA_NA) and applies for an IPv6 PD prefix through DHCPv6 (IA_PD). |
IANA ID | ID in the IANA option. |
IAPD ID | ID in the IAPD option. |
Optionn | DHCPv6 option information. This field is displayed only when the user carries the corresponding option when coming online. The option contents are displayed in hexadecimal format. n is the option number. Possible values include: · Option1—DHCPv6 option1. · Option16—DHCPv6 option16. · Option17—DHCPv6 option17. · Option18—DHCPv6 option18. · Option37—DHCPv6 option37. |
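The Option1 dumps in the two display ip subscriber auto-save examples above are DHCPv6 Client Identifier values, that is, DUIDs. The decoder below is an added example written for this page, not code from the command reference or the device. It parses the four DUID formats defined in RFC 8415 (DUID-LLT, DUID-EN, DUID-LL and DUID-UUID) from the hex dump exactly as the device prints it, and compares the link-layer address embedded in the DUID with the user's MAC address. In both examples on this page the embedded address (ending 0200 and 0500) differs from the user's MAC address (ending 0206 and 0506). The DUID is chosen by the client, so an operator should treat it as a client-asserted identifier rather than as a binding to the access MAC; the comparison makes that visible. The two page dumps are taken from the examples above; all other inputs in the test are constructed.

```python
import struct
import uuid
from typing import Any, Dict, List, Tuple

# DUID type codes (RFC 8415, section 11) and the IANA hardware type for Ethernet.
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1


def parse_hex_dump(dump: str) -> bytes:
    """Convert the device's grouped hex dump ('0003 0001 a6f7 ...') to bytes."""
    return bytes.fromhex("".join(dump.split()))


def format_link_layer(hw_type: int, addr: bytes) -> str:
    """Render a 6-byte Ethernet address in the H-H-H form used in the display output.

    Any other hardware type or length is returned as plain hex.
    """
    if hw_type == HW_ETHERNET and len(addr) == 6:
        h = addr.hex()
        return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"
    return addr.hex()


def decode_duid(raw: bytes) -> Dict[str, Any]:
    """Decode a DHCPv6 DUID; raises ValueError on a truncated value."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than the 2-byte type field")
    (duid_type,) = struct.unpack("!H", raw[:2])
    body = raw[2:]
    if duid_type == DUID_LLT:
        # hardware type (2 bytes), time (4 bytes, seconds since 2000-01-01), LL address
        if len(body) < 6:
            raise ValueError("DUID-LLT needs hardware type and time fields")
        hw_type, llt_time = struct.unpack("!HI", body[:6])
        return {"type": "DUID-LLT", "hw_type": hw_type, "time": llt_time,
                "link_layer": format_link_layer(hw_type, body[6:])}
    if duid_type == DUID_EN:
        # enterprise number (4 bytes), vendor-assigned identifier (variable)
        if len(body) < 4:
            raise ValueError("DUID-EN needs an enterprise number")
        (enterprise,) = struct.unpack("!I", body[:4])
        return {"type": "DUID-EN", "enterprise": enterprise, "identifier": body[4:].hex()}
    if duid_type == DUID_LL:
        # hardware type (2 bytes), LL address
        if len(body) < 2:
            raise ValueError("DUID-LL needs a hardware type")
        (hw_type,) = struct.unpack("!H", body[:2])
        return {"type": "DUID-LL", "hw_type": hw_type,
                "link_layer": format_link_layer(hw_type, body[2:])}
    if duid_type == DUID_UUID:
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    # Unknown type: keep the bytes so nothing is silently dropped.
    return {"type": f"unknown({duid_type})", "raw": body.hex()}


def duid_matches_mac(duid: Dict[str, Any], mac: str) -> bool:
    """True only if the DUID embeds a link-layer address equal to the user's MAC (H-H-H)."""
    return duid.get("link_layer", "").lower() == mac.lower()


# (MAC address, Option1 dump) pairs taken from the two display examples on this page.
PAGE_USERS = [
    ("a6f7-a29f-0206", "0003 0001 a6f7 a29f 0200"),
    ("30c8-46a3-0506", "0003 0001 30c8 46a3 0500"),
]


def mismatched_page_users() -> List[Tuple[str, str]]:
    """Users whose DUID-embedded address does not equal the access MAC."""
    out = []
    for mac, dump in PAGE_USERS:
        info = decode_duid(parse_hex_dump(dump))
        if not duid_matches_mac(info, mac):
            out.append((mac, info["link_layer"]))
    return out


if __name__ == "__main__":
    for mac, embedded in mismatched_page_users():
        print(f"{mac}: DUID-LL embeds {embedded}")
```

A mismatch is not by itself a fault: a host may derive its DUID from a different interface or keep a DUID across hardware changes, which is exactly why the DUID should not be used as the authenticated identity of an IPoE session.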
Related commands
access-user auto-save enable (BRAS Services Command Reference)
ip subscriber auto-save max-user
display ip subscriber auto-save file-status
Use display ip subscriber auto-save file-status to display the state of the file specified for automatic IPoE user backup.
Syntax
display ip subscriber auto-save file-status
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
Application scenarios
Use this command to view the saving and recovery information of the backup file. For example, before rebooting the device, use this command to identify whether all user data in the memory has been backed up to the backup file.
Recovering user data from the backup file includes the following two phases:
1. Recover the user data from the backup file to the memory, and set the state to wait-recover for these users.
You can execute the display ip subscriber auto-save command with the wait-recover keyword specified to view detailed information about users in the wait-recover state.
2. After all user data in the backup file is recovered to the memory, the recovery delay timer starts. The recovery delay timer is 5 seconds by default and can be configured by using the recover-delay keyword in the ip subscriber auto-recover speed command. After the recovery delay timer expires, the state is restored to online for users in the wait-recover state in the memory.
You can execute the display ip subscriber auto-save command with the online keyword specified to view detailed information about users in the online state.
Restrictions and guidelines
This command displays the real-time data running on the global active MPU. The data will be cleared after the whole device is rebooted or an active/standby MPU switchover is performed.
Examples
# Display the state of the file specified for automatic IPoE user backup.
<Sysname> display ip subscriber auto-save file-status
File saving status : Saved
Last file saved users : 1
Last file saved from : 2021-01-24 20:14:22
File recovering status : Recovered
Last file recovered wait-recover users : 0
Last file recovered from : 2021-01-24 20:08:38
Remaining time to bring wait-recover users online : 0
Table 8 Command output

Field | Description |
---|---|
File saving status | Backup file saving state: · Hyphen (-)—The system has never performed file backup. · Saving—The system is saving user data in the memory to the file. · Saved—The system has saved user data in the memory to the file. |
Last file saved users | Total number of users backed up in the backup file after the last backup was completed. |
Last file saved from | Time when the last backup started. This field displays a hyphen (-) if the system has never performed file backup. |
File recovering status | Backup file recovery state: · Hyphen (-)—The system has never recovered users from the backup file. · Recovering—The system is recovering users from the file. · Recovered—The system has recovered the users in the file. |
Last file recovered wait-recover users | Total number of users recovered from the backup file to the memory after the last recovery was completed. |
Last file recovered from | Time when the system started to recover user data in the backup file to the memory. This field displays a hyphen (-) if the system has never recovered user data from the backup file. |
Remaining time to bring wait-recover users online | Remaining recovery delay time for bringing online the users in the wait-recover state after the last operation of recovering user data from the backup file to the memory was completed. The recovery delay timer is 5 seconds by default and can be configured by using the recover-delay keyword in the ip subscriber auto-recover speed command. |
Related commands
display ip subscriber auto-save
display ip subscriber auto-save statistics
ip subscriber auto-recover speed
display ip subscriber auto-save statistics
Use display ip subscriber auto-save statistics to display statistics about auto backed-up IPoE users.
Syntax
In standalone mode:
display ip subscriber auto-save statistics [ slot slot-number ]
In IRF mode:
display ip subscriber auto-save statistics [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Examples
# Display statistics about auto backed-up IPoE users.
<Sysname> display ip subscriber auto-save statistics
Max backup users : 8000
Current online users : 5
Current wait-recover users : 4
Table 9 Command output
Field | Description |
---|---|
Max backup users | Maximum number of IPoE users that can be automatically backed up. |
Current online users | Number of backed-up online IPoE users. |
Current wait-recover users | Number of backed-up IPoE users waiting to recover. If a dual-stack user is waiting to recover in one protocol stack and online in the other protocol stack, the user is counted as an online user. |
Related commands
display ip subscriber auto-save
display ip subscriber http-defense blocked-destination-ip
Use display ip subscriber http-defense blocked-destination-ip to display entries of the destination IP addresses blocked by IPoE HTTP/HTTPS attack defense.
Syntax
In standalone mode:
display ip subscriber http-defense blocked-destination-ip [ slot slot-number ]
In IRF mode:
display ip subscriber http-defense blocked-destination-ip [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Usage guidelines
Application scenarios
On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device monitors and collects statistics of the HTTP/HTTPS packets that IPoE Web preauthentication users send to any destination IP address. Within a statistics collection interval, if the number of HTTP/HTTPS packets sent to a destination IP address meets the blocking conditions and the configured action for that case is to generate blocking entries, the device generates blocking entries for that destination IP address. The blocking period is configured in the ip subscriber http-defense destination-ip enable action block period command. Use this command to view the blocking entries.
Restrictions and guidelines
When the blocking period of a destination IP address with blocking entries expires, the device deletes the blocking entries for that destination IP address.
Examples
# (In IRF mode.) Display entries of the destination IP addresses blocked by IPoE HTTP/HTTPS attack defense.
<Sysname> display ip subscriber http-defense blocked-destination-ip slot 0
Slot 0:
Total IPv4 entries: 2
Destination IPv4 address Port VPN instance Agetime(S) DrvStatus
1.1.1.2 80 aaa 500 Succeeded
2.2.2.2 443 bbb 300 Failed
Total IPv6 entries: 2
Destination IPv6 address Port VPN instance Agetime(S) DrvStatus
1:1::1:2 80 aaa 500 Succeeded
2:2::2:2 443 bbb 300 Failed
Table 10 Command output
Field | Description |
---|---|
Total IPv4 entries | Total number of IPv4 entries. |
Total IPv6 entries | Total number of IPv6 entries. |
Destination IPv4 address | Destination IPv4 address. |
Destination IPv6 address | Destination IPv6 address. |
Port | Destination port number (the IPoE HTTP/HTTPS attack defense function can recognize and process HTTP/HTTPS packets with known port number 80, 8080, 443, or 8443). |
VPN instance | VPN instance to which the packets belong. If the packets are on a public network, this field displays a hyphen (-). |
Agetime(S) | Remaining aging time (in seconds) of a blocked entry. After the aging time expires, the HTTP/HTTPS packets sent to the destination IP address will be unblocked. |
DrvStatus | State of deploying the HTTP/HTTPS attack blocked entry to the driver hardware. Options include: · Succeeded—The blocked entry was successfully deployed. The hardware will directly block attacks, and does not report packets to the CPU. · Failed—The blocked entry failed to be deployed. The hardware does not block attacks. The software blocks attacks after packets are sent to the CPU. · Incompleted—The deployment is not completed, and the platform has not received the deployment result from the hardware. If you execute the display ip subscriber http-defense blocked-destination-ip command before the hardware returns the success result to the platform, this field displays Incompleted. · None—Does not deploy the blocked entry to the hardware. If the action to take when the blocking conditions are met is logging, the generated blocked entry will not be deployed to the driver hardware. |
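The DrvStatus column is the operationally important one: only Succeeded means the hardware drops the attack traffic itself, while Failed and Incompleted leave the CPU in the path. The following parser is an added example, not H3C code, that reads the output layout shown above into records and lists the destinations whose block is not hardware-enforced; the sample text is constructed after the example output, and the Incompleted and public-network ("-") values in it are constructed.

```python
"""Parser for 'display ip subscriber http-defense blocked-destination-ip' output that
flags blocked entries not enforced in hardware. Added example, not H3C code; the
sample text is constructed after the output format shown on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """\
Slot 0:
Total IPv4 entries: 2
Destination IPv4 address Port VPN instance Agetime(S) DrvStatus
1.1.1.2 80 aaa 500 Succeeded
2.2.2.2 443 bbb 300 Failed
Total IPv6 entries: 2
Destination IPv6 address Port VPN instance Agetime(S) DrvStatus
1:1::1:2 80 aaa 500 Succeeded
2:2::2:2 443 - 300 Incompleted
"""

SLOT_RE = re.compile(r"^Slot (\d+):$")
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(Succeeded|Failed|Incompleted|None)$")


@dataclass
class BlockedDestination:
    slot: str
    address: str
    port: int
    vpn_instance: str      # "-" means the public network
    agetime: int           # remaining blocking time in seconds
    drv_status: str

    @property
    def hardware_enforced(self) -> bool:
        # Only Succeeded means the hardware drops the traffic itself. Failed means the
        # software blocks after packets reach the CPU, Incompleted means the result is
        # still pending, and None means logging-only with nothing deployed.
        return self.drv_status == "Succeeded"


def parse_blocked_destinations(text: str) -> List[BlockedDestination]:
    """Turn the command output into a list of records, keeping the slot context."""
    slot = "-"
    entries: List[BlockedDestination] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:                          # header and "Total ... entries" lines do not match
            addr, port, vpn, age, status = m.groups()
            entries.append(BlockedDestination(slot, addr, int(port), vpn, int(age), status))
    return entries


def software_fallback(entries: List[BlockedDestination]) -> List[str]:
    """Destinations whose block keeps the CPU in the forwarding path."""
    return [e.address for e in entries if not e.hardware_enforced]


def status_counts(entries: List[BlockedDestination]) -> Dict[str, int]:
    """Number of entries per DrvStatus value, useful as a monitoring metric."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.drv_status] = counts.get(e.drv_status, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_blocked_destinations(SAMPLE_OUTPUT)
    print(status_counts(parsed))
    print("not hardware-enforced:", software_fallback(parsed))
```

Feeding the live output of the command into parse_blocked_destinations and alerting when software_fallback returns anything gives an early signal that blocking has degraded to the CPU path.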
Related commands
ip subscriber http-defense destination-ip enable
reset ip subscriber http-defense destination-ip
display ip subscriber http-defense free-destination-ip
Use display ip subscriber http-defense free-destination-ip to display the allowlist addresses configured for IPoE HTTP/HTTPS attack defense.
Syntax
display ip subscriber http-defense free-destination-ip
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the allowlist addresses configured for IPoE HTTP/HTTPS attack defense.
<Sysname> display ip subscriber http-defense free-destination-ip
Destination IPv4 address VPN instance
1.1.1.2 -
2.2.2.2 bbb
Destination IPv6 address VPN instance
1:1::1:2 -
2:2::2:2 bbb
Table 11 Command output
Field | Description |
---|---|
Destination IPv4 address | Destination IPv4 address. |
Destination IPv6 address | Destination IPv6 address. |
VPN instance | VPN instance to which the destination IP address belongs. If the destination IP address is on a public network, this field displays a hyphen (-). |
Related commands
ip subscriber http-defense free-destination-ip
display ip subscriber http-defense unblocked-destination-ip
Use display ip subscriber http-defense unblocked-destination-ip to display entries of the destination IP addresses not blocked by IPoE HTTP/HTTPS attack defense.
Syntax
In standalone mode:
display ip subscriber http-defense unblocked-destination-ip [ slot slot-number ]
In IRF mode:
display ip subscriber http-defense unblocked-destination-ip [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Usage guidelines
Application scenarios
On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device monitors and collects statistics of the HTTP/HTTPS packets that IPoE Web preauthentication users send to any destination IP address, and generates an attack defense blocking entry for each destination IP address. Attack defense blocking entries record statistics about destination IP addresses that have not yet met the blocking conditions of IPoE HTTP/HTTPS attack defense. An entry includes the destination IP address and VPN instance of the packets, the number of packets accessing the destination IP address, and the time when the destination IP address was last accessed. Use this command to view the attack defense blocking entries.
Restrictions and guidelines
For a destination IP address of a generated attack defense blocking entry, when the number of packets sent to the destination IP address is 0 within any statistics collection interval, the device will delete the attack defense blocking entry for the destination IP address.
Examples
# (In IRF mode.) Display entries of the destination IP addresses not blocked by IPoE HTTP/HTTPS attack defense in slot 0.
<Sysname> display ip subscriber http-defense unblocked-destination-ip slot 0
Slot 0:
Total IPv4 entries: 2
Destination IPv4 address Port VPN instance Count Last request
1.1.1.2 80 aaa 1 17:18:34 11/23/2019
2.2.2.2 443 - 23 17:17:25 11/23/2019
Total IPv6 entries: 2
Destination IPv6 address Port VPN instance Count Last request
1:1::1:2 80 aaa 1 17:18:34 11/23/2019
2:2::2:2 443 - 23 17:17:25 11/23/2019
Table 12 Command output
Field | Description |
---|---|
Total IPv4 entries | Total number of IPv4 entries. |
Total IPv6 entries | Total number of IPv6 entries. |
Destination IPv4 address | Destination IPv4 address. |
Destination IPv6 address | Destination IPv6 address. |
Port | Destination port number (the IPoE HTTP/HTTPS attack defense function can recognize and process HTTP/HTTPS packets with known port number 80, 8080, 443, or 8443). |
VPN instance | VPN instance to which the packets belong. If the packets are on a public network, this field displays a hyphen (-). |
Count | Number of HTTP/HTTPS packets accessing the destination IP address. |
Last request | Last time when the destination IP address was accessed. |
Related commands
ip subscriber http-defense destination-ip enable
reset ip subscriber http-defense destination-ip
display ip subscriber roam-record
Use display ip subscriber roam-record to display IPoE user roaming records.
Syntax
In standalone mode:
display ip subscriber roam-record { user-id user-id | mac-address mac-address | ip-address ipv4-address | ipv6-address ipv6-address | ipv6-prefix ipv6-prefix/prefix-length | interface interface-type interface-number | start-time start-time start-date [ end-time end-time end-date ] } * [ count ] [ slot slot-number ]
In IRF mode:
display ip subscriber roam-record { user-id user-id | mac-address mac-address | ip-address ipv4-address | ipv6-address ipv6-address | ipv6-prefix ipv6-prefix/prefix-length | interface interface-type interface-number | start-time start-time start-date [ end-time end-time end-date ] } * [ count ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
user-id user-id: Specifies an online user by its ID. The user-id argument specifies an online user ID, a hexadecimal number in the range of 1 to FFFF4240.
mac-address mac-address: Specifies a user by its MAC address in H-H-H format, case-insensitive. This parameter is supported only on network access users.
ip-address ipv4-address: Specifies a user by its IPv4 address. The ipv4-address argument represents a user IPv4 address.
ipv6-address ipv6-address: Specifies a user by its IPv6 address. The ipv6-address argument represents a user IPv6 address.
ipv6-prefix ipv6-prefix/prefix-length: Displays user roaming records for the specified IPv6 prefix (IPv6 ND prefix only). The ipv6-prefix argument represents the user's IPv6 prefix, and the prefix-length argument represents the length of the user's IPv6 prefix.
interface interface-type interface-number: Specifies a destination interface by its type and number.
start-time start-time start-date: Displays roaming records that occurred after the specified start time and date.
end-time end-time end-date: Displays roaming records that occurred before the specified end time and date.
count: Displays the number of user roaming records.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on the active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on the global active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Usage guidelines
After enabling the roaming recording feature, use this command to search for user roaming records based on the specified conditions.
Examples
# Display all roaming records for the user with the specified user ID.
<Sysname> display ip subscriber roam-record user-id 7ff1
User ID: 0x7ff1
MAC address: 2892-ddec-0706
Access type: L2 IPoE dynamic
UP backup mode: Hot standby
Start roam time: 2021-06-04 01:41:39
Roam initiator: DHCPv4
Init access interface: XGE0/0/16.10
Source interface: XGE0/0/16.10
Source S-VLAN/C-VLAN: 10/100
Source work slot: 0
Destination interface: XGE0/0/19.10
Destination S-VLAN/C-VLAN: 10/100
Destination work slot: 0
IP address: 3.3.3.1
IPv6 address: -
IPv6 ND prefix: 22:0:0:1D::/64
# Display the number of roaming records for the user with the specified user ID.
<Sysname> display ip subscriber roam-record user-id 7fff count
Roam-record count: 10
Table 13 Command output
Field | Description |
---|---|
Access type | Access type of the user. In the current software version, only the L2 IPoE dynamic type is supported, which represents Layer 2 IPoE dynamic individual users. |
UP backup mode | Backup mode of the UP backup profile. Options include: · Hot standby—1:1 hot standby. · Hyphen (-)—Non-UP backup scenario. |
Start roam time | Roaming start time. |
Roam initiator | Type of packets that initiate user roaming. Options include: · DHCPv4—DHCPv4 packets. · DHCPv6—DHCPv6 packets. · NDRS—NDRS packets. · NDNS—NDNS packets. · IPoEv4—IP packets. · IPoEv6—IPv6 packets. · ARP—ARP packets. |
Init access interface | Initial access interface of a user. |
Source interface | Interface where the user is located before roaming. |
Source S-VLAN/C-VLAN | SVLAN/CVLAN of a user before roaming. If the user does not have VLAN information, this field displays a hyphen (-). |
Source work slot | Slot where the access interface of a user is located before roaming. |
Destination interface | Interface where the user is located after roaming. |
Destination S-VLAN/C-VLAN | SVLAN/CVLAN of a user after roaming. If the user does not have VLAN information, this field displays a hyphen (-). |
Destination work slot | Slot where the access interface of a user is located after roaming. |
IP address | User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-). |
IPv6 address | User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-). For NDRS users, roaming records only record their prefix addresses rather than their unicast IPv6 addresses. |
IPv6 ND prefix | IPv6 prefix address of an ND user. If the ND user does not have an IPv6 prefix address, this field displays a hyphen (-). For NDRS users, roaming records only record their prefix addresses rather than their unicast IPv6 addresses. |
Roam-record count | Number of user roamings. |
display ip subscriber static-session configuration
Use display ip subscriber static-session configuration to display static IPoE session configuration information.
Syntax
display ip subscriber static-session configuration [ interface interface-type interface-number | { description string | { ip start-ipv4-address [ end-ipv4-address ] | ipv6 start-ipv6-address [ end-ipv6-address ] | delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length } } | domain domain-name ] [ all-vpn-instance | vpn-instance instance-name ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
description string: Specifies a static IPoE session by its description, a case-insensitive string of 1 to 31 characters. The description cannot contain the following special characters: /\|":*?<>@.
ip start-ipv4-address [ end-ipv4-address ]: Specifies static IPoE sessions by IPv4 addresses.
· start-ipv4-address: Specifies the start IPv4 address of users.
· end-ipv4-address: Specifies the end IPv4 address of users, which cannot be lower than the start IPv4 address. If you do not specify this argument or the specified end-ipv4-address is the same as the start-ipv4-address, one user IPv4 address start-ipv4-address is specified. Otherwise, all static users with IPv4 addresses in the range of start-ipv4-address to end-ipv4-address are specified.
ipv6 start-ipv6-address [ end-ipv6-address ]: Specifies static IPoE sessions by IPv6 addresses.
· start-ipv6-address: Specifies the start IPv6 address of users.
· end-ipv6-address: Specifies the end IPv6 address of users, which cannot be lower than the start IPv6 address. If you do not specify this argument or the specified end-ipv6-address is the same as the start-ipv6-address, one user IPv6 address start-ipv6-address is specified. Otherwise, all static users with IPv6 addresses in the range of start-ipv6-address to end-ipv6-address are specified.
delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length: Specifies static IPoE sessions by the IPv6 delegation prefixes (PD prefixes).
· start-ipv6-prefix: Specifies the start IPv6 delegation prefix of users.
· end-ipv6-prefix: Specifies the end IPv6 delegation prefix of users, which cannot be smaller than the start IPv6 delegation prefix. If you do not specify this argument or the specified end-ipv6-prefix is the same as the start-ipv6-prefix, one user IPv6 delegation prefix start-ipv6-prefix is specified. Otherwise, all static users with IPv6 delegation prefixes in the range of start-ipv6-prefix to end-ipv6-prefix are specified. Make sure the number of IPv6 delegation prefixes specified by the start-ipv6-prefix [ end-ipv6-prefix ] option is the same as the number of IPv6 addresses specified in the start-ipv6-address [ end-ipv6-address ] option.
· prefix-length: Specifies the IPv6 delegation prefix length, in the range of 1 to 120.
domain domain-name: Specifies static IPoE sessions in an ISP domain. The domain-name argument specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain the following special characters: /\|":*?<>@.
all-vpn-instance: Specifies all VPN instances. If neither all-vpn-instance nor vpn-instance is specified, this command displays static IPoE session configuration in the public network.
vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters.
verbose: Displays detailed static IPoE session configuration. If you do not specify this keyword, this command displays the summary static IPoE session configuration.
Usage guidelines
Application scenarios
Use this command to display information about IPoE static individual sessions and static leased sessions.
Restrictions and guidelines
If you do not specify any parameter, this command displays summary configuration information about static IPoE users.
To simplify management and maintenance, before configuring a new static IPoE session, you can execute this command to identify whether static sessions with the specified conditions (for example, an IP address) already exist. In this way, you can avoid repeated configuration.
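The range arguments described above carry several constraints (an omitted or equal end address means a single address, the end may not be lower than the start, and the delegation-prefix range must match the IPv6 address range one-to-one), and the guideline just given is to check for existing sessions before adding new ones. The following pre-check script is an added example, not H3C code: address_count, prefix_count and validate_ipv6_request implement the constraints from the parameter descriptions, and conflicts compares a requested range against addresses already configured. The CONFIGURED list is constructed from the brief output layout, and the assumption that successive delegation prefixes are spaced one prefix-length block apart is this example's own.

```python
"""Pre-checks for the address-range arguments of the static-session command described
above. Added example, not H3C code. Range semantics follow the parameter descriptions
on this page; the spacing of delegation prefixes is an assumption of this example."""
import ipaddress
from typing import Iterable, List, Optional


def address_count(start: str, end: Optional[str] = None) -> int:
    """Number of addresses matched by 'start [end]': one when end is omitted or equal
    to start, otherwise the inclusive range. An end lower than start is rejected."""
    s = ipaddress.ip_address(start)
    e = s if end is None else ipaddress.ip_address(end)
    if e.version != s.version:
        raise ValueError("start and end addresses must be the same IP version")
    if int(e) < int(s):
        raise ValueError("end address cannot be lower than the start address")
    return int(e) - int(s) + 1


def prefix_count(start: str, end: Optional[str], prefix_length: int) -> int:
    """Number of delegation prefixes matched by 'start [end] prefix-length'."""
    if not 1 <= prefix_length <= 120:
        raise ValueError("prefix-length must be in the range 1 to 120")
    step = 1 << (128 - prefix_length)      # assumption: one /prefix-length block apart
    s = int(ipaddress.IPv6Address(start))
    e = s if end is None else int(ipaddress.IPv6Address(end))
    if e < s:
        raise ValueError("end prefix cannot be smaller than the start prefix")
    if (e - s) % step:
        raise ValueError("end prefix is not aligned to the prefix length")
    return (e - s) // step + 1


def is_valid_range(start: str, end: Optional[str] = None) -> bool:
    """True when 'start [end]' is an acceptable address range."""
    try:
        address_count(start, end)
        return True
    except ValueError:
        return False


def validate_ipv6_request(ipv6_start: str, ipv6_end: Optional[str],
                          pd_start: str, pd_end: Optional[str], pd_len: int) -> int:
    """Enforce the rule that the delegation-prefix range and the IPv6 address range
    describe the same number of users; return that number."""
    n_addr = address_count(ipv6_start, ipv6_end)
    n_pfx = prefix_count(pd_start, pd_end, pd_len)
    if n_addr != n_pfx:
        raise ValueError(f"{n_pfx} delegation prefixes given for {n_addr} IPv6 addresses")
    return n_addr


def conflicts(start: str, end: Optional[str], configured: Iterable[str]) -> List[str]:
    """Addresses in the requested range that already have a static session. The
    'configured' values would be read from the IP address and IPv6 address columns of
    the brief display output; a hyphen there means 'no address' and is skipped."""
    address_count(start, end)              # reuse the validation above
    s = ipaddress.ip_address(start)
    e = s if end is None else ipaddress.ip_address(end)
    hits = []
    for a in configured:
        if a == "-":
            continue
        addr = ipaddress.ip_address(a)
        if addr.version == s.version and int(s) <= int(addr) <= int(e):
            hits.append(str(addr))
    return sorted(hits, key=lambda x: int(ipaddress.ip_address(x)))


# Constructed set, in the shape of the address columns of the brief output.
CONFIGURED = ["1.1.1.1", "1.1.1.2", "1::1", "1::2", "-"]

if __name__ == "__main__":
    print(validate_ipv6_request("2001::1", "2001::4", "2001:db8::", "2001:db8:0:3::", 64))
    print(conflicts("1.1.1.2", "1.1.1.5", CONFIGURED))
```

Running conflicts against the parsed output of the brief display before issuing the configuration command avoids the duplicate sessions the guideline warns about.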
Examples
# Display brief information about all static users on Ten-GigabitEthernet 0/0/15.
<Sysname> display ip subscriber static-session configuration interface ten-gigabitethernet 0/0/15
IP address MAC address Interface
IPv6 address IPv6 PD prefix SVLAN/CVLAN
VPN instance
1.1.1.1 000d-88f8-0eab XGE0/0/15
1::1 10::/64 -/-
-
1.1.1.2 001d-88f8-0eab XGE0/0/15
1::2 11::/64 -/-
-
Total 2 items matched
# Display brief information about static users in all VPN instances.
<Sysname> display ip subscriber static-session configuration all-vpn-instance
VPN instance: vpn1
IP address MAC address Interface
IPv6 address IPv6 PD prefix SVLAN/CVLAN
VPN instance
Total 0 items matched
VPN instance: vpn2
IP address MAC address Interface
IPv6 address IPv6 PD prefix SVLAN/CVLAN
VPN instance
2.2.2.2 - -
- - -/-
vpn2
2.2.2.3 - XGE0/0/16
- - -/-
vpn2
Total 2 items matched
# Display brief information about static users in the specified VPN instance.
<Sysname> display ip subscriber static-session configuration vpn-instance vpn2
VPN instance: vpn2
IP address MAC address Interface
IPv6 address IPv6 PD prefix SVLAN/CVLAN
VPN instance
2.2.2.2 - -
- - -/-
vpn2
2.2.2.3 - XGE0/0/16
- - -/-
vpn2
Total 2 items matched
Table 14 Command output
Field | Description |
---|---|
IP address | User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-). |
IPv6 address | User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-). |
MAC address | User's MAC address. |
IPv6 PD prefix | User's IPv6 PD prefix. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-). |
VPN instance | VPN instance to which the user belongs. If the user is on a public network, this field displays a hyphen (-). |
Interface | User's access interface name. If the user does not have an access interface, this field displays a hyphen (-). |
SVLAN/CVLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-). |
Total 2 items matched | Number of static sessions matching the specified conditions. |
# Display detailed information about the user with IPv6 address 2001::2.
<Sysname> display ip subscriber static-session configuration ipv6 2001::2 verbose
Interface : -
UP-backup-interface : -
Interface-list : -
IP address : -
IP gateway : -
IPv6 address : 2001::2
IPv6 gateway : FE80::1:2:3:4
IPv6 PD prefix : -
SVLAN/CVLAN : -/-
Description : -
MAC address : -
Domain : -
VPN instance : -
Keep-online : No
Support-ds : No
Request-online : ND
Virtual MAC : -
# Display detailed information about static users in all VPN instances.
<Sysname> display ip subscriber static-session configuration all-vpn-instance verbose
VPN instance: vpn2
Interface : -
UP-backup-interface : -
Interface-list : -
IP address : -
IP gateway : -
IPv6 address : 2001::2
IPv6 gateway : FE80::1:2:3:4
IPv6 PD prefix : -
SVLAN/CVLAN : -/-
Description : -
MAC address : -
Domain : -
VPN instance : 123
Keep-online : No
Support-ds : No
Request-online : ND
Virtual MAC : -
Table 15 Command output
Field | Description |
---|---|
Interface | User's access interface. If the user does not have an access interface, this field displays a hyphen (-). |
UP-backup-interface | This field is not supported in the current software version. Backup interface of the user. If the user does not have a backup interface, this field displays a hyphen (-). |
Interface-list | Static user interface list. If the user does not have a static user interface list, this field displays a hyphen (-). |
IP address | User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-). |
IP gateway | User's IPv4 gateway address. If the user does not have an IPv4 gateway address, this field displays a hyphen (-). |
IPv6 address | User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-). |
IPv6 gateway | User's IPv6 gateway address. If the user does not have an IPv6 gateway address, this field displays a hyphen (-). |
IPv6 PD prefix | User's IPv6 PD prefix. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-). |
SVLAN/CVLAN | SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-). |
Description | Static user description. If the user does not have a description, this field displays a hyphen (-). |
MAC address | User's MAC address. If the user does not have a MAC address, this field displays a hyphen (-). |
Domain | User's ISP domain name for authentication. If the user does not have an ISP domain, this field displays a hyphen (-). |
VPN instance | VPN instance to which the user belongs. If the user is on a public network, this field displays N/A. |
Keep-online | Whether the keep-online keyword is specified in the command for configuring static sessions: · Yes. · No. |
Ignore-ip-conflict | Whether the ignore-ip-conflict keyword is specified in the configured static session: · Yes. · No. This field is displayed in the details only when the bras compatible old-style-commands enable command is used to enable the BRAS to be compatible with old-style commands and the display ip subscriber static-session configuration command is executed with the ip or ipv6 keyword specified. |
Support-ds | Whether the support-ds keyword is specified in the command for configuring static sessions: · Yes. · No. |
Request-online | Whether the request-online keyword is specified in the command for configuring static sessions: · This keyword is specified when any of the following values is displayed: ¡ ARP—The current interface is operating in Layer 2 access mode. The device actively sends ARP packets to request IPv4 users to come online. ¡ ICMP—The current interface is operating in Layer 3 access mode. The device actively sends ICMP packets to request IPv4 users to come online. ¡ ND—The current interface is operating in Layer 2 access mode. The device actively sends ND NS packets to request IPv6 users to come online. ¡ ICMPv6—The current interface is operating in Layer 3 access mode. The device actively sends ICMPv6 packets to request IPv6 users to come online. · This field displays a hyphen (-) when this keyword is not specified. |
Virtual MAC | This field is not supported in the current software version. In a UP backup network, this field displays the virtual MAC address of the primary and secondary interfaces. If the virtual MAC address does not exist, this field displays a hyphen (-). If the virtual MAC address exists, this address will only be displayed on the BRAS-VMs and UPs. |
Related commands
bras compatible old-style-commands enable (BRAS Services Command Reference)
ip subscriber session static (system view)
ip subscriber static-session request-online interval
display ip subscriber unclassified-ip-defense
Use display ip subscriber unclassified-ip-defense to display information about the unclassified-IP packet attack defense entries.
Syntax
In standalone mode:
display ip subscriber unclassified-ip-defense [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | statistics ] [ slot slot-number ]
In IRF mode:
display ip subscriber unclassified-ip-defense [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | statistics ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
ip ipv4-address: Specifies a source IPv4 address.
ipv6 ipv6-address: Specifies a source IPv6 address.
statistics: Displays statistics of the unclassified-IP packet attack defense entries.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Usage guidelines
Operating mechanism
Unclassified-IP packet attack defense entries include two types: attack defense blocking entries and attack defense blocked entries.
· Attack defense blocking entries—Record statistics about source IP addresses that have not met the blocking conditions.
¡ With unclassified-IP packet attack defense enabled, the device will monitor and collect statistics of the IP packets sent by all offline users, and generate an attack defense blocking entry for each source IP address.
¡ For a source IP address with an attack defense blocking entry generated, if the number of IP packets from this source IP address is 0 during the most recent packet statistics collection interval, the device will delete the attack defense blocking entry for this source IP address.
· Attack defense blocked entries—Record statistics of the source IP addresses that meet the blocking conditions.
¡ If the number of IP packets from a source IP address reaches the blocking conditions within a statistics collection interval, the device will generate an attack defense blocked entry for that source IP address. The blocking duration is configured by using the ip subscriber unclassified-ip-defense block-period command.
¡ For a source IP address with an attack defense blocked entry generated, the device will delete the attack defense blocked entry for that source IP address when the blocking duration expires.
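The two-stage entry logic just described for unclassified-IP packet attack defense is the same one the HTTP/HTTPS destination-IP defense commands above follow: a blocking entry counts packets per key within a statistics collection interval, meeting the blocking condition turns it into a blocked entry that ages out after the block period, and a blocking entry that sees zero packets in an interval is deleted. The following model is an added example, not H3C code, that runs that logic over a constructed packet trace so the lifecycle of an entry can be followed step by step. INTERVAL, THRESHOLD and BLOCK_PERIOD are constructed values, the key shape (address, port, VPN instance) mirrors the display output, and resetting the counter at each interval boundary is this model's reading of "within a statistics collection interval".

```python
"""Model of the entry logic described on this page for IPoE HTTP/HTTPS destination-IP
attack defense and unclassified-IP packet attack defense. Added example, not H3C code.
The interval, threshold and block period are constructed values; the per-interval
reset of the counter is this model's reading of the text."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INTERVAL = 10.0       # statistics collection interval, seconds (constructed)
THRESHOLD = 5         # packets per interval that meet the blocking condition (constructed)
BLOCK_PERIOD = 30.0   # blocking period, seconds (constructed)

Key = Tuple[str, int, str]   # (address, port, VPN instance); "-" is the public network


@dataclass
class BlockingEntry:          # not yet blocked: statistics only
    count: int = 0
    last_request: float = 0.0


@dataclass
class BlockedEntry:           # blocking condition met
    expires_at: float


class DefenseTable:
    def __init__(self) -> None:
        self.blocking: Dict[Key, BlockingEntry] = {}
        self.blocked: Dict[Key, BlockedEntry] = {}
        self.interval_start = 0.0

    def _age(self, now: float) -> None:
        # Close every interval boundary passed since the last packet: blocking entries
        # with no packets in the interval just ended are deleted, the rest restart at 0.
        while now - self.interval_start >= INTERVAL:
            for key, entry in list(self.blocking.items()):
                if entry.count == 0:
                    del self.blocking[key]
                else:
                    entry.count = 0
            self.interval_start += INTERVAL
        # Blocked entries are removed once their blocking period has expired.
        for key, entry in list(self.blocked.items()):
            if now >= entry.expires_at:
                del self.blocked[key]

    def observe(self, now: float, address: str, port: int, vpn: str = "-") -> str:
        """Account for one packet; returns 'blocked', 'newly-blocked' or 'counted'."""
        self._age(now)
        key = (address, port, vpn)
        if key in self.blocked:
            return "blocked"
        entry = self.blocking.setdefault(key, BlockingEntry())
        entry.count += 1
        entry.last_request = now
        if entry.count >= THRESHOLD:
            # Condition met within the interval: promote to a blocked entry.
            del self.blocking[key]
            self.blocked[key] = BlockedEntry(expires_at=now + BLOCK_PERIOD)
            return "newly-blocked"
        return "counted"

    def agetime(self, now: float, key: Key) -> Optional[int]:
        """Remaining blocking time in seconds, as the Agetime(S) column reports it."""
        entry = self.blocked.get(key)
        return None if entry is None else int(entry.expires_at - now)


if __name__ == "__main__":
    table = DefenseTable()
    for t in range(1, 6):                          # five packets inside one interval
        print(t, table.observe(float(t), "1.1.1.2", 80, "aaa"))
    print("agetime:", table.agetime(6.0, ("1.1.1.2", 80, "aaa")))
```

Walking the trace in the main block shows the fifth packet promoting the entry, the Agetime(S) value counting down from the block period, and, if more packets are fed in after the period, the key starting again as an ordinary blocking entry.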
Examples
# Display entries for all blocked IP addresses and all IP addresses that have not reached the blocking threshold on Ten-GigabitEthernet 0/0/15.
<Sysname> display ip subscriber unclassified-ip-defense interface ten-gigabitethernet 0/0/15
Total IPv4 entries: 2
Interface   MAC address     S-/C-VLAN  Drops   Agetime(S)  DrvStatus  Status
IP address
XGE0/0/15   4c9c-8112-0206  -/-        10000   500         Succeeded  Blocked
1.1.1.2
XGE0/0/15   4c9c-8112-0207  -/-        20000   300         Failed     Blocked
2.2.2.2
Total IPv6 entries: 2
Interface   MAC address     S-/C-VLAN  Drops   Agetime(S)  DrvStatus  Status
IP address
XGE0/0/15   4c9c-8112-0206  -/-        10000   500         Succeeded  Blocked
1:1::1:2
XGE0/0/15   4c9c-8112-0207  -/-        20000   300         Failed     Blocked
2:2::2:2
# Display statistics of the unclassified-IP packet attack defense entries on all interfaces.
<Sysname> display ip subscriber unclassified-ip-defense statistics
Total IPv4 entries: 0
IPv4 entries in blocked state: 0
IPv4 entries in blocking state: 0
Total IPv6 entries: 0
IPv6 entries in blocked state: 0
IPv6 entries in blocking state: 0
Table 16 Command output
Field | Description |
---|---|
Total IPv4 entries | Total number of IPv4 entries. |
Total IPv6 entries | Total number of IPv6 entries. |
Interface | Interface receiving the packets. |
IP address | Source IP address. |
MAC address | Source MAC address of the unclassified-IP packets. |
S-/C-VLAN | Outer VLAN/inner VLAN of the unclassified-IP packets. If the packets do not have an outer or inner VLAN, this field displays "-/-". |
Drops | Number of packets dropped based on the entry. |
Agetime(S) | Remaining aging time (in seconds) of the entry. When the aging time expires, the entry is deleted. |
DrvStatus | State of the attack defense entry deployed to the driver hardware: Succeeded—The entry was deployed successfully; the hardware blocks the attack directly and does not send the packets to the CPU. Failed—The entry could not be deployed; the hardware does not block the attack, and the software blocks it after the packets are sent to the CPU. Incompleted—Deployment is not complete: the blocking threshold of the entry has not been reached, or the platform has not yet received the deployment result from the hardware. If you execute the command before the hardware returns the result to the platform, this field displays Incompleted. |
Status | Attack defense entry state: Blocking—The entry is an attack defense blocking entry. Blocked—The entry is an attack defense blocked entry. |
IPv4 entries in blocked state | Number of IPv4 attack defense blocked entries. |
IPv4 entries in blocking state | Number of IPv4 attack defense blocking entries. |
IPv6 entries in blocked state | Number of IPv6 attack defense blocked entries. |
IPv6 entries in blocking state | Number of IPv6 attack defense blocking entries. |
Related commands
reset ip subscriber unclassified-ip-defense
display static-user interface-list
Use display static-user interface-list to display information about a static user interface list.
Syntax
display static-user interface-list [ list-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
list-id: Specifies a static user interface list by its ID in the range of 1 to 65535. If you do not specify this argument, this command displays information about all static user interface lists.
Examples
# Display information about static user interface list 100.
<Sysname> display static-user interface-list 100
List ID: 100
Total bound static session configuration entries: 2
Total interfaces : 2
Member interfaces:
Ten-GigabitEthernet0/0/15
Ten-GigabitEthernet0/0/16
Table 17 Command output
Field | Description |
---|---|
List ID | Static user interface list ID. |
Total bound static session configuration entries | Total number of static sessions bound to the static user interface list. |
Total interfaces | Total number of interfaces on the static user interface list. |
Member interfaces | Member interfaces on the static user interface list. |
Related commands
add interface
static-user interface-list
ip subscriber 8021p
Use ip subscriber 8021p to bind an ISP domain to IPoE users who send IP packets with the specified 802.1p values.
Use undo ip subscriber 8021p to remove the binding between an ISP domain and IPoE users who send IP packets with the specified 802.1p values.
Syntax
ip subscriber 8021p 8021p-list domain domain-name
undo ip subscriber 8021p 8021p-list
Default
No ISP domain is bound to IPoE users who send IP packets with the specified 802.1p values.
Views
Layer 3 aggregate subinterface view
Layer 3 Ethernet subinterface view
L3VE subinterface view
Predefined user roles
network-admin
Parameters
8021p-list: Specifies a space-separated list of up to eight 802.1p value items. Each item specifies an 802.1p value or a range of 802.1p values in the form of start-802.1p-value to end-802.1p-value. The 802.1p value is in the range of 0 to 7.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
For this command, IPoE users include DHCP users, unclassified-IP users, and static individual users.
For how an authentication domain is selected for a DHCP user, see the ip subscriber dhcp domain command.
For how an authentication domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.
For how an authentication domain is selected for a static IPoE user, see the ip subscriber session static command.
For how an authentication domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.
For how an authentication domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.
For how an authentication domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.
Restrictions and guidelines
For the ip subscriber 8021p command to take effect, you must execute the ip subscriber service-identify 8021p command to configure the corresponding service identifier first.
Examples
# Configure ISP domain 1pdm for IPoE users who send IP packets with 802.1p values 2 to 5 on Ten-GigabitEthernet 0/0/15.100.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.100
[Sysname-Ten-GigabitEthernet0/0/15.100] ip subscriber service-identify 8021p second-vlan
[Sysname-Ten-GigabitEthernet0/0/15.100] ip subscriber 8021p 2 to 5 domain 1pdm
Related commands
ip subscriber service-identify
ip subscriber abnormal-logout max-user
Use ip subscriber abnormal-logout max-user to set the maximum number of abnormally logged out IPoE users that can be recorded on the device.
Use undo ip subscriber abnormal-logout max-user to restore the default.
Syntax
ip subscriber abnormal-logout max-user max-user
undo ip subscriber abnormal-logout max-user
Default
The maximum number of abnormally logged out IPoE users that can be recorded on the device is 512000.
Views
System view
Predefined user roles
network-admin
Parameters
max-user: Specifies the maximum number of abnormally logged out IPoE users that can be recorded on the device. The value range for this argument is 1 to 64000.
Usage guidelines
Operating mechanism
The device uniquely identifies and records an abnormally logged out IPoE user as follows:
· For DHCPv4 users and NDRS users, the device records an abnormally logged out IPoE user according to the user MAC address, inner VLAN ID, outer VLAN ID, and access interface.
· For DHCPv6 users, the device records an abnormally logged out IPoE user according to the user DUID, inner VLAN ID, outer VLAN ID, and access interface.
Restrictions and guidelines
When the number of abnormally logged out IPoE users recorded on the device reaches the maximum number, a new record will overwrite the oldest one.
Examples
# Configure the maximum number of abnormally logged out IPoE users that can be recorded on the device as 100.
<Sysname> system-view
[Sysname] ip subscriber abnormal-logout max-user 100
Related commands
display ip subscriber abnormal-logout
reset ip subscriber abnormal-logout
ip subscriber access-block
Use ip subscriber access-block to forbid IPoE users from coming online.
Use undo ip subscriber access-block to restore the default.
Syntax
In standalone mode:
ip subscriber access-block [ interface interface-type interface-number | slot slot-number ]
undo ip subscriber access-block [ interface interface-type interface-number | slot slot-number ]
In IRF mode:
ip subscriber access-block [ interface interface-type interface-number | chassis chassis-number slot slot-number ]
undo ip subscriber access-block [ interface interface-type interface-number | chassis chassis-number slot slot-number ]
Default
IPoE users are allowed to come online.
Views
System view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
Usage guidelines
Operating mechanism
With this command configured, the device directly drops the online request packets it receives from IPoE users, so that no new IPoE users can come online through the specified interface or card.
Restrictions and guidelines
This command does not affect existing IPoE users, including IPoE Web users in online state during the preauthentication phase.
If you do not specify any parameter for this command, this command forbids all new IPoE users from coming online.
Examples
# Forbid all new IPoE users from coming online.
<Sysname> system-view
[Sysname] ip subscriber access-block
ip subscriber access-delay
Use ip subscriber access-delay to set the response delay time for IPoE users on an interface.
Use undo ip subscriber access-delay to restore the default.
Syntax
ip subscriber access-delay delay-time [ even-mac | odd-mac ]
undo ip subscriber access-delay [ even-mac | odd-mac ]
Default
No response delay time is set for IPoE users on an interface.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
delay-time: Specifies the response delay time for IPoE users, in the range of 10 to 25500 milliseconds.
even-mac: Specifies the response delay for users whose MAC address has a lowest-order bit (bits are numbered from the most significant on the left to the least significant on the right) of 0, that is, an even MAC address.
odd-mac: Specifies the response delay for users whose MAC address has a lowest-order bit (bits are numbered from the most significant on the left to the least significant on the right) of 1, that is, an odd MAC address.
Usage guidelines
Application scenarios
This feature is applicable in the scenario where the administrator wants to deploy multiple BRASs on the network and perform load sharing and backup for users with odd MAC addresses and even MAC addresses among these BRASs.
As shown in Figure 1, to implement device-level backup and traffic load sharing, deploy two BRASs in the network and configure them as follows:
· On BRAS A, set the response delay for users with even MAC addresses and use the default settings (do not set the response delay) for users with odd MAC addresses.
· On BRAS B, set the response delay for users with odd MAC addresses and use the default settings (do not set the response delay) for users with even MAC addresses.
After the preceding configuration, BRAS A will respond to the online requests of users with odd MAC addresses before BRAS B in normal conditions. As a result, users with odd MAC addresses will preferentially come online through BRAS A. Similarly, BRAS B will respond to the online requests of users with even MAC addresses before BRAS A. As a result, users with even MAC addresses will preferentially come online through BRAS B. In this way, user traffic is load-balanced between BRAS A and BRAS B.
Figure 1 Schematic diagram (all BRASs are operating normally)
When a BRAS fails (for example, BRAS A fails) as shown in Figure 2, users with odd MAC addresses can come online through BRAS B. In this case, BRAS B provides access services for all users to achieve device-level backup. Among them:
· Users with odd MAC addresses who had not come online before BRAS A failed can come online through BRAS B after the failure.
· Users with odd MAC addresses who were already online before BRAS A failed must go offline before they can come online through BRAS B.
Figure 2 Schematic diagram (a BRAS fails)
Operating mechanism
After you set the response delay for IPoE users, the system will delay the response to IPoE users’ online requests according to the set delay. The system supports setting different response delays for users with odd MAC addresses and users with even MAC addresses.
This command can be used in conjunction with the ip subscriber access-delay odd-even mac offset command to flexibly deploy access response delay policies for users with odd and even MAC addresses based on MAC address offset values. For more information, see the ip subscriber access-delay odd-even mac offset command.
Restrictions and guidelines
· In this scenario, the public address pool, private address pool, and NAS-IP address on each BRAS must be unique. Otherwise, routing issues might occur. For example, if you have configured the NAS-IP address as 1.1.1.1 on one BRAS, you cannot configure the NAS-IP address as 1.1.1.1 on another BRAS.
· This command takes effect only on newly connected IPoE DHCP users (including new users who access during the preauthentication phase). It does not affect existing online IPoE users (including IPoE Web users in the online state during the preauthentication phase) and users in the Web authentication phase.
· If you do not specify any keyword in this command, the set response delay applies to users with even MAC addresses and users with odd MAC addresses that come online through the current interface.
· If you first execute this command with the even-mac (or odd-mac) keyword specified and then execute this command without specifying any keyword, the latter configuration takes effect, and vice versa.
Examples
# Set the response delay time for IPoE users to 10000 milliseconds on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface Ten-GigabitEthernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber access-delay 10000
Related commands
ip subscriber access-delay odd-even mac offset
ip subscriber access-delay odd-even mac offset
Use ip subscriber access-delay odd-even mac offset to configure the MAC address offset value used for delaying response to IPoE user access.
Use undo ip subscriber access-delay odd-even mac offset to restore the default.
Syntax
ip subscriber access-delay odd-even mac offset offset-value
undo ip subscriber access-delay odd-even mac offset
Default
The MAC addresses of IPoE users are not offset for matching. The system determines the parity of a MAC address based on the lowest bit (higher on the left and lower on the right) of a MAC address.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
offset-value: Specifies the MAC address offset value, in the range of 1 to 47 bits.
Usage guidelines
Application scenarios
The parity bit is the bit that the BRAS uses to determine the parity of a user MAC address. If the bit is 0, the user has an even MAC address. If the bit is 1, the user has an odd MAC address.
By default, the device can only select the lowest bit of a user MAC address as the parity bit to determine the parity of the MAC address. Then, based on the delay time configured by using the ip subscriber access-delay command for users with even MAC addresses or odd MAC addresses, the device can delay the response to the user's online requests.
To flexibly specify a certain bit in a user MAC address as the basis for determining the parity of the MAC address as needed, configure this feature.
Operating mechanism
After the MAC address offset value is configured, when the device receives an IPoE user online request, it determines whether the user MAC address is odd or even from bit number offset-value + 1 of the MAC address, counting from the lowest-order bit as bit 1. The device then delays the response to the user's online requests according to the delay time configured by using the ip subscriber access-delay command for users with odd or even MAC addresses.
For example, as shown in Figure 3, an IPoE user has a MAC address of 0012-3400-ABCD. When the default MAC address offset value is used, the parity bit of the user MAC address is the 1st bit and takes the value of 1, so the MAC address is an odd MAC address. If the MAC address offset value is set to 17, the parity bit of the user MAC address is the 18th bit and takes the value of 0, so the MAC address is an even MAC address.
Figure 3 MAC address offset calculation example
Restrictions and guidelines
· This command takes effect only when used together with the ip subscriber access-delay command. Executing this command alone, without the ip subscriber access-delay command, has no effect: regardless of the configured MAC address offset value, the device immediately responds to the IPoE user's online requests.
· This command takes effect only on IPoE DHCP users. If the Web authentication method is used, this command only takes effect for users in the preauthentication phase and has no impact on users in the Web authentication phase.
· If you execute this command multiple times, the most recent configuration takes effect. This command takes effect only on newly connected IPoE users. It does not affect existing online IPoE users (including IPoE Web users in the online state during the preauthentication phase).
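The parity-bit selection and its interaction with the access-delay keywords and the two-BRAS design of Figures 1 and 3, as an added illustration that is not device code: the MAC address is the one from Figure 3, and the BRAS interface configurations (modelled as small dicts) are constructed.

```python
"""Added illustration (not device code) of how ip subscriber access-delay and
ip subscriber access-delay odd-even mac offset decide the response delay, and
of the two-BRAS load-sharing design. MAC from Figure 3; configs constructed."""


def mac_to_int(mac):
    """Parse an H3C-style MAC (0012-3400-ABCD) or colon/dot form into a 48-bit int."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return int(digits, 16)


def parity_bit(mac, offset=0):
    """Return the parity bit of a MAC address.

    offset 0 is the default (lowest-order bit). With offset N configured the
    device reads bit N+1, counting the lowest-order bit as bit 1; in 0-based
    terms that is simply bit N."""
    if not 0 <= offset <= 47:
        raise ValueError("offset must be 0 (default) or 1 to 47")
    return (mac_to_int(mac) >> offset) & 1


def mac_parity(mac, offset=0):
    """'odd' when the parity bit is 1, 'even' when it is 0."""
    return "odd" if parity_bit(mac, offset) else "even"


def response_delay_ms(mac, cfg):
    """Delay (ms) an interface adds before answering this user's online request.

    cfg models the interface configuration as a dict (constructed format):
      {"any": ms}                         access-delay <ms> without a keyword
      {"even-mac": ms} / {"odd-mac": ms}  the keyword forms (either or both)
      "offset": N                         access-delay odd-even mac offset N
    The page says the keyword and no-keyword forms replace each other, so a
    cfg never carries "any" together with a parity key."""
    parity = mac_parity(mac, cfg.get("offset", 0))
    if "any" in cfg:
        return cfg["any"]
    # offset configured alone, or no access-delay at all: respond immediately
    return cfg.get(parity + "-mac", 0)


def preferred_bras(mac, brases):
    """Which BRAS answers first: the one with the smallest delay (name breaks ties)."""
    return min(brases, key=lambda name: (response_delay_ms(mac, brases[name]), name))


# The Figure 1 design: BRAS A delays even MACs, BRAS B delays odd MACs.
BRAS_A = {"even-mac": 10000}
BRAS_B = {"odd-mac": 10000}
```

With the default offset the Figure 3 address 0012-3400-ABCD is odd and comes online through BRAS A; with offset 17 on both BRASs it is even and goes to BRAS B.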
Examples
# Delay the response to IPoE users with odd MAC addresses for 10000 milliseconds, and set the MAC address offset to 17 bits.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber access-delay 10000 odd-mac
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber access-delay odd-even mac offset 17
Related commands
ip subscriber access-delay
ip subscriber access-line-id circuit-id trans-format
Use ip subscriber access-line-id circuit-id trans-format to configure the IPoE parsing format for the circuit ID in the DHCP option.
Use undo ip subscriber access-line-id circuit-id trans-format to restore the default.
Syntax
ip subscriber access-line-id circuit-id trans-format { ascii | hex }
undo ip subscriber access-line-id circuit-id trans-format
Default
The IPoE parsing format for the circuit ID in the DHCP option is ASCII.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
ascii: Specifies the ASCII parsing format.
hex: Specifies the hex parsing format.
Usage guidelines
For IPoE to correctly parse information in the circuit ID, use this command to set a proper parsing format according to the format of the circuit ID information sent by downstream devices.
The ip subscriber access-line-id circuit-id trans-format command configuration takes effect only after the ip subscriber trust command is executed to trust the specified option.
Examples
# Set the IPoE parsing format for the circuit ID in the DHCP option to hex.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber access-line-id circuit-id trans-format hex
Related commands
ip subscriber access-line-id remote-id trans-format
ip subscriber trust
ip subscriber access-line-id remote-id trans-format
Use ip subscriber access-line-id remote-id trans-format to configure the IPoE parsing format for the remote ID in the DHCP option.
Use undo ip subscriber access-line-id remote-id trans-format to restore the default.
Syntax
ip subscriber access-line-id remote-id trans-format { ascii | hex }
undo ip subscriber access-line-id remote-id trans-format
Default
The IPoE parsing format for the remote ID in the DHCP option is ASCII.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
ascii: Specifies the ASCII parsing format.
hex: Specifies the hex parsing format.
Usage guidelines
For IPoE to correctly parse information in the remote ID, use this command to set a proper parsing format according to the format of the remote ID information sent by downstream devices.
The ip subscriber access-line-id remote-id trans-format command configuration takes effect only after the ip subscriber trust command is executed to trust the specified option.
Examples
# Set the IPoE parsing format for the remote ID in the DHCP option to hex.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber access-line-id remote-id trans-format hex
Related commands
ip subscriber access-line-id remote-id trans-format
ip subscriber trust
ip subscriber access-out
Use ip subscriber access-out to enable IPoE access-out authentication for IPoE users.
Use undo ip subscriber access-out to restore the default.
Syntax
ip subscriber access-out
undo ip subscriber access-out
Default
IPoE access-out authentication is disabled for IPoE users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
In a dual-authentication network, one device performs access-in authentication and another device performs access-out authentication. Users who pass access-in authentication can access the intranet and users who pass access-out authentication can access the extranet.
Examples
# Enable IPoE access-out authentication for IPoE users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber access-out
ip subscriber access-trigger loose
Use ip subscriber access-trigger loose to specify the loose access duration for the IPoE users after the system is rebooted.
Use undo ip subscriber access-trigger loose to restore the default.
Syntax
ip subscriber access-trigger loose { loose-time | all-time }
undo ip subscriber access-trigger loose
Default
IPoE users cannot access in loose mode after the system is rebooted.
Views
System view
Predefined user roles
network-admin
Parameters
loose-time: Specifies the loose access duration for the IPoE users after the system is rebooted, in the range of 1 to 4294967295 minutes.
all-time: Specifies that the IPoE users can access in loose mode all time after the system is rebooted.
Usage guidelines
Application scenarios
When the sessions of online IPoE users are deleted because the system is rebooted, DHCP users do not send DHCP packets to trigger access again, because these users cannot detect the reboot. As a result, the access device cannot regenerate DHCP sessions for these users. To solve this problem, you can allow IPoE users to access in loose mode.
Operating mechanism
After the system is rebooted, IPoE users accessing in loose mode can use IP, ARP, or NS/NA packets to trigger access and generate DHCP sessions, either within the duration specified by the loose-time argument or at all times.
Restrictions and guidelines
IPoE DHCP users can access in loose mode only when all the following conditions exist:
· The Layer 2 access mode is configured on the access interface.
· An IP address pool is assigned to users through the authentication domain or AAA server.
· To use IP packet initiation, you must execute the ip subscriber initiator unclassified-ip enable command on the access interface, and as a best practice, specify the matching-user keyword.
· To use ARP packet initiation, you must execute the ip subscriber initiator arp enable command and the ip subscriber initiator unclassified-ip enable command on the access interface, and as a best practice, specify the matching-user keyword.
For IPoE Web authentication users that access in loose mode, only the sessions in the preauthentication domain can be regenerated. To come online in the Web authentication phase, these users must follow the normal Web authentication procedure.
Examples
# Specify the loose access duration as 300 minutes for the IPoE users after the system is rebooted.
<Sysname> system-view
[Sysname] ip subscriber access-trigger loose 300
Related commands
ip subscriber dhcp domain
ip subscriber dhcp password
ip subscriber dhcp username
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ip enable
ip subscriber authentication chasten
Use ip subscriber authentication chasten to configure the authentication failure limit in the specified authentication period.
Use undo ip subscriber authentication chasten to restore the default.
Syntax
ip subscriber authentication chasten auth-failure auth-period
undo ip subscriber authentication chasten
Default
One authentication failure immediately triggers the quiet timer for the user.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
auth-failure: Specifies the maximum number of consecutive authentication failures in the specified authentication period that triggers the quiet timer. The value range is 1 to 10000.
auth-period: Specifies an authentication period in the range of 1 to 3600 seconds.
Usage guidelines
Operating mechanism
If this command is used, the quiet timer starts when the number of authentication failures of a user reaches the limit in the specified authentication period. During the quiet time, packets from the user are dropped. After the quiet timer expires, IPoE performs authentication upon receiving a packet from the user. This command prevents password attacks.
If no dual-stack IPoE session is generated for a dual-stack user, the authentication failures of the two protocol stacks are counted separately. The dual-stack user is quieted only when the number of consecutive authentication failures reaches the limit in the specified period for each protocol stack.
Restrictions and guidelines
If a dual-stack IPoE session is generated for a dual-stack user, the authentication failures of the two protocol stacks are counted together. The dual-stack user is quieted when the number of consecutive authentication failures reaches the limit in the specified period.
This command takes effect only after the ip subscriber timer quiet command is executed on the interface.
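The counting and quiet-timer behaviour described above, as an added model that is not device code: the limits (5 failures in 60 seconds, 100-second quiet timer) are the values from this command's example, while the user names and timestamps are constructed.

```python
"""Added model (not device code) of ip subscriber authentication chasten
auth-failure auth-period together with ip subscriber timer quiet, including the
dual-stack counting rules. Users and timestamps are constructed."""
from collections import deque


class Chasten:
    def __init__(self, auth_failure=1, auth_period=60, quiet=100):
        # Default auth_failure=1: one failure immediately starts the quiet timer.
        self.limit = auth_failure
        self.period = auth_period
        self.quiet = quiet
        self.failures = {}                 # counting key -> deque of failure times
        self.quiet_until = {}              # counting key -> time the quiet timer expires
        self.dual_stack_sessions = set()   # users that have a dual-stack IPoE session

    def _key(self, user, stack):
        # With a dual-stack session the two stacks share one counter; otherwise
        # IPv4 and IPv6 failures are counted separately.
        return user if user in self.dual_stack_sessions else (user, stack)

    def handle(self, user, stack, authenticated, now):
        """Process one authentication attempt; returns what IPoE does with it."""
        key = self._key(user, stack)
        if now < self.quiet_until.get(key, 0):
            return "dropped"                     # quiet timer running: packet dropped
        if authenticated:
            self.failures.pop(key, None)         # success ends the consecutive run
            return "online"
        hist = self.failures.setdefault(key, deque())
        hist.append(now)
        while hist and now - hist[0] > self.period:
            hist.popleft()                       # only failures inside the period count
        if len(hist) >= self.limit:
            self.quiet_until[key] = now + self.quiet
            self.failures.pop(key)
            return "quiet"                       # limit reached: quiet timer starts
        return "retry"
```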
Examples
# Configure Ten-GigabitEthernet 0/0/15 to block an IPoE user on the interface for 100 seconds if the user fails authentication for five consecutive times within one minute.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber timer quiet 100
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber authentication chasten 5 60
Related commands
display ip subscriber chasten user auth-failed
display ip subscriber chasten user quiet
ip subscriber timer quiet
ip subscriber authentication dot1x-retrigger
Use ip subscriber authentication dot1x-retrigger to configure the BRAS to retrigger 802.1X authentication based on the specified types of packets sent by an IPoE user when the IPoE user fails to come online through 802.1X authentication.
Syntax
ip subscriber authentication dot1x-retrigger { arp | dhcpv4 | dhcpv6 | nd } *
undo ip subscriber authentication dot1x-retrigger
Default
The BRAS does not retrigger 802.1X authentication based on any type of packets sent by an IPoE user when the IPoE user fails to come online through 802.1X authentication.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
arp: Specifies ARP packets.
dhcpv4: Specifies DHCPv4 packets.
dhcpv6: Specifies DHCPv6 packets.
nd: Specifies ND packets. For this feature, ND packets include only NS, NA, and RS packets.
Usage guidelines
Application scenarios
By default, in a scenario where 802.1X authentication is prioritized in loose mode, the BRAS will not immediately trigger the IPoE authentication process when it receives ARP, ND, or DHCP packets from an endpoint. Instead, the BRAS will cache the packets and actively send an EAP request (EAP-Request/Identity packet) to the endpoint to trigger 802.1X authentication. If no reply is received from the endpoint within the specified time (set by using the dot1x timer tx-period command), the BRAS will retransmit the EAP request packet to the endpoint. If the number of EAP request attempts reaches the limit (set by the dot1x retry command) and the BRAS still does not receive a reply from the endpoint, the BRAS will stop sending authentication requests. At this point, the BRAS determines that the endpoint has failed to come online through 802.1X authentication, triggers the IPoE authentication process based on cached packets, and allows the user to come online in the preauthentication domain.
After the user comes online in the preauthentication domain, the BRAS will no longer send EAP-Request/Identity packets to the endpoint when receiving ARP, ND, or DHCP packets from the endpoint.
Some endpoints (such as Apple endpoints) must receive the EAP-Request/Identity packets in order to pop up the 802.1X authentication page. If the EAP-Request/Identity packets sent by the BRAS to such endpoints are lost due to poor network quality, these endpoints fail to receive EAP-Request/Identity packets. In this case, these endpoints cannot come online through 802.1X authentication even if you plug/unplug the network cables or restart the network cards for the endpoints.
To resolve this issue, configure this feature to allow the specified types of packets to retrigger 802.1X authentication before an endpoint successfully comes online through 802.1X authentication.
Operating mechanism
With this feature configured, for a user that has already come online in the preauthentication domain, the BRAS will actively retrigger 802.1X authentication by sending an EAP-Request/Identity packet to the user endpoint when the BRAS receives a specific type of packets (specified by the ip subscriber authentication dot1x-retrigger command) from the user endpoint. This feature ensures that the endpoint can receive and respond to the EAP-Request/Identity packets, pop up the 802.1X authentication page, complete 802.1X authentication, and come online. After the 802.1X client comes online, IPoE uses the 802.1X authentication result to have the user come online directly in the postauthentication domain. In this case, the recorded user information is the 802.1X user information, including the 802.1X username, authentication domain, and authorized attributes.
Restrictions and guidelines
· This feature only takes effect when 802.1X authentication is prioritized in loose mode.
· If a user has already come online in the postauthentication domain before coming online through 802.1X authentication, this feature does not take effect.
· For an Apple endpoint, suppose the endpoint receives an EAP-Request/Identity packet from the BRAS and pops up the 802.1X authentication window, and then you close the window without entering a username/password for authentication. In this case, the 802.1X authentication window will not pop up again even if the endpoint receives EAP-Request/Identity packets from the BRAS later again. To resolve this issue, plug/unplug or restart the network card for the Apple endpoint.
· If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure Ten-GigabitEthernet 0/0/15 to allow the BRAS to retrigger 802.1X authentication based on the ARP packets sent by an IPoE user when the IPoE user fails to come online through 802.1X authentication.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber authentication dot1x-retrigger arp
Related commands
dot1x timer tx-period (BRAS Services Command Reference)
dot1x retry (Security Command Reference)
ip subscriber authentication-method
ip subscriber authentication dot1x-retrigger interval
ip subscriber authentication dot1x-retrigger interval
Use ip subscriber authentication dot1x-retrigger interval to configure the suppression interval for retriggering 802.1X authentication based on ARP and ND packets.
Syntax
ip subscriber authentication dot1x-retrigger interval interval
undo ip subscriber authentication dot1x-retrigger interval
Default
The suppression interval for retriggering 802.1X authentication based on ARP and ND packets is 60 seconds.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
interval interval: Specifies the suppression interval for retriggering 802.1X authentication based on ARP and ND packets, in the range of 1 to 1200 seconds.
Usage guidelines
Application scenarios
When a large number of ARP and ND packets exist in the network and the ip subscriber authentication dot1x-retrigger command is executed, sending an EAP-Request/Identity packet every time the BRAS receives an ARP or ND packet lets an ARP or ND flood make the BRAS generate an equally large flood of EAP-Request/Identity packets toward endpoints, which an attacker can abuse. For security purposes, adjust the suppression interval for retriggering 802.1X authentication based on ARP and ND packets on the BRAS according to the actual network requirements.
Operating mechanism
After you configure the suppression interval, whenever the BRAS sends an EAP-Request/Identity packet to an endpoint, the BRAS will record the time (T1) of sending the packet. When the BRAS receives ARP or ND packets from the endpoint, the BRAS will record the time (T2) of receiving ARP or ND packets.
· If T2-T1≥interval, the BRAS will send an EAP-Request/Identity packet to the endpoint to retrigger 802.1X authentication.
· If T2-T1 < interval, the BRAS will not send an EAP-Request/Identity packet to the endpoint.
Restrictions and guidelines
· For ARP packets and ND packets, the BRAS separately calculates the suppression intervals, and the two intervals do not affect each other.
· For NS packets, NA packets, and RS packets among the ND packets, the BRAS calculates the suppression interval uniformly. For example, suppose the BRAS sends an EAP-Request/Identity packet at time T1 to the endpoint based on the received NA packets, and the BRAS receives an RS packet at time T2. The BRAS will decide whether to send an EAP-Request/Identity packet to the endpoint again based on the difference between T2 and T1 and the value for the interval argument.
· This feature takes effect only when the ip subscriber authentication dot1x-retrigger command has been executed.
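The T1/T2 suppression decision above, together with the two restrictions (ARP and ND keep separate timers; NS, NA and RS share the ND timer), as an added Python model. This is illustrative code written for this page, not the BRAS implementation; the endpoint MACs, timestamps and packet rates are constructed, and packet types other than ARP/NS/NA/RS are simply treated as non-retriggering.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Packet types that can retrigger 802.1X, mapped to the suppression timer
# they use. NS, NA and RS are all ND and share ONE timer; ARP has its own,
# and the two timers never affect each other (restrictions above).
_TIMER_FAMILY = {"arp": "arp", "ns": "nd", "na": "nd", "rs": "nd"}


@dataclass
class Dot1xRetriggerSuppressor:
    """Per-endpoint suppression of EAP-Request/Identity retriggers.

    interval is the configured 'dot1x-retrigger interval' (default 60 s).
    """
    interval: int = 60
    # (endpoint MAC, timer family) -> T1, the time the last EAP-Request/Identity
    # was sent to that endpoint for that family.
    _last_sent: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def on_packet(self, mac: str, pkt_type: str, t2: float) -> bool:
        """Decide whether a packet received at time T2 retriggers 802.1X.

        Returns True when an EAP-Request/Identity should be sent (and records
        T1 = T2 for that endpoint's timer family); False when suppressed, or
        when the packet type is not a retrigger type at all.
        """
        family = _TIMER_FAMILY.get(pkt_type.lower())
        if family is None:
            return False
        key = (mac.lower(), family)
        t1: Optional[float] = self._last_sent.get(key)
        if t1 is not None and t2 - t1 < self.interval:
            return False            # T2 - T1 < interval: suppressed, T1 unchanged
        self._last_sent[key] = t2   # first packet, or T2 - T1 >= interval: send
        return True


def simulate(events: List[Tuple[str, str, float]], interval: int) -> List[bool]:
    """Replay (mac, packet type, arrival time) events; return each decision."""
    s = Dot1xRetriggerSuppressor(interval=interval)
    return [s.on_packet(mac, ptype, t) for mac, ptype, t in events]


def eap_count_under_flood(pps: int, seconds: int, interval: int) -> int:
    """EAP-Request/Identity packets the BRAS emits while one endpoint (or an
    attacker spoofing its MAC) sends ARP at `pps` packets per second."""
    events = [("00:11:22:33:44:55", "arp", i / pps) for i in range(pps * seconds)]
    return sum(simulate(events, interval))


# Constructed trace: one endpoint mixing ARP and ND, plus a second endpoint.
SAMPLE_EVENTS = [
    ("00:11:22:33:44:55", "arp", 0.0),    # first ARP: send
    ("00:11:22:33:44:55", "arp", 30.0),   # 30 s after ARP T1: suppressed
    ("00:11:22:33:44:55", "na", 40.0),    # ND timer has no T1 yet: send
    ("00:11:22:33:44:55", "rs", 90.0),    # RS shares the NA timer, 50 s: suppressed
    ("00:11:22:33:44:55", "arp", 100.0),  # 100 s after ARP T1: send
    ("AA:BB:CC:DD:EE:FF", "ns", 100.0),   # different endpoint, own timers: send
    ("00:11:22:33:44:55", "ns", 140.0),   # 100 s after ND T1 (40 s): send
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS, interval=100))
    # 100 ARP/s for 10 minutes: 60000 packets in, 10 EAP-Request/Identity out
    print(eap_count_under_flood(pps=100, seconds=600, interval=60))
```

The flood function is the check worth running when choosing the interval: with the 60-second default, a sustained ARP flood from one MAC yields one EAP-Request/Identity per minute per endpoint, whereas setting the interval to 1 second allows one per second.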
Examples
# Configure the suppression interval as 100 seconds for retriggering 802.1X authentication based on ARP and ND packets.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber authentication dot1x-retrigger interval 100
Related commands
ip subscriber authentication-method
ip subscriber authentication dot1x-retrigger
ip subscriber authentication-method
Use ip subscriber authentication-method to configure an IPoE authentication method.
Use undo ip subscriber authentication-method to restore the default.
Syntax
Syntax I:
ip subscriber authentication-method { bind [ reauth ] | { dot1x [ high-priority ] | web [ mac-auth ] [ basic-service-ipv4 ] [ support-authorized-vpn ] [ inherit-pppoe ] } * [ support-unclassified-ip ] | http-x-header [ x-header-name ] [ support-authorized-vpn ] }
undo ip subscriber authentication-method
Syntax II:
ip subscriber authentication-method dot1x high-priority-strict [ support-unclassified-ip ]
undo ip subscriber authentication-method
Default
IPoE uses bind authentication.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
bind: Specifies the bind authentication method.
reauth: Enables reauthentication for users using bind authentication. With reauthentication enabled, when a bind authentication user passes the first authentication, the BRAS will reauthenticate the specified user according to the information (for example, username and domain) authorized by the AAA server in the first authentication. If you do not specify this option, reauthentication is not supported.
dot1x: Specifies the 802.1X authentication method. For more information about 802.1X, see 802.1X configuration in BRAS Services Configuration Guide. This keyword is mutually exclusive with the basic-service-ipv4 keyword. If 802.1X authentication is configured without the high-priority or high-priority-strict keyword specified, an IPoE user is allowed to perform authentication and come online through the normal IPoE process no matter whether the 802.1X client of the IPoE user is online. If iOS endpoints in the network authenticate through the built-in 802.1X service of iOS, as a best practice, prioritize 802.1X authentication in loose or strict mode by specifying the high-priority or high-priority-strict keyword as needed. Otherwise, those users might fail to authenticate through the built-in 802.1X service of iOS.
· high-priority: Prioritizes 802.1X authentication in loose mode. If you specify this keyword, an IPoE user cannot perform authentication to come online before the 802.1X client of the IPoE user is authenticated. However, when the 802.1X client fails to pass authentication, the IPoE user can perform authentication and come online through the normal IPoE process.
· high-priority-strict: Prioritizes 802.1X authentication in strict mode. If you specify this keyword, the IPoE user cannot perform authentication or come online through the normal IPoE process until the 802.1X client of the IPoE user passes authentication and comes online. This applies both when the 802.1X client has not attempted authentication and when it has attempted authentication and failed. This keyword is mutually exclusive with the web keyword.
web: Specifies the Web authentication method. This parameter is mutually exclusive with the high-priority-strict keyword.
mac-auth: Specifies the Web MAC authentication method.
basic-service-ipv4: Configures the IPv6 protocol stack to depend on the IPv4 protocol stack. If you specify this keyword, an IPoE Web user can come online in the IPv6 protocol stack only after the IPoE Web user has come online in the IPv4 protocol stack through Web authentication. When the user goes offline in the IPv4 protocol stack or returns from the postauthentication phase to the preauthentication phase, the user is forced to go offline in the IPv6 protocol stack. Typically, this keyword is used in the intelligent IPv6 multi-egress scenario. For IPoE Web users, if this command is executed with the basic-service-ipv4 keyword specified on an interface, the ip subscriber basic-service-ip-type command does not take effect on this interface. This keyword is mutually exclusive with the dot1x keyword.
support-authorized-vpn: Specifies that the postauthentication domain of Web authentication supports VPN authorization. If you specify this keyword, a VPN can be authorized to an IPoE Web user after the user comes online in the postauthentication domain. If you do not specify this keyword, a VPN cannot be authorized to an IPoE Web user after the user comes online in the postauthentication domain, even if an authorization VPN is configured in the postauthentication domain.
inherit-pppoe: Configures IPoE Web users in the preauthentication domain to inherit PPPoE user information and come online in the postauthentication domain. With this keyword specified, if a PPPoE user with the same MAC address exists after an IPoE Web user comes online in the preauthentication domain, the IPoE Web user does not need to pass Web authentication. Instead, the device directly makes the IPoE Web user come online in the postauthentication domain by using the authentication and authorization information of the online PPPoE user. If you do not specify this keyword, an IPoE user can come online in the postauthentication domain only after passing Web authentication. This keyword is used in the scenario where both IPoE Web authentication and PPPoE authentication are configured on the same interface.
support-unclassified-ip: Enables Web authentication or 802.1X authentication for unclassified-IP users. If you specify this keyword when configuring Web authentication or 802.1X authentication, unclassified-IP users can use that authentication method. If you do not specify it, unclassified-IP users cannot use Web authentication or 802.1X authentication.
http-x-header: Specifies the HTTP extension header authentication method.
x-header-name: Resolves the specified field from the HTTP extension header to obtain the username and password for postauthentication. The x-header-name argument represents the field name, a case-sensitive string of 1 to 31 characters. Make sure this argument is configured correctly. If you do not specify this argument, the system resolves the x-up-imei field to obtain the username and password for authentication.
Usage guidelines
Common guidelines
IPoE supports the following authentication methods:
· Bind authentication—The BRAS automatically generates usernames and passwords for users based on the user access location. Users are not required to enter usernames and passwords.
· 802.1X authentication—The BRAS requires users to enter usernames and passwords on an 802.1X client. To access a Layer 3 interface through 802.1X, configure the 802.1X authentication method.
· Web authentication—The BRAS requires users to enter usernames and passwords on the Web authentication server page.
· Web MAC authentication—A user needs to enter the username and password only for the first login. Then, the user can access the network without entering the username and password. (Web MAC authentication is a type of Web authentication. Web authentication includes Web MAC authentication unless otherwise specified.)
· HTTP extension header authentication—Transparent to users during the postauthentication phase. In this authentication method, the BRAS automatically obtains the username and password by resolving the extension header in the HTTP packets.
Guidelines in the reauthentication scenario
In the 5G To Business (ToB) service applications, for a business endpoint to access resources in the business intranet, you can enable reauthentication for users using bind authentication.
With reauthentication enabled, when a BRAS receives an unclassified-IP, ARP, or NS/NA packet, IPoE authentication is triggered. The BRAS uses the source IP address of the unclassified-IP, ARP, or NS/NA packet (public IP address that the ISP allocates to the endpoint user) as the username to initiate authentication to the ISP AAA server. After the user passes the first authentication, the BRAS initiates reauthentication for the user to the intranet AAA server of the user's business according to the information (username and domain) authorized by the ISP AAA server. The user can come online only after passing reauthentication. The reauthentication process collaborates with NAT. After the user passes reauthentication, the NAT module will allocate a private IP address of the business to the user. After the user comes online, the user can access intranet resources of the business according to the private IP address of the business allocated by NAT.
Figure 4 Schematic diagram
When specifying reauthentication in the bind authentication mode, follow these restrictions and guidelines:
· Reauthentication is supported only in Layer 3 IPoE access mode.
· Only unclassified-IP users support reauthentication.
· Use the ip subscriber unclassified-ip username include source-ip command to make sure the username used in the first authentication is the source IP address of unclassified-IP, ARP, or NS/NA packets.
Guidelines in the IPoE 802.1X authentication scenario
IPoE 802.1X authentication supports unclassified-IP users, DHCP users, IPv6 ND RS users, and global static users. For a user configured with a static IP address to come online through 802.1X authentication without configuring the corresponding IPoE static user access on the BRAS, you can enable the static 802.1X user authentication feature. For more information, see the ip subscriber static-dot1x-user enable command.
When both 802.1X authentication and Web authentication are configured on an interface, a user can use only one of them to perform authentication and come online at a time. 802.1X authentication takes priority over Web authentication.
· When 802.1X authentication is prioritized in loose mode, as a best practice to ensure that an endpoint can pop up the 802.1X authentication page to complete the authentication and come online, execute the ip subscriber authentication dot1x-retrigger command.
· When 802.1X authentication is prioritized in strict mode, the BRAS actively sends an EAP-Request/Identity packet to an endpoint each time the BRAS receives an ARP, ND, or DHCP packet from the endpoint before the 802.1X client of the IPoE user successfully comes online. This mechanism ensures that the endpoint can respond to the EAP-Request/Identity packets, pop up the 802.1X authentication page normally, complete 802.1X authentication, and come online. After the 802.1X client comes online, if the 802.1X client initiates the offline process, the IPoE user is logged out as well (the IPoE user session is cleared).
When you configure 802.1X authentication, follow these restrictions and guidelines:
· If a global static session without the support-ds keyword specified exists on the device, before configuring 802.1X authentication, you must first use the undo ip subscriber session static command to delete all global static sessions without the support-ds keyword specified and then execute the ip subscriber session static command to re-configure global static sessions with the support-ds keyword specified.
· When static users do not support 802.1X authentication on an interface, do not configure both 802.1X authentication and interface-level IPoE static individual sessions on the interface. If you do that, the interface-level IPoE static individual sessions configured on the interface might not function normally.
· On an interface, 802.1X authentication is mutually exclusive with Layer 3 IPoE access mode, IPoE interface-leased users, IPoE subnet-leased users, and IPoE L2VPN-leased users.
· You can configure 802.1X authentication on an interface only when the interface operates in Layer 2 IPoE access mode.
· Only Layer 3 Ethernet interfaces/subinterfaces and Layer 3 aggregate interfaces/subinterfaces support 802.1X authentication.
· For IPoE 802.1X authentication to support unclassified-IP users, specify the support-unclassified-ip keyword when configuring 802.1X authentication.
Guidelines in the intelligent IPv6 multi-egress scenario
In the intelligent IPv6 multi-egress scenario, the IPoE Web authentication network functions as follows: When a dual-stack user passes Web authentication in the IPv4 protocol stack, the BRAS identifies the service provider of the user according to the AAA-authorized attributes when the user performs authentication and comes online in the IPv4 protocol stack. Then, the BRAS assigns an IPv6 address of the service provider to the user. As a result, IPv6 packets of different service providers can be forwarded in the corresponding public network egress interfaces separately.
In an IPv6 intelligent multi-egress application, an IPoE Web dual-stack user uses DHCP packet initiation in the IPv4 protocol stack. In the IPv6 protocol stack, the user can come online in one of the following methods according to the type of online request packets in the IPv6 protocol stack.
· ND RS packet initiation—Comes online through IPv6 ND RS packets. In this method, if a user initiates online requests in the IPv6 protocol stack before passing Web authentication in the IPv4 protocol stack, the BRAS buffers the ND RS packets. After the user passes Web authentication and comes online in the IPv4 protocol stack, the BRAS uses the buffered ND RS packets to come online in the IPv6 protocol stack. NOTE: The buffered ND RS packets are time limited. When they expire, they will be deleted from the buffer.
· DHCPv6 packet initiation—Comes online through DHCPv6 packets. In this method, if a user initiates online requests in the IPv6 protocol stack before passing Web authentication in the IPv4 protocol stack, the BRAS drops the received DHCPv6 request packets. Because a DHCPv6 client retransmits its requests for IPv6 addresses, after the user passes Web authentication and comes online in the IPv4 protocol stack, the BRAS uses the DHCPv6 packets received subsequently to bring the user online in the IPv6 protocol stack.
Guidelines in the scenario that supports authorizing VPN instances in the Web postauthentication domain
On an IPoE Web authentication network, to authorize VPNs to users after they pass postauthentication so that the users can have different access permissions, you can specify the support-authorized-vpn keyword to enable the postauthentication domain of Web authentication to support VPN authorization.
With this feature enabled, when IPoE Web users come online in the postauthentication domain, AAA can be used to authorize VPN instances to users. When a user with a VPN instance authorized comes online in the postauthentication domain, the host route of the user will be switched to the specified VPN instance. Then, the user can access only network resources in the authorized VPN instance.
On an IPoE Web authentication network, follow these restrictions and guidelines for static IPoE users:
· If the vpn-instance keyword is specified in the static session of a static IPoE user, the static user does not support the VPN authorization feature in the postauthentication domain.
· If the vpn-instance keyword is not specified in the static session of a static IPoE user, the following rules apply:
¡ If the strict-check access-interface vpn-instance command is executed in the authorization domain of a static user, the static user does not support the VPN authorization feature in the postauthentication domain.
¡ If the strict-check access-interface vpn-instance command is not executed in the authorization domain of a static user, the static user supports the VPN authorization feature in the postauthentication domain.
When AAA authorizes VPNs to IPoE DHCP users, follow these restrictions and guidelines:
· If the support-authorized-vpn parameter is not configured, the VPN bound to the authorization address pool of the post-authentication domain must be the same as the AAA authorized VPN regardless of whether the access interface is bound to a VPN.
· If the support-authorized-vpn parameter is configured, the VPN bound to the authorization address pool of the post-authentication domain must be the same as the VPN to which the interface belongs.
¡ If the access interface is bound to a VPN, the authorization address pool in the post-authentication domain must be bound to the same VPN as the access interface.
¡ If the access interface is not bound to any VPN, the authorization address pool in the post-authentication domain cannot be bound to any VPN.
In a VSRP network, VPN authorization is not supported in the postauthentication domain of Web authentication.
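The two rule sets above (VPN authorization eligibility for static IPoE users, and the VPN that the postauthentication authorization address pool must be bound to for IPoE DHCP users) as an added pre-change check in Python. This is illustrative code written for this page, not a BRAS tool; VPN instance names such as vpn-a and vpn-b are constructed, and None stands for "not bound to any VPN instance".

```python
from typing import List, Optional


def check_dhcp_pool_vpn(support_authorized_vpn: bool,
                        interface_vpn: Optional[str],
                        aaa_authorized_vpn: Optional[str],
                        pool_vpn: Optional[str]) -> List[str]:
    """Check the VPN bound to the postauthentication authorization address
    pool for an IPoE DHCP user. Returns the rule violations (empty = allowed).
    """
    problems: List[str] = []
    if not support_authorized_vpn:
        # Without support-authorized-vpn: pool VPN must equal the AAA-authorized
        # VPN, regardless of what the access interface is bound to.
        if pool_vpn != aaa_authorized_vpn:
            problems.append(f"pool VPN {pool_vpn!r} must equal "
                            f"AAA-authorized VPN {aaa_authorized_vpn!r}")
    else:
        # With support-authorized-vpn: pool VPN must equal the access
        # interface's VPN; an unbound interface requires an unbound pool.
        if pool_vpn != interface_vpn:
            problems.append(f"pool VPN {pool_vpn!r} must equal "
                            f"access-interface VPN {interface_vpn!r}")
    return problems


def static_user_supports_vpn_authorization(session_has_vpn_instance: bool,
                                           strict_check_access_interface_vpn: bool) -> bool:
    """Whether a static IPoE user can be authorized a VPN instance in the Web
    postauthentication domain."""
    if session_has_vpn_instance:
        return False   # vpn-instance specified in the static session
    # No vpn-instance in the session: depends on whether strict-check
    # access-interface vpn-instance is configured in the authorization domain.
    return not strict_check_access_interface_vpn


def migration_impact(interface_vpn: Optional[str],
                     aaa_authorized_vpn: Optional[str],
                     pool_vpn: Optional[str]) -> List[str]:
    """Problems that appear only after support-authorized-vpn is turned on for
    an existing, currently valid pool binding."""
    before = check_dhcp_pool_vpn(False, interface_vpn, aaa_authorized_vpn, pool_vpn)
    after = check_dhcp_pool_vpn(True, interface_vpn, aaa_authorized_vpn, pool_vpn)
    return [] if before else after


if __name__ == "__main__":
    # Constructed scenario: interface unbound, AAA authorizes vpn-a, pool bound
    # to vpn-a. Valid today; enabling support-authorized-vpn breaks it because
    # the pool must then be unbound like the interface.
    print(migration_impact(None, "vpn-a", "vpn-a"))
```

Run migration_impact over every postauthentication domain before adding support-authorized-vpn: the keyword changes which VPN the pool is compared against, so a pool that was correctly bound to the AAA-authorized VPN becomes invalid unless it is rebound to the interface's VPN (or unbound when the interface is unbound).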
Usage guidelines when both IPoE Web authentication and PPPoE authentication are configured
On an access interface configured with both IPoE Web authentication and PPPoE authentication, a user might separately trigger IPoE Web authentication and PPPoE authentication. For example, a user does not actively disable DHCP on the endpoint. When the user endpoint is powered on, it will automatically send DHCP packets to trigger IPoE Web authentication. After passing the authentication (typically, password-free authentication is used in the preauthentication domain, which is transparent to the user), the user can obtain an IP address and come online in the preauthentication domain. Then, the user does not use IPoE Web authentication to come online in the postauthentication domain. Instead, the user directly comes online through PPPoE dialup authentication. After passing the PPPoE dialup authentication, the user also obtains an IP address.
By default, if a user endpoint preferentially uses the IP address obtained through IPoE Web authentication to come online, the Web authentication page will open to prompt the user to perform authentication again even if the user has passed PPPoE authentication. This affects the network access experience. To resolve this issue, you can configure the Web user in the preauthentication domain to inherit information of the PPPoE user with the same MAC address and then directly come online in the postauthentication domain.
With this feature configured, if a PPPoE user with the same MAC address exists after an IPoE Web user comes online in the preauthentication domain, the IPoE Web user does not need to pass Web authentication. Instead, the device directly makes the IPoE Web user come online in the postauthentication domain by using the authentication and authorization information of the online PPPoE user. This process is transparent to the user. A user can normally access the network after passing one PPPoE authentication, which improves the network access experience.
In this scenario, follow these restrictions and guidelines:
· This command supports the inherit-pppoe keyword only when IPoE operates in Layer 2 access mode.
· The inherit-pppoe keyword takes effect only when the maximum number of users allowed for an account configured by using the users-per-account command is greater than 1 in the PPPoE authentication domain.
· When you execute this command, do not specify both the dot1x and inherit-pppoe keywords. The two keywords are mutually exclusive.
· After an IPoE Web user in the preauthentication domain inherits the information of the PPPoE user with the same MAC address and then comes online in the postauthentication domain, IPoE is not responsible for accounting. IPoE and PPPoE respectively collect traffic statistics and PPPoE summarizes the statistics and sends them to the AAA server for accounting. Configure an AAA authentication scheme correctly for PPPoE as needed.
· When an IPoE Web user in the preauthentication domain inherits information of the PPPoE user with the same MAC address, the protocol stack type does not matter. For example, a user comes online through IPoE Web authentication in the preauthentication domain in the IPv4 protocol stack and comes online through PPPoE authentication in the IPv6 protocol stack. In this case, the IPoE user in the IPv4 protocol stack can inherit the IPv6 protocol stack information of the PPPoE user and then come online in the postauthentication domain.
· When the PPPoE user goes offline, the IPoE user that inherits information of the PPPoE user and comes online in the postauthentication domain will return to the preauthentication domain.
· In this scenario, the following features are not supported:
¡ IPoE user roaming.
¡ PPPoE agency.
¡ Re-DHCP for IPoE Web authentication.
¡ IPv6 protocol stack dependency on IPv4 protocol stack.
¡ VPN authorization in the postauthentication domain of IPoE Web authentication.
¡ Transparent IPoE Web authentication.
¡ VSRP.
Usage guidelines for unclassified-IP users to support Web authentication and 802.1X authentication
For an IPoE Web authentication or 802.1X authentication network to support unclassified-IP users, specify the support-unclassified-ip keyword to enable unclassified-IP users to support Web authentication or 802.1X authentication.
When configuring unclassified-IP users to support Web authentication or 802.1X authentication on an access interface, follow these restrictions and guidelines:
· On an IPv4 network:
¡ Support of unclassified-IP users for Web authentication or 802.1X authentication takes effect on an interface only when the ip subscriber initiator unclassified-ip enable command is executed on the interface without the matching-user keyword specified.
· On an IPv6 network:
¡ Support of unclassified-IP users for Web authentication or 802.1X authentication takes effect on an interface only when the ip subscriber initiator unclassified-ipv6 enable command is executed on the interface without the matching-user keyword specified.
Usage guidelines for HTTP extension header authentication
HTTP extension header authentication is applied to the BRAS gateway and includes the preauthentication phase and the postauthentication phase. A user must first perform preauthentication. After passing preauthentication, the user can obtain an IP address (for a DHCP user) and will be assigned the authorization attributes configured in the specified preauthentication domain. Then, the user can obtain the permissions to access the corresponding network resources (for example, the redirect URL of the gateway) based on the authorization information. However, the user cannot access intranet resources of the enterprise until the user completes postauthentication. Postauthentication is transparent to the user, which is automatically completed by the BRAS gateway.
The preauthentication process is the same as the IPoE bind authentication user access process. For more information, see IPoE configuration in BRAS Services Configuration Guide.
As shown in Figure 5, in a 5G network, the postauthentication process for HTTP extension header authentication is as follows:
Figure 5 Postauthentication process for HTTP extension header authentication
1. A user endpoint accesses intranet resources of the enterprise through HTTP, and the sent HTTP request is forwarded through the user plane function (UPF) device to the BRAS that acts as the 5G gateway.
2. The 5G gateway determines that the user is accessing intranet resources of the enterprise based on the destination IP address in the HTTP request and requires postauthentication. Therefore, the 5G gateway redirects the HTTP request to an extension URL that is pre-planned on the 5G gateway and the UPF device.
3. The user endpoint sends an HTTP request to the extension URL based on HTTP redirect.
4. After receiving an HTTP request for the extension URL from the user, the UPF device adds an extension header to the HTTP request. The extension header includes a unique ID for the user endpoint, which can be used for postauthentication of the user. The UPF device sends the HTTP request with the extension header to the 5G gateway.
5. When the 5G gateway receives the HTTP request with the extension URL, it extracts the unique ID (typically the user's phone number) from the extension header, and sends an authentication request with the unique ID as the username and password to the AAA server on the enterprise intranet. After authenticating the user, the AAA server sends a reply to the 5G gateway.
6. If the user fails to pass authentication on the AAA server, the user cannot access intranet resources of the enterprise through HTTP. If the user passes authentication, it indicates that the user passes postauthentication and comes online. The 5G gateway then redirects the HTTP request with the extension URL again to the originally requested URL, which is the URL for intranet resources of the enterprise.
7. When the user requests to access intranet resources of the enterprise again through HTTP, the 5G gateway directly forwards the request to the enterprise intranet.
When configuring HTTP extension header authentication, make sure that the web-server url-parameter original-url command is executed in the preauthentication domain.
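Step 5 of the postauthentication process (extract the unique ID from the extension header and use it as both username and password), as an added Python example. This is illustrative code written for this page, not the BRAS implementation: the sample request, the extension URL path, the original-url parameter spelling, the host names and the ID value 13800000000 are constructed. The default field name x-up-imei and the 1 to 31 character, case-sensitive constraint on x-header-name are taken from the parameter description above.

```python
from typing import List, Optional, Tuple

# Field the BRAS resolves when x-header-name is not specified.
DEFAULT_X_HEADER = "x-up-imei"


def validate_x_header_name(name: str) -> str:
    """x-header-name is a case-sensitive string of 1 to 31 characters."""
    if not 1 <= len(name) <= 31:
        raise ValueError("x-header-name must be 1 to 31 characters: %r" % name)
    return name


def parse_request(raw: bytes) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Split an HTTP/1.x request head into (request-target, [(name, value)...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None, []
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip():
            headers.append((name.strip().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return request_line[1].decode("latin-1"), headers


def extract_postauth_credentials(raw: bytes,
                                 x_header_name: str = DEFAULT_X_HEADER
                                 ) -> Optional[Tuple[str, str]]:
    """Return (username, password) taken from the extension header, or None.

    The unique ID carried in the header is used as both username and password.
    The configured field name is matched exactly (case-sensitive, as the page
    states), so a UPF emitting "X-Up-Imei" does not match a gateway configured
    with "x-up-imei": agree on the exact spelling with the UPF operator.
    """
    wanted = validate_x_header_name(x_header_name)
    _, headers = parse_request(raw)
    values = {v for n, v in headers if n == wanted and v}
    if len(values) != 1:
        # Header absent, empty, or duplicated with conflicting values:
        # no postauthentication request is sent to the AAA server.
        return None
    uid = values.pop()
    return uid, uid


# Constructed request as the UPF would forward it to the 5G gateway after
# adding the extension header (step 4 above).
SAMPLE_REQUEST = (
    b"GET /ext-auth?original-url=http%3A%2F%2Fintranet.example%2F HTTP/1.1\r\n"
    b"Host: gateway.example\r\n"
    b"x-up-imei: 13800000000\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(extract_postauth_credentials(SAMPLE_REQUEST))
```

The value is taken verbatim from the header, so the check that matters operationally is that the only path by which such requests reach the gateway is the UPF that inserts the header, as the process above assumes.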
Common restrictions
When you execute this command to switch the authentication method, the device performs operations depending on the session type:
· For IPoE dynamic individual sessions, the device deletes all IPoE dynamic individual sessions on the interface and logs out users.
· For interface-level IPoE static individual sessions, the device deletes all IPoE static individual sessions and logs out users.
· For global IPoE static individual sessions, the device deletes all global IPoE static individual sessions and logs out users.
· For IPoE leased sessions (including static leased sessions), you cannot switch the authentication method if leased sessions are configured on the interface.
Examples
# Configure the Web authentication method for IPoE users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber authentication-method web
The operation may cut all users on this interface. Continue?[Y/N]:y
Related commands
ip subscriber basic-service-ip-type
ip subscriber enable
users-per-account (BRAS Services Command Reference)
ip subscriber captive-bypass enable
Use ip subscriber captive-bypass enable to enable captive-bypass Web authentication or captive-bypass Web authentication optimization for IPoE.
Use undo ip subscriber captive-bypass enable to disable captive-bypass Web authentication or captive-bypass Web authentication optimization for IPoE.
Syntax
ip subscriber captive-bypass enable [ android | ios ] [ optimize ]
undo ip subscriber captive-bypass enable
Default
Both captive-bypass Web authentication and captive-bypass Web authentication optimization are disabled for IPoE.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
android: Specifies Android users.
ios: Specifies iOS users.
optimize: Enables captive-bypass optimization.
Usage guidelines
Application scenarios
· Captive-bypass Web authentication
By default, in a wireless access scenario, when a user endpoint connects to a network with IPoE Web authentication enabled, the device will actively push the Web authentication page to the user endpoint. In this way, the user endpoint can automatically open the Web authentication page. However, this automatic page opening method requires the device to intercept the probe packets from endpoints, which might cause some endpoints to automatically disconnect from the Wi-Fi network if they cannot detect the network. In this case, the device cannot push the Web authentication page to the user because the Wi-Fi connection has been disconnected. As a result, the authentication process cannot be completed.
To address this issue, you can enable IPoE captive-bypass Web authentication, which allows users to trigger the device to push the Web authentication page by accessing the Internet by using a browser to complete the authentication.
· Captive-bypass Web authentication optimization (applicable only to iOS systems)
By default, Apple endpoints use their own Captive Network Assistant (CNA) tool to detect http://captive.apple.com. If the network is reachable, the endpoint receives a Success response. If not, the endpoint calls its browser to probe the network again, which is what automatically opens the Web authentication page.
However, the mechanism for automatically opening the Web authentication page on an endpoint might fail in the following conditions:
- If the page uses HTTPS and the certificate is not issued by a third-party organization trusted by the endpoint, the mechanism for automatically opening the Web authentication page will fail.
- The apps installed on an Apple endpoint (such as Wi-Fi assistant) have a significant impact on the detection mechanism of the endpoint. They might cause the automatic detection feature to fail or cause the Wi-Fi signal on the Apple endpoint to fail to be turned on and the Wi-Fi connection to disconnect.
- If the user directly presses the home button to return to the desktop before the detection is completed, the Wi-Fi signal on the Apple endpoint might fail to be turned on, and the Wi-Fi connection might be disconnected.
To address the preceding issues, you can enable the captive-bypass Web authentication optimization for IPoE.
Operating mechanism
· Automatically opening the Web authentication page
The feature of automatically opening the Web authentication page on the user endpoint is implemented as follows. After an endpoint is associated with an SSID, it actively sends an HTTP probe request packet to identify whether the destination address (usually a fixed URL, which varies by endpoint or app) is reachable and whether the response content meets expectations. According to the detection result, the endpoint identifies whether the accessed network requires Web authentication.
¡ If the destination address is reachable and the response content meets expectations, the network is reachable and no Web authentication is required.
¡ If the destination address is not reachable or the response content does not meet expectations, Web authentication is required. The endpoint will call the browser to send an HTTP request again, and the device will intercept this request and redirect it to automatically open the Web authentication page on the endpoint.
The Web authentication page might fail to automatically open because of the following reasons:
¡ The endpoint does not actively send a probe request packet.
¡ The endpoint can initiate a probe request packet, but it might fail to call the browser and send a request again due to certain installed apps. As a result, the Web authentication page fails to automatically open.
¡ For most Android phones, the feature of automatically opening the Web authentication page must be triggered by manually clicking the SSID interface.
· Captive-bypass Web authentication
Enabling captive-bypass Web authentication ensures that the device does not intercept the probe request packets from endpoints and the endpoints maintain their Wi-Fi connections. When a user connects to the network, the device does not immediately push the Web authentication page to the user. The page is pushed to the user only when the user attempts to access the Internet by using a browser. The Web authentication page requires the user to enter the username and password to complete the authentication process.
· Captive-bypass Web authentication optimization
Enabling the IPoE captive-bypass Web authentication optimization feature specifically benefits iOS users. When the device receives a probe request packet from an Apple endpoint, it will construct a Success response, making the Apple endpoint consider the network is connected. Then, the Wi-Fi signal will be turned on and the Web authentication page will be automatically opened.
Restrictions and guidelines
In the scenario of IPoE captive-bypass Web authentication or captive-bypass Web authentication optimization, do not execute the ip subscriber http-fast-reply enable command to enable the HTTP packet fast reply feature. If you do that, the IPoE captive-bypass Web authentication or captive-bypass Web authentication optimization feature will not work.
· IPoE captive-bypass Web authentication takes effect on both iOS and Android users.
· IPoE captive-bypass Web authentication optimization takes effect only on iOS users and does not take effect on Android users.
· The effects of these commands are as follows:
¡ If the ip subscriber captive-bypass enable command is executed:
- An Apple endpoint does not automatically open the Web authentication page. An Apple endpoint might disconnect from Wi-Fi when the home button is pressed depending on the software version of the endpoint.
- Android endpoints do not automatically open the Web authentication page.
¡ If the ip subscriber captive-bypass enable optimize command is executed:
- Apple endpoints automatically open the Web authentication page and do not disconnect from Wi-Fi when the home button is pressed.
- Android endpoints do not automatically open the Web authentication page.
¡ (Recommended.) If the ip subscriber captive-bypass enable ios optimize command is executed:
- Apple endpoints automatically open the Web authentication page and do not disconnect from Wi-Fi when the home button is pressed.
- Android endpoints automatically open the Web authentication page. (Default.)
¡ If the ip subscriber captive-bypass enable ios command is executed:
- An Apple endpoint does not automatically open the Web authentication page. An Apple endpoint might disconnect from Wi-Fi when the home button is pressed depending on the software version of the endpoint.
- Android endpoints automatically open the Web authentication page. (Default.)
¡ Executing the ip subscriber captive-bypass enable android command has the same effect as executing the ip subscriber captive-bypass enable android optimize command.
- An Apple endpoint automatically opens the Web authentication page. An Apple endpoint might disconnect from Wi-Fi when the home button is pressed depending on the software version of the endpoint. (Default.)
- Android endpoints do not automatically open the Web authentication page.
· If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable captive-bypass Web authentication.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber captive-bypass enable
# Enable only captive-bypass Web authentication optimization for iOS users (captive-bypass Web authentication is not enabled).
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber captive-bypass enable ios optimize
# Enable captive-bypass Web authentication for Android users.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber captive-bypass enable android
ip subscriber auto-save max-user
Use ip subscriber auto-save max-user to enable automatic IPoE user backup and set the maximum number of DHCP users that can be automatically backed up.
Use undo ip subscriber auto-save to disable automatic IPoE user backup.
Syntax
ip subscriber auto-save max-user max-user
undo ip subscriber auto-save
Default
Automatic IPoE user backup is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
max-user: Specifies the maximum number of IPoE users that can be automatically backed up. The value range for this argument is 8000 to 64000.
Usage guidelines
Application scenarios
In an IPoE DHCP or ND RS user access scenario, DHCP or ND RS users are abnormally logged out and user information is lost if the device or the slot hosting the access interface reboots or the access interface goes down. If the users cannot sense the failure, users will not send DHCP or ND RS packets to trigger coming online again after the failure recovers. As a result, the device cannot recover information for abnormally offline users. To resolve the issue, enable automatic IPoE user backup on the device.
Operating mechanism
With this feature enabled, the device will back up IPoE user information after IPoE users come online. If a failure occurs and then recovers, the device can recover online information for abnormally offline users according to the backup information.
Restrictions and guidelines
For this feature to take effect, you also need to execute the access-user auto-save enable command in the ISP domain of users.
When the number of IPoE users to be backed up in an ISP domain exceeds the maximum number of IPoE users that can be automatically backed up, the exceeding users are not backed up.
With both automatic IPoE user backup and the loose access mode enabled on the device, the following rules apply when the device receives IP, NS/NA, or ARP packets from a user after the device recovers:
· If information of the user has been automatically backed up on the device before the device fails, the information of the user is recovered by using the auto recovery feature.
· If information of the user is not automatically backed up on the device before the device fails, information of the user is recovered by the loose access mode.
For ND RS users, this feature takes effect only in the one-prefix-per-user scenario, not in the prefix-sharing scenario.
The automatic IPoE user backup feature is not applicable in Layer 3 IPoE access mode.
Examples
# Enable automatic IPoE user backup and set the maximum number of DHCP users that can be automatically backed up to 9000.
<Sysname> system-view
[Sysname] ip subscriber auto-save max-user 9000
Related commands
access-user auto-save enable (BRAS Services Command Reference)
ip subscriber auto-save-file
Use ip subscriber auto-save-file to enable periodical automatic IPoE user backup.
Use undo ip subscriber auto-save-file to disable periodical automatic IPoE user backup.
Syntax
ip subscriber auto-save-file filename interval interval
undo ip subscriber auto-save-file
Default
Periodical automatic IPoE user backup is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
filename: Specifies a file name, which must end with .bak. The total file name (including .bak) cannot exceed 128 characters. The filename argument cannot contain a file path and must be a pure file name, for example, backup.bak. The file is always saved in the root directory of the storage medium of each MPU. For more information about the root directory and path, see file system management in Fundamentals Configuration Guide.
interval interval: Specifies the automatic backup interval in the range of 60 to 864000 seconds.
Usage guidelines
Application scenarios
After the device is rebooted, the IPoE user information saved in the memory will be lost. As a result, the device cannot automatically recover the abnormally logged out users according to the backup information in the memory. To resolve this problem, you can enable periodical automatic IPoE user backup.
Operating mechanism
With this feature enabled, the device periodically backs up the user information to the specified file. After the device is rebooted, the device automatically restores the information in the file to the memory. If the ip subscriber auto-recover enable command is used to enable automatic IPoE user recovery, the device then automatically recovers the abnormally logged out users according to the backup information in the memory.
Restrictions and guidelines
For this feature to take effect, make sure both of the following commands are executed:
· access-user auto-save enable (BRAS Services Command Reference)
· ip subscriber auto-save max-user
After this command is executed, the device does not immediately back up the user information. Instead, the device backs up the user information at the specified interval. If the specified backup file does not exist when the device backs up user information, the system first creates the file and then backs up user information. If the specified backup file already exists (for example, the file is specified by the ip subscriber save-file command), the file will be overwritten.
Examples
# Enable periodical automatic IPoE user backup to back up the IPoE user information to the file backup.bak at the interval of 60 seconds.
<Sysname> system-view
[Sysname] ip subscriber auto-save-file backup.bak interval 60
Related commands
access-user auto-save enable (BRAS Services Command Reference)
ip subscriber auto-recover enable
ip subscriber auto-save max-user
ip subscriber save-file
ip subscriber auto-save-file now
Use ip subscriber auto-save-file now to immediately back up the IPoE user information to the file specified for periodical automatic IPoE user backup.
Syntax
ip subscriber auto-save-file now
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
If the automatic backup interval specified for periodical automatic IPoE user backup is long, you can use this command to immediately back up the user information in the memory to the backup file before rebooting the device, so that user information is not lost.
Restrictions and guidelines
For the ip subscriber auto-save-file now command to take effect, you must execute both of the following commands:
· ip subscriber auto-save max-user
· ip subscriber auto-save-file
This command is an execution command that immediately takes effect and will not be saved in the configuration file.
Examples
# Immediately back up the IPoE user information to the backup file.
<Sysname> system-view
[Sysname] ip subscriber auto-save-file now
Related commands
ip subscriber auto-save-file
ip subscriber auto-save max-user
ip subscriber auto-recover enable
Use ip subscriber auto-recover enable to enable automatic IPoE user recovery.
Use undo ip subscriber auto-recover enable to disable automatic IPoE user recovery.
Syntax
ip subscriber auto-recover enable
undo ip subscriber auto-recover enable
Default
Automatic IPoE user recovery is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
In an IPoE DHCP or ND RS user access scenario, DHCP or ND RS users are abnormally logged out and user information is lost if the device or the slot hosting the access interface reboots or the access interface goes down. If the users cannot sense the failure, users will not send DHCP or ND RS packets to trigger coming online again after the failure recovers. As a result, the device cannot recover information for abnormally offline users. To resolve the problem, back up the user information before the failure and automatically recover the user information according to the backup information after the failure recovers.
Restrictions and guidelines
The ip subscriber auto-recover enable command enables the device to automatically recover the user information according to the backup information after the device recovers.
For this feature to take effect, make sure both of the following commands are executed:
· access-user auto-save enable (BRAS Services Command Reference)
· ip subscriber auto-save max-user
The automatic IPoE user recovery feature is not applicable in Layer 3 IPoE access mode.
Examples
# Enable automatic IPoE user recovery.
<Sysname> system-view
[Sysname] ip subscriber auto-recover enable
Related commands
access-user auto-save enable (BRAS Services Command Reference)
ip subscriber auto-save max-user
ip subscriber auto-recover speed
Use ip subscriber auto-recover speed to configure the speed for automatic IPoE user recovery.
Use undo ip subscriber auto-recover speed to restore the default.
Syntax
ip subscriber auto-recover speed { fast | normal | slow } [ recover-delay delay-time ]
undo ip subscriber auto-recover speed
Default
The speed for automatic IPoE user recovery is normal, and the recovery delay is 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
fast: Specifies the fast mode.
normal: Specifies the normal mode.
slow: Specifies the slow mode.
recover-delay delay-time: Specifies the recovery delay in seconds, in the range of 5 to 3600. The default is 5 seconds.
Usage guidelines
Application scenarios
You can use this command to configure the speed for automatic IPoE user recovery as needed. The fast mode is resource-intensive. Select the fast mode and recovery delay as needed.
Operating mechanism
If the device fails, the device does not immediately recover after the fault is resolved. Instead, the device recovers according to the specified recovery mode after the delay specified by delay-time.
Restrictions and guidelines
· In fast mode, the device processes the user online information at a high speed. During the recovery period, the device performance is affected. Select this mode as needed.
· After the fault is resolved, to avoid recovery failure caused by incomplete network convergence (for example, the OSPF neighbors have not returned to Full state), set a proper recovery delay according to the network conditions.
· For this command to take effect, you must enable automatic IPoE user recovery.
Examples
# Configure the speed for automatic IPoE user recovery.
<Sysname> system-view
[Sysname] ip subscriber auto-recover speed fast
Related commands
ip subscriber auto-recover enable
ip subscriber basic-service-ip-type
Use ip subscriber basic-service-ip-type to configure the IP address type on which the main service of IPoE users depends.
Use undo ip subscriber basic-service-ip-type to restore the default.
Syntax
ip subscriber basic-service-ip-type { ipv4 | ipv6 }
undo ip subscriber basic-service-ip-type
Default
The main service of IPoE users does not depend on any IP address type.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
ipv4: Specifies the IPv4 protocol stack. If this keyword is specified, the IPv6 protocol stack of IPoE users depends on the IPv4 protocol stack. An IPoE user can come online in the IPv6 protocol stack only after the user has come online in the IPv4 protocol stack.
ipv6: Specifies the IPv6 protocol stack. If this keyword is specified, the IPv4 protocol stack of IPoE users depends on the IPv6 protocol stack. An IPoE user can come online in the IPv4 protocol stack only after the user has come online in the IPv6 protocol stack.
Usage guidelines
Application scenarios
By default, the device does not limit the order in which an IPoE user comes online in the IPv4 protocol stack and IPv6 protocol stack.
In the dual-stack scenario, if you want to specify the main service to depend on a protocol stack as needed, configure this feature. Then, when a user has not come online in the specified protocol stack, the user cannot come online in the other protocol stack.
Operating mechanism
With this feature configured, an IPoE bind authentication user can come online in the other protocol stack only after the user has come online in the protocol stack on which the user’s main service depends. If a user goes offline in the protocol stack on which the user's main service depends, the device will forcibly log out the user in the other protocol stack. As a result, the whole user goes offline.
With this feature configured, the following rules apply to IPoE Web authentication users:
· Coming online:
¡ This feature takes effect in only the preauthentication domain and does not take effect in the postauthentication domain. For example, an IPoE user first comes online in the IPv4 protocol stack in the preauthentication domain. If you configure the main service of IPoE users to depend on the IPv6 protocol stack before the user moves from the preauthentication domain to the postauthentication domain, the user can still move to the postauthentication domain in the IPv4 protocol stack.
¡ An IPoE Web authentication user can come online in the other protocol stack (for example, IPv6) only after the user has come online in the protocol stack (for example, IPv4) on which the user's main service depends in the preauthentication domain.
¡ If the user comes online in the other protocol stack earlier than in the protocol stack on which the user’s main service depends in the postauthentication domain, the whole user comes online in the postauthentication domain.
· Going offline:
¡ If the user returns to the preauthentication domain in the protocol stack on which the user's main service depends, the whole user returns to the preauthentication domain.
¡ If a user goes offline in the protocol stack on which the user's main service depends, the device will forcibly log out the user in the other protocol stack. As a result, the whole user goes offline.
After this command is executed, this command takes effect on online IPoE users as follows:
· If a user first comes online in the IPv4 or IPv6 protocol stack and then this command is executed to specify the user’s main service to depend on the IPv6 or IPv4 protocol stack, this command does not affect the online status of the user and allows the user to stay online in the IPv4 or IPv6 protocol stack.
· If a user first comes online in both the IPv4 and IPv6 protocol stacks and then this command is executed to specify the user’s main service to depend on the IPv6 or IPv4 protocol stack, when the user goes offline in the IPv6 or IPv4 protocol stack, the user will also be forcibly logged out in the IPv4 or IPv6 protocol stack.
Restrictions and guidelines
· This feature applies to only IPoE bind authentication users and IPoE Web authentication users.
· For IPoE users, if the ip subscriber authentication-method web command is executed with the basic-service-ipv4 keyword specified on an interface, the ip subscriber basic-service-ip-type command does not take effect on this interface, and only the ip subscriber authentication-method web command takes effect.
· Before you use the ip subscriber basic-service-ip-type command to configure the IP address type (IPv4 or IPv6) on which the main service of IPoE users depends on an interface, make sure dual-stack IPoE is enabled on the interface by using the ip subscriber enable command. Otherwise, IPoE does not operate correctly.
· This feature does not apply to the following IPoE users:
¡ IPoE static users (including static leased users).
¡ IPoE interface-leased users (excluding subusers).
¡ IPoE subnet-leased users (including subusers).
¡ IPoE L2VPN-leased users.
¡ Unclassified-IPv4/IPv6 users in Layer 3 IPoE access mode.
· For the roaming feature to operate normally, configure the same IP address type on which the main service of IPoE users depends on the access interfaces before and after roaming.
Examples
# On Ten-GigabitEthernet 0/0/15, configure the main service of IPoE users to depend on the IPv4 protocol stack.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber basic-service-ip-type ipv4
Related commands
ip subscriber authentication-method
ip subscriber enable
ip subscriber roaming enable
ip subscriber dhcp domain
Use ip subscriber dhcp domain to configure an ISP domain for DHCP users.
Use undo ip subscriber dhcp domain to restore the default.
Syntax
ip subscriber dhcp domain domain-name [ force ]
undo ip subscriber dhcp domain
Default
No ISP domain is configured for DHCP users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). To avoid conflicts with the ip subscriber dhcp domain include command, the system does not allow using include or its prefixes (such as i, in, inc, incl, inclu, includ) as domain names, case-insensitive.
force: Specifies the ISP domain as the forced domain with the highest priority. If this keyword is not specified, the ISP domain is a non-forced domain.
Usage guidelines
General restrictions and guidelines
This command configures an ISP domain for DHCP users. The specified ISP domain must exist on the BRAS.
Restrictions and guidelines for the IPv4 scenario
For IPoE users accessing in loose mode, an ISP domain is selected in the following order until a match is found:
1. Forced ISP domain specified by using this command. If the ISP domain has not been created, the user fails to come online.
2. Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.
3. Non-forced ISP domain specified by this command. If the ISP domain has not been created, the user fails to come online.
4. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
For IPoE users accessing in loose mode, an ISP domain is selected in the following order until a match is found:
1. Forced ISP domain specified by using this command. If the ISP domain has not been created, the user fails to come online.
2. ISP domain generated based on the domain name generation rule configured by the ip subscriber dhcp domain include command if the following conditions exist:
¡ The string selected from Option 60 contains the trusted domain.
¡ The BRAS trusts Option 60.
¡ The interface is configured with the ip subscriber dhcp domain include command.
If the ISP domain has not been created, proceed with step 7.
3. Trusted ISP domain configured by the ip subscriber dhcp option60 match command if the following conditions exist:
¡ The string selected from Option 60 contains the trusted domain.
¡ The BRAS trusts Option 60.
¡ The interface is not configured with the ip subscriber dhcp domain include command.
If the ISP domain has not been created, proceed with step 7.
4. ISP domain selected according to the rule for packets that do not carry Option 60 if the following conditions exist:
¡ The BRAS trusts Option 60.
¡ The string selected from Option 60 does not contain the trusted domain.
In this case, the contents of Option 60 are ignored and not used for generating a domain name.
If the ISP domain has not been created, proceed with step 7.
5. ISP domain generated based on the domain name generation rule configured by the ip subscriber dhcp domain include command if the following conditions exist:
¡ The BRAS trusts Option 60.
¡ The interface is not configured with the ip subscriber dhcp option60 match command.
¡ Option 60 does not contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), or right angle bracket (>).
¡ The interface is configured with the ip subscriber dhcp domain include command.
If the ISP domain has not been created, proceed with step 7.
6. ISP domain automatically selected from Option 60 if the following conditions exist:
¡ The BRAS trusts Option 60.
¡ The interface is not configured with the ip subscriber dhcp option60 match or ip subscriber dhcp domain include command.
¡ Option 60 contains no invalid characters.
Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).
If the ISP domain has not been created, proceed with step 7.
7. Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.
8. Non-forced ISP domain specified by this command. If the ISP domain has not been created, the user fails to come online.
9. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
For users to pass authentication successfully, make sure the ISP domains selected for users exist on the device and are completely configured.
When the contents in an option are used as ISP domains, make sure the ISP domain names exist on the device. Otherwise, these ISP domains are considered as unavailable.
Make sure Option 60 does not contain null terminators or non-printable characters.
Restrictions and guidelines for the IPv6 scenario
A DHCPv6 user can obtain an ISP domain in various ways.
Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.
If multiple ISP domains are available, an ISP domain is selected in the following order until a match is found:
1. Forced ISP domain specified by using this command. If the ISP domain has not been created, the user fails to come online.
2. Trusted ISP domain configured by the ip subscriber dhcpv6 option16 match command if the following conditions exist:
¡ The string selected from Option 16 contains the trusted domain.
¡ The BRAS trusts Option 16.
If the ISP domain has not been created, proceed with step 5.
3. ISP domain selected according to the case that the packets do not carry Option 16 if the following conditions exist:
¡ The BRAS trusts Option 16.
¡ The interface is configured with the ip subscriber dhcpv6 option16 match command, but the specified string cannot be matched in the specified position of Option 16.
If the ISP domain has not been created, proceed with step 5.
4. ISP domain automatically selected from Option 16 if the following conditions exist:
¡ The BRAS trusts Option 16.
¡ The interface is not configured with the ip subscriber dhcpv6 option16 match command.
¡ Option 16 contains no invalid characters.
Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).
If the ISP domain has not been created, proceed with step 5.
5. Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.
6. Non-forced ISP domain specified by this command. If the ISP domain has not been created, the user fails to come online.
7. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Make sure Option 16 does not contain null terminators or non-printable characters.
Examples
# Configure ISP domain dm1 for DHCPv4 users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp domain dm1
Related commands
ip subscriber access-trigger loose
ip subscriber dhcp domain include
ip subscriber dhcp option60 match
ip subscriber dhcpv6 match
ip subscriber trust
ip subscriber dhcp domain include
Use ip subscriber dhcp domain include to configure a domain name generation rule for DHCPv4 users.
Use undo ip subscriber dhcp domain include to restore the default.
Syntax
ip subscriber dhcp domain include vendor-class [ separator separator ] { second-vlan [ separator separator ] | string string [ separator separator ] | vlan [ separator separator ] } *
undo ip subscriber dhcp domain include
Default
No domain name generation rule for DHCPv4 users is configured.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
vendor-class: Uses the Option 60 information in DHCPv4 packets for generating a domain name.
separator separator: Specifies a case-insensitive character for separating an option and the option that follows. It cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
second-vlan: Uses the inner VLAN in authentication packets for generating a domain name.
string string: Specifies a case-insensitive string of 1 to 64 characters for generating a domain name. It cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
vlan: Uses the outer VLAN in authentication packets for generating a domain name.
Usage guidelines
Application scenarios
You can execute this command when the following conditions exist:
· DHCP users use the information in Option 60 as ISP domains.
· Differentiated authentication is required for DHCP users that have the same Option 60 and come online through the same interface.
For example, user A and user B belong to different VLANs but have the same Option 60 and come online through the same interface. To assign user A and user B to different ISP domains and authorize different address pools based on those domains, execute this command to generate ISP domain names from the Option 60 + VLAN combination.
Operating mechanism
If this command is executed when the DHCP users use information in Option 60 as the ISP domains, the generated ISP domain name is as follows: String selected from the Option 60 as an ISP domain + parameters configured by using this command. For information about selecting ISP domains, see "ip subscriber dhcp domain."
Restrictions and guidelines
This command takes effect only when DHCP users use information in the Option 60 as ISP domains.
For the device to parse information in Option 60 correctly and generate correct ISP domain names, make sure Option 60 does not contain null terminators or non-printable characters.
Examples
# Configure a domain name generation rule on Ten-GigabitEthernet 0/0/15.1 as follows: trusted string from the Option 60 field in DHCP packets (ipoe) + separator (#) + customer VLAN (suppose the customer VLAN is 10). The resulting domain name is ipoe#10.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.1
[Sysname-Ten-GigabitEthernet0/0/15.1] ip subscriber trust option60
[Sysname-Ten-GigabitEthernet0/0/15.1] ip subscriber dhcp option60 match ipoe
[Sysname-Ten-GigabitEthernet0/0/15.1] ip subscriber dhcp domain include vendor-class separator # vlan
# Configure a domain name generation rule on Ten-GigabitEthernet 0/0/15.1 as follows: the whole Option 60 field in DHCP packets (suppose all information in Option 60 is domain123456) + separator (#) + customer VLAN (suppose the customer VLAN is 10). The resulting domain name is domain123456#10.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.1
[Sysname-Ten-GigabitEthernet0/0/15.1] ip subscriber trust option60
[Sysname-Ten-GigabitEthernet0/0/15.1] ip subscriber dhcp domain include vendor-class separator # vlan
Related commands
ip subscriber dhcp domain
ip subscriber dhcp option60 match
ip subscriber trust
ip subscriber dhcp max-session
Use ip subscriber dhcp max-session to set the IPoE session limit for DHCPv4 packet initiation on an interface.
Use undo ip subscriber dhcp max-session to restore the default.
Syntax
ip subscriber dhcp max-session max-number
undo ip subscriber dhcp max-session
Default
The IPoE session limit for DHCPv4 packet initiation on an interface is not set.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the IPoE session limit for DHCPv4 packet initiation. The value range for this argument is 1 to 64000.
Usage guidelines
Operating mechanism
If the IPoE session limit for DHCPv4 packet initiation is reached, no more IPoE session can be initiated by DHCPv4 packets. IPoE sessions initiated by DHCPv4 packets include IPv4 single-stack sessions and dual-stack sessions.
Recommended configuration
In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber dhcpv6 max-session command.
Restrictions and guidelines
If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.
When this command is executed together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions in different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.
Examples
# Set the IPoE session limit to 100 for DHCPv4 packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp max-session 100
Related commands
display access-user (BRAS Services Command Reference)
cut access-user (BRAS Services Command Reference)
ip subscriber max-session
ip subscriber dhcp option60 match
Use ip subscriber dhcp option60 match to configure trusted ISP domains for DHCPv4 users.
Use undo ip subscriber dhcp option60 match to restore the default.
Syntax
ip subscriber dhcp option60 match string [ offset offset ] [ length length ]
undo ip subscriber dhcp option60 match string
Default
No trusted ISP domains are configured for DHCPv4 users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
string: Specifies a trusted ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
offset offset: Specifies an offset for the string starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.
length length: Specifies the length of the string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used to match the trusted ISP domain.
Usage guidelines
Operating mechanism
A DHCPv4 user can obtain an ISP domain in various ways. For how an ISP domain is determined, see "ip subscriber dhcp domain."
Restrictions and guidelines
Make sure Option 60 does not include null terminators or non-printable characters.
You can use this command multiple times.
Examples
# On Ten-GigabitEthernet0/0/15, configure trusted ISP domain ipoe to match the string with an offset of 1 and a length of 10 bytes from Option 60.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp option60 match ipoe offset 1 length 10
Related commands
ip subscriber dhcp domain
ip subscriber trust
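The two mechanisms described above, trusted-domain matching with ip subscriber dhcp option60 match and name generation with ip subscriber dhcp domain include, are modelled below as an added example. This is illustrative code, not H3C's implementation: the TrustedDomain and generate_domain names are assumptions, offsets are assumed to be 1-based (offset 1 selects the first byte of the option), and the Option 60 values are constructed. It also applies the null-terminator/non-printable validity check from the restrictions, so an Option 60 that fails the check yields no domain name.

```python
# Added example (not H3C's code): a model of the Option 60 trusted-domain match
# and the "dhcp domain include" generation rule described in the text above.
# Offsets are assumed to be 1-based (offset 1 = first byte of the option).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrustedDomain:
    """One 'ip subscriber dhcp option60 match string [offset] [length]' entry."""
    name: str
    offset: int = 1                # assumption: 1-based starting byte
    length: Optional[int] = None   # None: all bytes from the starting byte on


def is_valid_option(data: bytes) -> bool:
    """Validity check from the restrictions: no NUL terminators, no non-printable bytes."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def select_substring(option: bytes, offset: int = 1, length: Optional[int] = None) -> bytes:
    """Cut the configured [offset][length] window out of an option value."""
    start = offset - 1
    end = len(option) if length is None else start + length
    return option[start:end]


def match_trusted_domain(option60: bytes, trusted: List[TrustedDomain]) -> Optional[str]:
    """Return the first trusted ISP domain whose window of Option 60 equals its
    name (case-insensitive, as the 'string' parameter is documented)."""
    for entry in trusted:
        window = select_substring(option60, entry.offset, entry.length)
        if window.decode("ascii", errors="replace").lower() == entry.name.lower():
            return entry.name
    return None


# Generation rule parts in configuration order: (keyword, separator-to-next-part).
# keyword is "vendor-class", "vlan", "second-vlan" or "string:<text>".
IncludeRule = List[Tuple[str, Optional[str]]]

# The rule used in the page's examples: vendor-class separator # vlan
RULE_OPTION60_VLAN: IncludeRule = [("vendor-class", "#"), ("vlan", None)]


def generate_domain(option60: Optional[bytes], trusted: List[TrustedDomain],
                    rule: IncludeRule, vlan: int,
                    second_vlan: Optional[int] = None) -> Optional[str]:
    """Build the ISP domain name: selected Option 60 string + configured parts.

    Returns None when no domain can be generated from Option 60 (option absent,
    fails the printable check, or matches no trusted domain); the BRAS would
    then fall back to its other domain selection methods."""
    if option60 is None or not is_valid_option(option60):
        return None
    if trusted:                       # option60 match configured: use the trusted name
        base = match_trusted_domain(option60, trusted)
        if base is None:
            return None
    else:                             # no match rule: the whole Option 60 is the domain
        base = option60.decode("ascii")

    pieces = []
    for index, (keyword, separator) in enumerate(rule):
        if keyword == "vendor-class":
            pieces.append(base)
        elif keyword == "vlan":
            pieces.append(str(vlan))
        elif keyword == "second-vlan":
            if second_vlan is None:
                return None
            pieces.append(str(second_vlan))
        elif keyword.startswith("string:"):
            pieces.append(keyword[len("string:"):])
        else:
            raise ValueError(f"unknown rule keyword {keyword!r}")
        if separator and index < len(rule) - 1:   # a separator sits between parts
            pieces.append(separator)
    return "".join(pieces)


if __name__ == "__main__":
    trusted = [TrustedDomain("ipoe", offset=1, length=4)]
    print(generate_domain(b"ipoe-stb-v2", trusted, RULE_OPTION60_VLAN, vlan=10))   # ipoe#10
    print(generate_domain(b"domain123456", [], RULE_OPTION60_VLAN, vlan=10))      # domain123456#10
    print(generate_domain(b"ipoe\x00v2", trusted, RULE_OPTION60_VLAN, vlan=10))   # None
```

The third call shows why the restriction matters operationally: a client that embeds a NUL in its vendor class never reaches the domain-include step, so it is steered by whatever fallback domain selection applies rather than by the intended per-VLAN domain.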
ip subscriber dhcp password
Use ip subscriber dhcp password to specify a string from DHCPv4 packets as the password for DHCPv4 users.
Use undo ip subscriber dhcp password to restore the default.
Syntax
ip subscriber dhcp password { circuit-id mac | option60 [ offset offset ] [ length length ] [ original ] | user-class }
undo ip subscriber dhcp password
Default
The BRAS does not use the password specified in DHCPv4 packets for DHCPv4 users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
circuit-id: Specifies the DHCPv4 Option82 sub-option1 field in DHCPv4 packets.
mac: Uses the MAC address in the Circuit-ID (Option82 sub-option1) field as the password.
option60: Uses a string from Option 60 in DHCPv4 packets as the password.
· offset offset: Specifies an offset for the password starting byte, in the range of 1 to 254. If you do not specify this option, the first byte of the option is the starting byte.
· length length: Specifies the length of the password string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used as the password.
· original: Directly selects information from Option60 as the authentication password according to the specified rule (for example, the specified offset or length), and does not perform validity check for the selected information. If you do not specify this keyword, the device will perform validity check for information selected from Option60 according to the specified rule. If the selected information does not contain null terminators or non-printable characters, the device uses the selected information as the authentication password. If the selected information contains null terminators or non-printable characters, the device does not use the selected information as the authentication password, and instead the device continues to find the next available authentication password according to the authentication password selection rule (for more information, see the following usage guidelines).
user-class: Uses a string from Option 77 in DHCPv4 packets as the password.
Usage guidelines
Application scenarios
For security on a service provider network, the Option60 information of some endpoints (for example, IPTV set-top boxes) might be encrypted and the encrypted information is transparently transmitted by the intermediate devices. The service provider AAA server first decrypts the encrypted Option60 information and then performs authentication processing. In this case, when you configure Option60 in DHCPv4 packets as the authentication password, you must specify the original keyword. Otherwise, the information in Option60 fails the validity check and cannot be used as the authentication password, and consequently the endpoints fail authentication.
Operating mechanism
A DHCPv4 user can obtain a password in various ways.
For a DHCPv4 user accessing in loose mode, a password is selected in the following order until a match is found:
1. Password configured by using the ip subscriber password command.
2. Default password: vlan.
For a DHCPv4 user accessing in non-loose mode, a password is selected in the following order until a match is found:
1. Password configured by using the ip subscriber dhcp password user-class command if the following conditions exist:
- The ip subscriber dhcp password user-class command is executed.
- The ip subscriber trust option77 command is executed, and Option 77 meets the printable character format requirements.
2. Password configured by using the ip subscriber dhcp password option60 command if the BRAS trusts Option 60 and Option 60 meets the printable character format requirements.
3. Password configured by using the ip subscriber dhcp password circuit-id mac command if the BRAS trusts Option 82 and the MAC address in the Circuit-ID carried in DHCPv4 packets meets the printable character format requirements.
4. Password configured by using the ip subscriber password command.
5. Default password: vlan.
Restrictions and guidelines
Passwords configured by the ip subscriber dhcp password command are used for authentication, and must be the same as those configured on the AAA server.
When you use the MAC address in the Circuit-ID as the password, make sure it does not contain null terminators or non-printable characters.
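The selection order above, together with the effect of the original keyword described under Parameters, is modelled below as an added example. It is not H3C's code: DhcpPacket, InterfaceConfig and select_password are assumed names, the packet contents are constructed, and offsets are again assumed to be 1-based. The point it makes is the one from the application scenario: an encrypted (non-printable) Option 60 silently falls through to the default password vlan unless original is configured, which is the failure mode to look for when such endpoints cannot authenticate.

```python
# Added example (not H3C's code): the password selection order for DHCPv4 users
# from the usage guidelines above, including the effect of the 'original' keyword.
# Packet fields and interface settings are constructed; offsets are assumed 1-based.
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_PASSWORD = b"vlan"


def is_printable(data: bytes) -> bool:
    """Printable-character format requirement: no NUL, no non-printable bytes."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def select_substring(option: bytes, offset: int = 1, length: Optional[int] = None) -> bytes:
    """Cut the configured [offset][length] window out of an option value."""
    start = offset - 1
    end = len(option) if length is None else start + length
    return option[start:end]


@dataclass
class DhcpPacket:
    """Constructed view of the DHCPv4 options the selection rule looks at."""
    option60: Optional[bytes] = None        # vendor class
    option77: Optional[bytes] = None        # user class
    circuit_id_mac: Optional[bytes] = None  # MAC string from Option 82 sub-option 1


@dataclass
class InterfaceConfig:
    """Constructed model of the relevant interface commands."""
    loose_mode: bool = False                 # ip subscriber access-trigger loose
    trust_option60: bool = False             # ip subscriber trust option60
    trust_option77: bool = False             # ip subscriber trust option77
    trust_option82: bool = False             # ip subscriber trust option82
    password_user_class: bool = False        # ip subscriber dhcp password user-class
    password_option60: bool = False          # ip subscriber dhcp password option60 ...
    option60_offset: int = 1
    option60_length: Optional[int] = None
    option60_original: bool = False          # ... original
    password_circuit_id_mac: bool = False    # ip subscriber dhcp password circuit-id mac
    static_password: Optional[bytes] = None  # ip subscriber password


def select_password(cfg: InterfaceConfig, pkt: DhcpPacket) -> Tuple[str, bytes]:
    """Return (source, password), following the documented order until a match is found."""
    if cfg.loose_mode:
        # Loose-mode packets carry no DHCP options, so only the last two steps apply.
        if cfg.static_password is not None:
            return ("ip subscriber password", cfg.static_password)
        return ("default", DEFAULT_PASSWORD)

    if (cfg.password_user_class and cfg.trust_option77
            and pkt.option77 is not None and is_printable(pkt.option77)):
        return ("option77", pkt.option77)

    if cfg.password_option60 and cfg.trust_option60 and pkt.option60 is not None:
        candidate = select_substring(pkt.option60, cfg.option60_offset, cfg.option60_length)
        # 'original' skips the validity check (encrypted Option 60 handed to AAA as-is);
        # without it a non-printable candidate is rejected and the search continues.
        if candidate and (cfg.option60_original or is_printable(candidate)):
            return ("option60", candidate)

    if (cfg.password_circuit_id_mac and cfg.trust_option82
            and pkt.circuit_id_mac is not None and is_printable(pkt.circuit_id_mac)):
        return ("circuit-id mac", pkt.circuit_id_mac)

    if cfg.static_password is not None:
        return ("ip subscriber password", cfg.static_password)
    return ("default", DEFAULT_PASSWORD)


if __name__ == "__main__":
    encrypted = b"\x8f\x01\xc3stb\x00"      # constructed "encrypted" Option 60 payload
    cfg = InterfaceConfig(trust_option60=True, password_option60=True)
    print(select_password(cfg, DhcpPacket(option60=encrypted)))   # ('default', b'vlan')
    cfg.option60_original = True
    print(select_password(cfg, DhcpPacket(option60=encrypted)))   # ('option60', b'\x8f\x01\xc3stb\x00')
```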
Examples
# Specify the string with an offset of 10 and a length of 20 bytes from Option 60 as the password for DHCPv4 users.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp password option60 offset 10 length 20
Related commands
ip subscriber access-trigger loose
ip subscriber password
ip subscriber trust
ip subscriber dhcp username
ip subscriber dhcp rate-limit
Use ip subscriber dhcp rate-limit to enable rate-limiting the DHCPv4 packets of DHCP users.
Use undo ip subscriber dhcp rate-limit to disable rate-limiting the DHCPv4 packets of DHCP users.
Syntax
ip subscriber dhcp rate-limit rate
undo ip subscriber dhcp rate-limit
Default
Rate-limiting the DHCPv4 packets of DHCP users is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
rate: Specifies the maximum number of DHCPv4 packets that can be received per second, in the range of 1 to 500000000.
Usage guidelines
When a large number of DHCP users come online at the same time, you can enable this feature to avoid congestion caused by a large number of DHCP packets and ensure users can come online properly.
With this feature enabled, when the number of DHCPv4 packets (including Discover packets and the Request packets of unauthenticated users) received by the device or slot within 1 second exceeds the rate limit + 1, the excess packets are dropped.
This command takes effect on only the dynamic DHCPv4 users and the Layer 2 interface-leased DHCPv4 subusers.
When you execute this command multiple times, the most recent configuration takes effect.
When both this feature and the DHCPv4 interface-based attack suppression feature are configured, this feature does not take effect.
Examples
# Enable rate-limiting the DHCPv4 packets of DHCP users, and set the rate limit to 1000 pps.
<Sysname> system-view
[Sysname] ip subscriber dhcp rate-limit 1000
Related commands
dhcp interface-rate-suppression enable (BRAS Services Command Reference)
dhcp interface-rate-suppression global enable (BRAS Services Command Reference)
ip subscriber password
ip subscriber trust
ip subscriber dhcp username
ip subscriber recover-file
Use ip subscriber recover-file to recover the backup user information in the specified file to the memory.
Syntax
ip subscriber recover-file filename
Default
The backup user information in a file is not recovered to the memory.
Views
System view
Predefined user roles
network-admin
Parameters
filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the specified file in the root directory of the active MPU's storage medium is used for recovery. If the file does not exist, the recovery fails. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the recovery fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In standalone mode.)
filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the specified file in the root directory of the global active MPU's storage medium is used for recovery. If the file does not exist, the recovery fails. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the recovery fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In IRF mode.)
Usage guidelines
After the device reboots, backup user information in the memory is lost. As a result, the device cannot recover online user information for abnormally offline users. Therefore, before rebooting the device, you must execute the ip subscriber save-file command to save the backup user information in the memory to a file. After rebooting the device, you must execute the ip subscriber recover-file command to recover backup user information to the memory. Then, the device can recover online user information for abnormally offline users based on the backup user information in the memory.
When the ip subscriber recover-file command is executed, the device reads the backup user information in the specified file and recovers information to the memory. During the recovery process, existing backup user information in the memory is not affected.
Examples
# Recover the backup user information in the backup.bak file to the memory.
<Sysname> system-view
[Sysname] ip subscriber recover-file backup.bak
It is recommended to delete the file, delete it? [Y/N]: y
Related commands
ip subscriber save-file
ip subscriber save-file
Use ip subscriber save-file to immediately save backup IPoE user information in the memory to the specified file.
Syntax
ip subscriber save-file filename
Default
Backup IPoE user information in the memory is not saved to the specified file.
Views
System view
Predefined user roles
network-admin
Parameters
filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the backup is saved to that file in the root directory of the active MPU's storage medium. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the save fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In standalone mode.)
filename: Specifies a file name, which must end with .bak. If the file name contains only a file name, for example, backup.bak, the backup is saved to that file in the root directory of the global active MPU's storage medium. If the file name contains a path besides a file name, make sure the path exists. Otherwise, the save fails. For more information about the file name value range, root directory, and path, see file system management in Fundamentals Configuration Guide. (In IRF mode.)
Usage guidelines
Application scenarios
After the device reboots, backup user information in the memory is lost. As a result, the device cannot recover online user information for abnormally offline users. Therefore, before rebooting the device, you can execute the ip subscriber save-file command to save the backup user information in the memory to a file. After rebooting the device, you must execute the ip subscriber recover-file command to recover backup user information to the memory. Then, the device can recover online user information for abnormally offline users based on the backup user information in the memory. If the ip subscriber auto-recover enable command has been used to enable automatic IPoE user recovery, the device will automatically recover the abnormally logged out users according to the backup user information in the memory.
Restrictions and guidelines
For this command to take effect, you must execute the following commands:
· access-user auto-save enable (BRAS Services Command Reference)
· ip subscriber auto-save max-user
When this command is executed, the device immediately backs up the user information. If the specified backup file does not exist when the device backs up user information, the system first creates the file and then backs up user information. If the specified backup file already exists, the file will be overwritten. If you have enabled periodical automatic IPoE user backup, the file specified in this command must be different from the file specified for periodical automatic IPoE user backup. Otherwise, this command fails to be executed.
This command immediately takes effect and will not be saved in the configuration file.
Examples
# Back up the IPoE user information to the file backup.bak in the root directory of the device's file system.
<Sysname> system-view
[Sysname] ip subscriber save-file backup.bak
Related commands
access-user auto-save enable (BRAS Services Command Reference)
ip subscriber auto-recover enable
ip subscriber auto-save max-user
ip subscriber recover-file
ip subscriber dhcp username
Use ip subscriber dhcp username to configure an authentication user naming convention for DHCP users.
Use undo ip subscriber dhcp username to restore the default.
Syntax
ip subscriber dhcp username include { circuit-id [ mac ] [ separator separator ] | client-id [ separator separator ] | hostname [ original ] [ separator separator ] | nas-port-id [ separator separator ] | port [ separator separator ] | remote-id [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-mac [ address-separator address-separator [ address-format-version-two ] ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vendor-class [ absent-replace | original ] * [ separator separator ] | vendor-specific [ original ] [ separator separator ] | vlan [ separator separator ] } *
undo ip subscriber dhcp username
Default
No authentication user naming convention is configured for DHCP users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
circuit-id: Includes the DHCPv4 Option 82 sub-option 1 or DHCPv6 Option 18 information in a username.
mac: Uses the MAC address in the Circuit-ID (Option82 sub-option1) field as the username. If this keyword is not specified, all information in the Circuit-ID (Option82 sub-option1) field is used as the username.
client-id: Includes the DHCPv4 Option 61 or DHCPv6 Option 1 information in a username.
hostname: Includes the DHCPv4 Option12 in a username.
nas-port-id: Includes the NAS-Port-ID attribute carried in the authentication request packet in a username.
port: Includes the number of the port that receives the user packets in a username.
remote-id: Includes the DHCPv4 Option 82 sub-option 2 or DHCPv6 Option 37 information in a username.
second-vlan: Includes the inner VLAN ID in a username.
slot: Includes the number of the slot that receives the user packets in a username.
source-mac: Includes the source MAC address in a username.
address-separator address-separator: Specifies any printable character as the separator for the MAC address. If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). As a best practice, do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
address-format-version-two: Specifies the MAC addresses to use the six-section format with the configured separator between each section. For example, if you configure the separator as a hyphen (-), the MAC address format will be xx-xx-xx-xx-xx-xx. If you configure the separator as a colon (:), the format will be xx:xx:xx:xx:xx:xx. If you configure a separator without specifying the address-format-version-two keyword, the MAC address will use the three-section format, such as xxxx-xxxx-xxxx when you configure the separator as a hyphen (-).
string string: Includes the specified string in a username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
subslot: Includes the number of the subslot that receives the user packets in a username.
sysname: Includes the name of the device that receives the user packets in a username.
vendor-class: Includes the DHCPv4 Option 60 or DHCPv6 Option 16 information in a username.
absent-replace: Replaces the missing option with the name of the user authentication domain when the Option60 field does not exist in DHCP packets or the Option16 field does not exist in DHCPv6 packets. If you do not specify this keyword, the option part of the username is empty when the Option60 field does not exist in DHCP packets or the Option16 field does not exist in DHCPv6 packets.
vendor-specific: Includes the DHCPv4 Option 82 sub-option 9 or DHCPv6 Option 17 information in a username.
vlan: Includes the outer VLAN ID in a username.
original: Directly uses the original information in the DHCPv4 Option 12, DHCPv4 Option 60, DHCPv4 Option 82 sub-option 9, DHCPv6 Option 16, or DHCPv6 Option 17 field in DHCP packets as the username and passes it to the authentication server for authentication. If this keyword is not specified, when Option 12, Option 60, Option 82, Option 16, or Option 17 contains non-printable characters, the device will translate the non-printable characters into printable characters and then passes the translated information to the authentication server for authentication.
separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
Usage guidelines
Application scenarios
Usernames obtained based on the naming convention are used for authentication, authorization, and accounting, and must be the same as those configured on the AAA server.
Restrictions and guidelines
For DHCPv4 users accessing in loose mode, the packets do not carry DHCP option information. Therefore, the circuit-id, mac, client-id, remote-id, vendor-class, absent-replace, original, and vendor-specific keywords do not take effect. Even if these keywords are specified, usernames are generated as if they were not specified. DHCPv6 users cannot access in loose mode.
You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.
Options used as the username information cannot include null terminators or non-printable characters.
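The naming convention above is straightforward to reason about once the MAC address formats and the separator rules are spelled out in code. The following is an added example, not H3C's implementation: UserContext, build_username and the device values (sysname BRAS1, slot 1, subslot 0, port 15, VLAN 10, the MAC address) are constructed, and because the page does not define how non-printable characters are translated when original is omitted, percent-escaping is assumed as a stand-in. The build rejects the at sign as a separator, which the text says the AAA server cannot parse.

```python
# Added example (not H3C's code): building a DHCP username from the
# "ip subscriber dhcp username include" parts, with the MAC address formats
# controlled by address-separator / address-format-version-two.
# Device context values are constructed; the non-printable translation the
# page mentions is not specified, so percent-escaping is assumed here.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def format_mac(mac: bytes, address_separator: Optional[str] = None,
               version_two: bool = False) -> str:
    """xxxxxxxxxxxx by default; three sections with a separator; six with version-two."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    hex_digits = mac.hex()
    if address_separator is None:
        return hex_digits
    width = 2 if version_two else 4
    groups = [hex_digits[i:i + width] for i in range(0, 12, width)]
    return address_separator.join(groups)


def printable_or_escaped(data: bytes, original: bool) -> str:
    """'original' passes the bytes through unchanged; otherwise non-printable
    bytes are translated (assumed mapping: %XX escaping)."""
    if original:
        return data.decode("latin-1")
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"%{b:02X}" for b in data)


@dataclass
class UserContext:
    """Constructed per-user values the naming convention can include."""
    sysname: str = "BRAS1"
    slot: int = 1
    subslot: int = 0
    port: int = 15
    vlan: int = 10
    second_vlan: Optional[int] = None
    source_mac: bytes = bytes.fromhex("001122aabbcc")
    vendor_class: Optional[bytes] = None   # Option 60 / Option 16
    client_id: Optional[bytes] = None      # Option 61 / Option 1
    auth_domain: str = "dm1"               # substituted by absent-replace


# Each part: (keyword, options). Options carry "separator", "address-separator",
# "address-format-version-two", "absent-replace", "original" or "string".
UsernameRule = List[Tuple[str, dict]]


def build_username(rule: UsernameRule, ctx: UserContext) -> str:
    """Concatenate the configured parts in configuration order."""
    pieces: List[str] = []
    for index, (keyword, opts) in enumerate(rule):
        if keyword == "sysname":
            pieces.append(ctx.sysname)
        elif keyword in ("slot", "subslot", "port", "vlan"):
            pieces.append(str(getattr(ctx, keyword)))
        elif keyword == "second-vlan":
            pieces.append("" if ctx.second_vlan is None else str(ctx.second_vlan))
        elif keyword == "source-mac":
            pieces.append(format_mac(ctx.source_mac, opts.get("address-separator"),
                                     opts.get("address-format-version-two", False)))
        elif keyword == "vendor-class":
            if ctx.vendor_class is None:
                # absent-replace substitutes the authentication domain; otherwise empty
                pieces.append(ctx.auth_domain if opts.get("absent-replace") else "")
            else:
                pieces.append(printable_or_escaped(ctx.vendor_class, opts.get("original", False)))
        elif keyword == "client-id":
            pieces.append("" if ctx.client_id is None else printable_or_escaped(ctx.client_id, False))
        elif keyword == "string":
            pieces.append(opts["string"])
        else:
            raise ValueError(f"unsupported keyword {keyword!r}")
        sep = opts.get("separator")
        if sep == "@":
            raise ValueError("'@' cannot be a separator: the AAA server cannot parse it")
        if sep and index < len(rule) - 1:   # separators sit between parts
            pieces.append(sep)
    return "".join(pieces)


# The page's second example: sysname # slot # subslot # port # vlan
RULE_LOCATION: UsernameRule = [("sysname", {"separator": "#"}), ("slot", {"separator": "#"}),
                               ("subslot", {"separator": "#"}), ("port", {"separator": "#"}),
                               ("vlan", {})]

if __name__ == "__main__":
    print(build_username(RULE_LOCATION, UserContext()))                       # BRAS1#1#0#15#10
    print(format_mac(bytes.fromhex("001122aabbcc"), "-"))                     # 0011-22aa-bbcc
    print(format_mac(bytes.fromhex("001122aabbcc"), ":", version_two=True))   # 00:11:22:aa:bb:cc
```

When choosing a convention, keep in mind that every part is attacker-influenced or not: sysname, slot, subslot, port and VLAN are set by the BRAS itself, whereas vendor-class, client-id and the Option 82 fields arrive from the client or the access node, so a username built only from client-supplied options is only as trustworthy as the corresponding ip subscriber trust setting.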
Examples
# Configure information carried in the Client Identifier Option as the authentication usernames for DHCP users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp username include client-id
# Configure an authentication user naming convention for DHCP users on Ten-GigabitEthernet 0/0/15. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp username include sysname separator # slot separator # subslot separator # port separator # vlan
Related commands
ip subscriber access-trigger loose
ip subscriber password
ip subscriber trust
ip subscriber dhcp-release-ip dot1x-offline
Use ip subscriber dhcp-release-ip dot1x-offline to forcibly log out the 802.1X client of an IPoE user when the IP address of the IPoE user is released.
Use undo ip subscriber dhcp-release-ip dot1x-offline to restore the default.
Syntax
ip subscriber dhcp-release-ip dot1x-offline
undo ip subscriber dhcp-release-ip dot1x-offline
Default
The 802.1X client of an IPoE user stays online when the IP address of the IPoE user is released.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
For an IPoE user that comes online through 802.1X authentication, the 802.1X client of the user refers to the 802.1X authentication-capable client software installed on the user's host.
By default, when the IP address lease expires or fails to be renewed for an IPoE DHCP user or the device receives the DHCP-RELEASE, DHCP-DECLINE, and DHCP-NAK packets from an IPoE DHCP user, the IPoE user that comes online through 802.1X authentication will go offline. However, the 802.1X client of the user still stays online. To log out the 802.1X client of an IPoE user when the IPoE user goes offline, execute this command.
Examples
# Forcibly log out the 802.1X client of an IPoE user when the IP address of the IPoE user is released on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcp-release-ip dot1x-offline
Related commands
ip subscriber authentication-method
ip subscriber dhcpv6 max-session
Use ip subscriber dhcpv6 max-session to set the IPoE session limit for DHCPv6 packet initiation on an interface.
Use undo ip subscriber dhcpv6 max-session to restore the default.
Syntax
ip subscriber dhcpv6 max-session max-number
undo ip subscriber dhcpv6 max-session
Default
The IPoE session limit for DHCPv6 packet initiation on an interface is not set.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the IPoE session limit for DHCPv6 packet initiation. The value range for this argument is 1 to 64000.
Usage guidelines
Operating mechanism
If the IPoE session limit for DHCPv6 packet initiation is reached, no more IPoE session can be initiated by DHCPv6 packets. IPoE sessions initiated by DHCPv6 packets include IPv6 single-stack sessions and dual-stack sessions.
Recommended configuration
In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber dhcp max-session command.
Restrictions and guidelines
If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.
When this command is executed together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions in different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.
Examples
# Set the IPoE session limit to 100 for DHCPv6 packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcpv6 max-session 100
Related commands
display access-user (BRAS Services Command Reference)
cut access-user (BRAS Services Command Reference)
ip subscriber max-session
ip subscriber dhcpv6 match
Use ip subscriber dhcpv6 match to configure trusted ISP domains for DHCPv6 users.
Use undo ip subscriber dhcpv6 match to restore the default.
Syntax
ip subscriber dhcpv6 { option16 | option17 } match string [ offset offset ] [ length length ]
undo ip subscriber dhcpv6 { option16 | option17 } match string
Default
No trusted ISP domains are configured for DHCPv6 users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
option16: Specifies Option 16 in DHCPv6 packets.
option17: Specifies Option 17 in DHCPv6 packets.
string: Specifies a trusted ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
offset offset: Specifies an offset for the string starting byte, in the range of 1 to 63. If you do not specify this option, the first byte of the option is the starting byte.
length length: Specifies the length of the string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used to match the trusted ISP domain.
Usage guidelines
Operating mechanism
A DHCPv6 user can obtain an ISP domain in various ways.
Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following information uses Option 16 as an example.
For how an ISP domain is determined, see "ip subscriber dhcp domain."
Restrictions and guidelines
You can use this command multiple times.
You can only select a string from the first 255 characters of Option 16 to match the trusted ISP domain. If the selected string contains characters that do not belong to the first 255 characters, the match fails.
Make sure Option 16 does not include null terminators or non-printable characters.
Examples
# On Ten-GigabitEthernet0/0/15, configure trusted ISP domain ipoe to match the string with an offset of 1 and a length of 10 bytes from Option 16.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcpv6 option16 match ipoe offset 1 length 10
Related commands
ip subscriber dhcpv6 domain
ip subscriber trust
ip subscriber dhcpv6 password option16
Use ip subscriber dhcpv6 password option16 to specify a string from Option 16 or Option 17 as the password for DHCPv6 users.
Use undo ip subscriber dhcpv6 password option16 to restore the default.
Syntax
ip subscriber dhcpv6 password option16 [ offset offset ] [ length length ] [ original ]
undo ip subscriber dhcpv6 password option16
Default
The BRAS does not use the password specified in Option 16 or Option 17 for DHCPv6 users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
offset offset: Specifies an offset for the password starting byte, in the range of 1 to 254. If you do not specify this option, the first byte of the option is the starting byte.
length length: Specifies the length of the password string, in the range of 1 to 63. If you do not specify this option, all bytes following the starting byte are used as the password.
original: Selects information from Option 16 or Option 17 as the authentication password according to the specified rule (for example, the specified offset or length) without performing a validity check on the selected information. If you do not specify this keyword, the device performs a validity check on the information selected from Option 16 or Option 17 according to the specified rule. If the selected information does not contain null terminators or non-printable characters, the device uses it as the authentication password. If the selected information contains null terminators or non-printable characters, the device does not use it as the authentication password and instead continues to search for the next available authentication password according to the authentication password selection rule (for more information, see the following usage guidelines).
Usage guidelines
Application scenarios
For security on a service provider network, the Option 16 or Option 17 information of some endpoints might be encrypted, and the encrypted information is transparently transmitted by the intermediate devices. The service provider AAA server first decrypts the encrypted Option 16 or Option 17 information and then performs authentication processing. In this case, when you configure Option 16 or Option 17 in DHCPv6 packets as the authentication password, you must specify the original keyword. Otherwise, the information in Option 16 or Option 17 fails the validity check, cannot be used as the authentication password, and the endpoints consequently fail authentication.
Operating mechanism
A DHCPv6 user can obtain a password in various ways. If multiple passwords are available for a DHCPv6 user, a password is selected in the following order until a match is found:
1. Password configured by using this command if the BRAS trusts Option 16 or Option 17 and Option 16 or Option 17 does not contain null terminators or non-printable characters.
2. Password configured by using the ip subscriber password command.
3. Default password: vlan.
Restrictions and guidelines
Passwords configured by using this command are used for authentication, and must be the same as those configured on the AAA server.
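The selection rule above (offset and length applied to the option bytes, the validity check that the original keyword skips, then the fallback to the ip subscriber password value and finally to vlan), as an added Python simulation that is not device code. It assumes offset is a 1-based index of the starting byte and that an empty selection falls through to the next source; neither is stated on the page.

```python
"""Simulation of the DHCPv6 Option 16/17 password selection rule described for
ip subscriber dhcpv6 password option16. Added example, not device code."""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_PASSWORD = "vlan"  # step 3 of the selection order on the page


@dataclass
class Option16Rule:
    """Mirrors the command's [ offset ] [ length ] [ original ] parameters."""
    offset: Optional[int] = None   # 1-based starting byte; None = first byte (assumption)
    length: Optional[int] = None   # None = all bytes after the starting byte
    original: bool = False         # True = skip the validity check


def select_option_bytes(option: bytes, rule: Option16Rule) -> bytes:
    """Cut the configured offset/length window out of the option payload."""
    start = (rule.offset or 1) - 1
    if start >= len(option):
        return b""
    end = len(option) if rule.length is None else start + rule.length
    return option[start:end]


def is_valid_password(data: bytes) -> bool:
    """Validity check from the page: no null terminators, no non-printable characters."""
    if not data:
        return False
    return all(0x20 <= b <= 0x7E for b in data)


def select_password(option: Optional[bytes],
                    option_trusted: bool,
                    rule: Optional[Option16Rule],
                    configured_password: Optional[str]) -> Tuple[str, str]:
    """Return (source, password) following the order on the page.

    option_trusted models ip subscriber trust; configured_password models
    ip subscriber password; rule is None when this command is not configured.
    """
    if rule is not None and option_trusted and option is not None:
        chosen = select_option_bytes(option, rule)
        if rule.original:
            # No validity check: encrypted payloads pass through to the AAA server.
            if chosen:
                return ("option16", chosen.decode("latin-1"))
        elif is_valid_password(chosen):
            return ("option16", chosen.decode("ascii"))
        # Otherwise fall through to the next password source.
    if configured_password:
        return ("configured", configured_password)
    return ("default", DEFAULT_PASSWORD)


if __name__ == "__main__":
    # Constructed sample payload: printable text followed by a null terminator.
    sample = b"vendor-pw-abcdef1234\x00"
    print(select_password(sample, True, Option16Rule(offset=11, length=10), "fallback"))
    print(select_password(sample, True, Option16Rule(offset=10, length=20), "fallback"))
    print(select_password(sample, True, Option16Rule(offset=10, length=20, original=True), None))
```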
Examples
# Specify the string with an offset of 10 and a length of 20 bytes from Option 16 or Option 17 as the password for DHCPv6 users.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dhcpv6 password option16 offset 10 length 20
Related commands
ip subscriber password
ip subscriber trust
ip subscriber dhcp username
ip subscriber dhcpv6 rate-limit
Use ip subscriber dhcpv6 rate-limit to enable rate-limiting the DHCPv6 packets of DHCPv6 users.
Use undo ip subscriber dhcpv6 rate-limit to disable rate-limiting the DHCPv6 packets of DHCPv6 users.
Syntax
ip subscriber dhcpv6 rate-limit rate
undo ip subscriber dhcpv6 rate-limit
Default
Rate-limiting the DHCPv6 packets of DHCPv6 users is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
rate: Specifies the maximum number of DHCPv6 packets that can be received per second, in the range of 1 to 500000000.
Usage guidelines
Application scenarios
When a large number of DHCPv6 users come online at the same time, you can enable this feature to avoid congestion caused by a large number of DHCPv6 packets and ensure users can come online properly.
Operating mechanism
With this feature enabled, when the number of DHCPv6 Solicit packets (excluding those carrying a Relay-Forward header after being forwarded by a relay) received by the device or slot within 1 second exceeds the rate limit, the excess packets are dropped.
Restrictions and guidelines
This command takes effect on only the dynamic DHCPv6 users and the Layer 2 interface-leased DHCPv6 subusers.
When you execute this command multiple times, the most recent configuration takes effect.
When both this feature and the DHCPv6 interface-based attack suppression feature are configured, this feature does not take effect.
Examples
# Enable rate-limiting the DHCPv6 packets of DHCPv6 users, and set the rate limit to 1000 pps.
<Sysname> system-view
[Sysname] ip subscriber dhcpv6 rate-limit 1000
Related commands
ipv6 dhcp interface-rate-suppression enable (BRAS Services Command Reference)
ipv6 dhcp interface-rate-suppression global enable (BRAS Services Command Reference)
ip subscriber password
ip subscriber trust
ip subscriber dhcp username
ip subscriber dot1x-offline user-offline
Use ip subscriber dot1x-offline user-offline to forcibly log out an IPoE user when the 802.1X client of the IPoE user goes offline.
Use undo ip subscriber dot1x-offline user-offline to restore the default.
Syntax
ip subscriber dot1x-offline user-offline
undo ip subscriber dot1x-offline user-offline
Default
An IPoE user stays online when the 802.1X client of the IPoE user goes offline.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
For an IPoE user that comes online through 802.1X authentication, the 802.1X client of the user refers to the 802.1X authentication-capable client software installed on the user's host.
By default, for an IPoE user that comes online through 802.1X authentication, if the 802.1X client of the user goes offline, the device will move the IPoE user from the postauthentication domain to the preauthentication domain, and the IPoE user stays online in the preauthentication domain. To log out an IPoE user when the 802.1X client of the IPoE user goes offline, execute this command.
Examples
# Forcibly log out an IPoE user when the 802.1X client of the IPoE user goes offline on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dot1x-offline user-offline
Related commands
ip subscriber authentication-method
ip subscriber dscp
Use ip subscriber dscp to bind an ISP domain to IPoE users who send IP packets with the specified DSCP values.
Use undo ip subscriber dscp to remove the binding between an ISP domain and IPoE users who send IP packets with the specified DSCP values.
Syntax
ip subscriber dscp dscp-value-list domain domain-name
undo ip subscriber dscp dscp-value-list
Default
No ISP domain is bound to IPoE users who send IP packets with the specified DSCP values.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
dscp-value-list: Specifies a space-separated list of up to eight DSCP value items. Each item specifies a DSCP value or a range of DSCP values in the form of start-DSCP-value to end-DSCP-value. The DSCP value is in the range of 0 to 63.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
For this command, IPoE users include DHCP users, unclassified-IP users, and static individual users.
For how an authentication domain is selected for a DHCP user, see the ip subscriber dhcp domain command.
For how an authentication domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.
For how an authentication domain is selected for a static IPoE user, see the ip subscriber session static command.
For how an authentication domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.
For how an authentication domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.
For how an authentication domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.
Restrictions and guidelines
For the ip subscriber dscp command to take effect, you must execute the ip subscriber service-identify dscp command to configure the corresponding service identifier first.
Examples
# Configure ISP domain dscpdm for IPoE users who send IP packets with DSCP values 1 to 4 on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber service-identify dscp
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber dscp 1 to 4 domain dscpdm
Related commands
ip subscriber service-identify
ip subscriber enable
Use ip subscriber enable to enable IPoE and configure an IPoE access mode for users.
Use undo ip subscriber enable to disable IPoE for users.
Syntax
ip subscriber { l2-connected | routed } enable [ ipv4 | ipv6 ]
undo ip subscriber { l2-connected | routed } enable
Default
IPoE is disabled for users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
l2-connected: Specifies the Layer 2 access mode.
routed: Specifies the Layer 3 access mode.
ipv4: Enables IPoE for the IPv4 protocol stack.
ipv6: Enables IPoE for the IPv6 protocol stack.
Usage guidelines
Application scenarios
IPoE configurations for the IPv4 or IPv6 protocol stack take effect on an interface only when IPoE is enabled on the interface for the IPv4 or IPv6 protocol stack.
Restrictions and guidelines
If you do not specify the ipv4 or ipv6 keyword, this command enables IPoE for both IPv4 and IPv6 protocol stacks.
For IPoE to operate correctly when you use the ip subscriber basic-service-ip-type command to configure the IP address type (IPv4 or IPv6) on which the main service of IPoE users on an interface depends, make sure dual-stack IPoE is enabled on that interface by using the ip subscriber enable command.
For interface-leased users, L2VPN-leased users, and dual-stack static users to come online, you must enable IPoE for both IPv4 and IPv6 protocol stacks.
You cannot repeatedly execute this command to modify the IPoE access mode. To change the IPoE access mode, first execute the undo ip subscriber enable command to disable IPoE, and then execute the ip subscriber enable command to enable IPoE.
When the IPoE access mode does not change, the only protocol stack change you can make by repeatedly executing this command is from single stack to dual stack. The new command does not take effect on existing online users. For any other change to the IPoE protocol stack type, first execute the undo ip subscriber enable command to disable IPoE, and then execute the ip subscriber enable command to enable IPoE.
For IPoE configuration to take effect on an interface, make sure the qos apply user-profile command has not been executed on the interface. For more information about the qos apply user-profile command, see user profiles commands in BRAS Services Command Reference.
In an IPoE DHCP scenario, to switch an interface on a BRAS from the mode that provides only common DHCP services to the BRAS mode that supports IPoE access during network reconstruction, you must first perform the following tasks:
· When the interface on the BRAS functions as a DHCP relay agent, execute the following commands to clear relay entries on the interface:
¡ DHCPv4 scenario: reset dhcp relay client-information [ interface interface-type interface-number ]
¡ DHCPv6 scenario: reset ipv6 dhcp relay client-information address [ interface interface-type interface-number ] and reset ipv6 dhcp relay client-information pd [ interface interface-type interface-number ]
· When the interface on the BRAS functions as a DHCP server, execute the following commands to clear the leases for the address pool that allocates addresses to users on this interface:
¡ DHCPv4 scenario: reset dhcp server ip-in-use pool pool-name
¡ DHCPv6 scenario: reset ipv6 dhcp server ip-in-use pool pool-name and reset ipv6 dhcp server pd-in-use pool pool-name
After performing the preceding tasks, users can seamlessly access the interface through IPoE after the mode for the interface is switched from the mode that provides only common DHCP services to the BRAS mode.
Examples
# Enable IPoE and configure the Layer 2 access mode for users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber l2-connected enable
Related commands
ip subscriber basic-service-ip-type
qos apply user-profile (BRAS Services Command Reference)
ip subscriber family-leased
Use ip subscriber family-leased to configure an IPoE family-leased user.
Use undo ip subscriber family-leased to delete the specified IPoE family-leased user.
Syntax
ip subscriber family-leased interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] username name password { ciphertext | plaintext } string gateway ipv4 { ipv4-address { mask | mask-length } vpn-instance vpn-instance-name } [ access-limit limit-number ]
undo ip subscriber family-leased interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ]
Default
IPoE family-leased users are not configured.
Views
System view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies the access interface of a family-leased user.
vlan vlan-id: Specifies the outer VLAN of user packets. The value range for the vlan-id argument is 1 to 4094. This parameter is supported only on subinterfaces and VSI interfaces.
second-vlan vlan-id: Specifies the inner VLAN of user packets. The value range for the vlan-id argument is 1 to 4094. This parameter is supported only on subinterfaces and VSI interfaces.
username name: Specifies a username for authentication. The name argument is a case-sensitive string of 1 to 253 characters.
password: Specifies the password for user authentication.
· ciphertext: Specifies a password in encrypted form.
· plaintext: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
· string: Specifies a case-sensitive password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
gateway ipv4: Specifies the IPv4 gateway address and its network segment for a family-leased user. When the device actively sends online detection requests to users, the device preferentially uses the address as the source IP address of the online detection requests. Subusers of a family-leased user (family endpoints) must use IP addresses within the specified network segment to successfully come online through unclassified-IP packets and ARP packets. If not, they will fail to come online. For example, gateway 1.1.1.1 24 means the gateway address is 1.1.1.1 and the network segment is 1.1.1.0/24.
· ipv4-address: Specifies the IPv4 address of a user.
· mask: Specifies a mask in dotted decimal notation for the IPv4 address.
· mask-length: Specifies the mask length of the IPv4 address, in the range of 1 to 31.
· vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to the family-leased user by its name. The vpn-instance-name argument specifies an MPLS L3VPN instance name, a case-sensitive string of 1 to 31 characters.
access-limit limit-number: Specifies the maximum number of subusers (family endpoint users) that can be online simultaneously for a family-leased user. The value range for the limit-number argument is 1 to 256. If you do not specify this option, each family-leased user can support up to 256 online subusers simultaneously.
Usage guidelines
Application scenarios
In traditional home broadband services, as shown in Figure 6, the process of accessing a home network mainly includes the following steps:
1. Various endpoints, such as computers and mobile phones, within a home first connect to the home router. This router manages the network connections within the home and accesses the BRAS through dial-up. During this process, the actual user accessing the BRAS is the home router.
2. The home router performs network address translation (NAT) on data from endpoints within the home. This process translates private IP addresses within the home to public IP addresses, enabling data transmission over the Internet.
3. Data processed through NAT accesses the broadband network through ONUs.
However, this method has a problem. The BRAS can only monitor and manage the home router and cannot directly detect the endpoints within the home. This problem occurs because the NAT process conceals the specific information of the endpoints within the home, and the BRAS can only see the public IP address of the home router.
Figure 6 Home broadband service networking logic diagram
To address the preceding problem, H3C proposed a new family leased line network solution, as shown in Figure 7. This solution delivers the following benefits:
· Saved home router costs—Reduces the performance requirements for home routers. They do not need to provide the NAT feature and just provide the Layer 2 access feature.
· The IPv4 addresses and IPv6 addresses for home endpoints come from different sources. Among them:
¡ Integrated Terminal Management System (ITMS) is responsible for allocating IPv4 addresses, which are private network IP addresses in the specified VPN and require NAT translation on the BRAS.
¡ IPv6 addresses are generated by home endpoints based on the ND prefixes allocated by the BRAS on the one prefix per user basis. These IPv6 addresses belong to the public network and do not require NAT translation.
· Simple and efficient home broadband access services—Reduces the performance requirements for home routers by performing NAT translation on the BRAS, and simplifies the home network.
· Improved network management efficiency—The service providers can directly monitor and manage endpoints within the homes, and provide better services and support.
Figure 7 Family leased line networking logic diagram
Operating mechanism
An IPoE family-leased user represents all users accessing the same interface and VLAN. With IPoE enabled for both IPv4 and IPv6 protocol stacks on an access interface in up state, the access interface will actively try to initiate authentication by using the configured username and password. After the user successfully passes authentication, a family-leased session is set up. The traffic of all users accessing the same interface and VLAN is permitted to pass through, and the traffic shares a single IPoE session. These users are authorized and accounted based on the interface.
In Layer 2 access mode, leased users are considered as main users, while all IP users accessing through the leased user interfaces are considered as subusers. These subusers depend on the leased users (main users) for network access and share the network resources of the main users. This relationship between main users and subusers only exists in Layer 2 access mode. In Layer 3 access mode, family-leased users are not supported.
To facilitate management, use the display access-user and cut access-user commands to view or delete information of the specific subusers. For more information about the commands used to view and delete the specified subusers, see UCM commands in BRAS Services Command Reference.
In the current software version, subusers of family-leased users can initiate the online process through ARP packets, unclassified-IP packets, and NS/NA packets.
An ISP domain is selected for an IPoE family-leased user in the following order until a match is found:
1. Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.
2. ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.
3. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Restrictions and guidelines
· If you enable IPoE before configuring family-leased users, you must also enable IPoE for both the IPv4 and IPv6 protocol stacks. If you do not do that, the configured family-leased users cannot come online. Similarly, if you configure family-leased users before enabling IPoE, you must also enable IPoE for both the IPv4 and IPv6 protocol stacks. If you do not do that, the configured family-leased users cannot come online.
· Each interface can be configured with only one IPoE family-leased user. Additionally, you cannot change the username or password of the configured IPoE family-leased user by repeatedly executing this command. To modify these parameters, first remove the configured IPoE family-leased user by executing the undo ip subscriber family-leased command and then execute the ip subscriber family-leased command again.
· On the same interface, the IPoE family-leased user is mutually exclusive with the following users: interface-leased, subnet-leased, L2VPN-leased, unclassified-IP, and static. The system does not automatically check for function conflicts. Make sure all types of users can access and use the network normally, and avoid configuration errors that lead to function anomalies.
· To avoid function conflicts, do not specify the following interfaces as the access interfaces of family-leased users: interfaces already added to the static user interface list or interfaces specified in the global static session configuration. If an interface is specified as a family-leased user access interface, do not add it to the static user interface list or specify it in the global static session configuration. The system does not automatically check for function conflicts. Make sure the preceding requirements are met, and avoid configuration errors that lead to function anomalies.
· For family-leased users, specify the associated VPN in the home broadband leased line configuration. Do not specify the VPN through AAA authorization or interface-VPN binding. If you do that, family-leased users might fail to successfully come online.
· This feature is not supported on VSRP networks.
· For network isolation between different homes, make sure the VPN of each family-leased user is unique. If you cannot do that, function anomalies will occur.
Examples
# Configure a family-leased user.
<Sysname> system-view
[Sysname] ip subscriber family-leased interface ten-gigabitethernet 0/0/15.1 vlan 10 second-vlan 20 username user1 password plaintext 123456 gateway ipv4 200.0.0.0 16 vpn-instance vpn1
ip subscriber http-defense destination-ip enable
Use ip subscriber http-defense destination-ip enable to enable destination IP-based IPoE HTTP/HTTPS attack defense.
Use undo ip subscriber http-defense destination-ip enable to disable destination IP-based IPoE HTTP/HTTPS attack defense.
Syntax
ip subscriber http-defense destination-ip enable [ action { block [ period blocking-period ] | logging } ]
undo ip subscriber http-defense destination-ip enable
Default
Destination IP-based IPoE HTTP/HTTPS attack defense is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
action: Specifies the action to take when the blocking conditions are met. If you do not specify this keyword, attack defense blocked entries are generated when the attack defense blocking conditions are met to block the corresponding HTTP/HTTPS packets for 600 seconds.
block: Generates attack defense blocked entries when the blocking conditions are met to block attack packets, but does not generate logs.
period blocking-period: Specifies the period of blocking HTTP/HTTPS packets in the range of 0 to 3600 seconds. The default is 600. The blocking period of 0 means that the blocking entries do not automatically age out. To unblock the corresponding destination IP addresses, use the reset ip subscriber http-defense destination-ip command to manually clear blocking entries.
logging: Outputs logs and generates attack defense blocked entries when the blocking conditions are met. When this keyword is specified, the attack defense blocked entries generated can only be used to view blocked users, but do not block attack packets.
Usage guidelines
Application scenarios
When various tool software products (for example, Baidu cloud) are installed on a client, each tool software product will periodically send HTTP/HTTPS requests to a fixed destination IP address. HTTP/HTTPS requests generated by these tool software products will result in high resource usage before users perform IPoE Web authentication. As a result, the authentication efficiency of users is affected, and the authentication might even fail. To resolve this issue, you can enable destination IP-based IPoE HTTP/HTTPS attack defense. Use the attack defense function in the following scenarios:
· To limit the HTTP/HTTPS requests frequently initiated and reduce the resource usage of these massive HTTP/HTTPS packets, use the ip subscriber http-defense destination-ip enable action block command to generate blocking entries when the blocking conditions are met and block HTTP/HTTPS requests sent to the specified destination IP addresses based on the blocking entries.
· Blocking HTTP/HTTPS requests will affect users’ access to the specified destination IP addresses. To only detect the HTTP/HTTPS requests frequently initiated to the specified destination IP addresses rather than block them, use the ip subscriber http-defense destination-ip enable action logging command. When the blocking conditions are met, this command outputs attack logs and generates attack defense blocked entries that can be used to view blocked users but do not block attack packets. The attack log messages generated by the device are sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
In the current software version, the IPoE HTTP/HTTPS attack defense function takes effect only on HTTP/HTTPS packets sent by IPoE Web users that have come online in the preauthentication domain.
This command takes effect only on newly generated blocking rules, but does not take effect on existing blocking entries.
When you use the undo form of this command to disable the attack defense function, the generated attack defense blocking entries and blocked entries will also be deleted.
Examples
# Enable destination IP-based IPoE HTTP/HTTPS attack defense and output attack logs when the blocking conditions are met.
<Sysname> system-view
[Sysname] ip subscriber http-defense destination-ip enable action logging
Related commands
display ip subscriber http-defense blocked-destination-ip
display ip subscriber http-defense unblocked-destination-ip
ip subscriber http-defense destination-ip threshold
ip subscriber http-defense free-destination-ip
ip subscriber http-defense destination-ip threshold
Use ip subscriber http-defense destination-ip threshold to configure the threshold for triggering IPoE HTTP/HTTPS attack defense.
Use undo ip subscriber http-defense destination-ip threshold to restore the default.
Syntax
ip subscriber http-defense destination-ip threshold packet-number interval interval
undo ip subscriber http-defense destination-ip threshold
Default
When the total number of HTTP/HTTPS packets sent to the same destination IP address within 300 seconds reaches 6000, the attack defense threshold is triggered.
Views
System view
Predefined user roles
network-admin
Parameters
packet-number: Specifies the number of packets in the range of 100 to 4294967295. When the value for this argument is modified, the modification takes effect on both newly generated and existing entries of unblocked destination IP addresses.
interval interval: Specifies the packet statistics collection interval in the range of 60 to 3600 seconds. When the value for this argument is modified, the modification takes effect only on newly generated entries of unblocked destination IP addresses, and does not affect existing entries of unblocked destination IP addresses.
Usage guidelines
On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device will monitor and collect statistics of HTTP/HTTPS packets that IPoE Web preauthentication users send to any destination IP address. If the total number of HTTP/HTTPS packets sent to a destination IP address within a statistics collection interval exceeds the specified threshold, the device will generate blocking entries to block attack packets or output attack logs as configured in the ip subscriber http-defense destination-ip enable command.
Examples
# Trigger attack defense when the total number of HTTP/HTTPS packets sent to the same destination IP address within 360 seconds reaches 5000.
<Sysname> system-view
[Sysname] ip subscriber http-defense destination-ip threshold 5000 interval 360
Related commands
ip subscriber http-defense destination-ip enable
ip subscriber http-defense free-destination-ip
Use ip subscriber http-defense free-destination-ip to configure the allowlist addresses for IPoE HTTP/HTTPS attack defense.
Use undo ip subscriber http-defense free-destination-ip to delete the allowlist addresses configured for IPoE HTTP/HTTPS attack defense.
Syntax
ip subscriber http-defense free-destination-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
undo ip subscriber http-defense free-destination-ip [ { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]
Default
Allowlist addresses are not configured for IPoE HTTP/HTTPS attack defense.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies a destination IPv4 address.
ipv6 ipv6-address: Specifies a destination IPv6 address.
vpn-instance vpn-instance-name: Specifies the VPN instance to which the specified destination IP address belongs. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the destination IP address belongs to the public network.
Usage guidelines
Application scenarios
On an IPoE Web network, after you enable destination IP-based IPoE HTTP/HTTPS attack defense, the device by default monitors and collects statistics of HTTP/HTTPS packets that IPoE Web preauthentication users send to any destination IP address. If you do not want to collect attack defense statistics for HTTP/HTTPS packets sent to specific destination IP addresses, and want to unconditionally push the Web authentication page to users accessing those destination IP addresses, add these destination IP addresses to the allowlist.
Restrictions and guidelines
The IPoE HTTP/HTTPS attack defense function does not collect attack defense statistics for or block HTTP/HTTPS packets sent to destination IP addresses on the allowlist.
Execute this command multiple times to add multiple destination IP addresses to the allowlist.
If you do not specify any parameter when executing the undo form of this command, this command will delete allowlist addresses from the public network and all VPN instances.
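The following Python model, added here as an illustration and not part of the device software, shows how the allowlist interacts with destination IP-based attack defense: allowlisted destinations are keyed by VPN instance, are never counted and never blocked, and the undo form without parameters clears every entry. The threshold value, the `PUBLIC` label, the counter logic and the sample addresses are constructed assumptions; the device's real counters and timers are not documented on this page.

```python
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Assumption: label used for addresses that belong to the public network
# (no vpn-instance given on the command line).
PUBLIC = "public"


@dataclass
class HttpDefense:
    """Destination-IP-based HTTP/HTTPS attack defense for preauthentication users."""
    threshold: int                                  # assumed per-destination packet threshold
    allowlist: set = field(default_factory=set)     # {(vpn_instance, ip_address)}
    counts: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    @staticmethod
    def _key(address, vpn_instance):
        # ipaddress.ip_address accepts IPv4 or IPv6 text and rejects anything else
        return (vpn_instance or PUBLIC, ipaddress.ip_address(address))

    def free_destination_ip(self, address, vpn_instance=None):
        """ip subscriber http-defense free-destination-ip { ipv4 | ipv6 } [ vpn-instance name ]"""
        self.allowlist.add(self._key(address, vpn_instance))

    def undo_free_destination_ip(self, address=None, vpn_instance=None):
        """undo form: with no parameters, clears the public network and every VPN instance."""
        if address is None:
            self.allowlist.clear()
        else:
            self.allowlist.discard(self._key(address, vpn_instance))

    def on_preauth_http_packet(self, dst, vpn_instance=None):
        """Returns 'push' (page pushed, no statistics), 'count' or 'block'."""
        key = self._key(dst, vpn_instance)
        if key in self.allowlist:
            return "push"                   # allowlisted: never counted, never blocked
        if key in self.blocked:
            return "block"
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.blocked.add(key)           # destination exceeded the assumed threshold
            return "block"
        return "count"


def demo():
    """Constructed scenario: one public and one VPN-scoped allowlist entry."""
    d = HttpDefense(threshold=3)
    d.free_destination_ip("1.1.1.2")
    d.free_destination_ip("10.0.0.9", vpn_instance="vpn1")
    allowlisted = [d.on_preauth_http_packet("1.1.1.2") for _ in range(10)]
    flood = [d.on_preauth_http_packet("203.0.113.7") for _ in range(5)]
    # Same address as the vpn1 entry, but on the public network: not allowlisted.
    public_hit = d.on_preauth_http_packet("10.0.0.9")
    d.undo_free_destination_ip()            # no parameters: clears everything
    return allowlisted, flood, public_hit, len(d.allowlist)
```

The `public_hit` case is the one to note when operating the feature: an allowlist entry is scoped to the VPN instance it was entered with, so the same address on the public network still counts toward the defense statistics.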
Examples
# Add IP address 1.1.1.2 to the allowlist for IPoE HTTP/HTTPS attack defense.
<Sysname> system-view
[Sysname] ip subscriber http-defense free-destination-ip 1.1.1.2
Related commands
ip subscriber http-defense destination-ip enable
ip subscriber http-fast-reply enable
Use ip subscriber http-fast-reply enable to enable HTTP packet fast reply on an interface.
Use undo ip subscriber http-fast-reply enable to disable HTTP packet fast reply on an interface.
Syntax
ip subscriber http-fast-reply enable
undo ip subscriber http-fast-reply enable
Default
HTTP packet fast reply is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
When a user performing Web authentication through a browser requests a destination other than the portal Web server, the access device redirects the HTTP requests to the CPU, which then pushes the Web authentication page of the portal Web server to the user. If an attacker sends a large number of HTTP requests to the device, the device is exposed to DoS attacks.
To resolve this issue, enable the HTTP packet fast reply feature.
Operating mechanism
After the HTTP packet fast reply feature is enabled, the device preferentially uses the hardware to identify HTTP requests and automatically responds with HTTP replies. The hardware pushes the Web authentication page to users through a redirect URL with status code 302, which reduces the CPU workload and prevents DoS attacks. If the hardware cannot respond to a user's HTTP request with a status code 302 URL (for example, because the URL is too long), the device redirects the HTTP request to the CPU for processing. In this case, the CPU's behavior depends on whether the redirect move-temporarily enable command is executed in the user authentication domain:
· If the redirect move-temporarily enable command is executed in the user authentication domain, the CPU uses a URL with status code 302 to push the Web authentication page to the user.
· If the redirect move-temporarily enable command is not executed in the user authentication domain, the CPU uses a URL with status code 200 to push the Web authentication page to the user.
This fallback improves the device's adaptability and reliability and preserves the user's network experience.
Restrictions and guidelines
This feature does not immediately take effect on users that have passed preauthentication and come online before this feature is enabled. This feature takes effect only when these users go offline and come online again after passing preauthentication or return to the preauthentication domain after passing Web authentication.
With both this feature and transparent authentication configured, a user first attempts to come online through transparent authentication. The hardware responds and pushes the Web authentication page if the user fails to come online through transparent authentication for one of the following reasons:
· Transparent authentication binding query request times out.
· The portal server returns a message showing that the user is not bound.
· The AAA server returns authentication failure.
Examples
# Enable HTTP packet fast reply on interface Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber http-fast-reply enable
Related commands
ip subscriber authentication-method
redirect move-temporarily enable (BRAS Services Command Reference)
ip subscriber if-match
Use ip subscriber if-match to configure a match rule for IPoE URL redirection.
Use undo ip subscriber if-match to delete an IPoE URL redirection match rule.
Syntax
ip subscriber if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent user-agent redirect-url url-string }
undo ip subscriber if-match { original-url url-string | user-agent user-agent }
Default
No IPoE URL redirection match rule is configured.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
original-url url-string: Specifies a URL string to match the URL in Web access requests. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP or HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.
redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.
aes: Specifies the AES algorithm.
des: Specifies the DES algorithm.
key: Specifies a key for encryption.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:
· If des cipher is specified, the string length is 41 characters.
· If des simple is specified, the string length is 8 characters.
· If aes cipher is specified, the string length is 1 to 73 characters.
· If aes simple is specified, the string length is 1 to 31 characters.
Usage guidelines
Operating mechanism
A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.
Restrictions and guidelines
For a user to successfully access the redirection URL, configure a preauthentication domain user group ACL to allow HTTP or HTTPS requests destined for the redirection URL to pass.
You can execute the web-server url command in an ISP domain and the ip subscriber if-match command for URL redirection. The web-server url command redirects all HTTP or HTTPS requests from unauthenticated users to the Web server for authentication. The ip subscriber if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the ip subscriber if-match command takes priority to perform URL redirection.
In a network scenario with primary and secondary Web servers, if a user comes online in the preauthentication domain and the current primary Web server does not respond, the following rules apply:
· If the redirect URLs are processed by the CPU, the user can dynamically switch between primary and secondary Web servers without going offline and then coming online.
· If the redirect URLs are processed by the hardware in fast-reply mode, the user cannot dynamically switch between primary and secondary Web servers while online. The user must go offline and then come online again to switch between them.
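The Python model below is an added illustration, not device code, of the two redirection decisions described in this command and in ip subscriber http-fast-reply enable: which URL a request is redirected to (an if-match rule takes priority over the domain's web-server url), and who answers with which status code (hardware 302 when fast reply is on and the URL fits, otherwise the CPU with 302 or 200 depending on redirect move-temporarily enable). `HW_MAX_URL_LEN`, exact-string matching of the original-url and user-agent forms, the data classes and the sample requests are assumptions; url-param-encryption is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the longest Location value the forwarding hardware can put
# into a 302 reply; above it the request is handed to the CPU.
HW_MAX_URL_LEN = 128


@dataclass
class IfMatchRule:
    """One 'ip subscriber if-match ...' rule (parameter encryption not modelled)."""
    redirect_url: str
    original_url: Optional[str] = None      # original-url form
    user_agent: Optional[str] = None        # user-agent form

    def matches(self, req):
        # Assumption: exact comparison for both forms.
        if self.original_url is not None:
            return req["url"] == self.original_url
        return self.user_agent is not None and req["user_agent"] == self.user_agent


@dataclass
class Interface:
    rules: list = field(default_factory=list)   # if-match rules in configuration order
    http_fast_reply: bool = False               # ip subscriber http-fast-reply enable


@dataclass
class IspDomain:
    web_server_url: Optional[str] = None        # web-server url
    redirect_move_temporarily: bool = False     # redirect move-temporarily enable


def select_redirect_url(iface, domain, req):
    """if-match rules win; otherwise the domain's web-server url applies."""
    for rule in iface.rules:
        if rule.matches(req):
            return rule.redirect_url
    return domain.web_server_url


def http_reply(iface, domain, req):
    """Returns (who_answers, status_code, location) for an unauthenticated request."""
    target = select_redirect_url(iface, domain, req)
    if target is None:
        return ("none", None, None)             # nothing configured to redirect to
    if iface.http_fast_reply and len(target) <= HW_MAX_URL_LEN:
        return ("hardware", 302, target)        # fast reply: hardware answers with 302
    # CPU path: fast reply disabled, or the hardware could not build the 302.
    if domain.redirect_move_temporarily:
        return ("cpu", 302, target)
    return ("cpu", 200, target)                 # page pushed inside a 200 response


def render(status, location):
    """Constructed, illustrative HTTP reply text for the two status codes."""
    if status == 302:
        return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    body = f'<html><meta http-equiv="refresh" content="0;url={location}"></html>'
    return (f"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def demo():
    """Constructed requests against one interface and two domain configurations."""
    iface = Interface(http_fast_reply=True, rules=[
        IfMatchRule(original_url="http://www.example.com", redirect_url="http://192.168.0.1"),
    ])
    domain = IspDomain(web_server_url="http://portal.example.net/login")
    matched = {"url": "http://www.example.com", "user_agent": "Mozilla/5.0"}
    other = {"url": "http://news.example.org/", "user_agent": "Mozilla/5.0"}
    r_rule = http_reply(iface, domain, matched)       # if-match rule beats web-server url
    r_portal = http_reply(iface, domain, other)       # falls back to web-server url
    long_domain = IspDomain(web_server_url="http://portal.example.net/" + "x" * 200)
    r_cpu200 = http_reply(iface, long_domain, other)  # too long for hardware, no 302 in domain
    long_domain.redirect_move_temporarily = True
    r_cpu302 = http_reply(iface, long_domain, other)
    return r_rule, r_portal, r_cpu200, r_cpu302
```

The third and fourth results are the operational point of the fast-reply guidelines: once the hardware hands a request to the CPU, the status code the user sees is decided by the authentication domain, not by the interface.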
Examples
# Configure a match rule to redirect HTTP requests destined for the URL http://www.example.com to the URL http://192.168.0.1 and use DES to encrypt the parameters carried in this redirection URL.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber if-match original-url http://www.example.com redirect-url http://192.168.0.1 url-param-encryption des key simple 12345678
# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1
Related commands
web-server url (BRAS Services Command Reference)
ip subscriber initiator arp enable
Use ip subscriber initiator arp enable to enable ARP packet initiation.
Use undo ip subscriber initiator arp enable to disable ARP packet initiation.
Syntax
ip subscriber initiator arp enable
undo ip subscriber initiator arp enable
Default
ARP packet initiation is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Operating mechanism
With ARP packet initiation enabled, a BRAS allows IPoE users to initiate static or dynamic IPoE sessions by using ARP packets. When the BRAS receives ARP packets from abnormally logged out DHCP users, it restores the IPoE sessions for these users based on the recorded information.
A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.
When an interface receives ARP packets from a user, the interface processes the packets in the following order:
1. If the ARP packets match a configured IPoE static session, the user is processed as a static user.
2. If the ARP packets match a roaming user, the user is processed as a roaming user.
3. If the ARP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.
4. The user accesses in loose mode. (Applicable only when the loose mode takes effect.)
5. If the ARP packets match none of the preceding information, the device's processing method depends on the ip subscriber unclassified-ip ip match command configuration. The specific processing is as follows:
¡ If this command is not executed, or if it is executed but the source IP address of the ARP packets is outside the configured range, the device will drop the packets and prevent user access through ARP packets.
¡ If this command is executed and the source IP address of the ARP packets falls within the configured range, the device will allow users to come online as dynamic users through ARP packets.
For dynamic IPoE users to come online through ARP packets, perform the following tasks:
· Enable ARP packet initiation by using the ip subscriber initiator arp enable command.
· Configure the trusted IP addresses or address ranges for IPoE authentication by using the ip subscriber unclassified-ip ip match command.
Restrictions and guidelines
For a static user to initiate sessions by using ARP packets, make sure the following requirements are met:
· ARP packet initiation is enabled.
· The gateway IP address allocated to the static users must be one of the following IP addresses:
¡ The IP address of the access interface.
¡ The shared gateway address in the IP address pool, for example, the gateway address specified by using the gateway command in a BAS IP address pool.
Disabling ARP packet initiation does not affect online ARP-initiated static users.
Examples
# Enable ARP packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber initiator arp enable
Related commands
ip subscriber access-trigger loose
ip subscriber enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber initiator ndrs enable
ip subscriber roaming enable
ip subscriber unclassified-ip ip match
ip subscriber initiator ndrs enable
Use ip subscriber initiator ndrs enable to enable IPv6 ND RS packet initiation.
Use undo ip subscriber initiator ndrs enable to disable IPv6 ND RS packet initiation.
Syntax
ip subscriber initiator ndrs enable
undo ip subscriber initiator ndrs enable
Default
IPv6 ND RS packet initiation is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Operating mechanism
If you enable IPv6 ND RS packet initiation on an interface, the first IPv6 ND RS packet initiates the IPoE session. If you disable IPv6 ND RS packet initiation on an interface, ND RS packets cannot initiate IPoE sessions. However, existing IPoE sessions initiated by ND RS packets are not deleted.
Restrictions and guidelines
You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.
Examples
# Enable IPv6 ND RS packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber initiator ndrs enable
Related commands
ip subscriber enable
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber initiator nsna enable
Use ip subscriber initiator nsna enable to enable NS/NA packet initiation.
Use undo ip subscriber initiator nsna enable to disable NS/NA packet initiation.
Syntax
ip subscriber initiator nsna enable
undo ip subscriber initiator nsna enable
Default
NS/NA packet initiation is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Operating mechanism
With this command executed, when the interface receives from a user NS packets whose source address is a global unicast address, or NA packets whose source or target address is a global unicast address, the interface processes the packets in the following order:
1. If the packets match a configured static IPoE session, the user is processed as a static user.
2. If the packets match a roaming user, the user is processed as a roaming user.
3. If the packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.
4. If the packets match abnormally logged out ND RS user records, the interface restores the session information for the abnormally logged out ND RS user according to the recorded information.
5. The user accesses in loose mode. (Applicable only when the loose mode takes effect.)
6. If the packets match none of the preceding information, the device's processing method depends on the ip subscriber unclassified-ip ipv6 match command configuration. The specific processing is as follows:
¡ If this command is not executed, or if it is executed but the source IPv6 address of the NS/NA packets is outside the configured range, the device will drop the packets and prevent user access through NS/NA packets.
¡ If this command is executed and the source IPv6 address of the NS/NA packets falls within the configured range, the device will allow users to come online as dynamic users through NS/NA packets.
Restrictions and guidelines
NS/NA packet initiation is supported only when IPoE operates in Layer 2 access mode.
For dynamic IPoE users to come online through NS/NA packets, perform the following tasks:
· Enable NS/NA packet initiation by using the ip subscriber initiator nsna enable command.
· Configure the trusted IPv6 addresses or address ranges for IPoE authentication by using the ip subscriber unclassified-ip ipv6 match command.
For a static IPoE user to initiate a session by using NS/NA packets, you must execute the ip subscriber initiator nsna enable command to enable NS/NA packet initiation.
With this feature disabled on an interface, the users that have come online by using the NS/NA packet initiation method on the interface are still online and not affected.
Examples
# Enable NS/NA packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber initiator nsna enable
Related commands
ip subscriber initiator unclassified-ipv6 enable
ip subscriber roaming enable
ip subscriber unclassified-ip ipv6 match
ip subscriber initiator unclassified-ip enable
Use ip subscriber initiator unclassified-ip enable to enable unclassified-IPv4 packet initiation.
Use undo ip subscriber initiator unclassified-ip enable to disable unclassified-IPv4 packet initiation.
Syntax
ip subscriber initiator unclassified-ip enable [ matching-user ]
undo ip subscriber initiator unclassified-ip enable
Default
Unclassified-IPv4 packet initiation is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
matching-user: Allows only matching static users, abnormally logged out DHCP users, roaming users, and users accessing in loose mode to log in.
Usage guidelines
Operating mechanism
For unclassified-IPv4 packet initiation to take effect, you must execute the dhcp enable command to enable DHCP. For information about this command, see DHCP commands in BRAS Services Command Reference.
With unclassified-IPv4 packet initiation enabled, a BRAS allows IPoE users to initiate IPoE sessions by using unclassified-IP packets. When the BRAS receives IP packets from abnormally logged out DHCP users, it restores the IPoE sessions for these users based on the recorded information.
A DHCP user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.
An interface processes the IP packets received from a user in the following order if the matching-user keyword is specified:
1. If the IP packets match a configured IPoE static session, the user is processed as a static user.
2. If the IP packets match a roaming user, the user is processed as a roaming user.
3. If the IP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.
4. The user accesses in loose mode. (Applicable only when the loose mode takes effect.)
5. If the IP packets match none of the preceding information, the user cannot come online by using unclassified-IP packets.
If the matching-user keyword is not specified, an interface processes the packets received from a user in the following order:
1. If the IP packets match a configured IPoE static session, the user is processed as a static user.
2. If the IP packets match a roaming user, the user is processed as a roaming user.
3. If the IP packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.
4. The user accesses in loose mode. (Applicable only when the loose mode takes effect.)
5. If the IP packets match none of the preceding information, the user initiates a session by using unclassified-IP packets.
Restrictions and guidelines
If you disable unclassified-IPv4 packet initiation on an interface, existing IPoE sessions initiated by unclassified-IPv4 packets are not deleted.
You can enable DHCPv4 packet initiation and unclassified-IPv4 packet initiation on the same interface.
Examples
# Enable unclassified-IPv4 packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber initiator unclassified-ip enable
Related commands
ip subscriber access-trigger loose
ip subscriber enable
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber initiator ndrs enable
ip subscriber roaming enable
ip subscriber initiator unclassified-ipv6 enable
Use ip subscriber initiator unclassified-ipv6 enable to enable unclassified-IPv6 packet initiation.
Use undo ip subscriber initiator unclassified-ipv6 enable to disable unclassified-IPv6 packet initiation.
Syntax
ip subscriber initiator unclassified-ipv6 enable [ matching-user ]
undo ip subscriber initiator unclassified-ipv6 enable
Default
Unclassified-IPv6 packet initiation is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
matching-user: Allows only matching static users, abnormally logged out DHCP users, abnormally logged out ND RS users, roaming users, and users accessing in loose mode to log in.
Usage guidelines
Operating mechanism
With unclassified-IPv6 packet initiation enabled, a BRAS allows IPoE users to initiate IPoE sessions by using unclassified-IPv6 packets. When the BRAS receives IP packets from abnormally logged out DHCP and ND RS users, it restores the IPoE sessions for these users based on the recorded information.
A user is abnormally logged out if the IPoE session of the user is deleted for any reason other than the user actively releasing its IP address.
The interface processes the IPv6 packets received from a user in the following order if the matching-user keyword is specified:
1. If the IPv6 packets match a configured IPoE static session, the user is processed as a static user.
2. If the IPv6 packets match a roaming user, the user is processed as a roaming user.
3. If the IPv6 packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.
4. If the IPv6 packets match abnormally logged out ND RS user records, the interface restores the session information for the abnormally logged out ND RS user according to the recorded information.
5. The user accesses in loose mode. (Applicable only when the loose mode takes effect.)
6. If the IPv6 packets match none of the preceding information, the user cannot come online by using unclassified-IPv6 packets.
If the matching-user keyword is not specified, the interface processes the IPv6 packets received from a user in the following order:
1. If the IPv6 packets match a configured IPoE static session, the user is processed as a static user.
2. If the IPv6 packets match a roaming user, the user is processed as a roaming user.
3. If the IPv6 packets match abnormally logged out DHCP user records, the interface restores the session information for the abnormally logged out DHCP user according to the recorded information.
4. If the IPv6 packets match abnormally logged out ND RS user records, the interface restores the session information for the abnormally logged out ND RS user according to the recorded information.
5. The user accesses in loose mode. (Applicable only when the loose mode takes effect.)
6. If the IPv6 packets do not match the above information, the user initiates a session by using unclassified-IPv6 packets.
For the processing procedure when the interface receives NS/NA packets, see the ip subscriber initiator nsna enable command.
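The four initiation commands above (ip subscriber initiator arp enable, ip subscriber initiator nsna enable, ip subscriber initiator unclassified-ip enable and ip subscriber initiator unclassified-ipv6 enable) share one first-match walk: static session, roaming user, abnormal-logout records (DHCP, and ND RS for IPv6), loose mode, and then a last step that differs per command. The Python model below is an added illustration of that walk, not device code; the `Interface` record fields, keying users by source address only, and the sample addresses and ranges are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    """Per-interface state the initiation commands consult (all constructed)."""
    static_sessions: set = field(default_factory=set)   # configured static IPoE sessions, keyed by IP
    roaming_users: set = field(default_factory=set)     # known roaming users
    abnormal_dhcp: set = field(default_factory=set)     # recorded abnormally logged out DHCP users
    abnormal_ndrs: set = field(default_factory=set)     # recorded abnormally logged out ND RS users
    loose_mode: bool = False                            # ip subscriber access-trigger loose in effect
    trusted_v4: list = field(default_factory=list)      # ip subscriber unclassified-ip ip match ranges
    trusted_v6: list = field(default_factory=list)      # ip subscriber unclassified-ip ipv6 match ranges
    matching_user_only: bool = False                    # matching-user keyword on the unclassified command


V6_INITIATORS = ("nsna", "unclassified-ipv6")


def classify(iface, initiator, src):
    """First-match walk for one packet. initiator is 'arp', 'nsna',
    'unclassified-ip' or 'unclassified-ipv6'; returns the access decision."""
    ip = ipaddress.ip_address(src)
    want_v6 = initiator in V6_INITIATORS
    if (ip.version == 6) != want_v6:
        raise ValueError(f"{initiator} does not carry {src}")
    if ip in iface.static_sessions:
        return "static"
    if ip in iface.roaming_users:
        return "roaming"
    if ip in iface.abnormal_dhcp:
        return "restore-dhcp"
    if want_v6 and ip in iface.abnormal_ndrs:      # ND RS records exist only for IPv6
        return "restore-ndrs"
    if iface.loose_mode:
        return "loose"
    # Last step differs: ARP and NS/NA need a trusted-range hit, the
    # unclassified-IP commands depend on the matching-user keyword.
    if initiator in ("arp", "nsna"):
        ranges = iface.trusted_v6 if want_v6 else iface.trusted_v4
        return "dynamic" if any(ip in net for net in ranges) else "drop"
    return "drop" if iface.matching_user_only else "dynamic"


def demo():
    """Constructed interface state exercised with one packet per branch."""
    iface = Interface(
        static_sessions={ipaddress.ip_address("10.1.1.5")},
        abnormal_dhcp={ipaddress.ip_address("10.1.1.20")},
        abnormal_ndrs={ipaddress.ip_address("2001:db8::20")},
        trusted_v4=[ipaddress.ip_network("10.1.2.0/24")],
        trusted_v6=[ipaddress.ip_network("2001:db8:1::/64")],
    )
    strict = Interface(matching_user_only=True)
    return {
        "arp_static": classify(iface, "arp", "10.1.1.5"),
        "arp_restore": classify(iface, "arp", "10.1.1.20"),
        "arp_trusted": classify(iface, "arp", "10.1.2.9"),
        "arp_untrusted": classify(iface, "arp", "10.9.9.9"),
        "nsna_ndrs": classify(iface, "nsna", "2001:db8::20"),
        "nsna_untrusted": classify(iface, "nsna", "2001:db8:9::1"),
        "v6_dynamic": classify(iface, "unclassified-ipv6", "2001:db8:9::1"),
        "v4_matching_only": classify(strict, "unclassified-ip", "10.9.9.9"),
    }
```

The contrast between `nsna_untrusted` and `v6_dynamic` is the one worth remembering: the same unknown source is dropped by NS/NA initiation without a trusted range, but admitted by unclassified-IPv6 initiation unless matching-user is configured.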
Restrictions and guidelines
If you disable unclassified-IPv6 packet initiation on an interface, existing IPoE sessions initiated by unclassified-IPv6 packets are not deleted.
You can enable DHCPv6 packet initiation, IPv6 ND RS packet initiation, and unclassified-IPv6 packet initiation on the same interface.
Examples
# Enable unclassified-IPv6 packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber initiator unclassified-ipv6 enable
Related commands
ip subscriber initiator nsna enable
ip subscriber roaming enable
ip subscriber interface-leased
Use ip subscriber interface-leased to configure an interface-leased user.
Use undo ip subscriber interface-leased to restore the default.
Syntax
ip subscriber interface-leased username name password { ciphertext | plaintext } string [ domain domain-name ]
undo ip subscriber interface-leased
Default
No interface-leased user exists.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
Predefined user roles
network-admin
Parameters
username name: Specifies a username for authentication, a case-sensitive string of 1 to 253 characters.
password ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.
password plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
An interface-leased user represents all access users of the interface. With IPoE enabled for both IPv4 and IPv6 protocol stacks on an interface in up state, the session does not need to be initiated by user traffic. The BRAS actively initiates authentication by using the configured username and password. After the authentication succeeds and the leased session is successfully set up for users, traffic of all users on the interface is permitted, and the users share one IPoE session. The BRAS performs interface-level authorization and accounting for all users on the interface.
An ISP domain is selected for an IPoE interface-leased user in the following order until a match is found:
1. ISP domain specified by using the domain domain-name option in this command. If the ISP domain has not been created, the user fails to come online.
2. ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.
3. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
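The selection order above has one property worth making explicit: it is first-configured-wins, not fall-through. A domain named on this command or on ip subscriber unclassified-ip domain that was never created makes the user fail, even if a later source would have produced a valid domain. The Python model below is an added illustration of that rule, not device code; the data classes and the stand-in for the AAA module's own selection are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LeasedUser:
    username: str
    domain: Optional[str] = None            # [ domain domain-name ] on ip subscriber interface-leased


@dataclass
class InterfaceConfig:
    unclassified_ip_domain: Optional[str] = None   # ip subscriber unclassified-ip domain


def select_isp_domain(user, iface, created_domains, aaa_choice):
    """Returns (domain_name, comes_online).

    The first configured source decides; a configured domain that was
    never created makes the user fail and does not fall through to the
    next source. aaa_choice stands in for the AAA module's own selection
    (its rules are documented elsewhere and not modelled here).
    """
    for candidate in (user.domain, iface.unclassified_ip_domain):
        if candidate is not None:
            return candidate, candidate in created_domains
    return aaa_choice, aaa_choice in created_domains


def demo():
    """Constructed domain set and four configurations."""
    created = {"isp1", "isp2", "system"}
    iface = InterfaceConfig(unclassified_ip_domain="isp2")
    return {
        "explicit": select_isp_domain(LeasedUser("intuser", domain="isp1"), iface, created, "system"),
        "missing": select_isp_domain(LeasedUser("intuser", domain="isp9"), iface, created, "system"),
        "interface": select_isp_domain(LeasedUser("intuser"), iface, created, "system"),
        "aaa": select_isp_domain(LeasedUser("intuser"), InterfaceConfig(), created, "system"),
    }
```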
Restrictions and guidelines
If you enable IPoE before configuring interface-leased users, IPoE must be enabled for both the IPv4 and IPv6 protocol stacks before you can configure interface-leased users. If you configure interface-leased users before enabling IPoE, you must enable IPoE for both stacks; otherwise, IPoE cannot be enabled.
You can configure only one interface-leased user on each interface. To change the parameters of an existing interface-leased user, use the undo form to delete the user, and then reconfigure it with new parameter settings.
You cannot configure an interface-leased user on an interface configured with subnet-leased users, L2VPN-leased users, unclassified-IP users, or static users.
If you have added an interface to the static user interface list, you cannot configure interface-leased users on the interface. If you have configured interface-leased users on an interface, you cannot add the interface to the static user interface list.
Examples
# Configure an interface-leased user with a username of intuser and a plaintext password of pw123 on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber interface-leased username intuser password plaintext pw123
# Delete interface-leased users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] undo ip subscriber interface-leased
The operation may cut all users on this interface. Continue?[Y/N]:y
ip subscriber ipv6-address-change send-accounting-update
Use ip subscriber ipv6-address-change send-accounting-update to enable immediate sending of accounting-update messages when a user IPv6 address changes.
Use undo ip subscriber ipv6-address-change send-accounting-update to disable immediate sending of accounting-update messages when a user IPv6 address changes.
Syntax
ip subscriber ipv6-address-change send-accounting-update
undo ip subscriber ipv6-address-change send-accounting-update
Default
When a user IPv6 address changes, immediate sending of accounting-update messages is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
When the AAA-authorized ND prefix pool or ND prefix pool group method is used to implement the one prefix per user scenario, each user exclusively occupies one ND prefix. The user IPv6 address is generated by the ND prefix allocated by the BRAS and the endpoint's own interface ID.
To enhance security, some user endpoints will automatically change the interface IDs and inform the BRAS through NS packets. In this scenario, when the BRAS detects a change in the user IPv6 address, the BRAS will refresh the IPv6 address in the user session. By default, the BRAS will not immediately send an accounting-update message to the AAA server to update the accounting information in real time.
By default, the device will send accounting-update messages at the interval configured by the administrator to update user information. To update the accounting information in a timely manner when the user IPv6 address changes and ensure the timeliness and accuracy of the accounting information, you can enable this feature.
Operating mechanism
With this feature enabled, when the BRAS receives NS packets of a user and detects a change in the user IPv6 address, the BRAS will refresh the IPv6 address in the user session and select the user IPv6 address to be added to attribute 158 (Framed-IPv6-Address) based on the following principles:
· For IPoE ND RS Web authentication, the BRAS fills in attribute 158 with the user IPv6 address at the time of initiating IPv6 Web authentication. No matter how the user IPv6 address changes in the subsequent NS packets, the BRAS always uses the user IPv6 address at the time of initiating IPv6 Web authentication to fill in attribute 158.
· In cases other than those mentioned above, the BRAS fills attribute 158 with the latest user IPv6 address notified in the NS packets.
Then, the BRAS will immediately send an accounting-update message carrying attribute 158 to the AAA server to update user information and thus update accounting information in real time.
Restrictions and guidelines
· This feature is only applicable to the one ND prefix per user scenario.
· In the shared prefix scenario where multiple users share the same ND prefix, immediate sending of accounting-update messages when the user IPv6 address changes is enabled by default and cannot be disabled by using this command.
· As a best practice, do not enable this feature in the following cases:
¡ The network capacity is limited or real-time accounting information is not required. Excessive accounting-update messages might impact network performance and bandwidth.
¡ The network load is heavy or the AAA server's processing capability is limited. Frequent accounting-update requests might impact network efficiency and stability.
Examples
# Enable immediate sending of accounting-update messages when the user IPv6 address changes.
<Sysname> system-view
[Sysname] ip subscriber ipv6-address-change send-accounting-update
ip subscriber l2vpn-leased
Use ip subscriber l2vpn-leased to configure an L2VPN-leased user.
Use undo ip subscriber l2vpn-leased to restore the default.
Syntax
ip subscriber l2vpn-leased username name password { ciphertext | plaintext } string [ domain domain-name ]
undo ip subscriber l2vpn-leased
Default
No L2VPN-leased user exists.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
Predefined user roles
network-admin
Parameters
username name: Specifies a username for authentication, a case-sensitive string of 1 to 253 characters.
password ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.
password plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
An L2VPN-leased user is a group of hosts that rent the same interface and share the same IPoE session on an L2VPN network. The BRAS authenticates, authorizes, and accounts all hosts of the same L2VPN-leased user.
An ISP domain is selected for an IPoE L2VPN-leased user in the following order until a match is found:
1. ISP domain specified by using the domain domain-name option in this command. If the ISP domain has not been created, the user fails to come online.
2. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Restrictions and guidelines
L2VPN-leased users require IPoE to be enabled for both the IPv4 and IPv6 stacks on the interface. If IPoE is enabled before L2VPN-leased users are configured, it must be enabled for both stacks before you can configure an L2VPN-leased user. If L2VPN-leased users are configured before IPoE is enabled, IPoE can then be enabled only for both stacks together; enabling it for a single stack fails.
You can configure only one L2VPN-leased user on one interface. To change the parameters of an existing L2VPN-leased user, use the undo form to delete the user, and then reconfigure it with new parameter settings.
You cannot configure an L2VPN-leased user on an interface configured with interface-leased users, subnet-leased users, or static users.
On a Layer 3 Ethernet or aggregate subinterface, the IPoE L2VPN-leased user configuration is mutually exclusive with the packet statistics collection feature. For more information about packet statistics collection on Ethernet subinterfaces, see Ethernet interface configuration in Interface Configuration Guide. For more information about packet statistics collection on Layer 3 aggregate subinterfaces, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide.
Examples
# Configure an L2VPN-leased user with a username of intuser and a plaintext password of pw123 on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber l2vpn-leased username intuser password plaintext pw123
ip subscriber lease-end-time original
Use ip subscriber lease-end-time original to keep the lease expiration time recorded when a user was logged out as the lease expiration time when that user logs in again.
Use undo ip subscriber lease-end-time original to restore the default.
Syntax
ip subscriber lease-end-time original
undo ip subscriber lease-end-time original
Default
The lease expiration time is renewed when a logged out user logs in again.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Operating mechanism
By default, the lease expiration time is renewed when an abnormally logged out or auto backed-up user logs in again. With this command configured, when a logged out client recovers and logs in again, the following rules apply:
· For an abnormally logged out user, the lease expiration time is the same as the time recorded in the client.
· For an auto backed-up user, the lease expiration time is the same as the time recorded in the auto backup entry.
Restrictions and guidelines
This command takes effect only on abnormally logged out IPoE DHCP users and auto backed-up IPoE DHCP users.
Examples
# Keep the lease expiration time recorded at logout as the lease expiration time when a logged out user logs in again.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber lease-end-time original
Related commands
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
display ip subscriber abnormal-logout
ip subscriber mac-auth domain
Use ip subscriber mac-auth domain to configure the domain for MAC authentication.
Use undo ip subscriber mac-auth domain to restore the default.
Syntax
ip subscriber mac-auth domain domain-name
undo ip subscriber mac-auth domain
Default
No domain is configured for MAC authentication.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
If multiple types of domains are configured when Web MAC authentication is used, an ISP domain is selected in the following order until a match is found during the Web authentication phase:
1. Domain carried in the username. If the domain has not been created, the user fails to come online.
2. MAC authentication domain specified by using the ip subscriber mac-auth domain command. If the specified domain has not been created, the user fails to come online.
3. Web authentication domain specified by using the ip subscriber web-auth domain command. If the specified domain has not been created, the user fails to come online.
4. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
For how an ISP domain is selected during the Web authentication phase when Web authentication is used, see the ip subscriber web-auth domain command.
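The selection order above has one property worth checking before relying on it: a step that names a domain which has not been created fails the login instead of falling through to the next step, so a typo in ip subscriber mac-auth domain takes users offline even when the Web authentication domain is correct. The following is an added example that models that order; it is not H3C code. It assumes that "@" delimits the domain carried in a username and represents the AAA module's choice (step 4) by a single default domain name.

```python
"""ISP domain selection for Web MAC authentication (added example, not H3C code).

Models the four-step order in the command reference. A step that supplies no
domain is skipped; a step that supplies a domain which does not exist fails
the login rather than falling through. Assumptions: '@' delimits the domain in
a username, and the AAA module's choice is one default domain name.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DomainConfig:
    created: frozenset                       # ISP domains that exist on the BRAS (lowercase)
    mac_auth_domain: Optional[str] = None    # ip subscriber mac-auth domain
    web_auth_domain: Optional[str] = None    # ip subscriber web-auth domain
    aaa_domain: Optional[str] = None         # assumed: the domain the AAA module would select


def domain_in_username(username: str) -> Optional[str]:
    """Domain carried in the username, assuming the '@' delimiter."""
    if "@" not in username:
        return None
    return username.rpartition("@")[2] or None


def select_domain(username: str, cfg: DomainConfig) -> Tuple[bool, str]:
    """Return (comes_online, selected_domain_or_failure_reason).

    ISP domain names are case-insensitive, so comparison is done in lowercase.
    """
    steps = (
        ("username", domain_in_username(username)),
        ("ip subscriber mac-auth domain", cfg.mac_auth_domain),
        ("ip subscriber web-auth domain", cfg.web_auth_domain),
        ("AAA module", cfg.aaa_domain),
    )
    for source, domain in steps:
        if domain is None:
            continue                         # nothing configured at this step
        if domain.lower() in cfg.created:
            return True, domain.lower()
        return False, f"domain '{domain}' ({source}) has not been created"
    return False, "no ISP domain available for the user"
```

With a configuration where dm1 and web1 exist and both the MAC and Web authentication domains are set, a username without a domain lands in dm1, a username carrying web1 lands in web1, and a username carrying a non-existent domain fails even though dm1 would have matched at the next step.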
Restrictions and guidelines
The ISP domain for MAC authentication is used for transparent MAC authentication during the Web authentication phase only for individual users that use Web MAC authentication.
Changing the ISP domain for MAC authentication affects only users that come online after the change.
Examples
# Specify ISP domain dm1 for MAC authentication on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber mac-auth domain dm1
Related commands
ip subscriber authentication-method
ip subscriber web-auth domain
ip subscriber max-session
Use ip subscriber max-session to set the maximum number of individual sessions and leased subuser sessions on an interface.
Use undo ip subscriber max-session to restore the default.
Syntax
ip subscriber max-session max-number
undo ip subscriber max-session
Default
The maximum number of individual sessions and leased subuser sessions is not set on an interface.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of individual sessions and leased subuser sessions allowed on an interface. The value range for this argument is 1 to 64000.
Usage guidelines
Operating mechanism
When the number of individual sessions and leased subuser sessions on an interface has reached the limit, new IPoE sessions cannot be established. The number of IPoE sessions created includes the number of IPv4 single-stack users, the number of IPv6 single-stack users, and the number of dual-stack sessions.
· A single-stack user occupies one session resource.
· A dual-stack user occupies one session resource.
If a single-stack user has come online successfully, the other stack of the same user can directly come online, and the two stacks share one session resource.
Restrictions and guidelines
If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.
When this command is executed together with the ip subscriber { dhcp | dhcpv6 | ndrs | unclassified-ip | unclassified-ipv6 } max-session command, the two commands both take effect. The two commands control sessions in different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.
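The counting rules above have two edge cases that are easy to get wrong when sizing an interface: the second stack of a user that is already online does not consume a new session resource even when the limit has been reached, and lowering the limit below the current session count is accepted without dropping anyone. The following is an added example, not H3C code, that models those rules. How the per-access-type commands (ip subscriber { dhcp | dhcpv6 | ... } max-session) count sessions is an assumption here: one count per stack, keyed by access type.

```python
"""Session admission on one interface under ip subscriber max-session (added
example, not H3C code).

Models what the command reference states: a single-stack user and a
dual-stack user each occupy one session resource, the second stack of a user
that is already online shares that resource, a limit lowered below the current
count leaves existing sessions alone but blocks new ones, and a new session
also needs the per-access-type limit to be unmet. The per-type counting (one
count per stack, by access type) is an assumption of this example.
"""
from typing import Dict, Optional


class InterfaceSessions:
    def __init__(self, max_session: Optional[int] = None,
                 type_limits: Optional[Dict[str, int]] = None) -> None:
        self.max_session = max_session            # None: limit not set (the default)
        self.type_limits = dict(type_limits or {})
        # user key (for example the MAC address) -> {stack: access type}
        self.users: Dict[str, Dict[str, str]] = {}
        self.type_counts: Dict[str, int] = {}     # assumed per-type counter

    def session_count(self) -> int:
        """Session resources in use: one per user, however many stacks it has."""
        return len(self.users)

    def set_max_session(self, limit: Optional[int]) -> None:
        """A limit below the current count is accepted; existing sessions stay up."""
        self.max_session = limit

    def bring_online(self, user: str, stack: str, access_type: str) -> bool:
        """Return True if the stack comes online, False if a limit blocks it."""
        if stack not in ("ipv4", "ipv6"):
            raise ValueError("stack must be 'ipv4' or 'ipv6'")
        stacks = self.users.get(user, {})
        if stack in stacks:
            return True                           # already online, nothing changes
        # Only a user with no stack online needs a new session resource.
        if not stacks and self.max_session is not None \
                and self.session_count() >= self.max_session:
            return False                          # ip subscriber max-session reached
        limit = self.type_limits.get(access_type)
        if limit is not None and self.type_counts.get(access_type, 0) >= limit:
            return False                          # per-type max-session reached (assumed)
        self.users.setdefault(user, {})[stack] = access_type
        self.type_counts[access_type] = self.type_counts.get(access_type, 0) + 1
        return True

    def go_offline(self, user: str) -> None:
        """Release the user's session resource and its per-type counts."""
        for access_type in self.users.pop(user, {}).values():
            self.type_counts[access_type] -= 1
```

Running it with max-session 2 and an assumed dhcpv6 limit of 1: two IPv4 users fill the interface, a third user is refused, the first user's IPv6 stack still comes online because it shares the existing resource, and after the limit is lowered to 1 both existing sessions remain counted until one logs off.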
Examples
# Set the maximum number of individual sessions and leased subuser sessions on Ten-GigabitEthernet 0/0/15 to 100.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber max-session 100
Related commands
ip subscriber dhcp max-session
ip subscriber dhcpv6 max-session
ip subscriber ndrs max-session
ip subscriber unclassified-ip max-session
ip subscriber unclassified-ipv6 max-session
ip subscriber nas-port-id format
Use ip subscriber nas-port-id format to configure the NAS-Port-ID format for IPoE users.
Use undo ip subscriber nas-port-id format to restore the default.
Syntax
ip subscriber nas-port-id format cn-telecom { version1.0 | version2.0 | version3.0 | version4.0 | version5.0 }
undo ip subscriber nas-port-id format
Default
NAS-Port-IDs for IPoE users are encapsulated in the version 1.0 format.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
version1.0: Specifies the China Telecom version 1.0 format.
· The version 1.0 format varies by interface type, as shown in Table 18.
Table 18 Version 1.0 formats
Interface type | Encapsulation format |
---|---|
Layer 3 Ethernet interface and Layer 3 aggregate interface | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=0 |
Layer 3 Ethernet subinterface and Layer 3 aggregate subinterface (single VLAN tag) | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=vlan_id |
Layer 3 Ethernet subinterface and Layer 3 aggregate subinterface (dual VLAN tags) | slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=inner-vlan;vlanid2=outer-vlan |
· Version 1.0 format parameters are described in Table 19.
Table 19 Version 1.0 format parameter description
Parameter | Description |
---|---|
NAS_slot | Specifies the slot number of the access interface on the BRAS. |
NAS_subslot | Specifies the subslot number of the access interface on the BRAS. |
NAS_port | Specifies the port number of the access interface on the BRAS. |
vlan_id | Specifies the ID of the user's VLAN. |
inner-vlan | Specifies the ID of the inner VLAN. |
outer-vlan | Specifies the ID of the outer VLAN. |
vpi | Specifies the VPI of the access interface on the BRAS. |
vci | Specifies the VCI of the access interface on the BRAS. |
version2.0: Specifies the format described in YD/T 2275-2011 Subscriber Access Loop (Port) Identification in Broadband Access Networks.
· When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted or the received DHCPv6 packets carry Option 18 and Option 18 is trusted, see "ip subscriber nas-port-id nasinfo-insert" for the version 2.0 format.
· In the other cases, the version 2.0 format is {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port:svlan.cvlan AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port. The NAS information (NAS_slot/NAS_subslot/NAS_port:svlan.cvlan) and AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port (modified to 0/0/0/0/0/0) are encapsulated in the NAS-Port-ID field.
Table 20 describes the version 2.0 format parameters.
Table 20 Version 2.0 format parameter description
Parameter | Description |
---|---|
{eth|trunk|atm} | Specifies the type of the access interface on the BRAS as Ethernet, trunk, or ATM. |
NAS_slot | Specifies the slot number of the access interface on the BRAS. |
NAS_subslot | Specifies the subslot number of the access interface on the BRAS. |
NAS_port | Specifies the port number of the access interface on the BRAS. |
svlan | Specifies the ID of the user's SVLAN. |
cvlan | Specifies the ID of the user's CVLAN. |
AccessNodeIdentifier | Specifies the identifier of the access node. |
ANI_rack | Specifies the rack number of the access node. |
ANI_frame | Specifies the frame number of the access node. |
ANI_slot | Specifies the slot number of the access node. |
ANI_subslot | Specifies the subslot number of the access node. |
ANI_port | Specifies the port number of the access node. |
In the version 2.0 format, for users accessing without VLAN tags, both svlan and cvlan are fixed at 4096. For users accessing with a single layer of VLAN tags, svlan is fixed at 4096 and cvlan is the actual VLAN carried. For more information, see the examples.
version3.0: Specifies the version 3.0 format SlotID/00/IfNO/VlanID, where the forward slash (/) is not displayed. Table 21 describes the meaning of each field.
Table 21 Version 3.0 encapsulation format
Parameter | Description |
---|---|
SlotID | ID of the slot that the user accesses. A minimum of two digits; shorter values are left-padded with 0s. |
00 | Fixed field required by the specification. |
IfNO | Interface number of the user. A minimum of three digits; shorter values are left-padded with 0s. |
VlanID | VLAN ID of the user. A minimum of nine digits; shorter values are left-padded with 0s. |
In the version 3.0 format, for users accessing without VLAN tags, VlanID is fixed at 0. For users accessing with a single layer of VLAN tags, VlanID is the actual VLAN carried. For users with two layers of VLAN tags, VlanID is the actual CVLAN carried. For more information, see the examples.
version4.0: Specifies the version 4.0 format.
· When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted or the received DHCPv6 packets carry Option 18 and Option 18 is trusted, the format adds the following information to the NAS-Port-ID in the version 3.0 format:
¡ For IPv4 users, the DHCP Option 82 Circuit-ID is added. The encapsulation format is SlotID/00/IfNO/VlanID/Option82 Circuit-ID, where the forward slash (/) is not displayed.
¡ For IPv6 users, the DHCP Option18 is added. The encapsulation format is SlotID/00/IfNO/VlanID/Option18, where the forward slash (/) is not displayed.
· In the other cases, the version 4.0 format is the same as the version 3.0 format.
version5.0: Specifies the version 5.0 format. The NAS-Port-ID attribute sent to the RADIUS server is encapsulated according to the YD/T 2275-2011 subscriber access loop (port) identification requirements. Option 18 and Option 82 are processed in the same way. The following description takes Option 82 as an example.
· If Option 82 is not trusted, or Option 82 is trusted but information cannot be extracted, the NAS-Port-ID attribute is encapsulated in the same way as when Option 82 Circuit-ID is not carried. In this case, the NAS-Port-ID attribute is encapsulated in the version 2.0 format (AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port is padded with 0/0/0/0/0/0).
· If Option 82 is trusted and information can be extracted, NAS-Port-ID attribute is encapsulated in version 5.0 format. For more information, see the ip subscriber nas-port-id nasinfo-insert command.
Examples
Version 1.0 format
· Access without VLAN tags
# Configure Layer 3 aggregate interface 1 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. The users access without VLAN tags.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version1.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="slot=0;subslot=0;port=1;vlanid=0;"
· Access with a single layer of VLAN tags
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version1.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="slot=3;subslot=0;port=1;vlanid=400;"
· Access with two layers of VLAN tags
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version1.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/500
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="slot=0;subslot=1;port=1;vlanid=500;vlanid2=400;"
Version 2.0 format
· Access without VLAN tags
¡ Access through a Layer 3 aggregate interface
# Configure Layer 3 aggregate interface 1 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] undo ip subscriber trust option82
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="trunk 0/0/1:4096.4096 0/0/0/0/0/0"
¡ Access through a Layer 3 Ethernet interface
# Configure Ten-GigabitEthernet 0/0/15 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] undo ip subscriber trust option82
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber nas-port-id format cn-telecom version2.0
[Sysname-Ten-GigabitEthernet0/0/15] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:4096.4096 0/0/0/0/0/0"
· Access with a single layer of VLAN tags
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] undo ip subscriber trust option82
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version2.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:4096.400 0/0/0/0/0/0"
· Access with two layers of VLAN tags
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 2.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] undo ip subscriber trust option82
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version2.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/500
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="eth 3/1/1:400.500 0/0/0/0/0/0"
Version 3.0 format
· Access without VLAN tags
# Configure Layer 3 aggregate interface 1 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access without VLAN tags.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version3.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="0000001000000000"
· Access with a single layer of VLAN tags
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version3.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="0300001000000400"
· Access with two layers of VLAN tags
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 3.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version3.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/500
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="0300001000000500"
Version 4.0 format
# Configure Ten-GigabitEthernet 0/0/15.2 to use the version 4.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with two layers of VLAN tags, and the DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber trust option82
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version4.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/500
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="0300001000000500aaa be cd ef g"
Version 5.0 format
When the DHCP packets do not carry Option 82 Circuit-ID, or Option 82 is not trusted, the version 5.0 format is the same as the version 2.0 format. For more information, see the examples for the version 2.0 format.
When the DHCP packets carry Option 82 Circuit-ID and Option 82 is trusted, see the example in the ip subscriber nas-port-id nasinfo-insert command for the version 5.0 format.
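The format descriptions and the RADIUS debugging output quoted above are enough to reproduce each encoding, and reproducing them is the quickest way to confirm how a given version encodes absent tags (vlanid=0 in 1.0, 4096 in 2.0, nine zeros in 3.0) and which tag it picks when two are present. The following is an added example, not H3C code: it builds NAS-Port-ID strings in the version 1.0 to 4.0 formats and parses them back, which is the direction needed when checking RADIUS accounting records against the access port a subscriber is expected to use. The interface numbers and VLAN tags in the tests are constructed so that the results match the debugging output in the examples above. Version 5.0 is not covered because its Option 82 part depends on the ip subscriber nas-port-id nasinfo-insert command.

```python
"""Build and parse NAS-Port-ID strings in the cn-telecom 1.0 to 4.0 formats
(added example, not H3C code). Layouts follow the command reference; the
sample values are constructed to match the page's RADIUS debugging output."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessInfo:
    if_type: str                        # "eth", "trunk" or "atm"; version 2.0 only
    slot: int
    subslot: int
    port: int                           # also the IfNO of versions 3.0 and 4.0
    vlans: Tuple[int, ...] = ()         # () no tag, (vlan,) one tag, (svlan, cvlan) two tags
    circuit_id: Optional[str] = None    # trusted Option 82 Circuit-ID / Option 18 text


def nas_port_id_v1(a: AccessInfo) -> str:
    """Version 1.0: key=value pairs; with two tags vlanid is the inner (C) VLAN."""
    head = f"slot={a.slot};subslot={a.subslot};port={a.port};"
    if len(a.vlans) == 2:
        svlan, cvlan = a.vlans
        return head + f"vlanid={cvlan};vlanid2={svlan};"
    return head + f"vlanid={a.vlans[0] if a.vlans else 0};"


def nas_port_id_v2(a: AccessInfo) -> str:
    """Version 2.0 (YD/T 2275-2011) without trusted Option 82/18: the access
    node part is 0/0/0/0/0/0 and absent tags are encoded as 4096."""
    if not a.vlans:
        svlan, cvlan = 4096, 4096
    elif len(a.vlans) == 1:
        svlan, cvlan = 4096, a.vlans[0]
    else:
        svlan, cvlan = a.vlans
    return f"{a.if_type} {a.slot}/{a.subslot}/{a.port}:{svlan}.{cvlan} 0/0/0/0/0/0"


def nas_port_id_v3(a: AccessInfo) -> str:
    """Version 3.0: SlotID (2+ digits), '00', IfNO (3+ digits), VlanID (9+ digits),
    no separators. VlanID is 0, the single tag, or the C-VLAN of two tags."""
    vlan_id = a.vlans[-1] if a.vlans else 0
    return f"{a.slot:02d}00{a.port:03d}{vlan_id:09d}"


def nas_port_id_v4(a: AccessInfo) -> str:
    """Version 4.0: version 3.0 followed by the trusted Circuit-ID / Option 18 text."""
    return nas_port_id_v3(a) + (a.circuit_id or "")


_V1 = re.compile(r"^slot=(\d+);subslot=(\d+);port=(\d+);vlanid=(\d+);(?:vlanid2=(\d+);)?$")
_V2 = re.compile(r"^(eth|trunk|atm) (\d+)/(\d+)/(\d+):(\d+)\.(\d+) (\S+)$")
_V3 = re.compile(r"^(\d{2})00(\d{3})(\d{9})(.*)$", re.DOTALL)


def parse_nas_port_id(value: str) -> dict:
    """Classify a NAS-Port-ID and recover its fields. Versions 3.0/4.0 are split at
    their minimum field widths; a value whose fields overflow those widths, or whose
    Circuit-ID begins with digits, cannot be split unambiguously."""
    m = _V1.match(value)
    if m:
        slot, subslot, port, vlanid, vlanid2 = m.groups()
        return {"version": "1.0", "slot": int(slot), "subslot": int(subslot),
                "port": int(port), "vlanid": int(vlanid),
                "vlanid2": int(vlanid2) if vlanid2 is not None else None}
    m = _V2.match(value)
    if m:
        if_type, slot, subslot, port, svlan, cvlan, ani = m.groups()
        return {"version": "2.0", "if_type": if_type, "slot": int(slot),
                "subslot": int(subslot), "port": int(port), "svlan": int(svlan),
                "cvlan": int(cvlan), "access_node": ani}
    m = _V3.match(value)
    if m:
        slot, ifno, vlan_id, rest = m.groups()
        return {"version": "4.0" if rest else "3.0", "slot": int(slot),
                "port": int(ifno), "vlanid": int(vlan_id), "circuit_id": rest or None}
    raise ValueError(f"unrecognised NAS-Port-ID: {value!r}")


def came_in_on(value: str, slot: int, port: int, subslot: Optional[int] = None) -> bool:
    """True if the NAS-Port-ID names the given access port. Versions 3.0/4.0 carry
    no subslot, so subslot is compared only when the format has one."""
    fields = parse_nas_port_id(value)
    if fields["slot"] != slot or fields["port"] != port:
        return False
    return subslot is None or "subslot" not in fields or fields["subslot"] == subslot
```

Note that the parser treats a version 1.0 single tag as vlanid without deciding whether it is the S-VLAN or C-VLAN; the page's version 2.0 output for the same access (4096.400) shows the BRAS placing it in the cvlan position.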
Related commands
access-user four-dimension-mode enable (BRAS Services Command Reference)
ip subscriber trust
ip subscriber nas-port-id interface
ip subscriber nas-port-id nasinfo-insert
ip subscriber nas-port-id interface
Use ip subscriber nas-port-id interface to configure the device to use information of the specified interface to fill in the NAS-Port-ID attribute.
Use undo ip subscriber nas-port-id interface to restore the default.
Syntax
ip subscriber nas-port-id interface interface-type interface-number
undo ip subscriber nas-port-id interface
Default
The device uses information of the interface through which the user comes online to fill in the NAS-Port-ID attribute.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. The specified interface must be the IPoE user's access interface. In the current software version, the interface number can contain one, two, three, or four tiers. In each tier, the number is in the range of 0 to 65534. For example, for a 3-tier interface number, the minimum interface number is 0/0/0, and the maximum interface number is 65534/65534/65534. Specify the interface number according to the actual conditions.
Usage guidelines
Application scenarios
By default, a device uses information about the interface through which a user comes online to fill in the NAS-Port-ID attribute and sends the attribute to the RADIUS server. In some special applications, you need to manually specify the access interface information to be filled in the NAS-Port-ID attribute; use this command in those cases. For example, suppose the RADIUS server restricts user A's access to interface A. If user A accesses through interface B and you do not want to modify the RADIUS server configuration, you can execute this command so that information about interface A is used to fill in the NAS-Port-ID attribute for user A and sent to the RADIUS server.
Operating mechanism
When the NAS-Port-ID format is version 1.0 and the ip subscriber nas-port-id interface command is executed, the following rules apply:
· If the access-user four-dimension-mode enable command is also executed, the interface information specified in the ip subscriber nas-port-id interface command will be used to fill in the following access interface information field in the NAS-Port-ID attribute:
¡ chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.
· If the access-user four-dimension-mode enable command is not executed, the interface information specified in the ip subscriber nas-port-id interface command will be used to fill in the following access interface information field in the NAS-Port-ID attribute: slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.
When the NAS-Port-ID format is version 2.0 and the ip subscriber nas-port-id interface command is executed, the following rules apply:
· If the access-user four-dimension-mode enable command is also executed, the interface information specified in this command will be used to fill in the following NAS information field in the NAS-Port-ID attribute:
¡ {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port.
· If the access-user four-dimension-mode enable command is not executed, the interface information specified in this command will be used to fill in the following access interface information field in the NAS-Port-ID attribute: {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port.
When version 3.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the NAS information SlotID/IfNO.
When version 4.0 is specified as the NAS-Port-ID format, information of the specified access interface will be used to fill in the following NAS information:
· For IPv4 users: SlotID/IfNO/Option82.
· For IPv6 users: SlotID/IfNO/Option18.
Examples
# Configure the device to use information of Ten-GigabitEthernet 0/0/15 to fill in the NAS-Port-ID attribute. Configure Ten-GigabitEthernet 0/0/15.2 to use the version 1.0 format to encapsulate the NAS-Port-ID attribute for RADIUS. Users access with a single layer of VLAN tags.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.2
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15.2] ip subscriber nas-port-id format cn-telecom version1.0
[Sysname-Ten-GigabitEthernet0/0/15.2] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e XGE0/0/15.2 3.3.3.3 001b-21a8-0949 400/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID=";vlanid=400;"
Related commands
access-user four-dimension-mode enable (BRAS Services Command Reference)
ip subscriber nas-port-id format
ip subscriber nas-port-id nasinfo-insert
Use ip subscriber nas-port-id nasinfo-insert to include NAS information and information extracted from DHCPv4 Option 82 Circuit-ID or DHCPv6 Option 18 in the NAS-Port-ID.
Use undo ip subscriber nas-port-id nasinfo-insert to restore the default.
Syntax
ip subscriber nas-port-id nasinfo-insert
undo ip subscriber nas-port-id nasinfo-insert
Default
The BRAS uses information extracted from DHCPv4 Option 82 Circuit-ID or DHCPv6 Option 18 as the NAS-Port-ID.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
On a DHCP relay agent network, an access device can capture DHCP packets of users, and extract DHCPv4 Option82 Circuit-ID information and DHCPv6 Option18 information from these packets.
When the version 2.0 format is configured to encapsulate the NAS-Port-ID attribute and DHCPv4 Option 82 or DHCPv6 Option 18 is trusted, the following rules apply:
· If you execute this command, the following rules apply:
¡ If DHCPv4 packets contain Option 82 Circuit-ID, this command parses Option 82 Circuit-ID, extracts information from Circuit-ID (ignoring the first two spaces), and encapsulates the extracted information and NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the way when the packets do not contain Option 82 Circuit-ID.
¡ If DHCPv6 packets contain Option 18, this command parses Option 18, extracts information from Option 18 (ignoring the first two spaces), and encapsulates the extracted information and NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the way when the packets do not contain Option 18.
¡ If DHCPv4 packets do not contain Option 82 Circuit-ID, this command includes NAS information in the NAS-Port-ID and sets non-NAS parts to zeros in the following format:
NAS_slot/NAS_subslot/NAS_port:svlan.cvlan 0/0/0/0/0/0
¡ If DHCPv6 packets do not contain Option 18, this command includes NAS information in the NAS-Port-ID and sets non-NAS parts to zeros in the following format:
NAS_slot/NAS_subslot/NAS_port:svlan.cvlan 0/0/0/0/0/0
· If you do not execute this command, the default applies.
When the version 5.0 format is configured to encapsulate the NAS-Port-ID attribute and DHCPv4 Option 82 or DHCPv6 Option 18 is trusted, the following rules apply:
· If this command is executed, the following rules apply:
¡ When the received DHCPv4 packets carry Option 82 Circuit-ID and Option 82 is trusted, this command parses Option 82 Circuit-ID, extracts all information from the Circuit-ID, and encapsulates the extracted information (used to fill in the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port fields) together with NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 82 Circuit-ID (the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port field is filled with 0/0/0/0/0/0).
¡ When the received DHCPv6 packets carry Option 18 and Option 18 is trusted, this command parses Option 18, extracts all information from Option 18, and encapsulates the extracted information (used to fill in the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port fields) together with NAS information in the NAS-Port-ID in the version 2.0 format. If the information cannot be extracted, the NAS-Port-ID is encapsulated in the version 2.0 format in the same way as when the packets do not contain Option 18 (the AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port field is filled with 0/0/0/0/0/0).
· If you do not execute this command, the default applies.
Operating mechanism
This command does not affect Option 82 or Option 18.
This command takes effect on Option 82 or Option 18 only after the ip subscriber trust command is executed to configure trusting Option 82 or Option 18.
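The following Python model is an added example, not H3C code, and shows how the rules above combine the NAS information with the Circuit-ID (or Option 18) text to produce the NAS-Port-ID string that reaches the RADIUS server. The NAS string "trunk 0/0/1:4096.4096" and the Circuit-ID "aaa be cd ef g" are taken from the examples below; treating a Circuit-ID with fewer than two spaces as "cannot be extracted", and treating an untrusted option as absent, are assumptions of this model. The Circuit-ID is text supplied by the access node, which is why the page gates the feature behind ip subscriber trust.

```python
# Added example (not from the H3C documentation): models the NAS-Port-ID
# encapsulation rules of ip subscriber nas-port-id nasinfo-insert.

ZERO_ANI = "0/0/0/0/0/0"  # non-NAS part when no usable Circuit-ID / Option 18 info exists


def extract_v2(circuit_id):
    """Version 2.0 extraction: the Circuit-ID text after its first two spaces.

    On the page, "aaa be cd ef g" yields "cd ef g". Returns None when the
    Circuit-ID holds fewer than two spaces (assumed to be the 'cannot be
    extracted' case)."""
    parts = circuit_id.split(" ", 2)
    if len(parts) < 3 or not parts[2]:
        return None
    return parts[2]


def build_nas_port_id(nas_info, circuit_id, version="2.0",
                      nasinfo_insert=True, option_trusted=True):
    """Return the NAS-Port-ID string the BRAS would send to RADIUS.

    nas_info        NAS part, for example "trunk 0/0/1:4096.4096" (from the page).
    circuit_id      DHCPv4 Option 82 Circuit-ID (or DHCPv6 Option 18) text,
                    or None when the packet carries no such option.
    version         "2.0" or "5.0" (ip subscriber nas-port-id format ...).
    nasinfo_insert  True when ip subscriber nas-port-id nasinfo-insert is set.
    option_trusted  True when ip subscriber trust option82/option18 is set.
    """
    if version not in ("2.0", "5.0"):
        raise ValueError("unsupported NAS-Port-ID format version")
    # nasinfo-insert takes effect only once the option is trusted (Operating
    # mechanism above); an untrusted option is treated as absent (assumption).
    if not option_trusted:
        circuit_id = None
    if not nasinfo_insert:
        # Default: the extracted option content alone forms the NAS-Port-ID.
        if circuit_id is None:
            raise ValueError("page does not define the default without Option 82/18")
        return circuit_id
    if circuit_id is None:
        # No Circuit-ID / Option 18: NAS information plus zeroed non-NAS fields.
        return f"{nas_info} {ZERO_ANI}"
    if version == "5.0":
        # Version 5.0: all Circuit-ID information fills the ANI fields.
        return f"{nas_info} {circuit_id}"
    extracted = extract_v2(circuit_id)
    if extracted is None:
        return f"{nas_info} {ZERO_ANI}"
    return f"{nas_info} {extracted}"
```

Run with the page's inputs, the four combinations of format and nasinfo-insert reproduce the four NAS-Port-ID values shown in the RADIUS debugging output of the examples that follow.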
Examples
Version 2.0 format
# Configure Layer 3 aggregate interface 1 to include NAS information and information extracted from DHCPv4 Option 82 in the NAS-Port-ID, encapsulate the NAS-Port-ID in the version 2.0 format, and trust Option 82. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] ip subscriber nas-port-id nasinfo-insert
[Sysname-Route-Aggregation1] ip subscriber trust option82
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="trunk 0/0/1:4096.4096 cd ef g"
# Configure Layer 3 aggregate interface 1 to include information extracted from DHCPv4 Option 82 or DHCPv6 Option 18 in the NAS-Port-ID, encapsulate the NAS-Port-ID in the version 2.0 format, and trust Option 82. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] undo ip subscriber nas-port-id nasinfo-insert
[Sysname-Route-Aggregation1] ip subscriber trust option82
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version2.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-ID="aaa be cd ef g"
Version 5.0 format
# Configure Layer 3 aggregate interface 1 to include NAS information and information extracted from DHCPv4 Option 82 in the NAS-Port-ID, trust Option 82, and encapsulate the NAS-Port-ID in the version 5.0 format. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] ip subscriber nas-port-id nasinfo-insert
[Sysname-Route-Aggregation1] ip subscriber trust option82
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version5.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-Id="trunk 0/0/1:4096.4096 aaa be cd ef g"
# On Layer 3 aggregate interface 1, execute the undo ip subscriber nas-port-id nasinfo-insert command, configure the interface to trust Option 82, and encapsulate the NAS-Port-ID in the version 5.0 format. The DHCP packets carry Option 82 Circuit-ID aaa be cd ef g.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] undo ip subscriber nas-port-id nasinfo-insert
[Sysname-Route-Aggregation1] ip subscriber trust option82
[Sysname-Route-Aggregation1] ip subscriber nas-port-id format cn-telecom version5.0
[Sysname-Route-Aggregation1] quit
[Sysname] display access-user
UserID Interface IP address MAC address S-/C-VLAN
Username Access type
IPv6 address
0x33e RAGG1 3.3.3.3 001b-21a8-0949 -/-
3.3.3.3 L2 IPoE dynamic
-
In the RADIUS debugging information, NAS-Port-Id="aaa be cd ef g"
Related commands
ip subscriber trust
ip subscriber nas-port-id format
ip subscriber ndrs domain
Use ip subscriber ndrs domain to configure an ISP domain for IPv6 ND RS users.
Use undo ip subscriber ndrs domain to restore the default.
Syntax
ip subscriber ndrs domain domain-name
undo ip subscriber ndrs domain
Default
No ISP domain is specified for IPv6 ND RS users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
This command specifies an ISP domain for IPv6 ND RS users. The specified ISP domain must exist on the BRAS.
An IPv6 ND RS user can obtain ISP domains in multiple ways. An ISP domain is selected for an IPv6 ND RS user in the following order until a match is found:
1. ISP domain specified by using the ip subscriber ndrs domain command. If the ISP domain has not been created, the user fails to come online.
2. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Examples
# Configure ISP domain dm1 for IPv6 ND RS users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber ndrs domain dm1
Related commands
ip subscriber initiator ndrs enable
ip subscriber ndrs max-session
Use ip subscriber ndrs max-session to set the IPoE session limit for IPv6 ND RS packet initiation on an interface.
Use undo ip subscriber ndrs max-session to restore the default.
Syntax
ip subscriber ndrs max-session max-number
undo ip subscriber ndrs max-session
Default
The IPoE session limit for IPv6 ND RS packet initiation on an interface is not set.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the IPv6 single-stack IPoE session limit for IPv6 ND RS packet initiation. The value range for this argument is 1 to 64000.
Usage guidelines
Operating mechanism
If the IPoE session limit for IPv6 ND RS packet initiation is reached, no more IPoE sessions can be initiated by IPv6 ND RS packets. IPoE sessions initiated by IPv6 ND RS packets include single-stack IPv6 sessions and dual-stack sessions.
If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.
Restrictions and guidelines
When this command is executed together with the ip subscriber max-session command, the two commands both take effect. The two commands control sessions in different perspectives, and the number of sessions is controlled by both commands. A new session can be established only when neither limit is reached.
Examples
# Set the IPoE session limit to 100 for IPv6 ND RS packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber ndrs max-session 100
Related commands
ip subscriber initiator ndrs enable
ip subscriber max-session
ip subscriber ndrs username
Use ip subscriber ndrs username to configure an authentication user naming convention for IPv6 ND RS users.
Use undo ip subscriber ndrs username to restore the default.
Syntax
ip subscriber ndrs username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vlan [ separator separator ] } *
undo ip subscriber ndrs username
Default
No authentication user naming convention is configured for IPv6 ND RS users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
nas-port-id: Includes the NAS-Port-ID attribute in a username.
port: Includes the number of the port that receives the user packets in a username.
second-vlan: Includes the inner VLAN ID in a username.
slot: Includes the number of the slot that receives the user packets in a username.
source-mac: Includes the source MAC address in a username.
address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
string string: Includes the specified string in a username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
subslot: Includes the number of the subslot that receives the user packets in a username.
sysname: Includes the name of the device that receives the user packets in a username.
vlan: Includes the outer VLAN ID in a username.
separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
Usage guidelines
Operating mechanism
Usernames obtained based on the naming convention are used for authentication and must be the same as those configured on the AAA server.
Restrictions and guidelines
You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.
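The following Python function is an added example, not H3C code, and assembles a username the way the naming convention above describes: the selected options in configuration order, each joined to the one that follows by its separator, with the source MAC rendered with or without an address-separator. It also rejects the at sign (@) as a separator, since the page states the AAA server cannot parse such usernames. The per-user field values and the "nas-port-id" string are constructed sample data; the second convention is the one from the examples below.

```python
# Added example (not from the H3C documentation): builds an IPoE authentication
# username from an ip subscriber ndrs username include ... naming convention.

AT_SIGN = "@"  # the AAA server cannot parse a username containing '@'

OPTION_KEYWORDS = ("nas-port-id", "port", "second-vlan", "slot",
                   "subslot", "sysname", "vlan")


def format_mac(mac_hex, address_separator=None):
    """12 hex digits -> xxxx<sep>xxxx<sep>xxxx with the given address-separator,
    or the non-separated form when no address-separator is configured."""
    mac_hex = mac_hex.lower()
    if len(mac_hex) != 12 or any(c not in "0123456789abcdef" for c in mac_hex):
        raise ValueError("MAC must be 12 hex digits")
    if address_separator is None:
        return mac_hex
    if address_separator == AT_SIGN:
        raise ValueError("'@' is not allowed as address-separator")
    return address_separator.join(mac_hex[i:i + 4] for i in range(0, 12, 4))


def build_username(convention, user):
    """convention: list of (keyword, separator) or (keyword, separator, extra)
    tuples in CLI order; separator is None when not configured; extra is the
    address-separator for source-mac or the literal text for string.
    user: dict holding the values of the option keywords for this user."""
    pieces = []
    last = len(convention) - 1
    for index, entry in enumerate(convention):
        keyword, separator = entry[0], entry[1]
        extra = entry[2] if len(entry) > 2 else None
        if keyword == "source-mac":
            value = format_mac(user["source-mac"], extra)
        elif keyword == "string":
            value = extra
        elif keyword in OPTION_KEYWORDS:
            value = str(user[keyword])
        else:
            raise ValueError(f"unknown keyword {keyword!r}")
        pieces.append(value)
        # A separator sits between an option and the option that follows it.
        if separator is not None and index < last:
            if separator == AT_SIGN:
                raise ValueError("'@' is not allowed as separator")
            pieces.append(separator)
    return "".join(pieces)


# Constructed sample user (the MAC is the one shown in the page's display output).
SAMPLE_USER = {"sysname": "Sysname", "slot": 0, "subslot": 0, "port": 15,
               "vlan": 100, "second-vlan": 200,
               "nas-port-id": "sample-nas-port-id", "source-mac": "001b21a80949"}
# Convention from the page's second example: sysname # slot # subslot # port # vlan
PAGE_CONVENTION = [("sysname", "#"), ("slot", "#"), ("subslot", "#"),
                   ("port", "#"), ("vlan", None)]
```

Because the username must match what is provisioned on the AAA server, keeping the convention (and therefore this assembly order) identical on every access interface that serves the same subscribers avoids silent authentication failures.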
Examples
# Configure the source MAC addresses as the authentication usernames for IPv6 ND RS users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber ndrs username include source-mac
# Configure an authentication user naming convention for IPv6 ND RS users on Ten-GigabitEthernet 0/0/15. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber ndrs username include sysname separator # slot separator # subslot separator # port separator # vlan
Related commands
ip subscriber initiator ndrs enable
ip subscriber password
ip subscriber ndrs user-detect-address eui-64
Use ip subscriber ndrs user-detect-address eui-64 to configure the IPv6 addresses generated in EUI-64 method as the destination addresses of online detection.
Use undo ip subscriber ndrs user-detect-address to restore the default.
Syntax
ip subscriber ndrs user-detect-address eui-64
undo ip subscriber ndrs user-detect-address
Default
The link-local addresses of endpoints (in the format of FE80+endpoint interface ID) are used as the destination addresses of online detection.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
Endpoints come in many types and follow different rules for using IPv6 addresses. When an endpoint comes online, the BRAS cannot control whether the IPv6 address the endpoint actually uses is the one the BRAS allocated. For example, the BRAS allocates IPv6 address A to an endpoint. When the BRAS performs online detection with destination address A, the endpoint responds to the probe packets from IPv6 address B. As a result, the online detection fails, and when the number of online detection failures exceeds the configured threshold, the endpoint is wrongly forced offline.
To resolve this issue, by default, when the device uses ND NS packets as probe packets for online detection of IPv6 ND RS users, it uses the link-local addresses of the online users (format: FE80+user interface ID) as the destination addresses of online detection.
When the interface ID of a user's IPv6 address meets the IEEE EUI-64 format requirements and the interface generates IPv6 addresses in the EUI-64 format, you can use this command to make the interface use the generated IPv6 address as the destination address of probe packets.
Operating mechanism
After you execute this command, the device uses the IPv6 address generated from the ND prefix plus the interface ID in EUI-64 format as the destination address of online detection.
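The following Python example is added here and is not H3C code. It derives the two candidate probe destinations the text describes: the user's link-local address (the default) and the ND prefix combined with the modified EUI-64 interface ID computed from the user's MAC (this command). It also checks the precondition the page names, namely that the endpoint's interface ID really is EUI-64-derived. The MAC 001b-21a8-0949 comes from the page's display output; the link-local address, the privacy-style address and the prefix 2001:db8:1::/64 are constructed sample values, and raising an error when the interface ID is not EUI-64 is this model's choice, not documented device behaviour.

```python
import ipaddress

# Added example (not from the H3C documentation): online-detection destination
# addresses for IPv6 ND RS users, default versus user-detect-address eui-64.


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID from a 48-bit MAC: the first three octets,
    ff:fe, the last three octets, with the universal/local bit (0x02 of the
    first octet) inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def interface_id_is_eui64(address, mac):
    """True when the low 64 bits of the address equal EUI-64(mac), i.e. the
    endpoint derives its interface ID from its MAC (the precondition the page
    names for using this command)."""
    packed = ipaddress.IPv6Address(address).packed
    return packed[8:] == eui64_interface_id(mac)


def eui64_address(prefix, mac):
    """ND prefix (/64) + EUI-64 interface ID: the address this command makes
    the BRAS probe."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def detect_destination(link_local, nd_prefix, mac, eui64_mode):
    """Destination of the ND NS probe: the user's link-local address by default,
    or the EUI-64 global address once ip subscriber ndrs user-detect-address
    eui-64 is configured. Raising on a non-EUI-64 interface ID is an assumption
    of this model (the page only says to use the command when the ID is EUI-64)."""
    if not eui64_mode:
        return ipaddress.IPv6Address(link_local)
    if not interface_id_is_eui64(link_local, mac):
        raise ValueError("endpoint interface ID is not EUI-64; keep the default")
    return eui64_address(nd_prefix, mac)
```

Before enabling the command on an interface, running interface_id_is_eui64 over the learned link-local addresses of its online users shows whether endpoints with privacy or random interface IDs are present; for those, probing the EUI-64 address would fail and eventually force the user offline, the very problem the default is meant to avoid.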
Examples
# Configure the IPv6 addresses generated in EUI-64 method as the destination addresses of online detection on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber ndrs user-detect-address eui-64
Related commands
ip subscriber user-detect ipv6
ip subscriber ndrs wait-delegation-prefix
Use ip subscriber ndrs wait-delegation-prefix to allow users to come online through ND RS only after they come online through IA_PD.
Use undo ip subscriber ndrs wait-delegation-prefix to restore the default.
Syntax
ip subscriber ndrs wait-delegation-prefix
undo ip subscriber ndrs wait-delegation-prefix
Default
The users can come online through IA_PD and ND RS in any order.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
As shown in Figure 8, a CPE supports applying for ND prefixes and PD prefixes from the BRAS through the following methods:
· NDRA—The CPE actively sends an ND RS packet to the BRAS. The BRAS returns an ND prefix to the connected CPE WAN interface through an ND RA packet. The CPE uses the ND prefix to generate a global unicast IPv6 address for the CPE WAN interface. The IPv6 address is used for remotely managing the CPE.
· IA_PD—The CPE actively sends DHCPv6 requests to the BRAS. The BRAS allocates a PD prefix to the CPE through DHCPv6 (IA_PD). The CPE automatically assigns the obtained PD prefix to the attached hosts, and these hosts use the PD prefix to generate global unicast IPv6 addresses.
Figure 8 Network diagram for address assignment through NDRA+DHCPv6 (IA_PD)
In the network shown in Figure 8, if a CPE fails to come online through IA_PD, the hosts attached to the CPE cannot generate global unicast IPv6 addresses to access network resources. In this case, even if the CPE comes online through NDRA, the hosts cannot obtain IPv6 addresses, and the ND RS user entries of the CPE still occupy system resources on the BRAS. As a best practice, use this command in an NDRA+DHCPv6 (IA_PD) network to allow users to come online through ND RS only after they have come online through IA_PD.
Restrictions and guidelines
For users to successfully come online through ND RS in any other network, do not configure this feature.
Examples
# Allow users to come online through ND RS only after they come online through IA_PD on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber ndrs wait-delegation-prefix
Related commands
ip subscriber initiator ndrs enable
ip subscriber password
Use ip subscriber password to set the password for individual users.
Use undo ip subscriber password to restore the default.
Syntax
ip subscriber password { mac-address [ address-separator address-separator ] [ lowercase | uppercase ] | { ciphertext | plaintext } string }
undo ip subscriber password
Default
No password is set for individual users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
mac-address: Uses a MAC address as the password. The MAC address of the user is used preferentially. If the user MAC address cannot be obtained, the source MAC address of the packets is used. By default, the letters in the MAC address are lower-case and the MAC address does not contain hyphens.
address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the password is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the password is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a password containing the at sign (@).
lowercase: Specifies the letters in the MAC address as lower-case.
uppercase: Specifies the letters in the MAC address as upper-case.
ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.
plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.
Usage guidelines
Application scenarios
To avoid configuring passwords for each initiation method separately when multiple individual session initiation methods are configured on an interface, you can use this command to uniformly configure authentication passwords for all individual users on an interface.
Operating mechanism
For individual users using bind authentication, a password is selected in the following order until a match is found:
1. Password obtained by using the ip subscriber dhcp password and ip subscriber dhcpv6 password option16 commands. (Applicable to only DHCP users.)
2. The password parameter specified in the ip subscriber session static command. (Applicable to only static users.)
3. Password configured by using the ip subscriber password command.
4. The string vlan.
For Web authentication and Web MAC authentication in the preauthentication phase, a password is selected for individual users in the same order a password is selected for individual users using bind authentication.
For Web authentication in the Web authentication phase, a password is selected in the following order for individual users until a match is found:
1. Password that the user enters when logging in.
2. Password configured by using the ip subscriber password command.
3. The string vlan.
For Web MAC authentication in the Web authentication phase, a password is selected in the following order for individual users until a match is found:
1. Password configured by using the ip subscriber password command.
2. The string vlan.
Examples
# Configure the plaintext password as 123 for individual users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber password plaintext 123
Related commands
ip subscriber dhcp username
ip subscriber unclassified-ip username
ip subscriber dhcp password
ip subscriber dhcpv6 password option16
ip subscriber pre-auth domain
Use ip subscriber pre-auth domain to specify a preauthentication domain.
Use undo ip subscriber pre-auth domain to restore the default.
Syntax
ip subscriber pre-auth domain domain-name
undo ip subscriber pre-auth domain
Default
No preauthentication domain is specified.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
You can modify the preauthentication domain. By default, a preauthentication domain is selected in the following order until a match is found:
· For dynamic DHCP users:
a. Domain information obtained from the option. The domain information is obtained from the option in the same way as in the bind authentication method. If the domain has not been created, proceed with the next step.
b. Service-specific domain. If the domain has not been created, the user fails to come online.
c. Preauthentication domain configured by using the ip subscriber pre-auth domain command. If the domain has not been created, the user fails to come online.
d. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
· For static users:
a. Authentication domain configured by using the ip subscriber session static command. If the domain has not been created, the user fails to come online.
b. Preauthentication domain configured by using the ip subscriber pre-auth domain command. If the domain has not been created, the user fails to come online.
c. Service-specific domain. If the domain has not been created, the user fails to come online.
d. Domain configured by using the ip subscriber unclassified-ip domain command. If the domain has not been created, the user fails to come online.
e. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Restrictions and guidelines
This command takes effect only for DHCP users and static individual users using the Web authentication method and the Web MAC authentication method.
If you specify a preauthentication domain, users must pass the preauthentication before obtaining IP addresses (applicable to only DHCP users) and authorization attributes configured for the preauthentication domain. Users will obtain new authorization information after passing the Web authentication.
For Web authentication users, preauthentication is required every time they come online. The user information is deleted upon a preauthentication failure.
New settings in the preauthentication domain do not take effect for users who have passed the preauthentication.
You must configure the Web server URL and user group authorization attributes in the preauthentication domain for redirecting users to the Web authentication page. For more information about the Web server URL and user group, see AAA configuration in BRAS Services Configuration Guide.
Examples
# Specify ISP domain dm1 as the preauthentication domain on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber pre-auth domain dm1
Related commands
authorization-attribute user-group (BRAS Services Command Reference)
domain default enable (BRAS Services Command Reference)
ip subscriber authentication-method
web-server url (BRAS Services Command Reference)
ip subscriber pre-auth track
Use ip subscriber pre-auth track to associate a fail-permit user group with a track entry.
Use undo ip subscriber pre-auth track to restore the default.
Syntax
ip subscriber pre-auth track track-entry-number fail-permit user-group group-name
undo ip subscriber pre-auth track
Default
A fail-permit user group is not associated with a track entry.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
track track-entry-number: Specifies a track entry by its ID in the range of 1 to 1024.
user-group group-name: Specifies a fail-permit user group by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Operating mechanism
With this command configured, when the device detects that the Web authentication server or AAA server is unreachable, the device allows users to access network resources without Web authentication. This process is called Web authentication fail-permit.
You can implement Web authentication fail-permit by associating a fail-permit user group with a track entry.
By default, the Web authentication users that come online in the preauthentication domain belong to the user group authorized by AAA or authorized in the ISP domain when the users come online. After a fail-permit user group is associated with a track entry, the following rules apply:
· When the status of the track entry becomes Negative, the access device moves all online users in the current preauthentication domain from the authorized user group to the fail-permit user group. Then, the users can access network resources according to the privilege of the fail-permit user group.
· When the status of the track entry becomes Positive, the access device will move all online users in the current preauthentication domain back to the authorized user group. Then, the users can access network resources only after passing Web authentication.
To monitor the status of multiple servers, you can configure the tracked object list. For more information about track, see track configuration in High Availability Configuration Guide.
Restrictions and guidelines
This command takes effect only on users in the IPoE Web preauthentication domain.
If you execute this command multiple times, the most recent configuration takes effect.
In the preauthentication fail-permit scenario for IPoE Web users, only one user-group bind nat-instance command is allowed in the user preauthentication domain for user group load sharing. To avoid malfunctions, do not execute the user-group bind nat-instance command multiple times in that domain.
Examples
# Associate fail-permit user group web with track entry 1 on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber pre-auth track 1 fail-permit user-group web
Related commands
authorization-attribute user-group (BRAS Services Command Reference)
user-group bind nat-instance (BRAS Services Command Reference)
ip subscriber reauth
Use ip subscriber reauth to enable re-authentication for IPoE users in the specified IP address range.
Use undo ip subscriber reauth to disable re-authentication for IPoE users in the specified IP address range.
Syntax
IPv4:
ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ] [ vpn-instance vpn-instance-name ] domain domain-name
undo ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ]
IPv6:
ip subscriber reauth ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ] domain domain-name
undo ip subscriber reauth ipv6 start-ipv6-address [ end-ipv6-address ]
Dual-stack:
ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ] domain domain-name
undo ip subscriber reauth ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ]
Default
Re-authentication is disabled for IPoE users.
Views
System view
Predefined user roles
network-admin
Parameters
ip: Specifies IPv4 addresses of users.
· start-ipv4-address: Specifies the start IPv4 address of users.
· end-ipv4-address: Specifies the end IPv4 address of users, which cannot be lower than the start IPv4 address. If you do not specify this argument or the specified address is the same as the start-ipv4-address value, only one user IPv4 address start-ipv4-address is specified. Otherwise, users with IPv4 addresses in the range of start-ipv4-address to end-ipv4-address are specified.
ipv6: Specifies IPv6 addresses of users.
· start-ipv6-address: Specifies the start IPv6 address of users.
· end-ipv6-address: Specifies the end IPv6 address of users, which cannot be lower than the start IPv6 address. If you do not specify this argument or the specified address is the same as the start-ipv6-address value, only one user IPv6 address start-ipv6-address is specified. Otherwise, users with IPv6 addresses in the range of start-ipv6-address to end-ipv6-address are specified.
vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the users belong to the public network.
domain domain-name: Specifies an ISP domain name for re-authentication, a case-insensitive string of 1 to 255 characters. The name cannot contain slashes (/), back slashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@).
Usage guidelines
Application scenarios
To perform special permission control for some users whose IP addresses are allocated by DHCP (for example, dumb terminals whose IP addresses and MAC addresses are bound in the static address binding method), you can enable re-authentication for IPoE users in the specified IP address range. After you enable this feature, when an IPoE user passes authentication and comes online with an IP address in the IP address range specified by using this command, the device will immediately use the ISP domain specified in this command to re-authenticate the user. Then, the device can perform unified permission control for users in the re-authentication domain.
In the current software version, this feature supports only IPoE DHCP users.
For a dual-stack IPoE DHCP user:
· If the user meets the conditions for triggering re-authentication after coming online in the first protocol stack (for example, IPv4) and has passed re-authentication, and the user also meets the conditions for triggering re-authentication after coming online in the second protocol stack (for example, IPv6), the user does not need to perform re-authentication in the second protocol stack, and directly comes online in the re-authentication domain.
· If the user meets the conditions for triggering re-authentication after coming online in the first protocol stack (for example, IPv4) and has passed re-authentication, but the user does not meet the conditions for triggering re-authentication after coming online in the second protocol stack (for example, IPv6), the user will be switched to the ISP domain for the first authentication.
· If the user does not meet the conditions for triggering re-authentication after coming online in the first protocol stack (for example, IPv4), re-authentication is not triggered for the user even if the user meets the conditions for triggering re-authentication after coming online in the second protocol stack (for example, IPv6).
Restrictions and guidelines
Executing or editing this command takes effect only on new users.
To provide the access service for IPoE Web authentication users, plan the IP addresses reasonably to prevent IPoE Web authentication users from matching the IP address range specified in this command. If you do not do that, the IPoE Web authentication feature might fail to operate normally.
If the 802.1X authentication mode is configured on an interface by using the ip subscriber authentication-method dot1x command, re-authentication is not triggered after an IPoE user passes authentication and comes online from that interface, even if the IP address of the IPoE user matches the range specified in the ip subscriber reauth command.
Examples
# Configure IPoE users with IP addresses in the range of 20.0.0.1 to 20.0.0.200 to use domain dm1 for re-authentication after coming online.
<Sysname> system-view
[Sysname] ip subscriber reauth ip 20.0.0.1 20.0.0.200 domain dm1
ip subscriber roaming enable
Use ip subscriber roaming enable to enable roaming for IPoE individual users on an interface.
Use undo ip subscriber roaming enable to disable roaming for IPoE individual users on an interface.
Syntax
ip subscriber roaming enable [ roam-group roam-group-name ]
undo ip subscriber roaming enable
Default
Roaming is disabled for IPoE individual users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
roam-group roam-group-name: Specifies a roaming group by its name, a case-sensitive string of 1 to 15 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify this option, all roaming-enabled interfaces belong to the default roaming group, which does not have a name.
Usage guidelines
Operating mechanism
Online IPoE individual users can roam between different interfaces or VLANs.
To reduce roaming users' impact on other users, you can limit the roaming range by using a roaming group. An online user can roam only within the roaming group of the interface through which the user comes online. For example, user A and user B both use the IP address 1.1.1.1/24 and belong to the same VPN instance. User A first comes online on interface A through unclassified-IP packet initiation. Both interface A and interface B are enabled with roaming but not configured with roaming groups. In this case, when user B comes online on interface B through unclassified-IP packet initiation, the device logs off user A. For user A and user B to come online simultaneously, configure different roaming groups for interface A and interface B. This configuration isolates the roaming range of user A from the roaming range of user B.
Restrictions and guidelines
In a DHCP relay agent network, you must execute the dhcp-proxy enable command on the DHCP relay agent interface to enable DHCP server proxy (enabled by default) on the relay agent. For more information about DHCP relay agents, see DHCP configuration in BRAS Services Configuration Guide.
Online users cannot roam between a roaming-enabled interface and an interface without roaming enabled.
For an IPoE user to roam correctly, configure the interface before roaming and the interface after roaming as follows:
· Enable IPoE for the same protocol stack.
· Configure the same IPoE authentication method, authentication domain, roaming group, IP address type (IPv4 or IPv6) on which the main service of IPoE users depends, and Option79 trusting state (required only for DHCPv6 users).
The following events might lead to failures in the process of roaming:
· The IP address of the user changes.
· The target interface is not configured with the same IPoE session initiation method as the interface before roaming.
· The target interface and the current interface are not in the same roaming group.
· For dynamic individual users:
¡ If a VPN instance is authorized to the roaming user and the target interface is bound to a VPN instance, the target interface can be bound to a VPN instance different from the authorized VPN instance. In this case, when the user roams to the target interface, the authorized VPN instance still takes effect.
¡ If no VPN instance is authorized to the roaming user and the interface before roaming is bound to a VPN instance, the target interface must be bound to the same VPN instance.
· For global static individual users:
¡ If a VPN instance is authorized to the roaming user, the following rules apply:
- If the strict-check access-interface vpn-instance command is executed in the authorized domain, the target interface must be bound to the same VPN instance as the authorized VPN instance. Otherwise, the user cannot roam to the target interface.
- If the strict-check access-interface vpn-instance command is not executed in the authorized domain, the target interface can be bound to no VPN instance, or to a VPN instance different from the authorized VPN instance.
¡ No VPN instance is authorized to the roaming user, no VPN instance is specified in the static session, the interface before roaming is bound to a VPN instance, and the target interface is bound to a different VPN instance.
· For dual-stack users formed by global static individual users and dynamic individual users:
¡ If the dynamic individual user roams: a VPN instance is specified in the global static individual session, and the target interface is bound to a VPN instance different from the VPN instance specified in the global static individual session.
¡ If the global static individual user roams: the events that lead to roaming failures are the same as those for common global static individual users.
If the roaming fails, the user must perform authentication again on the destination interface in order to come online. Re-authentication takes a certain period of time.
For static individual users, roaming takes effect as follows:
· For interface-level static individual users, roaming is supported only when you configure IPoE static sessions in interface view by using the ip subscriber session static command without specifying a VLAN. In this case, only roaming across different VLANs of the interface is supported.
· For global static individual users or dual-stack users formed by global static individual users and dynamic individual users, when you execute the ip subscriber session static command in system view, the following rules apply:
¡ If a user access interface is specified but no VLAN is specified, roaming across different VLANs of the interface is supported.
¡ If no user access interface is specified and a user comes online through a roaming-enabled interface, roaming across all roaming-enabled interfaces is supported.
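The prerequisites and failure causes listed under Restrictions and guidelines above can be turned into a pre-change audit: before moving a subscriber-facing VLAN or interface, compare the interface before roaming with the target interface attribute by attribute. The following Python model is an added example written for this page, not device code or an H3C tool; the IfaceProfile field names, the sample interface profiles and the string values for authentication methods and initiators are constructed assumptions, and only the VPN rule for dynamic individual users without an authorized VPN instance is modeled.

```python
"""Audit whether a dynamic IPoE individual user can roam between two interfaces.

Constructed model of the roaming prerequisites in the command reference above;
it is not device code. Field names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class IfaceProfile:
    """Attributes that must match on the interface before and after roaming."""
    name: str
    roaming_enabled: bool
    roam_group: Optional[str]          # None models the unnamed default group
    ipoe_stacks: FrozenSet[str]        # e.g. {"ipv4"} or {"ipv4", "ipv6"}
    auth_method: str                   # e.g. "bind", "web", "dot1x" (assumed labels)
    auth_domain: str
    main_service_ip_type: str          # "ipv4" or "ipv6"
    initiators: FrozenSet[str]         # enabled session initiation methods
    option79_trusted: bool = False     # only relevant for DHCPv6 users
    vpn_instance: Optional[str] = None # VPN instance bound to the interface


def roaming_blockers(src: IfaceProfile, dst: IfaceProfile, user_initiator: str,
                     user_is_dhcpv6: bool = False,
                     authorized_vpn: Optional[str] = None) -> List[str]:
    """Return the reasons roaming from src to dst would fail (empty = none found).

    Each check mirrors one bullet in the restrictions above.
    """
    reasons: List[str] = []
    if not (src.roaming_enabled and dst.roaming_enabled):
        reasons.append("roaming must be enabled on both interfaces")
    if src.roam_group != dst.roam_group:
        reasons.append("interfaces are in different roaming groups")
    if src.ipoe_stacks != dst.ipoe_stacks:
        reasons.append("IPoE is not enabled for the same protocol stacks")
    if src.auth_method != dst.auth_method:
        reasons.append("authentication methods differ")
    if src.auth_domain != dst.auth_domain:
        reasons.append("authentication domains differ")
    if src.main_service_ip_type != dst.main_service_ip_type:
        reasons.append("main-service IP address types differ")
    if user_is_dhcpv6 and src.option79_trusted != dst.option79_trusted:
        reasons.append("Option 79 trusting state differs")
    if user_initiator not in dst.initiators:
        reasons.append(f"target lacks the {user_initiator} session initiation method")
    # Dynamic user without an AAA-authorized VPN instance: a VPN-bound source
    # interface requires the target to be bound to the same VPN instance.
    if authorized_vpn is None and src.vpn_instance is not None \
            and dst.vpn_instance != src.vpn_instance:
        reasons.append("target interface is not bound to the same VPN instance")
    return reasons


# Constructed sample interfaces (names and values are illustrative only).
IFACE_A = IfaceProfile("XGE0/0/15.1", True, "roam1", frozenset({"ipv4"}), "bind",
                       "dm1", "ipv4", frozenset({"dhcp", "unclassified-ip"}))
IFACE_B = IfaceProfile("XGE0/0/15.2", True, "roam1", frozenset({"ipv4"}), "bind",
                       "dm1", "ipv4", frozenset({"dhcp", "unclassified-ip"}))
IFACE_C = IfaceProfile("XGE0/0/16.1", True, "roam2", frozenset({"ipv4", "ipv6"}),
                       "bind", "dm1", "ipv4", frozenset({"dhcp"}), vpn_instance="vpn1")

if __name__ == "__main__":
    for src, dst, init in ((IFACE_A, IFACE_B, "dhcp"), (IFACE_A, IFACE_C, "unclassified-ip")):
        found = roaming_blockers(src, dst, init)
        print(f"{src.name} -> {dst.name}: {'ok' if not found else '; '.join(found)}")
```

Run against your own interface inventory, an empty list means no documented prerequisite is violated; a non-empty list names the setting to align before users are moved, which avoids the forced re-authentication delay described above.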
Examples
# Enable roaming for IPoE individual users and specify roaming group roam1 on subinterface Ten-GigabitEthernet 0/0/15.1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.1
[Sysname-Ten-GigabitEthernet0/0/15.1] ip subscriber roaming enable roam-group roam1
Related commands
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber roam-group-mismatch dhcp fast-renew
Use ip subscriber roam-group-mismatch dhcp fast-renew to force an existing online user with the same MAC address as a new online user to go offline if they are in different roaming groups.
Use undo ip subscriber roam-group-mismatch dhcp fast-renew to disable forcing an existing online user with the same MAC address as a new online user to go offline if they are in different roaming groups.
Syntax
ip subscriber roam-group-mismatch dhcp fast-renew
undo ip subscriber roam-group-mismatch dhcp fast-renew
Default
The function of forcing an existing online user with the same MAC address as a new online user to go offline if they are in different roaming groups is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
In roaming scenarios, when a roaming-enabled interface receives an NDRS or DHCP user online request, the system first checks for any online users with the same MAC address by default.
· If no online user exists with the same MAC address, the user comes online as a new user.
· If an online user exists with the same MAC address, the system will further determine whether the new online user and the existing online user with the same MAC belong to the same roaming group.
¡ If yes, the new user roams.
¡ If not, the new NDRS user will come online as a new user, while the new DHCP user cannot come online.
When a user switches areas across roaming groups without going offline in the original roaming group area and comes online in the new roaming group area, the following issues might occur:
· For an NDRS user, the device maintains separate session information in different roaming groups, which consumes device resources and increases maintenance complexity.
· A DHCP user cannot come online.
To address the preceding issues, you can enable the function of forcing an existing online user with the same MAC address as a new online user to go offline if they are in different roaming groups.
Operating mechanism
With this feature enabled, when a roaming-enabled interface receives an online request from a DHCP or NDRS user, the request is processed as follows if an existing online user with the same MAC address belongs to a different roaming group on the device:
· If the existing online user is a single-stack user, the device forces the existing online user to go offline and allows the new user to come online on the new interface.
· If the existing user is a dual-stack user, the device forces the existing user to go offline in the protocol stack of the new user's online request, keeps the existing user online in the other protocol stack, and allows the new user to come online on the new interface.
Restrictions and guidelines
When this feature is enabled in the system view, the following rules apply to DHCP users across roaming groups:
· If you execute the following commands on roaming target interface A, the commands take effect in the protocol stack of the users on interface A.
¡ dhcp session-mismatch action fast-renew
¡ ipv6 dhcp session-mismatch action fast-renew
· If you do not execute the following commands on roaming target interface B, the ip subscriber roam-group-mismatch dhcp fast-renew command takes effect in the protocol stack of the users on interface B.
¡ dhcp session-mismatch action fast-renew
¡ ipv6 dhcp session-mismatch action fast-renew
This feature only applies to IPoE DHCP users and NDRS users and is effective only when roaming is enabled on both the source and target interfaces.
Configure this feature only when users roam across roaming groups.
Examples
# Enable the function of forcing an existing online user with the same MAC address as a new online user to go offline if they are in different roaming groups.
<Sysname> system-view
[Sysname] ip subscriber roam-group-mismatch dhcp fast-renew
Related commands
dhcp session-mismatch action (Layer 3—IP Services Command Reference)
ipv6 dhcp session-mismatch action (Layer 3—IP Services Command Reference)
ip subscriber roam-group-mismatch unclassified-ip roam
Use ip subscriber roam-group-mismatch unclassified-ip roam to enable roaming for a new online user with the same IP and MAC addresses as an existing online user in a different roaming group.
Use undo ip subscriber roam-group-mismatch unclassified-ip roam to restore the default.
Syntax
ip subscriber roam-group-mismatch unclassified-ip roam
undo ip subscriber roam-group-mismatch unclassified-ip roam
Default
Roaming is disabled for a new online user with the same IP and MAC addresses as an existing online user in a different roaming group.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
When a roaming-enabled interface receives online requests triggered by IP/ARP/NS/NA packets from a new unclassified-IP user, the interface checks for online users with the same IP and MAC addresses on the device by default.
· If such a user does not exist, the new user comes online as a new user.
· If such a user exists, the system identifies whether the new online user and the existing online user with the same IP and MAC addresses belong to the same roaming group:
¡ If yes, the new user roams.
¡ If not, the new user comes online as a new user.
When a user switches areas across roaming groups without going offline in the original roaming group area and comes online in the new roaming group area, the new user might either come online successfully or fail to come online.
· If the new user comes online successfully, the device maintains separate session information for the user across different roaming groups, which consumes device resources and increases maintenance complexity.
· If the new user fails to come online, the user will fail to access the system.
To address the preceding issues, you can enable roaming for a new online user with the same IP and MAC addresses as an existing online user in a different roaming group.
Operating mechanism
With this feature enabled, the system processes the packets received by an interface depending on the packet type:
· When a roaming-enabled interface receives online requests triggered by a user's IP/ARP/NS/NA packets, the following rules apply:
¡ If the device has an existing online user with the same IP and MAC addresses but belonging to a different roaming group, the device will perform roaming for the user. For example, on a BRAS, interface A and interface B belong to two different roaming groups. User1 initially came online successfully through DHCP on interface A. The device will roam User1 from interface A to interface B if the following conditions exist:
- User1 moves to interface B without going offline on interface A.
- User1 directly uses the IP address obtained when initially coming online on interface A to send IP/ARP/NS/NA packets to trigger online requests.
¡ If no online user exists with the same IP and MAC addresses, User1 comes online as a new user.
· When a roaming-enabled interface receives an online request from a DHCP user or NDRS user, the following rules apply:
¡ If the device has an existing online user with the same MAC address but belonging to a different roaming group, the device will perform the following operations:
- Force the existing online user to go offline in all protocol stacks, whether single-stack or dual-stack.
- Allow the new user to come online on a new interface.
For example, on a BRAS, interface A and interface B belong to two different roaming groups. User1 initially came online successfully through DHCP on interface A. If User1 moves to interface B without going offline on interface A and initiates a new DHCP online request on interface B, the device will force the user with the same MAC address as User1 on interface A to go offline and allow User1 to come online again on interface B.
¡ If no online user with the same MAC address exists, User1 comes online as a new user.
Restrictions and guidelines
This command takes effect only in Layer 2 IPoE access mode.
Configure this feature only when users roam across roaming groups.
Examples
# Enable roaming for a new online user with the same IP and MAC addresses as an existing online user in a different roaming group.
<Sysname> system-view
[Sysname] ip subscriber roam-group-mismatch unclassified-ip roam
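The two roam-group-mismatch commands above change what happens when a request arrives whose MAC address (or IP and MAC address pair) already belongs to an online user in another roaming group, and the outcome differs by request type, feature state and whether the existing user is single-stack or dual-stack. The following Python decision model is an added example for this page, not device code; it assumes the session and request field names shown, and, since the page does not state a precedence when both features are enabled, it applies the unclassified-ip roam rule (offline in all stacks) before the dhcp fast-renew rule. An operator can use it to reason about when a duplicate MAC address in another roaming group preempts an existing session.

```python
"""Decision model for online requests that collide with an existing online user
in a different roaming group. Constructed from the rules described for the
ip subscriber roam-group-mismatch commands; not device code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Session:
    """An online IPoE user as the device tracks it (assumed field names)."""
    mac: str
    ip: str
    roam_group: Optional[str]          # None models the unnamed default group
    stacks: Set[str] = field(default_factory=lambda: {"ipv4"})
    online: bool = True


@dataclass(frozen=True)
class Request:
    """A new online request on a roaming-enabled interface."""
    kind: str                          # "dhcp", "ndrs", or "unclassified" (IP/ARP/NS/NA)
    mac: str
    ip: str
    roam_group: Optional[str]          # roaming group of the receiving interface
    stack: str                         # "ipv4" or "ipv6"


def handle_request(req: Request, sessions: List[Session],
                   dhcp_fast_renew: bool = False,
                   unclassified_roam: bool = False) -> str:
    """Return 'new', 'roam', 'reject' or 'preempt'.

    'preempt' means an existing user was forced offline (fully or in one
    stack) so the new user could come online. The sessions list is updated
    in place to reflect that.
    """
    if req.kind == "unclassified":
        # Unclassified-IP requests are matched on IP address and MAC address.
        match = next((s for s in sessions
                      if s.online and s.mac == req.mac and s.ip == req.ip), None)
        if match is None:
            return "new"
        if match.roam_group == req.roam_group or unclassified_roam:
            return "roam"
        return "new"          # default: separate session in the other group

    # DHCP and NDRS requests are matched on MAC address only.
    match = next((s for s in sessions if s.online and s.mac == req.mac), None)
    if match is None:
        return "new"
    if match.roam_group == req.roam_group:
        return "roam"
    if unclassified_roam:
        # roam-group-mismatch unclassified-ip roam: existing user goes offline
        # in all protocol stacks, the new user comes online on the new interface.
        match.online = False
        match.stacks.clear()
        return "preempt"
    if dhcp_fast_renew:
        # roam-group-mismatch dhcp fast-renew: a dual-stack user is taken
        # offline only in the requesting stack; a single-stack user fully.
        if len(match.stacks) > 1:
            match.stacks.discard(req.stack)
        else:
            match.online = False
            match.stacks.clear()
        return "preempt"
    # Default behaviour without either feature.
    return "new" if req.kind == "ndrs" else "reject"


if __name__ == "__main__":
    # Constructed sample: a dual-stack user online in roam1, request arrives in roam2.
    online = [Session("00e0-fc01-0001", "10.0.0.5", "roam1", {"ipv4", "ipv6"})]
    req = Request("dhcp", "00e0-fc01-0001", "10.0.0.5", "roam2", "ipv4")
    print("default:", handle_request(req, online))
    print("fast-renew:", handle_request(req, online, dhcp_fast_renew=True), online[0].stacks)
```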
ip subscriber roam-record max
Use ip subscriber roam-record max to enable recording IPoE user roaming behaviors on the device.
Use undo ip subscriber roam-record max to disable recording IPoE user roaming behaviors on the device.
Syntax
ip subscriber roam-record max count
undo ip subscriber roam-record max
Default
Recording IPoE user roaming behaviors is disabled on a device.
Views
System view
Predefined user roles
network-admin
Parameters
count: Specifies the maximum number of roaming behaviors that can be recorded for all users, in the range of 1 to 64000.
Usage guidelines
Application scenarios
To perform network security checks based on user roaming behaviors or assist in troubleshooting when the user roaming feature is abnormal, you can enable recording user roaming behaviors.
Operating mechanism
With this feature enabled, the device will record information of each user before and after user roaming, such as the access interface, VLAN, and user MAC address. To view this information, execute the display ip subscriber roam-record command.
Restrictions and guidelines
· The count value is the maximum number of roaming records for all users. To prevent a single user from excessively occupying roaming record resources due to frequent roaming, the system sets the upper limit to 10 for the roaming records of a single user.
· When the specified count value is less than the number of user roaming behaviors recorded by the device, the device will delete the older roaming records of some users based on the roaming time until the remaining number of roaming records equals the specified count value.
· When a user roams, the system first identifies whether the number of roaming records of the user has reached the upper limit for a single user. If yes, the system deletes the oldest roaming record for that user and then adds the new roaming record. If the number of roaming records of the user has not reached the upper limit for a single user but the total number of roaming records for all users on the device has reached the set count value, the device deletes the oldest roaming record from all roaming records and then records the new roaming behavior.
· The roaming records of a user are not automatically deleted when the user goes offline. These records can only be overwritten by the new roaming records of other users or deleted by disabling recording user roaming behaviors.
Examples
# Enable recording IPoE user roaming behaviors on the device.
<Sysname> system-view
[Sysname] ip subscriber roam-record max 100
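The record bookkeeping described under Restrictions and guidelines above (a fixed per-user cap of 10, a configurable global cap, eviction of the oldest record by roaming time, and records surviving user logout) determines how much roaming history is actually available when you audit a user's movements. The following Python model is an added example for this page, not device code; the RoamRecord fields are a constructed subset of the information the page says is recorded (access interface, VLAN, user MAC address), and the sequence number stands in for the roaming time.

```python
"""Model of the IPoE roaming-record store configured by ip subscriber roam-record max.

Constructed from the bookkeeping rules described in the command reference; not device
code. Record fields are an assumed subset of what the device records.
"""
from dataclasses import dataclass
from typing import List

PER_USER_LIMIT = 10   # fixed upper limit of roaming records for a single user


@dataclass(frozen=True)
class RoamRecord:
    seq: int              # monotonically increasing stand-in for the roaming time
    user_mac: str
    old_iface: str
    old_vlan: int
    new_iface: str
    new_vlan: int


class RoamRecordStore:
    """Bounded record list with per-user and global eviction, oldest first."""

    def __init__(self, max_count: int) -> None:
        if not 1 <= max_count <= 64000:
            raise ValueError("count must be in the range of 1 to 64000")
        self.max_count = max_count
        self._records: List[RoamRecord] = []   # kept in roaming-time order
        self._seq = 0

    def __len__(self) -> int:
        return len(self._records)

    def records_for(self, mac: str) -> List[RoamRecord]:
        """Roaming history of one user, oldest first."""
        return [r for r in self._records if r.user_mac == mac]

    def add(self, mac: str, old_iface: str, old_vlan: int,
            new_iface: str, new_vlan: int) -> RoamRecord:
        """Record one roaming event, applying the per-user cap before the global cap."""
        self._seq += 1
        rec = RoamRecord(self._seq, mac, old_iface, old_vlan, new_iface, new_vlan)
        user_recs = self.records_for(mac)
        if len(user_recs) >= PER_USER_LIMIT:
            # This user is at the single-user limit: drop the user's oldest record.
            self._records.remove(user_recs[0])
        elif len(self._records) >= self.max_count:
            # Global limit reached: drop the oldest record of any user.
            self._records.pop(0)
        self._records.append(rec)
        return rec

    def set_max(self, new_max: int) -> None:
        """Re-executing the command with a smaller count drops older records
        until the remaining number equals the new count."""
        if not 1 <= new_max <= 64000:
            raise ValueError("count must be in the range of 1 to 64000")
        self.max_count = new_max
        while len(self._records) > new_max:
            self._records.pop(0)

    def disable(self) -> None:
        """undo ip subscriber roam-record max: recording stops and records are deleted."""
        self._records.clear()

    # A user going offline does not touch the store: records persist until
    # overwritten by newer roaming records or the feature is disabled.


if __name__ == "__main__":
    store = RoamRecordStore(100)
    # Constructed sample events: one user hopping between two subinterfaces.
    for i in range(12):
        store.add("00e0-fc01-0001", "XGE0/0/15.1", 10 + (i % 2), "XGE0/0/15.2", 11 - (i % 2))
    print(len(store.records_for("00e0-fc01-0001")), "records kept for the user")
```

Because the per-user cap is fixed at 10, a subscriber that roams more often than that loses its earliest records regardless of the configured count; size the count for the number of users you expect to roam, not for one user's history depth.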
ip subscriber service-identify
Use ip subscriber service-identify to configure the service identifier for users.
Use undo ip subscriber service-identify to restore the default.
Syntax
Layer 3 Ethernet interface view, Layer 3 aggregate interface view, L3VE interface view:
ip subscriber service-identify dscp
undo ip subscriber service-identify
Layer 3 Ethernet subinterface view, Layer 3 aggregate subinterface view, L3VE subinterface view:
ip subscriber service-identify { 8021p { second-vlan | vlan } | dscp | second-vlan | vlan }
undo ip subscriber service-identify
Default
No service identifier is configured for users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
8021p second-vlan: Specifies the 802.1p value of the inner VLAN tag in QinQ mode as the service identifier.
8021p vlan: Specifies the 802.1p value of the VLAN tag or the 802.1p value of the outer VLAN tag in QinQ mode as the service identifier.
dscp: Specifies the DSCP value as the service identifier.
second-vlan: Specifies the inner VLAN ID in QinQ mode as the service identifier.
vlan: Specifies the VLAN ID or the outer VLAN ID in QinQ mode as the service identifier.
Usage guidelines
Operating mechanism
Users include DHCPv4 users, DHCPv6 users, unclassified-IP users, and static individual users.
You must specify an identifier for a service before you bind an ISP domain to the service. Otherwise, the binding does not take effect.
Users whose IP packets contain the specified service identifier will be assigned a service-specific ISP domain.
Restrictions and guidelines
For DHCPv4 users, the trusted Option 60 configuration takes precedence over the global service identifier configuration.
For DHCPv6 users, the trusted Option 16 or Option 17 configuration takes precedence over the global service identifier configuration.
You can configure only one service identifier on each interface.
Examples
# Configure the DSCP value as the service identifier for users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber service-identify dscp
Related commands
ip subscriber 8021p
ip subscriber dscp
ip subscriber vlan
ip subscriber session static (interface view)
Use ip subscriber session static to configure IPoE static individual sessions on an interface.
Use undo ip subscriber session static to delete IPoE static individual sessions on an interface.
Syntax
IPv4:
ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ]
undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ vpn-instance vpn-instance-name ]
IPv6:
ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]
undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]
Dual-stack:
ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ mac mac-address ] [ domain domain-name ] [ password mac ] [ request-online { ip | ipv6 } ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ]
undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]
Default
No IPoE static individual sessions exist on an interface.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
start-ipv4-address: Specifies a start user IPv4 address.
end-ipv4-address: Specifies an end user IPv4 address, which cannot be lower than the start-ipv4-address argument. All users with IP addresses between start-ipv4-address and end-ipv4-address are specified as static users. If you do not specify the end-ipv4-address argument or the specified end-ipv4-address argument is the same as the start-ipv4-address argument, only one IP address is specified.
start-ipv6-address: Specifies a start user IPv6 address.
end-ipv6-address: Specifies an end user IPv6 address, which cannot be lower than the start-ipv6-address argument. All users with IPv6 addresses between start-ipv6-address and end-ipv6-address are specified as static users. If you do not specify the end-ipv6-address argument or the specified end-ipv6-address argument is the same as the start-ipv6-address argument, only one IPv6 address is specified.
vlan vlan-id: Specifies an outer VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.
second-vlan vlan-id: Specifies an inner VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.
mac mac-address: Specifies a user MAC address in the form of H-H-H.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
password: Specifies the password used for user authentication. Static users can obtain authentication passwords in multiple methods. For more information, see the ip subscriber password command.
mac: Uses the user MAC address as the authentication password in the format of HH:HH:HH:HH:HH:HH.
request-online: Specifies the device to actively send ARP, ICMP, ND NS, or ICMPv6 requests to request users to come online. If this keyword is not specified, a user must actively send ARP, ND NS, IPv4, or IPv6 packets to come online.
· ip: Specifies the device to actively send IPv4 packets to request users to come online. In Layer 2 access mode, ARP packets are sent. In Layer 3 access mode, ICMP packets are sent.
· ipv6: Specifies the device to actively send IPv6 packets to request users to come online. In Layer 2 access mode, ND NS packets are sent. In Layer 3 access mode, ICMPv6 packets are sent.
description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. If this option is not specified, the static session does not have a description. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).
gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.
ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the shared gateway address in the IP address pool, for example, the gateway address specified by using the gateway command in a BAS IP address pool.
ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the global unicast address or link-local address of the access interface in Layer 2 access mode or the global unicast address of the access interface in Layer 3 access mode.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static users by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the static users are in the public network.
keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.
Usage guidelines
General restrictions and guidelines
An IPoE static session takes priority over an IPoE dynamic session. If an IPoE static session is configured, the packets matching the IPoE static session cannot initiate new IPoE dynamic sessions. If an unclassified-IP, ARP, NS/NA, DHCP, or ND RS packet has initiated an IPoE dynamic session, you can configure an IPoE static session that matches the unclassified-IP, ARP, NS/NA, DHCP, or ND RS packet, and the configuration does not affect existing online users with the specified IP address. When the users go offline and the device receives packets from these users again, these users preferentially match the IPoE static session.
When the IP addresses specified for a static session overlap with the assignable IP addresses in the DHCP pool, follow these guidelines:
· For an IP address pool, use the dhcp server forbidden-ip or forbidden-ip command to exclude the overlapping IP addresses from dynamic allocation.
· For an IPv6 address pool, use the ipv6 dhcp server forbidden-address command to exclude the overlapping IPv6 addresses from dynamic allocation.
For more information about excluding IP addresses from dynamic allocation, see DHCP commands and DHCPv6 commands in BRAS Services Command Reference.
If you enable IPoE before configuring dual-stack static users, you must enable IPoE for both the IPv4 and IPv6 protocol stacks. Otherwise, you cannot configure dual-stack static users. If you configure dual-stack static users before enabling IPoE, you must enable IPoE for both the IPv4 and IPv6 stacks. Otherwise, you cannot enable IPoE.
On one interface, a maximum of one IPoE session can be configured for one IP address. You cannot use the ip subscriber session static command to modify an IPoE static session configured with the mac, domain, or request-online keyword. To modify such an IPoE session, use the undo form of the command to delete the session, and then reconfigure it with new parameter settings.
When static users do not support 802.1X authentication on an interface, do not configure both 802.1X authentication and interface-level IPoE static individual sessions on the interface. If you do that, the interface-level IPoE static individual sessions configured on the interface might not function normally.
You cannot configure an IPoE static individual user on an interface configured with an interface-leased or L2VPN-leased user.
When a session is configured with an IP address range, the system automatically converts the configuration into multiple static session configurations, each with a separate IP address.
Restrictions and guidelines for the device actively requesting users to come online
For the device to automatically request users to come online, you must configure a static session with the request-online keyword on an interface. Then, the following rules apply:
· For single-stack IPv4 static users:
¡ In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.
¡ In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.
· For single-stack IPv6 static users:
¡ In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.
¡ In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.
· For dual-stack static users:
¡ If a dual-stack static user is configured with the request-online ip keywords:
- In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.
- In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.
¡ If a dual-stack static user is configured with the request-online ipv6 keywords:
- In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.
- In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.
· For static users on a subinterface configured with ambiguous Dot1q termination or ambiguous QinQ termination, for the device to properly request the static users to come online, you must specify VLANs when configuring static sessions or execute the vlan-termination broadcast enable command on the subinterface. As a best practice, specify VLANs when configuring static sessions.
Restrictions and guidelines for unified accounting
To perform unified accounting for dual-stack users, you must configure the IPv4 addresses and IPv6 addresses of these dual-stack users in one ip subscriber session static command. The IPv4 addresses and IPv6 addresses must be in a one-to-one mapping relationship. After the configuration, the device forms the first dual-stack static individual session by using the first IPv4 address and the first IPv6 address. The device forms the second dual-stack static individual session by using the second IPv4 address and the second IPv6 address, and so on.
Restrictions and guidelines for selecting authentication domains for static IPoE users
If you configure multiple ISP domains for a static individual user, an ISP domain is selected for the user in the following order until a match is found:
· When bind authentication is used:
a. ISP domain specified by using the domain domain-name option in this command. If the domain has not been created, the user fails to come online.
b. Service-specific domain. If the domain has not been created, the user fails to come online.
c. ISP domain configured by using the ip subscriber unclassified-ip domain command. If the domain has not been created, the user fails to come online.
d. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
· When Web authentication is used:
¡ For how an ISP domain is selected in the preauthentication phase, see the ip subscriber pre-auth domain command.
¡ For how an ISP domain is selected in the Web authentication phase, see the ip subscriber web-auth domain command.
Restrictions and guidelines for binding VPN instances to static IPoE users
You can bind static IPoE users to VPN instances by using one of the following methods:
· Method 1: Specify the vpn-instance parameter in this command.
· Method 2: Authorize VPN instances to users by using AAA.
· Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.
When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used. If the strict-check access-interface vpn-instance command is executed in an ISP domain, for users to come online successfully, make sure the VPN instances specified by using the three methods are the same.
Restrictions and guidelines for the scenario where one MAC address corresponds to multiple IP addresses
As shown in Figure 9, the firewall performs NAT for the IP addresses of multiple hosts. Because a Layer 2 network exists between the firewall and the BRAS, the IP addresses that trigger IPoE authentication on the BRAS are the NATed IP addresses. Therefore, one MAC address corresponds to multiple IP addresses.
When deploying this scenario, for the same access interface, follow these restrictions and guidelines:
· In Layer 2 IPoE access mode:
¡ For a configured IPv4 single-stack IPoE global static individual session, the device allows users with the same MAC address but different IP addresses to be online simultaneously in the following conditions:
- The dot1x keyword is not configured by using the ip subscriber authentication-method command on the interface.
- The inherit-pppoe keyword is not configured by using the ip subscriber authentication-method command on the interface.
If any of the preceding conditions is not met, the device does not allow users with the same MAC address but different IP addresses to be online simultaneously. While a user with a given MAC address is online, the device does not allow another user with the same MAC address to access the network.
¡ For a configured IPv6 single-stack or dual-stack global static individual session, the device does not allow users with the same MAC address but different IP addresses to be online simultaneously. While a user with a given MAC address is online, the device does not allow another user with the same MAC address to access the network.
· In Layer 3 IPoE access mode, the source MAC address in a user packet is the MAC address of the Layer 3 network device, rather than the MAC address of the user. Therefore, the access device ignores the user MAC address. In this mode, the device naturally allows users with the same MAC addresses but different IP addresses to be online simultaneously.
Examples
# Configure an IPv4 IPoE static session with an IP address of 1.1.1.1 and an ISP domain of dm1 on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber session static ip 1.1.1.1 domain dm1
Related commands
dhcp enable (BRAS Services Command Reference)
ip subscriber password
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ip enable
ip subscriber static-session request-online interval
strict-check access-interface vpn-instance (BRAS Services Command Reference)
ip subscriber session static (system view)
Use ip subscriber session static to configure global IPoE static individual sessions.
Use undo ip subscriber session static to delete global IPoE static individual sessions.
Syntax
Syntax I:
IPv4:
ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]
undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ] [ force ]
IPv6:
ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]
undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ] [ force ]
Dual-stack:
ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ interface interface-type interface-number [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online [ ip | ipv6 ] ] ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ] [ keep-online ]
undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ] [ force ]
Syntax II:
IPv4:
ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] interface-list list-id [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ description string ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]
undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] [ interface-list list-id ] | vpn-instance vpn-instance-name [ force ]
IPv6:
ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] interface-list list-id [ delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ description string ] [ vpn-instance vpn-instance-name ] [ keep-online | support-ds ]
undo ip subscriber session static ipv6 start-ipv6-address [ end-ipv6-address ] [ interface-list list-id ] | vpn-instance vpn-instance-name [ force ]
Dual-stack:
ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] interface-list list-id [ mac mac-address ] [ domain domain-name ] [ username name ] [ password { { ciphertext | plaintext } string | mac } ] [ description string ] [ vpn-instance vpn-instance-name ] [ keep-online ]
undo ip subscriber session static ip start-ipv4-address [ end-ipv4-address ] ipv6 start-ipv6-address [ end-ipv6-address ] [ interface-list list-id ] | vpn-instance vpn-instance-name [ force ]
Default
No global IPoE static individual sessions exist.
Views
System view
Predefined user roles
network-admin
Parameters
start-ipv4-address: Specifies a start user IPv4 address.
end-ipv4-address: Specifies an end user IPv4 address, which cannot be lower than the start-ipv4-address argument. All users with IP addresses between start-ipv4-address and end-ipv4-address are specified as static users. If you do not specify the end-ipv4-address argument or the specified end-ipv4-address argument is the same as the start-ipv4-address argument, only one IP address is specified.
start-ipv6-address: Specifies a start user IPv6 address.
end-ipv6-address: Specifies an end user IPv6 address, which cannot be lower than the start-ipv6-address argument. All users with IPv6 addresses between start-ipv6-address and end-ipv6-address are specified as static users. If you do not specify the end-ipv6-address argument or the specified end-ipv6-address argument is the same as the start-ipv6-address argument, only one IPv6 address is specified.
interface-list list-id: Specifies a static user interface list. Static users can come online only through interfaces on the interface list. For an IP address, you cannot configure both a global IPoE static session and an interface-level IPoE session.
delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length: Specifies the IPv6 delegation prefix (PD prefix) of a user. This option and the support-ds keyword cannot be both configured. If this option is specified for a static session, the whole static session takes effect only on interfaces that are configured to operate in Layer 2 access mode and use the bind authentication method. Each field is explained as follows:
· start-ipv6-prefix: Specifies the start IPv6 delegation prefix of users.
· end-ipv6-prefix: Specifies the end IPv6 delegation prefix of users, which cannot be smaller than the start IPv6 delegation prefix. If you do not specify this argument or the specified end-ipv6-prefix is the same as the start-ipv6-prefix, one user IPv6 delegation prefix start-ipv6-prefix is specified. Otherwise, all IPv6 delegation prefixes in the range of start-ipv6-prefix to end-ipv6-prefix are prefixes of static users. Make sure the number of IPv6 delegation prefixes specified by the start-ipv6-prefix [ end-ipv6-prefix ] option is the same as the number of IPv6 addresses specified in the start-ipv6-address [ end-ipv6-address ] option.
· prefix-length: Specifies the IPv6 delegation prefix length, in the range of 1 to 120.
mac mac-address: Specifies a user MAC address in the form of H-H-H.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
username name: Specifies a username for authentication. The name argument is a case-sensitive string of 1 to 128 characters and cannot contain the following special characters: /\|":*?<>@. Static users can obtain authentication usernames in multiple ways. For more information, see the ip subscriber username command.
password: Specifies the password used for user authentication. Static users can obtain authentication passwords in multiple methods. For more information, see the ip subscriber password command.
· ciphertext: Specifies a password in encrypted form.
· plaintext: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
· string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
· mac: Uses the user MAC address as the authentication password in the format of HH:HH:HH:HH:HH:HH. Letters in MAC addresses are lower case.
interface interface-type interface-number: Specifies an interface by its type and number. If you specify an interface, an IPoE static session is initiated only when packets from the specified interface match the manually configured IPoE static session. If you do not specify an interface, an IPoE static session is initiated when packets from any interfaces match the manually configured IPoE static session.
vlan vlan-id: Specifies an outer VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.
second-vlan vlan-id: Specifies an inner VLAN ID of the user packet, in the range of 1 to 4094. This option is available only for subinterfaces.
request-online: Specifies the device to actively send ARP or ICMP requests to request users to come online. If this keyword is not specified, a user must actively send ARP or IP packets to come online. For a static dual-stack user, if this keyword is specified but the ip or ipv6 protocol stack is not specified, active detection is enabled for both IPv4 and IPv6, and an active detection packet triggers coming online only in the protocol stack of the packet.
· ip: Specifies the device to actively send IPv4 packets to request users to come online. In Layer 2 access mode, ARP packets are sent. In Layer 3 access mode, ICMP packets are sent.
· ipv6: Specifies the device to actively send IPv6 packets to request users to come online. In Layer 2 access mode, ND NS packets are sent. In Layer 3 access mode, ICMPv6 packets are sent.
description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. If this option is not specified, the static session does not have a description. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).
gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.
ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the shared gateway address in the IP address pool, for example, the gateway address specified by using the gateway command in a BAS IP address pool.
ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the global unicast address or link-local address of the access interface in Layer 2 access mode or the global unicast address of the access interface in Layer 3 access mode.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static users by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the static users are in the public network.
keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.
support-ds: Enables dual stack support. With this keyword specified, the device allows a global static session and a global dynamic session with the same MAC address and different IP protocols to form a dual-stack session. If the user of a protocol stack passes authentication, the user of the other protocol stack can come online without authentication. This keyword takes effect only in Layer 2 access mode. When specifying this keyword, follow these restrictions and guidelines:
· This keyword and the delegation-prefix parameter cannot be both configured.
· If you have configured the IPoE 802.1X authentication method on any interface of the device, you must specify the support-ds keyword when configuring a global static session.
force: Allows an administrator to forcibly delete any IP address configured in an IPoE static session. If a user comes online by using that IP address, the user will be forced offline. If this keyword is not specified, an IP address can only be deleted from an IPoE static session when no online static user corresponds to the IP address. In a VSRP network, if an online static user is using a specific IP address on the current device with the Backup role, you cannot delete that IP address even if the force keyword is specified. To identify the master or backup role of a user, execute the display access-user command and check the Backup role field in the output.
Usage guidelines
General restrictions and guidelines
An IPoE static session takes priority over an IPoE dynamic session. If an IPoE static session is configured, the packets matching the IPoE static session cannot initiate new IPoE dynamic sessions. If an unclassified-IP, ARP, NS/NA, DHCP, or ND RS packet has initiated an IPoE dynamic session, you can configure an IPoE static session that matches the unclassified-IP, ARP, NS/NA, DHCP, or ND RS packet, and the configuration does not affect existing online users with the specified IP address. When the users go offline and the device receives packets from these users again, these users preferentially match the IPoE static session.
Interface-level IPoE static sessions take precedence over global IPoE static sessions.
When the IP addresses specified for a static session overlap with the assignable IP addresses in the IP address pool, follow these guidelines:
· For an IP address pool, use the dhcp server forbidden-ip or forbidden-ip command to exclude the overlapping IP addresses from dynamic allocation.
· For an IPv6 address pool, use the ipv6 dhcp server forbidden-address command to exclude the overlapping IPv6 addresses from dynamic allocation.
For more information about excluding IP addresses from dynamic allocation, see DHCP commands and DHCPv6 commands in BRAS Services Command Reference.
In the public network or the same VPN instance, a maximum of one global IPoE static session can be configured for one IP address. You cannot use the ip subscriber session static command to modify a global IPoE static session configured with the mac, domain, interface, interface-list, request-online, or support-ds keyword. To modify such an IPoE session, use the undo form of the command to delete the session, and then reconfigure it with new parameter settings.
In the public network and all VPN instances, the following rules apply:
· For global static sessions with interface specified, the combination of IP addresses and interfaces in each global static IPoE session must be unique.
· For global static sessions without interfaces specified, the IP addresses in each global static IPoE session must be unique.
Restrictions and guidelines for the IPv6 delegation prefix scenario
As shown in Figure 10, Host A and Host B attached to the Layer 3 device use the same IPv6 address prefix and both obtain IPv6 addresses through stateless automatic configuration. Configure an IPv6 delegation prefix in a static session when the BRAS must use the IPoE static user online method to bring all attached hosts online through IPv6 packets and to perform unified authentication, accounting, rate limiting, and management for the packets of all users sharing that IPv6 address prefix.
Figure 10 IPv6 delegation prefix application network diagram
When a global static IPoE session is configured with an IPv6 delegation prefix, a user can perform authentication to come online only if the source IP address of the user's IPv6 packets matches an IPv6 address or IPv6 delegation prefix specified in the static session. Additionally, users on the same IPv6 delegation prefix network segment are treated as one user (the static user with the IPv6 address corresponding to the IPv6 delegation prefix) during the authentication process.
For an IPv6 address and the corresponding IPv6 delegation prefix specified in a global static session, the following rules apply:
· Only the first user that matches the IPv6 address or IPv6 delegation prefix needs to perform authentication. After the user successfully comes online, all subsequent users matching the IPv6 address or IPv6 delegation prefix do not need to perform authentication and can directly forward packets. Additionally, traffic statistics are collected uniformly for these users matching the IPv6 address or IPv6 delegation prefix.
· The device generates a user network route for the IPv6 delegation prefix, with the IPv6 address as the next hop, only after a user matching the IPv6 address or IPv6 delegation prefix successfully comes online. To redirect all traffic destined for the prefix network segment on the core router to the BRAS, you must configure a dynamic routing protocol to redistribute static routes and advertise the prefix network segment route to the core router. When multiple IPv6 delegation prefix network segment routes exist on the BRAS, to reduce the number of routes advertised to the core router, as a best practice, first summarize these IPv6 delegation prefix network segment routes and then advertise them.
When specifying a prefix for a global static user, plan IP addresses carefully so that the prefix does not conflict with the addresses or network segments of other types of users. Avoid the following conflicts:
· The IPv6 address and delegation prefix specified in the global static session conflict.
· The IPv6 address specified in the global static session conflicts with the IPv6 delegation prefix specified in an existing global static session.
· The IPv6 delegation prefix specified in the global static session conflicts with the IPv6 delegation prefix specified in an existing global static session.
· The IPv6 delegation prefix specified in the global static session conflicts with the IPv6 address specified in an existing global or interface-level static session.
· The IPv6 delegation prefix specified in the global static session conflicts with addresses in the IPv6 address pool.
· The IPv6 delegation prefix specified in the global static session conflicts with prefixes in the IPv6 prefix pool.
· The IPv6 delegation prefix specified in the global static session conflicts with the subnet specified in an IPoE subnet-leased session.
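The following is an added example, not code from the command reference or the device: a pre-commit check that applies the conflict rules above to a candidate global static session before it is configured. Sessions are modelled as plain dictionaries, and every address, pool and subnet value is constructed for illustration.

```python
"""Added example (not from the H3C command reference): a pre-commit check that
applies the IPv6 delegation prefix conflict rules to a candidate global static
session. All session, pool and subnet data is constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List

# A session is modelled as a dict (constructed representation, not a device API):
#   {"level": "global" | "interface",
#    "addresses": ["<ipv6 address>", ...],          # start..end already expanded
#    "prefixes":  ["<ipv6 prefix>/<length>", ...]}  # start..end already expanded


def _addr(text: str) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(text)


def _net(text: str) -> ipaddress.IPv6Network:
    # strict=False tolerates a pool or subnet written with host bits set
    return ipaddress.IPv6Network(text, strict=False)


def check_prefix_conflicts(candidate: Dict, existing_sessions: Iterable[Dict],
                           address_pools: Iterable[str] = (),
                           prefix_pools: Iterable[str] = (),
                           leased_subnets: Iterable[str] = ()) -> List[str]:
    """Return one message per conflict rule the candidate session violates."""
    cand_addrs = [_addr(a) for a in candidate.get("addresses", [])]
    cand_pfxs = [_net(p) for p in candidate.get("prefixes", [])]
    problems: List[str] = []

    # Rule: the session's own IPv6 address and delegation prefix must not conflict.
    for a in cand_addrs:
        for p in cand_pfxs:
            if a in p:
                problems.append(f"own address {a} lies inside own delegation prefix {p}")

    for s in existing_sessions:
        s_addrs = [_addr(a) for a in s.get("addresses", [])]
        s_pfxs = [_net(p) for p in s.get("prefixes", [])]
        level = s.get("level", "global")
        if level == "global":
            for p in s_pfxs:
                # Rule: candidate address vs. delegation prefix of an existing global session.
                for a in cand_addrs:
                    if a in p:
                        problems.append(f"address {a} lies inside existing global delegation prefix {p}")
                # Rule: candidate delegation prefix vs. existing global delegation prefix.
                for cp in cand_pfxs:
                    if cp.overlaps(p):
                        problems.append(f"delegation prefix {cp} overlaps existing global delegation prefix {p}")
        # Rule: candidate delegation prefix vs. the IPv6 address of an existing
        # global or interface-level static session.
        for a in s_addrs:
            for cp in cand_pfxs:
                if a in cp:
                    problems.append(f"delegation prefix {cp} contains existing {level} static address {a}")

    # Rules: candidate delegation prefix vs. IPv6 address pools, IPv6 prefix
    # pools and the subnets of IPoE subnet-leased sessions.
    for label, nets in (("IPv6 address pool", address_pools),
                        ("IPv6 prefix pool", prefix_pools),
                        ("subnet-leased session subnet", leased_subnets)):
        for text in nets:
            net = _net(text)
            for cp in cand_pfxs:
                if cp.overlaps(net):
                    problems.append(f"delegation prefix {cp} overlaps {label} {net}")
    return problems


def demo() -> List[str]:
    """Run the check on constructed data; two of the rules fire."""
    candidate = {"level": "global",
                 "addresses": ["2001:db8:1::1"],
                 "prefixes": ["2001:db8:100::/64"]}
    existing = [
        # existing global session whose /56 delegation prefix covers the candidate /64
        {"level": "global", "addresses": ["2001:db8:1::2"],
         "prefixes": ["2001:db8:100::/56"]},
        # existing interface-level session whose address falls inside the candidate prefix
        {"level": "interface", "addresses": ["2001:db8:100::5"]},
    ]
    return check_prefix_conflicts(candidate, existing,
                                  address_pools=["2001:db8:2::/64"],
                                  prefix_pools=["2001:db8:200::/48"],
                                  leased_subnets=["2001:db8:3::/64"])


if __name__ == "__main__":
    for line in demo():
        print("conflict:", line)
```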
Restrictions and guidelines for the device actively requesting users to come online
For the device to automatically request users to come online, you must configure a static session with the request-online and interface keywords. Then, the following rules apply:
· For single-stack IPv4 static users:
¡ In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.
¡ In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.
· For single-stack IPv6 static users:
¡ In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.
¡ In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.
· For dual-stack static users:
¡ If a dual-stack static user is configured with the request-online ip keywords:
- In Layer 2 access mode, the device uses ARP packets to request users to come online. In this case, you must enable ARP packet initiation.
- In Layer 3 access mode, the device uses ICMP packets to request users to come online. In this case, you must enable unclassified-IPv4 packet initiation and configure an IPv4 address for the access interface of the user.
¡ If a dual-stack static user is configured with the request-online ipv6 keywords:
- In Layer 2 access mode, the device uses ND NS packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation or NS/NA packet initiation.
- In Layer 3 access mode, the device uses ICMPv6 packets to request users to come online. In this case, you must enable unclassified-IPv6 packet initiation and configure an IPv6 address for the access interface of the user.
· For static users on a subinterface configured with ambiguous Dot1q termination or ambiguous QinQ termination, for the device to properly request the static users to come online, you must specify VLANs when configuring static sessions. As a best practice, specify VLANs when configuring static sessions.
Restrictions and guidelines for unified accounting
To perform unified accounting for dual-stack users, you must configure the IPv4 addresses and IPv6 addresses of these dual-stack users in one ip subscriber session static command. The IPv4 addresses and IPv6 addresses must be in a one-to-one mapping relationship. After the configuration, the device forms the first dual-stack static individual session by using the first IPv4 address and the first IPv6 address. The device forms the second dual-stack static individual session by using the second IPv4 address and the second IPv6 address, and so on.
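The following is an added example, not code from the command reference or the device, illustrating the unified accounting guideline for both the interface-view and the system-view forms of the command: it expands the IPv4 range, the IPv6 range and the optional delegation prefix range of one dual-stack static session, checks that the counts match (the one-to-one mapping required here and the equal prefix count required for delegation-prefix), and pairs them into individual sessions. Stepping through the prefix range one prefix of prefix-length at a time is an assumption of this example; all input values are constructed.

```python
"""Added example (not from the H3C command reference): expand and pair the
address ranges of one dual-stack static session as the device is described
to form individual dual-stack sessions. Inputs are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def expand_ipv4(start: str, end: Optional[str] = None) -> List[str]:
    """All IPv4 addresses from start to end inclusive (end defaults to start)."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end or start))
    if hi < lo:
        raise ValueError("end-ipv4-address cannot be lower than start-ipv4-address")
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def expand_ipv6(start: str, end: Optional[str] = None) -> List[str]:
    """All IPv6 addresses from start to end inclusive (end defaults to start)."""
    lo = int(ipaddress.IPv6Address(start))
    hi = int(ipaddress.IPv6Address(end or start))
    if hi < lo:
        raise ValueError("end-ipv6-address cannot be lower than start-ipv6-address")
    return [str(ipaddress.IPv6Address(i)) for i in range(lo, hi + 1)]


def expand_prefixes(start: str, end: Optional[str], length: int) -> List[str]:
    """Delegation prefixes from start to end, one prefix of `length` per step.
    The one-prefix stepping is an assumption of this example; the reference
    only states that the range is inclusive."""
    if not 1 <= length <= 120:
        raise ValueError("prefix-length must be in the range of 1 to 120")
    step = 1 << (128 - length)
    lo = int(ipaddress.IPv6Network((start, length), strict=False).network_address)
    hi = int(ipaddress.IPv6Network((end or start, length), strict=False).network_address)
    if hi < lo:
        raise ValueError("end-ipv6-prefix cannot be smaller than start-ipv6-prefix")
    return [str(ipaddress.IPv6Network((i, length))) for i in range(lo, hi + 1, step)]


def pair_dual_stack(start_v4: str, end_v4: Optional[str],
                    start_v6: str, end_v6: Optional[str],
                    delegation: Optional[Tuple[str, Optional[str], int]] = None) -> Dict:
    """Return {"sessions": [...], "errors": [...]}.

    sessions holds one dict per individual dual-stack session in range order;
    it is empty when the ranges cannot be mapped one to one."""
    errors: List[str] = []
    v4 = expand_ipv4(start_v4, end_v4)
    v6 = expand_ipv6(start_v6, end_v6)
    if len(v4) != len(v6):
        errors.append(f"IPv4 and IPv6 address counts differ ({len(v4)} vs {len(v6)}); "
                      "unified accounting needs a one-to-one mapping")
    prefixes: List[str] = []
    if delegation is not None:
        prefixes = expand_prefixes(*delegation)
        if len(prefixes) != len(v6):
            errors.append(f"delegation prefix count {len(prefixes)} does not match "
                          f"IPv6 address count {len(v6)}")
    if errors:
        return {"sessions": [], "errors": errors}
    sessions = []
    # The n-th IPv4 address, n-th IPv6 address (and n-th prefix) form session n.
    for i, (a4, a6) in enumerate(zip(v4, v6), start=1):
        session = {"index": i, "ipv4": a4, "ipv6": a6}
        if prefixes:
            session["delegation_prefix"] = prefixes[i - 1]
        sessions.append(session)
    return {"sessions": sessions, "errors": []}


if __name__ == "__main__":
    # Constructed ranges: three hosts, each with its own /48 delegation prefix.
    result = pair_dual_stack("10.1.1.1", "10.1.1.3", "2001:db8::1", "2001:db8::3",
                             delegation=("2001:db8:100::", "2001:db8:102::", 48))
    for s in result["sessions"]:
        print(s)
    for e in result["errors"]:
        print("error:", e)
```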
Restrictions and guidelines for selecting authentication domains for static IPoE users
If you configure multiple ISP domains for a static individual user, an ISP domain is selected for the user in the following order until a match is found:
· When bind authentication is used:
a. ISP domain specified by using the domain domain-name option in this command. If the domain has not been created, the user fails to come online.
b. Service-specific domain. If the domain has not been created, the user fails to come online.
c. ISP domain configured by using the ip subscriber unclassified-ip domain command. If the domain has not been created, the user fails to come online.
d. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
· When Web authentication is used:
¡ For how an ISP domain is selected in the preauthentication phase, see the ip subscriber pre-auth domain command.
¡ For how an ISP domain is selected in the Web authentication phase, see the ip subscriber web-auth domain command.
Restrictions and guidelines for binding VPN instances to static IPoE users
You can bind static IPoE users to VPN instances by using one of the following methods:
· Method 1: Specify the vpn-instance parameter in this command.
· Method 2: Authorize VPN instances to users by using AAA.
· Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.
When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used. If the strict-check access-interface vpn-instance command is executed in an ISP domain, for users to come online successfully, make sure the VPN instances specified by using the three methods are the same.
Restrictions and guidelines for the static IPoE dual-stack scenario
When you configure dual-stack static sessions with the interface or interface-list keyword specified, follow these restrictions and guidelines:
· If you first enable IPoE on the interface specified by the interface or interface-list keyword and then configure dual-stack static users, you must enable IPoE for both the IPv4 and IPv6 protocol stacks before you can configure dual-stack static users.
· If you first configure dual-stack static users and then enable IPoE on the interface specified by the interface or interface-list keyword, you must enable IPoE for both IPv4 and IPv6 stacks. Otherwise, you cannot enable IPoE.
Restrictions and guidelines for the hybrid dynamic+static IPoE dual-stack scenario
For a global static individual session and a dynamic individual session to form a dual-stack session, make sure the usernames/passwords, ISP domains, and AAA authorization attributes of the static and dynamic users are the same. The following sessions can form dual-stack sessions:
· An IPv4 global static individual session can form a dual-stack session with a DHCPv6 dynamic individual session, ND RS dynamic individual session, or unclassified-IPv6 dynamic individual session.
· An IPv6 global static individual session can form a dual-stack session with a DHCPv4 dynamic individual session or unclassified-IPv4 dynamic individual session.
For hybrid dynamic and static dual-stack users:
· If an interface and VLAN are bound to the static protocol stack session, the user does not support roaming.
· If the static protocol stack session is bound to an interface but not bound to a VLAN, the user only supports roaming between different VLANs of the same subinterface, and does not support roaming across devices, across interfaces, or across different VLANs of different subinterfaces.
Restrictions and guidelines for the scenario where one MAC address corresponds to multiple IP addresses
As shown in Figure 11, the firewall performs NAT for the IP addresses of multiple hosts. Because a Layer 2 network exists between the firewall and the BRAS, the IP addresses that trigger IPoE authentication on the BRAS are the NATed IP addresses. Therefore, one MAC address corresponds to multiple IP addresses.
When deploying this scenario, for the same access interface, follow these restrictions and guidelines:
· In Layer 2 IPoE access mode:
¡ For a configured IPv4 single-stack IPoE global static individual session, the device allows users with the same MAC address but different IP addresses to be online simultaneously in the following conditions:
- The dot1x keyword is not configured by using the ip subscriber authentication-method command on the interface.
- The inherit-pppoe keyword is not configured by using the ip subscriber authentication-method command on the interface.
- The support-ds keyword is not specified in the IPv4 single-stack global IPoE static individual session.
If any of the preceding conditions is not met, the device does not allow users with the same MAC address but different IP addresses to be online simultaneously. While a user with a given MAC address is online, the device does not allow another user with the same MAC address to access the network.
¡ For a configured IPv6 single-stack or dual-stack global static individual session, the device does not allow users with the same MAC address but different IP addresses to be online simultaneously. While a user with a given MAC address is online, the device does not allow another user with the same MAC address to access the network.
· In Layer 3 IPoE access mode, the source MAC address in a user packet is the MAC address of the Layer 3 network device, rather than the MAC address of the user. Therefore, the access device ignores the user MAC address. In this mode, the device naturally allows users with the same MAC addresses but different IP addresses to be online simultaneously.
Examples
# Configure a global IPoE static session with an IP address of 1.1.1.1, an ISP domain of dm1, and UP ID 1024. (Syntax I)
<Sysname> system-view
[Sysname] ip subscriber session static ip 1.1.1.1 domain dm1 up-id 1024
# Configure a global IPoE static session, with IP address 1.1.1.1, static user interface list 10, and ISP domain dm1 for authentication. (Syntax II)
<Sysname> system-view
[Sysname] ip subscriber session static ip 1.1.1.1 interface-list 10 domain dm1
Related commands
dhcp enable (BRAS Services Command Reference)
ip subscriber initiator arp enable
ip subscriber initiator unclassified-ip enable
ip subscriber password
ip subscriber static-session request-online interval
static-user interface-list
strict-check access-interface vpn-instance (BRAS Services Command Reference)
ip subscriber session static-leased
Use ip subscriber session static-leased to configure an IPoE static leased session.
Use undo ip subscriber session static-leased to delete the specified IPoE static leased session.
Syntax
IPv4:
ip subscriber session static-leased ip ipv4-address interface interface-type interface-number [ mac mac-address ] [ domain domain-name ] [ password mac ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] [ description string ] [ gateway ip ipv4-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]
undo ip subscriber session static-leased ip ipv4-address [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]
IPv6:
ip subscriber session static-leased ipv6 ipv6-address interface interface-type interface-number [ mac mac-address ] [ domain domain-name ] [ password mac ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online ] [ description string ] [ gateway ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ] [ keep-online ]
undo ip subscriber session static-leased ipv6 ipv6-address [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]
Dual-stack:
ip subscriber session static-leased ip ipv4-address ipv6 ipv6-address interface interface-type interface-number [ mac mac-address ] [ domain domain-name ] [ password mac ] [ vlan vlan-id [ second-vlan vlan-id ] ] [ request-online [ ip | ipv6 ] ] [ description string ] [ gateway { ip ipv4-address | ipv6 ipv6-address } * ] [ vpn-instance vpn-instance-name ] [ keep-online ]
undo ip subscriber session static-leased ip ipv4-address ipv6 ipv6-address [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]
Default
No IPoE static leased session is configured.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of users.
ipv6-address: Specifies the IPv6 address of users.
interface interface-type interface-number: Specifies the access interface of users.
vlan vlan-id: Specifies the outer VLAN of user packets. The value range for the vlan-id argument is 1 to 4094. This parameter is supported only on subinterfaces.
second-vlan vlan-id: Specifies the inner VLAN of user packets. The value range for the vlan-id argument is 1 to 4094. This parameter is supported only on subinterfaces.
mac mac-address: Specifies a user MAC address in the format of H-H-H.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). If you do not specify this option, the default ISP domain is used for authentication. For more information about the default authentication domain, see AAA in BRAS Services Configuration Guide.
password mac: Uses the user MAC address as the authentication password.
request-online: Specifies the device to actively send online requests to request users to come online. If this keyword is not specified, a user must actively send ARP or IP packets to come online. For a dual-stack leased user, if you specify this keyword and do not specify the ip or ipv6 keyword, the device actively performs online detection in both protocol stacks.
· ip: Specifies the device to actively perform online detection in the IPv4 protocol stack.
· ipv6: Specifies the device to actively perform online detection in the IPv6 protocol stack.
description string: Specifies the static session description, a case-insensitive string of 1 to 31 characters. The description cannot contain the following characters: forward slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@). If this option is not specified, the static session does not have a description.
gateway: Specifies the gateway address for users. When the device actively sends online requests to users, the device preferentially uses the address as the source IP address of online requests. If you do not specify this keyword, the device uses the default gateway address as the source IP address of online requests. This keyword takes effect only when the request-online keyword is specified.
· ip ipv4-address: Specifies the gateway address for the IPv4 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the IPv4 address of the access interface or the shared gateway address in the IP address pool, for example, the gateway address specified by using the gateway command in a BAS IP address pool.
· ipv6 ipv6-address: Specifies the gateway address for the IPv6 protocol stack. For the device to actively send requests to request users to come online, make sure the address is the link-local address of the access interface.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to be bound to static leased users by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the IPoE static leased users are in the public network.
keep-online: Performs no online detection for users even when online detection is enabled. If you do not specify this keyword, users are forced to go offline when online detection fails for users.
Usage guidelines
Application scenarios
As shown in Figure 12, in a service provider leased line service, the Layer 3 device Device of an enterprise has multiple hosts attached. The uplink port Port A of Device needs a public network IP address assigned by the service provider. The BRAS needs to perform unified authentication, authorization, and accounting for all hosts attached to Device. In addition to meeting the leased line service requirements, the administrator wants to allocate and maintain public network IP addresses properly and to look up, on the BRAS, the public network IP address allocated to the device of each leased line service. To meet these requirements, you can deploy static leased lines on the BRAS.
Figure 12 IPoE static leased line application network diagram
Operating mechanism
A static leased session is similar to an interface-leased line. When a static leased session comes online, packets with any source IP address can pass through the leased interface. However, a static leased session can record the public network IP addresses of static leased users in addition to the leased line service of an interface-leased session.
With IPoE enabled on an access interface in up state, when IP, ARP, NS, or NA packets pass through the access device, the access interface will try to initiate authentication by using the configured username and password. If a user passes authentication, a static leased session is established. If a user fails to pass authentication, no static leased session is established.
Restrictions and guidelines
Static leased sessions are supported only when the bind authentication mode is used and IPoE operates in Layer 2 access mode.
On the access interface of a static user, you cannot configure an IPv4 address or IPv6 global unicast address. Follow these restrictions and guidelines:
· For IPv4: Use the shared gateway address in the IP address pool, for example, the gateway address specified by using the gateway command in a BAS IP address pool.
· For IPv6: Use the ipv6 address auto link-local command to generate a link-local address on the access interface of the static user.
On an interface, IPoE static leased users are mutually exclusive with IPoE individual users, IPoE interface-leased users, IPoE subnet-leased users, and IPoE L2VPN-leased users.
In the public network or the same VPN instance, the following rules apply:
· Up to one static leased session can be configured on an interface. You cannot use this command to modify an IPoE static leased session configured with the ip, mac, domain, or request-online keyword. To modify such an IPoE static leased session, use the undo form of the command to delete the session, and then reconfigure an IPoE static leased session with new parameter settings.
· Up to one static leased session with the specified IP addresses can be configured. You cannot use this command to modify an IPoE static leased session configured with the mac, domain, interface, or request-online keyword. To modify such an IPoE static leased session, use the undo form of the command to delete the session, and then reconfigure an IPoE static leased session with new parameter settings.
You can bind static IPoE leased users to VPN instances by using one of the following methods:
· Method 1: Specify the vpn-instance parameter in this command.
· Method 2: Authorize VPN instances to users by using AAA.
· Method 3: Use the ip binding vpn-instance command to bind a VPN instance to the interface through which users come online.
When methods 1 and 2 are both configured, for users to come online successfully, make sure you specify the same VPN instance. If the VPN instance specified by using method 1 or 2 is different from the VPN instance specified by using method 3, the VPN instance specified by using method 1 or 2 is used. If the strict-check access-interface vpn-instance command is executed in an ISP domain, for users to come online successfully, make sure the VPN instances specified by using the three methods are the same.
Examples
# In system view, configure an IPoE static leased session, with IP address 1.1.1.1 and bound to interface Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] ip subscriber session static-leased ip 1.1.1.1 interface Ten-GigabitEthernet 0/0/15
Related commands
ip subscriber password
ip subscriber initiator unclassified-ip enable
ip subscriber static-session request-online interval
strict-check access-interface vpn-instance (BRAS Services Command Reference)
ip subscriber session-conflict action offline
Use ip subscriber session-conflict action offline to enable session conflict detection.
Use undo ip subscriber session-conflict action offline to disable session conflict detection.
Syntax
ip subscriber session-conflict action offline
undo ip subscriber session-conflict action offline
Default
Session conflict detection is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
In a Layer 2 IPoE network, after an IPoE session moves from one interface to another, the device still maintains the session information on the original interface. This wastes resources and increases maintenance complexity.
Operating mechanism
When a user comes online on an interface, this feature uses the user's IP address and MAC address to detect whether the user has come online on other interfaces. If yes, this feature forcibly logs out the user from other interfaces.
Restrictions and guidelines
This command is mutually exclusive with the ip subscriber roaming enable command on the same interface. If one command has been executed, the other command cannot be executed.
This command takes effect only in Layer 2 access mode.
This command takes effect only on IPoE global static users whose static sessions do not have the interface keyword specified.
Examples
# Enable session conflict detection.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber session-conflict action offline
ip subscriber static-dot1x-user enable
Use ip subscriber static-dot1x-user enable to enable static 802.1X user authentication.
Use undo ip subscriber static-dot1x-user enable to disable static 802.1X user authentication.
Syntax
ip subscriber static-dot1x-user enable
undo ip subscriber static-dot1x-user enable
Default
Static 802.1X user authentication is disabled.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
By default, in the IPoE 802.1X authentication scenario, IPoE 802.1X authentication supports unclassified-IP users, DHCP users, IPv6 ND RS users, and global static users. For a user configured with a static IP address to come online through 802.1X authentication, you must configure the corresponding static IPoE user access for the static IP address of the user on the BRAS.
To let a user configured with a static IP address come online through 802.1X authentication without configuring the corresponding static IPoE user access for the user on the BRAS, enable this feature.
Operating mechanism
With this feature enabled, when the 802.1X client of a user passes authentication and comes online, the BRAS will generate a temporary session entry according to the MAC+VLAN information (without IP information) of the user. When the BRAS receives the ARP packets, unclassified-IP packets, and NS/NA packets of the user, the following rules apply:
· If a temporary session entry can be obtained for the user, IPoE uses the 802.1X authentication result to make the user directly come online in the postauthentication domain. After the user comes online in the postauthentication domain, the BRAS will replace the temporary session entry with the formal session entry of the user. Then, the BRAS processes packets of the user based on the formal session entry. In this case, the formal session entry records the 802.1X user information (including 802.1X username, authentication domain, and authorized attributes) of the user.
· If a temporary session entry cannot be obtained for the user, the packets are dropped.
Restrictions and guidelines
Both 802.1X authentication and IPoE static user access can be configured on the same interface, with the following functions enabled:
· For 802.1X authentication access, the static 802.1X user authentication feature is enabled.
· For IPoE static user access, unclassified-IP packet initiation is enabled with the matching-user keyword specified.
If the preceding conditions are met, when the packets of a user received by the BRAS match both the 802.1X temporary session entry and the IPoE static user session, the user comes online as an IPoE static user.
With this feature enabled in the IPoE 802.1X authentication scenario, when the 802.1X client of a user passes authentication and comes online, the user can directly come online in the postauthentication domain as long as the ARP packets, unclassified-IP packets, or NS/NA packets from the user match the temporary session entry. You do not need to execute any of the following commands to enable ARP packet initiation, unclassified-IP packet initiation, or NS/NA packet initiation:
· ip subscriber initiator unclassified-ip enable
· ip subscriber initiator unclassified-ipv6 enable
· ip subscriber initiator arp enable
· ip subscriber initiator nsna enable
When you configure the static 802.1X user authentication feature, follow these restrictions and guidelines:
· On an interface, static 802.1X user authentication is mutually exclusive with Layer 3 IPoE access mode, IPoE interface-leased users, IPoE subnet-leased users, and IPoE L2VPN-leased users.
· You can configure static 802.1X user authentication on an interface only when the interface operates in Layer 2 IPoE access mode.
Examples
# Enable static 802.1X user authentication on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber static-dot1x-user enable
Related commands
ip subscriber authentication-method
ip subscriber initiator arp enable
ip subscriber initiator nsna enable
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber static-session request-online interval
Use ip subscriber static-session request-online interval to configure the interval at which the device sends online requests to IPoE static users.
Use undo ip subscriber static-session request-online interval to restore the default.
Syntax
ip subscriber static-session request-online interval seconds
undo ip subscriber static-session request-online interval
Default
The interval at which the device sends online requests to IPoE static users is 180 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the interval at which the device sends online requests to IPoE static users. The value range is 60 to 3600 seconds.
Usage guidelines
Use this command to set the interval at which the device actively sends ARP, ICMP, ND NS, or ICMPv6 packets to request IPoE static users to come online. To configure the device to actively send online requests, use the ip subscriber session static command in system or interface view.
Examples
# Set the interval at which the device sends online requests to IPoE static users to 60 seconds.
<Sysname> system-view
[Sysname] ip subscriber static-session request-online interval 60
Related commands
ip subscriber session static
ip subscriber subnet-leased
Use ip subscriber subnet-leased to configure a subnet-leased user.
Use undo ip subscriber subnet-leased to delete a subnet-leased user.
Syntax
ip subscriber subnet-leased ip ipv4-address { mask | mask-length } username name password { ciphertext | plaintext } string [ domain domain-name ] [ vpn-instance vpn-instance-name ]
undo ip subscriber subnet-leased ip ipv4-address { mask | mask-length }
ip subscriber subnet-leased ipv6 ipv6-address prefix-length username name password { ciphertext | plaintext } string [ domain domain-name ] [ vpn-instance vpn-instance-name ]
undo ip subscriber subnet-leased ipv6 ipv6-address prefix-length
Default
No subnet-leased user exists.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a user IPv4 address.
mask: Specifies an IPv4 address mask in dotted decimal notation.
mask-length: Specifies a mask length, an integer in the range of 1 to 31.
ipv6 ipv6-address: Specifies a user IPv6 address.
prefix-length: Specifies the IPv6 prefix length in the range of 1 to 127.
username name: Specifies a username for authentication, a case-sensitive string of 1 to 253 characters.
password: Specifies a password for authentication.
ciphertext string: Specifies a ciphertext password, a case-sensitive string of 1 to 117 characters.
plaintext string: Specifies a plaintext password, a case-sensitive string of 1 to 63 characters. For security purposes, the password specified in plaintext form will be stored in encrypted form.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
vpn-instance vpn-instance-name: Specifies an existing MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The MPLS L3VPN instance will be bound to the subnet-leased user on the interface. If you do not specify a VPN instance, the subnet-leased user is in the public network.
Usage guidelines
Operating mechanism
A subnet-leased user represents all access users in a subnet of the interface. With IPoE enabled for the IPv4 or IPv6 protocol stack on an interface in up state, the session does not need to be initiated by user traffic. The BRAS initiates authentication by using the configured username and password. After the authentication succeeds, a subnet-leased session is established, traffic of all users in the subnet of the interface is permitted, and the users share one IPoE session. The BRAS performs authorization and accounting for all users in the subnet.
An ISP domain is selected for an IPoE subnet-leased user in the following order until a match is found:
1. ISP domain specified by using the domain domain-name option in this command. If the ISP domain has not been created, the user fails to come online.
2. ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.
3.
4. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
Restrictions and guidelines
If you enable IPoE before configuring subnet-leased users, you must enable IPoE for the IPv4 or IPv6 protocol stack before you can configure subnet-leased users for that protocol stack. If you configure subnet-leased users before enabling IPoE, you must enable IPoE for the protocol stack of the subnet-leased users or for both stacks.
You can configure only one subnet-leased user on each subnet.
You cannot configure a subnet-leased user on an interface configured with interface-leased users or L2VPN-leased users.
To modify the VPN instance or public network to which the subnet-leased user belongs, first execute the undo form of this command and then execute this command again.
When IPoE subnet-leased users are bound to a VPN instance on interfaces, executing the undo ip vpn-instance command to delete the VPN instance deletes all subnet-leased users bound to the VPN instance. In this case, the undo ip vpn-instance command has the same effect as the undo ip subscriber subnet-leased command on these interfaces.
Examples
# Configure a subnet-leased user for subnet 1.1.1.1/24 with a username of netuser and a plaintext password of pw123 on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber subnet-leased ip 1.1.1.1 24 username netuser password plaintext pw123
# Delete subnet-leased users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] undo ip subscriber subnet-leased ip 1.1.1.1 24
The operation may cut all users on this interface. Continue?[Y/N]:y
ip subscriber timer quiet
Use ip subscriber timer quiet to enable the quiet timer and set the quiet time period for users.
Use undo ip subscriber timer quiet to restore the default.
Syntax
ip subscriber timer quiet time
undo ip subscriber timer quiet
Default
The quiet timer is disabled for users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
time: Specifies the quiet timer period in the range of 10 to 3600 seconds.
Usage guidelines
Operating mechanism
With this command configured, IPoE starts the quiet timer after the number of consecutive authentication failures of a user reaches the limit in the specified period. The BRAS drops packets from the user during the quiet timer period. After the quiet timer expires, the BRAS performs authentication upon receiving a packet from the user.
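The quiet timer behaviour described above, as an added model that is not part of the command reference. The consecutive-failure limit and detection period are the values ip subscriber authentication chasten would supply (constructed here), the quiet period is the ip subscriber timer quiet value, users are keyed by MAC address (an assumption), and time is passed in explicitly so the model runs without a clock.

```python
# Added example, not from the command reference: a model of the IPoE quiet timer.
# Assumptions: failure limit and detection period come from
# "ip subscriber authentication chasten" (constructed values), users are keyed
# by MAC address, and "now" is supplied by the caller in seconds.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ChastenPolicy:
    max_failures: int   # consecutive failures allowed within `period`
    period: float       # detection period in seconds
    quiet_time: float   # quiet timer period in seconds (10 to 3600 on this page)


@dataclass
class UserState:
    failures: List[float] = field(default_factory=list)  # times of recent failures
    quiet_until: float = 0.0                             # 0 means not quiet


class QuietTimerTable:
    def __init__(self, policy: ChastenPolicy):
        if not 10 <= policy.quiet_time <= 3600:
            raise ValueError("quiet time must be 10 to 3600 seconds")
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, mac: str) -> UserState:
        return self.users.setdefault(mac, UserState())

    def is_quiet(self, mac: str, now: float) -> bool:
        return now < self._state(mac).quiet_until

    def on_packet(self, mac: str, now: float) -> str:
        """Packets from a quiet user are dropped; once the timer expires the
        next packet triggers authentication again."""
        return "drop" if self.is_quiet(mac, now) else "authenticate"

    def on_auth_result(self, mac: str, success: bool, now: float) -> bool:
        """Record an authentication result; return True if this failure
        started the quiet timer."""
        st = self._state(mac)
        if success:
            st.failures.clear()   # a success ends the run of consecutive failures
            return False
        # Only failures inside the detection period count towards the limit.
        st.failures = [t for t in st.failures if now - t < self.policy.period]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.quiet_until = now + self.policy.quiet_time
            st.failures.clear()
            return True
        return False
```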
Restrictions and guidelines
When a user that comes online through a global interface is blocked and the slot where the session of the blocked user resides is switched, the device will initiate authentication again for the user. If the user successfully passes authentication before reaching the maximum number of consecutive authentication failures, the user will be unblocked. Otherwise, the user will be blocked again.
Examples
# Enable the quiet timer and set the quiet timer period to 100 seconds for users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber timer quiet 100
Related commands
display ip subscriber chasten user auth-failed
display ip subscriber chasten user quiet
ip subscriber authentication chasten
ip subscriber trust
Use ip subscriber trust to configure a trusted option for DHCP users.
Use undo ip subscriber trust to cancel a trusted option.
Syntax
ip subscriber trust { option12 | option60 | option77 | option82 | option16 | option17 | option18 | option37 | option79 }
undo ip subscriber trust { option12 | option60 | option77 | option82 | option16 | option17 | option18 | option37 | option79 }
Default
Only Option 79 in DHCP packets is trusted.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
option12: Specifies Option 12 as the trusted option.
option60: Specifies Option 60 as the trusted option.
option77: Specifies Option 77 as the trusted option.
option82: Specifies Option 82 as the trusted option.
option16: Specifies Option 16 as the trusted option.
option17: Specifies Option 17 as the trusted option.
option18: Specifies Option 18 as the trusted option.
option37: Specifies Option 37 as the trusted option.
option79: Trusts Option79 in DHCPv6 packets.
Usage guidelines
Restrictions and guidelines for trusting Option 60
In a DHCPv4 network, the BRAS can obtain the Option 60 information in the DHCP-Discover packets. If the BRAS trusts Option 60 and the ip subscriber dhcp domain or ip subscriber dhcp option60 match command is not configured, the following information is used as the ISP domain:
· All information in Option 60 if the option does not contain invalid characters or the at sign (@).
Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).
· Information that follows the last at sign (@) if the option contains at signs (@) and does not contain invalid characters.
When the string selected by using the ip subscriber trust option60 command is used as the ISP domain for authentication and the ip subscriber dhcp domain include command is executed, the domain name generated according to the domain name generation rule is used. For more information about the domain name generation rules, see "ip subscriber dhcp domain include."
For more information about how an ISP domain is determined when the ip subscriber dhcp domain command is executed, see "ip subscriber dhcp domain."
For more information about how an ISP domain is determined when the ip subscriber dhcp option60 match command is executed, see "ip subscriber dhcp option60 match."
For more information about how an ISP domain is determined when the BRAS does not trust DHCPv4 Option 60, see "ip subscriber dhcp domain."
Restrictions and guidelines for trusting Option 82
In a DHCP relay agent network, the BRAS can obtain the Option 82 information in the DHCP-Discover packets. If the BRAS trusts DHCPv4 Option 82, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses the information to encapsulate RADIUS attributes:
· Obtains the Circuit-ID information and uses it to encapsulate NAS-Port-ID that adopts version 2.0 or version 5.0 as the encapsulation format.
· Obtains the Circuit-ID information and uses it to encapsulate DSL_AGENT_CIRCUIT_ID.
· Obtains the Remote-ID information and uses it to encapsulate DSL_AGENT_REMOTE_ID.
If the BRAS does not trust DHCPv4 Option 82, it does not use the Option 82 to encapsulate RADIUS attributes.
Restrictions and guidelines for trusting Option 16 and Option 17
In a DHCPv6 network, the BRAS can obtain the ISP domain information from Option 16 or Option 17. Option 16 and Option 17 use the same processing mechanism to match the trusted domain. The following description uses Option 16 as an example.
If the BRAS trusts Option 16 and the ip subscriber dhcp domain or ip subscriber dhcpv6 option16 match command is not configured, the following information is used as the ISP domain:
· All information in Option 16 if the option does not contain invalid characters or the at sign (@).
Invalid characters include the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).
· Information that follows the last at sign (@) if the option contains at signs (@) and does not contain invalid characters.
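The domain derivation rules for a trusted Option 60 above, which also apply to a trusted Option 16 or Option 17, as an added example that is not part of the command reference; it also includes the validity check for a configured ISP domain name from the domain option of the commands on this page. The option value is assumed to already be a decoded string.

```python
# Added example, not from the command reference: derive the ISP domain from a
# trusted DHCPv4 Option 60 or DHCPv6 Option 16/17 value, and validate a
# configured ISP domain name. Assumption: the option value is a decoded str.

# Characters the page lists as invalid in an ISP domain name.
INVALID_DOMAIN_CHARS = set('/\\|":*?<>')
MAX_DOMAIN_LEN = 255


def is_valid_domain_name(name: str) -> bool:
    """Check a configured ISP domain name: 1 to 255 characters, none of the
    invalid characters, and no at sign (@)."""
    if not 1 <= len(name) <= MAX_DOMAIN_LEN:
        return False
    return not any(ch in INVALID_DOMAIN_CHARS or ch == "@" for ch in name)


def domain_from_trusted_option(option_value: str):
    """Derive the ISP domain from a trusted option string.

    Returns the domain, or None when the value cannot be used as a domain, in
    which case the other domain selection rules on the page apply.
    """
    # An option containing any invalid character is never used as the domain,
    # whether or not it contains at signs.
    if any(ch in INVALID_DOMAIN_CHARS for ch in option_value):
        return None
    # No at sign: the whole option value is the domain.
    # With at signs: the text after the LAST at sign is the domain.
    domain = option_value.rsplit("@", 1)[-1]
    return domain if is_valid_domain_name(domain) else None
```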
On the same interface, you can execute this command multiple times to configure multiple trusted options. However, you cannot configure the interface to trust both Option 16 and Option 17. For example, if you have configured Option 16 as a trusted option, you cannot configure Option 17 as a trusted option.
For more information about how an ISP domain is determined when the ip subscriber dhcp domain command is executed, see "ip subscriber dhcp domain."
For more information about how an ISP domain is determined when the ip subscriber dhcpv6 option16 match command is executed, see "ip subscriber dhcpv6 match."
For more information about how an ISP domain is determined when the BRAS does not trust DHCPv6 Option 16, see "ip subscriber dhcp domain."
Restrictions and guidelines for trusting Option 18
In a DHCP relay agent network, the BRAS can obtain the specified Option information from DHCPv6 packets. If the BRAS trusts DHCPv6 Option 18 or Option 37, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses the information to encapsulate RADIUS attributes:
· Obtains information from Option 18 and uses it to encapsulate NAS-Port-ID that uses the version 2.0 or version 5.0 encapsulation format.
· Obtains information from Option 18 and uses it to encapsulate DSL_AGENT_CIRCUIT_ID.
Restrictions and guidelines for trusting Option 37
In a DHCP relay agent network, the BRAS can obtain the specified Option information from DHCPv6 packets. If the BRAS trusts DHCPv6 Option 37, it obtains the following information from the option, parses the information in the configured parsing format (ASCII by default), and uses it to encapsulate DSL_AGENT_REMOTE_ID.
Restrictions and guidelines for trusting Option 79
To uniformly perform accounting and management for the same IPoE user, if the IPv4 protocol stack and IPv6 protocol stack of the user can form dual stack, IPoE preferentially maintains and manages the user as a dual-stack user. For an IPv4 user and an IPv6 user to form a dual-stack user, make sure the users have the same MAC address.
When a Layer 3 network with DHCPv6 relay enabled exists between a user and the BRAS, if the DHCPv6 packet forwarded by the DHCPv6 relay agent does not carry the user MAC address in the client ID field, IPoE cannot obtain the MAC address of the DHCPv6 user. In this case, IPoE maintains the IPv4 user and IPv6 user with the same MAC address as two separate users, and the two users cannot form a dual-stack user.
To resolve this issue, configure the BRAS to trust Option 79. If DHCPv6 Option 79 is trusted, when the BRAS receives a DHCPv6 packet carrying Option 79, it obtains the user MAC address from Option 79 and uses it as a required condition for recognizing the DHCPv6 user. If a DHCPv4 user uses the same MAC address, the two users can form a dual-stack user.
When you configure the BRAS to trust Option 79, follow these restrictions and guidelines:
· If IPoE can obtain user MAC addresses from both the Option79 and Client ID fields, the user MAC address obtained from Option79 takes priority.
· For a BRAS to receive DHCPv6 packets carrying Option79, execute the ipv6 dhcp relay client-link-address enable command to enable the DHCPv6 relay agent to support Option 79 on the first DHCPv6 relay agent that the requests from a DHCPv6 client pass through. For more information about the ipv6 dhcp relay client-link-address enable command, see DHCPv6 commands in BRAS Services Command Reference.
When an online DHCPv6 user exists on an access interface, you cannot execute the undo ip subscriber trust option79 command on the interface. To execute the undo ip subscriber trust option79 command on the interface, first log out the DHCPv6 user.
Restrictions and guidelines for trusting Option 12
When Option 12 is trusted, you can configure the DHCPv4 Option 12 information as the authentication username by specifying the hostname parameter in the ip subscriber dhcp username command. For more information, see the ip subscriber dhcp username command.
Restrictions and guidelines for trusting Option 77
When Option 77 is trusted, you can configure the DHCPv4 Option 77 information as the authentication password by specifying the user-class parameter in the ip subscriber dhcp password command. For more information, see the ip subscriber dhcp password command.
Examples
# Configure DHCPv4 Option 82 as a trusted option on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber trust option82
Related commands
ip subscriber access-line-id circuit-id trans-format
ip subscriber access-line-id remote-id trans-format
ip subscriber dhcp domain
ip subscriber dhcp domain include
ip subscriber dhcp option60 match
ip subscriber dhcp password
ip subscriber dhcp username
ip subscriber dhcpv6 match
ip subscriber nas-port-id format
ip subscriber nas-port-id nasinfo-insert
ipv6 dhcp relay client-link-address enable (BRAS Services Command Reference)
ip subscriber trust aaa-authorized-ip
Use ip subscriber trust aaa-authorized-ip to configure the device to trust IP addresses authorized by the AAA server.
Use undo ip subscriber trust aaa-authorized-ip to restore the default.
Syntax
ip subscriber trust aaa-authorized-ip
undo ip subscriber trust aaa-authorized-ip
Default
The device does not trust the IP addresses authorized by the AAA server.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
This command applies to scenarios where user endpoints must access the network by using specific IP addresses, which prevents unauthorized access and enhances network security.
Operating mechanism
With this feature enabled, when the device receives a reply to an AAA authentication request, the device will process the reply according to the following principles:
· For an unclassified-IP user (including dynamic individual users initiated by unclassified-IP packets, ARP packets, and NS/NA packets), the device compares the IP address carried by the user with the IP address authorized by the AAA server:
¡ If the IP addresses match, the device will proceed with the subsequent processing for the user to come online.
¡ If the IP addresses do not match, the device will disconnect and prevent the user from coming online. Meanwhile, the device will record one authentication failure for the user. When the number of authentication failures reaches the threshold set by using the ip subscriber authentication chasten command, the device will block the user.
· For a DHCP user, the device processes the user according to the IP address authorized by the AAA server and the authorized IP address pool of the user authentication domain as follows:
¡ If the IP address authorized by AAA is within the authorized address pool range of the domain and is available, the device will allocate the IP address to the DHCP user. If the address is unavailable or fails to be allocated, the device will disconnect and prevent the user from coming online.
¡ If the IP address authorized by AAA is not within the authorized address pool range of the domain, the device will disconnect and prevent the user from coming online.
Restrictions and guidelines
· This feature is only applicable to unclassified-IP users (including dynamic individual users initiated by unclassified-IP packets, ARP packets, and NS/NA packets) and DHCP users.
· This feature takes effect only when the AAA server authorizes IP addresses.
· Before configuring this feature, make sure the AAA server has been properly deployed and the server has pre-configured endpoint-IP bindings.
· In scenarios where DHCP users come online, to prevent issues such as allocation failure, make sure the IP address authorized by the AAA server is within the authorized address pool range of the user authentication domain on the device and the address is available.
Examples
# Configure the device to trust the IP addresses authorized by the AAA server.
<Sysname> system-view
[Sysname] ip subscriber trust aaa-authorized-ip
ip subscriber unclassified-ip domain
Use ip subscriber unclassified-ip domain to configure an ISP domain for users.
Use undo ip subscriber unclassified-ip domain to restore the default.
Syntax
ip subscriber unclassified-ip domain domain-name
undo ip subscriber unclassified-ip domain
Default
No ISP domain is configured for users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
This command configures an ISP domain for users initiated by IP packets, ARP packets, and NS/NA packets (including unclassified-IP users, static individual users, and subnet/interface-leased users). Unclassified-IP users include dynamic individual users initiated by IP packets, ARP packets, and NS/NA packets.
An ISP domain is selected for an unclassified-IP user in the following order until a match is found:
1. Service-specific ISP domain. If the ISP domain has not been created, the user fails to come online.
2. ISP domain specified by using the ip subscriber unclassified-ip domain command. If the ISP domain has not been created, the user fails to come online.
3. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
For how an ISP domain is selected for an IPoE static user, see the ip subscriber session static command.
For how an ISP domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.
For how an ISP domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.
Examples
# Configure ISP domain dm1 for users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip domain dm1
Related commands
ip subscriber initiator unclassified-ip enable
ip subscriber service-identify
ip subscriber unclassified-ip ip match
Use ip subscriber unclassified-ip ip match to configure trusted IPv4 addresses for IPoE authentication.
Use undo ip subscriber unclassified-ip ip match to restore the default.
Syntax
ip subscriber unclassified-ip ip match start-ip-address [ end-ip-address ]
undo ip subscriber unclassified-ip ip match start-ip-address [ end-ip-address ]
Default
Trusted IP addresses or address ranges are not configured, and the default behavior varies by packet type as follows:
· All IP addresses are trusted for IP packets.
· No IP addresses are trusted for ARP packets.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
start-ip-address: Specifies the start IPv4 address.
end-ip-address: Specifies the end IPv4 address, which must be higher than the start IPv4 address. If you specify this option, all IPv4 addresses in the range are trusted as source IPv4 addresses. If you do not specify this option, or the end IPv4 address and start IPv4 address are the same, only the start IPv4 address is trusted as a source IPv4 address.
Usage guidelines
Operating mechanism
After the ip subscriber unclassified-ip ip match command is executed, the following rules apply:
· If IP or ARP packets from a user match a static IPoE session, the user comes online as a static IPoE user no matter whether the source IPv4 address in the IP or ARP packets is within the trusted IPv4 address range.
· If IP or ARP packets from users do not match a static IPoE session, only packets with source IPv4 addresses as trusted IPv4 addresses can initiate IPoE authentication, and other packets are dropped.
Restrictions and guidelines
To cancel trust configuration for an IPv4 address or IPv4 address range belonging to a trusted IPv4 address range, cancel trust configuration for the entire IPv4 address range.
You can use this command multiple times to configure multiple trusted IPv4 addresses or IPv4 address ranges.
You can configure a maximum of 64 IP address ranges by executing this command repeatedly. A single IP address and an address range each count as one IP address range. If more than 64 IP address ranges are configured, the configuration fails. In this case, as a best practice, first execute the undo ip subscriber unclassified-ip ip match command to remove unnecessary IP address ranges, and then configure the IP address ranges that failed.
This feature applies to unclassified-IP individual users (including dynamic individual users initiated by IP or ARP packets) and leased unclassified-IP subusers.
Examples
# Configure IPv4 addresses 192.168.1.10 through 192.168.1.100 as trusted IPv4 addresses of IP packets and ARP packets on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip ip match 192.168.1.10 192.168.1.100
Related commands
ip subscriber initiator unclassified-ip enable
ip subscriber unclassified-ip ipv6 match
Use ip subscriber unclassified-ip ipv6 match to configure trusted IPv6 addresses for IPoE authentication.
Use undo ip subscriber unclassified-ip ipv6 match to restore the default.
Syntax
ip subscriber unclassified-ip ipv6 match start-ipv6-address [ end-ipv6-address ]
undo ip subscriber unclassified-ip ipv6 match start-ipv6-address [ end-ipv6-address ]
Default
Trusted IPv6 addresses or address ranges are not configured, and the default behavior varies by packet type as follows:
· All IPv6 global unicast addresses are trusted for IPv6 packets.
· No IPv6 global unicast addresses are trusted for NS/NA packets.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
start-ipv6-address: Specifies the start IPv6 address.
end-ipv6-address: Specifies the end IPv6 address, which must be higher than the start IPv6 address. If you specify this option, all IPv6 addresses in the range are trusted as source IPv6 addresses. If you do not specify this option, only the start IPv6 address is trusted as a source IPv6 address.
Usage guidelines
Operating mechanism
After the ip subscriber unclassified-ip ipv6 match command is executed, the following rules apply:
· If IPv6 or NS/NA packets from a user match a static IPoE session, the user comes online as a static IPoE user no matter whether the source IPv6 address in the IPv6 or NS/NA packets is within the trusted IPv6 address range.
· If IPv6 or NS/NA packets from users do not match a static IPoE session, only packets with source IPv6 addresses as trusted IPv6 addresses can initiate IPoE authentication, and other packets are dropped.
Restrictions and guidelines
To cancel trust configuration for an IPv6 address or IPv6 address range belonging to a trusted IPv6 address range, cancel trust configuration for the entire IPv6 address range.
You can use this command multiple times to configure multiple trusted IPv6 addresses or IPv6 address ranges.
You can configure a maximum of 64 IPv6 address ranges by executing this command repeatedly. A single IPv6 address and an address range each count as one IPv6 address range. If more than 64 IPv6 address ranges are configured, the configuration fails. In this case, as a best practice, first execute the undo ip subscriber unclassified-ip ipv6 match command to remove unnecessary IPv6 address ranges, and then configure the IPv6 address ranges that failed.
This feature applies to unclassified-IP individual users (including dynamic individual users initiated by IP or NS/NA packets) and leased unclassified-IP subusers.
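The following added example (not device code from this reference) models the trusted-address rules of both the ip subscriber unclassified-ip ip match and ipv6 match commands: the per-packet-type defaults when no range is configured, the static-session bypass, the 64-range limit, and whole-range-only removal. The packet-type labels and the approximation of "global unicast" for IPv6 are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

MAX_RANGES = 64  # per-interface limit stated for both the ip match and ipv6 match commands


class TrustedAddressTable:
    """Trusted source-address ranges of one interface for one address family (4 or 6)."""

    def __init__(self, version: int):
        self.version = version
        self.ranges: List[Tuple] = []  # (start, end) address pairs in configuration order

    def _parse(self, start: str, end: Optional[str]):
        s = ipaddress.ip_address(start)
        e = ipaddress.ip_address(end) if end is not None else s  # single address = one range
        if s.version != self.version or e.version != self.version:
            raise ValueError("address family does not match this table")
        if e < s:
            raise ValueError("end address must be higher than the start address")
        return s, e

    def add(self, start: str, end: Optional[str] = None) -> bool:
        """Configure a trusted address or range; False when the 64-range limit blocks it."""
        rng = self._parse(start, end)
        if rng in self.ranges:
            return True               # already configured, nothing to do
        if len(self.ranges) >= MAX_RANGES:
            return False              # configuration fails: remove unneeded ranges first
        self.ranges.append(rng)
        return True

    def remove(self, start: str, end: Optional[str] = None) -> bool:
        """Cancel trust for a range; only an exactly matching whole range can be removed."""
        rng = self._parse(start, end)
        if rng not in self.ranges:
            return False              # a sub-range of a configured range cannot be cancelled
        self.ranges.remove(rng)
        return True

    def is_trusted(self, ip: str, packet_type: str) -> bool:
        a = ipaddress.ip_address(ip)
        if not self.ranges:
            # defaults: IP packets trust every address, ARP and NS/NA trust none;
            # for IPv6 the page limits this to global unicast (approximated here, assumption)
            if packet_type == "ip":
                return True
            if packet_type == "ipv6":
                return not (a.is_link_local or a.is_multicast or a.is_loopback or a.is_unspecified)
            return False
        return any(s <= a <= e for s, e in self.ranges)

    def decide(self, ip: str, packet_type: str, matches_static_session: bool) -> str:
        """Return what the interface does with a packet from an offline source."""
        if matches_static_session:
            return "online-static"    # static IPoE sessions bypass the trusted-range check
        if self.is_trusted(ip, packet_type):
            return "initiate-auth"    # only trusted sources may start IPoE authentication
        return "drop"


if __name__ == "__main__":
    # the page's own example range, then a few constructed packets
    table = TrustedAddressTable(4)
    table.add("192.168.1.10", "192.168.1.100")
    for src, kind in [("192.168.1.50", "arp"), ("192.168.1.200", "ip")]:
        print(src, kind, "->", table.decide(src, kind, matches_static_session=False))
```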
Examples
# Configure IPv6 addresses 2001::1:10 through 2001::1:100 as trusted IPv6 addresses of IPv6 and NS/NA packets on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip ipv6 match 2001::1:10 2001::1:100
Related commands
ip subscriber initiator unclassified-ipv6 enable
ip subscriber unclassified-ip max-session
Use ip subscriber unclassified-ip max-session to set the IPoE session limit for unclassified-IPv4 or ARP packet initiation on an interface.
Use undo ip subscriber unclassified-ip max-session to restore the default.
Syntax
ip subscriber unclassified-ip max-session max-number
undo ip subscriber unclassified-ip max-session
Default
The IPoE session limit for unclassified-IPv4 or ARP packet initiation on an interface is not set.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the IPoE session limit for unclassified-IPv4 or ARP packet initiation. The value range for this argument is 1 to 64000.
Usage guidelines
Application scenarios
If the IPoE session limit for unclassified-IPv4 or ARP packet initiation is reached, no more IPoE sessions can be initiated by unclassified-IPv4 or ARP packets. IPoE sessions initiated by unclassified-IPv4 packets include single-stack IPv4 sessions and dual-stack sessions.
Recommended configuration
In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber unclassified-ipv6 max-session command.
Restrictions and guidelines
If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.
When this command is executed together with the ip subscriber max-session command, both commands take effect. The two commands control sessions from different perspectives, and the number of sessions is limited by both. A new session can be established only when neither limit is reached.
Examples
# Set the IPoE session limit to 100 for unclassified-IPv4 or ARP packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip max-session 100
Related commands
ip subscriber initiator unclassified-ip enable
ip subscriber max-session
ip subscriber unclassified-ip username
Use ip subscriber unclassified-ip username to configure an authentication user naming convention for unclassified-IP users and static users.
Use undo ip subscriber unclassified-ip username to restore the default.
Syntax
ip subscriber unclassified-ip username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-ip [ address-separator address-separator ] [ separator separator ] | source-mac [ address-separator address-separator ] [ separator separator ] | string string [ separator separator ] | subslot [ separator separator ] | sysname [ separator separator ] | vlan [ separator separator ] } *
undo ip subscriber unclassified-ip username
Default
No authentication user naming convention is configured for unclassified-IP users and static users.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
nas-port-id: Includes the NAS-Port-ID attribute in a username.
port: Includes the number of the port that receives the user packets in a username.
second-vlan: Includes the inner VLAN ID in a username.
slot: Includes the number of the slot that receives the user packets in a username.
source-ip: Includes the source IP address in a username.
address-separator address-separator: Specifies any printable character as the separator for the IPv4 address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated IPv4 address (xxxx-xxxx-xxxx) or colon-separated IPv6 address (x::x:x). If you do not specify a separator, the username is the dot-separated IP address (x.x.x.x). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
source-mac: Includes the source MAC address in a username.
address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
string string: Includes the specified string in a username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
subslot: Includes the number of the subslot that receives the user packets in a username.
sysname: Includes the name of the device that receives the user packets in a username.
vlan: Includes the outer VLAN ID in a username.
separator separator: Specifies a character for separating an option and the option that follows. Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
Usage guidelines
Operating mechanism
Unclassified-IP users include dynamic individual users initiated by IP packets, ARP packets, and NS/NA packets.
Usernames obtained based on the naming convention are used for authentication and must be the same as those configured on the AAA server.
Restrictions and guidelines
You can specify one or more keywords in a naming convention. If you use a combination of keywords, a username obtained based on the naming convention includes the specified options in the configuration order.
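The following added example (not device code from this reference) assembles authentication usernames the way the naming convention above describes: options in configuration order, each followed by its separator, MAC and IP addresses formatted per the address-separator rules, and the at sign rejected because the AAA server cannot parse it. The sample user (slot, port, VLAN, MAC) is constructed, and treating an IPv6 source address as unchanged by address-separator is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# characters this page forbids in the string keyword
FORBIDDEN_STRING_CHARS = set('/\\|":*?<>@')
KEYWORDS = {"nas-port-id", "port", "second-vlan", "slot", "source-ip",
            "source-mac", "string", "subslot", "sysname", "vlan"}


def check_separator(sep: Optional[str]) -> None:
    """A separator is any single printable character except the at sign."""
    if sep is None:
        return
    if len(sep) != 1 or not sep.isprintable() or sep == "@":
        raise ValueError(f"invalid separator {sep!r}: the AAA server cannot parse '@'")


def format_mac(mac: str, address_separator: Optional[str] = None) -> str:
    """xxxxxxxxxxxx without a separator, xxxx-xxxx-xxxx style groups of four with one."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if address_separator is None:
        return digits
    return address_separator.join(digits[i:i + 4] for i in range(0, 12, 4))


def format_ip(ip: str, address_separator: Optional[str] = None) -> str:
    """Dot-separated IPv4 by default; the separator replaces the dots. IPv6 keeps its colons (assumption)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 or address_separator is None:
        return str(addr)
    return address_separator.join(str(addr).split("."))


def check_string(s: str) -> str:
    """string keyword: 1 to 128 characters, none of the forbidden characters."""
    if not 1 <= len(s) <= 128 or FORBIDDEN_STRING_CHARS & set(s):
        raise ValueError(f"invalid string {s!r}")
    return s


def build_username(convention: List[Tuple[str, Dict[str, str]]], user: Dict[str, object]) -> str:
    """Concatenate the configured options in order; a separator sits between an option and the next."""
    parts: List[str] = []
    for index, (keyword, opts) in enumerate(convention):
        if keyword not in KEYWORDS:
            raise ValueError(f"unknown keyword {keyword!r}")
        check_separator(opts.get("separator"))
        check_separator(opts.get("address-separator"))
        if keyword == "source-ip":
            value = format_ip(str(user["source-ip"]), opts.get("address-separator"))
        elif keyword == "source-mac":
            value = format_mac(str(user["source-mac"]), opts.get("address-separator"))
        elif keyword == "string":
            value = check_string(opts["string"])
        else:
            value = str(user[keyword])  # sysname, slot, subslot, port, vlan, second-vlan, nas-port-id
        parts.append(value)
        sep = opts.get("separator")
        if sep and index < len(convention) - 1:
            parts.append(sep)
    return "".join(parts)


# Constructed sample user (not from the page): packet received on slot 0, subslot 0, port 15, outer VLAN 100
SAMPLE_USER = {"sysname": "Sysname", "slot": 0, "subslot": 0, "port": 15, "vlan": 100,
               "second-vlan": 0, "source-ip": "192.168.1.10", "source-mac": "00E0-FC12-3456"}

# The second CLI example on this page: sysname # slot # subslot # port # vlan
PAGE_CONVENTION = [("sysname", {"separator": "#"}), ("slot", {"separator": "#"}),
                   ("subslot", {"separator": "#"}), ("port", {"separator": "#"}), ("vlan", {})]

if __name__ == "__main__":
    print(build_username(PAGE_CONVENTION, SAMPLE_USER))
    print(build_username([("source-mac", {"address-separator": "-"})], SAMPLE_USER))
```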
Examples
# Configure the source IP address as the authentication usernames for unclassified-IP users and static users on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip username include source-ip
# Configure an authentication user naming convention for unclassified-IP users and static users on Ten-GigabitEthernet 0/0/15. Each username contains the device name, slot number, subslot number, port number, and outer VLAN, separated by the pound sign (#).
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip username include sysname separator # slot separator # subslot separator # port separator # vlan
Related commands
ip subscriber initiator unclassified-ip enable
ip subscriber initiator unclassified-ipv6 enable
ip subscriber password
ip subscriber unclassified-ip-defense block-period
Use ip subscriber unclassified-ip-defense block-period to configure the blocking duration for unclassified-IP packet attack defense.
Use undo ip subscriber unclassified-ip-defense block-period to restore the default.
Syntax
ip subscriber unclassified-ip-defense block-period blocking-period
undo ip subscriber unclassified-ip-defense block-period
Default
The blocking duration for unclassified-IP packet attack defense is 600 seconds when the blocking threshold is reached.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
blocking-period: Specifies the blocking duration for unclassified-IP packet attack defense, in the range of 0 to 3600 seconds. When the blocking duration is 0, the attack defense blocked entries will not automatically age out. To unblock packets, you can execute the reset ip subscriber unclassified-ip-defense command to manually clear the attack defense blocked entries.
Usage guidelines
Operating mechanism
With unclassified-IP packet attack defense enabled on an interface, when the device generates an attack defense blocked entry for a specific source IP address on that interface, it will block packets from the same source IP address received from that interface for a duration of blocking-period, and drop all packets from that source IP address during the blocking duration. If the blocking duration is non-zero, the device will delete the attack defense blocked entry after the blocking duration expires.
When the attack defense blocked entry of a certain source IP address is deleted, if the device continues to receive IP packets from that source IP address, the device will regenerate the corresponding attack defense blocking entry and count the packets again. When the blocking conditions are met, the device will generate the corresponding attack defense blocked entry to block IP packets from that source IP address.
Restrictions and guidelines
This command takes effect only on newly generated attack defense blocked entries, but does not take effect on existing attack defense blocked entries.
On a live network, set a higher value for the blocking-period argument when the network security requirements are strict, and a lower value when the requirements are ordinary.
Examples
# Configure the blocking duration as 10 seconds for unclassified-IP packet attack defense on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip-defense block-period 10
Related commands
display ip subscriber unclassified-ip-defense
ip subscriber unclassified-ip-defense enable
ip subscriber unclassified-ip-defense threshold
reset ip subscriber unclassified-ip-defense
ip subscriber unclassified-ip-defense enable
Use ip subscriber unclassified-ip-defense enable to enable unclassified-IP packet attack defense.
Use undo ip subscriber unclassified-ip-defense enable to disable unclassified-IP packet attack defense.
Syntax
ip subscriber unclassified-ip-defense enable
undo ip subscriber unclassified-ip-defense enable
Default
Unclassified-IP packet attack defense is disabled.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
To avoid excessive resource usage caused by a large number of illegal IP packets, which can affect the onboarding efficiency of normal users, you can enable unclassified-IP packet attack defense.
Operating mechanism
When this feature is enabled, the device generates an attack defense blocking entry (also called statistics entry) for a user upon receiving the first IP packet of the user. Then, the device checks whether the user meets the trigger conditions for IPoE user onboarding based on the device configuration.
· Before the check result is confirmed, the device drops all IP packets from the user based on the attack defense blocking entry. The first IP packet is also counted as a dropped packet because it is used to check the configuration. Even if the user packet count reaches the blocking threshold during this phase, no attack defense blocked entries will be generated.
· After the check result is confirmed, the following rules apply:
¡ If the trigger conditions are met, the device will initiate the IPoE user onboarding process based on the first IP packet of the user.
- The device continues to drop IP packets from the user based on the attack defense blocking entry until the onboarding result (successful or failed) of the user is determined. Even if the user packet count reaches the blocking threshold during this phase, no attack defense blocked entries will be generated.
- After the onboarding result (successful or failed) of the user is determined, the device will automatically delete the attack defense blocking entry of the user.
¡ If the trigger conditions are not met, the device checks whether the packet count of the user has reached the blocking threshold configured by using the ip subscriber unclassified-ip-defense threshold command:
- If the blocking threshold is reached, the device deletes the attack defense blocking entry of the user and generates an attack defense blocked entry for the user. Subsequently, the device drops IP packets from the user based on the attack defense blocked entry and outputs attack log messages. The attack log messages generated by the device will be sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.
- If the blocking threshold is not reached, the device continues to wait for subsequent packets. If the IP packets of the user are not received within a packet statistics collection interval (configured by using the interval parameter in the ip subscriber unclassified-ip-defense threshold command), the device will delete the attack defense blocking entry of the user. If the IP packets of the user are received again within a packet statistics collection interval, the device will re-check whether the user meets the trigger conditions for IPoE user onboarding based on the existing configuration and repeat the preceding process. During this phase, the device will not regenerate an attack defense blocking entry for the user but will directly use the existing one.
Restrictions and guidelines
Executing the undo form of this command on an interface to disable attack defense will also delete all attack defense blocking entries and attack defense blocked entries generated on the interface.
Examples
# Enable unclassified-IP packet attack defense on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip-defense enable
Related commands
display ip subscriber unclassified-ip-defense
ip subscriber unclassified-ip-defense block-period
ip subscriber unclassified-ip-defense threshold
reset ip subscriber unclassified-ip-defense
ip subscriber unclassified-ip-defense threshold
Use ip subscriber unclassified-ip-defense threshold to configure the blocking threshold for unclassified-IP packet attack defense.
Use undo ip subscriber unclassified-ip-defense threshold to restore the default.
Syntax
ip subscriber unclassified-ip-defense threshold packet-number interval interval
undo ip subscriber unclassified-ip-defense threshold
Default
When the total number of IP packets received from the same source IP address within 300 seconds reaches 6000, the blocking threshold for attack defense is reached.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
packet-number: Specifies the number of packets in the range of 100 to 4294967295. When the value for this argument is modified, the modification takes effect on both newly generated and existing attack defense blocking entries.
interval interval: Specifies the packet statistics collection interval in the range of 60 to 3600 seconds. When the value for this argument is modified, the modification takes effect only on newly generated attack defense blocking entries and does not take effect on existing attack defense blocking entries.
Usage guidelines
Operating mechanism
With unclassified-IP packet attack defense enabled on an interface, the device will monitor and collect statistics of the IP packets sent by all offline users and received on the interface. For users who do not meet the triggering conditions for IPoE user onboarding, if the device receives a specified number (packet-number) of IP packets from the same source IP address within one packet statistics collection interval (interval), the device will determine that the packets from that source IP address are malicious. Then, the device will generate an attack defense blocked entry to block the attack packets from that source IP address and output attack log messages.
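The following added example (not device code from this reference) simulates the attack defense state machine described for the ip subscriber unclassified-ip-defense enable, threshold and block-period commands: a blocking (statistics) entry per offline source, no blocked entry while onboarding is pending, a blocked entry once packet-number packets arrive within one interval, aging of blocked entries after block-period (never when it is 0), and manual clearing. The trigger-condition check is modelled as a caller-supplied function, the interval as an idle timeout, and the timestamps and source addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class DefenseConfig:
    packet_number: int = 6000  # blocking threshold (page default)
    interval: int = 300        # packet statistics collection interval, seconds (page default)
    block_period: int = 600    # blocking duration, seconds; 0 = blocked entries never age out


@dataclass
class BlockingEntry:
    """Attack defense blocking entry (statistics entry) kept per offline source IP."""
    last_seen: float
    count: int = 0
    onboarding: bool = False   # onboarding initiated, result not yet determined


class UnclassifiedIpDefense:
    def __init__(self, cfg: DefenseConfig, trigger_met: Callable[[str], bool]):
        self.cfg = cfg
        self.trigger_met = trigger_met        # do this source's packets meet the configured trigger conditions?
        self.blocking: Dict[str, BlockingEntry] = {}
        self.blocked: Dict[str, float] = {}   # src_ip -> time the blocked entry was generated
        self.logs: List[str] = []             # attack log messages (would go to the information center)

    def _age(self, now: float) -> None:
        # blocked entries are deleted after block_period; a period of 0 disables aging
        if self.cfg.block_period:
            for ip in [ip for ip, t in self.blocked.items() if now - t >= self.cfg.block_period]:
                del self.blocked[ip]
        # a blocking entry is deleted when no packet arrives within one statistics interval
        for ip in [ip for ip, e in self.blocking.items() if now - e.last_seen >= self.cfg.interval]:
            del self.blocking[ip]

    def receive(self, src_ip: str, now: float) -> str:
        """Process one IP packet from an offline source and return the action taken."""
        self._age(now)
        if src_ip in self.blocked:
            return "drop:blocked"             # blocked entry: everything from this source is dropped
        entry = self.blocking.setdefault(src_ip, BlockingEntry(last_seen=now))
        entry.last_seen = now
        entry.count += 1                      # the first packet is counted as a dropped packet too
        if entry.onboarding:
            return "drop:onboarding"          # threshold is ignored while the result is pending
        if self.trigger_met(src_ip):
            entry.onboarding = True
            return "onboard"                  # onboarding starts with this first packet
        if entry.count >= self.cfg.packet_number:
            del self.blocking[src_ip]         # statistics entry replaced by a blocked entry
            self.blocked[src_ip] = now
            self.logs.append(f"attack defense: {entry.count} packets from {src_ip} "
                             f"within {self.cfg.interval}s, source blocked")
            return "block"
        return "drop:counting"                # below threshold: keep waiting for more packets

    def onboarding_done(self, src_ip: str) -> None:
        """Onboarding result (success or failure) determined: the statistics entry is removed."""
        self.blocking.pop(src_ip, None)

    def reset(self) -> None:
        """Manual clear of blocked entries, as reset ip subscriber unclassified-ip-defense does."""
        self.blocked.clear()


if __name__ == "__main__":
    # constructed trace: one legitimate source, one source that never meets the trigger conditions
    d = UnclassifiedIpDefense(DefenseConfig(packet_number=100, interval=60, block_period=10),
                              trigger_met=lambda ip: ip == "192.168.1.10")
    print(d.receive("192.168.1.10", 0.0))
    for i in range(100):
        action = d.receive("10.0.0.9", 1.0 + i * 0.001)
    print(action, d.logs)
```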
Recommended configuration
On a live network, set a lower value for the packet-number argument when the network security requirements are strict, and a higher value when the requirements are ordinary, keeping the interval argument unchanged in both cases.
Examples
# Configure the blocking threshold for attack defense on Ten-GigabitEthernet 0/0/15 as a total number of 5000 IP packets received from the same source IP address within 360 seconds.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ip-defense threshold 5000 interval 360
Related commands
display ip subscriber unclassified-ip-defense
ip subscriber unclassified-ip-defense enable
ip subscriber unclassified-ip-defense block-period
reset ip subscriber unclassified-ip-defense
ip subscriber unclassified-ipv6 max-session
Use ip subscriber unclassified-ipv6 max-session to set the IPoE session limit for unclassified-IPv6 or NS/NA packet initiation on an interface.
Use undo ip subscriber unclassified-ipv6 max-session to restore the default.
Syntax
ip subscriber unclassified-ipv6 max-session max-number
undo ip subscriber unclassified-ipv6 max-session
Default
The IPoE session limit for unclassified-IPv6 or NS/NA packet initiation on an interface is not set.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the IPoE session limit for unclassified-IPv6 or NS/NA packet initiation. The value range for this argument is 1 to 64000.
Usage guidelines
Application scenarios
If the IPoE session limit for unclassified-IPv6 or NS/NA packet initiation is reached, no more IPoE sessions can be initiated by unclassified-IPv6 or NS/NA packets. IPoE sessions initiated by unclassified-IPv6 or NS/NA packets include single-stack IPv6 sessions and dual-stack IPoE sessions.
Recommended configuration
In a dual-stack IPoE network, as a best practice, configure the same IPoE session limit by using this command and the ip subscriber unclassified-ip max-session command.
Restrictions and guidelines
If the configured limit is smaller than the number of existing sessions on an interface, the configuration succeeds and the existing sessions are not affected. However, new sessions cannot be initiated on the interface.
When this command is executed together with the ip subscriber max-session command, both commands take effect. The two commands control sessions from different perspectives, and the number of sessions is limited by both. A new session can be established only when neither limit is reached.
Examples
# Set the IPoE session limit to 100 for unclassified-IPv6 or NS/NA packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber unclassified-ipv6 max-session 100
Related commands
ip subscriber initiator unclassified-ipv6 enable
ip subscriber max-session
ip subscriber username
Use ip subscriber username to configure the username for an IPoE individual user.
Use undo ip subscriber username to restore the default.
Syntax
ip subscriber username { mac-address [ address-separator address-separator ] [ lowercase | uppercase ] | string string }
undo ip subscriber username
Default
No username is configured for an IPoE individual user.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
mac-address: Uses a MAC address as the username. The MAC address of the user is preferentially used. If the user MAC address cannot be obtained, the source MAC address of packets is used. By default, the letters in a MAC address are lower-case and the MAC address does not have hyphens.
address-separator address-separator: Specifies any printable character as the separator for the MAC address. For example, if you specify a hyphen (-) as the separator, the username is the hyphen-separated MAC address (xxxx-xxxx-xxxx). If you do not specify a separator, the username is the non-separated MAC address (xxxxxxxxxxxx). Do not use the at sign (@) as the separator. The AAA server cannot parse a username containing the at sign (@).
lowercase: Specifies the letters in the MAC address as lower-case.
uppercase: Specifies the letters in the MAC address as upper-case.
string string: Uses the specified string as the username, a case-sensitive string of 1 to 128 characters. The string cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Application scenarios
To avoid configuring usernames for each initiation method separately when multiple individual session initiation methods are configured on an interface, you can use this command to uniformly configure authentication usernames for all individual users on an interface.
Operating mechanism
For individual users using bind authentication, a username is selected in the following order until a match is found:
1. Username configured by using the command specific to the users.
· For DHCP users, username obtained by using the ip subscriber dhcp username command.
· For ND RS users, username obtained by using the ip subscriber ndrs username command.
· For unclassified-IP users, username obtained by using the ip subscriber unclassified-ip username command.
· For static users:
- The username parameter specified in the ip subscriber session static command. (Applicable only to global static access users.)
- The authentication username obtained by using the ip subscriber unclassified-ip username command.
2. Username configured by using the ip subscriber username command.
3. Default username.
· For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.
· For ND RS users, source MAC address of packets.
· For unclassified-IP users and static individual users, source IP address of packets.
For Web authentication and Web MAC authentication in the preauthentication phase, a username is selected for individual users in the same order as for individual users using bind authentication.
For Web authentication in the Web authentication phase, a username is selected in the following order for individual users until a match is found:
1. Username that the user enters when logging in.
2. Username configured by using the ip subscriber username command.
3. Default username.
· For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.
· For ND RS users, source MAC address of packets.
· For static users, source IP address of packets.
For Web MAC authentication in the Web authentication phase, a username is selected in the following order for individual users until a match is found:
1. Username configured by using the ip subscriber username command.
2. Default username.
· For DHCP users, MAC address of the user. If the user MAC address cannot be obtained, the source MAC address of packets is used.
· For ND RS users, source MAC address of packets.
· For static users, source IP address of packets.
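The selection orders above are easy to misread when several username sources are configured on one interface, because the answer depends on the access type, the authentication phase, and whether the user MAC is known. The following Python model is an added example written for this reference, not code from the device or its vendor; the IpoeUser and InterfaceConfig field names, the phase labels ("bind", "web", "web-mac") and the tuple form of the ip subscriber username setting are this example's own assumptions. It also implements the MAC formatting rules of the mac-address keyword (separator, case, and the rejection of the at sign that the AAA server cannot parse).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of an IPoE individual user and of the per-interface
# username configuration. Field names are assumptions for this example.


@dataclass
class IpoeUser:
    access_type: str                      # "dhcp", "ndrs", "unclassified-ip" or "static"
    user_mac: Optional[str]               # MAC learned for the user, None if unknown
    packet_src_mac: str                   # source MAC of the user's packets
    packet_src_ip: str                    # source IP of the user's packets
    global_static: bool = False           # True only for global static access users
    login_username: Optional[str] = None  # name entered on the Web login page


@dataclass
class InterfaceConfig:
    dhcp_username: Optional[str] = None             # ip subscriber dhcp username
    ndrs_username: Optional[str] = None             # ip subscriber ndrs username
    unclassified_ip_username: Optional[str] = None  # ip subscriber unclassified-ip username
    static_session_username: Optional[str] = None   # username in ip subscriber session static
    # ip subscriber username: ("mac-address", separator-or-None, uppercase) or ("string", value)
    username: Optional[Tuple] = None


def format_mac_username(mac: str, separator: Optional[str], uppercase: bool) -> str:
    """Render a MAC address the way ip subscriber username mac-address would."""
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if separator == "@":
        # The AAA server cannot parse a username containing the at sign.
        raise ValueError("the at sign (@) cannot be used as the separator")
    digits = digits.upper() if uppercase else digits.lower()
    if separator:
        digits = separator.join(digits[i:i + 4] for i in range(0, 12, 4))
    return digits


def mac_of(user: IpoeUser) -> str:
    # The user MAC is preferred; fall back to the packet source MAC.
    return user.user_mac or user.packet_src_mac


def interface_username(cfg: InterfaceConfig, user: IpoeUser) -> Optional[str]:
    """Username produced by the ip subscriber username command, if configured."""
    if cfg.username is None:
        return None
    if cfg.username[0] == "string":
        return cfg.username[1]
    _, separator, uppercase = cfg.username
    return format_mac_username(mac_of(user), separator, uppercase)


def type_specific_username(cfg: InterfaceConfig, user: IpoeUser) -> Optional[str]:
    """Step 1 of the bind-authentication order: the command specific to the user type."""
    if user.access_type == "dhcp":
        return cfg.dhcp_username
    if user.access_type == "ndrs":
        return cfg.ndrs_username
    if user.access_type == "unclassified-ip":
        return cfg.unclassified_ip_username
    if user.access_type == "static":
        if user.global_static and cfg.static_session_username:
            return cfg.static_session_username
        return cfg.unclassified_ip_username
    raise ValueError(f"unknown access type {user.access_type!r}")


def default_username(user: IpoeUser) -> str:
    """Last step of every order: the default username for the access type."""
    if user.access_type == "dhcp":
        return mac_of(user)
    if user.access_type == "ndrs":
        return user.packet_src_mac
    return user.packet_src_ip  # unclassified-IP and static users


def select_username(cfg: InterfaceConfig, user: IpoeUser, phase: str) -> str:
    """phase: "bind" (also Web/Web MAC preauthentication), "web" (Web
    authentication phase) or "web-mac" (Web MAC authentication phase)."""
    if phase == "bind":
        candidates = [type_specific_username(cfg, user), interface_username(cfg, user)]
    elif phase == "web":
        candidates = [user.login_username, interface_username(cfg, user)]
    elif phase == "web-mac":
        candidates = [interface_username(cfg, user)]
    else:
        raise ValueError(f"unknown phase {phase!r}")
    for candidate in candidates:
        if candidate:
            return candidate
    return default_username(user)
```

A practical use is auditing: feed the interface's configuration and a sample user of each access type through select_username for every phase, and compare the result with what the AAA server expects; a mismatch between the name sent by the BRAS and the name provisioned on the server is a common cause of otherwise unexplained authentication failures.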
Examples
# Use the MAC address of an IPoE individual user as the username on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber username mac-address
ip subscriber user-detect ip
Use ip subscriber user-detect ip to configure online detection for IPv4 protocol stack users.
Use undo ip subscriber user-detect ip to restore the default.
Syntax
ip subscriber user-detect ip { arp | icmp } retry retries interval interval [ no-datacheck ]
undo ip subscriber user-detect ip
Default
Online detection is enabled for IPv4 protocol stack users.
· For leased subusers, no matter whether user uplink traffic is updated within a detection timer period (120 seconds), the BRAS sends ARP request packets to detect the online status of users after the detection timer expires. The BRAS performs a maximum of five detection attempts after the first detection failure.
· For other users, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period (120 seconds). If user uplink traffic is not updated within a detection timer period, the BRAS uses the ARP request packets to detect the online status of IPv4 protocol stack users. The BRAS performs a maximum of five detection attempts after the first detection failure.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
arp: Specifies the ARP request packet as detection packets.
icmp: Specifies the ICMP request packet as detection packets.
retry retries: Specifies the maximum number of detection attempts following the first detection attempt, in the range of 1 to 255.
interval interval: Configures the detection timer for each attempt, in the range of 1 to 32767 seconds.
no-datacheck: Specifies an interface to send detection packets after the detection timer expires no matter whether user uplink traffic is updated within a detection timer period. If this keyword is not specified, the following rules apply:
· If user uplink traffic is updated within a detection timer period, no detection packets are sent within one detection timer period after the detection timer expires.
· If user uplink traffic is not updated within a detection timer period, detection packets are sent after the detection timer expires.
When the accounting mode is merge for dual-stack users, the sum of IPv4 uplink traffic and IPv6 uplink traffic is used to determine whether the user uplink traffic is updated. This keyword does not take effect on leased subusers.
Usage guidelines
Operating mechanism
With online detection enabled for IPv4 protocol stack users on an interface, the BRAS periodically detects the online status of an IPv4 protocol stack user after the user comes online on the interface.
After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets before the detection timer expires, it sends a detection packet to the user.
· If the BRAS receives user packets within the maximum detection attempts, the BRAS assumes that the user is online. It resets the detection failure counter, and starts the next detection attempt.
· If the BRAS receives no user packets after detection attempts reach the maximum, the BRAS assumes the user is offline and deletes the session.
Restrictions and guidelines
This feature uses ARP or ICMP requests to detect IPv4 protocol stack users. If IPv4 protocol stack users and the interface are in different subnets, only ICMP request packets can be used for detection.
Do not configure both ARP and ICMP detection methods to detect the IPv4 protocol stack users.
The IPv4 protocol stack in this command includes the single IPv4 protocol stack and the IPv4 stack in the dual stack.
· For the single IPv4 protocol stack, this feature supports only leased subusers in Layer 2 access mode and individual users.
· For the dual stack, this feature supports only individual users. Online detection is performed for the two protocol stacks separately. Online detection failure for a stack does not affect the online status of the other stack.
Examples
# Configure online detection for IPv4 protocol stack users on Ten-GigabitEthernet 0/0/15. The maximum number of detection attempts is 5 after the first failure, the detection timer is 100 seconds, and the detection packet type is ARP.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber user-detect ip arp retry 5 interval 100
Related commands
ip subscriber enable
ip subscriber user-detect ipv6
Use ip subscriber user-detect ipv6 to configure online detection for IPv6 protocol stack users.
Use undo ip subscriber user-detect ipv6 to disable online detection for IPv6 protocol stack users.
Syntax
ip subscriber user-detect ipv6 { icmp | nd } retry retries interval interval [ no-datacheck ]
undo ip subscriber user-detect ipv6
Default
Online detection is enabled for IPv6 protocol stack users.
· For leased subusers, no matter whether user uplink traffic is updated within a detection timer period (120 seconds), the BRAS sends ND Neighbor Solicitation (NS) packets to detect the online status of users after the detection timer expires. The BRAS performs a maximum of five detection attempts after the first detection failure.
· For other users, no detection packets are sent after the detection timer expires if user uplink traffic is updated within a detection timer period (120 seconds). If user uplink traffic is not updated within a detection timer period, the BRAS uses the ND NS packets to detect the online status of IPv6 protocol stack users. The BRAS performs a maximum of five detection attempts after the first detection failure.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
icmp: Specifies the ICMPv6 request packet as detection packets. For detection to succeed when this keyword is specified, you must configure a global unicast address on the access interface.
nd: Specifies the NS packets of the ND protocol as detection packets.
retry retries: Specifies the maximum number of detection attempts following the first detection attempt, in the range of 1 to 255.
interval interval: Configures the detection timer in the range of 1 to 32767 seconds.
no-datacheck: Specifies an interface to send detection packets after the detection timer expires no matter whether user uplink traffic is updated within a detection timer period. If this keyword is not specified, the following rules apply:
· If user uplink traffic is updated within a detection timer period, no detection packets are sent within one detection timer period after the detection timer expires.
· If user uplink traffic is not updated within a detection timer period, detection packets are sent after the detection timer expires.
When the accounting mode is merge for dual-stack users, the sum of IPv4 uplink traffic and IPv6 uplink traffic is used to determine whether the user uplink traffic is updated. This keyword does not take effect on leased subusers.
Usage guidelines
Operating mechanism
With online detection enabled for IPv6 protocol stack users on an interface, the BRAS periodically detects the online status of an IPv6 protocol stack user after the user comes online on the interface.
After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets before the detection timer expires, it sends a detection packet to the user.
· If the BRAS receives user packets within the maximum detection attempts, the BRAS assumes that the user is online. It resets the detection failure counter, and starts the next detection attempt.
· If the BRAS receives no user packets after detection attempts reach the maximum, the BRAS assumes the user is offline and deletes the session.
Restrictions and guidelines
This feature uses NS packets of the ND protocol or ICMPv6 requests to detect IPv6 protocol stack users. If IPv6 protocol stack users and the interface are in different subnets, only ICMPv6 request packets can be used for detection.
Do not configure both ICMPv6 and ND detection methods to detect the IPv6 protocol stack users.
The IPv6 protocol stack in this command includes the single IPv6 protocol stack and the IPv6 stack in the dual stack.
· For the single IPv6 protocol stack, this feature supports only leased subusers in Layer 2 access mode and individual users.
· For the dual stack, this feature supports only individual users. Online detection is performed for the two protocol stacks separately. Online detection failure for a stack does not affect the online status of the other stack.
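The operating mechanism is the same for ip subscriber user-detect ip and ip subscriber user-detect ipv6: a detection timer, a probe only when no uplink traffic was seen (unless no-datacheck is set or the user is a leased subuser), a failure counter reset by any user packet, and session deletion once the first failure plus retry further attempts all fail. The following Python simulation is an added example written for this reference, not vendor code; the per-period (traffic, answered) tuples, the DetectResult fields and the check_probe_method helper are this example's own assumptions. It also encodes the restriction that ARP and ND NS probing only works when the user is on the interface subnet, and shows that dual-stack detection runs per stack.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_INTERVAL = 120  # seconds, the default detection timer
DEFAULT_RETRIES = 5     # default attempts after the first detection failure


def check_probe_method(method: str, user_addr: str, interface_prefix: str) -> str:
    """Reject ARP / ND NS probing when the user is not on the interface subnet;
    only ICMP (IPv4) or ICMPv6 echo requests work across subnets."""
    addr = ipaddress.ip_address(user_addr)
    net = ipaddress.ip_network(interface_prefix, strict=False)
    if addr.version != net.version:
        raise ValueError("user address and interface prefix differ in IP version")
    if (method == "arp" and addr.version != 4) or (method == "nd" and addr.version != 6):
        raise ValueError(f"{method} cannot probe an IPv{addr.version} user")
    if method in ("arp", "nd") and addr not in net:
        raise ValueError(f"{method} detection needs an on-link user; use icmp")
    return method


@dataclass
class DetectResult:
    online: bool
    probes_sent: int
    offline_period: Optional[int]  # detection period in which the session was deleted


# One tuple per detection timer period: (uplink traffic updated, user answered the probe)
Period = Tuple[bool, bool]


def detect(periods: List[Period], retries: int = DEFAULT_RETRIES,
           no_datacheck: bool = False, leased_subuser: bool = False) -> DetectResult:
    """Walk the detection timer periods for one protocol stack of one user."""
    failures = 0
    probes = 0
    for n, (traffic, answered) in enumerate(periods, start=1):
        if traffic:
            failures = 0  # user packets received: the user is online (counter reset)
            if not (no_datacheck or leased_subuser):
                continue  # traffic updated in the period: no probe this period
        probes += 1  # timer expired without traffic (or data check disabled): probe
        if answered:
            failures = 0
            continue
        failures += 1
        if failures > retries:  # first failure plus `retries` more failed attempts
            return DetectResult(False, probes, n)  # user assumed offline, session deleted
    return DetectResult(True, probes, None)


def detect_dual_stack(v4: List[Period], v6: List[Period],
                      retries: int = DEFAULT_RETRIES) -> Dict[str, DetectResult]:
    """Dual-stack individual users: each stack is probed independently and a
    failure on one stack does not take the other stack offline."""
    return {"ipv4": detect(v4, retries), "ipv6": detect(v6, retries)}
```

The simulation makes the tuning trade-off visible: with the defaults a silent user is kept for interval × (retries + 1) seconds, so shortening the timer or the retry count frees stale sessions sooner, while no-datacheck raises probe load on busy interfaces because traffic no longer suppresses probes.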
Examples
# Configure online detection for IPv6 protocol stack users on Ten-GigabitEthernet 0/0/15. The maximum number of detection attempts is 3 after the first failure, the detection timer is 50 seconds, and the detection packet type is ND.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber user-detect ipv6 nd retry 3 interval 50
Related commands
ip subscriber enable
ip subscriber vlan
Use ip subscriber vlan to bind an ISP domain to IPoE users who send packets with the specified VLAN IDs.
Use undo ip subscriber vlan to remove the binding between an ISP domain and IPoE users who send packets with the specified VLAN IDs.
Syntax
ip subscriber vlan vlan-list domain domain-name
undo ip subscriber vlan vlan-list
Default
No ISP domain is bound to IPoE users who send packets with the specified VLAN IDs.
Views
Layer 3 aggregate subinterface view
Layer 3 Ethernet subinterface view
L3VE subinterface view
Predefined user roles
network-admin
Parameters
vlan-list: Specifies a space-separated list of up to 10 VLAN ID items. Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The VLAN ID is in the range of 1 to 4094.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
This command configures an ISP domain for DHCP users, unclassified-IP users, and static individual users who send IP packets with the specified VLAN IDs.
For how an ISP domain is selected for a DHCP user, see the ip subscriber dhcp domain command.
For how an ISP domain is selected for an unclassified-IP user, see the ip subscriber unclassified-ip domain command.
For how an ISP domain is selected for an IPoE static user, see the ip subscriber session static command.
For how an ISP domain is selected for an IPoE subnet-leased user, see the ip subscriber subnet-leased command.
For how an ISP domain is selected for an IPoE interface-leased user, see the ip subscriber interface-leased command.
For how an ISP domain is selected for an IPoE L2VPN-leased user, see the ip subscriber l2vpn-leased command.
Restrictions and guidelines
For the ip subscriber vlan command to take effect, you must execute the ip subscriber service-identify { second-vlan | vlan } command to configure the corresponding service identifier first.
Examples
# Configure an ISP domain for users who send IP packets with VLAN IDs 2 to 100 on Ten-GigabitEthernet 0/0/15.100.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15.100
[Sysname-Ten-GigabitEthernet0/0/15.100] ip subscriber service-identify second-vlan
[Sysname-Ten-GigabitEthernet0/0/15.100] ip subscriber vlan 2 to 100 domain vlandm
Related commands
ip subscriber service-identify
ip subscriber web-auth domain
Use ip subscriber web-auth domain to configure the domain for Web authentication.
Use undo ip subscriber web-auth domain to restore the default.
Syntax
ip subscriber web-auth domain domain-name
undo ip subscriber web-auth domain
Default
No domain is configured for Web authentication.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the slash (/), back slash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
Operating mechanism
When Web MAC authentication is configured with multiple types of domains, an ISP domain is selected in the following order until a match is found during the Web authentication phase:
1. Domain carried in the username. If the domain has not been created, the user fails to come online.
2. Web authentication domain specified by using the ip subscriber web-auth domain command. If the specified domain has not been created, the user fails to come online.
3. ISP domain selected by the AAA module. For more information, see AAA configuration in BRAS Services Configuration Guide.
For how an ISP domain is selected during the Web authentication phase when Web MAC authentication is used, see the ip subscriber mac-auth domain command.
Restrictions and guidelines
The ISP domain configured for Web authentication applies to only individual users using Web authentication and Web MAC authentication during the Web authentication phase.
The ISP domain modification for Web authentication takes effect only on new users.
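The selection order above has a hard failure mode: a domain carried in the username or configured with ip subscriber web-auth domain that has not been created stops the user from coming online rather than falling through to the next step. The following Python model is an added example for this reference, not device code; the created_domains set, the aaa_domain parameter standing in for the domain the AAA module would pick, and the DomainNotCreated exception are this example's own assumptions. It also applies the character and length restrictions listed for the domain-name parameter.

```python
from typing import Optional, Set, Tuple

# Characters the domain-name parameter may not contain, per the Parameters section.
FORBIDDEN = set('/\\|":*?<>@')


class DomainNotCreated(Exception):
    """Raised where the text says the user fails to come online."""


def validate_domain_name(name: str) -> str:
    """1 to 255 characters, none of / \\ | " : * ? < > @."""
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name must be 1 to 255 characters")
    bad = FORBIDDEN.intersection(name)
    if bad:
        raise ValueError(f"domain name contains forbidden characters: {''.join(sorted(bad))}")
    return name


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Return (pure username, carried domain); the domain is the part after the last '@'."""
    if "@" in username:
        pure, domain = username.rsplit("@", 1)
        return pure, domain
    return username, None


def select_web_auth_domain(username: str, created_domains: Set[str],
                           web_auth_domain: Optional[str], aaa_domain: str) -> str:
    """Selection order for the Web authentication phase:
    1) domain carried in the username, 2) ip subscriber web-auth domain,
    3) the ISP domain chosen by the AAA module (aaa_domain, an assumption here).
    Domain names are case-insensitive, so comparison is done in lower case."""
    created = {d.lower() for d in created_domains}
    _, carried = split_username(username)
    if carried is not None:
        if carried.lower() not in created:
            raise DomainNotCreated(carried)   # step 1: user fails to come online
        return carried.lower()
    if web_auth_domain is not None:
        if web_auth_domain.lower() not in created:
            raise DomainNotCreated(web_auth_domain)  # step 2: user fails to come online
        return web_auth_domain.lower()
    return aaa_domain
```

Because the configured Web authentication domain applies only to new users, a change that points to a domain not yet created shows up as login failures for new subscribers only; running the configured name through validate_domain_name and checking it against the created domains before committing avoids that outage.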
Examples
# Specify ISP domain dm1 for Web authentication on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber web-auth domain dm1
Related commands
ip subscriber authentication-method
ip subscriber mac-auth domain
ip subscriber web-redhcp enable
Use ip subscriber web-redhcp enable to enable re-DHCP for IPoE Web authentication.
Use undo ip subscriber web-redhcp enable to disable re-DHCP for IPoE Web authentication.
Syntax
ip subscriber web-redhcp enable
undo ip subscriber web-redhcp enable
Default
Re-DHCP for IPoE Web authentication is disabled.
Views
Layer 3 aggregate interface/subinterface view
Layer 3 Ethernet interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
To solve IP address planning and allocation problems, you can enable re-DHCP for IPoE Web authentication. With re-DHCP enabled for IPoE Web authentication on an interface, the interface allocates public IP addresses on the specified network segment to only users coming online through transparent MAC authentication. In this way, the network segment for online users is limited and effectively controlled.
Operating mechanism
With this feature enabled, when a DHCP user first comes online, the access device assigns a temporary IP address to the user in the preauthentication phase. When the user comes online in the Web authentication phase, the AAA server adds a user record for the user. When the user comes online for the second time, the user performs transparent MAC authentication in the preauthentication phase, and the device assigns a new public IP address to the user. Then, the user stays in the preauthentication domain.
This feature is supported only in Layer 2 IPoE access mode.
Examples
# Enable re-DHCP for IPoE Web authentication on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber web-redhcp enable
Related commands
ip subscriber authentication-method web
reset ip subscriber abnormal-logout
Use reset ip subscriber abnormal-logout to clear entry information about abnormally logged out IPoE users.
Syntax
reset ip subscriber abnormal-logout [ vsrp-instance vsrp-instance-name ]
Views
User view
Predefined user roles
network-admin
Parameters
vsrp-instance vsrp-instance-name: Specifies a VSRP instance by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
This command clears entry information about abnormally logged out IPoE users. If you do not specify any option, this command clears entry information about all abnormally logged out IPoE users.
Examples
# Clear entry information about all abnormally logged out IPoE users.
<Sysname> reset ip subscriber abnormal-logout
Related commands
display ip subscriber abnormal-logout
reset ip subscriber chasten user auth-failed
Use reset ip subscriber chasten user auth-failed to clear information about IPoE individual users with authentication failure records that have not met the blocking conditions.
Syntax
reset ip subscriber chasten user auth-failed [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
ip ipv4-address: Specifies the source IPv4 address of a blocked IPoE user.
ipv6 ipv6-address: Specifies the source IPv6 address of a blocked IPoE user.
mac mac-address: Specifies the MAC address of a blocked IPoE user, in the format of H-H-H.
Usage guidelines
By default, with the user blocking feature enabled, authentication failure records will be generated for IPoE access users that fail authentication. Before the authentication failure records of a user reach the blocking conditions, the authentication failure records can automatically age out.
You can use this command to manually clear the IPoE user authentication failure records. If the user continues to fail authentication later, the authentication failure records will be generated and counted again.
If you do not specify any parameter, this command clears information about IPoE individual users with authentication failure records that have not met the blocking conditions.
Examples
# Clear information about IPoE individual users with authentication failure records that have not met the blocking conditions.
<Sysname> reset ip subscriber chasten user auth-failed
Related commands
ip subscriber authentication chasten
display ip subscriber chasten user auth-failed
reset ip subscriber chasten user quiet
Use reset ip subscriber chasten user quiet to clear information about blocked IPoE users.
Syntax
reset ip subscriber chasten user quiet [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
ip ipv4-address: Specifies the source IPv4 address of a blocked IPoE user.
ipv6 ipv6-address: Specifies the source IPv6 address of a blocked IPoE user.
mac mac-address: Specifies the MAC address of a blocked IPoE user, in the format of H-H-H.
Usage guidelines
A user will be blocked when the blocking conditions are met. By default, once a user is blocked, the blocking state of the user can be cleared only after the quiet time period expires. Within the quiet time period, the device drops packets from the IPoE user.
You can use this command to manually clear the blocking state of blocked users. After the blocking state of a user is cleared, if the device receives packets from the IPoE user again, the packets can still be processed.
If you do not specify any parameter, this command clears information about all blocked IPoE users.
Examples
# Clear information about blocked IPoE users.
<Sysname> reset ip subscriber chasten user quiet
Related commands
ip subscriber timer quiet
display ip subscriber chasten user quiet
reset ip subscriber http-defense destination-ip
Use reset ip subscriber http-defense destination-ip to clear entries of destination IP-based IPoE HTTP/HTTPS attack defense.
Syntax
In standalone mode:
reset ip subscriber http-defense destination-ip [ slot slot-number ] [ ip ipv4-address | ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]
In IRF mode:
reset ip subscriber http-defense destination-ip [ chassis chassis-number slot slot-number ] [ ip ipv4-address | ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)
ip ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the IPoE static leased users are in the public network.
Usage guidelines
Application scenarios
You can execute this command in any of the following scenarios:
· You want to immediately clear the attack defense blocking entries of some or all destination IP addresses rather than wait until these attack defense blocking entries automatically age out.
· You want to immediately unblock HTTP/HTTPS packets sent to some or all destination IP addresses rather than wait until these attack defense blocked entries automatically age out.
Operating mechanism
After you execute this command to manually clear the attack defense blocking entries and blocked entries of a destination IP address, if HTTP/HTTPS packets destined for that IP address continue to pass through the device, the device regenerates the corresponding attack defense blocking entries, counts the packets again, and, when the blocking conditions are met, generates blocked entries to block HTTP/HTTPS packets sent to that destination IP address.
Restrictions and guidelines
When you execute this command, follow these restrictions and guidelines:
· If you specify the ip ipv4-address or ipv6 ipv6-address option but do not specify the vpn-instance vpn-instance-name option in this command, this command clears the attack defense blocking entries and blocked entries of the specified IP address on the public network and all VPN instances.
· If you do not specify any parameter, this command clears the attack defense blocking entries and blocked entries of the public network and all VPN instances.
Examples
# Clear all attack defense blocking entries and blocked entries generated during IPoE HTTP/HTTPS attack defense.
<Sysname> reset ip subscriber http-defense destination-ip
Related commands
display ip subscriber http-defense unblocked-destination-ip
display ip subscriber http-defense blocked-destination-ip
reset ip subscriber roam-record
Use reset ip subscriber roam-record to clear all IPoE user roaming records.
Syntax
reset ip subscriber roam-record
Views
User view
Predefined user roles
network-admin
Usage guidelines
Execute this command to clear all existing IPoE user roaming records on the device when device memory is low or you need to clear existing IPoE user roaming records.
Examples
# Clear all IPoE user roaming records.
<Sysname> reset ip subscriber roam-record
Related commands
display ip subscriber roam-record
reset ip subscriber unclassified-ip-defense
Use reset ip subscriber unclassified-ip-defense to clear information of the unclassified-IP packet attack defense entries.
Syntax
reset ip subscriber unclassified-ip-defense [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
ip ipv4-address: Specifies a source IPv4 address.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
Application scenarios
You can execute this command in any of the following scenarios:
· You want to immediately clear the attack defense blocking entries of some or all source IP addresses rather than wait until these attack defense blocking entries automatically age out.
· You want to immediately unblock IP packets received from some or all source IP addresses rather than wait until these attack defense blocked entries automatically age out.
Operating mechanism
After you execute this command to manually clear the attack defense blocking entry and attack defense blocked entry of a certain source IP address, if the device continues to receive IP packets from that source IP address, the device will regenerate the corresponding attack defense blocking entry and count the packets again. When the blocking conditions are met, the device will generate the corresponding attack defense blocked entry to block IP packets from that source IP address.
Restrictions and guidelines
If no parameters are specified when you execute this command, this command clears all attack defense blocking entries and attack defense blocked entries.
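The threshold, interval, and block-period settings of unclassified-IP packet attack defense, the aging of blocking and blocked entries, and the recount that follows a manual reset are easier to reason about with a small model. The following Python class is an added example written for this reference, not device code; its dictionary and deque names, the assumption that the packet reaching the threshold creates the blocked entry immediately, and the run_trace helper with constructed (time, source) pairs are this example's own. It illustrates the tuning guidance given for the threshold command: a lower packet-number for the same interval blocks an abusive source after fewer packets.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class UnclassifiedIpDefense:
    """Per-source-IP counter modelled on the threshold (packet-number, interval)
    and block-period settings. Names of the internal tables are assumptions."""

    def __init__(self, packet_number: int, interval: int, block_period: int):
        self.packet_number = packet_number  # packets from one source within `interval`
        self.interval = interval            # seconds
        self.block_period = block_period    # seconds a blocked entry lives
        self.counting: Dict[str, Deque[float]] = defaultdict(deque)  # "blocking entries"
        self.blocked: Dict[str, float] = {}                           # "blocked entries": src -> expiry

    def packet(self, src: str, now: float) -> str:
        """Classify one unclassified-IP packet: 'dropped', 'counted' or 'blocked'."""
        expiry = self.blocked.get(src)
        if expiry is not None:
            if now < expiry:
                return "dropped"          # still inside the block period
            del self.blocked[src]         # blocked entry aged out; counting starts afresh
        window = self.counting[src]
        window.append(now)
        while window and now - window[0] >= self.interval:
            window.popleft()              # only packets inside the sliding interval count
        if len(window) >= self.packet_number:
            # Assumption: reaching the threshold creates the blocked entry at once.
            self.blocked[src] = now + self.block_period
            window.clear()
            return "blocked"
        return "counted"

    def reset(self, src: Optional[str] = None) -> None:
        """Mirror reset ip subscriber unclassified-ip-defense [ ip ipv4-address ]:
        clear the blocking entry and blocked entry of one source, or of all sources."""
        if src is None:
            self.counting.clear()
            self.blocked.clear()
        else:
            self.counting.pop(src, None)
            self.blocked.pop(src, None)


def run_trace(defense: UnclassifiedIpDefense, trace: List[Tuple[float, str]]) -> List[str]:
    """Feed constructed (time, source) pairs in order; return the verdict per packet."""
    return [defense.packet(src, t) for t, src in trace]
```

Two consequences worth checking before issuing the reset in production follow directly from the model: a reset re-admits the source only until it reaches the threshold again, so repeated resets against a still-active source just recreate the blocked entry, and a reset without parameters also discards the partial counts of every other source, not only the one being unblocked.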
Examples
# Clear information of all unclassified-IP packet attack defense entries.
<Sysname> reset ip subscriber unclassified-ip-defense
Related commands
display ip subscriber unclassified-ip-defense
static-user interface-list
Use static-user interface-list to create a static user interface list and enter its view, or enter the view of an existing static user interface list.
Use undo static-user interface-list to delete a static user interface list.
Syntax
static-user interface-list list-id
undo static-user interface-list list-id
Default
No static user interface list exists.
Views
System view
Predefined user roles
network-admin
Parameters
list-id: Specifies a static user interface list ID in the range of 1 to 65535.
Usage guidelines
When multiple static IPoE users on the same subnet need to come online through multiple access interfaces, first execute the static-user interface-list command to create a static user interface list, and then execute the add interface command to add to the list the interfaces through which static users are allowed to access.
Examples
# Create static user interface list 2 and enter its view.
<Sysname> system-view
[Sysname] static-user interface-list 2
[Sysname-static-interface-list2]
Related commands
display static-user interface-list
add interface
Old-style IPoE commands
CAUTION: Commands in this section are old-style commands reserved for compatibility with the network management software. As a best practice, use these commands only in situations where the network management software does not support the corresponding new-style commands and you want to manage BRASs by using old-style commands.
display ip subscriber session
Use display ip subscriber session to display information about IPoE individual sessions and static leased sessions.
Syntax
display ip subscriber session interface interface-type interface-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. In the current software version, only Layer 3 aggregate interfaces and Layer 3 aggregate subinterfaces are supported.
verbose: Displays detailed information about IPoE individual sessions and static IPoE leased sessions. If this parameter is not specified, this command displays only brief information about IPoE individual sessions and static leased sessions.
Usage guidelines
Both the display ip subscriber session command and the display access-user command can be used to display information about IPoE users. The display ip subscriber session command is an old-style command reserved for compatibility with the network management software. As a best practice, use the old-style command only when the network management software does not support the display access-user command, and use the display access-user command in any other cases.
Examples
# Display brief information about IPoE individual sessions and static leased sessions on Layer 3 aggregate interface 1.
<Sysname> display ip subscriber session interface route-aggregation 1
Type: D-DHCP S-Static U-Unclassified-IP N-NDRS
Interface IP address MAC address Type State
IPv6 address SVLAN/CVLAN VXLAN
IPv6 PD Prefix Username
RAGG1 1.1.1.1 000d-88f8-0eab D/U Online
1::1 -/- -
10::/64 User1
RAGG1 1.1.1.1 000d-88f8-0eab D/U Online
1::2 -/- -
10::/64 User1
Table 22 Command output
Field | Description |
---|---|
Interface | Name of the interface where the user resides. |
IP address | IPv4 address of the user. If no IPv4 user is online, this field displays a hyphen (-). |
IPv6 address | IPv6 address of the user. If no IPv6 user is online, this field displays a hyphen (-). For an ND RS user that came online in the prefix authorization through ND prefix pool method, this field displays the IPv6 ND prefix in the brief information and is not displayed in the detailed information. |
IPv6 PD Prefix | IPv6 PD prefix of the user. If no IPv6 IA_PD user is online, this field displays a hyphen (-). |
MAC address | MAC address of the user. |
SVLAN/CVLAN | Outer VLAN and inner VLAN of the user. If the user does not have an outer VLAN or inner VLAN, the outer VLAN or inner VLAN field displays a hyphen (-). |
Username | Username for authentication. |
Type | IPoE user type: · D—DHCP user. · S—Static user. · U—Unclassified-IP user. · N—IPv6 ND RS user. |
VXLAN | VXLAN ID of a user. If the user does not have VXLAN information, this field displays a hyphen (-). |
State | User session state: · Init—Initializing. · Authing—Authentication in progress. · Authed—Authentication completed. · Reauth—Reauthentication in progress. · Logout—Exiting the current authentication phase. · Online—Online. · Offline—Going offline. |
# Display detailed information about all IPoE individual sessions and static leased sessions. (ITA) (Distributed devices in standalone mode)
<Sysname> display ip subscriber session interface route-aggregation 1 verbose
Basic:
Description : -
Username : abc
Authorization domain : dm1
Authentication domain : dm1
VPN instance : vpn1
IP address : 1.1.1.1
IPv6 address : 1::1
User address type : private-ipv4
MAC address : 000d-88f8-0eab
IPv4 DUID : 000d-88f8-0eab
IPv6 DUID : 000d-88f8-0eab
Service-VLAN/Customer-VLAN : -/-
Access interface : RAGG1
User ID : 0x380800b5
VPI/VCI(for ATM) : -/-
VSI Index : -
VSI link ID : -
VXLAN ID : -
DNS servers : N/A
IPv6 DNS servers : N/A
DHCP lease : N/A
DHCP remain lease : N/A
DHCPv6 lease : N/A
DHCPv6 remain lease : N/A
DHCPv6 PD lease : N/A
DHCPv6 PD remain lease : N/A
Access time : May 9 08:56:29 2014
Online time (hh:mm:ss) : 00:16:37
Service node : Slot 0
Authentication type : Bind
IPv4 access type : DHCP
IPv6 access type : DHCP
IPv4 detect state : N/A
IPv6 detect state : N/A
State : Online
AAA:
ITA policy name : ipoe
IP pool : N/A
IPv6 pool : N/A
Primary DNS server : N/A
Secondary DNS server : N/A
Primary IPv6 DNS server : N/A
Secondary IPv6 DNS server : N/A
Session idle cut : N/A
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Traffic remained : N/A
Acct start-fail action : Online
Acct update-fail action : Online
Acct quota-out action : Offline
Dual-stack accounting mode : Merge
Max IPv4 multicast addresses: 4
IPv4 multicast address list : N/A
Max IPv6 multicast addresses: 4
IPv6 multicast address list : N/A
Accounting start time : May 9 08:56:29 2014 (succeed)
Subscriber ID : -
QoS:
User profile : abc (active)
Session group profile : N/A
User group ACL : N/A
Inbound CAR : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)
Outbound CAR : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)
Inbound user priority : 1 (active)
Outbound user priority : 1 (active)
NAT:
Global IP address : 111.8.0.234
Port block : 1024-1033
Extended port block : 2024-2033/3024-3033/4024-4033/5024-5033/6024-6033
Flow statistic:
Uplink packets/bytes : 0/0
Downlink packets/bytes : 0/0
IPv6 uplink packets/bytes : 0/0
IPv6 downlink packets/bytes : 0/0
ITA:
Acct merge : Disabled
Acct quota-out action : Offline
Denied level : None
Level-1 Inbound CAR : CIR 126976000kbps PIR 126976000kbps (active)
Outbound CAR : N/A
Traffic separate : Disabled
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Traffic remained : N/A
Uplink packets/bytes : 0/0
Downlink packets/bytes : 0/0
IPv6 uplink packets/bytes : 0/0
IPv6 downlink packets/bytes : 0/0
Level-2 Inbound CAR : N/A
Outbound CAR : N/A
Traffic separate : Disabled
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Traffic remained : N/A
Uplink packets/bytes : 0/0
Downlink packets/bytes : 0/0
IPv6 uplink packets/bytes : 0/0
IPv6 downlink packets/bytes : 0/0
# Display detailed information about all IPoE individual sessions and static leased sessions. (EDSG) (Distributed devices in standalone mode)
<Sysname> display ip subscriber session interface route-aggregation 1 verbose
Basic:
Description : -
Username : abc
Authorization domain : dm1
Authentication domain : dm1
VPN instance : vpn1
IP address : 1.1.1.1
IPv6 address : 1::1
User address type : private-ipv4
MAC address : 000d-88f8-0eab
Link-layer address : 0010-0094-0002
IPv4 DUID : 000d-88f8-0eab
IPv6 DUID : 000d-88f8-0eab
Service-VLAN/Customer-VLAN : -/-
User ID : 0x380800b5
VPI/VCI(for ATM) : -/-
VSI Index : -
VSI link ID : -
VXLAN ID : -
DNS servers : N/A
IPv6 DNS servers : N/A
DHCP lease : N/A
DHCP remain lease : N/A
DHCPv6 lease : N/A
DHCPv6 remain lease : N/A
DHCPv6 PD lease : N/A
DHCPv6 PD remain lease : N/A
Access time : May 9 08:56:29 2014
Online time (hh:mm:ss) : 00:16:37
Service node : Slot 0
Authentication type : Bind
IPv4 access type : DHCP
IPv6 access type : DHCP
IPv4 detect state : N/A
IPv6 detect state : N/A
State : Online
AAA:
ITA policy name : N/A
IP pool : N/A
IPv6 pool : N/A
Primary DNS server : N/A
Secondary DNS server : N/A
Primary IPv6 DNS server : N/A
Secondary IPv6 DNS server : N/A
Session idle cut : N/A
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Traffic remained : N/A
Acct start-fail action : Online
Acct update-fail action : Online
Acct quota-out action : Offline
Dual-stack accounting mode : Merge
Max IPv4 multicast addresses: 4
IPv4 multicast address list : N/A
Max IPv6 multicast addresses: 4
IPv6 multicast address list : N/A
Accounting start time : May 9 08:56:29 2014 (succeed)
Subscriber ID : -
QoS:
User profile : abc (active)
Session group profile : N/A
User group ACL : N/A
Inbound CAR : CIR 1000kbps PIR 2000kbps CBS 4100bytes (active)
Outbound CAR : CIR 3000kbps PIR 4000kbps CBS 4100bytes (active)
Inbound user priority : 1 (active)
Outbound user priority : 1 (active)
NAT:
Global IP address : 111.8.0.234
Port block : 1024-1033
Extended port block : 2024-2033/3024-3033/4024-4033/5024-5033/6024-6033
Flow statistic:
Uplink packets/bytes : 0/0
Downlink packets/bytes : 0/0
IPv6 uplink packets/bytes : 0/0
IPv6 downlink packets/bytes : 0/0
Service policy: s2m
Service ID : 1
Username (EDSG) : 200.1.1.1
Service rate-limit mode : Merge
Traffic statistics mode : Separate
Dual-stack rate limit mode : Merge
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Traffic remained : N/A
Quota-out action : Service deactivate
Priority : 0
Inbound CAR : CIR 1000kbps PIR 2000kbps CBS 4100bytes EBS 200bytes (active)
Outbound CAR : CIR 1000kbps PIR 2000kbps CBS 4100bytes EBS 200bytes (active)
Uplink packets/bytes : 0/0
Downlink packets/bytes : 0/0
IPv6 uplink packets/bytes : 0/0
IPv6 downlink packets/bytes : 0/0
Table 23 Command output
Field | Description |
---|---|
Basic | Basic IPoE session information. |
Description | Description of an IPoE session. If the IPoE session does not have a description, this field displays a hyphen (-). |
Username | Username for authentication. |
Authorization domain | ISP domain actually used by the user after coming online. The specific meanings of this field are as follows: · When the user successfully comes online in the authentication domain, the following rules apply: ◦ If the AAA server authorizes an ISP domain to the user through the H3C-ISP-ID attribute, this field displays the authorized ISP domain. ◦ If the AAA server does not authorize an ISP domain to the user through the H3C-ISP-ID attribute, this field displays the authentication domain. · If the RADIUS server in the authentication scheme becomes unreachable during the user authentication process, the following rules apply: ◦ If the none authentication method is not configured as the backup scheme but a critical domain is configured in the authentication domain, the user will enter the critical domain, and this field will display the critical domain. ◦ If a recovery domain is configured in the authentication domain, the user will enter the recovery domain when the RADIUS server becomes reachable again. In this case, this field displays the recovery domain. |
Authentication domain | Domain used by the user to request authentication from the AAA server. If the user does not have an authentication domain, this field displays a hyphen (-). |
VPN instance | MPLS L3VPN instance to which the user belongs. If the user is on a public network, this field displays N/A. |
IP address | IP address of the user. For a dynamic individual session, this field is displayed only when an IPv4 user is online. For a static individual session or static leased session, this field is displayed according to the configuration. |
IPv6 address | IPv6 address of the user. For a dynamic individual session, this field is displayed only when an IPv6 user is online. For a static individual session or static leased session, this field is displayed according to the configuration. For an ND RS user that came online in the prefix authorization through ND prefix pool method, this field displays the IPv6 ND prefix in the brief information and is not displayed in the detailed information. |
IPv6 ND Prefix | IPv6 ND prefix of the user. This field is displayed only when an ND RS user comes online in the prefix authorization through ND prefix pool method. |
IPv6 PD Prefix | IPv6 prefix binding information. This field is displayed only when the DHCPv6 server has created prefix binding information for the assigned prefix or the IPv6 delegation prefix has been specified in the global static session. |
User address type | User address type authorized by AAA. · private-ds—Private dual-stack address. · private-ipv4—Private IPv4 address. · public-ds—Public dual-stack address. · public-ipv4—Public IPv4 address. · ds-lite—Lite dual-stack address. · ipv6—IPv6 address. · nat64—NAT64 address. · N/A—AAA did not authorize this attribute. |
MAC address | MAC address of the user. When a Layer 3 device exists between the user and BRAS, this MAC address is the MAC address of the interface connecting the Layer 3 device to the BRAS. |
Link-layer address | MAC address of the user obtained from Option 79. This field is displayed only when the MAC address from Option 79 is necessary for a DHCPv6 user to come online. |
IPv4 DUID | DUID of the DHCPv4 client. This field is displayed only when the BRAS obtains the DUID of the DHCP user. |
IPv6 DUID | DUID of the DHCPv6 client. This field is displayed only when the BRAS obtains the DUID of the DHCP user. |
Service-VLAN/Customer-VLAN | Outer VLAN and inner VLAN of the user. If the user does not have an outer VLAN or inner VLAN, the outer VLAN or inner VLAN field displays a hyphen (-). |
Access interface | Name of the interface that the user accesses. |
User ID | User ID. It is assigned by the system only after the user comes online. The value of 0xffffffff indicates that no user ID has been assigned. |
VPI/VCI (for ATM) | ATM PVC. If the user does not have a PVC, this field displays a hyphen (-). |
VSI Index | Index of the VSI. |
VSI link ID | ID of the VSI link. |
VXLAN ID | VXLAN ID. |
DNS servers | DNS server addresses actually assigned to the user. Depending on the number of DNS server addresses actually assigned to the user, the following rules apply: · When the number is 0, this field displays N/A, which means no DNS server address is assigned. · When the number is 1 or 2, this field displays the actual conditions. · When the number is greater than 2, this field displays only the first two DNS server addresses actually assigned to the user. |
IPv6 DNS servers | IPv6 DNS server addresses actually assigned to the user. Depending on the number of IPv6 DNS server addresses actually assigned to the user, the following rules apply: · When the number is 0, this field displays N/A, which means no IPv6 DNS server address is assigned. · When the number is 1 or 2, this field displays the actual conditions. · When the number is greater than 2, this field displays only the first two IPv6 DNS server addresses actually assigned to the user. |
DHCP lease | IP address lease time assigned to the user by the DHCPv4 server, in seconds. This field is displayed only when an IPv4 user is online. · N/A—The user does not have a DHCP lease. · Unlimited—The user has an unlimited lease. |
DHCP remain lease | Remaining duration of the IP address lease assigned to the user by the DHCPv4 server, in seconds. This field is displayed only when an IPv4 user is online. This field displays the remaining lease duration only on service nodes and displays N/A on non-service nodes. |
DHCPv6 PD lease | PD prefix lease time assigned to the user by the DHCPv6 server, in seconds. This field is displayed only when an IPv6 user is online. · N/A—The user does not have a DHCP lease. · Unlimited—The user has an unlimited lease. |
DHCPv6 PD remain lease | Remaining duration of the PD prefix lease assigned to the user by the DHCPv6 server, in seconds. This field is displayed only when an IPv6 user is online. This field displays the remaining lease duration only on service nodes and displays N/A on non-service nodes. |
DHCPv6 lease | IPv6 address lease time assigned to the user by the DHCPv6 server, in seconds. This field is displayed only when an IPv6 user is online. · N/A—The user does not have a DHCP lease. · Unlimited—The user has an unlimited lease. |
DHCPv6 remain lease | Remaining duration of the IPv6 address lease assigned to the user by the DHCPv6 server, in seconds. This field is displayed only when an IPv6 user is online. This field displays the remaining lease duration only on service nodes and displays N/A on non-service nodes. |
Access time | For a DHCP user, this field displays the time when the IP address was assigned. For any other user, this field displays the login time. |
Online time (hh:mm:ss) | Online duration of the user at this time. |
Failure reason | Reason for which the session failed to be issued to the driver. This field is displayed only when the session failed to be issued to the driver. · Not support—The driver does not support this session. · No resource—Insufficient hardware resources. · Unknown—The reason for this failure is unknown. |
Service node | Node that provides authentication services to the user. |
Authentication type | User authentication type. Options include: · Bind—Bind authentication. · Web pre-auth—Preauthentication. · Web—Common Web authentication. · Web mac-auth—Web MAC authentication. · Web mac-trigger—MAC trigger authentication. |
IPv4 access type | Creation type of the IPv4 IPoE session. For a dynamic individual session, this field is displayed only when an IPv4 user is online. For a static individual or static leased session, this field is unconditionally displayed. Options include: · DHCP—DHCP packet initiation. · Unclassified-IP—Unclassified-IP packet initiation. · Static—Static configuration. |
IPv6 access type | Creation type of the IPv6 IPoE session. For a dynamic individual session, this field is displayed only when an IPv6 user is online. For a static individual or static leased session, this field is unconditionally displayed. Options include: · DHCP—DHCP packet initiation. · Unclassified-IP—Unclassified-IP packet initiation. · Static—Static configuration. · NDRS—IPv6 ND RS packet initiation. |
IPv4 detect state | IPv4 IPoE detection status. For a dynamic individual session, this field is displayed only when an IPv4 user is online. For a static individual or static leased session, this field is unconditionally displayed. Options include: · Detecting. · Failed. · N/A—Not detected. |
IPv6 detect state | IPv6 IPoE detection status. For a dynamic individual session, this field is displayed only when an IPv6 user is online. For a static individual or static leased session, this field is unconditionally displayed. Options include: · Detecting. · Failed. · N/A—Not detected. |
State | User session state: · Init—Initializing. · Authing—Authentication in progress. · Authed—Authentication completed. · Reauth—Reauthentication in progress. · Logout—Exiting the current authentication phase. · Online—Online. · Offline—Going offline. |
AAA | AAA authorization information of an IPoE session. |
ITA policy name | Name of the Intelligent Target Accounting (ITA) policy authorized by AAA. If no ITA policy is authorized, this field displays N/A. |
IP pool | Name of the AAA-authorized IPv4 DHCP address pool. If no IPv4 DHCP address pool is authorized, this field displays N/A. |
IP pool group | Name of the AAA-authorized IPv4 DHCP address pool group. This field is displayed only when AAA has authorized an IPv4 DHCP address pool group but has not authorized an IPv4 DHCP address pool. This field will not be displayed together with the IP pool field. |
IPv6 pool | Name of the AAA-authorized IPv6 DHCP address pool. If no IPv6 DHCP address pool is authorized, this field displays N/A. |
IPv6 pool group | Name of the AAA-authorized IPv6 DHCP address pool group. This field is displayed only when AAA has authorized an IPv6 DHCP address pool group but has not authorized an IPv6 DHCP address pool. This field will not be displayed together with the IPv6 pool field. |
Primary DNS server | Name of the AAA-authorized primary IPv4 DNS server. If no primary IPv4 DNS server is authorized, this field displays N/A. |
Secondary DNS server | Name of the AAA-authorized secondary IPv4 DNS server. If no secondary IPv4 DNS server is authorized, this field displays N/A. |
Primary IPv6 DNS server | Name of the AAA-authorized primary IPv6 DNS server. If no primary IPv6 DNS server is authorized, this field displays N/A. |
Secondary IPv6 DNS server | Name of the AAA-authorized secondary IPv6 DNS server. If no secondary IPv6 DNS server is authorized, this field displays N/A. |
Session idle cut | Idle timeout period (in minutes) and minimum traffic (in bytes) that must be generated in the idle timeout period of the user. The user will be logged out (idle cut) if the user's traffic in the idle timeout period is less than the specified minimum traffic. If idle cut is not performed, this field displays N/A. |
direction | The user will be logged out (idle cut) if the user's traffic in the idle timeout period is less than the specified minimum traffic (in bytes) in the specified direction. The directions of the minimum traffic for idle cut include: · Both—Determines whether to perform idle cut based on the sum of incoming traffic and outgoing traffic of the user. · Inbound—Determines whether to perform idle cut based on the incoming traffic of the user. · Outbound—Determines whether to perform idle cut based on the outgoing traffic of the user. |
Session duration | AAA-authorized IPoE session timeout period, in seconds. · N/A—No session duration is authorized. · Unlimited—The session duration is not limited. |
remaining | Remaining AAA-authorized session timeout period in seconds. · When no IPoE session timeout period is authorized by AAA, this field always displays N/A. · When the IPoE session timeout period is authorized by AAA, the following rules apply: ◦ If the user comes online through a Layer 3 Ethernet interface or Layer 3 Ethernet subinterface, this field will always display the specific remaining time or Unlimited (indicating the session duration is not limited). ◦ If the user comes online through a Layer 3 aggregate interface or Layer 3 aggregate subinterface, this field displays the remaining time or Unlimited (indicating the session duration is not limited) when the slot or interface where the service node is located is specified in this command. This field displays N/A in any other cases. |
Traffic quota | Authorized traffic quota in bytes. If no traffic quota is authorized to the user, this field displays N/A. |
Traffic remained | Remaining authorized traffic quota, in bytes. If no traffic quota is authorized or the authorized traffic quota has been exhausted, this field displays N/A. |
Acct start-fail action | Action to take on the user after accounting fails to start: · Online—Keeps the user online. · Offline—Forces the user offline. |
Acct update-fail action | Action to take on the user after accounting fails to update: · Online—Keeps the user online. · Offline—Forces the user offline. |
Acct quota-out action | Action to take on the user after the traffic quota is exhausted: · Online—Keeps the user online. · Offline—Forces the user offline. |
Dual-stack accounting mode | Accounting mode of dual-stack users: · Merge—Reports the IPv4 and IPv6 traffic of a dual-stack user as a whole to the accounting server. · Separate—Reports the IPv4 and IPv6 traffic of a dual-stack user to the accounting server separately. · N/A—AAA did not authorize this attribute. |
Max IPv4 multicast addresses | Maximum number of AAA-authorized IPv4 multicast groups that a user can join. |
IPv4 multicast address list | List of AAA-authorized IPv4 multicast group addresses. If no IPv4 multicast group is authorized, this field displays N/A. |
Max IPv6 multicast addresses | Maximum number of AAA-authorized IPv6 multicast groups that a user can join. |
IPv6 multicast address list | List of AAA-authorized IPv6 multicast group addresses. If no IPv6 multicast group is authorized, this field displays N/A. |
Accounting start time | Time when accounting started for the user: · succeed—Accounting started successfully. · failed—Accounting failed to start. |
Redirect URL | This field is displayed only during Web authentication. If no URL is authorized or the authorized URL does not meet the redirect conditions, this field displays N/A. · In the preauthentication phase, this field displays the URL of the Web authentication page pushed to the user. · In the Web authentication phase, this field displays the redirect URL pushed to the user. Redirect URLs are mainly used for pushing Web pages, for example, pushing advertisement or notification pages to the user after the user passes authentication and accesses the network for the first time. |
Redirect IPv6 URL | This field is displayed only during Web authentication. If no IPv6 URL is authorized, this field displays N/A. · In the preauthentication phase, this field displays the IPv6 URL of the Web authentication page pushed to the user. · In the Web authentication phase, this field is insignificant and displays a hyphen (-). |
Subscriber ID | Subscriber ID authorized to the user. If no subscriber ID is authorized, this field displays a hyphen (-). |
QoS | QoS information of the IPoE session. |
User profile | Name of the AAA-authorized user profile. If no user profile is authorized, this field displays N/A. Authorization status options include: · active—AAA has authorized the user profile successfully. · inactive—AAA has failed to authorize the user profile or the user profile does not exist on the BRAS. · Authorization result unknown. |
Session group profile | Name of the AAA-authorized session group profile. If no session group profile is authorized, this field displays N/A. Authorization status options include: · active—AAA has authorized the session group profile successfully. · inactive—AAA has failed to authorize the session group profile or the session group profile does not exist on the BRAS. · Authorization result unknown. |
User group ACL | Name of the AAA-authorized user group ACL. If no user group ACL is authorized, this field displays N/A. Authorization status options include: · active—AAA has authorized the user group ACL successfully. · inactive—AAA has failed to authorize the user group ACL or the user group ACL does not exist on the BRAS. · Authorization result unknown. |
Inbound CAR | AAA-authorized inbound CAR parameters: · Committed information rate (CIR) in kbps. · Peak information rate (PIR) in kbps. · Committed burst size (CBS) in bytes. · Excess burst size (EBS) in bytes. If no such information has been authorized to the user, this field displays N/A. Authorization status options include: · active—Inbound CAR parameters have been authorized successfully. · inactive—Inbound CAR parameters have failed to be authorized. |
Outbound CAR | AAA-authorized outbound CAR parameters: · Committed information rate (CIR) in kbps. · Peak information rate (PIR) in kbps. · Committed burst size (CBS) in bytes. · Excess burst size (EBS) in bytes. If no such information has been authorized to the user, this field displays N/A. Authorization status options include: · active—Outbound CAR parameters have been authorized successfully. · inactive—Outbound CAR parameters have failed to be authorized. |
Inbound user priority | AAA-authorized inbound user priority, which can be a number in the range of 0 to 7, 15, or N/A. The value of 15 or N/A means that no inbound user priority is authorized. Authorization status options include: · active—AAA has successfully authorized the inbound user priority. · inactive—AAA has failed to authorize the inbound user priority. |
Outbound user priority | AAA-authorized outbound user priority, which can be a number in the range of 0 to 7, 15, or N/A. The value of 15 or N/A means that no outbound user priority is authorized. Authorization status options include: · active—AAA has successfully authorized the outbound user priority. · inactive—AAA has failed to authorize the outbound user priority. |
NAT | NAT information of the IPoE session. This field is displayed only when IPoE collaborates with NAT. |
Global IP address | Public network IP address. |
Port block | Port block in the format of start port-end port. |
Extended port block | Extended port block in the format of start port-end port. The extended port blocks are separated by using slashes (/). This field is displayed only when extended port blocks are configured in dynamic port block mapping mode. |
Flow statistic | Flow statistics of the IPoE session. |
Uplink packets/bytes | This field displays the total number and size (in bytes) of uplink IPv4 and IPv6 packets in merge accounting mode and displays the total number and size (in bytes) of uplink IPv4 packets in any other cases. |
Downlink packets/bytes | This field displays the total number and size (in bytes) of downlink IPv4 and IPv6 packets in merge accounting mode and displays the total number and size (in bytes) of downlink IPv4 packets in any other cases. |
IPv6 uplink packets/bytes | Total number and size (in bytes) of uplink IPv6 packets. |
IPv6 downlink packets/bytes | Total number and size (in bytes) of downlink IPv6 packets. |
ITA | Intelligent Target Accounting (ITA) service traffic statistics of the IPoE session. |
Acct merge | State of the accounting merge feature: · Enabled. · Disabled. |
Denied level | Level of traffic being denied, in the range of 1 to 8. When IPoE receives traffic of this level, the traffic is directly dropped. If no traffic of any level is denied, this field displays None. |
Level-n Inbound CAR | AAA-authorized inbound CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8). Authorization status options for inbound CAR include: · active—Authorization succeeded. · inactive—Authorization failed. · N/A—Unauthorized. |
Outbound CAR | AAA-authorized outbound CIR and PIR in kbps for level n traffic (n is in the range of 1 to 8). Authorization status options for outbound CAR include: · active—Authorization succeeded. · inactive—Authorization failed. · N/A—Unauthorized. |
Traffic separate | State of excluding the amount of specific-level ITA traffic from the overall traffic statistics that are sent to the accounting server. · Enabled. · Disabled. |
Service policy | Name of the EDSG service policy. |
Service ID | ID of the EDSG service policy. |
Username (EDSG) | Username for EDSG service authentication. |
Service rate-limit mode | Rate limit mode for EDSG traffic: · Merge—In-band mode. In this mode, the device limits the overall rates of both EDSG traffic and non-EDSG traffic for a user within the available basic bandwidth of the user. The bandwidth for the EDSG traffic is preferentially guaranteed. · Separate—Out-band mode. In this mode, the device limits the rate of EDSG traffic within an independent bandwidth. The bandwidth for the non-EDSG traffic is not affected. |
Traffic statistics mode | Traffic statistics mode for the EDSG service: · Merge—The EDSG service traffic of a user is included in the overall traffic of the user. · Separate—The EDSG service traffic of a user is excluded from the overall traffic of the user. |
Dual-stack rate limit mode | Rate limit mode for IPv4 and IPv6 EDSG traffic: · Merge—Collectively limits the rate of IPv4 and IPv6 EDSG traffic. · Separate—Separately limits the rates of IPv4 and IPv6 EDSG traffic. |
Session duration | Authorized timeout period for the EDSG service, in seconds. · N/A—No session duration is authorized. · Unlimited—The session duration is not limited. |
Quota-out action | Action to take when the quota is exhausted: · Service deactivate—Deactivates the EDSG service policy. In the current software version, only this action is supported. · Redirect—Redirects packets. · Flow drop—Drops packets. · Flow forward—Forwards packets. |
Priority | EDSG service priority, in the range of 0 to 7. A greater value represents a higher priority. In the current software version, only priority 0 is supported. |
Related commands
cut access-user (new style) (BRAS Services Command Reference)
display access-user (new style) (BRAS Services Command Reference)
ip subscriber initiator dhcp enable
Use ip subscriber initiator dhcp enable to enable DHCPv4 packet initiation on an interface.
Use undo ip subscriber initiator dhcp enable to disable DHCPv4 packet initiation on an interface.
Syntax
ip subscriber initiator dhcp enable
undo ip subscriber initiator dhcp enable
Default
DHCPv4 packet initiation is enabled.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
To meet business development requirements, you might need to upgrade the software versions of BRASs to implement new functions. After a software upgrade, some functional commands might change. For example, the ip subscriber initiator dhcp enable command is obsolete in the new software version: the feature it configured is enabled by default and cannot be disabled. To keep managing the upgraded BRAS from network management software that still issues the ip subscriber initiator dhcp enable command, without upgrading that network management software, execute this command.
Operating mechanism
After the bras compatible old-style-commands enable command is executed to enable compatibility with old-style commands on the BRAS, DHCPv4 packet initiation is enabled by default and cannot be disabled. In this case, even if you execute the undo ip subscriber initiator dhcp enable command, the device configuration file (which can be viewed by using the display current-configuration command) still shows the ip subscriber initiator dhcp enable command as configured.
Restrictions and guidelines
DHCPv4 packet initiation is enabled by default and cannot be disabled on the current device. In any case, executing the ip subscriber initiator dhcp enable or undo ip subscriber initiator dhcp enable command does not affect the DHCPv4 packet initiation feature on the interface.
If the bras compatible old-style-commands enable command is not used to enable compatibility with old-style commands on the BRAS, you cannot view the configuration of the ip subscriber initiator dhcp enable command on the interface in the device configuration file.
Examples
# Enable DHCPv4 packet initiation on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber initiator dhcp enable
Related commands
bras compatible old-style-commands enable (BRAS Services Command Reference)
ip subscriber nas-port-type
Use ip subscriber nas-port-type to configure the IPoE access interface type for an interface.
Use undo ip subscriber nas-port-type to restore the default.
Syntax
ip subscriber nas-port-type cable
undo ip subscriber nas-port-type
Default
The IPoE access interface type is Ethernet, with the code value of 15.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
L3VE interface/subinterface view
Predefined user roles
network-admin
Parameters
cable: Specifies the interface type as cable, with the code value of 17.
Usage guidelines
Application scenarios
To meet business development requirements, you might need to upgrade the software versions of BRASs to implement new functions. After a software upgrade, some functional commands might change. For example, the ip subscriber nas-port-type cable command changes to nas-port-type cable after the upgrade. To keep managing the upgraded BRAS from network management software that still issues the ip subscriber nas-port-type cable command, without upgrading that network management software, execute this command.
Operating mechanism
The interface type configured by this command is carried in the NAS-Port-Type attribute of the RADIUS packets sent during authentication and accounting.
For more information about the NAS-Port-Type attribute, see RFC 2865.
This command takes effect only on new users and does not take effect on existing users.
Restrictions and guidelines
To execute the ip subscriber nas-port-type cable command, first execute the bras compatible old-style-commands enable command to enable compatibility with old-style commands on the BRAS.
Examples
# Configure the IPoE access interface type as cable for interface Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] bras compatible old-style-commands enable
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] ip subscriber nas-port-type cable
Related commands
bras compatible old-style-commands enable (BRAS Services Command Reference)
nas-port-type cable (new style) (BRAS Services Command Reference)
Portal commands
The device does not support user access to the network through portal authentication. The portal commands can be used only in IPoE Web authentication scenarios.
aging-time
Use aging-time to set the aging time for MAC-trigger entries.
Use undo aging-time to restore the default.
Syntax
aging-time seconds
undo aging-time
Default
The aging time for MAC-trigger entries is 300 seconds.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.
Usage guidelines
With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:
· MAC address of the user.
· Interface index.
· VLAN ID.
· Traffic statistics.
· Aging timer.
When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.
Examples
# Specify the aging time as 300 seconds for MAC-trigger entries.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] aging-time 300
Related commands
display mac-trigger-server
authentication-timeout
Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.
Use undo authentication-timeout to restore the default.
Syntax
authentication-timeout minutes
undo authentication-timeout
Default
The authentication timeout time is 3 minutes.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.
Usage guidelines
Upon receiving the MAC binding query response of a user from the MAC binding server, the device starts an authentication timeout timer for the user. When the timer expires, the device deletes the MAC-trigger entry of the user.
Examples
# Specify the authentication timeout as 10 minutes.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10
Related commands
display mac-trigger-server
binding-retry
Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.
Use undo binding-retry to restore the default.
Syntax
binding-retry { retries | interval interval } *
undo binding-retry
Default
The maximum number of query attempts is 3 and the query interval is 1 second.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.
interval interval: Specifies the query interval in the range of 1 to 60 seconds.
Usage guidelines
If the device does not receive a response from the MAC binding server after the maximum number of attempts is reached, the device determines that the MAC binding server is unreachable. The device then performs normal portal authentication for the user, who must enter a username and password to be authenticated.
If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.
Examples
# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60
Related commands
display mac-trigger-server
default-logon-page
Use default-logon-page to specify the default authentication page file for the local portal Web service.
Use undo default-logon-page to restore the default.
Syntax
default-logon-page file-name
undo default-logon-page
Default
No default authentication page file is specified for the local portal Web service.
Views
Local portal Web service view
Predefined user roles
network-admin
Parameters
file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).
Usage guidelines
You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.
After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.
For successful local portal authentication, you must specify the default portal authentication page file for the local portal Web service.
Examples
# Specify the file pagefile1.zip as the default authentication page file for local portal authentication.
<Sysname> system-view
[Sysname] portal local-web-server http
[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip
Related commands
display portal ip-subscriber message statistics
Use display portal ip-subscriber message statistics to display statistics for messages exchanged between portal and IPoE during IPoE Web authentication.
Syntax
display portal ip-subscriber message statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display statistics for messages exchanged between portal and IPoE.
<Sysname> display portal ip-subscriber message statistics
Message Total Error Duplicate
Sent logon request 0 0 0
Received logon success 0 0 0
Received logon failure 0 0 0
Received EAP authentication continue 0 0 0
Sent logoff request 0 0 0
Received logoff response 0 0 0
Received forced logoff request 0 0 0
Sent smooth user start 0 0 0
Sent smooth user end 0 0 0
Sent smooth user message 0 0 0
Sent mac-trigger enable 0 0 0
Sent mac-trigger disable 0 0 0
Received binding request 0 0 0
Sent binding response 0 0 0
Sent nobinding response 0 0 0
Sent processing bind response 0 0 0
Sent delete mac-trigger entry 0 0 0
Received mac-trigger user online 0 0 0
Received mac-trigger user offline 0 0 0
Table 24 Command output
Field |
Description |
Total |
Total number of messages. |
Error |
Number of error messages. |
Duplicate |
Number of duplicated messages. |
Sent logon request |
Number of sent requests for users to come online. |
Received logon success |
Number of received messages indicating that users came online successfully. |
Received logon failure |
Number of received messages indicating that users failed to come online. |
Received EAP authentication continue |
Number of received EAP authentication continue messages. |
Sent logoff request |
Number of sent requests for users to go offline. |
Received logoff response |
Number of received responses for users to go offline. |
Received forced logoff request |
Number of received requests to forcibly log out users. |
Sent smooth user start |
Number of sent messages indicating that portal started smoothing user information. |
Sent smooth user end |
Number of sent messages indicating that portal ended smoothing user information. |
Sent smooth user message |
Number of sent messages for smoothing user information. |
Sent mac-trigger enable |
Number of sent messages indicating that portal applied a MAC binding server to an interface. |
Sent mac-trigger disable |
Number of sent messages indicating that portal removed a MAC binding server from an interface. |
Received binding request |
Number of received binding queries. |
Sent binding response |
Number of sent responses indicating that user accounts are bound to user MAC addresses. |
Sent nobinding response |
Number of sent responses indicating that user accounts are not bound to user MAC addresses. |
Sent processing bind response |
Number of sent responses indicating that portal was processing the binding query request. |
Sent delete mac-trigger entry |
Number of sent messages indicating that the device deleted MAC-trigger entries. |
Received mac-trigger user online |
Number of received messages indicating that MAC-trigger users came online. |
Received mac-trigger user offline |
Number of received messages indicating that MAC-trigger users went offline. |
Related commands
reset portal ip-subscriber message statistics
display portal mac-trigger entry
Use display portal mac-trigger entry to display MAC-trigger entries for portal users.
Syntax
display portal mac-trigger entry [ ip ipv4-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip ipv4-address: Specifies a portal user by its IP address. If you do not specify a portal user, this command displays MAC-trigger entries for all portal users.
Examples
# Display MAC-trigger entries for all portal users.
<Sysname> display portal mac-trigger entry
IP MAC ADDR L3IF L2IF SVLAN CVLAN Status Source
2.2.2.2 0001-0001-0001 vlan2 XGE0/0/16 2 -- Bound Portal
Table 25 Command output
Field |
Description |
IP |
IP address of the user. |
MAC ADDR |
MAC address of the user. |
L3IF |
Layer 3 access interface. |
L2IF |
Layer 2 access interface. This field displays two hyphens (--) if the access interface of the user is a physical Layer 3 interface. |
SVLAN |
Outer VLAN ID of portal packets from the user. |
CVLAN |
Inner VLAN ID of portal packets from the user. This field displays two hyphens (--) if portal packets from the user are not double-tagged packets. |
Status |
Binding status between the MAC address and the user account: · Auth-free—The user with the MAC address can access the network without authentication. · Querying—The binding status of the MAC address is being queried. · Not bound—The MAC address is not bound with the user account. · Bound—The MAC address is bound with the user account. · Deleting—The MAC-trigger entry for the MAC address is being deleted. |
Source |
Access method of the user: · Portal. · IPoE. |
display portal mac-trigger-server
Use display portal mac-trigger-server to display information about MAC binding servers.
Syntax
display portal mac-trigger-server { all | name server-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all MAC binding servers.
name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.
Examples
# Display information about all MAC binding servers.
<Sysname> display portal mac-trigger-server all
Portal mac trigger server name: ms1
Version : 2.0
Server type : CMCC
IP : 10.1.1.1
Port : 100
VPN instance : Not configured
Aging time : 120 seconds
NAS-Port-Type : 255
Binding retry times : 5
Binding retry interval : 2 seconds
Authentication timeout : 5 minutes
Portal mac trigger server name: mts
Version : 1.0
Server type : IMC
IP : 4.4.4.2
Port : 50100
VPN instance : Not configured
Aging time : 300 seconds
NAS-Port-Type : Not configured
Binding retry times : 3
Binding retry interval : 1 seconds
Authentication timeout : 3 minutes
# Display information about the MAC binding server ms1.
<Sysname> display portal mac-trigger-server name ms1
Portal mac trigger server name: ms1
Version : 2.0
Server type : CMCC
IP : 10.1.1.1
Port : 100
VPN instance : Not configured
Aging time : 120 seconds
NAS-Port-Type : 255
Binding retry times : 5
Binding retry interval : 2 seconds
Authentication timeout : 5 minutes
Table 26 Command output
Field |
Description |
Portal mac trigger server name |
Name of the MAC binding server. |
Version |
Version of the portal protocol: · 1.0—Version 1. · 2.0—Version 2. · 3.0—Version 3. |
Server type |
Type of the MAC binding server: · CMCC—CMCC server. · IMC—IMC server. |
IP |
IP address of the MAC binding server. |
Port |
UDP port number on which the MAC binding server listens for MAC binding query packets. |
VPN instance |
MPLS L3VPN instance where the MAC binding server resides. |
Aging time |
Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires. |
NAS-Port-Type |
NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server. |
Binding retry times |
Maximum number of attempts for sending MAC binding queries to the MAC binding server. |
Binding retry interval |
Interval at which the device sends MAC binding queries to the MAC binding server. |
Authentication timeout |
Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response. |
display portal mac-trigger-server packet statistics
Use display portal mac-trigger-server packet statistics to display statistics for messages exchanged between the device and MAC binding servers.
Syntax
display portal mac-trigger-server packet statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display statistics for messages exchanged between the device and MAC binding servers.
<Sysname> display portal mac-trigger-server packet statistics
Packets sent:
User online notifications: 0
User offline notifications: 0
MAC binding queries: 0
Retries: 0
MaxRetryCount reached: 0
Sending failures: 0
Packets received:
MAC binding responses: 0
Binding: 0
Nobinding: 0
Checksum failures: 0
Table 27 Command output
Field |
Description |
Packets sent |
Number of messages that the device sent to MAC binding servers. |
User online notifications |
Number of notification messages indicating that users came online. |
User offline notifications |
Number of notification messages indicating that users went offline. |
MAC binding queries |
Number of MAC binding queries sent to MAC binding servers. |
Retries |
Number of times that the device attempted to retransmit MAC binding queries. |
MaxRetryCount reached |
Number of times that the maximum number of retransmissions was reached. |
Sending failures |
Number of transmission failures. |
Packets received |
Number of messages that the device received from MAC binding servers. |
MAC binding responses |
Number of MAC binding responses received from MAC binding servers. |
Binding |
Number of MAC binding responses indicating that user MAC addresses are bound to the user accounts. |
Nobinding |
Number of MAC binding responses indicating that user MAC addresses are not bound to user accounts. |
Checksum failures |
Number of MAC binding responses with checksum failures. |
Related commands
display portal packet statistics
reset portal mac-trigger-server packet statistics
display portal packet statistics
Use display portal packet statistics to display packet statistics for portal authentication servers.
Syntax
display portal packet statistics [ server server-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a portal authentication server, this command displays packet statistics for all portal authentication servers.
Usage guidelines
This command displays statistics on packets the device sent to and received from portal authentication servers.
Examples
# Display packet statistics for portal authentication server pts.
<Sysname> display portal packet statistics server pts
Portal server : pts
Invalid packets: 0
Pkt-Type Total Drops Errors
REQ_CHALLENGE 3 0 0
ACK_CHALLENGE 3 0 0
REQ_AUTH 3 0 0
ACK_AUTH 3 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
AFF_ACK_AUTH 3 0 0
NTF_LOGOUT 1 0 0
REQ_INFO 6 0 0
ACK_INFO 6 0 0
NTF_USERDISCOVER 0 0 0
NTF_USERIPCHANGE 0 0 0
AFF_NTF_USERIPCHAN 0 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_HEARTBEAT 0 0 0
NTF_USER_HEARTBEAT 2 0 0
ACK_NTF_USER_HEARTBEAT 0 0 0
NTF_CHALLENGE 0 0 0
NTF_USER_NOTIFY 0 0 0
AFF_NTF_USER_NOTIFY 0 0 0
Table 28 Command output
Field |
Description |
Invalid packets |
Number of invalid packets. |
Portal server |
Name of the portal authentication server. |
Pkt-Type |
Packet type. |
Total |
Total number of packets. |
Drops |
Number of dropped packets. |
Errors |
Number of packets that carry error information. |
REQ_CHALLENGE |
Challenge request packet the portal authentication server sent to the access device. |
ACK_CHALLENGE |
Challenge acknowledgment packet the access device sent to the portal authentication server. |
REQ_AUTH |
Authentication request packet the portal authentication server sent to the access device. |
ACK_AUTH |
Authentication acknowledgment packet the access device sent to the portal authentication server. |
REQ_LOGOUT |
Logout request packet the portal authentication server sent to the access device. |
ACK_LOGOUT |
Logout acknowledgment packet the access device sent to the portal authentication server. |
AFF_ACK_AUTH |
Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet. |
NTF_LOGOUT |
Forced logout notification packet the access device sent to the portal authentication server. |
REQ_INFO |
Information request packet. |
ACK_INFO |
Information acknowledgment packet. |
NTF_USERDISCOVER |
User discovery notification packet the portal authentication server sent to the access device. |
NTF_USERIPCHANGE |
User IP change notification packet the access device sent to the portal authentication server. |
AFF_NTF_USERIPCHAN |
User IP change success notification packet the portal authentication server sent to the access device. |
ACK_NTF_LOGOUT |
Forced logout acknowledgment packet the portal authentication server sent to the access device. |
NTF_HEARTBEAT |
Server heartbeat packet the portal authentication server periodically sent to the access device. |
NTF_USER_HEARTBEAT |
User synchronization packet the portal authentication server sent to the access device. |
ACK_NTF_USER_HEARTBEAT |
User synchronization acknowledgment packet the access device sent to the portal authentication server. |
NTF_CHALLENGE |
Challenge request packet the access device sent to the portal authentication server. |
NTF_USER_NOTIFY |
User information notification packet the access device sent to the portal authentication server. |
AFF_NTF_USER_NOTIFY |
NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device. |
Related commands
reset portal packet statistics
display portal server
Use display portal server to display information about portal authentication servers.
Syntax
display portal server [ server-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server-name argument, this command displays information about all portal authentication servers.
Examples
# Display information about the portal authentication server pts.
<Sysname> display portal server pts
Portal server: pts
Type : IMC
IP : 192.168.0.111
VPN instance : Not configured
Port : 50100
Server detection : Timeout 60s Action: log
User synchronization : Timeout 200s
Status : Up
Exclude-attribute : Not configured
Logout notification : Retry 3 interval 5s
Table 29 Command output
Field |
Description |
Type |
Portal authentication server type: · CMCC—CMCC server. · IMC—IMC server. |
Portal server |
Name of the portal authentication server. |
IP |
IP address of the portal authentication server. |
VPN instance |
MPLS L3VPN instance where the portal authentication server resides. |
Port |
Listening port on the portal authentication server. |
Server detection |
Parameters for portal authentication server detection: · Detection timeout in seconds. · Action (log) triggered by a reachability status change of the portal authentication server. |
User synchronization |
User idle timeout in seconds for portal user synchronization. |
Status |
Reachability status of the portal authentication server: · Up—This value indicates one of the following conditions: ◦ Portal authentication server detection is disabled. ◦ Portal authentication server detection is enabled and the server is reachable. · Down—Portal authentication server detection is enabled and the server is unreachable. |
Exclude-attribute |
Attribute fields not carried in portal protocol packets. |
Logout notification |
Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet. |
Related commands
portal server
server-detect (portal authentication server view)
user-sync
display portal session user-type
Use display portal session user-type to display session information for portal users or portal-based IPoE authentication users.
Syntax
display portal session user-type { ipoe | portal }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipoe: Specifies portal-based IPoE authentication users.
portal: Specifies portal users.
Examples
# Display information about sessions for portal-based IPoE authentication users.
<Sysname> display portal session user-type ipoe
Total IPoE sessions: 1
IP address: 1:2::3:5
MAC address: 1212-1212-1211
Interface: XGE0/0/15 User type: IPoE
Creation time: 2022-05-31 16:13:35
Status: Online
# Display information about sessions for portal users.
<Sysname> display portal session user-type portal
Total Portal sessions: 1
IP address: 1:2::3:5
MAC address: 1212-1212-1211
Interface: XGE0/0/15 User type: Portal
Creation time: 2022-05-31 16:13:35
Status: Online
Table 30 Command output
Field |
Description |
Total IPoE sessions |
Total number of sessions for IPoE authentication users. |
Total Portal sessions |
Total number of sessions for portal users. |
IP address |
IP address of a user. |
MAC address |
MAC address of the user. |
Interface |
Access interface of the user. |
Creation time |
Session creation time. |
Status |
Status of the portal authentication state machine: · Initial. · Authenticating. · Continue. · Authenticated. · Assigning new IP. · Assigned new IP. · Online. · Waiting. · Offline. |
User type |
Type of the user: · IPoE—Portal-based IPoE authentication user. · Portal—Portal user. |
exclude-attribute
Use exclude-attribute to exclude an attribute from portal protocol packets.
Use undo exclude-attribute to stop excluding an attribute from portal protocol packets.
Syntax
exclude-attribute number [ ack-auth | ack-challenge | ack-info | ack-logout | ack-ntf-user-heartbeat | ntf-challenge | ntf-logout | ntf-useripchange | ntf-user-notify ]
undo exclude-attribute number [ ack-auth | ack-challenge | ack-info | ack-logout | ack-ntf-user-heartbeat | ntf-challenge | ntf-logout | ntf-useripchange | ntf-user-notify ]
Default
No attributes are excluded from portal protocol packets.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
number: Specifies an attribute by its number, in the range of 1 to 255. If you do not specify any type of portal protocol packet after this argument, the device excludes the specified attribute from all portal protocol packets.
ack-auth: Excludes the attribute from ACK_AUTH packets.
ack-challenge: Excludes the attribute from ACK_CHALLENGE packets.
ack-info: Excludes the attribute from ACK_INFO packets.
ack-logout: Excludes the attribute from ACK_LOGOUT packets.
ack-ntf-user-heartbeat: Excludes the attribute from ACK_NTF_USER_HEARTBEAT packets.
ntf-challenge: Excludes the attribute from NTF_CHALLENGE packets.
ntf-logout: Excludes the attribute from NTF_LOGOUT packets.
ntf-user-notify: Excludes the attribute from NTF_USER_NOTIFY packets.
ntf-useripchange: Excludes the attribute from NTF_USERIPCHANGE packets.
Usage guidelines
Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.
To address this issue, you can execute this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.
You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (for example, ack-auth, ntf-logout, and ack-logout).
Table 31 describes all attributes of the portal protocol.
Name |
Number |
Description |
UserName |
1 |
Name of the user to be authenticated. |
PassWord |
2 |
User password in plaintext form. |
Challenge |
3 |
Random challenge for CHAP authentication. |
ChapPassWord |
4 |
CHAP password encrypted by MD5. |
TextInfo |
5 |
The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet. |
UpLinkFlux |
6 |
Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB. |
DownLinkFlux |
7 |
Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB. |
Port |
8 |
Port information, a string excluding the end character '\0'. |
IP-Config |
9 |
This attribute has different meanings in different types of packets. · The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. · The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user. |
BAS-IP |
10 |
IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device. |
Session-ID |
11 |
Identifier of a portal user. Generally, the value of this attribute is the MAC address of the portal user. |
Delay-Time |
12 |
Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets. |
User-List |
13 |
List of IP addresses of an IPv4 portal user. |
EAP-Message |
14 |
An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet. |
User-Notify |
15 |
Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently. |
BAS-IPv6 |
16 |
IPv6 address of the access device. |
UserIPv6-List |
101 |
List of IPv6 addresses of an IPv6 portal user. |
Examples
# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] exclude-attribute 6 ack-auth
Related commands
display portal server
free-traffic threshold
Use free-traffic threshold to specify the free-traffic threshold for portal users.
Use undo free-traffic threshold to restore the default.
Syntax
free-traffic threshold value
undo free-traffic threshold
Default
The free-traffic threshold is 0 bytes.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.
Usage guidelines
After MAC-based quick portal authentication is configured, the device monitors a user's network traffic (sent and received) in real time before the MAC-trigger entry for the user ages out. A user can access the network without authentication if the user's network traffic is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.
If the user passes portal authentication, the device deletes the MAC-trigger entry and clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.
When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure.
Examples
# Specify the free-traffic threshold for portal users as 10240 bytes.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240
Related commands
display mac-trigger-server
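The usage guidelines above describe a small per-user state machine: count traffic while the MAC-trigger entry exists, trigger MAC-based quick portal authentication once the free-traffic threshold is reached, delete the entry on success, refuse to retrigger after a failure until the entry ages out, and start over when traffic is seen again. The following Python model is an added example written for this page, not device code: the entry aging time (300 seconds) and the authenticate callback that stands in for the portal exchange are assumptions; the 10240-byte threshold is the value from the command example.

```python
from dataclasses import dataclass


@dataclass
class MacTriggerEntry:
    """One MAC-trigger entry: a per-user traffic counter plus a flag recording
    whether this entry has already triggered its single authentication attempt."""
    mac: str
    traffic_bytes: int = 0
    auth_triggered: bool = False
    age_seconds: int = 0


class MacTriggerMonitor:
    def __init__(self, threshold_bytes, aging_seconds, authenticate):
        self.threshold = threshold_bytes        # free-traffic threshold value
        self.aging_seconds = aging_seconds      # assumed aging time; not set by this command
        self.authenticate = authenticate        # assumed hook: mac -> True if portal auth passes
        self.entries = {}
        self.events = []

    def on_traffic(self, mac, nbytes):
        """Account traffic for a user and return what the device does as a result."""
        entry = self.entries.get(mac)
        if entry is None:
            entry = self.entries[mac] = MacTriggerEntry(mac)
            self.events.append(("entry-created", mac))
        entry.traffic_bytes += nbytes
        if entry.auth_triggered:
            # A surviving triggered entry means the attempt failed: no new trigger
            # until the entry ages out.
            return "no-retrigger"
        if entry.traffic_bytes < self.threshold:
            return "free"  # below threshold: network access without authentication
        # Threshold reached (immediately, for a threshold of 0): trigger quick auth.
        entry.auth_triggered = True
        if self.authenticate(mac):
            del self.entries[mac]  # entry deleted; its traffic statistics go with it
            self.events.append(("entry-deleted", mac))
            return "authenticated"
        return "auth-failed"

    def tick(self, seconds):
        """Advance time; entries that age out are removed, which clears their statistics."""
        for mac in list(self.entries):
            entry = self.entries[mac]
            entry.age_seconds += seconds
            if entry.age_seconds >= self.aging_seconds:
                del self.entries[mac]
                self.events.append(("entry-aged-out", mac))


def run_scenario():
    """Constructed scenario: one user whose credentials pass, one whose fail,
    then the threshold-0 case. Returns (per-packet results, entry events)."""
    good, bad = "00-11-22-33-44-55", "00-11-22-33-44-66"   # constructed MACs
    mon = MacTriggerMonitor(10240, 300, authenticate=lambda mac: mac == good)
    results = [
        mon.on_traffic(good, 5000),    # free
        mon.on_traffic(good, 6000),    # authenticated (11000 >= 10240)
        mon.on_traffic(bad, 20000),    # auth-failed
        mon.on_traffic(bad, 100),      # no-retrigger
    ]
    mon.tick(300)                      # the failed user's entry ages out
    results.append(mon.on_traffic(bad, 20000))   # auth-failed again on a fresh entry
    zero = MacTriggerMonitor(0, 300, authenticate=lambda mac: True)
    results.append(zero.on_traffic(good, 1))     # threshold 0 triggers on first traffic
    return results, mon.events
```

The point to take from the model is the asymmetry in the guidelines: a successful authentication removes the entry at once, while a failed one leaves the entry in place as a negative cache until it ages out, so repeated failures from one MAC cannot force the device into a retrigger loop.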
ip (MAC binding server view)
Use ip to specify the IP address of a MAC binding server.
Use undo ip to restore the default.
Syntax
ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]
undo ip
Default
The IP address of the MAC binding server is not specified.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IP address of a MAC binding server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the MAC binding server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the MAC binding server belongs to the public network, do not specify this option.
key: Specifies a shared key for securing communication between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.
cipher: Specifies a shared key in encrypted form.
simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.
Examples
# Specify 192.168.0.111 as the IP address of MAC binding server mts and specify plaintext key portal for securing communication between the device and the MAC binding server.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal
Related commands
display mac-trigger-server
ip (portal authentication server view)
Use ip to specify the IPv4 address of a portal authentication server.
Use undo ip to restore the default.
Syntax
ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]
undo ip
Default
The IPv4 address of the portal authentication server is not specified.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the portal authentication server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.
key: Specifies a shared key for securing communication between the device and the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
A portal authentication server has only one IPv4 address. Therefore, in portal authentication server view, only one IPv4 address exists. If you execute this command multiple times, the most recent configuration takes effect.
Do not configure the same IPv4 address and MPLS L3VPN for different portal authentication servers.
Examples
# Specify 192.168.0.111 as the IPv4 address of portal authentication server pts and specify plaintext key portal for securing communication between the device and the portal authentication server.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal
Related commands
display portal server
portal server
ipv6
Use ipv6 to specify the IPv6 address of a portal authentication server.
Use undo ipv6 to restore the default.
Syntax
ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]
undo ipv6
Default
The IPv6 address of the portal authentication server is not specified.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies the IP address of the IPv6 portal authentication server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.
key: Specifies a shared key for securing the communication between the device and the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
A portal authentication server has only one IPv6 address. Therefore, in portal authentication server view, only one IPv6 address exists. If you execute this command multiple times, the most recent configuration takes effect.
Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers.
Examples
# Specify 2000::1 as the IPv6 address of portal authentication server pts and specify plaintext key portal for securing the communication between the device and the portal authentication server.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] ipv6 2000::1 key simple portal
Related commands
display portal server
portal server
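The key parameter of ip (MAC binding server view), ip and ipv6 (portal authentication server view) all describe the same mechanism: packets carry an authenticator derived from the shared key, and the receiver uses it to check that a packet is genuine; without a key, nothing is checked. The following Python example is added for this page and is not the product's protocol implementation. It uses the packet type codes and attribute numbers from the attribute table above (ACK_AUTH 0x04, NTF_LOGOUT 0x08, BAS-IP 10, Session-ID 11, Delay-Time 12), but the type/length/value encoding, the HMAC-SHA256 authenticator and the sample addresses are assumptions chosen for illustration, not the documented wire format.

```python
import hashlib
import hmac

# Packet types and attribute numbers from the attribute table on this page.
ACK_AUTH = 0x04
ACK_LOGOUT = 0x06
NTF_LOGOUT = 0x08
ATTR_BAS_IP = 10
ATTR_SESSION_ID = 11
ATTR_DELAY_TIME = 12

AUTH_LEN = hashlib.sha256().digest_size  # 32-byte authenticator (assumed algorithm)


def encode_attrs(attrs):
    """Encode (number, value) pairs as type(1) | length(1) | value (assumed layout)."""
    out = bytearray()
    for number, value in attrs:
        if len(value) > 255:
            raise ValueError("attribute value too long for a one-byte length")
        out += bytes([number, len(value)]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs into a dict; a length field that runs past the end is rejected."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        number, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            raise ValueError("attribute length exceeds packet")
        attrs[number] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return attrs


def is_well_formed(packet):
    try:
        decode_attrs(packet[1:])
        return True
    except ValueError:
        return False


def build_packet(pkt_type, attrs, shared_key):
    """Sender: type byte, attributes, then a keyed authenticator if a key is configured."""
    body = bytes([pkt_type]) + encode_attrs(attrs)
    if shared_key is None:
        return body  # no key: the packet carries no authenticator at all
    return body + hmac.new(shared_key, body, hashlib.sha256).digest()


def verify_packet(packet, shared_key):
    """Receiver: returns (accepted, packet type, attributes)."""
    if shared_key is None:
        # No key configured: as the parameter description states, the packets are
        # not authenticated, so any well-formed packet is treated as genuine.
        return True, packet[0], decode_attrs(packet[1:])
    if len(packet) < 1 + AUTH_LEN:
        return False, None, None
    body, received = packet[:-AUTH_LEN], packet[-AUTH_LEN:]
    expected = hmac.new(shared_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(received, expected):  # constant-time comparison
        return False, None, None
    return True, body[0], decode_attrs(body[1:])


def demo_authenticator():
    """Constructed scenario: a forced-logout notification checked with and without a key."""
    key = b"portal"  # the plaintext key used in the command examples on this page
    attrs = [
        (ATTR_BAS_IP, bytes([192, 168, 0, 1])),              # constructed address
        (ATTR_SESSION_ID, bytes.fromhex("001122334455")),    # constructed MAC
        (ATTR_DELAY_TIME, (5).to_bytes(2, "big")),
    ]
    genuine = build_packet(NTF_LOGOUT, attrs, key)
    wrong_key = build_packet(NTF_LOGOUT, attrs, b"guess")
    tampered = bytearray(genuine)
    tampered[1 + 2 + 4 + 2] ^= 0xFF   # flip the first byte of the Session-ID value
    unkeyed = build_packet(NTF_LOGOUT, attrs, None)
    return {
        "genuine_with_key": verify_packet(genuine, key)[0],
        "wrong_key": verify_packet(wrong_key, key)[0],
        "tampered": verify_packet(bytes(tampered), key)[0],
        "unkeyed_rejected_when_key_set": verify_packet(unkeyed, key)[0],
        "unkeyed_accepted_without_key": verify_packet(unkeyed, None)[0],
        "truncated_tlv_rejected": not is_well_formed(bytes([NTF_LOGOUT, ATTR_BAS_IP, 9, 1])),
        "session_id": verify_packet(genuine, key)[2][ATTR_SESSION_ID].hex(),
    }
```

The last two dictionary entries are the ones worth reading: with no key on either side, a receiver accepts any well-formed NTF_LOGOUT, so the shared key is what ties a logout or re-DHCP instruction to the peer that was configured, and length validation in the attribute parser is what keeps a malformed packet from being read past its end.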
logon-page bind
Use logon-page bind to bind an endpoint name to an authentication page file.
Use undo logon-page bind to unbind the endpoint name from the authentication page file.
Syntax
logon-page bind device-name device-name file file-name
undo logon-page bind { all | device-name device-name }
Default
No endpoint name is bound to an authentication page file.
Views
Local portal Web service view
Predefined user roles
network-admin
Parameters
all: Specifies all endpoint names.
device-name device-name: Specifies an endpoint name, a case-sensitive string of 1 to 127 characters. The specified endpoint name must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.
file file-name: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.
Usage guidelines
This command implements customized authentication page pushing for portal users. After you execute this command, the device pushes authentication pages to users according to the user SSID or endpoint name.
When a Web user triggers local portal authentication, the device searches for a binding that matches the user's endpoint name.
· If the binding exists, the device pushes the bound authentication pages to the user.
· If the binding does not exist, the device pushes the default authentication pages to the user. If the default authentication page file is not specified (by using the default-logon-page command), the user cannot perform local portal authentication.
When you execute this command, follow these restrictions and guidelines:
· If the name or content of the file in a binding entry is changed, you must reconfigure the binding.
· To reconfigure or modify a binding, simply re-execute this command without canceling the existing binding.
· If you execute this command multiple times to bind an endpoint name to different authentication page files, the most recent configuration takes effect.
· You can configure multiple binding entries on the device.
Examples
# Create an HTTP-based local portal Web service.
<Sysname> system-view
[Sysname] portal local-web-server http
# Bind endpoint name iphone to authentication page file file2.zip.
[Sysname-portal-local-websvr-http] logon-page bind device-name iphone file file2.zip
Related commands
default-logon-page
portal local-web-server
logout-notify
Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.
Use undo logout-notify to restore the default.
Syntax
logout-notify retry retries interval interval
undo logout-notify
Default
The device does not retransmit a logout notification packet.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
retry retries: Specifies the maximum number of retries, in the range of 1 to 5.
interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.
Usage guidelines
A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.
After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.
Examples
# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.
<Sysname> system-view
[Sysname] portal server pt
[Sysname-portal-server-pt] logout-notify retry 3 interval 5
Related commands
display portal server
nas-port-type
Use nas-port-type to set the NAS-Port-Type attribute value carried in RADIUS requests sent to the RADIUS server.
Use undo nas-port-type to restore the default.
Syntax
nas-port-type value
undo nas-port-type
Default
The NAS-Port-Type attribute value carried in RADIUS requests is not set.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
value: Specifies the NAS-Port-Type attribute value in the range of 1 to 255.
Usage guidelines
Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type attribute value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type attribute value required by the MAC binding server.
Examples
# Set the NAS-Port-Type attribute value to 30 for RADIUS requests sent to MAC binding server mts.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] nas-port-type 30
Related commands
display mac-trigger-server
port (MAC binding server view)
Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.
Use undo port to restore the default.
Syntax
port port-number
undo port
Default
The MAC binding server listens for MAC binding query packets on UDP port 50100.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
port-number: Specifies the listening UDP port number in the range of 1 to 65534.
Usage guidelines
The specified port number must be the same as the query listening port number configured on the MAC binding server.
Examples
# Set the UDP port number to 1000 for MAC binding server mts to listen for MAC binding query packets.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] port 1000
Related commands
display mac-trigger-server
port (portal authentication server view)
Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.
Use undo port to restore the default.
Syntax
port port-number
undo port
Default
The device uses 50100 as the destination UDP port number for unsolicited portal packets.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.
Usage guidelines
The specified port must be the port on which the portal authentication server listens for portal packets.
Examples
# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] port 50000
Related commands
portal server
portal { bas-ip | bas-ipv6 } (system view/interface view)
Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal notification packets sent to the portal authentication server.
Use undo portal { bas-ip | bas-ipv6 } to restore the default.
Syntax
portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }
undo portal { bas-ip | bas-ipv6 }
Default
The BAS-IP attribute value of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the packet's output interface.
The BAS-IPv6 attribute value of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet's output interface.
Views
System view
Interface view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the BAS-IP attribute value for portal notification packets sent to the portal authentication server. This attribute must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address.
ipv6-address: Specifies the BAS-IPv6 attribute value for portal notification packets sent to the portal authentication server. This attribute must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all-0 address, or a link-local address.
Usage guidelines
To avoid portal user offline failure and re-DHCP portal authentication failure, the BAS-IP or BAS-IPv6 attribute must be the same as the device IP address on the portal authentication server. Use this command to configure the BAS-IP or BAS-IPv6 attribute value as the device IP address specified on the portal authentication server. The device uses the BAS-IP or BAS-IPv6 attribute value as the source IP address of portal notification packets sent to the portal authentication server.
This command takes effect only on unsolicited portal notification packets sent to the portal authentication server. For IPv4 portal reply packets, the BAS-IP attribute value is the source IPv4 address of the packets. For IPv6 portal reply packets, the BAS-IPv6 attribute value is the source IPv6 address of the packets.
The global BAS-IP or BAS-IPv6 configuration made in system view takes effect on all interfaces. For an interface, the interface-specific BAS-IP or BAS-IPv6 configuration takes precedence over the global configuration.
Examples
# Globally configure the BAS-IP attribute as 2.2.2.2 for portal notification packets sent to the portal authentication server.
<Sysname> system-view
[Sysname] portal bas-ip 2.2.2.2
# On interface Ten-GigabitEthernet 0/0/15, configure the BAS-IP attribute as 2.2.2.2 for portal notification packets sent to the portal authentication server.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] portal bas-ip 2.2.2.2
Related commands
display portal
portal access-info trust
Use portal access-info trust to configure the device to obtain user information from ARP or ND entries.
Use undo portal access-info trust to restore the default.
Syntax
portal access-info trust { arp | nd }
undo portal access-info trust { arp | nd }
Default
The device obtains user information from FIB entries.
Views
System view
Predefined user roles
network-admin
Parameters
arp: Obtains user information from ARP entries.
nd: Obtains user information from ND entries.
Usage guidelines
In an IPoE Web authentication network, when the device receives portal packets from the portal authentication server, it obtains user access information to complete authentication for users.
By default, the device obtains the user access information from FIB entries in the VPN instance of the portal authentication server. In the following situations, however, the device cannot obtain user access information from FIB entries and therefore users cannot pass Web authentication:
· The DHCP access users and the portal authentication server belong to different VPN instances.
· The user access interface is not bound to a VPN instance.
To resolve this issue, you can configure this feature on the device. When this feature is enabled, the device first attempts to obtain user access information from ARP or ND entries during Web authentication. If the attempt fails, the device obtains user access information from UCM user entries.
As a best practice, configure this feature in all IPoE Web authentication scenarios.
To use this feature, make sure the VPN instances do not have overlapping IP addresses. Otherwise, this feature cannot ensure normal user logins.
Examples
# Configure the device to get user access information from ARP entries.
<Sysname> system-view
[Sysname] portal access-info trust arp
portal apply mac-trigger-server
Use portal apply mac-trigger-server to specify a MAC binding server.
Use undo portal apply mac-trigger-server to restore the default.
Syntax
portal apply mac-trigger-server server-name
undo portal apply mac-trigger-server
Default
No MAC binding server is specified.
Views
Interface view
Predefined user roles
network-admin
Parameters
server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
Only IPv4 direct authentication supports MAC-based quick authentication.
For MAC-based quick portal authentication to take effect, perform the following tasks:
· Configure normal portal authentication.
· Configure a MAC binding server.
· Specify the MAC binding server on a portal enabled interface.
Examples
# Specify MAC binding server mts on Ten-GigabitEthernet 0/0/15.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/15
[Sysname-Ten-GigabitEthernet0/0/15] portal apply mac-trigger-server mts
Related commands
portal local-web-server
Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.
Use undo portal local-web-server to delete the HTTP- or HTTPS-based local portal Web service.
Syntax
portal local-web-server { http | https ssl-server-policy policy-name [ tcp-port port-number ] }
undo portal local-web-server { http | https }
Default
No local portal Web service exists.
Views
System view
Predefined user roles
network-admin
Parameters
http: Specifies the HTTP-based local portal Web service, which uses HTTP to exchange authentication information with clients.
https: Specifies the HTTPS-based local portal Web service, which uses HTTPS to exchange authentication information with clients.
ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters.
tcp-port port-number: Specifies the listening TCP port number for the HTTPS-based local portal Web service. The value range for the port-number argument is 1 to 65535. The default port number is 443.
Usage guidelines
In the local portal Web service, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.
For an interface to use the local portal Web service, the URL of the portal Web server specified for the interface must meet the following requirements:
· The IP address in the URL must be the IP address of a Layer 3 interface (except 127.0.0.1) on the device, and the IP address must be reachable to portal clients.
· The URL must end with /portal/. For example: https://1.1.1.1/portal/.
You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.
To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service.
When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines:
· For HTTPS-based local portal Web service and other services that use HTTPS:
  · If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.
  · If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.
· Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS) or other service.
· Do not configure the same TCP port number for HTTP-based local portal Web service and HTTPS-based local portal Web service.
Examples
# Create an HTTP-based local portal Web service and enter its view.
<Sysname> system-view
[Sysname] portal local-web-server http
# Create an HTTPS-based local portal Web service and associate SSL server policy policy1 with the service.
<Sysname> system-view
[Sysname] portal local-web-server https ssl-server-policy policy1
# Change the associated SSL server policy to policy2.
[Sysname] undo portal local-web-server https
[Sysname] portal local-web-server https ssl-server-policy policy2
# Create an HTTPS-based local portal Web service. In the service, the associated SSL server policy is policy1 and the listening port number is 442.
<Sysname> system-view
[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442
[Sysname-portal-local-websvr-https] quit
Related commands
default-logon-page
portal local-web-server
ssl server-policy (Security Command Reference)
portal mac-trigger-server
Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server.
Use undo portal mac-trigger-server to delete the MAC binding server.
Syntax
portal mac-trigger-server server-name
undo portal mac-trigger-server server-name
Default
No MAC binding servers exist.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies a MAC binding server name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
After you create a MAC binding server, you can configure MAC binding server parameters, such as the server's IP address, port number, VPN instance, and the pre-shared key for communication between the access device and the server.
Examples
# Create the MAC binding server mts and enter its view.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts]
Related commands
display mac-trigger-server
portal apply mac-trigger-server
portal server
Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.
Use undo portal server to delete the specified portal authentication server.
Syntax
portal server server-name
undo portal server server-name
Default
No portal authentication servers exist.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
In portal authentication server view, you can configure the following parameters and features for the portal authentication server:
· IP address of the server.
· Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.
· MPLS L3VPN where the portal authentication server resides.
· Pre-shared key for communication between the access device and the server.
· Server detection feature.
You can configure multiple portal authentication servers for an access device.
Examples
# Create the portal authentication server pts and enter its view.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts]
Related commands
reset portal ip-subscriber message statistics
Use reset portal ip-subscriber message statistics to clear statistics for messages exchanged between portal and IPoE.
Syntax
reset portal ip-subscriber message statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear statistics for messages exchanged between portal and IPoE.
<Sysname> reset portal ip-subscriber message statistics
Related commands
display portal ip-subscriber message statistics
reset portal mac-trigger-server packet statistics
Use reset portal mac-trigger-server packet statistics to clear statistics for messages exchanged between the device and MAC binding servers.
Syntax
reset portal mac-trigger-server packet statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear statistics for messages exchanged between the device and MAC binding servers.
<Sysname> reset portal mac-trigger-server packet statistics
Related commands
display portal mac-trigger-server packet statistics
reset portal packet statistics
Use reset portal packet statistics to clear packet statistics for portal authentication servers.
Syntax
reset portal packet statistics [ server server-name ]
Views
User view
Predefined user roles
network-admin
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server server-name option, this command clears packet statistics for all portal authentication servers.
Examples
# Clear packet statistics for portal authentication server pts.
<Sysname> reset portal packet statistics server pts
Related commands
display portal packet statistics
server-detect (portal authentication server view)
Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.
Use undo server-detect to disable portal authentication server detection.
Syntax
server-detect [ timeout timeout ] { log | trap } *
undo server-detect
Default
Portal authentication server detection is disabled.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.
{ log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal authentication server. You can select one of the following options or both:
· log—When reachability status of the portal authentication server changes, the device sends a log message. The log message contains the name, the original state, and the current state of the portal authentication server.
· trap—When reachability status of the portal authentication server changes, the device sends a trap message to the NMS. The trap message contains the name and the current state of the portal authentication server.
Usage guidelines
The device determines a portal authentication server is reachable if the device receives a correct portal packet from the server before the detection timeout expires.
To test server reachability by detecting heartbeat packets, you must enable the server heartbeat feature on the portal authentication server. Only the IMC portal authentication server supports sending heartbeat packets.
The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server.
Examples
# Enable server detection for the portal authentication server pts:
· Set the detection timeout to 600 seconds.
· Configure the device to send a log message and a trap message if the server reachability status changes.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] server-detect timeout 600 log trap
Related commands
portal server
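The usage guidelines state the two rules that matter when tuning server detection: the server is reachable as long as a correct portal packet arrives before the detection timeout expires, and the timeout must be greater than the server's heartbeat interval. The following Python simulation is an added example for this page, not device code; it assumes detection starts with the server considered reachable at time 0 and that the timer restarts on every received packet, and it returns the (name, original state, current state) records the log action would carry, with the time of each change appended.

```python
def simulate_server_detect(server_name, packet_times, detect_timeout, end_time):
    """Replay portal packet arrival times (seconds) against the detection timer.
    Returns one (name, old_state, new_state, time) record per reachability change."""
    state, deadline, logs = "reachable", detect_timeout, []
    for t in sorted(packet_times):
        if t >= end_time:
            break
        # Timer expired before this packet arrived: the server was declared
        # unreachable at the deadline, not when the late packet showed up.
        if state == "reachable" and t > deadline:
            logs.append((server_name, "reachable", "unreachable", deadline))
            state = "unreachable"
        # A correct packet from an unreachable server marks it reachable again.
        if state == "unreachable":
            logs.append((server_name, "unreachable", "reachable", t))
            state = "reachable"
        deadline = t + detect_timeout   # a packet exactly at the deadline still counts
    if state == "reachable" and end_time > deadline:
        logs.append((server_name, "reachable", "unreachable", deadline))
    return logs


def heartbeats(interval, end_time):
    """Constructed heartbeat schedule: one packet every `interval` seconds."""
    return list(range(interval, end_time, interval))


def compare_timeouts():
    """Three constructed runs with a 60-second server heartbeat interval:
    timeout 600 s (the command example), timeout 50 s (below the interval), and a
    server whose heartbeats stop after two packets."""
    steady = simulate_server_detect("pts", heartbeats(60, 600), 600, 600)
    flapping = simulate_server_detect("pts", heartbeats(60, 200), 50, 200)
    stopped = simulate_server_detect("pts", [60, 120], 100, 400)
    return {"steady": steady, "flapping": flapping, "stopped": stopped}
```

With the timeout below the heartbeat interval the server is logged unreachable and reachable again on every heartbeat cycle, which is the noise the "must be greater than" rule in the guidelines is there to prevent; with the timeout above the interval the only transition that appears is the real one, when heartbeats stop.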
server-register
Use server-register to set the interval at which the device registers with a portal authentication server.
Use undo server-register to restore the default.
Syntax
server-register [ interval interval-value ]
undo server-register
Default
The device does not register with a portal authentication server.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the register interval in the range of 1 to 3600 seconds. The default interval is 600 seconds.
Usage guidelines
This feature is typically used in scenarios where a NAT device exists between a portal authentication server and an access device.
Without this feature, you must configure a static NAT mapping for each access device on the NAT device, which is a heavy administrative workload. After this feature is enabled, the access device automatically sends register packets to the portal authentication server. The register packet contains the access device name. When the server receives the register packet, it records register information for the access device, including the device name and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.
Only CMCC portal authentication servers support this feature.
Examples
# Configure the device to register with the portal authentication server at intervals of 120 seconds.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] server-register interval 120
Related commands
server-type
server-type
Use server-type to specify the type of a portal authentication server.
Use undo server-type to restore the default.
Syntax
server-type { cmcc | imc }
undo server-type
Default
The type of the portal authentication server is IMC.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
cmcc: Specifies the portal server type as CMCC.
imc: Specifies the portal server type as IMC.
Usage guidelines
The portal server type specified on the device must match the type of the portal authentication server that the device actually uses.
Examples
# Specify the type of the portal authentication server as cmcc.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] server-type cmcc
Related commands
display portal server
server-type (MAC binding server view)
Use server-type to specify the type of a MAC binding server.
Use undo server-type to restore the default.
Syntax
server-type { cmcc | imc }
undo server-type
Default
The type of the MAC binding server is IMC.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
cmcc: Specifies the MAC binding server type as CMCC.
imc: Specifies the MAC binding server type as IMC.
Examples
# Specify the type of the MAC binding server as cmcc.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] server-type cmcc
tcp-port
Use tcp-port to configure a listening TCP port for the local portal Web service.
Use undo tcp-port to restore the default.
Syntax
tcp-port port-number
undo tcp-port
Default
The listening TCP port number for HTTP is 80. The listening TCP port number for HTTPS is the TCP port number set by using the portal local-web-server command.
Views
Local portal Web service view
Predefined user roles
network-admin
Parameters
port-number: Specifies the listening TCP port number in the range of 1 to 65535.
Usage guidelines
To use the local portal Web service, make sure the port number in the portal Web server URL and the port number configured in this command are the same.
For successful local portal authentication, follow these guidelines:
· Do not configure the listening TCP port number for the local portal Web service as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.
· Do not configure the HTTP listening port number as the default HTTPS listening port number 443.
· Do not configure the HTTPS listening port number as the default HTTP listening port number 80.
· Do not configure the same listening port number for HTTP and HTTPS.
· For the HTTPS-based local portal Web service and other services that use HTTPS:
  · If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.
  · If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.
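The port guidelines above are easy to violate when several services are configured independently. The following added example, written for this page and not part of the device software, parses a constructed, simplified configuration snippet and reports violations of these guidelines before the configuration is applied. The https form of the portal local-web-server line with an ssl-server-policy keyword, the other_https list describing other HTTPS services, and the list of well-known ports beyond FTP and Telnet are assumptions made for the example.

```python
"""Added example: sanity checks for local portal Web service listening ports.

Illustrative code written for this page; it is not the device's own
implementation. It applies the tcp-port usage guidelines to a
simplified configuration text.
"""

# FTP (21) and Telnet (23) are the page's examples of ports used by known
# protocols; the remaining entries are common IANA assignments added here.
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
                    53: "DNS", 161: "SNMP"}
HTTP_DEFAULT, HTTPS_DEFAULT = 80, 443


def parse_local_web_servers(config: str) -> dict:
    """Return {'http': {'port': n, 'policy': None}, 'https': {...}}.

    Input format is a constructed simplification of the page's CLI lines:
    'portal local-web-server http|https [ssl-server-policy NAME]' followed
    by an indented 'tcp-port N' line. The https form with
    ssl-server-policy is an assumption for this example.
    """
    servers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("portal local-web-server ") and len(tokens) >= 3:
            proto = tokens[2]
            policy = None
            if "ssl-server-policy" in tokens:
                policy = tokens[tokens.index("ssl-server-policy") + 1]
            # Only HTTP has a documented default listening port (80).
            current = {"port": HTTP_DEFAULT if proto == "http" else None,
                       "policy": policy}
            servers[proto] = current
        elif line.startswith("tcp-port ") and current is not None:
            current["port"] = int(tokens[1])
    return servers


def check_ports(servers: dict, other_https=()) -> list:
    """Return a list of guideline violations (empty list means clean).

    other_https: iterable of (service_name, port, ssl_server_policy) for
    other HTTPS services on the device (constructed input for this example).
    """
    findings = []
    http = servers.get("http", {}).get("port")
    https = servers.get("https", {}).get("port")
    https_policy = servers.get("https", {}).get("policy")

    for proto, srv in servers.items():
        port = srv["port"]
        if port is None:
            continue
        if not 1 <= port <= 65535:
            findings.append(f"{proto}: port {port} is outside 1 to 65535")
        if port in WELL_KNOWN_PORTS:
            findings.append(f"{proto}: port {port} is used by {WELL_KNOWN_PORTS[port]}")
    if http == HTTPS_DEFAULT:
        findings.append("http: must not use the default HTTPS port 443")
    if https == HTTP_DEFAULT:
        findings.append("https: must not use the default HTTP port 80")
    if http is not None and https is not None and http == https:
        findings.append(f"http and https share listening port {http}")
    # HTTPS services may share a port only under the same SSL server policy.
    for name, port, policy in other_https:
        if https is not None and port == https and policy != https_policy:
            findings.append(f"https: port {port} shared with {name} but SSL "
                            f"server policies differ ({https_policy} vs {policy})")
    return findings


# Constructed configuration snippet (not from the page) with two mistakes.
BAD_CONFIG = """\
portal local-web-server http
 tcp-port 443
portal local-web-server https ssl-server-policy pol1
 tcp-port 8443
"""

# Constructed clean configuration using the page's example port 2331.
GOOD_CONFIG = """\
portal local-web-server http
 tcp-port 2331
portal local-web-server https ssl-server-policy pol1
 tcp-port 8443
"""

if __name__ == "__main__":
    for f in check_ports(parse_local_web_servers(BAD_CONFIG),
                         other_https=[("other-https-service", 8443, "pol2")]):
        print("VIOLATION:", f)
```

Run it against a saved configuration excerpt before pushing changes; an empty result means the listening ports satisfy every guideline in the list above.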
Examples
# Set the HTTP listening port number to 2331 for the HTTP-based local portal Web service.
<Sysname> system-view
[Sysname] portal local-web-server http
[Sysname-portal-local-websvr-http] tcp-port 2331
Related commands
user-sync
Use user-sync to enable portal user synchronization for a portal authentication server.
Use undo user-sync to disable portal user synchronization for a portal authentication server.
Syntax
user-sync timeout timeout
undo user-sync
Default
Portal user synchronization is disabled for a portal authentication server.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds.
Usage guidelines
After this feature is enabled, the device replies to the synchronization packets from the portal authentication server and checks that they keep arriving within the detection timeout. In this way, the online portal user information on the device and on the portal authentication server remains consistent.
Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Currently, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, you must configure the user heartbeat feature on the portal authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device.
Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.
If you execute this command multiple times, the most recent configuration takes effect.
If a user on the device does not appear in the synchronization packets from the portal authentication server, the device deletes that user's information after the configured detection timeout expires.
If a synchronization packet from the portal authentication server carries users that do not exist on the device, the device returns the IP addresses of those users in its user heartbeat reply packet. The portal authentication server then deletes those users.
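The two-way behaviour described above (device-side logout on timeout, server-side deletion via the reply) and the timer relationships required by user-sync and by server-detect (the detection timeout must exceed the server heartbeat interval) are modelled in the following added example. It is illustrative code written for this page, not the device's implementation; the packet representation (a list of user IP addresses) and the constructed addresses are assumptions.

```python
"""Added example: a model of portal user synchronization (user-sync) and
the timer constraints from the server-detect and user-sync guidelines.

Illustrative code written for this page; not the device's implementation.
All times are in seconds.
"""
from dataclasses import dataclass, field


def check_timers(server_detect_timeout: int, server_heartbeat_interval: int,
                 user_sync_timeout: int, user_heartbeat_interval: int) -> list:
    """Return the violated guidelines (empty list means consistent).

    - server-detect timeout must be greater than the server heartbeat
      interval configured on the portal authentication server.
    - user-sync timeout must be within 60 to 18000 seconds.
    - user heartbeat interval must not be greater than the user-sync timeout.
    """
    problems = []
    if not server_detect_timeout > server_heartbeat_interval:
        problems.append("server-detect timeout must be greater than the "
                        "server heartbeat interval")
    if not 60 <= user_sync_timeout <= 18000:
        problems.append("user-sync timeout must be in the range 60 to 18000")
    if user_heartbeat_interval > user_sync_timeout:
        problems.append("user heartbeat interval must not be greater than "
                        "the user-sync timeout")
    return problems


@dataclass
class PortalUserSync:
    """Device-side view of online portal users under user-sync."""
    timeout: int
    # user IP -> time the user came online or last appeared in a sync packet
    online: dict = field(default_factory=dict)

    def user_online(self, ip: str, now: int) -> None:
        """Record a user that has passed portal authentication on the device."""
        self.online[ip] = now

    def receive_sync_packet(self, server_users, now: int) -> list:
        """Process a user heartbeat packet listing the users the server
        considers online. Users known on the device are refreshed. The
        returned list holds the IPs unknown on the device; the device
        carries them in its reply so that the server deletes those users.
        """
        unknown = []
        for ip in server_users:
            if ip in self.online:
                self.online[ip] = now
            else:
                unknown.append(ip)
        return sorted(unknown)

    def expire(self, now: int) -> list:
        """Log out users absent from sync packets for the full timeout."""
        stale = sorted(ip for ip, seen in self.online.items()
                       if now - seen >= self.timeout)
        for ip in stale:
            del self.online[ip]
        return stale


if __name__ == "__main__":
    # Constructed scenario: timeout 600 as in the page's example.
    sync = PortalUserSync(timeout=600)
    sync.user_online("10.1.1.1", 0)
    sync.user_online("10.1.1.2", 0)
    print("server should delete:", sync.receive_sync_packet(["10.1.1.1", "10.1.1.3"], 300))
    print("device logs out:", sync.expire(600))
    print("timer problems:", check_timers(600, 300, 600, 300))
```

The device never deletes a user solely because one packet omits it; only continuous absence for the detection timeout triggers the logout, which is why the heartbeat interval must not exceed the timeout.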
Examples
# Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] user-sync timeout 600
Related commands
portal server
version
Use version to specify the version of the portal protocol.
Use undo version to restore the default.
Syntax
version version-number
undo version
Default
The version of the portal protocol is 1.
Views
MAC binding server view
Predefined user roles
network-admin
Parameters
version-number: Specifies the portal protocol version in the range of 1 to 3.
Usage guidelines
The specified portal protocol version must be the version required by the MAC binding server.
Examples
# Configure the device to use portal protocol version 2 to communicate with the MAC binding server mts.
<Sysname> system-view
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] version 2
Related commands
display mac-trigger-server