15-BRAS Services Command Reference


UCM commands

access-limit

Use access-limit to configure the maximum number of access users allowed on an interface.

Use undo access-limit to restore the default.

Syntax

access-limit user-number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] ]

undo access-limit [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] ]

Default

The maximum number of access users on an interface is not limited.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

user-number: Specifies the maximum number of access users allowed. The value range is 1 to 64000.

start-vlan start-vlan: Specifies the start VLAN in the range of 1 to 4094. In QinQ applications, this option specifies the start inner VLAN. Only subinterfaces support this option.

end-vlan end-vlan: Specifies the end VLAN in the range of 1 to 4094. In QinQ applications, this option specifies the end inner VLAN. The end VLAN cannot be smaller than the start VLAN. Only subinterfaces support this option.

qinq qinq-vlan: Specifies the outer VLAN of QinQ in the range of 1 to 4094. If you specify start-vlan and do not specify qinq, all outer VLANs 1 through 4094 are each allocated to the specified inner VLAN. Only subinterfaces support this option.

Usage guidelines

When you execute this command, follow these restrictions and guidelines:

·     If no VLAN is specified, the following rules apply:

¡     For a main interface, the user-number argument specifies the maximum number of access users allowed on the main interface.

¡     For a subinterface, the user-number argument specifies the maximum number of access users allowed on each single VLAN or each inner-outer VLAN pair of the subinterface.

·     If VLANs are specified in this command, this command specifies the maximum number of users in each of the specified VLANs. For example, if you specify the start-vlan start-vlan and end-vlan end-vlan keywords in this command, this command specifies the maximum number of users allowed in each of the VLANs from the start VLAN to the end VLAN.

·     If one access-limit command is configured with VLANs and another access-limit command is not configured with VLANs, the number of users in the specified VLANs is limited by the first command and the number of users in the other VLANs is limited by the second command. 

·     For a single VLAN or a single inner-outer VLAN pair, the most recent configuration takes effect. For example, if you first execute the access-limit 50 start-vlan 1 end-vlan 3 command and then the access-limit 100 start-vlan 2 end-vlan 3 command, the maximum number of users allowed is 100 in VLAN 2 or VLAN 3 and 50 in VLAN 1.
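The precedence rules above can be checked with a small model before a configuration is pushed. This is an added example, not H3C code; the class and function names are hypothetical, it covers the subinterface case only, and it assumes that a command with qinq applies only to that outer VLAN while a command without qinq applies to single-tagged traffic and to every outer VLAN.

```python
"""Model of the documented access-limit precedence rules (illustrative only)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccessLimit:
    """One 'access-limit' command as entered on a subinterface."""
    user_number: int                  # 1 to 64000
    start_vlan: Optional[int] = None  # inner VLAN in QinQ applications
    end_vlan: Optional[int] = None
    qinq: Optional[int] = None        # outer VLAN

    def __post_init__(self):
        if not 1 <= self.user_number <= 64000:
            raise ValueError("user-number must be in the range 1 to 64000")
        for vlan in (self.start_vlan, self.end_vlan, self.qinq):
            if vlan is not None and not 1 <= vlan <= 4094:
                raise ValueError("VLAN IDs must be in the range 1 to 4094")
        if self.start_vlan is None and (self.end_vlan or self.qinq):
            raise ValueError("end-vlan and qinq require start-vlan")
        if self.end_vlan is not None and self.end_vlan < self.start_vlan:
            raise ValueError("end VLAN cannot be smaller than start VLAN")

    def matches(self, vlan: int, outer: Optional[int] = None) -> bool:
        """True if this command covers the VLAN (or inner-outer pair)."""
        if self.start_vlan is None:
            return True
        last = self.end_vlan if self.end_vlan is not None else self.start_vlan
        if not self.start_vlan <= vlan <= last:
            return False
        # Assumption: no qinq keyword means any outer VLAN or none at all.
        return self.qinq is None or self.qinq == outer


def effective_limit(commands: List[AccessLimit], vlan: int,
                    outer: Optional[int] = None) -> Optional[int]:
    """Limit that applies to one VLAN or pair; None means not limited."""
    fallback = None
    for cmd in reversed(commands):            # most recent command first
        if cmd.start_vlan is None:
            if fallback is None:
                fallback = cmd.user_number    # latest command without VLANs
            continue
        if cmd.matches(vlan, outer):
            return cmd.user_number            # most recent VLAN-specific match
    return fallback


def can_admit(limit: Optional[int], online_users: int) -> bool:
    """Existing users stay online; a new user needs a free slot."""
    return limit is None or online_users < limit


if __name__ == "__main__":
    # The sequence from the usage guidelines, then a command without VLANs.
    history = [AccessLimit(50, 1, 3), AccessLimit(100, 2, 3), AccessLimit(10)]
    for vlan in (1, 2, 3, 4):
        print("VLAN", vlan, "limit", effective_limit(history, vlan))
```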

If the configured limit is smaller than the number of existing users on an interface (or VLANs on an interface), the configuration succeeds and the existing users are not affected. However, new users cannot come online on the interface (or VLANs on the interface).

When this command is executed together with the pppoe-server session-limit per-vlan command and the access-limit command in an ISP domain, all three commands take effect. The three commands control the number of users on the interface (or VLANs on the interface) from different perspectives, and the number of users is controlled by all three commands. A new PPPoE user can come online only when none of these limits is reached.

When this command is executed together with the access-limit command in an ISP domain, both commands take effect. The two commands control the number of BRAS users on the interface (or VLANs on the interface) from different perspectives, and the number of BRAS users is controlled by both commands. A new BRAS user can come online only when neither limit is reached.

Examples

# Set the maximum number of access users allowed on Ten-GigabitEthernet 0/0/15.1. For packets with a single layer of VLAN tags, set the maximum number of access users to 100 for packets with VLAN tag 2. For packets with two layers of VLAN tags, set the maximum number of access users to 100 for each combination of inner VLAN 2 and any of outer VLANs 1 through 4094.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/15.1

[Sysname-Ten-GigabitEthernet0/0/15.1] access-limit 100 start-vlan 2

Related commands

access-limit (BRAS Services Command Reference)

pppoe-server session-limit per-vlan (BRAS Services Command Reference)

access-user authen-and-accounting without-ipv6-prefix

Use access-user authen-and-accounting without-ipv6-prefix to configure the BRAS not to carry attribute 97 when sending authentication and accounting packets to the AAA server.

Use undo access-user authen-and-accounting without-ipv6-prefix to restore the default.

Syntax

access-user authen-and-accounting without-ipv6-prefix

undo access-user authen-and-accounting without-ipv6-prefix

Default

The BRAS carries attribute 97 when sending authentication and accounting packets to the AAA server.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

Attribute 97 (Framed-IPv6-Prefix) indicates the user's IPv6 prefix information, with a prefix length of 64 bits.

By default, in the IPv6 scenario, the BRAS fills in the first 64 bits of a user IPv6 address as a prefix in attribute 97 when sending authentication and accounting packets to the AAA server. This helps the AAA server manage and control the user IPv6 addresses. However, for certain ISPs or application scenarios, providing IPv6 prefix information in non-ND user scenarios might not be necessary or secure. In this case, you can use the access-user authen-and-accounting without-ipv6-prefix command to disable carrying attribute 97.

Operating mechanism

After the access-user authen-and-accounting without-ipv6-prefix command is executed, the BRAS no longer carries attribute 97 when sending authentication and accounting packets to the AAA server. This command effectively prevents the transmission of IPv6 prefix information, reduces the risk of user information leakage, enhances network security, and protects user privacy.

Restrictions and guidelines

·     This feature is only applicable to non-ND user scenarios. For example, IPoE unclassified-IPv6 users, DHCPv6 users, and static users.

·     For ND user scenarios (such as ND prefix sharing scenarios or one ND prefix per user scenarios), the BRAS will always carry attribute 97 when sending authentication and accounting packets to the AAA server, and cannot be configured to not carry attribute 97 through this command.

·     If the AAA server needs to obtain the IPv6 prefix information of the user devices, prohibiting the sending of attribute 97 might cause AAA authentication failure or accounting errors. Configure this feature as needed.

Examples

# Configure the BRAS not to carry attribute 97 when sending authentication and accounting packets to the AAA server.

<Sysname> system-view

[Sysname] access-user authen-and-accounting without-ipv6-prefix

access-user flow-rate-calculate enable

Use access-user flow-rate-calculate enable to enable flow rate calculation for online users.

Use undo access-user flow-rate-calculate enable to disable flow rate calculation for online users.

Syntax

access-user flow-rate-calculate enable [ interval interval ]

undo access-user flow-rate-calculate enable

Default

Flow rate calculation is disabled for online users.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval for calculating the user flow rate, in the range of 1 to 43200 minutes. The default is 5 minutes.

Usage guidelines

Application scenarios

In the live network, you can allocate bandwidth to different users based on their actual requirements to make efficient use of bandwidth resources. To quickly locate users with abnormal bandwidth (such as users with significantly lower or higher Internet access speeds than their allocated bandwidth), you can enable flow rate calculation for online users. With this feature enabled, you can execute the display access-user command with the flow-rate keyword specified to view information of users whose flow rates fall within the specified range.

Operating mechanism

After flow rate calculation for online users is enabled, the device calculates the flow rate for each online user according to certain principles, based on two settings: the interval specified in the access-user flow-rate-calculate enable command (5 minutes by default) and the online user traffic accounting frequency mode configured by using the flow-statistics frequency command (normal mode by default).

Recommended configuration

In the live network, configure this feature according to the total number of users on the device and the frequency mode set by using the flow-statistics frequency command. For more information, see the following table. For example, when the total number of users on the device is less than 50000 and the frequency mode is fast, configure the interval for calculating user flow rates to be equal to or greater than 3 minutes as a best practice.

Table 1 Recommended intervals for calculating the user flow rates

| Total number of users on the device | Fast mode (fast) | Normal mode (normal) | Slow mode (sflow) |
|---|---|---|---|
| Less than 50000 | ≥3 minutes | ≥6 minutes | ≥12 minutes |
| 50000 to 120000 | ≥7 minutes | ≥14 minutes | ≥28 minutes |
| 120000 to 250000 | ≥15 minutes | ≥30 minutes | ≥60 minutes |
| 250000 to 500000 | ≥30 minutes | ≥60 minutes | ≥120 minutes |
| 500000 to 1000000 | ≥60 minutes | ≥120 minutes | ≥240 minutes |
| More than 1000000 | ≥100 minutes | ≥200 minutes | ≥400 minutes |

Restrictions and guidelines

Enabling this feature will occupy a certain amount of memory resources. To avoid occupying too many memory resources, enable flow rate calculation for online users only when you need to obtain user rate information. Promptly disable this feature when you do not need to obtain user rate information.

If a user has no service traffic within a certain interval, the device will not use the configured interval as the interval for calculating the user flow rates. Instead, the device will automatically calculate the interval for the user flow rates based on the actual user traffic conditions. To view the interval for automatically calculating the user flow rates and the statistics of the user flow rates within that interval, execute the display access-user verbose command.

In a VSRP network, only the master VSRP device supports recording user flow rate information.

Examples

# Enable flow rate calculation for online users.

<Sysname> system-view

[Sysname] access-user flow-rate-calculate enable

Related commands

display access-user

flow-statistics frequency

access-user four-dimension-mode enable

Use access-user four-dimension-mode enable to configure the device to use four-dimensional interfaces to communicate with AAA servers.

Use undo access-user four-dimension-mode enable to restore the default.

Syntax

access-user four-dimension-mode enable

undo access-user four-dimension-mode enable

Default

The device uses three-dimensional interfaces to communicate with AAA servers.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, in a unified network, when the device communicates with AAA servers, the device uses three-dimensional interface numbers without the chassis information in interface information, for example, NAS-Port-ID. On an IRF fabric, when you need to specify the access IRF member device of a user on the AAA server, use this command to configure the device to use four-dimensional interfaces to communicate with AAA servers.

This command takes effect only on users coming online after this command is executed.

On a unified network, this feature takes effect only on users coming online through physical interfaces, and does not take effect on users coming online through global interfaces such as Layer 3 aggregate interfaces.

Examples

# Configure the device to use four-dimensional interfaces to communicate with AAA servers.

<Sysname> system-view

[Sysname] access-user four-dimension-mode enable

access-user interface-switchto-backup keep-host-routes

Use access-user interface-switchto-backup keep-host-routes to enable the feature of retaining UNR host routes of users when an interface switches to backup.

Use undo access-user interface-switchto-backup keep-host-routes to disable the feature of retaining UNR host routes of users when an interface switches to backup.

Syntax

access-user interface-switchto-backup keep-host-routes

undo access-user interface-switchto-backup keep-host-routes

Default

The feature of retaining UNR host routes of users when an interface switches to backup is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

On a VSRP network, when the master interface switches to backup, the device automatically deletes the UNR host routes for all online users on that master interface by default. When the interface switches to the master interface, the device regenerates UNR host routes for all users that switch to the new master interface and come online.

·     When users do not need to access each other, you can enable this feature. This feature avoids the impact on switchover efficiency caused by generating UNR host routes for users that switch to the new master interface on the device.

·     When users need to access each other, you must disable this feature to ensure mutual access.

Operating mechanism

With this feature enabled, when the master interface switches to backup, the device will retain the UNR host routes for all online users on that master interface. When the interface switches to master, the device directly uses the retained UNR host routes. This feature avoids regenerating UNR host routes for users that switch to the new master interface and improves switchover efficiency.

Restrictions and guidelines

·     This feature is only applicable to VSRP networks.

·     When enabling this feature on a VSRP network, you must enable this feature on both the master and backup devices. If you do not do that, the feature might become unavailable.

Examples

# Enable the feature of retaining UNR host routes of users when an interface switches to backup.

<Sysname> system-view

[Sysname] access-user interface-switchto-backup keep-host-routes

access-user log enable

Use access-user log enable to enable logging for access users.

Use undo access-user log enable to disable logging for access users.

Syntax

access-user log enable [ abnormal-logout | failed-login | normal-logout | successful-login ] *

undo access-user log enable [ abnormal-logout | failed-login | normal-logout | successful-login ] *

Default

Logging is disabled for access users.

Views

System view

Predefined user roles

network-admin

Parameters

abnormal-logout: Specifies abnormal logout logs.

failed-login: Specifies login failure logs.

normal-logout: Specifies normal logout logs.

successful-login: Specifies login success logs.

Usage guidelines

CAUTION:

As a best practice, disable this feature to prevent excessive log output.

The logging feature enables the device to generate logs and send them to the information center. Logs are generated after a user comes online successfully, fails to come online, normally goes offline, or abnormally goes offline. A log entry contains information such as the username, IP address, interface name, inner VLAN, outer VLAN, MAC address, and failure causes. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

When you configure this command without specifying any keyword, this command enables or disables logging for login successes, login failures, normal logouts, and abnormal logouts.

Examples

# Enable logging for access users.

<Sysname> system-view

[Sysname] access-user log enable

access-user online-fail-warning

Use access-user online-fail-warning to enable the user online failure threshold alarm function.

Use undo access-user online-fail-warning to disable the user online failure threshold alarm function.

Syntax

access-user online-fail-warning threshold threshold-value period period-value

undo access-user online-fail-warning

Default

The user online failure threshold alarm function is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

threshold threshold-value: Specifies a percentage of the number of user online failures to the total number of user online events, in the range of 1 to 100.

period period-value: Specifies the alarm detection interval in the range of 1 to 1440 minutes.

Usage guidelines

With the user online failure threshold alarm function enabled, when the number of user online failures within an alarm detection interval exceeds the specified threshold, an alarm is automatically triggered. Then, the administrator can promptly learn the user online failure conditions on the live network. An administrator can execute the display aaa online-fail-record command to view user online failure records.

The alarm information output contains logs and traps.

·     The log messages generated by the device are sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.

·     To send the traps to an NMS correctly, you must also configure SNMP correctly as described in Network Management and Monitoring Configuration Guide. For more information about SNMP alarms, see SNMP configuration in Network Management and Monitoring Guide.

In standalone mode:

The total number of access user online failures refers to the sum of IPoE user, PPPoE user, and L2TP user online failures on the whole device.

The total number of access user online events refers to the sum of IPoE user, PPPoE user, and L2TP user online failures and online successes on the whole device.

In IRF mode:

The total number of access user online failures refers to the sum of IPoE user, PPPoE user, and L2TP user online failures on the whole IRF system.

The total number of access user online events refers to the sum of IPoE user, PPPoE user, and L2TP user online failures and online successes on the whole IRF system.

If a single user comes online successfully or fails to come online multiple times, each online success or failure is counted in the total number of online successes or failures.

When the device calculates the number of online events of a user, the device uniquely identifies a user by the MAC address, inner VLAN, and outer VLAN.

·     A dual-stack user is considered to have come online successfully as long as the user comes online in one protocol stack. A dual-stack user is considered to have failed to come online only when the user fails to come online in both protocol stacks.

·     For an IPoE leased user, the online events of the main user and the online events of the subusers are separately counted.

Examples

# Configure the device to generate an alarm when the percentage of user online failures to user online events exceeds 50% within 10 minutes.

<Sysname> system-view

[Sysname] access-user online-fail-warning threshold 50 period 10

access-user session-threshold

Use access-user session-threshold to configure the online access user session count alarm thresholds on the device.

Use undo access-user session-threshold to restore the default.

Syntax

access-user session-threshold { lower-limit lower-limit-value | upper-limit upper-limit-value }

undo access-user session-threshold { lower-limit | upper-limit }

Default

On the device, the upper online access user session count alarm threshold is 100, and the lower online access user session count alarm threshold is 0.

Views

System view

Predefined user roles

network-admin

Parameters

lower-limit lower-limit-value: Specifies the lower online access user session count alarm threshold in the range of 0 to 99. The configured value is a percentage of the maximum number of online access user sessions allowed.

upper-limit upper-limit-value: Specifies the upper online access user session count alarm threshold in the range of 1 to 100. The configured value is a percentage of the maximum number of online access user sessions allowed.

Usage guidelines

(In standalone mode.) The online access user session count on the device is the total number of online IPoE sessions, PPPoE sessions, and L2TP sessions on the device.

(In IRF mode.) The online access user session count on the device is the total number of online IPoE sessions, PPPoE sessions, and L2TP sessions on the IRF system.

You can use this command to set the upper alarm threshold and lower alarm threshold for the online access user session count. When the online access user session count exceeds the upper alarm threshold or drops below the lower threshold, an alarm is triggered automatically. Then, the administrator can promptly know the online user conditions of the network. To view the total number of access users, use the display access-user command.

The user session count alarm function counts only user sessions that occupy session resources. In the current software version, only the following sessions occupy session resources:

·     The following IPoE sessions:

¡     Sessions of individual access users

¡     Sessions of interface-leased users

¡     Sessions of interface-leased subusers

¡     Sessions of subnet-leased users

¡     Sessions of subnet-leased subusers

¡     Sessions of L2VPN-leased users

·     PPPoE sessions

·     L2TP sessions

Either a single-stack user or dual-stack user occupies one session resource.

Suppose the maximum number of online access user sessions allowed on the device is a, the upper alarm threshold is b, and the lower alarm threshold is c. The following rules apply:

·     When the online access user session count exceeds a×b or drops below a×c, the corresponding alarm information is output.

·     When the online access user session count returns between the upper alarm threshold and lower alarm threshold, the alarm clearing information is output.

In some special cases, the online access user session count frequently changes in the critical range, which causes frequent output of alarm information and alarm clearing information. To avoid this problem, the system introduces a buffer area when the online access user session count recovers from the upper or lower threshold. The buffer area size is 10% of the difference between the upper threshold and the lower threshold. Suppose the buffer area size is d. Then, d=a×(b-c)÷10. When the online access user session count drops below a×b-d or exceeds a×c+d, the alarm information is output.

For example, suppose a is 1000, b is 80%, and c is 20%. Then, d= a×(b-c)÷10=1000×(80%-20%)÷10=1000×60%÷10=600÷10=60.

·     When the online access user session count exceeds the upper threshold a×b=1000×80%=800, the upper threshold alarm is output. When the online access user session count falls back below a×b-d=800-60=740, the alarm clearing information is output.

·     When the online access user session count drops below the lower threshold a×c=1000×20%=200, the lower threshold alarm is output. When the online access user session count rises back above a×c+d=200+60=260, the alarm clearing information is output.
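The buffer area described above is a hysteresis band, and its effect is easiest to see by replaying a series of session counts through it. This is an added example, not H3C code; the function names and event labels are hypothetical, the sample counts are constructed, and the model assumes the lower threshold is smaller than the upper threshold.

```python
"""Replay session counts through the documented alarm thresholds and buffer."""
from fractions import Fraction


def thresholds(a, b, c):
    """Return (upper, lower, d) in sessions for maximum a and percentages b, c."""
    if not 1 <= b <= 100 or not 0 <= c <= 99:
        raise ValueError("upper-limit is 1 to 100, lower-limit is 0 to 99")
    if c >= b:
        raise ValueError("model assumption: lower-limit is below upper-limit")
    upper = Fraction(a * b, 100)          # a x b
    lower = Fraction(a * c, 100)          # a x c
    d = Fraction(a * (b - c), 1000)       # d = a x (b - c) / 10
    return upper, lower, d


def alarm_events(counts, a, b, c):
    """Return [(count, event)] for each alarm or clearing message produced."""
    upper, lower, d = thresholds(a, b, c)
    state = "normal"
    events = []
    for n in counts:
        # An active alarm clears only after the count leaves the buffer area.
        if state == "upper" and n < upper - d:
            state = "normal"
            events.append((n, "upper-clear"))
        elif state == "lower" and n > lower + d:
            state = "normal"
            events.append((n, "lower-clear"))
        # A new alarm is raised only from the normal state.
        if state == "normal":
            if n > upper:
                state = "upper"
                events.append((n, "upper-alarm"))
            elif n < lower:
                state = "lower"
                events.append((n, "lower-alarm"))
    return events


if __name__ == "__main__":
    # Constructed sample: a=1000, b=80, c=20 as in the text (d=60).
    samples = [500, 801, 790, 740, 739, 199, 230, 260, 261]
    for count, event in alarm_events(samples, 1000, 80, 20):
        print(count, event)
```

A count that oscillates between 799 and 801 produces a single upper threshold alarm in this model, because the alarm does not clear until the count is below 740.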

The upper threshold alarm information output and the alarm clearing information output both contain logs and traps.

·     The log messages generated by the device are sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.

·     For traps to be correctly sent to the NMS host, you must execute the snmp-agent trap enable user-warning-threshold command in addition to configuring the SNMP alarm feature correctly. For more information about SNMP alarms, see SNMP configuration in Network Management and Monitoring Guide.

Examples

# Set the upper online access user session count threshold to 80% on the device.

<Sysname> system-view

[Sysname] access-user session-threshold upper-limit 80

Related commands

snmp-agent trap enable user-warning-threshold

access-user url character-transfer

Use access-user url character-transfer to configure the escape rules for parameters in the web server URL redirected by the device to users.

Use undo access-user url character-transfer to restore the default or delete the specified characters to be escaped.

Syntax

access-user url character-transfer { none | reserve | unsafe | user-defined-characters character }

undo access-user url character-transfer [ user-defined-characters character ]

Default

The device uses the rules in the following table to escape characters in the web URL parameters (specified by the web-server url-parameter command):

| Web URL parameter | Escape rules |
|---|---|
| param-name, value expression, ssid | Letters, digits, ampersand signs (&), and equal signs (=) remain unescaped. Other characters are processed using the percent sign (%) followed by their hexadecimal ASCII code. |
| nas-id, remote-id | Letters and digits remain unescaped. Other characters are processed using the percent sign (%) followed by their hexadecimal ASCII code. |
| nas-port-id, user-location | Letters, digits, colons (:), forward slashes (/), equal signs (=), semi-colons (;), and dots (.) remain unescaped. Other characters are processed using the percent sign (%) followed by their hexadecimal ASCII code. |
| source-mac | Not escaped and assembled according to the configuration. |
| original-url, source-address | Letters, digits, percent signs (%), ampersand signs (&), equal signs (=), forward slashes (/), dots (.), and colons (:) remain unescaped. Other characters are processed using the percent sign (%) followed by their hexadecimal ASCII code. |

Views

System view

Predefined user roles

network-admin

Parameters

none: Does not escape any characters.

reserve: Escapes only characters recommended to be reserved in RFC 1738, including semi-colons (;), forward slashes (/), question marks (?), colons (:), at signs (@), equal signs (=), and ampersand signs (&).

unsafe: Escapes only characters defined as unsafe in RFC 1738, including left angle brackets (<), right angle brackets (>), quotation marks ("), pound signs (#), percent signs (%), left braces ({), right braces (}), vertical bars (|), backslashes (\), carets (^), tildes (~), left brackets ([), right brackets (]), back quotes (`), and spaces.

user-defined-characters character: Escapes only user-specified characters. The character argument represents the list of hexadecimal values for ASCII characters requiring escaping, separated by spaces. The range of each value is 0 to ff, case-insensitive. For example, to escape the ASCII character A in the URL parameters, specify user-defined-characters 41 when executing this command, where 41 is the hexadecimal value of character A.

Usage guidelines

Application scenarios

In scenarios using URL redirection, such as web authentication or ad pushing, if URL parameters with special characters are not properly escaped, browsers might fail to recognize them, leading to webpage display issues. To resolve the issue, you can configure the escape rules for characters in the URL parameters. This ensures that the redirect URL generated by the device is correctly translated in different browsers.

Operating mechanism

In a URL, question marks (?) are used to separate the path and parameter sections. For example, in an IPoE web authentication network, the URL path is configured by using the web-server { ip | ipv6 } command, and the URL parameters are configured by using the web-server url-parameter command.

With escape rules configured, the system translates characters in the URL parameters (after the question mark) as instructed by the escape rules.

During the escaping process, the system does not differentiate between parameter fields but escapes all matching characters in the entire parameter section. The principle of escaping is to replace matching characters with a percent sign (%) followed by the hex ASCII code of that character. For example, to escape ASCII characters A, B, and C in URL parameters, execute access-user url character-transfer user-defined-characters 41 42 43, where 41, 42, and 43 represent the hex codes of characters A, B, and C, respectively. The system then escapes these characters to %41, %42, and %43, ensuring proper URL translation in all browsers. Other characters are not escaped.
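The following added example models the none, reserve, unsafe, and user-defined-characters modes as the parameter descriptions and operating mechanism above describe them, so the resulting redirect URL can be compared with what the web server expects to parse. It is not H3C code: the function names, the sample parameter names and URLs, and the uppercase hex output are assumptions.

```python
"""Model of the documented escape modes for the redirect URL parameter section."""

# Character lists copied from the parameter descriptions of this command.
RESERVE = set(";/?:@=&")
UNSAFE = set('<>"#%{}|\\^~[]` ')
MAX_USER_DEFINED = 145


def user_defined_set(hex_values):
    """Convert hex values such as ['41', '42'] into the characters to escape."""
    if len(hex_values) > MAX_USER_DEFINED:
        raise ValueError("up to 145 user-defined characters are supported")
    chars = set()
    for value in hex_values:
        code = int(value, 16)             # case-insensitive, like the CLI argument
        if not 0 <= code <= 0xFF:
            raise ValueError("each value must be in the range 0 to ff")
        chars.add(chr(code))
    return chars


def escape_params(params, mode, user_defined=()):
    """Escape matching characters across the whole parameter section.

    Fields are not told apart: every matching character is replaced with
    '%' plus its hex code, separators between fields included.
    """
    if mode == "none":
        return params
    if mode == "reserve":
        targets = RESERVE
    elif mode == "unsafe":
        targets = UNSAFE
    elif mode == "user-defined-characters":
        targets = user_defined_set(list(user_defined))
    else:
        raise ValueError("unknown mode: " + mode)
    # Uppercase hex digits are an assumption of this model.
    return "".join("%%%02X" % ord(ch) if ch in targets else ch for ch in params)


def build_redirect(path, params, mode, user_defined=()):
    """Only the section after the question mark is subject to escaping."""
    return path + "?" + escape_params(params, mode, user_defined)


if __name__ == "__main__":
    # Constructed sample; 'userip' and 'url' are hypothetical parameter names.
    sample = "userip=10.0.0.5&url=http://example.com/a b?x=1"
    for mode in ("none", "reserve", "unsafe"):
        print(mode, build_redirect("http://192.0.2.10/portal", sample, mode))
    # The percent sign is in the unsafe list, so an already encoded value
    # is encoded a second time in this model: %20 becomes %2520.
    print(escape_params("url=a%20b", "unsafe"))
```

In this model the reserve mode also escapes the = and & that separate fields, and the unsafe mode leaves them raw, which is the first thing to compare against the web server's parameter parser.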

Restrictions and guidelines

·     Before configuring the escape rules for URL parameters, make sure that all the browsers used in the network support the escape result. Support for escape characters might differ by browser, which might affect the display and functions of URL redirection.

·     You can use the access-user url character-transfer user-defined-characters command to configure up to 145 custom escape rules.

¡     You can execute this command once to specify up to 145 characters to be escaped, or

¡     execute this command multiple times to specify up to 145 characters.

·     When you execute the undo access-user url character-transfer command:

¡     If you do not specify the user-defined-characters keyword, the default escape rules take effect.

¡     If you specify the user-defined-characters character keyword, the device only deletes the specified user-defined escape rules. Other configured escape rules, if any, are not affected.

·     As a best practice, do not execute the access-user url character-transfer or undo access-user url character-transfer command when online users are present. If you do so, online users might fail to process URLs based on the rule changes, causing the web authentication page to fail to be displayed properly. If configuration changes are required when users are online, modify the configuration during periods with fewer users to minimize impact. After you change the escape rules, if the web authentication page cannot open for an online user, make the user go offline and then come online again.

Examples

# Configure the system to escape unsafe characters in parameters of the web server URL redirected by the device to users.

<Sysname> system-view

[Sysname] access-user url character-transfer unsafe

Related commands

web-server { ip | ipv6 }

web-server url-parameter

access-user user-detect packet-loss-ratio-threshold

Use access-user user-detect packet-loss-ratio-threshold to enable the packet loss ratio alarm for access user detection packets.

Use undo access-user user-detect packet-loss-ratio-threshold to disable the packet loss ratio alarm for access user detection packets.

Syntax

access-user user-detect packet-loss-ratio-threshold threshold-value

undo access-user user-detect packet-loss-ratio-threshold

Default

The packet loss ratio alarm is disabled for access user detection packets.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the alarm threshold for the packet loss ratio of access user detection packets (the ratio of dropped detection packets to all detection packets). The value range is 20 to 100.

Usage guidelines

After the online user detection feature is enabled, the device will automatically create a 30-second timer. The timer will be reset after expiration. After the packet loss ratio alarm is enabled for access user detection packets, an alarm will be automatically triggered under either of the following conditions:

·     The calculated packet loss ratio exceeds the specified alarm threshold at three consecutive expirations of the 30-second timer, and the number of packets sent within each 30-second timer exceeds 50.

·     After an alarm is output, the packet loss ratio calculated for the last 30 seconds when the 30-second timer expires returns to the normal range (equal to or less than the specified alarm threshold).

In this way, the administrator can promptly learn the packet loss conditions of user detection packets on the live network.

In this function, the packet loss ratio of detection packets refers to the ratio of dropped packets (sent packets - received packets) to all detection packets within the 30-second timer on a detected interface. The formula is as follows: packet loss ratio = (sent packets - received packets) / sent packets. If you execute the display access-user user-detect packet-loss-ratio or display ppp keepalive packet-loss-ratio command at a time point within a 30-second timer, the command displays the packet loss ratio statistics collected up to that time point within the 30-second timer. For example, if you execute this display command at the 10th second within a 30-second timer, the command displays the packet loss ratio statistics collected within the 10 seconds.

The alarm information output contains only logs. The log messages generated by the device are sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.

This feature applies only to IPoE users, PPPoE users, and L2TP users.

Examples

# Enable the packet loss ratio alarm for access user detection packets, and set the alarm threshold to 25%.

<Sysname> system-view

[Sysname] access-user user-detect packet-loss-ratio-threshold 25
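The alarm and recovery conditions from the usage guidelines above, modeled in Python as an added example (not H3C code). The window samples are constructed, and the behavior marked as an assumption in the comments (resetting the consecutive count, no repeated alarm while one is active, empty windows) is not stated on the page.

```python
"""Model of the packet loss ratio alarm for access user detection packets.

Added example: the constants come from the page; the state handling marked
"assumption" does not.
"""
from dataclasses import dataclass

CONSECUTIVE_EXPIRIES = 3   # page: the timer expires three consecutive times
MIN_SENT = 50              # page: packets sent in each window must exceed 50


def loss_ratio(sent, received):
    """(sent packets - received packets) / sent packets, as a percentage."""
    if sent <= 0:
        return 0.0  # assumption: a window with no sent packets counts as no loss
    return 100.0 * (sent - received) / sent


@dataclass
class LossAlarm:
    threshold: int          # threshold-value, 20 to 100 per the page
    breaches: int = 0       # consecutive qualifying windows seen so far
    active: bool = False    # True between an alarm log and its recovery log

    def __post_init__(self):
        if not 20 <= self.threshold <= 100:
            raise ValueError("threshold-value must be in the range 20 to 100")

    def on_timer_expiry(self, sent, received):
        """Feed one 30-second window; return 'ALARM', 'RECOVER' or None."""
        ratio = loss_ratio(sent, received)
        if self.active:
            # Recovery: the last window is back at or below the threshold.
            if ratio <= self.threshold:
                self.active, self.breaches = False, 0
                return "RECOVER"
            return None  # assumption: no repeated log while the alarm is active
        if ratio > self.threshold and sent > MIN_SENT:
            self.breaches += 1
        else:
            # assumption: a healthy or low-volume window breaks the run
            self.breaches = 0
        if self.breaches >= CONSECUTIVE_EXPIRIES:
            self.active = True
            return "ALARM"
        return None


def run(threshold, windows):
    """Replay (sent, received) windows; return [(window_index, event), ...]."""
    alarm = LossAlarm(threshold)
    events = []
    for index, (sent, received) in enumerate(windows):
        event = alarm.on_timer_expiry(sent, received)
        if event:
            events.append((index, event))
    return events


# Constructed sample: one (sent, received) pair per 30-second window.
SAMPLE_WINDOWS = [
    (200, 190),  # 5.0%  healthy
    (200, 120),  # 40.0% breach 1
    (200, 130),  # 35.0% breach 2
    (40, 10),    # 75.0% but only 40 packets sent, so the run is broken
    (200, 100),  # 50.0% breach 1
    (200, 140),  # 30.0% breach 2
    (200, 149),  # 25.5% breach 3, alarm
    (200, 100),  # 50.0% alarm still active
    (200, 150),  # 25.0% equal to the threshold, recovery
]

if __name__ == "__main__":
    for index, event in run(25, SAMPLE_WINDOWS):
        sent, received = SAMPLE_WINDOWS[index]
        print(f"window {index}: {event} at {loss_ratio(sent, received):.1f}% loss")
```

In this model a threshold of 100 never raises an alarm, because the ratio cannot exceed 100, and a window that sends 50 or fewer detection packets cannot count toward the three breaches.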

Related commands

display access-user user-detect packet-loss-ratio

display ppp keepalive packet-loss-ratio (BRAS Services Command Reference)

reset access-user user-detect packet-loss-ratio

reset ppp keepalive packet-loss-ratio (BRAS Services Command Reference)

bras auto-cut-user before-reboot

Use bras auto-cut-user before-reboot to enable auto user logout before BRAS reboot.

Use undo bras auto-cut-user before-reboot to disable auto user logout before BRAS reboot.

Syntax

bras auto-cut-user before-reboot

undo bras auto-cut-user before-reboot

Default

Auto user logout before BRAS reboot is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, if devices are rebooted as planned or slots are separately rebooted when devices are upgraded, the devices or slots will not actively send accounting stop packets to the AAA server during the reboot process. During the reboot process, the devices will log out users, but the AAA server cannot detect the logout events and still considers the users online. For a short period of time after the devices or slots are rebooted, users that were online before the reboot cannot log in again because the AAA server still considers them online.

To resolve this issue, enable the feature of auto user logout before BRAS reboot. With this feature enabled, when the reboot command is executed each time to reboot a device or slot, the device first forbids new users from coming online, and logs out all online users or online users on the slot to be rebooted. When users are logged out, the device will actively send accounting stop packets to the AAA server. After these users are logged out, the device or slot will be rebooted.

When a slot is restarted, this feature takes effect only on users coming online through physical interfaces in the slot.

If you execute the reboot command with the force keyword specified, the feature of auto user logout before BRAS reboot does not take effect.

Examples

# Enable auto user logout before BRAS reboot.

<Sysname> system-view

[Sysname] bras auto-cut-user before-reboot

Related commands

reboot (Fundamentals Command Reference)

bras compatible old-style-commands enable

Use bras compatible old-style-commands enable to enable BRAS device compatibility with old-style commands.

Use undo bras compatible old-style-commands enable to disable BRAS device compatibility with old-style commands.

Syntax

bras compatible old-style-commands enable

undo bras compatible old-style-commands enable

Default

BRAS device compatibility with old-style commands is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

A software upgrade might change the command style on the BRAS device. To manage the BRAS device without upgrading its NMS software, enable BRAS device compatibility with old-style commands.

Operating mechanism

BRAS device compatibility with old-style commands enables the device to recognize old-style commands.

Recommended configuration

Enable this feature only when the NMS software does not recognize the new-style commands and you want to use old-style commands for BRAS device management.

Restrictions and guidelines

·     If the following old-style commands have been executed and any of them is effective, do not disable BRAS device compatibility with old-style commands.

¡     ip subscriber nas-port-type cable

¡     dhcp server ip-pool

¡     ipv6 dhcp pool

¡     dhcp pool-group

¡     ipv6 dhcp pool-group

·     If the following new-style commands have been executed and any of them is effective, do not enable BRAS device compatibility with old-style commands.

¡     nas-port-type

¡     ip pool

¡     ipv6 pool

¡     ip pool-group

¡     ipv6 pool-group

Examples

# Enable BRAS device compatibility with old-style commands.

<Sysname> system-view

[Sysname] bras compatible old-style-commands enable

Related commands

dhcp pool-group (BRAS Services Command Reference)

dhcp server ip-pool (BRAS Services Command Reference)

ip pool (BRAS Services Command Reference)

ip pool-group (BRAS Services Command Reference)

ip subscriber nas-port-type cable (BRAS Services Command Reference)

ipv6 dhcp pool (BRAS Services Command Reference)

ipv6 dhcp pool-group (BRAS Services Command Reference)

ipv6 pool (BRAS Services Command Reference)

ipv6 pool-group (BRAS Services Command Reference)

nas-port-type

bras data-backup-mode

Use bras data-backup-mode to configure the data backup mode for the BRAS service module.

Use undo bras data-backup-mode to restore the default.

Syntax

bras data-backup-mode { non-realtime [ auto-reboot-board ] | realtime }

undo bras data-backup-mode

Default

The data backup mode is realtime for the BRAS service module.

Views

System view

Predefined user roles

network-admin

Parameters

non-realtime: Specifies the BRAS service module not to back up the running data (for example, user session information) to the lightning memory-mapped database (LMDB) in real time.

·     auto-reboot-board: Specifies the device to automatically forcibly reboot the active MPU and complete active/standby switchover when the BRAS service module process on the active MPU is abnormal. If you do not specify this keyword, the device does not automatically forcibly reboot the active MPU when the BRAS service module process is abnormal. (In standalone mode.)

·     auto-reboot-board: Specifies the device to automatically reboot the global active MPU and complete active/standby MPU switchover when the BRAS service module process on the active MPU is abnormal. If you do not specify this keyword, the device does not automatically forcibly reboot the global active MPU when the BRAS service module process is abnormal. (In IRF mode.)

realtime: Specifies the BRAS service module to back up the running data to the LMDB in real time. For traffic data in the UCM module, if user traffic changes, the backup user information in the LMDB will be frequently updated, which will increase the processing load of the LMDB. To avoid this issue, the system triggers backup user information updates in the LMDB according to the following principles:

·     If the traffic of a user does not change within 5 minutes or the traffic change of a user reaches the update threshold 50 MB, UCM will back up information of the user again to the LMDB to update backup information of the user in the LMDB.

·     If the traffic of a user does not change within 5 minutes, UCM does not update the backup information of the user in the LMDB.

Usage guidelines

Operating mechanism

In non-realtime mode, the BRAS service module does not back up the running data to the LMDB in real time and the following rules apply:

·     To avoid data loss when the BRAS service module process is normally restarted (for example, by using the process restart command), the BRAS service module will back up the running data of the module to the LMDB before the process is restarted. The LMDB is shipped with the device for storing important information such as backup module running data.

·     When the BRAS service module process on the active MPU is abnormal, the data of the BRAS service module on the current active MPU will be lost. The device determines whether to forcibly reboot the active MPU according to whether the auto-reboot-board keyword is specified. (In standalone mode.)

·     When the BRAS service module process on the global active MPU is abnormal, the data of the BRAS service module on the current global active MPU will be lost. The device determines whether to forcibly reboot the global active MPU according to whether the auto-reboot-board keyword is specified. (In IRF mode.)

In realtime mode, the BRAS service module will back up the running data to the LMDB in real time to avoid data loss. For traffic data in the UCM module, if user traffic changes, the backup user information in the LMDB will be frequently updated, which will increase the processing load of the LMDB. To avoid this issue, the system triggers backup user information updates in the LMDB according to the following principles:

·     If the traffic of a user does not change within 5 minutes or the traffic change of a user reaches the update threshold 50 MB, UCM will back up information of the user again to the LMDB to update backup information of the user in the LMDB.

·     If the traffic of a user does not change within 5 minutes, UCM does not update the backup information of the user in the LMDB.

Restrictions and guidelines

Active/standby MPU switchover is automatically performed only when the auto-reboot-board keyword is specified in the dual-MPU environment and the BRAS service module process is abnormal.

In the current software version, this feature takes effect only on the UCM, PPP, and DHCP modules.

When you execute this command, follow these restrictions and guidelines:

·     As a best practice to ensure device performance when a large number of users are online, do not frequently execute this command to switch the data backup mode for the BRAS service module.

·     When you switch the backup mode from non-realtime to realtime, the device will immediately back up the running data of the BRAS service module to the LMDB. Then, the data will be updated in real time.

·     When you switch the data backup mode from realtime to non-realtime, the device will delete the data that has been backed up to the LMDB for the BRAS service module. Then, the device will process the data according to whether the auto-reboot-board keyword is specified.

Examples

# Configure the data backup mode as real time for the BRAS service module.

<Sysname> system-view

[Sysname] bras data-backup-mode realtime

Related commands

display access-user (BRAS Services Command Reference)

 

cut access-user

Use cut access-user to forcibly log out users.

Syntax

In standalone mode:

cut access-user [ { auth-type { admin | bind | dot1x [ with-address | without-address ] | ppp | pre-auth | web-auth [ inherit-pppoe | non-inherit-pppoe ] } | domain domain-name [ authentication | authorization ] | interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] | ip-pool pool-name | ip-type { dual-stack | ipv4 | ipv6 } | ipv6-pool pool-name | mac-address mac-address | user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } | user-profile profile-name [ both | inbound | outbound ] | user-type { l2vpn-leased | lac | layer2-dynamic | layer2-interface-leased | layer2-static | layer2-subnet-leased | layer3-dynamic | layer3-interface-leased | layer3-static | layer3-subnet-leased | leased | leased-subuser | lns | pppoe | pppoea } | username user-name | vpn-instance vpn-instance-name | vxlan vxlan-id [ vxlan-id-max ] | slot slot-number } * | { { ip-address ipv4-address | ipv6-address ipv6-address | ipv6-prefix prefix-address/prefix-length } [ vpn-instance vpn-instance-name ] | user-id user-id } ]

In IRF mode:

cut access-user [ { auth-type { admin | bind | dot1x [ with-address | without-address ] | ppp | pre-auth | web-auth [ inherit-pppoe | non-inherit-pppoe ] } | domain domain-name [ authentication | authorization ] | interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] | ip-pool pool-name | ip-type { dual-stack | ipv4 | ipv6 } | ipv6-pool pool-name | mac-address mac-address | nat-instance nat-instance-name | user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } | user-profile profile-name [ both | inbound | outbound ] | user-type { l2vpn-leased | lac | layer2-dynamic | layer2-family-leased | layer2-interface-leased | layer2-static | layer2-subnet-leased | layer3-dynamic | layer3-interface-leased | layer3-static | layer3-subnet-leased | leased | leased-subuser | lns | pppoe | pppoea } | username user-name | vpn-instance vpn-instance-name | vxlan vxlan-id [ vxlan-id-max ] | chassis chassis-number slot slot-number } * | { { ip-address ipv4-address | ipv6-address ipv6-address | ipv6-prefix prefix-address/prefix-length } [ vpn-instance vpn-instance-name ] | user-id user-id } ]

Views

User view

Predefined user roles

network-admin

Parameters

auth-type: Specifies an authentication type for access users.

·     admin: Specifies device management users.

·     bind: Specifies IPoE users using bind authentication.

·     dot1x: Specifies 802.1X users. If you specify the dot1x keyword but do not specify the with-address or without-address keyword, this command forcibly logs out all matching 802.1X users.

¡     with-address: Specifies IPoE users that come online in the postauthentication domain in the 802.1X authentication method. Session information about this type of users has IP address information.

¡     without-address: Specifies IPoE users that have not come online in the preauthentication domain in the 802.1X authentication method but whose 802.1X clients have come online. Session information about this type of users does not have IP address information.

·     ppp: Specifies PPP users.

·     pre-auth: Specifies IPoE users in the preauthentication phase.

·     web-auth: Specifies IPoE users using Web authentication in the Web authentication phase.

¡     inherit-pppoe: Specifies IPoE Web users that inherit the PPPoE user information.

¡     non-inherit-pppoe: Specifies IPoE Web users except those that inherit PPPoE user information.

domain domain-name: Forcibly logs out users in an authorization or authentication domain specified by its name, a case-insensitive string of 1 to 255 characters. If you specify the domain keyword but do not specify the authorization or authentication keyword, this command forcibly logs out all users in the specified authentication domain and authorization domain.

·     authorization: Forcibly logs out users that access through the specified authorization domain.

·     authentication: Forcibly logs out users that access through the specified authentication domain.

interface interface-type interface-number: Logs out users on an interface specified by its type and number. Only network access users support this keyword.

·     s-vlan svlan-id: Logs out users in an SVLAN specified by its ID. The value range is 1 to 4094.  

·     c-vlan cvlan-id: Logs out users in a CVLAN specified by its ID. The value range is 1 to 4094.

ip-pool pool-name: Logs out users in an IPv4 address pool specified by its name, a case-insensitive string of 1 to 63 characters.

ip-type: Logs out users of the specified IP type.

·     dual-stack: Specifies dual-stack users.

·     ipv4: Specifies IPv4 users.

·     ipv6: Specifies IPv6 users.

ipv6-pool pool-name: Logs out users in an IPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. On an NDRA network, if the IPv6 prefix of a user is from the ND prefix pool, the pool-name argument represents the name of the AAA-authorized ND prefix pool.

mac-address mac-address: Logs out a user with the specified MAC address in the form of H-H-H, case-insensitive. Only network access users support this keyword.

user-address-type: Logs out users with the specified IP address type.

·     ds-lite: Specifies lite dual-stack addresses.

·     ipv6: Specifies IPv6 addresses.

·     nat64: Specifies NAT64 addresses.

·     private-ds: Specifies private dual-stack addresses.

·     private-ipv4: Specifies private IPv4 addresses.

·     public-ds: Specifies public dual-stack addresses.

·     public-ipv4: Specifies public IPv4 addresses.

user-profile profile-name: Logs out users of a user profile specified by its name, a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and periods (.). A user profile name must start with a letter or digit, and cannot be all digits. If you do not specify a user profile direction, a user is logged out only if the user's user profile matches the specified user profile in any direction.

·     both: Logs out a user whose profile matches the specified profile in both directions.

·     inbound: Logs out a user whose profile matches the specified profile in the inbound direction.

·     outbound: Logs out a user whose profile matches the specified profile in the outbound direction.

user-type: Specifies a user type.

·     l2vpn-leased: Specifies IPoE L2VPN-leased users.

·     lac: Specifies users on the device acting as an LAC.

·     layer2-dynamic: Specifies Layer 2 IPoE dynamic users.

·     layer2-family-leased: Specifies Layer 2 IPoE family-leased users.

·     layer2-interface-leased: Specifies Layer 2 IPoE interface-leased users.

·     layer2-static: Specifies Layer 2 IPoE static users.

·     layer2-subnet-leased: Specifies Layer 2 IPoE subnet-leased users.

·     layer3-dynamic: Specifies Layer 3 IPoE dynamic users.

·     layer3-interface-leased: Specifies Layer 3 IPoE interface-leased users.

·     layer3-static: Specifies Layer 3 IPoE static users.

·     layer3-subnet-leased: Specifies Layer 3 IPoE subnet-leased users.

·     leased: Specifies IPoE leased users.

·     leased-subuser: Specifies Layer 2 IPoE leased subusers.

·     lns: Specifies users on the device acting as an LNS.

·     pppoe: Specifies PPPoE users, including PPPoE users that trigger the LAC to set up L2TP tunnels.

·     pppoea: Specifies PPPoE agency users.

username user-name: Logs out a user specified by its username, a case-sensitive string of 1 to 253 characters.

vpn-instance vpn-instance-name: Logs out users in a VPN instance specified by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, this command logs out users in the public network.

vxlan vxlan-id [ vxlan-id-max ]: Logs out users in a VXLAN specified by the vxlan-id argument or in a VXLAN range specified by the vxlan-id and vxlan-id-max arguments. The vxlan-id and vxlan-id-max arguments are both in the range of 0 to 16777215.

ip-address ipv4-address: Logs out a user with the specified IPv4 address.

ipv6-address ipv6-address: Logs out a user with the specified IPv6 address.

ipv6-prefix prefix-address/prefix-length: Logs out users with the specified IPv6 prefix. The prefix-address argument specifies the IPv6 prefix, and the prefix-length argument specifies the IPv6 prefix length.

user-id user-id: Logs out a user specified by its online index. The value range is 1 to FFFF4240 (hexadecimal).

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. (In IRF mode.)

Usage guidelines

This command takes effect only on online IPoE, PPPoE, and L2TP users.

After this command is executed, the system will print the number of users affected by this operation and prompt the user to confirm whether to continue. This operation affects users who directly and completely match the execution conditions of the command, excluding users who go offline indirectly as a result of executing this command.

Examples

# Forcibly log out the user with IP address 10.10.10.10.

<Sysname> cut access-user ip-address 10.10.10.10

This command will cut off 1 user totally.Continue?[Y/N]: y

# Forcibly log out the users in ISP domain dm1.

<Sysname> cut access-user domain dm1

This command will cut off 100 user totally.Continue?[Y/N]: y

# Forcibly log out the user named user1.

<Sysname> cut access-user username user1

This command will cut off 100 user totally.Continue?[Y/N]: y

Related commands

display access-user

display access-user

Use display access-user to display access user information.

Syntax

In standalone mode:

display access-user [ [ { { accounting-state { accounting | idle | leaving-flow-query | ready | wait-acct-start | wait-acct-stop } | [ all-vpn-instance | public-instance | vpn-instance vpn-instance-name ] | auth-method { hwtacacs | local | none | radius | radius-proxy } | auth-type { admin | bind | dot1x [ with-address | without-address ] | ppp | pre-auth | web-auth [ inherit-pppoe | non-inherit-pppoe | web-mac-auth | web-mac-trigger | web-normal ] } | car cir cir-value [ pir pir-value ] [ inactive ] [ both | inbound | outbound ] | domain domain-name [ authorization | authentication ] | flow-rate [ ip | ipv6 ] { inbound { above rate-inbound-above-value | below rate-inbound-below-value } * | outbound { above rate-outbound-above-value | below rate-outbound-below-value } * } * | initiator-method { arp | dhcpv4 | dhcpv6 | ndrs | nsna | unclassified-ip | unclassified-ipv6 } | [ interface interface-type interface-number [ all | s-vlan svlan-id [ c-vlan cvlan-id ] | s-vlan svlan-id [ c-vlan cvlan-id ] ] ] | ip-pool pool-name | ip-pool-group ip-pool-groupname | ip-type { dual-stack | ipv4 | ipv6 } | { ipv4 multicast-user-profile profile-name | ipv6 multicast-user-profile profile-name } * | ipv6-address-protocol { dhcpv6 | dhcpv6-pd | nd } | ipv6-cpe-mode { ipv6 | ipv6-pd } | ipv6-pool pool-name | ipv6-pool-group ipv6-pool-groupname | lac-ip lac-ip-address | lns-ip lns-ip-address | { { { local-access | remote-access } | { backup | master } } * | normal } | mac-address mac-address | pppoe-agency-state no-online | quota-out-redirect | radius-attribute-inexistence user-profile | remote-name tunnel-name | session-group-profile { session-group-profile-name | [ session-group-profile-name ] inactive } | start-time start-time start-date end-time end-time end-date | user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } | user-group { user-group-name | [ user-group-name ] inactive } | user-traffic [ ip | ipv6 ] { inbound { above traffic-inbound-above-value { byte | giga-byte | kilo-byte | mega-byte } | below traffic-inbound-below-value { byte | giga-byte | kilo-byte | mega-byte } } * | outbound { above traffic-outbound-above-value { byte | giga-byte | kilo-byte | mega-byte } | below traffic-outbound-below-value { byte | giga-byte | kilo-byte | mega-byte } } * } * | user-priority { user-priority | [ user-priority ] inactive } [ both | inbound | outbound ] | user-profile { user-profile-name | [ user-profile-name ] inactive } [ both | inbound | outbound ] | user-type { l2vpn-leased | lac | layer2-dynamic | layer2-interface-leased | layer2-static | layer2-subnet-leased | layer3-dynamic | layer3-interface-leased | layer3-static | layer3-subnet-leased | leased | leased-subuser | lns | pppoe | pppoea } | username user-name | vxlan vxlan-id [ vxlan-id-max ] | slot slot-number } * | time time [ slot slot-number ] } [ count | verbose ] | { { ip-address ipv4-address | ipv6-address ipv6-address | ipv6-prefix ipv6-prefix/prefix-length | public-ip-address public-ip-address } [ all-vpn-instance | public-instance | vpn-instance vpn-instance-name ] | user-id user-id } [ slot slot-number ] [ verbose ] ] | { count | verbose } ]

In IRF mode:

display access-user [ [ { { accounting-state { accounting | idle | leaving-flow-query | ready | wait-acct-start | wait-acct-stop } | [ all-vpn-instance | public-instance | vpn-instance vpn-instance-name ] | auth-method { hwtacacs | local | none | radius | radius-proxy } | auth-type { admin | bind | dot1x [ with-address | without-address ] | ppp | pre-auth | web-auth [ inherit-pppoe | non-inherit-pppoe | web-mac-auth | web-mac-trigger | web-normal ] } | car cir cir-value [ pir pir-value ] [ inactive ] [ both | inbound | outbound ] | domain domain-name [ authorization | authentication ] | flow-rate [ ip | ipv6 ] { inbound { above rate-inbound-above-value | below rate-inbound-below-value } * | outbound { above rate-outbound-above-value | below rate-outbound-below-value } * } * | initiator-method { arp | dhcpv4 | dhcpv6 | ndrs | nsna | unclassified-ip | unclassified-ipv6 } | [ interface interface-type interface-number [ all | s-vlan svlan-id [ c-vlan cvlan-id ] ] | s-vlan svlan-id [ c-vlan cvlan-id ] ] | ip-pool pool-name | ip-pool-group ip-pool-groupname | ip-type { dual-stack | ipv4 | ipv6 } | { ipv4 multicast-user-profile profile-name | ipv6 multicast-user-profile profile-name } * | ipv6-address-protocol { dhcpv6 | dhcpv6-pd | nd } | ipv6-cpe-mode { ipv6 | ipv6-pd } | ipv6-pool pool-name | ipv6-pool-group ipv6-pool-groupname | lac-ip lac-ip-address | lns-ip lns-ip-address | { { { local-access | remote-access } | { backup | master } } * | normal } | mac-address mac-address | nat-instance nat-instance-name | pppoe-agency-state no-online | quota-out-redirect | radius-attribute-inexistence user-profile | remote-name tunnel-name | session-group-profile { session-group-profile-name | [ session-group-profile-name ] inactive } | start-time start-time start-date end-time end-time end-date | user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } | user-group { user-group-name | [ user-group-name ] inactive } | user-traffic [ ip | ipv6 ] { inbound { above traffic-inbound-above-value { byte | giga-byte | kilo-byte | mega-byte } | below traffic-inbound-below-value { byte | giga-byte | kilo-byte | mega-byte } } * | outbound { above traffic-outbound-above-value { byte | giga-byte | kilo-byte | mega-byte } | below traffic-outbound-below-value { byte | giga-byte | kilo-byte | mega-byte } } * } * | user-priority { user-priority | [ user-priority ] inactive } [ both | inbound | outbound ] | user-profile { user-profile-name | [ user-profile-name ] inactive } [ both | inbound | outbound ] | user-type { l2vpn-leased | lac | layer2-dynamic | layer2-interface-leased | layer2-static | layer2-subnet-leased | layer3-dynamic | layer3-interface-leased | layer3-static | layer3-subnet-leased | leased | leased-subuser | lns | pppoe | pppoea } | username user-name | vxlan vxlan-id [ vxlan-id-max ] | chassis chassis-number slot slot-number } * | time time [ chassis chassis-number slot slot-number ] } [ count | verbose ] | { { ip-address ipv4-address | ipv6-address ipv6-address | ipv6-prefix ipv6-prefix/prefix-length | public-ip-address public-ip-address } [ all-vpn-instance | public-instance | vpn-instance vpn-instance-name ] | user-id user-id } [ chassis chassis-number slot slot-number ] [ verbose ] ] | { count | verbose } ]

In standalone mode or IRF mode:

display access-user all-slot [ { { accounting-state { accounting | idle | leaving-flow-query | ready | wait-acct-start | wait-acct-stop } | auth-method { hwtacacs | local | none | radius | radius-proxy } | auth-type { admin | bind | dot1x [ with-address | without-address ] | ppp | pre-auth | web-auth [ web-mac-auth | web-mac-trigger | web-normal ] } | car cir cir-value [ pir pir-value ] [ inactive ] [ both | inbound | outbound ] | domain domain-name [ authorization | authentication ] | flow-rate [ ip | ipv6 ] { inbound { above rate-inbound-above-value | below rate-inbound-below-value } * | outbound { above rate-outbound-above-value | below rate-outbound-below-value } * } * | initiator-method { arp | dhcpv4 | dhcpv6 | ndrs | nsna | unclassified-ip | unclassified-ipv6 } | [ interface interface-type interface-number [ all | s-vlan svlan-id [ c-vlan cvlan-id ] ] | s-vlan svlan-id [ c-vlan cvlan-id ] ] | ip-pool pool-name | ip-pool-group ip-pool-groupname | ip-type { dual-stack | ipv4 | ipv6 } | { ipv4 multicast-user-profile profile-name | ipv6 multicast-user-profile profile-name } * | ipv6-address-protocol { dhcpv6 | nd } | ipv6-cpe-mode { ipv6 | ipv6-pd } | ipv6-pool pool-name | ipv6-pool-group ipv6-pool-groupname | lac-ip lac-ip-address | lns-ip lns-ip-address | { { { local-access | remote-access } | { backup | master } } * | normal } | mac-address mac-address | pppoe-agency-state no-online | quota-out-redirect | radius-attribute-inexistence user-profile | remote-name tunnel-name | session-group-profile { session-group-profile-name | [ session-group-profile-name ] inactive } | start-time start-time start-date end-time end-time end-date | user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } | user-group { user-group-name | [ user-group-name ] inactive } | user-traffic [ ip | ipv6 ] { inbound { above traffic-inbound-above-value { byte | giga-byte | kilo-byte | mega-byte } | below traffic-inbound-below-value { byte | giga-byte | kilo-byte | mega-byte } } * | outbound { above traffic-outbound-above-value { byte | giga-byte | kilo-byte | mega-byte } | below traffic-outbound-below-value { byte | giga-byte | kilo-byte | mega-byte } } * } * | user-priority { user-priority | [ user-priority ] inactive } [ both | inbound | outbound ] | user-profile { user-profile-name | [ user-profile-name ] inactive } [ both | inbound | outbound ] | user-type { l2vpn-leased | lac | layer2-dynamic | layer2-interface-leased | layer2-static | layer2-subnet-leased | layer3-dynamic | layer3-interface-leased | layer3-static | layer3-subnet-leased | leased | leased-subuser | lns | pppoe } | username user-name | vpn-instance vpn-instance-name | vxlan vxlan-id [ vxlan-id-max ] } * | time time } ] count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

accounting-state: Specifies users in the specified accounting state.

·     accounting: Specifies the accounting state.

·     idle: Specifies the idle state. A user is in this state when the user is online but the BRAS does not send accounting messages for the user to the AAA server. For example, a user that fails to start accounting or a user that does not support accounting (for example, FTP user) is in this state.

·     leaving-flow-query: Specifies the leaving flow query state. A user is in this state when the user is going offline and the BRAS is collecting traffic statistics of the user.

·     ready: Specifies the ready state. A user is in this state from the time when the user comes online until the BRAS sends the Accounting-Start messages for the user to the AAA server.

·     wait-acct-start: Specifies the wait-acct-start state. A user is in this state from the time when the BRAS sends the Accounting-Start messages for the user to the AAA server until the accounting response messages are received.

·     wait-acct-stop: Specifies the wait-acct-stop state. A user is in this state from the time when the BRAS sends Accounting-Stop messages for the user to the AAA server until the BRAS receives the Accounting-Stop response messages.

all-slot: Displays the number of all access users in each slot.

all-vpn-instance: Specifies all VPN instances.

public-instance: Specifies the public network instance.

vpn-instance vpn-instance-name: Specifies users in an MPLS L3VPN instance specified by its name, a case-sensitive string of 1 to 31 characters.

auth-method: Specifies online users that come online by using the specified authentication method.

·     hwtacacs: Specifies the HWTACACS authentication method.

·     local: Specifies the local authentication method.

·     none: Specifies no authentication method.

·     radius: Specifies the RADIUS authentication method.

·     radius-proxy: Specifies the RADIUS proxy authentication method.

auth-type: Specifies an authentication type for access users.

·     admin: Specifies device management users.

·     bind: Specifies IPoE users using bind authentication.

·     dot1x: Specifies 802.1X users. If you specify the dot1x keyword but do not specify the with-address or without-address keyword, this command displays all matching 802.1X users.

¡     with-address: Specifies IPoE users that come online in the postauthentication domain in the 802.1X authentication method. Session information about this type of users has IP address information.

¡     without-address: Specifies IPoE users that have not come online in the preauthentication domain in the 802.1X authentication method but whose 802.1X clients have come online. Session information about this type of users does not have IP address information.

·     ppp: Specifies PPP users.

·     pre-auth: Specifies IPoE users in the preauthentication phase.

·     web-auth: Specifies IPoE users using Web authentication in the Web authentication phase.

¡     inherit-pppoe: Specifies IPoE Web users that inherit PPPoE user information.

¡     non-inherit-pppoe: Specifies IPoE Web users except those that inherit PPPoE user information.

¡     web-mac-auth: Specifies IPoE Web users that come online through transparent MAC authentication.

¡     web-mac-trigger: Specifies IPoE Web users that come online through transparent MAC trigger authentication.

¡     web-normal: Specifies IPoE Web users that come online through common Web authentication (non-transparent authentication).

car: Displays information of users with the specified CAR parameters authorized.

·     cir cir-value: Specifies the committed information rate in the range of 1 to 4294967295 kbps.

·     pir pir-value: Specifies the peak information rate in the range of 1 to 4294967295 kbps.

·     inactive: Displays information of users for which CAR authorization failed. If this keyword is not specified, this command displays information of users with CAR authorized in the inbound or outbound direction.

·     both: Matches in both inbound and outbound directions. If none of the both, inbound, and outbound keywords is specified, the user CAR directions are not restricted, as long as the CAR parameters in either the inbound or outbound direction match the criteria.

·     inbound: Matches only in the inbound direction.

·     outbound: Matches only in the outbound direction.

domain domain-name: Specifies users accessing through an authorization or authentication domain specified by its name, a case-insensitive string of 1 to 255 characters. If you specify the domain keyword but do not specify the authorization or authentication keyword, this command displays information about all matching users accessing through the specified authentication domain and authorization domain.

·     authorization: Specifies users that access through the specified authorization domain.

·     authentication: Specifies users that access through the specified authentication domain.

flow-rate: Displays information of online users with the flow rates in the specified range. To filter user information through this parameter, you must first execute the access-user flow-rate-calculate enable command.

·     ip: Matches users based on the sum of the specified IPv4 flow rate and IPv6 flow rate in merge accounting mode, or matches users based on the specified IPv4 flow rate in separate accounting mode.

·     ipv6: Matches users based on the specified IPv6 flow rate. If neither of the ip and ipv6 parameters is specified, the system matches users based on the sum of the specified IPv4 flow rate and IPv6 flow rate.

·     inbound: Displays information of users with the specified uplink flow rates.

¡     above rate-inbound-above-value: Displays information of users with the uplink flow rate greater than or equal to the specified value. The value for the rate-inbound-above-value argument ranges from 0 to 4294967294 bps.

¡     below rate-inbound-below-value: Displays information of users with the uplink flow rate lower than the specified value. The value for the rate-inbound-below-value argument ranges from 0 to 4294967294 bps.

·     outbound: Displays information of users with the specified downlink flow rates.

¡     above rate-outbound-above-value: Displays information of users with the downlink flow rate greater than or equal to the specified value. The value for the rate-outbound-above-value argument ranges from 0 to 4294967294 bps.

¡     below rate-outbound-below-value: Displays information of users with the downlink flow rate lower than the specified value. The value for the rate-outbound-below-value argument ranges from 0 to 4294967294 bps.

initiator-method: Specifies online users that come online by using the specified packet initiation method.

·     arp: Specifies ARP packet initiation.

·     dhcpv4: Specifies DHCPv4 packet initiation.

·     dhcpv6: Specifies DHCPv6 packet initiation.

·     ndrs: Specifies IPv6 ND RS packet initiation.

·     nsna: Specifies NS/NA packet initiation.

·     unclassified-ip: Specifies unclassified-IP packet initiation.

·     unclassified-ipv6: Specifies unclassified-IPv6 packet initiation.

interface interface-type interface-number: Specifies users accessing through an interface specified by its type and number. Only network access users support this option.

all: Displays user information on the current main interface and all its subinterfaces. To specify this keyword, the interface specified by using the interface keyword must be a main interface, and you must also specify the count keyword.

s-vlan svlan-id: Specifies an SVLAN by its ID. The value range is 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its ID. The value range is 1 to 4094.

ip-pool pool-name: Specifies users in an IPv4 address pool specified by its name, a case-insensitive string of 1 to 63 characters.

ip-pool-group ip-pool-groupname: Specifies users in an IPv4 address pool group specified by its name, a case-insensitive string of 1 to 63 characters.

ip-type: Specifies users of an IP type.

·     dual-stack: Specifies dual-stack users.

·     ipv4: Specifies IPv4 users.

·     ipv6: Specifies IPv6 users.

ipv4: Specifies IPv4 multicast user profiles.

ipv6: Specifies IPv6 multicast user profiles.

multicast-user-profile profile-name: Specifies a multicast user profile by its name, a case-sensitive string of 1 to 31 characters.

ipv6-address-protocol: Specifies users whose IPv6 addresses or prefixes are assigned by the specified IPv6 protocol.

·     dhcpv6: Specifies users whose IPv6 addresses are assigned by DHCPv6.

·     dhcpv6-pd: Specifies users whose IPv6 PD prefixes are assigned by DHCPv6.

·     nd: Specifies users whose addresses are assigned by IPv6 NDRA.

ipv6-cpe-mode: Specifies CPE users. In an NDRA+IA_PD or IA_NA+IA_PD hybrid network, you cannot specify the ipv6-cpe-mode keyword to search for access users.

·     ipv6: Specifies access users that obtain IPv6 addresses through NDRA or IA_NA.

·     ipv6-pd: Specifies access users that obtain IPv6 PD prefixes through IA_PD.

ipv6-pool pool-name: Specifies users in an IPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you specify this parameter, only information of users whose addresses are successfully allocated from the specified IPv6 address pool will be displayed.

ipv6-pool-group ipv6-pool-groupname: Specifies users in an IPv6 address pool group by its name, a case-insensitive string of 1 to 63 characters. If you specify this parameter, information of all users with the specified IPv6 address pool group authorized will be displayed, regardless of whether these users have actually obtained addresses from that pool group.

lac-ip lac-ip-address: Specifies the LNS to display users on the LAC specified by its IP address. Only the LNS supports this option.

lns-ip lns-ip-address: Specifies the LAC to display users on the LNS specified by its IP address. Only the LAC supports this option.

local-access: Specifies users who initially come online from the local device in a VSRP network, as well as all users on the local device in a non-VSRP network.

remote-access: Specifies users who initially come online from the peer device in a VSRP network.

backup: Specifies users with the backup role as Backup in a VSRP network.

master: Specifies users with the backup role as Master in a VSRP network.

normal: Specifies users in a non-VSRP network.

mac-address mac-address: Specifies a user by its MAC address in H-H-H format, case-insensitive. Only network access users support this option.

virtual-mac mac-address: Displays user information for the specified virtual MAC address in the format of H-H-H, case-insensitive. Only network access users support this option.

pppoe-agency-state: Specifies internal campus access authentication users (for example, IPoE users) in the specified PPPoE agency state.

no-online: Specifies internal campus access authentication users with the PPPoE agency state as not online.

quota-out-redirect: Specifies users who are in Redirect state after their traffic quota has been exhausted.

radius-attribute-inexistence user-profile: Displays information of users without user profiles authorized.

remote-name tunnel-name: Specifies an L2TP user of the LAC or LNS specified by its tunnel name, a string of 1 to 31 characters.

session-group-profile: Displays information of users with a session group profile authorized.

·     session-group-profile-name: Specifies a session group profile by its name, a case-sensitive string of 1 to 31 characters.

·     inactive: Displays information of users for which session group profiles failed to be authorized. If this keyword is not specified, this command displays information of users with the specified session group profile authorized. If this keyword is specified, the following rules apply:

¡     When the session-group-profile-name argument is not specified, this command displays information of users for which any session group profile failed to be authorized.

¡     When the session-group-profile-name argument is specified, this command only displays information of users for which the specified session group profile failed to be authorized.

start-time start-time start-date end-time end-time end-date: Specifies users within the specified time range. The start-time start-time start-date option specifies the start time and date. The end-time end-time end-date option specifies the end time and date.

·     The start-time and end-time arguments are in the HH:MM:SS format. HH specifies an hour in the range of 0 to 23. MM specifies a minute in the range of 0 to 59. SS specifies a second in the range of 0 to 59. To specify an integer hour, you do not need to specify the minute or second. To specify an integer minute, you do not need to specify the second. For example, if you enter 0 or 0:0, the time is hour 0 minute 0 second 0.

·     The start-date and end-date arguments are in the MM/DD/YYYY or YYYY/MM/DD format. MM specifies a month in the range of 1 to 12. DD specifies a day and its value range varies by month. YYYY specifies a year in the range of 2000 to 2035.

user-address-type: Specifies users with addresses of the specified type.

·     ds-lite: Specifies lite dual-stack addresses.

·     ipv6: Specifies IPv6 addresses.

·     nat64: Specifies NAT64 addresses.

·     private-ds: Specifies private dual-stack addresses.

·     private-ipv4: Specifies private IPv4 addresses.

·     public-ds: Specifies public dual-stack addresses.

·     public-ipv4: Specifies public IPv4 addresses.

user-group: Displays information of users in the specified user group.

·     user-group-name: Specifies the name of an authorized user group, a case-insensitive string of 1 to 32 characters.

·     inactive: Displays information of users for which the user groups failed to be authorized. If this keyword is not specified, this command displays information of users with the specified user group authorized. If this keyword is specified, the following rules apply:

¡     When the user-group-name argument is not specified, this command displays information of users for which any user group failed to be authorized.

¡     When the user-group-name argument is specified, this command only displays information of users for which the specified user group failed to be authorized.

user-traffic: Displays information of online users in the specified user traffic range.

·     ip: Matches users based on the sum of the specified IPv4 traffic and IPv6 traffic in merge accounting mode, or matches users based on the specified IPv4 traffic in separate accounting mode.

·     ipv6: Matches users based on the specified IPv6 traffic. If neither of the ip and ipv6 parameters is specified, the system matches users based on the sum of the specified IPv4 traffic and IPv6 traffic.

·     inbound: Displays information of users with the specified uplink traffic.

¡     above traffic-inbound-above-value: Displays information of users with the uplink traffic greater than or equal to the specified value. The value for the traffic-inbound-above-value argument ranges from 0 to 4294967294 bytes, kilobytes, megabytes, or gigabytes.

¡     below traffic-inbound-below-value: Displays information of users with the uplink traffic lower than the specified value. The value for the traffic-inbound-below-value argument ranges from 0 to 4294967294 bytes, kilobytes, megabytes, or gigabytes.

·     outbound: Displays information of users with the specified downlink traffic.

¡     above traffic-outbound-above-value: Displays information of users with the downlink traffic greater than or equal to the specified value. The value for the traffic-outbound-above-value argument ranges from 0 to 4294967294 bytes, kilobytes, megabytes, or gigabytes.

¡     below traffic-outbound-below-value: Displays information of users with the downlink traffic lower than the specified value. The value for the traffic-outbound-below-value argument ranges from 0 to 4294967294 bytes, kilobytes, megabytes, or gigabytes.

·     byte: Specifies traffic in bytes.

·     giga-byte: Specifies traffic in gigabytes.

·     kilo-byte: Specifies traffic in kilobytes.

·     mega-byte: Specifies traffic in megabytes.

user-priority: Displays information of users with user priority values authorized.

·     user-priority: Specifies traffic with an authorized priority in the range of 0 to 7.

·     inactive: Displays information of users for which the user priority failed to be authorized. If this keyword is not specified, this command displays information of users with the specified user priority authorized. If this keyword is specified, the following rules apply:

¡     When the user-priority argument is not specified, this command displays information of users for which any user priority failed to be authorized.

¡     When the user-priority argument is specified, this command only displays information of the users for which the specified user priority failed to be authorized.

·     both: Matches in both inbound and outbound directions. If none of the both, inbound, and outbound keywords is specified, the user priority directions are not restricted, as long as the user priority in either the inbound or outbound direction matches the criteria.

·     inbound: Matches only in the inbound direction. If neither of the inbound and outbound keywords is specified, the direction is ignored in a match.

·     outbound: Matches only in the outbound direction.

user-profile: Displays information of users with user profiles authorized.

·     user-profile-name: Specifies an authorized user profile by its name, a case-sensitive string of 1 to 31 characters.

·     inactive: Displays information of users for which user profiles failed to be authorized. If this keyword is not specified, this command displays information of users with the specified user profile authorized. If this keyword is specified, the following rules apply:

¡     When the user-profile-name argument is not specified, this command displays information of all users for which any user profile failed to be authorized.

¡     When the user-profile-name argument is specified, this command only displays information of users for which the specified user profile failed to be authorized.

·     both: Matches in both inbound and outbound directions. If none of the both, inbound, and outbound keywords is specified, the user profile directions are not restricted, as long as the user profile in either the inbound or outbound direction matches the criteria.

·     inbound: Matches only in the inbound direction.

·     outbound: Matches only in the outbound direction.

user-type: Specifies users of the specified type.

·     l2vpn-leased: Specifies IPoE L2VPN-leased users.

·     lac: Specifies users on the device acting as a LAC.

·     layer2-dynamic: Specifies Layer 2 IPoE dynamic users.

·     layer2-family-leased: Specifies Layer 2 IPoE family-leased users.

·     layer2-interface-leased: Specifies Layer 2 IPoE interface-leased users.

·     layer2-static: Specifies Layer 2 IPoE static users.

·     layer2-subnet-leased: Specifies Layer 2 IPoE subnet-leased users.

·     layer3-dynamic: Specifies Layer 3 IPoE dynamic users.

·     layer3-interface-leased: Specifies Layer 3 IPoE interface-leased users.

·     layer3-static: Specifies Layer 3 IPoE static users.

·     layer3-subnet-leased: Specifies Layer 3 IPoE subnet-leased users.

·     leased: Specifies IPoE leased users.

·     leased-subuser: Specifies Layer 2 IPoE leased subusers.

·     lns: Specifies users on the device acting as an LNS.

·     pppoe: Specifies PPPoE users, including PPPoE users that trigger the LAC to set up L2TP tunnels.

·     pppoea: Specifies PPPoE agency users.

username user-name: Specifies a user by its name, a case-sensitive string of 1 to 253 characters.

vxlan vxlan-id [ vxlan-id-max ]: Specifies users in the specified VXLANs. The vxlan-id argument and the vxlan-id-max argument specify the start VXLAN ID and end VXLAN ID, respectively, each in the range of 1 to 16777215.

time time: Specifies users accessing within the specified time range. The time argument specifies a duration in the range of 1 to 7200 seconds. For example, if you set the time argument to 2000, this command displays users coming online within the latest 2000 seconds.

ip-address ipv4-address: Specifies the user with the specified IPv4 address.

ipv6-address ipv6-address: Specifies the user with the specified IPv6 address.

ipv6-prefix ipv6-prefix: Specifies users with the specified IPv6 prefix (IPv6 ND prefix or IPv6 PD prefix). The ipv6-prefix argument specifies an IPv6 prefix. The prefix-length argument specifies an IPv6 prefix length.

public-ip-address public-ip-address: Specifies a NAT user by the public IP address assigned to the user in the NAT network.

user-id user-id: Specifies an online user by its index, a hexadecimal number in the range of 1 to FFFF4240.

count: Displays the number of users.

verbose: Displays detailed user information. This keyword is supported only by IPoE, PPPoE, and L2TP users.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. (In IRF mode.)

Usage guidelines

If you do not specify the count or verbose keyword, this command displays brief user information.

If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays user information of the public network instance and all VPN instances.

In an L2TP network, this command is supported on an LAC only if a remote system dials in to the LAC through a PPPoE network. For more information about L2TP, see L2TP configuration in BRAS Services Configuration Guide.

Examples

# Display the number of all access users.

<Sysname> display access-user count

Total users                      : 5

PPPoE users                      : 0

PPPoEA users                     : 0

PPPoA users                      : 0

PPPoFR users                     : 0

PPPoPhy users                    : 0

LNS users                        : 0

LAC users                        : 0

VPPP users                       : 0

L2 IPoE dynamic users            : 1

L2 IPoE static users             : 0

L2 IPoE interface leased users   : 0

L2 IPoE subnet leased users      : 0

L2 IPoE family leased users      : 0

L2 IPoE leased subusers          : 0

IPoE L2VPN leased users          : 0

L3 IPoE dynamic users            : 0

L3 IPoE static users             : 0

L3 IPoE interface leased users   : 0

L3 IPoE subnet leased users      : 0

Web auth users                   : 0

Portal users                     : 0

Telnet users                     : 1

SSH users                        : 0

HTTP users                       : 1

HTTPS users                      : 1

FTP users                        : 1

Command users                    : 0

PAD users                        : 0

Terminal users                   : 0

MAC auth users                   : 0

Dot1X users                      : 0

IKE users                        : 0

SSLVPN users                     : 0

DVPN users                       : 0

Table 2 Command output

| Field | Description |
| --- | --- |
| Total users | Total number of users (excluding LAC users). |
| PPPoE users | Number of PPPoE users (including PPPoE users that trigger the LAC to set up L2TP tunnels). |
| PPPoEA users | Number of PPPoE agency users. |
| PPPoA users | This field is not supported in the current software version. Number of PPPoA users. |
| PPPoFR users | This field is not supported in the current software version. Number of PPPoFR users. |
| PPPoPhy users | Number of PPP access users directly carried on physical links. |
| LNS users | Number of L2TP users on the LNS. |
| LAC users | Number of L2TP users on the LAC. For example, PPPoE users that trigger the LAC to set up L2TP tunnels in NAS-initiated mode and LNS users on the LTS. |
| VPPP users | Number of L2TP users automatically dialing on the LAC. |
| L2 IPoE dynamic users | Number of Layer 2 IPoE dynamic users, including IPoE users using 802.1X authentication in the postauthentication phase. The access type that initiates the user in the corresponding protocol stack will be displayed after this field only in the summary information. The type is represented in the form of (IPv4 protocol stack access type/IPv6 protocol stack access type). Options include: D (DHCP user); S (static user); U (unclassified-IP user); N (IPv6 ND RS user); hyphen (-), which indicates that the access type for the user in the corresponding protocol stack does not exist. |
| L2 IPoE static users | Number of Layer 2 IPoE static users, including static individual users, static leased users, and IPoE users using 802.1X authentication in the postauthentication phase. |
| L2 IPoE interface leased users | Number of Layer 2 IPoE interface-leased users. |
| L2 IPoE subnet leased users | Number of Layer 2 IPoE subnet-leased users. |
| L2 IPoE family leased users | Number of Layer 2 IPoE family-leased users. |
| L2 IPoE leased subusers | Number of Layer 2 IPoE leased subusers. |
| IPoE L2VPN leased users | Number of IPoE L2VPN-leased users. |
| L3 IPoE dynamic users | Number of Layer 3 IPoE dynamic users. |
| L3 IPoE static users | Number of Layer 3 IPoE static users, including static individual users and static leased users. The access type that initiates the user in the corresponding protocol stack will be displayed after this field only in the summary information. The type is represented in the form of (IPv4 protocol stack access type/IPv6 protocol stack access type). Options include: D (DHCP user); U (unclassified-IP user); N (IPv6 ND RS user); hyphen (-), which indicates that the access type for the user in the corresponding protocol stack does not exist. |
| L3 IPoE interface leased users | Number of Layer 3 IPoE interface-leased users. |
| L3 IPoE subnet leased users | Number of Layer 3 IPoE subnet-leased users. |
| Web auth users | Number of Web authentication users. The access type that initiates the user in the corresponding protocol stack will be displayed after this field only in the summary information. The type is represented in the form of (IPv4 protocol stack access type/IPv6 protocol stack access type). Options include: D (DHCP user); S (static user); U (unclassified-IP user); N (IPv6 ND RS user); hyphen (-), which indicates that the access type for the user in the corresponding protocol stack does not exist. When re-authentication for IPoE users in the specified IP address range is enabled by using the ip subscriber reauth command in system view, IPoE users in that IP address range that come online through an interface with IPoE Web authentication enabled and complete re-authentication will be counted in the Web auth users field. |
| Portal users | This field is not supported in the current software version. Number of portal users. |
| Telnet users | Number of Telnet users. |
| SSH users | Number of SSH users. |
| HTTP users | Number of HTTP users. |
| HTTPS users | Number of HTTPS users. |
| FTP users | Number of FTP users. |
| Command users | Number of command authorization and accounting users. |
| PAD users | This field is not supported in the current software version. Number of PAD users. |
| Terminal users | Number of users logging in through the Console port. |
| MAC auth users | This field is not supported in the current software version. Number of MAC authentication users. |
| Dot1X users | This field is not supported in the current software version. Number of Layer 2 802.1X users. |
| IKE users | This field is not supported in the current software version. Number of IKE users. |
| SSLVPN users | This field is not supported in the current software version. Number of SSL VPN users. |
| DVPN users | This field is not supported in the current software version. Number of DVPN users. |

# Display brief information about all access users.

<Sysname> display access-user

UserID   Username                Access type                         MAC address

         IP address              IPv6 address

         Interface                                                   S-/C-VLAN

0x33d    user1                   LNS                                 -

         192.168.0.2             -

         BAS0                                                        -/-

0x33e    user2                   L2 IPoE dynamic(D/-)                001b-21a8-0949

         3.3.3.3                 -

         XGE0/0/15                                                   -/-

0x33f    user3                   PPPoE                               001b-21a8-0949

         192.168.0.3             -

         XGE0/0/15                                                   -/-

0x400005 user4                   Telnet                              -

         3.3.3.3                 -

         -                                                           -/-

0x400006 user5                   FTP                                 -

         3.3.3.3                 -

         -                                                           -/-

Table 3 Command output

| Field | Description |
| --- | --- |
| UserID | Online index of a user. |
| Interface | Access interface of a user. If the user does not have an access interface, this field displays a hyphen (-). |
| Username | Username for authentication. If the username contains more than 20 characters, the username is displayed in the format of “the first 20 characters in the username+...” in the brief information. |
| IP address | IPv4 address of a user. If the user does not have an IPv4 address, this field displays a hyphen (-). For a PPPoE agency user, this field indicates the IPv4 address assigned by an ISP to the user. |
| IPv6 address | IPv6 address of a user. If the user does not have an IPv6 address, this field displays a hyphen (-). |
| MAC address | MAC address of a user. If the user does not have a MAC address, this field displays a hyphen (-). For a PPPoE agency user, this field indicates the MAC address of the BRAS user. |
| S-/C-VLAN | SVLAN and CVLAN of a user. If the user does not have an SVLAN or CVLAN, this field displays -/-. |
| Access type | Access type of a user. For more information, see Table 2. |
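The following Python sketch is an added example, not part of the H3C documentation. It parses the three-line records of the brief display access-user output into structured entries so that an audit script can list management sessions that use cleartext protocols and usernames that were truncated to 20 characters. The record with user ID 0x400007 is constructed, and the access-type strings "HTTP" and "SSH" are assumptions derived from the Table 2 field names.

```python
import re

# Sample: the brief output shown above plus one constructed record (0x400007)
# that exercises the 20-character username truncation described in Table 3.
SAMPLE = """\
UserID   Username                Access type                         MAC address
         IP address              IPv6 address
         Interface                                                   S-/C-VLAN
0x33d    user1                   LNS                                 -
         192.168.0.2             -
         BAS0                                                        -/-
0x33e    user2                   L2 IPoE dynamic(D/-)                001b-21a8-0949
         3.3.3.3                 -
         XGE0/0/15                                                   -/-
0x33f    user3                   PPPoE                               001b-21a8-0949
         192.168.0.3             -
         XGE0/0/15                                                   -/-
0x400005 user4                   Telnet                              -
         3.3.3.3                 -
         -                                                           -/-
0x400006 user5                   FTP                                 -
         3.3.3.3                 -
         -                                                           -/-
0x400007 netops-admin-backup-... SSH                                 -
         3.3.3.3                 -
         -                                                           -/-
"""

# First line of a record: UserID, Username, Access type, MAC address (H-H-H or "-").
FIRST_LINE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(.+?)\s+"
    r"((?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4}|-)\s*$")
# Access type with the optional (IPv4 initiator/IPv6 initiator) suffix from Table 2.
ACCESS = re.compile(r"^(.*?)(?:\(([DSUN-])/([DSUN-])\))?$")
INITIATOR = {"D": "DHCP", "S": "static", "U": "unclassified-IP",
             "N": "IPv6 ND RS", "-": None}
# Assumption: "HTTP" appears as an access type the same way "Telnet" and "FTP" do.
CLEARTEXT_MGMT = {"Telnet", "FTP", "HTTP"}


def _dash(value):
    """The CLI prints a hyphen for an absent value."""
    return None if value == "-" else value


def parse_brief(text):
    """Return one dict per user from brief display access-user output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = FIRST_LINE.match(lines[i])
        if m is None:              # header or unrelated line
            i += 1
            continue
        if i + 2 >= len(lines):
            raise ValueError(f"record {m.group(1)} is cut short")
        addrs, where = lines[i + 1].split(), lines[i + 2].split()
        if len(addrs) != 2 or len(where) != 2 or "/" not in where[1]:
            raise ValueError(f"record {m.group(1)} has malformed continuation lines")
        base, v4, v6 = ACCESS.match(m.group(3)).groups()
        svlan, cvlan = where[1].split("/", 1)
        name = m.group(2)
        records.append({
            "user_id": int(m.group(1), 16),
            "username": name,
            # Table 3: names longer than 20 characters show as first 20 + "..."
            "username_truncated": len(name) == 23 and name.endswith("..."),
            "access_type": base,
            "ipv4_initiator": INITIATOR.get(v4),
            "ipv6_initiator": INITIATOR.get(v6),
            "mac": _dash(m.group(4)),
            "ipv4": _dash(addrs[0]),
            "ipv6": _dash(addrs[1]),
            "interface": _dash(where[0]),
            "svlan": _dash(svlan),
            "cvlan": _dash(cvlan),
        })
        i += 3
    return records


def cleartext_mgmt_sessions(records):
    """Management sessions whose protocol sends credentials unencrypted."""
    return [r for r in records if r["access_type"] in CLEARTEXT_MGMT]


if __name__ == "__main__":
    for r in cleartext_mgmt_sessions(parse_brief(SAMPLE)):
        print(f"{r['user_id']:#x} {r['username']} via {r['access_type']} from {r['ipv4']}")
```

A truncated username cannot be matched reliably against AAA records; query that session with the verbose keyword to obtain the full name.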

# (Individual users.) Display detailed information about IPoE users using bind authentication.

<Sysname> display access-user auth-type bind verbose

Basic:

  State: Online

  Description: N/A

  User ID: 0x33e

  Username: user1

  Backup role: N/A

  Authorization domain: dm1

  Authentication domain: dm1

  Interface: XGE0/0/15

  Service-VLAN/Customer-VLAN: -/-

  VXLAN ID: -

  MAC address: 001b-21a8-0949

  IP address: 3.3.3.3

  IP pool: pool1

  Primary DNS server: -

  Secondary DNS server: -

  IPv6 address: -

  IPv6 pool: N/A

  Primary IPv6 DNS server: -

  Secondary IPv6 DNS server: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  IPv6 ND prefix pool: N/A

  DHCP lease: -

  DHCP remaining lease: -

  DHCPv6 lease: -

  DHCPv6 remaining lease: -

  User address type: N/A

  VPN instance: N/A

  Access type: L2 IPoE dynamic

  Authentication type: Bind

  Static leased user: No

  Agent-Circuit-Id: -

  Agent-Remote-Id: -

  NAS-Port-Id: slot=0;subslot=1;port=1;vlanid=0;

  User IPv6CP interface ID: -

  IP gateway address: 3.3.3.1

  IPv6 link-local address: -

  IPv6 address protocol: N/A

  User basic service IP type: IPv4

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2019-09-21  13:55:57

  Accounting start time: 2019-09-21  13:55:57

  Online time (hh:mm:ss): 0:02:19

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 seconds  0 bytes, direction: Both

  Session timeout: Unlimited

  Time remained: Unlimited

  Traffic quota: Unlimited

  Traffic remained: Unlimited

  IPv6CP interface ID assignment: Disabled

  Redirect WebURL: -

  ITA policy name: N/A

  MRU: N/A

  IPv4 MTU: N/A

  IPv6 MTU: N/A

  Subscriber ID: -

  Inbound netstream sampler: Not set

  Outbound netstream sampler: Not set

  IPv4 multicast user profile: N/A

  IPv6 multicast user profile: N/A

  User session: limit 2, online 1

  Account ID: 0x2

  Authorized IPv4 address: N/A

  Authorized IPv6 address: N/A

  Current authen method: RADIUS

  Accounting session ID: 400033e-0-0-202205070936120000000012

  Max IPv4 multicast addresses: 1

  IPv4 multicast address list : 225.0.0.11

  Max IPv6 multicast addresses: 1

  IPv6 multicast address list : ff1e::31

  Radius-proxy client IP address: 200.0.0.1

  Radius-proxy client VPN instance: N/A

 

ACL&QoS:

  Inbound user profile: N/A

  Outbound user profile: N/A

  Session group profile: N/A

  User group acl: N/A

  Inbound CAR: -

  Outbound CAR: -

  Inbound subscriber group CAR: -

  Outbound subscriber group CAR: -

  Inbound user priority: -

  Outbound user priority: -

 

Flow rate statistics:

  Flow rate calculation time: 2019-09-21  13:49:50 - 2019-09-21  13:55:57

  Flow rate: 0 bits/sec

    Inbound  flow rate: 0 bits/sec

    Outbound flow rate: 0 bits/sec

  IPv6 flow rate: 0 bits/sec

    IPv6 inbound  flow rate: 0 bits/sec

    IPv6 outbound flow rate: 0 bits/sec

 

Flow statistics:

  Uplink   packets/bytes: 389/50005

  Downlink packets/bytes: 23/1362

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

 

ITA:

  Level-1 Uplink packets/bytes        : 4/392

          Downlink packets/bytes      : 4/392

          IPv6 uplink packets/bytes   : 0/0

          IPv6 downlink packets/bytes : 0/0

  Level-2 Uplink packets/bytes        : 0/0

          Downlink packets/bytes      : 0/0

          IPv6 uplink packets/bytes   : 0/0

          IPv6 downlink packets/bytes : 0/0

# (Static leased users.) Display detailed information about IPoE users using bind authentication.

<Sysname> display access-user auth-type bind verbose

Basic:

  State: Online

  Description: N/A

  User ID: 0x33e

  Username: user1

  Backup role: N/A

  Authorization domain: dm1

  Authentication domain: dm1

  Interface: XGE0/0/15

  Service-VLAN/Customer-VLAN: -/-

  VXLAN ID: -

  MAC address: 001b-21a8-0949

  IP address: 3.3.3.3

  IP pool: pool1

  Primary DNS server: -

  Secondary DNS server: -

  IPv6 address: -

  IPv6 pool: N/A

  Primary IPv6 DNS server: -

  Secondary IPv6 DNS server: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  DHCP lease: -

  DHCP remaining lease: -

  DHCPv6 lease: -

  DHCPv6 remaining lease: -

  User address type: N/A

  VPN instance: N/A

  Access type: L3 IPoE static

  Authentication type: Bind

  Static leased user: Yes

  Agent-Circuit-Id: -

  Agent-Remote-Id: -

  NAS-Port-Id: slot=0;subslot=1;port=1;vlanid=0;

  User IPv6CP interface ID: -

  IP gateway address: 3.3.3.1

  IPv6 link-local address: -

  IPv6 address protocol: N/A

  User basic service IP type: IPv4

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2019-09-21  13:55:57

  Accounting start time: 2019-09-21  13:55:57

  Online time (hh:mm:ss): 0:02:19

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 seconds  0 bytes, direction: Both

  Session timeout: Unlimited

  Time remained: Unlimited

  Traffic quota: Unlimited

  Traffic remained: Unlimited

  IPv6CP interface ID assignment: Disabled

  Redirect WebURL: -

  ITA policy name: N/A

  MRU: N/A

  IPv4 MTU: N/A

  IPv6 MTU: N/A

  Subscriber ID: -

  Inbound netstream sampler: Not set

  Outbound netstream sampler: Not set

  IPv4 multicast user profile: N/A

  IPv6 multicast user profile: N/A

  User session: limit 2, online 1

  Account ID: 0x2

  Authorized IPv4 address: N/A

  Authorized IPv6 address: N/A

  Current authen method: RADIUS

  Accounting session ID: 400033e-0-0-202205070936120000000012

  Max IPv4 multicast addresses: 1

  IPv4 multicast address list : 225.0.0.11

  Max IPv6 multicast addresses: 1

  IPv6 multicast address list : ff1e::31

 

ACL&QoS:

  Inbound user profile: N/A

  Outbound user profile: N/A

  Session group profile: N/A

  User group acl: N/A

  Inbound CAR: -

  Outbound CAR: -

  Inbound subscriber group CAR: -

  Outbound subscriber group CAR: -

  Inbound user priority: -

  Outbound user priority: -

 

Flow rate statistics:

  Flow rate calculation time: 2019-09-21  13:49:50 - 2019-09-21  13:55:57

  Flow rate: 0 bits/sec

    Inbound  flow rate: 0 bits/sec

    Outbound flow rate: 0 bits/sec

  IPv6 flow rate: 0 bits/sec

    IPv6 inbound  flow rate: 0 bits/sec

    IPv6 outbound flow rate: 0 bits/sec

 

Flow statistics:

  Uplink   packets/bytes: 389/50005

  Downlink packets/bytes: 23/1362

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

# (Leased users.) Display detailed information about IPoE users using bind authentication.

<Sysname> display access-user auth-type bind verbose

Basic:

  State: Online

  Description: N/A

  User ID: 0x1

  Username: user1

  Backup role: N/A

  Authorization domain : dm1

  Authentication domain: dm1

  Interface: XGE0/0/15

  Service-VLAN/Customer-VLAN: -/-

  VXLAN ID: -

  MAC address: -

  IP address: -

  IP pool: N/A

  Primary DNS server: -

  Secondary DNS server: -

  IPv6 address: -

  IPv6 pool: N/A

  Primary IPv6 DNS server: -

  Secondary IPv6 DNS server: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  IPv6 ND prefix pool: N/A

  DHCP lease: -

  DHCP remaining lease: -

  DHCPv6 lease: -

  DHCPv6 remaining lease: -

  User address type: N/A

  VPN instance: N/A

  Access type: L2 IPoE interface leased

  Authentication type: Bind

  Static leased user: No

  Agent-Circuit-Id: -

  Agent-Remote-Id: -

  NAS-Port-Id: slot=0;subslot=1;port=1;vlanid=0;

  User IPv6CP interface ID: -

  IP gateway address: -

  IPv6 link-local address: -

  IPv6 address protocol: N/A

  User basic service IP type: IPv4

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2019-11-19  10:15:40

  Accounting start time: 2019-11-19  10:15:40

  Online time(hh:mm:ss): 0:33:54

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 seconds  0 bytes, direction: Both

  Session timeout: Unlimited

  Time remained: Unlimited

  Traffic quota: Unlimited

  Traffic remained: Unlimited

  IPv6CP interface ID assignment: Disabled

  Redirect WebURL: -

  ITA policy name: N/A

  MRU: N/A

  IPv4 MTU: N/A

  IPv6 MTU: N/A

  Subscriber ID: -

  Inbound netstream sampler: Not set

  Outbound netstream sampler: Not set

  IPv4 multicast user profile: N/A

  IPv6 multicast user profile: N/A

  Current authen method: RADIUS

  Accounting session ID: 4000001-0-0-202205070936120000000012

  Max IPv4 multicast addresses: 1

  IPv4 multicast address list : 225.0.0.11

  Max IPv6 multicast addresses: 1

  IPv6 multicast address list : ff1e::31

 

ACL&QoS:

  Inbound user profile: N/A

  Outbound user profile: N/A

  Session group profile: N/A

  User group ACL: N/A

  Inbound CAR: -

  Outbound CAR: -

  Inbound subscriber group CAR: -

  Outbound subscriber group CAR: -

  Inbound user priority: -

  Outbound user priority: -

 

Flow rate statistics:

  Flow rate calculation time: 2019-09-21  13:49:50 - 2019-09-21  13:55:57

  Flow rate: 0 bits/sec

    Inbound  flow rate: 0 bits/sec

    Outbound flow rate: 0 bits/sec

  IPv6 flow rate: 0 bits/sec

    IPv6 inbound  flow rate: 0 bits/sec

    IPv6 outbound flow rate: 0 bits/sec

 

Flow statistics:

  Uplink   packets/bytes: 4/392

  Downlink packets/bytes: 4/392

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

 

Total subusers: 1

  UserID   IP address          MAC address     S-/C-VLAN

           IPv6 address

  0xc      1.1.1.2             6c45-4eea-0206  -/-

           -

 

Basic:

  State: Online

  Description: N/A

  User ID: 0xc

  Username: user1

  Backup role: N/A

  Authorization domain : dm1

  Authentication domain: N/A

  Interface: XGE0/0/15

  Service-VLAN/Customer-VLAN: -/-

  VXLAN ID: -

  MAC address: 6c45-4eea-0206

  IP address: 1.1.1.2

  IP pool: N/A

  Primary DNS server: -

  Secondary DNS server: -

  IPv6 address: -

  IPv6 pool: N/A

  Primary IPv6 DNS server: -

  Secondary IPv6 DNS server: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  IPv6 ND prefix pool: N/A

  DHCP lease: -

  DHCP remaining lease: -

  DHCPv6 lease: -

  DHCPv6 remaining lease: -

  User address type: N/A

  VPN instance: N/A

  Access type: L2 IPoE leased subusers

  Authentication type: Bind

  Static leased user: No

  Agent-Circuit-Id: -

  Agent-Remote-Id: -

  NAS-Port-Id: slot=0;subslot=1;port=1;vlanid=0;

  User IPv6CP interface ID: -

  IP gateway address: 1.1.1.1

  IPv6 link-local address: -

  IPv6 address protocol: N/A

  User basic service IP type: IPv4

 

AAA:

  Authentication state: -

  Authorization state: -

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2019-11-19  10:32:09

  Accounting start time: -

  Online time(hh:mm:ss): 0:00:00

  Accounting state: Stop

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: N/A

  Idle cut: 0 seconds  0 bytes, direction: Both

  IPv6CP interface ID assignment: Disabled

  Redirect WebURL: -

  ITA policy name: N/A

  MRU: N/A

  IPv4 MTU: N/A

  IPv6 MTU: N/A

  Subscriber ID: -

  Inbound netstream sampler: Not set

  Outbound netstream sampler: Not set

  IPv4 multicast user profile: N/A

  IPv6 multicast user profile: N/A

  Max IPv4 multicast addresses: 1

  IPv4 multicast address list : 225.0.0.11

  Max IPv6 multicast addresses: 1

  IPv6 multicast address list : ff1e::31

 

ACL&QoS:

  Inbound user profile: N/A

  Outbound user profile: N/A

  Session group profile: N/A

  User group ACL: N/A

  Inbound CAR: -

  Outbound CAR: -

  Inbound subscriber group CAR: -

  Outbound subscriber group CAR: -

  Inbound user priority: -

  Outbound user priority: -

 

Flow rate statistics:

  Flow rate calculation time: 2019-09-21  13:49:50 - 2019-09-21  13:55:57

  Flow rate: 0 bits/sec

    Inbound  flow rate: 0 bits/sec

    Outbound flow rate: 0 bits/sec

  IPv6 flow rate: 0 bits/sec

    IPv6 inbound  flow rate: 0 bits/sec

    IPv6 outbound flow rate: 0 bits/sec

 

Flow statistics:

  Uplink   packets/bytes: 0/0

  Downlink packets/bytes: 0/0

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

# Display detailed information about PPP access users.

<Sysname> display access-user auth-type ppp verbose

Basic:

  State: Online

  Description: N/A

  PPP index: 0x22d0a92580000105

  User ID: 0x33d

  Username: user1

  Backup role: N/A

  Authorization domain: dm1

  Authentication domain: dm1

  Interface: BAS0

  Service-VLAN/Customer-VLAN: -/-

  VXLAN ID: -

  MAC address: -

  IP address: 192.168.0.2

  IP pool: pool1

  Primary DNS server: 8.8.8.8

  Secondary DNS server: -

  IPv6 address: 8::8

  IPv6 pool: pool1

  Primary IPv6 DNS server: -

  Secondary IPv6 DNS server: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  IPv6 ND prefix pool: N/A

  DHCP lease: -

  DHCP remaining lease: -

  DHCPv6 lease: -

  DHCPv6 remaining lease: -

  User address type: N/A

  VPN instance: N/A

  Access type: LNS

  Authentication type: PPP

  Agent-Circuit-Id: -

  Agent-Remote-Id: -

  NAS-Port-Id: slot=0;subslot=1;port=1;vlanid=0;

  User IPv6CP interface ID: 1e2f:c3e4:3333:1234

  IP gateway address: 192.168.0.1

  IPv6 link-local address: -

  IPv6 address protocol: N/A

  User basic service IP type: IPv4

 

L2TP LNS:

  Group ID: 1

  Local tunnel ID: 8912

  Remote tunnel ID: 2

  Local session ID: 43301

  Remote session ID: 1

  Local IP: 3.3.3.1

  Remote IP: 3.3.3.3

  Local port: 1701

  Remote port: 1701

  Vrf index: 0

  Calling station: 9a4d-e968-0116 XGE0/0/15:ffff.ffff

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2019-09-21  13:54:52

  Accounting start time: 2019-09-21  13:54:52

  Online time (hh:mm:ss): 0:03:24

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 seconds  0 bytes, direction: Both

  Session timeout: Unlimited

  Time remained: Unlimited

  Traffic quota: Unlimited

  Traffic remained: Unlimited

  IPv6CP interface ID assignment: Enabled

  Redirect WebURL: -

  ITA policy name: N/A

  MRU: 1400 bytes

  IPv4 MTU: 1400 bytes

  IPv6 MTU: 1400 bytes

  Subscriber ID: -

  Inbound netstream sampler: Not set

  Outbound netstream sampler: Not set

  IPv4 multicast user profile: N/A

  IPv6 multicast user profile: N/A

  Current authen method: RADIUS

  Accounting session ID: 400033d-0-0-202205070936120000000012

  Max IPv4 multicast addresses: 1

  IPv4 multicast address list : 225.0.0.11

  Max IPv6 multicast addresses: 1

  IPv6 multicast address list : ff1e::31

 

ACL&QoS:

  Inbound user profile: N/A

  Outbound user profile: N/A

  Session group profile: N/A

  User group acl: N/A

  Inbound CAR: -

  Outbound CAR: -

  Inbound subscriber group CAR: -

  Outbound subscriber group CAR: -

  Inbound user priority: -

  Outbound user priority: -

 

Flow rate statistics:

  Flow rate calculation time: 2019-09-21  13:49:50 - 2019-09-21  13:55:57

  Flow rate: 0 bits/sec

    Inbound  flow rate: 0 bits/sec

    Outbound flow rate: 0 bits/sec

  IPv6 flow rate: 0 bits/sec

    IPv6 inbound  flow rate: 0 bits/sec

    IPv6 outbound flow rate: 0 bits/sec

 

Flow statistics:

  Uplink   packets/bytes: 691/57955

  Downlink packets/bytes: 0/0

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

 

Basic:

  State: Online

  Description: N/A

  PPP index: 0x140000002

  User ID: 0x33f

  Username: user2

  Backup role: N/A

  Authorization domain: dm2

  Authentication domain: dm2

  Interface: XGE0/0/15

  Service-VLAN/Customer-VLAN: -/-

  VXLAN ID: -

  MAC address: 001b-21a8-0949

  IP address: 192.168.0.3

  IP pool: pool1

  Primary DNS server: 8.8.8.8

  Secondary DNS server: -

  IPv6 address: 192::1

  IPv6 pool: pool1

  Primary IPv6 DNS server: 8::8

  Secondary IPv6 DNS server: -

  IPv6 PD prefix: -

  IPv6 ND prefix: -

  IPv6 ND prefix pool: N/A

  DHCP lease: -

  DHCP remaining lease: -

  DHCPv6 lease: -

  DHCPv6 remaining lease: -

  User address type: N/A

  VPN instance: N/A

  Access type: PPPoE

  Authentication type: PPP

  Agent-Circuit-Id: -

  Agent-Remote-Id: -

  NAS-Port-Id: slot=0;subslot=1;port=1;vlanid=0;

  User IPv6CP interface ID: 1e2f:c3e4:3333:1234

  IP gateway address: 192.168.0.1

  IPv6 link-local address: -

  IPv6 address protocol: N/A

  User basic service IP type: IPv4

 

PPPoE:

  Session ID: 1

 

AAA:

  Authentication state: Authenticated

  Authorization state: Authorized

  Realtime accounting switch: Closed

  Realtime accounting interval: -

  Login time: 2019-09-21  13:57:07

  Accounting start time: 2019-09-21  13:57:07

  Online time (hh:mm:ss): 0:01:09

  Accounting state: Accounting

  Acct start-fail action: Online

  Acct update-fail action: Online

  Acct quota-out action: Offline

  Dual-stack accounting mode: Merge

  Idle cut: 0 seconds  0 bytes, direction: Both

  Session timeout: Unlimited

  Time remained: Unlimited

  Traffic quota: Unlimited

  Traffic remained: Unlimited

  IPv6CP interface ID assignment: Enabled

  Redirect WebURL: -

  ITA policy name: N/A

  MRU: 1480 bytes

  IPv4 MTU: 1480 bytes

  IPv6 MTU: 1480 bytes

  Subscriber ID: -

  Inbound netstream sampler: Not set

  Outbound netstream sampler: Not set

  IPv4 multicast user profile: N/A

  IPv6 multicast user profile: N/A

  Current authen method: RADIUS

  Accounting session ID: 400033f-0-0-202205070936120000000012

  Max IPv4 multicast addresses: 1

  IPv4 multicast address list : 225.0.0.11

  Max IPv6 multicast addresses: 1

  IPv6 multicast address list : ff1e::31

 

ACL&QoS:

  Inbound user profile: N/A

  Outbound user profile: N/A

  Session group profile: N/A

  User group acl: N/A

  Inbound CAR: -

  Outbound CAR: -

  Inbound subscriber group CAR: -

  Outbound subscriber group CAR: -

  Inbound user priority: -

  Outbound user priority: -

 

NAT:

  Global IP address: 111.8.0.200

  Port block: 28744-28748

  Extended port block: 2024-2033-111.8.0.201/3024-3033-111.8.0.202/4024-4033-111.8.0.203/5024-5033-111.8.0.214/6024-6033-11.8.0.222

 

Flow rate statistics:

  Flow rate calculation time: 2019-09-21  13:49:50 - 2019-09-21  13:55:57

  Flow rate: 0 bits/sec

    Inbound  flow rate: 0 bits/sec

    Outbound flow rate: 0 bits/sec

  IPv6 flow rate: 0 bits/sec

    IPv6 inbound  flow rate: 0 bits/sec

    IPv6 outbound flow rate: 0 bits/sec

 

Flow statistics:

  Uplink   packets/bytes: 28/4736

  Downlink packets/bytes: 0/0

  IPv6 uplink   packets/bytes: 0/0

  IPv6 downlink packets/bytes: 0/0

 

EDSG:

  Service ID                    : 1

    Uplink packets/bytes        : 4/392

    Downlink packets/bytes      : 4/392

    IPv6 uplink packets/bytes   : 0/0

    IPv6 downlink packets/bytes : 0/0

  Service ID                    : 2

    Uplink packets/bytes        : 0/0

    Downlink packets/bytes      : 0/0

    IPv6 uplink packets/bytes   : 0/0

    IPv6 downlink packets/bytes : 0/0
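
The following Python parser is an added example, not part of the H3C reference. It splits verbose output like the samples above into per-user records, treats the hyphen and N/A as absent values as Table 4 defines them, and flags online sessions that are not authenticated or not in the Accounting state, exempting leased subusers. The sample text, the function names and the audit rule are assumptions constructed for illustration.

```python
import re

# Constructed sample: three abbreviated records in the layout of the
# `display access-user ... verbose` output (leased user, its subuser, PPPoE user).
SAMPLE = """\
Basic:
  State: Online
  User ID: 0x1
  Username: user1
  Authentication domain: dm1
  Access type: L2 IPoE interface leased
  Authentication type: Bind
AAA:
  Authentication state: Authenticated
  Online time(hh:mm:ss): 0:33:54
  Accounting state: Accounting
  Acct start-fail action: Online
Total subusers: 1
  UserID   IP address          MAC address     S-/C-VLAN
  0xc      1.1.1.2             6c45-4eea-0206  -/-
Basic:
  State: Online
  User ID: 0xc
  Username: user1
  Authentication domain: N/A
  IP address: 1.1.1.2
  Access type: L2 IPoE leased subusers
AAA:
  Authentication state: -
  Online time(hh:mm:ss): 0:00:00
  Accounting state: Stop
  Acct start-fail action: Online
Basic:
  State: Online
  User ID: 0x33f
  Username: user2
  Authentication domain: dm2
  Access type: PPPoE
AAA:
  Authentication state: Authenticated
  Online time (hh:mm:ss): 0:01:09
  Accounting state: Wait-acct-start
  Acct start-fail action: Online
"""

ABSENT = {"-", "N/A"}                         # both mean "no value" in this output
SECTION = re.compile(r"^(\S.*?):\s*$")        # "Basic:", "AAA:", "ACL&QoS:", ...
FIELD = re.compile(r"^\s+(.+?)\s*:\s+(.*)$")  # key may itself contain ':' (hh:mm:ss)


def parse_access_users(text):
    """Return one dict per user: {section name: {field name: value or None}}."""
    users, section = [], None
    for line in text.splitlines():
        line = line.replace("\xa0", " ").rstrip()  # web copies carry NBSP-only lines
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            if m.group(1) == "Basic":              # every user record opens with Basic
                users.append({})
            section = users[-1].setdefault(m.group(1), {}) if users else None
            continue
        if not line[0].isspace():                  # prompt line, "Total subusers: 1"
            section = None                         # ignore the subuser summary table
            continue
        m = FIELD.match(line)
        if m and section is not None:
            # Collapse padding and unify "Online time(hh:mm:ss)" with the spaced form.
            # Repeated keys (EDSG/ITA per-service counters) keep the last value.
            key = re.sub(r"\s*\(", " (", " ".join(m.group(1).split()))
            val = m.group(2).strip()
            section[key] = None if val in ABSENT else val
    return users


def audit(users):
    """Return (user ID, finding) pairs for online sessions lacking auth or accounting."""
    findings = []
    for u in users:
        basic, aaa = u.get("Basic", {}), u.get("AAA", {})
        if basic.get("State") != "Online":
            continue
        # Leased subusers do not need authentication and always show "-" as their
        # accounting start time, so empty AAA state is expected for them.
        if "leased subusers" in (basic.get("Access type") or ""):
            continue
        uid = basic.get("User ID")
        if aaa.get("Authentication state") != "Authenticated":
            findings.append((uid, "online but not authenticated"))
        state = aaa.get("Accounting state")
        if state != "Accounting":
            action = aaa.get("Acct start-fail action")
            findings.append((uid, "online without active accounting "
                                  f"(state={state}, start-fail action={action})"))
    return findings


if __name__ == "__main__":
    for uid, finding in audit(parse_access_users(SAMPLE)):
        print(uid, finding)
```
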

Table 4 Command output

Field

Description

Basic

Basic information of a user.

State

Session state of a user. Options include:

·     Init—Initializing.

·     Authing—Authentication in progress.

·     Authed—Authentication completed.

·     Reauth—Reauthentication in progress.

·     Logout—Exiting the current authentication phase.

·     Online—Online.

·     Offline—Going offline.

Description

Description of a user. If the user does not have a description, this field displays N/A.

PPP index

PPP session index. This field is displayed only for PPPoE users and L2TP users.

Username

Username for authentication.

Backup role

Role of the user in the VSRP network:

·     Master—The user belongs to the master device.

·     Backup—The user belongs to the backup device, and the user information is synchronized from the master device.

·     N/A—The user is not in a VSRP network.

Authorization domain

Authorization domain, which specifies the ISP domain that the AAA server authorizes to the user through the H3C-ISP-ID attribute. The authorization domain is the actual ISP domain that the user uses after coming online.

Authentication domain

Authentication domain, which specifies the domain used by the user for authentication on the AAA server. For Layer 2 IPoE leased subusers, who do not need authentication, this field displays N/A.

Interface

Access interface of a user. If the user does not have an access interface, this field displays a hyphen (-).

Backup interface

UP backup access interface of a user. If the user does not have a UP backup access interface, this field is not displayed.

PPPoEA relay interface

Name of the access interface of the PPPoE agency gateway bound to a PPPoE agency group. This interface is on the PPPoE agency gateway for connecting to the campus BRAS. This field is displayed only on a PPPoE agency gateway network.

Service-VLAN/Customer-VLAN

SVLAN and CVLAN of a user. If the user does not have an SVLAN or CVLAN, this field displays -/-.

VXLAN ID

VXLAN ID. If the user does not have a VXLAN ID, this field displays a hyphen (-).

MAC address

MAC address. If the user does not have a MAC address, this field displays a hyphen (-).

For a PPPoE agency user, this field indicates the MAC address of the BRAS user.

IP address

IPv4 address of the user. If the user does not have an IPv4 address, this field displays a hyphen (-).

For a PPPoE agency user, this field indicates the IPv4 address assigned by an ISP to the user.

IP pool

Name of the IP address pool actually used by the user (this field displays N/A if the user does not use an IP address pool). The value displayed for this field depends on the origins of the IP address pool as follows:

·     If AAA authorizes an IP address pool but does not authorize an IP address pool group, the field displays the name of the AAA-authorized IP address pool.

·     If AAA does not authorize an IP address pool but authorizes an IP address pool group, the field displays the name of the IP address pool that actually allocated an IP address to the user in the AAA-authorized IP address pool group.

·     If AAA authorizes both an IP address pool and an IP address pool group, the field displays the name of the AAA-authorized IP address pool.

·     If AAA does not authorize an IP address pool or IP address pool group, the field displays the name of the IP address pool selected through DHCP. For more information about how DHCP selects an IP address pool, see DHCP configuration in BRAS Services Configuration Guide.

IP pool group

AAA-authorized IP address pool group name. This field is displayed when AAA authorizes an IP address pool group.

Primary DNS server

Primary IPv4 DNS server address. This field displays a hyphen (-) when no primary IPv4 DNS server address is allocated to the user.

Secondary DNS server

Secondary IPv4 DNS server address. This field displays a hyphen (-) when no secondary IPv4 DNS server address is allocated to the user.

IPv6 address

IPv6 address of the user. If the user does not have an IPv6 address, this field displays a hyphen (-).

IPv6 pool

Name of the IPv6 address pool actually used by the user (this field displays N/A if the user does not use an IPv6 address pool). The value displayed for this field depends on the origins of the IPv6 address pool as follows:

·     If AAA authorizes an IPv6 address pool but does not authorize an IPv6 address pool group, the field displays the name of the AAA-authorized IPv6 address pool.

·     If AAA does not authorize an IPv6 address pool but authorizes an IPv6 address pool group, the field displays the name of the IPv6 address pool that actually allocated an IPv6 address to the user in the AAA-authorized IPv6 address pool group.

·     If AAA authorizes both an IPv6 address pool and an IPv6 address pool group, the field displays the name of the AAA-authorized IPv6 address pool.

·     If AAA does not authorize an IPv6 address pool or IPv6 address pool group, the field displays the name of the IPv6 address pool selected through DHCP. For more information about how DHCP selects an IPv6 address pool, see DHCPv6 configuration in BRAS Services Configuration Guide.

IPv6 pool group

AAA-authorized IPv6 address pool group name. This field is displayed when AAA authorizes an IPv6 address pool group.

Primary IPv6 DNS server

Primary IPv6 DNS server address. This field displays a hyphen (-) when no primary IPv6 DNS server address is allocated to the user.

Secondary IPv6 DNS server

Secondary IPv6 DNS server address. This field displays a hyphen (-) when no secondary IPv6 DNS server address is allocated to the user.

IPv6 PD prefix

IPv6 PD prefix of the user. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-).

IPv6 ND prefix

IPv6 ND prefix of the user. If the user does not have an IPv6 ND prefix, this field displays a hyphen (-).

IPv6 ND prefix pool

Name of the AAA-authorized IPv6 ND prefix pool. (This field displays N/A if no IPv6 ND prefix pool is authorized). The value displayed for this field depends on the origins of the IPv6 ND prefix pool:

·     If AAA authorizes an IPv6 ND prefix pool but does not authorize an IPv6 ND prefix pool group, the field displays the name of the AAA-authorized IPv6 ND prefix pool.

·     If AAA does not authorize an IPv6 ND prefix pool but authorizes an IPv6 ND prefix pool group, the field displays the name of the IPv6 ND prefix pool that actually allocated a prefix to the user in the AAA-authorized IPv6 ND prefix pool group.

·     If AAA authorizes both an IPv6 ND prefix pool and an IPv6 ND prefix pool group, the field displays the name of the AAA-authorized IPv6 ND prefix pool.

IPv6 ND prefix pool group

Name of the AAA-authorized IPv6 ND prefix pool group. This field is displayed only when AAA authorizes an IPv6 ND prefix pool group.

DHCP lease

DHCP-authorized IP lease in seconds:

·     Hyphen (-)—No IP lease is authorized.

·     Unlimited—The IP lease is unlimited.

DHCP remaining lease

Remaining DHCP-authorized IP lease in seconds.

This field is displayed only on the service node. On the other nodes, this field displays a hyphen (-).

DHCPv6 lease

DHCPv6-authorized IPv6 lease in seconds:

·     Hyphen (-)—No IPv6 lease is authorized.

·     Unlimited—The IPv6 lease is unlimited.

DHCPv6 remaining lease

Remaining DHCPv6-authorized IPv6 lease in seconds.

This field is displayed only on the service node. On the other nodes, this field displays a hyphen (-).

User address type

AAA-authorized user address type:

·     private-ds—Private dual-stack address.

·     private-ipv4—Private IPv4 address.

·     public-ds—Public dual-stack address.

·     public-ipv4—Public IPv4 address.

·     ds-lite—Lite dual-stack address.

·     ipv6—IPv6 address.

·     nat64—NAT64 address.

·     N/A—If no IPv4 user address type is authorized, this field displays N/A.

VPN instance

VPN instance of the user. If the user belongs to a public network, this field displays N/A.

Access type

Access type of the user. For more information, see Table 2.

Authentication type

Authentication type of the user:

·     Admin—Device management users.

·     Bind—IPoE users using bind authentication.

·     PPP—PPP users.

·     Pre-auth—IPoE users in preauthentication phase.

·     SSLVPN—SSL VPN users.

·     Web-auth—IPoE users in Web authentication phase and users performing authentication through a Web interface on a Layer 2 Ethernet interface.

¡     mac-auth: IPoE Web users that come online through transparent MAC authentication.

¡     mac-trigger: IPoE Web users that come online through transparent MAC trigger authentication.

Inherit-PPPoE user: Yes

The current IPoE Web user directly inherits the PPPoE user information in the preauthentication domain and comes online in the postauthentication domain. This field is displayed only when the IPoE Web user inherits the PPPoE user information and comes online in the postauthentication domain.

Static leased user

Whether the user is an IPoE static leased user. This field displays Yes for static leased users and No for the other users.

(Static leased sessions are supported only when the bind authentication mode is used.)

Agent-Circuit-Id

Circuit ID. If no circuit ID exists, this field displays a hyphen (-).

Agent-Remote-Id

Remote ID. If no remote ID exists, this field displays a hyphen (-).

NAS-Port-Id

Information encapsulated in the NAS-Port-ID attribute. If no NAS-Port-ID attribute information exists, this field displays a hyphen (-). For a leased user or subuser, this field always displays the NAS-Port-ID of the leased user.

This field displays the NAS-Port-ID encapsulation format defined by each service module and is not affected by the attribute 87 format command configuration. For more information about this command, see AAA commands.

User IPv6CP interface ID

Interface ID used by a PPP user after the IPv6CP negotiation succeeds. If the user does not have an interface ID, this field displays a hyphen (-). The interface IDs used by PPP users include the following types, in descending order of priority:

1.     Interface ID authorized by the RADIUS server through the Framed-Interface-Id attribute.

2.     The lowest 64 bits of the authorized IPv6 address if an IPv6 address is authorized to the user but no IPv6 prefix is authorized to the user when NDRA is used to allocate IPv6 addresses to PPP users.

3.     Interface ID automatically assigned by the device when the ipv6cp assign-interface-id command is executed in the ISP domain of the user.

If the ipv6cp assign-interface-id command is not executed in the ISP domain of the user, the following rules apply:

·     If the user carries a non-zero interface ID that does not conflict with any other interface ID, the interface ID carried by the user is used.

·     Otherwise, the interface ID assigned by the device is used.

IP gateway address

IPv4 gateway address of the user. If the user does not have an IPv4 gateway address, this field displays a hyphen (-).

IPv6 link-local address

IPv6 link-local address of the user. If the user does not have an IPv6 link-local address, this field displays a hyphen (-).

IPv6 address protocol

IPv6 address protocol types. If there are multiple IPv6 address protocol types, they are separated by spaces. Options include:

·     DHCPv6—DHCPv6 is used to allocate IPv6 addresses to users.

·     DHCPv6-PD—DHCPv6 is used to allocate IPv6 PD prefixes to users.

·     ND—IPv6 NDRA is used to allocate IPv6 addresses to users.

·     N/A—IPv6 addresses are allocated in a non-dynamic method.

User basic service IP type

IP address types on which the main service of the user depends. If multiple IP address types are configured, they are separated by spaces. If no IP address types are configured, this field displays a hyphen (-). Options include:

·     IPv4—IPv4 address type.

·     IPv6—IPv6 address type.

·     IPv6-PD—IPv6 PD prefix.

AAA

AAA information. 

Authentication state

Authentication state of the user:

·     Idle—The user is not authenticated.

·     Authenticating—The user is being authenticated.

·     Authenticated—The user has been authenticated.

Authorization state

Authorization state of the user:

·     Idle—The user is not authorized.

·     Authorizing—The user is being authorized.

·     Authorized—The user has been authorized.

Realtime accounting switch

Realtime accounting switch:

·     Open.

·     Closed.

Realtime accounting interval

Realtime accounting interval in seconds. If the device does not send accounting information of online users to the AAA server, this field displays a hyphen (-).

Login time

Time when the user logged in.

Accounting start time

Time when accounting started for the user. For a leased subuser, this field always displays a hyphen (-).

Online time (hh:mm:ss)

Online duration of the user in the current login. For a leased subuser, this field always displays 0:00:00.

Accounting state

Accounting state of a user:

·     Idle.

·     Ready.

·     Accounting—Accounting in progress.

·     Leaving-flow-query—Waiting for offline flow responses.

·     Wait-acct-start—Waiting for Accounting-Start responses.

·     Wait-acct-stop—Waiting for the Accounting-Stop responses.

·     Stop—Accounting stopped.

Acct start-fail action

Actions to take after accounting fails to start:

·     Online—Keeps the user online.

·     Offline—Forces the user offline.

Acct update-fail action

Actions to take after accounting fails to update:

·     Online—Keeps the user online.

·     Offline—Forces the user offline.

Acct quota-out action

Actions to take after the traffic quota is exhausted:

·     Online—Keeps the user online.

·     Offline—Forces the user offline.

·     Redirect—Pushes a redirect Web page to the user.

Dual-stack accounting mode

Accounting mode of dual-stack users:

·     Merge—Reports the IPv4 and IPv6 traffic of dual-stack users as a whole to the accounting server.

·     Separate—Reports the IPv4 and IPv6 traffic of dual-stack users to the accounting server separately.

Idle cut

Parameters for idle cut. If traffic does not reach the specified threshold in bytes within the specified period, the user is considered as offline and is logged out.

direction

The device determines whether to idle cut (forcibly log out) a user based on whether the inbound, outbound, or total traffic of the user reaches the specified threshold in bytes within the specified period.

Direction of traffic to be used by idle cut:

·     Both—Sum of inbound and outbound traffic.

·     Inbound—Inbound traffic.

·     Outbound—Outbound traffic.

Session timeout

AAA-authorized session timeout in seconds.

·     Unlimited—The online duration of the user is not limited in either of the following conditions:

¡     The action to take on a user after the accounting quota (traffic or duration) is exhausted is to keep the user online.

¡     No session timeout is authorized to the user.

·     Hyphen (-)—After the authorized online duration times out, a redirect Web page is pushed to the user.

This field is displayed only when the remaining AAA-authorized session timeout is not 0.

Time remained

Remaining AAA-authorized session timeout in seconds.

·     Unlimited—The online duration of the user is not limited in either of the following conditions:

¡     The action to take on a user after the accounting quota (traffic or duration) is exhausted is to keep the user online.

¡     No session timeout is authorized to the user.

·     Hyphen (-)—After the authorized online duration times out, a redirect Web page is pushed to the user.

This field is displayed only when the remaining AAA-authorized session timeout is not 0.

Traffic quota

AAA-authorized traffic quota in bytes.

·     Unlimited—The traffic quota of the user is not limited in either of the following conditions:

¡     The action to take on a user after the accounting quota (traffic or duration) is exhausted is to keep the user online.

¡     No traffic quota is authorized to the user.

·     Hyphen (-)—After the authorized traffic quota is exhausted, a redirect Web page is pushed to the user.

This field is displayed only when the remaining AAA-authorized traffic quota is not 0.

Traffic remained

Remaining AAA-authorized traffic quota in bytes.

·     Unlimited—The traffic quota of the user is not limited in either of the following conditions:

¡     The action to take on a user after the accounting quota (traffic or duration) is exhausted is to keep the user online.

¡     No traffic quota is authorized to the user.

·     Hyphen (-)—After the authorized traffic quota is exhausted, a redirect Web page is pushed to the user.

This field is displayed only when the remaining AAA-authorized traffic quota is not 0.

IPv6CP interface ID assignment

Whether the ipv6cp assign-interface-id command is executed to enable the device to forcibly assign interface IDs to PPP users during IPv6CP negotiation and not to accept non-zero interface IDs that are carried in user packets and do not conflict with other interface IDs.

·     Enabled.

·     Disabled.

Redirect WebURL

URL address of the Web page pushed to the user. Options include:

·     Authorized reachable redirect URL—For IPoE Web preauthentication, this field displays the URL of the IPv4 Web authentication page pushed to the user. In other cases, this field displays the URL of the redirect IPv4 or IPv6 Web page pushed to the user.

·     Redirect URL after the user traffic quota is used up—URL of the IPv4 or IPv6 Web page pushed to the user after the user traffic quota is used up.

For the preceding URLs, follow these restrictions and guidelines:

·     If you use the web-server url-parameter userip source-address command to configure the redirect URL to carry the user IP address, this parameter will be displayed as %c here.

·     If you use the web-server url-parameter userurl original-url command to configure the redirect URL to carry the URL of the Web page that the user initially accesses, this parameter will be displayed as %o here.

·     If the user does not have the redirect Web URL, this field displays a hyphen (-).

Redirect IPv6 WebURL

This field applies only to the IPoE Web preauthentication domain, and indicates the IPv6 URL of the reachable Web authentication page pushed to the user.

·     If you use the web-server url-parameter userip source-address command to configure the redirect URL to carry the user IP address, this parameter will be displayed as %c here.

·     If you use the web-server url-parameter userurl original-url command to configure the redirect URL to carry the URL of the Web page that the user initially accesses, this parameter will be displayed as %o here.

·     If there is no IPv6 URL for a Web authentication page pushed to the user, this field will not be displayed.

ITA policy name

AAA-authorized ITA policy name. If no ITA policy name is authorized, this field displays N/A.

MRU

MRU in bytes negotiated by both ends of a link in the PPP LCP phase. This field is applicable to only PPPoE and L2TP users, and displays N/A for other users.

IPv4 MTU

MTU used for guiding IPv4 packet forwarding, in bytes. This field is applicable to only PPPoE and L2TP users, and displays N/A for other users.

IPv6 MTU

MTU used for guiding IPv6 packet forwarding, in bytes. This field is applicable to only PPPoE and L2TP users, and displays N/A for other users.

Subscriber ID

Subscriber ID authorized to the user. If no subscriber ID is authorized, this field displays a hyphen (-).

Inbound netstream sampler

Name of the inbound NetStream sampler authorized to the user. If no inbound NetStream sampler is authorized to the user, this field displays Not set.

Outbound netstream sampler

Name of the outbound NetStream sampler authorized to the user. If no outbound NetStream sampler is authorized to the user, this field displays Not set.

IPv4 multicast user profile

Name of the IPv4 multicast user profile authorized to the user. If no IPv4 multicast user profile is authorized to the user, this field displays N/A.

IPv6 multicast user profile

Name of the IPv6 multicast user profile authorized to the user. If no IPv6 multicast user profile is authorized to the user, this field displays N/A.

Current authen method

Current authentication method:

·     None—Does not authenticate users.

·     Local—Local authentication.

·     RADIUS—RADIUS authentication.

·     RADIUS proxy—RADIUS proxy authentication.

·     HWTACACS—HWTACACS authentication.

Accounting session ID

Accounting session ID.

NAT instance

NAT instance name. If the user does not have a NAT instance, this field is not displayed.

Max IPv4 multicast addresses

Maximum number of AAA-authorized IPv4 multicast groups that a user can join. This field is displayed only when the number of addresses in the list is greater than 0.

IPv4 multicast address list

List of AAA-authorized IPv4 multicast group addresses. If no IPv4 multicast group is authorized, this field displays an ellipsis (...).

Max IPv6 multicast addresses

Maximum number of AAA-authorized IPv6 multicast groups that a user can join. This field is displayed only when the number of addresses in the list is greater than 0.

IPv6 multicast address list

List of AAA-authorized IPv6 multicast group addresses. If no IPv6 multicast group is authorized, this field displays an ellipsis (...).

Radius-proxy client IP address

IPv4/IPv6 address of the RADIUS client when the RADIUS proxy feature is enabled.

Radius-proxy client VPN instance

Name of the VPN instance to which the RADIUS client belongs when the RADIUS proxy feature is enabled. This field displays N/A if the RADIUS client belongs to the public network instance.

User session: limit n, online m

Statistics about users using a shared account. This field is displayed only when the users-per-account command has been executed in the ISP domain to which the users belong or the RADIUS server has authorized attribute 62 (port-limit) to users.

·     limit—Maximum number of concurrent users allowed for a shared account.

·     online—Actual number of access users.

Account ID

Account ID automatically allocated by the system to the user. This field is not displayed if no account ID is allocated.

Authorized IPv4 address

IPv4 address authorized to the user by AAA. If no IPv4 address is authorized, this field displays N/A.

Authorized IPv6 address

IPv6 address authorized to the user by AAA. If no IPv6 address is authorized, this field displays N/A.

PPPoE agency user: Yes

Indicates that the user supports PPPoE agency. This field appears only if PPPoE agency is supported.

PPPoEA state

Online state of the PPPoE agency user. The field is displayed only when the PPPoE agency feature is supported. Possible values for the PPPoE agency state include:

·     Request—PPPoE agency requests are initiated.

·     Succeeded—PPPoE agency succeeds, but the user has not come online.

·     Online—The PPPoEA user has come online.

·     Start redial timer—The redial timer is started after the PPPoE agency fails or the PPPoE agency user goes offline, and the redial timer has not timed out. After the redial timer times out, PPPoE agency will be performed again.

PPPoEA user ID

User ID of a PPPoEA user. This field is displayed only when the PPPoE agency feature is supported.

PPPoEA user IP

IP address of a PPPoEA user. This field is displayed only when the PPPoE agency feature is supported.

PPPoEA online failure or offline reason

Online failure reason or offline reason of a PPPoEA user. This field is displayed only when the PPPoE agency feature is supported.

PPPoEA redial times

Redial times of a PPPoEA user. This field is displayed only when the PPPoE agency feature is supported.

PPPoEA user name

Username used by a PPPoEA user for coming online. This field is displayed only when the PPPoE agency feature is supported.

PPPoEA user group

User group to which a PPPoEA user belongs. This field is displayed only when the PPPoE agency feature is supported.

ACL&QoS

ACL and QoS information.

Inbound user profile

Name of the AAA-authorized inbound user profile. N/A means that no inbound user profile is authorized.

The user profile has the following states:

·     active—The inbound user profile is authorized successfully.

·     inactive—Inbound user profile authorization failed or the inbound user profile does not exist on the BRAS.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

Outbound user profile

Name of the AAA-authorized outbound user profile. N/A means that no outbound user profile is authorized.

The user profile has the following states:

·     active—The outbound user profile is authorized successfully.

·     inactive—Outbound user profile authorization failed or the outbound user profile does not exist on the BRAS.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

Session group profile

Name of the AAA-authorized session group profile. N/A means that no session group profile is authorized.

The session group profile has the following states:

·     inactive—Session group profile authorization failed or the session group profile does not exist on the BRAS.

·     active—The session group profile is authorized successfully.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

If the authorization result has not been updated, nothing is displayed.

User group acl

Name of the AAA-authorized user group ACL. N/A means that no user group ACL is authorized.

The user group ACL has the following states:

·     active—The user group ACL is authorized successfully.

·     inactive—User group ACL authorization failed or the user group ACL does not exist on the BRAS.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

If the authorization result has not been updated, nothing is displayed.

Inbound CAR

AAA-authorized inbound CIR and PIR in kbps, and CBS in bytes. A hyphen (-) means that no inbound CAR is authorized.

The inbound CAR has the following states:

·     inactive—Inbound CAR is not authorized successfully.

·     active—Inbound CAR is authorized successfully.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

Outbound CAR

AAA-authorized outbound CIR and PIR in kbps, and CBS in bytes. A hyphen (-) means that no outbound CAR is authorized.

The outbound CAR has the following states:

·     inactive—Outbound CAR is not authorized successfully.

·     active—Outbound CAR is authorized successfully.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

Inbound subscriber group CAR

AAA-authorized inbound subscriber group CAR parameters:

·     Committed information rate (CIR) in kbps.

·     Peak information rate (PIR) in kbps.

·     Committed burst size (CBS) in bytes.

If no CAR parameters have been authorized, this field displays a hyphen (-). Authorization status options include:

·     active—Inbound subscriber group CAR parameters have been authorized successfully.

·     inactive—Inbound subscriber group CAR parameters have failed to be authorized.

·     N/A—Indicates insignificant authorization status (the current device does not need this authorization attribute).

Outbound subscriber group CAR

AAA-authorized outbound subscriber group CAR parameters:

·     Committed information rate (CIR) in kbps.

·     Peak information rate (PIR) in kbps.

·     Committed burst size (CBS) in bytes.

If no CAR parameters have been authorized, this field displays a hyphen (-). Authorization status options include:

·     active—Outbound subscriber group CAR parameters have been authorized successfully.

·     inactive—Outbound subscriber group CAR parameters have failed to be authorized.

·     N/A—Indicates insignificant authorization status (the current device does not need this authorization attribute).

Inbound user priority

AAA-authorized inbound user priority, which can be a number in the range of 0 to 7, 15, or a hyphen (-). A hyphen (-) or 15 means that no inbound user priority is authorized.

The inbound user priority has the following states:

·     inactive—Inbound user priority is not authorized successfully.

·     active—Inbound user priority is authorized successfully.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

Outbound user priority

AAA-authorized outbound user priority, which can be a number in the range of 0 to 7, 15, or a hyphen (-). A hyphen (-) or 15 means that no outbound user priority is authorized.

The outbound user priority has the following states:

·     inactive—Outbound user priority is not authorized successfully.

·     active—Outbound user priority is authorized successfully.

·     N/A—The authorization state is insignificant. The device does not need the authorized attribute.

NAT

NAT information.

Global IP address

Public network IP address. This field is displayed after NAT444 translation.

Port block

Port block, from the start port to the end port. This field is displayed after NAT444 translation.

Extended port block

Extended port block, in the form of start port-end port-public network IP address. This field is displayed only when extended port blocks are configured in dynamic port block mapping mode.

Flow statistics

Flow statistics.

Uplink   packets/bytes

Total number and size of uplink packets. This field displays the total number and size of uplink IPv4 and IPv6 packets in Merge accounting mode. Otherwise, this field displays the total number and size of uplink IPv4 packets.

Downlink   packets/bytes

Total number and size of downlink packets. This field displays the total number and size of downlink IPv4 and IPv6 packets in Merge accounting mode. Otherwise, this field displays the total number and size of downlink IPv4 packets.

IPv6 uplink   packets/bytes

Total number and size of uplink IPv6 packets.

IPv6 downlink packets/bytes

Total number and size of downlink IPv6 packets.

Flow rate statistics

Flow rate statistics (displayed only when the access-user flow-rate-calculate enable command is executed).

Flow rate calculation time: 2019-09-21 13:49:50 - 2019-09-21 13:55:57

User flow rate information within the specified time period.

Flow rate

In merge accounting mode, this field displays the sum of the user's IPv4 uplink and downlink flow rates and IPv6 uplink and downlink flow rates. In any other case, this field displays the sum of the user's IPv4 uplink flow rate and IPv4 downlink flow rate. The unit of measurement is bps.

Inbound flow rate

In merge accounting mode, this field displays the sum of the user's IPv4 uplink flow rate and IPv6 uplink flow rate. In any other case, this field displays the user's IPv4 uplink flow rate. The unit of measurement is bps.

Outbound flow rate

In merge accounting mode, this field displays the sum of the user's IPv4 downlink flow rate and IPv6 downlink flow rate. In any other case, this field displays the user's IPv4 downlink flow rate. The unit of measurement is bps.

IPv6 flow rate

Sum of the user's IPv6 uplink flow rate and downlink flow rate. The unit of measurement is bps.

IPv6 inbound flow rate

User's IPv6 uplink flow rate, in bps.

IPv6 outbound flow rate

User's IPv6 downlink flow rate, in bps.

PPPoE

PPPoE information.

Session ID

PPPoE session ID.

L2TP LAC

L2TP LAC information.

L2TP LNS

L2TP LNS information.

Group ID

L2TP group number.

Local tunnel ID

Tunnel ID of the local L2TP end.

Remote tunnel ID

Tunnel ID of the L2TP peer.

Local session ID

Session ID of the local L2TP end.

Remote session ID

Session ID of the L2TP peer.

Local IP

IP address of the local L2TP end.

Remote IP

IP address of the L2TP peer.

Local port

UDP port number used by the local L2TP end.

Remote port

UDP port number used by the L2TP peer.

Vrf index

VPN index of an L2TP session.

Calling station

L2TP calling number. If the calling number does not exist, this field displays a hyphen (-).

ITA

ITA information.

Level-n

ITA accounting level n, in the range of 1 to 8.

EDSG

EDSG information.

Service ID

EDSG service ID.

Uplink packets/bytes

·     Uplink IPv4 and IPv6 ITA or EDSG traffic in packets and bytes when the dual-stack accounting mode is merge.

·     Uplink IPv4 ITA or EDSG traffic in packets and bytes in any other case.

Downlink packets/bytes

·     Downlink IPv4 and IPv6 ITA or EDSG traffic in packets and bytes when the dual-stack accounting mode is merge.

·     Downlink IPv4 ITA or EDSG traffic in packets and bytes in any other case.

IPv6 uplink packets/bytes

Uplink IPv6 ITA or EDSG traffic in packets and bytes.

IPv6 downlink packets/bytes

Downlink IPv6 ITA or EDSG traffic in packets and bytes.

Total subusers

Number of Layer 2 IPoE leased subusers and brief information about these subusers (the brief information is displayed only when subusers exist).

Related commands

cut access-user

display access-user statistics

Use display access-user statistics to display statistics of access users by accounting state, backup role, or session state.

Syntax

display access-user { accounting-state | backup-role | session-state } statistics [ [ all-vpn-instance | public-instance | vpn-instance vpn-instance-name ] | domain domain-name [ authorization | authentication ] | interface interface-type interface-number [ all | s-vlan svlan-id [ c-vlan cvlan-id ] ] | ip-pool pool-name | ip-pool-group ip-pool-groupname | ip-type { dual-stack | ipv4 | ipv6 } | ipv6-address-protocol { dhcpv6 | dhcpv6-pd | nd } | ipv6-pool pool-name | ipv6-pool-group ipv6-pool-groupname | lac-ip lac-ip-address | lns-ip lns-ip-address | nat-instance nat-instance-name | remote-name tunnel-name | user-group { user-group-name | [ user-group-name ] inactive } | user-type { l2vpn-leased | lac | layer2-dynamic | layer2-family-leased | layer2-interface-leased | layer2-static | layer2-subnet-leased | layer3-dynamic | layer3-interface-leased | layer3-static | layer3-subnet-leased | leased | leased-subuser | lns | pppoe | pppoea } ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

accounting-state: Displays statistics of access users based on accounting state.

backup-role: Displays statistics of access users based on backup role.

session-state: Displays statistics of access users based on session state.

all-vpn-instance: Specifies all VPN instances, excluding the public network instance.

public-instance: Specifies the public network instance.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument specifies an MPLS L3VPN name, a case-sensitive string of 1 to 31 characters.

domain domain-name: Specifies an ISP domain by its name. The domain-name argument represents the name of an authorization or authentication domain, a case-insensitive string of 1 to 255 characters. If you specify the domain keyword but do not specify the authorization or authentication keyword, this command displays statistics of users who access through all authentication and authorization domains that meet the criteria.

·     authorization: Specifies users that access through the specified authorization domain.

·     authentication: Specifies users that access through the specified authentication domain.

interface interface-type interface-number: Specifies users that access an interface specified by its type and number. This option is supported only for network access users.

·     all: Specifies users on the current main interface and all its subinterfaces. To specify this keyword, make sure the interface specified by using the interface keyword is a main interface.

·     s-vlan svlan-id: Specifies an SVLAN by its ID. The value range for the svlan-id argument is 1 to 4094.

·     c-vlan cvlan-id: Specifies a CVLAN by its ID. The value range for the cvlan-id argument is 1 to 4094.

ip-pool pool-name: Specifies an IPv4 address pool by its name, a case-insensitive string of 1 to 63 characters.

ip-pool-group ip-pool-groupname: Specifies an IPv4 address pool group by its name, a case-insensitive string of 1 to 63 characters.

ip-type: Specifies an IP version of users.

·     dual-stack: Specifies dual-stack users.

·     ipv4: Specifies IPv4 users.

·     ipv6: Specifies IPv6 users.

ipv6-address-protocol: Specifies users whose IPv6 addresses or prefixes are assigned by the specified IPv6 protocol.

·     dhcpv6: Specifies users whose IPv6 addresses are assigned by DHCPv6.

·     dhcpv6-pd: Specifies users whose IPv6 PD prefixes are assigned by DHCPv6.

·     nd: Specifies users whose addresses are assigned by IPv6 NDRA.

ipv6-pool pool-name: Specifies an IPv6 address pool by its name, a case-insensitive string of 1 to 63 characters. On an NDRA network, if the IPv6 prefix of a user is from an ND prefix pool, the pool-name argument represents the name of the AAA-authorized ND prefix pool.

ipv6-pool-group ipv6-pool-groupname: Specifies an IPv6 address pool group by its name, a case-insensitive string of 1 to 63 characters.

lac-ip lac-ip-address: Specifies the LNS to display users on the LAC specified by its IP address. Only the LNS supports this option.

lns-ip lns-ip-address: Specifies the LAC to display users on the LNS specified by its IP address. Only the LAC supports this option.

nat-instance nat-instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX". To ensure that NAT operates normally, make sure the specified NAT instance name is available.

remote-name tunnel-name: Displays statistics of L2TP users for the specified LAC or LNS. The tunnel-name argument represents the tunnel name on the LAC or LNS, and is a case-sensitive string of 1 to 31 characters.

user-group: Displays statistics for users in the specified user group.

·     user-group-name: Specifies the name of an authorized user group, a case-insensitive string of 1 to 32 characters.

·     inactive: Displays information of users for which the user groups failed to be authorized. If this keyword is not specified, this command displays information of users with the specified user group authorized. If this keyword is specified, the following rules apply:

¡     When the user-group-name argument is not specified, this command displays information of users for which any user group failed to be authorized.

¡     When the user-group-name argument is specified, this command only displays information of users for which the specified user group failed to be authorized.

user-type: Specifies a user type.

·     l2vpn-leased: Specifies IPoE L2VPN-leased users.

·     lac: Specifies online users on the device acting as an LAC.

·     layer2-dynamic: Specifies Layer 2 IPoE dynamic users.

·     layer2-family-leased: Specifies Layer 2 IPoE family-leased users.

·     layer2-interface-leased: Specifies Layer 2 IPoE interface-leased users.

·     layer2-static: Specifies Layer 2 IPoE static users.

·     layer2-subnet-leased: Specifies Layer 2 IPoE subnet-leased users.

·     layer3-dynamic: Specifies Layer 3 IPoE dynamic users.

·     layer3-interface-leased: Specifies Layer 3 IPoE interface-leased users.

·     layer3-static: Specifies Layer 3 IPoE static users.

·     layer3-subnet-leased: Specifies Layer 3 IPoE subnet-leased users.

·     leased: Specifies IPoE leased users (including main users and subusers).

·     leased-subuser: Specifies Layer 2 IPoE leased subusers.

·     lns: Specifies online users on the device acting as an LNS.

·     pppoa: Specifies online PPPoA users.

·     pppoe: Specifies online PPPoE users.

·     pppoea: Specifies online PPPoE agency users.

Examples

·     Display the statistics of the access users by accounting state.

# Display the statistics of the access users by accounting state.

<Sysname> display access-user accounting-state statistics

Total users                       : 3

Idle                              : 0

Ready                             : 0

Wait-acct-start                   : 0

Accounting                        : 3

Leaving-flow-query                : 0

Wait-acct-stop                    : 0

Stop                              : 0

Table 5 Command output

| Field | Description |
|---|---|
| Total users | Total number of users. |
| Idle | Number of users in Idle state. |
| Ready | Number of users in Ready state. |
| Wait-acct-start | Number of users in Wait-acct-start state. |
| Accounting | Number of users in Accounting state. |
| Leaving-flow-query | Number of users in Leaving-flow-query state. |
| Wait-acct-stop | Number of users in Wait-acct-stop state. |
| Stop | Number of users in Stop state. |

·     Display the statistics of the access users by backup role.

# Display the statistics of the access users by backup role.

<Sysname> display access-user backup-role statistics

Total users                       : 3

Normal users                      : 3

Master users                      : 0

Backup users                      : 0

-------------------------------------

Local-access users                : 3

Remote-access users               : 0

Table 6 Command output

| Field | Description |
|---|---|
| Total users | Total number of users, which is the sum of the following types of users: Normal users, Master users, and Backup users. |
| Normal users | Number of users in a non-VSRP network. |
| Master users | Number of users with the backup role as Master in a VSRP network. |
| Backup users | Number of users with the backup role as Backup in a VSRP network. |
| Local-access users | Number of users who initially come online from the local device in a VSRP network, as well as all users on the local device in a non-VSRP network. |
| Remote-access users | Number of users who initially come online from the remote device in a VSRP network. |

·     Display the statistics of the access users by session state.

# Display the statistics of the access users by session state.

<Sysname> display access-user session-state statistics

Total users                       : 3

Init                              : 0

Authing                           : 0

Authed                            : 0

Reauth                            : 0

Logout                            : 0

Online                            : 3

Offline                           : 0

Table 7 Command output

| Field | Description |
|---|---|
| Total users | Total number of users. |
| Init | Number of users in initialization state. |
| Authing | Number of users in authenticating state. |
| Authed | Number of users in authenticated state. |
| Reauth | Number of users in reauthentication phase. |
| Logout | Number of users exiting the current authentication. |
| Online | Number of users in online state. |
| Offline | Number of users going offline. |

display access-user backup-state

Use display access-user backup-state to display the access user backup state on each slot.

Syntax

display access-user backup-state

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

The active MPU will synchronize the online user information to the standby MPUs and interface cards. You can use this command to view the progress of synchronizing online user information to the standby MPUs and interface cards. (In standalone mode.)

The global active MPU will synchronize the online user information to the standby MPUs and interface cards. You can use this command to view the progress of synchronizing online user information to the standby MPUs and interface cards. (In IRF mode.)

For example, when locating faults, you might need to manually trigger active/standby switchover. To ensure data consistency after the switchover, use this command to verify that the data has been synchronized completely before triggering the switchover.

Examples

# Display the access user backup state on each slot.

<Sysname> display access-user backup-state

Slot 0: Ready for smoothing

Table 8 Command output

| Field | Description |
|---|---|
| Ready for smoothing | Data synchronization has not started. |
| Smoothing | Data synchronization is in progress. |
| Smoothing finished | Data synchronization has finished. |
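The usage guideline above asks you to confirm synchronization before a manual active/standby switchover. The following is an added example (not H3C code) that gates on every slot reporting Smoothing finished and also checks the Table 6 rule that Total users equals Normal + Master + Backup. The multi-slot sample output and all function names are assumptions constructed for illustration, and using the Table 6 sum as a gate is this example's own choice.

```python
"""Pre-switchover readiness check built on two display commands from this page."""
import re

# Constructed sample output, modelled on the single-slot example on this page.
SAMPLE_BACKUP_STATE = """\
<Sysname> display access-user backup-state
Slot 0: Smoothing finished
Slot 1: Smoothing
Slot 2: Ready for smoothing
"""

# Same values as the backup-role example on this page.
SAMPLE_BACKUP_ROLE = """\
<Sysname> display access-user backup-role statistics
Total users                       : 3
Normal users                      : 3
Master users                      : 0
Backup users                      : 0
-------------------------------------
Local-access users                : 3
Remote-access users               : 0
"""

FINISHED = "Smoothing finished"
KNOWN_STATES = {"Ready for smoothing", "Smoothing", FINISHED}  # Table 8

# "Name   : N" lines as printed by the statistics commands.
STAT_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s*:\s*(?P<count>\d+)\s*$")


def parse_backup_state(text):
    """Return {slot label: state} from 'display access-user backup-state' output."""
    slots = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<") or ":" not in line:
            continue  # blank line, CLI prompt echo, or unrelated text
        label, _, state = line.partition(":")
        slots[label.strip()] = state.strip()
    return slots


def parse_statistics(text):
    """Return {field: count} from a 'Name : N' statistics listing."""
    stats = {}
    for line in text.splitlines():
        match = STAT_LINE.match(line)
        if match:
            stats[match.group("name")] = int(match.group("count"))
    return stats


def switchover_blockers(backup_state_text, backup_role_text):
    """List reasons not to trigger a switchover; an empty list means ready."""
    blockers = []

    slots = parse_backup_state(backup_state_text)
    if not slots:
        # Empty or unparsable output must never be read as "synchronized".
        blockers.append("no slot state parsed (fail closed)")
    for label, state in slots.items():
        if state not in KNOWN_STATES:
            blockers.append(f"{label}: unrecognised state {state!r}")
        elif state != FINISHED:
            blockers.append(f"{label}: {state}")

    # Table 6: Total users is the sum of Normal, Master and Backup users.
    stats = parse_statistics(backup_role_text)
    parts = ("Normal users", "Master users", "Backup users")
    missing = [key for key in ("Total users",) + parts if key not in stats]
    if missing:
        blockers.append("backup-role fields missing: " + ", ".join(missing))
    elif stats["Total users"] != sum(stats[key] for key in parts):
        blockers.append("Total users != Normal + Master + Backup")
    return blockers


if __name__ == "__main__":
    problems = switchover_blockers(SAMPLE_BACKUP_STATE, SAMPLE_BACKUP_ROLE)
    if problems:
        print("Do not switch over yet:")
        for problem in problems:
            print("  -", problem)
    else:
        print("All slots synchronized; switchover can proceed.")
```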

display access-user offline-reason statistics

Use display access-user offline-reason statistics to display offline reason and online reason statistics of access users.

Syntax

display access-user offline-reason statistics [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays the sub-reason codes and related statistics for each main reason code. If you do not specify this keyword, this command displays each main reason code and related statistics.

Usage guidelines

This command displays offline reason and online reason statistics of access users.

When the access module is busy processing services, the system might fail to display the related statistics temporarily. In this case, wait a moment and display the statistics later.

This command can display the offline reason statistics for PPPoE, L2TP, and IPoE users.

If the count for a reason code is 0, the reason code field is not displayed.

The offline reasons vary by network environment. Table 9 lists only some common offline reasons. For more offline reasons, see the actual output of the device.

Examples

# Display statistics for the main offline reasons.

<Sysname> display access-user offline-reason statistics

Administrator is resetting service on the NAS: 1

NAS detected an error on the port which required ending the session: 1

NAS error: 5

NAS ended session for a non-error unknown reason: 2

# Display statistics for the offline sub-reasons.

<Sysname> display access-user offline-reason statistics verbose

cut command: 1

Interface down: 1

Service-type mismatch with local-user's: 5

TERM with Ifnet down: 2

Table 9 Command output

Field

Description

User request

Number of users who proactively request to go offline.

Physical down

Number of users that go offline because of data interruption. For example, keepalive detection fails for PPP users.

Service can no longer be provided

Number of users that go offline because of service server interruption. For example, the LNS requests users to go offline.

Idle cut

Number of users that go offline because the idle timer expires.

Session timeout

Number of users that go offline because sessions time out. For example, the AAA-authorized session duration times out.

Administrator is resetting service on the NAS

Number of users that go offline because the administrator resets the service. For example, the administrator executes the cut access-user command.

Administrator is ending service on the NAS

Number of users that go offline because the administrator stops the service. For example, the process exits abnormally.

NAS detected an error on the port which required ending the session

Number of users that go offline because of interface failures. For example, an access interface goes down.

NAS ended session for a non-error unknown reason

Number of users that go offline because the sessions are ended by the NAS due to non-error unknown reasons.

NAS error

Number of users that go offline because of NAS failures. For example, UCM failed to apply for memory resources.

NAS request

Number of users that the NAS requests to go offline. For example, the maximum number of online users is reached.

NAS ended session for reboot

Number of users that go offline because the NAS is rebooted.

Port not needed

Number of users that go offline because interfaces are disabled.

Port preempted

Number of users that go offline because interfaces are preempted.

Port suspended

Number of users that go offline because interfaces are suspended.

Service unavailable

Number of users that go offline because services are not supported. For example, the PPPoE server failed to send PADS packets.

Callback user

Number of users that go offline because of callback services. For example, PPP authentication failed.

cut command

Number of users that go offline because the administrator executes the cut access-user command.

Interface down

Number of users that go offline because the access interfaces go down or flap.

Service-type mismatch with local-user's

Number of users that go offline because the access types of users do not match the service type in the local user configuration on the device.

TERM with Ifnet down

Number of users that go offline because the access interfaces go down on the network layer.

User info error

Number of users that go offline because of incorrect user information. For example, the authentication username is empty.

Host logoff

Number of users that the client requests to go offline.

Restart of the 802.1X supplicant

Number of users that go offline because the 802.1X service is restarted.

802.1X supplicant failed to re-authenticate

Number of users that go offline because 802.1X re-authentication failed.

802.1X port's MAC is reinitialized

Number of users that go offline because the 802.1X access control method is reset to MAC-based.

802.1X port is administratively disabled

Number of users that go offline because 802.1X authentication is disabled.

display access-user user-detect packet-loss-ratio

Use display access-user user-detect packet-loss-ratio to display the packet loss ratio statistics for the access user detection packets.

Syntax

In standalone mode:

display access-user user-detect packet-loss-ratio [ interface interface-type interface-number [ s-vlan svlan-id ] ] [ slot slot-number ]

In IRF mode:

display access-user user-detect packet-loss-ratio [ interface interface-type interface-number [ s-vlan svlan-id ] ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays entries of all interfaces.

s-vlan svlan-id: Specifies an SVLAN by its ID. The value range for the svlan-id argument is 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

Usage guidelines

After online user detection is enabled on an interface, the device will automatically record the number of sent detection packets and received packets. You can use this command to view the packet loss ratio statistics for detection packets.

If you execute the display access-user user-detect packet-loss-ratio command at a time point within a 30-second timer, this command displays the packet loss ratio statistics collected at the specified time point within the 30-second timer. For example, if you execute this display command at the 10th second within a 30-second timer, this command displays the packet loss ratio statistics collected within the 10 seconds.

On a unified network, this command displays only the packet loss ratio statistics for IPoE user detection packets. To view the packet loss ratio statistics for PPPoE and L2TP user detection packets on a unified network, use the display ppp keepalive packet-loss-ratio command.

Examples

# Display the packet loss ratio statistics for access user detection packets on all interfaces.

<Sysname> display access-user user-detect packet-loss-ratio

Slot 0:

L2TP keepalive   : 50%

 

Interface Ten-GigabitEthernet0/0/15:

ARP              : 10%

ND               : 15%

PPPoE keepalive  : 18%

 

Interface Ten-GigabitEthernet0/0/16:

ICMPv4           : 20%

ICMPv6           : 15%

PPPoE keepalive  : 18%

# Display the packet loss ratio statistics for access user detection packets on the specified interface.

<Sysname> display access-user user-detect packet-loss-ratio interface ten-gigabitethernet 0/0/15.1

Slot 0:

Interface Ten-GigabitEthernet0/0/15.1:

ND               : 15%

ICMPv4           : 15%

PPPoE keepalive  : 18%

 

S-VLAN: 100

ND               : 15%

ICMPv4           : 13%

PPPoE keepalive  : 18%

 

S-VLAN: 200

ND               : 15%

ICMPv4           : 17%

PPPoE keepalive  : 18%

Table 10 Command output

Field

Description

L2TP keepalive

Packet loss ratio of L2TP user keepalive detection packets.

Interface

Detected interface.

S-VLAN

Service provider VLAN.

ARP

Packet loss ratio of IPoE user ARP detection packets.

ND

Packet loss ratio of IPoE user ND detection packets.

ICMPv4

Packet loss ratio of IPoE user ICMPv4 detection packets.

ICMPv6

Packet loss ratio of IPoE user ICMPv6 detection packets.

PPPoE keepalive

Packet loss ratio of PPPoE user keepalive detection packets.

 

Related commands

access-user user-detect packet-loss-ratio-threshold

display ppp keepalive packet-loss-ratio (BRAS Services Command Reference)

ip subscriber user-detect ip

ip subscriber user-detect ipv6

reset access-user user-detect packet-loss-ratio
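
Added example, not part of the H3C reference: a Python parser for the standalone-mode output layout shown in the examples above. It keeps the slot, interface, and S-VLAN scope of every ratio and lists the probes above a locally chosen threshold. The names parse_loss_ratio, flag_lossy, and LossSample and the threshold value are assumptions of this example; the IRF-mode header layout is not shown on this page, so unrecognized lines are returned to the caller rather than guessed at.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the two example outputs shown in this section, embedded so the
# block runs offline. Real device output may be indented; lines are stripped.
SAMPLE_ALL = """\
<Sysname> display access-user user-detect packet-loss-ratio
Slot 0:
L2TP keepalive   : 50%

Interface Ten-GigabitEthernet0/0/15:
ARP              : 10%
ND               : 15%
PPPoE keepalive  : 18%

Interface Ten-GigabitEthernet0/0/16:
ICMPv4           : 20%
ICMPv6           : 15%
PPPoE keepalive  : 18%
"""

SAMPLE_ONE = """\
<Sysname> display access-user user-detect packet-loss-ratio interface ten-gigabitethernet 0/0/15.1
Slot 0:
Interface Ten-GigabitEthernet0/0/15.1:
ND               : 15%
ICMPv4           : 15%
PPPoE keepalive  : 18%

S-VLAN: 100
ND               : 15%
ICMPv4           : 13%
PPPoE keepalive  : 18%

S-VLAN: 200
ND               : 15%
ICMPv4           : 17%
PPPoE keepalive  : 18%
"""

SLOT_RE = re.compile(r"^Slot\s+(\d+):$")
INTERFACE_RE = re.compile(r"^Interface\s+(\S+):$")
SVLAN_RE = re.compile(r"^S-VLAN:\s*(\d+)$")
RATIO_RE = re.compile(r"^(.+?)\s*:\s*(\d+)%$")


@dataclass(frozen=True)
class LossSample:
    slot: Optional[int]
    interface: Optional[str]  # None for slot-level counters such as L2TP keepalive
    svlan: Optional[int]      # None for interface-level counters
    probe: str                # field name from Table 10, for example "ARP"
    loss_percent: int


def parse_loss_ratio(text: str) -> Tuple[List[LossSample], List[str]]:
    """Return (samples, skipped); skipped holds lines the parser did not recognize."""
    samples: List[LossSample] = []
    skipped: List[str] = []
    slot = interface = svlan = None
    for raw in text.splitlines():
        line = raw.replace("\u00a0", " ").strip()
        if not line or line.startswith("<"):
            continue  # blank separators and the echoed CLI prompt
        m = SLOT_RE.match(line)
        if m:  # a new slot resets the interface and S-VLAN scope
            slot, interface, svlan = int(m.group(1)), None, None
            continue
        m = INTERFACE_RE.match(line)
        if m:  # a new interface resets the S-VLAN scope
            interface, svlan = m.group(1), None
            continue
        m = SVLAN_RE.match(line)
        if m:
            svlan = int(m.group(1))
            continue
        m = RATIO_RE.match(line)
        if m:
            samples.append(LossSample(slot, interface, svlan, m.group(1), int(m.group(2))))
            continue
        skipped.append(line)  # surface unknown layouts instead of dropping them
    return samples, skipped


def flag_lossy(samples: List[LossSample], threshold_percent: int) -> List[LossSample]:
    """Samples whose loss exceeds a locally chosen threshold, worst first."""
    hits = [s for s in samples if s.loss_percent > threshold_percent]
    return sorted(hits, key=lambda s: s.loss_percent, reverse=True)


if __name__ == "__main__":
    parsed, unknown = parse_loss_ratio(SAMPLE_ALL)
    for s in flag_lossy(parsed, 18):  # 18 is an arbitrary example threshold
        print(f"slot={s.slot} if={s.interface} svlan={s.svlan} {s.probe}: {s.loss_percent}%")
    if unknown:
        print("unparsed lines:", unknown)
```

Because the counters are collected within a 30-second timer, a single reading can cover only part of that window; compare several readings before acting on a flagged value.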

display bras-interface access-user-count

Use display bras-interface access-user-count to display BRAS configuration and the number of users of an interface.

Syntax

display bras-interface [ interface-type interface-number ] access-user-count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays BRAS configuration and the number of users of all interfaces.

Usage guidelines

You can use this command to view configuration and user counts only on interfaces configured with IPoE or PPPoE.

Examples

# Display BRAS configuration and the number of users on Ten-GigabitEthernet 0/0/15.

<Sysname> display bras-interface ten-gigabitethernet 0/0/15 access-user-count

Interface              IPoE            PPPoE            Users

XGE0/0/15              L2-connected    Bind             100

Table 11 Command output

Field

Description

IPoE

Whether IPoE is enabled on the interface:

·     L2-connected—IPoE in Layer 2 access mode is enabled on the interface.

·     Routed—IPoE in Layer 3 access mode is enabled on the interface.

·     N/A—IPoE is not enabled on the interface.

PPPoE

Whether the interface has the PPPoE server protocol enabled and is bound to a VT interface:

·     Bind—The interface has the PPPoE server protocol enabled and is bound to a VT interface.

·     N/A—The PPPoE server protocol is not enabled on the interface.

Users

Number of current users on the interface.

display bras-interface configuration

Use display bras-interface configuration to display BRAS configuration and running information of an interface.

Syntax

In standalone mode:

display bras-interface [ interface-type interface-number ] configuration [ slot slot-number ]

In IRF mode:

display bras-interface [ interface-type interface-number ] configuration [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays BRAS configuration and running information of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

Usage guidelines

You can use this command to view BRAS configuration and running information only on interfaces configured with IPoE or PPPoE.

The command output and the sequence of information in the command output vary by device type, device configuration, networking mode, and device role on the network.

Examples

# Display configuration and running information of interface Route-Aggregation 1.

<Sysname> display bras-interface route-aggregation 1 configuration

Interface configuration:

  Interface name            : RAGG1

  MAC address               : 6eb9-84e6-0102

  Authentication type       : Bind

  BRAS mode                 : Normal

  UP status                 : None

  Blocking                  : No

  PPPoEA relay interface    : No

  Global interface          : Yes

  Interface deleting        : No

  Link layer status         : Down

  IPv4 network layer status : Down

  IPv6 network layer status : Down

  IPv4 MTU                  : 1500 bytes

  IPv6 MTU                  : 1500 bytes

IPoE configuration:

  IPoE access mode                            : L2-connected

  IPoE protocol type                          : Dual-stack

  IPv4 unclassified-IP trigger                : Enable

  IPv4 unclassified-IP matching-user          : Disable

  IPv6 unclassified-IP trigger                : Enable

  IPv6 unclassified-IP matching-user          : Disable

  IPoE MAC-auth                               : Enable

  IPoE inherit-PPPoE                          : Disable

  IPoE dot1x                                  : Enable

  IPoE dot1x dot1x-retrigger packet           : N/A

  IPoE dot1x dot1x-retrigger interval         : 60 seconds

  IPoE dhcp-release-ip dot1x-offline          : Disable

  IPoE dot1x-offline user-offline             : Disable

  IPoE static-dot1x-user                      : Disable

  Access-out                                  : Disable

  Service identify type                       : N/A

  Lease-end-time original                     : Disable

  Web basic-service-IPv4                      : Disable

  Web support-authorized-vpn                  : Disable

  Web or 802.1X support-unclassified-IP       : Disable

  IPoE basic-service-ip-type                  : Disable

  IPoE user name type                         : MAC-address

  IPoE user name MAC separator                : N/A

  IPoE user name MAC case                     : Uppercase

  IPoE password type                          : String

  IPoE pre-auth domain name                   : N/A

  IPoE web-auth domain name                   : N/A

  IPoE MAC-auth domain name                   : N/A

  DHCP user name type                         : Sysname

  DHCP user name separator                    : N/A

  DHCP domain name                            : N/A

  DHCP domain name force                      : No

  NDRS domain name                            : N/A

  Unclassified-IP domain name                 : dm1

  IPv4 user detect mode                       : ARP

  IPv4 user detect retry times                : 5

  IPv4 user detect interval                   : 120 seconds

  IPv4 user detect NoDataCheck                : Disable

  IPv6 user detect mode                       : ND

  IPv6 user detect retry times                : 5

  IPv6 user detect interval                   : 120 seconds

  IPv6 user detect NoDataCheck                : Disable

  IPoE pre-auth user track number             : N/A

  IPoE pre-auth user fail-permit user-group   : N/A

  IPoE pre-auth user track status             : N/A

  IPoE captive-bypass type                    : N/A

  IPoE web redhcp                             : Enable

  IPoE http-fast-relay                        : Disable

  IPoE roam                                   : Enable

  IPoE roam group name                        : roam

  QoS session-group identify                  : N/A

  IPoE unclassified-ip-defense                : Disable

  IPoE unclassified-ip-defense period         : 600

  IPoE unclassified-ip-defense threshold      : 6000

  IPoE unclassified-ip-defense interval       : 300

  HTTP-X-Header                               : Disable

Max session configuration:

  Interface max session number            : 1000

  NDRS max session number                 : N/A

  DHCPv4 max session number               : 500

  DHCPv6 max session number               : N/A

  IPv4 unclassified-IP max session number : N/A

  IPv6 unclassified-IP max session number : N/A

Access limit configuration:

  Access delay type                     : Even-mac and odd-mac

  Even-MAC user delay time              : 100 milliseconds

  Odd-MAC user delay time               : 100 milliseconds

  User-policy interface-down online     : No

  User-policy interface-down keepalive  : No

Nas-Port-ID configuration:

  NAS port type                          : 802.11

  IPoE circuit-id format                 : ASCII

  IPoE remote-id format                  : ASCII

  IPoE nas-port-id cn-telecom format     : Version3.0

  IPoE nas-port-id nasinfo-insert        : Yes

  PPPoE remote-id format                 : ASCII

  PPPoE circuit-id format                : ASCII

  PPPoE circuit-id mode                  : TR-101

  PPPoE nas-port-id insert BasInfo       : Disable

  PPPoE nas-port-id insert BasInfo type  : N/A

  PPPoE trust access-line-id             : No

  PPPoE access-line-id insert VxlanInfo  : Disable

  PPPoE access-line-id content           : Circuit-id

  PPPoE access-line-id separator         :

PPPoE configuration:

  PPPoE bind                    : Disable

  PPPoE agency bind             : Disable

Table 12 Command output

Field

Description

MAC address

MAC address of a local interface.

Authentication type

Authentication mode:

·     Bind—Bind authentication.

·     Web—Web authentication.

·     PPP—PPP authentication.

·     Admin—Device admin user authentication.

·     Dot1x—802.1X authentication.

BRAS mode

This field is not supported in the current software version. BRAS mode.

UP status

This field is not supported in the current software version. UP state.

Blocking

Blocking state of the interface:

·     Yes—The interface is blocked, and does not allow new users to access.

·     No—The interface is in normal state, and allows new users to access.

PPPoEA relay interface

Whether this interface is an agency gateway access interface bound to an agency group:

·     Yes—This interface is bound to an agency group and is an agency gateway access interface.

·     No—This interface is not bound to an agency group and is not an agency gateway access interface.

Global interface

Whether the interface is a global interface:

·     Yes—The interface is a global interface (for example, a Layer 3 aggregate interface).

·     No—The interface is a physical interface.

Interface deleting

Interface deletion state:

·     Yes—The interface is being deleted.

·     No—The interface is in normal state.

Link layer status

Link layer state of the interface:

·     Up—The link layer state of the interface is up.

·     Down—The link layer state of the interface is down.

IPv4 network layer status

IPv4 network layer state of the interface:

·     Up—The network layer state of the interface is up.

·     Down—The network layer state of the interface is down.

IPv6 network layer status

IPv6 network layer state of the interface:

·     Up—The network layer state of the interface is up.

·     Down—The network layer state of the interface is down.

Temp block remaining time

When you use the cut access-user command to forcibly log out a user, this field displays the remaining time in seconds for temporarily blocking the interface. If interface blocking is not configured, this field displays a hyphen (-).

IPv4 MTU

MTU limit on IPv4 IPoE user packets, in bytes.

IPv6 MTU

MTU limit on IPv6 IPoE user packets, in bytes.

IPoE configuration

IPoE-related configuration.

IPoE access mode

IPoE access mode:

·     L2-connected—Layer 2 access mode.

·     Routed—Layer 3 access mode.

·     N/A—IPoE is not enabled.

IPoE protocol type

Protocol stack for which IPoE is enabled:

·     IPv4—IPoE is enabled for the IPv4 protocol stack.

·     IPv6—IPoE is enabled for the IPv6 protocol stack.

·     Dual-stack—IPoE is enabled for both the IPv4 protocol stack and the IPv6 protocol stack.

IPv4 unclassified-IP trigger

Unclassified-IPv4 packet initiation state:

·     Enable.

·     Disable.

IPv4 unclassified-IP matching-user

Unclassified-IPv4 packets allow only the specified types of users to come online:

·     Enable—Unclassified-IPv4 packets allow only the matching static users, abnormally logged out DHCP users, roaming users, and users in loose mode to come online.

·     Disable—Unclassified-IPv4 packets allow dynamic users in addition to the matching static users, abnormally logged out DHCP users, roaming users, and users in loose mode to come online.

IPv6 unclassified-IP trigger

Unclassified-IPv6 packet initiation state:

·     Enable.

·     Disable.

IPv6 unclassified-IP matching-user

Unclassified-IPv6 packets allow only the specified types of users to come online:

·     Enable—Unclassified-IPv6 packets allow only the matching static users, abnormally logged out DHCP users, and roaming users to come online.

·     Disable—Unclassified-IPv6 packets allow dynamic users in addition to the matching static users, abnormally logged out DHCP users, and roaming users to come online.

IPoE MAC-auth

IPoE Web MAC authentication state:

·     Enable.

·     Disable.

IPoE inherit-PPPoE

State of inherit-PPPoE for IPoE.

·     Enable.

·     Disable.

IPoE dot1x

State of 802.1X authentication for IPoE.

·     Enable.

·     Disable.

IPoE dot1x high-priority

State of 802.1X authentication prioritization for IPoE. This information is not displayed if the IPoE 802.1X authentication feature is not enabled.

·     Enable.

·     Disable.

IPoE dot1x high-priority strict

State of 802.1X authentication prioritization in strict mode. This information is not displayed if the IPoE 802.1X authentication feature is not enabled.

·     Enable.

·     Disable.

IPoE dot1x dot1x-retrigger packet

Types of packets that the BRAS can use to retrigger 802.1X authentication when an IPoE user fails to come online through 802.1X authentication. If multiple packet types are specified, they are separated by spaces. Options include:

·     ARP—Represents ARP packets.

·     ND—Represents ND packets.

·     DHCPv4—Represents DHCPv4 packets.

·     DHCPv6—Represents DHCPv6 packets.

·     N/A—No packets are configured.

IPoE dot1x dot1x-retrigger interval

Suppression interval for retriggering 802.1X authentication based on ARP and ND packets, in seconds.

IPoE dhcp-release-ip dot1x-offline

State of logging out the 802.1X client of an IPoE user when the IP address of the IPoE user is released.

·     Enable.

·     Disable.

IPoE dot1x-offline user-offline

State of logging out an IPoE user when the 802.1X client of the IPoE user goes offline.

·     Enable.

·     Disable.

IPoE static-dot1x-user

State of static 802.1X user authentication.

·     Enable.

·     Disable.

Access-out

IPoE access-out authentication state:

·     Enable.

·     Disable.

Service identify type

Service identification type of an access user.

·     8021p second-vlan—Identifies a service by the 802.1p priority value in the inner VLAN tag of a packet in QinQ mode.

·     8021p vlan—Identifies a service by the 802.1p priority value in the VLAN tag of a packet (the 802.1p priority value in the outer VLAN tag of a packet in QinQ mode).

·     DSCP—Identifies a service by the DSCP value in a packet.

·     Second-vlan—Identifies a service by the inner VLAN ID of a packet in QinQ mode.

·     Vlan—Identifies a service by the VLAN ID of a packet (the outer VLAN ID of a packet in QinQ mode).

Lease-end-time original

State of using the lease expiration time when an IPoE user went offline as the lease expiration time when the IPoE user comes online again.

·     Enable.

·     Disable.

Web basic-service-IPv4

State of IPv6 protocol stack dependency of IPoE Web users on IPv4 protocol stack:

·     Enable.

·     Disable.

Web support-authorized-vpn

State of the VPN authorization feature in the Web postauthentication domain:

·     Enable.

·     Disable.

Web or 802.1X support-unclassified-IP

State of support of unclassified-IP users for Web authentication or 802.1X authentication:

·     Enable.

·     Disable.

IPoE basic-service-ip-type

Protocol stack on which the main service of IPoE users depends:

·     IPv4—The main service of IPoE users depends on the IPv4 protocol stack.

·     IPv6—The main service of IPoE users depends on the IPv6 protocol stack.

·     Disable—The protocol stack on which the main service of IPoE users depends is not set.

IPoE user name type

Authentication username type of an individual IPoE user:

·     MAC-address—Uses the MAC address as the username.

·     String—Uses the specified string as the username.

·     N/A—No authentication username is configured for an individual IPoE user.

IPoE user name string

String specified as the authentication username of an IPoE user.

IPoE user name MAC separator

MAC address separator when IPoE uses MAC addresses as authentication usernames.

IPoE user name MAC case

Case of MAC addresses when IPoE uses MAC addresses as authentication usernames.

·     Lowercase—Letters in MAC addresses are lower case.

·     Uppercase—Letters in MAC addresses are upper case.

IPoE password type

Authentication password type of an individual IPoE user:

·     String—Uses the specified string as the password.

·     MAC-address—Uses the MAC address as the password.

·     N/A—No authentication password is configured for IPoE.

IPoE password address-separator

MAC address separator when IPoE uses MAC addresses as passwords.

IPoE password MAC case

Case of MAC addresses when IPoE uses MAC addresses as passwords:

·     Lowercase—Letters in MAC addresses are lower case.

·     Uppercase—Letters in MAC addresses are upper case.

IPoE pre-auth domain name

Preauthentication domain name for IPoE Web authentication.

IPoE web-auth domain name

Authentication domain name for IPoE Web authentication.

IPoE MAC-auth domain name

Authentication domain name for MAC authentication users.

DHCP user name type

Authentication username type of DHCP users:

·     Sysname—Uses the access device name as the username.

·     Source-IP—Uses the source IP address in packets as the username.

·     Source-MAC—Uses the source MAC address in packets as the username.

·     Client-id—Uses the DHCPv4 Option61 or DHCPv6 Option1 in DHCP packets as the username.

·     Vendor-class—Uses the DHCPv4 Option60 or DHCPv6 Option16 in DHCP packets as the username.

·     Circuit-id—Uses the DHCPv4 Option82 sub-option1 or DHCPv6 Option18 in DHCP packets as the username.

·     Remote-id—Uses the DHCPv4 Option82 sub-option2 or DHCPv6 Option37 in DHCP packets as the username.

·     Vendor-specific—Uses the DHCPv4 Option82 sub-option9 or DHCPv6 Option17 in DHCP packets as the username.

·     Nas-port-id—Uses the NAS-PORT-ID attribute in the authentication packets as the username.

·     Vlan—Uses the outer VLAN in the authentication packets as the username.

·     Second-vlan—Uses the inner VLAN in the authentication packets as the username.

·     Slot—Uses the slot number of a user as the username.

·     Subslot—Uses the subslot of a user as the username.

·     Port—Uses the access port number of a user as the username.

·     String—Uses the specified string as the username.

·     Circuit-id MAC—Uses the MAC address in the Circuit-ID (Option82 sub-option1) as the username.

·     Hostname—Uses the DHCPv4 Option12 in DHCP packets as the username.

·     N/A—No authentication username is configured for a DHCP user.

DHCP user name separator

Separator used for the field used as the authentication username of a DHCP user.

DHCP user name address-separator

MAC address separator when MAC addresses are used as authentication usernames of DHCP users.

DHCP user name keep original

Whether the device directly uses the information in the DHCPv4 Option12, DHCPv4 Option60, or DHCPv6 Option16 field in DHCP packets as the username and transmits it to the authentication server for authentication:

·     Yes—The device directly transmits the information above to the authentication server for authentication.

·     No—The device converts non-printable characters into printable characters and then transmits the information to the authentication server for authentication.

DHCP user name absent replace

Processing when the DHCPv4 Option60 or DHCPv6 Option16 field does not exist in DHCP packets:

·     Yes—Uses the domain name of the user authentication domain in place of the nonexistent option as the username when the condition above exists.

·     No—Leaves the option part in the username empty when the condition above exists.

DHCP user name string

String specified as the authentication username of a DHCP user.

DHCPv4 password type

An individual DHCPv4 user uses the specified information in the DHCPv4 packets as the authentication password:

·     Circuit-id—Uses the DHCPv4 Option82 sub-option1 field in DHCP packets as the authentication password.

·     Option60—Uses the Option60 field in DHCPv4 packets as the authentication password.

·     User-class—Uses the Option77 field in DHCPv4 packets as the authentication password.

·     N/A—No field in the DHCPv4 packets is specified as the authentication password.

DHCPv4 password length

Password length when a DHCPv4 user uses the specified information in the DHCPv4 packets as the authentication password. N/A indicates that the password length is not configured.

DHCPv4 password offset length

Offset length when a DHCPv4 user uses the specified information in the DHCPv4 packets as the authentication password. N/A indicates that the offset length is not configured.

Original mode of DHCPv4 password option 60

Whether to directly use the information selected from Option60 according to the specified rule as the authentication password without performing validity check:

·     Yes.

·     No.

DHCPv6 password type

An individual DHCPv6 user uses the specified information in the DHCPv6 packets as the authentication password:

·     Option16—Uses the Option16 or Option17 field in DHCPv6 packets as the authentication password.

·     N/A—No field in the DHCPv6 packets is specified as the authentication password.

Original mode of DHCPv6 password option 16 or option 17

Whether to directly use the information selected from Option16 or Option17 according to the specified rule as the authentication password without performing validity check:

·     Yes.

·     No.

DHCPv6 password length

Password length when a DHCPv6 user uses the specified information in the DHCPv6 packets as the authentication password. N/A indicates that the password length is not configured.

DHCPv6 password offset length

Offset length when a DHCPv6 user uses the specified information in the DHCPv6 packets as the authentication password. N/A indicates that the offset length is not configured.

DHCP domain name

Authentication domain name for DHCP users.

DHCP domain name force

Whether the authentication domain name configured for DHCP users is forced:

·     Yes—The authentication domain name configured for DHCP users is forced.

·     No—The authentication domain name configured for DHCP users is not forced.

DHCP domain type

Sub-option type when a DHCP user uses the vendor class as the authentication domain name:

·     Vlan—Uses the outer VLAN in authentication packets as the authentication domain name.

·     Second-vlan—Uses the inner VLAN in the authentication packets as the username.

·     String—Uses the specified string as the username.

DHCP domain separator

Separator when a DHCP user uses the vendor class as the authentication domain name.

DHCP domain string

String specified as the authentication domain name of a DHCP user.

NDRS user name type

Authentication username type of NDRS users:

·     Sysname—Uses the access device name as the username.

·     Source-MAC—Uses the source MAC address in packets as the username.

·     Nas-port-id—Uses the NAS-Port-ID attribute in the authentication packets as the username.

·     Vlan—Uses the outer VLAN in the authentication packets as the username.

·     Second-vlan—Uses the inner VLAN in the authentication packets as the username.

·     Slot—Uses the slot number of a user as the username.

·     Subslot—Uses the subslot number of a user as the username.

·     Port—Uses the access port number of a user as the username.

·     String—Uses the specified string as the username.

·     N/A—No authentication username is configured for NDRS users.

NDRS user name separator

Separator for the field used as the authentication username of an NDRS user.

NDRS user name address-separator

MAC address separator when MAC addresses are used as authentication usernames of NDRS users.

NDRS user name string

String specified as the authentication username of an NDRS user.

NDRS domain name

Authentication domain name for NDRS users.

Unclassified-IP user name type

Authentication username type of unclassified-IP access users:

·     Sysname—Uses the access device name as the username.

·     Source-IP—Uses the source IP address in packets as the username.

·     Source-MAC—Uses the source MAC address in packets as the username.

·     Nas-port-id—Uses the NAS-Port-ID attribute in the authentication packets as the username.

·     Vlan—Uses the outer VLAN in the authentication packets as the username.

·     Second-vlan—Uses the inner VLAN in the authentication packets as the username.

·     Slot—Uses the slot number of a user as the username.

·     Subslot—Uses the subslot number of a user as the username.

·     Port—Uses the access port number of a user as the username.

·     String—Uses the specified string as the username.

·     N/A—No authentication username is configured for unclassified-IP users.

Unclassified-IP user name separator

Separator for the field used as the authentication username of an unclassified-IP user.

Unclassified-IP user name address-separator

MAC address separator when MAC addresses are used as authentication usernames of unclassified-IP users.

Unclassified-IP user name string

String specified as the authentication username of an unclassified-IP access user.

Unclassified-IP domain name

Authentication domain name for an unclassified-IP user.

IPv4 user detect mode

Online detection type for IPv4 access users:

·     ARP—Uses ARP packets as the detection packets.

·     ICMP—Uses ICMP packets as the detection packets.

·     N/A—Online detection is not enabled for the IPv4 protocol stack.

IPv4 user detect retry times

Maximum number of online detection retries for the IPv4 access users.

IPv4 user detect interval

Online detection interval for IPv4 access users in seconds.

IPv4 user detect NoDataCheck

Ignore data traffic update in online detection for IPv4 access users:

·     Enable—Detection packets are sent after the detection timer expires, regardless of whether user uplink traffic is updated within a detection timer period.

·     Disable—No detection packets are sent within one detection timer period after the detection timer expires if user uplink traffic is updated within a detection timer period.

IPv6 user detect mode

Online detection type for IPv6 access users:

·     ND—Uses ND packets as the detection packets.

·     ICMP—Uses ICMPv6 packets as the detection packets.

·     N/A—Online detection is not enabled for the IPv6 protocol stack.

IPv6 user detect retry times

Maximum number of online detection retries for the IPv6 access users.

IPv6 user detect interval

Online detection interval for IPv6 access users in seconds.

IPv6 user detect NoDataCheck

Ignore data traffic update in online detection for IPv6 access users:

·     Enable—Detection packets are sent after the detection timer expires, regardless of whether user uplink traffic is updated within a detection timer period.

·     Disable—No detection packets are sent within one detection timer period after the detection timer expires if user uplink traffic is updated within a detection timer period.

IPoE pre-auth user track number

ID of the track entry associated with a fail-permit user group.

IPoE pre-auth user fail-permit user-group

Fail-permit user group.

IPoE pre-auth user track status

Current state of the track entry associated with the fail-permit user group:

·     NotReady—The monitored object is not ready.

·     Positive—The monitored object is operating normally.

·     Negative—The monitored object is operating abnormally.

·     N/A—No track entry is associated with the fail-permit user group.

IPoE captive-bypass type

IPoE captive-bypass feature type:

·     Android—Specifies Android users.

·     IOS—Specifies IOS users.

·     Android and IOS—Specifies Android and IOS users.

·     N/A—The IPoE captive-bypass feature is not configured.

IPoE web redhcp

Re-DHCP for IPoE Web authentication:

·     Enable—Re-DHCP for IPoE Web authentication is enabled.

·     Disable—Re-DHCP for IPoE Web authentication is disabled.

IPoE http-fast-reply

HTTP packet fast reply state:

·     Enable—HTTP packet fast reply is enabled.

·     Disable—HTTP packet fast reply is disabled.

IPoE roam

IPoE individual user roaming state:

·     Enable—IPoE individual user roaming is enabled.

·     Disable—IPoE individual user roaming is disabled.

IPoE roam group name

Roaming group to which the interface belongs.

QoS session-group identify

Session group recognition method:

·     Customer-vlan—Recognizes a session group by inner VLAN (private network VLAN of the user).

·     Service-vlan—Recognizes a session group by outer VLAN (public network VLAN that the service provider allocates to the user).

·     Customer-service-vlan—Recognizes a session group by inner VLAN and outer VLAN.

·     Subscriber-id—Recognizes a session group by subscriber ID. For more information about subscriber IDs, see BRAS Services Command Reference.

·     N/A—No session group recognition method is configured.

IPoE unclassified-ip-defense

Enabling status of attack prevention against packets with unknown source IP address:

·     Enable

·     Disable

IPoE unclassified-ip-defense period

Blocking duration for attack prevention against packets with unknown source IP addresses, in seconds.

IPoE unclassified-ip-defense threshold

Blocking threshold for attack prevention against packets with unknown source IP addresses.

IPoE unclassified-ip-defense interval

Statistics collection period for attack prevention against packets with unknown source IP addresses, in seconds.

HTTP-X-Header

Enabling status of HTTP enhanced header authentication:

·     Enable.

·     Disable.

X-Header name

Name of the field in the HTTP-X header that requires decoding by the BRAS device. If HTTP enhanced header authentication is disabled, this field is not displayed.

Max session configuration

Configuration related to the maximum numbers of sessions.

Interface max session number

Maximum number of individual IPoE sessions and leased subuser sessions that can be created on an interface.

NDRS max session number

Maximum number of IPoE sessions that can be triggered by RS packets on an interface.

DHCPv4 max session number

Maximum number of IPoE sessions that can be triggered by DHCPv4 packets on an interface.

DHCPv6 max session number

Maximum number of IPoE sessions that can be triggered by DHCPv6 packets on an interface.

IPv4 unclassified-IP max session number

Maximum number of IPoE dynamic sessions that can be triggered by unclassified-IPv4 packets on an interface.

IPv6 unclassified-IP max session number

Maximum number of IPoE dynamic sessions that can be triggered by unclassified-IPv6 packets on an interface.

Access limit configuration

Access limit configuration.

Access delay type

Response delay time for IPoE users on an interface:

·     Even-MAC—Specifies the response delay time for IPoE users with even MAC addresses.

·     Odd-MAC—Specifies the response delay time for IPoE users with odd MAC addresses.

·     Even-MAC and odd-MAC—Specifies the response delay time for all users on the interface.

·     N/A—The response delay time for IPoE users is not configured on the interface.

Even-MAC user delay time

Response delay time for IPoE users with even MAC addresses in milliseconds.

Odd-MAC user delay time

Response delay time for IPoE users with odd MAC addresses in milliseconds.

User-policy interface-down online

Keep BRAS users online when an interface goes down:

·     Yes—Keep BRAS users online when an interface goes down.

·     No—Log out BRAS users when an interface goes down.

User-policy interface-down keepalive

Online detection state if users are kept online when the interface goes down. (This function takes effect only when the function of keeping users online when the interface goes down is configured.)

·     Yes—Online detection does not take effect if users are kept online when the interface goes down.

·     No—Online detection still takes effect if users are kept online when the interface goes down.

IPoE chasten configuration

IPoE blocking configuration.

IPoE chasten quiet time

IPoE user blocking period in seconds. The value of 0 indicates that blocking is not enabled.

IPoE chasten period time

Detection period of consecutive IPoE user authentication failures, in seconds.

IPoE chasten check times

Maximum number of consecutive IPoE user authentication failures allowed within a detection period.

Nas-Port-ID configuration

NAS-Port-ID configuration.

NAS port type

NAS-Port-Type attribute type of an interface, which is Ethernet by default:

·     802.11—Interface type compliant with the Wireless-IEEE 802.11 standard. The corresponding code is 19.

·     Adsl-cap—Asymmetric DSL, Carrierless Amplitude Phase Modulation (ADSL-CAP) interface type. The corresponding code is 12.

·     Adsl-dmt—Asymmetric DSL, Discrete Multi-Tone (ADSL-DMT) interface type. The corresponding code is 13.

·     Async—Async interface type. The corresponding code is 0.

·     Cable—Cable interface type. The corresponding code is 17.

·     Ethernet—Ethernet interface type. The corresponding code is 15.

·     G.3-fax—G.3 fax interface type. The corresponding code is 10.

·     IDSL—ISDN Digital Subscriber Line (IDSL) interface type. The corresponding code is 14.

·     ISDN-async-v110—ISDN-async-v110 interface type. The corresponding code is 4.

·     ISDN-async-v120—ISDN-async-v120 interface type. The corresponding code is 3.

·     ISDN-sync—ISDN sync interface type. The corresponding code is 2.

·     Piafs—Interface type compliant with the Personal Handyphone System (PHS) Internet Access Forum Standard (PIAFS) standard. The corresponding code is 6.

·     SDSL—Symmetric DSL (SDSL) interface type. The corresponding code is 11.

·     Sync—Sync interface type. The corresponding code is 1.

·     Virtual—Virtual interface type. The corresponding code is 5.

·     Wireless-other—Wireless-other interface type. The corresponding code is 18.

·     X.25—X.25 interface type. The corresponding code is 8.

·     X.75—X.75 interface type. The corresponding code is 9.

·     XDSL—Digital Subscriber Line of unknown type (XDSL) interface type. The corresponding code is 16.

IPoE circuit-id format

Parsing format for the circuit-id in DHCP Option by IPoE. The default is ascii.

·     ASCII—Parses in string format.

·     Hex—Parses in hexadecimal format.

IPoE remote-id format

Parsing format for the remote-id in DHCP Option by IPoE. The default is ascii.

·     ASCII—Parses in string format.

·     Hex—Parses in hexadecimal format.

IPoE nas-port-id bind interface type

Interface type when IPoE uses the specified interface information to fill in the NAS-Port-ID attribute of RADIUS.

IPoE nas-port-id bind interface number

Interface number when IPoE uses the specified interface information to fill in the NAS-Port-ID attribute of RADIUS.

IPoE nas-port-id cn-telecom format

Encapsulation format of the NAS-Port-ID attribute that the access device sends to the RADIUS server when IPoE users perform authentication. The default is version 1.0.

·     Version1.0—Specifies the version 1.0 format. The NAS-Port-ID attribute sent to the RADIUS server is filled in the China-Telecom 163 format.

·     Version2.0—Specifies the version 2.0 format. The NAS-Port-ID attribute sent to the RADIUS server is filled according to the YDT 2275-2011 subscriber access loop (port) identification requirements.

·     Version3.0—Specifies the version 3.0 format.

·     Version4.0—Specifies the version 4.0 format.

·     Version5.0—Specifies the version 5.0 format.

IPoE nas-port-id nasinfo-insert

The device extracts the content in Option 82 Circuit-ID from DHCPv4 packets or Option18 from DHCPv6 packets, and uses it together with the NAS information as the NAS-Port-ID attribute string.

·     Yes—This feature is enabled on the interface.

·     No—This feature is disabled on the interface.

PPPoE remote-id format

Transmission format of the remote-id in the PPPoE access line ID. The default is string.

·     ASCII—String format, which transmits the remote-id information in the form of characters.

·     Hex—Hexadecimal format, which transmits the remote-id information in the form of hexadecimal digits.

PPPoE circuit-id format

Transmission format of the circuit-id in the PPPoE access line ID. The default is string.

·     ASCII—String format, which transmits the circuit-id information in the form of characters.

·     Hex—Hexadecimal format, which transmits the circuit-id information in the form of hexadecimal digits.

PPPoE circuit-id mode

Parsing format of the circuit-id in the PPPoE access line ID. The default is TR-101.

·     CN-telecom—China Telecom format.

·     TR-101—TR-101 format.

PPPoE nas-port-id interface type

Interface type when PPPoE uses the specified interface information to fill in the NAS-Port-ID attribute of RADIUS.

PPPoE nas-port-id interface number

Interface number when PPPoE uses the specified interface information to fill in the NAS-Port-ID attribute of RADIUS.

PPPoE nas-port-id insert BasInfo

Function of automatically inserting BAS information into the NAS-Port-ID attribute by PPPoE:

·     Enable—The function of automatically inserting BAS information into the NAS-Port-ID attribute by PPPoE is enabled.

·     Disable—The function of automatically inserting BAS information into the NAS-Port-ID attribute by PPPoE is disabled.

PPPoE nas-port-id insert BasInfo type

Format for the BAS information automatically inserted into the NAS-Port-ID attribute by PPPoE:

·     CN-163—Inserts BAS information in the China Telecom 163 format.

·     CN-163.redback—Inserts BAS information in the China Telecom 163 redback format.

·     bas-info-redback—Inserts BAS information in the China Telecom redback format. This mode swaps the inner and outer VLAN positions compared to the China Telecom format.

·     N/A—Does not automatically insert BAS information.

PPPoE trust access-line-id

Whether PPPoE trusts the contents in the access line ID in the received packets.

·     Yes—Sets the trust mode.

·     No—Does not set the trust mode.

PPPoE access-line-id insert VxlanInfo

Function of inserting VXLAN information into the NAS-Port-ID attribute by PPPoE:

·     Enable—The function of inserting VXLAN information into the NAS-Port-ID attribute by PPPoE is enabled.

·     Disable—The function of inserting VXLAN information into the NAS-Port-ID attribute by PPPoE is disabled.

PPPoE access-line-id content

Type of the content in the NAS-Port-ID attribute sent to the RADIUS server by PPPoE. By default, only the circuit-ID is included.

·     All—Uploads both the circuit-id and remote-id.

·     Circuit-id—Uploads only the Circuit-id.

·     Remote-id—Uploads only the Remote-id.

PPPoE access-line-id separator

Separator for the content in the NAS-Port-ID attribute sent to the RADIUS server by PPPoE. The length is one character. The default is a space.

VSRP configuration

VSRP configuration.

VSRP instance name

VSRP instance name.

Virtual MAC address

Virtual MAC address of the interface.

Backup relation ID

Backup relationship ID.

Configured main interface

Configured master interface. N/A indicates that no master interface is configured.

Configured backup interface

Configured backup interface. N/A indicates that no backup interface is configured.

UP running configuration

UP running configuration.

ARP trigger

ARP packet initiation state:

·     Enable.

·     Disable.

NSNA trigger

IPv6 NS/NA packet initiation state:

·     Enable.

·     Disable.

NDRS trigger

IPv6 NDRS packet initiation state:

·     Enable.

·     Disable.

MAC trigger

MAC trigger authentication state:

·     Enable.

·     Disable.

PPPoE bind

PPPoE server protocol state on the interface:

·     Enable—The interface has the PPPoE server protocol enabled and is bound to a VT interface.

·     Disable—The PPPoE server protocol is not enabled on the interface.

ARP proxy

ARP proxy state on the interface:

·     Enable.

·     Disable.

ND proxy

ND proxy state on the interface:

·     Enable.

·     Disable.

UP ID

UP ID.

Interface online

Online state of the interface:

·     Yes—The interface is in online state.

·     No—The interface is in offline state.

IPoE protocol type

IPoE access protocol stack. This feature takes effect only when IPoE is enabled.

·     IPv4—IPoE is enabled for the IPv4 protocol stack.

·     IPv6—IPoE is enabled for the IPv6 protocol stack.

·     Dual-stack—IPoE is enabled for both the IPv4 protocol stack and the IPv6 protocol stack.

PPPoE detect retry times

Maximum number of PPPoE user keepalive detection retries.

PPPoE detect interval

PPPoE user keepalive detection interval, in seconds.

PPPoE detect NoDataCheck

Ignore data traffic update in keepalive detection for PPPoE users:

·     Enable—Detection packets are sent after the detection timer expires, regardless of whether user uplink traffic is updated within a detection timer period.

·     Disable—No detection packets are sent within one detection timer period after the detection timer expires if user uplink traffic is updated within a detection timer period.

PPPoE configuration

PPPoE related configuration.

PPPoE agency bind

State of PPPoE agency on an interface.

·     Enable—The interface has the PPPoE agency protocol enabled and is bound to a VT interface.

·     Disable—The PPPoE agency protocol is not enabled on the interface.

display bras-interface users-by-vlan

Use display bras-interface users-by-vlan to display the number of BRAS users by VLAN on an interface.

Syntax

display bras-interface interface-type interface-number users-by-vlan [ s-vlan s-vlan-id [ c-vlan c-vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

s-vlan svlan-id: Specifies an SVLAN by its ID. The value range for the svlan-id argument is 1 to 4094. If you do not specify this option, the command displays the number of BRAS users for each SVLAN and CVLAN combination on an interface.

c-vlan cvlan-id: Specifies a CVLAN by its ID. The value range for the cvlan-id argument is 1 to 4094. If you specify the s-vlan keyword but do not specify the c-vlan keyword, this command displays the number of BRAS users for the combination of the fixed SVLAN and each CVLAN on an interface.

Examples

# Display the number of BRAS users by VLAN on Ten-GigabitEthernet 0/0/15.1.

<Sysname> display bras-interface ten-gigabitethernet 0/0/15.1 users-by-vlan

Slot 0:

Interface                  S-VLAN/C-VLAN            Users

XGE0/0/1.1                 100/200                  200

XGE0/0/1.1                 100/201                  160

XGE0/0/1.1                 111/105                  100

Total users : 460

  Single VLAN-tagged users : 0

  QinQ VLAN-tagged users   : 460

Table 13 Command output

Field

Description

Interface

User access interface name.

S-VLAN

SVLAN. This field displays a hyphen (-) if no SVLAN exists.

C-VLAN

CVLAN. This field displays a hyphen (-) if no CVLAN exists.

Users

Total number of users.

Total users

Total number of users in all VLANs on the interface.

Single VLAN-tagged users

Total number of users with a single layer of VLAN tags on the interface.

QinQ VLAN-tagged users

Total number of users with two layers of VLAN tags on the interface.
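
For capacity and anomaly monitoring, the output above can be parsed and its summary lines cross-checked against the per-VLAN rows. The following Python sketch is an added example, not H3C code. It assumes that a row with exactly one VLAN column filled is single-tagged, that a row with both filled is QinQ, and that the totals block belongs to the preceding Slot section; the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the output printed in the example above, blank lines removed.
SAMPLE_OUTPUT = """\
Slot 0:
Interface                  S-VLAN/C-VLAN            Users
XGE0/0/1.1                 100/200                  200
XGE0/0/1.1                 100/201                  160
XGE0/0/1.1                 111/105                  100
Total users : 460
  Single VLAN-tagged users : 0
  QinQ VLAN-tagged users   : 460
"""

SLOT_RE = re.compile(r"^Slot\s+(\d+):$")
HEADER_RE = re.compile(r"^Interface\s+S-VLAN/C-VLAN\s+Users$")
ROW_RE = re.compile(r"^(\S+)\s+(\d+|-)/(\d+|-)\s+(\d+)$")
SUMMARY_RE = re.compile(
    r"^(Total users|Single VLAN-tagged users|QinQ VLAN-tagged users)\s*:\s*(\d+)$"
)


@dataclass(frozen=True)
class VlanRow:
    interface: str
    s_vlan: Optional[int]  # None when the field shows a hyphen (no SVLAN)
    c_vlan: Optional[int]  # None when the field shows a hyphen (no CVLAN)
    users: int

    @property
    def tagging(self) -> str:
        # Assumption: one tag present = single-tagged, both present = QinQ.
        present = (self.s_vlan is not None) + (self.c_vlan is not None)
        return ("untagged", "single", "qinq")[present]


@dataclass
class SlotReport:
    rows: List[VlanRow] = field(default_factory=list)
    summary: Dict[str, int] = field(default_factory=dict)


def _vlan(text: str) -> Optional[int]:
    """Convert one VLAN column; the command reference gives the range 1 to 4094."""
    if text == "-":
        return None
    vlan = int(text)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID outside 1-4094: {vlan}")
    return vlan


def parse_users_by_vlan(output: str) -> Dict[Optional[int], SlotReport]:
    """Parse the command output into one SlotReport per 'Slot N:' section."""
    reports: Dict[Optional[int], SlotReport] = {}
    slot: Optional[int] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        report = reports.setdefault(slot, SlotReport())
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        report.rows.append(
            VlanRow(m.group(1), _vlan(m.group(2)), _vlan(m.group(3)), int(m.group(4)))
        )
    return reports


def reconcile(report: SlotReport) -> List[str]:
    """Compare the three summary lines with sums over the rows; return mismatches."""
    counted = {
        "Total users": sum(r.users for r in report.rows),
        "Single VLAN-tagged users": sum(r.users for r in report.rows if r.tagging == "single"),
        "QinQ VLAN-tagged users": sum(r.users for r in report.rows if r.tagging == "qinq"),
    }
    problems = []
    for name, value in counted.items():
        stated = report.summary.get(name)
        if stated is None:
            problems.append(f"{name}: summary line missing")
        elif stated != value:
            problems.append(f"{name}: rows add up to {value}, summary says {stated}")
    return problems


def pairs_at_or_above(report: SlotReport, limit: int) -> List[VlanRow]:
    """Rows whose user count has reached an operator-chosen per-VLAN limit."""
    return [r for r in report.rows if r.users >= limit]
```
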

display max-user history

Use display max-user history to display history information about the peak user counts.

Syntax

In standalone mode:

display max-user history [ slot slot-number ]

In IRF mode:

display max-user history [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

Usage guidelines

This command displays the following peak user counts and the time when each peak user count was reached:

·     Maximum number of users initiating authentication concurrently.

·     Maximum number of users passing authentication concurrently.

·     Maximum number of sessions set to the driver concurrently.

·     Maximum number of users being accounted concurrently.

When the access module is busy processing services, the history information might not be displayed. In this case, wait for several minutes and then try again.

In the current software version, the history information about the peak user counts can be displayed for PPPoE, L2TP, and IPoE users. 

Users authenticated on logical interfaces such as aggregate interfaces are processed in the same way as users authenticated on physical interfaces. The history information of the peak online user counts issued to the driver is displayed only on the slot of the physical interface where users actually come online.

When an online user roams, the system records information of the user on the most recent slot where the user is online.

Users who went online before the reset max-user history command was executed will no longer be counted in the peak user count in the display max-user history command output after the reset max-user history command is executed.

Examples

# (In standalone mode.) Display history information about the peak user counts.

<Sysname> display max-user history slot 0

Slot 0:

PPPoE:

Max concurrent users initiating authentication: 2      Time: 2019-01-08 19:48:23

Max concurrent users passing authentication: 2         Time: 2019-01-08 19:48:23

Max concurrent sessions set to driver: 2               Time: 2019-01-08 19:48:23

Max concurrent users in accounting: 2                  Time: 2019-01-08 19:48:23

L2TP:

Max concurrent users initiating authentication: 5      Time: 2019-01-08 19:48:23

Max concurrent users passing authentication: 5         Time: 2019-01-08 19:48:23

Max concurrent sessions set to driver: 5               Time: 2019-01-08 19:48:23

Max concurrent users in accounting: 5                  Time: 2019-01-08 19:48:23

IPoE:

Max concurrent users initiating authentication: 6      Time: 2019-01-08 19:48:23

Max concurrent users passing authentication: 6         Time: 2019-01-08 19:48:23

Max concurrent sessions set to driver: 6               Time: 2019-01-08 19:48:23

Max concurrent users in accounting: 6                  Time: 2019-01-08 19:48:23

Table 14 Command output

Field

Description

Max concurrent users initiating authentication

Maximum number of users initiating authentication concurrently after the system starts up.

This field is not displayed if the user count is 0.

Max concurrent users passing authentication

Maximum number of online users passing authentication concurrently after the system starts up.

This field is not displayed if the user count is 0.

Max concurrent sessions set to driver

Maximum number of online sessions set to the driver concurrently after the system starts up.

This field is not displayed if the user count is 0.

Max concurrent users in accounting

Maximum number of online users being accounted concurrently after the system starts up.

This field is not displayed if the user count is 0.

Time

Time when the peak user count was reached.

Related commands

reset max-user history
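
Because a field is omitted when its count is 0, a collector that polls display max-user history has to treat a missing line as zero rather than as a parse failure. The following Python sketch is an added example, not H3C code: it parses the standalone-mode output and lists peaks recorded after a given time, such as the previous review. The sample text is constructed in the format of the example above, and the function names are hypothetical.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

FIELDS = (
    "Max concurrent users initiating authentication",
    "Max concurrent users passing authentication",
    "Max concurrent sessions set to driver",
    "Max concurrent users in accounting",
)

# Constructed sample in the format of the example above. The L2TP section leaves
# out two fields, which the device does when their count is 0.
SAMPLE_HISTORY = """\
Slot 0:
PPPoE:
Max concurrent users initiating authentication: 2      Time: 2019-01-08 19:48:23
Max concurrent users passing authentication: 2         Time: 2019-01-08 19:48:23
Max concurrent sessions set to driver: 2               Time: 2019-01-08 19:48:23
Max concurrent users in accounting: 2                  Time: 2019-01-08 19:48:23
L2TP:
Max concurrent users initiating authentication: 5      Time: 2019-01-08 19:48:23
Max concurrent users passing authentication: 5         Time: 2019-01-08 19:48:23
IPoE:
Max concurrent users initiating authentication: 9      Time: 2019-01-09 02:10:05
Max concurrent users passing authentication: 6         Time: 2019-01-08 19:48:23
Max concurrent sessions set to driver: 6               Time: 2019-01-08 19:48:23
Max concurrent users in accounting: 6                  Time: 2019-01-08 19:48:23
"""

Peak = Tuple[int, Optional[datetime]]
History = Dict[Tuple[int, str], Dict[str, Peak]]

SLOT_RE = re.compile(r"^Slot\s+(\d+):$")
TYPE_RE = re.compile(r"^(PPPoE|L2TP|IPoE):$")
PEAK_RE = re.compile(
    r"^(.+?):\s*(\d+)\s+Time:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_max_user_history(output: str) -> History:
    """Return {(slot, access type): {field name: (count, time)}}."""
    history: History = {}
    slot: Optional[int] = None
    section: Optional[Dict[str, Peak]] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLOT_RE.match(line)
        if m:
            slot, section = int(m.group(1)), None
            continue
        m = TYPE_RE.match(line)
        if m:
            if slot is None:
                raise ValueError("access type section before any 'Slot N:' line")
            # Absent fields mean a count of 0, so every section starts at (0, None).
            section = history.setdefault(
                (slot, m.group(1)), {name: (0, None) for name in FIELDS}
            )
            continue
        m = PEAK_RE.match(line)
        if not m or m.group(1) not in FIELDS or section is None:
            raise ValueError(f"unrecognised line: {line!r}")
        when = datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S")
        section[m.group(1)] = (int(m.group(2)), when)
    return history


def peaks_after(history: History, since: datetime) -> List[Tuple[int, str, str, int, datetime]]:
    """List (slot, access type, field, count, time) for peaks recorded after 'since'."""
    hits = []
    for (slot, access), fields in sorted(history.items()):
        for name in FIELDS:
            count, when = fields[name]
            if when is not None and when > since:
                hits.append((slot, access, name, count, when))
    return hits
```

In the constructed sample, only the IPoE authentication-initiation peak is newer than the others, which is the kind of change a periodic review would surface.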

display trace access-user

Use display trace access-user to display service tracing object configuration information.

Syntax

display trace access-user [ object object-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object object-id: Specifies a service tracing object by its ID, in the range of 1 to 5. If you do not specify a tracing object, this command displays configuration information for all service tracing objects.

Usage guidelines

This command displays configuration information for only service tracing objects whose tracing time has not expired.

Examples

# Display configuration information for all service tracing objects.

<Sysname> display trace access-user

Object ID: 1

Access mode: IPoE

User name: aaa

Access interface: Ten-GigabitEthernet0/0/15.1

IP address: 1.1.1.2

MAC address: 0001-0002-0003

Service VLAN: 3

Customer VLAN: 2

Output direction: VTY

Aging time: 0 min

 

Object ID: 2

Access mode: LNS

User name: aaa

Access interface: Ten-GigabitEthernet0/0/15.2

IP address: 1.1.1.3

Service VLAN: 3

Customer VLAN: 2

Tunnel ID: 12345

Calling station ID: 7425-8a23-23d5 XGE0/0/15.2:0003.0002

Output direction: VTY

Aging time: 0 min

Table 15 Command output

Field

Description

Object ID

ID of the service tracing object.

Access mode

Access mode of the service tracing object:

·     IPoE.

·     PPPoE.

·     LNS.

User name

Username of the access user.

Access interface

Access interface of the access user.

IP address

IP address of the access user.

MAC address

MAC address of the access user.

Service VLAN

Outer VLAN ID of the access user.

Customer VLAN

Inner VLAN ID of the access user.

Tunnel ID

L2TP tunnel ID of the access user. This field is displayed only for L2TP users.

Calling station ID

L2TP calling number. If a user comes online without carrying a calling station, this field displays a hyphen (-).

Output direction

Location to which the service tracing object information is output.

Aging time

Tracing time of the service tracing object.

Related commands

trace access-user

flow-statistics frequency

Use flow-statistics frequency to set the traffic accounting frequency mode for online users.

Use undo flow-statistics frequency to restore the default.

Syntax

flow-statistics frequency { fast | normal | slow }

undo flow-statistics frequency

Default

The traffic accounting frequency mode for online users is normal.

Views

System view

Predefined user roles

network-admin

Parameters

fast: Specifies the fast mode. For high accuracy of the BRAS user traffic statistics, specify this keyword.

normal: Specifies the normal mode. For medium accuracy of the BRAS user traffic statistics, specify this keyword.

slow: Specifies the slow mode. For low accuracy of the BRAS user traffic statistics, specify this keyword.

Examples

# Set the traffic accounting frequency mode for online users to fast.

<Sysname> system-view

[Sysname] flow-statistics frequency fast

nas-port-type

Use nas-port-type to configure the NAS-Port-Type for an interface.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type { 802.11 | adsl-cap | adsl-dmt | async | cable | ethernet | g.3-fax | idsl | isdn-async-v110 | isdn-async-v120 | isdn-sync | piafs | sdsl | sync | virtual | wireless-other | x.25 | x.75 | xdsl }

undo nas-port-type

Default

The NAS-Port-Type for an interface is Ethernet.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

802.11: Specifies the port type complying with Wireless-IEEE 802.11. The type ID is 19.

adsl-cap: Specifies the ADSL-CAP port type, including Asymmetric DSL and Carrierless Amplitude Phase Modulation. The type ID is 12.

adsl-dmt: Specifies the ADSL-DMT port type, including Asymmetric DSL and Discrete Multi-Tone. The type ID is 13.

async: Specifies the Async port type with a type ID of 0.

cable: Specifies the Cable port type with a type ID of 17.

ethernet: Specifies the Ethernet port type with a type ID of 15.

g.3-fax: Specifies the G.3 Fax port type with a type ID of 10.

idsl: Specifies the IDSL port type with a type ID of 14.

isdn-async-v110: Specifies the ISDN Async V.110 port type with a type ID of 4.

isdn-async-v120: Specifies the ISDN Async V.120 port type with a type ID of 3.

isdn-sync: Specifies the ISDN Sync port type with a type ID of 2.

piafs: Specifies the port type complying with PIAFS. The type ID is 6.

sdsl: Specifies the SDSL port type with a type ID of 11.

sync: Specifies the Sync port type with a type ID of 1.

virtual: Specifies the Virtual port type with a type ID of 5.

wireless-other: Specifies the Wireless-other port type with a type ID of 18.

x.25: Specifies the X.25 port type with a type ID of 8.

x.75: Specifies the X.75 port type with a type ID of 9.

xdsl: Specifies the XDSL port type with a type ID of 16.

Usage guidelines

Operating mechanism

The nas-port-type attribute is used for RADIUS authentication and accounting. For more information about the nas-port-type attribute, see RFC 2865.

Restrictions and guidelines

This command does not affect existing users.

After you execute the bras compatible old-style-commands enable command to enable BRAS device compatibility with old-style commands, follow these restrictions:

·     You can use only the old-style ip subscriber nas-port-type cable command to set the Cable port type for an interface. To use the new-style nas-port-type cable command to set the Cable port type for an interface, first execute the undo bras compatible old-style-commands enable command to disable BRAS device compatibility with old-style commands, and then execute the nas-port-type cable command.

·     To set a port type other than the Cable port type, you can use the new-style nas-port-type command. If you execute the nas-port-type (except with the cable keyword) and ip subscriber nas-port-type cable commands multiple times, the most recent configuration takes effect.

Examples

# Configure the NAS-Port-Type as sdsl for Ten-GigabitEthernet 0/0/15.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/15

[Sysname-Ten-GigabitEthernet0/0/15] nas-port-type sdsl

Related commands

bras compatible old-style-commands enable

ip subscriber nas-port-type cable (old style) (BRAS Services Command Reference)

reset access-user offline-reason statistics

Use reset access-user offline-reason statistics to clear offline reason statistics of access users.

Syntax

reset access-user offline-reason statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear statistics for the offline reasons.

<Sysname> reset access-user offline-reason statistics

Related commands

display access-user offline-reason statistics

reset access-user user-detect packet-loss-ratio

Use reset access-user user-detect packet-loss-ratio to clear the packet loss ratio statistics for the access user detection packets.

Syntax

In standalone mode:

reset access-user user-detect packet-loss-ratio [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

reset access-user user-detect packet-loss-ratio [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears entries of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

Usage guidelines

On a unified network, this command clears only the packet loss ratio statistics for IPoE user detection packets. To clear the packet loss ratio statistics for PPPoE and L2TP user detection packets on a unified network, use the reset ppp keepalive packet-loss-ratio command.

After you execute the reset access-user user-detect packet-loss-ratio command to clear the packet loss ratio statistics for detection packets, the device will re-calculate the packet loss ratio and the continuous intervals. When the packet loss ratio meets the alarm conditions continuously for three intervals, an alarm will be output. For more information, see the access-user user-detect packet-loss-ratio-threshold command.

After you execute the reset system internal ucm statistics command to clear the detection packet statistics, the device will also clear the packet loss ratio statistics and re-calculate the packet loss ratio and continuous intervals. When the alarm conditions are met, an alarm will be output.

Examples

# Clear the packet loss ratio statistics for access user detection packets on all interfaces.

<Sysname> reset access-user user-detect packet-loss-ratio

Related commands

access-user user-detect packet-loss-ratio-threshold

display access-user user-detect packet-loss-ratio

reset ppp keepalive packet-loss-ratio (BRAS Services Command Reference)

reset max-user history

Use reset max-user history to clear history information about the peak user counts.

Syntax

In standalone mode:

reset max-user history [ slot slot-number ]

In IRF mode:

reset max-user history [ chassis chassis-number slot slot-number ]

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a slot, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

Usage guidelines

This command clears the following peak user counts and the time when each peak user count was reached:

·     Maximum number of users initiating authentication concurrently.

·     Maximum number of users passing authentication concurrently.

·     Maximum number of sessions set to the driver concurrently.

·     Maximum number of users being accounted concurrently.

Examples

# (In standalone mode.) Clear history information about the peak user counts for slot 1.

<Sysname> reset max-user history slot 0

Related commands

display max-user history

slot-user-warning-threshold

Use slot-user-warning-threshold to configure the per-slot user count alarm threshold.

Use undo slot-user-warning-threshold to restore the default.

Syntax

slot-user-warning-threshold threshold-value

undo slot-user-warning-threshold

Default

The per-slot user count alarm threshold is 100.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the per-slot user count alarm threshold as a percentage (the ratio of the user count on a slot to the per-slot maximum user count allowed), in the range of 1 to 100. Setting the threshold-value argument to 100 (the default) has the same effect as not executing this command.

Usage guidelines

You can use this command to set the per-slot user count alarm threshold. When the user count on a slot exceeds the threshold, an alarm is triggered automatically, so the administrator is promptly informed of the online user load on the network.

This feature counts only the number of IPoE users, PPPoE users, and L2TP users.

·     A dual-stack PPPoE user is counted as one user.

·     A dual-stack IPoE user is counted as one user.

·     For IPoE leased users, one interface-leased user is counted as one user, and one subnet-leased user is counted as one user.

·     For IPoE leased subusers, one subuser is counted as one user.

·     L2TP users on LACs are counted in the same way as PPPoE users are counted. L2TP users on LNSs are not counted.

Suppose the per-slot maximum user count allowed is a and the per-slot user count alarm threshold is b. The following rules apply:

·     When the user count on a slot exceeds a×b, the alarm information is output.

·     When the user count on a slot drops within the normal range, the alarm clearing information is output.

In some special cases, the user count on a slot frequently changes in the critical range, which causes frequent output of alarm information and alarm clearing information. To avoid this problem, the system introduces a buffer area when the user count on a slot drops below the threshold. The buffer area size is 10% of the threshold set. Suppose the buffer area size is c. Then, c=a×b÷10. When the user count on a slot drops below a×b-c, the alarm clearing information is output.

For example, suppose a is 1000 and b is 80%. Then, c=a×b÷10=1000×80%÷10=80.

·     When the user count on a slot exceeds a×b=1000×80%=800, the alarm information is output.

·     When the user count on a slot drops below a×b-c=800-80=720, the alarm clearing information is output.
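The following added example (not H3C code) models the alarm and clearing rules above as a small state machine and runs it over a constructed series of user counts. The class and function names and the use_buffer switch are hypothetical; use_buffer=False is a comparison model without the buffer area, not a device mode.

```python
"""Added example: per-slot user count alarm with the 10% clearing buffer."""


class SlotUserAlarm:
    def __init__(self, max_users, threshold_percent, use_buffer=True):
        if not 1 <= threshold_percent <= 100:
            raise ValueError("threshold-value must be in the range of 1 to 100")
        self.a = max_users            # a: per-slot maximum user count allowed
        self.b = threshold_percent    # b: slot-user-warning-threshold value (%)
        self.use_buffer = use_buffer  # hypothetical switch, for comparison only
        self.active = False           # True while the alarm is raised

    def observe(self, users):
        """Return "alarm", "clear" or None for one user count sample."""
        # Integer arithmetic keeps the boundary comparisons exact.
        exceeds = users * 100 > self.a * self.b            # users > a×b
        if self.use_buffer:
            cleared = users * 1000 < self.a * self.b * 9   # users < a×b - a×b÷10
        else:
            cleared = not exceeds
        if not self.active and exceeds:
            self.active = True
            return "alarm"
        if self.active and cleared:
            self.active = False
            return "clear"
        return None


def events(counts, max_users, threshold_percent, use_buffer=True):
    """Return (index, user_count, event) for every alarm state change."""
    alarm = SlotUserAlarm(max_users, threshold_percent, use_buffer)
    changes = []
    for index, users in enumerate(counts):
        event = alarm.observe(users)
        if event:
            changes.append((index, users, event))
    return changes


# Constructed sample: the user count hovers around a×b = 800, then drops.
SAMPLE_COUNTS = [790, 801, 799, 805, 798, 760, 719, 750, 801]

if __name__ == "__main__":
    print("with buffer:   ", events(SAMPLE_COUNTS, 1000, 80))
    print("without buffer:", events(SAMPLE_COUNTS, 1000, 80, use_buffer=False))
```

With a=1000 and b=80, the buffered model changes state three times on the sample, while the unbuffered comparison changes state five times on the same counts.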

Both the alarm information and the alarm clearing information are output as logs and traps.

·     The log messages generated by the device are sent to the information center. The information center configuration specifies the log message sending rule and destination. For more information about the information center, see Network Management and Monitoring Configuration Guide.

·     For traps to be correctly sent to the NMS host, you must execute the snmp-agent trap enable slot-user-warning-threshold command in addition to configuring the SNMP alarm feature correctly. For more information about SNMP alarms, see SNMP configuration in Network Management and Monitoring Guide.

Examples

# Set the per-slot user count threshold to 80.

<Sysname> system-view

[Sysname] slot-user-warning-threshold 80

Related commands

snmp-agent trap enable slot-user-warning-threshold

snmp-agent trap enable slot-user-warning-threshold

Use snmp-agent trap enable slot-user-warning-threshold to enable the per-slot user count trap feature.

Use undo snmp-agent trap enable slot-user-warning-threshold to disable the per-slot user count trap feature.

Syntax

snmp-agent trap enable slot-user-warning-threshold

undo snmp-agent trap enable slot-user-warning-threshold

Default

The per-slot user count trap feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With the per-slot user count trap feature enabled, when the user count on a slot exceeds the set threshold or drops within the normal range, a trap is generated. The generated trap will be sent to the SNMP module of the device. You can set the trap sending parameters in SNMP to determine how the traps are output. For more information about traps, see Network Management and Monitoring Configuration Guide.

This feature takes effect only when the per-slot user count alarm threshold is set.

Examples

# Enable the per-slot user count trap feature.

<Sysname> system-view

[Sysname] snmp-agent trap enable slot-user-warning-threshold

Related commands

slot-user-warning-threshold

snmp-agent trap enable user-warning-threshold

Use snmp-agent trap enable user-warning-threshold to enable SNMP notifications for the device-level access user count.

Use undo snmp-agent trap enable user-warning-threshold to disable SNMP notifications for the device-level access user count.

Syntax

snmp-agent trap enable user-warning-threshold

undo snmp-agent trap enable user-warning-threshold

Default

SNMP notifications are disabled for the device-level access user count.

Views

System view

Predefined user roles

network-admin

Usage guidelines

(In standalone mode.) The number of access user sessions on the whole device refers to the total number of IPoE sessions, PPPoE sessions, and L2TP sessions on the device.

(In IRF mode.) The number of access user sessions on the whole device refers to the total number of IPoE sessions, PPPoE sessions, and L2TP sessions on the whole IRF fabric.

With SNMP notifications enabled for the device-level access user count, when the access user session count ratio on the device exceeds the threshold or returns to the normal range, the corresponding alarm is generated. The generated alarms are sent to the SNMP module of the device. You can specify how the alarms are output by setting the alarm output parameters in SNMP. For more information about alarms, see SNMP configuration in Network Management and Monitoring Guide.

For this feature to take effect, you must first configure the device-level access user count alarm threshold. Use one of the following commands to configure the device-level user count alarm threshold:

·     access-user session-threshold (Applicable to IPoE, PPPoE, and L2TP users.)

·     l2tp session-threshold (Applicable to only L2TP users.)

·     ppp session-threshold (Applicable to only PPPoE users.)

If all of the preceding commands are executed, all of them take effect. An alarm is output when any threshold is reached.

Examples

# Enable SNMP notifications for the device-level access user count.

<Sysname> system-view

[Sysname] snmp-agent trap enable user-warning-threshold

Related commands

access-user session-threshold

l2tp session-threshold (BRAS Services Command Reference)

ppp session-threshold (BRAS Services Command Reference)

trace access-user

Use trace access-user to create a service tracing object.

Use undo trace access-user to delete a service tracing object.

Syntax

trace access-user object object-id { access-mode { ipoe | lns | pppoe } | c-vlan vlan-id | interface interface-type interface-number | ip-address ip-address | mac-address mac-address | s-vlan vlan-id | tunnel-id tunnel-id | username user-name } * [ aging time | output { file file-name | syslog-server server-ip-address | vty } ] *

trace access-user object object-id [ access-mode { ipoe | lns | pppoe } | c-vlan vlan-id | interface interface-type interface-number | ip-address ip-address | mac-address mac-address | s-vlan vlan-id | tunnel-id tunnel-id | username user-name ] * calling-station-id calling-station-id

undo trace access-user { all | object object-id }

Default

No service tracing object exists.

Views

System view

Predefined user roles

network-admin

Parameters

object object-id: Specifies a service tracing object ID, in the range of 1 to 5.

access-mode: Creates a service tracing object based on an access mode.

·     ipoe: Creates a service tracing object based on the IPoE access mode.

·     lns: Creates a service tracing object based on the LNS device in L2TP access mode.

·     pppoe: Creates a service tracing object based on the PPPoE access mode.

calling-station-id calling-station-id: Creates a service tracing object based on an L2TP calling number. The calling-station-id argument specifies an L2TP calling number, a case-insensitive string of 1 to 64 characters. The L2TP calling number format is H-H-H IFNAME:SVLAN.CVLAN, where H-H-H represents the user MAC address, IFNAME represents the abbreviated name of the user access interface on the LAC, and SVLAN.CVLAN represents the outer VLAN ID and inner VLAN ID of the user. When the user does not have VLAN information, the SVLAN.CVLAN field is padded with ffff.ffff. For example, if the MAC address of a user is 000f-e235-dc71, the user access interface on the LAC is RAGG1.1, and the outer VLAN ID and inner VLAN ID of the user are 1 and 2, respectively, the L2TP calling number is 000f-e235-dc71 RAGG1.1:0001.0002.

c-vlan vlan-id: Creates a service tracing object based on an inner VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Creates a service tracing object based on the specified interface. With this option specified, the service tracing object becomes ineffective when the slot or subslot that hosts the specified interface is rebooted. Only network access users support this option.

ip-address ip-address: Creates a service tracing object based on an IP address.

mac-address mac-address: Creates a service tracing object based on a MAC address in the format of H-H-H, case-insensitive. Only network access users support this option.

s-vlan vlan-id: Creates a service tracing object based on an outer VLAN ID in the range of 1 to 4094.

tunnel-id tunnel-id: Creates a service tracing object based on an L2TP tunnel ID in the range of 1 to 65535. This option does not take effect on IPoE users.

username user-name: Creates a service tracing object based on a username, a case-sensitive string of 1 to 253 characters.

aging time: Specifies the maximum length of the tracing time in the range of 0 to 60 minutes. The default is 15. The tracing time is calculated from the time when this command is configured. The service object is no longer traced after the tracing time expires. The value of 0 indicates that the tracing time never expires and the device will always trace the service object. To stop tracing a service object, delete the service tracing object by using the undo form or shut down the VTY where the command is executed.

output: Specifies the location to which the service tracing object information is output. By default, the service tracing object information is output to the VTY monitor terminal.

·     file file-name: Outputs the service tracing information to the storage medium on the device. For the specific storage location, execute the display trace access-user command. The file-name argument represents the name of the file storing the service tracing information in the storage medium, a case-sensitive string of 1 to 63 characters. For the configuration to take effect, make sure the file-name argument does not contain the working directory.

·     syslog-server server-ip-address: Outputs the service tracing information to the log server specified by its IP address.

·     vty: Outputs the service tracing information to the current VTY monitor terminal.

all: Specifies all service tracing objects.

Usage guidelines

You can create service tracing objects to trace access user information, such as login and logout information. By specifying match parameters, you can trace specific access users.

This command is resource intensive. As a best practice, use this command only when troubleshooting devices.

When the syslog-server server-ip-address option is specified, make sure the device and the specified log server can reach each other and the log server configuration is correct.

(In standalone mode.) Active/standby MPU switchover causes the command to be ineffective.

(In IRF mode.) Active/standby global MPU switchover causes the command to be ineffective.

Because an LNS cannot obtain the MAC address or inner/outer VLAN information of access users, the mac-address, c-vlan, or s-vlan keyword in this command does not take effect. For example, when the access-mode lns and the mac-address, c-vlan, or s-vlan keyword are configured in this command, only the access-mode lns configuration takes effect.

Examples

# Create service tracing object 1.

<Sysname> system-view

[Sysname] trace access-user object 1 access-mode ipoe interface ten-gigabitethernet 0/0/15.1 ip-address 1.1.1.2 mac-address 1-2-3 c-vlan 2 s-vlan 3
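The following added example (not H3C code) parses and validates an L2TP calling number in the H-H-H IFNAME:SVLAN.CVLAN format described for the calling-station-id argument, for example before using a value taken from a log as a trace filter. All names are hypothetical. Two points are assumptions: the VLAN fields are read as zero-padded decimal (the page shows only 0001.0002), and MAC groups shorter than four hexadecimal digits are accepted and zero-padded.

```python
"""Added example: parse an L2TP calling number (H-H-H IFNAME:SVLAN.CVLAN)."""
import re
from typing import NamedTuple, Optional

NO_VLAN = "ffff"  # padding used when the user has no VLAN information


class CallingNumber(NamedTuple):
    mac: str               # normalised to lowercase hhhh-hhhh-hhhh
    ifname: str            # abbreviated LAC interface name, kept as received
    s_vlan: Optional[int]  # outer VLAN ID, None when padded with ffff
    c_vlan: Optional[int]  # inner VLAN ID, None when padded with ffff


PATTERN = re.compile(
    r"([0-9a-f]{1,4})-([0-9a-f]{1,4})-([0-9a-f]{1,4}) "  # H-H-H
    r"(\S+):"                                             # IFNAME
    r"([0-9a-f]{4})\.([0-9a-f]{4})",                      # SVLAN.CVLAN
    re.IGNORECASE,                                        # string is case-insensitive
)


def decode_vlan(field):
    if field.lower() == NO_VLAN:
        return None
    if not field.isdigit():  # assumption: zero-padded decimal VLAN ID
        raise ValueError(f"VLAN field {field!r} is neither decimal nor ffff")
    vlan_id = int(field)
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside 1 to 4094")
    return vlan_id


def parse_calling_number(text):
    if not 1 <= len(text) <= 64:
        raise ValueError("calling-station-id must be 1 to 64 characters")
    match = PATTERN.fullmatch(text)
    if match is None:
        raise ValueError("not in H-H-H IFNAME:SVLAN.CVLAN format")
    mac = "-".join(group.lower().zfill(4) for group in match.group(1, 2, 3))
    return CallingNumber(mac, match.group(4),
                         decode_vlan(match.group(5)), decode_vlan(match.group(6)))


def format_calling_number(number):
    def encode(vlan_id):
        return NO_VLAN if vlan_id is None else f"{vlan_id:04d}"
    return (f"{number.mac} {number.ifname}:"
            f"{encode(number.s_vlan)}.{encode(number.c_vlan)}")


def is_valid_calling_number(text):
    try:
        parse_calling_number(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The calling number from the parameter description above.
    print(parse_calling_number("000f-e235-dc71 RAGG1.1:0001.0002"))
```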

Related commands

display trace access-user

user-policy interface-down online

Use user-policy interface-down online to keep the users online after the interface goes down.

Use undo user-policy interface-down to restore the default.

Syntax

user-policy interface-down online [ no-user-detect ]

undo user-policy interface-down

Default

Users on an interface are forced to go offline after the interface goes down.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

online: Keeps users online after the interface goes down.

no-user-detect: Does not perform online detection on users after the interface goes down. If you do not specify this keyword, online detection is still performed for users on the interface after the interface goes down, and users that fail online detection are forcibly logged out.

Usage guidelines

Application scenarios

To prevent users from frequently coming online and going offline because the interface frequently comes up and goes down, you can use this command to keep users online after the interface goes down.

When you configure an interface to keep users online after the interface goes down, specify the no-user-detect keyword to prevent users from being logged out for failing online detection while the interface recovers from down to up.

Restrictions and guidelines

·     This command takes effect only on PPPoE and IPoE access users.

·     When the interface goes down after this command is executed, if you execute this command again to modify the parameter settings, the new settings do not take effect immediately, and the old settings before the interface goes down still take effect. The new settings take effect only when the down interface comes up and then goes down. For example, if you first execute the user-policy interface-down online command, and then execute the user-policy interface-down online no-user-detect command after the interface goes down, the user-policy interface-down online command executed before the interface goes down still takes effect. The user-policy interface-down online no-user-detect command configuration takes effect only when the down interface comes up and then goes down.

·     After you execute this command on a unified network, if you execute the undo form after the interface goes down, users on the interface will be forcibly logged out.

·     As a best practice, do not execute the user-policy interface-down online command in a VSRP network, because this command does not take effect in a VSRP network. Whether users on a primary/secondary interface will be forcibly logged out when the interface goes down depends on the VSRP state and is independent of the configuration of this command. If you execute the undo user-policy interface-down online command when the interface goes down, users might be logged out abnormally.

Examples

# Allow users on Ten-GigabitEthernet 0/0/15 to keep online after the interface goes down.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/15

[Sysname-Ten-GigabitEthernet0/0/15] user-policy interface-down online

Related commands

ip subscriber user-detect ip (BRAS Services Command Reference)

ip subscriber user-detect ipv6 (BRAS Services Command Reference)

timer-hold (BRAS Services Command Reference)

timer-hold retry (BRAS Services Command Reference)
