On a CUPS network, this device acts only as a UP. When executing operation commands in this chapter (commands except the display commands), follow these restrictions and guidelines:

· If a command is tagged with (UPs), this command can be executed only on a UP. Before executing this command on a UP, make sure you are fully aware of the impact of this command on the current network and prevent configuration errors from causing network failures.

· If a command does not have any tag, this command can be executed only on a CP by default. To execute this command on a UP, do that under the guidance of professionals, make sure you are fully aware of the impact of this command on the current network, and prevent configuration errors from causing network failures.

PPPoE server commands

display pppoe-server chasten configuration

Use display pppoe-server chasten configuration to display PPPoE user blocking configuration information.

Syntax

display pppoe-server chasten configuration [ global | interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays global PPPoE user blocking configuration information.

interface interface-type interface-number: Displays PPPoE user blocking configuration information on an interface specified by its type and number. Make sure the interface has PPPoE user blocking enabled. Otherwise, information is not displayed for the interface.

Usage guidelines

If you do not specify any parameter, this command displays global PPPoE user blocking configuration information and the PPPoE user blocking configuration information of all interfaces.

Examples

# ‌Display PPPoE user blocking configuration information.

<Sysname> display pppoe-server chasten configuration

Global configuration:

Method: MAC Quickoffline: Y

Multi-sessions-permac: Y Requests: 6

Request-period(S): 60 Blocking-period(S): 300

Global configuration:

Method: Option105 Quickoffline: N

Multi-sessions-permac: Y Requests: 6

Request-period(S): 60 Blocking-period(S): 300

Interface: XGE3/1/1

Method: MAC Quickoffline: Y

Multi-sessions-permac: Y Requests: 6

Request-period(S): 60 Blocking-period(S): 300

Interface: XGE3/1/2

Method: Option105 Quickoffline: N

Multi-sessions-permac: N Requests: 10

Request-period(S): 100 Blocking-period(S): 1000

Table 1 Command output

Field	Description
Global configuration	Global PPPoE user blocking configuration information.
Interface	PPPoE user blocking configuration information on the interface.
Method	Detection type of PPPoE user blocking: · MAC—MAC-based PPPoE user blocking. · Option105—Option105-based PPPoE user blocking.
Quickoffline	Blocking type: · Y—The users are blocked because the number of times users go offline immediately after coming online reach the limit during the detection period. · N—The users are blocked because the connection requests reach the limit during the detection period.
Multi-sessions-permac	When PPPoE users are blocked based on MAC address, whether a single user is permitted to establish multiple PPPoE sessions: · Y—Permitted. · N—Not permitted.
Requests	Times of PPPoE connection requests.
Request-period(S)	Detection period in seconds.
Blocking-period(S)	PPPoE user blocking period in seconds.

‌

Related commands

pppoe-server connection chasten

pppoe-server connection chasten option105

display pppoe-server chasten per-interface

Use display pppoe-server chasten per-interface to display the PPPoE protocol packet attack prevention entries.

Syntax

In standalone mode:‌

display pppoe-server chasten per-interface [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-server chasten per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the PPPoE protocol packet attack prevention entries of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameter, this command displays the PPPoE protocol packet attack prevention entries of all interfaces.

Examples

# (In IRF mode.) ‌Display the PPPoE protocol packet attack prevention entries of all interfaces.

<Sysname> display pppoe-server chasten per-interface

Slot 3:

Interface Lifetime(S) Agetime(S) DrvStatus Drops

XGE3/1/1 1200 2000 Active 3000

XGE3/1/2 1000 1500 Inactive 0

Table 2 Command output

Field	Description
Interface	Interface name.
Lifetime(S)	Lifetime of the attack prevention entry, in seconds.
Agetime(S)	Aging time of the attack prevention entry, in seconds. After the timer times out, rate-limiting on PPPoE protocol packets received on the interface is canceled.
DrvStatus	Status of issuing the attack prevention entry to the driver: · Active—The entry is successfully issued to the driver. Only entries in this state take effect. · Inactive—The entry failed to be issued to the driver, or the entry is not issued to the driver because the device does not support this entry.
Drops	Number of PPPoE protocol packets dropped on the interface.

‌

Related commands

pppoe-server connection chasten per-interface

display pppoe-server chasten per-interface configuration

Use display pppoe-server chasten per-interface configuration to display the PPPoE protocol packet attack prevention configuration information.

Syntax

display pppoe-server chasten per-interface configuration [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

Examples

#‌Display the PPPoE protocol packet attack prevention configuration information of al interfaces.

<Sysname> display pppoe-server chasten per-interface configuration

Interface Number Interval(S) Rate-limit-period(S)

XGE3/1/1 6 60 300

XGE3/1/2 10 100 1000

Table 3 Command output

Field	Description
Interface	Interface name.
Number	Number of PPPoE protocol packets received.
Interval(S)	Detection interval of the PPPoE protocol packet attack prevention feature, in seconds.
Rate-limit-period(S)	Period for which the PPPoE protocol packets are rate-limited, in seconds.

‌

Related commands

pppoe-server connection chasten per-interface

display pppoe-server chasten statistics

Use display pppoe-server chasten user to display statistics about PPPoE user blocking.

Syntax

In standalone mode:‌

display pppoe-server chasten statistics [ mac-address | option105 ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-server chasten statistics [ mac-address | option105 ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies MAC-based user blocking information.

option105: Specifies option105-based user blocking information.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the command displays PPPoE user blocking statistics for all interfaces.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any keywords, the command displays all PPPoE user blocking statistics. For a blocked PPPoE user, this command displays the blocking entries generated for the user on all slots. For how blocking entries are generated, see the pppoe-server connection chasten command and the pppoe-server connection chasten option105 command.

Examples

#‌Display PPPoE user blocking statistics on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-server chasten statistics interface ten-gigabitethernet 3/1/1

Statistics of users possibly to be blocked:

Non-quickoffline by MAC : 0

Quickoffline by MAC : 0

Non-quickoffline by Option105 : 0

Quickoffline by Option105 : 0

Statistics of users blocked:

Non-quickoffline by MAC : 0

Quickoffline by MAC : 1

Non-quickoffline by Option105 : 0

Quickoffline by Option105 : 0

Table 4 Command output

Field	Description
Statistics of users possibly to be blocked	Statistics of PPPoE users who might be blocked (the blocking feature has detected these users but the blocking conditions have not been met).
Non-quickoffline by MAC	Number of MAC-based users blocked because the PPP connection requests reach the limit during the detection period.
Quickoffline by MAC	Number of MAC-based users blocked because the number of times users go offline immediately after coming online reach the limit during the detection period.
Non-quickoffline by Option105	Number of option105-based users blocked because the connection requests reach the limit during the detection period.
Quickoffline by Option105	Number of option105-based users blocked because the number of times users go offline immediately after coming online reach the limit during the detection period.

‌

Related commands

display pppoe-server chasten user

pppoe-server connection chasten

pppoe-server connection chasten option105

display pppoe-server chasten user

Use display pppoe-server chasten user to display information about blocked PPPoE users.

Syntax

In standalone mode:‌

display pppoe-server chasten user [ mac-address [ mac-address ] | option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

In IRF mode:

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies the MAC-based blocked PPPoE users..

mac-address: Specifies a user's MAC address in the format of H-H-H. If you specify the mac-address keyword but do not specify this argument, the command displays information about all MAC-based blocked PPPoE users.

option105: Specifies option105-based blocked PPPoE users.

circuit-id circuit-id: Specifies fuzzy matching of a circuit ID, a case-sensitive string of 1 to 127 characters. For example, if the circuit-id argument is abc, information about users whose circuit IDs contain abc will be displayed.

remote-id remote-id: Specifies fuzzy matching of a remote ID, a case-sensitive string of 1 to 127 characters. For example, if the remote-id argument is abc, information about users whose remote IDs contain abc will be displayed.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the command displays information about blocked PPPoE users on all interfaces.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about blocked PPPoE users.

Usage guidelines

If you do not specify any keywords, the command displays brief information about all blocked PPPoE users.

Examples

# (In standalone mode.) ‌Display brief information about all blocked PPPoE users.

<Sysname> display pppoe-server chasten user slot 3

Slot 3:

Type: N-non-Quickoffline Q-Quickoffline

MAC/Option105 VLAN ID Interface Aging(S) Type Drops

0001-0001-0001 N/A XGE3/1/1 89 N 1000

circuitid:123 N/A XGE3/1/1 10 Q 1000

remoteid:abcde

# (In standalone mode.) ‌Display detailed information about all blocked PPPoE users.

<Sysname> display pppoe-server chasten user interface ten-gigabitethernet 3/1/1 verbose

Slot 3:

MAC address: 0001-0001-0001

VLAN ID: N/A

Interface: XGE3/1/1

Aging(S): 89

Type: Non-Quickoffline

Drops: 1000

Lifetime(S): 1000

DrvStatus: Active

Option105: (circuitid:123 remoteid:abcde)

Vlan ID: N/A

Interface: XGE3/1/1

Aging(S): 10

Type: Quickoffline

Drops: 1000

Lifetime(S): 1000

DrvStatus: Inactive

Table 5 Command output

Field	Description
MAC/Option105	MAC-based or option105-based blocked PPPoE users: · For a MAC-based user, the MAC address is displayed. · For an option105-based user, the circuit ID and remote ID are displayed.
VLAN ID	VLAN to which a blocked user belongs. This field displays only the outermost VLAN information if the user has multiple VLAN tags. This field displays N/A for a user that does not have VLAN information, for example, an option105-based user.
Interface	Access interface for a blocked user.
Aging(S)	On devices in common mode or CP and UP separation (CUPS) mode, this field indicates the remaining blocking time for a blocked user. When the timer times out, the user is unblocked. On devices in data plane mode, this field is insignificant and displays 0.
Type	Blocking type: · N (or Non-Quickoffline)—Non-quickoffline users, the users that are blocked because the connection requests reach the limit during the detection period. · Q (or Quickoffline)—Quickoffline users, the users that are blocked because the number of times users go offline immediately after coming online reach the limit during the detection period.
Drops	Number of PPPoE protocol packets that have been dropped for a blocked user.
Lifetime(S)	Lifetime of the attack prevention entry, in seconds.
DrvStatus	Status of issuing the attack prevention entry to the driver: · Active—The entry is successfully issued to the driver. Only entries in this state take effect. · Inactive—The entry is not issued to the driver or the entry fails to be issued to the driver.

‌

Related commands

display pppoe-server chasten statistics

pppoe-server connection chasten

pppoe-server connection chasten option105

reset pppoe-server chasten user

display pppoe-server packet statistics

Use display pppoe-server packet statistics to display PPPoE server negotiation packet statistics.

Syntax

In standalone mode:‌

display pppoe-server packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-server packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) ‌Display PPPoE server negotiation packet statistics for the specified slot.

<Sysname> display pppoe-server packet statistics slot 1

PPPoE server packet statistics in slot 1:

RECV_PADI_PKT : 10 DISCARD_PADI_PKT : 0

SEND_PADO_PKT : 10

RECV_PADR_PKT : 10 DISCARD_PADR_PKT : 0

SEND_PADS_PKT : 10

RECV_PADT_PKT : 9 DISCARD_PADT_PKT : 0

SEND_PADT_PKT : 9

Table 6 Command output

Field	Description
RECV_PADI_PKT	Number of received PADI packets.
DISCARD_PADI_PKT	Number of discarded PADI packets.
SEND_PADO_PKT	Number of sent PADO packets.
RECV_PADR_PKT	Number of received PADR packets.
DISCARD_PADR_PKT	Number of discarded PADR packets.
SEND_PADS_PKT	Number of sent PADS packets.
RECV_PADT_PKT	Number of received PADT packets.
DISCARD_PADT_PKT	Number of discarded PADT packets.
SEND_PADT_PKT	Number of sent PADT packets.

‌

Related commands

pppoe-server block

reset pppoe-server packet statistics

display pppoe-server session summary

Use display pppoe-server session summary to display summary PPPoE session information.

Syntax

In standalone mode:‌

display pppoe-server session summary [ [ interface interface-type interface-number | slot slot-number [ cpu cpu-number ] ] | mac-address mac-address ] *

In IRF mode:

display pppoe-server session summary [ [ interface interface-type interface-number | chassis chassis-number slot slot-number [ cpu cpu-number ] ] | mac-address mac-address ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

mac-address mac-address: Specifies a PPPoE user by its MAC address in the format of H-H-H.

Usage guidelines

Summary PPPoE session information on a physical interface can be displayed only on the card where the interface resides. Summary PPPoE session information on a logical interface can be displayed on all cards.

Examples

#‌Display summary PPPoE session information on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-server session summary interface ten-gigabitethernet 3/1/1

Total PPPoE sessions: 2

Ethernet interface: XGE3/1/1 Session ID: 1

PPP index: 0x140000105 State: PADR_RCVD

Remote MAC: 00e0-1500-7100 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

Ethernet interface: XGE3/1/1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC:00e0-1600-7200 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

# (In standalone mode.) ‌Display summary PPPoE session information on the MPU in the specified slot.

<Sysname> display pppoe-server session summary slot 3

Total PPPoE sessions on slot 3: 2

Local PPPoE sessions on slot 3: 1

Ethernet interface: XGE3/1/2 Session ID: 1

PPP index: 0x140000105 State: OPEN

Remote MAC: 0000-0000-0005 Local MAC: 0000-5e00-0101

Service VLAN: N/A Customer VLAN: N/A

Ethernet interface: RAGG1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC: 0050-56c0-0005 Local MAC: 0000-5e00-0102

Service VLAN: N/A Customer VLAN: N/A

Table 7 Command output

Field	Description
Total PPPoE sessions	Total number of PPPoE sessions. When a slot is specified in this command, this field displays the total number of PPPoE sessions coming online through physical interfaces in the slot and all global PPPoE sessions in the system.
Local PPPoE sessions	Total number of PPPoE sessions. · The PPPoE sessions coming online through a physical interface are counted on the slot of the physical interface. · (In standalone mode.) The PPPoE sessions coming online through a global interface are counted on the slot of the active MPU. · (In IRF mode.) The PPPoE sessions coming online through a global interface are counted on the slot of the global active MPU. When an interface is specified, this field is not displayed.
Ethernet interface	Interface where the PPPoE session is present.
Session ID	PPPoE session ID.
PPP index	Index of the PPP session.
PPP interface	Virtual access interface created for the PPPoE session.
State	PPPoE session state: · PADR RCVD—The PPPoE session is being negotiated. · Open—The PPPoE session has been successfully established. · OFFLINE—The PPPoE session is being deleted. · BACKUP—The PPPoE session on the backup VSRP peer is to be activated.
RemoteMAC	MAC address of the remote end.
LocalMAC	MAC address of the local end.
Service VLAN	Service provider VLAN. N/A means no service provider VLAN is available.
Customer VLAN	Customer VLAN. N/A means no customer VLAN is available.

‌

Related commands

reset pppoe-server

display pppoe-server throttled-mac

Use display pppoe-server throttled-mac to display information about blocked users.

Syntax

In standalone mode:‌

display pppoe-server throttled-mac { slot slot-number [ cpu cpu-number ] | interface interface-type interface-number }

In IRF mode:

display pppoe-server throttled-mac { chassis chassis-number slot slot-number [ cpu cpu-number ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

#‌Display information about blocked users on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-server throttled-mac interface ten-gigabitethernet 3/1/1

Total 3 client MACs:

Interface Remote MAC Start time Remaining time(s)

XGE3/1/1 00e0-1500-4100 2019-12-01,12:10:30 55

XGE3/1/1 00e0-1500-4000 2019-12-01,12:10:40 65

XGE3/1/1 00e0-1500-3300 2019-12-01,12:10:50 75

Table 8 Command output

Field	Description
Interface	Interface at which the user is blocked.
Remote MAC	MAC address of the user.
Start time	Time to start blocking users.
Remaining time(s)	Time left for blocking users, in seconds.

‌

Related commands

pppoe-server throttle per-mac

pppoe-server access-delay

Use pppoe-server access-delay to set the response delay time for PPPoE users on an interface.

Use undo pppoe-server access-delay to restore the default.

Syntax

pppoe-server access-delay delay-time [ even-mac | odd-mac ]

undo pppoe-server access-delay [ even-mac | odd-mac ]

Default

No response delay time is set for PPPoE users on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the response delay time for PPPoE users, in the range of 10 to 25500 milliseconds.

even-mac: Specifies users with even MAC addresses.

odd-mac: Specifies users with odd MAC addresses.

Usage guidelines

Application scenarios

This feature is suitable for administrators to deploy multiple BRAS devices in the network, and distribute user loads and backups among these devices based on odd/even MAC addresses.

As shown in Figure 1, to provide device-level backup and traffic load balancing, two BRAS devices are deployed in the network, with the following configurations:

· Configure BRAS A to delay responses for users with even MAC addresses, and maintain the default setting (no response delay) for users with odd MAC addresses.

· Configure BRAS B to delay responses for users with odd MAC addresses, and maintain the default setting (no response delay) for users with even MAC addresses.

In this case, under normal circumstances, BRAS A responds to the online requests of users with odd MAC addresses before BRAS B, so users with odd MAC addresses prefer to come online through BRAS A. Similarly, BRAS B responds to the online requests of users with even MAC addresses before BRAS A, so users with even MAC addresses prefer to come online through BRAS B. This achieves load balancing of user traffic between BRAS A and BRAS B.

Figure 1 Response delay time functionality (both BRAS devices operate correctly)

‌

As shown in Figure 2, when a BRAS device (assuming BRAS A) malfunctions, BRAS B provides access services for all users, thus achieving device-level backup.

· For users with odd MAC addresses who have not come online before the failure of BRAS A, these users can directly come online through BRAS B.

· For users with odd MAC addresses who have come online before the failure of BRAS A, these users must disconnect first before they can come online through BRAS B.

Figure 2 Response delay time functionality (one BRAS device fails)

‌

Operating mechanism

With the response delay time set for PPPoE user access, the system delays responses to the online requests of PPPoE users according to the configured time. You can set different response delay times for users with odd and even MAC addresses respectively.

Restrictions and guidelines

· In this scenario, you must configure address isolation between BRAS devices. Public address pools, private address pools, and NAS-IP addresses must be uniquely configured on each BRAS device and cannot be cross-utilized. If you cannot do that, route issues might occur. For example, if NAS-IP address 1.1.1.1 is configured on one BRAS device, then you cannot configure the NAS-IP address on another BRAS device as 1.1.1.1.

· You can use this feature in conjunction with the pppoe-server access-delay odd-even mac offset command to flexibly deploy access response delay strategies for odd and even MAC users based on MAC address offsets. For more information, see the pppoe-server access-delay odd-even mac offset command.

· This feature takes effect only for PPPoE users that attempt to come online afterward and has no impact on currently online PPPoE users.

Examples

#‌Set the response delay time for PPPoE users to 10000 milliseconds on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-delay 10000

Related commands

pppoe-server access-delay odd-even mac offset

Use pppoe-server access-delay odd-even mac offset to specify the MAC address offset for response delay of PPPoE user access.

Use undo pppoe-server access-delay odd-even mac offset to restore the default.

Syntax

pppoe-server access-delay odd-even mac offset offset-value

undo pppoe-server access-delay odd-even mac offset

Default

No offset is specified for matching the MAC addresses of PPPoE users. The parity of the MAC address is determined by the lowest bit of the MAC address (using the left-high and right-low principle).

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

offset-value: Specifies the user MAC address offset in the range of 1 to 47 bits.

Usage guidelines

Application scenarios

The parity bit is used by the BRAS device to determine the parity of a user's MAC address. In this context, the bit value of 0 indicates an even MAC address, while a value of 1 indicates an odd MAC address.

By default, the device only selects the lowest bit of a user's MAC address as the parity bit to determine the parity of the MAC address. It then uses the delay time configured by the pppoe-server access-delay command to delay the response to the user's online requests based on the parity of the MAC address.

To flexibly specify a certain bit in a user's MAC address as the basis for determining the parity of the address, you can specify the offset.

Operating mechanism

With the MAC address offset specified, when the device receives a PPPoE user's online request, it uses the principle of offsetting from the low bit to the high bit. The (offset-value+1)th bit of the user's MAC address is as the offset parity bit to determine whether the user's MAC address is odd or even. Then, based on the delay time for odd or even MAC addresses, the device delays the response to the user's online request.

For example, as shown in Figure 3, for a PPPoE user with MAC address 0012-3400-ABCD, the parity bit value for this MAC address is 1 by default, indicating an odd MAC address. If you set the offset value to 17 bits, the parity bit (starting from the default parity bit, the 17+1=18th bit) value for this user's MAC address becomes 0, indicating an even MAC address.

Figure 3 MAC address offset calculation

‌

Restrictions and guidelines

· This feature must be used together with the pppoe-server access-delay command. If pppoe-server access-delay is not configured, the device responds to the access requests of PPPoE users immediately regardless of the configured MAC address offset value.

· This feature takes effect only for PPPoE users that attempt to come online afterward and has no impact on currently online PPPoE users.

Examples

#‌Configure response delay for PPPoE users with odd MAC addresses, set the delay time to 10000 milliseconds, and set the MAC address offset to 17 bits.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-delay 10000 odd-mac

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-delay odd-even mac offset 17

Related commands

pppoe-server access-delay

pppoe-server access-line-id bas-info

Use pppoe-server access-line-id bas-info to configure the NAS-Port-ID attribute to automatically include BAS information on an interface.

Use undo pppoe-server access-line-id bas-info to restore the default.

Syntax

pppoe-server access-line-id bas-info [ cn-163 | cn-163-redback ]

undo pppoe-server access-line-id bas-info

Default

The NAS-Port-ID attribute does not automatically include BAS information on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

cn-163: Specifies the China-Telecom 163 format for the BAS information.

cn-163-redback: Specifies the China-Telecom 163 Redback format for the BAS information.

Usage guidelines

Operating mechanism

The BAS information formats include the following formats:

· China-Telecom format—The China-Telecom format is {eth|trunk|atm} NAS_slot/NAS_subslot/NAS_port:XPI.XCI. The format refers to the user access interface information on the BRAS, including upstream interface, VLAN, and VPI/VCI information:

¡ When Ethernet/DSL is used, XPI.XCI refers to VLAN information.

¡ When ATM/DSL is used, XPI.XCI refers to VPI/VCI information.

For example, eth 3/1/1:4096.2345 includes the following user access interface information:

¡ The type of the upstream interface is Ethernet interface.

¡ The interface is located at slot 3, subslot 1, and port 1 .

¡ The outer VLAN ID is 4096 (which means an invalid VLAN), and the inner VLAN ID is 2345.

In a non-CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. On an IRF fabric, when you need to specify the access IRF member device of a user on the AAA server, use the access-user four-dimension-mode enable command to configure the device to use four-dimensional interfaces to communicate with AAA servers. In this case, the BAS information in China Telecom format is {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

In a CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. If the access-user four-dimension-mode enable command is executed, when a PPPoE user accesses through a UP, the UP ID information is added before the NAS_slot in the BAS information. In this case, the BAS information in China-Telecom format is {eth|trunk|atm} UP_ID/NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

· China-Telecom 163 format—Table 9 shows the China-Telecom 163 format, where:

¡ NAS_slot, NAS_subslot, and NAS_port refer to the numbering information of the PPPoE user access interface on the BRAS.

¡ vpi and vci refer to VPI and VCI information.

¡ vlanid and vlanid2 refer to inner VLAN and outer VLAN, respectively. Value for the vlanid of the primary interface is fixed at 0.

In a non-CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. On an IRF fabric, when you need to specify the access IRF member device of a user on the AAA server, use the access-user four-dimension-mode enable command to configure the device to use four-dimensional interfaces to communicate with AAA servers. For example, for a main interface on an IRF fabric, the BAS information is China Telecom 163 format is: chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id.

In a CUPS network, the device uses three-dimensional interfaces to communicate with servers by default. If the access-user four-dimension-mode enable command is executed, when a PPPoE user accesses through a UP, the UP ID information is added before slot in the BAS information. In this case, for a main interface in a CUPS network, the BAS information in China-Telecom 163 format is chassis=UP_ID;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id.

Table 9 BAS information in China-Telecom 163 format

Interface type	Format
ATM interface	slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vpi=XPI;vci=XCI;
Primary interface or interface that does not carry inner VLAN or outer VLAN information.	slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id;
Interface that carries inner VLAN and outer VLAN information.	slot=NAS_slot;subslot=NAS_subslot;port=NAS_port;vlanid=VLAN id;vlanid2=VLAN id2;

‌

· China-Telecom 163 Redback format—The China-Telecom 163 Redback format is the same as the China-Telecom 163 format except in the VLAN information. In the China-Telecom 163 Redback format, the vlanid and vlanid2 fields refer to outer VLAN and inner VLAN, respectively. In the other sections, both BAS information in the China-Telecom 163 format and BAS information in the China-Telecom 163 Redback format are described in the China-Telecom 163 format as an example.

This command specifies whether to automatically insert BAS information into the NAS-Port-ID attribute:

· If you disable the function of automatically inserting BAS information, for information about the content in the NAS-Port-ID attribute that the BRAS sends to the RADIUS server, see the pppoe-server access-line-id content command.

· If you enable the function of automatically inserting BAS information and execute the pppoe-server access-line-id trust command, the contents are generated as follows for the NAS-Port-ID attribute that the BRAS sends to the RADIUS server:

¡ If BAS information in China Telecom 163 format is inserted, the BAS information is inserted before the circuit-id field. The BAS information+circuit-id combination is sent to the RADIUS server as the NAS-Port-ID attribute.

¡ If BAS information in China Telecom format is inserted, the BAS information and the user access information on the DSLAM in the original circuit-id information are used to construct the circuit-id in China Telecom format. The circuit-id in China Telecom format is sent to the RADIUS server as the NAS-Port-ID attribute.

· If you enable the function of automatically inserting BAS information but do not execute the pppoe-server access-line-id trust command, the device does not copies the circuit-id or remote-id in packets to the NAS-Port-ID attribute. In this case, the NAS-Port-ID attribute sent to the RADIUS server contains only the BAS information as follows:

¡ If BAS information in China Telecom 163 format is inserted, the BAS information in China Telecom 163 format is sent to the RADIUS server as the NAS-Port-ID attribute.

¡ If BAS information in China Telecom format is inserted, the BAS information in China Telecom format is sent to the RADIUS server as the NAS-Port-ID attribute.

Prerequisites

This feature involves the use of the access-user four-dimension-mode enable command. Before using this feature, see BRAS Services Command Reference for detailed guidelines on how to use the access-user four-dimension-mode enable command.

Restrictions and guidelines

If you do not specify any keyword, BAS information in the China-Telecom format is included.

The RADIUS server cannot correctly parse a NAS-Port-ID attribute that includes the remote-id and BAS information. When you execute this command together with the pppoe-server access-line-id trust command, make sure the NAS-Port-ID attribute sent to the RADIUS sever does not include the remote-id.

Examples

#‌Configure the NAS-Port-ID attribute to automatically include BAS information on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id bas-info

Related commands

access-user four-dimension-mode enable (BRAS Services Command Reference)

pppoe-server access-line-id content

pppoe-server access-line-id trust

· pppoe-server nas-port-id interface

pppoe-server access-line-id circuit-id trans-format

Use pppoe-server access-line-id circuit-id trans-format to configure the transmission format for the circuit-id in access line ID on an interface.

Use undo pppoe-server access-line-id circuit-id trans-format to restore the default.

Syntax

pppoe-server access-line-id circuit-id trans-format { ascii | hex }

undo pppoe-server access-line-id circuit-id trans-format

Default

The transmission format for the circuit-id in access line ID is a string of characters on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the character string format. For example, the circuit-id 00010002 is transmitted in the form of 01 08 30 30 30 31 30 30 30 32.

hex: Specifies the hexadecimal format. For example, the circuit-id 00010002 is transmitted in the form of 01 04 00 01 00 02.

Examples

#‌Configure Ten-GigabitEthernet 3/1/1 to use the hexadecimal format to transmit the circuit-id.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id circuit-id trans-format hex

pppoe-server access-line-id content

Use pppoe-server access-line-id content to configure the content of the NAS-Port-ID attribute delivered to the RADIUS server on an interface.

Use undo pppoe-server access-line-id content to restore the default.

Syntax

pppoe-server access-line-id content { all [ separator ] | circuit-id | remote-id }

undo pppoe-server access-line-id content

Default

The NAS-Port-ID attribute contains only the circuit-id on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

all: Sends both the circuit-id and remote-id.

separator: Specifies a separator that is one character long. By default, the value is a blank space. The circuit-id and remote-id are connected by the separator.

circuit-id: Sends only the circuit-id.

remote-id: Sends only the remote-id.

Usage guidelines

Operating mechanism

The PPPoE server on a BRAS uses the RADIUS NAS-Port-ID attribute to send the access line ID received from a DSLAM device to the RADIUS server. The access line ID contains the circuit-id and remote-id. The RADIUS server compares the received NAS-Port-ID attribute with the local line ID information to verify the location of the user.

For more information about the circuit-id, see the pppoe-server access-line-id circuit-id parse-mode command.

For more information about the remote-id, see pppoe-server access-line-id remote-id trans-format the command.

Restrictions and guidelines

Do not use a character that exists in the circuit-id or remote-id as the separator. Otherwise, the RADIUS server might fail to parse the ID information.

This command takes effect only when the pppoe-server access-line-id trust command is executed.

When the pppoe-server access-line-id bas-info command is not executed, the following rules apply:

· If the pppoe-server access-line-id trust command is executed, the following rules apply:

¡ If the circuit-id or remote-id configured in the pppoe-server access-line-id content command is effective (non-null), the specified circuit-id or remote-id is sent to the RADIUS server as the NAS-Port-ID attribute. The exception is that, when the nas logic-port command is also executed in a UP backup network, the NAS-PORT-ID attribute sent to the RADIUS server contains BAS information in China Telecom 163 format plus the circuit-id or remote-id configured by using the pppoe-server access-line-id content command. The exception is that, when the nas logic-port command is also executed in a UP backup network, the NAS-PORT-ID attribute sent to the RADIUS server contains BAS information in China Telecom 163 format plus the circuit-id or remote-id configured by using the pppoe-server access-line-id content command.

¡ If the circuit-id or remote-id configured in the pppoe-server access-line-id content command is null, the BAS information in China Telecom 163 format is sent to the RADIUS server as the NAS-Port-ID attribute. For more information, see the pppoe-server access-line-id bas-info command.

· If the pppoe-server access-line-id trust command is not executed, the BAS information in China Telecom 163 format is sent to the RADIUS server as the NAS-Port-ID attribute. For more information, see the pppoe-server access-line-id bas-info command.

If the pppoe-server access-line-id bas-info command is executed, this command determines the content of the NAS-Port-ID attribute.

Examples

#‌Configure Ten-GigabitEthernet 3/1/1 to deliver only the circuit-id to the RADIUS server.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id content circuit-id

Related commands

pppoe-server access-line-id bas-info

pppoe-server access-line-id remote-id trans-format

Use pppoe-server access-line-id remote-id trans-format to configure the transmission format for the remote-id in the access line ID on an interface.

Use undo pppoe-server access-line-id remote-id trans-format to restore the default.

Syntax

pppoe-server access-line-id remote-id trans-format { ascii | hex }

undo pppoe-server access-line-id remote-id trans-format

Default

The transmission format for the remote-id is a string of characters on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

ascii: Specifies the character string format.

hex: Specifies the hexadecimal format.

Usage guidelines

The remote-id is the system MAC address of a PPPoE relay device (for example, DSLAM). It can be transmitted in character strings or hexadecimal format.

Examples

#‌Configure Ten-GigabitEthernet 3/1/1 to use the hexadecimal format to transmit the remote-id.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id remote-id trans-format hex

pppoe-server access-line-id trust

Use pppoe-server access-line-id trust to configure the PPPoE server to trust the access line ID in received packets on an interface.

Use undo pppoe-server access-line-id trust to restore the default.

Syntax

pppoe-server access-line-id trust

undo pppoe-server access-line-id trust

Default

The PPPoE server does not trust the access line ID in received packets on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

This command enables the PPPoE server to copy the circuit-id and remote-id in a received packet, to the NAS-PORT-ID attribute.

If this command is not executed, the PPPoE server does not copy the circuit-id and remote-id in a received packet to the NAS-PORT-ID attribute.

Examples

#‌Configure Ten-GigabitEthernet 3/1/1 to trust the access line ID in received packets.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id trust

Related commands

pppoe-server access-line-id bas-info

pppoe-server access-line-id vxlan-info enable

Use pppoe-server access-line-id vxlan-info enable to insert the VXLAN information in the NAS-Port-ID attribute.

Use undo pppoe-server access-line-id vxlan-info enable to restore the default.

Syntax

pppoe-server access-line-id vxlan-info enable

undo pppoe-server access-line-id vxlan-info enable

Default

The VXLAN information is not inserted into the NAS-Port-ID attribute.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

The VXLAN information is inserted into the following fields in the NAS-Port-ID attribute:

· BAS information is China Telecom format.

· DSLAM uplink interface information in the circuit ID in China Telecom format.

The two fields above are in the same format. For more information, see the pppoe-server access-line-id bas-info command.

For example, if the information is ge 3/1/1:4075.2345 before the VXLAN information is inserted, the information is ge 3/1/1: 4294967295.4075.2345 after the VXLAN information is inserted. The newly added 4294967295 is a VXLAN ID. 4294967295 indicates an invalid VXLAN.

Examples

#‌Insert the VXLAN information into the NAS-Port-ID attribute on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server access-line-id vxlan-info enable

Related commands

pppoe-server access-line-id bas-info

pppoe-server bind

Use pppoe-server bind to enable the PPPoE server on an interface and bind the interface to a VT interface.

Use undo pppoe-server bind to disable the PPPoE server on an interface.

Syntax

pppoe-server bind virtual-template number

undo pppoe-server bind

Default

The PPPoE server is disabled on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

virtual template number: Specifies a VT interface by its number. The value range for the number argument is 0 to 1023.

Usage guidelines

A PPPoE server-enabled interface must be bound to an existing VT interface.

When online PPPoE users exist on an interface, you cannot directly use the undo pppoe-server bind command to disable the PPPoE server on the interface. To do that, first log out all online PPPoE users on the interface, and then execute the undo pppoe-server bind command.

If the interface has been bound to a VT interface, you cannot use this command to bind the interface to another VT interface. To do that, disable the PPPoE server on the interface first.

You cannot enable the PPPoE server on a device configured to operate in user plane mode by using the work-mode user-plane command.

On an interface, the pppoe-server bind command and the pppoe-agency bind command are mutually exclusive.‌

Examples

#‌Enable the PPPoE server on Ten-GigabitEthernet 3/1/1 and bind the interface to interface Virtual-Template 1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

Related commands

work-mode user-plane (BRAS Services Command Reference)

pppoe-server block

Use pppoe-server block to forbid PPPoE users on an interface from coming online.

Use undo pppoe-server block to restore the default.

Syntax

pppoe-server block

undo pppoe-server block

Default

PPPoE users on an interface are permitted to come online.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Operating mechanism

With this command executed on an interface, the interface directly drops received PADI and PADR packets to forbid users from coming online through this interface.

Restrictions and guidelines

This command does not affect existing PPPoE users.

Examples

#‌Forbid PPPoE users on Ten-GigabitEthernet 3/1/1 from coming online.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server block

Related commands

display pppoe-server packet statistics

pppoe-server connection chasten

Use pppoe-server connection chasten to enable MAC-based user blocking.

Use undo pppoe-server connection chasten to disable MAC-based user blocking.

Syntax

pppoe-server connection chasten [ quickoffline ] [ multi-sessions-permac ] requests request-period blocking-period

undo pppoe-server connection chasten [ quickoffline ]

Default

In interface view, MAC-based user blocking is disabled.

In system view, a MAC-based PPPoE user will be blocked for 300 seconds if the user fails authentication consecutively for 120 times within 60 seconds.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

quickoffline: Specifies the users that go offline immediately after coming online. If you specify this keyword, users that go offline immediately after coming online for requests times within request-period seconds will be blocked for blocking-period seconds. If you do not specify this keyword, users that send PPPoE requests for requests times within request-period seconds will be blocked for blocking-period seconds.

multi-sessions-permac: Specifies a user that establishes multiple PPPoE sessions. You must specify this keyword if multiple sessions exist on a MAC address.

requests: Specifies the number of PPPoE connection requests, in the range of 1 to 10000.

request-period: Specifies the detection period in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds. The value of 0 means that users will not be blocked even when they meet the blocking conditions.

Usage guidelines

Operating mechanism

If you execute this command, the device uniquely identifies a blocked user by using its MAC address, the outermost VLAN ID, and the access interface.

In the unified scenario, when the blocking conditions are met, blocking entries are generated only for the slots hosting interfaces actually receiving packets. For example, when a user accessing a Layer 3 aggregate interface meets the blocking conditions, the blocking entries are generated only on the slots hosting member ports of the Layer 3 aggregate interface.‌

In the CUPS scenario, when the blocking conditions are met for a user accessing a global interface on a UP, the blocking entries are generated on the master BRAS-VM managing the UP and all slots of the UP. For a user accessing a local interface on a UP, the blocking entries are generated on the master BRAS-VM managing the UP and the slot hosting the local interface on the UP.‌

Restrictions and guidelines

The following commands can be configured on the same interface or subinterface:

· pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period

The pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 quickoffline requests request-period blocking-period

The pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 requests request-period blocking-period

If you execute this command in system view, the command applies to all PPPoE users. If you execute this command in interface view, the command applies to PPPoE users accessing the interface. If you execute this command in both system view and interface view, a user is blocked in the view whose blocking conditions are met first.

‌

NOTE:

In the UP backup scenario, you can configure this command only in system view. Configuration of this command in interface view does not take effect.

‌

When the device is operating in user plane mode (configured by using the work-mode user-plane command), you cannot change the default MAC-based user blocking configuration in system view or interface view.

The modified configuration in this command takes effect only on newly blocked users and does not affect existing blocked users. For example, if you modify the blocking period before it expires, the remaining blocking time is still based on the previously configured blocking period.

Examples

# Configure the device to block a user for 1000 seconds by its MAC address if the user sends 100 PPPoE connection requests within 500 seconds.

<Sysname> system-view

[Sysname] pppoe-server connection chasten 100 500 1000

Related commands

display pppoe-server chasten statistics

display pppoe-server chasten user

pppoe-server connection chasten option105

pppoe-server session-limit per-mac

reset pppoe-server chasten user

work-mode user-plane (on UPs) (BRAS Services Command Reference)

pppoe-server connection chasten option105

Use pppoe-server connection chasten option105 to enable option105-based user blocking.

Use undo pppoe-server connection chasten option105 to disable option105-based user blocking.

Syntax

pppoe-server connection chasten option105 [ quickoffline ] requests request-period blocking-period

undo pppoe-server connection chasten option105 [ quickoffline ]

Default

Option105-based user blocking is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

quickoffline: Specifies the users that come online. If you specify this keyword, users that come online for requests times within request-period seconds will be blocked for blocking-period seconds. If you do not specify this keyword, users that send PPPoE connection requests for requests times within request-period seconds will be blocked for blocking-period seconds.

requests: Specifies the number of PPPoE connection requests, in the range of 1 to 10000.

request-period: Specifies the detection period in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking period in the range of 0 to 3600 seconds. The value of 0 means that users will not be blocked even when they meet the blocking conditions.

Usage guidelines

Operating mechanism

If you execute this command, the device uniquely identifies a blocked user by using its circuit ID, remote ID, and the access interface.

In the CUPS scenario, the blocking entries are generated on only the master BRAS-VM managing the UP, regardless of whether a user accesses a global interface or local interface on the UP. They are not generated on UPs.‌

Restrictions and guidelines

The following commands can be configured on the same interface or subinterface:

· pppoe-server connection chasten option105 quickoffline requests request-period blocking-period

· pppoe-server connection chasten option105 requests request-period blocking-period

The pppoe-server connection chasten option105 quickoffline requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten quickoffline [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 quickoffline requests request-period blocking-period

The pppoe-server connection chasten option105 requests request-period blocking-period command will override existing configuration of the following commands:

· pppoe-server connection chasten [ multi-sessions-permac ] requests request-period blocking-period

· pppoe-server connection chasten option105 requests request-period blocking-period

When the device is operating in user plane mode (configured by using the work-mode user-plane command), you cannot change the default option105-based user blocking configuration in system view or interface view.

Examples

# Configure the device to block a user for 1000 seconds by its option105 if the user sends 100 PPPoE connection requests within 500 seconds.

<Sysname> system-view

[Sysname] pppoe-server connection chasten option105 100 500 1000

Related commands

display pppoe-server chasten statistics

display pppoe-server chasten user

pppoe-server connection chasten

pppoe-server session-limit per-mac

reset pppoe-server chasten user

work-mode user-plane (on UPs) (BRAS Services Command Reference)

pppoe-server connection chasten per-interface

Use pppoe-server connection chasten per-interface to enable PPPoE protocol packet attack prevention.

Use undo pppoe-server connection chasten per-interface to disable PPPoE protocol packet attack prevention.

Syntax

pppoe-server connection chasten per-interface number interval rate-limit-period

undo pppoe-server connection chasten per-interface

Default

PPPoE protocol packet attack prevention is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

System view

Predefined user roles

network-admin

Parameters

number: Specifies the number of PPPoE protocol packets received, in the range of 1 to 10000.

interval: Specifies the detection interval of the PPPoE protocol packet attack prevention feature, in the range of 1 to 3600 seconds.

rate-limit-period: Specifies the period for which the PPPoE protocol packets are rate-limited, in the range of 0 to 3600 seconds. The value of 0 means that users are not rate-limited even when the conditions are met.

Usage guidelines

Application scenarios

In the Discovery phase of the PPPoE link establishment process, the PPPoE client sends PADI or PADR packets to find the PPPoE server that can provide the access service. After the PPPoE session is established, the PPPoE client can send PADT packets at any time to terminate the PPPoE session.

To prevent a large number of users frequently coming online and going offline or illegal users from initiating protocol packet attacks, which will occupy a large number of system resources, you can configure the PPPoE protocol packet attack prevention feature.

Operating mechanism

With this feature configured, if the number of protocol packets that the PPPoE server receives within the detection interval exceeds the specified number, the PPPoE protocol packets received from the interface will be rate-limited. During the rate-limiting period, the excess PPPoE protocol packets are dropped. At the same time, the device still performs attack prevention detection for the interface within the rate-limiting period. If the number of PPPoE protocol packets dropped meets the formula (number of dropped packets × interval ≥ number ×rate-limit-period) before the rate-limiting period expires, one more rate-limiting period is added. After the rate-limiting period expires, the rate-limiting on the PPPoE protocol packets received from the interface is cancelled.

Restrictions and guidelines

You can execute this command in system view and in interface view. The configuration in system view takes effect on all interfaces, and the configuration in interface view takes effect only on the current interface. If this command is executed in both system view and interface view, the command in interface view takes priority.

When the device is operating in user plane mode (configured by using the work-mode user-plane command), you cannot change the default PPPoE protocol packet attack prevention configuration in system view or interface view.

If the configured rate-limit period is modified before it expires, the remaining rate-limit time for rate-limited users is the newly configured rate-limit period no matter whether other parameters are modified. For example, if the previously configured rate-limit period is 3000 seconds and it is modified as 2500 seconds when the remaining rate-limit time is 2000 seconds, rate-limited users will continue to be rate limited for 2500 seconds.

Examples

#‌Configure PPPoE protocol attack prevention on Ten-GigabitEthernet 3/1/1. When the number of PPPoE protocol packets received from the interface exceeds 1000 within 60 seconds, the packets received from the interface will be rate-limited for 300 seconds.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server connection chasten per-interface 1000 60 300

Related commands

display pppoe-server chasten per-interface

reset pppoe-server chasten per-interface

work-mode user-plane (on UPs) (BRAS Services Command Reference)

pppoe-server log enable

Use pppoe-server log enable to enable the PPPoE logging feature.

Use undo pppoe-server log enable to disable the PPPoE logging feature.

Syntax

pppoe-server log enable

undo pppoe-server log enable

Default

The PPPoE logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

You can enable the PPPoE logging feature to meet the security audit (for example, source tracing) requirements. The PPPoE logging feature enables the device to generate PPPoE logs and send them to the information center. Logs are generated when the following requirements are met:

· The number of PPPoE sessions reaches the upper limit for an interface, user, VLAN, or the system.

· New users request to come online.

Operating mechanism

A log entry records the interface-based, MAC-based, VLAN-based, or system-based session limit. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Recommended configuration

As a best practice, disable this feature to prevent excessive PPPoE log output.

Examples

# Enable the PPPoE logging feature.

<Sysname> system-view

[Sysname] pppoe-server log enable

pppoe-server nas-port-id interface

Use pppoe-server nas-port-id interface to configure a device to use information of the specified interface to fill in the NAS-Port-ID attribute.

Use undo pppoe-server nas-port-id to restore the default.

Syntax

pppoe-server nas-port-id interface interface-type interface-number

undo pppoe-server nas-port-id

Default

Information about the interface through which the user comes online is used to fill in the NAS-Port-ID attribute.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. The specified interface must be the PPPoE user's access interface. In the current software version, the interface number can contain one, two, three, or four tiers. In each tier, the number is in the range of 0 to 65534. For example, for a 3-tier interface number, the minimum interface number is 0/0/0, and the maximum interface number is 65534/65534/65534. Specify the interface number according to the actual conditions.

Usage guidelines

Application scenarios

a device uses information about the interface through which a user comes online to fill in the NAS-Port-ID attribute and sends it to the RADIUS server by default. In some special applications, when you need to manually specify the access interface information to be filled in the NAS-Port-ID attribute, you can use this command. For example, suppose the RADIUS server restricts user A's access to only interface A. When user A accesses through interface B and you do not want to modify the RADIUS server configuration, you can execute this command to use information about interface A to fill in the NAS-Port-ID attribute for user A and send the attribute to the RADIUS server.

Operating mechanism

When the BAS information format is China-Telecom 163 and the pppoe-server nas-port-id interface command is executed, the following rules apply:

· If the access-user four-dimension-mode enable command is also executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute:

¡ On a non-CUPS network: chassis=NAS_chassis;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

¡ On a CUPS network: chassis=UP_ID;slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

· If the access-user four-dimension-mode enable command is not executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following access interface information field in the NAS-PORT-ID attribute: slot=NAS_slot;subslot=NAS_subslot;port=NAS_port.

When the BAS information format is China-Telecom and the pppoe-server nas-port-id interface command is executed, the following rules apply:

· If the access-user four-dimension-mode enable command is also executed, the interface information specified in the pppoe-server nas-port-id interface command will be used to fill in the following NAS information field in the NAS-PORT-ID attribute:

¡ On a non-CUPS network: {eth|trunk|atm} NAS_chassis/NAS_slot/NAS_subslot/NAS_port.

¡ On a CUPS network: {eth|trunk|atm} UP_ID/NAS_slot/NAS_subslot/NAS_port.

Restrictions and guidelines

This command takes effect only when the pppoe-server access-line-id bas-info command is executed on the device.

In a CUPS network, the interface specified in this command must be the access interface of PPPoE users on the UP. The interface number is in the format of UP ID/actual interface number on the UP. For example, if a user accesses through Ten-GigabitEthernet 3/1/1 on UP 1024, the interface number specified in this command must be 1024/3/1/1.

Examples

#‌ Configure the device to use information of Ten-GigabitEthernet 3/1/2 to fill in the NAS-Port-ID attribute.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server nas-port-id interface ten-gigabitethernet 3/1/2

Related commands

access-user four-dimension-mode enable (BRAS Services Command Reference)

pppoe-server access-line-id bas-info

pppoe-server padi-limit

Use pppoe-server padi-limit to set the maximum number of PADI packets that the device can receive per second.

Use undo pppoe-server padi-limit to restore the default.

Syntax

In standalone mode:‌

pppoe-server padi-limit slot slot-number [ cpu cpu-number ] number

undo pppoe-server padi-limit slot slot-number

In IRF mode:

pppoe-server padi-limit chassis chassis-number slot slot-number [ cpu cpu-number ] number

undo pppoe-server padi-limit chassis chassis-number slot slot-number

Default

The default settings vary by MPU model. For more information, see the configuration guide.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the PADI packet receiving rate limit in the range of 1 to 6000.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

When device reboot or version update is performed, the burst of online requests might affect the device performance. To avoid device performance degradation and make sure the device can process PADI packets correctly, use this command to adjust the PADI packet receiving rate limit.

Examples

# (In standalone mode.) ‌Set the maximum number of PADI packets that slot 3 can receive per second to 100.

<Sysname> system-view

[Sysname] pppoe-server padi-limit slot 3 100

pppoe-server padi-limit per-slot (UPs)

Use pppoe-server padi-limit to set the maximum number of PADI packets that each slot of a UP can receive per second.

Use undo pppoe-server padi-limit to restore the default.

Syntax

pppoe-server padi-limit per-slot number

undo pppoe-server padi-limit per-slot

Default

Each slot of a UP can receive a maximum of 2000 PADI packets per second.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the PADI packet receiving rate limit in the range of 1 to 6000.

Usage guidelines

In the CUPS scenario, when device reboot or version update is performed, the burst of online requests might affect the device performance. To avoid device performance degradation and make sure the device can process PADI packets correctly, use this command to adjust the PADI packet receiving rate limit on each slot of a UP.

Examples

# Set the maximum number of PADI packets that each slot of UP 1024 can receive per second to 100.

<Sysname> system-view

[Sysname] pppoe-server padi-limit per-slot 100

pppoe-server service-name-tag exact-match

Use pppoe-server service-name-tag exact-match to set the service name matching mode to exact match for the PPPoE server on an interface.

Use undo pppoe-server service-name-tag exact-match to restore the default.

Syntax

pppoe-server service-name-tag exact-match

undo pppoe-server service-name-tag exact-match

Default

The service name matching mode for the PPPoE server on an interface is fuzzy match.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Upon receiving a PADI or a PADR packet from a PPPoE client, the PPPoE server compares its service name with the service-name tag field of the packet. The server accepts the session establishment request only if the field matches the service name. Table 10 describes different matching rules in different matching modes.

Table 10 Service name matching rules

Matching mode	PPPoE client	PPPoE server	Result
Exact match	No service name is specified.	The number of configured service names is less than 8.	Success
	No service name is specified.	The number of configured service names is 8.	Failure
	A service name is specified.	A service name that is the same as that of the client is configured.	Success
	A service name is specified.	A service name that is the same as that of the client is not configured.	Failure
Fuzzy match	No service name is specified.	Any configuration.	Success
	A service name is specified.	A service name that is the same as that of the client is configured, or the number of configured service names is less than 8.	Success
	A service name is specified.	A service name that is the same as that of the client is not configured, or the number of configured service names is 8.	Failure

‌

Examples

#‌Set the service name matching mode to exact match for the PPPoE server on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server service-name-tag exact-match

Related commands

· pppoe-server tag service-name

pppoe-server session-limit

Use pppoe-server session-limit to set the maximum number of PPPoE sessions on an interface.

Use undo pppoe-server session-limit to restore the default.

Syntax

pppoe-server session-limit number

undo pppoe-server session-limit

Default

The number of PPPoE sessions on an interface is not limited.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of PPPoE sessions on an interface, in the range of 1 to 65534.

Usage guidelines

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on a card.

If the configured limit is smaller than the number of existing online sessions on the interface, the configuration succeeds. The configuration does not affect the existing online sessions. However, new sessions cannot be established on the interface.

Examples

#‌Set the maximum number of PPPoE sessions on Ten-GigabitEthernet 3/1/1 to 50.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server session-limit 50

Related commands

pppoe-server session-limit per-mac

pppoe-server session-limit per-vlan

pppoe-server session-limit total

pppoe-server session-limit per-mac

Use pppoe-server session-limit per-mac to set the maximum number of PPPoE sessions for a user on an interface.

Use undo pppoe-server session-limit per-mac to restore the default.

Syntax

pppoe-server session-limit per-mac number

undo pppoe-server session-limit per-mac

Default

A user can create a maximum of one PPPoE session on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of PPPoE sessions for a user, in the range of 1 to 65534.

Usage guidelines

A user is identified by a MAC address.

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on a card.

If the number argument is set to 1, when the device receives a PADR packet whose MAC address is the same as an online user, the following happens:

· If the online user has finished NCP negotiation for less than 30 seconds, the device discards the received PADR packet and the user remains online.

· If the online user has finished NCP negotiation for more than 30 seconds, the device sends a PADT packet to notify the user to go offline and deletes the session.

To generate DHCP client IDs based on PPP sessions, execute the remote address dhcp client-identifier command with the session-info keyword when the following requirements are met:

· The number argument is set to 2 or greater than 2.

· PPPoE users obtain IP addresses from the IP address pool.

Examples

#‌Set the maximum number of PPPoE sessions for a user on Ten-GigabitEthernet 3/1/1.1 to 50.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] pppoe-server session-limit per-mac 50

Related commands

pppoe-server session-limit

pppoe-server session-limit per-vlan

· pppoe-server session-limit total

remote address dhcp client-identifier

pppoe-server session-limit per-vlan

Use pppoe-server session-limit per-vlan to set the maximum number of PPPoE sessions for a VLAN on an interface.

Use undo pppoe-server session-limit per-vlan to restore the default.

Syntax

pppoe-server session-limit per-vlan number

undo pppoe-server session-limit per-vlan

Default

The number of PPPoE sessions for a VLAN on an interface is not limited.

Views

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

L3VE subinterface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of PPPoE sessions for a VLAN, in the range of 1 to 65534.

Usage guidelines

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· Limit on a card.

Examples

#‌Set the maximum number of PPPoE sessions for a VLAN on Ten-GigabitEthernet 3/1/1.1 to 50.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1.1

[Sysname-Ten-GigabitEthernet3/1/1.1] pppoe-server session-limit per-vlan 50

Related commands

pppoe-server sessions limit

pppoe-server sessions limit per-mac

pppoe-server sessions limit total

pppoe-server session-limit total

Use pppoe-server session-limit total to set the maximum number of PPPoE sessions on a device.

Use undo pppoe-server session-limit total to restore the default.

Syntax

In standalone mode:‌

pppoe-server session-limit slot slot-number [ cpu cpu-number ] total number

undo pppoe-server session-limit slot slot-number total

In IRF mode:

pppoe-server session-limit chassis chassis-number slot slot-number [ cpu cpu-number ] total number

undo pppoe-server session-limit chassis chassis-number slot slot-number total

Default

The number of PPPoE sessions on a card is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

total number: Specifies the maximum number of PPPoE sessions on a device, in the range of 1 to 2147483647.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

PPPoE can establish a session when none of the following limits are reached:

· Limit for a user on an interface.

· Limit for a VLAN on an interface.

· Limit on an interface.

· (In standalone mode.) (In IRF mode.) Limit on a card.

If you execute this command on an interface card, this command does not limit the total number of PPPoE sessions created on all global interfaces such as aggregate interfaces.

(In standalone mode.) If you execute this command on the active MPU, this command only limits the total number of PPPoE sessions created on all global interfaces. If you execute this command on the standby MPU, the setting takes effect only after the MPU changes to be the active MPU upon an active/standby switchover.

(In IRF mode.) If you execute this command on the global active MPU, this command only limits the total number of PPPoE sessions created on all global interfaces. If you execute this command on any other MPUs in the IRF fabric, the setting takes effect only after the MPU changes to be the global active MPU upon an active/standby switchover.

Examples

# (In standalone mode.) ‌Set the maximum number of PPPoE sessions on the specified slot to 3000.

[Sysname] pppoe-server session-limit slot 1 total 3000

Related commands

pppoe-server session-limit

pppoe-server session-limit per-mac

pppoe-server session-limit per-vlan

pppoe-server tag ac-name

Use pppoe-server tag ac-name to set the access concentrator (AC) name for the PPPoE server on an interface.

Use undo pppoe-server tag ac-name to restore the default.

Syntax

pppoe-server tag ac-name name

undo pppoe-server tag ac-name

Default

The AC name for the PPPoE server is the device name on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

name: Specifies an AC name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

The PPPoE server sends its AC name in PADO packets. PPPoE clients choose a PPPoE server by AC name.

The device does not support an AC name comprised of all blank spaces.

Examples

#‌Specify the AC name for the PPPoE server on Ten-GigabitEthernet 3/1/1 as pppoes.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server tag ac-name pppoes

pppoe-server tag ppp-max-payload

Use pppoe-server tag ppp-max-payload to enable the PPPoE server to support the ppp-max-payload tag and set a range for the tag on an interface.

Use undo pppoe-server tag ppp-max-payload to restore the default.

Syntax

pppoe-server tag ppp-max-payload [ minimum min-number maximum max-number ]

undo pppoe-server tag ppp-max-payload

Default

The PPPoE server does not support ppp-max-payload tag on an interface. The PPPoE server ignores the ppp-max-payload tag in PADI or PADS packets from clients, and returns a PADO or PADS packets without the ppp-max-payload tag.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

minimum min-number: Specifies the minimum value for the PPP maximum payload, in the range of 64 to 9600 bytes. The default value is 1492 bytes.

maximum max-number: Specifies the maximum value for the PPP maximum payload, in the range of 64 to 9600 bytes. The default value is 1500 bytes. The max-number argument must be equal or greater than the min-number argument.

Usage guidelines

Application scenarios

This command enables the PPPoE server to forward large PPP packets with a payload larger than 1492 bytes and reduces fragmentation.

Operating mechanism

If the ppp-max-payload tag sent by the PPPoE client is within the tag range, the PPPoE server returns a PADO or PADS packet that includes the tag. If not, the PPPoE server determines that the received packets are invalid, and it does not return a PADO or PADS packet.

Operating mechanism

The jumboframe enable command can change the size of jumbo frames supported by the interface. The maximum size of the jumbo frames configured by the jumboframe enable command should be larger than the maximum value configured by the pppoe-server tag ppp-max-payload command.

Examples

#‌Enable the PPPoE server to support the ppp-max-payload tag and set the value for the PPP maximum payload to be in the range of 1494 to 1580 bytes on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server tag ppp-max-payload minimum 1494 maximum 1508

Related commands

jumboframe enable (Interface Command References)

pppoe-server tag service-name

Use pppoe-server tag service-name to set a service name for a PPPoE server on an interface.

Use undo pppoe-server tag service-name to delete the specified service name.

Syntax

pppoe-server tag service-name name

undo pppoe-server tag service-name name

Default

A PPPoE server does not have a service name.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

name: Specifies a service name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

Application scenarios

Service names identify the traffic destined for PPPoE servers when multiple PPPoE servers are providing services on the network. Likewise, the PPPoE server provides services to a specific PPPoE client based on the service name configured on the PPPoE server.

Operating mechanism

Upon receiving a PADI or a PADR packet from a PPPoE client, the PPPoE server compares its service name with the service-name tag field of the packet. The server accepts the session establishment request only if the field matches the service name. Service names support fuzzy match and exact match. For information about the match rules of fuzzy match and exact match, see the pppoe-server service-name-tag exact-match command.

Restrictions and guidelines

Up to eight service names can be configured on an interface.

Examples

#‌Set the service name to pppoes for the PPPoE server on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server tag service-name pppoes

Related commands

pppoe-server service-name-tag exact-match

pppoe-server throttle per-mac

Use pppoe-server throttle per-mac to set the PPPoE access limit on an interface.

Use undo pppoe-server throttle per-mac to restore the default.

Syntax

pppoe-server throttle per-mac session-requests session-request-period blocking-period

undo pppoe-server throttle per-mac

Default

The PPPoE access rate is not limited on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

session-requests: Specifies the maximum number of PPPoE session requests from a user within the monitoring time. The value range is 1 to 100000.

session-request-period: Specifies the monitoring time in the range of 1 to 3600 seconds.

blocking-period: Specifies the blocking time in the range of 1 to 3600 seconds.

Usage guidelines

Application scenarios

This command limits the rate at which a user (identified by MAC address) can create PPPoE sessions on an interface. If the number of PPPoE requests within the monitoring time reaches the configured threshold, the device discards the excessive requests, and outputs log messages. If the blocking time is set to 0, the device does not block any requests, and it only outputs log messages.

The device uses a monitoring table and a blocking table to control PPP access rates.

· Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users. The aging time of monitoring entries is determined by the session-request-period argument. When the timer expires, the system starts a new round of monitoring for the user.

· Blocking table—Stores a maximum of 8000 blocking entries. The system creates a blocking entry if the access rate of a user reaches the threshold, and blocks requests from that user. When the blocking entries reach the maximum, the system stops blocking session requests from new users and it only outputs log messages. The aging time of the blocking entries is determined by the blocking-period argument. When the timer expires, the system starts a new round of monitoring for the user.

Restrictions and guidelines

If the access rate setting is changed, the system removes all monitoring and blocking entries, and uses the new settings to limit PPPoE access rates.

Examples

#‌Block PPPoE session requests of a PPPoE user for 10 seconds when the PPPoE user sends 100 requests within 80 seconds on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-server throttle per-mac 100 80 10

Related commands

display pppoe-server throttled-mac

reset pppoe-server

Use reset pppoe-server to clear PPPoE sessions on the PPPoE server.

Syntax

reset pppoe-server { all | [ interface interface-type interface-number | mac-address mac-address ] * | virtual-template number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all PPPoE sessions.

interface interface-type interface-number: Specifies an interface by its type and number.

mac-address mac-address: Specifies a PPPoE user by its MAC address in the format of H-H-H.

virtual-template number: Specifies a VT interface by its number.

Usage guidelines

This command clears PPPoE sessions and forcibly logs out the corresponding users.

Examples

# Clear established sessions on Virtual-template 1 on the PPPoE server.

<Sysname> reset pppoe-server virtual-template 1

Related commands

display pppoe-server session summary

reset pppoe-server chasten per-interface

Use reset pppoe-server chasten per-interface to clear PPPoE protocol packet attack prevention entry information.

Syntax

In standalone mode:‌

reset pppoe-server chasten per-interface [ packets ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset pppoe-server chasten per-interface [ packets ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

packets: Clears only dropped packet statistics of PPPoE protocol packet attack prevention entries. If you do not specify this keyword, this command clears information of PPPoE protocol packet attack prevention entries.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears PPPoE protocol packet attack prevention entry information of all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you specify only the packets keyword, this command clears dropped packet statistics in PPPoE protocol packet attack prevention entry information of all interfaces.

If you do not specify any parameter, this command clears PPPoE protocol packet attack prevention entry information of all interfaces.

Examples

#‌Clear PPPoE protocol packet attack prevention entry information on Ten-GigabitEthernet 3/1/1.

<Sysname> reset pppoe-server chasten per-interface interface ten-gigabitethernet 3/1/1

Related commands

pppoe-server connection chasten per-interface

reset pppoe-server chasten user

Use reset pppoe-server chasten user to clear information of blocked PPPoE users.

Syntax

In standalone mode:‌

reset pppoe-server chasten user [ packets ] [ mac-address [ mac-address ] | option105 [ circuit-id circuit-id ] [ remote-id remote-id ] ] [ interface interface-type interface-number ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

Views

User view

Predefined user roles

network-admin

Parameters

packets: Clears only dropped packet statistics of blocked PPPoE users. If you do not specify this keyword, this command clears information of blocked PPPoE users.

mac-address [ mac-address ]: Specifies a MAC address in the H-H-H format. If you do not specify the mac-address argument, this command clears information of PPPoE users blocked based on MAC address.

option105: Clears information of PPPoE users blocked based on option 105.

circuit-id circuit-id: Specifies fuzzy matching of a circuit ID, a case-sensitive string of 1 to 127 characters. For example, if the circuit-id argument is abc, information of blocked PPPoE users whose circuit IDs contain abc will be cleared.

remote-id remote-id: Specifies fuzzy matching of a remote ID, a case-sensitive string of 1 to 127 characters. For example, if the remote-id argument is abc, information of blocked PPPoE users whose remote IDs contain abc will be cleared.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, this command clears information of blocked PPPoE users on all interfaces.

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

By default, the blocking state of blocked users are not cleared until the blocking period times out. During the blocking period, packets from these PPPoE users are dropped.

Use this command without specifying the packets keyword to clear the blocking state of blocked users. Then, the users can perform authentication to come online when the device receives packets from these users.

If you specify only the packets keyword, this command clears dropped packet statistics of all blocked PPPoE users.

If you do not specify any parameter, this command clears information of all blocked PPPoE users.

Examples

#‌Clear information of blocked PPPoE users on interface Ten-GigabitEthernet 3/1/1.

<Sysname> reset pppoe-server chasten user interface ten-gigabitethernet 3/1/1

Related commands

display pppoe-server chasten statistics

display pppoe-server chasten user

pppoe-server connection chasten

pppoe-server connection chasten option105

reset pppoe-server packet statistics

Use reset pppoe-server packet statistics to clear PPPoE server negotiation packet statistics.

Syntax

In standalone mode:‌

reset pppoe-server packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset pppoe-server packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

Parameters

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) ‌Clear PPPoE server negotiation packet statistics for the specified slot.

<Sysname> reset pppoe-server packet statistics slot 1

Related commands

display pppoe-server packet statistics

PPPoE agency commands‌

display pppoe-agency acl statistics

Use display pppoe-agency acl statistics to display statistics of packets matching ACLs in the PPPoE agency application.

Syntax

In standalone mode:‌

display pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name slot slot-number [ cpu cpu-number ]

In IRF mode:

display pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 ACLs.

ipv6: Specifies IPv6 ACLs.

user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Usage guidelines

This command displays only statistics of incoming packets matching ACL rules with the counting keyword specified.

To use this command to display statistics of matching packets in the PPPoE agency application, make sure the ACL rules specified in the pppoe-agency forward command in a user group have the counting keyword specified.

Examples

# (In standalone mode.) ‌Display statistics of incoming packets of the specified slot matching IPv4 ACLs in user group group001 in the PPPoE agency application.

<Sysname> display pppoe-agency ipv4 acl statistics user-group group001 slot 1

User-group: group001

Inbound policy:

IPv4 ACL 3001, Hardware-count

rule 0 permit destination 2.2.2.2 0 counting (2 packets 203 Bytes)

rule 5 permit destination 1.1.1.1 0 counting (5 packets 603 Bytes)

rule 10 permit destination 3.3.3.3 0 counting (No Counting Resource)

Table 11 Command output

Field	Description
User-group	User group name.
IPv4 ACL acl-number	IPv4 ACL acl-number was successfully applied.
IPv6 ACL acl-number	IPv6 ACL acl-number was successfully applied.
Hardware-count	ACL rule match counting in hardware has been successfully enabled.
Hardware-count (Failed)	The device has failed to enable counting ACL rule matches in hardware.
Hardware-count(Not enough resources to complete the operation.)	The device has failed to enable counting ACL rule matches in hardware because the resources are insufficient.
Hardware-count(The operation is not supported.)	The device has failed to enable counting ACL rule matches in hardware because this operation is not supported.
2 packets 203 Bytes	Two packets of 203 bytes match the rule.
No Counting Resource	Insufficient hardware counting resources.

‌

Related commands

reset pppoe-agency acl statistics

display pppoe-agency multi-host

Use display pppoe-agency multi-host to display information about PPPoE agency users with the multi-endpoint single account feature enabled.

Syntax

In standalone mode:‌

display pppoe-agency multi-host [ { username user-name | ip-address ipv4-address } [ verbose ] ] [ slot slot-id ]

In IRF mode:

display pppoe-agency multi-host [ { username user-name | ip-address ipv4-address } [ verbose ] ] [ chassis chassis-number slot slot-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

username user-name: Specifies a user by its username. The user-name argument is a case-sensitive string of 1 to 80 characters.

ip-address ipv4-address: Specifies a public IP address.

verbose: Displays detailed information. If you do not specify this keyword, this command displays brief information.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌ In IRF mode:‌

Usage guidelines

If you do not specify any parameters, this command displays brief information about all PPPoE agency users.

Examples

# Display brief information about all PPPoE agency users.

<Sysname> display pppoe-agency multi-host

UserID Public IP address MAC address Username Agency group

0x12f 192.168.10.2 001b-21a8-0454 User1 cmcc

Figure 4 Command output

Field	Description
UserID	Online index number of the agency account.
Username	Agency username, which is the agency account name that the user users. (If the username contains more than 15 characters, the username is displayed in the format of “the first 15 characters in the username+...” in the brief information.)
Public IP address	Public IP address assigned to the agency user.
MAC address	MAC address of the agency user.
Agency group	Agency group to which the information belongs. (If the agency group name contains more than 14 characters, the agency group name is displayed in the format of “the first 14 characters in the agency group name+...” in the brief information.)

# Display detailed information about the PPPoE agency user named User1 in the multi-endpoint single account scenario.

<Sysname> display pppoe-agency multi-host verbose

User ID : 0x12f

Public IP address : 192.168.10.2

MAC address : 001b-21a8-0454

Username : User1

Agency group : cmcc

Agency status: : Online

BRAS user count : 2

BRAS user :

UserID Private IP address VPN instance

- 4.4.4.1 N/A

Figure 5 Command output

Field	Description
UserID	Online index number of the agency account.
Public IP address	Public IP address assigned to the agency user.
MAC address	MAC address of the agency user.
Username	Agency username, which is the agency account name that the user uses.
Agency group	Agency group to which the information belongs to.
BRAS user count	Number of internal network users sharing the same agency account.
Agency status	Agency user status. Options include: · Online. · Offline—Offline or redialing. · Add—Being added. · Request—Processing the online request. · Init—Initializing.
BRAS user	Internal network user information corresponding to the agency account, including the following values: · UserID—Online index number of the internal network user. · Private IP address—Internal network IP address of the internal network user. · VPN instance—Name of the VPN instance to which the internal network user belongs.

display pppoe-agency packet statistics

Use display pppoe-agency packet statistics to display the PPPoE agency negotiation packet statistics.

Syntax

In standalone mode:‌

display pppoe-agency packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-agency packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) ‌Display the PPPoE agency negotiation packet statistics of the specified slot.

<Sysname> display pppoe-agency packet statistics slot 1

PPPoE agency packet statistics in slot 1:

SEND_PADI_PKT : 0

RECV_PADO_PKT : 0 DISCARD_PADO_PKT : 0

SEND_PADR_PKT : 0

RECV_PADS_PKT : 0 DISCARD_PADS_PKT : 0

RECV_PADT_PKT : 0 DISCARD_PADT_PKT : 0

SEND_PADT_PKT : 0

Table 12 Command output

Field	Description
SEND_PADI_PKT	Number of PADI packets sent.
RECV_PADO_PKT	Number of PADO packets received.
DISCARD_PADO_PKT	Number of dropped PADO packets received.
SEND_PADR_PKT	Number of PADR packets sent.
RECV_PADS_PKT	Number of PADS packets received.
DISCARD_PADS_PKT	Number of dropped PADS packets received.
RECV_PADT_PKT	Number of PADT packets received.
DISCARD_PADT_PKT	Number of dropped PADT packets received.
SEND_PADT_PKT	Number of PADT packets sent.

‌

display pppoe-agency session summary

Use display pppoe-agency session summary to display summary information of the PPPoE agency user sessions.

Syntax

In standalone mode:‌

display pppoe-agency session summary [ interface interface-type interface-number | slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display pppoe-agency session summary [ interface interface-type interface-number | chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Usage guidelines

Session information of PPPoE agency users coming online through a physical interface is displayed only on the card hosting the physical interface and the MPU. Session information of global PPPoE agency users coming online through a logical interface is displayed on all cards.

Examples

# Display summary information of the PPPoE agency user sessions on Ten-GigabitEthernet 3/1/1.

<Sysname> display pppoe-agency session summary interface ten-gigabitethernet 3/1/1

Total PPPoE agency sessions: 2

Ethernet interface: XGE3/1/1 Session ID: 1

PPP index: 0x140000105 State: PADR_SEND

Remote MAC: 00e0-1500-7100 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 1

Ethernet interface: XGE3/1/1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC: 00e0-1600-7200 Local MAC: 00e0-1400-7300

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 2

# (In standalone mode.) ‌Display summary information of the PPPoE agency user sessions on the specified slot.

<Sysname> display pppoe-agency session summary slot 3

Total PPPoE agency sessions on slot 3: 2

Local PPPoE agency sessions on slot 3: 1

Ethernet interface: XGE3/1/2 Session ID: 1

PPP index: 0x140000105 State: OPEN

Remote MAC: 0000-0000-0005 Local MAC: 0000-5e00-0101

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 1

Ethernet interface: RAGG1 Session ID: 2

PPP index: 0x150000105 State: OPEN

Remote MAC: 0050-56c0-0005 Local MAC: 0000-5e00-0102

Service VLAN: N/A Customer VLAN: N/A

Local session ID: 2

Table 13 Command output

Field	Description
Total PPPoE agency sessions	Total number of PPPoE agency user sessions. When a slot is specified in this command, this command displays the total number of PPPoE agency user sessions coming online through physical interfaces in the specified slot and all global PPPoE agency user sessions in the system.
Local PPPoE agency sessions	Number of local PPPoE agency user sessions. For this field, the following rules apply: · The statistics of sessions of PPPoE agency users coming online through a physical interface are displayed on the slot hosting the physical interface. · The statistics of sessions of PPPoE agency users coming online through a global interface are displayed on the slot hosting the active MPU. (In standalone mode.) · The statistics of sessions of PPPoE agency users coming online through a global interface are displayed on the slot hosting the global active MPU. (In IRF mode.) (This field is not displayed if an interface is specified in this command.)
Ethernet interface	Interface bound to a PPPoE agency user session.
Session ID	ID of a PPPoE agency user session.
PPP index	PPP session index information
State	State of a PPPoE agency user session: · PADI_SEND—The PPPoE session is being created and in the session discovery phase. · PADR_SEND—The PPPoE session is being created and in the session negotiation phase. · OPEN—The PPPoE session is open. · OFFLINE—The PPPoE session is being deleted. · INIT—The PPPoE session is to be activated.
Remote MAC	Remote MAC address.
Local MAC	Local MAC address.
Service VLAN	Service provider VLAN. This field displays N/A if no service VLAN is available.
Customer VLAN	Customer VLAN. This field displays N/A if no customer VLAN is available.
Local session ID	ID of a local PPPoE agency session.

‌

pppoe-agency authentication domain

Use pppoe-agency authentication domain to configure the authentication domain for PPPoE agency users.

Use undo pppoe-agency authentication to restore the default.

Syntax

pppoe-agency authentication domain domain-name

undo pppoe-agency authentication

Default

No authentication domain is configured for PPPoE agency users.

Views

User group view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PPPoE agency user authentication domain, a case-insensitive string of 1 to 255 characters. The domain name cannot contain the following special characters: /\|”:*?<>@.

Usage guidelines

When a campus BRAS simulates a PPPoE client and initiates PPPoE dialup for network access to the PPPoE server of the corresponding ISP according to the PPPoE agency group name carried in the COA messages, the BRAS first authenticates the PPPoE agency user according to the authentication domain specified in the pppoe-agency authentication domain command. If no authentication domain is specified by the pppoe-agency authentication domain command or the specified authentication domain does not exist, the BRAS uses the authentication domain selected by the AAA module, and the username and password used for authentication are issued by the AAA service through COA messages. PPPoE agency can succeed only when the campus BRAS successfully authenticates the PPPoE agency user and the ISP PPPoE server successfully authenticates the PPPoE client. If the authentication on any end fails, PPPoE agency fails. In this case, the user can access only the internal network, and cannot access the external network.

This command is mutually exclusive with the following commands:

· pppoe-agency-relay enable

· pppoe-agency-relay-group

· work-mode user-plane (UPs)

Examples

# Configure authentication domain dm1 for PPPoE agency users in user group group1.

<Sysname> system-view

[Sysname] user-group group1

[Sysname-ugroup-group1] pppoe-agency authentication domain dm1

Related commands

domain (BRAS Services Command Reference)

pppoe-agency bind

pppoe-agency-relay enable

pppoe-agency-relay-group

work-mode user-plane (UPs) (BRAS Services Command Reference)

pppoe-agency bind

Use pppoe-agency bind to enable the PPPoE agency on an interface and bind the interface to a PPPoE agency group.

Use undo pppoe-agency bind to disable the PPPoE agency on an interface.

Syntax

pppoe-agency bind virtual-template number pppoe-agency-group pppoe-agency-group-name [ nat-instance instance-name ]

undo pppoe-agency bind

Default

The PPPoE agency is disabled on an interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

virtual-template number: Specifies a VT interface by its number. The value range for this field is 0 to 1023.

pppoe-agency-group pppoe-agency-group-name: Specifies a PPPoE agency group by its name, a case-insensitive string of 1 to 31 characters. The PPPoE agency group name can only be authorized by the AAA server through the Framed-Pool attribute. The value for the pppoe-agency-group-name argument specified in this command must be the same as the value for the Framed-Pool attribute authorized by the AAA server to the PPPoE agency users.

· In unified PPPoE agency mode, a PPPoE agency group uniquely identifies the ISP to which an agency user belongs.

· In PPPoE agency gateway mode, the network includes the following types depending on the deployment position of the PPPoE agency gateway:

¡ School-side agency gateway network—A PPPoE agency group name uniquely identifies the ISP to which an agency user belongs.

¡ ISP-side agency gateway network—A PPPoE agency group name uniquely identifies the school to which an agency user belongs.

nat-instance instance-name: Binds the interface to a NAT instance when you enable the multi-endpoint single account feature for PPPoE agency. This binds corporate network IP mappings. The instance-name argument specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

With this feature configured, the device that provides the PPPoE agency feature operates in either of the following modes:

· Unified PPPoE agency mode—When a campus BRAS user initiates the agency process, the campus BRAS will select one interface that matches the PPPoE agency group name carried in COA messages from the interfaces with the pppoe-agency bind command executed (PPPoE agency interfaces, called agency interface for short). Then, the campus BRAS will use the selected interface to simulate a PPPoE client and initiate PPPoE dialup for network access to the PPPoE server of the corresponding ISP.

· PPPoE agency gateway mode—When a campus BRAS user initiates the agency process, the PPPoE agency gateway will select one interface that matches the PPPoE agency group name carried in COA messages from the interfaces with the pppoe-agency bind command executed (PPPoE agency interfaces, called agency interface for short). Then, the PPPoE agency gateway will use the selected interface to simulate a PPPoE client and initiate PPPoE dialup for network access to the PPPoE server of the corresponding ISP.

If the PPPoE agency group name carried in the COA messages authorized to a user matches the pppoe-agency-group-name argument value configured on multiple interfaces, the device will select the interface with the least online PPPoE agency users to simulate a PPPoE client for the user to perform PPPoE dialup. If multiple interfaces meet the requirements, the device randomly selects one from them.

Restrictions and cautions

When the PPPoE agency is enabled on an interface, the VT interface bound to the interface must exist.

When online PPPoE agency users exist on an interface, you cannot directly use the undo pppoe-agency bind command to disable the PPPoE agency on the interface. To do that, first log out all online PPPoE agency users on the interface, and then execute the undo pppoe-agency bind command.

If an interface has the PPPoE agency enabled and is bound to a VT interface, you cannot directly use this command to bind the interface to a new VT interface. To do that, first disable the PPPoE agency on the interface, and then re-enable the PPPoE agency on the interface and bind it to a new VT interface.

If both the PPPoE client and PPPoE agency are enabled on an interface, the PPPoE client does not take effect.

When the device is configured to operate in user plane mode by using the work-mode user-plane command, you cannot enable the PPPoE agency on any interface of the device.

On an interface, the pppoe-server bind command and the pppoe-agency bind command are mutually exclusive.

Examples

# Enable the PPPoE agency on Ten-GigabitEthernet 3/1/1, and bind Ten-GigabitEthernet 3/1/1 to VT interface 1 and PPPoE agency group 1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-agency bind virtual-template 1 pppoe-agency-group 1

If the pppoe-agency multi-host function is enabled, please specify the nat-instance.

Related commands

pppoe-agency-relay-group

pppoe-agency forward

Use pppoe-agency forward to configure a PPPoE agency forwarding policy.

Use undo pppoe-agency forward to restore the default.

Syntax

pppoe-agency forward { ipv4 | ipv6 } acl { acl-number | name acl-name }

undo pppoe-agency forward { ipv4 | ipv6 }

Default

No PPPoE agency forwarding policy is configured.

Views

User group view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 ACLs.

ipv6: Specifies IPv6 ACLs.

acl: Performs PPPoE agency forwarding for traffic based on ACLs. Traffic matching the specified ACL is considered as internal network traffic and directly forwarded. Traffic not matching the specified ACL is considered as external network traffic and forwarded through the PPPoE agency.

· acl-number: Specifies an ACL by its number, in the range of 3000 to 3999 (advanced ACL) .

· name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

Usage guidelines

When specifying an ACL, follow these restrictions and guidelines:

· Do not specify the user-group keyword in any ACL rule. If you do that, the PPPoE agency function based on the ACL is not available.

· If the specified ACL does not exist or does not have any rules, all traffic is external network traffic and must be forwarded through the PPPoE agency.

· In the specified ACL, the following rules apply:

¡ If a rule has the vpn-instance keyword specified, the rule takes effect only on users in the specified VPN instance, and user traffic matching the ACL rule in the specified VPN instance is considered as internal network traffic and directly forwarded.

¡ If a rule does not have the vpn-instance keyword specified, the rule takes effect only on all users (including users in VPN instances). When user traffic is compared with the ACL rule, its VPN attributes are ignored. User traffic matching the ACL rule is considered as internal network traffic and directly forwarded.

This command is mutually exclusive with the following commands:

· pppoe-agency-relay enable

· pppoe-agency-relay-group

· work-mode user-plane (UPs)

Examples

# Configure user group group1 to directly forward traffic matching IPv4 ACL 3000 and forward non-matching traffic through the PPPoE agency or drop the non-matching traffic.

<Sysname> system-view

[Sysname] user-group group1

[Sysname-ugroup-group1] pppoe-agency forward ipv4 acl 3000

Related commands

pppoe-agency bind

user-group (BRAS Services Command Reference)

pppoe-agency-relay enable

pppoe-agency-relay-group

work-mode user-plane (UPs) (BRAS Services Command Reference)

pppoe-agency log enable

Use pppoe-agency log enable to enable the PPPoE agency logging feature.

Use undo pppoe-agency log enable to disable the PPPoE agency logging feature.

Syntax

pppoe-agency log enable

undo pppoe-agency log enable

Default

The PPPoE agency logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IMPORTANT:

As a best practice, disable this feature to prevent excessive PPPoE agency log output.

‌

You can enable the PPPoE agency logging feature to meet the security audit (for example, source tracing) requirements. The PPPoE agency logging feature enables the BRAS device to generate PPPoE agency logs and send them to the information center. Logs are generated when PPPoE agency users come online.

A log entry records mapping between the internal IP address and the IP address assigned by the ISP to a PPPoE agency user. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable the PPPoE agency logging feature.

<Sysname> system-view

[Sysname] pppoe-agency log enable

pppoe-agency multi-host enable

Use pppoe-agency multi-host enable to enable the multi-endpoint single account feature for PPPoE agency.

Use undo pppoe-agency multi-host enable to disable the multi-endpoint single account feature for PPPoE agency.

Syntax

pppoe-agency multi-host enable

undo pppoe-agency multi-host enable

Default

The multi-endpoint single account feature is disabled for PPPoE agency.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

On a PPPoE agency network, when multiple user endpoints use the same agency account for PPPoE dialup, the PPPoE agency device establishes a separate PPPoE session for each user endpoint by default. If too many users share the same account, excessive sessions will be established, consuming too many system resources.

Operating mechanism

To save system resources, enable the multi-endpoint single account feature for PPPoE agency. With this feature enabled, all users that use the same agency account share one PPPoE session on the PPPoE agency device. They also share the same IP address and agency user ID. After you execute the pppoe-agency bind command to bind a NAT instance, the NAT module of the PPPoE agency device maintains NAT entries with port information for agency users. When traffic from the external network reaches the PPPoE agency gateway, the gateway identifies the account by IP address and identifies the specific target agency user by port number.

Examples

# Enable the multi-endpoint single account feature for PPPoE agency.

<Sysname> system-view

[Sysname] pppoe-agency multi-host enable

Related commands

pppoe-agency bind

pppoe-agency-relay enable

Use pppoe-agency-relay enable to enable the PPPoE agency gateway feature.

Use undo pppoe-agency-relay enable to disable the PPPoE agency gateway feature.

Syntax

pppoe-agency-relay enable

undo pppoe-agency-relay enable

Default

The PPPoE agency gateway feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

On a PPPoE agency network, the device that provide the PPPoE agency feature operates in either of the following modes:

· Unified PPPoE agency mode—In this mode, the campus BRAS also acts as the PPPoE agency device. The campus BRAS provides both BRAS access authentication and PPPoE agency features for campus network users.

· PPPoE agency gateway mode—In this mode, a separate ISP BRAS (PPPoE agency gateway) rather than the campus BRAS provides the PPPoE agency feature. Depending on the deployment position, the PPPoE agency gateways include the following types:

¡ School-side agency gateway—Deployed on the campus network.

¡ ISP-side agency gateway—Deployed on the ISP network.

To use a BRAS as a PPPoE agency gateway, you can enable the PPPoE agency gateway feature on that BRAS. With the PPPoE agency gateway feature enabled, the BRAS will be used as a dedicated PPPoE agency gateway and will no longer support the unified PPPoE agency mode.

Restrictions and guidelines

When online PPPoEA users exist on a PPPoE agency gateway, you cannot execute the undo pppoe-agency-relay enable command to disable the PPPoE agency gateway feature. To do that, first execute the cut access-user command to log off all PPPoEA users, and then execute the undo pppoe-agency-relay enable command.

PPPoE agency gateways are used only for PPPoE agency networking. Non-PPPoE agency services (such as IPoE or L2TP) cannot be deployed on PPPoE agency gateways. Before executing this command on an agency gateway, make sure no non-PPPoEA users are online on the agency gateway. If non-PPPoEA users are online on the agency gateway, you cannot execute this command.

This command is mutually exclusive with the following commands:

· pppoe-agency authentication domain

· pppoe-agency forward

· work-mode user-plane (UPs)

Examples

# Enable the PPPoE agency gateway feature.

<Sysname> system-view

[Sysname] pppoe-agency-relay enable

Related commands

pppoe-agency authentication domain

pppoe-agency forward

work-mode user-plane (UPs) (BRAS Services Command Reference)

pppoe-agency-relay-group

Use pppoe-agency-relay-group to bind an interface to a PPPoE agency group.

Use undo pppoe-agency-relay-group to unbind an interface from a PPPoE agency group.

Syntax

pppoe-agency-relay-group pppoe-agency-group-name interface interface-type interface-number [ peer-ip peer-ip-address ]

undo pppoe-agency-relay-group pppoe-agency-group-name interface interface-type interface-number

Default

An interface is not bound to any PPPoE agency group.

Views

System view

Predefined user roles

network-admin

Parameters

pppoe-agency-group-name: Specifies a PPPoE agency group by its name, a case-insensitive string of 1 to 31 characters. The PPPoE agency group name can only be authorized by the AAA server through the Framed-Pool attribute. The value for the pppoe-agency-group-name argument specified in this command must be the same as the value for the Framed-Pool attribute authorized by the AAA server to the PPPoE agency users. Among them:

· School-side agency gateway network—A PPPoE agency group name uniquely identifies the ISP to which an agency user belongs.

· ISP-side agency gateway network—A PPPoE agency group name uniquely identifies the school to which an agency user belongs.

interface interface-type interface-number: Specifies a PPPoE agency gateway access interface (called agency gateway access interface for short) by its type and number. The interface connects the PPPoE agency gateway to the campus BRAS.

peer-ip peer-ip-address: Specifies the IPv4 address of the physical interface or the global interface (for example, Layer 3 aggregate interface) of the physical interface connecting the peer device to the PPPoE agency gateway access interface. The interface specified by the peer-ip-address argument can be either a main interface or subinterface. When the multi-endpoint single account feature is enabled, do not specify this parameter. When the multi-endpoint single account feature is disabled, you must specify this parameter.

Usage guidelines

Operating mechanism

(School-side agency gateway)

On a school-side agency gateway network, the PPPoE agency gateway, as a school device, might be uplinked to multiple ISPs through different PPPoE agency interfaces. To differentiate traffic from different ISPs, use this command to bind the following elements:

· The PPPoE agency gateway access interface that is allocated to an ISP and connects to the campus BRAS.

· The agency group of the ISP.

For example, perform the following tasks for ISP A on the PPPoE agency gateway as shown in Figure 6:

· Use the pppoe-agency-relay-group command to bind the PPPoE agency gateway access interface Port B to the PPPoE agency group of ISP A.

· Use the pppoe-agency bind command to bind the PPPoE agency interface Port D to the PPPoE agency group of ISP A.

Figure 6 Schematic diagram

‌

In this case, when the PPPoE agency gateway receives uplink traffic from users at school A through access interface Port B, it forwards the traffic through PPPoE agency interface Port D. Similarly, when the PPPoE agency gateway receives downlink traffic to users at school A through PPPoE agency interface Port D, it forwards the traffic through access interface Port B.

(ISP-side agency gateway)

On an ISP-side agency gateway network, the PPPoE agency gateway, as an ISP device, might be downlinked to multiple schools through different PPPoE agency gateway access interfaces. To differentiate traffic of users from different schools, you must use this command to bind the following elements:

· The interface connecting to the specified school on the PPPoE agency gateway.

· The agency group of the school.

For example, perform the following tasks on the PPPoE agency gateway for school A as shown in Figure 7:

· Use the pppoe-agency-relay-group command to bind the PPPoE agency gateway access interface Port B to the PPPoE agency group of school A.

· Use the pppoe-agency bind command to bind PPPoE agency interface Port D to the PPPoE agency group of school A.

Figure 7 Schematic diagram

Restrictions and guidelines

On the school-side PPPoE agency gateway, multiple ISPs cannot share the same PPPoE agency gateway access interface or PPPoE agency interface. Each ISP must have an exclusive pair of PPPoE agency gateway access interface and PPPoE agency interface, which can be main interfaces or subinterfaces.

On the ISP-side PPPoE agency gateway, multiple schools cannot share the same PPPoE agency gateway access interface or PPPoE agency interface. Each school must have an exclusive pair of PPPoE agency gateway access interface and PPPoE agency interface, which can be main interfaces or subinterfaces.

At a time, a PPPoE agency gateway access interface can be bound to only one PPPoE agency group, and vice versa. To change a binding between PPPoE agency group and PPPoE agency gateway access interface, first execute the undo pppoe-agency-relay-group command to remove the binding, and then execute the pppoe-agency-relay-group command to configure a new binding.

When online PPPoEA users exist on the PPPoE agency interface bound to a PPPoE agency group, follow these restrictions and guidelines:

· You cannot directly execute the undo pppoe-agency-relay-group command to remove the binding. To do that, first log off all online PPPoEA users on the PPPoE agency interface bound to the PPPoE agency group, and then execute the undo pppoe-agency-relay-group command.

· You cannot directly execute this command to modify the binding between the PPPoE agency group and the PPPoE agency gateway access interface. To do that, follow these steps:

¡ First, log off all online PPPoEA users on the PPPoE agency interface bound to the PPPoE agency group.

¡ Next, execute the undo pppoe-agency-relay-group command to remove the binding.

¡ Finally, execute the pppoe-agency-relay-group command to configure a new binding.

This command is mutually exclusive with the following commands:

· pppoe-agency authentication domain

· pppoe-agency forward

· work-mode user-plane (UPs)

Examples

# Bind the specified interface to the PPPoE agency group.

<Sysname> system-view

[Sysname] pppoe-agency-relay-group school1 interface ten-gigabitethernet 3/1/1 peer-ip 1.1.1.1

Related commands

pppoe-agency authentication domain

pppoe-agency bind

pppoe-agency forward

work-mode user-plane (UPs) (BRAS Services Command Reference)

reset pppoe-agency

Use reset pppoe-agency to clear the PPPoE agency sessions on the PPPoE agency.

Syntax

reset pppoe-agency { all | interface interface-type interface-number | virtual-template number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all PPPoE agency sessions.

interface interface-type interface-number: Specifies an interface by its type and number.

virtual-template number: Specifies a VT interface by its number.

Usage guidelines

This command clears PPPoE agency sessions and forcibly logs out agency users.

Examples

# Clear the PPPoE agency sessions on Virtual-Template 1 on the PPPoE agency.

<Sysname> reset pppoe-agency virtual-template 1

Related commands

display pppoe-agency session summary

reset pppoe-agency acl statistics

Use reset pppoe-agency acl statistics to clear statistics of packets matching ACLs in the PPPoE agency application.

Syntax

In standalone mode:‌

reset pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name slot slot-number [ cpu cpu-number ]

In IRF mode:

reset pppoe-agency { ipv4 | ipv6 } acl statistics user-group user-group-name chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 ACLs.

ipv6: Specifies IPv6 ACLs.

user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed.(In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if CPUs are available on the specified slot.

Examples

# (In standalone mode.) ‌Clear statistics of packets of the specified slot matching IPv4 ACLs in user group group001.

<Sysname> reset pppoe-agency ipv4 acl statistics user-group group001 slot 1

Related commands

display pppoe-agency acl statistics

reset pppoe-agency multi-host

Use reset pppoe-agency multi-host to clear information about PPPoE agency users with the multi-endpoint single account feature enabled.

Syntax

reset pppoe-agency multi-host pppoe-agency-group pppoe-agency-group-name username user-name ip-address ipv4-address

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

pppoe-agency-group pppoe-agency-group-name: Specifies an agency group. The pppoe-agency-group-name argument specifies a PPPoE agency group name, a case-insensitive string of 1 to 31 characters.

username user-name: Specifies a user by its username. The user-name argument is a case-sensitive string of 1 to 80 characters.

ip-address ipv4-address: Specifies a user by its internal network IP address.

Usage guidelines

This command also applies to the PPPoE agency scenario without the multi-endpoint single account feature enabled.

Examples

# Clear information about the PPPoE agency user named user1 and with IP address 10.1.1.2 in the agency group named g1.

<Sysname> reset pppoe-agency multi-host pppoe-agency-group g1 username user1 ip-address 10.1.1.2

reset pppoe-agency packet statistics

Use reset pppoe-agency packet statistics to clear the PPPoE agency negotiation packet statistics.

Syntax

In standalone mode:‌

reset pppoe-agency packet statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset pppoe-agency packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries for the active MPU. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries for the global active MPU. On this device, the slot-number argument represents the entire device and its value is fixed.(In IRF mode.) ‌

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Clear the PPPoE agency negotiation packet statistics on the device.

<Sysname> reset pppoe-agency packet statistics

dialer diagnose

Use dialer diagnose to configure DDR to operate in diagnostic mode.

Use undo dialer diagnose to restore the default.

Syntax

dialer diagnose [ interval interval ]

undo dialer diagnose

Default

DDR operates in non-diagnostic mode.

Views

Dialer interface view

Predefined user roles

network-admin

Parameters

interval: Specifies the diagnostic interval in the range of 5 to 65535 seconds. The default is 120 seconds.

Usage guidelines

Operating mechanism

In diagnostic mode, the device performs the following operations:

· Dials a PPPoE connection immediately after the device configurations are complete.

· Automatically terminates the connection.

· Starts the auto-dial timer after a configurable diagnostic interval.

· Redials a connection when the auto-dial timer expires.

By establishing and terminating PPPoE sessions periodically, you can monitor the operating status of the PPPoE link.

Restrictions and guidelines

This command takes effect only when a dialer interface is used with PPPoE client applications.

In diagnostic mode, the link idle-timeout timer is ignored.

Examples

# Configure Dialer 1 to operate in diagnostic mode, with a diagnostic interval of 300 seconds.

<Sysname> system-view

[Sysname] interface dialer 1

[Sysname-Dialer1] dialer diagnose interval 300

Related commands

dialer timer autodial (Layer 2—WAN Services Command Reference)

dialer timer idle (Layer 2—WAN Services Command Reference)

display interface virtual-access

Use display interface virtual-access to display information about VA interfaces.

Syntax

display interface [ virtual-access [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

virtual-access [ interface-number ]: Specifies an existing VA interface by its number. If you do not specify the virtual-access keyword, the command displays information about all interfaces except VA interfaces on the device. If you specify the virtual-access keyword without the interface-number argument, the command displays information about all VA interfaces.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays interface description information. This keyword does not apply to VA interfaces because VA interfaces do not support description configuration.

down: Displays information about interfaces in physically down state and the causes. If you do not specify this keyword, the command displays information about all interfaces.

Examples

# Display information about Virtual-Access 1.

<Sysname> display interface virtual-access 1

Virtual-Access1

Current state: UP

Line protocol state: UP

Description: Virtual-Access1 Interface

Bandwidth: 1920kbps

Maximum transmission unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet address is 122.1.1.1/24 (primary)

Link layer protocol: PPP

LCP: opened, MP: opened, IPCP: opened

Physical: MP, baudrate: 1920000 bps

Main interface: Virtual-Template1

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last link flapping: Never

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 2 packets, 24 bytes, 0 drops

Output: 2 packets, 24 bytes, 0 drops

# Display brief information about Virtual-Access 1.

<Sysname> display interface virtual-access 1 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

VA1 DOWN DOWN --

# Display brief information about VA interfaces in physically down state and the causes.

<Sysname> display interface virtual-access brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface Link Cause

VA1 DOWN Not connected

Table 14 Command output

Field	Description
Current state	Physical link state of the interface: · DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). · UP—The interface is both administratively and physically up.
Line protocol state	Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. · UP—The data link layer protocol is up. · DOWN—The data link layer protocol is down.
Description	Description of the interface.
Bandwidth	Expected bandwidth of the interface.
Hold timer	Interval at which the interface sends keepalive packets.
retry times	Maximum number of keepalive retransmission attempts. A link is removed after the maximum number of retransmission attempts is reached.
Internet protocol processing: Disabled	The interface is not assigned an IP address and cannot process IP packets.
Internet address: 122.1.1.1/24 (primary)	Primary IP address of the interface.
LCP: opened, MP: opened, IPCP: opened	The PPP connection has been successfully established.
Physical	Physical type of the interface.
Main interface	VT interface associated with the VA interface.
Output queue - Urgent queuing: Size/Length/Discards 0/100/0 Output queue - Protocol queuing: Size/Length/Discards 0/500/0 Output queue - FIFO queuing: Size/Length/Discards 0/75/0	Traffic statistics of the interface output queues.
Last link flapping	The amount of time that has elapsed since the most recent physical state change of the interface. This field displays Never if the interface has been physically down since device startup.
Last clearing of counters	Last time when statistics on the interface were cleared. Never indicates that statistics on the interface were never cleared.
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec	Average rate of input packets in the last 300 seconds, in Bps, bps, and pps.
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec	Average rate of output packets in the last 300 seconds, in Bps, bps, and pps.
Input: 2 packets, 24 bytes, 0 drops	Total number of inbound packets of the interface (in the number of packets and in bytes), and the number of packets dropped among the inbound packets.
Output: 2 packets, 24 bytes, 0 drops	Total number of outbound packets of the interface (in the number of packets and in bytes), and the number of packets dropped among the outbound packets.
Brief information on interfaces in route mode	Brief information about Layer 3 interfaces.
Interface	Abbreviated interface name.
Link	Physical link state of the interface: · UP—The interface is physically up. · DOWN—The interface is physically down. · ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Stby—The interface is a backup interface in standby state. To see the primary interface, use the display interface-backup state command.
Protocol	Data link layer protocol state of the interface: · UP—The data link layer protocol of the interface is up. · DOWN—The data link layer protocol of the interface is down. · UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces.
Primary IP	Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address.
Cause	Cause for the physical link state of an interface to be DOWN. Not connected indicates no physical link exists (possibly because the network cable is disconnected or faulty).

‌

Related commands

reset counters interface virtual-access

display pppoe-client session packet

Use display pppoe-client session packet to display the protocol packet statistics for a PPPoE session.

Syntax

display pppoe-client session packet [ dial-bundle-number number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dial-bundle-number number: Specifies the dialer bundle number corresponding to a PPPoE session. The value range for the number argument varies by device model. If you do not specify this option, the command displays the protocol packet statistics for all PPPoE sessions.

Usage guidelines

To display the data packet statistics for a PPPoE session, use the display interface virtual-access command to display information about the specified VA interface.

Examples

# Display the protocol packet statistics for all PPPoE sessions.

<Sysname> display pppoe-client session packet

Bundle: 1 Interface: XGE3/1/1

InPackets: 19 OutPackets: 19

InBytes: 816 OutBytes: 816

InDrops: 0 OutDrops: 0

Bundle: 2 Interface: XGE3/1/1

InPackets: 18 OutPackets: 18

InBytes: 730 OutBytes: 730

InDrops: 0 OutDrops: 0

Table 15 Command output

Field	Description
Bundle	Dialer bundle to which a PPPoE session belongs.
Interface	Ethernet interface where the PPPoE session is present.
InPackets	Number of packets received.
OutPackets	Number of packets transmitted.
InBytes	Number of bytes received.
OutBytes	Number of bytes transmitted.
InDrops	Number of discarded incoming packets.
OutDrops	Number of discarded outgoing packets.

‌

Related commands

display interface virtual-access

reset pppoe-client session packet

display pppoe-client session summary

Use display pppoe-client session summary to display summary PPPoE session information.

Syntax

display pppoe-client session summary [ dial-bundle-number number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

Examples

# Display summary information for all PPPoE sessions.

<Sysname> display pppoe-client session summary

Bundle ID Interface VA RemoteMAC LocalMAC State

1 1 XGE3/1/1 VA0 00e0-1400-4300 00e0-1500-4100 SESSION

2 1 XGE3/1/2 VA1 00e0-1500-4300 00e0-1600-4100 SESSION

Table 16 Command output

Field	Description
Bundle	Dialer bundle to which the PPPoE session belongs.
Interface	Ethernet interface where the PPPoE session is present.
VA	Virtual access interface created for the PPPoE session.
RemoteMAC	MAC address of the remote end.
LocalMAC	MAC address of the local end.
State	PPPoE session state: · IDLE—Initialization state. · PADI SENT—A PPPoE Active Discovery Initiation (PADI) packet has been sent, and a PPPoE Active Discovery Offer (PADO) packet is being expected. · PADR SENT—A PPPoE Active Discovery Request (PADR) packet has been sent, and a PPPoE Active Discovery Session-confirmation (PADS) packet is being expected. · SESSION—The PPPoE session has been successfully established.

‌

pppoe-client

Use pppoe-client to establish a PPPoE session and specify the dialer bundle corresponding to the session.

Use undo pppoe-client to remove a PPPoE session.

Syntax

pppoe-client dial-bundle-number number [ no-hostuniq ]

undo pppoe-client dial-bundle-number number

Default

No PPPoE session is established.

Views

Layer 3 Ethernet interface/subinterface view

VEth interface/subinterface view

VLAN interface view

WLAN Ethernet interface view

Predefined user roles

network-admin

Parameters

dial-bundle-number number: Specifies the dialer bundle number corresponding to a PPPoE session. A dialer bundle number uniquely identifies a PPPoE session. It can also be used as a PPPoE session ID. The value range for the number argument varies by device model.

no-hostuniq: Configures the client not to carry the Host-Uniq field in discovery packets. If you do not specify this keyword, the client carries the Host-Unique field. The Host-Unique field uniquely identifies a PPPoE client when an interface is configured with multiple PPPoE sessions. When the PPPoE server receives a packet with this field, it must include this field unmodified in the response packet. The device identifies the PPPoE client where the response packet belongs based on the Host-Unique field in the response packet.

Examples

# Establish a PPPoE session on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] pppoe-client dial-bundle-number 1

# Establish a PPPoE session on Virtual-Ethernet 0.

<Sysname> system-view

[Sysname] interface virtual-ethernet 0

[Sysname-Virtual-Ethernet0] pppoe-client dial-bundle-number 1

# Establish a PPPoE session on VLAN-interface 1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] pppoe-client dial-bundle-number 1

# Establish a PPPoE session on WLAN-Ethernet 1.

<Sysname> system-view

[Sysname] interface wlan-ethernet 1

[Sysname-WLAN-Ethernet1] pppoe-client dial-bundle-number 1

reset counters interface virtual-access

Use reset counters interface virtual-access to clear statistics on VA interfaces.

Syntax

reset counters interface [ virtual-access [ interface-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

virtual-access [ interface-number ]: Specifies an existing VA interface by its number. If you do not specify the virtual-access keyword, the command clears statistics on all interfaces except VA interfaces. If you specify the virtual-access keyword without the interface-number argument, the command clears statistics on all VA interfaces. If you specify both virtual-access and interface-number, the command clears statistics on the specified VA interface.

Usage guidelines

Before collecting traffic statistics regularly on a VA interface, clear the existing statistics.

Examples

# Clear statistics on Virtual-Access 10.

<Sysname> reset counters interface virtual-access 10

Related commands

display interface virtual-access

reset pppoe-client

Use reset pppoe-client to reset a PPPoE session corresponding to a dialer bundle.

Syntax

reset pppoe-client { all | dial-bundle-number number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Resets all the PPPoE sessions.

dial-bundle-number number: Specifies a dialer bundle by its number. The value range for the number argument varies by device model.

Usage guidelines

When you use this command to clear PPPoE sessions and log out the corresponding PPPoE clients, the following rules apply:

· A PPPoE session in permanent mode or diagnostic mode and terminated by this command will be established again when the auto dial timer expires.

· A PPPoE session in on-demand mode and terminated by this command will be established again only when there is a need for data transmission.

Examples

# Reset all PPPoE sessions.

<Sysname> reset pppoe-client all

Related commands

dialer timer autodial (Layer 2—WAN Services Command Reference)

reset pppoe-client session packet

Use reset pppoe-client session packet to reset the protocol packet statistics for a PPPoE session.

Syntax

reset pppoe-client session packet [ dial-bundle-number number ]

Views

User view

Predefined user roles

network-admin

Parameters

dial-bundle-number number: Specifies the dialer bundle number corresponding to a PPPoE session. The value range for the number argument varies by device model. If you do not specify this option, the command resets the protocol packet statistics for all PPPoE sessions.

Examples

# Reset the protocol packet statistics for all PPPoE sessions.

<Sysname> reset pppoe-client session packet

Related commands

display pppoe-client session packet

PPPoE gateway commands‌

pppoe-gateway bind username

Use pppoe-gateway bind username to bind an interface to the username of a user that will come online on the PPPoE gateway.

Use undo pppoe-gateway bind username to restore the default.

Syntax

pppoe-gateway bind username username

undo pppoe-gateway bind username

Default

An interface is not bound to a username.

Views

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

username: Specify the username to be bound to an interface, a case-sensitive string of 1 to 253 characters.

Usage guidelines

Application scenarios

Use this command in the edge convergence gateway scenario.

Figure 8 Edge convergence gateway

As shown in Figure 8, in the edge convergence gateway scenario, the edge cloud network moves some functions of the access gateway to the cloud and uses a concept similar to separation of the forwarding and control planes to enable access to users and cloud resources. The edge cloud gateway contains the following components:

· vCPE—Virtual customer premise equipment, a cloud-based device that processes control protocol information. For example, the vCPE can perform the following tasks:

¡ Process user access authentication.

¡ Assign IP addresses to users through DHCP.

¡ Connect PPPoE users and act as a PPPoE gateway to establish PPPoE sessions with the BRAS on the cloud network. For the PPPoE sessions, the edge cloud gateway acts as the PPPoE client and the BRAS acts as the PPPoE server.

¡ Provide security and accounting functions.

· H3C router—Processes traffic forwarding. The router receives the PPPoE user entries issued by the vCPE. It brings users online on the public network interface based on these entries. Then, it acts as the forwarding plane for the PPPoE gateway, and forwards data traffic between users and the cloud network. Although the vCPE implements control messages and user access, the data traffic does not need to pass through the vCPE. Instead, the data traffic is diverted to the H3C router for forwarding. This mechanism optimizes network resources and improves forwarding efficiency.

In addition, the H3C router has a Carrier Grade NAT (CGN) module deployed to process translation between public and private IP addresses during data packet forwarding.

Operating mechanism

As shown in Figure 8, use this command to bind a user to the interface that connects the router to the metropolitan area network (MAN), which acts as the private network interface. When the user comes online on the PPPoE gateway-enabled interface, the router receives traffic from the interface bound to the user. Then, the router forwards the traffic to the cloud network through the PPPoE gateway-enabled interface, which acts as the public network interface.

Restrictions and guidelines

An interface can be bound to only one username. Different private network interfaces must belong to different VPN instances, and be bound to different usernames.

Only a user with the username bound by using the pppoe-gateway bind username command can successfully come online on a PPPoE gateway-enabled interface.

You cannot execute the pppoe-gateway enable and pppoe-gateway bind username commands on the same interface.

Examples

# Bind username useraaa to interface VE-L3VPN 3/1/1/.

<Sysname> system-view

[Sysname] interface ve-l3vpn 3/1/1

[Sysname-VE-L3VPN3/1/1] pppoe-gateway bind username useraaa

Related commands

pppoe-gateway enable

Use pppoe-gateway enable to enable the PPPoE gateway on an interface and bind the PPPoE gateway to a NAT instance.

Use undo pppoe-gateway enable to restore the default.

Syntax

pppoe-gateway enable nat-instance instance-name

undo pppoe-gateway enable nat-instance

Default

The PPPoE gateway is disabled.

Views

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

nat-instance instance-name: Specifies a NAT instance to be bound to the PPPoE gateway by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

Use this command in the edge convergence gateway scenario.

Figure 9 Edge convergence gateway

As shown in Figure 9, in the edge convergence gateway scenario, the edge cloud network moves some functions of the access gateway to the cloud and uses a concept similar to separation of the forwarding and control planes to enable access to users and cloud resources. The edge cloud gateway contains the following components:

· vCPE—Virtual customer premise equipment, a cloud-based device that processes control protocol information. For example, the vCPE can perform the following tasks:

¡ Process user access authentication.

¡ Assign IP addresses to users through DHCP.

¡ Provide security and accounting functions.

In addition, the H3C router has a Carrier Grade NAT (CGN) module deployed to process translation between public IP address and private IP addresses during data packet forwarding.

Operating mechanism

Use this command to enable the data plane feature of the PPPoE gateway. Execute this command on the interface that connects the router to the BRAS on the cloud network, which acts as a public network interface, as shown in Figure 9. When the user comes online on the PPPoE gateway-enabled interface, the router receives traffic from the interface bound to the user. Then, the router forwards the traffic to the cloud network through the PPPoE gateway-enabled interface, which acts as the public network interface.

The vCPE maintains a separate PPPoE session for each user, and sends the recorded PPPoE session ID, the user MAC address, and the MAC address of the BRAS acting as the PPPoE server to the router. For traffic coming from the BRAS on the cloud network, the router distinguishes the target user based on the PPPoE session ID. Then, the router forwards the traffic to the user based on the user MAC address.

The NAT instance specified in this command determines the public and private IP address translation policy on the router during data forwarding.

Restrictions and guidelines

Only a user with the username bound by using the pppoe-gateway bind username command can successfully come online on a PPPoE gateway-enabled interface.

The PPPoE gateway acts as a PPPoE client in a PPPoE session. This command is mutually exclusive with PPPoE server-related commands on the same interface.

You cannot execute the pppoe-gateway enable and pppoe-gateway bind username commands on the same interface.

On a device, you can enable the PPPoE gateway on only one interface. (In non-IRF mode.)

In an IRF fabric, you can enable the PPPoE gateway on only one interface. (In IRF mode.)

Examples

# Enable the PPPoE gateway on interface Route-Aggregation 1 and bind the PPPoE gateway to the NAT instance named test.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] pppoe-gateway enable nat-instance test

# Enable the PPPoE gateway on interface VE-L3VPN 3/1/1 and bind the PPPoE gateway to the NAT instance named test.

<Sysname> system-view

[Sysname] interface ve-l3vpn 3/1/1

[Sysname-VE-L3VPN3/1/1] pppoe-gateway enable nat-instance test

Related commands

pppoe-gateway bind username

pppoe-gateway wan-instance

Use pppoe-gateway wan-instance to bind a WAN instance ID to an interface.

Use undo pppoe-gateway wan-instance to restore the default.

Syntax

pppoe-gateway wan-instance instance-name

undo pppoe-gateway wan-instance

Default

No WAN instance ID is bound to an interface.

Views

L3VE interface/subinterface view

Predefined user roles

network-admin

Parameters

wan-instance instance-name: Specify the WAN instance ID for an interface. The instance-name argument represents a case-sensitive string of 1 to 31 characters. The WAN instance IDs must differ across interfaces.

Usage guidelines

Application scenarios

Use this command in the edge convergence gateway scenario.

Operating mechanism

Figure 10 Edge convergence gateway

When a router has multiple WAN interfaces (such as the left-side interfaces of the router in Figure 10), use this command to bind a WAN instance ID to each interface. This enables load sharing by allowing traffic from different users or services to fully utilize the bandwidth of multiple WAN interfaces. When the vCPE deploys user entry information to the router, it associates the user information with a WAN instance ID. The router matches the WAN instance ID in the user entry information with the WAN instance IDs bound to local interfaces. This allows traffic from different users or services to be forwarded through different interfaces.

Examples

# Bind WAN instance ID 100 to interface Route-Aggregation 1.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] pppoe-gateway wan-instance 100

# Bind WAN instance ID 100 to interface VE-L3VPN 3/1/1.

<Sysname> system-view

[Sysname] interface ve-l3vpn 3/1/1

[Sysname-VE-L3VPN3/1/1] pppoe-gateway enable nat-instance test

Related commands

pppoe-gateway enable

17-BRAS Services Command Reference

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Restrictions and guidelines

Operating mechanism

Prerequisites

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Recommended configuration

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Operating mechanism

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Restrictions and guidelines

PPPoE agency commands‌

Operating mechanism

Restrictions and cautions

Application scenarios

Operating mechanism

Application scenarios

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

PPPoE gateway commands‌

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us