Login
- Table of Contents
-
- 17-BRAS Services Command Reference
- 00-Preface
- 01-AAA commands
- 02-ANCP commands
- 03-PPP commands
- 04-DHCP commands
- 05-DHCPv6 commands
- 06-User profile commands
- 07-Connection limit commands
- 08-L2TP commands
- 09-PPPoE commands
- 10-IPoE commands
- 11-802.1X commands (Layer 3)
- 12-UCM commands
- 13-iBRAS SA commands
- 14-CP-UP connection management commands
- 15-UP backup commands
- 16-UP fail-permit and graceful offboarding commands
- 17-Value-added services commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 16-UP fail-permit and graceful offboarding commands | 128.85 KB |
UP fail-permit and graceful offboarding commands
display offline-access-user (UPs)
display pppoe-server escape-session summary (UPs)
reset pppoe-server escape-session (UPs)
UP fail-permit and graceful offboarding commands
On a CUPS network, the device acts only as a UP and must work with a CP to fully configure the UP fail-permit and graceful offboarding features. For more information about the UP fail-permit and graceful offboarding features, see UP fail-permit and graceful offboarding configuration in CP and UP Separation Configuration Guide for CPs.
The commands in this document are available only on UPs on a CUPS network. Before you execute a command, make sure you are fully aware of the impact of this command on the current network and prevent configuration errors from causing network failures.
display offline-access-user (UPs)
Use display offline-access-user to display offline users on the UP device.
Syntax
display offline-access-user [ { access-type { pppoe | dhcpv4 | dhcpv6} | interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] | mac-address mac-address } * ] [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
access-type: Specifies a user type.
· pppoe: Specifies PPPoE user.
· dhcpv4: Specifies DHCPv4 user.
· dhcpv6: Specifies DHCPv6 user.
interface interface-type interface-number: Specifies users that access an interface specified by its type and number. Only network access users support this option.
s-vlan svlan-id: Displays information about users with the specified SVLAN ID. The value range for the svlan-id argument is 1 to 4094.
c-vlan cvlan-id: Displays information about users with the specified CVLAN ID. The value range for the cvlan-id argument is 1 to 4094.
mac-address mac-address: Displays information about users with the specified MAC address. The MAC address is in H-H-H format and case-insensitive. Only network access users support this option.
count: Displays the number of users.
verbose: Displays detailed user information. If you do not specify this keyword, the command displays brief information.
Usage guidelines
Execute this command to display information about users who go offline when the UP fail-permit feature is enabled.
If you do not specify the [ { access-type { pppoe | dhcpv4 | dhcpv6} | interface interface-type interface-number [ s-vlan svlan-id [ c-vlan cvlan-id ] ] | mac-address mac-address } * ] option, the command displays information about all offline users.
Examples
# Display the number of offline users on the UP device.
<Sysname> display offline-access-user count
Total offline users : 4
PPPoE offline users : 2
DHCP4 offline users : 1
DHCP6 offline users : 1
Table 1 Command output
|
Field |
Description |
|
Total offline users |
Total number of offline users. |
|
PPPoE offline users |
Number of offline PPPoE users. |
|
DHCP4 offline users |
Number of offline DHCPv4 users. |
|
DHCP6 offline users |
Number of offline DHCPv6 users. |
# Display brief information about all offline users on the UP device.
<Sysname> display offline-access-user
Interface S-/C-VLAN MAC address
IPv6 address IP address Access type
XGE3/1/1 -/- 0010-9500-0002
- 14.1.3.2 PPPoE
XGE3/1/1.1 10/- 0010-9400-006c
- 14.1.5.1 PPPoE
XGE3/1/1 -/- 0010-9400-0002
- 14.1.4.1 DHCPv4
XGE3/1/1 -/- 0010-9700-0001
14::201 - DHCPv6
Table 2 Command output
|
Field |
Description |
|
Interface |
User access interface. |
|
IP address |
User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-). |
|
IPv6 address |
User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-). |
|
MAC address |
User's MAC address. If the user does not have a MAC address, this field displays a hyphen (-). |
|
S-/C-VLAN |
SVLAN/CVLAN of a user. If the user does not have VLAN information, this field displays a hyphen (-). |
|
Access type |
Access type of a user, which can be: · PPPoE. · DHCPv4. · DHCPv6. |
# Display detailed information about all offline users on the UP device.
<Sysname> display offline-access-user verbose
Basic:
MAC address: 0010-9400-006c
Interface: XGE3/1/1.10
Service-VLAN/Customer-VLAN: 10/-
Offline time: 2025-02-14 06:53:44
Access type: PPPoE
VPN instance: N/A
Local MAC address: 0000-5e00-0111
Managed address flag: 1
Other flag: 0
IP address: 14.1.5.1
IP gateway address: 14.1.5.254
Primary DNS server: 123.1.1.1
Secondary DNS server: 156.1.1.1
IP access type: -
IPv6 address: -
IPv6 PD prefix: -
IPv6 ND prefix: -
IPv6 prefix length:
IPv6 address type: -
IA Type: -
Primary IPv6 DNS server: -
Secondary IPv6 DNS server: -
IPv6 access type: -
IPv6CP access type: -
IPv6CP primary DNS server: -
IPv6CP secondary DNS server: -
User IPv6CP interface ID: -
IPv4 route cost: 0
IPv4 UNR route tag: 0
IPv4 frame UNR route tag: 0
IPv4 route export: Yes
IPv6 route cost: 10
IPv6 address UNR route tag: 1
IPv6 prefix UNR route tag: 0
IPv6 address route export: No
IPv6 prefix route export: Yes
AAA:
MRU: 1492 bytes
IPv4 MTU: 1492 bytes
IPv6 MTU: N/A
Usergroup name: voipnew
Dual-stack accounting mode: Separate
Dual-stack rate mode: Merge
ACL&QOS:
Inbound user profile: abcdefghijklmnopqrstuvwxyznew
Outbound user profile: abcdefghijklmnopqrstuvwxyznew
Inbound user priority: 6
Outbound user priority: 6
InCIR: 1111
InPIR: 2222
InCBS: -
InEBS: -
InCirUnit: 1
InPirUnit: 1
InCbsUnit: -
InEbsUnit: -
OutCIR: 7777
OutPIR: 8888
OutCBS: -
OutEBS: -
OutCirUnit: 1
OutPirUnit: 1
OutCbsUnit: -
OutEbsUnit: -
Table 3 Command output
|
Field |
Description |
|
Basic |
Basic information of the access user. |
|
Interface |
User access interface name. |
|
Service-VLAN/Customer-VLAN |
Outer VLAN and inner VLAN of the user. If the user does not have an outer VLAN or inner VLAN, the outer VLAN or inner VLAN field displays a hyphen (-). |
|
Offline time |
User Offline At |
|
VPN instance |
VPN instance to which the user belongs. If the user is on a public network, this field displays N/A. |
|
Access type |
Access type of a user, which can be: · PPPoE. · DHCPv4. · DHCPv6. |
|
MAC address |
User's MAC address. If the user does not have a MAC address, this field displays a hyphen (-). |
|
Local MAC address |
Local MAC address assigned when the user accesses. |
|
Authentication type |
Authentication type for user access. Options include: · Bind—Indicates an IPoE access user that uses bind authentication. · PPP—Indicates a PPP access user. · Web—Indicates IPoE individual users in the Web authentication phase and users authenticated through Web-based identity verification on Layer 2 Ethernet interfaces. · Web pre-auth—Indicates IPoE individual users in the pre-authentication phase. |
|
Managed address flag |
Managed address configuration flag. |
|
Other flag |
Other configuration flags. |
|
IP address |
User's IPv4 address. If the user does not have an IPv4 address, this field displays a hyphen (-). |
|
IP gateway address |
IPv4 gateway address of the user. If the user does not have an IPv6 gateway address, this field displays a hyphen (-). |
|
Primary DNS server |
User's primary DNS server IPv4 address. If the user does not have such an IPv4 address, this field displays a hyphen (-). |
|
Secondary DNS server |
User's secondary DNS server IPv4 address. If the user does not have such an IPv4 address, this field displays a hyphen (-). |
|
IP access type |
IPv4 access user type. If this field does not have a value, this field displays a hyphen (-). |
|
IPv6 address |
User's IPv6 address. If the user does not have an IPv6 address, this field displays a hyphen (-). |
|
IPv6 PD prefix |
User's IPv6 PD prefix. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-). |
|
IPv6 ND prefix |
User's IPv6 ND prefix. If the user does not have an IPv6 PD prefix, this field displays a hyphen (-). |
|
IPv6 prefix length |
IPv6 PD prefix length. |
|
IPv6 address type |
IPv6 address type. Options include: · IANA—DHCPv6 assigned address. · NDRA_SHARE—Shared ND prefix. · NDRA_EXCLUSIVE—One prefix per user. · NDRA_SHAREIF—ND prefix configured on the interface. · Hyphen (-)—Does not exist. |
|
IA Type |
DHCPv6 requested address type. Options include: · IANA_IAPD—IANA and IAPD. · IANA. · IAPD. · Hyphen (-)—Does not exist. |
|
Primary IPv6 DNS server |
User's primary DNS server IPv4 address. If the user does not have such an IPv4 address, this field displays a hyphen (-). |
|
Secondary IPv6 DNS server |
User's secondary DNS server IPv4 address. If the user does not have such an IPv4 address, this field displays a hyphen (-). |
|
IPv6 access type |
IPv6 access type. Options include: · DHCP—DHCPv6 initiated. · NDRS—ND RS initiated. |
|
IPv6CP access type |
IPv6 access type after a PPP user successfully passes IPv6CP negotiation: · DHCP—DHCPv6 initiated. · NDRS—ND RS initiated. |
|
IPv6CP primary DNS server |
User's primary DNS server IPv4 address. If the user does not have such an IPv4 address, this field displays a hyphen (-). |
|
IPv6CP secondary DNS server |
User's secondary DNS server IPv4 address. If the user does not have such an IPv4 address, this field displays a hyphen (-). |
|
User IPv6CP interface ID |
Actual interface ID used by a PPP user after IPv6CP negotiation succeeds. If no ID exists, this field displays a hyphen (-). |
|
IPv4 route cost: 0 |
Cost value for IPv4 routes generated for the user. |
|
IPv4 UNR route tag: 0 |
Tag value for IPv4 UNR routes generated for the user. |
|
IPv4 frame UNR route tag: 0 |
Tag value for IPv4 frame UNR routes generated for the user. |
|
IPv4 route export: No |
Whether to advertise the route or not. Options include: · Yes. · No. |
|
IPv6 route cost : 0 |
Cost value for IPv6 routes generated for the user. |
|
IPv6 address UNR route tag: 0 |
Tag value for IPv6 UNR routes generated for the user. This field is applicable to the scenario where IPv6 global unicast addresses are directly assigned to users. |
|
IPv6 prefix UNR route tag: 0 |
Tag value for IPv6 UNR routes generated for the user. This field is applicable to the scenario where IPv6 address prefixes are assigned to users. |
|
IPv6 address route export: Yes |
Whether to advertise the route or not. Options include: · Yes. · No. This field is applicable to the scenario where IPv6 global unicast addresses are directly assigned to users. |
|
IPv6 prefix route export: Yes |
Whether to advertise the route or not. Options include: · Yes. · No. This field is applicable to the scenario where IPv6 address prefixes are assigned to users. |
|
Detect interval |
IPoE user online detection interval. Non-IPoE access users do not support this field. |
|
Detect retransmit times |
Maximum number of detection failures allowed by IPoE user online detection. Non-IPoE access users do not support this field. |
|
AAA |
AAA information. |
|
MRU |
Negotiated MRU value between both ends of the link during the PPP LCP phase, in bytes. (This field applies only to PPPoE and L2TP users. For other users, this field displays N/A.) |
|
IPv4 MTU |
Actual maximum transmission unit (MTU) value that guides IPv4 user packet forwarding, in bytes. (This field applies only to PPPoE and L2TP users. For other users, this field displays N/A.) |
|
IPv6 MTU |
Actual maximum transmission unit (MTU) value that guides IPv6 user packet forwarding, in bytes. (This field applies only to PPPoE and L2TP users. For other users, this field displays N/A.) |
|
User group name |
Authorized user group name. |
|
Dual-stack accounting mode |
Accounting mode for dual-stack users: · Merge—Reports the IPv4 and IPv6 traffic of a dual-stack user as a whole to the accounting server. · Separate—Reports the IPv4 and IPv6 traffic of a dual-stack user to the accounting server separately. |
|
Dual-stack rate mode |
Rate limiting mode for dual-stack users: · Merge—Unified rate limiting, which calculates the rate for both the IPv4 and IPv6 traffic of dual-stack users. · Separate—Separate rate limiting, which calculates the IPv4 and IPv6 traffic rates of dual-stack users separately. |
|
Dual-stack rate mode |
Rate limiting mode for dual-stack users: · Merge—Unified rate limiting, which calculates the rate for both the IPv4 and IPv6 traffic of dual-stack users. · Separate—Separate rate limiting, which calculates the IPv4 and IPv6 traffic rates of dual-stack users separately. |
|
ACL&QoS |
ACL and QoS information. |
|
Inbound user profile |
Name of the authorized inbound user profile. If no user profile is authorized, this field displays N/A. Authorization status options include: · active—AAA has authorized the inbound user profile successfully. · inactive—AAA has failed to authorize the inbound user profile or the inbound user profile does not exist on the BRAS. |
|
Outbound user profile |
Name of the authorized outbound user profile. If no user profile is authorized, this field displays N/A. Authorization status options include: · active—AAA has authorized the outbound user profile successfully. · inactive—AAA has failed to authorize outbound user profile or the outbound user profile does not exist on the BRAS. |
|
Inbound user priority |
AAA-authorized inbound user priority, which can be a number in the range of 0 to 7, 15, or a hyphen (-). The value of 15 or hyphen (-) means no inbound user priority is authorized. |
|
Outbound user priority |
AAA-authorized outbound user priority, which can be a number in the range of 0 to 7, 15, or a hyphen (-), A. The value of 15 or hyphen (-) means no outbound user priority is authorized. |
|
InCIR |
Inbound committed information rate, in the range of 1 to 4294967295 kbps. |
|
InPIR |
Inbound peak information rate, in the range of 1 to 4294967295 kbps. |
|
InCBS |
Inbound committed burst size in bytes. |
|
InEBS |
Inbound excess burst size in bytes. |
|
InCirUnit |
Unit of the inbound committed information rate. |
|
InPriUnit |
Unit of the inbound peak information rate. |
|
InCbsUnit |
Unit of the inbound committed burst size. |
|
InEbsUint |
Unit of the inbound excess burst size. |
|
OutCIR |
Outbound committed information rate, in the range of 1 to 4294967295 kbps. |
|
OutPIR |
Outbound peak information rate, in the range of 1 to 4294967295 kbps. |
|
OutCBS |
Outbound committed burst size in bytes. |
|
OutEBS |
Outbound excess burst size in bytes. |
|
OutCirUnit |
Unit of the outbound committed information rate. |
|
OutPriUnit |
Unit of the outbound peak information rate. |
|
OutCbsUnit |
Unit of the outbound committed burst size. |
|
OutEbsUint |
Unit of the outbound excess burst size. |
Related commands
up-escape enable
display pppoe-server escape-session summary (UPs)
Use display pppoe-server escape-session summary to display the summary of PPPoE sessions established when a UP is in fail-permit state.
Syntax
display pppoe-server escape-session summary [ { slot slot-number | interface interface-type interface-number } | mac-address mac-address ]*
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
interface interface-type interface-number: Specifies users that access an interface specified by its type and number. Only network access users support this option.
mac-address mac-address: Displays session information about users with the specified MAC address. The MAC address is in H-H-H format and case-insensitive. Only network access users support this option.
Usage guidelines
If you do not specify any parameter, this command displays information about all sessions.
For more information about UP fail-permit, see UCM configuration in Security Configuration Guide.
Examples
# Display summary information about the all PPPoE sessions established when the UP is in fail-permit state.
<Sysname> display pppoe-server escape-session summary
Slot 7:
Total Escape PPPoE sessions on slot 7: 2
Ethernet interface: GE1/0/1.10 Session ID: 1
PPP index: 0x11000140004c01 State: OPEN
Remote MAC: 0010-9400-006c Local MAC: 0000-5e00-0111
Service VLAN: 10 Customer VLAN: N/A
Ethernet interface: GE1/0/1 Session ID: 1
PPP index: 0x11000140000ca1 State: OPEN
Remote MAC: 0010-9500-0101 Local MAC: 0000-5e00-0111
Service VLAN: N/A Customer VLAN: N/A
Table 4 Command output
|
Field |
Description |
|
Total PPPoE sessions |
Total number of PPPoE sessions. |
|
Ethernet interface |
Interface bound to a PPPoE session. |
|
Session ID |
ID of a PPPoE session. |
|
PPP index |
PPP session index information |
|
State |
State of a PPPoE session: · PADR_RCVD—The PPPoE session is being created and in the session negotiation phase. · OPEN—The PPPoE session is open. · OFFLINE—The PPPoE session is being deleted. · BACKUP—The PPPoE session is to be activated on the VSRP backup device. |
|
Remote MAC |
Remote MAC address. |
|
Local MAC |
Local MAC address. |
|
Service VLAN |
Service provider VLAN. This field displays N/A if no service VLAN is available. |
|
Customer VLAN |
Customer VLAN. This field displays N/A if no customer VLAN is available. |
Related commands
up-escape enable (Security Command Reference)
reset pppoe-server escape-session
display up-escape state (UPs)
Use display up-escape state to display the UP fail-permit state.
Syntax
display up-escape state
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
After you enable the fail-permit feature on a UP device, execute this command to identify whether the UP enters the fail-permit state.
Examples
# Display the UP fail-permit state.
<Sysname> display up-escape state
UP escape state: OFF
Table 5 Command output
|
Field |
Description |
||
|
UP escape state |
Whether the UP enters the fail-permit state. Options include: · ON—The UP enters the fail-permit state. · OFF—The UP is not in fail-permit state. |
|
|
Related commands
up-escape enable
reset pppoe-server escape-session (UPs)
Use reset pppoe-server escape-session to clear the PPPoE sessions established when a UP is in fail-permit state.
Syntax
reset pppoe-server escape-session { all | interface interface-type interface-number mac-address mac-address [ service-vlan svlan-id ] [ customer-vlan svlan-id ] }
Views
Any view
Predefined user roles
network-admin
Parameters
all: Clears all fail-permit sessions.
interface interface-type interface-number: Clears the PPPoE sessions on an interface specified by its type and number.
service-vlan svlan-id: Clears PPPoE sessions of users with the specified SVLAN ID. The value range for the svlan-id argument is 1 to 4094.
customer-vlan cvlan-id: Clears PPPoE sessions of users with the specified CVLAN ID. The value range for the cvlan-id argument is 1 to 4094.
mac-address mac-address: Clear PPPoE sessions of users with the specified MAC address. The MAC address is in H-H-H format and case-insensitive. Only network access users support this option.
Usage guidelines
For more information about UP fail-permit, see UCM configuration in Security Configuration Guide.
Examples
# Clear all PPPoE sessions established when the UP is in fail-permit state.
<Sysname> reset pppoe-server escape-session all
Related commands
up-escape enable (Security Command Reference)
display pppoe-server escape-session summary
up-escape enable (UPs)
Use up-escape enable to enable the UP fail-permit feature.
Use undo up-escape enable to disable the UP fail-permit feature.
Syntax
up-escape enable
undo up-escape enable
Default
The UP fail-permit feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
In the CUPS scenario, the vBRAS-CP provides control plane features, and the vBRAS-UP provides only forwarding plane features, providing access services to users. Although this architecture has many benefits, it requires both CP and UP devices to run correctly to ensure service continuity. You can configure UP backup to ensure UP redundancy and configure remote deployment on the CP for disaster recovery, but the following risks still exist:
· Homogeneous software issue—The primary and backup CP devices use the same software platform, and they might fail and restart simultaneously, causing user onboarding failures.
· Concentrated offboarding issue—After the CP device recovers from failure, users will reonboard in a concentrated manner, leading to a surge in the service processing load of the vBRAS system within a short period. This issue might cause delayed user connections and prolonged service interruptions.
· CP-UP channel down issue—If the control channel and protocol channel between the CP and UP devices go down, user dial-up requests cannot reach the CP device, causing user onboarding failures.
To further enhance the reliability of the CUPS system, you can configure the UP fail-permit feature. Then, the UP device can process user dial-up requests for access and provide basic forwarding capabilities to ensure service continuity in the following scenarios:
· Both the primary and backup CP devices fail.
· The control and protocol channels between both the primary and backup CP devices and the UP device are down.
Operating mechanism
With the UP fail-permit feature enabled, the UP device enters fail-permit state when the control and protocol channels between the UP and CP devices are down. In the CP disaster recovery scenario, the UP device enters fail-permit state only when the control and protocol channels between both the primary and backup CP devices and the UP device are down. To avoid frequent state changes caused by channel flapping, the UP device will wait for a specific time period before it enters fail-permit state.
With the fail-permit feature enabled, the UP device processes user access requests as follows:
· For users who came online when the CUPS system ran correctly and are still online when the UP device enters fail-permit state, the UP device keeps the users online.
During the fail-permit period, if a PPPoE user or DHCP-based Layer 2 access user goes offline, the user can come online again, because the UP device can process the user's access request locally. For other types of users, they cannot come online again after going offline.
· For PPPoE users and DHCP-based Layer 2 access users who came online when the CUPS system ran correctly but are not online when the UP device enters fail-permit state, they can come online during the fail-permit period, because the UP device has generated offline backup entries for them and can process their access requests locally. An offline backup entry of a user records the user's basic access and forwarding information.
· In other scenarios, a user cannot come online during the fail-permit period.
During the fail-permit period, the UP device continuously monitors the CP-UP channel state. After the channel recovers, the UP device exits fail-permit state. You can execute the access-user temporary-session age enable and access-user graceful-offline speed commands to configure the graceful offboarding feature to avoid large-scale service interruptions caused by concentrated user onboarding and offboarding.
Restrictions and guidelines
This command is supported only on UPs.
After you disable the UP fail-permit feature, the UP device deletes all offline backup entries.
Examples
# Enable the UP fail-permit feature.
<Sysname> system-view
[Sysname] up-escape enable
Related commands
access-user graceful-offline speed
access-user temporary-session age enable
display up-escape state
display offline-access-user
display access-user user-plane up-escape
display pppoe-server escape-session (Layer 2—WAN Access Command Reference)
reset pppoe-server escape-session (Layer 2—WAN Access Command Reference)
