Version: V600R003C00
Issue: 02
Date: 2011-09-10
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2011-09-10)
- This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.
- On NE80E/40E series excluding NE80E/40E-X1 and NE80E/40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE80E/40E-X1 and NE80E/40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions as LPUs and SFUs to exchange and forward packets.
Related Versions
The following table lists the product versions related to this document.
Product Name                      Version
HUAWEI NetEngine80E/40E Router    V600R003C00
Intended Audience
This document is intended for:
- Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Changes in Issue 02 (2011-09-10)
The second commercial release has the following updates.
- DHCPv4 Configuration: As defined in 2.4.2 Creating a DHCPv4 Server Group, the polling mechanism can be used to select a DHCPv4 server.
Contents
About This Document.....................................................................................................................ii
1 AAA Configuration.......................................................................................................................1
1.1 AAA Overview...................................................................................................................................................2
1.1.1 Introduction to AAA..................................................................................................................................2
1.1.2 AAA Supported by the NE80E/40E..........................................................................................................3
1.2 Configuring AAA Schemes................................................................................................................................4
1.2.1 Establishing the Configuration Task.........................................................................................................4
1.2.2 (Optional) Enabling RADIUS or HWTACACS.......................................................................................5
1.2.3 Configuring an Authentication Scheme....................................................................................................5
1.2.4 (Optional) Configuring an Authorization Scheme....................................................................................7
1.2.5 Configuring an Accounting Scheme..........................................................................................................8
1.2.6 (Optional) Configuring a Recording Scheme..........................................................................................10
1.2.7 Checking the Configuration.....................................................................................................................11
1.3 Configuring a RADIUS Server.........................................................................................................................13
1.3.1 Establishing the Configuration Task.......................................................................................................13
1.3.2 Creating a RADIUS Server Group..........................................................................................................14
1.3.3 Configuring RADIUS Authentication and Accounting Servers..............................................................15
1.3.4 (Optional) Configuring the Algorithm for Selecting a RADIUS Server.................................................16
1.3.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server.................................................16
1.3.6 (Optional) Disabling RADIUS Attributes...............................................................................................18
1.3.7 (Optional) Configuring RADIUS Attribute Translation.........................................................................19
1.3.8 (Optional) Configuring the Tunnel Password Delivery Mode................................................................20
1.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value.....................................................21
1.3.10 (Optional) Configuring the Format of the NAS-Port Attribute.............................................................22
1.3.11 (Optional) Configuring the Source Interface of a RADIUS Server......................................................22
1.3.12 (Optional) Configuring a RADIUS Authorization Server.....................................................................23
1.3.13 (Optional) Setting the Status Parameters of a RADIUS Server............................................................24
1.3.14 (Optional) Configuring the Extended Source Interfaces of a RADIUS Server.....................................24
1.3.15 Checking the Configuration...................................................................................................................25
1.4 Configuring an HWTACACS Server...............................................................................................................27
1.4.1 Establishing the Configuration Task.......................................................................................................28
1.4.2 Creating an HWTACACS Server Template............................................................................................28
1.4.3 Configuring HWTACACS Authentication/Authorization/Accounting Servers.....................................29
2 DHCPv4 Configuration..............................................................................................................74
2.1 Introduction to DHCPv4...................................................................................................................................75
2.2 DHCPv4 Supported by the NE80E/40E...........................................................................................................75
2.3 Configuring an IPv4 Address Pool...................................................................................................................75
2.3.1 Establishing the Configuration Task.......................................................................................................75
2.3.2 Creating an Address Pool........................................................................................................................78
2.3.3 (Optional) Configuring Static IP Address Binding.................................................................................80
2.3.4 (Optional) Configuring DNS Services for the DHCPv4 Client..............................................................80
2.3.5 (Optional) Configuring NetBIOS Services for the DHCPv4 Client........................................................81
2.3.6 (Optional) Configuring SIP Services for the DHCPv4 Client.................................................................82
2.3.7 (Optional) Configuring DHCPv4 Self-Defined Options.........................................................................83
3 DHCPv6 Configuration............................................................................................................118
3.1 Introduction to DHCPv6.................................................................................................................................119
3.1.1 DHCPv6 Overview................................................................................................................................119
3.1.2 DHCPv6 Features Supported by the NE80E/40E.................................................................................119
3.2 Configuring a DHCPv6 Relay Agent.............................................................................................................119
3.2.1 Establishing the Configuration Task.....................................................................................................120
3.2.2 Enabling DHCPv6 Relay.......................................................................................................................120
3.2.3 Enabling DHCPv6 on Network-side Interfaces.....................................................................................122
3.2.4 Checking the Configuration...................................................................................................................122
A Glossary......................................................................................................................................171
B Acronyms and Abbreviations.................................................................................................174
1 AAA Configuration
AAA
AAA provides security functions for user authentication, authorization, and accounting.
- AAA adopts the client/server model. This model has good extensibility and facilitates concentrated management over user information.
AAA supports three types of authentication modes: non-authentication, local authentication, and remote authentication. Remote authentication is implemented through either the Remote Authentication Dial In User Service (RADIUS) or the Huawei Terminal Access Controller Access Control System (HWTACACS).
AAA supports four types of authorization modes: direct authorization, local authorization,
HWTACACS authorization, and if-authenticated authorization.
NOTE
Managing users based on domains: You can configure the default authorization, RADIUS/
HWTACACS template, and authentication and accounting schemes in the domain.
In current AAA implementations, users are categorized into different domains. The domain to
which a user belongs depends on the character string that follows "@" of a user name. For
example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name,
the user belongs to the default0 domain, default1 domain or default_admin domain.
In the AAA view, users can create a maximum of 1021 domains except the default0 domain,
default1 domain, or default_admin domain.
To perform AAA for users, you need to configure authentication, authorization, and accounting
modes in the AAA view, and then apply the authentication, authorization, and accounting
schemes in the domain view.
The authorization configured in the domain view has a lower priority than the authorization
delivered by an AAA server. That is, the authorization delivered by an AAA server is preferred.
When the AAA server does not have or support the authorization, the authorization configured
in the domain view takes effect. In this manner, you can increase services flexibly by means of
domain management, regardless of the authorization by the AAA server.
1. Authentication
The authentication modes supported by AAA include non-authentication, local
authentication, and remote authentication. Remote authentication can be performed
through either RADIUS or HWTACACS.
The authentication modes can be used in combination, which is configured through
commands. If the first authentication mode fails (including the situation where the remote
server does not respond), you can adopt another authentication mode according to the
configured sequence of authentication modes. For example, you can configure
authentication to be performed in the sequence of RADIUS authentication, local
authentication, and non-authentication.
2. Authorization
The authorization modes supported by AAA include direct authorization, local
authorization, HWTACACS authorization, and if-authenticated authorization.
3. Accounting
The accounting modes supported by AAA include non-accounting and remote accounting.
After being authenticated and authorized, users successfully go online, and accounting
starts with the access of services. Accounting is performed based on online time, user traffic,
or both. The accounting process is as follows: The NE80E/40E collects statistics on the
online time and the upstream and downstream traffic, and then sends the statistics to the
RADIUS or HWTACACS server in the format specified by the RADIUS or HWTACACS
protocol. At last, the server returns a message to the NE80E/40E indicating whether
accounting succeeds.
NOTE
User authentication, authorization, and accounting must be performed in the domain view.
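Two of the behaviours described above, deriving the domain from the text after "@" in the user name and trying the configured authentication modes in order (where a remote server that does not respond counts as a failure), as an added Python example. This is not code from the Huawei document or the NE80E/40E software: the domain table, the local user record, the choice of default0 as the default domain and the RADIUS/HWTACACS stubs are constructed assumptions of the example.

```python
import hashlib
import hmac

# Assumed default domain for names without "@"; the document lists default0,
# default1 and default_admin as the possible defaults.
DEFAULT_DOMAIN = "default0"


def domain_of(user_name: str) -> tuple:
    """Split 'user@hua' into ('user', 'hua'); a name without '@' falls into the default domain."""
    if "@" in user_name:
        bare, domain = user_name.split("@", 1)  # text after the first '@' (assumption for names with several)
        return bare, domain
    return user_name, DEFAULT_DOMAIN


# Constructed domain table: the authentication modes of each domain, in the order they are tried.
DOMAIN_AUTH_SEQUENCE = {
    "hua": ["radius", "local"],
    "default0": ["local", "none"],
}


class RemoteTimeout(Exception):
    """The remote RADIUS/HWTACACS server did not answer within the timeout."""


_SALT = b"constructed-salt"


def _derive(password: str) -> bytes:
    """Local password storage as a PBKDF2 hash rather than plaintext (example choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


LOCAL_USERS = {"alice@hua": _derive("s3cret")}  # constructed local user record


def local_auth(user_name: str, password: str) -> bool:
    stored = LOCAL_USERS.get(user_name)
    return stored is not None and hmac.compare_digest(stored, _derive(password))


def make_remote_stub(reachable: bool, accepted: dict):
    """Stand-in for a remote server: raises RemoteTimeout when unreachable, otherwise checks its table."""
    def _auth(user_name: str, password: str) -> bool:
        if not reachable:
            raise RemoteTimeout(user_name)
        return accepted.get(user_name) == password
    return _auth


def authenticate(user_name: str, password: str, remote: dict) -> tuple:
    """Try the domain's modes in order; returns (accepted, mode that decided).

    remote maps a mode name ('radius' / 'hwtacacs') to a callable. A mode that
    fails, including one whose server does not respond, passes control to the
    next mode in the sequence.
    """
    _, domain = domain_of(user_name)
    sequence = DOMAIN_AUTH_SEQUENCE.get(domain)
    if sequence is None:
        return False, None  # unknown domain: no scheme to apply
    for mode in sequence:
        if mode == "none":
            return True, "none"  # non-authentication: the user passes without a check
        if mode == "local":
            if local_auth(user_name, password):
                return True, "local"
            continue
        if mode in ("radius", "hwtacacs"):
            server = remote.get(mode)
            if server is None:
                continue  # no server of that kind configured: counts as a failure
            try:
                if server(user_name, password):
                    return True, mode
            except RemoteTimeout:
                pass  # no response: counts as a failure, fall through to the next mode
            continue
        raise ValueError("unsupported authentication mode: " + mode)
    return False, None
```

With the "hua" domain configured as RADIUS then local, an unreachable RADIUS server lets a valid local user in via local authentication, while a user unknown to both is rejected; a name without "@" lands in default0, whose sequence ends in non-authentication.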
The NE80E/40E supports two methods of modifying passwords of users after they pass through
HWTACACS authentication:
Applicable Environment
To provide access services for authorized users and protect sensitive network devices against
unauthorized access, configure AAA on the router.
Pre-configuration Tasks
Before configuring AAA schemes, complete the following tasks:
Configuring parameters of the link layer protocol and IP addresses for the interfaces, ensuring
that the status of the link layer protocol on the interfaces is Up
Data Preparation
To configure AAA schemes, you need the following data.
- Name of the accounting scheme, accounting mode, interval for real-time accounting, accounting-start failure policy, real-time accounting failure policy, and number of real-time accounting failures
- (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording mode, and events to be recorded
- Interface type and interface number of the server and client, ID and IP address range of the address pool, and IP addresses to be allocated to users when no address pool is used
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The policy for handling the authentication failure cannot be configured on the X1 or X2 models of the
NE80E/40E.
----End
Context
Do as follows on the router:
NOTE
- You can configure command-line authorization for users of a certain level only when HWTACACS is adopted.
- Command-line authorization of HWTACACS is irrelevant to the authorization mode configured by using the authorization-mode command.
Procedure
Step 1 Run:
system-view
The policy for authorization failures in the case where the HWTACACS server is unavailable
or no user is locally configured is set.
Step 7 Run:
quit
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
If the NE80E/40E does not receive any response after re-sending the real-time accounting
packets to the remote accounting server for certain times, the NE80E/40E adopts the policy for
the real-time accounting failure. This policy may keep the user online or log the user out.
By default, the number of retransmission times for real-time accounting packets is 3. When the
real-time accounting fails, the NE80E/40E keeps the user online.
Step 8 (Optional) Run:
accounting send-update
The NE80E/40E is configured to send real-time accounting packets immediately after receiving
the accounting start response.
After receiving the accounting response, the NE80E/40E determines whether to send the real-time accounting packet immediately according to the configuration.
By default, the NE80E/40E does not send any real-time accounting packet immediately after
receiving an accounting response.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The commands that have been used on the router are recorded.
Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name
Prerequisite
The configurations of the AAA schemes are complete.
Procedure
- Run the display aaa configuration command to check brief information about AAA.
- Run the display ip pool { global | domain domain-name } command to check the usage of the address pool.
----End
Example
Run the display aaa configuration command. If brief information about AAA is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Domain                 : total:  255    used: 2
Authentication-scheme  : total:   16    used: 2
Authorization-scheme   : total:   16    used: 2
Accounting-scheme      : total:  128    used: 2
Recording-scheme       : total:  128    used: 0
AAA-access-user        : total:  384    used: 0
Access-user-state      : authen: 0      author: 0      accounting: 0
---------------------------------------------------------------------------
Run the display accounting-scheme command. If information about the accounting scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display accounting-scheme scheme0
---------------------------------------------------------------------------
Accounting-scheme-name              : scheme0
Accounting-method                   : RADIUS accounting
Realtime-accounting-switch          : Open
Realtime-accounting-interval(min)   : 5
Start-accounting-fail-policy        : Cut user
Realtime-accounting-fail-policy     : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------------------
Run the display recording-scheme command. If information about the recording scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display recording-scheme scheme0
---------------------------------------------------------------------------
Recording-scheme-name    : scheme0
HWTACACAS-template-name  : template0
---------------------------------------------------------------------------
Run the display ip pool global command. If brief information about usage of the address pool is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip pool global
---------------------------------------------------------------------------
Pool-number  Pool-start-addr  Pool-end-addr  Pool-length  Used-addr-number
---------------------------------------------------------------------------
2            10.1.1.1         10.1.1.10      10           0
---------------------------------------------------------------------------
Total pool number: 1
Context
NOTE
The access-side RADIUS server cannot be configured on the X1 or X2 models of the NE80E/40E.
Applicable Environment
When the RADIUS protocol is used for implementing AAA, you need to configure a RADIUS
server.
The NE80E/40E uses RADIUS server groups to manage RADIUS servers. A RADIUS server
group is a set of RADIUS servers that have the same attributes (except IP addresses and port
numbers) and work in either primary/secondary or load balancing mode.
NOTE
- There are default values for all RADIUS configurations. You can configure RADIUS as required.
- The RADIUS server group can be modified or deleted regardless of whether it is in use. Modifying or deleting a RADIUS server group does not affect existing users.
Pre-configuration Tasks
None.
Data Preparation
To configure a RADIUS server, you need the following data.
- (Optional) Response timeout period for the RADIUS server and number of retransmission times for RADIUS packets
- (Optional) Option of carrying the CAR value in the Class attribute of RADIUS packets
- (Optional) Number of extended source ports of the RADIUS server and number of the start extended source port
Context
You can create up to 128 RADIUS server groups on the router.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
After the RADIUS server group is created, the system displays the RADIUS server group view.
If a RADIUS server group already exists, you can enter the RADIUS server group view directly.
----End
Context
To configure RADIUS authentication and accounting servers, you need to set the following
parameters:
- VPN instance to which the authentication and accounting servers belong (public being the default value for the VPN instance)
- Port numbers of the authentication and accounting servers (1812 and 1813 by default)
- Weights of the authentication and accounting servers (applicable only to the load balancing mode with the default value being 0)
NOTE
The RADIUS authentication and accounting servers can use the same IP address. This means that a server
can function as both an authentication server and an accounting server.
Procedure
Step 1 Run:
system-view
Context
When multiple authentication or accounting servers are configured in the RADIUS server group,
you can configure the algorithm for selecting the RADIUS servers. The algorithm of selecting
the RADIUS server can be load balancing or master/backup.
- Load balancing: The NE80E/40E allocates the load according to the weight of each server.
- Master/backup: The first configured server functions as the master server, and the others function as slave servers.
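The two selection algorithms as an added Python example, not code from the Huawei document or the router software. The server addresses and weights, the reachability flag, and the deterministic walk over weight slots that stands in for the router's internal scheduler are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class RadiusServer:
    address: str
    port: int = 1812   # default authentication port named in the document
    weight: int = 0    # default weight 0; only used in load-balancing mode
    up: bool = True    # whether the server is currently reachable (assumed input)


def select_master_backup(group, request_no=0):
    """Master/backup: the first configured server serves every request while it is
    reachable; later servers take over in configuration order. request_no is ignored."""
    for server in group:
        if server.up:
            return server
    return None


def select_load_balancing(group, request_no):
    """Load balancing: request number request_no goes to a reachable server so that
    each server's share of requests is proportional to its weight. The walk over
    weight slots is the example's deterministic stand-in for the router's scheduler."""
    live = [server for server in group if server.up]
    if not live:
        return None
    weights = [server.weight for server in live]
    if sum(weights) == 0:        # every weight left at the default 0: share equally
        weights = [1] * len(live)
    slot = request_no % sum(weights)
    for server, weight in zip(live, weights):
        if slot < weight:
            return server
        slot -= weight
    return None  # not reached: the slot walk always lands inside some server's range


def distribution(group, select, requests):
    """Count how many of `requests` consecutive requests each server receives."""
    counts = Counter()
    for request_no in range(requests):
        chosen = select(group, request_no)
        counts[chosen.address if chosen else None] += 1
    return dict(counts)
```

With weights 3 and 1, eight requests split 6:2 under load balancing, while master/backup sends all eight to the first configured server; marking the first server unreachable moves all traffic to the second under both algorithms.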
Procedure
Step 1 Run:
system-view
Context
The negotiated parameters specify the conventions of the RADIUS protocol and message format
used for communication between the RADIUS server and the NE80E/40E. The negotiated
parameters are as follows:
- Key
  The key is used to encrypt user passwords and generate the response authenticator. The RADIUS server encrypts the user password into an authentication packet by using the MD5 algorithm before sending the packet. This ensures the security of authentication data over the network.
  The key on the NE80E/40E must be the same as that on the RADIUS server so that both parties of the authentication identify each other. The key is case sensitive.
- Traffic unit
  The traffic units used by different RADIUS servers may be different. The NE80E/40E supports four traffic units, byte, Kbyte, Mbyte, and Gbyte, to meet the requirements of various RADIUS servers.
- Retransmission parameters
  After sending a packet to the RADIUS server, if no response is returned within the specified time, the NE80E/40E resends the packet. In this manner, authentication or accounting information will not be lost due to temporary congestion on the network.
  Retransmission parameters of the RADIUS server include the timeout period and the number of retransmission times.
Procedure
Step 1 Run:
system-view
The format of the user name contained in the RADIUS packets is configured.
By default, the user name on the RADIUS server contains the domain name.
Step 6 Run:
radius-server traffic-unit { byte | gbyte | kbyte | mbyte }
The ID format of the circuit through which RADIUS packets are transmitted to the upstream
device is set.
By default, the packets that inform the upstream device of the link ID are in the cn format.
Step 10 Run:
radius-server calling-station-id include option82
Context
This function is configured for a RADIUS server group and takes effect on only the RADIUS
servers in this group. You can disable up to 64 attributes in a RADIUS server group.
You can disable the RADIUS attributes of both the sender and receiver on the NE80E/40E.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
RADIUS servers from various vendors support different RADIUS attributes, and the vendors
also define RADIUS attributes in different manners. This makes interconnection between the
NE80E/40E and RADIUS servers more difficult.
To address this problem, the NE80E/40E provides the attribute translation function. After the attribute translation function is configured, the NE80E/40E can encapsulate or parse src-attribute by using the format of dest-attribute when transmitting or receiving RADIUS packets. By doing this, the NE80E/40E can communicate with different types of RADIUS servers.
This function is usually applied when one attribute has multiple formats. For example, the nas-port-id attribute has a new format and an old format. The NE80E/40E uses the new format. If the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the NE80E/40E. Do as follows on the router:
Procedure
Step 1 Run:
system-view
Or, run:
radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * }
----End
Context
The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in
cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore,
the NE80E/40E supports configuration of the tunnel password delivery mode so that the NE80E/
40E can communicate with various types of RADIUS servers.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The mode in which the RADIUS server delivers the tunnel password is configured.
By default, the NE80E/40E requires the RADIUS server to deliver the tunnel password in cipher
text.
----End
Context
As specified in the standard RADIUS protocol, the Class attribute carried in an access accept
packet sent from the RADIUS server to the client must be returned to the accounting server
without any change in an accounting request packet.
The NE80E/40E extends the standard RADIUS protocol by adding the CAR value to the Class
attribute (RADIUS attribute 25).
Do as follows on the router:
Procedure
Step 1 Run:
system-view
To meet the requirements of various RADIUS servers, the NE80E/40E can use the RADIUS attribute 25
or RADIUS attribute 26 to send the CAR value to the RADIUS server. The preceding commands configure
how to use the RADIUS attribute 25 to send the CAR value to the RADIUS server.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The format of the NAS-Port attribute and format of the NAS-Port-Id attribute are configured.
NOTE
When configuring the format of the NAS-Port-Id attribute, note the following:
- If the vendor ID is 2352, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format defined by Redback.
- If the vendor ID is 2636, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format defined by Juniper.
- If the vendor ID is 9, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format defined by Cisco.
- For other vendors, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the original format.
----End
Context
On the NE80E/40E, you can configure the interface that connects to a RADIUS server as the
source interface of the RADIUS server. On the NE80E/40E, you can configure the source
interface in the system view or in the view of a RADIUS server group. Thus, the RADIUS servers
in the RADIUS server group use this source interface to interact with the NE80E/40E. If the
source interface of the RADIUS server group is not configured, the RADIUS servers use the
global source interface.
Procedure
- Configure the global source interface of all RADIUS servers in all RADIUS server groups.
  1. Run:
     system-view
  2. Run:
     radius-server source interface interface-type interface-number
- Configure the source interface of the RADIUS servers in a RADIUS server group.
  1. Run:
     system-view
  2. Run:
     radius-server group group-name
  3. Run:
     radius-server source interface interface-type interface-number
Context
You need to configure a RADIUS authorization server for a dynamic service so that the RADIUS
server can dynamically authorize a user when the user uses the dynamic service.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
To retain the RADIUS authorization response packet to respond to the retransmitted packets
from the RADIUS authorization server, you need to set the period of retaining the authorization
response when configuring the RADIUS authorization server.
----End
Context
The configuration is valid for all RADIUS servers.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The parameters used to determine the status of the RADIUS server are set.
By default, the router considers that the RADIUS server is abnormal when the RADIUS server fails to respond to 10 consecutive packets sent from the router within 5 seconds. The router waits for 3 minutes before restoring the status of the RADIUS server.
If the NE80E/40E does not receive any response packets after sending RADIUS packets for the
number of times configured in this command, and the interval between the first packet and the
last packet (specified by dead-count) that the RADIUS server fails to respond to is longer than
dead-interval, the NE80E/40E determines that the RADIUS server works abnormally and
changes the status of the RADIUS server to Down.
After setting the status of the RADIUS server to Down, the NE80E/40E waits for a certain period
configured in this command before setting the status of the RADIUS server to Up. At the same
time, the NE80E/40E attempts to reestablish a connection with the RADIUS server. If the
connection cannot be established, the NE80E/40E sets the status of the RADIUS server to Down
again.
----End
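A model of the status tracking described in the preceding procedure, as an added Python example that is not code from the Huawei document or the router software. Its defaults are the values the text gives (10 unanswered packets, a 5-second dead-interval, a 3-minute wait before the server is set Up again); treating the first exchange after the wait as the probe that decides whether the server goes Down again is the example's own interpretation of "attempts to reestablish a connection".

```python
class RadiusServerMonitor:
    """Tracks one RADIUS server's Up/Down status from the outcome of each packet."""

    UP, DOWN = "Up", "Down"

    def __init__(self, dead_count=10, dead_interval=5.0, dead_time=180.0):
        self.dead_count = dead_count        # consecutive unanswered packets required
        self.dead_interval = dead_interval  # seconds the unanswered run must exceed
        self.dead_time = dead_time          # seconds to wait before setting Up again
        self._state = self.UP
        self._fails = 0
        self._first_fail = None
        self._down_since = None
        self._probing = False  # just restored: the next exchange decides (example's interpretation)

    def status(self, now):
        """Apply the recovery timer, then report the current state."""
        if self._state == self.DOWN and now - self._down_since >= self.dead_time:
            self._state = self.UP
            self._probing = True
            self._fails = 0
            self._first_fail = None
        return self._state

    def _mark_down(self, now):
        self._state = self.DOWN
        self._down_since = now
        self._probing = False
        self._fails = 0
        self._first_fail = None
        return self._state

    def on_no_response(self, now):
        """A packet (after its own retransmissions) went unanswered at time `now`."""
        if self.status(now) == self.DOWN:
            return self.DOWN  # already Down: nothing more to count
        if self._probing:
            return self._mark_down(now)  # connection could not be re-established: Down again
        if self._fails == 0:
            self._first_fail = now
        self._fails += 1
        # Both conditions from the text: enough consecutive misses, spanning more than dead-interval.
        if self._fails >= self.dead_count and now - self._first_fail > self.dead_interval:
            return self._mark_down(now)
        return self.UP

    def on_response(self, now):
        """Any answer clears the failure window and leaves the server Up."""
        self.status(now)
        self._state = self.UP
        self._probing = False
        self._fails = 0
        self._first_fail = None
        return self._state


def replay(events, **params):
    """events: iterable of (time, 'ok' | 'timeout'); returns the state after each event."""
    monitor = RadiusServerMonitor(**params)
    trace = []
    for when, outcome in events:
        if outcome == "ok":
            trace.append(monitor.on_response(when))
        else:
            trace.append(monitor.on_no_response(when))
    return trace
```

With dead-count 3 and dead-interval 5 seconds, four misses inside 3 seconds leave the server Up (the run is long enough in count but not in time), a fourth miss at 6 seconds takes it Down, one answer in the middle of a run resets the window, and after the dead-time the next miss sends it straight back Down while an answer confirms recovery.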
Context
After you configure the extended source interfaces of the RADIUS server, the NE80E/40E
increases the number of packets sent to the RADIUS server in a certain period of time.
After the configuration, the NE80E/40E sends RADIUS packets by using the extended source
interfaces. The former half of extended source interfaces are used to send and receive RADIUS
authentication packets, and the latter half of extended source interfaces are used to send and
receive RADIUS accounting packets. If an odd number of extended source interfaces is configured, the authentication interfaces outnumber the accounting interfaces by one.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
If you do not specify the start interface number when configuring the extended source interfaces, the system
assigns a configured number of valid extended source interfaces.
----End
Prerequisite
All the configurations of the RADIUS server are complete.
Procedure
- Run the display radius-server configuration [ group groupname ] command to check the configuration of the RADIUS server group.
- Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } [ attribute-number ] } ] or display radius-attribute [ attribute-name ] command to check the RADIUS attributes supported by the system.
l Run the display radius-client configuration command to check the configuration of all
RADIUS clients.
----End
Example
Run the display radius-server authorization configuration command, and you can view the
configuration of the RADIUS authorization server.
<HUAWEI> display radius-server authorization configuration
-----------------------------------------------------------------------------
IP-Address         Secret-key   Group   Ack-r   Reserved-interval
-----------------------------------------------------------------------------
192.168.7.100      huawei       rd1     20
Vpn : -
-----------------------------------------------------------------------------
1 Radius authorization server(s) in total
Run the display radius-server configuration command, and you can view the configuration
of the RADIUS server group.
<HUAWEI> display radius-server configuration
Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei |
microsoft | redback | standard } [ attribute-number ] } ] command, and you can view the
RADIUS attributes supported by the NE80E/40E of the current version.
<HUAWEI> display radius-attribute type standard 1
Radius Attribute Type        : 1
Radius Attribute Name        : User-Name
Radius Attribute Description : This Attribute indicates the name of the user to be authenticated.
Supported Packets            : Auth Request, Acct Request, Session Control, COA Request, COA Ack
Run the display radius-client configuration command, and you can view the configuration of
all the RADIUS clients.
<HUAWEI> display radius-client configuration
-------------------------------------------------------------------------
IP-Address         Secret-key   Group
-------------------------------------------------------------------------
172.194.0.10       huawei       sim3
172.194.0.20       huawei       sim3
7.0.200.10         huawei       sim3
1.1.1.1            1            xzn
Vpn : dsg
-------------------------------------------------------------------------
4 Radius client(s) in total
Run the display radius offline-sub-reason [ subcode subcode-number ] command to check the
user offline causes mapped to the numbers carried in the Accounting Stop packets sent to the
RADIUS server.
<HUAWEI> display radius offline-sub-reason subcode 1
------------------------------------------------------------------------------
Subcode   description of offline sub reason
------------------------------------------------------------------------------
1         User request to offline
------------------------------------------------------------------------------
Context
NOTE
The access-side HWTACACS server cannot be configured on the X1 or X2 models of the NE80E/40E.
Applicable Environment
When the HWTACACS protocol is used for implementing AAA, you need to configure an
HWTACACS server.
Pre-configuration Tasks
None.
Data Preparation
To configure an HWTACACS server, you need the following data.
No.   Data
10    (Optional) Time for the primary HWTACACS server to restore to the active state
Context
Up to 128 HWTACACS server templates can be configured on the NE80E/40E.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
An HWTACACS server template is created and the HWTACACS server template view is
displayed.
If the HWTACACS server template already exists, this command directly displays the
HWTACACS server template view.
----End
Context
Do as follows on the router:
Procedure
l Configure the HWTACACS authentication server.
1. Run:
system-view
2. Run:
hwtacacs-server template template-name
3. Run:
hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]
4. Run:
hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
l Configure the HWTACACS authorization server.
1. Run:
system-view
2. Run:
hwtacacs-server template template-name
3. Run:
hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]
4. Run:
hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
l Configure the HWTACACS accounting server.
1. Run:
system-view
2. Run:
hwtacacs-server template template-name
3. Run:
hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ]
4. Run:
hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
The negotiated parameters specify the conventions of the HWTACACS protocol and message
format used for communication between the HWTACACS server and the NE80E/40E. The
negotiated parameters are as follows:
l Key
The key improves security of communication between the NE80E/40E and the
HWTACACS server.
The key on the NE80E/40E must be the same as that on the HWTACACS server so that
both parties of the authentication identify each other.
The key is case sensitive.
l Traffic unit
The NE80E/40E supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet
requirements of various HWTACACS servers.
Procedure
l Configure the shared key of the HWTACACS server.
1. Run:
system-view
2. Run:
hwtacacs-server template template-name
3. Run:
hwtacacs-server shared-key key-string
To guarantee the validity of the authenticator and the authenticated, the router and the
HWTACACS server must be set with the same key.
l (Optional) Configure the user name format for the HWTACACS server.
1. Run:
system-view
2. Run:
hwtacacs-server template template-name
3. Run:
hwtacacs-server user-name domain-included
When the HWTACACS server does not identify a user name that contains the
domain name, you can configure the router to remove the domain name from the user
name before sending the user name to the HWTACACS server.
l (Optional) Configure the traffic unit of the HWTACACS server.
1. Run:
system-view
2. Run:
hwtacacs-server template template-name
3. Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
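What the shared key configured above actually does on the wire. HWTACACS is Huawei's derivative of TACACS+, and the body obfuscation below is the standard TACACS+ construction from RFC 8907 section 4.5. This is an added example for this page, not Huawei code, and it does not claim to reproduce any Huawei-specific extension; the session id, key and body are constructed test values.

```python
"""TACACS+ packet body obfuscation with the shared key (RFC 8907 section 4.5).

Added example, not Huawei code. Header fields are sent in the clear; the body is XORed
with a pseudo-pad derived from the session id, the shared key, the version and the
sequence number, so a receiver with a different key (or the same key in a different
case) recovers garbage.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
HEADER = struct.Struct("!BBBB4sI")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same fields, MD5_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, key: bytes, session_id: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR against the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, key: bytes, session_id: bytes, seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN, version: int = TAC_PLUS_VERSION) -> bytes:
    """Sender side: clear-text header followed by the obfuscated body."""
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(body, key, session_id, version, seq_no)


def open_packet(packet: bytes, key: bytes) -> bytes:
    """Receiver side: read the header, then de-obfuscate the body with the local key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    return xor_body(body, key, session_id, version, seq_no)
```

The pad only hides the body; it is not an integrity check. A packet built with a different key, or with the key in the wrong case, decodes to bytes that the receiver rejects only when the body fails to parse, so a key mismatch between the NE80E/40E and the HWTACACS server shows up as failed or timed-out authentication rather than an explicit key error. The key itself never travels on the wire, which is why both sides must be configured with it independently.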
Context
If the NE80E/40E sends a packet to the HWTACACS server but does not receive any response
within the specified time, the NE80E/40E considers the connection broken. The specified time
is the response timeout period of the HWTACACS server.
NOTE
HWTACACS is implemented based on TCP; therefore, the server response timeout or TCP timeout may
cause disconnection of the NE80E/40E from the HWTACACS server.
If the NE80E/40E determines that its connection with the primary HWTACACS server is
broken, the NE80E/40E waits for a period of time, and then re-connects to the primary server.
The specified time is the time for the primary HWTACACS server to restore to the active state.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The time for the primary HWTACACS server to restore to the active state is set.
By default, the time for the primary HWTACACS server to restore to the active state is 5 minutes.
----End
Context
If HWTACACS accounting is used, the NE80E/40E generates an accounting stop packet after
a user logs out and then sends the packet to the HWTACACS server. If the connectivity of the
network is less than satisfactory, you can enable retransmission of accounting stop packets to
prevent the loss of accounting information.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the router:
Procedure
Step 1 Run:
hwtacacs-user change-password hwtacacs-server template-name
l Users can successfully log in to the device only when they pass HWTACACS authentication and also
the HWTACACS server template has been configured.
l Users can modify passwords only when the user names and passwords saved on the HWTACACS
server are still applicable.
l When the users with expired passwords log in to the device, the HWTACACS server returns an
authentication failure packet and these users cannot modify their passwords.
----End
Prerequisite
All the configurations of the server template are complete.
Procedure
l Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
command to check information about the accounting stop packets on the HWTACACS server.
----End
Example
Run the display hwtacacs-server template command, and you can view information about the
HWTACACS server.
<HUAWEI> display hwtacacs-server template
------------------------------------------------------------
HWTACACS-server template name   : 123
Primary-authentication-server   : 0.0.0.0:0:-
Primary-authorization-server    : 0.0.0.0:0:-
Primary-accounting-server       : 0.0.0.0:0:-
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server  : 0.0.0.0:0:-
Secondary-accounting-server     : 0.0.0.0:0:-
Current-authentication-server   : 0.0.0.0:0:-
Current-authorization-server    : 0.0.0.0:0:-
Current-accounting-server       : 0.0.0.0:0:-
Source-IP-address               : 0.0.0.0
Shared-key                      :
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
------------------------------------------------------------
HWTACACS-server template name   : test1
Primary-authentication-server   : 1.1.11.1:49:vpna
Primary-authorization-server    : 0.0.0.0:0:-
Primary-accounting-server       : 1.1.1.1:49:vpna
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server  : 1.1.1.1:12:vpna
Secondary-accounting-server     : 0.0.0.0:0:-
Current-authentication-server   : 1.1.11.1:49:vpna
Current-authorization-server    : 1.1.1.1:12:vpna
Current-accounting-server       : 1.1.1.1:49:vpna
Source-IP-address               : 1.1.1.1
Shared-key                      :
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
------------------------------------------------------------
Total 2,2 printed
Context
Applicable Environment
The accounting information on the NE80E/40E is a backup of the accounting information on
the remote server. When an error occurs on the remote server, the CDRs are stored on the NE80E/
40E. In this manner, the accounting information will not be lost.
After bill saving is configured on the local device, the NE80E/40E saves the generated CDRs
to the cache first. Then, the cached CDRs are saved to either the CF card or the bill server by
using TFTP. The CDRs saved in the CF card can also be backed up to the bill server.
On the NE80E/40E, you can create or delete local CDR pools by using commands. Bill saving
can be configured on the local device only after a local CDR pool is created. If the local CDR
pool does not exist, this function does not take effect, and CDRs will not be backed up.
Pre-configuration Tasks
None.
Data Preparation
To configure bill saving on the local device, you need the following data.
l (Optional) Alarm thresholds for CDRs in the CF card and the cache
l (Optional) Intervals for automatic backup of CDRs in the CF card and the cache
Context
You can create or delete local CDR pools by running commands on the NE80E/40E. The local
CDRs can be saved only after a local CDR pool is created. When the local CDR pool is deleted,
the local CDRs in the pool are also deleted. Therefore, back up the local CDRs before deleting
the local CDR pool.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
The cached bills can be backed up to the CF card or the bill server by using TFTP, or not backed
up.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
NOTE
By default, the cached bills are automatically backed up to the CF card. Due to limited capacity of the CF
card, you must back up the bills in the CF card to the bill server.
Procedure
l Configure the bill server.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
bill-server ip-address filename file-name
You need to use TFTP to log in to the NE80E/40E, which functions as a bill server, to back up
bills. Hence, you must run the TFTP server program and specify a working directory on the
NE80E/40E.
l Set the alarm threshold for the bills in the CF card.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
local-bill cfcard alarm-threshold threshold
l
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
l Back up the bills in the CF card to the bill server manually.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
local-bill cfcard backup [ file-name ]
The bills in the CF card are backed up to the bill server manually.
l Clear the bills in the CF card.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
local-bill cfcard reset
1.5.5 (Optional) Backing up the Bills in the Cache to the Bill Server
The capacities of the cache and the CF card are small; therefore, it is recommended that you
back up bills in the cache to the bill server.
Context
You need to use TFTP to log in to the NE80E/40E, which functions as a bill server, to back up
bills. Hence, you must run the TFTP server program and specify a working directory on the
NE80E/40E.
Do as follows on the router:
Procedure
l Configure the bill server.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
bill-server ip-address filename file-name
l Set the alarm threshold for the bills in the cache.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
local-bill cache alarm-threshold threshold
l Set the interval for automatically backing up the bills in the cache.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
local-bill cache backup-interval interval
By default, the bills in the cache are backed up at intervals of 1440 minutes.
l Back up the bills in the cache manually.
1. Run:
system-view
2. Run:
local-aaa-server
3. Run:
local-bill cache backup
Procedure
l Run the display local-bill { cache start-no count | configuration | information } command
to check the configuration of bill saving.
----End
Example
Run the display local-bill { cache start-no count | configuration | information } command,
and you can view the configuration of bill saving.
<HUAWEI> display local-bill cache 0 2
Contents of Bill 1:
--------------------------------------------------------------
Bill-No    : 1
Session-Id : NE80E/40E-1007002000000100ee7075000024
User-name  : user1@huawei
Start-Time : 2007/11/24 18:04:42
Stop-Time  : 2007/11/24 18:06:17
Elapse     : 0:01:35
IP-Addr    : 192.168.7.186
MAC        : 0016-ecb7-a879
IPv6-Addr  : ::
Auth-Type  : PPP
Access-Type: PPPoE
Port-No    : 1/0/2
VLAN       : 100
Status     : 2(offline)
Code       : 6, Ref: 98
Acc Data before Tariff Switch, 1 Priority :
  0 : User-received: Bytes=0, Pkts=0    User-sent: Bytes=0, Pkts=0
Acc Data after Tariff Switch, 1 Priority :
  0 : User-received: Bytes=0, Pkts=0    User-sent: Bytes=0, Pkts=0
--------------------------------------------------------------
Total printed 1 bills from cache.
Context
Applicable Environment
You need to configure a domain to perform AAA management on access users.
Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
l Configuring a RADIUS server group if RADIUS authentication and accounting are adopted
Data Preparation
To configure a domain, you need the following data.
l Domain name
l (Optional) Maximum number of access users and maximum connection setup rate
NOTE
User attributes of the domain include the user priority, user group, idle-cut parameter, time-specific QoS
guarantee, QoS profile, queue profile, VAS policy, policy-based routing, multicast parameter, and
maximum re-authentication time period. These attributes are valid for only the users that newly go online.
The online users have to go online again to make these attributes valid.
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
If a primary or secondary DNS server is also configured in an address pool, the DNS server configured
in the address pool takes precedence over the DNS server configured by using this command.
Context
The IPv4 address pool for a domain can be a local or remote address pool.
A maximum of 1024 IPv4 address pools can be specified for a domain, and one IPv4 address
pool can be used for multiple domains. The IPv4 address pools configured for a domain can be
moved. The range in which the IPv4 address pool can be moved is associated with the number
of address pools configured in the domain. For example, if 10 address pools are configured in
the domain, the address pool can move in the range between 1 and 10.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
To guarantee the processing capability of the NE80E/40E, you can limit the total number of
access users for a domain. If the number of users reaches the limit, additional access users are
denied.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
To guarantee the processing capability of the NE80E/40E, you can limit the maximum number
of sessions for an account. If the number of sessions reaches the limit, additional access users
are denied.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
NOTE
Additional functions for a domain cannot be configured on the X1 or X2 models of the NE80E/40E.
l Forced portal
Forced portal means that when a user accesses the Internet for the first time after passing
the authentication, the NE80E/40E forcibly redirects the user's access request to a certain
server, which is usually the portal server of a carrier. In this manner, the user needs to accept
a service at the carrier's portal immediately after accessing the Internet.
l Time-based control
Time-based control means that a domain is automatically blocked in a specified period.
During this period, the users of this domain cannot access the NE80E/40E and the online
users are disconnected. After the period, the domain is reactivated automatically, and the
domain users are allowed to log in again.
l Idle cut
When the traffic volume of a user stays below a threshold for a period, the NE80E/40E
considers the user idle and disconnects the user. To use the idle cut function, you need to
set the idle time and the traffic threshold.
The idle cut function configured for a domain takes only the basic traffic of a user into
account. Multicast traffic and VAS traffic that is not configured with the summary feature
are not part of the basic traffic, so they are not counted when the NE80E/40E decides
whether the user is idle.
l Policy-based routing
In packet forwarding, the NE80E/40E normally determines the forwarding egress according
to the destination addresses of the packets. With the policy-based routing function, the
NE80E/40E instead determines the forwarding egress according to the address specified in
the user domain.
l Traffic statistics
The traffic statistics function collects the total traffic of a domain and the upstream and
downstream traffic of users.
l Re-authentication timeout
The re-authentication timeout applies to Layer 3 pre-authentication users. If a Layer 3
pre-authentication user does not pass the authentication within the maximum
re-authentication time, the NE80E/40E disconnects this user.
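The idle cut rule from the list above, evaluated over per-interval traffic samples, including the caveat that only basic traffic counts. This is an added example for this page, not Huawei code; the sampling interval, the units (seconds and bytes) and the sample session at the bottom are constructed assumptions, chosen so that a user who is only receiving a multicast stream and unsummarised VAS traffic is still cut.

```python
"""Idle-cut evaluation over per-interval traffic samples (added example, not Huawei code).

A user is cut once the basic traffic has stayed below flow_threshold for idle_time
seconds in a row. Multicast traffic and VAS traffic without the summary feature are
not basic traffic and are ignored. Samples are assumed to be aligned to `interval`.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Sample:
    t: int        # start of the sampling interval, seconds since the user went online
    nbytes: int   # bytes seen in that interval
    kind: str     # "basic", "multicast", or "vas" (VAS without the summary feature)


def idle_cut_time(samples: Iterable[Sample], idle_time: int, flow_threshold: int,
                  interval: int = 60, basic_only: bool = True) -> Optional[int]:
    """Return the second at which the idle cut fires, or None if the user stays online.

    basic_only=False counts every kind of traffic; it exists only to show why the
    document's caveat matters, not as a supported mode of the router.
    """
    samples = list(samples)
    if not samples:
        return None
    counted = {}
    for s in samples:
        if basic_only and s.kind != "basic":
            continue                                  # multicast / VAS: not basic traffic
        counted[s.t] = counted.get(s.t, 0) + s.nbytes
    end = max(s.t for s in samples) + interval
    low_for = 0                                       # consecutive seconds below threshold
    for t in range(0, end, interval):
        if counted.get(t, 0) < flow_threshold:
            low_for += interval
            if low_for >= idle_time:
                return t + interval                   # cut at the end of this interval
        else:
            low_for = 0
    return None


# Constructed session: a burst of basic traffic, then only multicast/VAS traffic.
SESSION = [
    Sample(0, 5000, "basic"),
    Sample(60, 100, "basic"),
    Sample(120, 90000, "multicast"),   # IPTV stream: not basic traffic
    Sample(180, 200, "basic"),
    Sample(240, 50000, "vas"),         # VAS traffic without the summary feature
    Sample(300, 0, "basic"),
    Sample(360, 10, "basic"),
    Sample(420, 0, "basic"),
]
```

With idle_time of 300 seconds and a 1024-byte threshold the constructed user is cut at second 360 even though tens of kilobytes of multicast and VAS traffic flowed in between; counting all traffic kinds would keep the user online. That is the operational consequence of the caveat: an IPTV-only subscriber needs either the summary feature on the VAS traffic or a threshold and idle time chosen with that traffic in mind.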
Procedure
Step 1 Run:
system-view
The function of collecting the statistics about the total traffic is enabled.
By default, the function of collecting the total traffic statistics is disabled.
Step 10 Run:
flow-statistic { down | up }
The function of collecting the upstream or downstream traffic statistics of the domain users is
enabled.
By default, the function of collecting the upstream and downstream traffic statistics of the domain
users is enabled.
Step 11 Run:
accounting-copy radius-server radius-name
The policy used for online users when the quota is used up is configured.
By default, the NE80E/40E disconnects a user when the user's quota is used up.
If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to
the RADIUS server to apply for a new quota when the user's quota is used up. If the RADIUS
server responds with a zero quota, the user is redirected based on the configured quota-out
redirect url url-string command.
If you want a user to be directly redirected when its quota is used up, you must first set the
RADIUS protocol type to standard and configure the quota-out redirect url url-string command.
Step 14 Run:
radius-no-response lease-time time
The extended lease in case of no response from the RADIUS server is set for DHCP users.
By default, DHCP users will be logged out if there is no response from the RADIUS server.
----End
Context
Procedure
Step 1 Run:
system-view
Prerequisite
All the configurations of the domain are complete.
Procedure
Step 1 Run the display domain [ domain-name ] command to check the configuration of the domain.
----End
Example
Run the display domain command, and you can view the summaries of configurations of all
the domains.
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name      State    CAR  Access-limit  Online  BODNum  RptVSMNum
------------------------------------------------------------------------------
default0         Active   0    279552        0       0       0
default1         Active   0    279552        0       0       0
default_admin    Active   0    279552        0       0       0
default          Active   0    279552        0       0       0
isp1             Active   0    279552        0       0       0
------------------------------------------------------------------------------
Total 5,5 printed
<HUAWEI> display domain default
------------------------------------------------------------------------------
Domain-name                     : default
Domain-state                    : Active
Authentication-scheme-name      : default1
Accounting-scheme-name          : default1
Authorization-scheme-name       :
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Web-server-URL-parameter        : No
Portal-server-URL-parameter     : No
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
User-group-name                 :
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count               : 0
Report-VSM-User-Count           : 0
Value-added-service             :
User-access-limit               : 279552
Online-number                   : 0
Web-IP-address                  :
Web-URL                         :
Portal-server-IP                :
Portal-URL                      :
Portal-force-times              : 2
PPPoE-user-URL                  : Disable
IPUser-ReAuth-Time(second)      : 300
mscg-name-portal-key            :
Portal-user-first-url-key       :
Ancp auto qos adapt             : Disable
Service-type                    : STB
RADIUS-server-template          :
Two-acct-template               :
HWTACACS-server-template        :
Bill Flow                       : Disable
Tunnel-acct-2867                : Disabled
Qos-profile-name inbound        : -
Qos-profile-name outbound       :
Flow Statistic:
Flow-Statistic-Up               : Yes
Flow-Statistic-Down             : Yes
Source-IP-route                 : Disable
IP-warning-threshold            :
Multicast Forwarding            : Yes
Multicast Virtual               : No
Max-multilist num               : 4
Multicast-profile               :
Quota-out                       : Offline
Context
CAUTION
Statistics cannot be restored after you clear them. Exercise caution when running the command.
Procedure
----End
Context
NOTE
Examples in this document use interface numbers and link types of the NE40E-X8. In real world situations,
interface numbers and link types may be different from those used in this document.
Networking Requirements
As shown in Figure 1-1, the users access the network through Router A and the users belong to
the domain named huawei. Router B functions as the access server for the destination network.
To access the destination network, the users have to traverse the network where Router A and
Router B reside and pass remote authentication of the access server. After that, the users can
access the network through Router B. Remote authentication is implemented on Router B
as follows:
l The RADIUS server performs authentication and accounting for access users.
Figure 1-1 Networking diagram of performing authentication and accounting for users by using
RADIUS (users in domain huawei reach Router A, traverse the network to Router B and then the
destination network; the RADIUS servers are 129.7.66.66/24 and 129.7.66.67/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Apply the RADIUS server group, authentication scheme, and accounting scheme on Router
B to the domain.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[HUAWEI] radius-server group shiva
# Configure the IP addresses and port numbers of the primary RADIUS authentication and
accounting servers.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.66 1812
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.66 1813
# Configure the IP addresses and port numbers of the secondary RADIUS authentication
and accounting servers.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.67 1812
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.67 1813
# Set the key and the number of retransmission attempts for the RADIUS server.
[HUAWEI-radius-shiva] radius-server shared-key it-is-my-secret
[HUAWEI-radius-shiva] radius-server retransmit 2
[HUAWEI-radius-shiva] quit
# Configure authentication scheme 1 and accounting scheme 1 with the mode RADIUS, as in the
configuration file at the end of this example.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme 1
[HUAWEI-aaa-authen-1] authentication-mode radius
[HUAWEI-aaa-authen-1] quit
[HUAWEI-aaa] accounting-scheme 1
[HUAWEI-aaa-accounting-1] accounting-mode radius
[HUAWEI-aaa-accounting-1] quit
Step 2 Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva in the domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme 1
[HUAWEI-aaa-domain-huawei] accounting-scheme 1
[HUAWEI-aaa-domain-huawei] radius-server group shiva
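What the key set with radius-server shared-key is used for between the NE80E/40E and the servers configured above. This is an added example for this page, not Huawei code: it implements the RFC 2865/2866 constructions (User-Password hiding, the Accounting-Request authenticator and the Response Authenticator) in plain Python. The secret is the one used in this example; the identifier, request authenticator, user name and password are constructed test values.

```python
"""RADIUS shared-secret mechanics, RFC 2865/2866 (added example, not Huawei code).

The secret hides User-Password, signs Accounting-Request packets, and signs every server
reply so the client can reject replies built with a different secret.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HDR = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-byte Authenticator follows


def attr(attr_type, value):
    """One Type-Length-Value attribute; Length includes the 2 header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet):
    attrs, i, out = packet[20:], 0, {}
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        out[t] = attrs[i + 2:i + l]
        i += l
    return out


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _packet(code, identifier, authenticator, attrs):
    return HDR.pack(code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client side. The Request Authenticator must be unpredictable; it is returned for the reply check."""
    ra = os.urandom(16) if request_auth is None else request_auth
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, ra))
    return _packet(ACCESS_REQUEST, identifier, ra, attrs), ra


def build_accounting_request(identifier, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)."""
    head = HDR.pack(ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return _packet(ACCOUNTING_REQUEST, identifier, auth, attrs)


def verify_accounting_request(packet, secret):
    """Server side: an accounting record is trusted only if it was signed with the same secret."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HDR.pack(code, identifier, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    return _packet(code, identifier, response_authenticator(code, identifier, attrs, request_auth, secret), attrs)


def verify_response(packet, request_auth, secret, identifier=None):
    """Client side: reject replies that do not match our outstanding request and our secret."""
    if len(packet) < 20:
        return False
    code, ident, length = HDR.unpack(packet[:4])
    if length != len(packet) or (identifier is not None and ident != identifier):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A reply that fails verify_response is silently discarded by a conforming client, so a key mismatch between the NE80E/40E and the server looks exactly like a server that never answers: the retransmit count and the dead-server timers described earlier in this chapter fire, and no explicit authentication error appears. When a freshly configured server shows as Down, check the shared key before the network path.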
Run the display radius-server configuration command on the router, and you can view the
configuration of the RADIUS server group. The four configured authentication and accounting
servers are all in the UP state, and the group parameters are displayed as follows:
Protocol-version              : radius
Shared-secret-key             : it-is-my-secret
Retransmission                : 2
Timeout-interval(s)           : 5
Acct-Stop-Packet Resend       : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit                  : B
ClassAsCar                    : NO
User-name-format              : Domain-included
Option82 parse mode           :
Attribute-translation         : NO
Packet send algorithm         : Master-Backup
Tunnel password               : cipher
Note that this command, like display hwtacacs-server template, prints the shared key in clear
text. Restrict who may run display commands on the router and treat saved or pasted command
output as sensitive.
Run the display domain domain-name command on the router, and you can view the
configurations of the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : 1
Accounting-scheme-name          : 1
Authorization-scheme-name       :
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
User-group-name                 :
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count               : 0
Report-VSM-User-Count           : 0
Value-added-service             : COPS
User-access-limit               : 279552
Online-number                   : 0
Web-IP-address                  :
Web-URL                         :
Portal-server-IP                :
Portal-URL                      :
Portal-force-times              : 2
PPPoE-user-URL                  : Disable
IPUser-ReAuth-Time(second)      : 300
Ancp auto qos adapt             : Disable
Service-type                    : STB
RADIUS-server-template          : shiva
Two-acct-template               :
HWTACACS-server-template        :
Bill Flow                       : Disable
Tunnel-acct-2867                : Disabled
Flow Statistic:
Flow-Statistic-Up               : Yes
Flow-Statistic-Down             : Yes
Source-IP-route                 : Disable
IP-warning-threshold            :
Multicast Forwarding            : Yes
Multicast Virtual               : No
Max-multilist num               : 4
Multicast-profile               :
Quota-out                       : Offline
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
radius-server group shiva
radius-server authentication 129.7.66.66 1812 weight 0
radius-server authentication 129.7.66.67 1812 weight 0
radius-server accounting 129.7.66.66 1813 weight 0
radius-server accounting 129.7.66.67 1813 weight 0
radius-server shared-key it-is-my-secret
radius-server retransmit 2
#
return
Networking Requirements
As shown in Figure 1-2, users belong to the domain huawei and access the network through
Router A. Router B functions as the access server of the destination network. If users need to
access the destination network, they should first traverse the network between Router A and
Router B and then access the destination network through Router B after they pass remote
authentication. In such a case, you can configure the authentication mode on Router B as follows:
l To upgrade the level of an access user, HWTACACS authentication is used first. If the
HWTACACS server does not respond, the local authentication is performed.
The HWTACACS server at 129.7.66.66/24 functions as the primary server and its default
authentication port number, authorization port number, and accounting port number are all
49. The HWTACACS server at 129.7.66.67/24 functions as the secondary server and its
default authentication port number, authorization port number, and accounting port number
are all 49.
Figure 1-2 Networking diagram (users in domain huawei reach Router A, traverse the network to
Router B and then the destination network; the HWTACACS servers are 129.7.66.66/24 and
129.7.66.67/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an HWTACACS server template.
# Create an HWTACACS server template named ht.
[RouterA] hwtacacs-server template ht
# Configure the IP addresses and port numbers of the primary HWTACACS authentication,
authorization, and accounting servers.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP addresses and port numbers of the secondary HWTACACS authentication,
authorization, and accounting servers, and set the shared key, as in the configuration file at
the end of this example.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[RouterA-hwtacacs-ht] quit
Step 2 Configure the authentication, authorization, and accounting schemes.
# Configure an authentication scheme named l-h with the authentication mode being local
hwtacacs. To upgrade the user level, configure the authentication mode as hwtacacs super.
[RouterA] aaa
[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit
# Configure an authorization scheme named hwtacacs with the authorization mode being
HWTACACS.
[RouterA-aaa] authorization-scheme hwtacacs
[RouterA-aaa-author-hwtacacs] authorization-mode hwtacacs
[RouterA-aaa-author-hwtacacs] quit
# Configure an accounting scheme named hwtacacs with the accounting mode being
HWTACACS.
[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[RouterA-aaa-accounting-hwtacacs] quit
Step 3 Create a domain named huawei and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and HWTACACS server template ht to the domain
huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht
Current-accounting-server       : 129.7.66.66:49
Source-IP-address               : 0.0.0.0
Shared-key                      : it-is-my-secret
Quiet-interval (min)            : 5
Response-timeout-Interval (sec) : 5
Domain-included                 : Yes
Traffic-unit                    : B
--------------------------------------------------------------------------
Run the display domain command on the router, and you can view information about the
domain.
<HUAWEI>display domain huawei
----End
Configuration Files
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66 49
hwtacacs-server authentication 129.7.66.67 49 secondary
hwtacacs-server authorization 129.7.66.66 49
hwtacacs-server authorization 129.7.66.67 49 secondary
hwtacacs-server accounting 129.7.66.66 49
hwtacacs-server accounting 129.7.66.67 49 secondary
hwtacacs-server shared-key it-is-my-secret
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-super hwtacacs super
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
return
Networking Requirements
As shown in Figure 1-3, CE1 and CE2 both belong to VPN-A. The VPN target attribute used by
VPN-A is 111:1. On the public network, the administrator logs in to PE2 through the console
port or through a PC, another router, or a Telnet client. After the administrator is
authorized, the administrator manages PE2, and the system events and records of administrator
operations on PE2 are sent to the TACACS server. The TACACS server is deployed on the
VPN. Thus, PE2 needs to forward HWTACACS packets based on VPN instances.
l The TACACS server 160.1.1.100/24 is the primary server, with authentication port 49,
authorization port 49, and accounting port 49. The TACACS server 160.1.1.101/24 is the
secondary server, with authentication port 49, authorization port 49, and accounting port
49 by default.
Figure 1-3 (image not preserved; labels: CE1 in AS65410/VPNA, PE1, P, PE2 in backbone AS100, CE2 in AS65430/VPNA, main and backup TACACS servers, Administrator)

Device                 Interface   IP address
CE1                    GE1/0/1     10.1.1.2/24
PE1                    Loopback1   1.1.1.9/32
                       GE2/0/0     10.1.1.1/24
                       GE1/0/0     100.1.1.1/24
P                      Loopback1   3.3.3.9/32
                       GE1/0/0     100.1.1.2/24
                       GE2/0/0     200.1.1.1/24
PE2                    Loopback1   2.2.2.9/32
                       GE2/0/0     10.2.1.2/24
                       GE1/0/0     200.1.1.2/24
CE2                    GE1/0/0     10.2.1.1/24
                       GE1/0/1     160.1.1.1/24
Main TACACS server     -           160.1.1.100/24
Backup TACACS server   -           160.1.1.101/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Apply the HWTACACS server template, the authentication scheme, and the authorization
scheme.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure BGP MPLS IP VPN
Configure the IGP protocol on the network to enable the communication between PE and P on
the backbone network and to advertise the IP address of CE.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitEthernet1/0/0
[PE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 3.3.3.9 32
[P-LoopBack1] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 200.1.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip address 200.1.1.2 24
[PE2-GigabitEthernet1/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[CE1-GigabitEthernet1/0/1] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ip address 160.1.1.1 24
[CE2-GigabitEthernet1/0/1] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 160.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit
After the configuration, OSPF neighbor relationships should be set up between PE1, P, and PE2.
Run the display ospf peer command, and you can view that the neighbor relationship is Full.
Run the display ip routing-table command, and you can view that PEs learn the routes to the
Loopback1 interfaces on their peers.
Take the display of PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost    Flags NextHop         Interface

1.1.1.9/32          Direct  0    0         D   127.0.0.1       InLoopBack0
2.2.2.9/32          OSPF    10   3125      D   100.1.1.2       GigabitEthernet1/0/0
3.3.3.9/32          OSPF    10   1563      D   100.1.1.2       GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0         D   127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0         D   127.0.0.1       InLoopBack0
100.1.1.0/24        Direct  0    0         D   100.1.1.1       GigabitEthernet1/0/0
100.1.1.1/32        Direct  0    0         D   127.0.0.1       InLoopBack0
100.1.1.2/32        Direct  0    0         D   100.1.1.2       GigabitEthernet1/0/0
200.1.1.0/24        OSPF    10   3124      D   100.1.1.2       GigabitEthernet1/0/0
[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 100.1.1.1(GigabitEthernet1/0/0)'s neighbors
Router ID: 3.3.3.9
Address: 100.1.1.2
GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 1500
Dead timer due in 38 sec
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]
Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
# Configure P.
[P] mpls lsr-id 3.3.3.9
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
After the configuration, LDP sessions should be set up between PE1 and P, and between P and
PE2. Run the display mpls ldp session command, and you can view that the Status field displays
Operational. Run the display mpls ldp lsp command, and you can view whether LDP LSPs
are set up.
Take the display of PE1 as an example:
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 -------------------------------------------------------------------------
 Peer-ID            Status       LAM  SsnRole  SsnAge      KA-Sent/Rcv
 -------------------------------------------------------------------------
 3.3.3.9:0          Operational  DU   Passive  000:00:01   7/7
 -------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
 LAM : Label Advertisement Mode
 SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
 LDP LSP Information
 -----------------------------------------------------------------
 SN  DestAddress/Mask   In/OutLabel  Next-Hop    In/Out-Interface
 -----------------------------------------------------------------
 1   1.1.1.9/32         3/NULL       127.0.0.1   GigabitEthernet1/0/0/InLoop0
 2   2.2.2.9/32         NULL/1027    100.1.1.2   -------/GigabitEthernet1/0/0
 3   3.3.3.9/32         NULL/3       100.1.1.2   -------/GigabitEthernet1/0/0
 -----------------------------------------------------------------
 TOTAL: 3 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit
After the configuration, run the display ip vpn-instance verbose command on PEs, and you
can view the configurations of VPN instances. Each PE can ping its connected CE.
NOTE
When a PE has multiple interfaces bound to the same VPN, you must specify the source IP address
(the -a source-ip-address parameter) when running the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping may fail.
Ping output from the PE to its connected CE (command line not preserved): five replies with ttl=255 and time=56 ms, 4 ms, 4 ms, 52 ms, 3 ms.
Set up EBGP peer relationship between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct
NOTE
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
NOTE
After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE, and
you can view that the BGP peer relationship between the PE and the connected CE is in the
Established state.
Take the peer relationship between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer        V     AS  MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  10.1.1.2    4  65410       11        9     0  00:06:37   Established        1
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
a PE, and you can view that the BGP peer relationship between PEs is in the Established state.
[PE1] display bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1
  Peer        V     AS  MsgRcvd
  2.2.2.9     4    100        2
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2
  Peer        V     AS  MsgRcvd  MsgSent
  2.2.2.9     4    100       12       18
 Peer of vpn instance:
  vpn instance vpna :
  10.1.1.2    4  65410       25       25
 Up/Down 00:17:57   State Established   (other columns of this display not preserved)
# Configure the IP address and ports of the primary HWTACACS authentication, authorization,
and accounting servers, and bind the VPN instance vpna to these servers.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna
Step 3 Configure the authentication scheme, the authorization scheme, and the accounting scheme.
# Enter the AAA view.
[PE2] aaa
# Configure an authentication scheme named l-h with the authentication mode HWTACACS.
[PE2-aaa] authentication-scheme l-h
[PE2-aaa-authen-l-h] authentication-mode hwtacacs
[PE2-aaa-authen-l-h] quit
Step 4 Configure the huawei domain. Use the l-h authentication scheme, the HWTACACS
authorization scheme, the HWTACACS accounting scheme, and the ht HWTACACS template
in the domain.
[PE2-aaa] domain huawei
[PE2-aaa-domain-huawei] authentication-scheme l-h
[PE2-aaa-domain-huawei] authorization-scheme hwtacacs
[PE2-aaa-domain-huawei] hwtacacs-server ht
[PE2-aaa-domain-huawei] quit
[PE2-aaa] quit
After running the display domain command on the router, you can check whether the
configuration of the domain matches the requirements.
<PE2> display domain huawei
 ------------------------------------------------------------------
 Domain-name                     : huawei
 Domain-state                    : Active
 Authentication-scheme-name      : l-h
 Accounting-scheme-name          : default
 Authorization-scheme-name       : hwtacacs
 User-CAR                        :
 Web-IP-address                  :
 Next-hop                        :
 Primary-DNS-IP-address          :
 Second-DNS-IP-address           :
 Primary-NBNS-IP-address         :
 Second-NBNS-IP-address          :
 Acl-number                      :
 Idle-data-attribute (time,flow) : 0, 60
 User-priority                   :
 User-access-limit               : 384
 Online-number                   : 0
 RADIUS-server-template          :
 HWTACACS-server-template        : ht
 -------------------------------------------------------------------
----End
Configuration Files
l Configuration file of P
#
sysname P
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
l Configuration file of PE2
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
hwtacacs-server ht
#
ospf 1
area 0.0.0.0
network 200.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
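The following script is an added example and not Huawei's code. It parses the hwtacacs-server template and aaa sections of a configuration file like the two shown in this section and reports a domain whose schemes or template are missing, a template without a shared key or without a secondary server for each service, and (for the PE2 case) servers that are not bound to the expected vpn-instance. Both configuration strings are constructed from the lines shown above; the PE2 one is as incomplete as this page's copy of it, which is exactly what the checker flags.

```python
"""Added example, not Huawei's code: consistency checks for the AAA part of a
VRP-style configuration file such as the two shown in this section."""
import re
from typing import List, Optional

SERVICES = ("authentication", "authorization", "accounting")
SERVER_RE = re.compile(r"hwtacacs-server (authentication|authorization|accounting) "
                       r"(\S+) (\d+)(?: vpn-instance (\S+))?( secondary)?$")

# Constructed sample: RouterA's configuration file above, default schemes omitted.
ROUTERA_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66 49
 hwtacacs-server authentication 129.7.66.67 49 secondary
 hwtacacs-server authorization 129.7.66.66 49
 hwtacacs-server authorization 129.7.66.67 49 secondary
 hwtacacs-server accounting 129.7.66.66 49
 hwtacacs-server accounting 129.7.66.67 49 secondary
 hwtacacs-server shared-key it-is-my-secret
#
aaa
 authentication-scheme l-h
 authorization-scheme hwtacacs
 accounting-scheme hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
#
return
"""
# Constructed sample: PE2's configuration as far as this page preserves it
# (primary servers bound to vpna; no secondary servers, accounting or shared key).
PE2_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
 hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna
#
aaa
 authentication-scheme l-h
 authorization-scheme hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return
"""


def parse(config: str) -> dict:
    """Indentation-independent parse of HWTACACS templates, schemes and domains."""
    cfg = {"templates": {}, "schemes": {s: set() for s in SERVICES}, "domains": {}}
    section = tpl = domain = None
    for raw in config.splitlines():
        words = raw.split()
        line = " ".join(words)
        if line.startswith("hwtacacs-server template "):
            section, tpl = "template", {s: [] for s in SERVICES}
            tpl["shared_key"] = None
            cfg["templates"][words[2]] = tpl
        elif line == "aaa":
            section, domain = "aaa", None
        elif section == "template" and SERVER_RE.match(line):
            svc, ip, port, vpn, secondary = SERVER_RE.match(line).groups()
            tpl[svc].append({"ip": ip, "port": int(port), "vpn": vpn, "secondary": bool(secondary)})
        elif section == "template" and line.startswith("hwtacacs-server shared-key "):
            tpl["shared_key"] = words[2]
        elif section == "aaa" and words[:1] == ["domain"]:
            domain = cfg["domains"].setdefault(words[1], {})
        elif section == "aaa" and len(words) == 2 and words[0].endswith("-scheme"):
            svc = words[0][:-len("-scheme")]
            if domain is None:
                cfg["schemes"][svc].add(words[1])   # scheme definition under aaa
            else:
                domain[svc] = words[1]              # scheme applied to the domain
        elif section == "aaa" and domain is not None and words[:1] == ["hwtacacs-server"]:
            domain["template"] = words[1]
    return cfg


def check_domain(cfg: dict, domain: str, vpn: Optional[str] = None) -> List[str]:
    """Findings for one domain; pass vpn= when the servers sit inside a VPN instance."""
    d = cfg["domains"].get(domain)
    if d is None:
        return ["domain %s: not defined" % domain]
    out = []
    for svc in SERVICES:
        if svc not in d:
            out.append("domain %s: no %s-scheme applied, default %s scheme used" % (domain, svc, svc))
        elif d[svc] not in cfg["schemes"][svc]:
            out.append("domain %s: %s-scheme %s is not defined" % (domain, svc, d[svc]))
    name = d.get("template")
    tpl = cfg["templates"].get(name)
    if tpl is None:
        return out + ["domain %s: HWTACACS template %s is not defined" % (domain, name)]
    if not tpl["shared_key"]:
        out.append("template %s: no shared-key configured" % name)
    for svc in SERVICES:
        for role in (False, True):      # a primary and a secondary server per service
            if not any(s["secondary"] == role for s in tpl[svc]):
                out.append("template %s: no %s %s server" % (name, "secondary" if role else "primary", svc))
        for s in tpl[svc]:
            if vpn and s["vpn"] != vpn:
                out.append("template %s: %s server %s not bound to vpn-instance %s" % (name, svc, s["ip"], vpn))
    return out
```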
2 DHCPv4 Configuration
Context
NOTE
Applicable Environment
On a large network, if the PCs cannot be directly connected to the routing device by using
Ethernet interfaces but have to be connected to the routing device through other devices, a
network-side DHCPv4 server needs to be configured so that the PCs can dynamically obtain IP
addresses from the routing device, as shown in Figure 2-1.
Figure 2-1 IP address assignment for Ethernet users (without any relay agent in the networking)
(image not preserved; labels: NetBIOS server, DNS server, DHCP server, DHCP clients)
A network-side DHCPv4 server usually works with a DHCPv4 relay agent, as shown in Figure
2-2.
Figure 2-2 IP address assignment for Ethernet users (with a relay agent in the networking)
(image not preserved; labels: DNS server, NetBIOS server, RouterA as DHCP relay, RouterB as DHCP server, DHCP clients)
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
A BAS-side address pool needs to be configured to assign IP addresses to access users. If the
NE80E/40E needs to allocate IP addresses to users, you must configure a local address pool on
the NE80E/40E, as shown in Figure 2-3; if a DHCPv4 or BOOTP server needs to allocate IP
addresses to users, you must configure a remote address pool on the NE80E/40E, as shown in
Figure 2-4.
Figure 2-3 Networking diagram for address assignment from the local address pool
(image not preserved; labels: DNS Server, Internet, subscriber@isp1, Switch, DHCP Server)
Figure 2-4 Networking diagram for address assignment from the remote address pool
(image not preserved; labels: DHCP Server, Access Network, subscriber@isp2, Internet, DHCP Relay)
Pre-configuration Tasks
Before configuring an IP address pool, complete the following task:
l
If two remote address pools are bound to the same DHCP server but the configuration of the DHCP
server is not consistent with both remote address pools, one of the remote address pools becomes invalid.
Therefore, ensure that the configuration of the DHCP server is consistent with both address pools, or bind
each remote address pool to a separate DHCP server.
Data Preparation
To configure an IP address pool, you need the following data.
No.  Data
1    Number of address segments and start and end addresses of each address segment
2    (Optional) Address lease of the address pool, IP address lease extension, and VPN instance
3    (Optional) IP addresses and the MAC addresses that need to be bound statically
4    (Optional) IP address of the DNS server, DNS suffix, IP address of the NetBIOS server, and IP address of the SIP server
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Context
NOTE
The access-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
Up to eight address segments can be configured in an address pool. An address segment contains
at most 65536 IP addresses. The address segments cannot overlap each other.
Step 5 (Optional) Run:
lease days [ hours [ minutes ] ]
The alarm threshold for the address usage of an address pool is set. If the address usage exceeds
the threshold, an alarm is generated on the router.
By default, the alarm threshold for the address usage of an address pool is set to 100.
----End
Context
NOTE
Based on the clients' needs, you can adopt either static address binding or dynamic address
assignment.
When dynamic address assignment is used, a range of IP addresses to be assigned needs to be
specified; when static address binding is used, it can be considered to be a special DHCPv4
address pool with only one address.
Do as follows on the router that functions as a DHCPv4 server:
Procedure
Step 1 Run:
system-view
Follow-up Procedure
Some clients may need fixed IP addresses that are bound to their MAC addresses. When the
client with a specific MAC address uses DHCPv4 to apply for an IP address, the DHCPv4 server
finds out the fixed IP address bound to the MAC address and assigns it to the client.
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Do as follows on the DHCPv4 server that provides DNS services for the DHCPv4 clients:
Procedure
Step 1 Run:
system-view
This command is valid for only the local address pool and server address pool.
Step 4 Run:
dns-server ip-address &<1-8>
Follow-up Procedure
On the DHCPv4 server, designate a DNS suffix for each address pool used to assign IP addresses
to clients.
When a host accesses the Internet by using the DNS suffix, the DNS server resolves the DNS
suffix into an IP address. Therefore, to ensure that the client successfully accesses the Internet,
the DHCPv4 server also needs to specify the DNS server address for the client when it assigns
IP addresses.
To improve network reliability, you can configure several DNS servers.
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Do as follows on the router that provides NetBIOS services for the DHCPv4 clients:
Procedure
Step 1 Run:
system-view
Follow-up Procedure
For clients running a Microsoft operating system, a Windows Internet Naming Service (WINS)
server resolves host names to IP addresses for hosts that commun­icate using the NetBIOS
protocol. Most Windows clients need to be configured with a WINS server.
When a DHCPv4 client communicates in a WAN by adopting the NetBIOS protocol, a mapping
between the host name and the IP address should be set up. The following lists the types of
NetBIOS nodes for obtaining mappings:
l Type b nodes (b-node): "b" stands for broadcast. That is, type b nodes obtain the mapping
relationship by means of broadcast.
l Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes owning the
"peer-to-peer" communicating mechanism.
l Type m nodes (m-node): "m" stands for mixed. Type m nodes are the type p nodes owning
part of the broadcasting features.
l Type p nodes (p-node): "p" stands for peer-to-peer. That is, type p nodes obtain the mapping
by communicating with NetBIOS servers.
Context
NOTE
Do as follows on the router that provides SIP services for the DHCPv4 clients:
Procedure
Step 1 Run:
system-view
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
string }
Follow-up Procedure
The Option field in DHCPv4 packets carries control information and parameters that are not
defined in common protocols. If the DHCPv4 server is configured with an Option, the DHCPv4
client obtains the configuration information saved in the Option field of DHCPv4 response
packets.
You need to add the options to the attribute list of the DHCPv4 servers. For example,
l To configure the Option 129 field to represent "huawei", use the option 129 string
huawei command.
NOTE
The values of common options, such as those for the DNS server or the lease, are fixed. The common
option codes include 3, 6, 15, 44, 46, 50 to 54, and 57 to 59. When you try to re-set such a value, the
system prompts that re-setting the value is not allowed.
The option command enables DHCPv4 response packets to carry specific options.
Before using this command, you need to know the function of each option. Option 77 identifies client types
or applications of DHCPv4 clients. Based on User Class in the Option field, the DHCPv4 server selects a
proper address pool and configuration parameters. Option 77 is commonly configured on the client.
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
[ server ]
Or run:
recycle start-ip-address [ end-ip-address ]
Prerequisite
All configurations of the IP address pool are complete.
Procedure
l
Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ipaddress ] ] | all | used ] ] [ vpn-instance instance-name ] command to check the
configuration of the IP address pool.
----End
Example
Run the display ip pool command, and you can view information about all the address pools
configured in the system.
<HUAWEI> display ip pool
 ----------------------------------------------------------------------
 Pool-Name      : test
 Pool-No        : 1
 Position       : Local
 Status         : Unlocked
 Gateway        : 89.0.0.1
 Mask           : 255.0.0.0
 Vpn instance   : -
 ----------------------------------------------------------------------
 Pool-Name      : test1
 Pool-No        : 6
 Position       : Local
 Status         : Unlocked
 Gateway        : 40.50.60.1
 Mask           : 255.255.255.0
 Vpn instance   : -
 IP address pool Statistic
   Local      : 2
   Remote     : 0
   Relay      : 0
 IP address Statistic
   Total      : 51695
   Used       : 0
   Free       : 51695
   Conflicted : 0
   Disable    : 0

(output of a per-pool display, command line not preserved)
 DNS1           : 10.10.10.1
 Position       : Local
 Status         : Unlocked
 Gateway        : 10.10.10.2
 Mask           : 255.255.255.0
 Vpn instance   : -
 Profile-Name   :
 Server-Name    :
 Codes: CFLCT(conflicted)
 -------------------------------------------------------------------------------------
 ID  start        end           total  used  idle  CFLCT  disable  reserved  static-bind
 -------------------------------------------------------------------------------------
 0   10.10.10.3   10.10.10.100     98     0    98      0        0         0            0
 -------------------------------------------------------------------------------------
Context
NOTE
Applicable Environment
The NE80E/40E can be used as a DHCPv4 server to assign IP addresses to users. A remote
DHCPv4 server can also be used with the NE80E/40E functioning as a DHCPv4 relay agent to
assign IP addresses to users.
When IP addresses are allocated by a remote DHCPv4 server, as shown in Figure 2-4, you need
to configure the IP address of the remote DHCPv4 server on the NE80E/40E. This allows the
NE80E/40E to communicate with the DHCPv4 server. The NE80E/40E manages DHCPv4
servers by using DHCPv4 server groups.
NOTE
A DHCPv4 server group is required only when the remote address pool is used to assign IP addresses to
BAS-side users.
Pre-configuration Tasks
None.
Data Preparation
To configure a DHCPv4 server group, you need the following data.
No.  Data
1    IP addresses, VPN instances, and weights of the primary and secondary DHCPv4 servers
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
A DHCPv4 server group is created and the DHCPv4 server group view is displayed.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] [ weight weight-value ]
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of the DHCPv4 server groups are complete.
Procedure
l Run the display dhcp-server group [ group-name ] command to check the configuration
of the DHCPv4 server group.
----End
Example
Run the display dhcp-server group command, and you can view information about all DHCPv4
server groups.
<HUAWEI> display dhcp-server group
 Group-Name        : remote
 Release-Agent     : Support
 Primary-Server    :
   Vpn instance    : -
   Weight          : 0
   Status          :
 Secondary-Server  :
   Vpn instance    : -
   Weight          : 0
   Status          :
 Algorithm         : master-backup
 Source            : -
 Giaddr            : -
 Group-Name        : g1
 Release-Agent     : Support
 Primary-Server    :
   Vpn instance    : -
   Weight          : 0
   Status          :
 Secondary-Server  :
   Vpn instance    : -
   Weight          : 0
   Status          :
 Algorithm         : master-backup
 Source            : -
 Giaddr            : -
 2 DHCP server group(s) in total
Applicable Environment
If no DHCPv4 server is configured on the local network, the DHCPv4 relay function can be
enabled on other devices on the same network segment. Thus, the DHCPv4 request from the
client can be forwarded to the DHCPv4 server by the configured relay agent, as shown in Figure
2-2.
NOTE
There should be no more than four relay agents between the DHCPv4 server and client; otherwise,
DHCPv4 packets are discarded.
Pre-configuration Tasks
Before configuring DHCPv4 relay, complete the following tasks:
l Configuring the routes from the relay agent to the DHCPv4 server
Data Preparation
To configure DHCPv4 relay, you need the following data.
No.
Data
Context
When a client and a DHCPv4 server reside on different network segments, you can configure
an interface to function as the DHCPv4 relay agent and the DHCPv4 server address to be relayed
to. In this manner, the DHCPv4 relay agent can relay the request packet sent from the client to
the DHCPv4 server, and then the client can be assigned an IP address.
You can configure relay in the interface view or system view.
NOTE
Because the DHCPv4 client may send broadcast packets during DHCPv4 configuration, the interface where
DHCPv4 relay is enabled must be able to transmit broadcast packets. The IP address of the interface must
be on the same network segment with the IP addresses in the address pool on the DHCPv4 server. Up to
20 DHCPv4 server addresses can be configured on an interface that relays packets to the DHCPv4 servers.
Procedure
l 1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ip address ip-address { mask | mask-length }
     The primary IP address of the interface is configured.
  4. Run:
     dhcp select relay
     DHCPv4 relay is enabled on the interface.
  5. Run:
     ip relay address ip-address [ dhcp-option { 60 [ option-text ] | code } ]
     The IP address of the DHCPv4 server for which the interface functions as the relay
     agent is configured.
  6. Run:
     ip relay giaddr ip-address [ dhcp-option { 60 [ option-text ] | code } ]
     The DHCP option is associated with the IP address of the relay agent. This allows the
     DHCP server to assign the IP addresses on different network segments to the clients
     of different types.
l 1. Run:
     system-view
     The system view is displayed.
  2. Run:
     ip relay address ip-address { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] |
     interface interface-type interface-number | vlan vlan-id }
     The IP addresses of the DHCPv4 servers for which multiple interfaces function as the
     relay agent are configured.
----End
Prerequisite
All configurations of the DHCPv4 relay are complete.
Procedure
l Run the display dhcp relay statistics command to check statistics on DHCPv4 relay.
l Run the display dhcp relay address { all | interface interface-type interface-number |
vlan vlan-id } command to check the DHCPv4 configuration of the interface enabled with
DHCPv4 relay.
----End
Example
Run the display dhcp relay address command, and you can view the DHCPv4 configurations
of all interfaces.
<HUAWEI> display dhcp relay address all
 ** GigabitEthernet0/0/0 DHCP Relay Address **
 Dhcp Option    Relay Agent IP    Server IP
 *                                10.10.1.2
 ** GigabitEthernet2/0/0 DHCP Relay Address **
 Dhcp Option    Relay Agent IP    Server IP
 *                                10.10.1.2
 ** GigabitEthernet2/0/0.100 DHCP Relay Address **
 Dhcp Option    Relay Agent IP    Server IP
 *                                10.10.1.2
 ** GigabitEthernet2/0/1 DHCP Relay Address **
 Dhcp Option    Relay Agent IP    Server IP
 *                                10.10.1.2
Run the display dhcp relay statistics command. If statistics on DHCPv4 relay, such as the
number of incorrect DHCPv4 packets and the number of various DHCPv4 packets, are displayed,
it means that the configuration succeeds.
<HUAWEI> display dhcp relay statistics
 Bad Packets received:                        0
 DHCPv4 packets received from clients:        2
   DHCPv4 DISCOVER packets received:          1
   DHCPv4 REQUEST packets received:           1
   DHCPv4 INFORM packets received:            0
   DHCPv4 DECLINE packets received:           0
 DHCPv4 packets received from servers:        2
   DHCPv4 OFFER packets received:             1
   DHCPv4 ACK packets received:               1
   DHCPv4 NAK packets received:               0
 DHCPv4 packets sent to servers:              1
Applicable Environment
After configuring a DHCPv4 server, you need to configure the security function of the DHCPv4
service. This enhances security of the DHCPv4 service and prevents other unauthorized
DHCPv4 servers from assigning invalid IP addresses to clients. By viewing logs, the
administrator determines whether there are unauthorized DHCPv4 servers assigning invalid IP
addresses to clients.
Pre-configuration Tasks
Before adjusting DHCPv4 parameters, complete the following task:
l
Data Preparation
To adjust DHCPv4 parameters, you need the following data.
No.  Data
1    Maximum number of DHCPv4 users that are allowed to access a specified board
2    Interval at which ping packets are sent and number of ping packets
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The maximum number of DHCPv4 access users allowed for a specified board is set.
By default, the maximum number of DHCPv4 access users allowed for a specified board is
determined by the license file.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packetnumber time
The limit on the packet transmission rate of a DHCPv4 server group is set.
By default, the packet transmission rate of a DHCPv4 server group is not limited.
----End
Context
When a user shuts down the STB and then restarts it immediately, the NE80E/40E cannot detect
that the user goes offline and retains the user entry. When receiving the DHCPv4 Discover packet
that the STB sends after restart, the NE80E/40E forces the user to go offline and waits until the
user sends a DHCPv4 Discover packet to obtain the address through DHCPv4.
Some STBs, however, send only one DHCPv4 Discover packet after they restart. In this case,
the users cannot go online after shutting down their STBs.
You can configure the function of transparently transmitting DHCPv4 packets to solve this
problem. Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
If a private DHCPv4 server exists on the network, clients cannot obtain correct IP addresses and
thus cannot log in to the network because this private DHCPv4 server will interact with the
DHCPv4 clients during address application. Such a private DHCPv4 server is an unauthorized
DHCPv4 server.
The logs contain IP addresses of all the DHCPv4 servers that allocate IP addresses to clients.
By viewing these logs, the administrator can determine whether an unauthorized DHCPv4 server
exists.
Do as follows on the NE80E/40E that functions as a DHCPv4 server:
Procedure
Step 1 Run:
system-view
Step 3 Run:
dhcp invalid-server-detecting [ interval ]
You can perform this function on only the devices at the BAS side.
----End
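The detection above relies on the router logging every server that allocates addresses. The following is an added example, not code from this guide or from the NE80E/40E, showing the same comparison done off-box: it parses DHCPv4 replies (RFC 2131 fixed header, RFC 2132 TLV options), extracts the Server Identifier (option 54), and reports any server that is not on an operator-maintained allowlist. The allowlist, the packets and all addresses are constructed for the example.

```python
"""Rogue DHCPv4 server detection from observed server replies (added example)."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
DHCPDISCOVER, DHCPOFFER, DHCPACK = 1, 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(data: bytes) -> dict:
    """Parse the RFC 2132 option field: skip PAD, stop at END, reject truncation."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> dict:
    """Return op, message type, offered address (yiaddr) and server identifier."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 message")
    op, hlen = payload[0], payload[2]
    opts = parse_options(payload[240:])
    server_id = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "chaddr": payload[28:28 + hlen].hex(":"),
        # option 54 must be exactly 4 bytes; anything else is treated as absent
        "server_id": str(ipaddress.IPv4Address(server_id)) if server_id and len(server_id) == 4 else None,
    }


def find_rogue_servers(payloads, authorized) -> dict:
    """Map each unauthorized server identifier to the addresses it offered or acknowledged.

    Client messages (BOOTREQUEST) are ignored. A reply without a usable
    Server Identifier is reported under "unknown": a server hiding its
    identity is at least as suspicious as one on the wrong address.
    """
    allowed = {str(ipaddress.IPv4Address(a)) for a in authorized}
    rogue = {}
    for payload in payloads:
        msg = parse_dhcp(payload)
        if msg["op"] != BOOTREPLY or msg["msg_type"] not in (DHCPOFFER, DHCPACK):
            continue
        if msg["server_id"] not in allowed:
            rogue.setdefault(msg["server_id"] or "unknown", []).append(msg["yiaddr"])
    return rogue


def build_message(op, msg_type, server_ip=None, yiaddr="0.0.0.0",
                  chaddr=bytes.fromhex("00e0fc000001")) -> bytes:
    """Constructed DHCPv4 message (not captured traffic) for the example."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x2A2A2A2A, 0, 0)  # op..flags, 12 bytes
    fixed += b"\x00" * 4                                            # ciaddr
    fixed += ipaddress.IPv4Address(yiaddr).packed                   # yiaddr
    fixed += b"\x00" * 8                                            # siaddr, giaddr
    fixed += chaddr.ljust(16, b"\x00")                              # chaddr, 16 bytes
    fixed += b"\x00" * 192                                          # sname + file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_ip is not None:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed sample: one authorized server (10.1.1.1) and one rogue (192.168.1.254).
SAMPLE_PAYLOADS = [
    build_message(BOOTREQUEST, DHCPDISCOVER),
    build_message(BOOTREPLY, DHCPOFFER, "10.1.1.1", "10.10.10.5"),
    build_message(BOOTREPLY, DHCPOFFER, "192.168.1.254", "10.10.10.7"),
    build_message(BOOTREPLY, DHCPACK, "10.1.1.1", "10.10.10.5"),
    build_message(BOOTREPLY, DHCPACK, "192.168.1.254", "10.10.10.7"),
]

if __name__ == "__main__":
    print(find_rogue_servers(SAMPLE_PAYLOADS, ["10.1.1.1"]))
    # {'192.168.1.254': ['10.10.10.7', '10.10.10.7']}
```

The parser rejects truncated options rather than silently stopping, because a malformed reply that slips past the check is exactly what a crafted rogue packet would look like; a reply with no Server Identifier is reported rather than ignored for the same reason.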
Context
Before assigning an IP address to a client, the DHCPv4 server needs to detect whether the IP
address is used by another client. This prevents an IP address conflict.
NOTE
Procedure
Step 1 Run:
system-view
The longest time for the DHCPv4 server to wait for a ping response is configured.
Step 3 Run:
dhcp server ping packets number
The maximum number of ping packets sent by the DHCPv4 server is configured.
By default, a maximum of two ping packets are sent and the DHCPv4 server waits for at most
500 ms for a ping response.
----End
Follow-up Procedure
The ping command is used to check whether the IP address to be assigned to a client answers within a specific time. If there is no response after that time, the DHCPv4 server re-sends a ping packet to this IP address until the allowed maximum number of ping packets has been sent. If there is still no response, the DHCPv4 server considers the IP address not in use and assigns it. This reduces the chance of assigning an address that is already in use; it cannot rule it out, because a host that does not answer ICMP echo requests (for example, one with a local firewall) is indistinguishable from a free address.
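The probe logic described above, as an added example that is not router code: up to `max_packets` probes, each waited on for `timeout_ms`, and the address is treated as free only when every probe goes unanswered. The probe is injected as a callable so the example runs offline (a real implementation would send ICMP echo requests); the responder table, addresses and defaults of 2 probes and 500 ms are constructed to match the values quoted above.

```python
"""Address-conflict probing before assignment (added example, not NE80E/40E code)."""
from dataclasses import dataclass


@dataclass
class ProbeResult:
    address: str
    in_use: bool
    probes_sent: int


def probe_address(address, prober, max_packets=2, timeout_ms=500) -> ProbeResult:
    """Probe one address; prober(address, attempt, timeout_ms) returns True if a reply arrived in time."""
    if max_packets < 1 or timeout_ms <= 0:
        raise ValueError("need at least one probe and a positive timeout")
    for attempt in range(1, max_packets + 1):
        if prober(address, attempt, timeout_ms):
            return ProbeResult(address, True, attempt)   # any reply means the address is in use
    return ProbeResult(address, False, max_packets)      # every probe timed out: treated as free


def pick_free_address(candidates, prober, **probe_kwargs):
    """Walk the candidates in pool order; return (first free address or None, addresses found in use)."""
    conflicts = []
    for addr in candidates:
        result = probe_address(addr, prober, **probe_kwargs)
        if result.in_use:
            conflicts.append(addr)   # a real server would record these in its conflict list
        else:
            return addr, conflicts
    return None, conflicts


# Constructed responder behaviour: the probe attempt on which each address
# first answers (None = never answers, i.e. free, or a host that drops ICMP).
REPLIES_ON_ATTEMPT = {
    "10.10.10.3": 1,     # live host, answers the first probe
    "10.10.10.4": 2,     # live host whose first reply was lost
    "10.10.10.5": None,  # genuinely free
    "10.10.10.6": None,  # in use but filtering ICMP: indistinguishable from free
}


def simulated_prober(address, attempt, timeout_ms) -> bool:
    first_reply = REPLIES_ON_ATTEMPT.get(address)
    return first_reply is not None and attempt >= first_reply


POOL = ["10.10.10.3", "10.10.10.4", "10.10.10.5", "10.10.10.6"]

if __name__ == "__main__":
    print(pick_free_address(POOL, simulated_prober))
    # ('10.10.10.5', ['10.10.10.3', '10.10.10.4'])
    print(pick_free_address(POOL, simulated_prober, max_packets=1))
    # ('10.10.10.4', ['10.10.10.3']): one lost reply and an in-use address is handed out
```

With a single probe, one lost reply is enough to assign an address that is already in use, which is why the default is two. The ICMP-filtering host (10.10.10.6) is never detected at any probe count: the check is best-effort, and the conflict file described in the next section is where such collisions surface later.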
Context
Do as follows on the NE80E/40E that functions as a DHCPv4 server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server database enable
Follow-up Procedure
The NE80E/40E can save the current DHCPv4 data to the storage device and restore the data
from the storage device when the NE80E/40E fails.
DHCPv4 data is saved with a fixed file name on the storage device. Normally, the IP leasing
information is saved in the lease.txt file and the address conflict information is saved in the
conflict.txt file. Back up these two files to other directories because information in these files
is replaced regularly.
Context
Do as follows on the NE80E/40E that functions as a DHCPv4 server:
NOTE
Procedure
Step 1 Run:
system-view
Prerequisite
All the configurations for the adjustment of DHCPv4 parameters are complete.
Procedure
l Run the display dhcp server database command to check the storage path and file information of the DHCPv4 data.
----End
Example
Run the display dhcp-server item ip-address command, and you can view information about
a DHCPv4 server.
<HUAWEI> display dhcp-server item 1.2.3.4
  IPAddress   : 1.2.3.4
  State       : UP
  Speed Limit : 0 packets / 0 seconds
Run the display dhcp server database command, and you can view the saved path of the
DHCPv4 data.
<HUAWEI> display dhcp server database
Status: disable
Recover from files after reboot: disable
File saving lease items: cfcard:/dhcp/lease.txt
File saving conflict items: cfcard:/dhcp/conflict.txt
Save Interval: 300 (seconds)
Context
CAUTION
DHCPv4 statistics cannot be restored after you clear them. Exercise caution when running the
commands.
Procedure
l Run the reset dhcp relay statistics command in the user view to clear the DHCPv4 relay statistics.
----End
Prerequisite
In routine maintenance, you can run the following command in any view to check the DHCPv4
operation status.
Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance vpn-instance-name ] command to check the configuration of the IP address pool.
l Run the display dhcp-server group [ group-name ] command to check the configuration of the DHCPv4 server group.
l Run the display dhcp server database command to check the path at which DHCPv4 data is saved and file information.
l Run the display dhcp relay address { all | interface interface-type interface-number | vlan vlan-id } [ | count ] [ | { begin | exclude | include } regular-expression ] command to check configurations about interfaces where DHCPv4 relay is enabled.
----End
Context
NOTE
Examples in this document use interface numbers and link types of the NE40E-X8. In real world situations,
the interface numbers and link types may be different from those used in this document.
In actual networking, the license needs to be loaded. For details, see the HUAWEI NetEngine80E/40E
Router Configuration Guide - System Management.
Networking Requirements
NOTE
As shown in Figure 2-5, it is required that a local address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The local address pool is used to assign IP addresses to users in the domain isp1.
l The IP addresses in the address pool range from 10.10.10.3 to 10.10.10.100, and the gateway address is 10.10.10.2.
Figure 2-5 Networking diagram for address assignment based on the local address pool
(Figure: the NE80E/40E acts as the DHCP server; subscriber@isp1 connects through a switch to GE1/0/0.1; a DNS server at 10.10.10.1; GE2/0/0 (10.1.1.1) faces the Internet.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local address pool, including its gateway address, address range, and the IP address of the DNS server.
2. Configure the domain isp1 to which the users belong, including the authentication mode and the accounting mode.
3.
Data Preparation
To complete the configuration, you need the following data:
Name of the address pool, range of the addresses in the pool, and IP addresses of the gateway
and the DNS server
Procedure
Step 1 Configure the DHCPv4 server.
# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 10.10.10.2 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 10.10.10.3 10.10.10.100
[HUAWEI-ip-pool-pool1] dns-server 10.10.10.1
[HUAWEI-ip-pool-pool1] quit
# Configure the domain isp1.
[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-isp1] authentication-scheme default0
[HUAWEI-aaa-isp1] accounting-scheme default0
[HUAWEI-aaa-isp1] ip-pool pool1
[HUAWEI-aaa-isp1] quit
# Check the address pool with the display ip pool command.
  Status      : Unlocked
  Mask        : 255.255.255.0
  Server-Name : -
  ------------------------------------------------------------------------------------
  ID  start        end            total  used  idle  CFLCT  disable  reserved  staticbind
  ------------------------------------------------------------------------------------
  0   10.10.10.3   10.10.10.100   98     0     98    0      0        0         0
  ------------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of HUAWEI
#
sysname HUAWEI
#
ip pool pool1 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1
#
aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp1
authentication-scheme default0
accounting-scheme default0
ip-pool pool1
#
interface GigabitEthernet1/0/0.1
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
return
Networking Requirements
NOTE
Address assignment based on the remote address pool cannot be configured on the X1 or X2 models of the
NE80E/40E.
As shown in Figure 2-6, it is required that a remote address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The remote address pool is used to assign IP addresses to users in the domain isp2.
l The router, functioning as a relay agent, is connected to the DHCPv4 server through GE 3/0/0 whose IP address is 10.1.1.2/24.
l The IP address of the DHCPv4 server bound to the remote address pool is 10.1.1.1, and no standby DHCPv4 server is deployed.
Figure 2-6 Networking diagram for address assignment based on the remote address pool
(Figure: the router connects to the DHCP server 10.1.1.1 through GE3/0/0 (10.1.1.2/24); subscriber@isp2 reaches GE1/0/0.1 through the access network; GE2/0/0 faces the Internet.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DHCPv4 server group and a remote address pool, and bind the address pool to the DHCPv4 server group.
2. Configure the domain isp2 to which the user belongs, including the authentication mode and the accounting mode.
3.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the interface that connects the router to the DHCPv4 server
Procedure
Step 1 Configure the router.
# Create a DHCPv4 server group.
<HUAWEI> system-view
[HUAWEI] dhcp-server group group1
[HUAWEI-dhcp-server-group-group1] dhcp-server 10.1.1.1
[HUAWEI-dhcp-server-group-group1] quit
# Create a remote address pool, and bind the pool to the DHCPv4 server group.
[HUAWEI] ip pool pool2 bas remote
[HUAWEI-ip-pool-pool2] gateway 10.10.10.1 24
[HUAWEI-ip-pool-pool2] dhcp-server group group1
[HUAWEI-ip-pool-pool2] quit
# Configure the domain isp2.
[HUAWEI] aaa
[HUAWEI-aaa] domain isp2
[HUAWEI-aaa-isp2] authentication-scheme default0
[HUAWEI-aaa-isp2] accounting-scheme default0
[HUAWEI-aaa-isp2] ip-pool pool2
[HUAWEI-aaa-isp2] quit
# Check the DHCPv4 server group and the address pool.
(display dhcp-server group output: group group1, server 10.1.1.1, state up, master-backup)
  Status      : Unlocked
  Mask        : 255.255.255.0
  Server-Name : -
  ------------------------------------------------------------------------------------
  ID  start        end            total  used  idle  CFLCT  disable  reserved  staticbind
  ------------------------------------------------------------------------------------
  0   10.10.10.0   10.10.10.255   256    0     256   0      0        0         0
  ------------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of router
#
sysname HUAWEI
#
dhcp-server group group1
dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
gateway 10.10.10.1 255.255.255.0
dhcp-server group group1
#
aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp2
authentication-scheme default0
accounting-scheme default0
ip-pool pool2
#
interface GigabitEthernet1/0/0.1
undo shutdown
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication isp2
authentication-method bind
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return
Networking Requirements
NOTE
Layer 3 DHCPv4 user access cannot be configured on the X1 or X2 models of the NE80E/40E.
The user belongs to the domain isp4 and accesses Router B through Router A by connecting
to GE 1/0/0 on Router A.
The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
The IP address of the RADIUS server is 10.1.1.2; ports 1812 and 1813 are used for
authentication and accounting respectively; the standard RADIUS protocol is adopted and
the key is hello.
Figure 2-7 Networking diagram for configuring Layer 3 DHCPv4 user access
(Figure: subscriber@isp4 connects through a switch to GE1/0/0 (1.1.1.1) on Router A, which acts as the DHCP relay; Router A connects to Router B, behind which sit the DHCP server (relay address 10.2.1.2) and the RADIUS server 10.1.1.2; Router B faces the Internet.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the address pool, including the IP address of the gateway and the range of IP addresses in the pool.
2.
3. Configure the RADIUS server group, including the IP address of the RADIUS server, authentication port, and accounting port.
4. Configure the domain isp4 to which the user belongs, including the authentication mode and the accounting mode.
5.
Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool, range of IP addresses in the pool, and IP address of the gateway
Procedure
Step 1 Configure Router A.
# Configure GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] ip relay address 10.2.1.2
# Configure the domain isp4: bind the authentication scheme, accounting scheme, and RADIUS server group.
authentication-scheme auth4
accounting-scheme acct4
radius-server group rd4
quit
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
ip relay address 10.2.1.2
dhcp select relay
#
interface GigabitEthernet1/0/1.1
undo shutdown
vlan-type dot1q 1
Networking Requirements
On a large network, if the PCs cannot be directly connected to the routing device using Ethernet
interfaces, but have to be connected to the routing device through other devices, a network-side
DHCPv4 server needs to be configured. This allows the PCs to dynamically obtain IP addresses
from the routing device.
As shown in Figure 2-8, a DHCPv4 server assigns IP addresses to the clients on the same network
segment. The network segment of the address pool, 10.1.1.0/24, includes two subnet segments,
10.1.1.0/25 and 10.1.1.128/25. The IP addresses of the two GE interfaces on the DHCPv4 server
are 10.1.1.1/25 and 10.1.1.129/25.
The lease of the IP addresses on the network segment 10.1.1.0/25 is 10 days and 12 hours; the
domain name suffix of the DNS server is huawei.com; the IP address of the DNS server is
10.1.1.2; there is no NetBIOS address; the IP address of the gateway is 10.1.1.1.
The lease of the IP addresses on the network segment 10.1.1.128/25 is 5 days; the domain name
suffix of the DNS server is huawei.com; the IP address of the DNS server is 10.1.1.2; the
NetBIOS address is 10.1.1.4; the IP address of the gateway is 10.1.1.129.
Figure 2-8 Networking diagram for IP address assignment for Ethernet users (with no relay agent)
(Figure: the DHCP server serves two segments directly: GE1/0/0 10.1.1.1/25 on network 10.1.1.0/25 with the DNS server and DHCP clients, and GE1/0/1 10.1.1.129/25 on network 10.1.1.128/25 with the NetBIOS server and DHCP clients.)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure the address pool, including the IP address of the gateway, range of IP addresses in the pool, domain name suffix of the DNS server, allowed lease of IP addresses, and IP addresses not automatically assigned, which include the IP addresses of the DNS server, NetBIOS server, and gateway.
In this example, it is required that two address pools be configured.
Data Preparation
To complete the configuration, you need the following data:
l Domain name suffix, IP address of the DNS server, and the address lease
Procedure
Step 1 Configure the DHCPv4 server.
# Assign an IP address to GE 1/0/0.
# Configure the attributes of DHCPv4 address pool 1, including the IP addresses of the gateway
and DNS server, range of IP addresses in the pool, domain name suffix of the DNS server, and
address lease.
[HUAWEI] ip pool 1 server
[HUAWEI-ip-pool-1] gateway 10.1.1.1 255.255.255.128
[HUAWEI-ip-pool-1] section 0 10.1.1.2 10.1.1.126
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.2
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.4
[HUAWEI-ip-pool-1] dns-suffix huawei.com
[HUAWEI-ip-pool-1] dns-server 10.1.1.2
[HUAWEI-ip-pool-1] lease 10 12
[HUAWEI-ip-pool-1] quit
# Configure the attributes of DHCPv4 address pool 2, including the range of IP addresses in the
pool, IP addresses of the gateway and NetBIOS, and the address lease.
[HUAWEI] ip pool 2 server
[HUAWEI-ip-pool-2] gateway 10.1.1.129 255.255.255.128
[HUAWEI-ip-pool-2] section 0 10.1.1.130 10.1.1.254
[HUAWEI-ip-pool-2] dns-suffix huawei.com
[HUAWEI-ip-pool-2] dns-server 10.1.1.2
[HUAWEI-ip-pool-2] lease 5
[HUAWEI-ip-pool-2] netbios-name-server 10.1.1.4
[HUAWEI-ip-pool-2] quit
(display ip pool summary: Server : 2, Free : 152, Disable : 0)
----End
Configuration Files
Configuration file of the HUAWEI
#
sysname HUAWEI
#
ip pool 1 server
gateway 10.1.1.1 255.255.255.128
section 0 10.1.1.2 10.1.1.126
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
dns-server 10.1.1.2
dns-suffix huawei.com
lease 10 12
#
ip pool 2 server
gateway 10.1.1.129 255.255.255.128
section 0 10.1.1.130 10.1.1.254
dns-server 10.1.1.2
dns-suffix huawei.com
netbios-name-server 10.1.1.4
lease 5
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.129 255.255.255.128
#
return
Networking Requirements
A network-side DHCPv4 server usually works with a DHCPv4 relay agent. As shown in Figure
2-9, DHCPv4 clients reside on the network segment 10.100.0.0/16; the DHCPv4 server resides
on the network segment 202.40.0.0/16. It is required that the DHCPv4 packet be relayed through
the device enabled with the DHCPv4 relay function. In this manner, the DHCPv4 client can
apply for an IP address from the DHCPv4 server.
The DHCPv4 server must be configured with a network-side IP address pool. The IP address of
the DNS server is 10.100.1.2/16; the IP address of the NetBIOS server is 10.100.1.3/16; the IP
address of the gateway is 10.100.1.1; there is a route from the DHCPv4 server to 10.100.0.0/16.
Figure 2-9 Networking diagram for IP address assignment for Ethernet users (with a relay agent deployed)
(Figure: Router A is the DHCP relay: GE1/0/0 10.100.1.1/16 faces the DHCP clients, the DNS server 10.100.1.2/16 and the NetBIOS server 10.100.1.3/16; GE2/0/0 202.40.1.1/16 connects to GE1/0/0 202.40.1.2/16 on Router B, the DHCP server.)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure the address of the DHCP server for which GE 1/0/0 functions as the relay agent, and enable DHCP relay on GE 1/0/0.
3.
4. Configure the clients connected to GE 1/0/0 on Router B to obtain IP addresses from the address pool.
5.
Data Preparation
To complete the configuration, you need the following data:
l Attributes of the DHCPv4 address pool, including the IP address of the gateway, range of IP addresses in the address pool, IP addresses not allowed to be automatically assigned, domain name suffix of the DNS server, IP address of the DNS server, and address lease
Procedure
Step 1 Configure the DHCPv4 relay agent.
# Assign an IP address to GE 2/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface GigabitEthernet 2/0/0
# Enter the view of the interface to be configured with DHCPv4 relay and configure the IP
address, subnet mask, and corresponding DHCPv4 server address on the interface.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.100.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Configure the attributes of the DHCPv4 address pool pool 1, including the IP address of the
gateway, range of IP addresses in the address pool, IP addresses not allowed to be automatically
assigned, domain name suffix of the DNS server, IP address of the DNS server, and address
lease.
[RouterB] ip pool 1 server
[RouterB-ip-pool-1] gateway 10.100.1.1 255.255.0.0
[RouterB-ip-pool-1] section 0 10.100.1.5 10.100.1.100
[RouterB-ip-pool-1] dns-suffix huawei.com
[RouterB-ip-pool-1] dns-server 10.100.1.2
[RouterB-ip-pool-1] netbios-name-server 10.100.1.3
[RouterB-ip-pool-1] lease 10 12
[RouterB-ip-pool-1] quit
(display ip pool summary: Server : 1, Free : 96, Disable : 0)
Run the display dhcp relay address command on the DHCPv4 relay agent, and you can view the DHCPv4 relay configuration.
[RouterA] display dhcp relay address all
 ** GigabitEthernet1/0/0 DHCP Relay Address **
 Dhcp Option    Relay Agent IP    Server IP
 *                                202.40.1.2
----End
Configuration Files
3 DHCPv6 Configuration
With stateless address autoconfiguration, no DHCPv6 server is required. After being connected to an IPv6 network, the client automatically configures an IPv6 address for itself using neighbor discovery (ND) messages.
With stateful configuration, the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is used to configure IPv6 addresses for clients. This mechanism is similar to how DHCPv4 functions in an IPv4 network.
This chapter mainly describes the stateful configuration of IPv6 addresses in an IPv6 network. Three roles are involved: client, relay agent, and server. A client interacts with a relay agent or server to apply for an IPv6 address.
RFC 3633 defines a mechanism for automated delegation of IPv6 prefixes using DHCPv6 (DHCPv6-PD). Two roles are involved: a requesting router and a delegating router. The requesting router functions as a client, whereas the delegating router functions as a server. The requesting router obtains IPv6 prefixes from the delegating router and delivers the obtained prefixes, as its own local resources, to IPv6 clients.
Applicable Environment
If a client is connected to the DHCPv6 server through a Layer 3 access device, the Layer 3 access
device is a DHCPv6 relay agent. The DHCPv6 relay agent receives packets from the client or
other relay agents, encapsulates the received packets, and then forwards the encapsulated packets
to the DHCPv6 server or another relay agent.
You can configure the NE80E/40E so that it can function as a relay agent.
Pre-configuration Tasks
Before configuring a DHCPv6 relay agent, complete the following tasks:
l Enabling the IPv6 function. For details, refer to the HUAWEI NetEngine80E/40E Router Configuration Guide - IP Service
Data Preparation
To configure a DHCPv6 relay agent, you need the following data.
No. Data
1 IP address of the destination DHCPv6 server, or the type and number of the network-side outbound interface
Context
Do as follows on the NE80E/40E:
Procedure
Step 1 Run:
system-view
To ensure connectivity between the client and the relay agent, the IPv6 address prefix on the interface of the relay agent that connects it to the client must be the same as the IPv6 address prefix in the address pool configured on the DHCPv6 server.
Step 5 Run:
ipv6 address auto link-local
This command is required only for the interface connecting to clients on the relay agent.
Step 7 Run:
ipv6 nd autoconfig managed-address-flag
The flag field indicating that routable IPv6 addresses can be obtained through the stateful
autoconfiguration is set.
NOTE
This command is required only for the interface connecting to clients on the relay agent.
Step 8 Run:
ipv6 nd autoconfig other-flag
The flag field indicating the other information about the stateful autoconfiguration is set.
NOTE
This command is required only for the interface connecting to clients on the relay agent.
Step 9 Run:
dhcpv6 relay { interface { interface-name | interface-type interface-number } |
destination ipv6-address }
The DHCPv6 relay function is enabled on an inbound interface and the IP address of the
outbound interface for DHCPv6 messages or the IP address of the destination DHCPv6 server
is specified.
Context
Do as follows on the NE80E/40E:
NOTE
The inbound interface and the outbound interface of the relay agent are both network-side interfaces. You
need to configure DHCPv6 on both interfaces.
Procedure
Step 1 Run:
system-view
Procedure
l Run the display this command in the interface view to check the current effective configurations of the relay interface.
----End
Example
Run the display this command in the view of GE 2/0/1 to view the current effective
configurations on the interface. If the preceding DHCPv6 relay configurations are successful,
configurations of the relay interface are displayed.
[HUAWEI-GigabitEthernet2/0/1] display this
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address auto link-local
ipv6 address 2660:2321::101:112:2:201/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 enable
dhcpv6 relay interface GigabitEthernet1/0/2
#
4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different
authentication modes are applicable to different users.
4.2 Configuring the Authentication Mode
You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE80E/40E. The NE80E/40E supports multiple
authentication technologies.
4.3 Configuring the IPoX Access Service
In IPoX access, users can access the Internet by sending packets directly, without using client dial-in software.
4.4 Configuring and Managing Users
The BRAS manages users either through the domain to which users belong or user accounts.
4.5 Maintaining BRAS Access
Maintaining BRAS access includes monitoring the operation status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.
4.6 Configuration Examples
This section provides examples for configuring the BRAS access service, including networking
requirements, configuration notes, and configuration roadmap.
4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different
authentication modes are applicable to different users.
Web authentication: It refers to an interactive authentication mode in which the user opens
the authentication page on the Web authentication server, and enters the user name and
password to be authenticated.
Fast authentication: It is simplified Web authentication. The user opens the Web page for authentication but does not need to enter a user name and password. The NE80E/40E generates the user name and password (vlan) from information about the Broadband Access Server (BAS) interface from which the user logs in.
Mandatory Web authentication: If the user that requires Web authentication or fast
authentication attempts to access an unauthorized address before authentication, the
NE80E/40E redirects the access request to the mandatory Web authentication server for
the user to be authenticated.
Binding authentication: The NE80E/40E automatically generates the user name and
password based on the user's physical location.
l IPoX, including Internet Protocol over Ethernet (IPoE), IP over Ethernet over Virtual Local Area Network (IPoEoVLAN), and IP over Ethernet over QinQ (IPoEoQ)
l Web authentication
l Fast authentication
l Binding authentication
Applicable Environment
Web authentication is an interactive authentication mode in which the user opens the
authentication page on the web authentication server, and enters the user name and password to
be authenticated.
Fast authentication is the simplified web authentication. The user opens the web page for
authentication but does not need to enter the user name and password. The NE80E/40E generates
the user name and password (vlan) according to information about the BAS interface from which
the user logs in.
Binding authentication means that the NE80E/40E automatically generates the user name and
password based on the user's physical location.
Pre-configuration Tasks
Before configuring the authentication mode, complete the following tasks:
l Loading the BRAS license (For details, refer to the HUAWEI NetEngine80E/40E Router Configuration Guide - System Management.)
Data Preparation
To configure the authentication mode, you need the following data.
No. Data
1 IP address, port number, VPN instance, and shared key of the web authentication server
2 Portal protocol version, listen port number, and source interface of the NE80E/40E
Context
When configuring Web authentication or fast authentication, you need the following parameters:
l Portal protocol version, listening port number, and source interface sending portal packets
Procedure
l
Run:
system-view
Run:
web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key key-string ] [ nas-ip-address ]
Run:
system-view
(Optional) Run:
web-auth-server version v2
(Optional) Run:
web-auth-server listening-port port
By default, the NE80E/40E uses port 2000 to listen to the messages sent from the Web authentication server.
(Optional) Run:
web-auth-server source interface interface-type interface-number
(Optional) Run:
web-auth-server reply-message
(Optional) Run:
aaa
Run:
domain domain-name
(Optional) Run:
web-server url url
The protocol adopted by Web authentication is set to the extension Portal protocol
supported by the ISP.
Or Run:
web-server ip-address
Run:
quit
Configuring the Authentication Domain and Authentication Method on the BAS Interface
1. Run:
interface interface-type interface-number
2. Run:
bas
3. Run:
access-type layer2-subscriber
4. Run:
default-domain pre-authentication domain-name
5. Run:
default-domain authentication [ force | replace ] domain-name
6. Run:
authentication-method { web | fast }
Context
Do as follows on the NE80E/40E:
Procedure
Step 1 Run:
system-view
Procedure
l Run the display domain [ domain-name ] command to check the configuration of the domain.
----End
Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
  Source interface      :
  Listening port        : 2000
  Portal                : version 1, version 2
  Display reply message : enabled
  -----------------------------------------------------------------------
  Server           Share-Password   Port    NAS-IP   Vpn-instance
  -----------------------------------------------------------------------
  192.168.3.140    huawei           50100   NO
  -----------------------------------------------------------------------
  1 Web authentication server(s) in total
After the configuration is complete, you can run the display domain domain-name command
to view information about the binding between the domain and user group.
<HUAWEI> display domain isp1
  Domain-name                     : isp1
  Domain-state                    : Active
  Domain-type                     : Normal domain
  Service-type                    : HSI
  Authentication-scheme-name      : default1
  Accounting-scheme-name          : default1
  Authorization-scheme-name       :
  RADIUS-server-group             :
  Accounting-copy-RADIUS-group    :
  Hwtacacs-server-template        :
  Tunnel-acct-2867                : Disabled
  User-group-name                 :
  Policy-route                    : Disabled
  Policy-route-nexthop            :
  AdminUser-priority              :
  Web-server-IP-address           :
  Web-URL                         :
  Web-server-work-mode            : Get
  Primary dns-IP-address          :
  Secondary dns-IP-address        :
  Queue-profile-name              :
  User-priority-up                : 0
  User-priority-down              : 0
  PPPoe-URL                       :
  Portal-server-URL               :
  Portal-server-IP-Address        :
  Portal-force-times              : 2
  Quota-out                       : Offline
  Force-Auth-Type                 :
  Idle-data-attribute (time,rate) : 3 minute, 100 Kbyte/minute
  User-access-limit               : 147456
  Online-user-total               : 0
  User-session-limit              :
  Flow-Statistic-Up               : Yes
  Flow-Statistic-Down             : Yes
  Time-range                      : Disabled
  GRE-group-name                  :
  L2TP-group-name                 :
  L2TP-user RADIUS Force          : Disabled
  Dot1x-template-index            : 1
  Realloc-IP-address              : Disabled
  Bill Flow                       : Disabled
  Multicast flow statistic        : Disabled
  VPN-instance-name               : -
  Value-service-name              :
  DPI-policy-group                :
  Multicast-profile               :
  IPUser-ReAuth-Time              : 300 second
  IP-Warning-Percent              :
  Qos-profile-name                :
  Zone-name                       : default
  Ancp auto qos adapt             : Disabled
  TimeRange-Qos                   : Disabled
  Val-added-srv-account           : Default
  Multicast Forwarding            : Yes
  Multicast Virtual               : No
  Multivirtual cir                :
  Multivirtual pir                :
  Max-multilist num               : 4
  L2TP-QosProfile-inbind          : -
  L2TP-QosProfile-outbind         :
Applicable Environment
The IPoX access service is an access authentication service. In IPoX access, a user accesses the
Internet by using the Ethernet or asymmetric digital subscriber line (ADSL). The user uses a
fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol
(DHCP). The system then authenticates the user by using Web authentication, fast
authentication, or binding authentication.
The IPoX services are classified into the IPoE, IPoEoVLAN, and IPoEoQ services, depending on the networking.
NOTE
When an IPoEoQ user attempts to access the network, if the SMAC field in the Layer 2 header is different
from the CHADDR field in a DHCP request packet, the user cannot get online.
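The comparison in the note above, as an added example that is not NE80E/40E code: a constructed Ethernet frame is walked through zero, one (802.1Q) or two (QinQ) VLAN tags, IPv4 and UDP, and the frame's source MAC (SMAC) is compared with the client hardware address (chaddr, RFC 2131 bytes 28 to 33) in the DHCPv4 request. A mismatch is what a request claiming another host's hardware address looks like. The MACs, VLAN IDs and addresses are arbitrary, and IP/UDP checksums are left zero because the parser does not verify them.

```python
"""Source-MAC versus DHCP chaddr consistency check for IPoEoQ frames (added example)."""
import struct

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67


def parse_frame(frame: bytes) -> dict:
    """Return source MAC, VLAN ID stack and DHCP payload; raise ValueError for anything else."""
    if len(frame) < 14:
        raise ValueError("short frame")
    smac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlans = 14, []
    while ethertype in VLAN_TPIDS:            # peel tags: TCI, then the next EtherType
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or len(frame) < off + ihl:
        raise ValueError("bad IPv4 header")
    if frame[off + 9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = off + ihl
    if len(frame) < udp + 8:
        raise ValueError("truncated UDP header")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    if dport != DHCP_SERVER_PORT:
        raise ValueError("not a DHCP request")
    payload = frame[udp + 8:udp + ulen]
    if len(payload) < 240:
        raise ValueError("short DHCP message")
    return {"smac": smac, "vlans": vlans, "dhcp": payload}


def chaddr_matches_smac(frame: bytes) -> bool:
    """True only if the DHCP message carries an Ethernet chaddr equal to the frame's source MAC."""
    parsed = parse_frame(frame)
    dhcp = parsed["dhcp"]
    htype, hlen = dhcp[1], dhcp[2]
    if htype != 1 or hlen != 6:          # not an Ethernet hardware address: nothing to compare
        return False
    return dhcp[28:34] == parsed["smac"]


def build_request(smac: bytes, chaddr: bytes, vlans=()) -> bytes:
    """Constructed DHCPDISCOVER in UDP/IPv4/Ethernet with the given VLAN stack (checksums zero)."""
    dhcp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0xABCD0001, 0, 0x8000)   # BOOTREQUEST, Ethernet, broadcast
    dhcp += b"\x00" * 16 + chaddr.ljust(16, b"\x00") + b"\x00" * 192   # ciaddr..giaddr, chaddr, sname, file
    dhcp += b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])              # magic cookie, DHCPDISCOVER, END
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    tags = b""
    for i, vid in enumerate(vlans):
        tpid = 0x88A8 if len(vlans) == 2 and i == 0 else 0x8100   # outer S-tag, inner C-tag
        tags += struct.pack("!HH", tpid, vid)
    return b"\xff" * 6 + smac + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip


CLIENT_MAC = bytes.fromhex("00e0fc123456")
OTHER_MAC = bytes.fromhex("00e0fcabcdef")
LEGIT_QINQ = build_request(CLIENT_MAC, CLIENT_MAC, vlans=(100, 200))
SPOOFED_QINQ = build_request(CLIENT_MAC, OTHER_MAC, vlans=(100, 200))
LEGIT_UNTAGGED = build_request(CLIENT_MAC, CLIENT_MAC)

if __name__ == "__main__":
    for name, frame in [("legit qinq", LEGIT_QINQ), ("spoofed qinq", SPOOFED_QINQ),
                        ("legit untagged", LEGIT_UNTAGGED)]:
        print(name, parse_frame(frame)["vlans"], chaddr_matches_smac(frame))
```

The check is only meaningful where the BRAS sees the subscriber's own frame, as in Layer 2 IPoE/IPoEoVLAN/IPoEoQ access: behind a Layer 3 relay the source MAC is the relay's, so the comparison has to be made by the relay or skipped.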
Pre-configuration Tasks
Before configuring the IPoX access service, complete the following tasks:
l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router Configuration Guide - System Management.)
l Configuring a domain
Data Preparation
To configure the IPoX access service, you need the following data.
No.  Data
1    IP address, VPN instance (optional), MAC address (optional), and number of the
     access interface on the NE80E/40E (optional)
2    User domain
Configuration Procedures
To configure the IPoX access service, perform the following procedures.
NOTE
Configuring an AAA scheme, 1.3 Configuring a RADIUS Server, Configuring an IPv4 address
pool, and Configuring a domain are not provided here because all the procedures are described in other
chapters.
[Figure: configuration flowchart with one branch each for IPoE, IPoEoVLAN, and IPoEoQ. Every
branch runs Configuring AAA Schemes, Configuring a server template, Configuring an IPv4 address
pool, and Configuring a domain. Legend: Mandatory procedure, Optional procedure.]
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
If users access the network through a sub-interface, the sub-interface must be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE
l On each main interface, you can set the any-other parameter on only one sub-interface. On one
sub-interface, any-other cannot be set together with start-vlan or qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs that have the same VLAN ID.
l If an interface on an LPUA, LPUF-10, LPUF-21, or LPUF-40 is bound to a VSI or configured with VLL
transparent transmission, users whose packets carry double VLAN tags cannot get online after the
user-vlan command is run on its sub-interfaces.
Procedure
Step 1 Run:
system-view
Context
When configuring a BAS interface, you need the following parameters:
l (Optional) Maximum number of users that are allowed to access through the BAS interface
and maximum number of users that are allowed to access through a specified VLAN
l (Optional) Default domain, roaming domain, and domains that users are allowed to access
l (Optional) Whether to enable proxy ARP, DHCP broadcast, accounting packet copy, IP packet
trigger-online, and user-based multicast replication
l (Optional) Whether to trust the DHCP Option 82 field, user detection parameters, VPN
instances of non-PPP users, BAS interface name, and access device type
Procedure
Step 1 Run:
system-view
or its sub-interface, an ATM interface or its sub-interface, or a VE interface or its sub-interface as a BAS interface.
Step 4 Run:
access-type layer2-subscriber [ default-domain { [ authentication [ force |
replace ] dname ] [ pre-authentication predname ] } ]
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
Or run:
access-type layer3-subscriber [ default-domain { [ pre-authentication predname ]
authentication [ force | replace ] dname } ]
The access type is set to Layer 3 subscriber access and the attributes of this access type are
configured.
When setting the access type on the BAS interface, you can set the service attributes of the access
users at the same time. You can also set these attributes in later configurations.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the associated
Eth-Trunk interface.
Step 5 (Optional) Run:
access-limit number
The number of users that are allowed to access through the interface is configured.
By default, the number of users that are allowed to access through the BAS interface is not
limited.
Step 6 (Optional) Run:
default-domain pre-authentication domain-name
The default authentication domain is specified. By default, the authentication domain of the
BAS interface is default1.
Or run:
permit-domain domain-name &<1-4>
The Option 82 field (for a DHCP user) reported by a client is trusted by the router.
Or run:
vbas
The function of locating a user through the virtual BAS (VBAS) is enabled. By default, the
function of locating a user through the VBAS is disabled.
Step 8 (Optional) Run:
client-option60
DHCP users that attempt to get online through the BAS interface are filtered based on ACL
rules.
By default, ACL rules are not used to filter DHCP users that attempt to get online on a BAS
interface.
Step 15 Run:
authentication-method { { web | fast } | bind }
You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface except for the following:
l Web authentication conflicts with fast authentication.
l Binding authentication conflicts with the other authentication modes.
----End
Procedure
l Run the display domain command to check the configuration of the domain.
l Run the display acl command to check the configuration of the ACL.
----End
Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
  Source interface      :
  Listening port        : 2000
  Portal                : version 1, version 2
  Display reply message : enabled
  -----------------------------------------------------------------------
  Server          Share-Password   Port    NAS-IP   Vpn-instance
  -----------------------------------------------------------------------
  192.168.3.140   huawei           50100            NO
  -----------------------------------------------------------------------
  1 Web authentication server(s) in total
After the configuration is complete, you can run the display domain command to view
information about the binding between the domain and user group.
<HUAWEI> display domain isp1
  Fields (in display order): Domain-name, Domain-state, Domain-type, Service-type,
  Authentication-scheme-name, Accounting-scheme-name, Authorization-scheme-name,
  RADIUS-server-group, Accounting-copy-RADIUS-group, Hwtacacs-server-template,
  Tunnel-acct-2867, User-group-name, Policy-route, Policy-route-nexthop, AdminUser-priority,
  Web-server-IP-address, Web-URL, Web-server-work-mode, Primary dns-IP-address,
  Secondary dns-IP-address, Queue-profile-name, User-priority-up, User-priority-down,
  PPPoe-URL, Portal-server-URL, Portal-server-IP-Address, Portal-force-times, Quota-out,
  Force-Auth-Type, Idle-data-attribute (time,rate), User-access-limit, Online-user-total,
  User-session-limit, Flow-Statistic-Up, Flow-Statistic-Down, Time-range, GRE-group-name,
  L2TP-group-name, L2TP-user RADIUS Force, Dot1x-template-index, Realloc-IP-address, Bill Flow,
  Multicast flow statistic, VPN-instance-name, Value-service-name, DPI-policy-group,
  Multicast-profile, IPUser-ReAuth-Time, IP-Warning-Percent, Qos-profile-name, Zone-name,
  Ancp auto qos adapt, TimeRange-Qos, Val-added-srv-account, Multicast Forwarding,
  Multicast Virtual, Multivirtual cir, Multivirtual pir, Max-multilist num,
  L2TP-QosProfile-inbind, L2TP-QosProfile-outbind
  Values (in display order; column alignment was lost in extraction): isp1; Active;
  Normal domain; HSI; default1; default1; Disabled; Disabled; Get; -; 0; 0; Disabled; 2; Offline;
  3 minute, 100 Kbyte/minute; 147456; 0; Yes; Yes; Disabled; Disabled; 1; Disabled; Disabled;
  Disabled; -300 second; default; Disabled; Disabled; Default; Yes; No; 4; -
After the configuration is complete, you can run the display acl command to view the
configuration of the ACL.
<HUAWEI> display acl 3100
Advanced ACL 3100, 3 rules,
rule 0 permit icmp (2 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (0 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)
Applicable Environment
The NE80E/40E can parse the user name and domain name out of a user account according to
the configured domain name delimiter and realm name delimiter, so that user accounts are
parsed as required.
The administrator can manage online users on the NE80E/40E, including viewing online users
and disconnecting them.
Pre-configuration Tasks
Before configuring and managing users, complete the following tasks:
l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring the access method and authentication method for the BAS interface
Data Preparation
To configure and manage users, you need the following data.
No.  Data
1    Domain name delimiter, location of the domain name, and parsing direction of
     the domain name
2    (Optional) Realm name delimiter, location of the realm name, and parsing
     direction of the realm name
3    Parsing priority
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
If the user-security-policy enable command has been run, the following rules must be obeyed
during password configuration:
l For passwords:
  - A password must be longer than eight characters.
  - A password must consist of digits, upper-case and lower-case letters, and special
    characters (not including spaces or question marks).
  - A password cannot be the same as the user name, nor can it be the reverse of the user
    name.
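The password rules above as a checker, added here as an example rather than taken from the guide; the exact, case-sensitive comparison against the user name and its reverse, and treating punctuation as the allowed special characters, are assumptions.

```python
"""Added example, not Huawei code: a checker for the password rules that apply once
user-security-policy enable has been run (length, character classes, no space or '?',
not equal to the user name or its reverse). Case-sensitive comparison is an assumption."""
import string

# Assumed set of allowed special characters: punctuation except the question mark;
# the space character is excluded as well.
SPECIAL_CHARS = set(string.punctuation) - {"?"}


def check_password(password: str, user_name: str) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) <= 8:
        problems.append("length: must be longer than eight characters")
    if " " in password or "?" in password:
        problems.append("characters: spaces and question marks are not allowed")
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    if not (has_digit and has_upper and has_lower and has_special):
        problems.append("classes: needs digits, upper-case, lower-case and special characters")
    if password in (user_name, user_name[::-1]):
        problems.append("user name: must not equal the user name or its reverse")
    return problems


if __name__ == "__main__":
    # Constructed samples: a compliant password and a few policy violations.
    for pw in ("Ab3$efghi", "Ab3$efgh", "abc123456", "1resu", "Ab3$efg?i"):
        print(pw, "->", check_password(pw, "user1") or "ok")
```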
Procedure
l Local AAA server view
  1. Run:
     system-view
  2. Run:
     local-aaa-server
  3. Run:
     user username { password { simple simple-password | cipher cipher-password } |
     authentication-type type-mask | block [ fail-times fail-times-value interval
     interval-value ] | ftp-directory ftp-directory | ip-address ip-address
     [ vpn-instance instance-name ] | level level | callback-nocheck |
     callback-number callback-number | idle-cut | qos-profile qos-profile } *
l AAA view
  1. Run:
     system-view
  2. Run:
     aaa
  3. Run:
     local-user user-name password { simple | cipher } password
  4. (Optional) Run:
     prompt last-info
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
default-user-name [ template template-name ] include { gateway-address | ip-address |
mac-address | option12 | option60 | option61 | option82 | sysname } *
The router is configured to generate the IPoX user name according to information carried in the
user access request packet.
Or run:
vlanpvc-to-username { standard | turkey | version10 | version20 }
Or run:
vlanpvc-to-username standard trust { pevlan | cevlan }
The router is configured to generate the IPoX user name by using the original format.
By default, the original format of the IPoX user name is defined in version20.
Step 4 Run:
default-password { cipher cipher-password | simple simple-password }
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Follow-up Procedure
The authentication request from a local user in the active or blocked state is processed in a
different manner.
l If the local user is in the active state, the authentication request from this user is allowed
for further processing.
l If the local user is in the blocked state, the authentication request from this user is denied.
Context
Do as follows on the router:
Procedure
l
  1. Run:
     system-view
  2. Run:
     aaa
  3. Run:
     local-user user-name access-limit max-number
l
  1. Run:
     system-view
  2. Run:
     dhcp-user-slot-warning-threshold
     The alarm threshold for DHCP users allowed to access an LPU is configured. If the
     percentage of DHCP users currently accessing the LPU exceeds the threshold, an
     alarm is generated.
  3. Run:
     dhcp-user-warning-threshold
     The alarm threshold for DHCP users allowed to access the entire NE80E/40E is
     configured. If the percentage of DHCP users currently accessing the entire NE80E/
     40E exceeds the threshold, an alarm is generated.
  4. Run:
     dhcp connection chasten request-sessions request-period blocking-period
  - You can view the number of users whose attempts to set up DHCP connections
    are limited.
  - You can view information about users whose attempts to set up DHCP connections
    are limited.
  - You can view settings of the limit on attempts to set up a DHCP connection.
  - You can reset the statistics on user attempts to set up a DHCP connection.
l
  1. Run:
     system-view
  2. Run:
     slot-warning-threshold
     The alarm threshold for users allowed to access an LPU is configured. If the percentage
     of users currently accessing the LPU exceeds the threshold, an alarm is generated on
     the router.
----End
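A model of the dhcp connection chasten limit and of the statistics that the view and reset items under step 4 refer to, added here as an example rather than taken from the guide: the sliding-window semantics (more than request-sessions attempts inside request-period blocks the client for blocking-period) and keying clients by MAC address are assumptions.

```python
"""Added example, not Huawei code: a model of the limit configured with
dhcp connection chasten request-sessions request-period blocking-period.
Assumed semantics: a client (keyed by MAC) that makes more than request_sessions
DHCP connection attempts within request_period seconds is blocked for
blocking_period seconds and counted once in the limited-user statistics."""
from collections import defaultdict, deque


class DhcpConnectionChasten:
    def __init__(self, request_sessions: int, request_period: float, blocking_period: float):
        self.request_sessions = request_sessions
        self.request_period = request_period
        self.blocking_period = blocking_period
        self._attempts = defaultdict(deque)   # mac -> attempt timestamps inside the window
        self._blocked_until = {}              # mac -> time at which the block expires
        self.limited_total = 0                # statistic: number of times a client was limited

    def admit(self, mac: str, now: float) -> bool:
        """Record one DHCP connection attempt; return False while the client is limited."""
        until = self._blocked_until.get(mac)
        if until is not None:
            if now < until:
                return False
            del self._blocked_until[mac]      # block expired, start a fresh window
            self._attempts[mac].clear()
        window = self._attempts[mac]
        window.append(now)
        while window and now - window[0] > self.request_period:
            window.popleft()                  # drop attempts older than request_period
        if len(window) > self.request_sessions:
            self._blocked_until[mac] = now + self.blocking_period
            self.limited_total += 1
            window.clear()
            return False
        return True

    def limited_users(self, now: float) -> list:
        """MACs that are currently blocked (what a display of limited users would list)."""
        return sorted(m for m, t in self._blocked_until.items() if now < t)

    def reset_statistics(self) -> None:
        """Clear the limited-user counter, as the reset command in step 4 does."""
        self.limited_total = 0


if __name__ == "__main__":
    # Constructed sample: 3 attempts per 60 s allowed, 300 s block.
    limiter = DhcpConnectionChasten(request_sessions=3, request_period=60, blocking_period=300)
    for t in (0, 10, 20, 30, 100, 331):
        print(t, limiter.admit("0011-2233-4455", t))
    print("limited so far:", limiter.limited_total)   # 1
```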
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The online users using the IP addresses in the specified IP address pool are disconnected.
Or run:
cut access-user slot slot-id
Procedure
Step 1 Run:
system-view
aaa offline-record
Procedure
Step 1 Run:
trace access-user object object-id { access-mode mode | user-name username |
interface interface-type interface-number | ip-address ip-address | mac-address
mac-address | ce-vlan ce-vlan-id | pe-vlan pe-vlan-id } * [ output [ file filename |
syslog-server ip-address | vty ] | -t time ] *
Procedure
l Run the display static-user command to check information about static users.
l Run the display aaa configuration command to check the configuration of the user account
parsing function.
l Run the display vlanpvc-to-username command to check the configuration of the format
of the IPoX user name.
l Run the display call rate command to check the put-through rate of all types of users.
----End
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Example
After the configuration is complete, you can run the display static-user command to view
information about static users.
<HUAWEI> display static-user
  ---------------------------------------------------------------------------
  Interface    VLAN-ID/PVC    IP-address    MAC-address    VPN
  ---------------------------------------------------------------------------
                              10.10.10.2    -
  GE1/0/2                     10.10.10.5
  ---------------------------------------------------------------------------
  Total 2 item(s) matched
After the configuration is complete, you can run the display aaa configuration command to
view the configuration of the user account parsing function.
<HUAWEI> display aaa configuration
  ---------------------------------------------------------------------------
  AAA configuration information :
  ---------------------------------------------------------------------------
  Parse Priority             : Domain first
  Domain Name Delimiter      : @
  Domainname parse direction : Left to right
  Domainname location        : After-delimiter
  Realm name delimiter       :
  Realmname parse direction  : Left to right
  Realmname location         : Before-delimiter
  Domain                     : total: 1024   used: 7
  Authentication-scheme      : total: 32     used: 4
  Authorization-scheme       : total: 16     used: 2
  Accounting-scheme          : total: 128    used: 4
  Recording-scheme           : total: 128    used: 1
  AAA-access-user            : total: 279552 used: 0
  Access-user-state          : authen: 0  author: 0  accounting: 0
  Transition-step            :
  Min-Delay-time             :
  Max-Delay-time             :
  Access speed               :
  Account-session-id-version : Version1
  ---------------------------------------------------------------------------
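The user-account parsing that the Applicable Environment section and the display aaa configuration output above describe (parse priority, domain and realm delimiters, parse direction, and name location), as an added example that is not Huawei code: the config dataclass mirrors the output fields, and the meaning given to direction (first or last delimiter occurrence) and location (which side of the delimiter holds the name) is an assumption.

```python
"""Added example, not Huawei code: a model of NE80E/40E user-account parsing driven by the
settings shown in display aaa configuration. The semantics of parse direction (which
delimiter occurrence is split on) and name location (which side is the name) are assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccountParseConfig:
    domain_delimiter: str = "@"
    domain_direction: str = "left-to-right"    # or "right-to-left"
    domain_location: str = "after-delimiter"   # or "before-delimiter"
    realm_delimiter: Optional[str] = None      # blank in the output above: realm parsing off
    realm_direction: str = "left-to-right"
    realm_location: str = "before-delimiter"
    parse_priority: str = "domain-first"       # or "realm-first"


def _split_once(account: str, delim: str, direction: str,
                location: str) -> Tuple[str, Optional[str]]:
    """Split on the first (left-to-right) or last (right-to-left) delimiter and return
    (remaining account, extracted name); the name is the part on the 'location' side."""
    idx = account.find(delim) if direction == "left-to-right" else account.rfind(delim)
    if idx < 0:
        return account, None
    before, after = account[:idx], account[idx + len(delim):]
    return (before, after) if location == "after-delimiter" else (after, before)


def parse_account(account: str, cfg: AccountParseConfig,
                  default_domain: str) -> Tuple[str, str, Optional[str]]:
    """Return (user_name, domain, realm); an absent domain falls back to default_domain."""
    rest, domain, realm = account, None, None
    order = ("domain", "realm") if cfg.parse_priority == "domain-first" else ("realm", "domain")
    for part in order:
        if part == "domain":
            rest, domain = _split_once(rest, cfg.domain_delimiter,
                                       cfg.domain_direction, cfg.domain_location)
        elif cfg.realm_delimiter:
            rest, realm = _split_once(rest, cfg.realm_delimiter,
                                      cfg.realm_direction, cfg.realm_location)
    return rest, (domain if domain else default_domain), realm


if __name__ == "__main__":
    # Constructed accounts parsed with the settings from the display output above.
    cfg = AccountParseConfig()
    print(parse_account("user1@isp1", cfg, "default0"))   # ('user1', 'isp1', None)
    print(parse_account("user1", cfg, "default0"))        # ('user1', 'default0', None)
    with_realm = AccountParseConfig(realm_delimiter="/")
    print(parse_account("corp/user1@isp1", with_realm, "default0"))  # ('user1', 'isp1', 'corp')
```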
After the configuration is complete, you can run the display vlanpvc-to-username command
to view the configuration of the format of the IPoX user name.
<HUAWEI> display vlanpvc-to-username
Version of vlan and pvc model in username : Version2.0
After the configuration is complete, you can run the display call rate command to view the
put-through rate of all types of users.
<HUAWEI> display call rate
User callrate:
  -------------------------------------------------------
  Usertype   Calltime   Callcompletion   Rate
  -------------------------------------------------------
  PPP        127        127              100.00%
  (further rows; column alignment was lost in extraction: 324, 7, 0, 458 and
  100.00%, 100.00%, 0.00%, 100.00%)
Context
After the preceding configurations, run the following display commands in any view to check
the BRAS configurations. For details, see the HUAWEI NetEngine80E/40E Router - Command
Reference.
Procedure
Step 1 Run the display web-auth-server configuration command to check the configuration of the
Web authentication server.
Step 2 Run the display bas-interface command to check the configuration of the BAS interface.
Step 3 Run the display aaa online-fail-record command to check the login failure records.
Step 4 Run the display aaa offline-record command to check the logout records.
Step 5 Run the display aaa abnormal-offline-record command to check the abnormal logout records.
Step 6 Run the display access-user command in any view to check information about online users.
----End
Context
CAUTION
BRAS access information cannot be restored after it is cleared. Exercise caution when running
the commands.
To clear BRAS access information, run the following reset commands.
Procedure
Step 1 Run the reset aaa online-fail-record command in the user view to clear the login failure records.
Step 2 Run the reset aaa offline-record command in the user view to clear the logout records.
Step 3 Run the reset aaa abnormal-offline-record command in the user view to clear the abnormal
logout records.
Step 4 Run the reset call rate command in the user view to clear the call rate statistics of users.
----End
4.6.1 Example for Configuring the IPoE Access Service for VPN
Users by Using Web Authentication
This section provides an example for configuring IPoE access to a VPN by using Web
authentication, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.
Networking Requirements
The networking is shown in Figure 4-2. The requirements are as follows:
l The user belongs to domain isp2 and accesses the Internet by using GE 1/0/2 on the
router in IPoE mode.
l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is used. The
shared key is hello.
l The user is a VPN user and belongs to a VPN instance named vpn1.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
[Figure 4-2: subscriber@isp2 connects through the access network to GE1/0/2 on the Router;
GE1/0/1 (192.168.8.1) connects to the Internet, the DNS server 192.168.8.252, the WEB server
192.168.8.251, and the RADIUS server 192.168.8.249.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
6.
7.
8.
Data Preparation
To complete the configuration, you need the following data:
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Domain name
l ACL rules
l Traffic policy
Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit
bas local
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
dns-server 192.168.8.252
vpn-instance vpn1
quit
ip-pool pool2
user-group huawei
service-type hsi
web-server 192.168.8.251
web-server url http://192.168.8.251
vpn-instance vpn1
quit
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
service-type hsi
vpn-instance vpn1
quit
The upstream interface is connected to the MPLS network; its configuration is not described here. For
details, see the chapter BGP/MPLS IP VPN of the HUAWEI NetEngine80E/40E Router Configuration
Guide - VPN.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
----End
Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
#
acl number 6000
#
acl number 6001
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 10 permit ip source user-group huawei destination ip-address 192.168.8.252 0
#
traffic classifier c2 operator and
if-match acl 6001
traffic classifier c1 operator and
if-match acl 6000
#
traffic behavior perm1
traffic behavior deny1
deny
#
traffic policy action1
classifier c2 behavior perm1
classifier c1 behavior deny1
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet1/0/2
bas
access-type layer2-subscriber default-domain authentication isp2
authentication-method web
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool2 bas local
vpn-instance vpn1
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
accounting-scheme acct2
domain default0
service-type hsi
web-server 192.168.8.251
web-server url http://192.168.8.251
user-group huawei
vpn-instance vpn1
ip-pool pool2
domain isp2
authentication-scheme auth2
accounting-scheme acct2
service-type hsi
radius-server group rd2
#
return
Networking Requirements
The networking is shown in Figure 4-3. The requirements are as follows:
l The user belongs to domain isp3 and accesses the Internet by using GE 1/0/2.1 on the
router in IPoEoVLAN mode. The LAN switch tags user packets with VLAN 1 and VLAN 2.
l The user adopts binding authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is hello.
[Figure 4-3: subscriber1@isp3 and subscriber2@isp3 connect through the Switch to GE1/0/2.1 on
the Router; GE1/0/1 (192.168.8.1) connects to the Internet, the DNS server 192.168.8.252, and
the RADIUS server 192.168.8.249.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Domain name
Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth3
[HUAWEI-aaa-authen-auth3] authentication-mode radius
[HUAWEI-aaa-authen-auth3] quit
bas local
gateway 172.82.2.1 255.255.255.0
section 0 172.82.2.2 172.82.2.200
dns-server 192.168.8.252
quit
NOTE
The configured address pool is used for the authentication domain. The pre-authentication domain is not
required because a user that adopts binding authentication can be authenticated automatically when the
user goes online.
authentication-scheme auth3
accounting-scheme acct3
radius-server group rd3
ip-pool pool3
quit
NOTE
When a user obtains an IP address in binding authentication, the router authenticates the user automatically.
Therefore, you do not need to configure the ACL to control the network access rights of the user before
authentication. Instead, you need to configure the ACL to control the network access rights of the user after
authentication.
l The user name for binding authentication is automatically generated based on the location where the
user accesses the NE80E/40E. Therefore, the user name on the RADIUS server must be configured
according to the name generation rule. The password is vlan.
l For details about the user name format used in binding authentication, see the description of the
vlanpvc-to-username command in the HUAWEI NetEngine80E/40E Router Command Reference.
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd3
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
interface GigabitEthernet1/0/2.1
user-vlan 1 2
bas
access-type layer2-subscriber default-domain authentication isp3
authentication-method bind
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 bas local
gateway 172.82.2.1 255.255.255.0
section 0 172.82.2.2 172.82.2.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth3
accounting-scheme acct3
domain isp3
authentication-scheme auth3
accounting-scheme acct3
radius-server group rd3
ip-pool pool3
#
return
Networking Requirements
The networking is shown in Figure 4-4. The requirements are as follows:
l The user accesses the Internet by using GE 1/0/2.2 on the router in IPoEoQ mode. LAN
switch 1 tags user packets with VLAN 1 and VLAN 2. LAN switch 2 tags user packets
with QinQ 100 (outer VLAN 100).
l The user belongs to domain isp1 and adopts binding authentication and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is itellin.
[Figure 4-4: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) connect through Lanswitch1 and
Lanswitch2 (QinQ100) to GE1/0/2.2 on the Router; GE1/0/1 (192.168.7.1) connects to the
Internet, the DNS server 192.168.8.252, and the RADIUS server 192.168.8.249.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Domain name
Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth1
[HUAWEI-aaa-authen-auth1] authentication-mode radius
[HUAWEI-aaa-authen-auth1] quit
bas local
gateway 172.82.0.1 255.255.255.0
section 0 172.82.0.2 172.82.0.200
dns-server 192.168.7.252
quit
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
service-type hsi
quit
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key itellin
#
interface GigabitEthernet1/0/2.2
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 172.82.0.1 255.255.255.0
section 0 172.82.0.2 172.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
service-type hsi
radius-server group rd1
ip-pool pool1
#
return
Networking Requirements
The networking is shown in Figure 4-5. The requirements are as follows:
l Users user1@isp1 and user2@isp1 belong to the same domain isp1 and access the
Internet by using GE 1/0/2.1 on the router as static users. The LAN switch labels user
packets with VLAN 1 and VLAN 2.
l The two users adopt Web authentication. RADIUS authentication and RADIUS
accounting are used.
l The two static users are VPN users and belong to the same VPN instance named VPN1.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is hello.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
Figure 4-5 Networking for configuring remote authentication for static users
[Figure: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) connect through the Switch to GE1/0/2.1
on the Router; GE1/0/1 (192.168.8.1) connects to the Internet, the DNS server 192.168.8.252,
the WEB server 192.168.8.251, and the RADIUS server 192.168.8.249.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Data Preparation
To complete the configuration, you need the following data:
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l ACL rules
l Traffic policy
l Domain name
Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit
Step 6 Configure an ACL to allow the user to access only the Web server before Web authentication
is performed.
# Configure a user group.
[HUAWEI] user-group huawei
bas local
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
excluded-ip-address 172.82.1.100
vpn-instance vpn1
quit
bas local
gateway 172.82.2.1 255.255.255.0
section 0 172.82.2.2 172.82.2.200
vpn-instance vpn1
quit
[HUAWEI-aaa-domain-default0] ip-pool pool2
[HUAWEI-aaa-domain-default0] user-group huawei
[HUAWEI-aaa-domain-default0] vpn-instance vpn1
[HUAWEI-aaa-domain-default0] quit
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
vpn-instance vpn1
quit
interface
interface
----End
Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd1
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any
#
traffic classifier c1 operator or
if-match acl 6000
#
traffic behavior b1
#
Networking Requirements
The networking is shown in Figure 4-6. The requirements are as follows:
l The user accesses the Internet by using GE 1/0/2.1 on the router as a static user and the IP
address of the user is 172.192.0.8.
l The system uses the IP address carried in the user packet as the user name.
Figure 4-6 Networking for configuring local authentication for static users
[Figure: the static user connects to GE1/0/2.1 on the Router; GE1/0/1 (192.168.8.1) connects to
the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
l Domain name
Procedure
Step 1 Configure an authentication scheme.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme local
[HUAWEI-aaa-authen-local] authentication-mode local
[HUAWEI-aaa-authen-local] quit
bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
[HUAWEI-ip-pool-pool1] quit
authentication-scheme local
accounting-scheme default0
ip-pool pool1
quit
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet1/0/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication isp1
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
A Glossary
Glossary                        Description
A
access service
B
BRAS
binding authentication
D
DHCP client
DHCP proxy
DHCP server
direct authorization
domain
F
fast authentication
H
HWTACACS
HWTACACS accounting
HWTACACS authentication
HWTACACS authorization
L
local address pool
local authentication
local authorization
M
mandatory web authentication
O
Option 60
Option 82
P
portal protocol
R
RADIUS accounting
RADIUS authentication
S
static user
V
value-added service             A service selected by the user when the user logs in to the portal
                                server of the carrier.
W
web authentication
This appendix lists the acronyms and abbreviations mentioned in this manual.
Item         Description
A
AAA
ACL
ADSL
AP           Access Point
ARP
B
BAS
BOOTP        Bootstrap Protocol
BRAS
C
CAR
CF           Compressed Flash
CHAP
CLI
CMTS
CoA          Change of Authorization
COPS
D
DHCP
DNS
DSLAM
E
EAP
EAPoL
F
FE           Fast Ethernet
G
GE           Gigabit Ethernet
GRE
H
HDLC
HFC          Hybrid Fiber-Coaxial
HWTACACS     Huawei TACACS
I
IEEE
IP           Internet Protocol
IPCP
IPoE         IP over Ethernet
IPoEoVLAN
IPoX         IP over X
IPTN         IP Telecommunication Network
ISP
L
LAN
LCP
L2TP
LTS
M
MAC
MSCHAP       Microsoft CHAP
N
NCP
ND           Neighbor Discovery
NetBIOS
P
PAP
PDP
PEP
PPP          Point-to-Point Protocol
PPPoE
PPPoEoVLAN
PPPoX        PPP over X
PSTN
Q
QinQ         802.1Q in 802.1Q
QoS          Quality of Service
R
RADIUS
RFC
S
SIG
SIM
DSG
SSH          Secure Shell
T
TACACS
TCP
TFTP
U
UDP
URL
V
VLAN         Virtual LAN
VoD          Video On Demand
VPN