Configuring the Limit on the Number of Access Users

You can limit the number of access users to control the user access rate and prevent the CPU usage from exceeding its threshold.

Context

Perform the following steps on the router:

Of the following user access limit configurations, perform only the steps that your service requirements call for.

Procedure

  • Limiting the number of users who go online from a single VLAN

    If the number of users who go online from a single VLAN exceeds 3K, run the vlan-host-car command to increase the bandwidth for user-side packets that are sent to the CPU and carry the same VLAN ID. After the configuration is complete, packets of excess users are discarded and these excess users go offline.

    1. The router supports CAR rate limiting to prevent a large number of user-side packets from compromising the CPU processing efficiency. The router is enabled with some CAR functions by default and has some default CAR parameter settings. For configuration details, see section "Configuring CAR."

  • Limiting PPP user access
    1. Run system-view

      The system view is displayed.

    2. Run ppp-user-slot-warning-threshold threshold-value

      The alarm threshold for the number of PPP users who go online from an interface board is configured. If the proportion of the number of PPP users who go online from an interface board to the total number of access users exceeds the threshold, an alarm is generated.

    3. Run ppp-user-warning-threshold threshold-value

      The alarm threshold for the number of PPP users who go online from the NetEngine 8000 F is configured. If the proportion of the number of PPP users who go online from the NetEngine 8000 F to the total number of access users exceeds the threshold, an alarm is generated.

    4. Run ppp connection chasten option105 request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ] or ppp connection chasten request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ] [ multi-sessions-permac ]

      The number of PPP user access requests is limited.

      Limiting the number of access attempts can prevent unauthorized users from cracking an authorized user's password by brute force. If a user fails authentication N times within a specified period, the user account is frozen for a period of time, thwarting the unauthorized user's attempt to crack the authorized user's password.

      In a scenario in which a large number of users go offline immediately after they go online, the CPU may be overloaded and the RADIUS server may even go down. To prevent this problem, you can configure the quickoffline parameter to limit the number of times a PPP user can go offline immediately after the user goes online within a specified period. If the PPP user immediately goes offline after going online for request-sessions times within request-period, the user account is blocked for blocking-period seconds.

      In the system view, this command takes effect on all users who go online from the NetEngine 8000 F. In the VLAN view, the command takes effect only on the users who go online from the interface where the VLAN resides. If this command is configured in both the system and VLAN views, the command that first meets the restriction condition takes effect.

    5. Run pppoe-server slot-number max-sessions session-number

      The maximum number of users allowed to go online from an interface board is configured.

    6. Run pppoe-server max-sessions remote-mac session-number [ with-check-location [ padi-mac-check ] ]

      The maximum number of users allowed to go online when a MAC address is used for access from different physical locations is configured. Only one access user is allowed at the same physical location.

      After the pppoe-server max-sessions remote-mac command is run to set the maximum number of users allowed to go online based on a MAC address to be greater than 1, if option105 is not specified in the ppp connection chasten command, the function of limiting the number of PPP user access requests based on MAC addresses does not take effect. To make this function take effect, specify the multi-sessions-permac parameter. If option105 is specified in the ppp connection chasten command, the function of limiting the number of PPP user access requests based on Option 105 still takes effect.

      After executing the pppoe-server max-sessions remote-mac session-number command, you can also allow multiple users to access the network based on one MAC address. In this case, however, physical location information is not checked.

    7. Run pppoe-server same-user forbid

      For the PPPoE users who have the same MAC address and attempt to access the network at the same physical location in a one-to-one mapping between a MAC address and a session, users who go online later are prohibited from accessing the network.

    8. Run aaa

      The AAA view is displayed.

    9. Run ppp username check

      The NetEngine 8000 F is configured to check whether a PPP user access request contains a username and to deny the request if it does not contain a username.

    10. Run commit

      The configuration is committed.
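The following model illustrates the counting behaviour described for ppp connection chasten in step 4 (N authentication failures within request-period freeze the account for blocking-period). It is an added example, not Huawei documentation or device code; the sliding-window counting, the per-key tracking (client MAC, or the Option 105 value when option105 is specified) and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Added model of the `ppp connection chasten` limit (not device code). Assumed
# semantics: per-key sliding window of request_period seconds, block released
# once blocking_period has elapsed.


class PppChasten:
    def __init__(self, request_sessions, request_period, blocking_period):
        self.request_sessions = request_sessions   # failures allowed in the period
        self.request_period = request_period       # window length, seconds
        self.blocking_period = blocking_period     # block duration, seconds
        self._failures = defaultdict(deque)        # key -> recent failure timestamps
        self._blocked_until = {}                   # key -> time the block expires

    def is_blocked(self, key, now):
        """True while the key is inside its blocking period."""
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Block expired: forget it and let the key start counting afresh.
        del self._blocked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key, now):
        """Count one authentication failure; return True if the key is blocked."""
        if self.is_blocked(key, now):
            return True
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] >= self.request_period:
            window.popleft()                       # drop failures outside the window
        if len(window) >= self.request_sessions:
            self._blocked_until[key] = now + self.blocking_period
            window.clear()
            return True
        return False


def simulate(events, request_sessions=3, request_period=60, blocking_period=300):
    """Replay (time, key, auth_ok) events and return the decision for each one."""
    chasten = PppChasten(request_sessions, request_period, blocking_period)
    decisions = []
    for now, key, auth_ok in events:
        if chasten.is_blocked(key, now):
            decisions.append((now, key, "blocked"))
        elif auth_ok:
            decisions.append((now, key, "online"))
        elif chasten.record_failure(key, now):
            decisions.append((now, key, "blocked"))  # this failure started the block
        else:
            decisions.append((now, key, "auth-fail"))
    return decisions


# Constructed sample: client A fails three times within 60 s and stays blocked
# even with the right password; client B's three failures are spread over 140 s.
SAMPLE_EVENTS = [
    (0, "A", False), (0, "B", False), (10, "A", False), (20, "A", False),
    (70, "B", False), (100, "A", True), (140, "B", False), (330, "A", True),
]
```

Calling simulate(SAMPLE_EVENTS) shows client A blocked from its third failure until 320 s have passed, while client B is never blocked because its failures never fall inside one request period.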

  • Limiting the number of IP addresses for PPP users

    A user can access the router through multiple links. If the number of IP addresses of PPP users attempting to access the network reaches the threshold specified for a BAS interface or board, the BAS interface or board does not respond to the PADO packets sent by PPP users and no more PPP users can access the BAS interface or board. In this case, PPP users can go online only through other interfaces or boards. This achieves load balancing among different interfaces and boards.

    This configuration applies only to PPPoE and L2TP users. A single-stack user is counted as one user, and a dual-stack user is counted as two users. When the number of IP addresses of PPP users attempting to access the network from a BAS interface or board reaches the threshold specified, the BAS interface or board stops responding to the PADO packets sent by PPP users and no more PPP users can access the BAS interface or board.

    1. Run system-view

      The system view is displayed.

    2. Run slot slot-id

      The slot view is displayed.

    3. Run access-ip-limit max-number user-type ppp

      The maximum number of IP addresses for PPP users allowed to access the network from a board is configured.

    4. Run quit

      Return to the system view.

    5. Run interface interface-type interface-number

      The interface view is displayed.

    6. Run bas

      A BAS interface is created and the BAS interface view is displayed.

    7. Run access-type layer2-subscriber [ bas-interface-name name | default-domain { pre-authentication domain-name | authentication [ force | replace ] domain-name } * | accounting-copy radius-server radius-name ] *

      The access type and related attributes for Layer 2 common users are configured.

    8. Run access-ip-limit max-number user-type ppp [ exclude ]

      The maximum number of IP addresses for PPP users allowed to access the network from a specified BAS interface is configured. If the number of PPP users who access the network from a BAS interface reaches the maximum number of IP addresses for PPP users allowed to access the network from a board, the BAS interface stops responding to the PADO packets sent by new PPP users. However, the BAS interfaces configured with the exclude parameter have no such limitation.

    9. Run commit

      The configuration is committed.

  • Limiting the number of user access packets

    When a large number of ARP/IPv4/IPv6/ND packets are sent to launch an attack, or unauthorized clients send requests continuously, the CPU usage of the main control board becomes high. You can limit the number of users on a board within a specified period and discard the excess packets.

    1. Run system-view

      The system view is displayed.

    2. Run slot slot-id

      The slot view is displayed.

    3. Run access trigger packet-limit packets-num time seconds [ all ]

      The maximum number of user packets that can be sent on a specified board within a specified period is configured.

    4. Run quit

      Return to the system view.

    5. Run commit

      The configuration is committed.

  • Limiting DHCP user access
    1. Run system-view

      The system view is displayed.

    2. Run dhcp-user-slot-warning-threshold threshold-value

      The alarm threshold for the number of DHCP users who go online from an interface board is configured. If the proportion of the number of DHCP users who go online from the interface board to the total number of access users exceeds the threshold, an alarm is generated.

    3. Run dhcp-user-warning-threshold threshold-value

      The alarm threshold for the number of DHCP users who go online from the NetEngine 8000 F is configured. If the proportion of the number of DHCP users who go online from the NetEngine 8000 F to the total number of users exceeds the threshold, an alarm is generated.

    4. Run dhcp connection chasten { authen-packets authen-packets | request-packets request-packets } * check-period check-period restrain-period restrain-period [ slot slotid ]

      A limit is configured for DHCP access users.

      • You can run the display dhcp chasten-user slot slotid [ mac-address mac-address ] [ state { restrain | check } ] command to view information about DHCP access users for whom a limit is configured.

    5. Run commit

      The configuration is committed.

  • Limiting the number of users who go online from a board
    1. Run system-view

      The system view is displayed.

    2. Run slot-warning-threshold threshold-value

      The alarm threshold for the number of users who go online from a board is configured. If the percentage of the number of users who go online from the board to the total number of access users exceeds the threshold, an alarm is generated.

    3. Run commit

      The configuration is committed.

  • Limiting the access response delay
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-delay step step-value minimum minimum-time maximum maximum-time [ slot slot-id ]

      The user access response delay function is enabled, and the maximum and minimum access response delay times are configured.

      If the access response delay function is enabled both globally and on a BAS interface, the configuration on the BAS interface rather than the global configuration takes effect.

      The access response delay time depends on the number of access users and the configured parameters: the step, the maximum access response delay time, and the minimum access response delay time. It is calculated as follows: divide the number of access users by the step, round the result down, and add the minimum access response delay time. Compare the result (call it N) with the maximum access response delay time.

      • If N is less than or equal to the maximum access response delay time, the access response delay time is N multiplied by 10 ms.
      • If N is greater than the maximum access response delay time, the access response delay time is the maximum access response delay time multiplied by 10 ms.

      For example, assume that the step is 3000, the maximum access response delay is 7, and the minimum access response delay is 3. The delay for access users numbered 0 to 2999 is 3 x 10 ms, the delay for access users numbered 3000 to 5999 is 4 x 10 ms, the delay for access users numbered 6000 to 8999 is 5 x 10 ms, the delay for access users numbered 9000 to 11999 is 6 x 10 ms, and the delay for access users numbered 12000 and later is 7 x 10 ms.

    4. Run quit

      Return to the system view.

    5. (Optional) Run access delay load-balance group group-name [ delay-time ]

      A load balancing group is configured.

      If two devices with the same configuration are deployed, users can go online from any of the two devices that work in master/backup mode. If load balancing groups are configured on both the master and backup devices, run the access delay load-balance group group-name delay-time command to configure a response delay policy for the load balancing group on the backup device. In this way, even if an interface on the backup device is selected in a Hash operation, the interface will not respond to user login requests until the time specified by delay-time elapses. This ensures that users go online preferentially through an interface on the master device. Users will go online through an interface on the backup device only when the master device is faulty.

    6. Run interface interface-type interface-number

      The interface view is displayed.

    7. Run bas

      A BAS interface is created and the BAS interface view is displayed.

    8. (Optional) Run access-delay delay-time load-balance-group group-name

      The interface that requires load balancing is added to the load balancing group. The interfaces in the same load balancing group determine the access response delay based on the hash result of user MAC addresses, achieving inter-board load balancing.

      If the access response delay is not configured for a load balancing group:

      • If the interface through which users go online is selected in a Hash operation, the interface immediately responds to the received login requests.
      • If the interface through which users go online is not selected in a Hash operation, the interface responds to the received login requests after the delay time configured for the BAS interface elapses.

      If the access response delay is configured for a load balancing group:

      • If the interface through which users go online is selected in a Hash operation, the interface responds to the received login requests after the delay time configured for the load balancing group elapses.
      • If the interface through which users go online is not selected in a Hash operation, the interface responds to the received login requests after the delay time configured for the load balancing group plus the delay time configured for the BAS interface elapses.

    9. (Optional) Run access-delay delay-time [ circuit-id-include text-value | even-mac | odd-mac ]

      An access response delay policy is configured on a BAS interface.

      If circuit-id-include is specified, you must run the client-option82 command in the BAS interface view to configure the device to trust the DHCP Option 82 field (for a DHCP user) or the PPPoE+ field (for a PPP user) for the response delay to take effect.

    10. (Optional) Run access delay load-balance algorithm enhance enable

      The enhanced load balancing algorithm is enabled.

      To configure the frequency for updating the preferred access interface in the load balancing group, run the access delay load-balance algorithm enhance update-frequency update-frequency command.

      Currently, this command applies only to PPPoE users.

    11. Run commit

      The configuration is committed.
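The following reproduces the access response delay arithmetic from step 3 (floor(users / step) + minimum, capped at maximum, in units of 10 ms) and the load balancing group rules from step 8. It is an added example, not Huawei documentation or device code; the function names and the unit-agnostic handling of the delay-time parameters are assumptions.

```python
# Added example (not device code): access response delay arithmetic and the
# load balancing group rules as described in the procedure above.


def access_delay_ms(online_users, step, minimum, maximum):
    """Delay, in ms, before the device answers an access request.

    Page formula: N = floor(online_users / step) + minimum; the delay is
    N x 10 ms, or maximum x 10 ms when N exceeds maximum.
    """
    if step <= 0:
        raise ValueError("step must be a positive integer")
    n = online_users // step + minimum
    return min(n, maximum) * 10


def load_balance_delay(bas_delay, selected_by_hash, group_delay=None):
    """Delay applied by a BAS interface that belongs to a load balancing group.

    bas_delay is the interface's own delay-time (access-delay in the BAS
    interface view); group_delay is the group's delay-time, or None when the
    group has no delay configured. Values are combined in whatever unit the
    CLI parameters use (assumption: both are given in the same unit).
    """
    if group_delay is None:
        # No group delay: the hash-selected interface answers immediately.
        return 0 if selected_by_hash else bas_delay
    # Group delay configured: every interface waits at least the group delay.
    return group_delay if selected_by_hash else group_delay + bas_delay


def delay_schedule(step, minimum, maximum, user_counts):
    """Map each user count to its delay; reproduces the page's worked table."""
    return {n: access_delay_ms(n, step, minimum, maximum) for n in user_counts}


if __name__ == "__main__":
    # Parameters from the worked example on this page: step 3000, maximum 7, minimum 3.
    table = delay_schedule(3000, 3, 7, [0, 2999, 3000, 5999, 6000, 9000, 12000, 20000])
    for users, delay in table.items():
        print(f"{users:>6} users -> {delay} ms")
```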

  • Limiting user packets of a specified type
    1. Run system-view

      The system view is displayed.

    2. Run access packet strict-check { all | { nd | dhcpv6 | dhcp | ppp | l2tp | dot1x } * }

      The NetEngine 8000 F is configured to perform strict check on the user packets of a specified type.

      Even if the destination MAC address of the packets sent by a user is not the MAC address of the BAS interface, the user may still receive a response from the router. To prevent this problem, you can run this command to configure strict check on the user packets so that the packets that do not comply with a standard protocol are discarded. This prevents the router from being affected by malicious attacks.

      Additionally, if this command is configured and a user device does not strictly comply with the standard protocol, the involved users may fail to go online. Therefore, exercise caution when running this command.

    3. Run commit

      The configuration is committed.

  • Configure the NetEngine 8000 F to dynamically adjust the number of access users based on the system status.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment system-state enable [ strict-check ]

      The NetEngine 8000 F is configured to adjust the user access rate based on the system status.

    4. Run access-speed adjustment system-state threshold { main-cpu-usage | main-memory-usage | access-queue | slot-cpu-usage | slot-memory-usage | ppp-cpcar-drop | ppp-receive-queue | pppoe-receive-queue | l2tp-queue | dhcp-slot-queue | fes-queue | lns-cpcar-drop | dhcp-server-queue | dhcpv6-server-queue | eap-cpcar-drop } alarm threshold-value resume threshold-value

      The alarm threshold and alarm clear threshold for decreasing the user access rate are configured.

    5. Run access-speed adjustment system-state user-type { { dhcp | pppoe | ipv4-trigger | ipv6-trigger | dot1x } * | none }

      The type of the user whose access rate needs to be adjusted based on the system status is configured.

    6. Run access-speed adjustment system-state time interval adjust-interval delay-count adjust-delay-count [ slot ]

      An interval at which the user access rate is adjusted based on the system status and the minimum number of delay periods for increasing the user access rate are configured.

    7. Run commit

      The configuration is committed.

  • Configure the NetEngine 8000 F to adjust the UM message queue threshold based on the system status.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment system-state threshold access-queue length length-value

      The NetEngine 8000 F is configured to adjust the threshold for the UM message queue usage based on the system status. When the UM message queue usage reaches the threshold, the CPCAR value is decreased or increased as required to control the number of user packets to be sent to the CPU.

    4. Run commit

      The configuration is committed.

  • Configure the NetEngine 8000 F to adjust the access rate for users who send ARP/IPv4/IPv6/ND packets to go online based on the system status.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment system-state packet-limit trigger enable

      The NetEngine 8000 F is enabled to adjust the access rate of users who send ARP/IPv4/IPv6/ND packets to go online based on the system status.

    4. Run commit

      The configuration is committed.

  • Configure the NetEngine 8000 F to preferentially allocate CPU resources to online users.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment edsg-queue enable

      The NetEngine 8000 F is enabled to preferentially allocate CPU resources to online users. In this case, EDSG services enter the activation queue and are not activated immediately.

    4. Run commit

      The configuration is committed.

  • Configure the NetEngine 8000 F to generate an alarm when the user resource usage or CPU usage exceeds a specified threshold and to clear the alarm when the user resource usage or CPU usage falls below the threshold.
    1. Run system-view

      The system view is displayed.

    2. Run access-user exhaust warning enable

      The NetEngine 8000 F is configured to generate an alarm when the user resource usage or CPU usage reaches a specified threshold and to clear the alarm when the user resource usage or CPU usage falls below the threshold.

    3. Run access-user exhaust threshold-alarm { main-resource-usage | slot-resource-usage | main-cpu-usage | slot-cpu-usage } upper-limit upper-limit lower-limit lower-limit

      The alarm threshold and alarm clear threshold for the user resource usage or CPU usage are configured.

    4. Run commit

      The configuration is committed.

  • Configure the maximum number of active sessions when the NetEngine 8000 F functions as a RADIUS proxy.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run access-speed adjustment system-state radius-proxy active-session threshold restrain restrain-threshold-value resume resume-threshold-value

      The suppression threshold and recovery threshold for the maximum number of active sessions are configured for the RADIUS proxy.

    4. Run commit

      The configuration is committed.

Copyright © Huawei Technologies Co., Ltd.