This section provides an example of configuring Ethernet Layer 2 leased line access.
On the network shown in Figure 1, the networking requirements are as follows:
Ethernet Layer 2 leased line users access the Internet through GE 0/1/2.1 on the router.
The username is layer2lease1@isp1 and the password is Root@123 for the leased line.
The VLAN ID for a leased line user ranges from 1 to 100.
The leased line users obtain IP addresses from the router through DHCP.
RADIUS authentication and RADIUS accounting are used. The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1645, and the accounting port number is 1646. The RADIUS+1.1 protocol is used. The shared key is Huawei.
The IP address of the DNS server is 192.168.7.252.
The network-side interface is GE 0/1/1.
The configuration roadmap is as follows:
Configure authentication and accounting schemes.
Configure a RADIUS server group.
Configure an address pool.
Configure an authentication domain.
Configure access interfaces.
To complete the configuration, you need the following data:
Authentication template name and authentication mode
Accounting template name and accounting mode
RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server
IP address pool name, gateway address, and DNS server address
Domain name
BAS interface parameters
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit

[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1645
[*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1646
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] radius-server type plus11
[*HUAWEI-radius-rd1] radius-server shared-key Huawei
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] quit

[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.82.0.1 255.255.0.0
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[~HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
If the access interface is an Ethernet sub-interface, you must configure a VLAN. If the access interface is an Ethernet main interface, no VLAN is required.
You can configure multiple VLANs for an interface used for Layer 2 leased line access.
[~HUAWEI] interface GigabitEthernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 100
[~HUAWEI-GigabitEthernet0/1/2.1-vlan-1-100] quit
[~HUAWEI-GigabitEthernet0/1/2.1] bas
[~HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-leased-line user-name layer2lease1 password cipher Root@123 default-domain authentication isp1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.1] quit
#
sysname HUAWEI
#
radius-server group rd1
 radius-server shared-key-cipher %^%#`E)v.Q@BHVzxxZ;ij{>&_M0!TGP7YRA@8a7mq<\/%^%#
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface GigabitEthernet0/1/2
 undo shutdown
#
interface GigabitEthernet0/1/2.1
 user-vlan 1 100
 bas
 #
  access-type layer2-leased-line user-name layer2lease1 password cipher %^%#4*RHO=w*}.d\>j09'Z:%=:co~p\w9'G-^|-zR'N4%^%# default-domain authentication isp1
 #
#
ip pool pool1 bas local
 gateway 10.82.0.1 255.255.255.0
 section 0 10.82.0.2 10.82.0.200
 dns-server 192.168.7.252
#
aaa
 #
 authentication-scheme auth1
 #
 accounting-scheme acct1
 #
 domain default0
 #
 domain default1
 #
 domain default_admin
 #
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
return
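The domain and the BAS interface bind the schemes, RADIUS server group, address pool and domain by name only, so a mistyped name leaves leased line users without authentication or addresses. The following Python check is an added example, not part of the original documentation or any Huawei tool. It assumes the indented layout of the saved configuration file, and it treats a saved `radius-server shared-key` line as a key not held in `shared-key-cipher` form; `audit`, `DEFINED`, `REF` and the sample text are hypothetical names and constructed data.

```python
import ipaddress
import re

# Constructed sample in the saved-file layout; the CIPHER_* strings are placeholders.
SAMPLE = """\
radius-server group rd1
 radius-server shared-key-cipher CIPHER_PLACEHOLDER_1
#
interface GigabitEthernet0/1/2.1
 bas
  access-type layer2-leased-line user-name layer2lease1 password cipher CIPHER_PLACEHOLDER_2 default-domain authentication isp1
#
ip pool pool1 bas local
 gateway 10.82.0.1 255.255.255.0
 section 0 10.82.0.2 10.82.0.200
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
"""
DEFINED = {  # reference keyword -> pattern for the line that defines that object
    "authentication-scheme": r"^ authentication-scheme (\S+)",
    "accounting-scheme": r"^ accounting-scheme (\S+)",
    "radius-server group": r"^radius-server group (\S+)",
    "ip-pool": r"^ip pool (\S+)",
    "default-domain authentication": r"^ domain (\S+)",
}
REF = r"^  .*?\b(" + "|".join(DEFINED) + r") (\S+)"  # references sit two spaces deep

def audit(cfg):
    """Return findings for a saved configuration; an empty list means all checks passed."""
    findings = []
    for kind, name in re.findall(REF, cfg, re.M):
        if name not in re.findall(DEFINED[kind], cfg, re.M):
            findings.append(f"{kind} {name}: referenced but not defined")
    if re.search(r"^ *radius-server shared-key \S", cfg, re.M):  # assumption: cipher form expected
        findings.append("RADIUS shared key is not stored in shared-key-cipher form")
    for pool, body in re.findall(r"^ip pool (\S+).*\n((?: .*\n)*)", cfg, re.M):
        gw = re.search(r"gateway (\S+) (\S+)", body)
        net = ipaddress.ip_network(f"{gw[1]}/{gw[2]}", strict=False) if gw else None
        for start, end in re.findall(r"section \d+ (\S+) (\S+)", body):
            if not (net and all(ipaddress.ip_address(a) in net for a in (start, end))):
                findings.append(f"pool {pool}: section {start}-{end} is outside gateway network {net}")
    return findings
```

Run `audit()` on the text of the saved configuration file; each returned string names the object to correct.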