Configuring a BAS Interface

When an interface is used for broadband access, you need to configure it as a BAS interface, and then specify the user access type and attributes for the interface.

Context

When configuring a BAS interface, you need the following parameters:

  • BAS interface number

  • Access type and authentication scheme

  • (Optional) Maximum number of users allowed access through the BAS interface and maximum number of users allowed access in a specified VLAN

  • (Optional) Default domain, roaming domain, and domains that users are allowed to access

  • (Optional) Whether to enable proxy ARP, DHCP broadcast, accounting packet copy, IP packet-triggered user login, and user-based multicast replication

  • (Optional) Whether to trust client-reported Access-Line-Id information, user detection parameters, VPN instances of non-PPP users, and BAS interface name

  • For security purposes, use an eight-character or longer password that contains at least two types of the following: uppercase letters, lowercase letters, digits, and special characters.
  • You are advised to configure your password in ciphertext mode and change it periodically.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [. subinterface-number ]

    The interface view is displayed.

    In scenarios of BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate command to configure a VE interface as an L2VE interface to terminate an L2VPN and bind the interface to a VE-group. In scenarios of BRAS access through L3VPN termination, run the ve-group ve-group-id l3-terminate command to configure a VE interface as an L3VE interface to terminate an L3VPN and bind the interface to a VE-group. The preceding commands are configured in the VE interface view. Only Layer 3 static user access is supported in scenarios of BRAS access through L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN Termination.

  3. Run bas

    A BAS interface is created, and the BAS interface view is displayed.

    You can configure an interface as the BAS interface by running the bas command in the interface view. You can configure an Ethernet interface or its sub-interface, a VE interface or its sub-interface, or an Eth-Trunk interface or its sub-interface as a BAS interface.

  4. Run any of the following commands:

    • To set the access type to Layer 2 subscriber access and configure the attributes of this access type, run the access-type layer2-subscriber [ bas-interface-name bname | default-domain { pre-authentication predname | authentication [ force | replace ] dname } * | accounting-copy radius-server rd-name ] * command.
    • To set the access type to Layer 3 subscriber access and configure the attributes of this access type, run the access-type layer3-subscriber [ default-domain { [ pre-authentication predname ] authentication [ force | replace ] dname } *] command.
    • When setting the access type of a BAS interface, you can set the service attributes of the access users at the same time. You can also set these attributes in later configurations.

    • To specify the IP address segment for Layer 3 common users, run the layer3-subscriber { start-ip-address [ end-ip-address ] | start-ipv6-address [ end-ipv6-address ] | delegation-prefix start-ipv6-address [ end-ipv6-address ] [ end-ip-address ] [ vpn-instance instance-name ] domain-name domain-name command.
    • To specify the authentication domain for Layer 3 common users, run the layer3-subscriber ip-address any domain-name domain-name command.
    • To configure a mask so that an IPv4 address segment and an authentication domain name are specified for Layer 3 static users, run the layer3-subscriber subnet-session start-ip-address { mask-address | mask-length } [ vpn-instance instance-name ] [ domain-name domain-name ] [ routed [ route-preference preference-value ] ] command.
    • The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk interface. You can configure the access type of such an Ethernet interface only on the associated Eth-Trunk interface.

    • When configuring static routes for Layer 3 users, specify the next hop as the user IP address and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be forwarded.

    • To set the access type to Layer 2 leased line access and configure the attributes of this access type, run the access-type layer2-leased-line user-name uname password { cipher password | simple password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } ] * command.
    • To set the access type to Layer 3 leased line access and configure the attributes of this access type, run the access-type layer3-leased-line { user-name uname | user-name-template } password { cipher password | simple password } [ default-domain authentication dname | bas-interface-name bname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } | mac-address mac-address | client-id client-id ] * command.
    • If a BAS interface has an online user, you can change the access type of the BAS interface only when the online user is a leased line user.

    • After the access type is set to leased line access, the NetEngine 8000 F performs authentication on the leased line users immediately.

  5. (Optional) Run access leased-line connection chasten request-session request-period blocking-period quickoffline

    Suppression of leased line user access is enabled.

    If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is 0, the leased line user can go online but will go offline immediately. This results in frequent login and logout of leased line users.

    The command can be run to configure the maximum allowable number of connection requests, the interval at which connection requests can be sent, and a blocking period.

  6. (Optional) Run trust 8021p-protocol

    The BAS interface is configured to trust the 802.1p priority of VLAN packets.

    The trust 8021p-protocol command can be configured only if the access type is set to Layer 2 subscriber access.

  7. (Optional) Run access-limit user-number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] [ user-type { ipoe { ipv4 | ipv6 } | pppoe } ] ]

    The maximum number of users allowed access through the interface is configured.

    • If the access-limit command is configured on a BAS sub-interface, the maximum number of access users in a VLAN or a VLAN range is limited.
    • If the access-limit command is configured on a BAS interface and no VLAN range is specified, the maximum number of VLAN users accessing the BAS interface is limited for each VLAN. Note that the access-limit command configuration on a sub-interface takes precedence over that on the corresponding main interface.
    • You can also specify the user-type parameter to limit the maximum number of access users based on a specified access type.

  8. (Optional) Run any of the following commands:

    • To specify the default pre-authentication domain, run the default-domain pre-authentication domain-name command.

    • To specify the default authentication domain, run the default-domain authentication [ force | replace ] domain-name command.

    • To specify the domains in which users are allowed to access the BAS interface, run the permit-domain domain-name &<1-16> command.

    • To specify the domains in which users are denied access to the BAS interface, run the deny-domain domain-name &<1-16> command.

      The permit-domain command cannot be configured together with the deny-domain, deny-domain-list, or permit-domain-list command on a BAS interface.

    • To specify a list of domains in which users are allowed to access the BAS interface, run the permit-domain-list command.

    • To specify a list of domains in which users are denied access to the BAS interface, run the deny-domain-list command.

  9. (Optional) Run any of the following commands:

    • To configure the NetEngine 8000 F to trust the Access-Line-Id information reported by clients, run the client-option82 [ basinfo-insert { cn-telecom [ version2 ] | version3 } | version1 ] or client-access-line-id [ basinfo-insert { cn-telecom [ version2 ] | version3 } | version1 ] command.

    • To configure the NetEngine 8000 F to insert the Access-Line-Id information in the format defined by cn-telecom instead of trusting that reported by clients, run the basinfo-insert cn-telecom command.

    • To configure the NetEngine 8000 F to trust the Access-Line-Id information in the format defined by version2 instead of trusting that reported by clients, run the basinfo-insert version2 command.

    • To enable the function to locate a user through the virtual BAS (vBAS), run the vbas vbas-mac-address [ auth-mode { ignore | reject } ] command.

    • To enable the NetEngine 8000 F to extract information from the Access-Line-Id field in a packet sent by the DSLAM and add the information to Agent-Circuit-ID and Agent-Remote-ID attributes of packets to be sent to the RADIUS server, run the option82-relay-mode dslam { auto-identify | config-identify } command.
    • To allow the NAS-Port-Id attribute to be sent to the RADIUS server to carry Access-Line-Id information, run the option82-relay-mode include { allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command.
    • To configure the format of Agent-Circuit-ID or Agent-Remote-ID information, run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-remote-id { hex | string } } command.

  10. (Optional) Run access-line-id update online

    The device is enabled to update the Option 82 information of an online user through a DHCP Request message for lease renewal.

  11. (Optional) Run dhcp option82-mismatch action offline

    The device is configured to log out an online user when the Option 82 information carried in the Discover packets, Request packets, or lease renewal packets sent by the online user is changed.

    Before the dhcp option82-mismatch action offline command is run, perform the following operations:

  12. (Optional) Run client-option60

    The NetEngine 8000 F is configured to trust the Option 60 information reported by clients.

    If user domain information is obtained from Option 60, the character string following the domain name delimiter (@ by default) in the Option 60 field is used as the domain name. If the field contains no domain name delimiter, the router performs a fuzzy or exact match of the domain name information based on the configured mode. If no user domain information is obtained from Option 60, the router continues searching for the information in the following order and stops as soon as user domain information is obtained:

    • Check whether the client-option60 command is configured on the BAS interface. If the command is configured, obtain user domain information based on the command configuration.
    • Check whether the dhcp option-60 command is configured in the system view. If the command is configured, obtain user domain information based on the command configuration.
    • Use the authentication domain configured on the BAS interface as the user domain.

  13. (Optional) Run option37-relay-mode include remote-id

    The DHCP6ACC component is enabled to remove enterprise number information from Option 37 in a Solicit or Request message to be sent to the UM component.

    The following operations must have been performed:

    • Run the client-option37 [ basinfo-insert ft-telecom ] command to enable the NetEngine 8000 F to trust the information in the Option 37 field of DHCPv6 messages sent by clients.
    • Run the client-option18 command to enable the server to trust the information in the Option 18 field of DHCPv6 messages sent by clients.

  14. (Optional) Run accounting-copy radius-server radius-name

    The accounting packet copy function is enabled.

  15. (Optional) Run link-account resolve

    The NetEngine 8000 F is enabled to carry link-account information in an Accounting-Request packet to be sent to a RADIUS server.

    Before running the command, set the access type to Layer 2 subscriber access.

    The command affects the RADIUS attribute 25 in Accounting-Request packets sent by the NetEngine 8000 F to a RADIUS accounting server.

    An interface fills the link-account information in the RADIUS attribute 25 (Class) if both of the following conditions are met:
    • None authentication and RADIUS accounting are configured for users going online through the interface.
    • For Layer 2 common users, VLANs and VLAN descriptions are configured on the interface.

  16. Perform the following configurations by service type:

    • For IPoE access services:

      Run the ip-trigger command to enable user access triggered by IP packets or run the arp-trigger command to enable user access triggered by ARP packets.

    • For IPoEv6 access services:

      Run the ipv6-trigger command to enable user access triggered by IPv6 packets or run the nd-trigger command to enable user access triggered by NS/NA packets.

  17. (Optional) Run wlan-switch enable [ switch-group switch-group-name ]

    WLAN user roaming switchover is enabled.

    After WLAN user roaming switchover is enabled on a BAS interface, you need to configure the interface to use received user packets to trigger roaming procedures for WLAN users. Perform the following configurations based on the actual roaming scenarios:
    • If users do not pass through Wi-Fi blind spots when roaming between different APs, run either the ip-trigger or arp-trigger command or both to configure the interface to trigger roaming procedures for the WLAN users based on the received IP or ARP packets, or run the ipv6-trigger command to configure the interface to trigger roaming procedures for Layer 2 IPv6 users based on the received IPv6 packets.
    • If users pass through Wi-Fi blind spots when roaming between different APs, run the dhcp session-mismatch action roam { ipv4 | ipv6 | nd } * command to configure the interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6 Solicit messages or ND RS messages to re-log in.

    After the preceding steps are performed, WLAN users do not need to be re-authenticated for login after being logged out when roaming between different APs. This ensures that services are not interrupted.

  18. (Optional) Run user detect retransmit num interval time [ datacheck ] or user detect datacheck

    User detection parameters are configured.

  19. (Optional) Run dhcp session-mismatch action offline

    Online users whose physical location information is changed but MAC addresses remain unchanged are logged out when they resend DHCP or ND login requests.

  20. (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } ]

    The BAS interface is blocked.

    If you run the block start-vlan any qinq command in the interface view to set the interface status to blocked, all users who go online from this interface with the specified VLAN ID are prohibited from access.

  21. Run authentication-method { bind | { ppp } * }

    The authentication method is configured.

    You can configure authentication methods for only Layer 2 users on BAS interfaces. Multiple authentication methods can be configured on a BAS interface but you should note the following:

    • Binding authentication conflicts with the other authentication modes.

  22. (Optional) Run select-authentication-domain individual

    The device is enabled to use the domain carried in an EAP user name as the authentication domain for an EAP-authentication-based RADIUS proxy user.

  23. (Optional) Run dhcp-reply trust broadcast-flag

    The device is enabled to use the broadcast flag value in a DHCP request packet to determine the destination MAC address type for a DHCP response packet.

    After the dhcp-reply trust broadcast-flag command is run, if the broadcast flag value in a DHCP request packet is 1, the device replies with a DHCP response packet whose destination MAC address is the broadcast address (all Fs); if the broadcast flag value in a DHCP request packet is 0, the device replies with a DHCP response packet whose destination MAC address is the user MAC address.

    The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.

    The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast command.

  24. (Optional) Run dhcpv6 user-identify-policy { option79-option38 | option38-option79 | option79 | option38 } [ no-exist-action offline ]

    A method is configured for obtaining MAC addresses of Layer 3 DHCPv6 users during login.

  25. Run commit

    The configuration is committed.
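The following session is an added end-to-end example, not taken from the Huawei documentation, that assembles the steps above into two BAS interfaces on a NetEngine 8000 F: a Layer 2 subscriber sub-interface for IPoE users and a Layer 2 leased-line main interface. The device name HUAWEI, the prompts, the interface numbers GigabitEthernet0/1/0.1 and GigabitEthernet0/1/1, the domains isp1 and isp2, the user name ll-user1, the numeric limits and the password placeholder are all constructed; the sub-interface's VLAN encapsulation and the AAA domains themselves are configured outside this page and are omitted. Only commands that appear in the procedure (plus quit) are used.

```text
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] bas
[*HUAWEI-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber default-domain authentication isp1
[*HUAWEI-GigabitEthernet0/1/0.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/0.1-bas] permit-domain isp1 isp2
[*HUAWEI-GigabitEthernet0/1/0.1-bas] access-limit 4000
[*HUAWEI-GigabitEthernet0/1/0.1-bas] trust 8021p-protocol
[*HUAWEI-GigabitEthernet0/1/0.1-bas] client-option82
[*HUAWEI-GigabitEthernet0/1/0.1-bas] option82-relay-mode include agent-circuit-id agent-remote-id
[*HUAWEI-GigabitEthernet0/1/0.1-bas] ip-trigger
[*HUAWEI-GigabitEthernet0/1/0.1-bas] arp-trigger
[*HUAWEI-GigabitEthernet0/1/0.1-bas] dhcp session-mismatch action offline
[*HUAWEI-GigabitEthernet0/1/0.1-bas] user detect retransmit 3 interval 30
[*HUAWEI-GigabitEthernet0/1/0.1-bas] dhcp-reply trust broadcast-flag
[*HUAWEI-GigabitEthernet0/1/0.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/0.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] bas
[*HUAWEI-GigabitEthernet0/1/1-bas] access-type layer2-leased-line user-name ll-user1 password cipher <strong-password> default-domain authentication isp1
[*HUAWEI-GigabitEthernet0/1/1-bas] access leased-line connection chasten 5 60 300 quickoffline
[*HUAWEI-GigabitEthernet0/1/1-bas] commit
```

On the subscriber sub-interface, authentication-method bind is chosen because binding authentication conflicts with the other methods (step 21), and the ip-trigger and arp-trigger commands are what make IPoE users go online (step 16). The permit-domain command is used alone because it cannot coexist with deny-domain, deny-domain-list or permit-domain-list on the same interface (step 8). On the leased-line interface the password is given in cipher form, as the Context section advises; the simple form stores it in plaintext in the configuration. The chasten parameters limit repeated login and logout when the RADIUS server delivers a zero duration or traffic quota (step 5).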

Copyright © Huawei Technologies Co., Ltd.