Example for Configuring PPPoE Access for IPv4 Users to a VPN

This section provides an example for configuring PPPoE access for IPv4 users to a VPN.

Networking Requirements

On the network shown in Figure 1, users belong to the domain isp1. The network-side interface on the router is GE 0/1/2. To allow the users to go online using IPv4 addresses, configure PPPoEoVLAN access. The requirements are as follows:
  • The users belong to the domain isp1 and use PPPoE to go online through GE 0/1/1.1 on the router.

  • RADIUS non-authentication and non-accounting are used.

  • The IP address of the RADIUS server is 192.168.7.249. The authentication and accounting port numbers are 1645 and 1646, respectively. RADIUS+1.1 is used, with the shared key it-is-my-secret1.

  • The IP address of the DNS server is 192.168.7.252.

  • The network-side interface is GE 0/1/1.

Figure 1 Networking for configuring PPPoE Access for IPv4 Users to a VPN

Interfaces 1 and 2 in this example represent GE 0/1/1.1 and GE 0/1/2, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VT.

  2. Configure AAA schemes.

  3. Configure a RADIUS server group.

  4. Configure an IPv4 address pool.

  5. Configure a domain and bind the VPN instance to the domain.

  6. Configure a user-side VLAN and bind the VT to a sub-interface.

  7. Configure a BAS interface.

Data Preparation

  • VT number
  • Authentication and accounting schemes and their names
  • RADIUS server group name and server address
  • DNS server address
  • User domain name
  • BAS interface parameters

Procedure

  1. Configure a VT.

    <HUAWEI> system-view
    [~HUAWEI] sysname DeviceA
    [~DeviceA] interface virtual-template 1
    [*DeviceA-Virtual-Template1] ppp authentication-mode chap
    [*DeviceA-Virtual-Template1] commit
    [*DeviceA-Virtual-Template1] quit

  2. Configure AAA schemes.

    # Configure an authentication scheme.

    [~DeviceA] aaa
    [~DeviceA-aaa] authentication-scheme none
    [*DeviceA-aaa-authen-none] authentication-mode none
    [*DeviceA-aaa-authen-none] commit
    [~DeviceA-aaa-authen-none] quit

    # Configure an accounting scheme.

    [~DeviceA-aaa] accounting-scheme none
    [*DeviceA-aaa-accounting-none] accounting-mode none
    [*DeviceA-aaa-accounting-none] commit
    [~DeviceA-aaa-accounting-none] quit
    [~DeviceA-aaa] quit

  3. Configure a VPN instance.

    [~DeviceA] ip vpn-instance isp1
    [*DeviceA-vpn-instance-isp1] ipv4-family
    [*DeviceA-vpn-instance-isp1-af-ipv4] route-distinguisher 100:2
    [*DeviceA-vpn-instance-isp1-af-ipv4] vpn-target 100:100 export-extcommunity
    [*DeviceA-vpn-instance-isp1-af-ipv4] vpn-target 100:100 import-extcommunity
    [*DeviceA-vpn-instance-isp1-af-ipv4] commit
    [~DeviceA-vpn-instance-isp1-af-ipv4] quit
    [~DeviceA-vpn-instance-isp1] quit

  4. Configure a RADIUS server group.

    [~DeviceA] radius-server group rd1
    [*DeviceA-radius-rd1] radius-server authentication 192.168.7.249 1645
    [*DeviceA-radius-rd1] radius-server accounting 192.168.7.249 1646
    [*DeviceA-radius-rd1] radius-server type plus11
    [*DeviceA-radius-rd1] radius-server shared-key-cipher it-is-my-secret1 
    [*DeviceA-radius-rd1] commit
    [*DeviceA-radius-rd1] quit

  5. Configure an IPv4 address pool.

    [~DeviceA] ip pool pool1 bas local
    [*DeviceA-ip-pool-pool1] gateway 10.82.0.1 255.255.255.0
    [*DeviceA-ip-pool-pool1] commit
    [~DeviceA-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
    [~DeviceA-ip-pool-pool1] dns-server 192.168.7.252
    [*DeviceA-ip-pool-pool1] commit
    [~DeviceA-ip-pool-pool1] vpn-instance isp1
    [~DeviceA-ip-pool-pool1] quit

  6. Configure a domain and bind the VPN instance to the domain.

    [~DeviceA] aaa
    [~DeviceA-aaa] domain isp1
    [*DeviceA-aaa-domain-isp1] authentication-scheme none
    [*DeviceA-aaa-domain-isp1] accounting-scheme none
    [*DeviceA-aaa-domain-isp1] radius-server group rd1
    [*DeviceA-aaa-domain-isp1] commit
    [~DeviceA-aaa-domain-isp1] ip-pool pool1
    [~DeviceA-aaa-domain-isp1] vpn-instance isp1
    [~DeviceA-aaa-domain-isp1] quit
    [~DeviceA-aaa] quit

  7. Configure user VLANs on the sub-interface and bind the VT to it.

    # Configure user VLANs on GE 0/1/1.1 and bind the VT to it.

    [~DeviceA] interface gigabitethernet 0/1/1.1
    [*DeviceA-GigabitEthernet0/1/1.1] commit
    [~DeviceA-GigabitEthernet0/1/1.1] user-vlan 1 2
    [~DeviceA-GigabitEthernet0/1/1.1-vlan-1-2] quit
    [~DeviceA-GigabitEthernet0/1/1.1] pppoe-server bind virtual-template 1
    [*DeviceA-GigabitEthernet0/1/1.1] commit

  8. Configure a BAS interface.

    [~DeviceA-GigabitEthernet0/1/1.1] bas
    [~DeviceA-GigabitEthernet0/1/1.1-bas] access-type layer2-subscriber
    [*DeviceA-GigabitEthernet0/1/1.1-bas] authentication-method ppp
    [*DeviceA-GigabitEthernet0/1/1.1-bas] commit
    [~DeviceA-GigabitEthernet0/1/1.1-bas] quit
    [~DeviceA-GigabitEthernet0/1/1.1] quit

    In this example, users go online with the domain name isp1 carried in the user names. Therefore, the BAS interface does not need to have any authentication domain configured. If users go online with no domain name carried in the user names, you must specify an authentication domain on the BAS interface.

  9. Verify the configuration.

    # Check information about the address pool named pool1. The command output shows that the gateway address is 10.82.0.1, the addresses in the pool range from 10.82.0.2 to 10.82.0.200, and the DNS server address is 192.168.7.252.

    [~DeviceA] display ip pool name pool1
    2020-01-23 17:38:40.529
      ------------------------------------------------------------------------------
      Pool-Name      : pool1
      Pool-No        : 270
      Pool-constant-index: 270
      Lease          : 3 Days 0 Hours 0 Minutes
      Frameip-Lease-Manage:  disable
      NetBios Type   : N-Node
      Auto recycle   : 30
      Option 3       : Enable
      DNS-Suffix     : -
      Dom-Search-List0: -
      Dom-Search-List1: -
      Dom-Search-List2: -
      Dom-Search-List3: -
      Option-Code 125 : enterprise-code : 2011, string: -
     
      DNS1         :192.168.7.252
      Position       : Local           Status           : Unlocked
      RUI-Flag       : -
      Attribute      : Private
      Gateway        : 10.82.0.1       Mask             : 255.255.255.0
      Vpn instance   : isp1            Unnumbered gateway: -
      Profile-Name   : -               Server-Name     : -
      Total Idle     : 199             Have Dhcp IP     : 1
      Timeouts       : 0
      Timeout Count  : 0               Sub Option Count : 0
      Option Count   : 0               Force-reply Count: 0
      Auto-Blocked Times: 0            IP Allocation Failures: 0
      Codes: CFLCT(conflicted)         Wait-Request-Time: --
      IP Loose Check : 0               Blocked Times : 0
      -------------------------------------------------------------------------------------------------------
      ID           start             end   total    used    idle   CFLCT disable reserved static-bind delayed
      ------------------------------------------------------------------------------------------------------
      0       10.82.0.2     10.82.0.200     199       0     199       0       0        0           0       0
      -------------------------------------------------------------------------------------------------------

    # Check information about the domain named isp1. The command output shows that the address pool named pool1 is bound to the domain.

    [~DeviceA] display domain isp1
    2020-01-23 17:40:01.532
    ------------------------------------------------------------------------------
      Domain-name                     : isp1
      Domain-state                    : Active
      Authentication-scheme-name      : none
      Accounting-scheme-name          : none
      Authorization-scheme-name       : -
      Vpn-instance-name               : isp1
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Primary-DNS-IPV6-address        : -
      Second-DNS-IPV6-address         : -
      Web-server-URL-parameter        : No
      Portal-server-URL-parameter     : No
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      Time-range                      : Disable
      Idle-cut direction              : Both
      Idle-data-attribute (time,flow) : 0, 60
      User detect interval            : 0s
      User detect retransmit times    : 0
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : default
      User-access-limit               : 1045504
      Online-number                   : 0
      Web-IP-address                  : -
      Web-IPv6-address                : -
      Dns-redirect-IP-address         : -
      Web-URL                         : -
      Web-auth-server                 : -
      Web-auth-state                  : -
      Web-server-mode                 : get
      Slave Web-IP-address            : -
      Slave Web-IPv6-address          : -
      Slave Web-URL                   : -
      Slave Web-auth-server           : -
      Slave Web-auth-state            : -
      Web-server identical-url        : Disable
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      Portal-server identical-url     : Disable
      Service-policy(Portal)          : -
      Ds-lite IPv4 portal             : Disable
      PPPoE-user-URL                  : Disable
      AdminUser-priority              : 16
      IPUser-ReAuth-Time              : 300s
      mscg-name-portal-key            : -
      Portal-user-first-url-key       : -
      User-session-limit              : 4294967295
      Ancp auto qos adapt             : Disable
      L2TP-group-name                 : -
      User-lease-time-no-response     : 0s
      RADIUS-server-template          : -
      Two-acct-template               : -
      RADIUS-server-pre-template      : -
                                        -
                                        -
      RADIUS-server-llid-first-template: -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disable
      Qos-profile-name inbound        : -
      Qos-profile-name outbound       : -
     
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      IP-warning-threshold(Low)       : -
      IPv6-warning-threshold          : -
      IPv6-warning-threshold(Low)     : -
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Multicast-profile ipv6          : -
      Multicast-policy                : -
      Multicast-bandwidth             : -
      Multicast-bandwidth-level-1     : -
      IP-address-pool-name            : pool1
      Quota-out                       : Offline
      Service-type                    : -
      User-basic-service-ip-type      : -/-/-
      PPP-ipv6-address-protocol       : Ndra
      IPv6-information-protocol       : Stateless dhcpv6
      IPv6-PPP-assign-interfaceid     : Disable
      IPv6-PPP-NDRA-halt              : Disable
      IPv6-PPP-NDRA-unicast           : Disable
      Trigger-packet-wait-delay       : 60s
      Peer-backup                     : Enable
      Reallocate-ip-address           : Disable
      Cui  enable                     : Disable
      Igmp enable                     : Enable
      CPE IP address                  : -
      Pim snooping enable             : Enable
      L2tp-user radius-force          : Disable
      Accounting dual-stack           : Separate
      Radius server domain-annex      : -
      Dhcp-option64-service           : Disable
      Parse-separator                 : -
      Parse-segment-value             : -
      Dhcp-receive-server-packet      : -
      Http-hostcar                    : Disable
      Public-address assign-first     : Disable
      Public-address nat              : Enable
      Dhcp-user auto-save             : Disable
      IP-pool usage-status threshold  : 255 , 255
      Select-Pool-Rule                : gateway + local priority
      AFTR name                       : -
      Traffic-rate-mode               : Separate
      Traffic-statistic-mode          : Separate
      Rate-limit-mode-inbound         : Car
      Rate-limit-mode-outbound        : Car
      Service-change-mode             : Stop-start
      Session-group function          : Disable
      DAA Direction                   : both
      Session Volumequota apply direction: both
      Soap-server group               : -
      Nas logic-sysname               : -
      Accounting exclude-type vlan    : -/-
      Framed-ip urpf                  : Enable
      RA link-prefix                  : Disable
      Local backup                    : Enable
      DAA start accounting merge      : disable
      DAA stop accounting merge       : disable
      DAA interim accounting merge    : disable
      DAA merged interim accounting interval(minute) : --
      DAA merged interim accounting hash  : disable
      EDSG stop accounting merge      : disable
      EDSG interim accounting merge   : disable
      EDSG merged interim accounting interval(minute): --
      EDSG merged interim accounting hash : disable
      Stop dropped flow direction     : -
      Interval dropped flow direction : -
      Edsg family-schedule inbound    : Disable
      Edsg family-schedule outbound   : Disable
      Layer2 IPoE ip-pool select-mode : Local
      Layer2 PPPoE ip-pool select-mode: Local
      access-trigger loose time(minute)   : 0
      access-trigger loose infinite-lease : Disable
      IPv6 address assignment mode    : -
      LNS Tcp-Ack Priority-Car        : Disable
      EDSG Tcp-Ack Priority-Car       : Disable
      Include LNS-IPv6                : Disable
      Map priority                    : MAP-E
      Coa-zero-lease Dual-cut         : Disable
      COA lease zero policy           : -
      Authentication fail online domain : -
      ------------------------------------------------------------------------------

Configuration Files

#
 sysname DeviceA
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface GigabitEthernet0/1/1
#
interface GigabitEthernet0/1/1.1
 pppoe-server bind Virtual-Template 1
 user-vlan 1 2
 bas
 access-type layer2-subscriber
#
ip vpn-instance isp1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:100 export-extcommunity
  vpn-target 100:100 import-extcommunity
# 
interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.0
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key-cipher %^%#clY:%[]x='-RMNJus[s/VJ:3YBq3<..|.{'xgbp+%^%
 radius-server type plus11
 radius-server traffic-unit kbyte
#
ip pool pool1 bas local
 gateway 10.82.0.1 255.255.255.0
 section 0 10.82.0.2 10.82.0.200
 dns-server 192.168.7.252
#
aaa
 #
 authentication-scheme none
  authentication-mode none
 #
 accounting-scheme none
  accounting-mode none
#
 domain default0
 domain default1
 domain default_admin
#
 domain isp1
  authentication-scheme none
  accounting-scheme none
  radius-server group rd1
  ip-pool pool1
  vpn-instance isp1
#
return
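
The following audit is an added example, not part of the original Huawei document. It parses the aaa section of the configuration file above and reports each domain whose referenced schemes use mode none, which means subscribers in that domain are admitted and left unaccounted without a credential check even though the VT negotiates CHAP and a RADIUS server group is bound. The names audit_aaa and SAMPLE are hypothetical, and the sample input is constructed from the configuration shown on this page.

```python
import re

# Constructed input: the aaa section of this page's configuration file.
SAMPLE = """aaa
 #
 authentication-scheme none
  authentication-mode none
 #
 accounting-scheme none
  accounting-mode none
#
 domain default0
#
 domain isp1
  authentication-scheme none
  accounting-scheme none
  radius-server group rd1
  ip-pool pool1
  vpn-instance isp1
#
return
"""

def audit_aaa(config):
    """Flag domains whose schemes skip AAA (hypothetical helper, not a Huawei tool)."""
    modes, domains, block = {}, {}, ["", ""]
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if len(raw) - len(raw.lstrip(" ")) <= 1:  # system- or aaa-level line opens a block
            block = (line.split() + [""])[:2]
            if block[0] == "domain":
                domains.setdefault(block[1], {})
            continue
        m = re.fullmatch(r"(authentication|accounting)-(mode|scheme) (.+)", line)
        if m and m[2] == "mode" and block[0] == m[1] + "-scheme":
            modes[(m[1], block[1])] = m[3].split()   # scheme definition
        elif m and m[2] == "scheme" and block[0] == "domain":
            domains[block[1]][m[1]] = m[3]            # scheme reference inside a domain
        elif line.startswith("radius-server group ") and block[0] == "domain":
            domains[block[1]]["radius"] = line.split()[2]
    findings = []
    for name, dom in domains.items():
        kinds = ("authentication", "accounting")
        used = [modes.get((k, dom.get(k)), []) for k in kinds]
        for kind, mode in zip(kinds, used):
            if "none" in mode:
                findings.append(f"{name}: {kind}-mode none via scheme {dom[kind]}")
        if "radius" in dom and not any("radius" in mode for mode in used):
            findings.append(f"{name}: radius-server group {dom['radius']} bound, "
                            "but neither scheme uses radius mode")
    return findings
```

Domains that reference no scheme explicitly, such as default0 in the sample, are not reported because their effective schemes are not visible in the configuration file.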
Copyright © Huawei Technologies Co., Ltd.