Configuring a BAS Interface

If an interface is used for broadband access, you must configure it as a BAS interface. Before PPPoE users use a BAS interface to access a network, you must specify the access type as Layer 2 subscriber access.

Context

When configuring a BAS interface, you need the following information:

  • BAS interface number

  • Access type and authentication method

  • (Optional) Maximum number of users who are allowed to access through the BAS interface and maximum number of users who are allowed to access through a specified VLAN

  • (Optional) Default domain, roaming domain, and domains that users are allowed to access

  • (Optional) Whether to enable the functions of accounting packet copy and locating a user

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run bas

    A BAS interface is created and the BAS interface view is displayed.

    • In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate command in the VE interface view to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the interface to a VE-group.
    • The bas command run in the view of an interface configures the interface as a BAS interface. A GE interface or its sub-interface or an Eth-Trunk interface or its sub-interface can be configured as a BAS interface.

  4. Run commit

    The configuration is committed.

  5. Run access-type layer2-subscriber [ default-domain { authentication [ force | replace ] dname | pre-authentication predname } * | bas-interface-name bname | accounting-copy radius-server rd-name ] *

    The access type is set to Layer 2 subscriber access, and attributes are configured for this access type.

    • When setting the access type on the BAS interface, you can set service attributes for the access users at the same time. You can also set these attributes in later configurations.
    • The access type cannot be configured on an Ethernet interface that has been added to an Eth-Trunk interface. You can configure the access type of such an Ethernet interface only on the associated Eth-Trunk interface.

  6. (Optional) Run access-limit user-number

    The number of users who are allowed access through the interface is configured.

    • If the access-limit command is configured on a sub-interface enabled with BAS, the number of VLAN users who access the sub-interface is limited.
    • If the access-limit command is configured on an interface enabled with BAS and the VLAN range is not specified in the command, the total number of VLAN users who access the interface is limited. Note that the configuration of access-limit on a sub-interface takes precedence over that on the corresponding interface.

  7. (Optional) Run default-domain pre-authentication domain-name

    The default pre-authentication domain is specified.

    • Or run default-domain authentication ppp-user domain-name

      The default authentication domain for PPP users is specified.

      • If the default-domain authentication ppp-user domain-name command is configured, the authentication domain specified in this step is used as the default authentication domain for PPP users.
      • If the default-domain authentication ppp-user domain-name command is not configured but the default-domain authentication [ force | replace ] domain-name command is configured, the authentication domain specified using the default-domain authentication [ force | replace ] domain-name command is used as the default authentication domain for PPP users.
      • If neither of the commands is configured, the default authentication domain for PPP users is default1.

    • Or run roam-domain domain-name

      The roaming domain is specified.

    • Or run permit-domain domain-name &<1-16>

      The domain in which users are allowed to access is specified.

      Or run deny-domain domain-name &<1-16>

      The domain in which users are denied to access is specified.

      The permit-domain-list command cannot be configured together with the deny-domain-list, deny-domain, or permit-domain command on a BAS interface.

    • Or run permit-domain-list domainlist-name>

      The list of domains whose users are allowed to access is specified.

      Or run deny-domain-list domainlist-name

      The list of domains whose users are denied to access is specified.

  8. (Optional) Run any of the following commands:

    • To configure the NetEngine 8000 F to trust the Access-Line-Id information reported by clients, run the client-option82 [ basinfo-insert { cn-telecom [ version2 ] | version3 } | version1 ] or client-access-line-id [ basinfo-insert { cn-telecom [ version2 ] | version3 } | version1 ] command.

    • To configure the NetEngine 8000 F to insert the Access-Line-Id information in the format defined by cn-telecom instead of trusting that reported by clients, run the basinfo-insert cn-telecom command.

    • To configure the NetEngine 8000 F to trust the Access-Line-Id information in the format defined by version2 instead of trusting that reported by clients, run the basinfo-insert version2 command.

    • To enable the function to locate a user through the virtual BAS (vBAS), run the vbas vbas-mac-address [ auth-mode { ignore | reject } ] command.

    • To enable the NetEngine 8000 F to extract information from the Access-Line-Id field in a packet sent by the DSLAM and add the information to Agent-Circuit-ID and Agent-Remote-ID attributes of packets to be sent to the RADIUS server, run the option82-relay-mode dslam { auto-identify | config-identify } command.
    • To allow the NAS-Port-Id attribute to be sent to the RADIUS server to carry Access-Line-Id information, run the option82-relay-mode include { allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command.
    • To configure the format of Agent-Circuit-ID or Agent-Remote-ID information, run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-remote-id { hex | string } command.

  9. (Optional) Run link-account resolve

    The NetEngine 8000 F is enabled to carry link-account information in an Accounting-Request packet to be sent to a RADIUS server.

    Before running the command, set the access type to Layer 2 subscriber access.

    The command affects the RADIUS attribute 25 in Accounting-Request packets sent by the NetEngine 8000 F to a RADIUS accounting server.

    An interface fills the link-account information in the RADIUS attribute 25 (Class) if both of the following conditions are met:
    • None authentication and RADIUS accounting are configured for users going online through the interface.
    • For Layer 2 common users, VLANs and VLAN descriptions are configured on the interface.

  10. (Optional) Run accounting-copy radius-server radius-name

    The accounting packet copy function is enabled.

  11. (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } ]

    The BAS interface is blocked.

    If you run block start-vlan any qinq command in the interface view to set the interface status to blocked. Then, all the users who go online from this interface with a specified VLAN ID are prohibited from access.

  12. (Optional) Run authentication-method ppp [ web ]

    PPP or PPP+web authentication is configured.

  13. (Optional) Run ppp keepalive slow

    PPP slow reply is configured on the BAS interface, allowing the BAS interface to send PPP echo packets to the CPU for processing.

  14. Run commit

    The configuration is committed.

Parent Topic: Configuring PPPoE Access
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >