Configuration Precautions for IPoE Access

Feature Requirements

Table 1 Feature requirements

Feature Requirements

Series

Models

WLAN user roaming switchover supports only IPoE user access (excluding static users for whom the device initiates ARP packets to trigger user login, static users with the same MAC address but different IP addresses, and all leased line users).

Roaming procedures cannot be triggered for static users for whom the device initiates ARP packets to trigger user login and static users with the same MAC address but different IP addresses on the BAS interface with roaming switchover configured. The interface configuration of leased line users is mutually exclusive with the roaming switchover configuration.

It is recommended that roaming be properly planned during deployment.

NetEngine 8000 F

NetEngine 8000 F1A

If a DHCPv6 packet carries both IA_NA and IA_PD fields, a home gateway cannot send two Solicit messages to obtain an IPv6 address and prefix. If two Solicit messages are sent, the address type requested in the first Solicit message is assigned for the second Solicit message. Users may fail to go online.

The client needs to carry both the address and prefix information.

NetEngine 8000 F

NetEngine 8000 F1A

L2VPN private lines do not support access from main interfaces. After a main interface is configured with L2VPN, the main interface cannot be configured with BAS access. If BAS access is configured on an interface, the interface cannot be configured with L2VPN. Therefore, you need to configure L2VPN private line access on sub-interfaces.

NetEngine 8000 F

NetEngine 8000 F1A

Restrictions on IPv6 web authentication users:

1. Users who obtain IPv6 addresses with shared prefixes through ND are not supported.

2. A dual-stack web user goes online in the pre-authentication domain and is switched to the authentication domain from the IPv6 stack. After the user goes offline from the IPv6 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv4 stack. A dual-stack web user is switched to the authentication domain from the IPv4 stack. After the user goes offline from the IPv4 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv6 stack.

3. If the IP address of the web server configured in the pre-authentication domain is the same as that of the portal server configured in the authentication domain, after users are redirected to the specified portal server address when they access an external network for the first time, they will be forcibly redirected to the same portal server address for the number of times specified by the portal-server redirect-limit limit command.

NetEngine 8000 F

NetEngine 8000 F1A

The auto save feature supports Layer 2 DHCPv4 users with the authentication and accounting modes set to non-authentication and non-accounting, respectively.

NetEngine 8000 F

NetEngine 8000 F1A

VPN instances can be dynamically delivered for IPoEv4 Layer 3 static users.

1. Only GE, Eth-Trunk, and VE interfaces are supported. PWVE interfaces are not supported.

2. RUI is not supported.

3. Only IPv4 Layer 3 static users are supported.

This may result in:

1. After this feature is enabled, if a Layer 3 static user accesses a PWVE interface and the VPN is delivered through the RADIUS server, the user fails to go online.

2. After this feature is enabled, Layer 3 static users are allowed to go online when RUI is configured. If the VPN instance delivered by the RADIUS server is the same as the interface VPN instance, user information can be backed up to the backup device. If they are inconsistent, user information cannot be backed up. To ensure that the VPN instances of RUI users on the master and backup devices are the same, a CoA message cannot be used to change the VPN instance of a Layer 3 static RUI user. If a CoA message is used to change the VPN instance of a Layer 3 static RUI user, the CoA message does not take effect.

3. IPv6 Layer 3 static users do not support this feature. If the VPN instance delivered by the RADIUS server is different from the VPN instance configured on the interface, users fail to go online.

NetEngine 8000 F

NetEngine 8000 F1A

The RADIUS server can deliver DHCPv6 options:

1. In DHCPv6 protocol interaction, only advertise and reply packets carry DHCPv6 options delivered by the RADIUS server, and other packets do not carry DHCPv6 options.

2. A maximum of eight DHCPv6 options can be delivered.

3. Options can be delivered only in an authentication response packet, but not in a CoA packet.

NetEngine 8000 F

NetEngine 8000 F1A

Roaming switchover between different interface types is not supported.

NetEngine 8000 F

NetEngine 8000 F1A

In a scenario where the next hop of a static route is the IP address of a static user, multiple next hops are not supported for the static user, that is, route load balancing is not supported.

You are advised not to configure a static user's IP address as the next hop of a static route in load-balancing scenarios.

NetEngine 8000 F

NetEngine 8000 F1A

If a Layer 3 DHCPv6 user sends a login request carrying the IA_NA option, the user cannot be directly connected to the BAS interface and must be connected to the BAS interface through a Layer 3 device. The user can apply for an IPv6 address only.

If a client DUID is generated in LLT or LL mode, user access is supported. If a client DUID is generated in another mode, user access is supported only when the first-hop relay agent sends the BRAS a DHCPv6 message in which Option 37 carries the client's MAC address. User access is not supported if the preceding conditions are not met.

Clients are required to obtain IPv6 addresses through DHCPv6.

NetEngine 8000 F

NetEngine 8000 F1A

Flexible access to a VPN supports only PPPoEv4 users, dynamic IPoEv4 users, and static IPoEv4 users.

Flexible access to a VPN does not take effect for unsupported user types.

NetEngine 8000 F

NetEngine 8000 F1A

DHCPv6 Option 16 can be sent to the RADIUS server:

1. Only IPoE DHCPv6 users are supported.

2. This option can be carried only in authentication request packets, but not in accounting request packets.

This may result in:

1. The PPPoE user has been authenticated by the RADIUS server in the PPPoE authentication phase. Subsequent PPPoE solicit packets carry the option configured using the radius-attribute include hw-dhcpv6-option command and will not be sent to the RADIUS server.

2. DHCPv6 options can be carried only in authentication request packets, but not in accounting request packets.

NetEngine 8000 F

NetEngine 8000 F1A

If DHCP proxy is disabled (using the undo dhcp-proxy enable command), clients' Request messages (including Renew, Rebind, and Release messages) may be denied and discarded. If the Renew and Release messages of a client are discarded, the client has to go offline when the lease expires. To resolve this issue, a UCL rule needs to be configured to allow such packets destined for a DHCP server to pass.

NetEngine 8000 F

NetEngine 8000 F1A

Separate collection of statistics about IPv4 and IPv6 traffic is not supported for Layer 3 leased line users.

You are advised not to collect statistics about IPv4 and IPv6 traffic separately for Layer 3 leased line dual-stack users.

NetEngine 8000 F

NetEngine 8000 F1A

After the function of triggering user logouts upon Option 82 information changes is enabled using the dhcp option82-mismatch action offline command, the following problems occur for users who go online in autosave mode:

(1) When the client-option82 basinfo-insert cn-telecom command is run to configure a device to encapsulate access-line-id information in the format defined by China Telecom, if the length of the Option 82 field generated based on the format exceeds 255 bytes, the device truncates part of the Option 82 field to meet the maximum length requirement. For users who go online in autosave mode, the Option 82 information generated by the device based on the format is used for comparison. When the Option 82 information of a user changes, the Option 82 information may be truncated because the generated Option 82 information is too long. As a result, the device may fail to compare the Option 82 information.

(2) When the client-option82 basinfo-insert version3 command is run to configure the device to encapsulate access-line-id information in version 3 format and the length of the Option 82 field generated based on the format exceeds 200 bytes, the device truncates part of the Option 82 field to meet the maximum length requirement. For users who go online in autosave mode, the Option 82 information generated by the device based on the format is used for comparison. When the Option 82 information of a user changes, the Option 82 information may be truncated because the generated Option 82 information is too long. As a result, the device may fail to compare the Option 82 information.

NetEngine 8000 F

NetEngine 8000 F1A

HTTPS redirection is supported on the IPU-1T2 and IPU-2T.

NetEngine 8000 F

NetEngine 8000 F1A

Accounting stop packets of IPoE dual-stack users cannot carry all IP addresses of the users in the following scenarios. In these scenarios, RADIUS source tracing cannot be used to trace the addresses used by the users.

1. The IPv6 ND shared address of an offline user cannot be carried.

2. The IPv6 NA (EUI-64) address of an offline user cannot be carried.

3. This function cannot be used together with the DUID address reservation function.

4. For an address obtained from the dynamic IPv4/IPv6 address pool, the IP address of the offline user cannot be carried.

5. For an IPv4/IPv6 address obtained from a remote address pool, the address of the offline user cannot be carried.

6. If the IPv4/IPv6 address changes when a user is online, the original IPv4/IPv6 address cannot be carried.

7. This feature cannot be used together with the inter-chassis address borrowing feature.

8. This feature cannot be used together with DHCPv6 address allocation based on circuit-id/remote-id.

NetEngine 8000 F

NetEngine 8000 F1A

For users who attempt to go online in loose mode, if the packets sent by the users do not carry Option 82 information, the users fail to go online or the first renewal fails.

Please properly plan the service.

NetEngine 8000 F

NetEngine 8000 F1A

When the RADIUS server delivers the Framed-Route attribute to a leased line user, user-to-network traffic does not support source IP address check (URPF).

Do not deliver the Framed-Route attribute to leased line users if you have high requirements for source IP address check.

NetEngine 8000 F

NetEngine 8000 F1A

HTTPS redirection in RUI scenarios:

a. The HTTPS redirection function is related only to the local configuration. Therefore, the HTTPS configurations on the master and backup devices must be the same. Otherwise, the behavior may be inconsistent after an active/standby switchover.

b. Redirection information is not backed up to the backup device. Therefore, if an active/standby switchover occurs during the redirection process (including the process in which the client establishes a connection with the device and the device pushes redirection information to the client), the client needs to re-establish a connection with the device after the switchover.

NetEngine 8000 F

NetEngine 8000 F1A

HTTP Strict Transport Security (HSTS) does not allow users to ignore alarms. Therefore, the browsers or websites running HSTS do not support HTTPS redirection.

NetEngine 8000 F

NetEngine 8000 F1A

HTTPS redirection supports request packets with the destination port being the well-known port 443. If the destination port number is not 443, HTTPS redirection cannot be performed.

NetEngine 8000 F

NetEngine 8000 F1A

HTTPS redirection does not support captive portal (in which a user is first redirected to the authentication page and, if the authentication succeeds, is pushed to the specified URL during initial network access).

NetEngine 8000 F

NetEngine 8000 F1A

When the link address configured using the link-address command is used as the source IP address and the polling mode is configured for the DHCPv6 server group:

1. If multiple DHCPv6 servers are configured in a DHCPv6 server group, and some DHCPv6 servers have the same VPN instance as the user while others have a different VPN instance, the DHCPv6 server replies to the BRAS with a packet carrying the user's VPN instance. As a result, the DHCPv6 server belonging to the same VPN as the user is considered reachable and is recorded in the DHCPv6 server information in the user table. After receiving a renew packet, the BRAS sends the DHCPv6 server a packet carrying the DHCPv6 server information recorded in the user entry. If the DHCPv6 server is unreachable, the lease fails to be renewed. In this case, the BRAS needs to send a rebind packet to renew the lease.

2. If multiple DHCPv6 servers are configured in a DHCPv6 server group and the VPN instances of these DHCPv6 servers are different from the VPN instance of the user, the VPN instance carried in the reply packet sent by the DHCPv6 server to the BRAS is the VPN instance of the user. The BRAS matches the user's VPN in the reply packet against the VPN of the DHCPv6 server. Because the two VPNs are different, the user fails to go online.

The preceding configuration affects user login and lease renewal in DHCPv6 server group polling mode.

You are advised to configure the same VPN for the DHCPv6 server and users or configure only one DHCPv6 server in the DHCPv6 server group.

NetEngine 8000 F

NetEngine 8000 F1A

The modification of only the following commands takes effect for DHCPv6 lease proxy users in real time. (The modification takes effect after renewal packets are sent to the remote or local server for processing.)

1. In the BAS view for the access interface: dhcpv6 user-identify-policy

2. In the BAS view for the access interface: trust 8021p-protocol

3. In the view of the access interface or the main interface corresponding to the access interface: 8021p <8021p-value>

4. For the access interface: ipv6 link-local

NetEngine 8000 F

NetEngine 8000 F1A

After users are switched to the post-authentication domain and obtain IPv6 authorization, if the client fails in automatic dial-up at the IPv6 stack, the client will fail to obtain an IPv6 address and cannot access the network over IPv6. At this point, manual operations (such as tearing down the connection, restarting the NIC, restarting the computer, and executing commands) are needed.

NetEngine 8000 F

NetEngine 8000 F1A

The IPv6 address delivered by the RADIUS server cannot be the same as the IPv6 address configured on any interface. If they are the same, the user's downstream traffic fails to be forwarded, and traffic forwarding for a single user is affected.

You are advised to properly plan the configuration.

NetEngine 8000 F

NetEngine 8000 F1A

An accounting stop packet for an IPoE user can carry all IP addresses of the user, including the IP address of the stack from which the user goes offline. This feature does not apply to the following scenarios, and the IP address used by the user cannot be traced using RADIUS:

(1) The IPv6 ND shared address at which the user has gone offline cannot be carried.

(2) The IPv6 NA (EUI-64) address at which the user has gone offline cannot be carried.

(3) This feature cannot be used together with the DUID address reservation function.

(4) For an address obtained from the IPv4/IPv6 dynamic address pool, the address at which the user has gone offline cannot be carried.

(5) For an address obtained from the IPv4/IPv6 remote address pool, the address at which the user has gone offline cannot be carried.

(6) If the IPv4/IPv6 address changes when a user is online, the original IPv4/IPv6 address cannot be carried.

(7) This feature cannot be used together with the inter-chassis address borrowing feature.

(8) This feature cannot be used together with the DHCPv6 address allocation based on circuit-id/remote-id.

NetEngine 8000 F

NetEngine 8000 F1A

When the China Telecom Option 82 replacement mode is used and RUI is deployed, DHCPv6 user access is supported only if the BRAS is connected to a level-1 relay agent in the upstream direction. When multi-level relay agents are deployed upstream of a BRAS and the BRAS proactively goes offline, the numbers of levels carried in the relay headers of the Release packets sent by the master and backup RUI devices to the DHCPv6 server are different. If the outer relay header of the DHCPv6 packet received by the BRAS does not carry the Option 18 information but the inner relay header carries the Option 18 information, the RADIUS NAS-PORT-ID (No. 87 attribute) values constructed by the master and backup RUI devices are different, and the Option 18 information in the outer relay header of DHCPv6 packets sent to the DHCPv6 server is inconsistent.

Plan relay information properly.

NetEngine 8000 F

NetEngine 8000 F1A

If the system time is adjusted forward after IPoE/IPoEv6 users go online, the leases of IPoE/IPoEv6 users may expire, causing the IPoE/IPoEv6 users to be logged out.

After an IPoE/IPoEv6 lease proxy user goes online, if the system time is adjusted forward, the proxy lease of the user may expire. As a result, the user is logged out.

If a user needs to go online after being logged out, the user needs to dial up again or send an IP/ARP/IPv6/ND packet to go online.

NetEngine 8000 F

NetEngine 8000 F1A

Among the physical interfaces, 40GE interfaces (40GE x/x/x or 40GE x/x/x/x) do not support BRAS access.

NetEngine 8000 F

NetEngine 8000 F1A
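The Option 82 truncation precaution in this table (255 bytes for the cn-telecom format, 200 bytes for the version3 format, with dhcp option82-mismatch action offline enabled) can be checked during planning. The following Python code is an added example, not code from the device or from Huawei: it assumes that truncation keeps the leading bytes (the page only says part of the field is truncated), and the function names and sample identifiers are constructed for illustration.

```python
from collections import defaultdict

# Maximum generated Option 82 length per format, as stated in this table.
LIMITS = {"cn-telecom": 255, "version3": 200}


def truncate(line_id: bytes, fmt: str) -> bytes:
    """Model of device truncation. ASSUMPTION: the leading bytes are kept;
    the page does not say which part of the field is dropped."""
    return line_id[:LIMITS[fmt]]


def mismatch_detected(old: bytes, new: bytes, fmt: str) -> bool:
    """True if a change from old to new is still visible after truncation."""
    return truncate(old, fmt) != truncate(new, fmt)


def audit(line_ids, fmt: str) -> dict:
    """Report identifiers over the limit and groups that become
    indistinguishable once truncated to the format's limit."""
    limit = LIMITS[fmt]
    too_long = [v for v in line_ids if len(v) > limit]
    groups = defaultdict(set)
    for v in line_ids:
        groups[truncate(v, fmt)].add(v)
    collisions = [sorted(g) for g in groups.values() if len(g) > 1]
    return {"limit": limit, "too_long": too_long, "collisions": collisions}


def sample_ids():
    """Constructed identifiers, not real cn-telecom or version3 encodings."""
    pad = b"N" * 250  # long node description shared by two access lines
    return [b"node-a eth 0/1/0/1:100", pad + b"/port-0001", pad + b"/port-0002"]


if __name__ == "__main__":
    ids = sample_ids()
    for fmt in LIMITS:
        report = audit(ids, fmt)
        print(fmt, "limit", report["limit"],
              "over limit:", len(report["too_long"]),
              "colliding groups:", len(report["collisions"]))
    # The two long identifiers differ only past byte 255, so a move between
    # those lines would not register as an Option 82 change under this model.
    print("change visible:", mismatch_detected(ids[1], ids[2], "cn-telecom"))
```

Any identifier reported in `too_long` or `collisions` is a line where a change in Option 82 information may go undetected for autosave users, so the access-line-id plan should keep generated values under the limit for the configured format.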

Copyright © Huawei Technologies Co., Ltd.