Ipoe Access: About This Chapter

HUAWEI NetEngine40E Universal Service Router
Feature Description - User Access 5 IPoE Access
5 IPoE Access
About This Chapter
5.1 Overview of IPoE Access

5.2 Understanding IPoE Access
5.3 Application Scenarios for IPoE Access
5.4 Terminology for IPoE Access
5.1 Overview of IPoE Access
IPoEv4
l Definition
In IP over Ethernet (IPoE) scenario, a PC is connected to the Ethernet interface of a
BRAS through a Layer 2 device (such as LAN Switch). When the PC accesses the IPv4
network, a user IP packet is encapsulated into an IPoE packet on the Ethernet interface.
The IPoE packet is forwarded to the BRAS through the Layer 2 device. The BRAS then
authenticates the user and authorizes user services based on physical or logical
information carried in the IPoE packet, such as the MAC address, VLAN ID, and Option
82 (line information).
l Purpose
Compared with Point-to-Point over Ethernet (PPPoE), IPoE is easy to use and does not
need any client dial-in software.
In addition, the IPTV or PPPoE access can no longer meet the customers' new
requirements, especially new services that need to be deployed with multicast. IPoE is an
access technology that can meet requirements of multiple services.
l Benefits
IPoE offers the following benefits to carriers:
– IPoE is a simple method of accessing the Internet, and does not need any client dial-
in software.
Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 117

– IPoE is an economic method of accessing the Internet, and does not need any user
device (such as modem) at the client.
– IPoE is an access method that facilitates the deployment of multicast services. It
provides users with value-added services, such as IPTV, NGN telephone, and broad
vision.
IPoE offers the following benefits to users:
– IPoE is easy to use. After connecting the PC to the Internet, a user can access the
Internet directly after the computer is started.
IPoEv6 Access
l Definition
IPv6 over Ethernet (IPoEv6) access refers to the access mode in which users access a
BRAS by sending Dynamic Host Configuration Protocol for IPv6 (DHCPv6) packets,
Neighbor Discovery (ND) packets, or IPv6 packets. In IPoEv6 access mode, users can
directly access the Internet using Web browsers, without having to install client dial-in
software on their PCs.
An IPoE dual-stack user can have both an IPv4 address and an IPv6 address. The IPoE
dual-stack access is the combination of the IPoE access and the IPoEv6 access. An IPoE
dual-stack user obtains an IPv4 address through IPoEv4 and an IPv6 address through
IPoEv6; however, during this process, the user is authenticated only once.
IPv6, also called IP Next Generation (IPng), is the second-generation standard protocol
of network layer protocols. As a set of specifications defined by the Internet Engineering
Task Force (IETF), IPv6 is the upgraded version of IPv4. The most obvious difference
between IPv4 and IPv6 is that IPv4 addresses are of 32 bits whereas IPv6 addresses are
of 128 bits.
IPv6 address autoconfiguration has two modes, stateful address autoconfiguration and
stateless address autoconfiguration. IPv4 has only one address assignment mode, the
DHCP mode.
In stateless address autoconfiguration mode, a user running ND sends a Router
Solicitation (RS) message to a neighboring router. After receiving the RS message, the
router assigns an IPv6 prefix to the user through a Router Advertisement (RA) message.
In stateful address autoconfiguration mode, a DHCPv6 client sends an Information-
Request message containing the IPv6 address and information about the DNS server to
the DHCPv6 server. After receiving the message, the DHCP server replies with the
required configuration information according to the policy.
l Purpose
With the development of the Internet, the shortage of IPv4 address spaces becomes
increasingly serious. IPv6 solves the problem of IP address exhaustion. With the
development of the IPv6 Internet, users need to obtain IPv6 addresses for accessing
network resources.
5.2 Understanding IPoE Access
5.2.1 IPoEv4 Access Fundamentals

Modes of IPoE Access

According to actual networking situations and service processing, IPoE access has the
following modes:
l Common IPoE access

A user PC accesses an Ethernet interface on a BRAS through a Layer 2 device (hub or
LAN switch). The Layer 2 device does not encapsulate or change the IPoE packets from
the user. The IP packets sent from the user are encapsulated into IPoE packets when
passing through the Ethernet interface of the user PC. Then, the packets are forwarded to
the BRAS through the Layer 2 device. Therefore, the packets received on the BRAS are
IPoE packets.
l Common IPoEoVLAN access
A user PC accesses an Ethernet interface on a BRAS through an 802.1Q-supporting
switch. The IP packets sent from the user are encapsulated into IPoE packets when
passing through the Ethernet interface of the user PC. Then, the LAN switch adds VLAN
tags to the IPoE packets and changes them into IPoEoVLAN packets. Finally, the
packets are forwarded to the BRAS. Therefore, the packets received on the BRAS are
IPoEoVLAN packets.
l Common IPoEoQ access
A user PC accesses an Ethernet interface on a BRAS through two 802.1Q-supporting
switches and QinQ is configured on an interface on the switch close to the BRAS. The IP
packets sent from the user are encapsulated into IPoE packets when passing through the
Ethernet interface of the user PC. The switch close to the user PC adds a VLAN tag to
each IPoE packet and changes them into IPoEoVLAN packets before forwarding the
packets. When the IPoEoVLAN packets reach the switch close to the BRAS, this switch
adds another VLAN tag to each IPoEoVLAN packet before forwarding them. Therefore,
each packet finally received on the BRAS is an IP packet with two VLAN tags, that is,
an IPoEoQ packet.
According to the number of access users, IPoE access has the following modes:
l Individual Users
Individual users log in to the BRAS through Layer 2 or Layer 3 network. Each individual
user has independent service attributes. The BRAS authenticates and charges each
individual user separately.
l Leased-line Users
Lease-line users are a group of users that access the Internet using a Layer 2 or Layer 3
network, including Layer 2 and Layer 3 leased-line users. These users share a service
attribute for unified authentication and accounting.
– Layer 2 leased line access
The networking mode for Layer 2 leased line access is the same as that for common
IPoX access, and the packets that reach the BRAS are of three types: IPoE,
IPoEoVLAN, and IPoEoQ. The only difference is that the BRAS handles the Layer
2 leased line service in a different manner.
– Layer 3 leased line access
A user PC is connected to the BRAS through a Layer 3 switch. The packets that
reach the BRAS are of three types: IPoE, IPoEoVLAN, and IPoEoQ.

Interaction Process for IPoEv4 Users to Get Online

In IPoE access mode, a user can access the Internet using the DSLAM. After passing DHCP
authentication and obtaining service authorization, the IPoEv4 user can visit corresponding
services. The overall service procedure is shown in Figure 5-1.
Figure 5-1 Overall Service Procedure
1. After a user terminal (such as an NGN telephone or an IPTV STB) is powered on or

started, it sends a DHCP Discover message. The message is relayed to BRAS through an
access device. In this process, the access device can add Option 82 information to the
DHCP Discover message as required to provide user's line information.
2. BRAS extracts information, such as the MAC address and Option 82 from the DHCP
Discover message and communicates with the RADIUS server using the RADIUS
protocol. The RADIUS server then authenticates the user based on the MAC address and
line information. After learning the user's service type, the RADIUS server delivers
service authorization and QoS policy to BRAS.
3. After authentication is complete, BRAS forwards the DHCP Discover message to the
DHCP server.
4. The DHCP server communicates with the user terminal to assign a dynamic IP address to
the user. BRAS then binds the user's service control and QoS policy to its IP address.
5. The user terminal visits a service system to use the required service. For example, the
user can visit the NGN telephone to use NGN voice services or visit IPTV headend to
use IPTV services.
IP addresses of IPoE access users can be either statically configured on the client or statically/
dynamically assigned. Configuration on the DHCP server determines whether the server
statically or dynamically assigns IP addresses.
Extension functions of IPoEv4

When a user accesses the Internet using IPoE, the DHCP server uses the physical or logical
information carried by the DHCP protocol during the interactive process to authenticate users
and authorize user services.

However, DHCP and ARP do not support the functions such as user authentication, link
establishment, and link monitoring. Therefore, IPoE adopts some extension function to
support these functions.
l Authentication: Unlike PPP packets, DHCP or ARP packets cannot carry authentication
information such as user names or passwords. Hence, IPoE adopts bind authentication,
Web authentication, or fast authentication.
Bind authentication refers to the authentication mode in which a user is authenticated
according to physical information about the user connection. When this mode is adopted,
users do not need to enter the user names or passwords. Instead, the BRAS generates
user names according to the Option 82 value, MAC address, and IP address and sends
the user names together with the default passwords configured on the BRAS to the
authentication server. Only the users who pass authentication are considered legal and
are assigned IP addresses.
Web authentication refers to the authentication mode in which a user who has obtained
an IP address through DHCP or static configuration accesses the authentication page of a
web server and enters the user name and password for authentication.
Fast authentication refers to the authentication mode in which a user accesses the
authentication page of a web server and submits an authentication request without
entering the user name or password. Fast authentication is a combination of Web
authentication and bind authentication.
l Link establishment: Forwarding entries are created for IPoE access users. Only the
traffic of a user who passes authentication and obtains an IP address can be forwarded.
Link monitoring: The system detects the link of an IPoE access user through ARP
probes. If the system detects that the number of link failures exceeds the pre-set number,
the system considers that the user has gone offline. In this case, the system takes back the
IP address from the user and deletes the forwarding entry.
5.2.2 IPoEv6 Access Fundamentals

IPoEv6 access refers to the access mode in which users access the BRAS by sending
DHCPv6 packets, ND packets, or IPv6 packets.
According to the used media, the broadband access includes the Asymmetric Digital
Subscriber Line (ADSL) access using telephone cables, Ethernet access using Category 5
twisted pair cables, and Wireless Local Area Network (WLAN) access using wireless signals.
Users are connected to the BRAS through access devices such as the Digital Subscriber Line
Access Multiplexer (DSLAM), LAN Switch, and access point (AP). The differences in
physical connections are obscured by access devices. As a result, the BRAS does not have to
be concerned with the access modes of users; instead, it distinguishes users by the protocol
stack of packets sent by the terminals to the BRAS. By using various methods such as binding
authentication, the BRAS identifies users according to the user names and passwords of the
users, and then manages the users. For example, the BRAS assigns IP addresses to users and
accounts the services of access users.
DHCPv6 and ND do not support functions such as user authentication, link establishment,
and link monitoring. Therefore, IPoE adopt some extension functions to support these
functions.
l Authentication: Unlike that in PPP access mode, neither DHCPv6 packets nor ND
packets carry authentication information such as the user name and password. Therefore,
in IPoEv6 access mode, binding authentication is used to authenticate users. In binding

authentication, the information about the physical connections of users is used to

authenticate users. Users do not need to enter their user names and passwords. The
BRAS generates user names according to the information such as Option82 fields, MAC
addresses, and IP addresses, and sends the user names together with the default
passwords configured on the BRAS device to the authentication server for
authentication. Only the users that pass the authentication are assigned IP addresses.
l Link establishment: Devices set up related forwarding entries for online IPoEv6 users,
and only the users that pass the authentication and obtain IPv6 addresses can forward
traffic.
l Link monitoring: ND detection is used to detect link status for an IPoEv6 user. If the ND
detection fails for the specified number of times, the IPoEv6 user is considered offline,
and the IPv6 address of the IPoEv6 user is reclaimed and the related forwarding entry is
deleted.
The IPoE single-stack access supports binding authentication and Web authentication. Web
authentication is an interactive authentication mode in which the user that has obtained an IP
address opens the authentication page on the Web authentication server, and enters the user
name and password to be authenticated.
The IPoE dual-stack access refers to the access mode in which a user has both an IPv4 address
and an IPv6 address and IPoE authentication can be triggered through DHCP packets, ARP
packets, IP packets, DHCPv6 packets, ND packets, or IPv6 packets. After receiving a Request
message, the BRAS performs the following operations: If the user is a new user, the BRAS
performs authentication and authorization for the user. If the user is a dual-stack user that has
obtained an IP address of a specified type, the BRAS does not authenticate the user; instead,
the BRAS performs authorization for the user according to the authentication result. The IPoE
dual-stack access also supports binding authentication and Web authentication.
The IPoE dual-stack access supports binding authentication and Web authentication. Web
authentication is an interactive authentication mode in which the user that has obtained an IP
address opens the authentication page on the Web authentication server, and enters the user
name and password to be authenticated.
5.2.3 Web Authentication Process

The authentication page of a web server is also called a portal which provides convenient
management functions for carriers through web authentication. Advertisements, community
services, and personalized services can be provisioned on a portal, building an industry eco-
system for bandwidth carriers, device vendors, and content and service providers.
Concepts
Web authentication, also called portal authentication, is classified as proactive web
authentication or mandatory web authentication.
l Proactive web authentication: A user accesses the authentication page of a web server
and enters and submits the username and password. After obtaining the username and
password, the web server sends them to the BRAS. The BRAS then exchanges messages
with the RADIUS server to complete user authentication.
l Mandatory web authentication: A user attempts to access other extranet resources using
HTTP and is forcibly redirected to the web authentication page to enter and submit the
username and password. After obtaining the username and password, the web server
sends them to the BRAS. The BRAS then exchanges messages with the RADIUS server
to complete user authentication.

Web Authentication Process

Web authentication is classified as proactive web authentication or mandatory web
authentication. The two authentication modes are the same except for how users access the
authentication page. The detailed authentication process is as follows:
As shown in Figure 5-2, the user can access only the web authentication page in the web pre-
authentication domain. If the user passes the authentication after entering the username and
password on the page, the user is switched to the web authentication domain and can access
network resources.
Figure 5-2 User login process in proactive web authentication mode
As shown in Figure 5-3, the user accesses other extranet resources through HTTP and is
forcibly redirected to the web authentication page by the BRAS. The user can access only the
web authentication page in the web pre-authentication domain. If the user passes the
authentication after entering the username and password on the page, the user is switched to
the web authentication domain and can access network resources.

Figure 5-3 User login process in mandatory web authentication mode
Web Authentication Modes

Depending on the network layer where web authentication is performed, web authentication is
classified as Layer 2 authentication or Layer 3 authentication.
l Layer 2 authentication: Web authentication is enabled on the BRAS interface that

connects to Layer 2 users. Only authenticated users are allowed access to external
network resources.
l Layer 3 authentication: Web authentication is enabled on the BRAS interface that
connects to Layer 3 users. Web authentication on Layer 3 interfaces can be further
classified as direct authentication or inter-Layer 3 authentication. If direct authentication
is used, Layer 3 forwarding is not performed between the client and the BRAS. If inter-
Layer 3 authentication is used, the client and the BRAS can communicate through Layer
3 forwarding devices.
– Direct authentication: If a user obtains an IP address using DHCP or has an IP
address configured before authentication, the user can use this IP address to access
only the web server address and specified addresses. After the user is authenticated,
the user can access network resources.

– Inter-Layer 3 authentication: is implemented in basically the same way as direct

authentication, except that the client and the BRAS can communicate through Layer
3 forwarding devices.
In both direct authentication and inter-Layer 3 authentication, an IP address uniquely
identifies a user. The BRAS delivers ACLs based on users' IP addresses to control packet
forwarding of authenticated users on interfaces. If direct authentication is used, users and
the BRAS do not communicate through Layer 3 forwarding devices. Therefore, the
BRAS interface connecting to users can learn the users' MAC addresses, which allows
packet forwarding to be controlled based on a finer granularity.
5.2.4 Web+MAC Authentication Process
Web+MAC authentication, aiming to simplify web authentication, is the most common

authentication mode for Layer 2 IPoE user access. This authentication mode requires a user to
enter the username and password on a portal page when accessing the Internet for the first
time. After RADIUS authentication succeeds, the RADIUS server associates the
automatically recorded terminal MAC address with the username. Later, the user can access
the network again without re-entering the username and password within a specified period
after the first access.
The following describes the authentication process for the first and subsequent Internet
access.
First Internet Access of a User

As shown in Figure 5-4, when the user accesses the Internet for the first time, the user first
enters the MAC authentication domain. Because the RADIUS server cannot find the user's
MAC address during the user's first Internet access, MAC authentication fails, and the user is
switched to the web pre-authentication domain. In the web pre-authentication domain, the
user can access only the web authentication page. On this page, the user enters the username
and password for authentication. After the authentication succeeds, the user enters the MAC
authentication domain and can access network resources.
Figure 5-4 First Internet access process

Subsequent Internet Access of a User

As shown in Figure 5-5, when the user using the same terminal accesses the Internet after the
first access, the RADIUS server can find the user's MAC address, and the authentication
succeeds. The user then enters the MAC authentication domain and can access network
resources.
Because a user does not need to enter the username and password again for Internet access after the first
access, you need to control access rights of terminals accordingly.
Figure 5-5 Subsequent Internet access process
5.2.5 Fast Authentication Process

Fast authentication is a simplified form of web authentication in which a user accesses the
authentication page of a web server for authentication, without entering the username or
password. The BRAS automatically generates the username and password for authentication
based on information about the BAS interface that the user accesses. Fast authentication is a
combination of web authentication and binding authentication.
The following describes the user login and logout processes using fast authentication.
User Login Process

As shown in Figure 1 User login process, the user sends a DHCP Discover message to the
BRAS. After receiving the message, the BRAS creates a user entry, assigns an IP address to
the user through DHCP, and grants permissions that allow the user to access only limited
network resources. The user can access only the specified web page. If the user accesses other
web pages, the user is redirected to the web authentication page. On the web authentication
page, the user can click the button indicating confirmation for authentication without entering
the username or password. After the authentication is successful, the user can access network
resources.

Figure 5-6 User login process
User Logout Process

As shown in Figure 5-7, when the user needs to go offline, the user clicks the button
indicating logout on the authentication result page to send a logout request to the web server.
After accounting is complete, the user goes offline normally.

Figure 5-7 User logout process
Username Generation Mode

If a username template is bound to the BAS interface through which users go online using the
default-user-name-template command, the system generates usernames based on the
username template. If no username template is bound to the user access interface but a mode
for generating pure usernames is configured using the default-user-name command in the
AAA view, the system generates pure usernames based on the configured mode. If neither of
the preceding configurations is available, the system generates usernames based on the default
configuration. Interface-specific configuration applies only to the interface, whereas the
default configuration and the configuration in the AAA view take effect globally.
A pure username can be generated using any of the following methods:
l The system uses the IP address carried in the Access-Request packet of a user as the pure
username. This method applies only to Layer 3 access users and static users whose
Access-Request packets carry IP addresses.
l The system uses the MAC address carried in the Access-Request packet of a user as the
pure username.
l The system uses the Access-Line-Id information (DHCP Option 82/DHCPv6 Option
18+37) carried in the Access-Request packet of a user as the pure username.
l The system uses the hostname (configured using the sysnamehost-name command in the
system view) as the pure username.
l The system uses any combination of the IP address, MAC address, Access-Line-Id
information (DHCP Option 82/DHCPv6 Option 18+37), and hostname as the pure
username. The preceding information is presented in the pure username in the order they
are configured.
l The system generates a pure username based on access interface and VLAN information
of a user in the format configured using the vlanpvc-to-username command.
The system then generates a username based on the pure username, default authentication
domain configured on the BAS interface, and domain name delimiter and position configured

in the system. The username can be in either of the following formats: pure username+domain
name delimiter+domain name (if the system is configured to place the domain name behind
the domain name delimiter) or domain name+domain name delimiter+pure username (if the
system is configured to place the domain name before the domain name delimiter).
Password Generation Modes

By default, the password of an IPoX user is vlan. You can run the default-password
command to specify the mode in which the system automatically generates the password for
an IPoX user. For example:
l The system uses the manually configured IPoX password.
l The system uses all or part of the Vendor-Class attribute (DHCPv4 Option 60/DHCPv6
Option 16) carried in the user's Access-Request packet as the IPoX password.
l The system uses all of the User-Class attribute (DHCPv4 Option 77/DHCPv6 Option 15)
carried in the user's Access-Request packet as the IPoX password.
5.3 Application Scenarios for IPoE Access
5.3.1 Application Scenario for IPoEv4 Access

IPoE users include private users and leased-line users.
Typical Applications of IPoE - Private Users

A private user has independent service attributes, and a BRAS performs separate
authentication and charging for a private user. Private users can be categorized into Layer 2
access users and Layer 3 access users.
A Layer 2 access user accesses a BRAS through an Ethernet device (such as a LAN switch) or
an ADSL device (such as a DSLAM). An access user can be allocated with a DHCP address
on a local BRAS or on a remote DHCP server.
l A Layer 2 access user with address allocation on a local BRAS:
Figure 5-8 shows address allocation on a local BRAS.
Figure 5-8 Networking diagram of local address allocation for Layer 2 access users

A Layer 2 user can go online by sending a DHCP, IP, or ARP packet.

– By Sending a DHCP Packet:
Figure 5-9 shows how a Layer 2 user goes online by sending a DHCP packet.
Figure 5-9 Login process through a DHCP packet
i. A DHCP client sends a DHCP Discover or DHCP Request packet to a BRAS.

ii. After receiving the DHCP Discover or DHCP Request packet, the BRAS
performs authentication, authorization, address allocation, forwarding control,
and accounting management. In addition, the BRAS sends the IP address and
parameters to the DHCP client by forwarding a DHCP Offer or DHCP ACK
packet.
Only the user who successfully logs in to the BRAS can access the Internet. The
user cannot access the Internet through the BRAS by using an address that is not
allocated by the BRAS. IP addresses are locally managed. Therefore, the allocation,
release, and lease extension of IP addresses must be performed on the BRAS.
– By Sending an IP/ARP Packet:
Both a static user and a user logged out abnormally can go online by sending IP or
ARP packets.
A static user has been assigned a fixed IP address on the client and does not need to
be assigned an address on the BRAS. Therefore, the static user can go online only
by sending IP or ARP packets. After receiving an IP or ARP packet from a user, the
BRAS resolves parameters such as the IP address and the MAC address and
determines whether the user is legal. Then, the BRAS performs binding
authentication for the user. After passing the authentication, the user can log in and
access the network.
A user logged out abnormally is the user that logs out because ARP probing fails,
the idle connection is cut off, or a management command is executed to cut off the
client. In this case, the user can enable the client to access the network by sending
IP or ARP packets.
l A Layer 2 access user with address allocation on a remote DHCP server:

A DHCP access user can obtain an IP address from a remote DHCP server. In this case,
the BRAS performs only user authentication, authorization, accounting, and forwarding
control but does not manage IP addresses. The BRAS forwards the DHCP packet from a
user to the remote DHCP server and sends the reply from the DHCP server to the DHCP
client. Figure 5-10 shows the address allocation process through a remote DHCP server.
Figure 5-10 Networking diagram of remote address allocation for a Layer 2 access user
Figure 5-11 shows the process of remote login of a DHCP user.
Figure 5-11 Remote login of a DHCP user

By applying a remote address pool in a domain, the BRAS can enable the remote DHCP
server to allocate an address of an access user. A remote address pool does not contain
any IP addresses but indicates the corresponding DHCP server. When a remote address
pool is used, the BRAS replaces the user to send a DHCP Request packet to apply for an
IP address from the DHCP server or extend the address lease, or relays the DHCP
Request packet from the user.
A remote address pool can be bound to a DHCP server group. You can configure a
maximum of two DHCP servers in each DHCP server group. If two DHCP servers are
configured, they can work either in master/slave mode or in load balance mode. By
default, the two DHCP servers work in master/slave mode.
– In master/slave mode, the master and slave DHCP servers are determined based on
the sequence in which they are added to a DHCP server group. The DHCP server
added earlier is the master and the DHCP server added later is the slave. During IP
address assignment, the master server is used preferentially to assign IP addresses.
If the addresses in the address pool bound to the master DHCP server are used up,
the slave DHCP server is used.
– In load balancing mode, the two DHCP servers assign IP addresses based on
weights. The weight of each DHCP server is configured when the server is added to
a DHCP server group. For example, 100 users apply for IP addresses and server A
and server B have weights being 60 and 40 respectively. Therefore, server A
allocates 60 IP addresses and server B allocates 40 IP addresses.
– In polling mode: The BRAS sends request packets to all servers and selects the
server that receives the packets first. Subsequent packets, except for the discover
and select request packets, are sent to only the selected server.
l A Layer 3 access user adopting Web authentication:
The BRAS does not know the MAC address of a user accessing the network through a
Layer 3 device. Therefore, the BRAS does not allocate an IP address to a user who
adopts Web authentication. A Layer 3 device, allocates an IP address to a user accessing
the network through a Layer 3 device. After receiving an IP packet from a Layer 3 user,
the BRAS checks whether it supports the Layer 3 user. If yes, the BRAS allows the user
to perform Web authentication. After the client visits the web page and submits the user
name and password, the Layer 3 user can access the network if it passes authentication.
Figure 5-12 shows the networking diagram of Layer 3 access users adopting Web
authentication.
Figure 5-12 Networking diagram of Layer 3 access users adopting Web authentication
l A Layer 3 DHCP user:

In the situation that a user accesses the network through a Layer 3 device, a Layer 3
device acts as a DHCP relay agent and relays the DHCP packet from the client to the
BRAS. After authenticating the user, the BRAS allocates an idle IP address to the user
according to the giaddr field. Alternatively, the RADIUS server can allocate an IP
address to the user and send the DHCP Response packet to the client.
Figure 5-13 shows the networking diagram of Layer 3 access users adopting Web
authentication.
Figure 5-13 Networking diagram of Layer 3 DHCP users
The address pool selection mode for Layer 3 access is different from that for Layer 2
access. For a Layer 2 access user, the address pool searched is in the domain to which the
user belongs. For a Layer 3 access user, the address pool of the same gateway IP address
is searched according to the giaddr field in the DHCP packet. This ensures that the
allocated address is on the same network segment with the gateway IP address.
Typical Applications of IPoE - Leased-line Users

Leased line access refers to the access mode in which a certain Ethernet interface on the
BRAS or certain VLANs or PVCs on a certain interface of the BRAS are leased by a group of
users. Multiple users can access the network through one leased line, but the BRAS considers
all the users as a single user. The BRAS uniformly performs authentication, accounting,
bandwidth control, access right control, and QoS management for the users that access the
network through one leased line. According to the networking modes of leased line access,
leased lines can be classified into Layer 2 leased lines, and Layer 3 leased lines.
l Layer 2 leased line

Layer 2 leased line access refers to the access mode in which a user accesses a certain
interface on the BRAS or a certain VLAN or PVC on a certain interface of the BRAS
through a LAN switch or a DSLAM. A Layer 2 leased line is connected to the network
when the protocol status on the interface is Up. A leased line user can access the network
through DHCP or ARP. A leased line user allocated with a dynamic IP address accesses
the network through DHCP; a leased line user allocated with a static IP address accesses
the network through ARP. The services of leased line users are controlled through the
service control policy of the leased line regardless of the access modes of users. All the
traffic passes through the leased line and the BRAS restricts the bandwidth of the leased
line in a unified manner. Figure 5-14 shows Layer 2 leased line access.

Figure 5-14 Networking diagram of Layer 2 leased line access
l Layer 3 leased line

Layer 3 leased line access refers to the access mode in which a user accesses a certain
interface on the BRAS or a certain VLAN or PVC on a certain interface of the BRAS
through a Layer 3 device. When this access mode is adopted, the BRAS performs the
forwarding function. The access Layer 3 device is in charge of assigning IP addresses to
Layer 3 leased line users. The BRAS is in charge of only packet forwarding and validity
inspection. A Layer 3 leased line is connected to the network when the protocol status on
the interface is Up. Then, the users of the leased line can access the network without
accessing the BRAS. The services of the users of the Layer 3 leased line are controlled
through the service control policy of the leased line. All the traffic passes through the
leased line and the BRAS restricts the bandwidth of the leased line in a unified manner.
Figure 5-15 shows Layer 3 leased line access.
Figure 5-15 Networking diagram of Layer 3 leased line access
l Layer 2 VPN leased line

The Layer 2 VPN leased line access mode is similar to the Layer 2 leased line access
mode except that in this mode, each access interface is bound to a Layer 2 VPN. When
the Layer 2 VPN leased line access mode is adopted, the BRAS functions as a UPE. A
Layer 2 VPN leased line is connected to the network when the protocol status on the
interface is Up. Then, the users of the leased line can access the network without
accessing the BRAS. The services of leased line users are controlled through the service
control policy of the leased line regardless of the access modes of users. All the traffic

passes through the leased line and the BRAS restricts the bandwidth of the leased line in
a unified manner.
Figure 5-16 shows Layer 2 VPN leased line access.
Figure 5-16 Networking diagram of Layer 2 VPN leased line access
Typical Application of IPoE - BRAS Access Through L2VPN Termination

Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards
in load-balancing mode. Traffic from the same user may be sent from different boards. Router
B uses PBR to send traffic from the same user but different boards through the backplane to
the same authentication board. In the preceding process, VE interfaces' internal loopback is
required to support BRAS access through L2VPN termination, so that user authentication is
complete after service traffic enters boards again.

Figure 5-17 BRAS access through L2VPN termination
Typical Application of IPoE - BRAS Access Through L3VPN Termination

Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards
in load-balancing mode. Traffic from the same user may be sent from different boards. Router
B uses PBR to send traffic from the same user but different boards through the backplane to
the same authentication board. In the preceding process, VE interfaces' internal loopback on
the NP is required to support BRAS access through L3VPN termination, so that Layer 3 static
user authentication is complete after service traffic enters boards again.

Figure 5-18 BRAS access through L3VPN termination
5.3.2 Application Scenario for IPoEv6 Access
Typical IPv6oE Applications

Currently, IPv6oE supports Layer 2 individual users and Layer 3 individual users. Layer 2
individual users are connected to the BRAS through Layer 2 LAN switches, ADSL devices
such DSLAMs. Layer 3 individual users are connected to the BRAS through Layer 3 devices
such as routers.
Figure 5-19 shows IPv6oE user access.

Figure 5-19 Networking diagram for IPv6oE user access
Access of a Layer 2 IPv6 User Running ND

To access the BRAS through a Layer 2 network, an IPv6 user sends an RS message. After
receiving the RS message from the user, the BRAS authenticates the user. If the user passes
the authentication, the BRAS assigns an IPv6 prefix to the user through an RA message. After
receiving the RA message, the user generates a global unicast address by using the IPv6
prefix and the interface ID of the user, and then accesses the corresponding network by using
the address.
Figure 5-20 shows access of a Layer 2 IPv6 user running ND.
Figure 5-20 Networking diagram for access of a Layer 2 IPv6 user running ND
The PC and the BRAS need to support basic IPv6 functions. If the M on the access interface
of the BRAS is set to 0, it indicates that the BRAS assigns an address to the user connected to
the BRAS through the interface in stateless address configuration mode. In this case, binding
authentication needs to be configured on the interface, and the IPv6 prefix pool and the IPv6
address pool need to be configured on the BRAS. In addition, other user access configurations
need to be performed on the BRAS.
Access of a Layer 2 IPv4/IPv6 Dual-Stack User Running DHCPv4 and ND

To access the BRAS through a Layer 2 network, an IPv4/IPv6 dual-stack user sends an RS
message or a DHCPv4 Discovery message. After receiving the message, the BRAS

authenticates the user. If the message sent by the user is an RA message and the user passes
the authentication, the BRAS sends an RA message containing an IPv6 prefix to the user. If
the message sent by the user is a DHCPv4 Discovery message and the user passes the
authentication, the BRAS assigns an IPv4 address to the user. The user can then access the
corresponding network by using the obtained address.
After receiving an RS message or a DHCPv4 Discovery message from a user that has been
authenticated, the BRAS assigns an address of another type to the user without authenticating
the user. After obtaining the address, the user can access the corresponding network by using
the address.
Figure 5-21 shows access of an IPv4/IPv6 dual-stack user running DHCPv4 and ND.
Figure 5-21 Networking diagram for access of a Layer 2 IPv4/IPv6 dual-stack user running
DHCPv4 and ND
The PC and the BRAS need to support the IPv4/IPv6 dual stack. Compared with the access of
an IPv6 user running ND, the related IPv4 configuration needs to be performed for the access
of an IPv4/IPv6 dual-stack user.
An IPv4/IPv6 dual-stack user supports Web authentication. After the user obtains an IPv4
address and an IPv6 address, the BRAS allows the user to access the Web server only. After
the user accesses the Web server with the IPv4 address and passes the Web authentication, the
BRAS allows the user to use the IPv4 address and the IPv6 address. Then, the user can access
the corresponding IPv4 and IPv6 networks.
Access of a Layer 2 IPv4/IPv6 Dual-Stack User Running DHCPv4 and DHCPv6

In comparison with IPv4/IPv6 dual-stack users running DHCPv4 and ND, this type of dual-
stack users supports both DHCPv4 and DHCPv6. After receiving an RS packet, the BRAS
returns an RA packet with the M value as 1. The client then sends a DHCPv6 Solicit packet to
trigger user online. Alternatively, the client can first send a DHCPv4 packet to trigger user
online and then assign a type of IP address to the user after the user authentication on the
BRAS succeeds. After that, the client sends a required packet to obtain the other type of IP
address.

Figure 5-22 Networking diagram for access of a Layer 2 IPv4/IPv6 dual-stack user running
DHCPv4 and DHCPv6
Both the PC and BRAS need to support dual-stack and DHCPv6. In comparison with Layer 2
IPv6 users running DHCPv6, Layer 2 IPv4/IPv6 dual-stack users running DHCPv4/DHCPv6
require IPv4 configurations. Similar to Layer 2 IPv4/IPv6 dual-stack users running DHCPv4
and ND, Layer 2 DHCPv4/DHCPv6 dual-stack users also support web authentication.
Access of a Layer 2 IPv6 User Running DHCPv6 to Log in from the Local Address
Pool
To access the BRAS through a Layer 2 network, an IPv6 user sends an RS message to the
BRAS. The BRAS replies with an RA message with the M/O field being set to 1. After
receiving the RA message from the BRAS, the user sends a DHCPv6 Solicitation message to
the BRAS. After receiving the DHCPv6 Solicitation message from the user, the BRAS
authenticates the user. If the user passes the authentication, the BRAS assigns an IPv6 address
to the user. Then, the user can access the corresponding network by using the IPv6 address.
Figure 5-23 shows access of a Layer 2 IPv6 user running DHCPv6.
Figure 5-23 Networking diagram for access of a Layer 2 IPv6 user running DHCPv6
In the access of a Layer 2 IPv6 user running DHCPv6, the PC and the BRAS need to support
DHCPv6. If the M on the access interface of the BRAS is set to 1, it indicates that the BRAS
assigns an address to the user connected to the BRAS through the interface in stateful address
configuration mode. In this case, binding authentication needs to be configured on the
interface, and the DHCPv6 DUID, IPv6 prefix pool, and IPv6 address pool need to be

configured on the BRAS. In addition, other user access configurations need to be performed
on the BRAS.
Access of a Layer 2 IPv6 User Running DHCPv6 to Log in from the Remote
Address Pool
BRAS. The BRAS replies with an RA message with the M and O flags both being set to 1.
The user then sends a DHCPv6 Solicitation message to the BRAS. After receiving the
DHCPv6 Solicitation message, the BRAS authenticates the user. If the user is authenticated,
the BRAS provides the relay agent functionality. The user then uses an address allocated from
a remote server to access the network.
A remote IPv6 prefix pool, a remote IPv6 address pool, and a DHCPv6 server need to be
configured on the BRAS. This is different from the scenario where the address pool on the
BRAS is used to allocate an address to a user.
Access of a Layer 3 IPv6 User Running DHCPv6

router. The router replies with an RA message with the M/O field being set to 1. After
receiving the RA message with M field being set to 1 from the BRAS, the user sends a
DHCPv6 Solicitation message to the router. The router relays DHCPv6 packets between the
user and the BRAS. After receiving the DHCPv6 Solicitation message from the user, the
BRAS authenticates the user. If the user passes the authentication, the BRAS assigns an IPv6
address to the user. Then, the user can access the corresponding network by using the IPv6
address.

The PC, router, and BRAS need to support basic IPv6 functions and DHCPv6. The DHCPv6
relay function needs to be configured on the router, the DHCPv6 DUID, IPv6 prefix pool, and
IPv6 address pool need to be configured on the BRAS. In addition, other user access
configurations need to be performed on the BRAS.
Access of Residential Users Using a Routed Home Gateway in Unnumbered

Mode
As shown in Figure 5-32, home IPv6 PCs are connected to a home gateway, and the home
gateway is connected to a BRAS over a Layer 2 network. The home gateway uses DHCPv6 to
obtain an IPv6 prefix from the BRAS and uses ND or DHCPv6 to allocate IPv6 addresses to
the IPv6 PCs.
Figure 5-26 Networking diagram for access of Layer 2 IPv6 users using a routed home
gateway
In the scenario, both the home gateway and BRAS need to support DHCPv6-PD for IPv6
prefix allocation. The BRAS interface that provides access services for users must be
configured with binding authentication. A DHCPv6 DUID, an IPv6 prefix pool, an IPv6
address pool, and other user access settings must be configured on the BRAS.
Access of Residential Users Using a Routed Home Gateway in Numbered Mode

gateway is connected to a BRAS over a Layer 2 network. The home gateway uses DHCPv6 to

obtain an IPv6 prefix and an IPv6 address from the BRAS. The home gateway assigns the
obtained IPv6 address to the WAN interface and allocates IPv6 addresses to the IPv6 PCs
based on the obtained IPv6 prefix.
gateway
The BRAS needs to allocate both an IPv6 address and an IPv6 prefix to the home gateway in
numbered mode. This is different from the unnumbered mode. If addresses are to be allocated
from the local server, a delegation address pool and a local address pool need to be configured
on the BRAS. The delegation address pool is in charge of prefix allocation, and the local
address pool is in charge of address allocation.
Access of Layer 2 IPv6 Users Using a Routed Home Gateway

gateway is connected to a BRAS over a Layer 2 network. The home gateway obtains an IPv6
prefix from the BRAS through DHCPv6, and then allocates IPv6 addresses with the same
prefix to the IPv6 PCs. After obtaining IPv6 addresses, the PCs can access the network.
gateway

In the preceding scenario, both the home gateway and the BRAS must support DHCPv6-
Prefix Delegation (DHCPv6-PD) for IPv6 prefix allocation. The home gateway can allocate
IPv6 addresses to the IPv6 PCs through ND or DHCPv6. The BRAS interfaces that allow
access to users must be configured with binding authentication. The BRAS must be
configured with the DHCPv6 DUID, IPv6 prefix pool, address pool, and other access
configurations.
Access of Layer 2 IPv4/IPv6 Dual-Stack Users Through a Routed Home Gateway

As shown in Figure 5-29, IPv4/IPv6 dual-stack users can be connected to a BRAS through a
routed home gateway. As shown in the following figure, the home gateway obtains a public
IPv4 address from the BRAS through DHCPv4, allocates private IPv4 addresses to IPv4/IPv6
PCs; the home gateway obtains an IPv6 prefix from the BRAS through DHCPv6, allocates
IPv6 addresses to IPv4/IPv6 PCs according to the prefix through ND or DHCPv6, and
forwards IPv6 packets of the PCs.
Figure 5-29 Networking diagram for access of Layer 2 IPv4/IPv6 dual-stack users using a
routed home gateway
In the preceding scenario, both the home gateway and the BRAS must support IPv4/IPv6 dual
stack and DHCPv6-PD. In addition to the configurations for access of Layer 2 IPv6 users
through a routed home gateway, the related IPv4 configurations are required. Like IPv6 users,
IPv4/IPv6 dual-stack users support Web authentication.
Layer 3 Leased Line Access

As shown in Figure 5-30, the access router is in charge of allocating addresses to Layer 3
leased line users. The BRAS is only responsible for forwarding packets and performing
authentication and accounting for users. The services of user terminals that use the same
leased line are subject to the leased line control policy, including the limit on the leased line
bandwidth. Layer 3 IPv6 leased line access is triggered by configurations. If Layer 3 leased
line access is configured on the BAS interface of the BRAS, Layer 3 leased line access is
triggered when IPv6 goes Up on the interface.

Figure 5-30 Networking diagram for Layer 3 leased line access
Access of IPoEv6 Users to a 6PE/6vPE Network

As shown in Figure 5-31, after an IPoEv6 user terminal accesses a BRAS that supports the
IPv4/IPv6 dual stack and is authenticated, data packets from the user need to traverse an IPv4
or MPLS backbone network before reaching the destination IPv6 network.
Figure 5-31 Networking diagram for access of IPoEv6 users to a 6PE/6vPE network
ND Proxy
As shown in Figure 5-26, PC1 and PC2 belong to different VLANs and are both IPv6oE
users attached to the BRAS. To allow PC1 to communicate with PC2, you need to enable ND
proxy on the BRAS interfaces that connect to PC1 and PC2.

Figure 5-32 Schematic diagram of communication between users with the same prefix
through the BRAS
If PC1 and PC2 are connected to different interfaces of the BRAS, both interfaces must be
enabled with ND proxy; otherwise, the PCs cannot communicate with each other.
5.4 Terminology for IPoE Access
Term
Term Definition
ADSL Acronym for asymmetric digital subscriber

line. Technology and equipment allowing
high-speed digital communications,
including video signals, across an ordinary
twisted-pair copper phone line, with speeds
up to 8 Mbit/s downstream (to the customer)
and up to 640 Kbit/s upstream. ADSL
access to the Internet is offered by some
regional telephone companies, offering
users faster connection than those available
through connections made over standard
phone lines.
Access service The access service provides access services

to the Internet for all subscribers, including
bandwidth purchase and user priority
change.
IPv6 Internet Protocol Version 6, which is also

called IP Next Generation

Term Definition
ND Neighbor discovery, which is used during

the forwarding of IPv6 packets for duplicate
address detection, neighbor address
resolution, and neighbor reachability
detection. Additionally, ND is a set of
protocols and processes for host address
configuration. In ND, different ICMPv6
messages are used for router discovery and
neighbor discovery.
Acronyms and Abbreviations

Acronym & Abbreviation Full Name
AAA Authentication, Authorization and

Accounting
ARP Address Resolution Protocol
BRAS broadband remote access server
DHCP Dynamic Host Configuration Protocol
DSLAM Digital Subscriber Line Access Multiplexer
IPoE IP over Ethernet
IPoEoQ IP over Ethernet over QinQ
IPoEoVLAN IP over Ethernet over VLAN
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service
UDP User Datagram Protocol
VPN virtual private network
DAD Duplicate Address Detection
NS Neighbor Solicitation
NA Neighbor Advertisement
PD Prefix delegation
RS Router Solicitation
RA Router Advertisement
DHCPv6 Dynamic Host Configuration Protocol for

IPv6 (DHCPv6)

Acronym & Abbreviation Full Name
DUID A DHCP Unique Identifier for a DHCP

participant

Ipoe Access: About This Chapter

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ipoe Access: About This Chapter

Uploaded by

Copyright:

Available Formats

HUAWEI NetEngine40E Universal Service Router

Feature Description - User Access 5 IPoE Access

About This Chapter

5.1 Overview of IPoE Access

5.1 Overview of IPoE Access

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 117

5.2 Understanding IPoE Access

5.2.1 IPoEv4 Access Fundamentals

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 118

Modes of IPoE Access

l Common IPoE access

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 119

Interaction Process for IPoEv4 Users to Get Online

Figure 5-1 Overall Service Procedure

1. After a user terminal (such as an NGN telephone or an IPTV STB) is powered on or

Extension functions of IPoEv4

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 120

5.2.2 IPoEv6 Access Fundamentals

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 121

authentication, the information about the physical connections of users is used to

5.2.3 Web Authentication Process

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 122

Web Authentication Process

Figure 5-2 User login process in proactive web authentication mode

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 123

Figure 5-3 User login process in mandatory web authentication mode

Web Authentication Modes

l Layer 2 authentication: Web authentication is enabled on the BRAS interface that

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 124

– Inter-Layer 3 authentication: is implemented in basically the same way as direct

5.2.4 Web+MAC Authentication Process

Web+MAC authentication, aiming to simplify web authentication, is the most common

First Internet Access of a User

Figure 5-4 First Internet access process

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 125

Subsequent Internet Access of a User

Figure 5-5 Subsequent Internet access process

5.2.5 Fast Authentication Process

User Login Process

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 126

Figure 5-6 User login process

User Logout Process

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 127

Figure 5-7 User logout process

Username Generation Mode

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 128

Password Generation Modes

5.3 Application Scenarios for IPoE Access

5.3.1 Application Scenario for IPoEv4 Access

Typical Applications of IPoE - Private Users

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 129

A Layer 2 user can go online by sending a DHCP, IP, or ARP packet.

Figure 5-9 Login process through a DHCP packet

i. A DHCP client sends a DHCP Discover or DHCP Request packet to a BRAS.

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 130

Figure 5-11 shows the process of remote login of a DHCP user.

Figure 5-11 Remote login of a DHCP user

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 131

l A Layer 3 DHCP user:

Issue 02 (2019-09-30) Copyright © Huawei Technologies Co., Ltd. 132

Figure 5-13 Networking diagram of Layer 3 DHCP users

Typical Applications of IPoE - Leased-line Users

l Layer 2 leased line