NetEngine 8000 M14, M8 and M4 V800R022C10 Configuration Guide 22 Value-Added Services
Configuration Guide
Issue 01
Date 2023-03-31
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://www.huawei.com
Email: support@huawei.com
Contents
1 Configuration
1.1 Value-Added Services
1.1.1 BOD Configuration
1.1.1.1 BOD Description
1.1.1.1.1 Introduction of BOD
1.1.1.1.2 Understanding BOD
1.1.1.1.3 Application Scenarios for BOD
1.1.1.1.4 Terminology for BOD
1.1.1.2 BOD Configuration
1.1.1.2.1 Overview of BOD
1.1.1.2.2 Feature Requirements for BOD
1.1.1.2.3 Configuring BOD
1.1.1.2.4 Configuration Examples for BOD
1.1.2 DAA Configuration
1.1.2.1 DAA Description
1.1.2.1.1 Overview of DAA
1.1.2.1.2 Understanding DAA
1.1.2.1.3 Application Scenarios for DAA
1.1.2.1.4 Terminology for DAA
1.1.2.2 DAA Configuration
1.1.2.2.1 Overview of DAA
1.1.2.2.2 Feature Requirements for DAA
1.1.2.2.3 Summary of DAA Configuration Tasks
1.1.2.2.4 Configuring DAA
1.1.2.2.5 Configuration Examples for DAA
1.1.3 EDSG Configuration
1.1.3.1 EDSG Description
1.1.3.1.1 Introduction of EDSG
1.1.3.1.2 Understanding EDSG
1.1.3.1.3 Application Scenarios for EDSG
1.1.3.1.4 Terminology for EDSG
1.1.3.2 EDSG Configuration
1.1.3.2.1 Overview
1 Configuration
This feature applies only to the NetEngine 8000 M4, NetEngine 8000 M8, NetEngine 8000
M14, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M8, NetEngine 8000E
M14.
Definition
Bandwidth on demand (BOD) is a value-added service featuring dynamic
bandwidth allocation. When users need to adjust their bandwidths, they can
dynamically activate or deactivate the BOD service through a portal server,
achieving bandwidth adjustment without carriers' intervention.
Purpose
With the diversification of network applications such as VoIP and IPTV, users
place more requirements on network bandwidth. BOD services can enhance
interaction between users and networks and improve network resource usage
efficiency while meeting users' personalization requirements and reducing user
costs.
Benefits
BOD offers the following benefits to carriers:
● Carriers can provide target customers with flexible service and tariff policies,
increasing the average revenue per user (ARPU) and operating revenues.
● Carriers can rapidly deploy new services, avoiding homogeneous competition
and reducing the user churn rate.
● Carriers can adjust user bandwidths based on tariff policies to maximize
bandwidth utilization and protect investment.
● Carriers can provide self-service for users, reducing O&M costs.
BOD offers the following benefits to users:
● Users can flexibly customize personal services.
● Users do not need to pay for unnecessary broadband.
BOD Overview
BOD is one of the value-added services. Therefore, this section introduces BOD by
describing the value-added service process.
The interfaces connecting the BRAS and an AAA server use RADIUS or HWTACACS; the
interfaces connecting the BRAS and an SSS use RADIUS or DIAMETER.
NOTE
The process for the RADIUS server to use a DM message to delete a BOD
service policy is as follows:
1. The RADIUS server sends a BOD service policy deletion message to the BRAS.
2. The BRAS sends the RADIUS server a response message indicating that the
BOD service policy is deleted.
3. The BRAS sends an accounting stop request to the RADIUS server.
4. The RADIUS server sends an accounting stop response to the BRAS.
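Steps 1 and 2 of the RADIUS DM exchange are only as trustworthy as the shared key configured for the RADIUS server group, because the BRAS accepts a Disconnect-Request only if its Request Authenticator verifies. The following Python example is added here and is not part of the Huawei guide: it implements the RFC 5176 authenticator check on both sides, with a constructed shared secret, user name and session ID. The attribute the device uses to name the BOD service policy is not shown on this page and is left out.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes used in this example
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 5176


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(blob):
    """Parse the attribute area, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def make_packet(code, ident, auth_input, attrs, secret):
    """Authenticator = MD5(code, id, length, auth_input, attributes, secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + auth_input + attrs + secret).digest()
    return header + auth + attrs


def build_disconnect_request(ident, attrs, secret):
    """RADIUS server side: a request is hashed over 16 zero octets."""
    return make_packet(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)


def split_packet(packet):
    """Return (code, identifier, authenticator, attribute bytes)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    return code, ident, packet[4:20], packet[20:length]


def authenticator_ok(packet, auth_input, secret):
    """Recompute the authenticator and compare in constant time."""
    code, ident, auth, attrs = split_packet(packet)
    expected = make_packet(code, ident, auth_input, attrs, secret)[4:20]
    return hmac.compare_digest(auth, expected)


def bras_handle_dm(packet, secret, sessions):
    """BRAS side: drop unauthenticated requests, else answer ACK or NAK.

    sessions is a set of (user name, session id) pairs; this session table
    is a stand-in for the device's real service entries (assumption).
    """
    try:
        code, ident, req_auth, raw = split_packet(packet)
        if code != DISCONNECT_REQUEST:
            return None
        if not authenticator_ok(packet, bytes(16), secret):
            return None  # forged or corrupted: silently discard
        attrs = decode_attrs(raw)
    except ValueError:
        return None
    key = (attrs.get(ATTR_USER_NAME), attrs.get(ATTR_ACCT_SESSION_ID))
    if key in sessions:
        sessions.discard(key)
        return make_packet(DISCONNECT_ACK, ident, req_auth, b"", secret)
    cause = encode_attr(ATTR_ERROR_CAUSE,
                        struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return make_packet(DISCONNECT_NAK, ident, req_auth, cause, secret)


def server_accepts_reply(reply, request, secret):
    """RADIUS server side: the reply is hashed over the request authenticator."""
    _, req_ident, req_auth, _ = split_packet(request)
    code, ident, _, _ = split_packet(reply)
    return (ident == req_ident
            and code in (DISCONNECT_ACK, DISCONNECT_NAK)
            and authenticator_ok(reply, req_auth, secret))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    sessions = {(b"user1@isp1", b"sess-0001")}     # constructed sample session
    attrs = (encode_attr(ATTR_USER_NAME, b"user1@isp1")
             + encode_attr(ATTR_ACCT_SESSION_ID, b"sess-0001"))
    request = build_disconnect_request(7, attrs, secret)
    reply = bras_handle_dm(request, secret, sessions)
    print("reply code:", reply[0],
          "verified:", server_accepts_reply(reply, request, secret))
```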
The process for the Diameter server to use an RAR message to delete a BOD
service policy is as follows:
1. The Diameter server sends an RAR message to the BRAS to delete a BOD
service policy.
2. The BRAS sends the Diameter server a response message indicating that the
BOD service policy is deleted.
Zero quotas are delivered after quota exhaustion.
1. When a user's quota is exhausted, the BRAS sends a real-time accounting
request to the RADIUS server. The BRAS sends a CCR-U request to the Diameter
server.
2. The RADIUS server delivers zero quotas to the BRAS. The Diameter server
responds to the BRAS with a CCA-T message carrying zero quotas.
3. The service goes offline, and the BRAS sends an accounting stop request to
the RADIUS server. The BRAS sends a CCR-T request to the Diameter server.
4. The RADIUS server sends an accounting stop response to the BRAS. The
Diameter server sends a CCA-T response to the BRAS.
BOD traffic is user traffic. The total traffic volume of a user is stored separately
from the total BOD traffic volume of the user. The user traffic volume displayed in
AAA entries is the difference between the two traffic volumes. The BOD traffic
increment is not counted into the value-added service.
After a BOD service is installed, service entries store the total user traffic volume
on the AAA server during BOD service installation. When the BOD service exists
and its traffic volume needs to be obtained, the system obtains the total current
traffic volume from the AAA server. The current BOD traffic volume can be
obtained by subtracting the initial traffic volume during BOD service installation
from the total current traffic volume.
As shown in Figure 1-3, the RM9000 functions as a policy server. The user logs in
to the portal server's portal page to select a desired bandwidth type. The portal
server then submits the selected bandwidth type to the RM9000. After going
online, the user visits ISP1's email server and sends emails at a default bandwidth
of 2 Mbit/s. To visit ISP2's video server, the user must apply for a higher service
bandwidth. After the user selects a desired bandwidth type, the portal server sends
the selected bandwidth type to the RM9000. The RM9000 instructs the BRAS to
change the user bandwidth to 10 Mbit/s, and the BRAS sends an accounting
packet to the RM9000. Then the user can access the requested video service at 10
Mbit/s.
CoA Change-of-Authorization
DM Disconnect Message
CCR Credit-Control-Request
CCA Credit-Control-Answer
Procedure
Step 1 Run system-view
----End
Context
If a value-added service policy is delivered over RADIUS, you must configure a
RADIUS server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M.
For details about the configuration, see Configuring a Device as a RADIUS Client.
If a value-added service policy is delivered over Diameter, you must configure a
Diameter server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000
M. For details about the configuration, see Configuring a Diameter Server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run accounting-scheme scheme-name
An accounting scheme is created.
Step 4 Run accounting interim interval interval [ second ] [ traffic ] [ hash ]
A real-time accounting interval is configured. The traffic and hash parameters can
be configured to prevent the server performance from deteriorating when the
server receives a large number of real-time accounting packets.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run value-added-service bod portal-reserved
The device is enabled to reserve portal services when BOD is deployed.
Step 3 Run value-added-service policy service-policy-name bod
A BOD service policy is created, and its view is displayed.
Step 4 Run accounting-scheme scheme-name
An existing accounting scheme is configured for the BOD service policy.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
NOTE
● Value 1 indicates that the accounting server supports dynamic switching of value-
added service policy templates. After the policy server releases a new template, users
are not charged with the corresponding tariff level, and a new accounting service is
generated.
● Value 2 indicates that the accounting server supports normal switching of value-added
service policy templates. After the policy server releases a new template, users can
only obtain the QoS parameters in it. Real-time accounting packets are sent after
original bandwidth restrictions are updated.
----End
Procedure
● Run the display value-added-service policy command to check value-added
service policy information.
● Run the display value-added-service user command to check value-added
service information.
● Run the display diameter-group bind-info command to check the bindings
between AAA domains and Diameter server groups.
● Run the display dhcp option-64 qos-profile [ domain domain-name ]
configuration command to check the Option 64 parsing mode configured in
the system view or the AAA domain view.
● Run the display dhcp receive server-packet [ domain domain-name ]
configuration command to check whether the router is enabled in the system
view or the domain view to process ACK packets destined for gateways from a
DHCP server.
----End
Networking Requirements
As shown in Figure 1-4, the networking requirements are as follows:
● The basic value-added service policy for users in domain isp1 is to implement
RADIUS charging and allow users in this domain to access network segment
192.168.100.0/24.
● The IP address and port number of the RADIUS authentication server are
10.10.10.2 and 1812, respectively. The IP address and port number of the
RADIUS accounting server are 10.10.10.2 and 1813, respectively. The default
values are used for other parameters.
● The IP address and port number of the Diameter server are 10.10.10.3 and
3288, respectively.
Networking Diagram
Configuration Roadmap
1. Configure an authentication scheme and an accounting scheme.
2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure a policy server.
5. Configure a value-added service accounting mode.
6. Configure a QoS profile.
7. Configure a BOD service policy.
8. Configure an AAA domain.
9. Configure interfaces.
Data Preparation
To complete the configuration, you need the following data:
● Authentication scheme name and authentication mode
● Accounting scheme name and accounting mode
● RADIUS server group name, and IP addresses and port numbers of the
RADIUS authentication server and accounting server
● Address pool name, gateway address, server group name, and IP addresses on
different network segments
● BOD traffic policy
● QoS profile and BOD service template
● Domain name
● Interface parameters
Configuration Procedure
1. Configure AAA.
# Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
Configuration Files
#
sysname HUAWEI
#
value-added-service enable
#
diameter enable
#
diameter-local huawei interface GigabitEthernet0/5/0 host test107 realm huawei.com product NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M
#
diameter-peer huawei ip 10.10.10.3 port 3288 host pcrf realm huawei.com
#
radius-server group group1
 radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
diameter-server group huawei
 diameter-link local huawei peer huawei client-port 4097 weight 5
#
ip pool pool1 bas local
 gateway 172.16.100.1 255.255.255.0
 section 0 172.16.100.2 172.16.100.200
#
dot1x-template 1
#
aaa
 authentication-scheme auth1
 #
 authorization-scheme default
 #
 accounting-scheme acct1
 #
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  ip-pool pool1
  diameter-server group huawei
  value-added-service account-type radius group1
  radius-server group group1
#
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
 car cir 5000 cbs 935000 green pass red discard outbound
#
value-added-service policy bod1 bod
 accounting-scheme acct1
 qos-profile qos-prof1
#
interface Virtual-Template1
 ppp authentication-mode auto
#
interface GigabitEthernet0/4/4.1
 vlan-type dot1q 1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/5/0
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/4/2
 pppoe-server bind Virtual-Template 1
 undo shutdown
 bas
 #
  access-type layer2-subscriber
 #
#
return
This feature applies only to the NetEngine 8000 M4, NetEngine 8000 M8, NetEngine 8000
M14, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M8, NetEngine 8000E
M14.
Definition
Destination address accounting (DAA) implements differentiated accounting, rate
limit, and priority scheduling based on traffic destination addresses.
Purpose
DAA is performed at different tariff levels that are defined based on different
destination addresses of user access traffic. The functions implemented in carriers'
broadband operation are as follows:
Benefits
DAA offers the following benefits to carriers:
● Carriers can use DAA to distinguish between Internet traffic and intranet
traffic and perform accounting based on different tariff levels, ensuring
operation revenues.
● Carriers can identify services based on the network segments of servers
storing the services. When users access these servers to obtain services,
carriers can perform differentiated rate limit, scheduling, and accounting on
the services.
1. The user sends a login request to the BRAS. The BRAS sends a user
authentication request to the AAA server. The AAA server returns a user
authentication success message to the BRAS.
2. The BRAS reports the user's information to the RADIUS server over RADIUS,
and the RADIUS server delivers a DAA service policy to the BRAS over RADIUS.
The BRAS converts the policy information, delivers the information to an
interface board, and generates a service.
3. When the user accesses a network, the BRAS uses an ACL to match the
destination address accessed by the user, and performs independent rate limit
and accounting for traffic to the local network and Internet.
4. The BRAS sends an accounting stop request packet for basic services to the
AAA server. The server uses the DAA service policy in the packet to identify
services and provides rate limit.
● Accounting mode
The accounting mode determines the type of a server that the BRAS uses for
accounting. Default accounting, none accounting, and RADIUS accounting can
be adopted for the value-added services.
● QoS profile
A QoS profile can be used to associate QoS with DAA for traffic policing and
rate control. As shown in Figure 1-8, the tariff level maps to the QoS
priority, and the priority is used for scheduling.
As shown in Figure 1-10, the BRAS obtains the quality of service (QoS) profile
for the tariff level using the DAA service policy template. Then it uses the QoS
profile to obtain CAR parameters and the mapping between tariff levels and
flow queues (FQs). Based on the CAR parameters and the mapping between
tariff levels and FQs, the BRAS performs rate limit and priority scheduling on
the DAA service flows and gathers traffic statistics.
Basic Concepts
Each type of service can correspond to one tariff level, implementing service-based
refined operation functions and meeting requirements for settlement between
local network carriers and Internet toll network carriers and for value-added
services.
Statistical Mode
User and service traffic supports the following statistical modes:
● Statistics separation: DAA service traffic is not counted into user traffic.
● Statistics unseparation: DAA service traffic is counted into user traffic.
The following rate limit modes are supported:
● Rate limit separation: DAA service traffic is unlimited by the user bandwidth.
● Rate limit unseparation: DAA service traffic is limited by the user bandwidth.
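How destination-based matching and the two statistical modes interact, as an added Python example that is not from the Huawei guide. The network segments, tariff levels and byte counts are constructed, and the ACL match order is modelled in simplified form (an assumption): config takes rules in configured order, auto takes the longest destination prefix first.

```python
import ipaddress
from collections import defaultdict


def order_rules(rules, match_order="config"):
    """Return the rules in the order they are evaluated.

    rules is a list of (destination network, tariff level) pairs.
    Simplified model: "config" keeps the configured order, "auto" tries
    the longest prefix first and keeps configured order between equals.
    """
    if match_order == "config":
        return list(rules)
    if match_order == "auto":
        return sorted(rules,
                      key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
                      reverse=True)
    raise ValueError("match_order must be 'config' or 'auto'")


def tariff_for(dst, rules, match_order="config"):
    """Tariff level of the first rule that matches dst, or None."""
    addr = ipaddress.ip_address(dst)
    for network, level in order_rules(rules, match_order):
        if addr in ipaddress.ip_network(network):
            return level
    return None


def account(flows, rules, separate_statistics, match_order="config"):
    """Accumulate per-tariff DAA counters and the basic user counter.

    Statistics separation: DAA traffic is not counted into user traffic.
    Statistics unseparation: DAA traffic is counted into user traffic too.
    Traffic that matches no DAA rule is always plain user traffic.
    """
    user_bytes = 0
    tariff_bytes = defaultdict(int)
    for dst, nbytes in flows:
        level = tariff_for(dst, rules, match_order)
        if level is None:
            user_bytes += nbytes
            continue
        tariff_bytes[level] += nbytes
        if not separate_statistics:
            user_bytes += nbytes
    return {"user_bytes": user_bytes, "tariff_bytes": dict(tariff_bytes)}


if __name__ == "__main__":
    # Constructed sample data: tariff 1 = local segment, tariff 2 = external.
    rules = [("192.168.100.0/24", 1), ("203.0.113.0/24", 2)]
    flows = [("192.168.100.10", 1000), ("203.0.113.5", 4000),
             ("198.51.100.9", 500)]
    print("separated:  ", account(flows, rules, separate_statistics=True))
    print("unseparated:", account(flows, rules, separate_statistics=False))

    # Overlapping rules: the evaluation order decides which tariff is billed.
    overlap = [("192.168.0.0/16", 3), ("192.168.100.0/24", 1)]
    print("config order:", tariff_for("192.168.100.10", overlap, "config"))
    print("auto order:  ", tariff_for("192.168.100.10", overlap, "auto"))
```

With overlapping destination rules, the same packet lands in a different tariff level depending on the match order, so rule ordering is worth reviewing alongside the tariff plan.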
Account Type
Default accounting, none accounting, and RADIUS accounting can be adopted for
the value-added services.
Default Accounting
● If the RADIUS server delivers the value-added service policy, the system
searches for the local value-added policy matching the policy name delivered
by the RADIUS server, and then performs accounting according to the
accounting scheme configured in the local value-added service policy.
● If a value-added service policy is bound to the domain, all users in the domain
use this policy as the default value-added service policy. When the service
policy is not sent by the policy server, the system performs accounting according
to the accounting scheme configured in the bound value-added service policy.
None Accounting
● The system does not perform accounting for the value-added service,
regardless of whether a value-added service policy is bound to the domain
and regardless of the accounting scheme configured in the value-added service
policy.
RADIUS Accounting
● If radius is specified in the value-added-service account-type command,
RADIUS accounting is performed for the value-added service, regardless of
whether a value-added service policy is bound to the domain.
3. The AAA server generates service CDR files and sends the CDR files to the
billing system.
4. The billing system performs rating, charging, and settlement based on the
user name, service policy name, and preset tariff conversion relationship in
the CDR files.
● Real-time accounting: To ensure the timeliness and accuracy of user service
accounting, the BRAS can send service accounting packets to the RADIUS
server at a configurable interval. (If real-time accounting is required,
configure an accounting scheme with real-time accounting specified in a
service policy.)
● Accounting stop: After a service is deactivated and a forwarding channel is
deleted, accounting stop is immediately triggered for the service.
1. The user sends a logout request to the BRAS. The BRAS sends an accounting
stop request packet to the AAA server.
2. The AAA server sends an accounting stop response packet to the BRAS.
3. The BRAS sends an accounting stop request packet for basic services to the
AAA server.
4. The AAA server sends an accounting stop response packet for basic services to
the BRAS, and the user goes offline successfully.
If an online user uses a DAA service, a CoA message can be used to deliver a new
DAA service policy to adjust the DAA service's bandwidth. If a user goes online but
a DAA service is disabled, a CoA message cannot be delivered to activate a DAA
service. The RADIUS server can be used to switch a DAA service policy (uniform
and non-uniform accounting) and content (non-uniform accounting).
c. In uniform accounting mode, when the service goes offline, the BRAS
sends an accounting stop request to the RADIUS server. In non-uniform
accounting mode, when the user bandwidth parameter is updated to 0,
traffic fails to be forwarded.
d. In uniform accounting mode, the RADIUS server sends an accounting stop
response to the BRAS.
● In uniform accounting mode, no quota is delivered after quota exhaustion.
a. When a user's quota is exhausted, the BRAS sends a real-time accounting
request to the RADIUS server.
b. The RADIUS server does not deliver a quota, and the BRAS determines
whether to log out the service based on the configuration. By default, the
service remains online.
c. In uniform accounting mode, if the service is configured to go offline, the
BRAS sends an accounting stop request to the RADIUS server. In non-
uniform accounting mode, when the user bandwidth parameter is
updated to 0 through a configuration, traffic fails to be forwarded.
d. In uniform accounting mode, the RADIUS server sends an accounting stop
response to the BRAS.
PUPP Mode
In the per user per policy (PUPP) traffic management mode, a policy is specified
for each user. Either the same policy or different policies can be specified for
different users.
As shown in Figure 1-15, multiple users in an enterprise access the network over
a Layer 2 or Layer 3 leased line. All the users in the enterprise are on the same
VPN. Applying a traffic policy for each user allows access control between
different users in the enterprise.
CoA Change-of-Authorization
● Check whether the used AAA server type is available for the DAA function on
a BRAS and whether a device functions as a policy server.
● Check whether the configured AAA domain and user group are consistent
with DAA deployment objectives. If they are inconsistent, reconfigure an AAA
domain and a user group and ensure that the reconfiguration does not affect
user services or AAA procedures.
● Do not configure both DAA and behavior aggregate (BA) classification
because they are mutually exclusive.
Usage Scenario
Typical DAA usage scenarios are as follows:
● In some regions, small local carriers need to rent backbone carriers' lines to
provide Internet access services to users. The local carriers also need to pay
the backbone carriers for traffic over the backbone networks. Low fees are
charged for traffic over a local network, whereas high fees are charged for
traffic over a backbone network. To increase revenues, local carriers need a
solution that can distinguish the two types of traffic and perform accounting
based on tariff levels. DAA meets this requirement and is capable of
performing differentiated accounting on traffic over both local and backbone
networks.
● When campus users access a campus network, the carrier does not charge
any fees or charges low fees, and the carrier does not limit their access rates.
However, when campus users access an external network, the carrier charges
high fees and limits their access rates. DAA is capable of performing
differentiated accounting and rate limit on traffic over the campus and
external networks, increasing carrier revenues.
● Many Internet services, such as gaming, File Transfer Protocol (FTP), video on
demand (VOD), and news services, have different costs and bandwidth
requirements. Carriers need to perform differentiated accounting and rate
limit on different services. When network congestion occurs, the quality of the
services is guaranteed based on their priorities. For example, if the priority of
gaming services is higher than that of news services, the quality of the
gaming services is preferentially guaranteed during network congestion. DAA
can also meet this requirement. Carriers deploy various services on different
servers. When users access these servers, DAA distinguishes services based on
the network segments on which the servers reside and performs differentiated
accounting, rate limit, and priority scheduling.
Pre-configuration Tasks
Before configuring DAA, complete the following tasks:
● Run the license active command to load the BRAS and DAA licenses.
● Configure an authentication scheme, an accounting scheme, and a RADIUS
server group for a DAA service policy (for details, see AAA and User
Management Configuration (Access Users)).
● Configure an address pool (for details, see Configuring an IPv4 Address Pool
and an Address Pool Group).
● Configure a domain and bind the authentication scheme, accounting scheme,
address pool, and RADIUS server group to the domain (for details, see
Configuring a Domain).
● Configure a BAS interface (for details, see IPoE Access Configuration and
PPPoE Access Configuration).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run value-added-service enable
The value-added service function is enabled globally.
Step 3 Run commit
The configuration is committed.
----End
Context
If a value-added service policy is delivered over RADIUS, you must configure a
RADIUS server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M.
For details about the configuration, see Configuring a Device as a RADIUS Client.
If a value-added service policy is delivered over Diameter, you must configure a
Diameter server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000
M. For details about the configuration, see Configuring a Diameter Server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run accounting-scheme acct-scheme-name
An accounting scheme is created.
Step 4 Run accounting interim interval interval [ second ] [ traffic ] [ hash ]
An interval for real-time accounting and conditions for sending real-time
accounting packets are configured, and real-time accounting packets are hashed
for the accounting scheme.
NOTE
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Configure a DAA traffic policy and globally apply it.
1. Run the acl { name ucl-acl-name [ ucl | [ ucl ] number ucl-acl-number ] |
[ number ] ucl-acl-number } [ match-order { auto | config } ] command to
create an ACL and enter the ACL view.
2. Run the corresponding command to create an ACL rule based on the protocol
type.
This command can take effect only after the accounting-together enable command is run.
----End
Context
After a value-added service policy is applied to a domain, all users in the domain
use this policy as the default value-added service policy. The service policy sent by
a policy server takes precedence over the service policy configured in a domain.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
NOTE
● You can configure a user group using any of the following methods:
– Configure a user group in a domain.
– Configure a user group using a DAA service policy template.
– Deliver a user group through the RADIUS server.
The user group configured using a DAA service policy template has the highest priority,
followed by the one delivered by the RADIUS server, and then the one configured in a
domain.
● The DAA service tariff level used by users must be the same as the DAA ACL tariff level
planned for the user group to which the users belong.
----End
Context
When enterprise users access the router over a Layer 3 leased line, each enterprise
belongs to a VPN. You can apply a DAA service policy to a BAS interface to allow
access control between users in an enterprise as well as policy sharing between
users in different enterprises. When Layer 2 or Layer 3 leased line users are not
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Run access-type layer2-leased-line user-name uname password { cipher
password | simple password } [ bas-interface-name bname | default-domain
authentication dname | accounting-copy radius-server rd-name | nas-port-type
{ async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs |
hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl |
cable | wireless-other | 802.11 } ] * or access-type layer3-leased-line
{ user-name uname | user-name-template } password { cipher password | simple
password } [ default-domain authentication dname | bas-interface-name
bname | accounting-copy radius-server rd-name | nas-port-type { async | sync |
isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 |
g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other
| 802.11 } | mac-address mac-address | client-id client-id ] *
The BAS interface is configured as a Layer 2 or Layer 3 leased line interface.
Step 5 Run value-added-service policy policy-name
A DAA service policy is applied to the BAS interface.
Step 6 Run quit
Return to the system view.
Step 7 Run commit
The configuration is committed.
----End
Configuring PUPP
Context
In per user per policy (PUPP) traffic management mode, a policy is specified for
each user. Either the same policy or different policies can be specified for different
users. When enterprise users access the router over a Layer 3 leased line, each
enterprise belongs to a VPN. You can apply a traffic policy to a BAS interface to
allow access control between users in the same enterprise. When Layer 2 or Layer
3 leased line users are not authenticated, applying a traffic policy to a BAS
interface is also required to allow access control between Layer 2 or Layer 3 leased
line users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Run access-type layer2-leased-line user-name uname password { cipher
password | simple password } [ bas-interface-name bname | default-domain
authentication dname | accounting-copy radius-server rd-name | nas-port-type
{ async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs |
hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl |
cable | wireless-other | 802.11 } ] * or access-type layer3-leased-line
{ user-name uname | user-name-template } password { cipher password | simple
password } [ default-domain authentication dname | bas-interface-name
bname | accounting-copy radius-server rd-name | nas-port-type { async | sync |
isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 |
g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other
| 802.11 } | mac-address mac-address | client-id client-id ] *
The BAS interface is configured as a Layer 2 or Layer 3 leased line interface.
Step 5 Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the BAS interface.
Step 6 Run quit
Return to the system view.
Step 7 Run traffic behavior behavior-name
A traffic behavior is defined and the traffic behavior view is displayed.
Step 8 (Optional) Run match termination
ACL matching for low-priority traffic that matches the PUPP traffic policy is
terminated.
Step 9 Run quit
Return to the system view.
Step 10 Run commit
The configuration is committed.
----End
Context
When a large number of users go online and each user applies for many value-
added services, a large number of accounting packets are generated. Due to the
limited processing capability of a RADIUS accounting server, the number of
accounting packets sent by a device to a RADIUS accounting server must be
reduced to relieve the pressure on the RADIUS accounting server.
Procedure
Step 1 Enable accounting packet merging for value-added services.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.
3. Run domain domain-name
The AAA domain view is displayed.
4. Run value-added-service accounting-merge { daa { start | stop | interim
interval interval [ hash ] } | edsg { stop | interim interval interval
[ hash ] } }
Accounting packet merging is enabled for value-added services.
5. Run commit
The configuration is committed.
Step 2 (Optional) Set the maximum length of a post-merging accounting packet for
value-added services.
1. Run system-view
The system view is displayed.
2. Run radius-server group group-name
The RADIUS server group view is displayed.
3. Run radius-server accounting-merge max-length length
The maximum length is set for a post-merging accounting packet for value-
added services.
4. Run commit
The configuration is committed.
Step 3 (Optional) Enable a post-merging accounting packet that fails to be sent for
value-added services to enter the accounting packet cache.
1. Run system-view
The system view is displayed.
2. Run value-added-service accounting-merge cache enable
A post-merging accounting packet that fails to be sent for value-added
services is enabled to enter the accounting packet cache.
3. Run commit
The configuration is committed.
----End
(Optional) Enabling the Device to Report Statistics About Dropped DAA Service
Traffic
You can enable the device to report statistics about dropped DAA service traffic.
This allows you to query information about users with such traffic.
Context
To query information about users with dropped DAA service traffic, enable the
device to report statistics about dropped DAA service traffic. The information can
be used to locate the device that dropped DAA service traffic.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run value-added-service daa report-dropped-flow enable
The device is enabled to report statistics about dropped DAA service traffic.
----End
Result
After the preceding configurations are complete, run the
display value-added-service user daa with-dropped-flow command to query
information about users with dropped DAA service traffic. Then run the
display value-added-service user user-id command to query the number of dropped
upstream and downstream DAA service packets.
Procedure
● Run the display value-added-service policy command to check information
about value-added service policies.
● Run the display value-added-service user command to check information
about all users using value-added services.
● Run the display value-added-service user user-id command to check
information about a specified user using value-added services.
----End
Networking Requirements
On the network shown in Figure 1-16:
● The domain to which users belong is isp1, and the limited bandwidth is 20
Mbit/s.
● The accounting mode is RADIUS accounting; the user group to which the
users belong is isp1; tariff level 1 is used for the users who access the network
segment 192.168.100.0/24 and the limited bandwidth is 10 Mbit/s; tariff level
5 is used for the users who access the network segment 192.168.200.0/24 and
the limited bandwidth is 5 Mbit/s.
● The IP address and port number of the RADIUS authentication server are
10.10.10.2 and 1812, respectively. The IP address and port number of the
RADIUS accounting server are 10.10.10.2 and 1813, respectively. The default
values are used for other parameters.
Networking Diagram
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA.
Data Preparation
To complete the configuration, you need the following data:
Configuration Procedure
1. Configure AAA.
# Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] quit
# Configure a traffic behavior named tb1, and set an action for tariff level 1.
[*HUAWEI] traffic behavior tb1
[*HUAWEI-behavior-tb1] tariff-level 1
[*HUAWEI-behavior-tb1] car
[*HUAWEI-behavior-tb1] traffic-statistic
[*HUAWEI-behavior-tb1] quit
# Configure a traffic behavior named tb2, and set an action for tariff level 5.
[*HUAWEI] traffic behavior tb2
[*HUAWEI-behavior-tb2] tariff-level 5
[*HUAWEI-behavior-tb2] car
[*HUAWEI-behavior-tb2] traffic-statistic
[*HUAWEI-behavior-tb2] quit
NOTE
When priority scheduling based on tariff levels is enabled, the tariff levels configured here
must be consistent with those configured in 5.
8. Configure an AAA domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group group1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] user-group isp1
[~HUAWEI-aaa-domain-isp1] value-added-service policy vp-daa
[~HUAWEI-aaa-domain-isp1] value-added-service account-type radius group1
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[~HUAWEI-aaa-domain-isp1] qos-profile qos-prof3 inbound
[~HUAWEI-aaa-domain-isp1] qos-profile qos-prof3 outbound
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
NOTE
If a RADIUS server is used to deliver a DAA service policy, you may not bind a DAA
service policy to a domain. The RADIUS server delivers a DAA service policy name
through the HW-Policy-Name (26-95) attribute carried in an authentication response
packet.
9. Configure interfaces.
# Create a virtual template (VT).
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit
[~HUAWEI-GigabitEthernet0/1/2] quit
Configuration Files
#
sysname HUAWEI
#
user-group isp1
#
value-added-service enable
#
qos-profile qos-prof3
 car cir 20000 cbs 1870000 green pass red discard inbound
 car cir 20000 cbs 1870000 green pass red discard outbound
qos-profile qos-prof2
 car cir 10000 cbs 1870000 green pass red discard inbound
 car cir 10000 cbs 1870000 green pass red discard outbound
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
 car cir 5000 cbs 935000 green pass red discard outbound
#
radius-server group group1
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
acl number 6000
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
 rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group isp1
#
acl number 6001
 rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
 rule 15 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group isp1
#
traffic classifier tc2 operator or
 if-match acl 6001
traffic classifier tc1 operator or
 if-match acl 6000
#
traffic behavior tb1
 tariff-level 1
 car
 traffic-statistic
traffic behavior tb2
 tariff-level 5
 car
 traffic-statistic
#
traffic policy traffic_policy_daa1
 share-mode
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2
#
ip pool pool1 bas local
 gateway 172.16.100.1 255.255.255.0
 section 0 172.16.100.2 172.16.100.200
#
dot1x-template 1
#
aaa
 authentication-scheme auth1
 #
 authorization-scheme default
 #
 accounting-scheme acct1
 #
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  ip-pool pool1
  value-added-service policy vp-daa
  radius-server group group1
  user-group isp1
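The following Python check is an added example, not part of the Huawei guide. It parses the ACL, classifier, behavior, and policy stanzas of the configuration file above and reports which tariff level a flow between user group isp1 and a given address receives. The function names are hypothetical, and the evaluation model (first matching rule inside an ACL, classifiers tried in the order listed in the policy) is an assumption made for the check.

```python
import ipaddress
import re

# Stanzas copied from the configuration file of this example.
CONFIG = """\
acl number 6000
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
 rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group isp1
#
acl number 6001
 rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
 rule 15 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group isp1
#
traffic classifier tc2 operator or
 if-match acl 6001
traffic classifier tc1 operator or
 if-match acl 6000
#
traffic behavior tb1
 tariff-level 1
 car
 traffic-statistic
traffic behavior tb2
 tariff-level 5
 car
 traffic-statistic
#
traffic policy traffic_policy_daa1
 share-mode
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2
"""

HEADERS = ("acl number ", "traffic classifier ", "traffic behavior ", "traffic policy ")
RULE_RE = re.compile(
    r"rule \d+ (permit|deny) ip source (user-group \S+|ip-address \S+ \S+)"
    r" destination (user-group \S+|ip-address \S+ \S+)$")


def parse_endpoint(text):
    """Turn 'user-group NAME' or 'ip-address ADDR WILDCARD' into a tuple."""
    words = text.split()
    if words[0] == "user-group":
        return ("group", words[1])
    return ("net", int(ipaddress.IPv4Address(words[1])), int(ipaddress.IPv4Address(words[2])))


def endpoint_matches(endpoint, value):
    """value is ('group', name) for a subscriber or ('ip', 'a.b.c.d') for a host."""
    if endpoint[0] == "group":
        return value == ("group", endpoint[1])
    if value[0] != "ip":
        return False
    care = ~endpoint[2] & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(value[1])) & care) == (endpoint[1] & care)


def parse_config(text):
    """Return (acls, classifiers, behaviors, policy) parsed from config text."""
    acls, classifiers, behaviors, policy = {}, {}, {}, []
    kind = key = None                          # stanza currently being read
    for line in map(str.strip, text.splitlines()):
        words = line.split()
        if line.startswith(HEADERS):
            kind, key = ("acl" if words[0] == "acl" else words[1]), words[2]
        elif line in ("", "#"):
            kind = None
        elif kind == "acl" and (m := RULE_RE.match(line)):
            acls.setdefault(int(key), []).append(
                (m.group(1), parse_endpoint(m.group(2)), parse_endpoint(m.group(3))))
        elif kind == "classifier" and line.startswith("if-match acl "):
            classifiers.setdefault(key, []).append(int(words[2]))
        elif kind == "behavior" and words[0] == "tariff-level":
            behaviors[key] = int(words[1])
        elif kind == "policy" and words[0] == "classifier":
            policy.append((words[1], words[3]))
    return acls, classifiers, behaviors, policy


def acl_permits(rules, src, dst):
    """Assumed model: the first rule whose source and destination match decides."""
    for action, rule_src, rule_dst in rules:
        if endpoint_matches(rule_src, src) and endpoint_matches(rule_dst, dst):
            return action == "permit"
    return False


def tariff_level(config, src, dst):
    """Tariff level applied to a flow, or None when no DAA classifier matches."""
    acls, classifiers, behaviors, policy = config
    for classifier, behavior in policy:
        numbers = classifiers.get(classifier, [])   # 'operator or': any ACL may match
        if any(acl_permits(acls.get(n, []), src, dst) for n in numbers):
            return behaviors.get(behavior)
    return None
```

Running `tariff_level` over addresses just inside and just outside each planned segment confirms that the wildcard masks bill the intended ranges and nothing else.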
Networking Requirements
On the network shown in Figure 1-17, three users in an enterprise access the
Internet over a Layer 3 leased line. To implement access control between users in
the enterprise, configure a traffic policy on a BAS interface.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure advanced ACLs.
2. Configure traffic classifiers.
3. Configure traffic behaviors.
4. Configure traffic policies.
5. Configure a BAS interface.
6. Apply the traffic policies to the BAS interface.
Data Preparation
To complete the configuration, you need the following data:
● ACL numbers
● Traffic classifier names
● Traffic behavior names
● Traffic policy names
Procedure
Step 1 Configure advanced ACLs.
[~HUAWEI] acl number 3001
[*HUAWEI-acl-adv-3001] rule 1 permit ip source 10.11.11.1 0
[*HUAWEI-acl-adv-3001] rule 2 permit ip source 10.11.11.2 0
[*HUAWEI-acl-adv-3001] quit
[~HUAWEI] acl number 3002
[*HUAWEI-acl-adv-3002] rule 3 permit ip source 10.11.11.3 0
[*HUAWEI-acl-adv-3002] quit
----End
Configuration Files
#
sysname HUAWEI
#
acl number 3001
 rule 1 permit ip source 10.11.11.1 0
 rule 2 permit ip source 10.11.11.2 0
#
acl number 3002
 rule 3 permit ip source 10.11.11.3 0
#
traffic classifier tc1
 if-match acl 3001
traffic classifier tc2
 if-match acl 3002
#
traffic behavior tb1
 permit
 match termination
traffic behavior tb2
 permit
 match termination
#
traffic policy p1
 classifier tc1 behavior tb1
#
traffic policy p2
 classifier tc2 behavior tb2
#
interface GigabitEthernet0/1/1
 bas
access-type layer3-leased-line user-name sr-test-eth password cipher %@%##!!!!!!!!!"!!!!"!!!!!!1];
16qfZ81fv"uMoKKZ.1k"`AO!X2K2N.b~'NB^V!!!!!!!!!!1!!!!o/4J(q"J1F.!K9%M!6x8 default-domain authentication
enterprise_sr
 traffic-policy p1 inbound
 traffic-policy p2 outbound
#
return
This feature applies only to the NetEngine 8000 M4, NetEngine 8000 M8, NetEngine 8000
M14, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M8, and NetEngine 8000E
M14.
Definition
Enhanced dynamic service gateway (EDSG) independently identifies a channel of
user traffic and implements independent rate limit, accounting, and management
for the traffic.
Purpose
In the early days of broadband development, most carriers used an extensive
operation mode to increase the number of users. In this mode, carriers continuously
expanded networks and publicized high bandwidth to attract users. As broadband
network operation environments have developed, this traditional operation mode
has created the following challenges:
Benefits
EDSG offers the following benefits to carriers:
● Carriers can use EDSG to distinguish between Internet traffic and intranet
traffic and perform accounting based on different tariff levels, ensuring
operation revenues.
● Carriers can use a BRAS to identify services based on the network segments
of servers storing the services. When users access these servers to obtain
services, carriers can perform differentiated rate limit, scheduling, and
accounting on the services.
● Carriers can provide a combination of EDSG services or a self-service page for
users to select services on demand, improving user experience and increasing
revenues. A self-service page may also be provided by service providers that
cooperate with carriers.
Basic Concepts
This section describes the basic concepts of EDSG and the relationships between
EDSG elements.
Service Group
A service group identifies a type of specific data traffic. It is used as a source or
destination in a traffic rule and is referenced in an access control list (ACL).
Service Identification
Policies are executed for specific data flows, and the ACL mechanism is used to
send service flows matching a service group to the corresponding service channel.
Differentiated Accounting
User traffic is identified and managed as different services, and independent
statistics and accounting are performed for each service. Traffic levels can be set
on an AAA server to implement differentiated accounting for different types of
packets.
Policy Control
Policies are classified into the following types:
● Static service policy
A static service policy takes effect immediately when users go online. It is
obtained from a BRAS's local configurations or delivered by an AAA server
using an authentication response message.
Figure 1-21 shows the process of a static service policy. The process is
described as follows:
a. The user sends a login request to the BRAS. The BRAS sends a user
authentication request to the AAA server.
b. The AAA server returns a user authentication success message to the
BRAS. The message can carry an EDSG service policy name. If the
message does not carry a service policy name, the BRAS implements
policy control based on the local configurations.
c. After the user goes online, the BRAS initiates the basic service accounting
start process to the AAA server. The BRAS distinguishes traffic based on
the EDSG service policy delivered by the AAA server or the locally
configured EDSG service policy, collects traffic statistics, and performs
bandwidth control for traffic. For details, see EDSG Service Accounting.
d. The BRAS cyclically sends each EDSG service's accounting start request
packet (carrying the user name, EDSG service policy name, and service
traffic information) to the AAA server. The AAA server uses the EDSG
service policy in the packet to identify services. The tariffs for services are
defined on the AAA server.
e. The AAA server generates service CDR files and uses FTP/TFTP to send
the CDR files to the billing system. The AAA server can also send the
service accounting information to the billing system through an SQL
database interface.
f. The billing system performs rating, charging, and settlement based on
the user name, service policy name, and preset tariff conversion
relationship in the CDR files (or service accounting information in the
database).
g. The user sends a logout request to the BRAS. The BRAS sends an
accounting stop request packet to the AAA server.
h. The AAA server sends an accounting stop response packet to the BRAS.
i. The BRAS sends an accounting stop request packet for basic services to
the AAA server.
j. The AAA server sends an accounting stop response packet for basic
services to the BRAS, and the user goes offline successfully.
c. The BRAS performs bandwidth control and accounting for services based
on a new service policy combination and sends accounting start packets
for new services to the AAA server. The packets carry information, such as
the user name and service policy name.
d. The AAA server generates CDR files based on the new service accounting
information from the BRAS and sends the files to the billing system for
rating and charging based on the new service policy combination.
Figure 1-23 shows the process of a dynamic service policy that is modified
through the policy server or another resource management server. The
process is described as follows:
a. After the user goes online, an initial service policy is delivered by the AAA
server or obtained from the BRAS's local configurations.
b. The initial service policy is used for traffic statistics, accounting, and
bandwidth control.
c. After going online, the user logs in to the portal self-service page to
modify the service policy.
d. The portal server uses the SOAP protocol to send the service policy
modification result to the policy server.
e. The policy server sends the modified service policy to the BRAS through
the CoA interface.
f. After receiving the service policy from the policy server, the BRAS
performs bandwidth control and accounting for services based on the
new service policy combination and sends accounting start packets for
new services to the AAA server.
g. The AAA server generates CDR files based on the new service accounting
information from the BRAS and sends the files to the billing system for
rating and charging based on the new service policy combination.
RADIUS supports both static and dynamic activation. Static activation means that
an EDSG service policy is delivered during user login through user authentication
response packets carrying the HW-Account-Info(26-184) or
HW-Policy-Name(26-95) attribute. Dynamic activation means that the EDSG service
is activated during user login through dynamic authorization messages, such as the
CoA messages carrying the HW-Command-Mode(26-34) or
HW-Policy-Name(26-95) attribute.
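The following Python parser is an added example, not part of the Huawei guide. It shows how a monitoring or test tool can read the HW-Policy-Name (26-95) attribute out of an authentication response: the attribute travels inside a RADIUS Vendor-Specific attribute (type 26) under Huawei's IANA enterprise number 2011, and the value is only trusted after the Response Authenticator defined in RFC 2865 has been checked. The function names, the shared secret, and the sample packet are constructed for illustration, and decoding the value as text is an assumption.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26        # RADIUS attribute type that carries vendor attributes
HUAWEI_VENDOR_ID = 2011     # Huawei's IANA enterprise number
HW_POLICY_NAME = 95         # the "95" in HW-Policy-Name (26-95)


def parse_packet(data):
    """Split a RADIUS datagram into (code, attributes, packet), bounds-checked."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs, data[:length]


def huawei_vsas(attrs):
    """Return (sub_type, value) pairs from Vendor-Specific attributes of vendor 2011."""
    found = []
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                raise ValueError("vendor sub-attribute length out of bounds")
            found.append((sub_type, value[pos + 2:pos + sub_len]))
            pos += sub_len
    return found


def response_is_authentic(packet, request_authenticator, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(
        packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def delivered_policy_name(data, request_authenticator, secret):
    """Policy name carried by an authentic Access-Accept, or None if absent."""
    code, attrs, packet = parse_packet(data)
    if not response_is_authentic(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return None
    for sub_type, value in huawei_vsas(attrs):
        if sub_type == HW_POLICY_NAME:
            return value.decode("ascii", "replace")   # assumed to be a text value
    return None


def build_access_accept(ident, request_authenticator, secret, policy_name):
    """Construct a sample Access-Accept carrying one HW-Policy-Name value."""
    sub = bytes([HW_POLICY_NAME, 2 + len(policy_name)]) + policy_name
    vsa = struct.pack("!I", HUAWEI_VENDOR_ID) + sub
    attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs
```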
NOTE
Diameter supports service activation through CCR-I messages during user login as
well as dynamic service activation through RAR messages after users go online.
NOTE
If the EDSG service template and BOD/DAA service template configured on the device are
of the same name, only BOD/DAA services take effect during Diameter activation.
A service policy delivered by a server carries only the service policy name, and
parameters must be obtained from a service policy. An EDSG service policy can be
obtained in any of the following modes:
● Local: A service name is used as an index to obtain an EDSG service policy
from the local configurations.
● RADIUS: A service name is used as a user name and authentication packets
are used to obtain an EDSG service policy from a RADIUS server. The obtained
EDSG service policy is cached to the local device and will not be deleted if it is
referenced by any service instance. The EDSG service policy does not need to
be repeatedly obtained.
● Local and then RADIUS: An EDSG service policy is first obtained from the local
configurations. If no EDSG service policy is configured on the local device, an
EDSG service policy is obtained from the RADIUS server.
● RADIUS and then local: An EDSG service policy is first obtained from the
RADIUS server. If the RADIUS server has no response, a locally configured
EDSG service policy is used.
You can manually specify a service policy name to forcibly update all service
instance parameters to the latest service policy parameters.
Accounting Modes
EDSG services support RADIUS accounting and non-accounting. RADIUS
accounting is classified into the following types:
● Start accounting: After a service is activated and a forwarding channel is
established, start accounting is immediately triggered for the service.
● Stop accounting: After a service is deactivated and a forwarding channel is
deleted, stop accounting is immediately triggered for the service.
● Real-time accounting: To ensure the timeliness and accuracy of user service
accounting, the BRAS can send service accounting packets to the AAA server
at a configurable interval.
Accounting start request packets, accounting stop request packets, and real-time
accounting request packets carry information, such as the service name,
Acct-Session-Id (44) attribute, service traffic volume, and service duration. In
addition, the Acct-Multi-Session-Id (50) attribute is used to deliver the user
accounting ID.
In non-uniform accounting mode, accounting is performed for all services, a
service accounting packet is separately sent for each service of a user, and all
services' traffic is independently counted. EDSG services support only non-uniform
accounting (also called individual accounting).
EDSG service switching supports only the transmission of accounting stop packets
for the original service and of accounting start packets for a new service.
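The following Python check is an added example, not part of the Huawei guide. It shows how per-service accounting records can be tied back to one user on the accounting server side: each service has its own Acct-Session-Id, records are grouped under the user accounting ID from Acct-Multi-Session-Id, and records that break the start, real-time, stop sequence are flagged. The record layout, key names, and sample records are constructed, and treating the traffic counters in real-time packets as cumulative for the session is an assumption.

```python
from collections import defaultdict


def rec(status, user_id, session_id, service, octets):
    """One accounting request reduced to the fields this check needs."""
    return {"status": status, "multi_session_id": user_id,
            "session_id": session_id, "service": service, "octets": octets}


# Constructed sample: one user with three services plus one stray record.
RECORDS = [
    rec("Start", "U1", "S1", "game", 0),
    rec("Start", "U1", "S2", "ftp", 0),
    rec("Interim-Update", "U1", "S1", "game", 4000),
    rec("Stop", "U1", "S1", "game", 9000),
    rec("Start", "U1", "S3", "vod", 0),           # new service after game stopped
    rec("Interim-Update", "U1", "S2", "ftp", 2500),
    rec("Interim-Update", "U1", "S2", "ftp", 1200),   # counter lower than before
    rec("Stop", "U2", "S9", "game", 10),          # no Start was ever seen
]


def correlate(records):
    """Group per-service records under the user accounting ID.

    Returns (usage, findings). usage[user_id][service] is the traffic volume
    accounted to that service. findings is a list of (record_index, reason);
    the index is None for problems found after the last record.
    """
    sessions = {}       # (user_id, session_id) -> {"service", "octets", "open"}
    findings = []
    for index, record in enumerate(records):
        key = (record["multi_session_id"], record["session_id"])
        state = sessions.get(key)
        status = record["status"]
        if status == "Start":
            if state is not None:
                findings.append((index, "duplicate Start"))
            else:
                sessions[key] = {"service": record["service"], "octets": 0, "open": True}
        elif state is None or not state["open"]:
            findings.append((index, f"{status} without an open session"))
        elif state["service"] != record["service"]:
            findings.append((index, "service name changed within one session"))
        elif record["octets"] < state["octets"]:
            findings.append((index, "counter went backwards"))
        else:
            state["octets"] = record["octets"]     # cumulative: keep the latest
            if status == "Stop":
                state["open"] = False

    usage = defaultdict(lambda: defaultdict(int))
    for (user_id, session_id), state in sessions.items():
        usage[user_id][state["service"]] += state["octets"]
        if state["open"]:
            findings.append((None, f"session {session_id} of {user_id} never stopped"))
    return {user: dict(services) for user, services in usage.items()}, findings
```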
Statistical Modes
User and service traffic supports the following statistical modes:
● Statistics separation: Service traffic is not counted into user traffic. That is,
user traffic statistics include only basic traffic except EDSG service traffic.
NOTE
Statistics separation for EDSG services does not support multi-VS scenarios.
● Statistics unseparation: Service traffic is counted into user traffic. That is, user
traffic statistics include both basic traffic and EDSG service traffic.
The following rate limit modes are supported:
● Rate limit separation: EDSG service traffic is not limited by the basic user
bandwidth. That is, EDSG service traffic does not use the basic user
bandwidth.
● Rate limit unseparation: EDSG service traffic is limited by the basic user
bandwidth. That is, EDSG service traffic uses the basic user bandwidth.
Accounting Copy
EDSG supports accounting copy. The types supported are as follows:
● Copy of EDSG service accounting packets: When sending an EDSG service
accounting packet to the AAA server, the NetEngine 8100 M, NetEngine
8000E M, or NetEngine 8000 M copies the packet to the accounting copy server.
● Copy of EDSG prepaid accounting packets: When sending an EDSG prepaid
accounting packet to the AAA server, the NetEngine 8100 M, NetEngine
8000E M, or NetEngine 8000 M copies the packet to the accounting copy server.
EDSG accounting copy supports accounting start, real-time accounting, and
accounting stop. If accounting packets fail to be copied to the accounting copy
server, EDSG service activation is not affected.
Accounting Packaging
EDSG enables the NetEngine 8100 M, NetEngine 8000E M, or NetEngine 8000 M to
package a user's EDSG service accounting packets into a single packet and send
that packet to the RADIUS server. By default, EDSG service accounting packets are
sent independently and are not packaged. This function can be implemented
through configuration.
● Service deletion
After the recharging is complete and a new quota is delivered, HTTP redirection
can recover.
Figure 1-29 shows the EDSG service prepaid process.
● If prepaid is configured for a service, the BRAS requests an initial quota from
the prepaid server during service activation. After the prepaid server delivers a
valid quota, the service is activated.
● When the service is online, the BRAS monitors the service's quota exhaustion.
If the service quota is exhausted or the remaining quota reaches a configured
threshold, the BRAS requests the prepaid server to update the service quota
and sends the total used quota to the prepaid server. If the total service quota
is not exhausted, the prepaid server delivers a valid quota again. The BRAS
continues to monitor the service's quota exhaustion based on the newly
delivered quota.
● If the service quota is exhausted again or the remaining quota reaches a
configured threshold, the BRAS requests the prepaid server to update the
service quota and sends the total used quota to the prepaid server again. If
the total service quota has been exhausted, the prepaid server returns a zero
quota to the BRAS. The BRAS then performs an action based on a configured
quota exhaustion policy.
To enable the portal server to provide service information query and status
acknowledgement, EDSG services support the query of basic user information and
EDSG service information through CoA messages. The portal server sends CoA
requests for information query to the BRAS, and the BRAS returns CoA responses
carrying the information (such as the service status, duration, and traffic volume)
to the portal server. The 0x04 command word in the HW-Command-Mode (26-34)
attribute carried in CoA responses is used to query EDSG service information.
The traffic reporting frequency of each EDSG service decreases when the number
of users on an interface board increases, which may affect the real-time
performance of traffic information and precision of traffic quota management but
does not affect the accuracy of accounting stop traffic.
If CAR is used for rate limit, you can manually configure EDSG traffic reporting
frequency.
When a user visits the game, FTP, and VoD networks shown in Figure 1-32, rate
limit is performed on traffic over the three networks. Three EDSG services are
planned for the three networks, and rate limit and accounting are independently
performed for each service.
CoA Change-of-Authorization
1.1.3.2.1 Overview
In the early days of broadband development, most carriers used an extensive
operation mode to increase the number of users. In this mode, carriers continuously
expanded networks and publicized high bandwidth to attract users. As broadband
network operation environments have developed, this traditional operation mode
has created the following challenges:
Usage Scenarios
Typical EDSG usage scenarios are as follows:
● In some regions, small local carriers need to rent backbone carriers' lines to
provide Internet access services to users. The local carriers also need to pay
the backbone carriers for traffic over the backbone networks. Low fees are
charged for traffic over a local network, whereas high fees are charged for
traffic over a backbone network. To increase revenues, local carriers need a
solution that can distinguish the two types of traffic and perform accounting
based on network types. EDSG meets this requirement. Two EDSG services
can be configured for the local and backbone networks based on destination
addresses to implement differentiated accounting on traffic over both the
local and backbone networks.
● When campus users access a campus network, the carrier does not charge
any fees or charges low fees, and the access rate is unlimited. However, when
campus users access an external network, the carrier charges high fees and
limits their access rates. To increase the carrier's revenues, configure two
EDSG services for the campus and external networks based on destination
addresses to implement differentiated accounting and rate limit on traffic
over both the campus and external networks.
● Many Internet services, such as gaming, File Transfer Protocol (FTP), video on
demand (VOD), and news services, have different costs and bandwidth
requirements. To implement differentiated accounting and rate limit on
various services, configure these services as different EDSG services.
As shown in Figure 1-33, Point-to-Point Protocol over Ethernet (PPPoE) users
access networks 1 and 2. Different fees need to be charged for traffic over
networks 1 and 2. The users have different bandwidth requirements for networks
1 and 2. To meet these requirements, configure two EDSG services on the
broadband remote access server (BRAS) to perform differentiated accounting and
rate limit on traffic over networks 1 and 2. EDSG allows carriers to provide flexible
service and accounting policies for different user requirements.
NOTE
The BRAS can work with the AAA server, policy server, and portal server to implement
differentiated accounting and rate limit based on destination addresses.
● AAA server: provides user authentication, authorization, and accounting. Generally, a
RADIUS server is used as an AAA server.
● Policy server: delivers EDSG service policies. Only a RADIUS server can be used as a
policy server.
● Portal server: provides user interfaces. Users can log in to a portal server and select
EDSG services as required. A portal server is generally integrated into an AAA or policy
server.
Pre-configuration Tasks
Before configuring EDSG, complete the following tasks:
● Load the BRAS license and the EDSG license.
● Configure an authentication scheme, an accounting scheme, and a RADIUS
server group for an EDSG service policy (for details, see AAA and User
Management Configuration (Access Users)).
● Configure an address pool (for details, see Configuring an IPv4 Address Pool
and an Address Pool Group).
● Configure a domain and bind the authentication scheme, accounting scheme,
address pool, and RADIUS server group to the domain (for details, see
Configuring a Domain).
● Configure a BAS interface (for details, see IPoE Access Configuration and
PPPoE Access Configuration).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run value-added-service enable
The value-added service function is enabled globally.
The value-added service function is not enabled globally by default.
Step 3 Run commit
The configuration is committed.
----End
Context
If a value-added service policy is delivered over RADIUS, you must configure a
RADIUS server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M.
For details about the configuration, see Configuring a Device as a RADIUS Client.
If a value-added service policy is delivered over Diameter, you must configure a
Diameter server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000
M. For details about the configuration, see Configuring a Diameter Server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run service-group service-group-name
A service group is created.
Step 3 Define an ACL rule for matching the service group.
1. Run the acl { name advance-acl-name [ advance | [ advance ] number
advance-acl-number ] | [ number ] advance-acl-number } [ match-order
{ config | auto } ] command to create an ACL and enter the ACL view.
NOTE
You need to use UCLs. The number of a UCL ranges from 6000 to 9999.
2. Create an ACL rule based on protocol types.
a. For TCP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp }
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination
{ destination-ip-address { destination-wildcard | 0 | des-netmask } | any }
| destination-pool destination-pool-name } | { destination-port operator
port-number | destination-port-pool destination-port-pool-name } |
fragment-type { fragment | non-fragment | non-subseq | fragment-subseq |
fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 |
src-netmask } | any } | source-pool source-pool-name } |
{ source-port operator port-number | source-port-pool source-port-pool-name }
| { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] |
established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst |
syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack
| syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh |
rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-
Step 4 (Optional) Define an ACL6 rule for matching the service group.
1. Run the acl ipv6 number ucl-acl6-number [ match-order { auto | config } ]
command to create an ACL6 and enter the ACL6 view.
NOTE
You need to use UCL6s. The number of a UCL6 ranges from 6000 to 9999.
The device is configured to retain the service class of the original packets
after the EDSG service is matched to a traffic behavior.
3. Run commit
An EDSG traffic policy is configured and the EDSG traffic policy view is
displayed.
2. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
The traffic behavior is specified for the traffic classifier.
3. Run commit
----End
Context
To implement differentiated accounting and rate limiting for user access to
different networks, you may need to configure multiple EDSG service policies. An
EDSG service policy can be configured in either of the following modes:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 (Optional) Run the service-policy cache update interval interval-value command
to configure an interval at which the EDSG cache policy template is updated.
Step 6 Run the service-policy name policy-name edsg command to create an EDSG
service policy and enter its view.
NOTE
If the policy template name is case-sensitive, you need to run the
service-policy name-case-sensitive enable command first to enable case sensitivity
for the EDSG service template name.
Step 7 (Optional) Run the ip-type ipv6 command to set the traffic statistic type to IPv6
for EDSG services.
The service group must already exist. If not, run the service-group service-group-
name command in the system view to create a service group.
Step 9 Run the radius-server group group-name command to configure the RADIUS
server group to be bound to the EDSG service policy.
Currently, EDSG services support only the RADIUS accounting and non-accounting
modes.
The device provides two fixed accounting schemes: default0 and default1. The two
accounting schemes cannot be deleted but can be modified.
Step 12 Run the rate-limit cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ]
[ flow-queue-pbs flow-queue-pbs ] ] { inbound | outbound } command to
configure the bandwidth parameters for upstream and downstream traffic rate
limiting of EDSG services.
Step 13 (Optional) Configure a Diameter monitor key for the EDSG service policy based on
the format of the monitor key delivered by the Diameter server.
● Run the diameter monitor-key string monitor-key-string command to
configure a Diameter monitor key in string format for the EDSG service policy.
Before running this command, run the diameter monitor-key parse-mode
string command in the system view to set the parsing mode of the Diameter
monitor key to string.
● Run the diameter monitor-key monitor-key command to configure a
Diameter monitor key in integer format for the EDSG service policy.
Before running this command, run the diameter monitor-key parse-mode
integer command in the system view to set the parsing mode of the
Diameter monitor key to integer.
Step 14 (Optional) Run the service-class { cs7 | cs6 | ef | af4 | af3 | af2 | af1 | be }
{ inbound | outbound } command to configure a scheduling class in the upstream
or downstream direction.
----End
Context
After configuring an EDSG service policy locally, you can bind it to the service
policy group and apply it to an AAA domain. If no service policy is delivered from
the policy server, the service policy group bound to the AAA domain is used. If the
policy server delivers a service policy, the service policy delivered by the policy
server is used.
Before configuring this function, complete the task of Configuring an EDSG
Service Policy Locally.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the service-policy-group group-name command to create a service policy
group and enter the service policy group view.
Step 3 Run the service-policy policy-name command to bind an EDSG service policy to
the service policy group.
Step 4 Run the quit command to return to the system view.
Step 5 Run the aaa command to enter the AAA view.
Step 6 Run the domain domain-name command to enter the AAA domain view.
Step 7 Run the service-policy-group group-name command to apply the service policy
group to the AAA domain.
Step 8 Run the commit command to commit the configuration.
----End
Context
User service traffic has different requirements on service bandwidth in different
time ranges. For example, the service traffic volume used by a user in a time range
during daylight hours is usually greater than that in the early morning. Therefore,
a larger service bandwidth must be set for the time range during daylight hours.
To properly distribute service traffic, configure the service bandwidth to be flexibly
adjusted when the time range changes.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run time-range time-name [ start-time to end-time days &<1-7> | from time1
date1 [ to time2 date2 ] ]
Step 4 Run time-range time-range-name rate-limit cir cir-value [ pir pir-value ] [ cbs
cbs-value [ pbs pbs-value ] ] [ inbound | outbound ]
A mapping is configured between the time range template and EDSG service
bandwidth.
----End
Context
An authentication scheme, an accounting scheme, and a RADIUS server group
have been configured for the prepaid function of EDSG services (for details, see
AAA Configuration).
Procedure
Step 1 Run system-view
The BRAS provides two fixed accounting schemes: default0 and default1. The
two accounting schemes cannot be deleted but can be modified.
5. Run password cipher cipher-password
A password is configured for the BRAS to use when applying for an EDSG service
quota from the RADIUS server.
6. (Optional) Run threshold time time-threshold seconds
A time threshold is configured for the BRAS to reapply for a time quota for
EDSG services from the RADIUS server.
When the remaining time quota of a user's EDSG service reaches a configured
time threshold, the BRAS reapplies for a time quota for the EDSG service from
the RADIUS server. When the RADIUS server returns a zero time quota, the
BRAS executes a deactivation or redirection policy.
7. (Optional) Run threshold volume volume-threshold { kbytes | mbytes |
bytes }
A traffic volume threshold is configured for the BRAS to reapply for a traffic
volume quota for EDSG services from the RADIUS server.
When the remaining traffic volume quota of a user's EDSG service reaches a
configured traffic volume threshold, the BRAS reapplies for a traffic volume
quota for the EDSG service from the RADIUS server. When the RADIUS server
returns a zero traffic volume quota, the BRAS executes a deactivation or
redirection policy.
NOTE
You can configure both the time and traffic volume thresholds for the BRAS to reapply
for EDSG service quotas from the RADIUS server. Once the remaining time or traffic
volume quota of a user's EDSG service reaches the corresponding configured
threshold, the BRAS reapplies for an EDSG service quota from the RADIUS server. For
example, if the time and traffic volume thresholds are respectively set to 60s and 5
Mbytes for a user:
– When the remaining traffic volume quota of the user's EDSG service is 5 Mbytes
but the remaining time quota of the EDSG service is greater than 60s, the BRAS
reapplies for a traffic volume quota for the EDSG service from the RADIUS server.
– When the remaining time quota of the user's EDSG service is 60s but the
remaining traffic volume quota of the EDSG service is greater than 5 Mbytes, the
BRAS reapplies for a time quota for the EDSG service from the RADIUS server.
8. Run commit
Step 3 (Optional) Configure a policy used when the quota is exhausted as required.
1. Configure a deactivation policy. When the quota of a user's EDSG service is
exhausted, the BRAS deletes the EDSG service.
a. Run the quota-out service deactivate command to configure a
deactivation policy.
b. Run the commit command to commit the configuration.
c. Run the quit command to return to the system view.
2. Configure a redirection policy. When the quota of a user's EDSG service is
exhausted, the user is redirected to a specified web page.
a. Run the http-redirect-profile redirect-profile-name command to create
an HTTP redirection profile and enter the HTTP redirection profile view.
b. Run the web-server url redirect-url command to configure a redirection
web page.
c. (Optional) Run the web-server mode { get | post } command to
configure an HTTP access mode for the web server.
Step 4 Apply the prepaid profile in the EDSG service policy view.
1. Run service-policy name policy-name edsg
An EDSG service policy must have been configured. For details about how to
configure an EDSG service policy, see Configuring an EDSG Service Policy.
2. Run prepaid-profile prepaid-profile-name
The traffic direction to which the EDSG service quota applies is configured.
----End
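The quota re-application rule described in this procedure (time and traffic volume thresholds, and the policy executed when the RADIUS server returns a zero quota) can be modeled as follows. This is an added example, not Huawei code: the class names, the chunk sizes granted by the stand-in server, the reading of "reaches" as less than or equal to, and the assumption that a new quota is added to the remaining quota are all assumptions.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024  # assumption: "Mbytes" modeled as 2**20 bytes


class FakeQuotaServer:
    """Constructed stand-in for the RADIUS server: grants fixed-size chunks
    from a prepaid balance and returns 0 once the balance is used up."""

    def __init__(self, time_balance_s, volume_balance_b, time_chunk_s, volume_chunk_b):
        self.balance = {"time": time_balance_s, "volume": volume_balance_b}
        self.chunk = {"time": time_chunk_s, "volume": volume_chunk_b}

    def grant(self, kind):
        granted = min(self.chunk[kind], self.balance[kind])
        self.balance[kind] -= granted
        return granted


@dataclass
class PrepaidSession:
    time_threshold_s: int      # value of "threshold time ... seconds"
    volume_threshold_b: int    # value of "threshold volume ...", in bytes
    quota_out_policy: str      # "deactivate" or "redirect"
    time_left_s: int = 0
    volume_left_b: int = 0
    state: str = "active"
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.quota_out_policy not in ("deactivate", "redirect"):
            raise ValueError("quota_out_policy must be 'deactivate' or 'redirect'")

    def _reapply(self, kind, server):
        granted = server.grant(kind)
        self.events.append((kind, granted))
        if granted == 0:
            # Zero quota returned: the quota-exhaustion policy is executed.
            self.state = ("deactivated" if self.quota_out_policy == "deactivate"
                          else "redirected")
        elif kind == "time":
            self.time_left_s += granted      # assumption: new quota is added
        else:
            self.volume_left_b += granted    # assumption: new quota is added

    def consume(self, seconds, nbytes, server):
        """Account one interval of usage, then apply the threshold rule."""
        if self.state != "active":
            return
        self.time_left_s = max(0, self.time_left_s - seconds)
        self.volume_left_b = max(0, self.volume_left_b - nbytes)
        # Each quota is checked against its own threshold independently.
        if self.time_left_s <= self.time_threshold_s:
            self._reapply("time", server)
        if self.state == "active" and self.volume_left_b <= self.volume_threshold_b:
            self._reapply("volume", server)


def run_example(policy="redirect"):
    """Thresholds of 60s and 5 Mbytes, as in the NOTE above; the balance and
    chunk sizes are constructed. Usage is 30s and 1 Mbyte per tick."""
    server = FakeQuotaServer(600, 30 * MB, 300, 10 * MB)
    session = PrepaidSession(60, 5 * MB, policy)
    session.time_left_s = server.grant("time")
    session.volume_left_b = server.grant("volume")
    ticks = 0
    while session.state == "active" and ticks < 1000:
        session.consume(30, MB, server)
        ticks += 1
    return session, ticks


if __name__ == "__main__":
    s, n = run_example()
    for kind, granted in s.events:
        print("reapplied for", kind, "quota, granted", granted)
    print(s.state, "after", n * 30, "seconds")
```

The event list shows the two quotas being renewed independently until the server returns a zero time quota, at which point the configured quota-exhaustion policy ends the service.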
Procedure
Step 1 Run system-view
To configure the BRAS to obtain an EDSG service policy from local configurations,
you must have configured an authentication scheme, an accounting scheme, and
a RADIUS server group for the EDSG service policy. For configuration details, see
Configuring AAA Schemes. To configure the BRAS to obtain an EDSG service policy
from a RADIUS server, you must have configured the RADIUS server. For
configuration details, see Configuring a Device as a RADIUS Client.
----End
Context
You can configure different rate limit modes for upstream and downstream EDSG
service traffic of users who go online from an AAA domain. To locate information
about EDSG services and users whose traffic is discarded due to rate limiting,
enable the function of reporting dropped EDSG service traffic.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 3 Run the domain domain-name command to enter the domain view.
Step 5 (Optional) Run the quit command to return to the AAA view.
Step 6 (Optional) Run the quit command to return to the system view.
----End
(Optional) Configuring EDSG Service Rate Limiting and Traffic Statistics Collection
Policies
Context
If EDSG service traffic consumes the user traffic bandwidth, run the
edsg traffic-mode rate together statistic together command so that rate limiting
is performed on user traffic after it is performed on service traffic. For example,
when the service traffic bandwidth is 2 Mbit/s and the user traffic bandwidth is 5
Mbit/s, if a user accesses services and consumes 2 Mbit/s service traffic bandwidth,
the user can only use the remaining 3 Mbit/s user traffic bandwidth to access
other services.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 3 Run the domain domain-name command to enter the domain view.
Step 4 Run the edsg traffic-mode rate { separate | together } statistic together
command to configure an EDSG service rate limit policy and a traffic statistics
collection policy.
Step 5 Run the commit command to commit the configuration.
----End
(Optional) Enabling EDSG Services to Support HQoS Scheduling for Home Users
This section describes how to enable EDSG services to support HQoS scheduling
for home users in a AAA domain.
Context
Home users support HQoS, but differentiated traffic statistics collection and
accounting cannot be performed for different user services. To resolve this issue,
enable EDSG services to support HQoS scheduling for home users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run value-added-service edsg family-schedule { inbound | outbound }
EDSG services are enabled to support HQoS scheduling for home users.
Step 5 Run commit
The configuration is committed.
----End
Context
In load-balancing scenarios, after user traffic matches EDSG services, it must
continue to match a user group for service selection.
Procedure
Step 1 Run system-view
NOTE
For DS-Lite users, the EDSG service matches the inner IPv4 address of the tunnel.
----End
Context
If the original accounting packet information of EDSG services is required, a device
must send EDSG service accounting packets to a RADIUS copy server group so that
they can be used as the original accounting information in subsequent settlement.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run service-policy accounting-copy radius-server group-name
EDSG service accounting copy is enabled, and a RADIUS copy server group is
configured.
Step 5 Run commit
The configuration is committed.
----End
Context
When a large number of users go online and each user applies for many
value-added services, a large number of accounting packets are generated. The
processing capability of a RADIUS accounting server is limited. To prevent the
number of accounting packets from exceeding the processing capability of a
RADIUS accounting server, the number of accounting packets sent by a device to a
RADIUS accounting server must be reduced to relieve the pressure on the RADIUS
accounting server.
Procedure
Step 1 Enable accounting packet merging for value-added services.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.
3. Run domain domain-name
The domain view is displayed.
4. Run value-added-service accounting-merge edsg { stop | interim interval
interval [ hash ] }
Accounting packet merging is enabled for value-added services.
5. Run the commit command to commit the configuration.
Step 2 (Optional) Set the maximum length of a post-merging accounting packet for
value-added services.
1. Run system-view
The system view is displayed.
2. Run radius-server group groupname
The RADIUS server group view is displayed.
3. Run radius-server accounting-merge max-length length
The maximum length is set for a post-merging accounting packet for
value-added services.
4. Run the commit command to commit the configuration.
Step 3 (Optional) Enable a post-merging accounting packet that fails to be sent for
value-added services to enter the accounting packet cache.
1. Run system-view
The system view is displayed.
2. Run value-added-service accounting-merge cache enable
A post-merging accounting packet that fails to be sent for value-added
services is enabled to enter the accounting packet cache.
3. Run the commit command to commit the configuration.
----End
Procedure
Step 1 Run system-view
An EDSG service policy profile is created and the EDSG service policy profile
view is displayed.
2. (Optional) Run web-server redirect-key user-ip-address user-ip-key
The user IP address and name carried in the URL to which EDSG users are
redirected in mandatory web authentication are configured.
3. Run either of the following commands to bind the redirection profile to the
service policy view.
– If users are required to be redirected to a specified page while visiting
HTTP web pages matching service traffic, run the http-redirect-profile
profile-name command to bind the redirection profile to the service
policy view.
– If the traffic matching the service needs to be redirected instantly after
the service is activated, run the service force redirect redirect-profile-name
command to bind the redirection profile to the service policy view.
----End
(Optional) Configuring the Device to Use the Inner IPv4 Address of Each IPv4-in-IPv6
Packet to Match IPv4 UCLs of EDSG Services
You can configure this function to allow IPv4-in-IPv6 packets to use inner IPv4
addresses to match IPv4 UCLs of EDSG services.
Context
By default, the device uses the outer IPv6 header in each IPv4-in-IPv6 packet to
match EDSG services. To allow EDSG rate limiting and accounting based on inner
IPv4 addresses, perform the following steps to configure the device to use inner
IPv4 addresses to match IPv4 UCLs of EDSG services.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run value-added-service edsg centralized-ds-lite
The function to use the inner IPv4 address of each IPv4-in-IPv6 packet to match
EDSG services is configured.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run value-added-service edsg modify-synchronous attribute-name
A specified attribute is enabled to take effect upon activation or deactivation of
EDSG services.
Step 4 Run value-added-service edsg accounting interim send-update user-ip enable
The device is enabled to send a real-time accounting packet carrying the
HW-Acct-Update-Address (26-159) attribute with a value of 1 for EDSG services when
the user address changes.
----End
Procedure
● Run the display service-policy { configuration [ name config-policy-name ] |
cache [ name config-policy-name ] } command to check the EDSG service
policy configuration.
● Run the display service-policy configuration global command to check
global service policy configurations.
● Run the display prepaid-profile [ name prepaid-profile-name ] command to
check information about a specified prepaid profile.
● Run the display value-added-service update-online-edsg process-information
command to check online EDSG service update information.
● Run the display value-added-service policy command to check service policy
information.
● Run the display value-added-service user command to check information
about users' value-added services.
● Run the display value-added-service edsg time-range process-information
command to check the process of updating the EDSG service bandwidth
based on a time range.
● Run the display value-added-service user edsg with-car-dropped-flow
command to check information about users whose EDSG service traffic is
dropped by CAR.
● Run the display value-added-service user user-id user-id edsg command to
check information about a specified user's EDSG services whose traffic is
dropped by CAR.
● Run the display value-added-service user user-id user-id edsg service-index
service-index-value command to check information about a specified user's
specified EDSG service whose traffic is dropped by CAR.
----End
Context
During routine maintenance, you can perform the following operations to check
the running status of EDSG services.
Procedure
● Run the display service activate-fail-record [ time begin-time end-time
[ date begin-date end-date ] | user-id user-id | policy-name policy-name ] *
----End
Procedure
● In the system view, run service activate-fail-record
----End
Context
NOTICE
After you clear the historical information about EDSG service failures, the
information cannot be restored. Exercise caution when clearing information about
EDSG service failures.
Procedure
● Run the reset service activate-fail-record command in the user view to clear
information about EDSG service activation failures.
● Run the reset service deactivate-record command in the user view to clear
EDSG service deactivation information.
● Run the reset service update-fail-record command in the user view to clear
information about EDSG service update failures.
● Run the reset value-added-service edsg time-range process-information
command in the user view to clear the process of updating the EDSG service
bandwidth based on a time range.
● Run the reset value-added-service user user-id user-id-val edsg
[ service-index service-index-value ] car-dropped-flow statistics command in the user
view to clear statistics about CAR-dropped EDSG service traffic.
----End
Example for Activating the EDSG Services Downloaded from Local Configurations
Through RADIUS
This section provides an example for activating the EDSG services downloaded
from local configurations through RADIUS.
Networking Requirements
On the network shown in Figure 1-34, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively.
In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.
NOTE
The AAA server shown in Figure 1-34 also functions as a policy server and delivers services
through RADIUS.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure RADIUS authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a local address pool.
8. Bind the local address pool and RADIUS server group to an AAA domain.
9. Configure interfaces.
10. Configure access users.
Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, authentication scheme, accounting scheme, and
bandwidths for uplink and downlink traffic rate limiting for EDSG services
Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
NOTE
For details about how to configure a RADIUS server group, see Configuring a Device as a
RADIUS Client in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide - User
Access.
# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
3. Define traffic classifiers.
# Define a traffic classifier named c1.
NOTE
An EDSG service policy can be downloaded in four modes: from local configurations, from a
RADIUS server, first from local configurations and then from a RADIUS server, and first from
a RADIUS server and then from local configurations. You can run the service-policy
download command to configure a mode in which EDSG service policies are downloaded.
# Bind the service group s_1m to the EDSG service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] service-group s_1m
# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] radius-server group rad_group1
# Set the bandwidth for uplink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 inbound
# Set the bandwidth for downlink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit
# Bind the service group s_2m to the EDSG service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] service-group s_2m
# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] radius-server group rad_group1
# Set the bandwidth for uplink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 inbound
# Set the bandwidth for downlink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit
# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[*HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[*HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[*HUAWEI-ip-pool-edsg_pool] commit
[~HUAWEI-ip-pool-edsg_pool] quit
Step 8 Bind the local address pool and RADIUS server group to an AAA domain. By
default, the rate of EDSG service traffic is separately limited and is not affected by
user bandwidth. Only non-service traffic is counted as user traffic. To change EDSG
service traffic rate limiting and statistics collection policies, run the
edsg traffic-mode rate { separate | together } statistic together command.
# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] quit
[~HUAWEI-aaa] quit
For details about how to configure a BAS interface, see Example for Configuring PPPoE
Access for IPv4 Users in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide -
User Access.
[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[~HUAWEI-GigabitEthernet0/1/2.1] bas
[~HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] quit
3. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit
Step 10 Configure access users. (This step is performed on the RADIUS server.)
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.
NOTE
The shared key configured for a RADIUS server group determines the value of the User-
Password attribute.
NOTE
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------
# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------
----End
Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
aaa
authentication-scheme auth1
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
service-policy download local radius rad_group1 password cipher $$e:TY%^%glhJ;yPG#$=tC&(Is%q!S_";(k.Ef
$%^%#:978
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2.1
Networking Requirements
On the network shown in Figure 1-35, PPPoE users go online from domain1.
PPPoE users' traffic fees and bandwidth requirements for accessing network 1
(192.168.100.0/24) and network 2 (192.168.200.0/24) differ greatly. The upstream
and downstream bandwidths for accessing network 1 are limited to 1 Mbit/s, and
those for accessing network 2 are limited to 2 Mbit/s.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure a RADIUS server.
3. Configure an EDSG traffic policy.
4. Configure AAA authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a service policy group.
8. Configure a local address pool.
9. Configure an AAA domain.
10. Configure interfaces.
Data Preparation
To complete the configuration, you need the following data:
● Parameters related to the RADIUS server, including the IP address and port
number.
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, authentication scheme, accounting scheme, and
bandwidths for uplink and downlink traffic rate limiting for EDSG services
● Name of the service policy group bound to the domain, name of the local
address pool, gateway, and range of the user address pool.
Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
3. Configure traffic classifiers.
# Configure a traffic classifier named c1.
[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit
# Configure two AAA authentication schemes: one with the authentication mode set
to RADIUS and the other with the authentication mode set to none.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
[~HUAWEI-aaa] authentication-scheme none
[*HUAWEI-aaa-authen-none] authentication-mode none
[*HUAWEI-aaa-authen-none] commit
[~HUAWEI-aaa-authen-none] quit
Step 5 Set the mode in which EDSG service policies are downloaded to local
download.
[~HUAWEI] service-policy download local
[*HUAWEI] commit
# Bind the service group s_1m to the EDSG service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] service-group s_1m
[~HUAWEI-service-policy-service_edsg1] commit
# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg1.
[~HUAWEI-service-policy-service_edsg1] radius-server group rad_group1
# Set the bandwidth for uplink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 inbound
# Set the bandwidth for downlink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit
# Bind the service group s_2m to the EDSG service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] service-group s_2m
[~HUAWEI-service-policy-service_edsg2] commit
# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg2.
[~HUAWEI-service-policy-service_edsg2] radius-server group rad_group1
# Set the bandwidth for uplink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 inbound
# Set the bandwidth for downlink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit
Step 9 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool, RADIUS server group rad_group1, and
service policy group group1 to the AAA domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] service-policy-group group1
[*HUAWEI-aaa-domain-domain1] authentication-scheme auth1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
For details about how to configure a BAS interface, see Example for Configuring PPPoE
Access for IPv4 Users in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide -
User Access.
[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] quit
2. Configure an uplink interface.
[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
3. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit
# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,0)
Up bytes number(high,low) : (0,0)
Down packets number(high,low) : (0,0)
Down bytes number(high,low) : (0,0)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)
----End
Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme none
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme none
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
#
service-policy-group group1
service-policy service_edsg1
service-policy service_edsg2
#
aaa
authentication-scheme auth1
authentication-mode radius
authentication-scheme none
authentication-mode none
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
service-policy-group group1
authentication-scheme auth1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2.1
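A consistency check for the chain that the configuration file above builds (service group, ACL, traffic classifier, globally applied traffic policy, EDSG service policy), limited to IPv4 ACLs. This is an added example, not part of the Huawei guide; the function names, the findings wording and the sample input are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed configuration in the flattened layout of the listing above
# ("#" separates sections). Planted defects: s_2m is never declared, ACL 6021
# has no return rule, and service_edsg2 has no outbound rate limit.
SAMPLE = """\
#
service-group s_1m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic policy traffic_policy_edsg
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
service-policy name service_edsg1 edsg
service-group s_1m
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
#
service-policy name service_edsg2 edsg
service-group s_2m
rate-limit cir 2000 inbound
#
"""

# Section headers that open a context the audit cares about.
HEADER = re.compile(r"(acl number|traffic classifier|traffic policy|service-policy name) (\S+)")

def build_model(config):
    """Collect the objects of the EDSG chain from a saved configuration."""
    m = {"groups": set(), "applied": set(), "services": {},
         "acl": defaultdict(lambda: {"source": set(), "destination": set()}),
         "classifier": defaultdict(set), "policy": defaultdict(set)}
    ctx = None
    for raw in config.splitlines():
        w = raw.split()                      # also drops device-style indentation
        line = " ".join(w)
        if line in ("", "#"):
            ctx = None
        elif ctx is None:                    # a top-level command
            if re.fullmatch(r"service-group \S+", line):
                m["groups"].add(w[1])
            elif re.fullmatch(r"traffic-policy \S+ (inbound|outbound)", line):
                m["applied"].add(w[1])
            else:
                hit = HEADER.match(line)
                ctx = hit.groups() if hit else ("other", None)
                if ctx[0] == "service-policy name":
                    m["services"][ctx[1]] = {"group": None, "limits": set()}
        elif ctx[0] == "acl number":         # which side names a service group?
            for side in ("source", "destination"):
                hit = re.search(side + r" service-group (\S+)", line)
                if hit:
                    m["acl"][ctx[1]][side].add(hit.group(1))
        elif ctx[0] == "traffic classifier" and w[:2] == ["if-match", "acl"] and len(w) > 2:
            m["classifier"][ctx[1]].add(w[2])
        elif ctx[0] == "traffic policy" and w[0] == "classifier" and len(w) > 1:
            m["policy"][ctx[1]].add(w[1])
        elif ctx[0] == "service-policy name" and w[0] == "service-group" and len(w) > 1:
            m["services"][ctx[1]]["group"] = w[1]
        elif ctx[0] == "service-policy name" and w[0] == "rate-limit":
            m["services"][ctx[1]]["limits"].add(w[-1])
    return m

def audit(config):
    """Return (service, issue) pairs for every break in the EDSG chain."""
    m = build_model(config)
    # ACLs that are reachable from a globally applied traffic policy.
    enforced = {acl for pol in m["applied"] for cls in m["policy"][pol]
                for acl in m["classifier"][cls]}
    findings = []
    for name, svc in sorted(m["services"].items()):
        group = svc["group"]
        if group not in m["groups"]:
            findings.append((name, f"service-group {group} is not declared"))
        for side, word in (("source", "from"), ("destination", "to")):
            if not any(group in m["acl"][a][side] for a in enforced):
                findings.append((name, f"no enforced ACL rule for traffic {word} {group}"))
        for direction in sorted({"inbound", "outbound"} - svc["limits"]):
            findings.append((name, f"no {direction} rate-limit"))
    return findings
```

Run `audit()` on the saved configuration before committing changes to service groups or ACLs; an empty list means every EDSG service policy is backed by a declared group, two-way ACL rules in an applied traffic policy, and rate limits in both directions.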
Example for Configuring the Delivery of the EDSG Rate Limiting Service Through a
RADIUS Server
This section provides an example for configuring the delivery of the EDSG rate
limiting service through a RADIUS server. In this example, the RADIUS server uses
authentication packets to deliver EDSG services, and the uplink and downlink
bandwidths of EDSG service policies are configured.
Networking Requirements
On the network shown in Figure 1-36, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively. The AAA server uses RADIUS to deliver EDSG service policies in which
parameters, such as the authentication scheme, accounting scheme, and
bandwidths for uplink and downlink traffic rate limit, are specified.
In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.
NOTE
The AAA server shown in Figure 1-36 also functions as a policy server and delivers services
through RADIUS.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure RADIUS authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a local address pool.
8. Bind the local address pool and RADIUS server group to an AAA domain.
9. Configure interfaces.
10. Configure access users.
Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which an EDSG service
policy is downloaded, policy name, bound RADIUS server group,
authentication scheme, accounting scheme, and bandwidths for uplink and
downlink traffic rate limiting for EDSG services
Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
NOTE
For details about how to configure a RADIUS server group, see Configuring a Device as a
RADIUS Client in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide - User
Access.
# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
3. Define traffic classifiers.
# Define a traffic classifier named c1.
[*HUAWEI] commit
Step 6 Configure EDSG service policies. (This step is performed on the RADIUS server.)
1. Configure an EDSG service policy for access to network 1.
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg1.
NOTE
The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change
the RADIUS attribute names to be the same as those in the RADIUS attribute
dictionary based on the vendor ID and attribute number.
Step 8 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
For details about how to configure a BAS interface, see Example for Configuring PPPoE
Access for IPv4 Users in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide -
User Access.
3. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit
Step 10 Configure access users. (This step is performed on the RADIUS server.)
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.
NOTE
The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.
NOTE
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------
# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : auth1
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------
AAA:
RADIUS-server-template : rad_group1
Server-template of second acct: -
Current authen method : RADIUS authentication
Authen result : Success
Current author method : Idle
Author result : Success
Action flag : Idle
Authen state : Authed
Author state : Idle
Configured accounting method : RADIUS accounting
Quota-out : Offline
Current accounting method : RADIUS accounting
Realtime-accounting-switch : Close
Realtime-accounting-interval(sec) :-
Realtime-accounting-send-update : No
Realtime-accounting-traffic-update : No
Accounting start time : 2013-10-17 10:42:15
Online time (h:min:sec) : 00:07:45
Accounting state : Accounting
MTU : 1492
MRU : 1492
Idle-cut direction : Both
Idle-cut-data (time,rate,idle): 0 sec, 60 kbyte/min, 0 min 0 sec
Ipv4 Realtime speed : 0 kbyte/min
Ipv4 Realtime speed inbound : 0 kbyte/min
Ipv4 Realtime speed outbound : 0 kbyte/min
Dot1X:
User MSIDSN name :-
EAP user : No
MD5 end : No
VPN&Policy-route:
Vpn-Instance :-
Multicast Service:
Multicast-profile :-
Multicast-profile-ipv6 :-
Max Multicast List Number :4
IGMP enable : Yes
ACL&QoS:
Link bandwidth auto adapt : Disable
UpPriority : Unchangeable
DownPriority : Unchangeable
EDSG information:
Service info : Aservice_edsg1
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Dslam information :
Circuit ID :-
Remote ID :-
Actual datarate upstream :0(Kbps)
Actual datarate downstream :0(Kbps)
Min datarate upstream :0(Kbps)
Min datarate downstream :0(Kbps)
Attainable datarate upstream :0(Kbps)
Attainable datarate downstream :0(Kbps)
Max datarate upstream :0(Kbps)
Max datarate downstream :0(Kbps)
Min lowpower datarate upstream :0(Kbps)
Min lowpower datarate downstream :0(Kbps)
Max delay upstream :0(s)
Max delay downstream :0(s)
Actual delay upstream :0(s)
Actual delay downstream :0(s)
Access loop encapsulation :0x000000
-------------------------------------------------------------------
Are you sure to display some information?(Y/N)[Y]:
----End
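The two display commands above can be turned into an automated post-change check that compares what the BRAS reports with the intended policy from the networking requirements. This is an added example, not part of the Huawei guide; the function names, the EXPECTED table and the trimmed sample capture are constructed for illustration.

```python
import re

# Constructed capture in the layout of the two display commands shown above
# (service table, then one service-index detail view), trimmed to the fields
# that are checked.
TABLE_OUTPUT = """\
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------
"""

DETAIL_OUTPUT = """\
Service index :0
Service name : service_edsg1
Service state : Active
Service group : s_1m
Authentication method : None
Account method : Radius
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Down committed information rate : 1000(kbps)
"""

# Intended policy from the networking requirements: 1 Mbit/s for network 1
# (s_1m) and 2 Mbit/s for network 2 (s_2m), in both directions.
EXPECTED = {
    "service_edsg1": {"group": "s_1m", "cir_kbps": 1000},
    "service_edsg2": {"group": "s_2m", "cir_kbps": 2000},
}


def parse_service_table(text):
    """Map service name -> state from the rows of the service table."""
    rows = {}
    for line in text.splitlines():
        hit = re.fullmatch(r"\s*\d+\s+(\S+)\s+(\S+)\s*", line)
        if hit:
            rows[hit.group(1)] = hit.group(2)
    return rows


def parse_detail(text):
    """Map field name -> value; the separator is ' :' so 00:04:36 stays whole."""
    fields = {}
    for line in text.splitlines():
        hit = re.fullmatch(r"(.+?)\s+:\s*(.*)", line)
        if hit:
            fields[hit.group(1).strip()] = hit.group(2).strip()
    return fields


def kbps(value):
    """'1000(kbps)' -> 1000, or None when the field is absent or malformed."""
    hit = re.fullmatch(r"(\d+)\(kbps\)", value or "")
    return int(hit.group(1)) if hit else None


def verify(table, detail, expected=EXPECTED):
    """Compare the reported state with the intended policy; return findings."""
    findings = [f"{name}: not Active in the service table"
                for name in sorted(expected) if table.get(name) != "Active"]
    name = detail.get("Service name")
    want = expected.get(name)
    if want is None:
        return findings + [f"{name}: service is not part of the intended policy"]
    if detail.get("Service group") != want["group"]:
        findings.append(f"{name}: bound to group {detail.get('Service group')}")
    for direction in ("Up", "Down"):
        got = kbps(detail.get(f"{direction} committed information rate"))
        if got != want["cir_kbps"]:
            findings.append(f"{name}: {direction} CIR {got} kbps, expected {want['cir_kbps']}")
    # The page's local-policy example reports None here, its RADIUS-delivered
    # example reports auth1; report None so the operator can confirm intent.
    if detail.get("Authentication method", "").lower() == "none":
        findings.append(f"{name}: no service authentication")
    if detail.get("Account method", "").lower() != "radius":
        findings.append(f"{name}: accounting method is not RADIUS")
    return findings
```

Feed the functions the text captured from the device for each service index; an empty list from `verify()` means the reported group, committed rates, authentication and accounting match the intended policy.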
Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
segments for user access, achieving independent rate limiting for different
network segments.
Networking Requirements
On the network shown in Figure 1-37, PPPoE users access network 1 and network
2. Different fees need to be charged for traffic over networks 1 and 2. The users
have different bandwidth requirements for networks 1 and 2. The uplink and
downlink traffic bandwidths for access to network 1 and network 2 are limited to
1 Mbit/s and 2 Mbit/s, respectively. The RADIUS server functions as both an AAA
server and an EDSG service policy server. The EDSG service policy server uses
RADIUS to deliver EDSG service policies in which parameters, such as the
authentication mode, accounting mode, and bandwidths for uplink and downlink
traffic rate limit, are specified.
Interface 1, sub-interface 2.1, and sub-interface 2.2 in this example represent GE 0/1/2.100,
GE 0/1/1.1, and GE 0/1/1.2, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure AAA schemes and a RADIUS server.
3. Configure an EDSG traffic policy.
4. Configure a mode in which EDSG service policies are downloaded.
5. Configure the RADIUS server to deliver EDSG service policies. (This step is
performed on the RADIUS server.)
6. Configure address pools.
7. Configure an AAA domain.
8. Configure interfaces.
9. Configure IP routes. IS-IS is used as an example.
10. Configure access users. (This step is performed on the RADIUS server.)
Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, RADIUS authentication scheme, RADIUS accounting
scheme, and bandwidths for uplink and downlink traffic rate limiting for
EDSG services
Procedure
Step 1 Set the host name of the BRAS to HUAWEI.
<Device> system-view
[~Device] sysname HUAWEI
[*Device] commit
Step 2 Configure the BRAS to generate DUIDs in DUID-LLT mode. (This step is not
required if a DUID has been configured on the BRAS.)
[~HUAWEI] dhcpv6 duid llt
[*HUAWEI] commit
# Configure a RADIUS server that functions as both an AAA server and an EDSG
service policy server.
[~HUAWEI] radius-server group radius
[*HUAWEI-radius-radius] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-radius] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-radius] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-radius] commit
[~HUAWEI-radius-radius] quit
# Configure an IPv6 ACL numbered 6020 for the service group s_1m to match
the IPv6 packets between the service group s_1m and network 1.
[~HUAWEI] acl ipv6 number 6020
[*HUAWEI-acl6-ucl-6020] rule 10 permit ipv6 source service-group s_1m destination ipv6-address 2001:db8::2/64
[*HUAWEI-acl6-ucl-6020] rule 20 permit ipv6 source ipv6-address 2001:db8::2/64 destination service-group s_1m
[*HUAWEI-acl6-ucl-6020] commit
[~HUAWEI-acl6-ucl-6020] quit
# Configure an IPv4 ACL numbered 6021 for the service group s_2m to match
the IPv4 packets between the service group s_2m and network 2.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
# Configure an IPv6 ACL numbered 6021 for the service group s_2m to match
the IPv6 packets between the service group s_2m and network 2.
[~HUAWEI] acl ipv6 number 6021
[*HUAWEI-acl6-ucl-6021] rule 15 permit ipv6 source service-group s_2m destination ipv6-address 2001:db8:1::2/64
[*HUAWEI-acl6-ucl-6021] rule 25 permit ipv6 source ipv6-address 2001:db8:1::2/64 destination service-group s_2m
[*HUAWEI-acl6-ucl-6021] commit
[~HUAWEI-acl6-ucl-6021] quit
[~HUAWEI-classifier-c2] quit
4. Configure traffic behaviors.
# Configure a traffic behavior named b1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit
Step 7 Configure EDSG service policies. (This step is performed on the RADIUS server.)
1. Configure an EDSG service policy for access to network 1.
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg1.
NOTE
The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change
the RADIUS attribute names to be the same as those in the RADIUS attribute
dictionary based on the vendor ID and attribute number.
Step 10 Bind the address pools, AAA schemes, and RADIUS server group to an AAA
domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group radius
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] prefix-assign-mode unshared
[~HUAWEI-aaa-domain-isp1] ip-pool edsg_pool
[~HUAWEI-aaa-domain-isp1] ipv6-pool pool_nd
[~HUAWEI-aaa-domain-isp1] ipv6-pool pool_pd
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
Step 13 Configure access users. (This step is performed on the RADIUS server.)
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.
NOTE
The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.
NOTE
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------
# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index : 0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority : 0
Authentication method : auth1
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------
----End
Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
dhcpv6 duid 0001000125a7625df063f9761497
#
value-added-service enable
#
radius-server group radius
radius-server shared-key-cipher %^%#yp(NBJ@lRGH\VOIu>g^5;;Wg@}YoR7/BfHIm:/@~%^%#
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl ipv6 number 6020
rule 10 permit ipv6 source service-group s_1m destination ipv6-address 2001:db8::2/64
rule 20 permit ipv6 source ipv6-address 2001:db8::2/64 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
acl ipv6 number 6021
rule 15 permit ipv6 source service-group s_2m destination ipv6-address 2001:db8:1::2/64
rule 25 permit ipv6 source ipv6-address 2001:db8:1::2/64 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
if-match ipv6 acl 6020 precedence 2
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
if-match ipv6 acl 6021 precedence 2
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
service-policy download radius rad_group1 password cipher $$e:TY%^%glhJ;yPG#$=tC&(Is%q!S_";(k.Ef$%^%#:978
#
ip pool pool1 bas local
gateway 172.16.100.1 255.255.255.0
section 0 172.16.100.2 172.16.100.200
dns-server 10.179.155.161 10.179.155.177
#
ipv6 prefix pre_nd delegation
prefix 2001:DB8:1::/48 delegating-prefix-length 64
slaac-unshare-only
#
ipv6 prefix pre_pd delegation
prefix 2001:DB8:2::/48 delegating-prefix-length 60
pd-unshare-only
#
ipv6 pool pool_nd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_nd
#
ipv6 pool pool_pd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_pd
#
aaa
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group radius
prefix-assign-mode unshared
ip-pool edsg_pool
ipv6-pool pool_nd
ipv6-pool pool_pd
#
#
isis 100
cost-style wide
#
ipv6 enable topology ipv6
ipv6 preference 105
#
#
interface Virtual-Template 1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/2.100
ipv6 enable
ipv6 address auto link-local
user-vlan 3074 qinq 3074
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method ppp web
#
#
interface GigabitEthernet0/1/1.1
ipv6 enable
ipv6 address 2001:DB8:200:2:2102:2205:1:1/64
ipv6 address auto link-local
ip address 192.168.100.1 24
isis enable 100
isis ipv6 enable 100
isis ipv6 cost 61
#
#
interface GigabitEthernet0/1/1.2
ipv6 enable
ipv6 address 2001:DB8:201:2:2102:2205:1:1/64
ipv6 address auto link-local
ip address 192.168.200.1 24
isis enable 100
isis ipv6 enable 100
isis ipv6 cost 62
#
#
interface LoopBack0
ipv6 enable
ip address 10.10.10.10 255.255.0.0
ipv6 address 2001:DB8:200::2205/128
ipv6 address auto link-local
isis enable 100
isis ipv6 enable 100
#
return
Networking Requirements
On the network shown in Figure 1-38, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively. The RADIUS server delivers EDSG service policies, in which the
accounting modes, authentication modes, and uplink and downlink bandwidths
are specified. The BRAS is equipped with a NAT service board to implement NAT
following authentication, authorization, and accounting. The BRAS implements
NAT on EDSG service traffic to translate private IP addresses to public IP addresses
so that users can access the public network.
In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, RADIUS authentication scheme, RADIUS accounting
scheme, and bandwidths for uplink and downlink traffic rate limiting for
EDSG services
● NAT instance name
● NAT address pool's number and start and end IP addresses
● NAT traffic diversion policy parameters, such as the user group name, ACL
rule, traffic classifier, traffic behavior, and traffic policy
Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
[~HUAWEI-aaa-authen-auth1] quit
# Configure the RADIUS mode for downloading EDSG service policies. In this
mode, EDSG service policies are downloaded from the RADIUS server through
authentication packets.
[~HUAWEI] service-policy download radius rad_group1 password cipher YsHsjx_202206
[*HUAWEI] commit
Step 6 Configure EDSG service policies. (This step is performed on the RADIUS server.)
1. Configure an EDSG service policy for access to network 1.
NOTE
The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change
the RADIUS attribute names to be the same as those in the RADIUS attribute
dictionary based on the vendor ID and attribute number.
# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[~HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[~HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[~HUAWEI-ip-pool-edsg_pool] quit
Step 8 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[~HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
3. Configure the interface connecting the BRAS to the policy server, RADIUS
server, and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit
2. Create a NAT instance named nat1, bind the service board to the NAT
instance, and configure an address pool in which the IP addresses range from
22.22.22.0 to 22.22.22.255 for the NAT instance.
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location slot 9 engine 0
[*HUAWEI-service-location-1] commit
[~HUAWEI-service-location-1] quit
[~HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-1] service-location 1
[*HUAWEI-service-instance-group-1] commit
[~HUAWEI-service-instance-group-1] quit
[~HUAWEI] nat instance nat1 id 1
[*HUAWEI-nat-instance-nat1] service-instance-group group1
[*HUAWEI-nat-instance-nat1] nat address-group address-group1 group-id 1 22.22.22.0 mask 24
Step 11 Bind the NAT instance to a user group in the AAA domain.
1. Create a user group named usergroup1.
[~HUAWEI] user-group usergroup1
2. Bind the NAT instance nat1 to the user group usergroup1 in the AAA domain
domain1.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain domain1
[~HUAWEI-aaa-domain-domain1] user-group usergroup1 bind nat instance nat1
[~HUAWEI-aaa-domain-domain1] traffic match user-group
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] quit
[~HUAWEI-aaa] quit
3. Configure a traffic behavior named nat and bind it to the NAT instance nat1.
[~HUAWEI] traffic behavior nat
[*HUAWEI-behavior-nat] nat bind instance nat1
[*HUAWEI-behavior-nat] commit
[~HUAWEI-behavior-nat] quit
4. Associate the traffic classifier with the traffic behavior of the NAT service in
the traffic policy traffic_policy_edsg_nat.
[~HUAWEI] traffic policy traffic_policy_edsg_nat
[~HUAWEI-policy-traffic_policy_edsg_nat] classifier nat behavior nat precedence 3
[*HUAWEI-policy-traffic_policy_edsg_nat] commit
[~HUAWEI-policy-traffic_policy_edsg_nat] quit
Step 14 Configure access users. (This step is performed on the RADIUS server.)
NOTE
The shared key configured for a RADIUS server group determines the value of the User-
Password attribute.
NOTE
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------
# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index : 0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority : 0
Authentication method : auth1
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
----End
Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
radius-server group rad_group1
radius-server shared-key-cipher %^%#/@aaSf_t=7;.A3Z6;`bR;1Q'Tf[1E>tLhc71lu2@%^%#
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
#
service-policy download radius rad_group1 password cipher %^%#Uuo@Qh\,eK@5DcKnGf:AfR5eVA@rlFLlx{(YtM6W%^%#
#
service-location 1
location slot 9 engine 0
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 22.22.22.0 mask 24
nat outbound any address-group address-group1
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
value-added-service enable
#
service-group s_1m
service-group s_2m
#
acl number 6001
rule 10 permit ip source user-group usergroup1
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic classifier nat operator or
if-match acl 6001 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic behavior nat
nat bind instance nat1
#
traffic policy traffic_policy_edsg_nat
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
classifier nat behavior nat precedence 3
#
aaa
#
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme acct1
accounting-mode radius
#
domain domain1
radius-server group rad_group1
ip-pool edsg_pool
user-group usergroup1 bind nat instance nat1
traffic match user-group
#
license
active nat session-table size 6 slot 9 engine 0
#
interface GigabitEthernet0/1/2.1
statistic enable
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/0.2
vlan-type dot1q 2
ip address 192.168.200.2 255.255.255.0
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 10.10.10.1 255.255.255.0
undo dcn
#
traffic-policy traffic_policy_edsg_nat inbound
traffic-policy traffic_policy_edsg_nat outbound
#
return
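An offline cross-reference check for a saved configuration laid out like the file above, added here as an example and not taken from the Huawei guide: it reports ACL rules, classifiers and traffic-policy bindings that name a service group, ACL, classifier or behavior the file never declares. The sample text is a constructed excerpt with `service-group s_2m` and `traffic behavior b2` deliberately omitted; the function and pattern names are this example's own.

```python
import re

SERVICE_GROUP_DECL = re.compile(r"^service-group (\S+)$")
ACL_DECL = re.compile(r"^acl (ipv6 )?number (\d+)")
CLASSIFIER_DECL = re.compile(r"^traffic classifier (\S+)")
BEHAVIOR_DECL = re.compile(r"^traffic behavior (\S+)")
SERVICE_GROUP_REF = re.compile(r"\b(?:source|destination) service-group (\S+)")
ACL_REF = re.compile(r"^if-match (ipv6 )?acl (\d+)")
POLICY_BIND = re.compile(r"^classifier (\S+) behavior (\S+)")

# Constructed sample in the layout of the configuration file above.
SAMPLE_CONFIG = """\
#
service-group s_1m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
"""


def acl_key(ipv6_flag, number):
    """IPv4 and IPv6 ACLs share numbers, so keep the family in the key."""
    return ("ipv6 " if ipv6_flag else "") + number


def audit(config_text):
    """Return (line_no, kind, name) for every reference to an undeclared object."""
    declared = {k: set() for k in ("service-group", "acl", "classifier", "behavior")}
    references = []
    header = None  # first line of the current "#"-delimited block
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "#":
            header = None
            continue
        if header is None:
            header = line
        # A service-group line is a declaration only in a block that starts
        # with one; inside other blocks it is a binding, not a declaration.
        if (m := SERVICE_GROUP_DECL.match(line)) and SERVICE_GROUP_DECL.match(header):
            declared["service-group"].add(m.group(1))
        elif m := ACL_DECL.match(line):
            declared["acl"].add(acl_key(m.group(1), m.group(2)))
        elif m := CLASSIFIER_DECL.match(line):
            declared["classifier"].add(m.group(1))
        elif m := BEHAVIOR_DECL.match(line):
            declared["behavior"].add(m.group(1))
        elif line.startswith("rule "):
            for name in SERVICE_GROUP_REF.findall(line):
                references.append((line_no, "service-group", name))
        elif m := ACL_REF.match(line):
            references.append((line_no, "acl", acl_key(m.group(1), m.group(2))))
        elif (m := POLICY_BIND.match(line)) and header.startswith("traffic policy "):
            references.append((line_no, "classifier", m.group(1)))
            references.append((line_no, "behavior", m.group(2)))
    # Resolve after the whole file is read: declarations may follow their use.
    return [ref for ref in references if ref[2] not in declared[ref[1]]]


if __name__ == "__main__":
    for line_no, kind, name in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} '{name}' is referenced but not declared")
```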
Example for Configuring the Delivery of the EDSG Prepaid Service Through a RADIUS Server
This section provides an example for configuring the delivery of the EDSG prepaid
service through a RADIUS server.
Networking Requirements
On the network shown in Figure 1-39, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively. In addition, the prepaid function needs to be enabled for the users. To
meet these requirements, configure two EDSG services on the BRAS to implement
differentiated accounting, rate limit, and prepaid functions on traffic over network
1 and network 2. EDSG allows carriers to provide flexible service and accounting
policies for different user requirements.
In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.
NOTE
The AAA server shown in Figure 1-39 also functions as a policy server and delivers services
through RADIUS.
Configuration Roadmap
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure AAA authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a local address pool.
8. Bind the local address pool and RADIUS server group to an AAA domain.
9. Configure the prepaid function.
10. Configure interfaces.
11. Configure access users.
12. Set user 1's prepaid time to 120s on the RADIUS server.
13. Set user 2's prepaid traffic volume to 100 Mbytes on the RADIUS server.
Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, RADIUS authentication scheme, RADIUS accounting
scheme, and bandwidths for uplink and downlink traffic rate limiting for
EDSG services
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for a prepaid profile
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for a prepaid profile
● Prepaid function parameters, such as the prepaid profile name, bound RADIUS
server group, authentication scheme, accounting scheme, password used for
the BRAS to apply for an EDSG service quota from the RADIUS server group,
time and traffic volume thresholds, and policy used when the service quota is
exhausted.
Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[~HUAWEI] commit
NOTE
For details about how to configure a RADIUS server group, see Configuring a Device as a
RADIUS Client in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide - User
Access.
NOTE
You must run the service-group command to create service groups regardless of
whether the BRAS obtains an EDSG service policy from local configurations or a
RADIUS server.
2. Configure ACL rules for service groups.
# Configure ACL 6020 and define ACL rules for the service group s_1m.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit
# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
# Bind the service group s_1m to the EDSG service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] service-group s_1m
# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] radius-server group rad_group1
# Set the bandwidth for uplink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 inbound
# Set the bandwidth for downlink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit
2. Configure an EDSG service policy for access to network 2.
# Create an EDSG service policy named service_edsg2.
[~HUAWEI] service-policy name service_edsg2 edsg
# Bind the service group s_2m to the EDSG service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] service-group s_2m
# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] radius-server group rad_group1
# Set the bandwidth for uplink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 inbound
# Set the bandwidth for downlink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit
Step 8 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
# Bind the RADIUS server group rad_group1 to the prepaid profile prepaid1.
[~HUAWEI-prepaid-profile-prepaid1] radius-server group rad_group1
# Configure a password used for the BRAS to apply for an EDSG service quota
from the RADIUS server group.
[~HUAWEI-prepaid-profile-prepaid1] password cipher YsHsjx_202206
# Set the time threshold for the BRAS to reapply for a time quota for EDSG
services from the RADIUS server to 60s.
# Set the traffic volume threshold for the BRAS to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 10 Mbytes.
[*HUAWEI-prepaid-profile-prepaid1] threshold volume 10 mbytes
[*HUAWEI-prepaid-profile-prepaid1] commit
[~HUAWEI-prepaid-profile-prepaid1] quit
2. Configure a prepaid profile for access to network 2.
# Create a prepaid profile named prepaid2.
[~HUAWEI] prepaid-profile prepaid2
# Bind the RADIUS server group rad_group1 to the prepaid profile prepaid2.
[~HUAWEI-prepaid-profile-prepaid2] radius-server group rad_group1
# Configure a password used for the BRAS to apply for an EDSG service quota
from the RADIUS server group.
[~HUAWEI-prepaid-profile-prepaid2] password cipher YsHsjx_202206
# Set the time threshold for the BRAS to re-apply for a time quota for EDSG
services from the RADIUS server to 300s.
[*HUAWEI-prepaid-profile-prepaid2] threshold time 300 seconds
# Set the traffic volume threshold for the BRAS to re-apply for a traffic
volume quota for EDSG services from the RADIUS server to 20 Mbytes.
[*HUAWEI-prepaid-profile-prepaid2] threshold volume 20 mbytes
[*HUAWEI-prepaid-profile-prepaid2] commit
[~HUAWEI-prepaid-profile-prepaid2] quit
3. Configure a policy used when the quota is exhausted.
# Configure a deactivation policy for access to network 1.
[~HUAWEI] prepaid-profile prepaid1
[~HUAWEI-prepaid-profile-prepaid1] quota-out service deactivate
[~HUAWEI-prepaid-profile-prepaid1] commit
[~HUAWEI-prepaid-profile-prepaid1] quit
[~HUAWEI-prepaid-profile-prepaid2] commit
[~HUAWEI-prepaid-profile-prepaid2] quit
4. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit
Step 11 Configure access users. (This step is performed on the RADIUS server.)
NOTE
The shared key configured for a RADIUS server group determines the value of the User-
Password attribute.
NOTE
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
NOTE
For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
Step 12 Set user 1's prepaid time to 120s on the RADIUS server.
# Configure the RADIUS server to deliver the RADIUS attribute Session-Timeout
with a value of 120s for user 1. This attribute indicates the remaining service time.
# Obtain the ID of the online user.
<HUAWEI> display value-added-service user edsg
The used user id table are:
128000
128001
# View detailed information about the EDSG service after the user has used the
EDSG service for 60s, at which point the BRAS sends CoA messages to the RADIUS
server in advance to apply for a new time quota.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index : 0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority : 0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100f5fcb5128034
Service online time(HH:MM:SS) : 00:01:00
Up committed information rate : 1000(kbps)
# View service deactivation information. The command output shows that the
user service has been deactivated after 120s.
<HUAWEI> display service deactivate-record
-------------------------------------------------------------------
Policy name : service_edsg1
User ID : 128000
Service index :0
Access time : 2013-10-17 17:41:03
Deavtivate time : 2013-10-17 17:45:33
Deactivate reason : The server does not reply with prepaid authorization response
Step 13 Set user 2's prepaid traffic volume to 100 Mbytes on the RADIUS server.
# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Remanent-
Volume (Vendor ID=2011, Attribute number=15) with a value of 100M for user 2.
The RADIUS attribute Huawei-Remanent-Volume indicates the remaining traffic
volume of user 2.
# View the status information of the prepaid profile prepaid2.
<HUAWEI> display prepaid-profile name prepaid2
------------------------------------------------
Prepaid-profile-index : 1
Prepaid-profile-name : prepaid2
Prepaid-password : ******
Reference-count : 0
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Radius-server-template : rad_group1
Time-threshold : 300(s)
Volume-threshold : 20(Mbytes)
Quota-out-action : service deactivate
HTTP-redirect-profile : http_redirect_profile
------------------------------------------------
# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128001.
<HUAWEI> display value-added-service user user-id 128001 edsg service-index 0
-------------------------------------------------------
Service index : 0
Service name : service_edsg2
Service type : EDSG
Service state : Active
Service group : s_2m
Service group priority : 0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100f5fcb5128034
Service online time(HH:MM:SS) : 00:04:28
----End
Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
Networking Requirements
On the network shown in Figure 1-40, User1 and User2 access BRAS1 through
SW1. BRAS1 uses RADIUS for authentication and accounting. It assigns to the
users IPv4 addresses through the local address pool, IPv6 prefixes through DHCPv6
IA_PD, and IPv6 addresses through ND.
EDSG services need to be deployed to meet users' different requirements for
network service traffic. ACLs need to be configured to match destination addresses
of user traffic so that network segments accessed by users can be differentiated,
thereby implementing independent rate limiting and accounting for different
network segments. To enable private network users to access the Internet, deploy
distributed CGN on the network to translate private addresses into public
addresses. In addition, deploy dual-device cold backup to improve network
reliability. This function allows the users to go online through the other device if a
device fails.
Figure 1-40 PPPoE dual-stack user access (ND unshared+PD) in a dual-device cold
backup scenario with distributed CGN and EDSG services deployed
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes, and specify RADIUS authentication and RADIUS
accounting.
2. Configure RADIUS.
3. Configure address pools.
4. Configure devices to generate DUIDs in DUID-LLT mode.
5. Configure a domain.
6. Configure interfaces.
7. Configure EDSG services.
8. Configure distributed CGN services.
9. Enable the devices to advertise public routes.
Data Preparation
To complete the configuration, you need the following data:
● User access parameters
● CGN service parameters
● EDSG service parameters
Procedure
Step 1 Configure AAA schemes.
# Configure two authentication schemes: one with the authentication mode set to
RADIUS and the other with the authentication mode set to none.
<HUAWEI> system-view
[~HUAWEI] sysname BRAS1
[*HUAWEI] commit
[~BRAS1] aaa
[~BRAS1-aaa] authentication-scheme auth1
[*BRAS1-aaa-authen-auth1] authentication-mode radius
[*BRAS1-aaa-authen-auth1] quit
[~BRAS1-aaa] authentication-scheme none
[*BRAS1-aaa-authen-none] authentication-mode none
[*BRAS1-aaa-authen-none] quit
[*BRAS1-aaa] commit
Step 4 Configure the device to generate a DUID in DUID-LLT mode. (This step is not
required if a DUID has been configured on the device.)
[~BRAS1] dhcpv6 duid llt
[*BRAS1] commit
# Configure the Eth-Trunk interface to work in static LACP mode and set a
protocol packet timeout period.
[~BRAS1] interface Eth-Trunk2
[*BRAS1-Eth-Trunk2] mode lacp-static
[*BRAS1-Eth-Trunk2] lacp timeout fast
[*BRAS1-Eth-Trunk2] commit
# Create a NAT instance named nat444-1, bind the service instance group
nat444-group1 to it to specify the corresponding service board resources, and
configure a port range.
# Enable ALG for all protocols and configure the 3-tuple mode.
[*BRAS1-nat-instance-nat444-1] nat alg all
[*BRAS1-nat-instance-nat444-1] nat filter mode full-cone
[*BRAS1-nat-instance-nat444-1] quit
[*BRAS1] commit
NOTE
The procedure for configuring a NAT instance named nat444-2 is similar to that for
configuring a NAT instance named nat444-1. For details, see the configuration files.
[*BRAS1] commit
[~BRAS1] traffic classifier no-nat
[*BRAS1-classifier-no-nat] if-match acl 6002
[*BRAS1-classifier-no-nat] quit
[*BRAS1] commit
3. Configure traffic behaviors.
[~BRAS1] traffic behavior nat-b1
[*BRAS1-nat-b1] nat bind instance nat444-1
[*BRAS1-nat-b1] quit
[*BRAS1] commit
[~BRAS1] traffic behavior nat-b2
[*BRAS1-nat-b2] nat bind instance nat444-2
[*BRAS1-nat-b2] quit
[*BRAS1] commit
[~BRAS1] traffic behavior no-nat
[*BRAS1-no-nat] quit
[*BRAS1] commit
4. Configure a NAT traffic policy.
[~BRAS1] traffic policy p1
[~BRAS1-traffic-policy-p1] classifier no-nat behavior no-nat precedence 2
[*BRAS1-traffic-policy-p1] classifier nat-c1 behavior nat-b1 precedence 3
[*BRAS1-traffic-policy-p1] classifier nat-c2 behavior nat-b2 precedence 4
[*BRAS1-traffic-policy-p1] quit
[*BRAS1] commit
5. Apply the NAT traffic policy in the upstream direction.
[~BRAS1] traffic-policy p1 inbound
[*BRAS1] commit
----End
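Added example, not part of the Huawei guide: a Python check that the ACL, classifier, behavior and NAT instance names used in the steps above resolve to objects the configuration actually defines, since a dangling reference in this chain is easy to miss in review. The function name, the patterns and the sample text are this example's own; the sample is constructed with three deliberate defects, and only IPv4 `if-match acl` references are checked.

```python
import re

# Constructed sample in the flattened style of the configuration files on this page.
# Deliberate defects: ACL 6002, NAT instance nat444-2 and behavior nat-b9 are undefined.
SAMPLE = """\
nat instance nat444-1 id 1
acl number 6000
acl number 6001
traffic classifier nat-c1 operator or
if-match acl 6000 precedence 1
traffic classifier nat-c2 operator or
if-match acl 6001 precedence 1
traffic classifier no-nat operator or
if-match acl 6002 precedence 1
traffic behavior nat-b1
nat bind instance nat444-1
traffic behavior nat-b2
nat bind instance nat444-2
traffic behavior no-nat
traffic policy p1
classifier no-nat behavior no-nat precedence 2
classifier nat-c1 behavior nat-b1 precedence 3
classifier nat-c2 behavior nat-b9 precedence 4
"""

DEFS = {  # object kind -> pattern of the line that defines it
    "acl": r"^acl number (\d+)",
    "classifier": r"^traffic classifier (\S+)",
    "behavior": r"^traffic behavior (\S+)",
    "nat instance": r"^nat instance (\S+)",
}
REFS = [  # (object kind, pattern of a line that references it)
    ("acl", r"^if-match acl (\d+)"),
    ("nat instance", r"^nat bind instance (\S+)"),
    ("classifier", r"^classifier (\S+) behavior"),
    ("behavior", r"^classifier \S+ behavior (\S+)"),
]

def dangling_refs(config):
    """Return sorted (kind, name, line_no) for references to undefined objects."""
    lines = [l.strip() for l in config.splitlines()]
    defined = {k: {m.group(1) for l in lines if (m := re.match(p, l))}
               for k, p in DEFS.items()}
    return sorted((kind, m.group(1), no)
                  for no, line in enumerate(lines, 1)
                  for kind, pat in REFS
                  if (m := re.match(pat, line)) and m.group(1) not in defined[kind])
```

Applied to the BRAS1 configuration file on this page, the same check reports ACL 6002: the no-nat classifier matches it, while the no-NAT rules are defined under acl number 6003.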
Configuration Files
● BRAS1 configuration file
#
sysname BRAS1
#
license
active nat session-table size 16 slot 3 engine 0
active nat session-table size 16 slot 10 engine 0
active nat bandwidth-enhance slot 3 engine 0
active nat bandwidth-enhance slot 10 engine 0
#
radius local-ip all
#
radius-attribute hw-policy-name support-type edsg
#
radius-server group rd1
radius-server shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^%
#
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server class-as-car
radius-server calling-station-id include mac
radius-server user-name original
#
radius-server authorization 192.168.8.249 shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^% server-group rd1
#
service-location 1
location slot 3 engine 0 backup slot 10 engine 0
#
service-location 2
location slot 10 engine 0 backup slot 3 engine 0
#
service-instance-group nat444-group1
service-location 1
#
service-instance-group nat444-group2
service-location 2
#
nat instance nat444-1 id 1
service-instance-group nat444-group1
port-range 4096
nat address-group pppoe-public-1 group-id 1
section 0 10.1.1.0 mask 24
section 1 10.3.1.0 mask 24
nat outbound 2011 address-group pppoe-public-1
nat alg all
nat filter mode full-cone
#
nat instance nat444-2 id 1
service-instance-group nat444-group2
port-range 4096
nat address-group pppoe-public-2 group-id 1
section 0 10.1.1.0 mask 24
section 1 10.3.1.0 mask 24
nat outbound 2011 address-group pppoe-public-2
nat alg all
nat filter mode full-cone
#
user-group pppoe-nat-1
user-group pppoe-nat-2
#
ip pool pool_v4 bas local
gateway 172.16.0.1 255.255.255.0
section 0 172.16.0.2 172.16.0.200
dns-server 10.179.155.161 10.179.155.177
#
ipv6 prefix pre_nd delegation
prefix 2001:DB8:1::/48
slaac-unshare-only
#
ipv6 pool pool_nd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_nd
#
ipv6 prefix pre_pd delegation
prefix 2001:DB8:2::/48
pd-unshare-only
#
ipv6 pool pool_pd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_pd
#
value-added-service enable
#
service-group edsg
#
acl number 6100
description edsg
rule 5 permit ip source service-group edsg destination ip-address 192.168.100.0 0.0.0.255
rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group edsg
#
acl ipv6 number 6100
rule 5 permit ipv6 source service-group edsg destination ipv6-address 2001:DB8::/32
rule 10 permit ipv6 source ipv6-address 2001:DB8::/32 destination service-group edsg
#
acl number 6000
description for_pppoe-nat-1
rule 5 permit ip source user-group pppoe-nat-1
#
acl number 6001
description for_pppoe-nat-2
rule 5 permit ip source user-group pppoe-nat-2
#
acl number 6003
description for_pppoe-no-nat
rule 5 permit ip source user-group pppoe-nat-2 destination ip-address 192.168.200.0 0.0.0.255
rule 10 permit ip source user-group pppoe-nat-2 destination ip-address 10.168.200.0 0.0.0.255
#
dhcpv6 duid 00010001280ef7a400e0fc904b50
#
traffic classifier edsg-c1 operator or
if-match acl 6100 precedence 1
if-match ipv6 acl 6100 precedence 2
#
traffic classifier nat-c1 operator or
if-match acl 6000 precedence 1
#
traffic classifier nat-c2 operator or
if-match acl 6001 precedence 1
#
traffic classifier no-nat operator or
if-match acl 6002 precedence 1
#
traffic behavior edsg-b1
#
traffic behavior nat-b1
nat bind instance nat444-1
#
traffic behavior nat-b2
nat bind instance nat444-2
#
traffic behavior no-nat
#
traffic policy p1
share-mode
classifier edsg-c1 behavior edsg-b1 precedence 1
classifier no-nat behavior no-nat precedence 2
classifier nat-c1 behavior nat-b1 precedence 3
classifier nat-c2 behavior nat-b2 precedence 4
#
aaa
#
authentication-scheme auth1
authentication-mode radius
#
authentication-scheme none
authentication-mode none
#
accounting-scheme acct1
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
prefix-assign-mode unshared
ip-pool pool_v4
ipv6-pool pool_nd
ipv6-pool pool_pd
user-group pppoe-nat-1 bind nat instance nat444-1
user-group pppoe-nat-2 bind nat instance nat444-2
accounting-start-delay 10 online user-type ppp
accounting-start-delay traffic-forward before-start-accounting
user-basic-service-ip-type ipv4
#
interface Virtual-Template5
ppp authentication-mode chap
#
interface Eth-Trunk2
mode lacp-static
lacp timeout fast
#
interface Eth-Trunk2.10
ipv6 enable
ipv6 address auto link-local
statistic enable
pppoe-server bind Virtual-Template 5
user-vlan 1000 4000 qinq 2000 2001
bas
#
access-type layer2-subscriber default-domain authentication isp1
client-option82 basinfo-insert cn-telecom
access-delay 100 even-mac
#
#
interface GigabitEthernet0/1/0
undo shutdown
ipv6 enable
ip address 10.2.1.1 255.255.255.0
ipv6 address 2001:DB8:8::7/128
ipv6 address auto link-local
#
traffic-policy p1 inbound
traffic-policy p1 outbound
#
service-policy name service_edsg1 edsg
authentication-scheme none
accounting-scheme acct1
radius-server group rd1
service-group edsg
rate-limit cir 100000 pir 100000 inbound
rate-limit cir 100000 pir 100000 outbound
#
bgp 65008
#
ipv4-family unicast
network 0 10.1.1.0 255.255.255.0
network 0 10.3.1.0 255.255.255.0
#
return
● BRAS2 configuration file
#
sysname BRAS2
#
license
active nat session-table size 16 slot 3 engine 0
active nat session-table size 16 slot 10 engine 0
active nat bandwidth-enhance slot 3 engine 0
active nat bandwidth-enhance slot 10 engine 0
#
radius local-ip all
#
radius-attribute hw-policy-name support-type edsg
#
radius-server group rd1
radius-server shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^%
#
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server class-as-car
radius-server calling-station-id include mac
radius-server user-name original
#