NetEngine 8000 M14, M8 and M4 V800R022C10 Configuration Guide 22 Value-Added Services

HUAWEI NetEngine 8100 M14/M8, NetEngine 8000 M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series
V800R022C10SPC500

Configuration Guide
Issue 01
Date 2023-03-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2023. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com
Email: support@huawei.com

Issue 01 (2023-03-31) Copyright © Huawei Technologies Co., Ltd. i



Contents

1 Configuration
1.1 Value-Added Services
1.1.1 BOD Configuration
1.1.1.1 BOD Description
1.1.1.1.1 Introduction of BOD
1.1.1.1.2 Understanding BOD
1.1.1.1.3 Application Scenarios for BOD
1.1.1.1.4 Terminology for BOD
1.1.1.2 BOD Configuration
1.1.1.2.1 Overview of BOD
1.1.1.2.2 Feature Requirements for BOD
1.1.1.2.3 Configuring BOD
1.1.1.2.4 Configuration Examples for BOD
1.1.2 DAA Configuration
1.1.2.1 DAA Description
1.1.2.1.1 Overview of DAA
1.1.2.1.2 Understanding DAA
1.1.2.1.3 Application Scenarios for DAA
1.1.2.1.4 Terminology for DAA
1.1.2.2 DAA Configuration
1.1.2.2.1 Overview of DAA
1.1.2.2.2 Feature Requirements for DAA
1.1.2.2.3 Summary of DAA Configuration Tasks
1.1.2.2.4 Configuring DAA
1.1.2.2.5 Configuration Examples for DAA
1.1.3 EDSG Configuration
1.1.3.1 EDSG Description
1.1.3.1.1 Introduction of EDSG
1.1.3.1.2 Understanding EDSG
1.1.3.1.3 Application Scenarios for EDSG
1.1.3.1.4 Terminology for EDSG
1.1.3.2 EDSG Configuration
1.1.3.2.1 Overview


1.1.3.2.2 Feature Requirements for EDSG
1.1.3.2.3 Configuring EDSG
1.1.3.2.4 Maintaining EDSG
1.1.3.2.5 EDSG Configuration Examples


Figures

Figure 1-1 Composition of a Value-added Service System
Figure 1-2 Process of dynamic value-added services
Figure 1-3 BOD service application
Figure 1-4 BOD networking diagram
Figure 1-5 DAA usage scenario
Figure 1-6 DAA service matching process
Figure 1-7 DAA traffic policy
Figure 1-8 Default tariff level and QoS priority mapping
Figure 1-9 DAA traffic policy
Figure 1-10 DAA service mapping tariff level implementation
Figure 1-11 DAA service accounting process
Figure 1-12 Message exchange process
Figure 1-13 Message exchange process
Figure 1-14 Accounting based on destination addresses
Figure 1-15 PUPP networking
Figure 1-16 DAA service networking
Figure 1-17 DAA networking
Figure 1-18 EDSG service policy
Figure 1-19 Service identification
Figure 1-20 Differentiated accounting
Figure 1-21 Process of a static service policy
Figure 1-22 Process of a dynamic service policy (a service policy is modified through the AAA server)
Figure 1-23 Process of a dynamic service policy (a service policy is modified through the policy server)
Figure 1-24 Service replacement process
Figure 1-25 Service restoration process
Figure 1-26 EDSG service policy obtainment
Figure 1-27 EDSG service authentication
Figure 1-28 Packet packaging's implementation mechanism
Figure 1-29 EDSG service prepaid process
Figure 1-30 Process of information query over CoA
Figure 1-31 Accounting based on destination addresses
Figure 1-32 Accounting based on used services


Figure 1-33 EDSG networking
Figure 1-34 EDSG service networking
Figure 1-35 EDSG service networking
Figure 1-36 EDSG service networking
Figure 1-37 EDSG service networking
Figure 1-38 Configuring NAT over EDSG
Figure 1-39 EDSG service networking
Figure 1-40 PPPoE dual-stack user access (ND unshared+PD) in a dual-device cold backup scenario with distributed CGN and EDSG services deployed


Tables

Table 1-1 Creating an ACL rule
Table 1-2 Creating an ACL6 rule
Table 1-3 Procedure for configuring a DAA service policy
Table 1-4 RADIUS attributes supported by CoA messages


1 Configuration

1.1 Value-Added Services


1.1.1 BOD Configuration


NOTE

This feature applies only to the NetEngine 8000 M4, NetEngine 8000 M8, NetEngine 8000
M14, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M8, NetEngine 8000E
M14.

1.1.1.1 BOD Description

1.1.1.1.1 Introduction of BOD

Definition
Bandwidth on demand (BOD) is a value-added service featuring dynamic
bandwidth allocation. When users need to adjust their bandwidths, they can
dynamically activate or deactivate the BOD service through a portal server,
achieving bandwidth adjustment without carriers' intervention.

Purpose
With the diversification of network applications such as VoIP and IPTV, users place
more demands on network bandwidth. BOD services can enhance interaction between
users and networks and improve network resource usage efficiency while meeting
users' personalization requirements and reducing user costs.

Benefits
BOD offers the following benefits to carriers:


● Carriers can provide target customers with flexible service and tariff policies,
increasing the average revenue per user (ARPU) and operating revenues.
● Carriers can rapidly deploy new services, avoiding homogeneous competition
and reducing the user churn rate.
● Carriers can adjust user bandwidths based on tariff policies to maximize
bandwidth utilization and protect investment.
● Carriers can provide self-service for users, reducing O&M costs.
BOD offers the following benefits to users:
● Users can flexibly customize personal services.
● Users do not need to pay for unnecessary broadband.

1.1.1.1.2 Understanding BOD

BOD Overview

BOD is one of the value-added services. Therefore, this section introduces BOD by
describing the value-added service process.

Composition of a value-added service system

Figure 1-1 Composition of a Value-added Service System


To implement value-added services, the following systems or devices are required:


● Service Selection Server (SSS): As a Policy Decision Point (PDP), it is
responsible for the configuration, management, policy decision, and
accounting of value-added services.
● AAA server: It is used for authentication, authorization, and accounting of
access services.
● BRAS: As a Policy Enforcement Point (PEP), it is responsible for enforcing
service policies, forwarding service flows, and providing original accounting
information of each type of service for service-based accounting.
● Service select portal (SSP): It is a Web-based self-help service portal, through
which an operator demonstrates services and introduces services to users. The
SSP can be a portal server, through which users can browse, subscribe to, and
search for services.
NOTE

The interfaces connecting the BRAS and an AAA server use RADIUS or HWTACACS; the
interfaces connecting the BRAS and an SSS use RADIUS or DIAMETER.

Processing of Value-added Services


Value-added services are based on access services. When a user accesses a device,
the policy server delivers the access service policy for the user. When using value-
added services, the user needs to dynamically change the service policy.
For example, a user visits the Portal page to select value-added services. Figure
1-2 shows the process of delivering BOD dynamic value-added services.


Figure 1-2 Process of dynamic value-added services

1. A user sends a login request.
2. The user is authenticated by the AAA server and successfully logs in.
3. The BRAS informs the SSS (RADIUS/Diameter) of the user information.
4. The user visits the Portal page and selects the value-added services of interest.
5. The SSP sends information about the user and the selected services to the SSS
(RADIUS/Diameter).
6. The SSS customizes a service policy based on the selected services, and then
sends the service policy to the BRAS through RADIUS or Diameter.
7. The BRAS implements the delivered service policy and instructs the SSS to
start accounting.
8. After receiving the message of starting accounting, the SSS informs the SSP.
9. The SSP notifies the user through the Portal page that the selected services
have been activated and can be used.
10. The user starts to use the value-added services. The BRAS accounts and
controls the value-added services based on the service policy, and reports the
traffic volume to the SSS.


BOD Service Activation and Deactivation

BOD service activation can be implemented using the RADIUS or Diameter
protocol. The RADIUS protocol supports dynamic activation only. That is, CoA
packets carrying the RADIUS attribute HW-Policy-Name (26-95) are sent upon user
access. The packet content is the BOD service policy template name, and the
accounting mode is RADIUS accounting. The Diameter protocol supports the
sending of CCR-I packets upon user access to activate services or the sending of
RAR packets after user access to dynamically activate services.

NOTE

Format of the HW-Policy-Name (26-95) attribute: <service-name>.

The BOD service activation process is as follows:


● BOD service delivery by the RADIUS server
1. The RADIUS server sends a BOD service installation message to the BRAS.
2. The BRAS sends the RADIUS server a response message indicating that the
BOD service is installed successfully.
3. The BRAS sends an accounting start request to the RADIUS server.
4. The RADIUS server sends an accounting start response to the BRAS.
● BOD service delivery by the Diameter server
1. The BRAS sends a CCR-I message to the Diameter server.
2. The Diameter server responds to the BRAS with a CCA-I message, which
indicates the BOD service is installed successfully.

BOD service deactivation involves the following scenarios:


● Service deactivation when a user goes offline: All BOD services of the user are
automatically stopped when a user goes offline.
● Dynamic service deactivation: When a user is online:
– The RADIUS server uses a DM message to delete the BOD service policy.
– The Diameter server uses an RAR message to delete the BOD service
policy.
● Service deactivation after quota exhaustion: After the service duration or
traffic volume quota is exhausted, the service can be configured to go offline.

The process for the RADIUS server to use a DM message to delete a BOD
service policy is as follows:
1. The RADIUS server sends a BOD service policy deletion message to the BRAS.
2. The BRAS sends the RADIUS server a response message indicating that the
BOD service policy is deleted.
3. The BRAS sends an accounting stop request to the RADIUS server.
4. The RADIUS server sends an accounting stop response to the BRAS.

The process for the Diameter server to use an RAR message to delete a BOD
service policy is as follows:


1. The Diameter server sends an RAR message to the BRAS to delete a BOD
service policy.
2. The BRAS sends the Diameter server a response message indicating that the
BOD service policy is deleted.

BOD Service Quota Management

BOD services support a duration quota, a traffic volume quota, or a combination
of duration and traffic volume quotas. If both duration and traffic volume quotas
are delivered, they take effect together. An action is triggered if either of the
quotas is exhausted. When the RADIUS or Diameter server delivers a new quota,
BOD services use the new quota; when the RADIUS or Diameter server delivers
zero quotas, BOD services are logged out; when the RADIUS or Diameter server
does not deliver a quota, the BRAS determines whether to log out BOD services
based on the configuration. By default, BOD services remain online.
After a user goes online, the RADIUS server uses a CoA message to deliver the Huawei
No. 95 attribute carrying a BOD service policy name. The standard No. 27 attribute
is used to deliver a duration quota, and the Huawei No. 15 attribute is used to deliver
a traffic volume quota. The BRAS uses a CCR-I message (Diameter protocol) to
notify the server that the user goes online. The Diameter server returns a CCA-I
message carrying the service that the user subscribed to and a service quota.
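
The RADIUS CoA delivery described above changes a user's service policy and quotas, so the receiver should verify the Request Authenticator before acting on it. The following is an added example, not code from this guide or from Huawei: it builds a CoA-Request carrying attribute 26-95, attribute 27 and Huawei attribute 15, then verifies and decodes it. Assumptions: the session is identified with Acct-Session-Id, Huawei attribute 15 is encoded as a 32-bit integer, and the secret, session ID and policy name are constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 CoA-Request code
SESSION_TIMEOUT = 27      # "standard No. 27 attribute": duration quota, in seconds
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific container
ACCT_SESSION_ID = 44      # assumption: used here to identify the online session
HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number
HW_POLICY_NAME = 95       # HW-Policy-Name (26-95): BOD service policy name
HW_VOLUME_QUOTA = 15      # "Huawei No. 15 attribute": traffic volume quota


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _huawei_vsa(vendor_type, value):
    sub = bytes([vendor_type, len(value) + 2]) + value
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + sub)


def _request_authenticator(code, ident, attrs, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa_request(ident, secret, session_id, policy_name,
                      seconds=None, volume=None):
    """Server side: CoA-Request that installs a BOD policy with optional quotas."""
    attrs = _attr(ACCT_SESSION_ID, session_id.encode("ascii"))
    attrs += _huawei_vsa(HW_POLICY_NAME, policy_name.encode("ascii"))
    if seconds is not None:
        attrs += _attr(SESSION_TIMEOUT, struct.pack("!I", seconds))
    if volume is not None:
        # Assumption: 32-bit integer encoding; the unit is not stated on the page.
        attrs += _huawei_vsa(HW_VOLUME_QUOTA, struct.pack("!I", volume))
    auth = _request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def _decode_huawei(value, out):
    if len(value) < 6:
        raise ValueError("short vendor-specific attribute")
    if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
        return  # another vendor's attribute: ignore
    sub, pos = value[4:], 0
    while pos < len(sub):
        if pos + 2 > len(sub):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = sub[pos], sub[pos + 1]
        if vlen < 2 or pos + vlen > len(sub):
            raise ValueError("bad vendor sub-attribute length")
        data = sub[pos + 2:pos + vlen]
        pos += vlen
        if vtype == HW_POLICY_NAME:
            out["policy_name"] = data.decode("ascii")
        elif vtype == HW_VOLUME_QUOTA:
            if len(data) != 4:
                raise ValueError("bad volume quota length")
            out["volume_quota"] = struct.unpack("!I", data)[0]


def parse_coa_request(packet, secret):
    """Receiver side: authenticate first, then decode. Raises ValueError on failure."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = _request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    out = {"session_id": None, "policy_name": None,
           "duration_quota": None, "volume_quota": None}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == ACCT_SESSION_ID:
            out["session_id"] = value.decode("ascii")
        elif attr_type == SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("bad Session-Timeout length")
            out["duration_quota"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC:
            _decode_huawei(value, out)
    return out
```

A quota left as `None` in the result corresponds to the "no quota delivered" case, which the BRAS resolves from its local configuration.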
Rules for the Diameter server to deliver quotas through the Gx interface are as
follows:
● When the Diameter server delivers only a BOD service policy name, the BRAS
checks whether the quota's monitor key delivered by the Diameter server is
the same as the Diameter monitor key locally configured in the BOD service
policy. If they are the same, the quota takes effect; otherwise, it does not.
● When the Diameter server directly delivers a BOD service policy, the BRAS
checks whether the quota's monitor key delivered by the Diameter server is
the same as the monitor key in the Charging-Rule-Definition AVP. If they are
the same, the quota takes effect; otherwise, it does not. If the Charging-Rule-
Definition AVP delivered by the Diameter server does not carry the monitor
key, the BRAS trusts the monitor key of the initially delivered quota.
● If the original BOD service policy needs to be replaced, the Diameter server
deletes this policy from the BRAS and installs the new BOD service policy
through the Gx interface. The monitor keys for quotas of the original and new
services can be different.
After a BOD service goes online successfully, the process for quota exhaustion is as
follows:


Action After Quota Exhaustion: A new quota is delivered after quota exhaustion.
Procedure:
1. When a user's quota is exhausted, the BRAS sends a real-time accounting request
to the RADIUS server. The BRAS sends a CCR-U request to the Diameter server.
2. The RADIUS or Diameter server delivers a new quota to the BRAS, and the user
continues to use the new quota.

Action After Quota Exhaustion: Zero quotas are delivered after quota exhaustion.
Procedure:
1. When a user's quota is exhausted, the BRAS sends a real-time accounting request
to the RADIUS server. The BRAS sends a CCR-U request to the Diameter server.
2. The RADIUS server delivers zero quotas to the BRAS. The Diameter server responds
to the BRAS with a CCA-T message carrying zero quotas.
3. The service goes offline, and the BRAS sends an accounting stop request to the
RADIUS server. The BRAS sends a CCR-T request to the Diameter server.
4. The RADIUS server sends an accounting stop response to the BRAS. The Diameter
server sends a CCA-T response to the BRAS.

Action After Quota Exhaustion: No quota is delivered after quota exhaustion.
Procedure:
1. When a user's quota is exhausted, the BRAS sends a real-time accounting request
to the RADIUS server. The BRAS sends a CCR-U request to the Diameter server.
2. The RADIUS or Diameter server does not deliver a quota, and the BRAS determines
whether to log out the service based on the configuration. By default, the service
remains online.
3. If the service is configured to go offline, the BRAS sends an accounting stop
request to the RADIUS server. The BRAS sends a CCR-T request to the Diameter server.
4. The RADIUS server sends an accounting stop response to the BRAS. The Diameter
server sends a CCA-T response to the BRAS.

BOD Service Accounting

BOD service accounting is classified as individual or non-individual accounting. In
individual accounting mode, after a BOD service is generated, accounting stop is
triggered; after a BOD service is deleted, accounting start is triggered. The
configuration determines whether the BOD service accounting mode is individual
accounting. By default, non-individual accounting is used. When a BOD service is
generated or deleted, user accounting remains unchanged.

BOD services support RADIUS accounting and non-accounting. RADIUS accounting
is classified into the following types:

● Accounting start: After a service is activated and a forwarding channel is
established, accounting start is immediately triggered for the service.


● Accounting stop: After a service is deactivated and a forwarding channel is
deleted, accounting stop is immediately triggered for the service.
● Real-time accounting: To ensure the timeliness and accuracy of user service
accounting, the BRAS can send service accounting packets to the AAA server
in real time.

BOD Service Traffic Statistics

BOD traffic is user traffic. The total traffic volume of a user is stored separately
from the total BOD traffic volume of the user. The user traffic volume displayed in
AAA entries is the difference between the two traffic volumes. The BOD traffic
increment is not counted into the value-added service.

After a BOD service is installed, service entries store the total user traffic volume
on the AAA server during BOD service installation. When the BOD service exists
and its traffic volume needs to be obtained, the system obtains the total current
traffic volume from the AAA server. The current BOD traffic volume can be
obtained by subtracting the initial traffic volume during BOD service installation
from the total current traffic volume.

1.1.1.1.3 Application Scenarios for BOD

Typical BOD Service Application


BOD allows the BRAS to dynamically allocate user bandwidth and modify basic
user attributes, such as user groups, user priorities, and accounting policies. Users
can select the desired service bandwidth types to use more service bandwidth.

Figure 1-3 BOD service application


As shown in Figure 1-3, the RM9000 functions as a policy server. The user logs in
to the portal server's portal page to select a desired bandwidth type. The portal
server then submits the selected bandwidth type to the RM9000. After going
online, the user visits ISP1's email server and sends emails at a default bandwidth
of 2 Mbit/s. To visit ISP2's video server, the user must apply for a higher service
bandwidth. After the user selects a desired bandwidth type, the portal server sends
the selected bandwidth type to the RM9000. The RM9000 instructs the BRAS to
change the user bandwidth to 10 Mbit/s, and the BRAS sends an accounting
packet to the RM9000. Then the user can access the requested video service at 10
Mbit/s.

1.1.1.1.4 Terminology for BOD

Acronyms and Abbreviations


Acronym and Abbreviation    Full Name
BOD                         bandwidth on demand
COA                         change-of-authorization
DM                          Disconnect Message
AAA                         Authentication, Authorization and Accounting
RADIUS                      Remote Authentication Dial In User Service
BRAS                        broadband remote access server
SSP                         service selection portal
SSS                         service selection server
CCR                         Credit-Control-Request
CCA                         Credit-Control-Answer

1.1.1.2 BOD Configuration


NOTE

In VS mode, this feature is supported only by the admin VS.

1.1.1.2.1 Overview of BOD

Bandwidth on demand (BOD) is a value-added service featuring dynamic
bandwidth allocation. When users need to adjust their bandwidths, they can
dynamically activate or deactivate the BOD service through a portal server,
achieving bandwidth adjustment without carriers' intervention.

BOD offers the following benefits to carriers:


● Carriers can provide target customers with flexible service and tariff policies,
increasing the average revenue per user (ARPU) and operating revenues.
● Carriers can rapidly deploy new services, avoiding homogeneous competition
and reducing the user churn rate.
● Carriers can adjust user bandwidths based on tariff policies to maximize
bandwidth utilization and protect investment.
● Carriers can provide self-service for users, reducing O&M costs.

1.1.1.2.2 Feature Requirements for BOD

1.1.1.2.3 Configuring BOD


Before configuring BOD, complete the pre-configuration tasks and obtain the data
required for the configuration.

Enabling the Value-added Service Function


BOD can be configured only after the value-added service function is enabled.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run value-added-service enable

The value-added service function is enabled globally.

Step 3 Run commit

The configuration is committed.

----End

Configuring a Policy Server


A value-added service policy can be delivered over RADIUS or Diameter. This
section describes how to configure a RADIUS or Diameter policy server.

Context
If a value-added service policy is delivered over RADIUS, you must configure a
RADIUS server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M.
For details about the configuration, see Configuring a Device as a RADIUS Client.
If a value-added service policy is delivered over Diameter, you must configure a
Diameter server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000
M. For details about the configuration, see Configuring a Diameter Server.

Configuring an Accounting Mode for Value-added Services


Operators can configure differentiated services and tariff policies for users.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run accounting-scheme scheme-name
An accounting scheme is created.
Step 4 Run accounting interim interval interval [ second ] [ traffic ][ hash ]
A real-time accounting interval is configured. The traffic and hash parameters can
be configured to prevent the server performance from deteriorating when the
server receives a large number of real-time accounting packets.

Step 5 Run quit
Return to the AAA view.
Step 6 Run domain domain-name
The domain view is displayed.
Step 7 Run value-added-service account-type { none | radius radius-server | default }
An accounting mode is configured for value-added services. The accounting mode
can be none, RADIUS accounting, or default accounting.
Step 8 Run commit
The configuration is committed.

----End

Configuring a BOD Service Policy


This section describes how to configure a BOD service policy.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run value-added-service bod portal-reserved
The device is enabled to reserve portal services when BOD is deployed.
Step 3 Run value-added-service policy service-policy-name bod
A BOD service policy is created, and its view is displayed.
Step 4 Run accounting-scheme scheme-name
An existing accounting scheme is configured for the BOD service policy.


Step 5 Run qos-profile qos-profile-name
A QoS profile is referenced in the BOD service policy.
If both CAR and user-queue are configured in a QoS profile, you are advised to set
the two CIRs to the same value.
Step 6 (Optional) Run user-group user-group-name
A user group is bound to the BOD service policy.
Step 7 (Optional) Configure a Diameter monitor key for the BOD service policy based on
the format of the monitor key delivered by the Diameter server.
● Run the diameter monitor-key string monitor-key-string command to
configure a Diameter monitor key in string format for the BOD service policy.
Before running this command, run the diameter monitor-key parse-mode
string command in the system view to set the parsing mode of the Diameter
monitor key to string.
● Run the diameter monitor-key monitor-key command to configure a
Diameter monitor key in integer format for the BOD service policy.
Before running this command, run the diameter monitor-key parse-mode
integer command in the system view to set the parsing mode of the
Diameter monitor key to integer.
Step 8 Run quit
Return to the system view.
Step 9 (Optional) Run diameter gx attribute used-service-unit include cc-output-octets
The device is enabled to report the downstream traffic of value-added services to
the Diameter server.
Step 10 (Optional) Run diameter monitor-key change support-type bod
The Gx interface is enabled to support changes of the Diameter monitor key in the
BOD service policy. If the BOD service policy is subsequently replaced, the quota
can be matched based on the monitor key in the new BOD service policy.
Step 11 Run commit
The configuration is committed.

----End

Binding a Policy Server to a Domain


This section describes the procedure for binding a policy server to a domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.


Step 3 Run domain domain-name

The domain view is displayed.

Step 4 Run either of the following commands:


● To bind a RADIUS server group to the domain, run the radius-server group
group-name command.
● To bind a Diameter server group to the domain, run the diameter-server
group group-name command.

Step 5 Run user-group group-name

A user group is bound to the domain.

Step 6 Run billing-server type { 1 | 2 }

An accounting server type is specified.

NOTE

● Value 1 indicates that the accounting server supports dynamic switching of value-
added service policy templates. After the policy server releases a new template, users
are not charged with the corresponding tariff level, and a new accounting service is
generated.
● Value 2 indicates that the accounting server supports normal switching of value-added
service policy templates. After the policy server releases a new template, users can
only obtain the QoS parameters in it. Real-time accounting packets are sent after
original bandwidth restrictions are updated.

Step 7 Run commit

The configuration is committed.

----End

Verifying the BOD Configuration


After configuring BOD, verify the configuration.

Procedure
● Run the display value-added-service policy command to check value-added
service policy information.
● Run the display value-added-service user command to check value-added
service information.
● Run the display diameter-group bind-info command to check the bindings
between AAA domains and Diameter server groups.
● Run the display dhcp option-64 qos-profile [ domain domain-name ]
configuration command to check the Option 64 parsing mode configured in
the system view or the AAA domain view.
● Run the display dhcp receive server-packet [ domain domain-name ]
configuration command to check whether the router is enabled in the system
view or the domain view to process ACK packets destined for gateways from a
DHCP server.

----End


1.1.1.2.4 Configuration Examples for BOD


This section provides BOD configuration examples.

Example for Configuring BOD


This section provides an example for configuring BOD. You can learn about the
configuration process based on the BOD networking diagram. This example covers
networking requirements, configuration roadmap, data preparation, configuration
procedure, and configuration files.

Networking Requirements
As shown in Figure 1-4, the networking requirements are as follows:

● The basic value-added service policy for users in domain isp1 is to implement
RADIUS charging and allow users in this domain to access network segment
192.168.100.0/24.
● The IP address and port number of the RADIUS authentication server are
10.10.10.2 and 1812, respectively. The IP address and port number of the
RADIUS accounting server are 10.10.10.2 and 1813, respectively. The default
values are used for other parameters.
● The IP address and port number of the Diameter server are 10.10.10.3 and
3288, respectively.

Networking Diagram

Figure 1-4 BOD networking diagram


NOTE

Interfaces 1 through 3 in this example represent GE 0/4/2, GE 0/4/4, and GE 0/5/0,
respectively.


Configuration Roadmap
1. Configure an authentication scheme and an accounting scheme.
2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure a policy server.
5. Configure a value-added service accounting mode.
6. Configure a QoS profile.
7. Configure a BOD service policy.
8. Configure an AAA domain.
9. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:
● Authentication scheme name and authentication mode
● Accounting scheme name and accounting mode
● RADIUS server group name, and IP addresses and port numbers of the
RADIUS authentication server and accounting server
● Address pool name, gateway address, server group name, and IP addresses on
different network segments
● BOD traffic policy
● QoS profile and BOD service template
● Domain name
● Interface parameters

Configuration Procedure
1. Configure AAA.
# Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit

# Configure a RADIUS server group.
[~HUAWEI] radius-server group group1
[*HUAWEI-radius-group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-group1] radius-server shared-key-cipher huawei
[*HUAWEI-radius-group1] commit
[~HUAWEI-radius-group1] quit

2. Configure an address pool.


[~HUAWEI] ip pool pool1 bas local
[~HUAWEI-ip-pool-pool1] gateway 172.16.100.1 24
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] section 0 172.16.100.2 172.16.100.200
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit
3. Enable the value-added service function.
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
4. Configure value-added service policies.
# Configure a policy server.
[~HUAWEI] diameter enable
[~HUAWEI] diameter-local huawei interface GigabitEthernet 0/5/0 host test107 realm huawei.com product NetEngine 8000 X
[~HUAWEI] diameter-peer huawei ip 10.10.10.3 port 3288 host pcrf realm huawei.com
[*HUAWEI] commit
[~HUAWEI] diameter-server group huawei
[~HUAWEI-diameter-group-huawei] diameter-link local huawei peer huawei client-port 4097 weight 5
[*HUAWEI-diameter-group-huawei] commit
[~HUAWEI-diameter-group-huawei] quit
5. Configure a value-added service accounting mode.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] radius-server group group1
[~HUAWEI-aaa-domain-isp1] value-added-service account-type radius group1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
6. Configure a QoS profile.
# Configure a QoS profile named qos-prof1.
[~HUAWEI] qos-profile qos-prof1
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 inbound
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 outbound
[*HUAWEI-qos-profile-qos-prof1] commit
[~HUAWEI-qos-profile-qos-prof1] quit
7. Configure a BOD service policy named bod1.
[~HUAWEI] value-added-service policy bod1 bod
[~HUAWEI-bod1] accounting-scheme acct1
[~HUAWEI-bod1] qos-profile qos-prof1
[*HUAWEI-bod1] commit
[~HUAWEI-bod1] quit
8. Configure an AAA domain named isp1.
# Configure an AAA domain named isp1.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
# Configure an authentication scheme in the domain.
[~HUAWEI-aaa-domain-isp1] authentication-scheme auth1
# Configure an accounting scheme in the domain.
[~HUAWEI-aaa-domain-isp1] accounting-scheme acct1
# Configure a RADIUS server group named group1 in the domain.
[~HUAWEI-aaa-domain-isp1] radius-server group group1
# Configure an accounting type in the domain.
[~HUAWEI-aaa-domain-isp1] value-added-service account-type radius group1
# Configure a Diameter server group named huawei in the domain.


[~HUAWEI-aaa-domain-isp1] diameter-server group huawei
# Configure an address pool in the domain.
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
9. Configure interfaces.
# Create a virtual template (VT).
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit
# Configure a BAS interface.
[~HUAWEI] interface GigabitEthernet 0/4/2
[~HUAWEI-GigabitEthernet0/4/2] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/4/2] commit
[~HUAWEI-GigabitEthernet0/4/2] bas
[~HUAWEI-GigabitEthernet0/4/2-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/4/2-bas] commit
[~HUAWEI-GigabitEthernet0/4/2-bas] quit
[~HUAWEI-GigabitEthernet0/4/2] quit
# Configure an upstream interface.
[~HUAWEI] interface GigabitEthernet 0/4/4.1
[~HUAWEI-GigabitEthernet0/4/4.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/4/4.1] commit
[~HUAWEI-GigabitEthernet0/4/4.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/4/4.1] commit
[~HUAWEI-GigabitEthernet0/4/4.1] quit
# Configure the interface that is connected to both the RADIUS and Diameter
servers.
[~HUAWEI] interface GigabitEthernet 0/5/0
[~HUAWEI-GigabitEthernet0/5/0] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/5/0] commit
10. Verify the configuration.
Run the display value-added-service policy command to check value-added
service policy information.
<HUAWEI> display value-added-service policy
------------------------------------------------------------------
Index Service Policy Name Used Num Type User Num
------------------------------------------------------------------
1 bod1 1 BOD 1
------------------------------------------------------------------
Total 2,2 printed
Run the display value-added-service user command to check value-added
service information.
<HUAWEI> display value-added-service user user-id 168 bod
-------------------------------------------------------------------------
Bod user service table:

Service user id : 168
Service type : Diameter user bod
Service policy : bod1
Account method : Radius
Account start time : 2016-11-22 13:10:32
Normal-server-group : --
Flow up packets(high,low) : (0,0)
Flow up bytes(high,low) : (0,0)
Flow down packets(high,low) : (0,0)
Flow down bytes(high,low) : (0,0)
IPV6 Flow up packets(high,low) : (0,0)
IPV6 Flow up bytes(high,low) : (0,0)
IPV6 Flow down packets(high,low) : (0,0)


IPV6 Flow down bytes(high,low) : (0,0)
Up committed information rate <kbps> : 5000
Up Peak information rate <kbps> : No limit
Up committed burst size <bytes> :-
Up Peak burst size <bytes> :-
Down committed information rate <kbps> : 5000
Down Peak information rate <kbps> : No limit
Down committed burst size <bytes> :-
Down Peak burst size <bytes> :-

Run the display diameter-group bind-info command to check the bindings
between AAA domains and Diameter server groups.
<HUAWEI> display diameter-group bind-info
-----------------------------------------------------------------------------
| Domain Name | Diameter Group Name |
-----------------------------------------------------------------------------
| isp1 | huawei |
-----------------------------------------------------------------------------

Run the display diameter configuration command to check Diameter-related
configuration.
<HUAWEI> display diameter configuration
-- Diameter Configuration ---------------------------------------------------
Diameter function is Enabled
Diameter Gx use XML data dictionary
Diameter predefined-rule support-type edsg is Disabled
Diameter GX application version is R940
-----------------------------------------------------------------------------
-- Diameter local information -----------------------------------------------
Diameter local number :1
-----------------------------------------------------------------------------
| Local index :0
| Local name : abc
| Local interface name : GigabitEthernet0/1/0
| Local IP Address : 10.137.83.222
| Local IPv6 Address : 2001:DB8:3::1
| Local host name : nanjing222
| Local realm name : huawei
| Local product name : testa
-----------------------------------------------------------------------------
-- Diameter peer information -----------------------------------------------
Diameter peer number :1
-----------------------------------------------------------------------------
| Peer index :0
| Peer name : peer
| Peer IPv4 address : 10.137.83.56
| Peer port : 3868
| Peer host name : pcrf.huawei.com
| Peer realm name : huawei.com
-----------------------------------------------------------------------------
-- Diameter server group Configuration --------------------------------------
Diameter server group number : 1
-----------------------------------------------------------------------------
| Group index :0
| Group name : test
| Group active state : Active
| Group Reference number :1
-----------------------------------------------------------------------------
| Connection group number :1
-----------------------------------------------------------------------------
|| Connection group index :0
|| Local index :0
|| Local name : abc
|| Local interface name : GigabitEthernet0/1/0
|| Local IP Address : 10.137.83.222
|| Local host name : nanjing222
|| Local realm name : huawei
|| Local product name : testa
|| Peer index :0


|| Peer name : peer
|| Peer IPv4 address : 10.137.83.56
|| Peer port : 3868
|| Peer host name : pcrf.huawei.com
|| Peer realm name : huawei.com
-----------------------------------------------------------------------------
|| Connection number :1
-----------------------------------------------------------------------------
|||Connection index :0
|||Client port : 3896
|||Link State : Up
-----------------------------------------------------------------------------
| Total connection number :1
-----------------------------------------------------------------------------

Configuration Files
#
sysname HUAWEI
#
value-added-service enable
#
diameter enable
#
diameter-local huawei interface GigabitEthernet0/5/0 host test107 realm huawei.com product NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M
#
diameter-peer huawei ip 10.10.10.3 port 3288 host pcrf realm huawei.com
#
radius-server group group1
 radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
diameter-server group huawei
 diameter-link local huawei peer huawei client-port 4097 weight 5
#
ip pool pool1 bas local
 gateway 172.16.100.1 255.255.255.0
 section 0 172.16.100.2 172.16.100.200
#
dot1x-template 1
#
aaa
 authentication-scheme auth1
 #
 authorization-scheme default
 #
 accounting-scheme acct1
 #
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  ip-pool pool1
  diameter-server group huawei
  value-added-service account-type radius group1
  radius-server group group1
#
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
 car cir 5000 cbs 935000 green pass red discard outbound
#
value-added-service policy bod1 bod
 accounting-scheme acct1
 qos-profile qos-prof1
#
interface Virtual-Template1
 ppp authentication-mode auto
#


interface GigabitEthernet0/4/4.1
 vlan-type dot1q 1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/5/0
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/4/2
 pppoe-server bind Virtual-Template 1
 undo shutdown
 bas
 #
  access-type layer2-subscriber
 #
#
return
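
A saved BOD configuration can be checked offline for the cross-references the procedures above depend on: each BOD policy must name an accounting scheme and a QoS profile that exist, and each domain must point at defined server groups. The following Python check is an added example, not Huawei tooling; it assumes the one-space-per-level indentation of a saved configuration file, runs on a constructed sample with two planted defects, and reports `value-added-service account-type none` as a finding by choice of this example.

```python
import re

# Constructed sample modelled on the BOD configuration file in this section.
# Planted defects: bod2 names an undefined QoS profile; isp2 disables accounting.
SAMPLE_CONFIG = """\
#
value-added-service enable
#
radius-server group group1
 radius-server authentication 10.10.10.2 1812 weight 0
#
diameter-server group huawei
#
aaa
 accounting-scheme acct1
 #
 domain isp1
  accounting-scheme acct1
  diameter-server group huawei
  value-added-service account-type radius group1
  radius-server group group1
 #
 domain isp2
  accounting-scheme acct1
  value-added-service account-type none
#
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
#
value-added-service policy bod1 bod
 accounting-scheme acct1
 qos-profile qos-prof1
#
value-added-service policy bod2 bod
 accounting-scheme acct1
 qos-profile qos-prof9
#
return
"""

POLICY = r"value-added-service policy \S+ bod"
DOMAIN = r"domain \S+"
# (enclosing views, line pattern, kind): where each object is defined.
DEFINITIONS = [
    ((), r"radius-server group (\S+)", "radius-server group"),
    ((), r"diameter-server group (\S+)", "diameter-server group"),
    ((), r"qos-profile (\S+)", "qos-profile"),
    (("aaa",), r"accounting-scheme (\S+)", "accounting-scheme"),
]
# (enclosing view pattern, line pattern, kind): where each object is referenced.
REFERENCES = [
    (POLICY, r"accounting-scheme (\S+)", "accounting-scheme"),
    (POLICY, r"qos-profile (\S+)", "qos-profile"),
    (DOMAIN, r"accounting-scheme (\S+)", "accounting-scheme"),
    (DOMAIN, r"radius-server group (\S+)", "radius-server group"),
    (DOMAIN, r"diameter-server group (\S+)", "diameter-server group"),
    (DOMAIN, r"value-added-service account-type radius (\S+)", "radius-server group"),
]


def parse_views(text):
    """Return (path, line) pairs; path is the tuple of enclosing view headers."""
    stack, entries = [], []                    # stack of (indent, header)
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()                        # leave views we are no longer inside
        entries.append((tuple(h for _, h in stack), line))
        stack.append((indent, line))
    return entries


def audit_bod(text):
    """Return (view, problem) findings for a BOD configuration."""
    entries = parse_views(text)
    defined = {}
    for path, line in entries:
        for where, pattern, kind in DEFINITIONS:
            m = re.fullmatch(pattern, line)
            if m and path == where:
                defined.setdefault(kind, set()).add(m[1])
    findings = []
    if ((), "value-added-service enable") not in entries:
        findings.append(("global", "value-added-service enable is missing"))
    for path, line in entries:
        view = path[-1] if path else ""
        for view_pattern, pattern, kind in REFERENCES:
            m = re.fullmatch(pattern, line)
            if m and re.fullmatch(view_pattern, view) and m[1] not in defined.get(kind, ()):
                findings.append((view, f"{kind} {m[1]} is not defined"))
        if re.fullmatch(DOMAIN, view) and line == "value-added-service account-type none":
            findings.append((view, "value-added service accounting is disabled"))
    return findings
```

Calling `audit_bod(SAMPLE_CONFIG)` returns the two planted findings in file order; an empty list means every reference resolved.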

1.1.2 DAA Configuration


NOTE

This feature applies only to the NetEngine 8000 M4, NetEngine 8000 M8, NetEngine 8000
M14, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M8, NetEngine 8000E
M14.

1.1.2.1 DAA Description

1.1.2.1.1 Overview of DAA

Definition
Destination address accounting (DAA) implements differentiated accounting, rate
limit, and priority scheduling based on traffic destination addresses.

Purpose
DAA is performed at different tariff levels that are defined based on different
destination addresses of user access traffic. The functions implemented in carriers'
broadband operation are as follows:

● Service types are distinguished based on destination addresses to implement
statistics for traffic of different service types.
● Each type of service can correspond to one tariff level, implementing service-
based refined operation functions and meeting requirements for settlement
between local network carriers and Internet toll network carriers and for
value-added services.
● Different bandwidth control is performed for different destination addresses.
Flexible combinations of packages can be launched to meet service
bandwidth requirements of different levels of users, which helps carriers
segment markets and use limited network bandwidth resources to provide
differentiated operations and services.
● Access users can log in to the portal and purchase, activate, or deactivate DAA
policies as required, reducing carriers' O&M costs.


● An open architecture and standard interfaces are used to implement flexible
interworking with systems, such as the AAA server, billing system, and policy
server.

Benefits
DAA offers the following benefits to carriers:

● Carriers can use DAA to distinguish between Internet traffic and intranet
traffic and perform accounting based on different tariff levels, ensuring
operation revenues.
● Carriers can identify services based on the network segments of servers
storing the services. When users access these servers to obtain services,
carriers can perform differentiated rate limit, scheduling, and accounting on
the services.

1.1.2.1.2 Understanding DAA

Basic Concepts of DAA


Destination address accounting (DAA) is performed at different tariff levels
defined based on different destination addresses of user access traffic. DAA also
provides rate limit.

Figure 1-5 shows the DAA service process.

Figure 1-5 DAA usage scenario


1. The user sends a login request to the BRAS. The BRAS sends a user
authentication request to the AAA server. The AAA server returns a user
authentication success message to the BRAS.
2. The BRAS reports the user's information to the RADIUS server over RADIUS,
and the RADIUS server delivers a DAA service policy to the BRAS over RADIUS.
The BRAS converts the policy information, delivers the information to an
interface board, and generates a service.
3. When the user accesses a network, the BRAS uses an ACL to match the
destination address accessed by the user, and performs independent rate limit
and accounting for traffic to the local network and Internet.
4. The BRAS sends an accounting stop request packet for basic services to the
AAA server. The server uses the DAA service policy in the packet to identify
services and provides rate limit.

DAA Service Matching Process


As shown in Figure 1-6, user A and user B need to access the internal and
external networks, respectively. After the users are successfully authenticated and
start to access the networks, the BRAS identifies user traffic based on the ACL
rules. When the users access different networks, the BRAS matches the user
groups and destination addresses with the ACL rules in the configured DAA service
policy, and uses DAA services for differentiated management.

Figure 1-6 DAA service matching process

DAA Service Policy


A DAA service policy contains the following:
● DAA ACL
Packets can be matched based on the source/destination IP address, source/
destination service group, source/destination user group, source/destination
port number, and protocol type. Configure a rule for a created user ACL so
that the ACL rules can be applied to match packets.
As shown in Figure 1-7, when the users access different networks, the BRAS
matches the user groups and destination addresses with the access control list
(ACL) rules in the configured DAA traffic policy.


Figure 1-7 DAA traffic policy

● Accounting mode
The accounting mode determines the type of a server that the BRAS uses for
accounting. Default accounting, none accounting, and RADIUS accounting can
be adopted for the value-added services.
● QoS profile
A QoS profile can be used to associate QoS with DAA for traffic policing and
rate control. As shown in Figure 1-8, the tariff level maps to the QoS priority,
and the priority is used for scheduling.

Figure 1-8 Default tariff level and QoS priority mapping

● DAA Traffic Policy
As shown in Figure 1-9, a DAA service policy can work with a DAA traffic
policy, which is actually a specific application of a QoS traffic policy. A DAA
traffic policy consists of a traffic classifier and traffic behavior, and a traffic
classifier establishes a matching relationship with an ACL rule.


Figure 1-9 DAA traffic policy

As shown in Figure 1-10, the BRAS obtains the quality of service (QoS) profile
for the tariff level using the DAA service policy template. Then it uses the QoS
profile to obtain CAR parameters and the mapping between tariff levels and
flow queues (FQs). Based on the CAR parameters and the mapping between
tariff levels and FQs, the BRAS performs rate limit and priority scheduling on
the DAA service flows and gathers traffic statistics.

Figure 1-10 DAA service mapping tariff level implementation

DAA Service Accounting

Basic Concepts
Each type of service can correspond to one tariff level, implementing service-based
refined operation functions and meeting requirements for settlement between
local network carriers and Internet toll network carriers and for value-added
services.

DAA Service Activation and Deactivation


DAA service activation can be implemented using any of the following methods:
binding a DAA policy template to a domain, delivering RADIUS packets, and
delivering Diameter packets. The RADIUS protocol supports static activation only.
That is, RADIUS authentication reply packets carry the DAA service template
name. The Diameter protocol supports the sending of CCR-I packets upon user
access to activate services or the sending of RAR packets after user access to
dynamically activate services.
The DAA service activation process is as follows:
1. The BRAS installs services and delivers service forwarding entries.
2. The BRAS initiates service accounting start requests.
DAA service deactivation involves the following scenarios:
● Service deactivation when a user goes offline: All DAA services of the user are
automatically stopped when a user goes offline.
● Dynamic service deactivation: The RADIUS server uses a DM message to
delete the DAA service policy.
● Service deactivation after quota exhaustion: After the service duration or
traffic volume quota is exhausted, zero quotas are delivered or the service can
be configured to go offline.
The process for the RADIUS server to use a DM message to delete a DAA
service policy is as follows:
1. The RADIUS server sends a DAA service policy deletion message to the BRAS.
2. The BRAS sends the RADIUS server a response message indicating that the
DAA service policy is deleted.
3. The BRAS sends an accounting stop request to the RADIUS server.
4. The RADIUS server sends an accounting stop response to the BRAS.

Uniform accounting and Non-uniform accounting


When uniform accounting is used for DAA services, all service accounting packets
are sent for the last service of a user, and all services' traffic is counted together.
When non-uniform accounting is used for DAA services, a service accounting
packet is separately sent for each service of a user, and all services' traffic is
independently counted.

Statistical Mode
User and service traffic supports the following statistical modes:
● Statistics separation: DAA service traffic is not counted into user traffic.
● Statistics unseparation: DAA service traffic is counted into user traffic.
The following rate limit modes are supported:
● Rate limit separation: DAA service traffic is unlimited by the user bandwidth.
● Rate limit unseparation: DAA service traffic is limited by the user bandwidth.
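
The following Python sketch is an added illustration, not Huawei code and not the device's algorithm: it models how the same traffic produces different accounting records under uniform and non-uniform accounting, and how statistics separation changes the user counter. The prefixes, byte counts, record names and the most-specific-prefix matching rule are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: destination prefix -> tariff level.
TARIFF_MAP = {
    "192.0.2.0/24": 1,
    "198.51.100.0/24": 2,
    "198.51.100.128/25": 3,
}
# Constructed sample flows of one user: (destination address, bytes).
FLOWS = [
    ("192.0.2.10", 1000),
    ("198.51.100.5", 2000),
    ("198.51.100.200", 500),
    ("203.0.113.9", 4000),   # matches no DAA prefix: basic user traffic
]


def classify(dst, tariff_map):
    """Return the tariff level of the most specific matching prefix, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, level in tariff_map.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, level)
    return best[1] if best else None


def account(flows, tariff_map, uniform, separate_stats):
    """Aggregate flows into a user counter and DAA service records.

    uniform=True         -> one record, all DAA services counted together
    uniform=False        -> one record per tariff level
    separate_stats=True  -> DAA traffic is not counted into user traffic
    separate_stats=False -> DAA traffic is also counted into user traffic
    """
    per_level = defaultdict(int)
    user_bytes = 0
    for dst, nbytes in flows:
        level = classify(dst, tariff_map)
        if level is None:
            user_bytes += nbytes
            continue
        per_level[level] += nbytes
        if not separate_stats:
            user_bytes += nbytes
    if uniform:
        total = sum(per_level.values())
        records = [{"service": "all-daa", "bytes": total}] if per_level else []
    else:
        records = [{"service": f"tariff-{lvl}", "bytes": count}
                   for lvl, count in sorted(per_level.items())]
    return {"user_bytes": user_bytes, "service_records": records}


if __name__ == "__main__":
    print(account(FLOWS, TARIFF_MAP, uniform=False, separate_stats=True))
    print(account(FLOWS, TARIFF_MAP, uniform=True, separate_stats=False))
```
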

Account Type
Default accounting, none accounting, and RADIUS accounting can be adopted for
the value-added services.
Default Accounting
● If the RADIUS server delivers the value-added service policy, the system
searches for the local value-added policy matching the policy name delivered
by the RADIUS server, and then performs accounting according to the
accounting scheme configured in the local value-added service policy.
● If a value-added service policy is bound to the domain, all users in the domain
use this policy as the default value-added service policy. When the service
policy is not sent by the policy server, the system performs accounting according
to the accounting scheme configured in the bound value-added service policy.
None Accounting
● The system does not perform accounting for the value-added service,
regardless of whether a value-added service policy is bound to the domain
and the accounting scheme configured in the value-added service policy.
RADIUS Accounting
● If radius is specified in the value-added-service account-type command,
RADIUS accounting is performed for the value-added service, regardless of
whether a value-added service policy is bound to the domain.

DAA service accounting process


Figure 1-11 shows the process of DAA service accounting.

Figure 1-11 DAA service accounting process

The DAA service accounting process is as follows:


● User Authentication
1. The user sends a login request to the BRAS. The BRAS sends a user
authentication request to the AAA server.
2. The AAA server returns a user authentication success message to the BRAS.
The message can carry a DAA service policy name. If the message does not
carry a service policy name, the BRAS implements policy control based on the
local configurations.
● Accounting start: After a service is activated and a forwarding channel is
established, accounting start is immediately triggered for the service.
1. After the user goes online, the BRAS initiates the basic service accounting
start process to the AAA server. The BRAS distinguishes destination addresses
based on the DAA service policy and performs bandwidth control for traffic.
2. The BRAS sends each DAA service's accounting start request packet to the
AAA server. The AAA server uses the DAA service policy in the packet to
identify services.
3. The AAA server generates service CDR files and sends the CDR files to the
billing system.
4. The billing system performs rating, charging, and settlement based on the
user name, service policy name, and preset tariff conversion relationship in
the CDR files.
● Real-time accounting: To ensure the timeliness and accuracy of user service
accounting, the BRAS can send service accounting packets to the RADIUS
server at a configurable interval. (If real-time accounting is required,
configure an accounting scheme with real-time accounting specified in a
service policy.)
● Accounting stop: After a service is deactivated and a forwarding channel is
deleted, accounting stop is immediately triggered for the service.
1. The user sends a logout request to the BRAS. The BRAS sends an accounting
stop request packet to the AAA server.
2. The AAA server sends an accounting stop response packet to the BRAS.
3. The BRAS sends an accounting stop request packet for basic services to the
AAA server.
4. The AAA server sends an accounting stop response packet for basic services to
the BRAS, and the user goes offline successfully.

DAA Service Policy Switching

If an online user uses a DAA service, a CoA message can be used to deliver a new
DAA service policy to adjust the DAA service's bandwidth. If a user goes online but
a DAA service is disabled, a CoA message cannot be delivered to activate a DAA
service. The RADIUS server can be used to switch a DAA service policy (uniform
and non-uniform accounting) and content (non-uniform accounting).

Dynamic DAA Service Policy Switching over RADIUS (Uniform Accounting)


As shown in Figure 1-12, a DAA service policy contains service 1 and service 2 and
is bound to a domain, and uniform accounting is used. After a user goes online,
the RADIUS server uses a CoA message to deliver Huawei No. 95 attribute carrying
a DAA service policy name. The service policy contains service 2 and service 3, and
uniform accounting is used.


Figure 1-12 Message exchange process

Dynamic DAA Service Policy Switching over RADIUS (Non-uniform Accounting)

As shown in Figure 1-13, a DAA service policy contains service 1 and service 2 and
is bound to a domain, and non-uniform accounting is used. After a user goes
online, the RADIUS server uses a CoA message to deliver Huawei No. 95 attribute
carrying a DAA service policy name. The service policy contains service 1, and non-
uniform accounting is used. Only a subset can be switched for a DAA service policy
in non-uniform accounting mode.


Figure 1-13 Message exchange process

DAA Service Quota Management

DAA services support a duration quota, a traffic volume quota, or a combination
of duration and traffic volume quotas. If both duration and traffic volume quotas
are delivered, they take effect together. An action is triggered if either of the
quotas is exhausted. When the RADIUS server delivers a new quota, DAA services
use the new quota; when the RADIUS server delivers zero quotas, DAA services go
offline; when the RADIUS server does not deliver a quota, the BRAS determines
whether to log out DAA services based on the configuration. By default, DAA
services remain online.
After a user goes online, the RADIUS server uses a CoA message to deliver Huawei
No. 95 attribute carrying a DAA service policy name. The standard No. 27 attribute
is used to deliver a duration quota, and Huawei No. 15 attribute is used to deliver
a traffic volume quota.
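
The sketch below is an added example, not Huawei's implementation: it shows how a receiver can authenticate a CoA-Request with the RFC 5176 Request Authenticator before accepting the policy name (Huawei No. 95), duration quota (standard No. 27) and traffic volume quota (Huawei No. 15) it carries. The Huawei vendor ID 2011 is the IANA enterprise number; the 4-byte integer encoding of both quotas, the shared secret, the policy name and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 CoA-Request code
SESSION_TIMEOUT = 27      # standard No. 27: duration quota
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific container
HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number
HW_POLICY_NAME = 95       # Huawei No. 95: DAA service policy name
HW_VOLUME_QUOTA = 15      # Huawei No. 15: traffic volume quota


def _tlv(attr_type, value):
    """Encode one attribute; the length octet covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _huawei_vsa(sub_type, value):
    return _tlv(VENDOR_SPECIFIC,
                struct.pack("!I", HUAWEI_VENDOR_ID) + _tlv(sub_type, value))


def _authenticator(header, attrs, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attrs + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa_request(identifier, secret, policy, duration=None, volume=None):
    """Build a constructed CoA-Request so the parser has input to check."""
    attrs = _huawei_vsa(HW_POLICY_NAME, policy.encode())
    if duration is not None:
        attrs += _tlv(SESSION_TIMEOUT, struct.pack("!I", duration))
    if volume is not None:
        attrs += _huawei_vsa(HW_VOLUME_QUOTA, struct.pack("!I", volume))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs


def _iter_tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or malformed attributes."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len


def _u32(value):
    if len(value) != 4:
        raise ValueError("quota attribute is not a 4-byte integer")
    return struct.unpack("!I", value)[0]


def parse_coa_request(packet, secret):
    """Verify the Request Authenticator, then extract policy name and quotas."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]              # octets past Length are padding
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    result = {"identifier": identifier, "policy": None,
              "duration_quota": None, "volume_quota": None}
    for a_type, value in _iter_tlvs(packet[20:]):
        if a_type == SESSION_TIMEOUT:
            result["duration_quota"] = _u32(value)
        elif a_type == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("truncated Vendor-Specific attribute")
            if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
                continue                  # another vendor's attribute
            for sub_type, sub_value in _iter_tlvs(value[4:]):
                if sub_type == HW_POLICY_NAME:
                    result["policy"] = sub_value.decode("utf-8", "replace")
                elif sub_type == HW_VOLUME_QUOTA:
                    result["volume_quota"] = _u32(sub_value)
    return result


if __name__ == "__main__":
    secret = b"constructed-secret"        # constructed value for the demo
    pkt = build_coa_request(7, secret, "daa-gold", duration=3600, volume=1048576)
    print(parse_coa_request(pkt, secret))
```

The Request Authenticator only proves knowledge of the shared secret. RFC 5176 additionally describes the Event-Timestamp attribute for replay protection, which this sketch does not check.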
After a DAA service goes online successfully, the process for quota exhaustion is as
follows:
● A new quota is delivered after quota exhaustion.
a. When a user's quota is exhausted, the BRAS sends a real-time accounting
request to the RADIUS server.
b. The RADIUS server delivers a new quota to the BRAS, and the user
continues to use the new quota.
● Zero quotas are delivered after quota exhaustion.
a. When a user's quota is exhausted, the BRAS sends a real-time accounting
request to the RADIUS server.
b. The RADIUS server delivers zero quotas to the BRAS.
c. In uniform accounting mode, when the service goes offline, the BRAS
sends an accounting stop request to the RADIUS server. In non-uniform
accounting mode, when the user bandwidth parameter is updated to 0,
traffic fails to be forwarded.
d. In uniform accounting mode, the RADIUS server sends an accounting stop
response to the BRAS.
● In uniform accounting mode, no quota is delivered after quota exhaustion.
a. When a user's quota is exhausted, the BRAS sends a real-time accounting
request to the RADIUS server.
b. The RADIUS server does not deliver a quota, and the BRAS determines
whether to log out the service based on the configuration. By default, the
service remains online.
c. In uniform accounting mode, if the service is configured to go offline, the
BRAS sends an accounting stop request to the RADIUS server. In non-
uniform accounting mode, when the user bandwidth parameter is
updated to 0 through a configuration, traffic fails to be forwarded.
d. In uniform accounting mode, the RADIUS server sends an accounting stop
response to the BRAS.

1.1.2.1.3 Application Scenarios for DAA

Typical Usage Scenarios of DAA

Destination address accounting (DAA) is performed at different tariff levels
defined based on different destination addresses of user access traffic. DAA
resolves issues involved in the following scenarios.

Separate Operation for Local and Toll Networks


In a region where a toll network and a local network are separately deployed, the
local carrier must rent the toll network carrier's expensive egress link for
connecting to the Internet and pay the toll network carrier for expensive Internet
traffic. Internet traffic and intranet traffic have large cost differences. Therefore,
the local carrier needs to distinguish between Internet traffic and intranet traffic
and perform accounting based on different tariff levels to ensure revenues.
When a user visits networks 1 to 3 shown in Figure 1-14, accounting based on
volume and time is performed for traffic over the three networks. Three DAA
services are planned for the three networks, and accounting is independently
performed for each service.


Figure 1-14 Accounting based on destination addresses

PUPP Mode
In the per user per policy (PUPP) traffic management mode, a policy is specified
for each user. Either the same policy or different policies can be specified for
different users.
As shown in Figure 1-15, multiple users in an enterprise access the network over
a Layer 2 or Layer 3 leased line. All the users in the enterprise are on the same
VPN. Applying a traffic policy for each user allows access control between
different users in the enterprise.

Figure 1-15 PUPP networking

1.1.2.1.4 Terminology for DAA


Acronyms and Abbreviations


Acronym and Abbreviation    Full Name

DAA                         Destination Address Accounting
BRAS                        broadband remote access server
CoA                         Change-of-Authorization
RADIUS                      Remote Authentication Dial in User Service
ACL                         Access Control List

1.1.2.2 DAA Configuration


NOTE

In VS mode, this feature is supported only by the admin VS.

1.1.2.2.1 Overview of DAA

Definition
Destination address accounting (DAA) implements differentiated accounting, rate
limit, and priority scheduling based on traffic destination addresses.

Purpose
DAA is performed at different tariff levels that are defined based on different
destination addresses of user access traffic. The functions implemented in carriers'
broadband operation are as follows:

● Service types are distinguished based on destination addresses to implement
statistics for traffic of different service types.
● Each type of service can correspond to one tariff level, implementing service-
based refined operation functions and meeting requirements for settlement
between local network carriers and Internet toll network carriers and for
value-added services.
● Different bandwidth control is performed for different destination addresses.
Flexible combinations of packages can be launched to meet service
bandwidth requirements of different levels of users, which helps carriers
segment markets and use limited network bandwidth resources to provide
differentiated operations and services.
● Access users can log in to the portal and purchase, activate, or deactivate DAA
policies as required, reducing carriers' O&M costs.
● An open architecture and standard interfaces are used to implement flexible
interworking with systems, such as the AAA server, billing system, and policy
server.


Benefits
DAA offers the following benefits to carriers:

● Carriers can use DAA to distinguish between Internet traffic and intranet
traffic and perform accounting based on different tariff levels, ensuring
operation revenues.
● Carriers can identify services based on the network segments of servers
storing the services. When users access these servers to obtain services,
carriers can perform differentiated rate limit, scheduling, and accounting on
the services.

1.1.2.2.2 Feature Requirements for DAA

1.1.2.2.3 Summary of DAA Configuration Tasks

DAA Deployment on a New Network


The roadmap for deploying DAA on a new network is as follows:

1. Build a network environment.
– Ensure that authorized users can access the network regardless of which
authentication or accounting mode is used.
– Plan an AAA domain and a user group and ensure that they can
distinguish various service types and accommodate users of the
corresponding service types.
2. Deploy DAA services on a BRAS.
a. Plan and configure basic items, such as interfaces and routes.
b. Plan an AAA domain, and configure an authentication mode, an
accounting mode, a RADIUS server group, and an address pool for the
AAA domain.
c. Plan user groups.
d. Configure DAA.

DAA Deployment on an Existing Network


The DAA networking mode is similar to a general AAA networking mode. The
following points must be noted:

● Check whether the used AAA server type is available for the DAA function on
a BRAS and whether a device functions as a policy server.
● Check whether the configured AAA domain and user group are consistent
with DAA deployment objectives. If they are inconsistent, reconfigure an AAA
domain and a user group and ensure that the reconfiguration does not affect
user services or AAA procedures.
● Do not configure both DAA and behavior aggregate (BA) classification
because they are mutually exclusive.


1.1.2.2.4 Configuring DAA


Before configuring DAA, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the data required for the configuration.

Usage Scenario
Typical DAA usage scenarios are as follows:
● In some regions, small local carriers need to rent backbone carriers' lines to
provide Internet access services to users. The local carriers also need to pay
the backbone carriers for traffic over the backbone networks. Low fees are
charged for traffic over a local network, whereas high fees are charged for
traffic over a backbone network. To increase revenues, local carriers need a
solution that can distinguish the two types of traffic and perform accounting
based on tariff levels. DAA meets this requirement and is capable of
performing differentiated accounting on traffic over both local and backbone
networks.
● When campus users access a campus network, the carrier does not charge
any fees or charges low fees, and the carrier does not limit their access rates.
However, when campus users access an external network, the carrier charges
high fees and limits their access rates. DAA is capable of performing
differentiated accounting and rate limit on traffic over the campus and
external networks, increasing carrier revenues.
● Many Internet services, such as gaming, File Transfer Protocol (FTP), video on
demand (VOD), and news services, have different costs and bandwidth
requirements. Carriers need to perform differentiated accounting and rate
limit on different services. When network congestion occurs, the quality of the
services is guaranteed based on their priorities. For example, if the priority of
gaming services is higher than that of news services, the quality of the
gaming services is preferentially guaranteed during network congestion. DAA
can also meet this requirement. Carriers deploy various services on different
servers. When users access these servers, DAA distinguishes services based on
the network segments on which the servers reside and performs differentiated
accounting, rate limit, and priority scheduling.

Pre-configuration Tasks
Before configuring DAA, complete the following tasks:

● Run the license active command to load the BRAS and DAA licenses.
● Configure an authentication scheme, an accounting scheme, and a RADIUS
server group for a DAA service policy (for details, see AAA and User
Management Configuration (Access Users)).
● Configure an address pool (for details, see Configuring an IPv4 Address Pool
and an Address Pool Group).
● Configure a domain and bind the authentication scheme, accounting scheme,
address pool, and RADIUS server group to the domain (for details, see
Configuring a Domain).
● Configure a BAS interface (for details, see IPoE Access Configuration and
PPPoE Access Configuration).


Enabling the Value-added Service Function


A value-added service can be configured only after the value-added service
function is enabled.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run value-added-service enable
The value-added service function is enabled globally.
Step 3 Run commit
The configuration is committed.

----End

Configuring the Policy Server


This section describes the methods and procedures for configuring the policy
server.

Context
If a value-added service policy is delivered over RADIUS, you must configure a
RADIUS server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M.
For details about the configuration, see Configuring a Device as a RADIUS Client.
If a value-added service policy is delivered over Diameter, you must configure a
Diameter server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000
M. For details about the configuration, see Configuring a Diameter Server.

Configuring an Accounting Mode for Value-added Services


Carriers can configure differentiated services and tariff policies for different users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run accounting-scheme acct-scheme-name
An accounting scheme is created.
Step 4 Run accounting interim interval interval [ second ] [ traffic ] [ hash ]
An interval for real-time accounting and conditions for sending real-time
accounting packets are configured, and real-time accounting packets are hashed
for the accounting scheme.
Step 5 Run quit
Return to the AAA view.
Step 6 Run domain domain-name
The domain view is displayed.
Step 7 Run value-added-service account-type { none | radius radius-server | default }
An accounting mode is configured for value-added services.

NOTE

The accounting mode can be default accounting, non-accounting, or RADIUS accounting.

Step 8 Run commit
The configuration is committed.

----End

Configuring a DAA Service Policy


This section describes how to configure a DAA service policy.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Configure a DAA traffic policy and globally apply it.
1. Run the acl { name ucl-acl-name [ ucl | [ ucl ] number ucl-acl-number ] |
[ number ] ucl-acl-number } [ match-order { auto | config } ] command to
create an ACL and enter the ACL view.
2. Run the corresponding command to create an ACL rule based on the protocol
type.


Table 1-1 Creating an ACL rule


Protocol Type: TCP
Command: rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | syn-flag { syn-flag [ mask mask-value ] | { bit-match { established | fin | syn | rst | psh | ack | urg | ece | crw | ns } } } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | vlan vlan-id | inner-vlan cvlan-id ] *

Protocol Type: UDP
Command: rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | vlan vlan-id | inner-vlan cvlan-id ] *

Protocol Type: ICMP
Command: rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | icmp-type { icmp-name | icmp-type icmp-code } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | vlan vlan-id | inner-vlan cvlan-id ] *

Protocol Type: Other protocols
Command: rule [ rule-id ] [ name rule-name ] { deny | permit } { zero | protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | vlan vlan-id | inner-vlan cvlan-id ] *

3. Run the commit command to commit the configuration.
4. Run the quit command to return to the system view.
5. (Optional) Run the acl ipv6 number ucl-acl6-number [ match-order { auto |
config } ] command to create an ACL6 and enter its view.
6. (Optional) Run the corresponding command to create an ACL6 rule based on
the protocol type.

Table 1-2 Creating an ACL6 rule


Protocol Type: TCP
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } source-pool source-pool-name } | source-port operator port | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

Protocol Type: UDP
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

Protocol Type: ICMPv6
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

Protocol Type: Other protocols
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 | protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43 | ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-destination } [ option-code option-value ] | 61-255 } [ destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | time-range time-name | [ dscp dscp | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

7. (Optional) Run the commit command to commit the configuration.
8. (Optional) Run the quit command to return to the system view.
Step 3 Configure a traffic classifier.
1. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is configured and the traffic classifier view is displayed.
2. Run if-match [ ipv6 ] acl { acl-number | name acl-name }
The traffic classifier references a specified ACL or ACL6.
3. Run commit
The configuration is committed.
4. Run quit
Return to the system view.
Step 4 Configure a traffic behavior.
1. Run traffic behavior behavior-name
A traffic behavior is configured and the traffic behavior view is displayed.
2. Run the tariff-level tariff-level command to configure a DAA tariff level.
3. Run the car command to configure DAA traffic policing for the traffic
behavior.
4. Run the traffic-statistic command to enable traffic statistics collection for
DAA services.
5. Run the commit command to commit the configuration.
6. Run the quit command to return to the system view.
Step 5 Define a DAA traffic policy.
1. Run the traffic policy policy-name command to configure a DAA traffic policy
and enter its view.
2. Run the classifier classifier-name behavior behavior-name [ precedence
precedence-value ] command to specify a traffic behavior for the traffic
classifier in the DAA traffic policy. classifier-name and behavior-name specify
the configured traffic classifier and traffic behavior, respectively.
3. Run the commit command to commit the configuration.
4. Run the quit command to return to the system view.
5. Run the accounting-service-policy policy-name command to globally apply
the DAA traffic policy.
Step 6 Configure a DAA service policy.

Table 1-3 Procedure for configuring a DAA service policy

Objective: Create a DAA service policy and enter the DAA service policy view.
Task: Run the value-added-service policy service-policy-name daa command.
Description: Mandatory. Creating a DAA service policy and entering its view are the prerequisites for performing the following operations.

Objective: Configure an accounting scheme for the DAA service policy
Task: Run the accounting-scheme accounting-scheme-name command.
Description: Mandatory. After an accounting scheme template is referenced by a value-added service policy template, the service uses the accounting scheme in the accounting scheme template. An accounting scheme can be configured either in a domain or in a DAA service policy template. The priority of an accounting scheme configured in a DAA service policy template is higher than that configured in a domain.

Objective: Enable uniform accounting for DAA services.
Task: Run the accounting-together enable command.
Description: Optional. When users access network services with different bandwidth requirements, such as gaming, FTP, and VoD services, these network services are planned as different DAA services for rate limiting. Configure uniform accounting so that the device interacts with the accounting server to implement traffic reporting and service quota management.

Objective: In non-uniform accounting mode, if the monitoring key delivered by the Diameter server is in string format, configure the mapping between the tariff level and the monitoring key in string format for DAA services.
Task: Run the tariff-level level monitor-key string monitor-key-string command.
Description: Optional. In non-uniform accounting mode, different quotas are delivered for DAA services at different tariff levels. Therefore, different monitor keys must be configured for such services. Before running this command, run the diameter monitor-key parse-mode string command in the system view to set the parsing mode of the Diameter monitor key to string.

Objective: In uniform accounting mode, if the monitor key delivered by the Diameter server is in string format, configure a monitor key for the DAA service policy.
Task: Run the diameter monitor-key string monitor-key-string command.
Description: Optional. In uniform accounting mode, accounting is performed for DAA services at different tariff levels in a uniform manner. As such, only one monitor key needs to be configured so that the corresponding quota takes effect. Before running this command, run the diameter monitor-key parse-mode string command in the system view to set the parsing mode of the Diameter monitor key to string.

Objective: Configure the QoS resource type requested by downstream DAA services.
Task: Run the rate-limit-mode command.
Description: Optional. If CAR is performed on DAA service traffic and then the traffic is re-marked with different priorities, the traffic enters the subscriber queue (SQ) for scheduling. When an eTM subcard is used, you need to run the rate-limit-mode car outbound command to set the QoS rate limiting mode to CAR for downstream DAA services.

Objective: Configure DAA user traffic to match a DAA service policy.
Task: Run the accounting-service-policy { inbound | outbound } { auto | disable | enable } command.
Description: Optional. To implement refined control on DAA services and save QoS resources, for example, to enable only downstream service matching for users, run the accounting-service-policy inbound disable command in a DAA service policy to disable upstream service matching for DAA users who use this service policy. This prevents DAA users from applying for upstream QoS resources.

Objective: Enable rate limit separation for DAA services.
Task: Run the traffic-separate enable command.
Description: Optional. After rate limit separation is enabled for DAA services in a DAA service policy template, the service traffic bandwidth of DAA users using this template is no longer limited by the user bandwidth.

Objective: Enable DAA service traffic to be counted into user traffic.
Task: Run the user accounting-together enable command.
Description: Optional. You can run this command to count DAA user service traffic into user traffic.

Objective: Configure separate traffic statistics collection for dual-stack DAA users based on user queues.
Task: Run the user accounting dual-stack separate user-queue command.
Description: Optional. When CAR-based rate limiting is performed for DAA services and SQs are configured to limit user rates, statistics based on count IDs are not performed for traffic after CAR-based rate limiting if the traffic-separate enable command is run to configure DAA service separation. In this situation, separate traffic statistics are collected for dual-stack DAA users. As a result, user service traffic cannot be counted into DAA service traffic. To collect separate traffic statistics for dual-stack DAA users based on user queues, run the user accounting dual-stack separate user-queue command.

Objective: Configure the accounting status or IP type for a specified DAA tariff level.
Task: Run the tariff-level-cfg level { accounting off | ip-type ipv6 } command.
Description: Optional. DAA service traffic statistics are collected and reported based on the IP type configured for each level, which is irrelevant to the traffic type that actually matches the specific level. Therefore, when deploying dual-stack DAA services, you need to ensure that the ACL type of each service is consistent with the IP type configured for the DAA tariff level to prevent IPv4 and IPv6 traffic from matching the same level.

Objective: Configure a tariff level and a QoS profile for DAA services
Task: Run the tariff-level level qos-profile qos-profile-name command.
Description: Mandatory. To limit the rate of DAA users based on parameters in the QoS profile corresponding to a DAA tariff level, run this command.

Objective: Configure the user group to be bound to a service policy.
Task: Run the user-group user-group-name command.
Description: Mandatory. Reference an ACL user group to the value-added service template.
NOTE
● You can configure a user group using any of the following methods:
– Configure a user group in a domain.
– Configure a user group using a DAA service policy template.
– Deliver a user group through the RADIUS server.
The user group configured using a DAA service policy template has the highest priority,
followed by the one delivered by the RADIUS server, and then the one configured in a
domain.
● The DAA service tariff level used by users must be the same as the DAA ACL tariff level
planned for the user group to which the users belong.

Step 7 Run the quit command to return to the system view.


Step 8 (Optional) Run the radius-server coa-request hw-policy-name daa same-policy
reply-ack command to enable the device to respond with an ACK message when
the RADIUS server delivers the same DAA service policy as that in the domain
using the HW-Policy-Name (26-95) attribute in a CoA message in uniform
accounting scenarios.
NOTE

This command can take effect only after the accounting-together enable command is run.

Step 9 (Optional) Run the radius-server coa-request hw-policy-name daa coexist-with-user
command to allow both the HW-Policy-Name (26-95) attribute (DAA value-added
service attribute) and other user attributes in a CoA message to take effect at
the same time.

Step 10 (Optional) Run the value-added-service tariff-queue-mapping { [ cs7 ] | [ cs6 ] |
[ ef ] | [ af4 ] | [ af3 ] | [ af1 ] | [ be ] | [ af2 ] } #8-8 command to configure the
mapping between DAA tariff levels and flow queues.

Step 11 (Optional) Run the value-added-service quota-out { online | offline } command
to configure a policy for the scenario where the real-time accounting response
packet sent after the DAA accounting service quota is exhausted does not carry a
new quota.

Step 12 Run the commit command to commit the configuration.

----End

Applying a Value-added Service Policy to a Domain


If a policy server does not deliver any service policy, the service policy configured
in a domain is used.

Context
After a value-added service policy is applied to a domain, all users in the domain
use this policy as the default value-added service policy. The service policy sent by
a policy server takes precedence over the service policy configured in a domain.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The AAA domain view is displayed.

Step 4 Run value-added-service policy service-policy-name

A value-added service policy is bound to the domain.

Step 5 (Optional) Run accounting-service-policy { inbound | outbound } { disable | enable }

The device is enabled to determine whether to match the upstream or
downstream traffic of users that go online through an AAA domain against DAA
services.

----End
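
How a delivered HW-Policy-Name (26-95) interacts with the policy bound to the domain, as an added Python example that is not Huawei code: it decodes the Vendor-Specific attribute from a RADIUS attribute block and applies the precedence rule stated in the Context above. The attribute bytes are constructed, the value is assumed to be carried as text, and all function names are hypothetical.

```python
import struct

HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type
HW_POLICY_NAME = 95       # sub-attribute number from "HW-Policy-Name (26-95)"


def encode_attr(atype, value):
    """Encode one type-length-value attribute (length covers the 2-byte header)."""
    return bytes([atype, 2 + len(value)]) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in a Vendor-Specific attribute."""
    return encode_attr(VENDOR_SPECIFIC,
                       struct.pack("!I", vendor_id) + encode_attr(vendor_type, value))


def iter_attributes(blob):
    """Yield (type, value) for each attribute, rejecting malformed lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} at offset {pos}")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def delivered_policy(blob):
    """Return the HW-Policy-Name carried in the attributes, or None."""
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue  # same sub-type number under another vendor is unrelated
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == HW_POLICY_NAME:
                return vvalue.decode("utf-8")  # assumption: text value
    return None


def effective_policy(domain_policy, blob):
    """The policy sent by the server wins; otherwise the domain's policy applies."""
    return delivered_policy(blob) or domain_policy


# Constructed sample: User-Name, a VSA from a different vendor id that reuses
# sub-type 95, and the Huawei VSA carrying the policy name.
SAMPLE_ATTRS = (
    encode_attr(1, b"user1@isp1")
    + encode_vsa(9, 95, b"not-huawei")
    + encode_vsa(HUAWEI_VENDOR_ID, HW_POLICY_NAME, b"vp-daa")
)
```
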

Binding a Policy Server to a Domain


Bind a policy server to a domain so that users are authenticated and accounted by
the server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The AAA domain view is displayed.

Step 4 Run radius-server group groupname

A RADIUS server group is bound to the domain.

Step 5 Run user-group group-name

A user group is bound to the domain.

NOTE

● You can configure a user group using any of the following methods:
– Configure a user group in a domain.
– Configure a user group using a DAA service policy template.
– Deliver a user group through the RADIUS server.
The user group configured using a DAA service policy template has the highest priority,
followed by the one delivered by the RADIUS server, and then the one configured in a
domain.
● The DAA service tariff level used by users must be the same as the DAA ACL tariff level
planned for the user group to which the users belong.

Step 6 Run billing-server type { 1 | 2 }

An accounting server type is configured.

----End

Applying a DAA Service Policy to a BAS Interface


Applying a DAA service policy to a BAS interface allows access control between
users in an enterprise as well as policy sharing between users in different
enterprises.

Context
When enterprise users access the router over a Layer 3 leased line, each enterprise
belongs to a VPN. You can apply a DAA service policy to a BAS interface to allow
access control between users in an enterprise as well as policy sharing between
users in different enterprises. When Layer 2 or Layer 3 leased line users are not
authenticated, applying a DAA service policy to a BAS interface is also required to
allow access control between Layer 2 or Layer 3 leased line users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Run access-type layer2-leased-line user-name uname password { cipher
password | simple password } [ bas-interface-name bname | default-domain
authentication dname | accounting-copy radius-server rd-name | nas-port-type
{ async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs |
hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl |
cable | wireless-other | 802.11 } ] * or access-type layer3-leased-line { user-
name uname | user-name-template } password { cipher password | simple
password } [ default-domain authentication dname | bas-interface-name
bname | accounting-copy radius-server rd-name | nas-port-type { async | sync |
isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 |
g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other
| 802.11 } | mac-address mac-address | client-id client-id ] *
The BAS interface is configured as a Layer 2 or Layer 3 leased line interface.
Step 5 Run value-added-service policy policy-name
A DAA service policy is applied to the BAS interface.
Step 6 Run quit
Return to the system view.
Step 7 Run commit
The configuration is committed.

----End

Configuring PUPP

Context
In per user per policy (PUPP) traffic management mode, a policy is specified for
each user. Either the same policy or different policies can be specified for different
users. When enterprise users access the router over a Layer 3 leased line, each
enterprise belongs to a VPN. You can apply a traffic policy to a BAS interface to
allow access control between users in the same enterprise. When Layer 2 or Layer
3 leased line users are not authenticated, applying a traffic policy to a BAS
interface is also required to allow access control between Layer 2 or Layer 3 leased
line users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Run access-type layer2-leased-line user-name uname password { cipher
password | simple password } [ bas-interface-name bname | default-domain
authentication dname | accounting-copy radius-server rd-name | nas-port-type
{ async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs |
hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl |
cable | wireless-other | 802.11 } ] * or access-type layer3-leased-line { user-
name uname | user-name-template } password { cipher password | simple
password } [ default-domain authentication dname | bas-interface-name
bname | accounting-copy radius-server rd-name | nas-port-type { async | sync |
isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 |
g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other
| 802.11 } | mac-address mac-address | client-id client-id ] *
The BAS interface is configured as a Layer 2 or Layer 3 leased line interface.
Step 5 Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the BAS interface.
Step 6 Run quit
Return to the system view.
Step 7 Run traffic behavior behavior-name
A traffic behavior is defined and the traffic behavior view is displayed.
Step 8 (Optional) Run match termination
ACL matching for low-priority traffic that matches the PUPP traffic policy is
terminated.
Step 9 Run quit
Return to the system view.
Step 10 Run commit
The configuration is committed.

----End

(Optional) Configuring Accounting Packet Merging for Value-added Services


To reduce the number of packets sent to a RADIUS accounting server, configure
accounting packet merging for value-added services.

Context
When a large number of users go online and each user applies for many value-
added services, a large number of accounting packets are generated. Due to the
limited processing capability of a RADIUS accounting server, the number of
accounting packets sent by a device to a RADIUS accounting server must be
reduced to relieve the pressure on the RADIUS accounting server.

Procedure
Step 1 Enable accounting packet merging for value-added services.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.
3. Run domain domain-name
The AAA domain view is displayed.
4. Run value-added-service accounting-merge { daa { start | stop | interim
interval interval [ hash ] } | edsg { stop | interim interval interval
[ hash ] } }
Accounting packet merging is enabled for value-added services.
5. Run commit
The configuration is committed.
Step 2 (Optional) Set the maximum length of a post-merging accounting packet for
value-added services.
1. Run system-view
The system view is displayed.
2. Run radius-server group group-name
The RADIUS server group view is displayed.
3. Run radius-server accounting-merge max-length length
The maximum length is set for a post-merging accounting packet for value-
added services.
4. Run commit
The configuration is committed.
Step 3 (Optional) Enable a post-merging accounting packet that fails to be sent for
value-added services to enter the accounting packet cache.
1. Run system-view
The system view is displayed.
2. Run value-added-service accounting-merge cache enable
A post-merging accounting packet that fails to be sent for value-added
services is enabled to enter the accounting packet cache.
3. Run commit
The configuration is committed.

----End

(Optional) Enabling the Device to Report Statistics About Dropped DAA Service
Traffic
You can enable the device to report statistics about dropped DAA service traffic.
This allows you to query information about users with such traffic.

Context
To query information about users with dropped DAA service traffic, enable the
device to report statistics about dropped DAA service traffic. The information can
be used to locate the device that dropped DAA service traffic.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run value-added-service daa report-dropped-flow enable
The device is enabled to report statistics about dropped DAA service traffic.

----End

Result
After the preceding configurations are complete, run the display value-added-
service user daa with-dropped-flow command to query information about users
with dropped DAA service traffic. Then run the display value-added-service user
user-id command to query the number of dropped upstream and downstream
DAA service packets.

Verifying the DAA Configuration


After configuring DAA, verify the DAA configuration.

Procedure
● Run the display value-added-service policy command to check information
about value-added service policies.
● Run the display value-added-service user command to check information
about all users using value-added services.
● Run the display value-added-service user user-id command to check
information about a specified user using value-added services.
----End

1.1.2.2.5 Configuration Examples for DAA

Example for Configuring a DAA Service


This section provides an example for configuring a DAA service.

Networking Requirements
On the network shown in Figure 1-16:
● The domain to which users belong is isp1, and the limited bandwidth is 20
Mbit/s.
● The accounting mode is RADIUS accounting; the user group to which the
users belong is isp1; tariff level 1 is used for the users who access the network
segment 192.168.100.0/24 and the limited bandwidth is 10 Mbit/s; tariff level
5 is used for the users who access the network segment 192.168.200.0/24 and
the limited bandwidth is 5 Mbit/s.
● The IP address and port number of the RADIUS authentication server are
10.10.10.2 and 1812, respectively. The IP address and port number of the
RADIUS accounting server are 10.10.10.2 and 1813, respectively. The default
values are used for other parameters.

Networking Diagram

Figure 1-16 DAA service networking


NOTE

In this example, interface1, interface2, subinterface3.1, and subinterface3.2 represent GE
0/1/1, GE 0/1/2, GE 0/1/0.1, and GE 0/1/0.2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA.
2. Configure an address pool.
3. Enable the value-added service function.
4. Configure a user group.
5. Configure a DAA traffic policy.
6. Configure QoS profiles.
7. Configure a DAA service policy.
8. Configure an AAA domain.
9. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:

● Authentication scheme name and authentication mode


● Accounting scheme name and accounting mode
● RADIUS server group name, and IP addresses and port numbers of the
RADIUS authentication and accounting servers
● Address pool name, gateway address, user group name, and IP addresses of
different network segments
● ACL rules and DAA traffic policy
● QoS profiles and DAA service policy
● Domain name
● Interface parameters

Configuration Procedure
1. Configure AAA.
# Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] quit

# Configure an accounting scheme.


[*HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] quit

# Configure a RADIUS server group.


[*HUAWEI] radius-server group group1
[*HUAWEI-radius-group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-group1] radius-server shared-key huawei
[*HUAWEI-radius-group1] commit
[~HUAWEI-radius-group1] quit

2. Configure an address pool.


[~HUAWEI] ip pool pool1 bas local
[~HUAWEI-ip-pool-pool1] gateway 172.16.100.1 24
[~HUAWEI-ip-pool-pool1] section 0 172.16.100.2 172.16.100.200
[~HUAWEI-ip-pool-pool1] quit

3. Enable the value-added service function.


[~HUAWEI] value-added-service enable
[*HUAWEI] commit

4. Configure a user group.


[~HUAWEI] user-group isp1

5. Configure a DAA traffic policy.


# Configure user ACL 6000.
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6000] rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group isp1
[*HUAWEI-acl-ucl-6000] quit

# Configure user ACL 6001.


[*HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6001] rule 15 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group isp1
[*HUAWEI-acl-ucl-6001] quit

# Configure a traffic classifier named tc1.


[*HUAWEI] traffic classifier tc1
[*HUAWEI-classifier-tc1] if-match acl 6000
[*HUAWEI-classifier-tc1] quit

# Configure a traffic classifier named tc2.


[*HUAWEI] traffic classifier tc2
[*HUAWEI-classifier-tc2] if-match acl 6001
[*HUAWEI-classifier-tc2] quit

# Configure a traffic behavior named tb1, and set an action for tariff level 1.
[*HUAWEI] traffic behavior tb1
[*HUAWEI-behavior-tb1] tariff-level 1
[*HUAWEI-behavior-tb1] car
[*HUAWEI-behavior-tb1] traffic-statistic
[*HUAWEI-behavior-tb1] quit

# Configure a traffic behavior named tb2, and set an action for tariff level 5.
[*HUAWEI] traffic behavior tb2
[*HUAWEI-behavior-tb2] tariff-level 5
[*HUAWEI-behavior-tb2] car
[*HUAWEI-behavior-tb2] traffic-statistic
[*HUAWEI-behavior-tb2] quit

# Configure a DAA traffic policy named traffic_policy_daa1, and associate
tc1 and tc2 with tb1 and tb2, respectively.
[*HUAWEI] traffic policy traffic_policy_daa1
[*HUAWEI-trafficpolicy-traffic_policy_daa1] classifier tc1 behavior tb1
[*HUAWEI-trafficpolicy-traffic_policy_daa1] classifier tc2 behavior tb2
[*HUAWEI-trafficpolicy-traffic_policy_daa1] quit

# Apply the DAA traffic policy globally.


[*HUAWEI] accounting-service-policy traffic_policy_daa1

6. Configure QoS profiles.


# Configure a QoS profile named qos-prof1.
[*HUAWEI] qos-profile qos-prof1
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 inbound
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 outbound
[*HUAWEI-qos-profile-qos-prof1] quit

# Configure a QoS profile named qos-prof2.
[*HUAWEI] qos-profile qos-prof2
[*HUAWEI-qos-profile-qos-prof2] car cir 10000 inbound
[*HUAWEI-qos-profile-qos-prof2] car cir 10000 outbound
[*HUAWEI-qos-profile-qos-prof2] quit

# Configure a QoS profile named qos-prof3.


[*HUAWEI] qos-profile qos-prof3
[*HUAWEI-qos-profile-qos-prof3] car cir 20000 inbound
[*HUAWEI-qos-profile-qos-prof3] car cir 20000 outbound
[*HUAWEI-qos-profile-qos-prof3] commit
[~HUAWEI-qos-profile-qos-prof3] quit

7. Configure a DAA service policy.


# Configure a DAA service policy named vp-daa, which is configured in a
domain from which users go online or carried in an authentication response
packet delivered by a RADIUS server.
[~HUAWEI] value-added-service policy vp-daa daa
[~HUAWEI-vas-policy-vp-daa] accounting-scheme acct1

# Configure QoS profiles for tariff levels.
[~HUAWEI-vas-policy-vp-daa] tariff-level 1 qos-profile qos-prof2
[~HUAWEI-vas-policy-vp-daa] tariff-level 5 qos-profile qos-prof1
[~HUAWEI-vas-policy-vp-daa] quit

NOTE

When priority scheduling based on tariff levels is enabled, the tariff levels configured here
must be consistent with those configured in step 5.
8. Configure an AAA domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group group1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] user-group isp1
[~HUAWEI-aaa-domain-isp1] value-added-service policy vp-daa
[~HUAWEI-aaa-domain-isp1] value-added-service account-type radius group1
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[~HUAWEI-aaa-domain-isp1] qos-profile qos-prof3 inbound
[~HUAWEI-aaa-domain-isp1] qos-profile qos-prof3 outbound
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

NOTE

If a RADIUS server is used to deliver a DAA service policy, you may not bind a DAA
service policy to a domain. The RADIUS server delivers a DAA service policy name
through the HW-Policy-Name (26-95) attribute carried in an authentication response
packet.
9. Configure interfaces.
# Create a virtual template (VT).
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit

# Configure a BAS interface.


[~HUAWEI] interface GigabitEthernet 0/1/2
[~HUAWEI-GigabitEthernet0/1/2] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2] commit
[~HUAWEI-GigabitEthernet0/1/2] bas
[~HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber default-domain authentication isp1
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit

# Configure upstream interfaces.


[~HUAWEI] interface GigabitEthernet 0/1/0.1
[~HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[~HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[~HUAWEI-GigabitEthernet0/1/0.1] quit
[~HUAWEI] interface GigabitEthernet 0/1/0.2
[~HUAWEI-GigabitEthernet0/1/0.2] vlan-type dot1q 2
[~HUAWEI-GigabitEthernet0/1/0.2] ip address 192.168.200.1 255.255.255.0
[~HUAWEI-GigabitEthernet0/1/0.2] quit

# Configure an interface for connecting to the RADIUS server.


[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0

10. Verify the configuration.


Run the display value-added-service policy command to check information
about value-added service policies.
<HUAWEI>display value-added-service policy
------------------------------------------------------------------
Index Service Policy Name Used Num Type User Num
------------------------------------------------------------------
0 vp-daa 1 DAA 1
------------------------------------------------------------------
Total 1,1 printed

Run the display value-added-service user command to check information
about all users using value-added services.
<HUAWEI> display value-added-service user daa
----------------------------------------------------------------
The used user id table are:
95
----------------------------------------------------------------
Total users:1

Run the display value-added-service user user-id command to check
information about a specified user using the DAA service.
<HUAWEI> display value-added-service user user-id 95 daa tariff-level 1
-------------------------------------------------------------------------
Daa user service table:
Service user id : 95
Service type : Default dsg
Service IP type : IPv4
Service policy : vp-daa
Account method : Radius
Account start time : 2017-04-07 08:14:36
Normal-server-group : --
Flow up packets(high,low) : (0,0)
Flow up bytes(high,low) : (0,0)
Flow down packets(high,low) : (0,0)
Flow down bytes(high,low) : (0,0)
IPV6 Flow up packets(high,low) : (0,0)
IPV6 Flow up bytes(high,low) : (0,0)
IPV6 Flow down packets(high,low) : (0,0)
IPV6 Flow down bytes(high,low) : (0,0)
Up committed information rate <kbps> : 10000
Up Peak information rate <kbps> : No limit
Up committed burst size <bytes> :-
Up Peak burst size <bytes> :-
Down committed information rate <kbps> : 10000
Down Peak information rate <kbps> : No limit
Down committed burst size <bytes> :-
Down Peak burst size <bytes> :-

Configuration Files
#
sysname HUAWEI
#
user-group isp1
#
value-added-service enable
#
qos-profile qos-prof3
 car cir 20000 cbs 1870000 green pass red discard inbound
 car cir 20000 cbs 1870000 green pass red discard outbound
qos-profile qos-prof2
 car cir 10000 cbs 1870000 green pass red discard inbound
 car cir 10000 cbs 1870000 green pass red discard outbound
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
 car cir 5000 cbs 935000 green pass red discard outbound
#
radius-server group group1
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
acl number 6000
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
 rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group isp1
#
acl number 6001
 rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
 rule 15 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group isp1
#
traffic classifier tc2 operator or
 if-match acl 6001
traffic classifier tc1 operator or
 if-match acl 6000
#
traffic behavior tb1
 tariff-level 1
 car
 traffic-statistic
traffic behavior tb2
 tariff-level 5
 car
 traffic-statistic
#
traffic policy traffic_policy_daa1
 share-mode
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2
#
ip pool pool1 bas local
 gateway 172.16.100.1 255.255.255.0
 section 0 172.16.100.2 172.16.100.200
#
dot1x-template 1
#
aaa
 authentication-scheme auth1
 #
 authorization-scheme default
 #
 accounting-scheme acct1
 #
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  ip-pool pool1
  value-added-service policy vp-daa
  radius-server group group1
  user-group isp1
  qos-profile qos-prof3 inbound
  qos-profile qos-prof3 outbound
#
value-added-service policy vp-daa daa
 accounting-scheme acct1
 user-group isp1
 tariff-level 1 qos-profile qos-prof2
 tariff-level 5 qos-profile qos-prof1
#
interface Virtual-Template1
 ppp authentication-mode auto
#
interface GigabitEthernet0/1/0.1
 vlan-type dot1q 1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/0.2
 vlan-type dot1q 2
 ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1/2
 pppoe-server bind Virtual-Template 1
 undo shutdown
 bas
 #
  access-type layer2-subscriber default-domain authentication isp1
 #
#
accounting-service-policy traffic_policy_daa1
#
return

Example for Configuring the PUPP Mode


This section provides an example for configuring the PUPP mode.

Networking Requirements
On the network shown in Figure 1-17, three users in an enterprise access the
Internet over a Layer 3 leased line. To implement access control between users in
the enterprise, configure a traffic policy on a BAS interface.

Figure 1-17 DAA networking


NOTE

Interface 1 in this example represents GE 0/1/1.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure advanced ACLs.
2. Configure traffic classifiers.
3. Configure traffic behaviors.
4. Configure traffic policies.
5. Configure a BAS interface.
6. Apply the traffic policies to the BAS interface.

Data Preparation
To complete the configuration, you need the following data:
● ACL numbers
● Traffic classifier names
● Traffic behavior names
● Traffic policy names

Procedure
Step 1 Configure advanced ACLs.
[~HUAWEI] acl number 3001
[*HUAWEI-acl-adv-3001] rule 1 permit ip source 10.11.11.1 0
[*HUAWEI-acl-adv-3001] rule 2 permit ip source 10.11.11.2 0
[*HUAWEI-acl-adv-3001] quit
[~HUAWEI] acl number 3002
[*HUAWEI-acl-adv-3002] rule 3 permit ip source 10.11.11.3 0
[*HUAWEI-acl-adv-3002] quit

Step 2 Configure traffic classifiers.
[*HUAWEI] traffic classifier tc1
[*HUAWEI-classifier-tc1] if-match acl 3001
[*HUAWEI-classifier-tc1] quit
[*HUAWEI] traffic classifier tc2
[*HUAWEI-classifier-tc2] if-match acl 3002
[*HUAWEI-classifier-tc2] quit

Step 3 Configure traffic behaviors.
[*HUAWEI] traffic behavior tb1
[*HUAWEI-behavior-tb1] permit
[*HUAWEI-behavior-tb1] match termination
[*HUAWEI-behavior-tb1] quit
[*HUAWEI] traffic behavior tb2
[*HUAWEI-behavior-tb2] permit
[*HUAWEI-behavior-tb2] match termination
[*HUAWEI-behavior-tb2] quit

Step 4 Configure traffic policies.
[*HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier tc1 behavior tb1
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] traffic policy p2
[*HUAWEI-trafficpolicy-p2] classifier tc2 behavior tb2
[*HUAWEI-trafficpolicy-p2] quit

Step 5 Configure a BAS interface.
[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] bas
[~HUAWEI-GigabitEthernet0/1/1-bas] access-type layer3-leased-line user-name sr-test-eth password cipher root_123 default-domain authentication enterprise_sr

Step 6 Apply the traffic policies to the BAS interface.
[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] bas
[*HUAWEI-GigabitEthernet0/1/1-bas] traffic-policy p1 inbound
[*HUAWEI-GigabitEthernet0/1/1-bas] traffic-policy p2 outbound
[*HUAWEI-GigabitEthernet0/1/1-bas] quit

Step 7 Verify the configuration.
Run the display access traffic-policy statistics command to check statistics about
the PUPP traffic policy.
<HUAWEI> display access traffic-policy statistics user-id 18496 inbound
--------------------------------------------------------------------------------
slot 9
--------------------------------------------------------------------------------
Policy name: p1
Classifier name: tc1
Acl 3001
rule 1 permit ip source 10.11.11.1 0
(00 packets, 00 bytes)

----End

Configuration Files
#
sysname HUAWEI
#
acl number 3001
rule 1 permit ip source 10.11.11.1 0
rule 2 permit ip source 10.11.11.2 0
#
acl number 3002
rule 3 permit ip source 10.11.11.3 0
#
traffic classifier tc1
if-match acl 3001
traffic classifier tc2
if-match acl 3002
#
traffic behavior tb1
permit
match termination
traffic behavior tb2
permit
match termination
#
traffic policy p1
classifier tc1 behavior tb1
#
traffic policy p2
classifier tc2 behavior tb2
#
interface GigabitEthernet0/1/1
bas
access-type layer3-leased-line user-name sr-test-eth password cipher %@%##!!!!!!!!!"!!!!"!!!!!!1];
16qfZ81fv"uMoKKZ.1k"`AO!X2K2N.b~'NB^V!!!!!!!!!!1!!!!o/4J(q"J1F.!K9%M!6x8 default-domain authentication
enterprise_sr
traffic-policy p1 inbound
traffic-policy p2 outbound
#
return

1.1.3 EDSG Configuration


NOTE

This feature applies only to the NetEngine 8000 M4, NetEngine 8000 M8, NetEngine 8000
M14, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M8, and NetEngine 8000E
M14.

1.1.3.1 EDSG Description

1.1.3.1.1 Introduction of EDSG

Definition
Enhanced dynamic service gateway (EDSG) identifies an individual channel of user
traffic and applies rate limiting, accounting, and management to that channel
independently.

EDSG provides the following functions:


● Accounting based on destination addresses and tariff levels
● Bandwidth limit based on destination addresses
● Scheduling based on destination addresses and priorities

Purpose
In the early stage of broadband development, most carriers used an extensive
operation mode to increase the number of users: they continuously expanded
networks and advertised high bandwidth to attract users. As broadband network
operation environments have developed, this traditional operation mode
creates the following challenges:

● How to increase the input-output ratio?
Growing bandwidth demands drive carriers to increase investment in the
infrastructure. The investment continuously increases, but the revenue
increases slowly. As a result, the input-output ratio decreases.
● How to ensure a local carrier's revenues?
In a region where a toll network and a local network are separately deployed,
the local carrier must rent the toll network carrier's expensive egress link for
connecting to the Internet and pay the toll network carrier for expensive
Internet traffic. Internet traffic and intranet traffic have large cost differences.
The local carrier's revenues increase slowly because Internet traffic and
intranet traffic cannot be distinguished and accounting cannot be performed
for them based on different tariff levels.
● How to meet customers' refined operation requirements?
Carriers need to provide differentiated accounting for traffic to different
service servers. For example, carriers need to use different tariffs to perform
accounting for the traffic, such as Internet data center (IDC), local IPTV, and
local gaming website traffic.
● How to meet different customers' requirements?
Carriers need to control the bandwidth when users access the local service
networks or the Internet to provide differentiated services based on the
service bandwidth and to identify high-end, mid-range, and low-end users to
prevent a few low-end users from using too much bandwidth.
● How to resolve benefit allocation issues when traffic is transmitted through
networks of different network service providers (NSPs)?
Some carriers use the ISP service wholesale mode. Different tariffs are
provided for national and international ISP traffic. Benefit allocation issues
must be resolved if traffic is transmitted through different NSPs' networks.

To address these challenges, EDSG is introduced. EDSG is characterized by flexible
service extension and dynamic deployment and applies when large numbers of
users use various service combinations.

Benefits
EDSG offers the following benefits to carriers:

● Carriers can use EDSG to distinguish between Internet traffic and intranet
traffic and perform accounting based on different tariff levels, ensuring
operation revenues.
● Carriers can use a BRAS to identify services based on the network segments
of servers storing the services. When users access these servers to obtain
services, carriers can perform differentiated rate limit, scheduling, and
accounting on the services.
● Carriers can provide a combination of EDSG services or a self-service page for
users to select services on demand, improving user experience and increasing
revenues. A self-service page may also be provided by service providers that
cooperate with carriers.

1.1.3.1.2 Understanding EDSG


Basic Concepts
This section describes the basic concepts of EDSG and the relationships between
EDSG elements.

Service Group
A service group identifies a type of specific data traffic. It is used as a source or
destination in a traffic rule and is referenced in an access control list (ACL).

EDSG Service Policy


As shown in Figure 1-18, EDSG service policies are bound to service groups, which
are used to identify service traffic. Typically, a group of specific destination
addresses is used as traffic identification characteristics. EDSG service policies have
the following characteristics:
● Each EDSG service policy contains rate limit and statistics at the forwarding
layer, and authentication, accounting, and prepaid quota management at the
service layer.
● Each EDSG service is mapped to one service flow, and multiple EDSG services
can be loaded for a user.

Figure 1-18 EDSG service policy

Key EDSG Techniques

Service Identification
Policies are executed for specific data flows, and the ACL mechanism is used to
send service flows matching a service group to the corresponding service channel.


Figure 1-19 Service identification

Differentiated Accounting
User traffic is identified and managed as different services, and independent
statistics and accounting are performed for each service. Traffic levels can be set
on an AAA server to implement differentiated accounting for different types of
packets.

Figure 1-20 Differentiated accounting

Policy Control
Policies are classified into the following types:
● Static service policy
A static service policy takes effect immediately when users go online. It is
obtained from a BRAS's local configurations or delivered by an AAA server
using an authentication response message.


Figure 1-21 shows the process of a static service policy. The process is
described as follows:
a. The user sends a login request to the BRAS. The BRAS sends a user
authentication request to the AAA server.
b. The AAA server returns a user authentication success message to the
BRAS. The message can carry an EDSG service policy name. If the
message does not carry a service policy name, the BRAS implements
policy control based on the local configurations.
c. After the user goes online, the BRAS initiates the basic service accounting
start process to the AAA server. The BRAS distinguishes traffic based on
the EDSG service policy delivered by the AAA server or the locally
configured EDSG service policy, collects traffic statistics, and performs
bandwidth control for traffic. For details, see EDSG Service Accounting.
d. The BRAS cyclically sends each EDSG service's accounting start request
packet (carrying the user name, EDSG service policy name, and service
traffic information) to the AAA server. The AAA server uses the EDSG
service policy in the packet to identify services. The tariffs for services are
defined on the AAA server.
e. The AAA server generates service CDR files and uses FTP/TFTP to send
the CDR files to the billing system. The AAA server can also send the
service accounting information to the billing system through an SQL
database interface.
f. The billing system performs rating, charging, and settlement based on
the user name, service policy name, and preset tariff conversion
relationship in the CDR files (or service accounting information in the
database).
g. The user sends a logout request to the BRAS. The BRAS sends an
accounting stop request packet to the AAA server.
h. The AAA server sends an accounting stop response packet to the BRAS.
i. The BRAS sends an accounting stop request packet for basic services to
the AAA server.
j. The AAA server sends an accounting stop response packet for basic
services to the BRAS, and the user goes offline successfully.


Figure 1-21 Process of a static service policy

● Dynamic service policy


After a user goes online, a policy server or AAA server can be used to deliver
an added or changed service policy to the BRAS. The following dynamic
service policies are supported:
– A carrier uses the AAA server to send the CoA parameter or the service
policy name to the BRAS to modify the service policy information.
– A user logs in to the portal self-service page to dynamically modify the
service policy. The policy server (or the other resource management
server) then sends the modification result to the BRAS.
Figure 1-22 shows the process of a dynamic service policy (service policies are
modified through the AAA server). The process is described as follows:
a. After the user goes online, an initial service policy is delivered by the AAA
server or obtained from the BRAS's local configurations.
b. The AAA server delivers the CoA parameter to modify service bandwidth
control parameters or delivers a service policy name to add a service
policy or modify the user's service policy. For details, see EDSG Service
Activation and Deactivation.


c. The BRAS performs bandwidth control and accounting for services based
on a new service policy combination and sends accounting start packets
for new services to the AAA server. The packets carry information, such as
the user name and service policy name.
d. The AAA server generates CDR files based on the new service accounting
information from the BRAS and sends the files to the billing system for
rating and charging based on the new service policy combination.

Figure 1-22 Process of a dynamic service policy (a service policy is modified
through the AAA server)

Figure 1-23 shows the process of a dynamic service policy, which is modified
through the policy server or the other resource management server. The
process is described as follows:
a. After the user goes online, an initial service policy is delivered by the AAA
server or obtained from the BRAS's local configurations.
b. The initial service policy is used for traffic statistics, accounting, and
bandwidth control.
c. After going online, the user logs in to the portal self-service page to
modify the service policy.


d. The portal server uses the SOAP protocol to send the service policy
modification result to the policy server.
e. The policy server sends the modified service policy to the BRAS through
the CoA interface.
f. After receiving the service policy from the policy server, the BRAS
performs bandwidth control and accounting for services based on the
new service policy combination and sends accounting start packets for
new services to the AAA server.
g. The AAA server generates CDR files based on the new service accounting
information from the BRAS and sends the files to the billing system for
rating and charging based on the new service policy combination.

Figure 1-23 Process of a dynamic service policy (a service policy is modified
through the policy server)

EDSG Service Activation and Deactivation


EDSG services can be activated by binding a service policy group to a domain or
through RADIUS or Diameter.


RADIUS supports both static and dynamic activation. Static activation means that
an EDSG service policy is delivered during user login through user authentication
response packets carrying the HW-Account-Info(26-184) or
HW-Policy-Name(26-95) attribute. Dynamic activation means that the EDSG service is
activated during user login through dynamic authorization messages, such as the
CoA messages carrying the HW-Command-Mode(26-34) or
HW-Policy-Name(26-95) attribute.
NOTE

● The HW-Account-Info(26-184) attribute is in the format of
A<service-name>[;authen-name;password] if services automatically take effect
after delivery and in the format of N<service-name> if services do not
automatically take effect after delivery.
● The HW-Policy-Name(26-95) attribute is in the format of
<service-name>[;authen-name;password] after delivery. You can perform
configuration to allow this attribute to support the EDSG service policy. This
attribute can carry multiple EDSG service names.
● The HW-Command-Mode(26-34) attribute is used to activate the EDSG service when
the first byte is 0x0B followed by a service name.
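
The three activation attributes described above, decoded from raw RADIUS attribute bytes so that Access-Accept and CoA captures can be audited for the EDSG services they switch on. This is an added example, not Huawei code. It assumes the standard RFC 2865 Vendor-Specific layout, Huawei's enterprise number 2011, that the angle brackets in the formats are placeholders rather than wire characters, and constructed service names and credentials; the encoding of multiple names in HW-Policy-Name is not given on this page and is not handled.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

VENDOR_SPECIFIC = 26        # RADIUS Vendor-Specific attribute (RFC 2865)
HUAWEI_VENDOR_ID = 2011     # Huawei's IANA enterprise number (not stated on the page)
HW_COMMAND_MODE, HW_POLICY_NAME, HW_ACCOUNT_INFO = 34, 95, 184
CMD_ACTIVATE_EDSG = 0x0B    # first byte of HW-Command-Mode that activates a service


@dataclass
class ServiceDirective:
    attribute: str                 # which attribute carried the directive
    service: str                   # EDSG service (policy) name
    auto_activate: Optional[bool]  # None where the page does not say
    auth_name: Optional[str] = None
    has_password: bool = False     # the password itself is never kept


def iter_huawei_vsas(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (vendor-type, value) for every Huawei sub-attribute in an attribute list."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length out of range")
        value, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        sub, spos = value[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2 or sub[spos + 1] < 2 or spos + sub[spos + 1] > len(sub):
                raise ValueError("sub-attribute length out of range")
            yield sub[spos], sub[spos + 2:spos + sub[spos + 1]]
            spos += sub[spos + 1]


def _name_and_credentials(text: str) -> Tuple[str, Optional[str], bool]:
    """Split service-name[;authen-name;password]; report only that a password was present."""
    parts = text.split(";")
    if len(parts) == 1 and parts[0]:
        return parts[0], None, False
    if len(parts) == 3 and parts[0]:
        return parts[0], parts[1], bool(parts[2])
    raise ValueError("unexpected service directive layout: %d field(s)" % len(parts))


def decode_edsg_directives(attrs: bytes) -> List[ServiceDirective]:
    """Return every EDSG activation directive found in a RADIUS attribute list."""
    found = []
    for vtype, value in iter_huawei_vsas(attrs):
        if vtype == HW_ACCOUNT_INFO:
            text = value.decode("utf-8", "replace")
            if text[:1] in ("A", "N"):   # anything else is not one of the two formats above
                name, auth, pw = _name_and_credentials(text[1:])
                found.append(ServiceDirective("HW-Account-Info", name, text[0] == "A", auth, pw))
        elif vtype == HW_POLICY_NAME:
            name, auth, pw = _name_and_credentials(value.decode("utf-8", "replace"))
            found.append(ServiceDirective("HW-Policy-Name", name, None, auth, pw))
        elif vtype == HW_COMMAND_MODE and value[:1] == bytes([CMD_ACTIVATE_EDSG]):
            name = value[1:].decode("utf-8", "replace")
            found.append(ServiceDirective("HW-Command-Mode", name, True))
    return found


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute holding a single Huawei sub-attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed samples: attribute lists as they would follow the 20-byte RADIUS header.
ACCESS_ACCEPT_ATTRS = (
    bytes([1, 7]) + b"alice"                                    # User-Name, skipped
    + vsa(HW_ACCOUNT_INFO, b"Aedsg-video;svcuser;Example-Pw1")  # takes effect on delivery
    + vsa(HW_ACCOUNT_INFO, b"Nedsg-game")                       # delivered, not auto-active
)
COA_ATTRS = vsa(HW_COMMAND_MODE, b"\x0bedsg-video") + vsa(HW_COMMAND_MODE, b"\x04")

if __name__ == "__main__":
    for directive in decode_edsg_directives(ACCESS_ACCEPT_ATTRS + COA_ATTRS):
        print(directive)
```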

Diameter supports service activation through CCR-I messages during user login as
well as dynamic service activation through RAR messages after users go online.

NOTE

If the EDSG service template and BOD/DAA service template configured on the device are
of the same name, only BOD/DAA services take effect during Diameter activation.

The EDSG service activation process is as follows:


1. (Optional) Perform service authentication.
2. (Optional) Download the content of a service policy template.
3. Install service forwarding entries.
4. After service installation is complete, trigger the start of service accounting.
(You can set the accounting mode to non-accounting.)

EDSG services are deactivated in the following scenarios:


● Service deactivation when a user goes offline: All EDSG services of a user are
automatically stopped when the user goes offline.
● Dynamic service deactivation: During user login, protocols (such as CoA and
DM) are used to delete the user's EDSG service.
● Service deactivation after service quotas are exhausted: The service is
automatically deleted by default after the duration or volume quota of the
service is exhausted.
● Service deactivation after replacement: The original EDSG service in a service
group is automatically deactivated after a new EDSG service in the service
group is activated. (For details, see EDSG Service Replacement and
Restoration.)

The EDSG service deactivation process is as follows:


1. Delete service forwarding entries.
2. After service forwarding entries are deleted, trigger accounting-stop requests.
(The accounting mode can be set to non-accounting.)
3. Uninstall all contents of the service.


EDSG Service Replacement and Restoration

The EDSG service replacement and restoration mechanism applies to services in a
service group. This mechanism can be used to dynamically increase the bandwidth
for a service flow. After a high-bandwidth service is deactivated or its quota is
exhausted, the initial-bandwidth service is automatically restored.
As shown in Figure 1-24, if a user's service A has been activated and service B in
the same service group needs to be activated, service A is automatically
deactivated before service B is activated. That is, service B replaces service A.

Figure 1-24 Service replacement process

As shown in Figure 1-25, if service B is deactivated, service A is automatically
activated.


Figure 1-25 Service restoration process

EDSG Service Policy Obtainment

A server delivers only the name of a service policy, so the policy's parameters
must be obtained separately from the service policy itself. An EDSG service policy
can be obtained in any of the following modes:
● Local: A service name is used as an index to obtain an EDSG service policy
from the local configurations.
● RADIUS: A service name is used as a user name and authentication packets
are used to obtain an EDSG service policy from a RADIUS server. The obtained
EDSG service policy is cached to the local device and will not be deleted if it is
referenced by any service instance. The EDSG service policy does not need to
be repeatedly obtained.
● Local and then RADIUS: An EDSG service policy is first obtained from the local
configurations. If no EDSG service policy is configured on the local device, an
EDSG service policy is obtained from the RADIUS server.


● RADIUS and then local: An EDSG service policy is first obtained from the
RADIUS server. If the RADIUS server has no response, a locally configured
EDSG service policy is used.

Figure 1-26 EDSG service policy obtainment

Periodic Update of a Cached EDSG Service Policy


You can configure an interval at which a cached EDSG service policy is updated.
Once a cached EDSG service policy has been held for the configured interval, the
BRAS re-obtains the policy from the RADIUS server and updates the cached copy
the next time a service is added.
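
The four obtainment modes and the cache refresh described above, modelled to show the two different fallback triggers: "local and then RADIUS" falls back when nothing is configured locally, while "RADIUS and then local" falls back only when the server does not respond. This is an added example, not BRAS code. `PolicyResolver`, `FakeRadius`, `RadiusNoResponse` and the policy dictionaries are hypothetical, and two behaviours the page does not state are assumptions marked in the comments.

```python
import time


class RadiusNoResponse(Exception):
    """The RADIUS server did not answer the policy request."""


class PolicyResolver:
    MODES = ("local", "radius", "local-radius", "radius-local")

    def __init__(self, mode, local_policies, radius_fetch,
                 refresh_interval=None, clock=time.monotonic):
        if mode not in self.MODES:
            raise ValueError("unknown mode: %r" % mode)
        self.mode = mode
        self.local_policies = local_policies   # name -> parameters, from local configuration
        self.radius_fetch = radius_fetch       # callable(name) -> parameters, None, or raises
        self.refresh_interval = refresh_interval
        self.clock = clock
        self._cache = {}                       # name -> (parameters, time obtained)

    def _from_radius(self, name):
        cached = self._cache.get(name)
        if cached is not None:
            policy, obtained = cached
            age = self.clock() - obtained
            if self.refresh_interval is None or age < self.refresh_interval:
                return policy, "cache"         # no repeated download
        # Not cached, or the refresh interval has passed: ask the server again.
        # Assumption: a stale entry is not served if this request fails.
        policy = self.radius_fetch(name)
        if policy is None:
            return None, None
        self._cache[name] = (policy, self.clock())
        return policy, "radius"

    def resolve(self, name):
        """Called when a service is added. Returns (parameters, source) or (None, None)."""
        local = self.local_policies.get(name)
        if self.mode == "local":
            return (local, "local") if local is not None else (None, None)
        if self.mode == "local-radius" and local is not None:
            return local, "local"
        try:
            return self._from_radius(name)
        except RadiusNoResponse:
            # Only "RADIUS and then local" has a fallback for a silent server.
            # Assumption: a server that answers without a policy is not a
            # "no response" and therefore does not trigger the fallback.
            if self.mode == "radius-local" and local is not None:
                return local, "local"
            return None, None


class FakeRadius:
    """Constructed stand-in for the RADIUS server used in the run below."""

    def __init__(self, policies):
        self.policies, self.up, self.calls = dict(policies), True, 0

    def fetch(self, name):
        self.calls += 1
        if not self.up:
            raise RadiusNoResponse(name)
        return self.policies.get(name)


if __name__ == "__main__":
    now = [0.0]
    radius = FakeRadius({"edsg-video": {"cir": 20000}})
    local = {"edsg-video": {"cir": 5000}}
    resolver = PolicyResolver("radius-local", local, radius.fetch,
                              refresh_interval=300, clock=lambda: now[0])
    print(resolver.resolve("edsg-video"))   # downloaded from RADIUS
    print(resolver.resolve("edsg-video"))   # served from the cache
    radius.up, now[0] = False, 301.0
    print(resolver.resolve("edsg-video"))   # refresh gets no response, local copy used
```

The last call is the one to review in a deployment: with the server unreachable, the locally configured parameters apply, so they should be ones you are willing to enforce.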

Online Update of Service Policy Parameters


By default, service policy parameter updates do not affect generated service
instances and apply only to service instances that are activated after an update.

You can manually specify a service policy name to forcibly update all service
instance parameters to the latest service policy parameters.

EDSG Service Authentication


EDSG supports service-level authentication. A BRAS performs service
authentication before activating EDSG services. Only services that are successfully
authenticated can be activated. A user can enter an authentication user name and
password when selecting services on the portal page. The authentication user
name and password may be different from those for user login.

Figure 1-27 EDSG service authentication

EDSG Service Accounting

Accounting Modes
EDSG services support RADIUS accounting and non-accounting. RADIUS
accounting is classified into the following types:
● Start accounting: After a service is activated and a forwarding channel is
established, start accounting is immediately triggered for the service.
● Stop accounting: After a service is deactivated and a forwarding channel is
deleted, stop accounting is immediately triggered for the service.
● Real-time accounting: To ensure the timeliness and accuracy of user service
accounting, the BRAS can send service accounting packets to the AAA server
at a configurable interval.


Accounting start request packets, accounting stop request packets, and real-time
accounting request packets carry information, such as the service name, Acct-
Session-Id (44) attribute, service traffic volume, and service duration. In addition,
the Acct-Multi-Session-Id (50) attribute is used to deliver the user accounting ID.
In non-uniform accounting mode, accounting is performed for all services, a
service accounting packet is separately sent for each service of a user, and all
services' traffic is independently counted. EDSG services support only non-uniform
accounting (also called individual accounting).
EDSG service switching supports only the transmission of accounting stop packets
for the original service and of accounting start packets for a new service.

Statistical Modes
User and service traffic supports the following statistical modes:
● Statistics separation: Service traffic is not counted into user traffic. That is,
user traffic statistics include only basic traffic except EDSG service traffic.
NOTE
Statistics separation for EDSG services does not support multi-VS scenarios.
● Statistics unseparation: Service traffic is counted into user traffic. That is, user
traffic statistics include both basic traffic and EDSG service traffic.
The following rate limit modes are supported:
● Rate limit separation: EDSG service traffic is unlimited by the basic user
bandwidth. That is, EDSG service traffic does not use the basic user
bandwidth.
● Rate limit unseparation: EDSG service traffic is limited by the basic user
bandwidth. That is, EDSG service traffic uses the basic user bandwidth.

Accounting Copy
EDSG supports accounting copy. The types supported are as follows:
● Copy of EDSG service accounting packets: When sending an EDSG service
accounting packet to the AAA server, the NetEngine 8100 M, NetEngine
8000E M, NetEngine 8000 M copies the packet to the accounting copy server.
● Copy of EDSG prepaid accounting packets: When sending an EDSG prepaid
accounting packet to the AAA server, the NetEngine 8100 M, NetEngine
8000E M, NetEngine 8000 M copies the packet to the accounting copy server.
EDSG accounting copy supports accounting start, real-time accounting, and
accounting stop. If accounting packets fail to be copied to the accounting copy
server, EDSG service activation is not affected.

Accounting Packaging
EDSG enables the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M to
package a user's EDSG service accounting packets into a packet and send the
packet to the RADIUS server. By default, EDSG service accounting packets are
independently sent and are not packaged. This function can be implemented
through configuration.


The following packets support accounting packaging:


● Real-time accounting packets of EDSG services
● Prepaid real-time accounting packets of EDSG services
● Accounting stop packets of EDSG services when users go offline
● Prepaid accounting stop packets of EDSG services when users go offline
A package packet carries only one copy of all services' public information, and the
information includes the user name, device name, user IP address, and user
accounting ID. The package packet also carries each service's non-public
information, and the information includes the service accounting ID, traffic
information, and service quota information (for details about the implementation
mechanism, see Figure 1-28). The maximum length of a package packet can be
set. If a service's information volume exceeds the maximum length of a package
packet, the service's information is divided into multiple package packets before
being sent. Each package packet must contain a service's complete information.
That is, a service's information must be in a package packet.

Figure 1-28 Packet packaging's implementation mechanism

Prepaid Quota Management for EDSG Services

EDSG services support a duration quota, a traffic volume quota, or a combination
of duration and traffic volume quotas. When the quota is initialized or the quota
usage reaches the threshold, service-level authentication packets are sent to a
server to apply for a new quota. After the server returns a zero quota, either of
the following actions can be performed:
● HTTP redirection (forcibly pushed to pages). The redirection is only for service
flows.


● Service deletion
After recharging is complete and a new quota is delivered, service flows can
recover from HTTP redirection.
Figure 1-29 shows the EDSG service prepaid process.
● If prepaid is configured for a service, the BRAS applies for an initial quota to
the prepaid server during service activation. After the prepaid server delivers a
valid quota, the service is activated.
● When the service is online, the BRAS monitors the service's quota exhaustion.
If the service quota is exhausted or the remaining quota reaches a configured
threshold, the BRAS requests the prepaid server to update the service quota
and sends the total used quota to the prepaid server. If the total service quota
is not exhausted, the prepaid server delivers a valid quota again. The BRAS
continues to monitor the service's quota exhaustion based on the newly
delivered quota.
● If the service quota is exhausted again or the remaining quota reaches a
configured threshold, the BRAS requests the prepaid server to update the
service quota and sends the total used quota to the prepaid server again. If
the total service quota has been exhausted, the prepaid server returns a zero
quota to the BRAS. The BRAS then performs an action based on a configured
quota exhaustion policy.

Figure 1-29 EDSG service prepaid process
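
The prepaid exchange described above as a small simulation: initial quota at activation, a renewal request carrying the total used quota when the remainder reaches the threshold, and the configured action when the server returns a zero quota. This is an added example, not BRAS code. `PrepaidServer` and `PrepaidService` are hypothetical names, quota is counted in abstract units (seconds or bytes), and treating each newly delivered quota as replacing the unused remainder is an assumption.

```python
class PrepaidServer:
    """Constructed stand-in for the prepaid server."""

    def __init__(self, balance, grant):
        self.balance = balance    # total quota the account has paid for
        self.grant = grant        # largest quota delivered per request
        self.reported = []        # total-used figures received from the BRAS

    def request_quota(self, total_used):
        self.reported.append(total_used)
        # A zero quota is returned once the total quota has been used up.
        return max(0, min(self.grant, self.balance - total_used))


class PrepaidService:
    """BRAS-side view of one prepaid EDSG service."""

    def __init__(self, server, threshold, exhaust_action="redirect"):
        if exhaust_action not in ("redirect", "delete"):
            raise ValueError("exhaust_action must be 'redirect' or 'delete'")
        self.server = server
        self.threshold = threshold          # renew when the remaining quota is at or below this
        self.exhaust_action = exhaust_action
        self.state = "inactive"             # inactive | active | redirected | deleted
        self.quota_left = 0
        self.total_used = 0

    def activate(self):
        """Apply for the initial quota; the service activates only on a valid quota."""
        quota = self.server.request_quota(self.total_used)
        if quota > 0:
            self.quota_left, self.state = quota, "active"
        return self.state == "active"

    def _renew(self):
        quota = self.server.request_quota(self.total_used)
        if quota > 0:
            # Assumption: the new quota replaces whatever was left of the old one.
            self.quota_left = quota
            return
        self.quota_left = 0
        self.state = "redirected" if self.exhaust_action == "redirect" else "deleted"

    def consume(self, units):
        """Account `units` of service traffic; return how many were forwarded."""
        forwarded = 0
        while units > 0 and self.state == "active":
            step = min(units, self.quota_left)
            self.quota_left -= step
            self.total_used += step
            forwarded += step
            units -= step
            if self.quota_left <= self.threshold:
                self._renew()
        return forwarded

    def retry_after_recharge(self):
        """After recharging, a redirected service recovers once a new quota is delivered."""
        if self.state != "redirected":
            return False
        quota = self.server.request_quota(self.total_used)
        if quota > 0:
            self.quota_left, self.state = quota, "active"
        return self.state == "active"


if __name__ == "__main__":
    server = PrepaidServer(balance=250, grant=100)
    service = PrepaidService(server, threshold=20)
    service.activate()
    print(service.consume(90), service.state)    # 90 active: renewed at the threshold
    print(service.consume(200), service.state)   # 160 redirected: zero quota returned
    server.balance += 100                        # the user recharges
    print(service.retry_after_recharge(), service.state)
    print(server.reported)                       # total-used values sent to the server
```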


EDSG Information Query over CoA

To enable the portal server to provide service information query and status
acknowledgement, EDSG services support the query of basic user information and
EDSG service information through CoA messages. The portal server sends CoA
requests for information query to the BRAS, and the BRAS returns CoA responses
carrying the information (such as the service status, duration, and traffic volume)
to the portal server. The 0x04 command word in the HW-Command-Mode (26-34)
attribute carried in CoA responses is used to query EDSG service information.

Figure 1-30 Process of information query over CoA

Table 1-4 RADIUS attributes supported by CoA messages

| No. | Attribute | Description |
|-----|-----------|-------------|
| 1 | HW-Command-Mode (26-34) | Query type and query object status |
| 2 | HW-Account-Info (26-184) | User's EDSG service information, including the service name, traffic volume, and online duration |
| 3 | NAS-Port-Id (87) | User's login interface identifier |
| 4 | NAS-Identifier (32) | BRAS identifier |
| 5 | Framed-IP-Address (8) | User's IPv4 address |
| 6 | Framed-IP-Netmask (9) | User's IPv4 address mask |
| 7 | Framed-IPv6-Prefix (97) | User's IPv6 ND prefix |
| 8 | Delegated-IPv6-Prefix (123) | User's delegated IPv6 prefix |
| 9 | HW-Framed-IPv6-Address (26-158) | User's IPv6 address |
| 10 | HW-Input-Peak-Information-Rate (26-3) | User's upstream PIR |
| 11 | HW-Output-Peak-Information-Rate (26-6) | User's downstream PIR |
| 12 | HW-Input-Committed-Information-Rate (26-2) | User's upstream CIR |
| 13 | HW-Output-Committed-Information-Rate (26-5) | User's downstream CIR |
| 14 | HW-Input-Peak-Burst-Size (26-77) | User's upstream PBS |
| 15 | HW-Output-Peak-Burst-Size (26-78) | User's downstream PBS |
| 16 | HW-Input-Committed-Burst-Size (26-1) | User's upstream CBS |
| 17 | HW-Output-Committed-Burst-Size (26-4) | User's downstream CBS |
| 18 | HW-Subscriber-QoS-Profile (26-17) | Name of the subscriber QoS profile used by a user |
| 19 | HW-QOS-Profile-Name (26-31) | Name of the common QoS profile used by a user |
| 20 | HW-Down-Qos-Profile-Name (26-182) | Name of the downstream QoS profile used by a user |
| 21 | Idle-Timeout (28) | User's idle-timeout parameter |
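
A portal-side decoder for the CoA responses described above, as an added Python example (not Huawei code). It splits a RADIUS CoA message into its attributes, unpacks the Huawei vendor-specific ones (the "26-n" entries of Table 1-4) and rejects inconsistent lengths. The sample packet, the single-byte encoding of the 0x04 command word and the HW-Account-Info payload are constructed placeholders, and Huawei values are returned as raw bytes.

```python
import ipaddress
import struct

HUAWEI_VENDOR_ID = 2011      # Huawei's IANA enterprise number
COA_CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}   # RFC 5176
# Subset of Table 1-4. "26-n" in the table is Vendor-Specific (26), Huawei type n.
STANDARD = {8: "Framed-IP-Address", 9: "Framed-IP-Netmask", 28: "Idle-Timeout",
            32: "NAS-Identifier", 87: "NAS-Port-Id"}
HUAWEI = {2: "HW-Input-Committed-Information-Rate", 3: "HW-Input-Peak-Information-Rate",
          5: "HW-Output-Committed-Information-Rate", 6: "HW-Output-Peak-Information-Rate",
          34: "HW-Command-Mode", 184: "HW-Account-Info"}


def tlvs(buf, what):
    """Split a run of type/length/value fields, rejecting lengths that leave the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} at offset {pos}")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        out.append((typ, buf[pos + 2:pos + length]))
        pos += length
    return out


def parse_coa(packet):
    """Return (message name, identifier, [(attribute name, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in COA_CODES:
        raise ValueError(f"not a CoA message (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError(f"header length {length} does not fit the datagram")
    attrs = []
    for typ, value in tlvs(packet[20:length], "attribute"):
        if typ == 26:                                   # Vendor-Specific
            if len(value) < 4:
                raise ValueError("Vendor-Specific attribute without a vendor ID")
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor != HUAWEI_VENDOR_ID:
                attrs.append((f"vendor-{vendor}", value[4:]))
                continue
            for vtyp, vval in tlvs(value[4:], "Huawei sub-attribute"):
                attrs.append((HUAWEI.get(vtyp, f"26-{vtyp}"), vval))
        elif typ in (8, 9) and len(value) == 4:         # IPv4 address or mask
            attrs.append((STANDARD[typ], str(ipaddress.IPv4Address(value))))
        else:
            attrs.append((STANDARD.get(typ, f"attr-{typ}"), value))
    return COA_CODES[code], ident, attrs


def attr(typ, value):
    """Encode one attribute (type, length, value)."""
    return bytes([typ, len(value) + 2]) + value


def huawei(vtyp, value):
    """Encode one Huawei sub-attribute inside a Vendor-Specific attribute."""
    return attr(26, struct.pack("!I", HUAWEI_VENDOR_ID) + attr(vtyp, value))


def sample_response():
    """Constructed CoA-ACK; attribute values and their encodings are placeholders."""
    body = (huawei(34, b"\x04")                          # command word named in the text
            + attr(8, ipaddress.IPv4Address("192.0.2.10").packed)
            + attr(32, b"bras-1")
            + huawei(184, b"constructed-service-info"))
    return struct.pack("!BBH", 44, 7, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    name, ident, attrs = parse_coa(sample_response())
    print(name, ident)
    for key, value in attrs:
        print(f"  {key}: {value!r}")
```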

EDSG Traffic Reporting Frequency

The traffic reporting frequency of each EDSG service decreases when the number
of users on an interface board increases, which may affect the real-time
performance of traffic information and precision of traffic quota management but
does not affect the accuracy of accounting stop traffic.
If CAR is used for rate limit, you can manually configure EDSG traffic reporting
frequency.


1.1.3.1.3 Application Scenarios for EDSG

Typical EDSG Networking

Separate Operation for Local and Toll Networks


In a region where a toll network and a local network are separately deployed, the
local carrier must rent the toll network carrier's expensive egress link for
connecting to the Internet and pay the toll network carrier for expensive Internet
traffic. Internet traffic and intranet traffic have large cost differences. Therefore,
the local carrier needs to distinguish between Internet traffic and intranet traffic
and perform accounting based on different tariff levels to ensure revenues.
When a user visits networks 1 to 3 shown in Figure 1-31, accounting based on
volume and time is performed for traffic over the three networks. Three EDSG
services are planned for the three networks, and accounting is independently
performed for each service.

Figure 1-31 Accounting based on destination addresses

Accounting Based on Used Services


Different bandwidths are provided for different network services, and accounting
is independently performed for all of the network services. A policy server can be
used to dynamically change the number and bandwidth of network services.
Volume and duration quotas can also be delivered for the services. After a user's
quotas are exhausted, HTTP requests matching the user's service flow are
redirected to a recharge page.


When a user visits the game, FTP, and VoD networks shown in Figure 1-32, rate
limit is performed on traffic over the three networks. Three EDSG services are
planned for the three networks, and rate limit and accounting are independently
performed for each service.

Figure 1-32 Accounting based on used services

Different Bandwidths for Networks Inside and Outside a Campus


Networks inside and outside a campus can be distinguished based on the network
segment addresses accessed by campus users, and different bandwidths are used
for traffic over the networks. When a campus user goes online, a BRAS sends an
authentication request packet to a RADIUS server. After receiving the packet, the
RADIUS server delivers two EDSG service policies for traffic over networks inside
and outside a campus to limit the bandwidth of traffic over the networks. In
addition, the RADIUS server performs accounting only for traffic over the network
outside a campus.

1.1.3.1.4 Terminology for EDSG

Acronyms and Abbreviations


| Acronym and Abbreviation | Full Name |
|--------------------------|-----------|
| AAA | Authentication, Authorization and Accounting |
| ACL | Access Control List |
| BRAS | broadband remote access server |
| CoA | Change-of-Authorization |
| SOAP | Simple Object Access Protocol |
| RADIUS | Remote Authentication Dial in User Service |

1.1.3.2 EDSG Configuration


NOTE

In VS mode, this feature applies only to the admin VS.

1.1.3.2.1 Overview

Enhanced dynamic service gateway (EDSG) independently identifies a channel of
user traffic and implements independent rate limit, accounting, and management
for the traffic.

In the early stage of broadband development, most carriers used an extensive
operation mode to increase the number of users. In this mode, carriers
continuously expanded networks and publicized high bandwidth to attract users.
As broadband network operation environments have developed, this traditional
operation mode has created the following challenges:

● How to increase the input-output ratio?
● How to ensure a local carrier's revenues?
● How to meet customers' refined operation requirements?
● How to meet different customers' requirements?
● How to resolve benefit allocation issues when traffic is transmitted through
networks of different network service providers (NSPs)?

To address these challenges, EDSG is introduced. EDSG is characterized by flexible
service extension and dynamic deployment and applies when large numbers of
users use various service combinations.

Carriers can provide a combination of EDSG services or a self-service page for
users to select services on demand, improving user experience and increasing
revenues. A self-service page may also be provided by service providers that
cooperate with carriers.

1.1.3.2.2 Feature Requirements for EDSG

1.1.3.2.3 Configuring EDSG


Before configuring EDSG, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain the data required for the configuration.


Usage Scenarios
Typical EDSG usage scenarios are as follows:
● In some regions, small local carriers need to rent backbone carriers' lines to
provide Internet access services to users. The local carriers also need to pay
the backbone carriers for traffic over the backbone networks. Low fees are
charged for traffic over a local network, whereas high fees are charged for
traffic over a backbone network. To increase revenues, local carriers need a
solution that can distinguish the two types of traffic and perform accounting
based on network types. EDSG meets this requirement. Two EDSG services
can be configured for the local and backbone networks based on destination
addresses to implement differentiated accounting on traffic over both the
local and backbone networks.
● When campus users access a campus network, the carrier does not charge
any fees or charges low fees, and the access rate is unlimited. However, when
campus users access an external network, the carrier charges high fees and
limits their access rates. To increase the carrier's revenues, configure two
EDSG services for the campus and external networks based on destination
addresses to implement differentiated accounting and rate limit on traffic
over both the campus and external networks.
● Many Internet services, such as gaming, File Transfer Protocol (FTP), video on
demand (VOD), and news services, have different costs and bandwidth
requirements. To implement differentiated accounting and rate limit on
various services, configure these services as different EDSG services.
As shown in Figure 1-33, Point-to-Point Protocol over Ethernet (PPPoE) users
access networks 1 and 2. Different fees need to be charged for traffic over
networks 1 and 2. The users have different bandwidth requirements for networks
1 and 2. To meet these requirements, configure two EDSG services on the
broadband remote access server (BRAS) to perform differentiated accounting and
rate limit on traffic over networks 1 and 2. EDSG allows carriers to provide flexible
service and accounting policies for different user requirements.

NOTE

The BRAS can work with the AAA server, policy server, and portal server to implement
differentiated accounting and rate limit based on destination addresses.
● AAA server: provides user authentication, authorization, and accounting. Generally, a
RADIUS server is used as a AAA server.
● Policy server: delivers EDSG service policies. Only a RADIUS server can be used as a
policy server.
● Portal server: provides user interfaces. Users can log in to a portal server and select
EDSG services as required. A portal server is generally integrated into a AAA or policy
server.


Figure 1-33 EDSG networking

Pre-configuration Tasks
Before configuring EDSG, complete the following tasks:
● Load the BRAS license and the EDSG license.
● Configure an authentication scheme, an accounting scheme, and a RADIUS
server group for an EDSG service policy (for details, see AAA and User
Management Configuration (Access Users)).
● Configure an address pool (for details, see Configuring an IPv4 Address Pool
and an Address Pool Group).
● Configure a domain and bind the authentication scheme, accounting scheme,
address pool, and RADIUS server group to the domain (for details, see
Configuring a Domain).
● Configure a BAS interface (for details, see IPoE Access Configuration and
PPPoE Access Configuration).

Enabling the Value-added Service Function


A value-added service can be configured only after the value-added service
function is enabled.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run value-added-service enable
The value-added service function is enabled globally.
The value-added service function is not enabled globally by default.
Step 3 Run commit
The configuration is committed.

----End


Configuring a Policy Server


EDSG requires a dedicated policy server to deliver an EDSG service policy. This
section describes how to configure a policy server.

Context
If a value-added service policy is delivered over RADIUS, you must configure a
RADIUS server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000 M.
For details about the configuration, see Configuring a Device as a RADIUS Client.
If a value-added service policy is delivered over Diameter, you must configure a
Diameter server on the NetEngine 8100 M, NetEngine 8000E M, NetEngine 8000
M. For details about the configuration, see Configuring a Diameter Server.

Configuring an EDSG Traffic Policy


To distinguish user traffic over networks 1 and 2, create two service groups and
configure an EDSG traffic policy for each service group. This section describes how
to configure an EDSG traffic policy.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run service-group service-group-name
A service group is created.
Step 3 Define an ACL rule for matching the service group.
1. Run the acl { name advance-acl-name [ advance | [ advance ] number
advance-acl-number ] | [ number ] advance-acl-number } [ match-order
{ config | auto } ] command to create an ACL and enter the ACL view.
NOTE

You need to use UCLs. The number of a UCL ranges from 6000 to 9999.
2. Create an ACL rule based on protocol types.
a. For TCP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp }
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination
{ destination-ip-address { destination-wildcard | 0 | des-netmask } | any }
| destination-pool destination-pool-name } | { destination-port operator
port-number | destination-port-pool destination-port-pool-name } |
fragment-type { fragment | non-fragment | non-subseq | fragment-
subseq | fragment-spe-first } | { source { source-ip-address { source-
wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } |
{ source-port operator port-number | source-port-pool source-port-pool-
name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] |
established |{ ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst |
syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack
| syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh |
rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-instance-name |
vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation
length-value ] *
b. For UDP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp }
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination
{ destination-ip-address { destination-wildcard | 0 | des-netmask } | any }
| destination-pool destination-pool-name } | { destination-port operator
port-number | destination-port-pool destination-port-pool-name } |
fragment-type { fragment | non-fragment | non-subseq | fragment-
subseq | fragment-spe-first } | { source { source-ip-address { source-
wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } |
{ source-port operator port-number | source-port-pool source-port-pool-
name } | time-range time-name | [ vpn-instance vpn-instance-name |
vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-
operation length-value ] *
c. For ICMP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp }
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination
{ destination-ip-address { destination-wildcard | 0 | des-netmask } | any }
| destination-pool destination-pool-name } | fragment-type { fragment
| non-fragment | non-subseq | fragment-subseq | fragment-spe-first } |
icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] }
| { source { source-ip-address { source-wildcard | 0 | src-netmask } | any }
| source-pool source-pool-name } | time-range time-name | [ vpn-
instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-
value | packet-length length-operation length-value ] *
d. For other protocols, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip
| ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ]
* ] | { destination { destination-ip-address { destination-wildcard | 0 |
des-netmask } | any } | destination-pool destination-pool-name } |
fragment-type { fragment | non-fragment | non-subseq | fragment-
subseq | fragment-spe-first } | { source { source-ip-address { source-
wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } |
time-range time-name | [ vpn-instance vpn-instance-name | vpn-
instance-any ] | ttl ttl-operation ttl-value | packet-length length-
operation length-value ] *
3. Run commit

The configuration is committed.


4. Run quit

Return to the system view.

Step 4 (Optional) Define an ACL6 rule for matching the service group.
1. Run the acl ipv6 number ucl-acl6-number [ match-order { auto | config } ]
command to create an ACL6 and enter the ACL6 view.
NOTE

You need to use UCL6s. The number of a UCL6 ranges from 6000 to 9999.


2. Create an ACL6 rule based on protocol types.


a. For TCP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp }
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-
address { source-ipv6-address { prefix-length | source-wildcard } | source-
ipv6-address/prefix-length | any } | any | [ service-group { service-group-
name | any } | user-group { user-group-name | any } ] } | destination
{ ipv6-address { destination-ipv6-address { prefix-length | destination-
wildcard } | destination-ipv6-address/prefix-length | any } | any |
[ service-group { service-group-name | any } | user-group { user-group-
name | any } ] } | source-port operator port-number | destination-port
operator port-number | fragment | traffic-class traffic-class | time-range
time-name ] *
b. For UDP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp }
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-
address { source-ipv6-address { prefix-length | source-wildcard } | source-
ipv6-address/prefix-length | any } | any | [ service-group { service-group-
name | any } | user-group { user-group-name | any } ] } | destination
{ ipv6-address { destination-ipv6-address { prefix-length | destination-
wildcard } | destination-ipv6-address/prefix-length | any } | any |
[ service-group { service-group-name | any } | user-group { user-group-
name | any } ] } | source-port operator port-number | destination-port
operator port-number | fragment | traffic-class traffic-class | time-range
time-name ] *
c. For ICMP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol |
icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source
{ ipv6-address { source-ipv6-address { prefix-length | source-wildcard } |
source-ipv6-address/prefix-length | any } | any | [ service-group { service-
group-name | any } | user-group { user-group-name | any } ] } |
destination { ipv6-address { destination-ipv6-address { prefix-length |
destination-wildcard } | destination-ipv6-address/prefix-length | any } |
any | [ service-group { service-group-name | any } | user-group { user-
group-name | any } ] } | icmp6-type { icmp6-type-name | icmp6-type
icmp6-code } | fragment | traffic-class traffic-class | time-range time-
name ] *
d. For other protocols, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre |
ipv6-esp | ipv6 | ipv6-ah | ospf } [ [ dscp dscp | [ precedence precedence
| tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length
| source-wildcard } | source-ipv6-address/prefix-length | any } | any |
[ service-group { service-group-name | any } | user-group { user-group-
name | any } ] } | destination { ipv6-address { destination-ipv6-address
{ prefix-length | destination-wildcard } | destination-ipv6-address/prefix-
length | any } | any | [ service-group { service-group-name | any } | user-
group { user-group-name | any } ] } | fragment | traffic-class traffic-
class | time-range time-name ] *
3. Run commit


The configuration is committed.


4. Run quit

Return to the system view.

Step 5 Configure a traffic classifier.


1. Run traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier is configured and the traffic classifier view is displayed.


2. Run if-match [ ipv6 ] acl { acl-number | name acl-name }

The traffic classifier references a specified ACL or ACL6.


3. Run commit

The configuration is committed.


4. Run quit

Return to the system view.

Step 6 Configure a traffic behavior.


1. Run traffic behavior behavior-name

A traffic behavior is configured and the traffic behavior view is displayed.


2. (Optional) Run service-class edsg keep-queue-level

The device is configured to retain the service class of the original packets
after the EDSG service is matched to a traffic behavior.
3. Run commit

The configuration is committed.


4. Run quit

Return to the system view.

Step 7 Configure an EDSG traffic policy.


1. Run traffic policy policy-name

An EDSG traffic policy is configured and the EDSG traffic policy view is
displayed.
2. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
The traffic behavior is specified for the traffic classifier.
3. Run commit

The configuration is committed.


4. Run quit

Return to the system view.

Step 8 Run traffic-policy policy-name { inbound | outbound }

The EDSG traffic policy is globally applied.

Step 9 Run commit


The configuration is committed.

----End

Configuring an EDSG Service Policy


You can configure different EDSG service policies to implement differentiated
accounting and rate limiting for user access to different networks.

Context
To implement differentiated accounting and rate limiting for user access to
different networks, you may need to configure multiple EDSG service policies. An
EDSG service policy can be configured in either of the following modes:

1. Configuration delivery to the device from the policy server.


2. Local configuration: To implement differentiated accounting and rate limiting
for two EDSG services, associate the corresponding service groups with the
two EDSG service policies, bind different accounting schemes to the two EDSG
service policies, and set bandwidth parameters for different traffic rate limits.

This section describes how to configure an EDSG service policy locally.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 (Optional) Run the service-policy cache update interval interval-value command
to configure an interval at which the EDSG cache policy template is updated.

Step 3 (Optional) Run the value-added-service update-online-edsg rate-limit
service-policy [ cache [ cache-policy-name ] | configuration [ configuration ] ]
command to manually trigger an update of bandwidth limit parameters for online
EDSG services.

Step 4 (Optional) Run the radius-attribute hw-policy-name support-type edsg
command to allow the HW-Policy-Name attribute to carry an EDSG service policy
name.

Step 5 (Optional) Run the radius-attribute include edsg-service-name
accounting-request command to allow user accounting packets to carry an EDSG
service policy name.
NOTE

If the radius-attribute hw-policy-name support-type edsg command has been
configured, Huawei proprietary No. 95 attribute is carried in packets. If this command has
not been configured, Huawei proprietary No. 185 attribute is carried in packets.

Step 6 Run the service-policy name policy-name edsg command to create an EDSG
service policy and enter its view.
NOTE

If the policy template name is case-sensitive, you need to run the service-policy name-
case-sensitive enable command first to enable case sensitivity for the EDSG service
template name.


Step 7 (Optional) Run the ip-type ipv6 command to set the traffic statistic type to IPv6
for EDSG services.

Step 8 Run the service-group service-group-name [ inbound | outbound ] [ priority
priority ] command to configure the service group to be bound to the EDSG
service policy.

The service group must already exist. If not, run the service-group service-group-
name command in the system view to create a service group.
Step 9 Run the radius-server group group-name command to configure the RADIUS
server group to be bound to the EDSG service policy.

Step 10 Run the authentication-scheme authentication-scheme-name command to
configure an authentication scheme for the EDSG service policy.

Step 11 Run the accounting-scheme accounting-scheme-name command to configure an
accounting scheme for the EDSG service policy.

Currently, EDSG services support only the RADIUS accounting and non-accounting
modes.

The device provides two fixed accounting schemes: default0 and default1. The two
accounting schemes cannot be deleted but can be modified.

Step 12 Run the rate-limit cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ]
[ flow-queue-pbs flow-queue-pbs ] ] { inbound | outbound } command to
configure the bandwidth parameters for upstream and downstream traffic rate
limiting of EDSG services.

Step 13 (Optional) Configure a Diameter monitor key for the EDSG service policy based on
the format of the monitor key delivered by the Diameter server.
● Run the diameter monitor-key string monitor-key-string command to
configure a Diameter monitor key in string format for the EDSG service policy.
Before running this command, run the diameter monitor-key parse-mode
string command in the system view to set the parsing mode of the Diameter
monitor key to string.
● Run the diameter monitor-key monitor-key command to configure a
Diameter monitor key in integer format for the EDSG service policy.
Before running this command, run the diameter monitor-key parse-mode
integer command in the system view to set the parsing mode of the
Diameter monitor key to integer.

Step 14 (Optional) Run the service-class { cs7 | cs6 | ef | af4 | af3 | af2 | af1 | be }
{ inbound | outbound } command to configure a scheduling class in the upstream
or downstream direction.

Step 15 Run the commit command to commit the configuration.

----End

(Optional) Applying an EDSG Service Policy to a Domain


If no EDSG service policy is delivered from the policy server, use the service policy
group configured in the AAA domain.


Context
After configuring an EDSG service policy locally, you can bind it to the service
policy group and apply it to an AAA domain. If no service policy is delivered from
the policy server, the service policy group bound to the AAA domain is used. If the
policy server delivers a service policy, the service policy delivered by the policy
server is used.
Before configuring this function, complete the task of Configuring an EDSG
Service Policy Locally.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the service-policy-group group-name command to create a service policy
group and enter the service policy group view.
Step 3 Run the service-policy policy-name command to bind an EDSG service policy to
the service policy group.
Step 4 Run the quit command to return to the system view.
Step 5 Run the aaa command to enter the AAA view.
Step 6 Run the domain domain-name command to enter the AAA domain view.
Step 7 Run the service-policy-group group-name command to apply the service policy
group to the AAA domain.
Step 8 Run the commit command to commit the configuration.

----End

(Optional) Configuring a Mapping Between a Time Range Template and Service Bandwidth

This section describes how to configure a mapping between a time range
template and EDSG service bandwidth. After the configuration is complete, the
EDSG service bandwidth is adjusted when the time range changes.

Context
User service traffic has different requirements on service bandwidth in different
time ranges. For example, the service traffic volume used by a user in a time range
during daylight hours is usually greater than that in the early morning. Therefore,
a larger service bandwidth must be set for the time range during daylight hours.
To properly distribute service traffic, configure the service bandwidth to be flexibly
adjusted when the time range changes.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run time-range time-name [ start-time to end-time days &<1-7> | from time1
date1 [ to time2 date2 ] ]


A time range is defined.

Step 3 Run service-policy name policy-name edsg

The EDSG service policy view is displayed.

Step 4 Run time-range time-range-name rate-limit cir cir-value [ pir pir-value ] [ cbs
cbs-value [ pbs pbs-value ] ] [ inbound | outbound ]
A mapping is configured between the time range template and EDSG service
bandwidth.

----End

(Optional) Configuring the Prepaid Function


The prepaid function allows the RADIUS server to deliver an EDSG service with a
specified time or traffic volume quota in advance. After the quota is exhausted,
the BRAS reapplies for an EDSG service quota from the RADIUS server. When the
RADIUS server returns a zero quota, the BRAS executes a deactivation or
redirection policy. This section describes how to configure the prepaid function.

Context
An authentication scheme, an accounting scheme, and a RADIUS server group
have been configured for the prepaid function of EDSG services (for details, see
AAA Configuration).

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure a prepaid profile.


1. Run prepaid-profile prepaid-profile-name

A prepaid profile is created, and the prepaid profile view is displayed.


2. Run radius-server group group-name

A RADIUS server group is bound to the prepaid profile.


3. Run authentication-scheme prepaid-profile-name

An authentication scheme is configured for the prepaid profile.


4. Run accounting-scheme accounting-scheme-name

An accounting scheme is configured for the prepaid profile.

The BRAS provides two fixed accounting schemes: default0 and default1. The
two accounting schemes cannot be deleted but can be modified.
5. Run password cipher cipher-password

A password is configured for the BRAS to use when applying for an EDSG service
quota from the RADIUS server.
6. (Optional) Run threshold time time-threshold seconds


A time threshold is configured for the BRAS to reapply for a time quota for
EDSG services from the RADIUS server.

When the remaining time quota of a user's EDSG service reaches a configured
time threshold, the BRAS reapplies for a time quota for the EDSG service from
the RADIUS server. When the RADIUS server returns a zero time quota, the
BRAS executes a deactivation or redirection policy.
7. (Optional) Run threshold volume volume-threshold { kbytes | mbytes |
bytes }

A traffic volume threshold is configured for the BRAS to reapply for a traffic
volume quota for EDSG services from the RADIUS server.

When the remaining traffic volume quota of a user's EDSG service reaches a
configured traffic volume threshold, the BRAS reapplies for a traffic volume
quota for the EDSG service from the RADIUS server. When the RADIUS server
returns a zero traffic volume quota, the BRAS executes a deactivation or
redirection policy.

NOTE

You can configure both the time and traffic volume thresholds for the BRAS to reapply
for EDSG service quotas from the RADIUS server. Once the remaining time or traffic
volume quota of a user's EDSG service reaches the corresponding configured
threshold, the BRAS reapplies for an EDSG service quota from the RADIUS server. For
example, if the time and traffic volume thresholds are respectively set to 60s and 5
Mbytes for a user:
– When the remaining traffic volume quota of the user's EDSG service is 5 Mbytes
but the remaining time quota of the EDSG service is greater than 60s, the BRAS
reapplies for a traffic volume quota for the EDSG service from the RADIUS server.
– When the remaining time quota of the user's EDSG service is 60s but the
remaining traffic volume quota of the EDSG service is greater than 5 Mbytes, the
BRAS reapplies for a time quota for the EDSG service from the RADIUS server.
8. Run commit

The configuration is committed.

Step 3 (Optional) Configure a policy used when the quota is exhausted as required.
1. Configure a deactivation policy. When the quota of a user's EDSG service is
exhausted, the BRAS deletes the EDSG service.
a. Run the quota-out service deactivate command to configure a
deactivation policy.
b. Run the commit command to commit the configuration.
c. Run the quit command to return to the system view.
2. Configure a redirection policy. When the quota of a user's EDSG service is
exhausted, the user is redirected to a specified web page.
a. Run the http-redirect-profile redirect-profile-name command to create
an HTTP redirection profile and enter the HTTP redirection profile view.
b. Run the web-server url redirect-url command to configure a redirection
web page.
c. (Optional) Run the web-server mode { get | post } command to
configure an HTTP access mode for the web server.

d. Run the commit command to commit the configuration.
e. Run the quit command to return to the system view.
f. Run the prepaid-profile prepaid-profile-name command to enter the
prepaid profile view.
g. Run the quota-out redirect redirect-profile-name command to configure
a redirection policy and specify an HTTP redirection profile.
h. Run the commit command to commit the configuration.
i. Run the quit command to return to the system view.

Step 4 Apply the prepaid profile in the EDSG service policy view.
1. Run service-policy name policy-name edsg

The EDSG service policy view is displayed.

An EDSG service policy must have been configured. For details about how to
configure an EDSG service policy, see Configuring an EDSG Service Policy.
2. Run prepaid-profile prepaid-profile-name

A prepaid profile is configured for the EDSG service policy.

Step 5 (Optional) Run service volume-quota apply { inbound | outbound }

The traffic direction to which the EDSG service quota applies is configured.

Step 6 Run commit

The configuration is committed.

----End
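
The prepaid profile only takes effect if every object it names exists and the profile itself is applied in an EDSG service policy. The following check is an added example, not Huawei code: it audits those cross-references offline using only the commands from this procedure. The indented saved-configuration layout and all names in the sample are assumptions.

```python
from collections import defaultdict

# Constructed sample. The indented layout (view header at column 0, the commands run
# in that view indented beneath it) is an assumed saved-configuration format.
SAMPLE_CONFIG = """\
radius-server group rad_group1
aaa
 authentication-scheme auth1
  authentication-mode radius
http-redirect-profile redirect1
 web-server url https://portal.example.com/recharge
http-redirect-profile redirect_empty
prepaid-profile prepaid_ok
 radius-server group rad_group1
 authentication-scheme auth1
 accounting-scheme default1
 password cipher CONSTRUCTED-CIPHERTEXT
 threshold time 60 seconds
 quota-out redirect redirect1
prepaid-profile prepaid_bad
 radius-server group rad_group2
 authentication-scheme auth1
 accounting-scheme acct9
 quota-out redirect redirect_empty
service-policy name service_edsg1 edsg
 prepaid-profile prepaid_ok
service-policy name service_edsg2 edsg
 prepaid-profile prepaid_tpyo
"""


def parse_views(text):
    """Return [(header_tokens, [(depth, tokens), ...])], one entry per top-level view."""
    views = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":  # "#" separates views in saved configurations
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:
            views.append((line.split(), []))
        elif views:
            views[-1][1].append((depth, line.split()))
    return views


def first_arg(cmds, *prefix):
    """Return the token following `prefix` in the first matching command, else None."""
    for tok in cmds:
        if tok[:len(prefix)] == list(prefix) and len(tok) > len(prefix):
            return tok[len(prefix)]
    return None


def audit_prepaid(text):
    """Return sorted (object, problem) pairs for broken prepaid-profile references."""
    defined = {"radius-server group": set(), "authentication-scheme": set(),
               "accounting-scheme": {"default0", "default1"}}  # fixed schemes always exist
    redirects, prepaid, applied = {}, {}, defaultdict(list)
    for head, body in parse_views(text):
        cmds = [tok for _, tok in body]
        kind = " ".join(head[:-1])
        if kind == "radius-server group":
            defined[kind].add(head[-1])
        elif head == ["aaa"]:
            for depth, tok in body:  # depth 1 defines a scheme; deeper lines only bind one
                if depth == 1 and len(tok) == 2 and tok[0] in defined:
                    defined[tok[0]].add(tok[1])
        elif kind == "http-redirect-profile":
            redirects[head[-1]] = first_arg(cmds, "web-server", "url")
        elif kind == "prepaid-profile":
            prepaid[head[-1]] = cmds
        elif head[:2] == ["service-policy", "name"] and first_arg(cmds, "prepaid-profile"):
            applied[first_arg(cmds, "prepaid-profile")].append(head[2])
    findings = []
    for name, cmds in prepaid.items():
        who = "prepaid-profile " + name
        for kind, known in defined.items():
            ref = first_arg(cmds, *kind.split())
            if ref is None:
                findings.append((who, f"no {kind} bound"))
            elif ref not in known:
                findings.append((who, f"{kind} {ref} is not defined"))
        if first_arg(cmds, "password", "cipher") is None:
            findings.append((who, "no password cipher configured"))
        redirect = first_arg(cmds, "quota-out", "redirect")
        if redirect is not None and redirects.get(redirect) is None:
            findings.append((who, f"redirect profile {redirect} is undefined or has no web-server url"))
        if name not in applied:
            findings.append((who, "not applied in any EDSG service policy"))
    for ref, policies in applied.items():
        if ref not in prepaid:
            findings.extend(("service-policy " + p, f"prepaid-profile {ref} is not defined") for p in policies)
    return sorted(findings)


if __name__ == "__main__":
    for who, problem in audit_prepaid(SAMPLE_CONFIG):
        print(f"{who}: {problem}")
```

On the device itself, compare the result with the output of display prepaid-profile and display service-policy configuration.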

Configuring a Mode in Which an EDSG Service Policy Is Obtained


An EDSG service policy can be downloaded from local configurations or a RADIUS
server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run service-policy download { local | radius server-group password cipher cipher-password } *

A mode in which an EDSG service policy is obtained is configured.

To configure the BRAS to obtain an EDSG service policy from local configurations,
you must have configured an authentication scheme, an accounting scheme, and
a RADIUS server group for the EDSG service policy. For configuration details, see
Configuring AAA Schemes. To configure the BRAS to obtain an EDSG service policy
from a RADIUS server, you must have configured the RADIUS server. For
configuration details, see Configuring a Device as a RADIUS Client.

Step 3 Run commit

The configuration is committed.

----End

(Optional) Configuring a Rate Limit Mode for Services in a Domain

Context
You can configure different rate limit modes for upstream and downstream EDSG
service traffic of users who go online from an AAA domain. To locate information
about EDSG services and users whose traffic is discarded due to rate limiting,
enable the function of reporting dropped EDSG service traffic.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the aaa command to enter the AAA view.

Step 3 Run the domain domain-name command to enter the domain view.

Step 4 Run the service rate-limit-mode { car | user-queue } { inbound | outbound }
command to configure a rate limit mode for upstream and downstream EDSG
service traffic of online users.

Step 5 (Optional) Run the quit command to return to the AAA view.

Step 6 (Optional) Run the quit command to return to the system view.

Step 7 (Optional) Run the value-added-service edsg report-car-dropped-flow enable
command to enable the function of reporting CAR-dropped EDSG service traffic.

Step 8 Run the commit command to commit the configuration.

----End

(Optional) Configuring EDSG Service Rate Limiting and Traffic Statistics Collection
Policies

Context
If EDSG service traffic consumes the user traffic bandwidth, run the
edsg traffic-mode rate together statistic together command so that rate limiting
is performed on user traffic after it is performed on service traffic. For example,
when the service traffic bandwidth is 2 Mbit/s and the user traffic bandwidth is 5
Mbit/s, if a user accesses services and consumes 2 Mbit/s service traffic bandwidth,
the user can only use the remaining 3 Mbit/s user traffic bandwidth to access
other services.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the aaa command to enter the AAA view.

Step 3 Run the domain domain-name command to enter the domain view.
Step 4 Run the edsg traffic-mode rate { separate | together } statistic together
command to configure an EDSG service rate limit policy and a traffic statistics
collection policy.
Step 5 Run the commit command to commit the configuration.

----End

(Optional) Enabling EDSG Services to Support HQoS Scheduling for Home Users
This section describes how to enable EDSG services to support HQoS scheduling
for home users in an AAA domain.

Context
Home users support HQoS, but differentiated traffic statistics collection and
accounting cannot be performed for different user services. To resolve this issue,
enable EDSG services to support HQoS scheduling for home users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run value-added-service edsg family-schedule { inbound | outbound }
EDSG services are enabled to support HQoS scheduling for home users.
Step 5 Run commit
The configuration is committed.

----End

(Optional) Configuring EDSG Service Traffic to Match a User Group


This section describes how to configure EDSG service traffic to match a user group
in load-balancing scenarios.

Context
In load-balancing scenarios, after user traffic matches EDSG services, it must
continue to match a user group for service selection.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run service-policy name policy-name edsg
The EDSG service policy view is displayed.
Step 3 Run traffic match user-group [ inbound | outbound ]
EDSG service traffic is configured to match a user group.

NOTE

For DS-Lite users, the EDSG service matches the inner IPv4 address of the tunnel.

Step 4 Run commit


The configuration is committed.

----End

(Optional) Configuring Accounting Copy for EDSG Services


This section describes how to enable the copy function for EDSG service
accounting packets in a user access domain.

Context
If the original accounting packet information of EDSG services must be retained,
configure the device to send EDSG service accounting packets to a RADIUS copy
server group. The copied packets serve as the original accounting information in
subsequent settlement.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run service-policy accounting-copy radius-server group-name
EDSG service accounting copy is enabled, and a RADIUS copy server group is
configured.
Step 5 Run commit
The configuration is committed.

----End

(Optional) Configuring Accounting Packet Merging for Value-added Services


This section describes how to configure accounting packet merging for value-
added services to reduce the number of packets sent to a RADIUS accounting
server.

Context
When a large number of users go online and each user applies for many value-
added services, a large number of accounting packets are generated. The
processing capability of a RADIUS accounting server is limited. To prevent the
number of accounting packets from exceeding the processing capability of a
RADIUS accounting server, the number of accounting packets sent by a device to a
RADIUS accounting server must be reduced to relieve the pressure on the RADIUS
accounting server.

Procedure
Step 1 Enable accounting packet merging for value-added services.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.
3. Run domain domain-name
The domain view is displayed.
4. Run value-added-service accounting-merge edsg { stop | interim interval
interval [ hash ] }
Accounting packet merging is enabled for value-added services.
5. Run the commit command to commit the configuration.
Step 2 (Optional) Set the maximum length of a post-merging accounting packet for
value-added services.
1. Run system-view
The system view is displayed.
2. Run radius-server group groupname
The RADIUS server group view is displayed.
3. Run radius-server accounting-merge max-length length
The maximum length is set for a post-merging accounting packet for value-
added services.
4. Run the commit command to commit the configuration.
Step 3 (Optional) Enable a post-merging accounting packet that fails to be sent for
value-added services to enter the accounting packet cache.
1. Run system-view
The system view is displayed.
2. Run value-added-service accounting-merge cache enable
A post-merging accounting packet that fails to be sent for value-added
services is enabled to enter the accounting packet cache.
3. Run the commit command to commit the configuration.

----End

(Optional) Enabling the Captive Portal Function Based on EDSG Services


After an HTTP redirection profile is bound to a service policy, the captive portal
function based on EDSG services is enabled. When users visit HTTP web pages
matching service traffic, the service traffic is redirected to a specified page.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure a redirection profile.


1. Run http-redirect-profile profile-name

An HTTP redirection profile is created.


2. Run web-server url redirect-url

The destination link for user HTTP redirection is configured.


3. (Optional) Run web-server redirect-limit limit-value [ limit-value | infinite ]

The number of times advertisements are forcibly pushed for an HTTP
redirection profile is configured.
4. Run quit

The system view is displayed.

Step 3 Apply the redirection profile in the service policy view.


1. Run service-policy name policy-name edsg

An EDSG service policy profile is created and the EDSG service policy profile
view is displayed.
2. (Optional) Run web-server redirect-key user-ip-address user-ip-key

The user IP address and name carried in the URL to which EDSG users are
redirected in mandatory web authentication are configured.
3. Run either of the following commands to bind the redirection profile to the
service policy view.
– If users are required to be redirected to a specified page while visiting
HTTP web pages matching service traffic, run the http-redirect-profile
profile-name command to bind the redirection profile to the service
policy view.
– If the traffic matching the service needs to be redirected instantly after
the service is activated, run the service force redirect redirect-profile-
name command to bind the redirection profile to the service policy view.

Step 4 Run commit

The configuration is committed.

----End

(Optional) Configuring the Device to Use the Inner IPv4 Address of Each IPv4-in-
IPv6 Packet to Match IPv4 UCLs of EDSG Services
You can configure this function to allow IPv4-in-IPv6 packets to use inner IPv4
addresses to match IPv4 UCLs of EDSG services.

Context
By default, the device uses the outer IPv6 header in each IPv4-in-IPv6 packet to
match EDSG services. To allow EDSG rate limiting and accounting based on inner
IPv4 addresses, perform the following steps to configure the device to use inner
IPv4 addresses to match IPv4 UCLs of EDSG services.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run value-added-service edsg centralized-ds-lite
The function to use the inner IPv4 address of each IPv4-in-IPv6 packet to match
EDSG services is configured.

----End

(Optional) Configuring RADIUS Attributes


To enable attributes delivered by a RADIUS server through CoA packets or RADIUS
to take effect, you must configure these attributes on the NetEngine 8100 M,
NetEngine 8000E M, and NetEngine 8000 M.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run value-added-service edsg modify-synchronous attribute-name
A specified attribute is enabled to take effect upon activation or deactivation of
EDSG services.
Step 4 Run value-added-service edsg accounting interim send-update user-ip enable
The device is enabled to send a real-time accounting packet carrying the HW-
Acct-Update-Address (26-159) attribute with a value of 1 for EDSG services when
the user address changes.

----End
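
To confirm on the accounting server side that Step 4 is in effect, the following added example (not Huawei code) parses a RADIUS Accounting-Request and reports whether it carries HW-Acct-Update-Address (26-159) with a value of 1. It assumes the RFC 2865 Vendor-Specific layout, Huawei's enterprise number 2011, a 4-byte integer value, and that a real-time accounting packet is an Acct-Status-Type Interim-Update; the sample packet is constructed.

```python
import struct

HUAWEI_VENDOR_ID = 2011        # Huawei's IANA enterprise number
VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute
HW_ACCT_UPDATE_ADDRESS = 159   # sub-attribute number from the guide (26-159)
ACCOUNTING_REQUEST = 4         # RFC 2866 packet code
ACCT_STATUS_TYPE = 40          # RFC 2866 attribute
INTERIM_UPDATE = 3             # assumed to be what the guide calls real-time accounting


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) for a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def huawei_subattributes(value):
    """Return [(vendor_type, data), ...] from one Vendor-Specific value, [] if not Huawei."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
        return []
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("vendor sub-attribute length out of bounds")
        subs.append((value[pos], value[pos + 2:pos + value[pos + 1]]))
        pos += value[pos + 1]
    return subs


def is_address_update(packet):
    """True for an interim Accounting-Request with HW-Acct-Update-Address set to 1."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        return False
    interim = any(t == ACCT_STATUS_TYPE and v == struct.pack("!I", INTERIM_UPDATE)
                  for t, v in attrs)
    flagged = any(vt == HW_ACCT_UPDATE_ADDRESS and data == struct.pack("!I", 1)
                  for t, v in attrs if t == VENDOR_SPECIFIC
                  for vt, data in huawei_subattributes(v))
    return interim and flagged


def build_sample(status, vendor_id=HUAWEI_VENDOR_ID, with_vsa=True):
    """Build a constructed Accounting-Request (all-zero authenticator, not verifiable)."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    if with_vsa:
        sub = bytes([HW_ACCT_UPDATE_ADDRESS, 6]) + struct.pack("!I", 1)
        vsa = struct.pack("!I", vendor_id) + sub
        attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print("address update seen:", is_address_update(build_sample(INTERIM_UPDATE)))
```

The parser does not verify the Request Authenticator, which requires the shared key configured for the RADIUS server group.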

Verifying the Configuration


After configuring EDSG services successfully, check information about the
configured service policies and users' value-added services and ensure that EDSG
services run properly.

Procedure
● Run the display service-policy { configuration [ name config-policy-name ] |
cache [ name config-policy-name ] } command to check the EDSG service
policy configuration.
● Run the display service-policy configuration global command to check
global service policy configurations.
● Run the display prepaid-profile [ name prepaid-profile-name ] command to
check information about a specified prepaid profile.
● Run the display value-added-service update-online-edsg process-
information command to check online EDSG service update information.
● Run the display value-added-service policy command to check service policy
information.
● Run the display value-added-service user command to check information
about users' value-added services.
● Run the display value-added-service edsg time-range process-information
command to check the process of updating the EDSG service bandwidth
based on a time range.
● Run the display value-added-service user edsg with-car-dropped-flow
command to check information about users whose EDSG service traffic is
dropped by CAR.
● Run the display value-added-service user user-id user-id edsg command to
check information about a specified user's EDSG services whose traffic is
dropped by CAR.
● Run the display value-added-service user user-id user-id edsg service-index
service-index-value command to check information about a specified user's
specified EDSG service whose traffic is dropped by CAR.

----End

1.1.3.2.4 Maintaining EDSG


This section describes how to clear EDSG service information and monitor the
running status of EDSG services.

Checking the Running Status of EDSG Services


This section describes how to check the running status of EDSG services.

Context
During routine maintenance, you can perform the following operations to check
the running status of EDSG services.

Procedure
● Run the display service activate-fail-record [ time begin-time end-time
[ date begin-date end-date ] | user-id user-id | policy-name policy-name ] *
command in any view to view information about EDSG service activation
failures.
● Run the display service deactivate-record [ time begin-time end-time [ date
begin-date end-date ] | user-id user-id | policy-name policy-name ] *
command in any view to view EDSG service deactivation information.
● Run the display service update-fail-record [ time begin-time end-time
[ date begin-date end-date ] | user-id user-id | policy-name policy-name ] *
command in any view to view information about EDSG service update
failures.
● Run the display service update-fail-record statistics command in any view
to view statistics about EDSG service update failures.
● Run the display service-policy { configuration [ name configuration-policy-
name ] | cache [ name cache-policy-name ] } command in any view to view
information about service policies, including locally configured service policies
and cached service policies that are downloaded from a server.
● Run the display value-added-service user command to view information
about a value-added service.
● Run the display service-policy configuration global command in any view
to view global service policy configurations.
● Run the display service-policy download-configuration command in any
view to view the mode in which a service policy is obtained.
● Run the display prepaid-profile [ name prepaid-profile-name ] command in
any view to view prepaid profile configurations.

----End

Enabling the EDSG Service Activation Failure or Deactivation Record Function


For fault diagnosis and locating, you can enable the EDSG service activation
failure or deactivation record function.

Procedure
● In the system view, run service activate-fail-record

The EDSG service activation failure record function is enabled.


● In the system view, run service deactivate-record

The EDSG service deactivation record function is enabled.

----End

Clearing EDSG Service Information


If EDSG services fail, you can clear the historical information about EDSG service
failures before attempting to reproduce the fault.

Context

NOTICE

After you clear the historical information about EDSG service failures, the
information cannot be restored. Exercise caution when clearing information about
EDSG service failures.

Procedure
● Run the reset service activate-fail-record command in the user view to clear
information about EDSG service activation failures.
● Run the reset service deactivate-record command in the user view to clear
EDSG service deactivation information.
● Run the reset service update-fail-record command in the user view to clear
information about EDSG service update failures.
● Run the reset value-added-service edsg time-range process-information
command in the user view to clear the process of updating the EDSG service
bandwidth based on a time range.
● Run the reset value-added-service user user-id user-id-val edsg [ service-
index service-index-value ] car-dropped-flow statistics command in the user
view to clear statistics about CAR-dropped EDSG service traffic.

----End

1.1.3.2.5 EDSG Configuration Examples

Example for Activating the EDSG Services Downloaded from Local Configurations
Through RADIUS
This section provides an example for activating the EDSG services downloaded
from local configurations through RADIUS.

Networking Requirements
On the network shown in Figure 1-34, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively.

Figure 1-34 EDSG service networking


NOTE

In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.

NOTE

The AAA server shown in Figure 1-34 also functions as a policy server and delivers services
through RADIUS.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure RADIUS authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a local address pool.
8. Bind the local address pool and RADIUS server group to an AAA domain.
9. Configure interfaces.
10. Configure access users.

Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range

● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, authentication scheme, accounting scheme, and
bandwidths for uplink and downlink traffic rate limiting for EDSG services

Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit

Step 2 Configure policy servers.


# Set the RADIUS server group name to rad_group1, the RADIUS authentication
server's IP address and port number to 10.10.10.2 and 1812, the RADIUS
accounting server's IP address and port number to 10.10.10.2 and 1813, and the
shared key for the RADIUS authentication and accounting servers to
YsHsjx_202206.
[~HUAWEI] radius-server group rad_group1
[*HUAWEI-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-rad_group1] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-rad_group1] commit
[*HUAWEI-radius-rad_group1] quit

NOTE

For details about how to configure a RADIUS server group, see Configuring a Device as a
RADIUS Client in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide - User
Access.

Step 3 Configure an EDSG traffic policy.


1. Create service groups.
[~HUAWEI] service-group s_1m
[*HUAWEI] service-group s_2m
[*HUAWEI] commit
2. Configure ACL rules for service groups.
# Configure ACL 6020 and define ACL rules for the service group s_1m.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
3. Define traffic classifiers.
# Define a traffic classifier named c1.

[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit

# Define a traffic classifier named c2.


[~HUAWEI] traffic classifier c2
[*HUAWEI-classifier-c2] if-match acl 6021
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit

4. Define traffic behaviors.


# Define a traffic behavior named b1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit

# Define a traffic behavior b2.


[~HUAWEI] traffic behavior b2
[*HUAWEI-behavior-b2] commit
[~HUAWEI-behavior-b2] quit

5. Configure an EDSG traffic policy.


# Configure an EDSG traffic policy named traffic_policy_edsg, and associate
traffic classifiers c1 and c2 with traffic behaviors b1 and b2, respectively.
[~HUAWEI] traffic policy traffic_policy_edsg
[*HUAWEI-policy-traffic_policy_edsg] share-mode
[*HUAWEI-policy-traffic_policy_edsg] classifier c1 behavior b1
[*HUAWEI-policy-traffic_policy_edsg] classifier c2 behavior b2
[*HUAWEI-policy-traffic_policy_edsg] commit
[~HUAWEI-policy-traffic_policy_edsg] quit

6. Apply the EDSG traffic policy globally.


[~HUAWEI] traffic-policy traffic_policy_edsg inbound
[*HUAWEI] traffic-policy traffic_policy_edsg outbound
[*HUAWEI] commit

Step 4 Configure AAA authentication and accounting schemes.


# Configure an AAA authentication scheme named auth1 and specify RADIUS
authentication as the authentication mode.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

# Configure an AAA accounting scheme named acct1 and specify RADIUS
accounting as the accounting mode.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit

Step 5 Configure a mode in which EDSG service policies are downloaded.


# Configure the mode "first from local configurations and then from a RADIUS
server." In this mode, the BRAS first attempts to obtain an EDSG service policy
from local configurations. If no EDSG service policy is locally configured, the BRAS
obtains an EDSG service policy from a RADIUS server.

[~HUAWEI] service-policy download local radius rad_group1 password cipher YsHsjx_202206
[*HUAWEI] commit

NOTE

An EDSG service policy can be downloaded in four modes: from local configurations, from a
RADIUS server, first from local configurations and then from a RADIUS server, and first from
a RADIUS server and then from local configurations. You can run the service-policy
download command to configure a mode in which EDSG service policies are downloaded.

Step 6 Configure EDSG service policies.


1. Configure an EDSG service policy for access to network 1.
# Create an EDSG service policy named service_edsg1.
[~HUAWEI] service-policy name service_edsg1 edsg

# Bind the service group s_1m to the EDSG service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] service-group s_1m

# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] radius-server group rad_group1

# Bind the authentication scheme auth1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] authentication-scheme auth1

# Bind the accounting scheme acct1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 inbound

# Set the bandwidth for downlink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit

2. Configure an EDSG service policy for access to network 2.


# Create an EDSG service policy named service_edsg2.
[~HUAWEI] service-policy name service_edsg2 edsg

# Bind the service group s_2m to the EDSG service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] service-group s_2m

# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] radius-server group rad_group1

# Bind the authentication scheme auth1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] authentication-scheme auth1

# Bind the accounting scheme acct1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 inbound

# Set the bandwidth for downlink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit

Step 7 Configure a local address pool.

# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[*HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[*HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[*HUAWEI-ip-pool-edsg_pool] commit
[~HUAWEI-ip-pool-edsg_pool] quit

Step 8 Bind the local address pool and RADIUS server group to an AAA domain. By
default, the rate of EDSG service traffic is separately limited and is not affected by
user bandwidth. Only non-service traffic is counted as user traffic. To change EDSG
service traffic rate limiting and statistics collection policies, run the edsg
traffic-mode rate { separate | together } statistic together command.

# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] quit
[~HUAWEI-aaa] quit

Step 9 Configure interfaces.


1. Configure a BAS interface.
NOTE

For details about how to configure a BAS interface, see Example for Configuring PPPoE
Access for IPv4 Users in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide -
User Access.
[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[~HUAWEI-GigabitEthernet0/1/2.1] bas
[~HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] quit

2. Configure an uplink interface.


[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] quit

3. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

Step 10 Configure access users. (This step is performed on the RADIUS server.)
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.

NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Account-Info
(vendor ID=2011; attribute number=184) with the value of
Aservice_edsg1;d1;huawei and Aservice_edsg2;d2;huawei for PPPoE user 1.

NOTE

The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
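
The Huawei-Account-Info values from this step, framed as RADIUS Vendor-Specific attributes and parsed back into their fields. This is an added example, not code from the guide: the function names are hypothetical, the attribute run is constructed, and it assumes one sub-attribute per Vendor-Specific attribute and only the A<service policy>;<name>;<password> form shown above.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS Vendor-Specific attribute type (RFC 2865)
HUAWEI_VENDOR_ID = 2011     # vendor ID stated in the guide
ACCOUNT_INFO = 184          # Huawei-Account-Info attribute number stated in the guide


def encode_account_info(value):
    """Frame one Huawei-Account-Info string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)      # vendor type + vendor length + data
    attr_len = 6 + vendor_len       # type + length + 4-byte vendor ID + sub-attribute
    if attr_len > 255:
        raise ValueError("value does not fit in one RADIUS attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                         HUAWEI_VENDOR_ID, ACCOUNT_INFO, vendor_len)
    return header + data


def decode_account_info(attributes):
    """Return every Huawei-Account-Info string in a run of RADIUS attributes."""
    values, pos = [], 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("attribute length out of range")
        body = attributes[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", body[:6])
        if (vendor_id, vendor_type) != (HUAWEI_VENDOR_ID, ACCOUNT_INFO):
            continue
        # Assumption: a single sub-attribute fills the whole Vendor-Specific body.
        if vendor_len != len(body) - 4:
            raise ValueError("vendor length does not match attribute length")
        values.append(body[6:].decode("ascii"))
    return values


def parse_account_info(value):
    """Split 'A<service policy>;<auth name>;<password>' into its fields."""
    if not value.startswith("A"):
        raise ValueError("only the 'A' form shown in the guide is handled")
    fields = value[1:].split(";")
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected service policy, name and password")
    return dict(zip(("service", "auth_name", "password"), fields))


def redact(value):
    """Mask the service password so the value can be written to a log."""
    info = parse_account_info(value)
    return f"A{info['service']};{info['auth_name']};******"


def unknown_services(values, configured):
    """List delivered service policies that are not configured on the BRAS."""
    return [s for s in (parse_account_info(v)["service"] for v in values)
            if s not in configured]


if __name__ == "__main__":
    # Constructed attribute run: User-Name plus the two values from Step 10.
    run = (bytes([1, 7]) + b"user1"
           + encode_account_info("Aservice_edsg1;d1;huawei")
           + encode_account_info("Aservice_edsg2;d2;huawei"))
    for v in decode_account_info(run):
        print(redact(v))
    print(unknown_services(decode_account_info(run), {"service_edsg1"}))
```

The service password sits in the attribute value as plain text, so anything that logs or displays these attributes should pass them through a redaction step such as redact() first.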

Step 11 Verify the configuration.


# Obtain the ID of the online user.
<HUAWEI> display value-added-service user edsg
The used user id table are:
128000

# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------

# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------

# View traffic information of the online user.
<HUAWEI> display access-user domain domain1 verbose
-------------------------------------------------------------------
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,12799800)
Up bytes number(high,low) : (2,4094944316)
Down packets number(high,low) : (0,12634395)
Down bytes number(high,low) : (2,4145535568)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Value-added-service Flow Statistic:
EDSG(service1) Up packets number(high,low) : (0,12774777)
EDSG(service1) Up bytes number(high,low) : (2,4069869415)
EDSG(service1) Down packets number(high,low) : (0,0)
EDSG(service1) Down bytes number(high,low) : (0,0)

----End

Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
aaa
authentication-scheme auth1
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
service-policy download local radius rad_group1 password cipher $$e:TY%^%glhJ;yPG#$=tC&(Is%q!S_";(k.Ef
$%^%#:978
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return

Example for Configuring EDSG Service Bandwidth Limiting Locally


This section describes how to configure an EDSG service policy locally and apply it
to an AAA domain. All users in the AAA domain use the EDSG service policy, which
implements differentiated accounting and rate limiting for users who access
different subnets.

Networking Requirements
On the network shown in Figure 1-35, PPPoE users go online from domain1.
PPPoE users' traffic fees and bandwidth requirements for accessing network 1
(192.168.100.0/24) and network 2 (192.168.200.0/24) differ greatly. The upstream
and downstream bandwidths for accessing network 1 are limited to 1 Mbit/s, and
those for accessing network 2 are limited to 2 Mbit/s.

Figure 1-35 EDSG service networking


NOTE

In this example, interface1, interface2, interface3, subinterface3.1, and subinterface3.2
represent GE0/1/2, GE0/1/1, GE0/1/0, GE0/1/0.1, and GE0/1/0.2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure a RADIUS server.
3. Configure an EDSG traffic policy.
4. Configure AAA authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a service policy group.
8. Configure a local address pool.
9. Configure an AAA domain.
10. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:
● Parameters related to the RADIUS server, including the IP address and port
number.
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, authentication scheme, accounting scheme, and
bandwidths for uplink and downlink traffic rate limiting for EDSG services
● Name of the service policy group bound to the domain, name of the local
address pool, gateway, and range of the user address pool.

Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit

Step 2 Configure policy servers.


# Set the RADIUS server group name to rad_group1, the RADIUS authentication
server's IP address and port number to 10.10.10.2 and 1812, the RADIUS
accounting server's IP address and port number to 10.10.10.2 and 1813, and the
shared key for the RADIUS authentication and accounting servers to
YsHsjx_202206.
[~HUAWEI] radius-server group rad_group1
[*HUAWEI-radius-rad_group1] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-rad_group1] commit
[~HUAWEI-radius-rad_group1] quit

Step 3 Configure an EDSG traffic policy.


1. Create service groups.
[~HUAWEI] service-group s_1m
[*HUAWEI] service-group s_2m
[*HUAWEI] commit
2. Configure ACL rules for service groups.
# Configure ACL 6020 and define ACL rules for the service group s_1m.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
3. Configure traffic classifiers.
# Configure a traffic classifier named c1.
[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit

# Configure a traffic classifier named c2.
[~HUAWEI] traffic classifier c2
[*HUAWEI-classifier-c2] if-match acl 6021
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit
4. Configure traffic behaviors.
# Configure a traffic behavior named b1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit

# Configure a traffic behavior named b2.
[~HUAWEI] traffic behavior b2
[*HUAWEI-behavior-b2] commit
[~HUAWEI-behavior-b2] quit
5. Configure an EDSG traffic policy.
# Configure an EDSG traffic policy named traffic_policy_edsg, and associate
traffic classifiers c1 and c2 with traffic behaviors b1 and b2, respectively.
[~HUAWEI] traffic policy traffic_policy_edsg
[*HUAWEI-policy-traffic_policy_edsg] share-mode
[*HUAWEI-policy-traffic_policy_edsg] classifier c1 behavior b1
[*HUAWEI-policy-traffic_policy_edsg] classifier c2 behavior b2
[*HUAWEI-policy-traffic_policy_edsg] commit
[~HUAWEI-policy-traffic_policy_edsg] quit

6. Apply the EDSG traffic policy globally.
[~HUAWEI] traffic-policy traffic_policy_edsg inbound
[*HUAWEI] traffic-policy traffic_policy_edsg outbound
[~HUAWEI] commit

Step 4 Configure AAA authentication and accounting schemes.

# Configure two AAA authentication schemes: auth1, with the authentication mode
set to RADIUS, and none, with the authentication mode set to none.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
[~HUAWEI-aaa] authentication-scheme none
[*HUAWEI-aaa-authen-none] authentication-mode none
[*HUAWEI-aaa-authen-none] commit
[~HUAWEI-aaa-authen-none] quit

# Configure an AAA accounting scheme named acct1 and specify RADIUS
accounting as the accounting mode.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit

Step 5 Configure the mode in which EDSG service policies are downloaded as local
download.
[~HUAWEI] service-policy download local
[*HUAWEI] commit

Step 6 Configure EDSG service policies.


1. Configure an EDSG service policy for access to network 1.

# Create an EDSG service policy named service_edsg1.
[~HUAWEI] service-policy name service_edsg1 edsg

# Bind the service group s_1m to the EDSG service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] service-group s_1m
[~HUAWEI-service-policy-service_edsg1] commit

# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg1.
[~HUAWEI-service-policy-service_edsg1] radius-server group rad_group1

# Bind the authentication scheme none to the EDSG service policy
service_edsg1.
[~HUAWEI-service-policy-service_edsg1] authentication-scheme none

# Bind the accounting scheme acct1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 inbound

# Set the bandwidth for downlink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit

2. Configure an EDSG service policy for access to network 2.


# Create an EDSG service policy named service_edsg2.
[~HUAWEI] service-policy name service_edsg2 edsg

# Bind the service group s_2m to the EDSG service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] service-group s_2m
[~HUAWEI-service-policy-service_edsg2] commit

# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg2.
[~HUAWEI-service-policy-service_edsg2] radius-server group rad_group1

# Bind the authentication scheme none to the EDSG service policy
service_edsg2.
[~HUAWEI-service-policy-service_edsg2] authentication-scheme none

# Bind the accounting scheme acct1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 inbound

# Set the bandwidth for downlink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit

Step 7 Configure a service policy group.


[~HUAWEI] service-policy-group group1
[*HUAWEI-service-policy-group-group1] service-policy service_edsg1
[*HUAWEI-service-policy-group-group1] service-policy service_edsg2
[*HUAWEI-service-policy-group-group1] commit
[~HUAWEI-service-policy-group-group1] quit

Step 8 Configure a local address pool.


# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[*HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[*HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[*HUAWEI-ip-pool-edsg_pool] commit
[~HUAWEI-ip-pool-edsg_pool] quit

Step 9 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool, RADIUS server group rad_group1, and
service policy group group1 to the AAA domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] service-policy-group group1
[*HUAWEI-aaa-domain-domain1] authentication-scheme auth1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 10 Configure interfaces.


1. Configure a BAS interface.
NOTE

For details about how to configure a BAS interface, see Example for Configuring PPPoE
Access for IPv4 Users in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide -
User Access.
[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] quit
2. Configure an uplink interface.
[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
3. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

Step 11 Verify the configuration.


# Check the ID of the online user.
<HUAWEI> display value-added-service user edsg
The used user id table are:
128000

# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------

# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------

# View traffic information of the online user.
<HUAWEI> display access-user domain domain1 verbose
-------------------------------------------------------------------
Active EDSG services by order:
Service0 info : service_edsg1
Service1 info : service_edsg2

Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,0)
Up bytes number(high,low) : (0,0)
Down packets number(high,low) : (0,0)
Down bytes number(high,low) : (0,0)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Value-added-service Flow Statistic:
EDSG(service0) Up packets number(high,low) : (0,0)
EDSG(service0) Up bytes number(high,low) : (0,0)
EDSG(service0) Down packets number(high,low) : (0,0)
EDSG(service0) Down bytes number(high,low) : (0,0)
EDSG(service1) Up packets number(high,low) : (0,0)
EDSG(service1) Up bytes number(high,low) : (0,0)
EDSG(service1) Down packets number(high,low) : (0,0)
EDSG(service1) Down bytes number(high,low) : (0,0)

----End

Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme none
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme none
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
#
service-policy-group group1
service-policy service_edsg1
service-policy service_edsg2
#
aaa
authentication-scheme auth1
authentication-mode radius
authentication-scheme none
authentication-mode none
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
service-policy-group group1
authentication-scheme auth1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 11 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 16 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return
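
An EDSG service policy takes effect only if the service group, RADIUS server group and AAA schemes it names are defined, its service group appears in ACL rules for both traffic directions, and both rate limits are set. The following added example (not part of the guide; function names are hypothetical and the sample configuration is constructed with deliberate defects) audits those cross-references in a configuration file laid out like the one above.

```python
import re

# Constructed sample in the flattened layout of the configuration file above,
# carrying three deliberate defects for the audit to report.
SAMPLE_CONFIG = """\
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme none
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_3m
authentication-scheme none
accounting-scheme acct1
rate-limit cir 2000 inbound
#
aaa
authentication-scheme auth1
authentication-scheme none
accounting-scheme acct1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
#
return
"""


def sections(text):
    """Yield the blocks of a configuration file, which '#' lines delimit."""
    block = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def audit(text):
    """Return (policy, problem) pairs for every EDSG service policy."""
    radius_groups, service_groups, schemes = set(), set(), set()
    acl_dirs, policies = {}, {}
    for block in sections(text):
        head = block[0]
        if m := re.fullmatch(r"radius-server group (\S+)", head):
            radius_groups.add(m.group(1))
        elif m := re.fullmatch(r"service-policy name (\S+) edsg", head):
            policies[m.group(1)] = [line.split() for line in block[1:]]
        elif head == "aaa":
            schemes.update(tuple(l.split()[:2]) for l in block[1:] if "-scheme " in l)
        elif head.startswith("service-group "):
            service_groups.update(line.split()[1] for line in block)
        elif head.startswith("acl number "):
            for direction, group in re.findall(
                    r"(source|destination) service-group (\S+)", " ".join(block)):
                acl_dirs.setdefault(group, set()).add(direction)
    findings = []
    for name, body in sorted(policies.items()):
        limits = set()
        for words in body:
            if words[:2] == ["radius-server", "group"]:
                if words[2] not in radius_groups:
                    findings.append((name, f"undefined RADIUS server group {words[2]}"))
            elif words[0] == "service-group":
                if words[1] not in service_groups:
                    findings.append((name, f"undefined service group {words[1]}"))
                    continue
                # The guide defines one ACL rule per traffic direction for each group.
                for d in sorted({"source", "destination"} - acl_dirs.get(words[1], set())):
                    findings.append((name, f"no ACL rule with {d} service-group {words[1]}"))
            elif words[0].endswith("-scheme"):
                if tuple(words[:2]) not in schemes:
                    findings.append((name, f"undefined {words[0]} {words[1]}"))
            elif words[:2] == ["rate-limit", "cir"]:
                limits.add(words[-1])
        for direction in ("inbound", "outbound"):
            if direction not in limits:
                findings.append((name, f"no {direction} rate-limit"))
    return findings


if __name__ == "__main__":
    for policy, problem in audit(SAMPLE_CONFIG):
        print(f"{policy}: {problem}")
```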

Example for Configuring the Delivery of the EDSG Rate Limiting Service Through a
RADIUS Server
This section provides an example for configuring the delivery of the EDSG rate
limiting service through a RADIUS server. In this example, the RADIUS server uses
authentication packets to deliver EDSG services, and the uplink and downlink
bandwidths of EDSG service policies are configured.

Networking Requirements
On the network shown in Figure 1-36, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively. The AAA server uses RADIUS to deliver EDSG service policies in which
parameters, such as the authentication scheme, accounting scheme, and
bandwidths for uplink and downlink traffic rate limit, are specified.

Figure 1-36 EDSG service networking


NOTE

In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.

NOTE

The AAA server shown in Figure 1-36 also functions as a policy server and delivers services
through RADIUS.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure RADIUS authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a local address pool.
8. Bind the local address pool and RADIUS server group to an AAA domain.
9. Configure interfaces.
10. Configure access users.

Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range

● EDSG service policy parameters, such as the mode in which an EDSG service
policy is downloaded, policy name, bound RADIUS server group,
authentication scheme, accounting scheme, and bandwidths for uplink and
downlink traffic rate limiting for EDSG services

Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit

Step 2 Configure policy servers.


# Set the RADIUS server group name to rad_group1, the RADIUS authentication
server's IP address and port number to 10.10.10.2 and 1812, the RADIUS
accounting server's IP address and port number to 10.10.10.2 and 1813, and the
shared key for the RADIUS authentication and accounting servers to
YsHsjx_202206.
[~HUAWEI] radius-server group rad_group1
[*HUAWEI-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-rad_group1] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-rad_group1] commit
[~HUAWEI-radius-rad_group1] quit

NOTE

For details about how to configure a RADIUS server group, see Configuring a Device as a
RADIUS Client in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide - User
Access.

Step 3 Configure an EDSG traffic policy.


1. Create service groups.
[~HUAWEI] service-group s_1m
[*HUAWEI] service-group s_2m
[*HUAWEI] commit
2. Configure ACL rules for service groups.
# Configure ACL 6020 and define ACL rules for the service group s_1m.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit
3. Define traffic classifiers.
# Define a traffic classifier named c1.
[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit

# Define a traffic classifier named c2.
[~HUAWEI] traffic classifier c2
[*HUAWEI-classifier-c2] if-match acl 6021
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit

4. Define traffic behaviors.


# Define a traffic behavior named b1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit

# Define a traffic behavior named b2.
[~HUAWEI] traffic behavior b2
[*HUAWEI-behavior-b2] commit
[~HUAWEI-behavior-b2] quit

5. Configure an EDSG traffic policy.


# Configure an EDSG traffic policy named traffic_policy_edsg, and associate
traffic classifiers c1 and c2 with traffic behaviors b1 and b2, respectively.
[~HUAWEI] traffic policy traffic_policy_edsg
[*HUAWEI-policy-traffic_policy_edsg] share-mode
[*HUAWEI-policy-traffic_policy_edsg] classifier c1 behavior b1
[*HUAWEI-policy-traffic_policy_edsg] classifier c2 behavior b2
[*HUAWEI-policy-traffic_policy_edsg] commit
[~HUAWEI-policy-traffic_policy_edsg] quit

6. Apply the EDSG traffic policy globally.


[~HUAWEI] traffic-policy traffic_policy_edsg inbound
[*HUAWEI] traffic-policy traffic_policy_edsg outbound
[*HUAWEI] commit

Step 4 Configure AAA authentication and accounting schemes.


# Configure an AAA authentication scheme named auth1 and specify RADIUS
authentication as the authentication mode.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit

# Configure an AAA accounting scheme named acct1 and specify RADIUS
accounting as the accounting mode.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 5 Configure a mode in which EDSG service policies are downloaded.


# Configure the RADIUS mode for downloading EDSG service policies. In this
mode, EDSG service policies are downloaded from the RADIUS server through
authentication packets.
[~HUAWEI] service-policy download radius rad_group1 password cipher YsHsjx_202206
[*HUAWEI] commit

Step 6 Configure EDSG service policies. (This step is performed on the RADIUS server.)
1. Configure an EDSG service policy for access to network 1.
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg1.

NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-AVpair
(vendor ID=2011; attribute number=188) for the service policy service_edsg1.
– <service:service-group>: service_edsg1 is bound to the service group
s_1m.
The value of Huawei-AVpair is service:service-group=s_1m.
– <service:authentication-scheme>: The authentication scheme auth1 is set
for the service policy service_edsg1.
The value of Huawei-AVpair is service:authentication-scheme=auth1.
– <service:accounting-scheme>: The accounting scheme acct1 is set for the
service policy service_edsg1.
The value of Huawei-AVpair is service:accounting-scheme=acct1.
– <service:radius-server-group>: The RADIUS server group rad_group1 is set
for the service policy service_edsg1.
The value of Huawei-AVpair is service:radius-server-group=rad_group1.
# Configure the RADIUS server to deliver the RADIUS attribute HW-Input-
Committed-Information-Rate (vendor ID=2011; attribute number=2) for the
service policy service_edsg1. The value of HW-Input-Committed-Information-
Rate is 1000000 bits. This attribute indicates that the uplink bandwidth is set
to 1 Mbit/s for the service policy service_edsg1.
# Configure the RADIUS server to deliver the RADIUS attribute HW-Output-
Committed-Information-Rate (vendor ID=2011; attribute number=5) for the
service policy service_edsg1. The value of HW-Output-Committed-
Information-Rate is 1000000 bits. This attribute indicates that the downlink
bandwidth is set to 1 Mbit/s for the service policy service_edsg1.
2. Configure an EDSG service policy for access to network 2.
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg2.
# Configure the RADIUS server to deliver the RADIUS attribute Huawei-AVpair
(vendor ID=2011; attribute number=188) for the service policy service_edsg2.
– <service:service-group>: The service policy service_edsg2 is bound to the
service group s_2m.
The value of Huawei-AVpair is service:service-group=s_2m.
– <service:authentication-scheme>: The authentication scheme auth1 is set
for the service policy service_edsg2.
The value of Huawei-AVpair is service:authentication-scheme=auth1.

– <service:accounting-scheme>: The accounting scheme acct1 is set for the
service policy service_edsg2.
The value of Huawei-AVpair is service:accounting-scheme=acct1.
– <service:radius-server-group>: The RADIUS server group rad_group1 is set
for the service policy service_edsg2.
The value of Huawei-AVpair is service:radius-server-group=rad_group1.
# Configure the RADIUS server to deliver the RADIUS attribute HW-Input-
Committed-Information-Rate (vendor ID=2011; attribute number=2) for the
service policy service_edsg2. The value of HW-Input-Committed-Information-
Rate is 2000000 bits. This attribute indicates that the uplink bandwidth is set
to 2 Mbit/s for the service policy service_edsg2.
# Configure the RADIUS server to deliver the RADIUS attribute HW-Output-
Committed-Information-Rate (vendor ID=2011; attribute number=5) for the
service policy service_edsg2. The value of HW-Output-Committed-
Information-Rate is 2000000 bits. This attribute indicates that the downlink
bandwidth is set to 2 Mbit/s for the service policy service_edsg2.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change
the RADIUS attribute names to be the same as those in the RADIUS attribute
dictionary based on the vendor ID and attribute number.

Step 7 Configure a local address pool.


# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[*HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[*HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[*HUAWEI-ip-pool-edsg_pool] commit
[~HUAWEI-ip-pool-edsg_pool] quit

Step 8 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 9 Configure interfaces.


1. Configure a BAS interface.
NOTE

For details about how to configure a BAS interface, see Example for Configuring PPPoE
Access for IPv4 Users in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide -
User Access.

[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] quit

2. Configure an uplink interface.


[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] quit

3. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

Step 10 Configure access users. (This step is performed on the RADIUS server.)
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.

NOTE

The shared key configured for a RADIUS server group determines the value of the User-
Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute
Huawei-Account-Info (vendor ID=2011; attribute number=184) with the value of
Aservice_edsg1;d1;huawei and Aservice_edsg2;d2;huawei for PPPoE user 1.

NOTE

The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.

Step 11 Verify the configuration.


# View the ID of the online user.
<HUAWEI> display value-added-service user
The used user id table are:
128000

# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------

# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : auth1
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------

# View the user information in domain1.
<HUAWEI> display access-user domain domain1 verbose
-------------------------------------------------------------------
Basic:
User access index : 128000
State : Used
User name : user1
Domain name : domain1
User backup state : No
RUI user state :-
User access interface : GigabitEthernet0/1/2.1
User access PeVlan/CeVlan : 100/100
User access slot :5

Issue 01 (2023-03-31) Copyright © Huawei Technologies Co., Ltd. 128


HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E
M14/M8 series
Configuration Guide 1 Configuration

User MAC : 00e0-fc12-3456


User IP address : 172.31.24.253
User IP netmask : 255.255.255.255
User gateway address : 172.31.0.1
User Authen IP Type : ipv4/-/-
User Basic IP Type : -/-/-
User access type : PPPoE
User authentication type : PPP authentication
Agent-Circuit-Id :-
Agent-Remote-Id :-
Access-line-id Information(pppoe+): -
Access start time : 2013-10-17 10:42:15
User-Group :-
Next-hop :-
Policy-route-IPV6-address :-

AAA:
RADIUS-server-template : rad_group1
Server-template of second acct: -
Current authen method : RADIUS authentication
Authen result : Success
Current author method : Idle
Author result : Success
Action flag : Idle
Authen state : Authed
Author state : Idle
Configured accounting method : RADIUS accounting
Quota-out : Offline
Current accounting method : RADIUS accounting
Realtime-accounting-switch : Close
Realtime-accounting-interval(sec) :-
Realtime-accounting-send-update : No
Realtime-accounting-traffic-update : No
Accounting start time : 2013-10-17 10:42:15
Online time (h:min:sec) : 00:07:45
Accounting state : Accounting
MTU : 1492
MRU : 1492
Idle-cut direction : Both
Idle-cut-data (time,rate,idle): 0 sec, 60 kbyte/min, 0 min 0 sec
Ipv4 Realtime speed : 0 kbyte/min
Ipv4 Realtime speed inbound : 0 kbyte/min
Ipv4 Realtime speed outbound : 0 kbyte/min

Dot1X:
User MSIDSN name :-
EAP user : No
MD5 end : No

VPN&Policy-route:
Vpn-Instance :-

Multicast Service:
Multicast-profile :-
Multicast-profile-ipv6 :-
Max Multicast List Number :4
IGMP enable : Yes

ACL&QoS:
Link bandwidth auto adapt : Disable
UpPriority : Unchangeable
DownPriority : Unchangeable

EDSG information:
Service info : Aservice_edsg1
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes

Issue 01 (2023-03-31) Copyright © Huawei Technologies Co., Ltd. 129


HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E
M14/M8 series
Configuration Guide 1 Configuration

Up packets number(high,low) : (0,0)


Up bytes number(high,low) : (0,0)
Down packets number(high,low) : (0,0)
Down bytes number(high,low) : (0,0)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Dslam information :
Circuit ID :-
Remote ID :-
Actual datarate upstream :0(Kbps)
Actual datarate downstream :0(Kbps)
Min datarate upstream :0(Kbps)
Min datarate downstream :0(Kbps)
Attainable datarate upstream :0(Kbps)
Attainable datarate downstream :0(Kbps)
Max datarate upstream :0(Kbps)
Max datarate downstream :0(Kbps)
Min lowpower datarate upstream :0(Kbps)
Min lowpower datarate downstream :0(Kbps)
Max delay upstream :0(s)
Max delay downstream :0(s)
Actual delay upstream :0(s)
Actual delay downstream :0(s)
Access loop encapsulation :0x000000
-------------------------------------------------------------------
Are you sure to display some information?(Y/N)[Y]:

# View traffic information of the online user.
<HUAWEI> display access-user domain domain1 verbose
-------------------------------------------------------------------
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,670580346)
Up bytes number(high,low) : (19,4229905664)
Down packets number(high,low) : (0,670597972)
Down bytes number(high,low) : (21,3689402864)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Value-added-service Flow Statistic:
EDSG(service1) Up packets number(high,low) : (0,12774777)
EDSG(service1) Up bytes number(high,low) : (2,4069869415)
EDSG(service1) Down packets number(high,low) : (0,0)
EDSG(service1) Down bytes number(high,low) : (0,0)

----End
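
The attributes that Step 6 and Step 10 ask the RADIUS server to deliver are carried as RFC 2865 Vendor-Specific attributes under vendor ID 2011. The following Python is an added example, not Huawei code: it encodes and decodes those attributes, parses the Huawei-Account-Info value, and lists any name delivered in Huawei-AVpair that is not defined on the BRAS. The function names, the 32-bit integer encoding of the two rate attributes, and the rule that delivered names must match objects configured on the BRAS are assumptions of this example.

```python
import struct

VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
HUAWEI_VENDOR_ID = 2011  # vendor ID given in the guide
# Vendor attribute numbers as listed in the guide.
HW_INPUT_CIR, HW_OUTPUT_CIR, HW_ACCOUNT_INFO, HW_AVPAIR = 2, 5, 184, 188
INTEGER_ATTRS = {HW_INPUT_CIR, HW_OUTPUT_CIR}  # assumption: 32-bit integers, bit/s

def encode_vsa(vendor_type, value):
    """Encode one Huawei attribute as an RFC 2865 Vendor-Specific attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    if len(data) > 247:  # 255 - 2 (attribute header) - 4 (vendor ID) - 2 (sub-header)
        raise ValueError("value too long for a single VSA")
    sub = bytes([vendor_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", HUAWEI_VENDOR_ID) + sub

def _walk(buf, what):
    """Yield (type, value bytes) for each TLV in buf, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"truncated {what} header")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad {what} length {length}")
        yield buf[i], buf[i + 2:i + length]
        i += length

def decode_huawei_vsas(attributes):
    """Return [(vendor_type, value)] for every Huawei VSA in a run of RADIUS attributes."""
    out = []
    for atype, body in _walk(attributes, "attribute"):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(body) < 4:
            raise ValueError("VSA shorter than its vendor ID")
        if struct.unpack("!I", body[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        for vtype, raw in _walk(body[4:], "sub-attribute"):
            if vtype in INTEGER_ATTRS:
                if len(raw) != 4:
                    raise ValueError(f"attribute {vtype} is not a 32-bit integer")
                out.append((vtype, struct.unpack("!I", raw)[0]))
            else:
                out.append((vtype, raw.decode("ascii")))
    return out

def parse_service_policy(attrs):
    """Fold decoded attributes into one dict: AVpair keys plus CIR values in bit/s."""
    policy = {}
    for vtype, value in attrs:
        if vtype == HW_AVPAIR:
            key, sep, val = value.partition("=")
            if not sep or not key.startswith("service:") or not val:
                raise ValueError(f"unexpected Huawei-AVpair value {value!r}")
            policy[key[len("service:"):]] = val
        elif vtype == HW_INPUT_CIR:
            policy["uplink_bps"] = value
        elif vtype == HW_OUTPUT_CIR:
            policy["downlink_bps"] = value
    return policy

def parse_account_info(value):
    """Split 'A<service policy>;<auth name>;<password>' as the guide's NOTE describes."""
    fields = value[1:].split(";")
    if not value.startswith("A") or len(fields) != 3 or not all(fields):
        raise ValueError(f"unexpected Huawei-Account-Info value {value!r}")
    return dict(zip(("service", "auth_name", "password"), fields))

def missing_references(policy, device):
    """List AVpair names not defined on the BRAS (device maps AVpair key -> set of names)."""
    return sorted(f"{key}={policy.get(key)}" for key, names in device.items()
                  if policy.get(key) not in names)

# Constructed sample: the attributes the guide lists for service_edsg1.
SERVICE_EDSG1 = b"".join(encode_vsa(t, v) for t, v in [
    (HW_AVPAIR, "service:service-group=s_1m"),
    (HW_AVPAIR, "service:authentication-scheme=auth1"),
    (HW_AVPAIR, "service:accounting-scheme=acct1"),
    (HW_AVPAIR, "service:radius-server-group=rad_group1"),
    (HW_INPUT_CIR, 1000000),
    (HW_OUTPUT_CIR, 1000000),
])
# Names configured on the BRAS in Steps 2 to 4 of this example.
BRAS_OBJECTS = {
    "service-group": {"s_1m", "s_2m"}, "authentication-scheme": {"auth1"},
    "accounting-scheme": {"acct1"}, "radius-server-group": {"rad_group1"},
}

if __name__ == "__main__":
    policy = parse_service_policy(decode_huawei_vsas(SERVICE_EDSG1))
    print(policy)
    print("undefined on BRAS:", missing_references(policy, BRAS_OBJECTS))
    print(parse_account_info("Aservice_edsg1;d1;huawei"))
```

Running the same check against the names actually present in a device's configuration file catches a service policy that points at a scheme or server group the BRAS does not define.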

Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
service-policy download radius rad_group1 password cipher $$e:TY%^%glhJ;yPG#$=tC&(Is%q!S_";(k.Ef$%^
%#:978
#
interface GigabitEthernet0/1/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
return

Example for Configuring EDSG Services for PPPoE Users (ND+PD)


After PPPoE users send access requests to a BRAS and are authenticated, EDSG
services are delivered by the RADIUS server through user authentication packets.
You can configure the uplink and downlink bandwidths for EDSG service policies
and use ACL rules to match the destination addresses and distinguish network
segments for user access, achieving independent rate limiting for different
network segments.

Networking Requirements
On the network shown in Figure 1-37, PPPoE users access network 1 and network
2. Different fees need to be charged for traffic over networks 1 and 2. The users
have different bandwidth requirements for networks 1 and 2. The uplink and
downlink traffic bandwidths for access to network 1 and network 2 are limited to
1 Mbit/s and 2 Mbit/s, respectively. The RADIUS server functions as both an AAA
server and an EDSG service policy server. The EDSG service policy server uses
RADIUS to deliver EDSG service policies in which parameters, such as the
authentication mode, accounting mode, and bandwidths for uplink and downlink
traffic rate limit, are specified.

Figure 1-37 EDSG service networking


NOTE

Interface 1, sub-interface 2.1, and sub-interface 2.2 in this example represent GE 0/1/2.100,
GE 0/1/1.1, and GE 0/1/1.2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure AAA schemes and a RADIUS server.
3. Configure an EDSG traffic policy.
4. Configure a mode in which EDSG service policies are downloaded.
5. Configure the RADIUS server to deliver EDSG service policies. (This step is
performed on the RADIUS server.)
6. Configure address pools.
7. Configure an AAA domain.
8. Configure interfaces.
9. Configure IP routes. IS-IS is used as an example.
10. Configure access users. (This step is performed on the RADIUS server.)

Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, RADIUS authentication scheme, RADIUS accounting
scheme, and bandwidths for uplink and downlink traffic rate limiting for
EDSG services

Procedure
Step 1 Set the host name of the BRAS to HUAWEI.
<Device> system-view
[~Device] sysname HUAWEI
[*Device] commit

Step 2 Configure the BRAS to generate DUIDs in DUID-LLT mode. (This step is not
required if a DUID has been configured on the BRAS.)
[~HUAWEI] dhcpv6 duid llt
[*HUAWEI] commit

Step 3 Enable the VAS function.


[~HUAWEI] value-added-service enable
[*HUAWEI] commit

Step 4 Configure AAA.

# Configure an authentication scheme and set the authentication mode to
RADIUS.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] quit

# Configure an accounting scheme and set the accounting mode to RADIUS.
[*HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

# Configure a RADIUS server that functions as both an AAA server and an EDSG
service policy server.
[~HUAWEI] radius-server group radius
[*HUAWEI-radius-radius] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-radius] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-radius] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-radius] commit
[~HUAWEI-radius-radius] quit

Step 5 Configure an EDSG traffic policy.


1. Create service groups.
[~HUAWEI] service-group s_1m
[*HUAWEI] service-group s_2m
[*HUAWEI] commit

2. Configure ACL rules for service groups.


# Configure an IPv4 ACL numbered 6020 for the service group s_1m to match
the IPv4 packets between the service group s_1m and network 1.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit

# Configure an IPv6 ACL numbered 6020 for the service group s_1m to match
the IPv6 packets between the service group s_1m and network 1.
[~HUAWEI] acl ipv6 number 6020
[*HUAWEI-acl6-ucl-6020] rule 10 permit ipv6 source service-group s_1m destination ipv6-address 2001:db8::2/64
[*HUAWEI-acl6-ucl-6020] rule 20 permit ipv6 source ipv6-address 2001:db8::2/64 destination service-group s_1m
[*HUAWEI-acl6-ucl-6020] commit
[~HUAWEI-acl6-ucl-6020] quit

# Configure an IPv4 ACL numbered 6021 for the service group s_2m to match
the IPv4 packets between the service group s_2m and network 2.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit

# Configure an IPv6 ACL numbered 6021 for the service group s_2m to match
the IPv6 packets between the service group s_2m and network 2.
[~HUAWEI] acl ipv6 number 6021
[*HUAWEI-acl6-ucl-6021] rule 15 permit ipv6 source service-group s_2m destination ipv6-address 2001:db8:1::2/64
[*HUAWEI-acl6-ucl-6021] rule 25 permit ipv6 source ipv6-address 2001:db8:1::2/64 destination service-group s_2m
[*HUAWEI-acl6-ucl-6021] commit
[~HUAWEI-acl6-ucl-6021] quit

3. Configure traffic classifiers.


# Configure a traffic classifier named c1.
[~HUAWEI] traffic classifier c1 operator or
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] if-match ipv6 acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit

# Configure a traffic classifier named c2.
[~HUAWEI] traffic classifier c2
[*HUAWEI-classifier-c2] if-match acl 6021
[*HUAWEI-classifier-c2] if-match ipv6 acl 6021
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit
4. Configure traffic behaviors.
# Configure a traffic behavior named b1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit

# Configure a traffic behavior named b2.
[~HUAWEI] traffic behavior b2
[*HUAWEI-behavior-b2] commit
[~HUAWEI-behavior-b2] quit
5. Configure an EDSG traffic policy.
# Configure an EDSG traffic policy named traffic_policy_edsg, and associate
traffic classifiers c1 and c2 with traffic behaviors b1 and b2, respectively.
[~HUAWEI] traffic policy traffic_policy_edsg
[*HUAWEI-policy-traffic_policy_edsg] share-mode
[*HUAWEI-policy-traffic_policy_edsg] classifier c1 behavior b1
[*HUAWEI-policy-traffic_policy_edsg] classifier c2 behavior b2
[*HUAWEI-policy-traffic_policy_edsg] commit
[~HUAWEI-policy-traffic_policy_edsg] quit
6. Apply the EDSG traffic policy globally.
[~HUAWEI] traffic-policy traffic_policy_edsg inbound
[*HUAWEI] traffic-policy traffic_policy_edsg outbound
[*HUAWEI] commit

Step 6 Configure a mode in which EDSG service policies are downloaded.


# Configure the RADIUS mode for downloading EDSG service policies. In this
mode, EDSG service policies are downloaded from the RADIUS server through
authentication packets.
[~HUAWEI] service-policy download radius radius password cipher YsHsjx_202206
[*HUAWEI] commit

Step 7 Configure EDSG service policies. (This step is performed on the RADIUS server.)
1. Configure an EDSG service policy for access to network 1.
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg1.

NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-AVpair
(vendor ID=2011; attribute number=188) for the service policy service_edsg1.
– <service:service-group>: The service group s_1m is bound to the service
policy service_edsg1.
The value of Huawei-AVpair is service:service-group=s_1m.
– <service:authentication-scheme>: The authentication scheme auth1 is set
for the service policy service_edsg1.
The value of Huawei-AVpair is service:authentication-scheme=auth1.
– <service:accounting-scheme>: The accounting scheme acct1 is set for the
service policy service_edsg1.
The value of Huawei-AVpair is service:accounting-scheme=acct1.


– <service:radius-server-group>: The RADIUS server group rad_group1 is set
for the service policy service_edsg1.
The value of Huawei-AVpair is service:radius-server-group=rad_group1.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Input-Committed-Information-Rate (vendor ID=2011; attribute number=2) for the
service policy service_edsg1. The value of HW-Input-Committed-Information-
Rate is 1000000 bits. This attribute indicates that the uplink bandwidth is set
to 1 Mbit/s for the service policy service_edsg1.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Output-Committed-Information-Rate (vendor ID=2011; attribute number=5) for the
service policy service_edsg1. The value of HW-Output-Committed-Information-Rate
is 1000000 bits. This attribute indicates that the downlink bandwidth is set to
1 Mbit/s for the service policy service_edsg1.
2. Configure an EDSG service policy for access to network 2.

# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg2.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-AVpair
(vendor ID=2011; attribute number=188) for the service policy service_edsg2.
– <service:service-group>: The service group s_2m is bound to the service
policy service_edsg2.
The value of Huawei-AVpair is service:service-group=s_2m.
– <service:authentication-scheme>: The authentication scheme auth1 is set
for the service policy service_edsg2.
The value of Huawei-AVpair is service:authentication-scheme=auth1.
– <service:accounting-scheme>: The accounting scheme acct1 is set for the
service policy service_edsg2.
The value of Huawei-AVpair is service:accounting-scheme=acct1.
– <service:radius-server-group>: The RADIUS server group rad_group1 is set
for the service policy service_edsg2.
The value of Huawei-AVpair is service:radius-server-group=rad_group1.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Input-Committed-Information-Rate (vendor ID=2011; attribute number=2) for the
service policy service_edsg2. The value of HW-Input-Committed-Information-Rate
is 2000000 bits. This attribute indicates that the uplink bandwidth is set to
2 Mbit/s for the service policy service_edsg2.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Output-Committed-Information-Rate (vendor ID=2011; attribute number=5) for the
service policy service_edsg2. The value of HW-Output-Committed-Information-Rate
is 2000000 bits. This attribute indicates that the downlink bandwidth is set to
2 Mbit/s for the service policy service_edsg2.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change
the RADIUS attribute names to be the same as those in the RADIUS attribute
dictionary based on the vendor ID and attribute number.

Step 8 Configure an IPv4 address pool.


[~HUAWEI] ip pool edsg_pool bas local
[~HUAWEI-ip-pool-edsg_pool] gateway 172.16.100.1 24
[~HUAWEI-ip-pool-edsg_pool] section 0 172.16.100.2 172.16.100.200
[~HUAWEI-ip-pool-edsg_pool] dns-server 10.179.155.161 10.179.155.177
[*HUAWEI-ip-pool-edsg_pool] commit
[~HUAWEI-ip-pool-edsg_pool] quit

Step 9 Configure IPv6 address pools.


# Configure a delegation prefix pool for ND users.
[~HUAWEI] ipv6 prefix pre_nd delegation
[~HUAWEI-ipv6-prefix-pre_nd] prefix 2001:db8:1::/48 delegating-prefix-length 64
[~HUAWEI-ipv6-prefix-pre_nd] slaac-unshare-only
[*HUAWEI-ipv6-prefix-pre_nd] commit
[~HUAWEI-ipv6-prefix-pre_nd] quit

# Configure a delegation address pool for ND users.


[~HUAWEI] ipv6 pool pool_nd bas delegation
[~HUAWEI-ipv6-pool-pool_nd] prefix pre_nd
[*HUAWEI-ipv6-pool-pool_nd] commit
[~HUAWEI-ipv6-pool-pool_nd] dns-server 2001:db8::2:2 2001:db8::2:3
[~HUAWEI-ipv6-pool-pool_nd] quit

# Configure a delegation prefix pool for PD users.


[~HUAWEI] ipv6 prefix pre_pd delegation
[~HUAWEI-ipv6-prefix-pre_pd] prefix 2001:db8:2::/48 delegating-prefix-length 60
[~HUAWEI-ipv6-prefix-pre_pd] pd-unshare-only
[~HUAWEI-ipv6-prefix-pre_pd] quit

# Configure a delegation address pool for PD users.


[~HUAWEI] ipv6 pool pool_pd bas delegation
[~HUAWEI-ipv6-pool-pool_pd] prefix pre_pd
[*HUAWEI-ipv6-pool-pool_pd] commit
[~HUAWEI-ipv6-pool-pool_pd] dns-server 2001:db8::2:2 2001:db8::2:3
[~HUAWEI-ipv6-pool-pool_pd] quit

Step 10 Bind the address pools, AAA schemes, and RADIUS server group to an AAA
domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group radius
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] prefix-assign-mode unshared
[~HUAWEI-aaa-domain-isp1] ip-pool edsg_pool
[~HUAWEI-aaa-domain-isp1] ipv6-pool pool_nd
[~HUAWEI-aaa-domain-isp1] ipv6-pool pool_pd
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

Step 11 Configure interfaces.


# Create a VT.
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode chap
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit

# Configure a BAS interface for PPPoE users.


[~HUAWEI] interface GigabitEthernet 0/1/2.100
[*HUAWEI-GigabitEthernet0/1/2.100] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2.100] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/2.100] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/2.100] commit
[~HUAWEI-GigabitEthernet0/1/2.100] user-vlan 3074 qinq 3074
[~HUAWEI-GigabitEthernet0/1/2-vlan-3074-3074-QinQ-3074-3074] bas
[~HUAWEI-GigabitEthernet0/1/2.100-bas] access-type layer2-subscriber default-domain authentication isp1
[~HUAWEI-GigabitEthernet0/1/2.100-bas] authentication-method ppp web
[~HUAWEI-GigabitEthernet0/1/2.100-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.100] quit

# Configure network-side interfaces and enable IPv6 on these interfaces.


[~HUAWEI] interface GigabitEthernet 0/1/1.1
[*HUAWEI-GigabitEthernet0/1/1.1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/1.1] ipv6 address 2001:db8:0200:2:2102:2205:1:1 64
[*HUAWEI-GigabitEthernet0/1/1.1] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/1.1] ip address 192.168.100.1 24
[*HUAWEI-GigabitEthernet0/1/1.1] commit
[~HUAWEI-GigabitEthernet0/1/1.1] quit
[~HUAWEI] interface GigabitEthernet 0/1/1.2
[*HUAWEI-GigabitEthernet0/1/1.2] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/1.2] ipv6 address 2001:db8:0201:2:2102:2205:1:1 64
[*HUAWEI-GigabitEthernet0/1/1.2] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/1.2] ip address 192.168.200.1 24
[*HUAWEI-GigabitEthernet0/1/1.2] commit
[~HUAWEI-GigabitEthernet0/1/1.2] quit

# Configure the loopback 0 interface and enable IPv6 on this interface.


[~HUAWEI] interface Loopback0
[*HUAWEI-LoopBack0] ipv6 enable
[*HUAWEI-LoopBack0] ipv6 address 2001:db8:0200::2205 128
[*HUAWEI-LoopBack0] ipv6 address auto link-local
[*HUAWEI-LoopBack0] ip address 10.10.10.10 16
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] quit

Step 12 Configure basic IS-IS functions.

# Create an IS-IS process, and enable IPv6 for this process.


[~HUAWEI] isis 100
[*HUAWEI-isis-100] cost-style wide
[*HUAWEI-isis-100] ipv6 enable topology ipv6
[*HUAWEI-isis-100] ipv6 preference 105
[*HUAWEI-isis-100] commit
[~HUAWEI-isis-100] quit

# Configure IS-IS interfaces. (The cost values can be planned as needed.)


[~HUAWEI] interface GigabitEthernet 0/1/1.1
[~HUAWEI-GigabitEthernet0/1/1.1] isis enable 100
[*HUAWEI-GigabitEthernet0/1/1.1] isis ipv6 enable 100
[*HUAWEI-GigabitEthernet0/1/1.1] isis ipv6 cost 61
[*HUAWEI-GigabitEthernet0/1/1.1] commit
[~HUAWEI-GigabitEthernet0/1/1.1] quit
[~HUAWEI] interface GigabitEthernet 0/1/1.2
[~HUAWEI-GigabitEthernet0/1/1.2] isis enable 100
[*HUAWEI-GigabitEthernet0/1/1.2] isis ipv6 enable 100
[*HUAWEI-GigabitEthernet0/1/1.2] isis ipv6 cost 62
[*HUAWEI-GigabitEthernet0/1/1.2] commit
[~HUAWEI-GigabitEthernet0/1/1.2] quit
[~HUAWEI] interface loopback0
[~HUAWEI-LoopBack0] isis enable 100
[*HUAWEI-LoopBack0] isis ipv6 enable 100
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] quit

Step 13 Configure access users. (This step is performed on the RADIUS server.)
# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.

NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Account-Info
(vendor ID=2011; attribute number=184) with the value of
Aservice_edsg1;d1;huawei and Aservice_edsg2;d2;huawei for PPPoE user 1.

NOTE

The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.

Step 14 Verify the configuration.


# View the ID of the online user.
<HUAWEI> display value-added-service user
The used user id table are:
128000

# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------

# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : auth1
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------

# View traffic information of the online user.


<HUAWEI> display access-user domain domain1 verbose
-------------------------------------------------------------------
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,670580346)
Up bytes number(high,low) : (19,4229905664)
Down packets number(high,low) : (0,670597972)
Down bytes number(high,low) : (21,3689402864)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Value-added-service Flow Statistic:


EDSG(service1) Up packets number(high,low) : (0,12774777)
EDSG(service1) Up bytes number(high,low) : (2,4069869415)
EDSG(service1) Down packets number(high,low) : (0,0)
EDSG(service1) Down bytes number(high,low) : (0,0)

----End

Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
dhcpv6 duid 0001000125a7625df063f9761497
#
value-added-service enable
#
radius-server group radius
radius-server shared-key-cipher %^%#yp(NBJ@lRGH\VOIu>g^5;;Wg@}YoR7/BfHIm:/@~%^%#
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl ipv6 number 6020
rule 10 permit ipv6 source service-group s_1m destination ipv6-address 2001:db8::2/64
rule 20 permit ipv6 source ipv6-address 2001:db8::2/64 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
acl ipv6 number 6021
rule 15 permit ipv6 source service-group s_2m destination ipv6-address 2001:db8:1::2/64
rule 25 permit ipv6 source ipv6-address 2001:db8:1::2/64 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
if-match ipv6 acl 6020 precedence 2
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
if-match ipv6 acl 6021 precedence 2
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
service-policy download radius rad_group1 password cipher $$e:TY%^%glhJ;yPG#$=tC&(Is%q!S_";(k.Ef$%^%#:978
#
ip pool pool1 bas local
gateway 172.16.100.1 255.255.255.0
section 0 172.16.100.2 172.16.100.200
dns-server 10.179.155.161 10.179.155.177
#
ipv6 prefix pre_nd delegation
prefix 2001:DB8:1::/48 delegating-prefix-length 64
slaac-unshare-only
#
ipv6 prefix pre_pd delegation
prefix 2001:DB8:2::/48 delegating-prefix-length 60
pd-unshare-only
#
ipv6 pool pool_nd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_nd
#
ipv6 pool pool_pd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_pd
#
aaa
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group radius
prefix-assign-mode unshared
ip-pool edsg_pool
ipv6-pool pool_nd
ipv6-pool pool_pd
#
#
isis 100
cost-style wide
#
ipv6 enable topology ipv6
ipv6 preference 105
#
#
interface Virtual-Template 1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/2.100
ipv6 enable
ipv6 address auto link-local
user-vlan 3074 qinq 3074
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method ppp web
#
#
interface GigabitEthernet0/1/1.1
ipv6 enable
ipv6 address 2001:DB8:200:2:2102:2205:1:1/64
ipv6 address auto link-local
ip address 192.168.100.1 24
isis enable 100
isis ipv6 enable 100
isis ipv6 cost 61
#
#
interface GigabitEthernet0/1/1.2
ipv6 enable
ipv6 address 2001:DB8:201:2:2102:2205:1:1/64
ipv6 address auto link-local
ip address 192.168.200.1 24
isis enable 100
isis ipv6 enable 100
isis ipv6 cost 62
#
#
interface LoopBack0
ipv6 enable
ip address 10.10.10.10 255.255.0.0
ipv6 address 2001:DB8:200::2205/128
ipv6 address auto link-local
isis enable 100
isis ipv6 enable 100
#
return

Example for Configuring NAT over EDSG


This section provides an example for configuring NAT over EDSG. The BRAS
performs NAT for EDSG service traffic and translates private IP addresses into
public IP addresses so that users can access the public network.

Networking Requirements
On the network shown in Figure 1-38, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively. The RADIUS server delivers EDSG service policies, in which the
accounting modes, authentication modes, and uplink and downlink bandwidths
are specified. The BRAS is equipped with a NAT service board to implement NAT
following authentication, authorization, and accounting. The BRAS implements
NAT on EDSG service traffic to translate private IP addresses to public IP addresses
so that users can access the public network.

Figure 1-38 Configuring NAT over EDSG


NOTE

In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure AAA authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded and
configure EDSG service policies.
6. Configure a local address pool.
7. Bind the local address pool and RADIUS server group to an AAA domain.
8. Configure uplink and downlink interfaces.
9. Create a NAT instance and bind it to the AAA domain.
10. Configure a NAT traffic diversion policy.
11. Configure access users.

Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, RADIUS authentication scheme, RADIUS accounting
scheme, and bandwidths for uplink and downlink traffic rate limiting for
EDSG services
● NAT instance name
● NAT address pool's number and start and end IP addresses
● NAT traffic diversion policy parameters, such as the user group name, ACL
rule, traffic classifier, traffic behavior, and traffic policy

Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[*HUAWEI] commit

Step 2 Configure policy servers.


[~HUAWEI] radius-server group rad_group1
[*HUAWEI-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-rad_group1] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-rad_group1] commit
[~HUAWEI-radius-rad_group1] quit

Step 3 Configure an EDSG traffic policy.


1. Create service groups.
[~HUAWEI] service-group s_1m
[*HUAWEI] service-group s_2m
[*HUAWEI] commit

2. Configure ACL rules for service groups.


# Configure ACL 6020 and define ACL rules for the service group s_1m.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit

3. Configure traffic classifiers.


# Configure a traffic classifier named c1.
[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit

# Configure a traffic classifier named c2.


[~HUAWEI] traffic classifier c2
[*HUAWEI-classifier-c2] if-match acl 6021
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit

4. Configure traffic behaviors.


# Configure a traffic behavior named b1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit

# Configure a traffic behavior named b2.


[~HUAWEI] traffic behavior b2
[*HUAWEI-behavior-b2] commit
[~HUAWEI-behavior-b2] quit

5. Configure an EDSG traffic policy.


# Configure an EDSG traffic policy named traffic_policy_edsg_nat, and
associate traffic classifiers c1 and c2 with traffic behaviors b1 and b2,
respectively.
[~HUAWEI] traffic policy traffic_policy_edsg_nat
[*HUAWEI-policy-traffic_policy_edsg_nat] share-mode
[*HUAWEI-policy-traffic_policy_edsg_nat] classifier c1 behavior b1 precedence 1
[*HUAWEI-policy-traffic_policy_edsg_nat] classifier c2 behavior b2 precedence 2
[*HUAWEI-policy-traffic_policy_edsg_nat] commit
[~HUAWEI-policy-traffic_policy_edsg_nat] quit

Step 4 Configure AAA authentication and accounting schemes.


# Configure an AAA authentication scheme named auth1 and specify RADIUS
authentication as the authentication mode.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

# Configure an AAA accounting scheme named acct1 and specify RADIUS
accounting as the accounting mode.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 5 Configure a mode in which EDSG service policies are downloaded.

# Configure the RADIUS mode for downloading EDSG service policies. In this
mode, EDSG service policies are downloaded from the RADIUS server through
authentication packets.
[~HUAWEI] service-policy download radius rad_group1 password cipher YsHsjx_202206
[*HUAWEI] commit

Step 6 Configure EDSG service policies. (This step is performed on the RADIUS server.)
1. Configure an EDSG service policy for access to network 1.

# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg1.

NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-AVpair
(vendor ID=2011; attribute number=188) for the service policy service_edsg1.
– <service:service-group>: The service group s_1m is bound to the service
policy service_edsg1.
The value of Huawei-AVpair is service:service-group=s_1m.
– <service:authentication-scheme>: The authentication scheme auth1 is set
for the service policy service_edsg1.
The value of Huawei-AVpair is service:authentication-scheme=auth1.
– <service:accounting-scheme>: The accounting scheme acct1 is set for the
service policy service_edsg1.
The value of Huawei-AVpair is service:accounting-scheme=acct1.
– <service:radius-server-group>: The RADIUS server group rad_group1 is set
for the service policy service_edsg1.
The value of Huawei-AVpair is service:radius-server-group=rad_group1.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Input-Committed-Information-Rate (vendor ID=2011; attribute number=2) for the
service policy service_edsg1. The value of HW-Input-Committed-Information-Rate
is 1000000 bits. This attribute indicates that the uplink bandwidth is set to
1 Mbit/s for the service policy service_edsg1.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Output-Committed-Information-Rate (vendor ID=2011; attribute number=5) for the
service policy service_edsg1. The value of HW-Output-Committed-Information-Rate
is 1000000 bits. This attribute indicates that the downlink bandwidth is set to
1 Mbit/s for the service policy service_edsg1.
2. Configure an EDSG service policy for access to network 2.

# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for the service policy service_edsg2.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-AVpair
(vendor ID=2011; attribute number=188) for the service policy service_edsg2.
– <service:service-group>: The service group s_2m is bound to the service
policy service_edsg2.
The value of Huawei-AVpair is service:service-group=s_2m.
– <service:authentication-scheme>: The authentication scheme auth1 is set
for the service policy service_edsg2.
The value of Huawei-AVpair is service:authentication-scheme=auth1.
– <service:accounting-scheme>: The accounting scheme acct1 is set for the
service policy service_edsg2.
The value of Huawei-AVpair is service:accounting-scheme=acct1.
– <service:radius-server-group>: The RADIUS server group rad_group1 is set
for the service policy service_edsg2.
The value of Huawei-AVpair is service:radius-server-group=rad_group1.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Input-Committed-Information-Rate (vendor ID=2011; attribute number=2) for the
service policy service_edsg2. The value of HW-Input-Committed-Information-Rate
is 2000000 bits. This attribute indicates that the uplink bandwidth is set to
2 Mbit/s for the service policy service_edsg2.

# Configure the RADIUS server to deliver the RADIUS attribute
HW-Output-Committed-Information-Rate (vendor ID=2011; attribute number=5) for the
service policy service_edsg2. The value of HW-Output-Committed-Information-Rate
is 2000000 bits. This attribute indicates that the downlink bandwidth is set to
2 Mbit/s for the service policy service_edsg2.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change
the RADIUS attribute names to be the same as those in the RADIUS attribute
dictionary based on the vendor ID and attribute number.
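
The attributes in this step are identified by vendor ID and attribute number, so a captured RADIUS reply can be checked independently of the names in the server's dictionary. The decoder below is an added example, not part of Huawei's guide; it assumes the RFC 2865 Vendor-Specific layout (one-byte sub-attribute number and length), and its function names, result keys and sample bytes are constructed for illustration. It also splits the Huawei-Account-Info value (attribute number 184) described in the access-user step of the preceding EDSG example.

```python
import struct

HUAWEI_VENDOR_ID = 2011   # vendor ID given in the guide
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)

# Attribute numbers and names as the guide lists them; the value kinds are assumptions.
GUIDE_ATTRS = {
    2: ("HW-Input-Committed-Information-Rate", "integer"),
    5: ("HW-Output-Committed-Information-Rate", "integer"),
    184: ("Huawei-Account-Info", "string"),
    188: ("Huawei-AVpair", "string"),
}


def encode_vsa(number, value):
    """Build one Vendor-Specific attribute holding a single vendor-2011 sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + bytes([number, len(data) + 2]) + data
    if len(body) + 2 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def _walk_tlvs(blob, what):
    """Yield (type, value) pairs from a one-byte-type, one-byte-length TLV list."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated %s header" % what)
        length = blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad %s length" % what)
        yield blob[pos], blob[pos + 2:pos + length]
        pos += length


def decode_attributes(blob):
    """Return the vendor-2011 sub-attributes of an attribute list as (number, name, value)."""
    found = []
    for atype, value in _walk_tlvs(blob, "attribute"):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue  # not a VSA (for example Reply-Message)
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue  # another vendor's attribute
        for number, data in _walk_tlvs(value[4:], "sub-attribute"):
            name, kind = GUIDE_ATTRS.get(number, ("vendor-2011-attr-%d" % number, "octets"))
            if kind == "integer":
                if len(data) != 4:
                    raise ValueError("%s must be 4 bytes" % name)
                data = struct.unpack("!I", data)[0]
            elif kind == "string":
                data = data.decode("ascii", errors="replace")
            found.append((number, name, data))
    return found


def summarize_policy(attrs):
    """Collapse decoded attributes into the service-policy fields configured in this step."""
    policy = {}
    for number, _name, value in attrs:
        if number == 188:
            key, sep, val = value.partition("=")
            if not sep or not key.startswith("service:"):
                raise ValueError("unexpected Huawei-AVpair value: %r" % value)
            policy[key[len("service:"):]] = val
        elif number == 2:
            policy["uplink_cir"] = value    # guide: 1000000 corresponds to 1 Mbit/s
        elif number == 5:
            policy["downlink_cir"] = value
    return policy


def parse_account_info(value):
    """Split 'A<service policy>;<authentication name>;<password>' (the A form in the guide)."""
    fields = value[1:].split(";")
    if not value.startswith("A") or len(fields) != 3 or not all(fields):
        raise ValueError("not the A<policy>;<name>;<password> form")
    # The service password is checked for presence but not returned, to keep it out of logs.
    return {"policy": fields[0], "auth_name": fields[1]}


# Constructed sample: the attribute list this step configures for service_edsg1,
# preceded by a Reply-Message (type 18) that the decoder must skip.
SAMPLE_SERVICE_EDSG1 = b"".join([
    bytes([18, 4]) + b"ok",
    encode_vsa(188, "service:service-group=s_1m"),
    encode_vsa(188, "service:authentication-scheme=auth1"),
    encode_vsa(188, "service:accounting-scheme=acct1"),
    encode_vsa(188, "service:radius-server-group=rad_group1"),
    encode_vsa(2, 1000000),
    encode_vsa(5, 1000000),
])

if __name__ == "__main__":
    for number, name, value in decode_attributes(SAMPLE_SERVICE_EDSG1):
        print(number, name, value)
    print(summarize_policy(decode_attributes(SAMPLE_SERVICE_EDSG1)))
    print(parse_account_info("Aservice_edsg1;d1;huawei"))
```

To check a real capture, pass decode_attributes the attribute portion of the RADIUS packet, that is, the bytes after the 20-byte header.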

Step 7 Configure a local address pool.

# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[~HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[~HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[~HUAWEI-ip-pool-edsg_pool] quit

Step 8 Bind the local address pool and RADIUS server group to an AAA domain.

# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[~HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 9 Configure interfaces.


1. Configure a BAS interface.
[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[~HUAWEI-GigabitEthernet0/1/2.1-vlan-1000-2000] user-vlan 1 1000 qinq 100
[~HUAWEI-GigabitEthernet0/1/2.1-vlan-1-1000-QinQ-100-100] bas
[~HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[~HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[~HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.1] quit

2. Configure uplink interfaces.


[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
[~HUAWEI] interface GigabitEthernet0/1/0.2
[*HUAWEI-GigabitEthernet0/1/0.2] vlan-type dot1q 2
[*HUAWEI-GigabitEthernet0/1/0.2] ip address 192.168.200.2 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.2] commit
[~HUAWEI-GigabitEthernet0/1/0.2] quit

3. Configure the interface connecting the BRAS to the policy server, RADIUS
server, and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

Step 10 Configure basic NAT functions.


1. Set the maximum number of sessions that can be created on the service
board in slot 9 to 6M.
[~HUAWEI] license
[~HUAWEI-license] active nat session-table size 6 slot 9 engine 0
[*HUAWEI-license] commit
[~HUAWEI-license] quit

2. Create a NAT instance named nat1, bind the service board to the NAT
instance, and configure an address pool in which the IP addresses range from
22.22.22.0 to 22.22.22.255 for the NAT instance.
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location slot 9 engine 0
[*HUAWEI-service-location-1] commit
[~HUAWEI-service-location-1] quit
[~HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-1] service-location 1
[*HUAWEI-service-instance-group-1] commit
[~HUAWEI-service-instance-group-1] quit
[~HUAWEI] nat instance nat1 id 1
[*HUAWEI-nat-instance-nat1] service-instance-group group1
[*HUAWEI-nat-instance-nat1] nat address-group address-group1 group-id 1 22.22.22.0 mask 24
[*HUAWEI-nat-instance-nat1] nat outbound any address-group address-group1
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit

Step 11 Bind the NAT instance to a user group in the AAA domain.
1. Create a user group named usergroup1.
[~HUAWEI] user-group usergroup1

2. Bind the NAT instance nat1 to the user group usergroup1 in the AAA domain
domain1.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain domain1
[~HUAWEI-aaa-domain-domain1] user-group usergroup1 bind nat instance nat1
[~HUAWEI-aaa-domain-domain1] traffic match user-group
[*HUAWEI-aaa-domain-domain1] commit
[~HUAWEI-aaa-domain-domain1] quit
[~HUAWEI-aaa] quit

Step 12 Configure a NAT traffic diversion policy on the inbound interface.


1. Configure ACL 6001 to match the traffic originated from the user group
usergroup1.
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 10 permit ip source user-group usergroup1
[*HUAWEI-acl-ucl-6001] commit
[~HUAWEI-acl-ucl-6001] quit

2. Configure a traffic classifier named nat.


[~HUAWEI] traffic classifier nat
[*HUAWEI-classifier-nat] if-match acl 6001
[*HUAWEI-classifier-nat] commit
[~HUAWEI-classifier-nat] quit

3. Configure a traffic behavior named nat and bind it to the NAT instance nat1.
[~HUAWEI] traffic behavior nat
[*HUAWEI-behavior-nat] nat bind instance nat1
[*HUAWEI-behavior-nat] commit
[~HUAWEI-behavior-nat] quit

4. Associate the traffic classifier with the traffic behavior of the NAT service in
the traffic policy traffic_policy_edsg_nat.
[~HUAWEI] traffic policy traffic_policy_edsg_nat
[~HUAWEI-policy-traffic_policy_edsg_nat] classifier nat behavior nat precedence 3
[*HUAWEI-policy-traffic_policy_edsg_nat] commit
[~HUAWEI-policy-traffic_policy_edsg_nat] quit

Step 13 Apply the EDSG traffic policy globally.


[~HUAWEI] traffic-policy traffic_policy_edsg_nat inbound
[*HUAWEI] traffic-policy traffic_policy_edsg_nat outbound
[*HUAWEI] commit

Step 14 Configure access users. (This step is performed on the RADIUS server.)

# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1.

NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Account-Info
(vendor ID=2011; attribute number=184) with the values
Aservice_edsg1;d1;huawei and Aservice_edsg2;d2;huawei for PPPoE user 1.


NOTE

The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.

Step 15 Verify the configuration.


# View the ID of the online user.
<HUAWEI> display value-added-service user
The used user id table are:
128000

# View the service group name and service status information of the user with an
ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg
-------------------------------------------------------
User access index : 128000
User name : user1
-------------------------------------------------------
Traffic rate mode : Separate
Traffic statistic mode : Separate
Inbound rate limit mode : Car
Outbound rate limit mode : Car
Service change mode : Stop-start
-------------------------------------------------------
User edsg service table:
-------------------------------------------------------
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------

# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128000.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : auth1
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100d39d7b128000
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
----------------------------------------------

# View traffic information of the online user.


<HUAWEI> display access-user domain domain1 verbose
-------------------------------------------------------------------
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,670580346)
Up bytes number(high,low) : (19,4229905664)
Down packets number(high,low) : (0,670597972)
Down bytes number(high,low) : (21,3689402864)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Value-added-service Flow Statistic:


EDSG(service1) Up packets number(high,low) : (0,12774777)
EDSG(service1) Up bytes number(high,low) : (2,4069869415)
EDSG(service1) Down packets number(high,low) : (0,0)
EDSG(service1) Down bytes number(high,low) : (0,0)

----End
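The checks in Step 15 can be scripted against saved command output. The following Python sketch is an added example, not part of the Huawei guide: it parses the two display formats shown above and compares them with the values this example expects. The function names and the EXPECTED table are illustrative, and treating a (high, low) pair as the upper and lower 32-bit words of one counter is an assumption.

```python
import re

# Constructed sample: lines taken from the command output in this step, except
# the byte counter, which is filled in to exercise the 64-bit conversion.
SERVICE_TABLE = """\
Index Service name State
-------------------------------------------------------
0 service_edsg1 Active
1 service_edsg2 Active
-------------------------------------------------------
"""
SERVICE_DETAIL = """\
Service index :0
Service name : service_edsg1
Service state : Active
Service group : s_1m
Service online time(HH:MM:SS) : 00:04:36
Up committed information rate : 1000(kbps)
Down committed information rate : 1000(kbps)
Up flow bytes(high, low) : (2, 4069869415)
"""

# Expected values for this example: service name -> service group and CIR (kbps).
EXPECTED = {"service_edsg1": {"group": "s_1m", "up_kbps": 1000, "down_kbps": 1000}}


def parse_service_table(text):
    """Return {service name: state} from the rows of the EDSG service table."""
    rows = re.findall(r"^[ \t]*\d+[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", text, flags=re.M)
    return dict(rows)


def parse_fields(text):
    """Return {field: value}. The separator is the first colon that follows
    whitespace, so 'Service online time(HH:MM:SS) : 00:04:36' keeps its key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def counter64(value):
    """Combine '(high, low)' into one integer (assumed: two 32-bit words)."""
    m = re.fullmatch(r"\((\d+),\s*(\d+)\)", value)
    if m is None:
        raise ValueError("not a (high, low) pair: %r" % value)
    return (int(m.group(1)) << 32) | int(m.group(2))


def kbps(value):
    """Return the number in a value such as '1000(kbps)', or None."""
    m = re.fullmatch(r"(\d+)\(kbps\)", value or "")
    return int(m.group(1)) if m else None


def check_service(detail_text, expected=EXPECTED):
    """Return a list of mismatches between device output and expected values."""
    f = parse_fields(detail_text)
    name = f.get("Service name")
    want = expected.get(name)
    if want is None:
        return ["unexpected service %r" % name]
    problems = []
    if f.get("Service state") != "Active":
        problems.append("%s: state is %s" % (name, f.get("Service state")))
    if f.get("Service group") != want["group"]:
        problems.append("%s: group is %s" % (name, f.get("Service group")))
    for key, field in (("up_kbps", "Up committed information rate"),
                       ("down_kbps", "Down committed information rate")):
        if kbps(f.get(field)) != want[key]:
            problems.append("%s: %s is %s" % (name, field, f.get(field)))
    return problems


if __name__ == "__main__":
    print(parse_service_table(SERVICE_TABLE))
    print(check_service(SERVICE_DETAIL) or "service_edsg1 matches the expected values")
    print(counter64(parse_fields(SERVICE_DETAIL)["Up flow bytes(high, low)"]), "bytes")
```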

Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
radius-server group rad_group1
radius-server shared-key-cipher %^%#/@aaSf_t=7;.A3Z6;`bR;1Q'Tf[1E>tLhc71lu2@%^%#
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
#
service-policy download radius rad_group1 password cipher %^%#Uuo@Qh\,eK@5DcKnGf:AfR5eVA@rlFLlx{(YtM6W%^%#
#
service-location 1
location slot 9 engine 0
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 22.22.22.0 mask 24
nat outbound any address-group address-group1
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
value-added-service enable
#
service-group s_1m
service-group s_2m
#
acl number 6001
rule 10 permit ip source user-group usergroup1
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic classifier nat operator or
if-match acl 6001 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic behavior nat
nat bind instance nat1
#
traffic policy traffic_policy_edsg_nat
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
classifier nat behavior nat precedence 3
#
aaa
#
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme acct1
accounting-mode radius
#
domain domain1
radius-server group rad_group1
ip-pool edsg_pool
user-group usergroup1 bind nat instance nat1
traffic match user-group
#
license
active nat session-table size 6 slot 9 engine 0
#
interface GigabitEthernet0/1/2.1
statistic enable
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/0.2
vlan-type dot1q 2
ip address 192.168.200.2 255.255.255.0
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 10.10.10.1 255.255.255.0
undo dcn
#
traffic-policy traffic_policy_edsg_nat inbound
traffic-policy traffic_policy_edsg_nat outbound
#
return

Example for Configuring the Delivery of the EDSG Prepaid Service Through a
RADIUS Server
This section provides an example for configuring the delivery of the EDSG prepaid
service through a RADIUS server.

Networking Requirements
On the network shown in Figure 1-39, PPPoE users access network 1 at
192.168.100.0/24 and network 2 at 192.168.200.0/24. Different fees need to be
charged for traffic over networks 1 and 2. The users have different bandwidth
requirements for networks 1 and 2. The uplink and downlink traffic bandwidths
for access to network 1 and network 2 are limited to 1 Mbit/s and 2 Mbit/s,
respectively. In addition, the prepaid function needs to be enabled for the users. To
meet these requirements, configure two EDSG services on the BRAS to implement
differentiated accounting, rate limit, and prepaid functions on traffic over network
1 and network 2. EDSG allows carriers to provide flexible service and accounting
policies for different user requirements.

Figure 1-39 EDSG service networking


NOTE

In this example, interfaces 1 through 3, sub-interface 3.1, and sub-interface 3.2 represent
GE 0/1/2, GE 0/1/1, GE 0/1/0, GE 0/1/0.1, and GE 0/1/0.2, respectively.


NOTE

The AAA server shown in Figure 1-39 also functions as a policy server and delivers services
through RADIUS.

Configuration Roadmap
1. Enable the VAS function.
2. Configure policy servers.
3. Configure an EDSG traffic policy.
4. Configure AAA authentication and accounting schemes.
5. Configure a mode in which EDSG service policies are downloaded.
6. Configure EDSG service policies.
7. Configure a local address pool.
8. Bind the local address pool and RADIUS server group to an AAA domain.
9. Configure the prepaid function.
10. Configure interfaces.
11. Configure access users.
12. Set user 1's prepaid time to 120s on the RADIUS server.
13. Set user 2's prepaid traffic volume to 100 Mbytes on the RADIUS server.

Data Preparation
To complete the configuration, you need the following data:
● Policy server parameters, such as the IP address and port number
● EDSG traffic policy parameters, such as the service group name, ACL rule,
traffic classifier, traffic behavior, and traffic policy
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for an EDSG service policy
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for an EDSG service policy
● Name of the local address pool used in the domain, gateway address, and
address pool range
● EDSG service policy parameters, such as the mode in which EDSG service
policies are downloaded, EDSG service policy name, name of the bound
RADIUS server group, RADIUS authentication scheme, RADIUS accounting
scheme, and bandwidths for uplink and downlink traffic rate limiting for
EDSG services
● RADIUS server group name, IP address and port number of a RADIUS
authentication server, and IP address and port number of a RADIUS
accounting server used for a prepaid profile
● Authentication scheme name, authentication mode, accounting scheme
name, and accounting mode used for a prepaid profile
● Prepaid function parameters, such as the prepaid profile name, bound RADIUS
server group, authentication scheme, accounting scheme, password used for
the BRAS to apply for an EDSG service quota from the RADIUS server group,
time and traffic volume thresholds, and policy used when the service quota is
exhausted.

Procedure
Step 1 Enable the VAS function.
<HUAWEI> system-view
[~HUAWEI] value-added-service enable
[~HUAWEI] commit

Step 2 Configure policy servers.


# Set the RADIUS server group name to rad_group1, the RADIUS authentication
server's IP address and port number to 10.10.10.2 and 1812, the RADIUS
accounting server's IP address and port number to 10.10.10.2 and 1813, and the
shared key for the RADIUS authentication and accounting servers to
YsHsjx_202206.
[~HUAWEI] radius-server group rad_group1
[*HUAWEI-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-rad_group1] radius-server shared-key-cipher YsHsjx_202206
[*HUAWEI-radius-rad_group1] commit
[~HUAWEI-radius-rad_group1] quit

NOTE

For details about how to configure a RADIUS server group, see Configuring a Device as a
RADIUS Client in HUAWEI NetEngine 8100 M14/M8, NetEngine 8000
M14K/M14/M8K/M8/M4 & NetEngine 8000E M14/M8 series Configuration Guide - User
Access.

Step 3 Configure an EDSG traffic policy.


1. Create service groups.
[~HUAWEI] service-group s_1m
[*HUAWEI] service-group s_2m
[*HUAWEI] commit

NOTE

You must run the service-group command to create service groups regardless of
whether the BRAS obtains an EDSG service policy from local configurations or a
RADIUS server.
2. Configure ACL rules for service groups.
# Configure ACL 6020 and define ACL rules for the service group s_1m.
[~HUAWEI] acl number 6020
[*HUAWEI-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*HUAWEI-acl-ucl-6020] commit
[~HUAWEI-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group s_2m.
[~HUAWEI] acl number 6021
[*HUAWEI-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*HUAWEI-acl-ucl-6021] commit
[~HUAWEI-acl-ucl-6021] quit

3. Define traffic classifiers.

# Define a traffic classifier named c1.


[~HUAWEI] traffic classifier c1 operator or
[*HUAWEI-classifier-c1] if-match acl 6020
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit

# Define a traffic classifier named c2.


[~HUAWEI] traffic classifier c2 operator or
[*HUAWEI-classifier-c2] if-match acl 6021
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit

4. Define traffic behaviors.

# Define a traffic behavior named b1.


[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit

# Define a traffic behavior named b2.


[~HUAWEI] traffic behavior b2
[*HUAWEI-behavior-b2] commit
[~HUAWEI-behavior-b2] quit

5. Configure an EDSG traffic policy.

# Configure an EDSG traffic policy named traffic_policy_edsg, and associate
traffic classifiers c1 and c2 with traffic behaviors b1 and b2, respectively.
[~HUAWEI] traffic policy traffic_policy_edsg
[*HUAWEI-policy-traffic_policy_edsg] share-mode
[*HUAWEI-policy-traffic_policy_edsg] classifier c1 behavior b1
[*HUAWEI-policy-traffic_policy_edsg] classifier c2 behavior b2
[*HUAWEI-policy-traffic_policy_edsg] commit
[~HUAWEI-policy-traffic_policy_edsg] quit

6. Apply the EDSG traffic policy globally.


[~HUAWEI] traffic-policy traffic_policy_edsg inbound
[~HUAWEI] traffic-policy traffic_policy_edsg outbound
[~HUAWEI] commit
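How ACL 6020 and ACL 6021 sort a subscriber's packets into the two EDSG services can be traced with a small model. The following Python sketch is an added example, not Huawei code: it assumes classifiers are tried in the order listed in traffic_policy_edsg, rules in ascending rule ID, and that a service-group term matches only the subscriber's own end of the flow. The subscriber address and the outside address are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Side:
    """One side of a UCL rule: a service group, or an address with wildcard mask."""
    service_group: Optional[str] = None
    address: Optional[str] = None
    wildcard: Optional[str] = None

    def matches(self, ip: str, groups: FrozenSet[str]) -> bool:
        if self.service_group is not None:
            return self.service_group in groups
        # Wildcard mask: 0-bits must match, 1-bits are ignored.
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (
            int(ipaddress.IPv4Address(self.address)) & care)


def net(address: str, wildcard: str) -> Side:
    return Side(address=address, wildcard=wildcard)


def group(name: str) -> Side:
    return Side(service_group=name)


# rule ID -> (source, destination), transcribed from ACL 6020 and ACL 6021 above.
ACLS = {
    6020: {10: (group("s_1m"), net("192.168.100.0", "0.0.0.255")),
           20: (net("192.168.100.0", "0.0.0.255"), group("s_1m"))},
    6021: {15: (group("s_2m"), net("192.168.200.0", "0.0.0.255")),
           25: (net("192.168.200.0", "0.0.0.255"), group("s_2m"))},
}
# Classifier order as listed in traffic_policy_edsg: (classifier, ACL, behavior).
POLICY = [("c1", 6020, "b1"), ("c2", 6021, "b2")]


def classify(src: str, dst: str, user_ip: str,
             user_groups: FrozenSet[str]) -> Optional[Tuple[str, int]]:
    """Return (classifier, rule ID) of the first matching rule, or None."""
    empty = frozenset()
    # Assumption: service groups belong to the subscriber's end of the flow only.
    src_groups = user_groups if src == user_ip else empty
    dst_groups = user_groups if dst == user_ip else empty
    for classifier, acl, _behavior in POLICY:
        for rule_id in sorted(ACLS[acl]):
            source, destination = ACLS[acl][rule_id]
            if source.matches(src, src_groups) and destination.matches(dst, dst_groups):
                return classifier, rule_id
    return None


def demo():
    user = "172.31.0.5"                      # constructed subscriber address
    both = frozenset({"s_1m", "s_2m"})       # both EDSG services active
    only_1m = frozenset({"s_1m"})            # service_edsg2 not activated
    return {
        "up_to_network1": classify(user, "192.168.100.7", user, both),
        "down_from_network2": classify("192.168.200.9", user, user, both),
        "other_destination": classify(user, "203.0.113.10", user, both),
        "network2_without_service": classify(user, "192.168.200.9", user, only_1m),
    }


if __name__ == "__main__":
    for flow, result in demo().items():
        print(flow, "->", result)
```

Flows that return None are not matched by either EDSG classifier in this model, which is the case both for destinations outside the two networks and for network 2 traffic from a subscriber whose s_2m service is not active.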

Step 4 Configure AAA authentication and accounting schemes.

# Configure an AAA authentication scheme named auth1 and specify RADIUS
authentication as the authentication mode.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

# Configure an AAA accounting scheme named acct1 and specify RADIUS
accounting as the accounting mode.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit


Step 5 Configure a mode in which EDSG service policies are downloaded.


# Configure the mode "first from local configurations and then from a RADIUS
server." In this mode, the BRAS first attempts to obtain an EDSG service policy
from local configurations. If no EDSG service policy is locally configured, the BRAS
obtains an EDSG service policy from a RADIUS server.
[~HUAWEI] service-policy download local radius rad_group1 password cipher YsHsjx_202206
[~HUAWEI] commit

Step 6 Configure EDSG service policies.


1. Configure an EDSG service policy for access to network 1.
# Create an EDSG service policy named service_edsg1.
[~HUAWEI] service-policy name service_edsg1 edsg

# Bind the service group s_1m to the EDSG service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] service-group s_1m

# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] radius-server group rad_group1

# Bind the authentication scheme auth1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] authentication-scheme auth1

# Bind the accounting scheme acct1 to the EDSG service policy
service_edsg1.
[*HUAWEI-service-policy-service_edsg1] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 inbound

# Set the bandwidth for downlink traffic rate limit to 1 Mbit/s for the EDSG
service policy service_edsg1.
[*HUAWEI-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit
2. Configure an EDSG service policy for access to network 2.
# Create an EDSG service policy named service_edsg2.
[~HUAWEI] service-policy name service_edsg2 edsg

# Bind the service group s_2m to the EDSG service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] service-group s_2m

# Bind the RADIUS server group rad_group1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] radius-server group rad_group1

# Bind the authentication scheme auth1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] authentication-scheme auth1


# Bind the accounting scheme acct1 to the EDSG service policy
service_edsg2.
[*HUAWEI-service-policy-service_edsg2] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 inbound

# Set the bandwidth for downlink traffic rate limit to 2 Mbit/s for the EDSG
service policy service_edsg2.
[*HUAWEI-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit

Step 7 Configure a local address pool.


# Configure a local address pool named edsg_pool, set the gateway address to
172.31.0.1/16, and specify the address range as 172.31.0.2 to 172.31.255.255.
[~HUAWEI] ip pool edsg_pool bas local
[*HUAWEI-ip-pool-edsg_pool] gateway 172.31.0.1 255.255.0.0
[*HUAWEI-ip-pool-edsg_pool] section 0 172.31.0.2 172.31.255.255
[*HUAWEI-ip-pool-edsg_pool] commit
[~HUAWEI-ip-pool-edsg_pool] quit

Step 8 Bind the local address pool and RADIUS server group to an AAA domain.
# Bind the local address pool edsg_pool and the RADIUS server group
rad_group1 to an AAA domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain domain1
[*HUAWEI-aaa-domain-domain1] ip-pool edsg_pool
[*HUAWEI-aaa-domain-domain1] radius-server group rad_group1
[*HUAWEI-aaa-domain-domain1] quit
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 9 Configure the prepaid function.


1. Configure a prepaid profile for access to network 1.
# Create a prepaid profile named prepaid1.
[~HUAWEI] prepaid-profile prepaid1

# Bind the RADIUS server group rad_group1 to the prepaid profile prepaid1.
[~HUAWEI-prepaid-profile-prepaid1] radius-server group rad_group1

# Bind the authentication scheme auth1 to the prepaid profile prepaid1.


[~HUAWEI-prepaid-profile-prepaid1] authentication-scheme auth1

# Bind the accounting scheme acct1 to the prepaid profile prepaid1.


[~HUAWEI-prepaid-profile-prepaid1] accounting-scheme acct1

# Configure a password used for the BRAS to apply for an EDSG service quota
from the RADIUS server group.
[~HUAWEI-prepaid-profile-prepaid1] password cipher YsHsjx_202206

# Set the time threshold for the BRAS to reapply for a time quota for EDSG
services from the RADIUS server to 60s.
[*HUAWEI-prepaid-profile-prepaid1] threshold time 60 seconds

# Set the traffic volume threshold for the BRAS to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 10 Mbytes.
[*HUAWEI-prepaid-profile-prepaid1] threshold volume 10 mbytes
[*HUAWEI-prepaid-profile-prepaid1] commit
[~HUAWEI-prepaid-profile-prepaid1] quit
2. Configure a prepaid profile for access to network 2.
# Create a prepaid profile named prepaid2.
[~HUAWEI] prepaid-profile prepaid2

# Bind the RADIUS server group rad_group1 to the prepaid profile prepaid2.
[~HUAWEI-prepaid-profile-prepaid2] radius-server group rad_group1

# Bind the authentication scheme auth1 to the prepaid profile prepaid2.


[~HUAWEI-prepaid-profile-prepaid2] authentication-scheme auth1

# Bind the accounting scheme acct1 to the prepaid profile prepaid2.


[~HUAWEI-prepaid-profile-prepaid2] accounting-scheme acct1

# Configure a password used for the BRAS to apply for an EDSG service quota
from the RADIUS server group.
[~HUAWEI-prepaid-profile-prepaid2] password cipher YsHsjx_202206

# Set the time threshold for the BRAS to re-apply for a time quota for EDSG
services from the RADIUS server to 300s.
[*HUAWEI-prepaid-profile-prepaid2] threshold time 300 seconds

# Set the traffic volume threshold for the BRAS to re-apply for a traffic
volume quota for EDSG services from the RADIUS server to 20 Mbytes.
[*HUAWEI-prepaid-profile-prepaid2] threshold volume 20 mbytes
[*HUAWEI-prepaid-profile-prepaid2] commit
[~HUAWEI-prepaid-profile-prepaid2] quit
3. Configure a policy used when the quota is exhausted.
# Configure a deactivation policy for access to network 1.
[~HUAWEI] prepaid-profile prepaid1
[~HUAWEI-prepaid-profile-prepaid1] quota-out service deactivate
[~HUAWEI-prepaid-profile-prepaid1] commit
[~HUAWEI-prepaid-profile-prepaid1] quit

# Configure a redirect policy for access to network 2.


a. Create an HTTP redirect profile named http_redirect_profile.
[~HUAWEI] http-redirect-profile http_redirect_profile
b. Configure http://www.huawei.com as a redirect web page.
[~HUAWEI-redirect-profile-http_redirect_profile] web-server url http://www.huawei.com
c. Configure post as the HTTP access mode for the web server.
[~HUAWEI-redirect-profile-http_redirect_profile] web-server mode post
[~HUAWEI-redirect-profile-http_redirect_profile] commit
[~HUAWEI-redirect-profile-http_redirect_profile] quit
d. Configure a redirect policy and specify http_redirect_profile.
[~HUAWEI] prepaid-profile prepaid2
[~HUAWEI-prepaid-profile-prepaid2] quota-out redirect http_redirect_profile
[~HUAWEI-prepaid-profile-prepaid2] commit
[~HUAWEI-prepaid-profile-prepaid2] quit

4. Apply the prepaid profiles in the EDSG service policy view.

# Apply the prepaid profile prepaid1 to the EDSG service policy
service_edsg1.
[~HUAWEI] service-policy name service_edsg1 edsg
[~HUAWEI-service-policy-service_edsg1] prepaid-profile prepaid1
[~HUAWEI-service-policy-service_edsg1] commit
[~HUAWEI-service-policy-service_edsg1] quit

# Apply the prepaid profile prepaid2 to the EDSG service policy
service_edsg2.
[~HUAWEI] service-policy name service_edsg2 edsg
[~HUAWEI-service-policy-service_edsg2] prepaid-profile prepaid2
[~HUAWEI-service-policy-service_edsg2] commit
[~HUAWEI-service-policy-service_edsg2] quit

Step 10 Configure interfaces.


1. Configure a VT.
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit

2. Configure a BAS interface.


[~HUAWEI] interface GigabitEthernet0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] quit

3. Configure an uplink interface.


[~HUAWEI] interface GigabitEthernet0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
[~HUAWEI] interface GigabitEthernet0/1/0.2
[*HUAWEI-GigabitEthernet0/1/0.2] vlan-type dot1q 1
[*HUAWEI-GigabitEthernet0/1/0.2] ip address 192.168.200.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/0.2] commit
[~HUAWEI-GigabitEthernet0/1/0.2] quit

4. Configure the interface connecting the BRAS to the policy server, AAA server,
and portal server.
[~HUAWEI] interface GigabitEthernet0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

Step 11 Configure access users. (This step is performed on the RADIUS server.)

# Configure the RADIUS server to deliver the RADIUS attribute User-Password
with a value of YsHsjx_202206 for PPPoE user 1 and PPPoE user 2.


NOTE

The shared key configured for a RADIUS server group determines the value of the
User-Password attribute.

# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Account-Info
(vendor ID=2011; attribute number=184) with a value of
Aservice_edsg1;d1;huawei for PPPoE user 1.
# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Account-Info
(vendor ID=2011; attribute number=184) with a value of
Aservice_edsg2;d2;huawei for PPPoE user 2.

NOTE

The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg1 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d1 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.
The Huawei-Account-Info attribute starting with A followed by the service policy name
service_edsg2 is used in authentication response packets to deliver EDSG services that
automatically take effect after being delivered; d2 and huawei indicate the authentication
name and password, respectively, to be used for service authentication.

NOTE

For details about the RADIUS attribute dictionary used in this step, see User Access >
Appendix: RADIUS Attributes > RADIUS Attribute Dictionary.
The RADIUS attribute names displayed in this step must be the same as those in the
RADIUS attribute dictionary loaded to the RADIUS server. If they are different, change the
RADIUS attribute names to be the same as those in the RADIUS attribute dictionary based
on the vendor ID and attribute number.
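The Huawei-Account-Info value format described in the NOTE above, and in the earlier example that delivers two services to one user, can be checked offline before it is loaded onto the RADIUS server. The following Python sketch is an added example, not Huawei code: it encodes each value as a standard RFC 2865 Vendor-Specific attribute carrying one sub-attribute (an assumption about the wire layout), and the function names and the sample attribute buffer are constructed for illustration.

```python
import struct
from typing import List, NamedTuple

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for vendor-specific data
HUAWEI_VENDOR_ID = 2011       # vendor ID given in this step
HUAWEI_ACCOUNT_INFO = 184     # attribute number given in this step


class AccountInfo(NamedTuple):
    command: str         # "A": service takes effect automatically once delivered
    policy: str          # EDSG service policy name, for example service_edsg1
    auth_name: str       # name used for service authentication
    auth_password: str   # password used for service authentication


def parse_account_info(value: str) -> AccountInfo:
    """Split 'A<policy>;<name>;<password>' into its fields."""
    if not value or value[0] != "A":
        raise ValueError("only the 'A' form used in this guide is handled")
    fields = value[1:].split(";")
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected A<policy>;<name>;<password>")
    return AccountInfo("A", *fields)


def encode_vsa(value: str) -> bytes:
    """Build one Vendor-Specific attribute that carries a Huawei-Account-Info value."""
    parse_account_info(value)            # refuse values that would not parse back
    data = value.encode("ascii")
    vendor_len = 2 + len(data)           # vendor type + vendor length + data
    total_len = 2 + 4 + vendor_len       # type + length + vendor ID + sub-attribute
    if total_len > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return (struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, total_len, HUAWEI_VENDOR_ID)
            + struct.pack("!BB", HUAWEI_ACCOUNT_INFO, vendor_len) + data)


def decode_account_info(attrs: bytes) -> List[AccountInfo]:
    """Walk a RADIUS attribute list and return every Huawei-Account-Info in it."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != RADIUS_VENDOR_SPECIFIC or len(body) < 6:
            continue                     # some other attribute, skip it
        vendor_id, v_type, v_len = struct.unpack("!IBB", body[:6])
        if vendor_id != HUAWEI_VENDOR_ID or v_type != HUAWEI_ACCOUNT_INFO:
            continue
        if v_len != len(body) - 4:
            raise ValueError("vendor length does not match attribute length")
        found.append(parse_account_info(body[6:].decode("ascii")))
    return found


# Constructed attribute list: the two values from this guide plus
# Session-Timeout (type 27) = 120 s, which the decoder must skip.
SAMPLE_ATTRS = (
    encode_vsa("Aservice_edsg1;d1;huawei")
    + encode_vsa("Aservice_edsg2;d2;huawei")
    + struct.pack("!BBI", 27, 6, 120)
)

if __name__ == "__main__":
    print(encode_vsa("Aservice_edsg1;d1;huawei").hex())
    for info in decode_account_info(SAMPLE_ATTRS):
        print(info)
```

In this encoding the value is an ordinary string, so the service authentication name and password are readable in any packet capture or server log that contains the attribute.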

Step 12 Set user 1's prepaid time to 120s on the RADIUS server.
# Configure the RADIUS server to deliver the RADIUS attribute Session-Timeout
with a value of 120s for user 1. This attribute indicates the remaining service time.
# Obtain the ID of the online user.
<HUAWEI> display value-added-service user edsg
The used user id table are:
128000
128001

# View detailed information about the EDSG service when the user has used the
EDSG service for 60s and the BRAS sends CoA messages to the RADIUS server in
advance to apply for a new time quota.
<HUAWEI> display value-added-service user user-id 128000 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg1
Service type : EDSG
Service state : Active
Service group : s_1m
Service group priority :0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100f5fcb5128034
Service online time(HH:MM:SS) : 00:01:00
Up committed information rate : 1000(kbps)
Up Peak information rate : 1000(kbps)
Up committed burst size : 187000(bytes)
Up Peak burst size : 187000(bytes)
Down committed information rate : 1000(kbps)
Down Peak information rate : 1000(kbps)
Down committed burst size : 187000(bytes)
Down Peak burst size : 187000(bytes)
Up flow packets(high, low) : (0, 0)
Up flow bytes(high, low) : (0, 0)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
Prepaid state : Monitoring
Time quota : 60(seconds)
Time threshold : 120(seconds)
-------------------------------------------------------

# View service deactivation information. The command output shows that the
user service has been deactivated after 120s.
<HUAWEI> display service deactivate-record
-------------------------------------------------------------------
Policy name : service_edsg1
User ID : 128000
Service index :0
Access time : 2013-10-17 17:41:03
Deavtivate time : 2013-10-17 17:45:33
Deactivate reason : The server does not reply with prepaid authorization response

Step 13 Set user 2's prepaid traffic volume to 100 Mbytes on the RADIUS server.
# Configure the RADIUS server to deliver the RADIUS attribute Huawei-Remanent-
Volume (Vendor ID=2011, Attribute number=15) with a value of 100M for user 2.
The RADIUS attribute Huawei-Remanent-Volume indicates the remaining traffic
volume of user 2.
# View the status information of the prepaid profile prepaid2.
<HUAWEI> display prepaid-profile name prepaid2
------------------------------------------------
Prepaid-profile-index :1
Prepaid-profile-name : prepaid2
Prepaid-password : ******
Reference-count :0
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Radius-server-template : rad_group1
Time-threshold : 300(s)
Volume-threshold : 20(Mbytes)
Quota-out-action : service deactivate
HTTP-redirect-profile : http_redirect_profile
------------------------------------------------

# View detailed information about the EDSG service with a service index of 0 and
a user ID of 128001.
<HUAWEI> display value-added-service user user-id 128001 edsg service-index 0
-------------------------------------------------------
Service index :0
Service name : service_edsg2
Service type : EDSG
Service state : Active
Service group : s_2m
Service group priority :0
Authentication method : None
Account method : Radius
Radius server template : rad_group1
Account session id : HUAWEI05001SSG000100f5fcb5128034
Service online time(HH:MM:SS) : 00:04:28
Up committed information rate : 6000(kbps)
Up Peak information rate : 6000(kbps)
Up committed burst size : 1122000(bytes)
Up Peak burst size : 1122000(bytes)
Down committed information rate : 6000(kbps)
Down Peak information rate : 6000(kbps)
Down committed burst size : 1122000(bytes)
Down Peak burst size : 1122000(bytes)
Up flow packets(high, low) : (0, 248230)
Up flow bytes(high, low) : (0, 25815920)
Down flow packets(high, low) : (0, 0)
Down flow bytes(high, low) : (0, 0)
Prepaid state : Exhausted
Volume quota : (0, 8966321)(bytes)
Volume threshold : (0, 104857600)(bytes)
HTTP redirect profile : http_redirect_profile
Source : Diameter
-------------------------------------------------------

----End
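The NOTE above says attribute names are reconciled with the server's dictionary by vendor ID and attribute number, and Steps 12 and 13 deliver Session-Timeout and Huawei-Remanent-Volume (Vendor ID=2011, Attribute number=15). The following Python example is added here and is not from the guide: it encodes both attributes in RADIUS TLV form (RFC 2865) and resolves them by number only. It assumes both are carried as 32-bit integers; the server-side dictionary names and the volume value are constructed.

```python
import struct

VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type
SESSION_TIMEOUT = (0, 27)      # standard attribute; vendor 0 means "no vendor" in this example
REMANENT_VOLUME = (2011, 15)   # vendor ID and attribute number given in Step 13


def encode_int(key, value):
    """Encode one 32-bit integer attribute; vendor attributes are wrapped in type 26."""
    vendor, number = key
    tlv = struct.pack("!BBI", number, 6, value)
    if vendor == 0:
        return tlv
    # Type 26, total length, 4-octet Vendor-Id, then the vendor's own TLV.
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(tlv), vendor) + tlv


def _tlvs(data):
    """Yield (type, value bytes) pairs, rejecting any impossible length."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"attribute {kind}: bad length {length}")
        yield kind, data[pos + 2:pos + length]
        pos += length


def decode(data):
    """Map (vendor ID, attribute number) to raw value bytes for an attribute list."""
    out = {}
    for kind, value in _tlvs(data):
        if kind != VENDOR_SPECIFIC:
            out[(0, kind)] = value
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than its Vendor-Id")
        vendor = struct.unpack("!I", value[:4])[0]
        for sub_kind, sub_value in _tlvs(value[4:]):
            out[(vendor, sub_kind)] = sub_value
    return out


def name_attributes(data, dictionary):
    """Resolve decoded attributes to one dictionary's names, matching by number only."""
    names = {key: name for name, key in dictionary.items()}
    return {names.get(key, f"unknown {key}"): int.from_bytes(value, "big")
            for key, value in decode(data).items()}


# Names as printed in this guide.
GUIDE_NAMES = {"Session-Timeout": SESSION_TIMEOUT,
               "Huawei-Remanent-Volume": REMANENT_VOLUME}
# Hypothetical server dictionary that spells the vendor attribute differently.
SERVER_NAMES = {"Session-Timeout": SESSION_TIMEOUT,
                "Remanent-Volume": REMANENT_VOLUME}

# Constructed attribute list: 120 is the Step 12 timeout; 102400 is a sample
# number only, because the unit of the volume attribute comes from the dictionary.
ACCEPT_ATTRS = encode_int(SESSION_TIMEOUT, 120) + encode_int(REMANENT_VOLUME, 102400)

if __name__ == "__main__":
    print(ACCEPT_ATTRS.hex())
    print(name_attributes(ACCEPT_ATTRS, GUIDE_NAMES))
    print(name_attributes(ACCEPT_ATTRS, SERVER_NAMES))
```

Both dictionaries resolve the same bytes because only the pair (2011, 15) travels on the wire; the name never does.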

Configuration Files
HUAWEI configuration file
#
sysname HUAWEI
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.31.0.1 255.255.0.0
section 0 172.31.0.2 172.31.255.255
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020 precedence 1
#
traffic classifier c2 operator or
if-match acl 6021 precedence 1
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1 precedence 1
classifier c2 behavior b2 precedence 2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
#
http-redirect-profile http_redirect_profile
web-server url http://www.huawei.com
web-server mode post
#
prepaid-profile prepaid1
password cipher $$e:TY%^%glhJ;yPG#$=tC&(Is%q!S_";(k.Ef$%^%#:978
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 60 seconds
threshold volume 10 mbytes
#
prepaid-profile prepaid2
password cipher $$e:TY%(k.Ef$%^%#:978^%glhJ;yPG#$=tC&(Is%q!S_";
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher $J;yPG#$=tC&(Is%q!S_";$e:TY%(k.Ef$%^%#:978^%glh
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
interface GigabitEthernet0/1/0.1
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/0.2
vlan-type dot1q 2
ip address 192.168.200.1 255.255.255.0
#
return

Example for Configuring PPPoE Dual-Stack User Access (ND Unshared+PD) in a Dual-Device Cold Backup Scenario with Distributed CGN and EDSG Services Deployed
This section provides an example for configuring PPPoE dual-stack user access
(ND unshared+PD) in a dual-device cold backup scenario with distributed CGN
and EDSG services deployed.

Networking Requirements
On the network shown in Figure 1-40, User1 and User2 access BRAS1 through
SW1. BRAS1 uses RADIUS for authentication and accounting. It assigns to the
users IPv4 addresses through the local address pool, IPv6 prefixes through DHCPv6
IA_PD, and IPv6 addresses through ND.
EDSG services need to be deployed to meet users' different requirements for
network service traffic. ACLs need to be configured to match destination addresses
of user traffic so that network segments accessed by users can be differentiated,
thereby implementing independent rate limiting and accounting for different
network segments. To enable private network users to access the Internet, deploy
distributed CGN on the network to translate private addresses into public
addresses. In addition, deploy dual-device cold backup to improve network
reliability. This function allows the users to go online through the other device if a
device fails.

Figure 1-40 PPPoE dual-stack user access (ND unshared+PD) in a dual-device cold
backup scenario with distributed CGN and EDSG services deployed
NOTE

Interfaces 1 and 2 in this example represent Eth-Trunk 2 and GE 0/1/0, respectively.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes, and specify RADIUS authentication and RADIUS
accounting.
2. Configure RADIUS.
3. Configure address pools.
4. Configure devices to generate DUIDs in DUID-LLT mode.
5. Configure a domain.
6. Configure interfaces.
7. Configure EDSG services.
8. Configure distributed CGN services.
9. Enable the devices to advertise public routes.

Data Preparation
To complete the configuration, you need the following data:
● User access parameters
● CGN service parameters
● EDSG service parameters


NOTE

The configuration on BRAS2 is similar to that on BRAS1. The configuration procedure on
BRAS1 is used as an example. For details about the configuration on BRAS2, see the
configuration file.

Procedure
Step 1 Configure AAA schemes.
# Configure two authentication schemes, one with the authentication mode set to
RADIUS, and that of the other one set to none.
<HUAWEI> system-view
[~HUAWEI] sysname BRAS1
[*HUAWEI] commit
[~BRAS1] aaa
[~BRAS1-aaa] authentication-scheme auth1
[*BRAS1-aaa-authen-auth1] authentication-mode radius
[*BRAS1-aaa-authen-auth1] quit
[~BRAS1-aaa] authentication-scheme none
[*BRAS1-aaa-authen-none] authentication-mode none
[*BRAS1-aaa-authen-none] quit
[*BRAS1-aaa] commit

# Configure an accounting scheme and set the accounting mode to RADIUS.
[~BRAS1-aaa] accounting-scheme acct1
[*BRAS1-aaa-accounting-acct1] accounting-mode radius
[*BRAS1-aaa-accounting-acct1] quit
[*BRAS1-aaa] commit
[*BRAS1-aaa] quit

Step 2 Configure RADIUS.
# Create UDP sockets with the local port numbers 1645, 1646, and 3799 and with
any local IP address.
[~BRAS1] radius local-ip all
[*BRAS1] commit

# Configure a RADIUS server group.
[~BRAS1] radius-server group rd1
[*BRAS1-radius-rd1] radius-server authentication 192.168.7.249 1812 weight 0
[*BRAS1-radius-rd1] radius-server accounting 192.168.7.249 1813 weight 0
[*BRAS1-radius-rd1] radius-server shared-key-cipher YsHsjx_202206
[*BRAS1-radius-rd1] commit
[~BRAS1-radius-rd1] radius-server calling-station-id include mac
[~BRAS1-radius-rd1] radius-server user-name original
[*BRAS1-radius-rd1] commit
[~BRAS1-radius-rd1] radius-server class-as-car
[*BRAS1-radius-rd1] quit
[*BRAS1] commit

# Configure a RADIUS authorization server.
[~BRAS1] radius-server authorization 192.168.8.249 shared-key-cipher YsHsjx_202206 server-group rd1
[*BRAS1] commit

Step 3 Configure address pools.
# Configure a local address pool for IPv4 users.
[~BRAS1] ip pool pool_v4 bas local
[*BRAS1-ip-pool-pool_v4] gateway 172.16.0.1 255.255.255.0
[*BRAS1-ip-pool-pool_v4] commit
[~BRAS1-ip-pool-pool_v4] section 0 172.16.0.2 172.16.0.200
[~BRAS1-ip-pool-pool_v4] dns-server 10.179.155.161 10.179.155.177
[*BRAS1-ip-pool-pool_v4] quit
[*BRAS1] commit

# Configure address pools for IPv6 users.
[~BRAS1] ipv6 prefix pre_nd delegation
[*BRAS1-ipv6-prefix-pre_nd] prefix 2001:db8:1::/48
[*BRAS1-ipv6-prefix-pre_nd] slaac-unshare-only
[*BRAS1-ipv6-prefix-pre_nd] quit
[*BRAS1] commit
[~BRAS1] ipv6 pool pool_nd bas delegation
[*BRAS1-ipv6-pool-pool_nd] prefix pre_nd
[*BRAS1-ipv6-pool-pool_nd] dns-server 2001:db8::2:2 2001:db8::2:3
[*BRAS1-ipv6-pool-pool_nd] quit
[*BRAS1] commit
[~BRAS1] ipv6 prefix pre_pd delegation
[*BRAS1-ipv6-prefix-pre_pd] prefix 2001:db8:2::/48
[*BRAS1-ipv6-prefix-pre_pd] commit
[~BRAS1-ipv6-prefix-pre_pd] pd-unshare-only
[~BRAS1-ipv6-prefix-pre_pd] quit
[~BRAS1] ipv6 pool pool_pd bas delegation
[*BRAS1-ipv6-pool-pool_pd] prefix pre_pd
[*BRAS1-ipv6-pool-pool_pd] dns-server 2001:db8::2:2 2001:db8::2:3
[*BRAS1-ipv6-pool-pool_pd] quit
[*BRAS1] commit

Step 4 Configure the device to generate a DUID in DUID-LLT mode. (This step is not
required if a DUID has been configured on the device.)
[~BRAS1] dhcpv6 duid llt
[*BRAS1] commit

Step 5 Configure a domain.
[~BRAS1] aaa
[~BRAS1-aaa] domain isp1
[*BRAS1-aaa-domain-isp1] authentication-scheme auth1
[*BRAS1-aaa-domain-isp1] accounting-scheme acct1
[*BRAS1-aaa-domain-isp1] radius-server group rd1
[*BRAS1-aaa-domain-isp1] commit
[~BRAS1-aaa-domain-isp1] prefix-assign-mode unshared
[~BRAS1-aaa-domain-isp1] ip-pool pool_v4
[~BRAS1-aaa-domain-isp1] ipv6-pool pool_nd
[~BRAS1-aaa-domain-isp1] ipv6-pool pool_pd
[~BRAS1-aaa-domain-isp1] accounting-start-delay 10 online user-type ppp
[*BRAS1-aaa-domain-isp1] accounting-start-delay traffic-forward before-start-accounting
[*BRAS1-aaa-domain-isp1] commit
[~BRAS1-aaa-domain-isp1] user-basic-service-ip-type ipv4
[~BRAS1-aaa-domain-isp1] quit
[~BRAS1-aaa] quit

Step 6 Configure interfaces.
# Configure a VT.
[~BRAS1] interface virtual-template 5
[*BRAS1-virtual-template5] ppp authentication-mode chap
[*BRAS1-virtual-template5] quit
[*BRAS1] commit

# Configure the Eth-Trunk interface to work in static LACP mode and set a
protocol packet timeout period.
[~BRAS1] interface Eth-Trunk2
[*BRAS1-Eth-Trunk2] mode lacp-static
[*BRAS1-Eth-Trunk2] lacp timeout fast
[*BRAS1-Eth-Trunk2] commit

# Configure IPv6 on the Eth-Trunk interface's sub-interface.
[~BRAS1-Eth-Trunk2] interface Eth-Trunk2.10
[*BRAS1-Eth-Trunk2.10] ipv6 enable
[*BRAS1-Eth-Trunk2.10] ipv6 address auto link-local
[*BRAS1-Eth-Trunk2.10] pppoe-server bind Virtual-Template 5
[*BRAS1-Eth-Trunk2.10] commit
[~BRAS1-Eth-Trunk2.10] user-vlan 1000 4000 qinq 2000 2001
[~BRAS1-Eth-Trunk2.10-user-vlan-1000-4000-qinq-2000-2001] quit

# Configure a BAS interface. In a dual-device cold backup scenario, configure
delayed access for users with even-numbered MAC addresses and delayed access
for users with odd-numbered MAC addresses on BRAS1 and BRAS2, respectively.
[~BRAS1-Eth-Trunk2.10] bas
[~BRAS1-Eth-Trunk2.10-bas] access-type layer2-subscriber default-domain authentication isp1
[*BRAS1-Eth-Trunk2.10-bas] client-option82 basinfo-insert cn-telecom
[*BRAS1-Eth-Trunk2.10-bas] commit
[~BRAS1-Eth-Trunk2.10-bas] access-delay 100 even-mac
[~BRAS1-Eth-Trunk2.10-bas] quit

# Configure the network-side interface.
[~BRAS1] interface gigabitEthernet 0/1/0
[*BRAS1-GigabitEthernet0/1/0] ipv6 enable
[*BRAS1-GigabitEthernet0/1/0] ipv6 address 2001:db8:8::7 128
[*BRAS1-GigabitEthernet0/1/0] ipv6 address auto link-local
[*BRAS1-GigabitEthernet0/1/0] ip address 10.2.1.1 24
[*BRAS1-GigabitEthernet0/1/0] quit
[*BRAS1] commit

Step 7 Configure EDSG services.
# Enable the value-added service function.
[~BRAS1] value-added-service enable
[*BRAS1] commit

# Configure the HW-Policy-Name attribute to support EDSG service delivery.
[~BRAS1] radius-attribute hw-policy-name support-type edsg
[*BRAS1] commit

# Configure an EDSG traffic policy.
1. Create a service group.
[~BRAS1] service-group edsg
[*BRAS1] commit
2. Configure ACL rules for the service group.
[~BRAS1] acl number 6100
[*BRAS1-acl4-basic-6100] description edsg
[*BRAS1-acl4-basic-6100] rule 5 permit ip source service-group edsg destination ip-address 192.168.100.0 0.0.0.255
[*BRAS1-acl4-basic-6100] rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group edsg
[*BRAS1-acl4-basic-6100] quit
[*BRAS1] commit
[~BRAS1] acl ipv6 number 6100
[*BRAS1-acl6-ucl-6100] rule 5 permit ipv6 source service-group edsg destination ipv6-address 2001:db8::3:2/32
[*BRAS1-acl6-ucl-6100] rule 10 permit ipv6 source ipv6-address 2001:db8::3:2/32 destination service-group edsg
[*BRAS1-acl6-ucl-6100] quit
[*BRAS1] commit
3. Configure a traffic classifier.
[~BRAS1] traffic classifier edsg-c1
[*BRAS1-classifier-edsg-c1] if-match acl 6100
[*BRAS1-classifier-edsg-c1] if-match ipv6 acl 6100
[*BRAS1-classifier-edsg-c1] quit
[*BRAS1] commit
4. Configure a traffic behavior.
[~BRAS1] traffic behavior edsg-b1
[*BRAS1-edsg-b1] quit
[*BRAS1] commit
5. Configure an EDSG traffic policy.
[~BRAS1] traffic policy p1
[*BRAS1-traffic-policy-p1] classifier edsg-c1 behavior edsg-b1 precedence 1
[*BRAS1-traffic-policy-p1] quit
[*BRAS1] commit
6. Apply the EDSG traffic policy globally.
[~BRAS1] traffic-policy p1 inbound
[*BRAS1] traffic-policy p1 outbound
[*BRAS1] commit

# Configure an EDSG service policy.
[~BRAS1] service-policy name service_edsg1 edsg
[*BRAS1-service-policy-service_edsg1] commit
[~BRAS1-service-policy-service_edsg1] radius-server group rd1
[~BRAS1-service-policy-service_edsg1] authentication-scheme none
[*BRAS1-service-policy-service_edsg1] accounting-scheme acct1
[*BRAS1-service-policy-service_edsg1] service-group edsg
[*BRAS1-service-policy-service_edsg1] rate-limit cir 100000 pir 100000 inbound
[*BRAS1-service-policy-service_edsg1] rate-limit cir 100000 pir 100000 outbound
[*BRAS1-service-policy-service_edsg1] quit
[*BRAS1] commit

Step 8 Configure distributed CGN services.
# Set the session table sizes of the CPUs on the NAT service boards in slots 3 and
4 to 16M.
[~BRAS1] license
[*BRAS1-license] active nat session-table size 16 slot 3 engine 0
[*BRAS1-license] active nat session-table size 16 slot 10 engine 0
[*BRAS1-license] active nat bandwidth-enhance slot 3 engine 0
[*BRAS1-license] active nat bandwidth-enhance slot 10 engine 0
[*BRAS1-license] quit
[*BRAS1] commit

# Create service-location group 1 and bind it to service boards.
[~BRAS1] service-location 1
[*BRAS1-service-location-1] location slot 3 engine 0 backup slot 10 engine 0
[*BRAS1-service-location-1] quit
[*BRAS1] commit

# Create service-location group 2 and bind it to service boards.
[~BRAS1] service-location 2
[*BRAS1-service-location-2] location slot 10 engine 0 backup slot 3 engine 0
[*BRAS1-service-location-2] quit
[*BRAS1] commit

# Create service instance groups and bind service-location groups to them.
[~BRAS1] service-instance-group nat444-group1
[*BRAS1-service-instance-group-nat444-group1] service-location 1
[*BRAS1-service-instance-group-nat444-group1] quit
[*BRAS1] commit
[~BRAS1] service-instance-group nat444-group2
[*BRAS1-service-instance-group-nat444-group2] service-location 2
[*BRAS1-service-instance-group-nat444-group2] quit
[*BRAS1] commit

# Create a NAT instance named nat444-1, bind the service instance group
nat444-group1 to it to specify the corresponding service board resources, and
configure a port range.
[~BRAS1] nat instance nat444-1 id 1
[*BRAS1-nat-instance-nat444-1] service-instance-group nat444-group1
[*BRAS1-nat-instance-nat444-1] port-range 4096

# Configure public addresses.
[*BRAS1-nat-instance-nat444-1] nat address-group pppoe-public-1 group-id 1
[*BRAS1-nat-instance-nat444-1-nat-address-group-pppoe-public-1] section 0 10.1.1.0 mask 24
[*BRAS1-nat-instance-nat444-1-nat-address-group-pppoe-public-1] section 1 10.3.1.0 mask 24
[*BRAS1-nat-instance-nat444-1-nat-address-group-pppoe-public-1] quit
[*BRAS1-nat-instance-nat444-1] nat outbound 3000 address-group pppoe-public-1

# Enable ALG for all protocols and configure the 3-tuple mode.
[*BRAS1-nat-instance-nat444-1] nat alg all
[*BRAS1-nat-instance-nat444-1] nat filter mode full-cone
[*BRAS1-nat-instance-nat444-1] quit
[*BRAS1] commit

NOTE

The procedure for configuring a NAT instance named nat444-2 is similar to that for
configuring a NAT instance named nat444-1. For details, see the configuration files.

# Configure user groups from which the users go online.
[~BRAS1] user-group pppoe-nat-1
[*BRAS1] user-group pppoe-nat-2
[*BRAS1] commit

# Bind NAT instances to user groups in an AAA domain.
[~BRAS1] aaa
[~BRAS1-aaa] domain isp1
[~BRAS1-aaa-domain-isp1] user-group pppoe-nat-1 bind nat instance nat444-1
[*BRAS1-aaa-domain-isp1] user-group pppoe-nat-2 bind nat instance nat444-2
[*BRAS1-aaa-domain-isp1] quit
[*BRAS1-aaa] quit
[*BRAS1] commit

# Configure a NAT traffic policy.
1. Define ACL rules for specified user groups.
[~BRAS1] acl number 6000
[*BRAS1-acl4-basic-6000] description for_pppoe-nat-1
[*BRAS1-acl4-basic-6000] rule 5 permit ip source user-group pppoe-nat-1
[*BRAS1-acl4-basic-6000] quit
[*BRAS1] commit
[~BRAS1] acl number 6001
[*BRAS1-acl4-basic-6001] description for_pppoe-nat-2
[*BRAS1-acl4-basic-6001] rule 5 permit ip source user-group pppoe-nat-2
[*BRAS1-acl4-basic-6001] quit
[*BRAS1] commit
[~BRAS1] acl number 6002
[*BRAS1-acl4-basic-6002] description for_pppoe-no-nat
[*BRAS1-acl4-basic-6002] rule 5 permit ip source user-group pppoe-nat-2 destination ip-address 192.168.200.0 0.0.0.255
[*BRAS1-acl4-basic-6002] rule 10 permit ip source user-group pppoe-nat-2 destination ip-address 10.168.200.0 0.0.0.255
[*BRAS1-acl4-basic-6002] quit
[*BRAS1] commit
2. Configure traffic classifiers.
[~BRAS1] traffic classifier nat-c1
[*BRAS1-classifier-nat-c1] if-match acl 6000
[*BRAS1-classifier-nat-c1] quit
[*BRAS1] commit
[~BRAS1] traffic classifier nat-c2
[*BRAS1-classifier-nat-c2] if-match acl 6001
[*BRAS1-classifier-nat-c2] quit
[*BRAS1] commit
[~BRAS1] traffic classifier no-nat
[*BRAS1-classifier-no-nat] if-match acl 6002
[*BRAS1-classifier-no-nat] quit
[*BRAS1] commit
3. Configure traffic behaviors.
[~BRAS1] traffic behavior nat-b1
[*BRAS1-nat-b1] nat bind instance nat444-1
[*BRAS1-nat-b1] quit
[*BRAS1] commit
[~BRAS1] traffic behavior nat-b2
[*BRAS1-nat-b2] nat bind instance nat444-2
[*BRAS1-nat-b2] quit
[*BRAS1] commit
[~BRAS1] traffic behavior no-nat
[*BRAS1-no-nat] quit
[*BRAS1] commit
4. Configure a NAT traffic policy.
[~BRAS1] traffic policy p1
[~BRAS1-traffic-policy-p1] classifier no-nat behavior no-nat precedence 2
[*BRAS1-traffic-policy-p1] classifier nat-c1 behavior nat-b1 precedence 3
[*BRAS1-traffic-policy-p1] classifier nat-c2 behavior nat-b2 precedence 4
[*BRAS1-traffic-policy-p1] quit
[*BRAS1] commit
5. Apply the NAT traffic policy in the upstream direction.
[~BRAS1] traffic-policy p1 inbound
[*BRAS1] commit

Step 9 Enable the device to advertise public routes.
[~BRAS1] bgp 65008
[*BRAS1-bgp] ipv4-family unicast
[*BRAS1-bgp-af-ipv4] network 0 10.1.1.0 255.255.255.0
[*BRAS1-bgp-af-ipv4] network 0 10.3.1.0 255.255.255.0
[*BRAS1-bgp-af-ipv4] quit
[*BRAS1-bgp] quit
[*BRAS1] commit

----End
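The EDSG and NAT steps above link ACLs, traffic classifiers, traffic behaviors, NAT instances, user groups and the traffic policy by name or number, so a saved configuration is worth checking for references to objects that are never defined. The following Python check is an added example, not Huawei tooling or part of the guide. Its parsing rules cover only the command forms shown on this page, and the sample configuration is constructed with planted mismatches.

```python
import re

# Constructed sample, flattened and '#'-separated like a saved configuration
# file. Planted defects: ACL 6002, NAT instance nat444-2 and classifier nat-c2
# are referenced but never defined; ACL 6003 is defined but never referenced.
SAMPLE_CONFIG = """\
nat instance nat444-1 id 1
#
user-group pppoe-nat-1
user-group pppoe-nat-2
#
service-group edsg
#
acl number 6000
rule 5 permit ip source user-group pppoe-nat-1
#
acl number 6003
rule 5 permit ip source user-group pppoe-nat-2 destination ip-address 192.168.200.0 0.0.0.255
#
traffic classifier nat-c1 operator or
if-match acl 6000 precedence 1
#
traffic classifier no-nat operator or
if-match acl 6002 precedence 1
#
traffic behavior nat-b1
nat bind instance nat444-1
#
traffic behavior nat-b2
nat bind instance nat444-2
#
traffic behavior no-nat
#
traffic policy p1
classifier no-nat behavior no-nat precedence 2
classifier nat-c1 behavior nat-b1 precedence 3
classifier nat-c2 behavior nat-b2 precedence 4
#
traffic-policy p1 inbound
#
service-policy name service_edsg1 edsg
service-group edsg
"""

# Lines that define an object and open its section: (kind, pattern).
HEADERS = [
    ("acl", r"acl number (\d+)$"),
    ("acl ipv6", r"acl ipv6 number (\d+)$"),
    ("nat instance", r"nat instance (\S+) id \d+$"),
    ("user-group", r"user-group (\S+)$"),
    ("service-group", r"service-group (\S+)$"),
    ("classifier", r"traffic classifier (\S+)(?: operator \S+)?$"),
    ("behavior", r"traffic behavior (\S+)$"),
    ("policy", r"traffic policy (\S+)$"),
    ("service-policy", r"service-policy name (\S+) edsg$"),
]
# Lines that point at other objects: (pattern, kinds of the captured names).
REFERENCES = [
    (r"if-match acl (\d+)", ["acl"]),
    (r"if-match ipv6 acl (\d+)", ["acl ipv6"]),
    (r"nat bind instance (\S+)$", ["nat instance"]),
    (r"classifier (\S+) behavior (\S+)", ["classifier", "behavior"]),
    (r"user-group (\S+) bind nat instance (\S+)$", ["user-group", "nat instance"]),
    (r"traffic-policy (\S+) (?:inbound|outbound)$", ["policy"]),
]
RULE_GROUP = re.compile(r"\b(?:source|destination) (user-group|service-group) (\S+)")


def lint(config):
    """Return (undefined, unused) cross-references found in a configuration."""
    defined, refs, owner = set(), [], None
    for line in map(str.strip, config.splitlines()):
        if line == "#":  # '#' closes the current section
            owner = None
        elif owner and owner[0] == "service-policy" and line.startswith("service-group "):
            # Inside a service policy this line is a reference, not a definition.
            refs.append((owner, ("service-group", line.split()[1])))
        elif line.startswith("rule "):
            refs += [(owner, hit) for hit in RULE_GROUP.findall(line)]
        elif header := next(((k, m[1]) for k, p in HEADERS if (m := re.match(p, line))), None):
            defined.add(header)
            owner = header
        else:
            for pattern, kinds in REFERENCES:
                if m := re.match(pattern, line):
                    refs += [(owner, ref) for ref in zip(kinds, m.groups())]
                    break
    undefined = sorted({(" ".join(o) if o else "(global)", k, n)
                        for o, (k, n) in refs if (k, n) not in defined})
    used = {ref for _, ref in refs}
    # Service policies are referenced from RADIUS, not from the configuration.
    unused = sorted(d for d in defined - used if d[0] != "service-policy")
    return undefined, unused
```

Each entry of `undefined` is (section holding the reference, kind, name); `unused` lists defined objects that nothing in the file refers to.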

Configuration Files
● BRAS1 configuration file
#
sysname BRAS1
#
license
active nat session-table size 16 slot 3 engine 0
active nat session-table size 16 slot 10 engine 0
active nat bandwidth-enhance slot 3 engine 0
active nat bandwidth-enhance slot 10 engine 0
#
radius local-ip all
#
radius-attribute hw-policy-name support-type edsg
#
radius-server group rd1
radius-server shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^%
#
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server class-as-car
radius-server calling-station-id include mac
radius-server user-name original
#
radius-server authorization 192.168.8.249 shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^% server-group rd1
#
service-location 1
location slot 3 engine 0 backup slot 10 engine 0
#
service-location 2
location slot 10 engine 0 backup slot 3 engine 0
#
service-instance-group nat444-group1
service-location 1
#
service-instance-group nat444-group2
service-location 2
#
nat instance nat444-1 id 1
service-instance-group nat444-group1
port-range 4096
nat address-group pppoe-public-1 group-id 1
section 0 10.1.1.0 mask 24
section 1 10.3.1.0 mask 24
nat outbound 2011 address-group pppoe-public-1
nat alg all
nat filter mode full-cone
#
nat instance nat444-2 id 1
service-instance-group nat444-group2
port-range 4096
nat address-group pppoe-public-2 group-id 1
section 0 10.1.1.0 mask 24
section 1 10.3.1.0 mask 24
nat outbound 2011 address-group pppoe-public-2
nat alg all
nat filter mode full-cone
#
user-group pppoe-nat-1
user-group pppoe-nat-2
#
ip pool pool_v4 bas local
gateway 172.16.0.1 255.255.255.0
section 0 172.16.0.2 172.16.0.200
dns-server 10.179.155.161 10.179.155.177
#
ipv6 prefix pre_nd delegation
prefix 2001:DB8:1::/48
slaac-unshare-only
#
ipv6 pool pool_nd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_nd
#
ipv6 prefix pre_pd delegation
prefix 2001:DB8:2::/48
pd-unshare-only
#
ipv6 pool pool_pd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_pd
#
value-added-service enable
#
service-group edsg
#
acl number 6100
description edsg
rule 5 permit ip source service-group edsg destination ip-address 192.168.100.0 0.0.0.255
rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group edsg
#
acl ipv6 number 6100
rule 5 permit ipv6 source service-group edsg destination ipv6-address 2001:DB8::/32
rule 10 permit ipv6 source ipv6-address 2001:DB8::/32 destination service-group edsg
#
acl number 6000
description for_pppoe-nat-1
rule 5 permit ip source user-group pppoe-nat-1
#
acl number 6001
description for_pppoe-nat-2
rule 5 permit ip source user-group pppoe-nat-2
#
acl number 6002
description for_pppoe-no-nat
rule 5 permit ip source user-group pppoe-nat-2 destination ip-address 192.168.200.0 0.0.0.255
rule 10 permit ip source user-group pppoe-nat-2 destination ip-address 10.168.200.0 0.0.0.255
#
dhcpv6 duid 00010001280ef7a400e0fc904b50
#
traffic classifier edsg-c1 operator or
if-match acl 6100 precedence 1
if-match ipv6 acl 6100 precedence 2
#
traffic classifier nat-c1 operator or
if-match acl 6000 precedence 1
#
traffic classifier nat-c2 operator or
if-match acl 6001 precedence 1
#
traffic classifier no-nat operator or
if-match acl 6002 precedence 1
#
traffic behavior edsg-b1
#
traffic behavior nat-b1
nat bind instance nat444-1
#
traffic behavior nat-b2
nat bind instance nat444-2
#
traffic behavior no-nat
#
traffic policy p1
share-mode
classifier edsg-c1 behavior edsg-b1 precedence 1
classifier no-nat behavior no-nat precedence 2
classifier nat-c1 behavior nat-b1 precedence 3
classifier nat-c2 behavior nat-b2 precedence 4
#
aaa
#
authentication-scheme auth1
authentication-mode radius
#
authentication-scheme none
authentication-mode none
#
accounting-scheme acct1
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
prefix-assign-mode unshared
ip-pool pool_v4
ipv6-pool pool_nd
ipv6-pool pool_pd
user-group pppoe-nat-1 bind nat instance nat444-1
user-group pppoe-nat-2 bind nat instance nat444-2
accounting-start-delay 10 online user-type ppp
accounting-start-delay traffic-forward before-start-accounting
user-basic-service-ip-type ipv4
#
interface Virtual-Template5
ppp authentication-mode chap
#
interface Eth-Trunk2
mode lacp-static
lacp timeout fast
#
interface Eth-Trunk2.10
ipv6 enable
ipv6 address auto link-local
statistic enable
pppoe-server bind Virtual-Template 5
user-vlan 1000 4000 qinq 2000 2001
bas
#
access-type layer2-subscriber default-domain authentication isp1
client-option82 basinfo-insert cn-telecom
access-delay 100 even-mac
#
#
interface GigabitEthernet0/1/0
undo shutdown
ipv6 enable
ip address 10.2.1.1 255.255.255.0
ipv6 address 2001:DB8:8::7/128
ipv6 address auto link-local
#
traffic-policy p1 inbound
traffic-policy p1 outbound
#
service-policy name service_edsg1 edsg
authentication-scheme none
accounting-scheme acct1
radius-server group rd1
service-group edsg
rate-limit cir 100000 pir 100000 inbound
rate-limit cir 100000 pir 100000 outbound
#
bgp 65008
#
ipv4-family unicast
network 0 10.1.1.0 255.255.255.0
network 0 10.3.1.0 255.255.255.0
#
return
● BRAS2 configuration file
#
sysname BRAS2
#
license
active nat session-table size 16 slot 3 engine 0
active nat session-table size 16 slot 10 engine 0
active nat bandwidth-enhance slot 3 engine 0
active nat bandwidth-enhance slot 10 engine 0
#
radius local-ip all
#
radius-attribute hw-policy-name support-type edsg
#
radius-server group rd1
radius-server shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^%
#
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server class-as-car
radius-server calling-station-id include mac
radius-server user-name original
#
radius-server authorization 192.168.8.249 shared-key-cipher %^%#e,yC%f9z4M2)b)2~r+lA{$g*Fzc+5/bu7VHAN<%(%^% server-group rd1
#
service-location 1
location slot 3 engine 0 backup slot 10 engine 0
#
service-location 2
location slot 10 engine 0 backup slot 3 engine 0
#
service-instance-group nat444-group1
service-location 1
#
service-instance-group nat444-group2
service-location 2
#
nat instance nat444-1 id 1
service-instance-group nat444-group1
port-range 4096
nat address-group pppoe-public-1 group-id 1
section 0 10.1.1.0 mask 24
section 1 10.3.1.0 mask 24
nat outbound 2011 address-group pppoe-public-1
nat alg all
nat filter mode full-cone
#
nat instance nat444-2 id 1
service-instance-group nat444-group2
port-range 4096
nat address-group pppoe-public-2 group-id 1
section 0 10.1.1.0 mask 24
section 1 10.3.1.0 mask 24
nat outbound 2011 address-group pppoe-public-2
nat alg all
nat filter mode full-cone
#
user-group pppoe-nat-1
user-group pppoe-nat-2
#
ip pool pool_v4 bas local
gateway 172.16.0.1 255.255.255.0
section 0 172.16.0.2 172.16.0.200
dns-server 10.179.155.161 10.179.155.177
#
ipv6 prefix pre_nd delegation
prefix 2001:DB8:1::/48
slaac-unshare-only
#
ipv6 pool pool_nd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_nd
#
ipv6 prefix pre_pd delegation
prefix 2001:DB8:2::/48
pd-unshare-only
#
ipv6 pool pool_pd bas delegation
dns-server 2001:DB8::2:2 2001:DB8::2:3
prefix pre_pd
#
value-added-service enable
#
service-group edsg
#
acl number 6100
description edsg
rule 5 permit ip source service-group edsg destination ip-address 192.168.100.0 0.0.0.255
rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group edsg
#
acl ipv6 number 6100
rule 5 permit ipv6 source service-group edsg destination ipv6-address 2001:DB8::/32
rule 10 permit ipv6 source ipv6-address 2001:DB8::/32 destination service-group edsg
#
acl number 6000
description for_pppoe-nat-1
rule 5 permit ip source user-group pppoe-nat-1
#
acl number 6001
description for_pppoe-nat-2
rule 5 permit ip source user-group pppoe-nat-2
#
acl number 6003
description for_pppoe-no-nat
rule 5 permit ip source user-group pppoe-nat-2 destination ip-address 192.168.200.0 0.0.0.255
rule 10 permit ip source user-group pppoe-nat-2 destination ip-address 10.168.200.0 0.0.0.255
#
dhcpv6 duid 00010001280ef7a400e0fc904b50
#
traffic classifier edsg-c1 operator or
if-match acl 6100 precedence 1
if-match ipv6 acl 6100 precedence 2
#
traffic classifier nat-c1 operator or
if-match acl 6000 precedence 1
#
traffic classifier nat-c2 operator or
if-match acl 6001 precedence 1
#
traffic classifier no-nat operator or
if-match acl 6002 precedence 1
#
traffic behavior edsg-b1
#
traffic behavior nat-b1
nat bind instance nat444-1
#
traffic behavior nat-b2
nat bind instance nat444-1
#
traffic behavior no-nat
#
traffic policy p1
share-mode
classifier edsg-c1 behavior edsg-b1 precedence 1
classifier no-nat behavior no-nat precedence 2
classifier nat-c1 behavior nat-b1 precedence 3
classifier nat-c2 behavior nat-b1 precedence 4
#
aaa
#
authentication-scheme auth1
authentication-mode radius
#
authentication-scheme none
authentication-mode none
#
accounting-scheme acct1
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
prefix-assign-mode unshared
ip-pool pool_v4
ipv6-pool pool_nd
ipv6-pool pool_pd
user-group pppoe-nat-1 bind nat instance nat444-1
user-group pppoe-nat-2 bind nat instance nat444-2
accounting-start-delay 10 online user-type ppp

accounting-start-delay traffic-forward before-start-accounting
user-basic-service-ip-type ipv4
#
interface Virtual-Template5
ppp authentication-mode chap
#
interface Eth-Trunk2
mode lacp-static
lacp timeout fast
#
interface Eth-Trunk2.10
ipv6 enable
ipv6 address auto link-local
statistic enable
pppoe-server bind Virtual-Template 5
user-vlan 1000 4000 qinq 2000 2001
bas
#
access-type layer2-subscriber default-domain authentication isp1
client-option82 basinfo-insert cn-telecom
access-delay 100 odd-mac
#
#
interface GigabitEthernet0/1/0
undo shutdown
ipv6 enable
ip address 10.4.1.1 255.255.255.0
ipv6 address 2001:DB8:9::7/128
ipv6 address auto link-local
#
traffic-policy p1 inbound
traffic-policy p1 outbound
#
service-policy name service_edsg1 edsg
authentication-scheme none
accounting-scheme acct1
radius-server group rd1
service-group edsg
rate-limit cir 100000 pir 100000 inbound
rate-limit cir 100000 pir 100000 outbound
#
bgp 65008
#
ipv4-family unicast
network 0 10.1.1.0 255.255.255.0
network 0 10.3.1.0 255.255.255.0
#
return
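
A reference check for the ACL, classifier and behavior sections of the configuration file above, added here as an example (not Huawei code; the kind labels and function names are assumptions). On an excerpt of the listing it reports that classifier no-nat matches ACL 6002 while the listing shown here defines ACL 6003, and that behavior nat-b2 is never used by traffic policy p1.

```python
import re
# (kind, pattern) pairs: the command that defines an object and the one that references it.
DEFS = [("acl6", r"^acl ipv6 number (\d+)"),
        ("acl", r"^acl number (\d+)"),
        ("classifier", r"^traffic classifier (\S+)"),
        ("behavior", r"^traffic behavior (\S+)")]
REFS = [("acl6", r"^if-match ipv6 acl (\d+)"),
        ("acl", r"^if-match acl (\d+)"),
        ("classifier", r"^classifier (\S+) behavior"),
        ("behavior", r"^classifier \S+ behavior (\S+)")]

def collect(patterns, lines):
    """Return the set of (kind, name) pairs matched by any of the patterns."""
    return {(kind, m.group(1)) for line in lines
            for kind, pat in patterns if (m := re.search(pat, line))}

def audit(config):
    """Return (referenced but not defined, defined but not referenced), each sorted."""
    lines = [l.strip() for l in config.splitlines()]
    defined, used = collect(DEFS, lines), collect(REFS, lines)
    return sorted(used - defined), sorted(defined - used)

# Constructed excerpt: a subset of lines copied from the listing above (the nat-c2 lines are left out).
SAMPLE = """\
acl number 6100
acl ipv6 number 6100
acl number 6000
acl number 6003
traffic classifier edsg-c1 operator or
 if-match acl 6100 precedence 1
 if-match ipv6 acl 6100 precedence 2
traffic classifier nat-c1 operator or
 if-match acl 6000 precedence 1
traffic classifier no-nat operator or
 if-match acl 6002 precedence 1
traffic behavior edsg-b1
traffic behavior nat-b1
traffic behavior nat-b2
traffic behavior no-nat
traffic policy p1
 classifier edsg-c1 behavior edsg-b1 precedence 1
 classifier no-nat behavior no-nat precedence 2
 classifier nat-c1 behavior nat-b1 precedence 3
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A classifier that points at an undefined ACL leaves the intended traffic unmatched, so a check like this is worth running before a policy is applied to an interface.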
