
6.2 CLI - Example for Accessing the Internet Through IPv4 PPPoE


This section provides an example of configuring the device, working as a PPPoE client, to obtain an IP address by dialing up to a carrier server over PPPoE and then to access the Internet.

Networking Requirements
As shown in Figure 6-2, the FW provides an Internet outlet for the PCs on the LAN. The enterprise network is planned as follows:
- All PCs on the LAN are deployed on the network segment 10.1.1.0/24 and obtain IP addresses dynamically through DHCP.
- The device connects to all PCs of the enterprise through the downlink.
- The device applies for the carrier's Internet service through the uplink. The Internet access service is provided using the PPPoE protocol.
Based on the preceding requirements, specify the FW as a PPPoE client. After the client obtains IP and DNS addresses from the carrier's server, intranet users can access the Internet.
Figure 6-2 Networking diagram for Internet access through PPPoE

In this example, the information provided by the carrier is for reference only.

Data                                      Description

Interface number: GigabitEthernet 1/0/1   The device obtains IP and DNS addresses from the PPPoE server
Security zone: untrust                    (deployed by the carrier) through dial-up.
- Dial-up user name: user
- Dial-up password: password

Interface number: GigabitEthernet 1/0/3   DHCP is used to dynamically assign IP addresses to the PCs on
IP address: 10.3.0.1/24                   the LAN.
Security zone: trust

Configuration Roadmap
1. Configure the downlink.
Enable the DHCP server on interface GigabitEthernet 1/0/3 so that it dynamically assigns IP addresses to the PCs, and specify the IP address of GigabitEthernet 1/0/3 as the gateway and DNS server address for the PCs.
PCs usually need domain name resolution to access the Internet, so a DNS server must be specified. In this example, the FW works as a DNS relay.
2. Configure the uplink and use PPPoE to obtain IP and DNS addresses.
3. Add the interfaces to security zones and configure security policies.
Add the interface connected to the LAN to a high-priority security zone (the trust zone) and the uplink interface connected to the Internet to a low-priority security zone (the untrust zone).
4. The IP addresses used on the LAN are private IP addresses, which NAT translates into public IP addresses for Internet access when required. In this example, the uplink interface obtains its IP address by dialing up, and the address obtained may differ for each dial-up connection. Easy IP is therefore recommended.

Procedure
1. Configure the IP address of interface GigabitEthernet 1/0/3.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.128
[FW-GigabitEthernet1/0/3] quit

2. Assign the interfaces to security zones.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit

3. Configure the device as a DHCP server to assign IP addresses to the PCs on the LAN.
# Enable DHCP.
[FW] dhcp enable

# Create an interface address pool on the interface and specify the DNS server for the intranet PCs.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server ip-range 10.3.0.1 10.3.0.125
[FW-GigabitEthernet1/0/3] dhcp server dns-list 9.9.9.9
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/3] quit

4. Configure interface GigabitEthernet 1/0/1 to obtain IP and DNS addresses using PPPoE.
[FW] dialer-rule 1 ip permit
[FW] interface Dialer 1
[FW-Dialer1] link-protocol ppp
[FW-Dialer1] dialer user PPPOE
[FW-Dialer1] ip address ppp-negotiate
[FW-Dialer1] ppp ipcp dns admit-any
[FW-Dialer1] dialer-group 1
[FW-Dialer1] dialer bundle 1
[FW-Dialer1] ppp pap local-user PPPOE password cipher PPPOE
[FW-Dialer1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface Dialer 1
[FW-zone-untrust] quit
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv4
[FW-GigabitEthernet1/0/1] quit

5. Configure a security policy to allow the intranet PCs to access the Internet.
[FW] security-policy
[FW-security-policy] rule name policy_sec_1
[FW-security-policy-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.128
[FW-security-policy-policy_sec_1] source-zone trust
[FW-security-policy-policy_sec_1] destination-zone untrust
[FW-security-policy-policy_sec_1] action permit
[FW-security-policy-policy_sec_1] quit
[FW-security-policy] quit

6. Configure a NAT policy to allow intranet users to access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.128
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface dialer 1
[FW-policy-nat-rule-policy_nat_1] action nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit

7. Configure a default route to ensure that LAN users are routable to the Internet. The next hop is the gateway address assigned by the carrier to the enterprise.
[FW] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

Verification
1. Display detailed information about GigabitEthernet 1/0/1 and check whether the physical state and the IPv4 state of the interface are Up.
[FW] display interface GigabitEthernet 1/0/1
GigabitEthernet 1/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet 1/0/1 current firewall zone : untrust
Description : GigabitEthernet 1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 1.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-a101
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, full-duplex mode, link type is auto negotiation
max-bandwidth : 100000 Kbps
Max input bit rate:528530448 bits/sec at 2015-05-07 12:53:46
Max output bit rate:5280418 bits/sec at 2015-05-07 12:54:26
Max input packet rate:750753 packets/sec at 2015-05-07 22:43:46
Max output packet rate:7843 packets/sec at 2015-05-07 22:53:58
Last 300 seconds input rate 8 bytes/sec, 0 packets/sec
Last 300 seconds output rate 8 bytes/sec, 0 packets/sec
Input: 1149 packets, 99478 bytes
12 unicasts, 4 broadcasts, 1133 multicasts, 0 pauses
0 overruns, 0 runts, 0 jumbos, 0 FCS errors
0 length errors, 0 code errors, 0 align errors
0 fragment errors, 0 giants, 0 jabber errors
0 dribble condition detected, 0 other errors
Output: 1104 packets, 94646 bytes
7 unicasts, 10 broadcasts, 1087 multicasts, 0 pauses
0 underruns, 0 runts, 0 jumbos, 0 FCS errors
0 fragment errors, 0 giants, 0 jabber errors
0 collisions, 0 late collisions
0 ex. collisions, 0 deferred, 0 other errors

2. Check whether the PPPoE state of the FW is up, and check that the number of PPPoE session output packets (OutP) is not 0.
[FW] display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 GE1/0/1 00e0fc0254f3 00049a23b050 PPPUP
[FW] display pppoe-client session packet
17:17:05 2015/11/28
PPPoE Client Session:
ID InP InO InD OutP OutO OutD
0 0 0 0 254 7620 0

3. On a LAN PC, run the ipconfig /all command to check whether the private IP and DNS addresses have been configured correctly for the network adapter. The following uses Windows XP as an example.
Ethernet adapter Local:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-1B-21-B4-0B-35
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.3.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.3.0.1
DHCP Server . . . . . . . . . . . : 10.3.0.1
DNS Servers . . . . . . . . . . . : 9.9.9.9
Lease Obtained. . . . . . . . . . : 2012-8-2 9:38:14
Lease Expires . . . . . . . . . . : 2012-8-13 9:38:14

4. Check whether the LAN PCs can access domain names on the Internet. If so, the configurations are correct. If not, check and correct the configurations.

Configuration Script
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 24
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
dhcp enable
#
interface Dialer1
link-protocol ppp
ppp chap user user
ppp chap password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp pap local-user user password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user user
dialer bundle 1
dialer-group 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
source-address 10.3.0.0 24
egress-interface dialer 1
action nat easy-ip
#
return
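The procedure and configuration script above spread one design across several blocks (interface mask, DHCP range, policy source-address, NAT egress interface, default route, zone membership) that must agree for Easy IP to work as intended. The following added example, not Huawei's code, parses a VRP-style script and audits that agreement; the embedded input is abridged from the procedure above, and the "bad" variant models narrowing the LAN mask to /25 (as the procedure does) while leaving both policies at the /24 of the data table. Requires Python 3.8+.

```python
"""Consistency audit for the PPPoE client / Easy IP configuration above.
Added example, not Huawei's code: it parses the VRP-style script (blocks
separated by '#') and checks that the trust-side LAN subnet, DHCP range,
policy source-address, NAT egress interface and default route agree."""
import ipaddress
import re

# Abridged from the procedure above (constructed input, VRP indentation).
FW_CONFIG = """\
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.128
 dhcp server ip-range 10.3.0.1 10.3.0.125
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 25
  action permit
#
nat-policy
 rule name policy_nat_1
  egress-interface dialer 1
  source-address 10.3.0.0 25
  action nat easy-ip
#
"""

def canon(ifname):
    """'Dialer 1', 'dialer 1' and 'Dialer1' name the same interface on VRP."""
    return ifname.replace(" ", "").lower()

def to_network(addr, mask):
    """VRP writes masks either dotted ('255.255.255.128') or as a length ('25')."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def blocks(text):
    """Split the script on lines consisting of just '#' (VRP's block separator)."""
    for chunk in re.split(r"^\s*#\s*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines

def parse_vrp(text):
    """Pull out only the fields the audit needs; everything else is ignored."""
    cfg = {"interfaces": {}, "zones": {}, "default_route": None, "rules": {}}
    for head, *body in blocks(text):
        if head.startswith("interface "):
            entry = cfg["interfaces"].setdefault(canon(head[10:]), {})
            for line in body:
                if m := re.match(r"ip address (\S+) (\S+)$", line):
                    entry["network"] = to_network(m[1], m[2])
                elif m := re.match(r"dhcp server ip-range (\S+) (\S+)$", line):
                    entry["dhcp"] = tuple(ipaddress.IPv4Address(a) for a in m.groups())
        elif head.startswith("firewall zone "):
            cfg["zones"][head.split()[-1]] = {canon(l[14:]) for l in body if l.startswith("add interface ")}
        elif m := re.match(r"ip route-static 0\.0\.0\.0 0\.0\.0\.0 (.+)$", head):
            cfg["default_route"] = canon(m[1])
        elif head in ("security-policy", "nat-policy"):
            rule = None
            for line in body:
                if line.startswith("rule name "):
                    rule = cfg["rules"].setdefault(f"{head}/{line.split()[-1]}", {})
                elif rule is not None and (m := re.match(r"source-address (\S+) (\S+)$", line)):
                    rule["source"] = to_network(m[1], m[2])
                elif rule is not None and (m := re.match(r"egress-interface (.+)$", line)):
                    rule["egress"] = canon(m[1])
    return cfg

def audit(cfg, lan_if="GigabitEthernet1/0/3"):
    """Return findings as strings; an empty list means the pieces agree."""
    lan = cfg["interfaces"].get(canon(lan_if), {})
    net = lan.get("network")
    if net is None:
        return [f"{lan_if}: no IP address configured"]
    findings = []
    if "dhcp" in lan and not all(a in net for a in lan["dhcp"]):
        findings.append(f"{lan_if}: DHCP range {lan['dhcp'][0]}-{lan['dhcp'][1]} is outside {net}")
    for name, rule in cfg["rules"].items():
        # A source-address wider than the LAN permits (and NATs) more than the intranet.
        if "source" in rule and not rule["source"].subnet_of(net):
            findings.append(f"{name}: source-address {rule['source']} is wider than LAN {net}")
        if "egress" in rule and rule["egress"] != cfg["default_route"]:
            findings.append(f"{name}: egress-interface {rule['egress']} is not the default-route interface")
    if cfg["default_route"] not in cfg["zones"].get("untrust", set()):
        findings.append(f"default-route interface {cfg['default_route']} is not in zone untrust")
    if canon(lan_if) not in cfg["zones"].get("trust", set()):
        findings.append(f"{lan_if} is not in zone trust")
    return findings

if __name__ == "__main__":
    print(audit(parse_vrp(FW_CONFIG)))  # [] : the example is self-consistent
    print(audit(parse_vrp(FW_CONFIG.replace("10.3.0.0 25", "10.3.0.0 24"))))  # two "wider than LAN" findings
```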

PPPOE was used in place of user.

Info: The password is less complex. The password length should not be less than 6. The password should contain two types of characters from the following four groups: uppercase letters <A-Z>; lowercase letters <a-z>; digits <0-9>; symbols (all characters not defined as letters or digits), such as !, $, # and %. The password should not be related to the spelling of the user name.
<FW1>dis ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 6
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 7

Interface IP Address/Mask Physical Protocol
Dialer1 1.1.1.254/32 up up(s)
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 unassigned down down
GigabitEthernet1/0/1 unassigned up down
GigabitEthernet1/0/2 unassigned down down
GigabitEthernet1/0/3 10.3.0.1/25 up up
GigabitEthernet1/0/4 unassigned down down
GigabitEthernet1/0/5 unassigned down down
GigabitEthernet1/0/6 unassigned down down
NULL0 unassigned up up(s)
Virtual-if0 unassigned up up(s)

<FW1>

<FW1>dis interface Dialer 1


Dialer1 current state : UP
Line protocol current state : UP (spoofing)
Description:Huawei, USG6000V1 Series, Dialer1 Interface
Route Port,The Maximum Transmit Unit is 1492, Hold timer is 10(sec)
Internet Address is negotiated, 1.1.1.254/32 Link layer protocol is PPP
LCP stopped
Physical is Dialer
Current system time: 2019-04-11 04:23:22
Last 300 seconds input rate 40 bits/sec, 0 packets/sec
Last 300 seconds output rate 40 bits/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bits/sec, 0 packets/sec
Input: 3878 bytes
Output:3832 bytes
Input bandwidth utilization : 0.06%
Output bandwidth utilization : 0.06%
Bound to Dialer1:0
Dialer1:0 current state : UP
Line protocol current state : UP
Link layer protocol is PPP
LCP opened, IPCP opened

Local still needs to be configured for ping from FW1.

<FW1>dis pppoe-client session summary


PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 GE1/0/1 00e0fcdd4284 00e0fcea52dd PPPUP
<FW1>

<SERV>dis pppoe-server session all


SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template10:0 UP GE0/0/0 00e0.fcdd.4284 00e0.fcea.52dd

<SERV>
Web page request from the web client PC to the web server
<FW1>dis firewall session table
Current Total Sessions : 2
http VPN: public --> public 10.3.0.126:2052[1.1.1.254:2050] --> 8.8.8.8:80
dns VPN: public --> public 10.3.0.126:49153[1.1.1.254:2051] --> 9.9.9.9:53
<FW1>

FW1 Configuration
#
sysname FW1
#
#
dialer-rule 1 ip permit
#
#
interface Dialer1
link-protocol ppp
ppp pap local-user PPPOE password cipher %$%$.p1/1d-BuE^wq@PE,'YS}Pb}%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user PPPOE
dialer bundle 1
dialer-group 1
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.128
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.125
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 25
action permit
rule name local_to_untrust
destination-zone untrust
action permit
#
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface Dialer1
source-address 10.3.0.0 25
action nat easy-ip
#
#
return
<FW1>

SERV Router Configuration


#
sysname SERV
#
#
ip pool PPPOE
gateway-list 1.1.1.1
network 1.1.1.0 mask 255.255.255.0
dns-list 9.9.9.9
#
#
aaa
local-user pppoe password cipher %$%$YBcVBvj`,&YB`#E#OzPAOJxO%$%$
local-user pppoe service-type ppp
#

#
interface Virtual-Template10
remote address pool PPPOE
ip address unnumbered interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0
pppoe-server bind Virtual-Template 10
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 8.8.8.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 9.9.9.1 255.255.255.0
#
#
ip route-static 1.1.1.0 255.255.255.0 Virtual-Template10
#
#
return
<SERV>

Capture on giga 2/0/0 of SERV
When the web client connects to the web server

Capture on giga 1/0/3 of FW1
When the web client connects to the web server

Capture on giga 1/0/1 of FW1
When the web client connects to the web server

Capture on giga 1/0/3 of FW1
When PC-1 connects to FW1 requesting an IP address and a DNS IP address, there is no request to the DNS server.

8.7 PPP
This section describes Point-to-Point Protocol (PPP) concepts and how to configure PPP.

8.7.1 Overview
The Point-to-Point Protocol (PPP) is a data link-layer protocol used to transmit and encapsulate network layer packets
on point-to-point (P2P) links.

Definition
A P2P connection is a simple WAN connection. Link layer protocols for P2P links are as follows:
- PPP: supports both synchronous and asynchronous transmission.
- High-level Data Link Control protocol (HDLC): only supports synchronous transmission.
PPP defines a set of protocols:
- Link Control Protocol (LCP): used to establish, monitor, and terminate data links.
- Network Control Protocol (NCP): used to establish and configure different network layer protocols and negotiate the format and type of packets transmitted over data links.
- Authentication protocols: include Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP).

Objective
Located at the data link layer of the Open Systems Interconnection (OSI) model, PPP supports both synchronous and asynchronous full-duplex links to transmit data. PPP is widely used because it has the following advantages:
- Provides user authentication.
- Supports synchronous and asynchronous communications.
- Is easily expanded.

8.7.2 Mechanism
This section describes the mechanism of Point-to-Point Protocol (PPP).
PPP Operation Process
Two devices establish a PPP link after they negotiate parameters using the following PPP protocols:
- Link Control Protocol (LCP): establishes, monitors, and tears down PPP data links and determines data link layer parameters, such as the maximum receive unit (MRU) and authentication mode.
- Network Control Protocol (NCP): used by devices to negotiate formats and types of packets transmitted on data links and IP addresses.
PPP-enabled devices on two ends of a link must send LCP packets to set up a P2P link.
After the LCP configuration parameters have been negotiated, the two communicating devices choose the
authentication mode according to the authentication parameters in the Configure-Request packets.
By default, the devices on the two ends do not authenticate each other. After the negotiation of the LCP configuration
parameters, the devices negotiate NCP configuration parameters without any authentication. After all the negotiations,
the two devices on the P2P link can transmit network-layer packets, and the whole link is available.
A link is torn down and a PPP session ends if one of the following situations occurs:
- The device on either end receives an LCP or an NCP Terminate frame that aims at closing the link.
- The physical layer cannot detect a carrier.
- The network administrator shuts down the link.
NCP does not have the capability to close a link. The packets used to close the link are generated during the LCP
negotiation phase or application session phase.
Figure 8-71 shows the setup process of a PPP session and status transition.
Figure 8-71 PPP operation process

The PPP operation process is described as follows:

- The Link Establishment phase is the first phase of setting up a PPP link.
- LCP negotiation is performed, during which the working mode, MRU, authentication mode, magic number, and asynchronous character mapping are negotiated. The working mode can be Single-link PPP (SP) or Multilink PPP (MP). If the LCP negotiation is successful, the LCP status turns to Opened.
- If no authentication is configured, the communicating devices directly enter the NCP negotiation phase. If authentication is configured, the communicating devices enter the Authentication phase and perform CHAP or PAP authentication.
- If the authentication fails, the devices enter the Terminate phase and disconnect the link, and the LCP status becomes Down. If the authentication is successful, the devices enter the NCP negotiation phase. The LCP status remains Opened, while the NCP status changes from Initial to Starting.
- The devices run an NCP protocol to negotiate parameters. The NCP suite includes the Internet Protocol Control Protocol (IPCP), Multiprotocol Label Switching Control Protocol (MPLSCP), and Open System Interconnection Control Protocol (OSICP). Devices run IPCP to negotiate IP addresses. A network layer protocol is selected during NCP negotiation. The network layer protocol sends packets over the PPP link only after negotiation of the network layer protocol is successful.
- The PPP link remains Up until an LCP or NCP frame is generated to close the link or traffic is interrupted.
A PPP link undergoes the following phases:
- Link Dead phase
The Link Dead phase is also called the unavailable phase. During this phase, there is no physical layer link established between two devices. PPP link setup always begins and ends with the Link Dead phase.
After the communicating devices on both ends detect that a physical link is activated (generally, the carrier signal is detected on the link), the devices enter the Link Establishment phase.
If a link is in the Link Dead phase, the LCP status is Initial or Starting. After the link becomes available, the LCP status changes.
After a link is torn down, the link returns to the Link Dead phase. In real-world situations, this state does not last long and is only used to detect the existence of a peer device.
- Link Establishment phase
The Link Establishment phase is the most complex PPP phase.
The two devices on both ends of a PPP link exchange packets, which do not include network layer protocol parameters. Both devices then enter the Authentication or Network-Layer Protocol phase.
In the Link Establishment phase, the LCP state machine changes twice:
  - If the link is Up, the physical layer sends an Up event in a packet to the data link layer. The data link layer changes the LCP status to Request-Sent. LCP then sends Configure-Request packets to configure a data link.
  - After one end receives the Configure-Ack packet, the LCP status changes to Opened. The link enters the next phase.
Note that the link configurations on both ends are mutually independent. In the Link Establishment phase, devices discard non-LCP packets.
- Authentication phase
Authentication is performed before devices on both ends enter the Network-Layer Protocol phase.
PPP authentication is disabled by default. To enable authentication, specify an authentication protocol in the Link Establishment phase.
PPP authentication is used on the following two types of links:
  - Non-leased lines between hosts and devices
  - Leased lines
PPP provides the following two authentication modes:
  - PAP: Password Authentication Protocol
  - CHAP: Challenge-Handshake Authentication Protocol
The authentication mode used is determined by the negotiation performed during the Link Establishment phase. Link quality detection is also performed in the Link Establishment phase. According to the PPP protocol, detection delays the authentication process by a specified period of time.
Link control protocol, authentication protocol, and quality detection packets are accepted in the Authentication phase; packets of other types are discarded. If a device receives a Configure-Request packet in the Authentication phase, the link returns to the Link Establishment phase.
- Network-Layer Protocol phase
Network protocols, such as IP, IPX, and AppleTalk, are negotiated using NCPs, which can be enabled or disabled during any phase. After an NCP state machine turns to Opened, PPP links can transmit network layer packets.
If a device receives a Configure-Request packet in the Network-Layer Protocol phase, the device and its peer device enter the Link Establishment phase.
- Termination phase
PPP can terminate links at any time. In addition, a network administrator can manually disconnect links. Carrier connection loss, authentication failures, or link-quality detection failures can cause link disconnections. When devices exchange LCP Terminate frames during the Link Establishment phase, the link in question is torn down. Therefore, NCP does not need to close a PPP link.

PAP
PAP supports two-way handshake authentication and simple passwords. The authentication process is performed in the
Link Establishment phase.
After the Link Establishment phase is complete, the user name and password of a supplicant are repeatedly sent to the
authenticator until authentication is successful or the link is ended.
PAP authentication is the optimal option when a password transmitted in plain text must be used to simulate logging
into a remote host.
Figure 8-72 shows the PAP authentication process.
Figure 8-72 PAP authentication process

The PAP authentication process is as follows:


1. The supplicant sends the local user name and password to the authenticator.
2. The authenticator checks the user list for the user name and whether the password is correct and returns an
appropriate response.
PAP is an unsecured protocol. Simple passwords are sent over links. After a PPP link is established, the supplicant
repeatedly sends the user name and password until authentication is complete, which could leave the system vulnerable
to malicious attacks.

CHAP
CHAP is a three-way handshake authentication protocol. CHAP authentication only allows user names to be
transmitted over a network. Compared with PAP, CHAP provides higher security because passwords are not
transmitted.
CHAP authentication is generally performed before the link is set up. However, it can be performed at any time using
CHAP negotiation packets.
After the Link Establishment phase ends, an authenticator sends a Challenge packet to a supplicant. After performing
the "one-way hash" algorithm, the supplicant returns a calculated value to the authenticator.
The authenticator compares the value it itself has calculated using the hash algorithm with the value provided by the
supplicant. If the two values match, authentication is successful. If the values do not match, the authentication fails,
and the link is torn down.
Figure 8-73 shows the CHAP authentication process.
Figure 8-73 CHAP authentication process

CHAP authentication is performed in either of the following modes:
- Unidirectional: One end acts as the authenticator, while the other end acts as a supplicant.
- Bidirectional: Two ends act as both the authenticator and supplicant.
Unidirectional authentication is usually used.
There are two possible scenarios for unidirectional CHAP authentication: the authenticator is configured with a user
name and the authenticator is not configured with a user name. Configuring a user name for the authenticator is
recommended for improved connection security.
- When the authenticator is configured with a user name, the authentication process is as follows:
1. The authenticator sends a randomly generated Challenge packet and the host name to the supplicant.
2. The supplicant searches for the local password in the local user list according to the user name of the
authenticator. Based on the found password and the Challenge packet, a supplicant obtains a value
calculated using the message digest algorithm 5 (MD5) algorithm. The supplicant then sends its host
name and the calculated value in a response packet to the authenticator.
3. After receiving the response packet, the authenticator searches for the supplicant's password in the local
user list based on the supplicant's host name.
- When the authenticator is not configured with a user name, the authentication process is as follows:
1. The authenticator sends the Challenge packet to a supplicant.
2. The supplicant uses the message digest algorithm 5 (MD5) algorithm to calculate a value based on the
local password and the Challenge packet. The supplicant then sends its host name and the calculated value
in a response packet to the authenticator.
3. The authenticator searches for the supplicant's password in the local user list based on the supplicant's
host name.
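The PAP and CHAP sections above describe what crosses the link in each case; the following added example (not from the manual) encodes a PAP Authenticate-Request per RFC 1334 and a CHAP Challenge/Response exchange per RFC 1994 (MD5 over Identifier, secret and Challenge Value), modelling both CHAP cases from the text: an authenticator that sends its host name in the Challenge, so the supplicant looks the password up under that name, and one that sends no name, so the supplicant uses its locally configured password. Credentials, host names and the empty-Name convention for "no user name configured" are constructed assumptions.

```python
"""PAP and CHAP on the wire, following the PAP and CHAP sections above.
Added example, not from the manual: packet layouts follow RFC 1334 (PAP)
and RFC 1994 (CHAP with MD5). It shows why PAP exposes the password while
CHAP only transmits names, and models both CHAP cases from the text
(authenticator with and without a configured user name)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQ, CHAP_CHALLENGE, CHAP_RESPONSE = 1, 1, 2

def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request: Peer-ID and Password travel as plain text."""
    pid, pwd = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body

def chap_packet(code, ident, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def chap_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length].decode()

def chap_hash(ident, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Supplicant:
    """'ppp chap user <name>' plus either a local user list or 'ppp chap password'."""
    def __init__(self, name, local_users=None, password=None):
        self.name, self.local_users, self.password = name, local_users or {}, password

    def respond(self, challenge_pkt):
        code, ident, challenge, auth_name = chap_parse(challenge_pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("not a CHAP Challenge")
        # Case 1 in the text: the Challenge carries the authenticator's host name, so the
        # password is looked up under that name. Case 2: no name, use the local password.
        secret = self.local_users.get(auth_name) if auth_name else self.password
        if secret is None:
            raise LookupError(f"no password for authenticator {auth_name!r}")
        return chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, secret, challenge), self.name)

class Authenticator:
    """Local AAA user list; host_name '' models 'user name not configured' (assumption)."""
    def __init__(self, users, host_name=""):
        self.users, self.host_name = users, host_name

    def challenge(self, ident):
        value = os.urandom(16)  # fresh random Challenge Value per attempt
        return value, chap_packet(CHAP_CHALLENGE, ident, value, self.host_name)

    def verify(self, ident, challenge, response_pkt):
        code, rid, value, peer_name = chap_parse(response_pkt)
        if code != CHAP_RESPONSE or rid != ident or peer_name not in self.users:
            return False
        expected = chap_hash(ident, self.users[peer_name], challenge)
        return hmac.compare_digest(expected, value)  # constant-time compare

def run_chap(authenticator, supplicant, ident=7):
    """One unidirectional CHAP exchange; returns (success, all bytes seen on the link)."""
    challenge, chal_pkt = authenticator.challenge(ident)
    resp_pkt = supplicant.respond(chal_pkt)
    return authenticator.verify(ident, challenge, resp_pkt), chal_pkt + resp_pkt

if __name__ == "__main__":
    # Constructed credentials: the data table's 'user' / 'password' for PAP.
    print(b"password" in pap_authenticate_request(1, "user", "password"))  # True: password visible
    auth = Authenticator({"FW1": "s3cret-shared"}, host_name="SERV")
    ok, wire = run_chap(auth, Supplicant("FW1", local_users={"SERV": "s3cret-shared"}))
    print(ok, b"s3cret-shared" in wire)  # True False: only names and a hash cross the link
```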

8.7.3 Configuring PPP


PPP provides communications on point-to-point links and supports PAP and CHAP authentication.

8.7.3.1 Encapsulating the Interface with PPP


This section describes how to encapsulate the interface with PPP. You can configure an interface to use PPP encapsulation to transmit packets over a point-to-point link at the data link layer.

Procedure
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

Only the dialer interface supports PPP.


3. Configure PPP as a data link layer protocol.
link-protocol ppp

By default, PPP is used as a data link layer protocol of dialer interfaces.

8.7.3.2 Configuring PAP Authentication


This section describes how to configure Password Authentication Protocol (PAP) authentication. PAP uses simple
passwords.

Prerequisites
An NGFW functions as an authenticator and uses PAP to authenticate its peer. PAP authentication is performed locally on the authenticator or on a remote authentication server. To implement PAP authentication, configure user accounts and the authentication mode. If remote authentication is used, configure an authentication server as well. For more information about PAP authentication, see Users and Authentication.

Context
PAP uses simple passwords and is the least secure authentication protocol. After a PPP link is established, the device
to be authenticated repeatedly sends a user name and a password until authentication is complete. During PAP
authentication, the transmitted user name and password are susceptible to interception.
By default, PPP packets are not authenticated.

Procedure
- Configure an authenticator to authenticate the peer end in PAP mode.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Configure the local end to authenticate its peer end in PAP mode.
ppp authentication-mode [ chap ] pap

The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence over
PAP negotiation during LCP negotiation. If the authenticator supports neither of these two modes,
negotiation fails.
- Configure the peer end to perform PAP authentication.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Enable the local end to be authenticated by the peer end in PAP mode and send a PAP user name and a
password.
ppp pap local-user user-name password cipher password

8.7.3.3 Configuring CHAP Authentication


This section describes how to configure Challenge Handshake Authentication Protocol (CHAP) authentication. CHAP
is a three-way handshake authentication protocol.

Prerequisites
An NGFW functioning as an authenticator supports local and remote authentication. If local authentication is used, you must configure a user account and an authentication mode. If remote authentication is used, you must also configure an authentication server. For more information, see Users and Authentication.
If the NGFW is a supplicant, you must configure a user name, an authentication mode, and an authentication server if a user name is configured on the authenticator. For more information, see Users and Authentication.

Context
Devices enabled with CHAP authentication only transmit user names over a network. CHAP supports higher security
than the Password Authentication Protocol (PAP) because passwords are not transmitted.
By default, Point-to-Point Protocol (PPP) packets are not authenticated using CHAP.

Procedure
- Configure an authenticator to use CHAP to authenticate the peer end when the user name is specified.

NOTE:
When an authenticator sets a user name, it must set the same password as the authenticated end.

  - Configure an NGFW that authenticates a peer end.


1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Configure a local end to use CHAP to authenticate the peer end.


ppp authentication-mode chap [ pap ]

The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence
over PAP negotiation during Link Control Protocol (LCP) negotiation. If the authenticator does not
support CHAP or PAP, LCP negotiation between the two devices fails.
4. Specify a local user name.
ppp chap user user-name

 Configure an NGFW that is authenticated by the local NGFW.


1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Specify a local user name.


ppp chap user user-name

 Configure the authenticator to authenticate the peer end in CHAP mode if the user name is not specified.
During authentication, the authenticator searches locally configured AAA user names. If the user name and
password configured on the peer interface match those on the local end, authentication succeeds.
 Configure an NGFW that authenticates a peer end.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Configure a local end to use CHAP to authenticate the peer end.


ppp authentication-mode chap [ pap ]

The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence
over PAP negotiation during LCP negotiation. If the authenticator does not support CHAP or PAP,
LCP negotiation between the two devices fails.
 Configure an NGFW that is authenticated by the local NGFW.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Specify a local user name.


ppp chap user user-name

4. Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password

8.7.3.4 Setting PPP Negotiation Parameters


PPP negotiation parameters are available, including the negotiation timeout period, IP address negotiation, DNS server
address negotiation, and WINS server address negotiation.

Context
 Negotiation timeout period: If no response is received from the peer end within a specified interval during PPP
negotiation, PPP resends a negotiation request.
 IP address negotiation: implemented in two modes based on device roles:
 Client: When PPP is enabled on an interface, the interface IP address is not specified, and the IP address of
the peer end is specified, you can configure the IP address negotiation function for the local interface. The
local interface is assigned an IP address by the peer end during PPP negotiation. This configuration is
applicable when an NGFW accesses the Internet through an ISP network and obtains an IP address assigned
by the ISP.
 Server: Before a server assigns an IP address to a peer device, you must configure a local IP address pool
in the authentication domain view, specify the range of IP addresses in the address pool, and determine the
address pool used by an interface in the interface view.
 DNS server address negotiation: You can implement both DNS server address negotiation and PPP address
negotiation on an NGFW simultaneously. The NGFW can be configured with a DNS server address assigned
by, or provided for, the peer end.
A network access server (NAS) can allocate IP addresses to PPP users through PPP address negotiation. The address
allocation rules are as follows:
 For the user not to be authenticated:
 If the interface is configured with an IP address to be allocated to the peer, the NAS allocates the address to
the peer directly.
 If the interface is configured with an IP address in the address pool, the NAS allocates the address in the
global address pool to the peer.
 For the default domain user passing the authentication process (The default user name has two types: the name
excluding @, such as "aaa" and the name including @, such as "aaa@default"):
 If the server has delivered an IP address, the NAS directly allocates this address to the peer.
 If the server has delivered an IP address pool ID, the NAS allocates the address in the global or domain
address pool to the peer.
 If the server has not delivered an address pool ID but the interface has an IP address pool, the NAS
allocates the address in this global address pool to the peer. If the interface is configured with an IP address
pool, the NAS allocates the address in the address pool to the peer.
 For the authenticated common domain user:
 If the server has delivered an IP address, the NAS directly allocates this address to the peer.
 If the server has delivered an IP address pool ID, the NAS allocates the address in the domain address pool
to the peer.
 If the server has not delivered either an IP address or address pool ID, the NAS traverses from the first
address pool in the domain to search for an available IP address.

NOTE:
In the above three cases, both the global address pool and the domain address pool are traversed once. If all the addresses in the specified
global address pool or domain address pool are in use, the NAS stops traversing the address pool for an available IP address and directly
returns the invalid IP address 0.0.0.0.
The following addresses cannot be configured as valid start or end addresses of an address pool:
 Class A addresses X.255.255.255 and X.0.0.0
 Class B addresses X.X.255.255 and X.X.0.0
 Class C addresses X.X.X.255 and X.X.X.0
If the address pool contains these addresses, they are never allocated.
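The allocation rules above, including the single traversal and the 0.0.0.0 result on exhaustion, are easier to check against concrete cases in code. The Python below is an added example, not NGFW code: it models one `ip pool` entry and the three user cases as the section lists them. The user kinds 'unauthenticated', 'default-domain' and 'common-domain', the pool ids and the addresses are constructed for the example, and where the text says a default-domain user with a delivered pool ID is served from "the global or domain address pool" without saying which is tried first, the example tries the global pool first (an assumption, marked in the code).

```python
"""NAS address allocation rules from this section, modelled in Python.
Added example, not NGFW code. Pool ids, addresses and user kinds are
constructed sample values; the reserved-address check follows the NOTE
literally, class by class."""
import ipaddress

INVALID = "0.0.0.0"  # returned when no address is available


def is_unallocatable(ip: ipaddress.IPv4Address) -> bool:
    """Addresses the NOTE lists as never allocatable, by address class."""
    o = ip.packed
    if 1 <= o[0] <= 126:        # class A: X.0.0.0 and X.255.255.255
        return o[1:] in (b"\x00\x00\x00", b"\xff\xff\xff")
    if 128 <= o[0] <= 191:      # class B: X.X.0.0 and X.X.255.255
        return o[2:] in (b"\x00\x00", b"\xff\xff")
    if 192 <= o[0] <= 223:      # class C: X.X.X.0 and X.X.X.255
        return o[3] in (0, 255)
    return False


def pool_is_valid(low: str, high: str = None) -> bool:
    """A start or end address from the reserved list is not a valid ip pool bound."""
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high or low)
    return lo <= hi and not is_unallocatable(lo) and not is_unallocatable(hi)


class AddressPool:
    """One `ip pool pool-number low-ip-address [ high-ip-address ]` entry."""

    def __init__(self, pool_id: int, low: str, high: str = None):
        if not pool_is_valid(low, high):
            raise ValueError("invalid start or end address for ip pool")
        self.pool_id = pool_id
        self.low = ipaddress.IPv4Address(low)
        self.high = ipaddress.IPv4Address(high or low)
        self.in_use = set()

    def allocate(self):
        """Traverse the pool once; skip addresses in use and reserved addresses."""
        ip = self.low
        while ip <= self.high:
            if ip not in self.in_use and not is_unallocatable(ip):
                self.in_use.add(ip)
                return str(ip)
            ip += 1
        return None  # exhausted: the caller reports 0.0.0.0

    def release(self, ip: str) -> None:
        self.in_use.discard(ipaddress.IPv4Address(ip))


def allocate_for_user(kind, global_pools, domain_pools, server_ip=None,
                      server_pool_id=None, interface_ip=None, interface_pool_id=None):
    """Apply the three allocation cases. kind is 'unauthenticated',
    'default-domain' or 'common-domain'; global_pools and domain_pools
    map pool id -> AddressPool."""
    def take(pools, pool_id):
        pool = pools.get(pool_id)
        return (pool.allocate() if pool else None) or INVALID

    if kind == "unauthenticated":
        if interface_ip:
            return interface_ip                         # interface configured with a peer address
        if interface_pool_id is not None:
            return take(global_pools, interface_pool_id)  # interface refers to a global pool
        return INVALID
    if server_ip:                                       # server delivered an IP address
        return server_ip
    if kind == "default-domain":
        if server_pool_id is not None:
            # "global or domain address pool": this example tries global first (assumption)
            pool = global_pools.get(server_pool_id) or domain_pools.get(server_pool_id)
            return (pool.allocate() if pool else None) or INVALID
        if interface_pool_id is not None:
            return take(global_pools, interface_pool_id)
        return INVALID
    if kind == "common-domain":
        if server_pool_id is not None:
            return take(domain_pools, server_pool_id)
        for pool in domain_pools.values():              # from the first pool in the domain
            ip = pool.allocate()
            if ip:
                return ip
        return INVALID
    raise ValueError("unknown user kind: %r" % kind)
```

A check worth keeping in mind when sizing pools: a client that receives 0.0.0.0 has not been given a usable address, so an exhausted pool surfaces as failed IPCP negotiation on the client, not as an error on the server.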

Procedure
 Set the negotiation timeout.
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Set the negotiation timeout period.


ppp timer negotiate seconds

By default, the PPP negotiation timeout period is 3 seconds.


 Set the negotiation IP address.
 When the device serves as the server, perform the following steps:
1. Access the system view.
system-view

2. Select either of the following methods to assign an IP address to the peer device.
 Configure a global IP address pool to assign IP addresses to PPP users.
a. Access the AAA view.
aaa

b. Access the default authentication domain view.


domain default

c. Define the global IP address pool.


ip pool pool-number low-ip-address [ high-ip-address ]

d. Return to the AAA view.


quit

e. Return to the system view.


quit
f. Access the interface view.
interface interface-type interface-number

g. Prevent the client from using its own IP address when the server is configured to assign an IP
address to it.
ppp ipcp remote-address forced

h. Specify the IP address pool that is used when IP addresses are assigned to users.
remote address pool [ pool-number ]

If pool-number is not specified, global IP address pool 0 is used by default.


 Configure a domain IP address pool to assign IP addresses to PPP users.
a. Access the AAA view.
aaa

b. Access the authentication domain view.


domain domain-name

c. Define the domain IP address pool.


ip pool pool-number low-ip-address [ high-ip-address ]

d. Return to the AAA view.


quit

e. Return to the system view.


quit

f. Access the interface view.


interface interface-type interface-number

g. Prevent the client from using its own IP address when the server is configured to assign an IP address to it.
ppp ipcp remote-address forced

h. Specify the IP address pool that is used when IP addresses are assigned to users.
remote address pool [ pool-number ]

If pool-number is not specified, domain IP address pool 0 is used by default.


 Specify an IP address for the peer end.
a. Access the interface view.
interface interface-type interface-number

b. Assign an IP address to the peer end.


remote address ip-address

 When the device serves as the client, perform the following steps:
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Specify the IP address negotiation function of the interface.


ip address ppp-negotiate

 Set the negotiation DNS server address.


 When the device serves as the server, perform the following steps:
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Specify the IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]

By default, the NGFW does not provide the DNS server address for the peer end.
 When the device serves as the client, perform the following steps:
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Configure the local end to request the peer end for the IP address of the DNS server.
ppp ipcp dns request

4. Enable the device to use any DNS server address proposed by the peer end.
ppp ipcp dns admit-any

By default, the DNS server address proposed by the peer end is not accepted.
 Set the negotiation WINS server address.
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Enable the device to use any WINS server address proposed by the peer end.
ppp ipcp nbns request

By default, the device does not request the IP address of the WINS server from the peer end.

8.7.3.5 Configuring the Polling Interval


Link-layer protocols such as PPP use the polling timer to check whether the link status is normal.

Context
If the network delay is long or congestion is serious, you can lengthen the polling interval to reduce network flapping.
During the settings of polling intervals, ensure that the settings on both ends are identical.

Procedure
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number
3. Set the polling interval.
timer hold seconds

8.7.3.6 Preventing the Peer Host Route from Being Added to the Local Routing Table as a Direct Route
You can decide whether a peer host route is added to the local routing table as a direct route.

Context
A PPP link does not strictly require that the peer and local addresses be on the same network segment. The two ends of a
PPP link on different network segments can still communicate. In addition, the peer host route on a different network
segment is automatically added to the local routing table as a direct route.
However, when one end is configured with an incorrect IP address, the other end automatically adds the incorrect peer
host route to its routing table as a direct route. As a result, the incorrect routing information is advertised across
the network.

Procedure
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Prevent the peer host route from being added to the local routing table as a direct route.
ppp peer hostroute-suppress

NOTE:
The local routing table no longer contains the peer host route as a direct route after the ppp peer hostroute-suppress command is
run.

8.7.4 Maintaining PPP


After configuring PPP, you can run the display command to view the configuration. You can also enable the
debugging function if necessary.

8.7.4.1 Displaying the PPP Configuration


After configuring PPP, you can run the display command to view the configuration.
You can display the PPP configuration by running the command listed in Table 8-108 in any view.
Table 8-108 Displaying the PPP configuration
Action: Display the specified VT status.
Command: display interface virtual-template [ number ] [ | { begin | exclude | include } regular-expression ]

8.7.4.2 Debugging PPP


If PPP running faults occur, you can run the debugging commands in the user view to debug PPP, view the debugging
information, and locate and analyze faults.
Before enabling debugging, run the terminal monitor command in the user view to enable the terminal information
display function, and the terminal debugging command in the user view to enable the terminal debugging information
display function.

NOTICE:
Enabling the debugging deteriorates system performance. After the debugging is complete, run the undo debugging
all command to disable the debugging immediately.
For the description of the debugging commands, see Debugging Reference.
Table 8-109 lists the commands to debug PPP information.
Table 8-109 Debugging PPP
Action: Enable the debugging of all PPP information.
Command: debugging ppp all [ verbose ] [ interface interface-type interface-number ]

Action: Enable the debugging of PPP control protocols.
Command: debugging ppp { ccp | chap | ipcp | lcp | mplscp | osicp | pap } { all | error | event | packet [ verbose ] | state } [ interface interface-type interface-number ]

Action: Enable the debugging of PPP EAP packets.
Command: debugging ppp eap { all | error | event | packet | state }

Action: Enable the debugging of PPP packets.
Command: debugging ppp { ip | lqc | mpls-multicast | mpls-unicast | osi-npdu | scp | vjcomp } packet [ verbose ] [ interface interface-type interface-number ]

Action: Enable the debugging of PPP core events.
Command: debugging ppp core event [ interface interface-type interface-number ]

8.7.5 Feature Reference


This section provides PPP references.

8.7.5.1 Feature History


This section describes the versions and changes in the Point-to-Point Protocol (PPP) feature.

Version: V100R001C00
Change description: The first version.

8.7.5.2 Reference Standards and Protocols


This section provides PPP standards and protocols.
PPP standards and protocols are as follows:
RFC 1661: The Point-to-Point Protocol (PPP)

8.8 PPPoE
This section describes Point-to-Point Protocol over Ethernet (PPPoE) concepts and how to configure PPPoE, as well as
provides configuration examples.
8.8.1 Overview
PPPoE describes the method used to set up PPPoE sessions and encapsulate Point-to-Point Protocol (PPP) datagrams
over Ethernet. These functions require a point-to-point (P2P) relationship between the peers instead of the multipoint
relationships available in Ethernet and other multi-access environments.

Definition
PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links. Although PPP is
widely used, it does not apply to an Ethernet. Therefore, the PPPoE technology was introduced. PPPoE is an extension
to PPP and applies PPP to an Ethernet.
PPPoE connects a network of Ethernet hosts to a remote access device to gain access to the Internet. PPPoE allows you
to perform access control and accounting on a per-host basis. PPPoE is widely used because it is highly cost-effective.
A common application scenario for PPPoE is constructing a network in a residential area.

Purpose
PPPoE performs the following functions when multiple users access a server using PPP links:
 Provides cost-effective access services for users and requires few or no configuration changes. Ethernet is
the most cost-effective networking mode.
 Allows a service provider to connect multiple hosts at a remote site to the same access server and supports
access control and accounting functions in a way similar to dial-up services using PPP.
PPPoE enables a bridged access server to connect multiple hosts on a network to a remote access server.

NOTE:
An NGFW currently supports IPv4 PPPoE server and client functions and IPv6 client functions.

8.8.2 Mechanism
This section describes the Point-to-Point Protocol over Ethernet (PPPoE) mechanism.
PPPoE works in the client/server mode. PPPoE provides point-to-point connectivity over Ethernet networks by
encapsulating PPP packets in Ethernet frames.
Figure 8-74 shows the process for establishing an IPv4 PPPoE connection.
Figure 8-74 Process for establishing an IPv4 PPPoE connection

Discovery Phase
After the Discovery phase is complete, both ends of a connection obtain the PPPoE Session_ID and peer Ethernet
address. The PPPoE Session_ID and peer Ethernet address together define a unique PPPoE session.
The Discovery phase consists of the following steps:
1. A host broadcasts a PPPoE Active Discovery Initial (PADI) packet within a local Ethernet. This packet
contains service information required by the host.

NOTE:
A PPPoE server checks service names as follows:
 If a PPPoE server is configured with a service name, a PPPoE client sends a PADI packet to the server in the Discovery phase
to request a connection.
 If this PADI packet contains a non-null service name, the server checks whether the configured service name matches the
service name in the packet. If the service names match, the server provides follow-up services. If the service names do not
match, the server does not provide services.
The preceding check applies only when both service names are non-null. If either service name is null, the server skips the
service name check and proceeds with packet processing.

2. After receiving the PADI packet, the servers on the Ethernet compare the requested services with the
services they can provide. Each server that can provide the requested services sends back a PPPoE
Active Discovery Offer (PADO) packet.
3. Upon receipt, the host obtains information from the PADO packet and sends a PPPoE Active Discovery
Request (PADR) packet to the server.
4. The server generates a unique session identifier to identify a PPPoE session. Then, the server sends this
session identifier in a PPPoE Active Discovery Session-confirmation (PADS) packet to the host.
If the server successfully sends the PADS packet and the host receives it, both the server and the host enter the
PPPoE Session phase.

Session Phase
The host encapsulates a PPP packet as the payload of a PPPoE frame inside an Ethernet frame before sending the
Ethernet frame to its peer. The Ethernet frame carries the Session_ID determined in the Discovery phase and the peer
MAC address. The PPP packet in the frame begins with the Protocol ID. The Ethernet frame is a unicast frame.
In the Session phase, either the host or the server may send a PPPoE Active Discovery Terminate (PADT) packet to
instruct the other to end the session.
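The Discovery exchange above (PADI, PADO, PADR, PADS, and PADT to tear down), with the service-name rule from the NOTE, is shown below as an added Python example; it is not NGFW code and not from this guide. It builds and parses the RFC 2516 discovery payload (version/type, code, Session_ID, length, TLV tags), keys each session on (Session_ID, peer MAC) as the text describes, and bounds-checks the length fields so a truncated or oversized frame is rejected rather than read past the buffer. The PPPoEServer and discover names, the MAC addresses and the AC and service names are constructed for the example.

```python
"""PPPoE Discovery-phase exchange (RFC 2516 framing) modelled in Python.
Added example, not NGFW code. MAC addresses, AC name and service names
are constructed sample values; PPPoEServer.service_ok follows the
service-name rule in the NOTE above."""
import struct

PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
VER_TYPE = 0x11  # version 1, type 1


def build(code: int, session_id: int, tags) -> bytes:
    """PPPoE discovery payload: 6-byte header followed by TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse(frame: bytes):
    """Bounds-checked parse; raises ValueError instead of reading past the buffer."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    if length > len(frame) - 6:
        raise ValueError("LENGTH field exceeds the frame")
    body, tags, off = frame[6:6 + length], [], 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + tag_len > len(body):
            raise ValueError("truncated tag")
        tags.append((tag_type, body[off + 4:off + 4 + tag_len]))
        off += 4 + tag_len
    return code, session_id, tags


def is_well_formed(frame: bytes) -> bool:
    try:
        parse(frame)
        return True
    except ValueError:
        return False


def get_tag(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)


class PPPoEServer:
    """Access concentrator side. A session is keyed by (Session_ID, peer MAC)."""

    def __init__(self, ac_name: bytes, service_name: bytes = b""):
        self.ac_name, self.service_name = ac_name, service_name
        self.next_session_id = 1
        self.sessions = {}

    def service_ok(self, requested: bytes) -> bool:
        # Per the NOTE: the names are compared only when both are non-null.
        if not self.service_name or not requested:
            return True
        return requested == self.service_name

    def handle(self, peer_mac: bytes, frame: bytes):
        """Return the reply frame, or None when the server stays silent."""
        code, session_id, tags = parse(frame)
        requested = get_tag(tags, TAG_SERVICE_NAME) or b""
        host_uniq = get_tag(tags, TAG_HOST_UNIQ)
        echo = [(TAG_HOST_UNIQ, host_uniq)] if host_uniq is not None else []
        if code == PADI and self.service_ok(requested):
            return build(PADO, 0, [(TAG_SERVICE_NAME, requested), (TAG_AC_NAME, self.ac_name)] + echo)
        if code == PADR and self.service_ok(requested):
            session_id, self.next_session_id = self.next_session_id, self.next_session_id + 1
            self.sessions[(session_id, peer_mac)] = requested
            return build(PADS, session_id, [(TAG_SERVICE_NAME, requested)] + echo)
        if code == PADT:
            self.sessions.pop((session_id, peer_mac), None)  # either side may end the session
        return None


def discover(server: PPPoEServer, host_mac: bytes, service: bytes = b""):
    """Host side of the four-step Discovery phase; returns (Session_ID, AC name) or None."""
    pado = server.handle(host_mac, build(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, b"\x01")]))
    if pado is None:
        return None
    _, _, offer_tags = parse(pado)
    pads = server.handle(host_mac, build(PADR, 0, [(TAG_SERVICE_NAME, service)]))
    if pads is None:
        return None
    _, session_id, _ = parse(pads)
    return session_id, get_tag(offer_tags, TAG_AC_NAME)
```

Running discover() twice with different service names shows the server assigning distinct Session_IDs to the same MAC, and a PADT carrying a session's ID removes exactly that (Session_ID, MAC) entry.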

8.8.3 Configuring the IPv4 PPPoE Server


This section describes the basic configurations of an IPv4 PPPoE server.

8.8.3.1 Configuring a PPPoE Server


This section describes how to configure an IPv4 PPPoE server.

Prerequisites
PPPoE authentication works in either local or remote mode. You must configure a user account and an authentication
mode to implement authentication. If remote authentication is used, you must also configure an authentication server.
For more information, see Users and Authentication.
A PPPoE server uses address pools to allocate IP addresses to many clients. The ip pool command creates an address
pool.

Context
You can use PPPoE to allow many hosts on a single Ethernet to connect to a peer server and create PPPoE sessions to
implement access control and accounting.

NOTICE:
An NGFW serves both as a PPPoE server to provide local access services and as a Layer 2 Tunneling Protocol (L2TP)
access concentrator (LAC) to provide remote dial-up services. After a PPPoE server is started and LAC configuration
is implemented on the NGFW, L2TP configuration takes precedence over PPPoE server configuration. For example, if
a user name is set to user123 in both L2TP and PPPoE configurations, the NGFW initiates a dial-up using the user
name user123 and performs L2TP authentication, not PPPoE authentication.

Procedure
1. Configure a Virtual-Template (VT) interface.
A PPPoE server communicates with its clients using a VT interface. If no IP address is specified on a client,
the PPPoE server allocates an IP address to the client. The IP address to be allocated must be specified on the
VT interface.
a. Display the system view.
system-view

b. Create a VT interface and display the VT interface view.


interface virtual-template number

c. Set an IP address.
ip address ip-address { mask | mask-length }

d. Optional: Enable local PPP authentication.


ppp authentication-mode { chap | eap | pap } *

By default, no authentication is performed.


NOTE:
PAP is not a secure protocol, and CHAP is recommended.

e. Optional: Prevent the client from using its own IP address when the server is configured to assign an IP
address to it.
ppp ipcp remote-address forced

By default, the peer is allowed to use its own IP address.


f. Optional: Specify the IP address pool that is used when IP addresses are assigned to users.
remote address { ip-address | pool [ pool-name ] }

g. Optional: Set an IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]

By default, no IP address of a DNS server is configured.


h. Display the system view.
system-view

2. Bind the VT interface to an Ethernet interface.


a. Display the Ethernet interface view.
interface interface-type interface-number

b. Bind a VT interface to the Ethernet interface.


pppoe-server bind virtual-template number

3. Optional: Specify a PPPoE service name.


pppoe-server service-name service-name
The service name identifies the service type that a client requires. If the client rejects the service name, the
client replies with service error information to the server, and the server then terminates the connection
to the client.
 The interface must be bound to the VT interface before you configure the PPPoE service name on the
server interface.
 After specifying the PPPoE service name, restart the interface so that the clients reconnect.

8.8.3.2 Configuring PPPoE Parameters


After the basic PPPoE functions are configured, you can set PPPoE parameters as required to optimize links.

Context
After configuring PPPoE, configure PPPoE parameters as required to optimize links. The configurations include:
 Log the PPPoE user status changes.
 Specify the maximum number of PPPoE sessions that can be set up using a local MAC address.
 Specify the maximum number of PPPoE sessions that can be set up using a peer MAC address.
 Specify the maximum number of PPPoE sessions that can be set up on the local system.

Procedure
 Log PPPoE user status changes.

1. Access the system view.


system-view

2. Specify the maximum number of sessions that can be created using a local MAC address.
pppoe-server max-sessions local-mac number

 Set the maximum number of sessions that can be created using a local MAC address.

1. Access the system view.


system-view

2. Specify the maximum number of sessions that can be created using a local MAC address.
pppoe-server max-sessions local-mac number

 Set the maximum number of sessions that can be created using a peer MAC address.

1. Access the system view.


system-view

2. Specify the maximum number of sessions that can be created using a peer MAC address.
pppoe-server max-sessions remote-mac number

 Set the maximum number of sessions that can be created in the system.

1. Access the system view.


system-view

2. Specify the maximum number of sessions that can be created in the system.
pppoe-server max-sessions total number

8.8.4 Configuring an IPv4 PPPoE Client


This section describes how to configure an IPv4 PPPoE client.

Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single dialer interface. A PPPoE
session can be created using a dialer interface.

Procedure
1. Display the system view.
system-view

2. Configure a dialer ACL for the dialer access group.


dialer-rule rule-number { ip { deny | permit } | acl acl-number }

3. Create a dialer interface.


interface dialer number
4. It is recommended that both PAP and CHAP user names and passwords be specified on the client. Configure
an authentication mode using either of the following methods:
 Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password

 Configure CHAP authentication.


 Specify a user name for the peer end to use CHAP to authenticate the local end.
ppp chap user user-name

 Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password

5. Specify a dial-up user name.


dialer user username

The user name is a string of 1 to 32 characters.


6. Enable the IP address negotiation function.
ip address ppp-negotiate

NOTE:
The IP address negotiated by the device is a host IP address with a 32-bit mask. If the device needs to communicate with other
PPPoE clients, run the ip route-static command to manually configure a static route to their network segment.

7. Configure the dialer bundle.


dialer bundle bundle-number

8. Configure a dialer group.


dialer-group group-number

NOTE:
The same group-number value must be specified in the dialer-rule and dialer-group commands.

9. Return to the system view.


quit

10. Display the Ethernet interface view.


interface interface-type interface-number

11. Create a PPPoE session and specify the dialer bundle for the session.
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds [ queue-length packets ] ] [ ipv4 | ipv6 ]

8.8.5 Configuring an IPv6 PPPoE Client


This section describes how to configure an IPv6 PPPoE client.

Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single dialer interface. A PPPoE
session can be created using a dialer interface.
The way a dialer interface obtains an IPv6 address depends on the application scenario of an IPv6 PPPoE client.
 When a device serves as a client that needs to access the Internet, the dialer interface can obtain an IPv6 address
using one of the following methods:
 Stateless address autoconfiguration
 DHCPv6
 When a device serves as a gateway, the device supports the following functions:
 (Optional) Obtains an IPv6 address using stateless address autoconfiguration.
 Obtains a prefix using DHCPv6-PD and assigns prefixes to intranet users.

Procedure
1. Display the system view.
system-view

2. Create a dialer interface and display the dialer interface view.


interface dialer number

3. Configure an authentication mode. The server may use PAP or CHAP authentication. Configuring both PAP
and CHAP user names and passwords is recommended.
 Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password

 Configure CHAP authentication.


 Specify a CHAP user name.
ppp chap user user-name

 Set a CHAP password.


ppp chap password cipher password

4. Specify a dial-up user name.


dialer user username

The user name is a string of 1 to 32 characters.


5. Configure the device to automatically obtain an IPv6 address as follows:
 When the device serves as a client, perform the following steps:
 Enable stateless address autoconfiguration.
ipv6 address autoconfig

 Configure the DHCPv6 client to obtain an IPv6 address from the server.
dhcpv6 client ia-address [ ipv6-address ] [ rapid-commit | unicast-option ] *

 When the device serves as a gateway, perform the following steps:


a. Enable stateless address autoconfiguration.
ipv6 address autoconfig

b. Configure the DHCPv6 client to obtain an IPv6 prefix from the server.
dhcpv6 client ia-prefix prefix-name prefix-name [ prefix-address/prefix-length ]
[ rapid-commit | unicast-option ] *
6. Configure the dialer bundle.
dialer bundle bundle-number

7. Return to the system view.


quit

8. Display the Ethernet interface view.


interface GigabitEthernet interface-number

9. Create a PPPoE session.


pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds [ queue-length packets ] ]

Follow-up Procedure
After the configurations are complete, the device obtains an IPv6 address or prefix.
 To view the obtained IPv6 address or prefix, run either of the following commands:
 display ipv6 auto-configuration prefix all: displays the IPv6 prefix, and the IPv6 address derived from it, that the
device obtained through stateless address autoconfiguration.
 display dhcpv6 client { all | interface interface-type interface-number }: displays the IPv6 address that
the device obtained through DHCPv6.
 If the device serves as a gateway and uses DHCPv6-PD to obtain a prefix, the device uses RA messages to
assign prefixes to intranet users.
1. Run the display dhcpv6 client { all | interface interface-type interface-number } command to view the
IPv6 address obtained by the DHCPv6 client.
2. Run the undo ipv6 nd ra halt command in the interface view to enable RA advertisement.
3. Run the ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | [ prefix-name ] ipv6-prefix/ipv6-prefix-length }
valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ] command in the interface view to
configure a prefix in an RA message.

8.8.6 Maintaining PPPoE


This section describes how to maintain PPPoE.

8.8.6.1 Displaying the PPPoE Configuration


After configuring PPPoE, you can run the display commands to view the configurations.
In any view, you can check the PPPoE configuration by running the commands listed in Table 8-110.
Table 8-110 Displaying the PPPoE configuration
Action: Display information about all PPPoE sessions.
Command: display pppoe-server session { all | packet | statistic interface interface-type interface-number }

Action: Display statistics about PPPoE session packets.
Command: display pppoe-client session packet [ dial-bundle-number dial-bundle-number ]

Action: Display brief information about PPPoE session packets.
Command: display pppoe-client session summary [ dial-bundle-number dial-bundle-number ]

8.8.6.2 Debugging PPPoE


If PPPoE running faults occur, you can run the debugging commands in the user view to debug PPPoE, view the
debugging information, and locate and analyze the faults.
Before enabling debugging, run the terminal monitor command in the user view to enable the terminal information
display function, and the terminal debugging command in the user view to enable the terminal debugging information
display function.

NOTICE:
Enabling the debugging deteriorates system performance. After the debugging is complete, run the undo debugging
all command to disable the debugging immediately.
For the description of the debugging commands, see Debugging Reference.
Table 8-111 lists the commands to debug PPPoE.
Table 8-111 Debugging PPPoE
Action: Enable the debugging of all PPPoE client information.
Command: debugging pppoe-client all [ interface interface-type interface-number ]

Action: Enable the debugging of a PPPoE client.
Command: debugging pppoe-client [ data | error | event | packet | verbose ] [ interface interface-type interface-number ]

Action: Enable the debugging of all PPPoE server information.
Command: debugging pppoe-server all [ interface interface-type interface-number ]

Action: Enable the debugging of a PPPoE server.
Command: debugging pppoe-server [ data | error | event | packet ] [ interface interface-type interface-number ]

8.8.6.3 Clearing Statistics About PPPoE Sessions


This section describes how to clear statistics about PPPoE sessions on a specified interface.

NOTICE:
Cleared PPPoE statistics cannot be recovered. Exercise caution when performing this operation.
You can run the command in Table 8-112 in the user view to clear PPPoE statistics.
Table 8-112 Clearing PPPoE statistics
Action: Clear statistics about PPPoE sessions on a specified interface.
Command: reset pppoe-server session statistic interface interface-type interface-number

8.8.6.4 Resetting a PPPoE Session


This section describes how to reset a PPPoE session.
You can run the command in Table 8-113 in the user view to reset a PPPoE session.
Table 8-113 Resetting a PPPoE session
Action: Reset a session on a PPPoE client and re-establish a session later.
Command: reset pppoe-client { all | dial-bundle-number number }

8.8.7 Configuration Examples


This section provides examples for configuring IPv4 and IPv6 PPPoE clients.

8.8.7.1 Example for Configuring IPv4 PPPoE


This section provides an example for configuring basic IPv4 PPPoE functions.

Networking Requirements
As shown in Figure 8-75, NGFW_A functions as a PPPoE client, and NGFW_B functions as a PPPoE
server. NGFW_B assigns an IP address to NGFW_A, allowing PCs on networks A and B to communicate.
NGFW_B (server) runs PAP to authenticate NGFW_A (client). The user name is usera, and the password is
Password1. NGFW_B assigns NGFW_A the IP address 10.2.0.2.
Figure 8-75 IPv4 PPPoE networking

Procedure
1. Configure NGFW_B.
# Configure interfaces and assign them to security zones.
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.4.0.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit

# Add a PPPoE user.


[NGFW_B] user-manage user usera
[NGFW_B-localuser-usera] password Password1
[NGFW_B-localuser-usera] quit

# Configure an IP address pool.


[NGFW_B] aaa
[NGFW_B-aaa] domain default
[NGFW_B-aaa-domain-default] ip pool 1 10.2.0.2

# Set VT interface parameters.

NOTE:
PAP is not a secure protocol, and CHAP is recommended.
[NGFW_B] interface virtual-template 1
[NGFW_B-Virtual-Template1] ppp authentication-mode pap
The command is used to configure the PPP authentication mode on the local end.
Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/N]: y
[NGFW_B-Virtual-Template1] ip address 10.2.0.1 24
[NGFW_B-Virtual-Template1] remote address pool 1
[NGFW_B-Virtual-Template1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface virtual-template 1
[NGFW_B-zone-untrust] quit

# Bind the VT interface to the physical interface.


[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] pppoe-server bind virtual-template 1
[NGFW_B-GigabitEthernet1/0/1] quit

# Configure security policies.


[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_sec_1
[NGFW_B-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_sec_1] source-address 10.4.1.0 24
[NGFW_B-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_sec_1] destination-address 10.3.1.0 24
[NGFW_B-policy-security-rule-policy_sec_1] action permit
[NGFW_B-policy-security-rule-policy_sec_1] quit
[NGFW_B-policy-security] rule name policy_sec_2
[NGFW_B-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_sec_2] source-address 10.3.1.0 24
[NGFW_B-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_sec_2] destination-address 10.4.1.0 24
[NGFW_B-policy-security-rule-policy_sec_2] action permit
[NGFW_B-policy-security-rule-policy_sec_2] quit
[NGFW_B-policy-security] quit

# Configure a static route.


[NGFW_B] ip route-static 10.3.0.0 24 virtual-template 1

2. Configure NGFW_A.
# Configure interfaces and assign them to security zones.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

# Configure PPPoE dial-up.


[NGFW_A] dialer-rule 1 ip permit
[NGFW_A] interface dialer 1
[NGFW_A-Dialer1] dialer user usera
[NGFW_A-Dialer1] dialer-group 1
[NGFW_A-Dialer1] dialer bundle 1
[NGFW_A-Dialer1] ip address ppp-negotiate
[NGFW_A-Dialer1] ppp pap local-user usera password cipher Password1
[NGFW_A-Dialer1] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface dialer 1
[NGFW_A-zone-untrust] quit

# Configure a PPPoE session.


[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv4

# Configure security policies.


[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec_1
[NGFW_A-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_sec_1] source-address 10.3.1.0 24
[NGFW_A-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_sec_1] destination-address 10.4.1.0 24
[NGFW_A-policy-security-rule-policy_sec_1] action permit
[NGFW_A-policy-security-rule-policy_sec_1] quit
[NGFW_A-policy-security] rule name policy_sec_2
[NGFW_A-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_sec_2] source-address 10.4.1.0 24
[NGFW_A-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_sec_2] destination-address 10.3.1.0 24
[NGFW_A-policy-security-rule-policy_sec_2] action permit
[NGFW_A-policy-security-rule-policy_sec_2] quit
[NGFW_A-policy-security] quit

# Configure a static route.


[NGFW_A] ip route-static 10.4.0.0 24 dialer 1

Example
After completing the configuration, check statistics about PPPoE session packets.
• Check statistics about PPPoE packets of the PPPoE server.
[NGFW_B] display pppoe-server session all
SID  Intf                 State  OIntf    RemMAC          LocMAC
1    Virtual-Template1:0  UP     GE1/0/1  0022.a100.11ab  0018.82cf.ebed
• Check statistics about PPPoE packets of the PPPoE client.
[NGFW_A] display pppoe-client session summary dial-bundle-number 1
PPPoE Client Session:
ID  Bundle  Dialer  Intf     Client-MAC    Server-MAC    State
1   1       1       GE1/0/1  0022a10011ab  001882cfebed  PPPUP
Configuration Scripts
Configuration script for NGFW_A:
#
dialer-rule 1 ip permit
#
sysname NGFW_A
#
interface Dialer1
link-protocol ppp
ppp pap local-user usera password cipher %$%$UQ"HLOehx>*n^PPqyBQVaNE<%$%$
ip address ppp-negotiate
dialer user usera
dialer-group 1
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface dialer 1
#
ip route-static 10.4.0.0 24 dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
#
return

Configuration script for NGFW_B:


#
sysname NGFW_B
#
interface Virtual-Template1
ppp authentication-mode pap
ip address 10.2.0.1 255.255.255.0
remote address pool 1
#
interface GigabitEthernet1/0/1
pppoe-server bind Virtual-Template 1
interface GigabitEthernet1/0/3
ip address 10.4.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface virtual-template 1
#
aaa
#
domain default
ip pool 1 10.2.0.2
#
#
ip route-static 10.3.0.0 255.255.255.0 virtual-template1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
#
return
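The NOTE in the NGFW_B procedure above states that PAP is not secure and recommends CHAP. The following Python model, added here and not part of Huawei's documentation or code, builds the PPP authentication packets of both protocols (PAP per RFC 1334, CHAP with MD5 per RFC 1994) for the usera/Password1 credentials of this example and shows what an observer of the link sees in each case; the challenge value, the server name and all function names are constructed for the example.

```python
import hashlib
import hmac
import struct

# PPP authentication packet codes: PAP (RFC 1334) and CHAP (RFC 1994).
PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def pap_authenticate_request(ident: int, peer_id: str, password: str) -> bytes:
    """Build a PAP Authenticate-Request: Code, Identifier, Length, then the
    Peer-ID and Password, each prefixed with a one-byte length and sent as-is."""
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def pap_extract_credentials(frame: bytes) -> tuple:
    """Parse a captured PAP Authenticate-Request. This is the weakness the NOTE refers
    to: whoever sees the frame on the link reads the user name and password directly."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(frame):
        raise ValueError("not a PAP Authenticate-Request")
    n = frame[4]
    peer_id = frame[5:5 + n].decode()
    m = frame[5 + n]
    password = frame[6 + n:6 + n + m].decode()
    return peer_id, password


def chap_challenge(ident: int, challenge: bytes, server_name: str) -> bytes:
    """CHAP Challenge sent by the server: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(challenge)]) + challenge + server_name.encode()
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_parse_challenge(frame: bytes) -> tuple:
    """Client side: recover the Identifier and Challenge Value from a Challenge packet."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code != CHAP_CHALLENGE or length != len(frame):
        raise ValueError("not a CHAP Challenge")
    size = frame[4]
    return ident, frame[5:5 + size]


def chap_response_value(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge Value).
    The secret itself never leaves the client."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_response(ident: int, secret: str, challenge: bytes, client_name: str) -> bytes:
    """CHAP Response sent by the client; same layout as the Challenge."""
    value = chap_response_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + client_name.encode()
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_server_verify(response: bytes, challenge: bytes, secrets: dict) -> bool:
    """Server side: recompute the expected value for the challenge it issued.
    Note that CHAP requires the server to hold each user's secret in recoverable form."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != CHAP_RESPONSE or length != len(response):
        return False
    size = response[4]
    value = response[5:5 + size]
    name = response[5 + size:].decode()
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = chap_response_value(ident, secret, challenge)
    return hmac.compare_digest(value, expected)


def compare_pap_chap(user: str, password: str, challenge: bytes) -> dict:
    """Run both exchanges for the same credentials and report what an observer of the
    link would see and how the server decides."""
    pap_frame = pap_authenticate_request(1, user, password)
    # CHAP: server (constructed name NGFW_B) challenges, client answers with the hash
    ident, value = chap_parse_challenge(chap_challenge(2, challenge, "NGFW_B"))
    chap_frame = chap_response(ident, password, value, user)
    return {
        "pap_password_on_wire": password.encode() in pap_frame,
        "chap_password_on_wire": password.encode() in chap_frame,
        "chap_accepted": chap_server_verify(chap_frame, challenge, {user: password}),
        # the same response is useless against a different challenge
        "chap_replay_accepted": chap_server_verify(
            chap_frame, b"\x00" * len(challenge), {user: password}),
    }


if __name__ == "__main__":
    # Constructed sample values: credentials from this example and a fixed 16-byte challenge.
    print(compare_pap_chap("usera", "Password1", bytes(range(16))))
```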

8.8.7.2 Example for Configuring an IPv6 PPPoE Client (Stateless Address Autoconfiguration)


This section describes how to configure an IPv6 PPPoE client. A NGFW functions as an IPv6 PPPoE client to obtain
an IPv6 address and access the Internet.

Networking Requirements
The NGFW shown in Figure 8-76 functions as an IPv6 PPPoE client and uses stateless address autoconfiguration to
obtain an IPv6 address from an IPv6 PPPoE server.
Figure 8-76 Networking diagram for configuring an IPv6 PPPoE client
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the interface to access
an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on NGFW so that a dialer interface can automatically obtain an
IPv6 address.
4. Configure a global unicast address for GigabitEthernet 1/0/1 on the PPPoE server and enable RA
advertisement to advertise the IPv6 prefix to GigabitEthernet 1/0/1 of the NGFW using a router
advertisement (RA) message.

Procedure
1. Configure the NGFW.
# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit

# Enable IPv6.
[NGFW] ipv6

# Assign a link-local IPv6 address to a dialer interface.


[NGFW] interface Dialer1
[NGFW-Dialer1] ipv6 enable
[NGFW-Dialer1] ipv6 address auto link-local

# Enable stateless address autoconfiguration.


[NGFW-Dialer1] ipv6 address autoconfig
[NGFW-Dialer1] quit

# Configure a PPPoE session.


[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv6
[NGFW-GigabitEthernet1/0/1] quit

# Assign the dialer interface to a security zone.


[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] add interface Dialer 1
[NGFW-zone-trust] quit

2. Configure a PPPoE server. The actual configuration varies depending on devices.


# Create a PPPoE user and set the user name to admin-example and the password to Admin@123, which
are the same as those specified on the PPPoE client.
# Set the global unicast address to 3001::1/64 for the interface that directly connects the PPPoE server to the
PPPoE client.
# Enable RA message advertisement.

Configuration Verification
1. After completing the configuration, run the display ipv6 auto-configuration prefix command on the NGFW.
The NGFW has obtained an IPv6 address with the prefix 3001::/64.
2. The PPPoE client can access the IPv6 network.

Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
return

8.8.7.3 Example for Configuring an IPv6 PPPoE Client for DHCPv6-PD Address Assignment
This section provides an example for configuring an IPv6 PPPoE client for DHCPv6-PD address assignment.
A NGFW functions as an IPv6 PPPoE client and obtains an IPv6 prefix before assigning the prefix to PCs attached to
the NGFW. After obtaining the IPv6 addresses, the PCs can access IPv6 networks.

Networking Requirements
The NGFW shown in Figure 8-77 functions as an IPv6 PPPoE client and uses DHCPv6-PD to obtain an IPv6 prefix
from an IPv6 PPPoE server. The NGFW then connects PCs to the IPv6 network.
Figure 8-77 Networking diagram for configuring an IPv6 PPPoE client (for DHCPv6-PD address assignment)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the interface to access
an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on NGFW so that the dialer interface can automatically obtain an
IPv6 address and an IPv6 prefix and assign the prefix to the PCs on the intranet.
4. Configure an address pool on the PPPoE server for DHCPv6-PD address assignment.

Procedure
1. Configure the NGFW.
# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit

# Enable IPv6.
[NGFW] ipv6

# Configure the link-local address of the interface.


[NGFW] interface Dialer1
[NGFW-Dialer1] ipv6 enable
[NGFW-Dialer1] ipv6 address auto link-local

# Enable stateless address autoconfiguration.


[NGFW-Dialer1] ipv6 address autoconfig

# Enable the DHCPv6 client to obtain IPv6 prefix 2001::1/64 and save the prefix in prefix pool abc.
[NGFW-Dialer1] dhcpv6 client enable
[NGFW-Dialer1] dhcpv6 client ia-prefix prefix-name abc 2001::1/64

# Configure a PPPoE session.


[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv6
[NGFW-GigabitEthernet1/0/1] quit

# Enable RA message advertisement to send prefix 2001::1/64 to PCs on the intranet.


[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] undo ipv6 nd ra halt
[NGFW-GigabitEthernet1/0/3] ipv6 nd ra prefix abc 2001::1/64
[NGFW-GigabitEthernet1/0/3] quit

# Assign interfaces to security zones.


[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust] add interface Dialer 1
[NGFW-zone-untrust] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit

# Configure security policies.


[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec_1
[NGFW-policy-security-rule-policy_sec_1] source-zone trust
[NGFW-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW-policy-security-rule-policy_sec_1] action permit
[NGFW-policy-security-rule-policy_sec_1] quit
[NGFW-policy-security] rule name policy_sec_2
[NGFW-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW-policy-security-rule-policy_sec_2] action permit
[NGFW-policy-security-rule-policy_sec_2] quit
[NGFW-policy-security] quit

2. Configure a PPPoE server. The configuration varies with devices. The configuration details are not provided.
# Create a PPPoE user with a user name admin-example and a password Admin@123, which are the same
as those on the PPPoE client.
# Configure a delegated prefix pool.

Configuration Verification
1. If the configurations are successful, a PC can obtain an IPv6 address with the prefix 2001::.
2. Check whether a PC can access the IPv6 network. If the PC can access the IPv6 network, the configuration is
successful. If the PC fails to access the IPv6 network, modify the configuration and try again.

Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
dhcpv6 client enable
dhcpv6 client ia-prefix prefix-name abc 2001::1/64
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
interface GigabitEthernet1/0/3
undo ipv6 nd ra halt
ipv6 nd ra prefix abc 2001::1/64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
action permit
#
return

8.8.8 Feature Reference


This section provides PPPoE references.

8.8.8.1 Feature History


This section describes the versions and changes in the Point-to-Point Protocol over Ethernet (PPPoE) feature.

Version Change Description

V100R001C00 The first version.

8.8.8.2 Reference Standards and Protocols


This section provides PPPoE standards and protocols.
PPPoE standards and protocols are as follows:
• RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)
• RFC 1661: The Point-to-Point Protocol (PPP)

8.9 MAC Address Table


This section describes MAC address table concepts and how to configure a MAC address table, as well as provides a
configuration example.

8.9.1 Overview
A MAC address table is an interface-based Layer 2 forwarding table. It stores information about the MAC addresses
learned by a device.

MAC Address Table


To support fast packet forwarding, a NGFW must maintain its MAC address table.
The MAC address table records the following items:
• MAC address of a device connected to the NGFW
• Number and VLAN ID of the interface that connects the NGFW to the device
MAC Address Entries
MAC address entries are classified into the following types:
• Static MAC address entry: manually configured. It can be added or deleted manually and never ages. Static MAC address entries reduce broadcast traffic on a network and apply to networks where devices seldom change.
• Dynamic MAC address entry: manually configured by a user or learned by the device. It ages after the specified aging time elapses.
• Blackhole MAC address entry: a special type of manually configured MAC address entry. After receiving a packet whose source or destination MAC address is a blackhole MAC address, the device discards the packet.
Table 8-114 lists the classifications and features of MAC address entries.
Table 8-114 Classifications and features of MAC address entries

MAC Address Entry            Configuration Method                                    Aging Time         Saved After the Device Restarts (configuration saved)
Static MAC address entry     Manually configured                                     None               Yes
Dynamic MAC address entry    Manually configured by a user or learned by the device  A specified value  No
Blackhole MAC address entry  Manually configured                                     None               Yes

The following rules apply when you configure an entry for a MAC address that already has an entry:
• If the existing entry is dynamic, it can be changed to a static or blackhole entry, and the VLAN ID in the entry is changed to the newly specified value.
• If the existing entry is static or blackhole, a message indicating that the MAC address already exists is displayed, and the entry is not changed.

Process for Learning MAC Address Entries


When a port (for example, port A) receives a data frame, the NGFW examines the source MAC address of the frame and records that frames destined for this MAC address are to be forwarded through port A:
• If the MAC address table already contains an entry for this MAC address, the NGFW updates the entry.
• If the MAC address table does not contain such an entry, the NGFW adds a new entry that maps the MAC address to port A.
Figure 8-78 shows how the NGFW learns MAC addresses. In the MAC address table on the NGFW, MAC A and MAC B map to port 1, and MAC C and MAC D map to port 2. A data frame whose destination MAC address is MAC C and whose source MAC address is MAC A travels from port 1 to port 2 on the NGFW.
The process is as follows:
1. When the data frame arrives at the NGFW, the NGFW analyzes the source MAC address in the data frame
and searches for the matching address in the MAC address table.
2. As the MAC address entry already exists in the MAC address table, the NGFW updates the entry.
3. The NGFW then checks the destination MAC address of the data frame.
4. As the destination address entry also already exists in the MAC address table and maps to port 2,
the NGFW forwards the data frame through port 2.
Figure 8-78 Process for learning MAC address entries

When forwarding a packet, the NGFW takes the following action based on whether the destination MAC address of the received packet matches an entry in the MAC address table:
• If a matching entry exists, the NGFW forwards the packet directly through the corresponding port.
• If no matching entry exists, the NGFW broadcasts the packet.
After the packet is broadcast, one of the following situations occurs:
• The packet reaches the device with the destination MAC address. The destination device replies to the broadcast packet, and its MAC address is carried in the reply packet (as the source MAC address of the reply).
After receiving the reply packet, the NGFW learns the source MAC address of the reply packet and adds it to the MAC address table.
Subsequent packets destined for this MAC address are then forwarded directly based on the entry.
• The packet does not reach the device with the destination MAC address, no reply is received, and the NGFW continues to broadcast packets destined for that address.

8.9.2 Configuring a MAC Address Table


This section describes how to configure a static MAC address entry and the aging time of dynamically learned MAC
address entries.

Prerequisites
Interfaces mapped to the MAC addresses in the MAC address table work in Layer 2 mode.

Procedure
1. Display the system view.
system-view

2. Configure MAC address entries.
   • To configure MAC address entries in the system view, run the corresponding command:
     - Configure a blackhole MAC address entry.
       mac-address blackhole mac-address interface-type interface-number vlan vlan-id
     - Configure a dynamic MAC address entry.
       mac-address dynamic mac-address interface-type interface-number vlan vlan-id
     - Configure a static MAC address entry.
       mac-address static mac-address interface-type interface-number vlan vlan-id
   • To configure MAC address entries in the interface view, perform the following steps:
     a. Display the interface view.
        interface interface-type interface-number
     b. Run the corresponding command to configure a MAC address table entry:
        - Configure a blackhole MAC address entry.
          mac-address blackhole mac-address interface-type interface-number vlan vlan-id
        - Configure a dynamic MAC address entry.
          mac-address dynamic mac-address interface-type interface-number vlan vlan-id
        - Configure a static MAC address entry.
          mac-address static mac-address interface-type interface-number vlan vlan-id
     c. Return to the system view.
        quit

3. Set the aging time of dynamic MAC address entries.


mac-address aging-time seconds

The value can be 0s or ranges from 30s to 65535s. If the seconds parameter is set to 0, a MAC address entry
never ages.
The default aging time is 300s.

8.9.3 (Optional) Configuring a Limit Rule for Learning MAC Addresses


You can configure a limit rule for learning dynamic MAC addresses.

Context
A limit rule for learning dynamic MAC addresses applies to insecure networks with a fixed set of access users, such as a cell access network or an intranet that lacks security management.
When the number of access users reaches the upper limit, the MAC addresses of new users cannot be learned, and the packets of the new users are discarded.

NOTICE:
Before configuring a limit rule for learning dynamic MAC addresses, if learned MAC addresses exist on the port, run
the undo mac-address dynamic command in the system view to clear the MAC addresses. If this command is not run,
the limit rule cannot function properly.

Procedure
1. Access the system view.
system-view
2. Access the Ethernet interface view.
interface interface-type interface-number

3. Switch the Layer 3 Ethernet interface to Layer 2 mode.


portswitch

4. Configure a limit rule for learning MAC addresses.


mac-limit { maximum max | action { discard | forward } } *
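To tie together the entry types and precedence rules of 8.9.1, the aging time of 8.9.2 and the mac-limit rule of 8.9.3, here is an added Python model of the learning and forwarding decisions; it is constructed for this page and is not NGFW code. The port names, the sample MAC addresses and the assumption that the limit counts dynamic entries per port are the model's own.

```python
from dataclasses import dataclass

# Entry types from Table 8-114: static and blackhole entries never age; dynamic entries do.
STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"


@dataclass
class MacEntry:
    port: str
    vlan: int
    kind: str
    updated_at: float = 0.0   # last learn/refresh time; only used for dynamic entries


class MacTable:
    """Constructed model of the NGFW MAC address table: source-MAC learning, aging,
    the static/dynamic/blackhole precedence rules and a per-port mac-limit rule."""

    def __init__(self, ports, aging_time=300, mac_limit=None, limit_action="discard"):
        self.ports = list(ports)
        self.aging_time = aging_time          # mac-address aging-time seconds (0 = never ages)
        self.mac_limit = mac_limit            # mac-limit maximum max (dynamic entries per port)
        self.limit_action = limit_action      # mac-limit action { discard | forward }
        self.entries: dict[str, MacEntry] = {}   # keyed by MAC address

    def configure(self, mac, port, vlan, kind) -> bool:
        """mac-address static | blackhole | dynamic ...: returns True if the entry was written."""
        old = self.entries.get(mac)
        if old is not None and old.kind in (STATIC, BLACKHOLE):
            return False   # "MAC address already exists": the entry is not changed
        # no entry, or a dynamic entry: replaced, VLAN ID takes the newly specified value
        self.entries[mac] = MacEntry(port, vlan, kind)
        return True

    def age(self, now) -> int:
        """Delete dynamic entries whose aging time has elapsed; returns how many were removed."""
        if self.aging_time == 0:
            return 0
        expired = [m for m, e in self.entries.items()
                   if e.kind == DYNAMIC and now - e.updated_at >= self.aging_time]
        for m in expired:
            del self.entries[m]
        return len(expired)

    def _dynamic_count(self, port) -> int:
        return sum(1 for e in self.entries.values() if e.kind == DYNAMIC and e.port == port)

    def _learn(self, src, port, vlan, now) -> bool:
        """Source-MAC learning; returns False when the mac-limit rule blocks a new address."""
        e = self.entries.get(src)
        if e is not None:
            if e.kind == DYNAMIC:              # refresh the existing dynamic entry
                e.port, e.vlan, e.updated_at = port, vlan, now
            return True                        # a static entry is never overwritten by learning
        if self.mac_limit is not None and self._dynamic_count(port) >= self.mac_limit:
            return False
        self.entries[src] = MacEntry(port, vlan, DYNAMIC, now)
        return True

    def receive(self, src, dst, in_port, vlan, now) -> dict:
        """Process one frame and return the forwarding decision."""
        self.age(now)
        for mac in (src, dst):
            e = self.entries.get(mac)
            if e is not None and e.kind == BLACKHOLE:
                return {"action": "drop", "reason": f"blackhole {mac}"}
        if not self._learn(src, in_port, vlan, now) and self.limit_action == "discard":
            return {"action": "drop", "reason": f"mac-limit on {in_port}"}
        # (with action forward the frame goes on, but the new address is not learned)
        e = self.entries.get(dst)
        if e is not None:
            return {"action": "forward", "port": e.port}
        return {"action": "flood", "ports": [p for p in self.ports if p != in_port]}


if __name__ == "__main__":
    # Constructed walk-through: unknown destination is flooded, the reply is learned,
    # then the server's MAC is pinned with a static entry as in 8.9.5.
    t = MacTable(["GE1/0/1", "GE1/0/2", "GE1/0/3"], aging_time=300, mac_limit=2)
    print(t.receive("00e0-fa00-0001", "00e0-fa33-dc51", "GE1/0/1", 1, now=0))
    print(t.receive("00e0-fa33-dc51", "00e0-fa00-0001", "GE1/0/3", 1, now=1))
    print(t.configure("00e0-fa33-dc51", "GE1/0/3", 1, STATIC), t.entries["00e0-fa33-dc51"])
```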

8.9.4 Maintaining the MAC Address Table


After configuring the MAC address table, you can run the display commands to view the configuration.
You can run the commands listed in Table 8-115 in any view to display the configurations of the MAC address table.
Table 8-115 Displaying the MAC address table configuration

Action: Display information about MAC address entries.
Command:
display mac-address [ count ]
display mac-address mac-address [ vlan vlan-id ] [ count ]
display mac-address { all | blackhole | static | dynamic } [ interface-type interface-number ] [ vlan vlan-id ] [ count ]

Action: Display the aging time of MAC address entries.
Command: display mac-address aging-time

Action: Display the limit rules for learning MAC addresses.
Command: display mac-limit [ interface-type interface-number ]

8.9.5 Example for Configuring the MAC Address Table


This section provides an example for configuring the MAC address table. You can set the MAC address of the server
statically to improve the stability and security of entries.

Networking Requirements
GigabitEthernet 1/0/3 on a NGFW works at Layer 2 and is connected to a server with MAC address 00e0-fa33-dc51 on
the network shown in Figure 8-79.
To prevent the NGFW from flooding packets destined for the server out of every port, a static MAC address entry is configured on the NGFW. This entry maps MAC address 00e0-fa33-dc51 to GigabitEthernet 1/0/3 and to VLAN 1, to which GigabitEthernet 1/0/3 is assigned. The NGFW then sends packets destined for the server out of GigabitEthernet 1/0/3 only, instead of flooding them.
Figure 8-79 NGFW with a MAC address table

Procedure
1. Display the system view.
<NGFW> system-view

2. Switch GigabitEthernet 1/0/3 to a Layer 2 port.
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] portswitch

3. Configure a static MAC address entry.
[NGFW-GigabitEthernet1/0/3] mac-address static 00e0-fa33-dc51 GigabitEthernet 1/0/3 vlan 1

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
mac-address static 00e0-fa33-dc51 GigabitEthernet1/0/3 vlan 1
#
return

8.9.6 Feature History


This section describes the versions and changes in the MAC address table feature.

Version Change Description

V100R001C00 The first version.

8.10 ARP
This section describes Address Resolution Protocol (ARP) concepts and how to configure ARP, as well as provides
configuration examples.

8.10.1 Overview
The Address Resolution Protocol (ARP) operates at the link layer of the TCP/IP protocol suite. Every Ethernet device must support ARP. ARP dynamically maps Layer 3 IP addresses to Layer 2 Medium Access Control (MAC) addresses.

Definition
ARP maps IP addresses to MAC addresses. ARP entries are classified as static and dynamic ARP entries. In addition,
ARP provides extension application functions, such as proxy ARP and gratuitous ARP.

Objective
Each host or router in a local area network (LAN) has a 32-bit IP address for communicating with other hosts. IP addresses are independent of hardware addresses. On an Ethernet, a host or a router transmits Ethernet frames based on 48-bit MAC addresses. A MAC address is also called a physical or hardware address. It is allocated to an Ethernet interface when the device is manufactured. In actual networking, MAC and IP addresses must be mapped using an address resolution mechanism.
ARP supports the following functions:
• Dynamic ARP
ARP dynamically resolves an IP address into an Ethernet MAC address based on ARP packets. No network administrator intervention is required.
• Static ARP
Static ARP establishes a fixed mapping between an IP address and a MAC address, which cannot be dynamically adjusted on a host or router. Network administrator intervention is required.
• Proxy ARP
Also called routed proxy ARP. If a host is not configured with a default gateway address, the host can send an ARP Request packet to request the MAC address of the destination host. After the device enabled with proxy ARP receives the packet, it sends an ARP Reply packet containing its own MAC address, so that internal hosts on different physical networks but on the same network segment can communicate.
• Gratuitous ARP
Gratuitous ARP checks for duplicate IP addresses and announces new MAC addresses.
• Authorized ARP
Authorized ARP is valid only on devices with the DHCP server function enabled. It applies when the DHCP server and DHCP clients reside on the same network segment, and prevents attackers from forging the IP or MAC addresses of legitimate DHCP clients to launch attacks.

8.10.2 Mechanism
This section describes the mechanism of the Address Resolution Protocol (ARP).

Address Resolution Process


ARP was developed for Ethernet networks, which support broadcasting. A host can use ARP to obtain the MAC address of a destination host on the same physical network even if the host knows only the IP address of the destination host. The mapping between IP and MAC addresses is dynamically updated, so IP addresses can still be translated into MAC addresses when hosts change, for example, when the number of hosts changes or a network interface card (NIC) is replaced.
The address resolution process is as follows:
1. ARP request
Host A shown in Figure 8-80 knows only the IP address of host B. Host A broadcasts an ARP request packet
to request the MAC address of host B.
Figure 8-80 ARP request

2. ARP reply
All hosts on the network, including host B, receive the ARP request packet. Only host B responds to the
ARP request packet. Host B shown in Figure 8-81 sends an ARP reply packet carrying a local MAC address
to host A.
Host A obtains host B's MAC address and uses this MAC address to communicate with host B.
Figure 8-81 ARP reply

ARP Aging Mechanism


• ARP cache
If host A had to broadcast an ARP Request packet before sending each packet to host B, traffic would increase, and all hosts would have to receive and process the ARP Request packets, which decreases network efficiency.
To solve these problems, each host maintains an ARP cache. This cache holds recently created mappings between IP and MAC addresses.
Before sending a packet, a sender searches the cache for a MAC address mapped to the destination IP address. If the sender finds a matching MAC address, it sends the packet directly to the host with that MAC address, without sending an ARP Request packet. If the sender does not find a matching MAC address, it broadcasts an ARP Request packet.
• Aging time of dynamic ARP entries
After host A shown in Figure 8-81 obtains host B's MAC address from an ARP Reply packet sent by host B, host A creates a mapping entry between the IP and MAC addresses of host B in its ARP cache. If host B fails or its NIC is replaced, host A cannot update the mapping entry and keeps sending packets to the old MAC address of host B.
A timer can be set so that host A deletes cached ARP entries after the timer expires.
The timer only reduces address resolution errors, because the sender can detect the fault and delete the invalid ARP entry only after the timer expires.
• Probes for aging dynamic ARP entries
An upper limit on the number of probes can be set on a device to reduce errors that occur during address resolution. If the device receives no response after the number of probes sent for an entry reaches the upper limit, the device deletes the ARP entry.

Static ARP
Static ARP supports the fixed mappings between IP and MAC addresses. Hosts and routers involved cannot change
mappings dynamically. Static ARP is configured manually by network administrators.
Static ARP entries are used in the following situations:
• A gateway on a local network segment is used to forward packets with destination addresses on other network segments.
• Packets with invalid IP addresses can be filtered out by binding these IP addresses to a nonexistent MAC address.
• IP addresses are bound to MAC addresses to defend against attacks, such as ARP flood attacks.
Static ARP entries have a higher priority than dynamic ARP entries. When you configure a static ARP entry for an IP
address that maps to a dynamic ARP entry in the ARP table, the static ARP entry replaces the dynamic ARP entry.
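The ARP cache, aging timer, probe limit and static-over-dynamic priority described above, as an added Python model that is not part of the original documentation. The aging_time and max_probes values, the IP and MAC addresses, and the decision to re-arm the timer after each probe are constructed for the example, not product defaults.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    static: bool = False
    expires_at: float = 0.0   # dynamic entries only
    probes_sent: int = 0      # unanswered probes since the entry was last learned


class ArpCache:
    """Constructed model of one host's (or the NGFW's) ARP cache: dynamic entries age out
    after aging_time seconds, are probed up to max_probes times before deletion, and
    static entries take priority over dynamic ones."""

    def __init__(self, aging_time: float, max_probes: int):
        self.aging_time = aging_time
        self.max_probes = max_probes
        self.entries: dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        """Static ARP (manually configured): replaces any dynamic entry for the IP address.
        Binding an IP address to a nonexistent MAC address is the filtering use from the
        list above; the sender then addresses its frames to a MAC nobody owns."""
        self.entries[ip] = ArpEntry(mac, static=True)

    def learn(self, ip: str, mac: str, now: float) -> bool:
        """Process an ARP Reply. A static entry is never overwritten by a learned one,
        which is what makes static bindings a defence against forged replies."""
        e = self.entries.get(ip)
        if e is not None and e.static:
            return False
        self.entries[ip] = ArpEntry(mac, expires_at=now + self.aging_time)
        return True

    def resolve(self, ip: str) -> tuple:
        """Sender's lookup before transmitting: a cache hit sends directly; a miss means an
        ARP Request must be broadcast first."""
        e = self.entries.get(ip)
        if e is None:
            return ("arp-request", None)
        return ("send", e.mac)

    def tick(self, now: float) -> list:
        """Aging timer: an expired dynamic entry is probed (an ARP Request for its address)
        and the timer re-armed; after max_probes unanswered probes the entry is deleted.
        A reply to a probe goes through learn(), which recreates the entry."""
        events = []
        for ip, e in list(self.entries.items()):
            if e.static or now < e.expires_at:
                continue
            if e.probes_sent < self.max_probes:
                e.probes_sent += 1
                e.expires_at = now + self.aging_time
                events.append(("probe", ip, e.probes_sent))
            else:
                del self.entries[ip]
                events.append(("deleted", ip))
        return events


if __name__ == "__main__":
    # Constructed walk-through with short timers: learn host B, let it fall silent,
    # watch the probes and the final deletion.
    c = ArpCache(aging_time=20, max_probes=2)
    print(c.resolve("10.1.1.2"))
    c.learn("10.1.1.2", "00e0-fa11-1111", now=1)
    print(c.resolve("10.1.1.2"))
    for t in (21, 41, 61):
        print(t, c.tick(t))
```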
Proxy ARP
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is
not on that network.
Proxy ARP has the following features:
• All processing is performed on the subnet gateways; no change is required on the hosts.
• Each host sees a standard IP network, not a subnet.
• Proxy ARP affects only the ARP caches on hosts, not the ARP caches or routing tables on gateways.
• After proxy ARP is enabled, a short ARP aging time should be set so that invalid ARP entries are removed quickly, reducing the number of packets sent to a router that the router cannot forward.
The NGFW supports two proxy ARP modes:
• Routed proxy ARP
Allows communication between hosts or routers that are in the same network segment but on different physical networks.
In practice, if no default gateway address is set on a host connected to a router (the proxy for this network is unknown to the host), the router cannot forward data for this host. Routed proxy ARP resolves this issue: when the host sends an ARP request for the MAC address of the destination host, the proxy ARP-enabled router returns an ARP reply carrying its own MAC address.
• Inner-VLAN proxy ARP
Allows communication between hosts or routers in the same VLAN that is configured with user isolation.
If two users belong to one VLAN and the VLAN is configured with user isolation, inner-VLAN proxy ARP must be enabled on the interface associated with the VLAN so that the users can communicate.
As shown in Figure 8-82, HOST_A and HOST_B are attached to the NGFW. The interfaces connecting the NGFW to the hosts belong to VLAN 10, and the hosts are isolated on the switch, so they cannot communicate at Layer 2. You can enable inner-VLAN proxy ARP on the interfaces of the NGFW to resolve this issue. When the NGFW receives an ARP request that is not destined for itself, it does not discard the packet. Instead, it searches the ARP table for an entry for HOST_B. If the entry is found, the NGFW returns its own MAC address to HOST_A and forwards the packets from HOST_A to HOST_B. In this manner, the NGFW serves as a proxy for HOST_B.
Figure 8-82 Networking diagram for inner-VLAN proxy ARP
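The decision logic behind the two proxy ARP modes described above, as an added Python model written for this page. It is not NGFW firmware or Huawei's implementation; the interface names, the routing and ARP tables, the exact order of checks and the way VLAN membership is represented (one address shared by the member ports, standing in for the VLANIF address) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface       # interface (or VLANIF) address, e.g. 10.1.1.1/24
    mac: str
    vlan: Optional[int] = None          # VLAN the port belongs to, if it is a VLAN member port
    routed_proxy: bool = False          # routed proxy ARP enabled on this interface
    inner_vlan_proxy: bool = False      # inner-VLAN proxy ARP enabled on this interface

@dataclass
class Device:
    interfaces: Dict[str, Interface]
    # Routing table as (destination network, outbound interface); constructed sample data.
    routes: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)
    # ARP table as ip -> (mac, interface the entry was learned on); constructed sample data.
    arp_table: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def route_lookup(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match; returns the outbound interface name or None."""
        best = None
        for net, ifname in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def handle_arp_request(self, in_if: str, target_ip: str) -> Tuple[str, Optional[str]]:
        """Decide how to answer an ARP request that arrived on in_if.

        Returns ('reply-own', mac) for the interface's own address,
        ('reply-proxy', mac) when the device answers on behalf of another host,
        or ('ignore', None) when it must stay silent.
        """
        iface = self.interfaces[in_if]
        target = ipaddress.IPv4Address(target_ip)
        if target == iface.addr.ip:
            return ("reply-own", iface.mac)       # ordinary ARP, no proxying involved
        # Routed proxy ARP: the target is reachable through a different interface,
        # so the device offers its own MAC and will route the traffic.
        if iface.routed_proxy:
            out_if = self.route_lookup(target)
            if out_if is not None and out_if != in_if:
                return ("reply-proxy", iface.mac)
        # Inner-VLAN proxy ARP: the target is a known host in the same VLAN that the
        # switch isolates from the requester at Layer 2.
        if iface.inner_vlan_proxy and iface.vlan is not None:
            entry = self.arp_table.get(str(target))
            if entry is not None and self.interfaces[entry[1]].vlan == iface.vlan:
                return ("reply-proxy", iface.mac)
        return ("ignore", None)

def build_device() -> Device:
    """Constructed topology: GE1/0/1 and GE1/0/2 are routed ports, GE1/0/3 and GE1/0/4
    are member ports of VLAN 10 (HOST_A and HOST_B of Figure 8-82 hang off them).
    All names, addresses and MACs are assumptions for this example."""
    ifs = {
        "GE1/0/1": Interface("GE1/0/1", ipaddress.IPv4Interface("10.1.1.1/24"),
                             "00e0-fc00-0001", routed_proxy=True),
        "GE1/0/2": Interface("GE1/0/2", ipaddress.IPv4Interface("10.1.2.1/24"),
                             "00e0-fc00-0002"),
        "GE1/0/3": Interface("GE1/0/3", ipaddress.IPv4Interface("10.1.3.1/24"),
                             "00e0-fc00-0003", vlan=10, inner_vlan_proxy=True),
        "GE1/0/4": Interface("GE1/0/4", ipaddress.IPv4Interface("10.1.3.1/24"),
                             "00e0-fc00-0003", vlan=10, inner_vlan_proxy=True),
    }
    routes = [(i.addr.network, i.name) for i in ifs.values()]          # connected routes
    routes.append((ipaddress.IPv4Network("10.2.0.0/16"), "GE1/0/2"))  # static route (assumed)
    arp = {"10.1.3.20": ("0011-2233-4455", "GE1/0/4")}                # HOST_B, learned on GE1/0/4
    return Device(ifs, routes, arp)

if __name__ == "__main__":
    d = build_device()
    print(d.handle_arp_request("GE1/0/1", "10.1.2.5"))    # routed proxy: reply with own MAC
    print(d.handle_arp_request("GE1/0/1", "10.1.1.30"))   # on-link target: stay silent
    print(d.handle_arp_request("GE1/0/3", "10.1.3.20"))   # inner-VLAN proxy for HOST_B
```

The two checks that keep this from becoming an ARP-answering machine for everything are the `out_if != in_if` test (a routed proxy must never answer for hosts that are reachable directly on the inbound segment) and the same-VLAN test on the learned entry (inner-VLAN proxy must not bridge isolation between VLANs).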

Dynamic ARP
Dynamic ARP dynamically and automatically resolves IP addresses into Ethernet MAC addresses. Dynamic ARP does
not require the involvement of an administrator.
An NGFW creates or updates an ARP entry if a received ARP packet satisfies any of the following conditions:
 The ARP packet carries a non-broadcast source address that is on the same network segment as the inbound
interface address. The ARP packet is bound for the IP address of the inbound interface.
 The ARP packet carries a non-broadcast source address that is on the same network segment as the inbound
interface address. The ARP packet is bound for the virtual IP address of a Virtual Router Redundancy
Protocol (VRRP) backup group created on the inbound interface.
 The ARP packet is bound for an address in a Network Address Translation (NAT) address pool configured on
the inbound interface.
If the source IP address of the received ARP packet maps to an ARP entry of the inbound interface, the NGFW also
updates the ARP entry.

Gratuitous ARP
Gratuitous ARP enables a device to send an ARP Request packet to its own IP address. Gratuitous ARP provides the
following functions:
 IP address conflicts: If a device receives no reply to a gratuitous ARP request packet, the device has a unique IP
address. If the device receives an ARP reply packet in response to a gratuitous ARP request packet, there is an
IP address conflict.
 New MAC address advertising: If a device has its NIC replaced and its MAC address is changed, the device
sends a gratuitous ARP to notify all hosts of the MAC address update before the ARP entry aging time
elapses.
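The two gratuitous ARP uses above, shown on the wire as an added Python example written for this page (not NGFW code). It builds and parses RFC 826 ARP frames with the standard library only; the MAC and IP values are constructed, and the assumption that a receiving host only refreshes an entry it already holds is the example's own.

```python
import struct
from typing import Dict, List

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ffff-ffff-ffff"
ZERO_MAC = "0000-0000-0000"

def mac_to_bytes(mac: str) -> bytes:
    """Accept Huawei notation (0022-a101-2259) or colon notation (00:22:a1:01:22:59)."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def bytes_to_mac(b: bytes) -> str:
    """Render 6 bytes in the xxxx-xxxx-xxxx notation used by display arp."""
    h = b.hex()
    return "-".join(h[i:i + 4] for i in (0, 4, 8))

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              dst_mac: str = BROADCAST_MAC) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 field order)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype=Ethernet, ptype=IPv4, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp

def build_gratuitous_arp(mac: str, ip: str) -> bytes:
    """Gratuitous ARP request: the device asks for its own address, so sender IP equals
    target IP and the target MAC is all zeros because no particular host is addressed."""
    return build_arp(ARP_REQUEST, mac, ip, ZERO_MAC, ip)

def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet/ARP frame; raises ValueError for anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("truncated frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    p = frame[22:42]
    return {
        "op": op,
        "sender_mac": bytes_to_mac(p[0:6]),
        "sender_ip": ".".join(str(x) for x in p[6:10]),
        "target_mac": bytes_to_mac(p[10:16]),
        "target_ip": ".".join(str(x) for x in p[16:20]),
    }

def is_gratuitous(pkt: Dict[str, object]) -> bool:
    """A gratuitous ARP is recognised by sender IP == target IP."""
    return pkt["sender_ip"] == pkt["target_ip"]

def conflicting_macs(my_ip: str, my_mac: str, received: List[bytes]) -> List[str]:
    """Use 1, conflict detection: after sending build_gratuitous_arp(my_mac, my_ip),
    any ARP reply whose sender claims my_ip with a different MAC reveals a duplicate."""
    found = []
    for frame in received:
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY and pkt["sender_ip"] == my_ip and pkt["sender_mac"] != my_mac:
            found.append(pkt["sender_mac"])
    return found

def apply_gratuitous(cache: Dict[str, str], pkt: Dict[str, object]) -> bool:
    """Use 2, new MAC advertising: a host that already holds an entry for the sender IP
    refreshes it from the gratuitous ARP instead of waiting for the entry to age out.
    Hosts without an entry learn nothing (a conservative choice assumed here)."""
    if not is_gratuitous(pkt) or pkt["sender_ip"] not in cache:
        return False
    cache[pkt["sender_ip"]] = pkt["sender_mac"]
    return True
```

Note that a gratuitous ARP carries no authentication at all: the frame that legitimately announces a replaced NIC is byte-for-byte the frame an ARP spoofer sends to poison neighbours' caches. That is exactly why `apply_gratuitous` above must never be the only control on a gateway, and why the static and authorized ARP entries described on this page exist.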

Authorized ARP
Authorized ARP allows a DHCP server to automatically add an ARP entry that contains the MAC and IP addresses of
the client after assigning an IP address to the client.
 Authorized ARP entries
Authorized ARP entries do not age. When the DHCP server releases a client's lease, it automatically deletes
the client's authorized ARP entry from the ARP table.
Authorized ARP entries have higher priorities than dynamic ARP entries, but lower than static ARP entries. A
new authorized ARP entry overrides a duplicate dynamic ARP entry, but not a duplicate static ARP entry. The
authorized ARP entry can be overridden by a duplicate static ARP entry.
 Working mechanism
Authorized ARP combines the ARP and DHCP working mechanisms. The authorized ARP function is only
available on devices with the DHCP server function enabled when the DHCP server and client reside on the
same network segment. Authorized ARP is not applicable to DHCP relay scenarios.
The authorized ARP mechanism is as follows:
1. A DHCP client broadcasts a DHCPDISCOVER message. After receiving this message, a DHCP server
replies with a DHCPOFFER message carrying network parameters, including an IP address.
2. If many DHCP servers send DHCPOFFER messages to the client at the same time, the client accepts the
first DHCPOFFER message. The client then broadcasts a DHCPREQUEST message to all DHCP servers.
The DHCPREQUEST message contains the MAC address of the DHCP client and IP address request.
3. After the selected DHCP server receives the DHCPREQUEST message, the DHCP server sends a
DHCPACK message to the client. The message contains network parameters, including the assigned IP
address. Meanwhile, the DHCP server automatically adds an authorized ARP entry that contains the IP
and MAC addresses of the DHCP client.
4. The DHCP server uses the authorized ARP entries to reject forged ARP packets, so that the gateway does not
learn MAC addresses from invalid ARP packets. If an attacker forges the IP or MAC address of a valid DHCP
client in an ARP request, the DHCP server (which is also the gateway, because the server and clients
reside on the same network segment) finds that the IP/MAC pair in the request does not match an authorized
ARP entry and sends no response. The attacker therefore cannot use the forged address on the network,
which improves network security.
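An ARP table model that ties together three things this page states: the precedence of entry types (a static entry replaces a dynamic one; an authorized entry overrides a dynamic one but not a static one), the conditions under which a dynamic entry is created or updated (listed under Dynamic ARP), and the authorized ARP check in step 4 above. This is an added Python example written for this page, not NGFW code: the interface name, addresses, MACs, the VRRP virtual IP and the NAT pool are constructed, and the return values of process_arp are names chosen here, not device states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set

# Entry types and their precedence, highest first: static > authorized > dynamic.
PRIORITY = {"S": 3, "A": 2, "D": 1}
BROADCAST_IP = ipaddress.IPv4Address("255.255.255.255")

@dataclass
class Entry:
    mac: str
    kind: str           # "S" static, "A" authorized (installed by the DHCP server), "D" dynamic
    interface: str      # interface the entry belongs to

@dataclass
class InboundInterface:
    name: str
    addr: ipaddress.IPv4Interface   # interface address, e.g. 10.1.1.1/24
    vrrp_vips: Set[str]             # virtual IPs of VRRP backup groups on this interface
    nat_pool: Set[str]              # NAT address pool bound to this interface
    dhcp_server: bool = False       # the DHCP server (and thus authorized ARP) runs here

class ArpTable:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def _install(self, ip: str, new: Entry) -> bool:
        """Install an entry unless the existing one has a higher type precedence."""
        old = self.entries.get(ip)
        if old is not None and PRIORITY[new.kind] < PRIORITY[old.kind]:
            return False
        self.entries[ip] = new
        return True

    def add_static(self, ip: str, mac: str, interface: str = "") -> None:
        """Static entries always win, so they replace dynamic and authorized entries."""
        self._install(ip, Entry(mac, "S", interface))

    def dhcp_ack(self, iface: InboundInterface, client_mac: str, ip: str) -> bool:
        """Step 3 above: on DHCPACK the server installs an authorized entry for the client.
        Only clients on the server's own segment qualify (no DHCP relay). Returns whether
        the entry was installed (a static entry for the same IP blocks it)."""
        if not iface.dhcp_server or ipaddress.IPv4Address(ip) not in iface.addr.network:
            return False
        return self._install(ip, Entry(client_mac, "A", iface.name))

    def dhcp_release(self, ip: str) -> None:
        """When the client's lease ends its authorized entry is removed; other kinds are untouched."""
        entry = self.entries.get(ip)
        if entry is not None and entry.kind == "A":
            del self.entries[ip]

    def process_arp(self, iface: InboundInterface, sender_ip: str, sender_mac: str,
                    target_ip: str) -> str:
        """Apply the authorized ARP check and the dynamic learning conditions to one
        ARP packet received on iface. Returns 'dropped' (forged sender, no reply),
        'ignored' (no learning condition met), 'learned', 'updated' or 'kept' (a
        higher-precedence entry for the sender already exists and is retained)."""
        # Step 4 above: the sender's IP/MAC pair must either fully match an authorized
        # entry or not touch one at all; a half match means a forged client address.
        for ip, entry in self.entries.items():
            if entry.kind == "A" and (ip == sender_ip) != (entry.mac == sender_mac):
                return "dropped"
        src = ipaddress.IPv4Address(sender_ip)
        same_subnet = src != BROADCAST_IP and src in iface.addr.network
        for_us = target_ip == str(iface.addr.ip) or target_ip in iface.vrrp_vips
        known_here = sender_ip in self.entries and self.entries[sender_ip].interface == iface.name
        if not ((same_subnet and for_us) or target_ip in iface.nat_pool or known_here):
            return "ignored"
        existed = sender_ip in self.entries
        if not self._install(sender_ip, Entry(sender_mac, "D", iface.name)):
            return "kept"
        return "updated" if existed else "learned"

if __name__ == "__main__":
    gw = InboundInterface("GE1/0/1", ipaddress.IPv4Interface("10.1.1.1/24"),
                          {"10.1.1.254"}, {"203.0.113.10"}, dhcp_server=True)
    t = ArpTable()
    t.dhcp_ack(gw, "00aa-bbcc-0001", "10.1.1.50")
    print(t.process_arp(gw, "10.1.1.50", "0bad-0bad-0bad", "10.1.1.1"))  # forged IP: dropped
    print(t.process_arp(gw, "10.1.1.20", "0011-2233-4455", "10.1.1.1"))  # ordinary host: learned
```

The half-match test in process_arp is the whole point of authorized ARP: an attacker who spoofs a valid client's IP with their own MAC, or a valid client's MAC with a new IP, is refused, while the real client (both fields matching) is served and its entry is never downgraded to a dynamic one.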

8.10.3 Configuring Static ARP


Static ARP entries record the fixed mapping between IP and MAC addresses. They are configured manually.

Context
A static ARP entry is manually added. It does not age and cannot be overwritten by a dynamic ARP entry. Static ARP
entries are valid as long as the device works properly.
Static ARP entries improve communication security. Static ARP entries ensure communication between a local device
and a specified device using the specified MAC address. Attackers cannot modify the mapping between IP and MAC
addresses in static ARP entries.

Procedure
1. Access the system view.
system-view

2. Perform one of the following operations:


 To configure a common static ARP entry, run:
arp static ip-address mac-address

 To configure a common static ARP entry in a virtual local area network (VLAN), perform the following
steps:
 Configure a static ARP entry.
arp static ip-address mac-address vid vlan-id

If the interface of a specified VLAN is bound to a virtual private network (VPN), the device can
automatically associate the configured static ARP entry with the VPN. This command is applicable to
port-based VLANs.
 Bind the static entry to a VPN instance.
arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-id

This command is applicable to a sub-interface that supports VLAN and can be bound to a VPN
instance.
 To configure a static ARP entry in a VPN instance, run:
arp static ip-address mac-address vpn-instance vpn-instance-name

Example
# Map the Ethernet MAC address 0022-a101-2259 to the IP address 192.168.0.1.
<NGFW> system-view
[NGFW] arp static 192.168.0.1 0022-a101-2259

Follow-up Procedure
Run the display arp static command to view the static ARP entry.
<NGFW> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/PVC
------------------------------------------------------------------------------
192.168.0.1     0022-a101-2259            S
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:1    Interface:0    Authorized:0    SNMP:0

The TYPE field displays S, which indicates a static ARP entry. The EXPIRE(M) field is empty because the entry does not
age.

8.10.4 Optimizing Dynamic ARP


Dynamic ARP is enabled by default and does not need to be enabled manually. To optimize this function, you can modify
some dynamic ARP parameters.

Context
If the device needs to update ARP entries frequently, reduce the aging timeout period of ARP entries and increase the
aging detection frequency.

Procedure
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Set the timeout period for aging dynamic ARP entries.


arp expire-time expire-time
By default, the aging timeout period is 1200 seconds.
4. Set the maximum number of ARP probe packets to be sent.
arp detect-times detect-times

The default value is 3.


Each time the aging time of a dynamic ARP entry elapses, the device sends an ARP probe packet to the peer
device. If the device does not receive an ARP Reply packet from the peer device after sending a maximum
number of probe packets, it deletes the ARP entry.
For example, the aging time of dynamic ARP entries is 60s, and the maximum number of ARP probe packets
to be sent is 6. After 60s since an ARP entry is generated, the device sends an ARP probe packet every 5s. If
the device does not receive any response after sending six ARP probe packets, it deletes the ARP entry.
Therefore, the actual aging time of the ARP entry is 90s (60 + 6 x 5).
If the maximum number of probe packets is set to 0, the device deletes a dynamic ARP entry immediately when
the entry ages, without probing the peer.
5. Enable multicast MAC address learning.
arp multi-mac-permit

If the multicast MAC address learning function is disabled, the NGFW can learn only unicast MAC
addresses from ARP packets.
On the network shown in Figure 8-83, the NGFW works at Layer 3 and the switch works at Layer 2. The
server cluster has a virtual IP address and a virtual MAC address which is a multicast address.
The NGFW needs the virtual MAC address of the server cluster in order to forward service packets from
clients to the server cluster. Enable multicast MAC address learning on interface GigabitEthernet1/0/2 so
that the NGFW can learn this address from the cluster's ARP packets.
Figure 8-83 A standalone firewall learning the MAC address

To enhance network availability, you can deploy two NGFWs to implement dual-system hot backup, as
shown in Figure 8-84. A routing loop is formed if multicast MAC address learning is enabled on the NGFWs
in dual-system hot backup deployment. The following example explains how the routing loop is formed on
Switch_Active.
a. NGFW_Active (the active firewall) encapsulates the multicast MAC address of the server cluster into a service
packet from a client and forwards the packet to Switch_Active.
b. Switch_Active broadcasts this packet. Switch_Standby receives the broadcast packet and forwards it
to NGFW_Standby (the standby firewall).
