H3C SR8800-F Configuration manual

Category
Software
Type
Configuration manual
H3C SR8800-F Routers
Comware 7 User Access Configuration Guide
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Software version: SR8800FS-CMW710-R7655P05 or later
Document version: 6W100-20170825
Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H
3
Care, , IRF, NetPilot, Netflow, SecEngine,
SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies
Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
This configuration guide describes fundamentals and configuration of user access features.
This preface includes the following topics about the documentation:
• Audience.
• Conventions
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the routers.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention Description
Boldface Bold
text represents commands and keywords that you enter literally as shown.
Italic
Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars,
from which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select a minimum of one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign
can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
Boldface
Window names, button names, field names, and menu items are in Boldface. For
example, the
New User
window opens; click
OK
.
>
Multi-level menus are separated by angle brackets. For example,
File
>
Create
>
Convention Description
Folde
r
.
Symbols
Convention Description
WARNING!
An alert that calls attention to important information that if not understood or followed
can result in personal injury.
CAUTION:
An alert that calls attention to important information that if not understood or followed
can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT:
An alert that calls attention to essential information.
NOTE:
An alert that contains additional or supplementary information.
TIP:
An alert that provides helpful information.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that
supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access
controller engine on a unified wired-WLAN switch.
Represents an access point.
Wireless terminator unit.
Wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security
gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL
VPN, IPS, or ACG module.
T
T
T
T




Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.
Obtaining documentation
To access the most up-to-date H3C product documentation, go to the H3C website at
http://www.h3c.com.hk
To obtain information about installation, configuration, and maintenance, click
http://www.h3c.com.hk/Technical_Documents
To obtain software version information such as release notes, click
http://www.h3c.com.hk/Software_Download
Technical support
service@h3c.com
http://www.h3c.com.hk
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
i
Contents
Configuring AAA ·············································································· 1
About AAA ······························································································································· 1
AAA implementation ············································································································ 1
AAA network diagram ··········································································································· 1
RADIUS ···························································································································· 2
HWTACACS ······················································································································ 5
LDAP ································································································································ 8
User management based on ISP domains and user access types ··············································· 11
Authentication, authorization, and accounting methods ······························································ 11
AAA for MPLS L3VPNs ······································································································ 13
Protocols and standards ····································································································· 13
AAA tasks at a glance ··············································································································· 14
Configuring local users ·············································································································· 15
About local users ··············································································································· 15
Local user configuration tasks at a glance··············································································· 16
Configuring attributes for device management users ································································· 16
Configuring attributes for network access users ······································································· 17
Configuring local guest attributes ·························································································· 18
Configuring user group attributes ·························································································· 19
Managing local guests ········································································································ 21
Display and maintenance commands for local users and local user groups ···································· 22
Configuring RADIUS ················································································································· 23
RADIUS tasks at a glance ··································································································· 23
Configuring a test profile for RADIUS server status detection ······················································ 23
Creating a RADIUS scheme ································································································ 24
Specifying the RADIUS authentication servers ········································································· 24
Specifying the RADIUS accounting servers ············································································· 25
Specifying the shared keys for secure RADIUS communication ··················································· 26
Specifying an MPLS L3VPN instance for the scheme ································································ 26
Setting the username format and traffic statistics units ······························································ 27
Setting the maximum number of RADIUS request transmission attempts ······································ 27
Setting the maximum number of real-time accounting attempts ··················································· 28
Configuring RADIUS stop-accounting packet buffering ······························································ 28
Setting the maximum number of pending RADIUS requests ······················································· 29
Setting the status of RADIUS servers ···················································································· 29
Enabling the RADIUS server load sharing feature ···································································· 31
Specifying the source IP address for outgoing RADIUS packets ·················································· 32
Setting RADIUS timers ······································································································· 33
Configuring the RADIUS accounting-on feature ······································································· 34
Interpreting the RADIUS class attribute as CAR parameters ······················································· 34
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users ·················· 35
Configuring the MAC address format for RADIUS attribute 31 ····················································· 35
Configuring the format for RADIUS attribute 87 ········································································ 36
Setting the data measurement unit for the Remanent_Volume attribute········································· 36
Specifying a server version for interoperating with servers with a vendor ID of 2011 ························ 37
Configuring the RADIUS attribute translation feature ································································· 37
Configuring the RADIUS session-control feature ······································································ 39
Configuring the RADIUS DAS feature ···················································································· 39
Changing the DSCP priority for RADIUS packets ····································································· 40
Configuring the device to preferentially process RADIUS authentication requests ··························· 40
Enabling SNMP notifications for RADIUS ··············································································· 41
Display and maintenance commands for RADIUS ···································································· 41
Configuring HWTACACS ··········································································································· 42
HWTACACS tasks at a glance ····························································································· 42
Creating an HWTACACS scheme ························································································· 42
Specifying the HWTACACS authentication servers ··································································· 42
Specifying the HWTACACS authorization servers ···································································· 43
ii
Specifying the HWTACACS accounting servers ······································································· 44
Specifying the shared keys for secure HWTACACS communication ············································· 44
Specifying an MPLS L3VPN instance for the scheme ································································ 45
Setting the username format and traffic statistics units ······························································ 45
Configuring HWTACACS stop-accounting packet buffering ························································ 46
Specifying the source IP address for outgoing HWTACACS packets ············································ 46
Setting HWTACACS timers ································································································· 47
Display and maintenance commands for HWTACACS ······························································ 48
Configuring LDAP ···················································································································· 49
LDAP tasks at a glance ······································································································ 49
Creating an LDAP server ···································································································· 49
Configuring the IP address of the LDAP server ········································································ 49
Specifying the LDAP version ································································································ 50
Setting the LDAP server timeout period ·················································································· 50
Configuring administrator attributes ······················································································· 50
Configuring LDAP user attributes ·························································································· 51
Configuring an LDAP attribute map ······················································································· 52
Creating an LDAP scheme ·································································································· 52
Specifying the LDAP authentication server·············································································· 53
Specifying the LDAP authorization server ··············································································· 53
Specifying an LDAP attribute map for LDAP authorization ·························································· 53
Display and maintenance commands for LDAP ········································································ 53
Configuring AAA methods for ISP domains ···················································································· 54
Creating an ISP domain ······································································································ 54
Configuring ISP domain attributes ························································································· 55
Configuring authentication methods for an ISP domain ······························································ 58
Configuring authorization methods for an ISP domain ······························································· 60
Configuring accounting methods for an ISP domain ·································································· 62
Display and maintenance commands for ISP domains ······························································ 64
Setting the maximum number of concurrent login users···································································· 65
Configuring the local bill cache feature ························································································· 65
About local bill cache ········································································································· 65
Procedure ························································································································ 65
Display and maintenance commands for local bill cache ···························································· 66
Configuring a NAS-ID ··············································································································· 66
About NAS-IDs ················································································································· 66
Configuring a NAS-ID profile ································································································ 66
Setting the NAS-ID on an interface ························································································ 67
Setting the NAS-ID in an ISP domain ····················································································· 67
Configuring the device ID ··········································································································· 68
AAA configuration examples ······································································································· 68
Example: Configuring authentication and authorization for SSH users by a RADIUS server ··············· 68
Example: Configuring local authentication and authorization for SSH users ··································· 71
Example: Configuring AAA for SSH users by an HWTACACS server ············································ 72
Example: Configuring authentication for SSH users by an LDAP server ········································ 73
Example: Configuring AAA for PPP users by an HWTACACS server ············································ 78
Troubleshooting RADIUS ··········································································································· 79
RADIUS authentication failure ······························································································ 79
RADIUS packet delivery failure ···························································································· 80
RADIUS accounting error ···································································································· 80
Troubleshooting HWTACACS ····································································································· 81
Troubleshooting LDAP ·············································································································· 81
LDAP authentication failure ································································································· 81
Appendixes ···························································································································· 82
Appendix A Commonly used RADIUS attributes ······································································· 82
Appendix B Descriptions for commonly used standard RADIUS attributes ····································· 83
Appendix C RADIUS subattributes (vendor ID 25506) ······························································· 85
DHCP overview ············································································· 88
DHCP network model ··············································································································· 88
DHCP address allocation ··········································································································· 88
Allocation mechanisms ······································································································· 88
iii
IP address allocation process ······························································································ 89
IP address lease extension ·································································································· 89
DHCP message format ············································································································· 90
DHCP options ························································································································· 91
Common DHCP options ············································································································ 91
Custom DHCP options ·············································································································· 91
Vendor-specific option (Option 43) ························································································ 92
Relay agent option (Option 82) ····························································································· 93
Option 184 ······················································································································· 93
Protocols and standards ············································································································ 94
Configuring the DHCP server ···························································· 95
About DHCP server ·················································································································· 95
DHCP address assignment mechanisms ················································································ 95
Principles for selecting an address pool·················································································· 96
IP address allocation sequence ···························································································· 97
DHCP server tasks at a glance ··································································································· 97
Creating a DHCP user class ······································································································· 98
Configuring an address pool on the DHCP server ··········································································· 98
DHCP address pool tasks at a glance ···················································································· 98
Creating a DHCP address pool ···························································································· 99
Specifying IP address ranges for a DHCP address pool ····························································· 99
Specifying gateways for DHCP clients ················································································· 102
Specifying a domain name suffix for DHCP clients ·································································· 102
Specifying DNS servers for DHCP clients ············································································· 103
Specifying WINS servers and NetBIOS node type for DHCP clients ··········································· 103
Specifying BIMS server for DHCP clients ·············································································· 103
Specifying the configuration file for DHCP client auto-configuration ············································ 104
Specifying a server for DHCP clients ··················································································· 105
Configuring Option 184 parameters for DHCP clients ······························································ 105
Customizing DHCP options ······························································································· 105
Configuring the DHCP user class whitelist ············································································ 107
Enabling DHCP ····················································································································· 107
Enabling the DHCP server on an interface ·················································································· 108
Applying a DHCP address pool to a VPN instance ········································································ 108
Applying an address pool on an interface ···················································································· 108
Configuring a DHCP policy for dynamic address assignment ··························································· 109
Allocating different IP addresses to DHCP clients with the same MAC ··············································· 110
Enabling random IP address allocation ······················································································· 110
Configuring IP address conflict detection ····················································································· 110
Enabling handling of Option 82 ································································································· 111
Disabling Option 60 encapsulation in DHCP replies ······································································· 111
Configuring the DHCP server security features ············································································· 112
Restrictions and guidelines ································································································ 112
Configuring DHCP flood attack protection ············································································· 112
Configuring DHCP starvation attack protection ······································································ 113
Configuring DHCP server compatibility ······················································································· 113
Configuring the DHCP server to always broadcast responses ··················································· 113
Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses
··································································································································· 114

Configure the DHCP server to ignore BOOTP requests ··························································· 114
Configuring the DHCP server to send BOOTP responses in RFC 1048 format ····························· 115
Setting the DSCP value for DHCP packets sent by the DHCP server ················································ 115
Configuring DHCP packet rate limit on a DHCP server interface ······················································ 115
Configuring DHCP binding auto backup ······················································································ 116
Binding gateways to DHCP server's MAC address ········································································ 116
Advertising subnets assigned to clients ······················································································· 117
Enabling client offline detection on the DHCP server ····································································· 118
Configuring SNMP notifications for the DHCP server ····································································· 118
Enabling DHCP logging on the DHCP server ··············································································· 119
Display and maintenance commands for DHCP server ·································································· 119
DHCP server configuration examples ························································································· 120
iv
Example: Configuring static IP address assignment ································································ 120
Example: Configuring dynamic IP address assignment ···························································· 121
Example: Configuring DHCP user class ··············································································· 123
Example: Configuring DHCP user class whitelist ···································································· 125
Example: Configuring primary and secondary subnets ···························································· 126
Example: Customizing DHCP option ··················································································· 127
Example: Configuring DHCP server (WLAN application) ································································· 129
Network configuration ······································································································· 129
Procedure ······················································································································ 130
Verifying the configuration ································································································· 130
Troubleshooting DHCP server configuration ················································································ 130
Failure to obtain a non-conflicting IP address ········································································ 130
Configuring the DHCP relay agent ··················································· 132
About DHCP relay agent ········································································································· 132
DHCP relay agent operation ······························································································ 132
DHCP relay agent support for Option 82 ··············································································· 133
DHCP relay agent support for MCE ····················································································· 133
DHCP relay agent tasks at a glance ··························································································· 134
Enabling DHCP ····················································································································· 134
Enabling the DHCP relay agent on an interface ············································································ 134
Specifying DHCP servers ········································································································ 135
Specifying DHCP servers on a relay agent ············································································ 135
Configuring a DHCP address pool on a DHCP relay agent ······················································· 135
Specifying the DHCP server selecting algorithm ····································································· 136
Configuring the DHCP relay agent security features ······································································ 138
Rustications and guidelines ······························································································· 138
Enabling the DHCP relay agent to record relay entries ···························································· 138
Enabling periodic refresh of dynamic relay entries ·································································· 138
Configuring DHCP flood attack protection ············································································· 139
Enabling DHCP starvation attack protection ·········································································· 139
Enabling DHCP server proxy on the DHCP relay agent ··························································· 140
Enabling client offline detection on the DHCP relay agent ························································ 141
Configuring the DHCP relay agent to release an IP address ···························································· 141
Configuring Option 82 ············································································································· 141
Setting the DSCP value for DHCP packets sent by the DHCP relay agent ·········································· 142
Configuring DHCP packet rate limit on a DHCP relay interface ························································ 143
Specifying the DHCP relay agent address for the giaddr field ························································· 143
Manually specifying the DHCP relay agent address for the giaddr field······································· 143
Configuring smart relay to specify the DHCP relay agent address for the giaddr field ···················· 143
Specifying the source IP address for DHCP requests····································································· 145
Configuring the DHCP relay agent to always unicast relayed DHCP responses ··································· 146
Configuring forwarding DHCP replies based on Option 82 ······························································ 146
Display and maintenance commands for DHCP relay agent ···························································· 147
DHCP relay agent configuration examples ·················································································· 148
Example: Configuring basic DHCP relay agent ······································································ 148
Example: Configuring Option 82 ························································································· 149
Example: Configuring DHCP server selection ········································································ 149
Troubleshooting DHCP relay agent configuration ·········································································· 151
Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent ············· 151
Configuring the DHCP client ··························································· 152
About DHCP client ················································································································· 152
Restrictions and guidelines: DHCP client configuration ··································································· 152
Enabling the DHCP client on an interface ···················································································· 152
Configuring a DHCP client ID for an interface ··············································································· 152
Enabling duplicated address detection ························································································ 153
Setting the DSCP value for DHCP packets sent by the DHCP client ················································· 153
Display and maintenance commands for DHCP client ···································································· 154
DHCP client configuration examples ·························································································· 154
Example: Configuring DHCP client ······················································································ 154
v
Configuring DHCP snooping ··························································· 157
About DHCP snooping ············································································································ 157
Application of trusted and untrusted ports ············································································· 157
DHCP snooping support for Option 82 ················································································· 158
Restrictions and guidelines: DHCP snooping configuration ····························································· 159
DHCP snooping tasks at a glance ····························································································· 159
Configuring basic DHCP snooping ····························································································· 159
Configuring Option 82 ············································································································· 160
Configuring DHCP snooping entry auto backup ············································································ 161
Enabling DHCP starvation attack protection ················································································· 162
Enabling DHCP-REQUEST attack protection ··············································································· 162
Setting the maximum number of DHCP snooping entries ································································ 163
Configuring a DHCP packet blocking port ···················································································· 163
Enabling DHCP snooping logging ······························································································ 164
Display and maintenance commands for DHCP snooping ······························································· 164
DHCP snooping configuration examples ····················································································· 165
Example: Configuring basic DHCP snooping ········································································· 165
Example: Configuring DHCP snooping support for Option 82 ···················································· 166
Configuring the BOOTP client ························································· 168
About BOOTP client ··············································································································· 168
BOOTP application ·········································································································· 168
Obtaining an IP address dynamically ··················································································· 168
Protocols and standards ··································································································· 168
Configuring an interface to use BOOTP for IP address acquisition ···················································· 168
Display and maintenance commands for BOOTP client ·································································· 169
BOOTP client configuration examples ························································································ 169
Example: Configuring BOOTP client ···················································································· 169
DHCPv6 overview ········································································ 170
DHCPv6 address/prefix assignment ··························································································· 170
Rapid assignment involving two messages ··········································································· 170
Assignment involving four messages ··················································································· 170
Address/prefix lease renewal ···································································································· 171
Stateless DHCPv6 ················································································································· 172
DHCPv6 options ···················································································································· 172
Option 18 ······················································································································· 172
Option 37 ······················································································································· 173
Protocols and standards ·········································································································· 174
Configuring the DHCPv6 server ······················································ 175
About DHCPv6 server ············································································································· 175
IPv6 address assignment ·································································································· 175
IPv6 prefix assignment ····································································································· 175
Concepts ······················································································································· 176
DHCPv6 address pool ······································································································ 176
IPv6 address/prefix allocation sequence ··············································································· 177
DHCPv6 server tasks at a glance ······························································································ 178
Configuring IPv6 prefix assignment ···························································································· 178
Configuring IPv6 address assignment ························································································ 180
Configuring network parameters assignment ··············································································· 181
Configuring network parameters in a DHCPv6 address pool ····················································· 182
Configuring network parameters in a DHCPv6 option group ····················································· 182
Configuring a DHCPv6 policy for IPv6 address and prefix assignment ··············································· 183
Configuring the DHCPv6 server on an interface ············································································ 184
Allocating different IPv6 addresses to DHCPv6 clients with the same MAC ········································ 185
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server ·········································· 185
Configuring DHCPv6 binding auto backup ··················································································· 186
Advertising subnets assigned to clients ······················································································· 186
Applying a DHCPv6 address pool to a VPN instance ····································································· 187
Configuring the DHCPv6 server security features ········································································· 188
vi
Configuring DHCPv6 flood attack protection ·········································································· 188
Enabling the DHCPv6 server to advertise IPv6 prefixes ·································································· 189
Enabling DHCPv6 logging on the DHCPv6 server ········································································· 189
Display and maintenance commands for DHCPv6 server ······························································· 189
DHCPv6 server configuration examples ······················································································ 190
Example: Configuring dynamic IPv6 prefix assignment ···························································· 190
Example: Configuring dynamic IPv6 address assignment ························································· 193
Configuring the DHCPv6 relay agent ················································ 195
About DHCPv6 relay agent ······································································································ 195
Typical application ··········································································································· 195
DHCPv6 relay agent operating process ················································································ 195
DHCPv6 relay agent tasks at a glance ························································································ 196
Enabling the DHCPv6 relay agent on an interface ········································································· 196
Specifying DHCPv6 servers on the relay agent ············································································ 196
Specifying the DHCPv6 server IP addresses ········································································· 196
Specifying DHCPv6 servers for a DHCPv6 address pool on the DHCPv6 relay agent ···················· 197
Specifying a gateway address for DHCPv6 clients ········································································ 198
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent ··································· 198
Specifying a padding mode for the Interface-ID option ··································································· 199
Configuring DHCPv6 relay security features ················································································ 199
Enabling the DHCPv6 relay agent to record relay entries ························································· 199
Enabling IPv6 release notification ······················································································· 199
Enabling client offline detection ·························································································· 200
Configuring DHCPv6 flood attack protection ·········································································· 200
Enabling the DHCPv6 relay agent to advertise IPv6 prefixes ··························································· 201
Display and maintenance commands for DHCPv6 relay agent ························································· 201
DHCPv6 relay agent configuration examples ··············································································· 202
Example: Configuring DHCPv6 relay agent ··········································································· 202
Configuring DHCPv6 snooping ························································ 204
About DHCPv6 snooping ········································································································· 204
Application of trusted and untrusted ports ············································································· 204
Restrictions and guidelines: DHCPv6 snooping configuration ·························································· 205
DHCPv6 snooping tasks at a glance ·························································································· 205
Configuring basic DHCPv6 snooping ·························································································· 205
Configuring support for Option 18 ······························································································ 206
Configuring support for Option 37 ······························································································ 206
Configuring DHCPv6 snooping entry auto backup ········································································· 206
Setting the maximum number of DHCPv6 snooping entries ····························································· 207
Enabling DHCPv6-REQUEST check ·························································································· 207
Configuring a DHCPv6 packet blocking port ················································································ 208
Enabling DHCPv6 snooping logging ··························································································· 208
Display and maintenance commands for DHCPv6 snooping ··························································· 209
Example: Configuring DHCPv6 snooping ···················································································· 209
Network configuration ······································································································· 209
Procedure ······················································································································ 210
Verifying the configuration ································································································· 210
Configuring MAC authentication ······················································ 211
About MAC authentication ······································································································· 211
User account policies ······································································································· 211
Authentication methods ···································································································· 212
VLAN assignment ············································································································ 212
ACL assignment ·············································································································· 214
User profile assignment ···································································································· 214
Periodic MAC reauthentication ··························································································· 215
Restrictions and guidelines: MAC authentication configuration ························································· 215
MAC authentication tasks at a glance ························································································· 215
Prerequisites for MAC authentication ························································································· 216
Enabling MAC authentication ···································································································· 216
Specifying a MAC authentication domain ···················································································· 216
vii
Configuring the user account format ··························································································· 217
Configuring MAC authentication timers ······················································································· 217
About MAC authentication timers ························································································ 217
Procedure ······················································································································ 217
Enabling MAC authentication offline detection ·············································································· 218
Setting the maximum number of concurrent MAC authentication users on a port ································· 218
Enabling MAC authentication multi-VLAN mode on a port ······························································· 218
Configuring MAC authentication delay ························································································ 219
Configuring a MAC authentication guest VLAN ············································································· 219
Restrictions and guidelines ································································································ 219
Prerequisites ·················································································································· 220
Procedure ······················································································································ 220
Configuring a MAC authentication critical VLAN ··········································································· 220
Restrictions and guidelines ································································································ 220
Prerequisites ·················································································································· 221
Procedure ······················································································································ 221
Configuring the keep-online feature ··························································································· 221
Including user IP addresses in MAC authentication requests ··························································· 222
About the feature of including user IP addresses in MAC authentication requests ························· 222
Restrictions and guidelines ································································································ 222
Procedure ······················································································································ 222
Display and maintenance commands for MAC authentication ·························································· 222
MAC authentication configuration examples ················································································ 223
Example: Configuring local MAC authentication ····································································· 223
Example: Configuring RADIUS-based MAC authentication ······················································· 225
Example: Configuring ACL assignment for MAC authentication ················································· 227
Configuring PPP ·········································································· 230
About PPP ··························································································································· 230
PPP protocols ················································································································· 230
PPP link establishment process ·························································································· 230
PPP authentication ·········································································································· 231
PPP for IPv4 ·················································································································· 231
PPP for IPv6 ·················································································································· 232
Protocols and standards ·········································································································· 233
PPP tasks at a glance ············································································································· 233
Configuring a VT interface ······································································································· 233
Configuring PPP authentication ································································································· 234
Configuring PAP authentication ·························································································· 234
Configuring CHAP authentication (authenticator name is configured)·········································· 235
Configuring CHAP authentication (authenticator name is not configured) ····································· 236
Configuring MS-CHAP or MS-CHAP-V2 authentication ··························································· 237
Configuring the polling feature ·································································································· 238
Enabling fast reply for keepalive packets ····················································································· 239
Configuring PPP negotiation ····································································································· 239
Configuring the PPP negotiation timeout time ········································································ 239
Configuring IP address negotiation on the client ····································································· 240
Configuring IP address negotiation on the server ··································································· 240
Enabling IP segment match ······························································································· 243
Configuring DNS server IP address negotiation on the client ···················································· 244
Configuring DNS server IP address negotiation on the server ··················································· 244
Enabling PPP accounting ········································································································ 244
Enabling logging for PPP users ································································································· 245
Configuring service tracing objects ···························································································· 245
Enabling PPP user blocking ····································································································· 246
About PPP user blocking ·································································································· 246
Procedure ······················································································································ 246
Configuring the NAS-Port-Type attribute ····················································································· 246
Suppressing adding PPP peer host routes to the local direct route table ············································ 247
Configuring the traffic accounting frequency mode for online PPP users ············································ 247
Display and maintenance commands for PPP ·············································································· 247
viii
Configuring L2TP ········································································· 250
About L2TP ·························································································································· 250
Typical L2TP networking ··································································································· 250
L2TP message types and encapsulation structure ·································································· 250
L2TP tunnel and session ··································································································· 251
L2TP tunneling modes and tunnel establishment process ························································ 251
L2TP features ················································································································· 254
L2TP-based EAD ············································································································ 256
Protocols and standards ··································································································· 256
Restrictions: Hardware compatibility with L2TP ············································································ 256
Restrictions and guidelines: L2TP configuration ············································································ 256
L2TP tasks at a glance ············································································································ 257
Configuring basic L2TP capabilities ··························································································· 258
Configuring an LAC ················································································································ 258
Configuring an LAC to initiate tunneling requests for a user ······················································ 258
Specifying LNS IP addresses ····························································································· 259
Configuring the source IP address of L2TP tunnel packets ······················································· 259
Configuring each L2TP user to use an L2TP tunnel exclusively ················································· 259
Enabling transferring AVP data in hidden mode ····································································· 260
Configuring AAA authentication on an LAC ··········································································· 260
Configuring an LAC to automatically establish an L2TP tunnel ·················································· 260
Configuring an LNS ················································································································ 261
Creating a VT interface ····································································································· 262
Configuring an LNS to accept L2TP tunneling requests from an LAC ·········································· 262
Configuring user authentication on an LNS ··········································································· 262
Configuring AAA authentication on an LNS ··········································································· 264
Setting the maximum number of ICRQ packets that the LNS can process per second ···················· 264
Configuring optional L2TP parameters ························································································ 264
Configuring L2TP tunnel authentication ················································································ 264
Setting the Hello interval ··································································································· 265
Setting the DSCP value of L2TP packets ·············································································· 265
Setting the TSA ID of the LTS ···························································································· 265
Enabling L2TP-based EAD ······································································································ 266
Configuring IMSI/SN binding authentication on the LNS ································································· 266
Display and maintenance commands for L2TP ············································································· 267
L2TP configuration examples ··································································································· 267
Example: Configuring a NAS-initiated L2TP tunnel ································································· 267
Example: Configuring a client-initiated L2TP tunnel ································································ 270
Example: Configuring an LAC-auto-initiated L2TP tunnel ························································· 271
Troubleshooting L2TP ············································································································· 273
Failure to access the private network ··················································································· 273
Data transmission failure ··································································································· 274
L2TP user offline ············································································································· 274
Configuring PPPoE ······································································· 275
About PPPoE ························································································································ 275
PPPoE network structure ········································································································· 275
Router-initiated network structure ······················································································· 275
Host-initiated network structure ·························································································· 276
Protocols and standards ·········································································································· 276
Restrictions: Hardware compatibility with IPoE ············································································· 276
Restrictions and guidelines: PPPoE configuration ········································································· 276
Configuring the PPPoE server ·································································································· 277
PPPoE server tasks at a glance ························································································· 277
Configuring a PPPoE session ···························································································· 277
Setting the maximum number of PPPoE sessions ·································································· 278
Limiting the PPPoE access rate ·························································································· 278
Configuring the NAS-Port-ID attribute ·················································································· 279
Enabling PPPoE users to come online despite the PPPoE-NAT444 collaboration failure ················ 280
Setting the maximum number of PADI packets that the device can receive per second ·················· 281
Configuring PPPoE user blocking ······················································································· 281
ix
Enabling PPPoE logging ··································································································· 282
Display and maintenance commands for PPPoE ·········································································· 282
PPPoE configuration examples ································································································· 283
Example: Configuring the PPPoE server ·············································································· 283
Example: Assigning the PPPoE server IP address through the local DHCP server ························ 284
Example: Assigning the PPPoE server IP address through a remote DHCP server ························ 285
Example: Assigning the PPPoE server IPv6 address through ND and IPv6CP negotiation ·············· 287
Example: Assigning the PPPoE server IPv6 address through DHCPv6 ······································· 289
Example: Assigning the PPPoE server IPv6 address through prefix delegation by DHCPv6 ············ 290
Example: Configuring PPPoE server RADIUS-based IP address assignment ······························· 291
Configuring portal authentication ····················································· 294
About portal ·························································································································· 294
Advantages of portal authentication ····················································································· 294
Extended portal functions ·································································································· 294
Portal system ················································································································· 294
Portal authentication using a remote portal server ·································································· 295
Local portal service ·········································································································· 296
Portal authentication modes ······························································································ 296
Portal authentication process ····························································································· 297
Portal filtering rules ·········································································································· 299
MAC-based quick portal authentication ················································································ 299
Restrictions: Hardware compatibility with portal ············································································ 300
Restrictions and guidelines: Portal configuration ··········································································· 300
Portal tasks at a glance ··········································································································· 300
Prerequisites for portal ············································································································ 302
Configuring a portal authentication server ··················································································· 302
Configuring a portal Web server ································································································ 303
Configure basic parameters for a portal Web server ································································ 303
Configuring a match rule for URL redirection ········································································· 304
Configuring a local portal Web service ························································································ 304
Restrictions and guidelines for configuring a local portal Web service ········································· 304
Customizing authentication pages ······················································································· 304
Configuring parameters for a local portal Web service ····························································· 306
Specifying a portal authentication domain ··················································································· 307
About portal authentication domains ···················································································· 307
Restrictions and guidelines for specifying a portal authentication domain····································· 307
Specifying a portal authentication domain on an interface ························································ 308
Configuring a portal preauthentication policy ················································································ 308
About portal preauthentication policies ················································································· 308
Restrictions and guidelines ································································································ 308
Procedure ······················································································································ 308
Specifying a preauthentication IP address pool ············································································ 309
About preauthentication IP address pools ············································································· 309
Restrictions and guidelines ································································································ 309
Procedure ······················································································································ 310
Enabling portal authentication on an interface ·············································································· 310
Restrictions and guidelines ································································································ 310
Procedure ······················································································································ 311
Specifying a portal Web server on an interface ············································································· 311
Controlling portal user access ··································································································· 312
Configuring a portal-free rule ····························································································· 312
Configuring an authentication source subnet ········································································· 313
Setting the maximum number of portal users ········································································· 314
Enabling strict-checking on portal authorization information ······················································ 315
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ····················· 316
Configuring support of Web proxy for portal authentication ······················································· 316
Blocking portal users that fail portal authentication ·································································· 317
Enabling portal roaming ···································································································· 317
Configuring the portal fail-permit feature ··············································································· 318
Configuring portal detection features ·························································································· 319
Configuring online detection of portal users ··········································································· 319
x
Configuring portal authentication server detection ·································································· 320
Configuring portal Web server detection ··············································································· 321
Configuring portal user synchronization ················································································ 321
Configuring portal packet attributes ···························································································· 322
Configuring the BAS-IP or BAS-IPv6 attribute ········································································ 322
Specifying the device ID ··································································································· 323
Configuring attributes for RADIUS packets ·················································································· 324
Specifying a format for the NAS-Port-Id attribute ···································································· 324
Applying a NAS-ID profile to an interface ·············································································· 324
Configuring MAC-based quick portal authentication ······································································· 325
Restrictions and guidelines for configuring MAC-based quick portal authentication ························ 325
Configuring a MAC binding server ······················································································· 325
Specifying a MAC binding server on an interface ···································································· 326
Configuring portal HTTP attack defense ······················································································ 326
Setting the user traffic backup threshold ····················································································· 327
Logging out online portal users ································································································· 327
Enabling portal user login/logout logging ····················································································· 328
Configuring Web redirect ········································································································· 328
About Web redirect ·········································································································· 328
Restrictions and guidelines ································································································ 328
Procedure ······················································································································ 328
Display and maintenance commands for portal ············································································ 329
Portal configuration examples ··································································································· 330
Example: Configuring direct portal authentication ··································································· 330
Example: Configuring re-DHCP portal authentication ······························································ 338
Example: Configuring cross-subnet portal authentication ························································· 342
Example: Configuring extended direct portal authentication ······················································ 345
Example: Configuring extended re-DHCP portal authentication ················································· 349
Example: Configuring extended cross-subnet portal authentication ············································ 353
Example: Configuring portal server detection and portal user synchronization ······························ 356
Example: Configuring cross-subnet portal authentication for MPLS L3VPNs ································ 364
Example: Configuring direct portal authentication with a preauthentication policy ·························· 366
Example: Configuring re-DHCP portal authentication with a preauthentication policy ····················· 368
Example: Configuring direct portal authentication using a local portal Web service ························ 370
Example: Configuring MAC-based quick portal authentication ··················································· 373
Troubleshooting portal ············································································································ 381
No portal authentication page is pushed for users ·································································· 381
Cannot log out portal users on the access device ··································································· 382
Cannot log out portal users on the RADIUS server ································································· 382
Users logged out by the access device still exist on the portal authentication server ······················ 382
Re-DHCP portal authenticated users cannot log in successfully ················································ 383
Configuring IPoE ·········································································· 384
About IPoE ··························································································································· 384
IPoE access modes ········································································································· 384
IPoE users ····················································································································· 384
IPoE session ·················································································································· 385
IPoE addressing ·············································································································· 386
IPoE authentication methods ····························································································· 386
IPoE access procedure by using bind authentication ······························································· 386
Support for MPLS L3VPN ································································································· 389
Support for ITA ··············································································································· 390
Restrictions: Hardware compatibility with IPoE ············································································· 390
Restrictions and guidelines: IPoE configuration ············································································ 390
IPoE tasks at a glance ············································································································ 390
Prerequisites for IPoE ············································································································· 391
Enabling IPoE and setting the IPoE access mode ········································································· 391
Configuring bind authentication ································································································· 391
Configuring dynamic individual users ························································································· 392
Dynamic individual user configuration tasks at a glance ··························································· 392
Enabling dynamic individual users ······················································································ 392
Configuring authentication user naming conventions for dynamic individual users ························· 393
xi
Configuring passwords for dynamic individual users ······························································· 396
Configuring ISP domains for dynamic individual users ····························································· 396
Configuring the maximum number of dynamic IPoE sessions ··················································· 397
Configuring trusted DHCP options for DHCP users ································································· 398
Configuring trusted ISP domains for DHCP users ··································································· 398
Configuring trusted source IP addresses for unclassified-IP users·············································· 399
Enabling dynamic individual users to come online despite the IPoE-NAT collaboration failure ·········· 400
Configuring static individual users ······························································································ 400
Static individual user configuration tasks at a glance ······························································· 400
Enabling static individual users ··························································································· 400
Configuring static IPoE sessions on an interface ···································································· 401
Configuring global static IPoE sessions ················································································ 402
Configuring authentication user naming conventions for static individual users ····························· 402
Configuring passwords for static individual users ···································································· 403
Configuring ISP domains for static individual users ································································· 404
Configuring leased users ········································································································· 404
Leased user configuration tasks at a glance ·········································································· 404
Configuring interface-leased users ······················································································ 405
Configuring subnet-leased users ························································································ 405
Configuring L2VPN-leased users ························································································ 406
Configuring ISP domains for leased users ············································································ 406
Configuring service-specific ISP domains ···················································································· 407
Configuring the quiet feature for users ························································································ 408
Configuring online detection for users ························································································· 408
Configuring NAS-Port-Type for an interface ················································································· 409
Configuring NAS-Port-ID formats ······························································································· 410
Enabling IPoE access-out authentication ···················································································· 410
Setting the traffic statistics update timer for IPoE sessions ······························································ 411
Enabling logging for IPoE users ································································································ 411
Display and maintenance commands for IPoE ············································································· 412
IPoE configuration examples ···································································································· 416
Example: Configuring an unclassified-IP user ········································································ 416
Example: Configuring a DHCP user····················································································· 418
Example: Configuring an IPv6-ND-RS user ··········································································· 420
Example: Configuring an ARP-based static user ···································································· 421
Example: Configuring subnet-leased users ··········································································· 423
Example: Configuring an interface-leased user ······································································ 427
Example: Configuring an L2VPN-leased user ········································································ 429
Example: Configuring a VPN DHCP user ·············································································· 433
Example: Configuring online detection ················································································· 436
Troubleshooting IPoE ············································································································· 438
DHCP clients failed to come online ····················································································· 438
Index ························································································· 439
1
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA network diagram
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1
AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
You can use different servers to implement different security functions. For example, you can use an
HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
Remote user
NAS
RADIUS server
HWTACACS server
Internet
Network
2
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
3
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
4
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 g
ives the main
values and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and
the server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the
server sends an Access-Reject response.
4
Accounting-Reques
t
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or
stop accounting.
5
Accounting-Respon
se
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
• The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332
  • Page 333 333
  • Page 334 334
  • Page 335 335
  • Page 336 336
  • Page 337 337
  • Page 338 338
  • Page 339 339
  • Page 340 340
  • Page 341 341
  • Page 342 342
  • Page 343 343
  • Page 344 344
  • Page 345 345
  • Page 346 346
  • Page 347 347
  • Page 348 348
  • Page 349 349
  • Page 350 350
  • Page 351 351
  • Page 352 352
  • Page 353 353
  • Page 354 354
  • Page 355 355
  • Page 356 356
  • Page 357 357
  • Page 358 358
  • Page 359 359
  • Page 360 360
  • Page 361 361
  • Page 362 362
  • Page 363 363
  • Page 364 364
  • Page 365 365
  • Page 366 366
  • Page 367 367
  • Page 368 368
  • Page 369 369
  • Page 370 370
  • Page 371 371
  • Page 372 372
  • Page 373 373
  • Page 374 374
  • Page 375 375
  • Page 376 376
  • Page 377 377
  • Page 378 378
  • Page 379 379
  • Page 380 380
  • Page 381 381
  • Page 382 382
  • Page 383 383
  • Page 384 384
  • Page 385 385
  • Page 386 386
  • Page 387 387
  • Page 388 388
  • Page 389 389
  • Page 390 390
  • Page 391 391
  • Page 392 392
  • Page 393 393
  • Page 394 394
  • Page 395 395
  • Page 396 396
  • Page 397 397
  • Page 398 398
  • Page 399 399
  • Page 400 400
  • Page 401 401
  • Page 402 402
  • Page 403 403
  • Page 404 404
  • Page 405 405
  • Page 406 406
  • Page 407 407
  • Page 408 408
  • Page 409 409
  • Page 410 410
  • Page 411 411
  • Page 412 412
  • Page 413 413
  • Page 414 414
  • Page 415 415
  • Page 416 416
  • Page 417 417
  • Page 418 418
  • Page 419 419
  • Page 420 420
  • Page 421 421
  • Page 422 422
  • Page 423 423
  • Page 424 424
  • Page 425 425
  • Page 426 426
  • Page 427 427
  • Page 428 428
  • Page 429 429
  • Page 430 430
  • Page 431 431
  • Page 432 432
  • Page 433 433
  • Page 434 434
  • Page 435 435
  • Page 436 436
  • Page 437 437
  • Page 438 438
  • Page 439 439
  • Page 440 440
  • Page 441 441
  • Page 442 442
  • Page 443 443
  • Page 444 444
  • Page 445 445
  • Page 446 446
  • Page 447 447
  • Page 448 448
  • Page 449 449
  • Page 450 450
  • Page 451 451
  • Page 452 452
  • Page 453 453
  • Page 454 454
  • Page 455 455
  • Page 456 456
  • Page 457 457
  • Page 458 458
  • Page 459 459
  • Page 460 460
  • Page 461 461
  • Page 462 462
  • Page 463 463
  • Page 464 464
  • Page 465 465
  • Page 466 466
  • Page 467 467
  • Page 468 468
  • Page 469 469
  • Page 470 470
  • Page 471 471
  • Page 472 472
  • Page 473 473
  • Page 474 474
  • Page 475 475
  • Page 476 476
  • Page 477 477
  • Page 478 478
  • Page 479 479
  • Page 480 480
  • Page 481 481
  • Page 482 482
  • Page 483 483
  • Page 484 484
  • Page 485 485
  • Page 486 486
  • Page 487 487
  • Page 488 488
  • Page 489 489
  • Page 490 490
  • Page 491 491
  • Page 492 492
  • Page 493 493
  • Page 494 494
  • Page 495 495
  • Page 496 496
  • Page 497 497
  • Page 498 498
  • Page 499 499
  • Page 500 500
  • Page 501 501
  • Page 502 502

H3C SR8800-F Configuration manual

Category
Software
Type
Configuration manual

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI