Example for Configuring IPv4 PPPoE

This section provides an example for configuring basic IPv4 PPPoE functions.

Networking Requirements

As shown in Figure 1, FW_A functions as a PPPoE client, and FW_B functions as a PPPoE server. FW_B assigns an IP address to FW_A, allowing PCs on networks A and B to communicate.

FW_B (server) runs PAP to authenticate FW_A (client). The user name is set to usera, and the password is set to Password1. FW_B assigns FW_A an IP address 10.2.0.2.

Figure 1 IPv4 PPPoE networking

Procedure

  1. Configure FW_B.

    # Configure interfaces and assign them to security zones.

    <FW_B> system-view
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] ip address 10.4.0.1 24
    [FW_B-GigabitEthernet0/0/3] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW_B-zone-untrust] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_B-zone-trust] quit

    # Add a PPPoE user.

    [FW_B] user-manage user usera
    [FW_B-localuser-usera] password Password1
    [FW_B-localuser-usera] quit

    # Configure an IP address pool.

    [FW_B] ip pool global1
    [FW_B-ip-pool-global1] section 1 10.2.0.2
    [FW_B-ip-pool-global1] quit

    # Configure a service scheme to adopt the IP address pool.

    [FW_B] aaa
    [FW_B-aaa] service-scheme scheme1
    [FW_B-aaa-service-scheme1] ip-pool global1
    [FW_B-aaa-service-scheme1] quit
    [FW_B-aaa] quit

    # Set VT interface parameters.

    Note: PAP is not a secure protocol (it sends the user name and password across the link in cleartext), so CHAP is recommended.

    [FW_B] interface virtual-template 1
    [FW_B-Virtual-Template1] ppp authentication-mode pap
     The command is used to configure the PPP authentication mode on the local end. 
    Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/N]: y
    [FW_B-Virtual-Template1] ip address 10.2.0.1 24
    [FW_B-Virtual-Template1] remote service-scheme scheme1
    [FW_B-Virtual-Template1] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface virtual-template 1
    [FW_B-zone-untrust] quit

    # Bind the VT interface to the physical interface.

    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] pppoe-server bind virtual-template 1
    [FW_B-GigabitEthernet0/0/1] quit

    # Configure security policies.

    [FW_B] security-policy
    [FW_B-policy-security] rule name policy_sec_1
    [FW_B-policy-security-rule-policy_sec_1] source-zone trust
    [FW_B-policy-security-rule-policy_sec_1] source-address 10.4.0.0 24
    [FW_B-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW_B-policy-security-rule-policy_sec_1] destination-address 10.3.0.0 24
    [FW_B-policy-security-rule-policy_sec_1] action permit
    [FW_B-policy-security-rule-policy_sec_1] quit
    [FW_B-policy-security] rule name policy_sec_2
    [FW_B-policy-security-rule-policy_sec_2] source-zone untrust
    [FW_B-policy-security-rule-policy_sec_2] source-address 10.3.0.0 24
    [FW_B-policy-security-rule-policy_sec_2] destination-zone trust
    [FW_B-policy-security-rule-policy_sec_2] destination-address 10.4.0.0 24
    [FW_B-policy-security-rule-policy_sec_2] action permit
    [FW_B-policy-security-rule-policy_sec_2] quit
    [FW_B-policy-security] quit

    # Configure a static route.

    [FW_B] ip route-static 10.3.0.0 24 virtual-template 1 10.2.0.2

  2. Configure FW_A.

    # Configure interfaces and assign them to security zones.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_A-zone-trust] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW_A-zone-untrust] quit

    # Configure PPPoE dial-up.

    [FW_A] dialer-rule 1 ip permit
    [FW_A] interface dialer 1
    [FW_A-Dialer1] dialer user usera
    [FW_A-Dialer1] dialer-group 1
    [FW_A-Dialer1] dialer bundle 1
    [FW_A-Dialer1] ip address ppp-negotiate
    [FW_A-Dialer1] ppp pap local-user usera password cipher Password1
    [FW_A-Dialer1] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface dialer 1
    [FW_A-zone-untrust] quit

    # Configure a PPPoE session.

    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] pppoe-client dial-bundle-number 1 ipv4

    # Configure security policies.

    [FW_A] security-policy
    [FW_A-policy-security] rule name policy_sec_1
    [FW_A-policy-security-rule-policy_sec_1] source-zone trust
    [FW_A-policy-security-rule-policy_sec_1] source-address 10.3.0.0 24
    [FW_A-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW_A-policy-security-rule-policy_sec_1] destination-address 10.4.0.0 24
    [FW_A-policy-security-rule-policy_sec_1] action permit
    [FW_A-policy-security-rule-policy_sec_1] quit
    [FW_A-policy-security] rule name policy_sec_2
    [FW_A-policy-security-rule-policy_sec_2] source-zone untrust
    [FW_A-policy-security-rule-policy_sec_2] source-address 10.4.0.0 24
    [FW_A-policy-security-rule-policy_sec_2] destination-zone trust
    [FW_A-policy-security-rule-policy_sec_2] destination-address 10.3.0.0 24
    [FW_A-policy-security-rule-policy_sec_2] action permit
    [FW_A-policy-security-rule-policy_sec_2] quit
    [FW_A-policy-security] quit

    # Configure a static route.

    [FW_A] ip route-static 10.4.0.0 24 dialer 1
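
The note in step 1 recommends CHAP over PAP. The following added example (not part of the original page or the vendor's code) builds the PAP Authenticate-Request defined in RFC 1334 and the MD5 CHAP response defined in RFC 1994, to show what each method puts on the link. The user name and password are the page's sample values; the challenges are constructed.

```python
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1  # RFC 1334 code for Authenticate-Request


def build_pap_request(ident, user, password):
    """PAP Authenticate-Request: code, id, length, then length-prefixed fields."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(pkt):
    """Recover (user, password) from a captured PAP request; no key is needed."""
    if len(pkt) < 6:
        raise ValueError("too short for a PAP Authenticate-Request")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = pkt[4]
    if 5 + ulen >= length:
        raise ValueError("truncated peer-id")
    plen = pkt[5 + ulen]
    if 6 + ulen + plen != length:
        raise ValueError("field lengths disagree with packet length")
    return pkt[5:5 + ulen], pkt[6 + ulen:6 + ulen + plen]


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response value = MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, secret, challenge, response):
    """Authenticator side: recompute from its own copy of the secret and compare."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


# Constructed sample values: the page's usera / Password1 and two fixed challenges
# (a real authenticator sends a fresh random challenge for every attempt).
USER, SECRET = b"usera", b"Password1"
CHALLENGE_1, CHALLENGE_2 = bytes(range(16)), bytes(range(16, 32))

if __name__ == "__main__":
    pap = build_pap_request(1, USER, SECRET)
    print("PAP frame carries:", parse_pap_request(pap))
    resp = chap_response(1, SECRET, CHALLENGE_1)
    print("CHAP frame carries:", resp.hex())
    print("old response valid for a new challenge:", chap_verify(1, SECRET, CHALLENGE_2, resp))
```

CHAP keeps the password off the wire and ties each response to one challenge, but the response is still derived from the shared secret, so that secret should be long and random rather than a value like the page's sample.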

Example

After completing the configuration, check statistics about PPPoE session packets.
  • Check statistics about PPPoE packets of the PPPoE server.
    [FW_B] display pppoe-server session all
    SID Intf                      State OIntf          RemMAC         LocMAC
    1   Virtual-Template1:0       UP    GE0/0/1        0022.a100.11ab 0018.82cf.ebed
  • Check statistics about PPPoE packets of the PPPoE client.
    [FW_A] display pppoe-client session summary dial-bundle-number 1
    PPPoE Client Session:
    ID   Bundle  Dialer  Intf             Client-MAC    Server-MAC    State
    1    1       1       GE0/0/1          0022a10011ab  001882cfebed  PPPUP 

Configuration Scripts

Configuration script for FW_A:

#
 sysname FW_A
#                                                                               
 dialer-rule 1 ip permit                                                        
#                                                                               
interface Dialer1                                                               
 link-protocol ppp                                                              
 ppp pap local-user usera password cipher %$%$UQ"HLOehx>*n^PPqyBQVaNE<%$%$      
 ip address ppp-negotiate                                                       
 dialer user usera                                                              
 dialer-group 1                                                                 
 dialer bundle 1                                                                
#
interface GigabitEthernet0/0/1
 pppoe-client dial-bundle-number 1 ipv4
 undo shutdown
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3              
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1
 add interface Dialer1                    
#
 ip route-static 10.4.0.0 24 Dialer1
#                                                                               
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    source-address 10.3.0.0 24
    destination-address 10.4.0.0 24
    action permit
  rule name policy_sec_2
    source-zone untrust
    destination-zone trust
    source-address 10.4.0.0 24
    destination-address 10.3.0.0 24
    action permit                                                               
# 
return

Configuration script for FW_B:

#
 sysname FW_B
#
aaa
 service-scheme scheme1
  ip-pool global1
#                                                                               
interface Virtual-Template1                                                     
 ppp authentication-mode pap                                                    
 remote service-scheme scheme1                                                          
 ip address 10.2.0.1 255.255.255.0                                            
#
interface GigabitEthernet0/0/1
 pppoe-server bind Virtual-Template 1
 undo shutdown
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.4.0.1 255.255.255.0
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3              
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1
 add interface Virtual-Template1                    
#                                                                                
ip pool global1                                                              
 section 1 10.2.0.2
#
 ip route-static 10.3.0.0 255.255.255.0 Virtual-Template 1 10.2.0.2
#                                                                               
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    source-address 10.4.0.0 24
    destination-address 10.3.0.0 24
    action permit
  rule name policy_sec_2
    source-zone untrust
    destination-zone trust
    source-address 10.3.0.0 24
    destination-address 10.4.0.0 24
    action permit                                                               
# 
return
# The following user creation configuration is stored in the database, but not in the configuration profile.
user-manage user usera
 password Password1
Copyright © Huawei Technologies Co., Ltd.