| |
en:dpi:bras_bng:bras_pppoe:pppoe_management [2025/09/29 15:00] – created elena.krasnobryzh | en:dpi:bras_bng:bras_pppoe:pppoe_management [2025/09/29 16:28] (current) – elena.krasnobryzh |
---|
{{indexmenu_n>3}} | {{indexmenu_n>3}} |
======Managing PPPoE authorization by VLAN and Service Name====== | ======Managing PPPoE authorization by VLAN and Service Name====== |
| <note>The Service-Name tag is available from DPI version 12.3</note> |
| |
| The Service-Name tag is necessary for establishing the authorization procedure according to RFC requirements; SSG fully supports this tag in compliance with all requirements.\\ |
| The tag indicates that a service name follows. The ''TAG_VALUE'' field is a UTF-8 string that is not NULL-terminated. A ''TAG_LENGTH'' of zero indicates that any service is acceptable. The Service-Name tag can be used, for example, to indicate the name ISP2, a class, or a quality of service. |
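The tag layout described above can be checked on captured Discovery packets with a short parser. This is an added example, not SSG code: the field sizes and the codes 0x09 (PADI) and 0x0101 (Service-Name) follow RFC 2516, while the function names, the sample packets and the choice to reject NUL bytes are assumptions of the example.

```python
import struct

PADI = 0x09              # Discovery code of a PADI packet
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101

def service_names(pppoe: bytes):
    """Return (code, [Service-Name values]) for a PPPoE Discovery packet.

    `pppoe` starts at the PPPoE header, i.e. after the Ethernet header.
    An empty string in the list means "any service is acceptable".
    """
    if len(pppoe) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, _session, length = struct.unpack_from("!BBHH", pppoe)
    if ver_type != 0x11:
        raise ValueError("unexpected VER/TYPE")
    payload = pppoe[6:6 + length]
    if len(payload) != length:
        raise ValueError("LENGTH exceeds captured data")
    names, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if tag_type == TAG_END_OF_LIST:
            break
        value = payload[off:off + tag_len]
        if len(value) != tag_len:
            raise ValueError("TAG_LENGTH overruns payload")
        off += tag_len
        if tag_type == TAG_SERVICE_NAME:
            if b"\x00" in value:      # strict choice: value is not NUL-terminated
                raise ValueError("NUL byte in Service-Name")
            names.append(value.decode("utf-8"))  # raises on invalid UTF-8
    return code, names

def build(code, tags):
    """Construct a sample Discovery packet from (tag_type, value) pairs."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, 0, len(body)) + body

# Constructed samples: a PADI asking for 'test1', and one accepting any service.
PADI_NAMED = build(PADI, [(TAG_SERVICE_NAME, b"test1"), (0x0103, b"\xde\xad\xbe\xef")])
PADI_ANY = build(PADI, [(TAG_SERVICE_NAME, b"")])

if __name__ == "__main__":
    print(service_names(PADI_NAMED), service_names(PADI_ANY))
```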
| |
| Management is performed separately for each VLAN id.\\ |
| ''fdpi_cli help vlan group'' — display help for managing Service-Name. |
| |
| =====Displaying Group Properties===== |
| ''fdpi_cli vlan group 0 show all'' — display all properties for all groups |
| |
| ''fdpi_cli vlan group <id> show all'' — display all properties for a group with a specific id. Here id is the VLAN number for which to display Service-Name information.\\ |
| **Example:** ''fdpi_cli vlan group 1150 show all'' |
| |
| ''fdpi_cli vlan group <id> show auth pppoe'' — show PPPoE authorization policy |
| |
| ''fdpi_cli vlan group <id> show auth all'' — show policy for all authorization protocols |
| |
| ''fdpi_cli vlan group <id> auth pppoe show service-name all'' — show the policy for using service names for authorization via PPPoE |
| |
| =====Allowing Authorization===== |
| ''fdpi_cli vlan group <id> allow auth pppoe'' — allow authorization via PPPoE in a specific VLAN |
| |
| ''fdpi_cli vlan group <id> auth pppoe allow add service-name name='<service_name>' '' — allow authorization via PPPoE for a specific Service-Name. When a PPPoE session is established, during the Discovery stage a time delay (the delay parameter) is permitted between receiving a PADI packet and sending the PADO packet. Valid values for the delay parameter: 0, 1, 2, 3, 4, 5. |
| |
| ''fdpi_cli vlan group <id> auth pppoe allow add service-name name='<service_name>' delay=<delay>'' — allow authorization via PPPoE for a specific Service-Name with a delay (measured in seconds)\\ |
| **Example:** ''fdpi_cli vlan group 1150 auth pppoe allow add service-name name='test1' delay=5'' |
| |
| =====Denying Authorization===== |
| To deny authorization for a specific VLAN, first remove all existing rules for that VLAN. That is, to allow specific Service-Names, first deny all and only then allow specific tags. |
| |
| ''fdpi_cli vlan group <id> deny auth pppoe'' — deny authorization via PPPoE in a specific VLAN |
| |
| ''fdpi_cli vlan group <id> auth pppoe deny add service-name name='<service_name>' '' — deny authorization via PPPoE for a specific Service-Name\\ |
| **Example:** allow authorization only for specific Service-Names:\\ |
| ''fdpi_cli vlan group 1250 deny auth pppoe''\\ |
| ''fdpi_cli vlan group 1250 auth pppoe allow add service-name name='test2' ''\\ |
| ''fdpi_cli vlan group 1250 auth pppoe allow add service-name name='test3' delay=3'' |
| |
| **Example:** deny authorization only for specific Service-Names:\\ |
| ''fdpi_cli vlan group 350 allow auth pppoe''\\ |
| ''fdpi_cli vlan group 350 auth pppoe deny add service-name name='test-sname' ''\\ |
| ''fdpi_cli vlan group 350 auth pppoe deny add service-name name='test-sname-too' '' |
| |
| The sequence of commands is important when entering rules. For example, if a general authorization denial is entered after allowing rules, then authorization with any Service-Name in VLAN 1250 will be unavailable:\\ |
| ''fdpi_cli vlan group 1250 auth pppoe allow add service-name name='test2' ''\\ |
| ''fdpi_cli vlan group 1250 auth pppoe allow add service-name name='test3' delay=3''\\ |
| ''fdpi_cli vlan group 1250 deny auth pppoe''\\ |
| This restriction also applies to individual deny/allow rules. |
| |
| **Example:** allow authorization with Service-Name "test-sname".\\ |
| ''fdpi_cli vlan group 350 auth pppoe deny add service-name name='test-sname' ''\\ |
| ''fdpi_cli vlan group 350 auth pppoe allow add service-name name='test-sname' '' |
| |
| **Example:** deny authorization with Service-Name "test-sname".\\ |
| ''fdpi_cli vlan group 350 auth pppoe deny add service-name name='test-sname' ''\\ |
| ''fdpi_cli vlan group 350 auth pppoe allow add service-name name='test-sname' ''\\ |
| ''fdpi_cli vlan group 350 auth pppoe deny add service-name name='test-sname' '' |
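A command sequence can be replayed offline before it is entered, to confirm that the order produces the intended policy. The sketch below is an added example and a model of the ordering rules stated above, not the DPI's own logic: the names ''replay'' and ''decide'' are hypothetical, a general ''allow'' is assumed to override earlier name rules the same way a general ''deny'' does, and ''None'' is returned wherever this page does not define the outcome.

```python
import shlex

def replay(commands):
    """Replay fdpi_cli lines in entry order; return {vlan: {"general", "names"}}."""
    policy = {}
    for line in commands:
        tok = shlex.split(line)          # name='test2' becomes name=test2
        if tok[:3] != ["fdpi_cli", "vlan", "group"]:
            raise ValueError(f"unsupported command: {line!r}")
        vlan, rest = int(tok[3]), tok[4:]
        if vlan == 0 and rest == ["delete", "all"]:
            policy.clear()
            continue
        group = policy.setdefault(vlan, {"general": None, "names": {}})
        if rest in (["allow", "auth", "pppoe"], ["deny", "auth", "pppoe"]):
            group["general"] = rest[0]
            group["names"].clear()       # later general rule overrides name rules
        elif rest[:2] == ["auth", "pppoe"] and rest[3:5] == ["add", "service-name"]:
            args = dict(a.split("=", 1) for a in rest[5:])
            delay = int(args["delay"]) if "delay" in args else None
            if rest[2] not in ("allow", "deny") or delay not in (None, 0, 1, 2, 3, 4, 5):
                raise ValueError(f"bad rule: {line!r}")
            group["names"][args["name"]] = (rest[2], delay)   # last entry wins
        elif rest[:4] == ["auth", "pppoe", "delete", "service-name"]:
            name = dict(a.split("=", 1) for a in rest[4:])["name"]
            group["names"].pop(name, None)
        else:
            raise ValueError(f"unsupported command: {line!r}")
    return policy

def decide(policy, vlan, service_name):
    """Return 'allow', 'deny', or None when this page does not define the result."""
    group = policy.get(vlan)
    if group is None:
        return None
    rule = group["names"].get(service_name)
    return rule[0] if rule else group["general"]

# Sequences copied from the VLAN 1250 examples above.
ALLOW_ONLY = [
    "fdpi_cli vlan group 1250 deny auth pppoe",
    "fdpi_cli vlan group 1250 auth pppoe allow add service-name name='test2' ",
    "fdpi_cli vlan group 1250 auth pppoe allow add service-name name='test3' delay=3",
]
BROKEN_ORDER = ALLOW_ONLY[1:] + ALLOW_ONLY[:1]   # general deny entered last

if __name__ == "__main__":
    for seq in (ALLOW_ONLY, BROKEN_ORDER):
        print(decide(replay(seq), 1250, "test2"))
```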
| |
| =====Other Commands===== |
| ''fdpi_cli vlan group <id> auth pppoe delete service-name name='<service_name>' '' — delete Service-Name and its properties |
| |
| ''fdpi_cli vlan group 0 delete all'' — delete all rules for all configured VLANs (equivalent to default VLAN processing) |