Login
- Table of Contents
-
- 14-High Availability Configuration Guide
- 00-Preface
- 01-Interface backup configuration
- 02-CFD configuration
- 03-DLDP configuration
- 04-Layer 3 connection keepalive configuration
- 05-Error code detection configuration
- 06-VRRP configuration
- 07-RBM-based hot backup configuration
- 08-VSRP configuration
- 09-BFD configuration
- 10-Track configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 08-VSRP configuration | 462.58 KB |
VSRP control channel fast detection
Support of service modules for VSRP
Restrictions and guidelines: Subinterface configuration consistency
Specifying a virtual IPv6 address
Restrictions and guidelines for configuring VSRP for IPoE
Specifying a TCP port number for establishing an IPv4 IPoE data channel
Specifying a TCP port number for establishing an IPv6 IPoE data channel
Restrictions and guidelines for configuring VSRP for PPPoE
Associating a PPPoE-server-enabled interface with a VSRP instance
Specifying the TCP port number for establishing PPPoE service backup data channels
Restrictions and guidelines for configuring VSRP for L2TP
Prerequisites for configuring VSRP for L2TP
Associating an L2TP group with a VSRP instance
Specifying the source address for an L2TP tunnel
Specifying an L2TP tunnel ID range
Specifying the TCP port number for establishing L2TP service backup data channels
Restrictions and guidelines for configuring VSRP for portal
Specifying the TCP port number for establishing portal service backup data channels
Configuring VSRP for DHCPv4 server
Associating a DHCPv4 address pool with a VSRP instance
Associating a client-side interface with a VSRP instance
Specifying the TCP port number for establishing DHCPv4 server service backup data channels
Configuring VSRP for DHCPv6 server
Restrictions and guidelines for configuring VSRP for a DHCPv6 address pool
Associating a DHCPv6 address pool with a VSRP instance
Associating a client-side interface with a VSRP instance
Specifying the TCP port number for establishing DHCPv6 server service backup data channels
Display and maintenance commands for VSRP
Example: Configuring VSRP for IPv4 IPoE
Example: Configuring VSRP for IPv6 IPoE
Example: Configuring VSRP for PPPoE
Example: Configuring VSRP for L2TP
Example: Configuring VSRP for portal
Configuring VSRP
About VSRP
Virtual Service Redundancy Protocol (VSRP) backs up running services between devices to avoid service interruption.
Basic concepts
VSRP includes the following components:
· VSRP group—A VSRP group contains two peer devices that are enabled with VSRP.
· VSRP peer—The member devices in a VSRP group are the peer of each other, with one as master and the other as backup. You must configure the peer IP address on each device to create a VSRP group.
· VSRP instance—A VSRP instance is associated with one service (for example, an IPoE service) to back up service data from the master to the backup for service continuity.
· VSRP control channel and data channel—The VSRP peers in a VSRP group synchronize VSRP instance state information and service data by establishing TCP control and data channels.
¡ Control channel—The master backs up the status of all VSRP instances on the VSRP group to the backup in real time over the control channel.
¡ Data channel—VSRP establishes a data channel to back up data in real time for each service associated with a VSRP instance on the VSRP group. This backup mechanism ensures that the backup device takes over the services when the master fails.
Both the TCP control and data channels are initiated by the peer with lower IP address to the peer with higher IP address.
VSRP operating mechanism
VSRP takes advantage of VRRP to determine the role of each peer device in a VSRP group as master or backup.
As shown in Figure 1, a VSRP group contains two peer devices, which must be assigned to the same VRRP group.
VSRP determines the roles of the peer devices in the VSRP group in consistent with their roles in the VRRP group.
The master forwards traffic and backs up the services to the backup device either at a regular interval or when traffic reaches the specified threshold.
When the master in the VSRP group fails, the backup takes over to ensure service continuity. For more information about VRRP, see "Configuring VRRP."
VSRP is typically used on a network that contains broadband remote access servers (BRASs). To ensure service continuity, the master BRAS backs up authentication, accounting, and management information to the backup BRAS in real time.
VSRP backup modes
A VSRP instance supports the following backup modes:
· Hot backup mode (1:1 backup)—The backup device issues backup data to the data plane as soon as it receives the data from the master. In this mode, the backup takes over quickly when the master fails. This mode is applicable to scenarios where a device acts as the backup in only one VSRP group.
· Warm backup mode (N:1 backup)—The backup device issues received backup data to the data plane when the master fails. This mode has a longer failover delay than hot backup mode. This mode is applicable to scenarios where a device acts as the backup in more than one VSRP group.
VSRP control channel fast detection
By default, a VSRP group detects the state of the failover link based only on the state of the TCP control channel. To fast detect the state of the failover link, you can perform the following tasks:
1. Use NQA or BFD to monitor the state of the failover link.
2. Establish the collaboration between the failover link state and NQA or BFD through the Track function.
A VSRP group operates differently depending on the state of the track entry associated with the VSRP group:
· When the track entry is in Positive or NotReady state, a device attempts to establish a TCP control channel with its peer.
· When the track entry changes to Negative state, the device terminates the TCP control channel.
Support of service modules for VSRP
VSRP can work with any of the following service modules in the current version:
· IPoE.
· PPPoE.
· L2TP.
· Portal.
· DHCPv4.
· DHCPv6.
Restrictions and guidelines: Subinterface configuration consistency
As a best practice to maintain data consistency, make sure the peer devices in a VSRP group have consistent main interface and subinterface configuration, including but not limited to the following settings:
· Subinterface numbers.
· VLAN configuration.
· VPN configuration.
VSRP tasks at a glance
To configure VSRP, perform the following tasks:
2. Configuring a VSRP instance
3. Specifying a virtual IPv6 address
This task is required if you enable VSRP for IPoE or DHCPv6 on a IPv6 network.
4. Configuring VSRP for a service module
¡ Configuring VSRP for DHCPv4 server
¡ Configuring VSRP for DHCPv6 server
Prerequisites for VSRP
Perform the following tasks on the two peer devices in a VSRP group:
1. Configure VRRP to operate in standard mode.
2. Configure a VRRP group on the two peer devices to determine their role in the VSRP group.
|
|
NOTE: Binding a VSRP group to an existing VRRP group does not affect the functionality of the VRRP group. |
Configuring a VSRP group
1. Enter system view.
system-view
2. Create a VSRP group and enter the VSRP peer view.
vsrp peer peer-name
3. Configure TCP connection parameters for establishing VSRP channels to the peer. Choose one option as needed:
¡ Configure parameters for establishing IPv4 VSRP channels to the peer.
peer peer-ip-address local local-ip-address [ port port-id ]
¡ Configure parameters for establishing IPv6 VSRP channels to the peer.
peer ipv6 peer-ipv6-address local local-ipv6-address [ port port-id ]
The TCP port in this command is for establishing the control channel, which cannot be a TCP port number in use. By default, TCP port 60032 is used if no TCP port is specified.
You can specify the TCP ports for establishing data channels by service type in system view when you configure VSRP for each service.
4. (Optional.) Associate a VSRP group with a track entry.
track track-entry-number
Configuring a VSRP instance
About this task
A VSRP instance backs up data for its associated service.
A VSRP instance can be bound to only one VSRP group. Each VSRP instance on a VSRP group is identified by a unique backup ID.
The master forwards traffic and backs up service data to the backup device at the specified interval or when the specified traffic threshold is reached.
Restrictions and guidelines
The NAS parameters (IP address, interface, and host name) on a VSRP instance are shared by the VSRP member devices for the associated service. Configure NAS settings on a VSRP instance if its associated service requires the NAS parameters to remain unchanged after a master/backup switchover. For example, the settings are applicable to the following scenarios:
· Avoid re-authentication on master/backup switchover by maintaining the same NAS-IP-address, NAS-Port, and host name in packets sent to the RADIUS server.
· Maintain the same Option 82 values in packets sent to the DHCP server.
Procedure
1. Enter system view.
system-view
2. Create a VSRP instance and enter VSRP instance view.
vsrp instance instance-name
3. Specify a backup ID for the VSRP instance.
backup id backup-id peer peer-name
By default, a VSRP instance has no ID.
4. Bind the VSRP instance to a VRRP group. Choose one option as needed:
¡ Bind the VSRP instance to an IPv4 VRRP group.
bind vrrp vrid virtual-router-id interface interface-type interface-number
By default, a VSRP instance is not bound to an IPv4 VRRP group.
¡ Bind the VSRP instance to an IPv6 VRRP group.
bind vrrp ipv6 vrid virtual-router-id interface interface-type interface-number
By default, a VSRP instance is not bound to an IPv6 VRRP group.
5. Set the backup mode of the VSRP instance.
backup mode { hot | warm }
By default, a VSRP instance operates in hot backup mode.
6. (Optional.) Set a traffic backup interval or a traffic threshold that triggers a traffic backup.
traffic backup { interval interval-value | threshold threshold-value } *
By default, a VSRP instance backs up traffic at 10-minute intervals or when the traffic reaches 50 MB.
7. (Optional.) Configure NAS parameters.
nas { id host-name | ip ip-address | port interface-type interface-number }
By default, no NAS parameters are configured.
Specifying a virtual IPv6 address
About this task
To enable VSRP for IPv6 services (such as IPv6 IPoE and DHCPv6), you must specify a virtual IPv6 address for the service-enabled interface. This is applicable to some special networks, such as a network that contains BRAS devices. In a VSRP instance, you must configure the same virtual IPv6 address on the master and the backup. Then the master advertises the virtual IPv6 address as the gateway address in RA messages to the hosts. In this way, traffic from the hosts can be directed to the master.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
¡ VLAN interface.
¡ Layer 3 RPR logical interface.
3. Specify a virtual IPv6 address for the interface that is associated with a VSRP instance.
ipv6 virtual-address ipv6-address vsrp vsrp-instance
By default, no virtual IPv6 address is specified for the interface.
Configuring VSRP for IPoE
About VSRP for IPoE
To back up dynamic IPoE sessions on an interface, associate that interface with a VSRP instance.
Restrictions and guidelines for configuring VSRP for IPoE
· VSRP for IPoE does not support leased users.
· You must associate the peer IPoE-enabled interfaces on the master and the backup with the same VSRP instance.
· If you configure VLAN termination on the subinterfaces on the master and backup, make sure the subinterfaces terminate the same VLAN IDs.
· On a device, you cannot associate multiple interfaces with the same VSRP instance. You can associate subinterfaces of an interface with the same or different VSRP instances.
· Any change to a VSRP instance can make online IPoE users go offline on the IPoE-enabled interface associated with that instance.
· For DHCPv4 or DHCPv6 users, you must associate the DHCPv4 or DHCPv6 address pool and the IPoE-enabled interface with the same VSRP instance.
· For static individual users to access the network, make sure you configure the same static IPoE sessions on the master and backup.
· You must configure the same DHCP address pool on the master and backup. Make sure the IPoE users obtain the same gateway address after a master and backup switchover.
· An address pool can belong to only one VSRP instance. VSRP instances cannot share an address pool.
Enabling VSRP for IPv4 IPoE
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
3. Associate the IPv4 IPoE-enabled interface with a VSRP instance.
ip subscriber vsrp-instance instance-name
By default, an IPv4 IPoE-enabled interface is not associated with a VSRP instance.
Specifying a TCP port number for establishing an IPv4 IPoE data channel
About this task
To back up IPv4 IPoE sessions, the master and the backup must establish a TCP data channel. You can change the TCP port number for establishing the data channel.
Restrictions and guidelines
For the data channel to be established correctly, you must specify the same TCP port number on the master and backup.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for establishing the data channel through which IPv4 IPoE sessions are backed up.
ip subscriber vsrp-port port-number
The default TCP port number is 60033.
Enabling VSRP for IPv6 IPoE
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
3. Associate the IPv6 IPoE-enabled interface with a VSRP instance.
ipv6 subscriber vsrp-instance instance-name
By default, an IPv6 IPoE-enabled interface is not associated with any VSRP instance.
Specifying a TCP port number for establishing an IPv6 IPoE data channel
About this task
To back up IPv6 IPoE sessions, the master and the backup must establish a TCP data channel. You can change the TCP port number for establishing the data channel.
Restrictions and guidelines
For the data channel to be established correctly, you must specify the same TCP port number on the master and backup.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for establishing the data channel through which IPv6 IPoE sessions are backed up.
ipv6 subscriber vsrp-port port-number
The default TCP port number is 60040.
Configuring VSRP for PPPoE
About VSRP for PPPoE
VSRP for PPPoE ensures PPPoE service continuity by avoiding single points of failure.
After you associate a PPPoE-server-enabled interface with a VSRP instance, the master backs up PPPoE sessions on the interface to the backup through a data channel. This backup mechanism ensures that the online PPPoE users remain online without re-authentication, because the new master has obtained their accounting and authorization information.
Restrictions and guidelines for configuring VSRP for PPPoE
When you configure VSRP for PPPoE, you must follow the following restrictions and guidelines:
· Associate the peer PPPoE-server-enabled interfaces on the master and the backup with the same VSRP instance.
· Configure the same address pool and address pool route settings on the master and the backup.
· Assign an address pool to only one VSRP instance. VSRP instances cannot share an address pool.
· All online PPPoE clients on an interface are cleared when the interface is associated with a VSRP instance. Make sure no online PPPoE clients exist on an interface when you associate with a VSRP instance.
Associating a PPPoE-server-enabled interface with a VSRP instance
Restrictions and guidelines
To enable VSRP for PPPoE, you must associate a PPPoE server-enabled interface with a VSRP instance. For more information about the PPPoE server, see Layer 2—WAN Access Configuration Guide.
To use VSRP for PPPoE, you must specify an IP address pool and an address pool route on the PPPoE server. The server can use the address pool to assign IP addresses to the PPPoE clients. Moreover, you must associate the same VSRP instance with the following items:
· The interface that assigns IP addresses to the clients.
· The address pool route.
For more information about the IP address pool and the address pool route, see Layer 2—WAN Access Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
¡ EFM interface.
¡ EFM subinterface.
3. Associate the interface with a VSRP instance.
pppoe-server vsrp-instance vsrp-instance-name
By default, the interface is not associated with a VSRP instance.
Specifying the TCP port number for establishing PPPoE service backup data channels
About this task
VSRP uses the same TCP port number to establish data channels for PPPoE and PPP session backup. To back up the PPPoE sessions on an interface, the master and the backup must establish a TCP data channel. You can change the TCP port number for establishing the data channel.
Restrictions and guidelines
To establish PPPoE service backup data channels successfully, you must specify the same TCP port number on the master and backup devices.
The specified port number cannot be a TCP port number in use.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for establishing the data channel through which PPP sessions are backed up.
ppp vsrp-port port-number
The default TCP port number is 60035.
3. Specify a TCP port number for VSRP to establish data channels for PPP session backup.
pppoe-server vsrp-port port-number
The default TCP port number is 60034.
Configuring VSRP for L2TP
About VSRP for L2TP
You can use VSRP to back up L2TP tunnels and sessions from a master LAC to a backup LAC by associating a LAC-mode L2TP group with a VSRP instance.
When the master LAC fails, the backup takes over the L2TP services to ensure service continuity.
Restrictions and guidelines for configuring VSRP for L2TP
VSRP is available only for LAC that provides access for PPPoE clients. To use VSRP for L2TP, you must also configure VSRP for PPPoE server on the LACs. For more information, see "Configuring VSRP for PPPoE."
Prerequisites for configuring VSRP for L2TP
Before you enable VSRP for L2TP, configure L2TP on the master LAC, the backup LAC, and the LNS for the LACs to establish L2TP tunnels with the LNS. Make sure the LACs have the same L2TP settings. For more information about configuring L2TP, see Layer 2—WAN Access Configuration Guide.
Associating an L2TP group with a VSRP instance
Restrictions and guidelines
· You must associate the peer L2TP groups on the master and backup LACs with the same VSRP instance.
· Associating an L2TP group with a VSRP instance will remove the existing L2TP tunnels in the L2TP group.
· You cannot change or remove the association between an L2TP group and a VSRP instance when an L2TP tunnel exists in the L2TP group.
Procedure
1. Enter system view.
system-view
2. Enter L2TP group view in LAC mode.
l2tp-group group-number [ mode lac ]
3. Associate the L2TP group with a VSRP instance.
vsrp-instance vsrp-instance-name
By default, an L2TP group is not associated with a VSRP instance.
Specifying the source address for an L2TP tunnel
About this task
You must specify the same L2TP tunnel source address on the master and backup LACs. This source address is used as the source address of tunneled packets. With the L2TP tunnel source address specified, the master LAC generates a static route to the source address. The static route has the loopback interface as the output interface.
After a master and backup switchover, the original master deletes the static route and uses a dynamic routing protocol to advertise the route deletion. Meanwhile, the new master generates a static route to the tunnel source address and uses a dynamic routing protocol to advertise the route. In this way, the traffic from the LNS can be automatically switched to the new master LAC. The LNS considers that the original L2TP tunnel remains established.
Restrictions and guidelines
· The tunnel source address can be the loopback interface address with a 32-bit mask. However, it cannot be the IP address of any physical port on either device in the VSRP instance. Moreover, the tunnel source address cannot conflict with any IP address on the network.
· As a best practice, specify different L2TP tunnel source addresses for the L2TP tunnels in different L2TP groups.
· To specify an L2TP tunnel source address, you must associate the corresponding L2TP group with a VSRP instance first.
· You cannot change or remove the specified tunnel source address for the existing L2TP tunnel in an L2TP group.
· When you enable VSRP for L2TP, the tunnel source address specified by the tunnel vsrp source-ip command rather than that specified by the source-ip command takes effect. If you configure the source-ip command but do not configure the tunnel vsrp source-ip command, VSRP for L2TP cannot operate correctly. For more information about the source-ip command, see Layer 2—WAN Access Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter L2TP group view in LAC mode.
l2tp-group group-number [ mode lac ]
3. Specify the source IP address for the L2TP tunnel.
tunnel vsrp source-ip ip-address
By default, the source IP address of the L2TP tunnel is the IP address of the local tunnel interface.
Specifying an L2TP tunnel ID range
Restrictions and guidelines
To avoid tunnel ID conflicts after a master/backup switchover, you must specify different L2TP tunnel ID ranges on the peer LACs in the following scenario:
You cannot change the L2TP tunnel ID range for an LAC when it has an L2TP tunnel.
Procedure
1. Enter system view.
system-view
2. Specify an L2TP tunnel ID range.
l2tp tunnel id low-id high-id
By default, the L2TP tunnel ID range is 1 to 65535.
Specifying the TCP port number for establishing L2TP service backup data channels
About this task
To back up L2TP services for an L2TP group, the master and the backup must establish a TCP data channel. You can change the TCP port number for establishing the data channel.
Restrictions and guidelines
The specified port number cannot be a TCP port number in use.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for VSRP to establish data channels for L2TP service backup.
l2tp vsrp-port port-number
The default TCP port number is 60036.
Configuring VSRP for portal
About VSRP for portal
You can use VSRP to back up the portal sessions on a portal-enabled interface in real time by associating that interface with a VSRP instance. When the interface on the master device fails, the interface on the backup device can take over to provide portal services.
Restrictions and guidelines for configuring VSRP for portal
· You must associate the peer interfaces on the master and backup access devices with the same VSRP instance.
· If you configure VLAN termination on the subinterfaces on the master and backup access devices, make sure the peer subinterfaces terminate the same VLAN IDs.
· VSRP backup for a portal-enabled interface takes effect on all IPv4 and IPv6 portal users that use direct authentication on that interface.
· You cannot associate different interfaces on a device with the same VSRP instance.
· You can associate different subinterfaces of an interface with the same VSRP instance or with different VSRP instances.
· Any change to the VSRP instance that is associated with a portal-enabled interface can make portal users on the interface go offline.
Enabling VSRP for portal
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
3. Associate the interface with a VSRP instance.
portal vsrp-instance vsrp-instance-name
By default, a portal-enabled interface is not associated with a VSRP instance.
Specifying the TCP port number for establishing portal service backup data channels
About this task
To back up the portal sessions on an interface, the master and the backup must establish a TCP data channel. You can change the TCP port number for establishing the data channel.
Restrictions and guidelines
To establish portal service backup data channels successfully, you must specify the same TCP port number on the master and backup devices.
The specified port number cannot be a TCP port number in use.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for VSRP to establish portal service backup data channels.
portal vsrp-port port-number
The default TCP port number is 60038.
Configuring VSRP for DHCPv4 server
About VSRP for DHCPv4 server
You can use VSRP to back up the address assignment data for a DHCPv4 address pool by associating that address pool with a VSRP instance.
If the peer client-side interfaces on the master and backup DHCPv4 servers have different interface names, you must also associate the interfaces with the same VSRP instance. The peer client-side interfaces are client-side interfaces that connect the master and backup DHCPv4 servers to the same subnet.
When the VSRP instance state is Master, the DHCPv4 server to which the DHCPv4 address pool belongs is the master device. When the VSRP instance state is Backup, the DHCPv4 server to which the DHCPv4 address pool belongs is the backup device.
In a VSRP group, the master DHCPv4 server assigns IP addresses together with other configuration parameters to DHCPv4 clients. The backup DHCPv4 server only receives the address pool data backed up from the master DHCPv4 server. The DHCPv4 address pool data includes lease bindings and conflicting IP addresses. For more information about DHCPv4, see Layer 3—IP Services Configuration Guide.
VSRP for DHCPv4 server service is typically used in BRAS scenarios in which the master DHCPv4 server assigns IP addresses and other configuration parameters to IPoE or PPPoE users.
Associating a DHCPv4 address pool with a VSRP instance
1. Enter system view.
system-view
2. Create a DHCPv4 address pool and enter its view.
dhcp server ip-pool pool-name
3. Associate the address pool with a VSRP instance.
vsrp-instance vsrp-instance-name
By default, a DHCPv4 address pool is not associated with any VSRP instance.
Associating a client-side interface with a VSRP instance
About this task
If the peer client-side interfaces on the master and backup DHCPv4 servers have different interface names, you must also associate the interfaces to the same VSRP instance.
This configuration is not required if the peer client-side interfaces have the same interface name.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
¡ Layer 3 RPR logical interfaces.
3. Associate the interface with a VSRP instance.
dhcp vsrp-instance vsrp-instance-name
By default, a DHCPv4 client-side interface is not associated with a VSRP instance.
Specifying the TCP port number for establishing DHCPv4 server service backup data channels
About this task
To back up address assignment data for a DHCPv4 address pool, the master DHCPv4 server must establish a data channel with the backup DHCPv4 server. You can change the port number for establishing the data channel.
Restrictions and guidelines
To establish DHCPv4 server service backup data channels successfully, you must specify the same TCP port number on the master and backup devices.
The specified port number cannot be a TCP port number in use.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for VSRP to establish DHCPv4 server service backup data channels.
dhcp vsrp port port-number
The default TCP port number is 60037.
Configuring VSRP for DHCPv6 server
About VSRP for DHCPv6 server
You can use VSRP to back up the address assignment data for a DHCPv6 address pool by associating that address pool with a VSRP instance.
If the peer client-side interfaces on the master and backup DHCPv6 servers have different interface names, you must also associate the interfaces with the same VSRP instance. The peer client-side interfaces are client-side interfaces that connect the master and backup DHCPv6 servers to the same subnet.
When the VSRP instance state is Master, the DHCPv6 server to which the DHCPv6 address pool belongs is the master device. When the VSRP instance state is Backup, the DHCPv6 server to which the DHCPv6 address pool belongs is the backup device.
In a VSRP group, the master DHCPv6 server assigns IP addresses together with other configuration parameters to DHCPv6 clients. The backup DHCPv6 server only receives the address pool data backed up from the master DHCPv6 server. The DHCPv6 address pool data includes lease bindings and conflicting IP addresses. For more information about DHCPv6, see Layer 3—IP Services Configuration Guide.
VSRP for DHCPv6 server service is typically used in BRAS scenarios in which the master DHCPv6 server assigns IP addresses and other configuration parameters to IPoE or PPPoE users.
Restrictions and guidelines for configuring VSRP for a DHCPv6 address pool
For DHCPv6 clients to correctly renew leases or release IPv6 addresses after a switchover, use the virtual-duid command to generate the same virtual DUID for the master and the backup.
Associating a DHCPv6 address pool with a VSRP instance
1. Enter system view.
system-view
2. Create a DHCPv6 address pool and enter its view.
ipv6 dhcp pool pool-name
3. Associate the address pool with a VSRP instance.
vsrp-instance vsrp-instance-name
By default, a DHCPv6 address pool is not associated with a VSRP instance.
4. Specify a virtual DUID for the DHCPv6 server.
virtual-duid { enterprise-number enterprise-number identifier identifier | hardware-type hardware-type address address }
By default, no virtual DUID is specified for a DHCPv6 server. The DHCPv6 server uses its reall DUID.
Associating a client-side interface with a VSRP instance
About this task
If the peer client-side interfaces on the master and backup DHCPv6 servers have different interface names, you must also associate the interfaces to the same VSRP instance.
This configuration is not required if the peer client-side interfaces have the same interface name.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following types of interfaces are supported:
¡ Layer 3 Ethernet interface.
¡ Layer 3 Ethernet subinterface.
¡ Layer 3 aggregate interface.
¡ Layer 3 aggregate subinterface.
¡ Layer 3 RPR logical interface.
3. Associate the interface with a VSRP instance.
ipv6 dhcp vsrp-instance vsrp-instance-name
By default, a DHCPv6 client-side interface is not associated with a VSRP instance.
Specifying the TCP port number for establishing DHCPv6 server service backup data channels
About this task
To back up address assignment data for a DHCPv6 address pool, the master DHCPv6 server must establish a data channel with the backup DHCPv6 server. You can change the port number for establishing the data channel.
Restrictions and guidelines
To establish DHCPv6 server service backup data channels successfully, you must specify the same TCP port number on the master and backup devices.
The specified port number cannot be a TCP port number in use.
Procedure
1. Enter system view.
system-view
2. Specify a TCP port number for VSRP to establish DHCPv6 server service backup data channels.
ipv6 dhcp vsrp port port-number
The default TCP port number is 60038.
Display and maintenance commands for VSRP
Execute display commands in any view.
|
Task |
Command |
|
Display VSRP instance information. |
display vsrp instance [ instance-name ] |
|
Display VSRP group information. |
display vsrp peer [ peer-name ] |
|
Display PPP sessions backed up by VSRP instances. |
display ppp sync-session [ vsrp-instance vsrp-instance-name ] |
|
Display PPPoE sessions backed up by VSRP instances. |
display pppoe-server sync-session [ vsrp-instance vsrp-instance-name ] |
|
Display L2TP sessions backed up by VSRP instances. |
display l2tp session vsrp [ vsrp-instance-name ] |
|
Display L2TP tunnel information backed up by VSRP instances. |
display l2tp tunnel vsrp [ vsrp-instance-name ] |
|
Display information about the VSRP instance that backs up L2TP services. |
display l2tp vsrp [ vsrp-instance-name ] |
VSRP configuration examples
Example: Configuring VSRP for IPv4 IPoE
Network configuration
As shown in Figure 2, the hosts use IPoE to access the BRAS devices (Device A and Device B). The two BRAS devices are in a VSRP group. DHCPv4 address pool 1 is enabled on the BRAS devices. The hosts obtain IP addresses through DHCP from the master. Perform the following tasks:
· Enable IPoE and enable the DHCPv4 user on GigabitEthernet 1/0/1 of both Device A and Device B.
· Create VRRP group 1 on GigabitEthernet 1/0/1.10, and configure the subinterface to terminate VLAN-tagged packets whose outermost VLAN ID is 10.
· Enable OSPF on Device A and Device B to ensure that they can learn and advertise routes on their uplinks.
· Enable VSRP for IPv4 IPoE to back up IPoE sessions in real time.
· Use the RADIUS server for authentication, authorization, and accounting of IPv4 IPoE users.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 2. (Details not shown.)
2. Configure the RADIUS server:
|
|
NOTE: This example uses a FreeRADIUS server that runs on Linux. |
# Add the NAS IP address and shared key configuration to the clients.conf configuration file. (The NAS IP addresses for the two clients are 4.4.4.2 and 5.5.5.2, respectively, and the shared key is radius.)
client 4.4.4.2/32 {
ipaddr = 4.4.4.2
netmask=32
secret=radius
}
client 5.5.5.2/32 {
ipaddr = 5.5.5.2
netmask=24
secret=radius
}
# Add the IPoE user configuration to the users file. (The MAC addresses of the three IPoE users are 0010-9400-0001, 0010-9400-0002, and 0010-9400-0003. The password is radius, and the name of the authorized address pool is 1.)
001094000001 Cleartext-Password :="radius"
Framed-Pool = 1
001094000002 Cleartext-Password :="radius"
Framed-Pool = 1
001094000003 Cleartext-Password :="radius"
Framed-Pool = 1
3. Configure Device A:
a. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
<DeviceA> system-view
[DeviceA] radius scheme rs1
# Specify the primary authentication server and primary accounting server.
[DeviceA-radius-rs1] primary authentication 10.20.30.1
[DeviceA-radius-rs1] primary accounting 10.20.30.1
# Set the shared key for secure RADIUS authentication and accounting communication.
[DeviceA-radius-rs1] key authentication simple radius
[DeviceA-radius-rs1] key accounting simple radius
# Configure Device A to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme rs1.
[DeviceA-radius-rs1] user-name-format without-domain
# Specify the source IP address as 2.2.2.1 (the gateway address for the hosts) for outgoing RADIUS packets.
[DeviceA-radius-rs1] nas-ip 2.2.2.1
[DeviceA-radius-rs1] quit
# Enable the session-control feature.
[DeviceA] radius session-control enable
b. Configure an authentication domain:
# Create ISP domain dm1 and enter ISP domain view.
[DeviceA] domain dm1
# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting for IPoE users.
[DeviceA-isp-dm1] authentication ipoe radius-scheme rs1
[DeviceA-isp-dm1] authorization ipoe radius-scheme rs1
[DeviceA-isp-dm1] accounting ipoe radius-scheme rs1
[DeviceA-isp-dm1] quit
c. Configure the DHCP server:
# Enable DHCP.
[DeviceA] dhcp enable
# Create DHCP address pool 1 and associate the pool with VSRP instance vs1.
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] vsrp-instance vs1
# Assign gateway address 2.2.2.1 to the hosts, and export the host route destined for the hosts and the route destined for 2.2.2.0/24.
[DeviceA-dhcp-pool-1] network 2.2.2.0 mask 255.255.255.0 export-route
[DeviceA-dhcp-pool-1] gateway-list 2.2.2.1 export-route
# Exclude the gateway address from dynamic allocation.
[DeviceA-dhcp-pool-1] forbidden-ip 2.2.2.1
[DeviceA-dhcp-pool-1] quit
d. Configure a VRRP group:
# Enter GigabitEthernet 1/0/1.10 interface view.
[DeviceA] interface gigabitethernet 1/0/1.10
# Create VRRP group 1 and set its virtual IP address to 3.3.3.3.
[DeviceA–GigabitEthernet1/0/1.10] vrrp vrid 1 virtual-ip 3.3.3.3
# Configure GigabitEthernet 1/0/1.10 to terminate VLAN 10.
[DeviceA-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
# Set the priority of Device A to 250 in VRRP group 1 on GigabitEthernet 1/0/1.10. Device A is assigned a higher priority than Device B in VRRP group 1, so Device A can become the master.
[DeviceA-GigabitEthernet1/0/1.10] vrrp vrid 1 priority 250
# Configure Device A to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[DeviceA–GigabitEthernet1/0/1.10] vrrp vrid 1 preempt-mode delay 5000
[DeviceA–GigabitEthernet1/0/1.10] quit
# Create track entry 1 to monitor the link status of the uplink interface GigabitEthernet 1/0/2. When the uplink fails, the track entry transits to Negative state.
[DeviceA] track 1 interface gigabitethernet 1/0/2
# Associate VRRP group 1 on GigabitEthernet 1/0/1.10 with track entry 1, and decrease the device priority by 200 when the state of track entry 1 changes to Negative.
[DeviceA] interface gigabitethernet 1/0/1.10
[DeviceA-GigabitEthernet1/0/1.10] vrrp vrid 1 track 1 priority reduced 200
[DeviceA-GigabitEthernet1/0/1.10] quit
e. Configure VSRP instance vs1:
# Create VSRP group pr1 and enter VSRP peer view.
[DeviceA] vsrp peer pr1
# Specify the local IP address as 4.4.4.2 and the peer IP address as 5.5.5.2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[DeviceA-vsrp-peer-pr1] peer 5.5.5.2 local 4.4.4.2
[DeviceA-vsrp-peer-pr1] quit
# Create VSRP instance vs1 and enter its view.
[DeviceA] vsrp instance vs1
# Associate VSRP instance vs1 with VSRP group pr1 and set its backup ID to 1.
[DeviceA-vsrp-instance-vs1] backup id 1 peer pr1
# Bind VSRP instance vs1 to VRRP group 1 on GigabitEthernet 1/0/1.10.
[DeviceA-vsrp-instance-vs1] bind vrrp vrid 1 interface gigabitethernet 1/0/1.10
# Specify the logical NAS IP address as 2.2.2.1.
[DeviceA-vsrp-instance-vs1] nas ip 2.2.2.1
# Specify the logical interface as GigabitEthernet 1/0/2.
[DeviceA-vsrp-instance-vs1] nas port gigabitethernet 1/0/2
[DeviceA-vsrp-instance-vs1] quit
f. Configure IPoE authentication on GigabitEthernet 1/0/1:
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceA] interface gigabitethernet 1/0/1
# Enable IPv4 IPoE and specify Layer 2 access mode.
[DeviceA–GigabitEthernet1/0/1] ip subscriber l2-connected enable
# Enable GigabitEthernet 1/0/1 to initiate an IPoE session when it receives the first DHCP Discover or DHCP Request packet.
[DeviceA–GigabitEthernet1/0/1] ip subscriber initiator dhcp enable
# Configure ISP domain dm1 for DHCPv4 users.
[DeviceA–GigabitEthernet1/0/1] ip subscriber dhcp domain dm1
# Set the password to radius in plain text for the dynamic IPv4 IPoE users.
[DeviceA–GigabitEthernet1/0/1] ip subscriber password plaintext radius
# Associate GigabitEthernet 1/0/1 with VSRP instance vs1.
[DeviceA–GigabitEthernet1/0/1] ip subscriber vsrp-instance vs1
[DeviceA–GigabitEthernet1/0/1] dhcp vsrp-instance vs1
[DeviceA–GigabitEthernet1/0/1] quit
# Specify TCP port 1025 for VSRP to establish data channels for IPoE session backup.
[DeviceA] ip subscriber vsrp-port 1025
g. Configure OSPF:
# Enable OSPF process 1 and set its router ID to 4.4.4.2 (the IP address of GigabitEthernet 1/0/2).
<DeviceA> system-view
[DeviceA] ospf 1 router-id 4.4.4.2
# Configure OSPF to redistribute the static route filtered by routing policy 1. When Device A acts as the master and assigns IP addresses to the hosts, it advertises the static route destined for the subnet where the hosts reside to Device C. In this way, Device C can select the route to a host based on the state of Device A and Device B in the VSRP instance.
[DeviceA-ospf-1] import-route static route-policy 1
[DeviceA-ospf-1] quit
# Configure routing policy 1 to permit routes destined for network 2.2.2.0/24.
[DeviceA] ip prefix-list 1 permit 2.2.2.0 24
[DeviceA] route-policy 1 permit node 1
[DeviceA-route-policy-1-1] if-match ip address prefix-list 1
[DeviceA-route-policy-1-1] quit
# Create Area 0 and specify GigabitEthernet 1/0/2 whose IP address is on network 4.4.4.0/24 to run OSPF in Area 0.
[DeviceA] ospf
[DeviceA-ospf-1] area 0.0.0.0
[DeviceA-ospf-1-area-0.0.0.0] network 4.4.4.0 0.0.0.255
4. Configure Device B:
a. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
<DeviceB> system-view
[DeviceB] radius scheme rs1
# Specify the primary authentication server and primary accounting server.
[DeviceB-radius-rs1] primary authentication 10.20.30.1
[DeviceB-radius-rs1] primary accounting 10.20.30.1
# Set the shared key for secure RADIUS authentication and accounting communication.
[DeviceB-radius-rs1] key authentication simple radius
[DeviceB-radius-rs1] key accounting simple radius
# Configure Device B to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme rs1.
[DeviceB-radius-rs1] user-name-format without-domain
# Specify the source IP address as 2.2.2.1 (the gateway address for the hosts) for outgoing RADIUS packets.
[DeviceB-radius-rs1] nas-ip 2.2.2.1
[DeviceB-radius-rs1] quit
# Enable the session-control feature.
[DeviceB] radius session-control enable
b. Configure an authentication domain:
# Create ISP domain dm1 and enter ISP domain view.
[DeviceB] domain dm1
# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting for IPoE users.
[DeviceB-isp-dm1] authentication ipoe radius-scheme rs1
[DeviceB-isp-dm1] authorization ipoe radius-scheme rs1
[DeviceB-isp-dm1] accounting ipoe radius-scheme rs1
[DeviceB-isp-dm1] quit
c. Configure the DHCP server:
# Enable DHCP.
[DeviceB] dhcp enable
# Create DHCP address pool 1 and associate the pool with VSRP instance vs1.
[DeviceB] dhcp server ip-pool 1
[DeviceB-dhcp-pool-1] vsrp-instance vs1
# Assign gateway address 2.2.2.1 to the hosts, and export the host route destined for the hosts and the route destined for 2.2.2.0/24.
[DeviceB-dhcp-pool-1] network 2.2.2.0 mask 255.255.255.0 export-route
[DeviceB-dhcp-pool-1] gateway-list 2.2.2.1 export-route
# Exclude the gateway address from dynamic allocation.
[DeviceB-dhcp-pool-1] forbidden-ip 2.2.2.1
[DeviceB-dhcp-pool-1] quit
d. Configure a VRRP group:
# Enter GigabitEthernet 1/0/1.10 interface view.
[DeviceB] interface gigabitethernet 1/0/1.10
# Create VRRP group 1 and set its virtual IP address to 3.3.3.3.
[DeviceB–GigabitEthernet1/0/1.10] vrrp vrid 1 virtual-ip 3.3.3.3
# Configure GigabitEthernet 1/0/1.10 to terminate VLAN 10.
[DeviceB-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
# Set the priority of Device B to 200 in VRRP group 1 on GigabitEthernet 1/0/1.10. Device B is assigned a lower priority than Device B in VRRP group 1, so Device A can become the master.
[DeviceB-GigabitEthernet1/0/1.10] vrrp vrid 1 priority 200
# Configure Device B to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[DeviceB–GigabitEthernet1/0/1.10] vrrp vrid 1 preempt-mode delay 5000
[DeviceB–GigabitEthernet1/0/1.10] quit
e. Configure VSRP instance vs1:
# Create VSRP group pr1 and enter VSRP peer view.
[DeviceB] vsrp peer pr1
# Specify the local IP address as 5.5.5.2 and the peer IP address as 4.4.4.2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[DeviceB-vsrp-peer-pr1] peer 4.4.4.2 local 5.5.5.2
[DeviceB-vsrp-peer-pr1] quit
# Create VSRP instance vs1 and enter its view.
[DeviceB] vsrp instance vs1
# Associate VSRP instance vs1 with VSRP group pr1 and set its backup ID to 1.
[DeviceB-vsrp-instance-vs1] backup id 1 peer pr1
# Bind VSRP instance vs1 to VRRP group 1 on GigabitEthernet 1/0/1.10.
[DeviceB-vsrp-instance-vs1] bind vrrp vrid 1 interface gigabitethernet 1/0/1.10
# Specify the logical NAS IP address as 2.2.2.1.
[DeviceB-vsrp-instance-vs1] nas ip 2.2.2.1
# Specify the logical interface as GigabitEthernet 1/0/2.
[DeviceB-vsrp-instance-vs1] nas port gigabitethernet 1/0/2
[DeviceB-vsrp-instance-vs1] quit
f. Configure IPoE authentication on GigabitEthernet 1/0/1:
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceB] interface gigabitethernet 1/0/1
# Enable IPv4 IPoE and specify the Layer 2 access mode.
[DeviceB–GigabitEthernet1/0/1] ip subscriber l2-connected enable
# Enable GigabitEthernet 1/0/1 to initiate an IPoE session when it receives the first DHCP Discover or DHCP Request packet.
[DeviceB–GigabitEthernet1/0/1] ip subscriber initiator dhcp enable
# Configure ISP domain dm1 for DHCPv4 users.
[DeviceB–GigabitEthernet1/0/1] ip subscriber dhcp domain dm1
# Set the password to radius in plain text for the dynamic IPv4 IPoE users.
[DeviceB–GigabitEthernet1/0/1] ip subscriber password plaintext radius
# Associate GigabitEthernet 1/0/1 with VSRP instance vs1.
[DeviceB–GigabitEthernet1/0/1] ip subscriber vsrp-instance vs1
[DeviceB–GigabitEthernet1/0/1] dhcp vsrp-instance vs1
[DeviceB–GigabitEthernet1/0/1] quit
# Specify TCP port number 1025 for VSRP to establish data channels for IPoE session backup.
[DeviceB] ip subscriber vsrp-port 1025
g. Configure OSPF:
# Enable OSPF process 1 and set its router ID to 5.5.5.2 (the IP address of GigabitEthernet 1/0/2).
[DeviceB] ospf 1 router-id 5.5.5.2
# Configure OSPF to redistribute the static route filtered by routing policy 1. When Device B acts as the master and assigns IP addresses to the hosts, it advertises the static route destined for the subnet where the hosts reside to Device C. In this way, Device C can select the route to a host based on the state of Device A and Device B in the VSRP instance.
[DeviceB-ospf-1] import-route static route-policy 1
[DeviceB-ospf-1] quit
# Configure routing policy 1 to permit routes destined for network 2.2.2.0/24.
[DeviceB] ip prefix-list 1 permit 2.2.2.0 24
[DeviceB] route-policy 1 permit node 1
[DeviceB-route-policy-1-1] if-match ip address prefix-list 1
[DeviceB-route-policy-1-1] quit
# Create Area 0 and specify GigabitEthernet 1/0/2 whose IP address is on network 5.5.5.0/24 to run OSPF in Area 0.
[DeviceB] ospf
[DeviceB-ospf-1] area 0.0.0.0
[DeviceB-ospf-1-area-0.0.0.0] network 5.5.5.0 0.0.0.255
5. Configure Device C:
# Enable OSPF process 1 and set its router ID to 4.4.4.1 (the IP address of GigabitEthernet 1/0/1).
<DeviceC> system-view
[DeviceC] ospf 1 router-id 4.4.4.1
# Configure OSPF Area 0.
[DeviceC-ospf-1] area 0.0.0.0
[DeviceC-ospf-1-area-0.0.0.0] network 4.4.4.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 5.5.5.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
6. Configure the L2 Switch:
a. Create VLAN 10.
<L2Switch> system-view
[L2Switch] vlan 10
[L2Switch-vlan10] quit
b. Configure VLAN settings on the interfaces that connect to Device A and Device B:
# Assign GigabitEthernet 1/0/2 to VLAN 10.
[L2Switch] interface gigabitethernet 1/0/2
[L2Switch-GigabitEthernet1/0/2] port link-type trunk
[L2Switch-GigabitEthernet1/0/2] port trunk permit vlan 10
[L2Switch-GigabitEthernet1/0/2] quit
# Assign GigabitEthernet 1/0/3 to VLAN 10.
[L2Switch] interface gigabitethernet 1/0/3
[L2Switch-GigabitEthernet1/0/3] port link-type trunk
[L2Switch-GigabitEthernet1/0/3] port trunk permit vlan 10
[L2Switch-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify that Device A and Device B have the same IPoE user information about authenticated IPoE users.
· On the master:
[DeviceA] display ip subscriber session
Type: D-Dhcp S-Static U-Unclassified-ip N-Ndrs
Interface IP address MAC address Type State
--------------------------------------------------------------------------------
GE1/0/1 2.2.2.4 0010-9400-0001 D Online
GE1/0/1 2.2.2.5 0010-9400-0002 D Online
GE1/0/1 2.2.2.6 0010-9400-0003 D Online
· On the backup:
[DeviceB] display ip subscriber session
Type: D-Dhcp S-Static U-Unclassified-ip N-Ndrs
Interface IP address MAC address Type State
--------------------------------------------------------------------------------
GE1/0/1 2.2.2.4 0010-9400-0001 D Backup
GE1/0/1 2.2.2.5 0010-9400-0002 D Backup
GE1/0/1 2.2.2.6 0010-9400-0003 D Backup
Example: Configuring VSRP for IPv6 IPoE
Network configuration
As shown in Figure 3, the hosts use IPoE to access the BRAS devices (Device A and Device B). The two BRAS devices are in a VSRP group. DHCPv6 address pool 1 is enabled on the BRAS devices. The hosts obtain IP addresses through DHCP from the master. Perform the following tasks:
· Enable IPoE and enable the DHCPv6 user on GigabitEthernet 1/0/1 of both Device A and Device B.
· Enable OSPF on Device A and Device B to ensure that they can learn and advertise routes on their uplinks.
· Enable VSRP for IPv6 IPoE to back up IPv6 IPoE sessions in real time.
· Use the RADIUS server for authentication, authorization, and accounting of IPv6 IPoE users.
Figure 3 Network diagram
Procedure
1. Assign IPv6 addresses to interfaces, as shown in Figure 3. (Details not shown.)
2. Configure the RADIUS server:
|
|
NOTE: This example uses a FreeRADIUS server that runs on Linux. |
# Add the NAS IP address and shared key configuration to the clients.conf configuration file. (The NAS IP addresses for the two clients are 4::2 and 5::2, respectively, and the shared key is radius.)
client 4::2/64 {
ipaddr = 4::2
netmask=64
secret=radius
}
client 5::2/64 {
ipaddr = 5::2
netmask=64
secret=radius
}
# Add the IPv6 IPoE user configuration to the users file. (The MAC addresses of the three IPoE users are 0010-9400-0001, 0010-9400-0002, and 0010-9400-0003. The password is radius, and the name of the authorized address pool is 1.)
001094000001 Cleartext-Password :="radius"
Framed-Pool = 1
001094000002 Cleartext-Password :="radius"
Framed-Pool = 1
001094000003 Cleartext-Password :="radius"
Framed-Pool = 1
3. Configure Device A:
a. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
<DeviceA> system-view
[DeviceA] radius scheme rs1
# Specify the primary authentication server and primary accounting server.
[DeviceA-radius-rs1] primary authentication 100::1
[DeviceA-radius-rs1] primary accounting 100::1
# Set the shared key for secure RADIUS authentication and accounting communication.
[DeviceA-radius-rs1] key authentication simple radius
[DeviceA-radius-rs1] key accounting simple radius
# Configure Device A to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme rs1.
[DeviceA-radius-rs1] user-name-format without-domain
# Specify the source IPv6 address as 1::1 for outgoing RADIUS packets.
[DeviceA-radius-rs1] nas-ip ipv6 1::1
[DeviceA-radius-rs1] quit
# Enable the session-control feature.
[DeviceA] radius session-control enable
b. Configure an authentication domain:
# Create ISP domain dm1 and enter ISP domain view.
[DeviceA] domain dm1
# Configure authentication, authorization, and accounting methods for IPoE users.
[DeviceA-isp-dm1] authentication ipoe radius-scheme rs1
[DeviceA-isp-dm1] authorization ipoe radius-scheme rs1
[DeviceA-isp-dm1] accounting ipoe radius-scheme rs1
[DeviceA-isp-dm1] quit
c. Configure a loopback interface:
# Enable OSPFv3 process 1 and specify Area 0 on Loopback 0.
[DeviceA] interface loopback 0
[DeviceA-LoopBack0] ospfv3 1 area 0
# Set the OSPFv3 cost to 30 for Loopback 0. Make sure this enables the RADIUS server to choose the route to Loopback 0 based on the cost.
[DeviceA-LoopBack0] ospfv3 cost 30
[DeviceA-LoopBack0] quit
d. Configure the DHCPv6 server:
# Enable DHCP.
[DeviceA] dhcp enable
# Enable DHCPv6 server on GigabitEthernet 1/0/1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA–GigabitEthernet1/0/1] ipv6 dhcp select server
# Disable RA message suppression on GigabitEthernet 1/0/1.
[DeviceA–GigabitEthernet1/0/1] undo ipv6 nd ra halt
# Set the M flag to 1 and the O flag to 1 in RA advertisements to be sent. The receiving hosts can obtain IPv6 addresses and other configuration information from the DHCPv6 server.
[DeviceA–GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag
[DeviceA–GigabitEthernet1/0/1] ipv6 nd autoconfig other-flag
[DeviceA–GigabitEthernet1/0/1] quit
# Create address pool 1.
[DeviceA] ipv6 dhcp pool 1
# Specify subnet 3::/64 in address pool 1 and advertise the subnet.
[DeviceA-dhcp6-pool-1] network 3::/64 export-route
[DeviceA-dhcp6-pool-1] gateway-list 3::1
# Associate DHCPv6 address pool 1 with VSRP instance vs1.
[DeviceA-dhcp6-pool-1] vsrp-instance vs1
# Configure DHCPv6 address pool 1 to use the virtual DUID generated based on enterprise number 2 and identifier ff.
[DeviceA-dhcp6-pool-1] virtual-duid enterprise-number 2 identifier ff
[DeviceA-dhcp6-pool-1] quit
# Exclude IPv6 address 3::1 from dynamic allocation.
[DeviceA] ipv6 dhcp server forbidden-address 3::1
e. Configure a VRRP group:
# Configure GigabitEthernet 1/0/1.10 to terminate VLAN 10.
[DeviceA] interface gigabitethernet 1/0/1.10
[DeviceA–GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
# Create IPv6 VRRP group 1 and set its virtual IP address to fe80::2.
[DeviceA–GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 virtual-ip fe80::2 link-local
# Configure GigabitEthernet 1/0/1.10 to automatically generate a link-local address.
[DeviceA–GigabitEthernet1/0/1.10] ipv6 address auto link-local
# Set the priority of Device A to 250 in VRRP group 1 on GigabitEthernet 1/0/1.10. Device A is assigned a higher priority than Device B in VRRP group 1, so Device A can become the master.
[DeviceA-GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 priority 250
# Configure Device A to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[DeviceA–GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 preempt-mode delay 5000
[DeviceA–GigabitEthernet1/0/1.10] quit
# Create track entry 1 to monitor the link status of uplink interface GigabitEthernet 1/0/2. When the uplink fails, the track entry transits to Negative state.
[DeviceA] track 1 interface gigabitethernet 1/0/2
# Associate VRRP group 1 on GigabitEthernet 1/0/1.10 with track entry 1 and decrease the device priority by 200 when the state of track entry 1 changes to Negative.
[DeviceA] interface gigabitethernet 1/0/1.10
[DeviceA-GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 track 1 priority reduced 200
[DeviceA-GigabitEthernet1/0/1.10] quit
f. Configure VSRP instance vs1:
# Create VSRP group pr1 and enter VSRP peer view.
[DeviceA] vsrp peer pr1
# Specify the local IP address as 4::2 and the peer IP address as 5::2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[DeviceA-vsrp-peer-pr1] peer ipv6 5::2 local 4::2
[DeviceA-vsrp-peer-pr1] quit
# Create VSRP instance vs1 and enter its view.
[DeviceA] vsrp instance vs1
# Associate VSRP instance vs1 with VSRP group pr1 and set its backup ID to 1.
[DeviceA-vsrp-instance-vs1] backup id 1 peer pr1
# Bind VSRP instance vs1 to IPv6 VRRP group 1 on GigabitEthernet 1/0/1.10.
[DeviceA-vsrp-instance-vs1] bind vrrp ipv6 vrid 1 interface gigabitethernet 1/0/1.10
# Specify the logical host name as abc.
[DeviceA-vsrp-instance-vs1] nas id abc
# Specify the logical interface as GigabitEthernet 1/0/2.
[DeviceA-vsrp-instance-vs1] nas port gigabitethernet 1/0/2
[DeviceA-vsrp-instance-vs1] quit
g. Specify a virtual IPv6 address for GigabitEthernet 1/0/1:
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceA] interface gigabitethernet 1/0/1
# Specify a virtual IPv6 address of fe80::100 for GigabitEthernet 1/0/1 that is associated with VSRP instance vs1.
[DeviceA–GigabitEthernet1/0/1] ipv6 virtual-address fe80::100 vsrp vs1
h. Configure IPoE authentication on GigabitEthernet 1/0/1:
# Enable IPoE and specify Layer 2 access mode.
[DeviceA–GigabitEthernet1/0/1] ip subscriber l2-connected enable
# Enable GigabitEthernet 1/0/1 to initiate an IPoE session when it receives the first DHCP Solicitor or DHCP Request packet.
[DeviceA–GigabitEthernet1/0/1] ip subscriber initiator dhcpv6 enable
# Configure ISP domain dm1 for DHCPv6 users.
[DeviceA–GigabitEthernet1/0/1] ip subscriber dhcp domain dm1
# Set the password to radius in plain text for the dynamic IPoE users.
[DeviceA–GigabitEthernet1/0/1] ip subscriber password plaintext radius
# Associate GigabitEthernet 1/0/1 with VSRP instance vs1.
[DeviceA–GigabitEthernet1/0/1] ip subscriber vsrp-instance vs1
[DeviceA–GigabitEthernet1/0/1] dhcp vsrp-instance vs1
[DeviceA–GigabitEthernet1/0/1] quit
# Specify TCP port 1026 for VSRP to establish data channels for IPoE session backup.
[DeviceA] ip subscriber vsrp-port 1026
i. Configure OSPFv3:
# Enable OSPFv3 process 1 and set its router ID to 1.1.1.1.
[DeviceA] ospfv3
[DeviceA-ospfv3-1]router-id 1.1.1.1
# Configure OSPFv3 to redistribute the static route filtered by routing policy 1. When Device A acts as the master and assigns IP addresses to the hosts, it advertises the static route destined for the subnet where the hosts reside to Device C. In this way, Device C can select the route to a host based on the state of Device A and Device B in the VSRP instance.
[DeviceA-ospfv3-1] import-route static route-policy 1
[DeviceA-ospfv3-1] quit
# Configure routing policy 1 to permit routes destined for network 3::/64.
[DeviceA] ipv6 prefix-list 1 permit 3:: 64
[DeviceA] route-policy 1 permit node 1
[DeviceA-route-policy-1-1] if-match ipv6 address prefix-list 1
[DeviceA-route-policy-1-1] quit
# Enable OSPFv3 and specify Area 0 on GigabitEthernet 1/0/2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA–GigabitEthernet1/0/2] ospfv3 1 area 0
4. Configure Device B:
a. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
<DeviceB> system-view
[DeviceB] radius scheme rs1
# Specify the primary authentication server and primary accounting server.
[DeviceB-radius-rs1] primary authentication 100::1
[DeviceB-radius-rs1] primary accounting 100::1
# Set the shared key for secure RADIUS authentication and accounting communication.
[DeviceB-radius-rs1] key authentication simple radius
[DeviceB-radius-rs1] key accounting simple radius
# Configure Device B to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme rs1.
[DeviceB-radius-rs1] user-name-format without-domain
[DeviceB-radius-rs1] quit
# Enable the session-control feature.
[DeviceB] radius session-control enable
b. Configure an authentication domain:
# Create ISP domain dm1 and enter ISP domain view.
[DeviceB] domain dm1
# Configure authentication, authorization, and accounting methods for IPoE users.
[DeviceB-isp-dm1] authentication ipoe radius-scheme rs1
[DeviceB-isp-dm1] authorization ipoe radius-scheme rs1
[DeviceB-isp-dm1] accounting ipoe radius-scheme rs1
[DeviceB-isp-dm1] quit
c. Configure a loopback interface:
# Enable OSPFv3 process 1 and specify Area 0 on Loopback 0.
[DeviceB] interface loopback 0
[DeviceB-LoopBack0] ospfv3 1 area 0
# Set the OSPFv3 cost to 100 for Loopback 0. The RADIUS server can choose the route to Loopback 0 based on the cost.
[DeviceB-LoopBack0] ospfv3 cost 100
[DeviceB-LoopBack0] quit
d. Configure the DHCPv6 server:
# Enable DHCP.
[DeviceB] dhcp enable
# Enable DHCPv6 server on GigabitEthernet 1/0/1.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB–GigabitEthernet1/0/1] ipv6 dhcp select server
# Disable RA message suppression on GigabitEthernet 1/0/1.
[DeviceB–GigabitEthernet1/0/1] undo ipv6 nd ra halt
# Set the M flag to 1 and the O flag to 1 in RA advertisements to be sent. The receiving hosts can obtain IPv6 addresses and other configuration information from the DHCPv6 server.
[DeviceB–GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag
[DeviceB–GigabitEthernet1/0/1] ipv6 nd autoconfig other-flag
[DeviceB–GigabitEthernet1/0/1] quit
# Create address pool 1.
[DeviceB] ipv6 dhcp pool 1
# Specify subnet 3::/64 in address pool 1 and advertise the subnet.
[DeviceB-dhcp6-pool-1] network 3::/64 export-route
[DeviceB-dhcp6-pool-1] gateway-list 3::1
# Associate DHCPv6 address pool 1 with VSRP instance vs1.
[DeviceB-dhcp6-pool-1] vsrp-instance vs1
# Configure DHCPv6 address pool 1 to use the virtual DUID generated based on enterprise number 2 and identifier ff.
[DeviceB-dhcp6-pool-1] virtual-duid enterprise-number 2 identifier ff
[DeviceB-dhcp6-pool-1] quit
# Exclude IPv6 address 3::1 from dynamic allocation.
[DeviceB] ipv6 dhcp server forbidden-address 3::1
e. Configure a VRRP group:
# Configure GigabitEthernet 1/0/1.10 to terminate VLAN 10.
[DeviceB] interface gigabitethernet 1/0/1.10
[DeviceB–GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
# Configure GigabitEthernet 1/0/1.10 to automatically generate a link-local address.
[DeviceB–GigabitEthernet1/0/1.10] ipv6 address auto link-local
# Create IPv6 VRRP group 1 and set its virtual IP address to fe80::2.
[DeviceB–GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 virtual-ip fe80::2 link-local
# Set the priority of Device B to 200 in VRRP group 1 on GigabitEthernet 1/0/1.10. Device B is assigned a lower priority than Device A in VRRP group 1, so Device A can become the master.
[DeviceB-GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 priority 200
# Configure Device B to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[DeviceB–GigabitEthernet1/0/1.10] vrrp ipv6 vrid 1 preempt-mode delay 5000
[DeviceB–GigabitEthernet1/0/1.10] quit
f. Configure VSRP instance vs1:
# Create VSRP group pr1 and enter VSRP peer view.
[DeviceB] vsrp peer pr1
# Specify the local IP address as 5::2 and the peer IP address as 4::2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[DeviceB-vsrp-peer-pr1] peer ipv6 4::2 local 5::2
[DeviceB-vsrp-peer-pr1] quit
# Create VSRP instance vs1 and enter its view.
[DeviceB] vsrp instance vs1
# Associate VSRP instance vs1 with VSRP group pr1 and set its backup ID to 1.
[DeviceB-vsrp-instance-vs1] backup id 1 peer pr1
# Bind VSRP instance vs1 to IPv6 VRRP group 1 on GigabitEthernet 1/0/1.10.
[DeviceB-vsrp-instance-vs1] bind vrrp ipv6 vrid 1 interface gigabitethernet 1/0/1.10
# Specify the logical host name as abc.
[DeviceB-vsrp-instance-vs1] nas id abc
# Specify the logical interface as GigabitEthernet 1/0/2.
[DeviceB-vsrp-instance-vs1] nas port gigabitethernet 1/0/2
[DeviceB-vsrp-instance-vs1] quit
g. Specify a virtual IPv6 address on GigabitEthernet 1/0/1:
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceB] interface gigabitethernet 1/0/1
# Specify a virtual IPv6 address of fe80::100 for GigabitEthernet 1/0/1.
[DeviceB–GigabitEthernet1/0/1] ipv6 virtual-address fe80::100 vsrp vs1
h. Configure IPoE authentication on GigabitEthernet 1/0/1:
# Enable IPoE and specify Layer 2 access mode.
[DeviceB–GigabitEthernet1/0/1] ip subscriber l2-connected enable
# Enable GigabitEthernet 1/0/1 to initiate an IPoE session when it receives the first DHCP Solicitor or DHCP Request packet.
[DeviceB–GigabitEthernet1/0/1] ip subscriber initiator dhcpv6 enable
# Configure ISP domain dm1 for DHCPv6 users.
[DeviceB–GigabitEthernet1/0/1] ip subscriber dhcp domain dm1
# Set the password to radius in plain text for the dynamic IPoE users.
[DeviceB–GigabitEthernet1/0/1] ip subscriber password plaintext radius
# Associate GigabitEthernet 1/0/1 with VSRP instance vs1.
[DeviceB–GigabitEthernet1/0/1] ip subscriber vsrp-instance vs1
[DeviceB–GigabitEthernet1/0/1] dhcp vsrp-instance vs1
[DeviceB–GigabitEthernet1/0/1] quit
# Specify TCP port 1026 for VSRP to establish data channels for IPoE session backup.
[DeviceB] ip subscriber vsrp-port 1026
i. Configure OSPFv3:
# Enable OSPFv3 process 1 and set its router ID to 2.2.2.2.
[DeviceB] ospfv3
[DeviceB-ospfv3-1]router-id 2.2.2.2
# Configure OSPFv3 to redistribute the static route filtered by routing policy 1. When Device B acts as the master and assigns IP addresses to the hosts, it advertises the static route destined for the subnet where the hosts reside to Device C. In this way, Device C can select the route to a host based on the state of Device A and Device B in the VSRP instance.
[DeviceB-ospfv3-1] import-route static route-policy 1
[DeviceB-ospfv3-1] quit
# Configure routing policy 1 to permit routes destined for network 3::/64.
[DeviceB] ipv6 prefix-list 1 permit 3:: 64
[DeviceB] route-policy 1 permit node 1
[DeviceB-route-policy-1-1] if-match ipv6 address prefix-list 1
[DeviceB-route-policy-1-1] quit
# Enable OSPFv3 and specify Area 0 on GigabitEthernet 1/0/2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB–GigabitEthernet1/0/2] ospfv3 1 area 0
5. Configure Device C:
# Enable OSPFv3 process 1 and set its router ID to 3.3.3.3.
<DeviceC> system-view
[DeviceC] ospfv3
[DeviceC-ospfv3-1] router-id 3.3.3.3
# Enable OSPFv3 process 1 and specify Area 0 on GigabitEthernet 1/0/3.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] ospfv3 1 area 0
[DeviceC-GigabitEthernet1/0/3] quit
# Enable OSPFv3 process 1 and specify Area 0 on GigabitEthernet 1/0/1.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC–GigabitEthernet1/0/1] ospfv3 1 area 0
[DeviceC–GigabitEthernet1/0/1] quit
# Enable OSPFv3 process 1 and specify Area 0 on GigabitEthernet 1/0/2.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC–GigabitEthernet1/0/2] ospfv1 1 area 0
[DeviceC–GigabitEthernet1/0/2] quit
a. Create VLAN 10.
<L2Switch> system-view
[L2Switch] vlan 10
[L2Switch-vlan10] quit
b. Configure VLAN settings on the interfaces that connect to Device A and Device B:
# Assign GigabitEthernet 1/0/2 to VLAN 10.
[L2Switch] interface gigabitethernet 1/0/2
[L2Switch-GigabitEthernet1/0/2] port link-type trunk
[L2Switch-GigabitEthernet1/0/2] port trunk permit vlan 10
[L2Switch-GigabitEthernet1/0/2] quit
# Assign GigabitEthernet 1/0/3 to VLAN 10.
[L2Switch] interface GigabitEthernet 1/0/3
[L2Switch-GigabitEthernet1/0/3] port link-type trunk
[L2Switch-GigabitEthernet1/0/3] port trunk permit vlan 10
[L2Switch-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify that Device A and Device B have the same IPoE user information about authenticated IPoE users.
· On the master:
[DeviceA] display ipv6 subscriber session
Type: D-Dhcp S-Static U-Unclassified-ip N-Ndrs
Interface IP address MAC address Type State
--------------------------------------------------------------------------------
GE1/0/1 3::1 0010-9400-0001 D Online
GE1/0/1 3::2 0010-9400-0002 D Online
GE1/0/1 3::3 0010-9400-0003 D Online
· On the backup:
[DeviceB] display ipv6 subscriber session
Type: D-Dhcp S-Static U-Unclassified-ip N-Ndrs
Interface IP address MAC address Type State
--------------------------------------------------------------------------------
GE1/0/1 3::1 0010-9400-0001 D Backup
GE1/0/1 3::2 0010-9400-0002 D Backup
GE1/0/1 3::3 0010-9400-0003 D Backup
Example: Configuring VSRP for PPPoE
Network configuration
As shown in Figure 4, the host runs PPPoE client dialup software. To ensure service availability, enable VSRP for PPPoE on BRAS A (the master PPPoE server) and BRAS B (the backup PPPoE server). When BRAS A fails, BRAS B takes over the PPPoE services to avoid service interruption. Use the RADIUS server for authentication, authorization, and accounting of the PPPoE client.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 4. Configure routes for the host, the BRASs, the core router, and the RADIUS server to reach one another. (Details not shown.)
2. Configure the RADIUS server:
|
|
NOTE: This example uses a FreeRADIUS server that runs on Linux. |
# Add the NAS IP address and shared key configuration to the clients.conf configuration file. (The NAS IP addresses for the three clients are 4.4.4.1, 6.6.6.1, and 5.5.5.1, and the shared key is radius.)
client 4.4.4.1/32 {
ipaddr = 4.4.4.1
netmask=24
secret=radius
}
client 6.6.6.1/32 {
ipaddr = 6.6.6.1
netmask=24
secret=radius
}
client 5.5.5.1/32 {
ipaddr = 5.5.5.1
netmask=24
secret=radius
}
# Add the PPPoE client configuration to the users file. (The username of the PPPoE client is user1, and the password is pass1.)
user1 Cleartext-Password :="pass1"
3. Configure BRAS A:
a. Configure a VRRP group:
# Assign an IP address to Gigabitethernet 1/0/1.
<BRASA> system-view
[BRASA] interface gigabitethernet 1/0/1
[BRASA-GigabitEthernet1/0/1] ip address 5.5.5.98 255.255.255.0
# Create IPv4 VRRP group 1 and set its virtual IP address to 5.5.5.100.
[BRASA-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 5.5.5.100
# Set the priority of BRAS A to 105 in VRRP group 1 on GigabitEthernet 1/0/1.
[BRASA-GigabitEthernet1/0/1] vrrp vrid 1 priority 105
# Configure BRAS A to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[BRASA-GigabitEthernet1/0/1] vrrp vrid 1 preempt-mode delay 5000
[BRASA-GigabitEthernet1/0/1] quit
# Create track entry 1 to monitor the link status of uplink interface GigabitEthernet 1/0/2. When the uplink fails, the track entry transits to Negative state.
[BRASA] track 1 interface gigabitethernet 1/0/2
# Associate VRRP group 1 on GigabitEthernet 1/0/1 with track entry 1 and decrease the device priority by 100 when the state of track entry 1 changes to Negative.
[BRASA] interface gigabitethernet 1/0/1
[BRASA-GigabitEthernet1/0/1] vrrp vrid 1 track 1 priority reduced 100
[BRASA-GigabitEthernet1/0/1] quit
b. Configure a VSRP instance:
# Create interface Loopback 1 and assign the interface an IP address of 1.1.1.1.
[BRASA] interface loopback 1
[BRASA-Loopback1] ip address 1.1.1.1 32
[BRASA-Loopback1] quit
# Create VSRP group 1 and enter VSRP peer view.
[BRASA] vsrp peer 1
# Specify the local address as 1.1.1.1 and the peer address as 2.2.2.2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[BRASA-vsrp-peer-1] peer 2.2.2.2 local 1.1.1.1
[BRASA-vsrp-peer-1] quit
# Create VSRP instance 1 and associate it with VSRP group 1. Set the backup ID of the VSRP instance to 1.
[BRASA] vsrp instance 1
[BRASA-vsrp-instance-1] backup id 1 peer 1
# Bind VSRP instance 1 to VRRP group 1 on GigabitEthernet 1/0/1 and set VSRP instance 1 to operate in hot backup mode.
[BRASA-vsrp-instance-1] bind vrrp vrid 1 interface gigabitethernet 1/0/1
[BRASA-vsrp-instance-1] backup mode hot
# Specify the logical NAS IP address as 5.5.5.1.
[BRASA-vsrp-instance-1] nas ip 5.5.5.1
# Specify the logical interface as GigabitEthernet 1/0/2.
[BRASA-vsrp-instance-1] nas port gigabitethernet 1/0/2
[BRASA-vsrp-instance-1] quit
c. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
[BRASA] radius scheme rs1
# Specify the primary authentication server and primary accounting server.
[BRASA-radius-rs1] primary authentication 10.20.30.1
[BRASA-radius-rs1] primary accounting 10.20.30.1
# Set the shared key for secure RADIUS authentication and accounting communication.
[BRASA-radius-rs1] key authentication simple radius
[BRASA-radius-rs1] key accounting simple radius
# Configure BRAS A to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme rs1.
[BRASA-radius-rs1] user-name-format without-domain
# Specify the source IP address as 5.5.5.1 (the gateway address for the host) for outgoing RADIUS packets.
[BRASA-radius-rs1] nas-ip 5.5.5.1
[BRASA-radius-rs1] quit
# Enable the session-control feature.
[BRASA] radius session-control enable
d. Configure an authentication domain:
# Create ISP domain dm1 and enter ISP domain view.
[BRASA] domain dm1
# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting for PPP users.
[BRASA-isp-dm1] authentication ppp radius-scheme rs1
[BRASA-isp-dm1] authorization ppp radius-scheme rs1
[BRASA-isp-dm1] accounting ppp radius-scheme rs1
[BRASA-isp-dm1] authorization-attribute ip-pool pool1
[BRASA-isp-dm1] quit
e. Configure PPPoE authentication:
# Configure address pool pool1. Add the IP address range from 5.5.5.2 to 5.5.5.10 to the pool.
[BRASA] ip pool pool1 5.5.5.2 5.5.5.10
# Specify 5.5.5.1 as a gateway address in the address pool.
[BRASA] ip pool pool1 gateway 5.5.5.1
# Specify 5.5.5.0 as a PPP address pool route and associate the route with VSRP instance 1.
[BRASA] ppp ip-pool route 5.5.5.0 255.255.255.0 vsrp-instance 1
# Specify TCP port 10000 as the TCP port for VSRP to establish data channels for PPP and PPPoE session backup.
[BRASA] ppp vsrp-port 10000
# Create interface Virtual-Template 10 and assign it an IP address of 5.5.5.1.
[BRASA] interface virtual-template 10
[BRASA-Virtual-Template10] ip address 5.5.5.1 24
# Configure Virtual-Template 10 to use CHAP for authentication and use address pool pool1 to assign IP addresses.
[BRASA-Virtual-Template10] ppp authentication-mode chap domain dm1
[BRASA-Virtual-Template10] remote address pool pool1
# Enable PPP accounting.
[BRASA-Virtual-Template10] ppp account-statistics enable
[BRASA-Virtual-Template10] quit
# Enable a PPPoE server on GigabitEthernet 1/0/1 and bind GigabitEthernet 1/0/1 to interface Virtual-Template 10.
[BRASA] interface gigabitethernet 1/0/1
[BRASA-GigabitEthernet1/0/1] pppoe-server bind virtual-template 10
# Associate GigabitEthernet 1/0/1 with VSRP instance 1.
[BRASA-GigabitEthernet1/0/1] pppoe-server vsrp-instance 1
[BRASA-GigabitEthernet1/0/1] quit
4. Configure BRAS B:
a. Configure a VRRP group:
# Assign an IP address to GigabitEthernet 1/0/1.
<BRASB> system-view
[BRASB] interface gigabitethernet 1/0/1
[BRASB-GigabitEthernet1/0/1] ip address 5.5.5.99 255.255.255.0
# Create IPv4 VRRP group 1 and set its virtual IP address to 5.5.5.100.
[BRASB-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 5.5.5.100
# Configure BRAS B to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[BRASB–GigabitEthernet1/0/1] vrrp vrid 1 preempt-mode delay 5000
[BRASB–GigabitEthernet1/0/1] quit
b. Configure a VSRP instance:
# Create interface Loopback 1 and assign the interface an IP address of 2.2.2.2.
[BRASB] interface loopback 1
[BRASB-Loopback1] ip address 2.2.2.2 32
[BRASB-Loopback1] quit
# Create VSRP group 1 and enter VSRP peer view.
[BRASB] vsrp peer 1
# Specify the local IP address as 2.2.2.2 and the peer IP address as 1.1.1.1 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[BRASB-vsrp-peer-1] peer 1.1.1.1 local 2.2.2.2
[BRASB-vsrp-peer-1] quit
# Create VSRP instance 1 and associate it with VSRP group 1. Set the backup ID of the VSRP instance to 1.
[BRASB] vsrp instance 1
[BRASB-vsrp-instance-1] backup id 1 peer 1
# Bind VSRP instance 1 to VRRP group 1 on GigabitEthernet 1/0/1 and set VSRP instance 1 to operate in hot backup mode.
[BRASB-vsrp-instance-1] bind vrrp vrid 1 interface gigabitethernet 1/0/1
[BRASB-vsrp-instance-1] backup mode hot
# Specify the logical NAS IP address as 5.5.5.1.
[BRASB-vsrp-instance-1] nas ip 5.5.5.1
# Specify the logical interface as GigabitEthernet 1/0/2.
[BRASB-vsrp-instance-1] nas port gigabitethernet 1/0/2
[BRASB-vsrp-instance-1] quit
c. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
[BRASB] radius scheme rs1
# Specify the primary authentication server and primary accounting server.
[BRASB-radius-rs1] primary authentication 10.20.30.1
[BRASB-radius-rs1] primary accounting 10.20.30.1
# Set the shared key for secure RADIUS authentication and accounting communication.
[BRASB-radius-rs1] key authentication simple radius
[BRASB-radius-rs1] key accounting simple radius
# Configure BRAS B to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme rs1.
[BRASB-radius-rs1] user-name-format without-domain
# Specify the source IP address as 5.5.5.1 (the gateway address for the host) for outgoing RADIUS packets.
[BRASB-radius-rs1] nas-ip 5.5.5.1
[BRASB-radius-rs1] quit
# Enable the session-control feature.
[BRASB] radius session-control enable
d. Configure an authentication domain:
# Create ISP domain dm1 and enter ISP domain view.
[BRASB] domain dm1
# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting for PPP users.
[BRASB-isp-dm1] authentication ppp radius-scheme rs1
[BRASB-isp-dm1] authorization ppp radius-scheme rs1
[BRASB-isp-dm1] accounting ppp radius-scheme rs1
[BRASB-isp-dm1] authorization-attribute ip-pool pool1
[BRASB-isp-dm1] quit
e. Configure PPPoE authentication:
# Configure address pool pool1. Add the IP address range from 5.5.5.2 to 5.5.5.10 to the pool.
[BRASB] ip pool pool1 5.5.5.2 5.5.5.10
# Specify 5.5.5.1 as a gateway address in the address pool.
[BRASB] ip pool pool1 gateway 5.5.5.1
# Specify 5.5.5.0 as a PPP address pool route and associate the route with VSRP instance 1.
[BRASB] ppp ip-pool route 5.5.5.0 255.255.255.0 vsrp-instance 1
# Specify TCP port 10000 as the TCP port for VSRP to establish data channels for PPP and PPPoE session backup.
[BRASB] ppp vsrp-port 10000
# Create interface Virtual-Template 10 and assign it an IP address of 5.5.5.1.
[BRASB] interface virtual-template 10
[BRASA-Virtual-Template10] ip address 5.5.5.1 24
# Configure Virtual-Template 10 to use CHAP for authentication and use address pool pool1 to assign IP addresses.
[BRASB-Virtual-Template10] ppp authentication-mode chap domain dm1
[BRASB-Virtual-Template10] remote address pool pool1
# Enable PPP accounting.
[BRASB-Virtual-Template10] ppp account-statistics enable
[BRASB-Virtual-Template10] quit
# Enable a PPPoE server on GigabitEthernet 1/0/1 and bind GigabitEthernet 1/0/1 to interface Virtual-Template 10.
[BRASB] interface gigabitethernet 1/0/1
[BRASB-GigabitEthernet1/0/1] pppoe-server bind virtual-template 10
# Associate GigabitEthernet 1/0/1 with VSRP instance 1.
[BRASB-GigabitEthernet1/0/1] pppoe-server vsrp-instance 1
[BRASB-GigabitEthernet1/0/1] quit
Verifying the configuration
1. Enter username user1 and password pass1 on the PPPoE client software to initiate a connection request to the PPPoE server.
2. Verify that BRAS A (the master) and BRAS B (the backup) have the same PPP and PPPoE sessions after the client accesses the network.
# Display PPP sessions synchronized by VSRP instances on BRAS A.
[BRASA] display ppp sync-session
VSRP instance: 1
VSRP instance state: Master
Total synchronized PPP sessions: 1
SID MAC address Interface IP address Username
1 000c-2984-90d2 GE1/0/1 5.5.5.2 user1
# Display PPPoE sessions synchronized by VSRP instances on BRAS A.
[BRASA] display pppoe-server sync-session
VSRP instance: 1
VSRP instance state: Master
Total synchronized PPPoE sessions: 1
SID Service VLAN Customer VLAN MAC address Interface
1 N/A N/A 000c-2984-90d2 GE1/0/1
# Display PPP sessions synchronized by VSRP instances on BRAS B.
[BRASB] display ppp sync-session
VSRP instance: 1
VSRP instance state: Backup
Total synchronized PPP sessions: 1
SID MAC address Interface IP address Username
1 000c-2984-90d2 GE1/0/1 5.5.5.2 user1
# Display PPPoE sessions synchronized by VSRP instances on BRAS B.
[BRASB] display pppoe-server sync-session
VSRP instance: 1
VSRP instance state: Backup
Total synchronized PPPoE sessions: 1
SID Service VLAN Customer VLAN MAC address Interface
1 N/A N/A 000c-2984-90d2 GE1/0/1
3. Verify that BRAS B becomes the master and takes over the PPPoE services when BRAS A fails (for example, GigabitEthernet 1/0/1 is down).
# Display PPP sessions synchronized by VSRP instances on BRAS B.
[BRASB] display ppp sync-session
VSRP instance: 1
VSRP instance state: Master
Total synchronized PPP sessions: 1
SID MAC address Interface IP address Username
1 000c-2984-90d2 GE1/0/1 5.5.5.2 user1
# Display PPPoE sessions synchronized by VSRP instances on BRAS B.
[BRASB] display pppoe-server sync-session
VSRP instance: 1
VSRP instance state: Master
Total synchronized PPPoE sessions: 1
SID Service VLAN Customer VLAN MAC address Interface
1 N/A N/A 000c-2984-90d2 GE1/0/1
Example: Configuring VSRP for L2TP
Network configuration
As shown in Figure 5, enable VSRP for L2TP on LAC 1 (the master) and LAC 2 (the backup). When LAC 1 fails, LAC 2 can take over the L2TP services to avoid service interruption.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 5. Configure routes for the remote user, the LACs, the LNS, and the RADIUS servers to reach one another. (Details not shown.)
2. Configure RADIUS server 1 and RADIUS server 2. (Details not shown.)
3. Configure the LNS:
# Create a RADIUS scheme named rad and enter RADIUS scheme view.
<LNS> system-view
[LNS] radius scheme rad
# Specify the primary authentication server with IP address 7.7.7.2 and UDP port number 1812.
[LNS-radius-rad] primary authentication 7.7.7.2 1812
# Set the shared key for secure RADIUS authentication communication.
[LNS-radius-rad] key authentication simple auth2pass
# Specify the source IP address as 7.7.7.1 (the IP address of GigabitEthernet 1/0/2) for outgoing RADIUS packets.
[LNS-radius-rad] nas-ip 7.7.7.1
[LNS-radius-rad] quit
# Create address pool pool1 and add the IP address range from 192.168.0.2 to 192.168.0.10 to the pool.
[LNS] ip pool pool1 192.168.0.2 192.168.0.10
# Specify 192.168.0.1 as a gateway address in the address pool.
[LNS] ip pool pool1 gateway 192.168.0.1
# Create ISP domain bbb and configure the domain to use RADIUS scheme rad for authentication, authorization, and accounting for PPP users.
[LNS] domain bbb
[LNS-isp-bbb] authentication ppp radius-scheme rad
[LNS-isp-bbb] authorization ppp radius-scheme rad
[LNS-isp-bbb] accounting ppp radius-scheme rad
[LNS-isp-bbb] authorization-attribute ip-pool pool1
[LNS-isp-bbb] quit
# Enable L2TP.
[LNS] l2tp enable
# Create interface Virtual-Template 1, and set the PPP authentication mode to PAP.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ppp authentication-mode pap domain bbb
[LNS-Virtual-Template1] quit
# Create L2TP group 1 in LNS mode.
[LNS] l2tp-group 1 mode lns
# Configure the local tunnel name as LNS.
[LNS-l2tp1] tunnel name LNS
# Specify Virtual-Template 1 for receiving calls from the specified LAC.
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
# Disable tunnel authentication.
[LNS-l2tp1] undo tunnel authentication
[LNS-l2tp1] quit
4. Configure LAC 1:
# Create a RADIUS scheme named rad and enter RADIUS scheme view.
<LAC1> system-view
[LAC1] radius scheme rad
# Specify the primary authentication server with IP address 1.1.1.3 and UDP port number 1812.
[LAC1-radius-rad] primary authentication 1.1.1.3 1812
# Specify the primary accounting server with IP address 1.1.1.3 and UDP port number 1813.
[LAC1-radius-rad] primary accounting 1.1.1.3 1813
# Set the shared key for secure RADIUS authentication communication.
[LAC1-radius-rad] key authentication simple auth1pass
# Specify the source IP address as 1.1.1.100 (the virtual IP address of VRRP group 1) for outgoing RADIUS packets.
[LAC1-radius-rad] nas-ip 1.1.1.100
[LAC1-radius-rad] quit
# Create ISP domain bbb and enter ISP domain view.
[LAC1] domain bbb
# Configure the domain to use RADIUS scheme rad for authentication, authorization, and accounting for PPP users.
[LAC1-isp-bbb] authentication ppp radius-scheme rad
[LAC1-isp-bbb] authorization ppp radius-scheme rad
[LAC1-isp-bbb] accounting ppp radius-scheme rad
[LAC1-isp-bbb] quit
# Create interface Virtual-Template 1 and set the PPP authentication mode to PAP.
[LAC1] interface virtual-template 1
[LAC1-Virtual-Template1] ppp authentication-mode pap domain bbb
[LAC1-Virtual-Template1] quit
# Enable L2TP.
[LAC1] l2tp enable
# Create L2TP group 1 in LAC mode.
[LAC1] l2tp-group 1 mode lac
# Configure the local tunnel name as LAC.
[LAC1-l2tp1] tunnel name LAC
# Specify PPP user user1 as the condition for the LAC to initiate tunneling requests.
[LAC1-l2tp1] user fullusername user1
# Specify the LNS IP address as 5.5.5.1.
[LAC1-l2tp1] lns-ip 5.5.5.1
# Disable tunnel authentication.
[LAC1-l2tp1] undo tunnel authentication
# Associate L2TP group 1 with VSRP instance l2tp1.
[LAC1-l2tp1] vsrp-instance l2tp1
# Specify the source IP address for the L2TP tunnel as 6.6.6.1.
[LAC1-l2tp1] tunnel vsrp source-ip 6.6.6.1
[LAC1-l2tp1] quit
# Configure the PPPoE server.
[LAC1] interface gigabitethernet 1/0/1
[LAC1-GigabitEthernet1/0/1] pppoe-server bind virtual-template 1
# Associate the PPPoE server-enabled interface with VSRP instance l2tp1.
[LAC1-GigabitEthernet1/0/1] pppoe-server vsrp-instance l2tp1
[LAC1-GigabitEthernet1/0/1] quit
# Create track entry 2 to monitor the link status of uplink interface GigabitEthernet 1/0/2.
[LAC1] track 2 interface gigabitethernet 1/0/2
# Create VRRP group 1 set its virtual IP address to 1.1.1.100.
[LAC1] interface gigabitethernet 1/0/1
[LAC1-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.100
# Set the priority of LAC 1 to 120 in VRRP group 1 on GigabitEthernet 1/0/1.
[LAC1-GigabitEthernet1/0/1] vrrp vrid 1 priority 120
# Configure LAC 1 to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[LAC1-GigabitEthernet1/0/1] vrrp vrid 1 preempt-mode delay 5000
# Associate VRRP group 1 on GigabitEthernet 1/0/1 with track entry 2 and decrease the device priority by 50 when the state of track entry 2 changes to Negative.
[LAC1-GigabitEthernet1/0/1] vrrp vrid 1 track 2 priority reduced 50
[LAC1-GigabitEthernet1/0/1] quit
# Create VSRP group pname, and enter VSRP peer view.
[LAC1] vsrp peer pname
# Specify the local IP address as 2.2.2.2 and the peer IP address as 3.3.3.3 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[LAC1-vsrp-peer-pname] peer 3.3.3.3 local 2.2.2.2
[LAC1-vsrp-peer-pname] quit
# Create VSRP instance l2tp1 and associate it with VSRP group pname. Set the backup ID of the VSRP instance to 10.
[LAC1] vsrp instance l2tp1
[LAC1-vsrp-instance-l2tp1] backup id 10 peer pname
# Bind VSRP instance l2tp1 to VRRP group 1 on GigabitEthernet 1/0/1.
[LAC1-vsrp-instance-l2tp1] bind vrrp vrid 1 interface gigabitethernet 1/0/1
[LAC1-vsrp-instance-l2tp1] quit
5. Configure LAC 2:
# Create a RADIUS scheme named rad and enter RADIUS scheme view.
<LAC2> system-view
[LAC2] radius scheme rad
# Specify the primary authentication server with IP address 1.1.1.3 and UDP port number 1812.
[LAC2-radius-rad] primary authentication 1.1.1.3 1812
# Specify the primary accounting server with IP address 1.1.1.3 and UDP port number 1813.
[LAC2-radius-rad] primary accounting 1.1.1.3 1813
# Set the shared key for secure RADIUS authentication communication.
[LAC2-radius-rad] key authentication simple auth1pass
# Specify the source IP address as 1.1.1.100 (the virtual IP address of VRRP group 1) for outgoing RADIUS packets.
[LAC2-radius-rad] nas-ip 1.1.1.100
[LAC2-radius-rad] quit
# Create ISP domain bbb and enter ISP domain view.
[LAC2] domain bbb
# Configure the domain to use RADIUS scheme rad for authentication, authorization, and accounting for PPP users.
[LAC2-isp-bbb] authentication ppp radius-scheme rad
[LAC2-isp-bbb] authorization ppp radius-scheme rad
[LAC2-isp-bbb] accounting ppp radius-scheme rad
[LAC2-isp-bbb] quit
# Create interface Virtual-Template 1 and set the PPP authentication mode to PAP.
[LAC2] interface virtual-template 1
[LAC2-Virtual-Template1] ppp authentication-mode pap domain bbb
[LAC2-Virtual-Template1] quit
# Enable L2TP.
[LAC2] l2tp enable
# Create L2TP group 1 in LAC mode.
[LAC2] l2tp-group 1 mode lac
# Configure the local tunnel name as LAC.
[LAC2-l2tp1] tunnel name LAC
# Specify PPP user user1 as the condition for the LAC to initiate tunneling requests.
[LAC2-l2tp1] user fullusername user1
# Specify the LNS IP address as 5.5.5.1.
[LAC2-l2tp1] lns-ip 5.5.5.1
# Disable tunnel authentication.
[LAC2-l2tp1] undo tunnel authentication
# Associate L2TP group 1 with VSRP instance l2tp1.
[LAC2-l2tp1] vsrp-instance l2tp1
# Specify the source IP address for the L2TP tunnel as 6.6.6.1.
[LAC2-l2tp1] tunnel vsrp source-ip 6.6.6.1
[LAC2-l2tp1] quit
# Configure the PPPoE server.
[LAC2] interface gigabitethernet 1/0/1
[LAC2-GigabitEthernet1/0/1] pppoe-server bind virtual-template 1
# Associate the PPPoE server with VSRP instance l2tp1.
[LAC2-GigabitEthernet1/0/1] pppoe-server vsrp-instance l2tp1
[LAC2-GigabitEthernet1/0/1] quit
# Associate track entry 1 with BFD to monitor the link between local IP address 1.1.1.2 and remote IP address 1.1.1.1 by sending BFD echo packets through GigabitEthernet 1/0/1.
[LAC2] track 1 bfd echo interface gigabitethernet 1/0/1 remote ip 1.1.1.1 local ip 1.1.1.2
# Create VRRP group 1 and set its virtual IP address to 1.1.1.100.
[LAC2] interface gigabitethernet 1/0/1
[LAC2-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.100
# Configure LAC 2 to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[LAC2–GigabitEthernet1/0/1] vrrp vrid 1 preempt-mode delay 5000
[LAC2-GigabitEthernet1/0/1] quit
# Create VSRP group pname and enter VSRP peer view.
[LAC2] vsrp peer pname
# Specify the local IP address as 3.3.3.3 and the peer address as 2.2.2.2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[LAC2-vsrp-peer-pname] peer 2.2.2.2 local 3.3.3.3
[LAC2-vsrp-peer-pname] quit
# Create VSRP instance l2tp1 and associate it with VSRP group pname. Set the backup ID of the VSRP instance to 10.
[LAC2] vsrp instance l2tp1
[LAC2-vsrp-instance-l2tp1] backup id 10 peer pname
# Bind VSRP instance l2tp1 to VRRP group 1 on GigabitEthernet 1/0/1.
[LAC2-vsrp-instance-l2tp1] bind vrrp vrid 1 interface gigabitethernet 1/0/1
[LAC2-vsrp-instance-l2tp1] quit
6. Enter the username user1 and password pwd on the PPPoE client dialup software to initiate a connection request on the remote user.
Verifying the configuration
# Verify that LAC 1 (the master) has synchronized L2TP service data to LAC 2 (the backup).
[LAC1] display l2tp vsrp
VSRP instance name: l2tp1
VSRP mode: Hot
VSRP status: Switched
Local VSRP state: Master/Up
Remote VSRP state: Slave
VSRP channel state: Synced
Sent messages: 2
Received messages: 114954
Discarded sent messages: 0
Discarded received messages: 0
Sent tunnel adding messages: 0
Received tunnel adding messages: 3004
Sent tunnel deleting messages: 0
Received tunnel deleting messages: 3000
Sent session adding messages: 0
Received session adding messages: 3004
Sent session deleting messages: 0
Received session deleting messages: 3000
Current tunnels: 4
Current sessions: 4
Added tunnels: 3004
Deleted tunnels: 3000
Added sessions: 3004
Deleted sessions: 3000
# Verify that LAC 1 and LAC 2 have the same L2TP sessions.
[LAC1] display l2tp session vsrp
VSRP instance name: l2tp1
Local session ID: 467
Remote session ID: 32060
Local tunnel ID: 28532
State: Established
User ID: 0002ffffffff0cda41c693a1
Interface: Virtual-Access1
[LAC2] display l2tp session vsrp
VSRP instance name: l2tp1
Local session ID: 467
Remote session ID: 32060
Local tunnel ID: 28532
State: Established
User ID: 0002ffffffff0cda41c693a1
Interface: Virtual-Access1
# Verify that LAC 1 and LAC 2 have the same L2TP tunnel information.
[LAC1] display l2tp tunnel vsrp
VSRP instance name: l2tp1
Local tunnel ID: 28532
Remote tunnel ID: 4
State: Established
Sessions: 1
Remote address: 5.5.5.1
Remote port: 1701
Remote name: LNS
Local address: 6.6.6.1
Send sequence number(Ns): 3
Receive sequence number(Nr): 2
[LAC2] display l2tp tunnel vsrp
VSRP instance name: l2tp1
Local tunnel ID: 28532
Remote tunnel ID: 4
State: Established
Sessions: 1
Remote address: 5.5.5.1
Remote port: 1701
Remote name: LNS
Local address: 6.6.6.1
Send sequence number(Ns): 3
Receive sequence number(Nr): 2
# Shut down LAC 1.
# Verify that LAC 2 becomes the master and takes over the L2TP services. LAC 1 becomes the backup. The data channel between them is disconnected.
[LAC2] display l2tp vsrp
VSRP instance name: l2tp1
VSRP mode: Hot
VSRP status: Switched
Local VSRP state: Master/Up
Remote VSRP state: Slave
VSRP channel state: Disconnected
Sent messages: 2
Received messages: 114954
Discarded sent messages: 0
Discarded received messages: 0
Sent tunnel adding messages: 0
Received tunnel adding messages: 3004
Sent tunnel deleting messages: 0
Received tunnel deleting messages: 3000
Sent session adding messages: 0
Received session adding messages: 3004
Sent session deleting messages: 0
Received session deleting messages: 3000
Current tunnels: 4
Current sessions: 4
Added tunnels: 3004
Deleted tunnels: 3000
Added sessions: 3004
Deleted sessions: 3000
Example: Configuring VSRP for portal
Network configuration
The host in VLAN 1000 obtains an IP address through DHCP and uses portal authentication to access the network.
Enable OSPF on Router A and Router B to ensure that they can learn and advertise routes on their upstream links.
Enable VSRP for portal on Router A and Router B, and perform the following tasks:
· On GigabitEthernet 1/0/1.1000, perform the following tasks:
¡ Configure portal authentication.
¡ Specify an IP address pool for the subinterface to assign IP addresses before portal authentication is enabled.
¡ Configure the subinterface to terminate VLAN-tagged packets whose outermost VLAN ID is 1000.
· On GigabitEthernet 1/0/1.1001, perform the following tasks:
¡ Configure a VRRP group.
¡ Configure the subinterface to terminate VLAN-tagged packets whose outermost VLAN ID is 1001.
· Use the RADIUS server for authentication and accounting of the portal user. This example uses the server as both the portal server and the RADIUS server.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 6. (Details not shown.)
2. Configure the server as both a RADIUS server and a portal server to perform authentication and accounting for the portal users.
In the configuration, add the IP addresses 1.1.1.2, 2.1.1.2, and 9.2.0.1 to the RADIUS server and the IP address 9.2.0.1 to the portal server.
3. Configure Router A:
a. Configure OSPF:
# Enable OSPF process 1 and specify its router ID as 1.1.1.2 (the IP address of GigabitEthernet 1/0/2).
<RouterA> system-view
[RouterA] ospf 1 router-id 1.1.1.2
# Configure OSPF to redistribute the static route filtered by routing policy 1. When Router A acts as the master and assigns an IP address to the host, it advertises the static route destined for the subnet where the host resides to Router C. In this way, Router C can select the route to the host based on the state of Router A and Router B in the VSRP instance.
[RouterA-ospf-1] import-route static route-policy 1
[RouterA-ospf-1] quit
# Enable OSPF process 1 on GigabitEthernet 1/0/2 that is in Area 0.
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ospf 1 area 0.0.0.0
[RouterA-GigabitEthernet1/0/2] quit
b. Configure DHCP:
# Enable DHCP.
[RouterA] dhcp enable
# Create a DHCP pool named p1 and associate p1 with VSRP instance v1.
[RouterA] dhcp server ip-pool p1
[RouterA-dhcp-pool-p1] vsrp-instance v1
# Assign gateway address 9.2.0.1 to the host, and export the host route destined for the host and the route destined for 9.2.0.0/16. When Router A acts as the master, it assigns an IP address to the host. Then, Router A adds the host route destined for the host and the route destined for the subnet where the host resides to the routing table.
[RouterA-dhcp-pool-p1] gateway-list 9.2.0.1 export-route
[RouterA-dhcp-pool-p1] network 9.2.0.0 mask 255.255.0.0 export-route
[RouterA-dhcp-pool-p1] forbidden-ip 9.2.0.1
[RouterA-dhcp-pool-p1] quit
# Configure routing policy 1 to permit routes destined for 9.2.0.0/16.
[RouterA] ip prefix-list 1 permit 9.2.0.0 16
[RouterA] route-policy 1 permit node 1
[RouterA-route-policy-1-1] if-match ip address prefix-list 1
[RouterA-route-policy-1-1] quit
c. Configure a VRRP group:
# Configure GigabitEthernet 1/0/1.1001 to terminate VLAN 1001.
[RouterA] interface gigabitethernet 1/0/1.1001
[RouterA-GigabitEthernet1/0/1.1001] vlan-type dot1q vid 1001
# Create VRRP group 1 and set its virtual IP address to 8.2.0.3.
[RouterA-GigabitEthernet1/0/1.1001] vrrp vrid 1 virtual-ip 8.2.0.3
# Set the priority of the router to 250 in VRRP group 1 on GigabitEthernet 1/0/1.1001. Router A is assigned a higher priority than Router B in VRRP group 1, so Router A can become the master.
[RouterA-GigabitEthernet1/0/1.1001] vrrp vrid 1 priority 250
# Configure Router A to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[RouterA-GigabitEthernet1/0/1.1001] vrrp vrid 1 preempt-mode delay 5000
[RouterA-GigabitEthernet1/0/1.1001] quit
# Create track entry 1 to monitor the link status of uplink interface GigabitEthernet 1/0/2. When the uplink fails, the track entry transits to Negative state.
[RouterA] track 1 interface gigabitethernet 1/0/2
# Associate VRRP group 1 on GigabitEthernet 1/0/1.1001 with track entry 1 and decrease the router priority by 200 when the state of track entry 1 changes to Negative.
[RouterA] interface gigabitethernet 1/0/1.1001
[RouterA-GigabitEthernet1/0/1.1001] vrrp vrid 1 track 1 priority reduced 200
[RouterA-GigabitEthernet1/0/1.1001] quit
d. Configure a VSRP instance:
# Create VSRP group c2 and enter VSRP peer view.
[RouterA] vsrp peer c2
# Specify the local IP address as 1.1.1.2 and the peer IP address as 2.1.1.2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[RouterA-vsrp-peer-c2] peer 2.1.1.2 local 1.1.1.2
[RouterA-vsrp-peer-c2] quit
# Create VSRP instance v1 and enter VSRP instance view.
[RouterA] vsrp instance v1
# Associate the VSRP instance with VSRP group c2 and set its backup ID to 1.
[RouterA-vsrp-instance-v1] backup id 1 peer c2
# Bind VSRP instance v1 to VRRP group 1 on GigabitEthernet1/0/1.1001.
[RouterA-vsrp-instance-v1] bind vrrp vrid 1 interface gigabitethernet 1/0/1.1001
# Specify the NAS IP address as 9.2.0.1 (the gateway address of the host). This enables the router to use NAS-IP-address 9.2.0.1 in packets sent to the RADIUS server.
[RouterA-vsrp-instance-v1] nas ip 9.2.0.1
[RouterA-vsrp-instance-v1] quit
e. Configure AAA:
# Enable the session-control feature.
[RouterA] radius session-control enable
# Create a RADIUS scheme named imc and enter RADIUS scheme view.
[RouterA] radius scheme imc
# Specify the primary authentication server and primary accounting server.
[RouterA-radius-imc] primary authentication 111.8.0.244 key simple p124
[RouterA-radius-imc] primary accounting 111.8.0.244 key simple p124
# Configure the router to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme imc.
[RouterA-radius-imc] user-name-format without-domain
# Specify the source IP address as 9.2.0.1 for outgoing RADIUS packets.
[RouterA-radius-imc] nas-ip 9.2.0.1
[RouterA-radius-imc] quit
# Create ISP domain portal and configure the domain to use RADIUS scheme imc for authentication, authorization, and accounting for portal users.
[RouterA] domain portal
[RouterA-isp-portal] authentication portal radius-scheme imc
[RouterA-isp-portal] authorization portal radius-scheme imc
[RouterA-isp-portal] accounting portal radius-scheme imc
[RouterA-isp-portal] quit
f. Configure portal authentication:
# Configure GigabitEthernet 1/0/1.1000 to terminate VLAN 1000.
[RouterA] interface gigabitethernet 1/0/1.1000
[RouterA-GigabitEthernet1/0/1.1000] vlan-type dot1q vid 1000
# Enable direct IPv4 portal authentication on GigabitEthernet 1/0/1.1000.
[RouterA-GigabitEthernet1/0/1.1000] portal enable method direct
# Configure the authentication domain for IPv4 portal users as portal on GigabitEthernet 1/0/1.1000.
[RouterA-GigabitEthernet1/0/1.1000] portal domain portal
# Configure the BAS-IP attribute of outgoing portal packets as 9.2.0.1 (the gateway address of the host) on GigabitEthernet 1/0/1.1000.
[RouterA-GigabitEthernet1/0/1.1000] portal bas-ip 9.2.0.1
# Reference portal Web server ab on GigabitEthernet 1/0/1.1000 for portal authentication.
[RouterA-GigabitEthernet1/0/1.1000] portal apply web-server ab
# Specify IP address pool p1 for the subinterface to assign IP addresses before portal authentication is enabled.
[RouterA-GigabitEthernet1/0/1.1000] portal pre-auth ip-pool p1
# Associate the portal-enabled interface GigabitEthernet 1/0/1.1000 with VSRP instance v1.
[RouterA-GigabitEthernet1/0/1.1000] portal vsrp-instance v1
[RouterA-GigabitEthernet1/0/1.1000] quit
# Create portal Web server ab and configure the URL for portal Web server ab as http://111.8.0.244:8080/portal.
[RouterA] portal web-server ab
[RouterA-portal-websvr-ab] url http://111.8.0.244:8080/portal
[RouterA-portal-websvr-ab] quit
# Create portal authentication server pt and enter its view.
[RouterA] portal server pt
# Configure the IP address of IPv4 portal authentication server pt as 111.8.0.244 and the plaintext key as h3c.
[RouterA-portal-server-pt] ip 111.8.0.244 key simple h3c
[RouterA-portal-server-pt] quit
4. Configure Router B:
a. Configure OSPF:
# Enable OSPF process 1 and specify its router ID as 2.1.1.2 (the IP address of GigabitEthernet1/0/2).
<RouterB> system-view
[RouterB] ospf 1 router-id 2.1.1.2
# Configure OSPF to redistribute the static route filtered by routing policy 1. When Router B acts as the master and assigns an IP address to the host, it advertises the static route destined for the subnet to Router C. In this way, Router C can select the route to the host based on the state of Router A and Router B in the VSRP instance.
[RouterB-ospf-1] import-route static route-policy 1
[RouterB-ospf-1] quit
# Enable OSPF process 1 on GigabitEthernet 1/0/2 that is in Area 0.
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] ospf 1 area 0.0.0.0
# Set the OSPF cost to 10 on GigabitEthernet 1/0/2.
[RouterB-GigabitEthernet1/0/2] ospf cost 10
[RouterB-GigabitEthernet1/0/2] quit
b. Configure DHCP:
# Enable DHCP.
[RouterB] dhcp enable
# Create a DHCP pool named p1 and associate p1 with VSRP instance v1.
[RouterB] dhcp server ip-pool p1
[RouterB-dhcp-pool-p1] vsrp-instance v1
# Assign gateway address 9.2.0.1 to the host, and export the host route destined for the host and the route destined for 9.2.0.0/16. When Router B acts as the master, it assigns an IP address to the host. Then Router B adds the host route destined for the host and the route destined for the subnet where the host resides to the routing table.
[RouterB-dhcp-pool-p1] gateway-list 9.2.0.1 export-route
[RouterB-dhcp-pool-p1] network 9.2.0.0 mask 255.255.0.0 export-route
[RouterB-dhcp-pool-p1] forbidden-ip 9.2.0.1
[RouterB-dhcp-pool-p1] quit
# Configure routing policy 1 to permit routes destined for network 9.2.0.0/16.
[RouterB] ip prefix-list 1 permit 9.2.0.0 16
[RouterB] route-policy 1 permit node 1
[RouterB-route-policy-1-1] if-match ip address prefix-list 1
[RouterB-route-policy-1-1] quit
c. Configure a VRRP group:
# Configure GigabitEthernet 1/0/1.1001 to terminate VLAN 1001.
[RouterB] interface gigabitethernet 1/0/1.1001
[RouterB-GigabitEthernet1/0/1.1001] vlan-type dot1q vid 1001
# Create VRRP group 1 and set its virtual IP address to 8.2.0.3.
[RouterB-GigabitEthernet1/0/1.1001] vrrp vrid 1 virtual-ip 8.2.0.3
# Set the priority of the router to 200 in VRRP group 1 on GigabitEthernet 1/0/1.1001.
[RouterB-GigabitEthernet1/0/1.1001] vrrp vrid 1 priority 200
[RouterB-GigabitEthernet1/0/1.1001] quit
# Configure Router B to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.
[RouterB-GigabitEthernet1/0/1.1001] vrrp vrid 1 preempt-mode delay 5000
[RouterB-GigabitEthernet1/0/1.1001] quit
d. Configure a VSRP instance:
# Create VSRP group c2 and enter VSRP peer view.
[RouterB] vsrp peer c2
# Specify the local IP address as 2.1.1.2 and the peer IP address as 1.1.1.2 for VSRP to establish VSRP channels. The default TCP port number for the control channel is used.
[RouterB-vsrp-peer-c2] peer 1.1.1.2 local 2.1.1.2
[RouterB-vsrp-peer-c2] quit
# Create VSRP instance v1 and enter VSRP instance view.
[RouterB] vsrp instance v1
# Associate the VSRP instance with VSRP group c2 and set its backup ID to 1.
[RouterB-vsrp-instance-v1] backup id 1 peer c2
# Bind VSRP instance v1 to VRRP group 1 on GigabitEthernet1/0/1.1001.
[RouterB-vsrp-instance-v1] bind vrrp vrid 1 interface gigabitethernet 1/0/1.1001
# Specify the NAS IP address as 9.2.0.1 (the gateway address of the host). This enables the router to use NAS-IP-address 9.2.0.1 in packets sent to the RADIUS server.
[RouterB-vsrp-instance-v1] nas ip 9.2.0.1
[RouterB-vsrp-instance-v1] quit
e. Configure AAA:
# Enable the session-control feature.
[RouterB] radius session-control enable
# Create a RADIUS scheme named imc and enter RADIUS scheme view.
[RouterB] radius scheme imc
# Specify the primary authentication server and primary accounting server.
[RouterB-radius-imc] primary authentication 111.8.0.244 key simple p124
[RouterB-radius-imc] primary accounting 111.8.0.244 key simple p124
# Configure the router to remove the domain name in the username sent to the RADIUS servers for RADIUS scheme imc.
[RouterB-radius-imc] user-name-format without-domain
# Specify the source IP address as 9.2.0.1 for outgoing RADIUS packets.
[RouterB-radius-imc] nas-ip 9.2.0.1
[RouterB-radius-imc] quit
# Create ISP domain portal and configure the domain to use RADIUS scheme imc for authentication, authorization, and accounting for portal users.
[RouterB] domain portal
[RouterB-isp-portal] authentication portal radius-scheme imc
[RouterB-isp-portal] authorization portal radius-scheme imc
[RouterB-isp-portal] accounting portal radius-scheme imc
[RouterB-isp-portal] quit
f. Configure portal authentication:
# Configure GigabitEthernet 1/0/1.1000 to terminate VLAN 1000.
[RouterB] interface gigabitethernet 1/0/1.1000
[RouterB-GigabitEthernet1/0/1.1000] vlan-type dot1q vid 1000
# Enable direct IPv4 portal authentication on GigabitEthernet 1/0/1.1000.
[RouterB-GigabitEthernet1/0/1.1000] portal enable method direct
# Configure the authentication domain for IPv4 portal users as portal on GigabitEthernet 1/0/1.1000.
[RouterB-GigabitEthernet1/0/1.1000] portal domain portal
# Configure the BAS-IP attribute of outgoing portal packets as 9.2.0.1 (the gateway IP address of the host) on GigabitEthernet 1/0/1.1000.
[RouterB-GigabitEthernet1/0/1.1000] portal bas-ip 9.2.0.1
# Reference portal Web server ab on GigabitEthernet 1/0/1.1000 for portal authentication.
[RouterB-GigabitEthernet1/0/1.1000] portal apply web-server ab
# Specify IP address pool p1 for the subinterface to assign IP addresses before portal authentication is enabled.
[RouterB-GigabitEthernet1/0/1.1000] portal pre-auth ip-pool p1
# Associate the portal-enabled interface GigabitEthernet 1/0/1.1000 with VSRP instance v1.
[RouterB-GigabitEthernet1/0/1.1000] portal vsrp-instance v1
[RouterB-GigabitEthernet1/0/1.1000] quit
# Create portal Web server ab and configure the URL for portal Web server ab as http://111.8.0.244:8080/portal.
[RouterB] portal web-server ab
[RouterB-portal-websvr-ab] url http://111.8.0.244:8080/portal
[RouterB-portal-websvr-ab] quit
# Create portal authentication server pt and enter its view.
[RouterB] portal server pt
# Configure the IP address of IPv4 portal authentication server pt as 111.8.0.244 and the plaintext key as h3c.
[RouterB-portal-server-pt] ip 111.8.0.244 key simple h3c
[RouterB-portal-server-pt] quit
5. Configure Router C:
# Enable OSPF process 1 and set its router ID to 1.1.1.1 (the IP address of GigabitEthernet 1/0/1).
[RouterC] ospf 1 router-id 1.1.1.1
# Configure OSPF Area 0.
[RouterC-ospf-1] area 0.0.0.0
[RouterC-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255
[RouterC-ospf-1] quit
6. Configure the L2 Switch:
a. Configure VLANs:
# Create VLAN 1000 and VLAN 1001. The host is in VLAN 1000 and the VRRP messages are transmitted in VLAN 1001.
<L2Switch> system-view
[L2Switch] vlan 1000
[L2Switch-vlan1000] quit
[L2Switch] vlan 1001
[L2Switch-vlan1001] quit
b. Configure the interfaces:
# Assign the user access interface GigabitEthernet 1/0/1 to VLAN 1000.
[L2Switch] interface gigabitethernet 1/0/1
[L2Switch-GigabitEthernet1/0/1] port access vlan 1000
[L2Switch-GigabitEthernet1/0/1] quit
# Assign the trunk port GigabitEthernet 1/0/2 to VLAN 1000 and VLAN 1001.
[L2Switch] interface gigabitethernet 1/0/2
[L2Switch-GigabitEthernet1/0/2] port link-type trunk
[L2Switch-GigabitEthernet1/0/2] port trunk permit vlan 1000 to 1001
[L2Switch-GigabitEthernet1/0/2] quit
# Assign the trunk port GigabitEthernet 1/0/3 to VLAN 1000 and VLAN 1001.
[L2Switch] interface GigabitEthernet1/0/3
[L2Switch-GigabitEthernet1/0/3] port link-type trunk
[L2Switch-GigabitEthernet1/0/3] port trunk permit vlan 1000 to 1001
[L2Switch-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify that Router A acts as the master in VSRP instance v1.
[RouterA] display portal interface gigabitethernet 1/0/1
Portal information of GigabitEthernet1/0/1
VSRP Instance: v1
VSRP State: Master
Authorization Stict checking
ACL Disabled
User profile Disabled
IPv4:
Portal status: Enabled
Portal VSRP status: M_Synced
Authentication type: Direct
Portal Web server: pt
Authentication domain: portal
Max Portal users: Not configured
Pre-auth IP pool: p1
BAS-IP: 5.1.1.1
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Mask
Destination authentication subnet:
IP address Mask
IPv6:
Portal status: Disabled
Authentication type: Disabled
Portal Web server: Not configured
Authentication domain: Not configured
Max Portal users: Not configured
Pre-auth IP pool: Not configured
BAS-IPv6: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Prefix length
Destination authentication subnet:
IP address Prefix length
# Verify that Router B acts as the backup in VSRP instance v1.
[RouterB] display portal interface gigabitethernet 1/0/1
Portal information of GigabitEthernet1/0/1
VSRP Instance: v1
VSRP State: Backup
Authorization Strict checking
ACL Disabled
User profile Disabled
IPv4:
Portal status: Enabled
Portal VSRP status: B_Synced
Authentication type: Direct
Portal Web server: v4
Authentication domain: portal
Max Portal users: Not configured
Pre-auth IP pool: p1
BAS-IP: 5.1.1.1
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Mask
Destination authentication subnet:
IP address Mask
IPv6:
Portal status: Disabled
Authentication type: Disabled
Portal Web server: Not configured
Authentication domain: Not configured
Max Portal users: Not configured
Pre-auth IP pool: Not configured
BAS-IPv6: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Prefix length
Destination authentication subnet:
IP address Prefix length
# Verify that Router A and Router B have the same portal user information.
<RouterA> display portal user all
Total portal users: 1
Username: test
Portal server: pt
State: Online
VPN instance: --
MAC IP VLAN Interface
fc4d-d434-ed98 9.2.0.5 -- GigabitEthernet1/0/1
Authorization information:
IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
CAR: N/A
<RouterB> display portal user all
Total portal users: 1
Username: test
Portal server: pt
State: Online
VPN instance: --
MAC IP VLAN Interface
fc4d-d434-ed98 9.2.0.5 -- GigabitEthernet1/0/1
Authorization information:
IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
CAR: N/A
