02 H3C vBRAS DHCP Rate Limiting Configuration Example (5W100)
H3C vBRAS Series Virtual Broadband Remote Access Server: DHCP Rate Limiting Configuration Example
Copyright © 2018 New H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or distributed in any form by any unit or individual without the prior written consent of New H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
This document describes how the vBRAS virtual router rate-limits large volumes of DHCP Discover packets so that authenticated users can still come online and device performance does not degrade, and how it drops renewal Request packets from unauthenticated DHCP clients outright to reduce the load on the DHCP process. In scenarios with heavy DHCP traffic, the feature keeps authenticated users coming online normally. It applies to environments where the vBRAS is the access device, DHCP traffic is heavy, and new users still need to come online.
· This document is not strictly tied to specific software or hardware versions. If the behaviour you observe differs from this document, consult the relevant product manuals or follow the actual behaviour of the device.
· The configurations in this document were set up and verified in a lab environment, with every device parameter at its factory default before configuration. If the device has already been configured, make sure the existing configuration does not conflict with the one in this example.
· This document assumes that you are familiar with VXLAN and IPoE.
As shown in Figure 1:
· The Host accesses the vBRAS through a Layer 2 network using IPoE.
· The vBRAS acts as the DHCP server and dynamically assigns IP addresses to the Host.
· The RADIUS server handles authentication, authorization and accounting.
· The vBRAS rate-limits DHCP Discover packets and Request packets from unauthenticated clients to bound the load on itself and avoid performance degradation.
Figure 1 Network diagram for the DHCP rate limiting configuration example
The vBRAS serves as both the DHCP server and the access device. The RADIUS Server performs authentication, authorization and accounting. The L2 Switch only forwards traffic transparently.
This example was configured and verified on software version vBRAS1000_H3C-CMW710-E1116-X64.
· DHCP packet rate limiting is enabled with the ip subscriber dhcp rate-limit command. Once it is configured, IPoE:
  · Rate-limits DHCP Discover packets so that authenticated users can still come online and performance does not degrade.
  · Drops renewal Request packets from unauthenticated DHCP clients outright, reducing the load on the DHCP process.
· The ip subscriber dhcp rate-limit rate command enables DHCPv4 packet rate limiting for DHCP access users. The rate argument is the maximum number of DHCPv4 packets accepted per second, in the range 1 to 500000000. Size the limit according to the number of concurrent DHCP Discover packets that can occur in your deployment: a limit set below the legitimate peak also discards Discovers from legitimate clients, which then have to be retransmitted before those clients can come online.
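To make the sizing guidance concrete, here is an added example (not H3C code and not a description of the device's implementation) that models the behaviour described above as a token bucket refilled at rate tokens per second: Discovers, and Requests from MACs that hold no authenticated session, consume tokens and are dropped when the bucket is empty, while Requests from authenticated sessions bypass the limiter. The token-bucket shape and the bypass are assumptions drawn from this page's prose and verification counters; the MAC addresses and the 3000 packets/s offered load are constructed test values that mirror the verification section.

```python
from dataclasses import dataclass, field
from fractions import Fraction

DISCOVER, REQUEST = "DISCOVER", "REQUEST"
RATE_MIN, RATE_MAX = 1, 500_000_000   # documented range of the rate argument


@dataclass
class DhcpRateLimiter:
    """Token-bucket model of 'ip subscriber dhcp rate-limit <rate>' (assumed shape, not the device's code)."""
    rate: int
    authenticated: set = field(default_factory=set)  # MACs that already hold an IPoE session
    tokens: Fraction = Fraction(0)                   # exact arithmetic, so results are deterministic
    last_t: Fraction = Fraction(0)
    stats: dict = field(default_factory=dict)

    def __post_init__(self):
        if not RATE_MIN <= self.rate <= RATE_MAX:
            raise ValueError(f"rate must be in {RATE_MIN}..{RATE_MAX}")
        self.stats = {
            "DHCP DISCOVER": 0,
            "DHCP REQUEST": 0,
            "DHCP REQUEST bypassed": 0,   # renewals from authenticated sessions (not a device counter)
            "DHCP-DISCOVERs dropped by rate limiting": 0,
            "DHCP-REQUESTs dropped by rate limiting": 0,
        }

    def offer(self, t, kind, mac):
        """Offer one packet at time t (seconds, Fraction). True = passed to DHCP, False = dropped."""
        if kind == REQUEST and mac in self.authenticated:
            # Assumption: a renewal from a known session is not charged against the limit.
            self.stats["DHCP REQUEST bypassed"] += 1
            return True
        # Refill at `rate` tokens/s, capped at one second's worth (a burst of `rate` is allowed).
        self.tokens = min(Fraction(self.rate), self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            self.stats[f"DHCP {kind}"] += 1
            return True
        self.stats[f"DHCP-{kind}s dropped by rate limiting"] += 1
        return False


def flood(limiter, kind, pps, seconds=1, mac="00:11:22:33:44:55"):
    """Offer `pps` packets of `kind` per second from `mac`, evenly spaced, for `seconds` seconds."""
    for i in range(1, pps * seconds + 1):
        limiter.offer(Fraction(i, pps), kind, mac)
    return dict(limiter.stats)


def verification_runs(rate=1000, pps=3000):
    """The three checks of the verification section: a Discover flood, a Request flood from an
    authenticated MAC and a Request flood from an unknown MAC. Both MACs are constructed values."""
    known = "00:11:22:33:44:55"
    discover = flood(DhcpRateLimiter(rate), DISCOVER, pps)
    req_auth = flood(DhcpRateLimiter(rate, authenticated={known}), REQUEST, pps, mac=known)
    req_unauth = flood(DhcpRateLimiter(rate, authenticated={known}), REQUEST, pps, mac="00:aa:bb:cc:dd:ee")
    return discover, req_auth, req_unauth
```

With rate 1000 and 3000 packets/s offered, the model passes 1000 Discovers and drops 2000 per second, drops nothing from the authenticated MAC, and treats the unknown MAC's Requests like Discovers; raising the rate above the offered load drops nothing, which is the trade-off the sizing advice is about.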
Configure the RADIUS server (the clients.conf and users files below use FreeRADIUS syntax):
(1) Configure the RADIUS client by adding the following to clients.conf:
client 4.4.4.2/32 {
ipaddr = 4.4.4.2
netmask = 32
secret = radius
}
This defines a RADIUS client (the vBRAS) with IP address 4.4.4.2 and shared secret radius.
(2) Configure a valid user by adding the following to the users file:
test Cleartext-Password := "test"
This defines a user named test with the password test.
Configure the vBRAS:
(1) Assign IP addresses to the interfaces (not shown).
(2) Configure a RADIUS scheme.
# Create RADIUS scheme rs1 and configure the primary authentication and accounting servers and the shared keys.
<vBRAS> system-view
[vBRAS] radius scheme rs1
[vBRAS-radius-rs1] primary authentication 4.4.4.1
[vBRAS-radius-rs1] primary accounting 4.4.4.1
[vBRAS-radius-rs1] key authentication simple radius
[vBRAS-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from usernames sent to the RADIUS server.
[vBRAS-radius-rs1] user-name-format without-domain
[vBRAS-radius-rs1] quit
(3) Configure DHCP.
# Enable DHCP.
[vBRAS] dhcp enable
# Create address pool 9 and configure the gateway and the subnet for dynamic allocation.
[vBRAS] dhcp server ip-pool 9
[vBRAS-dhcp-pool-9] gateway-list 9.1.1.1
[vBRAS-dhcp-pool-9] network 9.1.0.0 16
[vBRAS-dhcp-pool-9] quit
(4) Configure the authentication domain.
# Create ISP domain ipoe and bind it to RADIUS scheme rs1 for authentication, authorization and accounting. (The final configuration file below additionally authorizes address pool 9 in this domain.)
[vBRAS] domain name ipoe
[vBRAS-isp-ipoe] authentication ipoe radius-scheme rs1
[vBRAS-isp-ipoe] authorization ipoe radius-scheme rs1
[vBRAS-isp-ipoe] accounting ipoe radius-scheme rs1
[vBRAS-isp-ipoe] quit
(5) Configure IPoE.
# Enter the view of interface GigabitEthernet1/2/0.
[vBRAS] interface gigabitethernet 1/2/0
# Assign IP address 9.1.1.1/16 to the interface.
[vBRAS-GigabitEthernet1/2/0] ip address 9.1.1.1 16
# Enable IPoE in Layer 2 access mode.
[vBRAS-GigabitEthernet1/2/0] ip subscriber l2-connected enable
# Enable DHCP packet triggering.
[vBRAS-GigabitEthernet1/2/0] ip subscriber initiator dhcp enable
# Enable unclassified-IP packet triggering. This is not required for DHCP rate limiting and is absent from the final configuration file below; it lets any packet with an unknown source IP address trigger a session, so enable it only where that is intended.
[vBRAS-GigabitEthernet1/2/0] ip subscriber initiator unclassified-ip enable
# Use ISP domain ipoe for DHCP-triggered users.
[vBRAS-GigabitEthernet1/2/0] ip subscriber dhcp domain ipoe
# Set the authentication username for individual IPoE users to test, the user defined in the RADIUS users file.
[vBRAS-GigabitEthernet1/2/0] ip subscriber username string test
# Set the password for dynamic users to the plaintext string radius. The password sent to RADIUS must match the Cleartext-Password of that user in the users file, where the entry above uses test; align the two values before expecting users to authenticate.
[vBRAS-GigabitEthernet1/2/0] ip subscriber password plaintext radius
[vBRAS-GigabitEthernet1/2/0] quit
# Limit the rate at which the device accepts DHCPv4 packets to 1000 per second.
[vBRAS] ip subscriber dhcp rate-limit 1000
# Use a traffic generator to send DHCP Discover packets to the device at 3000 frames/s, and check the number of packets dropped by the rate limiter at roughly 1-second intervals. The value of DHCP-DISCOVERs dropped by rate limiting is the number of dropped packets.
[vBRAS] probe
[vBRAS-probe] display system internal ip subscriber statistics
Trans2Main : 0
Add session rcvd : 0
…
Batch add session : 0
Update traffic : 0
Update auth info : 0
IPv4 IPoE sessions : 28774 (up to 655360)
IPv6 IPoE sessions : 0 (up to 655360)
IPv4 IPoE trigger sessions : 28774
IPv6 IPoE trigger sessions : 0
IPv4 IPoE Abnormal logout user : 0 (up to 655360)
IPv6 IPoE Abnormal logout user : 0 (up to 655360)
Packets queued : 2156
Packets failed to be queued : 0
Packets relayed by MBUF : 0
Packets to daemon : 90
Packet encapsulations to daemon : 90
Packet encapsulations failed to daemon : 0
Packets dropped : 2191
Packets in linked list : 90
Packet flag for linked list : 0
Packets dropped by fast forwarding table : 0
Packets dropped in memory alert : 0
DHCP-DISCOVERs dropped by rate limiting : 2191
DHCP-REQUESTs dropped by rate limiting : 0
DHCP DISCOVER : 1064
DHCP OFFER : 1092
DHCP REQUEST : 0
DHCP ACK : 0
DHCP RELEASE : 0
DHCP ACK matching no IPoE user : 0
DHCP6 SOLICIT : 0
DHCP6 REQUET : 0
DHCP6 REPLY : 0
DHCP6 REPLY matching no IPoE user : 0
DHCP6 RELEASE : 0
IPoE entry-to-DRV cost : 0 ms
All IPoE entries-to-DRV cost : 0 ms
# Use the traffic generator to send DHCP Request packets whose source MAC addresses belong to sessions already authenticated on the device, at 3000 frames/s, and check the rate-limit drop count at roughly 1-second intervals. The value of DHCP-REQUESTs dropped by rate limiting is the number of dropped packets; for authenticated sessions it stays at 0.
[vBRAS-probe] display system internal ip subscriber statistics
Trans2Main : 0
Add session rcvd : 0
…
Update traffic : 0
Update auth info : 0
IPv4 IPoE sessions : 29290 (up to 655360)
IPv6 IPoE sessions : 0 (up to 655360)
IPv4 IPoE trigger sessions : 29290
IPv6 IPoE trigger sessions : 0
IPv4 IPoE Abnormal logout user : 0 (up to 655360)
IPv6 IPoE Abnormal logout user : 0 (up to 655360)
Packets queued : 0
Packets failed to be queued : 0
Packets relayed by MBUF : 0
Packets to daemon : 0
Packet encapsulations to daemon : 0
Packet encapsulations failed to daemon : 0
Packets dropped : 0
Packets in linked list : 0
Packet flag for linked list : 0
Packets dropped by fast forwarding table : 0
Packets dropped in memory alert : 0
DHCP-DISCOVERs dropped by rate limiting : 0
DHCP-REQUESTs dropped by rate limiting : 0
DHCP DISCOVER : 0
DHCP OFFER : 0
DHCP REQUEST : 0
DHCP ACK : 0
DHCP RELEASE : 0
DHCP ACK matching no IPoE user : 0
DHCP6 SOLICIT : 0
DHCP6 REQUET : 0
DHCP6 REPLY : 0
DHCP6 REPLY matching no IPoE user : 0
DHCP6 RELEASE : 0
IPoE entry-to-DRV cost : 0 ms
All IPoE entries-to-DRV cost : 0 ms
# Use the traffic generator to send DHCP Request packets whose source MAC addresses do not belong to any authenticated session on the device, at 3000 frames/s, and check the rate-limit drop count at roughly 1-second intervals. The value of DHCP-REQUESTs dropped by rate limiting is the number of dropped packets.
[vBRAS-probe] display system internal ip subscriber statistics
Trans2Main : 0
…
Update traffic : 0
Update auth info : 0
IPv4 IPoE sessions : 19375 (up to 655360)
IPv6 IPoE sessions : 0 (up to 655360)
IPv4 IPoE trigger sessions : 19375
IPv6 IPoE trigger sessions : 0
IPv4 IPoE Abnormal logout user : 0 (up to 655360)
IPv6 IPoE Abnormal logout user : 0 (up to 655360)
Packets queued : 2168
Packets failed to be queued : 0
Packets relayed by MBUF : 0
Packets to daemon : 2168
Packet encapsulations to daemon : 1947
Packet encapsulations failed to daemon : 0
Packets dropped : 1822
Packets in linked list : 2168
Packet flag for linked list : 0
Packets dropped by fast forwarding table : 0
Packets dropped in memory alert : 0
DHCP-DISCOVERs dropped by rate limiting : 0
DHCP-REQUESTs dropped by rate limiting : 1822
DHCP DISCOVER : 0
DHCP OFFER : 0
DHCP REQUEST : 5151
DHCP ACK : 0
DHCP RELEASE : 0
DHCP ACK matching no IPoE user : 0
DHCP6 SOLICIT : 0
DHCP6 REQUET : 0
DHCP6 REPLY : 0
DHCP6 REPLY matching no IPoE user : 0
DHCP6 RELEASE : 0
IPoE entry-to-DRV cost : 0 ms
All IPoE entries-to-DRV cost : 0 ms
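The three checks above each read display system internal ip subscriber statistics about once per second and interpret the change in the counters. Here is an added example (not H3C code) that parses two such snapshots, turns the counter deltas into per-second rates, reports whether the limiter is engaged and whether the accepted load sits at the configured ceiling, and refuses to compute rates when a counter went backwards (cleared between snapshots). The two snapshots are constructed, abbreviated copies of the output format on this page using the first test's values; the 1.0 s interval and the 90 % ceiling threshold are assumptions.

```python
import re

# One counter per line: "<name> : <value>", optionally followed by "(up to N)" or "ms".
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9 /\-]*?)\s*:\s*(?P<value>\d+)"
    r"(?:\s*\(up to \d+\))?\s*(?:ms)?\s*$"
)

WATCHED = (
    "DHCP-DISCOVERs dropped by rate limiting",
    "DHCP-REQUESTs dropped by rate limiting",
    "DHCP DISCOVER",
    "DHCP REQUEST",
)

# Constructed, abbreviated snapshots taken about one second apart during a Discover flood.
SNAP_T0 = """\
[vBRAS-probe] display system internal ip subscriber statistics
Trans2Main : 0
…
IPv4 IPoE sessions : 27710 (up to 655360)
Packets queued : 0
Packets dropped : 0
DHCP-DISCOVERs dropped by rate limiting : 0
DHCP-REQUESTs dropped by rate limiting : 0
DHCP DISCOVER : 0
DHCP OFFER : 0
DHCP REQUEST : 0
IPoE entry-to-DRV cost : 0 ms
"""
SNAP_T1 = """\
[vBRAS-probe] display system internal ip subscriber statistics
Trans2Main : 0
…
IPv4 IPoE sessions : 28774 (up to 655360)
Packets queued : 2156
Packets dropped : 2191
DHCP-DISCOVERs dropped by rate limiting : 2191
DHCP-REQUESTs dropped by rate limiting : 0
DHCP DISCOVER : 1064
DHCP OFFER : 1092
DHCP REQUEST : 0
IPoE entry-to-DRV cost : 0 ms
"""


def parse_stats(text):
    """Map counter name -> integer value; the prompt line and '…' are ignored."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def rates(prev, cur, interval_s):
    """Per-second increase of each watched counter between two snapshots."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    out = {}
    for name in WATCHED:
        delta = cur.get(name, 0) - prev.get(name, 0)
        if delta < 0:
            # Counters only grow unless they were cleared, so a negative delta means
            # the two snapshots are not comparable.
            raise ValueError(f"{name} decreased between snapshots; counters were reset")
        out[name] = delta / interval_s
    return out


def assess(r, configured_rate, ceiling_fraction=0.9):
    """Summarise what the rate limiter did during the interval."""
    dropped = r[WATCHED[0]] + r[WATCHED[1]]
    accepted = r[WATCHED[2]] + r[WATCHED[3]]
    return {
        "dropped_pps": dropped,
        "accepted_pps": accepted,
        "limiting": dropped > 0,                                       # limiter is engaged
        "at_ceiling": accepted >= ceiling_fraction * configured_rate,  # accepted load is at the limit
    }


def check_flood(prev_text=SNAP_T0, cur_text=SNAP_T1, interval_s=1.0, configured_rate=1000):
    """Run the whole pipeline on two captured outputs of the probe command."""
    return assess(rates(parse_stats(prev_text), parse_stats(cur_text), interval_s), configured_rate)
```

Run the same parser over successive captures while the generator is sending; a steady non-zero dropped_pps with accepted_pps near the configured limit is the expected picture for the first and third checks, and zero drops for the second. Because the device counters are cumulative, always compare two snapshots rather than reading a single absolute value.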
The configuration file of the vBRAS is shown below. Note that this lab configuration enables the Telnet and FTP servers, sets authentication-mode none on the VTY lines while granting them the network-admin role, and keeps password-recovery enabled; do not carry these settings into a production deployment.
#
sysname vBRAS
#
telnet server enable
#
irf mac-address persistent always
irf auto-update enable
irf auto-merge enable
irf member 1 priority 1
#
dhcp enable
#
ip subscriber dhcp rate-limit 1000
#
password-recovery enable
#
irf-port 1
#
dhcp server ip-pool 9
gateway-list 9.1.1.1
network 9.1.0.0 mask 255.255.0.0
#
interface NULL0
#
interface GigabitEthernet1/1/0
port link-mode route
ip address 4.4.4.2 255.255.255.0
undo dhcp select server
#
interface GigabitEthernet1/2/0
port link-mode route
ip address 9.1.1.1 255.255.0.0
ip subscriber l2-connected enable
ip subscriber initiator dhcp enable
ip subscriber password ciphertext $c$3$fPa0hi3YLApW4vfVHgblkRn3ZweMspo=
ip subscriber dhcp domain ipoe
ip subscriber username string test
#
interface GigabitEthernet1/3/0
port link-mode route
#
interface GigabitEthernet1/4/0
port link-mode route
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode none
user-role network-admin
user-role network-operator
idle-timeout 0 0
#
radius scheme rs1
primary authentication 4.4.4.1
primary accounting 4.4.4.1
key authentication cipher $c$3$rgURxMHHy8nK1v7BJtTA3uY0kK0kHWslUQ==
key accounting cipher $c$3$p/WIsTN2dvp8VIWrVSmGVNOLvJK5llUORg==
user-name-format without-domain
#
domain name ipoe
authorization-attribute ip-pool 9
authentication ipoe radius-scheme rs1
authorization ipoe radius-scheme rs1
accounting ipoe radius-scheme rs1
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user abc class manage
password hash $h$6$PQbeCOM/GuQI9aXI$yDUEQuJV0RCiP0Qx5a5ZRKdKc6QPheNYbVr3rEBvv37L1PixVKLLhGkb6J11R1RlwQzQ52xGGgYmRcBu4TELPQ==
service-type ftp
authorization-attribute work-directory flash:/
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ftp server enable
#
return
· H3C vBRAS Series Virtual Broadband Remote Access Server Configuration Guide: http://press.h3c.com/data/infoblade/Comware V7平台B75分支中文/1.2.07 三层技术-IP业务/1.2.07.03 DHCP/DHCP命令.htm
· H3C vBRAS Series Virtual Broadband Remote Access Server Command Reference: http://press.h3c.com/data/infoblade/Comware V7平台B75分支中文/1.2.07 三层技术-IP业务/1.2.07.03 DHCP/DHCP命令.htm
Documentation differs slightly between models; contact your sales representative or the 400 hotline for details. H3C reserves the right to modify the content of this documentation without notice.