H3C vBRAS Configuration Example: PPPoE Service in a Forwarding/Control Separation (CP/DP) Scenario
Document version: 5W100-20190625
Product version: E1218 and later
Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced or distributed in any form by any entity or individual without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks, product identifiers and trade names of other companies that appear in this manual are the property of their respective owners.
The information in this document is subject to change without notice.
This document gives a configuration example for PPPoE access on a vBRAS (Virtual Broadband Remote Access Server) deployed in forwarding/control separation mode.
· This document is not strictly tied to specific software or hardware versions. If the product behaves differently from what is described here, refer to the relevant product manuals, or take the device's actual behaviour as authoritative.
· The configurations in this document were made and verified in a lab environment, with every device parameter at its factory default before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in this example.
· This document assumes that you are familiar with PPPoE, VXLAN and OpenFlow.
· Hosts access the vBRAS over PPPoE through a PoP switch.
· The vBRAS is deployed in forwarding/control separation mode: a VXLAN tunnel and an OpenFlow connection are set up between the DP (data plane) and the CP (control plane).
· VXLAN tunnels are set up between the PoP switch and the DP, and between the DP and the CP, to carry the PPPoE negotiation packets exchanged between the CP and the hosts.
· A RADIUS server performs authentication, authorization and accounting.
Figure 1 Network diagram for the PPPoE forwarding/control separation example

Device | Interface | IP address    | Device | Interface | IP address
PoP    | Loop0     | 1.1.1.101/32  | DP     | Loop1     | 1.1.1.2/32
PoP    | Vlan101   | 101.1.1.1/24  | DP     | Loop102   | 1.1.1.102/32
CP     | Loop1     | 1.1.1.1/32    | DP     | RAGG1     | 101.1.1.2/24
CP     | Reth222   | 222.1.1.1/24  | DP     | Reth222   | 222.1.1.2/24

Interface names follow the DP running configuration at the end of this document: the DP's second loopback is LoopBack102 (1.1.1.102/32), the source of VXLAN-DCI tunnel 101 towards the PoP switch, while LoopBack1 (1.1.1.2/32) is the source of VXLAN tunnel 1 towards the CP.
(1) Configure the working modes of the CP and DP; the CP works in session-entry control mode.
(2) Configure VXLAN tunnels and VSI instances on the DP and CP.
(3) Configure OpenFlow instances and OpenFlow controllers on the DP and CP.
(4) Configure VSI interfaces and virtual template interfaces on the DP and CP.
(5) Configure AAA settings and the PPPoE service settings on the CP.
(1) IP address and routing protocol configuration on the DP and CP is omitted; configure them according to site requirements.
(2) Configuration of the PoP switch is omitted; configure it according to site requirements.
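The CP/DP split described in the networking requirements and the outline above comes down to one decision the forwarding plane makes per frame arriving from the PoP over VXLAN: punt PPPoE/PPP protocol traffic to the CP over tunnel 1, forward subscriber data locally, or drop. The following is an added example (not H3C code and not the vBRAS implementation) that models that decision with a parser for VXLAN-encapsulated PPPoE frames. It uses the VNI (1), the S/C-VLAN pair (1001/100) and the client MAC from this page; the protocol numbers are from RFC 2516 and the PPP assigned numbers, and the BAS MAC is the VSI-interface MAC configured on the CP. The sample frames are constructed.

```python
"""Decide which VXLAN-encapsulated PPPoE frames a forwarding plane punts to
the control plane. Added example (not H3C code): a simplified model of the
CP/DP split described above, not the vBRAS implementation. Protocol numbers
come from RFC 2516 (PPPoE) and the PPP assigned numbers; the VNI (1), the
S/C-VLAN pair (1001/100) and the client MAC are taken from this page."""
import struct

VXLAN_VNI = 1                                   # "vxlan 1" under VSI 1
ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8863, 0x8864
ETH_VLAN_TAGS = {0x8100, 0x88A8}
PPP_LCP, PPP_PAP, PPP_CHAP = 0xC021, 0xC023, 0xC223
PPP_IPCP, PPP_IPV6CP, PPP_IPV4, PPP_IPV6 = 0x8021, 0x8057, 0x0021, 0x0057
CONTROL_PROTOCOLS = {PPP_LCP, PPP_PAP, PPP_CHAP, PPP_IPCP, PPP_IPV6CP}
DATA_PROTOCOLS = {PPP_IPV4, PPP_IPV6}

CLIENT_MAC = bytes.fromhex("001094001001")      # MAC in the verification output
BAS_MAC = bytes.fromhex("74258ae3ba33")         # VSI-interface MAC from the CP config
BROADCAST = b"\xff" * 6


def vxlan_encap(vni, inner):
    """8-byte VXLAN header: flags 0x08 (VNI valid), 24-bit VNI, reserved bytes."""
    return struct.pack("!BBBB", 0x08, 0, 0, 0) + struct.pack("!I", vni << 8) + inner


def eth_frame(dst, src, ethertype, payload, svlan=None, cvlan=None):
    hdr = dst + src
    if svlan is not None:
        hdr += struct.pack("!HH", 0x88A8, svlan)
    if cvlan is not None:
        hdr += struct.pack("!HH", 0x8100, cvlan)
    return hdr + struct.pack("!H", ethertype) + payload


def pppoe(code, session_id, payload):
    """PPPoE header: VER=1/TYPE=1 (0x11), CODE, SESSION_ID, LENGTH."""
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def parse_vxlan_pppoe(packet):
    """Return a dict describing the inner frame; raise ValueError if malformed."""
    if len(packet) < 8 or not (packet[0] & 0x08):
        raise ValueError("not a VXLAN header with a valid VNI")
    vni, inner = struct.unpack("!I", packet[4:8])[0] >> 8, packet[8:]
    if len(inner) < 14:
        raise ValueError("truncated Ethernet frame")
    off, vlans = 12, []
    ethertype = struct.unpack("!H", inner[off:off + 2])[0]
    while ethertype in ETH_VLAN_TAGS:                       # strip 802.1ad/802.1Q tags
        if len(inner) < off + 6:
            raise ValueError("truncated VLAN tag")
        vlans.append(struct.unpack("!H", inner[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
        ethertype = struct.unpack("!H", inner[off:off + 2])[0]
    off += 2
    info = {"vni": vni, "dst": inner[:6], "src": inner[6:12], "vlans": vlans,
            "ethertype": ethertype}
    if ethertype in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
        if len(inner) < off + 6:
            raise ValueError("truncated PPPoE header")
        vt, code, sid, length = struct.unpack("!BBHH", inner[off:off + 6])
        if vt != 0x11:
            raise ValueError("unsupported PPPoE version/type")
        payload = inner[off + 6:off + 6 + length]
        if len(payload) != length:                          # LENGTH must fit the frame
            raise ValueError("PPPoE length exceeds frame")
        info.update(code=code, session_id=sid, payload=payload)
        if ethertype == ETH_PPPOE_SESS and length >= 2:
            info["ppp_protocol"] = struct.unpack("!H", payload[:2])[0]
    return info


def classify(packet):
    """'to-cp' (punt over tunnel 1), 'forward' (DP data path) or 'drop'."""
    try:
        f = parse_vxlan_pppoe(packet)
    except ValueError:
        return "drop"                    # malformed frames never reach the CP
    if f["vni"] != VXLAN_VNI:
        return "drop"
    if f["ethertype"] == ETH_PPPOE_DISC:
        return "to-cp"                   # PADI/PADO/PADR/PADS/PADT: the CP negotiates
    if f["ethertype"] == ETH_PPPOE_SESS and f.get("code") == 0:
        proto = f.get("ppp_protocol")
        if proto in CONTROL_PROTOCOLS:
            return "to-cp"               # LCP/PAP/CHAP/IPCP: the CP runs the PPP state machine
        if proto in DATA_PROTOCOLS:
            return "forward"             # subscriber traffic stays on the DP
    return "drop"


# Constructed sample frames from the client seen in the verification section.
_tags = dict(svlan=1001, cvlan=100)
PADI = vxlan_encap(1, eth_frame(BROADCAST, CLIENT_MAC, ETH_PPPOE_DISC,
                                pppoe(0x09, 0, b"\x01\x01\x00\x00"), **_tags))
LCP_CONF_REQ = vxlan_encap(1, eth_frame(BAS_MAC, CLIENT_MAC, ETH_PPPOE_SESS,
                                        pppoe(0x00, 1, b"\xc0\x21\x01\x01\x00\x04"), **_tags))
IPV4_DATA = vxlan_encap(1, eth_frame(BAS_MAC, CLIENT_MAC, ETH_PPPOE_SESS,
                                     pppoe(0x00, 1, b"\x00\x21\x45" + b"\x00" * 19), **_tags))
WRONG_VNI = vxlan_encap(2, eth_frame(BROADCAST, CLIENT_MAC, ETH_PPPOE_DISC,
                                     pppoe(0x09, 0, b"\x01\x01\x00\x00")))

if __name__ == "__main__":
    for name, pkt in [("PADI", PADI), ("LCP", LCP_CONF_REQ), ("IPv4", IPV4_DATA), ("VNI 2", WRONG_VNI)]:
        print(f"{name:6s} -> {classify(pkt)}")
```

The point of the strict parsing is that the punt path is the CP's exposure: every frame that is not well-formed PPPoE discovery or PPP control traffic on the expected VNI is dropped on the DP rather than sent up tunnel 1, so a host on the PoP side cannot feed arbitrary or truncated frames to the control plane.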
(1) Configure the RADIUS client, that is, add the following to the clients.conf file.
client 172.16.35.102/32 {
    ipaddr = 172.16.35.102
    netmask = 32
    secret = H3C
}
The above means: the RADIUS client (the NAS, here the vBRAS CP) has IP address 172.16.35.102 and the shared secret is the string H3C. The address must match the source address the CP uses for its RADIUS packets, and the secret must match the key configured in the CP's RADIUS scheme. H3C is a lab value; in production use a long random secret, since the secret is all that protects the hidden PAP password and the integrity of the server's replies.
(2) Configure the legal user, that is, add the following to the users file.
test Cleartext-Password := "test"
    Framed-Pool = "public1"
The above means: the user name is test and the password is the string test; on successful authentication the server returns the Framed-Pool attribute naming address pool public1. The pool name must match the DHCP address pool configured on the CP exactly (no leading or trailing spaces), or the user will not be assigned an address.
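The exchange behind these two files, as an added example that is not part of the H3C document or of FreeRADIUS: both the NAS side (the vBRAS CP) and the server side are modelled with the RFC 2865 primitives so the password hiding and the Response Authenticator can be inspected. It uses the values from this page (user test, password test, shared secret H3C, reply attribute Framed-Pool = "public1") and assumes NAS-IP-Address 172.16.35.102, the client address from clients.conf; the user store is a constructed stand-in for the users file.

```python
"""RADIUS Access-Request / Access-Accept exchange for the user above.
Added example (not from the H3C document or FreeRADIUS): both the NAS side
(the vBRAS CP) and the server side are modelled with the RFC 2865 primitives
so the password hiding and the Response Authenticator can be inspected.
Values from the page: user test / password test, shared secret H3C,
reply attribute Framed-Pool = "public1"; the NAS-IP-Address 172.16.35.102
is the client address from clients.conf."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_POOL = 1, 2, 4, 88
SECRET = b"H3C"
NAS_IP = bytes([172, 16, 35, 102])
# Constructed server-side user store: the "users" file entry above.
USERS = {"test": {"password": b"test", "Framed-Pool": b"public1"}}


def pap_hide(password, secret, req_auth):
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_unhide(hidden, secret, req_auth):
    """Inverse of pap_hide: anyone holding the secret recovers the PAP password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def nas_access_request(user, password, secret, ident=0x2A, req_auth=None):
    """NAS side: build the Access-Request; returns (packet, Request Authenticator)."""
    req_auth = req_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, pap_hide(password.encode(), secret, req_auth)),
                         (NAS_IP_ADDRESS, NAS_IP)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_respond(packet, secret):
    """Server side: check the password, return Accept (with Framed-Pool) or Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    entry = USERS.get(attrs[USER_NAME].decode())
    if entry and pap_unhide(attrs[USER_PASSWORD], secret, req_auth) == entry["password"]:
        code, reply = ACCESS_ACCEPT, [(FRAMED_POOL, entry["Framed-Pool"])]
    else:
        code, reply = ACCESS_REJECT, []
    body = encode_attrs(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def response_is_authentic(response, req_auth, secret):
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + req_auth + body + secret).digest() == resp_auth


def nas_handle_response(response, req_auth, secret):
    """NAS side: reject anything whose Response Authenticator does not verify."""
    if not response_is_authentic(response, req_auth, secret):
        raise ValueError("bad Response Authenticator: forged or wrong shared secret")
    return response[0], dict(decode_attrs(response[20:]))


def authenticate(user, password, secret=SECRET):
    """Full exchange; returns (code, pool name or None)."""
    request, req_auth = nas_access_request(user, password, secret)
    code, attrs = nas_handle_response(server_respond(request, secret), req_auth, secret)
    return code, attrs[FRAMED_POOL].decode() if FRAMED_POOL in attrs else None


if __name__ == "__main__":
    print(authenticate("test", "test"))    # (2, 'public1')
    print(authenticate("test", "wrong"))   # (3, None)
```

Two things the code makes visible: User-Password hiding is an MD5 keystream keyed only by the shared secret, so a capture of the Access-Request on the CP-to-server path plus the secret H3C yields the PAP password outright; and the Response Authenticator is the only thing stopping a forged Access-Accept with Framed-Pool from putting an unauthenticated user online, which is why the secret must be long and the RADIUS path kept off untrusted networks.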
(1) Configure IP addresses and routing protocols on the interfaces (omitted).
(2) Configure the working mode of the DP: the DP works as the data plane.
# Set the DP's working mode to data plane.
<DP> system-view
[DP] pppoe-server work-mode data-plane
(3) Configure the VXLAN tunnels and VSI on the DP.
# Enable L2VPN on the DP.
[DP] l2vpn enable
# Create a VXLAN tunnel and a VXLAN-DCI tunnel on the DP. Tunnel 101 (VXLAN-DCI) connects to the PoP switch, which needs a matching VSI and VXLAN tunnel (its configuration is omitted here); tunnel 1 (VXLAN) carries the PPPoE protocol packets the DP sends up to the CP.
[DP] interface Tunnel1 mode vxlan
[DP-Tunnel1] source 1.1.1.2
[DP-Tunnel1] destination 1.1.1.1
[DP-Tunnel1] quit
[DP] interface Tunnel101 mode vxlan-dci
[DP-Tunnel101] source 1.1.1.102
[DP-Tunnel101] destination 1.1.1.101
[DP-Tunnel101] quit
# Create VSI 1 on the DP and associate it with VXLAN ID 1 and tunnels 1 and 101.
[DP] vsi 1
[DP-vsi-1] gateway vsi-interface 1
[DP-vsi-1] vxlan 1
[DP-vsi-1-vxlan-1] tunnel 1
[DP-vsi-1-vxlan-1] tunnel 101
[DP-vsi-1-vxlan-1] quit
[DP-vsi-1] quit
(4) Configure the OpenFlow instance on the DP.
# Create OpenFlow instance 1 and set it to global classification.
[DP] openflow instance 1
[DP-of-inst-1] classification global
# Specify the CP (1.1.1.1) as controller 1 with 1.1.1.2 as the local address, and set the default table-miss action to permit. No SSL policy is applied to the controller connection in this example, so the DP-CP link must be an isolated, trusted path.
[DP-of-inst-1] controller 1 address ip 1.1.1.1 local address ip 1.1.1.2
[DP-of-inst-1] default table-miss permit
# Configure the flow table type and flow table ID.
[DP-of-inst-1] flow-table mac-ip 0
# Disable TCP connection backup so that the controller connection is re-established after an active/standby switchover.
[DP-of-inst-1] undo tcp-connection backup
# Enable the OpenFlow data plane function.
[DP-of-inst-1] data-plane enable
# Activate the instance.
[DP-of-inst-1] active instance
[DP-of-inst-1] quit
(5) Configure the virtual template interface.
# Create virtual template interface 1; enabling PPP accounting statistics on it is optional.
[DP] interface Virtual-Template 1
[DP-Virtual-Template1] ppp account-statistics enable
[DP-Virtual-Template1] quit
# Enable the PPPoE server on interface VSI-interface 1 and bind it to virtual template interface 1.
[DP] interface vsi-interface 1
[DP-Vsi-interface1] distributed-gateway local
[DP-Vsi-interface1] pppoe-server bind virtual-template 1
[DP-Vsi-interface1] quit
(1) Configure IP addresses and routing protocols on the interfaces (omitted).
(2) Configure the working mode of the CP: the CP works as the control plane.
# Enable L2VPN on the CP.
<CP> system-view
[CP] l2vpn enable
# Set the CP's working mode to control plane, with session as its control mode.
[CP] interface Vsi-interface 1
[CP-Vsi-interface1] pppoe-server control-plane-mode session
[CP-Vsi-interface1] quit
(3) Configure the VXLAN tunnel and VSI on the CP.
# Create the VXLAN tunnel and VSI instance on the CP (the tunnel mirrors tunnel 1 on the DP).
[CP] interface Tunnel1 mode vxlan
[CP-Tunnel1] source 1.1.1.1
[CP-Tunnel1] destination 1.1.1.2
[CP-Tunnel1] quit
[CP] vsi 1
[CP-vsi-1] gateway vsi-interface 1
[CP-vsi-1] vxlan 1
[CP-vsi-1-vxlan-1] tunnel 1
[CP-vsi-1-vxlan-1] quit
[CP-vsi-1] quit
# Create the VSI interface on the CP and give it the same MAC address as the DP's VSI interface.
[CP] interface Vsi-interface 1
[CP-Vsi-interface1] distributed-gateway local
[CP-Vsi-interface1] mac-address 7425-8ae3-ba33
[CP-Vsi-interface1] quit
(4) Enable the OpenFlow controller function.
# Enable the CP to act as an OpenFlow controller.
[CP] openflow controller enable
(5) Configure the address pool on the CP.
# Enable DHCP.
[CP] dhcp enable
# Create address pool public1 in subnet allocation mode, configure the gateway and the network to allocate from (advertising routes for both), set the per-subnet mask length, and exclude the gateway address from allocation.
[CP] dhcp server ip-pool public1 subnet-alloc
[CP-dhcp-pool-public1] gateway-list 50.1.0.1 export-route
[CP-dhcp-pool-public1] network 50.1.0.0 mask 255.255.0.0 export-route
[CP-dhcp-pool-public1] subnet mask-length 24
[CP-dhcp-pool-public1] forbidden-ip 50.1.0.1
[CP-dhcp-pool-public1] quit
(6) Configure the RADIUS scheme on the CP. The keys must match the secret in the server's clients.conf (H3C is a lab value), and without-domain strips the domain from the user name so that it matches the users file entry.
[CP] radius scheme rs1
[CP-radius-rs1] primary authentication 172.16.36.201
[CP-radius-rs1] primary accounting 172.16.36.201
[CP-radius-rs1] key authentication simple H3C
[CP-radius-rs1] key accounting simple H3C
[CP-radius-rs1] user-name-format without-domain
[CP-radius-rs1] quit
(7) Configure the ISP domain on the CP so that PPP users in the domain use the RADIUS scheme.
[CP] domain name public1
[CP-isp-public1] authentication ppp radius-scheme rs1
[CP-isp-public1] authorization ppp radius-scheme rs1
[CP-isp-public1] accounting ppp radius-scheme rs1
[CP-isp-public1] quit
# Configure virtual template interface 1: authenticate peers with CHAP or PAP, and use public1 as the default domain for users that log in without a domain name. PAP sends the password in cleartext over the PPP link, so prefer CHAP where the clients support it.
[CP] interface virtual-template 1
[CP-Virtual-Template1] ppp authentication-mode chap pap domain default enable public1
[CP-Virtual-Template1] ppp account-statistics enable
[CP-Virtual-Template1] quit
# Enable the PPPoE server on interface VSI-interface 1 and bind it to virtual template interface 1.
[CP] interface vsi-interface 1
[CP-Vsi-interface1] pppoe-server bind virtual-template 1
[CP-Vsi-interface1] quit
(1) Enable user login and logout logging on the CP:
[CP] ppp access-user log enable successful-login failed-login normal-logout abnormal-logout
(2) Simulate a PPPoE user login with a tester (TC) and verify that the user comes online:
[CP]%Jan 22 10:05:11:199 2019 CP PPP/6/PPP_USER_LOGON_SUCCESS: -UserName=test-IPAddr=50.1.0.11-IfName=Vsi-interface1-OuterVLAN=1001-InnerVLAN=100-MACAddr=0010-9400-1001; The user came online successfully.
[CP] display ppp access-user user-type pppoe
Interface        MAC address      IP address       Username
  S/C-VLAN       IPv6 PDPrefix    IPv6 address
BAS0             0010-9400-1001   50.1.0.11        test
  1001/100       -                -
(3) Display the user on the DP. The DP shows the same session entry (MAC, IP address and S/C-VLAN), but the Username column is empty:
[DP] display ppp access-user user-type pppoe
Interface        MAC address      IP address       Username
  S/C-VLAN       IPv6 PDPrefix    IPv6 address
BAS0             0010-9400-1001   50.1.0.11        -
  1001/100       -                -
· CP
#
sysname CP
#
telnet server enable
#
irf mac-address persistent always
irf auto-update enable
irf auto-merge enable
irf member 1 priority 32
irf member 2 priority 31
#
ospf 1
non-stop-routing
area 0.0.0.0
#
ppp access-user log enable failed-login abnormal-logout
undo ppp authentication chasten
#
dhcp enable
dhcp relay client-information record
#
password-recovery enable
#
irf-port 1
port group interface GigabitEthernet1/3/0
#
irf-port 2
port group interface GigabitEthernet2/3/0
#
· DP
#
sysname DP
#
failover group dp
bind slot 1 primary
bind slot 2 secondary
#
telnet server enable
#
irf mac-address persistent always
irf auto-update enable
irf auto-merge enable
irf domain 101
irf member 1 priority 32
irf member 2 priority 31
#
lacp system-priority 100
#
track 1 interface Ten-GigabitEthernet1/5/0
#
track 2 interface Ten-GigabitEthernet1/4/0
#
track 3 interface Ten-GigabitEthernet2/3/0
#
track 4 interface Ten-GigabitEthernet2/2/0
#
isis 1
#
isis 101
network-entity 10.0000.0000.1010.00
#
address-family ipv4 unicast
import-route static route-policy dp1
#
ospf 1 router-id 1.1.1.2
description toCP
non-stop-routing
area 0.0.0.0
area 0.0.0.101
#
address-family ipv4 unicast
#
ospf 101 router-id 1.1.1.102
description toCR&POP
non-stop-routing
area 0.0.0.0
#
mpls lsr-id 103.103.103.103
mpls label advertise non-null
#
pppoe-server work-mode data-plane
#
dhcp enable
#
lldp global enable
#
flow-interval 5
#
password-recovery enable
#
irf-port 1
port group interface GigabitEthernet1/3/0 type control
port group interface GigabitEthernet1/6/0 type data
#
irf-port 2
port group interface GigabitEthernet2/5/0 type control
port group interface GigabitEthernet2/6/0 type data
#
openflow instance 1
default table-miss permit
undo tcp-connection backup
flow-table mac-ip 0 extensibility 1
classification global
data-plane enable
controller 1 address ip 1.1.1.1 local address ip 1.1.1.2
active instance
#
mpls ldp
#
l2vpn enable
#
vsi 1
gateway vsi-interface 1
vxlan 1
tunnel 1
tunnel 101
#
interface Reth222
description toCP
ip address 222.1.1.2 255.255.255.0
ospf 1 area 0.0.0.0
member interface GigabitEthernet1/2/0 priority 100
member interface GigabitEthernet2/4/0 priority 50
#
interface Route-Aggregation1
description toPOP
jumboframe enable 9728
ip address 101.1.1.2 255.255.255.0
ospf 101 area 0.0.0.0
isis enable 101
link-aggregation mode dynamic
mad enable
lacp irf-select master-first
#
interface Virtual-Template1
ppp account-statistics enable
#
interface NULL0
#
interface LoopBack1
description toCP
ip address 1.1.1.2 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack102
description toPOP_vxlantunnel101
ip address 1.1.1.102 255.255.255.255
ospf 101 area 0.0.0.0
#
interface GigabitEthernet1/1/0
port link-mode route
ip binding vpn-instance mgt1
ip address 172.16.36.101 255.255.255.0
#
interface GigabitEthernet1/2/0
port link-mode route
description to-DSW-1/0/30
#
interface GigabitEthernet1/3/0
port link-mode route
description IRF-port
#
interface GigabitEthernet1/6/0
port link-mode route
#
interface GigabitEthernet2/1/0
port link-mode route
ip binding vpn-instance mgt2
ip address 172.16.16.101 255.255.255.0
#
interface GigabitEthernet2/4/0
port link-mode route
description memberofReth222
#
interface GigabitEthernet2/5/0
port link-mode route
description irf-link
#
interface GigabitEthernet2/6/0
port link-mode route
description irf link
#
interface Ten-GigabitEthernet1/4/0
port link-mode route
description toSW16.11-1/0/6
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/5/0
port link-mode route
description to16.11-1/0/5
port link-aggregation group 1
#
interface Ten-GigabitEthernet2/2/0
port link-mode route
description to16/11-1/0/4
port link-aggregation group 1
#
interface Ten-GigabitEthernet2/3/0
port link-mode route
description to16/11-1/0/3
port link-aggregation group 1
#
interface Vsi-interface1
pppoe-server bind virtual-template 1
#
interface Tunnel1 mode vxlan
description toCP
source 1.1.1.2
destination 1.1.1.1
#
interface Tunnel101 mode vxlan-dci
description toPOP
source 1.1.1.102
destination 1.1.1.101
#
route-policy dp1 permit node 1
if-match interface NULL0
#
route-policy public permit node 1
if-match ip address prefix-list 1
#
route-policy tag5000 permit node 1
if-match tag 5000
#
ip prefix-list 1 index 10 permit 202.1.0.0 16 greater-equal 24
ip prefix-list 1 index 20 permit 202.1.1.2 32
ip prefix-list 1 index 30 permit 202.1.1.3 32
ip prefix-list dp1 index 1 permit 50.0.0.0 8
#
scheduler logfile size 16
#
line class aux
authentication-mode none
user-role network-admin
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
authentication-mode none
user-role network-admin
user-role network-operator
idle-timeout 0 0
#
line aux 0 1
user-role network-operator
#
line con 0 1
user-role network-admin
#
line vty 0 63
authentication-mode none
user-role network-admin
user-role network-operator
idle-timeout 0 0
#
ip route-static vpn-instance mgt1 172.16.0.0 16 172.16.36.1
ip route-static vpn-instance mgt2 172.16.0.0 16 172.16.16.1
ipv6 route-static 32:: 120 33::1
#
mad exclude interface GigabitEthernet1/1/0
mad exclude interface GigabitEthernet2/1/0
#
redundancy group 1
preempt-delay 5
member interface Reth101
member interface Reth222
node 1
bind slot 1
priority 100
track 1 interface Ten-GigabitEthernet1/5/0
track 2 interface Ten-GigabitEthernet1/4/0
node 2
bind slot 2
priority 50
track 3 interface Ten-GigabitEthernet2/3/0
track 4 interface Ten-GigabitEthernet2/2/0
#
acl advanced 3000
rule 5 permit ip source 50.1.0.0 0.0.255.255
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group lsf
#
user-group system
#
local-user admin class manage
password hash $h$6$YkVX5VPFdwQWIrZI$+eFmPGs7Dqsbes0IYaTQ/HyfZav53vPb9IYaEywizr5DZhkJfB66lcDwPCMSHpH7FqrFA9LVPDuLOzqEvftDMQ==
service-type http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user ftp class manage
password hash $h$6$eYYdkkew8QhysJgS$TzrQChQY5aht1vTidTSAvoUw7WEyM6XB9iJMhYDxiLjt4oI9xm+Lo0w6lkpAXaZPJ9Iz9yu97OudD/HPc8usVg==
service-type ftp
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user test class network
password cipher $c$3$px1kaqZl81G0fZy+hQXnc47EeTmPGC8=
service-type ppp
authorization-attribute user-role network-operator
#
ftp server enable
#
session service-location acl 3000 failover-group dp
session statistics enable
session synchronization enable
#
nat log enable
nat log port-block usage threshold 50
nat log port-block port-usage threshold 50
nat log port-block-assign
nat log port-block-withdraw
nat log port-alloc-fail
nat log port-block-alloc-fail
nat port-block synchronization enable
nat work-mode data-plane
#
netconf soap http enable
netconf soap https enable
#
return
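The configuration files above are lab configurations, and several lines in them are exactly what a reviewer would flag before the same design went into production: telnet server enable and ftp server enable, line class vty and line vty 0 63 with authentication-mode none and the network-admin role, idle-timeout 0 0, netconf soap http enable, an admin user with service-type http, undo ppp authentication chasten on the CP, and the three-character RADIUS key. The following is an added example (not H3C tooling) of an audit script that encodes those checks over Comware-style configuration text; SAMPLE_CONFIG is a constructed excerpt of the files on this page plus the RADIUS scheme from the CP procedure, HARDENED_CONFIG is a constructed corrected counterpart, and the 16-character minimum secret length is an assumption of the example.

```python
"""Audit an H3C Comware running configuration for management-plane weaknesses.
Added example (not H3C tooling): the checks encode what a reviewer would flag
in the CP and DP configuration files shown on this page. SAMPLE_CONFIG is a
constructed excerpt of those files (plus the RADIUS scheme from the CP
procedure); HARDENED_CONFIG is the corrected counterpart. Sectioning relies on
the '#' separators of display current-configuration output."""
import re

SAMPLE_CONFIG = """\
#
telnet server enable
#
ppp access-user log enable failed-login abnormal-logout
undo ppp authentication chasten
#
line class vty
 authentication-mode none
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
line vty 0 63
 authentication-mode none
 user-role network-admin
 idle-timeout 0 0
#
local-user admin class manage
 service-type http https
 authorization-attribute user-role network-admin
#
radius scheme rs1
 key authentication simple H3C
#
ftp server enable
#
netconf soap http enable
netconf soap https enable
#
return
"""

HARDENED_CONFIG = """\
#
undo telnet server enable
ssh server enable
#
ppp access-user log enable failed-login abnormal-logout
#
line class vty
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 10 0
#
local-user admin class manage
 service-type https ssh
 authorization-attribute user-role network-admin
#
radius scheme rs1
 key authentication simple 7kQ2v9LmXp4RtZ8cWn3Bh6Yd
#
netconf soap https enable
#
return
"""

# Exact global commands and what each means for an operator.
GLOBAL_CHECKS = {
    "telnet server enable": ("TELNET", "CLI logins and config cross the network in cleartext; use SSH"),
    "ftp server enable": ("FTP", "cleartext file transfer of configs and images; use SFTP/SCP"),
    "netconf soap http enable": ("NETCONF-HTTP", "NETCONF over plain HTTP; keep only the https transport"),
    "undo ppp authentication chasten": ("PPP-CHASTEN", "penalty for repeated failed PPP logins is disabled"),
}
MIN_SECRET_LEN = 16   # assumption for this example, not an H3C requirement


def sections(text):
    """Split Comware config into sections; each is a list of stripped lines."""
    secs, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                secs.append(cur)
            cur = []
        elif line and line != "return":
            cur.append(line)
    return secs + ([cur] if cur else [])


def audit(text):
    """Return a list of (code, section head, explanation) findings."""
    findings = []
    for sec in sections(text):
        head = sec[0]
        for cmd, (code, why) in GLOBAL_CHECKS.items():
            if cmd in sec:
                findings.append((code, head, why))
        if head.startswith("line "):
            roles = {l.split()[-1] for l in sec if l.startswith("user-role ")}
            if "authentication-mode none" in sec:
                code = "LINE-NOAUTH-ADMIN" if "network-admin" in roles else "LINE-NOAUTH"
                findings.append((code, head, "unauthenticated login on this line class/range"))
            if "idle-timeout 0 0" in sec:
                findings.append(("LINE-NO-IDLE-TIMEOUT", head, "sessions never expire"))
        if head.startswith("local-user ") and head.endswith(" class manage"):
            for l in sec:
                if l.startswith("service-type ") and "http" in l.split()[1:]:
                    findings.append(("HTTP-MGMT", head, "plain-HTTP management service allowed"))
        if head.startswith("radius scheme "):
            for l in sec:
                m = re.match(r"key (authentication|accounting) simple (\S+)$", l)
                if m and len(m.group(2)) < MIN_SECRET_LEN:
                    findings.append(("RADIUS-WEAK-SECRET", head,
                                     f"{m.group(1)} secret is {len(m.group(2))} chars"))
    return findings


if __name__ == "__main__":
    for code, head, why in audit(SAMPLE_CONFIG):
        print(f"{code:22s} [{head}] {why}")
```

The checks match whole lines within a section rather than substrings, so undo telnet server enable is not mistaken for the enable form; keys already stored in cipher form are skipped because their length cannot be judged from the configuration.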
· H3C vBRAS Series Virtual Broadband Remote Access Servers Configuration Guides-E1218
· H3C vBRAS Series Virtual Broadband Remote Access Servers Command References-E1218