05-H3C vBRAS Control/Forwarding Separation: PPPoE with CGN NAT Configuration Example
Document version: 5W100-20190625
Product version: E1218 and later
Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks, product identifiers and product names of other companies that appear in this manual are the property of their respective holders.
The information in this document is subject to change without notice.
This document provides a configuration example for PPPoE working together with NAT on a router operating in control/forwarding separation mode.
A traditional BRAS (Broadband Remote Access Server) suffers from a mismatch between forwarding-plane and control-plane capacity, an inability to share resources between devices, and slow rollout of new services. vBRAS (Virtual Broadband Remote Access Server) addresses these problems by separating the control plane from the data plane:
· Control-plane functions, such as user identification and initiation of authentication requests, identity authentication, address allocation and management, and access control, are moved to a dedicated device, the CP (Control Plane). The CP is normally a vBRAS.
· Data-plane functions, such as forwarding of user traffic and traffic control, are performed by a separate device, the DP (Data Plane). The DP can be a Layer 3 switch, a router or a vBRAS. In this document the DP is a vBRAS.
The CP and the DP exchange table entries and protocol packets over an OpenFlow channel and a VXLAN (Virtual eXtensible LAN) tunnel: the OpenFlow channel carries the table entries that the CP pushes to the DP, and the VXLAN tunnel carries the protocol packets exchanged between the CP and the DP.
CGN (Carrier Grade NAT), also known as LSN (Large-Scale NAT), differs from traditional NAT in where it is deployed. Traditional NAT mostly runs on the CPE (Customer Premises Equipment) and translates addresses for a small number of users. CGN runs in the carrier network; configuring CGN on the vBRAS translates addresses for a large number of users and brings large gains in the number of concurrent users, performance and traceability, since each subscriber is tied to a public address and a port block, which lets a public address and port seen in a log be mapped back to the subscriber.
· This document is not strictly tied to specific software or hardware versions. If the procedures differ from what your product shows, refer to the relevant product manual or follow the actual behaviour of the device.
· The configurations in this document were made and verified in a lab environment, with all device parameters at their factory defaults before configuration. If the device is already configured, make sure the existing configuration does not conflict with the one in this example.
· The full configurations at the end of this document were captured from the lab devices and contain lab-only settings: Telnet is enabled, the VTY lines use authentication-mode none, the SNMP communities are public and private (the latter with write access), and the RADIUS shared secret is 123456. Replace these before reusing the configuration outside a lab.
· This document assumes that you are familiar with VXLAN, NAT and PPPoE.
The control/forwarding separation network shown in Figure 1 has the following requirements:
· The POP switch acts as the AC (Attachment Circuit) interface and provides VXLAN (Virtual eXtensible LAN) access for users.
· Host is the PPPoE client and runs PPPoE dial-up client software.
· VBRAS-CP works in NAT control mode and allocates public IP addresses and port-block resources. A user obtains a private IPv4 address before coming online; once the user is online, the CP allocates it a public IP address and a port block. The CP also acts as a PPPoE server in session-entry control mode and sends the PPPoE sessions to VBRAS-DP.
· VBRAS-DP works in NAT forwarding mode and translates the private IP addresses and ports of the internal users. The DP also acts as a PPPoE server in forwarding mode and forwards data packets according to the PPPoE sessions received from the CP.
· VXLAN tunnels are set up between the POP switch and VBRAS-DP, and between VBRAS-DP and VBRAS-CP.
· NAT port-block dynamic mapping is used so that the two public addresses 18.1.1.100 and 18.1.1.101 are shared among users. The port range of the public addresses is 1024 to 65535 and the port-block size is 100.
Figure 1 Network diagram for the CGN NAT configuration example
(1) Perform the basic configuration for PPPoE control/forwarding separation.
(2) Configure the RADIUS server (FreeRADIUS in this example) to authenticate and authorize users.
(3) On the CP, configure the accounting server for the users' primary service, the NAT address pool and the DHCP address pool, and synchronize the user information to the DP.
(4) On the DP, configure the failover group, the ACL and the NAT address group, mark the users and forward the service traffic.
· This document covers only the CGN configuration. For the basic PPPoE control/forwarding separation configuration, see H3C vBRAS Control/Forwarding Separation PPPoE Service Configuration Example.
· A failover group improves NAT processing performance: once a failover group is specified, the device steers traffic that needs dynamic NAT (dynamic address translation and NAT port-block dynamic mapping) or NAT port-block static mapping to that failover group for processing.
· NAT port-block settings cannot be changed while users are online. Change them only after all users have logged out.
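To make the port-block arithmetic behind these requirements concrete, here is an added Python model of the allocation (example code written for this page, not H3C software). It carves each public address into whole port blocks, hands one block to each subscriber that comes online, returns the block at logout, and raises an alarm when usage crosses the percentage set by nat log port-block usage threshold (50 in the full CP configuration at the end of this document). The class and parameter names, and the lowest-address-then-lowest-block allocation order, are assumptions of the model. With this example's parameters it yields 645 blocks per address, which matches the 645 dynamic port-block entries in the verification output, and 1290 subscribers for the two-address pool.

```python
"""Model of CGN port-block allocation for this example.

Added example, not H3C code. It reproduces the arithmetic of the address pool
above (two public addresses, ports 1024-65535, block size 100) and the usage
alarm configured by 'nat log port-block usage threshold 50' on the CP. The
allocation order (lowest address first, then lowest block) is an assumption of
this model; the device may hand out blocks in a different order.
"""
from collections import deque
from ipaddress import IPv4Address
from typing import Deque, Dict, List, Optional, Tuple

Block = Tuple[str, int, int]  # (global IP, first port, last port)


class PortBlockPool:
    def __init__(self, first_ip: str, last_ip: str, port_low: int = 1024,
                 port_high: int = 65535, block_size: int = 100,
                 usage_threshold: int = 50) -> None:
        self.usage_threshold = usage_threshold  # percent of blocks in use
        self.blocks_per_address = (port_high - port_low + 1) // block_size
        lo, hi = int(IPv4Address(first_ip)), int(IPv4Address(last_ip))
        self.addresses = [str(IPv4Address(n)) for n in range(lo, hi + 1)]
        # Carve every address into whole blocks. Ports that do not fill a
        # whole block at the top of the range (here 65524-65535) stay unused.
        self.free: Deque[Block] = deque(
            (ip, first, first + block_size - 1)
            for ip in self.addresses
            for first in range(port_low, port_high - block_size + 2, block_size)
        )
        self.capacity = len(self.free)
        self.mappings: Dict[str, Block] = {}  # private IP -> its block
        self.alarms: List[str] = []
        self._above_threshold = False

    def usage_percent(self) -> float:
        return 100.0 * len(self.mappings) / self.capacity

    def _update_alarm(self) -> None:
        # Log once each time usage climbs through the threshold.
        above = self.usage_percent() >= self.usage_threshold
        if above and not self._above_threshold:
            self.alarms.append(f"port-block usage {self.usage_percent():.1f}% "
                               f"reached threshold {self.usage_threshold}%")
        self._above_threshold = above

    def allocate(self, private_ip: str) -> Optional[Block]:
        """Hand one block to a subscriber coming online; None when exhausted."""
        if private_ip in self.mappings:  # already online: keep its block
            return self.mappings[private_ip]
        if not self.free:
            return None  # pool exhausted: the user gets no public address
        block = self.free.popleft()
        self.mappings[private_ip] = block
        self._update_alarm()
        return block

    def release(self, private_ip: str) -> None:
        """Return the block at logout so a later subscriber can reuse it."""
        block = self.mappings.pop(private_ip, None)
        if block is not None:
            self.free.append(block)
            self._update_alarm()


if __name__ == "__main__":
    pool = PortBlockPool("18.1.1.100", "18.1.1.101")
    print(pool.blocks_per_address, pool.capacity)  # 645 1290
    print(pool.allocate("3.3.0.1"))                 # ('18.1.1.100', 1024, 1123)
```

The unused tail of the port range (12 ports per address here) and the hard ceiling of 1290 simultaneous subscribers are the two numbers to keep in mind when sizing the pool: a subscriber arriving after exhaustion is authenticated but gets no public address, so the alarm threshold should be set low enough to leave time to add addresses.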
# Configure the RADIUS client (the CP) on the RADIUS server. Add the following to clients.conf. The secret must match the key configured in the CP's RADIUS scheme (123456 in this example), and the address must be the source address the CP uses toward the server:
client 172.16.54.237 {
ipaddr = 172.16.54.237
secret = 123456
shortname = radius
}
# Configure the authorized user. Add the following to the users file:
user1 Cleartext-Password := "pass1"
This defines a user named user1 with password pass1.
(1) Configure IP addresses and routing protocols on the interfaces and perform the basic control/forwarding separation configuration. For the detailed steps, see H3C vBRAS Control/Forwarding Separation PPPoE Service Configuration Example.
(2) Configure a RADIUS scheme.
# Create a RADIUS scheme named radius and enter its view. The scheme designates the RADIUS server as the authentication, authorization and accounting server.
<CP> system-view
[CP] radius scheme radius
# Specify the primary authentication server and the primary accounting server, and the shared keys used with them.
[CP-radius-radius] primary authentication 172.16.55.5
[CP-radius-radius] primary accounting 172.16.55.5
[CP-radius-radius] key authentication simple 123456
[CP-radius-radius] key accounting simple 123456
# Send usernames to the RADIUS server without the ISP domain name.
[CP-radius-radius] user-name-format without-domain
[CP-radius-radius] quit
(3) Configure the ISP domain.
# Create an ISP domain named system and enter its view.
[CP] domain name system
# Apply the RADIUS scheme to PPP users in the ISP domain for authentication, authorization and accounting.
[CP-isp-system] authentication ppp radius-scheme radius
[CP-isp-system] authorization ppp radius-scheme radius
[CP-isp-system] accounting ppp radius-scheme radius
[CP-isp-system] quit
(4) Configure NAT.
# Set the NAT operating mode of the CP to control-plane mode.
[CP] nat work-mode control-plane
# Create the NAT address pool.
[CP] nat address-pool cp
# Set the IP-address block size (the number of public addresses in each address block) to 1.
[CP-address-pool-cp] ip-block size 1
# Set the port range of the public addresses.
[CP-address-pool-cp] port-range 1024 65535
# Set the port-block size.
[CP-address-pool-cp] port-block block-size 100
# Add the address members.
[CP-address-pool-cp] address 18.1.1.100 18.1.1.101
[CP-address-pool-cp] quit
# In the ISP domain, specify the address pool and set the authorized user address type to private IPv4. (The RADIUS methods for the domain were applied in step 3.)
[CP] domain name system
[CP-isp-system] authorization-attribute ip-pool cp
[CP-isp-system] user-address-type private-ipv4
[CP-isp-system] quit
(5) VXLAN, DHCP and PPPoE configuration is omitted.
(1) Configure the interface IP addresses and routes. Steps omitted.
(2) Configure NAT.
# Set the NAT operating mode of the DP to data-plane (forwarding) mode.
<dp> system-view
[dp] nat work-mode data-plane
# Create NAT address group 1 and bind it to failover group dp. No address members are configured in the group on the DP; the public addresses are allocated by the CP from its address pool.
[dp] nat address-group 1
[dp-address-group-1] failover-group dp
# Set the port range of the public addresses.
[dp-address-group-1] port-range 1024 65535
# Set the port-block size.
[dp-address-group-1] port-block block-size 100
[dp-address-group-1] quit
(3) Configure the failover group.
# Create the failover group and add the nodes: slot 1 is the primary node and slot 2 the secondary node.
[dp] failover group dp
[dp-failover-group-dp] bind slot 1 primary
[dp-failover-group-dp] bind slot 2 secondary
[dp-failover-group-dp] quit
(4) Configure the ACL and apply NAT on the interface.
# Configure an ACL that permits only packets sourced from 3.3.0.0/16 (the private subscriber addresses).
[dp] acl advanced 3100
[dp-acl-ipv4-adv-3100] rule 5 permit ip source 3.3.0.0 0.0.255.255
[dp-acl-ipv4-adv-3100] quit
# Steer session-based services to the failover group: only packets matching ACL 3100 are sent to the primary node of failover group dp for processing.
[dp] session service-location acl 3100 failover-group dp
# Configure outbound dynamic NAT on the egress interface.
[dp] interface Ten-GigabitEthernet1/6/0
[dp-Ten-GigabitEthernet1/6/0] ip address 18.1.1.1 255.255.255.0
[dp-Ten-GigabitEthernet1/6/0] nat outbound 3100 address-group 1
(5) VXLAN and PPPoE configuration is omitted.
After the configuration is complete, the client dials in with username user1 and password pass1, comes online through the CP, and reaches the Internet through the DP.
# Display detailed information about the PPPoE user on the CP. The NAT section shows the public address and port block assigned to the user.
[CP] display ppp access-user user-type pppoe verbose
Basic:
Interface: BAS0
PPP index: 0x140004b00
User ID: 0x28000004
Username: user1
Domain: system
Access interface: Vsi1
Service-VLAN/Customer-VLAN: 6/9
VXLAN ID: 10
MAC address: 0010-9405-0002
IP address: 3.3.0.1
IPv6 address: -
IPv6 PD prefix: -
IPv6 ND prefix: -
User address type: private-ipv4
VPN instance: -
Access type: PPPoE
Authentication type: PAP
PPPoE:
Session ID: 1
AAA:
Authentication state: Authenticated
Authorization state: Authorized
Realtime accounting switch: Open
Realtime accounting interval: 720s
Login time: 2019-02-19 06:27:04:296
Accounting start time: 2019-02-19 06:27:04:561
Online time(hh:mm:ss): 00:00:14
Accounting state: Accounting
Acct start-fail action: Online
Acct update-fail action: Online
Acct quota-out action: Offline
Dual-stack accounting mode: Separate
Idle cut: 865000 sec 10240 bytes, direction: Both
Session timeout: -
Time remained: -
Traffic quota: -
Traffic remained: -
Redirect WebURL: -
ITA policy name: -
MRU: 1492 bytes
IPv4 MTU: 1492 bytes
IPv6 MTU: 1492 bytes
Subscriber ID: -
ACL&QoS:
User profile: -
Session group profile: -
User group acl: -
Inbound CAR: -
Outbound CAR: -
User inbound priority: -
User outbound priority: -
NAT:
Global IP address: 18.1.1.100
Port block: 1024-1123
Flow Statistic:
IPv4 uplink packets/bytes: 0/0
IPv4 downlink packets/bytes: 0/0
IPv6 uplink packets/bytes: 0/0
IPv6 downlink packets/bytes: 0/0
# Display the dynamic port-block entries on the CP.
[CP] display nat port-block dynamic
Local VPN    Local IP         Global IP        Port block    Connections  Extend
---          3.3.0.1          18.1.1.100       1024-1123     0            ---
Total mappings found: 1
# Display the NAT statistics on the CP.
[CP] display nat statistics
Total session entries: 0
Total EIM entries: 0
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 0
Total dynamic port block entries: 645
Active static port block entries: 0
Active dynamic port block entries: 1
# Display detailed information about the PPPoE user on the DP. The NAT section shows the same port block. Username, domain and AAA state are blank on the DP because authentication and accounting are handled by the CP; the DP holds only the forwarding state synchronized from the CP.
[dp] display ppp access-user user-type pppoe verbose
Basic:
Interface: BAS1
PPP index: 0x1400048db
User ID: 0x2800040f
Username: -
Domain: -
Access interface: Vsi1
Service-VLAN/Customer-VLAN: 6/9
VXLAN ID: 10
MAC address: 0010-9405-0002
IP address: 3.3.0.1
IPv6 address: -
IPv6 PD prefix: -
IPv6 ND prefix: -
User address type: private-ipv4
VPN instance: -
Access type: PPPoE
Authentication type: -
PPPoE:
Session ID: 1
AAA:
Redirect WebURL: -
MRU: 1492 bytes
IPv4 MTU: 1492 bytes
IPv6 MTU: 1492 bytes
Subscriber ID: -
ACL&QoS:
User profile: -
Session group profile: -
User group acl: -
Inbound CAR: -
Outbound CAR: -
User inbound priority: -
User outbound priority: -
NAT:
Global IP address: 18.1.1.100
Port block: 1024-1123
# Display the dynamic port-block entries on the DP.
[dp] display nat port-block dynamic
Slot 1:
Local VPN    Local IP         Global IP        Port block    Connections  Extend
---          3.3.0.1          18.1.1.100       1024-1123     0            ---
Total mappings found: 1
# Display the NAT statistics on the DP.
[dp] display nat statistics
Slot 1:
Total session entries: 0
Total EIM entries: 0
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 0
Total dynamic port block entries: 645
Active static port block entries: 0
Active dynamic port block entries: 1
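The port-block table above is what makes CGN traceable. The following added Python helper (example code written for this page, not an H3C tool) parses display nat port-block dynamic output, maps a public address and port back to the subscriber's private address, cross-checks the parsed row count against the total the device prints, and verifies that no two subscribers share a port range on the same public address. The sample output is constructed: its first data row is the row shown above and the second was added to exercise the lookup; the function names are this example's own.

```python
"""Traceability lookup over 'display nat port-block dynamic' output.

Added example, not H3C code. It parses the table printed by the CP and DP
above and answers the CGN question "which subscriber was behind public
address X, port Y?". SAMPLE_OUTPUT is constructed for this example: the first
data row is the one shown above, the second was added to exercise the lookup.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the device's table format.
SAMPLE_OUTPUT = """\
Slot 1:
Local VPN    Local IP         Global IP        Port block    Connections  Extend
---          3.3.0.1          18.1.1.100       1024-1123     0            ---
---          3.3.0.2          18.1.1.100       1124-1223     3            ---
Total mappings found: 2
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ROW = re.compile(
    rf"^(?P<vpn>\S+)\s+(?P<local>{_IP})\s+(?P<glob>{_IP})\s+"
    r"(?P<first>\d+)-(?P<last>\d+)\s+(?P<conns>\d+)\s+(?P<extend>\S+)$"
)
_TOTAL = re.compile(r"^Total mappings found:\s*(\d+)$")


@dataclass(frozen=True)
class Mapping:
    vpn: str          # '---' when the subscriber is not in a VPN instance
    local_ip: str     # private (subscriber) address
    global_ip: str    # public address
    first_port: int
    last_port: int
    connections: int


def parse_port_blocks(output: str) -> List[Mapping]:
    """Return one Mapping per table row; slot, header and total lines are skipped."""
    rows: List[Mapping] = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Mapping(m["vpn"], m["local"], m["glob"],
                                int(m["first"]), int(m["last"]), int(m["conns"])))
    return rows


def declared_total(output: str) -> Optional[int]:
    """The count the device itself printed, used to cross-check the parser."""
    for line in output.splitlines():
        m = _TOTAL.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def find_subscriber(rows: List[Mapping], global_ip: str,
                    port: int) -> Optional[Tuple[str, str]]:
    """Map a public (address, port) to (VPN, private IP); None if no block covers it."""
    for r in rows:
        if r.global_ip == global_ip and r.first_port <= port <= r.last_port:
            return (r.vpn, r.local_ip)
    return None


def overlapping_blocks(rows: List[Mapping]) -> List[Tuple[str, str]]:
    """Pairs of subscribers whose blocks overlap on one public address.

    Any hit means attribution is ambiguous and the table must not be trusted.
    """
    hits: List[Tuple[str, str]] = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if (a.global_ip == b.global_ip
                    and a.first_port <= b.last_port
                    and b.first_port <= a.last_port):
                hits.append((a.local_ip, b.local_ip))
    return hits


if __name__ == "__main__":
    rows = parse_port_blocks(SAMPLE_OUTPUT)
    assert declared_total(SAMPLE_OUTPUT) == len(rows)
    print(find_subscriber(rows, "18.1.1.100", 1100))  # ('---', '3.3.0.1')
    print(overlapping_blocks(rows))                    # []
```

A mapping disappears from this table when the subscriber logs out, and its block is then handed to the next subscriber, so the live table only answers questions about users who are online now. For after-the-fact attribution the same lookup has to be run against the exported port-block logs (the full DP configuration enables nat log and userlog flow export) together with the timestamp of the event.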
· CP
#
clock protocol none
#
sysname cp1_38
#
telnet server enable
#
irf mac-address persistent always
irf auto-update enable
irf auto-merge enable
irf member 1 priority 1
irf member 2 priority 32
#
ospf 1
area 0.0.0.0
network 3.1.1.1 0.0.0.0
network 18.1.1.0 0.0.0.255
#
mpls lsr-id 3.1.1.1
#
ppp flow-statistics frequency fast
ppp access-user log enable successful-login failed-login normal-logout abnormal-logout
undo ppp authentication chasten
#
dhcp enable
dhcp relay client-information record
#
flow-interval 5
#
password-recovery enable
#
irf-port 1
port group interface GigabitEthernet1/2/0
#
irf-port 2
port group interface GigabitEthernet2/2/0
#
openflow controller enable
#
dhcp server ip-pool cp
gateway-list 3.3.1.1 export-route
network 3.3.0.0 mask 255.255.255.0 export-route
forbidden-ip 3.3.1.1
#
mpls ldp
lsr-id 3.1.1.1
#
l2vpn enable
reserved vxlan 100
#
vsi vpna
gateway vsi-interface 1
vxlan 10
tunnel 1
#
interface Virtual-Template1
ppp authentication-mode pap chap domain system
ppp account-statistics enable
#
interface NULL0
#
interface LoopBack1
ip address 3.1.1.1 255.255.255.255
#
interface GigabitEthernet1/1/0
port link-mode route
#
interface GigabitEthernet1/2/0
port link-mode route
#
interface GigabitEthernet2/1/0
port link-mode route
ip address 172.16.55.106 255.255.255.0
#
interface GigabitEthernet2/2/0
port link-mode route
#
interface GigabitEthernet2/3/0
port link-mode route
#
interface Ten-GigabitEthernet1/3/0
port link-mode route
#
interface Ten-GigabitEthernet1/4/0
port link-mode route
#
interface Ten-GigabitEthernet1/5/0
port link-mode route
ip address 18.1.1.2 255.255.255.0
ospfv3 1 area 0.0.0.0
#
interface Ten-GigabitEthernet2/4/0
port link-mode route
undo ipv6 nd ra halt
#
interface Ten-GigabitEthernet2/5/0
port link-mode route
#
interface Vsi-interface1
mac-address 7425-8ae4-158c
undo ipv6 nd ra halt
distributed-gateway local
pppoe-server bind virtual-template 1
pppoe-server control-plane-mode session
#
interface Tunnel1 mode vxlan
source 3.1.1.1
destination 7.1.1.1
#
bgp 100
non-stop-routing
router-id 3.1.1.1
peer 7.1.1.1 as-number 100
peer 7.1.1.1 connect-interface LoopBack1
#
address-family ipv4 unicast
import-route static
peer 7.1.1.1 enable
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0 1
user-role network-operator
#
line con 0 1
user-role network-admin
#
line vty 0 10
authentication-mode none
user-role network-admin
user-role network-operator
idle-timeout 0 0
#
line vty 11 63
user-role network-operator
#
ip route-static 172.16.0.0 16 172.16.55.1
#
radius scheme radius
primary authentication 172.16.55.5 key cipher $c$3$S92xTraV5GVoK4S9yRykj4lG97zMQw==
primary accounting 172.16.55.5 key cipher $c$3$9HbiFNInnjWDtAxSFg5BgcDdUyeXlg==
user-name-format without-domain
#
domain name system
authorization-attribute ip-pool cp
authentication ppp radius-scheme radius
authorization ppp radius-scheme radius
accounting ppp radius-scheme radius
user-address-type private-ipv4
accounting dual-stack separate
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user user1 class network
password cipher $c$3$HpwGTYtW6ZpTkOX47/jjGFbnBvprb6Lv
service-type ppp
authorization-attribute user-role network-operator
#
session synchronization enable
#
nat log port-block usage threshold 50
nat port-block synchronization enable
nat work-mode control-plane
#
nat address-pool cp
ip-block size 1
port-range 1024 65535
port-block block-size 100
address 18.1.1.100 18.1.1.200
#
return
· DP
sysname dp
#
failover group dp
bind slot 1 primary
bind slot 2 secondary
#
telnet server enable
#
irf mac-address persistent always
irf auto-update enable
irf auto-merge enable
irf member 1 priority 10
irf member 2 priority 1
#
lacp system-priority 100
#
ospf 1
area 0.0.0.0
network 7.1.1.1 0.0.0.0
network 15.1.1.0 0.0.0.255
network 18.1.1.0 0.0.0.255
#
pppoe-server work-mode data-plane
#
ppp access-user log enable successful-login failed-login normal-logout abnormal-logout
undo ppp authentication chasten
#
dhcp enable
#
lldp global enable
#
password-recovery enable
#
irf-port 1
#
openflow instance 1
default table-miss permit
undo tcp-connection backup
flow-table mac-ip 1
classification global
data-plane enable
controller 1 address ip 3.1.1.1 local address ip 7.1.1.1
active instance
#
openflow controller enable
#
l2vpn enable
reserved vxlan 100
#
vsi vpna
gateway vsi-interface 1
vxlan 10
tunnel 1
tunnel 6
#
interface Virtual-Template0
timer-hold 0
ppp account-statistics enable
#
interface Virtual-Template1
ppp account-statistics enable
ipv6 address auto link-local
undo ipv6 nd ra halt
#
interface NULL0
#
interface LoopBack1
ip address 7.1.1.1 255.255.255.255
#
interface GigabitEthernet1/1/0
port link-mode route
#
interface GigabitEthernet1/2/0
port link-mode route
#
interface GigabitEthernet1/3/0
port link-mode route
#
interface GigabitEthernet1/4/0
port link-mode route
#
interface GigabitEthernet2/1/0
port link-mode route
#
interface GigabitEthernet2/2/0
port link-mode route
#
interface GigabitEthernet2/3/0
port link-mode route
ip address 23.1.1.1 255.255.255.0
#
interface GigabitEthernet2/8/0
port link-mode route
#
interface Ten-GigabitEthernet1/5/0
port link-mode route
#
interface Ten-GigabitEthernet1/6/0
port link-mode route
ip address 18.1.1.1 255.255.255.0
nat outbound 3100 address-group 1
#
interface Ten-GigabitEthernet1/7/0
port link-mode route
#
interface Ten-GigabitEthernet1/8/0
port link-mode route
ip address 15.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet2/4/0
port link-mode route
#
interface Ten-GigabitEthernet2/5/0
port link-mode route
#
interface Ten-GigabitEthernet2/6/0
port link-mode route
#
interface Ten-GigabitEthernet2/7/0
port link-mode route
#
interface Vsi-interface0
distributed-gateway local
pppoe-server bind virtual-template 0
#
interface Vsi-interface1
distributed-gateway local
pppoe-server bind virtual-template 1
#
interface Tunnel1 mode vxlan
source 7.1.1.1
destination 3.1.1.1
#
interface Tunnel6 mode vxlan-dci
source 7.1.1.1
destination 5.5.5.5
#
bgp 100
non-stop-routing
router-id 7.1.1.1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
peer 3.1.1.1 as-number 100
peer 3.1.1.1 connect-interface LoopBack1
#
address-family ipv4 unicast
import-route direct
import-route static
peer 5.5.5.5 enable
peer 3.1.1.1 enable
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0 1
user-role network-operator
#
line con 0 1
user-role network-admin
#
line vty 0 4
authentication-mode none
user-role network-admin
user-role network-operator
idle-timeout 0 0
#
ip route-static 0.0.0.0 0 18.1.1.2
ip route-static 172.16.55.0 24 172.16.55.1
ip route-static 172.16.55.0 24 172.16.54.1
#
userlog flow export source-ip 172.16.54.237
userlog flow export host b port 65535
#
snmp-agent
snmp-agent local-engineid 800063A2805CDD70C4BD1700000001
snmp-agent community write private
snmp-agent community read public
snmp-agent log get-operation
snmp-agent log set-operation
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 172.16.55.5 params securityname public v2c
#
acl advanced 3100
rule 5 permit ip source 3.3.0.0 0.0.255.255
#
domain name system
authentication ppp local
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
session service-location acl 3100 failover-group dp
session statistics enable
session synchronization enable
#
nat log enable
nat log port-block usage threshold 50
nat log port-block port-usage threshold 40
nat port-block synchronization enable
nat work-mode data-plane
#
nat address-group 1
failover-group dp
port-range 1024 65535
port-block block-size 100
#
l2tp enable
#
return
· H3C vBRAS Series Virtual Broadband Remote Access Servers Configuration Guide-E1218
· H3C vBRAS Series Virtual Broadband Remote Access Servers Command Reference-E1218