Screenshots and examples provided in this documentation are for illustration only. They might differ depending on the hardware model, software version, and configuration. Examples in this document might use devices that differ from your device in hardware model, configuration, or software version.

It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.

About MAN

To achieve high-speed and sustainable development of telecommunications services, it is necessary to seek breakthroughs in network capacity, business models, service provisioning, and O&M. For this purpose, China Telecom has proposed a new MAN solution that focuses on fixed-mobile consolidation, business and network separation, and cloud-network collaboration.

The new MAN evolves from the existing telecommunications MAN structure by incorporating the fabric network architecture and a vBRAS CUPS system to restructure traditional MSE services. It also introduces SRv6 solutions and new hardware for end-to-end network segmentation. Based on technologies like SRv6, EVPN, and FlexE, with the vBRAS system acting as the business control point and coupled with automated service deployment by the SDN controller, this design paves the way for the China Telecom's future-oriented new MAN.

The vBRAS CUPS technology centrally pools the business control layer for reliable service access and efficient resource usage. This technology deploys the CT cloud as the brain of the new-generation MAN to enable intelligent management and scheduling.

Figure 1 Target topology for the new MAN

System description

Technical background

To address issues in traditional BRASs such as mismatched capabilities between the control plane and forwarding plane, lack of resource sharing, and slow new service deployment, the industry has proposed the vBRAS system architecture based on the CUPS technology.

The vBRAS system architecture based on the CUPS technology contains two roles: vBRAS-CP (CP for short) and vBRAS-UP (UP for short), which together fulfill BRAS functions.

· Control planes (CPs)—Provide control plane functions such as user authentication, and address allocation and management.

· User planes (UPs)—Provide user plane functions such as user data traffic forwarding and traffic control. A UP can be one of the following types depending on its form factor:

¡pUP—A physical device acting as a UP. You typically deploy a pUP to provide high forwarding performance, for example, for large-size flow services such as broadband access and IPTV.

¡vUP—A virtual device acting as a UP. With strong computing capability, vUPs can handle large-session, small-traffic demands such as ITMS and VoIP services.

Figure 2 Logic function schematic diagram

System architecture

The vBRAS CUPS architecture was designed in compliance with the ETSI network function virtualization (NFV) framework, as shown in Figure 3. This architecture replaces traditional expensive BRAS physical hardware with cheap commercial x86 servers. It abstracts the network functionalities of traditional BRAS servers into software entities called vBRAS servers. You can quickly add or remove vBRAS servers to accommodate new services or changes that arise as business grows. Each vBRAS server is a failure domain and is self-healing. The issues in one vBRAS server do not affect other vBRAS servers. In addition, this architecture also supports automated deployment.

Figure 3 vBRAS CUPS system architecture

The vBRAS CUPS architecture contains the following components:

· vBRAS-CP—Provides control plane services such as user identification and address allocation and management. A vBRAS-CP is deployed as an expandable pool of resources to provide strong compute performance. A vBRAS-CP is also called a CP for simplicity. The vBRAS-CP architecture contains the following layers:

¡Virtualized network function (VNF) layer—Contains virtualized network functions built on top of network function virtualization infrastructure (NFVI) to provide the same network services as physical network devices. This layer deploys VNFs in the VM form factor and it contains CTRL-VMs, BRAS-VMs, FWD-VMs, and DB-VMs to fulfill vBRAS-CP functionalities.

¡NFVI layer—Virtualizes compute, storage, and network hardware resources into virtualized resources for deployment of VNFs. The vBRAS CUPS architecture uses the H3C CAS cloud platform as the NFVI.

¡x86 server layer—Provides underlying physical hardware resources.

· vBRAS-UP—Provides forwarding plane services to forward data packets and control traffic. A vBRAS-UP is also called a UP for simplicity. A UP can be one of the following types depending on its form factor:

¡vBRAS-pUP—The UP is a physical device. A vBRAS-pUP is also called a pUP for simplicity. You typically deploy a pUP to provide high forwarding performance, for example, for large-size flow services such as broadband access and IPTV.

¡vBRAS-vUP—The UP is a virtual device. A vBRAS-vUP is also called a vUP for simplicity. With strong computing capability, vUPs can handle large-session, small-traffic demands such as ITMS and VoIP services. A distributed vUP contains MPU-VMs and LPU-VMs.

· Each CP and UP pair has a set of management, control, and protocol channels for management, control, and network service purposes, respectively.

¡Management channel—A NETCONF connection for the CP to obtain data from the UP or configure the UP. For example, the CP can use this channel to create subinterfaces and issue BRAS services to the UP.

¡Control channel—A Control-/User-plane Separation Protocol (CUSP) channel for control purposes when a physical router or vBRAS acts as a UP. The CP deploys service table entries and the UP obtains service table entries or reports its interface resource information over this channel.

¡Protocol channel—A VXLAN Generic Protocol Extension (GPE) tunnel over which the CP and the UP exchange network service protocol packets, such as DHCP, ARP, and PPPoE protocol packets. VXLAN GPE extends VXLAN to provide additional capabilities. The UP can transfer information such as port type, port number, and VLAN ID in the extended VXLAN header to the CP for purposes such as authentication and IP address allocation.

· Service system—Contains servers such as AAA servers, DHCP servers, and portal servers to provide network services including user authentication, authorization, accounting, address allocation, and security policy management.

· Element management system (EMS)—Provides remote management of network elements and network maintenance.

· Management and orchestration (MANO) system—Provides lifecycle management and orchestration of network resources, including the hardware and software resources in the NFVI and VNFs. The MANO system contains the following components:

¡Virtualized infrastructure manager (VIM)—Manages, monitors, and optimizes physical and virtual resources. This architecture uses the H3C CloudOS as the VIM.

¡Virtualized network function manager (VNFM)—Provides lifecycle management of VNFs. This architecture uses the H3C VNFM-Manager as the VNFM.

¡Network function virtualization orchestrator (NFVO)—Orchestrates and manages the infrastructure and upper layer software resources to provide network services. This architecture uses the H3C VNFM-vBRAS as the NFVO.

vBRAS-CP and vBRAS-UP functionalities

As shown in Figure 4, the CPs and UPs in a vBRAS CUPS system are vBRAS-CPs and vBRAS-UPs, respectively.

Figure 4 Architecture of a vBRAS CUPS system

A vBRAS-CP provides access control and management. The following are its major components:

· ACC—Provides user access control. It processes access requests received from a vBRAS-UP for establishment of network connections for users, such as PPPoE and IPoE connections.

· UCM—Provides user session management and user policy management.

¡User session entry management—Generates and pushes user session entries to vBRAS-UPs. The vBRAS-UPs forward user traffic based on the session entries.

¡User policy management—Manages authentication, accounting, authorization, address allocation, and QoS policies.

· AAA—Works with the AAA server to provide authentication, authorization, and accounting for users.

· UNICFG—Configures BRAS services and automatically deploys the configuration to all its managed vBRAS-UPs.

· DHCP—Manages IP address resources.

· UPMGR—Manages vBRAS-UP Join and Exit events and the communication channels between the vBRAS-CP and vBRAS-UPs.

vBRAS-UPs are user policy enforcement points located at the edges of a Layer 3 network. They provide UP functionalities, including traffic forwarding, traffic statistics, and QoS policy enforcement.

Software architecture

vBRAS-CP

As shown in Figure 5, a vBRAS-CP contains CTRL-VMs, BRAS-VMs, FWD-VMs, and DB-VMs.

Figure 5 Software architecture of a vBRAS-CP

Table 2 Functionalities of the VMs in a vBRAS-UP

VM	Functionalities	Slot number assignment	Remarks
CTRL-VM	· CP and UP management. · Configuration management. · Address allocation. · CP backup and recovery. · Elastic capacity scalability.	1 and 2	Each vBRAS-CP has one CTRL-VM or two CTRL-VMs. Two CTRL-VMs automatically form a CTRL-VM group, with the group number fixed at 1. Each CTRL-VM group is one network element as a whole. In a CTRL-VM group, one CTRL-VM is the master, and the other is the standby node. The standby CTRL-VM backs up the master while the master is operating correctly and takes over when the master CTRL-VM fails.
BRAS-VM	BRAS-VMs are managed by the master CTRL-VM. They provide the following functionalities: · Remote interface management. · User management. · User access control. · AAA. · UP backup and recovery.	97 to 224	Each vBRAS-CP has one or multiple BRAS-VMs. Every two BRAS-VMs with consecutive slot numbers form a BRAS-VM group, starting from slot 97. The BRAS-VM groups are numbered starting from 66. For example, the BRAS-VMs in slots 97 and 98 form BRAS-VM group 66. The BRAS-VMs in slots 99 and 100 form BRAS-VM group 67. Each BRAS-VM group is one network element as a whole. In a BRAS-VM group, one BRAS-VM is the master, and the other is the standby node. The standby BRAS-VM backs up the master while the master is operating correctly and takes over when the master BRAS-VM fails.
FWD-VM	FWD-VMs are managed by the master CTRL-VM. They provide the following functionalities: · Communication and packet forwarding between BRAS-VMs and UPs. · Packet forwarding between BRAS-VMs and external systems such as RADIUS servers and Web servers.	5 and 6 (The value range from 7 to 96 is reserved for future use.)	Each vBRAS-CP contains a maximum of two FWD-VMs. Each FWD-VM is a network element. They do not form a group as do the CTRL-VMs.
DB-VM	DB-VMs store data backed up from CTRL-VMs and BRAS-VMs.	N/A	You must deploy a minimum of four DB-VMs. The DB-VMs form a Codis cluster.

vBRAS-UP

No special requirements are imposed on pUPs and vUPs in a centralized architecture. A distributed vUP contains MPU-VMs and LPU-VMs.

Figure 6 Software architecture of a distributed vBRAS-UP

Table 3 Functionalities of the VMs in a vBRAS-UP

VM	Functionalities	Slot number assignment	Remarks
MPU-VM	· Manages vUPs. · Provides control plane and management plane services of the vUP system.	1 and 2	A vBRAS-UP has one MPU-VM or two MPU-VMs. One MPU-VM is the master, and the other is the standby node. The standby MPU-VM backs up the master while the master is operating correctly and takes over when the master MPU-VM fails.
LPU-VM	· Processes user services. · Forwards packets.	5 to 36	A vBRAS-UP has one or multiple LPU-VMs. Multiple LPU-VMs form a scale group. For more information about scale groups, see vUP scaling in CP and UP Separation Configuration Guide.

Functionalities

Slot number assignment

Remarks

MPU-VM

· Manages vUPs.

· Provides control plane and management plane services of the vUP system.

1 and 2

A vBRAS-UP has one MPU-VM or two MPU-VMs.

One MPU-VM is the master, and the other is the standby node. The standby MPU-VM backs up the master while the master is operating correctly and takes over when the master MPU-VM fails.

LPU-VM

· Processes user services.

· Forwards packets.

5 to 36

A vBRAS-UP has one or multiple LPU-VMs.

Multiple LPU-VMs form a scale group.

For more information about scale groups, see vUP scaling in CP and UP Separation Configuration Guide.

Operating mechanism

A vBRAS system allows dynamic PPPoE, L2TP, and IPoE access.

Figure 7 uses PPPoE as an example to describe how a vBRAS system establishes a network session for a user to access the network.

Figure 7 PPPoE access procedure

A vBRAS CUPS system uses the following procedure to provide network access services to a PPPoE user:

1. A UP receives a PPPoE discovery packet from a host. (The packets sent in the discovery phase are collectively called discovery packets.)

2. The UP sends the packet over the protocol channel (a VXLAN GPE tunnel) to the CP.

3. Upon receiving the discovery packet, the CP selects an access interface based on the load balancing UP backup profile.

4. The CP creates a PPPoE session and sends an authentication request to the AAA server. The request contains the user's username and password.

5. The CP takes action depending on the authentication result received from the AAA server.

¡ If the authentication fails, the CP notifies the UP to disconnect the user.

¡ If the authentication succeeds, the CP proceeds to the NCP negotiation phase.

6. If NCP negotiation succeeds, the CP pushes the PPPoE session entry to the UP over the control channel (for example, a CUSP channel).

7. The CP sends an accounting start request to the AAA server to start accounting for the user.

8. The UP collects user traffic statistics regularly and sends the statistics to the CP over the control channel.

9. The CP sends the traffic statistics to the AAA server for user accounting.

CUPS technology

CP-UP channels

About CP-UP channels

Before deploying user services, you must set up channels for each CP and UP pair for communication. The channels are used for exchanging protocol packets and deploying BRAS service configuration and entries.

As shown in Figure 8, you must set up a management channel, a control channel, and a protocol channel for a CP and UP pair.

Figure 8 CP-UP channels

Channel types

Management channel

The management channel is a NETCONF connection for the CP to obtain data from the UP or configure the UP. For example, the CP can use this channel to create subinterfaces and issue BRAS services to the UP.

Figure 9 Management channel

Control channel

The control channel is a Control-/User-plane Separation Protocol (CUSP) channel for control purposes. The CP deploys user entries (for example, PPPoE or IPoE user entries) and the UP obtains user entries or reports its interface resource information over this channel.

Figure 10 Control channel

Protocol channel

The protocol channel is a VXLAN Generic Protocol Extension (GPE) tunnel over which the CP and the UP exchange network service protocol packets, such as DHCP, ARP, and PPPoE protocol packets.

Figure 11 Protocol channel

Operating mechanism

As shown in Figure 12, the CP and UP operate over the CP-UP channels as follows when a user comes online:

1. Establish a NETCONF management channel between the CP and UP.

2. The CP uses the NETCONF management channel to deploy configuration to the UP, such as CUSP, VXLAN, and BRAS service configuration.

3. The UP uses the configuration to establish the CUSP control channel and VXLAN protocol channel with the CP.

4. A user sends an online request to the UP.

5. The UP forwards the online request over the VXLAN protocol channel to the CP.

6. The CP processes the online request.

7. The CP interacts with the AAA and DHCP servers to complete user authentication and address allocation, and creates a user entry.

8. The CP deploys the user entry to the UP over the CUSP control channel.

Figure 12 Operating mechanism

After the user comes online successfully, the UP guides user data packet forwarding based on the received user entry and periodically reports user traffic statistics to the CP over the CUSP control channel. Upon receiving user traffic statistics, the CP sends the statistics to the AAA server for user accounting.

Typical networking

As shown in Figure 13, the vBRAS CUPS network uses a vBRAS-CP as the control plane to provide strong compute performance and a vUP and pUPs as the user plane.

· A vUP can provide high compute performance for small-size-flow and session-intensive services such as ITMS and VoIP.

· A pUP can provide high forwarding performance for large-size flow services such as broadband access and IPTV.

Figure 13 Network diagram

CPDR

Technical background

Facing unforeseeable events such as earthquakes and fires, local data backup cannot ensure no loss of backup data and cannot meet the carriers’ requirements for the availability, real-time performance, and security of service systems. To minimize enterprise losses due to backup data loss caused by unforeseeable events, the industry has introduced remote disaster recovery.

Control plane disaster recovery (CPDR) backs up data between the CPs in two data centers on a vBRAS CUPS network. When a DC suffers from a disaster, the other DC can rapidly take over user services.

Figure 14 CPDR functionality

Basic concepts

CPDR has the following basic concepts:

· CPDR group—CPs use CPDR groups to manage UPs. In a CPDR group pair, one group is the master and the other is the backup.

· Master and backup roles—A CP has the master role if the master CPDR group is created on it, and has a backup role if the back CPDR group is created on it. Only the master CP processes user services. A CPDR group can use the following types of roles:

¡ Configured role—Role configured by using the set role command. The configured role does not change if no configuration changes occur.

¡ Negotiated role—Role negotiated based on the specified settings. The negotiated role does not change if no configuration changes occur.

¡ Running role—Role that actually takes effect.

- When the heartbeat channel is correctly set up, the running role is the negotiated role.

- If the heartbeat channel is not set up because of network failure or incorrect IP address configuration for the CPDR channel, the CPDR groups cannot negotiate roles. In this case, the running role is the configured role.

The running role for a CPDR group might change upon a master/backup switchover or reconnection of the heartbeat channel. Unless otherwise specified, the master or backup role is represented by the running role of the CPDR group.

· CPDR group ID—A CPDR group is unique on a per CP basis. The master and backup CPs form a redundant pair with a CPDR group ID. The CPDR groups in the same redundant pair must have the same ID.

· CPDR group priority—Used in role election for CPDR groups. The CPDR group with a higher priority is the master.

· Faulty CU connections—Number of UPs with CUSP connection failures in a CPDR group.

· CU connection failure ratio—The CU connection failure ratio is calculated as follows:

¡ If a UP backup group has multiple UPs added to a CPDR group, value 1 is subtracted from total UPs in the CPDR group. Among a number of n such UP backup groups, if a number of m UP backup groups contain faulty UPs, the CU connection failure ratio = (faulty CU connections - m) / (total UPs in the CPDR group - n) × 100%.

¡ In other cases, the CU connection failure ratio = (faulty CU connections) / (total UPs in the CPDR group) × 100%.

· CPDR tunnel group—In the N:1 backup network, you must configure the parameters (such as the local and peer IP addresses) for establishing CPDR channels for each CPDR group based on CPDR tunnel group.

· CPDR tunnel group ID—As a best practice, bind the CPDR tunnel group with the same ID to the master and backup CPDR groups in a pair.

· Heartbeat channel—A TCP connection established between two CTRL-VMs for configuration negotiation, heartbeat channel detection, and CU connection state and CPDR group data synchronization.

· Data backup channel—A TCP connection established between two BRAS-VMs for backing up user data and service module data.

· Protection channel—A GRE tunnel established between two FWD-VMs. When the FWD-VM in the backup CPDR group receives a packet destined for the CPDR loopback interface, it forwards the packet to the FWD-VM in the master CPDR group through the protection channel. (A CPDR loopback interface is specified in the radius source-interface and web-auth source-interface commands.) This ensures that only the CP in the master CPDR group processes packets used for communication between the servers (such as RADIUS server and Web authentication server) and the CPs.

Benefits

When a fault occurs in the local disaster recovery backup center network, the remote disaster recovery backup center can quickly take over user services.

· Users are not aware of any network fault, which improves their network access experience.

· It improves the risk-resistance capability of carriers, which significantly enhances the network reliability.

Operating mechanism

CPDR operates as follows:

1. CPDR establishes a heartbeat channel and multiple data backup channels between the master and backup CPs.

2. CPDR creates CPDR groups on the master and backup CPs, and adds UPs to the CPDR groups.

3. The UPs establish CUSP channels to the CPs of the master and backup CPDR groups, respectively.

4. The master and backup CPDR groups notify their roles through the CUSP channels to the UPs. The UPs take the CP in the master CPDR group as the master CP, and the CP in the backup CPDR group as the backup CP. The UPs exchange protocol and service packets with only the master CP.

5. The UPs deliver user packets to the master CP, and the master CP performs user authentication and authorization.

6. When the master CP is unavailable or the CU connection failure ratio meets the specified criteria, the backup CP takes over. The new master will recover user data from the backup CP or require the user to come online again, depending on the configured backup mode.

Figure 15 Operating mechanism

Backup modes

CPDR supports the hot backup and cold backup modes.

Hot backup mode

In hot backup mode, the master CP backs up user data to the backup CP through the data backup channel. When a master/backup switchover occurs, the new master CP quickly takes over user services based on the locally backed up user data. The users stay online after a master/backup switchover.

Figure 16 Hot backup mode

Cold backup mode

In cold backup mode, the master CP does not back up user data to the backup CP. The users must come online on the new CP again after a master/backup switchover.

Figure 17 Cold backup mode

Application modes

CPDR supports the load sharing, master/backup, and N:1 backup application modes.

Load sharing mode

In load sharing mode, both master and backup CPs work simultaneously. You create two pairs of CPDR groups for load sharing. Each CPDR group pair contains a master and a backup (with the same ID) and contains the same UPs. Different CPDR groups on the same CP have different master and backup roles. Different CPs only manage a part of the UP services, reducing the service pressure on a single point and improving the device usage.

In this mode, you must create two CPDR groups on both CPs, and assign different roles to the same CPDR group on the CPs to form a CPDR group pair. For example, if you assign the master role to a CPDR group on one CP, you must assign the backup role to the same CPDR group on the other CP.

Master/backup mode

In master/backup mode, the master CP works, and the backup CP backs up data. You create a pair of CPDR groups (a master and a backup) that contain the same UPs for backup. When a switchover occurs on the CP where the master CPDR group resides, the CP where the backup CPDR group resides can take over the user services on these UPs.

In this mode, you must create the same CPDR group (with the same name and ID) on the two CPs and assign the master role to the CPDR group on one CP and the backup role to the CPDR group on the other CP.

N:1 backup mode

In N:1 backup mode, N master CPs work simultaneously and one backup CP backs up data. You create N pairs of CPDR groups on N + 1 CPs. Each CPDR group pair contains a master and a backup (with the same ID) and contains the same UPs. Deploy N master CPDR groups to N master CPs and N backup CPDR groups to one backup CP. This deployment enables multiple data centers to share one backup data center. For example, you can specify CP 1 and CP 2 as master CPs and CP 3 as the backup CP to implement 2:1 backup as follows:

· On CP 1, create CPDR group with name group1 and ID 1, and assign the master role to the CPDR group.

· On CP 2, create CPDR group with name group2 and ID 2, and assign the master role to the CPDR group.

· On CP 3, create CPDR group with name group1 and ID 1, and assign the backup role to the CPDR group. Create CPDR group with name group2 and ID 2, and assign the backup role to the CPDR group.

Role switchover modes

CPDR supports automatic role switchover and manual role switchover through a command. By default, a CPDR group does not automatically perform a master/backup switchover upon failures. To perform a switchover, you must execute the switchover force command. For user service continuity, configure automatic role switchover upon CPDR group failure on both the master and backup CPDR groups to enable the backup to automatically take over when the master fails.

Automatic role switchover

Automatic role switchover upon CPDR group failure

· About automatic role switchover upon CPDR group failure

By default, automatic role switchover upon CPDR group failure is disabled. A CPDR group does not automatically perform a master/backup switchover upon failures.

After you enable automatic role switchover upon CPDR group failure, the backup CPDR group takes over as the master if the following criteria are still met after the specified switchover delay timer expires.

¡ The CU connection failure ratio on the master CPDR group reaches or exceeds the specified threshold.

¡ The CU connection failure ratio on the backup CPDR group is lower than that on the master CPDR group.

· Commands

¡ Use switchover auto enable to enable automatic role switchover upon CPDR group failure. By default, this feature is disabled.

¡ Use switchover control-tunnel-down threshold to configure the CU connection failure ratio threshold to trigger switchover. The default setting is 100%.

¡ Use switchover control-tunnel-down delay to configure the delay timer for switchover upon CU connection failure. The default setting is 30 seconds.

Automatic role switchover upon failure recovery of the original master

· About automatic role switchover upon failure recovery of the original master

By default, a backup CPDR group (original master) does not automatically switch back to the master role when the failure is recovered. To perform a switchover, configure this mode on the original master to enable it to automatically switch back to master upon failure recovery.

With this mode configured, the backup CPDR group starts a delay timer when the CU connection failure ratio on the backup drops to or below the failure recovery threshold. When the delay timer expires, the backup CPDR group sends a switchover request to the peer if the criterion is still met.

¡ If the backup CPDR group receives a response that acknowledges the request within 15 seconds (no configurable), it starts switchover to master. The peer starts switchover to backup.

¡ If the backup CPDR group receives a response that denies the request within 15 seconds, it starts the delay timer again. When the delay timer expires, the backup CPDR group sends a switchover request to the peer again if the switchover criterion is still met.

¡ If the backup CPDR group receives no response within 15 seconds, it starts switchover to master.

· Commands

¡ Use failure-recovery auto enable to enable automatic role switchover upon failure recovery of the original master. By default, this feature is disabled.

¡ Use failure-recovery threshold to configure the CU connection failure ratio threshold to trigger switchover on the original master. The default setting is 0%.

¡ Use failure-recovery delay to configure the delay timer for switchover upon failure recovery on the original master. The default setting is 1800 seconds.

Manual role switchover

About manual role switchover

By default, a CPDR group does not automatically perform a master/backup switchover upon failures. To manually perform a switchover, execute the switchover force command.

After the original master recovers from a failure, you can use the command to perform a manual role switchover. The command is not saved to the configuration file.

You can perform manual role switchover on the master or backup CP.

· After you execute the switchover force to-backup command on the master CP, if the CPDR channels are normal, the master CP switches to backup, and the backup CP switches to master. If the CPDR channels are abnormal, role switchover is not allowed.

· After you execute the switchover force to-master command on the backup CP, the backup CP switches to master (ignoring the heartbeat channel state) and increases the priority. The master CP switches to backup (after the heartbeat channel recovers from a failure).

· After you execute the switchover force to-master command on the master CP, the master CP keeps its role unchanged and increases the priority by 1.

· After you execute the switchover force to-backup command on the backup CP, the backup CP retains its role and priority.

Manual switchover to the backup role

When you execute the switchover force to-backup command, the system identifies whether the current CPDR group is stable:

· If the CPDR group is stable, the system identifies the running role of the current CTRL-VM.

¡ If the running role is the master CP, the system identifies whether a heartbeat channel is established.

- If a heartbeat channel has been established, the system notifies the backup CP of role switchover.

- If no heartbeat channel is established, the system forcibly switches the master CP to backup.

¡ If the running role is the backup CP, its role remains unchanged.

· If the CPDR group is unstable, manual role switchover is not allowed. The system will prompt a command deployment error.

Manual switchover to the master role

When you execute the switchover force to-master command, the system identifies whether the current CPDR group is stable:

· If the CPDR group is stable, the system identifies the running role of the current CTRL-VM.

¡ If the running role is the master CP, its role remains unchanged and its priority increases. The new priority is deployed to the BRAS-VM.

¡ If the running role is the backup CP, the system forcibly switches the backup CP to master and the peer master CP to backup.

· If the CPDR group is unstable, manual role switchover is not allowed.

Switchover delay timer

Delay timer for automatic role switchover upon CPDR group failure

· About the delay timer for automatic role switchover upon CPDR group failure

Configure the delay timer for the backup CPDR group to be switched to master when it detects the master CPDR group is faulty. After you enable automatic role switchover upon CPDR group failure, the backup CPDR group takes over as the master if the following criteria are still met after the specified switchover delay timer expires.

¡ The CU connection failure ratio on the master CPDR group reaches or exceeds the specified threshold.

¡ The CU connection failure ratio on the backup CPDR group is lower than that on the master CPDR group.

· Commands

Use switchover control-tunnel-down delay to configure the delay timer for switchover upon CU connection failure. The default setting is 30 seconds.

Delay timer for automatic role switchover upon failure recovery of the original master

· About the delay timer for automatic role switchover upon failure recovery of the original master

After you enable automatic role switchover upon failure recovery of the original master, the backup CPDR group starts a delay timer when the CU connection failure ratio on the backup drops to or below the failure recovery threshold. When the delay timer expires, the backup CPDR group sends a switchover request to the peer if the criterion is still met.

· Commands

Use the failure-recovery delay command to configure the delay timer for switchover upon failure recovery of the original master. The default setting is 1800 seconds.

UP backup

Background

In a vBRAS CP and UP separation (CUPS) scenario, UPs implement forwarding plane functions, such as user traffic forwarding and traffic control. Users access the network and come online through UPs. When a UP fails or a link between the user and the UP fails, service are interrupted for all users that come online through this UP.

You can add multiple UPs to a UP backup group. The interfaces on the UPs form a backup or load sharing relationship. This provides device-level redundancy protection and enhances network availability.

Figure 18 UP backup functionality

Basic concepts

UP backup performs backup based on the interface granularity, providing availability protection for user services at the UP side. The basic concepts for the UP backup feature are as follows:

· UP backup group—A UP backup group contains multiple UPs for interface-based user service backup.

· UP backup profile—You can create UP backup profiles in corresponding UP backup modes based on service demands, and specify the master and backup interfaces for the UP backup profiles.

· Master interface—The interface that carries user services.

· Backup interface—The interface used as backup for the master interface. When the master interface fails, the backup interface takes over to forward user traffic.

· Master UP—The UP where the master interface resides in the associated UP backup profile.

· Backup UP—The UP where the backup interface resides in the associated UP backup profile.

· Switchover—When the master interface fails, the backup interface takes over to forward user traffic.

· Switch-back—When the master interface recovers, traffic switches back to the master interface.

Operating mechanism

A CP manages multiple UPs, and performs backup between interfaces on different UPs. When the master UP or interface fails, the CP instructs the backup UP or interface to immediately take over to ensure uninterrupted user traffic and reduce the impact on services caused by device failure.

Backup modes

Based on application scenarios, UP backup supports 1:1 hot standby mode, N:1 warm standby mode, 1:N warm load balancing mode, and load balancing mode.

1:1 hot standby mode

In 1:1 hot standby mode, a master interface and a backup interface back up each other. The CP device issues session information to both the master and backup interfaces. When the master interface fails, the backup UP immediately takes over to ensure user service continuity. This mode is applicable to the scenarios with relatively high availability requirements.

N:1 warm standby mode

In N:1 warm standby mode, multiple master interfaces use one backup interface for backup. The master interfaces load share services. The CP issues the user session information to only the master UP. When a master interface or master UP fails, the CP issues session information to the original backup UP. The original backup UP then takes over the user services with short user service interruption time.

The following warm standby modes are available:

· Common warm standby mode—The backup interface provides backup services only for the master interface that fails first. If an additional master interface fails, no more backup interfaces are available, and users cannot come online through this master interface.

· Enhanced warm standby mode—The backup interface can provide backup services for multiple master interfaces to enhance service availability.

1:N warm load balancing mode

1:N warm load balancing mode contains a number of N + 1 (1 ≤ N ≤ 15) master interfaces and does not contain any backup interfaces. A master interface forms a backup relationship with each of the N master interfaces. Each pair of master interfaces (a primary master interface and a secondary master interface) corresponds to a unique virtual MAC address automatically generated by the system. A number of N + 1 master interfaces can form a total of N × (N + 1) backup pairs and N × (N + 1) virtual MAC addresses.

When a user comes online, the CP selects the master interface with the fewest online users from the UP backup profile as the primary master. If multiple interfaces have the fewest online users, the CP selects one of them based on specific principles as the primary master. When any master interface fails, user traffic on the master interface are automatically load shared among the other N interfaces based on the virtual MAC address.

Load balancing mode

This mode contains N master interfaces and does not contain any backup interfaces. The master interfaces load share services. When a master UP or master UP fails, users coming online through this interface will not switch to other master interfaces. Instead, the users will be forced offline. Then the users can come online again through another master interface without any faults.

Fault detection

In the vBRAS CUPS scenario, the system must perform fault detection for master/backup switchover to implement UP backup. UP backup supports fault detection mechanisms based on user-side interface state, network-side interface state, and CUSP state.

The CP will receive fault information reported through different detection methods as configured, and instructs master/backup switchover based on the information.

Fault detection based on user-side interface state

In the vBRAS CUPS scenario, the CP issues a tag to the user-side interface used when users come online to identify the interface. The up/down state of the user-side interface can then be reported to the CP through the CUSP protocol. When the user-side interface fails, the master interface state changes to down. The UP then reports the fault information to the CP to trigger master/backup switchover.

Fault detection based on network-side interface state

In the vBRAS CUPS scenario, the UP uses the Track feature to monitor the up/down state of the network-side interface. When a network-side interface failure occurs, Track notifies the track entry status to the UP, which then reports the failure information to CP, triggering master/backup switchover.

You can configure fault detection based on network-side interface state as needed.

Fault detection based on CUSP connection state

In the vBRAS CUPS scenario, the CP performs master/backup UP or interface switchover based on the CUSP connection state. When the CUSP connection between the CP and a UP recovers, the CP performs master/backup switchover for the UP or interface on the UP after a period of time upon the recovery. The CP can detect the CUSP connection state without requiring report from the UP.

If CUSP state-based detection is configured, link flapping might result in frequent master/backup switchovers. You can configure the switchover delay upon CUSP channel failure and CUSP channel failure recovery. This configuration prevents the CP to frequently perform master/backup UP or interface switchovers when link flapping occurs between the CP and UP. Too short a switchover delay might cause frequent master/backup switchovers, which affect the normal operation of UP backup. Too long a switchover delay might cause late master/backup switchovers when a CUSP channel is interrupted, which causes long traffic interruption time.

You can configure fault detection based on CUSP connection state as needed. You can associate the CUSP connection with Bidirectional Forwarding Detection (BFD) based on network requirements. This configuration enables the CUSP controller to create a BFD session for a new CUSP connection to fast detect CUSP connection faults.

Fault detection between UPs

In a vBRAS CUPS network, the CUSP connection between UP and CP passes through multiple levels of devices. If the CUSP connection state is abnormal but the UP is operating correctly, a master/backup switchover will be performed, resulting in a waste of resources. The CUSP channel state cannot be used to determine UP failure.

To resolve the issue that an actual UP failure cannot be reported to the CP because the CUSP connection is disconnected, you can configure a UP to use Track to monitor the network-side link state on another UP in the same UP backup group.

Associate the Track module on the monitoring UP with the Track module on the monitored UP, and use Track to monitor network-side interface failures on the monitored UP. When a network-side interface failure occurs on the monitored UP, Track notifies the track entry status to the monitoring UP, which then reports the failure information to CP.

Upon receiving the failure information, the CP instructs the master/backup interface switchover on the UP where the faulty interface resides based on the state of the CUSP connection between the CP and UP. If the CP detects that the CUSP connection with the monitored UP is disconnected, a master/backup switchover is performed. If the CP does not detect the CUSP connection failure, the master/backup switchover is not performed. Fault detection between UPs applies to the scenario where the network-side interface shares the same link egress as the CUSP protocol.

Switchover upon failure

This document takes the 1:2 warm standby mode as an example to illustrate the switchover processes for UP backup in different service scenarios.

Switchover upon failure in the CGN service scenario

Carrier Grade NAT (CGN) is also called large-scale NAT (LSN). Traditionally, NAT is typically deployed on the Customer Premises Equipment (CPE), which translates a small number of user IP addresses. You can deploy CGN to the ISP network by inserting a CGN module into a device such as (BRAS). This implements IP address translation for a large number of users, greatly improving the number of supported concurrent users, performance, and source tracking.

The CGN service adopts the hot standby deployment mode within the chassis and cold backup deployment mode between chassis. The CGN service and the master/backup relationship of UPs do not affect each other. When a CGN service or UP master/backup switchover occurs, users remain online. The CGN service will re-apply for a public IP address for users.

In the CGN service scenario, a master/backup switchover is triggered upon user-side interface failure of the UP, network-side interface failure of the UP, UP failure, or CGN module failure.

1. User-side interface failure of the UP

As shown in Figure 19, a network-side interface failure on UP 1 triggers a master/backup switchover for the UP. The CGN service is not backed up and switches over with the UP. User traffic on UP 1 is then load shared among UP 2 and UP 3. After UP switchover, the CGN service automatically re-applies a public IP address on the new UP for users that switch over to the new UP.

Figure 19 User-side interface of the UP

2. UP failure or network-side interface failure

As shown in Figure 20, failure of UP 1 or a network-side interface failure on UP 1 triggers a master/backup switchover for the UP. The CGN service is not backed up and switches over with the UP. User traffic on UP 1 is then load shared among UP 2 and UP 3. After UP switchover, the CGN service automatically re-applies a public IP address on the new UP for users that switch over to the new UP.

Figure 20 UP failure or network-side interface failure

3. CGN module failure

As shown in Figure 21, if only one CGN module fails on UP 1, switchover is not performed. If both CGN modules fail, a network-side failure is triggered and reported to the CP, and a master/backup switchover is performed for the UP. The CGN service is not backed up and switches over with the UP. User traffic on UP 1 is then load shared among UP 2 and UP 3. After UP switchover, the CGN service automatically re-applies a public IP address on the new UP for users that switch over to the new UP.

Figure 21 CGN module failure

Switchover upon failure in the L2TP service scenario

Layer 2 Tunneling Protocol (L2TP) establishes point-to-point L2TP tunnels over a public network (such as the Internet) to transfer encapsulated Point-to-Point Protocol (PPP) data frames. This enables remote users (such as offsite enterprise branch users and business travelers) to use PPP to access the public network and then communicate with the enterprise's internal network through the L2TP tunnel. This facilitates secure, cost-effective, and efficient remote access to a private enterprise network for remote users.

Currently, L2TP services are deployed without using the backup mechanism. As shown in Figure 22, the paths for both uplink and downlink traffic for users are consistent, and no switchover bypass situations exist.

Figure 22 L2TP user traffic processing

In the L2TP service scenario, when a user-side interface failure of the UP, network-side interface failure of the UP, or UP failure occurs, users go offline because L2TP services are not backed up. They can come online through dial-up again. In earlier versions of the vBRAS CUPS environment, master/backup switchover in the L2TP service scenario requires using a protection tunnel. The mechanism is different from the implementation described in this document. In this document, each UP uses a fixed loopback interface address to communicate with the LNS. This facilitates deployment because no backup mechanism is used and no protection tunnel is required to be configured.

1. User-side interface failure of the UP

As shown in Figure 23, the user-side interface on UP 1 is faulty, the CUSP control channel is operating correctly, and the service link is disconnected. UP 1 reports the fault information to CP through the CUSP protocol. CP then informs the UP to perform master/backup switchover. Upon detecting no L2TP service backup configuration on UP 1, CP forces users on UP 1 to go offline. Subsequent offline users can dial up again to come online through UP 2 and UP 3 in a load-balanced manner.

Figure 23 User-side interface failure of the UP

When the failure is recovered, UP 1 reports the failure recovery information to CP through the CUSP protocol. CP informs UP 1 to switch to master, and then informs UP 2 and UP 3 to switch to backup. After the failure is recovered, upon detecting no L2TP service backup configuration on UP 2 and UP 3, CP forces users on UP 2 and UP 3 to go offline. Subsequent offline users can dial up again to come online through UP 1. Both uplink and downlink user traffic switch back to the links attached to UP 1.

2. UP failure or network-side interface failure

As shown in Figure 24, when UP 1 or the network-side interface on UP 1 is faulty, both the CUSP control channel and the service link are disconnected. CP detects the CUSP connection state anomaly and informs the UP to perform master/backup switchover. Upon detecting no L2TP service backup configuration on UP 1, CP forces users on UP 1 to go offline. Subsequent offline users can dial up again to come online through UP 2 and UP 3 in a load-balanced manner.

Figure 24 UP failure or network-side interface failure

When the failure is recovered, CP detects that the CUSP connection is restored, and then restores the connection to the UP. After the CP-to-UP connection failure is recovered, CP informs UP 1 to switch to master, and then informs UP 2 and UP 3 to switch to backup. After the failure is recovered, upon detecting no L2TP service backup configuration on UP 2 and UP 3, CP forces users on UP 2 and UP 3 to go offline. Subsequent offline users can dial up again to come online through UP 1. Both uplink and downlink user traffic switches back to the links attached to UP 1.

Switchover upon failure in the other service scenarios

In other scenarios, switchover upon failure is not associated with protocol tunnels. Instead, it is associated with only the priority of user routes. User traffic is switched according to route switchover.

1. User-side interface failure of the UP

As shown in Figure 23, the user-side interface on UP 1 is faulty, the CUSP control channel is operating correctly, and the service link is disconnected. UP 1 reports the fault information to CP through the CUSP protocol. CP then informs the UP to perform master/backup switchover. The priority for the route issued to UP 1 by CP decreases (the route cost is changed from 10 to 20), and priority for the routes issued to UP 2 and UP 3 increases (the route cost is changed from 20 to 9). When a failure occurs, CR learns the routes with higher priority (with cost 9). After route convergence, both uplink and downlink traffic are load-balanced to the links attached to UP 2 and UP 3.

Figure 25 User-side interface of the UP

When the failure is recovered, UP 1 reports the failure recovery information to CP through the CUSP protocol. CP informs UP 1 to switch to master, and then informs UP 2 and UP 3 to switch to backup, reducing packet loss during switch-back. In the switch-back process, the route issued to UP 1 by CP increases (the route cost is changed from 20 to 10), and priority for the routes issued to UP 2 and UP 3 decreases (the route cost is changed from 9 to 20). When the failure is recovered, CR learns the routes with higher priority (with cost 10). After route convergence, both uplink and downlink traffic switch back to the links attached to UP 1.

2. UP failure or network-side interface failure

As shown in Figure 26, when UP 1 or the network-side interface on UP 1 is faulty, both the CUSP control channel and the service link are disconnected. Upon detecting the CUSP connection state anomaly and receiving the track entry status indicating the interface failure, CP informs the UP to perform master/backup switchover. The priority for the route issued to UP 1 by CP decreases (the route cost is changed from 10 to 20), and priority for the routes issued to UP 2 and UP 3 increases (the route cost is changed from 20 to 9). When a failure occurs, CR learns the routes with higher priority (with cost 9). After route convergence, both uplink and downlink traffic are load-balanced to the links attached to UP 2 and UP 3.

Figure 26 UP failure or network-side interface failure

When the failure is recovered, CP detects that the CUSP connection is restored, and then restores the connection to the UP. After the CP-to-UP connection failure is recovered, CP informs UP 1 to switch to master, and then informs UP 2 and UP 3 to switch to backup, reducing packet loss during switch-back. In the switch-back process, the route issued to UP 1 by CP increases (the route cost is changed from 20 to 10), and priority for the routes issued to UP 2 and UP 3 decreases (the route cost is changed from 9 to 20). When the failure is recovered, CR learns the routes with higher priority (with cost 10). After route convergence, both uplink and downlink traffic switch back to the links attached to UP 1.

Configuring key modules

Configuring the CUSP controller

In a CUPS network, the CUSP control channel includes the following basic components:

· CUSP controller—The server of the CUSP protocol, located on the CP.

· CUSP agent—The client of the CUSP protocol, located on the UP.

Configuring the listening IP address for the CUSP controller

Commands

Use listening-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] to configure the listening IP for a CUSP controller.

Usage guidelines

For the CUSP controller to act as a server and wait for CUSP connection requests from CUSP clients, you must specify a listening IP address for the CUSP controller.

If you execute this command multiple times, the most recent configuration takes effect.

This command is supported only on CPs.

Examples

cusp controller //Enter CUSP controller view.

listening-ip 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C //Configure the listening IP for the CUSP controller.

Configuring a CUSP agent

Commands

Use agent agent-name to create a Control-/User-plane Separation Protocol (CUSP) agent on a CUSP controller and enter its view, or enter the view of an existing CUSP agent.

Usage guidelines

Recommended configuration

To facilitate CUSP agent management on a CUSP controller, as a best practice, use this command to specify a CUSP agent name the same as the CUSP agent name configured on the corresponding UP.

Restrictions and guidelines

· You can execute this command multiple times to add multiple CUSP agents. On a CUSP controller, you can add up to 1024 CUSP agents.

· This command is supported only on CPs.

Examples

cusp controller //Enter CUSP controller view.

agent bras_up1 // Create CUSP agent bras_up1 on the CUSP controller and enter its view.

agent-ip 2.1.1.101 // Specify the IP address of a CUSP agent to which a CUSP controller can connect.

Configuring the NETCONF client

In a CUPS network, the CP acts as a NETCONF client, and the UP acts as a NETCONF server.

You can configure NETCONF parameters for a management channel in NETCONF client view on a CP. After a management channel is set up between the CP and a UP, the CP can configure and manage the UP.

Configuring a NETCONF connection profile

Commands

Use connection connection-name to create a NETCONF connection profile (which is used for connecting to a remote UP) and enter its view, or enter the view of an existing NETCONF connection profile.

Usage guidelines

Before a NETCONF over SSH connection is set up between a CP and a UP, you must configure NETCONF connection setup parameters in each NETCONF connection profile to be bound to the UP.

You cannot modify settings of a NETCONF connection profile that has been bound to a UP.

Examples

netconf-client // Enter NETCONF client view.

source-address 180.96.185.8 //Specify the source IP address used for setting up a NETCONF connection to a UP.

connection bras_up1 //Create a NETCONF connection profile named bras_up1 (which is used for connecting to a remote UP) and enter its view.

user-name admin password simple 123 //Specify the username and password used for setting up a NETCONF connection to a UP.

destination-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C //Specify the IP address of a UP to which a NETCONF connection will be set up.

Configuring a UP management instance

Configuring the parameters for the protocol channel between the CP and UP

Commands

Use protocol-tunnel vxlan vxlan-id source { ipv4-address | ipv6 ipv6-address } destination { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] to configure parameters for the protocol channel between a UP and the CP.

Usage guidelines

Operating mechanism

A VXLAN tunnel is established between the CP and UP and used as the protocol channel for exchanging protocol packets, such as ARP, IP, and DHCP protocol packets.

When you execute this command, make sure the source IP specified is the destination IP of the protocol channel on the UP, and the destination IP specified is the source IP of the protocol channel on the UP.

Restrictions and guidelines

· The VXLAN tunnels on the CP and UP must have the same VXLAN ID.

· If you execute this command multiple times with the same VXLAN ID, source IP address, and destination IP address, the most recent configuration takes effect.

· Different UPs correspond to different VXLAN tunnels. The source IP address and destination IP address of each VXLAN tunnel must be unique. That is, a source IP address and destination IP address pair corresponds to a unique VXLAN ID.

· A CP can be configured with up to two protocol channels, which are typically used in the CPDR scenario. When you are establishing VXLAN protocol channels with the same UP and different disaster recovery CPs, the VXLAN IDs must be different.

Examples

up-manage id 1026 //Create UP 1026, and enter its UP-manage view.

protocol-tunnel vxlan 11026 source 180.96.185.8 destination 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C //Configure parameters for the protocol channel between a CP and the UP.

Configuring UP-config

Commands

Use up-config to enter UP-config view.

Usage guidelines

In UP-config view on a CP in the CUPS scenario, you can execute the commands available on a UP and deploy these commands to the UP.

Examples

up-manage id 1026 //Create UP 1026, and enter its UP-manage view.

up-config //Enter UP-config view.

cusp agent bras_up1 //Create a CUSP agent and enter its view.

local-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C //Specify the local IP address for a CUSP agent.

bfd enable template BFD_CUSP //Enable BFD for CUSP.

controller address 58.223.243.8 //Specify the CUSP controller IP address on CP1.

controller address 180.96.185.8 //Specify the CUSP controller IP address on CP2.

cu-agent //Create a CUSP agent and enter its view.

protocol-tunnel vxlan 11026 source 2.1.1.101 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C //Configure parameters for the protocol channel between CP1 and the UP.

protocol-tunnel vxlan 21026 source 2.1.1.101 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C //Configure parameters for the protocol channel between CP1 and the UP.

Configuring CPDR

Configuring CPDR groups

Commands

Use cp disaster-recovery group group-name [ id group-id ] to create a CPDR group and enter CPDR group view, or enter the view of an existing CPDR group.

Usage guidelines

Application scenarios

CPDR supports the following application modes:

· Master/backup—You create a pair of CPDR groups (a master and a backup) that contain the same UPs for backup. In this mode, you must create the same CPDR group (with the same name and ID) on the two CPs and assign the master role to the CPDR group on one CP and the backup role to the CPDR group on the other CP.

· Load sharing—You create two pairs of CPDR groups for load sharing. Each CPDR group pair contains a master and a backup (with the same ID) and contains the same UPs. In this mode, you must create two CPDR groups on both CPs, and assign different roles to the same CPDR group on the CPs to form a CPDR group pair. For example, if you assign the master role to a CPDR group on one CP, you must assign the backup role to the same CPDR group on the other CP.

· N:1 backup—You create N pairs of CPDR groups on N + 1 CPs. Each CPDR group pair contains a master and a backup (with the same ID) and contains the same UPs. Deploy N master CPDR groups to N master CPs and N backup CPDR groups to one backup CP. This deployment enables multiple data centers to share one backup data center. For example, you can specify CP 1 and CP 2 as master CPs and CP 3 as the backup CP to implement 2:1 backup as follows:

¡ On CP 1, create CPDR group with name group1 and ID 1, and assign the master role to the CPDR group.

¡ On CP 2, create CPDR group with name group2 and ID 2, and assign the master role to the CPDR group.

¡ On CP 3, create CPDR group with name group1 and ID 1, and assign the backup role to the CPDR group. Create CPDR group with name group2 and ID 2, and assign the backup role to the CPDR group.

Operating mechanism

Create a pair of CPDR groups on the CPs in different data centers. In a CPDR group pair, specify one group as the master and the other as the backup.

Restrictions and guidelines

Specify the same ID for the members in a CPDR group pair. As a best practice, specify the same name for the members, too.

Examples

cp disaster-recovery group 1 id 1 //Configure the name and ID for a CPDR group.

set role master //Assign the master role to the CPDR group

up-id 1024 to 1025 //Add UPs to the CPDR group.

mode hot //Configure the hot backup mode (default) for the CPDR group.

switchover auto enable //Enable automatic role switchover upon CPDR group failure.

radius source-interface LoopBack3 //Specify the source interface for sending RADIUS packets. You must specify different loopback interfaces for different CPDR groups on the CP.

ip-pool adsl //Bind an IPv4 address pool to the CPDR group. If you also specify an IP address pool group as the authorization attribute for users in the authorization domain, the system assigns an IP address in the intersection of the IP address pool and IP address pool group.

Configuring CPDR channels

Commands

Use cp disaster-recovery tunnel ipv4 local local-ip-address peer peer-ip-address [ vpn-instance vpn-instance-name ] to configure CPDR channels and specify the local and peer addresses for the channels.

Usage guidelines

Operating mechanism

The master and backup CPs must establish CPDR channels to communicate with each other. CPDR channels include a heartbeat channel, multiple data backup channels, and a protection channel.

· Heartbeat channel—A TCP connection established between two CTRL-VMs for configuration negotiation, heartbeat channel detection, and CU connection state and CPDR group data synchronization.

· Data backup channel—A TCP connection established between two BRAS-VMs for backing up user data and service module data. Data backup channel have the following types:

¡ Common data backup channel—Established by each CPDR group on the BRAS-VM for each UP under management, which means each UP has a common data backup channel.

¡ Dedicated data backup channel—Established by UCM, AM, and AM6 modules that do not use common data backup channels to back up data.

Restrictions and guidelines

· After you configure this feature, the CTRL-VMs use the specified local and peer IP addresses to establish a heartbeat channel. The BRAS-VMs use the IP addresses to establish data backup channels. The FWD-VMs use the IP addresses to establish a protection channel.

· Follow these guidelines when you configure the command:

¡ Make sure the local IP address of the master CP is the peer IP address of the backup CP, and the peer IP address of the master CP is the local IP address of the backup CP.

¡ Make sure the master and backup CPs use the same IP protocol stack to establish CPDR channels and belong to the same VPN instance or the public network.

¡ As a best practice, use the IP addresses of the loopback interfaces on the master and backup CPs as the local and peer IP addresses.

· Modifying the parameters for the command enables the CP to disconnect the existing CPDR channels and then reestablish the channels based on the new parameters.

· This command applies to all CPDR groups. The tunnel ipv4 command in CPDR tunnel group view has the same functions, but it applies to only the CPDR groups in the specified CPDR tunnel group.

· The CPDR channels specified for this command cannot be the same as the CPDR channels specified in CPDR tunnel group view (including the local IP address, peer IP address, and VPN instance).

· If you execute this command multiple times, the most recent configuration takes effect.

Examples

cp disaster-recovery tunnel ipv4 local 180.96.185.8 peer 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C //Specify the IP addresses used for establishing a CUSP channel on the CP for establishing CPDR channels.

Binding an IP address pool to a CPDR group

Commands

Use ip-pool pool-name to bind an IPv4 address pool to a CPDR group.

Use ipv6-pool pool-name to bind an IPv6 address pool to a CPDR group.

Usage guidelines

If the CPDR groups uses the load sharing method, the UPs in multiple CPDR groups share the same AAA-authorized IP pool group, IP address assignment conflicts might occur, causing address synchronization anomalies between the CPs.

To resolve this issue, bind an IP pool to each CPDR group in CPDR group view. After configuration, the CP assigns only IP addresses that belong to both of the following IP pools:

· AAA-authorized IP address pool groups.

· IP address pools bound to the CPDR group.

Examples

CPDR group 1 has UPs 1024 and 1025, master CP CP1, and backup CP CP2.

CPDR group 2 has UPs 1026, 1027, and 1028, master CP CP2, and backup CP CP1.

Configure ISP domain 163.js for onboarding users in both the CPDR groups and authorize an IP address pool group in the domain. Bind different IP address pools to the CPDR groups.

ip pool-group ab //Configure an IP address pool group.

pool a //Add IP address pool a to the IP address pool group.

pool b //Add IP address pool b to the IP address pool group.

domain name 163.js //Configure an ISP domain.

authorization-attribute ip-pool-group ab //Specify IP address pool group ab as the authorization attribute for users in the ISP domain.

cp disaster-recovery group 1 //Configure CPDR group 1.

ip-pool a //Associate IPv4 address pool a with CPDR group 1.

cp disaster-recovery group 2 //Configure CPDR group 2.

ip-pool b //Associate IPv4 address pool b with CPDR group 2.

Configuring UP backup

Configuring a UP backup group

Syntax

up-backup-group group-name

Usage guidelines

You cannot delete a UP backup group if it contains a UP with UP backup profile configuration.

You cannot delete a UP backup group if UPs in it are migrating.

Examples

up-backup-group 2 //Backup group name.

Adding a UP to a UP backup group

Syntax

Use backup up-id up-id [ local-ip local-ip-address ] to add a UP to a UP backup group.

Usage guidelines

Operating mechanism

Repeat this command to add multiple UPs to a UP backup group. When one UP is faulty, the system switches its user traffic to another UP to ensure service continuity.

The BRAS-VM for the UP backup group is the BRAS-VM for the first member UP added to the UP backup group.

Restrictions and guidelines

· If a UP belongs to a different BRAS-VM than the target UP backup group and it has online users, the UP cannot join the UP backup group.

· A UP can be added to only one UP backup group.

· UPs added to the same UP backup group must have different local-ip-address settings.

· You cannot delete UPs from a UP backup group if it contains a UP with UP backup profile configuration.

· In a vBRAS CUPS network, if multiple BRAS-VM groups exist on CP, you can migrate a specific UP from the current BRAS-VM group to another BRAS-VM group. After migration, the association between UP and BRAS-VM group is changed.

· You cannot add a migrating UP to or delete it from a UP backup group.

· For a UP backup group in which UPs are migrating, you cannot perform the following operations:

¡ Add UPs to the UP backup group.

¡ Delete UPs from the UP backup group.

¡ Delete the UP backup group.

· When a protection tunnel exists, make sure the local device IP address specified for the UP backup group is consistent with the IP address configured for the local device to create the specified VSRP peer.

Examples

up-backup-group 2 //Create UP backup group 2 and enter its view.

backup up-id 1026 local-ip 2.1.1.101 //Add UP 1026 to UP backup group 2 and configure the IP address of the local device for VSRP channels as 2.1.1.101.

backup up-id 1027 local-ip 2.1.1.102 //Add UP 1027 to UP backup group 2 and configure the IP address of the local device for VSRP channels as 2.1.1.102.

backup up-id 1028 local-ip 2.1.1.103 //Add UP 1028 to UP backup group 2 and configure the IP address of the local device for VSRP channels as 2.1.1.103.

Associating a UP with Track

Commands

Use up-id up-id network-state track uplink-group group-name to enable the CP to monitor the network state of a UP.

Usage guidelines

Application scenarios

In the vBRAS CUPS network, the UP uses the Track feature to monitor the up/down state of the network-side interface. When the network interface goes down, Track notifies the UP. The UP then reports the event to the CP. Upon receiving the event, the CP instructs the UP to perform a master/backup switchover.

The UP will send the specified resource group name to the CP in addition to the failure information. The CP can identify the UP and a group of interfaces on the UP by resource group name in order to instruct the UP to perform master/backup interface switchover.

Restrictions and guidelines

· If you execute this command multiple times for the same UP ID in the same UP backup profile, the most recent configuration takes effect.

Examples

up-backup-profile 2 warm-load-balance //Create UP backup profile 2 in warm load balancing mode and enter its view.

up-id 1026 network-state track uplink-group JH-CN-PUP1026

up-id 1027 network-state track uplink-group JH-CN-PUP1027

up-id 1028 network-state track uplink-group JH-CN-PUP1028

up-id 1029 network-state track uplink-group JH-CN-PUP1029

Configuring a UP backup profile

Syntax

Use up-backup-profile profile-id { hot-standby | load-balance | warm-load-balance | warm-standby [ enhanced ] } to create a UP backup profile and enter its view, or enter the view of an existing UP backup profile.

Usage guidelines

Application scenarios

· 1:1 hot standby mode

You can use the up-backup-profile profile-id hot-standby command to create a UP backup profile in 1:1 hot standby mode.

In hot-standby UP backup profile view, you can use the backup-group master master-interface-type { master-interface-number | master-interface-number.subnumber } backup backup-interface-type { backup-interface-number | backup-interface-number.subnumber } vrid virtual-router-id [ resource-id resource-id ] command to specify a master and backup interface pair.

The resource-id resource-id option specifies a resource ID to identify a master and backup interface pair, in the range of 1 to 65535. If you do not specify this option, the system automatically assigns a resource ID.

In the CPDR network environment, make sure the manually configured resource IDs are consistent on different CPs. If this condition is not met, users might go offline upon a master/backup switchover.

The vrid virtual-router-id option specifies a VRRP group by its virtual router ID for generating a virtual MAC address. To avoid MAC address change upon master/backup switchover, the UP uses the virtual MAC address generated with the virtual router ID specified with the vrid virtual-router-id option to respond to user requests. In 1:1 hot standby mode, each pair of master and backup interfaces share one virtual MAC address. When the backup interface takes over, the virtual MAC address is also issued to the backup interface.

· N:1 warm standby mode

You can use the up-backup-profile profile-id warm-standby [ enhanced ] command to create a UP backup profile in N:1 warm standby mode.

In hot-standby or N:1 warm-standby UP backup profile view, you can use the interface-backup-mode command to specify an interface backup mode for the UP backup profile.

In N:1 warm-standby UP backup profile view, you can use the backup-interface command to specify a backup interface for the UP backup profile, and use the master-interface command to specify a master interface for the UP backup profile.

· 1:N warm load balancing mode

You can use the up-backup-profile profile-id warm-load-balance command to create a UP backup profile in 1: N warm load balancing mode.

In 1:N warm-load-balancing UP backup profile view, you can use master-interface to specify a master interface for the UP backup profile.

· Load balancing mode

You can use the up-backup-profile profile-id load-balance command to create a UP backup profile in load balancing mode.

In load-balancing UP backup profile view, you can use the master-interface command to specify a master interface for the UP backup profile.

Restrictions and guidelines

· To create a UP backup profile, you must specify the backup mode for it. To enter the view of an existing UP backup profile, the backup mode is not required.

· You cannot edit the backup mode for an existing UP backup profile.

· Deleting a UP backup profile with the undo up-backup-profile command removes all settings of the profile. You cannot delete a UP backup profile that has online users.

Examples

up-backup-profile 2 warm-standby //Create UP backup profile 2 in warm standby mode and enter its view.

backup-interface Remote-RAGG1028/701 //Specify a backup interface for the UP backup profile.

master-interface Remote-RAGG1026/701 vrid 100 //Specify a master interface for the UP backup profile.

master-interface Remote-RAGG1027/701 vrid 200 //Specify a master interface for the UP backup profile.

undo failure-recovery-switch enable //Disable the original master UP or interface to switch back to master upon failure recovery.

nas logic-port Remote-RAGG1026/701 //Configure the logical access interface for the UP backup profile.

up-id 1026 switchover track up-peer-id 1028 up-peer-name 1028track1026 //Configure the CP to perform master/backup switchover for interfaces on UP 1026 according to the track entry state reported by the monitoring UP 1028.

up-id 1027 switchover track up-peer-id 1028 up-peer-name 1028track1027 //Configure the CP to perform master/backup switchover for interfaces on UP 1027 according to the track entry state reported by the monitoring UP 1028.

up-id 1028 switchover track up-peer-id 1026 up-peer-name 1026track1028 //Configure the CP to perform master/backup switchover for interfaces on UP 1028 according to the track entry state reported by the monitoring UP 1026.

load-balance-mode interface by-qinq //Specify the interface-based method to select master interfaces in the UP backup profile, and enable the CP to group users by inner VLAN and outer VLAN in user packets and load-share traffic by group.

Configuring address pools

Configuring the subnet allocation mode and prefix range allocation mode

Commands

Use subnet alloc-mode { interface [ support-physic ] | up-backup-profile [ route-refresh ] | up-id } to specify a subnet allocation mode for an IP pool.

Use dynamic address alloc-mode { interface [ support-physic ] | up-backup-profile [ route-refresh ] | up-id } to specify an IPv6 subnet allocation mode for an IPv6 pool.

Use dynamic prefix alloc-mode { interface [ support-physic ] | up-backup-profile [ route-refresh ] | up-id } to specify an IPv6 prefix range allocation mode for an IPv6 pool.

Usage guidelines

Operating mechanism

In UP-backup-profile allocation mode, the control plane allocates the network route with a higher preference value to the master UP. When a master/backup switchover occurs in hot backup mode, the backup UP needs to forward traffic. To ensure that traffic can go to the backup UP, specify the route-refresh keyword. The network route allocated to the backup UP will have a higher preference value than that allocated to the master UP.

Restrictions and guidelines

If you switch the subnet or prefix range allocation mode for an address pool, the IP pool will reclaim all previously issued subnets or prefix ranges and reallocate them. Therefore, before dynamically allocating subnets or prefix ranges from an address pool, you must validate the allocation mode.

Examples

· Example: Configuring the subnet allocation mode for an ODAP IP pool

ip pool odap4 odap pool-index 2 //Create an ODAP IP pool named odap4, specify index 2 for the IP pool, and enter the view of the IP pool.

subnet alloc-mode up-backup-profile //Configure the IP pool to allocate subnets by UP backup profile ID.

· Example: Configuring the subnet allocation mode and prefix range allocation mode for an ODAP IPv6 pool

ipv6 pool odap6 odap pool-index 3 //Create an ODAP IPv6 pool named odap6, specify index 3 for the IPv6 pool, and enter the view of the IPv6 pool.

dynamic address alloc-mode up-backup-profile //Configure the IPv6 pool to allocate subnets by UP backup profile ID.

dynamic prefix alloc-mode up-backup-profile //Configure the IPv6 pool to allocate prefix ranges by UP backup profile ID.

Configuring IP pools

Commands

Use ip pool pool-name { bas { local | remote } | nat-central | odap } [ pool-index index-number ] to create an IP pool and enter its view or enter the view of an existing IP pool.

Usage guidelines

Application scenarios

The local BAS IP pools are widely used in static IPoE user scenarios.

Operating mechanism

If no index is specified when you are creating an address pool, the device will automatically allocate an index to the IP pool from the unused ones in sequence.

A NAT-central IP pool allocates public network addresses to the NAT module, while the private network addresses of the NAT module are still from common ODAP address pools.

Restrictions and guidelines

· IP pool names must be unique on one device.

· You can create multiple IP pools of the same type on one device.

· When you delete an IP pool, the address binding information already allocated within the pool will also be deleted.

· You can assign an index to only one IP pool. To release the index assigned to an IP pool, you must delete the pool by using the undo ip pool command, which makes some clients go offline or fail to come online. As a best practice to avoid such events, make sure you have a thoughtful index planning when you create IP pools.

Examples

· Example: Configuring an ODAP IP pool

ip pool 1 odap pool-index 1 //Create an ODAP IP pool named 1, specify index 1 for the IP pool, and enter the view of the IP pool.

vpn-instance vpn1 //Bind the IP pool to VPN-instance vpn1.

network 100.99.0.0 mask 255.255.0.0 //Configure primary IP subnet 100.99.0.0/16 for dynamic address allocation.

network 100.100.0.0 mask 255.255.0.0 secondary //Configure secondary IP subnet 100.100.0.0/16 for dynamic address allocation.

subnet mask-length 24 //Set the mask length to 24 for dynamically allocated subnets.

subnet idle-time 900 //Set the delay time for the DHCP server to reclaim idle subnets to 900 seconds.

subnet alloc-mode up-backup-profile //Configure the IP pool to allocate subnets by UP backup profile ID.

subnet utilization mark high 100 low 75 //Set the high utilization mark to 100%, and the low utilization mark to 75%.

dns-list 218.2.2.2 218.4.4.4 // specify DNS server addresses 218.2.2.2 and 218.4.4.4.

ip-in-use threshold 90 //Set the IP address usage threshold to 90% for the IP pool.

ip-subnet-in-use threshold 90 //Set the subnet usage threshold to 90% for the IP pool.

· Example: Configuring a NAT-central address pool

ip pool 2 nat-central pool-index 2 //Create a NAT-central IP pool named 2, specify index 2 for the IP pool, and enter the view of the IP pool.

network 174.99.1.0 mask 255.255.255.0 //Configure primary IP subnet 174.99.1.0/24 for dynamic address allocation.

network 174.99.2.0 mask 255.255.255.0 secondary //Configure secondary subnet 174.99.2.0/24 for dynamic address allocation.

subnet mask-length 26 //Set the mask length to 26 for dynamically allocated subnets.

expired day 0 hour 2 //Set the lease duration to 0 days 2 hours for the IP pool.

ip-subnet-in-use threshold 75 //Set the subnet usage threshold to 90% for the IP pool.

· Example: Configuring a remote BAS IP pool (on the DHCP relay agent)

interface Remote-Vsi1024/1001.11 //Enter interface view.

dhcp select relay //Enable the DHCP relay agent on the interface.

ip pool 3 bas remote pool-index 3 //Create a remote BAS IP pool named 3, specify index 3 for the IP pool, and enter the view of the IP pool.

binding interface Remote-Vsi1024/1001.11 //Bind the IP pool to interface Remote-Vsi1024/1001.11.

gateway 119.1.0.1 mask 255.255.0.0 //In the IP pool, specify gateway IP address 119.1.0.1 and network mask length 16 (specify network 119.1.0.1/16 for dynamic address allocation).

forbidden-ip 119.1.0.1 //Exclude IP address 119.1.0.1 from dynamic allocation in the IP pool.

dhcp-server source-address interface LoopBack 5 //In the IP pool, specify the IP address of interface Loopback5 as the source IP address for DHCP requests.

remote-server 2.12.0.1 public //Specify DHCP server 10.1.1.1 on the public network for the IP pool.

· Example: Configuring a local BAS IP pool

ip pool 4 bas Local pool-index 4 //Create a local BAS IP pool named 4, specify index 4 for the IP pool, and enter the view of the IP pool.

gateway 29.64.168.1 mask 255.255.0.0 //In the IP pool, specify gateway IP address 29.64.168.1 and network mask length 16 (specify network 29.64.168.1/16 for dynamic address allocation).

vpn-instance VPN-OLT-UP1026 //Bind the IP pool to VPN instance VPN-OLT-UP1026.

binding up-id 1026 //Bind the IP pool to UP 1026.

reserve expired-ip mode client-id limit 2560000 //Configure the DHCP server to reserve up to 2560000 IP addresses based on client IDs in the IP pool.

ip subscriber session static ip 29.64.168.2 29.64.168.252 domain static_1026 interface Remote-RAGG1026/709.2944 vpn-instance VPN-OLT-UP1026 //Configure an IPv4 IPoE global static individual session.

Configuring IPv6 pools

Commands

Use ipv6 pool pool-name { bas { local | remote } | odap } [ pool-index index-number ] to create an IPv6 pool and enter its view or enter the view of an existing IPv6 pool.

Usage guidelines

Application scenarios

The local BAS IP pools are widely used in static IPoE user scenarios.

Operating mechanism

If no index is specified when you are creating an address pool, the device will automatically allocate an index to the IP pool from the unused ones in sequence.

Restrictions and guidelines

· IPv6 pool names must be unique on one device.

· You can create multiple IPv6 pools of the same type on one device.

· When you delete an IPv6 pool, the address binding information and prefix binding information already allocated within the pool will also be deleted.

· You can assign an index to only one IP pool. To release the index assigned to an IP pool, you must delete the pool by using the undo ipv6 pool command, which makes some clients go offline or fail to come online. As a best practice to avoid such events, make sure you have a thoughtful index planning when you create IP pools.

Examples

· Example: Configuring an ODAP IPv6 pool

interface Remote-Vsi1024/1001.11 //Enter interface view.

ipv6 dhcp select server //Enable the DHCPv6 server on the interface.

ipv6 address auto link-local //Automatically generate a link-local address for an interface.

ipv6 nd autoconfig managed-address-flag //Set the managed address configuration (M) flag to 1 so that the host can acquire an IPv6 address through the DHCPv6 server.

ipv6 nd autoconfig other-flag //Set the other stateful configuration flag (O) to 1 so that the host can acquire information other than IPv6 address through the DHCPv6 server.

undo ipv6 nd ra halt //Disable RA message suppression.

ipv6 dhcp prefix-pool 1 prefix 240E:3A0:160F::/48 assign-len 56 //Create prefix pool 1, and specify the prefix 240E:3A0:160F::/48 with the assigned prefix length 56.

ipv6 pool odap6 odap pool-index 14 //Create an ODAP IPv6 pool named odap6, specify index 14 for the IPv6 pool, and enter the view of the IPv6 pool.

vpn-instance vpn6 //Bind the IP pool to VPN instance vpn6.

network 4000::/48 //Configure the IPv6 subnet for dynamic address allocation in the IP pool.

dns-server 240E:5A::6666 //Configure the DNS server address.

prefix-pool 1 //Associate the IP pool with prefix pool 1.

dynamic prefix alloc-mode up-backup-profile //Configure the IPv6 pool to allocate prefix ranges by UP backup profile ID.

dynamic address assign-length 60 //Specify the prefix length as 60 for dynamic IPv6 address block assignment.

dynamic prefix assign-length 64 //Specify IPv6 prefix length 64 for IPv6 prefix range assignment in the IPv6 pool.

dynamic prefix idle-time 900 //Set the delay time to 900 seconds for the DHCPv6 server to reclaim idle IPv6 prefix ranges.

subnet utilization mark high 100 low 95 //Set the high utilization mark to 100% and the low utilization mark to 95% for IPv6 address blocks or prefix ranges.

pd-in-use threshold 90 //Set the prefix usage threshold to 90% for the IPv6 pool.

pd-subnet-in-use threshold 90 //Set the prefix range usage threshold to 90% for the IPv6 pool.

· Example: Configuring a remote BAS IPv6 pool (on the DHCPv6 relay agent)

interface Remote-Vsi1024/1001.11 //Enter interface view.

ipv6 dhcp select relay //Enable the DHCP relay agent on the interface.

ipv6 address auto link-local //Automatically generate a link-local address for an interface.

ipv6 nd autoconfig managed-address-flag //Set the managed address configuration (M) flag to 1 so that the host can acquire an IPv6 address through the DHCP server.

ipv6 nd autoconfig other-flag //Set the other stateful configuration flag (O) to 1 so that the host can acquire information other than IPv6 address through the DHCPv6 server.

undo ipv6 nd ra halt //Disable RA message suppression.

ipv6 pool remote 6 bas remote pool-index 2 //Create a remote BAS IPv6 pool named remote6, specify index 2 for the IPv6 pool, and enter the view of the IPv6 pool.

vpn-instance vpn1 //Bind the remote BAS IPv6 pool to VPN-instance vpn1.

binding up-id 1088 //Bind the remote BAS IPv6 pool to UP 1088.

network 45::/64 export-route //Configure the IPv6 subnet for dynamic address allocation in the IPv6 pool.

gateway-list 45::1 //Specify gateway address 45::1 in the IPv6 pool.

dhcpv6-server source-address interface LoopBack 5 //In the IPv6 pool, specify the IPv6 address of interface Loopback5 as the source IPv6 address for DHCPv6 requests.

remote-server 85::8 public //Specify DHCPv6 server 2.12.0.1 on the public network for the IP pool.

· Example: Configuring a local BAS IPv6 pool

interface Remote-Vsi1024/1001.11 //Enter interface view.

ipv6 dhcp select server //Enable the DHCPv6 server on the interface.

ipv6 address auto link-local //Automatically generate a link-local address for an interface.

ipv6 nd autoconfig managed-address-flag //Set the managed address configuration (M) flag to 1 so that the host can acquire an IPv6 address through the DHCP server.

ipv6 nd autoconfig other-flag //Set the other stateful configuration flag (O) to 1 so that the host can acquire information other than IPv6 address through the DHCPv6 server.

undo ipv6 nd ra halt //Disable RA message suppression.

ipv6 pool static_1026 bas local pool-index 60 //Create a local BAS IPv6 pool named static_1026, specify index 60 for the IP pool, and enter the view of the IP pool.

network 4000::/64 export-route //Configure the IPv6 subnet for dynamic address allocation in the IPv6 pool.

gateway-list 4000::1 //Specify gateway address 4000::1 in the IPv6 pool.

vpn-instance VPN-OLT-UP1026 //Bind the IP pool to VPN instance VPN-OLT-UP1026.

binding up-id 1026 //Bind the IP pool to UP 1026.

ip subscriber session static ipv6 4000::2 4000::100 domain static_1026 interface Remote-RAGG1026/709.2944 vpn-instance VPN-OLT-UP1026 //Configure an IPv6 IPoE global static individual session.

Configuring IP pool groups

Commands

Use ip pool-group pool-group-name to create an IP pool group and enter its view or enter the view of an existing IP pool group.

Usage guidelines

Operating mechanism

For a user that matches an IP pool group, the DHCP server selects an IP address from an available IP pool in the matching group.

Restrictions and guidelines

· IP pools within the same group must be of the same type.

· You can add multiple IP pools to the same IP pool group, and a single IP pool can also be included in multiple IP pool groups.

· Before you add an IP pool to an IP pool group, make sure the IP pool is on the public network or in the same VPN instance as the IP pool group.

· If both an IP pool and an IP pool group exist in AAA authorization user attributes, authenticated users can only obtain IP addresses from the IP pool. The users cannot obtain IP addresses from the IP pool group even if the authorization IP pool has no assignable IP addresses.

· On a CUPS network, the following situation might exist:

¡ The type of the authorization IP pool group is ODAP.

¡ An IP pool is bound to the CPDR group.

In this situation, a user can come online only when it obtains an IP address that belongs to the intersection set of the ODAP IP pool group and the CPDR IP pool. For more information about CPDR group configuration, see CPDR group configuration in CP and UP Separation Configuration Guide.

Examples

ip pool-group poolgroup1 //Create IP pool poolgroup1 and enter its view.

vpn-instance vpn1 //Bind the IP pool group to VPN instance vpn1

pool pool1 //Add IP pool pool1 to the IP pool group poolgroup1.

pool pool2 //Add IP address pool pool2 to the IP address pool group poolgroup1.

Configuring IPv6 pool groups

Commands

Use ipv6 pool-group pool-group-name to create an IPv6 pool group and enter its view or enter the view of an existing IPv6 pool group.

Usage guidelines

Operating mechanism

For a user that matches an IPv6 pool group, the DHCPv6 server selects an address from an available IPv6 pool in the matching group.

Restrictions and guidelines

· IPv6 pools within the same group must be of the same type.

· You can add multiple IPv6 pools to the same IPv6 pool group, and a single IPv6 pool can also be included in multiple IPv6 pool groups.

· Before you add an IPv6 pool to an IPv6 pool group, make sure the IPv6 pool is on the public network or in the same VPN instance as the IPv6 pool group.

· If both an IPv6 pool and an IPv6 pool group exist in AAA authorization user attributes, authenticated users can only obtain IPv6 addresses from the IPv6 pool. The users cannot obtain IPv6 addresses from the IPv6 pool group even if the authorization IPv6 pool has no assignable IP addresses.

· On a CUPS network, the following situation might exist:

¡ The type of the authorization IPv6 pool group is ODAP.

¡ An IPv6 pool is bound to the CPDR group.

In this situation, a user can come online only when it obtains an IPv6 address that belongs to the intersection set of the ODAP IPv6 pool group and the CPDR IPv6 pool. For more information about CPDR group configuration, see CPDR group configuration in CP and UP Separation Configuration Guide.

Examples

ipv6 pool-group poolgroup6 //Create IPv6 pool poolgroup6 and enter its view.

vpn-instance vpn6 //Bind the IPv6 pool group to VPN instance vpn6.

pool pool1 //Add IPv6 pool pool1 to the IPv6 pool group poolgroup6.

pool pool2 //Add IPv6 pool pool2 to the IPv6 pool group poolgroup6.

Configuring AAA schemes

Commands

Use radius scheme radius-scheme-name to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.

(Optional.) Use vpn-instance vpn-instance-name to specify a VPN instance for a RADIUS scheme.

Use primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] * to specify a primary RADIUS authentication server.

Use secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] * to specify a secondary RADIUS authentication server.

Use primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] * to specify a primary RADIUS accounting server.

Use secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] * to specify a secondary RADIUS accounting server.

Use user-name-format { keep-original | with-domain | without-domain } to specify the format of the username to be sent to a RADIUS server.

Use server-load-sharing enable to enable RADIUS server load sharing.

Use radius nas-ip ipv4-address to specify a source IP address for outgoing RADIUS packets.

Use username-authorization apply to configure the device to use server-assigned usernames for AAA processes subsequent to authentication.

Usage guidelines

· AAA scheme:

¡Authentication and accounting by using RADIUS.

¡When the remote accounting server fails to start accounting, the user remains online.

· RADIUS authentication server:

¡Configure at least two primary and secondary RADIUS authentication and accounting servers, and at least two RADIUS authorization servers.

¡Configure the address of interface Loopback0 as the source address for sent authentication packets.

¡Configure the IP address and port number of the authentication server in the RADIUS server group.

¡Configure the IP address and port number of the accounting server in the RADIUS server group.

¡Set the shared key for each RADIUS server in the RADIUS server group.

¡Configure the IP address and shared key for the RADIUS authorization server.

¡Allow RADIUS packets to carry the CAR value.

Examples

radius scheme js.163.radius //Create a RADIUS scheme and enter its view.

primary authentication 192.168.40.200 key simple 123 weight 50 //Specify a UDP port number and shared key for the primary RADIUS authentication server.

secondary authentication 192.168.40.201 key simple 123 weight 50 //Specify an IP address and port number for the secondary authentication server.

primary accounting 192.168.40.200 key simple 123 weight 50 //Specify a UDP port number for and the shared key for secure communication with the primary RADIUS accounting server.

secondary accounting 192.168.40.201 key simple 123 weight 50 //Specify an IP address and port number for the secondary accounting server.

timer realtime-accounting 120 //Set the real-time accounting interval.

radius nas-ip 58.223.116.200 //Specify a source IP address for outgoing RADIUS packets.

attribute 6 value outbound user-type ipoe //Set the value for RADIUS attribute 6 (set the Service-Type field carried in the IPoE user authentication and accounting requests to Outbound-User.

server-load-sharing enable //Enable RADIUS server load sharing.

response-pending-limit authentication 255 //Set the maximum number of pending RADIUS authentication requests.

NAS-Port-ID three-/four-dimensional interfaces

Commands

Use access-user four-dimension-mode enable to configure the device to use four-dimensional interfaces to communicate with AAA servers.

Usage guidelines

Operating mechanism

By default, when the CP communicates with AAA servers, the device uses three-dimensional interface numbers in interface information, for example, NAS-Port-ID. When you need to specify the access UP of a user on the AAA server, use this command to configure the device to use four-dimensional interfaces to communicate with AAA servers. After you execute this command, one dimension of UP ID is added to the original three-dimension interface numbers of the CP, and the interface number format is up-id/original three-dimensional interface number.

Restrictions and guidelines

· In a CUPS network, you only need to execute this command on the CP and do not need to execute this command on UPs. More specifically, the remote interface number on the CP is in the format of UP ID/actual interface number on the UP. For example, Remote-GE1024/1/0/2, where 1024 is the UP ID and 1/0/2 is a three-dimensional interface number.

· On a UP backup network, to ensure that the primary and backup interfaces report the same NAS-Port-ID, use the nas logic-port command in UP backup profile view to specify the NAS-Port-ID.

Examples

access-user four-dimension-mode enable //Configure the device to use four-dimensional interfaces to communicate with AAA servers.

up-backup-profile 2 warm-standby //Create a warn-standby UP backup profile and enter its view.

nas logic-port Remote-RAGG1026/701 //Configure the logical access interface for the UP backup profile.

backup-interface Remote-RAGG1028/701 //Specify a backup interface for the UP backup profile.

master-interface Remote-RAGG1026/701 vrid 100 //Specify a master interface for the UP backup profile.

master-interface Remote-RAGG1027/701 vrid 200 //Specify a master interface for the UP backup profile.

Configuring an ISP domain

Commands

Use domain name isp-name to create an ISP domain and enter ISP domain view, or enter the view of an existing ISP domain.

Use authorization-attribute { vpn-instance VPN instance name | user-group User group name | primary-dns IP address | secondary-dns IP address | ip-pool ipv4-pool-name | ip-pool-group ipv4-pool-group-name | ipv6-pool IPv6 address pool name | ipv6-pool-group IPv6 address pool group name | ipv6-nd-prefix-pool IPv6 ND prefix pool name | ipv6-nd-prefix-pool-group iPv6 ND prefix pool group name | user-profile profile-name | user-priority { inbound | outbound } priority } command to configure authorization attributes for users in the ISP domain. The authorization attributes include authorization VPN, user group, primary and backup DNS server addresses, IPv4 and IPv6 address pools, IPv4 and IPv6 address pool groups, ND prefix pool, ND prefix pool group, user profile, and user priority.

Use user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } to specify the user address type in the ISP domain.

Use service-type { hsi | stb | voip } to specify the service type for users in the ISP domain.

Use authentication ppp radius-scheme radius-scheme-name none to specify RADIUS scheme-based authentication for PPP users.

Use authentication ipoe radius-scheme radius-scheme-name none to specify RADIUS scheme-based authentication for IPoE users.

Use authorization ppp radius-scheme radius-scheme-name none to specify RADIUS scheme-based authorization for PPP users.

Use authorization ipoe radius-scheme radius-scheme-name none to specify RADIUS scheme-based authorization for PPP users

Use accounting ppp radius-scheme radius-scheme-name none to specify RADIUS scheme-based accounting for PPP users.

Use accounting ipoe radius-scheme radius-scheme-name none to specify RADIUS scheme-based accounting for IPoE users.

Use authentication-method none authorization-attribute session-timeout time to configure authorization attributes for none-authentication users.

Use user-group name group-name bind nat-instance instance-name to bind a load-sharing user group to a NAT instance.

Use l2tp-user radius-force to enable the forcible use of RADIUS server-authorized L2TP attributes. This command enables the device to decide whether to process an authenticated user as an L2TP user only based on the server-assigned L2TP attributes.

Use user-profile profile-name to configure a user profile.

Use qos car inbound any cir committed-information-rate to configure the inbound rate limit.

Use qos car outbound any cir committed-information-rate to configure the outbound rate limit.

Usage guidelines

Configuration requirements

· Make sure the domain name format comply with the local requirements.

· Configure the authentication and accounting methods for users in the domain.

· Configure a RADIUS server group for the domain.

· Configure an IP address pool for users in the domain.

Restrictions and guidelines

· Configure the QoS profile for domain users and uniformly apply the inbound and outbound rate limits through RADIUS attribute authorization. Devices from different manufacturers use custom RADIUS attributes to issue QoS profile names for user service traffic rate matching. If the RADIUS authorization of the QoS profile fails, the default QoS profile in the ISP domain applies to limit the user's traffic rate.

· Configure the critical domain function to prevent users from being unable to access the network during a RADIUS fault and limit the critical duration to avoid users being in the critical state for too long.

Examples

domain name 163.js //Create an ISP domain and enter its view.

authorization-attribute user-group weibeian //Authorize a user group.

authorization-attribute ip-pool-group adsl //Authorize an IPv4 address pool or address pool group.

authorization-attribute ipv6-pool wxlxq.163.js-pd-01 //Authorize an IPv6 address pool.

authorization-attribute ipv6-nd-prefix-pool wxlxq.163.js-nd-01 //Authorize an ND prefix pool.

authorization-attribute primary-dns ip 218.2.2.2 //Authorize a primary DNS address. This address can be configured in the address pool or in the domain. As a best practice, configure the DNS address in the domain. If you configure it in an address pool, users cannot obtain the DNS address in scenarios where AAA authorizes fixed IP addresses.

authorization-attribute secondary-dns ip 218.4.4.4 //Authorize a secondary DNS address.

authorization-attribute user-priority inbound 0 //Authorize a user inbound traffic priority.

authorization-attribute user-priority outbound 0 //Authorize a user outbound traffic priority.

l2tp-user radius-force //Enable the forcible use of RADIUS server-authorized L2TP attributes.

authentication ppp radius-scheme js.163.radius none //Specify the authentication method for PPP users as RADIUS scheme.

authorization ppp radius-scheme js.163.radius none //Specify the authorization method for PPP users as RADIUS scheme.

accounting ppp radius-scheme js.163.radius //Specify the accounting method for PPP users as RADIUS scheme.

user-address-type public-ds //Specify the user address type in the ISP domain.

Configuring the UP mode

Commands

Use work-mode user-plane to configure a device to operate in user plane (UP) mode.

Usage guidelines

Application scenarios

In a CUPS network, you must use this command to configure the device acting as an UP to operate in user plane mode. In this mode, the device performs only the data forwarding service.

Restrictions and guidelines

· You cannot configure the device to operate in user plane mode in any of the following cases:

¡ IPoE is enabled on any interface of the device by using the ip subscriber enable command.

¡ PPPoE is enabled on any interface of the device by using the pppoe-server bind command.

¡ L2TP is enabled on the device by using the l2tp enable command.

· You cannot cancel the user plane mode for a device that is operating user plane mode and being managed by a CP.

· The CP device does not need to enable the control plane mode.

Examples

work-mode user-plane //Configure a device to operate in user plane (UP) mode.

Configuring L2TP

Configuring an L2TP group

Commands

Use l2tp-group group-number [ group-name group-name ] [ mode { lac | lns } ] to create an L2TP group.

Usage guidelines

Operating mechanism

An L2TP tunnel can be created based on local L2TP group information or based on the L2TP tunnel attribute authorized by AAA.

Restrictions and guidelines

When creating a tunnel based on the local L2TP group information, specify the tunnel's LNS address, tunnel authentication password, and match conditions correctly.

Examples

Create L2TP group 3. When a user logs in, if the username includes the wxdsj domain and matches L2TP group 3, a tunnel is automatically created.

· Configure an LAC

l2tp-group 3 mode lac //Create an L2TP group in LAC mode.

lns-ip 2.12.0.8 weight 10 2.12.0.7 weight 10 //Specify the LNS IP address and weight.

user domain wxdsj //Configure the domain name that triggers the LAC to initiate tunneling requests to the LNS.

tunnel name wxdsj //Configure the local tunnel name.

tunnel password simple 123456 //Configure the tunnel authentication password.

· Configure an LNS

l2tp-group 8 mode lns //Create an L2TP group in LNS mode.

allow l2tp virtual-template 5 remote wxdsj //Configure the LNS to accept L2TP tunneling requests from an LAC, and to specify a VT interface for tunnel setup.

tunnel timer hello 1000 //Set the Hello interval.

tunnel password simple 123456 //Configure the tunnel authentication password.

Create a tunnel with the L2TP tunnel attributes authorized by AAA. When a user comes online, AAA authorizes the LNS address, tunnel authentication password, tunnel name, domain name, and other information.

· The device uses the authorized domain name to match an L2TP group, and automatically creates a tunnel accordingly.

L2TP group 1 matches domain name 163.js and acts as the default-lac-group. In this case, the device automatically a tunnel based on L2TP group 1 when AAA authorizes domain name 163.js or when it authorizes an unknown domain or does not authorize a domain.

l2tp-group 1 group-name dc1-lac mode lac /Create an L2TP group in LAC mode.

user domain 163.js /Configure the domain name that triggers the LAC to initiate tunneling requests to the LNS.

default-lac-group enable //Configure the current L2TP group as the default L2TP group.

· Configure an LNS

l2tp-group 6 mode lns //Create an L2TP group in LNS mode.

allow l2tp virtual-template 5 remote first Configure the LNS to accept L2TP tunneling requests from an LAC, and to specify a VT interface for tunnel setup.

tunnel timer hello 1000 //Set the Hello interval.

tunnel password simple 123456 //Configure the tunnel authentication password.

Configuration examples

BRAS access services in a MAN include home broadband, ITV, and L2TP. This chapter provides the configuration examples for these services.

Table 4 Main BRAS access services in a MAN

UP type	Service type	Access method	Service characteristics
vUP	VoIP (fixed line) and ITMS	IPv4: DHCP+VPN	A large number of sessions exist, but the traffic size is small.
pUP	Home broadband public network users	IPv4: PPPoE IPv6: NDRA, NDRA+IAPD	AAA authorizes a domain, and users obtain IP addresses from the authorized domain.
	Home broadband private network (CGN)	IPv4: PPPoE+CGN IPv6: NDRA, NDRA+IAPD	AAA authorizes a domain, and users obtain IP addresses from the authorized domain.
	Fixed IP home broadband users	IPv4: PPPoE	AAA authorizes a static IP address.
	Home broadband users with unpaid fees	L2TP LAC	AAA authorizes tunnel attributes.
	VPDN (welfare lottery and sports lottery)	L2TP LAC	AAA authorizes tunnel attributes.
	Local taxation bureaus and finance bureaus	L2TP LAC	Tunnels are created locally.
	ITV-IPoE	IPv4: DHCP	Group membership is assigned on the A-leaf device. On-demand traffic is transmitted through the UP. Multicast traffic is replicated on the A-leaf device instead of the UP.
	ITV-PPPoE	IPv4: PPPoE	Group membership is assigned on the UP. Both on-demand traffic and multicast traffic is transmitted through the UP.

NOTE:

The network diagrams in this chapter are logical and do not present the interfaces connecting devices or the interface IP addresses. Please plan interfaces and IP addresses as needed.

Example: Configuring CPDR and UP 1:3 warm standby mode for PPPoE

NOTE:

To provide data forwarding services for high-volume home broadband services, pUPs are typically used. To ensure high reliability, you can use a 1:N warm standby (1≤N≤3) mechanism to carry home broadband services. In order to meet the needs of different scenarios, you can configure multiple backup mechanisms for example, 1:3 warm standby and 1:1 warm standby. In this example, 1:3 warm standby mode is used for illustration.

Network configuration

In a vBRAS CUPS system as shown in the following figure, clients access CPs through PPPoE. The packets from clients reach UPs through a Layer 2 network, encapsulated with VXLAN-GPE, and are forwarded by the CR to CPs. The specific requirements are as follows:

· Use an ODAP address pool to assign IP addresses to users.

· Use a RADIUS server as the authentication, authorization, and accounting server.

· Configure master/backup hot backup on CPs in the two data centers. When the master CP fails, existing users stay online, and new users can come online from the new master (the original backup CP).

· Assign the four UPs to a UP backup group, and configure 1:3 warm standby mode. All UPs are master UPs.

· The loopback addresses used by UP 1 (UP ID is 1026), CP 1, and CP 2 to establish CU connections are 2.1.1.101, 180.96.185.8, and 58.223.243.8, respectively.

· The loopback addresses used by UP 2 (UP ID is 1027), CP 1, and CP 2 to establish CU connections are 2.1.1.102, 180.96.185.8, and 58.223.243.8, respectively.

· The loopback addresses used by UP 3 (UP ID is 1028), CP 1, and CP 2 to establish CU connections are 2.1.1.103, 180.96.185.8, and 58.223.243.8, respectively.

· The loopback addresses used by UP 4 (UP ID is 1029), CP 1, and CP 2 to establish CU connections are 2.1.1.104, 180.96.185.8, and 58.223.243.8, respectively.

Figure 27 Network diagram

Analysis

Use pUPs to carry home broadband services, because this type of service has high volumes of traffic. Typically, UP 1:3 warm standby mode and master/backup CPDR are used.

For the device to operate in user plane mode, execute the work-mode user-plane command.

To implement CPDR, perform the following tasks:

· On CP 1 and CP 2, create a CPDR group with name g2 and ID 2. Specify the CPDR group as the master on CP 1 and the backup on CP 2.

· Add UPs 1026, 1027, 1028, 1029 to CPDR group g2.

To deploy configurations and service entries to UPs and exchange protocol packets with UPs, configure CP-UP channels.

To implement the UP 1:3 warm standby mode, configure the UP warm load balancing mode.

For users to come online, configure PPPoE, AAA, and address pools.

For CPDR, you can use one loopback interface as the CP-UP tunnel interface, the CPDR tunnel interface, and the communication interface between the CP and RADIUS server. This mode features simple configuration. You can also use three different loopback interfaces. This mode features flexible configuration. In this example, one loopback interface is used as both the CP-UP tunnel interface and CPDR tunnel interface. One loopback interface is used as the communication interface between the CP and RADIUS server.

Prerequisites

Configure IP addresses for interfaces, and make sure devices can reach each other at Layer 3.

Configure the AAA server correctly. (Details not shown.)

Restrictions and guidelines

Make sure the required configurations, such as CP-UP channel, UP backup, CPDR, PPPoE, and AAA, are performed on both CP 1 and CP 2.

The remote interface, address pool, domain, UP backup configurations must be the same on the two CPs.

Procedure

Configuring CPDR settings

1. Configure CP 1:

# Specify local IPv4 address 180.96.185.8 and peer IPv4 address 58.223.243.8 used for establishing CPDR channels.

<CP1> system-view

[CP1] ip vpn-instance CP2UP_L3VPN_H3C

[CP1-vpn-instance CP2UP_L3VPN_H3C] quit

[CP1] cp disaster-recovery tunnel ipv4 local 180.96.185.8 peer 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

# Create CPDR group g2 and enter CPDR group view.

[CP1] cp disaster-recovery group g2 id 2

# Assign the master role to CPDR group g2.

[CP1-cpdr-group-g2] set role master

# Add UPs 1026, 1027, 1028, 1029 to CPDR group g2.

[CP1-cpdr-group-g2] up-id 1026 1027 1028 1029

# Specify the hot backup mode for CPDR group g2. (The hot backup mode is used by default, and you can skip this configuration.)

[CP1-cpdr-group-g2] mode hot

# Enable automatic role switchover upon CPDR group failure.

[CP1-cpdr-group-g2] switchover auto enable

# Specify the source interface for sending RADIUS packets.

[CP1-cpdr-group-g2] radius source-interface LoopBack3

# Enable strict CU connection failure ratio calculation.

[CP1-cpdr-group-g2] fault-ratio-calculate strict

[CP1-cpdr-group-g2] quit

2. Configure CP 2:

# Specify local IPv4 address 58.223.243.8 and peer IPv4 address 180.96.185.8 used for establishing CPDR channels.

<CP2> system-view

[CP2] ip vpn-instance CP2UP_L3VPN_H3C

[CP2-vpn-instance CP2UP_L3VPN_H3C] quit

[CP2] cp disaster-recovery tunnel ipv4 local 58.223.243.8 peer 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

# Create CPDR group g2 and enter CPDR group view.

[CP2] cp disaster-recovery group g2 id 2

# Specify CPDR group g1 as the backup CPDR group.

[CP2-cpdr-group-g1] set role backup

# Add UPs 1026, 1027, 1028, 1029 to CPDR group g2.

[CP2-cpdr-group-g2] up-id 1026 1027 1028 1029

# Specify the hot backup mode for CPDR group g2. (The hot backup mode is used by default, and you can skip this configuration.)

[CP2-cpdr-group-g2] mode hot

# Enable automatic role switchover upon CPDR group failure.

[CP2-cpdr-group-g2] switchover auto enable

# Specify the source interface for sending RADIUS packets.

[CP2-cpdr-group-g2] radius source-interface LoopBack3

# Enable strict CU connection failure ratio calculation.

[CP2-cpdr-group-g2] fault-ratio-calculate strict

[CP2-cpdr-group-g2] quit

Configuring CP-UP channels

1. Configure UP 1:

a. Configure the device to operate in user plane mode.

# Configure the device to operate in user plane mode.

<UP1> system-view

[UP1] work-mode user-plane

b. Configure the UP as the NETCONF server.

# Enable the Stelnet server.

[UP1] ssh server enable

# Enable NETCONF over SSH.

[UP1] netconf ssh server enable

# Enable scheme authentication for user lines VTY 0 through VTY 63, through which the NETCONF over SSH clients log in.

[UP1] line vty 0 63

[UP1-line-vty0-63] authentication-mode scheme

[UP1-line-vty0-63] quit

# Add a device management user named admin and set the password to 123456TESTplat&! in plaintext form. Authorize the user to use the SSH service and assign the network-admin user role to the user.

[UP1] local-user admin class manage

[UP1-luser-manage-netconf] password simple 123456TESTplat&!

[UP1-luser-manage-netconf] service-type ssh

[UP1-luser-manage-netconf] authorization-attribute user-role network-admin

[UP1-luser-manage-netconf] quit

# Configure a BFD template. The parameter values are based on the actual network conditions. The BFD template must be configured on both the CPs and UPs.

[UP1] bfd template BFD_CUSP

[UP1-bfd-template-BFD_CUSP] bfd min-transmit-interval 200

[UP1-bfd-template-BFD_CUSP] bfd min-receive-interval 200

[UP1-bfd-template-BFD_CUSP] bfd detect-multiplier 10

[UP1-bfd-template-BFD_CUSP] quit

# Configure the server type as NETCONF and authentication mode as password authentication for SSH user admin.

[UP1] ssh user admin service-type netconf authentication-type password

2. Configure UP 2, UP 3, and UP 4:

# Configure UP 2, UP 3, and UP 4 in the same way UP 1 is configured. (Details not shown.)

3. Configure CP 1:

a. Configure the management channel for the NETCONF client:

# Create a VPN instance. This VPN instance is used for CP-UP communication to prevent attacks from the public network and hide addresses.

<CP1> system-view

[CP1] ip vpn-instance CP2UP_L3VPN_H3C

[CP1-vpn-instance CP2UP_L3VPN_H3C] quit

# Enter NETCONF client view.

[CP1] netconf-client

# Configure the source IP address for setting up a NETCONF connection to a UP.

[CP1-netconf-client] source-address 180.96.185.8

# Create NETCONF connection profile 1026 and enter NETCONF connection profile view.

[CP1-netconf-client] connection 1026

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 1 and UP 1.

[CP1-netconf-client-connection-1026] user-name admin password simple 123456TESTplat&!

# Enable CP 1 to send NETCONF connection requests to the IP address of UP 1 (2.1. 1.101).

[CP1-netconf-client-connection-1026] destination-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

[CP1-netconf-client-connection-1026] quit

# Create NETCONF connection profile 1027 and enter NETCONF connection profile view.

[CP1-netconf-client] connection 1027

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 1 and UP 2.

[CP1-netconf-client-connection-1027] user-name admin password simple 123456TESTplat&!

# Enable CP 1 to send NETCONF connection requests to the IP address of UP 2 (2.1.1.102).

[CP1-netconf-client-connection-1027] destination-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP1-netconf-client-connection-1027] quit

# Configure NETCONF connection 1028 and enter NETCONF connection profile view.

[CP1-netconf-client] connection 1028

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 1 and UP 3.

[CP1-netconf-client-connection-1028] user-name admin password simple 123456TESTplat&!

# Enable CP 1 to send NETCONF connection requests to the IP address of UP 3 (2.1.1.103).

[CP1-netconf-client-connection-1028] destination-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

[CP1-netconf-client-connection-1028] quit

# Create NETCONF connection profile 1029 and enter NETCONF connection profile view.

[CP1-netconf-client] connection 1029

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 1 and UP 4.

[CP1-netconf-client-connection-1029] user-name admin password simple 123456TESTplat&!

# Enable CP 1 to send NETCONF connection requests to the IP address of UP 4 (2.1.1.104).

[CP1-netconf-client-connection-1029] destination-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

[CP1-netconf-client-connection-1029] quit

[CP1-netconf-client] quit

# Create UP 1026 and enter UP-manage view.

[CP1] up-manage id 1026

# Bind UP 1026 to NETCONF connection profile 1026.

[CP1-up-manage-1026] bind netconf-connection 1026

[CP1-up-manage-1026] quit

# Create UP 1027 and enter UP-manage view.

[CP1] up-manage id 1027

# Bind UP 1027 to NETCONF connection profile 1027.

[CP1-up-manage-1027] bind netconf-connection 1027

[CP1-up-manage-1027] quit

# Create UP 1028 and enter UP-manage view.

[CP1] up-manage id 1028

# Bind UP 1028 to NETCONF connection profile 1028.

[CP1-up-manage-1028] bind netconf-connection 1028

[CP1-up-manage-1028] quit

# Create UP 1029 and enter UP-manage view.

[CP1] up-manage id 1029

# Bind UP 1029 to NETCONF connection profile 1029.

[CP1-up-manage-1029] bind netconf-connection 1029

[CP1-up-manage-1029] quit

b. Configure protocol channels for the CP:

# Configure a protocol channel between CP 1 and UP 1, with VXLAN ID 11026, source IP address 180.96.185.8, and destination IP address 2.1.1.101.

[CP1] up-manage id 1026

[CP1-up-manage-1026] protocol-tunnel vxlan 11026 source 180.96.185.8 destination 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1026] quit

# Configure a protocol channel between CP 1 and UP 2, with VXLAN ID 11027, source IP address 180.96.185.8, and destination IP address 2.1.1.102.

[CP1] up-manage id 1027

[CP1-up-manage-1027] protocol-tunnel vxlan 11027 source 180.96.185.8 destination 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1027] quit

# Configure a protocol channel between CP 1 and UP 3, with VXLAN ID 11028, source IP address 180.96.185.8, and destination IP address 2.1.1.103.

[CP1] up-manage id 1028

[CP1-up-manage-1028] protocol-tunnel vxlan 11028 source 180.96.185.8 destination 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1028] quit

# Configure a protocol channel between CP 1 and UP 4, with VXLAN ID 11029, source IP address 180.96.185.8, and destination IP address 2.1.1.104.

[CP1] up-manage id 1029

[CP1-up-manage-1029] protocol-tunnel vxlan 11029 source 180.96.185.8 destination 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1029] quit

c. Configure protocol channels for UPs:

# Create UP 1026 and enter UP-config view.

[CP1] up-manage id 1026

[CP1-up-manage-1026] up-config

# In CU-agent view, configure a protocol channel between UP 1 and CP 1, with VXLAN ID 11026, source IP address 2.1.1.101, and destination IP address 180.96.185.8. Configure a protocol channel between UP 1 and CP 2, with VXLAN ID 21026, source IP address 2.1.1.101, and destination IP address 58.223.243.8.

[CP1-up-manage-1026-up-config] cu-agent

[CP1-up-manage-1026-up-config-cu-agent] protocol-tunnel vxlan 11026 source 2.1.1.101 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1026-up-config-cu-agent] protocol-tunnel vxlan 21026 source 2.1.1.101 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1026-up-config-cu-agent] quit

[CP1-up-manage-1026-up-config] quit

[CP1-up-manage-1026] quit

# Create UP 1027 and enter UP-config view.

[CP1] up-manage id 1027

[CP1-up-manage-1027] up-config

# In CU-agent view, configure a protocol channel between UP 2 and CP 1, with VXLAN ID 11027, source IP address 2.1.1.102, and destination IP address 180.96.185.8. Configure a protocol channel between UP 2 and CP 2, with VXLAN ID 21027, source IP address 2.1.1.102, and destination IP address 58.223.243.8.

[CP1-up-manage-1027-up-config] cu-agent

[CP1-up-manage-1027-up-config-cu-agent] protocol-tunnel vxlan 11027 source 2.1.1.102 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1027-up-config-cu-agent] protocol-tunnel vxlan 21027 source 2.1.1.102 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1027-up-config-cu-agent] quit

[CP1-up-manage-1027-up-config] quit

[CP1-up-manage-1027] quit

# Create UP 1028 and enter UP-config view.

[CP1] up-manage id 1028

[CP1-up-manage-1028] up-config

# In CU-agent view, configure a protocol channel between UP 3 and CP 1, with VXLAN ID 11028, source IP address 2.1.1.103, and destination IP address 180.96.185.8. Configure a protocol channel between UP 3 and CP 2, with VXLAN ID 21028, source IP address 2.1.1.103, and destination IP address 58.223.243.8.

[CP1-up-manage-1028-up-config] cu-agent

[CP1-up-manage-1028-up-config-cu-agent] protocol-tunnel vxlan 11028 source 2.1.1.103 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1028-up-config-cu-agent] protocol-tunnel vxlan 21028 source 2.1.1.103 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1028-up-config-cu-agent] quit

[CP1-up-manage-1028-up-config] quit

[CP1-up-manage-1028] quit

# Create UP 1029 and enter UP-config view.

[CP1] up-manage id 1029

[CP1-up-manage-1029] up-config

# In CU-agent view, configure a protocol channel between UP 4 and CP 1, with VXLAN ID 11029, source IP address 2.1.1.104, and destination IP address 180.96.185.8. Configure a protocol channel between UP 4 and CP 2, with VXLAN ID 21029, source IP address 2.1.1.104, and destination IP address 58.223.243.8.

[CP1-up-manage-1029-up-config] cu-agent

[CP1-up-manage-1029-up-config-cu-agent] protocol-tunnel vxlan 11029 source 2.1.1.104 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1029-up-config-cu-agent] protocol-tunnel vxlan 21029 source 2.1.1.104 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1029-up-config-cu-agent] quit

[CP1-up-manage-1029-up-config] quit

[CP1-up-manage-1029] quit

d. Configure control channels for the CP:

# Enable the CUSP controller feature and enter CUSP controller view.

[CP1] cusp controller

# Specify the listening IP address as 180.96.185.8 for the CUSP controller.

[CP1-cusp-controller] listening-ip 180.96.185.8

# Enable BFD for CUSP.

[CP1-cusp-controller] bfd enable template BFD_CUSP

# Create CUSP agent up1 and enter CUSP agent view.

[CP1-cusp-controller] agent up1

# Configure the IP address for CUSP agent up1 as 2.1.1.101.

[CP1-cusp-controller-agent-up1] agent-ip 2.1.1.101

[CP1-cusp-controller-agent-up1] quit

# Create CUSP agent up2 and enter CUSP agent view.

[CP1-cusp-controller] agent up2

# Configure the IP address for CUSP agent up2 as 2.1.1.102.

[CP1-cusp-controller-agent-up2] agent-ip 2.1.1.102

[CP1-cusp-controller-agent-up2] quit

# Create CUSP agent up3 and enter CUSP agent view.

[CP1-cusp-controller] agent up3

# Configure the IP address for CUSP agent up3 as 2.1.1.103.

[CP1-cusp-controller-agent-up3] agent-ip 2.1.1.103

[CP1-cusp-controller-agent-up3] quit

# Create CUSP agent up4 and enter CUSP agent view.

[CP1-cusp-controller] agent up4

# Configure the IP address for CUSP agent up4 as 2.1.1.104.

[CP1-cusp-controller-agent-up4] agent-ip 2.1.1.104

[CP1-cusp-controller-agent-up4] quit

[CP1-cusp-controller] quit

# Enable control channel establishment for UP 1026 by using CUSP agent up1.

[CP1] up-manage id 1026

[CP1-up-manage-1026] control-tunnel cusp-agent up1

[CP1-up-manage-1026] quit

# Enable control channel establishment for UP 1027 by using CUSP agent up2.

[CP1] up-manage id 1027

[CP1-up-manage-1027] control-tunnel cusp-agent up2

[CP1-up-manage-1027] quit

# Enable control channel establishment for UP 1028 by using CUSP agent up3.

[CP1] up-manage id 1028

[CP1-up-manage-1028] control-tunnel cusp-agent up3

[CP1-up-manage-1028] quit

# Enable control channel establishment for UP 1029 by using CUSP agent up4.

[CP1] up-manage id 1029

[CP1-up-manage-1029] control-tunnel cusp-agent up4

[CP1-up-manage-1029] quit

e. Configure control channels for UPs:

# Configure a BFD template. The parameter values are based on the actual network conditions. The BFD template must be configured on both the CPs and UPs.

[CP1] bfd template BFD_CUSP

[CP1-bfd-template-BFD_CUSP] bfd min-transmit-interval 200

[CP1-bfd-template-BFD_CUSP] bfd min-receive-interval 200

[CP1-bfd-template-BFD_CUSP] bfd detect-multiplier 10

[CP1-bfd-template-BFD_CUSP] quit

# Enter UP-config view.

[CP1] up-manage id 1026

[CP1-up-manage-1026] up-config

# Create CUSP agent up1 and enter CUSP agent view.

[CP1-up-manage-1026-up-config] cusp agent up1

# Enable UP 1 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.101, and enable BFD for CUSP.

[CP1-up-manage-1026-up-config-cusp-agent-up1] local-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1026-up-config-cusp-agent-up1] controller address 180.96.185.8

[CP1-up-manage-1026-up-config-cusp-agent-up1] controller address 58.223.243.8

[CP1-up-manage-1026-up-config-cusp-agent-up1] bfd enable template BFD_CUSP

[CP1-up-manage-1026-up-config-cusp-agent-up1] quit

[CP1-up-manage-1026-up-config] quit

[CP1-up-manage-1026] quit

# Enter UP-config view.

[CP1] up-manage id 1027

[CP1-up-manage-1027] up-config

# Create CUSP agent up2 and enter CUSP agent view.

[CP1-up-manage-1027-up-config] cusp agent up2

# Enable UP 2 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.102, and enable BFD for CUSP.

[CP1-up-manage-1027-up-config-cusp-agent-up2] local-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1027-up-config-cusp-agent-up2] controller address 180.96.185.8

[CP1-up-manage-1027-up-config-cusp-agent-up2] controller address 58.223.243.8

[CP1-up-manage-1027-up-config-cusp-agent-up2] bfd enable template BFD_CUSP

[CP1-up-manage-1027-up-config-cusp-agent-up2] quit

[CP1-up-manage-1027-up-config] quit

[CP1-up-manage-1027] quit

# Enter UP-config view.

[CP1] up-manage id 1028

[CP1-up-manage-1028] up-config

# Create CUSP agent up3 and enter CUSP agent view.

[CP1-up-manage-1028-up-config] cusp agent up3

# Enable UP 3 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.103, and enable BFD for CUSP.

[CP1-up-manage-1028-up-config-cusp-agent-up3] local-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1028-up-config-cusp-agent-up3] controller address 180.96.185.8

[CP1-up-manage-1028-up-config-cusp-agent-up3] controller address 58.223.243.8

[CP1-up-manage-1028-up-config-cusp-agent-up3] bfd enable template BFD_CUSP

[CP1-up-manage-1028-up-config-cusp-agent-up3] quit

[CP1-up-manage-1028-up-config] quit

[CP1-up-manage-1028] quit

# Enter UP-config view.

[CP1] up-manage id 1029

[CP1-up-manage-1029] up-config

# Create CUSP agent up4 and enter CUSP agent view.

[CP1-up-manage-1029-up-config] cusp agent up4

# Enable UP 4 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.104, and enable BFD for CUSP.

[CP1-up-manage-1029-up-config-cusp-agent-up4] local-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

[CP1-up-manage-1029-up-config-cusp-agent-up4] controller address 180.96.185.8

[CP1-up-manage-1029-up-config-cusp-agent-up4] controller address 58.223.243.8

[CP1-up-manage-1029-up-config-cusp-agent-up4] bfd enable template BFD_CUSP

[CP1-up-manage-1029-up-config-cusp-agent-up4] quit

[CP1-up-manage-1029-up-config] quit

[CP1-up-manage-1029] quit

f. Create remote interfaces:

# Create remote UP interface Route-Aggregation701 for UP 1026.

[CP1] up-manage id 1026

[CP1-up-manage-1026] remote interface Route-Aggregation701

[CP1-up-manage-1026] quit

# Create remote UP interface Route-Aggregation701 for UP 1027.

[CP1] up-manage id 1027

[CP1-up-manage-1027] remote interface Route-Aggregation701

[CP1-up-manage-1027] quit

# Create remote UP interface Route-Aggregation701 for UP 1028.

[CP1] up-manage id 1028

[CP1-up-manage-1028] remote interface Route-Aggregation701

[CP1-up-manage-1028] quit

# Create remote UP interface Route-Aggregation701 for UP 1029.

[CP1] up-manage id 1029

[CP1-up-manage-1029] remote interface Route-Aggregation701

[CP1-up-manage-1029] quit

4. Configure CP 2:

a. Configure the management channel for the NETCONF client:

# Create a VPN instance. This VPN instance is used for CP-UP communication to prevent attacks from the public network and hide addresses.

<CP2> system-view

[CP2] ip vpn-instance CP2UP_L3VPN_H3C

[CP2-vpn-instance CP2UP_L3VPN_H3C] quit

# Enter NETCONF client view.

[CP2] netconf-client

# Configure the source IP address for setting up a NETCONF connection to a UP.

[CP2-netconf-client] source-address 58.223.243.8

# Create NETCONF connection profile 1026 and enter NETCONF connection profile view.

[CP2-netconf-client] connection 1026

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 2 and UP 1.

[CP2-netconf-client-connection-1026] user-name admin password simple 123456TESTplat&!

# Enable CP 2 to send NETCONF connection requests to the IP address of UP 1 (2.1.1.101).

[CP2-netconf-client-connection-1026] destination-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

[CP2-netconf-client-connection-1026] quit

# Create NETCONF connection profile 1027 and enter NETCONF connection profile view.

[CP2-netconf-client] connection 1027

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 2 and UP 2.

[CP2-netconf-client-connection-1027] user-name admin password simple 123456TESTplat&!

# Enable CP 2 to send NETCONF connection requests to the IP address of UP 2 (2.1.1.102).

[CP2-netconf-client-connection-1027] destination-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP2-netconf-client-connection-1027] quit

# Configure NETCONF connection 1028 and enter NETCONF connection profile view.

[CP2-netconf-client] connection 1028

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 2 and UP 3.

[CP2-netconf-client-connection-1028] user-name admin password simple 123456TESTplat&!

# Enable CP 2 to send NETCONF connection requests to the IP address of UP 2 (2.1.1.103).

[CP2-netconf-client-connection-1028] destination-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

[CP2-netconf-client-connection-1028] quit

# Create NETCONF connection profile 1029 and enter NETCONF connection profile view.

[CP2-netconf-client] connection 1029

# Specify username admin and password 123456TESTplat&! for the NETCONF connection established between CP 2 and UP 4.

[CP2-netconf-client-connection-1029] user-name admin password simple 123456TESTplat&!

# Enable CP 2 to send NETCONF connection requests to the IP address of UP 4 (2.1.1.104).

[CP2-netconf-client-connection-1029] destination-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

[CP2-netconf-client-connection-1029] quit

[CP2-netconf-client] quit

# Create UP 1026 and enter UP-manage view.

[CP2] up-manage id 1026

# Bind UP 1026 to NETCONF connection profile 1026.

[CP2-up-manage-1026] bind netconf-connection 1026

[CP2-up-manage-1026] quit

# Create UP 1027 and enter UP-manage view.

[CP2] up-manage id 1027

# Bind UP 1027 to NETCONF connection profile 1027.

[CP2-up-manage-1027] bind netconf-connection 1027

[CP2-up-manage-1027] quit

# Create UP 1028 and enter UP-manage view.

[CP2] up-manage id 1028

# Bind UP 1028 to NETCONF connection profile 1028.

[CP2-up-manage-1028] bind netconf-connection 1028

[CP2-up-manage-1028] quit

# Create UP 1029 and enter UP-manage view.

[CP2] up-manage id 1029

# Bind UP 1029 to NETCONF connection profile 1029.

[CP2-up-manage-1029] bind netconf-connection 1029

[CP2-up-manage-1029] quit

b. Configure protocol channels for the CP:

# Configure a protocol channel between CP 2 and UP 1, with VXLAN ID 21026, source IP address 58,223,243.8, and destination IP address 2.1. 1.101.

[CP2] up-manage id 1026

[CP2-up-manage-1026] protocol-tunnel vxlan 21026 source 58.223.243.8 destination 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1026] quit

# Configure a protocol channel between CP 2 and UP 2, with VXLAN ID 21027, source IP address 58,223,243.8, and destination IP address 2.1.1.102.

[CP2] up-manage id 1027

[CP2-up-manage-1027] protocol-tunnel vxlan 21027 source 58.223.243.8 destination 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1027] quit

# Configure a protocol channel between CP 2 and UP 3, with VXLAN ID 21028, source IP address 58,223,243.8, and destination IP address 2.1.1.103.

[CP2] up-manage id 1028

[CP2-up-manage-1028] protocol-tunnel vxlan 21028 source 58.223.243.8 destination 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1028] quit

# Configure a protocol channel between CP 2 and UP 4, with VXLAN ID 21029, source IP address 58,223,243.8, and destination IP address 2.1.1.104.

[CP2] up-manage id 1029

[CP2-up-manage-1029] protocol-tunnel vxlan 21029 source 58.223.243.8 destination 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1029] quit

c. Configure protocol channels for UPs:

# Create UP 1026 and enter UP-config view.

[CP2] up-manage id 1026

[CP2-up-manage-1026] up-config

[CP2-up-manage-1026-up-config] cu-agent

[CP2-up-manage-1026-up-config-cu-agent] protocol-tunnel vxlan 11026 source 2.1.1.101 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1026-up-config-cu-agent] protocol-tunnel vxlan 21026 source 2.1.1.101 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1026-up-config-cu-agent] quit

[CP2-up-manage-1026-up-config] quit

[CP2-up-manage-1026] quit

# Create UP 1027 and enter UP-config view.

[CP2] up-manage id 1027

[CP2-up-manage-1027] up-config

[CP2-up-manage-1027-up-config] cu-agent

[CP2-up-manage-1027-up-config-cu-agent] protocol-tunnel vxlan 11027 source 2.1.1.102 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1027-up-config-cu-agent] protocol-tunnel vxlan 21027 source 2.1.1.102 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1027-up-config-cu-agent] quit

[CP2-up-manage-1027-up-config] quit

[CP2-up-manage-1027] quit

# Create UP 1028 and enter UP-config view.

[CP2] up-manage id 1028

[CP2-up-manage-1028] up-config

[CP2-up-manage-1028-up-config] cu-agent

[CP2-up-manage-1028-up-config-cu-agent] protocol-tunnel vxlan 11028 source 2.1.1.103 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1028-up-config-cu-agent] protocol-tunnel vxlan 21028 source 2.1.1.103 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1028-up-config-cu-agent] quit

[CP2-up-manage-1028-up-config] quit

[CP2-up-manage-1028] quit

# Create UP 1029 and enter UP-config view.

[CP2] up-manage id 1029

[CP2-up-manage-1029] up-config

[CP2-up-manage-1029-up-config] cu-agent

[CP2-up-manage-1029-up-config-cu-agent] protocol-tunnel vxlan 11029 source 2.1.1.104 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1029-up-config-cu-agent] protocol-tunnel vxlan 21029 source 2.1.1.104 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1029-up-config-cu-agent] quit

[CP2-up-manage-1029-up-config] quit

[CP2-up-manage-1029] quit

d. Configure the control channel for the CP:

# Enable the CUSP controller feature and enter CUSP controller view.

[CP2] cusp controller

# Specify the listening IP address as 58.223.243.8 for the CUSP controller, and enable BFD for CUSP.

[CP2-cusp-controller] listening-ip 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

[CP2-cusp-controller] bfd enable template BFD_CUSP

# Create CUSP agent up1 and enter CUSP agent view.

[CP2-cusp-controller] agent up1

# Configure the IP address for CUSP agent up1 as 2.1. 1.101.

[CP2-cusp-controller-agent-up1] agent-ip 2.1.1.101

[CP2-cusp-controller-agent-up1] quit

# Create CUSP agent up2 and enter CUSP agent view.

[CP2-cusp-controller] agent up2

# Configure the IP address for CUSP agent up2 as 2.1.1.102.

[CP2-cusp-controller-agent-up2] agent-ip 2.1.1.102

[CP2-cusp-controller-agent-up2] quit

# Create CUSP agent up3 and enter CUSP agent view.

[CP2-cusp-controller] agent up3

# Configure the IP address for CUSP agent up3 as 2.1.1.103.

[CP2-cusp-controller-agent-up3] agent-ip 2.1.1.103

[CP2-cusp-controller-agent-up3] quit

# Create CUSP agent up4 and enter CUSP agent view.

[CP2-cusp-controller] agent up4

# Configure the IP address for CUSP agent up4 as 2.1.1.104.

[CP2-cusp-controller-agent-up4] agent-ip 2.1.1.104

[CP2-cusp-controller-agent-up4] quit

[CP2-cusp-controller] quit

# Enable control channel establishment for UP 1026 by using CUSP agent up1.

[CP2] up-manage id 1026

[CP2-up-manage-1026] control-tunnel cusp-agent up1

[CP2-up-manage-1026] quit

# Enable control channel establishment for UP 1027 by using CUSP agent up2.

[CP2] up-manage id 1027

[CP2-up-manage-1027] control-tunnel cusp-agent up2

[CP2-up-manage-1027] quit

# Enable control channel establishment for UP 1028 by using CUSP agent up3.

[CP2] up-manage id 1028

[CP2-up-manage-1028] control-tunnel cusp-agent up3

[CP2-up-manage-1028] quit

# Enable control channel establishment for UP 1029 by using CUSP agent up4.

[CP2] up-manage id 1029

[CP2-up-manage-1029] control-tunnel cusp-agent up4

[CP2-up-manage-1029] quit

e. Configure the control channel for UPs:

# Configure a BFD template. The parameter values are based on the actual network conditions. The BFD template must be configured on both the CP and UPs.

[CP2] bfd template BFD_CUSP

[CP2-bfd-template-BFD_CUSP] bfd min-transmit-interval 200

[CP2-bfd-template-BFD_CUSP] bfd min-receive-interval 200

[CP2-bfd-template-BFD_CUSP] bfd detect-multiplier 10

[CP2-bfd-template-BFD_CUSP] quit

# Enter UP-config view.

[CP2] up-manage id 1026

[CP2-up-manage-1026] up-config

# Create CUSP agent up1 and enter CUSP agent view.

[CP2-up-manage-1026-up-config] cusp agent up1

# Enable UP 1 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.101, and enable BFD for CUSP.

[CP2-up-manage-1026-up-config-cusp-agent-up1] local-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1026-up-config-cusp-agent-up1] controller address 180.96.185.8

[CP2-up-manage-1026-up-config-cusp-agent-up1] controller address 58.223.243.8

[CP2-up-manage-1026-up-config-cusp-agent-up1] bfd enable template BFD_CUSP

[CP2-up-manage-1026-up-config-cusp-agent-up1] quit

[CP2-up-manage-1026-up-config] quit

[CP2-up-manage-1026] quit

# Enter UP-config view.

[CP2] up-manage id 1027

[CP2-up-manage-1027] up-config

# Create CUSP agent up2 and enter CUSP agent view.

[CP2-up-manage-1027-up-config] cusp agent up2

# Enable UP 2 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.102, and enable BFD for CUSP.

[CP2-up-manage-1027-up-config-cusp-agent-up1] local-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1027-up-config-cusp-agent-up1] controller address 180.96.185.8

[CP2-up-manage-1027-up-config-cusp-agent-up1] controller address 58.223.243.8

[CP2-up-manage-1027-up-config-cusp-agent-up1] bfd enable template BFD_CUSP

[CP2-up-manage-1027-up-config-cusp-agent-up1] quit

[CP2-up-manage-1027-up-config] quit

[CP2-up-manage-1027] quit

# Enter UP-config view.

[CP2] up-manage id 1028

[CP2-up-manage-1028] up-config

# Create CUSP agent up3 and enter CUSP agent view.

[CP2-up-manage-1028-up-config] cusp agent up3

# Enable UP 3 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.103, and enable BFD for CUSP.

[CP2-up-manage-1028-up-config-cusp-agent-up1] local-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1028-up-config-cusp-agent-up1] controller address 180.96.185.8

[CP2-up-manage-1028-up-config-cusp-agent-up1] controller address 58.223.243.8

[CP2-up-manage-1028-up-config-cusp-agent-up1] bfd enable template BFD_CUSP

[CP2-up-manage-1028-up-config-cusp-agent-up1] quit

[CP2-up-manage-1028-up-config] quit

[CP2-up-manage-1028] quit

# Enter UP-config view.

[CP2] up-manage id 1029

[CP2-up-manage-1029] up-config

# Create CUSP agent up4 and enter CUSP agent view.

[CP2-up-manage-1029-up-config] cusp agent up4

# Enable UP 4 to establish CUSP connections with CP 1 (180.96.185.8) and CP 2 (58.223.243.8) by using source IP address 2.1.1.104, and enable BFD for CUSP.

[CP2-up-manage-1029-up-config-cusp-agent-up4] local-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

[CP2-up-manage-1029-up-config-cusp-agent-up4] controller address 180.96.185.8

[CP2-up-manage-1029-up-config-cusp-agent-up4] controller address 58.223.243.8

[CP2-up-manage-1029-up-config-cusp-agent-up4] bfd enable template BFD_CUSP

[CP2-up-manage-1029-up-config-cusp-agent-up4] quit

[CP2-up-manage-1029-up-config] quit

[CP2-up-manage-1029] quit

f. Create remote interfaces:

# Create remote UP interface Route-Aggregation701 for UP 1026.

[CP2] up-manage id 1026

[CP2-up-manage-1026] remote interface Route-Aggregation701

[CP2-up-manage-1026] quit

# Create remote UP interface Route-Aggregation701 for UP 1027.

[CP2] up-manage id 1027

[CP2-up-manage-1027] remote interface Route-Aggregation701

[CP2-up-manage-1027] quit

# Create remote UP interface Route-Aggregation701 for UP 1028.

[CP2] up-manage id 1028

[CP2-up-manage-1028] remote interface Route-Aggregation701

[CP2-up-manage-1028] quit

# Create remote UP interface Route-Aggregation701 for UP 1029.

[CP2] up-manage id 1029

[CP2-up-manage-1029] remote interface Route-Aggregation701

[CP2-up-manage-1029] quit

Configuring UP backup

1. Configure CP 1:

a. Configure a UP backup group.

[CP1] up-backup-group group2

[CP1-up-backup-group-group2] backup up-id 1026

[CP1-up-backup-group-group2] backup up-id 1027

[CP1-up-backup-group-group2] backup up-id 1028

[CP1-up-backup-group-group2] backup up-id 1029

[CP1-up-backup-group-group2] quit

b. Configure a UP backup profile:

# Create UP backup profile 2 in warm standby mode.

[CP1] up-backup-profile 2 warm-load-balance

# Specify master interfaces for the UP backup profile.

[CP1-up-backup-profile-2] master-interface Remote-RAGG1026/701 vrid 1

[CP1-up-backup-profile-2] master-interface Remote-RAGG1027/701 vrid 2

[CP1-up-backup-profile-2] master-interface Remote-RAGG1028/701 vrid 3

[CP1-up-backup-profile-2] master-interface Remote-RAGG1029/701 vrid 4

# Specify the interface-based method to select master interfaces and load balances traffic based on the outer VLAN and inner VLAN.

[CP1-up-backup-profile-2] load-balance-mode interface by-qinq

# Disable the original master UP or interface from switching back to master upon failure recovery.

[CP1-up-backup-profile-2] undo failure-recovery-switch enable

# Configure the logical access interface for UP backup profile 1 as Remote-RAGG1026/701. When the CP sends RADIUS packets to the RADIUS server, it adds the logical access interface specified in this command to the NAS-Port-ID attribute in the RADIUS packets.

[CP1-up-backup-profile-2] nas logic-port Remote-RAGG1026/701

# Configure the switchover delay upon CUSP channel failure as 5 seconds.

[CP1-up-backup-profile-2] control-tunnel-down switchover delay 5

# Configure the switchover delay upon CUSP channel failure recovery as 60000 milliseconds.

[CP1-up-backup-profile-2] control-tunnel-up switchover msec-delay 60000

2. Configure CP 2:

Configure CP 2 in the same way CP 1 is configured. (Details not shown.)

Configuring UP monitoring

1. Configure UP 1:

# Create a static BFD session and enter its view. The static BFD session detects the next-hop address for the network-side interface and two output interfaces for the next hop.

[UP1] bfd static up1toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 2:1:1::101 discriminator auto

[UP1-bfd-static-session-up1oSLEAF1] bfd multi-hop detect-multiplier 10

[UP1-bfd-static-session-up1oSLEAF1] quit

[UP1] bfd static up1toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 2:1:1::101 discriminator auto

[UP1-bfd-static-session-up1oSLEAF2] bfd multi-hop detect-multiplier 10

[UP1-bfd-static-session-up1oSLEAF2] quit

[UP1] track 1 bfd static up1oSLEAF1

[UP1] track 2 bfd static up1oSLEAF2

[UP1-track-1] quit

# Create Boolean OR list 5 and enter its view. Add track entries 1 and 2 as tracked objects to the list.

[UP1] track 5 list boolean or

[UP1-track-5] object 1

[UP1-track-5] object 2

[UP1-track-5] quit

# Disable master/backup interface switchover on the UP, and specify track entry 5 to monitor the link between the UP and the upstream router.

[UP1] user-plane control-tunnel-down switchover track 5

# Configure network-side bandwidth detection.

[UP1] track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:1:1:13::7 local ipv6 176:1:1:13::6

[UP1] track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:1:1:2::3 local ipv6 176:1:1:2::2

[UP1] track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:1:1:1::3 local ipv6 176:1:1:1::2

[UP1] track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:1:1:13::3 local ipv6 176:1:1:13::2

# Create a percentage threshold list and enter its view. Set the negative state threshold to 49% and the positive state threshold to 50% for the percentage threshold list.

[UP1] track 16 list threshold percentage

[UP1-track-16] threshold percentage negative 49 positive 50

[UP1-track-16] object 12

[UP1-track-16] object 13

[UP1-track-16] object 14

[UP1-track-16] object 15

[UP1-track-16] quit

# Create Boolean AND list 11 and enter its view. Add track entry 16 as a tracked object to the list.

[UP1] track 11 list boolean and

[UP1-track-11] object 16

[UP1-track-11] quit

# Associate the UP with track entry 11.

[UP1] user-plane switchover track 11 uplink-group JH-CN-PUP1026

2. Configure UP 2:

# Create a static BFD session and enter its view. The static BFD session detects the next-hop address for the network-side interface.

[UP2] bfd static up2toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 2:1:1::102 discriminator auto

[UP2-bfd-static-session-up2toSLEAF1] bfd multi-hop detect-multiplier 10

[UP2-bfd-static-session-up2toSLEAF1] quit

[UP2] bfd static up2toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 2:1:1::102 discriminator auto

[UP2-bfd-static-session-up2toSLEAF2] bfd multi-hop detect-multiplier 10

[UP2-bfd-static-session-up2toSLEAF2] quit

[UP2] track 1 bfd static up2toSLEAF1

[UP2] track 2 bfd static up2toSLEAF2

[UP2-track-1] quit

# Create Boolean OR list 5 and enter its view. Add track entries 1 and 2 as tracked objects to the list.

[UP2] track 5 list boolean or

[UP2-track-5] object 1

[UP2-track-5] object 2

[UP2-track-5] quit

# Disable master/backup interface switchover on the UP, and specify track entry 5 to monitor the link between the UP and the upstream router.

[UP2] user-plane control-tunnel-down switchover track 5

# Configure network-side bandwidth detection.

[UP2] track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:2:1:13::7 local ipv6 176:2:1:13::6

[UP2] track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:2:1:2::3 local ipv6 176:2:1:2::2

[UP2] track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:2:1:1::3 local ipv6 176:2:1:1::2

[UP2] track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:2:1:13::3 local ipv6 176:2:1:13::2

# Create a percentage threshold list and enter its view. Set the negative state threshold to 49% and the positive state threshold to 50% for the percentage threshold list.

[UP2] track 16 list threshold percentage

[UP2-track-16] threshold percentage negative 49 positive 50

[UP2-track-16] object 12

[UP2-track-16] object 13

[UP2-track-16] object 14

[UP2-track-16] object 15

[UP2-track-16] quit

# Create Boolean AND list 11 and enter its view. Add track entry 16 as a tracked object to the list.

[UP2] track 11 list boolean and

[UP2-track-11] object 16

[UP2-track-11] quit

# Associate the UP with track entry 11.

[UP2] user-plane switchover track 11 uplink-group JH-CN-PUP1027

3. Configure UP 3:

# Create a static BFD session and enter its view. The static BFD session detects the next-hop address for the network-side interface.

[UP3] bfd static up3toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 58:223:116::136 discriminator auto

[UP3-bfd-static-session-up3SLEAF1] bfd multi-hop detect-multiplier 10

[UP3-bfd-static-session-up3SLEAF1] quit

[UP3] bfd static up3toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 58:223:116::136 discriminator auto

[UP3-bfd-static-session-up3toSLEAF2] bfd multi-hop detect-multiplier 10

[UP3-bfd-static-session-up3toSLEAF2] quit

[UP3] track 1 bfd static up3toSLEAF1

[UP3] track 2 bfd static up3toSLEAF2

[UP3-track-1] quit

# Create Boolean OR list 5 and enter its view. Add track entries 1 and 2 as tracked objects to the list.

[UP3] track 5 list boolean or

[UP3-track-5] object 1

[UP3-track-5] object 2

[UP3-track-5] quit

# Disable master/backup interface switchover on the UP, and specify track entry 5 to monitor the link between the UP and the upstream router.

[UP3] user-plane control-tunnel-down switchover track 5

# Configure network-side bandwidth detection.

[UP3] track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:3:1:13::7 local ipv6 176:3:1:13::6

[UP3] track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:3:1:2::3 local ipv6 176:3:1:2::2

[UP3] track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:3:1:1::3 local ipv6 176:3:1:1::2

[UP3] track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:3:1:13::3 local ipv6 176:3:1:13::2

# Create a percentage threshold list and enter its view. Set the negative state threshold to 49% and the positive state threshold to 50% for the percentage threshold list.

[UP3] track 16 list threshold percentage

[UP3-track-16] threshold percentage negative 49 positive 50

[UP3-track-16] object 12

[UP3-track-16] object 13

[UP3-track-16] object 14

[UP3-track-16] object 15

[UP3-track-16] quit

# Create Boolean AND list 11 and enter its view. Add track entry 16 as a tracked object to the list.

[UP3] track 11 list boolean and

[UP3-track-11] object 16

[UP3-track-11] quit

# Associate the UP with track entry 11.

[UP3] user-plane switchover track 11 uplink-group JH-CN-PUP1028

4. Configure UP 4:

# Create a static BFD session and enter its view. The static BFD session detects the next-hop address for the network-side interface.

[UP4] bfd static up3toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 2:1:1::104 discriminator auto

[UP4-bfd-static-session-up3SLEAF1] bfd multi-hop detect-multiplier 10

[UP4-bfd-static-session-up3SLEAF1] quit

[UP4] bfd static up3toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 2:1:1::104 discriminator auto

[UP4-bfd-static-session-up3toSLEAF2] bfd multi-hop detect-multiplier 10

[UP4-bfd-static-session-up3toSLEAF2] quit

[UP4] track 1 bfd static up3toSLEAF1

[UP4] track 2 bfd static up3toSLEAF2

[UP4-track-1] quit

# Create Boolean OR list 5 and enter its view. Add track entries 1 and 2 as tracked objects to the list.

[UP4] track 5 list boolean or

[UP4-track-5] object 1

[UP4-track-5] object 2

[UP4-track-5] quit

# Disable master/backup interface switchover on the UP, and specify track entry 5 to monitor the link between the UP and the upstream router.

[UP4] user-plane control-tunnel-down switchover track 5

# Configure network-side bandwidth detection.

[UP4] track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:4:1:13::7 local ipv6 176:4:1:13::6

[UP4] track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:4:1:2::3 local ipv6 176:4:1:2::2

[UP4] track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:4:1:1::3 local ipv6 176:4:1:1::2

[UP4] track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:4:1:13::3 local ipv6 176:4:1:13::2

# Create a percentage threshold list and enter its view. Set the negative state threshold to 49% and the positive state threshold to 50% for the percentage threshold list.

[UP4] track 16 list threshold percentage

[UP4-track-16] threshold percentage negative 49 positive 50

[UP4-track-16] object 12

[UP4-track-16] object 13

[UP4-track-16] object 14

[UP4-track-16] object 15

[UP4-track-16] quit

# Create Boolean AND list 11 and enter its view. Add track entry 16 as a tracked object to the list.

[UP4] track 11 list boolean and

[UP4-track-11] object 16

[UP4-track-11] quit

# Associate the UP with track entry 11.

[UP4] user-plane switchover track 11 uplink-group JH-CN-PUP1029

5. Configure CP 1:

In UP backup profile 2, configure the CP to perform master/backup switchover for a UP or interfaces on the UP according to the track entry state reported by the specified monitoring UP.

[CP1] up-backup-profile 2 warm-load-balance

[CP1-up-backup-profile-2] up-id 1026 network-state track uplink-group JH-CN-PUP1026

[CP1-up-backup-profile-2] up-id 1027 network-state track uplink-group JH-CN-PUP1027

[CP1-up-backup-profile-2] up-id 1028 network-state track uplink-group JH-CN-PUP1028

[CP1-up-backup-profile-2] up-id 1029 network-state track uplink-group JH-CN-PUP1029

[CP1-up-backup-profile-2] quit

6. Configure CP 2:

Configure CP 2 in the same way CP 1 is configured. (Details not shown.)

Configuring PPPoE for public network home broadband

1. Configure CP 1:

a. Configure a RADIUS scheme:

# Configure primary and secondary RADIUS servers.

[CP1] radius scheme js.163.radius

[CP1-radius-js.163.radius] primary authentication 192.168.40.200 key simple 123456 weight 50

[CP1-radius-js.163.radius] primary accounting 192.168.40.200 key simple 123456 weight 50

[CP1-radius-js.163.radius] secondary authentication 192.168.40.201 key simple 123456 weight 50

[CP1-radius-js.163.radius] secondary accounting 192.168.40.201 key simple 123456 weight 50

# Enable the RADIUS server load sharing feature.

[CP1-radius-js.163.radius] server-load-sharing enable

# Set the real-time accounting interval to 120 minutes.

[CP1-radius-js.163.radius] timer realtime-accounting 120

# Set the maximum number of RADIUS request transmission attempts to 2.

[CP1-radius-js.163.radius] retry 2

# Specify the IP address of the source interface specified in the radius source-interface command as the NAS IPv4 address of RADIUS packets.

[CP1-radius-js.163.radius] nas-ip 58.223.116.200

If you specify an IP address other than the IP address of the source interface specified in the radius source-interface command, you must add the IP address for a client for the client to come online successfully. The source-ip command in RADIUS scheme view does not affect the NAS IP address in outgoing RADIUS packets. The NAS IP address in outgoing RADIUS packets is always the IP address of the source interface specified in the radius source-interface command.

# Set the maximum number of pending RADIUS requests.

[CP1-radius-js.163.radius] response-pending-limit authentication 255

[CP1-radius-js.163.radius] quit

b. Configure an ISP domain on the CP:

# In ISP domain 163.js, specify a user group and an address pool group as the authorization user group and authorization address pool group.

[CP1] domain name 163.js

[CP1-isp-163.js] authorization-attribute user-group weibeian

[CP1-isp-163.js] authorization-attribute ip-pool-group adsl-group

# Specify a PD prefix pool group and an ND prefix pool group as the authorization PD prefix pool group and authorization ND prefix pool group. The configuration on an endpoint determines whether the user IPv6 address uses a PD prefix or a ND prefix.

[CP1-isp-163.js] authorization-attribute ipv6-pool-group wxlxq.163.js-pd-group

[CP1-isp-163.js] authorization-attribute ipv6-nd-prefix-pool-group wxlxq.163.js-nd-group

# Configure primary and secondary DNS servers for users.

[CP1-isp-163.js] authorization-attribute primary-dns ip 218.2.2.2

[CP1-isp-163.js] authorization-attribute secondary-dns ip 218.4.4.4

# Specify a user priority for users. The device uses the specified user priority to perform QoS priority mapping on user packets, and then assigns the user packets to a queue based on the target priority. Packets in a high-priority queue are preferentially scheduled when congestion occurs.

[CP1-isp-163.js] authorization-attribute user-priority inbound 0

[CP1-isp-163.js] authorization-attribute user-priority outbound 0

# Configure users to rely on IPv4 addresses to use the basic services.

[CP1-isp-163.js] basic-service-ip-type ipv4

[CP1-isp-163.js] authentication ppp radius-scheme js.163.radius none

[CP1-isp-163.js] authorization ppp radius-scheme js.163.radius none

[CP1-isp-163.js] accounting ppp radius-scheme js.163.radius

# Specify the public-DS address type.

[CP1-isp-163.js] user-address-type public-ds

# Set the start-accounting delay to 10 seconds. The start-accounting delay is the period of time that the device waits before sending a start-accounting request.

[CP1-isp-163.js] accounting start-delay 35

[CP1-isp-163.js] quit

c. Configure the DHCP server:

IPv4:

# Configure an ODAP IP pool named adsl.

[CP1] ip pool adsl odap

[CP1-ip-pool-adsl] network 174.1.0.0 mask 255.255.0.0

[CP1-ip-pool-adsl] subnet mask-length 24

[CP1-ip-pool-adsl] subnet idle-time 900

[CP1-ip-pool-adsl] subnet utilization mark high 100 low 75

[CP1-ip-pool-adsl] ip-in-use threshold 90

[CP1-ip-pool-adsl] allocate-new-ip enable

[CP1-ip-pool-adsl] ip-subnet-in-use threshold 90

[CP1-ip-pool-adsl] subnet alloc-mode up-backup-profile

# Specify the secondary network segment for dynamic allocation.

[CP1-ip-pool-adsl] network 174.5.0.0 mask 255.255.0.0 secondary

[CP1-ip-pool-adsl-secondary] quit

# Specify the gateway IP address and the network mask for the IP pool.

[CP1-ip-pool-adsl] gateway 174.1.0.254 mask 255.255.0.0

[CP1-ip-pool-adsl] gateway 174.5.0.254 mask 255.255.0.0

[CP1-ip-pool-adsl] quit

# Configure an IP pool group.

[CP1] ip pool-group adsl-group

[CP1-ip-pool-adsl-group] pool adsl

[CP1-ip-pool-adsl-group] quit

IPv6:

# Create prefix pools.

[CP1] ipv6 dhcp prefix-pool 1 prefix 240E:3A0:160F::/48 assign-len 56

[CP1] ipv6 dhcp prefix-pool 2 prefix 240E:3A1:16F0::/44 assign-len 52

# Create an IPv6 ND address pool.

[CP1] ipv6 pool wxlxq.163.js-nd-01 odap

[CP1-ipv6-pool-wxlxq.163.js-nd-01] prefix-pool 1

[CP1-ipv6-pool-wxlxq.163.js-nd-01] dns-server 240E:5A::6666

[CP1-ipv6-pool-wxlxq.163.js-nd-01] dns-server 240E:5B::6666

[CP1-ipv6-pool-wxlxq.163.js-nd-01] dynamic prefix alloc-mode up-backup-profile

[CP1-ipv6-pool-wxlxq.163.js-nd-01] dynamic prefix assign-length 64

[CP1-ipv6-pool-wxlxq.163.js-nd-01] dynamic prefix idle-time 900

[CP1-ipv6-pool-wxlxq.163.js-nd-01] dynamic utilization mark high 100 low 95

[CP1-ipv6-pool-wxlxq.163.js-nd-01] pd-in-use threshold 90

[CP1-ipv6-pool-wxlxq.163.js-nd-01] pd-subnet-in-use threshold 90

[CP1-ipv6-pool-wxlxq.163.js-nd-01] quit

# Configure an IPv6 ND address pool group.

[CP1] ipv6 pool-group wxlxq.163.js-nd-group

[CP1-ipv6-pool-wxlxq.163.js-nd-group] pool wxlxq.163.js-nd-01

[CP1-ipv6-pool-wxlxq.163.js-nd-group] quit

# Create an IPv6 PD address pool.

[CP1] ipv6 pool wxlxq.163.js-pd-01 odap

# Apply prefix pool 2 to the address pool.

[CP1-ipv6-pool-wxlxq.163.js-pd-01] prefix-pool 2

# Specify IPv6 DNS server addresses.

[CP1-ipv6-pool-wxlxq.163.js-pd-01] dns-server 240E:5A::6666

[CP1-ipv6-pool-wxlxq.163.js-pd-01] dns-server 240E:5B::6666

[CP1-ipv6-pool-wxlxq.163.js-pd-01] dynamic prefix alloc-mode up-backup-profile

[CP1-ipv6-pool-wxlxq.163.js-pd-01] dynamic prefix assign-length 60

[CP1-ipv6-pool-wxlxq.163.js-pd-01] dynamic prefix idle-time 900

[CP1-ipv6-pool-wxlxq.163.js-pd-01] dynamic utilization mark high 100 low 95

[CP1-ipv6-pool-wxlxq.163.js-pd-01] pd-in-use threshold 90

[CP1-ipv6-pool-wxlxq.163.js-pd-01] pd-subnet-in-use threshold 90

[CP1-ipv6-pool-wxlxq.163.js-pd-01] quit

# Configure an PD pool group.

[CP1] ipv6 pool-group wxlxq.163.js-pd-group

[CP1-ipv6-pool-wxlxq.163.js-pd-group] pool wxlxq.163.js-pd-01

[CP1-ipv6-pool-wxlxq.163.js-pd-group] quit

# Set the DUID to abcd1234 for the DHCPv6 server.

[CP1] ipv6 dhcp duid abcd1234

# Create a CPDR group named g2, and bind IPv4 address pool adsl to the CPDR group.

[CP1] cp disaster-recovery group g2

[CP1-cpdr-group-g2] ip-pool adsl

# Bind IPv6 address pools wxlxq.163.js-nd-01 and wxlxq.163.js-pd-01 to the CPDR group.

[CP1-cpdr-group-g2] ipv6-pool wxlxq.163.js-nd-01

[CP1-cpdr-group-g2] ipv6-pool wxlxq.163.js-pd-01

[CP1-cpdr-group-g2] quit

d. Configure PPPoE:

# Configure Virtual-Template 1 to authenticate the peer by using PAP, CHAP, MS-CHAP, and MS-CHAP-V2, with 163.js as the non-forced PPP authentication domain.

[CP1] interface virtual-template 1

[CP1-Virtual-Template1] ppp authentication-mode pap chap ms-chap ms-chap-v2 domain default enable 163.js

# Set the LCP negotiation delay timer. If two ends of a PPP link vary greatly in the LCP negotiation packet processing rate, execute this command on the end with a higher processing rate. The LCP negotiation delay timer prevents frequent LCP negotiation packet retransmission.

[CP1-Virtual-Template1] ppp lcp delay 1000

# Configure Virtual-Template 1 not to perform keepalive detection when the uplink traffic of PPP users is updated.

[CP1-Virtual-Template1] ppp keepalive datacheck

Assign an IP address to Virtual-Template 1. When PPPoE users of the RADIUS direct authorization type exist in the network, configure this IP address for PPP negotiation.

[CP1-Virtual-Template1] ip address 1.1.1.1 24

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent on Virtual-Template 1.

[CP1-Virtual-Template1] ipv6 nd autoconfig other-flag

[CP1-Virtual-Template1] quit

# Create an interface range that contains Remote-RAGG1026/701.2, Remote-RAGG1027/701.2, Remote-RAGG1028/701.2, and Remote-RAGG1029/701.2, and enter the interface range view. In this example, all the subinterfaces have been created.

[CP1] interface range Remote-RAGG1026/701.2 Remote-RAGG1027/701.2 Remote-RAGG1028/701.2 Remote-RAGG1029/701.2

# Enable the PPPoE server on the subinterfaces and bind them to Virtual-Template 1.

[CP1–Remote-if-range] pppoe-server bind virtual-template 1

# Configure user VLAN QinQ termination on the subinterfaces to terminate VLAN-tagged packets with an inner VLAN ID in the range of 1001 to 2000 and an outer VLAN ID in the range of 1 to 4094.

[CP1–Remote-if-range] user-vlan dot1q vid 1001 to 2000 second-dot1q any

# Configure the NAS-Port-ID attribute to automatically include BAS information on the subinterfaces.

[CP1–Remote-if-range] pppoe-server access-line-id bas-info

# Specify a roaming domain on the subinterfaces. The device uses the roaming domain to authenticate a user if the user is assigned to the ISP domain carried in the username but the assigned domain does not exist.

[CP1–Remote-if-range] aaa roam-domain 163.js

[CP1–Remote-if-range] ipv6 dhcp select server

[CP1–Remote-if-range] ipv6 address auto link-local

[CP1–Remote-if-range] undo ipv6 nd ra halt

[CP1–Remote-if-range] quit

2. Configure CP 2:

Configure CP 2 in the same way CP 1 is configured. (Details not shown.)

Verifying the configuration

Verifying the UP warm standby configuration

# Display UP backup profile information.

[CP1] display up-backup-profile 2

Profile ID: 2

Backup mode: Warm load balancing

NAS logical interface: Remote-RAGG1026/701

Failure recovery: Disabled

CUSP tunnel down switchover Delay time: 5 seconds

CUSP tunnel up switchover Delay time: 60000 milliseconds

Route advertise: Enabled Cost: 10 20

Interface backup mode: Inherit-main

Load balancing mode: Interface Group users: By SVLAN and CVLAN

UP 1026 uplink group name: JH-CN-PUP1026

UP 1027 uplink group name: JH-CN-PUP1027

UP 1028 uplink group name: JH-CN-PUP1028

UP 1029 uplink group name: JH-CN-PUP1029

Master: Remote-RAGG1027/701, state=master(normal), VRID=2

Master: Remote-RAGG1029/701, state=master(normal), VRID=4

Master: Remote-RAGG1026/701, state=master(normal), VRID=1

Master: Remote-RAGG1028/701, state=master(normal), VRID=3

# Display the primary and secondary interface information for a virtual MAC address in a warm-load-balancing UP backup profile.

[CP1] display up-backup-profile 2 virtual-mac

Virtual MAC Master Backup

0000-5e00-0111 Remote-RAGG1027/701(working) Remote-RAGG1026/701

0000-5e00-0113 Remote-RAGG1027/701(working) Remote-RAGG1028/701

0000-5e00-0114 Remote-RAGG1027/701(working) Remote-RAGG1029/701

0000-5e00-0132 Remote-RAGG1029/701(working) Remote-RAGG1027/701

0000-5e00-0131 Remote-RAGG1029/701(working) Remote-RAGG1026/701

0000-5e00-0133 Remote-RAGG1029/701(working) Remote-RAGG1028/701

0000-5e00-0102 Remote-RAGG1026/701(working) Remote-RAGG1027/701

0000-5e00-0103 Remote-RAGG1026/701(working) Remote-RAGG1028/701

0000-5e00-0104 Remote-RAGG1026/701(working) Remote-RAGG1029/701

0000-5e00-0122 Remote-RAGG1028/701(working) Remote-RAGG1027/701

0000-5e00-0121 Remote-RAGG1028/701(working) Remote-RAGG1026/701

0000-5e00-0124 Remote-RAGG1028/701(working) Remote-RAGG1029/701

The output shows that Remote-RAGG1026/701, Remote-RAGG1027/701, Remote-RAGG1028/701, and Remote-RAGG1029/701 are all primary interfaces and back up one another. User services are load shared among the primary interfaces.

Verifying the CPDR configuration

# Display information about CPDR group 2 on CP 1.

[CP1] display cp disaster-recovery group 2

Group name: 2

Status: Stable

Remaining switchover delay time: -

Current CUSP connection failure ratio:

Local: 0

Peer: 0

Local info:

Configured role: Master

Negotiated role: Master

Backup mode: Hot

Auto switchover: Enabled

Auto switchback: Disabled

Auto switchover delay: 30s

Auto switchback delay: 1800s

CUSP connection failure ratio to trigger auto switchover: 100%

CUSP connection failure ratio to trigger auto switchback: 0

Local IP: 180.96.185.8

Peer IP: 58.223.243.8

RADIUS source interface: LoopBack3

Web-auth source interface: N/A

Running role: Master

Running priority: 211

IP pool: adsl

IPv6 pool: wxlxq.163.js-nd-01

wxlxq.163.js-pd-01

Peer Info:

Running role: Backup

Running priority: 211

CUSP Info from BRAS-VM:

UP ID Local-connect Peer-connect

1026 Connected Connected

1027 Connected Connected

1028 Connected Connected

1029 Connected Connected

CUSP Info from heartbeat tunnel:

UP ID Local-connect Peer-connect

1026 Connected Connected

1027 Connected Connected

1028 Connected Connected

1029 Connected Connected

Total users: 400000

UP ID Users

1026 100000

1027 100000

1028 100000

1029 100000

# Display information about CPDR group 2 on CP 2.

[CP2] display cp disaster-recovery group 2

Group name: 2

Status: Stable

Remaining switchover delay time: -

Current CUSP connection failure ratio:

Local: 0

Peer: 0

Local info:

Configured role: Backup

Negotiated role: Backup

Backup mode: Hot

Auto switchover: Enabled

Auto switchback: Disabled

Auto switchover delay: 30s

Auto switchback delay: 1800s

CUSP connection failure ratio to trigger auto switchover: 100%

CUSP connection failure ratio to trigger auto switchback: 0

Local IP: 58.223.243.8

Peer IP: 180.96.185.8

RADIUS source interface: LoopBack3

Web-auth source interface: N/A

Running role: Backup

Running priority: 211

IP pool: adsl

IPv6 pool: wxlxq.163.js-nd-01

wxlxq.163.js-pd-01

Peer Info:

Running role: Master

Running priority: 211

CUSP Info from BRAS-VM:

UP ID Local-connect Peer-connect

1026 Connected Connected

1027 Connected Connected

1028 Connected Connected

1029 Connected Connected

CUSP Info from heartbeat tunnel:

UP ID Local-connect Peer-connect

1026 Connected Connected

1027 Connected Connected

1028 Connected Connected

1029 Connected Connected

Total users: 400000

UP ID Users

1026 100000

1027 100000

1028 100000

1029 100000

The output shows that CP 1 is the master and CP 2 is the backup. Users come online through the master CP. When the master CP fails, user services are switched to the backup CP.

Displaying access user information

# Display the online PPPoE user information on the CP.

[CP1] display access-user interface Remote-RAGG1026/701.2

Slot 99:

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x8024227a R-RAGG1026/701.2 174.8.14.0 0071-9418-6eaa 1001/3

701-20002@1 PPPoE

240E:3A0:160F:2100:C8B4:C2F:0:60BF

[CP1] display access-user interface Remote-RAGG1027/701.2

Slot 99:

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x80320d83 R-RAGG1027/701.2 174.9.14.0 0071-9418-6ea9 1001/2

701-20001@1 PPPoE

240E:3A0:160F:2200:5CC0:190F:0:4DA

[CP1] display access-user interface Remote-RAGG1028/701.2

Slot 99:

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x80242285 R-RAGG1028/701.2 174.10.14.0 0071-9418-6eab 1001/4

701-20003@1 PPPoE

240E:3A0:160F:2300:C8B4:C2F:0:60BF

[CP1] display access-user interface Remote-RAGG1029/701.2

Slot 99:

UserID Interface IP address MAC address S-/C-VLAN

Username Access type

IPv6 address

0x8024235a R-RAGG1029/701.2 174.11.14.0 0071-9418-6eac 1001/5

701-20004@1 PPPoE

240E:3A0:160F:2400:C8B4:C2F:0:60BF

The output shows that users are load shared among the four master UPs (UP 1026, UP 1027, UP 1028, and UP 1029).

Configuration files

CP 1:

netconf-client

source-address 180.96.185.8

connection 1026

user-name admin password cipher $c$3$hzpbTXx1p2pXNlV/Xp7gRQvh3ey3ZbJ9

destination-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

connection 1027

user-name admin password cipher $c$3$hybxV4PiRMF+h5L/JlhyHB8nT0G7Jboh

destination-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

connection 1028

user-name admin password cipher $c$3$qAF2g2AUBnAg7ciNQS+UxOdj2XD65CM2u7YzJXjCtA==

destination-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

connection 1029

user-name admin password cipher $c$3$qAF2g2AUBnAg7ciNQS+UxOdj2XD65CM2u7YzJXjCtA==

destination-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

cusp controller

listening-ip 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

agent up1

agent-ip 2.1.1.101

agent up2

agent-ip 2.1.1.102

agent up3

agent-ip 2.1.1.103

agent up4

agent-ip 2.1.1.104

bfd template BFD_CUSP

bfd min-transmit-interval 200

bfd min-receive-interval 200

bfd detect-multiplier 10

up-manage id 1026

bind netconf-connection 1026

control-tunnel cusp-agent up1

protocol-tunnel vxlan 11026 source 180.96.185.8 destination 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up1

local-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11026 source 2.1.1.101 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21026 source 2.1.1.101 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

up-manage id 1027

bind netconf-connection 1027

control-tunnel cusp-agent up2

protocol-tunnel vxlan 11027 source 180.96.185.8 destination 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up2

local-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11027 source 2.1.1.102 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21027 source 2.1.1.102 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

up-manage id 1028

bind netconf-connection 1028

control-tunnel cusp-agent up3

protocol-tunnel vxlan 11028 source 180.96.185.8 destination 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up3

local-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11028 source 2.1.1.103 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21028 source 2.1.1.103 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

up-manage id 1029

bind netconf-connection 1029

control-tunnel cusp-agent up4

protocol-tunnel vxlan 11029 source 180.96.185.8 destination 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up4

local-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11029 source 2.1.1.104 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21029 source 2.1.1.104 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

cp disaster-recovery group 2 id 2

set role master

up-id 1026 to 1029

ip-pool adsl

ipv6-pool wxlxq.163.js-nd-01

ipv6-pool wxlxq.163.js-pd-01

switchover auto enable

radius source-interface LoopBack3

fault-ratio-calculate strict

up-backup-profile 2 warm-load-balance

undo failure-recovery-switch enable

nas logic-port Remote-RAGG1026/701

up-id 1026 network-state track uplink-group JH-CN-PUP1026

up-id 1027 network-state track uplink-group JH-CN-PUP1027

up-id 1028 network-state track uplink-group JH-CN-PUP1028

up-id 1029 network-state track uplink-group JH-CN-PUP1029

control-tunnel-up switchover msec-delay 60000

control-tunnel-down switchover delay 5

load-balance-mode interface by-qinq

master-interface Remote-RAGG1026/701 vrid 1

master-interface Remote-RAGG1027/701 vrid 2

master-interface Remote-RAGG1028/701 vrid 3

master-interface Remote-RAGG1029/701 vrid 4

radius scheme js.163.radius

primary authentication 192.168.40.200 weight 50

primary accounting 192.168.40.200 weight 50

secondary authentication 192.168.40.201 weight 50

secondary accounting 192.168.40.201 weight 50

key authentication cipher $c$3$W4uoj3l9gRnIc1f/XoVKxqWetGAq18kSew==

key accounting cipher $c$3$r/6e0cec9ZYi8iiGOUtpnvqX233YZfNkrQ==

timer realtime-accounting 120

nas-ip 58.223.116.200

server-load-sharing enable

response-pending-limit authentication 255

domain name 163.js

authorization-attribute user-group weibeian

authorization-attribute ip-pool-group adsl-group

authorization-attribute ipv6-pool-group wxlxq.163.js-pd-group

authorization-attribute ipv6-nd-prefix-pool-group wxlxq.163.js-nd-group

authorization-attribute primary-dns ip 218.2.2.2

authorization-attribute secondary-dns ip 218.4.4.4

authorization-attribute user-priority inbound 0

authorization-attribute user-priority outbound 0

basic-service-ip-type ipv4

authentication ppp radius-scheme js.163.radius none

authorization ppp radius-scheme js.163.radius none

accounting ppp radius-scheme js.163.radius

user-address-type public-ds

accounting start-delay 35

ip pool adsl odap pool-index 2

network 174.1.0.0 mask 255.255.0.0

subnet mask-length 24

subnet idle-time 900

subnet alloc-mode up-backup-profile

subnet utilization mark high 100 low 75

ip-in-use threshold 90

allocate-new-ip enable

ip-subnet-in-use threshold 90

network 174.5.0.0 mask 255.255.0.0 secondary

gateway 174.1.0.254 mask 255.255.0.0

gateway 174.5.0.254 mask 255.255.0.0

ip pool-group adsl-group

pool adsl

ipv6 pool wxlxq.163.js-nd-01 odap pool-index 13

dns-server 240E:5A::6666

dns-server 240E:5B::6666

prefix-pool 1

dynamic prefix alloc-mode up-backup-profile

dynamic prefix assign-length 64

dynamic prefix idle-time 900

dynamic utilization mark high 100 low 95

pd-in-use threshold 90

pd-subnet-in-use threshold 90

ipv6 pool wxlxq.163.js-pd-01 odap pool-index 14

dns-server 240E:5A::6666

dns-server 240E:5B::6666

prefix-pool 2

dynamic prefix alloc-mode up-backup-profile

dynamic prefix assign-length 60

dynamic prefix idle-time 900

dynamic utilization mark high 100 low 95

pd-in-use threshold 90

pd-subnet-in-use threshold 90

ipv6 dhcp prefix-pool 1 prefix 240E:3A0:160F::/48 assign-len 56

ipv6 dhcp prefix-pool 2 prefix 240E:3A1:16F0::/44 assign-len 52

ipv6 pool-group wxlxq.163.js-nd-group

pool wxlxq.163.js-nd-01

ipv6 pool-group wxlxq.163.js-pd-group

pool wxlxq.163.js-pd-01

ipv6 dhcp duid abcd1234

interface Virtual-Template1

description 163.js

ppp authentication-mode pap chap ms-chap ms-chap-v2 domain default enable 163.js

ppp lcp delay 1000

ppp keepalive datacheck

ip address 1.1.1.1 255.255.255.0

ipv6 nd autoconfig other-flag

interface Remote-RAGG1026/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

interface Remote-RAGG1027/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

interface Remote-RAGG1028/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

interface Remote-RAGG1029/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

CP 2:

netconf-client

source-address 58.223.243.8

connection 1026

user-name admin password cipher $c$3$HgMBH37nq8K9nF2ZiruHccvzI6D/X6od

destination-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

connection 1027

user-name admin password cipher $c$3$ivsBOqOmMPSrtRFgOHKMRJuKm5sAoC5z

destination-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

connection 1028

user-name admin password cipher $c$3$A7uD2dTkB9Djwl3ZC7PfTtXuG9S1x18M/H5/NxDRJg==

destination-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

connection 1029

user-name admin password cipher $c$3$A7uD2dTkB9Djwl3ZC7PfTtXuG9S1x18M/H5/NxDRJg==

destination-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

cusp controller

listening-ip 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

agent up1

agent-ip 2.1.1.101

agent up2

agent-ip 2.1.1.102

agent up3

agent-ip 2.1.1.103

agent up4

agent-ip 2.1.1.104

bfd template BFD_CUSP

bfd min-transmit-interval 200

bfd min-receive-interval 200

bfd detect-multiplier 10

up-manage id 1026

bind netconf-connection 1026

control-tunnel cusp-agent up1

protocol-tunnel vxlan 21026 source 58.223.243.8 destination 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up1

local-address 2.1.1.101 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11026 source 2.1.1.101 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21026 source 2.1.1.101 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

up-manage id 1027

bind netconf-connection 1027

control-tunnel cusp-agent up2

protocol-tunnel vxlan 21027 source 58.223.243.8 destination 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up2

local-address 2.1.1.102 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11027 source 2.1.1.102 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21027 source 2.1.1.102 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

up-manage id 1028

bind netconf-connection 1028

control-tunnel cusp-agent up3

protocol-tunnel vxlan 21028 source 58.223.243.8 destination 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up3

local-address 2.1.1.103 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11028 source 2.1.1.103 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21028 source 2.1.1.103 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

up-manage id 1029

bind netconf-connection 1029

control-tunnel cusp-agent up4

protocol-tunnel vxlan 21029 source 58.223.243.8 destination 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

remote interface Route-Aggregation701

up-config

cusp agent up4

local-address 2.1.1.104 vpn-instance CP2UP_L3VPN_H3C

bfd enable template BFD_CUSP

controller address 58.223.243.8

controller address 180.96.185.8

cu-agent

protocol-tunnel vxlan 11029 source 2.1.1.104 destination 180.96.185.8 vpn-instance CP2UP_L3VPN_H3C

protocol-tunnel vxlan 21029 source 2.1.1.104 destination 58.223.243.8 vpn-instance CP2UP_L3VPN_H3C

cp disaster-recovery group 2 id 2

set role backup

up-id 1026 to 1029

ip-pool adsl

ipv6-pool wxlxq.163.js-nd-01

ipv6-pool wxlxq.163.js-pd-01

switchover auto enable

radius source-interface LoopBack3

fault-ratio-calculate strict

up-backup-profile 2 warm-load-balance

undo failure-recovery-switch enable

nas logic-port Remote-RAGG1026/701

up-id 1026 network-state track uplink-group JH-CN-PUP1026

up-id 1027 network-state track uplink-group JH-CN-PUP1027

up-id 1028 network-state track uplink-group JH-CN-PUP1028

up-id 1029 network-state track uplink-group JH-CN-PUP1029

control-tunnel-up switchover msec-delay 60000

control-tunnel-down switchover delay 5

load-balance-mode interface by-qinq

master-interface Remote-RAGG1026/701 vrid 1

master-interface Remote-RAGG1027/701 vrid 2

master-interface Remote-RAGG1028/701 vrid 3

master-interface Remote-RAGG1029/701 vrid 4

radius scheme js.163.radius

primary authentication 192.168.40.200 weight 50

primary accounting 192.168.40.200 weight 50

secondary authentication 192.168.40.201 weight 50

secondary accounting 192.168.40.201 weight 50

key authentication cipher $c$3$W4uoj3l9gRnIc1f/XoVKxqWetGAq18kSew==

key accounting cipher $c$3$r/6e0cec9ZYi8iiGOUtpnvqX233YZfNkrQ==

timer realtime-accounting 120

nas-ip 58.223.116.200

server-load-sharing enable

response-pending-limit authentication 255

domain name 163.js

authorization-attribute user-group weibeian

authorization-attribute ip-pool-group adsl-group

authorization-attribute ipv6-pool-group wxlxq.163.js-pd-group

authorization-attribute ipv6-nd-prefix-pool-group wxlxq.163.js-nd-group

authorization-attribute primary-dns ip 218.2.2.2

authorization-attribute secondary-dns ip 218.4.4.4

authorization-attribute user-priority inbound 0

authorization-attribute user-priority outbound 0

basic-service-ip-type ipv4

authentication ppp radius-scheme js.163.radius none

authorization ppp radius-scheme js.163.radius none

accounting ppp radius-scheme js.163.radius

user-address-type public-ds

accounting start-delay 35

ip pool adsl odap pool-index 2

network 174.1.0.0 mask 255.255.0.0

subnet mask-length 24

subnet idle-time 900

subnet alloc-mode up-backup-profile

subnet utilization mark high 100 low 75

ip-in-use threshold 90

allocate-new-ip enable

ip-subnet-in-use threshold 90

network 174.5.0.0 mask 255.255.0.0 secondary

gateway 174.1.0.254 mask 255.255.0.0

gateway 174.5.0.254 mask 255.255.0.0

ip pool-group adsl-group

pool adsl

ipv6 pool wxlxq.163.js-nd-01 odap pool-index 13

dns-server 240E:5A::6666

dns-server 240E:5B::6666

prefix-pool 1

dynamic prefix alloc-mode interface

dynamic prefix assign-length 64

dynamic prefix idle-time 900

dynamic utilization mark high 100 low 95

pd-in-use threshold 90

pd-subnet-in-use threshold 90

ipv6 pool wxlxq.163.js-pd-01 odap pool-index 14

dns-server 240E:5A::6666

dns-server 240E:5B::6666

prefix-pool 2

dynamic prefix alloc-mode interface

dynamic prefix assign-length 60

dynamic prefix idle-time 900

dynamic utilization mark high 100 low 95

pd-in-use threshold 90

pd-subnet-in-use threshold 90

ipv6 dhcp prefix-pool 1 prefix 240E:3A0:160F::/48 assign-len 56

ipv6 dhcp prefix-pool 2 prefix 240E:3A1:16F0::/44 assign-len 52

ipv6 pool-group wxlxq.163.js-nd-group

pool wxlxq.163.js-nd-01

ipv6 pool-group wxlxq.163.js-pd-group

pool wxlxq.163.js-pd-01

ipv6 dhcp duid abcd1234

interface Virtual-Template1

description 163.js

ppp authentication-mode pap chap ms-chap ms-chap-v2 domain default enable 163.js

ppp lcp delay 1000

ppp keepalive datacheck

ip address 1.1.1.1 255.255.255.0

ipv6 nd autoconfig other-flag

interface Remote-RAGG1026/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

interface Remote-RAGG1027/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

interface Remote-RAGG1028/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

interface Remote-RAGG1029/701.2

description adsl

user-vlan dot1q vid 1001 to 2000 second-dot1q any

ipv6 dhcp select server

ipv6 address auto link-local

undo ipv6 nd ra halt

pppoe-server access-line-id bas-info

pppoe-server bind virtual-template 1

aaa roam-domain 163.js

UP 1:

work-mode user-plane

netconf ssh server enable

ssh server enable

ssh user admin service-type all authentication-type password

local-user admin class manage

password hash $h$6$fKFmbDEhfCRMytYI$w4aXJHfoRzZnG6A5/gon/bitlQmInK0IW2wp76zCEnDSa9woo+1GcnMLJe2gUReBRd0gLq7mhhsqfmF3ouCe3Q==

service-type ssh

authorization-attribute user-role network-admin

authorization-attribute user-role network-operator

bfd template BFD_CUSP

bfd min-transmit-interval 200

bfd min-receive-interval 200

bfd detect-multiplier 10

bfd static up1toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 2:1:1::101 discriminator auto

bfd multi-hop detect-multiplier 10

bfd static up1toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 2:1:1::101 discriminator auto

bfd multi-hop detect-multiplier 10

track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:1:1:13::7 local ipv6 176:1:1:13::6

track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:1:1:2::3 local ipv6 176:1:1:2::2

track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:1:1:1::3 local ipv6 176:1:1:1::2

track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:1:1:13::3 local ipv6 176:1:1:13::2

track 1 bfd static up1toSLEAF1

track 2 bfd static up1toSLEAF2

track 5 list boolean or

object 1

object 2

track 16 list threshold percentage

threshold percentage negative 49 positive 50

object 12

object 13

object 14

object 15

track 11 list boolean and

object 16

user-plane switchover track 11 uplink-group JH-CN-PUP1026

user-plane control-tunnel-down switchover track 5

UP 2:

work-mode user-plane

netconf ssh server enable

ssh server enable

ssh user admin service-type all authentication-type password

local-user admin class manage

password hash $h$6$fKFmbDEhfCRMytYI$w4aXJHfoRzZnG6A5/gon/bitlQmInK0IW2wp76zCEnDSa9woo+1GcnMLJe2gUReBRd0gLq7mhhsqfmF3ouCe3Q==

service-type ssh

authorization-attribute user-role network-admin

authorization-attribute user-role network-operator

bfd template BFD_CUSP

bfd min-transmit-interval 200

bfd min-receive-interval 200

bfd detect-multiplier 10

bfd static up2toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 2:1:1::102 discriminator auto

bfd multi-hop detect-multiplier 10

bfd static up2toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 2:1:1::102 discriminator auto

bfd multi-hop detect-multiplier 10

track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:2:1:13::7 local ipv6 176:2:1:13::6

track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:2:1:2::3 local ipv6 176:2:1:2::2

track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:2:1:1::3 local ipv6 176:2:1:1::2

track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:2:1:13::3 local ipv6 176:2:1:13::2

track 1 bfd static up2toSLEAF1

track 2 bfd static up2toSLEAF2

track 5 list boolean or

object 1

object 2

track 16 list threshold percentage

threshold percentage negative 49 positive 50

object 12

object 13

object 14

object 15

track 11 list boolean and

object 16

user-plane switchover track 11 uplink-group JH-CN-PUP1027

user-plane control-tunnel-down switchover track 5

UP 3:

work-mode user-plane

netconf ssh server enable

ssh server enable

ssh user admin service-type all authentication-type password

local-user admin class manage

password hash $h$6$fKFmbDEhfCRMytYI$w4aXJHfoRzZnG6A5/gon/bitlQmInK0IW2wp76zCEnDSa9woo+1GcnMLJe2gUReBRd0gLq7mhhsqfmF3ouCe3Q==

service-type ssh

authorization-attribute user-role network-admin

authorization-attribute user-role network-operator

bfd template BFD_CUSP

bfd min-transmit-interval 200

bfd min-receive-interval 200

bfd detect-multiplier 10

bfd static up3toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 58:223:116::136 discriminator auto

bfd multi-hop detect-multiplier 10

bfd static up3toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 58:223:116::136 discriminator auto

bfd multi-hop detect-multiplier 10

track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:3:1:13::7 local ipv6 176:3:1:13::6

track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:3:1:2::3 local ipv6 176:3:1:2::2

track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:3:1:1::3 local ipv6 176:3:1:1::2

track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:3:1:13::3 local ipv6 176:3:1:13::2

track 1 bfd static up3toSLEAF1

track 2 bfd static up3toSLEAF2

track 5 list boolean or

object 1

object 2

track 16 list threshold percentage

threshold percentage negative 49 positive 50

object 12

object 13

object 14

object 15

track 11 list boolean and

object 16

user-plane switchover track 11 uplink-group JH-CN-PUP1028

user-plane control-tunnel-down switchover track 5

UP 4:

work-mode user-plane

netconf ssh server enable

ssh server enable

ssh user admin service-type all authentication-type password

local-user admin class manage

password hash $h$6$fKFmbDEhfCRMytYI$w4aXJHfoRzZnG6A5/gon/bitlQmInK0IW2wp76zCEnDSa9woo+1GcnMLJe2gUReBRd0gLq7mhhsqfmF3ouCe3Q==

service-type ssh

authorization-attribute user-role network-admin

authorization-attribute user-role network-operator

bfd template BFD_CUSP

bfd min-transmit-interval 200

bfd min-receive-interval 200

bfd detect-multiplier 10

bfd static up4toSLEAF1 peer-ipv6 2:1:1::5 source-ipv6 2:1:1::104 discriminator auto

bfd multi-hop detect-multiplier 10

bfd static up4toSLEAF2 peer-ipv6 2:1:1::6 source-ipv6 2:1:1::104 discriminator auto

bfd multi-hop detect-multiplier 10

track 12 bfd echo interface HundredGigE2/2/1 remote ipv6 176:4:1:13::7 local ipv6 176:4:1:13::6

track 13 bfd echo interface HundredGigE2/1/1 remote ipv6 176:4:1:2::3 local ipv6 176:4:1:2::2

track 14 bfd echo interface HundredGigE4/2/1 remote ipv6 176:4:1:1::3 local ipv6 176:4:1:1::2

track 15 bfd echo interface HundredGigE4/1/1 remote ipv6 176:4:1:13::3 local ipv6 176:4:1:13::2

track 1 bfd static up4toSLEAF1

track 2 bfd static up4toSLEAF2

track 5 list boolean or

object 1

object 2

track 16 list threshold percentage

threshold percentage negative 49 positive 50

object 12

object 13

object 14

object 15

track 11 list boolean and

object 16

user-plane switchover track 11 uplink-group JH-CN-PUP1029

user-plane control-tunnel-down switchover track 5

Example: Configuring CPDR and UP 1:3 warm standby mode for IPoE

Network configuration

In a vBRAS CUPS system as shown in the following figure, clients access CPs through IPoE. The packets from clients reach UPs through a Layer 2 network, encapsulated with VXLAN-GPE, and are forwarded by the CR to CPs. The specific requirements are as follows:

· Use an ODAP address pool to assign IP addresses to users.

· Use a RADIUS server as the authentication, authorization, and accounting server.

· Configure master/backup hot backup on CPs in the two data centers. When the master CP fails, existing users stay online, and new users can come online from the new master (the original backup CP).

· Assign the four UPs to a UP backup group, and configure 1:3 warm standby mode. All UPs are master UPs.

· The loopback addresses used by UP 1 (UP ID is 1026), CP 1, and CP 2 to establish CU connections are 2.1.1.101, 180.96.185.8, and 58.223.243.8, respectively.

· The loopback addresses used by UP 2 (UP ID is 1027), CP 1, and CP 2 to establish CU connections are 2.1.1.102, 180.96.185.8, and 58.223.243.8, respectively.

· The loopback addresses used by UP 3 (UP ID is 1028), CP 1, and CP 2 to establish CU connections are 2.1.1.103, 180.96.185.8, and 58.223.243.8, respectively.

· The loopback addresses used by UP 4 (UP ID is 1029), CP 1, and CP 2 to establish CU connections are 2.1.1.104, 180.96.185.8, and 58.223.243.8, respectively.

Figure 28 Network diagram

Analysis

Use pUPs to carry ITV services, because this type of service has high volumes of traffic. Typically, UP 1:3 warm standby mode and master/backup CPDR are used for IPoE access.

For the device to operate in user plane mode, execute the work-mode user-plane command.

To implement CPDR, perform the following tasks:

· On CP 1 and CP 2, create a CPDR group with name g2 and ID 2. Specify the CPDR group as the master on CP 1 and the backup on CP 2.

· Add UPs 1026, 1027, 1028, 1029 to CPDR group g2.

To deploy configurations and service entries to UPs and exchange protocol packets with UPs, configure CP-UP channels.

To implement the UP 1:3 warm standby mode, configure the UP warm load balancing mode.

For users to come online, configure IPoE, AAA, and address pools.

Prerequisites

Configure IP addresses for interfaces, and make sure devices can reach each other at Layer 3.

Configure the AAA server correctly. (Details not shown.)

Restrictions and guidelines

Make sure the required configurations, such as CP-UP channel, UP backup, CPDR, IPoE, and AAA, are performed on both CP 1 and CP 2.