l2tp-user radius-force    //Domain users use the L2TP attributes delivered by RADIUS
2. Juniper devices
aaa domain-map xxx.com
 tunnel 1 address x.x.x.x source-address z.z.z.z client-name XXX password \
3. ZTE devices
radius authentication-group XXX    //Configure the RADIUS authentication group
 server 1 X.X.X.X key XXX port 1812    //RADIUS server address, key and port
 algorithm first
 timeout 3
 max-retries 3
 deadtime 5
 calling-station-format 1
 nas-port-id-format china-tel
 user-name-format include-domain    //Carry the domain name during authentication
 vendor enable
radius accounting-group XXX    //Configure the RADIUS accounting group
 server 1 X.X.X.X key XXX port 1813
 algorithm first
 timeout 3
 max-retries 3
 deadtime 5
 calling-station-format 1
 nas-port-id-format china-tel
 user-name-format include-domain
 vendor enable
 local-buffer disable
 life-time 2
 interim-packet-quota 80
vpdn enable    //Enable VPDN
vpdn-group:XXX    //VPDN configuration
 service-type:LAC
 proxy-authentication:No    //Proxy authentication setting
 new-random:Yes    //Sequence number setting
 l2tp hidden:Yes    //AVP hiding setting
 l2tp sequencing:No
 l2tp tunnel authentication:Yes    //Tunnel authentication setting
 l2tp tunnel password:XXX    //Tunnel password
 l2tp tunnel hello:30s    //Hello interval
 l2tp tunnel receive-window:4
 l2tp tunnel retransmit retries:5    //Number of SCCRQ retransmissions
 l2tp tunnel retransmit timeout:5s    //SCCRQ retransmission interval
 l2tp tunnel timeout:60s    //Tunnel ageing time
 domain:XXX    //Associated domain; this is the domain name, not the domain number
 local name:XXX    //The terminate-from hostname on the LNS
 max-session:16000
 max-session-per-tunnel:16000
 source-ip:X.X.X.X    //Tunnel source IP
 initiate-to[0] ip:Y.Y.Y.Y    //Tunnel destination IP (multiple can be configured; selected by priority and configuration order
domain 100
 domain status enable
 accounting-group XXX    //Accounting group used for RADIUS accounting
 accounting-type radius    //Accounting method
 authentication-group XXX    //Authentication group used for RADIUS authentication
 authentication-type radius    //Authentication method
 max-subscriber 96000
 ppp web-force timer 5 count 0
 alias XXX    //Domain name; multiple can be configured
 subscriber-template ip address vrf tunnel domain    //All users coming in through this domain are VPDN users
Section 6 MPLS VPN
■ Configuration content:
1. Layer 3 MPLS VPN configuration;
2. Label filtering;
3. Routing between PE and CE: static routes, OSPF, BGP;
■ Specification requirements:
I. MPLS configuration
1. Set the MPLS router-id to Loopback0
2. Assign MPLS LDP labels only to the Loopback0 address on the device
3. Distribute MPLS labels with LDP, uniformly configured for downstream unsolicited (DU) label advertisement, ordered label control and liberal label retention.
4. LDP timer settings:
A. Hello interval timer: 5 seconds;
B. Hello hold timer: 15 seconds;
C. LDP session keepalive interval timer: 10 seconds;
D. LDP session keepalive hold timer: 30 seconds;
II. MBGP configuration
1. Basic BGP configuration (local AS number, Router ID, peer IP address and AS number, source interface for update messages). The local AS number is configured according to the AS actually allocated to each city (see the appendix);
2. Shut down the normal BGP neighbor with the CR
3. Uniformly establish IBGP neighbors over loopback0
4. Timer settings: keepalive 30s, hold time 90s;
5. Log neighbor changes
6. Set MinRouteAdvertisementInterval to 5s
7. Advertise routes with the NETWORK method
8. Send both standard and extended community attributes
9. Set the following attributes:
(1) EBGP preference 20
(2) IBGP preference 100
(3) Local route preference 100
III. VRF planning: see the relevant planning
IV. RD and RT planning: see the relevant planning
V. VRF, RD and RT configuration example
VI. Network element access modes
Specification requirements:
Static ADSL access; dynamic ADSL access; leased-line access
■ Configuration examples:
1. Huawei devices
I. MPLS configuration
MPLS:
1: mpls lsr-id X.X.X.X
2: mpls lsp-trigger host / ip-prefix XXX    //Assign labels only to 32-bit (host) routes; a policy can also be defined
   mpls ldp
3: By default, the label distribution control mode is ordered, the label retention mode is liberal, and the label advertisement mode is downstream unsolicited (DU).
4: [GigabitEthernetX/X/X] mpls ldp timer hello-hold 15    //Hello hold timer
   [GigabitEthernetX/X/X] mpls ldp timer keepalive-hold 30    //LDP session keepalive hold timer
II. MBGP configuration
bgp XXXX    //Configure BGP; the number depends on the autonomous system number
 preference 20 100 100
 peer X.X.X.X log-change
 peer X.X.X.X as-number XXX
 peer X.X.X.X connect-interface LoopBack0
 peer X.X.X.X ebgp-max-hop 2
 peer X.X.X.X timer keepalive 30 hold 90
 peer 1.1.1.2 route-update-interval 5
 ipv4-family vpnv4
  undo policy vpn-target
  peer X.X.X.X enable
  peer X.X.X.X advertise-community
 ipv4-family unicast
  undo peer X.X.X.X enable    //Shut down the normal neighbor
V. VRF, RD and RT configuration example
ip vpn-instance XXXX
 route-distinguisher XXX:YYYY
 vpn-target XXX:YYYY export-extcommunity
 vpn-target XXX:YYYY import-extcommunity
VI. Network element access modes
Dynamic users:
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.0.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] vpn-instance vpn2    //Bind the address pool to the VPN
[Quidway-ip-pool-pool1] quit
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] vpn-instance vpn2    //Bind the domain to the VPN
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
interface XXXX
 user-vlan XXX XXX qinq XX
 bas
  access-type layer2-subscriber
  vpn-instance XXXX    //Bind the related BAS interface to the VPN
  authentication-method bind
Static users:
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.0.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] vpn-instance vpn2    //Bind the address pool to the VPN
[Quidway-ip-pool-pool1] quit
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] vpn-instance vpn2    //Bind the domain to the VPN
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
interface XXXX
 user-vlan XXX XXX qinq XX
 bas
  access-type layer2-subscriber
  vpn-instance XXX    //Bind the related BAS interface to the VPN
  authentication-method bind
static-user X.X.X.X X.X.X.X vpn-instance XXXX interface XXX vlan XXX qinq XXX detect domain-name XXX    //Static user configuration
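The following is an added example and is not part of the original specification or any vendor's code: a small Python checker that parses a Huawei-style configuration text (the indentation-based block layout used in the examples above) and reports deviations from the requirements stated earlier in this section: the BGP preference values (20/100/100) and timers (keepalive 30, hold 90) from the MBGP requirements, the LDP hello-hold (15) and keepalive-hold (30) timers, the presence of an mpls lsr-id, and, for the access-mode examples, that an address pool and the domain that hands it out are bound to the same vpn-instance. The sample configuration, the interface, pool and VPN names, and the rule names are constructed for this example; the pool/domain consistency rule is this checker's own assumption drawn from the examples, where both are bound to vpn2.

```python
import re

# Requirement values taken from the specification sections above.
LDP_TIMERS = {"hello-hold": 15, "keepalive-hold": 30}   # seconds
BGP_TIMERS = (30, 90)                                    # keepalive, hold
BGP_PREFERENCE = "preference 20 100 100"                 # ebgp, ibgp, local

# Constructed sample configuration (not a real device dump). It is compliant
# except for two deliberate deviations: peer 10.0.0.3 uses non-standard BGP
# timers, and domain isp1 is bound to a different vpn-instance than pool1.
SAMPLE_CONFIG = """\
mpls lsr-id 10.0.0.1
interface GigabitEthernet1/0/0
 mpls ldp timer hello-hold 15
 mpls ldp timer keepalive-hold 30
bgp 65001
 preference 20 100 100
 peer 10.0.0.2 as-number 65001
 peer 10.0.0.2 connect-interface LoopBack0
 peer 10.0.0.2 timer keepalive 30 hold 90
 peer 10.0.0.2 route-update-interval 5
 peer 10.0.0.3 as-number 65002
 peer 10.0.0.3 timer keepalive 60 hold 180
ip pool pool1 local
 gateway 172.82.0.1 255.255.0.0
 section 0 172.82.0.2 172.82.0.200
 vpn-instance vpn2
aaa
 domain isp1
  ip-pool pool1
  vpn-instance vpn3
"""


def split_blocks(lines, indent=0):
    """Group lines into (header, child_lines) pairs by leading-space indentation.

    A line indented exactly `indent` spaces starts a new block; deeper lines are
    attached to the most recent block, keeping their own indentation so the
    caller can recurse with a larger `indent`.
    """
    blocks = []
    for line in lines:
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        if depth == indent:
            blocks.append((line.strip(), []))
        elif depth > indent and blocks:
            blocks[-1][1].append(line)
    return blocks


def first_arg(body, keyword):
    """Return the first argument of the first child line that starts with `keyword`."""
    for line in body:
        words = line.split()
        if len(words) >= 2 and words[0] == keyword:
            return words[1]
    return None


def check_config(text):
    """Return a list of (rule, detail) findings; an empty list means compliant."""
    findings = []
    top = split_blocks(text.splitlines())

    if not any(h.startswith("mpls lsr-id ") for h, _ in top):
        findings.append(("mpls-lsr-id", "no 'mpls lsr-id' configured"))

    # Pass 1: which vpn-instance each address pool is bound to.
    pools = {h.split()[2]: first_arg(body, "vpn-instance")
             for h, body in top if h.startswith("ip pool ")}

    # Pass 2: per-block rules.
    for header, body in top:
        stripped = [b.strip() for b in body]
        if header.startswith("bgp "):
            if BGP_PREFERENCE not in stripped:
                findings.append(("bgp-preference", f"expected '{BGP_PREFERENCE}'"))
            for line in stripped:
                m = re.match(r"peer (\S+) timer keepalive (\d+) hold (\d+)$", line)
                if m and (int(m.group(2)), int(m.group(3))) != BGP_TIMERS:
                    findings.append(("bgp-timer",
                                     f"peer {m.group(1)}: keepalive {m.group(2)} hold {m.group(3)}, "
                                     f"expected {BGP_TIMERS[0]}/{BGP_TIMERS[1]}"))
        elif header.startswith("interface "):
            for line in stripped:
                m = re.match(r"mpls ldp timer (hello-hold|keepalive-hold) (\d+)$", line)
                if m and int(m.group(2)) != LDP_TIMERS[m.group(1)]:
                    findings.append(("ldp-timer",
                                     f"{header.split()[1]}: {m.group(1)} {m.group(2)}, "
                                     f"expected {LDP_TIMERS[m.group(1)]}"))
        elif header == "aaa":
            for dom_header, dom_body in split_blocks(body, indent=1):
                if not dom_header.startswith("domain "):
                    continue
                pool = first_arg(dom_body, "ip-pool")
                vrf = first_arg(dom_body, "vpn-instance")
                # Assumption of this checker: a domain and the pool it hands out
                # must sit in the same vpn-instance, as in the examples above.
                if pool in pools and pools[pool] != vrf:
                    findings.append(("vpn-binding",
                                     f"domain {dom_header.split()[1]} is in {vrf} "
                                     f"but pool {pool} is in {pools[pool]}"))
    return findings


if __name__ == "__main__":
    for rule, detail in check_config(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

Run against the constructed sample it reports the non-standard timers on peer 10.0.0.3 and the pool/domain VPN mismatch; feed it a saved `display current-configuration` from a real device to audit that device against the same rules. The checker deliberately ignores the `[Quidway-...]` prompt prefixes, so strip those before use or paste the configuration in the running-config form shown in the MBGP example.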
2. Juniper devices
Layer 3 MPLS VPN configuration example
ip route 0.0.0.0 0.0.0.0 61.157.77.144
router ospf 100
 network 61.157.77.144 0.0.0.3 area 0.0.0.1
 address 222.211.185.1 area 0.0.0.1
router bgp xxx
 no synchronization
 no auto-summary
 neighbor internal peer-group / neighbor external peer-group
 neighbor internal remote-as xxx / neighbor external remote-as xxx