address-family vpnv4
neighbor pgVRR activate $
配置验证: IPv4邻居关系 DQ-DeQin-XJ-BAS-1.MAN.M6000-1#show ip bgp summary Neighbor Ver As MsgRcvd MsgSend Up/Down State/PfxRcd 116.248.191.230 4 65232 2295 1993 16:33:41 0 116.248.191.231 4 65232 2293 1991 16:32:32 0 VPNv4邻居关系 DQ-DeQin-XJ-BAS-1.MAN.M6000-1#show bgp vpnv4 unicast summary Neighbor Ver As MsgRcvd MsgSend Up/Down State/PfxRcd 218.62.159.135 4 65232 2224 2013 16:41:42 19 218.62.159.136 4 65232 2685 2013 16:41:42 19 6.3.5. 新增路由网段的通告
新增地址段的通告分两种情况:
1) VPN业务地址:VPN中通过重分布方式发布了直连路由,只要完成三层接口的配
置就会自动通告出去了,不需要额外配置;
2) 公网业务地址:需要通过bgp进行发布,完成三层接口的配置后,通过以下命
令进行发布
router bgp 64948
network
配置验证: DQ-DeQin-XJ-BAS-1.MAN.M6000-1#show ip bgp neighbor out 116.248.191.230 Routes Sent to This neighbor: Dest NextHop Metric LocPrf Path 182.246.244.0/24 116.248.191.245 100 i 172.1.204.0/24 116.248.191.245 100 i 6.3.6. 组播协议配置
ip multicast-routing router pimsm
static-rp 116.55.62.254 interface gei-0/0/0/1 pimsm
$
interface gei-0/1/0/1 pimsm $
interface loopback2 pimsm //需要开启此接口的PIMSM,以激活接口的IGMP功能 $
router igmp
interface loopback2 //把loopback2静态加入组播频道实现拉流 static-group 239.254.180.1 static-group 239.254.180.2 ……[略]
static-group 239.254.180.254
!
配置验证: 查看PIMSM邻居 DQ-DeQin-XJ-BAS-1.MAN.M6000-1#show ip pimsm neighbor Neighbor Address Interface DR Priority Uptime Expires Ver 116.248.191.185 gei-0/1/0/1 1 17:05:27 00:01:16 V2 116.248.191.181 gei-0/0/0/1 1 17:05:28 00:01:39 V2 查看组播路由 DQ-DeQin-XJ-BAS-1.MAN.M6000-1#show ip mroute summary IP multicast routing table summary (*,G): 255 routes (S,G): 59 routes Total: 314 routes DQ-DeQin-XJ-BAS-1.MAN.M6000-1#show ip mroute IP Multicast Routing Table (*, 239.254.208.1), RP: 116.248.191.252, TYPE: DYNAMIC, FLAGS: NS Incoming interface: gei-0/1/0/1, flags: NS Outgoing interface list: loopback2, flags: F (182.240.223.23, 239.254.208.1), TYPE: DYNAMIC, FLAGS: Incoming interface: gei-0/1/0/1, flags: Outgoing interface list: loopback2, flags: F (*, 239.254.208.2), RP: 116.248.191.252, TYPE: DYNAMIC, FLAGS: NS Incoming interface: gei-0/1/0/1, flags: NS Outgoing interface list: loopback2, flags: F (182.240.223.22, 239.254.208.2), TYPE: DYNAMIC, FLAGS: Incoming interface: gei-0/1/0/1, flags: Outgoing interface list: loopback2, flags: F …. 6.3.7. Radius基本数据配置
Radius group 1/2/3都是为了满足现网业务需求必须配置的,不能遗漏。
3) Group1用于不带域名的业务应用,如普通pppoe上网; 4) Group2用于带域名的业务应用,如VPDN、Web+portal;
5) Group3是为了配合DM功能配置的1,实际不会引用,但必须配置。
radius authentication-group 1
server 1 61.166.150.99 master key 88----89 port 1645 server 2 61.166.150.100 key 88----89 port 1645 deadtime 0
nas-ip-address 116.55.61.52
1
Radius下发DM消息将用户踢下线,一般用于欠费或其他特殊需求,为保证DM消息的合法性,M6000会检测DM消息源地址是否是Radius组中的地址,如不匹配将丢弃。云南省电信Radius发送DM信息使用了另外地址61.166.150.103来发送,所以需要配置group 3来配合DM功能
!
radius authentication-group 2
server 1 61.166.150.99 master key 88----89 port 1645 server 2 61.166.150.100 key 88----89 port 1645 deadtime 0
user-name-format include-domain nas-ip-address 116.55.61.52 !
radius authentication-group 3
server 1 61.166.150.103 key 88----89 port 1645 nas-ip-address 116.55.61.52 !
radius accounting-group 1
server 1 61.166.150.99 master key 88----89 port 1646 server 2 61.166.150.100 key 88----89 port 1646 deadtime 0
nas-ip-address 116.55.61.52 local-buffer enable !
radius accounting-group 2
server 1 61.166.150.99 master key 88----89 port 1646 server 2 61.166.150.100 key 88----89 port 1646 deadtime 0
user-name-format include-domain nas-ip-address 116.55.61.52 local-buffer enable !
radius accounting-group 3
server 1 61.166.150.103 key 88----89 port 1646 nas-ip-address 116.55.61.52 local-buffer enable !
Radius可用性验证:
如果设备的loopback加入了Radius中,采用下面错误的帐号能返回“reject”信息,如提示“unreachable”loopback还未加入Radius,或未生效。
Radius通信异常 DQ-DeQin-XJ-BAS-1.MAN.M6000-1#radius-ping authentication-group 1 test test chap Ping radius authentication-group 1 with test at 17:58:27! Ping server 1 61.166.150.99 at 17:58:27! Ping server 2 61.166.150.100 at 17:58:27! .... Request timed out. Server 1 unreachable! Request timed out. Server 2 unreachable! Radius可用 CX-339Ju-BAS-4.MAN.M6000-1#radius-ping authentication-group 1 tes test chap Ping radius authentication-group 1 with tes at 17:59:46! Ping server 1 61.166.150.99 at 17:59:46! Ping server 2 61.166.150.100 at 17:59:46! Reply from server 2 reject at 17:59:46! Reply from server 1 reject at 17:59:46! 6.3.8. AAA全局认证、授权、计费基本模版创建
//Radius认证,不带域名
aaa-authentication-template 1 aaa-authentication-type radius authentication-radius-group 1
!
aaa-authentication-template 2 //本地认证 aaa-authentication-type local !
aaa-authentication-template 3 //Radius认证,带域名 aaa-authentication-type radius authentication-radius-group 2 !
aaa-authentication-template 4 //不认证 aaa-authentication-type none !
aaa-authorization-template 1 aaa-authorization-type radius !
aaa-authorization-template 2
aaa-authorization-type mix-radius //IPTV组播业务要配置为此方式,否则用户无法加入组播组。 !
aaa-authorization-template 3
aaa-authorization-type mix-radius !
aaa-accounting-template 1 aaa-accounting-type radius
accounting-radius-group first 1 !
aaa-accounting-template 2 aaa-accounting-type none !
aaa-accounting-template 3 aaa-accounting-type radius
accounting-radius-group first 2 !
6.3.9. QoS基本配置
class-map cmCopper_NNI match-any match precedence 1 match mpls-exp 1 !
class-map cmSilver_NNI match-any match precedence 2 match mpls-exp 2 !
class-map cmGold_NNI match-any match precedence 3 match mpls-exp 3 !
class-map cmCritical_NNI match-any match precedence 4 match mpls-exp 4 !
class-map cmPlatinum_NNI match-any match precedence 5 match mpls-exp 5 !
class-map cmNetworkControl_NNI match-any
match precedence 6 match mpls-exp 6 !
class-map cmDiamond_NNI match-any match precedence 7 match mpls-exp 7 !
class-map cmCopper_UNI match-any match precedence 1 match out-8021p 1 !
class-map cmSilver_UNI match-any match precedence 2 match out-8021p 2 !
class-map cmGold_UNI match-any match precedence 3 match out-8021p 3 !
class-map cmCritical_UNI match-any match precedence 4 match out-8021p 4 !
class-map cmPlatinum_UNI match-any match precedence 5 match out-8021p 5 !
class-map cmNetworkControl_UNI match-any match precedence 6 match out-8021p 6 !
class-map cmDiamond_UNI match-any match precedence 7 match out-8021p 7 !
policy-map pmGEOutput_NNI class cmCopper_NNI bandwidth percent 5
set dscp inherit-from 8021p $
class cmSilver_NNI bandwidth percent 5
set dscp inherit-from 8021p $
class cmGold_NNI
bandwidth percent 10
set dscp inherit-from 8021p $
class cmCritical_NNI priority-llq
set dscp inherit-from 8021p police 100000 12500 $
class cmPlatinum_NNI bandwidth percent 30
set dscp inherit-from 8021p $