NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring BRAS Access Through L2VPN Termination

This section provides an example for configuring BRAS access through L2VPN termination.

Networking Requirements

Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards in load-balancing mode. Traffic from the same user may be sent from different boards. Router B uses PBR to send traffic from the same user but different boards through the backplane to the same authentication board for user authentication, as shown in Figure 6-13.

Requirements are as follows:
  • Router A sends upstream traffic to different interfaces on Router B in load-balancing mode.
  • Router B adds all the inbound interfaces to an L2VPN and configures PBR. Then, Router B routes all traffic from the same user to the specified next hop based on the source IP address/VLAN ID/DSCP priority. The outbound interface of the next hop directly connects to the BAS interface and resides on the same network segment as the BAS interface.

  • After user traffic arrives at the BAS interface and the user goes online, user forwarding entries are delivered. Subsequent user traffic will then be authenticated and forwarded based on these forwarding entries.

  • Downstream traffic is forwarded through the BAS interface to the L2VPN domain based on user forwarding entries.

  • Router B then sends downstream traffic in the L2VPN domain to Router A along routes (the traffic can be load-balanced). Then, Router A forwards the traffic to the user.

Figure 6-13 Configuring BRAS access through L2VPN termination

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure PBR to redirect user traffic to the primary and backup next hops. If the primary next hop fails, traffic automatically switches to the backup next hop to trigger the user to go online.

  2. Configure user access interfaces A1 and A2.

  3. Configure C1 and C2 IP addresses as the redirection next hop IP addresses.

  4. Configure C1 and C2 as the primary and backup BAS interfaces for B1 and B2.

  5. Interfaces A1, A2, B1, and B2 belong to the same L2VPN. Interfaces B1, B2, C1, and C2 belong to the same network segment. If the PBR redirection next hop is C1 or C2, traffic can be forwarded through B1 or B2.

Data Preparation

To complete the configuration, you need the following data:

  • VE group number

  • Local L2VPN name

  • OSPF configurations

  • Layer 2 user authentication mode, accounting mode, and authentication domain name

  • Interface IP addresses

Configuration Procedure

  1. Configure a local L2VPN.

    Configure a local L2VPN on Router B and add A1, A2, B1, and B2 to this L2VPN.

    <HUAWEI> system-view
    [~HUAWEI] ip vpn-instance access
    [*HUAWEI-vpn-instance-access] ipv4-family
    [*HUAWEI-vpn-instance-access] route-distinguisher 200:1
    [*HUAWEI-vpn-instance-access] vpn-target 111:1 both
    [*HUAWEI-vpn-instance-access] quit
  2. Configure PBR.

    Configure PBR to redirect user traffic to the primary and backup next hops based on the source IP address. If the primary next hop fails, traffic automatically switches to the backup next hop to trigger the user to go online.

    [~HUAWEI] acl 3000
    [~HUAWEI-acl4-advance-3000] rule permit source 192.168.1.1 255.255.255.255
    [~HUAWEI-acl4-advance-3000] quit
    [~HUAWEI] traffic classifier class1
    [*HUAWEI-classifier-class1] if-match acl 3000
    [*HUAWEI-classifier-class1] quit
    [*HUAWEI] traffic behavior behavior1
    [*HUAWEI-behavior-behavior1] redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
    [*HUAWEI-behavior-behavior1] quit
    [*HUAWEI] traffic policy loadbalance
    [*HUAWEI-trafficpolicy-loadbalance] share-mode
    [*HUAWEI-trafficpolicy-loadbalance] classifier class1 behavior behavior1
    [*HUAWEI-trafficpolicy-loadbalance] quit
  3. Configure user access interfaces A1 and A2.

    [~HUAWEI] interface GigabitEthernet1/0/3.100
    [*HUAWEI-GigabitEthernet1/0/3.100] vlan-type dot1q 100
    [*HUAWEI-GigabitEthernet1/0/3.100] ip binding vpn-instance access
    [*HUAWEI-GigabitEthernet1/0/3.100] ip address 192.168.111.1 255.255.255.0
    [*HUAWEI-GigabitEthernet1/0/3.100] traffic-policy loadbalance inbound
    [*HUAWEI-GigabitEthernet1/0/3.100] ospf enable 100 area 0.0.0.0
    [*HUAWEI-GigabitEthernet1/0/3.100] quit
    [~HUAWEI] interface GigabitEthernet2/2/7.100
    [*HUAWEI-GigabitEthernet2/2/7.100] vlan-type dot1q 100
    [*HUAWEI-GigabitEthernet2/2/7.100] ip binding vpn-instance access
    [*HUAWEI-GigabitEthernet2/2/7.100] ip address 192.168.222.1 255.255.255.0
    [*HUAWEI-GigabitEthernet2/2/7.100] traffic-policy loadbalance inbound
    [*HUAWEI-GigabitEthernet2/2/7.100] ospf enable 100 area 0.0.0.0
    [*HUAWEI-GigabitEthernet2/2/7.100] quit
  4. Configure the B1 IP address as the redirection next hop IP address.

    [~HUAWEI] interface Virtual-Ethernet1/0/0
    [*HUAWEI-Virtual-Ethernet1/0/0] ve-group 1 l2-terminate
    [*HUAWEI-Virtual-Ethernet1/0/0] quit
    [~HUAWEI] interface Virtual-Ethernet1/0/0.100
    [*HUAWEI-Virtual-Ethernet1/0/0.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet1/0/0.100] ip binding vpn-instance access
    [*HUAWEI-Virtual-Ethernet1/0/0.100] ip address 192.168.112.1 255.255.255.0
    [*HUAWEI-Virtual-Ethernet1/0/0.100] quit

    Configure B2 as the backup interface for B1.

    [~HUAWEI] interface Virtual-Ethernet2/0/0
    [*HUAWEI-Virtual-Ethernet2/0/0] ve-group 1 l2-terminate
    [*HUAWEI-Virtual-Ethernet2/0/0] quit
    [~HUAWEI] interface Virtual-Ethernet2/0/0.100
    [*HUAWEI-Virtual-Ethernet2/0/0.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet2/0/0.100] ip binding vpn-instance access
    [*HUAWEI-Virtual-Ethernet2/0/0.100] ip address 192.168.223.1 255.255.255.0
    [*HUAWEI-Virtual-Ethernet2/0/0.100] quit
  5. Configure an authentication domain on the BAS interface.

    # Configure an authentication scheme.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] authentication-scheme auth2
    [*HUAWEI-aaa-authen-auth2] authentication-mode radius
    [*HUAWEI-aaa-authen-auth2] commit
    [~HUAWEI-aaa-authen-auth2] quit

    # Configure an accounting scheme.

    [~HUAWEI-aaa] accounting-scheme acct2
    [*HUAWEI-aaa-accounting-acct2] accounting-mode radius
    [*HUAWEI-aaa-accounting-acct2] commit
    [~HUAWEI-aaa-accounting-acct2] quit
    [~HUAWEI-aaa] quit

    # Configure a RADIUS server group.

    [~HUAWEI] radius-server group rd2
    [*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*HUAWEI-radius-rd2] radius-server type standard
    [*HUAWEI-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*HUAWEI-radius-rd2] commit
    [~HUAWEI-radius-rd2] quit

    # Configure an address pool.

    [~HUAWEI] ip pool pool2 bas local
    [*HUAWEI-ip-pool-pool2] gateway 10.82.1.1 255.255.255.0
    [*HUAWEI-ip-pool-pool2] section 0 10.82.1.2 10.82.1.200
    [*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
    [*HUAWEI-ip-pool-pool2] vpn-instance vpn1
    [*HUAWEI-ip-pool-pool2] commit
    [~HUAWEI-ip-pool-pool2] quit

    # Configure a domain.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] domain ipv4
    [*HUAWEI-aaa-domain-ipv4] commit
    [~HUAWEI-aaa-domain-ipv4] authentication-scheme none
    [*HUAWEI-aaa-domain-ipv4] accounting-scheme none
    [*HUAWEI-aaa-domain-ipv4] commit
    [~HUAWEI-aaa-domain-ipv4] ip-pool ipv4
    [*HUAWEI-aaa-domain-ipv4] quit
    [~HUAWEI-aaa] quit
  6. Configure a user to go online through C1.

    [~HUAWEI] interface Virtual-Ethernet1/0/1
    [*HUAWEI-Virtual-Ethernet1/0/1] ve-group 1 l2-terminate
    [*HUAWEI-Virtual-Ethernet1/0/1] quit
    [~HUAWEI] interface Virtual-Ethernet1/0/1.100
    [*HUAWEI-Virtual-Ethernet1/0/1.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet1/0/1.100] ip address 192.168.112.2 255.255.255.0
    [*HUAWEI-Virtual-Ethernet1/0/1.100] bas
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] access-type layer2-subscriber default-domain authentication fastweb
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-user-name-template fastweb
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-password-template fastweb
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] quit
    [~HUAWEI-Virtual-Ethernet1/0/1.100] quit

    Configure a user to go online through C2.

    [~HUAWEI] interface Virtual-Ethernet2/0/1
    [*HUAWEI-Virtual-Ethernet2/0/1] ve-group 1 l2-terminate
    [*HUAWEI-Virtual-Ethernet2/0/1] quit
    [~HUAWEI] interface Virtual-Ethernet2/0/1.100
    [*HUAWEI-Virtual-Ethernet2/0/1.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet2/0/1.100] ip address 192.168.223.2 255.255.255.0
    [*HUAWEI-Virtual-Ethernet2/0/1.100] bas
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] access-type layer2-subscriber default-domain authentication fastweb
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-user-name-template fastweb
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-password-template fastweb
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] quit
    [*HUAWEI-Virtual-Ethernet2/0/1.100] quit
  7. Configure a Layer 2 static user.

    [~HUAWEI] static-user 192.168.1.1 interface Virtual-Ethernet2/0/1.100 vlan 100 detect

Configuration Files

  • Router B configuration file

    #
     sysname HUAWEI
    #
    ip vpn-instance access
     ipv4-family
     route-distinguisher 200:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    #
    acl 3000
     rule permit source 192.168.1.1 255.255.255.255
    #
    traffic classifier class1
     if-match acl 3000
    #
    traffic behavior behavior1
     redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
    #
    traffic policy loadbalance
     share-mode
     classifier class1 behavior behavior1
    #
    interface GigabitEthernet1/0/3.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.111.1 255.255.255.0
     traffic-policy loadbalance inbound
     ospf enable 100 area 0.0.0.0
    #
    interface GigabitEthernet2/2/7.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.222.1 255.255.255.0
     traffic-policy loadbalance inbound
     ospf enable 100 area 0.0.0.0
    #
    interface Virtual-Ethernet1/0/0
     ve-group 1 l2-terminate
    #
    interface Virtual-Ethernet1/0/0.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.112.1 255.255.255.0
    #
    interface Virtual-Ethernet2/0/0
     ve-group 1 l2-terminate
    #
    interface Virtual-Ethernet2/0/0.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.223.1 255.255.255.0
    #
    aaa
     authentication-scheme auth2
      authentication-mode radius
     #
     accounting-scheme acct2
      accounting-mode radius
    #
    radius-server group rd2
     radius-server authentication 192.168.8.249 1812
     radius-server accounting 192.168.8.249 1813
     radius-server type standard
     radius-server shared-key-cipher it-is-my-secret1
    #
    ip pool pool2 bas local
     gateway 10.82.1.1 255.255.255.0
     section 0 10.82.1.2 10.82.1.200
     dns-server 192.168.8.252
     vpn-instance vpn1
    #
    aaa
     domain ipv4
      authentication-scheme none
      accounting-scheme none
      ip-pool ipv4
    #
    interface Virtual-Ethernet1/0/1
     ve-group 1 l2-terminate
    #
    interface Virtual-Ethernet1/0/1.100
     vlan-type dot1q 100
     ip address 192.168.112.2 255.255.255.0
     bas
      access-type layer2-subscriber default-domain authentication fastweb
      default-user-name-template fastweb
      default-password-template fastweb
    #
    interface Virtual-Ethernet2/0/1
     ve-group 1 l2-terminate
    #
    interface Virtual-Ethernet2/0/1.100
     vlan-type dot1q 100
     ip address 192.168.223.2 255.255.255.0
     bas
      access-type layer2-subscriber default-domain authentication fastweb
      default-user-name-template fastweb
      default-password-template fastweb
    static-user 192.168.1.1 interface Virtual-Ethernet2/0/1.100 vlan 100 detect
    #
    ospf 100
     area 0.0.0.0
    #
    return
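
A cross-reference check for a configuration like the one above, where VPN instances, address pools, authentication domains and redirect next hops are all referred to by name or address. This is an added example, not part of the Huawei guide: `lint` and `SAMPLE` are hypothetical names, and the excerpt is a constructed condensation that uses the names on this page and the interface addresses from the procedure steps.

```python
import re

# Constructed, condensed excerpt built from the names and addresses used on
# this page; it is not a complete device configuration.
SAMPLE = """\
ip vpn-instance access
traffic behavior behavior1
 redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
ip pool pool2 bas local
 vpn-instance vpn1
aaa
 authentication-scheme auth2
 domain ipv4
  authentication-scheme none
  ip-pool ipv4
interface Virtual-Ethernet1/0/1.100
 ip address 192.168.112.2 255.255.255.0
 bas
  access-type layer2-subscriber default-domain authentication fastweb
interface Virtual-Ethernet2/0/1.100
 ip address 192.168.223.2 255.255.255.0
"""

def lint(config):
    """Return findings for dangling references and unauthenticated domains."""
    def grab(pattern):
        return re.findall(pattern, config, re.M)

    findings = []
    vpns = set(grab(r"^ip vpn-instance (\S+)"))
    pools = set(grab(r"^ip pool (\S+)"))
    domains = set(grab(r"^ +domain (\S+)"))
    addrs = set(grab(r"^ +ip address (\S+)"))
    refs = [  # (kind, names used somewhere, names actually defined)
        ("VPN instance", grab(r"^ +(?:ip binding )?vpn-instance (\S+)") + grab(r"\bvpn (\S+)"), vpns),
        ("address pool", grab(r"^ +ip-pool (\S+)"), pools),
        ("BAS default domain", grab(r"default-domain authentication (\S+)"), domains),
        ("redirect next hop", grab(r"\bnhp (\S+)"), addrs),
    ]
    for kind, used, defined in refs:
        for name in sorted(set(used) - defined):
            findings.append(f"{kind} '{name}' is referenced but not defined")
    # A domain bound to scheme 'none' admits its subscribers without authentication.
    for dom, scheme in grab(r"^ +domain (\S+)\n +authentication-scheme (\S+)"):
        if scheme == "none":
            findings.append(f"domain '{dom}' uses authentication-scheme none")
    return findings
```

Run against `SAMPLE`, it reports the pool's `vpn1` instance, the `ipv4` pool and the `fastweb` default domain as undefined, and flags domain `ipv4` for `authentication-scheme none`.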
Updated: 2019-01-03

Document ID: EDOC1100055031