NE40E V800R010C10SPC500 Configuration Guide - User Access 01


Example for Configuring BRAS Access Through L3VPN Termination

This section provides an example for configuring BRAS access through L3VPN termination.

Networking Requirements

Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards in load-balancing mode. Traffic from the same user may be sent from different boards. Router B uses PBR to send traffic from the same user but different boards through the backplane to the same authentication board for Layer 3 user authentication, as shown in Figure 6-14.

NOTE:
Only Layer 3 static user access is supported in scenarios with BRAS access through L3VPN termination.
Requirements are as follows:
  • Router A sends upstream traffic to different interfaces on Router B in load-balancing mode.
  • Router B adds all the inbound interfaces to an L3VPN and configures PBR. Router B then routes all traffic from the same user to the specified next hop based on the source IP address, VLAN ID, or DSCP priority. The outbound interface of the next hop directly connects to the BAS interface and resides on the same network segment as the BAS interface.

  • After user traffic arrives at the BAS interface and the user goes online, user forwarding entries are delivered. Subsequent user traffic will then be authenticated and forwarded based on these forwarding entries.

  • Downstream traffic is forwarded through the BAS interface to the L3VPN domain based on user forwarding entries.

  • Router B then sends downstream traffic in the L3VPN domain to Router A along routes (the traffic can be load-balanced). Then, Router A forwards the traffic to the user.

Figure 6-14 Configuring BRAS access through L3VPN termination

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure PBR to redirect user traffic to the primary and backup next hops. If the primary next hop fails, traffic automatically switches to the backup next hop to trigger the user to go online.

  2. Configure user access interfaces A1 and A2.

  3. Configure C1 and C2 IP addresses as the redirection next hop IP addresses.

  4. Configure C1 and C2 as the primary and backup BAS interfaces for B1 and B2.

  5. Interfaces A1, A2, B1, and B2 belong to the same L3VPN. Interfaces B1, B2, C1, and C2 belong to the same network segment. If the PBR redirection next hop is C1 or C2, traffic can be forwarded through B1 or B2.

Data Preparation

To complete the configuration, you need the following data:

  • VE group number

  • Local L3VPN name

  • OSPF configurations

  • Layer 3 user authentication mode, accounting mode, and authentication domain name

  • Interface IP addresses

Configuration Procedure

  1. Configure a local L3VPN.

    Configure a local L3VPN on Router B and add A1, A2, B1, and B2 to this L3VPN.

    <HUAWEI> system-view
    [~HUAWEI] ip vpn-instance access
    [*HUAWEI-vpn-instance-access] ipv4-family
    [*HUAWEI-vpn-instance-access] route-distinguisher 200:1
    [*HUAWEI-vpn-instance-access] vpn-target 111:1 both
    [*HUAWEI-vpn-instance-access] quit
  2. Configure PBR.

    Configure PBR to redirect user traffic to the primary and backup next hops based on the source IP address. If the primary next hop fails, traffic automatically switches to the backup next hop to trigger the user to go online.

    [~HUAWEI] acl 3000
    [*HUAWEI-acl-adv-3000] rule permit ip source 192.168.1.1 0
    [*HUAWEI-acl-adv-3000] quit
    [~HUAWEI] traffic classifier class1
    [*HUAWEI-classifier-class1] if-match acl 3000
    [*HUAWEI-classifier-class1] quit
    [~HUAWEI] traffic behavior behavior1
    [*HUAWEI-behavior-behavior1] redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
    [*HUAWEI-behavior-behavior1] quit
    [~HUAWEI] traffic policy loadbalance
    [*HUAWEI-trafficpolicy-loadbalance] share-mode
    [*HUAWEI-trafficpolicy-loadbalance] classifier class1 behavior behavior1
    [*HUAWEI-trafficpolicy-loadbalance] quit
  3. Configure user access interfaces A1 and A2.

    [~HUAWEI] interface GigabitEthernet1/0/3.100
    [*HUAWEI-GigabitEthernet1/0/3.100] vlan-type dot1q 100
    [*HUAWEI-GigabitEthernet1/0/3.100] ip binding vpn-instance access
    [*HUAWEI-GigabitEthernet1/0/3.100] ip address 192.168.111.1 255.255.255.0
    [*HUAWEI-GigabitEthernet1/0/3.100] traffic-policy loadbalance inbound
    [*HUAWEI-GigabitEthernet1/0/3.100] ospf enable 100 area 0.0.0.0
    [*HUAWEI-GigabitEthernet1/0/3.100] quit
    [~HUAWEI] interface GigabitEthernet2/2/7.100
    [*HUAWEI-GigabitEthernet2/2/7.100] vlan-type dot1q 100
    [*HUAWEI-GigabitEthernet2/2/7.100] ip binding vpn-instance access
    [*HUAWEI-GigabitEthernet2/2/7.100] ip address 192.168.222.1 255.255.255.0
    [*HUAWEI-GigabitEthernet2/2/7.100] traffic-policy loadbalance inbound
    [*HUAWEI-GigabitEthernet2/2/7.100] ospf enable 100 area 0.0.0.0
    [*HUAWEI-GigabitEthernet2/2/7.100] quit
  4. Configure the B1 IP address as the redirection next hop IP address.

    [~HUAWEI] interface Virtual-Ethernet1/0/0
    [*HUAWEI-Virtual-Ethernet1/0/0] ve-group 1 l3-terminate
    [*HUAWEI-Virtual-Ethernet1/0/0] quit
    [~HUAWEI] interface Virtual-Ethernet1/0/0.100
    [*HUAWEI-Virtual-Ethernet1/0/0.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet1/0/0.100] ip binding vpn-instance access
    [*HUAWEI-Virtual-Ethernet1/0/0.100] ip address 192.168.112.1 255.255.255.0
    [*HUAWEI-Virtual-Ethernet1/0/0.100] quit

    Configure B2 as the backup interface for B1.

    [~HUAWEI] interface Virtual-Ethernet2/0/0
    [*HUAWEI-Virtual-Ethernet2/0/0] ve-group 1 l3-terminate
    [*HUAWEI-Virtual-Ethernet2/0/0] quit
    [~HUAWEI] interface Virtual-Ethernet2/0/0.100
    [*HUAWEI-Virtual-Ethernet2/0/0.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet2/0/0.100] ip binding vpn-instance access
    [*HUAWEI-Virtual-Ethernet2/0/0.100] ip address 192.168.223.1 255.255.255.0
    [*HUAWEI-Virtual-Ethernet2/0/0.100] quit
  5. Configure an authentication domain on the BAS interface.

    # Configure an authentication scheme.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] authentication-scheme auth2
    [*HUAWEI-aaa-authen-auth2] authentication-mode radius
    [*HUAWEI-aaa-authen-auth2] commit
    [~HUAWEI-aaa-authen-auth2] quit

    # Configure an accounting scheme.

    [~HUAWEI-aaa] accounting-scheme acct2
    [*HUAWEI-aaa-accounting-acct2] accounting-mode radius
    [*HUAWEI-aaa-accounting-acct2] commit
    [~HUAWEI-aaa-accounting-acct2] quit
    [~HUAWEI-aaa] quit

    # Configure a RADIUS server group.

    [~HUAWEI] radius-server group rd2
    [*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*HUAWEI-radius-rd2] radius-server type standard
    [*HUAWEI-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*HUAWEI-radius-rd2] commit
    [~HUAWEI-radius-rd2] quit

    # Configure an address pool.

    [~HUAWEI] ip pool pool2 bas local
    [*HUAWEI-ip-pool-pool2] gateway 10.82.1.1 255.255.255.0
    [*HUAWEI-ip-pool-pool2] section 0 10.82.1.2 10.82.1.200
    [*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
    [*HUAWEI-ip-pool-pool2] vpn-instance access
    [*HUAWEI-ip-pool-pool2] commit
    [~HUAWEI-ip-pool-pool2] quit

    # Configure a domain.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] domain fastweb
    [*HUAWEI-aaa-domain-fastweb] authentication-scheme auth2
    [*HUAWEI-aaa-domain-fastweb] accounting-scheme acct2
    [*HUAWEI-aaa-domain-fastweb] radius-server group rd2
    [*HUAWEI-aaa-domain-fastweb] ip-pool pool2
    [*HUAWEI-aaa-domain-fastweb] commit
    [~HUAWEI-aaa-domain-fastweb] quit
    [~HUAWEI-aaa] quit
  6. Configure a user to go online through C1.

    [~HUAWEI] interface Virtual-Ethernet1/0/1
    [*HUAWEI-Virtual-Ethernet1/0/1] ve-group 1 l3-access
    [*HUAWEI-Virtual-Ethernet1/0/1] quit
    [~HUAWEI] interface Virtual-Ethernet1/0/1.100
    [*HUAWEI-Virtual-Ethernet1/0/1.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet1/0/1.100] ip binding vpn-instance access
    [*HUAWEI-Virtual-Ethernet1/0/1.100] ip address 192.168.112.2 255.255.255.0
    [*HUAWEI-Virtual-Ethernet1/0/1.100] bas
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] access-type layer3-subscriber default-domain pre-authentication fastweb
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-user-name-template fastweb
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-password-template fastweb
    [*HUAWEI-Virtual-Ethernet1/0/1.100-bas] quit
    [~HUAWEI-Virtual-Ethernet1/0/1.100] quit

    Configure a user to go online through C2.

    [~HUAWEI] interface Virtual-Ethernet2/0/1
    [*HUAWEI-Virtual-Ethernet2/0/1] ve-group 1 l3-access
    [*HUAWEI-Virtual-Ethernet2/0/1] quit
    [~HUAWEI] interface Virtual-Ethernet2/0/1.100
    [*HUAWEI-Virtual-Ethernet2/0/1.100] vlan-type dot1q 100
    [*HUAWEI-Virtual-Ethernet2/0/1.100] ip binding vpn-instance access
    [*HUAWEI-Virtual-Ethernet2/0/1.100] ip address 192.168.223.2 255.255.255.0
    [*HUAWEI-Virtual-Ethernet2/0/1.100] bas
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] access-type layer3-subscriber default-domain pre-authentication fastweb
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-user-name-template fastweb
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-password-template fastweb
    [*HUAWEI-Virtual-Ethernet2/0/1.100-bas] quit
    [*HUAWEI-Virtual-Ethernet2/0/1.100] quit
  7. Configure a Layer 3 static user.

    [~HUAWEI] layer3-subscriber 192.168.1.1 vpn-instance access domain-name fastweb

Configuration Files

  • Router B configuration file

    #
    sysname HUAWEI
    #
    ip vpn-instance access
     ipv4-family
     route-distinguisher 200:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    #
    acl 3000
     rule permit ip source 192.168.1.1 0
    #
    traffic classifier class1
     if-match acl 3000
    #
    traffic behavior behavior1
     redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
    #
    traffic policy loadbalance
     share-mode
     classifier class1 behavior behavior1
    #
    interface GigabitEthernet1/0/3.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.111.1 255.255.255.0
     traffic-policy loadbalance inbound
     ospf enable 100 area 0.0.0.0
    #
    interface GigabitEthernet2/2/7.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.222.1 255.255.255.0
     traffic-policy loadbalance inbound
     ospf enable 100 area 0.0.0.0
    #
    interface Virtual-Ethernet1/0/0
     ve-group 1 l3-terminate
    #
    interface Virtual-Ethernet1/0/0.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.112.1 255.255.255.0
    #
    interface Virtual-Ethernet2/0/0
     ve-group 1 l3-terminate
    #
    interface Virtual-Ethernet2/0/0.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.223.1 255.255.255.0
    #
    radius-server group rd2
     radius-server authentication 192.168.8.249 1812
     radius-server accounting 192.168.8.249 1813
     radius-server type standard
     radius-server shared-key-cipher it-is-my-secret1
    #
    ip pool pool2 bas local
     gateway 10.82.1.1 255.255.255.0
     section 0 10.82.1.2 10.82.1.200
     dns-server 192.168.8.252
     vpn-instance access
    #
    aaa
     authentication-scheme auth2
      authentication-mode radius
     #
     accounting-scheme acct2
      accounting-mode radius
     #
     domain fastweb
      authentication-scheme auth2
      accounting-scheme acct2
      radius-server group rd2
      ip-pool pool2
    #
    interface Virtual-Ethernet1/0/1
     ve-group 1 l3-access
    #
    interface Virtual-Ethernet1/0/1.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.112.2 255.255.255.0
     bas
     #
      access-type layer3-subscriber default-domain pre-authentication fastweb
      default-user-name-template fastweb
      default-password-template fastweb
     #
    #
    interface Virtual-Ethernet2/0/1
     ve-group 1 l3-access
    #
    interface Virtual-Ethernet2/0/1.100
     vlan-type dot1q 100
     ip binding vpn-instance access
     ip address 192.168.223.2 255.255.255.0
     bas
     #
      access-type layer3-subscriber default-domain pre-authentication fastweb
      default-user-name-template fastweb
      default-password-template fastweb
     #
    #
    layer3-subscriber 192.168.1.1 vpn-instance access domain-name fastweb
    #
    ospf 100
     area 0.0.0.0
    #
    return
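
The roadmap requires each PBR redirection next hop to be the address of a BAS interface that shares a network segment with a terminating interface in the same L3VPN. The following Python check is an added example, not part of the Huawei guide: it runs over a constructed excerpt that reuses this example's addresses, the function names are illustrative, and it assumes the BAS sub-interfaces are bound to the VPN instance as in step 6.

```python
import ipaddress
import re

# Constructed excerpt that reuses this example's interface names and addresses.
SAMPLE = """\
traffic behavior behavior1
 redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
interface Virtual-Ethernet1/0/0.100
 ip binding vpn-instance access
 ip address 192.168.112.1 255.255.255.0
interface Virtual-Ethernet1/0/1.100
 ip binding vpn-instance access
 ip address 192.168.112.2 255.255.255.0
 bas
interface Virtual-Ethernet2/0/0.100
 ip binding vpn-instance access
 ip address 192.168.223.1 255.255.255.0
interface Virtual-Ethernet2/0/1.100
 ip binding vpn-instance access
 ip address 192.168.223.2 255.255.255.0
 bas
"""

def parse_interfaces(cfg):
    """Map each interface name to its VPN binding, address and BAS flag."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        words = line.split()
        if not line.startswith(" "):  # a top-level line opens a new view
            is_if = words[:1] == ["interface"]
            cur = ifaces.setdefault(words[1], {"bas": False}) if is_if else None
        elif cur is not None and words[:3] == ["ip", "binding", "vpn-instance"]:
            cur["vpn"] = words[3]
        elif cur is not None and words[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif cur is not None and words == ["bas"]:
            cur["bas"] = True
    return ifaces

def check_redirect(cfg):
    """Return one message per PBR next hop that breaks the roadmap constraints."""
    ifaces, problems = parse_interfaces(cfg), []
    for nhp, vpn in re.findall(r"nhp (\S+) vpn (\S+)", cfg):
        ip = ipaddress.ip_address(nhp)
        in_vpn = [i for i in ifaces.values() if i.get("vpn") == vpn and "addr" in i]
        if not any(i["bas"] and i["addr"].ip == ip for i in in_vpn):
            problems.append(f"{nhp}: not a BAS interface address in VPN {vpn}")
        elif not any(not i["bas"] and ip in i["addr"].network for i in in_vpn):
            problems.append(f"{nhp}: no non-BAS interface in VPN {vpn} on its segment")
    return problems
```

An empty list from `check_redirect` means both next hops satisfy the constraints; a mistyped BAS address or a terminating sub-interface left out of the VPN instance is reported per next hop.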
Updated: 2019-01-03

Document ID: EDOC1100055031