NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring RUI+EDSG in Shared Address Pool Mode

This section provides an example for configuring Redundancy User Information (RUI)+enhanced dynamic service gateway (EDSG) in shared address pool mode.

Usage Scenario

With the rapid development of IP technologies, various value-added services are widely used on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers' leased line, and VPN interconnection, have high requirements for IP network reliability. IP network reliability for carrier-class services includes device, link, and network reliability. On a bearer network, the availability of a network device is required to reach 99.999%; that is, the device downtime in a year must be less than 5 minutes. High reliability is a basic requirement for carrier-class devices and must be considered by telecom carriers during network construction.

The NE40E functions as an edge router that carries multiple services. It is connected to a core network to implement Layer 3 routing functions and to the aggregation layer to terminate Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding does not mean that user services are not interrupted. If a network node or link fails, user traffic is switched to a backup device. If user information is not synchronized to the backup device, user services are still interrupted. The NE40E is designed as a network edge service aggregation and control device with high reliability in mind, which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node or link fault occurs. RUI is designed to meet the preceding reliability requirements.

Requirements on Software and Hardware

  • Requirements on software: V800R009C00 or later
  • Requirements on hardware: User access boards are installed

Requirements on Interconnected Devices

  • Upstream device: There are no special requirements. The upstream device is generally a CR for route switching and supports MPLS and MPLS L3VPN. It is recommended that the upstream device be able to provide MPLS L2VPN capabilities. In multi-device backup scenarios, protection tunnels must be established. If no direct link can be deployed between NE40Es, a protection path must be established from the IP core network. An MPLS tunnel is ideal.
  • Downstream device: An aggregation switch is used as the downstream device to learn MAC addresses from Layer 2 VLAN packets.

Solution Limitations

  • In shared address pool mode, an address pool (an IP network segment) is planned based on services. A service (for example, Internet access or VoIP service) corresponds to a domain's configuration. If terminals that go online through different access links have a service (for example, Internet access service), the terminals share address pool resources in a domain. This mode is called multi-link address pool sharing.
  • During the actual deployment, planning address pools based on links is difficult, because the number of public addresses is limited and dividing address pools causes address resource waste. Address pools can be divided based on authentication domains, which allows an address pool on the NE40E to be shared between links or backup groups. In this situation, forwarding control cannot be performed by advertising or withdrawing a network segment route of an address pool. To implement forwarding control, using a shared address pool and tunnel protection is recommended.

Networking Requirements

Carriers can divide the networks that users access into different subnets based on traffic destination addresses. When users access different subnets, different rate limits and accounting are applied to them. EDSG implements subnet division, rate limiting, and accounting management on NE40Es. As the applications accessed by users become more diverse, high reliability is required for EDSG services. To meet this requirement, deploy RUI so that EDSG service traffic is smoothly switched to the backup device if the master device fails. RUI ensures normal traffic accounting without requiring users to redial.

On the network shown in Figure 11-8, the user goes online from Device A (master device) through PPPoE dialup. Device A and Device B implement RUI over VRRP and BFD. Device A backs up EDSG services to Device B (backup device). If Device A fails, service traffic is switched to Device B. Traffic statistics on Device A and Device B remain consistent.

Figure 11-8 Example for configuring RUI+EDSG in shared address pool mode
NOTE:

Interface 1, interface 2, and interface 3 in this example are GE1/0/0, GE2/0/0, and GE3/0/0, respectively.



Device      Interface     IP Address
Device A    GE 1/0/0      10.0.1.1/24
Device A    GE 2/0/0      10.0.0.1/24
Device A    GE 3/0/0      10.1.1.6/24
Device A    Loopback 0    1.1.1.1/32
Device A    Loopback 1    22.22.22.22/32
Device B    GE 1/0/0      10.0.1.2/24
Device B    GE 2/0/0      10.0.2.1/24
Device B    GE 3/0/0      10.1.1.7/24
Device B    Loopback 0    2.2.2.2/32
Device B    Loopback 1    88.88.88.88/32

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic user access functions and ensure that the two NE40Es have the same configuration. For details, see HUAWEI NetEngine40E Universal Service Router Configuration Guide - User Access.

  2. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI NetEngine40E Universal Service Router Configuration Guide - IP Routing.

  3. Establish a dual-device backup platform.

  4. Configure an RBS, address pool, and RBP.

  5. Configure a protection path for returned network-side traffic.

  6. Bind an RBP to an interface from which the user goes online.

  7. Configure EDSG services on Device A and Device B. For details, see HUAWEI NetEngine40E Universal Service Router Multiservice Control Gateway Configuration Guide - Value-added Service.

Data Preparation

To complete the configuration, you need the following data:

  • VRRP ID

  • IP address of each interface on routers that back up each other

  • Backup ID, which works together with an RBS to identify an RBP to which the user belongs

  • Name of a hybrid address pool

  • EDSG-related parameters

Procedure

  1. Establish a dual-device backup platform. The configuration on Device A is used in this example. The configuration on Device B is similar to that on Device A.

    NOTE:

    In this example, only RUI-related settings are described.

    # Configure a BFD session on the access side to rapidly detect faults in interfaces or links and trigger a master/backup VRRP switchover. 10.0.1.2 is the IP address of GE 1/0/0.2 on Device B.

    [*DeviceA] bfd 
    [*DeviceA-bfd] commit 
    [~DeviceA-bfd] quit 
    [*DeviceA] bfd bfd bind peer-ip 10.0.1.2 
    [*DeviceA-bfd-session-bfd] discriminator local 1 
    [*DeviceA-bfd-session-bfd] discriminator remote 2 
    [*DeviceA-bfd-session-bfd] commit 
    [~DeviceA-bfd-session-bfd] quit 

    # Configure a VRRP backup group on GE 1/0/0.2, and configure the VRRP backup group to track the BFD session and network-side interface.

    [*DeviceA] interface gigabitethernet 1/0/0.2 
    [*DeviceA-GigabitEthernet1/0/0.2] vlan-type dot1q 200
    [*DeviceA-GigabitEthernet1/0/0.2] ip address 10.0.1.1 255.255.255.0 
    [*DeviceA-GigabitEthernet1/0/0.2] vrrp vrid 1 virtual-ip 10.0.1.100 
    [*DeviceA-GigabitEthernet1/0/0.2] admin-vrrp vrid 1 
    [*DeviceA-GigabitEthernet1/0/0.2] vrrp vrid 1 priority 120 
    [*DeviceA-GigabitEthernet1/0/0.2] vrrp vrid 1 preempt-mode timer delay 600
    [*DeviceA-GigabitEthernet1/0/0.2] vrrp vrid 1 track bfd-session 1 peer 
    [*DeviceA-GigabitEthernet1/0/0.2] vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
    [*DeviceA-GigabitEthernet1/0/0.2] commit 
    [~DeviceA-GigabitEthernet1/0/0.2] quit
    NOTE:

    Different priorities must be configured for devices in a VRRP backup group. The device with the higher priority is the master device.

  2. Configure an RBS, address pool, and RBP.

    # Configure an RBS.

    [*DeviceA] remote-backup-service service1 
    [*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046 
    [*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 2/0/0
    [*DeviceA-rm-backup-srv-service1] commit 
    [~DeviceA-rm-backup-srv-service1] quit
    NOTE:

    Run the track bfd-session command in the RBS view to monitor the peer BFD sessions that are established on the network side on Device A and Device B, so that a change in the peer status is detected rapidly. For configuration details, see track bfd-session in HUAWEI NetEngine40E Universal Service Router Command Reference - Reliability.

    # Configure a local address pool and backup address pool on Device A (master device).
    [*DeviceA] ip pool hsi bas local
    [*DeviceA-ip-pool-hsi] gateway 1.1.1.1 24
    [*DeviceA-ip-pool-hsi] section 0 1.1.1.2 1.1.1.254
    [*DeviceA-ip-pool-hsi] commit 
    [~DeviceA-ip-pool-hsi] quit
    [*DeviceA] ip pool hsi-main-bak bas local rui-slave
    [*DeviceA-ip-pool-hsi-main-bak] gateway 2.2.2.2 24
    [*DeviceA-ip-pool-hsi-main-bak] section 0 2.2.2.3 2.2.2.254
    [*DeviceA-ip-pool-hsi-main-bak] commit 
    [~DeviceA-ip-pool-hsi-main-bak] quit
    

    # Configure an address pool named hsi-main on Device B and configure it as a local address pool.

    [*DeviceB] ip pool hsi-main bas local
    [*DeviceB-ip-pool-hsi-main] gateway 2.2.2.2 24
    [*DeviceB-ip-pool-hsi-main] section 0 2.2.2.3 2.2.2.254
    [*DeviceB-ip-pool-hsi-main] commit 
    [~DeviceB-ip-pool-hsi-main] quit
    

    # Configure a backup address pool named hsi-bak and configure it as an RUI-slave address pool.

    [*DeviceB] ip pool hsi-bak bas local rui-slave
    [*DeviceB-ip-pool-hsi-bak] gateway 1.1.1.1 24
    [*DeviceB-ip-pool-hsi-bak] section 0 1.1.1.2 1.1.1.254
    [*DeviceB-ip-pool-hsi-bak] commit 
    [~DeviceB-ip-pool-hsi-bak] quit

    # Configure an RBP on Device A and Device B.

    [*DeviceA] remote-backup-profile profile1 
    [*DeviceA-rm-backup-prf-profile1] peer-backup hot 
    [*DeviceA-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 1/0/0.2 
    [*DeviceA-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1 
    [*DeviceA-rm-backup-prf-profile1] service-type bras 
    [*DeviceA-rm-backup-prf-profile1] commit 
    [~DeviceA-rm-backup-prf-profile1] quit 

    [*DeviceB] remote-backup-profile profile1 
    [*DeviceB-rm-backup-prf-profile1] peer-backup hot 
    [*DeviceB-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 1/0/0.2 
    [*DeviceB-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1 
    [*DeviceB-rm-backup-prf-profile1] service-type bras 
    [*DeviceB-rm-backup-prf-profile1] ip-pool hsi include hsi-bak node 5
    [*DeviceB-rm-backup-prf-profile1] ip-pool hsi-main include hsi-main-bak node 10
    [*DeviceB-rm-backup-prf-profile1] commit 
    [~DeviceB-rm-backup-prf-profile1] quit 

  3. Bind the configured address pools to the RBS and configure a protection path for returned network-side traffic.

    [*DeviceA] remote-backup-service service1 
    [*DeviceA-rm-backup-srv-service1] ip-pool hsi
    [*DeviceA-rm-backup-srv-service1] ip-pool hsi-bak
    [*DeviceA-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.7 interface gigabitethernet 3/0/0
    [*DeviceA-rm-backup-srv-service1] commit 
    

    [*DeviceB] remote-backup-service service1 
    [*DeviceB-rm-backup-srv-service1] ip-pool hsi-main
    [*DeviceB-rm-backup-srv-service1] ip-pool hsi-bak
    [*DeviceB-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 3/0/0
    [*DeviceB-rm-backup-srv-service1] commit 
    

  4. Bind the RBP to GE 1/0/0.1 from which users go online. The configuration on Device A is used in this example. The configuration on Device B is similar to that on Device A.

    [~DeviceA] interface gigabitethernet 1/0/0.1
    [*DeviceA-GigabitEthernet1/0/0.1] remote-backup-profile profile1 
    [*DeviceA-GigabitEthernet1/0/0.1] commit 
    [~DeviceA-GigabitEthernet1/0/0.1] quit 

  5. Configure EDSG services.
    1. Enable the value-added service function.

      [~DeviceA] value-added-service enable

    2. Configure a policy server.

      # Set parameters as follows:
      • RADIUS server group name: rad_group1
      • RADIUS authentication server's IP address: 10.10.10.2
      • RADIUS authentication server's port number: 1812
      • RADIUS accounting server's IP address: 10.10.10.2
      • RADIUS accounting server's port number: 1813
      • Shared key for the RADIUS authentication and accounting servers: huawei@123
      [~DeviceA] radius-server group rad_group1
      [*DeviceA-radius-rad_group1] radius-server authentication 10.10.10.2 1812
      [*DeviceA-radius-rad_group1] radius-server accounting 10.10.10.2 1813
      [*DeviceA-radius-rad_group1] radius-server shared-key-cipher huawei@123
      [*DeviceA-radius-rad_group1] commit
      [~DeviceA-radius-rad_group1] quit
      NOTE:

      For details about how to configure a RADIUS server group, see Configuring a RADIUS Server in HUAWEI NetEngine40E Configuration Guide - User Access.

    3. Configure an EDSG traffic policy.

      1. Create service groups.

        # Create a service group named s_1m.

        [~DeviceA] service-group s_1m

        # Create a service group named s_2m.

        [~DeviceA] service-group s_2m
        NOTE:

        You must run the service-group command to create service groups regardless of whether the NE40E obtains an EDSG service policy from local configurations or a RADIUS server.

      2. Configure an ACL and define ACL rules for each service group.

        # Configure ACL 6020 and define ACL rules for the service group named s_1m.

        [~DeviceA] acl number 6020
        [*DeviceA-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
        [*DeviceA-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
        [*DeviceA-acl-ucl-6020] commit
        [~DeviceA-acl-ucl-6020] quit

        # Configure ACL 6021 and define ACL rules for the service group named s_2m.

        [~DeviceA] acl number 6021
        [*DeviceA-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
        [*DeviceA-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
        [*DeviceA-acl-ucl-6021] commit
        [~DeviceA-acl-ucl-6021] quit
      3. Define traffic classifiers.

        # Define a traffic classifier named c1.

        [~DeviceA] traffic classifier c1 operator or
        [*DeviceA-classifier-c1] if-match acl 6020
        [*DeviceA-classifier-c1] commit
        [~DeviceA-classifier-c1] quit

        # Define a traffic classifier named c2.

        [~DeviceA] traffic classifier c2 operator or
        [*DeviceA-classifier-c2] if-match acl 6021
        [*DeviceA-classifier-c2] commit
        [~DeviceA-classifier-c2] quit
      4. Define traffic behaviors.

        # Define a traffic behavior named b1.

        [~DeviceA] traffic behavior b1
        [*DeviceA-behavior-b1] commit
        [~DeviceA-behavior-b1] quit

        # Define a traffic behavior b2.

        [~DeviceA] traffic behavior b2
        [*DeviceA-behavior-b2] commit
        [~DeviceA-behavior-b2] quit
      5. Configure an EDSG traffic policy.

        # Configure an EDSG traffic policy named traffic_policy_edsg, and associate c1 and c2 with b1 and b2, respectively.

        [~DeviceA] traffic policy traffic_policy_edsg
        [*DeviceA-policy-traffic_policy_edsg] share-mode
        [*DeviceA-policy-traffic_policy_edsg] classifier c1 behavior b1
        [*DeviceA-policy-traffic_policy_edsg] classifier c2 behavior b2
        [*DeviceA-policy-traffic_policy_edsg] commit
        [~DeviceA-policy-traffic_policy_edsg] quit
      6. Apply the EDSG traffic policy globally.

        [~DeviceA] traffic-policy traffic_policy_edsg inbound
        [~DeviceA] traffic-policy traffic_policy_edsg outbound
        [~DeviceA] commit

    4. Configure an AAA authentication scheme and accounting scheme.

      # Configure an AAA authentication scheme named auth1 and specify RADIUS authentication as the authentication mode.

      [~DeviceA] aaa
      [*DeviceA-aaa] authentication-scheme auth1
      [*DeviceA-aaa-authen-auth1] authentication-mode radius
      [*DeviceA-aaa-authen-auth1] commit
      [~DeviceA-aaa-authen-auth1] quit

      # Configure an AAA accounting scheme named acct1 and specify RADIUS accounting as the accounting mode.

      [~DeviceA-aaa] accounting-scheme acct1
      [*DeviceA-aaa-accounting-acct1] accounting-mode radius
      [*DeviceA-aaa-accounting-acct1] quit
      [*DeviceA-aaa] commit
      [~DeviceA-aaa] quit

    5. Configure a mode in which EDSG service policies are obtained.

      # Configure the mode "first from local configurations and then from a RADIUS server." In this mode, the NE40E first attempts to obtain an EDSG service policy from local configurations. If no EDSG service policy is locally configured, the NE40E obtains an EDSG service policy from a RADIUS server.

      [~DeviceA] service-policy download local radius rad_group1 password cipher huawei@123
      [~DeviceA] commit

    6. Configure EDSG service policies.

      1. Configure an EDSG service policy for traffic over network 1.

        # Create an EDSG service policy named service_edsg1.

        [~DeviceA] service-policy name service_edsg1 edsg

        # Bind s_1m to service_edsg1.

        [*DeviceA-service-policy-service_edsg1] service-group s_1m

        # Bind rad_group1 to service_edsg1.

        [*DeviceA-service-policy-service_edsg1] radius-server group rad_group1

        # Bind auth1 to service_edsg1.

        [*DeviceA-service-policy-service_edsg1] authentication-scheme auth1

        # Bind acct1 to service_edsg1.

        [*DeviceA-service-policy-service_edsg1] accounting-scheme acct1

        # Set the bandwidth for uplink traffic rate limit for service_edsg1 to 1 Mbit/s.

        [*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 inbound

        # Set the bandwidth for downlink traffic rate limit for service_edsg1 to 1 Mbit/s.

        [*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 outbound
        [*DeviceA-service-policy-service_edsg1] commit
        [~DeviceA-service-policy-service_edsg1] quit
      2. Configure an EDSG service policy for traffic over network 2.

        # Create an EDSG service policy named service_edsg2.

        [~DeviceA] service-policy name service_edsg2 edsg

        # Bind s_2m to service_edsg2.

        [*DeviceA-service-policy-service_edsg2] service-group s_2m

        # Bind rad_group1 to service_edsg2.

        [*DeviceA-service-policy-service_edsg2] radius-server group rad_group1

        # Bind auth1 to service_edsg2.

        [*DeviceA-service-policy-service_edsg2] authentication-scheme auth1

        # Bind acct1 to service_edsg2.

        [*DeviceA-service-policy-service_edsg2] accounting-scheme acct1

        # Set the bandwidth for uplink traffic rate limit for service_edsg2 to 2 Mbit/s.

        [*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 inbound

        # Set the bandwidth for downlink traffic rate limit for service_edsg2 to 2 Mbit/s.

        [*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 outbound
        [*DeviceA-service-policy-service_edsg2] commit
        [~DeviceA-service-policy-service_edsg2] quit

    7. Bind the local address pool and RADIUS server group to an AAA domain.

      # Bind edsg_pool and rad_group1 to an AAA domain.

      [~DeviceA] aaa
      [*DeviceA-aaa] domain domain1
      [*DeviceA-aaa-domain-domain1] ip-pool edsg_pool
      [*DeviceA-aaa-domain-domain1] radius-server group rad_group1
      [*DeviceA-aaa-domain-domain1] quit
      [*DeviceA-aaa] commit
      [~DeviceA-aaa] quit

    8. Configure the prepaid function.

      1. Configure a prepaid profile for traffic over network 1.

        # Create a prepaid profile named prepaid1.

        [~DeviceA] prepaid-profile prepaid1

        # Bind rad_group1 to prepaid1.

        [~DeviceA-prepaid-profile-prepaid1] radius-server group rad_group1

        # Bind auth1 to prepaid1.

        [~DeviceA-prepaid-profile-prepaid1] authentication-scheme auth1

        # Bind acct1 to prepaid1.

        [~DeviceA-prepaid-profile-prepaid1] accounting-scheme acct1

        # Configure a password used for the NE40E to apply for an EDSG service quota from the RADIUS server group.

        [~DeviceA-prepaid-profile-prepaid1] password cipher huawei@123

        # Set the time threshold for the NE40E to reapply for a time quota for EDSG services from the RADIUS server to 60s.

        [~DeviceA-prepaid-profile-prepaid1] threshold time 60 seconds

        # Set the traffic volume threshold for the BRAS to reapply for a traffic volume quota for EDSG services from the RADIUS server to 10 Mbytes.

        [~DeviceA-prepaid-profile-prepaid1] threshold volume 10 mbytes
        [~DeviceA-prepaid-profile-prepaid1] commit
        [~DeviceA-prepaid-profile-prepaid1] quit
      2. Configure a prepaid profile for traffic over network 2.

        # Create a prepaid profile named prepaid2.

        [~DeviceA] prepaid-profile prepaid2

        # Bind rad_group1 to prepaid2.

        [~DeviceA-prepaid-profile-prepaid2] radius-server group rad_group1

        # Bind auth1 to prepaid2.

        [~DeviceA-prepaid-profile-prepaid2] authentication-scheme auth1

        # Bind acct1 to prepaid2.

        [~DeviceA-prepaid-profile-prepaid2] accounting-scheme acct1

        # Configure a password used for the NE40E to apply for an EDSG service quota from the RADIUS server group.

        [~DeviceA-prepaid-profile-prepaid2] password cipher huawei@123

        # Set the time threshold for the NE40E to reapply for a time quota for EDSG services from the RADIUS server to 300s.

        [~DeviceA-prepaid-profile-prepaid2] threshold time 300 seconds

        # Set the traffic volume threshold for the NE40E to reapply for a traffic volume quota for EDSG services from the RADIUS server to 20 Mbytes.

        [~DeviceA-prepaid-profile-prepaid2] threshold volume 20 mbytes
        [~DeviceA-prepaid-profile-prepaid2] commit
        [~DeviceA-prepaid-profile-prepaid2] quit
      3. Apply the prepaid profiles in the EDSG service policy view.

        # Apply prepaid1 to service_edsg1.

        [~DeviceA] service-policy name service_edsg1 edsg
        [~DeviceA-service-policy-service_edsg1] prepaid-profile prepaid1
        [~DeviceA-service-policy-service_edsg1] commit
        [~DeviceA-service-policy-service_edsg1] quit

        # Apply prepaid2 to service_edsg2.

        [~DeviceA] service-policy name service_edsg2 edsg
        [~DeviceA-service-policy-service_edsg2] prepaid-profile prepaid2
        [~DeviceA-service-policy-service_edsg2] commit
        [~DeviceA-service-policy-service_edsg2] quit

    9. Configure interfaces.

      1. Create a virtual template.

        [~DeviceA] interface Virtual-Template 1
        [*DeviceA-Virtual-Template1] commit
        [~DeviceA-Virtual-Template1] quit
      2. Configure a BAS interface.

        [~DeviceA] interface GigabitEthernet1/0/2.1
        [*DeviceA-GigabitEthernet1/0/2.1] user-vlan 1000 2000
        [*DeviceA-GigabitEthernet1/0/2.1] user-vlan 1 1000 qinq 100
        [*DeviceA-GigabitEthernet1/0/2.1] pppoe-server bind virtual-template 1
        [*DeviceA-GigabitEthernet1/0/2.1] bas
        [*DeviceA-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
        [*DeviceA-GigabitEthernet1/0/2.1-bas] authentication-method ppp web 
        [*DeviceA-GigabitEthernet1/0/2.1-bas] quit
        [*DeviceA-GigabitEthernet1/0/2.1] commit
        [~DeviceA-GigabitEthernet1/0/2.1] quit
      3. Configure an uplink interface.

        [~DeviceA] interface GigabitEthernet1/0/0.1
        [*DeviceA-GigabitEthernet1/0/0.1] vlan-type dot1q 1
        [*DeviceA-GigabitEthernet1/0/0.1] ip address 192.168.100.1 255.255.255.0
        [*DeviceA-GigabitEthernet1/0/0.1] commit
        [~DeviceA-GigabitEthernet1/0/0.1] quit
        [~DeviceA] interface GigabitEthernet1/0/0.2
        [*DeviceA-GigabitEthernet1/0/0.2] vlan-type dot1q 1
        [*DeviceA-GigabitEthernet1/0/0.2] ip address 192.168.200.1 255.255.255.0
        [*DeviceA-GigabitEthernet1/0/0.2] commit
        [~DeviceA-GigabitEthernet1/0/0.2] quit
      4. Configure the interface connected to the policy server, AAA server, and portal server.

        [~DeviceA] interface GigabitEthernet1/0/1
        [*DeviceA-GigabitEthernet1/0/1] ip address 10.10.10.1 255.255.255.0
        [*DeviceA-GigabitEthernet1/0/1] commit
        [~DeviceA-GigabitEthernet1/0/1] quit

    10. Configure login users.

      # Configure the AAA server to deliver the RADIUS attribute User-Password with a value of huawei@123 for the PPPoE users (users 1 and 2).

      NOTE:

      The shared key configured for a RADIUS server group determines the content of the User-Password attribute.

      # Configure the AAA server to deliver the RADIUS attribute HW-Account-Info containing Aservice_edsg1 for user 1.

      # Configure the AAA server to deliver the RADIUS attribute HW-Account-Info containing Aservice_edsg2 for user 2.

      NOTE:

      The content of the HW-Account-Info attribute starts with "A" followed by a service name. This attribute is used in user authentication response packets to deliver EDSG services that automatically take effect (directly activated after delivery).

  6. Verify the configuration.

    After successfully configuring the RBP, run the display remote-backup-profile command. The remote backup service type is bras. The RBP named profile1 is bound to GigabitEthernet1/0/0.1 from which users attempt to get online. Device A is in the Master state.

    <~DeviceA> display remote-backup-profile profile1 
    -----------------------------------------------
     Profile-Index        : 0x803
     Profile-Name         : profile1
     Service            : bras
     Remote-backup-service: service1
     Backup-ID            : 10
     track protocol       : VRRP
     VRRP-ID              : 1
     VRRP-Interface       : GigabitEthernet1/0/0.2
     Interface            :
                            GigabitEthernet1/0/0.1
     State           	 : Master
     Peer-state      	 : Slave
     Backup mode          : hot
     Slot-Number          : 1
     Card-Number          : 0
     Port-Number          : 0
     IP-Pool              : hsi
     Traffic threshold    : 50(MB)
     Traffic interval     : 10(minutes)     
    <~DeviceB> display remote-backup-profile profile1 
    -----------------------------------------------
     Profile-Index        : 0x803
     Profile-Name         : profile1
     Service            : bras
     Remote-backup-service: service1
     Backup-ID            : 10
     track protocol       : VRRP
     VRRP-ID              : 1
     VRRP-Interface       : GigabitEthernet1/0/0.2
     Interface            :
                            GigabitEthernet1/0/0.1
     State              : Slave
     Peer-state      	 : Master
     Backup mode          : hot
     Slot-Number          : 1
     Card-Number          : 0
     Port-Number          : 0
     IP-Pool              : hsi
     Traffic threshold    : 50(MB)
     Traffic interval     : 10(minutes)     

    After successfully configuring the RBS, run the display remote-backup-service command. The TCP connection is in the Connected state.

    <~DeviceA> display remote-backup-service service1 
    ----------------------------------------------------------
     Service-Index    : 0
     Service-Name     : service1
     TCP-State        : Connected
     Peer-ip          : 88.88.88.88
     Source-ip        : 22.22.22.22
     TCP-Port         : 2046
     Track-BFD        : --
     Track-interface0 : GigabitEthernet2/0/0
     Track-interface1 : --
    ----------------------------------------------------------
    
    ip pool:
             hsi metric 10
             hsi-bak metric 10
    ipv6 pool:  
    NAT instance : nat1
    ----------------------------------------------------------
     Rbs-ID         : 0
     Protect-type   : ip-redirect
     Next-hop       : 10.1.1.7
     Vlanid         : 0
     Peer-ip        : 10.1.1.7
     Vrfid          : 0
     Tunnel-index   : 0x0
     Tunnel-state   : UP
     Tunnel-OperFlag: NORMAL
     Spec-interface : GigabitEthernet3/0/0
     Out-interface  : GigabitEthernet3/0/0
     User-number    : 0
    

    After users go online, run the display backup-user command to view user information that is backed up.

    <~DeviceA> display backup-user
      Remote-backup-service: service1
      Total Users Numer: 10
    ------------------------------------------------------------------------
     100     101     102     103     104     105     106     107     108     109
    ------------------------------------------------------------------------
    

    Run the display access-user interface command to view online user information on a specified interface.

    <~DeviceA> display access-user interface GigabitEthernet 1/0/0.1
      ------------------------------------------------------------------------------
      UserID  Username                Interface      IP address       MAC
              Vlan          IPv6 address             Access type
      ------------------------------------------------------------------------------
      120     user@lsh                GE1/0/0.1      2.2.2.10         0002-0101-0101
              50/-            -                       IPoE
      101      user@lsh                GE1/0/0.1      2.2.2.9         0002-0101-0102          -
              50/-            -                       IPoE
      102      user@lsh                GE1/0/0.1      2.2.2.8         0002-0101-0103          -
              50/-            -                       IPoE
      103      user@lsh                GE1/0/0.1      2.2.2.7         0002-0101-0104          -
              50/-            -                       IPoE
      104      user@lsh                GE1/0/0.1      2.2.2.6         0002-0101-0105          -
              50/-            -                       IPoE
      105      user@lsh                GE1/0/0.1      2.2.2.5         0002-0101-0106          -
              50/-            -                       IPoE
      106      user@lsh                GE1/0/0.1      2.2.2.4         0002-0101-0107          -
              50/-            -                       IPoE
      107      user@lsh                GE1/0/0.1      2.2.2.3         0002-0101-0108          -
              50/-            -                       IPoE
      108      user@lsh                GE1/0/0.1      2.2.2.2         0002-0101-0109          -
              50/-            -                       IPoE
      109      user@lsh                GE1/0/0.1      2.2.2.11        0002-0101-0110          -
              50/-            -                       IPoE
      --------------------------------------------------------------------------
      Normal users                       : 0
      RUI Local users                    : 10
      RUI Remote users                   : 0
      Total users                        : 10

    View the configuration of the EDSG service policy on Device A.

    <DeviceA> display service-policy configuration name service_edsg1
    ------------------------------------------------
    Service-policy-index         : 0
      Service-policy-name          : service1
      Service-policy-type          : EDSG
      Policy-storage-type          : configuration
      Reference-count              : 0
      Service-class-inbound        :ef
      Service-class-outbound       :ef
      Authentication-scheme-name   : -
      Accounting-scheme-name       : default1
      Radius-server-template       : template1
      Service-group-name           : -
      Service-group-priority       : -
      Inbound-cir                  : 100(kbps)
      Inbound-pir                  : 100(kbps)
      Inbound-cbs                  : 100(bytes)
      Inbound-pbs                  : 3000(bytes)
      Outbound-cir                 : 10000(kbps)
      Outbound-pir                 : -
      Outbound-cbs                 : -
      Outbound-pbs                 : -
      Prepaid-profile-name         : -
      Diameter monitor key         : -
      Inbound-match-usergroup      : no
      Outbound-match-usergroup     : no
     ------------------------------------------------ 
    

Configuration Files

  • Device A configuration file

    #
     sysname DeviceA
    #
    ip pool hsi bas local 
     gateway 1.1.1.1 255.255.255.0 
     section 0 1.1.1.2 1.1.1.254 
    #
    ip pool hsi-main-bak bas local rui-slave 
     gateway 2.2.2.2 255.255.255.0
     section 0 2.2.2.3 2.2.2.254 
    #
    aaa
     domain userdomain1 
     authentication-scheme default0 
     accounting-scheme default0 
     ip-pool hsi 
     ip-pool hsi-main-bak
    #
    bfd bfd bind peer-ip 10.0.1.2 
     discriminator local 1 
     discriminator remote 2 
     commit 
    #
    interface gigabitethernet 1/0/0.2 
     vlan-type dot1q 200 
     ip address 10.0.1.1 255.255.255.0 
     vrrp vrid 1 virtual-ip 10.0.1.100 
     admin-vrrp vrid 1 
     vrrp vrid 1 priority 120 
     vrrp vrid 1 preempt-mode timer delay 600
     vrrp vrid 1 track bfd-session 1 peer 
     vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
    #
    remote-backup-service service1 
     peer 88.88.88.88 source 22.22.22.22 port 2046 
     track interface gigabitethernet 2/0/0  
     ip-pool hsi
     ip-pool hsi-main-bak
     protect redirect ip-nexthop 10.1.1.7 interface gigabitethernet 3/0/0
    #
    remote-backup-profile profile1 
     service-type bras
     backup-id 10 remote-backup-service service1 
     peer-backup hot 
     vrrp-id 1 interface gigabitethernet 1/0/0.2 
    #
    interface gigabitethernet 1/0/0.1
     user-vlan 50 
     remote-backup-profile profile1 
     bas 
     access-type layer2-subscriber 
     authentication-method  web 
     vlan-type dot1q 1
     ip address 192.168.100.1 255.255.255.0
    #
    interface gigabitethernet 3/0/0
     undo shutdown 
     ip address 10.1.1.6 255.255.255.0 
    #
    value-added-service enable
    #
    radius-server group rad_group1
     radius-server authentication 10.10.10.2 1812 weight 0
     radius-server accounting 10.10.10.2 1813 weight 0
     radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#    
    #
    ip pool edsg_pool bas local
     gateway 172.32.0.0 255.255.0.0
     section 0 172.32.0.0 172.32.255.255
    #
    aaa
     authentication-scheme auth1
      authentication-mode radius
     accounting-scheme acct1
      accounting-mode radius
     domain domain1
      ip-pool edsg_pool
      radius-server group rad_group1
    #
    service-group s_1m
    service-group s_2m
    #
    acl number 6020
     rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
     rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
     #
    acl number 6021
     rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
     rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
    #
    traffic classifier c1 operator or
     if-match acl 6020
    #
    traffic classifier c2 operator or
     if-match acl 6021
    #
    traffic behavior b1
    #
    traffic behavior b2
    #
    traffic policy traffic_policy_edsg           
     share-mode
     classifier c1 behavior b1
     classifier c2 behavior b2
    #
    traffic-policy traffic_policy_edsg inbound
    traffic-policy traffic_policy_edsg outbound
    #
    aaa
     authentication-scheme auth1                                                    
     #  
     accounting-scheme acct1                                                        
     #
    # 
    http-redirect-profile http_redirect_profile                                     
     web-server url http://www.sample.com                                              
     web-server mode post                                                           
    #                                               
    prepaid-profile prepaid1                                                        
     password cipher huawei@123                               
     authentication-scheme auth1                                                    
     accounting-scheme acct1                                                        
     radius-server group rad_group1                                                     
     threshold time 60 seconds                                                      
     threshold volume 10 mbytes                                                     
    #                                         
    prepaid-profile prepaid2                                                        
     password cipher huawei@123                               
     authentication-scheme auth1                                                    
     accounting-scheme acct1                                                        
     radius-server group rad_group1                                                     
     threshold time 300 seconds                                                     
     threshold volume 20 mbytes                                                     
     quota-out redirect http_redirect_profile                                       
    #                              
    service-policy download local radius rad_group1 password cipher huawei@123
    #
    service-policy name service_edsg1 edsg
     radius-server group rad_group1
     service-group s_1m
     authentication-scheme auth1
     accounting-scheme acct1
     rate-limit cir 1000 inbound
     rate-limit cir 1000 outbound
     prepaid-profile prepaid1
    #
    service-policy name service_edsg2 edsg
     radius-server group rad_group1
     service-group s_2m
     authentication-scheme auth1
     accounting-scheme acct1
     rate-limit cir 2000 inbound
     rate-limit cir 2000 outbound
     prepaid-profile prepaid2
    #
    interface GigabitEthernet1/0/2.1
     user-vlan 1000 2000
     user-vlan 1 1000 qinq 100
     bas
     #
      access-type layer2-subscriber default-domain pre-authentication domain1
      authentication-method ppp web  
    #
     return 

  • Device B configuration file

    #
     sysname DeviceB
    #
    ip pool hsi-main bas local 
     gateway 2.2.2.2 255.255.255.0 
     section 0 2.2.2.3 2.2.2.253 
    #
    ip pool hsi-bak bas local rui-slave 
     gateway 1.1.1.1 255.255.255.0
     # LOCAL
       section 0 1.1.1.2 1.1.1.253
     # REMOTE
       dhcp-server group gm1
    #
    aaa
     domain userdomain1 
     authentication-scheme default0 
     accounting-scheme default0 
    #
    bfd bfd bind peer-ip 10.0.1.1 
     discriminator local 2 
     discriminator remote 1 
     commit 
    #
    interface gigabitethernet 1/0/0.2 
     vlan-type dot1q 200 
     ip address 10.0.1.2 255.255.255.0 
     vrrp vrid 1 virtual-ip 10.0.1.100 
     admin-vrrp vrid 1 
     vrrp vrid 1 track bfd-session 2 peer 
     vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
    #
    remote-backup-service service1 
     peer 22.22.22.22 source 88.88.88.88 port 2046 
     track interface gigabitethernet 2/0/0  
     ip-pool hsi-main 
     ip-pool hsi-bak
     protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 3/0/0
    #
    remote-backup-profile profile1 
     peer-backup hot 
     service-type bras
     backup-id 10 remote-backup-service service1 
     peer-backup hot 
     vrrp-id 1 interface gigabitethernet 1/0/0.2 
     ip-pool hsi include hsi-main node 5
     ip-pool hsi include hsi-bak node 10
    #
    interface gigabitethernet 1/0/0.1
     user-vlan 50 
     remote-backup-profile profile1 
     bas 
     access-type layer2-subscriber 
     authentication-method  web 
     vlan-type dot1q 1
     ip address 192.168.100.1 255.255.255.0
    #
    interface gigabitethernet 3/0/0
     undo shutdown 
     ip address 10.1.1.7 255.255.255.0 
    #
    value-added-service enable
    #
    radius-server group rad_group1
     radius-server authentication 10.10.10.2 1812 weight 0
     radius-server accounting 10.10.10.2 1813 weight 0
     radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#    
    #
    ip pool edsg_pool bas local
     gateway 172.32.0.0 255.255.0.0
     section 0 172.32.0.0 172.32.255.255
    #
    aaa
     authentication-scheme auth1
      authentication-mode radius
     accounting-scheme acct1
      accounting-mode radius
     domain domain1
      ip-pool edsg_pool
      radius-server group rad_group1
    #
    service-group s_1m
    service-group s_2m
    #
    acl number 6020
     rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
     rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
     #
    acl number 6021
     rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
     rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
    #
    traffic classifier c1 operator or
     if-match acl 6020
    #
    traffic classifier c2 operator or
     if-match acl 6021
    #
    traffic behavior b1
    #
    traffic behavior b2
    #
    traffic policy traffic_policy_edsg           
     share-mode
     classifier c1 behavior b1
     classifier c2 behavior b2
    #
    traffic-policy traffic_policy_edsg inbound
    traffic-policy traffic_policy_edsg outbound
    #
    aaa
     authentication-scheme auth1                                                    
     #  
     accounting-scheme acct1                                                        
     #
    # 
    http-redirect-profile http_redirect_profile                                     
     web-server url http://www.sample.com                                              
     web-server mode post                                                           
    #                                               
    prepaid-profile prepaid1                                                        
     password cipher huawei@123                               
     authentication-scheme auth1                                                    
     accounting-scheme acct1                                                        
     radius-server group rad_group1                                                     
     threshold time 60 seconds                                                      
     threshold volume 10 mbytes                                                     
    #                                         
    prepaid-profile prepaid2                                                        
     password cipher huawei@123                               
     authentication-scheme auth1                                                    
     accounting-scheme acct1                                                        
     radius-server group rad_group1                                                     
     threshold time 300 seconds                                                     
     threshold volume 20 mbytes                                                     
     quota-out redirect http_redirect_profile                                       
    #                              
    service-policy download local radius rad_group1 password cipher huawei@123
    #
    service-policy name service_edsg1 edsg
     radius-server group rad_group1
     service-group s_1m
     authentication-scheme auth1
     accounting-scheme acct1
     rate-limit cir 1000 inbound
     rate-limit cir 1000 outbound
     prepaid-profile prepaid1
    #
    service-policy name service_edsg2 edsg
     radius-server group rad_group1
     service-group s_2m
     authentication-scheme auth1
     accounting-scheme acct1
     rate-limit cir 2000 inbound
     rate-limit cir 2000 outbound
     prepaid-profile prepaid2
    #
    interface GigabitEthernet1/0/2.1
     user-vlan 1000 2000
     user-vlan 1 1000 qinq 100
     bas
     #
      access-type layer2-subscriber default-domain pre-authentication domain1
      authentication-method ppp web  
    #
     return 
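
The following Python audit is an added example, not part of the Huawei guide. It flags credential lines in a saved configuration whose value is not in ciphertext form, and secrets shared across several lines, as with the `password cipher huawei@123` lines in the files above. It assumes the `%^%#...%^%#` wrapper seen in the `shared-key-cipher` line marks stored ciphertext; `audit`, `SAMPLE_CONFIG` and the two regexes are hypothetical names, and the sample is an excerpt constructed from the Device A file.

```python
import re
from collections import defaultdict

# Constructed sample: credential-bearing lines excerpted from the Device A file above.
SAMPLE_CONFIG = r"""
radius-server group rad_group1
 radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
prepaid-profile prepaid1
 password cipher huawei@123
#
prepaid-profile prepaid2
 password cipher huawei@123
#
service-policy download local radius rad_group1 password cipher huawei@123
"""

# The secret is the token that follows "cipher" or a "*-cipher" keyword.
SECRET_RE = re.compile(r"(?:^|\s)(?:[\w-]+-)?cipher\s+(\S+)")
# Assumption: stored ciphertext is wrapped in the %^%# ... %^%# envelope seen on the page.
ENVELOPE_RE = re.compile(r"^%\^%#.+%\^%#$")


def audit(config_text):
    """Return (findings, reuse): non-ciphertext secret lines, and secrets used on more than one line."""
    findings, seen, context = [], defaultdict(list), ""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            context = line  # an unindented line opens a new configuration view
        m = SECRET_RE.search(line)
        if not m:
            continue
        value = m.group(1)
        seen[value].append(lineno)
        if not ENVELOPE_RE.match(value):
            findings.append((lineno, context, line.strip()))
    reuse = {v: nums for v, nums in seen.items() if len(nums) > 1}
    return findings, reuse


if __name__ == "__main__":
    findings, reuse = audit(SAMPLE_CONFIG)
    for lineno, context, line in findings:
        print(f"line {lineno}: not ciphertext [{context}] {line}")
    for nums in reuse.values():
        print(f"one secret value is shared by lines {nums}")
```

Running it over both device files before they are archived or shared shows which credential lines still need to be re-entered so that the device stores them as ciphertext.
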
Updated: 2019-01-03

Document ID: EDOC1100055031
