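Example for Configuring DAA Services
This section provides an example of configuring DAA services; refer to the networking diagram to follow the configuration process. The example includes the networking requirements, configuration roadmap and data preparation, procedure, and configuration files.
Networking Requirements
As shown in Figure 3-1, the requirements are as follows:
- Users belong to the domain isp1, and their bandwidth is limited to 20 Mbit/s.
- The service policy for users in the isp1 domain that use basic value-added services is as follows: the accounting mode is RADIUS accounting; traffic from users in user group isp1 to the 192.168.100.0/24 network segment is charged at tariff level 1, with bandwidth limited to 10 Mbit/s; traffic to the 192.168.200.0/24 network segment is charged at tariff level 5, with bandwidth limited to 5 Mbit/s.
- The RADIUS authentication server has IP address 10.10.10.2 and port 1812; the RADIUS accounting server has IP address 10.10.10.2 and port 1813. Default values are used for all other parameters.
Networking Diagram
Configuration Roadmap
- Configure AAA
- Configure an address pool
- Enable value-added services
- Configure a user group
- Configure a DAA traffic policy
- Configure QoS profiles
- Configure a DAA service policy
- Configure a domain
- Configure interfaces
Data Preparation
To complete this configuration example, you need the following data:
- Name and authentication mode of the authentication scheme
- Name and accounting mode of the accounting scheme
- RADIUS server group name, and the IP addresses and port numbers of the RADIUS authentication server and RADIUS accounting server
- Address pool name, gateway address, user group name, and IP addresses of the different network segments
- ACL rules and DAA traffic policy
- QoS profiles and DAA service policy
- Domain name
- Interface parameters
Procedure
Configure AAA
# Configure an authentication scheme.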
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] quit
# Configure an accounting scheme.
[*HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] quit
# Configure a RADIUS server group.
[*HUAWEI] radius-server group group1
[*HUAWEI-radius-group1] radius-server authentication 10.10.10.2 1812
[*HUAWEI-radius-group1] radius-server accounting 10.10.10.2 1813
[*HUAWEI-radius-group1] radius-server shared-key huawei
[*HUAWEI-radius-group1] commit
[~HUAWEI-radius-group1] quit
Configure an address pool
[~HUAWEI] ip pool pool1 bas local
[~HUAWEI-ip-pool-pool1] gateway 172.16.100.1 24
[~HUAWEI-ip-pool-pool1] section 0 172.16.100.2 172.16.100.200
[~HUAWEI-ip-pool-pool1] quit
Enable value-added services
[~HUAWEI] value-added-service enable
Configure a user group
[~HUAWEI] user-group isp1
Configure a DAA traffic policy
# Configure user ACL 6000.
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
[*HUAWEI-acl-ucl-6000] rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group isp1
[*HUAWEI-acl-ucl-6000] quit
# Configure user ACL 6001.
[*HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6001] rule 15 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group isp1
[*HUAWEI-acl-ucl-6001] quit
# Configure traffic classifier tc1.
[*HUAWEI] traffic classifier tc1
[*HUAWEI-classifier-tc1] if-match acl 6000
[*HUAWEI-classifier-tc1] quit
# Configure traffic classifier tc2.
[*HUAWEI] traffic classifier tc2
[*HUAWEI-classifier-tc2] if-match acl 6001
[*HUAWEI-classifier-tc2] quit
# Configure DAA traffic behavior tb1 to set the action for the first tariff level.
[*HUAWEI] traffic behavior tb1
[*HUAWEI-behavior-tb1] tariff-level 1
[*HUAWEI-behavior-tb1] car
[*HUAWEI-behavior-tb1] traffic-statistic
[*HUAWEI-behavior-tb1] quit
# Configure DAA traffic behavior tb2 to set the action for the second tariff level.
[*HUAWEI] traffic behavior tb2
[*HUAWEI-behavior-tb2] tariff-level 5
[*HUAWEI-behavior-tb2] car
[*HUAWEI-behavior-tb2] traffic-statistic
[*HUAWEI-behavior-tb2] quit
# Configure traffic policy traffic_policy_daa1 and bind the traffic classifiers to the traffic behaviors.
[*HUAWEI] traffic policy traffic_policy_daa1
[*HUAWEI-trafficpolicy-traffic_policy_daa1] classifier tc1 behavior tb1
[*HUAWEI-trafficpolicy-traffic_policy_daa1] classifier tc2 behavior tb2
[*HUAWEI-trafficpolicy-traffic_policy_daa1] quit
# Apply the DAA traffic policy globally.
[*HUAWEI] accounting-service-policy traffic_policy_daa1
Configure QoS profiles
# Configure QoS profile qos-prof1.
[*HUAWEI] qos-profile qos-prof1
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 inbound
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 outbound
[*HUAWEI-qos-profile-qos-prof1] quit
# Configure QoS profile qos-prof2.
[*HUAWEI] qos-profile qos-prof2
[*HUAWEI-qos-profile-qos-prof2] car cir 10000 inbound
[*HUAWEI-qos-profile-qos-prof2] car cir 10000 outbound
[*HUAWEI-qos-profile-qos-prof2] quit
# Configure QoS profile qos-prof3.
[*HUAWEI] qos-profile qos-prof3
[*HUAWEI-qos-profile-qos-prof3] car cir 20000 inbound
[*HUAWEI-qos-profile-qos-prof3] car cir 20000 outbound
[*HUAWEI-qos-profile-qos-prof3] commit
[~HUAWEI-qos-profile-qos-prof3] quit
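Configure a DAA service policy
# Configure the DAA service policy vp-daa. The service policy is either configured in the domain through which users go online or delivered by the RADIUS server in the authentication response.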
[~HUAWEI] value-added-service policy vp-daa daa
[~HUAWEI-vas-policy-vp-daa] accounting-scheme acct1
# Configure the tariff levels and their corresponding QoS profiles.
[~HUAWEI-vas-policy-vp-daa] tariff-level 1 qos-profile qos-prof2
[~HUAWEI-vas-policy-vp-daa] tariff-level 5 qos-profile qos-prof1
[~HUAWEI-vas-policy-vp-daa] quit
Configure a domain
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group group1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] user-group isp1
[~HUAWEI-aaa-domain-isp1] value-added-service policy vp-daa
[~HUAWEI-aaa-domain-isp1] value-added-service account-type radius group1
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[~HUAWEI-aaa-domain-isp1] qos-profile qos-prof3 inbound
[~HUAWEI-aaa-domain-isp1] qos-profile qos-prof3 outbound
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
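If the DAA policy is delivered by the RADIUS server, the DAA policy template does not need to be bound in the user domain. In this case, the RADIUS server uses the proprietary HW-Policy-Name (26-95) attribute in the authentication response packet to deliver the name of the DAA policy template.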
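The HW-Policy-Name delivery described above, as an added example that is not part of the original documentation: it encodes the policy name as a Vendor-Specific attribute and accepts it only from an Access-Accept whose Response Authenticator verifies against the RADIUS shared key. It assumes the vendor-attribute layout recommended by RFC 2865 and Huawei's enterprise number 2011; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number
HW_POLICY_NAME = 95       # vendor sub-attribute from the page: HW-Policy-Name (26-95)
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute (assumed standard layout)
ACCESS_ACCEPT = 2         # RFC 2865 packet code


def encode_hw_policy_name(name):
    """Build the Vendor-Specific attribute that carries the DAA policy name."""
    value = name.encode("ascii")
    sub = struct.pack("!BB", HW_POLICY_NAME, 2 + len(value)) + value
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident, request_auth, attrs, secret):
    """Access-Accept whose Response Authenticator is MD5(header+ReqAuth+attrs+secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def policy_from_accept(packet, request_auth, secret):
    """Return the HW-Policy-Name value only if the authenticator verifies, else None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None   # modified reply or wrong shared key
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None   # malformed attribute list
        data = attrs[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(data) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", data[:6])
            if (vendor, v_type) == (HUAWEI_VENDOR_ID, HW_POLICY_NAME) and 2 <= v_len <= len(data) - 4:
                return data[6:4 + v_len].decode("ascii")
        pos += a_len
    return None
```

The policy name in the reply is protected only by the shared key configured in the RADIUS server group, so a reply altered in transit is rejected before the name is read.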
Configure interfaces
# Create a virtual template interface.
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit
# Configure the BAS interface.
[~HUAWEI] interface GigabitEthernet 0/1/2
[~HUAWEI-GigabitEthernet0/1/2] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2] commit
[~HUAWEI-GigabitEthernet0/1/2] bas
[~HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber default-domain authentication isp1
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit
# Configure the upstream interfaces.
[~HUAWEI] interface GigabitEthernet 0/1/0.1
[~HUAWEI-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[~HUAWEI-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[~HUAWEI-GigabitEthernet0/1/0.1] quit
[~HUAWEI] interface GigabitEthernet 0/1/0.2
[~HUAWEI-GigabitEthernet0/1/0.2] vlan-type dot1q 2
[~HUAWEI-GigabitEthernet0/1/0.2] ip address 192.168.200.1 255.255.255.0
[~HUAWEI-GigabitEthernet0/1/0.2] quit
# Configure the interface connected to the RADIUS server.
[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
Verify the configuration
Run the display value-added-service policy command to view service policy information.
<HUAWEI> display value-added-service policy
  ------------------------------------------------------------------
  Index    Service Policy Name    Used Num    Type    User Num
  ------------------------------------------------------------------
  0        vp-daa                 1           DAA     1
  ------------------------------------------------------------------
  Total 1,1 printed
Run the display value-added-service user command to view value-added service information for all users.
<HUAWEI> display value-added-service user daa
  ----------------------------------------------------------------
  The used user id table are:
  95
  ----------------------------------------------------------------
  Total users:1
Run the display value-added-service user user-id command to view value-added service statistics for a specified DAA user.
<HUAWEI> display value-added-service user user-id 95 daa tariff-level 1
  -------------------------------------------------------------------------
  Daa user service table:
  Service user id                          : 95
  Service type                             : Default dsg
  Service IP type                          : IPv4
  Service policy                           : vp-daa
  Account method                           : Radius
  Account start time                       : 2017-04-07 08:14:36
  Normal-server-group                      : --
  Flow up packets(high,low)                : (0,0)
  Flow up bytes(high,low)                  : (0,0)
  Flow down packets(high,low)              : (0,0)
  Flow down bytes(high,low)                : (0,0)
  IPV6 Flow up packets(high,low)           : (0,0)
  IPV6 Flow up bytes(high,low)             : (0,0)
  IPV6 Flow down packets(high,low)         : (0,0)
  IPV6 Flow down bytes(high,low)           : (0,0)
  Up committed information rate <kbps>     : 10000
  Up Peak information rate <kbps>          : No limit
  Up committed burst size <bytes>          : -
  Up Peak burst size <bytes>               : -
  Down committed information rate <kbps>   : 10000
  Down Peak information rate <kbps>        : No limit
  Down committed burst size <bytes>        : -
  Down Peak burst size <bytes>             : -
Configuration Files
#
sysname HUAWEI
#
user-group isp1
#
value-added-service enable
#
qos-profile qos-prof3
 car cir 20000 cbs 1870000 green pass red discard inbound
 car cir 20000 cbs 1870000 green pass red discard outbound
qos-profile qos-prof2
 car cir 10000 cbs 1870000 green pass red discard inbound
 car cir 10000 cbs 1870000 green pass red discard outbound
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
 car cir 5000 cbs 935000 green pass red discard outbound
#
radius-server group group1
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
acl number 6000
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
 rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group isp1
#
acl number 6001
 rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
 rule 15 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group isp1
#
traffic classifier tc2 operator or
 if-match acl 6001
traffic classifier tc1 operator or
 if-match acl 6000
#
traffic behavior tb1
 tariff-level 1
 car
 traffic-statistic
traffic behavior tb2
 tariff-level 5
 car
 traffic-statistic
#
traffic policy traffic_policy_daa1
 share-mode
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2
#
ip pool pool1 bas local
 gateway 172.16.100.1 255.255.255.0
 section 0 172.16.100.2 172.16.100.200
#
dot1x-template 1
#
aaa
 authentication-scheme auth1
 #
 authorization-scheme default
 #
 accounting-scheme acct1
 #
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  ip-pool pool1
  value-added-service policy vp-daa
  radius-server group group1
  user-group isp1
  qos-profile qos-prof3 inbound
  qos-profile qos-prof3 outbound
#
value-added-service policy vp-daa daa
 accounting-scheme acct1
 user-group isp1
 tariff-level 1 qos-profile qos-prof2
 tariff-level 5 qos-profile qos-prof1
#
interface Virtual-Template1
 ppp authentication-mode auto
#
interface GigabitEthernet0/1/0.1
 vlan-type dot1q 1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/1/0.2
 vlan-type dot1q 2
 ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1/2
 pppoe-server bind Virtual-Template 1
 undo shutdown
 bas
 #
  access-type layer2-subscriber default-domain authentication isp1
 #
#
accounting-service-policy traffic_policy_daa1
#
return
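The chain that the procedure builds (ACL, traffic classifier, traffic behavior, tariff level, QoS profile, CAR rate) can be checked offline against the networking requirements. The following added example is not part of the original documentation; `stanza` and `resolve` are hypothetical helper names and the input is a constructed excerpt of the configuration file above. It resolves each destination network to its tariff level and committed rate, and returns None for the rate when a tariff level has no QoS profile mapped to it.

```python
import ipaddress
import re

# Added example: constructed excerpt of this page's configuration file (DAA stanzas only).
CONFIG = """\
qos-profile qos-prof2
 car cir 10000 cbs 1870000 green pass red discard inbound
qos-profile qos-prof1
 car cir 5000 cbs 935000 green pass red discard inbound
acl number 6000
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
acl number 6001
 rule 10 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
traffic classifier tc2 operator or
 if-match acl 6001
traffic classifier tc1 operator or
 if-match acl 6000
traffic behavior tb1
 tariff-level 1
traffic behavior tb2
 tariff-level 5
traffic policy traffic_policy_daa1
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2
value-added-service policy vp-daa daa
 tariff-level 1 qos-profile qos-prof2
 tariff-level 5 qos-profile qos-prof1
"""

def stanza(text, header):
    """Indented body of the first stanza whose header line starts with `header`."""
    m = re.search(rf"^{re.escape(header)}\b.*\n((?: .*\n?)*)", text, re.M)
    return m.group(1) if m else ""

def resolve(text):
    """Map each DAA destination network to (tariff level, CIR in kbit/s or None)."""
    out = {}
    vas = stanza(text, "value-added-service policy")
    for cls, beh in re.findall(r"classifier (\S+) behavior (\S+)", stanza(text, "traffic policy")):
        acl = re.search(r"if-match acl (\d+)", stanza(text, f"traffic classifier {cls}"))
        lvl = re.search(r"tariff-level (\d+)", stanza(text, f"traffic behavior {beh}"))
        if not (acl and lvl):
            continue
        prof = re.search(rf"tariff-level {lvl[1]} qos-profile (\S+)", vas)
        cir = prof and re.search(r"car cir (\d+)", stanza(text, f"qos-profile {prof[1]}"))
        for net, wild in re.findall(r"destination ip-address (\S+) (\S+)", stanza(text, f"acl number {acl[1]}")):
            # ipaddress accepts the ACL wildcard (host mask) after the slash
            out[str(ipaddress.ip_network(f"{net}/{wild}"))] = (int(lvl[1]), int(cir[1]) if cir else None)
    return out
```

For the excerpt above, `resolve(CONFIG)` matches the stated requirements: 192.168.100.0/24 at tariff level 1 with 10000 kbit/s, and 192.168.200.0/24 at tariff level 5 with 5000 kbit/s.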