Network Diagram
EVE-NG Diagram
สิ่งที่เราปรับปรุงในคราวนี้
1. ที่ BNG เปลี่ยนการใช้ Physical Loop เป็นการใช้
Port cross connect (PXC) คือการใช้แค่พอร์ทเดียวในการทำ Loop ประหยัดพอร์ทได้ 1 พอร์ท สามารถใช้แทน physical loop แบบเดิมได้เลย ถ้ามีคนไปดูหน้าการ์ด คงบอกว่าพอร์ทว่างมีไว้ทำไม
Pseudowire Port (PW-Port) คือการผูก physical port เข้ากับ vc-id ประหยัดได้ 2 พอร์ท ไม่ต้องใช้ Loop เลย แต่มีข้อเสียคือต้อง tag-vlan เข้ามาตั้งแต่ต้นทาง และ traffic ต้องเข้าออกทาง physical พอร์ทนี้เท่านั้น ประหยัดแต่ไม่ยืดหยุ่น
2. ทำ Primary/Secondary Radius โดย
PPPoE Radius Primary=Radius1 และ Secondary=Radius2
IPoE Radiuss Primary=Radius2 และ Secondary=Radius1
3. ใช้ Python Script สำหรับ PPPoE access-accept ในตัวอย่างนี้เอาไว้ปรับแต่ง message ที่คุยกับ Radius เพราะบางที Radius ก็ไม่ได้รับส่งด้วย Attribute ของ NOKIA
4. ใช้ Mikrotik Router ซึ่งเป็นเร้าเตอร์ที่บ้านผมเองในการทำ NAT ออกเน็ต แทนการใช้ NAT-PC
5. แบ่ง MPLS domain ออกเป็นส่วน คือส่วนที่รันด้วย OSPF กับ ISIS และ ปรับปรุง L2VPN Architecture ใหม่
สารบัญ
เนื่องจากเนื้อหาค่อนข้างเยอะ ผมจึงทำสารบัญไว้ คลิกที่หัวข้อเพื่อไปเนื้อหานั้นได้เลยครับ
1. ISP Transmission infra-structure
1.1 การคอนฟิก infra-structure
2. ISP Transmission MPLS L2VPN
2.1 การคอนฟิก L2VPN สำหรับ PPPoE
2.2 การคอนฟิก L2VPN สำหรับ IPoE
2.3 แสดงสถานะ MPLS L2VPN PPPoE, IPoE
3. ฝั่ง Core สำหรับ Internet และ Radius โดยใช้ BGP
3.1 คอนฟิกฝั่ง Core สำหรับ Internet และ Radius โดยใช้ BGP
3.2 แสดงสถานะคอนฟิกฝั่ง Core BGP session และ Route-Table
4. การคอนฟิก BNG Subscriber Management และ Redundant
4.1 การคอนฟิก BNG Subscriber management และ redundant
4.2 แสดงสถานะ BNG
5 ให้ PC-Authen และออกเน็ต
6 ไฟล์แนบ เช่น configuration ของทุกโหนด capture traffic และอื่นๆ
1. ISP Transmission infra-structure
1.1 การคอนฟิก Infra-structure
BNG1(10.10.10.1) คอนฟิก Infra-structure ด้วย OSPF MPLS LDP/configure port 1/1/2
description "To_NOKIA-AGG"
ethernet
mode hybrid
encap-type dot1q
exit
no shutdown
exit
/configure router
interface "system"
address 10.10.10.1/32
no shutdown
exit
interface "to_NOKIA-AGG"
address 192.168.13.1/24
port 1/1/2:0
no shutdown
exit
/configure router
ospf 0
area 0.0.0.0
interface "system"
no shutdown
exit
interface "to_NOKIA-AGG"
interface-type point-to-point
no shutdown
exit
exit
no shutdown
exit
/configure router
ldp
interface-parameters
interface "to_NOKIA-AGG" dual-stack
ipv4
no shutdown
exit
no shutdown
exit
exit
targeted-session
peer 10.10.10.2
no shutdown
exit
peer 10.10.10.3
no shutdown
exit
peer 10.10.10.4
no shutdown
exit
exit
no shutdown
exit
BNG2(10.10.10.2) คอนฟิก Infra-structure ด้วย OSPF MPLS LDP
/configure port 1/1/2
description "To_Huawei_eNSP"
ethernet
mode hybrid
encap-type dot1q
exit
no shutdown
exit
/configure router
interface "system"
address 10.10.10.2/32
no shutdown
exit
interface "to_Huawei"
address 192.168.24.2/24
port 1/1/2:0
no shutdown
exit
/configure router
ospf 0
area 0.0.0.0
interface "system"
no shutdown
exit
interface "to_Huawei"
interface-type point-to-point
no shutdown
exit
exit
no shutdown
exit
/configure router
ldp
interface-parameters
interface "to_Huawei" dual-stack
ipv4
no shutdown
exit
no shutdown
exit
exit
targeted-session
peer 10.10.10.1
no shutdown
exit
peer 10.10.10.3
no shutdown
exit
peer 10.10.10.4
no shutdown
exit
exit
no shutdown
exit
NOKIA-AGG(10.10.10.3) คอนฟิก Infra-structure ด้วย OSPF, ISIS, MPLS LDP
ที่โหนดนี้ได้ทำ Redistribute System IP address จาก OSPF ไป ISIS เพื่อให้โหนดไซต์ Access เห็น การ Redistribute ควรระวังเรื่อง Routing Loop. ในตัวอย่างนี้ Huawei จะ learn NOKIA-AGG system(10.10.10.3) จาก OSPF และ ISIS แต่จะเลือก OSPF เป็น best route เพราะค่า Preference
/configure
port 1/1/1
description "To_NOKIA-ACC"
ethernet
exit
no shutdown
exit
port 1/1/2
description "To_BNG1"
ethernet
exit
no shutdown
exit
port 1/1/3
description "To_HUAWEI"
ethernet
exit
no shutdown
exit
/configure router
interface "system"
address 10.10.10.3/32
no shutdown
exit
interface "to_BNG1"
address 192.168.13.3/24
port 1/1/2
no shutdown
exit
interface "to_Huawei"
address 192.168.34.3/24
port 1/1/3
no shutdown
exit
interface "to_NOKIA-ACC"
address 192.168.35.3/24
port 1/1/1
no shutdown
exit
router-id 10.10.10.3
/configure router
ospf
area 0.0.0.0
interface "system"
no shutdown
exit
interface "to_BNG1"
interface-type point-to-point
mtu 8686
no shutdown
exit
interface "to_Huawei"
interface-type point-to-point
no shutdown
exit
exit
exit
/configure router
isis
level-capability level-2
area-id 49.0100.0000.0000.0003.00
export "ISIS-Export"
interface "to_NOKIA-ACC"
level-capability level-2
interface-type point-to-point
no shutdown
exit
no shutdown
exit
/configure router
ldp
interface-parameters
interface "to_BNG1"
exit
interface "to_Huawei"
exit
interface "to_NOKIA-ACC"
exit
exit
targeted-session
peer 10.10.10.1
exit
peer 10.10.10.2
exit
peer 10.10.10.5
exit
peer 10.10.10.6
exit
exit
no shutdown
exit
/configure router
policy-options
begin
prefix-list "system-int"
prefix 10.10.10.3/32 exact
exit
policy-statement "ISIS-Export"
entry 10
from
prefix-list "system-int"
exit
action accept
exit
exit
default-action reject
exit
commit
exit
Huawei(10.10.10.4) คอนฟิก Infra-structure ด้วย OSPF, ISIS, MPLS LDP
เหมือนเดิมครับ Huawei ต้องรันใน eNSP แล้วใช้ Port Binding เพื่อต่อกับเร้าเตอร์ตัวอื่น
ที่โหนดนี้ได้ทำ Redistribute loopback0 จาก OSPF ไป ISIS เหมือนกันกับ NOKIA-AGG
[Huawei] display current-configuration
# mpls lsr-id 10.10.10.4 mpls label advertise non-null # mpls ldp # mpls ldp remote-peer to_bng1 remote-ip 10.10.10.1 # mpls ldp remote-peer to_bng2 remote-ip 10.10.10.2 # mpls ldp remote-peer to_cisco remote-ip 10.10.10.6 # mpls ldp remote-peer to_nokia-acc remote-ip 10.10.10.5 # mpls ldp remote-peer to_nokia-agg remote-ip 10.10.10.3 # # isis 1 description "ACCESS" is-level level-2 network-entity 49.0100.0000.0000.0004.00 is-name Huawei import-route direct route-policy ISIS-Export # interface GigabitEthernet0/0/0 description "To_Nokia-BNG2" ip address 192.168.24.4 255.255.255.0 ospf network-type p2p ospf enable 1 area 0.0.0.0 mpls mpls ldp # interface GigabitEthernet0/0/1 description "To_Nokia-AGG" ip address 192.168.34.4 255.255.255.0 ospf network-type p2p ospf enable 1 area 0.0.0.0 mpls mpls ldp # interface GigabitEthernet0/0/2 description "To_Cisco" ip address 192.168.46.4 255.255.255.0 isis enable 1 isis circuit-type p2p isis circuit-level level-2 mpls mpls ldp # # interface LoopBack0 ip address 10.10.10.4 255.255.255.255 ospf enable 1 area 0.0.0.0 # ospf 1 router-id 10.10.10.4 area 0.0.0.0 # route-policy ISIS-Export permit node 10 if-match ip-prefix Loopback0 # ip ip-prefix Loopback0 index 10 permit 10.10.10.4 32 #
NOKIA-ACC(10.10.10.5) คอนฟิก Infra-structure ด้วย ISIS MPLS LDP
/configure
port 1/1/1
description "To_NOKIA-AGG"
ethernet
exit
no shutdown
exit
port 1/1/2
description "To_Cisco"
ethernet
exit
no shutdown
exit
/configure router
interface "system"
address 10.10.10.5/32
no shutdown
exit
interface "to_Cisco"
address 192.168.56.5/24
port 1/1/2
no shutdown
exit
interface "to_NOKIA-AGG"
address 192.168.35.5/24
port 1/1/1
no shutdown
exit
/configure router
isis
level-capability level-2
area-id 49.0100.0000.0000.0005.00
interface "system"
level-capability level-2
passive
no shutdown
exit
interface "to_Cisco"
level-capability level-2
interface-type point-to-point
no shutdown
exit
interface "to_NOKIA-AGG"
level-capability level-2
interface-type point-to-point
no shutdown
exit
no shutdown
exit
/configure router
ldp
interface-parameters
interface "to_Cisco"
exit
interface "to_NOKIA-AGG"
exit
exit
targeted-session
peer 10.10.10.3
exit
peer 10.10.10.4
exit
peer 10.10.10.6
exit
exit
no shutdown
exit
Cisco(10.10.10.5) คอนฟิก Infra-structure ด้วย ISIS MPLS LDP
Cisco#show running-config ! mpls label protocol ldp mpls ldp neighbor 10.10.10.3 targeted ldp mpls ldp neighbor 10.10.10.4 targeted ldp mpls ldp neighbor 10.10.10.5 targeted ldp ! ! interface Loopback0 ip address 10.10.10.6 255.255.255.255 ip router isis isis circuit-type level-2-only ! interface FastEthernet0/0 description To_Huawei_0/0/2(e2) ip address 192.168.46.6 255.255.255.0 ip router isis duplex auto speed auto mpls ldp discovery transport-address 10.10.10.6 mpls label protocol ldp mpls ip isis circuit-type level-2-only isis network point-to-point ! interface FastEthernet0/1 description To_NOKIA-ACC_1/1/2 ip address 192.168.56.6 255.255.255.0 ip router isis duplex auto speed auto mpls ldp discovery transport-address 10.10.10.6 mpls label protocol ldp mpls ip isis circuit-type level-2-only isis network point-to-point ! router isis net 49.0100.0000.0000.0006.00 is-type level-2-only ! mpls ldp router-id Loopback0 force !
1.2 แสดงสถานะ infra-structure
แสดงสถานะ OSPF , ISIS neighbor , LDP session ที่คอนฟิกไป สำหรับการแสดงผลลัพธ์ผมตัด route-table ออก เพราะอยากให้ทำ Blog สั้นลง ส่วนถ้าใครอยากดูผลลัพธ์แบบเต็มดาวน์โหลดไฟล์แนบด้านล่างสุดของเพจนี้เลยครับBNG1(10.10.10.1) แสดงสถานะ ospf neighbor และ ldp-session
A:BNG1# show router ospf neighbor =============================================================================== Interface-Name Rtr Id State Pri RetxQ TTL Area-Id ------------------------------------------------------------------------------- to_NOKIA-AGG 10.10.10.3 Full 1 0 31 0.0.0.0 ------------------------------------------------------------------------------- No. of Neighbors: 1 =============================================================================== A:BNG1# show router ldp session ============================================================================== Peer LDP Id Adj Type State Msg Sent Msg Recv Up Time ------------------------------------------------------------------------------ 10.10.10.2:0 Targeted Established 59 61 0d 00:04:50 10.10.10.3:0 Both Established 143 148 0d 00:04:58 10.10.10.4:0 Targeted Established 58 56 0d 00:04:48 ------------------------------------------------------------------------------ No. of IPv4 Sessions: 3 ==============================================================================
BNG2(10.10.10.2) แสดงสถานะ ospf, isis neighbor และ ldp-session
A:BNG2# show router ospf neighbor =============================================================================== Interface-Name Rtr Id State Pri RetxQ TTL Area-Id ------------------------------------------------------------------------------- to_Huawei 10.10.10.4 Full 1 0 32 0.0.0.0 ------------------------------------------------------------------------------- No. of Neighbors: 1 =============================================================================== A:BNG2# show router ldp session ============================================================================== Peer LDP Id Adj Type State Msg Sent Msg Recv Up Time ------------------------------------------------------------------------------ 10.10.10.1:0 Targeted Established 64 64 0d 00:05:01 10.10.10.3:0 Targeted Established 61 62 0d 00:05:07 10.10.10.4:0 Both Established 8778 7170 0d 05:23:50 ------------------------------------------------------------------------------ No. of IPv4 Sessions: 3 ==============================================================================
NOKIA-AGG(10.10.10.3) แสดงสถานะ ospf, isis neighbor และ ldp-session
A:NOKIA-AGG# show router ospf neighbor =============================================================================== Interface-Name Rtr Id State Pri RetxQ TTL Area-Id ------------------------------------------------------------------------------- to_BNG1 10.10.10.1 Full 1 0 36 0.0.0.0 to_Huawei 10.10.10.4 Full 1 0 36 0.0.0.0 ------------------------------------------------------------------------------- No. of Neighbors: 2 =============================================================================== A:NOKIA-AGG# show router isis adjacency =============================================================================== System ID Usage State Hold Interface MT-ID ------------------------------------------------------------------------------- NOKIA-ACC L2 Up 26 to_NOKIA-ACC 0 ------------------------------------------------------------------------------- Adjacencies : 1 =============================================================================== A:NOKIA-AGG# show router ldp session ============================================================================== Peer LDP Id Adj Type State Msg Sent Msg Recv Up Time ------------------------------------------------------------------------------ 10.10.10.1:0 Both Established 606 604 0d 00:22:04 10.10.10.2:0 Targeted Established 245 247 0d 00:21:41 10.10.10.4:0 Both Established 602 496 0d 00:22:07 10.10.10.5:0 Both Established 609 606 0d 00:22:03 10.10.10.6:0 Targeted Established 247 423 0d 00:21:58 ------------------------------------------------------------------------------ No. of Sessions: 5 ==============================================================================
Huawei(10.10.10.4) แสดงสถานะ ospf, isis neighbor และ ldp-session
Huawei#display ospf peer brief ---------------------------------------------------------------------------- Area Id Interface Neighbor id State 0.0.0.0 GigabitEthernet0/0/0 10.10.10.2 Full 0.0.0.0 GigabitEthernet0/0/1 10.10.10.3 Full ---------------------------------------------------------------------------- Huawei#display isis peer System Id Interface Circuit Id State HoldTime Type PRI ------------------------------------------------------------------------------- Cisco GE0/0/2 0000000000 Up 27s L2 -- Huawei#display mpls ldp session ------------------------------------------------------------------------------ PeerID Status LAM SsnRole SsnAge KASent/Rcv ------------------------------------------------------------------------------ 10.10.10.1:0 Operational DU Active 0000:00:51 240/346 10.10.10.2:0 Operational DU Active 0000:19:49 7135/7890 10.10.10.3:0 Operational DU Active 0000:00:51 312/346 10.10.10.5:0 Operational DU Passive 0000:00:53 249/358 10.10.10.6:0 Operational DU Passive 0000:19:49 4757/5434 ------------------------------------------------------------------------------ TOTAL: 5 session(s) Found.
NOKIA-ACC(10.10.10.5) แสดงสถานะ isis neighbor และ ldp-session
A:NOKIA-ACC# show router isis adjacency =============================================================================== System ID Usage State Hold Interface MT-ID ------------------------------------------------------------------------------- Cisco L2 Up 27 to_Cisco 0 NOKIA-AGG L2 Up 26 to_NOKIA-AGG 0 ------------------------------------------------------------------------------- Adjacencies : 2 =============================================================================== A:NOKIA-ACC# show router ldp session ============================================================================== Peer LDP Id Adj Type State Msg Sent Msg Recv Up Time ------------------------------------------------------------------------------ 10.10.10.3:0 Both Established 691 695 0d 00:25:14 10.10.10.4:0 Targeted Established 310 251 0d 00:27:10 10.10.10.6:0 Both Established 745 951 0d 00:27:23 ------------------------------------------------------------------------------ No. of Sessions: 3 ==============================================================================
Cisco(10.10.10.5) แสดงสถานะ isis neighbor และ ldp-session
Cisco#show isis neighbors
System Id Type Interface IP Address State Holdtime Circuit Id
Huawei L2 Fa0/0 192.168.46.4 UP 26 01
NOKIA-ACC L2 Fa0/1 192.168.56.5 UP 21 00
Cisco#
Cisco#show mpls ldp neighbor
Peer LDP Ident: 10.10.10.4:0; Local LDP Ident 10.10.10.6:0
TCP connection: 10.10.10.4.646 - 10.10.10.6.40315
State: Oper; Msgs sent/rcvd: 5310/4778; Downstream
Up time: 18:58:52
LDP discovery sources:
Targeted Hello 10.10.10.6 -> 10.10.10.4, active, passive
FastEthernet0/0, Src IP addr: 192.168.46.4
Addresses bound to peer LDP Ident:
192.168.46.4 10.10.10.4 192.168.24.4 192.168.34.4
Peer LDP Ident: 10.10.10.5:0; Local LDP Ident 10.10.10.6:0
TCP connection: 10.10.10.5.646 - 10.10.10.6.32453
State: Oper; Msgs sent/rcvd: 35/31; Downstream
Up time: 00:03:34
LDP discovery sources:
FastEthernet0/1, Src IP addr: 192.168.56.5
Targeted Hello 10.10.10.6 -> 10.10.10.5, active, passive
Addresses bound to peer LDP Ident:
10.10.10.5 192.168.35.5 192.168.56.5
Peer LDP Ident: 10.10.10.3:0; Local LDP Ident 10.10.10.6:0
TCP connection: 10.10.10.3.646 - 10.10.10.6.19643
State: Oper; Msgs sent/rcvd: 16/11; Downstream
Up time: 00:01:16
LDP discovery sources:
Targeted Hello 10.10.10.6 -> 10.10.10.3, active, passive
Addresses bound to peer LDP Ident:
10.10.10.3 192.168.13.3 192.168.34.3 192.168.35.3
2. ISP Transmission MPLS L2VPN
2.1 การคอนฟิก L2VPN สำหรับ PPPoE
BNG1, BNG2 คอนฟิก L2VPN สำหรับ PPPoE (pw-port 1 vc-id 110)
ที่ BNG จะเป็นคอนฟิก sdp ที่ทำ pw-port คือการผูก sdp, physical port และ vc-id เข้าได้ด้วย ไม่ต้องคอนฟิก epipe หรือ vpls
#== BNG1 pw-port ========================#=== BNG2 pw-port==============
/configure service #/configure service
sdp 103 mpls create # sdp 204 mpls create
description "To_NOKIA-AGG" # description "To_Huawei"
far-end 10.10.10.3 # far-end 10.10.10.4
ldp # ldp
path-mtu 1514 # path-mtu 1514
binding # binding
port 1/1/2 # port 1/1/2
pw-port 1 vc-id 110 create # pw-port 1 vc-id 110 create
no shutdown # no shutdown
exit # exit
exit # exit
no shutdown # no shutdown
exit # exit
NOKIA-AGG(10.10.10.3) คอนฟิก L2VPN สำหรับ PPPoE VPLS 110
sdp type spoke เพราะต้องการให้ farward traffic ระหว่าง sdp
/configure service
sdp 31 mpls create
description "To_BNG1"
far-end 10.10.10.1
ldp
no shutdown
exit
sdp 34 mpls create
description "To_Huawei"
far-end 10.10.10.4
ldp
no shutdown
exit
sdp 35 mpls create
description "To_NOKIA-ACC"
far-end 10.10.10.5
ldp
no shutdown
exit
/configure service
vpls 110 customer 1 create
description "PPPOE_SERVICE_SRRP_PATH"
service-name "PPPOE_SERVICE_SRRP_PATH"
spoke-sdp 31:110 create
no shutdown
exit
spoke-sdp 34:110 create
no shutdown
exit
spoke-sdp 35:110 create
no shutdown
exit
no shutdown
exit
Huawei(10.10.10.4) คอนฟิก L2VPN สำหรับ PPPoE vsi-id 110
pseudo wire(pw) peer type spoke (upe) เพราะต้องการให้ farward traffic ระหว่าง pseudo wire
[Huawei]display current-configuration # mpls l2vpn # vsi PPPOE_SERVICE_SRRP_PATH static description "PPPOE_SERVICE_SRRP_PATH" pwsignal ldp vsi-id 110 peer 10.10.10.2 upe peer 10.10.10.2 pw BNG2 peer 10.10.10.3 upe peer 10.10.10.3 pw NOKIA_AGG peer 10.10.10.5 upe peer 10.10.10.5 pw NOKIA_ACC encapsulation ethernet #
NOKIA-ACC(10.10.10.5) คอนฟิก L2VPN สำหรับ PPPoE epipe 110
epipe นี้ทำ active/standby sdp และ tag-vlan 110 เข้าไปใน sdp
/configure port 1/1/3
description "To_PPPoE-1_PC"
ethernet
mode access
exit
no shutdown
exit
/configure service
sdp 53 mpls create
description "To_NOKIA-AGG"
far-end 10.10.10.3
ldp
no shutdown
exit
sdp 54 mpls create
description "To_Huawei"
far-end 10.10.10.4
ldp
no shutdown
exit
/configure service
epipe 110 customer 1 create
description "IPOE-PW-PORT"
service-name "IPOE-PW-PORT"
endpoint "BACKUP-PW" create
revert-time 20
standby-signaling-master
exit
sap 1/1/3 create
description "To_PPPoE-1_PC"
exit
spoke-sdp 53:110 endpoint "BACKUP-PW" create
vlan-vc-tag 110
force-vlan-vc-forwarding
precedence primary
no shutdown
exit
spoke-sdp 54:110 endpoint "BACKUP-PW" create
vlan-vc-tag 110
force-vlan-vc-forwarding
precedence 1
no shutdown
exit
no shutdown
exit
2.2 การคอนฟิก L2VPN สำหรับ IPoE
BNG1 และ BNG2 คอนฟิก PXC port เพื่อทำ Loop สำหรับ Epipe และ Group-interface
#=== BNG1 and BNG2 configure pxc port ===#
/configure
port-xc
pxc 2 create
port 1/1/5
no shutdown
exit
exit
port 1/1/5
description "PXC"
ethernet
dot1x
tunneling
exit
mode hybrid
encap-type dot1q
exit
no otu
no shutdown
exit
port pxc-2.a
description "PXC-in-EPIPE"
ethernet
exit
no shutdown
exit
port pxc-2.b
description "PXC-in-Grp-Interface"
ethernet
exit
no shutdown
exit
BNG1(10.10.10.1) คอนฟิก L2VPN สำหรับ IPoE
/configure service
sdp 14 mpls create
description "To_Huawei_eNSP"
far-end 10.10.10.4
ldp
no shutdown
exit
/configure service
epipe 120 name "IPOE_SERVICE_PXC-2" customer 1 create
description "IPOE_SERVICE_PXC-2"
sap pxc-2.a:120 create
description "PXC_Port_1/1/5"
no shutdown
exit
spoke-sdp 14:120 create
no shutdown
exit
no shutdown
exit
BNG2(10.10.10.2) คอนฟิก L2VPN สำหรับ IPoE
/configure service
sdp 24 mpls create
description "To_Huawei"
far-end 10.10.10.4
ldp
no shutdown
exit
/configure service
epipe 120 name "IPOE_SERVICE_PXC-2" customer 1 create
description "IPOE_SERVICE_PXC-2"
sap pxc-2.a:120 create
description "PXC_Port_1/1/5"
no shutdown
exit
spoke-sdp 24:120 create
no shutdown
exit
no shutdown
exit
Huawei(10.10.10.4) คอนฟิก L2VPN สำหรับ IPoE
โดยโหนดนี้จะทำเป็น switch-l2vc ทำตี Pseudo wire ไปหา BNG2(srrp Master), backup pw ไปหาBNG1(srrp backup)
[Huawei]display current-configuration # mpls switch-l2vc 10.10.10.6 120 between 10.10.10.2 120 backup 10.10.10.1 120 encapsulation ethernet #
Cisco(10.10.10.6) คอนฟิก L2VPN สำหรับ IPoE
โหนดนี้ตี Pseudo wire ไปหา Huawei โดยไม่ได้ทำ Backup (เพราะผมทำแล้ว backup peer down ยังแก้ปัญหาไม่ได้ ถ้าแค่ primary อย่างเดียวทำได้ โดยทดสอบตีไปหา NOKIA-AGG ก็ ok )
Cisco#show run ! pseudowire-class BNG-PW encapsulation mpls ! interface FastEthernet1/0 description "To_PC_IPOE" no ip address xconnect 10.10.10.4 120 encapsulation mpls pw-class BNG-PW !
2.3 แสดงสถานะ MPLS L2VPN PPPoE, IPoE
BNG1(10.10.10.1) แสดงสถานะ sdp-using ดังนี้12:12 สำหรับ srrp-ipoe-path,
12:100 สำหรับ BNG redundant-interface
14:120 สำหรับ service IPoE
103:110 เป็น sdp ที่คอนฟิก pw-port 1 vc-id 110 สำหรับ PPPoE service และ srrp-pppoe-path
A:BNG1# show service sdp-using =============================================================================== SvcId SdpId Type Far End Opr I.Label E.Label ------------------------------------------------------------------------------- 12 12:12 Spok 10.10.10.2 Up 262131 262133 100 12:100 Spok 10.10.10.2 Up 262130 262132 120 14:120 Spok 10.10.10.4 Up 262141 1026 2147483649 103:110 Spok 10.10.10.3 Up 262133 262132 ------------------------------------------------------------------------------- Number of SDPs : 4 ------------------------------------------------------------------------------- ===============================================================================
BNG2(10.10.10.2) แสดงสถานะ sdp-using เหมือนกันกับ BNG1
A:BNG2# show service sdp-using =============================================================================== SvcId SdpId Type Far End Opr I.Label E.Label ------------------------------------------------------------------------------- 12 21:12 Spok 10.10.10.1 Up 262133 262131 100 21:100 Spok 10.10.10.1 Up 262132 262130 120 24:120 Spok 10.10.10.4 Up 262138 1025 2147483649 204:110 Spok 10.10.10.4 Up 262139 1027 ------------------------------------------------------------------------------- Number of SDPs : 4 ------------------------------------------------------------------------------- ===============================================================================
NOKIA-AGG(10.10.10.3) แสดงสถานะ sdp-using
มี service เดียวคือ vpls 110 สำหรับ pppoe ตี Pseudo wire ไซต์ข้างๆ ด้วย type spoke ตามดีไซน์
A:NOKIA-AGG# show service sdp-using =============================================================================== SvcId SdpId Type Far End Opr I.Label E.Label ------------------------------------------------------------------------------- 110 31:110 Spok 10.10.10.1 Up 262134 262135 110 34:110 Spok 10.10.10.4 Up 262138 1028 110 35:110 Spok 10.10.10.5 Up 262132 262136 ------------------------------------------------------------------------------- Number of SDPs : 3 ------------------------------------------------------------------------------- ===============================================================================
Huawei(10.10.10.4) แสดงสถานะ vsi 110 peer service pppoe จะเห็นว่า Pseudo wire ไปหา NOKIA-ACC(10.10.10.5) เป็น State STANDBY ไม่มีการรับส่งทราฟฟิก และ switch l2vc สำหรับ ipoe
[Huawei]display vsi remote ldp Vsi Peer VC Group Encap MTU Vsi State ID RouterID Label ID Type Value Index Code 110 10.10.10.2 262138 0 ethernet 1500 0 FORWARD 110 10.10.10.5 262134 0 ethernet 1500 0 STANDBY 110 10.10.10.3 262136 0 ethernet 1500 0 FORWARD [Huawei]display mpls switch-l2vc brief Total Switch VC : 1, 1 up, 0 down *Switch-l2vc type : LDP<---->LDP <---->LDP Peer IP Address : 10.10.10.6, 10.10.10.2, 10.10.10.1 VC ID : 120, 120, 120 VC Type : Ethernet VC State : up Session State : up, up, up
NOKIA-ACC(10.10.10.5) แสดงสถานะ sap และ sdp ที่คอนฟิกใน epipe 110 service PPPoE
โดย sdp primary ไปหา NOKIA-AGG(10.10.10.3), Backup ไปหา Huawei(10.10.10.4)
A:NOKIA-ACC# show service id 110 base Identifier Type AdmMTU OprMTU Adm Opr ------------------------------------------------------------------------------- sap:1/1/3:0 q-tag 1518 1518 Up Up sdp:53:110 S(10.10.10.3) Spok 0 8914 Up Up sdp:54:110 S(10.10.10.4) Spok 0 8914 Up Up =============================================================================== A:NOKIA-ACC#
Cisco (10.10.10.6) แสดงสถานะ xconnect ที่คอนฟิกที่ port Fa1/0 serivce IPoE
Cisco#show mpls l2transport vc Local intf Local circuit Dest address VC ID Status ------------- -------------------------- --------------- ---------- ---------- Fa1/0 Ethernet 10.10.10.4 120 UP
3. ฝั่ง Core สำหรับ Internet และ Radius โดยใช้ BGP
ใช้ IP ขา Wan ในการทำ bgp peer.
BNG จะประกาศ loopback radius และประกาศ subscriber address ที่ track srrp state เพื่อใช้ในการควบคุมทราฟฟิกที่มาจาก Internet ให้ลงมาที่ BNG ที่สถานะเป็น Master เพื่อให้ทราฟฟิกขาขึ้นและขาลงจะได้เป็นทางเดียวกัน (symmetric route) ส่วนการคอนฟิก srrp, group-interface , subscriber-interface จะแสดงไว้ในส่วนของ BNG Subscriber management
Mikrotik เป็นอุปกรณ์จริงที่อยู่ที่บ้าน ทำหน้าเป็น NAT และทางออก Internet โดยจะประกาศ default-route ให้ vSRX
3.1 การคอนฟิกฝั่ง Core สำหรับ Internet และ Radius โดยใช้ BGP
BNG1(10.10.10.1) คอนฟิก eBGP peer ไปหา vSRX/configure port 1/1/1
description "To_vSRX"
ethernet
mode access
exit
no shutdown
exit
/configure service
vprn 100 name "BNG-SERVICE" customer 1 create
description "BNG-Service"
router-id 10.10.10.1
autonomous-system 65000
route-distinguisher 65000:100
interface "loopback_radius" create
address 10.5.4.1/32
loopback
exit
interface "to_vSRX" create
address 192.168.17.1/24
sap 1/1/1 create
exit
exit
bgp
group "vSRX"
export "eBGP-EXPORT"
peer-as 65008
neighbor 192.168.17.7
exit
exit
no shutdown
exit
BNG2 (10.10.10.2) คอนฟิก eBGP peer ไปหา vSRX
/configure port 1/1/1
description "To_vSRX"
ethernet
mode access
exit
no shutdown
exit
/configure service
vprn 100 name "BNG-SERVICE" customer 1 create
description "BNG-Service"
router-id 10.10.10.2
autonomous-system 65000
route-distinguisher 65000:100
interface "loopback_radius" create
address 10.5.4.2/32
loopback
exit
interface "to_vSRX" create
address 192.168.27.2/24
sap 1/1/1 create
exit
exit
bgp
group "vSRX"
export "eBGP-EXPORT"
peer-as 65008
neighbor 192.168.27.7
exit
exit
no shutdown
exit
BNG1 และ BNG2 configure Router Policy ให้ track srrp state และประการ Loopback_radius
#=== BNG1 and BNG2 track srrp state ======#
/configure router
policy-options
begin
prefix-list "SUBSCRIBER"
prefix 172.16.11.0/24 exact
prefix 172.16.12.0/24 exact
exit
prefix-list "Loopback_Radius"
prefix 10.5.4.2/32 exact
exit
policy-statement "eBGP-EXPORT"
entry 5
from
prefix-list "Loopback_Radius"
exit
action accept
exit
exit
entry 10
from
prefix-list "SUBSCRIBER"
state srrp-master
exit
action accept
metric set 2000
exit
exit
entry 20
from
prefix-list "SUBSCRIBER"
exit
action accept
metric set 3000
exit
exit
default-action drop
exit
exit
commit
exit
Juniper vSRX (10.10.10.7) คอนฟิก eBGP peer ไปหา BNG และ iBGP peer ไปหา Mikrotik
ยังคงทำหน้าเป็น Firewall ที่ allow all โดยให้ Radius อยู่ zone trust, Mikrotik อยู่ zone untrust , BNG อยู่ zone SUBSCRIBER. ส่วน bgp ก็จะประกาศ default-route ที่มาจาก mikrotik ส่งไปให้ BNG และประกาศ subscriber addressไปให้ Mikrotik โดยเซ็ต next-hop self ด้วย
root@vSRX# show | display set set interfaces ge-0/0/0 unit 0 family inet address 192.168.17.7/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.27.7/24 set interfaces ge-0/0/2 unit 0 family inet address 192.168.78.7/24 set interfaces ge-0/0/3 unit 0 family inet address 11.11.11.1/24 set interfaces ge-0/0/4 unit 0 family inet address 12.12.12.1/24 set routing-options router-id 10.10.10.7 set routing-options autonomous-system 65008 set protocols bgp group BNG export eBGP-EXPORT set protocols bgp group BNG peer-as 65000 set protocols bgp group BNG neighbor 192.168.17.1 set protocols bgp group BNG neighbor 192.168.27.2 set protocols bgp group iBGP export iBGP-EXPORT set protocols bgp group iBGP peer-as 65008 set protocols bgp group iBGP local-as 65008 set protocols bgp group iBGP neighbor 192.168.78.8 set policy-options policy-statement eBGP-EXPORT term term1 from protocol direct set policy-options policy-statement eBGP-EXPORT term term1 then accept set policy-options policy-statement eBGP-EXPORT term term2 from protocol bgp set policy-options policy-statement eBGP-EXPORT term term2 then accept set policy-options policy-statement iBGP-EXPORT term term1 from protocol direct set policy-options policy-statement iBGP-EXPORT term term1 then next-hop self set policy-options policy-statement iBGP-EXPORT term term1 then accept set policy-options policy-statement iBGP-EXPORT term term2 from protocol bgp set policy-options policy-statement iBGP-EXPORT term term2 then next-hop self set policy-options policy-statement iBGP-EXPORT term term2 then accept set security policies from-zone SUBSCRIBER to-zone trust policy Policy-1 match source-address any set security policies from-zone SUBSCRIBER to-zone trust policy Policy-1 match destination-address any set security policies from-zone SUBSCRIBER to-zone trust policy Policy-1 match application any set security policies from-zone SUBSCRIBER to-zone trust policy Policy-1 then permit set security policies from-zone SUBSCRIBER to-zone untrust policy To_internet match source-address any set security policies from-zone SUBSCRIBER to-zone untrust policy To_internet match destination-address any set security policies from-zone SUBSCRIBER to-zone untrust policy To_internet match application any set security policies from-zone SUBSCRIBER to-zone untrust policy To_internet then permit set security policies from-zone trust to-zone SUBSCRIBER policy Policy-1 match source-address any set security policies from-zone trust to-zone SUBSCRIBER policy Policy-1 match destination-address any set security policies from-zone trust to-zone SUBSCRIBER policy Policy-1 match application any set security policies from-zone trust to-zone SUBSCRIBER policy Policy-1 then permit set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic protocols bgp set security zones security-zone SUBSCRIBER interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone SUBSCRIBER interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp set security zones security-zone SUBSCRIBER interfaces ge-0/0/1.0 host-inbound-traffic system-services ping set security zones security-zone SUBSCRIBER interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp [edit] root@vSRX#
Mikrotik คอนฟิกผ่าน winbox
Mikrotik คอนฟิก interface address และ NAT สำหรับ Subscriber
Mikrotik คอนฟิก iBGP peer ไปหา vSRX และเซ็ท default-route originate ด้วย
Configure Radius สำหรับ Authentication
Radius1 (11.11.11.11) primary for PPPoE, secondary for IPoE
Radius2 (12.12.12.12) Primary for IPoE secondary for PPPoE
3.2 แสดงสถานะคอนฟิกฝั่ง Core BGP session และ Route-Table
BNG1(10.10.10.1) สถานะ bgp และ route-table
BGP peer state established. ได้รับ Default-route และ Radius route มาจาก vSRX.
A:BNG1# show router 100 bgp neighbor
===============================================================================
-------------------------------------------------------------------------------
Peer : 192.168.17.7
Description : (Not Specified)
Group : vSRX
-------------------------------------------------------------------------------
Peer AS : 65008 Peer Port : 54654
Peer Address : 192.168.17.7
Local AS : 65000 Local Port : 179
Local Address : 192.168.17.1
Peer Type : External Dynamic Peer : No
State : Established Last State : Established
#--- snipped ---
*A:BNG1# show router 100 route-table
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
0.0.0.0/0 Remote BGP 00h27m19s 170
192.168.17.7 0
11.11.11.0/24 Remote BGP 00h27m19s 170
192.168.17.7 0
12.12.12.0/24 Remote BGP 00h27m19s 170
192.168.17.7 0
#----- snipped----
BNG2(10.10.10.2) สถานะ bgp และ route-table
BGP peer state established. ได้รับ Default-route และ Radius route มาจาก vSRX.
A:BNG2# show router 100 bgp neighbor
===============================================================================
-------------------------------------------------------------------------------
Peer : 192.168.27.7
Description : (Not Specified)
Group : vSRX
-------------------------------------------------------------------------------
Peer AS : 65008 Peer Port : 55020
Peer Address : 192.168.27.7
Local AS : 65000 Local Port : 179
Local Address : 192.168.27.2
Peer Type : External Dynamic Peer : No
State : Established Last State : Established
#--- snipped ---
A:BNG2# show router 100 route-table
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
0.0.0.0/0 Remote BGP 00h27m04s 170
192.168.27.7 0
11.11.11.0/24 Remote BGP 00h27m04s 170
192.168.27.7 0
12.12.12.0/24 Remote BGP 00h27m04s 170
192.168.27.7 0
#----- snipped ----
vSRX (10.10.10.7) สถานะ bgp และ route-table
BGP state established. ได้รับ default มาจาก Mikrotik และ ได้รับ Subscriber route มาจาก BNG ด้วย Med ที่ถูกต้อง
root@vSRX> show bgp neighbor Peer: 192.168.17.1+179 AS 65000 Local: 192.168.17.7+59773 AS 65008 Type: External State: Established Flags: <Sync> #--- snipped --- Peer: 192.168.27.2+179 AS 65000 Local: 192.168.27.7+64241 AS 65008 Type: External State: Established Flags: <Sync> #--- snipped --- Peer: 192.168.78.8+46150 AS 65008 Local: 192.168.78.7+179 AS 65008 Type: Internal State: Established Flags: <Sync> #--- snipped --- root@vSRX> show route inet.0: 15 destinations, 17 routes (15 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[BGP/170] 19:42:13, localpref 100 AS path: ? > to 192.168.78.8 via ge-0/0/2.0 172.16.11.0/24 *[BGP/170] 00:05:16, MED 2000, localpref 100 AS path: 65000 I > to 192.168.17.1 via ge-0/0/0.0 [BGP/170] 00:05:36, MED 3000, localpref 100 AS path: 65000 I > to 192.168.27.2 via ge-0/0/1.0 172.16.12.0/24 *[BGP/170] 21:01:11, MED 2000, localpref 100 AS path: 65000 I > to 192.168.27.2 via ge-0/0/1.0 [BGP/170] 00:05:16, MED 3000, localpref 100 AS path: 65000 I > to 192.168.17.1 via ge-0/0/0.0 #--- snipped ---
Mikrotik สถานะ route-table
ได้รับ subscriber route มาจาก vSRX และ gateway ถูก
4. การคอนฟิก BNG Subscriber Management และ Redundant
4.1 การคอนฟิก BNG Subscriber Management และ Redundant
BNG1 กับ BNG2 คอนฟิก multi-chasis เพื่อ sync object ระหว่างโหนด#=== BNG1 Multi-Chassis =========================#=== BNG2 Multi-Chassis =========================
/configure redundancy #/configure redundancy
multi-chassis # multi-chassis
peer 10.10.10.2 create # peer 10.10.10.1 create
source-address 10.10.10.1 # source-address 10.10.10.2
sync # sync
local-dhcp-server # local-dhcp-server
srrp # srrp
sub-mgmt ipoe pppoe # sub-mgmt ipoe pppoe
port pxc-2.b sync-tag "SYNC-IPOE" create # port pxc-2.b sync-tag "SYNC-IPOE" create
exit # exit
port pw-1 sync-tag "SYNC-PPPOE" create # port pw-1 sync-tag "SYNC-PPPOE" create
exit # exit
no shutdown # no shutdown
exit # exit
no shutdown # no shutdown
BNG1 and BNG2 คอนฟิก local dhcp server and fail-over
#=== BNG1 DHCP Server and Fail-Over configuration #=== BNG2 DHCP Server and Fail-Over configuration =====#
/configure service vprn 100 #/configure service vprn 100
dhcp # dhcp
local-dhcp-server "DHCP-SERVER-IPOE" create # local-dhcp-server "DHCP-SERVER-IPOE" create
use-gi-address scope pool # use-gi-address scope pool
pool "POOL-IPOE-1" create # pool "POOL-IPOE-1" create
options # options
dns-server 8.8.4.4 # dns-server 8.8.4.4
exit # exit
subnet 172.16.12.0/24 create # subnet 172.16.12.0/24 create
options # options
default-router 172.16.12.1 # default-router 172.16.12.1
exit # exit
address-range 172.16.12.4 172.16.12.254 # address-range 172.16.12.4 172.16.12.254
exit # exit
exit # exit
failover # failover
peer 10.10.10.2 tag "SYNC-DHCP-IPOE" # peer 10.10.10.1 tag "SYNC-DHCP-IPOE"
no shutdown # no shutdown
exit # exit
no shutdown # no shutdown
exit # exit
local-dhcp-server "DHCP-SERVER-PPPOE" create # local-dhcp-server "DHCP-SERVER-PPPOE" create
use-gi-address scope pool # use-gi-address scope pool
pool "POOL-PPPOE-1" create # pool "POOL-PPPOE-1" create
options # options
dns-server 8.8.8.8 # dns-server 8.8.8.8
exit # exit
subnet 172.16.11.0/24 create # subnet 172.16.11.0/24 create
options # options
default-router 172.16.11.1 # default-router 172.16.11.1
exit # exit
address-range 172.16.11.4 172.16.11.254 # address-range 172.16.11.4 172.16.11.254
exit # exit
exit # exit
failover # failover
peer 10.10.10.2 tag "SYNC-DHCP-PPPOE" # peer 10.10.10.1 tag "SYNC-DHCP-PPPOE"
no shutdown # no shutdown
exit # exit
no shutdown # no shutdown
exit # exit
exit # exit
interface "loopback_DHCP-IPOE" create # interface "loopback_DHCP-IPOE" create
address 100.100.100.12/32 # address 100.100.101.12/32
local-dhcp-server "DHCP-SERVER-IPOE" # local-dhcp-server "DHCP-SERVER-IPOE"
loopback # loopback
exit # exit
interface "loopback_DHCP-PPPOE" create # interface "loopback_DHCP-PPPOE" create
address 100.100.100.11/32 # address 100.100.101.11/32
local-dhcp-server "DHCP-SERVER-PPPOE" # local-dhcp-server "DHCP-SERVER-PPPOE"
loopback # loopback
exit # exit
BNG1 and BNG2 เตรียม python file สำหรับ PPPoE access-accept
อาจใช้ winscp เพื่อ ftp file หรือ vi หรือ วิธีอื่นๆ ตามสะดวกนะครับ
Python นี้จะทำหน้าที่เปลี่ยนจาก reply message จาก radius ที่มาด้วยค่า SUB-PPPOE-10M|SLA-PPPOE-10M จากนั้นก็แยก sub profile กับ sla profile ออกกันด้วยเครื่องหมาย "|" แล้วเซ็ตค่านั้นให้ให้กับ BNG เลย
file location: cf3:\python-script\cotton_accept.py
# Cotton NOKIA Radius python script
from alc import radius
# reply_msg = "SUB-PPPOE-10M|SLA-PPPOE-10M"
if radius.attributes.isSet(18):
print "REPLY_MSG = ", radius.attributes.get(18)
reply_msg = radius.attributes.get(18).split("|")
if len(reply_msg) == 2:
sub_profile = reply_msg[0]
sla_profile = reply_msg[1]
radius.attributes.setVSA(6527, 12, sub_profile)
radius.attributes.setVSA(6527, 13, sla_profile )
print "Set alcatel redius attribute ok"
else:
print "Can't get reply message from radius"
สำหรับใครที่ต้องการศึกษา Python Script Support for ESM สามารถศึกษาได้จากลิ้งค์ด้านล่างเพิ่มเติม
support python version 2.4.2 นะครับ
https://documentation.nokia.com/html/0_add-h-f/93-0098-HTML/7750_SR_OS_Triple_Play_Guide/Appendix-Python.html
BNG1 และ BNG2 การคอนฟิก python script policy สำหรับ access-accept เท่านั้น
#=== BNG1 and BNG2 pyhon script policy for PPPoE access-accept ===#
/configure
python
python-script "accept_python" create
action-on-fail passthrough
primary-url "cf3:\python-script\cotton_accept.py"
no shutdown
exit
python-policy "cotton-pppoe-accept" create
radius access-accept direction ingress script "accept_python"
exit
exit
BNG1 and BNG2 การคอนฟิก Radius Server Policy
Radius Server มี 2 Server เพื่อทำ Primary/Secondary
ในแล็บนี้ python script policy จะ apply ที่ radius server policy ของ PPPoE เท่านั้น IPoE จะไม่ใช้ python policy
#=== BNG1 Radius server policy configuration ===================================#
/configure service vprn 100
interface "loopback_radius" create
address 10.5.4.1/32
loopback
exit
radius-server
server "radius1-pppoe" address 11.11.11.11 secret Radius1! create
description "pri=pppoe secret=Radius1!"
exit
server "radius2-ipoe" address 12.12.12.12 secret Radius2! create
description "pri=ipoe secret=Radius2!"
exit
exit
/configure aaa
radius-server-policy "RADIUS-PRI-IPOE" create
servers
router 100
source-address 10.5.4.1
server 1 name "radius2-ipoe"
server 2 name "radius1-pppoe"
exit
exit
radius-server-policy "RADIUS-PRI-PPPOE" create
python-policy "cotton-pppoe-accept"
servers
router 100
source-address 10.5.4.1
server 1 name "radius1-pppoe"
server 2 name "radius2-ipoe"
exit
exit
exit
#=== BNG2 Radius server policy configuration ===================================#
/configure service vprn 100
interface "loopback_radius" create
address 10.5.4.2/32
loopback
exit
radius-server
server "radius1-pppoe" address 11.11.11.11 secret Radius1! create
description "pri=pppoe secret=Radius1!"
exit
server "radius2-ipoe" address 12.12.12.12 secret Radius2! create
description "pri=ipoe secret=Radius2!"
exit
exit
/configure aaa
radius-server-policy "RADIUS-PRI-IPOE" create
servers
router 100
source-address 10.5.4.2
server 1 name "radius2-ipoe"
server 2 name "radius1-pppoe"
exit
exit
radius-server-policy "RADIUS-PRI-PPPOE" create
python-policy "cotton-pppoe-accept"
servers
router 100
source-address 10.5.4.2
server 1 name "radius1-pppoe"
server 2 name "radius2-ipoe"
exit
exit
exit
BNG1 and BNG2 การคอนฟิก authentication and accounting policy
Subscriber profile and SLA profile
#=== BNG1 and BNG2 Authen, AccountPolicy , Sub profile and SLA profile ===#
/configure subscriber-mgmt
authentication-policy "AUTHEN-IPOE" create
radius-server-policy "RADIUS-PRI-IPOE"
exit
authentication-policy "AUTHEN-PPPOE" create
pppoe-access-method pap-chap
radius-server-policy "RADIUS-PRI-PPPOE"
exit
radius-accounting-policy "RADIUS-ACCOUTING-IPOE" create
session-accounting interim-update
update-interval 5
include-radius-attribute
subscriber-id
user-name
std-acct-attributes
exit
session-id-format number
radius-server-policy "RADIUS-PRI-IPOE"
exit
radius-accounting-policy "RADIUS-ACCOUTING-PPPOE" create
session-accounting interim-update
update-interval 5
include-radius-attribute
subscriber-id
user-name
std-acct-attributes
exit
session-id-format number
radius-server-policy "RADIUS-PRI-PPPOE"
exit
sla-profile "DEFAULT-SLA-IPOE" create
exit
sla-profile "DEFAULT-SLA-PPPOE" create
exit
sla-profile "SLA-IPOE-PKG-1" create
exit
sla-profile "SLA-PPPOE-10M" create
exit
sub-profile "DEFAULT-SUB-IPOE" create
exit
sub-profile "DEFAULT-SUB-PPPOE" create
exit
sub-profile "SUB-IPOE-PKG-1" create
radius-accounting
policy "RADIUS-ACCOUTING-IPOE"
exit
exit
sub-profile "SUB-PPPOE-10M" create
radius-accounting
policy "RADIUS-ACCOUTING-PPPOE"
exit
exit
sub-ident-policy "SUB-INDENT" create
sub-profile-map
use-direct-map-as-default
exit
sla-profile-map
use-direct-map-as-default
exit
exit
exit
Diagram สำหรับ SRRP และ Redundant interface
redundant interface เอาไว้สำหรับ รับส่งทราฟฟิกระหว่าง group-interface BNG1, BNG2 ในกรณ์ที่ ทราฟฟิกที่ลงมาจาก Internet มาเข้าที่ BNG (backup)
BNG (backup) จะส่งทราฟฟิกให้ BNG(master) ผ่านทาง redundant interface ก่อน
จากนั้น BNG master ค่อยส่งทราฟฟิกไปให้ subscriber user
แต่ในแล็บนี้ Redundant ในภาวะปกติจะไม่ได้ใช้งาน เพราะเรา control traffic ให้ลงตัว Master เท่านั้นด้วยการ track srrp
#==== BNG1 redundant-interface ======================#
/configure service
sdp 12 mpls create
description "To_BNG2"
far-end 10.10.10.2
ldp
no shutdown
exit
/configure service vprn 100
redundant-interface "bng-redundant" create
address 192.168.0.0/31
ip-mtu 1500
spoke-sdp 12:100 create
no shutdown
exit
exit
#==== BNG2 redundant-interface ======================#
/configure service
sdp 21 mpls create
description "To_BNG1"
far-end 10.10.10.1
ldp
no shutdown
exit
/configure service vprn 100
redundant-interface "bng-redundant" create
address 192.168.0.1/31
ip-mtu 1500
spoke-sdp 21:100 create
no shutdown
exit
exit
BNG1 and BNG2 configure PPPoE subscriber-interface, group-interface
ก็จะมีคอนฟิกในส่วนของ SRRP 11 (pw-1:11) , DHCP Server และเพื่อให้บริการ subscriber (pw-1:110)
#==== BNG1 provide PPPoE ( MASTER ) =========================================#
/configure service vprn 100
subscriber-interface "SUB-PPPOE" create
address 172.16.11.2/24 gw-ip-address 172.16.11.1 track-srrp 11
group-interface "GRP-PPPOE-1" create
dhcp
server 100.100.100.11
trusted
lease-populate 32767
client-applications ppp
gi-address 172.16.11.2
no shutdown
exit
authentication-policy "AUTHEN-PPPOE"
redundant-interface "bng-redundant"
sap pw-1:11 create
description "srrp-message-path"
exit
sap pw-1:110 create
sub-sla-mgmt
def-sub-id use-auto-id
def-sub-profile "DEFAULT-SUB-PPPOE"
def-sla-profile "DEFAULT-SLA-PPPOE"
sub-ident-policy "SUB-INDENT"
multi-sub-sap 32767
no shutdown
exit
exit
srrp 11 create
message-path pw-1:11
priority 200
no shutdown
exit
pppoe
session-limit 32767
sap-session-limit 32767
no shutdown
exit
exit
exit
#==== BNG2 provide PPPoE ( BACKUP ) =========================================#
/configure service vprn 100
subscriber-interface "SUB-PPPOE" create
address 172.16.11.3/24 gw-ip-address 172.16.11.1 track-srrp 11
group-interface "GRP-PPPOE-1" create
dhcp
server 100.100.101.11
trusted
lease-populate 32767
client-applications ppp
gi-address 172.16.11.3
no shutdown
exit
authentication-policy "AUTHEN-PPPOE"
redundant-interface "bng-redundant"
sap pw-1:11 create
description "srrp-message-path"
exit
sap pw-1:110 create
sub-sla-mgmt
def-sub-id use-auto-id
def-sub-profile "DEFAULT-SUB-PPPOE"
def-sla-profile "DEFAULT-SLA-PPPOE"
sub-ident-policy "SUB-INDENT"
multi-sub-sap 32767
no shutdown
exit
exit
srrp 11 create
message-path pw-1:11
priority 150
no shutdown
exit
pppoe
session-limit 32767
sap-session-limit 32767
no shutdown
exit
exit
exit
BNG1 and BNG2 configure IPoE subscriber-interface, group-interface
ก็จะมีคอนฟิกในส่วนของ SRRP 12 (pxc-2.b:12) , DHCP และเพื่อให้บริการ subscriber (pxc-2.b:120)
#==== BNG1 provide IPoE ( BACKUP ) =========================================#
subscriber-interface "SUB-IPOE" create
address 172.16.12.2/24 gw-ip-address 172.16.12.1 track-srrp 12
group-interface "GRP-IPOE-1" create
dhcp
server 100.100.100.12
trusted
lease-populate 32767
gi-address 172.16.12.2
no shutdown
exit
authentication-policy "AUTHEN-IPOE"
redundant-interface "bng-redundant"
sap pxc-2.b:12 create
description "SRRP-12-MESSAGE-PATH"
exit
sap pxc-2.b:120 create
sub-sla-mgmt
def-sub-id use-auto-id
def-sub-profile "DEFAULT-SUB-IPOE"
def-sla-profile "DEFAULT-SLA-IPOE"
sub-ident-policy "SUB-INDENT"
multi-sub-sap 32767
no shutdown
exit
exit
srrp 12 create
message-path pxc-2.b:12
priority 150
no shutdown
exit
arp-host
host-limit 32767
sap-host-limit 32767
no shutdown
exit
exit
exit
#==== BNG2 provide IPoE ( MASTER ) =========================================#
/configure service vprn 100
subscriber-interface "SUB-IPOE" create
address 172.16.12.3/24 gw-ip-address 172.16.12.1 track-srrp 12
group-interface "GRP-IPOE-1" create
dhcp
server 100.100.101.12
trusted
lease-populate 32767
gi-address 172.16.12.3
no shutdown
exit
authentication-policy "AUTHEN-IPOE"
redundant-interface "bng-redundant"
sap pxc-2.b:12 create
description "SRRP-12-MESSAGE-PATH"
exit
sap pxc-2.b:120 create
sub-sla-mgmt
def-sub-id use-auto-id
def-sub-profile "DEFAULT-SUB-IPOE"
def-sla-profile "DEFAULT-SLA-IPOE"
sub-ident-policy "SUB-INDENT"
multi-sub-sap 32767
no shutdown
exit
exit
srrp 12 create
message-path pxc-2.b:12
priority 200
no shutdown
exit
arp-host
host-limit 32767
sap-host-limit 32767
no shutdown
exit
exit
exit
PPPoE message path ใช้ pw-1:11 โดย pw-1 คอนฟิกได้ที่ BNG1 sdp 103, BNG2 sdp 204 โดยผูกกับ port 1/1/2 vc-id 110 ในที่นี้ design ให้ srrp ใช้ vc-id เดียวกันกับทราฟฟิก และให้วิ่งผ่าน NOKIA-AGG vpls 110 และ Huawei vsi id 110 ที่ BNG จะไม่มีคอนฟิก epipe หรือ vpls เพิ่ม
BNG1 and BNG2 คอนฟิก Epipe สำหรับ IPoE srrp-message
#==== BNG1 Epipe for IPoE srrp path =========================================#
/configure service
epipe 12 name "IPOE-SRRP-PATH" customer 1 create
description "IPOE-SRRP-PATH"
sap pxc-2.a:12 create
no shutdown
exit
spoke-sdp 12:12 create
no shutdown
exit
no shutdown
exit
#==== BNG2 Epipe for IPoE srrp path =========================================#
/configure service
epipe 12 name "IPOE-SRRP-PATH" customer 1 create
description "IPOE-SRRP-PATH"
sap pxc-2.a:12 create
no shutdown
exit
spoke-sdp 21:12 create
no shutdown
exit
no shutdown
exit
4.2 แสดงสถานะ BNG
BNG1 and BNG2 แสดงสถานะ multi-chassisA:BNG1# show redundancy multi-chassis sync =============================================================================== Multi-chassis Peer Table =============================================================================== Peer ------------------------------------------------------------------------------- Peer IP Address : 10.10.10.2 Description : (Not Specified) Authentication : Disabled Source IP Address : 10.10.10.1 Admin State : Enabled Warm standby : No Remote warm standby : No ------------------------------------------------------------------------------- Sync-status ------------------------------------------------------------------------------- Client Applications : SUBMGMT-IPOE SUBMGMT-PPPOE SRRP DHCPServer Sync Admin State : Up Sync Oper State : Up Sync Oper Flags : DB Sync State : inSync #------ snip ------------ A:BNG2# show redundancy multi-chassis sync =============================================================================== Multi-chassis Peer Table =============================================================================== Peer ------------------------------------------------------------------------------- Peer IP Address : 10.10.10.1 Description : (Not Specified) Authentication : Disabled Source IP Address : 10.10.10.2 Admin State : Enabled Warm standby : No Remote warm standby : No ------------------------------------------------------------------------------- Sync-status ------------------------------------------------------------------------------- Client Applications : SUBMGMT-IPOE SUBMGMT-PPPOE SRRP DHCPServer Sync Admin State : Up Sync Oper State : Up Sync Oper Flags : DB Sync State : inSync #------ snip ------------
BNG1 and BNG2 แสดงสถานะ SRRP
PPPoE จะ Master ที่ BNG1, IPoE จะ Mater ที่ BNG2
A:BNG1# show srrp =============================================================================== SRRP Table =============================================================================== ID Service Group Interface Admin Oper ------------------------------------------------------------------------------- 12 100 GRP-IPOE-1 Up backupShunt 11 100 GRP-PPPOE-1 Up master ------------------------------------------------------------------------------- No. of SRRP Entries: 2 =============================================================================== A:BNG2# show srrp =============================================================================== SRRP Table =============================================================================== ID Service Group Interface Admin Oper ------------------------------------------------------------------------------- 12 100 GRP-IPOE-1 Up master 11 100 GRP-PPPOE-1 Up backupShunt ------------------------------------------------------------------------------- No. of SRRP Entries: 2 ===============================================================================
BNG1 and BNG2 แสดงสถานะ dhcp failover-server sync กันปกติ
A:BNG1# show router 100 dhcp local-dhcp-server "DHCP-SERVER-PPPOE" failover-server-stats ================================================================== Failover config for server DHCP-SERVER-PPPOE ================================================================== Failover Admin State inService Failover Oper State normal #--- snip ---- A:BNG1# show router 100 dhcp local-dhcp-server "DHCP-SERVER-IPOE" failover-server-stats ================================================================== Failover config for server DHCP-SERVER-IPOE ================================================================== Failover Admin State inService Failover Oper State normal #--- snip ---- A:BNG2# show router 100 dhcp local-dhcp-server "DHCP-SERVER-PPPOE" failover-server-stats ================================================================== Failover config for server DHCP-SERVER-PPPOE ================================================================== Failover Admin State inService Failover Oper State normal #--- snip ---- A:BNG2# show router 100 dhcp local-dhcp-server "DHCP-SERVER-IPOE" failover-server-stats ================================================================== Failover config for server DHCP-SERVER-IPOE ================================================================== Failover Admin State inService Failover Oper State normal #--- snip ----
ทดสอบ Subscriber Authentication
BNG1 แสดงสถานะ subscriber ที่มาเกาะ และสถานะ dhcp lease state
จะเห็น active subscriber ทั้ง PPPoE และ IPoE
*A:BNG1# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber 50:01:00:13:00:00|pw-1:110|1 (SUB-PPPOE-10M)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:pw-1:110 - sla:SLA-PPPOE-10M
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
172.16.11.9
50:01:00:13:00:00 PPP 1 IPCP 100 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Subscriber 50:01:00:14:00:00|pxc-2.b:120 (SUB-IPOE-PKG-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:pxc-2.b:120 - sla:SLA-IPOE-PKG-1
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
172.16.12.5
50:01:00:14:00:00 N/A DHCP 100 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG1# show router 100 dhcp local-dhcp-server "DHCP-SERVER-PPPOE" leases
===============================================================================
Leases for DHCP server DHCP-SERVER-PPPOE router 100
===============================================================================
IP Address Lease State Mac Address Remaining Clnt Fail
PPP user name/Opt82 Circuit Id LifeTime Type Ctrl
User-db/Sticky-lease Hostname
-------------------------------------------------------------------------------
172.16.11.9 stable 50:01:00:13:00:00 0h11m35s ppp local
abc1@cotton.com
-------------------------------------------------------------------------------
1 leases found
===============================================================================
*A:BNG1# show router 100 dhcp local-dhcp-server "DHCP-SERVER-IPOE" leases
===============================================================================
Leases for DHCP server DHCP-SERVER-IPOE router 100
===============================================================================
IP Address Lease State Mac Address Remaining Clnt Fail
PPP user name/Opt82 Circuit Id LifeTime Type Ctrl
User-db/Sticky-lease Hostname
-------------------------------------------------------------------------------
172.16.12.5 stable 50:01:00:14:00:00 14d23h21m dhcp local
-------------------------------------------------------------------------------
1 leases found
===============================================================================
BNG2 แสดงสถานะ active subscriber ที่มาเกาะ และสถานะ dhcp lease state
จะเห็นว่ามีแค่ active subscriber ของ IPoE เท่านั้น ควรจะเห็น PPPoE ด้วย แต่สถานะ dhcp lease เห็นทั้งสอง( dhcp sync ปกติ)
*A:BNG2# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber 50:01:00:14:00:00|pxc-2.b:120 (SUB-IPOE-PKG-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:pxc-2.b:120 - sla:SLA-IPOE-PKG-1
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
172.16.12.5
50:01:00:14:00:00 N/A DHCP 100 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 1
===============================================================================
*A:BNG2# show router 100 dhcp local-dhcp-server "DHCP-SERVER-PPPOE" leases
===============================================================================
Leases for DHCP server DHCP-SERVER-PPPOE router 100
===============================================================================
IP Address Lease State Mac Address Remaining Clnt Fail
PPP user name/Opt82 Circuit Id LifeTime Type Ctrl
User-db/Sticky-lease Hostname
-------------------------------------------------------------------------------
172.16.11.9 stable 50:01:00:13:00:00 0h12m44s ppp local
abc1@cotton.com
-------------------------------------------------------------------------------
1 leases found
===============================================================================
*A:BNG2# show router 100 dhcp local-dhcp-server "DHCP-SERVER-IPOE" leases
===============================================================================
Leases for DHCP server DHCP-SERVER-IPOE router 100
===============================================================================
IP Address Lease State Mac Address Remaining Clnt Fail
PPP user name/Opt82 Circuit Id LifeTime Type Ctrl
User-db/Sticky-lease Hostname
-------------------------------------------------------------------------------
172.16.12.5 stable 50:01:00:14:00:00 14d23h22m dhcp local
-------------------------------------------------------------------------------
1 leases found
===============================================================================
สำหรับ PPPoE sync-lost ที่ BNG2 ผมยังไม่รู้ว่าปัญหาอยู่ที่ใหน ถ้าแก้ได้หรือรู้ว่าอยู่ตรงใหนผมจะกลับมาอัพเดทอีกทีครับ ตอนนี้ show log ไว้ก่อนละกัน
สิ่งที่ลองเทสแก้ปัญหาไปแล้วคือ เปลี่ยนตัว Master ก็ยัง sync-lost , เพิ่ม physical Link BNG1-BNG2 ก็ยัง sync-lost และลองคอมมานอื่นๆ ก็ยังไม่ได้ เลยไม่แน่ใจว่าเป็นเพราะลองในแล็บหรือป่าว ถ้ามีโอกาสผมจะลองเอาคอนฟิกชุดนี้ใช้กับอุปกรณ์จริงแล้วมาเล่าให้ฟังครับ
A:BNG2# show log log-id 99 =============================================================================== Event Log 99 =============================================================================== Description : Default System Log Memory Log contents [size=500 next event=5 (not wrapped)] 4 2019/06/01 04:47:37.806 UTC WARNING: MC_REDUNDANCY #2005 Base "subMgmtPppoe lost sync with peer 10.10.10.1." 3 2019/06/01 04:47:36.739 UTC WARNING: DHCPS #2018 vprn100 DHCPS "Lease for server "DHCP-SERVER-PPPOE" ip-address "172.16.11.10" client (mac=50:01:00:13:00:00) configuration created" 2 2019/06/01 04:47:36.739 UTC WARNING: DHCPS #2008 vprn100 Local address leased by peer "BNDUPD message could not be processed for DHCP lease (serverName=DHCP-SERVER-PPPOE, ipAddr=172.16.11.10) sender (mac=50:01:00:13:00:00) -- reason: peerConflict" 1 2019/06/01 04:47:22.139 UTC INDETERMINATE: LOGGER #2010 Base Clear LOGGER "Clear function clearLogId has been run with parameters: log-id="99" context="". The completion result is: success. Additional error text, if any, is: " A:BNG2# A:BNG2# tools dump redundancy multi-chassis sync-database peer 10.10.10.1 application sub-mgmt-pppoe sync-tag SYNC-PPPOE The following totals are for: peer ip 10.10.10.1, port/lag/sdp ALL, sync-tag SYNC-PPPOE, application SUBMGMT-PPPOE Valid Entries: 1 Locally Deleted Entries: 1 Locally Deleted Alarmed Entries: 1 Pending Global Delete Entries: 0 Omcr Alarmed Entries: 0 Omcr Standby Entries: 0 Associated Shared Records (ALL): 0 Associated Shared Records (LD): 0
5 ให้ PC-Authen และออกเน็ต
PPPoE-Client และทดสอบออกเน็ต
IPoE Client และทดสอบออกเน็ต
ไฟล์ต่างๆ ของแล็บนี้ครับ
capture traffic สำหรับ PPPoE โดย capture ที่1 pppoe client port Ethernet0
2 BNG1 port 1/1/2
3 Radius1_PPPoE port Ethernet0
download files: https://drive.google.com/open?id=1mj662HhMkhxQIlj-I_FPJlzBlyDdrCOD
capture traffic สำหรับ IPoE
1 ipoe client port Ethernet0
2 BNG2 port 1/1/2
3 Radius2_IPoE port Ethernet0
download files: https://drive.google.com/open?id=1aBYkVjlpb9eTC4Z9-ygZ2CbJ4MKptKKw
Full configurayion file ของทุกโหนด
download files: https://drive.google.com/open?id=1nQ_iZLclInnSXTx-fxfKg-qclDJ42F1x
show configuration status file ของทุกโหนด
download files: https://drive.google.com/open?id=1GGvEIQnFzmvgztdStOTAsNnwRlR4exPG
BNG1, BNG2 show debug
download files: https://drive.google.com/open?id=1H0WzbMMIYHlRxpL0i1YM8oJrdQwquYzi
software version
BNG1, BNG2 Nokia 7750SR version C-15.0.R5
NOKIA-AGG, NOKIA-ACC version TiMOS-L-12.0.R6
Cisco3725 Version 12.4(15)T14
Juniper vSRX firefly-perimeter version 12.1X47-D15.4
eNSP version 1.2.00.510 V100R002C00
TekRADIUS LT version 5.5.3.0
Mikrotik hAP lite RB941-2nd-TH
สำหรับแล็บนี้ ก็มีเพียงเท่านี้ครับ
แล็บนี้ไม่ใช่ดีไซน์ที่ดีที่สุด เพียงแต่อยากนำเสนอวิธีการคอนฟิกพื้นฐาน ความหลายของ solution และ อุปกร์ที่ใช้ครับ สำหรับแล็บ BNG ผมคงหยุดไว้เพียงเท่านี้ รอบหน้าอาจเจอกันที่ MPLS L3VPN, HoVPN และ RSVP-TE ครับ
No comments:
Post a Comment