
CR16005E-F: is there a case study explaining a typical configuration of stacking plus CGN?

Asked 2 days ago

Problem description:

Is there a typical configuration for stacking plus CGN?

3 answers

Hello, please note:

The following is a configuration example for your reference:

H3C vBRAS Series Virtual Broadband Remote Access Servers: CGN NAT Configuration Example

3  Configuration Example

3.1  Network Requirements

As shown in Figure 1:

·     The switch establishes a VXLAN tunnel with the stacked vBRAS and sends PPPoE/IPoE packets up to the vBRAS side.

·     NAT service linkage is configured on the vBRAS (by specifying the user address type in the authentication ISP domain). After a user passes AAA authentication and is assigned a private address, the NAT gateway immediately assigns that user a public address and a port block and notifies the vBRAS of the mapping between the user's private IP address and the assigned public address and port block. (If the NAT gateway has no assignable public resources left, the vBRAS forces the user offline and does not start accounting for the user.)

·     The vBRAS records this address mapping and reports it to the AAA server. From then on, when the user accesses external networks, the public address and port block already assigned by the NAT gateway are used directly.

·     Through this linkage, the AAA server obtains and centrally maintains the address mappings of all users, which makes user tracing easier.

Figure 1 Network diagram for the CGN NAT configuration example

3.2  Configuration Approach

The vBRAS must support linkage between PPPoE/IPoE and CGN NAT. The switch is the device connected to the user access side and is responsible for packet forwarding and traffic control; the vBRAS is the PPPoE/IPoE control-plane device and is responsible for user identification, initiating authentication requests, identity authentication, NAT address translation, and access control. A VXLAN tunnel is established between the switch and the vBRAS; it carries the protocol packets and forwards traffic between the two.

3.3  Software Version

This example was configured and verified on version vBRAS1000_H3C-CMW710-E1116-X64.

3.4  Configuration Notes

·     When a failover group is configured, the device steers traffic that requires dynamic NAT (dynamic address translation and dynamic NAT port-block mapping) or static NAT port-block mapping to the specified failover group for processing, which improves NAT processing performance.

·     The user address types that currently support vBRAS linkage are private IPv4 (private-ipv4), private dual-stack (private-ds), and lightweight dual-stack (ds-lite).

·     After users are online, the NAT port-block configuration cannot be changed. It can be changed only after all users have gone offline.

·     In an IRF setup with NAT and BRAS linkage, it is recommended to enable both NAT port-block backup and session hot backup (with the session synchronization enable command), so that traffic interruption during an active/standby switchover is as short as possible.

3.5  Configuration Procedure

3.5.1  Configuring the switch

# Create VLAN 200.
<Sysname> system-view
[Switch] vlan 200
[Switch-vlan200] quit

# Create VLAN-interface 200 and assign it an IP address.
[Switch] interface Vlan-interface 200
[Switch-Vlan-interface200] ip address 200.0.0.2 24
[Switch-Vlan-interface200] quit

# Enable L2VPN.
[Switch] l2vpn enable

# Create VXLAN tunnel Tunnel804 and configure its source and destination IP addresses.
[Switch] interface tunnel 804 mode vxlan
[Switch-Tunnel804] source 200.0.0.2
[Switch-Tunnel804] destination 200.0.0.14
[Switch-Tunnel804] quit

# Create VSI 14 and associate VXLAN tunnel Tunnel804 with VXLAN 804.
[Switch] vsi 14
[Switch-vsi-14] vxlan 804
[Switch-vsi-14-vxlan-804] tunnel 804
[Switch-vsi-14-vxlan-804] quit
[Switch-vsi-14] quit

# Configure the switch interface that connects to the user side.
[Switch] interface ten-gigabitethernet 1/0/23
[Switch-Ten-GigabitEthernet1/0/23] port link-mode bridge
[Switch-Ten-GigabitEthernet1/0/23] port link-type trunk
[Switch-Ten-GigabitEthernet1/0/23] undo port trunk permit vlan 1
[Switch-Ten-GigabitEthernet1/0/23] port trunk permit vlan 75 121 to 123 200 801 to 901 1001 to 1003 2000
[Switch-Ten-GigabitEthernet1/0/23] undo stp enable
[Switch-Ten-GigabitEthernet1/0/23] service-instance 14
[Switch-Ten-GigabitEthernet1/0/23-srv14] encapsulation s-vid 804
[Switch-Ten-GigabitEthernet1/0/23-srv14] xconnect vsi 14 access-mode ethernet
[Switch-Ten-GigabitEthernet1/0/23-srv14] quit
[Switch-Ten-GigabitEthernet1/0/23] quit

# Configure the switch interface that connects to the vBRAS side.
[Switch] interface ten-gigabitethernet 1/0/24
[Switch-Ten-GigabitEthernet1/0/24] port link-mode bridge
[Switch-Ten-GigabitEthernet1/0/24] port link-type hybrid
[Switch-Ten-GigabitEthernet1/0/24] undo port hybrid vlan 1
[Switch-Ten-GigabitEthernet1/0/24] port hybrid vlan 70 to 75 112 to 113 121 to 123 200 to 201 701 to 800 805 900 to 901 tagged

3.5.2  Configuring PPPoE and CGN NAT linkage on the vBRAS

# Configure redundant Ethernet interface Reth 8192, which connects to the switch.
<vBRAS_B75> system-view
[vBRAS_B75] interface reth 8192
[vBRAS_B75-Reth8192] ip address 200.0.0.14 255.255.255.0
[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 1/7/0 priority 255
[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 2/7/0 priority 100
[vBRAS_B75-Reth8192] quit

# Enable L2VPN.
[vBRAS_B75] l2vpn enable

# Enable DHCP.
[vBRAS_B75] dhcp enable

# Create DHCP address pool pool1 and specify its gateway address, IP subnet, and DNS server address.
[vBRAS_B75] dhcp server ip-pool pool1
[vBRAS_B75-dhcp-pool-pool1] gateway-list 192.168.0.1 export-route
[vBRAS_B75-dhcp-pool-pool1] network 192.168.0.0 16
[vBRAS_B75-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 192.168.0.1 from dynamic allocation in pool1.
[vBRAS_B75-dhcp-pool-pool1] forbidden-ip 192.168.0.1
[vBRAS_B75-dhcp-pool-pool1] quit

# Configure an ACL that permits only packets sourced from 192.168.0.0/16.
[vBRAS_B75] acl advanced 3000
[vBRAS_B75-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.0.0 0.0.255.255
[vBRAS_B75-acl-ipv4-adv-3000] quit

# Create a failover group and add nodes to it: slot 1 as the primary node and slot 2 as the secondary node.
[vBRAS_B75] failover group nat
[vBRAS_B75-failover-group-nat] bind slot 1 primary
[vBRAS_B75-failover-group-nat] bind slot 2 secondary
[vBRAS_B75-failover-group-nat] quit

# Create NAT address group 1 and bind it to the failover group.
[vBRAS_B75] nat address-group 1
[vBRAS_B75-address-group-1] failover-group nat

# Configure the port range of the public addresses.
[vBRAS_B75-address-group-1] port-range 1500 65499

# Configure the port-block parameters.
[vBRAS_B75-address-group-1] port-block block-size 1000

# Add address members.
[vBRAS_B75-address-group-1] address 27.204.231.0 27.204.231.0
[vBRAS_B75-address-group-1] address 27.204.231.1 27.204.231.1
[vBRAS_B75-address-group-1] address 27.204.231.127 27.204.231.255
[vBRAS_B75-address-group-1] quit

# Specify the failover group that processes session-based services: only packets matching ACL 3000 are steered to the primary node of failover group nat for processing.
[vBRAS_B75] session service-location acl 3000 failover-group nat

# Enable session statistics, session hot backup, and NAT dynamic port-block backup.
[vBRAS_B75] session statistics enable
[vBRAS_B75] session synchronization enable
[vBRAS_B75] nat port-block synchronization enable

# Configure redundant Ethernet interface Reth 54, which connects to the private network.
[vBRAS_B75] interface reth 54
[vBRAS_B75-Reth54] ip address 16.31.12.14 255.255.255.0
[vBRAS_B75-Reth54] member interface ten-gigabitethernet 1/6/0.54 priority 255
[vBRAS_B75-Reth54] member interface ten-gigabitethernet 2/6/0.54 priority 100

# Configure outbound dynamic NAT.
[vBRAS_B75-Reth54] nat outbound 3000 address-group 1
[vBRAS_B75-Reth54] quit

# Create VXLAN tunnel Tunnel804 and configure its source and destination IP addresses.
[vBRAS_B75] interface tunnel 804 mode vxlan
[vBRAS_B75-Tunnel804] source 200.0.0.14
[vBRAS_B75-Tunnel804] destination 200.0.0.2
[vBRAS_B75-Tunnel804] quit

# Create a RADIUS scheme named radius and enter its view.
[vBRAS_B75] radius scheme radius

# Specify the primary authentication server, the primary accounting server, and the shared keys for the RADIUS scheme.
[vBRAS_B75-radius-radius] primary authentication 172.16.53.2
[vBRAS_B75-radius-radius] primary accounting 172.16.53.2
[vBRAS_B75-radius-radius] key authentication simple 123
[vBRAS_B75-radius-radius] key accounting simple 123

# Exclude the ISP domain name from the usernames sent to the RADIUS server.
[vBRAS_B75-radius-radius] user-name-format without-domain
[vBRAS_B75-radius-radius] quit

# Create an ISP domain named zzz and enter its view.
[vBRAS_B75] domain name zzz

# Set the authorization address pool for users in the ISP domain to pool1.
[vBRAS_B75-isp-zzz] authorization-attribute ip-pool pool1

# Specify RADIUS scheme radius for the ISP domain.
[vBRAS_B75-isp-zzz] authentication ppp radius-scheme radius
[vBRAS_B75-isp-zzz] authorization ppp radius-scheme radius
[vBRAS_B75-isp-zzz] accounting ppp radius-scheme radius

# Set the user address type of the ISP domain to private IPv4.
[vBRAS_B75-isp-zzz] user-address-type private-ipv4
[vBRAS_B75-isp-zzz] quit

# Configure Virtual-Template 1: authenticate the peer with CHAP/PAP and enable accounting.
[vBRAS_B75] interface virtual-template 1
[vBRAS_B75-Virtual-Template1] ppp authentication-mode chap pap domain zzz
[vBRAS_B75-Virtual-Template1] ppp account-statistics enable
[vBRAS_B75-Virtual-Template1] quit

# Create VSI-interface 110.
[vBRAS_B75] interface vsi-interface 110

# Enable the PPPoE server on VSI-interface 110 and bind the interface to Virtual-Template 1.
[vBRAS_B75-Vsi-interface110] pppoe-server bind virtual-template 1
[vBRAS_B75-Vsi-interface110] quit

# Create VSI 14, specify its gateway interface, create the VXLAN, and associate the tunnel.
[vBRAS_B75] vsi 14
[vBRAS_B75-vsi-14] gateway vsi-interface 110
[vBRAS_B75-vsi-14] vxlan 804
[vBRAS_B75-vsi-14-vxlan-804] tunnel 804
[vBRAS_B75-vsi-14-vxlan-804] quit
[vBRAS_B75-vsi-14] quit

# Create a redundancy group and add the member interfaces and the failover group to it.
[vBRAS_B75] redundancy group test
[vBRAS_B75-redundancy-group-test] member interface reth 54
[vBRAS_B75-redundancy-group-test] member interface reth 8192
[vBRAS_B75-redundancy-group-test] member failover group nat

# In redundancy group test, create node 1 and bind it to the primary card (slot 1) so that it becomes the primary node.
[vBRAS_B75-redundancy-group-test] node 1
[vBRAS_B75-redundancy-group-test-node-1] bind slot 1
[vBRAS_B75-redundancy-group-test-node-1] priority 100
[vBRAS_B75-redundancy-group-test-node-1] track 1 interface ten-gigabitethernet 1/6/0
[vBRAS_B75-redundancy-group-test-node-1] track 2 interface ten-gigabitethernet 1/7/0
[vBRAS_B75-redundancy-group-test-node-1] quit

# In redundancy group test, create node 2 and bind it to the standby card (slot 2) so that it becomes the secondary node.
[vBRAS_B75-redundancy-group-test] node 2
[vBRAS_B75-redundancy-group-test-node-2] bind slot 2
[vBRAS_B75-redundancy-group-test-node-2] priority 10
[vBRAS_B75-redundancy-group-test-node-2] track 3 interface ten-gigabitethernet 2/6/0
[vBRAS_B75-redundancy-group-test-node-2] track 4 interface ten-gigabitethernet 2/7/0
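To make concrete what NAT address group 1 in 3.5.2 (the IPoE procedure in 3.5.3 configures the same group) gives a defender, here is a constructed Python model that is not part of the original post or of H3C's software: it carves the configured public addresses into port blocks, assigns one block per online subscriber, traces a public IP and port back to the private address, and handles the exhausted-pool case in which the document says the vBRAS forces the user offline. The lowest-free-block-first allocation order and the private addresses used are assumptions of the model.

```python
"""Simplified model of the CGN port blocks configured in 3.5.2 / 3.5.3.

Constructed example, not H3C code. It carves NAT address group 1 (27.204.231.0,
.1 and .127-.255; port-range 1500 65499; block-size 1000) into port blocks: one
public (IP, port block) per online subscriber, a trace from public IP + port
back to the private IP, and the forced-offline path when the pool is exhausted.
Lowest-free-block-first allocation is an assumption of this model.
"""
import heapq
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True, order=True)
class PortBlock:
    public_ip: IPv4Address
    start: int  # first port of the block, inclusive
    end: int    # last port of the block, inclusive

    def contains(self, port: int) -> bool:
        return self.start <= port <= self.end


class CgnAddressGroup:
    """Models 'nat address-group' with port-range and port-block block-size."""

    def __init__(self, port_range: Tuple[int, int], block_size: int) -> None:
        self.port_lo, self.port_hi = port_range
        self.block_size = block_size
        self.free: List[PortBlock] = []                # min-heap of free blocks
        self.lease: Dict[IPv4Address, PortBlock] = {}  # private IP -> block
        self.owner: Dict[PortBlock, IPv4Address] = {}  # block -> private IP

    def add_address(self, first: str, last: str) -> None:
        """'address first last': carve each public IP in the range into blocks."""
        for n in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1):
            start = self.port_lo
            # Only whole blocks that fit inside the port range are usable.
            while start + self.block_size - 1 <= self.port_hi:
                heapq.heappush(self.free, PortBlock(IPv4Address(n), start, start + self.block_size - 1))
                start += self.block_size

    def capacity(self) -> int:
        return len(self.free) + len(self.lease)  # subscribers online at once

    def user_online(self, private_ip: str) -> Optional[PortBlock]:
        """Called right after AAA assigns the private address. Returns None when
        no public block is left: the vBRAS then forces the user offline."""
        pip = IPv4Address(private_ip)
        if pip in self.lease:          # already online: keep the same block
            return self.lease[pip]
        if not self.free:
            return None
        blk = heapq.heappop(self.free)
        self.lease[pip] = blk
        self.owner[blk] = pip          # this mapping is what is reported to AAA
        return blk

    def user_offline(self, private_ip: str) -> None:
        blk = self.lease.pop(IPv4Address(private_ip), None)
        if blk is not None:
            del self.owner[blk]
            heapq.heappush(self.free, blk)

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """Source tracing: which subscriber is behind public_ip:port right now?"""
        pub = IPv4Address(public_ip)
        for blk, pip in self.owner.items():
            if blk.public_ip == pub and blk.contains(port):
                return str(pip)
        return None


def build_group_from_page() -> CgnAddressGroup:
    """NAT address group 1 exactly as configured on the page."""
    grp = CgnAddressGroup(port_range=(1500, 65499), block_size=1000)
    grp.add_address("27.204.231.0", "27.204.231.0")
    grp.add_address("27.204.231.1", "27.204.231.1")
    grp.add_address("27.204.231.127", "27.204.231.255")
    return grp


def demo() -> dict:
    grp = build_group_from_page()
    cap = grp.capacity()                       # 131 addresses x 64 blocks = 8384
    first = grp.user_online("192.168.1.10")    # constructed private addresses
    second = grp.user_online("192.168.1.11")
    traced = grp.trace(str(first.public_ip), first.start + 7)
    # Bring enough further subscribers online to exhaust the public pool.
    for i in range(cap - 2):
        grp.user_online(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
    rejected = grp.user_online("192.168.9.9")  # None: would be forced offline
    grp.user_offline("192.168.1.11")           # frees one block ...
    reused = grp.user_online("192.168.9.9")    # ... which the next user gets
    tup = lambda b: (str(b.public_ip), b.start, b.end)
    return {"capacity": cap, "first_block": tup(first), "second_block": tup(second),
            "traced": traced, "rejected_when_exhausted": rejected is None,
            "reused_block": tup(reused)}
```

Running `demo()` shows that this address group can carry at most 8384 concurrent subscribers (131 public addresses times 64 blocks of 1000 ports each), which is the number to compare against expected peak subscribers before users start being forced offline.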

3.5.3  Configuring IPoE and CGN NAT linkage on the vBRAS

# Configure redundant Ethernet interface Reth 8192, which connects to the switch.
<vBRAS_B75> system-view
[vBRAS_B75] interface reth 8192
[vBRAS_B75-Reth8192] ip address 200.0.0.14 255.255.255.0
[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 1/7/0 priority 255
[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 2/7/0 priority 100
[vBRAS_B75-Reth8192] quit

# Enable L2VPN.
[vBRAS_B75] l2vpn enable

# Enable DHCP.
[vBRAS_B75] dhcp enable

# Create DHCP address pool pool1 and specify its gateway address, IP subnet, and DNS server address.
[vBRAS_B75] dhcp server ip-pool pool1
[vBRAS_B75-dhcp-pool-pool1] gateway-list 192.168.0.1 export-route
[vBRAS_B75-dhcp-pool-pool1] network 192.168.0.0 16
[vBRAS_B75-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 192.168.0.1 from dynamic allocation in pool1.
[vBRAS_B75-dhcp-pool-pool1] forbidden-ip 192.168.0.1
[vBRAS_B75-dhcp-pool-pool1] quit

# Configure an ACL that permits only packets sourced from 192.168.0.0/16.
[vBRAS_B75] acl advanced 3000
[vBRAS_B75-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.0.0 0.0.255.255
[vBRAS_B75-acl-ipv4-adv-3000] quit

# Create a failover group and add nodes to it: slot 1 as the primary node and slot 2 as the secondary node.
[vBRAS_B75] failover group nat
[vBRAS_B75-failover-group-nat] bind slot 1 primary
[vBRAS_B75-failover-group-nat] bind slot 2 secondary
[vBRAS_B75-failover-group-nat] quit

# Create NAT address group 1 and bind it to the failover group.
[vBRAS_B75] nat address-group 1
[vBRAS_B75-address-group-1] failover-group nat

# Configure the port range of the public addresses.
[vBRAS_B75-address-group-1] port-range 1500 65499

# Configure the port-block parameters.
[vBRAS_B75-address-group-1] port-block block-size 1000

# Add address members.
[vBRAS_B75-address-group-1] address 27.204.231.0 27.204.231.0
[vBRAS_B75-address-group-1] address 27.204.231.1 27.204.231.1
[vBRAS_B75-address-group-1] address 27.204.231.127 27.204.231.255
[vBRAS_B75-address-group-1] quit

# Specify the failover group that processes session-based services: only packets matching ACL 3000 are steered to the primary node of failover group nat for processing.
[vBRAS_B75] session service-location acl 3000 failover-group nat

# Enable session statistics, session hot backup, and NAT dynamic port-block backup.
[vBRAS_B75] session statistics enable
[vBRAS_B75] session synchronization enable
[vBRAS_B75] nat port-block synchronization enable

# Configure redundant Ethernet interface Reth 54, which connects to the private network.
[vBRAS_B75] interface reth 54
[vBRAS_B75-Reth54] ip address 16.31.12.14 255.255.255.0
[vBRAS_B75-Reth54] member interface ten-gigabitethernet 1/6/0.54 priority 255
[vBRAS_B75-Reth54] member interface ten-gigabitethernet 2/6/0.54 priority 100

# Configure outbound dynamic NAT.
[vBRAS_B75-Reth54] nat outbound 3000 address-group 1
[vBRAS_B75-Reth54] quit

# Create VXLAN tunnel Tunnel804 and configure its source and destination IP addresses.
[vBRAS_B75] interface tunnel 804 mode vxlan
[vBRAS_B75-Tunnel804] source 200.0.0.14
[vBRAS_B75-Tunnel804] destination 200.0.0.2
[vBRAS_B75-Tunnel804] quit

# Create a RADIUS scheme named radius and enter its view.
[vBRAS_B75] radius scheme radius

# Specify the primary authentication server, the primary accounting server, and the shared keys for the RADIUS scheme.
[vBRAS_B75-radius-radius] primary authentication 172.16.53.2
[vBRAS_B75-radius-radius] primary accounting 172.16.53.2
[vBRAS_B75-radius-radius] key authentication simple 123
[vBRAS_B75-radius-radius] key accounting simple 123

# Exclude the ISP domain name from the usernames sent to the RADIUS server.
[vBRAS_B75-radius-radius] user-name-format without-domain
[vBRAS_B75-radius-radius] quit

# Create an ISP domain named zzz and enter its view.
[vBRAS_B75] domain name zzz

# Set the authorization address pool for users in the ISP domain to pool1.
[vBRAS_B75-isp-zzz] authorization-attribute ip-pool pool1

# Specify RADIUS scheme radius for the ISP domain.
[vBRAS_B75-isp-zzz] authentication ipoe radius-scheme radius
[vBRAS_B75-isp-zzz] authorization ipoe radius-scheme radius
[vBRAS_B75-isp-zzz] accounting ipoe radius-scheme radius

# Set the user address type of the ISP domain to private IPv4.
[vBRAS_B75-isp-zzz] user-address-type private-ipv4
[vBRAS_B75-isp-zzz] quit

# Create VSI-interface 110 and assign it an IP address.
[vBRAS_B75] interface vsi-interface 110
[vBRAS_B75-Vsi-interface110] ip address 192.168.0.1 255.255.0.0

# Enable IPoE on VSI-interface 110 and configure Layer 2 access mode.
[vBRAS_B75-Vsi-interface110] ip subscriber l2-connected enable
[vBRAS_B75-Vsi-interface110] ip subscriber initiator dhcp enable
[vBRAS_B75-Vsi-interface110] ip subscriber dhcp username include vendor-class separator @ source-mac
[vBRAS_B75-Vsi-interface110] ip subscriber password plaintext 123
[vBRAS_B75-Vsi-interface110] ip subscriber dhcp domain zzz
[vBRAS_B75-Vsi-interface110] quit

# Create VSI 14, specify its gateway interface, create the VXLAN, and associate the tunnel.
[vBRAS_B75] vsi 14
[vBRAS_B75-vsi-14] gateway vsi-interface 110
[vBRAS_B75-vsi-14] vxlan 804
[vBRAS_B75-vsi-14-vxlan-804] tunnel 804
[vBRAS_B75-vsi-14-vxlan-804] quit
[vBRAS_B75-vsi-14] quit

# Create a redundancy group and add the member interfaces and the failover group to it.
[vBRAS_B75] redundancy group test
[vBRAS_B75-redundancy-group-test] member interface reth 54
[vBRAS_B75-redundancy-group-test] member interface reth 8192
[vBRAS_B75-redundancy-group-test] member failover group nat

# In redundancy group test, create node 1 and bind it to the primary card (slot 1) so that it becomes the primary node.
[vBRAS_B75-redundancy-group-test] node 1
[vBRAS_B75-redundancy-group-test-node-1] bind slot 1
[vBRAS_B75-redundancy-group-test-node-1] priority 100
[vBRAS_B75-redundancy-group-test-node-1] track 1 interface ten-gigabitethernet 1/6/0
[vBRAS_B75-redundancy-group-test-node-1] track 2 interface ten-gigabitethernet 1/7/0
[vBRAS_B75-redundancy-group-test-node-1] quit

# In redundancy group test, create node 2 and bind it to the standby card (slot 2) so that it becomes the secondary node.
[vBRAS_B75-redundancy-group-test] node 2
[vBRAS_B75-redundancy-group-test-node-2] bind slot 2
[vBRAS_B75-redundancy-group-test-node-2] priority 10
[vBRAS_B75-redundancy-group-test-node-2] track 3 interface ten-gigabitethernet 2/6/0
[vBRAS_B75-redundancy-group-test-node-2] track 4 interface ten-gigabitethernet 2/7/0

Copyright © 2018 New H3C Technologies Co., Ltd. All rights reserved.

1  Introduction

This document describes configuration examples for carrier-grade NAT. CGN (Carrier Grade NAT) is also known as LSN (Large-scale NAT). Traditional NAT is mostly deployed on CPE (Customer Premises Equipment) and translates addresses for a small number of users. CGN is deployed in the carrier network: a card that provides the CGN function is installed in a device that serves other roles (such as a BRAS), so that addresses are translated for a large number of users, with large gains in the number of concurrent users, performance, and user tracing.

2  Prerequisites

·     This document does not strictly correspond to specific software or hardware versions. If you find differences between this document and your product, refer to the relevant product manuals, or take the actual behaviour of the device as authoritative.

·     The configurations in this document were made and verified in a lab environment, and all parameters of the devices were at their factory defaults before configuration. If you have already configured the devices, make sure that the existing configuration does not conflict with the configuration in the following example, so that the example works as intended.

·     This document assumes that you are familiar with VXLAN, NAT, and PPPoE/IPoE.

3  配置举例

3.1  组网需求

图1所示:

·     Switch与堆叠的vBRAS建立VXLAN隧道,将PPPoE/IPoE报文上送到vBRAS侧。

·     vBRAS上配置NAT业务联动(通过在认证ISP域中指定具体的用户地址类型),用户通过AAA认证并分配得到私网地址之后,NAT网关会立即为该用户分配公网地址以及端口块,并将用户的私网IP地址、分配的公网地址及该端口块的映射关系通知给vBRAS(如果NAT网关上可分配的公网资源已耗尽,vBRAS会强制用户下线,也不会对用户进行计费)。

·     vBRAS记录该地址映射关系,并将这个映射关系上报给AAA服务器。之后,该用户访问外部网络时直接使用NAT网关已经分配的公网地址和端口块。

·     通过此联动功能,AAA服务器能够获得并统一维护所有用户的地址映射关系,提供更便捷的用户溯源服务。

图1 CGN NAT典型配置举例组网图

 

3.2  配置思路

vBRAS设备需要支持PPPoE/IPoE与CGN NAT联动,其中交换机为用户接入相连的设备,负责报文转发与流量控制等,vBRAS为PPPoE/IPoE控制模块设备,负责用户识别与发起认证请求、身份认证、NAT地址转换和接入控制。在交换机和vBRAS之间建立VXLAN隧道,VXLAN隧道提供交换机与vBRAS间的协议报文通道和流量转发。

3.3  使用版本

本举例是在vBRAS1000_H3C-CMW710-E1116-X64版本上进行配置和验证的。

3.4  配置注意事项

·     配置备份组功能通过指定备份组,设备会将需要进行动态NAT(包括动态地址转换和NAT端口块动态映射)或NAT端口块静态映射的流量引到指定的备份组处理,提高了NAT业务处理的性能。

·     目前,支持vBRAS联动功能的用户地址类型包括私网IP地址(private-ipv4)、私网双栈地址(private-ds)和轻量级双栈地址(ds-lite)。

·     用户上线后,无法更改NAT端口块配置。只有在所有用户下线后,才能更改NAT端口块配置。

·     在IRF组网且NAT与BRAS联动的场景中,建议同时开启NAT端口块备份功能和会话业务热备份功能(通过session synchronization enable命令),以保证主备倒换时尽可能缩短流量中断的时间。

3.5  配置步骤

3.5.1  配置交换机

# 创建VLAN 200。

<Sysname> system-view

[Switch] vlan 200

[Switch-vlan2] quit 

# 创建VLAN 接口 200并配置IP地址。

[Switch] interface Vlan-interface 200

[Switch-Vlan-interface200] ip address 200.0.0.2 24

[Switch-Vlan-interface200] quit                                                        

# 开启L2VPN功能。

[Switch] l2vpn enable

# 创建VXLAN隧道Tunnel804,并配置其源和目的IP地址。

[Switch] interface tunnel 804 mode vxlan                                                 

[Switch-Tunnel804] source 200.0.0.2                                                              

[Switch-Tunnel804] destination 200.0.0.14

[Switch-Tunnel804] quit

# 创建VSI实例14,并配置VXLAN隧道Tunnel804与VXLAN 804关联。

[Switch] vsi 14                                                                                                                                   

[Switch-vsi-14] vxlan 804                                                                                                                

[Switch-vsi-14-vxlan-804] tunnel 804

[Switch-vsi-14-Tunnel-804] quit

[Switch-vsi-14] quit

# 配置连接用户端的交换机接口。

[Switch] interface ten-gigabitethernet 1/0/23                                            

[Switch-Ten-GigabitEthernet1/0/23] port link-mode bridge                                                                                                         

[Switch-Ten-GigabitEthernet1/0/23] port link-type trunk                                                           

[Switch-Ten-GigabitEthernet1/0/23] undo port trunk permit vlan 1                                                 

[Switch-Ten-GigabitEthernet1/0/23] port trunk permit vlan 75 121 to 123 200 801 to 901 1001 to 1003 2000         

[Switch-Ten-GigabitEthernet1/0/23] undo stp enable                                                                                                                                                       

[Switch-Ten-GigabitEthernet1/0/23] service-instance 14                                                            

[Switch-Ten-GigabitEthernet1/0/23-srv14] encapsulation s-vid 804                                                      

[Switch-Ten-GigabitEthernet1/0/23-srv14] xconnect vsi 14 access-mode ethernet

[Switch-Ten-GigabitEthernet1/0/23-srv14] quit

[Switch-Ten-GigabitEthernet1/0/23] quit

# 配置连接vBRAS端的交换机接口。

[Switch] interface ten-gigabitethernet 1/0/24                                            

[Switch-Ten-GigabitEthernet1/0/24] port link-mode bridge                                                                                                          

[Switch-Ten-GigabitEthernet1/0/23] port link-type hybrid                                                         

[Switch-Ten-GigabitEthernet1/0/23] undo port hybrid vlan 1                                                       

[Switch-Ten-GigabitEthernet1/0/23] port hybrid vlan 70 to 75 112 to 113 121 to 123 200 to 201 701 to 800 805 900 to 901 tagged

3.5.2  配置vBRAS侧PPPoE与CGN NAT联动

#  配置与交换机相连的以太网冗余接口8192。

<vBRAS_B75> system

[vBRAS_B75] interface reth 8192                                                                                      

[vBRAS_B75-Reth8192] ip address 200.0.0.14 255.255.255.0                        

[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 1/7/0 priority 255     

[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 2/7/0 priority 100   

# 开启L2VPN功能。

[vBRAS_B75] l2vpn enable

# 启用DHCP服务。

[vBRAS_B75] dhcp enable  

# 创建DHCP地址池pool1,并为其分配网关地址、IP地址网段和DNS服务器地址。

[vBRAS_B75] dhcp server ip-pool pool1

[vBRAS_B75-dhcp-pool-pool1] gateway-list 192.168.0.1 export-route   

[vBRAS_B75-dhcp-pool-pool1] network 192.168.0.0 16

[vBRAS_B75-dhcp-pool-pool1] dns-list 8.8.8.8

# 配置DHCP地址池pool1禁用IP地址192.168.0.1。

[vBRAS_B75-dhcp-pool-pool1] forbidden-ip 192.168.0.1

[vBRAS_B75-dhcp-pool-pool1] quit

# 配置ACL,仅允许来自192.168.0.0/16网段的报文通过。

[vBRAS_B75] acl advanced 3000 

[vBRAS_B75-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.0.0 0.0.255.255

[vBRAS_B75-acl-ipv4-adv-3000] quit

# 创建备份组,并将节点加入备份组,其中slot1配置为主节点,slot2配置为备节点。

[vBRAS_B75] failover group nat  

[vBRAS_B75-failover-group-nat] bind slot 1 primary 

[vBRAS_B75-failover-group-nat] bind slot 2 secondary

[vBRAS_B75-failover-group-nat] quit   

# 创建NAT地址组1,并绑定备份组。

[vBRAS_B75] nat address-group 1  

[vBRAS_B75-address-group-1] failover-group nat  

# 配置公网地址的端口范围。

[vBRAS_B75-address-group-1] port-range 1500 65499

# 配置端口块参数。

[vBRAS_B75-address-group-1] port-block block-size 1000  

# 添加地址成员。

[vBRAS_B75-address-group-1] address 27.204.231.0 27.204.231.0                                             

[vBRAS_B75-address-group-1] address 27.204.231.1 27.204.231.1                                             

[vBRAS_B75-address-group-1] address 27.204.231.127 27.204.231.255

[vBRAS_B75-address-group-1] quit

# 配置处理基于会话业务的备份组,即仅允许将匹配ACL 3000的报文引流到备份组nat的主节点上进行业务处理。

[vBRAS_B75] session service-location acl 3000 failover-group nat

# 开启会话统计功能、会话业务热备份功能和NAT动态端口块备份功能。

[vBRAS_B75] session statistics enable

[vBRAS_B75] session synchronization enable

[vBRAS_B75] nat port-block synchronization enable

# 配置与私网相连的以太网冗余接口54。

[vBRAS_B75] interface reth 54                                                                                     

[vBRAS_B75-Reth54] ip address 16.31.12.14 255.255.255.0                          

[vBRAS_B75-Reth54] member interface ten-gigabitethernet 1/6/0.54 priority 255       

[vBRAS_B75-Reth54] member interface ten-gigabitethernet 2/6/0.54 priority 100

# 配置出方向动态地址转换。

[vBRAS_B75-Reth54] nat outbound 3000 address-group 1      

# 创建VXLAN隧道Tunnel804,并配置其源和目的IP地址。

[vBRAS_B75-Tunnel804] interface tunnel 804 mode vxlan                            

[vBRAS_B75-Tunnel804] source 200.0.0.14                                         

[vBRAS_B75-Tunnel804] destination 200.0.0.2

[vBRAS_B75-Tunnel804] quit

# 创建名称为radius的RADIUS方案并进入该方案视图。

[vBRAS_B75] radius scheme radius 

# 配置RADIUS方案的主认证和主计费服务器及其通信密钥。

[vBRAS_B75-radius-radius] primary authentication 172.16.53.2

[vBRAS_B75-radius-radius] primary accounting 172.16.53.2

[vBRAS_B75-radius-radius] key authentication simple 123

[vBRAS_B75-radius-radius] key accounting simple 123

# 配置发送给RADIUS服务器的用户名不携带ISP域名。

[vBRAS_B75-radius-radius] user-name-format without-domain

[vBRAS_B75-radius-radius] quit

# 创建并进入名称为zzz的ISP域。

[vBRAS_B75] domain name zzz  

# 设置当前ISP域下的用户授权地址池为pool1。

[vBRAS_B75-isp-zzz] authorization-attribute ip-pool pool1

# 配置ISP域使用的RADIUS方案radius。                                                                

[vBRAS_B75-isp-zzz] authentication ppp radius-scheme radius                     

[vBRAS_B75-isp-zzz] authorization ppp radius-scheme radius                      

[vBRAS_B75-isp-zzz] accounting ppp radius-scheme radius 

#设置当前ISP域的用户地址类型为私网IPv4地址。                      

[vBRAS_B75-isp-zzz] user-address-type private-ipv4

[vBRAS_B75-isp-zzz] quit

# 配置虚拟模板接口1的参数,采用PAP/CHAP认证对端,开启计费功能。

[vBRAS_B75] interface virtual-template 1                                    

[vBRAS_B75-Virtual-Template1] ppp authentication-mode chap pap domain zzz       

[vBRAS_B75-Virtual-Template1] ppp account-statistics enable 

# 创建VSI虚接口110。

[vBRAS_B75] interface vsi-interface 110 

# 在VSI虚接口110上启用PPPoE Server协议,并将接口与虚拟模板接口1绑定。

[vBRAS_B75-Vsi-interface110] pppoe-server bind virtual-template 1

[vBRAS_B75-Vsi-interface110] quit

# 创建VSI实例14,并为其指定网关、创建VXLAN和关联隧道。

[vBRAS_B75] vsi 14 

[vBRAS_B75-vsi-14] gateway vsi-interface 110                                    

[vBRAS_B75-vsi-14] vxlan 804                                                    

[vBRAS_B75-vsi-14-vxlan-804] tunnel 804

[vBRAS_B75-vsi-14-vxlan-804] quit

[vBRAS_B75-vsi-14] quit

# 创建冗余组,并为其添加成员接口和备份组。

[vBRAS_B75] redundancy group test                                                                               

[vBRAS_B75-redundancy-group-test] member interface reth 54                       

[vBRAS_B75-redundancy-group-test] member interface reth 8192

[vBRAS_B75-redundancy-group-test] member failover group nat   

# 在冗余组test下,创建冗余组节点1,并将其与主板绑定,成为主节点。

[vBRAS_B75-redundancy-group-test] node 1                                                  

[vBRAS_B75-redundancy-group-test-node-1] bind slot 1                            

[vBRAS_B75-redundancy-group-test-node-1] priority 100                           

[vBRAS_B75-redundancy-group-test-node-1] track 1 interface ten-gigabitethernet 1/6/0                                                                             

[vBRAS_B75-redundancy-group-test-node-1] track 2 interface ten-gigabitethernet 1/7/0

[vBRAS_B75-redundancy-group-test-node-1] quit                                        

# 在冗余组test下,创建冗余组节点 2,并将其与备板绑定,成为备节点。

[vBRAS_B75-redundancy-group-test] node 2                                                                    

[vBRAS_B75-redundancy-group-test-node-2] bind slot 2                            

[vBRAS_B75-redundancy-group-test-node-2] priority 10                            

[vBRAS_B75-redundancy-group-test-node-2] track 3 interface ten-gigabitethernet 2/6/0                                                                              

[vBRAS_B75-redundancy-group-test-node-2] track 4 interface ten-gigabitethernet 2/7/0

3.5.3  配置vBRAS侧IPoE与CGN NAT联动

# 配置与交换机相连的以太网冗余接口8192。

<vBRAS_B75> system

[vBRAS_B75] interface reth 8192                                                                                      

[vBRAS_B75-Reth8192] ip address 200.0.0.14 255.255.255.0                        

[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 1/7/0 priority 255     

[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 2/7/0 priority 100   

# 开启L2VPN功能。

[vBRAS_B75] l2vpn enable

# 启用DHCP服务。

[vBRAS_B75] dhcp enable  

# 创建DHCP地址池pool1,并为其分配网关地址、IP地址网段和DNS服务器地址。

[vBRAS_B75] dhcp server ip-pool pool1

[vBRAS_B75-dhcp-pool-pool1] gateway-list 192.168.0.1 export-route   

[vBRAS_B75-dhcp-pool-pool1] network 192.168.0.0 16

[vBRAS_B75-dhcp-pool-pool1] dns-list 8.8.8.8

# 配置DHCP地址池pool1禁用IP地址192.168.0.1。

[vBRAS_B75-dhcp-pool-pool1] forbidden-ip 192.168.0.1

[vBRAS_B75-dhcp-pool-pool1] quit

# 配置ACL,仅允许来自192.168.0.0/16网段的报文通过。

[vBRAS_B75] acl advanced 3000 

[vBRAS_B75-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.0.0 0.0.255.255

[vBRAS_B75-acl-ipv4-adv-3000] quit

# 创建备份组,并将节点加入备份组,其中slot1配置为主节点,slot2配置为备节点。

[vBRAS_B75] failover group nat  

[vBRAS_B75-failover-group-nat] bind slot 1 primary 

[vBRAS_B75-failover-group-nat] bind slot 2 secondary

[vBRAS_B75-failover-group-nat] quit

# 创建NAT地址组1,并绑定备份组。

[vBRAS_B75] nat address-group 1  

[vBRAS_B75-address-group-1] failover-group nat  

# 配置公网地址的端口范围。

[vBRAS_B75-address-group-1] port-range 1500 65499

# 配置端口块参数。

[vBRAS_B75-address-group-1] port-block block-size 1000  

# 添加地址成员。

[vBRAS_B75-address-group-1] address 27.204.231.0 27.204.231.0                                             

[vBRAS_B75-address-group-1] address 27.204.231.1 27.204.231.1                                             

[vBRAS_B75-address-group-1] address 27.204.231.127 27.204.231.255

[vBRAS_B75-address-group-1] quit

# 配置处理基于会话业务的备份组,即仅允许将匹配ACL 3000的报文引流到备份组nat的主节点上进行业务处理。

[vBRAS_B75] session service-location acl 3000 failover-group nat

# 开启会话统计功能、会话业务热备份功能和NAT动态端口块备份功能。

[vBRAS_B75] session statistics enable

[vBRAS_B75] session synchronization enable

[vBRAS_B75] nat port-block synchronization enable

# 配置与私网相连的以太网冗余接口54。

[vBRAS_B75] interface reth 54                                                                                     

[vBRAS_B75-Reth54] ip address 16.31.12.14 255.255.255.0                          

[vBRAS_B75-Reth54] member interface ten-gigabitethernet 1/6/0.54 priority 255       

[vBRAS_B75-Reth54] member interface ten-gigabitethernet 2/6/0.54 priority 100

# 配置出方向动态地址转换。

[vBRAS_B75-Reth54] nat outbound 3000 address-group 1      

# 创建VXLAN隧道Tunnel804,并配置其源和目的IP地址。

[vBRAS_B75-Tunnel804] interface tunnel 804 mode vxlan                            

[vBRAS_B75-Tunnel804] source 200.0.0.14                                         

[vBRAS_B75-Tunnel804] destination 200.0.0.2

[vBRAS_B75-Tunnel804] quit

# 创建名称为radius的RADIUS方案并进入该方案视图。

[vBRAS_B75] radius scheme radius 

# 配置RADIUS方案的主认证和主计费服务器及其通信密钥。

[vBRAS_B75-radius-radius] primary authentication 172.16.53.2

[vBRAS_B75-radius-radius] primary accounting 172.16.53.2

[vBRAS_B75-radius-radius] key authentication simple 123

[vBRAS_B75-radius-radius] key accounting simple 123

# 配置发送给RADIUS服务器的用户名不携带ISP域名。

[vBRAS_B75-radius-radius] user-name-format without-domain

[vBRAS_B75-radius-radius] quit

# 创建并进入名称为zzz的ISP域。

[vBRAS_B75] domain name zzz  

# 设置当前ISP域下的用户授权地址池为pool1。

[vBRAS_B75-isp-zzz] authorization-attribute ip-pool pool1

# 配置ISP域使用的RADIUS方案radius。                                                                  

[vBRAS_B75-isp-zzz] authentication ipoe radius-scheme radius                                                                                                    

[vBRAS_B75-isp-zzz] authorization ipoe radius-scheme radius                      

[vBRAS_B75-isp-zzz] accounting ipoe radius-scheme radius 

#设置当前ISP域的用户地址类型为私网IPv4地址。                      

[vBRAS_B75-isp-zzz] user-address-type private-ipv4

[vBRAS_B75-isp-zzz] quit

# Create VSI interface 110 and assign it an IP address (the gateway of pool1).
[vBRAS_B75] interface vsi-interface 110
[vBRAS_B75-Vsi-interface110] ip address 192.168.0.1 255.255.0.0
# Enable IPoE on VSI interface 110 in Layer 2 access mode with DHCP as the session initiator. The username is built from the DHCP vendor class and the source MAC, separated by @, and users are authenticated in domain zzz.
[vBRAS_B75-Vsi-interface110] ip subscriber l2-connected enable
[vBRAS_B75-Vsi-interface110] ip subscriber initiator dhcp enable
[vBRAS_B75-Vsi-interface110] ip subscriber dhcp username include vendor-class separator @ source-mac
[vBRAS_B75-Vsi-interface110] ip subscriber password plaintext 123
[vBRAS_B75-Vsi-interface110] ip subscriber dhcp domain zzz
[vBRAS_B75-Vsi-interface110] quit
# Create VSI 14, specify its gateway interface, create VXLAN 804, and associate Tunnel804 with it.
[vBRAS_B75] vsi 14
[vBRAS_B75-vsi-14] gateway vsi-interface 110
[vBRAS_B75-vsi-14] vxlan 804
[vBRAS_B75-vsi-14-vxlan-804] tunnel 804
[vBRAS_B75-vsi-14-vxlan-804] quit
[vBRAS_B75-vsi-14] quit

# Create a redundancy group, and add its member Reth interfaces and the NAT failover group.
[vBRAS_B75] redundancy group test
[vBRAS_B75-redundancy-group-test] member interface reth 54
[vBRAS_B75-redundancy-group-test] member interface reth 8192
[vBRAS_B75-redundancy-group-test] member failover group nat
# In redundancy group test, create node 1, bind it to the primary card (slot 1), give it the higher priority so that it becomes the primary node, and track the physical interfaces of that slot.
[vBRAS_B75-redundancy-group-test] node 1
[vBRAS_B75-redundancy-group-test-node-1] bind slot 1
[vBRAS_B75-redundancy-group-test-node-1] priority 100
[vBRAS_B75-redundancy-group-test-node-1] track 1 interface Ten-GigabitEthernet1/6/0
[vBRAS_B75-redundancy-group-test-node-1] track 2 interface Ten-GigabitEthernet1/7/0
[vBRAS_B75-redundancy-group-test-node-1] quit
# In redundancy group test, create node 2, bind it to the backup card (slot 2), and give it the lower priority so that it becomes the backup node.
[vBRAS_B75-redundancy-group-test] node 2
[vBRAS_B75-redundancy-group-test-node-2] bind slot 2
[vBRAS_B75-redundancy-group-test-node-2] priority 10
[vBRAS_B75-redundancy-group-test-node-2] track 3 interface Ten-GigabitEthernet2/6/0
[vBRAS_B75-redundancy-group-test-node-2] track 4 interface Ten-GigabitEthernet2/7/0
[vBRAS_B75-redundancy-group-test-node-2] quit

3.6  Verifying the configuration

3.6.1  Verifying PPPoE and CGN NAT interworking

After the configuration is complete, the PC can access the Internet through the vBRAS using username ppp and password 123. The PC's IP address is the one assigned by the vBRAS.

# Display detailed PPPoE user information; the NAT section shows the public address and port block allocated to the user.
[vBRAS_B75] display ppp access-user user-type pppoe verbose

Basic:
  Interface: BAS1
  PPP index: 0x140004344
  User ID: 0x28000008
  Username: ppp
  Domain: zzz
  Access interface: Vsi110
  Service-VLAN/Customer-VLAN: 804/804
  VXLAN ID: 804
  MAC address: 0010-9400-000d
  IP address: 192.168.156.101
  Primary DNS server: 8.8.8.8
  IPv6 address: -
  IPv6 PD prefix: -
  IPv6 ND prefix: -
  User address type: private-ipv4
  VPN instance: -
  Access type: PPPoE
  Authentication type: CHAP

PPPoE:
  Session ID: 1

AAA:
  Authentication state: Authenticated
  Authorization state: Authorized
  Realtime accounting switch: Open
  Realtime accounting interval: 720s
  Login time: 2018-03-12  15:21:56:838
  Accounting start time: 2018-03-12  15:21:56:865
  Online time(hh:mm:ss): 00:07:39
  Accounting state: Accounting
  Acct start-fail action: Online
  Acct update-fail action: Online
  Acct quota-out action: Offline
  Dual-stack accounting mode: Merge
  Idle cut: 0 sec  0 bytes, direction: Both
  Session timeout: -
  Time remained: -
  Traffic quota: -
  Traffic remained: -
  Redirect WebURL: -
  ITA policy name: -
  MRU: 1492 bytes
  IPv4 MTU: 1492 bytes
  IPv6 MTU: 1492 bytes

ACL&QoS:
  User profile: -
  Session group profile: -
  User group acl: -
  Inbound CAR: -
  Outbound CAR: -
  User inbound priority: -
  User outbound priority: -

NAT:
  Global IP address:27.204.231.128
  Port block:2500-3499

Flow Statistic:
  IPv4 uplink   packets/bytes: 0/0
  IPv4 downlink packets/bytes: 0/0
  IPv6 uplink   packets/bytes: 0/0
  IPv6 downlink packets/bytes: 0/0

# Display dynamic port block entries. Both IRF member slots hold the same mapping, which confirms that port block backup is in effect.
[vBRAS_B75] display nat port-block dynamic
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.156.101  27.204.231.128   2500-3499    0            ---
Total mappings found: 1

Slot 2:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.156.101  27.204.231.128   2500-3499    0            ---
Total mappings found: 1

# Display detailed NAT statistics.
[vBRAS_B75] display nat statistics
Slot 1:
  Total session entries: 0
  Total EIM entries: 0
  Total inbound NO-PAT entries: 0
  Total outbound NO-PAT entries: 0
  Total static port block entries: 0
  Total dynamic port block entries: 8384
  Active static port block entries: 0
  Active dynamic port block entries: 1

Slot 2:
  Total session entries: 0
  Total EIM entries: 0
  Total inbound NO-PAT entries: 0
  Total outbound NO-PAT entries: 0
  Total static port block entries: 0
  Total dynamic port block entries: 8384
  Active static port block entries: 0
  Active dynamic port block entries: 1

3.6.2  Verifying IPoE and CGN NAT interworking

# Display detailed IPoE user information.
[vBRAS_B75] display ip subscriber session verbose

Basic:
  Description                 : -
  Username                    : @001094000010
  Domain                      : zzz
  VPN instance                : N/A
  IP address                  : 192.168.0.3
  User address type           : private-ipv4
  MAC address                 : 0010-9400-0010
  Service-VLAN/Customer-VLAN  : 804/804
  Access interface            : Vsi110
  User ID                     : 0x38200002
  VPI/VCI(for ATM)            : -/-
  VSI Index                   : 0
  VSI link ID                 : 83886884
  VXLAN ID                    : 804
  DNS servers                 : 8.8.8.8
  IPv6 DNS servers            : N/A
  DHCP lease                  : 86400 sec
  DHCP remain lease           : 86043 sec
  Access time                 : Mar 12 16:05:30 2018
  Online time(hh:mm:ss)       : 00:05:56
  Service node                : Slot 1 CPU 0
  Authentication type         : Bind
  IPv4 access type            : DHCP
  IPv4 detect state           : Detecting
  State                       : Online

AAA:
  ITA policy name             : N/A
  IP pool                     : pool1
  IPv6 pool                   : N/A
  Primary DNS server          : N/A
  Secondary DNS server        : N/A
  Primary IPv6 DNS server     : N/A
  Secondary IPv6 DNS server   : N/A
  Session idle cut            : N/A
  Session duration            : N/A, remaining: N/A
  Traffic quota               : N/A
  Traffic remained            : N/A
  Acct start-fail action      : Online
  Acct update-fail action     : Online
  Acct quota-out action       : Offline
  Dual-stack accounting mode  : Merge
  Max IPv4 multicast addresses: 4
  IPv4 multicast address list : N/A
  Max IPv6 multicast addresses: 4
  IPv6 multicast address list : N/A
  Accounting start time       : Mar 12 16:05:30 2018

QoS:
  User profile                : ip (inactive)
  Session group profile       : N/A
  User group ACL              : N/A
  Inbound CAR                 : N/A
  Outbound CAR                : N/A
  Inbound user priority       : N/A
  Outbound user priority      : N/A

NAT:
  Global IP address          : 27.204.231.201
  Port block                 : 3500-4499

Flow statistic:
  Uplink   packets/bytes      : 0/0
  Downlink packets/bytes      : 0/0
  IPv6 uplink   packets/bytes : 0/0
  IPv6 downlink packets/bytes : 0/0

# Display dynamic port block entries. As with the PPPoE user, the mapping is present on both slots.
[vBRAS_B75] display nat port-block dynamic
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.0.3      27.204.231.201   3500-4499    0            ---
Total mappings found: 1

Slot 2:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.0.3      27.204.231.201   3500-4499    0            ---
Total mappings found: 1

# Display detailed NAT statistics.
[vBRAS_B75] display nat statistics
Slot 1:
  Total session entries: 0
  Total EIM entries: 0
  Total inbound NO-PAT entries: 0
  Total outbound NO-PAT entries: 0
  Total static port block entries: 0
  Total dynamic port block entries: 8384
  Active static port block entries: 0
  Active dynamic port block entries: 1

Slot 2:
  Total session entries: 0
  Total EIM entries: 0
  Total inbound NO-PAT entries: 0
  Total outbound NO-PAT entries: 0
  Total static port block entries: 0
  Total dynamic port block entries: 8384
  Active static port block entries: 0
  Active dynamic port block entries: 1

3.7  Configuration file

The configuration file of the vBRAS is as follows:

#
 sysname vBRAS_B75
#
failover group nat
 bind slot 1 primary
 bind slot 2 secondary
#
ip vpn-instance mgt
#
ip vpn-instance vpn4
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 irf auto-merge enable
 irf member 1 priority 32
 irf member 2 priority 1
#
track 1 interface Ten-GigabitEthernet1/6/0
#
track 2 interface Ten-GigabitEthernet1/7/0
#
track 3 interface Ten-GigabitEthernet2/6/0
#
track 4 interface Ten-GigabitEthernet2/7/0
#
ospf 1
 area 0.0.0.0
#
 ppp access-user log enable successful-login failed-login normal-logout abnormal-logout
#
 ip fast-forwarding aging-time 300
#
 dhcp enable
 dhcp relay client-information record
#
 ip subscriber access-user log enable successful-login failed-login logout
#
 password-recovery enable
#
irf-port 1
 port group interface GigabitEthernet1/2/0 type control
 port group interface GigabitEthernet1/3/0 type data
#
irf-port 2
 port group interface GigabitEthernet2/2/0 type control
 port group interface GigabitEthernet2/3/0 type data
#
 openflow controller enable
#
dhcp server ip-pool 192
 gateway-list 192.14.0.1 export-route
 network 192.14.0.0 mask 255.255.0.0
 forbidden-ip 192.14.0.255
#
dhcp server ip-pool 193
 gateway-list 193.14.0.1 export-route
 network 193.14.0.0 mask 255.255.0.0
 forbidden-ip 193.14.0.1
 forbidden-ip 193.14.0.255
#
dhcp server ip-pool pool1
 gateway-list 192.168.0.1 export-route
 network 192.168.0.0 mask 255.255.0.0
 dns-list 8.8.8.8
 forbidden-ip 192.168.0.1
#
ipv6 dhcp pool 2014
 gateway-list 2014::1
 remote-server 2014::2
#
mpls ldp
#
 l2vpn enable
#
vsi 14
 gateway vsi-interface 110
 vxlan 804
  tunnel 804
#
 mpls bfd enable
#
interface Reth3
 nat outbound 3000 address-group 1
#
interface Reth54
 description downlink-port
 ip address 16.31.12.14 255.255.255.0
 mac-address 7425-8ae3-1234
 member interface Ten-GigabitEthernet1/6/0.54 priority 255
 member interface Ten-GigabitEthernet2/6/0.54 priority 100
 pppoe-server bind virtual-template 3
#
interface Reth8192
 description uplink-port
 ip address 200.0.0.14 255.255.255.0
 member interface Ten-GigabitEthernet1/7/0 priority 255
 member interface Ten-GigabitEthernet2/7/0 priority 100
#
interface Virtual-Template1
 mtu 1492
 timer-hold 0
 ppp authentication-mode chap pap domain zzz
 ppp account-statistics enable
#
interface Virtual-Template2
 timer-hold 0
 service slot 2
 ppp authentication-mode chap pap domain 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123
 ppp account-statistics enable
#
interface Virtual-Template3
 mtu 1492
 timer-hold 0
 ppp authentication-mode chap pap domain local
 ppp account-statistics enable
#
interface Virtual-Template23
#
interface NULL0
#
interface GigabitEthernet1/1/0
 port link-mode route
 ip address 172.16.12.67 255.255.255.0
#
interface GigabitEthernet1/2/0
 port link-mode route
#
interface GigabitEthernet1/3/0
 port link-mode route
#
interface GigabitEthernet2/1/0
 port link-mode route
 ip binding vpn-instance vpn4
 ip address 172.16.12.68 255.255.255.0
#
interface GigabitEthernet2/2/0
 port link-mode route
#
interface GigabitEthernet2/3/0
 port link-mode route
#
interface Ten-GigabitEthernet1/4/0
 port link-mode route
 description ens4f0 vf3
#
interface Ten-GigabitEthernet1/5/0
 port link-mode route
 description ens4f1 vf3
#
interface Ten-GigabitEthernet1/6/0
 port link-mode route
 description ens5f0 vf3
#
interface Ten-GigabitEthernet1/6/0.54
 vlan-type dot1q vid 54
#
interface Ten-GigabitEthernet1/7/0
 port link-mode route
 description ens5f1 vf3
#
interface Ten-GigabitEthernet1/7/0.1
 ip address 2.1.1.1 255.255.255.0
 vlan-type dot1q vid 200
#
interface Ten-GigabitEthernet2/4/0
 port link-mode route
#
interface Ten-GigabitEthernet2/5/0
 port link-mode route
#
interface Ten-GigabitEthernet2/6/0
 port link-mode route
#
interface Ten-GigabitEthernet2/6/0.54
 vlan-type dot1q vid 54
#
interface Ten-GigabitEthernet2/7/0
 port link-mode route
#
interface Ten-GigabitEthernet2/7/0.1
 vlan-type dot1q vid 200
#
interface Vsi-interface1
#
interface Vsi-interface110
 ip address 192.168.0.1 255.255.0.0

 ip subscriber l2-connected enable                                             

 ip subscriber initiator dhcp enable                                           

 ip subscriber dhcp username include vendor-class separator @ source-mac       

 ip subscriber password ciphertext $c$3$qwPiImQ8pWQr/2Ilr89XksiQ/8V49w==       

 ip subscriber dhcp domain zzz                                                 

 pppoe-server bind virtual-template 1                                          

#                                                                              

interface Tunnel804 mode vxlan                                                 

 source 200.0.0.14                                                             

 destination 200.0.0.2                                                         

#                                                                               

 scheduler logfile size 16                                                     

#                                                                              

line class aux                                                                  

 user-role network-operator                                                    

#                                                                              

line class console                                                              

 user-role network-admin                                                       

#                                                                              

line class vty                                                                  

 user-role network-operator                                                    

#                                                                              

line aux 0 1                                                                   

 user-role network-operator                                                    

#                                                                              

line con 0 1                                                                   

 user-role network-admin                                                       

#                                                                              

line vty 0 10                                                                  

 authentication-mode none                                                       

 user-role network-admin                                                       

 user-role network-operator                                                    

 idle-timeout 0 0                                                               

#                                                                              

line vty 11 63                                                                 

 authentication-mode none                                                      

 user-role network-operator                                                    

#                                                                              

 ip route-static 0.0.0.0 0 172.16.12.1                                         

 ip route-static 172.16.0.0 16 172.16.12.1                                     

 ip route-static 172.16.0.0 16 172.16.17.1                                     

 ip route-static 172.16.52.0 24 172.16.12.1                                     

 ip route-static vpn-instance vpn4 172.16.0.0 16 172.16.12.1                   

#                                                                              

 info-center logbuffer size 1024                                                

#                                                                              

 snmp-agent                                                                    

 snmp-agent local-engineid 800063A28052540017203700000001                       

 snmp-agent community write private                                            

 snmp-agent community read publi                                               

 snmp-agent community read public                                              

 snmp-agent sys-info version all                                               

#                                                                              

 arp timer aging 1440                                                          

#                                                                               

redundancy group test                                                          

 preempt-delay 5                                                               

 member interface Reth54                                                        

 member interface Reth8192                                                     

 member failover group nat                                                     

 node 1                                                                         

  bind slot 1                                                                  

  priority 100                                                                 

  track 1 interface Ten-GigabitEthernet1/6/0                                   

  track 2 interface Ten-GigabitEthernet1/7/0                                   

 node 2                                                                        

  bind slot 2                                                                   

  priority 10                                                                  

  track 3 interface Ten-GigabitEthernet2/6/0                                   

  track 4 interface Ten-GigabitEthernet2/7/0                                   

#                                                                              

acl advanced 3000                                                              

 rule 0 permit ip source 192.168.0.0 0.0.255.255                               

#                                                                              

 radius session-control enable                                                 

#                                                                               

radius scheme radius                                                           

 primary authentication 172.16.53.2                                            

 primary accounting 172.16.53.2                                                 

 accounting-on enable                                                          

 key authentication cipher $c$3$5PKl8o1GWWDIXsruHNOlWGbfWC8cWQ==               

 key accounting cipher $c$3$Y68d1AD75kfI7/1FW5NOnOCmGf42Iw==                   

 user-name-format without-domain                                               

#                                                                              

radius scheme rs1                                                              

 primary authentication 172.16.12.248                                          

 primary accounting 172.16.12.248                                              

 key authentication cipher $c$3$7Gc5zw3bEXR8AYwyVqEe5Zs1aHxMKQ==               

 key accounting cipher $c$3$izlLFns+BibFyMQ44a6/DTwLKCrJ1w==                   

 user-name-format without-domain                                               

#                                                                              

domain name !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!               

 state block                                                                   

#                                                                              

domain name %%                                                                  

#                                                                              

domain name ()                                                                 

#                                                                               

domain name ()_+!!#$%^^&()                                                     

 authorization-attribute ip-pool 192                                           

 authentication login radius-scheme radius                                      

 authorization login radius-scheme radius                                      

 accounting login radius-scheme radius                                         

#                                                                               

                                                                             

domain name zzz                                                                

 authorization-attribute ip-pool pool1                                          

 authentication ppp radius-scheme radius                                       

 authorization ppp radius-scheme radius                                        

 accounting ppp radius-scheme radius                                           

 authentication ipoe radius-scheme radius                                      

 authorization ipoe radius-scheme radius                                       

 accounting ipoe radius-scheme radius                                          

 user-address-type private-ipv4                                                

#                                                                              

 domain default enable 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234

 aaa abnormal-offline-record enable                                             

 aaa normal-offline-record enable                                              

 aaa offline-record enable                                                     

 aaa online-fail-record enable                                                 

#                                                                              

 role default-role enable                                                      

#                                                                               

role name level-0                                                              

 description Predefined level-0 role                                           

#                                                                               

role name level-1                                                              

 description Predefined level-1 role                                           

#                                                                               

role name level-2                                                              

 description Predefined level-2 role                                           

#                                                                               

role name level-3                                                              

 description Predefined level-3 role                                           

#                                                                               

role name level-4                                                              

 description Predefined level-4 role                                           

#                                                                              

role name level-5                                                              

 description Predefined level-5 role                                           

#                                                                              

role name level-6                                                              

 description Predefined level-6 role                                           

#                                                                              

role name level-7                                                               

 description Predefined level-7 role                                           

#                                                                              

role name level-8                                                              

 description Predefined level-8 role                                           

#                                                                              

role name level-9                                                              

 description Predefined level-9 role                                           

#                                                                              

role name level-10                                                              

 description Predefined level-10 role                                          

#                                                                              

role name level-11                                                              

 description Predefined level-11 role                                          

#                                                                              

role name level-12                                                              

 description Predefined level-12 role                                          

#                                                                              

role name level-13                                                              

 description Predefined level-13 role                                          

#                                                                              

role name level-14                                                             

 description Predefined level-14 role                                          

#                                                                              

user-group system                                                              

#                                                                               

local-user ftp class manage                                                    

 password hash $h$6$rwDMX16u/m20RTvD$zMOoeaL7BWKTX6jqLVkTRLPI0ruTR/u9BcYqTGKgeeJRlWZkmKiJvZOVKZFdwyZRdR6BtGFod5B1wU2A44bxPA==

 service-type ftp                                                              

 authorization-attribute user-role network-admin                               

 authorization-attribute user-role network-operator                            

#                                                                              

local-user netconf class manage                                                

 password hash $h$6$FlkeroEZMPK9A77u$fDmg7d9YKRCsB7NUGDKJ2kuwhBl5QwXVRTEdln/PfB91YX6adtOBtHOEa1jxqmTYPD2j20DY7x1vPwLYxE1Jbg==

 service-type http https                                                       

 authorization-attribute user-role network-admin                                

 authorization-attribute user-role network-operator                            

#                                                                              

local-user root class manage                                                    

 password hash $h$6$PGDmfTCfrRnzPsg6$/mA/ALm5x4MDDdYL78atqtzUD/c9PT/NBbp+JNH20r0pyCrD/y6NslPmhkjboP5UCov5DgogvEAWI5xexEBr3g==

 service-type telnet                                                            

 authorization-attribute user-role network-operator                            

#                                                                              

local-user h3c class network                                                   

 password cipher $c$3$glkcoI0S7vESuuKc0c5FmY2ZKyMxbg==                         

 service-type ipoe                                                             

 authorization-attribute user-role network-operator                            

#                                                                               

local-user root class network                                                  

 password cipher $c$3$SEbnDP8DNuFAAsPq6L28uxrMnRtWSw==                         

 authorization-attribute user-role network-operator                            

#                                                                              

local-user user class network                                                  

 password cipher $c$3$sgrJNrFcOJ5OLYRUhjCaLyJkJfyvl18vMA==                     

 service-type ipoe                                                             

 service-type ppp                                                              

 authorization-attribute user-role network-operator                             

#                                                                              

 ftp server enable                                                             

#                                                                              

 session service-location acl 3000 failover-group nat                          

 session statistics enable                                                     

 session synchronization enable                                                

#                                                                              

 nat log enable                                                                

 nat log flow-begin                                                             

 nat log flow-end                                                              

 nat port-block synchronization enable                                         

#                                                                               

nat address-group 1                                                            

 failover-group nat                                                            

 port-range 1500 65499                                                          

 port-block block-size 1000                                                    

 address 27.204.231.0 27.204.231.0                                             

 address 27.204.231.1 27.204.231.1                                              

 address 27.204.231.127 27.204.231.255                                         

#                                                                              

l2tp-group 1 mode lns                                                           

 allow l2tp virtual-template 2                                                 

 tunnel timer hello 1000                                                       

 undo tunnel authentication                                                    

 tunnel name LNS                                                               

#                                                                              

 l2tp enable                                                                   

#                                                                               

 netconf soap http enable                                                      

 netconf soap https enable                                                     

 netconf soap idle-timeout 999                                                 

#                                                                              

return                         
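The running config above ends a lab build, and it carries several management-plane settings that should never reach production: both VTY line ranges use authentication-mode none (with network-admin granted on vty 0 10), SNMP is configured with the well-known public and private communities including write access, the FTP server is on, and NETCONF is reachable over plain HTTP. The script below is an added example, not part of the original answer or of H3C's documentation. It parses a constructed excerpt modelled on that config (password hashes and the SNMP engine ID omitted), returns one finding with a suggested Comware command for each weak setting, and checks that a constructed hardened excerpt comes back clean. The remediation commands and the hardened excerpt are assumptions about Comware 7 syntax; check them against your platform's command reference before pasting them into a device.

```python
"""Audit the management plane of a Comware running configuration.
Added example, not H3C's code. SAMPLE_CONFIG is a constructed excerpt
modelled on the running config above (hashes and engine ID omitted);
HARDENED_CONFIG is a constructed counterpart whose command syntax is an
assumption about Comware 7, to be checked against the command reference."""
import re
from collections import namedtuple

SAMPLE_CONFIG = """\
#
line vty 0 10
 authentication-mode none
 user-role network-admin
 idle-timeout 0 0
#
line vty 11 63
 authentication-mode none
 user-role network-operator
#
 snmp-agent community write private
 snmp-agent community read publi
 snmp-agent community read public
 snmp-agent sys-info version all
 ftp server enable
 netconf soap http enable
#
return
"""

HARDENED_CONFIG = """\
#
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 10 0
 user-role network-operator
#
 snmp-agent sys-info version v3
 netconf soap https enable
#
return
"""

Finding = namedtuple("Finding", "severity where issue fix")
WELL_KNOWN = {"public", "private"}


def parse_blocks(text):
    """Split a Comware config into (header, [settings]) blocks: blocks end at
    a bare '#', an unindented line is the header, indented lines are its
    settings, and global settings form blocks whose header is ''."""
    blocks, header, settings = [], "", []
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            if header or settings:
                blocks.append((header, settings))
            header, settings = "", []
        elif raw.startswith(" "):
            settings.append(raw.strip())
        else:
            header = raw.strip()
    if header or settings:
        blocks.append((header, settings))
    return blocks


def audit(text):
    """Return one Finding per weak management-plane setting in text."""
    found = []
    for header, settings in parse_blocks(text):
        if header.startswith("line vty"):
            if "authentication-mode none" in settings:
                roles = ",".join(s.split()[-1] for s in settings if s.startswith("user-role"))
                found.append(Finding("critical", header,
                    f"login without authentication grants {roles}", "authentication-mode scheme"))
            if "protocol inbound ssh" not in settings:
                found.append(Finding("medium", header,
                    "Telnet accepted, credentials cross the wire in cleartext", "protocol inbound ssh"))
            if "idle-timeout 0 0" in settings:
                found.append(Finding("medium", header,
                    "idle timeout disabled, abandoned sessions never expire", "idle-timeout 10 0"))
        for s in settings:
            if m := re.fullmatch(r"snmp-agent community (read|write) (\S+)", s):
                access, name = m.groups()
                if name in WELL_KNOWN:
                    found.append(Finding("critical" if access == "write" else "high", "snmp-agent",
                        f"well-known {access} community '{name}'", f"undo snmp-agent community {access} {name}"))
                else:  # still SNMPv1/v2c: the community string is the whole secret
                    found.append(Finding("medium", "snmp-agent",
                        f"SNMPv1/v2c {access} community '{name}' travels in cleartext", "migrate to SNMPv3 (auth+priv)"))
            elif re.fullmatch(r"snmp-agent sys-info version .*\b(all|v1|v2c)\b.*", s):
                found.append(Finding("medium", "snmp-agent", "SNMPv1/v2c enabled", "snmp-agent sys-info version v3"))
            elif s == "ftp server enable":
                found.append(Finding("high", "ftp", "FTP server on: cleartext logins and transfers", "undo ftp server enable"))
            elif s == "netconf soap http enable":
                found.append(Finding("high", "netconf", "NETCONF over plain HTTP", "undo netconf soap http enable"))
    return found


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:8}] {f.where:14} {f.issue} -> {f.fix}")
    print("hardened excerpt findings:", audit(HARDENED_CONFIG))
```

Run it against a saved `display current-configuration` before a device leaves the lab; the parser only understands the block layout Comware emits, so feed it the raw output rather than a hand-edited copy.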


Copyright © 2018 New H3C Technologies Co., Ltd. All rights reserved.

No part of this document may be excerpted, reproduced or distributed in any form without the written permission of New H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

 



1  Introduction

This document presents a typical configuration example for carrier-grade NAT. CGN (Carrier Grade NAT) is also known as LSN (Large-Scale NAT). Traditional NAT is mostly deployed on CPE (Customer Premises Equipment) and translates addresses for a small number of users. CGN is deployed inside the carrier network: the board that provides the CGN function is installed in a device with another role (such as a BRAS) and translates addresses for a large number of users, which greatly improves concurrent-user count, performance and user traceability.

2  Prerequisites

·     This document is not tied to a specific software or hardware version. If the behaviour you observe differs from what is described here, refer to the relevant product manuals or go by the actual behaviour of the device.

·     All configurations in this document were built and verified in a lab environment, starting from factory-default settings on every device. If the device has already been configured, make sure the existing configuration does not conflict with the configuration in this example.

·     This document assumes that you are familiar with VXLAN, NAT and PPPoE/IPoE.

3  Configuration example

3.1  Network requirements

As shown in Figure 1:

·     The switch establishes a VXLAN tunnel with the stacked (IRF) vBRAS and forwards PPPoE/IPoE packets over it to the vBRAS.

·     NAT service linkage is configured on the vBRAS by specifying a user address type in the ISP domain used for authentication. Once a user passes AAA authentication and is assigned a private address, the NAT gateway immediately allocates a public address and a port block to that user and reports the mapping between the user's private IP address, the public address and the port block to the vBRAS. If the NAT gateway has no public address resources left, the vBRAS forces the user offline and does not bill the user.

·     The vBRAS records the mapping and reports it to the AAA server. From then on, traffic from that user to external networks uses the public address and port block the NAT gateway has already allocated.

·     Through this linkage the AAA server obtains and maintains the address mappings of all users in one place, which makes user traceability straightforward.

Figure 1 Network diagram for the CGN NAT configuration example

3.2  Configuration approach

The vBRAS must support linkage between PPPoE/IPoE and CGN NAT. The switch is the device the users connect to and is responsible for packet forwarding and traffic control; the vBRAS hosts the PPPoE/IPoE control module and is responsible for user identification, initiating authentication requests, identity authentication, NAT address translation and access control. A VXLAN tunnel between the switch and the vBRAS carries both the protocol packets and the forwarded traffic between them.

3.3  Software version used

This example was configured and verified on vBRAS1000_H3C-CMW710-E1116-X64.

3.4  Configuration notes

·     With a failover group configured, the device steers traffic that needs dynamic NAT (dynamic address translation and dynamic NAT port-block mapping) or static NAT port-block mapping to the specified failover group for processing, which improves NAT throughput.

·     The user address types that currently support vBRAS linkage are private IPv4 (private-ipv4), private dual-stack (private-ds) and lightweight dual-stack (ds-lite).

·     NAT port-block settings cannot be changed while users are online; all users must be offline before you change them.

·     In an IRF setup where NAT is linked with the BRAS, enable both NAT port-block backup (nat port-block synchronization enable) and session hot backup (session synchronization enable) so that a master/backup switchover interrupts traffic for as short a time as possible.

3.5  Configuration procedure

3.5.1  Configure the switch

# Create VLAN 200.

<Switch> system-view
[Switch] vlan 200
[Switch-vlan200] quit

# Create VLAN-interface 200 and assign it an IP address.

[Switch] interface Vlan-interface 200
[Switch-Vlan-interface200] ip address 200.0.0.2 24
[Switch-Vlan-interface200] quit

# Enable L2VPN.

[Switch] l2vpn enable

# Create VXLAN tunnel Tunnel804 and configure its source and destination IP addresses.

[Switch] interface tunnel 804 mode vxlan
[Switch-Tunnel804] source 200.0.0.2
[Switch-Tunnel804] destination 200.0.0.14
[Switch-Tunnel804] quit

# Create VSI 14, create VXLAN 804 in it and associate Tunnel804 with VXLAN 804.

[Switch] vsi 14
[Switch-vsi-14] vxlan 804
[Switch-vsi-14-vxlan-804] tunnel 804
[Switch-vsi-14-vxlan-804] quit
[Switch-vsi-14] quit

# Configure the switch interface that connects to the user side.

[Switch] interface ten-gigabitethernet 1/0/23
[Switch-Ten-GigabitEthernet1/0/23] port link-mode bridge
[Switch-Ten-GigabitEthernet1/0/23] port link-type trunk
[Switch-Ten-GigabitEthernet1/0/23] undo port trunk permit vlan 1
[Switch-Ten-GigabitEthernet1/0/23] port trunk permit vlan 75 121 to 123 200 801 to 901 1001 to 1003 2000
[Switch-Ten-GigabitEthernet1/0/23] undo stp enable
[Switch-Ten-GigabitEthernet1/0/23] service-instance 14
[Switch-Ten-GigabitEthernet1/0/23-srv14] encapsulation s-vid 804
[Switch-Ten-GigabitEthernet1/0/23-srv14] xconnect vsi 14 access-mode ethernet
[Switch-Ten-GigabitEthernet1/0/23-srv14] quit
[Switch-Ten-GigabitEthernet1/0/23] quit

# Configure the switch interface that connects to the vBRAS.

[Switch] interface ten-gigabitethernet 1/0/24
[Switch-Ten-GigabitEthernet1/0/24] port link-mode bridge
[Switch-Ten-GigabitEthernet1/0/24] port link-type hybrid
[Switch-Ten-GigabitEthernet1/0/24] undo port hybrid vlan 1
[Switch-Ten-GigabitEthernet1/0/24] port hybrid vlan 70 to 75 112 to 113 121 to 123 200 to 201 701 to 800 805 900 to 901 tagged
[Switch-Ten-GigabitEthernet1/0/24] quit

3.5.2  Configure PPPoE and CGN NAT linkage on the vBRAS

# Configure Reth 8192, the redundant Ethernet interface that connects to the switch.

<vBRAS_B75> system-view
[vBRAS_B75] interface reth 8192
[vBRAS_B75-Reth8192] ip address 200.0.0.14 255.255.255.0
[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 1/7/0 priority 255
[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 2/7/0 priority 100
[vBRAS_B75-Reth8192] quit

# Enable L2VPN.

[vBRAS_B75] l2vpn enable

# Enable DHCP.

[vBRAS_B75] dhcp enable

# Create DHCP address pool pool1 and configure its gateway address, network segment and DNS server address.

[vBRAS_B75] dhcp server ip-pool pool1
[vBRAS_B75-dhcp-pool-pool1] gateway-list 192.168.0.1 export-route
[vBRAS_B75-dhcp-pool-pool1] network 192.168.0.0 16
[vBRAS_B75-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude the gateway address 192.168.0.1 from dynamic allocation in pool1.

[vBRAS_B75-dhcp-pool-pool1] forbidden-ip 192.168.0.1
[vBRAS_B75-dhcp-pool-pool1] quit

# Configure an ACL that matches only packets sourced from 192.168.0.0/16.

[vBRAS_B75] acl advanced 3000
[vBRAS_B75-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.0.0 0.0.255.255
[vBRAS_B75-acl-ipv4-adv-3000] quit

# Create failover group nat and add the nodes to it: slot 1 as the primary node and slot 2 as the secondary node.

[vBRAS_B75] failover group nat
[vBRAS_B75-failover-group-nat] bind slot 1 primary
[vBRAS_B75-failover-group-nat] bind slot 2 secondary
[vBRAS_B75-failover-group-nat] quit

# Create NAT address group 1 and bind it to the failover group.

[vBRAS_B75] nat address-group 1
[vBRAS_B75-address-group-1] failover-group nat

# Configure the port range for the public addresses.

[vBRAS_B75-address-group-1] port-range 1500 65499

# Configure the port-block parameters.

[vBRAS_B75-address-group-1] port-block block-size 1000

# Add the address members.

[vBRAS_B75-address-group-1] address 27.204.231.0 27.204.231.0
[vBRAS_B75-address-group-1] address 27.204.231.1 27.204.231.1
[vBRAS_B75-address-group-1] address 27.204.231.127 27.204.231.255
[vBRAS_B75-address-group-1] quit

# Configure the failover group that handles session-based services: only packets matching ACL 3000 are steered to the primary node of failover group nat for processing.

[vBRAS_B75] session service-location acl 3000 failover-group nat

# Enable session statistics, session hot backup and dynamic NAT port-block backup.

[vBRAS_B75] session statistics enable
[vBRAS_B75] session synchronization enable
[vBRAS_B75] nat port-block synchronization enable

# Configure Reth 54, the redundant Ethernet interface on the private-network side.

[vBRAS_B75] interface reth 54
[vBRAS_B75-Reth54] ip address 16.31.12.14 255.255.255.0
[vBRAS_B75-Reth54] member interface ten-gigabitethernet 1/6/0.54 priority 255
[vBRAS_B75-Reth54] member interface ten-gigabitethernet 2/6/0.54 priority 100

# Configure outbound dynamic NAT on it.

[vBRAS_B75-Reth54] nat outbound 3000 address-group 1
[vBRAS_B75-Reth54] quit

# Create VXLAN tunnel Tunnel804 and configure its source and destination IP addresses.

[vBRAS_B75] interface tunnel 804 mode vxlan
[vBRAS_B75-Tunnel804] source 200.0.0.14
[vBRAS_B75-Tunnel804] destination 200.0.0.2
[vBRAS_B75-Tunnel804] quit

# Create a RADIUS scheme named radius and enter its view.

[vBRAS_B75] radius scheme radius

# Configure the primary authentication and accounting servers of the scheme and the shared keys used with them.

[vBRAS_B75-radius-radius] primary authentication 172.16.53.2
[vBRAS_B75-radius-radius] primary accounting 172.16.53.2
[vBRAS_B75-radius-radius] key authentication simple 123
[vBRAS_B75-radius-radius] key accounting simple 123

# Send usernames to the RADIUS server without the ISP domain name.

[vBRAS_B75-radius-radius] user-name-format without-domain
[vBRAS_B75-radius-radius] quit

# Create ISP domain zzz and enter its view.

[vBRAS_B75] domain name zzz

# Set pool1 as the authorization address pool for users in this ISP domain.

[vBRAS_B75-isp-zzz] authorization-attribute ip-pool pool1

# Apply RADIUS scheme radius to the ISP domain.

[vBRAS_B75-isp-zzz] authentication ppp radius-scheme radius
[vBRAS_B75-isp-zzz] authorization ppp radius-scheme radius
[vBRAS_B75-isp-zzz] accounting ppp radius-scheme radius

# Set the user address type of this ISP domain to private IPv4. This is the setting that triggers the NAT linkage described in 3.1.

[vBRAS_B75-isp-zzz] user-address-type private-ipv4
[vBRAS_B75-isp-zzz] quit

# Configure Virtual-Template 1: authenticate peers with CHAP or PAP in domain zzz and enable accounting statistics.

[vBRAS_B75] interface virtual-template 1
[vBRAS_B75-Virtual-Template1] ppp authentication-mode chap pap domain zzz
[vBRAS_B75-Virtual-Template1] ppp account-statistics enable
[vBRAS_B75-Virtual-Template1] quit

# Create VSI-interface 110.

[vBRAS_B75] interface vsi-interface 110

# Enable the PPPoE server on VSI-interface 110 and bind the interface to Virtual-Template 1.

[vBRAS_B75-Vsi-interface110] pppoe-server bind virtual-template 1
[vBRAS_B75-Vsi-interface110] quit

# Create VSI 14, specify its gateway interface, create the VXLAN and associate the tunnel with it.

[vBRAS_B75] vsi 14
[vBRAS_B75-vsi-14] gateway vsi-interface 110
[vBRAS_B75-vsi-14] vxlan 804
[vBRAS_B75-vsi-14-vxlan-804] tunnel 804
[vBRAS_B75-vsi-14-vxlan-804] quit
[vBRAS_B75-vsi-14] quit

# Create redundancy group test and add the member interfaces and the failover group to it.

[vBRAS_B75] redundancy group test
[vBRAS_B75-redundancy-group-test] member interface reth 54
[vBRAS_B75-redundancy-group-test] member interface reth 8192
[vBRAS_B75-redundancy-group-test] member failover group nat

# In redundancy group test, create node 1 and bind it to the primary slot so that it becomes the primary node.

[vBRAS_B75-redundancy-group-test] node 1
[vBRAS_B75-redundancy-group-test-node-1] bind slot 1
[vBRAS_B75-redundancy-group-test-node-1] priority 100
[vBRAS_B75-redundancy-group-test-node-1] track 1 interface ten-gigabitethernet 1/6/0
[vBRAS_B75-redundancy-group-test-node-1] track 2 interface ten-gigabitethernet 1/7/0
[vBRAS_B75-redundancy-group-test-node-1] quit

# In redundancy group test, create node 2 and bind it to the backup slot so that it becomes the secondary node.

[vBRAS_B75-redundancy-group-test] node 2
[vBRAS_B75-redundancy-group-test-node-2] bind slot 2
[vBRAS_B75-redundancy-group-test-node-2] priority 10
[vBRAS_B75-redundancy-group-test-node-2] track 3 interface ten-gigabitethernet 2/6/0
[vBRAS_B75-redundancy-group-test-node-2] track 4 interface ten-gigabitethernet 2/7/0
[vBRAS_B75-redundancy-group-test-node-2] quit
[vBRAS_B75-redundancy-group-test] quit

3.5.3  Configuring IPoE and CGN NAT interworking on the vBRAS

# Configure Reth 8192, the Ethernet redundancy interface connected to the switch.

<vBRAS_B75> system-view

[vBRAS_B75] interface reth 8192                                                                                      

[vBRAS_B75-Reth8192] ip address 200.0.0.14 255.255.255.0                        

[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 1/7/0 priority 255     

[vBRAS_B75-Reth8192] member interface ten-gigabitethernet 2/7/0 priority 100

[vBRAS_B75-Reth8192] quit

# Enable L2VPN.

[vBRAS_B75] l2vpn enable

# Enable DHCP.

[vBRAS_B75] dhcp enable  

# Create DHCP address pool pool1 and specify its gateway address, network segment, and DNS server address.

[vBRAS_B75] dhcp server ip-pool pool1

[vBRAS_B75-dhcp-pool-pool1] gateway-list 192.168.0.1 export-route   

[vBRAS_B75-dhcp-pool-pool1] network 192.168.0.0 16

[vBRAS_B75-dhcp-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 192.168.0.1 from dynamic allocation in pool1.

[vBRAS_B75-dhcp-pool-pool1] forbidden-ip 192.168.0.1

[vBRAS_B75-dhcp-pool-pool1] quit

# Configure an ACL that permits only packets sourced from 192.168.0.0/16.

[vBRAS_B75] acl advanced 3000 

[vBRAS_B75-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.0.0 0.0.255.255

[vBRAS_B75-acl-ipv4-adv-3000] quit

# Create failover group nat and add the nodes to it: slot 1 as the primary node and slot 2 as the secondary node.

[vBRAS_B75] failover group nat  

[vBRAS_B75-failover-group-nat] bind slot 1 primary 

[vBRAS_B75-failover-group-nat] bind slot 2 secondary

[vBRAS_B75-failover-group-nat] quit

# Create NAT address group 1 and bind it to the failover group.

[vBRAS_B75] nat address-group 1  

[vBRAS_B75-address-group-1] failover-group nat  

# Configure the port range available on each public address.

[vBRAS_B75-address-group-1] port-range 1500 65499

# Configure the port block parameters.

[vBRAS_B75-address-group-1] port-block block-size 1000  

# Add address members.

[vBRAS_B75-address-group-1] address 27.204.231.0 27.204.231.0                                             

[vBRAS_B75-address-group-1] address 27.204.231.1 27.204.231.1                                             

[vBRAS_B75-address-group-1] address 27.204.231.127 27.204.231.255

[vBRAS_B75-address-group-1] quit

# Specify the failover group that processes session-based services: only packets matching ACL 3000 are steered to the primary node of failover group nat for processing.

[vBRAS_B75] session service-location acl 3000 failover-group nat

# Enable session statistics, session hot backup, and dynamic NAT port block backup.

[vBRAS_B75] session statistics enable

[vBRAS_B75] session synchronization enable

[vBRAS_B75] nat port-block synchronization enable

# Configure Reth 54, the Ethernet redundancy interface connected to the private network.

[vBRAS_B75] interface reth 54                                                                                     

[vBRAS_B75-Reth54] ip address 16.31.12.14 255.255.255.0                          

[vBRAS_B75-Reth54] member interface ten-gigabitethernet 1/6/0.54 priority 255       

[vBRAS_B75-Reth54] member interface ten-gigabitethernet 2/6/0.54 priority 100

# Configure outbound dynamic NAT.

[vBRAS_B75-Reth54] nat outbound 3000 address-group 1

[vBRAS_B75-Reth54] quit

# Create VXLAN tunnel Tunnel804 and configure its source and destination IP addresses.

[vBRAS_B75] interface tunnel 804 mode vxlan

[vBRAS_B75-Tunnel804] source 200.0.0.14                                         

[vBRAS_B75-Tunnel804] destination 200.0.0.2

[vBRAS_B75-Tunnel804] quit

# Create a RADIUS scheme named radius and enter its view.

[vBRAS_B75] radius scheme radius 

# Specify the primary authentication server, the primary accounting server, and the shared keys used to communicate with them.

[vBRAS_B75-radius-radius] primary authentication 172.16.53.2

[vBRAS_B75-radius-radius] primary accounting 172.16.53.2

[vBRAS_B75-radius-radius] key authentication simple 123

[vBRAS_B75-radius-radius] key accounting simple 123

# Send usernames to the RADIUS server without the ISP domain name.

[vBRAS_B75-radius-radius] user-name-format without-domain

[vBRAS_B75-radius-radius] quit

# Create ISP domain zzz and enter its view.

[vBRAS_B75] domain name zzz  

# Authorize address pool pool1 for users in this ISP domain.

[vBRAS_B75-isp-zzz] authorization-attribute ip-pool pool1

# Apply RADIUS scheme radius to IPoE authentication, authorization, and accounting in the ISP domain.

[vBRAS_B75-isp-zzz] authentication ipoe radius-scheme radius                                                                                                    

[vBRAS_B75-isp-zzz] authorization ipoe radius-scheme radius                      

[vBRAS_B75-isp-zzz] accounting ipoe radius-scheme radius 

# Set the user address type of the ISP domain to private IPv4.

[vBRAS_B75-isp-zzz] user-address-type private-ipv4

[vBRAS_B75-isp-zzz] quit

# Create VSI-interface 110 and assign it an IP address.

[vBRAS_B75] interface vsi-interface 110

[vBRAS_B75-Vsi-interface110] ip address 192.168.0.1 255.255.0.0 

# Enable IPoE on VSI-interface 110 and configure Layer 2 access mode with DHCP-initiated sessions.

[vBRAS_B75-Vsi-interface110] ip subscriber l2-connected enable                                             

[vBRAS_B75-Vsi-interface110] ip subscriber initiator dhcp enable                                           

[vBRAS_B75-Vsi-interface110] ip subscriber dhcp username include vendor-class separator @ source-mac       

[vBRAS_B75-Vsi-interface110] ip subscriber password plaintext 123

[vBRAS_B75-Vsi-interface110] ip subscriber dhcp domain zzz

[vBRAS_B75-Vsi-interface110] quit

# Create VSI 14, specify its gateway interface, create VXLAN 804, and associate the tunnel with the VXLAN.

[vBRAS_B75] vsi 14 

[vBRAS_B75-vsi-14] gateway vsi-interface 110                                    

[vBRAS_B75-vsi-14] vxlan 804                                                    

[vBRAS_B75-vsi-14-vxlan-804] tunnel 804 

[vBRAS_B75-vsi-14-vxlan-804] quit

[vBRAS_B75-vsi-14] quit

# Create redundancy group test and add the member interfaces and the failover group to it.

[vBRAS_B75] redundancy group test                                                                              

[vBRAS_B75-redundancy-group-test] member interface reth 54                       

[vBRAS_B75-redundancy-group-test] member interface reth 8192

[vBRAS_B75-redundancy-group-test] member failover group nat   

# In redundancy group test, create node 1 and bind it to the primary card (slot 1) so that it becomes the primary node.

[vBRAS_B75-redundancy-group-test] node 1                                                  

[vBRAS_B75-redundancy-group-test-node-1] bind slot 1                            

[vBRAS_B75-redundancy-group-test-node-1] priority 100                           

[vBRAS_B75-redundancy-group-test-node-1] track 1 interface Ten-GigabitEthernet1/6/0                                                                             

[vBRAS_B75-redundancy-group-test-node-1] track 2 interface Ten-GigabitEthernet1/7/0                                        

# In redundancy group test, create node 2 and bind it to the backup card (slot 2) so that it becomes the backup node.

[vBRAS_B75-redundancy-group-test] node 2                                                                     

[vBRAS_B75-redundancy-group-test-node-2] bind slot 2                            

[vBRAS_B75-redundancy-group-test-node-2] priority 10                            

[vBRAS_B75-redundancy-group-test-node-2] track 3 interface Ten-GigabitEthernet2/6/0                                                                              

[vBRAS_B75-redundancy-group-test-node-2] track 4 interface Ten-GigabitEthernet2/7/0                                                                                                            

3.6  Verifying the configuration

3.6.1  Verifying PPPoE and CGN NAT interworking

After the configuration is complete, the PC can access the Internet through the vBRAS with username ppp and password 123. The PC's IP address is the address assigned by the vBRAS.

# Display detailed PPPoE user information; the port block allocated to the user is shown.

[vBRAS_B75] display ppp access-user user-type pppoe verbose                         

Basic:                                                                         

  Interface: BAS1                                                              

  PPP index: 0x140004344                                                       

  User ID: 0x28000008                                                          

  Username: ppp                                                                

  Domain: zzz                                                                  

  Access interface: Vsi110                                                     

  Service-VLAN/Customer-VLAN: 804/804                                          

  VXLAN ID: 804                                                                

  MAC address: 0010-9400-000d                                                   

  IP address: 192.168.156.101                                                  

  Primary DNS server: 8.8.8.8                                                  

  IPv6 address: -                                                               

  IPv6 PD prefix: -                                                            

  IPv6 ND prefix: -                                                            

  User address type: private-ipv4                                               

  VPN instance: -                                                              

  Access type: PPPoE                                                           

  Authentication type: CHAP                                                     

                                                                               

PPPoE:                                                                         

  Session ID: 1                                                                

                                                                                

AAA:                                                                           

  Authentication state: Authenticated                                          

  Authorization state: Authorized                                              

  Realtime accounting switch: Open                                             

  Realtime accounting interval: 720s                                           

  Login time: 2018-03-12  15:21:56:838                                         

  Accounting start time: 2018-03-12  15:21:56:865                              

  Online time(hh:mm:ss): 00:07:39                                              

  Accounting state: Accounting                                                  

  Acct start-fail action: Online                                               

  Acct update-fail action: Online                                              

  Acct quota-out action: Offline                                                

  Dual-stack accounting mode: Merge                                            

  Idle cut: 0 sec  0 bytes, direction: Both                                    

  Session timeout: -                                                            

  Time remained: -                                                             

  Traffic quota: -                                                             

  Traffic remained: -                                                           

  Redirect WebURL: -                                                           

  ITA policy name: -                                                           

  MRU: 1492 bytes                                                              

  IPv4 MTU: 1492 bytes                                                         

  IPv6 MTU: 1492 bytes                                                         

                                                                               

ACL&QoS:                                                                        

  User profile: -                                                              

  Session group profile: -                                                     

  User group acl: -                                                             

  Inbound CAR: -                                                               

  Outbound CAR: -                                                              

  User inbound priority: -                                                      

  User outbound priority: -                                                    

                                                                               

NAT:                                                                           

  Global IP address:27.204.231.128                                             

  Port block:2500-3499                                                          

                                                                                

Flow Statistic:                                                                

  IPv4 uplink   packets/bytes: 0/0                                             

  IPv4 downlink packets/bytes: 0/0                                             

  IPv6 uplink   packets/bytes: 0/0                                             

  IPv6 downlink packets/bytes: 0/0

# Display dynamic port block entries.

[vBRAS_B75] display nat port-block dynamic                                          

Slot 1:                                                                        

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           192.168.156.101  27.204.231.128   2500-3499    0            ---  

Total mappings found: 1                                                        

                                                                               

Slot 2:                                                                         

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           192.168.156.101  27.204.231.128   2500-3499    0            ---  

Total mappings found: 1

# Display detailed NAT statistics.

[vBRAS_B75] display nat statistics                                                  

Slot 1:                                                                        

  Total session entries: 0                                                     

  Total EIM entries: 0                                                         

  Total inbound NO-PAT entries: 0                                              

  Total outbound NO-PAT entries: 0                                             

  Total static port block entries: 0                                           

  Total dynamic port block entries: 8384                                       

  Active static port block entries: 0                                          

  Active dynamic port block entries: 1                                         

                                                                               

Slot 2:                                                                        

  Total session entries: 0                                                     

  Total EIM entries: 0                                                         

  Total inbound NO-PAT entries: 0                                              

  Total outbound NO-PAT entries: 0                                              

  Total static port block entries: 0                                           

  Total dynamic port block entries: 8384                                       

  Active static port block entries: 0                                           

  Active dynamic port block entries: 1 

3.6.2  Verifying IPoE and CGN NAT interworking

# Display detailed IPoE user information.

[vBRAS_B75] display ip subscriber session verbose

Basic:                                                                         

  Description                 : -                                              

  Username                    : @001094000010                                  

  Domain                      : zzz                                            

  VPN instance                : N/A                                            

  IP address                  : 192.168.0.3                                    

  User address type           : private-ipv4                                   

  MAC address                 : 0010-9400-0010                                 

  Service-VLAN/Customer-VLAN  : 804/804                                        

  Access interface            : Vsi110                                          

  User ID                     : 0x38200002                                     

  VPI/VCI(for ATM)            : -/-                                            

  VSI Index                   : 0                                              

  VSI link ID                 : 83886884                                       

  VXLAN ID                    : 804                                            

  DNS servers                 : 8.8.8.8                                        

  IPv6 DNS servers            : N/A                                            

  DHCP lease                  : 86400 sec                                      

  DHCP remain lease           : 86043 sec                                      

  Access time                 : Mar 12 16:05:30 2018                           

  Online time(hh:mm:ss)       : 00:05:56                                       

  Service node                : Slot 1 CPU 0                                   

  Authentication type         : Bind                                           

  IPv4 access type            : DHCP                                           

  IPv4 detect state           : Detecting                                       

  State                       : Online                                         

                                                                               

AAA:                                                                            

  ITA policy name             : N/A                                            

  IP pool                     : pool1                                           

  IPv6 pool                   : N/A                                             

  Primary DNS server          : N/A                                            

  Secondary DNS server        : N/A                                            

  Primary IPv6 DNS server     : N/A                                            

  Secondary IPv6 DNS server   : N/A                                            

  Session idle cut            : N/A                                            

  Session duration            : N/A, remaining: N/A                            

  Traffic quota               : N/A                                            

  Traffic remained            : N/A                                            

  Acct start-fail action      : Online                                         

  Acct update-fail action     : Online                                         

  Acct quota-out action       : Offline                                        

  Dual-stack accounting mode  : Merge                                          

  Max IPv4 multicast addresses: 4                                              

  IPv4 multicast address list : N/A                                            

  Max IPv6 multicast addresses: 4                                              

  IPv6 multicast address list : N/A                                            

  Accounting start time       : Mar 12 16:05:30 2018                           

                                                                               

QoS:                                                                            

  User profile                : ip (inactive)                                  

  Session group profile       : N/A                                            

  User group ACL              : N/A                                             

  Inbound CAR                 : N/A                                            

  Outbound CAR                : N/A                                            

  Inbound user priority       : N/A                                             

  Outbound user priority      : N/A                                            

                                                                               

NAT:                                                                            

  Global IP address          : 27.204.231.201                                  

  Port block                 : 3500-4499                                       

                                                                               

Flow statistic:                                                                

  Uplink   packets/bytes      : 0/0                                            

  Downlink packets/bytes      : 0/0                                            

  IPv6 uplink   packets/bytes : 0/0                                            

  IPv6 downlink packets/bytes : 0/0 

# Display dynamic port block entries.

[vBRAS_B75] display nat port-block dynamic                                          

Slot 1:                                                                        

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           192.168.0.3      27.204.231.201   3500-4499    0            ---  

Total mappings found: 1                                                        

                                                                               

Slot 2:                                                                        

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           192.168.0.3      27.204.231.201   3500-4499    0            ---  

Total mappings found: 1

# Display detailed NAT statistics.

[vBRAS_B75] display nat statistics                                                   

Slot 1:                                                                        

  Total session entries: 0                                                     

  Total EIM entries: 0                                                         

  Total inbound NO-PAT entries: 0                                              

  Total outbound NO-PAT entries: 0                                             

  Total static port block entries: 0                                           

  Total dynamic port block entries: 8384                                       

  Active static port block entries: 0                                          

  Active dynamic port block entries: 1                                         

                                                                                

Slot 2:                                                                        

  Total session entries: 0                                                     

  Total EIM entries: 0                                                          

  Total inbound NO-PAT entries: 0                                              

  Total outbound NO-PAT entries: 0                                             

  Total static port block entries: 0                                            

  Total dynamic port block entries: 8384                                       

  Active static port block entries: 0                                          

  Active dynamic port block entries: 1 
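As an added check (example code written for this answer, not taken from the H3C guide): the figures in the `display nat statistics` output above follow from the address group definition, and the per-slot tables from `display nat port-block dynamic` must be identical while `nat port-block synchronization enable` is doing its job. The Python below computes the capacity of address group 1 (131 public addresses times 64 blocks of 1000 ports in 1500-65499 gives 8384 dynamic port block entries, the number the statistics show), checks that an allocated block could only have come from that group, and parses the per-slot table to flag any mapping that differs between the primary and backup slots. The regular expression assumes the column layout shown in this answer; the out-of-sync sample is constructed for illustration and did not come from the device.

```python
"""Sanity checks for the CGN NAT port-block configuration in this answer.

Added example; not part of the H3C guide. The address-group values are
copied from the configuration steps above.
"""
import ipaddress
import re

# Address group 1 as configured above: port-range 1500 65499, block-size 1000,
# members 27.204.231.0, 27.204.231.1 and 27.204.231.127-27.204.231.255.
PORT_RANGE = (1500, 65499)
BLOCK_SIZE = 1000
ADDRESS_MEMBERS = [
    ("27.204.231.0", "27.204.231.0"),
    ("27.204.231.1", "27.204.231.1"),
    ("27.204.231.127", "27.204.231.255"),
]


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def blocks_per_address(port_range=PORT_RANGE, block_size=BLOCK_SIZE):
    """Whole port blocks that fit in the port range; a partial trailing block is unusable."""
    lo, hi = port_range
    return (hi - lo + 1) // block_size


def address_count(members=ADDRESS_MEMBERS):
    """Number of public addresses across all address members (ranges are inclusive)."""
    return sum(_ip(end) - _ip(start) + 1 for start, end in members)


def total_port_blocks(members=ADDRESS_MEMBERS, port_range=PORT_RANGE, block_size=BLOCK_SIZE):
    """Dynamic port block entries the group can hold, i.e. the number of concurrent
    subscribers it serves with one block each (no extended blocks are configured here)."""
    return address_count(members) * blocks_per_address(port_range, block_size)


def block_is_valid(global_ip, lo, hi, members=ADDRESS_MEMBERS,
                   port_range=PORT_RANGE, block_size=BLOCK_SIZE):
    """True if an allocated block could have come from this address group: the public
    IP is a member, the block starts on the block grid, and it is full-sized."""
    g = _ip(global_ip)
    in_members = any(_ip(s) <= g <= _ip(e) for s, e in members)
    start, end = port_range
    aligned = lo >= start and (lo - start) % block_size == 0
    full = hi - lo + 1 == block_size and hi <= end
    return in_members and aligned and full


# One data row of 'display nat port-block dynamic' as laid out in this answer.
ROW_RE = re.compile(
    r"^(?P<vpn>\S+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)\s+(?P<glob>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<lo>\d+)-(?P<hi>\d+)\s+(?P<conn>\d+)\s+(?P<ext>\S+)\s*$"
)
SLOT_RE = re.compile(r"^Slot (\d+):")


def parse_port_block_table(text):
    """Return {slot: {(vpn, local_ip): (global_ip, lo, hi)}} from the command output."""
    slots, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            slots[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            slots[current][(m["vpn"], m["local"])] = (m["glob"], int(m["lo"]), int(m["hi"]))
    return slots


def compare_slots(slots):
    """Mappings that differ between the first slot and every other slot.
    With port-block synchronization working this list is empty."""
    ids = sorted(slots)
    diffs = []
    for sid in ids[1:]:
        for key in sorted(set(slots[ids[0]]) | set(slots[sid])):
            a, b = slots[ids[0]].get(key), slots[sid].get(key)
            if a != b:
                diffs.append((key, ids[0], a, sid, b))
    return diffs


# Output copied from the PPPoE verification above: both slots hold the same mapping.
SYNCED_OUTPUT = """\
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.156.101  27.204.231.128   2500-3499    0            ---
Total mappings found: 1

Slot 2:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.156.101  27.204.231.128   2500-3499    0            ---
Total mappings found: 1
"""

# Constructed sample: the table if the backup slot never received the mapping.
OUT_OF_SYNC_OUTPUT = """\
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           192.168.156.101  27.204.231.128   2500-3499    0            ---
Total mappings found: 1

Slot 2:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
Total mappings found: 0
"""

if __name__ == "__main__":
    print("port blocks per address:", blocks_per_address())
    print("public addresses:", address_count())
    print("total dynamic port block entries:", total_port_blocks())
    print("synced diffs:", compare_slots(parse_port_block_table(SYNCED_OUTPUT)))
    print("out-of-sync diffs:", compare_slots(parse_port_block_table(OUT_OF_SYNC_OUTPUT)))
```

Paste the real output of `display nat port-block dynamic` into `parse_port_block_table` after a master/backup switchover; a non-empty result from `compare_slots` means some subscribers would lose their public address and port block on failover, which is exactly the condition the hot backup and port block backup commands in the configuration notes are meant to prevent.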

3.7  Configuration files

Configuration file of the vBRAS:

#                                                                              

 sysname vBRAS_B75                                                             

#                                                                              

failover group nat                                                             

 bind slot 1 primary                                                           

 bind slot 2 secondary                                                         

#                                                                               

ip vpn-instance mgt                                                            

#                                                                              

ip vpn-instance vpn4                                                            

#                                                                              

 telnet server enable                                                          

#                                                                               

 irf mac-address persistent timer                                              

 irf auto-update enable                                                        

 irf auto-merge enable                                                          

 irf member 1 priority 32                                                      

 irf member 2 priority 1                                                       

#                                                                               

track 1 interface Ten-GigabitEthernet1/6/0                                     

#                                                                              

track 2 interface Ten-GigabitEthernet1/7/0                                     

#                                                                               

track 3 interface Ten-GigabitEthernet2/6/0                                     

#                                                                              

track 4 interface Ten-GigabitEthernet2/7/0                                     

#                                                                              

ospf 1                                                                         

 area 0.0.0.0                                                                   

#                                                                              

 ppp access-user log enable successful-login failed-login normal-logout abnormal-logout

#                                                                              

 ip fast-forwarding aging-time 300                                             

#                                                                               

 dhcp enable                                                                   

 dhcp relay client-information record                                          

#                                                                               

 ip subscriber access-user log enable successful-login failed-login logout     

#                                                                              

 password-recovery enable                                                       

#                                                                              

irf-port 1                                                                     

 port group interface GigabitEthernet1/2/0 type control                        

 port group interface GigabitEthernet1/3/0 type data                           

#                                                                              

irf-port 2                                                                     

 port group interface GigabitEthernet2/2/0 type control                        

 port group interface GigabitEthernet2/3/0 type data                           

#                                                                              

 openflow controller enable                                                     

#                                                                              

dhcp server ip-pool 192                                                        

 gateway-list 192.14.0.1 export-route                                          

 network 192.14.0.0 mask 255.255.0.0                                           

 forbidden-ip 192.14.0.255                                                     

#                                                                               

dhcp server ip-pool 193                                                        

 gateway-list 193.14.0.1 export-route                                          

 network 193.14.0.0 mask 255.255.0.0                                            

 forbidden-ip 193.14.0.1                                                       

 forbidden-ip 193.14.0.255                                                     


#                                                                               

dhcp server ip-pool pool1                                                      

 gateway-list 192.168.0.1 export-route                                         

 network 192.168.0.0 mask 255.255.0.0                                          

 dns-list 8.8.8.8                                                              

 forbidden-ip 192.168.0.1                                                      

#                                                                               

ipv6 dhcp pool 2014                                                            

 gateway-list 2014::1                                                          

 remote-server 2014::2                                                          

#                                                                              

mpls ldp                                                                       

#                                                                               

 l2vpn enable                                                                  

#                                                                              

vsi 14                                                                          

 gateway vsi-interface 110                                                     

 vxlan 804                                                                     

  tunnel 804                                                                   

#                                                                              

 mpls bfd enable                                                               

#                                                                              

interface Reth3                                                                

 nat outbound 3000 address-group 1                                             

#                                                                              

interface Reth54                                                                

 description downlink-port                                                     

 ip address 16.31.12.14 255.255.255.0                                          

 mac-address 7425-8ae3-1234                                                     

 member interface Ten-GigabitEthernet1/6/0.54 priority 255                     

 member interface Ten-GigabitEthernet2/6/0.54 priority 100                     

 pppoe-server bind virtual-template 3                                           

#                                                                              

interface Reth8192                                                             

 description uplink-port                                                        

 ip address 200.0.0.14 255.255.255.0                                           

 member interface Ten-GigabitEthernet1/7/0 priority 255                        

 member interface Ten-GigabitEthernet2/7/0 priority 100                         

#                                                                              

interface Virtual-Template1                                                    

 mtu 1492                                                                      

 timer-hold 0                                                                  

 ppp authentication-mode chap pap domain zzz                                   

 ppp account-statistics enable                                                 

#                                                                               

interface Virtual-Template2                                                    

 timer-hold 0                                                                  

 service slot 2                                                                

 ppp authentication-mode chap pap domain 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123

 ppp account-statistics enable                                                 

#                                                                               

interface Virtual-Template3                                                    

 mtu 1492                                                                      

 timer-hold 0                                                                   

 ppp authentication-mode chap pap domain local                                 

 ppp account-statistics enable                                                 

#                                                                               

interface Virtual-Template23                                                   

#                                                                              

interface NULL0                                                                 

#                                                                              

interface GigabitEthernet1/1/0                                                 

 port link-mode route                                                          

 ip address 172.16.12.67 255.255.255.0                                         

#                                                                              

interface GigabitEthernet1/2/0                                                 

 port link-mode route                                                          

#                                                                              

interface GigabitEthernet1/3/0                                                 

 port link-mode route                                                           

#                                                                              

interface GigabitEthernet2/1/0                                                 

 port link-mode route                                                           

 ip binding vpn-instance vpn4                                                  

 ip address 172.16.12.68 255.255.255.0                                         

#                                                                              

interface GigabitEthernet2/2/0                                                 

 port link-mode route                                                          

#                                                                               

interface GigabitEthernet2/3/0                                                 

 port link-mode route                                                          

#                                                                               

interface Ten-GigabitEthernet1/4/0                                             

 port link-mode route                                                          

 description ens4f0 vf3                                                         

#                                                                              

interface Ten-GigabitEthernet1/5/0                                             

 port link-mode route                                                           

 description ens4f1 vf3                                                        

#                                                                              

interface Ten-GigabitEthernet1/6/0                                              

 port link-mode route                                                          

 description ens5f0 vf3                                                        

#                                                                               

interface Ten-GigabitEthernet1/6/0.54                                          

 vlan-type dot1q vid 54                                                        

#                                                                              

interface Ten-GigabitEthernet1/7/0                                             

 port link-mode route                                                          

 description ens5f1 vf3                                                        

#                                                                               

interface Ten-GigabitEthernet1/7/0.1                                           

 ip address 2.1.1.1 255.255.255.0                                              

 vlan-type dot1q vid 200                                                       

#                                                                              

interface Ten-GigabitEthernet2/4/0                                             

 port link-mode route                                                           

#                                                                              

interface Ten-GigabitEthernet2/5/0                                             

 port link-mode route                                                           

#                                                                              

interface Ten-GigabitEthernet2/6/0                                             

 port link-mode route                                                           

#                                                                              

interface Ten-GigabitEthernet2/6/0.54                                          

 vlan-type dot1q vid 54                                                         

#                                                                              

interface Ten-GigabitEthernet2/7/0                                             

 port link-mode route                                                           

#                                                                              

interface Ten-GigabitEthernet2/7/0.1                                           

 vlan-type dot1q vid 200                                                       

#                                                                               

interface Vsi-interface1                                                       

#                                                                              

interface Vsi-interface110                                                     

 ip address 192.168.0.1 255.255.0.0                                            

 ip subscriber l2-connected enable                                             

 ip subscriber initiator dhcp enable                                           

 ip subscriber dhcp username include vendor-class separator @ source-mac       

 ip subscriber password ciphertext $c$3$qwPiImQ8pWQr/2Ilr89XksiQ/8V49w==       

 ip subscriber dhcp domain zzz                                                 

 pppoe-server bind virtual-template 1                                          

#                                                                              

interface Tunnel804 mode vxlan                                                 

 source 200.0.0.14                                                             

 destination 200.0.0.2                                                         

#                                                                               

 scheduler logfile size 16                                                     

#                                                                              

line class aux                                                                  

 user-role network-operator                                                    

#                                                                              

line class console                                                              

 user-role network-admin                                                       

#                                                                              

line class vty                                                                  

 user-role network-operator                                                    

#                                                                              

line aux 0 1                                                                   

 user-role network-operator                                                    

#                                                                              

line con 0 1                                                                   

 user-role network-admin                                                       

#                                                                              

line vty 0 10                                                                  

 authentication-mode none                                                       

 user-role network-admin                                                       

 user-role network-operator                                                    

 idle-timeout 0 0                                                               

#                                                                              

line vty 11 63                                                                 

 authentication-mode none                                                      

 user-role network-operator                                                    

#                                                                              

 ip route-static 0.0.0.0 0 172.16.12.1                                         

 ip route-static 172.16.0.0 16 172.16.12.1                                     

 ip route-static 172.16.0.0 16 172.16.17.1                                     

 ip route-static 172.16.52.0 24 172.16.12.1                                     

 ip route-static vpn-instance vpn4 172.16.0.0 16 172.16.12.1                   

#                                                                              

 info-center logbuffer size 1024                                                

#                                                                              

 snmp-agent                                                                    

 snmp-agent local-engineid 800063A28052540017203700000001                       

 snmp-agent community write private                                            

 snmp-agent community read publi                                               

 snmp-agent community read public                                              

 snmp-agent sys-info version all                                               

#                                                                              

 arp timer aging 1440                                                          

#                                                                               

redundancy group test                                                          

 preempt-delay 5                                                               

 member interface Reth54                                                        

 member interface Reth8192                                                     

 member failover group nat                                                     

 node 1                                                                         

  bind slot 1                                                                  

  priority 100                                                                 

  track 1 interface Ten-GigabitEthernet1/6/0                                   

  track 2 interface Ten-GigabitEthernet1/7/0                                   

 node 2                                                                        

  bind slot 2                                                                   

  priority 10                                                                  

  track 3 interface Ten-GigabitEthernet2/6/0                                   

  track 4 interface Ten-GigabitEthernet2/7/0                                   

#                                                                              

acl advanced 3000                                                              

 rule 0 permit ip source 192.168.0.0 0.0.255.255                               

#                                                                              

 radius session-control enable                                                 

#                                                                               

radius scheme radius                                                           

 primary authentication 172.16.53.2                                            

 primary accounting 172.16.53.2                                                 

 accounting-on enable                                                          

 key authentication cipher $c$3$5PKl8o1GWWDIXsruHNOlWGbfWC8cWQ==               

 key accounting cipher $c$3$Y68d1AD75kfI7/1FW5NOnOCmGf42Iw==                   

 user-name-format without-domain                                               

#                                                                              

radius scheme rs1                                                              

 primary authentication 172.16.12.248                                          

 primary accounting 172.16.12.248                                              

 key authentication cipher $c$3$7Gc5zw3bEXR8AYwyVqEe5Zs1aHxMKQ==               

 key accounting cipher $c$3$izlLFns+BibFyMQ44a6/DTwLKCrJ1w==                   

 user-name-format without-domain                                               

#                                                                              

domain name !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!               

 state block                                                                   

#                                                                              

domain name %%                                                                  

#                                                                              

domain name ()                                                                 

#                                                                               

domain name ()_+!!#$%^^&()                                                     

 authorization-attribute ip-pool 192                                           

 authentication login radius-scheme radius                                      

 authorization login radius-scheme radius                                      

 accounting login radius-scheme radius                                         

#                                                                               

                                                                             

domain name zzz                                                                

 authorization-attribute ip-pool pool1                                          

 authentication ppp radius-scheme radius                                       

 authorization ppp radius-scheme radius                                        

 accounting ppp radius-scheme radius                                           

 authentication ipoe radius-scheme radius                                      

 authorization ipoe radius-scheme radius                                       

 accounting ipoe radius-scheme radius                                          

 user-address-type private-ipv4                                                

#                                                                              

 domain default enable 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234

 aaa abnormal-offline-record enable                                             

 aaa normal-offline-record enable                                              

 aaa offline-record enable                                                     

 aaa online-fail-record enable                                                 

#                                                                              

 role default-role enable                                                      

#                                                                               

role name level-0                                                              

 description Predefined level-0 role                                           

#                                                                               

role name level-1                                                              

 description Predefined level-1 role                                           

#                                                                               

role name level-2                                                              

 description Predefined level-2 role                                           

#                                                                               

role name level-3                                                              

 description Predefined level-3 role                                           

#                                                                               

role name level-4                                                              

 description Predefined level-4 role                                           

#                                                                              

role name level-5                                                              

 description Predefined level-5 role                                           

#                                                                              

role name level-6                                                              

 description Predefined level-6 role                                           

#                                                                              

role name level-7                                                               

 description Predefined level-7 role                                           

#                                                                              

role name level-8                                                              

 description Predefined level-8 role                                           

#                                                                              

role name level-9                                                              

 description Predefined level-9 role                                           

#                                                                              

role name level-10                                                              

 description Predefined level-10 role                                          

#                                                                              

role name level-11                                                              

 description Predefined level-11 role                                          

#                                                                              

role name level-12                                                              

 description Predefined level-12 role                                          

#                                                                              

role name level-13                                                              

 description Predefined level-13 role                                          

#                                                                              

role name level-14                                                             

 description Predefined level-14 role                                          

#                                                                              

user-group system                                                              

#                                                                               

local-user ftp class manage                                                    

 password hash $h$6$rwDMX16u/m20RTvD$zMOoeaL7BWKTX6jqLVkTRLPI0ruTR/u9BcYqTGKgeeJRlWZkmKiJvZOVKZFdwyZRdR6BtGFod5B1wU2A44bxPA==

 service-type ftp                                                              

 authorization-attribute user-role network-admin                               

 authorization-attribute user-role network-operator                            

#                                                                              

local-user netconf class manage                                                

 password hash $h$6$FlkeroEZMPK9A77u$fDmg7d9YKRCsB7NUGDKJ2kuwhBl5QwXVRTEdln/PfB91YX6adtOBtHOEa1jxqmTYPD2j20DY7x1vPwLYxE1Jbg==

 service-type http https                                                       

 authorization-attribute user-role network-admin                                

 authorization-attribute user-role network-operator                            

#                                                                              

local-user root class manage                                                    

 password hash $h$6$PGDmfTCfrRnzPsg6$/mA/ALm5x4MDDdYL78atqtzUD/c9PT/NBbp+JNH20r0pyCrD/y6NslPmhkjboP5UCov5DgogvEAWI5xexEBr3g==

 service-type telnet                                                            

 authorization-attribute user-role network-operator                            

#                                                                              

local-user h3c class network                                                   

 password cipher $c$3$glkcoI0S7vESuuKc0c5FmY2ZKyMxbg==                         

 service-type ipoe                                                             

 authorization-attribute user-role network-operator                            

#                                                                               

local-user root class network                                                  

 password cipher $c$3$SEbnDP8DNuFAAsPq6L28uxrMnRtWSw==                         

 authorization-attribute user-role network-operator                            

#                                                                              

local-user user class network                                                  

 password cipher $c$3$sgrJNrFcOJ5OLYRUhjCaLyJkJfyvl18vMA==                     

 service-type ipoe                                                             

 service-type ppp                                                              

 authorization-attribute user-role network-operator                             

#                                                                              

 ftp server enable                                                             

#                                                                              

 session service-location acl 3000 failover-group nat                          

 session statistics enable                                                     

 session synchronization enable                                                

#                                                                              

 nat log enable                                                                

 nat log flow-begin                                                             

 nat log flow-end                                                              

 nat port-block synchronization enable                                         

#                                                                               

nat address-group 1                                                            

 failover-group nat                                                            

 port-range 1500 65499                                                          

 port-block block-size 1000                                                    

 address 27.204.231.0 27.204.231.0                                             

 address 27.204.231.1 27.204.231.1                                              

 address 27.204.231.127 27.204.231.255                                         

#                                                                              

l2tp-group 1 mode lns                                                           

 allow l2tp virtual-template 2                                                 

 tunnel timer hello 1000                                                       

 undo tunnel authentication                                                    

 tunnel name LNS                                                               

#                                                                              

 l2tp enable                                                                   

#                                                                               

 netconf soap http enable                                                      

 netconf soap https enable                                                     

 netconf soap idle-timeout 999                                                 

#                                                                              

return                         

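As an added example (not code from the original post or from H3C), a small Python audit of the configuration dump above: it splits the dump into `#`-delimited stanzas, computes how many port blocks `nat address-group 1` can hand out (the ceiling on concurrent NAT subscribers before the pool exhaustion described in the first answer forces users offline), and flags the management settings a reviewer would question (VTY lines with `authentication-mode none`, default SNMP community strings, L2TP tunnel authentication disabled, the FTP server). `SAMPLE_CONFIG` is a constructed excerpt of the posted stanzas.

```python
# Added example, not code from the original post: audit of the Comware config
# dump shown above. SAMPLE_CONFIG is a constructed excerpt of the posted stanzas.
import ipaddress
import re

SAMPLE_CONFIG = """\
#
line vty 0 10
 authentication-mode none
 user-role network-admin
#
 snmp-agent community write private
 snmp-agent community read publi
 snmp-agent community read public
#
nat address-group 1
 port-range 1500 65499
 port-block block-size 1000
 address 27.204.231.0 27.204.231.0
 address 27.204.231.1 27.204.231.1
 address 27.204.231.127 27.204.231.255
#
l2tp-group 1 mode lns
 undo tunnel authentication
#
 ftp server enable
#
"""

# Vendor-default community strings that should never survive into production.
DEFAULT_COMMUNITIES = {"public", "private"}


def stanzas(config):
    """Split a 'display current-configuration' dump into '#'-delimited stanzas."""
    out, cur = [], []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.strip() == "#":
            if cur:
                out.append(cur)
            cur = []
        elif line.strip():
            cur.append(line)
    if cur:
        out.append(cur)
    return out


def port_block_capacity(config, group="1"):
    """Return (public addresses, port blocks per address, total port blocks).
    Every concurrent subscriber holds at least one block, so the total is the
    ceiling on NAT users before the address group is exhausted."""
    lo = hi = block = None
    addresses = 0
    for st in stanzas(config):
        if st[0].strip() != f"nat address-group {group}":
            continue
        for line in st[1:]:
            parts = line.split()
            if parts[0] == "port-range":
                lo, hi = int(parts[1]), int(parts[2])
            elif parts[:2] == ["port-block", "block-size"]:
                block = int(parts[2])
            elif parts[0] == "address":  # inclusive start/end of a public range
                first = int(ipaddress.IPv4Address(parts[1]))
                last = int(ipaddress.IPv4Address(parts[2]))
                addresses += last - first + 1
    if None in (lo, hi, block):
        raise ValueError(f"nat address-group {group}: port-block settings not found")
    per_address = (hi - lo + 1) // block
    return addresses, per_address, addresses * per_address


def audit(config):
    """Flag management settings a reviewer would question in the posted config."""
    findings = []
    for st in stanzas(config):
        head = st[0].strip()
        body = {l.strip() for l in st[1:]}
        if head.startswith("line vty") and "authentication-mode none" in body:
            findings.append(f"{head}: remote login lines with no authentication")
        if head.startswith("l2tp-group") and "undo tunnel authentication" in body:
            findings.append(f"{head}: L2TP tunnel authentication disabled")
        for line in (l.strip() for l in st):
            m = re.match(r"snmp-agent community (read|write) (\S+)", line)
            if m and m.group(2) in DEFAULT_COMMUNITIES:
                findings.append(f"snmp-agent: default {m.group(1)} community '{m.group(2)}'")
            if line == "ftp server enable":
                findings.append("ftp server enable: cleartext FTP management service")
    return findings
```

Run against the constructed excerpt, `port_block_capacity` returns 131 addresses with 64 blocks each (8384 concurrent subscribers at most), and `audit` reports five findings; the mistyped community `publi` is not a vendor default and is left for a human to judge.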

Followers: 103 Following: 8

Look it up in the manual:

https://www.h3c.com/cn/Service/Document_Software/Document_Center/Routers/Catalog/CR/CR16000-F/?category=188054
