7750BRAS维护与配置(SR功能篇)

第60页共77页 7750SR/BRAS维护与配置(SR功能篇）

1. 设备配置命令说明 41.1. System基本配置 41.2. Log配置 71.3. Port配置 91.3.1上行端口和互联PORT端口配置 91.3.2下联端口配置 101.4. IGP协议配置 141.4.1OSPF协议配置 141.4.2ISIS协议配置 171.5. Mpls、LDP协议配置 191.6. 设备安全配置（security） 241.6.1设备访问安全 241.6.2主CPU保护 281.7. VPN-BGP配置 351.8. Policy配置 381.9. 业务配置 401.9.1IES业务配置 411.9.2二层VPNvpls业务配置 451.9.3三层VPNVPRN业务配置 481.10. SNMP配置 521.11. Cflowd配置 532. 业务运行状态检查命令 552.1查看设备Port端口运行状态 552.1.1查看设备所有Port端口运行状态 552.1.2查看设备单个Port端口运行状态 572.2查看Service业务运行状态 602.3检查路由器接口运行状态 622.3.1查看所有接口状态 622.3.1查看单个业务的接口状态 642.4查看设备MAC地址表信息 662.4.1查看所有MAC地址表 662.4.2查看单个业务的MAC地址表 692.5查看设备路由表信息 702.5.1查看所有路由表地址表 702.5.2查看某个业务的路由表 723. 故障排除方法说明 733.1光路正常但port端口down 733.2 ping不通对端地址 733.3 ISIS邻接关系无法建立 733.4 BGP邻居无法正常建立 733.5 BGP表中有路由，但路由没有被放进vpn路由表中 733.6 VPN中用户CE设备无法访问远端 743.7VPLS故障分析 743.7.1按照下列配置做mac-filter 743.7.2在VPLS中应用MAC-FILTER 753.8.3通过分析LOG找出问题 754删除Service配置步骤 764.1删除单个sapService配置步骤 764.2删除多个sapService配置步骤 76设备配置命令说明System基本配置chassis-mode要配置为C，以支持新的feature。关闭外部参考时钟（一般现场均没有接）多链路负载平衡SNMP报文大小9216telnet的session限制为设置为最大数7。最好定义预设登陆消息，避免设备信息泄露时间同步由用户提供时钟源（一般是上级路由器，也可能是一台服务器，可能加密）时区自定义为GMT808（BJ08）（BEIJ08）配置示例：configuresystemname"ZJJIH-MC-CMNET-SR/BRAS3-DYYDJF1"chassis-modecl4-load-balancinglsr-load-balancinglbl-ipsync-if-timingbeginref1shutdownexitref2shutdownexitbitsshutdownexitcommitexitsnmppacket-size9216exitlogin-controlftpinbound-max-sessions5exittelnetinbound-max-sessions7outbound-max-sessions7idle-timeout15exitpre-login-message"Authorisedaccessonly,ThissystemisthepropertyofInternet,DisconnectIMMEDIATELYifyouarenotanauthoriseduser!Contactmanagerforhelp."nologin-bannerexittimentpauthentication-key1key"OAwgNUlbzgI"hash2typemessage-digestserverkey1version3preferserverkey1version3server9noshutdownexitsntpshutdownexitzoneBJ08（zoneGMT808zoneBEIJ08）exitthresholdsrmonexitexitexit#echo"RedundancyConfiguration"#redundancysynchronizeconfig（boot-env）exit检查命令：showchassis查看chassismode是否为C。Showtime查看系统时间。修改时间adminset-time2010/11/1219:04:38adminset-time-set-time<date><time><date>:YYYY/MM/DD<time>:hh:mm[:ss]#echo"CardConfiguration"#card5card-typeiom2-20gmda1mda-typem10-1gb-sfp-bingressmcast-path-managementshutdownexitexitexitmda2mda-typem2-oc48-sfpingressmcast-path-managementshutdownexitexitexitexit注：mcast-path-management为加强安全，关闭mcast-path，Log配置配置本地log用于保存7750SR的日常设备信息，log-id为50，file-id为50。配置示例：根据log99报告情况，适当抑制一些报告，避免系统报告太多#echo"LogConfiguration"#logevent-control"chassis"2063generateevent-control"system"2006suppressevent-control"system"2007suppressevent-control"system"2008suppressevent-control"system"2009suppressevent-control"system"2011suppressfile-id30locationcf3:rollover600retention24exitlog-id30time-formatlocalfromdebug-tracetofile30exitsyslog1address50facilitylocal4levelcriticalexitlog-id97frommainsecuritychangetosyslog1exitsyslog2description"To-Syslog-Server"addressfacilitylocal5levelcriticalexitlog-id96frommainsecuritychangetosyslog2exitsnmp-trap-group98trap-target"4:162"address4snmpv2cnotify-community"SR/BRAS11-DYYDJF1"exitlog-id98frommaintosnmpexitexitl#echo"FilterLogConfiguration"#filterlog102createexitexit检查命令：Showloglog-id10查看本地LOGShowlogevent-control查看系统报告数量和开关情况Port配置1.3.1上行端口和互联PORT端口配置根据上行或互联的端口类型和协商方式配置。根据端口不同，配置相应协议Ethernet,sonnet-sdh，根据时钟同步要求，确定是否提取时钟clock-sourcenode-timed3．多链路捆绑，多个端口属性必须一致4．多链路捆绑，链路协议需要和对端一致，对端启用lacp，本地也启用lacp5．多链路捆绑，active表示主动发链路消息，passive表示只是被动回应链路消息至少有一端必须是active例子一：10GEconfigport2/1/1description"ToZJJXI-MB-CMNET-RT02ge-1/1/010G"ethernetmtu1550exitnoshutdown例子二：1GEconfigureport1/1/1description"To_JH_JH_NE5000E_1ge"ethernetmtu1550noautonegotiateexitnoshutdown例子三：10GPOSconfigureport6/1/1description"TO-QZ-QZ-NJ-t320-so-2/1/1"sonet-sdhframingsdhclock-sourcenode-timedpathmtu4472scramblenoshutdownexitexitnoshutdownexit例子四：2.5GPOSconfigureport6/1/1description"To_QZ_XDL_R1_T320_1.MAN_so-6/0/1"sonet-sdhframingsdhpathmtu4470scramblereport-alarmpaisprdipreinoshutdownexitexitnoshutdownexit例子三：多端口捆绑lag2*1GEconfigureport1/1/1description"ToZJJXI-MC-CMNET-RT07-TXYDJF_7750ge-1/1/11Glag1-1"ethernetmtu1550noautonegotiateexitnoshutdownconfigureport1/1/2description"ToZJJXI-MC-CMNET-RT07-TXYDJF_7750ge-1/1/21Glag1-2"ethernetmtu1550noautonegotiateexitnoshutdownconfigurelag1description"ToZJJXI-MC-CMNET-RT07-TXYDJF_7750lag12G"port1/1/1port1/1/2noshutdown1.3.2下联端口配置根据下联交换机的端口类型和协商方式灵活配置。采用7750物理端口与下联设备直联就不需要封装dot1Q，如果有VLAN则需要封装dot1Q或qinq目前移动要求全部采用QINQ方式。端口下配置的用户数据，如需配置IES、VLL、VPLS、VPRN等数据就需要设置mode为access。与下联设备不需要协商需要配置noautonegotiate。4．多链路捆绑，多个端口属性必须一致5．多链路捆绑，链路协议需要和对端一致，对端启用lacp，本地也启用lacp6．多链路捆绑，lactive表示主动发链路消息，passive表示只是被动回应链路消息配置示例：下联二层路由器:单端口QINQconfigureport1/1/4description"NanH-S6503"ethernetmodeaccessencap-typeqinqnoautonegotiateexitnoshutdownexitexitallconfigureport1/1/15description"JHWY-xiacheng-OLT"ethernetmodeaccessencap-typeqinqnoautonegotiateexitnoshutdownexitexitall下联二层路由器：多链路捆绑configureport1/1/3description"LAG2-To-GuangDian-LAG-port1"ethernetmodeaccessencap-typeqinqnoautonegotiateexitnoshutdownexitallconfigureport1/1/4description"LAG2-To-GuangDian-LAG-port2"ethernetmodeaccessencap-typeqinqnoautonegotiateexitnoshutdownconfigurelag2description"To-GuangDian-LAG2"modeaccessencap-typeqinqport1/1/3port1/1/4lacpactiveadministrative-key32768noshutdown检查命令：Showport查看端口状态是否UP。showlag查看LAG状态是否up*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showport===============================================================================PortsonSlot1===============================================================================PortAdminLinkPortCfgOperLAG/PortPortPortSFP/XFP/IdStateStateMTUMTUBndlModeEncpTypeMDIMDX1/1/1UpYesUp155015501netwnullxcmeGIGE-LX10KM1/1/2UpYesUp155015501netwnullxcmeGIGE-LX10KM1/1/3DownNoDown92129212-netwnullxcmeGIGE-LX80KM1/1/4DownNoDown92129212-netwnullxcmeGIGE-LX40KM1/1/5UpYesUp15221522-accsqinqxcmeGIGE-LX10KM1/1/6UpYesUp15221522-accsqinqxcmeGIGE-LX40KM1/1/7UpYesUp15221522-accsqinqxcmeGIGE-LX40KM1/1/8UpNoDown15221522-accsqinqxcmeGIGE-LX10KM1/1/9UpYesUp15221522-accsqinqxcmeGIGE-LX10KM1/1/10UpYesUp152215223accsqinqxcmeGIGE-LX40KM1/1/11UpNoDown152215223accsqinqxcmeGIGE-LX40KM1/1/12UpYesUp152215224accsqinqxcmeGIGE-LX40KM1/1/13UpNoDown152215224accsqinqxcmeGIGE-LX40KM1/1/14UpYesUp15221522-accsqinqxcmeGIGE-LX40KM1/1/15UpYesUp15221522-accsqinqxcmeGIGE-LX40KM1/1/16UpYesUp15221522-accsqinqxcmeGIGE-LX10KM1/1/17UpYesUp15221522-accsqinqxcmeGIGE-LX10KM1/1/18UpYesUp15181518-accsdotqxcmeGIGE-LX10KM1/1/19UpNoDown152215225accsqinqxcmeGIGE-LX80KM1/1/20UpYesUp152215225accsqinqxcmeGIGE-LX10KM===============================================================================PortsonSlot2===============================================================================PortAdminLinkPortCfgOperLAG/PortPortPortSFP/XFP/IdStateStateMTUMTUBndlModeEncpTypeMDIMDX2/1/1UpYesUp15501550-netwnullxgige10GBASE-LR10*===============================================================================PortsonSlotA===============================================================================PortAdminLinkPortCfgOperLAG/PortPortPortSFP/XFP/IdStateStateMTUMTUBndlModeEncpTypeMDIMDXA/1UpNoDown15141514-netwnullfaste===============================================================================PortsonSlotB===============================================================================PortAdminLinkPortCfgOperLAG/PortPortPortSFP/XFP/IdStateStateMTUMTUBndlModeEncpTypeMDIMDXB/1UpNoDown15141514-netwnullfaste===============================================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showlag===============================================================================LagData===============================================================================Lag-idAdmOprPort-ThresholdUp-Link-CountMCAct/Stdby1upup02N/A2downdown00N/A3upup01N/A4upup01N/A5upup01N/A11downdown00N/ATotalLag-ids:6SingleChassis:6MCAct:0MCStdby:0===============================================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#

IGP协议配置1.4.1OSPF协议配置1设备的唯一标识地址系统默认名字为system，配置IP地址X.X.X.X。2设备管理地址loopback配置IP地址Y.Y.Y.Y3配置系统自治号为64850。4打开多链路负载均衡ECMP设置为16。5配置设备router-id为协议互联地址，必须是loopback/32地址，一般使用system地址。配置示例：a定义network互联接口#echo"IPConfiguration"#interface"ge-2/1/1"address30/30description"ToZJJXI-MB-CMNET-RT02ge-1/0/110G"port2/1/1exitinterface"lag1"address54/30description"ToZJJXI-MC-CMNET-RT03-NanHu_7750lag12G"portlag-1exitinterface"loopback0"address7/32loopbackexitinterface"system"address8/32local-dhcp-server"pppoe"exitautonomous-system64850ecmp8//equalcostmulti-pathrouter-id8exitallb定义access互联接口configureserviceies10002customer10002createinterface"to-gaozhongyuanqu6503"createaddress3/30sap1/1/14:18.0createexitexitnoshutdownexitexitallC在OSPF协议加入接口configurerouterospfasbrreference-bandwidth40000000export"export-direct-to-ospf"graceful-restartexitareainterface"system"exitinterface"lag1"metric10exitinterface"ge-2/1/1"exitinterface"loopback0"exitinterface"to-gaozhongyuanqu6503"exitexitexit检查命令：showrouterospfinterface查看interface是否UP。showrouterecmp查看ecmp是否打开。showrouterospfneighter查看邻居状态是否正常showrouterospfstatusshowrouterospfdatabase查看OSPF路由数据库-database[type{router|network|summary|asbr-summary|external|nssa|all}][area<area-id>][adv-router<router-id>][<link-state-id>][detail]*A:ZJJXI-MC-CMNET-RT002-XieXi_7750>config>service#showrouterospfinterface=============================================================================OSPFInterfaces=============================================================================IfNameAreaIdDesignatedRtrBkupDesigRtrAdmOpersystem7UpDRlag179UpDRge-2/1/1367UpBDRloopback07UpDRto-gaozhongyuanqu65037UpDRNo.ofOSPFInterfaces:5=============================================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750>config>service#*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showrouterospfneighbor=============================================================================OSPFNeighbors=============================================================================Interface-NameRtrIdStatePriRetxQTTLlag19Full1037ge-2/1/136Full1035No.ofNeighbors:2=============================================================================

1.4.2ISIS协议配置配置ISIS为leverl-1配置area-id为86.4661.0573（按照规划配置）将system、上联，互联的接口、与下联设备互联接口加入到ISIS进程。配置示例：isislevel-capabilitylevel-1area-id86.4665.0514traffic-engineeringlevel1wide-metrics-onlyexitinterface"system"level-capabilitylevel-1exitinterface"to_SYL12416-1_1"level-capabilitylevel-1level1metric200exitexitinterface"to_SYL12416-1_2"level-capabilitylevel-1level1metric200exitexitinterface"to_DBL12416-1_1"level-capabilitylevel-1level1metric200exitexitinterface"to_DBL12416-1_2"level-capabilitylevel-1level1metric200

exitexitexit检查命令：showrouterisisadjacency查看ISIS邻接是否建立。

Mpls、LDP协议配置将system、上联设备的接口，互联设备的接口加入到MPLS和LDP进程。按照需要将下联设备的接口加入到MPLS和LDP进程。配置示例：a配置标签限制策略configurerouterpolicy-optionsbeginprefix-list"system1"prefix/0prefix-length-range32-32exitpolicy-statement"label-filter"entry10fromprefix-list"system1"exitactionacceptexitexitentry20actionrejectexitexitcommitexitallb配置MPLS接口（routerid地址必须加入MPLS）configureroutermplsnoshutdowninterface"system"exitinterface"ge-1/1/1"exitinterface"ge-1/1/2"exitexitc配置LDP接口（引用标签限制策略）ldpexport"label-filter"interface-parametersinterface"ge-1/1/1"exitinterface"ge-1/1/2"exitexittargeted-sessionexitexitexitall检查命令：showroutermplsinterface查看Mpls接口是否正常upshowrouterldpsession查看LDP邻接是否成功建立Established。showrouterldpdiscovery查看LDP邻接是否成功建立Establ。showrouterldpbinding查看LDP标签发布情况l。showrouterldpbindingprefixx.x.x.x/32查看LDP某个目的地的标签发布情况。*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showroutermplsinterface==================================================MPLSInterfaces==================================================InterfacePort-idAdmOprTE-metricsystemsystemUpUpNoneAdminGroupsNoneSrlgGroupsNonelag1lag-1UpUpNoneAdminGroupsNoneSrlgGroupsNonege-2/1/12/1/1UpUpNoneAdminGroupsNoneSrlgGroupsNoneInterfaces:3==================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showrouterldpsession==================================================LDPSessions==================================================PeerLDPIdAdjTypeStateMsgSentMsgRecvUpTime0:0LinkEstablished4340179430313918d02:08:220:0LinkEstablished3049446188783117d17:09:49No.ofSessions:2==================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showrouterldpdiscovery==================================================LDPHelloAdjacencies==================================================InterfaceNameLocalAddrPeerAddrAdjTypeStatelag180LinkEstabge-2/1/180LinkEstabNo.ofHelloAdjacencies:2==================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showrouterldpbindingsprefix0/32==================================================LDPLSRID:8==================================================Legend:U-LabelInUse,N-LabelNotInUse,W-LabelWithdrawnWP-LabelWithdrawPending==================================================LDPPrefixBindings==================================================PrefixPeerIngLblEgrLblEgrIntfEgrNextHop0/320128578N12022/1/1290/320128578U128458----No.ofPrefixBindings:2==================================================*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showrouterldpbindingsactiveprefix0/32==================================================Legend:(S)-Static(M)-Multi-homedSecondarySupport(B)-BGPNextHop==================================================LDPPrefixBindings(Active)==================================================PrefixOpIngLblEgrLblEgrIntf/LspIdEgrNextHop0/32Push--12022/1/1290/32Swap12857812022/1/129No.ofPrefixActiveBindings:2*A:ZJJXI-MC-CMNET-RT002-XieXi_7750#showrouterldpbindings-bindings[fec-type<prefixes|services>][detail|summary][session<ip-addr[:label-space]>]-bindings[fec-typep2mp][p2mp-id<identifier>root<ip-address>][detail|summary][session<ip-addr[:label-space]>]-bindings<label-type><start-label>[<end-label>]-bindings{prefix<ip-prefix/mask>[detail]}[session<ip-addr[:label-space]>]-bindingsactive[fec-typeprefixes][prefix<ip-prefix/mask>][egress-nh<ip-prefix/mask>|egress-if<port-id>|egress-lsp<tunnel-id>][summary]-bindingsactive[fec-typep2mp][p2mp-id<identifier>root<ip-address>][egress-nh<ip-prefix/mask>|egress-if<port-id>|egress-lsp<tunnel-id>][summary]-bindingsservice-id<service-id>[detail]-bindingsvc-type<vc-type>[{vc-id<vc-id>|agi<agi>}[session<ip-addr[:label-space]>]]-bindingsp2mp-id<identifier>root<ip-address>[detail]<fec-type>:prefixes|services|p2mp-keywords<ip-addr[:label-sp*>:ip-addr-a.b.c.dlabel-space-[0..65535]<ip-prefix/mask>:ip-prefixa.b.c.d(hostbitsmustbe0)mask[0..32]<vc-type>:<ethernet|vlan|mirror|frdlci|atmsdu|atmcell|atmvcc|atmvpc|ipipe|satop-e1|satop-t1|cesopsn|cesopsn-cas>-keywords<vc-id>:[1..4294967295]<service-id>:[1..2147483648]|<svc-name:64charmax><label-type>:ingress-label|egress-label-keywords<start-label>:[16..1048575]<end-label>:[17..1048575]<active>:keyword<detail>:keyword<agi>:<ip-addr:comm-val>|<2byte-asnumber:ext-comm-val>|<4byte-asnumber:comm-val>ip-addr-a.b.c.dcomm-val-[0..65535]2byte-asnumber-[1..65535]ext-comm-val-[0..4294967295]4byte-asnumber-[1..4294967295]<identifier>:[0..4294967295]<ip-address>:a.b.c.d<tunnel-id>:[0..4294967295]<port-id>:slot[/mda[/port]]orslot/mda/port[.channel]aps-id-aps-<group-id>[.channel]aps-keywordgroup-id-[1..64]ccag-id-slot/mda/<path-id>[cc-type]path-id-[a|b]cc-type-[.sap-net|.net-sap]

设备安全配置（security）1.6.1设备访问安全开启telnet、snmp服务。并对访问IP进行限制。全网7750SR设备关闭FTP，SSH服务。配置IPV6-filter。对每台7750SR的普通上网用户和每个VPRN用户都要进行IPV6包的过滤。配置示例：configuresystemsecuritytelnet-servernoftp-servermanagement-access-filterip-filterdefault-actionpermitentry1description"forssh,entry001-100"src-ip9/32dst-port2265535actionpermitexitentry2src-ip6/27dst-port2265535actionpermitexitentry100description"forsshsecurity,rejectotherip"dst-port2265535actiondenyexitentry101description"fortelnet,entry101-200"src-ip9/32dst-port2365535actionpermitexitentry102src-ip6/27dst-port2365535actionpermitexitentry200description"fortelnetsecurity,rejectotherip"dst-port2365535actiondenyexitentry201description"forsnmpsecurity,entry201-300"src-ip/23dst-port16165535actionpermitexitentry202src-ip40/28dst-port16165535actionpermitexitentry300description"forsnmpsecurity,rejectotherip"dst-port16165535actiondenyexitexitexitpasswordauthentication-ordertacpluslocalexit-on-rejectattempts3time5lockout0exittacplusaccountingauthorizationserver1address41secret"c0U/mpLwwC03lOPC3MHySE"hash2server2address83secret"WZBK9MwJl5FLJURrtaiD6."hash2exitsource-addressxxx.xxx.xxx.xxx//defaultsystemaddressifnotdefineexitall注：exit-on-reject--提供AAA认证取TACPLUS内容,如果加了EXIT-ONF-REJECT，则3A服务器上没有这个用户名密码的话，则本地帐号也无法登陆

本地用户权限管理：1系统默认账号user"admin"password"VeuGBy9agmYtpDhhW0yi359H.JvK5.8c"hash2accessconsoleftpsnmp

consolemember"administrative"exitexit创建一个新权限，并且应用（注：对本地用户有效，AAA认证由服务器控制）例子a：开放全部权限并应用与用户账号profile"zcuc"default-actionpermit-allexituser"zcuc"password"f9GWVwcz08n3aMW6R1aHek"hash2accessconsoleftpsnmpconsolemember"default"member"zcuc"exitexit例子b：有限制的权限并且应用于用户账号profile"showonly"default-actionpermit-allentry10match"configure"actiondenyexitentry20match"admin"actiondenyexitentry30match"debug"actiondenyexitentry40match"tools"actiondenyexitentry50match"clear"actiondenyexitentry60match"file"actiondenyexitentry70match"bof"actiondenyexitexituser"hzjk"pa