MX960 PPPoE配置注释.doc

MX960 PPPoE配置注释 普天国脉网络科技有限公司版权所有 侵权必究文档类别设备维护 工程实施 流程规范 配置案例 故障案例 行政管理 基础理论 文档密级内部公开 内部限制 外部公开 外部限制 绝密文档 文档作者童建喜文档审核文档摘要当前文档版本V1.0文档所属部门杭州售后服务支持部文档使用对象售后技术支持工程师记修订录版本修订日期修订说明编写/修订人V1.02013-09-9第一次发布童建喜目录1.配置注释42.相关维护命令312.1.如何查看用户在线数量312.2.如何查看根据用户名查该用户所在的VLAN信息312.3.如何查看当前用户会话数或者ppp会话数322.4.PPPOE中地址池分配IP机制322.5.如何查看BRAS上收到PPPoE各个阶段的报文统计数量332.6.怎么查看BRAS中不同VR中不同地址池的使用情况382.7.PPPoE在没有匹配限速策略时，默认获得的速度是多少392.8.如何查看PPPoE用户被分配的带宽大小392.9.如何配置PPPoE中QinQ的内层和外层标签的范围412.10.如何根据用户名查看用户所在地址池和分配的IP地址421. 配置注释* WARNING * * Authorised access only, all of your done will be recorded! * * IMMEDIATELY disconnect if you are not an authorised user! * * *YWGD_MX480-1.RE0 (ttyp0)login: login: guomaiPassword:- JUNOS 11.4X27.51 built 2013-07-15 19:29:27 UTCmasterguomaiYWGD_MX480-1.RE0 sh6 unknown command.guomaiYWGD_MX480-1.RE0 show configuration | no-more # Last commit: 2013-08-09 12:12:46 CST by guomaiversion 11.4X27.51;groups re0 system host-name YWGD_MX480-1.RE0; re1 system host-name YWGD_MX480-1.RE1;定义两个group re0和re1来命名主备RE（引擎）； apply-groups re0 re1 ;在此处应用group re0和re1；dynamic-profiles pppoe定义一个动态模板（dynamic profile）叫pppoe； predefined-variable-defaults input-filter 512k; output-filter 512k;定义默认限速策略的预配置，即当radius返回的限速策略异常就会调用该默认512k策略； routing-instances $junos-routing-instance interface $junos-interface-name unicast;在动态模板中配置关于routing-instances（即VR）动态变量 routing-options access-internal route $junos-subscriber-ip-address qualified-next-hop $junos-interface-name;配置关于pppoe用户的内部路由 interfaces pp0 定义pp0接口 unit $junos-interface-unit no-traps;pppoe用户上下线时引起的pp0接口up/down信息不会发送给snmp网管设备 ppp-options pap采用ppp中pap的认证方式; pppoe-options underlying-interface $junos-underlying-interface; server;配置设备运行在pppoe server模式 keepalives interval 30; family inet rpf-check; filter input $junos-input-filter; output $junos-output-filter;配置策略变量，即radius返回的策略会通过该变量应用到各个用户子接口上 unnumbered-address $junos-loopback-interface; autovlan定义一个名叫autovlan的dynamic profile interfaces $junos-interface-ifd-name unit $junos-interface-unit vlan-id $junos-vlan-id;配置动态vlan变量 family pppoe duplicate-protection;开启重复拨号保护 dynamic-profile pppoe;在此调用pppoe dynamic profile short-cycle-protection lockout-time-min 1; lockout-time-max 900; system time-zone Asia/Shanghai;配置该设备的时区为Asia/Shanghai ports console log-out-on-disconnect; root-authentication 设置超级用户root的密码 encrypted-password $1$dWomk0w2$05fWN35qBcDZCtoeJxW86.; # SECRET-DATA dynamic-profile-options versioning; login message *n* WARNING *n* *n* Authorised access only, all of your done will be recorded! *n* *n* IMMEDIATELY disconnect if you are not an authorised user! *n* *n* *n*n; class super-user-remote idle-timeout 120;远程用户登录的时限，这里为120s无操作就断开连接 permissions all; user guomai创建一个guomai用户 uid 2000; class super-user权限类别为超级用户权限; authentication 设置guomai用户的密码 encrypted-password $1$qxE/F8LR$H5EPD2W1LQzr8HkQjAdwP.; # SECRET-DATA user ywgd uid 2001; class super-user; authentication encrypted-password $1$6jYddKE5$vUTQBONcH9xwfcUH6CEmH0; # SECRET-DATA services ftp; telnet;开启系统服务，这里开启了ftp和telnet服务 syslog 配置系统日志 user * any emergency;Emergency级别的告警日志直接弹出通告所有登录用户 file messages any warning; authorization info; explicit-priority;将所有warning及以上级别syslog和认证信息都放在名叫messages文件中 file interactive-commands interactive-commands any;将命令操作日志记录在名叫interactive-commands文件中 file troubleshooting any any; archive size 10m files 10; explicit-priority; time-format year; commit synchronize;Commit同步，保存时将主备引擎同步 ddos-protection protocols pppoe padt fpc 0 bandwidth-scale 60; burst-scale 60; fpc 1 bandwidth-scale 60; burst-scale 60;配置ddos的保护，这里主要是针对pppoe中padt报文 chassis redundancy failover on-loss-of-keepalives; on-disk-failure; graceful-switchover配置平滑的引擎切换; aggregated-devices ethernet device-count 8;配置聚合口（ae口）个数的最大值 alarm management-ethernet link-down ignore;忽略管理接口fxp的link-down告警 interfaces xe-0/0/0 description TO_CR16008-1_Tg1/3/0/1;配置接口描述 flexible-vlan-tagging需要处理vlan tag的接口需要配置成vlan-tagging模式; auto-configure vlan-ranges dynamic-profile autovlan 调用dynamic profile autovlan accept pppoe;只对pppoe的报文响应 ranges any;配置可以接受的vlan id 范围 remove-when-no-subscribers;当不存在pppoe用户session时自动清除用户的vlans link-mode full-duplex; gigether-options no-auto-negotiation全双工，不自动协商; unit 11 description TO_manage; vlan-id 900; family inet address 1/24;新起一个带vlan-id子接口， xe-0/1/0 description TO_CR16008-2_Tg1/3/0/2; flexible-vlan-tagging; auto-configure vlan-ranges dynamic-profile autovlan accept pppoe; ranges any; remove-when-no-subscribers; link-mode full-duplex; gigether-options no-auto-negotiation; ge-1/0/0 description to_MX480-2_ge-1/0/0; gigether-options 802.3ad ae1; ge-1/0/1 description to_MX480-2_ge-1/0/1; gigether-options 802.3ad ae1;将ge-1/0/0和ge-1/0/1聚合成ae1 ge-1/1/0 description TO_wasu_OTN-G3; speed 1g; link-mode full-duplex; gigether-options no-auto-negotiation; unit 0 family inet address 42/30; ge-1/1/9 unit 0 family inet address /24; ae1 flexible-vlan-tagging; unit 10 description TO_MX480-2_ae1.10_for_wasu; vlan-id 10; family inet address 49/30;将物理接口聚合后，所有的配置只需在ae口上进行 fxp0Fxp0为MX480上的管理接口 unit 0 family inet address /24; lo0配置loopback0接口 unit 0 family inet filter input Protect_RE_ACL;在入方向调用filter Protect_RE_ACL address /32; unit 1 family inet address 21/32; snmp community TswcbyyQjsjhfl14! authorization read-only; client-list-name SNMPAccessACL;配置snmp，这里创建了一个名叫TswcbyyQjsjhfl14!团体，只读权限 routing-options nonstop-routing;引擎切换时不会引起路由的震荡 static route /16 next-hop ;配置静态路由 forwarding-table export please-load-balance-traffic;调用policy please-load-balance-traffic，配置流量转发负载均衡 protocols ppp-service dns-group-profile dns;调用dns-group-profile lldp在以下几个接口上配置lldp（链路层发现协议） interface ge-1/0/0; interface ge-1/0/1; interface ge-1/1/0; interface ge-1/1/9; policy-options prefix-list ftp-permit; prefix-list ospf-permit 41/32; 50/32;定义一个名叫ospf-permit的prefix-list，并添加列表中添加ip前缀 prefix-list bgp-permit apply-path protocols bgp group neighbor ;在prefix-list中使用正则表达式来添加匹配的信息 prefix-list bfd-permit; prefix-list snmp-permit; prefix-list ntp-permit; prefix-list tacacs_permit; prefix-list radius-permit 38/32; 39/32; prefix-list rsvp-permit; prefix-list ldp-permit; prefix-list msdp-permit apply-path protocols msdp group peer ; prefix-list tacacs-permit; prefix-list gre-permit; prefix-list telnet-permit /0; prefix-list MAN_RT /8; /15; /16; /15; /16; policy-statement please-load-balance-traffic then load-balance per-packet;定义policy please-load-balance-traffic，动作为根据每个包来负载均衡 policy-statement static-to-ospf term 1 from protocol static; route-filter /19 exact; route-filter /19 exact; route-filter /19 exact; route-filter /19 exact; then accept; firewall family inet filter Protect_RE_ACL 定义一个filter Protect_RE_ACL term ospf from source-prefix-list ospf-permit; protocol ospf;新建一个term为ospf，匹配条件为prefix-list ospf-permit中的ip前缀并且是启用ospf的； then accept;执行的动作为accept term bgp from source-prefix-list bgp-permit; protocol tcp; port bgp; then count bgp; accept; term fragment1 from first-fragment; then count fragment1; discard;将匹配的报文个数统计在frament1中，然后丢弃 term fragment2 from is-fragment; then count fragment2; discard; term icmp-ping from protocol icmp; icmp-type echo-request echo-reply ; then policer 10m; count icmp-ping; accept; term icmp-ttl from protocol icmp; icmp-type time-exceeded; icmp-code ttl-eq-zero-during-transit; then policer 500k; count icmp-ttl; accept; term traceroute from protocol udp; destination-port 33434-33678; then policer 500k; count traceroute; accept; term telnet_ssh from source-prefix-list telnet-permit; protocol tcp; port telnet ssh ; then policer 3m; count telnet_ssh; accept; term radius from source-prefix-list radius-permit; source-port radius; then accept; term tacacs from source-prefix-list tacacs-permit; protocol tcp; source-port tacacs; then policer 500k; count tacacs; accept; term ntp from protocol udp; source-port ntp; then policer 500k; count ntp_permit; accept; term snmp from source-prefix-list snmp-permit; protocol udp; destination-port snmp; then policer 3m; count snmp; accept;