Alcatel-7750 Configuration Guide
Alcatel 7750 SR Configuration Guide
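1. Device configuration commands
3.1 Basic System configuration
3.2 Log configuration
3.3 Port configuration
3.4 ISIS protocol configuration
3.5 MPLS and LDP protocol configuration
3.6 Security configuration
3.7 VPN-BGP configuration
3.8 Policy configuration
3.9 Service configuration
3.10 IES service configuration
3.11 VPLS service configuration
3.12 VPRN service configuration
2. Troubleshooting methods
2.1 Optical path is fine but the port is down
2.2 Cannot ping the peer address
2.3 ISIS adjacency cannot be established
2.4 BGP neighbor cannot be established
2.5 Routes are in the BGP table but are not installed in the VPN routing table
2.6 Customer CE device in a VPN cannot reach the remote end
3. Service status check commands
3.1 Viewing Service status
3.2 Checking router interface status
3.3 Viewing device Port status
3.4 Viewing the device MAC address table
4. Steps for deleting a Service configuration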
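1. Device configuration commands
3.1 Basic System configuration
1. Set chassis-mode to C to support the newer features.
2. Limit telnet sessions to the maximum of 7.
3. Define a custom time zone, BEIJ 08.
Configuration example: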
system
name "YZ-SYL-R-AC7750-01"
chassis-mode c
snmp
packet-size 9216
exit
login-control
telnet
inbound-max-sessions 7
outbound-max-sessions 7
exit
no login-banner
exit
time
sntp
shutdown
exit
zone BEIJ 08
exit
thresholds
rmon
exit
exit
exit
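Verification commands:
show chassis (check that the chassis mode is C)
show time (check the system time)
3.2 Log configuration
1. Configure a local log that stores the day-to-day device information of the 7750 SR, with log-id 11 and file-id 11.
Configuration example: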
log
file-id 11
location cf3:
exit
snmp-trap-group 98
trap-destination 61.177.191.180 "snmpv2c" notify-community "alcateltrap"
trap-destination 61.177.191.188 "snmpv2c" notify-community "yzsnmprw123"
exit
log-id 11
from security change
to file 11
exit
log-id 98
from main security
to snmp 1024
exit
exit
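Verification command:
show log log-id 10
View the local log.
3.3 Port configuration
Configure ports flexibly according to the port type and negotiation mode of the downstream switch.
1. When a 7750 physical port connects directly to the downstream device, dot1Q encapsulation is not needed; if VLANs are used, dot1Q encapsulation is required.
2. A port that carries customer data, such as IES, VLL, VPLS or VPRN, must be set to mode access.
3. If no negotiation with the downstream device is needed, configure no autonegotiate.
Configuration example: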
port 1/1/1
ethernet
exit
no shutdown
exit
port 1/1/2
ethernet
mode access
encap-type dot1q
no autonegotiate
exit
no shutdown
exit
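Verification command:
show port
Check that the port state is UP.
1. The address that uniquely identifies the device sits on the interface that the system names system by default; configure its IP address.
2. Set the system autonomous system number to 64665.
3. Enable equal-cost multipath (ECMP) load balancing and set it to 8.
4. Set the device router-id to the system address.
Configuration example: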
router
interface "system"
address 58.220.170.3/32
exit
interface "to_DBL12416-1_1"
address 58.220.165.34/30
port 2/1/1
exit
interface "to_DBL12416-1_2"
address 58.220.165.38/30
port 1/1/2
exit
interface "to_SYL12416-1_1"
address 58.220.165.42/30
port 1/1/1
exit
interface "to_SYL12416-1_2"
address 58.220.165.46/30
port 2/1/2
exit
autonomous-system 64665
ecmp 8 (equal-cost multi-path)
router-id 58.220.170.3
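Verification commands:
show router interface
Check that the interfaces are UP.
show router ecmp
Check that ecmp is enabled.
3.4 ISIS protocol configuration
1. Configure ISIS as level-1.
2. Set area-id to 86.4665.0514.
3. Add the system interface, the interfaces connected to the GSRs, and the interfaces connected to downstream devices to the ISIS process.
Configuration example: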
isis
level-capability level-1
area-id 86.4665.0514
traffic-engineering
level 1
wide-metrics-only
exit
interface "system"
level-capability level-1
exit
interface "to_SYL12416-1_1"
level-capability level-1
level 1
metric 200
exit
exit
interface "to_SYL12416-1_2"
level-capability level-1
level 1
metric 200
exit
exit
interface "to_DBL12416-1_1"
level-capability level-1
level 1
metric 200
exit
exit
interface "to_DBL12416-1_2"
level-capability level-1
level 1
metric 200
exit
exit
exit
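Verification command:
show router isis adjacency
Check that the ISIS adjacencies are established.
3.5 MPLS and LDP protocol configuration
1. Add the system interface, the interfaces connected to the GSRs, and the interfaces connected to downstream devices to the MPLS and LDP processes.
Configuration example: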
mpls
interface "system"
exit
interface "to_SYL12416-1_1"
exit
interface "to_SYL12416-1_2"
exit
interface "to_DBL12416-1_1"
exit
interface "to_DBL12416-1_2"
exit
no shutdown
exit
ldp
import "block_0_fec"
interface-parameters
interface "to_SYL12416-1_1"
exit
interface "to_SYL12416-1_2"
exit
interface "to_DBL12416-1_1"
exit
interface "to_DBL12416-1_2"
exit
exit
targeted-session
exit
exit
exit
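Verification commands:
show router mpls interface
show router ldp session
Check that the LDP adjacencies are established.
3.6 Security configuration
1. Enable the telnet and snmp services, and restrict the IP addresses allowed to access them.
2. Disable the SSH service on all 7750 SR devices network-wide.
3. Configure the IPv6 filter. On every 7750 SR, IPv6 packets must be filtered for ordinary Internet users and for every VPRN customer.
Configuration example: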
system
security
telnet-server
ftp-server
management-access-filter
default-action permit
entry 10
description "fortelnet"
action permit
src-ip 61.177.176.0/22
exit
entry 20
action permit
src-ip 61.177.191.0/27
exit
entry 30
action permit
src-ip 222.189.226.0/23
exit
entry 40
action permit
src-ip 58.220.165.0/24
exit
entry 50
action permit
src-ip 58.220.166.0/23
exit
entry 60
action permit
src-ip 58.220.168.0/23
exit
entry 70
action permit
src-ip 61.177.191.180/32
exit
entry 80
action permit
src-ip 58.220.170.0/24
exit
entry 90
action permit
src-ip 10.108.0.5/32
exit
entry 100
action deny
protocol 6
dst-port 23 65535
exit
entry 190
action deny
protocol 17
dst-port 161 65535
exit
exit
password
authentication-order tacplus local
exit
tacplus
accounting
authorization
timeout 10
single-connection
server 1 address 221.231.148.6 secret "z05szr1ZBJCPeLCQOtckOk" hash2
server 2 address 61.177.64.146 secret "WZBK9MwJl5GOacy0i5JXTE" hash2
exit
user "admin"
password "VeuGBy9agmYtpDhhW0yi359H.JvK5.8c" hash2
access console ftp snmp
console
member "administrative"
exit
exit
snmp
community "yzsnmpro123" r version both
community "yzsnmprw123" rwa version both
exit
per-peer-queuing
cpm-filter
ip-filter
shutdown
exit
ipv6-filter
entry 10 create
log 110
match
router Base
exit
exit
entry 20 create
match
router ***(VPRN Service ID)
exit
exit
no shutdown
exit
exit
Verification command:
show system security cpm-filter ipv6-filter
Check the number of IPv6 packets.
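The management-access-filter in the example above can be checked offline. The following Python sketch is an added example, not part of the original guide: it transcribes the entries shown, assumes first-match evaluation with dst-port given as value and mask, and uses 203.0.113.7 as a constructed outside address. It reports which enabled management services a source reaches and which rule decided it, as configured and with default-action deny.

```python
import ipaddress

# Transcribed from the management-access-filter in the example above.
# (entry, action, src-ip, protocol, dst-port, port-mask); None = field not set.
ENTRIES = [
    (10, "permit", "61.177.176.0/22", None, None, None),
    (20, "permit", "61.177.191.0/27", None, None, None),
    (30, "permit", "222.189.226.0/23", None, None, None),
    (40, "permit", "58.220.165.0/24", None, None, None),
    (50, "permit", "58.220.166.0/23", None, None, None),
    (60, "permit", "58.220.168.0/23", None, None, None),
    (70, "permit", "61.177.191.180/32", None, None, None),
    (80, "permit", "58.220.170.0/24", None, None, None),
    (90, "permit", "10.108.0.5/32", None, None, None),
    (100, "deny", None, 6, 23, 65535),
    (190, "deny", None, 17, 161, 65535),
]
# Services enabled in the same example: telnet-server, ftp-server, snmp.
SERVICES = {"telnet": (6, 23), "ftp": (6, 21), "snmp": (17, 161)}


def evaluate(src, proto, dport, default="permit"):
    """Return (action, entry number or 'default'); assumes first match wins."""
    addr = ipaddress.ip_address(src)
    for num, action, net, e_proto, e_port, mask in ENTRIES:
        if net is not None and addr not in ipaddress.ip_network(net):
            continue
        if e_proto is not None and e_proto != proto:
            continue
        if e_port is not None and (dport & mask) != (e_port & mask):
            continue
        return action, num
    return default, "default"


def reachable(src, default="permit"):
    """Map each enabled service src can reach to the rule that allowed it."""
    hits = {}
    for name, (proto, port) in SERVICES.items():
        action, rule = evaluate(src, proto, port, default)
        if action == "permit":
            hits[name] = rule
    return hits


if __name__ == "__main__":
    # 61.177.191.180 is the trap destination on the page; 203.0.113.7 is constructed.
    for src in ("61.177.191.180", "203.0.113.7"):
        print(src, "as configured:", reachable(src))
        print(src, "with default-action deny:", reachable(src, "deny"))
```

With default-action permit, only TCP/23 and UDP/161 have deny entries, so a source outside entries 10-90 still reaches ftp through the default action.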
3.7 VPN-BGP configuration
1. Every 7750 SR establishes VPN-BGP IBGP neighbor relationships with the GSRs; the core GSRs act as route reflectors (RR).
bgp
family ipv4 vpn-ipv4
multipath 8
ibgp-multipath
router-id 58.220.170.3
group "ibgp"
type internal
export "prefix2bgp"
peer-as 64665
local-address 58.220.170.3
neighbor 61.177.176.253
exit
neighbor 61.177.176.254
exit
exit
exit
exit
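Verification command:
show router bgp neighbor
Check that the BGP neighbors are established.
3.8 Policy configuration
1. Set up a security filter for the LDP FEC 0.0.0.0/0.
2. Configure static black-hole routes and advertise them into BGP through the designated prefix-list.
Configuration example: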
static-route 61.132.39.88/29 black-hole preference 200
-----(omitted)-----
policy-options
begin
prefix-list "0_fec"
prefix 0.0.0.0/0 exact
exit
prefix-list "networks"
prefix 61.132.38.96/28 exact
-----(omitted)-----
exit
policy-statement "prefix2bgp"
entry 10
from
prefix-list "networks"
exit
to
protocol bgp
exit
action accept
origin igp
exit
exit
exit
policy-statement "block_0_fec"
entry 10
from
prefix-list "0_fec"
exit
action reject
exit
default-action accept
exit
exit
commit
exit
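3.9 Service configuration
1. Associate customer 10 with IES services, and customer 11 with VPRN and VPLS services.
2. Every VPRN has a service-id.
3. Every IES also has a service-id. The rule is: 8 digits in total, digits 1-4 are the port number (for example 1/1/1 is 1101) and digits 5-8 are the VLAN ID, padded with 0 when shorter than 4 digits.
4. Interfaces under a service are named after the abbreviated name of the connected customer.
Configuration example: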
service
customer 1 create
description "Default customer"
exit
customer 10 create
description "to_IES"
exit
customer 11 create
description "to_VPRN&VPLS"
exit
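3.10 IES service configuration
configure service
ies 12014002 customer 10 create (the ies number corresponds to the sap-id; the last 4 digits are the vlan-id)
interface "jiansheju" create (create a logical interface)
address 61.132.39.89/29 (configure the address and mask)
sap 1/2/1:4002 create (bind a sap to this interface)
exit
exit
no shutdown (activate this service)
Note: only one sap can be bound under an interface; sap stands for Service Access Point.
Likewise, a sap can be bound to only one service; in this example 1/2/1:4002 cannot be bound to any other service.
Add the static black-hole route and prefix-list configuration used to advertise the route in BGP: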
static-route 61.132.39.88/29 black-hole preference 200
prefix-list "networks"
prefix 61.132.38.96/28 exact
exit
policy-statement "prefix2bgp"
entry 10
from
prefix-list "networks"
exit
to
protocol bgp
exit
action accept
origin igp
exit
exit
exit
bgp
family ipv4 vpn-ipv4
multipath 8
ibgp-multipath
router-id 58.220.170.3
group "ibgp"
type internal
export "prefix2bgp"
peer-as 64665
local-address 58.220.170.3
neighbor 61.177.176.253
exit
neighbor 61.177.176.254
exit
exit
exit
exit
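Verification commands:
show service service-using
Lists the configured services.
show router arp
Shows the ARP table.
3.11 VPLS service configuration
1. Configure a full mesh of SDPs between all SR devices in the network, used to deliver VPLS services.
sdp 102 mpls create (define the SDP encapsulation as mpls; gre is the alternative)
far-end 58.220.170.34 (define the far-end address; it must be the system address)
ldp (use ldp as the mpls label distribution protocol)
path-mtu 1514 (path-mtu must be greater than or equal to the service mtu)
keep-alive
shutdown
exit
no shutdown (activate keep-alive to check whether the peer is working properly)
exit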
sdp 103 mpls create
far-end 58.220.170.1
ldp
keep-alive
shutdown
exit
no shutdown
exit
………………
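Note: SDP stands for Service Distribution Point; the concept is similar to a Cisco tunnel interface. An SDP is unidirectional, so it must be configured on both ends.
The 7750 uses SDPs to flood local traffic to the remote end.
An SDP can use mpls or gre encapsulation; by default, t-ldp is used to map the assigned labels automatically.
vpls 1001 customer 11 create (create vpls 1001)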
description "xiaofang-vpls"
stp
shutdown
exit
sap 1/1/3:1401 create (bind the sap into this vpls)
description "hangjiangzhidui"
ingress
qos 10
exit
egress
qos 10
exit
exit
sap 1/2/2:4013 create (bind the sap into this vpls)
description "guanglingchanyezhidui"
ingress
qos 10
exit
egress
qos 10
exit
exit
mesh-sdp 104:1001 create (bind the sdp pointing to the peer into the vpls)
exit
mesh-sdp 109:1001 create
exit
mesh-sdp 112:1001 create
exit
mesh-sdp 113:1001 create
exit
mesh-sdp 115:1001 create
exit
mesh-sdp 117:1001 create
exit
exit
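Note: the sap mtu in a vpls must be greater than or equal to the service mtu. Once a port is set to access mode with dot1q encapsulation its mtu is 1518; after stripping the 4-byte vlan-tag the mtu should be 1514.
If the service mtu is set too large, the sap in the vpls will not come up and the error "port mtu too small" is reported.
Verification commands:
show service service-using
Lists the configured services.
show router arp
Shows the ARP table.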
oam mac-ping service 1001 destination ff:ff:ff:ff:ff:ff
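3.12 VPRN service configuration
1. Configure a VPRN service in which the routes of two different VPN sites can reach each other.
configure service
vprn 514001001 customer 11 create (create the vprn service)
description "wuxiandian-vprn"
route-distinguisher 514:1001 (configure the RD value)
auto-bind ldp (use the labels distributed by ldp)
vrf-target target:514:1001 (configure the RT value; the RT uses the same value as the RD)
interface "wuxiandian" create (create a logical interface)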
address 192.168.1.2/30
sap 2/2/1:4029 create
ingress
qos 2
exit
egress
qos 2
exit
exit
exit
static-route 172.17.22.0/24 next-hop 192.168.1.1 (configure the VPN static route)
exit
exit
2. Configure a policy-controlled VPRN service, used to restrict access between different VPN sites.
configure router policy-options
begin (the begin keyword is required to start editing)
community "wuxiandian-vpn-in1" members "target:1001:2" (this community matches RT 1001:2)
community "wuxiandian-vpn-in2" members "target:1001:3"
community "wuxiandian-vpn-out" members "target:1001:1"
policy-statement "wuxiandian-vpn-in"
entry 10 (entry sequence number 10; lower numbers take precedence)
from
protocol bgp-vpn (ipv4-vpn routes received from bgp-vpn)
community "wuxiandian-vpn-in1" (matches RT 1001:2)
exit
action accept (the action of entry 10 is accept)
exit
exit
entry 20 (entry sequence number 20; lower numbers take precedence)
from
protocol bgp-vpn (ipv4-vpn routes received from bgp-vpn)
community "wuxiandian-vpn-in2" (matches RT 1001:3)
exit
action accept
exit
exit
exit
policy-statement "wuxiandian-vpn-out"
entry 10 (entry sequence number 10; lower numbers take precedence)
action accept
community add "wuxiandian-vpn-out" (adds the RT 1001:1 community)
exit
exit
exit
commit (the policy takes effect only after commit)
configure service vprn 514001001 customer 11 create
description "wuxiandian-vprn"
vrf-import "wuxiandian-vpn-in" (apply the VPN route import policy)
vrf-export "wuxiandian-vpn-out" (apply the VPN route export policy)
route-distinguisher 514:1001
auto-bind ldp
interface "wuxiandian" create
address 192.168.1.2/30
sap 2/2/1:4029 create
ingress
qos 2 (apply the QoS rate-limiting policy)
exit
egress
qos 2
exit
exit
exit
static-route 172.17.22.0/24 next-hop 192.168.1.1 (configure the VPN static route)
shutdown
exit
exit
Note: to import multiple RT values, define separate vrf-import and vrf-export policies; the policies are edited under policy-options.
Verification commands:
show service service-using
ping router 514001001 172.17.22.1
show router 514001001 route-table
show router 514001002 static-route
show router 514001002 route-table protocol local
show router 514001002 route-table summary
show router 514001002 route-table protocol bgp-vpn
show service id 514001001 arp
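How the vrf-import and vrf-export communities in step 2 decide which sites exchange routes, as an added Python example that is not part of the original guide. The wuxiandian entry uses the route targets from the page; site-2 and site-3 and their policies are constructed assumptions.

```python
# Route-target model of the vrf-import / vrf-export policies configured above.
SITES = {
    # From the page: exports target:1001:1, imports target:1001:2 and target:1001:3.
    "wuxiandian": {"export": {"target:1001:1"},
                   "import": {"target:1001:2", "target:1001:3"}},
    # Constructed remote sites (assumptions, not on the page).
    "site-2": {"export": {"target:1001:2"}, "import": {"target:1001:1"}},
    "site-3": {"export": {"target:1001:3"}, "import": {"target:1001:1"}},
}


def installs(receiver, sender, sites=SITES):
    """True if receiver's vrf-import accepts an RT that sender's vrf-export adds."""
    return bool(sites[sender]["export"] & sites[receiver]["import"])


def route_exchange(sites=SITES):
    """Classify every site pair as 'both', 'one-way' or 'none'."""
    result = {}
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_to_b, b_to_a = installs(b, a, sites), installs(a, b, sites)
            if a_to_b and b_to_a:
                result[(a, b)] = "both"
            elif a_to_b or b_to_a:
                result[(a, b)] = "one-way"
            else:
                result[(a, b)] = "none"
    return result


def violations(must_be_isolated, sites=SITES):
    """Pairs that should exchange no routes but do, given the RT policies."""
    exchange = route_exchange(sites)
    return sorted(p for p in must_be_isolated
                  if exchange[tuple(sorted(p))] != "none")


if __name__ == "__main__":
    print(route_exchange())
    print(violations([("site-2", "site-3")]))
```

Running violations() against the planned import and export sets before commit shows whether an extra imported RT would let two sites that must stay isolated learn each other's routes.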
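2. Troubleshooting methods
2.1 Optical path is fine but the port is down
Check whether both ends negotiate; autonegotiation is enabled by default on 7750 ports.
configure port x/x/x ethernet no auto (disable port autonegotiation)
Verification command: show port
2.2 Cannot ping the peer address
Check that the port uses the correct encapsulation mode and that the port bound under the interface is correct.
configure port x/x/x ethernet encap-type dot1q/null
2.3 ISIS adjacency cannot be established
Check that the ISIS parameters match on both ends.
show router isis adj x.x.x.x detail
show router isis interface
2.4 BGP neighbor cannot be established
Use show router bgp neighbor to check the neighbor relationship. If it shows no-type, the local AS number or the BGP type has not been configured; if it shows Bad Peer AS, the peer has configured the wrong AS number for the local router.
Also check authentication-key, family-address and the other parameters in the BGP configuration on both ends.
2.5 Routes are in the BGP table but are not installed in the VPN routing table
Check that the next-hop address of the BGP route is reachable; because these are vpn routes, the 7750 also requires the next hop to be reachable via ldp.
show router bgp routes prefix
2.6 Customer CE device in a VPN cannot reach the remote end
First check that the local VPN instance is fully configured, including RD, RT policy, LDP and so on.
Next check connectivity between the local PE and the local CE: on the PE use ping router xxxxx address, and look at the arp table.
Then check the 7750's VPN routing table to see whether remote routes are learned correctly: show router xxxxx route-table
Use ping router xxxxx remote-address to see whether the local PE can reach the remote end.
Repeat the checks above on the remote PE.
3. Service status check commands
3.1 Viewing Service status
show service service-using shows the user services deployed on the device, including IES and VPRN.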
A:WX-AZ-R-AC7750-01# show service service-using
===============================================================================
Services
===============================================================================
ServiceId Type Adm Opr CustomerId Last Mgmt Change
-------------------------------------------------------------------------------
10001 VPRN Up Up 11 09/01/2006 00:00:19
10004 VPRN Up Up 11 09/01/2006 00:00:19
10012 VPRN Up Up 11 09/01/2006 00:00:19
10018 VPRN Up Up 11 09/01/2006 00:00:19
10027 VPRN Up Up 11 09/01/2006 00:00:19
10065 VPRN Up Up 11 09/01/2006 00:00:19
11130050 IES Up Up 10 09/01/2006 00:00:19
11130051 IES Up Up 10 09/01/2006 00:00:19
11130053 IES Up Up 10 09/01/2006 00:00:19
11130055 IES Up Up 10 09/01/2006 00:00:19
11130056 IES Up Up 10 09/01/2006 00:00:19
11130059 IES Up Up 10 09/01/2006 00:00:19
3.2 Checking router interface status
show router interface shows the running state of the router interfaces.
A:WX-AZ-R-AC7750-01# show router interface
===============================================================================
Interface Table (Router: Base)
===============================================================================
Interface-Name Adm Opr(v4/v6) Mode Port/SapId IP-Address PfxState
-------------------------------------------------------------------------------
system Up Up/Down Network system
61.177.100.129/32 n/a
to_GM7750-2_1 Up Down/Down Network 1/1/1
58.215.70.54/30 n/a
to_GM7750-2_2 Up Down/Down Network 1/1/2
58.215.70.58/30 n/a
to_QY7750-1_1 Up Up/Down Network 2/1/1
58.215.70.62/30 n/a
to_QY7750-1_2 Up Up/Down Network 2/1/2
58.215.70.66/30 n/a
to_WX-AZ-S-C3550-01_1 Up Up/Down IES 1/1/3:50
61.160.36.1/30 n/a
to_WX-DHT-S-C3550-01_1 Up Up/Down IES 1/1/6:50
61.160.36.13/30 n/a
to_WX-DK-S-S3552F-01_1 Up Up/Down IES 1/1/8:50
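Port state has two parts: Adm is the administrative state, Opr is the port's actual operational state.
Port/SapId shows which port the interface uses.
3.3 Viewing device Port status
show port shows the state of the router's physical ports, including mode, mtu, encapsulation and so on.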
A:WX-AZ-R-AC7750-01# show port
==============================================================================
Ports on Slot 1
==============================================================================
Port Admin Link Port Cfg Oper LAG/ Port Port Port SFP/XFP/
Id State State MTU MTU Bndl Mode Encp Type MDIMDX
------------------------------------------------------------------------------
1/1/1 Up No Down 9212 9212 - netw null gige GIGE-LX 80KM
1/1/2 Up No Down 9212 9212 - netw null gige GIGE-LX 80KM
1/1/3 Up Yes Up 1518 1518 - accs dotq gige GIGE-LX 10KM
1/1/4 Up Yes Up 1518 1518 - accs dotq gige GIGE-LX 10KM
1/1/5 Up Yes Up 1518 1518 - accs dotq gige GIGE-LX 40KM
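A port must be switched to access mode before it can be added to a service.
If the port needs multiple vlans mapped to multiple services, its encapsulation mode must be changed to dot1q.
3.4 Viewing the device MAC address table
Use show router arp to check whether the 7750 has learned the customer's mac address.
show router arp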
A:WX-AZ-R-AC7750-01# show router arp
===============================================================================
ARP Table (Router: Base)
===============================================================================
IP Address MAC Address Expiry Type Interface
-------------------------------------------------------------------------------
61.177.100.129 00:03:fa:8c:54:88 00h00m00s Oth system
58.215.70.54 00:03:fa:c6:ee:1c 00h00m00s Oth to_GM7750-2_1
58.215.70.58 00:03:fa:c6:ee:1d 00h00m00s Oth to_GM7750-2_2
58.215.70.61 00:03:fa:c6:ec:ad 02h39m58s Dyn[I] to_QY7750-1_1
58.215.70.62 00:16:4d:13:56:50 00h00m00s Oth[I] to_QY7750-1_1
58.215.70.65 00:03:fa:c6:eb:59 02h45m45s Dyn[I] to_QY7750-1_2
58.215.70.66 00:16:4d:13:56:51 00h00m00s Oth[I] to_QY7750-1_2
61.160.36.1 00:03:fa:c6:ee:1e 00h00m00s Oth[I] to_WX-AZ-S-C3550-01_1
61.160.36.2 00:0b:5f:33:72:80 02h01m45s Dyn[I] to_WX-AZ-S-C3550-01_1
218.90.136.9 00:03:fa:c6:ee:1e 00h00m00s Oth[I] to_anzhen3550-1_51
218.90.136.10 00:22:aa:5d:6d:c7 03h57m59s Dyn[I] to_anzhen3550-1_51
61.177.109.113 00:03:fa:c6:ee:1e 00h00m00s Oth[I] to_anzhen3550-1_53
61.177.109.114 00:e0:fc:1d:27:ce 03h58m42s Dyn[I] to_anzhen3550-1_53
222.191.241.17 00:03:fa:c6:ee:1e 00h00m00s Oth[I] to_anzhen3550-1_55
222.191.241.18 00:0a:eb:cb:5f:d1 03h56m49s Dyn[I] to_anzhen3550-1_55
218.90.136.21 00:03:fa:c6:ee:1e 00h00m00s Oth[I] to_anzhen3550-1_56
In addition, show router arp accepts specific parameters to show the MAC mapping for a given interface or IP address.
A:WX-AZ-R-AC7750-01# show router arp
-arp [<ip-int-name|ip-address>|mac <ieee-mac-address>|summary]
For example, show router arp to_GM7750 or show router arp 218.90.152.33.
4. Steps for deleting a Service configuration
To delete or modify a service, follow these steps:
1 First shut down the sap in the interface and remove it
interface to_xxxxx_80
sap 1/1/8:200 shutdown
no sap 1/1/8:200
2 Next shut down the interface and remove it from the ies
interface to_xxxxx_80 shutdown
no interface to_xxxxx_80
3 Finally shut down the ies and remove it from the service
ies 11180200 shutdown
no ies 11180200
To replace a sap, shut down and remove the old sap, then configure the new one:
interface to_xxxxx_80
sap 1/1/8:200 shutdown
no sap 1/1/8:200
sap 1/1/8:2000 create
ingress qos 10
egress qos 10