电信M6000(BRAS)开局配置模版及其常见业务配置指导

/.云南电信M6000(BRAS)开局模版及常用业务配置指导V1.62012年7月目录TOC\o"1-3"\h\z\uHYPERLINK\l"_Toc329697576"1.设备资源命名规范PAGEREF_Toc329697576\h5HYPERLINK\l"_Toc329697577"1.1.网元命名规范PAGEREF_Toc329697577\h5HYPERLINK\l"_Toc329697578"1.2.环回接口描述规范PAGEREF_Toc329697578\h6HYPERLINK\l"_Toc329697579"1.3.网络接口描述规范PAGEREF_Toc329697579\h6HYPERLINK\l"_Toc329697580"1.4.空闲端口要求PAGEREF_Toc329697580\h7HYPERLINK\l"_Toc329697581"2.M6000设备相关资源规划PAGEREF_Toc329697581\h7HYPERLINK\l"_Toc329697582"3.参数准备PAGEREF_Toc329697582\h8HYPERLINK\l"_Toc329697583"4.流程准备PAGEREF_Toc329697583\h9HYPERLINK\l"_Toc329697584"5.开局版本PAGEREF_Toc329697584\h9HYPERLINK\l"_Toc329697585"6.数据配置PAGEREF_Toc329697585\h9HYPERLINK\l"_Toc329697586"6.1.连接设备PAGEREF_Toc329697586\h9HYPERLINK\l"_Toc329697587"6.2.M6000开局基本配置PAGEREF_Toc329697587\h10HYPERLINK\l"_Toc329697588"6.2.1.校准设备MACPAGEREF_Toc329697588\h10HYPERLINK\l"_Toc329697589"6.2.2.定义设备名称PAGEREF_Toc329697589\h11HYPERLINK\l"_Toc329697590"6.2.3.配置本地登录帐号PAGEREF_Toc329697590\h11HYPERLINK\l"_Toc329697591"6.2.4.修改初始enable密码PAGEREF_Toc329697591\h12HYPERLINK\l"_Toc329697592"6.2.5.设置管理会话闲置超时时间10分钟PAGEREF_Toc329697592\h12HYPERLINK\l"_Toc329697593"6.2.6.Loopback接口配置PAGEREF_Toc329697593\h12HYPERLINK\l"_Toc329697594"6.2.7.物理接口配置：PAGEREF_Toc329697594\h12HYPERLINK\l"_Toc329697595"6.2.8.配置缺省路由PAGEREF_Toc329697595\h12HYPERLINK\l"_Toc329697596"6.2.9.NTP时间同步配置PAGEREF_Toc329697596\h12HYPERLINK\l"_Toc329697597"6.2.10.保存开局基本配置PAGEREF_Toc329697597\h13HYPERLINK\l"_Toc329697598"6.3.M6000网络及基本应用配置PAGEREF_Toc329697598\h13HYPERLINK\l"_Toc329697599"6.3.1.OSPF协议配置PAGEREF_Toc329697599\h13HYPERLINK\l"_Toc329697600"6.3.2.ISIS路由协议配置PAGEREF_Toc329697600\h13HYPERLINK\l"_Toc329697601"6.3.3.MPLS协议配置PAGEREF_Toc329697601\h14HYPERLINK\l"_Toc329697602"6.3.4.BGP协议配置PAGEREF_Toc329697602\h15HYPERLINK\l"_Toc329697603"6.3.5.新增路由网段的通告PAGEREF_Toc329697603\h16HYPERLINK\l"_Toc329697604"6.3.6.组播协议配置PAGEREF_Toc329697604\h16HYPERLINK\l"_Toc329697605"6.3.7.Radius基本数据配置PAGEREF_Toc329697605\h17HYPERLINK\l"_Toc329697606"6.3.8.AAA全局认证、、计费基本模版创建PAGEREF_Toc329697606\h19HYPERLINK\l"_Toc329697607"6.3.9.QoS基本配置PAGEREF_Toc329697607\h19HYPERLINK\l"_Toc329697608"6.3.10.网管配置PAGEREF_Toc329697608\h22HYPERLINK\l"_Toc329697609"6.3.11.安全加固配置PAGEREF_Toc329697609\h23HYPERLINK\l"_Toc329697610"6.3.12.配置保存PAGEREF_Toc329697610\h24HYPERLINK\l"_Toc329697611"6.4.BRAS业务配置指导PAGEREF_Toc329697611\h24HYPERLINK\l"_Toc329697612"6.4.1.Pppoe宽带拨号业务PAGEREF_Toc329697612\h24HYPERLINK\l"_Toc329697613"6.4.2.VPDN业务（含绿网业务）PAGEREF_Toc329697613\h26HYPERLINK\l"_Toc329697614"6.4.3.IPTV业务PAGEREF_Toc329697614\h28HYPERLINK\l"_Toc329697615"6.4.4.静态IP专线业务PAGEREF_Toc329697615\h30HYPERLINK\l"_Toc329697616"6.4.4.1.BRAS方式开通静态IP专线PAGEREF_Toc329697616\h30HYPERLINK\l"_Toc329697617"6.4.4.2.SR方式开通静态IP专线业务PAGEREF_Toc329697617\h32HYPERLINK\l"_Toc329697618"6.4.5.Web+Portal认证业务PAGEREF_Toc329697618\h34HYPERLINK\l"_Toc329697619"6.4.6.ITMSVPN业务（MPLSL3VPN）PAGEREF_Toc329697619\h36HYPERLINK\l"_Toc329697620"6.4.7.FTTH语音业务PAGEREF_Toc329697620\h38HYPERLINK\l"_Toc329697621"6.4.8.VPLS业务（MPLSL2VPN）PAGEREF_Toc329697621\h40HYPERLINK\l"_Toc329697622"6.5.用户侧链路捆绑配置PAGEREF_Toc329697622\h42HYPERLINK\l"_Toc329697623"6.6.其他特殊需求配置PAGEREF_Toc329697623\h43HYPERLINK\l"_Toc329697624"6.6.1.PPPoE宽带业务叠加IPTV业务PAGEREF_Toc329697624\h43HYPERLINK\l"_Toc329697625"6.6.2.PPPoE宽带业务叠加静态IP专线业务PAGEREF_Toc329697625\h44设备资源命名规范网元命名规范城市缩写-县缩写-节点缩写-设备属性-设备编号.网络(业务)类型.别称符号符号字符字符字符字符字符字符字符数字字符字符字符字母字符数<81<81<81固定11131≤7选项必选必选可选可选必选必选必选必选必选必选必选可选可选字母大小需要采用统一，全部大写。除了已标出的符号，各标识两端、中间不带任何空格、符号，只能采用数字和字母。城市缩写，取城市名称拼音的首字母大写，如GZ。县缩写，取县名称拼音的首字母大写。节点缩写，取节点名称拼音的首字母大写，如城市、县及两节点的首字母均有重叠，分两种情况，当后一个字不同时则后一个取全拼，如南油（NYou）和南园（Nyuan）；如当后一个字相同时则前一个字取全拼，例如同和（TongH）和太和（TaiH）。设备属性，规定如下：出口路由器：CR，如汇聚路由器兼做出口路由器则用CR汇聚路由器：BRBRAS：BAS业务路由器：SR汇聚交换机：DSW园区交换机：ASW楼道交换机：LSWDslam：DSLOLT：OLTONU：ONU设备编号，取阿拉伯数字，从1开始。网络类型：城域网：MAN城域网二平面：M2N别称：只能为字母和数字，各地市根据组网按需规划。环回接口描述规范For-功能描述符号字符字符字符串字符数31≤30选项必选必选必选：For：固定字符串。功能描述：描述该loopback端口特殊功能，为有意义的英文字符串。如：Management、Multicast、VPN、GlobalRouting、BGPLoadbalance等。interface“system”#缺省使用system关键字作为loopback端口descriptionFor-Management网络接口描述规范端口描述包含下面几部分：|uT:(上行)pT:(平行)dT:(下行)对端设备名称:(链路传输编号)对端端口类型对端端口标志（VR）符号字符字符字符字符字符数字/字符字符字符数3≤201≤15≤10≤8≤10选项必选必选必选必选必选可选可选“对端端口类型”要根据对端不同设备类型进行区分规范，“对端端口标志”表示链路对端设备对应端口的具体标志规范，“(链路传输编号)”表示链路的传输号,如果同机房内设备互联无传输编号,则为(Local)。调测期间的链路描述最后增加“::PROCESSING”，调测完成加业务后取消“::PROCESSING”。端口类型如下表：端口类型端口描述以太(GE)GE*/*/*以太(10GE)10GE*/*/*例子：新庄AC7750ge-0/0/0上联鼓楼CRS-1Te0/0/0/0端口，该端口正在调试中，描述如下：uT:NJ-GL-CR.MAN.CRS-1:(传输代号)10GE0/0/0/0::PROCESSING注：已有网络可保持原有模式，新建和在建网络根据以上要求实施。空闲端口要求规范要求设备上的所有空闲未用的端口统一shutdown，便于网管监控。M6000设备端口缺省是关闭的。M6000设备相关资源规划为便于资源管理和后期维护，对设备相关资源进行初步规划资源类型范围用途vbui接口：按业务类型进行规划，资源数量1～2000vbui1-99pppoe拨号、VPDN（含绿网）vbui100-199Web+portal接入，DHCP接入vbui200-299IPTV业务vbui300-899预留vbui900-999静态IP业务（含下层设备网管）vbui1000-vbui2000用于MPLSVPN中以上业务。Vbui1000用于ITMSVPN...子接口：参考省公司VLAN规划进行规划，资源数量1～4094.1-99下层设备网管接口.1000-1999pppoe拨号、VPDN（含绿网）.2000-2999IPTV业务.4000ITMSVPNDomain规划：参数准备全局参数—整个城域网一致的参数。下表中红色字体参数请根据各城域网实际情况确定。参数名参数值备注AS号64948iBGP协议需要，全网一致组播RP地址116.55.62.254全网一致组播地址段239.254.180.0/24CR1名称CX-339Ju-CR-1.MAN.NE40x16-1CR1iBGPRR地址218.62.159.70CR1用于和Client建立iBGP的loopbackCR2名称CX-339Ju-CR-2.MAN.NE40x16-2CR2iBGPRR地址218.62.159.69CR2用于和Client建立iBGP的loopbackSNMPcommunityzteadmin@2892Telnet白名单61.166.150.0/2461.166.10.0/24222.219.184.34/32允许telnet设备的地址SNMP白名单222.219.184.34/32允许通过SNMP管理设备的地址SNMPtrap地址222.219.184.34发送SNMPtrap信息的地址SYSlog服务器地址222.219.184.34日志服务器地址站点相关参数参数名参数值备注局点名楚雄市339局设备名称CX-339Ju-BAS-4.MAN.M6000-1loopback1116.55.61.52/32协议loopback，必选loopback2116.55.61.54/32组播loopback，后期IPTV业务要放入VPN，建议规划loopback3VPNloopback，可选CR1接口GE0/3/0/2对端互联物理接口与CR1互联地址112.114.191.86/30CR2接口GE0/3/0/2与CR2互联地址112.114.191.94/30热备互联地址双机热备需要初始登录帐号zxr10/zxr1015级enable密码zte@adminPPPoE业务地址182.244.76.0/24用于普通宽带上网IPTV业务地址182.244.116.0/24用于IPTV业务ITMS业务地址10.124.251.0/24用于E8-2终端管理Web+Portal业务地址222.219.185.0/25用于WLAN业务流程准备提前3天请各地市客户发起如下几项业务申请流程：如相关业务地址不够，需要提前申请；BRAS设备的loopback地址申请加入Radius业务平台；BRAS设备loopback地址和web+portal业务地址段申请加入Portal业务平台；IPTV业务地址段加入到IPTV平台；和用户确认IPTV平台所在IP地址段。开局版本本期工程M6000开局版本要求使用：V1.0.60_1.0.58数据配置连接设备通过console口连接设备，波特率为9600通过以下命令进入配置模式，缺省enable密码为:zxr10zxr10>enablepassword:zxr10#conftzxr10(conf)#此后进入配置模式，可以进行数据配置。M6000开局基本配置这部分配置确保M6000能正常上线，并能远程登录校准设备MAC设备MAC由主控板决定，但设备到现场可能机框和主控板分开发货，这样可能导致设备MAC标签和实际MAC不相符，需要进行验证和必要的更改。具体如下：获取设备的基准MAC地址设备发货时，会在设备正面铭牌的上方贴一个小纸条，上面有设备的基准MAC地址。如发现MAC不一致，重启机架，在boot模式中修改设备的基准MAC地址。步骤1通过MPUF单板的串口登陆至MPUF步骤2重启设备，在串口界面出现如下信息时按任意键打断启动：Pressanykeytostopautoboot:3步骤3串口界面出现如下提示信息时输入“y”，进入boot设置模式：PDoyouwanttomanualconfig?(Yy/Nn)y步骤4串口界面出现如下，在[ZBoot]:提示符后输入“1”：BootMenuSelectionasfollow:0-Autoboot/*按照当前设置自动启动*/1-ManualBOOTConfig/*设置单板启动配置项*/2-ShowBOOTConfig/*打印当前单板启动各项配置信息*/?-Printthishelplist/*打印该帮助菜单*/[ZBoot]:1步骤5网络启动时BOOT设置菜单内容如下：ConfigAsSC?(Yy/Nn):y/*设置SC*/BootMode(1:LocalFlash;2:Net):1/*当前BOOT启动方式1为本地启动*/BaseMACAddr:0:1:22:33:44:55/*设置设备的基准MAC*/MacTotal:32/*设置设备MAC最大偏移量，最大值为63*/LocalIP:169.1.11.27/*设置设备网管口IP地址*/NetMask:255.255.0.0/*设置设备网管口子网掩码*/GatewayIP:169.1.106.3/*设置设备启动的FTP网关*/ServerIP:169.1.106.3/*设置设备启动的FTPIP*/FileName:M6000_1.10.0.B12.set/*设置设备启动的版本文件名*/FTPPath:/*设置设备下载版本文件的FTP路径*/FTPUsername:M6000/*设置FTP用户名*/FTPPassword:*****/*设置FTP密码*/SerialAuthenticate(Yy/Nn):n/*串口认证*/EnablePassword:******/*设置enable密码*/Manualbootnow?(Yy/Nn)y/*输入y回车即可启动单板*/定义设备名称命名规则：详细规范，请参考《云南电信IP骨干城域网路由组网和配置规范》，以云南临沧(LC)临翔区新局(LXQXJ)总第3台BAS，第一台M6000为例，命令：hostnameLC-LXQXJ-BAS-3.MAN.M6000-1配置本地登录帐号（复制粘贴）aaa-authentication-template2001aaa-authentication-typelocal!aaa-authorization-template2001aaa-authorization-typenone!system-userauthentication-template1bind-authentication-template2001$authorization-template1bind-authorization-template2001local-privilege-level1$usernamezxr10passwordzxr10authentication-template1authorization-template1!修改初始enable密码enablesecretlevel15zte@admin!设置管理会话闲置超时时间10分钟lineconsoleidle-timeout10linetelnetidle-timeout10Loopback接口配置interfaceloopback1descriptionFor-GlobalRoutingipaddress116.55.61.52255.255.255.255!interfaceloopback2descriptionFor-Multicastipaddress116.55.61.54255.255.255.255!物理接口配置：interfacegei-0/0/0/1negotiationnegotiation-force//这里与30版本不同，不需要到pm模式下配置descriptionuT:CX-339Ju-CR-1.MAN.NE40x16-1:GE0/3/0/2::PROCESSINGipaddress112.114.191.86255.255.255.252noshutdown//设备端口缺省是关闭的!interfacegei-0/1/0/1negotiationnegotiation-forcedescriptionuT:CX-339Ju-CR-2.MAN.NE40x16-2:GE0/3/0/2::PROCESSINGipaddress112.114.191.94255.255.255.252noshutdown!配置缺省路由iproute0.0.0.00.0.0.0112.114.191.85254//配置静态默认路由，优先级254iproute0.0.0.00.0.0.0112.114.191.93254NTP时间同步配置目前各地州以两台CR作为时间服务器clocktimezoneBeijing8ntpserver218.62.159.69priority1//服务器地址就是本地市CR的loopbackntpserver218.62.159.70priority2ntpenable保存开局基本配置Write完成以上基本配置后，查看OSPF协议邻居建立情况，如能正常建立，并能学习到缺省路由，则可以通过远程登录方式登录设备了。M6000网络协议及基本应用配置OSPF协议配置routerospf1router-id116.55.61.52auto-costreference-bandwidth100000//100G带宽作为cost值计算基准maximum-paths8redistributeconnectedpassive-interfaceloopback1passive-interfaceloopback2network112.114.191.840.0.0.3area0network112.114.191.920.0.0.3area0network116.55.61.520.0.0.0area0network116.55.61.540.0.0.0area0interfacegei-0/0/0/1networkpoint-to-point$interfacegei-0/1/0/1networkpoint-to-point$!配置验证：CX-339Ju-BAS-4.MAN.M6000-1#showipospfneighborOSPFRouterwithID(116.55.61.52)(ProcessID878)NeighborIDPriStateDeadTimeAddressInterface218.62.159.701FULL/--00:00:40112.114.191.93gei-0/1/0/1ISIS路由协议配置routerisisarea86.4948.0878//ISIS区域ID，格式为“国家代码+AS号后四位+固话区号”system-id1160.5506.1052//ISIS系统ID，由设备loopback地址进行转换is-typelevel-2-onlydistance160metric-stylewideset-overload-biton-start-upwait-for-bgpfast-floodi-spfmaximum-paths8passive-interfaceloopback1passive-interfaceloopback2interfaceloopback1iprouterisis$interfaceloopback2iprouterisis$interfacegei-0/0/0/1iprouterisiscircuit-typelevel-2-onlymetric3000networkpoint-to-point$interfacegei-0/1/0/1iprouterisiscircuit-typelevel-2-onlymetric3000networkpoint-to-point$!说明：电信城域网改为ISIS+BGP后，ISIS仅用于通告设备的loopback、互联地址等，业务接口或网段不通过ISIS通告。配置验证：DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showisisadjacencyProcessID:0InterfaceSystemidStateLevHoldsSNPA(802.2)PriMTgei-0/1/0/1DQ-XGLL-ZXJ-CRUPL226PPP0-2.MAN.NE40X16gei-0/0/0/1DQ-XGLL-ZXJ-CRUPL228PPP0-1.MAN.NE40X16MPLS协议配置mplsldpinstance1router-idloopback1access-fechost-route-only//只接受32位掩码主机路由的标签分发interfacegei-0/0/0/1$interfacegei-0/1/0/1$!配置验证：DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showmplsldpneighborinstance1PeerLDPIdent:218.62.159.135:0;LocalLDPIdent:116.248.191.246:0TCPconnection:218.62.159.135.49282-116.248.191.246.646State:Oper;Msgssent/rcvd:4071/4070;DownstreamUpTime:16:52:50LDPdiscoverysources:gei-0/0/0/1;SrcIPaddr:116.248.191.181AddressesboundtopeerLDPIdent:116.248.191.1116.248.191.149116.248.191.153116.248.191.161116.248.191.181116.248.191.197218.62.157.109218.62.159.135222.221.29.101222.221.29.105PeerLDPIdent:218.62.159.136:0;LocalLDPIdent:116.248.191.246:0TCPconnection:218.62.159.136.55395-116.248.191.246.646State:Oper;Msgssent/rcvd:4071/4081;DownstreamUpTime:16:52:50LDPdiscoverysources:gei-0/1/0/1;SrcIPaddr:116.248.191.185AddressesboundtopeerLDPIdent:116.248.191.5116.248.191.145116.248.191.157116.248.191.165116.248.191.185116.248.191.193116.248.191.201218.62.157.105218.62.159.136222.221.29.102222.221.29.106BGP协议配置云南电信BGP协议目前有两个作用，通告城域网业务网段地址；通告VPN路由及私网标签。BGP进程创建了两个Peer-group，pgGRR和pgVRR。pgGRR用于通告城域网业务网段（全局），pgVRR用于VPN路由。设备向pgGRR邻居通告路由时需要携带no-export属性，但个别网段如果通告不出去的话，可能是和CR上的network产生冲突，需要去除no-export属性，这样的网段要在ipprefix-listpl_NoExport163中deny掉。具体配置如下：//创建前缀列表，以后需要特殊处理的列表加到此prefix-list中，并把seq设置在10000以前即可。ipprefix-listpl_NoExport163seq10000permit0.0.0.00le32!//创建route-maproute-maprm_NoExport163permit10matchipaddressprefix-listpl_NoExport163setcommunityno-export!route-maprm_NoExport163permit20!//配置bgp协议routerbgp64948distancebgpinternal200distancebgpexternal70nosynchronizationmaximum-paths8bgprouter-id116.55.61.52neighborpgVRRpeer-groupneighborpgVRRremote-as64948noneighborpgVRRactivateneighborpgVRRupdate-sourceloopback1neighborpgGRRpeer-groupneighborpgGRRremote-as65232neighborpgGRRactivateneighborpgGRRroute-maprm_NoExport163outneighborpgGRRsend-communityneighborpgGRRupdate-sourceloopback2neighbor218.62.159.69peer-grouppgVRRneighbor218.62.159.70peer-grouppgVRRneighbor218.62.159.69peer-grouppgGRRneighbor218.62.159.70peer-grouppgGRRaddress-familyvpnv4neighborpgVRRactivate$配置验证：IPv4邻居关系DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showipbgpsummaryNeighborVerAsMsgRcvdMsgSendUp/DownState/PfxRcd116.248.191.2304652322295199316:33:410116.248.191.2314652322293199116:32:320VPNv4邻居关系DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showbgpvpnv4unicastsummaryNeighborVerAsMsgRcvdMsgSendUp/DownState/PfxRcd218.62.159.1354652322224201316:41:4219218.62.159.1364652322685201316:41:4219新增路由网段的通告新增地址段的通告分两种情况：VPN业务地址：VPN中通过重分布方式发布了直连路由，只要完成三层接口的配置就会自动通告出去了，不需要额外配置；公网业务地址：需要通过bgp进行发布，完成三层接口的配置后，通过以下命令进行发布routerbgp64948network!配置验证：DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showipbgpneighborout116.248.191.230RoutesSenttoThisneighbor:DestNextHopMetricLocPrfPath182.246.244.0/24116.248.191.245100i172.1.204.0/24116.248.191.245100i组播协议配置ipmulticast-routingrouterpimsmstatic-rp116.55.62.254interfacegei-0/0/0/1pimsm$interfacegei-0/1/0/1pimsm$interfaceloopback2pimsm//需要开启此接口的PIMSM，以激活接口的IGMP功能$routerigmpinterfaceloopback2//把loopback2静态加入组播频道实现拉流static-group239.254.180.1static-group239.254.180.2……[略]static-group239.254.180.254!配置验证：查看PIMSM邻居DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showippimsmneighborNeighborAddressInterfaceDRPriorityUptimeExpiresVer116.248.191.185gei-0/1/0/1117:05:2700:01:16V2116.248.191.181gei-0/0/0/1117:05:2800:01:39V2查看组播路由DQ-DeQin-XJ-BAS-1.MAN.M6000-1#showipmroutesummaryIPmulticastroutingtablesummary(*,G):255routes(S,G):59routesTotal:314routesDQ-DeQin-XJ-BAS-1.MAN.M6000-1#showipmrouteIPMulticastRoutingTable(*,239.254.208.1),RP:116.248.191.252,TYPE:DYNAMIC,FLAGS:NSIncominginterface:gei-0/1/0/1,flags:NSOutgoinginterfacelist:loopback2,flags:F(182.240.223.23,239.254.208.1),TYPE:DYNAMIC,FLAGS:Incominginterface:gei-0/1/0/1,flags:Outgoinginterfacelist:loopback2,flags:F(*,239.254.208.2),RP:116.248.191.252,TYPE:DYNAMIC,FLAGS:NSIncominginterface:gei-0/1/0/1,flags:NSOutgoinginterfacelist:loopback2,flags:F(182.240.223.22,239.254.208.2),TYPE:DYNAMIC,FLAGS:Incominginterface:gei-0/1/0/1,flags:Outgoinginterfacelist:loopback2,flags:F….Radius基本数据配置Radiusgroup1/2/3都是为了满足现网业务需求必须配置的，不能遗漏。Group1用于不带域名的业务应用，如普通pppoe上网；Group2用于带域名的业务应用，如VPDN、Web+portal；Group3是为了配合DM功能配置的Radius下发DM消息将用户踢下线，一般用于欠费或其他特殊需求，为保证DM消息的合法性，M6000会

检测

工程第三方检测合同工程防雷检测合同植筋拉拔检测方案传感器技术课后答案检测机构通用要求培训

DM消息源地址是否是Radius组中的地址，如不匹配将丢弃。云南省电信Radius发送DM信息使用了另外地址61.166.150.103来发送，所以需要配置group3来配合DM功能，实际不会引用，但必须配置。radiusauthentication-group1server161.166.150.99masterkey88----89port1645server261.166.150.100key88----89port1645deadtime0nas-ip-address116.55.61.52!radiusauthentication-group2server161.166.150.99masterkey88----89port1645server261.166.150.100key88----89port1645deadtime0user-name-formatinclude-domainnas-ip-address116.55.61.52!radiusauthentication-group3server161.166.150.103key88----89port1645nas-ip-address116.55.61.52!radiusaccounting-group1server161.166.150.99masterkey88----89port1646server261.166.150.100key88----89port1646deadtime0nas-ip-address116.55.61.52local-bufferenable!radiusaccounting-group2server161.166.150.99masterkey88----89port1646server261.166.150.100key88----89port1646deadtime0user-name-formatinclude-domainnas-ip-address116.55.61.52local-bufferenable!radiusaccounting-group3server161.166.150.103key88----89port1646nas-ip-address116.55.61.52local-bufferenable!Radius可用性验证：如果设备的loopback加入了Radius中，采用下面错误的帐号能返回“reject”信息，如提示“unreachable”loopback还未加入Radius，或未生效。Radius通信异常DQ-DeQin-XJ-BAS-1.MAN.M6000-1#radius-pingauthentication-group1testtestchapPingradiusauthentication-group1withtestat17:58:27!Pingserver161.166.150.99at17:58:27!Pingserver261.166.150.100at17:58:27!....Requesttimedout.Server1unreachable!Requesttimedout.Server2unreachable!Radius可用CX-339Ju-BAS-4.MAN.M6000-1#radius-pingauthentication-group1testestchapPingradiusauthentication-group1withtesat17:59:46!Pingserver161.166.150.99at17:59:46!Pingserver261.166.150.100at17:59:46!Replyfromserver2rejectat17:59:46!Replyfromserver1rejectat17:59:46!AAA全局认证、授权、计费基本模版创建aaa-authentication-template1//Radius认证，不带域名aaa-authentication-typeradiusauthentication-radius-group1!aaa-authentication-template2//本地认证aaa-authentication-typelocal!aaa-authentication-template3//Radius认证，带域名aaa-authentication-typeradiusauthentication-radius-group2!aaa-authentication-template4//不认证aaa-authentication-typenone!aaa-authorization-template1aaa-authorization-typeradius!aaa-authorization-template2aaa-authorization-typemix-radius//IPTV组播业务要配置为此方式，否则用户无法加入组播组。!aaa-authorization-template3aaa-authorization-typemix-radius!aaa-accounting-template1aaa-accounting-typeradiusaccounting-radius-groupfirst1!aaa-accounting-template2aaa-accounting-typenone!aaa-accounting-template3aaa-accounting-typeradiusaccounting-radius-groupfirst2!QoS基本配置class-mapcmCopper_NNImatch-anymatchprecedence1matchmpls-exp1!class-mapcmSilver_NNImatch-anymatchprecedence2matchmpls-exp2!class-mapcmGold_NNImatch-anymatchprecedence3matchmpls-exp3!class-mapcmCritical_NNImatch-anymatchprecedence4matchmpls-exp4!class-mapcmPlatinum_NNImatch-anymatchprecedence5matchmpls-exp5!class-mapcmNetworkControl_NNImatch-anymatchprecedence6matchmpls-exp6!class-mapcmDiamond_NNImatch-anymatchprecedence7matchmpls-exp7!class-mapcmCopper_UNImatch-anymatchprecedence1matchout-8021p1!class-mapcmSilver_UNImatch-anymatchprecedence2matchout-8021p2!class-mapcmGold_UNImatch-anymatchprecedence3matchout-8021p3!class-mapcmCritical_UNImatch-anymatchprecedence4matchout-8021p4!class-mapcmPlatinum_UNImatch-anymatchprecedence5matchout-8021p5!class-mapcmNetworkControl_UNImatch-anymatchprecedence6matchout-8021p6!class-mapcmDiamond_UNImatch-anymatchprecedence7matchout-8021p7!policy-mappmGEOutput_NNIclasscmCopper_NNIbandwidthpercent5setdscpinherit-from8021p$classcmSilver_NNIbandwidthpercent5setdscpinherit-from8021p$classcmGold_NNIbandwidthpercent10setdscpinherit-from8021p$classcmCritical_NNIpriority-llqsetdscpinherit-from8021ppolice10000012500$classcmPlatinum_NNIbandwidthpercent30setdscpinherit-from8021p$classcmNetworkControl_NNIbandwidthpercent5setdscpinherit-from8021p$classcmDiamond_NNIbandwidthpercent5setdscpinherit-from8021p$classclass-defaultbandwidthpercent30setdscpinherit-from8021p$!policy-mappmGEOutput_UNIclasscmCopper_UNIbandwidthpercent5$classcmSilver_UNIbandwidthpercent5$classcmGold_UNIbandwidthpercent10$classcmCritical_UNIpriority-llqpolice10000012500$classcmPlatinum_UNIbandwidthpercent30$classcmNetworkControl_UNIbandwidthpercent5$classcmDiamond_UNIbandwidthpercent5$classclass-defaultbandwidthpercent30$!policy-mappmXGEOutput_NNIclasscmCopper_NNIbandwidthpercent5setdscpinherit-from8021p$classcmSilver_NNIbandwidthpercent5setdscpinherit-from8021p$classcmGold_NNIbandwidthpercent10setdscpinherit-from8021p$classcmCritical_NNIpolice1000000125000priority-llqsetdscpinherit-from8021p$classcmPlatinum_NNIbandwidthpercent30setdscpinherit-from8021p$classcmNetworkControl_NNIbandwidthpercent5setdscpinherit-from8021p$classcmDiamond_NNIbandwidthpercent5setdscpinherit-from8021p$classclass-defaultbandwidthpercent30setdscpinherit-from8021p$!//网络侧接口绑定QoS策略，GE口和10GE口对应不同策略，注意不要绑错service-policygei-0/0/0/1outputpmGEOutput_NNIoverwrite!service-policygei-0/1/0/1outputpmGEOutput_NNIoverwrite!//用户侧接口绑定QoS策略service-policygei-0/0/0/2outputpmGEOutput_UNIoverwrite!网管配置ipv4-access-listACL_telnetrule1permit61.166.150.00.0.0.255rule2permit61.166.10.00.0.0.255rule3permit222.219.184.340.0.0.0$!linetelnetaccess-classipv4ACL_telnet!ipv4-access-listACL_snmprule1permit222.219.184.340.0.0.0$!snmp-serveraccess-listipv4ACL_snmpsnmp-se