
Inband Networking

In document System Integration-(V900R007C02 02) (Page 83-87)


3.13 Commissioning the Data for the Interworking with the AAA Server

3.14.1 Inband Networking

This section provides an example of the configuration when the PDSN9660 interworks with the authentication, authorization, and accounting (AAA) server through inband networking.

Networking Requirement

See Figure 3-9. The PDSN9660 is connected to the AAA server through router A and router B. The interworking is realized through inband networking. The PDSN9660 must interwork with the AAA server to perform the authentication, charging, and address assignment for the users. Therefore, you must configure the interworking between the PDSN9660 and the AAA server.

• To improve bandwidth and enhance reliability, you can employ the load-sharing mode for the Eth-trunk interface to distribute traffic to different links to the same destination.

• To further enhance reliability, the Eth-trunk2 and Eth-trunk3 interfaces that each work in load-sharing mode can serve as backup interfaces for each other.

• The Open Shortest Path First (OSPF) dynamic routing mode is employed for complex network topology with a large number of network devices and IP routes to implement reliability networking through redundant routes.

• The PDSN interworks with the AAA server through outband networking. The data packets to the packet data network (PDN) and the Remote Authentication Dial In User Service (RADIUS) signaling packets are sent through different physical interfaces.

• The virtual private network (VPN) networking mode is employed to improve communication security. Bind the physical interface, logical interface, Domain, and AAA server to the same VPN. Specify this VPN as the VPN instance of the specified route.

Figure 3-9 Networking for the interworking between the PDSN9660 and the AAA server

[Figure: PDSN9660 (Piif3/0/0 10.8.20.1/32; Eth-Trunk 2 10.3.37.94/28) connects to Router A (10.3.37.81) and through the IP/MPLS backbone to the AAA server.]

Data Collection

Plan the data as follows.

| Category | Item | Value |
|---|---|---|
| VPN | Name of a VPN instance | vpn_Pi |
| | Route distinguisher (RD) value | 300:1 |
| Eth-Trunk2 | Eth-Trunk2 | Bound with GigabitEthernet1/0/2 and GigabitEthernet1/0/3 |
| | IP address and subnet mask of the Eth-trunk2 interface | 10.3.37.94/255.255.255.240 |
| | Operating mode of the Eth-trunk2 interface | Load-sharing mode |
| | Cost value of the Eth-trunk2 interface | 100 |
| | Priority for selecting a designated router (DR) | 0 |
| | IP address of the interface on router A that is connected to the Eth-trunk2 interface | 10.3.37.81 |
| | IP address segment of the Eth-trunk2 interface | 10.3.37.80/28 |
| | Wildcard mask of the Eth-trunk2 interface | 0.0.0.15 |
| Eth-Trunk3 | Eth-Trunk3 | Bound with GigabitEthernet2/0/2 and GigabitEthernet2/0/3 |
| | IP address and subnet mask of the Eth-trunk3 interface | 10.3.37.78/255.255.255.240 |
| | Operating mode of the Eth-trunk3 interface | Load-sharing mode |
| | Cost value of the Eth-trunk3 interface | 200 |
| | Priority for selecting a DR | 0 |
| | IP address of the interface on router B that is connected to the Eth-trunk3 interface | 10.3.37.65 |
| | IP address segment of the Eth-trunk3 interface | 10.3.37.64/28 |
| | Wildcard mask of the Eth-trunk3 interface | 0.0.0.15 |
| | IP address network segments of the Piif3/0/0 and Piif3/1/0 interfaces | |
| | Wildcard masks of the Piif3/0/0 and Piif3/1/0 interfaces | 0.0.0.3 |
| OSPF | OSPF process number | 2 |
| | Router ID | 10.8.20.1 |
| | Area ID | 0 |
| | Authentication mode | md5 |
| | Authentication ID | 1 |
| | Authentication password | abcd (in encrypted text) |
| RADIUS server | RADIUS server group | isprg |
| | IP address of the RADIUS authentication server | 10.168.10.1 |
| | Destination port number | 1812 |
| | VPN instance | vpn_Pi |
| | Key | ispchina |
| | IP address of the RADIUS accounting server | 10.168.10.1 |
| | Destination port number | 1813 |
| | VPN instance | vpn_Pi |
| | Key | ispchina |
| | Domain bound to the RADIUS server group | Domain1 |

Configuration Procedure

1. Create a VPN instance.

<PDSN>system-view

[PDSN]ip vpn-instance vpn_Pi

[PDSN-vpn-instance-vpn_Pi]route-distinguisher 300:1

2. Configure the Eth-trunk2 interface.

[PDSN]interface eth-trunk2

[PDSN-Eth-Trunk2]workmode loadbalance

[PDSN-Eth-Trunk2]description Pi_eth_trunk

[PDSN-Eth-Trunk2]ip binding vpn-instance vpn_Pi

[PDSN-Eth-Trunk2]ip address 10.3.37.94 255.255.255.240

[PDSN-Eth-Trunk2]ospf cost 100

[PDSN-Eth-Trunk2]ospf dr-priority 0

[PDSN-Eth-Trunk2]quit

3. Bind the physical interfaces to the Eth-trunk2 interface.

Bind the GigabitEthernet1/0/2 interface to the Eth-trunk2 interface.

[PDSN]interface GigabitEthernet1/0/2

[PDSN-GigabitEthernet1/0/2]eth-trunk 2

[PDSN-GigabitEthernet1/0/2]quit

Bind the GigabitEthernet1/0/3 interface to the Eth-trunk2 interface.

[PDSN]interface GigabitEthernet1/0/3

[PDSN-GigabitEthernet1/0/3]eth-trunk 2

[PDSN-GigabitEthernet1/0/3]quit

4. Configure the Eth-trunk3 interface.

[PDSN]interface eth-trunk3

[PDSN-Eth-Trunk3]workmode loadbalance

[PDSN-Eth-Trunk3]description Pi_eth_trunk

[PDSN-Eth-Trunk3]ip binding vpn-instance vpn_Pi

[PDSN-Eth-Trunk3]ip address 10.3.37.78 255.255.255.240

[PDSN-Eth-Trunk3]ospf cost 200

[PDSN-Eth-Trunk3]ospf dr-priority 0

[PDSN-Eth-Trunk3]quit

5. Bind the physical interfaces to the Eth-trunk3 interface.

Bind the GigabitEthernet2/0/2 interface to the Eth-trunk3 interface.

[PDSN]interface GigabitEthernet2/0/2

[PDSN-GigabitEthernet2/0/2]eth-trunk 3

[PDSN-GigabitEthernet2/0/2]quit

Bind the GigabitEthernet2/0/3 interface to the Eth-trunk3 interface.

[PDSN]interface GigabitEthernet2/0/3

[PDSN-GigabitEthernet2/0/3]eth-trunk 3

[PDSN-GigabitEthernet2/0/3]quit

6. Configure the Piif3/0/0 interface.

[PDSN]interface piif3/0/0

[PDSN-Piif3/0/0]ip binding vpn-instance vpn_Pi

[PDSN-Piif3/0/0]ip address 10.8.20.1 255.255.255.255

[PDSN-Piif3/0/0]quit

7. Configure the Piif3/1/0 interface.

[PDSN]interface Piif3/1/0

[PDSN-Piif3/1/0]ip binding vpn-instance vpn_Pi

[PDSN-Piif3/1/0]ip address 10.8.20.2 255.255.255.255

[PDSN-Piif3/1/0]quit

8. Configure the OSPF dynamic route.

[PDSN]ospf 2 router-id 10.8.20.1 vpn-instance vpn_Pi

[PDSN-ospf-2]import-route static

[PDSN-ospf-2]vpn-instance-capability simple

[PDSN-ospf-2]area 0.0.0.0

[PDSN-ospf-2-area-0.0.0.0]authentication-mode md5 1 cipher abcd

[PDSN-ospf-2-area-0.0.0.0]network 10.3.37.80 0.0.0.15

[PDSN-ospf-2-area-0.0.0.0]network 10.3.37.64 0.0.0.15

[PDSN-ospf-2-area-0.0.0.0]network 10.8.20.0 0.0.0.3

[PDSN-ospf-2-area-0.0.0.0]quit

[PDSN-ospf-2]quit

9. Configure the RADIUS server.

# Configure the RADIUS server group isprg.

[PDSN-access]radius-server group isprg

# Configure the RADIUS authentication server. The IP address is 10.168.10.1. The destination port number is 1812. The RADIUS authentication server is bound to the VPN instance vpn_Pi. The key is ispchina.

[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.1 vpn-instance vpn_Pi port 1812 key ispchina

# Configure the RADIUS accounting server. The IP address is 10.168.10.1. The destination port number is 1813. The RADIUS accounting server is bound to the VPN instance vpn_Pi. The key is ispchina.

[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.1 vpn-instance vpn_Pi port 1813 key ispchina

[PDSN-access-radius-isprg]quit

[PDSN-access]quit

10. Bind the RADIUS server group to the domain.

# Enter the domain view.

[PDSN]domain domain1

[PDSN-domain-domain1]vpn-instance vpn_Pi

# Bind the RADIUS server group isprg to the domain domain1.

[PDSN-domain-domain1]radius-server group isprg

[PDSN-domain-domain1]quit

[PDSN]quit

11. Save the current configuration.

<PDSN>save
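The requirement that the interfaces, the OSPF process, the RADIUS servers, and the domain all sit in the same VPN instance, and that every interface address falls inside an OSPF network statement, can be checked mechanically. The following Python check is an added example, not part of the original document: its input is constructed from the commands in the steps above with the prompts stripped, and the names `audit` and `starts_object` are hypothetical.

```python
import ipaddress
# Constructed input: the binding and addressing commands from steps 2-10, prompts stripped.
CONFIG = """\
interface eth-trunk2
ip binding vpn-instance vpn_Pi
ip address 10.3.37.94 255.255.255.240
interface eth-trunk3
ip binding vpn-instance vpn_Pi
ip address 10.3.37.78 255.255.255.240
interface piif3/0/0
ip binding vpn-instance vpn_Pi
ip address 10.8.20.1 255.255.255.255
interface Piif3/1/0
ip binding vpn-instance vpn_Pi
ip address 10.8.20.2 255.255.255.255
ospf 2 router-id 10.8.20.1 vpn-instance vpn_Pi
network 10.3.37.80 0.0.0.15
network 10.3.37.64 0.0.0.15
network 10.8.20.0 0.0.0.3
radius-server authentication ip 10.168.10.1 vpn-instance vpn_Pi port 1812 key ispchina
radius-server accounting ip 10.168.10.1 vpn-instance vpn_Pi port 1813 key ispchina
domain domain1
vpn-instance vpn_Pi
"""

def starts_object(w):  # lines that open an object which must carry a VPN binding
    a, b = (w + [""])[:2]
    return (a in ("interface", "domain") or (a == "ospf" and b.isdigit())
            or (a == "radius-server" and b in ("authentication", "accounting")))

def audit(config, vpn="vpn_Pi"):
    """Return findings: objects not bound to `vpn`, interface IPs outside OSPF."""
    bound, addrs, nets, ctx = {}, {}, [], None
    for w in filter(None, map(str.split, config.splitlines())):
        if starts_object(w):
            ctx = " ".join(w[:2])
            bound[ctx] = None
        if ctx and "vpn-instance" in w:
            bound[ctx] = w[w.index("vpn-instance") + 1]
        if w[:2] == ["ip", "address"]:
            addrs[ctx] = ipaddress.ip_address(w[2])
        if w[0] == "network":  # OSPF wildcard mask, parsed here as a host mask
            nets.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
    out = [f"{o}: VPN is {v}, expected {vpn}" for o, v in bound.items() if v != vpn]
    out += [f"{o}: {a} is outside every OSPF network statement"
            for o, a in addrs.items() if not any(a in n for n in nets)]
    return out

print(audit(CONFIG))  # empty list: every object is in vpn_Pi and every address is advertised
```

An interface that has no `ip binding vpn-instance` line is reported with VPN `None`, which is the case where RADIUS signaling would leave the intended VPN.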

Interworking Test

Run ping to check whether the link to the AAA server is normal.

<PDSN>ping -vpn-instance vpn_Pi -a 10.8.20.1 10.168.10.1

<PDSN>ping -vpn-instance vpn_Pi -a 10.8.20.2 10.168.10.1

NOTE

• If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.

• You must specify the IP address of the Pi interface to check whether the connection between the Pi interface and the peer device is normal.
