
Outband Networking

In document System Integration-(V900R007C02 02) (Page 87-93)


3.14.2 Outband Networking

This section provides an example of the configuration when the PDSN9660 interworks with the authentication, authorization and accounting (AAA) server through outband networking.

Networking Requirement

The PDSN9660 is connected to a packet data network (PDN), which is the Internet or an intranet, through router A and router B. The PDSN9660 is connected to the AAA server through router C and interworks with the AAA server through outband networking. See Figure 3-10. The PDSN9660 must interwork with the AAA server to perform authentication, charging, and address assignment for users. Therefore, you must configure the interworking between the PDSN9660 and the AAA server.

• The networking for the interworking between the PDSN and a PDN is as follows:
  – To improve bandwidth and enhance reliability, you can employ the Eth-trunk load-sharing mode to distribute traffic to different links to the same destination.
  – The Eth-trunk8 and Eth-trunk9 interfaces that each work in load-sharing mode can be a backup for each other. This can further enhance reliability.
  – The Open Shortest Path First (OSPF) dynamic routing mode is employed for complex network topology with a large number of network devices and IP routes to implement reliability networking through redundant routes.

• The PDSN interworks with the AAA server through outband networking. The data packets to a PDN and the Remote Authentication Dial in User Service (RADIUS) signaling packets are sent through different physical interfaces.

When the VPNs are employed, the physical interface and route for data packets and the Domain are bound to a VPN and the physical interface for RADIUS signaling packets, Pi interface, route, and AAA server are bound to another VPN.

Figure 3-10 Networking for the interworking between the PDSN9660 and the AAA server

[Figure 3-10 labels: PDSN9660 (Piif3/1/0 10.8.50.1/32; Eth-Trunk 8 10.3.37.46/28; Eth-Trunk 9 10.3.37.62/28; Eth-Trunk 2 10.3.37.94/28), Router A 10.3.37.33, Router B 10.3.37.49, Router C 10.3.37.81, AAA server 192.168.110.1, PDN, IP/MPLS backbone]

Data Collection

• Plan the data for the interworking with a PDN as follows:

| Category | Item | Value |
|---|---|---|
| VPN | Name of the VPN instance | vpn_pdn |
| VPN | Route distinguisher (RD) value | 200:1 |
| Eth-trunk8 | Eth-trunk8 | Bound with GigabitEthernet1/0/8 and GigabitEthernet1/0/9 |
| Eth-trunk8 | IP address and subnet mask of the Eth-trunk8 interface | 10.3.37.46/255.255.255.240 |
| Eth-trunk8 | Operating mode of the Eth-trunk8 interface | Load-sharing mode |
| Eth-trunk8 | Cost value of the Eth-trunk8 interface | 100 |
| Eth-trunk8 | Priority for selecting a designated router (DR) | 0 |
| Eth-trunk8 | IP address of the interface on router A that is connected to the Eth-trunk8 interface | 10.3.37.33 |
| Eth-trunk8 | IP address segment of the Eth-trunk8 interface | 10.3.37.32/28 |
| Eth-trunk8 | Wildcard mask of the Eth-trunk8 interface | 0.0.0.15 |
| Eth-trunk9 | Eth-trunk9 | Bound with GigabitEthernet2/0/8 and GigabitEthernet2/0/9 |
| Eth-trunk9 | IP address and subnet mask of the Eth-trunk9 interface | 10.3.37.62/255.255.255.240 |
| Eth-trunk9 | Operating mode of the Eth-trunk9 interface | Load-sharing mode |
| Eth-trunk9 | Cost value of the Eth-trunk9 interface | 200 |
| Eth-trunk9 | Priority for selecting a DR | 0 |
| Eth-trunk9 | IP address of the interface on router B that is connected to the Eth-trunk9 interface | 10.3.37.49 |
| Eth-trunk9 | IP address segment of the Eth-trunk9 interface | 10.3.37.48/28 |
| Eth-trunk9 | Wildcard mask of the Eth-trunk9 interface | 0.0.0.15 |
| OSPF | OSPF process number | 2 |
| OSPF | Router ID | 10.8.20.1 |
| OSPF | Area ID | 0 |
| OSPF | Authentication mode | md5 |
| OSPF | Authentication ID | 1 |
| OSPF | Authentication password | abcd (in encrypted text) |
| Domain | Address segment for the mobile station (MS) | 192.168.200.0/24 and 192.168.210.0/24 |
| Domain | Next hop P interface of downlink routes | pif3/0/0 and pif3/1/0 |

• Plan the data for the interworking with the AAA server as follows:

| Category | Item | Value |
|---|---|---|
| VPN | Name of the VPN instance | vpn_Pi |
| VPN | RD value | 300:1 |
| Eth-trunk2 | Eth-trunk2 | Bound with GigabitEthernet1/0/2 and GigabitEthernet2/0/2 |
| Eth-trunk2 | IP address and subnet mask of the Eth-trunk2 interface | 10.3.37.94/255.255.255.240 |
| Eth-trunk2 | IP address of the interface on router C that is connected to the Eth-trunk2 interface | 10.3.37.94 |
| Pi interface | Name of the Pi interface | Piif3/0/0 |
| Pi interface | IP address and subnet mask | 10.8.50.1/255.255.255.255 |
| RADIUS server | RADIUS server group | isprg |
| RADIUS server | IP address of the RADIUS authentication server | 10.168.10.1 |
| RADIUS server | Destination port number | 1812 |
| RADIUS server | VPN instance | vpn_Pi |
| RADIUS server | Key | ispchina |
| RADIUS server | IP address of the RADIUS accounting server | 10.168.10.1 |
| RADIUS server | Destination port number | 1813 |
| RADIUS server | VPN instance | vpn_Pi |
| RADIUS server | Key | ispchina |
| RADIUS server | Domain bound to the RADIUS server group | domain1 |

Configuration Procedure

1. Configure the interworking with a PDN.

(1) Create a VPN instance.

<PDSN>system-view

[PDSN]ip vpn-instance vpn_pdn

[PDSN-vpn-instance-vpn_pdn]route-distinguisher 200:1

(2) Configure the Eth-trunk8 interface.

[PDSN]interface eth-trunk8
[PDSN-Eth-Trunk8]workmode loadbalance
[PDSN-Eth-Trunk8]description pdn_eth_trunk
[PDSN-Eth-Trunk8]ip binding vpn-instance vpn_pdn
[PDSN-Eth-Trunk8]ip address 10.3.37.46 255.255.255.240
[PDSN-Eth-Trunk8]ospf cost 100
[PDSN-Eth-Trunk8]ospf dr-priority 0
[PDSN-Eth-Trunk8]quit

(3) Bind the physical interfaces to the Eth-trunk8 interface.

Bind the GigabitEthernet1/0/8 interface to the Eth-trunk8 interface.

[PDSN]interface GigabitEthernet1/0/8
[PDSN-GigabitEthernet1/0/8]eth-trunk 8
[PDSN-GigabitEthernet1/0/8]quit

Bind the GigabitEthernet1/0/9 interface to the Eth-trunk8 interface.

[PDSN]interface GigabitEthernet1/0/9
[PDSN-GigabitEthernet1/0/9]eth-trunk 8
[PDSN-GigabitEthernet1/0/9]quit

(4) Configure the Eth-trunk9 interface.

[PDSN]interface eth-trunk9
[PDSN-Eth-Trunk9]workmode loadbalance
[PDSN-Eth-Trunk9]description pdn_eth_trunk
[PDSN-Eth-Trunk9]ip binding vpn-instance vpn_pdn
[PDSN-Eth-Trunk9]ip address 10.3.37.62 255.255.255.240
[PDSN-Eth-Trunk9]ospf cost 200
[PDSN-Eth-Trunk9]ospf dr-priority 0
[PDSN-Eth-Trunk9]quit

(5) Bind the physical interfaces to the Eth-trunk9 interface.

Bind the GigabitEthernet2/0/8 interface to the Eth-trunk9 interface.

[PDSN]interface GigabitEthernet2/0/8
[PDSN-GigabitEthernet2/0/8]eth-trunk 9
[PDSN-GigabitEthernet2/0/8]quit

Bind the GigabitEthernet2/0/9 interface to the Eth-trunk9 interface.

[PDSN]interface GigabitEthernet2/0/9
[PDSN-GigabitEthernet2/0/9]eth-trunk 9
[PDSN-GigabitEthernet2/0/9]quit

(6) Configure the OSPF dynamic route.

[PDSN]ospf 2 router-id 10.3.37.46 vpn-instance vpn_pdn
[PDSN-ospf-2]import-route static
[PDSN-ospf-2]vpn-instance-capability simple
[PDSN-ospf-2]area 0.0.0.0
[PDSN-ospf-2-area-0.0.0.0]authentication-mode md5 1 cipher abcd
[PDSN-ospf-2-area-0.0.0.0]network 10.3.37.32 0.0.0.15
[PDSN-ospf-2-area-0.0.0.0]network 10.3.37.48 0.0.0.15
[PDSN-ospf-2-area-0.0.0.0]quit
[PDSN-ospf-2]quit

(7) Configure the routes for downlink packets to an MS.

# Set the destination IP addresses to 192.168.200.0/24 and 192.168.210.0/24, which are the network segments of the MS. Set the next hops to pif3/0/0 and pif3/1/0.

[PDSN]ip route-static vpn-instance vpn_pdn 192.168.200.0 24 pif3/0/0
[PDSN]ip route-static vpn-instance vpn_pdn 192.168.210.0 24 pif3/1/0

(8) Bind the VPN to the domain and configure the PDSN9660 not to automatically generate downlink routes for users of the domain.

[PDSN]domain domain1
[PDSN-domain-domain1]vpn-instance vpn_pdn
[PDSN-domain-domain1]static-ip route disable
[PDSN-domain-domain1]quit

2. Configure the interworking with the AAA server.

(1) Create a VPN instance.

[PDSN]ip vpn-instance vpn_Pi

[PDSN-vpn-instance-vpn_Pi]route-distinguisher 300:1

(2) Configure the Eth-trunk2 interface.

[PDSN]interface eth-trunk2
[PDSN-Eth-Trunk2]workmode backup
[PDSN-Eth-Trunk2]description Pi_eth_trunk
[PDSN-Eth-Trunk2]ip binding vpn-instance vpn_Pi
[PDSN-Eth-Trunk2]ip address 10.3.37.94 255.255.255.240
[PDSN-Eth-Trunk2]quit

Bind the GigabitEthernet2/0/2 interface to the Eth-trunk2 interface.

[PDSN]interface GigabitEthernet2/0/2
[PDSN-GigabitEthernet2/0/2]eth-trunk 2
[PDSN-GigabitEthernet2/0/2]quit

(4) Configure the Pi interface.

# Create the Pi interface on the SPU of group 3.

[PDSN]interface Piif3/0/0

# Bind the Pi interface to the VPN instance before configuring the IP address of the interface. Otherwise, the configured IP address is deleted when the binding operation is performed.

[PDSN-Piif3/0/0]ip binding vpn-instance vpn_Pi

# Set the IP address of the Pi interface to 10.8.50.1 and the subnet mask to 255.255.255.255.

[PDSN-Piif3/0/0]ip address 10.8.50.1 255.255.255.255

# Return to the system view.

[PDSN-Piif3/0/0]quit

(5) Configure the default route to the AAA server. Set the IP address of the next hop router to 10.3.37.81.

[PDSN]ip route-static vpn-instance vpn_Pi 0.0.0.0 0.0.0.0 10.3.37.81

NOTE

On router C, you need to configure a static route to the PDSN9660. The destination IP address of the static route is 10.8.50.1. This is the IP address of the piif3/0/0 interface on the PDSN9660. The next hop is the Eth-trunk2 interface on the PDSN9660.

(6) Configure the RADIUS server.

# Configure the RADIUS server group isprg.

[PDSN-access]radius-server group isprg

# Configure the RADIUS authentication server. The IP address is 10.168.10.1. The destination port number is 1812. The RADIUS authentication server is bound to the VPN instance vpn_Pi. The key is ispchina.

[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.1 vpn-instance vpn_Pi port 1812 key ispchina

# Configure the RADIUS accounting server. The IP address is 10.168.10.1. The destination port number is 1813. The RADIUS accounting server is bound to the VPN instance vpn_Pi. The key is ispchina.

[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.1 vpn-instance vpn_Pi port 1813 key ispchina
[PDSN-access-radius-isprg]quit
[PDSN-access]quit

(7) Bind the RADIUS server group to the domain.

# Enter the domain view.

[PDSN]domain domain1

# Bind the RADIUS server group isprg to the domain domain1.

[PDSN-domain-domain1]radius-server group isprg
[PDSN-domain-domain1]quit
[PDSN]quit

(8) Save the current configuration.
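The outband design above depends on every RADIUS server being bound to a VPN instance that carries no user data (vpn_Pi here, with domain1 bound to vpn_pdn). The following Python script is an added example, not part of the Huawei documentation, that checks this from a command transcript; the function names and the prompt-based parsing are assumptions, and the sample transcript is abridged from the commands on this page.

```python
import re
# Abridged from the commands on this page; prompts kept as shown there.
SAMPLE = """\
[PDSN]interface eth-trunk8
[PDSN-Eth-Trunk8]ip binding vpn-instance vpn_pdn
[PDSN]interface eth-trunk2
[PDSN-Eth-Trunk2]ip binding vpn-instance vpn_Pi
[PDSN]interface Piif3/0/0
[PDSN-Piif3/0/0]ip binding vpn-instance vpn_Pi
[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.1 vpn-instance vpn_Pi port 1812 key ispchina
[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.1 vpn-instance vpn_Pi port 1813 key ispchina
[PDSN]domain domain1
[PDSN-domain-domain1]vpn-instance vpn_pdn
[PDSN-domain-domain1]radius-server group isprg
"""

PROMPT = re.compile(r"^[\[<]PDSN(?:-([^\]>]*))?[\]>]\s*(.*)$")
RADIUS = re.compile(r"radius-server (\w+) ip (\S+)(?: vpn-instance (\S+))?")

def parse(transcript):
    """Return interface->VPN, domain->VPN and RADIUS server bindings."""
    ifaces, domains, servers = {}, {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, cmd = m.group(1) or "", m.group(2)
        if cmd.startswith("ip binding vpn-instance "):
            ifaces[view] = cmd.split()[-1]
        elif view.startswith("domain-") and cmd.startswith("vpn-instance "):
            domains[view[len("domain-"):]] = cmd.split()[-1]
        elif view.startswith("access-radius-"):
            r = RADIUS.match(cmd)
            if r:
                servers.append((view[len("access-radius-"):], *r.groups()))
    return ifaces, domains, servers

def audit(transcript):
    """List RADIUS servers whose VPN binding breaks the outband separation."""
    ifaces, domains, servers = parse(transcript)
    findings = []
    for group, role, ip, vpn in servers:
        if vpn is None:
            findings.append(f"{group} {role} {ip}: no vpn-instance binding")
        elif vpn in domains.values():
            findings.append(f"{group} {role} {ip}: shares data VPN {vpn}")
        elif vpn not in ifaces.values():
            findings.append(f"{group} {role} {ip}: no interface bound to {vpn}")
    return findings
```

An empty list from `audit()` means every RADIUS server sits in a signaling-only VPN instance that has at least one interface bound to it.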

Interworking Test

Run ping to check whether the link to the AAA server is normal.

<PDSN>ping -vpn-instance vpn_Pi -a 10.8.50.1 10.168.10.1

NOTE

• If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.

• You must specify the IP address of the Pi interface to check whether the connection between the Pi interface and the peer device is normal.
