Juniper ERX700/ERX1400 Configuration and Troubleshooting (3)


2.3 Using MACRO

The ERX provides the macro command so that subscriber dial-in interfaces can be created in bulk automatically. Before using it, first create a script file with the .mac extension. The following script configures dial-in data on the Ethernet ports fa4/0 and fa4/1:

    <# fa4 #>                     ---- subroutine name
    <# vlanid:=962 #>
    <# while vlanid<=964 #>       ---- first loop
    interface fa4/0.vlanid
    vlan id vlanid
    encap pppoe
    interface fa4/0.vlanid.1
    encapsulation ppp
    ppp authentication pap
    profile any pppoe
    <# vlanid:=vlanid+1 #>
    <# endwhile #>
    <# vlanid:=962 #>
    <# while vlanid<=964 #>       ---- second loop
    interface fa4/1.vlanid
    vlan id vlanid
    encap pppoe
    interface fa4/1.vlanid.1
    encapsulation ppp
    ppp authentication pap
    profile any pppoe
    <# vlanid:=vlanid+1 #>
    <# endwhile #>

Each .mac file consists of one or more subroutines. A subroutine may contain several loops, but loops cannot be nested. Upload the macro file (for example fast.mac) to the ERX and run the script with the following command:

    macro test fast.mac fa4       ---- macro can run only one subroutine at a time

test is a keyword used to check whether the script has syntax errors; if it has none, macro prints the result of the run to the telnet window. Once the configuration has been confirmed to be correct, remove the test keyword so that the output actually takes effect (nothing is printed to the screen while it runs):

    macro fast.mac fa4

2.4 Configuring a dial-in interface for DHCP as well

This makes it possible both to dial in and to get online through DHCP on Ethernet and 1483 bridged interfaces.

    interface atm 12/0.332 point-to-point
    atm pvc 332 3 32 aal5snap 0 0 0
    encapsulation pppoe
    pppoe acName wenzhou
    ip unnumbered lo0

Configure the DHCP relay:

    set dhcp relay x.x.x.x        ---- DHCP server IP

Note that older ERX releases (before 3.4.1) do not support configuring dial-in and DHCP together on an Ethernet port.

2.5 Configuring dynamic dial-in interfaces with AUTO-CONFIGURE

Dynamic creation of dial-in interfaces means that a pppoe/ppp dial-in interface does not have to be created by hand for every dial-in user: when the port detects a new dial-in session, the pppoe interface and the corresponding ppp sub-interface are created automatically.

For an ATM port:

    interface atm 5/1.6105 point-to-point
    atm pvc 6105 6 105 aal5snap 0 0 0
    auto-configure pppoe
    profile pppoe "pppoe-1"

    profile "pppoe-1"
    ip unnumbered loopback 0
    ppp authentication pap
    pppoe sessions 1              ---- limits the number of dial-in interfaces online at the same time

For an Ethernet port:

    interface atm 5/1.6105 point-to-point
    atm pvc 6105 6 105 aal5snap 0 0 0
    auto-configure pppoe
    profile pppoe "pppoe-1"
    pppoe sessions 1

The difference between the two configurations is that on an Ethernet port the session limit must be configured under the pppoe interface. Note that releases before 5.0 do not support creating auto-configure on an Ethernet port.

2.6 MPLS configuration

- LDP distribution mode: by default the ERX distributes LDP labels in data-driven mode. When interworking with other vendors this must be changed to topology-driven mode.

    mpls topology-driven-lsp

- Restricting LDP labels: normally the ERX binds a label to every active routing table entry. In practice (for example with MPLS/VPN) only the local loopback needs to be bound to a label and distributed, so label distribution can be restricted by configuring an ACL.

    access-list onlyme permit ip host 202.96.209.34 any
    mpls ldp advertise-labels for onlyme

- About the router ID: when IBGP is used, the IBGP source-address must be the same as the router-id. If no router-id is specified manually, the ERX automatically picks an IP address as the router-id, which may prevent BGP from establishing the connection.

    ip router-id x.x.x.x          ---- same as the IBGP update-source

- Checking received BGP routes: show ip bgp vpnv4 vrf xxx [y.y.y.y] shows whether the VPN routes distributed by the remote PE have been received and whether the locally advertised VPN routes are correct. With a specific route y.y.y.y added, it shows the label and other attributes of that VPN route.

    gongyeyuan-erx1400#sh ip bgp vpnv4 vrf suzhou
    Local BGP identifier 61.177.2.96, local AS 64513
     14 routes (784 bytes)
     14 destinations (1008 bytes) of which 14 have a route
     12 routes selected for route table installation
     3 path attribute entries (444 bytes)
     Local-RIB version 29. FIB version 29.
    Status codes: > best, * invalid, s suppressed, d dampened, r rejected,
             a auto-summarized
      Prefix             Peer           Next-hop       MED LocPrf Weight Origin
    > 0.0.0.0/0          61.177.2.238   61.177.2.238     1    100      0 inc.
    > 10.0.0.0/30        61.177.2.238   61.177.2.238     0    100      0 inc.
    …….
    …….
    > 61.155.130.192/27  61.177.2.238   61.177.2.238     0    100      0 inc.
    > 172.16.1.0/24      0.0.0.0        0.0.0.0          0         32768 inc.   ---- local VPN route
    > 192.168.1.1/32     0.0.0.0        0.0.0.0          0         32768 inc.   ---- local VPN route
    > 218.30.129.248/29  61.177.2.238   61.177.2.238     0    100      0 inc.

    gongyeyuan-erx1400#sh ip bgp vpnv4 vrf suzhou 10.0.0.0
    BGP route information for prefix 10.0.0.0/30
     Received route learned from internal peer 61.177.2.238 (best route)
       Route placed in IP forwarding table
       Best to advertise to external peers
       Address Family Identifier (AFI) is ip-v4
       Subsequent Address Family Identifier (SAFI) is unicast
       Route Distinguisher (RD) is 61.177.2.96:100
       Original Route Distinguisher (RD) is 61.177.2.238:100
       MPLS in-label is none
       MPLS out-label is 589842   ---- inner label carried in the VPN route
       Next hop IP address is 61.177.2.238 (metric 30)
       Multi-exit discriminator is 0
       Local preference is 100
       Weight is 0
       Origin is Incomplete
       AS path is empty
     Extended communities RT:64513:100

- Failure to receive VPN routes: the symptom is that the VRF routing table has no corresponding VPN route. There are two causes: the VPN import/export configuration does not match the configuration of the remote PE, or the LSP from the local PE to the remote PE has not been established. The former can be confirmed by checking the configuration; for the latter, check the working state of MPLS as follows.

show mpls interface ---- checks whether MPLS is enabled on the uplink port

    sh mpls interface
    Interface GigabitEthernet13/0.12 Up
    RSVP not configured
    LDP/CR-LDP enabled with profile default
    IP interfaces on this MPLS interface:
       221.224.242.78/30
         Session to 61.177.2.253 is operational (active)
         Session negotiated LDP advertisement mode is Downstream Unsolicited
         Session statistics:
           803 label alloc, 5417 label learned,
           803 accum label alloc, 5417 accum label learned,
           last restart time = 00:11:20
           Rcvd: 0 notf, 5559 msg, 5517 mapping, 0 request
               0 abort, 0 release, 0 withdraw, 1 addr
               0 addr withdraw, 6447033 msgId
               0 bad mapping, 0 bad request, 0 bad abort, 0 bad release
               0 bad withdraw, 0 bad addr, 0 bad addr withdraw
               0 unknown msg type err
               last info err code = 0x00000000, 0 loop detected
           Sent: 0 notf, 839 msg, 803 mapping, 0 request
               0 abort, 0 release, 0 withdraw, 1 addr
               0 addr withdraw, 839 msgId
         Adjacency statistics:
           156 hello recv, 136 hello sent, 0 bad hello recv
           adj setup time = 00:11:20
           last hello recv time = 00:00:02, last hello sent time = 00:00:04
    MPLS Statistics:
       Rcvd: 1 failed lbl lookup, 758 octets, 0 hcOctets
           14 pkts, 0 hcPkts, 0 errors, 0 discards
       Sent: 0 octets, 0 hcOctets, 0 pkts
           0 hcPkts, 0 errors, 0 discards
       1 adjacency, 1 session, 1 accum adjace   ---- an MPLS neighbor has been detected
       156 hello recv, 137 hello sent, 0 hello rej
       1 adj setup, 0 adj deleted,
    …………………

show ip tcp statistics ---- checks whether the LDP TCP connection is normal

    gongyeyuan-erx1400#sh ip tcp statistics
    TCP Global Statistics:
    ……..
    …….
     Local addr: 0.0.0.0, Local port: 646
     Remote addr: 0.0.0.0, Remote port: 0
     State: LISTEN
     Authentication: None
     Rcvd: 6 total pkts, 0 in-sequence pkts, 0 bytes
         0 chksum err pkts, 0 bad offset pkts, 0 short pkts
         0 duplicate pkts, 0 out of order pkts
     Sent: 0 total pkts, 0 data pkts, 0 bytes
         0 retransmitted pkts, 0 retransmitted bytes
     Local addr: 61.177.2.96, Local port: 646
     Remote addr: 61.177.2.251, Remote port: 41892
     State: ESTABLISHED
     Authentication: None
     Rcvd: 433 total pkts, 372 in-sequence pkts, 148603 bytes
         0 chksum err pkts, 0 bad offset pkts, 0 short pkts
         0 duplicate pkts, 0 out of order pkts
     Sent: 170 total pkts, 53 data pkts, 5653 bytes
         0 retransmitted pkts, 0 retransmitted bytes
    ….
    ….

show ip mpls binding x.x.x.x ---- checks how LDP labels have been received and bound. The address x.x.x.x is the loopback of the remote PE. Normally every remote PE is bound to one corresponding outgoing label, which is used to forward VPN data from the local PE to the remote PE.

    gongyeyuan-erx1400#sh mpls ip binding 61.177.2.238
     61.177.2.238/32
       In   60 neighbor 61.177.2.251
       Out   45 neighbor 61.177.2.251

show mpls forwarding destination ---- checks whether the LSP between the PEs has been established and how data is being forwarded. The IP address after destination is the loopback of the remote PE, which is also the IBGP neighbour address.

    gongyeyuan-erx1400#sh mpls forwarding destination 61.177.2.238
    LSP vpnIngress-83 to   61.177.2.238/255.255.255.255
     Out label is Variable Interface
       38 pkts, 0 hcPkts, 3084 octets
       0 hcOctets, 0 errors, 0 discardPkts
    Labels: 589842 589843
     LSP lsp-3db102ee-32-98 to   61.177.2.238/255.255.255.255
     In label 60 on GigabitEthernet9/0.10
       0 pkts, 0 hcPkts, 0 octets
       0 hcOctets, 0 errors, 0 discardPkts
     Out label 45 on GigabitEthernet13/0 nbr 221.224.242.5   ---- outgoing label of the LSP
       38 pkts, 0 hcPkts, 3236 octets
       0 hcOctets, 0 errors, 0 discardPkts
       queue 0: traffic class best-effort, bound to GigabitEthernet13/0
         Queue length 0 bytes
         Forwarded packets 0, bytes 0
         Dropped committed packets 0, bytes 0
         Dropped conformed packets 0, bytes 0
         Dropped exceeded packets 0, bytes 0
     stacked labels:
    vpnIngress-83     61.177.2.238/32   Out                           on tun mpls:lsp-3db102ee-32-1b

show mpls forwarding

    gongyeyuan-erx1400#sh mpls forwarding
     LSP vpnEgL16-1 for 0.0.0.0
     In label 16 on stack   ---- incoming label of the LSP
       35 pkts, 0 hcPkts, 2970 octets
       0 hcOctets, 0 errors, 0 discardPkts

Unlike Juniper routers, the ERX handles the label on the egress router using UHP (ultimate hop pop), so the incoming label of the LSP is usually seen to be 16 rather than 0 or 1. VPN data generated locally, such as ping vrf x.x.x.x, is also forwarded onto the PE-to-PE LSP, so it can be combined with show mpls forwarding destination to observe how VPN data is being forwarded.
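The show ip tcp statistics check above can be scripted when several PEs have to be reviewed. The following Python is an added example, not part of the original post: it parses connection blocks in the format quoted above, selects the LDP sessions (TCP port 646) and reports any that are not ESTABLISHED or that show "Authentication: None". The function names and the trimmed sample input are assumptions made for the example.

```python
import re

# Sample input: the two connection blocks from the "sh ip tcp statistics"
# output quoted in the post, with the packet counters left out.
SAMPLE = """\
 Local addr: 0.0.0.0, Local port: 646
 Remote addr: 0.0.0.0, Remote port: 0
 State: LISTEN
 Authentication: None
 Local addr: 61.177.2.96, Local port: 646
 Remote addr: 61.177.2.251, Remote port: 41892
 State: ESTABLISHED
 Authentication: None
"""

LDP_PORT = "646"  # TCP port the LDP sessions in the output use

FIELD = re.compile(
    r"(Local addr|Local port|Remote addr|Remote port|State|Authentication):\s*([^,\n]+)")

def parse_connections(text):
    """Return one dict per connection; each 'Local addr' field starts a new block."""
    conns = []
    for key, value in FIELD.findall(text):
        if key == "Local addr":
            conns.append({})
        if conns:
            conns[-1][key] = value.strip()
    return conns

def ldp_sessions(text):
    """Return (peer, state, authentication) for each LDP connection to a peer."""
    sessions = []
    for c in parse_connections(text):
        ports = {c.get("Local port"), c.get("Remote port")}
        if LDP_PORT not in ports or c.get("State") == "LISTEN":
            continue  # not LDP, or only the listening socket
        sessions.append((c.get("Remote addr"), c.get("State"), c.get("Authentication")))
    return sessions

def findings(text):
    """Flag LDP sessions that are not ESTABLISHED or that run unauthenticated."""
    notes = []
    for peer, state, auth in ldp_sessions(text):
        if state != "ESTABLISHED":
            notes.append(f"{peer}: LDP TCP session is {state}")
        if auth == "None":
            notes.append(f"{peer}: LDP TCP session has no authentication")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```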
