适用范围
本案例介绍在BRAS综合场景中,ME60作为网关认证设备,实现用户的接入认证(IPoE接入、PPPoE接入、MAC认证等),适用于用户规模较大(20000+用户)的高校园区场景。
业务需求
某校园网要实现学生宿舍区和教师办公区的有线无线网络一体化认证,包括如下需求:
- 接入需求有线、无线网络同时部署,并支持有线、无线用户的接入。校园内网用户能访问外网ISP1、ISP2(比如互联网、教育网),外网用户也能访问内网中的服务器资源。
- 认证需求有线、无线用户接入网络均需进行认证,有线采用PPPoE认证,无线采用IPoE认证,哑终端采用MAC认证。
- 网络权限需求有线、无线用户基于学生、教师等角色有不同的账号和网络权限,如表2-130。学生账号和教师账号由学校本地AAA服务器进行管理,包括认证、计费、授权。商业账号由学校AAA服务器进行AAA Proxy转发至运营商AAA服务器进行认证。
- 表2-130 网络权限
账号类型 上网方式 认证方式 网络权限 带宽控制 学生账号 有线 PPPoE 访问校园内网 10M 学生账号 无线 IPoE 教师账号 有线 PPPoE 访问校园内网;通过校园网访问校园外网ISP1和ISP2 校园内网:20M 校园外网:50M
教师账号 无线 IPoE 商业账号 有线 PPPoE 访问校园内网;通过商业通道访问外网ISP1和ISP2 校园内网:学生:10M;教师:20M 校园外网:50M
商业账号 无线 IPoE 哑终端(打印机、传真机等) 有线 MAC 访问校园内网 20M - 计费需求学生、教师等访问校园内网不计费,访问校园外网运营商网络ISP1和ISP2计费。
- 安全需求对进出校园网的流量要进行识别、过滤,确保网络安全。
方案设计
拓扑设计
ME60做网关认证点的组网图如图2-99所示。
图2-99 ME60做网关认证点的组网图
业务设计
- 接入需求设计ME60作为有线用户和无线用户的网关认证点,为用户动态分配IP地址,同时提供有线用户和无线用户的认证。核心交换机S12700E-8是所有汇聚交换机的连接点,并内置随板AC(无需额外购买硬件AC,减少网络设备投资)。在S12700E-8上配置随板AC功能,管理全网的AP,实现无线网络的接入。S5735-L作为接入交换机,上行汇聚至S6730-H,通过QinQ实现用户隔离。内层VLAN代表区域内的不同接口(如学生宿舍区和教师办公区接入交换机的下行接口划分VLAN2001~3500),外层VLAN代表不同区域的不同楼层(如学生宿舍区汇聚交换机的下行接口划分VLAN101~200;教师办公区汇聚交换机的下行接口划分VLAN201~400)。
核心交换机S12700E-8透传QinQ报文到ME60,ME60进行QinQ终结。
出口防火墙USG6680承担外网出口业务,隔离内外网区域,通过NAT功能实现内外网互访。防火墙开启智能选路功能,根据出口链路带宽动态地选择出接口,实现链路资源的合理利用和用户体验的提升。
- 认证需求设计ME60作为认证设备,为有线无线用户提供丰富的认证方式,包括IPoE认证、PPPoE认证、MAC认证等,满足用户灵活认证的需求。WEB认证通过后才能访问外网。
- 网络权限和计费需求设计在ME60上配置DAA功能,能实现不同用户、不同目的地址的差异化限速和计费需求。
- 安全需求设计在出口防火墙上配置安全策略,可以针对用户上网报文进行过滤,防止用户访问非法网站,同时可对用户网络报文进行监控和追溯。
部署思路和数据规划
部署思路
步骤 | 部署思路 | 涉及设备 |
---|---|---|
1 | 配置接入交换机的接口和VLAN,使得网络二层互通 | S5735-L_A、S5735-L_B |
2 | 配置汇聚交换机的接口和VLAN,使得网络二层互通 | |
3 | 配置核心交换机的接口、VLAN、IP地址、路由等,使得网络互通 | S12700E-8
|
4 | 配置核心交换机的DHCP功能,为AP分配IP地址 | |
5 | 配置核心交换机的WLAN业务,实现无线用户接入 | |
6 | 配置ME60的接口、VLAN、IP地址、路由等,使能网络互通 | ME60 |
7 | 在ME60上配置IPoE接入,为校园网学生、教师无线用户提供IPoE接入认证 | |
8 | 在ME60上配置PPPoE接入,为校园网学生、教师有线用户提供PPPoE接入认证 | |
9 | 在ME60上配置MAC认证,校园网的打印机、传真机等哑终端使用MAC认证 | |
10 | 在防火墙上配置接口、IP地址、路由协议等,使得网络互通 | USG6315E_A、USG6315E_B |
11 | 在防火墙上配置各接口所属的安全区域 | |
12 | 在防火墙上配置智能选路,根据链路带宽负载分担 | |
13 | 在防火墙上配置双机热备,网络中主用设备出现故障时,备用设备能够平滑地接替主用设备的工作,从而实现业务的不间断运行 | |
14 | 在防火墙上配置安全策略 | |
15 | 在防火墙上配置NAT,让内网用户可以访问Internet | |
16 | 在防火墙上配置NAT Server,保证外部用户可以访问内网HTTP服务器 | |
17 | 在防火墙上启用智能DNS功能,确保不同运营商的用户访问请求获得最适合的解析地址 | |
18 | 在防火墙上配置攻击防范和应用行为控制 |
数据规划
以下描述的是案例中涉及的VLAN、接口、IP地址、路由以及各业务的数据规划。
表2-132 VLAN规划表
产品名称 | 参数项 | 描述 |
---|---|---|
S5735-L_A | VLAN600 | 学生宿舍区哑终端所属的VLAN。 |
VLAN2001~3000 | 学生宿舍区有线接入用户的内层VLAN。 | |
VLAN3001~3500 | 学生宿舍区无线接入用户的内层VLAN。 | |
VLAN4004 | 学生宿舍区AP的管理VLAN。 | |
S5735-L_B | VLAN600 | 教室/办公区哑终端所属的VLAN。 |
VLAN2001~3000 | 教室/办公区有线接入用户的内层VLAN。 | |
VLAN3001~3500 | 教室/办公区无线接入用户的内层VLAN。 | |
VLAN4004 | 教室/办公区AP的管理VLAN。 | |
S6730-H_A | VLAN600 | 学生宿舍区哑终端所属的VLAN。 |
VLAN101~200 | 学生宿舍区有线接入用户的外层VLAN。 | |
VLAN1601~1800 | 学生宿舍区无线接入用户的外层VLAN。 | |
VLAN4004 | 学生宿舍区AP的管理VLAN。 | |
S6730-H_B
|
VLAN600 | 教室/办公区哑终端所属的VLAN。 |
VLAN201~400 | 教室/办公区有线接入用户的外层VLAN。 | |
VLAN1801~2000 | 教室/办公区无线接入用户的外层VLAN。 | |
VLAN4004 | 教室/办公区AP的管理VLAN。 | |
S12700E-8 | VLAN600 | 哑终端所属的VLAN。 |
VLAN101~400 | 有线用户外层VLAN | |
VLAN1601~2000 | 无线用户外层VLAN | |
VLAN4010 | 核心交换机上连ME60所属的VLAN。 | |
VLAN4004 | AP的管理VLAN。 |
表2-133 接口和IP规划表
产品名称 | 接口编号 | IP地址 |
---|---|---|
USG6315E_A | GE1/0/6 | 172.16.11.1/30 |
GE1/0/7 | 172.16.11.5/30 | |
GE1/0/1 | 203.0.113.1/24 | |
GE1/0/2 | 192.0.2.2/24 | |
Loopback0 | 172.16.10.1/32 | |
USG6315E_B | GE1/0/6 | 172.16.11.2/30 |
GE1/0/7 | 172.16.11.9/30 | |
GE1/0/1 | 203.0.113.2/24 | |
GE1/0/2 | 192.0.2.1/24 | |
Loopback0 | 172.16.10.2/32 | |
ME60 | GE1/0/1 | 172.16.11.6/30 |
GE1/0/2 | 172.16.11.10/30 | |
GE1/1/1.4010 | 172.16.11.14/30 | |
Loopback0 | 172.16.10.3/32 | |
S12700E-8 | Loopback0 | 172.16.10.4/32 |
VLANIF4010 | 172.16.11.13/30 |
表2-134 静态路由表
设备 | 目的地址 | 下一跳IP地址 |
---|---|---|
USG6315E_A | 10.253.0.0/17 | 172.16.11.6/30 |
10.253.128.0/17 | 172.16.11.6/30 | |
10.254.0.0/17 | 172.16.11.6/30 | |
10.254.128.0/17 | 172.16.11.6/30 | |
172.16.10.2/32 | 172.16.11.6/30 | |
172.16.10.3/32 | 172.16.11.6/30 | |
172.16.10.4/32 | 172.16.11.6/30 | |
192.168.10.0/24 | 172.16.11.6/30 | |
USG6315E_B | 10.253.0.0/17 | 172.16.11.10/30 |
10.253.128.0/17 | 172.16.11.10/30 | |
10.254.0.0/17 | 172.16.11.10/30 | |
10.254.128.0/17 | 172.16.11.10/30 | |
172.16.10.1/32 | 172.16.11.10/30 | |
172.16.10.3/32 | 172.16.11.10/30 | |
172.16.10.4/32 | 172.16.11.10/30 | |
192.168.10.0/24 | 172.16.11.10/30 | |
ME60
|
172.16.10.1/32 | 172.16.11.5/30 |
172.16.10.2/32 | 172.16.11.9/30 | |
172.16.10.4/32 | 172.16.11.13/30 | |
0.0.0.0/0 | 172.16.11.5/30 | |
0.0.0.0/0 | 172.16.11.9/30 | |
S12700E-8
|
172.16.10.1/32 | 172.16.11.14/30 |
172.16.10.2/32 | 172.16.11.14/30 | |
172.16.10.3/32 | 172.16.11.14/30 |
表2-135 IPoE接入参数规划
参数项 | 参数值 |
---|---|
AAA方案 |
|
Radius服务器 |
|
WEB服务器 |
|
地址池 |
|
认证前域 |
|
UCL规则 | 配置用户在认证前域时,重定向到Web认证页面的UCL规则
|
认证域 |
|
BAS接口 |
说明: 由于Web认证用户在未认证前属于非法用户,无法获取IP地址,也没有权限访问Web认证服务器,因而也无法进行Web认证。为了解决这个矛盾,所有未认证的Web认证用户都被归到某个缺省域(基于接口配置),称为认证前缺省域,简称为认证前域。未认证用户可以从认证前域pre-authen中获取IP地址,并通过认证前域pre-authen赋予的权限访问Web服务器。完成Web认证之后,通过认证域xs进行Radius服务器认证。 |
表2-136 PPPoE接入参数规划
参数项 | 参数值 |
---|---|
AAA方案 | 同IPoE接入参数规划的AAA方案 |
Radius服务器 | 同IPoE接入参数规划的Radius服务器 |
地址池 |
|
用户组 | 用户组pre-ppp,限制认证前域无法访问网络 |
认证前域 |
|
UCL规则 | 配置用户在认证前域时,重定向到Web认证页面的UCL规则
|
认证域 | 同IPoE接入参数规划的认证域 |
虚拟模板接口 | 接口编号为1,用户认证方式为auto |
BAS接口 |
|
表2-137 MAC认证参数规划
参数项 | 参数值 |
---|---|
AAA方案 |
|
Radius服务器 |
|
WEB服务器 | 同IPoE接入参数规划的WEB服务器 |
地址池 |
|
用户组 | 用户组pre-web,限制认证前域无法访问网络 |
认证域(认证失败后重定向的域) |
|
UCL规则 | 配置用户在认证失败后,重定向到域pre-authen时,重定向到Web认证页面的UCL规则
|
认证前域 | 域名称mac,域下绑定的认证方案mac,计费方案acc,RADIUS服务器mac,地址池pre-pool,并需要使能MAC认证功能 |
认证域 | 域名称jg,域下绑定的认证方案authen、计费方案acc、RADIUS服务器radius、地址池jiaoshi |
BAS接口 |
|
表2-138 DAA参数规划
参数项 | 参数值 |
---|---|
DAA使能 | 全局使能增值业务功能 |
AAA方案 | 同IPoE接入参数规划的AAA方案 |
Radius服务器 | 同IPoE接入参数规划的Radius服务器 |
WEB服务器 | 同IPoE接入参数规划的WEB服务器 |
地址池 | 同IPoE接入参数规划的地址池 |
用户组 |
说明: 用户组user-group配置方式有三种,包括:
这三种方式中,DAA业务策略模板配置用户组user-group的优先级最高,RADIUS服务器下发用户组user-group的优先级次之,域下配置用户组user-group的优先级最低。本配置案例通过RADIUS服务器下发用户组。 |
认证前域 | 同IPoE接入参数规划的认证前域 |
UCL规则 | 配置用户在认证前域时,重定向到Web认证页面的UCL规则
|
QoS模板 | QoS模板名10M、20M、50M |
DAA业务策略 |
|
认证域 |
说明: DAA业务策略50M通过RADIUS服务器下发。 |
BAS接口 | 同IPoE接入参数规划的BAS接口 |
部署步骤
配置接入交换机S5735-L
- 在接入交换机S5735-L_A上配置VLAN。# 创建学生宿舍区有线用户内层VLAN为2001~3000,无线用户内层VLAN为3001~3500,哑终端VLAN为600,AP的管理VLAN为4004。
<S5735-L_A> system-view [S5735-L_A] vlan batch 600 2001 to 3500 4004
# 配置连接有线用户的下行接口加入内层VLAN,每个接口加入不同VLAN。以接口GE0/0/3加入VLAN 2001为例。
[S5735-L_A] interface GigabitEthernet 0/0/3 [S5735-L_A-GigabitEthernet0/0/3] port link-type access [S5735-L_A-GigabitEthernet0/0/3] port default vlan 2001 [S5735-L_A-GigabitEthernet0/0/3] stp edged-port enable [S5735-L_A-GigabitEthernet0/0/3] quit
# 配置连接AP的端口GE0/0/4加入VLAN4004(管理VLAN),放通业务VLAN和管理VLAN。
[S5735-L_A] interface GigabitEthernet 0/0/4 [S5735-L_A-GigabitEthernet0/0/4] port link-type trunk [S5735-L_A-GigabitEthernet0/0/4] port trunk pvid vlan 4004 [S5735-L_A-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1 [S5735-L_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004 [S5735-L_A-GigabitEthernet0/0/4] port-isolate enable group 1 [S5735-L_A-GigabitEthernet0/0/4] stp edged-port enable [S5735-L_A-GigabitEthernet0/0/4] quit
# 配置连接哑终端的端口GE0/0/5加入VLAN600。
[S5735-L_A] interface GigabitEthernet 0/0/5 [S5735-L_A-GigabitEthernet0/0/5] port link-type access [S5735-L_A-GigabitEthernet0/0/5] port default vlan 600 [S5735-L_A-GigabitEthernet0/0/5] stp edged-port enable [S5735-L_A-GigabitEthernet0/0/5] quit
- 在接入交换机S5735-L_A上配置上行接口,放通所有业务VLAN和管理VLAN。
[S5735-L_A] interface GigabitEthernet 0/0/1 [S5735-L_A-GigabitEthernet0/0/1] port link-type trunk [S5735-L_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1 [S5735-L_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004 [S5735-L_A-GigabitEthernet0/0/1] quit
- 在接入交换机S5735-L_B上配置VLAN。# 创建教师办公区有线用户内层VLAN为2001~3000,无线用户内层VLAN为3001~3500,哑终端VLAN为600,AP的管理VLAN为4004。
<S5735-L_B> system-view [S5735-L_B] vlan batch 600 2001 to 3500 4004
# 配置连接有线用户的下行接口加入内层VLAN,每个接口加入不同VLAN。以接口GE0/0/3加入VLAN 2001为例。
[S5735-L_B] interface GigabitEthernet 0/0/3 [S5735-L_B-GigabitEthernet0/0/3] port link-type access [S5735-L_B-GigabitEthernet0/0/3] port default vlan 2001 [S5735-L_B-GigabitEthernet0/0/3] stp edged-port enable [S5735-L_B-GigabitEthernet0/0/3] quit
# 配置连接AP的端口GE0/0/4加入VLAN4004(管理VLAN),放通业务VLAN和管理VLAN。
[S5735-L_B] interface GigabitEthernet 0/0/4 [S5735-L_B-GigabitEthernet0/0/4] port link-type trunk [S5735-L_B-GigabitEthernet0/0/4] port trunk pvid vlan 4004 [S5735-L_B-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1 [S5735-L_B-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004 [S5735-L_B-GigabitEthernet0/0/4] port-isolate enable group 1 [S5735-L_B-GigabitEthernet0/0/4] stp edged-port enable [S5735-L_B-GigabitEthernet0/0/4] quit
# 配置连接哑终端的端口GE0/0/5加入VLAN600。
[S5735-L_B] interface GigabitEthernet 0/0/5 [S5735-L_B-GigabitEthernet0/0/5] port link-type access [S5735-L_B-GigabitEthernet0/0/5] port default vlan 600 [S5735-L_B-GigabitEthernet0/0/5] stp edged-port enable [S5735-L_B-GigabitEthernet0/0/5] quit
- 在接入交换机S5735-L_B上配置上行接口,放通所有业务VLAN和管理VLAN。
[S5735-L_B] interface GigabitEthernet 0/0/1 [S5735-L_B-GigabitEthernet0/0/1] port link-type trunk [S5735-L_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1 [S5735-L_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004 [S5735-L_B-GigabitEthernet0/0/1] quit
配置汇聚交换机S6730-H
- 在汇聚交换机S6730-H_A上配置VLAN。# 创建学生宿舍区有线用户外层VLAN为101~200,无线用户外层VLAN为1601~1800,哑终端VLAN为600,AP的管理VLAN为4004。
<S6730-H_A> system-view [S6730-H_A] vlan batch 101 to 200 600 1601 to 1800 4004
# 在下行接口为有线用户和无线用户配置外层VLAN,每个接口加入不同VLAN。同时放通AP的管理VLAN和哑终端VLAN。以接口XGE1/0/1为例,为有线用户加入外层VLAN 101,为无线用户加入外层VLAN1601。
[S6730-H_A] interface XGigabitEthernet 1/0/1 [S6730-H_A-XGigabitEthernet1/0/1] port link-type hybrid [S6730-H_A-XGigabitEthernet1/0/1] undo port hybrid vlan 1 [S6730-H_A-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004 [S6730-H_A-XGigabitEthernet1/0/1] port hybrid untagged vlan 101 1601 [S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 101 [S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1601 [S6730-H_A-XGigabitEthernet1/0/1] quit
- 在汇聚交换机S6730-H_A上配置上行接口,放通所有业务VLAN和管理VLAN。
[S6730-H_A] interface XGigabitEthernet 3/0/0 [S6730-H_A-XGigabitEthernet3/0/0] port link-type trunk [S6730-H_A-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1 [S6730-H_A-XGigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004 [S6730-H_A-XGigabitEthernet3/0/0] quit
- 在汇聚交换机S6730-H_B上配置VLAN。# 创建教师办公区有线用户外层VLAN为201~400,无线用户外层VLAN为1801~2000,哑终端VLAN为600,AP的管理VLAN为4004。
<S6730-H_B> system-view [S6730-H_B] vlan batch 201 to 400 600 1801 to 2000 4004
# 在下行接口为有线用户和无线用户配置外层VLAN,每个接口加入不同VLAN。同时放通AP的管理VLAN和哑终端VLAN。以接口XGE1/0/1为例,为有线用户加入外层VLAN 201,为无线用户加入外层VLAN1801。
[S6730-H_B] interface XGigabitEthernet 1/0/1 [S6730-H_B-XGigabitEthernet1/0/1] port link-type hybrid [S6730-H_B-XGigabitEthernet1/0/1] undo port hybrid vlan 1 [S6730-H_B-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004 [S6730-H_B-XGigabitEthernet1/0/1] port hybrid untagged vlan 201 1801 [S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 201 [S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1801 [S6730-H_B-XGigabitEthernet1/0/1] quit
- 在汇聚交换机S6730-H_B上配置上行接口,放通所有业务VLAN和管理VLAN。
[S6730-H_B] interface XGigabitEthernet 3/0/0 [S6730-H_B-XGigabitEthernet3/0/0] port link-type trunk [S6730-H_B-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1 [S6730-H_B-XGigabitEthernet3/0/0] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004 [S6730-H_B-XGigabitEthernet3/0/0] quit
配置核心交换机S12700E-8
- 配置NAC模式为统一模式,以保证用户能够正常接入网络。
<S12700E-8> system-view [S12700E-8] authentication unified-mode
设备默认为统一模式。通过命令display authentication mode查看设备当前的认证模式。传统模式与统一模式相互切换后,设备会自动重启。
- 创建VLAN,创建有线用户外层VLAN为101~400,无线用户外层VLAN为1601~2000,无线业务VLAN为3001~3500,哑终端VLAN为600,AP的管理VLAN为4004,与ME60对接的VLAN为4010。
[S12700E-8] vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
- 配置上下行接口加入VLAN。
# 配置下行接口。
[S12700E-8] interface XGigabitEthernet 4/0/1 [S12700E-8-XGigabitEthernet4/0/1] port link-type trunk [S12700E-8-XGigabitEthernet4/0/1] undo port trunk allow-pass vlan 1 [S12700E-8-XGigabitEthernet4/0/1] port trunk allow-pass vlan 101 to 200 600 1601 to 1801 4004 [S12700E-8-XGigabitEthernet4/0/1] port-isolate enable group 1 [S12700E-8-XGigabitEthernet4/0/1] quit [S12700E-8] interface XGigabitEthernet 4/0/2 [S12700E-8-XGigabitEthernet4/0/2] port link-type trunk [S12700E-8-XGigabitEthernet4/0/2] undo port trunk allow-pass vlan 1 [S12700E-8-XGigabitEthernet4/0/2] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004 [S12700E-8-XGigabitEthernet4/0/2] port-isolate enable group 1 [S12700E-8-XGigabitEthernet4/0/2] quit
# 配置上行接口。
[S12700E-8] interface XGigabitEthernet 5/0/7 [S12700E-8-XGigabitEthernet4/0/1] port link-type trunk [S12700E-8-XGigabitEthernet4/0/1] undo port trunk allow-pass vlan 1 [S12700E-8-XGigabitEthernet4/0/1] port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010 [S12700E-8-XGigabitEthernet4/0/1] quit
- 配置接口IP地址。
[S12700E-8] interface Vlanif 4010 [S12700E-8-Vlanif4010] ip address 172.16.11.13 30 [S12700E-8-Vlanif4010] quit [S12700E-8] interface LoopBack0 [S12700E-8-LoopBack0] ip address 172.16.10.4 32 [S12700E-8-LoopBack0] quit
- 配置静态路由,往防火墙、ME60的下一跳地址为172.16.11.14。
[S12700E-8] ip route-static 172.16.10.1 32 172.16.11.14 [S12700E-8] ip route-static 172.16.10.2 32 172.16.11.14 [S12700E-8] ip route-static 172.16.10.3 32 172.16.11.14
- 配置S12700E-8作为DHCP服务器,为AP分配IP地址。
# 配置基于接口地址池的DHCP服务器,其中,VLANIF4004接口为AP提供IP地址。
[S12700E-8] dhcp enable [S12700E-8] interface Vlanif4004 [S12700E-8-Vlanif4004] ip address 10.250.0.1 20 [S12700E-8-Vlanif4004] arp-proxy enable [S12700E-8-Vlanif4004] arp-proxy inner-sub-vlan-proxy enable [S12700E-8-Vlanif4004] dhcp select interface [S12700E-8-Vlanif4004] quit
# 配置AC的源接口。
[S12700E-8] capwap source interface vlanif4004
- 配置AP上线。# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[S12700E-8] wlan [S12700E-8-wlan-view] ap-group name ap-group1 [S12700E-8-wlan-ap-group-ap-group1] quit
# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[S12700E-8-wlan-view] regulatory-domain-profile name domain1 [S12700E-8-wlan-regulate-domain-domain1] country-code cn [S12700E-8-wlan-regulate-domain-domain1] quit [S12700E-8-wlan-view] ap-group name ap-group1 [S12700E-8-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu e?[Y/N]:y [S12700E-8-wlan-ap-group-ap-group1] quit
# 离线导入AP,并将AP加入AP组“ap-group1”中。根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为00e0-fc76-e360的AP部署在1号区域,命名此AP为area_1。
[S12700E-8-wlan-view] ap auth-mode mac-auth [S12700E-8-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360 [S12700E-8-wlan-ap-0] ap-name area_1 [S12700E-8-wlan-ap-0] ap-group ap-group1 [S12700E-8-wlan-ap-0] quit
# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
[S12700E-8-wlan-view] display ap all Info: This operation may take a few seconds. Please wait for a moment.done. Total AP information: nor : normal [1] Extra information: P : insufficient power supply ----------------------------------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime ExtraInfo ----------------------------------------------------------------------------------------------------------------------- 0 00e0-fc76-e360 area_1 ap-group1 10.250.12.109 AP4050DN nor 0 1D:0H:34M:33S - ----------------------------------------------------------------------------------------------------------------------- Total: 1
- 配置WLAN业务参数。# 创建名为“wlan-security”的安全模板,并配置安全策略。配置安全策略为open。
[S12700E-8-wlan-view] security-profile name wlan-security [S12700E-8-wlan-sec-prof-wlan-security] security open [S12700E-8-wlan-sec-prof-wlan-security] quit
# 创建名为“wlan-ssid”的SSID模板,并配置SSID名称为“wlan-net”。
[S12700E-8-wlan-view] ssid-profile name wlan-ssid [S12700E-8-wlan-ssid-prof-wlan-ssid] ssid wlan-net [S12700E-8-wlan-ssid-prof-wlan-ssid] quit
# 创建名为“new-vap-traffic-1”的traffic模板,配置用户隔离模式为二层隔离三层互通。
[S12700E-8-wlan-view] traffic-profile name new-vap-traffic-1 [S12700E-8-wlan-traffic-prof-new-vap-traffic-1] user-isolate l2 [S12700E-8-wlan-traffic-prof-new-vap-traffic-1] quit
# 创建名为“wlan-vap”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[S12700E-8-wlan-view] vap-profile name wlan-vap [S12700E-8-wlan-vap-prof-wlan-vap] forward-mode direct-forward [S12700E-8-wlan-vap-prof-wlan-vap] service-vlan vlan-id 3001 [S12700E-8-wlan-vap-prof-wlan-vap] security-profile wlan-security [S12700E-8-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid [S12700E-8-wlan-vap-prof-wlan-vap] traffic-profile name new-vap-traffic-1 [S12700E-8-wlan-traffic-prof-new-vap-traffic-1] quit
# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-vap”的配置。
[S12700E-8-wlan-view] ap-group name ap-group1 [S12700E-8-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0 [S12700E-8-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1 [S12700E-8-wlan-ap-group-ap-group1] quit
- 配置AP射频的信道和功率。
射频的信道和功率自动调优功能默认开启,如果不关闭此功能则会导致手动配置不生效。举例中AP射频的信道和功率仅为示例,实际配置中请根据AP的国家码和网规结果进行配置。
# 关闭AP射频的信道和功率自动调优功能,并配置AP射频的信道和功率。
[S12700E-8-wlan-view] rrm-profile name default [S12700E-8-wlan-rrm-prof-default] calibrate auto-channel-select disable [S12700E-8-wlan-rrm-prof-default] calibrate auto-txpower-select disable [S12700E-8-wlan-rrm-prof-default] quit [S12700E-8-wlan-view] ap-id 0 [S12700E-8-wlan-ap-0] radio 0 [S12700E-8-wlan-radio-0/0] channel 20mhz 6 Warning: This action may cause service interruption. Continue?[Y/N]y [S12700E-8-wlan-radio-0/0] eirp 127 [S12700E-8-wlan-radio-0/0] quit [S12700E-8-wlan-ap-0] radio 1 [S12700E-8-wlan-radio-0/1] channel 20mhz 149 Warning: This action may cause service interruption. Continue?[Y/N]y [S12700E-8-wlan-radio-0/1] eirp 127 [S12700E-8-wlan-radio-0/1] quit [S12700E-8-wlan-ap-0] quit
配置ME60
- 配置接口IP地址。
<ME60> system-view [~ME60] interface gigabitethernet 1/0/1 [~ME60-GigabitEthernet1/0/1] ip address 172.16.11.6 255.255.255.252 [*ME60-GigabitEthernet1/0/1] undo shutdown [*ME60-GigabitEthernet1/0/1] commit [~ME60-GigabitEthernet1/0/1] quit [~ME60] interface gigabitethernet 1/0/2 [~ME60-GigabitEthernet1/0/1] ip address 172.16.11.10 255.255.255.252 [*ME60-GigabitEthernet1/0/1] undo shutdown [*ME60-GigabitEthernet1/0/1] commit [~ME60-GigabitEthernet1/0/1] quit [~ME60] interface gigabitethernet 1/1/1.4010 [*ME60-GigabitEthernet1/1/1.4010] vlan-type dot1q 4010 [*ME60-GigabitEthernet1/1/1.4010] ip address 172.16.11.14 255.255.255.252 [*ME60-GigabitEthernet1/1/1.4010] commit [~ME60-GigabitEthernet1/1/1.4010] quit [~ME60] interface LoopBack0 [~ME60-LoopBack0] ip address 172.16.10.3 32 [~ME60-LoopBack0] quit
- 配置静态路由,分别配置到防火墙和S12700E-8的静态路由。
[~ME60] ip route-static 172.16.10.1 255.255.255.255 172.16.11.5 [*ME60] ip route-static 172.16.10.2 255.255.255.255 172.16.11.9 [*ME60] ip route-static 172.16.10.4 255.255.255.255 172.16.11.13 [*ME60] commit
- 配置IPoE接入,为校园网学生、教师无线用户提供IPoE接入认证。ME60作为网关认证设备,无线认证通过后给用户分配一个私网IP地址,能够指定其访问权限。WEB认证通过后才能访问外网。
- 配置AAA方案# 配置认证方案。
[~ME60] aaa [~ME60-aaa] http-redirect enable [*ME60-aaa] authentication-scheme none [*ME60-aaa-authen-none] authentication-mode radius [*ME60-aaa-authen-none] commit [~ME60-aaa-authen-none] quit
# 配置计费方案。
[~ME60-aaa] accounting-scheme acc [*ME60-aaa-accounting-acc] accounting-mode none [*ME60-aaa-accounting-acc] accounting interim interval 15 [*ME60-aaa-accounting-acc] commit [~ME60-aaa-accounting-acc] quit [~ME60-aaa] quit
- 配置RADIUS服务器。
[~ME60] radius-server source interface LoopBack0 [~ME60] radius-server group radius [*ME60-radius-radius] radius-server authentication 192.168.10.55 1812 weight 0 [*ME60-radius-radius] radius-server accounting 192.168.8.249 1813 weight 0 [*ME60-radius-radius] radius-server type standard [*ME60-radius-radius] radius-server shared-key-cipher %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$ [*ME60-radius-radius] commit [~ME60-radius-radius] quit
- 配置RADIUS授权服务器
[~ME60] radius-server authorization 192.168.10.55 shared-key-cipher YsHsjx_202206 [~ME60] radius-server authorization 192.168.10.241 shared-key-cipher YsHsjx_202206
- 配置WEB服务器
[~ME60] web-auth-server source interface LoopBack0 [~ME60] web-auth-server 192.168.10.53 port 50100 key cipher YsHsjx_202206
- 配置地址池# 配置地址池xuesheng。
[~ME60] ip pool xuesheng bas local [*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0 [*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254 [*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5 [*ME60-ip-pool-xuesheng] lease 0 12 0 [*ME60-ip-pool-xuesheng] commit [~ME60-ip-pool-xuesheng] quit
# 配置地址池per-pool。
[~ME60] ip pool per-pool bas local [*ME60-ip-pool-per-pool] gateway 10.253.0.1 255.255.128.0 [*ME60-ip-pool-per-pool] section 0 10.253.0.2 10.253.127.254 [*ME60-ip-pool-per-pool] dns-server 192.168.10.2 10.255.57.5 [*ME60-ip-pool-per-pool] lease 0 12 0 [*ME60-ip-pool-per-pool] commit [~ME60-ip-pool-per-pool] quit
# 配置地址池jiaoshi。
[~ME60] ip pool jiaoshi bas local [*ME60-ip-pool-jiaoshi] gateway 10.254.128.1 255.255.128.0 [*ME60-ip-pool-jiaoshi] section 0 10.254.128.2 10.254.255.254 [*ME60-ip-pool-jiaoshi] excluded-ip-address 10.254.128.2 10.254.129.254 [*ME60-ip-pool-jiaoshi] dns-server 192.168.10.2 10.255.57.5 [*ME60-ip-pool-jiaoshi] lease 0 12 0 [*ME60-ip-pool-jiaoshi] commit [~ME60-ip-pool-jiaoshi] quit
- 配置用户组pre-web
[~ME60] user-group pre-web
- 配置域# 配置pre-authen域,为WEB认证的认证前域。
[~ME60] aaa [~ME60-aaa] domain pre-authen [*ME60-aaa-domain-pre-authen] user-group pre-web [*ME60-aaa-domain-pre-authen] authentication-scheme none [*ME60-aaa-domain-pre-authen] accounting-scheme none [*ME60-aaa-domain-pre-authen] ip-pool pre-pool [*ME60-aaa-domain-pre-authen] web-server 192.168.10.53 [*ME60-aaa-domain-pre-authen] web-server url http://192.168.10.53/help/help.html [*ME60-aaa-domain-pre-authen] commit [~ME60-aaa-domain-pre-authen] quit
# 配置xs域,为WEB认证的认证域。
[~ME60-aaa] domain xs [*ME60-aaa-domain-xs] user-group pre-web [*ME60-aaa-domain-xs] authentication-scheme authen [*ME60-aaa-domain-xs] accounting-scheme acc [*ME60-aaa-domain-xs] ip-pool xuesheng [*ME60-aaa-domain-xs] value-added-service account-type none [*ME60-aaa-domain-xs] value-added-service policy 10m [*ME60-aaa-domain-xs] radius-server group radius [*ME60-aaa-domain-xs] quota-out online [*ME60-aaa-domain-xs] commit [~ME60-aaa-domain-xs] quit
# 配置jg域,为WEB认证的认证域。
[~ME60-aaa] domain jg [*ME60-aaa-domain-jg] user-group pre-web [*ME60-aaa-domain-jg] authentication-scheme authen [*ME60-aaa-domain-jg] accounting-scheme acc [*ME60-aaa-domain-jg] ip-pool jiaoshi [*ME60-aaa-domain-jg] value-added-service account-type none [*ME60-aaa-domain-jg] value-added-service policy 20m [*ME60-aaa-domain-jg] radius-server group radius [*ME60-aaa-domain-jg] quota-out online [~ME60-aaa-domain-jg] quit [~ME60-aaa] quit
- 配置UCL
[~ME60] acl 6010 [*ME60-acl-ucl-6010] rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0 [*ME60-acl-ucl-6010] rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0 [*ME60-acl-ucl-6010] rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0 [*ME60-acl-ucl-6010] rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0 [*ME60-acl-ucl-6010] rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0 [*ME60-acl-ucl-6010] commit [~ME60-acl-ucl-6010] quit [~ME60] acl 6011 [*ME60-acl-ucl-6011] rule 5 permit tcp source user-group pre-web destination-port eq www [*ME60-acl-ucl-6011] rule 10 permit tcp source user-group pre-web destination-port eq 8080 [*ME60-acl-ucl-6011] rule 20 permit ip source user-group pre-web [*ME60-acl-ucl-6011] commit [~ME60-acl-ucl-6011] quit
- 配置流量管理策略
[~ME60] traffic classifier 6010 operator or [*ME60-classifier-6010] if-match acl 6010 [*ME60-classifier-6010] commit [~ME60-classifier-6010] quit [~ME60] traffic classifier 6011 operator or [*ME60-classifier-6011] if-match acl 6011 [*ME60-classifier-6011] commit [~ME60-classifier-6011] quit [~ME60] traffic behavior 6010 [*ME60-behavior-6010] permit [*ME60-behavior-6010] commit [~ME60-behavior-6010] quit [~ME60] traffic behavior 6011 [*ME60-behavior-6011] http-redirect [*ME60-behavior-6011] commit [~ME60-behavior-6011] quit [~ME60] traffic policy traffic-policy-1 [*ME60-trafficpolicy-traffic-policy-1] share-mode [*ME60-trafficpolicy-traffic-policy-1] classifier 6010 behavior 6010 [*ME60-trafficpolicy-traffic-policy-1] classifier 6011 behavior 6011 [*ME60-trafficpolicy-traffic-policy-1] commit [~ME60-trafficpolicy-traffic-policy-1] quit [~ME60] traffic-policy traffic-policy-1 inbound [~ME60] traffic-policy traffic-policy-1 outbound
- 配置BAS接口
[~ME60] interface gigabitethernet1/1/1.1001 [*ME60-GigabitEthernet1/1/1.1001] description xuesheng-web [*ME60-GigabitEthernet1/1/1.1001] user-vlan 3001 3500 qinq 1601 1800 [*ME60-GigabitEthernet1/1/1.1001-vlan-3001-3500-QinQ-1601-1800] quit [*ME60-GigabitEthernet1/1/1.1001] bas [*ME60-GigabitEthernet1/1/1.1001-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs [*ME60-GigabitEthernet1/1/1.1001-bas] dhcp session-mismatch action offline [*ME60-GigabitEthernet1/1/1.1001-bas] authentication-method web [*ME60-GigabitEthernet1/1/1.1001-bas] commit [~ME60-GigabitEthernet1/1/1.1001-bas] quit [~ME60-GigabitEthernet1/1/1.1001] quit [~ME60] interface gigabitethernet1/1/1.1003 [*ME60-GigabitEthernet1/1/1.1003] description jiaoshi-web [*ME60-GigabitEthernet1/1/1.1003] user-vlan 3001 3500 qinq 1801 2000 [*ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] commit [~ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] quit [~ME60-GigabitEthernet1/1/1.1003] bas [*ME60-GigabitEthernet1/1/1.1003-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg [*ME60-GigabitEthernet1/1/1.1003-bas] dhcp session-mismatch action offline [*ME60-GigabitEthernet1/1/1.1003-bas] authentication-method web [*ME60-GigabitEthernet1/1/1.1003-bas] commit [~ME60-GigabitEthernet1/1/1.1003-bas] quit [~ME60-GigabitEthernet1/1/1.1003] quit
- 配置AAA方案# 配置认证方案。
- 配置PPPoE接入,为校园网学生、教师有线用户提供PPPoE接入认证。ME60作为网关认证设备,将用户的账号、密码发送到Radius服务器进行认证,认证通过后分配IP地址。以学生PPPoE接入为例,配置方法如下(此处仅介绍PPPoE接入相关配置,AAA方案、Radius服务器和认证域配置,请参见IPoE接入的配置)。
- 配置地址池# 配置地址池xuesheng。
[~ME60] ip pool xuesheng bas local [*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0 [*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254 [*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5 [*ME60-ip-pool-xuesheng] lease 0 12 0 [*ME60-ip-pool-xuesheng] commit [~ME60-ip-pool-xuesheng] quit
# 配置地址池pre-ppp。
[~ME60] ip pool pre-ppp bas local [*ME60-ip-pool-pre-ppp] gateway 10.253.128.1 255.255.128.0 [*ME60-ip-pool-pre-ppp] section 0 10.253.128.2 10.253.255.254 [*ME60-ip-pool-pre-ppp] dns-server 192.168.10.2 10.255.57.5 [*ME60-ip-pool-pre-ppp] lease 0 12 0 [*ME60-ip-pool-pre-ppp] commit [~ME60-ip-pool-pre-ppp] quit
- 配置用户组pre-ppp
[~ME60] user-group pre-ppp
- 配置认证前域pre-ppp
[~ME60] aaa [~ME60-aaa] domain pre-ppp [*ME60-aaa-domain-pre-ppp] user-group pre-ppp [*ME60-aaa-domain-pre-ppp] authentication-scheme none [*ME60-aaa-domain-pre-ppp] accounting-scheme none [*ME60-aaa-domain-pre-ppp] ip-pool pre-ppp [*ME60-aaa-domain-pre-ppp] web-server 192.168.10.55 [*ME60-aaa-domain-pre-ppp] web-server url http://192.168.10.55/help/help.html [*ME60-aaa-domain-pre-ppp] commit [~ME60-aaa-domain-pre-ppp] quit [~ME60-aaa] quit
- 配置UCL
[~ME60] acl 6012 [*ME60-acl-ucl-6012] rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0 [*ME60-acl-ucl-6012] rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0 [*ME60-acl-ucl-6012] rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0 [*ME60-acl-ucl-6012] commit [~ME60-acl-ucl-6012] quit [~ME60] acl 6013 [*ME60-acl-ucl-6013] rule 5 permit tcp source user-group pre-ppp destination-port eq www [*ME60-acl-ucl-6013] rule 10 permit tcp source user-group pre-ppp destination-port eq 8080 [*ME60-acl-ucl-6013] rule 20 deny ip source user-group pre-ppp [*ME60-acl-ucl-6013] commit [~ME60-acl-ucl-6013] quit
- 配置流量管理策略
[~ME60] traffic classifier 6012 operator or [*ME60-classifier-6012] if-match acl 6012 [*ME60-classifier-6012] commit [~ME60-classifier-6012] quit [~ME60] traffic classifier 6013 operator or [*ME60-classifier-6013] if-match acl 6013 [*ME60-classifier-6013] commit [~ME60-classifier-6013] quit [~ME60] traffic behavior 6012 [*ME60-behavior-6012] permit [*ME60-behavior-6012] commit [~ME60-behavior-6012] quit [~ME60] traffic behavior 6013 [*ME60-behavior-6013] http-redirect [*ME60-behavior-6013] commit [~ME60-behavior-6013] quit [~ME60] traffic policy traffic-policy-1 [*ME60-trafficpolicy-traffic-policy-1] share-mode [*ME60-trafficpolicy-traffic-policy-1] classifier 6012 behavior 6012 [*ME60-trafficpolicy-traffic-policy-1] classifier 6013 behavior 6013 [*ME60-trafficpolicy-traffic-policy-1] commit [~ME60-trafficpolicy-traffic-policy-1] quit [~ME60] traffic-policy traffic-policy-1 inbound [~ME60] traffic-policy traffic-policy-1 outbound
- 配置虚拟模板接口
[~ME60] interface virtual-template 1 [*ME60-Virtual-Template1] ppp authentication-mode auto [*ME60-Virtual-Template1] commit [~ME60-Virtual-Template1] quit
- 配置虚拟以太网接口
[~ME60] interface GigabitEthernet1/1/1.1000 [*ME60-GigabitEthernet1/1/1.1000] pppoe-server bind virtual-template 1 [*ME60-GigabitEthernet1/1/1.1000] description xuesheng-ppp [*ME60-GigabitEthernet1/1/1.1000] user-vlan 2001 3000 qinq 101 200 [*ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] commit [~ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] quit
- 配置BAS接口
[~ME60-GigabitEthernet1/1/1.1000] bas [*ME60-GigabitEthernet1/1/1.1000-bas] access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs [*ME60-GigabitEthernet1/1/1.1000-bas] dhcp session-mismatch action offline [*ME60-GigabitEthernet1/1/1.1000-bas] authentication-method ppp web [*ME60-GigabitEthernet1/1/1.1000-bas] commit [~ME60-GigabitEthernet1/1/1.1000-bas] quit [~ME60-GigabitEthernet1/1/1.1000] quit
- 配置地址池# 配置地址池xuesheng。
- 配置MAC认证,校园网的打印机、传真机等哑终端使用MAC认证。MAC认证主要用于简化WEB认证过程。若配置了MAC认证,在WEB认证过程中,WEB认证用户只需在第一次认证时输入用户名和密码,同时RADIUS服务器会记录下用户的MAC地址,当用户再需要WEB认证时,RADIUS服务器便可以根据其MAC信息进行认证,而不需要用户再次输入用户名和密码。此处仅介绍MAC认证相关配置,AAA方案、Radius服务器、WEB服务器、地址池、UCL规则等配置,请参见IPoE、PPPOE接入的配置。
- 在AAA视图下配置直接使用用户连接请求报文携带的MAC地址作为纯用户名。
[~ME60] aaa [~ME60-aaa] default-user-name include mac-address - [*ME60-aaa] default-password cipher YsHsjx_202206 [*ME60-aaa] authentication-scheme mac [*ME60-aaa-authen-mac] authening authen-fail online authen-domain pre-authen [*ME60-aaa-authen-mac] commit [~ME60-aaa-authen-mac] quit [~ME60-aaa] quit
- 配置RADIUS服务器组mac。
[~ME60] radius-server group mac [*ME60-radius-mac] radius-server authentication 192.168.10.55 1812 weight 0 [*ME60-radius-mac] radius-server accounting 192.168.10.55 1813 weight 0 [*ME60-radius-mac] radius-server shared-key-cipher YsHsjx_202206 [*ME60-radius-mac] commit [~ME60-radius-mac] quit
- 在MAC认证域mac下配置MAC认证使能,绑定RADIUS组mac及认证模板mac。
[~ME60] aaa [~ME60-aaa] domain mac [*ME60-aaa-domain-mac] radius-server group mac [*ME60-aaa-domain-mac] authentication-scheme mac [*ME60-aaa-domain-mac] accounting-scheme acc [*ME60-aaa-domain-mac] ip-pool pre-pool [*ME60-aaa-domain-mac] mac-authentication enable [*ME60-aaa-domain-mac] commit [~ME60-aaa-domain-mac] quit [~ME60-aaa] quit
- 配置BAS口下的认证前域,认证后域以及认证方法。
[~ME60] interface GigabitEthernet1/1/1.1101 [*ME60-GigabitEthernet1/1/1.1101] description mac-web [*ME60-GigabitEthernet1/1/1.1101] user-vlan 600 [*ME60-GigabitEthernet1/1/1.1101-vlan-600-600] commit [~ME60-GigabitEthernet1/1/1.1101-vlan-600-600] quit [~ME60-GigabitEthernet1/1/1.1101] bas [*ME60-GigabitEthernet1/1/1.1101-bas] access-type layer2-subscriber default-domain pre-authentication mac authentication jg [*ME60-GigabitEthernet1/1/1.1101-bas] dhcp session-mismatch action offline [*ME60-GigabitEthernet1/1/1.1101-bas] authentication-method web [*ME60-GigabitEthernet1/1/1.1101-bas] commit [~ME60-GigabitEthernet1/1/1.1101-bas] quit [~ME60-GigabitEthernet1/1/1.1101] quit
- 在AAA视图下配置直接使用用户连接请求报文携带的MAC地址作为纯用户名。
- 配置DAA,实现对用户接入业务访问目的地址的差别进行管理,并根据不同目的地址定义不同的费率级别进行收费和不同的带宽控制。学生、教师、商业、哑终端用户访问校园内网带宽不同,例如,学生10M、老师20M、哑终端20M。商业账号与校园网教师/学生账号绑定,学生和老师访问校园外网50M。下面只介绍DAA相关配置,AAA方案、RADIUS服务器、WEB服务器等配置请参见IPoE接入的配置。
- 使能增值业务。
[~ME60] value-added-service enable
- 配置用户组。
[~ME60] user-group xuesheng [~ME60] user-group jiaoshi [~ME60] user-group shangye
- 配置增值业务策略。# 配置UCL规则6001。
[~ME60] acl number 6001 [*ME60-acl-ucl-6001] rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255 [*ME60-acl-ucl-6001] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye [*ME60-acl-ucl-6001] rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255 [*ME60-acl-ucl-6001] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye [*ME60-acl-ucl-6001] rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255 [*ME60-acl-ucl-6001] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye [*ME60-acl-ucl-6001] commit [~ME60-acl-ucl-6001] quit
# 配置UCL规则6003。
[~ME60] acl number 6003 [*ME60-acl-ucl-6003] rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255 [*ME60-acl-ucl-6003] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi [*ME60-acl-ucl-6003] rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255 [*ME60-acl-ucl-6003] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi [*ME60-acl-ucl-6003] rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255 [*ME60-acl-ucl-6003] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi [*ME60-acl-ucl-6003] commit [~ME60-acl-ucl-6003] quit
# 配置UCL规则6005。
[~ME60] acl number 6005 [*ME60-acl-ucl-6005] rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255 [*ME60-acl-ucl-6005] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng [*ME60-acl-ucl-6005] rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255 [*ME60-acl-ucl-6005] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng [*ME60-acl-ucl-6005] rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255 [*ME60-acl-ucl-6005] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng [*ME60-acl-ucl-6005] commit [~ME60-acl-ucl-6005] quit
# 配置流分类6001。
[~ME60] traffic classifier 6001 operator or [*ME60-classifier-6001] if-match acl 6001 [*ME60-classifier-6001] commit [~ME60-classifier-6001] quit
# 配置流分类6003。
[~ME60] traffic classifier 6003 operator or [*ME60-classifier-6003] if-match acl 6003 [*ME60-classifier-6003] commit [~ME60-classifier-6003] quit
# 配置流分类6005。
[~ME60] traffic classifier 6005 operator or [*ME60-classifier-6005] if-match acl 6005 [*ME60-classifier-6005] commit [~ME60-classifier-6005] quit
# 配置DAA流动作6001。
[~ME60] traffic behavior 6001 [*ME60-behavior-6001] tariff-level 1 [*ME60-behavior-6001] car [*ME60-behavior-6001] traffic-statistic [*ME60-behavior-6001] commit [~ME60-behavior-6001] quit
# 配置DAA流动作6003。
[~ME60] traffic behavior 6003 [*ME60-behavior-6003] tariff-level 1 [*ME60-behavior-6003] car [*ME60-behavior-6003] traffic-statistic [*ME60-behavior-6003] commit [~ME60-behavior-6003] quit
# 配置DAA流动作6005。
[~ME60] traffic behavior 6005 [*ME60-behavior-6005] tariff-level 1 [*ME60-behavior-6005] car [*ME60-behavior-6005] traffic-statistic [*ME60-behavior-6005] commit [~ME60-behavior-6005] quit
# 配置DAA流量策略traffic_policy_daa 。
[~ME60] traffic policy traffic_policy_daa [*ME60-trafficpolicy-traffic_policy_daa] share-mode [*ME60-trafficpolicy-traffic_policy_daa] classifier 6003 behavior 6003 [*ME60-trafficpolicy-traffic_policy_daa] classifier 6005 behavior 6005 [*ME60-trafficpolicy-traffic_policy_daa] commit [~ME60-trafficpolicy-traffic_policy_daa] quit
# 配置全局下应用DAA流量策略traffic_policy_daa。
[~ME60] accounting-service-policy traffic_policy_daa
- 配置QoS模板。
[~ME60] qos-profile 10M [*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard inbound [*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard outbound [*ME60-qos-profile-10M] quit [*ME60] qos-profile 20M [*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard inbound [*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard outbound [*ME60-qos-profile-20M] quit [*ME60] qos-profile 50M [*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard inbound [*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard outbound [*ME60-qos-profile-50M] commit [*ME60-qos-profile-50M] quit
- 配置DAA业务策略。
[~ME60] value-added-service policy 10m daa [*ME60-vas-policy-10m] accounting-scheme none [*ME60-vas-policy-10m] traffic-separate enable [*ME60-vas-policy-10m] tariff-level 1 qos-profile 10M [*ME60-vas-policy-10m] quit [*ME60] value-added-service policy 20m daa [*ME60-vas-policy-20m] accounting-scheme none [*ME60-vas-policy-20m] traffic-separate enable [*ME60-vas-policy-20m] tariff-level 1 qos-profile 20M [*ME60-vas-policy-20m] quit [*ME60] value-added-service policy 50m daa [*ME60-vas-policy-50m] accounting-scheme none [*ME60-vas-policy-50m] traffic-separate enable [*ME60-vas-policy-50m] tariff-level 1 qos-profile 50M [*ME60-vas-policy-50m] commit [~ME60-vas-policy-50m] quit
- 配置域。
[~ME60] aaa [~ME60-aaa] domain xs [*ME60-aaa-domain-xs] value-added-service account-type none [*ME60-aaa-domain-xs] value-added-service policy 10m [*ME60-aaa-domain-xs] commit [~ME60-aaa-domain-xs] quit [~ME60-aaa] domain jg [*ME60-aaa-domain-jg] value-added-service account-type none [*ME60-aaa-domain-jg] value-added-service policy 20m [~ME60-aaa-domain-jg] commit [~ME60-aaa-domain-jg] quit
- 使能增值业务。
配置防火墙USG6315E
- 配置接口。# 配置USG6315E_A接口。
<USG6315E_A> system-view [USG6315E_A] interface loopback 0 [USG6315E_A-LoopBack0] ip address 172.16.10.1 32 [USG6315E_A-LoopBack0] quit [USG6315E_A] interface gigabitethernet 1/0/1 [USG6315E_A-GigabitEthernet1/0/1] ip address 203.0.113.1 24 [USG6315E_A-GigabitEthernet1/0/1] gateway 203.0.113.254 [USG6315E_A-GigabitEthernet1/0/1] quit [USG6315E_A] interface gigabitethernet 1/0/2 [USG6315E_A-GigabitEthernet1/0/2] ip address 192.0.2.2 24 [USG6315E_A-GigabitEthernet1/0/2] gateway 192.0.2.254 [USG6315E_A-GigabitEthernet1/0/2] quit [USG6315E_A] interface gigabitethernet 1/0/6 [USG6315E_A-GigabitEthernet1/0/6] ip address 172.16.11.1 30 [USG6315E_A-GigabitEthernet1/0/6] quit [USG6315E_A] interface gigabitethernet 1/0/7 [USG6315E_A-GigabitEthernet1/0/7] ip address 172.16.11.5 30 [USG6315E_A-GigabitEthernet1/0/7] quit
# 配置USG6315E_B接口。
<USG6315E_B> system-view [USG6315E_B] interface loopback 0 [USG6315E_B-LoopBack0] ip address 172.16.10.2 32 [USG6315E_B-LoopBack0] quit [USG6315E_B] interface gigabitethernet 1/0/1 [USG6315E_B-GigabitEthernet1/0/1] ip address 203.0.113.2 24 [USG6315E_B-GigabitEthernet1/0/1] gateway 203.0.113.254 [USG6315E_B-GigabitEthernet1/0/1] quit [USG6315E_B] interface gigabitethernet 1/0/2 [USG6315E_B-GigabitEthernet1/0/2] ip address 192.0.2.1 24 [USG6315E_B-GigabitEthernet1/0/2] gateway 192.0.2.254 [USG6315E_B-GigabitEthernet1/0/2] quit [USG6315E_B] interface gigabitethernet 1/0/6 [USG6315E_B-GigabitEthernet1/0/6] ip address 172.16.11.2 30 [USG6315E_B-GigabitEthernet1/0/6] quit [USG6315E_B] interface gigabitethernet 1/0/7 [USG6315E_B-GigabitEthernet1/0/7] ip address 172.16.11.9 30 [USG6315E_B-GigabitEthernet1/0/7] quit
- 配置各接口所属安全区域。# 将各接口加入到安全区域,将连接内网的接口加入安全区域trust,将连接ISP1的接口加入安全区域isp1,将连接ISP2的接口加入安全区域isp2,将心跳口加入DMZ区域。
[USG6315E_A] firewall zone trust [USG6315E_A-zone-trust] set priority 85 [USG6315E_A-zone-trust] add interface gigabitethernet 1/0/7 [USG6315E_A-zone-trust] quit [USG6315E_A] firewall zone name isp1 [USG6315E_A-zone-isp1] set priority 10 [USG6315E_A-zone-isp1] add interface gigabitethernet 1/0/1 [USG6315E_A-zone-isp1] quit [USG6315E_A] firewall zone name isp2 [USG6315E_A-zone-isp2] set priority 15 [USG6315E_A-zone-isp2] add interface gigabitethernet 1/0/2 [USG6315E_A-zone-isp2] quit [USG6315E_A] firewall zone dmz [USG6315E_A-zone-dmz] set priority 50 [USG6315E_A-zone-dmz] add interface gigabitethernet 1/0/6 [USG6315E_A-zone-dmz] quit [USG6315E_B] firewall zone trust [USG6315E_B-zone-trust] set priority 85 [USG6315E_B-zone-trust] add interface gigabitethernet 1/0/7 [USG6315E_B-zone-trust] quit [USG6315E_B] firewall zone name isp1 [USG6315E_B-zone-isp1] set priority 10 [USG6315E_B-zone-isp1] add interface gigabitethernet 1/0/1 [USG6315E_B-zone-isp1] quit [USG6315E_B] firewall zone name isp2 [USG6315E_B-zone-isp2] set priority 15 [USG6315E_B-zone-isp2] add interface gigabitethernet 1/0/2 [USG6315E_B-zone-isp2] quit [USG6315E_B] firewall zone dmz [USG6315E_B-zone-dmz] set priority 50 [USG6315E_B-zone-dmz] add interface gigabitethernet 1/0/6 [USG6315E_B-zone-dmz] quit
- 配置路由和智能选路。# 配置静态路由。
[USG6315E_A] ip route-static 10.253.0.0 255.255.128.0 172.16.11.6 [USG6315E_A] ip route-static 10.253.128.0 255.255.128.0 172.16.11.6 [USG6315E_A] ip route-static 10.254.0.0 255.255.128.0 172.16.11.6 [USG6315E_A] ip route-static 10.254.128.0 255.255.128.0 172.16.11.6 [USG6315E_A] ip route-static 172.16.10.2 255.255.255.255 172.16.11.6 [USG6315E_A] ip route-static 172.16.10.3 255.255.255.255 172.16.11.6 [USG6315E_A] ip route-static 172.16.10.4 255.255.255.255 172.16.11.6 [USG6315E_A] ip route-static 192.168.10.0 255.255.255.0 172.16.11.6 [USG6315E_B] ip route-static 10.253.0.0 255.255.128.0 172.16.11.10 [USG6315E_B] ip route-static 10.253.128.0 255.255.128.0 172.16.11.10 [USG6315E_B] ip route-static 10.254.0.0 255.255.128.0 172.16.11.10 [USG6315E_B] ip route-static 10.254.128.0 255.255.128.0 172.16.11.10 [USG6315E_B] ip route-static 172.16.10.1 255.255.255.255 172.16.11.10 [USG6315E_B] ip route-static 172.16.10.3 255.255.255.255 172.16.11.10 [USG6315E_B] ip route-static 172.16.10.4 255.255.255.255 172.16.11.10 [USG6315E_B] ip route-static 192.168.10.0 255.255.255.0 172.16.11.10
# 配置IP-Link,探测各ISP提供的链路状态是否正常。
[USG6315E_A] ip-link check enable [USG6315E_A] ip-link name ip_link_1 [USG6315E_A-iplink-ip_link_1] destination 203.0.113.254 interface gigabitethernet 1/0/1 [USG6315E_A-iplink-ip_link_1] quit [USG6315E_A] ip-link name ip_link_2 [USG6315E_A-iplink-ip_link_2] destination 192.0.2.254 interface gigabitethernet 1/0/2 [USG6315E_A-iplink-ip_link_2] quit [USG6315E_B] ip-link check enable [USG6315E_B] ip-link name ip_link_1 [USG6315E_B-iplink-ip_link_1] destination 203.0.113.254 interface gigabitethernet 1/0/1 [USG6315E_B-iplink-ip_link_1] quit [USG6315E_B] ip-link name ip_link_2 [USG6315E_B-iplink-ip_link_2] destination 192.0.2.254 interface gigabitethernet 1/0/2 [USG6315E_B-iplink-ip_link_2] quit
# 配置缺省路由,下一跳分别指向两个ISP的接入点。
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1 [USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2 [USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1 [USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
# 配置智能选路,根据链路带宽负载分担。
[USG6315E_A] multi-interface [USG6315E_A-multi-inter] mode proportion-of-bandwidth [USG6315E_A-multi-inter] add interface gigabitethernet1/0/1 [USG6315E_A-multi-inter] add interface gigabitethernet1/0/2 [USG6315E_A-multi-inter] quit [USG6315E_A] interface gigabitethernet 1/0/1 [USG6315E_A-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95 [USG6315E_A-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95 [USG6315E_A-GigabitEthernet1/0/1] quit [USG6315E_A] interface gigabitethernet 1/0/2 [USG6315E_A-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90 [USG6315E_A-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90 [USG6315E_A-GigabitEthernet1/0/2] quit [USG6315E_B] multi-interface [USG6315E_B-multi-inter] mode proportion-of-bandwidth [USG6315E_B-multi-inter] add interface gigabitethernet1/0/1 [USG6315E_B-multi-inter] add interface gigabitethernet1/0/2 [USG6315E_B-multi-inter] quit [USG6315E_B] interface gigabitethernet 1/0/1 [USG6315E_B-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95 [USG6315E_B-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95 [USG6315E_B-GigabitEthernet1/0/1] quit [USG6315E_B] interface gigabitethernet 1/0/2 [USG6315E_B-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90 [USG6315E_B-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90 [USG6315E_B-GigabitEthernet1/0/2] quit
- 配置双机热备。# 配置VGMP组监控上下行业务接口。
[USG6315E_A] hrp track interface gigabitethernet 1/0/7 [USG6315E_B] hrp track interface gigabitethernet 1/0/7
# 在USG6315E_A和USG6315E_B上分别配置会话快速备份功能,指定心跳口并启用双机热备功能。
[USG6315E_A] hrp mirror session enable [USG6315E_A] hrp interface gigabitethernet 1/0/6 remote 172.16.11.2 [USG6315E_A] hrp enable [USG6315E_B] hrp mirror session enable [USG6315E_B] hrp interface gigabitethernet 1/0/6 remote 172.16.11.1 [USG6315E_B] hrp enable
- 配置安全策略,允许本地和DMZ区域间互访,允许内部网络用户访问外网,允许外部网络用户访问HTTP服务器。
双机热备状态成功建立后,USG6315E_A的安全策略配置会自动备份到USG6315E_B上。下面步骤仅体现USG6315E_A的配置。
[USG6315E_A] security-policy [USG6315E_A-policy-security] rule name policy_dmz [USG6315E_A-policy-security-rule-policy_dmz] source-zone local [USG6315E_A-policy-security-rule-policy_dmz] source-zone dmz [USG6315E_A-policy-security-rule-policy_dmz] destination-zone local [USG6315E_A-policy-security-rule-policy_dmz] destination-zone dmz [USG6315E_A-policy-security-rule-policy_dmz] action permit [USG6315E_A-policy-security-rule-policy_dmz] quit [USG6315E_A-policy-security] rule name trust_to_untrust [USG6315E_A-policy-security-rule-trust_to_untrust] source-zone trust [USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp1 [USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp2 [USG6315E_A-policy-security-rule-trust_to_untrust] action permit [USG6315E_A-policy-security-rule-trust_to_untrust] quit [USG6315E_A-policy-security] rule name untrust_to_trust [USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp1 [USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp2 [USG6315E_A-policy-security-rule-untrust_to_trust] destination-zone trust [USG6315E_A-policy-security-rule-untrust_to_trust] destination-address 192.168.10.0 24 [USG6315E_A-policy-security-rule-untrust_to_trust] action permit [USG6315E_A-policy-security-rule-untrust_to_trust] quit [USG6315E_A-policy-security] quit
- 配置NAT策略。# 在USG6315E_A上创建地址池addressgroup1(203.0.113.1~203.0.113.5)和addressgroup2(192.0.2.1~192.0.2.5)。在USG6315E_A上配置的地址池会自动备份到USG6315E_B上。
[USG6315E_A] nat address-group addressgroup1 [USG6315E_A-address-group-addressgroup1] section 0 203.0.113.1 203.0.113.5 [USG6315E_A-address-group-addressgroup1] mode pat [USG6315E_A-address-group-addressgroup1] route enable [USG6315E_A-address-group-addressgroup1] quit [USG6315E_A] nat address-group addressgroup2 [USG6315E_A-address-group-addressgroup2] section 1 192.0.2.1 192.0.2.5 [USG6315E_A-address-group-addressgroup2] mode pat [USG6315E_A-address-group-addressgroup2] route enable [USG6315E_A-address-group-addressgroup2] quit
# 配置源NAT策略,使内网用户通过转换后的公网IP地址访问Internet。
[USG6315E_A] nat-policy [USG6315E_A-policy-nat] rule name policy_nat_1 [USG6315E_A-policy-nat-rule-policy_nat_1] source-zone trust [USG6315E_A-policy-nat-rule-policy_nat_1] destination-zone isp1 [USG6315E_A-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1 [USG6315E_A-policy-nat-rule-policy_nat_1] quit [USG6315E_A-policy-nat] rule name policy_nat_2 [USG6315E_A-policy-nat-rule-policy_nat_2] source-zone trust [USG6315E_A-policy-nat-rule-policy_nat_2] destination-zone isp2 [USG6315E_A-policy-nat-rule-policy_nat_2] action source-nat address-group addressgroup2 [USG6315E_A-policy-nat-rule-policy_nat_2] quit [USG6315E_A-policy-nat] quit
# 需要联系ISP的网络管理员配置目的地址为地址池addressgroup1和addressgroup2的路由,下一跳为FW对应的接口地址。
- 配置NAT Server。# 假设内网的HTTP服务器分别向ISP1和ISP2申请了公网IP地址(203.0.113.10、192.0.2.10)对外提供服务,ISP1和ISP2的外网用户分别通过各自对应的公网地址访问HTTP服务器。# 配置服务器静态映射。
[USG6315E_A] nat server web_for_isp1 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 80 no-reverse [USG6315E_A] nat server web_for_isp2 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 80 no-reverse
# 需要联系ISP的网络管理员配置目的地址为HTTP服务器对外映射IP地址的路由,下一跳为FW对应的接口地址。
# 配置黑洞路由。
[USG6315E_A] ip route-static 203.0.113.100 32 NULL 0 [USG6315E_A] ip route-static 192.0.2.100 32 NULL 0 [USG6315E_B] ip route-static 203.0.113.100 32 NULL 0 [USG6315E_B] ip route-static 192.0.2.100 32 NULL 0
# 开启报文从同一接口进入和发出功能。
[USG6315E_A] interface gigabitethernet 1/0/1 [USG6315E_A-GigabitEthernet1/0/1] redirect-reverse next-hop 203.0.113.254 [USG6315E_A-GigabitEthernet1/0/1] quit [USG6315E_A] interface gigabitethernet 1/0/2 [USG6315E_A-GigabitEthernet1/0/2] redirect-reverse next-hop 192.0.2.254 [USG6315E_A-GigabitEthernet1/0/2] quit [USG6315E_B] interface gigabitethernet 1/0/1 [USG6315E_B-GigabitEthernet1/0/1] redirect-reverse next-hop 203.0.113.254 [USG6315E_B-GigabitEthernet1/0/1] quit [USG6315E_B] interface gigabitethernet 1/0/2 [USG6315E_B-GigabitEthernet1/0/2] redirect-reverse next-hop 192.0.2.254 [USG6315E_B-GigabitEthernet1/0/2] quit
- 配置智能DNS。
[USG6315E_A] dns-smart enable [USG6315E_A] dns-smart group 1 type multi [USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/1 map 203.0.113.10 [USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/2 map 192.0.2.10 [USG6315E_A-dns-smart-group-1] quit
- 配置攻击防范。
[USG6315E_A] firewall defend land enable [USG6315E_A] firewall defend smurf enable [USG6315E_A] firewall defend fraggle enable [USG6315E_A] firewall defend winnuke enable [USG6315E_A] firewall defend source-route enable [USG6315E_A] firewall defend route-record enable [USG6315E_A] firewall defend time-stamp enable [USG6315E_A] firewall defend ping-of-death enable [USG6315E_A] interface gigabitethernet 1/0/1 [USG6315E_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable [USG6315E_A-GigabitEthernet1/0/1] quit [USG6315E_A] interface gigabitethernet 1/0/2 [USG6315E_A-GigabitEthernet1/0/2] anti-ddos flow-statistic enable [USG6315E_A-GigabitEthernet1/0/2] quit [USG6315E_A] anti-ddos baseline-learn start [USG6315E_A] anti-ddos baseline-learn tolerance-value 100 [USG6315E_A] anti-ddos baseline-learn apply [USG6315E_A] anti-ddos syn-flood source-detect [USG6315E_A] anti-ddos udp-flood dynamic-fingerprint-learn [USG6315E_A] anti-ddos udp-frag-flood dynamic-fingerprint-learn [USG6315E_A] anti-ddos http-flood defend alert-rate 2000 [USG6315E_A] anti-ddos http-flood source-detect mode basic
- 配置应用行为控制。
本功能需要License授权,并通过动态加载功能加载相应组件包后方可使用。
# 创建应用行为控制文件,用于禁止学习时间进行HTTP操作和FTP操作。
[USG6315E_A] profile type app-control name profile_app_work [USG6315E_A-profile-app-control-profile_app_work] http-control post action deny [USG6315E_A-profile-app-control-profile_app_work] http-control proxy action deny [USG6315E_A-profile-app-control-profile_app_work] http-control web-browse action deny [USG6315E_A-profile-app-control-profile_app_work] http-control file direction upload action deny [USG6315E_A-profile-app-control-profile_app_work] http-control file direction download action deny [USG6315E_A-profile-app-control-profile_app_work] ftp-control file delete action deny [USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction upload action deny [USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction download action deny [USG6315E_A-profile-app-control-profile_app_work] quit
# 创建应用行为控制文件,用于休息时间只允许进行HTTP浏览网页、HTTP代理上网和HTTP文件下载。
[USG6315E_A] profile type app-control name profile_app_rest [USG6315E_A-profile-app-control-profile_app_rest] http-control post action deny [USG6315E_A-profile-app-control-profile_app_rest] http-control file direction upload action deny [USG6315E_A-profile-app-control-profile_app_rest] ftp-control file delete action deny [USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction upload action deny [USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction download action deny [USG6315E_A-profile-app-control-profile_app_rest] quit
# 创建名称为working_hours的时间段,该时间段为上课时间。
[USG6315E_A] time-range working_hours [USG6315E_A-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day [USG6315E_A-time-range-working_hours] quit
# 创建名称为off_hours的时间段,该时间段为非上课时间。
[USG6315E_A] time-range off_hours [USG6315E_A-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day [USG6315E_A-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day [USG6315E_A-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day [USG6315E_A-time-range-off_hours] quit
# 配置安全策略policy_sec_work,通过引用时间段“working_hours”和应用行为控制配置文件“profile_app_work”用来控制学生在学习时间段的应用行为。
[USG6315E_A] security-policy [USG6315E_A-policy-security] rule name policy_sec_work [USG6315E_A-policy-security-rule-policy_sec_work] source-zone trust [USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp1 [USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp2 [USG6315E_A-policy-security-rule-policy_sec_work] user any [USG6315E_A-policy-security-rule-policy_sec_work] time-range working_hours [USG6315E_A-policy-security-rule-policy_sec_work] profile app-control profile_app_work [USG6315E_A-policy-security-rule-policy_sec_work] action permit [USG6315E_A-policy-security-rule-policy_sec_work] quit
# 配置安全策略policy_sec_rest,通过引用时间段“off_hours”以及应用行为控制配置文件“profile_app_rest”用来控制学生在非学习时间段的应用行为。
[USG6315E_A-policy-security] rule name policy_sec_rest [USG6315E_A-policy-security-rule-policy_sec_rest] source-zone trust [USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp1 [USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp2 [USG6315E_A-policy-security-rule-policy_sec_rest] user any [USG6315E_A-policy-security-rule-policy_sec_rest] time-range off_hours [USG6315E_A-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest [USG6315E_A-policy-security-rule-policy_sec_rest] action permit [USG6315E_A-policy-security-rule-policy_sec_rest] quit
结果验证
- 在核心交换机S12700E-8上查看AP上线情况。
[S12700E-8] display ap all Info: This operation may take a few seconds. Please wait for a moment.done. Total AP information: nor : normal [1] Extra information: P : insufficient power supply ----------------------------------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime ExtraInfo ----------------------------------------------------------------------------------------------------------------------- 0 00e0-fc12-3455 area_1 ap-group1 10.250.12.109 AP4050DN nor 0 1D:0H:34M:33S - ----------------------------------------------------------------------------------------------------------------------- Total: 1
- 用户1和用户2分别通过有线和无线的认证方式在学生宿舍区接入网络,认证通过后,可以在ME60上看到用户信息(有线用户可溯源到具体哪个接入交换的哪个端口接入、无线用户可溯源到具体的哪个AP接入);同时在ME60上可以看到在线用户的信息,查看用户是否获取到相应的访问权限,再检查用户1是否可以访问认证后域,用户2是否可以访问认证后域。
- 用户1和用户2分别通过有线和无线的认证方式在教师办公区接入网络,认证通过后,可以在ME60上看到用户信息(有线用户可溯源到具体哪个接入交换的哪个端口接入、无线用户可溯源到具体的哪个AP接入);同时在ME60上可以看到在线用户的信息,查看用户是否获取到相应的访问权限,再检查用户1是否可以访问认证后域,用户2是否可以访问认证后域。
配置文件
S5735-L_A | S5735-L_B |
---|---|
# sysname S5735-L_A # vlan batch 600 2001 to 3500 4004 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 600 2001 to 3500 4004 # interface GigabitEthernet0/0/3 port link-type access port default vlan 2001 stp edged-port enable # interface GigabitEthernet0/0/4 port link-type trunk port trunk pvid vlan 4004 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 3001 to 3500 4004 stp edged-port enable port-isolate enable group 1 # interface GigabitEthernet0/0/5 port link-type access port default vlan 600 stp edged-port enable # return |
# sysname S5735-L_B # vlan batch 600 2001 to 3500 4004 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 600 2001 to 3500 4004 # interface GigabitEthernet0/0/3 port link-type access port default vlan 2001 stp edged-port enable # interface GigabitEthernet0/0/4 port link-type trunk port trunk pvid vlan 4004 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 3001 to 3500 4004 stp edged-port enable port-isolate enable group 1 # interface GigabitEthernet0/0/5 port link-type access port default vlan 600 stp edged-port enable # return |
S6730-H_A | S6730-H_B |
---|---|
# sysname S6730-H_A # vlan batch 101 to 200 600 1601 to 1800 4004 # interface XGigabitEthernet1/0/1 port link-type hybrid undo port hybrid vlan 1 port hybrid tagged vlan 600 4004 port hybrid untagged vlan 101 1601 port vlan-stacking vlan 2001 to 3000 stack-vlan 101 port vlan-stacking vlan 3001 to 3500 stack-vlan 1601 # interface XGigabitEthernet3/0/0 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004 # return |
# sysname S6730-H_B # vlan batch 201 to 400 600 1801 to 2000 4004 # interface XGigabitEthernet1/0/1 port link-type hybrid undo port hybrid vlan 1 port hybrid tagged vlan 600 4004 port hybrid untagged vlan 201 1801 port vlan-stacking vlan 2001 to 3000 stack-vlan 201 port vlan-stacking vlan 3001 to 3500 stack-vlan 1801 # interface XGigabitEthernet3/0/0 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004 # return |
S12700E-8 |
---|
# sysname S12700E-8 # vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010 # dhcp enable # interface Vlanif4004 ip address 10.250.0.1 255.255.240.0 arp-proxy enable arp-proxy inner-sub-vlan-proxy enable dhcp select interface # interface Vlanif4010 ip address 172.16.11.13 255.255.255.252 # interface XGigabitEthernet4/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 101 to 200 600 1601 to 1801 4004 port-isolate enable group 1 # interface XGigabitEthernet4/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004 port-isolate enable group 1 # interface XGigabitEthernet5/0/7 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010 # interface LoopBack0 ip address 172.16.10.4 255.255.255.255 # ip route-static 172.16.10.1 255.255.255.255 172.16.11.14 ip route-static 172.16.10.2 255.255.255.255 172.16.11.14 ip route-static 172.16.10.3 255.255.255.255 172.16.11.14 # capwap source interface vlanif4004 # wlan traffic-profile name new-vap-traffic-1 user-isolate l2 security-profile name wlan-security security open ssid-profile name wlan-ssid ssid wlan-net vap-profile name wlan-vap service-vlan vlan-id 3001 ssid-profile wlan-ssid security-profile wlan-security traffic-profile new-vap-traffic-1 regulatory-domain-profile name domain1 rrm-profile name default calibrate auto-channel-select disable calibrate auto-txpower-select disable ap-group name ap-group1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-id 0 type-id 75 ap-mac 00e0-fc76-e370 ap-sn 21500831023GJ1006553 ap-group ap-group1 radio 0 channel 20mhz 6 eirp 127 radio 1 channel 20mhz 149 eirp 127 # return |
ME60 |
---|
# sysname ME60 # value-added-service enable # user-group pre-web user-group pre-ppp user-group xuesheng user-group jiaoshi # radius-server source interface LoopBack0 radius-server authorization 192.168.10.55 shared-key-cipher %^%#&|-oI:&#&%<ZBPF\0s@"-vgF~lVjpAB5w[5XP4=4%^%# radius-server authorization 192.168.10.241 shared-key-cipher %^%#O1n13EDPo9e7bHWac{b7-FtB(:e}f@pT-p6l=$<*%^%# # radius-server group radius radius-server shared-key-cipher %^%#l$~9,kQZF!:j]$R54Ka~=3]%L8^w7,E+Ft2X*}:@%^%# radius-server authentication 192.168.10.55 1812 weight 0 radius-server accounting 192.168.8.249 1813 weight 0 undo radius-server user-name domain-included # radius-server group mac radius-server shared-key-cipher %^%#/W@Y%>vX8EzCg<LzjKV$G(0j&;2"}:5Nzy3pc[=+%^%# radius-server authentication 192.168.10.55 1812 weight 0 radius-server accounting 192.168.10.55 1813 weight 0 # qos-profile 50M car cir 50000 cbs 9350000 green pass red discard inbound car cir 50000 cbs 9350000 green pass red discard outbound # qos-profile 20M car cir 20000 cbs 3740000 green pass red discard inbound car cir 20000 cbs 3740000 green pass red discard outbound # qos-profile 10M car cir 10000 cbs 1870000 green pass red discard inbound car cir 10000 cbs 1870000 green pass red discard outbound # ip pool jiaoshi bas local gateway 10.254.128.1 255.255.128.0 section 0 10.254.128.2 10.254.255.254 excluded-ip-address 10.254.128.2 10.254.129.254 dns-server 192.168.10.2 10.255.57.5 lease 0 12 0 # ip pool pre-pool bas local gateway 10.253.0.1 255.255.128.0 section 0 10.253.0.2 10.253.127.254 dns-server 192.168.10.2 10.255.57.5 lease 0 12 0 # ip pool pre-ppp bas local gateway 10.253.128.1 255.255.128.0 section 0 10.253.128.2 10.253.255.254 dns-server 192.168.10.2 10.255.57.5 lease 0 12 0 # ip pool xuesheng bas local gateway 10.254.0.1 255.255.128.0 section 0 10.254.0.2 10.254.127.254 dns-server 192.168.10.2 10.255.57.5 lease 0 12 0 # acl number 6001 rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye # acl number 6003 rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi # acl number 6005 rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng # acl number 6010 rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0 rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0 rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0 rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0 rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0 # acl number 6011 rule 5 permit tcp source user-group pre-web destination-port eq www rule 10 permit tcp source user-group pre-web destination-port eq 8080 rule 20 permit ip source user-group pre-web # acl number 6012 rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0 rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0 rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0 # acl number 6013 rule 5 permit tcp source user-group pre-ppp destination-port eq www rule 10 permit tcp source user-group pre-ppp destination-port eq 8080 rule 20 deny ip source user-group pre-ppp # traffic classifier 6001 operator or if-match acl 6001 # traffic classifier 6003 operator or if-match acl 6003 # traffic classifier 6005 operator or if-match acl 6005 # traffic classifier 6010 operator or if-match acl 6010 # traffic classifier 6011 operator or if-match acl 6011 # traffic classifier 6012 operator or if-match acl 6012 # traffic classifier 6013 operator or if-match acl 6013 # traffic behavior 6001 car tariff-level 1 traffic-statistic # traffic behavior 6003 car tariff-level 1 traffic-statistic # traffic behavior 6005 car tariff-level 1 traffic-statistic # traffic behavior 6010 # traffic behavior 6011 http-redirect # traffic behavior 6012 # traffic behavior 6013 http-redirect # traffic policy traffic-policy-1 share-mode classifier 6010 behavior 6010 precedence 1 classifier 6011 behavior 6011 precedence 2 classifier 6012 behavior 6012 precedence 3 classifier 6013 behavior 6013 precedence 4 # traffic policy traffic_policy_daa share-mode classifier 6003 behavior 6003 precedence 1 classifier 6005 behavior 6005 precedence 2 # aaa http-redirect enable default-password cipher %$%$MD{\.!~j'P#Jl%3cJBm6#QWv%$%$ default-user-name include mac-address - local-user root password irreversible-cipher +Hv$!xKCa#UY6\$GWJ!N4[QH.O/'HIa@AoURN`>;R"Z8PtIa\3AZAy6Sa60(C6GCN # authentication-scheme none # authentication-scheme authen # accounting-scheme none accounting-mode none # accounting-scheme acc accounting interim interval 15 # domain pre-authen authentication-scheme none accounting-scheme none ip-pool pre-pool user-group pre-web web-server 192.168.10.53 web-server url http://192.168.10.53/help/help.html # domain xs authentication-scheme authen accounting-scheme acc radius-server group radius ip-pool xuesheng ip-pool jiaoshi value-added-service account-type none value-added-service policy 10m user-group pre-web web-server 192.168.10.53 web-server url http://192.168.10.53/help/help.html portal-server 192.168.10.100 portal-server url http://192.168.10.100/portal/ quota-out online # domain jg authentication-scheme authen accounting-scheme acc radius-server group radius ip-pool jiaoshi value-added-service account-type none value-added-service policy 20m user-group pre-web portal-server 192.168.10.100 portal-server url http://192.168.10.100/portal/ quota-out online # domain pre-ppp authentication-scheme none accounting-scheme none ip-pool pre-ppp user-group pre-ppp web-server 192.168.10.55 web-server url http://192.168.10.55/help/help.html # domain mac authentication-scheme mac accounting-scheme acc radius-server group mac ip-pool pre-pool mac-authentication enable # value-added-service policy 10m daa accounting-scheme none traffic-separate enable tariff-level 1 qos-profile 10M # value-added-service policy 20m daa accounting-scheme none traffic-separate enable tariff-level 1 qos-profile 20M # value-added-service policy 50m daa accounting-scheme none traffic-separate enable tariff-level 1 qos-profile 50M # interface Virtual-Template1 ppp authentication-mode auto # interface GigabitEthernet1/0/1 undo shutdown ip address 172.16.11.6 255.255.255.252 # interface GigabitEthernet1/0/2 undo shutdown ip address 172.16.11.10 255.255.255.252 # interface GigabitEthernet 1/1/1.1000 description xuesheng-ppp user-vlan 2001 3000 qinq 101 200 pppoe-server bind Virtual-Template 1 bas # access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs dhcp session-mismatch action offline authentication-method ppp web # # interface GigabitEthernet 1/1/1.1001 description xuesheng-web user-vlan 3001 3500 qinq 1601 1800 bas # access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs dhcp session-mismatch action offline authentication-method web # # interface GigabitEthernet 1/1/1.1002 description jiaoshi-ppp user-vlan 2001 3000 qinq 201 400 pppoe-server bind Virtual-Template 1 bas # access-type layer2-subscriber default-domain pre-authentication pre-ppp authen tication jg dhcp session-mismatch action offline authentication-method ppp web # # interface GigabitEthernet 1/1/1.1003 description jiaoshi-web user-vlan 3001 3500 qinq 1801 2000 bas # access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg dhcp session-mismatch action offline authentication-method web # # interface GigabitEthernet 1/1/1.1101 description mac-web user-vlan 600 bas # access-type layer2-subscriber default-domain pre-authentication mac authentication jg dhcp session-mismatch action offline authentication-method web # # interface GigabitEthernet 1/1/1.4010 vlan-type dot1q 4010 ip address 172.16.11.14 255.255.255.252 # interface LoopBack0 ip address 172.16.10.3 255.255.255.255 # ip route-static 172.16.10.1 255.255.255.255 172.16.11.5 ip route-static 172.16.10.2 255.255.255.255 172.16.11.9 ip route-static 172.16.10.4 255.255.255.255 172.16.11.13 # web-auth-server source interface LoopBack0 web-auth-server 192.168.10.53 port 50100 key cipher %^%#S2#I1~`Kc/>vz1F4u3q+_DHT)ZE^`"n:w>!li(<C%^%# # traffic-policy traffic-policy-1 inbound traffic-policy traffic-policy-1 outbound # accounting-service-policy traffic_policy_daa # return |
USG6315E_A | USG6315E_B |
---|---|
# sysname USG6315E_A # hrp enable hrp interface GigabitEthernet 1/0/6 remote 172.16.11.2 hrp mirror session enable hrp track interface GigabitEthernet 1/0/7 # dns-smart enable # firewall defend time-stamp enable firewall defend route-record enable firewall defend source-route enable firewall defend winnuke enable firewall defend fraggle enable firewall defend ping-of-death enable firewall defend smurf enable irewall defend land enable # ip-link check enable ip-link name ip_link_1 destination 203.0.113.254 interface GigabitEthernet1/0/1 mode icmp ip-link name ip_link_2 destination 192.0.2.254 interface GigabitEthernet1/0/2 mode icmp # time-range off_hours period-range 00:00:00 to 23:59:59 off-day period-range 00:00:00 to 08:59:59 working-day period-range 17:30:01 to 23:59:59 working-day time-range working_hours period-range 09:00:00 to 17:30:00 working-day # interface GigabitEthernet1/0/1 ip address 203.0.113.1 255.255.255.0 anti-ddos flow-statistic enable gateway 203.0.113.254 bandwidth ingress 800000 threshold 95 bandwidth egress 800000 threshold 95 redirect-reverse next-hop 203.0.113.254 # interface GigabitEthernet1/0/2 ip address 192.0.2.2 255.255.255.0 anti-ddos flow-statistic enable gateway 192.0.2.254 bandwidth ingress 200000 threshold 90 bandwidth egress 200000 threshold 90 redirect-reverse next-hop 192.0.2.254 # interface GigabitEthernet1/0/6 ip address 172.16.11.1 255.255.255.252 # interface GigabitEthernet1/0/7 ip address 172.16.11.5 255.255.255.252 # interface LoopBack0 ip address 172.16.10.1 255.255.255.255 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/7 # firewall zone dmz set priority 50 add interface GigabitEthernet1/0/6 # firewall zone name isp1 id 4 set priority 10 add interface GigabitEthernet1/0/1 # firewall zone name isp2 id 5 set priority 15 add interface GigabitEthernet1/0/2 # ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1 ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2 ip route-static 10.253.0.0 255.255.128.0 172.16.11.6 ip route-static 10.253.128.0 255.255.128.0 172.16.11.6 ip route-static 10.254.0.0 255.255.128.0 172.16.11.6 ip route-static 10.254.128.0 255.255.128.0 172.16.11.6 ip route-static 172.16.10.2 255.255.255.255 172.16.11.6 ip route-static 172.16.10.3 255.255.255.255 172.16.11.6 ip route-static 172.16.10.4 255.255.255.255 172.16.11.6 ip route-static 192.168.10.0 255.255.255.0 172.16.11.6 ip route-static 203.0.113.100 255.255.255.255 NULL 0 ip route-static 192.0.2.100 255.255.255.255 NULL 0 # anti-ddos syn-flood source-detect anti-ddos udp-flood dynamic-fingerprint-learn anti-ddos udp-frag-flood dynamic-fingerprint-learn anti-ddos http-flood defend alert-rate 2000 anti-ddos http-flood source-detect mode basic anti-ddos baseline-learn start anti-ddos baseline-learn apply anti-ddos baseline-learn tolerance-value 100 # nat server web_for_isp1 0 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 www no-reverse nat server web_for_isp2 1 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 www no-reverse # profile type app-control name profile_app_work http-control web-browse action deny http-control proxy action deny http-control post action deny http-control file direction upload action deny http-control file direction download action deny ftp-control file delete action deny ftp-control file direction upload action deny ftp-control file direction download action deny # profile type app-control name profile_app_rest http-control post action deny http-control file direction upload action deny ftp-control file delete action deny ftp-control file direction upload action deny ftp-control file direction download action deny # nat address-group addressgroup1 0 mode pat route enable section 0 203.0.113.1 203.0.113.5 # nat address-group addressgroup2 1 mode pat route enable section 1 192.0.2.1 192.0.2.5 # dns-smart group 1 type multi out-interface GigabitEthernet 1/0/1 map 203.0.113.10 out-interface GigabitEthernet 1/0/2 map 192.0.2.10 multi-interface mode proportion-of-bandwidth add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/2 # security-policy rule name trust_to_untrust source-zone trust destination-zone isp1 destination-zone isp2 action permit rule name untrust_to_trust source-zone isp1 source-zone isp2 destination-zone trust destination-address 192.168.10.0 mask 255.255.255.0 action permit rule name policy_dmz source-zone local source-zone dmz destination-zone local destination-zone dmz action permit rule name policy_sec_work source-zone trust destination-zone isp1 destination-zone isp2 time-range working_hours profile app-control profile_app_work action permit rule name policy_sec_rest source-zone trust destination-zone isp1 destination-zone isp2 time-range off_hours profile app-control profile_app_rest action permit # nat-policy rule name policy_nat_1 source-zone trust destination-zone isp1 action source-nat address-group addressgroup1 rule name policy_nat_2 source-zone trust destination-zone isp2 action source-nat address-group addressgroup2 # return |
# sysname USG6315E_B # hrp enable hrp interface GigabitEthernet 1/0/6 remote 172.16.11.1 hrp mirror session enable hrp track interface GigabitEthernet 1/0/7 # dns-smart enable # firewall defend time-stamp enable firewall defend route-record enable firewall defend source-route enable firewall defend winnuke enable firewall defend fraggle enable firewall defend ping-of-death enable firewall defend smurf enable irewall defend land enable # ip-link check enable ip-link name ip_link_1 destination 203.0.113.254 interface GigabitEthernet1/0/1 mode icmp ip-link name ip_link_2 destination 192.0.2.254 interface GigabitEthernet1/0/2 mode icmp # time-range off_hours period-range 00:00:00 to 23:59:59 off-day period-range 00:00:00 to 08:59:59 working-day period-range 17:30:01 to 23:59:59 working-day time-range working_hours period-range 09:00:00 to 17:30:00 working-day # interface GigabitEthernet1/0/1 ip address 203.0.113.2 255.255.255.0 anti-ddos flow-statistic enable gateway 203.0.113.254 bandwidth ingress 800000 threshold 95 bandwidth egress 800000 threshold 95 redirect-reverse next-hop 203.0.113.254 # interface GigabitEthernet1/0/2 ip address 192.0.2.1 255.255.255.0 anti-ddos flow-statistic enable gateway 192.0.2.254 bandwidth ingress 200000 threshold 90 bandwidth egress 200000 threshold 90 redirect-reverse next-hop 192.0.2.254 # interface GigabitEthernet1/0/6 ip address 172.16.11.2 255.255.255.252 # interface GigabitEthernet1/0/7 ip address 172.16.11.9 255.255.255.252 # interface LoopBack0 ip address 172.16.10.2 255.255.255.255 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/7 # firewall zone dmz set priority 50 add interface GigabitEthernet1/0/6 # firewall zone name isp1 id 4 set priority 10 add interface GigabitEthernet1/0/1 # firewall zone name isp2 id 5 set priority 15 add interface GigabitEthernet1/0/2 # ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1 ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2 ip route-static 10.253.0.0 255.255.128.0 172.16.11.10 ip route-static 10.253.128.0 255.255.128.0 172.16.11.10 ip route-static 10.254.0.0 255.255.128.0 172.16.11.10 ip route-static 10.254.128.0 255.255.128.0 172.16.11.10 ip route-static 172.16.10.1 255.255.255.255 172.16.11.10 ip route-static 172.16.10.3 255.255.255.255 172.16.11.10 ip route-static 172.16.10.4 255.255.255.255 172.16.11.10 ip route-static 192.168.10.0 255.255.255.0 172.16.11.10 ip route-static 203.0.113.100 255.255.255.255 NULL 0 ip route-static 192.0.2.100 255.255.255.255 NULL 0 # anti-ddos syn-flood source-detect anti-ddos udp-flood dynamic-fingerprint-learn anti-ddos udp-frag-flood dynamic-fingerprint-learn anti-ddos http-flood defend alert-rate 2000 anti-ddos http-flood source-detect mode basic anti-ddos baseline-learn start anti-ddos baseline-learn apply anti-ddos baseline-learn tolerance-value 100 # nat server web_for_isp1 0 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 www no-reverse nat server web_for_isp2 1 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 www no-reverse # profile type app-control name profile_app_work http-control web-browse action deny http-control proxy action deny http-control post action deny http-control file direction upload action deny http-control file direction download action deny ftp-control file delete action deny ftp-control file direction upload action deny ftp-control file direction download action deny # profile type app-control name profile_app_rest http-control post action deny http-control file direction upload action deny ftp-control file delete action deny ftp-control file direction upload action deny ftp-control file direction download action deny # nat address-group addressgroup1 0 mode pat route enable section 0 203.0.113.1 203.0.113.5 # nat address-group addressgroup2 1 mode pat route enable section 1 192.0.2.1 192.0.2.5 # dns-smart group 1 type multi out-interface GigabitEthernet 1/0/1 map 203.0.113.10 out-interface GigabitEthernet 1/0/2 map 192.0.2.10 multi-interface mode proportion-of-bandwidth add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/2 # security-policy rule name trust_to_untrust source-zone trust destination-zone isp1 destination-zone isp2 action permit rule name untrust_to_trust source-zone isp1 source-zone isp2 destination-zone trust destination-address 192.168.10.0 mask 255.255.255.0 action permit rule name policy_dmz source-zone local source-zone dmz destination-zone local destination-zone dmz action permit rule name policy_sec_work source-zone trust destination-zone isp1 destination-zone isp2 time-range working_hours profile app-control profile_app_work action permit rule name policy_sec_rest source-zone trust destination-zone isp1 destination-zone isp2 time-range off_hours profile app-control profile_app_rest action permit # nat-policy rule name policy_nat_1 source-zone trust destination-zone isp1 action source-nat address-group addressgroup1 rule name policy_nat_2 source-zone trust destination-zone isp2 action source-nat address-group addressgroup2 # return |
本站所有文章,如无特殊说明或标注,均为本站原创发布。
任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。
如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。
评论(0)