Application Scope

This example describes a comprehensive BRAS scenario in which the ME60 functions as the gateway authentication device and provides user access authentication (IPoE access, PPPoE access, MAC authentication, and so on). It applies to large campus networks, such as universities, with 20000+ users.

Service Requirements

A campus network needs unified authentication for the wired and wireless networks of the student dormitory area and the faculty office area, with the following requirements:

  • Access requirements: Wired and wireless networks are deployed together, and both wired and wireless users can access the network. Campus intranet users can reach the external networks ISP1 and ISP2 (for example, the Internet and the education network), and external users can reach server resources on the intranet.
  • Authentication requirements: Both wired and wireless users must be authenticated before accessing the network. Wired users use PPPoE authentication, wireless users use IPoE authentication, and dumb terminals use MAC authentication.
  • Network permission requirements: Wired and wireless users have different accounts and network permissions according to their role (student, teacher, and so on), as listed in Table 2-130. Student and teacher accounts are managed by the school's local AAA server, which handles authentication, accounting and authorization. Commercial accounts are forwarded by the school's AAA server (AAA proxy) to the carrier's AAA server for authentication.

    Table 2-130 Network permissions

    Account type | Access mode | Authentication method | Network permission | Bandwidth control
    Student account | Wired | PPPoE | Campus intranet | 10M
    Student account | Wireless | IPoE | Campus intranet | 10M
    Teacher account | Wired | PPPoE | Campus intranet; external networks ISP1 and ISP2 through the campus network | Campus intranet: 20M; external networks: 50M
    Teacher account | Wireless | IPoE | Campus intranet; external networks ISP1 and ISP2 through the campus network | Campus intranet: 20M; external networks: 50M
    Commercial account | Wired | PPPoE | Campus intranet; external networks ISP1 and ISP2 through the commercial channel | Campus intranet: students 10M, teachers 20M; external networks: 50M
    Commercial account | Wireless | IPoE | Campus intranet; external networks ISP1 and ISP2 through the commercial channel | Campus intranet: students 10M, teachers 20M; external networks: 50M
    Dumb terminals (printers, fax machines, etc.) | Wired | MAC | Campus intranet | 20M

  • Accounting requirements: Students, teachers and other users are not charged for access to the campus intranet, but are charged for access to the carrier networks ISP1 and ISP2 outside the campus.
  • Security requirements: Traffic entering and leaving the campus network must be identified and filtered to keep the network secure.

Solution Design

Topology Design

Figure 2-99 shows the networking in which the ME60 functions as the gateway authentication point.

Figure 2-99 Networking diagram with the ME60 as the gateway authentication point

Service Design

  • Access design: The ME60 functions as the gateway authentication point for wired and wireless users, dynamically assigns IP addresses to users, and authenticates both wired and wireless users. The core switch S12700E-8 is the connection point for all aggregation switches and has a built-in native AC (no separate hardware AC is needed, which lowers the investment in network devices). The native AC function is configured on the S12700E-8 to manage all APs on the network and provide wireless access. The S5735-L functions as the access switch and uplinks to the S6730-H aggregation switch; users are isolated with QinQ. The inner VLAN identifies an individual interface within an area (for example, the downlink interfaces of the access switches in the dormitory and office areas are assigned VLANs 2001 to 3500), and the outer VLAN identifies a floor within an area (for example, the downlink interfaces of the dormitory aggregation switch are assigned VLANs 101 to 200, and those of the office aggregation switch VLANs 201 to 400).

    The core switch S12700E-8 transparently transmits the QinQ packets to the ME60, and the ME60 terminates the QinQ tags.

    The egress firewall USG6680 handles the external network egress service, isolates the internal and external networks, and provides mutual access between them through NAT. Intelligent uplink selection is enabled on the firewall so that the outbound interface is chosen dynamically according to the bandwidth of the egress links, which makes full use of link resources and improves the user experience.

  • Authentication design: The ME60 functions as the authentication device and offers wired and wireless users a rich set of authentication methods, including IPoE, PPPoE and MAC authentication, to meet flexible authentication requirements. Users can access external networks only after passing web authentication.
  • Network permission and accounting design: DAA is configured on the ME60 to provide differentiated rate limiting and accounting for different users and different destination addresses.
  • Security design: Security policies configured on the egress firewall filter users' Internet traffic, prevent users from accessing illegal websites, and allow user traffic to be monitored and traced.
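To make the double-tag design concrete, here is an added Python model (written for this edit, not part of the original document or of any Huawei product) that follows a user frame from its inner VLAN on the access switch, through the vlan-stacking rule on the aggregation switch, to the ME60 BAS sub-interface that terminates it, and checks that no two sub-interfaces claim the same (outer, inner) combination. The wireless entries reflect the IPoE BAS configuration in the deployment steps; the wired sub-interface ranges are assumed from the VLAN plan, since the PPPoE BAS configuration on this page does not list them.

```python
# Constructed model of the QinQ design. Ranges are inclusive (low, high) tuples.

# vlan-stacking on one downlink port of each aggregation switch, taken from the
# deployment steps: (inner VLAN range) -> outer tag pushed by the switch.
STACKING = {
    "S6730-H_A": [((2001, 3000), 101), ((3001, 3500), 1601)],
    "S6730-H_B": [((2001, 3000), 201), ((3001, 3500), 1801)],
}

# ME60 BAS sub-interfaces: (inner range, outer range, sub-interface, service).
# The two IPoE entries come from the page's BAS configuration; the PPPoE ranges
# are ASSUMED from the VLAN plan (wired inner 2001-3000, outer 101-200 / 201-400).
BAS_INTERFACES = [
    ((3001, 3500), (1601, 1800), "GE1/1/1.1001", "IPoE, student wireless"),
    ((3001, 3500), (1801, 2000), "GE1/1/1.1003", "IPoE, teacher wireless"),
    ((2001, 3000), (101, 200), "GE1/1/1.1000", "PPPoE, student wired (assumed)"),
    ((2001, 3000), (201, 400), "GE1/1/1.1002", "PPPoE, teacher wired (assumed)"),
]


def in_range(vlan, rng):
    return rng[0] <= vlan <= rng[1]


def stack_outer_tag(device, inner_vlan, stacking=STACKING):
    """Outer tag the aggregation switch pushes for an inner VLAN, or None when the
    frame is not stacked (for example VLAN 600, which is carried single-tagged)."""
    for inner_range, outer in stacking[device]:
        if in_range(inner_vlan, inner_range):
            return outer
    return None


def bas_interfaces_for(outer_vlan, inner_vlan, bas=BAS_INTERFACES):
    """All sub-interfaces whose user-vlan/qinq ranges cover this tag pair."""
    return [sub for inner_range, outer_range, sub, _ in bas
            if in_range(inner_vlan, inner_range) and in_range(outer_vlan, outer_range)]


def overlapping_bas_interfaces(bas=BAS_INTERFACES):
    """Pairs of sub-interfaces whose (inner x outer) rectangles intersect.
    Such a plan is ambiguous: one tag pair would match two access configurations."""
    def overlap(a, b):
        return a[0] <= b[1] and b[0] <= a[1]
    pairs = []
    for i, (inner1, outer1, sub1, _) in enumerate(bas):
        for inner2, outer2, sub2, _ in bas[i + 1:]:
            if overlap(inner1, inner2) and overlap(outer1, outer2):
                pairs.append((sub1, sub2))
    return pairs


def classify_frame(device, inner_vlan):
    """Follow a frame from its access inner VLAN to the single ME60 sub-interface
    that terminates it; None if it is not stacked or matches zero/several."""
    outer = stack_outer_tag(device, inner_vlan)
    if outer is None:
        return None
    matches = bas_interfaces_for(outer, inner_vlan)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for dev, vlan in (("S6730-H_A", 3010), ("S6730-H_B", 2500), ("S6730-H_A", 600)):
        print(dev, vlan, "->", classify_frame(dev, vlan))
    print("overlaps:", overlapping_bas_interfaces())
```

A wireless inner VLAN behind the dormitory aggregation switch lands on GE1/1/1.1001 and a wired one behind the office switch on GE1/1/1.1002; VLAN 600 (dumb terminals) is not stacked, which is why the MAC authentication BAS interface is planned separately.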

NE Software Version Requirements

Table 2-131 lists the products and versions to which this solution applies.

Table 2-131 Software versions of the products involved

Product name | Product version
S12700E-8 | V200R019C10
S6730-H | V200R019C10
S5735-L | V200R019C10
ME60 | V800R008C10
USG6315E | V800R007C00

Deployment Roadmap and Data Plan

Deployment Roadmap

Step | Deployment task | Devices involved
1 | Configure interfaces and VLANs on the access switches for Layer 2 connectivity | S5735-L_A, S5735-L_B
2 | Configure interfaces and VLANs on the aggregation switches for Layer 2 connectivity | S6730-H_A, S6730-H_B
3 | Configure interfaces, VLANs, IP addresses and routes on the core switch for network connectivity | S12700E-8
4 | Configure DHCP on the core switch to assign IP addresses to the APs | S12700E-8
5 | Configure WLAN services on the core switch for wireless user access | S12700E-8
6 | Configure interfaces, VLANs, IP addresses and routes on the ME60 for network connectivity | ME60
7 | Configure IPoE access on the ME60 to authenticate the wireless student and teacher users | ME60
8 | Configure PPPoE access on the ME60 to authenticate the wired student and teacher users | ME60
9 | Configure MAC authentication on the ME60 for dumb terminals such as printers and fax machines | ME60
10 | Configure interfaces, IP addresses and routing protocols on the firewalls for network connectivity | USG6315E_A, USG6315E_B
11 | Assign the firewall interfaces to security zones | USG6315E_A, USG6315E_B
12 | Configure intelligent uplink selection on the firewalls to load-balance traffic according to link bandwidth | USG6315E_A, USG6315E_B
13 | Configure hot standby on the firewalls so that, when the active device fails, the standby device takes over smoothly and services continue without interruption | USG6315E_A, USG6315E_B
14 | Configure security policies on the firewalls | USG6315E_A, USG6315E_B
15 | Configure NAT on the firewalls so that intranet users can access the Internet | USG6315E_A, USG6315E_B
16 | Configure NAT Server on the firewalls so that external users can access the intranet HTTP server | USG6315E_A, USG6315E_B
17 | Enable smart DNS on the firewalls so that users of different carriers obtain the most suitable resolved address | USG6315E_A, USG6315E_B
18 | Configure attack defense and application behavior control on the firewalls | USG6315E_A, USG6315E_B

Data Plan

The following describes the VLAN, interface, IP address, route and service data plans used in this example.

Table 2-132 VLAN plan

Product | Parameter | Description
S5735-L_A | VLAN600 | VLAN of the dumb terminals in the dormitory area.
S5735-L_A | VLAN2001~3000 | Inner VLANs of the wired access users in the dormitory area.
S5735-L_A | VLAN3001~3500 | Inner VLANs of the wireless access users in the dormitory area.
S5735-L_A | VLAN4004 | Management VLAN of the APs in the dormitory area.
S5735-L_B | VLAN600 | VLAN of the dumb terminals in the classroom/office area.
S5735-L_B | VLAN2001~3000 | Inner VLANs of the wired access users in the classroom/office area.
S5735-L_B | VLAN3001~3500 | Inner VLANs of the wireless access users in the classroom/office area.
S5735-L_B | VLAN4004 | Management VLAN of the APs in the classroom/office area.
S6730-H_A | VLAN600 | VLAN of the dumb terminals in the dormitory area.
S6730-H_A | VLAN101~200 | Outer VLANs of the wired access users in the dormitory area.
S6730-H_A | VLAN1601~1800 | Outer VLANs of the wireless access users in the dormitory area.
S6730-H_A | VLAN4004 | Management VLAN of the APs in the dormitory area.
S6730-H_B | VLAN600 | VLAN of the dumb terminals in the classroom/office area.
S6730-H_B | VLAN201~400 | Outer VLANs of the wired access users in the classroom/office area.
S6730-H_B | VLAN1801~2000 | Outer VLANs of the wireless access users in the classroom/office area.
S6730-H_B | VLAN4004 | Management VLAN of the APs in the classroom/office area.
S12700E-8 | VLAN600 | VLAN of the dumb terminals.
S12700E-8 | VLAN101~400 | Outer VLANs of the wired users.
S12700E-8 | VLAN1601~2000 | Outer VLANs of the wireless users.
S12700E-8 | VLAN4010 | VLAN of the core switch uplink to the ME60.
S12700E-8 | VLAN4004 | Management VLAN of the APs.

Table 2-133 Interface and IP address plan

Product | Interface | IP address
USG6315E_A | GE1/0/6 | 172.16.11.1/30
USG6315E_A | GE1/0/7 | 172.16.11.5/30
USG6315E_A | GE1/0/1 | 203.0.113.1/24
USG6315E_A | GE1/0/2 | 192.0.2.2/24
USG6315E_A | Loopback0 | 172.16.10.1/32
USG6315E_B | GE1/0/6 | 172.16.11.2/30
USG6315E_B | GE1/0/7 | 172.16.11.9/30
USG6315E_B | GE1/0/1 | 203.0.113.2/24
USG6315E_B | GE1/0/2 | 192.0.2.1/24
USG6315E_B | Loopback0 | 172.16.10.2/32
ME60 | GE1/0/1 | 172.16.11.6/30
ME60 | GE1/0/2 | 172.16.11.10/30
ME60 | GE1/1/1.4010 | 172.16.11.14/30
ME60 | Loopback0 | 172.16.10.3/32
S12700E-8 | Loopback0 | 172.16.10.4/32
S12700E-8 | VLANIF4010 | 172.16.11.13/30

Table 2-134 Static routes

Device | Destination address | Next-hop IP address
USG6315E_A | 10.253.0.0/17 | 172.16.11.6/30
USG6315E_A | 10.253.128.0/17 | 172.16.11.6/30
USG6315E_A | 10.254.0.0/17 | 172.16.11.6/30
USG6315E_A | 10.254.128.0/17 | 172.16.11.6/30
USG6315E_A | 172.16.10.2/32 | 172.16.11.6/30
USG6315E_A | 172.16.10.3/32 | 172.16.11.6/30
USG6315E_A | 172.16.10.4/32 | 172.16.11.6/30
USG6315E_A | 192.168.10.0/24 | 172.16.11.6/30
USG6315E_B | 10.253.0.0/17 | 172.16.11.10/30
USG6315E_B | 10.253.128.0/17 | 172.16.11.10/30
USG6315E_B | 10.254.0.0/17 | 172.16.11.10/30
USG6315E_B | 10.254.128.0/17 | 172.16.11.10/30
USG6315E_B | 172.16.10.1/32 | 172.16.11.10/30
USG6315E_B | 172.16.10.3/32 | 172.16.11.10/30
USG6315E_B | 172.16.10.4/32 | 172.16.11.10/30
USG6315E_B | 192.168.10.0/24 | 172.16.11.10/30
ME60 | 172.16.10.1/32 | 172.16.11.5/30
ME60 | 172.16.10.2/32 | 172.16.11.9/30
ME60 | 172.16.10.4/32 | 172.16.11.13/30
ME60 | 0.0.0.0/0 | 172.16.11.5/30
ME60 | 0.0.0.0/0 | 172.16.11.9/30
S12700E-8 | 172.16.10.1/32 | 172.16.11.14/30
S12700E-8 | 172.16.10.2/32 | 172.16.11.14/30
S12700E-8 | 172.16.10.3/32 | 172.16.11.14/30
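The following Python script is an editor's addition (not part of the original document or of any vendor tooling) that cross-checks the plan before it is typed into the devices: every static route's next hop must sit on a directly connected subnet of the device that carries the route (Tables 2-133 and 2-134), the address pools planned for IPoE and PPPoE access (Tables 2-135 and 2-136) must be well-formed and must not overlap, and each firewall must hold a return route covering every pool, because a pool without a return route produces users whose traffic leaves but whose replies are dropped. The tables are embedded as constructed data; the check functions are the editor's own.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from Table 2-133: device -> interface addresses.
INTERFACES = {
    "USG6315E_A": ["172.16.11.1/30", "172.16.11.5/30", "203.0.113.1/24",
                   "192.0.2.2/24", "172.16.10.1/32"],
    "USG6315E_B": ["172.16.11.2/30", "172.16.11.9/30", "203.0.113.2/24",
                   "192.0.2.1/24", "172.16.10.2/32"],
    "ME60": ["172.16.11.6/30", "172.16.11.10/30", "172.16.11.14/30",
             "172.16.10.3/32"],
    "S12700E-8": ["172.16.10.4/32", "172.16.11.13/30"],
}
# Constructed from Table 2-134: device -> [(destination prefix, next hop)].
STATIC_ROUTES = {
    "USG6315E_A": [(p, "172.16.11.6") for p in (
        "10.253.0.0/17", "10.253.128.0/17", "10.254.0.0/17", "10.254.128.0/17",
        "172.16.10.2/32", "172.16.10.3/32", "172.16.10.4/32", "192.168.10.0/24")],
    "USG6315E_B": [(p, "172.16.11.10") for p in (
        "10.253.0.0/17", "10.253.128.0/17", "10.254.0.0/17", "10.254.128.0/17",
        "172.16.10.1/32", "172.16.10.3/32", "172.16.10.4/32", "192.168.10.0/24")],
    "ME60": [("172.16.10.1/32", "172.16.11.5"), ("172.16.10.2/32", "172.16.11.9"),
             ("172.16.10.4/32", "172.16.11.13"),
             ("0.0.0.0/0", "172.16.11.5"), ("0.0.0.0/0", "172.16.11.9")],
    "S12700E-8": [(p, "172.16.11.14") for p in
                  ("172.16.10.1/32", "172.16.10.2/32", "172.16.10.3/32")],
}
# Constructed from Tables 2-135/2-136: pool -> (gateway/prefix, first, last).
POOLS = {
    "xuesheng": ("10.254.0.1/17", "10.254.0.2", "10.254.127.254"),
    "pre-pool": ("10.253.0.1/17", "10.253.0.2", "10.253.127.254"),
    "jiaoshi": ("10.254.128.1/17", "10.254.128.2", "10.254.255.254"),
    "pre-ppp": ("10.253.128.1/17", "10.253.128.2", "10.253.255.254"),
}


def connected_subnets(device, interfaces=INTERFACES):
    """Transit subnets of a device; a loopback /32 cannot carry a next hop."""
    nets = [ip_interface(a).network for a in interfaces[device]]
    return [n for n in nets if n.prefixlen < 32]


def unreachable_next_hops(device, interfaces=INTERFACES, routes=STATIC_ROUTES):
    """Static routes whose next hop is not on any connected subnet of the device."""
    subnets = connected_subnets(device, interfaces)
    return [(dst, nh) for dst, nh in routes[device]
            if not any(ip_address(nh) in s for s in subnets)]


def pool_problems(pools=POOLS):
    """Gateway must lie outside the allocatable section, the section inside the
    pool subnet, and no two pool subnets may overlap."""
    problems, nets = [], {}
    for name, (gw, first, last) in pools.items():
        net = ip_interface(gw).network
        lo, hi = ip_address(first), ip_address(last)
        if lo not in net or hi not in net or lo > hi:
            problems.append((name, "section outside subnet"))
        if lo <= ip_interface(gw).ip <= hi:
            problems.append((name, "gateway inside section"))
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append((a, "overlaps " + b))
    return problems


def pools_without_return_route(device, pools=POOLS, routes=STATIC_ROUTES):
    """Pools whose subnet is covered by no static route on the device, so replies
    to those users would have no path back toward the ME60."""
    covered = [ip_network(dst) for dst, _ in routes[device]]
    return [name for name, (gw, _, _) in pools.items()
            if not any(ip_interface(gw).network.subnet_of(c) for c in covered)]


if __name__ == "__main__":
    for dev in STATIC_ROUTES:
        print(dev, "unreachable next hops:", unreachable_next_hops(dev))
    print("pool problems:", pool_problems())
    for fw in ("USG6315E_A", "USG6315E_B"):
        print(fw, "pools without return route:", pools_without_return_route(fw))
```

The core switch is deliberately left out of the return-route check: it carries user traffic at Layer 2 only (QinQ transparent to the ME60), so it needs routes only to the loopbacks, which is exactly what Table 2-134 gives it.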

Table 2-135 IPoE access parameter plan

Parameter | Value
AAA schemes
  • Authentication schemes: authen, none
  • Accounting schemes: acc, none
RADIUS server
  • RADIUS server group name: radius
  • Authentication server IP address: 192.168.10.55, port 1812
  • Accounting server IP address: 192.168.10.55, port 1813
  • Authorization server IP addresses: 192.168.10.55, 192.168.10.241
  • Source interface for RADIUS: LoopBack0, the interface from which the ME60 sends packets to the RADIUS server
  • RADIUS shared key: YsHsjx_202206
Web server
  • Source interface for the web server: LoopBack0, the interface from which the ME60 sends packets to the web server
  • Web server IP address: 192.168.10.53, port 50100
Address pools
  • Pool name: xuesheng
    • Gateway address: 10.254.0.1, mask 255.255.128.0
    • Address segment: 10.254.0.2~10.254.127.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
  • Pool name: pre-pool
    • Gateway address: 10.253.0.1, mask 255.255.128.0
    • Address segment: 10.253.0.2~10.253.127.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
  • Pool name: jiaoshi
    • Gateway address: 10.254.128.1, mask 255.255.128.0
    • Address segment: 10.254.128.2~10.254.255.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
Pre-authentication domain
  • Pre-authentication domain pre-authen, which restricts users to the web server only
  • Bound in the domain: authentication scheme none, accounting scheme none, user group pre-web, address pool pre-pool
UCL rules | UCL rules that redirect users in the pre-authentication domain to the web authentication page
  • UCL 6010: allows access to the authentication, authorization, accounting, web and DNS servers
  • UCL 6011: matches online users in user group pre-web and redirects them to the web authentication page
Authentication domains
  • Domain xs, bound to authentication scheme authen, accounting scheme acc, RADIUS server group radius and address pool xuesheng
  • Domain jg, bound to authentication scheme authen, accounting scheme acc, RADIUS server group radius and address pool jiaoshi
BAS interfaces
  • BAS interface GE 1/1/1.1001
    • Interface type: Layer 2 common user interface; pre-authentication domain pre-authen; authentication domain xs
    • Authentication method: web authentication
  • BAS interface GE 1/1/1.1003
    • Interface type: Layer 2 common user interface; pre-authentication domain pre-authen; authentication domain jg
    • Authentication method: web authentication

Note:

Before authentication, a web authentication user is treated as an unauthorized user: it cannot obtain an IP address and has no permission to reach the web authentication server, so it cannot perform web authentication at all. To resolve this contradiction, every unauthenticated web authentication user is placed in a default domain bound to the interface, called the pre-authentication default domain, or pre-authentication domain for short. An unauthenticated user obtains an IP address from the pre-authentication domain pre-authen and uses the permissions granted by pre-authen to reach the web server. After web authentication is complete, RADIUS authentication is performed through the authentication domain xs.

Table 2-136 PPPoE access parameter plan

Parameter | Value
AAA schemes | Same as the AAA schemes in the IPoE access parameter plan
RADIUS server | Same as the RADIUS server in the IPoE access parameter plan
Address pools
  • Pool name: pre-ppp
    • Gateway address: 10.253.128.1, mask 255.255.128.0
    • Address segment: 10.253.128.2~10.253.255.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
  • Pool name: xuesheng
    • Gateway address: 10.254.0.1, mask 255.255.128.0
    • Address segment: 10.254.0.2~10.254.127.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
  • Pool name: jiaoshi
    • Gateway address: 10.254.128.1, mask 255.255.128.0
    • Address segment: 10.254.128.2~10.254.255.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
User group | User group pre-ppp, which prevents users in the pre-authentication domain from accessing the network
Pre-authentication domain
  • Pre-authentication domain pre-ppp, which restricts users to the web server only
  • Bound in the domain: authentication scheme none, accounting scheme none, user group pre-ppp, address pool pre-ppp
UCL rules | UCL rules that redirect users in the pre-authentication domain to the web authentication page
  • UCL 6012: allows access to the authentication, authorization, accounting and DNS servers
  • UCL 6013: matches online users in user group pre-ppp and redirects them to the web authentication page
Authentication domains | Same as the authentication domains in the IPoE access parameter plan
Virtual template interface | Interface number 1, user authentication mode auto
BAS interfaces
  • BAS interface GE 1/1/1.1000
    • Bound to virtual template interface 1
    • User-side VLANs configured; when a packet carrying two VLAN tags arrives, the interface strips both tags and forwards the packet at Layer 3
    • Interface type: Layer 2 common user interface; pre-authentication domain pre-ppp; authentication domain xs
    • Authentication method: PPP web authentication
  • BAS interface GE 1/1/1.1002
    • Bound to virtual template interface 1
    • User-side VLANs configured; when a packet carrying two VLAN tags arrives, the interface strips both tags and forwards the packet at Layer 3
    • Interface type: Layer 2 common user interface; pre-authentication domain pre-ppp; authentication domain jg
    • Authentication method: PPP web authentication

Table 2-137 MAC authentication parameter plan

Parameter | Value
AAA schemes
  • Authentication schemes: mac, authen, none
  • Accounting schemes: acc, none
RADIUS server
  • RADIUS server group names: mac, radius
  • Authentication server IP address: 192.168.10.55, port 1812
  • Accounting server IP address: 192.168.10.55, port 1813
  • Authorization server IP addresses: 192.168.10.55, 192.168.10.241
  • Source interface for RADIUS: LoopBack0, the interface from which the ME60 sends packets to the RADIUS server
  • RADIUS shared key (cipher text): %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$
Web server | Same as the web server in the IPoE access parameter plan
Address pools
  • Pool name: pre-pool
    • Gateway address: 10.253.0.1, mask 255.255.128.0
    • Address segment: 10.253.0.2~10.253.127.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
  • Pool name: jiaoshi
    • Gateway address: 10.254.128.1, mask 255.255.128.0
    • Address segment: 10.254.128.2~10.254.255.254
    • DNS server IP addresses: 192.168.10.2, 10.255.57.5
    • Lease: 12 hours
User group | User group pre-web, which prevents users in the pre-authentication domain from accessing the network
Authentication domain (domain to which users are redirected after authentication fails)
  • Pre-authentication domain pre-authen, which restricts users to the web server only
  • Bound in the domain: authentication scheme none, accounting scheme none, user group pre-web, address pool pre-pool
UCL rules | UCL rules that redirect users to the web authentication page when, after MAC authentication fails, they are redirected to domain pre-authen
  • UCL 6010: allows access to the authentication, authorization, accounting, web and DNS servers
  • UCL 6011: matches online users in user group pre-web and redirects them to the web authentication page
Pre-authentication domain | Domain mac, bound to authentication scheme mac, accounting scheme acc, RADIUS server group mac and address pool pre-pool; MAC authentication must be enabled in the domain
Authentication domain | Domain jg, bound to authentication scheme authen, accounting scheme acc, RADIUS server group radius and address pool jiaoshi
BAS interface
  • BAS interface GE 1/1/1.1101
  • Interface type: Layer 2 common user interface; pre-authentication domain mac; post-authentication domain jg
  • Authentication method: web authentication

Table 2-138 DAA parameter plan

Parameter | Value
DAA enabling | Enable the value-added service function globally
AAA schemes | Same as the AAA schemes in the IPoE access parameter plan
RADIUS server | Same as the RADIUS server in the IPoE access parameter plan
Web server | Same as the web server in the IPoE access parameter plan
Address pools | Same as the address pools in the IPoE access parameter plan
User groups
  • User group pre-web, which prevents users in the pre-authentication domain from accessing the network
  • User group xuesheng, representing students
  • User group jiaoshi, representing teachers
  • User group shangye, representing commercial account users

Note:

A user group (user-group) can be configured in three ways:

  • In a domain.
  • In a DAA service policy template.
  • Delivered by the RADIUS server.

Of these, the user group configured in the DAA service policy template has the highest priority, the user group delivered by the RADIUS server the next highest, and the user group configured in the domain the lowest. In this example, the user group is delivered by the RADIUS server.

Pre-authentication domain | Same as the pre-authentication domain in the IPoE access parameter plan
UCL rules | UCL rules that redirect users in the pre-authentication domain to the web authentication page
  • UCL 6010: allows access to the authentication, authorization, accounting, web and DNS servers
  • UCL 6011: matches online users in user group pre-web and redirects them to the web authentication page
  • UCL 6003: allows teachers to access the campus intranet and the RADIUS, web, DNS and other servers
  • UCL 6005: allows students to access the campus intranet and the RADIUS, web, DNS and other servers
  • UCL 6001: allows students and teachers using commercial accounts to access the campus intranet, the external networks, and the RADIUS, web, DNS and other servers
QoS profiles | QoS profiles 10M, 20M and 50M
DAA service policies
  • DAA service policy names: 10M, 20M, 50M
  • Accounting mode: no accounting
  • DAA service separation enabled
  • DAA tariff level 1, bound to QoS profile 10M, 20M or 50M respectively
Authentication domains
  • Domain xs, bound to authentication scheme authen, accounting scheme acc, RADIUS server group radius, address pool xuesheng, DAA accounting mode no accounting, and DAA service policy 10M
  • Domain jg, bound to authentication scheme authen, accounting scheme acc, RADIUS server group radius, address pool jiaoshi, DAA accounting mode no accounting, and DAA service policy 20M

Note:

The DAA service policy 50M is delivered by the RADIUS server.

BAS interfaces | Same as the BAS interfaces in the IPoE access parameter plan
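The note on the pre-authentication domain under Table 2-135 and the user-group priority note in Table 2-138 together decide what an individual packet experiences on the ME60. The following Python model is an editor's addition, not part of the original configuration or of any vendor software: it encodes UCL 6010/6011 and traffic-policy-1 as the plan and the later configuration steps describe them, resolves the effective user group by the stated priority (DAA service policy template, then RADIUS, then domain), and reports the behaviour a packet receives. Server addresses come from the plan; the destination 198.51.100.7 used in the tests is constructed.

```python
# Constructed model of the walled garden on the ME60.
# Rule tuple: (protocol, source user group, destination host or None, destination port or None).
# A protocol of "ip" matches any transport protocol, as "permit ip" does in the UCL.
UCL_RULES = {
    6010: [("ip", "pre-web", "192.168.10.2", None),    # DNS server
           ("ip", "pre-web", "192.168.10.53", None),   # web authentication server
           ("ip", "pre-web", "192.168.10.55", None),   # RADIUS auth/acct/authorization
           ("ip", "pre-web", "192.168.10.241", None),  # second RADIUS authorization server
           ("ip", "pre-web", "10.255.57.5", None)],    # second DNS server
    6011: [("tcp", "pre-web", None, 80),
           ("tcp", "pre-web", None, 8080),
           ("ip", "pre-web", None, None)],
}
# Classifier/behaviour pairs in the order they are bound in traffic-policy-1; first match wins.
TRAFFIC_POLICY = [(6010, "permit"), (6011, "http-redirect")]


def effective_user_group(domain_group, radius_group=None, daa_template_group=None):
    """Resolve the user group by the priority the plan's note gives: DAA service
    policy template first, then the group delivered by RADIUS, then the domain's own."""
    for group in (daa_template_group, radius_group, domain_group):
        if group:
            return group
    return None


def rule_matches(rule, group, proto, dst, dport):
    r_proto, r_group, r_dst, r_port = rule
    return (r_group == group
            and (r_proto == "ip" or r_proto == proto)
            and (r_dst is None or r_dst == dst)
            and (r_port is None or r_port == dport))


def policy_action(group, proto, dst, dport=None):
    """Behaviour that traffic-policy-1 applies to a packet. 'forward' means no
    classifier matched, so the packet is not subject to this policy at all."""
    for acl, behaviour in TRAFFIC_POLICY:
        if any(rule_matches(r, group, proto, dst, dport) for r in UCL_RULES[acl]):
            return behaviour
    return "forward"


def session_action(domain_group, radius_group, proto, dst, dport=None,
                   daa_template_group=None):
    """Outcome for a packet of a user whose group is resolved from the three sources."""
    group = effective_user_group(domain_group, radius_group, daa_template_group)
    return policy_action(group, proto, dst, dport)


if __name__ == "__main__":
    print(policy_action("pre-web", "tcp", "192.168.10.53", 50100))   # permit
    print(policy_action("pre-web", "tcp", "198.51.100.7", 80))       # http-redirect
    print(session_action("pre-web", None, "tcp", "198.51.100.7", 80))        # http-redirect
    print(session_action("pre-web", "xuesheng", "tcp", "198.51.100.7", 80))  # forward
```

The last two calls show the consequence of binding user group pre-web in the authentication domains xs and jg: if the RADIUS server does not deliver a user-group attribute for an authenticated user, that user keeps group pre-web and stays inside the walled garden. When authenticated users report being redirected to the portal, the RADIUS authorization profile is the first thing to check.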

Deployment Procedure

Configuring the Access Switches S5735-L

  1. Configure VLANs on access switch S5735-L_A.

    # Create VLANs 2001 to 3000 as the inner VLANs of the wired users in the dormitory area, VLANs 3001 to 3500 as the inner VLANs of the wireless users, VLAN 600 for the dumb terminals, and VLAN 4004 as the AP management VLAN.

    <S5735-L_A> system-view
    [S5735-L_A] vlan batch 600 2001 to 3500 4004

    # Add each downlink interface that connects wired users to its own inner VLAN. This example adds GE0/0/3 to VLAN 2001.

    [S5735-L_A] interface GigabitEthernet 0/0/3
    [S5735-L_A-GigabitEthernet0/0/3] port link-type access
    [S5735-L_A-GigabitEthernet0/0/3] port default vlan 2001
    [S5735-L_A-GigabitEthernet0/0/3] stp edged-port enable
    [S5735-L_A-GigabitEthernet0/0/3] quit

    # Add port GE0/0/4, which connects to an AP, to VLAN 4004 (the management VLAN) and allow the service VLANs and the management VLAN to pass.

    [S5735-L_A] interface GigabitEthernet 0/0/4
    [S5735-L_A-GigabitEthernet0/0/4] port link-type trunk
    [S5735-L_A-GigabitEthernet0/0/4] port trunk pvid vlan 4004
    [S5735-L_A-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
    [S5735-L_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004
    [S5735-L_A-GigabitEthernet0/0/4] port-isolate enable group 1
    [S5735-L_A-GigabitEthernet0/0/4] stp edged-port enable
    [S5735-L_A-GigabitEthernet0/0/4] quit

    # Add port GE0/0/5, which connects to dumb terminals, to VLAN 600.

    [S5735-L_A] interface GigabitEthernet 0/0/5
    [S5735-L_A-GigabitEthernet0/0/5] port link-type access
    [S5735-L_A-GigabitEthernet0/0/5] port default vlan 600
    [S5735-L_A-GigabitEthernet0/0/5] stp edged-port enable
    [S5735-L_A-GigabitEthernet0/0/5] quit

  2. Configure the uplink interface on access switch S5735-L_A to allow all service VLANs and the management VLAN to pass.
    [S5735-L_A] interface GigabitEthernet 0/0/1
    [S5735-L_A-GigabitEthernet0/0/1] port link-type trunk
    [S5735-L_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [S5735-L_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
    [S5735-L_A-GigabitEthernet0/0/1] quit

  3. Configure VLANs on access switch S5735-L_B.

    # Create VLANs 2001 to 3000 as the inner VLANs of the wired users in the faculty office area, VLANs 3001 to 3500 as the inner VLANs of the wireless users, VLAN 600 for the dumb terminals, and VLAN 4004 as the AP management VLAN.

    <S5735-L_B> system-view
    [S5735-L_B] vlan batch 600 2001 to 3500 4004

    # Add each downlink interface that connects wired users to its own inner VLAN. This example adds GE0/0/3 to VLAN 2001.

    [S5735-L_B] interface GigabitEthernet 0/0/3
    [S5735-L_B-GigabitEthernet0/0/3] port link-type access
    [S5735-L_B-GigabitEthernet0/0/3] port default vlan 2001
    [S5735-L_B-GigabitEthernet0/0/3] stp edged-port enable
    [S5735-L_B-GigabitEthernet0/0/3] quit

    # Add port GE0/0/4, which connects to an AP, to VLAN 4004 (the management VLAN) and allow the service VLANs and the management VLAN to pass.

    [S5735-L_B] interface GigabitEthernet 0/0/4
    [S5735-L_B-GigabitEthernet0/0/4] port link-type trunk
    [S5735-L_B-GigabitEthernet0/0/4] port trunk pvid vlan 4004
    [S5735-L_B-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
    [S5735-L_B-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004
    [S5735-L_B-GigabitEthernet0/0/4] port-isolate enable group 1
    [S5735-L_B-GigabitEthernet0/0/4] stp edged-port enable
    [S5735-L_B-GigabitEthernet0/0/4] quit

    # Add port GE0/0/5, which connects to dumb terminals, to VLAN 600.

    [S5735-L_B] interface GigabitEthernet 0/0/5
    [S5735-L_B-GigabitEthernet0/0/5] port link-type access
    [S5735-L_B-GigabitEthernet0/0/5] port default vlan 600
    [S5735-L_B-GigabitEthernet0/0/5] stp edged-port enable
    [S5735-L_B-GigabitEthernet0/0/5] quit

  4. Configure the uplink interface on access switch S5735-L_B to allow all service VLANs and the management VLAN to pass.
    [S5735-L_B] interface GigabitEthernet 0/0/1
    [S5735-L_B-GigabitEthernet0/0/1] port link-type trunk
    [S5735-L_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [S5735-L_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
    [S5735-L_B-GigabitEthernet0/0/1] quit

Configuring the Aggregation Switches S6730-H

  1. Configure VLANs on aggregation switch S6730-H_A.

    # Create VLANs 101 to 200 as the outer VLANs of the wired users in the dormitory area, VLANs 1601 to 1800 as the outer VLANs of the wireless users, VLAN 600 for the dumb terminals, and VLAN 4004 as the AP management VLAN.

    <S6730-H_A> system-view
    [S6730-H_A] vlan batch 101 to 200 600 1601 to 1800 4004

    # On each downlink interface, configure the outer VLANs for wired and wireless users, using a different VLAN per interface, and also allow the AP management VLAN and the dumb terminal VLAN to pass. This example uses XGE1/0/1, with outer VLAN 101 for wired users and outer VLAN 1601 for wireless users.

    [S6730-H_A] interface XGigabitEthernet 1/0/1
    [S6730-H_A-XGigabitEthernet1/0/1] port link-type hybrid
    [S6730-H_A-XGigabitEthernet1/0/1] undo port hybrid vlan 1
    [S6730-H_A-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
    [S6730-H_A-XGigabitEthernet1/0/1] port hybrid untagged vlan 101 1601
    [S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 101
    [S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
    [S6730-H_A-XGigabitEthernet1/0/1] quit

  2. Configure the uplink interface on aggregation switch S6730-H_A to allow all service VLANs and the management VLAN to pass.
    [S6730-H_A] interface XGigabitEthernet 3/0/0
    [S6730-H_A-XGigabitEthernet3/0/0] port link-type trunk
    [S6730-H_A-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
    [S6730-H_A-XGigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
    [S6730-H_A-XGigabitEthernet3/0/0] quit

  3. Configure VLANs on aggregation switch S6730-H_B.

    # Create VLANs 201 to 400 as the outer VLANs of the wired users in the faculty office area, VLANs 1801 to 2000 as the outer VLANs of the wireless users, VLAN 600 for the dumb terminals, and VLAN 4004 as the AP management VLAN.

    <S6730-H_B> system-view
    [S6730-H_B] vlan batch 201 to 400 600 1801 to 2000 4004

    # On each downlink interface, configure the outer VLANs for wired and wireless users, using a different VLAN per interface, and also allow the AP management VLAN and the dumb terminal VLAN to pass. This example uses XGE1/0/1, with outer VLAN 201 for wired users and outer VLAN 1801 for wireless users.

    [S6730-H_B] interface XGigabitEthernet 1/0/1
    [S6730-H_B-XGigabitEthernet1/0/1] port link-type hybrid
    [S6730-H_B-XGigabitEthernet1/0/1] undo port hybrid vlan 1
    [S6730-H_B-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
    [S6730-H_B-XGigabitEthernet1/0/1] port hybrid untagged vlan 201 1801
    [S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 201
    [S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
    [S6730-H_B-XGigabitEthernet1/0/1] quit

  4. Configure the uplink interface on aggregation switch S6730-H_B to allow all service VLANs and the management VLAN to pass.
    [S6730-H_B] interface XGigabitEthernet 3/0/0
    [S6730-H_B-XGigabitEthernet3/0/0] port link-type trunk
    [S6730-H_B-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
    [S6730-H_B-XGigabitEthernet3/0/0] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
    [S6730-H_B-XGigabitEthernet3/0/0] quit

Configuring the Core Switch S12700E-8

  1. Set the NAC mode to unified mode so that users can access the network normally.
    <S12700E-8> system-view
    [S12700E-8] authentication unified-mode

    The device works in unified mode by default. Run the display authentication mode command to check the current authentication mode. Switching between common mode and unified mode restarts the device automatically.

  2. Create the VLANs: VLANs 101 to 400 as the outer VLANs of the wired users, 1601 to 2000 as the outer VLANs of the wireless users, 3001 to 3500 as the wireless service VLANs, 600 for the dumb terminals, 4004 as the AP management VLAN, and 4010 for the link to the ME60.
    [S12700E-8] vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010

  3. Add the uplink and downlink interfaces to the VLANs.

    # Configure the downlink interfaces. XGE4/0/1 connects to S6730-H_A (outer VLANs 101 to 200 and 1601 to 1800), XGE4/0/2 to S6730-H_B (outer VLANs 201 to 400 and 1801 to 2000).

    [S12700E-8] interface XGigabitEthernet 4/0/1
    [S12700E-8-XGigabitEthernet4/0/1] port link-type trunk
    [S12700E-8-XGigabitEthernet4/0/1] undo port trunk allow-pass vlan 1
    [S12700E-8-XGigabitEthernet4/0/1] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
    [S12700E-8-XGigabitEthernet4/0/1] port-isolate enable group 1
    [S12700E-8-XGigabitEthernet4/0/1] quit
    [S12700E-8] interface XGigabitEthernet 4/0/2
    [S12700E-8-XGigabitEthernet4/0/2] port link-type trunk
    [S12700E-8-XGigabitEthernet4/0/2] undo port trunk allow-pass vlan 1
    [S12700E-8-XGigabitEthernet4/0/2] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
    [S12700E-8-XGigabitEthernet4/0/2] port-isolate enable group 1
    [S12700E-8-XGigabitEthernet4/0/2] quit

    # Configure the uplink interface to the ME60.

    [S12700E-8] interface XGigabitEthernet 5/0/7
    [S12700E-8-XGigabitEthernet5/0/7] port link-type trunk
    [S12700E-8-XGigabitEthernet5/0/7] undo port trunk allow-pass vlan 1
    [S12700E-8-XGigabitEthernet5/0/7] port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
    [S12700E-8-XGigabitEthernet5/0/7] quit

  4. Configure the interface IP addresses.
    [S12700E-8] interface Vlanif 4010
    [S12700E-8-Vlanif4010] ip address 172.16.11.13 30
    [S12700E-8-Vlanif4010] quit
    [S12700E-8] interface LoopBack0
    [S12700E-8-LoopBack0] ip address 172.16.10.4 32
    [S12700E-8-LoopBack0] quit

  5. Configure static routes; the next hop toward the firewalls and the ME60 is 172.16.11.14.
    [S12700E-8] ip route-static 172.16.10.1 32 172.16.11.14
    [S12700E-8] ip route-static 172.16.10.2 32 172.16.11.14
    [S12700E-8] ip route-static 172.16.10.3 32 172.16.11.14

  6. Configure the S12700E-8 as a DHCP server to assign IP addresses to the APs.

    # Configure a DHCP server based on an interface address pool; VLANIF4004 assigns IP addresses to the APs.

    [S12700E-8] dhcp enable
    [S12700E-8] interface Vlanif4004
    [S12700E-8-Vlanif4004] ip address 10.250.0.1 20
    [S12700E-8-Vlanif4004] arp-proxy enable
    [S12700E-8-Vlanif4004] arp-proxy inner-sub-vlan-proxy enable
    [S12700E-8-Vlanif4004] dhcp select interface
    [S12700E-8-Vlanif4004] quit

    # Configure the source interface of the AC.

    [S12700E-8] capwap source interface vlanif4004

  7. Bring the APs online.

    # Create an AP group so that APs sharing the same configuration can be added to it.

    [S12700E-8] wlan
    [S12700E-8-wlan-view] ap-group name ap-group1
    [S12700E-8-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the country code of the AC in it, and bind the profile to the AP group.

    [S12700E-8-wlan-view] regulatory-domain-profile name domain1
    [S12700E-8-wlan-regulate-domain-domain1] country-code cn
    [S12700E-8-wlan-regulate-domain-domain1] quit
    [S12700E-8-wlan-view] ap-group name ap-group1
    [S12700E-8-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [S12700E-8-wlan-ap-group-ap-group1] quit

    # Import the APs offline and add them to AP group ap-group1. Name each AP after its deployment location so that the location can be read from the name. For example, the AP with MAC address 00e0-fc76-e360 is deployed in area 1 and is named area_1.

    [S12700E-8-wlan-view] ap auth-mode mac-auth
    [S12700E-8-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
    [S12700E-8-wlan-ap-0] ap-name area_1
    [S12700E-8-wlan-ap-0] ap-group ap-group1
    [S12700E-8-wlan-ap-0] quit

    # Power on the APs and run display ap all. When the State field of an AP shows nor, the AP has gone online normally.

    [S12700E-8-wlan-view] display ap all
    Info: This operation may take a few seconds. Please wait for a moment.done.
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    -----------------------------------------------------------------------------------------------------------------------
    ID   MAC            Name           Group     IP            Type            State STA Uptime        ExtraInfo
    -----------------------------------------------------------------------------------------------------------------------
    0    00e0-fc76-e360 area_1      ap-group1 10.250.12.109    AP4050DN        nor   0   1D:0H:34M:33S -
    -----------------------------------------------------------------------------------------------------------------------
    Total: 1

  8. Configure the WLAN service parameters.

    # Create a security profile named wlan-security and set its security policy to open.

    [S12700E-8-wlan-view] security-profile name wlan-security
    [S12700E-8-wlan-sec-prof-wlan-security] security open
    [S12700E-8-wlan-sec-prof-wlan-security] quit

    # Create an SSID profile named wlan-ssid and set the SSID to wlan-net.

    [S12700E-8-wlan-view] ssid-profile name wlan-ssid
    [S12700E-8-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [S12700E-8-wlan-ssid-prof-wlan-ssid] quit

    # Create a traffic profile named new-vap-traffic-1 and set the user isolation mode to Layer 2 isolation with Layer 3 connectivity.

    [S12700E-8-wlan-view] traffic-profile name new-vap-traffic-1
    [S12700E-8-wlan-traffic-prof-new-vap-traffic-1] user-isolate l2
    [S12700E-8-wlan-traffic-prof-new-vap-traffic-1] quit

    # Create a VAP profile named wlan-vap, configure the data forwarding mode and the service VLAN, and bind the security profile, SSID profile and traffic profile.

    [S12700E-8-wlan-view] vap-profile name wlan-vap
    [S12700E-8-wlan-vap-prof-wlan-vap] forward-mode direct-forward
    [S12700E-8-wlan-vap-prof-wlan-vap] service-vlan vlan-id 3001
    [S12700E-8-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [S12700E-8-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [S12700E-8-wlan-vap-prof-wlan-vap] traffic-profile new-vap-traffic-1
    [S12700E-8-wlan-vap-prof-wlan-vap] quit

    # Bind the VAP profile to the AP group so that both radio 0 and radio 1 of the APs use VAP profile wlan-vap.

    [S12700E-8-wlan-view] ap-group name ap-group1
    [S12700E-8-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [S12700E-8-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [S12700E-8-wlan-ap-group-ap-group1] quit

  9. Configure the channel and power of the AP radios.

    Automatic channel and power calibration of the radios is enabled by default; unless it is disabled, manual settings do not take effect. The channel and power values in this example are illustrative only; in a real deployment, configure them according to the AP's country code and the network planning result.

    # Disable automatic channel and power calibration, then configure the channel and power of the AP radios.

    [S12700E-8-wlan-view] rrm-profile name default
    [S12700E-8-wlan-rrm-prof-default] calibrate auto-channel-select disable
    [S12700E-8-wlan-rrm-prof-default] calibrate auto-txpower-select disable
    [S12700E-8-wlan-rrm-prof-default] quit
    [S12700E-8-wlan-view] ap-id 0
    [S12700E-8-wlan-ap-0] radio 0
    [S12700E-8-wlan-radio-0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [S12700E-8-wlan-radio-0/0] eirp 127
    [S12700E-8-wlan-radio-0/0] quit
    [S12700E-8-wlan-ap-0] radio 1
    [S12700E-8-wlan-radio-0/1] channel 20mhz 149
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [S12700E-8-wlan-radio-0/1] eirp 127
    [S12700E-8-wlan-radio-0/1] quit
    [S12700E-8-wlan-ap-0] quit

Configuring the ME60

  1. Configure the interface IP addresses.
    <ME60> system-view
    [~ME60] interface gigabitethernet 1/0/1
    [~ME60-GigabitEthernet1/0/1] ip address 172.16.11.6 255.255.255.252
    [*ME60-GigabitEthernet1/0/1] undo shutdown
    [*ME60-GigabitEthernet1/0/1] commit
    [~ME60-GigabitEthernet1/0/1] quit
    [~ME60] interface gigabitethernet 1/0/2
    [~ME60-GigabitEthernet1/0/2] ip address 172.16.11.10 255.255.255.252
    [*ME60-GigabitEthernet1/0/2] undo shutdown
    [*ME60-GigabitEthernet1/0/2] commit
    [~ME60-GigabitEthernet1/0/2] quit
    [~ME60] interface gigabitethernet 1/1/1.4010
    [*ME60-GigabitEthernet1/1/1.4010] vlan-type dot1q 4010
    [*ME60-GigabitEthernet1/1/1.4010] ip address 172.16.11.14 255.255.255.252
    [*ME60-GigabitEthernet1/1/1.4010] commit
    [~ME60-GigabitEthernet1/1/1.4010] quit
    [~ME60] interface LoopBack0
    [*ME60-LoopBack0] ip address 172.16.10.3 32
    [*ME60-LoopBack0] commit
    [~ME60-LoopBack0] quit

  2. Configure the static routes: host routes to the firewall loopbacks and to the S12700-8 loopback, plus the two default routes toward the firewalls planned in Table 2-134.
    [~ME60] ip route-static 172.16.10.1 255.255.255.255 172.16.11.5
    [*ME60] ip route-static 172.16.10.2 255.255.255.255 172.16.11.9
    [*ME60] ip route-static 172.16.10.4 255.255.255.255 172.16.11.13
    [*ME60] ip route-static 0.0.0.0 0.0.0.0 172.16.11.5
    [*ME60] ip route-static 0.0.0.0 0.0.0.0 172.16.11.9
    [*ME60] commit

  3. Configure IPoE access to authenticate the wireless student and teacher users of the campus network. As the gateway authentication device, the ME60 assigns a private IP address to each wireless user once authentication succeeds and can specify the user's access permissions. External networks can be reached only after web authentication succeeds.
    1. Configure the AAA schemes.

      # Configure the authentication schemes: authen authenticates through RADIUS, and none performs no authentication (used by the pre-authentication domain).

      [~ME60] aaa
      [~ME60-aaa] http-redirect enable
      [*ME60-aaa] authentication-scheme authen
      [*ME60-aaa-authen-authen] authentication-mode radius
      [*ME60-aaa-authen-authen] commit
      [~ME60-aaa-authen-authen] quit
      [~ME60-aaa] authentication-scheme none
      [*ME60-aaa-authen-none] authentication-mode none
      [*ME60-aaa-authen-none] commit
      [~ME60-aaa-authen-none] quit

      # Configure the accounting schemes: acc sends RADIUS accounting with interim updates every 15 minutes, and none performs no accounting (used by the pre-authentication domain).

      [~ME60-aaa] accounting-scheme acc
      [*ME60-aaa-accounting-acc] accounting-mode radius
      [*ME60-aaa-accounting-acc] accounting interim interval 15
      [*ME60-aaa-accounting-acc] commit
      [~ME60-aaa-accounting-acc] quit
      [~ME60-aaa] accounting-scheme none
      [*ME60-aaa-accounting-none] accounting-mode none
      [*ME60-aaa-accounting-none] commit
      [~ME60-aaa-accounting-none] quit
      [~ME60-aaa] quit
    2. Configure the RADIUS server group. The authentication and accounting servers are both 192.168.10.55, as planned in Table 2-135.
      [~ME60] radius-server source interface LoopBack0
      [~ME60] radius-server group radius
      [*ME60-radius-radius] radius-server authentication 192.168.10.55 1812 weight 0
      [*ME60-radius-radius] radius-server accounting 192.168.10.55 1813 weight 0
      [*ME60-radius-radius] radius-server type standard
      [*ME60-radius-radius] radius-server shared-key-cipher %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$
      [*ME60-radius-radius] commit
      [~ME60-radius-radius] quit
    3. Configure the RADIUS authorization servers.
      [~ME60] radius-server authorization 192.168.10.55 shared-key-cipher YsHsjx_202206
      [~ME60] radius-server authorization 192.168.10.241 shared-key-cipher YsHsjx_202206
    4. Configure the web authentication server.
      [~ME60] web-auth-server source interface LoopBack0
      [~ME60] web-auth-server 192.168.10.53 port 50100 key cipher YsHsjx_202206
    5. Configure the address pools.

      # Configure address pool xuesheng.

      [~ME60] ip pool xuesheng bas local
      [*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
      [*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
      [*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5
      [*ME60-ip-pool-xuesheng] lease 0 12 0
      [*ME60-ip-pool-xuesheng] commit
      [~ME60-ip-pool-xuesheng] quit

      # Configure address pool pre-pool, which the pre-authentication domain pre-authen uses.

      [~ME60] ip pool pre-pool bas local
      [*ME60-ip-pool-pre-pool] gateway 10.253.0.1 255.255.128.0
      [*ME60-ip-pool-pre-pool] section 0 10.253.0.2 10.253.127.254
      [*ME60-ip-pool-pre-pool] dns-server 192.168.10.2 10.255.57.5
      [*ME60-ip-pool-pre-pool] lease 0 12 0
      [*ME60-ip-pool-pre-pool] commit
      [~ME60-ip-pool-pre-pool] quit

      # Configure address pool jiaoshi.

      [~ME60] ip pool jiaoshi bas local
      [*ME60-ip-pool-jiaoshi] gateway 10.254.128.1 255.255.128.0
      [*ME60-ip-pool-jiaoshi] section 0 10.254.128.2 10.254.255.254
      [*ME60-ip-pool-jiaoshi] excluded-ip-address 10.254.128.2 10.254.129.254
      [*ME60-ip-pool-jiaoshi] dns-server 192.168.10.2 10.255.57.5
      [*ME60-ip-pool-jiaoshi] lease 0 12 0
      [*ME60-ip-pool-jiaoshi] commit
      [~ME60-ip-pool-jiaoshi] quit
    6. Configure user group pre-web.
      [~ME60] user-group pre-web
      [~ME60] user-group pre-web
    7. Configure the domains.

      # Configure domain pre-authen as the pre-authentication domain for web authentication.

      [~ME60] aaa
      [~ME60-aaa] domain pre-authen
      [*ME60-aaa-domain-pre-authen] user-group pre-web
      [*ME60-aaa-domain-pre-authen] authentication-scheme none
      [*ME60-aaa-domain-pre-authen] accounting-scheme none
      [*ME60-aaa-domain-pre-authen] ip-pool pre-pool
      [*ME60-aaa-domain-pre-authen] web-server 192.168.10.53
      [*ME60-aaa-domain-pre-authen] web-server url http://192.168.10.53/help/help.html
      [*ME60-aaa-domain-pre-authen] commit
      [~ME60-aaa-domain-pre-authen] quit

      # Configure domain xs as an authentication domain for web authentication. The DAA service policy name must match the policy planned in Table 2-138 (10M).

      [~ME60-aaa] domain xs
      [*ME60-aaa-domain-xs] user-group pre-web
      [*ME60-aaa-domain-xs] authentication-scheme authen
      [*ME60-aaa-domain-xs] accounting-scheme acc
      [*ME60-aaa-domain-xs] ip-pool xuesheng
      [*ME60-aaa-domain-xs] value-added-service account-type none
      [*ME60-aaa-domain-xs] value-added-service policy 10M
      [*ME60-aaa-domain-xs] radius-server group radius
      [*ME60-aaa-domain-xs] quota-out online
      [*ME60-aaa-domain-xs] commit
      [~ME60-aaa-domain-xs] quit

      # Configure domain jg as an authentication domain for web authentication, bound to DAA service policy 20M.

      [~ME60-aaa] domain jg
      [*ME60-aaa-domain-jg] user-group pre-web
      [*ME60-aaa-domain-jg] authentication-scheme authen
      [*ME60-aaa-domain-jg] accounting-scheme acc
      [*ME60-aaa-domain-jg] ip-pool jiaoshi
      [*ME60-aaa-domain-jg] value-added-service account-type none
      [*ME60-aaa-domain-jg] value-added-service policy 20M
      [*ME60-aaa-domain-jg] radius-server group radius
      [*ME60-aaa-domain-jg] quota-out online
      [*ME60-aaa-domain-jg] commit
      [~ME60-aaa-domain-jg] quit
      [~ME60-aaa] quit
    8. Configure the UCLs.

      # UCL 6010 lets users in group pre-web reach only the DNS servers (192.168.10.2, 10.255.57.5), the web authentication server (192.168.10.53) and the RADIUS servers (192.168.10.55, 192.168.10.241). UCL 6011 matches all remaining traffic from pre-web; the traffic policy redirects it to the web authentication page.

      [~ME60] acl 6010
      [*ME60-acl-ucl-6010] rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
      [*ME60-acl-ucl-6010] rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
      [*ME60-acl-ucl-6010] rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
      [*ME60-acl-ucl-6010] rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
      [*ME60-acl-ucl-6010] rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
      [*ME60-acl-ucl-6010] commit
      [~ME60-acl-ucl-6010] quit
      [~ME60] acl 6011
      [*ME60-acl-ucl-6011] rule 5 permit tcp source user-group pre-web destination-port eq www
      [*ME60-acl-ucl-6011] rule 10 permit tcp source user-group pre-web destination-port eq 8080
      [*ME60-acl-ucl-6011] rule 20 permit ip source user-group pre-web
      [*ME60-acl-ucl-6011] commit
      [~ME60-acl-ucl-6011] quit
    9. Configure the traffic policy. Classifier 6010 is bound before classifier 6011, so traffic to the permitted servers is matched first and everything else from pre-web is redirected.
      [~ME60] traffic classifier 6010 operator or
      [*ME60-classifier-6010] if-match acl 6010
      [*ME60-classifier-6010] commit
      [~ME60-classifier-6010] quit
      [~ME60] traffic classifier 6011 operator or
      [*ME60-classifier-6011] if-match acl 6011
      [*ME60-classifier-6011] commit
      [~ME60-classifier-6011] quit
      [~ME60] traffic behavior 6010
      [*ME60-behavior-6010] permit
      [*ME60-behavior-6010] commit
      [~ME60-behavior-6010] quit
      [~ME60] traffic behavior 6011
      [*ME60-behavior-6011] http-redirect
      [*ME60-behavior-6011] commit
      [~ME60-behavior-6011] quit
      [~ME60] traffic policy traffic-policy-1
      [*ME60-trafficpolicy-traffic-policy-1] share-mode
      [*ME60-trafficpolicy-traffic-policy-1] classifier 6010 behavior 6010
      [*ME60-trafficpolicy-traffic-policy-1] classifier 6011 behavior 6011
      [*ME60-trafficpolicy-traffic-policy-1] commit
      [~ME60-trafficpolicy-traffic-policy-1] quit
      [~ME60] traffic-policy traffic-policy-1 inbound
      [*ME60] traffic-policy traffic-policy-1 outbound
      [*ME60] commit
    10. Configure the BAS interfaces. Each sub-interface terminates the QinQ user VLANs of one area (inner 3001 to 3500 with outer 1601 to 1800 for the dormitory area, outer 1801 to 2000 for the office area).
      [~ME60] interface gigabitethernet1/1/1.1001
      [*ME60-GigabitEthernet1/1/1.1001] description xuesheng-web
      [*ME60-GigabitEthernet1/1/1.1001] user-vlan 3001 3500 qinq 1601 1800
      [*ME60-GigabitEthernet1/1/1.1001-vlan-3001-3500-QinQ-1601-1800] quit
      [*ME60-GigabitEthernet1/1/1.1001] bas
      [*ME60-GigabitEthernet1/1/1.1001-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
      [*ME60-GigabitEthernet1/1/1.1001-bas] dhcp session-mismatch action offline
      [*ME60-GigabitEthernet1/1/1.1001-bas] authentication-method web
      [*ME60-GigabitEthernet1/1/1.1001-bas] commit
      [~ME60-GigabitEthernet1/1/1.1001-bas] quit
      [~ME60-GigabitEthernet1/1/1.1001] quit
      [~ME60] interface gigabitethernet1/1/1.1003
      [*ME60-GigabitEthernet1/1/1.1003] description jiaoshi-web
      [*ME60-GigabitEthernet1/1/1.1003] user-vlan 3001 3500 qinq 1801 2000
      [*ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] commit
      [~ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] quit
      [~ME60-GigabitEthernet1/1/1.1003] bas
      [*ME60-GigabitEthernet1/1/1.1003-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
      [*ME60-GigabitEthernet1/1/1.1003-bas] dhcp session-mismatch action offline
      [*ME60-GigabitEthernet1/1/1.1003-bas] authentication-method web
      [*ME60-GigabitEthernet1/1/1.1003-bas] commit
      [~ME60-GigabitEthernet1/1/1.1003-bas] quit
      [~ME60-GigabitEthernet1/1/1.1003] quit

  4. 配置PPPoE接入,为校园网学生、教师有线用户提供PPPoE接入认证。ME60作为网关认证设备,将用户的账号、密码发送到Radius服务器进行认证,认证通过后分配IP地址。以学生PPPoE接入为例,配置方法如下(此处仅介绍PPPoE接入相关配置,AAA方案、Radius服务器和认证域配置,请参见IPoE接入的配置)。
    1. Configure the address pools.
      # Configure the address pool xuesheng.
      [~ME60] ip pool xuesheng bas local 
      [*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
      [*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
      [*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5 
      [*ME60-ip-pool-xuesheng] lease 0 12 0
      [*ME60-ip-pool-xuesheng] commit
      [~ME60-ip-pool-xuesheng] quit

      # Configure the address pool pre-ppp.

      [~ME60] ip pool pre-ppp bas local 
      [*ME60-ip-pool-pre-ppp] gateway 10.253.128.1 255.255.128.0
      [*ME60-ip-pool-pre-ppp] section 0 10.253.128.2 10.253.255.254
      [*ME60-ip-pool-pre-ppp] dns-server 192.168.10.2 10.255.57.5 
      [*ME60-ip-pool-pre-ppp] lease 0 12 0
      [*ME60-ip-pool-pre-ppp] commit
      [~ME60-ip-pool-pre-ppp] quit
    2. Configure the user group pre-ppp.
      [~ME60] user-group pre-ppp
    3. Configure the pre-authentication domain pre-ppp. Users in this domain are neither authenticated nor accounted (authentication-scheme none), get addresses from pool pre-ppp, are placed in user-group pre-ppp, and are pointed at the portal on 192.168.10.55.
      [~ME60] aaa
      [~ME60-aaa] domain pre-ppp
      [*ME60-aaa-domain-pre-ppp] user-group pre-ppp 
      [*ME60-aaa-domain-pre-ppp] authentication-scheme none
      [*ME60-aaa-domain-pre-ppp] accounting-scheme none
      [*ME60-aaa-domain-pre-ppp] ip-pool pre-ppp
      [*ME60-aaa-domain-pre-ppp] web-server 192.168.10.55
      [*ME60-aaa-domain-pre-ppp] web-server url http://192.168.10.55/help/help.html
      [*ME60-aaa-domain-pre-ppp] commit
      [~ME60-aaa-domain-pre-ppp] quit
      [~ME60-aaa] quit
    4. Configure the UCL rules. ACL 6012 whitelists the hosts a pre-authentication user may reach (the portal 192.168.10.55, 192.168.10.53 and the DNS server 192.168.10.2); ACL 6013 matches the remaining HTTP traffic (TCP 80 and 8080) for redirection and denies everything else from user-group pre-ppp.
      [~ME60] acl 6012 
      [*ME60-acl-ucl-6012] rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0 
      [*ME60-acl-ucl-6012] rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0 
      [*ME60-acl-ucl-6012] rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0 
      [*ME60-acl-ucl-6012] commit
      [~ME60-acl-ucl-6012] quit
      [~ME60] acl 6013
      [*ME60-acl-ucl-6013] rule 5 permit tcp source user-group pre-ppp destination-port eq www
      [*ME60-acl-ucl-6013] rule 10 permit tcp source user-group pre-ppp destination-port eq 8080 
      [*ME60-acl-ucl-6013] rule 20 deny ip source user-group pre-ppp
      [*ME60-acl-ucl-6013] commit
      [~ME60-acl-ucl-6013] quit
    5. Configure the traffic policy. Classifier 6012 (behavior permit) is bound before classifier 6013 (behavior http-redirect), so traffic to the whitelisted hosts is passed, other HTTP traffic is redirected to the portal, and the deny rule in ACL 6013 drops all remaining pre-authentication traffic; the binding order must not be reversed, or the portal's own HTTP traffic would be redirected as well.
      [~ME60] traffic classifier 6012 operator or
      [*ME60-classifier-6012] if-match acl 6012 
      [*ME60-classifier-6012] commit 
      [~ME60-classifier-6012] quit
      [~ME60] traffic classifier 6013 operator or
      [*ME60-classifier-6013] if-match acl 6013
      [*ME60-classifier-6013] commit 
      [~ME60-classifier-6013] quit
      [~ME60] traffic behavior 6012
      [*ME60-behavior-6012] permit
      [*ME60-behavior-6012] commit
      [~ME60-behavior-6012] quit
      [~ME60] traffic behavior 6013
      [*ME60-behavior-6013] http-redirect
      [*ME60-behavior-6013] commit
      [~ME60-behavior-6013] quit
      [~ME60] traffic policy traffic-policy-1  
      [*ME60-trafficpolicy-traffic-policy-1] share-mode
      [*ME60-trafficpolicy-traffic-policy-1] classifier 6012 behavior 6012
      [*ME60-trafficpolicy-traffic-policy-1] classifier 6013 behavior 6013
      [*ME60-trafficpolicy-traffic-policy-1] commit
      [~ME60-trafficpolicy-traffic-policy-1] quit
      [~ME60] traffic-policy traffic-policy-1 inbound
      [~ME60] traffic-policy traffic-policy-1 outbound
    6. Configure the virtual template interface.
      [~ME60] interface virtual-template 1
      [*ME60-Virtual-Template1] ppp authentication-mode auto
      [*ME60-Virtual-Template1] commit
      [~ME60-Virtual-Template1] quit
    7. Configure the access sub-interface, bind the PPPoE server to the virtual template, and specify the user VLANs (inner VLANs 2001 to 3000 inside outer VLANs 101 to 200).
      [~ME60] interface GigabitEthernet1/1/1.1000
      [*ME60-GigabitEthernet1/1/1.1000] pppoe-server bind virtual-template 1
      [*ME60-GigabitEthernet1/1/1.1000] description xuesheng-ppp 
      [*ME60-GigabitEthernet1/1/1.1000] user-vlan 2001 3000 qinq 101 200
      [*ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] commit
      [~ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] quit
    8. Configure the BAS interface. Users come online in the pre-authentication domain pre-ppp and are authenticated in domain xs; both PPP and web authentication are enabled on the interface.
      [~ME60-GigabitEthernet1/1/1.1000] bas
      [*ME60-GigabitEthernet1/1/1.1000-bas] access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
      [*ME60-GigabitEthernet1/1/1.1000-bas] dhcp session-mismatch action offline
      [*ME60-GigabitEthernet1/1/1.1000-bas] authentication-method ppp web
      [*ME60-GigabitEthernet1/1/1.1000-bas] commit
      [~ME60-GigabitEthernet1/1/1.1000-bas] quit
      [~ME60-GigabitEthernet1/1/1.1000] quit
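The walled garden built from UCL 6012/6013 and traffic-policy-1 above is easy to get subtly wrong, and the order in which the classifiers are bound matters. The Python model below is an added example, not ME60 code: it encodes the two ACLs and the policy order from this step, evaluates constructed flows (the external host 198.51.100.7 and the protocols and ports are assumptions), and assumes the NE/ME traffic-policy semantics that a matching permit rule executes the bound behavior while a matching deny rule drops the packet.

```python
"""Model of the ME60 pre-authentication walled garden (UCL 6012/6013, traffic-policy-1).

Added example, not ME60 code. Flows below are constructed; ACL semantics assumed:
rules are tried in rule-number order, the first hit decides, a permit hit executes
the classifier's behavior and a deny hit drops the packet.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user_group: str           # user-group of the subscriber sending the packet
    proto: str                # "tcp" or "udp"
    dst: str                  # destination IPv4 address
    dst_port: int


@dataclass(frozen=True)
class UclRule:
    rule_id: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol
    user_group: str           # source user-group
    dst: Optional[str] = None           # destination ip-address
    dst_wildcard: str = "0.0.0.0"       # wildcard mask; the CLI's bare "0" means 0.0.0.0
    dst_port: Optional[int] = None      # destination-port eq

    def matches(self, f: Flow) -> bool:
        if f.user_group != self.user_group:
            return False
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dst is not None:
            # wildcard mask: 0 bits must match, 1 bits are don't-care
            care = ~int(IPv4Address(self.dst_wildcard)) & 0xFFFFFFFF
            if (int(IPv4Address(self.dst)) & care) != (int(IPv4Address(f.dst)) & care):
                return False
        return self.dst_port is None or self.dst_port == f.dst_port


def acl_lookup(rules: List[UclRule], f: Flow) -> Optional[str]:
    """Return the action of the first matching rule, or None if no rule matches."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.matches(f):
            return r.action
    return None


# UCL 6012: hosts a pre-authentication user may reach (portal, 192.168.10.53, DNS).
ACL_6012 = [
    UclRule(5, "permit", "ip", "pre-ppp", dst="192.168.10.55"),
    UclRule(6, "permit", "ip", "pre-ppp", dst="192.168.10.53"),
    UclRule(15, "permit", "ip", "pre-ppp", dst="192.168.10.2"),
]
# UCL 6013: remaining HTTP traffic is redirected, everything else is denied.
ACL_6013 = [
    UclRule(5, "permit", "tcp", "pre-ppp", dst_port=80),
    UclRule(10, "permit", "tcp", "pre-ppp", dst_port=8080),
    UclRule(20, "deny", "ip", "pre-ppp"),
]

Policy = List[Tuple[List[UclRule], str]]
# traffic-policy-1 as bound on the page: classifier 6012 (permit) before 6013 (http-redirect)
TRAFFIC_POLICY_1: Policy = [(ACL_6012, "permit"), (ACL_6013, "http-redirect")]


def evaluate(policy: Policy, f: Flow) -> str:
    """First classifier whose ACL hits decides: permit -> its behavior, deny -> drop."""
    for acl, behavior in policy:
        hit = acl_lookup(acl, f)
        if hit == "permit":
            return behavior
        if hit == "deny":
            return "drop"
    return "no-match"          # not a pre-authentication user: other policies apply


def walled_garden_report(policy: Policy = TRAFFIC_POLICY_1) -> dict:
    """Constructed flows from a user in user-group pre-ppp (198.51.100.7 is an assumed external host)."""
    flows = {
        "portal_http": Flow("pre-ppp", "tcp", "192.168.10.55", 80),
        "dns_query": Flow("pre-ppp", "udp", "192.168.10.2", 53),
        "external_http": Flow("pre-ppp", "tcp", "198.51.100.7", 80),
        "external_dns": Flow("pre-ppp", "udp", "198.51.100.7", 53),
        "external_https": Flow("pre-ppp", "tcp", "198.51.100.7", 443),
        "authenticated_user": Flow("xuesheng", "tcp", "198.51.100.7", 80),
    }
    return {name: evaluate(policy, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in walled_garden_report().items():
        print(f"{name:20s} {verdict}")
    # Binding 6013 first would redirect even the portal's own HTTP traffic (a redirect loop):
    print("portal with 6013 first:",
          evaluate(list(reversed(TRAFFIC_POLICY_1)), Flow("pre-ppp", "tcp", "192.168.10.55", 80)))
```

Two things the model makes visible: HTTPS from a pre-authentication user is dropped rather than redirected (only TCP 80 and 8080 are matched for redirection, so the portal is triggered only by cleartext HTTP), and binding classifier 6013 ahead of 6012 would redirect the portal's own HTTP traffic into a loop.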

  5. Configure MAC authentication for dumb terminals such as printers and fax machines on the campus network. MAC authentication is mainly used to simplify web authentication: once it is configured, a web-authentication user enters the user name and password only on the first authentication, the RADIUS server records the user's MAC address, and on later authentications the RADIUS server authenticates the user by MAC address without prompting for credentials again. Because a MAC address is trivially spoofed, this is a convenience for identification rather than a strong authentication; keep the MAC-authenticated VLAN (VLAN 600 below) to the dumb terminals and to the intranet-only permissions the requirements table gives them. Only the MAC-authentication-specific configuration is shown; for the AAA scheme, RADIUS server, web server, address pool and UCL rules, see the IPoE and PPPoE access configuration.
    1. In the AAA view, use the MAC address carried in the user's connection request directly as the pure user name and set the default password. The authentication scheme mac keeps a user whose MAC authentication fails online in the pre-authentication domain pre-authen, so the user can still complete web authentication.
      [~ME60] aaa
      [~ME60-aaa] default-user-name include mac-address -
      [*ME60-aaa] default-password cipher YsHsjx_202206
      [*ME60-aaa] authentication-scheme mac
      [*ME60-aaa-authen-mac] authening authen-fail online authen-domain pre-authen
      [*ME60-aaa-authen-mac] commit
      [~ME60-aaa-authen-mac] quit
      [~ME60-aaa] quit
    2. Configure the RADIUS server group mac.
      [~ME60] radius-server group mac
      [*ME60-radius-mac] radius-server authentication 192.168.10.55 1812 weight 0
      [*ME60-radius-mac] radius-server accounting 192.168.10.55 1813 weight 0
      [*ME60-radius-mac] radius-server shared-key-cipher YsHsjx_202206
      [*ME60-radius-mac] commit
      [~ME60-radius-mac] quit
    3. In the MAC authentication domain mac, enable MAC authentication and bind the RADIUS server group mac and the authentication scheme mac.
      [~ME60] aaa
      [~ME60-aaa] domain mac
      [*ME60-aaa-domain-mac] radius-server group mac
      [*ME60-aaa-domain-mac] authentication-scheme mac
      [*ME60-aaa-domain-mac] accounting-scheme acc
      [*ME60-aaa-domain-mac] ip-pool pre-pool
      [*ME60-aaa-domain-mac] mac-authentication enable
      [*ME60-aaa-domain-mac] commit
      [~ME60-aaa-domain-mac] quit
      [~ME60-aaa] quit
    4. Configure the pre-authentication domain, the authentication domain and the authentication method on the BAS interface.
      [~ME60] interface GigabitEthernet1/1/1.1101
      [*ME60-GigabitEthernet1/1/1.1101] description mac-web
      [*ME60-GigabitEthernet1/1/1.1101] user-vlan 600
      [*ME60-GigabitEthernet1/1/1.1101-vlan-600-600] commit
      [~ME60-GigabitEthernet1/1/1.1101-vlan-600-600] quit
      [~ME60-GigabitEthernet1/1/1.1101] bas
      [*ME60-GigabitEthernet1/1/1.1101-bas] access-type layer2-subscriber default-domain pre-authentication mac authentication jg 
      [*ME60-GigabitEthernet1/1/1.1101-bas] dhcp session-mismatch action offline 
      [*ME60-GigabitEthernet1/1/1.1101-bas] authentication-method web
      [*ME60-GigabitEthernet1/1/1.1101-bas] commit
      [~ME60-GigabitEthernet1/1/1.1101-bas] quit
      [~ME60-GigabitEthernet1/1/1.1101] quit

  6. Configure DAA (destination address accounting) to treat user traffic differently by destination, with a tariff level and a bandwidth limit per destination for charging and rate control. Student, teacher, commercial and dumb-terminal users get different bandwidth to the campus intranet (for example 10M for students, 20M for teachers and 20M for dumb terminals). Commercial accounts are bound to campus teacher/student accounts, and students and teachers get 50M to the external network. Only the DAA-specific configuration is shown; for the AAA scheme, RADIUS server and web server see the IPoE access configuration. Note that the configuration below binds only classifiers 6003 and 6005 in traffic_policy_daa and applies only the 10m and 20m policies to domains xs and jg; ACL 6001 (user-group shangye) and the 50m policy are defined but not bound here.
    1. Enable value-added services.
      [~ME60] value-added-service enable
    2. Configure the user groups.
      [~ME60] user-group xuesheng
      [~ME60] user-group jiaoshi
      [~ME60] user-group shangye
    3. Configure the value-added service policy.
      # Configure UCL rule 6001.
      [~ME60] acl number 6001
      [*ME60-acl-ucl-6001] rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
      [*ME60-acl-ucl-6001] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye  
      [*ME60-acl-ucl-6001] rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
      [*ME60-acl-ucl-6001] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye 
      [*ME60-acl-ucl-6001] rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255 
      [*ME60-acl-ucl-6001] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
      [*ME60-acl-ucl-6001] commit
      [~ME60-acl-ucl-6001] quit

      # Configure UCL rule 6003.

      [~ME60] acl number 6003
      [*ME60-acl-ucl-6003] rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255 
      [*ME60-acl-ucl-6003] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi  
      [*ME60-acl-ucl-6003] rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255 
      [*ME60-acl-ucl-6003] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi 
      [*ME60-acl-ucl-6003] rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255 
      [*ME60-acl-ucl-6003] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
      [*ME60-acl-ucl-6003] commit
      [~ME60-acl-ucl-6003] quit

      # Configure UCL rule 6005.

      [~ME60] acl number 6005
      [*ME60-acl-ucl-6005] rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255 
      [*ME60-acl-ucl-6005] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng 
      [*ME60-acl-ucl-6005] rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
      [*ME60-acl-ucl-6005] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
      [*ME60-acl-ucl-6005] rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
      [*ME60-acl-ucl-6005] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
      [*ME60-acl-ucl-6005] commit
      [~ME60-acl-ucl-6005] quit

      # Configure traffic classifier 6001.

      [~ME60] traffic classifier 6001 operator or
      [*ME60-classifier-6001] if-match acl 6001
      [*ME60-classifier-6001] commit
      [~ME60-classifier-6001] quit

      # Configure traffic classifier 6003.

      [~ME60] traffic classifier 6003 operator or
      [*ME60-classifier-6003] if-match acl 6003
      [*ME60-classifier-6003] commit
      [~ME60-classifier-6003] quit

      # Configure traffic classifier 6005.

      [~ME60] traffic classifier 6005 operator or
      [*ME60-classifier-6005] if-match acl 6005
      [*ME60-classifier-6005] commit
      [~ME60-classifier-6005] quit

      # Configure DAA traffic behavior 6001 (tariff level 1, rate limiting and traffic statistics).

      [~ME60] traffic behavior 6001
      [*ME60-behavior-6001] tariff-level 1
      [*ME60-behavior-6001] car
      [*ME60-behavior-6001] traffic-statistic
      [*ME60-behavior-6001] commit
      [~ME60-behavior-6001] quit

      # Configure DAA traffic behavior 6003.

      [~ME60] traffic behavior 6003
      [*ME60-behavior-6003] tariff-level 1
      [*ME60-behavior-6003] car
      [*ME60-behavior-6003] traffic-statistic
      [*ME60-behavior-6003] commit
      [~ME60-behavior-6003] quit

      # Configure DAA traffic behavior 6005.

      [~ME60] traffic behavior 6005
      [*ME60-behavior-6005] tariff-level 1
      [*ME60-behavior-6005] car
      [*ME60-behavior-6005] traffic-statistic
      [*ME60-behavior-6005] commit
      [~ME60-behavior-6005] quit

      # Configure the DAA traffic policy traffic_policy_daa.

      [~ME60] traffic policy traffic_policy_daa
      [*ME60-trafficpolicy-traffic_policy_daa] share-mode 
      [*ME60-trafficpolicy-traffic_policy_daa] classifier 6003 behavior 6003 
      [*ME60-trafficpolicy-traffic_policy_daa] classifier 6005 behavior 6005
      [*ME60-trafficpolicy-traffic_policy_daa] commit
      [~ME60-trafficpolicy-traffic_policy_daa] quit 

      # Apply the DAA traffic policy traffic_policy_daa globally.

      [~ME60] accounting-service-policy traffic_policy_daa
    4. Configure the QoS profiles (cir in kbit/s, cbs in bytes; packets within the committed rate pass, packets beyond it are discarded, in both directions).
      [~ME60] qos-profile 10M
      [*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard inbound
      [*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard outbound
      [*ME60-qos-profile-10M] quit
      [*ME60] qos-profile 20M
      [*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard inbound
      [*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard outbound
      [*ME60-qos-profile-20M] quit
      [*ME60] qos-profile 50M
      [*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard inbound
      [*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard outbound
      [*ME60-qos-profile-50M] commit
      [*ME60-qos-profile-50M] quit
    5. Configure the DAA service policies, each mapping tariff level 1 to one of the QoS profiles.
      [~ME60] value-added-service policy 10m daa
      [*ME60-vas-policy-10m] accounting-scheme none 
      [*ME60-vas-policy-10m] traffic-separate enable
      [*ME60-vas-policy-10m] tariff-level 1 qos-profile 10M
      [*ME60-vas-policy-10m] quit
      [*ME60] value-added-service policy 20m daa
      [*ME60-vas-policy-20m] accounting-scheme none 
      [*ME60-vas-policy-20m] traffic-separate enable
      [*ME60-vas-policy-20m] tariff-level 1 qos-profile 20M
      [*ME60-vas-policy-20m] quit
      [*ME60] value-added-service policy 50m daa
      [*ME60-vas-policy-50m] accounting-scheme none 
      [*ME60-vas-policy-50m] traffic-separate enable
      [*ME60-vas-policy-50m] tariff-level 1 qos-profile 50M
      [*ME60-vas-policy-50m] commit
      [~ME60-vas-policy-50m] quit
    6. Apply the DAA policies in the authentication domains.
      [~ME60] aaa
      [~ME60-aaa] domain xs
      [*ME60-aaa-domain-xs] value-added-service account-type none
      [*ME60-aaa-domain-xs] value-added-service policy 10m
      [*ME60-aaa-domain-xs] commit
      [~ME60-aaa-domain-xs] quit
      [~ME60-aaa] domain jg
      [*ME60-aaa-domain-jg] value-added-service account-type none
      [*ME60-aaa-domain-jg] value-added-service policy 20m
      [*ME60-aaa-domain-jg] commit
      [~ME60-aaa-domain-jg] quit
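The qos-profile templates above configure a single-rate two-colour CAR, and the cbs values on the page are 187 × cir (10000 kbit/s to 1 870 000 bytes, 20000 to 3 740 000, 50000 to 9 350 000), roughly 1.5 s of traffic at the committed rate. The Python model below is an added example, not ME60 code: it implements that CAR as a token bucket with cir in kbit/s and cbs in bytes, and replays a constructed packet trace (a 1500-packet burst at t = 0 followed by a 20 Mbit/s stream of 1500-byte packets) through the 10M and 20M profiles, counting green and red packets.

```python
"""Single-rate two-colour CAR (car cir ... cbs ... green pass red discard) as a token bucket.

Added example, not ME60 code: the packet trace is constructed. Times are in microseconds,
cir in kbit/s and cbs in bytes, matching the units of the qos-profile commands above.
"""
from typing import Dict, Iterable, List, Tuple


class Car:
    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.rate = cir_kbps / 8000.0       # bytes of credit per microsecond
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)      # bucket starts full
        self.last_us = 0

    def colour(self, now_us: int, size: int) -> str:
        """Refill for the elapsed time (capped at cbs), then pass or discard the packet."""
        self.tokens = min(self.cbs, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if size <= self.tokens:
            self.tokens -= size
            return "green"
        return "red"            # red discard: no tokens are consumed


# The qos-profile templates from the page (cir kbit/s, cbs bytes; cbs = 187 * cir).
PROFILES = {"10M": (10000, 1870000), "20M": (20000, 3740000), "50M": (50000, 9350000)}


def car_for(profile: str) -> Car:
    cir, cbs = PROFILES[profile]
    return Car(cir, cbs)


def replay(car: Car, trace: Iterable[Tuple[int, int]]) -> Dict[str, int]:
    """trace: (timestamp_us, size_bytes) in time order. Returns packet and byte counts per colour."""
    out = {"green": 0, "red": 0, "green_bytes": 0, "red_bytes": 0}
    for t, size in trace:
        c = car.colour(t, size)
        out[c] += 1
        out[c + "_bytes"] += size
    return out


def constructed_trace() -> List[Tuple[int, int]]:
    """Constructed: 1500 full-size packets at t=0, then a 1500-byte packet every 600 us
    (20 Mbit/s) for 0.6 s."""
    burst = [(0, 1500)] * 1500
    stream = [(600 * k, 1500) for k in range(1, 1001)]
    return burst + stream


def demo(profile: str = "10M") -> Dict[str, int]:
    return replay(car_for(profile), constructed_trace())


if __name__ == "__main__":
    print("10M:", demo("10M"))   # 1246 burst packets fit into cbs, stream halved -> green=1746 red=754
    print("20M:", demo("20M"))   # burst fits and 20 Mbit/s equals cir -> green=2500 red=0
```

With the 10M profile the burst empties the bucket after 1246 packets and the 20 Mbit/s stream is then halved to the committed 10 Mbit/s; the same trace passes the 20M profile untouched. Replacing `constructed_trace()` with timestamps and sizes from a capture shows how a real user flow would be coloured by a given profile.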

Configure the USG6315E firewalls

  1. Configure the interfaces.
    # Configure the USG6315E_A interfaces.
    <USG6315E_A> system-view
    [USG6315E_A] interface loopback 0
    [USG6315E_A-LoopBack0] ip address 172.16.10.1 32  
    [USG6315E_A-LoopBack0] quit
    [USG6315E_A] interface gigabitethernet 1/0/1
    [USG6315E_A-GigabitEthernet1/0/1] ip address 203.0.113.1 24 
    [USG6315E_A-GigabitEthernet1/0/1] gateway 203.0.113.254
    [USG6315E_A-GigabitEthernet1/0/1] quit
    [USG6315E_A] interface gigabitethernet 1/0/2
    [USG6315E_A-GigabitEthernet1/0/2] ip address 192.0.2.2 24 
    [USG6315E_A-GigabitEthernet1/0/2] gateway 192.0.2.254
    [USG6315E_A-GigabitEthernet1/0/2] quit
    [USG6315E_A] interface gigabitethernet 1/0/6
    [USG6315E_A-GigabitEthernet1/0/6] ip address 172.16.11.1 30  
    [USG6315E_A-GigabitEthernet1/0/6] quit
    [USG6315E_A] interface gigabitethernet 1/0/7
    [USG6315E_A-GigabitEthernet1/0/7] ip address 172.16.11.5 30  
    [USG6315E_A-GigabitEthernet1/0/7] quit

    # Configure the USG6315E_B interfaces.

    <USG6315E_B> system-view
    [USG6315E_B] interface loopback 0
    [USG6315E_B-LoopBack0] ip address 172.16.10.2 32  
    [USG6315E_B-LoopBack0] quit
    [USG6315E_B] interface gigabitethernet 1/0/1
    [USG6315E_B-GigabitEthernet1/0/1] ip address 203.0.113.2 24  
    [USG6315E_B-GigabitEthernet1/0/1] gateway 203.0.113.254
    [USG6315E_B-GigabitEthernet1/0/1] quit
    [USG6315E_B] interface gigabitethernet 1/0/2
    [USG6315E_B-GigabitEthernet1/0/2] ip address 192.0.2.1 24  
    [USG6315E_B-GigabitEthernet1/0/2] gateway 192.0.2.254
    [USG6315E_B-GigabitEthernet1/0/2] quit
    [USG6315E_B] interface gigabitethernet 1/0/6
    [USG6315E_B-GigabitEthernet1/0/6] ip address 172.16.11.2 30  
    [USG6315E_B-GigabitEthernet1/0/6] quit
    [USG6315E_B] interface gigabitethernet 1/0/7
    [USG6315E_B-GigabitEthernet1/0/7] ip address 172.16.11.9 30  
    [USG6315E_B-GigabitEthernet1/0/7] quit

  2. Assign the interfaces to security zones.
    # Add each interface to a security zone: the interface facing the intranet joins trust, the interface to ISP1 joins the new zone isp1, the interface to ISP2 joins the new zone isp2, and the HRP heartbeat interface joins dmz.
    [USG6315E_A] firewall zone trust
    [USG6315E_A-zone-trust] set priority 85
    [USG6315E_A-zone-trust] add interface gigabitethernet 1/0/7 
    [USG6315E_A-zone-trust] quit
    [USG6315E_A] firewall zone name isp1                     
    [USG6315E_A-zone-isp1] set priority 10
    [USG6315E_A-zone-isp1] add interface gigabitethernet 1/0/1  
    [USG6315E_A-zone-isp1] quit
    [USG6315E_A] firewall zone name isp2                     
    [USG6315E_A-zone-isp2] set priority 15
    [USG6315E_A-zone-isp2] add interface gigabitethernet 1/0/2  
    [USG6315E_A-zone-isp2] quit
    [USG6315E_A] firewall zone dmz
    [USG6315E_A-zone-dmz] set priority 50
    [USG6315E_A-zone-dmz] add interface gigabitethernet 1/0/6  
    [USG6315E_A-zone-dmz] quit
    [USG6315E_B] firewall zone trust
    [USG6315E_B-zone-trust] set priority 85
    [USG6315E_B-zone-trust] add interface gigabitethernet 1/0/7  
    [USG6315E_B-zone-trust] quit
    [USG6315E_B] firewall zone name isp1                     
    [USG6315E_B-zone-isp1] set priority 10
    [USG6315E_B-zone-isp1] add interface gigabitethernet 1/0/1  
    [USG6315E_B-zone-isp1] quit
    [USG6315E_B] firewall zone name isp2                    
    [USG6315E_B-zone-isp2] set priority 15
    [USG6315E_B-zone-isp2] add interface gigabitethernet 1/0/2  
    [USG6315E_B-zone-isp2] quit
    [USG6315E_B] firewall zone dmz
    [USG6315E_B-zone-dmz] set priority 50
    [USG6315E_B-zone-dmz] add interface gigabitethernet 1/0/6 
    [USG6315E_B-zone-dmz] quit

  3. Configure routing and intelligent uplink selection.
    # Configure static routes to the ME60 user address pools, the loopbacks of the other devices and the server network 192.168.10.0/24, with the ME60 end of the downstream link as next hop.
    [USG6315E_A] ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
    [USG6315E_A] ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
    [USG6315E_A] ip route-static 10.254.0.0 255.255.128.0 172.16.11.6
    [USG6315E_A] ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
    [USG6315E_A] ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
    [USG6315E_A] ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
    [USG6315E_A] ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
    [USG6315E_A] ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
    [USG6315E_B] ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
    [USG6315E_B] ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
    [USG6315E_B] ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
    [USG6315E_B] ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
    [USG6315E_B] ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
    [USG6315E_B] ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
    [USG6315E_B] ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
    [USG6315E_B] ip route-static 192.168.10.0 255.255.255.0 172.16.11.10

    # Configure IP-Link probes to detect whether each ISP link is up.

    [USG6315E_A] ip-link check enable 
    [USG6315E_A] ip-link name ip_link_1
    [USG6315E_A-iplink-ip_link_1] destination 203.0.113.254 interface gigabitethernet 1/0/1
    [USG6315E_A-iplink-ip_link_1] quit
    [USG6315E_A] ip-link name ip_link_2
    [USG6315E_A-iplink-ip_link_2] destination 192.0.2.254 interface gigabitethernet 1/0/2
    [USG6315E_A-iplink-ip_link_2] quit
    [USG6315E_B] ip-link check enable 
    [USG6315E_B] ip-link name ip_link_1
    [USG6315E_B-iplink-ip_link_1] destination 203.0.113.254 interface gigabitethernet 1/0/1
    [USG6315E_B-iplink-ip_link_1] quit
    [USG6315E_B] ip-link name ip_link_2
    [USG6315E_B-iplink-ip_link_2] destination 192.0.2.254 interface gigabitethernet 1/0/2
    [USG6315E_B-iplink-ip_link_2] quit

    # Configure default routes whose next hops are the two ISP access points, each tracked by its IP-Link so that the route is withdrawn when the probe fails.

    [USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
    [USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
    [USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
    [USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2

    # Configure intelligent uplink selection: load-balance across the ISP links in proportion to their bandwidth, and declare each link's bandwidth and overload threshold.

    [USG6315E_A] multi-interface
    [USG6315E_A-multi-inter] mode proportion-of-bandwidth
    [USG6315E_A-multi-inter] add interface gigabitethernet1/0/1
    [USG6315E_A-multi-inter] add interface gigabitethernet1/0/2
    [USG6315E_A-multi-inter] quit
    [USG6315E_A] interface gigabitethernet 1/0/1
    [USG6315E_A-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
    [USG6315E_A-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
    [USG6315E_A-GigabitEthernet1/0/1] quit
    [USG6315E_A] interface gigabitethernet 1/0/2
    [USG6315E_A-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
    [USG6315E_A-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
    [USG6315E_A-GigabitEthernet1/0/2] quit
    [USG6315E_B] multi-interface
    [USG6315E_B-multi-inter] mode proportion-of-bandwidth
    [USG6315E_B-multi-inter] add interface gigabitethernet1/0/1
    [USG6315E_B-multi-inter] add interface gigabitethernet1/0/2
    [USG6315E_B-multi-inter] quit
    [USG6315E_B] interface gigabitethernet 1/0/1
    [USG6315E_B-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
    [USG6315E_B-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
    [USG6315E_B-GigabitEthernet1/0/1] quit
    [USG6315E_B] interface gigabitethernet 1/0/2
    [USG6315E_B-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
    [USG6315E_B-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
    [USG6315E_B-GigabitEthernet1/0/2] quit

  4. Configure hot standby (HRP).
    # Configure the VGMP group to monitor the downstream service interface.
    [USG6315E_A] hrp track interface gigabitethernet 1/0/7
    [USG6315E_B] hrp track interface gigabitethernet 1/0/7

    # On USG6315E_A and USG6315E_B, enable fast session backup, specify the heartbeat interface with the peer's address, and enable hot standby.

    [USG6315E_A] hrp mirror session enable
    [USG6315E_A] hrp interface gigabitethernet 1/0/6 remote 172.16.11.2
    [USG6315E_A] hrp enable
    [USG6315E_B] hrp mirror session enable
    [USG6315E_B] hrp interface gigabitethernet 1/0/6 remote 172.16.11.1
    [USG6315E_B] hrp enable

  5. Configure security policies: permit traffic between the local and dmz zones (the HRP heartbeat), permit intranet users to reach the external networks, and permit external users to reach the HTTP server. The untrust_to_trust rule as written admits the whole server network 192.168.10.0/24 from both ISP zones; narrow its destination address and service to the published server (192.168.10.10, TCP 80) unless the whole segment is meant to be reachable from outside.

    Once hot standby is established, the security policy configured on USG6315E_A is synchronized automatically to USG6315E_B, so only the USG6315E_A configuration is shown below.

    [USG6315E_A] security-policy 
    [USG6315E_A-policy-security] rule name policy_dmz       
    [USG6315E_A-policy-security-rule-policy_dmz] source-zone local 
    [USG6315E_A-policy-security-rule-policy_dmz] source-zone dmz 
    [USG6315E_A-policy-security-rule-policy_dmz] destination-zone local
    [USG6315E_A-policy-security-rule-policy_dmz] destination-zone dmz
    [USG6315E_A-policy-security-rule-policy_dmz] action permit  
    [USG6315E_A-policy-security-rule-policy_dmz] quit
    [USG6315E_A-policy-security] rule name trust_to_untrust  
    [USG6315E_A-policy-security-rule-trust_to_untrust] source-zone trust
    [USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp1
    [USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp2
    [USG6315E_A-policy-security-rule-trust_to_untrust] action permit
    [USG6315E_A-policy-security-rule-trust_to_untrust] quit
    [USG6315E_A-policy-security] rule name untrust_to_trust  
    [USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp1
    [USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp2
    [USG6315E_A-policy-security-rule-untrust_to_trust] destination-zone trust
    [USG6315E_A-policy-security-rule-untrust_to_trust] destination-address 192.168.10.0 24 
    [USG6315E_A-policy-security-rule-untrust_to_trust] action permit
    [USG6315E_A-policy-security-rule-untrust_to_trust] quit
    [USG6315E_A-policy-security] quit

  6. Configure NAT.
    # On USG6315E_A, create the address pools addressgroup1 (203.0.113.1 to 203.0.113.5) and addressgroup2 (192.0.2.1 to 192.0.2.5). Address pools configured on USG6315E_A are backed up automatically to USG6315E_B.
    [USG6315E_A] nat address-group addressgroup1
    [USG6315E_A-address-group-addressgroup1] section 0 203.0.113.1 203.0.113.5
    [USG6315E_A-address-group-addressgroup1] mode pat
    [USG6315E_A-address-group-addressgroup1] route enable
    [USG6315E_A-address-group-addressgroup1] quit
    [USG6315E_A] nat address-group addressgroup2
    [USG6315E_A-address-group-addressgroup2] section 1 192.0.2.1 192.0.2.5
    [USG6315E_A-address-group-addressgroup2] mode pat
    [USG6315E_A-address-group-addressgroup2] route enable
    [USG6315E_A-address-group-addressgroup2] quit

    # Configure source NAT policies so that intranet users reach the Internet with translated public addresses, one pool per ISP zone.

    [USG6315E_A] nat-policy
    [USG6315E_A-policy-nat] rule name policy_nat_1
    [USG6315E_A-policy-nat-rule-policy_nat_1] source-zone trust
    [USG6315E_A-policy-nat-rule-policy_nat_1] destination-zone isp1
    [USG6315E_A-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
    [USG6315E_A-policy-nat-rule-policy_nat_1] quit
    [USG6315E_A-policy-nat] rule name policy_nat_2
    [USG6315E_A-policy-nat-rule-policy_nat_2] source-zone trust
    [USG6315E_A-policy-nat-rule-policy_nat_2] destination-zone isp2
    [USG6315E_A-policy-nat-rule-policy_nat_2] action source-nat address-group addressgroup2
    [USG6315E_A-policy-nat-rule-policy_nat_2] quit
    [USG6315E_A-policy-nat] quit

    # Ask the ISP's network administrator to add routes for the addresses in addressgroup1 and addressgroup2 with the corresponding firewall interface address as next hop.

  7. Configure NAT Server.
    # Assume the intranet HTTP server has obtained a public address from each ISP (203.0.113.10 and 192.0.2.10); external users on ISP1 and ISP2 reach it through the respective address.
    # Configure the static server mappings (public TCP port 8080 to internal port 80). no-reverse means no reverse server-map entry is created, so the server's own outbound connections are not translated to the global address.
    [USG6315E_A] nat server web_for_isp1 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 80 no-reverse
    [USG6315E_A] nat server web_for_isp2 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 80 no-reverse

    # Ask the ISP's network administrator to add routes for the HTTP server's public mapped addresses with the corresponding firewall interface address as next hop.

    # Configure black-hole routes for the NAT Server global addresses, so that packets to those addresses that match no server mapping are discarded instead of being routed back to the ISP.

    [USG6315E_A] ip route-static 203.0.113.10 32 NULL 0
    [USG6315E_A] ip route-static 192.0.2.10 32 NULL 0
    [USG6315E_B] ip route-static 203.0.113.10 32 NULL 0
    [USG6315E_B] ip route-static 192.0.2.10 32 NULL 0

    # Make return traffic leave through the interface it arrived on, so that a connection entering from ISP1 is answered via ISP1 even when the default route would prefer the other link.

    [USG6315E_A] interface gigabitethernet 1/0/1
    [USG6315E_A-GigabitEthernet1/0/1] redirect-reverse next-hop 203.0.113.254
    [USG6315E_A-GigabitEthernet1/0/1] quit
    [USG6315E_A] interface gigabitethernet 1/0/2
    [USG6315E_A-GigabitEthernet1/0/2] redirect-reverse next-hop 192.0.2.254
    [USG6315E_A-GigabitEthernet1/0/2] quit
    [USG6315E_B] interface gigabitethernet 1/0/1
    [USG6315E_B-GigabitEthernet1/0/1] redirect-reverse next-hop 203.0.113.254
    [USG6315E_B-GigabitEthernet1/0/1] quit
    [USG6315E_B] interface gigabitethernet 1/0/2
    [USG6315E_B-GigabitEthernet1/0/2] redirect-reverse next-hop 192.0.2.254
    [USG6315E_B-GigabitEthernet1/0/2] quit

  8. Configure smart DNS, so that DNS replies for the HTTP server leaving through gigabitethernet 1/0/1 carry 203.0.113.10 and those leaving through gigabitethernet 1/0/2 carry 192.0.2.10.
    [USG6315E_A] dns-smart enable
    [USG6315E_A] dns-smart group 1 type multi
    [USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/1 map 203.0.113.10
    [USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/2 map 192.0.2.10
    [USG6315E_A-dns-smart-group-1] quit

  9. Configure attack defense: enable single-packet attack defense (Land, Smurf, Fraggle, WinNuke, IP source route, route record and timestamp options, Ping of Death), enable anti-DDoS traffic statistics on the ISP-facing interfaces, learn and apply a traffic baseline, and enable SYN flood source detection, UDP and UDP-fragment flood fingerprint learning, and HTTP flood defense.
    [USG6315E_A] firewall defend land enable
    [USG6315E_A] firewall defend smurf enable
    [USG6315E_A] firewall defend fraggle enable
    [USG6315E_A] firewall defend winnuke enable
    [USG6315E_A] firewall defend source-route enable
    [USG6315E_A] firewall defend route-record enable
    [USG6315E_A] firewall defend time-stamp enable
    [USG6315E_A] firewall defend ping-of-death enable
    [USG6315E_A] interface gigabitethernet 1/0/1
    [USG6315E_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
    [USG6315E_A-GigabitEthernet1/0/1] quit
    [USG6315E_A] interface gigabitethernet 1/0/2
    [USG6315E_A-GigabitEthernet1/0/2] anti-ddos flow-statistic enable
    [USG6315E_A-GigabitEthernet1/0/2] quit
    [USG6315E_A] anti-ddos baseline-learn start
    [USG6315E_A] anti-ddos baseline-learn tolerance-value 100
    [USG6315E_A] anti-ddos baseline-learn apply
    [USG6315E_A] anti-ddos syn-flood source-detect
    [USG6315E_A] anti-ddos udp-flood dynamic-fingerprint-learn
    [USG6315E_A] anti-ddos udp-frag-flood dynamic-fingerprint-learn
    [USG6315E_A] anti-ddos http-flood defend alert-rate 2000
    [USG6315E_A] anti-ddos http-flood source-detect mode basic

  10. Configure application behavior control.

    This function requires a license and the corresponding component package loaded through dynamic loading.

    # Create the application behavior control profile that prohibits HTTP and FTP operations during class time.

    [USG6315E_A] profile type app-control name profile_app_work
    [USG6315E_A-profile-app-control-profile_app_work] http-control post action deny
    [USG6315E_A-profile-app-control-profile_app_work] http-control proxy action deny
    [USG6315E_A-profile-app-control-profile_app_work] http-control web-browse action deny
    [USG6315E_A-profile-app-control-profile_app_work] http-control file direction upload action deny
    [USG6315E_A-profile-app-control-profile_app_work] http-control file direction download action deny
    [USG6315E_A-profile-app-control-profile_app_work] ftp-control file delete action deny
    [USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction upload action deny
    [USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction download action deny
    [USG6315E_A-profile-app-control-profile_app_work] quit

    # Create the application behavior control profile for off-hours, which allows only HTTP browsing, HTTP proxy access and HTTP file download.

    [USG6315E_A] profile type app-control name profile_app_rest
    [USG6315E_A-profile-app-control-profile_app_rest] http-control post action deny
    [USG6315E_A-profile-app-control-profile_app_rest] http-control file direction upload action deny
    [USG6315E_A-profile-app-control-profile_app_rest] ftp-control file delete action deny
    [USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
    [USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction download action deny
    [USG6315E_A-profile-app-control-profile_app_rest] quit

    # Create the time range working_hours (class time on working days).

    [USG6315E_A] time-range working_hours
    [USG6315E_A-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
    [USG6315E_A-time-range-working_hours] quit 

    # Create the time range off_hours (all non-class time: off-days plus the rest of each working day).

    [USG6315E_A] time-range off_hours
    [USG6315E_A-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
    [USG6315E_A-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
    [USG6315E_A-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
    [USG6315E_A-time-range-off_hours] quit

    # Configure the security policy policy_sec_work, which references the time range working_hours and the application behavior control profile profile_app_work to control students' application behavior during class time. Security policies are matched top-down and the first hit wins: the rule trust_to_untrust from step 5 already permits all trust-to-isp1/isp2 traffic, so policy_sec_work and policy_sec_rest must be moved above it (rule move in the security-policy view) or they are never reached and the profiles are never applied.

    [USG6315E_A] security-policy
    [USG6315E_A-policy-security] rule name policy_sec_work
    [USG6315E_A-policy-security-rule-policy_sec_work] source-zone trust
    [USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp1
    [USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp2
    [USG6315E_A-policy-security-rule-policy_sec_work] user any
    [USG6315E_A-policy-security-rule-policy_sec_work] time-range working_hours
    [USG6315E_A-policy-security-rule-policy_sec_work] profile app-control profile_app_work
    [USG6315E_A-policy-security-rule-policy_sec_work] action permit
    [USG6315E_A-policy-security-rule-policy_sec_work] quit

    # Configure the security policy policy_sec_rest, which references the time range off_hours and the application behavior control profile profile_app_rest to control students' application behavior outside class time.

    [USG6315E_A-policy-security] rule name policy_sec_rest
    [USG6315E_A-policy-security-rule-policy_sec_rest] source-zone trust
    [USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp1
    [USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp2
    [USG6315E_A-policy-security-rule-policy_sec_rest] user any
    [USG6315E_A-policy-security-rule-policy_sec_rest] time-range off_hours
    [USG6315E_A-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
    [USG6315E_A-policy-security-rule-policy_sec_rest] action permit
    [USG6315E_A-policy-security-rule-policy_sec_rest] quit 
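Because the USG matches security policies top-down with the first hit winning, the two time-range rules created in this step sit below trust_to_untrust from step 5 and are shadowed by it. The Python model below is an added example, not USG code: it encodes the zones, the destination-address condition, the two time ranges and the rule order from steps 5 and 10, evaluates constructed flows (the timestamps, the external host 198.51.100.7 and the internal addresses are assumptions), and shows which rule and app-control profile apply before and after the two rules are moved above trust_to_untrust.

```python
"""First-match model of the USG6315E security-policy rule list from steps 5 and 10.

Added example, not USG code. Flows and timestamps are constructed; rules are matched
top-down, the first hit wins and an unmatched flow falls through to the default deny.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


def in_time_range(name: str, t: datetime) -> bool:
    """working_hours / off_hours as defined on the page (working-day = Mon..Fri)."""
    working_day = t.weekday() < 5
    secs = t.hour * 3600 + t.minute * 60 + t.second
    class_time = 9 * 3600 <= secs <= 17 * 3600 + 30 * 60      # 09:00:00 .. 17:30:00
    if name == "working_hours":
        return working_day and class_time
    if name == "off_hours":
        return (not working_day) or (not class_time)
    raise ValueError(f"unknown time-range {name}")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    dst_net: Optional[str] = None        # destination-address
    time_range: Optional[str] = None     # time-range
    app_profile: Optional[str] = None    # profile app-control
    action: str = "permit"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    when: datetime


def first_match(rules: List[Rule], f: Flow) -> Optional[Rule]:
    for r in rules:
        if f.src_zone not in r.src_zones or f.dst_zone not in r.dst_zones:
            continue
        if r.dst_net and ip_address(f.dst_ip) not in ip_network(r.dst_net):
            continue
        if r.time_range and not in_time_range(r.time_range, f.when):
            continue
        return r
    return None                                  # implicit default policy: deny


ISP = frozenset({"isp1", "isp2"})
POLICY_DMZ = Rule("policy_dmz", frozenset({"local", "dmz"}), frozenset({"local", "dmz"}))
TRUST_TO_UNTRUST = Rule("trust_to_untrust", frozenset({"trust"}), ISP)
UNTRUST_TO_TRUST = Rule("untrust_to_trust", ISP, frozenset({"trust"}), dst_net="192.168.10.0/24")
SEC_WORK = Rule("policy_sec_work", frozenset({"trust"}), ISP,
                time_range="working_hours", app_profile="profile_app_work")
SEC_REST = Rule("policy_sec_rest", frozenset({"trust"}), ISP,
                time_range="off_hours", app_profile="profile_app_rest")

# Order in which the page creates the rules (step 5, then step 10).
AS_CONFIGURED = [POLICY_DMZ, TRUST_TO_UNTRUST, UNTRUST_TO_TRUST, SEC_WORK, SEC_REST]
# Order after moving the two time-range rules above trust_to_untrust.
REORDERED = [POLICY_DMZ, SEC_WORK, SEC_REST, TRUST_TO_UNTRUST, UNTRUST_TO_TRUST]


def decide(rules: List[Rule], f: Flow) -> Tuple[str, Optional[str]]:
    """Return (rule name or "deny", app-control profile) for a flow."""
    r = first_match(rules, f)
    return ("deny", None) if r is None else (r.name, r.app_profile)


# Constructed probe flows: a student going out during class on Monday 2024-03-04 10:00,
# the same on Saturday 2024-03-09, two inbound flows from ISP1, and the HRP heartbeat.
STUDENT_IN_CLASS = Flow("trust", "isp1", "198.51.100.7", datetime(2024, 3, 4, 10, 0))
STUDENT_WEEKEND = Flow("trust", "isp2", "198.51.100.7", datetime(2024, 3, 9, 10, 0))
INBOUND_TO_WEB = Flow("isp1", "trust", "192.168.10.10", datetime(2024, 3, 4, 10, 0))
INBOUND_TO_USER = Flow("isp1", "trust", "10.254.0.5", datetime(2024, 3, 4, 10, 0))
HEARTBEAT = Flow("local", "dmz", "172.16.11.2", datetime(2024, 3, 4, 10, 0))
PROBES = [STUDENT_IN_CLASS, STUDENT_WEEKEND, INBOUND_TO_WEB, INBOUND_TO_USER, HEARTBEAT]


def unreached_rules(rules: List[Rule], probes: List[Flow]) -> List[str]:
    """Rules that none of the probe flows reaches: a probe-based check for shadowed rules."""
    hits = {r.name for r in (first_match(rules, f) for f in probes) if r is not None}
    return [r.name for r in rules if r.name not in hits]


if __name__ == "__main__":
    for label, rules in (("as configured", AS_CONFIGURED), ("reordered", REORDERED)):
        print(label, [decide(rules, f) for f in PROBES], "unreached:", unreached_rules(rules, PROBES))
```

Run as configured, both student flows land on trust_to_untrust and neither app-control profile is applied; after the two rules are moved above it, class-time traffic gets profile_app_work and weekend traffic profile_app_rest, and trust_to_untrust itself is never reached, because off_hours is the complement of working_hours.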

Verification

  1. On the core switch S12700E-8, check that the AP is online.
    [S12700E-8] display ap all 
    Info: This operation may take a few seconds. Please wait for a moment.done.
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    -----------------------------------------------------------------------------------------------------------------------
    ID   MAC            Name           Group     IP            Type            State STA Uptime        ExtraInfo
    -----------------------------------------------------------------------------------------------------------------------
    0    00e0-fc12-3455 area_1         ap-group1 10.250.12.109 AP4050DN        nor   0   1D:0H:34M:33S -
    -----------------------------------------------------------------------------------------------------------------------
    Total: 1

  2. User 1 (wired) and user 2 (wireless) connect in the student dormitory area and authenticate. After authentication, their user information is visible on the ME60 (a wired user can be traced to the access switch and port it connected through, a wireless user to the AP). Check the online-user information on the ME60 (display access-user) to confirm that each user received the expected permissions, then check that user 1 and user 2 can reach the resources of their post-authentication domain.
  3. Repeat the check in the teacher office area: user 1 (wired) and user 2 (wireless) authenticate, their information is visible on the ME60 with the same traceability, and each user can reach the resources of its post-authentication domain.

Configuration files

S5735-L_A S5735-L_B
#
sysname S5735-L_A
#
vlan batch 600 2001 to 3500 4004 
#
interface GigabitEthernet0/0/1
 port link-type trunk  
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 600 2001 to 3500 4004  
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2001
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 4004
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3001 to 3500 4004
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 600
 stp edged-port enable
#
return
#
sysname S5735-L_B
#
vlan batch 600 2001 to 3500 4004 
#
interface GigabitEthernet0/0/1
 port link-type trunk  
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 600 2001 to 3500 4004  
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2001
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 4004
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3001 to 3500 4004
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 600
 stp edged-port enable
# 
return
S6730-H_A S6730-H_B
#
sysname S6730-H_A
#
vlan batch 101 to 200 600 1601 to 1800 4004 
#
interface XGigabitEthernet1/0/1
 port link-type hybrid 
 undo port hybrid vlan 1
 port hybrid tagged vlan 600 4004
 port hybrid untagged vlan 101 1601
 port vlan-stacking vlan 2001 to 3000 stack-vlan 101
 port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
#

interface XGigabitEthernet3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004 
#
return
#
sysname S6730-H_B
#
vlan batch 201 to 400 600 1801 to 2000 4004 
#
interface XGigabitEthernet1/0/1
 port link-type hybrid 
 undo port hybrid vlan 1
 port hybrid tagged vlan 600 4004
 port hybrid untagged vlan 201 1801
 port vlan-stacking vlan 2001 to 3000 stack-vlan 201
 port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
#

interface XGigabitEthernet3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004 
#
return
S12700E-8
#
sysname S12700E-8
#
vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
#
dhcp enable
#
interface Vlanif4004
 ip address 10.250.0.1 255.255.240.0
 arp-proxy enable
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
#
interface Vlanif4010
 ip address 172.16.11.13 255.255.255.252
#
interface XGigabitEthernet4/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 200 600 1601 to 1801 4004
 port-isolate enable group 1
#
interface XGigabitEthernet4/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
 port-isolate enable group 1
#
interface XGigabitEthernet5/0/7
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
#
interface LoopBack0
 ip address 172.16.10.4 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.14
ip route-static 172.16.10.2 255.255.255.255 172.16.11.14
ip route-static 172.16.10.3 255.255.255.255 172.16.11.14
#
capwap source interface vlanif4004
#
wlan 
 traffic-profile name new-vap-traffic-1
  user-isolate l2
 security-profile name wlan-security
  security open
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 3001
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile new-vap-traffic-1 
 regulatory-domain-profile name domain1
 rrm-profile name default                                                       
  calibrate auto-channel-select disable                                         
  calibrate auto-txpower-select disable 
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 75 ap-mac 00e0-fc76-e370 ap-sn 21500831023GJ1006553
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
ME60
#
sysname ME60
#                                                                               
value-added-service enable
#                                                                               
user-group pre-web                                                              
user-group pre-ppp                                                              
user-group xuesheng                                                             
user-group jiaoshi                                                              
#
radius-server source interface LoopBack0 
radius-server authorization 192.168.10.55 shared-key-cipher %^%#&|-oI:&#&%<ZBPF\0s@"-vgF~lVjpAB5w[5XP4=4%^%#                                                          
radius-server authorization 192.168.10.241 shared-key-cipher %^%#O1n13EDPo9e7bHWac{b7-FtB(:e}f@pT-p6l=$<*%^%#  
#                                                                               
radius-server group radius                                                      
 radius-server shared-key-cipher %^%#l$~9,kQZF!:j]$R54Ka~=3]%L8^w7,E+Ft2X*}:@%^%#                                                                               
 radius-server authentication 192.168.10.55 1812 weight 0                                   
 radius-server accounting 192.168.8.249 1813 weight 0                                                  
 undo radius-server user-name domain-included 
# 
radius-server group mac
 radius-server shared-key-cipher  %^%#/W@Y%>vX8EzCg<LzjKV$G(0j&;2"}:5Nzy3pc[=+%^%#
 radius-server authentication 192.168.10.55 1812 weight 0
 radius-server accounting 192.168.10.55 1813 weight 0     
#                                                                               
qos-profile 50M                                                                 
 car cir 50000 cbs 9350000 green pass red discard inbound
 car cir 50000 cbs 9350000 green pass red discard outbound
#                                                                               
qos-profile 20M                                                                 
 car cir 20000 cbs 3740000 green pass red discard inbound                       
 car cir 20000 cbs 3740000 green pass red discard outbound                      
#                                                                               
qos-profile 10M                                                                 
 car cir 10000 cbs 1870000 green pass red discard inbound                       
 car cir 10000 cbs 1870000 green pass red discard outbound 
#                                                                               
ip pool jiaoshi bas local                                                       
 gateway 10.254.128.1 255.255.128.0                                             
 section 0 10.254.128.2 10.254.255.254                                          
 excluded-ip-address 10.254.128.2 10.254.129.254                                
 dns-server 192.168.10.2 10.255.57.5                                            
 lease 0 12 0                                                                   
#                                                                               
ip pool pre-pool bas local                                                      
 gateway 10.253.0.1 255.255.128.0                                               
 section 0 10.253.0.2 10.253.127.254                                            
 dns-server 192.168.10.2 10.255.57.5                                            
 lease 0 12 0                                                                   
#                                                                               
ip pool pre-ppp bas local                                                       
 gateway 10.253.128.1 255.255.128.0                                             
 section 0 10.253.128.2 10.253.255.254                                          
 dns-server 192.168.10.2 10.255.57.5                                            
 lease 0 12 0                                                                   
#                                                                               
ip pool xuesheng bas local                                                      
 gateway 10.254.0.1 255.255.128.0                                               
 section 0 10.254.0.2 10.254.127.254                                            
 dns-server 192.168.10.2 10.255.57.5                                            
 lease 0 12 0 
#
acl number 6001                                    
 rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye
 rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye
 rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
#                                                                               
acl number 6003                                                                 
 rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255                                                                       
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi                                                                      
 rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255                                                                     
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi                                                                     
 rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255                                                                     
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi                                         
#                                                                               
acl number 6005 
 rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255                                                                      
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng                                                                     
 rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255                                                                    
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng                                                                    
 rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255                                                                    
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng 
#                                                                               
acl number 6010                                                                 
 rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
 rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
 rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
 rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
 rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0                                                                  
#                                                                               
acl number 6011                                                                 
 rule 5 permit tcp source user-group pre-web destination-port eq www            
 rule 10 permit tcp source user-group pre-web destination-port eq 8080          
 rule 20 permit ip source user-group pre-web                                    
#                                                                               
acl number 6012                                                                                                 
 rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
 rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
 rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0                                                      
#                                                                               
acl number 6013                                                                 
 rule 5 permit tcp source user-group pre-ppp destination-port eq www            
 rule 10 permit tcp source user-group pre-ppp destination-port eq 8080          
 rule 20 deny ip source user-group pre-ppp                                      
#                                                                               
traffic classifier 6001 operator or                                             
 if-match acl 6001
#                                                                               
traffic classifier 6003 operator or                                             
 if-match acl 6003                                                              
#                                                                               
traffic classifier 6005 operator or                                             
 if-match acl 6005                                                              
#                                                                               
traffic classifier 6010 operator or                                             
 if-match acl 6010                                                              
#                                                                               
traffic classifier 6011 operator or                                             
 if-match acl 6011                                                              
#                                                                               
traffic classifier 6012 operator or                                             
 if-match acl 6012                                                              
#                                                                               
traffic classifier 6013 operator or                                             
 if-match acl 6013                                                              
#                                                                               
traffic behavior 6001                                                           
 car                                                                            
 tariff-level 1                                                                 
 traffic-statistic 
#                                                                               
traffic behavior 6003                                                           
 car                                                                            
 tariff-level 1                                                                 
 traffic-statistic                                                              
#                                                                               
traffic behavior 6005                                                           
 car                                                                            
 tariff-level 1                                                                 
 traffic-statistic                                                              
#                                                                               
traffic behavior 6010                                                           
#                                                                               
traffic behavior 6011                                                           
 http-redirect                                                                  
#                                                                               
traffic behavior 6012                                                           
#                                                                               
traffic behavior 6013                                                           
 http-redirect                                                                  
#                                                                               
traffic policy traffic-policy-1                                                 
 share-mode                                                                     
 classifier 6010 behavior 6010 precedence 1                                     
 classifier 6011 behavior 6011 precedence 2                                     
 classifier 6012 behavior 6012 precedence 3                                     
 classifier 6013 behavior 6013 precedence 4                                     
#                                                                               
traffic policy traffic_policy_daa                                               
 share-mode                                                                     
 classifier 6003 behavior 6003 precedence 1                                     
 classifier 6005 behavior 6005 precedence 2 
#
aaa 
 http-redirect enable 
 default-password cipher %$%$MD{\.!~j'P#Jl%3cJBm6#QWv%$%$
 default-user-name include mac-address -                                        
 local-user root password irreversible-cipher +Hv$!xKCa#UY6\$GWJ!N4[QH.O/'HIa@AoURN`>;R"Z8PtIa\3AZAy6Sa60(C6GCN 
 #                  
 authentication-scheme none  
 #                                                                              
 authentication-scheme authen
 #               
 accounting-scheme none                    
  accounting-mode none
 #            
 accounting-scheme acc                     
  accounting interim interval 15   
 #                                                                              
 domain pre-authen                                                              
  authentication-scheme none                                                    
  accounting-scheme none                                                        
  ip-pool pre-pool                                                              
  user-group pre-web                                                            
  web-server 192.168.10.53                                                     
  web-server url http://192.168.10.53/help/help.html   
 #                                                                              
 domain xs                                                                      
  authentication-scheme authen                                                  
  accounting-scheme acc                                                         
  radius-server group radius                                                    
  ip-pool xuesheng                                                              
  ip-pool jiaoshi                                                               
  value-added-service account-type none                                         
  value-added-service policy 10m                                                
  user-group pre-web                                                            
  web-server 192.168.10.53                                                      
  web-server url http://192.168.10.53/help/help.html                            
  portal-server 192.168.10.100                                                  
  portal-server url http://192.168.10.100/portal/                               
  quota-out online                                                              
 #                                                                              
 domain jg                                                                      
  authentication-scheme authen                                                  
  accounting-scheme acc                                                         
  radius-server group radius                                                    
  ip-pool jiaoshi                                                               
  value-added-service account-type none                                         
  value-added-service policy 20m  
  user-group pre-web                                               
  portal-server 192.168.10.100                                                  
  portal-server url http://192.168.10.100/portal/                               
  quota-out online                                                              
 #                                                                              
 domain pre-ppp                                                                 
  authentication-scheme none                                                    
  accounting-scheme none                                                        
  ip-pool pre-ppp                                                               
  user-group pre-ppp                                                            
  web-server 192.168.10.55                                                     
  web-server url http://192.168.10.55/help/help.html                                  
 #                                                                              
 domain mac                                                                     
  authentication-scheme mac                                                     
  accounting-scheme acc                                                         
  radius-server group mac                                                       
  ip-pool pre-pool                                                              
  mac-authentication enable                                                     
#                                                                               
value-added-service policy 10m daa 
 accounting-scheme none                                             
 traffic-separate enable    
 tariff-level 1 qos-profile 10M                                                    
#                                                                               
value-added-service policy 20m daa                                              
 accounting-scheme none                                                         
 traffic-separate enable                                                        
 tariff-level 1 qos-profile 20M  
#                                                                               
value-added-service policy 50m daa                                              
 accounting-scheme none                                                         
 traffic-separate enable                                                        
 tariff-level 1 qos-profile 50M
# 
interface Virtual-Template1
 ppp authentication-mode auto
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.11.6 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.11.10 255.255.255.252
#                                                                               
interface GigabitEthernet 1/1/1.1000                                            
 description xuesheng-ppp                                                       
 user-vlan 2001 3000 qinq 101 200                                               
 pppoe-server bind Virtual-Template 1                                           
 bas                                                                            
 #                                                                              
  access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs 
  dhcp session-mismatch action offline     
  authentication-method ppp web                                                 
 #         
# 
interface GigabitEthernet 1/1/1.1001            
 description xuesheng-web 
 user-vlan 3001 3500 qinq 1601 1800
 bas  
 #                                               
  access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs 
  dhcp session-mismatch action offline 
  authentication-method web                     
 # 
#                                                                               
interface GigabitEthernet 1/1/1.1002                                            
 description jiaoshi-ppp                                                        
 user-vlan 2001 3000 qinq 201 400                                               
 pppoe-server bind Virtual-Template 1                                           
 bas                                                                            
 #                                                                              
  access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication jg
  dhcp session-mismatch action offline                                          
  authentication-method ppp web                                                 
 #   
# 
interface GigabitEthernet 1/1/1.1003
 description jiaoshi-web
 user-vlan 3001 3500 qinq 1801 2000
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
  dhcp session-mismatch action offline
  authentication-method web
 #
#                                                                               
interface GigabitEthernet 1/1/1.1101                                            
 description mac-web                                                           
 user-vlan 600                                                                  
 bas                                                                            
 #                                                                              
  access-type layer2-subscriber default-domain pre-authentication mac authentication jg 
  dhcp session-mismatch action offline                                                                         
  authentication-method web                                                     
 #                                                                              
#                                                                               
interface GigabitEthernet 1/1/1.4010                                            
 vlan-type dot1q 4010                                                           
 ip address 172.16.11.14 255.255.255.252                                                                                 
#         
interface LoopBack0
 ip address 172.16.10.3 255.255.255.255
# 
ip route-static 172.16.10.1 255.255.255.255 172.16.11.5      
ip route-static 172.16.10.2 255.255.255.255 172.16.11.9      
ip route-static 172.16.10.4 255.255.255.255 172.16.11.13 
#                                     
web-auth-server source interface LoopBack0
web-auth-server 192.168.10.53 port 50100 key cipher %^%#S2#I1~`Kc/>vz1F4u3q+_DHT)ZE^`"n:w>!li(<C%^%#
#                                           
traffic-policy traffic-policy-1 inbound 
traffic-policy traffic-policy-1 outbound 
#                                                                               
accounting-service-policy traffic_policy_daa 
#                                                                               
return
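The following script is an added example, not configuration from this case or a Huawei tool: it cross-checks the S6730-H port vlan-stacking rules against the ME60 BAS sub-interfaces in the configuration files above, so that every inner/outer VLAN pair lands on exactly one sub-interface and therefore in the intended authentication domain (a gap or overlap would silently give users the wrong domain and role). The switch and ME60 excerpts are copied from this case; S6730-H_X is a constructed misconfiguration that shows what the check reports.

```python
"""Cross-check the S6730-H 'port vlan-stacking' rules against the ME60 BAS
sub-interfaces: the (inner, outer) VLAN pair a user frame carries selects the
sub-interface, and with it the authentication domain (xs or jg) the user gets."""
import re
from typing import NamedTuple

class StackRule(NamedTuple):
    switch: str
    inner_lo: int
    inner_hi: int
    outer: int

class BasIf(NamedTuple):
    name: str
    description: str
    inner_lo: int
    inner_hi: int
    outer_lo: int
    outer_hi: int

STACK_RE = re.compile(r"port vlan-stacking vlan (\d+) to (\d+) stack-vlan (\d+)")
SYSNAME_RE = re.compile(r"^sysname (\S+)", re.M)
USER_VLAN_RE = re.compile(r"user-vlan (\d+) (\d+) qinq (\d+) (\d+)")

def parse_stack_rules(switch_cfg: str) -> list[StackRule]:
    """Every 'port vlan-stacking' line of one switch config, tagged by sysname."""
    m = SYSNAME_RE.search(switch_cfg)
    name = m.group(1) if m else "?"
    return [StackRule(name, int(a), int(b), int(c))
            for a, b, c in STACK_RE.findall(switch_cfg)]

def parse_bas_interfaces(me60_cfg: str) -> list[BasIf]:
    """BAS sub-interfaces of the ME60 config that carry a QinQ user-vlan line."""
    result = []
    for block in re.split(r"(?m)^interface ", me60_cfg)[1:]:
        uv = USER_VLAN_RE.search(block)
        desc = re.search(r"description (\S+)", block)
        if uv:
            result.append(BasIf(block.split("\n", 1)[0].strip(),
                                desc.group(1) if desc else "", *map(int, uv.groups())))
    return result

def covering_interfaces(rule: StackRule, bas: list[BasIf]) -> list[BasIf]:
    """Sub-interfaces covering the rule's whole inner range at its outer VLAN."""
    return [b for b in bas
            if b.inner_lo <= rule.inner_lo and rule.inner_hi <= b.inner_hi
            and b.outer_lo <= rule.outer <= b.outer_hi]

def check_mapping(switch_cfgs: list[str], me60_cfg: str) -> dict:
    """Map each stacking rule (switch, inner_lo, inner_hi, outer) to the BAS
    sub-interface it lands on: 'UNCOVERED' if none, 'AMBIGUOUS' if several."""
    bas = parse_bas_interfaces(me60_cfg)
    result = {}
    for rule in (r for cfg in switch_cfgs for r in parse_stack_rules(cfg)):
        hits = covering_interfaces(rule, bas)
        result[tuple(rule)] = (hits[0].description if len(hits) == 1
                               else "UNCOVERED" if not hits else "AMBIGUOUS")
    return result

def bas_overlaps(me60_cfg: str) -> list[tuple[str, str]]:
    """Pairs of BAS sub-interfaces whose (inner, outer) VLAN ranges intersect."""
    bas = parse_bas_interfaces(me60_cfg)
    return [(a.name, b.name) for i, a in enumerate(bas) for b in bas[i + 1:]
            if a.inner_lo <= b.inner_hi and b.inner_lo <= a.inner_hi
            and a.outer_lo <= b.outer_hi and b.outer_lo <= a.outer_hi]

# Excerpts of the S6730-H and ME60 configuration files of this case.
S6730_H_A = """sysname S6730-H_A
interface XGigabitEthernet1/0/1
 port vlan-stacking vlan 2001 to 3000 stack-vlan 101
 port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
"""
S6730_H_B = """sysname S6730-H_B
interface XGigabitEthernet1/0/1
 port vlan-stacking vlan 2001 to 3000 stack-vlan 201
 port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
"""
# Constructed misconfiguration: PPPoE inner VLANs stacked into the outer-VLAN
# block that the ME60 reserves for student IPoE/web users.
S6730_H_BAD = """sysname S6730-H_X
interface XGigabitEthernet1/0/2
 port vlan-stacking vlan 2001 to 3000 stack-vlan 1601
"""
ME60 = """interface GigabitEthernet 1/1/1.1000
 description xuesheng-ppp
 user-vlan 2001 3000 qinq 101 200
interface GigabitEthernet 1/1/1.1001
 description xuesheng-web
 user-vlan 3001 3500 qinq 1601 1800
interface GigabitEthernet 1/1/1.1002
 description jiaoshi-ppp
 user-vlan 2001 3000 qinq 201 400
interface GigabitEthernet 1/1/1.1003
 description jiaoshi-web
 user-vlan 3001 3500 qinq 1801 2000
"""

if __name__ == "__main__":
    print(check_mapping([S6730_H_A, S6730_H_B, S6730_H_BAD], ME60))
    print("overlapping BAS sub-interfaces:", bas_overlaps(ME60))
```

Run it against the full exported configurations after any VLAN plan change; an UNCOVERED or AMBIGUOUS entry means users on that floor would not be placed in the domain the plan intends.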
USG6315E_A USG6315E_B
#
sysname USG6315E_A
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.2
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
# 
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#                                                                               
ip-link check enable                                                            
ip-link name ip_link_1                                                          
 destination 203.0.113.254 interface GigabitEthernet1/0/1 mode icmp               
ip-link name ip_link_2                                                          
 destination 192.0.2.254 interface GigabitEthernet1/0/2 mode icmp 
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
interface GigabitEthernet1/0/1
 ip address 203.0.113.1 255.255.255.0
 anti-ddos flow-statistic enable 
 gateway 203.0.113.254
 bandwidth ingress 800000 threshold 95
 bandwidth egress 800000 threshold 95
 redirect-reverse next-hop 203.0.113.254
#
interface GigabitEthernet1/0/2 
 ip address 192.0.2.2 255.255.255.0
 anti-ddos flow-statistic enable  
 gateway 192.0.2.254
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 192.0.2.254 
#
interface GigabitEthernet1/0/6
 ip address 172.16.11.1 255.255.255.252
#
interface GigabitEthernet1/0/7
 ip address 172.16.11.5 255.255.255.252
#
interface LoopBack0
 ip address 172.16.10.1 255.255.255.255
#  
firewall zone trust 
 set priority 85 
 add interface GigabitEthernet1/0/7
# 
firewall zone dmz 
 set priority 50 
 add interface GigabitEthernet1/0/6
#  
firewall zone name isp1 id 4
 set priority 10  
 add interface GigabitEthernet1/0/1
# 
firewall zone name isp2 id 5  
 set priority 15  
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
ip route-static 10.254.0.0 255.255.128.0 172.16.11.6 
ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
ip route-static 203.0.113.100 255.255.255.255 NULL 0
ip route-static 192.0.2.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
 http-control web-browse action deny
 http-control proxy action deny
 http-control post action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
 http-control post action deny
 http-control file direction upload action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 203.0.113.1 203.0.113.5
#
nat address-group addressgroup2 1
 mode pat
 route enable
 section 1 192.0.2.1 192.0.2.5
#
dns-smart group 1 type multi
 out-interface GigabitEthernet 1/0/1 map 203.0.113.10
 out-interface GigabitEthernet 1/0/2 map 192.0.2.10
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
security-policy  
 rule name trust_to_untrust 
  source-zone trust
  destination-zone isp1
  destination-zone isp2  
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name policy_dmz 
  source-zone local 
  source-zone dmz 
  destination-zone local 
  destination-zone dmz  
  action permit 
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1    
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group addressgroup2
#
return
#
sysname USG6315E_B
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
# 
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
ip-link check enable
ip-link name ip_link_1
 destination 203.0.113.254 interface GigabitEthernet1/0/1 mode icmp
ip-link name ip_link_2
 destination 192.0.2.254 interface GigabitEthernet1/0/2 mode icmp
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
interface GigabitEthernet1/0/1
 ip address 203.0.113.2 255.255.255.0
 anti-ddos flow-statistic enable 
 gateway 203.0.113.254
 bandwidth ingress 800000 threshold 95
 bandwidth egress 800000 threshold 95
 redirect-reverse next-hop 203.0.113.254
#
interface GigabitEthernet1/0/2 
 ip address 192.0.2.1 255.255.255.0
 anti-ddos flow-statistic enable  
 gateway 192.0.2.254
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 192.0.2.254 
#
interface GigabitEthernet1/0/6
 ip address 172.16.11.2 255.255.255.252
#
interface GigabitEthernet1/0/7
 ip address 172.16.11.9 255.255.255.252
#
interface LoopBack0
 ip address 172.16.10.2 255.255.255.255
#  
firewall zone trust 
 set priority 85 
 add interface GigabitEthernet1/0/7
# 
firewall zone dmz 
 set priority 50 
 add interface GigabitEthernet1/0/6
#  
firewall zone name isp1 id 4 
 set priority 10  
 add interface GigabitEthernet1/0/1
# 
firewall zone name isp2 id 5  
 set priority 15  
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
ip route-static 192.168.10.0 255.255.255.0 172.16.11.10
ip route-static 203.0.113.100 255.255.255.255 NULL 0
ip route-static 192.0.2.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
 http-control web-browse action deny
 http-control proxy action deny
 http-control post action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
 http-control post action deny
 http-control file direction upload action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 203.0.113.1 203.0.113.5
#
nat address-group addressgroup2 1
 mode pat
 route enable
 section 1 192.0.2.1 192.0.2.5
#
dns-smart group 1 type multi
 out-interface GigabitEthernet 1/0/1 map 203.0.113.10
 out-interface GigabitEthernet 1/0/2 map 192.0.2.10
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
security-policy 
 rule name trust_to_untrust 
  source-zone trust
  destination-zone isp1
  destination-zone isp2  
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name policy_dmz 
  source-zone local 
  source-zone dmz 
  destination-zone local 
  destination-zone dmz  
  action permit  
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1    
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group addressgroup2
#
return
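以下是本文新增的检查脚本(不是案例原配置,也不是华为设备自带的工具),用于在下发前核对USG安全策略中是否存在被前序规则完全覆盖、因而永远不会命中的规则。脚本假设安全策略按配置顺序自上而下、首次匹配即停止(USG安全策略即为此行为);在该假设下,上文的trust_to_untrust不带任何附加条件就放通了trust到isp1/isp2的流量,排在其后的policy_sec_work和policy_sec_rest(带time-range和app-control profile)不会被匹配到。示例中的策略片段摘自上文配置,只取了说明问题所需的三条规则。

```python
# Constructed excerpt of the case's USG6315E security-policy block (3 of its 5 rules).
SECURITY_POLICY = """\
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
"""
# Match conditions that narrow a rule beyond its source/destination zones.
NARROWING = ("source-address ", "destination-address ", "service ", "time-range ")

def parse_rules(text):
    """Split a security-policy block into rules with zone sets and narrowing conditions."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rule name "):
            rules.append({"name": line[10:], "src": set(), "dst": set(), "conds": []})
        elif rules and line.startswith("source-zone "):
            rules[-1]["src"].add(line.split()[1])
        elif rules and line.startswith("destination-zone "):
            rules[-1]["dst"].add(line.split()[1])
        elif rules and line.startswith(NARROWING):
            rules[-1]["conds"].append(line)
    return rules

def shadowed_rules(rules):
    """(rule, shadowed_by) pairs: an earlier rule without narrowing conditions covers every
    zone pair of the later rule, so under first-match top-down evaluation (assumed here,
    as on USG security-policy) the later rule, and any profile it carries, never applies."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if not earlier["conds"] and rule["src"] <= earlier["src"] and rule["dst"] <= earlier["dst"]:
                found.append((rule["name"], earlier["name"]))
                break
    return found
```

若脚本报出被覆盖的规则,可将带time-range和app-control profile的规则移到无附加条件的放通规则之前(或删除该放通规则),再重新运行检查确认结果为空。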