Higher Education Campus Network Deployment (ME60 Used as the Gateway and Authentication Point + Firewall Used as the Egress)
Application Scenario and Service Requirements
Application Scenario
This example describes the broadband remote access server (BRAS) scenario, where an ME60 functions as a gateway and an authentication point to implement user access authentication (IPoE access, PPPoE access, and MAC address authentication). It is applicable to higher education campus networks with large numbers of users (more than 20,000).
Service Requirements
A higher education campus network needs to implement integrated authentication on wired and wireless networks in dormitories and teachers' office areas. The requirements are as follows:
- Access requirements
Both wired and wireless networks are deployed, allowing for access of both wired and wireless users.
Internal network users can access external networks ISP1 and ISP2 (such as the Internet and education network), and external network users can access server resources on the internal network.
- Authentication requirements
Wired and wireless users need to be authenticated before accessing networks. Wired users are authenticated using PPPoE, wireless users are authenticated using IPoE, and dumb terminals are authenticated based on their MAC addresses.
- Network access rights requirements
Wired and wireless users have different accounts and network access rights based on roles such as students and teachers, as described in Table 2-130.
Student and teacher accounts are managed by a local authentication, authorization, and accounting (AAA) server, which is used for authentication, accounting, and authorization. The local AAA server also functions as an AAA proxy that forwards business accounts to the carrier's AAA server for authentication.
Table 2-130 Network access rights requirements

Account Type | Network Access Mode | Authentication Mode | Network Access Rights | Bandwidth Control |
---|---|---|---|---|
Student account | Wired | PPPoE | Access the campus internal network. | 10 Mbit/s |
Student account | Wireless | IPoE | Access the campus internal network. | 10 Mbit/s |
Teacher account | Wired | PPPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through the campus network. | Campus internal network: 20 Mbit/s; external network: 50 Mbit/s |
Teacher account | Wireless | IPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through the campus network. | Campus internal network: 20 Mbit/s; external network: 50 Mbit/s |
Business account | Wired | PPPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through carriers' broadband networks. | Campus internal network: 10 Mbit/s for students and 20 Mbit/s for teachers; external network: 50 Mbit/s |
Business account | Wireless | IPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through carriers' broadband networks. | Campus internal network: 10 Mbit/s for students and 20 Mbit/s for teachers; external network: 50 Mbit/s |
Dumb terminals, such as printers and fax machines | Wired | MAC address authentication | Access the campus internal network. | 20 Mbit/s |
- Accounting requirements
Students and teachers are not charged when accessing the campus internal network, and are charged when accessing external networks ISP1 and ISP2.
- Security requirements
For network security purposes, network devices need to identify and filter traffic entering and leaving the campus network.
Solution Design
Networking Diagram
Figure 2-96 shows the networking in which an ME60 functions as a gateway and an authentication point.
Service Design
- Access requirements design
An ME60 is deployed as a gateway and an authentication point for wired and wireless users to dynamically assign IP addresses to users and authenticate them.
All aggregation switches are connected to a core switch S12700E-8 that provides the native AC function (no additional hardware AC is required, reducing investment in network devices). The native AC function can be configured on the S12700E-8 to manage APs on the entire network and implement wireless network access.
S5735-L switches are deployed as access switches and are connected to S6730-H switches at the aggregation layer. 802.1Q in 802.1Q (QinQ) is configured on access switches to isolate users. Inner VLAN IDs are assigned to different interfaces in areas; for example, VLANs 2001 to 3500 are assigned to downlink interfaces of access switches in the student dormitory area and teaching and office areas. Outer VLAN IDs are assigned to different floors in different areas; for example, VLANs 101 to 200 are assigned to downlink interfaces of aggregation switches in the student dormitory area, and VLANs 201 to 400 are assigned to downlink interfaces of aggregation switches in the teaching and office areas.
The S12700E-8 transparently transmits QinQ packets to the ME60, and the ME60 terminates QinQ packets.
The egress firewalls USG6680 function as the egress gateway of the external network to isolate external networks from the internal network. They are enabled with network address translation (NAT) to implement communication between the internal and external networks. Additionally, they are enabled with intelligent uplink selection to dynamically select outbound interfaces based on the egress link bandwidth, improving link resource utilization and user experience.
- Authentication requirements design
As an authentication device, the ME60 provides wired and wireless users with various authentication modes, including IPoE authentication, PPPoE authentication, and MAC address authentication.
Users can access external networks only after passing web authentication.
- Network access rights and accounting requirements design
The ME60 is configured with destination address accounting (DAA) to implement rate limiting and accounting based on different users and destination addresses.
- Security requirements
Egress firewalls are configured with security policies to filter users' Internet access packets to prevent users from accessing unauthorized websites, as well as to monitor and trace user packets.
Device Requirements and Versions
Table 2-131 lists the products and their software versions used in this example.
Deployment Roadmap and Data Plan
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved |
---|---|---|
1 | Configure interfaces and VLANs on access switches to enable Layer 2 connectivity. | S5735-L_A and S5735-L_B |
2 | Configure interfaces and VLANs on aggregation switches to enable Layer 2 connectivity. | S6730-H_A and S6730-H_B |
3 | Configure interfaces, VLANs, IP addresses, and routing on the core switch to enable network connectivity. | S12700E-8 |
4 | Enable the Dynamic Host Configuration Protocol (DHCP) on the core switch to assign IP addresses to APs. | S12700E-8 |
5 | Configure the WLAN service on the core switch to implement access of wireless users. | S12700E-8 |
6 | Configure interfaces, VLANs, IP addresses, and routing on the ME60 to enable network connectivity. | ME60 |
7 | Configure IPoE access authentication on the ME60 for wireless student and teacher users. | ME60 |
8 | Configure PPPoE access authentication on the ME60 for wired student and teacher users. | ME60 |
9 | Configure MAC address authentication on the ME60 for dumb terminals such as printers and fax machines. | ME60 |
10 | Configure interfaces, IP addresses, and routing on egress firewalls to enable network connectivity. | USG6315E_A and USG6315E_B |
11 | Configure the security zone to which each interface belongs on egress firewalls. | USG6315E_A and USG6315E_B |
12 | Configure intelligent uplink selection on firewalls to implement load balancing based on link bandwidth. | USG6315E_A and USG6315E_B |
13 | Configure hot standby on firewalls. If the active firewall is faulty, the standby firewall can smoothly take over services from the active firewall, ensuring service continuity. | USG6315E_A and USG6315E_B |
14 | Configure security policies on firewalls. | USG6315E_A and USG6315E_B |
15 | Configure NAT on firewalls so that users on the campus network can access the Internet. | USG6315E_A and USG6315E_B |
16 | Configure NAT Server on firewalls so that users on external networks can access the internal HTTP server. | USG6315E_A and USG6315E_B |
17 | Enable the smart domain name service (DNS) function on firewalls so that users from different ISPs can obtain addresses on their own ISP networks. | USG6315E_A and USG6315E_B |
18 | Configure attack defense and application behavior control on firewalls. | USG6315E_A and USG6315E_B |
Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses, routes, and services.
Device | Item | Description |
---|---|---|
S5735-L_A | VLAN 600 | VLAN to which dumb terminals in the student dormitory area belong |
S5735-L_A | VLANs 2001 to 3000 | Inner VLANs for wired users in the student dormitory area |
S5735-L_A | VLANs 3001 to 3500 | Inner VLANs for wireless users in the student dormitory area |
S5735-L_A | VLAN 4004 | Management VLAN for APs in the student dormitory area |
S5735-L_B | VLAN 600 | VLAN to which dumb terminals in the teaching and office areas belong |
S5735-L_B | VLANs 2001 to 3000 | Inner VLANs for wired users in the teaching and office areas |
S5735-L_B | VLANs 3001 to 3500 | Inner VLANs for wireless users in the teaching and office areas |
S5735-L_B | VLAN 4004 | Management VLAN for APs in the teaching and office areas |
S6730-H_A | VLAN 600 | VLAN to which dumb terminals in the student dormitory area belong |
S6730-H_A | VLANs 101 to 200 | Outer VLANs for wired users in the student dormitory area |
S6730-H_A | VLANs 1601 to 1800 | Outer VLANs for wireless users in the student dormitory area |
S6730-H_A | VLAN 4004 | Management VLAN for APs in the student dormitory area |
S6730-H_B | VLAN 600 | VLAN to which dumb terminals in the teaching and office areas belong |
S6730-H_B | VLANs 201 to 400 | Outer VLANs for wired users in the teaching and office areas |
S6730-H_B | VLANs 1801 to 2000 | Outer VLANs for wireless users in the teaching and office areas |
S6730-H_B | VLAN 4004 | Management VLAN for APs in the teaching and office areas |
S12700E-8 | VLAN 600 | VLAN to which dumb terminals belong |
S12700E-8 | VLANs 101 to 400 | Outer VLANs for wired users |
S12700E-8 | VLANs 1601 to 2000 | Outer VLANs for wireless users |
S12700E-8 | VLAN 4010 | VLAN to which the core switch's interface connected to the ME60 belongs |
S12700E-8 | VLAN 4004 | Management VLAN for APs |
Device | Interface Number | IP Address |
---|---|---|
USG6315E_A | GE1/0/6 | 172.16.11.1/30 |
USG6315E_A | GE1/0/7 | 172.16.11.5/30 |
USG6315E_A | GE1/0/1 | 203.0.113.1/24 |
USG6315E_A | GE1/0/2 | 192.0.2.2/24 |
USG6315E_A | Loopback 0 | 172.16.10.1/32 |
USG6315E_B | GE1/0/6 | 172.16.11.2/30 |
USG6315E_B | GE1/0/7 | 172.16.11.9/30 |
USG6315E_B | GE1/0/1 | 203.0.113.2/24 |
USG6315E_B | GE1/0/2 | 192.0.2.1/24 |
USG6315E_B | Loopback 0 | 172.16.10.2/32 |
ME60 | GE1/0/1 | 172.16.11.6/30 |
ME60 | GE1/0/2 | 172.16.11.10/30 |
ME60 | GE1/1/1.4010 | 172.16.11.14/30 |
ME60 | Loopback 0 | 172.16.10.3/32 |
S12700E-8 | Loopback 0 | 172.16.10.4/32 |
S12700E-8 | VLANIF 4010 | 172.16.11.13/30 |
Device | Destination Address | Next-Hop IP Address |
---|---|---|
USG6315E_A | 10.253.0.0/17 | 172.16.11.6/30 |
USG6315E_A | 10.253.128.0/17 | 172.16.11.6/30 |
USG6315E_A | 10.254.0.0/17 | 172.16.11.6/30 |
USG6315E_A | 10.254.128.0/17 | 172.16.11.6/30 |
USG6315E_A | 172.16.10.2/32 | 172.16.11.6/30 |
USG6315E_A | 172.16.10.3/32 | 172.16.11.6/30 |
USG6315E_A | 172.16.10.4/32 | 172.16.11.6/30 |
USG6315E_A | 192.168.10.0/24 | 172.16.11.6/30 |
USG6315E_B | 10.253.0.0/17 | 172.16.11.10/30 |
USG6315E_B | 10.253.128.0/17 | 172.16.11.10/30 |
USG6315E_B | 10.254.0.0/17 | 172.16.11.10/30 |
USG6315E_B | 10.254.128.0/17 | 172.16.11.10/30 |
USG6315E_B | 172.16.10.1/32 | 172.16.11.10/30 |
USG6315E_B | 172.16.10.3/32 | 172.16.11.10/30 |
USG6315E_B | 172.16.10.4/32 | 172.16.11.10/30 |
USG6315E_B | 192.168.10.0/24 | 172.16.11.10/30 |
ME60 | 172.16.10.1/32 | 172.16.11.5/30 |
ME60 | 172.16.10.2/32 | 172.16.11.9/30 |
ME60 | 172.16.10.4/32 | 172.16.11.13/30 |
ME60 | 0.0.0.0/0 | 172.16.11.5/30 |
ME60 | 0.0.0.0/0 | 172.16.11.9/30 |
S12700E-8 | 172.16.10.1/32 | 172.16.11.14/30 |
S12700E-8 | 172.16.10.2/32 | 172.16.11.14/30 |
S12700E-8 | 172.16.10.3/32 | 172.16.11.14/30 |
Item | Data |
---|---|
AAA schemes | |
RADIUS server | |
Web server | |
Address pool | |
Pre-authentication domain | |
User control list (UCL) rules | A UCL rule needs to be configured to redirect users in the pre-authentication domain to the web authentication page. |
Authentication domain | |
Broadband access server (BAS) interfaces | |

NOTE:
Web authentication users are considered unauthorized users before they are authenticated. Therefore, they cannot obtain IP addresses or access the web authentication server, which means web authentication cannot be performed on these users. To resolve this problem, all unauthenticated web authentication users are assigned to a default domain configured on an interface. This default domain is called the default pre-authentication domain. Unauthenticated web authentication users can obtain IP addresses from the pre-authentication domain pre-authen and access the web authentication server through the network access rights granted to the pre-authentication domain. After users pass web authentication, they are authenticated by the RADIUS server through the authentication domain xs.
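The pre-authentication domain described in the note above, together with the rights and bandwidth matrix of Table 2-130 and the accounting requirement (charging only for external traffic), can be written down as a single decision function and tested offline before the UCL rules and DAA policies are typed into the ME60. The following is an added model for that purpose, not ME60 code or part of the original example: the campus prefixes and server addresses are taken from this document's data plan, while the account keys (`business-student`, `business-teacher`, `dumb-terminal`) and the sample external address are constructed.

```python
"""Added model of the access decisions in this design (not ME60 code): a user in
the pre-authentication domain may reach DNS and the web authentication server
and has other HTTP redirected to the portal; an authenticated user gets the
rights, rate limit and charging of Table 2-130 for its account type and
destination. Prefixes and server addresses follow this document's data plan;
account key names and the sample external address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Campus prefixes from the data plan: user address pools and the server segment.
CAMPUS_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("10.253.0.0/17", "10.254.0.0/17", "192.168.10.0/24")]
WEB_AUTH_SERVER = ipaddress.ip_address("192.168.10.53")
DNS_SERVERS = {ipaddress.ip_address("192.168.10.2"), ipaddress.ip_address("10.255.57.5")}

# Table 2-130: rate limit in Mbit/s per destination class; None means no access.
# Business accounts are split by role because the table gives them the role's
# campus rate (constructed key names).
ACCOUNT_POLICY = {
    "student":          {"campus": 10, "external": None},
    "teacher":          {"campus": 20, "external": 50},
    "business-student": {"campus": 10, "external": 50},
    "business-teacher": {"campus": 20, "external": 50},
    "dumb-terminal":    {"campus": 20, "external": None},
}
# Accounting requirement: students and teachers are charged only for external traffic.
CHARGED_ACCOUNTS = {"student", "teacher"}


@dataclass
class Decision:
    action: str                    # "permit", "redirect" or "deny"
    rate_mbps: Optional[int] = None
    charged: bool = False
    reason: str = ""


def classify_destination(dst: ipaddress.IPv4Address) -> str:
    """Campus destinations are those inside the planned internal prefixes."""
    return "campus" if any(dst in net for net in CAMPUS_PREFIXES) else "external"


def decide(authenticated: bool, account: Optional[str], dst_ip: str,
           dst_port: int, proto: str) -> Decision:
    """Decide how one flow from a user is treated by the BRAS."""
    dst = ipaddress.ip_address(dst_ip)
    if not authenticated:
        # Pre-authentication domain: only what the portal flow itself needs.
        if proto == "udp" and dst_port == 53 and dst in DNS_SERVERS:
            return Decision("permit", reason="DNS for the pre-authentication domain")
        if proto == "tcp" and dst == WEB_AUTH_SERVER:
            return Decision("permit", reason="web authentication server")
        if proto == "tcp" and dst_port == 80:
            return Decision("redirect", reason="HTTP redirected to the web authentication page")
        return Decision("deny", reason="outside pre-authentication domain rights")

    policy = ACCOUNT_POLICY.get(account or "")
    if policy is None:
        return Decision("deny", reason=f"unknown account type {account!r}")
    dest_class = classify_destination(dst)
    rate = policy[dest_class]
    if rate is None:
        return Decision("deny", reason=f"{account} has no {dest_class} access")
    charged = dest_class == "external" and account in CHARGED_ACCOUNTS
    return Decision("permit", rate, charged, f"{account} -> {dest_class} at {rate} Mbit/s")


if __name__ == "__main__":
    # 203.0.113.50 stands in for an Internet host (constructed sample address).
    for args in [(False, None, "203.0.113.50", 80, "tcp"),
                 (False, None, "203.0.113.50", 443, "tcp"),
                 (True, "student", "203.0.113.50", 443, "tcp"),
                 (True, "teacher", "203.0.113.50", 443, "tcp"),
                 (True, "teacher", "10.254.3.7", 22, "tcp")]:
        print(args, "->", decide(*args))
```

The value of writing the matrix this way is that every cell of Table 2-130 and every branch of the pre-authentication note becomes a test case; if a later change to the UCL rules or DAA policies is planned, the expected behaviour can be checked here first.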
Item | Data |
---|---|
AAA schemes | Same as the AAA schemes for IPoE access |
RADIUS server | Same as the RADIUS server for IPoE access |
Address pool | |
User group | User group pre-ppp, for which a pre-authentication domain is configured |
Pre-authentication domain | |
UCL rules | A UCL rule needs to be configured to redirect users in the pre-authentication domain to the web authentication page. |
Authentication domain | Same as the authentication domain for IPoE access |
Virtual template interface | Interface number: 1; user authentication mode: auto |
BAS interfaces | |
Item | Data |
---|---|
AAA schemes | |
RADIUS server | |
Web server | Same as the web server for IPoE access |
Address pool | |
User group | User group pre-web, for which a pre-authentication domain is configured |
Authentication domain (domain to which users are redirected after they fail authentication) | |
UCL rules | UCL rules need to be configured to redirect users who fail authentication to the domain pre-authen and to the web authentication page. |
Pre-authentication domain | The domain name is mac. The authentication scheme mac, accounting scheme acc, RADIUS server mac, and IP address pool pre-pool are bound to the pre-authentication domain. MAC address authentication needs to be enabled. |
Authentication domain | The domain name is jg. The authentication scheme authen, accounting scheme acc, RADIUS server radius, and IP address pool jiaoshi are bound to the authentication domain. |
BAS interface | |
Item | Data |
---|---|
DAA enablement | Globally enabling the value-added service function |
AAA schemes | Same as the AAA schemes for IPoE access |
RADIUS server | Same as the RADIUS server for IPoE access |
Web server | Same as the web server for IPoE access |
Address pool | Same as the IP address pool for IPoE access |
User groups | NOTE: You can configure a user group using any of the following methods: The user group configured using a DAA service policy template has the highest priority, followed by the one delivered by a RADIUS server, and then the one configured in a domain. In this example, user groups are delivered by the RADIUS server. |
Pre-authentication domain | Same as the pre-authentication domain for IPoE access |
UCL rules | A UCL rule needs to be configured to redirect users in the pre-authentication domain to the web authentication page. |
QoS profiles | Names of QoS profiles: 10M, 20M, and 50M |
DAA service policy | |
Authentication domains | NOTE: The DAA service policy 50M is delivered by a RADIUS server. |
BAS interfaces | Same as the BAS interfaces for IPoE access |
Deployment Procedure
Configuring Access Switches (S5735-L)
- Configure VLANs on S5735-L_A.
# Create VLANs in a batch for users, dumb terminals, and APs in the student dormitory area, including inner VLANs 2001 to 3000 for wired users, inner VLANs 3001 to 3500 for wireless users, VLAN 600 for dumb terminals, and management VLAN 4004 for APs.
<S5735-L_A> system-view
[S5735-L_A] vlan batch 600 2001 to 3500 4004
# Add downlink interfaces connected to wired users to inner VLANs, with each interface being added to a unique VLAN. The following example describes how to add GE0/0/3 to VLAN 2001.
[S5735-L_A] interface GigabitEthernet 0/0/3
[S5735-L_A-GigabitEthernet0/0/3] port link-type access
[S5735-L_A-GigabitEthernet0/0/3] port default vlan 2001
[S5735-L_A-GigabitEthernet0/0/3] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/3] quit
# Add GE0/0/4 connected to an AP to management VLAN 4004, and enable the interface to allow packets from service VLANs and the management VLAN to pass through.
[S5735-L_A] interface GigabitEthernet 0/0/4
[S5735-L_A-GigabitEthernet0/0/4] port link-type trunk
[S5735-L_A-GigabitEthernet0/0/4] port trunk pvid vlan 4004
[S5735-L_A-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[S5735-L_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004
[S5735-L_A-GigabitEthernet0/0/4] port-isolate enable group 1
[S5735-L_A-GigabitEthernet0/0/4] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/4] quit
# Add GE0/0/5 connected to a dumb terminal to VLAN 600.
[S5735-L_A] interface GigabitEthernet 0/0/5
[S5735-L_A-GigabitEthernet0/0/5] port link-type access
[S5735-L_A-GigabitEthernet0/0/5] port default vlan 600
[S5735-L_A-GigabitEthernet0/0/5] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/5] quit
- Configure an uplink interface on S5735-L_A to allow packets from all service VLANs and the management VLAN to pass through.
[S5735-L_A] interface GigabitEthernet 0/0/1
[S5735-L_A-GigabitEthernet0/0/1] port link-type trunk
[S5735-L_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5735-L_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
[S5735-L_A-GigabitEthernet0/0/1] quit
- Configure VLANs on S5735-L_B.
# Create VLANs in a batch for users, dumb terminals, and APs in the teaching and office areas, including inner VLANs 2001 to 3000 for wired users, inner VLANs 3001 to 3500 for wireless users, VLAN 600 for dumb terminals, and management VLAN 4004 for APs.
<S5735-L_B> system-view
[S5735-L_B] vlan batch 600 2001 to 3500 4004
# Add downlink interfaces connected to wired users to inner VLANs, with each interface being added to a unique VLAN. The following example describes how to add GE0/0/3 to VLAN 2001.
[S5735-L_B] interface GigabitEthernet 0/0/3
[S5735-L_B-GigabitEthernet0/0/3] port link-type access
[S5735-L_B-GigabitEthernet0/0/3] port default vlan 2001
[S5735-L_B-GigabitEthernet0/0/3] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/3] quit
# Add GE0/0/4 connected to an AP to management VLAN 4004, and enable the interface to allow packets from service VLANs and the management VLAN to pass through.
[S5735-L_B] interface GigabitEthernet 0/0/4
[S5735-L_B-GigabitEthernet0/0/4] port link-type trunk
[S5735-L_B-GigabitEthernet0/0/4] port trunk pvid vlan 4004
[S5735-L_B-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[S5735-L_B-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004
[S5735-L_B-GigabitEthernet0/0/4] port-isolate enable group 1
[S5735-L_B-GigabitEthernet0/0/4] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/4] quit
# Add GE0/0/5 connected to a dumb terminal to VLAN 600.
[S5735-L_B] interface GigabitEthernet 0/0/5
[S5735-L_B-GigabitEthernet0/0/5] port link-type access
[S5735-L_B-GigabitEthernet0/0/5] port default vlan 600
[S5735-L_B-GigabitEthernet0/0/5] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/5] quit
- Configure an uplink interface on S5735-L_B to allow packets from all service VLANs and the management VLAN to pass through.
[S5735-L_B] interface GigabitEthernet 0/0/1
[S5735-L_B-GigabitEthernet0/0/1] port link-type trunk
[S5735-L_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5735-L_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
[S5735-L_B-GigabitEthernet0/0/1] quit
Configuring Aggregation Switches (S6730-H)
- Configure VLANs on S6730-H_A.
# Create VLANs in a batch for users, dumb terminals, and APs in the student dormitory area, including outer VLANs 101 to 200 for wired users, outer VLANs 1601 to 1800 for wireless users, VLAN 600 for dumb terminals, and management VLAN 4004 for APs.
<S6730-H_A> system-view
[S6730-H_A] vlan batch 101 to 200 600 1601 to 1800 4004
# Configure outer VLANs for wired and wireless users on downlink interfaces, with each interface being added to a unique VLAN. Additionally, enable the interfaces to allow packets from the management VLAN of APs and the VLAN of dumb terminals to pass through. The following uses XGE1/0/1 as an example to describe how to configure outer VLAN 101 for wired users and outer VLAN 1601 for wireless users.
[S6730-H_A] interface XGigabitEthernet 1/0/1
[S6730-H_A-XGigabitEthernet1/0/1] port link-type hybrid
[S6730-H_A-XGigabitEthernet1/0/1] undo port hybrid vlan 1
[S6730-H_A-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
[S6730-H_A-XGigabitEthernet1/0/1] port hybrid untagged vlan 101 1601
[S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 101
[S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
[S6730-H_A-XGigabitEthernet1/0/1] quit
- Configure an uplink interface on S6730-H_A to allow packets from all service VLANs and the management VLAN to pass through.
[S6730-H_A] interface XGigabitEthernet 3/0/0
[S6730-H_A-XGigabitEthernet3/0/0] port link-type trunk
[S6730-H_A-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[S6730-H_A-XGigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
[S6730-H_A-XGigabitEthernet3/0/0] quit
- Configure VLANs on S6730-H_B.
# Create VLANs in a batch for users, dumb terminals, and APs in the teaching and office areas, including outer VLANs 201 to 400 for wired users, outer VLANs 1801 to 2000 for wireless users, VLAN 600 for dumb terminals, and management VLAN 4004 for APs.
<S6730-H_B> system-view
[S6730-H_B] vlan batch 201 to 400 600 1801 to 2000 4004
# Configure outer VLANs for wired and wireless users on downlink interfaces, with each interface being added to a unique VLAN. Additionally, enable the interfaces to allow packets from the management VLAN of APs and the VLAN of dumb terminals to pass through. The following uses XGE1/0/1 as an example to describe how to configure outer VLAN 201 for wired users and outer VLAN 1801 for wireless users.
[S6730-H_B] interface XGigabitEthernet 1/0/1
[S6730-H_B-XGigabitEthernet1/0/1] port link-type hybrid
[S6730-H_B-XGigabitEthernet1/0/1] undo port hybrid vlan 1
[S6730-H_B-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
[S6730-H_B-XGigabitEthernet1/0/1] port hybrid untagged vlan 201 1801
[S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 201
[S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
[S6730-H_B-XGigabitEthernet1/0/1] quit
- Configure an uplink interface on S6730-H_B to allow packets from all service VLANs and the management VLAN to pass through.
[S6730-H_B] interface XGigabitEthernet 3/0/0
[S6730-H_B-XGigabitEthernet3/0/0] port link-type trunk
[S6730-H_B-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[S6730-H_B-XGigabitEthernet3/0/0] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
[S6730-H_B-XGigabitEthernet3/0/0] quit
Configuring the Core Switch (S12700E-8)
- Set the NAC mode to unified so that users can connect to the network properly.
<S12700E-8> system-view
[S12700E-8] authentication unified-mode
By default, the unified mode is used. You can run the display authentication mode command to check the current NAC mode on a switch. The switch will restart automatically after the NAC mode is changed between common and unified modes.
- Create VLANs in a batch, including outer VLANs 101 to 400 for wired users, outer VLANs 1601 to 2000 for wireless users, VLANs 3001 to 3500 for wireless services, VLAN 600 for dumb terminals, management VLAN 4004 for APs, and VLAN 4010 for connecting to the ME60.
[S12700E-8] vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
- Add uplink and downlink interfaces to VLANs.
# Configure downlink interfaces. XGE4/0/1 connects to S6730-H_A (student dormitory area) and XGE4/0/2 connects to S6730-H_B (teaching and office areas); each allows exactly the VLANs that its aggregation switch carries on the uplink.
[S12700E-8] interface XGigabitEthernet 4/0/1
[S12700E-8-XGigabitEthernet4/0/1] port link-type trunk
[S12700E-8-XGigabitEthernet4/0/1] undo port trunk allow-pass vlan 1
[S12700E-8-XGigabitEthernet4/0/1] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
[S12700E-8-XGigabitEthernet4/0/1] port-isolate enable group 1
[S12700E-8-XGigabitEthernet4/0/1] quit
[S12700E-8] interface XGigabitEthernet 4/0/2
[S12700E-8-XGigabitEthernet4/0/2] port link-type trunk
[S12700E-8-XGigabitEthernet4/0/2] undo port trunk allow-pass vlan 1
[S12700E-8-XGigabitEthernet4/0/2] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
[S12700E-8-XGigabitEthernet4/0/2] port-isolate enable group 1
[S12700E-8-XGigabitEthernet4/0/2] quit
# Configure an uplink interface.
[S12700E-8] interface XGigabitEthernet 5/0/7
[S12700E-8-XGigabitEthernet5/0/7] port link-type trunk
[S12700E-8-XGigabitEthernet5/0/7] undo port trunk allow-pass vlan 1
[S12700E-8-XGigabitEthernet5/0/7] port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
[S12700E-8-XGigabitEthernet5/0/7] quit
- Configure IP addresses for interfaces.
[S12700E-8] interface Vlanif 4010
[S12700E-8-Vlanif4010] ip address 172.16.11.13 30
[S12700E-8-Vlanif4010] quit
[S12700E-8] interface LoopBack0
[S12700E-8-LoopBack0] ip address 172.16.10.4 32
[S12700E-8-LoopBack0] quit
- Configure static routes to firewalls and the ME60, with the next-hop address being 172.16.11.14.
[S12700E-8] ip route-static 172.16.10.1 32 172.16.11.14
[S12700E-8] ip route-static 172.16.10.2 32 172.16.11.14
[S12700E-8] ip route-static 172.16.10.3 32 172.16.11.14
- Configure the S12700E-8 as a DHCP server to assign IP addresses to APs.
# Configure the switch as a DHCP server to assign IP addresses to APs from the IP address pool on VLANIF 4004.
[S12700E-8] dhcp enable
[S12700E-8] interface Vlanif4004
[S12700E-8-Vlanif4004] ip address 10.250.0.1 20
[S12700E-8-Vlanif4004] arp-proxy enable
[S12700E-8-Vlanif4004] arp-proxy inner-sub-vlan-proxy enable
[S12700E-8-Vlanif4004] dhcp select interface
[S12700E-8-Vlanif4004] quit
# Configure the AC's source interface.
[S12700E-8] capwap source interface vlanif4004
- Configure APs to go online.
# Create an AP group to which APs with the same configurations will be added.
[S12700E-8] wlan
[S12700E-8-wlan-view] ap-group name ap-group1
[S12700E-8-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and apply the profile to the AP group.
[S12700E-8-wlan-view] regulatory-domain-profile name domain1
[S12700E-8-wlan-regulate-domain-domain1] country-code cn
[S12700E-8-wlan-regulate-domain-domain1] quit
[S12700E-8-wlan-view] ap-group name ap-group1
[S12700E-8-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[S12700E-8-wlan-ap-group-ap-group1] quit
# Import an AP offline and add the AP to the AP group ap-group1. Name the AP after its deployment location so that the location can be read from the name. For example, name the AP with MAC address 00e0-fc76-e360 as area_1 if it is deployed in area 1.
[S12700E-8-wlan-view] ap auth-mode mac-auth
[S12700E-8-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[S12700E-8-wlan-ap-0] ap-name area_1
[S12700E-8-wlan-ap-0] ap-group ap-group1
[S12700E-8-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online properly.
[S12700E-8-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
-----------------------------------------------------------------------------------------------------------------------
ID   MAC            Name     Group      IP             Type      State   STA   Uptime          ExtraInfo
-----------------------------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1   ap-group1  10.250.12.109  AP4050DN  nor     0     1D:0H:34M:33S   -
-----------------------------------------------------------------------------------------------------------------------
Total: 1
- Configure WLAN service parameters.
# Create security profile wlan-security, and configure security policy open in the profile.
[S12700E-8-wlan-view] security-profile name wlan-security
[S12700E-8-wlan-sec-prof-wlan-security] security open
[S12700E-8-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[S12700E-8-wlan-view] ssid-profile name wlan-ssid
[S12700E-8-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[S12700E-8-wlan-ssid-prof-wlan-ssid] quit
# Create traffic profile new-vap-traffic-1, and enable user isolation at Layer 2 and communication at Layer 3.
[S12700E-8-wlan-view] traffic-profile name new-vap-traffic-1
[S12700E-8-wlan-traffic-prof-new-vap-traffic-1] user-isolate l2
[S12700E-8-wlan-traffic-prof-new-vap-traffic-1] quit
# Create VAP profile wlan-vap, set the service data forwarding mode and service VLAN, and bind the security profile, SSID profile, and traffic profile to the VAP profile.
[S12700E-8-wlan-view] vap-profile name wlan-vap
[S12700E-8-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[S12700E-8-wlan-vap-prof-wlan-vap] service-vlan vlan-id 3001
[S12700E-8-wlan-vap-prof-wlan-vap] security-profile wlan-security
[S12700E-8-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[S12700E-8-wlan-vap-prof-wlan-vap] traffic-profile new-vap-traffic-1
[S12700E-8-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.
[S12700E-8-wlan-view] ap-group name ap-group1
[S12700E-8-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[S12700E-8-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[S12700E-8-wlan-ap-group-ap-group1] quit
- Configure channels and power for the AP radios.
The automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when the two functions are disabled. The channel and power settings for the AP radios in this example are for reference only. In practice, configure the channel and power of AP radios based on the actual country code and network planning.
# Disable automatic channel and power calibration functions, and configure channel and power for the AP radios.
[S12700E-8-wlan-view] rrm-profile name default
[S12700E-8-wlan-rrm-prof-default] calibrate auto-channel-select disable
[S12700E-8-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[S12700E-8-wlan-rrm-prof-default] quit
[S12700E-8-wlan-view] ap-id 0
[S12700E-8-wlan-ap-0] radio 0
[S12700E-8-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700E-8-wlan-radio-0/0] eirp 127
[S12700E-8-wlan-radio-0/0] quit
[S12700E-8-wlan-ap-0] radio 1
[S12700E-8-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700E-8-wlan-radio-0/1] eirp 127
[S12700E-8-wlan-radio-0/1] quit
[S12700E-8-wlan-ap-0] quit
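With the access, aggregation, and core switches configured, the Layer 2 path from an inner user VLAN to the ME60 depends on four things agreeing: the outer VLAN pushed by vlan-stacking on each aggregation downlink, the allow-pass list on that aggregation uplink, the allow-pass list on the matching core downlink, and the core uplink to the ME60. A mismatch does not always break connectivity; a core downlink that admits one extra outer VLAN silently merges two areas' user traffic into the same isolation domain, which is exactly the kind of slip QinQ user isolation is meant to prevent. The following is an added consistency check for such a plan, written for this document and not Huawei code. The VLAN numbers follow this example's data plan; the first core downlink list is a constructed slip (1601 to 1801 instead of 1601 to 1800) so that the check has something to report.

```python
"""Added consistency check for a QinQ VLAN plan (not Huawei code). It verifies
that every outer VLAN pushed by vlan-stacking is allowed on that aggregation
switch's uplink, that each core downlink carries exactly what its aggregation
switch sends, that user VLANs of different areas do not overlap, and that the
core uplink to the ME60 carries every user VLAN the core receives."""
from typing import Dict, List, Set

# Infrastructure VLANs legitimately present on every trunk (dumb terminals, AP management).
SHARED_VLANS = {600, 4004}


def parse_vlan_list(text: str) -> Set[int]:
    """Expand a VRP-style VLAN list such as '101 to 200 600 1601 to 1800 4004'."""
    vlans: Set[int] = set()
    tokens = text.split()
    i = 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            if end < start:
                raise ValueError(f"descending range {start} to {end}")
            vlans.update(range(start, end + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    bad = [v for v in vlans if not 1 <= v <= 4094]
    if bad:
        raise ValueError(f"VLAN IDs out of range: {bad}")
    return vlans


# Aggregation switches: uplink allow-pass list and the stacking rules on their
# downlinks (inner VLAN range -> outer VLAN), as planned in this document.
AGGREGATION: Dict[str, dict] = {
    "S6730-H_A": {"uplink": "101 to 200 600 1601 to 1800 4004",
                  "stacking": [("2001 to 3000", 101), ("3001 to 3500", 1601)]},
    "S6730-H_B": {"uplink": "201 to 400 600 1801 to 2000 4004",
                  "stacking": [("2001 to 3000", 201), ("3001 to 3500", 1801)]},
}

# Core downlinks facing each aggregation switch. The first list is a constructed
# slip (1601 to 1801 instead of 1601 to 1800) so the check has something to report.
CORE_DOWNLINKS: Dict[str, str] = {
    "S6730-H_A": "101 to 200 600 1601 to 1801 4004",
    "S6730-H_B": "201 to 400 600 1801 to 2000 4004",
}
CORE_UPLINK = "101 to 400 600 1601 to 2000 4004 4010"


def check_plan(aggregation: Dict[str, dict], core_downlinks: Dict[str, str],
               core_uplink: str) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    agg_uplinks = {name: parse_vlan_list(cfg["uplink"]) for name, cfg in aggregation.items()}

    # 1. Outer tags pushed by vlan-stacking must be allowed on the same switch's uplink.
    for name, cfg in aggregation.items():
        for inner, outer in cfg["stacking"]:
            parse_vlan_list(inner)  # validates the inner range syntax
            if outer not in agg_uplinks[name]:
                findings.append(f"{name}: stack-vlan {outer} (inner {inner}) not allowed on uplink")

    # 2. Each core downlink must carry exactly what its aggregation switch sends.
    core_sets = {name: parse_vlan_list(text) for name, text in core_downlinks.items()}
    for name, allowed in core_sets.items():
        extra = sorted(allowed - agg_uplinks[name])
        missing = sorted(agg_uplinks[name] - allowed)
        if extra:
            findings.append(f"core downlink to {name}: allows VLANs {extra} that {name} never sends")
        if missing:
            findings.append(f"core downlink to {name}: blocks VLANs {missing} that {name} sends")

    # 3. User VLANs must be unique per area: no overlap across core downlinks.
    names = sorted(core_sets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap = sorted((core_sets[a] & core_sets[b]) - SHARED_VLANS)
            if overlap:
                findings.append(f"user VLANs {overlap} appear on both {a} and {b} downlinks")

    # 4. The uplink to the ME60 must carry every user VLAN the core receives.
    received = set().union(*core_sets.values()) - SHARED_VLANS
    dropped = sorted(received - parse_vlan_list(core_uplink))
    if dropped:
        findings.append(f"core uplink to ME60 does not carry user VLANs {dropped}")
    return findings


if __name__ == "__main__":
    for line in check_plan(AGGREGATION, CORE_DOWNLINKS, CORE_UPLINK) or ["plan is consistent"]:
        print(line)
```

Run as is, the script reports the constructed slip twice: once because XGE4/0/1 admits VLAN 1801 that S6730-H_A never sends, and once because 1801 then appears on both core downlinks. Correcting the first list to `1601 to 1800` yields an empty finding list. The same parser can be pointed at the `port trunk allow-pass vlan` lines of a running configuration export to re-run the check after changes.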
Configuring the ME60
- Configure IP addresses for interfaces.
<ME60> system-view
[~ME60] interface gigabitethernet 1/0/1
[~ME60-GigabitEthernet1/0/1] ip address 172.16.11.6 255.255.255.252
[*ME60-GigabitEthernet1/0/1] undo shutdown
[*ME60-GigabitEthernet1/0/1] commit
[~ME60-GigabitEthernet1/0/1] quit
[~ME60] interface gigabitethernet 1/0/2
[~ME60-GigabitEthernet1/0/2] ip address 172.16.11.10 255.255.255.252
[*ME60-GigabitEthernet1/0/2] undo shutdown
[*ME60-GigabitEthernet1/0/2] commit
[~ME60-GigabitEthernet1/0/2] quit
[~ME60] interface gigabitethernet 1/1/1.4010
[*ME60-GigabitEthernet1/1/1.4010] vlan-type dot1q 4010
[*ME60-GigabitEthernet1/1/1.4010] ip address 172.16.11.14 255.255.255.252
[*ME60-GigabitEthernet1/1/1.4010] commit
[~ME60-GigabitEthernet1/1/1.4010] quit
[~ME60] interface LoopBack0
[~ME60-LoopBack0] ip address 172.16.10.3 32
[*ME60-LoopBack0] commit
[~ME60-LoopBack0] quit
- Configure static routes to firewalls and the S12700E-8.
[~ME60] ip route-static 172.16.10.1 255.255.255.255 172.16.11.5
[*ME60] ip route-static 172.16.10.2 255.255.255.255 172.16.11.9
[*ME60] ip route-static 172.16.10.4 255.255.255.255 172.16.11.13
[*ME60] commit
- Enable IPoE access to provide IPoE access authentication for wireless student and teacher users on the campus network. As a gateway and an authentication device, the ME60 assigns private IP addresses to wireless users who are successfully authenticated and grants network access rights to these users accordingly. Users can access external networks only after passing web authentication.
- Configure AAA schemes.
# Configure authentication schemes: none (no authentication) for the pre-authentication domains, and authen (RADIUS authentication) for the post-authentication domains.
[~ME60] aaa
[~ME60-aaa] http-redirect enable
[*ME60-aaa] authentication-scheme none
[*ME60-aaa-authen-none] authentication-mode none
[*ME60-aaa-authen-none] commit
[~ME60-aaa-authen-none] quit
[~ME60-aaa] authentication-scheme authen
[*ME60-aaa-authen-authen] authentication-mode radius
[*ME60-aaa-authen-authen] commit
[~ME60-aaa-authen-authen] quit
# Configure accounting schemes: none for the pre-authentication domains, and acc for the post-authentication domains.
[~ME60-aaa] accounting-scheme none
[*ME60-aaa-accounting-none] accounting-mode none
[*ME60-aaa-accounting-none] commit
[~ME60-aaa-accounting-none] quit
[~ME60-aaa] accounting-scheme acc
[*ME60-aaa-accounting-acc] accounting-mode none
[*ME60-aaa-accounting-acc] accounting interim interval 15
[*ME60-aaa-accounting-acc] commit
[~ME60-aaa-accounting-acc] quit
[~ME60-aaa] quit
- Configure a RADIUS server.
[~ME60] radius-server source interface LoopBack0
[~ME60] radius-server group radius
[*ME60-radius-radius] radius-server authentication 192.168.10.55 1812 weight 0
[*ME60-radius-radius] radius-server accounting 192.168.8.249 1813 weight 0
[*ME60-radius-radius] radius-server type standard
[*ME60-radius-radius] radius-server shared-key-cipher %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$
[*ME60-radius-radius] commit
[~ME60-radius-radius] quit
- Configure RADIUS authorization servers.
[~ME60] radius-server authorization 192.168.10.55 shared-key-cipher YsHsjx_202206
[~ME60] radius-server authorization 192.168.10.241 shared-key-cipher YsHsjx_202206
- Configure a web server.
[~ME60] web-auth-server source interface LoopBack0
[~ME60] web-auth-server 192.168.10.53 port 50100 key cipher YsHsjx_202206
- Configure IP address pools.
# Configure IP address pool xuesheng.
[~ME60] ip pool xuesheng bas local
[*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
[*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
[*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-xuesheng] lease 0 12 0
[*ME60-ip-pool-xuesheng] commit
[~ME60-ip-pool-xuesheng] quit
# Configure IP address pool pre-pool (the pool referenced by the pre-authentication domain).
[~ME60] ip pool pre-pool bas local
[*ME60-ip-pool-pre-pool] gateway 10.253.0.1 255.255.128.0
[*ME60-ip-pool-pre-pool] section 0 10.253.0.2 10.253.127.254
[*ME60-ip-pool-pre-pool] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-pre-pool] lease 0 12 0
[*ME60-ip-pool-pre-pool] commit
[~ME60-ip-pool-pre-pool] quit
# Configure IP address pool jiaoshi.
[~ME60] ip pool jiaoshi bas local
[*ME60-ip-pool-jiaoshi] gateway 10.254.128.1 255.255.128.0
[*ME60-ip-pool-jiaoshi] section 0 10.254.128.2 10.254.255.254
[*ME60-ip-pool-jiaoshi] excluded-ip-address 10.254.128.2 10.254.129.254
[*ME60-ip-pool-jiaoshi] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-jiaoshi] lease 0 12 0
[*ME60-ip-pool-jiaoshi] commit
[~ME60-ip-pool-jiaoshi] quit
- Configure user group pre-web.
[~ME60] user-group pre-web
- Configure domains.
# Configure domain pre-authen as the pre-authentication domain for web authentication.
[~ME60] aaa
[~ME60-aaa] domain pre-authen
[*ME60-aaa-domain-pre-authen] user-group pre-web
[*ME60-aaa-domain-pre-authen] authentication-scheme none
[*ME60-aaa-domain-pre-authen] accounting-scheme none
[*ME60-aaa-domain-pre-authen] ip-pool pre-pool
[*ME60-aaa-domain-pre-authen] web-server 192.168.10.53
[*ME60-aaa-domain-pre-authen] web-server url http://192.168.10.53/help/help.html
[*ME60-aaa-domain-pre-authen] commit
[~ME60-aaa-domain-pre-authen] quit
# Configure domain xs as an authentication domain for web authentication.
[~ME60-aaa] domain xs
[*ME60-aaa-domain-xs] user-group pre-web
[*ME60-aaa-domain-xs] authentication-scheme authen
[*ME60-aaa-domain-xs] accounting-scheme acc
[*ME60-aaa-domain-xs] ip-pool xuesheng
[*ME60-aaa-domain-xs] value-added-service account-type none
[*ME60-aaa-domain-xs] value-added-service policy 10m
[*ME60-aaa-domain-xs] radius-server group radius
[*ME60-aaa-domain-xs] quota-out online
[*ME60-aaa-domain-xs] commit
[~ME60-aaa-domain-xs] quit
# Configure domain jg as an authentication domain for web authentication.
[~ME60-aaa] domain jg
[*ME60-aaa-domain-jg] user-group pre-web
[*ME60-aaa-domain-jg] authentication-scheme authen
[*ME60-aaa-domain-jg] accounting-scheme acc
[*ME60-aaa-domain-jg] ip-pool jiaoshi
[*ME60-aaa-domain-jg] value-added-service account-type none
[*ME60-aaa-domain-jg] value-added-service policy 20m
[*ME60-aaa-domain-jg] radius-server group radius
[*ME60-aaa-domain-jg] quota-out online
[*ME60-aaa-domain-jg] commit
[~ME60-aaa-domain-jg] quit
[~ME60-aaa] quit
- Configure UCLs.
[~ME60] acl 6010
[*ME60-acl-ucl-6010] rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
[*ME60-acl-ucl-6010] rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
[*ME60-acl-ucl-6010] rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
[*ME60-acl-ucl-6010] rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
[*ME60-acl-ucl-6010] rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
[*ME60-acl-ucl-6010] commit
[~ME60-acl-ucl-6010] quit
[~ME60] acl 6011
[*ME60-acl-ucl-6011] rule 5 permit tcp source user-group pre-web destination-port eq www
[*ME60-acl-ucl-6011] rule 10 permit tcp source user-group pre-web destination-port eq 8080
[*ME60-acl-ucl-6011] rule 20 permit ip source user-group pre-web
[*ME60-acl-ucl-6011] commit
[~ME60-acl-ucl-6011] quit
- Configure a traffic policy.
[~ME60] traffic classifier 6010 operator or
[*ME60-classifier-6010] if-match acl 6010
[*ME60-classifier-6010] commit
[~ME60-classifier-6010] quit
[~ME60] traffic classifier 6011 operator or
[*ME60-classifier-6011] if-match acl 6011
[*ME60-classifier-6011] commit
[~ME60-classifier-6011] quit
[~ME60] traffic behavior 6010
[*ME60-behavior-6010] permit
[*ME60-behavior-6010] commit
[~ME60-behavior-6010] quit
[~ME60] traffic behavior 6011
[*ME60-behavior-6011] http-redirect
[*ME60-behavior-6011] commit
[~ME60-behavior-6011] quit
[~ME60] traffic policy traffic-policy-1
[*ME60-trafficpolicy-traffic-policy-1] share-mode
[*ME60-trafficpolicy-traffic-policy-1] classifier 6010 behavior 6010
[*ME60-trafficpolicy-traffic-policy-1] classifier 6011 behavior 6011
[*ME60-trafficpolicy-traffic-policy-1] commit
[~ME60-trafficpolicy-traffic-policy-1] quit
[~ME60] traffic-policy traffic-policy-1 inbound
[~ME60] traffic-policy traffic-policy-1 outbound
- Configure BAS interfaces.
[~ME60] interface gigabitethernet1/1/1.1001
[*ME60-GigabitEthernet1/1/1.1001] description xuesheng-web
[*ME60-GigabitEthernet1/1/1.1001] user-vlan 3001 3500 qinq 1601 1800
[*ME60-GigabitEthernet1/1/1.1001-vlan-3001-3500-QinQ-1601-1800] quit
[*ME60-GigabitEthernet1/1/1.1001] bas
[*ME60-GigabitEthernet1/1/1.1001-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
[*ME60-GigabitEthernet1/1/1.1001-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1001-bas] authentication-method web
[*ME60-GigabitEthernet1/1/1.1001-bas] commit
[~ME60-GigabitEthernet1/1/1.1001-bas] quit
[~ME60-GigabitEthernet1/1/1.1001] quit
[~ME60] interface gigabitethernet1/1/1.1003
[*ME60-GigabitEthernet1/1/1.1003] description jiaoshi-web
[*ME60-GigabitEthernet1/1/1.1003] user-vlan 3001 3500 qinq 1801 2000
[*ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] commit
[~ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] quit
[~ME60-GigabitEthernet1/1/1.1003] bas
[*ME60-GigabitEthernet1/1/1.1003-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
[*ME60-GigabitEthernet1/1/1.1003-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1003-bas] authentication-method web
[*ME60-GigabitEthernet1/1/1.1003-bas] commit
[~ME60-GigabitEthernet1/1/1.1003-bas] quit
[~ME60-GigabitEthernet1/1/1.1003] quit
- Enable PPPoE access to provide PPPoE access authentication for wired student and teacher users on the campus network. As a gateway and an authentication device, the ME60 sends user names and passwords to the RADIUS server for authentication, and assigns IP address to users after they are successfully authenticated.
The following describes only the PPPoE access configuration for students. For details about how to configure AAA schemes, a RADIUS server, and authentication domains, see the IPoE access configuration.
- Configure IP address pools.
# Configure IP address pool xuesheng.
[~ME60] ip pool xuesheng bas local
[*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
[*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
[*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-xuesheng] lease 0 12 0
[*ME60-ip-pool-xuesheng] commit
[~ME60-ip-pool-xuesheng] quit
# Configure IP address pool pre-ppp.
[~ME60] ip pool pre-ppp bas local
[*ME60-ip-pool-pre-ppp] gateway 10.253.128.1 255.255.128.0
[*ME60-ip-pool-pre-ppp] section 0 10.253.128.2 10.253.255.254
[*ME60-ip-pool-pre-ppp] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-pre-ppp] lease 0 12 0
[*ME60-ip-pool-pre-ppp] commit
[~ME60-ip-pool-pre-ppp] quit
- Configure user group pre-ppp.
[~ME60] user-group pre-ppp
- Configure pre-authentication domain pre-ppp.
[~ME60] aaa
[~ME60-aaa] domain pre-ppp
[*ME60-aaa-domain-pre-ppp] user-group pre-ppp
[*ME60-aaa-domain-pre-ppp] authentication-scheme none
[*ME60-aaa-domain-pre-ppp] accounting-scheme none
[*ME60-aaa-domain-pre-ppp] ip-pool pre-ppp
[*ME60-aaa-domain-pre-ppp] web-server 192.168.10.55
[*ME60-aaa-domain-pre-ppp] web-server url http://192.168.10.55/help/help.html
[*ME60-aaa-domain-pre-ppp] commit
[~ME60-aaa-domain-pre-ppp] quit
[~ME60-aaa] quit
- Configure UCLs.
[~ME60] acl 6012
[*ME60-acl-ucl-6012] rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
[*ME60-acl-ucl-6012] rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
[*ME60-acl-ucl-6012] rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
[*ME60-acl-ucl-6012] commit
[~ME60-acl-ucl-6012] quit
[~ME60] acl 6013
[*ME60-acl-ucl-6013] rule 5 permit tcp source user-group pre-ppp destination-port eq www
[*ME60-acl-ucl-6013] rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
[*ME60-acl-ucl-6013] rule 20 deny ip source user-group pre-ppp
[*ME60-acl-ucl-6013] commit
[~ME60-acl-ucl-6013] quit
- Configure a traffic policy.
[~ME60] traffic classifier 6012 operator or
[*ME60-classifier-6012] if-match acl 6012
[*ME60-classifier-6012] commit
[~ME60-classifier-6012] quit
[~ME60] traffic classifier 6013 operator or
[*ME60-classifier-6013] if-match acl 6013
[*ME60-classifier-6013] commit
[~ME60-classifier-6013] quit
[~ME60] traffic behavior 6012
[*ME60-behavior-6012] permit
[*ME60-behavior-6012] commit
[~ME60-behavior-6012] quit
[~ME60] traffic behavior 6013
[*ME60-behavior-6013] http-redirect
[*ME60-behavior-6013] commit
[~ME60-behavior-6013] quit
[~ME60] traffic policy traffic-policy-1
[*ME60-trafficpolicy-traffic-policy-1] share-mode
[*ME60-trafficpolicy-traffic-policy-1] classifier 6012 behavior 6012
[*ME60-trafficpolicy-traffic-policy-1] classifier 6013 behavior 6013
[*ME60-trafficpolicy-traffic-policy-1] commit
[~ME60-trafficpolicy-traffic-policy-1] quit
[~ME60] traffic-policy traffic-policy-1 inbound
[~ME60] traffic-policy traffic-policy-1 outbound
- Configure a virtual template.
[~ME60] interface virtual-template 1
[*ME60-Virtual-Template1] ppp authentication-mode auto
[*ME60-Virtual-Template1] commit
[~ME60-Virtual-Template1] quit
- Configure the user-side sub-interface and bind the virtual template to it.
[~ME60] interface GigabitEthernet1/1/1.1000
[*ME60-GigabitEthernet1/1/1.1000] pppoe-server bind virtual-template 1
[*ME60-GigabitEthernet1/1/1.1000] description xuesheng-ppp
[*ME60-GigabitEthernet1/1/1.1000] user-vlan 2001 3000 qinq 101 200
[*ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] commit
[~ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] quit
- Configure a BAS interface.
[~ME60-GigabitEthernet1/1/1.1000] bas
[*ME60-GigabitEthernet1/1/1.1000-bas] access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
[*ME60-GigabitEthernet1/1/1.1000-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1000-bas] authentication-method ppp web
[*ME60-GigabitEthernet1/1/1.1000-bas] commit
[~ME60-GigabitEthernet1/1/1.1000-bas] quit
[~ME60-GigabitEthernet1/1/1.1000] quit
- Configure MAC address authentication for dumb terminals such as printers and fax machines. MAC address authentication is used to simplify web authentication. When MAC address authentication is configured, a web authentication user only needs to enter the user name and password at the first authentication, and the RADIUS server records the user's MAC address. Upon the next web authentication of the user, the RADIUS server performs authentication based on the user's MAC address, removing the need to enter the user name and password again.
The following describes only the configuration of MAC address authentication. For details about how to configure AAA schemes, a RADIUS server, a web server, IP address pools, and UCL rules, see the IPoE and PPPoE access configurations.
- In the AAA view, configure the ME60 to use the MAC address carried in access request packets as the pure user name.
[~ME60] aaa
[~ME60-aaa] default-user-name include mac-address -
[*ME60-aaa] default-password cipher YsHsjx_202206
[*ME60-aaa] authentication-scheme mac
[*ME60-aaa-authen-mac] authening authen-fail online authen-domain pre-authen
[*ME60-aaa-authen-mac] commit
[~ME60-aaa-authen-mac] quit
[~ME60-aaa] quit
- Configure RADIUS server group mac.
[~ME60] radius-server group mac
[*ME60-radius-mac] radius-server authentication 192.168.10.55 1812 weight 0
[*ME60-radius-mac] radius-server accounting 192.168.10.55 1813 weight 0
[*ME60-radius-mac] radius-server shared-key-cipher YsHsjx_202206
[*ME60-radius-mac] commit
[~ME60-radius-mac] quit
- Enable MAC address authentication in the MAC address authentication domain mac, and bind the RADIUS server group mac and authentication scheme mac to this domain.
[~ME60] aaa
[~ME60-aaa] domain mac
[*ME60-aaa-domain-mac] radius-server group mac
[*ME60-aaa-domain-mac] authentication-scheme mac
[*ME60-aaa-domain-mac] accounting-scheme acc
[*ME60-aaa-domain-mac] ip-pool pre-pool
[*ME60-aaa-domain-mac] mac-authentication enable
[*ME60-aaa-domain-mac] commit
[~ME60-aaa-domain-mac] quit
[~ME60-aaa] quit
- Configure a pre-authentication domain, post-authentication domain, and authentication method on a BAS interface.
[~ME60] interface GigabitEthernet1/1/1.1101
[*ME60-GigabitEthernet1/1/1.1101] description mac-web
[*ME60-GigabitEthernet1/1/1.1101] user-vlan 600
[*ME60-GigabitEthernet1/1/1.1101-vlan-600-600] commit
[~ME60-GigabitEthernet1/1/1.1101-vlan-600-600] quit
[~ME60-GigabitEthernet1/1/1.1101] bas
[*ME60-GigabitEthernet1/1/1.1101-bas] access-type layer2-subscriber default-domain pre-authentication mac authentication jg
[*ME60-GigabitEthernet1/1/1.1101-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1101-bas] authentication-method web
[*ME60-GigabitEthernet1/1/1.1101-bas] commit
[~ME60-GigabitEthernet1/1/1.1101-bas] quit
[~ME60-GigabitEthernet1/1/1.1101] quit
- Configure DAA at different tariff levels to implement bandwidth control defined on the basis of different destination addresses of user access traffic. You can configure different bandwidths for students, teachers, business users, and dumb terminals to access the campus internal network, for example, 10 Mbit/s for students, 20 Mbit/s for teachers, and 20 Mbit/s for dumb terminals. Bind business accounts to teacher or student accounts on the campus network, and configure a bandwidth of 50 Mbit/s for students and teachers to access external networks.
The following describes only the DAA configuration. For details about how to configure AAA schemes, a RADIUS server, and a web server, see the IPoE access configuration.
- Enable the value-added service function.
[~ME60] value-added-service enable
- Configure user groups.
[~ME60] user-group xuesheng
[~ME60] user-group jiaoshi
[~ME60] user-group shangye
- Configure value-added service policies.
# Configure UCL 6001.
[~ME60] acl number 6001
[*ME60-acl-ucl-6001] rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
[*ME60-acl-ucl-6001] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye
[*ME60-acl-ucl-6001] rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
[*ME60-acl-ucl-6001] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye
[*ME60-acl-ucl-6001] rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255
[*ME60-acl-ucl-6001] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
[*ME60-acl-ucl-6001] commit
[~ME60-acl-ucl-6001] quit
# Configure UCL 6003.
[~ME60] acl number 6003
[*ME60-acl-ucl-6003] rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
[*ME60-acl-ucl-6003] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi
[*ME60-acl-ucl-6003] rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
[*ME60-acl-ucl-6003] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi
[*ME60-acl-ucl-6003] rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
[*ME60-acl-ucl-6003] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
[*ME60-acl-ucl-6003] commit
[~ME60-acl-ucl-6003] quit
# Configure UCL 6005.
[~ME60] acl number 6005
[*ME60-acl-ucl-6005] rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
[*ME60-acl-ucl-6005] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng
[*ME60-acl-ucl-6005] rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
[*ME60-acl-ucl-6005] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
[*ME60-acl-ucl-6005] rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
[*ME60-acl-ucl-6005] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
[*ME60-acl-ucl-6005] commit
[~ME60-acl-ucl-6005] quit
# Configure traffic classifier 6001.
[~ME60] traffic classifier 6001 operator or
[*ME60-classifier-6001] if-match acl 6001
[*ME60-classifier-6001] commit
[~ME60-classifier-6001] quit
# Configure traffic classifier 6003.
[~ME60] traffic classifier 6003 operator or
[*ME60-classifier-6003] if-match acl 6003
[*ME60-classifier-6003] commit
[~ME60-classifier-6003] quit
# Configure traffic classifier 6005.
[~ME60] traffic classifier 6005 operator or
[*ME60-classifier-6005] if-match acl 6005
[*ME60-classifier-6005] commit
[~ME60-classifier-6005] quit
# Configure DAA traffic behavior 6001.
[~ME60] traffic behavior 6001
[*ME60-behavior-6001] tariff-level 1
[*ME60-behavior-6001] car
[*ME60-behavior-6001] traffic-statistic
[*ME60-behavior-6001] commit
[~ME60-behavior-6001] quit
# Configure DAA traffic behavior 6003.
[~ME60] traffic behavior 6003
[*ME60-behavior-6003] tariff-level 1
[*ME60-behavior-6003] car
[*ME60-behavior-6003] traffic-statistic
[*ME60-behavior-6003] commit
[~ME60-behavior-6003] quit
# Configure DAA traffic behavior 6005.
[~ME60] traffic behavior 6005
[*ME60-behavior-6005] tariff-level 1
[*ME60-behavior-6005] car
[*ME60-behavior-6005] traffic-statistic
[*ME60-behavior-6005] commit
[~ME60-behavior-6005] quit
# Configure DAA traffic policy traffic_policy_daa.
[~ME60] traffic policy traffic_policy_daa
[*ME60-trafficpolicy-traffic_policy_daa] share-mode
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6001 behavior 6001
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6003 behavior 6003
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6005 behavior 6005
[*ME60-trafficpolicy-traffic_policy_daa] commit
[~ME60-trafficpolicy-traffic_policy_daa] quit
# Apply the DAA traffic policy traffic_policy_daa globally.
[~ME60] accounting-service-policy traffic_policy_daa
- Configure QoS profiles.
[~ME60] qos-profile 10M
[*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard inbound
[*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard outbound
[*ME60-qos-profile-10M] quit
[*ME60] qos-profile 20M
[*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard inbound
[*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard outbound
[*ME60-qos-profile-20M] quit
[*ME60] qos-profile 50M
[*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard inbound
[*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard outbound
[*ME60-qos-profile-50M] commit
[~ME60-qos-profile-50M] quit
- Configure DAA service policies.
[~ME60] value-added-service policy 10m daa
[*ME60-vas-policy-10m] accounting-scheme none
[*ME60-vas-policy-10m] traffic-separate enable
[*ME60-vas-policy-10m] tariff-level 1 qos-profile 10M
[*ME60-vas-policy-10m] quit
[*ME60] value-added-service policy 20m daa
[*ME60-vas-policy-20m] accounting-scheme none
[*ME60-vas-policy-20m] traffic-separate enable
[*ME60-vas-policy-20m] tariff-level 1 qos-profile 20M
[*ME60-vas-policy-20m] quit
[*ME60] value-added-service policy 50m daa
[*ME60-vas-policy-50m] accounting-scheme none
[*ME60-vas-policy-50m] traffic-separate enable
[*ME60-vas-policy-50m] tariff-level 1 qos-profile 50M
[*ME60-vas-policy-50m] commit
[~ME60-vas-policy-50m] quit
- Configure domains.
[~ME60] aaa
[~ME60-aaa] domain xs
[*ME60-aaa-domain-xs] value-added-service account-type none
[*ME60-aaa-domain-xs] value-added-service policy 10m
[*ME60-aaa-domain-xs] commit
[~ME60-aaa-domain-xs] quit
[~ME60-aaa] domain jg
[*ME60-aaa-domain-jg] value-added-service account-type none
[*ME60-aaa-domain-jg] value-added-service policy 20m
[*ME60-aaa-domain-jg] commit
[~ME60-aaa-domain-jg] quit
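The ME60 configuration above is a web of named objects (IP pools, user groups, AAA schemes, RADIUS groups, DAA policies, QoS profiles, UCLs, domains) that reference each other by name, and a typo in one name silently leaves a domain with no pool or no authentication scheme. The following added example (not Huawei code) splits a `[~ME60-...] command` transcript such as the one above into (view, command) pairs and cross-checks definitions against references; the SAMPLE_CONFIG is a constructed excerpt that deliberately contains a mismatched scheme name and a misspelled pool name.

```python
"""Cross-reference linter for ME60 BRAS transcripts. Added example, not Huawei
code. It parses the `[~ME60-view] command` prompt format, records which objects
each view defines and which it references, and reports references to objects
that were never created plus objects that were created but never used."""
import re

PROMPT_RE = re.compile(r"\[([~*])([^\]]+)\]\s*")

# (kind, regex on the view name, regex on the command, "def" or "ref").
# Every capturing group in the command regex is a defined or referenced name.
SPEC = [
    ("ip-pool",       r"^ME60$",             r"^ip pool (\S+)",                    "def"),
    ("ip-pool",       r"^ME60-aaa-domain-",  r"^ip-pool (\S+)",                    "ref"),
    ("user-group",    r"^ME60$",             r"^user-group (\S+)",                 "def"),
    ("user-group",    r"^ME60-aaa-domain-",  r"^user-group (\S+)",                 "ref"),
    ("user-group",    r"^ME60-acl-ucl-",     r"user-group (\S+)",                  "ref"),
    ("authen-scheme", r"^ME60-aaa$",         r"^authentication-scheme (\S+)",      "def"),
    ("authen-scheme", r"^ME60-aaa-domain-",  r"^authentication-scheme (\S+)",      "ref"),
    ("acct-scheme",   r"^ME60-aaa$",         r"^accounting-scheme (\S+)",          "def"),
    ("acct-scheme",   r"^ME60-aaa-domain-",  r"^accounting-scheme (\S+)",          "ref"),
    ("acct-scheme",   r"^ME60-vas-policy-",  r"^accounting-scheme (\S+)",          "ref"),
    ("radius-group",  r"^ME60$",             r"^radius-server group (\S+)",        "def"),
    ("radius-group",  r"^ME60-aaa-domain-",  r"^radius-server group (\S+)",        "ref"),
    ("vas-policy",    r"^ME60$",             r"^value-added-service policy (\S+)", "def"),
    ("vas-policy",    r"^ME60-aaa-domain-",  r"^value-added-service policy (\S+)", "ref"),
    ("qos-profile",   r"^ME60$",             r"^qos-profile (\S+)",                "def"),
    ("qos-profile",   r"^ME60-vas-policy-",  r"qos-profile (\S+)",                 "ref"),
    ("acl",           r"^ME60$",             r"^acl (?:number )?(\S+)",            "def"),
    ("acl",           r"^ME60-classifier-",  r"^if-match acl (\S+)",               "ref"),
    ("domain",        r"^ME60-aaa$",         r"^domain (\S+)",                     "def"),
    ("domain",        r"^ME60-aaa-authen-",  r"authen-domain (\S+)",               "ref"),
    ("domain",        r"-bas$",              r"pre-authentication (\S+) authentication (\S+)", "ref"),
]
COMPILED = [(k, re.compile(v), re.compile(c), role) for k, v, c, role in SPEC]


def split_commands(text):
    """Turn '[~ME60] a [*ME60-x] b' into [('ME60', 'a'), ('ME60-x', 'b')]."""
    parts = PROMPT_RE.split(text)   # [lead, flag, view, cmd, flag, view, cmd, ...]
    pairs = []
    for i in range(1, len(parts) - 2, 3):
        cmd = parts[i + 2].strip()
        if cmd:
            pairs.append((parts[i + 1], cmd))
    return pairs


def lint(text):
    """Return (dangling, unused): dangling = sorted (kind, name, view) references
    to undefined objects; unused = sorted (kind, name) definitions never referenced."""
    defs, refs = {}, []
    for view, cmd in split_commands(text):
        for kind, view_re, cmd_re, role in COMPILED:
            if not view_re.search(view):
                continue
            m = cmd_re.search(cmd)
            if not m:
                continue
            for name in m.groups():
                if name is None:
                    continue
                if role == "def":
                    defs.setdefault(kind, set()).add(name)
                else:
                    refs.append((kind, name, view))
    dangling = sorted({r for r in refs if r[1] not in defs.get(r[0], set())})
    used = {(k, n) for k, n, _ in refs}
    unused = sorted((k, n) for k, names in defs.items() for n in names if (k, n) not in used)
    return dangling, unused


# Constructed excerpt in the page's transcript format. It reproduces two easy
# mistakes: domain xs binds scheme "authen" while only "none" was created, and
# the pool is created as "per-pool" but bound as "pre-pool".
SAMPLE_CONFIG = """
[~ME60] ip pool per-pool bas local [*ME60-ip-pool-per-pool] gateway 10.253.0.1 255.255.128.0 [*ME60-ip-pool-per-pool] commit [~ME60-ip-pool-per-pool] quit
[~ME60] ip pool xuesheng bas local [*ME60-ip-pool-xuesheng] commit [~ME60-ip-pool-xuesheng] quit
[~ME60] user-group pre-web
[~ME60] radius-server group radius [*ME60-radius-radius] commit [~ME60-radius-radius] quit
[~ME60] aaa [~ME60-aaa] authentication-scheme none [*ME60-aaa-authen-none] authentication-mode radius [*ME60-aaa-authen-none] commit [~ME60-aaa-authen-none] quit
[~ME60-aaa] accounting-scheme acc [*ME60-aaa-accounting-acc] accounting-mode none [*ME60-aaa-accounting-acc] commit [~ME60-aaa-accounting-acc] quit
[~ME60-aaa] domain pre-authen [*ME60-aaa-domain-pre-authen] user-group pre-web [*ME60-aaa-domain-pre-authen] authentication-scheme none [*ME60-aaa-domain-pre-authen] accounting-scheme none [*ME60-aaa-domain-pre-authen] ip-pool pre-pool [*ME60-aaa-domain-pre-authen] commit [~ME60-aaa-domain-pre-authen] quit
[~ME60-aaa] domain xs [*ME60-aaa-domain-xs] user-group pre-web [*ME60-aaa-domain-xs] authentication-scheme authen [*ME60-aaa-domain-xs] accounting-scheme acc [*ME60-aaa-domain-xs] ip-pool xuesheng [*ME60-aaa-domain-xs] radius-server group radius [*ME60-aaa-domain-xs] commit [~ME60-aaa-domain-xs] quit [~ME60-aaa] quit
[~ME60] interface gigabitethernet1/1/1.1001 [*ME60-GigabitEthernet1/1/1.1001] bas [*ME60-GigabitEthernet1/1/1.1001-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs [*ME60-GigabitEthernet1/1/1.1001-bas] commit [~ME60-GigabitEthernet1/1/1.1001-bas] quit
"""

if __name__ == "__main__":
    dangling, unused = lint(SAMPLE_CONFIG)
    for kind, name, view in dangling:
        print(f"DANGLING {kind} '{name}' referenced in view {view} but never defined")
    for kind, name in unused:
        print(f"UNUSED   {kind} '{name}' defined but never referenced")
```

Paste the whole ME60 transcript into SAMPLE_CONFIG to check a real deployment; a clean run returns two empty lists.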
Configuring Firewalls (USG6315E)
- Configure interfaces.
# Configure interfaces on USG6315E_A.
<USG6315E_A> system-view
[USG6315E_A] interface loopback 0
[USG6315E_A-LoopBack0] ip address 172.16.10.1 32
[USG6315E_A-LoopBack0] quit
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] ip address 203.0.113.1 24
[USG6315E_A-GigabitEthernet1/0/1] gateway 203.0.113.254
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] ip address 192.0.2.2 24
[USG6315E_A-GigabitEthernet1/0/2] gateway 192.0.2.254
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_A] interface gigabitethernet 1/0/6
[USG6315E_A-GigabitEthernet1/0/6] ip address 172.16.11.1 30
[USG6315E_A-GigabitEthernet1/0/6] quit
[USG6315E_A] interface gigabitethernet 1/0/7
[USG6315E_A-GigabitEthernet1/0/7] ip address 172.16.11.5 30
[USG6315E_A-GigabitEthernet1/0/7] quit
# Configure interfaces on USG6315E_B.
<USG6315E_B> system-view
[USG6315E_B] interface loopback 0
[USG6315E_B-LoopBack0] ip address 172.16.10.2 32
[USG6315E_B-LoopBack0] quit
[USG6315E_B] interface gigabitethernet 1/0/1
[USG6315E_B-GigabitEthernet1/0/1] ip address 203.0.113.2 24
[USG6315E_B-GigabitEthernet1/0/1] gateway 203.0.113.254
[USG6315E_B-GigabitEthernet1/0/1] quit
[USG6315E_B] interface gigabitethernet 1/0/2
[USG6315E_B-GigabitEthernet1/0/2] ip address 192.0.2.1 24
[USG6315E_B-GigabitEthernet1/0/2] gateway 192.0.2.254
[USG6315E_B-GigabitEthernet1/0/2] quit
[USG6315E_B] interface gigabitethernet 1/0/6
[USG6315E_B-GigabitEthernet1/0/6] ip address 172.16.11.2 30
[USG6315E_B-GigabitEthernet1/0/6] quit
[USG6315E_B] interface gigabitethernet 1/0/7
[USG6315E_B-GigabitEthernet1/0/7] ip address 172.16.11.9 30
[USG6315E_B-GigabitEthernet1/0/7] quit
- Add interfaces to security zones.
# Add each interface to the corresponding security zone. Specifically, add the interfaces connected to the internal network to security zone trust, add the interfaces connected to the ISP1 network to security zone isp1, add the interfaces connected to the ISP2 network to security zone isp2, and add the heartbeat interfaces between firewalls to the DMZ.
[USG6315E_A] firewall zone trust
[USG6315E_A-zone-trust] set priority 85
[USG6315E_A-zone-trust] add interface gigabitethernet 1/0/7
[USG6315E_A-zone-trust] quit
[USG6315E_A] firewall zone name isp1
[USG6315E_A-zone-isp1] set priority 10
[USG6315E_A-zone-isp1] add interface gigabitethernet 1/0/1
[USG6315E_A-zone-isp1] quit
[USG6315E_A] firewall zone name isp2
[USG6315E_A-zone-isp2] set priority 15
[USG6315E_A-zone-isp2] add interface gigabitethernet 1/0/2
[USG6315E_A-zone-isp2] quit
[USG6315E_A] firewall zone dmz
[USG6315E_A-zone-dmz] set priority 50
[USG6315E_A-zone-dmz] add interface gigabitethernet 1/0/6
[USG6315E_A-zone-dmz] quit
[USG6315E_B] firewall zone trust
[USG6315E_B-zone-trust] set priority 85
[USG6315E_B-zone-trust] add interface gigabitethernet 1/0/7
[USG6315E_B-zone-trust] quit
[USG6315E_B] firewall zone name isp1
[USG6315E_B-zone-isp1] set priority 10
[USG6315E_B-zone-isp1] add interface gigabitethernet 1/0/1
[USG6315E_B-zone-isp1] quit
[USG6315E_B] firewall zone name isp2
[USG6315E_B-zone-isp2] set priority 15
[USG6315E_B-zone-isp2] add interface gigabitethernet 1/0/2
[USG6315E_B-zone-isp2] quit
[USG6315E_B] firewall zone dmz
[USG6315E_B-zone-dmz] set priority 50
[USG6315E_B-zone-dmz] add interface gigabitethernet 1/0/6
[USG6315E_B-zone-dmz] quit
- Configure routes and intelligent uplink selection.
# Configure static routes.
[USG6315E_A] ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 10.254.0.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
[USG6315E_A] ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
[USG6315E_A] ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
[USG6315E_A] ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
[USG6315E_B] ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
[USG6315E_B] ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
[USG6315E_B] ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
[USG6315E_B] ip route-static 192.168.10.0 255.255.255.0 172.16.11.10
# Enable the IP-link function to detect whether ISP links are working properly.
[USG6315E_A] ip-link check enable
[USG6315E_A] ip-link name ip_link_1
[USG6315E_A-iplink-ip_link_1] destination 203.0.113.254 interface gigabitethernet 1/0/1
[USG6315E_A-iplink-ip_link_1] quit
[USG6315E_A] ip-link name ip_link_2
[USG6315E_A-iplink-ip_link_2] destination 192.0.2.254 interface gigabitethernet 1/0/2
[USG6315E_A-iplink-ip_link_2] quit
[USG6315E_B] ip-link check enable
[USG6315E_B] ip-link name ip_link_1
[USG6315E_B-iplink-ip_link_1] destination 203.0.113.254 interface gigabitethernet 1/0/1
[USG6315E_B-iplink-ip_link_1] quit
[USG6315E_B] ip-link name ip_link_2
[USG6315E_B-iplink-ip_link_2] destination 192.0.2.254 interface gigabitethernet 1/0/2
[USG6315E_B-iplink-ip_link_2] quit
# Configure two default routes on each firewall, with the next hops pointing to the access points of the two ISP networks respectively.
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
[USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
[USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
# Configure intelligent uplink selection to implement load balancing based on link bandwidth.
[USG6315E_A] multi-interface
[USG6315E_A-multi-inter] mode proportion-of-bandwidth
[USG6315E_A-multi-inter] add interface gigabitethernet1/0/1
[USG6315E_A-multi-inter] add interface gigabitethernet1/0/2
[USG6315E_A-multi-inter] quit
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[USG6315E_A-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[USG6315E_A-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_B] multi-interface
[USG6315E_B-multi-inter] mode proportion-of-bandwidth
[USG6315E_B-multi-inter] add interface gigabitethernet1/0/1
[USG6315E_B-multi-inter] add interface gigabitethernet1/0/2
[USG6315E_B-multi-inter] quit
[USG6315E_B] interface gigabitethernet 1/0/1
[USG6315E_B-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[USG6315E_B-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[USG6315E_B-GigabitEthernet1/0/1] quit
[USG6315E_B] interface gigabitethernet 1/0/2
[USG6315E_B-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[USG6315E_B-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[USG6315E_B-GigabitEthernet1/0/2] quit
- Configure the Huawei Redundancy Protocol (HRP) function.
# Configure a VRRP Group Management Protocol (VGMP) group on each firewall to monitor uplink and downlink service interfaces.
[USG6315E_A] hrp track interface gigabitethernet 1/0/7
[USG6315E_B] hrp track interface gigabitethernet 1/0/7
# On USG6315E_A and USG6315E_B, configure quick session backup, specify the heartbeat interface, and enable HRP.
[USG6315E_A] hrp mirror session enable
[USG6315E_A] hrp interface gigabitethernet 1/0/6 remote 172.16.11.2
[USG6315E_A] hrp enable
[USG6315E_B] hrp mirror session enable
[USG6315E_B] hrp interface gigabitethernet 1/0/6 remote 172.16.11.1
[USG6315E_B] hrp enable
- Configure security policies to allow communication between the local zone and DMZ, allow internal network users to access external networks, and allow external network users to access the internal HTTP server.
After a hot standby group is successfully established between the active and standby firewalls, the security policies configured on USG6315E_A are automatically synchronized to USG6315E_B. The following describes only the configuration on USG6315E_A.
[USG6315E_A] security-policy
[USG6315E_A-policy-security] rule name policy_dmz
[USG6315E_A-policy-security-rule-policy_dmz] source-zone local
[USG6315E_A-policy-security-rule-policy_dmz] source-zone dmz
[USG6315E_A-policy-security-rule-policy_dmz] destination-zone local
[USG6315E_A-policy-security-rule-policy_dmz] destination-zone dmz
[USG6315E_A-policy-security-rule-policy_dmz] action permit
[USG6315E_A-policy-security-rule-policy_dmz] quit
[USG6315E_A-policy-security] rule name trust_to_untrust
[USG6315E_A-policy-security-rule-trust_to_untrust] source-zone trust
[USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp1
[USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp2
[USG6315E_A-policy-security-rule-trust_to_untrust] action permit
[USG6315E_A-policy-security-rule-trust_to_untrust] quit
[USG6315E_A-policy-security] rule name untrust_to_trust
[USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp1
[USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp2
[USG6315E_A-policy-security-rule-untrust_to_trust] destination-zone trust
[USG6315E_A-policy-security-rule-untrust_to_trust] destination-address 192.168.10.0 24
[USG6315E_A-policy-security-rule-untrust_to_trust] action permit
[USG6315E_A-policy-security-rule-untrust_to_trust] quit
[USG6315E_A-policy-security] quit
- Configure NAT policies.
# On USG6315E_A, create address pools addressgroup1 (203.0.113.1 to 203.0.113.5) and addressgroup2 (192.0.2.1 to 192.0.2.5). The address pools configured on USG6315E_A will be automatically synchronized to USG6315E_B.
```
[USG6315E_A] nat address-group addressgroup1
[USG6315E_A-address-group-addressgroup1] section 0 203.0.113.1 203.0.113.5
[USG6315E_A-address-group-addressgroup1] mode pat
[USG6315E_A-address-group-addressgroup1] route enable
[USG6315E_A-address-group-addressgroup1] quit
[USG6315E_A] nat address-group addressgroup2
[USG6315E_A-address-group-addressgroup2] section 1 192.0.2.1 192.0.2.5
[USG6315E_A-address-group-addressgroup2] mode pat
[USG6315E_A-address-group-addressgroup2] route enable
[USG6315E_A-address-group-addressgroup2] quit
```
# Configure source NAT policies to allow internal network users to access the Internet through post-NAT public IP addresses.
```
[USG6315E_A] nat-policy
[USG6315E_A-policy-nat] rule name policy_nat_1
[USG6315E_A-policy-nat-rule-policy_nat_1] source-zone trust
[USG6315E_A-policy-nat-rule-policy_nat_1] destination-zone isp1
[USG6315E_A-policy-nat-rule-policy_nat_1] action nat address-group addressgroup1
[USG6315E_A-policy-nat-rule-policy_nat_1] quit
[USG6315E_A-policy-nat] rule name policy_nat_2
[USG6315E_A-policy-nat-rule-policy_nat_2] source-zone trust
[USG6315E_A-policy-nat-rule-policy_nat_2] destination-zone isp2
[USG6315E_A-policy-nat-rule-policy_nat_2] action nat address-group addressgroup2
[USG6315E_A-policy-nat-rule-policy_nat_2] quit
[USG6315E_A-policy-nat] quit
```
# Contact ISP network administrators to configure routes with the destination addresses in addressgroup1 and addressgroup2 and with the next hops being the interface addresses of the firewalls.
- Configure NAT Server.
# Assume that the HTTP server on the internal network applies to ISP1 and ISP2 for public IP addresses (203.0.113.10 and 192.0.2.10) so that the external network users of ISP1 and ISP2 can access the HTTP server through their respective public IP addresses.
# Configure static server mapping.
```
[USG6315E_A] nat server web_for_isp1 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 80 no-reverse
[USG6315E_A] nat server web_for_isp2 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 80 no-reverse
```
# Contact ISP network administrators to configure a route with the destination address being the public IP address of the HTTP server and the next hop being the firewall interface address.
# Configure blackhole routes.
```
[USG6315E_A] ip route-static 203.0.113.100 32 NULL 0
[USG6315E_A] ip route-static 192.0.2.100 32 NULL 0
[USG6315E_B] ip route-static 203.0.113.100 32 NULL 0
[USG6315E_B] ip route-static 192.0.2.100 32 NULL 0
```
# Configure the same interface to receive and send packets.
```
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] redirect-reverse next-hop 203.0.113.254
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] redirect-reverse next-hop 192.0.2.254
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_B] interface gigabitethernet 1/0/1
[USG6315E_B-GigabitEthernet1/0/1] redirect-reverse next-hop 203.0.113.254
[USG6315E_B-GigabitEthernet1/0/1] quit
[USG6315E_B] interface gigabitethernet 1/0/2
[USG6315E_B-GigabitEthernet1/0/2] redirect-reverse next-hop 192.0.2.254
[USG6315E_B-GigabitEthernet1/0/2] quit
```
- Configure smart DNS.
```
[USG6315E_A] dns-smart enable
[USG6315E_A] dns-smart group 1 type multi
[USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/1 map 203.0.113.10
[USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/2 map 192.0.2.10
[USG6315E_A-dns-smart-group-1] quit
```
- Configure attack defense.
```
[USG6315E_A] firewall defend land enable
[USG6315E_A] firewall defend smurf enable
[USG6315E_A] firewall defend fraggle enable
[USG6315E_A] firewall defend winnuke enable
[USG6315E_A] firewall defend source-route enable
[USG6315E_A] firewall defend route-record enable
[USG6315E_A] firewall defend time-stamp enable
[USG6315E_A] firewall defend ping-of-death enable
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] anti-ddos flow-statistic enable
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_A] anti-ddos baseline-learn start
[USG6315E_A] anti-ddos baseline-learn tolerance-value 100
[USG6315E_A] anti-ddos baseline-learn apply
[USG6315E_A] anti-ddos syn-flood source-detect
[USG6315E_A] anti-ddos udp-flood dynamic-fingerprint-learn
[USG6315E_A] anti-ddos udp-frag-flood dynamic-fingerprint-learn
[USG6315E_A] anti-ddos http-flood defend alert-rate 2000
[USG6315E_A] anti-ddos http-flood source-detect mode basic
```
- Configure application behavior control.
This function requires a license and dynamic installation of the corresponding component package.
# Create an application behavior control file to prohibit HTTP and FTP operations during the class time.
```
[USG6315E_A] profile type app-control name profile_app_work
[USG6315E_A-profile-app-control-profile_app_work] http-control post action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control proxy action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control web-browse action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file delete action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_work] quit
```
# Create an application behavior control file to allow only HTTP web browsing, HTTP proxy surfing, and HTTP file download during the break time.
```
[USG6315E_A] profile type app-control name profile_app_rest
[USG6315E_A-profile-app-control-profile_app_rest] http-control post action deny
[USG6315E_A-profile-app-control-profile_app_rest] http-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file delete action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_rest] quit
```
# Create time range working_hours, which indicates the class time.
```
[USG6315E_A] time-range working_hours
[USG6315E_A-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
[USG6315E_A-time-range-working_hours] quit
```
# Create time range off_hours, which indicates the break time.
```
[USG6315E_A] time-range off_hours
[USG6315E_A-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
[USG6315E_A-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
[USG6315E_A-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
[USG6315E_A-time-range-off_hours] quit
```
# Configure the security policy policy_sec_work and reference the time range working_hours and application behavior control file profile_app_work to control the application behavior of students during the class time.
```
[USG6315E_A] security-policy
[USG6315E_A-policy-security] rule name policy_sec_work
[USG6315E_A-policy-security-rule-policy_sec_work] source-zone trust
[USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp1
[USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp2
[USG6315E_A-policy-security-rule-policy_sec_work] user any
[USG6315E_A-policy-security-rule-policy_sec_work] time-range working_hours
[USG6315E_A-policy-security-rule-policy_sec_work] profile app-control profile_app_work
[USG6315E_A-policy-security-rule-policy_sec_work] action permit
[USG6315E_A-policy-security-rule-policy_sec_work] quit
```
# Configure the security policy policy_sec_rest and reference the time range off_hours and application behavior control file profile_app_rest to control the application behavior of students during the break time.
```
[USG6315E_A-policy-security] rule name policy_sec_rest
[USG6315E_A-policy-security-rule-policy_sec_rest] source-zone trust
[USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp1
[USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp2
[USG6315E_A-policy-security-rule-policy_sec_rest] user any
[USG6315E_A-policy-security-rule-policy_sec_rest] time-range off_hours
[USG6315E_A-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
[USG6315E_A-policy-security-rule-policy_sec_rest] action permit
[USG6315E_A-policy-security-rule-policy_sec_rest] quit
```
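The firewall evaluates security policies top-down in configuration order and stops at the first match, so the position of policy_sec_work and policy_sec_rest relative to the earlier catch-all trust_to_untrust decides whether the app-control profiles ever take effect. The following Python script is an added example, not Huawei code: it models the five security-policy rules and two time ranges from this page, reports which rule a sample flow hits, and flags rules that an earlier rule shadows. It assumes first-match evaluation in configuration order, working-day meaning Monday to Friday and off-day meaning Saturday and Sunday, and uses the constructed sample addresses 198.51.100.7 and 10.254.0.5.

```python
"""Model of the USG6315E_A security-policy list. Added example, not Huawei code.
Assumes first-match, top-down evaluation in configuration order; working-day =
Mon-Fri, off-day = Sat-Sun; sample addresses and instants below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Time ranges exactly as configured on USG6315E_A.
TIME_RANGES = {
    "working_hours": [("working-day", "09:00:00", "17:30:00")],
    "off_hours": [("off-day", "00:00:00", "23:59:59"),
                  ("working-day", "00:00:00", "08:59:59"),
                  ("working-day", "17:30:01", "23:59:59")],
}

@dataclass
class Rule:
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    dst_nets: List[str] = field(default_factory=list)  # empty = any destination
    time_range: Optional[str] = None                   # None = always active
    profile: Optional[str] = None                      # app-control profile
    action: str = "permit"

# The five rules in the order the page's configuration file lists them.
PAGE_ORDER = [
    Rule("trust_to_untrust", {"trust"}, {"isp1", "isp2"}),
    Rule("untrust_to_trust", {"isp1", "isp2"}, {"trust"},
         dst_nets=["192.168.10.0/24"]),
    Rule("policy_dmz", {"local", "dmz"}, {"local", "dmz"}),
    Rule("policy_sec_work", {"trust"}, {"isp1", "isp2"},
         time_range="working_hours", profile="profile_app_work"),
    Rule("policy_sec_rest", {"trust"}, {"isp1", "isp2"},
         time_range="off_hours", profile="profile_app_rest"),
]

def time_range_active(name: Optional[str], when: datetime) -> bool:
    """True if the named time-range covers the instant `when` (None = always)."""
    if name is None:
        return True
    day_kind = "working-day" if when.weekday() < 5 else "off-day"
    now = when.time()
    return any(kind == day_kind
               and time.fromisoformat(start) <= now <= time.fromisoformat(end)
               for kind, start, end in TIME_RANGES[name])

def rule_matches(rule: Rule, src_zone: str, dst_zone: str,
                 dst_ip: str, when: datetime) -> bool:
    if src_zone not in rule.src_zones or dst_zone not in rule.dst_zones:
        return False
    if rule.dst_nets and not any(ip_address(dst_ip) in ip_network(n)
                                 for n in rule.dst_nets):
        return False
    return time_range_active(rule.time_range, when)

def first_match(rules: List[Rule], src_zone: str, dst_zone: str,
                dst_ip: str, when: datetime) -> Optional[str]:
    """Name of the first rule a flow hits, or None for the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, dst_ip, when):
            return rule.name
    return None

def find_shadowed(rules: List[Rule]) -> List[str]:
    """Conservative shadow check: a rule can never be hit if an earlier rule
    covers all of its zones and carries no address or time-range condition."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_zones >= later.src_zones
                    and earlier.dst_zones >= later.dst_zones
                    and not earlier.dst_nets and earlier.time_range is None):
                shadowed.append(later.name)
                break
    return shadowed

def move_before(rules: List[Rule], name: str, target: str) -> List[Rule]:
    """Reorder like `rule move <name> before <target>` in the security-policy view."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == target)
    return rest[:idx] + [moved] + rest[idx:]

# Corrected order: the time-bound app-control rules sit above the catch-all.
FIXED_ORDER = move_before(
    move_before(PAGE_ORDER, "policy_sec_work", "trust_to_untrust"),
    "policy_sec_rest", "trust_to_untrust")

# Constructed sample instants: class time, just after class, and a weekend.
MONDAY_CLASS = datetime(2024, 1, 8, 10, 0, 0)
MONDAY_AFTER = datetime(2024, 1, 8, 17, 30, 1)
SATURDAY = datetime(2024, 1, 13, 10, 0, 0)

if __name__ == "__main__":
    print("shadowed in page order:", find_shadowed(PAGE_ORDER))
    for order, label in ((PAGE_ORDER, "page order"), (FIXED_ORDER, "fixed order")):
        print(label, "student -> ISP1 in class time hits:",
              first_match(order, "trust", "isp1", "198.51.100.7", MONDAY_CLASS))
```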
Verifying the Deployment
- Check the AP online status on the core switch S12700E-8.
```
[S12700E-8] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
-----------------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type       State STA Uptime          ExtraInfo
-----------------------------------------------------------------------------------------------------
0    00e0-fc12-3455 area_1  ap-group1  10.250.12.109  AP4050DN   nor   0   1D:0H:34M:33S   -
-----------------------------------------------------------------------------------------------------
Total: 1
```
- User 1 and user 2 access the network in the student dormitory through wired authentication and wireless authentication, respectively. After the authentication succeeds, you can check the user information on the ME60, including the interface of the access switch from which the wired user goes online and the AP from which the wireless user goes online. On the ME60, you can check information about online users, check whether users have obtained corresponding network access rights, and check whether user 1 and user 2 can access the post-authentication domain.
- User 1 and user 2 access the network in the teaching and office areas through wired authentication and wireless authentication, respectively. After the authentication succeeds, you can check the user information on the ME60, including the interface of the access switch from which the wired user goes online and the AP from which the wireless user goes online. On the ME60, you can check information about online users, check whether users have obtained corresponding network access rights, and check whether user 1 and user 2 can access the post-authentication domain.
Configuration Files
S5735-L_A

```
#
sysname S5735-L_A
#
vlan batch 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2001
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 4004
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3001 to 3500 4004
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 600
 stp edged-port enable
#
return
```

S5735-L_B

```
#
sysname S5735-L_B
#
vlan batch 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2001
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 4004
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3001 to 3500 4004
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 600
 stp edged-port enable
#
return
```
S6730-H_A

```
#
sysname S6730-H_A
#
vlan batch 101 to 200 600 1601 to 1800 4004
#
interface XGigabitEthernet1/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid tagged vlan 600 4004
 port hybrid untagged vlan 101 1601
 port vlan-stacking vlan 2001 to 3000 stack-vlan 101
 port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
#
interface XGigabitEthernet3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
#
return
```

S6730-H_B

```
#
sysname S6730-H_B
#
vlan batch 201 to 400 600 1801 to 2000 4004
#
interface XGigabitEthernet1/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid tagged vlan 600 4004
 port hybrid untagged vlan 201 1801
 port vlan-stacking vlan 2001 to 3000 stack-vlan 201
 port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
#
interface XGigabitEthernet3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
#
return
```
S12700E-8

```
#
sysname S12700E-8
#
vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
#
dhcp enable
#
interface Vlanif4004
 ip address 10.250.0.1 255.255.240.0
 arp-proxy enable
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
#
interface Vlanif4010
 ip address 172.16.11.13 255.255.255.252
#
interface XGigabitEthernet4/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 200 600 1601 to 1801 4004
 port-isolate enable group 1
#
interface XGigabitEthernet4/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
 port-isolate enable group 1
#
interface XGigabitEthernet5/0/7
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
#
interface LoopBack0
 ip address 172.16.10.4 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.14
ip route-static 172.16.10.2 255.255.255.255 172.16.11.14
ip route-static 172.16.10.3 255.255.255.255 172.16.11.14
#
capwap source interface vlanif4004
#
wlan
 traffic-profile name new-vap-traffic-1
  user-isolate l2
 security-profile name wlan-security
  security open
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 3001
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile new-vap-traffic-1
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 75 ap-mac 00e0-fc76-e370 ap-sn 21500831023GJ1006553
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
```
ME60

```
#
sysname ME60
#
value-added-service enable
#
user-group pre-web
user-group pre-ppp
user-group xuesheng
user-group jiaoshi
#
radius-server source interface LoopBack0
radius-server authorization 192.168.10.55 shared-key-cipher %^%#&|-oI:&#&%<ZBPF\0s@"-vgF~lVjpAB5w[5XP4=4%^%#
radius-server authorization 192.168.10.241 shared-key-cipher %^%#O1n13EDPo9e7bHWac{b7-FtB(:e}f@pT-p6l=$<*%^%#
#
radius-server group radius
 radius-server shared-key-cipher %^%#l$~9,kQZF!:j]$R54Ka~=3]%L8^w7,E+Ft2X*}:@%^%#
 radius-server authentication 192.168.10.55 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 undo radius-server user-name domain-included
#
radius-server group mac
 radius-server shared-key-cipher %^%#/W@Y%>vX8EzCg<LzjKV$G(0j&;2"}:5Nzy3pc[=+%^%#
 radius-server authentication 192.168.10.55 1812 weight 0
 radius-server accounting 192.168.10.55 1813 weight 0
#
qos-profile 50M
 car cir 50000 cbs 9350000 green pass red discard inbound
 car cir 50000 cbs 9350000 green pass red discard outbound
#
qos-profile 20M
 car cir 20000 cbs 3740000 green pass red discard inbound
 car cir 20000 cbs 3740000 green pass red discard outbound
#
qos-profile 10M
 car cir 10000 cbs 1870000 green pass red discard inbound
 car cir 10000 cbs 1870000 green pass red discard outbound
#
ip pool jiaoshi bas local
 gateway 10.254.128.1 255.255.128.0
 section 0 10.254.128.2 10.254.255.254
 excluded-ip-address 10.254.128.2 10.254.129.254
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
#
ip pool pre-pool bas local
 gateway 10.253.0.1 255.255.128.0
 section 0 10.253.0.2 10.253.127.254
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
#
ip pool pre-ppp bas local
 gateway 10.253.128.1 255.255.128.0
 section 0 10.253.128.2 10.253.255.254
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
#
ip pool xuesheng bas local
 gateway 10.254.0.1 255.255.128.0
 section 0 10.254.0.2 10.254.127.254
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
#
acl number 6001
 rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye
 rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye
 rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
#
acl number 6003
 rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi
 rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi
 rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
#
acl number 6005
 rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng
 rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
 rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
#
acl number 6010
 rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
 rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
 rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
 rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
 rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
#
acl number 6011
 rule 5 permit tcp source user-group pre-web destination-port eq www
 rule 10 permit tcp source user-group pre-web destination-port eq 8080
 rule 20 permit ip source user-group pre-web
#
acl number 6012
 rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
 rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
 rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
#
acl number 6013
 rule 5 permit tcp source user-group pre-ppp destination-port eq www
 rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
 rule 20 deny ip source user-group pre-ppp
#
traffic classifier 6001 operator or
 if-match acl 6001
#
traffic classifier 6003 operator or
 if-match acl 6003
#
traffic classifier 6005 operator or
 if-match acl 6005
#
traffic classifier 6010 operator or
 if-match acl 6010
#
traffic classifier 6011 operator or
 if-match acl 6011
#
traffic classifier 6012 operator or
 if-match acl 6012
#
traffic classifier 6013 operator or
 if-match acl 6013
#
traffic behavior 6001
 car tariff-level 1
 traffic-statistic
#
traffic behavior 6003
 car tariff-level 1
 traffic-statistic
#
traffic behavior 6005
 car tariff-level 1
 traffic-statistic
#
traffic behavior 6010
#
traffic behavior 6011
 http-redirect
#
traffic behavior 6012
#
traffic behavior 6013
 http-redirect
#
traffic policy traffic-policy-1
 share-mode
 classifier 6010 behavior 6010 precedence 1
 classifier 6011 behavior 6011 precedence 2
 classifier 6012 behavior 6012 precedence 3
 classifier 6013 behavior 6013 precedence 4
#
traffic policy traffic_policy_daa
 share-mode
 classifier 6003 behavior 6003 precedence 1
 classifier 6005 behavior 6005 precedence 2
#
aaa
 http-redirect enable
 default-password cipher %$%$MD{\.!~j'P#Jl%3cJBm6#QWv%$%$
 default-user-name include mac-address -
 local-user root password irreversible-cipher +Hv$!xKCa#UY6\$GWJ!N4[QH.O/'HIa@AoURN`>;R"Z8PtIa\3AZAy6Sa60(C6GCN
 #
 authentication-scheme none
 #
 authentication-scheme authen
 #
 accounting-scheme none
  accounting-mode none
 #
 accounting-scheme acc
  accounting interim interval 15
 #
 domain pre-authen
  authentication-scheme none
  accounting-scheme none
  ip-pool pre-pool
  user-group pre-web
  web-server 192.168.10.53
  web-server url http://192.168.10.53/help/help.html
 #
 domain xs
  authentication-scheme authen
  accounting-scheme acc
  radius-server group radius
  ip-pool xuesheng
  ip-pool jiaoshi
  value-added-service account-type none
  value-added-service policy 10m
  user-group pre-web
  web-server 192.168.10.53
  web-server url http://192.168.10.53/help/help.html
  portal-server 192.168.10.100
  portal-server url http://192.168.10.100/portal/
  quota-out online
 #
 domain jg
  authentication-scheme authen
  accounting-scheme acc
  radius-server group radius
  ip-pool jiaoshi
  value-added-service account-type none
  value-added-service policy 20m
  user-group pre-web
  portal-server 192.168.10.100
  portal-server url http://192.168.10.100/portal/
  quota-out online
 #
 domain pre-ppp
  authentication-scheme none
  accounting-scheme none
  ip-pool pre-ppp
  user-group pre-ppp
  web-server 192.168.10.55
  web-server url http://192.168.10.55/help/help.html
 #
 domain mac
  authentication-scheme mac
  accounting-scheme acc
  radius-server group mac
  ip-pool pre-pool
  mac-authentication enable
#
value-added-service policy 10m daa
 accounting-scheme none
 traffic-separate enable
 tariff-level 1 qos-profile 10M
#
value-added-service policy 20m daa
 accounting-scheme none
 traffic-separate enable
 tariff-level 1 qos-profile 20M
#
value-added-service policy 50m daa
 accounting-scheme none
 traffic-separate enable
 tariff-level 1 qos-profile 50M
#
interface Virtual-Template1
 ppp authentication-mode auto
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.11.6 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.11.10 255.255.255.252
#
interface GigabitEthernet 1/1/1.1000
 description xuesheng-ppp
 user-vlan 2001 3000 qinq 101 200
 pppoe-server bind Virtual-Template 1
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
  dhcp session-mismatch action offline
  authentication-method ppp web
 #
#
interface GigabitEthernet 1/1/1.1001
 description xuesheng-web
 user-vlan 3001 3500 qinq 1601 1800
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
  dhcp session-mismatch action offline
  authentication-method web
 #
#
interface GigabitEthernet 1/1/1.1002
 description jiaoshi-ppp
 user-vlan 2001 3000 qinq 201 400
 pppoe-server bind Virtual-Template 1
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication jg
  dhcp session-mismatch action offline
  authentication-method ppp web
 #
#
interface GigabitEthernet 1/1/1.1003
 description jiaoshi-web
 user-vlan 3001 3500 qinq 1801 2000
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
  dhcp session-mismatch action offline
  authentication-method web
 #
#
interface GigabitEthernet 1/1/1.1101
 description mac-web
 user-vlan 600
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication mac authentication jg
  dhcp session-mismatch action offline
  authentication-method web
 #
#
interface GigabitEthernet 1/1/1.4010
 vlan-type dot1q 4010
 ip address 172.16.11.14 255.255.255.252
#
interface LoopBack0
 ip address 172.16.10.3 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.5
ip route-static 172.16.10.2 255.255.255.255 172.16.11.9
ip route-static 172.16.10.4 255.255.255.255 172.16.11.13
#
web-auth-server source interface LoopBack0
web-auth-server 192.168.10.53 port 50100 key cipher %^%#S2#I1~`Kc/>vz1F4u3q+_DHT)ZE^`"n:w>!li(<C%^%#
#
traffic-policy traffic-policy-1 inbound
traffic-policy traffic-policy-1 outbound
#
accounting-service-policy traffic_policy_daa
#
return
```
USG6315E_A

```
#
sysname USG6315E_A
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.2
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
ip-link check enable
ip-link name ip_link_1
 destination 203.0.113.254 interface GigabitEthernet1/0/1 mode icmp
ip-link name ip_link_2
 destination 192.0.2.254 interface GigabitEthernet1/0/2 mode icmp
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
interface GigabitEthernet1/0/1
 ip address 203.0.113.1 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
 bandwidth ingress 800000 threshold 95
 bandwidth egress 800000 threshold 95
 redirect-reverse next-hop 203.0.113.254
#
interface GigabitEthernet1/0/2
 ip address 192.0.2.2 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 192.0.2.254
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 192.0.2.254
#
interface GigabitEthernet1/0/6
 ip address 172.16.11.1 255.255.255.252
#
interface GigabitEthernet1/0/7
 ip address 172.16.11.5 255.255.255.252
#
interface LoopBack0
 ip address 172.16.10.1 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/7
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
 set priority 10
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
 set priority 15
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
ip route-static 10.254.0.0 255.255.128.0 172.16.11.6
ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
ip route-static 203.0.113.100 255.255.255.255 NULL 0
ip route-static 192.0.2.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
 http-control web-browse action deny
 http-control proxy action deny
 http-control post action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
 http-control post action deny
 http-control file direction upload action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 203.0.113.1 203.0.113.5
#
nat address-group addressgroup2 1
 mode pat
 route enable
 section 1 192.0.2.1 192.0.2.5
#
dns-smart group 1 type multi
 out-interface GigabitEthernet 1/0/1 map 203.0.113.10
 out-interface GigabitEthernet 1/0/2 map 192.0.2.10
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action nat address-group addressgroup2
#
return
```

USG6315E_B

```
#
sysname USG6315E_B
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
ip-link check enable
ip-link name ip_link_1
 destination 203.0.113.254 interface GigabitEthernet1/0/1 mode icmp
ip-link name ip_link_2
 destination 192.0.2.254 interface GigabitEthernet1/0/2 mode icmp
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
interface GigabitEthernet1/0/1
 ip address 203.0.113.2 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
 bandwidth ingress 800000 threshold 95
 bandwidth egress 800000 threshold 95
 redirect-reverse next-hop 203.0.113.254
#
interface GigabitEthernet1/0/2
 ip address 192.0.2.1 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 192.0.2.254
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 192.0.2.254
#
interface GigabitEthernet1/0/6
 ip address 172.16.11.2 255.255.255.252
#
interface GigabitEthernet1/0/7
 ip address 172.16.11.9 255.255.255.252
#
interface LoopBack0
 ip address 172.16.10.2 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/7
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
 set priority 10
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
 set priority 15
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
ip route-static 192.168.10.0 255.255.255.0 172.16.11.10
ip route-static 203.0.113.100 255.255.255.255 NULL 0
ip route-static 192.0.2.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 203.0.113.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 192.0.2.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
 http-control web-browse action deny
 http-control proxy action deny
 http-control post action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
 http-control post action deny
 http-control file direction upload action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 203.0.113.1 203.0.113.5
#
nat address-group addressgroup2 1
 mode pat
 route enable
 section 1 192.0.2.1 192.0.2.5
#
dns-smart group 1 type multi
 out-interface GigabitEthernet 1/0/1 map 203.0.113.10
 out-interface GigabitEthernet 1/0/2 map 192.0.2.10
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action nat address-group addressgroup2
#
return
```