
NE40E V800R010C00 Configuration Guide - User Access 01

Example for Configuring Layer 3 IPoE Access (Web Authentication)


This section provides an example for configuring Layer 3 IPoE access with Web authentication; the networking diagram helps in understanding the configuration process. The example covers the networking requirements, configuration roadmap, data preparation, procedure, and configuration files.

Networking Requirements

As shown in Figure 6-3, the networking requirements for Layer 3 IPoE access are as follows:

  • Users belong to the domain isp2 and access DeviceB in Layer 3 IPoE mode through the DHCP relay DeviceA, connecting under interface GE1/0/2 of DeviceB.

  • Users are authenticated by Web authentication, using RADIUS authentication and RADIUS accounting.

  • The RADIUS server address is 192.168.8.249; the authentication and accounting ports are 1812 and 1813 respectively; the standard RADIUS protocol is used and the shared key is it-is-my-secret1.

  • The DNS server address is 192.168.8.252.

  • The Web authentication server address is 192.168.8.251 and its key is webvlan.

Figure 6-3  Networking diagram for the Layer 3 IPoE configuration example
Note:

In this example, interface1, interface2, interface3 and interface4 represent GE 1/0/1, GE 1/0/2, GE 1/0/1.1 and GE 1/0/2.1 respectively.



Configuration Roadmap

The configuration roadmap for Layer 3 IPoE access is as follows. Except for the DHCP relay function, all functions are configured on DeviceB:

  1. Configure the DHCP relay function on DeviceA.

  2. Configure an authentication scheme and an accounting scheme.

  3. Configure a RADIUS server group.

  4. Configure an address pool.

  5. Configure the pre-authentication domain and the authentication domain for Web authentication.

  6. Configure the Web authentication server.

  7. Configure UCL rules and traffic management policies.

  8. Configure the BAS interface and the upstream interface.

Data Preparation

To complete this configuration example, the following data is required:

  • Name and authentication mode of the authentication scheme

  • Name and accounting mode of the accounting scheme

  • Name of the RADIUS server group, and the IP addresses and port numbers of the RADIUS authentication server and RADIUS accounting server

  • Name, gateway address and DNS server address of the address pool

  • Domain names

  • Web authentication server address

  • UCL rules

  • Traffic management policies

  • BAS interface parameters

Procedure

  1. Configure interface IP addresses on DeviceA and DeviceB.

    # Configure DeviceA.

    <DeviceA> system-view
    [~DeviceA] interface GigabitEthernet1/0/2
    [*DeviceA-GigabitEthernet1/0/2] ip address 11.11.11.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/2] quit
    [*DeviceA] interface GigabitEthernet1/0/1.1
    [*DeviceA-GigabitEthernet1/0/1.1] ip address 192.168.1.2 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceA-GigabitEthernet1/0/1.1] commit
    [~DeviceA-GigabitEthernet1/0/1.1] quit

    # Configure DeviceB.

    <DeviceB> system-view
    [~DeviceB] interface GigabitEthernet1/0/2.1
    [*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/2.1] commit
    [~DeviceB-GigabitEthernet1/0/2.1] quit
    

  2. Configure the DHCP relay function on DeviceA.

    [~DeviceA] interface GigabitEthernet1/0/2
    [*DeviceA-GigabitEthernet1/0/2] dhcp select relay
    [*DeviceA-GigabitEthernet1/0/2] ip relay address 192.168.1.1
    [*DeviceA-GigabitEthernet1/0/2] commit
    [~DeviceA-GigabitEthernet1/0/2] quit
    

  3. Configure a network-side address pool on DeviceB. The gateway address must be on the same network segment as the IP address of the inbound interface of the relay (DeviceA).

    [~DeviceB] ip pool huawei bas local
    [*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
    [*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
    [*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
    [*DeviceB-ip-pool-huawei] commit
    [~DeviceB-ip-pool-huawei] quit
    

  4. Configure AAA schemes.

    # Configure an authentication scheme.

    [~DeviceB] aaa
    [*DeviceB-aaa] authentication-scheme auth2
    [*DeviceB-aaa-authen-auth2] authentication-mode radius
    [*DeviceB-aaa-authen-auth2] commit
    [~DeviceB-aaa-authen-auth2] quit

    # Configure an accounting scheme.

    [~DeviceB-aaa] accounting-scheme acct2
    [*DeviceB-aaa-accounting-acct2] accounting-mode radius
    [*DeviceB-aaa-accounting-acct2] commit
    [~DeviceB-aaa-accounting-acct2] quit
    [~DeviceB-aaa] quit

  5. Configure a RADIUS server group.

    [~DeviceB] radius-server group rd2
    [*DeviceB-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*DeviceB-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*DeviceB-radius-rd2] radius-server type standard
    [*DeviceB-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*DeviceB-radius-rd2] commit
    [~DeviceB-radius-rd2] quit

  6. Configure domains.

    # Configure the domain default0 as the pre-authentication domain for Web authentication.

    [~DeviceB] user-group huawei
    [*DeviceB] aaa
    [*DeviceB-aaa] domain default0
    [*DeviceB-aaa-domain-default0] user-group huawei
    [*DeviceB-aaa-domain-default0] web-server 192.168.8.251
    [*DeviceB-aaa-domain-default0] web-server url http://192.168.8.251
    [*DeviceB-aaa-domain-default0] ip-pool huawei
    [*DeviceB-aaa-domain-default0] commit
    [~DeviceB-aaa-domain-default0] quit

    # Configure the domain isp2 as the authentication domain for Web authentication.

    [~DeviceB-aaa] domain isp2
    [*DeviceB-aaa-domain-isp2] authentication-scheme auth2
    [*DeviceB-aaa-domain-isp2] accounting-scheme acct2
    [*DeviceB-aaa-domain-isp2] radius-server group rd2
    [*DeviceB-aaa-domain-isp2] portal-server 192.168.8.251
    [*DeviceB-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
    [*DeviceB-aaa-domain-isp2] commit
    [~DeviceB-aaa-domain-isp2] quit
    [~DeviceB-aaa] quit

  7. Configure the Web authentication server.

    [~DeviceB] web-auth-server 192.168.8.251 key webvlan
    [*DeviceB] commit

  8. Configure UCL.

    # Configure UCL rules.

    [~DeviceB] acl 6000
    [*DeviceB-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
    [*DeviceB-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
    Note:

    The UCL rules for 127.0.0.1 are configured so that user packets sent to the CPU of DeviceB can pass.

    [*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
    [*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
    [*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
    [*DeviceB-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] commit
    [~DeviceB-acl-ucl-6000] quit
    [~DeviceB] acl 6001
    [*DeviceB-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
    [*DeviceB-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
    [*DeviceB-acl-ucl-6001] commit
    [~DeviceB-acl-ucl-6001] quit
    [~DeviceB] acl 6002
    [*DeviceB-acl-ucl-6002] rule 5 permit ip source ip-address any destination user-group huawei
    [*DeviceB-acl-ucl-6002] commit
    [~DeviceB-acl-ucl-6002] quit

    # Configure traffic management policies.

    [~DeviceB] traffic classifier web_permit
    [*DeviceB-classifier-web_permit] if-match acl 6000
    [*DeviceB-classifier-web_permit] commit
    [~DeviceB-classifier-web_permit] quit
    [~DeviceB] traffic behavior web_permit
    [*DeviceB-behavior-web_permit] permit
    [*DeviceB-behavior-web_permit] commit
    [~DeviceB-behavior-web_permit] quit
    [~DeviceB] traffic classifier web_deny
    [*DeviceB-classifier-web_deny] if-match acl 6001
    [*DeviceB-classifier-web_deny] commit
    [~DeviceB-classifier-web_deny] quit
    [~DeviceB] traffic behavior web_deny
    [*DeviceB-behavior-web_deny] http-redirect
    [*DeviceB-behavior-web_deny] commit
    [~DeviceB-behavior-web_deny] quit
    [~DeviceB] traffic classifier web_out
    [*DeviceB-classifier-web_out] if-match acl 6002
    [*DeviceB-classifier-web_out] commit
    [~DeviceB-classifier-web_out] quit
    [~DeviceB] traffic behavior web_out
    [*DeviceB-behavior-web_out] deny
    [*DeviceB-behavior-web_out] commit
    [~DeviceB-behavior-web_out] quit
    [~DeviceB] traffic policy web 
    [*DeviceB-policy-web] classifier web_permit behavior web_permit
    [*DeviceB-policy-web] classifier web_deny behavior web_deny
    [*DeviceB-policy-web] commit
    [~DeviceB-policy-web] quit
    [~DeviceB] traffic policy web_out 
    [*DeviceB-policy-web_out] classifier web_permit behavior web_permit
    [*DeviceB-policy-web_out] classifier web_out behavior web_out
    [*DeviceB-policy-web_out] commit
    [~DeviceB-policy-web_out] quit
    

    # Apply the user-side traffic policies in the system view.

    [~DeviceB] traffic-policy web inbound
    [*DeviceB] traffic-policy web_out outbound
    [*DeviceB] commit

  9. Configure interfaces.

    # Configure the BAS interface.

    [~DeviceB] interface GigabitEthernet 1/0/2.1
    [*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/2.1] bas
    [*DeviceB-GigabitEthernet1/0/2.1-bas] access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
    Note:

    For Layer 3 users who do not obtain IP addresses through DeviceB, run the layer3-subscriber start-ip-address [ end-ip-address ] [ vpn-instance instance-name ] domain-name domain-name command in the system view to specify the IP address segment of the Layer 3 users and the name of the associated authentication domain.

    [*DeviceB-GigabitEthernet1/0/2.1-bas] commit
    [~DeviceB-GigabitEthernet1/0/2.1-bas] quit
    [~DeviceB-GigabitEthernet1/0/2.1] quit

    # Configure the upstream interface.

    [~DeviceB] interface GigabitEthernet 1/0/1
    [*DeviceB-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1] commit
    [~DeviceB-GigabitEthernet1/0/1] quit
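As an added example that is not part of the Huawei document, the Python script below models the UCL rules and the two traffic policies configured on DeviceB in steps 8 and 9, so that the walled garden of the pre-authentication domain can be checked offline before deployment: which destinations a not-yet-authenticated subscriber can reach, which HTTP requests are redirected to the portal, and which replies the outbound policy drops. It assumes, as a simplification, that any address from ip pool huawei stands for a subscriber in user-group huawei; on the device the group is bound to the access session, not to a subnet.

```python
from ipaddress import ip_address, ip_network

# Values below are taken from the DeviceB configuration on this page.
POOL = ip_network("11.11.11.0/24")   # ip pool huawei (gateway 11.11.11.1 24)
SERVERS = {"127.0.0.1",              # rules 10/15: packets to/from the DeviceB CPU
           "192.168.8.252",          # rules 20/25: DNS server
           "192.168.8.249",          # rules 30/35: RADIUS server
           "192.168.8.251"}          # rules 40/45: Web authentication server
UG = "user-group huawei"

def subject(addr):
    # Simplification assumed by this example: an address from the pre-authentication
    # pool stands for a subscriber in user-group huawei (the device binds it per session).
    return UG if ip_address(addr) in POOL else addr

def acl_6000(f):
    """Walled garden: user group <-> each server host, in both directions."""
    s, d = subject(f["src"]), subject(f["dst"])
    return (s == UG and d in SERVERS) or (s in SERVERS and d == UG)

def acl_6001(f):
    """HTTP from the user group: TCP to port 80 (www) or 8080."""
    return subject(f["src"]) == UG and f["proto"] == "tcp" and f["dport"] in (80, 8080)

def acl_6002(f):
    """Anything addressed to the user group."""
    return subject(f["dst"]) == UG

# The two traffic policies, classifiers in the order the page binds them.
POLICY_WEB = [(acl_6000, "permit"), (acl_6001, "http-redirect")]   # traffic-policy web inbound
POLICY_WEB_OUT = [(acl_6000, "permit"), (acl_6002, "deny")]        # traffic-policy web_out outbound

def evaluate(policy, flow):
    """First matching classifier wins; 'unmatched' means no classifier applied."""
    for matches, behavior in policy:
        if matches(flow):
            return behavior
    return "unmatched"

def round_trip(src, dst, proto, dport):
    """Verdicts for a subscriber's request (policy web, inbound on the BAS interface)
    and for the reply flowing back to the subscriber (policy web_out, outbound)."""
    request = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    reply = {"src": dst, "dst": src, "proto": proto, "dport": None}
    return evaluate(POLICY_WEB, request), evaluate(POLICY_WEB_OUT, reply)

if __name__ == "__main__":   # constructed sample flows from a subscriber at 11.11.11.5
    for flow in [("11.11.11.5", "192.168.8.252", "udp", 53), ("11.11.11.5", "192.168.8.251", "tcp", 80),
                 ("11.11.11.5", "203.0.113.10", "tcp", 80), ("11.11.11.5", "203.0.113.10", "tcp", 443)]:
        print(flow, "->", round_trip(*flow))
```

Because web_permit is bound before web_deny, HTTP to the portal itself is permitted rather than redirected; a request matched by neither inbound classifier, such as TCP 443 to an Internet host, is not redirected, but its reply is dropped by web_out since web_permit does not cover that source.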

Configuration Files

  • Configuration file of DeviceA

    #
     sysname DeviceA
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ip address 11.11.11.1 255.255.255.0
     ip relay address 192.168.1.1
     dhcp select relay
    #
    interface GigabitEthernet1/0/1.1
     vlan-type dot1q 1
     ip address 192.168.1.2 255.255.255.0
    #
    return
  • Configuration file of DeviceB

    #
     sysname DeviceB
    #
    user-group huawei
    #
    radius-server group rd2
     radius-server authentication 192.168.8.249 1812 weight 0
     radius-server accounting 192.168.8.249 1813 weight 0
     radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%       
    #
    acl number 6000
     rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
     rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
     rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
     rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
     rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
     rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
     rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
     rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
    #
    acl number 6001
     rule 10 permit tcp source user-group huawei destination-port eq www
     rule 15 permit tcp source user-group huawei destination-port eq 8080
    #
    acl number 6002
     rule 5 permit ip source ip-address any destination user-group huawei
    #
    traffic classifier web_permit operator or
     if-match acl 6000
    #
    traffic classifier web_deny operator or
     if-match acl 6001
    #
    traffic classifier web_out operator or
     if-match acl 6002
    #
    traffic behavior web_permit
    #
    traffic behavior web_deny
     http-redirect
    #
    traffic behavior web_out
     deny
    #
    traffic policy web
     share-mode
     classifier web_permit behavior web_permit
     classifier web_deny behavior web_deny
    #
    traffic policy web_out
     share-mode
     classifier web_permit behavior web_permit
     classifier web_out behavior web_out
    #
    ip pool huawei bas local
     gateway 11.11.11.1 255.255.255.0
     section 0 11.11.11.2 11.11.11.255 
     dns-server 192.168.8.252
    #
    aaa
     authentication-scheme auth2
     #
     accounting-scheme acct2
     #
     domain default0
      user-group huawei
      web-server 192.168.8.251
      web-server url http://192.168.8.251
      ip-pool huawei
     domain isp2
      authentication-scheme auth2
      accounting-scheme acct2
      radius-server group rd2
      portal-server 192.168.8.251
      portal-server url http://192.168.8.251/portal/admin/
    #
    interface GigabitEthernet1/0/2
     undo shutdown
    #
    interface GigabitEthernet1/0/2.1
     vlan-type dot1q 1
     ip address 192.168.1.1 255.255.255.0
     bas
     #
      access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
    #
     traffic-policy web inbound
     traffic-policy web_out outbound
    #
     web-auth-server 192.168.8.251 key webvlan
    #
    return
Updated: 2018-07-12

Document ID: EDOC1100028564
