NE40E V800R010C00 Configuration Guide - User Access 01

Example for Configuring Layer 3 IPoE Access (Portal Push)

This section describes a configuration example for Layer 3 IPoE access with portal push; use the networking diagram to follow the service configuration process. The example covers the networking requirements, configuration roadmap, data preparation, procedure, and configuration files.

Networking Requirements

As shown in Figure 6-4, the networking requirements for Layer 3 IPoE access are as follows:

  • Users belong to the isp2 domain and access the network in Layer 3 IPoE mode through the DHCP relay DeviceA and the GE1/0/2.1 interface of DeviceB.

  • Users use web authentication, with RADIUS authentication and RADIUS accounting.

  • The RADIUS server address is 192.168.8.249, the authentication and accounting ports are 1812 and 1813 respectively, the standard RADIUS protocol is used, and the shared key is it-is-my-secret1.

  • The DNS server address is 192.168.8.252.

  • The web server, web authentication server, and portal server are integrated on one device; the portal server address is 192.168.8.251.

  • To improve the accuracy of portal push, flow-based portal push is configured: a portal page is pushed when a user accesses the specified web page (IP address 4.4.4.4).

Figure 6-4  Networking diagram for configuring Layer 3 IPoE access (portal push)
Note:

In this example, interface1, interface2, interface3, and interface4 represent GE 1/0/1, GE 1/0/2, GE 1/0/1.1, and GE 1/0/2.1 respectively.



Configuration Roadmap

The configuration roadmap is as follows. Except for the DHCP relay function, all functions are configured on DeviceB:

  1. Configure the DHCP relay function on DeviceA.

  2. Configure an authentication scheme and an accounting scheme.

  3. Configure a RADIUS server group.

  4. Configure an address pool.

  5. Configure the pre-authentication domain and the authentication domain for web authentication.

  6. Configure a web authentication server.

  7. Configure a portal server.

  8. Configure a portal service policy.

  9. Configure UCL rules and a traffic policy.

  10. Configure the BAS interface and the upstream interface.

Data Preparation

To complete the configuration, you need the following data:

  • Name and mode of the authentication scheme

  • Name and mode of the accounting scheme

  • Name of the RADIUS server group, and IP addresses and port numbers of the RADIUS authentication server and RADIUS accounting server

  • Address pool name, gateway address, and DNS server address

  • Domain names

  • Portal service policy

  • Portal server address

  • UCL rules

  • Traffic policy

  • BAS interface parameters

Procedure

  1. Configure interface IP addresses on DeviceA and DeviceB.

    # Configure DeviceA.

    <DeviceA> system-view
    [~DeviceA] interface GigabitEthernet1/0/2
    [*DeviceA-GigabitEthernet1/0/2] ip address 11.11.11.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/2] commit
    [~DeviceA-GigabitEthernet1/0/2] quit
    [~DeviceA] interface GigabitEthernet1/0/1.1
    [*DeviceA-GigabitEthernet1/0/1.1] ip address 192.168.1.2 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceA-GigabitEthernet1/0/1.1] commit
    [~DeviceA-GigabitEthernet1/0/1.1] quit

    # Configure DeviceB.

    [~DeviceB] interface GigabitEthernet1/0/2.1
    [*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/2.1] commit
    [~DeviceB-GigabitEthernet1/0/2.1] quit
    

  2. Configure the DHCP relay function on DeviceA.

    [~DeviceA] interface GigabitEthernet1/0/2
    [*DeviceA-GigabitEthernet1/0/2] dhcp select relay
    [*DeviceA-GigabitEthernet1/0/2] ip relay address 192.168.1.1
    [*DeviceA-GigabitEthernet1/0/2] commit
    [~DeviceA-GigabitEthernet1/0/2] quit
    

  3. Configure the network-side address pool on DeviceB. The gateway address must be on the same network segment as the IP address of the inbound interface of the relay (DeviceA).

    <DeviceB> system-view
    [~DeviceB] ip pool huawei bas local
    [*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
    [*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
    [*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
    [*DeviceB-ip-pool-huawei] commit
    [~DeviceB-ip-pool-huawei] quit
    

  4. Configure AAA schemes.

    # Configure an authentication scheme.

    [~DeviceB] aaa
    [*DeviceB-aaa] authentication-scheme auth2
    [*DeviceB-aaa-authen-auth2] authentication-mode radius
    [*DeviceB-aaa-authen-auth2] commit
    [~DeviceB-aaa-authen-auth2] quit

    # Configure an accounting scheme.

    [~DeviceB-aaa] accounting-scheme acct2
    [*DeviceB-aaa-accounting-acct2] accounting-mode radius
    [*DeviceB-aaa-accounting-acct2] commit
    [~DeviceB-aaa-accounting-acct2] quit
    [~DeviceB-aaa] quit

  5. Configure a RADIUS server group.

    [~DeviceB] radius-server group rd2
    [*DeviceB-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*DeviceB-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*DeviceB-radius-rd2] radius-server type standard
    [*DeviceB-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*DeviceB-radius-rd2] commit
    [~DeviceB-radius-rd2] quit

  6. Configure domains.

    # Configure the default0 domain as the pre-authentication domain for web authentication.

    [~DeviceB] user-group huawei
    [~DeviceB] aaa
    [*DeviceB-aaa] domain default0
    [*DeviceB-aaa-domain-default0] user-group huawei
    [*DeviceB-aaa-domain-default0] web-server 192.168.8.251
    [*DeviceB-aaa-domain-default0] web-server url http://192.168.8.251
    [*DeviceB-aaa-domain-default0] ip-pool huawei
    [*DeviceB-aaa-domain-default0] commit
    [~DeviceB-aaa-domain-default0] quit
    [~DeviceB-aaa] quit

    # Configure a portal service policy.

    [~DeviceB] service-group portal-group
    [~DeviceB] service-policy name portal-policy portal
    [*DeviceB-service-policy-portal-policy] service-group portal-group
    [*DeviceB-service-policy-portal-policy] commit
    [~DeviceB-service-policy-portal-policy] quit

    # Configure the authentication domain isp2 and bind the portal service policy to it.

    [~DeviceB] aaa
    [*DeviceB-aaa] domain isp2
    [*DeviceB-aaa-domain-isp2] authentication-scheme auth2
    [*DeviceB-aaa-domain-isp2] accounting-scheme acct2
    [*DeviceB-aaa-domain-isp2] radius-server group rd2
    [*DeviceB-aaa-domain-isp2] portal-server 192.168.8.251
    [*DeviceB-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
    [*DeviceB-aaa-domain-isp2] service-policy portal-policy
    [*DeviceB-aaa-domain-isp2] commit
    [~DeviceB-aaa-domain-isp2] quit
    [~DeviceB-aaa] quit

  7. Configure a web authentication server.

    [~DeviceB] web-auth-server 192.168.8.251

  8. Configure UCLs.

    # Configure the UCL rules that redirect users in the pre-authentication domain to the web authentication page. UCL 6000 lists the IP addresses of the web pages that such users are allowed to access.

    [~DeviceB] acl 6000
    [*DeviceB-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
    [*DeviceB-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0  destination user-group huawei
    Note:

    The UCL rules for 127.0.0.1 allow user packets that are sent to the CPU of DeviceB to pass.

    [*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
    [*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
    [*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
    [*DeviceB-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] commit
    [~DeviceB-acl-ucl-6000] quit
    [~DeviceB] acl 6001
    [*DeviceB-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
    [*DeviceB-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
    [*DeviceB-acl-ucl-6001] rule 20 permit ip source user-group huawei
    [*DeviceB-acl-ucl-6001] commit
    [~DeviceB-acl-ucl-6001] quit
    

    # Configure the UCL rules that redirect a user in the authentication domain to the portal push page when the user accesses the specified web page. 4.4.4.4 is the IP address of the specified web page, and 192.168.8.251 is the portal server address.

    [~DeviceB] acl 7000
    [*DeviceB-acl-ucl-7000] rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
    [*DeviceB-acl-ucl-7000] rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
    [*DeviceB-acl-ucl-7000] rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
    [*DeviceB-acl-ucl-7000] rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
    [*DeviceB-acl-ucl-7000] commit
    [~DeviceB-acl-ucl-7000] quit

    # Configure a traffic policy.

    [~DeviceB] traffic classifier web_permit
    [*DeviceB-classifier-web_permit] if-match acl 6000
    [*DeviceB-classifier-web_permit] commit
    [~DeviceB-classifier-web_permit] quit
    [~DeviceB] traffic behavior web_permit
    [*DeviceB-behavior-web_permit] permit
    [*DeviceB-behavior-web_permit] commit
    [~DeviceB-behavior-web_permit] quit
    [~DeviceB] traffic classifier web_deny
    [*DeviceB-classifier-web_deny] if-match acl 6001
    [*DeviceB-classifier-web_deny] commit
    [~DeviceB-classifier-web_deny] quit
    
    [~DeviceB] traffic behavior web_deny
    [*DeviceB-behavior-web_deny] http-redirect
    [*DeviceB-behavior-web_deny] commit
    [~DeviceB-behavior-web_deny] quit
    [~DeviceB] traffic classifier portal
    [*DeviceB-classifier-portal] if-match acl 7000
    [*DeviceB-classifier-portal] commit
    [~DeviceB-classifier-portal] quit
    [~DeviceB] traffic behavior portal
    [*DeviceB-behavior-portal] redirect-cpu portal
    [*DeviceB-behavior-portal] commit
    [~DeviceB-behavior-portal] quit
    [~DeviceB] traffic policy l3-ipoe
    [*DeviceB-policy-l3-ipoe] classifier portal behavior portal
    [*DeviceB-policy-l3-ipoe] classifier web_permit behavior web_permit
    [*DeviceB-policy-l3-ipoe] classifier web_deny behavior web_deny
    [*DeviceB-policy-l3-ipoe] commit
    [~DeviceB-policy-l3-ipoe] quit
    

    # Apply the user-side traffic policy in the system view.

    [~DeviceB] traffic-policy l3-ipoe inbound
    [~DeviceB] traffic-policy l3-ipoe outbound
    

  9. Configure interfaces.

    # Configure the BAS interface.

    [~DeviceB] interface GigabitEthernet 1/0/2.1
    [*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0 
    [*DeviceB-GigabitEthernet1/0/2.1] bas
    [*DeviceB-GigabitEthernet1/0/2.1-bas] access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
    [*DeviceB-GigabitEthernet1/0/2.1-bas] commit
    [~DeviceB-GigabitEthernet1/0/2.1-bas] quit
    [~DeviceB-GigabitEthernet1/0/2.1] quit

    # Configure the upstream interface.

    [~DeviceB] interface GigabitEthernet 1/0/1
    [*DeviceB-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1] commit
    [~DeviceB-GigabitEthernet1/0/1] quit

Configuration Files

  • DeviceA configuration file

    #
     sysname DeviceA
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ip address 11.11.11.1 255.255.255.0
     ip relay address 192.168.1.1
     dhcp select relay
    #
    interface GigabitEthernet1/0/1.1
     vlan-type dot1q 1
     ip address 192.168.1.2 255.255.255.0
    #
    return
  • DeviceB configuration file

    #
     sysname DeviceB
    #
    user-group huawei
    #
    radius-server group rd2
     radius-server authentication 192.168.8.249 1812 weight 0
     radius-server accounting 192.168.8.249 1813 weight 0
     radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%       
    #
    acl number 6000
    rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0 
    rule 15 permit ip source ip-address 127.0.0.1 0  destination user-group huawei
    rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
    rule 25 permit ip source ip-address 192.168.8.252 0  destination user-group huawei
    rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
    rule 35 permit ip source ip-address 192.168.8.249 0  destination user-group huawei
    rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
    rule 45 permit ip source ip-address 192.168.8.251 0  destination user-group huawei
    #
    acl number 6001
    rule 10 permit tcp source user-group huawei destination-port eq www
    rule 15 permit tcp source user-group huawei destination-port eq 8080
    rule 20 permit ip source user-group huawei
    #
    acl number 7000                                                               
    rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
    rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
    rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
    rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
    #
    traffic classifier web_permit operator or
    if-match acl 6000
    traffic classifier web_deny operator or
    if-match acl 6001
    traffic classifier portal operator or
    if-match acl 7000
    
    #
    traffic behavior web_permit
    traffic behavior web_deny
    http-redirect
    traffic behavior portal
    redirect-cpu portal
    
    #
    traffic policy l3-ipoe
    share-mode
    classifier portal behavior portal
    classifier web_permit behavior web_permit
    classifier web_deny behavior web_deny
    #
    ip pool huawei bas local
     gateway 11.11.11.1 255.255.255.0
     section 0 11.11.11.2 11.11.11.255 
     dns-server 192.168.8.252
    #
    aaa  
     authentication-scheme auth2
     #
      accounting-scheme acct2 
     #  
     domain default0
      user-group huawei
      web-server 192.168.8.251
      web-server url http://192.168.8.251
      ip-pool huawei
     domain isp2
      authentication-scheme auth2
      accounting-scheme acct2
      radius-server group rd2
      portal-server 192.168.8.251
      portal-server url http://192.168.8.251/portal/admin/
      service-policy portal-policy
    #
    interface GigabitEthernet1/0/2
     undo shutdown
    #
    interface GigabitEthernet1/0/2.1
     vlan-type dot1q 1
     ip address 192.168.1.1 255.255.255.0
     bas
     #
      access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
    #
     ip route-static 11.11.11.0 255.255.255.0 192.168.1.2
    #
     traffic-policy l3-ipoe inbound
     traffic-policy l3-ipoe outbound
    #
     web-auth-server 192.168.8.251
    #
    return
Last updated: 2018-07-12

Document ID: EDOC1100028564
