NE40E V800R010C00 Configuration Guide - User Access 01

Example for Configuring IPoEv6 Access (Web Authentication)

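This section provides an example for configuring the IPoEv6 access (web authentication) service; read it together with the networking diagram to follow the configuration procedure. The example covers the networking requirements, configuration roadmap and data preparation, procedure, and configuration files.

Networking Requirements

As shown in Figure 6-11, the networking requirements for IPoEv6 access are as follows:

  • The user belongs to the domain isp2 and accesses the network through GE1/0/2 on DeviceA in IPoEv6 mode.

  • The user uses web authentication, and the web authentication server address is 192.168.8.251.

Figure 6-11  Networking diagram for the IPoEv6 access configuration example
Note:

In this example, interface1 represents GE 1/0/2.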

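Configuration Roadmap

The configuration roadmap for IPoEv6 access is as follows:

  1. Configure an IPv6 local address pool.

  2. Configure the pre-authentication domain and the authentication domain for web authentication.

  3. Configure the web authentication server and the interface directly connected to it.

  4. Configure UCL rules and a traffic management policy.

  5. Configure the BAS interface.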

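Data Preparation

To complete this configuration example, prepare the following data:

  • IPv6 address pool name

  • Domain names

  • Web authentication server address

  • UCL rules

  • Traffic management policy

  • BAS interface parameters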

Procedure

  1. Configure an IPv6 local address pool.

    # Configure DeviceA.

    <DeviceA> system-view
    [~DeviceA] ipv6 prefix prefix1
    [*DeviceA-ipv6-prefix-prefix1] prefix 2000:2021::/64
    [*DeviceA-ipv6-prefix-prefix1] commit
    [~DeviceA-ipv6-prefix-prefix1] quit
    [~DeviceA] ipv6 pool pool_local bas local
    [~DeviceA-ipv6-pool-pool_local] prefix prefix1
    [*DeviceA-ipv6-pool-pool_local] commit
    [~DeviceA-ipv6-pool-pool_local] quit
    [~DeviceA] dhcpv6 duid llt
    [~DeviceA] commit

  2. Configure domains.

    # Configure the domain default0 as the pre-authentication domain for web authentication.

    [~DeviceA] user-group web-before
    [*DeviceA] commit
    [~DeviceA] aaa
    [~DeviceA-aaa] domain default0
    [~DeviceA-aaa-domain-default0] user-group web-before
    [*DeviceA-aaa-domain-default0] web-server url http://[2000::1]/portal/default.portal
    [*DeviceA-aaa-domain-default0] web-server identical-url
    [*DeviceA-aaa-domain-default0] ipv6-pool pool_local
    [*DeviceA-aaa-domain-default0] authentication-scheme none
    [*DeviceA-aaa-domain-default0] accounting-scheme none
    [*DeviceA-aaa-domain-default0] commit
    [~DeviceA-aaa-domain-default0] quit

    # Configure the domain isp2 as the authentication domain for web authentication.

    [~DeviceA-aaa] domain isp2
    [~DeviceA-aaa-domain-isp2] authentication-scheme none
    [*DeviceA-aaa-domain-isp2] accounting-scheme none
    [*DeviceA-aaa-domain-isp2] commit
    [~DeviceA-aaa-domain-isp2] quit
    [~DeviceA-aaa] quit

  3. Configure the web authentication server and the interface directly connected to it.

    [~DeviceA] web-auth-server 192.168.8.251 port 50100 key cipher Huawei
    [*DeviceA] commit
    [~DeviceA] interface gigabitethernet 1/0/2
    [*DeviceA-GigabitEthernet1/0/2] ip address 192.168.8.250 24
    [*DeviceA-GigabitEthernet1/0/2] commit

  4. Configure UCLs.

    # Configure UCL rules.

    [~DeviceA] acl ipv6 6200
    [*DeviceA-acl6-ucl-6200] rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64
    [*DeviceA-acl6-ucl-6200] commit
    [~DeviceA-acl6-ucl-6200] quit
    [~DeviceA] acl ipv6 6300
    [~DeviceA-acl6-ucl-6300] rule 5 permit tcp source user-group web-before destination-port eq www
    [*DeviceA-acl6-ucl-6300] commit
    [~DeviceA-acl6-ucl-6300] quit

    # Configure a traffic management policy.

    [~DeviceA] traffic classifier web_permit
    [~DeviceA-classifier-web_permit] if-match ipv6 acl 6200
    [*DeviceA-classifier-web_permit] commit
    [~DeviceA-classifier-web_permit] quit
    [~DeviceA] traffic behavior web_permit
    [~DeviceA-behavior-web_permit] permit
    [*DeviceA-behavior-web_permit] commit
    [~DeviceA-behavior-web_permit] quit
    [~DeviceA] traffic classifier web_http-redirect
    [~DeviceA-classifier-web_http-redirect] if-match ipv6 acl 6300
    [*DeviceA-classifier-web_http-redirect] commit
    [~DeviceA-classifier-web_http-redirect] quit
    [~DeviceA] traffic behavior web_http-redirect
    [~DeviceA-behavior-web_http-redirect] http-redirect
    [*DeviceA-behavior-web_http-redirect] commit
    [~DeviceA-behavior-web_http-redirect] quit
    [~DeviceA] traffic policy web
    [~DeviceA-policy-web] classifier web_permit behavior web_permit
    [*DeviceA-policy-web] classifier web_http-redirect behavior web_http-redirect
    [*DeviceA-policy-web] commit
    [~DeviceA-policy-web] quit

    # Apply the user-side traffic management policy globally.

    [*DeviceA] traffic-policy web inbound
    [*DeviceA] commit

  5. Configure the BAS interface.

    [~DeviceA] interface GigabitEthernet 1/0/2.1
    [~DeviceA-GigabitEthernet1/0/2.1] user-vlan 1 
    [*DeviceA-GigabitEthernet1/0/2.1] ipv6 enable
    [*DeviceA-GigabitEthernet1/0/2.1] ipv6 address auto link-local
    [*DeviceA-GigabitEthernet1/0/2.1] ipv6 nd autoconfig managed-address-flag
    [*DeviceA-GigabitEthernet1/0/2.1] commit
    [~DeviceA-GigabitEthernet1/0/2.1] bas
    [~DeviceA-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
    [*DeviceA-GigabitEthernet1/0/2.1-bas] authentication-method-ipv6 web
    [*DeviceA-GigabitEthernet1/0/2.1-bas] commit
    [~DeviceA-GigabitEthernet1/0/2.1-bas] quit
    [~DeviceA-GigabitEthernet1/0/2.1] quit

Configuration Files

  • Configuration file of DeviceA

    #
     sysname DeviceA
    #
    user-group web-before
    #
    ipv6 prefix prefix1
     prefix 2000:2021::/64 
    #
    ipv6 pool pool_local bas local
     prefix prefix1
    #
    acl ipv6 number 6200
     rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64
    #
    acl ipv6 number 6300
     rule 5 permit tcp source user-group web-before destination-port eq www
    #
    traffic classifier web_permit
     if-match ipv6 acl 6200
    traffic classifier web_http-redirect
     if-match ipv6 acl 6300
    #
    traffic behavior web_permit
     permit
    traffic behavior web_http-redirect
     http-redirect
    #
    traffic policy web
     share-mode
     classifier web_permit behavior web_permit
     classifier web_http-redirect behavior web_http-redirect
    #
    aaa  
     #
     domain default0
      user-group web-before
      web-server url http://[2000::1]/portal/default.portal
      web-server identical-url
      ipv6-pool pool_local
      authentication-scheme none
      accounting-scheme none
     domain isp2
      authentication-scheme none
      accounting-scheme none
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ip address 192.168.8.250 24
    #
    interface GigabitEthernet1/0/2.1
     user-vlan 1
     ipv6 enable
     ipv6 address auto link-local
     ipv6 nd autoconfig managed-address-flag
     bas
     #
      access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
      authentication-method-ipv6 web
    #
     traffic-policy web inbound
    #
     web-auth-server 192.168.8.251 port 50100 key cipher Huawei
    #
    return
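
The following review check is an added example, not part of the Huawei document. It reads the web-authentication settings from the DeviceA configuration file above and reports the ones an operator would normally tighten before production: the cleartext portal URL, the /64 destination in ACL 6200, the authentication domain's scheme, and the length of the portal shared key. The check names, the 16-character key minimum and the reading of the scheme named none as "no credential check" are assumptions of this example.

```python
import ipaddress
import re

MIN_KEY_LEN = 16  # assumed local policy minimum, not a value from the page

# Constructed sample: security-relevant lines copied from the DeviceA config file.
CONFIG = """\
acl ipv6 number 6200
 rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64
aaa
 domain default0
  web-server url http://[2000::1]/portal/default.portal
  authentication-scheme none
 domain isp2
  authentication-scheme none
interface GigabitEthernet1/0/2.1
 bas
  access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
 web-auth-server 192.168.8.251 port 50100 key cipher Huawei
"""

def audit(config):
    """Return (check_id, detail) findings for a web-authentication BAS config."""
    findings = []
    portal = re.search(r"web-server url (\w+)://\[([0-9a-fA-F:]+)\]", config)
    if portal and portal.group(1).lower() != "https":
        findings.append(("portal-cleartext", portal.group(1)))
    # The permit rule for unauthenticated users should cover the portal host only.
    for m in re.finditer(r"rule \d+ permit .*destination ipv6-address (\S+)", config):
        net = ipaddress.ip_network(m.group(1), strict=False)
        if portal and ipaddress.ip_address(portal.group(2)) in net and net.prefixlen < 128:
            findings.append(("portal-acl-wide", str(net)))
    # Find the domain the BAS interface uses once the user submits credentials.
    auth = re.search(r"pre-authentication\s+\S+\s+authentication\s+(\S+)", config)
    if auth:
        body = re.search(rf"domain {re.escape(auth.group(1))}\n((?:  .*\n)*)", config)
        # Assumption: the scheme named "none" performs no credential check.
        if body and "authentication-scheme none" in body.group(1):
            findings.append(("auth-domain-scheme-none", auth.group(1)))
    key = re.search(r"web-auth-server \S+ port \d+ key \S+ (\S+)", config)
    if key and len(key.group(1)) < MIN_KEY_LEN:
        findings.append(("portal-key-short", f"{len(key.group(1))} characters"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(CONFIG):
        print(f"{check}: {detail}")
```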
Updated: 2018-07-12

Document ID: EDOC1100028564
