NE40E V800R010C00 Configuration Guide - User Access 01


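Example for Configuring IPoE Dual-Stack Access (Web Authentication)

This section provides an example for configuring dual-stack access (web authentication), using the networking diagram to explain the service configuration process. The example covers the networking requirements, configuration roadmap and data preparation, procedure, and configuration files.

Networking Requirements

As shown in Figure 6-12:

  • Users belong to the isp5 domain, access the network through GE1/0/2 on the NE40E, and use web authentication.

  • RADIUS authentication and RADIUS accounting are used.

  • The RADIUS server address is 10.6.55.55, the authentication and accounting ports are 1645 and 1646 respectively, the standard RADIUS protocol is used, and the key is hello.

  • The two DNS servers are at 3001:0410::1:2 and 10.10.10.1.

  • The web server addresses are 10.6.55.56 and 3001::3, and the key is it-is-my-secret1.

Figure 6-12  Networking diagram for the dual-stack access (web) configuration example
Note:

In this example, interface1 and interface2 stand for GE1/0/1 and GE1/0/2, respectively.



Configuration Roadmap

The configuration roadmap for dual-stack access (web) is as follows:

  1. Configure AAA schemes.

  2. Configure the web authentication server.

  3. Configure a RADIUS server group.

  4. Configure an ACL so that users can access only the web server before web authentication.

  5. Configure an IPv4 local address pool.

  6. Configure an IPv6 local prefix pool.

  7. Configure an IPv6 local address pool and bind the prefix pool to it.

  8. Configure the pre-authentication domain and the post-authentication domain.

  9. Configure interfaces.

Data Preparation

To complete this configuration example, you need the following data:

  • Authentication scheme name and authentication mode

  • Accounting scheme name and accounting mode

  • RADIUS server group name, and the IP addresses and port numbers of the RADIUS authentication server and RADIUS accounting server

  • Local prefix pool name

  • IPv6 prefix and prefix length to be assigned

  • Local address pool name

  • Domain names

Procedure

  1. Configure AAA schemes.

    # Configure an authentication scheme.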

    [*Device] aaa
    [*Device-aaa] authentication-scheme auth5
    [*Device-aaa-authen-auth5] authentication-mode radius
    [*Device-aaa-authen-auth5] commit
    [~Device-aaa-authen-auth5] quit

    # Configure an accounting scheme.

    [*Device-aaa] accounting-scheme acct5
    [*Device-aaa-accounting-acct5] accounting-mode radius
    [*Device-aaa-accounting-acct5] commit
    [~Device-aaa-accounting-acct5] quit
    [~Device-aaa] quit

  2. Configure the web authentication server.

    [*Device] web-auth-server 10.6.55.56 key cipher Root@123

  3. Configure a RADIUS server group.

    [*Device] radius-server group rd5
    [*Device-radius-rd5] radius-server authentication 10.6.55.55 1645
    [*Device-radius-rd5] radius-server accounting 10.6.55.55 1646
    [*Device-radius-rd5] radius-server type standard
    [*Device-radius-rd5] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-rd5] commit
    [~Device-radius-rd5] quit

  4. Configure an ACL so that users can access only the web server before web authentication.

    # Configure a user group.

    [*Device] user-group huawei

    # Configure ACL rules.

    [*Device] acl 6000 match-order auto
    [*Device-acl-ucl-6000] rule deny ip source user-group huawei destination ip-address any
    [*Device-acl-ucl-6000] rule permit ip source user-group huawei destination ip-address 10.6.55.56 0.0.0.255
    [*Device-acl-ucl-6000] commit
    [~Device-acl-ucl-6000] quit

    # Configure a traffic classifier.

    [*Device] traffic classifier c1
    [*Device-classifier-c1] if-match acl 6000
    [*Device-classifier-c1] commit
    [~Device-classifier-c1] quit

    # Configure a traffic behavior.

    [*Device] traffic behavior b1
    [*Device-behavior-b1] permit
    [*Device-behavior-b1] commit
    [~Device-behavior-b1] quit

    # Configure a traffic policy.

    [*Device] traffic policy policy
    [*Device-trafficpolicy-policy] classifier c1 behavior b1
    [*Device-trafficpolicy-policy] commit
    [~Device-trafficpolicy-policy] quit

    # Apply the traffic policy globally.

    [*Device] traffic-policy policy inbound
    [*Device] traffic-policy policy outbound

  5. Configure an IPv4 user-side local address pool.

    [*Device] ip pool pool2 bas local
    [*Device-ip-pool-pool2] gateway 10.10.10.2 255.255.255.0
    [*Device-ip-pool-pool2] section 0 10.10.10.3 10.10.10.100
    [*Device-ip-pool-pool2] dns-server 10.10.10.1
    [*Device-ip-pool-pool2] commit
    [~Device-ip-pool-pool2] quit

  6. Configure an IPv6 local prefix pool.

    [*Device] ipv6 prefix pre1 delegation
    [*Device-ipv6-prefix-pre1] prefix 2001:2421::/48
    [*Device-ipv6-prefix-pre1] slaac-unshare-only
    [*Device-ipv6-prefix-pre1] commit
    [~Device-ipv6-prefix-pre1] quit

  7. Configure an IPv6 user-side local address pool.

    [*Device] ipv6 pool pool1 bas delegation
    [*Device-ipv6-pool-pool1] prefix pre1
    [*Device-ipv6-pool-pool1] dns-server 3001:0410::1:2
    [*Device-ipv6-pool-pool1] commit
    [~Device-ipv6-pool-pool1] quit

  8. Configure domains.

    # Configure the pre-authentication domain domain1.

    [*Device] aaa
    [*Device-aaa] domain domain1
    [*Device-aaa-domain-domain1] prefix-assign-mode unshared
    [*Device-aaa-domain-domain1] user-group huawei
    [*Device-aaa-domain-domain1] ipv6-pool pool1
    [*Device-aaa-domain-domain1] ip-pool pool2
    [*Device-aaa-domain-domain1] web-server 10.6.55.56 3001::3
    [*Device-aaa-domain-domain1] web-server url isp1.com
    [*Device-aaa-domain-domain1] commit
    [~Device-aaa-domain-domain1] quit

    # Configure the post-authentication domain isp5.

    [*Device-aaa] domain isp5
    [*Device-aaa-domain-isp5] authentication-scheme auth5
    [*Device-aaa-domain-isp5] accounting-scheme acct5
    [*Device-aaa-domain-isp5] radius-server group rd5
    [*Device-aaa-domain-isp5] commit
    [~Device-aaa-domain-isp5] quit
    [~Device-aaa] quit

  9. Configure interfaces.

    # Configure the BAS interface.

    [*Device] interface GigabitEthernet 1/0/2
    [*Device-GigabitEthernet1/0/2] bas
    [*Device-GigabitEthernet1/0/2-bas] access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
    [*Device-GigabitEthernet1/0/2-bas] authentication-method web
    [*Device-GigabitEthernet1/0/2-bas] authentication-method-ipv6 web
    [*Device-GigabitEthernet1/0/2-bas] commit
    [~Device-GigabitEthernet1/0/2-bas] quit

    # Enable IPv6 on the interface.

    [*Device-GigabitEthernet1/0/2] ipv6 enable
    [*Device-GigabitEthernet1/0/2] ipv6 address auto link-local
    [*Device-GigabitEthernet1/0/2] commit
    [~Device-GigabitEthernet1/0/2] quit

    # Configure the uplink interface.

    [*Device] interface GigabitEthernet 1/0/1
    [*Device-GigabitEthernet1/0/1] ipv6 enable
    [*Device-GigabitEthernet1/0/1] ipv6 address auto link-local
    [*Device-GigabitEthernet1/0/1] ipv6 address 2001::/64 eui-64
    [*Device-GigabitEthernet1/0/1] commit
    [~Device-GigabitEthernet1/0/1] quit

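  10. Verify the configuration.

    # View information about the address pool named pool2. The output shows that the gateway address is 10.10.10.2, the address range is 10.10.10.3 to 10.10.10.100, and the DNS server address is 10.10.10.1.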

    <HUAWEI> display ip pool name pool2
    Pool-Name      : pool2
      Pool-No        : 0 
      Pool-constant-index :- 
      Lease          : 3 Days 0 Hours 0 Minutes
      NetBois Type   : N-Node
      DNS-Suffix     : -
    
      DNS1         :10.10.10.1
      Position       : Local           Status           : Unlocked
      Gateway        : 10.10.10.2      Mask             : 255.255.255.0
      Vpn instance   : --
      Profile-Name   : -               Server-Name      : -
      Codes: CFLCT(conflicted)
      ---------------------------------------------------------------------------
      ID           start             end total  used  idle CFLCT disable reserved
      ---------------------------------------------------------------------------
       0      10.10.10.3    10.10.10.100    98     0    98     0       0        0
      --------------------------------------------------------------------------- 

    # View information about the prefix pool named pre1. The output shows that it is a local prefix pool and that the prefix address is 2010:2021::/64.

    <HUAWEI> display ipv6 prefix pre1
     ------------------------------------------------------------------------------
     Prefix Name        : pre1                
     Prefix Index       : 3
     Prefix constant index: -
     Prefix Type        : DELEGATION          
     Prefix Address     : 2001:2421::                                       
     Prefix Length      : 48                  
     Reserved Type      : NONE  
     Valid Lifetime     : 3 Days 0 Hours 0 Minutes
     Preferred Lifetime : 2 Days 0 Hours 0 Minutes
     IfLocked           : Unlocked            
     Vpn instance       : -       
     PD Prefix Len      : 64
     PD Prefix/C-DUID   : -
     slaac-unshare-only : TRUE                
     pd-unshare-only    : FALSE               
     Free Prefix Count  : 65536
     Used Prefix Count  : 0
     Binded Prefix Count (Free): 0
     Binded Prefix Count (Used): 0
     Flexibly-Allocted Prefix Count: 0
     Reserved Prefix Count: 0
     Excluded Prefix Count: 0
     ------------------------------------------------------------------------------
    

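    # View information about the address pool named pool1. The output shows that it is a user-side local address pool bound to the local prefix pool pre1.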

    <HUAWEI> display ipv6 pool pool1
     ----------------------------------------------------------------------
     Pool name          : pool1                            
     Pool No            : 2     
     Pool-constant-index :- 
     Pool type          : BAS DELEGATION      
     Preference         : 255   
     Renew time         : 50    
     Rebind time        : 80    
     Status             : UNLOCKED  
     Refresh interval   : infinite
     Used by domain     : 0     
     Dhcpv6 Unicast     : disable
     Dhcpv6 rapid-commit: disable
     Dns list           : -
     Dns server master  : -
     Dns server slave   : -
     AFTR name          : - 
     ----------------------------------------------------------------------
     Prefix-Name                      Prefix-Type 
     ----------------------------------------------------------------------
     pre1                             DELEGATION
     ----------------------------------------------------------------------
    

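    # View the configuration of the isp5 domain. The output shows that the IPv6 address pool pool1 and the IPv4 address pool pool2 are bound to the domain.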

    <HUAWEI> display domain isp5
    ------------------------------------------------------------------------------
      Domain-name                     : isp5
      Domain-state                    : Active
      Authentication-scheme-name      : auth5
      Accounting-scheme-name          : acct5
      Authorization-scheme-name       :
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Web-server-URL-parameter        : No
      Slave Web-IP-address            : -
      Slave Web-URL                   : -
      Slave Web-auth-server           : - 
      Slave Web-auth-state            : - 
      Portal-server-URL-parameter     : No
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      User-group-name                 : -
      Idle-data-attribute (time,flow) : 0, 60
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : COPS
      User-access-limit               : 279552
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      PPPoE-user-URL                  : Disable
      IPUser-ReAuth-Time(second)      : 300
      mscg-name-portal-key            : -
      Portal-user-first-url-key       : -
      Ancp auto qos adapt             : Disable
      RADIUS-server-template          : rd5
      Two-acct-template               : -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disabled
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      IPv6-warning-threshold          : - 
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Multicast-profile ipv6          : -
      IP-address-pool-name            : pool2
      IPv6-Pool-name                  : pool1
       Quota-out                     : Offline
      Service-type                    : -
      User-basic-service-ip-type      : -/-/-
      PPP-ipv6-address-protocol       : Ndra
      IPv6-information-protocol       : Stateless dhcpv6
      IPv6-PPP-assign-interfaceid     : Disable
      Trigger-packet-wait-delay       : 60s
      Peer-backup                     : enable    
      ------------------------------------------------------------------------------
    

Configuration Files

  • Router configuration file

    #
     sysname Device
    #
     ipv6
    #
     user-group huawei
    #
    radius-server group rd5
     radius-server authentication 10.6.55.55 1645 weight 0
     radius-server accounting 10.6.55.55 1646 weight 0
     radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
    #
    acl number 6000  match-order auto
     rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
     rule 10 deny ip source user-group huawei destination ip-address any
    #
    traffic classifier class1 operator or
    traffic classifier c1 operator or
     if-match acl 6000
    #
    traffic behavior database
    traffic behavior b1
    #
    traffic policy policy
     share-mode
     classifier c1 behavior b1
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    ip pool pool2 bas local
     gateway 10.10.10.2 255.255.255.0
     section 0 10.10.10.3 10.10.10.100
     dns-server 10.10.10.1
    #
    ipv6 prefix pre1 delegation
     prefix 2001:2421::/48
     slaac-unshare-only
    #
    ipv6 pool pool1 bas delegation
     dns-server 3001:410::1:2
     prefix pre1
    #
    aaa
     authentication-scheme default0
     authentication-scheme default1
     authentication-scheme default
     authentication-scheme auth5
      authentication-mode  radius
     #
     authorization-scheme default
     #
     accounting-scheme default0
     accounting-scheme default1
     accounting-scheme default
     accounting-scheme acct5
      accounting-mode radius
     #
     domain domain1
      prefix-assign-mode unshared
      ip-pool pool2
      ipv6-pool pool1
      user-group huawei
      web-server 10.6.55.56 3001::3
      web-server url isp1.com
     domain isp5
      authentication-scheme auth5
      accounting-scheme acct5
      radius-server group rd5
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ipv6 enable
     ipv6 address auto link-local
     bas
     #
      access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
      authentication-method web
      authentication-method-ipv6 web
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ipv6 enable
     ipv6 address 2001::/64 eui-64
     ipv6 address auto link-local
    #
     traffic-policy policy inbound
     traffic-policy policy outbound
    #
     web-auth-server 10.6.55.56 port 50100 key cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
    #
    return
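
The pre-authentication ACL from step 4 only works if its permit rule covers the web server bound to the pre-authentication domain. The Python check below is an added example, not part of the original Huawei document; its function names and embedded sample configurations are constructed here, and it evaluates IPv4 rules only.

```python
import ipaddress
import re

# Constructed sample: the ACL and pre-authentication domain stanzas, in the
# layout of the configuration file above.
SAMPLE_CONFIG = """\
acl number 6000  match-order auto
 rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
 rule 10 deny ip source user-group huawei destination ip-address any
#
aaa
 domain domain1
  user-group huawei
  web-server 10.6.55.56 3001::3
  web-server url isp1.com
"""
# Constructed failure case: the permit rule points at the wrong network.
MISTYPED_CONFIG = SAMPLE_CONFIG.replace("10.6.55.0", "192.0.2.0")

PERMIT_RE = re.compile(
    r"rule(?: \d+)? permit ip source user-group (\S+) "
    r"destination ip-address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def permitted_ranges(config, group):
    """(address, wildcard) integer pairs the UCL permits for this user group."""
    return [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(w)))
            for g, a, w in PERMIT_RE.findall(config) if g == group]


def web_servers_v4(config):
    """IPv4 addresses on 'web-server <addr> ...' lines; IPv6 and URLs skipped."""
    found = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["web-server"]:
            for token in parts[1:]:
                try:
                    found.append(ipaddress.IPv4Address(token))
                except ValueError:
                    pass  # 'url', host names and IPv6 addresses
    return found


def unreachable_web_servers(config, group="huawei"):
    """Web servers no permit rule covers. Wildcard bits set to 1 are ignored.
    Assumes match-order auto, so the narrower permit wins over 'deny ... any'."""
    ranges = permitted_ranges(config, group)
    return [str(ip) for ip in web_servers_v4(config)
            if not any((int(ip) & ~w) == (a & ~w) for a, w in ranges)]
```

An empty result means every IPv4 web server is reachable before authentication; any address returned is a portal that unauthenticated users in the group cannot reach.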
    
Updated: 2018-07-12

Document ID: EDOC1100028564
