H3C vBRAS Typical Configuration Examples-5W100

04-H3C vBRAS IPoE Web NAT Traversal Typical Configuration Example-5W100

Typical Configuration Example of NAT Traversal Support for IPoE Web on H3C vBRAS Series Virtual Broadband Remote Access Servers

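1  Introduction

This document provides a typical configuration example of the IPoE Web NAT feature on H3C vBRAS series virtual routers. Unlike H3C's earlier physical router series, the H3C vBRAS virtual router is a pure-software router product that runs in a virtual machine on a standard server. The NAT feature creates address mappings when connections are established between the internal network and the external network, so that IPoE Web users on the internal network can access the external network.

2  Prerequisites

·     This document is not strictly tied to specific software or hardware versions. If what you see differs from the actual product, see the relevant product manuals or go by the actual device.

·     The configuration in this document was performed and verified in a lab environment, and all device parameters used the factory default settings before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following example so that the configuration takes effect as expected.

·     This document assumes that you are familiar with ACL, QoS, policy-based routing, AAA, and NAT.

3  Configuration example

3.1  Network requirements

As shown in Figure 1:

·     The host acts as a DHCP client and accesses the vBRAS in IPoE mode through the VXLAN network.

·     The vBRAS acts as the DHCP server and dynamically assigns IP addresses to the host.

·     The RADIUS server and the vBRAS can reach each other at Layer 3 through the switch.

·     A public network server with H3C iMC installed acts as both the portal authentication server and the portal Web server.

Figure 1 Network diagram for the IPoE Web NAT typical configuration example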

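3.2  Configuration approach

Configure IPoE Web authentication on the device. On top of the IPoE Web configuration, configure a failover group and a NAT address group. Use an ACL to match user traffic, and enable backup and statistics for NAT sessions on the device. Finally, set the address type to private network address in the pre-authentication domain and enable NAT on the interface.

3.3  Software version used

This example was configured and verified on vBRAS1000_H3C-CMW710-E1116-X64.

3.4  Configuration restrictions and guidelines

IPoE Web authentication configuration and portal authentication configuration partly interfere with each other. As a best practice, do not configure both on the same interface.

3.5  Configuration procedure

3.5.1  Configuring the portal server

1. Configuring the portal home page

(1)     Click [Access Policy Management/Portal Service Management/Server Configuration] in the navigation tree to open the server configuration page.

(2)     Configure the portal home page (the default settings are sufficient), and then click <OK>.

Figure 2 Server configuration page

2. Adding the IP address group range for portal authentication

(1)     Click [Access Policy Management/Portal Service Management/IP Address Group Configuration] in the navigation tree to open the IP address group configuration page.

(2)     Click <Add> to open the page for adding an IP address group.

(3)     Enter the IP address group name, enter start address 11.0.0.2 and end address 11.0.255.254, and select NAT as the type. Use the default settings for the other parameters. The user host IP addresses must be within this IP address group range, and the translated addresses configured on the device must be within the translated address range.

(4)     Click <OK>.

Figure 3 Page for adding an IP address group

3. Adding portal access device information

(1)     Click [Access Policy Management/Portal Service Management/Device Configuration] in the navigation tree to open the device configuration page.

(2)     Click <Add> to open the page for adding device information.

(3)     Enter the device name and enter IP address 100.100.1.3, which is the IP address of the device interface connected to the access users. Enter key 123456 and select "Directly connected" as the networking mode. Use the default settings for the other parameters.

(4)     Click <OK>.

Figure 4 Page for adding device information

4. Adding port group information

(1)     Click [Access Policy Management/Portal Service Management/Device Configuration] in the navigation tree to open the device configuration page.

(2)     In the device list, click the port group information management icon to open the port group information configuration page.

(3)     Click <Add> to open the page for adding port group information.

(4)     Configure the port group parameters, and then click <OK>.

Figure 5 Page for adding port group information

(5)     Enter the port group name and select the IP address group. The IP addresses that users use to access the network must belong to the selected IP address group. Use the default settings for the other parameters.

(6)     Click <OK>.

3.5.2  Configuring the vBRAS

# Configure IPoE Web authentication (details not shown).

# Create a failover group and add nodes to it, with slot 1 as the primary node and slot 2 as the secondary node.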

[vBRAS] failover group 1

[vBRAS-failover-group-1] bind slot 1 primary

[vBRAS-failover-group-1] bind slot 2 secondary

[vBRAS-failover-group-1] quit

# Create a redundancy group, and add member interfaces and the failover group to it.

[vBRAS] redundancy group A_Wifi

[vBRAS-redundancy-group-A_Wifi] member interface Reth2

[vBRAS-redundancy-group-A_Wifi] member interface Reth3

[vBRAS-redundancy-group-A_Wifi] member failover group 1

# In redundancy group A_Wifi, create redundancy group node 1 and bind it to the primary board so that it becomes the primary node.

[vBRAS-redundancy-group-A_Wifi] node 1

[vBRAS-redundancy-group-A_Wifi-node-1] bind slot 1

[vBRAS-redundancy-group-A_Wifi-node-1] priority 100

[vBRAS-redundancy-group-A_Wifi-node-1] track 1 interface ten-gigabitethernet 1/5/0

[vBRAS-redundancy-group-A_Wifi-node-1] track 2 interface ten-gigabitethernet 1/6/0

[vBRAS-redundancy-group-A_Wifi-node-1] quit

# In redundancy group A_Wifi, create redundancy group node 2 and bind it to the standby board so that it becomes the secondary node.

[vBRAS-redundancy-group-A_Wifi] node 2

[vBRAS-redundancy-group-A_Wifi-node-2] bind slot 2

[vBRAS-redundancy-group-A_Wifi-node-2] track 3 interface ten-gigabitethernet 2/5/0

[vBRAS-redundancy-group-A_Wifi-node-2] track 4 interface ten-gigabitethernet 2/6/0

[vBRAS-redundancy-group-A_Wifi-node-2] quit

[vBRAS-redundancy-group-A_Wifi] quit

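# Create a NAT address group, bind it to the failover group, set the port block range, configure the port block size, and add the NAT translation address members.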

[vBRAS] nat address-group 1

[vBRAS-address-group-1] failover-group 1

[vBRAS-address-group-1] port-range 1000 65535

[vBRAS-address-group-1] port-block block-size 200

[vBRAS-address-group-1] address 211.9.83.1 211.9.83.254

[vBRAS-address-group-1] quit

# Configure an ACL to match the source IP addresses to be translated.

[vBRAS] acl advanced 3000

[vBRAS-acl-ipv4-adv-3000] rule 0 permit ip source 11.0.0.0 0.0.255.255

[vBRAS-acl-ipv4-adv-3000] quit

# Specify the failover group that processes traffic matching the permit rules of the specified ACL.

[vBRAS] session service-location acl 3000 failover-group 1

# Enable session statistics and NAT dynamic port block backup.

[vBRAS] session statistics enable

# Enable NAT port block backup.

[vBRAS] nat port-block synchronization enable

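# Set the address type of the pre-authentication domain to private IPv4 address, and add the user's private IP address to the URL parameters.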

[vBRAS] domain name a-wifi_pre

[vBRAS-a-wifi_pre] user-address-type private-ipv4

[vBRAS-a-wifi_pre] web-server url-parameter userip source-address

[vBRAS-a-wifi_pre] quit

# Create Ethernet redundant interface 3 and configure outbound dynamic NAT on it.

[vBRAS] interface reth 3

[vBRAS-Reth3] nat outbound 3000 address-group 1

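3.6  Verifying the configuration

# On the vBRAS, display the user status. The user is in the pre-authentication domain, and the detailed information includes the assigned private IP address, the translated public IP address, and the port block.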

<vBRAS> display ip subscriber session verbose                                                                                                                                                 

Basic:                                                                                                                                                                                         

  Description                 : -                                                                                                                                                              

  Username                    : admin                                                                                                                                                         

  Domain                      : a-wifi_pre                                                                                                                                                    

  VPN instance                : N/A                                                                                                                                                            

  IP address                  : 11.0.89.53                                                                                                                                                     

  User address type           : private-ipv4                                                                                                                                                  

  MAC address                 : 000c-2956-4dcc                                                                                                                                                

  Service-VLAN/Customer-VLAN  : -/-                                                                                                                                                            

  Access interface            : Vsi1                                                                                                                                                           

  User ID                     : 0x38200186                                                                                                                                                    

  VPI/VCI(for ATM)            : -/-                                                                                                                                                           

  VSI Index                   : 0                                                                                                                                                              

  VSI link ID                 : 83886080                                                                                                                                                       

  VXLAN ID                    : 1002                                                                                                                                                          

  DNS servers                 : 27.27.27.200                                                                                                                                                  

  IPv6 DNS servers            : N/A                                                                                                                                                            

  DHCP lease                  : 86400 sec                                                                                                                                                      

  DHCP remain lease           : N/A                                                                                                                                                           

  Access time                 : Apr  2 15:10:32 2018                                                                                                                                          

  Online time(hh:mm:ss)       : 00:00:26                                                                                                                                                       

  Service node                : Slot 1 CPU 0                                                                                                                                                   

  Authentication type         : Web pre-auth                                                                                                                                                  

  IPv4 access type            : DHCP                                                                                                                                                          

  IPv4 detect state           : N/A

  State                       : Online

                                                       

AAA:

  ITA policy name             : N/A

  IP pool                     : a-wifi_pre

  IPv6 pool                   : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : N/A

  Session duration            : 111 sec, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : Apr  2 15:10:32 2018

  Redirect URL                : http://28.28.28.100:8080/portal

                                         

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : a-wifi (active)

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

                                 

NAT:

  Global IP address          : 211.9.86.224

  Port block                 : 10000-10999

                                  

Flow statistic:

  Uplink   packets/bytes      : 15/780

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0

# Display the dynamic port block entries created for the user.

<vBRAS>display nat port-block dynamic

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           11.0.89.53       211.9.86.224     11000-11999  1            ---

Total mappings found: 1

                                                   

Slot 2:

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           11.0.89.53       211.9.86.224     11000-11999  1            ---

Total mappings found: 1
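
The per-slot tables above are what make NAT traffic attributable: a public IP and source port seen by an external party map back to one subscriber's private address, and the entry must exist on both failover nodes for that mapping to survive a switchover. The following Python sketch is an added example, not part of the H3C document; it parses the output shown above, reports port blocks that are not present on both slots, and resolves a public IP and port to the private address. The function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# Output of `display nat port-block dynamic`, copied from the verification step above.
SAMPLE_OUTPUT = """\
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           11.0.89.53       211.9.86.224     11000-11999  1            ---
Total mappings found: 1

Slot 2:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           11.0.89.53       211.9.86.224     11000-11999  1            ---
Total mappings found: 1
"""


class PortBlock(NamedTuple):
    local_vpn: str
    local_ip: ipaddress.IPv4Address
    global_ip: ipaddress.IPv4Address
    first_port: int
    last_port: int


SLOT_RE = re.compile(r"^Slot\s+(\d+):$")
TOTAL_RE = re.compile(r"^Total mappings found:\s*(\d+)$")
# Columns: Local VPN, Local IP, Global IP, Port block, Connections, Extend
ROW_RE = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)-(\d+)\s+\d+\s+\S+$"
)


def parse_port_blocks(text: str) -> Dict[int, List[PortBlock]]:
    """Parse the per-slot tables; raise ValueError if a table looks truncated."""
    slots: Dict[int, List[PortBlock]] = {}
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SLOT_RE.match(line)):
            current = int(m.group(1))
            slots[current] = []
        elif (m := TOTAL_RE.match(line)):
            # The device prints its own row count; use it as an integrity check.
            if current is None or len(slots[current]) != int(m.group(1)):
                raise ValueError(f"row count does not match total for slot {current}")
        elif (m := ROW_RE.match(line)) and current is not None:
            vpn, local, glob, first, last = m.groups()
            slots[current].append(PortBlock(
                vpn, ipaddress.IPv4Address(local), ipaddress.IPv4Address(glob),
                int(first), int(last)))
    return slots


def unsynced_blocks(slots: Dict[int, List[PortBlock]],
                    primary: int = 1, secondary: int = 2) -> List[PortBlock]:
    """Return blocks present on only one of the two slots (not backed up)."""
    a = set(slots.get(primary, []))
    b = set(slots.get(secondary, []))
    return sorted(a ^ b)


def attribute(slots: Dict[int, List[PortBlock]], global_ip: str, port: int,
              slot: int = 1) -> Optional[PortBlock]:
    """Find the block that owns a public IP and source port observed externally."""
    target = ipaddress.IPv4Address(global_ip)
    hits = [b for b in slots.get(slot, [])
            if b.global_ip == target and b.first_port <= port <= b.last_port]
    if len(hits) > 1:
        raise ValueError("overlapping port blocks for one global IP")
    return hits[0] if hits else None


if __name__ == "__main__":
    table = parse_port_blocks(SAMPLE_OUTPUT)
    print("unsynced:", unsynced_blocks(table))
    print("owner of 211.9.86.224:11500:", attribute(table, "211.9.86.224", 11500))
```

The table reflects only the mappings that exist at the moment the command runs, so attributing past traffic requires that port block allocations were recorded at the time.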

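# Open the web interface and enter any IP address. You are redirected to the iMC Portal login page, as shown in the following figure.

Figure 6 iMC Portal login page

# After the user passes authentication, execute the following command to view detailed information. The detailed information includes the assigned private IP address, the translated public IP address, and the port block.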

<vBRAS>display ip subscriber session verbose                                                                                                                                                  

Basic:                                                                                                                                                                                         

  Description                 : -                                                                                                                                                             

  Username                    : admin                                                                                                                                             

  Domain                      : a-wifi                                                                                                                                                         

  VPN instance                : N/A                                                                                                                                                            

  IP address                  : 11.0.89.53                                                                                                                                                    

  User address type           : private-ipv4                                                                                                                                                  

  MAC address                 : 000c-2956-4dcc                                                                                                                                                 

  Service-VLAN/Customer-VLAN  : -/-                                                                                                                                                            

  Access interface            : Vsi1                                                                                                                                                          

  User ID                     : 0x38200188                                                                                                                                                    

  VPI/VCI(for ATM)            : -/-                                                                                                                                                            

  VSI Index                   : 0                                                                                                                                                              

  VSI link ID                 : 83886080                                                                                                                                                      

  VXLAN ID                    : 1002                                                                                                                                                           

  DNS servers                 : 27.27.27.200                                                                                                                                                   

  IPv6 DNS servers            : N/A                                                                                                                                                            

  DHCP lease                  : 86400 sec                                                                                                                                                     

  DHCP remain lease           : N/A                                                                                                                                                           

  Access time                 : Apr  2 15:14:27 2018                                                                                                                                           

  Online time(hh:mm:ss)       : 00:00:08                                                                                                                                                       

  Service node                : Slot 1 CPU 0                                                                                                                                                  

  Authentication type         : Web                                                                                                                                               

  IPv4 access type            : DHCP

  IPv4 detect state           : N/A

  State                       : Online

                                  

AAA:

  ITA policy name             : N/A

  IP pool                     : a-wifi_pre

  IPv6 pool                   : N/A

  Primary DNS server          : N/A

  Secondary DNS server        : N/A

  Primary IPv6 DNS server     : N/A

  Secondary IPv6 DNS server   : N/A

  Session idle cut            : 60 sec, 10240 bytes, direction:Both

  Session duration            : 86400 sec, remaining: N/A

  Traffic quota               : N/A

  Traffic remained            : N/A

  Acct start-fail action      : Online

  Acct update-fail action     : Online

  Acct quota-out action       : Offline

  Dual-stack accounting mode  : Merge

  Max IPv4 multicast addresses: 4

  IPv4 multicast address list : N/A

  Max IPv6 multicast addresses: 4

  IPv6 multicast address list : N/A

  Accounting start time       : Apr  2 15:16:10 2018

                                                

QoS:

  User profile                : N/A

  Session group profile       : N/A

  User group ACL              : N/A

  Inbound CAR                 : N/A

  Outbound CAR                : N/A

  Inbound user priority       : N/A

  Outbound user priority      : N/A

                                  

NAT:

  Global IP address          : 211.9.86.224

  Port block                 : 12000-12999

                                           

Flow statistic:

  Uplink   packets/bytes      : 2683/139706

  Downlink packets/bytes      : 0/0

  IPv6 uplink   packets/bytes : 0/0

  IPv6 downlink packets/bytes : 0/0                                             

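# Enter username admin and password 123456. A message indicates that the user has come online successfully, and the IPoE session shows that the user is online.

Figure 7 Page indicating that the user came online successfully

3.7  Configuration file

The configuration file of the vBRAS is as follows: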

#

 sysname vBRAS

#

failover group 1

 bind slot 1 primary

 bind slot 2 secondary

#

 telnet server enable

#

 irf mac-address persistent always

 irf auto-update enable

 irf auto-merge enable

 irf domain 1016231237

 irf member 1 priority 32

 irf member 2 priority 31

#

 router id 100.100.1.2

#

track 1 interface Ten-GigabitEthernet1/5/0

#

track 2 interface Ten-GigabitEthernet1/6/0

#

track 3 interface Ten-GigabitEthernet2/5/0

#

track 4 interface Ten-GigabitEthernet2/6/0

#

isis 100

 cost-style wide

 network-entity 04.5090.0100.0100.0100.0088.00

 #

 address-family ipv4 unicast

#

 mpls lsr-id 100.100.1.2

#

 ppp flow-statistics frequency fast

#

 ip fast-forwarding aging-time 60

#

 dhcp enable

 dhcp relay client-information record

#

 lldp global enable

#

 ip subscriber timer traffic 30000

#

 flow-interval 60

#

 password-recovery enable

#

vlan 1

#

irf-port 1

 port group interface GigabitEthernet1/3/0 type data

 port group interface GigabitEthernet1/4/0 type control

#

irf-port 2

 port group interface GigabitEthernet2/3/0 type data

 port group interface GigabitEthernet2/4/0 type control

#

traffic classifier 31 operator and

 if-match acl 3899

#

traffic classifier a-wifi_deny operator and

 if-match acl 3528

#

traffic classifier a-wifi_http operator and

 if-match acl 3526

#

traffic classifier a-wifi_https operator and

 if-match acl 3527

#

traffic classifier a-wifi_out operator and

 if-match acl 3529

#

traffic classifier a-wifi_permit operator and

 if-match acl 3525

#

traffic classifier tetong operator and

 if-match acl 3999

#

traffic classifier web_deny operator and

#

traffic behavior a-wifi_deny

 filter deny

#

traffic behavior a-wifi_http

 redirect http-to-cpu

#

traffic behavior a-wifi_https

 redirect https-to-cpu

#

traffic behavior a-wifi_out

 filter permit

#

traffic behavior a-wifi_permit

 filter permit

#

traffic behavior tetong

 remark qos-local-id 3999

#

traffic behavior web_deny

#

qos policy a-wifi

 classifier a-wifi_permit behavior a-wifi_permit

 classifier a-wifi_http behavior a-wifi_http

 classifier a-wifi_https behavior a-wifi_https

 classifier a-wifi_deny behavior a-wifi_deny

#

qos policy out

 classifier a-wifi_out behavior a-wifi_out

 classifier a-wifi_deny behavior a-wifi_deny

#

qos policy tetong

 classifier tetong behavior tetong

#

qos policy web

#

dhcp server ip-pool a-wifi_pre

 gateway-list 11.0.0.1 export-route

 network 11.0.0.0 mask 255.255.0.0 export-route

 address range 11.0.0.2 11.0.255.254

 dns-list 27.27.27.200

#

policy-based-route tetong permit node 3999

 if-match qos-local-id 3999

 apply next-hop 5.1.1.1

 apply next-hop 29.29.0.2

#

nqa entry 1 1

 type icmp-echo

  destination ip 28.28.28.100

  frequency 500

  history-record enable

  history-record number 10

  probe count 3

  probe timeout 500

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule 1 1 start-time now lifetime forever

#

mpls ldp

#

 l2vpn enable

 l2vpn statistics interval 60

#

vsi a-wifi

 gateway vsi-interface 1

 vxlan 1002

  tunnel 0

#

interface Reth1

 ip address 172.16.17.88 255.255.255.0

 member interface GigabitEthernet1/1/0 priority 32

 member interface GigabitEthernet2/1/0 priority 31

#

interface Reth2

 description downlink

 mtu 2000

 ip address 100.100.100.2 255.255.255.0

 member interface Ten-GigabitEthernet1/5/0.1000 priority 101

 member interface Ten-GigabitEthernet2/5/0.1000 priority 100

#

interface Reth3

 description uplink

 ip address 200.200.200.2 255.255.255.0

 isis enable 100

 isis circuit-level level-2

 isis circuit-type p2p

 isis small-hello

 mpls enable

 mpls ldp enable

 member interface Ten-GigabitEthernet1/6/0.2000 priority 101

 member interface Ten-GigabitEthernet2/6/0.2000 priority 100

 nat outbound 3000 address-group 1

 mad arp enable

#

interface Reth255

 ip address 5.1.1.25 255.255.255.0

 member interface Ten-GigabitEthernet1/5/0.50 priority 99

 member interface Ten-GigabitEthernet2/5/0.50 priority 100

#

interface Virtual-Template1

 ppp authentication-mode pap domain ppp

 ppp account-statistics enable

#

interface Virtual-Template11

 ppp authentication-mode pap domain ppp

#

interface NULL0

#

interface LoopBack1

 ip address 100.100.1.1 255.255.255.255

#

interface LoopBack2

 description LoopBack

 ip address 100.100.1.2 255.255.255.255

 isis enable 100

#

interface LoopBack3

 ip address 100.100.1.3 255.255.255.255

 isis enable 100

#

interface GigabitEthernet1/1/0

 ip address dhcp-alloc

#

interface GigabitEthernet1/2/0

#

interface GigabitEthernet1/3/0

#

interface GigabitEthernet1/4/0

#

interface GigabitEthernet2/1/0

#

interface GigabitEthernet2/2/0

#

interface GigabitEthernet2/3/0

#

interface GigabitEthernet2/4/0

#

interface Ten-GigabitEthernet1/5/0

 mtu 2000

 ip address dhcp-alloc

#

interface Ten-GigabitEthernet1/5/0.50

 vlan-type dot1q vid 50

#

interface Ten-GigabitEthernet1/5/0.1000

 vlan-type dot1q vid 1000

#

interface Ten-GigabitEthernet1/6/0

 ip address dhcp-alloc

#

interface Ten-GigabitEthernet1/6/0.2000

 vlan-type dot1q vid 2000

#

interface Ten-GigabitEthernet2/5/0

#

interface Ten-GigabitEthernet2/5/0.50

 vlan-type dot1q vid 50

#

interface Ten-GigabitEthernet2/5/0.1000

 vlan-type dot1q vid 1000

#

interface Ten-GigabitEthernet2/6/0

#

interface Ten-GigabitEthernet2/6/0.2000

 vlan-type dot1q vid 2000

#

interface Vsi-interface1

 ip policy-based-route tetong

 portal bas-ip 100.100.1.3

 portal apply mac-trigger-server mts

 ip subscriber l2-connected enable

 ip subscriber initiator dhcp enable

 ip subscriber initiator unclassified-ip enable

 ip subscriber timer quiet 120

 undo ip subscriber user-detect ip

 ip subscriber authentication-method web

 ip subscriber roaming enable

 ip subscriber password ciphertext $c$3$XSv6wTRQGTLHWDzfCsGEQ+G536Q3T5R9bg==

 ip subscriber unclassified-ip domain a-wifi_pre

 ip subscriber pre-auth domain a-wifi_pre

 ip subscriber username string admin

 ip subscriber pre-auth track 11 fail-permit user-group fail

#

interface Vsi-interface2

 ip subscriber l2-connected enable

 ip subscriber initiator dhcp enable

 ip subscriber initiator unclassified-ip enable

 ip subscriber roaming enable

 ip subscriber password ciphertext $c$3$XSv6wTRQGTLHWDzfCsGEQ+G536Q3T5R9bg==

 ip subscriber dhcp domain a-wifi_pre

#

interface Tunnel0 mode vxlan

 source 100.100.1.1

 destination 31.31.31.31

#

bgp 65009

 router-id 100.100.1.2

 #

 address-family ipv4 unicast

  network 11.0.0.0 255.255.0.0

  network 211.9.80.0 255.255.240.0

 #

 address-family vpnv4

 #

 ip vpn-instance vrf1

  #

  address-family ipv4 unicast

   import-route direct

   import-route static

#

 scheduler logfile size 16

#

line class aux

 user-role network-operator

#

line class console

 user-role network-admin

#

line class vty

 user-role network-operator

#

line aux 0 1

 user-role network-operator

#

line con 0 1

 user-role network-admin

#

line vty 0 63

 authentication-mode none

 user-role network-admin

 user-role network-operator

 idle-timeout 0 0

#

 ip route-static 11.0.0.0 16 NULL0 preference 180 description Blackhole-Route

 ip route-static 31.31.31.31 32 100.100.100.1

 ip route-static 172.16.0.0 16 172.16.17.1

 ip route-static 211.9.80.0 20 NULL0 preference 180 description Blackhole-Route

#

 mad exclude interface GigabitEthernet1/1/0

#

 snmp-agent

 snmp-agent local-engineid 800063A280FA163E07CF5200000001

 snmp-agent community write private

 snmp-agent community read public

 snmp-agent sys-info version all

#

 ssh server enable

 ssh user root service-type all authentication-type password

#

 undo arp resolving-route enable

 arp source-mac aging-time 60

#

 qos apply policy a-wifi global inbound

 qos apply policy out global outbound

#

redundancy group A_Wifi

 preempt-delay 5

 member interface Reth2

 member interface Reth3

 member failover group 1

 node 1

  bind slot 1

  priority 100

  track 1 interface Ten-GigabitEthernet1/5/0

  track 2 interface Ten-GigabitEthernet1/6/0

 node 2

  bind slot 2

  track 3 interface Ten-GigabitEthernet2/5/0

  track 4 interface Ten-GigabitEthernet2/6/0

#

acl advanced 3000

 rule 0 permit ip source 11.0.0.0 0.0.255.255

#

acl advanced 3099

 rule 0 permit ip destination 29.29.0.1 0 user-group a-wifi

 rule 5 permit ip source 29.29.0.1 0 user-group a-wifi

#

acl advanced 3525

 rule 0 permit ip destination 28.28.28.100 0 user-group a-wifi

 rule 1 permit ip destination 27.27.27.200 0 user-group a-wifi

 rule 5 permit ip vpn-instance vrf1 destination 28.28.28.100 0 user-group a-wifi

 rule 10 permit ip user-group fail

#

acl advanced 3526

 rule 0 permit tcp destination-port eq www user-group a-wifi

 rule 5 permit tcp vpn-instance vrf1 destination-port eq www user-group a-wifi

#

acl advanced 3527

 rule 0 permit tcp destination-port eq 443 user-group a-wifi

 rule 5 permit tcp vpn-instance vrf1 destination-port eq 443 user-group a-wifi

#

acl advanced 3528

 rule 0 permit ip user-group a-wifi

 rule 5 permit ip vpn-instance vrf1 user-group a-wifi

#

acl advanced 3529

 rule 0 permit ip source 28.28.28.100 0 user-group a-wifi

 rule 1 permit ip source 27.27.27.200 0 user-group a-wifi

 rule 5 permit ip vpn-instance vrf1 source 28.28.28.100 0 user-group a-wifi

#

acl advanced 3899

 rule 0 permit ip destination 100.100.1.1 0

#

acl advanced 3999

 description for_tetong_user

 rule 0 deny ip destination 28.28.28.100 0

 rule 5 permit ip

#

user-profile free1

 free-rule acl 3099

#

user-profile ita

 qos car inbound any cir 10000 cbs 625000 ebs 0

 qos car outbound any cir 10000 cbs 625000 ebs 0

 qos apply policy ita inbound

 qos apply policy ita outbound

#

user-profile tetong

 qos apply policy tetong inbound

#

radius scheme aaa

 primary authentication 172.16.15.200

 primary accounting 172.16.15.200

 key authentication cipher $c$3$itzc+vpeFDkhR1RnKJUsmyT6XdbuSmdNbw==

 key accounting cipher $c$3$721n+GQFC7t0pV48LIXKz5+4cbrhop2I1w==

 timer realtime-accounting 2

 user-name-format without-domain

 attribute 31 mac-format section three separator - lowercase

 username-authorization apply

#

radius scheme imc

 primary authentication 28.28.28.100 key cipher $c$3$VZu0tiAzF7dsNLte//lIN2qiTA5tQOwPrg==

 primary accounting 28.28.28.100 key cipher $c$3$sVaIfL3KQcnQth+As4Qdx6rbEmnK/QhY0w==

 user-name-format without-domain

#

radius scheme jsct

 primary authentication 28.28.28.100

 primary accounting 28.28.28.100

 key authentication cipher $c$3$5h3Z95wgcIYC6H1lWl+o8Sb/RQSZtP04Pg==

 key accounting cipher $c$3$LciZpm5DvPcpuDZgEoBFnEnAs9PF+8HzCA==

 timer realtime-accounting 3

 user-name-format without-domain

 nas-ip 100.100.1.3

#

radius dynamic-author server

 client ip 172.16.15.200 key cipher $c$3$aa50yCTQvxx6DzUQl2ePmLhY6TK1IqC7vg==

#

domain name a-wifi

 state block time-range offline

 state block time-range name a-wifi-online

 authorization-attribute idle-cut 1

 nas-id domain-a-wifi

 authentication ipoe radius-scheme jsct

 authorization ipoe radius-scheme jsct

 accounting ipoe radius-scheme jsct

#

domain name a-wifi_pre

 authorization-attribute user-group a-wifi

 authorization-attribute ip-pool a-wifi_pre

 authorization-attribute session-timeout 111

 service-type stb

 session-time include-idle-time

 nas-id h3c/vbras:a-wifi_pre

 authentication ipoe none

 authorization ipoe none

 accounting ipoe none

 user-address-type private-ipv4

 web-server url http://28.28.28.100:8080/portal

 web-server ip 28.28.28.100

 web-server url-parameter userip source-address

 web-server url-parameter mac source-mac section 1 uppercase

 web-server url-parameter oriUrl original-url

 web-server url-parameter nas-id nas-id

 web-server url-parameter remote-id remote-id

#

domain name awifi

 authorization-attribute user-profile tetong

 authorization-attribute car inbound cir 4194303 outbound cir 4194303 pir 4194303

 nas-id domain-a-wifi

 authentication ipoe radius-scheme aaa

 authorization ipoe radius-scheme aaa

 accounting ipoe radius-scheme aaa

#

domain name system

#

 domain default enable a-wifi

#

role name level-0

 description Predefined level-0 role

#

role name level-1

 description Predefined level-1 role

#

role name level-2

 description Predefined level-2 role

#

role name level-3

 description Predefined level-3 role

#

role name level-4

 description Predefined level-4 role

#

role name level-5

 description Predefined level-5 role

#

role name level-6

 description Predefined level-6 role

#

role name level-7

 description Predefined level-7 role

#

role name level-8

 description Predefined level-8 role

#

role name level-9

 description Predefined level-9 role

#

role name level-10

 description Predefined level-10 role

#

role name level-11

 description Predefined level-11 role

#

role name level-12

 description Predefined level-12 role

#

role name level-13

 description Predefined level-13 role

#

role name level-14

 description Predefined level-14 role

#

user-group a-wifi

#

user-group fail

#

user-group system

#

local-user root class manage

 password hash $h$6$zR1H0VQKmsPSrlki$QB3JtZ08KMBi8Gv85yP7uFPqnoF5l0biJjfApRvDod6fdejdI6o1vtjhSLvhfMsge/GBT+FZjAfbkkuQo307wg==

 service-type ftp

 service-type ssh telnet http https

 authorization-attribute user-role network-admin

#

local-user ip class network

 authorization-attribute user-role network-operator

#

local-user ipoe class network

 password cipher $c$3$FD4eC+mzM7K89XgqLWUievRGDyg11cfiqw==

 service-type ipoe

 authorization-attribute session-timeout 111

 authorization-attribute user-role network-operator

#

 ftp server enable

#

 session service-location acl 3000 failover-group 1

 session service-location acl 3001 failover-group 1

 session statistics enable

 session synchronization enable

 session synchronization dns http

#

nat port-block synchronization enable

#

nat address-group 1

 failover-group 1

 port-range 1000 65535

 port-block block-size 1000 extended-block-number 2

 address 211.9.83.1 211.9.83.254

#

portal server A-wifi

 ip 28.28.28.100 key cipher $c$3$jlIVq1QmzD/7Ym8rm9WdCnVeYtViHM0BFA==

#

portal mac-trigger-server mts

 ip 28.28.28.100

 binding-retry interval 3

 aging-time 100

#

 netconf soap http enable

 netconf soap https enable

#

 http-redirect https-port 6000

#

return
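
The configuration file above was produced in a lab and carries management-plane settings that should be reviewed before any of it is reused: Telnet, FTP and NETCONF over HTTP are enabled, the VTY lines use authentication-mode none together with the network-admin role and no idle timeout, and SNMP uses the public and private communities with all protocol versions enabled. The following Python sketch is an added example, not part of the H3C document; it walks a configuration in this format view by view and flags those lines. The rule names are hypothetical and exist only in this example.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Set, Tuple

# Management-plane lines excerpted from the configuration file in section 3.7 above.
CONFIG_EXCERPT = """\
#
 telnet server enable
#
line vty 0 63
 authentication-mode none
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
 snmp-agent
 snmp-agent community write private
 snmp-agent community read public
 snmp-agent sys-info version all
#
 ssh server enable
#
 ftp server enable
#
 netconf soap http enable
 netconf soap https enable
#
"""


class Finding(NamedTuple):
    rule: str   # hypothetical rule id, defined only in this example
    view: str   # "system" or the view header, e.g. "line vty 0 63"
    line: str   # the offending command


# (rule id, regex on the view, regex on the command); both use fullmatch.
RULES: List[Tuple[str, str, str]] = [
    ("cleartext-telnet", r"system", r"telnet server enable"),
    ("cleartext-ftp", r"system", r"ftp server enable"),
    ("cleartext-netconf", r"system", r"netconf soap http enable"),
    ("snmp-default-community", r"system",
     r"snmp-agent community (read|write) (public|private)"),
    ("snmp-v1-v2c-enabled", r"system",
     r"snmp-agent sys-info version (all|.*\bv(1|2c)\b.*)"),
    ("vty-no-authentication", r"line (class )?vty.*", r"authentication-mode none"),
    ("vty-no-idle-timeout", r"line (class )?vty.*", r"idle-timeout 0 0"),
]


def split_views(config: str) -> Iterator[Tuple[str, str]]:
    """Yield (view, command). An unindented '#' ends the current view; an
    unindented line opens a view; indented lines outside a view are system view."""
    view = "system"
    for raw in config.splitlines():
        if not raw.strip():
            continue                      # tolerate blank lines between commands
        if raw.rstrip() == "#":
            view = "system"
        elif not raw[0].isspace():
            view = raw.strip()
        else:
            yield view, raw.strip()


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    roles: Dict[str, Set[str]] = {}       # view -> user roles granted in that view
    for view, cmd in split_views(config):
        if cmd.startswith("user-role "):
            roles.setdefault(view, set()).add(cmd.split()[1])
        for rule, view_re, cmd_re in RULES:
            if re.fullmatch(view_re, view) and re.fullmatch(cmd_re, cmd):
                findings.append(Finding(rule, view, cmd))
    # Cross-line check: an unauthenticated VTY that also grants network-admin.
    for f in list(findings):
        if (f.rule == "vty-no-authentication"
                and "network-admin" in roles.get(f.view, set())):
            findings.append(Finding("vty-unauthenticated-admin", f.view,
                                    "user-role network-admin"))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_EXCERPT):
        print(f"{finding.rule:28} [{finding.view}] {finding.line}")
```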

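4  Related documentation

·     H3C vBRAS Series Virtual Broadband Remote Access Server Configuration Guide: http://press.h3c.com/jsp/ir/fileList.do?classID=103&fileID=165210

·     H3C vBRAS Series Virtual Broadband Remote Access Server Command Reference: http://press.h3c.com/jsp/ir/fileList.do?classID=103&fileID=165210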
