Document name    Document classification:
rule 55 deny udp destination-port eq 135
rule 60 deny udp destination-port eq netbios-ns
rule 65 deny tcp destination-port eq 2745
rule 70 deny tcp destination-port eq 3127
rule 75 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 6129
rule 85 deny udp destination-port eq 1434
rule 90 deny ip source user-group help destination ip-address any
rule 95 deny ip source user-group iptv destination ip-address any
[ACL 6000 is a user ACL. The rules above form the anti-virus part; the last two rules specify that users in the HELP and IPTV user groups may not access any address]
acl number 6001
rule 5 permit ip source user-group iptv destination ip-address 202.102.249.0 0.0.0.255
rule 10 permit ip source user-group iptv destination ip-address 61.168.222.0 0.0.1.255
rule 15 permit ip source user-group iptv destination ip-address 61.168.224.0 0.0.3.255
rule 20 permit ip source user-group iptv destination ip-address 61.168.228.0 0.0.1.255
rule 25 permit ip source user-group iptv destination ip-address 61.158.216.0 0.0.1.255
rule 30 permit ip source user-group iptv destination ip-address 61.158.218.0 0.0.0.255
rule 35 permit ip source user-group iptv destination ip-address 202.102.224.68 0
rule 40 permit ip source user-group iptv destination ip-address 202.102.227.68 0
[Defines the addresses that users in the IPTV user group are allowed to access]
traffic classifier limit operator or
if-match acl 6000
traffic classifier action operator or
if-match acl 6001
traffic behavior limit
deny
traffic behavior action
[Defines the traffic behaviors; they are associated with the traffic classifiers when the policy is defined below]
#
traffic policy limit
classifier action behavior action
classifier limit behavior limit
[Defines the traffic policy. Packets matched by the first entry, the classifier named ACTION, receive the action defined in the traffic behavior named ACTION, which is permit; the second entry works the same way, but its action is deny. Note that the order of the two entries must not be reversed, otherwise all traffic will be denied]
2020-3-1
Huawei Confidential. Do not distribute without authorization.
Page 61 of 75
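The ordering rule described above, as an added example (not part of the original document): a small Python model of the two classifiers and their behaviors, built on a constructed subset of ACL 6000 and ACL 6001. It assumes a simplified model in which a classifier matches a packet whenever any rule of its ACL matches the packet's user group and destination (permit and deny rules alike), the first matching classifier's behavior wins, and unmatched traffic is forwarded.

```python
import ipaddress

# Constructed subset of the page's ACLs: (action, user-group, destination).
# Destination is "any" or (network, Huawei wildcard mask).
ACL_6000 = [
    ("deny", "help", "any"),
    ("deny", "iptv", "any"),
]
ACL_6001 = [
    ("permit", "iptv", ("202.102.249.0", "0.0.0.255")),
    ("permit", "iptv", ("61.168.222.0", "0.0.1.255")),
    ("permit", "iptv", ("202.102.224.68", "0")),
]

def wildcard_match(dst, network, wildcard):
    """Wildcard-mask semantics: a 1 bit means 'don't care'; mask '0' is an exact host."""
    d = int(ipaddress.IPv4Address(dst))
    n = int(ipaddress.IPv4Address(network))
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return (d & ~w) == (n & ~w)

def acl_matches(acl, user_group, dst):
    """True if any rule of the ACL matches (first match, permit or deny alike)."""
    for _action, group, target in acl:
        if group == user_group and (target == "any" or wildcard_match(dst, *target)):
            return True
    return False

def apply_policy(policy, user_group, dst):
    """policy: ordered (acl, behavior) pairs, like the 'classifier X behavior X' entries.
    The first classifier that matches decides; unmatched traffic is forwarded (simplified model)."""
    for acl, behavior in policy:
        if acl_matches(acl, user_group, dst):
            return behavior
    return "permit"

# Order from the page: classifier 'action' (ACL 6001, permit) before 'limit' (ACL 6000, deny).
POLICY_CORRECT = [(ACL_6001, "permit"), (ACL_6000, "deny")]
# Reversed order: the catch-all deny rules in ACL 6000 shadow every permit in ACL 6001.
POLICY_REVERSED = [(ACL_6000, "deny"), (ACL_6001, "permit")]

def compare_orders(user_group, dst):
    """Return (verdict with the correct order, verdict with the reversed order)."""
    return (apply_policy(POLICY_CORRECT, user_group, dst),
            apply_policy(POLICY_REVERSED, user_group, dst))

if __name__ == "__main__":
    for grp, dst in [("iptv", "202.102.249.5"), ("iptv", "8.8.8.8"), ("help", "202.102.249.5")]:
        print(grp, dst, compare_orders(grp, dst))
```

With the reversed order an IPTV user is denied even for the addresses ACL 6001 explicitly permits, which is the failure the note above warns about.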
traffic-policy limit inbound
traffic-policy limit outbound
[Since the policies above are defined for user-side subscribers, they are applied in the global view]
interface GigabitEthernet1/0/0
mtu 1524
description To-[LY-XiGong-GSR]G1/0/4
ip address 125.45.253.178 255.255.255.252
ospf network-type p2p
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
mtu 1524
description To-[LY-LaoCheng-GSR]G3/0/6
ip address 125.45.253.202 255.255.255.252
ospf network-type p2p
mpls
mpls ldp
interface LoopBack0
ip address 125.40.254.110 255.255.255.255
[This address is used to establish the IPv4 BGP peering with the RR]
#
interface LoopBack10
ip address 125.40.254.111 255.255.255.255
[This address is used to establish the VPNv4 BGP peering with the RR]
bgp 65130
router-id 125.40.254.110
group ha-ly-vpn internal
peer ha-ly-vpn password cipher S;IKAY5^0NWQ=^Q`MAF4<1!!
peer ha-ly-vpn connect-interface LoopBack10
peer 61.168.232.245 as-number 65130
peer 61.168.232.245 group ha-ly-vpn
peer 61.168.232.247 as-number 65130
peer 61.168.232.247 group ha-ly-vpn
group ha-ly internal
peer ha-ly password cipher S;IKAY5^0NWQ=^Q`MAF4<1!!
peer ha-ly connect-interface LoopBack0
peer 61.168.255.245 as-number 65130
peer 61.168.255.245 group ha-ly
peer 61.168.255.247 as-number 65130
peer 61.168.255.247 group ha-ly
#
ipv4-family unicast
undo synchronization
network 61.54.44.128 255.255.255.240
network 218.28.152.32 255.255.255.240
network 218.28.152.48 255.255.255.240
network 218.28.152.136 255.255.255.248
import-route unr
undo peer 61.168.232.245 enable
undo peer 61.168.232.247 enable
peer ha-ly-vpn enable
peer ha-ly enable
peer ha-ly route-policy setcommunity export
peer ha-ly next-hop-local
peer ha-ly advertise-community
peer 61.168.255.245 enable
peer 61.168.255.245 group ha-ly
peer 61.168.255.247 enable
peer 61.168.255.247 group ha-ly
#
ipv4-family vpnv4
policy vpn-target
peer ha-ly-vpn enable
peer ha-ly-vpn next-hop-local
peer ha-ly-vpn advertise-community
peer 61.168.232.247 enable
peer 61.168.232.247 group ha-ly-vpn
peer 61.168.232.245 enable
peer 61.168.232.245 group ha-ly-vpn
ip pool dial local
gateway 61.168.104.1 255.255.248.0
section 0 61.168.104.2 61.168.111.254
excluded-ip-address 61.168.104.2
conflict-ip-address 61.168.108.187
dns-server 202.102.224.68
dns-server 202.102.227.68 secondary
aaa
authentication-scheme radius
[Defines an authentication scheme named radius. The default authentication mode already uses the RADIUS server, so no further commands are needed; the defaults are sufficient]
domain iptv.ha
authentication-scheme radius
accounting-scheme radius
ip-pool iptv
ospf 1 router-id 125.40.254.110
area 0.0.1.123
network 125.40.254.110 0.0.0.0
network 125.40.254.111 0.0.0.0
network 125.45.253.176 0.0.0.3
network 125.45.253.200 0.0.0.3
3.6 Leased-line user configuration
Leased-line users generally means static-IP users. On the ME60, static-IP users are normally defined in one of two ways: as Layer 2 subscribers or as leased line users. In this project phase, static-IP users are generally defined as Layer 2 subscribers, which allows consecutive addresses from an address pool to be allocated to leased-line users.
For leased line users, the IP address must be configured statically on the user side; the ME60 can then manage the user in terms of bandwidth, accounting, access control and so on.
3.6.1 Defining static-IP users as subscribers
Configuration example:
ip pool static local
gateway 123.7.2.1 255.255.255.0
section 0 123.7.2.2 123.7.2.254
excluded-ip-address 123.7.2.2 123.7.2.254
[Defines the address pool. Note that, apart from the gateway address, no address in this pool may be allocated dynamically; all addresses are assigned statically]
domain static
authentication-scheme default0
accounting-scheme default0
ip-pool static
[Defines the domain the static users belong to; this domain performs neither authentication nor accounting]
static-user 123.7.224.10 123.7.224.10 interface GigabitEthernet1/0/2.1643 vlan 199 qinq 643 detect domain-name static
//Test: check whether the binding works correctly//
static-user 123.7.224.12 123.7.224.13 interface GigabitEthernet1/0/2.1635