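L2TP can be either static or dynamic, depending on how the tunnel is established.
Static L2TP: the LAC side selects the tunnel parameters according to username@domain, and the tunnel parameters are specified on the ME60. In static mode a user can only dial in to a specific LAC, so this mode suits customers whose dial-in location is relatively fixed.
Dynamic L2TP: the LAC side sends the dialing username@domain to the RADIUS server. The RADIUS server authenticates the user and delivers the L2TP tunnel parameters associated with that user to the LAC, and the LAC then establishes the tunnel for the user.
In this phase of the project, the configuration parameters on the ME60 are delivered by RADIUS, that is, the dynamic tunnel establishment mode is used.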
3.4.4.1 Introduction to L2TP Configuration
Enabling the L2TP function
Step 1 Run system-view to enter the system view.
Step 2 Run l2tp enable to enable the L2TP function.
----End
L2TP can be used only after the L2TP function is enabled. Otherwise the ME60 does not provide the related functions even if L2TP parameters have been configured.
By default, the L2TP function is not enabled on the ME60.
Creating an L2TP group
Step 1 Run system-view to enter the system view.
Step 2 Run l2tp-group group-name to create an L2TP group and enter the L2TP group view.
The ME60 can hold 1000 L2TP groups. Excluding "default-lns" and "default-lac", 998 L2TP groups can actually be created.
Step 3 Run description text to configure a description for the L2TP group (optional).
Setting the local tunnel name
Step 1 Run system-view to enter the system view.
Step 2 Run l2tp-group group-name to enter the L2TP group view.
Step 3 Run tunnel name name to set the local tunnel name.
Configuring the L2TP connection on the LAC side
Step 1 Run system-view to enter the system view.
Step 2 Run l2tp-group group-name to enter the L2TP group view.
Step 3 Run start l2tp [ ip ip-address [ weight weight ] ] &<1-8> to configure the L2TP connection on the LAC side.
Configuring the tunnel source interface
Step 1 Run system-view to enter the system view.
Step 2 Run l2tp-group group-name to enter the L2TP group view.
Step 3 Run tunnel source interface-type interface-number to configure the tunnel source interface.
Specifying the L2TP group of a domain
Step 1 Run system-view to enter the system view.
Step 2 Run aaa to enter the AAA view.
Step 3 Run domain domain-name to enter the domain view.
Step 4 Run l2tp-group group-name to specify the L2TP group of the domain.
Specifying that domain users use the L2TP attributes delivered by RADIUS
Step 1 Run system-view to enter the system view.
Step 2 Run aaa to enter the AAA view.
Step 3 Run domain domain-name to enter the domain view.
Step 4 Run l2tp-user radius-force to specify that domain users use the L2TP attributes delivered by RADIUS.
----End
The L2TP group name and the tunnel type attributes must be delivered together. Only then do the L2TP attributes delivered by RADIUS take effect and the L2TP user function work.
3.4.4.2 Configuration Example
l2tp-group czt.ha
 mandatory-lcp
 start l2tp ip 10.19.66.82 //simplified//
 tunnel source LoopBack0 //configure the L2TP group//
domain czt.ha
 authentication-scheme radius
 accounting-scheme radius
 radius-server group czt.ha
 l2tp-group czt.ha
 l2tp-user radius-force //configure the domain parameters//
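3.5 Set-Top Box Service Configuration
3.5.1 Service Overview
A large number of set-top box services are already in operation across Henan province. The Vcom (威科姆) video servers are currently deployed beside the first-level or second-level (county office core) aggregation switches. After a set-top box comes online it first accesses the local portal site. Based on the MAC address of the set-top box, the portal site returns the IP address of the nearest edge server (EMS, or LVS). The set-top box then accesses the EMS directly at that address. If the EMS does not hold the programme the user wants to watch, the set-top box accesses the central server (CMS); the programme is delivered to the EMS during idle hours.
In future these users can get online in either of the following two ways:
1) PPPoE mode, carried by the business broadband system. In this mode the set-top box must use PPPoE and dial with a username plus a domain-name suffix. Account authentication is performed by the Linkage (联创) RADIUS system. It is recommended that all set-top box users under cutover nodes in urban areas and county towns use PPPoE mode.
2) The original DHCP mode. Set-top box users still obtain their addresses by DHCP through the original aggregation switch. This mode is recommended for cutover users below county-town level.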
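3.5.2 Continuing with DHCP Mode
These users must be separated by VLAN on the aggregation switch. In QinQ mode this can be done simply by adding an uplink port, so that they are still provisioned in the existing way. The advantage is that for cutover users there is no need to visit the user's home to change the set-top box configuration, which reduces the cutover workload.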
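3.5.3 Using PPPoE Mode
3.5.3.1 Service Overview
1) Set-top box users do not use the mandatory client (set-top boxes do not support it);
2) An iptv context is created on the ME60 to carry set-top box users;
3) Set-top boxes must use PPPoE mode, with an account plus a domain-name suffix. For set-top boxes being cut over, an on-site visit to each user is needed to change the set-top box to PPPoE mode.
4) During the cutover, increase the bandwidth between the ME60 and the aggregation switch directly connected to the set-top box servers according to the traffic.
After the cutover is complete, the set-top box servers should be attached directly beside the ME60, to avoid wasting bandwidth between the ME60 and the switch.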
3.5.3.2 Set-Top Box Service Configuration Example
user-group iptv
[Defines a user-group named IPTV. This user-group is associated with a user domain later in the configuration, so that it can be referenced when access control lists are defined. It then stands for all users in that user domain, which gives a user access control list. Unlike an ordinary access control list, a user access control list can specify a set of users as source or destination, in addition to addresses and port numbers. On the ME60, user access control list numbers are 6000 and above. Every access control list that is to be applied to the user side must be defined in this range and applied in global mode. Note: in a user ACL, specifying a user-group is optional.]
acl number 3001
 rule 5 permit ip
#
acl number 6000 match-order auto
 rule 5 deny tcp destination-port eq 135
 rule 10 deny tcp destination-port eq 136
 rule 15 deny tcp destination-port eq 137
 rule 20 deny tcp destination-port eq 138
 rule 25 deny tcp destination-port eq 139
 rule 30 deny tcp destination-port eq 445
 rule 35 deny tcp destination-port eq 4444
 rule 40 deny udp destination-port eq 445
 rule 45 deny udp destination-port eq netbios-ssn
 rule 50 deny udp destination-port eq netbios-dgm
 rule 55 deny udp destination-port eq 135
 rule 60 deny udp destination-port eq netbios-ns
 rule 65 deny tcp destination-port eq 2745
 rule 70 deny tcp destination-port eq 3127
 rule 75 deny tcp destination-port eq 593
 rule 80 deny tcp destination-port eq 6129
 rule 85 deny udp destination-port eq 1434
 rule 90 deny ip source user-group help destination ip-address any
 rule 95 deny ip source user-group iptv destination ip-address any
[ACL 6000 is a user ACL. The first part defines the anti-virus rules; the last two rules specify that users in HELP and IPTV cannot access any address.]
acl number 6001
 rule 5 permit ip source user-group iptv destination ip-address 202.102.249.0 0.0.0.255
 rule 10 permit ip source user-group iptv destination ip-address 61.168.222.0 0.0.1.255
 rule 15 permit ip source user-group iptv destination ip-address 61.168.224.0 0.0.3.255
 rule 20 permit ip source user-group iptv destination ip-address 61.168.228.0 0.0.1.255
 rule 25 permit ip source user-group iptv destination ip-address 61.158.216.0 0.0.1.255
 rule 30 permit ip source user-group iptv destination ip-address 61.158.218.0 0.0.0.255
 rule 35 permit ip source user-group iptv destination ip-address 202.102.224.68 0
 rule 40 permit ip source user-group iptv destination ip-address 202.102.227.68 0
[Defines the addresses that users in the IPTV user group are allowed to access.]
traffic classifier limit operator or
 if-match acl 6000
traffic classifier action operator or
 if-match acl 6001
traffic behavior limit
 deny
traffic behavior action
[Defines the traffic behaviors, which are associated with the traffic classifiers when the policy is defined below.]
#
traffic policy limit
 classifier action behavior action
 classifier limit behavior limit
[Defines the traffic policy. Packets matched by the first classifier, named ACTION, are handled with the action defined in the traffic behavior named ACTION, which is permit. The second entry works the same way, but its action is deny. Note that the order of the two entries must not be reversed, otherwise all traffic is denied.]
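The first-match evaluation this note describes, as an added Python example that is not part of the original configuration document. It is a simplified model: a packet is taken to hit a classifier when any rule of the referenced ACL matches it, traffic that hits no classifier is assumed to be forwarded, and the group name "other" and the sample packets are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Destinations permitted for user-group iptv, copied from acl number 6001.
ACL_6001 = [
    ("202.102.249.0", "0.0.0.255"), ("61.168.222.0", "0.0.1.255"),
    ("61.168.224.0", "0.0.3.255"), ("61.168.228.0", "0.0.1.255"),
    ("61.158.216.0", "0.0.1.255"), ("61.158.218.0", "0.0.0.255"),
    ("202.102.224.68", "0.0.0.0"), ("202.102.227.68", "0.0.0.0"),
]
# Port rules 5-85 of acl number 6000 (netbios-ns/dgm/ssn = 137/138/139).
TCP_PORTS = {135, 136, 137, 138, 139, 445, 4444, 2745, 3127, 593, 6129}
UDP_PORTS = {445, 139, 138, 135, 137, 1434}
BLOCKED_GROUPS = {"help", "iptv"}  # rules 90 and 95: any destination

def hits_acl_6001(pkt):
    return pkt["group"] == "iptv" and any(
        wildcard_match(pkt["dst"], base, wc) for base, wc in ACL_6001)

def hits_acl_6000(pkt):
    ports = {"tcp": TCP_PORTS, "udp": UDP_PORTS}.get(pkt["proto"], set())
    return pkt["dport"] in ports or pkt["group"] in BLOCKED_GROUPS

# classifier name -> (ACL matcher, behavior), as in traffic policy "limit".
CLASSIFIERS = {"action": (hits_acl_6001, "permit"),
               "limit": (hits_acl_6000, "deny")}

def evaluate(pkt, order=("action", "limit")):
    """Apply the behavior of the first classifier whose ACL the packet hits."""
    for name in order:
        matcher, behavior = CLASSIFIERS[name]
        if matcher(pkt):
            return behavior
    return "permit"  # assumption: traffic hitting no classifier is forwarded

def packet(group, dst, proto="tcp", dport=80):
    return {"group": group, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    # Constructed sample packets; "other" is any user outside help/iptv.
    for p in (packet("iptv", "61.168.223.10"), packet("iptv", "8.8.8.8"),
              packet("other", "8.8.8.8", dport=445), packet("other", "8.8.8.8")):
        print(p, evaluate(p), evaluate(p, order=("limit", "action")))
```

In this model, iptv traffic to an ACL 6001 destination is permitted before the port rules of ACL 6000 are consulted, so those port filters do not cover it.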
traffic-policy limit inbound
traffic-policy limit outbound
[Because the policies above are all defined for users on the user side, they must be applied globally.]
interface GigabitEthernet1/0/0
 mtu 1524
 description To-[LY-XiGong-GSR]G1/0/4
 ip address 125.45.253.178 255.255.255.252
 ospf network-type p2p
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/1
 mtu 1524
 description To-[LY-LaoCheng-GSR]G3/0/6
 ip address 125.45.253.202 255.255.255.252
 ospf network-type p2p
 mpls