
Firewall egress dual-stack case

Asked 2021-06-02

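Problem description:

Firewall egress dual-stack case. I want to simulate this in the simulator; the topology is just access - core - firewall. There is a requirement for the intranet virtualization servers to run IPv6 and be mapped. How do I configure dual stack on the firewall? There is no case on the official website.

Network topology and description: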


1 answer

http://h3c.com/cn/d_202011/1353482_30005_0.htm#_Toc54611564

Have a look at this one for reference.

China Mobile BAC IPv4/IPv6 dual-stack configuration case (E2507P12)

I. Networking requirements:

  • The CAPWAP/LWAPP tunnel is still carried over IPv4, and the AP management address does not change.
  • The AC still uses its IPv4 address to communicate with the Portal and AAA servers, and nas-ip remains IPv4.
  • The User IP passed between the AC and the Portal must support the user's IPv4/IPv6 addresses, so that a single authentication permits both stacks.

II. Network diagram:

Figure 1

III. Configuration steps:

1. Configuration approach

1.1 Enable IPv6 globally
1.2 Configure the IPv4 and IPv6 interconnect addresses
1.3 Configure DHCPv6 and DHCPv4
1.4 Configure the IPv4 and IPv6 portal and RADIUS information

2. Configuration steps

2.1 Enable IPv6 globally

    ipv6
    #

2.2 Configure the uplink interconnect IPv4 and IPv6 addresses

    interface Vlan-interface19
     ipv6 address 2409:8088:800:1030::10:9372/126
     ip address 1.1.1.3 255.255.255.240
     vrrp vrid 1 virtual-ip 1.1.1.2
     vrrp vrid 1 priority 120
    #

2.3 Configure DHCPv6 and DHCPv4

    ipv6 dhcp pool 1
     network 2409:88A8:850::/50
    #
    dhcp server ip-pool ac01
     network 10.42.30.0 mask 255.255.255.0
     network ip range 10.42.30.1 10.42.30.254
     gateway-list 10.42.30.1
     dns-list 211.138.24.66 211.138.30.66
     expired day 0 hour 0 minute 30
    #

2.4 Configure the IPv4 and IPv6 portal and RADIUS

    portal server cmcchenan1 ip 211.138.30.42 url http://211.138.30.42:7080/index.php server-type cmcc
    portal server ipv6test ipv6 2001:DA8:E800:E4B8::1 key cipher $c$3$vkLQapngT0BgVHIgFoq5OQ4GThICuMYpWBs9 url http://218.206.248.116:6080/index.php
    #
    radius scheme ipv6
     server-type extended
     primary authentication 10.10.10.10 1745
     primary accounting 10.10.10.10 1746
     key authentication cipher $c$3$K4K/RjpaPDYGsR1e5WBAcCjVPAK2x4PUW/m/
     key accounting cipher $c$3$Gs5LElHnylUNPdepvcU43jFK7ERz5qDcICBo
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #
    radius scheme cmcchenan
     server-type extended
     primary authentication 10.10.10.10 1645
     primary accounting 10.10.10.10 1646
     key authentication cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oOo6pbn/wU+Ht+T
     key accounting cipher $c$3$cut2e+1uljuwJgFtF8t+v5E8QqZSlUTlB6ut
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #

2.6 Configure the user gateway

    interface Vlan-interface1005
     description GateWay_of_CMCC
     undo ipv6 nd ra halt
     ipv6 nd autoconfig managed-address-flag
     ipv6 nd autoconfig other-flag
     ipv6 address 2409:88A8:850::2/50
     ip address 10.42.30.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.42.30.1
     vrrp vrid 2 priority 120
     vrrp vrid 2 track 2 reduced 50
     dhcp select relay
     dhcp relay server-select 1
     portal control-mode mac
     portal server cmcchenan method direct
     portal server ipv6test method direct
     portal domain cmcchenan
     portal domain ipv6 ipv6test
     portal nas-id 3438037137100460
     portal nas-port-type wireless
     portal backup-group 1
     portal nas-ip 1.1.1.2
     access-user detect type arp retransmit 5 interval 120
     ipv6 dhcp server apply pool 1

3. Configuration file

Key AC-side configuration:

    version 5.20, ESS 2507P12
    #
    dhcp relay server-group 1 ip 1.1.1.3
    #
    ipv6
    #
    portal server cmcchenan1 ip 211.138.30.42 url http://211.138.30.42:7080/index.php server-type cmcc
    portal server ipv6test ipv6 2001:DA8:E800:E4B8::1 key cipher $c$3$vkLQapngT0BgVHIgFoq5OQ4GThICuMYpWBs9 url http://218.206.248.116:6080/index.php
    #
    ipv6 dhcp server enable
    #
    radius scheme ipv6
     server-type extended
     primary authentication 10.10.10.10 1745
     primary accounting 10.10.10.10 1746
     key authentication cipher $c$3$K4K/RjpaPDYGsR1e5WBAcCjVPAK2x4PUW/m/
     key accounting cipher $c$3$Gs5LElHnylUNPdepvcU43jFK7ERz5qDcICBo
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #
    radius scheme cmcchenan
     server-type extended
     primary authentication 10.10.10.10 1645
     primary accounting 10.10.10.10 1646
     key authentication cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oOo6pbn/wU+Ht+T
     key accounting cipher $c$3$cut2e+1uljuwJgFtF8t+v5E8QqZSlUTlB6ut
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #
    domain ipv6test
     authentication portal radius-scheme ipv6
     authorization portal radius-scheme ipv6
     accounting portal radius-scheme ipv6
     access-limit disable
     state active
     idle-cut enable 15 1024
     self-service-url disable
    #
    domain cmcchenan
     authentication portal radius-scheme cmcchenan
     authorization portal radius-scheme cmcchenan
     accounting portal radius-scheme cmcchenan
     access-limit disable
     state active
     idle-cut enable 15 1024
     self-service-url disable
    #
    ipv6 dhcp pool 1
     network 2409:88A8:850::/50
    #
    dhcp server ip-pool ac01
     network 10.42.30.0 mask 255.255.255.0
     network ip range 10.42.30.1 10.42.30.254
     gateway-list 10.42.30.1
     dns-list 211.138.24.66 211.138.30.66
     expired day 0 hour 0 minute 30
    #
    wlan service-template 11 clear
     ssid CMCC-eDU
     bind WLAN-ESS 11
     service-template enable
    #
    interface WLAN-ESS11
     port access vlan 1005
    #
    interface Vlan-interface19
     ipv6 address 2409:8088:800:1030::10:9372/126
     ip address 1.1.1.3 255.255.255.240
     vrrp vrid 1 virtual-ip 1.1.1.2
     vrrp vrid 1 priority 120
    #
    interface Vlan-interface1005
     description GateWay_of_CMCC
     undo ipv6 nd ra halt
     ipv6 nd autoconfig managed-address-flag
     ipv6 nd autoconfig other-flag
     ipv6 address 2409:88A8:850::2/50
     ip address 10.42.30.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.42.30.1
     vrrp vrid 2 priority 120
     vrrp vrid 2 track 2 reduced 50
     dhcp select relay
     dhcp relay server-select 1
     portal control-mode mac
     portal server cmcchenan method direct
     portal server ipv6test method direct
     portal domain cmcchenan
     portal domain ipv6 ipv6test
     portal nas-id 3438037137100460
     portal nas-port-type wireless
     portal backup-group 1
     portal nas-ip 1.1.1.2
     access-user detect type arp retransmit 5 interval 120
     ipv6 dhcp server apply pool 1
    #
    wlan ap ceshi model WA2610E-GNP id 5
     serial-id 219801A0CSC129019915
     radio 1
      channel 1
      service-template 11 nas-id 3419037137100460
      client-rate-limit direction inbound mode static cir 512
      client-rate-limit direction outbound mode static cir 2048
      radio enable
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
    #
    ipv6 route-static :: 0 2409:8088:800:1030::10:9371
    #

IV. Verification:

1. Obtain an IP address
2. IPv4 portal authentication
3. After IPv4 authentication succeeds, access IPv4 and IPv6 resources
4. IPv6 portal authentication
5. After IPv6 authentication succeeds, access IPv6 and IPv4 resources
6. Authentication request packet
7. Accounting start packet

zhiliaoy, posted 2021-06-02
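An added example, not part of the original answer or of H3C's documentation: a short Python check that every interface enforcing portal binds a globally defined portal server for each address family it carries, so that neither stack is left outside authentication. It assumes Comware-style text with system-view commands at column 0 and interface sub-commands indented; `audit_portal` and `SAMPLE` are hypothetical names.

```python
import re

# Constructed excerpt of the answer's configuration (key/url fields trimmed).
SAMPLE = """\
portal server cmcchenan1 ip 211.138.30.42 server-type cmcc
portal server ipv6test ipv6 2001:DA8:E800:E4B8::1
#
interface Vlan-interface1005
 ipv6 address 2409:88A8:850::2/50
 ip address 10.42.30.2 255.255.255.0
 portal server cmcchenan method direct
 portal server ipv6test method direct
#
"""

GLOBAL_RE = re.compile(r"^portal server (\S+) (ip|ipv6) \S+")
BIND_RE = re.compile(r"^portal server (\S+) method \S+")

def audit_portal(config):
    """Return (interface, message) findings for portal bindings."""
    servers, interfaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # column 0: system view
            current = None
            m = GLOBAL_RE.match(line)
            if m:
                servers[m.group(1)] = m.group(2)  # name -> address family
            elif line.startswith("interface "):
                current = interfaces.setdefault(
                    line.split()[1], {"families": set(), "bound": []})
        elif current is not None:  # indented: interface view
            m = BIND_RE.match(line)
            if m:
                current["bound"].append(m.group(1))
            elif line.startswith(("ip address ", "ipv6 address ")):
                current["families"].add(line.split()[0])
    findings = []
    for name, info in interfaces.items():
        covered = set()
        for srv in info["bound"]:
            if srv in servers:
                covered.add(servers[srv])
            else:
                findings.append((name, f"portal server {srv} is not defined"))
        # Only interfaces that enforce portal need both families covered.
        for fam in sorted(info["families"] - covered) if info["bound"] else []:
            findings.append((name, f"{fam} has no defined portal server bound"))
    return findings
```

On the excerpt, the check reports that Vlan-interface1005 binds `cmcchenan` while the server is defined as `cmcchenan1`, which leaves the IPv4 side without a defined portal server.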

