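Looking for a dual-stack configuration example for a firewall at the network egress. I want to reproduce it in a simulator; the topology is simply access - core - firewall. There is a requirement for the internal virtualization servers to run IPv6 and be mapped. How do I configure dual stack on the firewall? There is no example on the official website.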
(0)
http://h3c.com/cn/d_202011/1353482_30005_0.htm#_Toc54611564
(0)
Take a look at this one for reference:

China Mobile BAC IPv4/IPv6 dual-stack configuration example (E2507P12)

I. Networking requirements:

The CAPWAP/LWAPP tunnel is still carried over IPv4, and the AP management address is unchanged.
The AC still uses an IPv4 address to communicate with the Portal and AAA servers, and nas-ip remains IPv4.
The User IP passed between the AC and the Portal must support the user's IPv4/IPv6 addresses, so that a single authentication permits both stacks.

II. Network diagram:

Figure 1

III. Configuration steps:

1. Configuration approach

1.1 Enable IPv6 globally
1.2 Configure the IPv4 and IPv6 interconnect addresses
1.3 Configure DHCPv6 and DHCPv4
1.4 Configure the IPv4 and IPv6 portal and RADIUS settings

2. Configuration steps

2.1 Enable IPv6 globally

    ipv6
    #

2.2 Configure the uplink interconnect IPv4 and IPv6 addresses

    interface Vlan-interface19
     ipv6 address 2409:8088:800:1030::10:9372/126
     ip address 1.1.1.3 255.255.255.240
     vrrp vrid 1 virtual-ip 1.1.1.2
     vrrp vrid 1 priority 120
    #

2.3 Configure DHCPv6 and DHCPv4

    ipv6 dhcp pool 1
     network 2409:88A8:850::/50
    #
    dhcp server ip-pool ac01
     network 10.42.30.0 mask 255.255.255.0
     network ip range 10.42.30.1 10.42.30.254
     gateway-list 10.42.30.1
     dns-list 211.138.24.66 211.138.30.66
     expired day 0 hour 0 minute 30
    #

2.4 Configure the IPv4 and IPv6 portal and RADIUS

    portal server cmcchenan1 ip 211.138.30.42 url http://211.138.30.42:7080/index.php server-type cmcc
    portal server ipv6test ipv6 2001:DA8:E800:E4B8::1 key cipher $c$3$vkLQapngT0BgVHIgFoq5OQ4GThICuMYpWBs9 url http://218.206.248.116:6080/index.php
    #
    radius scheme ipv6
     server-type extended
     primary authentication 10.10.10.10 1745
     primary accounting 10.10.10.10 1746
     key authentication cipher $c$3$K4K/RjpaPDYGsR1e5WBAcCjVPAK2x4PUW/m/
     key accounting cipher $c$3$Gs5LElHnylUNPdepvcU43jFK7ERz5qDcICBo
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #
    radius scheme cmcchenan
     server-type extended
     primary authentication 10.10.10.10 1645
     primary accounting 10.10.10.10 1646
     key authentication cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oOo6pbn/wU+Ht+T
     key accounting cipher $c$3$cut2e+1uljuwJgFtF8t+v5E8QqZSlUTlB6ut
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #

2.6 Configure the user gateway

    interface Vlan-interface1005
     description GateWay_of_CMCC
     undo ipv6 nd ra halt
     ipv6 nd autoconfig managed-address-flag
     ipv6 nd autoconfig other-flag
     ipv6 address 2409:88A8:850::2/50
     ip address 10.42.30.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.42.30.1
     vrrp vrid 2 priority 120
     vrrp vrid 2 track 2 reduced 50
     dhcp select relay
     dhcp relay server-select 1
     portal control-mode mac
     portal server cmcchenan method direct
     portal server ipv6test method direct
     portal domain cmcchenan
     portal domain ipv6 ipv6test
     portal nas-id 3438037137100460
     portal nas-port-type wireless
     portal backup-group 1
     portal nas-ip 1.1.1.2
     access-user detect type arp retransmit 5 interval 120
     ipv6 dhcp server apply pool 1

3. Configuration file

Key configuration on the AC side:

    version 5.20, ESS 2507P12
    #
    dhcp relay server-group 1 ip 1.1.1.3
    #
    ipv6
    #
    portal server cmcchenan1 ip 211.138.30.42 url http://211.138.30.42:7080/index.php server-type cmcc
    portal server ipv6test ipv6 2001:DA8:E800:E4B8::1 key cipher $c$3$vkLQapngT0BgVHIgFoq5OQ4GThICuMYpWBs9 url http://218.206.248.116:6080/index.php
    #
    ipv6 dhcp server enable
    #
    radius scheme ipv6
     server-type extended
     primary authentication 10.10.10.10 1745
     primary accounting 10.10.10.10 1746
     key authentication cipher $c$3$K4K/RjpaPDYGsR1e5WBAcCjVPAK2x4PUW/m/
     key accounting cipher $c$3$Gs5LElHnylUNPdepvcU43jFK7ERz5qDcICBo
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #
    radius scheme cmcchenan
     server-type extended
     primary authentication 10.10.10.10 1645
     primary accounting 10.10.10.10 1646
     key authentication cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oOo6pbn/wU+Ht+T
     key accounting cipher $c$3$cut2e+1uljuwJgFtF8t+v5E8QqZSlUTlB6ut
     timer realtime-accounting 30
     user-name-format keep-original
     nas-ip 1.1.1.2
     retry stop-accounting 10
    #
    domain ipv6test
     authentication portal radius-scheme ipv6
     authorization portal radius-scheme ipv6
     accounting portal radius-scheme ipv6
     access-limit disable
     state active
     idle-cut enable 15 1024
     self-service-url disable
    #
    domain cmcchenan
     authentication portal radius-scheme cmcchenan
     authorization portal radius-scheme cmcchenan
     accounting portal radius-scheme cmcchenan
     access-limit disable
     state active
     idle-cut enable 15 1024
     self-service-url disable
    #
    ipv6 dhcp pool 1
     network 2409:88A8:850::/50
    #
    dhcp server ip-pool ac01
     network 10.42.30.0 mask 255.255.255.0
     network ip range 10.42.30.1 10.42.30.254
     gateway-list 10.42.30.1
     dns-list 211.138.24.66 211.138.30.66
     expired day 0 hour 0 minute 30
    #
    wlan service-template 11 clear
     ssid CMCC-eDU
     bind WLAN-ESS 11
     service-template enable
    #
    interface WLAN-ESS11
     port access vlan 1005
    #
    interface Vlan-interface19
     ipv6 address 2409:8088:800:1030::10:9372/126
     ip address 1.1.1.3 255.255.255.240
     vrrp vrid 1 virtual-ip 1.1.1.2
     vrrp vrid 1 priority 120
    #
    interface Vlan-interface1005
     description GateWay_of_CMCC
     undo ipv6 nd ra halt
     ipv6 nd autoconfig managed-address-flag
     ipv6 nd autoconfig other-flag
     ipv6 address 2409:88A8:850::2/50
     ip address 10.42.30.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.42.30.1
     vrrp vrid 2 priority 120
     vrrp vrid 2 track 2 reduced 50
     dhcp select relay
     dhcp relay server-select 1
     portal control-mode mac
     portal server cmcchenan method direct
     portal server ipv6test method direct
     portal domain cmcchenan
     portal domain ipv6 ipv6test
     portal nas-id 3438037137100460
     portal nas-port-type wireless
     portal backup-group 1
     portal nas-ip 1.1.1.2
     access-user detect type arp retransmit 5 interval 120
     ipv6 dhcp server apply pool 1
    #
    wlan ap ceshi model WA2610E-GNP id 5
     serial-id 219801A0CSC129019915
     radio 1
      channel 1
      service-template 11 nas-id 3419037137100460
      client-rate-limit direction inbound mode static cir 512
      client-rate-limit direction outbound mode static cir 2048
      radio enable
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
    #
    ipv6 route-static :: 0 2409:8088:800:1030::10:9371
    #

IV. Verification:

1. Obtain an IP address
2. IPv4 portal authentication
3. After IPv4 authentication succeeds, access IPv4 and IPv6 resources
4. IPv6 portal authentication
5. After IPv6 authentication succeeds, access IPv6 and IPv4 resources
6. Authentication request packet
7. Accounting-start packet
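Added example, not part of the original answer or of H3C's documentation: a small Python check over a constructed excerpt of the configuration above. It resolves every portal server, domain and RADIUS scheme name used inside a view against its definition, and lists interfaces that carry only one address family. The function name `audit` and the reduced sample are assumptions of this example; on the excerpt it reports that Vlan-interface1005 binds portal server `cmcchenan` while the defined server is named `cmcchenan1`.

```python
import re
# Constructed excerpt reduced from the AC configuration above (keys, URLs dropped).
SAMPLE = """\
portal server cmcchenan1 ip 211.138.30.42 server-type cmcc
portal server ipv6test ipv6 2001:DA8:E800:E4B8::1
radius scheme ipv6
radius scheme cmcchenan
domain ipv6test
 authentication portal radius-scheme ipv6
domain cmcchenan
 authentication portal radius-scheme cmcchenan
interface Vlan-interface19
 ipv6 address 2409:8088:800:1030::10:9372/126
 ip address 1.1.1.3 255.255.255.240
interface Vlan-interface1005
 ipv6 address 2409:88A8:850::2/50
 ip address 10.42.30.2 255.255.255.0
 portal server cmcchenan method direct
 portal server ipv6test method direct
 portal domain cmcchenan
 portal domain ipv6 ipv6test
"""

def audit(cfg):
    """Return (dangling references, interfaces that are not dual-stack)."""
    defined, used, stacks, view = set(), [], {}, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                  # column-0 command opens a new view
            view = line
            m = re.match(r"(portal server|domain|radius scheme) (\S+)", line)
            if m:
                defined.add(m.groups())     # (kind, name) defined globally
            continue
        m = (re.match(r"(portal server) (\S+) method", line)
             or re.match(r"portal (domain) (?:ipv6 )?(\S+)", line)
             or re.search(r"(radius)-scheme (\S+)", line))
        if m:                               # a name referenced inside a view
            kind = "radius scheme" if m.group(1) == "radius" else m.group(1)
            used.append((view, kind, m.group(2)))
        m = re.match(r"(ip|ipv6) address ", line)
        if m and view.startswith("interface "):
            stacks.setdefault(view, set()).add(m.group(1))
    dangling = [u for u in used if u[1:] not in defined]
    single = sorted(v for v, fam in stacks.items() if fam != {"ip", "ipv6"})
    return dangling, single

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parser expects views at column 0 and sub-commands indented by at least one space, so strip any leading block indentation before feeding it a configuration copied from a page.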