说明:因为没有DHCP SERVER和WEB server,所以都是本地DHCP的,WEB SERVER用本地的,不过不影响大家学习,把地址改一下就行了。
1端口默认为web方式,可以接入web,RADIUS认证,地址段172.16.0.1/24
2端口fast认证,本地认证,地址段172.16.1.1/24
3端口绑定认证,本地认证,地址段172.16.2.1/24
4端口接入静态用户,本地认证,地址段172.16.3.1/24
5端口接入pppoe、dot1x用户,radius认证,地址段172.16.4.1/24(pppoe),172.16.5.1/24(1x)
6端口接入二层专线用户,本地认证,地址段172.16.6.1/24
7端口本来想接入三层专线的,后改到12端口了,这个端口的数据没用。
8端口接入PPPOE专线用户(但由于没有环境,所以数据没有配置完,这个就不要看了)
9端口接入PNP用户,RADIUS认证,地址段172.16.7.1/24
11端口接入VPN用户,RADIUS+LNS二次认证(只有数据,没有环境做测试),地址段172.16.8.1/24
12端口为三层用户接入端口,接入三层专线和三层WEB认证,地址段172.17.0.1/24(三层专线),地址段172.17.1.1/24(三层认证)
[MA5200F]display cu
#
version 7123
sysname MA5200F
#
system language-mode english
#
FTP server enable
#
l2tp enable
#
radius-server group default
radius-server group huawei
radius-server authentication 10.164.47.171 1812
radius-server accounting 10.164.47.171 1813
radius-server group login
#
web-server
directory flash:/web/
default-page /index.html
#
info-center timestamp debugging date
undo trap-statistics 70f2000
undo trap-statistics 70f2001
undo trap-statistics 70f2002
undo trap-statistics 70f2003
undo trap-statistics 70f2004
undo trap-statistics 70f2005
undo trap-statistics 70f2008
undo trap-statistics 70f2009
undo trap-statistics 70f200c
undo trap-statistics 70f200d
undo trap-statistics 70f200e
undo trap-statistics 70f200f
undo trap-statistics 70f2017
undo trap-statistics 70f2018
undo trap-statistics 70f201a
undo trap-statistics 70f201b
undo trap-statistics 70f201c
undo trap-statistics 70f201d
undo trap-statistics 7032000
undo trap-statistics 7032001
undo trap-statistics 7032002
#
login local-user aaa
login local-user ma5200 password simple ma5200
login local-user ma5200 service-type ftp
login local-user ma5200 ftp-directory flash:/
#
interface Ethernet1
#
interface Ethernet2
#
interface Ethernet3
#
interface Ethernet4
#
interface Ethernet5
pppoe-server bind Virtual-Template 1
#
interface Ethernet6
#
interface Ethernet6.1
ip address 172.17.6.1 255.255.255.0
#
interface Ethernet7
#
interface Ethernet8
#
interface Ethernet8.0
#
interface Ethernet9
#
interface Ethernet10
#
interface Ethernet11
pppoe-server bind Virtual-Template 1
#
interface Ethernet12
#
interface Ethernet12.0
ip address 192.168.1.1 255.255.255.252
#
interface Ethernet13
#
interface Ethernet14
#
interface Ethernet15
#
interface Ethernet16
#
interface Ethernet17
#
interface Ethernet18
#
interface Ethernet19
#
interface Ethernet20
#
interface Ethernet21
#
interface Ethernet22
#
interface Ethernet23
#
interface Ethernet24
#
interface Virtual-Template1
#
interface Pos25
flag c2 0 j0 0 j1
#
interface Pos26
flag c2 0 j0 0 j1
#
interface Pos27
flag c2 0 j0 0 j1
#
interface Pos28
ppp authentication-mode none
peer default ip address 192.168.0.1
ip address 192.168.0.1 255.255.255.252
#
interface NULL0
#
interface LoopBack0
#
interface Nm-Ethernet0
ip address 10.164.47.20 255.255.255.0
#
acl number 101 match-order auto
rule 0 user-net deny ip source 100
#
l2tp-group 1
tunnel name Huawei-ma5200f
start l2tp ip 10.164.47.22
#
ip pool bind local
gateway 172.16.2.1 255.255.255.0
section 0 172.16.2.2 172.16.2.254
#
ip pool dot1x local
gateway 172.16.5.1 255.255.255.0
section 0 172.16.5.2 172.16.5.254
#
ip pool fast local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.254
#
ip pool l2lease local
gateway 172.16.6.1 255.255.255.0
section 0 172.16.6.2 172.16.6.254
#
ip pool pnp local
gateway 172.16.7.1 255.255.255.0
section 0 172.16.7.2 172.16.7.254
#
ip pool pppoe local
gateway 172.16.4.1 255.255.255.0
section 0 172.16.4.2 172.16.4.254
#
ip pool pppoelease remote
gateway 172.18.0.1 255.255.255.0
#
ip pool static local
gateway 172.16.3.1 255.255.255.0
section 0 172.16.3.2 172.16.3.254
excluded-ip-address 172.16.3.2 172.16.3.254
#
ip pool vpn local
gateway 172.16.8.1 255.255.255.0
section 0 172.16.8.2 172.16.8.254
#
ip pool web local
gateway 172.16.0.1 255.255.255.0
section 0 172.16.0.2 172.16.0.254
#
dot1x-template 1
#
aaa
authentication-scheme local
authentication-mode local
authentication-scheme radius
accounting-scheme radius
accounting-scheme local
accounting-mode local
domain default0
web-server 127.0.0.1
ucl-group 100
ip-pool web
ip-pool fast
domain web
authentication-scheme radius
accounting-scheme radius
radius-server group huawei
ip-pool web
domain fast
authentication-scheme local
accounting-scheme local
ip-pool fast
domain bind
authentication-scheme local
accounting-scheme local
ip-pool bind
domain static
authentication-scheme local
accounting-scheme local
ip-pool static
domain pppoe
authentication-scheme radius
accounting-scheme radius
radius-server group huawei
ip-pool pppoe
domain dot1x
authentication-scheme radius
accounting-scheme radius
radius-server group huawei
eap-end chap
ip-pool dot1x
domain pnp
authentication-scheme local
accounting-scheme local
ip-pool pnp
domain vpn
authentication-scheme local
accounting-scheme local
ip-pool vpn
l2tp-group 1
domain l2lease
authentication-scheme local
accounting-scheme local
ip-pool l2lease
domain l3lease
authentication-scheme local
accounting-scheme local
domain pppoelease
authentication-scheme radius
accounting-scheme radius
radius-server group huawei
ip-pool pppoelease
domain l3
authentication-scheme radius
accounting-scheme radius
radius-server group huawei
web-server 127.0.0.1
#
local-aaa-server
batch-user ethernet 3 1 10 domain bind
batch-user ethernet 3 1 10 domain bind authentication-type A
batch-user ethernet 2 1 10 domain fast
batch-user ethernet 2 1 10 domain fast authentication-type A
batch-user ethernet 6 1 10 domain l2lease
batch-user ethernet 6 1 10 domain l2lease authentication-type A
batch-user ethernet 7 1 10 domain l3lease
batch-user ethernet 7 1 10 domain l3lease authentication-type A
batch-user ethernet 12 0 1 domain l3lease
batch-user ethernet 12 0 1 domain l3lease authentication-type A
batch-user ethernet 4 1 10 domain static
batch-user ethernet 4 1 10 domain static authentication-type A
#
cluster
ip-pool 172.0.0.1 255.255.255.0
build MA5200F
add-member 1 mac-address 00e0-fc0c-f252
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.2
ip route-static 10.0.0.0 255.0.0.0 10.164.47.1
ip route-static 172.17.0.0 255.255.252.0 192.168.1.2
ip route-static 172.17.1.0 255.255.255.0 192.168.1.2
#
access-group 101
#
user-interface con 0
user-interface vty 0 4
authentication-mode none
user privilege level 3
set authentication password simple 5200
idle-timeout 0 0
#
layer3-subscriber 172.17.0.2 172.17.0.100 domain-name l3lease
layer3-subscriber 172.17.1.2 172.17.1.100 domain-name l3
portvlan ethernet 1 vlan 1 10
access-type layer2-subscriber
default-domain authentication web
authentication-method pppoe dot1x web
portvlan ethernet 1 vlan 100 1
access-type relay-leased-line outport ethernet 12 200
portvlan ethernet 2 vlan 1 10
access-type layer2-subscriber
default-domain authentication fast
authentication-method fast
portvlan ethernet 3 vlan 1 10
access-type layer2-subscriber
default-domain authentication bind
authentication-method bind
portvlan ethernet 4 vlan 1 1
access-type layer2-subscriber
default-domain authentication bind
authentication-method bind
static-user 172.16.3.2 172.16.3.10 domain-name static detec
portvlan ethernet 5 vlan 1 10
access-type layer2-subscriber
default-domain authentication pppoe
authentication-method pppoe dot1x
portvlan ethernet 6 vlan 1 10
access-type vlan-leased-line default-domain pre-authentication l2lease
portvlan ethernet 7 vlan 1 10
access-type vlan-leased-line default-domain pre-authentication l3lease
portvlan ethernet 8 vlan 1 10
access-type pppoe-leased-line
default-domain authentication pppoelease
portvlan ethernet 9 vlan 1 10
access-type layer2-subscriber
authentication-method web
pnp
portvlan ethernet 10 vlan 1 10
access-type layer3-subscriber
default-domain authentication l3
portvlan ethernet 11 vlan 1 10
access-type layer2-subscriber
default-domain authentication vpn
authentication-method pppoe
portvlan ethernet 12 vlan 0 1
access-type layer3-subscriber
default-domain authentication l3
portvlan ethernet 13 vlan 0 2
access-type system-reserved
