 class cmNetworkControl_NNI
  bandwidth percent 5
  set dscp inherit-from 8021p
 $
 class cmDiamond_NNI
  bandwidth percent 5
  set dscp inherit-from 8021p
 $
 class class-default
  bandwidth percent 30
  set dscp inherit-from 8021p
 $
!
policy-map pmGEOutput_UNI
 class cmCopper_UNI
  bandwidth percent 5
 $
 class cmSilver_UNI
  bandwidth percent 5
 $
 class cmGold_UNI
  bandwidth percent 10
 $
 class cmCritical_UNI
  priority-llq
  police 100000 12500
 $
 class cmPlatinum_UNI
  bandwidth percent 30
 $
 class cmNetworkControl_UNI
  bandwidth percent 5
 $
 class cmDiamond_UNI
  bandwidth percent 5
 $
 class class-default
  bandwidth percent 30
 $
!
policy-map pmXGEOutput_NNI
 class cmCopper_NNI
  bandwidth percent 5
  set dscp inherit-from 8021p
 $
 class cmSilver_NNI
  bandwidth percent 5
  set dscp inherit-from 8021p
 $
 class cmGold_NNI
  bandwidth percent 10
  set dscp inherit-from 8021p
 $
 class cmCritical_NNI
  police 1000000 125000
  priority-llq
  set dscp inherit-from 8021p
 $
 class cmPlatinum_NNI
  bandwidth percent 30
  set dscp inherit-from 8021p
 $
 class cmNetworkControl_NNI
  bandwidth percent 5
  set dscp inherit-from 8021p
 $
 class cmDiamond_NNI
  bandwidth percent 5
  set dscp inherit-from 8021p
 $
 class class-default
  bandwidth percent 30
  set dscp inherit-from 8021p
 $
!
// Bind the QoS policy on the network-side (NNI) interfaces. GE ports and 10GE ports use different policies (pmGEOutput_NNI and pmXGEOutput_NNI); take care not to bind the wrong one.
service-policy gei-0/0/0/1 output pmGEOutput_NNI overwrite
!
service-policy gei-0/1/0/1 output pmGEOutput_NNI overwrite
!
// Bind the QoS policy on the user-side (UNI) interface
service-policy gei-0/0/0/2 output pmGEOutput_UNI overwrite
!
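The warning above ("take care not to bind the wrong one") is the kind of mistake that is easy to catch mechanically before a configuration is pushed. The following script is an added example, not code from the guide or from ZTE: it parses policy-maps and service-policy lines in the layout shown on this page, checks that the bandwidth percentages of each policy-map do not exceed 100, that every class of an *_NNI policy carries "set dscp inherit-from 8021p" (as every NNI class on the page does), and that a GE interface is bound to a pmGE* policy and a 10GE interface to a pmXGE* policy. The 10GE interface prefix "xgei-" is an assumption; only "gei-" interfaces appear on the page.

```python
"""Lint the QoS policy-maps and service-policy bindings in the style shown above.

Added example, not code from the original guide or from ZTE. It assumes the
CLI layout used on the page (policy-map / class / bandwidth percent /
set dscp ..., "$" closing a class, "!" closing a policy-map) and that 10GE
interfaces carry the name prefix "xgei-" (an assumption; only "gei-"
interfaces appear on the page).
"""
import re

# Constructed sample: shortened copies of two policy-maps from the page plus
# two bindings, one of them deliberately wrong (a 10GE port bound to a GE
# policy that is not even defined here).
SAMPLE_CONFIG = """\
policy-map pmGEOutput_UNI
 class cmCopper_UNI
  bandwidth percent 5
 $
 class cmCritical_UNI
  priority-llq
  police 100000 12500
 $
 class class-default
  bandwidth percent 30
 $
!
policy-map pmXGEOutput_NNI
 class cmGold_NNI
  bandwidth percent 10
  set dscp inherit-from 8021p
 $
 class class-default
  bandwidth percent 30
 $
!
service-policy gei-0/0/0/2 output pmGEOutput_UNI overwrite
service-policy xgei-0/2/0/1 output pmGEOutput_NNI overwrite
"""

BINDING_RE = re.compile(r"^service-policy\s+(\S+)\s+(input|output)\s+(\S+)")


def parse_policy_maps(text):
    """Return {policy_name: {class_name: [config lines of that class]}}."""
    maps, pm, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            pm, cls = line.split()[1], None
            maps[pm] = {}
        elif line.startswith("class ") and pm is not None:
            cls = line.split()[1]
            maps[pm][cls] = []
        elif line == "$":
            cls = None
        elif line == "!":
            pm = cls = None
        elif pm is not None and cls is not None:
            maps[pm][cls].append(line)
    return maps


def parse_bindings(text):
    """Return [(interface, direction, policy)] from the service-policy lines."""
    matches = (BINDING_RE.match(l.strip()) for l in text.splitlines())
    return [m.groups() for m in matches if m]


def bandwidth_sum(classes):
    """Sum of 'bandwidth percent' over a policy-map's classes (an LLQ class has none)."""
    total = 0
    for lines in classes.values():
        for l in lines:
            m = re.match(r"bandwidth percent (\d+)$", l)
            if m:
                total += int(m.group(1))
    return total


def lint(text):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    maps = parse_policy_maps(text)
    for name, classes in maps.items():
        total = bandwidth_sum(classes)
        if total > 100:
            findings.append(f"{name}: bandwidth percent sums to {total} (> 100)")
        if name.endswith("_NNI"):          # every NNI class on the page inherits DSCP
            for cls, lines in classes.items():
                if "set dscp inherit-from 8021p" not in lines:
                    findings.append(f"{name}/{cls}: NNI class has no 'set dscp inherit-from 8021p'")
    for iface, _direction, policy in parse_bindings(text):
        if policy not in maps:
            findings.append(f"{iface}: bound policy {policy} is not defined")
        # GE ports take the pmGE* family, 10GE ports the pmXGE* family.
        expected = "pmXGE" if iface.startswith("xgei-") else "pmGE"
        if not policy.startswith(expected):
            findings.append(f"{iface}: expected a {expected}* policy, got {policy}")
    return findings
```

Run `lint()` over the text of `show running-config` (or the staged config) before it is applied; on the sample it reports the missing DSCP inheritance on the NNI class-default and the two problems with the 10GE binding, and it passes once the 10GE port is bound to pmXGEOutput_NNI.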
6.3.10. Network management configuration
ipv4-access-list ACL_telnet
 rule 1 permit 61.166.150.0 0.0.0.255
 rule 2 permit 61.166.10.0 0.0.0.255
 rule 3 permit 222.219.184.34 0.0.0.0
$
!
line telnet
 access-class ipv4 ACL_telnet
!
// The access-class limits which source addresses may open a Telnet session; Telnet itself still carries the login credentials in clear text on the wire.
ipv4-access-list ACL_snmp
 rule 1 permit 222.219.184.34 0.0.0.0
$
!
snmp-server access-list ipv4 ACL_snmp
snmp-server enable server-working
snmp-server community zteadmin@2892 showclear view AllView ro
// The showclear keyword makes the community string appear in clear text in the configuration; without it the string is stored and displayed in encrypted form. The community string is the only credential SNMPv2c has, so omit showclear on production devices and keep ACL_snmp restricted to the management host.
snmp-server host 222.219.184.34 inform version 2c zteadmin@2892
snmp-server host 222.219.184.34 trap version 2c zteadmin@2892
logging on
syslog-server host 222.219.184.34
syslog-server source ipv4 116.55.61.52
6.3.11. Security hardening configuration
// Junk traffic filtering
ipv4-access-list ACL_Anti_virus
 rule 1 deny tcp any any eq 135
 rule 2 deny tcp any any eq 137
 rule 3 deny tcp any any eq 138
 rule 4 deny tcp any any eq 139
 rule 5 deny tcp any any eq 445
 rule 6 deny tcp any any eq 5554
 rule 7 deny tcp any any eq 901
 rule 8 deny tcp any any eq 2745
 rule 9 deny tcp any any eq 3127
 rule 10 deny tcp any any eq 3128
 rule 11 deny tcp any any eq 6129
 rule 12 deny tcp any any eq 6667
 rule 13 deny tcp any any eq 4444
 rule 14 deny tcp any any eq 1025
 rule 15 deny tcp any any eq 593
 rule 16 deny udp any any eq 135
 rule 17 deny udp any any eq 137
 rule 18 deny udp any any eq 138
 rule 19 deny udp any any eq 139
 rule 20 deny udp any any eq 445
 rule 21 deny udp any any eq 9995
 rule 22 deny udp any any eq 9996
 rule 23 deny udp any any eq 1434
 rule 24 deny tcp any any eq 7306
 rule 25 deny tcp any any eq 7626
 rule 26 deny tcp any any eq 12346
 rule 27 deny tcp any any eq 1999
 rule 100 permit ip any any
!
// Rules are evaluated in sequence order. Rule 100 permits everything that the deny rules above did not match, so this list is a blocklist of known worm and backdoor ports, not an allowlist.
interface gei-0/0/0/1
 ipv4-access-group ingress ACL_Anti_virus
!
interface gei-0/1/0/1
 ipv4-access-group ingress ACL_Anti_virus
!
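Before applying an ACL of this size to a live NNI port it is worth being able to answer "what happens to this packet" offline. The evaluator below is an added example, not code from the guide or from ZTE: it parses the two rule shapes that appear on this page (the source-only form used in ACL_telnet and the protocol/source/destination/"eq port" form used in ACL_Anti_virus), matches addresses with the wildcard-mask semantics of the rules, and applies first-match evaluation in sequence order. It assumes an implicit deny when no rule matches, which is what rule 100 in ACL_Anti_virus is there to override; the sample ACL text is constructed from the page and shortened.

```python
"""First-match evaluator for the ZTE-style ipv4-access-lists used above.

Added example, not code from the original guide or from ZTE. It handles the
two rule shapes on the page:
  rule N permit|deny SRC WILDCARD
  rule N permit|deny PROTO any|SRC WILDCARD any|DST WILDCARD [eq PORT]
and assumes first-match semantics with an implicit deny at the end.
"""
import ipaddress

# Constructed sample: ACL_telnet as on the page and a shortened ACL_Anti_virus.
SAMPLE_ACLS = """\
ipv4-access-list ACL_telnet
 rule 1 permit 61.166.150.0 0.0.0.255
 rule 2 permit 61.166.10.0 0.0.0.255
 rule 3 permit 222.219.184.34 0.0.0.0
$
!
ipv4-access-list ACL_Anti_virus
 rule 1 deny tcp any any eq 135
 rule 5 deny tcp any any eq 445
 rule 20 deny udp any any eq 445
 rule 23 deny udp any any eq 1434
 rule 100 permit ip any any
!
"""


def _parse_addr(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from tokens; return (network_int, care_mask)."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    del tokens[:2]
    mask = 0xFFFFFFFF ^ wild        # wildcard 0.0.0.255 -> compare the top 24 bits
    return addr & mask, mask


def parse_rule(line):
    """Parse one 'rule N action ...' line into a dict."""
    t = line.split()
    rule = {"seq": int(t[1]), "action": t[2], "proto": "ip", "dst": (0, 0), "dport": None}
    rest = t[3:]
    if rest[0] in ("ip", "tcp", "udp"):         # extended form
        rule["proto"] = rest.pop(0)
        rule["src"] = _parse_addr(rest)
        rule["dst"] = _parse_addr(rest)
        if rest[:1] == ["eq"]:
            rule["dport"] = int(rest[1])
    else:                                       # standard form: source only
        rule["src"] = _parse_addr(rest)
    return rule


def parse_acls(text):
    """Return {acl_name: [rules]} from config text."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ipv4-access-list "):
            current = line.split()[1]
            acls[current] = []
        elif line.startswith("rule ") and current is not None:
            acls[current].append(parse_rule(line))
        elif line in ("$", "!"):
            current = None
    return acls


def _addr_matches(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == net


def evaluate(rules, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return (action, seq) of the first matching rule, or ("deny", None) if none matches."""
    for r in sorted(rules, key=lambda r: r["seq"]):
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not _addr_matches(r["src"], src) or not _addr_matches(r["dst"], dst):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["seq"]
    return "deny", None
```

`evaluate(acls["ACL_Anti_virus"], "10.0.0.1", "116.55.61.52", "tcp", 445)` returns `("deny", 5)`, the same packet on TCP port 80 falls through to `("permit", 100)`, and a Telnet source of 222.219.184.35 is denied by ACL_telnet because rule 3 has a 0.0.0.0 wildcard, i.e. an exact host match.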
// Spoofed source address filtering (loose-mode uRPF: a packet is dropped only when its source address has no route at all in the forwarding table; a source that is routable via any interface is accepted)
interface gei-0/0/0/1
 ipv4 verify unicast source reachable-via any
!
interface gei-0/1/0/1
 ipv4 verify unicast source reachable-via any
!
// Disable unused control-plane services
no ip source-route    // disable IP source routing, which would let the sender dictate the forwarding path
// Enable authentication-request suppression so that abnormal authentication attempts do not affect the service
subscriber-manage
 user offline-exception-record enable    // record the reason for abnormal user offline events, to help analyse disconnections
 user online-failed-record enable        // record user online failures, to help analyse why logins fail
 authentic-request-ctrl control enable
 authentic-request-ctrl request-interval 30
 authentic-request-ctrl request-count 5 forbid-period 180 reset-period 5
Note: if a user sends 5 authentication requests within 30 seconds and all of them fail, the account is treated as abnormal and the device stops responding to its authentication requests for 180 seconds; if authentication still fails after those 180 seconds, suppression continues; the failure counter is cleared after 5 minutes.
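The interaction of the three timers in the note (request-interval, forbid-period, reset-period) is easier to reason about with a model that can be run against a trace of login attempts. The class below is an added example, not code from the guide or from ZTE; it implements the behaviour as the note describes it, with a sliding 30-second window for counting failures, a 180-second period during which requests get no response, continued suppression when the first attempt after that period fails again, and a failure counter that forgets failures older than 5 minutes. The verdict strings, the sliding-window interpretation and the sample trace are assumptions of this model.

```python
"""Model of the authentic-request-ctrl behaviour described in the note above.

Added example, not code from the guide or from ZTE; it reproduces the note's
description so the effect of request-interval / request-count /
forbid-period / reset-period can be checked before they are applied to a
live BRAS. Verdict strings and the sliding-window interpretation are
assumptions of this model.
"""


class AuthRequestCtrl:
    def __init__(self, request_interval=30, request_count=5,
                 forbid_period=180, reset_period=5 * 60):
        self.request_interval = request_interval   # seconds
        self.request_count = request_count
        self.forbid_period = forbid_period         # seconds
        self.reset_period = reset_period           # seconds (the CLI takes minutes)
        self.failures = {}        # user -> list of failure timestamps
        self.forbid_until = {}    # user -> time until which requests are ignored
        self.suppressing = set()  # users currently inside a suppression episode

    def handle(self, user, now, auth_ok):
        """Return 'accepted', 'rejected' or 'suppressed' for one request at time now."""
        # The failure counter is cleared once every failure is older than reset-period.
        fails = [t for t in self.failures.get(user, []) if now - t < self.reset_period]
        if not fails:
            self.suppressing.discard(user)
        if now < self.forbid_until.get(user, 0):
            return "suppressed"                    # no response at all, even to a good password
        if auth_ok:
            self.failures.pop(user, None)
            self.forbid_until.pop(user, None)
            self.suppressing.discard(user)
            return "accepted"
        fails.append(now)
        self.failures[user] = fails
        recent = [t for t in fails if now - t <= self.request_interval]
        # Enter suppression on the Nth failure inside the interval, or keep
        # suppressing when the first attempt after a forbid period fails again.
        if len(recent) >= self.request_count or user in self.suppressing:
            self.forbid_until[user] = now + self.forbid_period
            self.suppressing.add(user)
        return "rejected"


def simulate(events, ctrl=None):
    """Run (user, time, auth_ok) events through a controller; return the verdicts."""
    ctrl = ctrl or AuthRequestCtrl()
    return [ctrl.handle(u, t, ok) for u, t, ok in events]


# Constructed trace: five bad passwords in 20 s, a correct one during the
# forbid period, a failing retry just after it, then success 6 minutes later.
SAMPLE_EVENTS = [
    ("user1", 0, False), ("user1", 5, False), ("user1", 10, False),
    ("user1", 15, False), ("user1", 20, False),   # 5th failure -> no responses until t=200
    ("user1", 100, True),                         # correct password, still ignored
    ("user1", 201, False),                        # still failing -> suppressed until t=381
    ("user1", 300, False),                        # ignored
    ("user1", 600, True),                         # counter cleared, accepted
    ("user2", 21, True),                          # other accounts are unaffected
]
```

Two things the trace makes visible: a correct password sent inside the forbid period is silently ignored (the user sees a timeout, not a rejection), and because suppression keys on the account, anyone who knows a username can keep it suppressed with one bad request every 180 seconds. The online-failed-record and offline-exception-record logs enabled above are where that pattern would show up.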
6.3.12. Saving the configuration
write
6.4. BRAS service configuration guide
BRAS services are controlled mainly through three modules: the DOMAIN module, the VBUI module and the VCC module.
- DOMAIN module: user authentication, authorization and accounting (AAA)
- VBUI module: the service Layer 3 interface, address pools and so on
- VCC module: management of the user access circuits
The binding relationships between the three modules at the service level are illustrated by the following example.
For M6000 V1.00.60 the binding relationship is: VBUI <----> Domain <----> VCC
Domain configuration:
subscriber-manage
 domain 1
  bind authentication-template 1
  bind authorization-template 1
  bind accounting-template 1
  alias dmPPPoE
 $
 sal 1
  default domain dmPPPoE
  permit domain dmVPDN
  permit domain dmPPPoE
  none domain dmVPDN keep
 $
!
The VBUI is bound to the Domain with the access-domain command under the vbui interface:
vbui-configuration
 interface vbui1
  ip-pool pool-name pl1-pppoe pool-id 1
  access-domain dmPPPoE
  ...
The Domain is bound to the VCC by binding the circuit to the sal in the vcc configuration:
vcc-configuration
 interface gei-0/1/0/10.1
  encapsulation ppp-over-ethernet
  pppox template 1
  bind sal 1
 $
Note: for M6000 V1.00.30 the binding relationship is Domain <----> VBUI <----> VCC, so the binding configuration between the modules differs considerably between the two versions.
6.4.1. PPPoE broadband dial-up service
Service requirements:
Users dial in over PPPoE with RADIUS authentication, and QinQ is terminated on the BRAS.
Prerequisites for the service configuration:
1. The network is up and reachable
2. Section 3.3.4, RADIUS basic data configuration, has been completed
3. Section 3.3.5, AAA global authentication, authorization and accounting basic configuration, has been completed
Configuration approach (the six steps are summarised at the end of this section):
The detailed configuration is as follows:
subscriber-manage                          // enter subscriber management mode
 pppox-cfg 1                               // create the PPPoX template
  ppp keepalive timer 60 count 3           // PPP session keepalive parameters
 $
 authentication-template 1                 // create the user authentication, authorization and accounting templates
  bind aaa-authen-template 1
 $
 authorization-template 1
  bind aaa-author-template 1
  // Enable PPPoE user page push; the URL to push is delivered by RADIUS
  ppp url-mode portal
  // Inherit the priority from the 802.1p bits of the user's QinQ outer VLAN; it is carried into the corresponding marking (EXP, IPP and so on) of the uplink egress encapsulation
  user-priority-input inherit-from out-8021p
 $
 accounting-template 1
  bind aaa-accounting-template 1
 $
 domain 1                                  // create the user domain
  bind authentication-template 1
  bind authorization-template 1
  bind accounting-template 1
Configuration steps:
1. Create the PPPoX template pppox-cfg 1;
2. Create the user AAA authentication, authorization and accounting templates;
3. Create the user domain domain 1;
4. Create the domain binding handle sal 1;
5. Create the user Layer 3 logical interface vbui1 and its address pool;
6. Configure the user access circuit, including the sub-interface, QinQ encapsulation and access encapsulation type, and bind it to vbui1 and the PPPoX template.
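Because the V1.00.60 chain VBUI <----> Domain <----> VCC is held together only by names and numbers (template numbers bound into the domain, the domain alias named by the sal and by access-domain, the sal and pppox template numbers bound on the circuit), a typo in any of them silently breaks the binding. The script below is an added example, not code from the guide or from ZTE: it walks the subscriber-manage, vbui-configuration and vcc-configuration blocks in the layout shown above and reports dangling references. The sample configuration is constructed from the fragments on this page with two deliberate faults; the section keywords are taken from the page, and the `$`/`!` block structure is assumed to be as shown.

```python
"""Reference-integrity check for the V1.00.60 binding chain VBUI <-> Domain <-> VCC.

Added example, not code from the guide or from ZTE. It reports a domain
binding a template that is not defined, a sal or vbui naming a domain alias
that does not exist, and a circuit binding a sal or pppox template that does
not exist. Section keywords come from the page; the rest is assumed.
"""
import re

# Constructed sample built from the fragments above, with two deliberate
# faults: sal 1 permits domain dmVPDN, which has no domain alias here, and
# the circuit binds sal 2, which is never created.
SAMPLE = """\
subscriber-manage
 pppox-cfg 1
  ppp keepalive timer 60 count 3
 $
 authentication-template 1
  bind aaa-authen-template 1
 $
 authorization-template 1
  bind aaa-author-template 1
 $
 accounting-template 1
  bind aaa-accounting-template 1
 $
 domain 1
  bind authentication-template 1
  bind authorization-template 1
  bind accounting-template 1
  alias dmPPPoE
 $
 sal 1
  default domain dmPPPoE
  permit domain dmVPDN
 $
!
vbui-configuration
 interface vbui1
  ip-pool pool-name pl1-pppoe pool-id 1
  access-domain dmPPPoE
 $
!
vcc-configuration
 interface gei-0/1/0/10.1
  encapsulation ppp-over-ethernet
  pppox template 1
  bind sal 2
 $
!
"""

SECTION_RE = re.compile(r"^(pppox-cfg|authentication-template|authorization-template|"
                        r"accounting-template|domain|sal|interface)\s+(\S+)$")


def parse_blocks(text):
    """Return [(mode, kind, name, [body lines])] for every '$'-terminated block."""
    blocks, mode, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            mode = None
        elif line == "$":
            current = None
        elif current is not None:
            current[3].append(line)
        elif mode is None:
            mode = line                  # subscriber-manage, vbui-configuration, vcc-configuration
        else:
            m = SECTION_RE.match(line)
            if m:
                current = (mode, m.group(1), m.group(2), [])
                blocks.append(current)
    return blocks


def check_bindings(text):
    """Return a list of dangling-reference findings (empty = the chain is consistent)."""
    blocks = parse_blocks(text)
    defined = {(kind, name) for _m, kind, name, _b in blocks}
    aliases = {l.split()[1] for _m, kind, _n, body in blocks if kind == "domain"
               for l in body if l.startswith("alias ")}
    findings = []
    for mode, kind, name, body in blocks:
        for l in body:
            t = l.split()
            if kind == "domain" and t[0] == "bind" and (t[1], t[2]) not in defined:
                findings.append(f"domain {name}: {t[1]} {t[2]} is not defined")
            elif kind == "sal" and t[0] in ("default", "permit") and t[1] == "domain" \
                    and t[2] not in aliases:
                findings.append(f"sal {name}: domain alias {t[2]} does not exist")
            elif mode == "vbui-configuration" and t[0] == "access-domain" and t[1] not in aliases:
                findings.append(f"{name}: access-domain {t[1]} does not exist")
            elif mode == "vcc-configuration" and t[:2] == ["bind", "sal"] \
                    and ("sal", t[2]) not in defined:
                findings.append(f"{name}: sal {t[2]} is not defined")
            elif mode == "vcc-configuration" and t[:2] == ["pppox", "template"] \
                    and ("pppox-cfg", t[2]) not in defined:
                findings.append(f"{name}: pppox-cfg {t[2]} is not defined")
    return findings
```

On the sample, `check_bindings(SAMPLE)` reports the unknown alias dmVPDN in sal 1 and the undefined sal 2 on gei-0/1/0/10.1, and returns an empty list once both are corrected. The check is specific to the V1.00.60 layout; on V1.00.30 the chain is Domain <----> VBUI <----> VCC and the references to follow are different.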