
...

security zone trusted
exit
security zone untrusted
exit
security zone users
exit


bridge 10
  description "users"
  security-zone users
  ip firewall disable
  ip address 192.168.132.1/22
  ip helper-address 100.123.0.2
  protected-ports local
  enable
exit

interface gigabitethernet 1/0/1.3500
  description "UpLink"
  security-zone untrusted
  ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
  description "mgmt"
  security-zone trusted
  ip firewall disable
  ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
  bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
  bridge-group 10
exit

ip dhcp-relay

ip route 0.0.0.0/0 172.31.240.1

ip telnet server
ip ssh server

...

object-group network bras_users
  ip address-range 192.168.132.2-192.168.135.254
exit

bridge 10
  description "users"
  security-zone users
  ip firewall disable
  ip address 192.168.132.1/22
  ip helper-address 100.123.0.2
  service-subscriber-control object-group bras_users
  location data10
  protected-ports local
  enable
exit


Примечание

Обратим внимание на настройку "service-subscriber-control object-group bras_users" — мы указали, что авторизацию будут проходить только пользователи, имеющие адреса из диапазона, заданного в группе bras_users. Это необходимо для того, чтобы обеспечить беспрепятственное прохождение трафика с адреса bridge 10 и широковещательного трафика подсети. Вместо неё можно использовать настройку "service-subscriber-control any", которая заблокирует прохождение любого трафика до прохождения авторизации.

...

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dns
  port-range 53
exit
object-group service redirect
  port-range 3128-3131
exit

object-group network users
  ip prefix 192.168.132.0/22
exit
object-group network SoftWLC
  ip address-range 100.123.0.2
exit
object-group network bras_users
  ip address-range 192.168.132.2-192.168.135.254
exit

radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text testing123
  timeout 11
  priority 20
  source-address 100.123.0.176
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

security zone trusted
exit
security zone untrusted
exit
security zone users
exit

ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
    enable
  exit
exit

ip access-list extended INTERNET
  rule 1
    action permit
    enable
  exit
exit

ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit

subscriber-control filters-server-url http://100.123.0.2:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  nas-ip-address 100.123.0.176
  session mac-authentication
  bypass-traffic-acl unauthUSER
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://100.123.0.2:8080/eltex_portal/
  exit
  enable
exit

snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro

snmp-server host 100.123.0.2
  source-address 100.123.0.176
exit

bridge 10
  description "users"
  security-zone users
  ip address 192.168.132.1/22
  ip helper-address 100.123.0.2
  service-subscriber-control object-group bras_users
  location data10
  protected-ports local
  enable
exit

interface gigabitethernet 1/0/1.3500
  description "UpLink"
  security-zone untrusted
  ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
  description "mgmt"
  security-zone trusted
  ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
  bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
  bridge-group 10
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted users
  rule 1
    action permit
    enable
  exit
exit
security zone-pair users self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
exit
security zone-pair users trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit

nat source
  pool nat_addr
    ip address-range 172.31.240.3
  exit
  ruleset nat_source
    to zone untrusted
    rule 1
      match source-address users
      action source-nat pool nat_addr
      enable
    exit
  exit
exit

ip dhcp-relay

ip route 0.0.0.0/0 172.31.240.1

ip telnet server
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.123.0.2
exit

...