NAT configuration on the ZTE M6000
1. Create the vbui interface for the private address range
interface vbui101
description nat-pppoe-pool
ip address 100.64.0.1 255.255.0.0
2. Create an ACL whose source is the NAT private address range
ipv4-access-list nat
rule 1 permit 100.64.0.0 0.0.255.255
3. Configure CGN
cgn
advanced-nat-service // enables the application-layer gateways (ALGs); almost every NAT deployment needs them
advanced-nat-service enable
dns-alg enable
ftp-alg enable
icmp-alg enable
pptp-alg enable
$
cgn-pool nat-pppoe-1 poolid 1
pool-type port-range 4096 allowed-range 4096 65535 // defines the port range
section 1 x.y.20.1 x.y.21.254 // the public address pool is defined here
section 2 x.y.22.1 x.y.23.254
section 3 x.y.56.1 x.y.57.254
section 4 x.y.58.1 x.y.59.254
$
domain 1001 type brasipv4-issued // creates a NAT domain
dynamicsource rule-id 1 ipv4-list nat permit pool nat-pppoe-1 // associates the private address list with a public pool; here the private ACL nat is tied to nat-pppoe-1
$
4. Configure the authorization template
First configure an aaa-authorization-template
aaa-authorization-template 101
aaa-authorization-type mix-radius // set to mix-radius; presumably this means both none and radius are accepted
subscriber-manage
authorization-template 101
bind aaa-author-template 101 // binds the template created above
bind nat-domain 1001 // binds the NAT domain created under cgn earlier
nat-type inside // specifies the NAT type; it must be set to inside
user-priority-input 0
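l2tp tunnel-client-endpoint ip x.y.174.3 // change this to match the loopback address of the BAS
// The authorization template can also rate-limit users manually. Ordinary dial-up users usually do not need this because RADIUS sets their rate limit; only users who connect via DHCP are rate-limited manually.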
sub-car-input ipv4 cir 10240 cbs 512
sub-car-output ipv4 cir 10240 cbs 512
5. Create the domain
subscriber-manage
domain 101
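bind authentication-template 101 // authentication and accounting are the same as for an ordinary domain
bind authorization-template 101 // the key point: authorization must bind the authorization template created earlier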
bind accounting-template 101
alias nat-pppoe
alias NAT-PPPOE
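6. Create the address pools on the vbui interface
This is the same as an ordinary address pool, except that portrange-poolid must be specified, i.e. the pool we created under cgn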
vbui-configuration
interface vbui101
ip-pool pool-name nat-pppoe-pool-1 pool-id 5
access-domain nat-pppoe
access-domain NAT-PPPOE
pppoe-dns-server 202.103.225.68
pppoe-dns-server 202.103.224.68 second
portrange-poolid 1 // note: this must point to the pool created under cgn earlier
member 1
start-ip 100.64.0.2 end-ip 100.64.15.255
$
member 2
start-ip 100.64.16.0 end-ip 100.64.31.255
$
member 3
start-ip 100.64.32.0 end-ip 100.64.47.255
$
member 4
start-ip 100.64.48.0 end-ip 100.64.63.255
$
$
ip-pool pool-name nat-pppoe-pool-2 pool-id 39
access-domain nat-pppoe
access-domain NAT-PPPOE
pppoe-dns-server 202.103.225.68
pppoe-dns-server 202.103.224.68 second
portrange-poolid 1 // note: this must point to the pool created under cgn earlier
member 1
start-ip 100.64.64.0 end-ip 100.64.79.255
$
member 2
start-ip 100.64.80.0 end-ip 100.64.95.255
$
member 3
start-ip 100.64.96.0 end-ip 100.64.111.255
$
member 4
start-ip 100.64.112.0 end-ip 100.64.127.255
$
$
$
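A capacity check for the M6000 pools above, added here as an illustration and not part of the original configuration. It assumes every subscriber address consumes one 4096-port block on a public address, and it substitutes the constructed prefix 203.0 for the masked x.y.

```python
import ipaddress

PORT_BLOCK = 4096        # ports per subscriber block (pool-type port-range 4096)
ALLOWED = (4096, 65535)  # allowed-range 4096 65535
XY = "203.0"             # constructed stand-in for the page's masked "x.y"

# Public sections of cgn-pool nat-pppoe-1 (third.fourth octets from the page).
PUBLIC = [("20.1", "21.254"), ("22.1", "23.254"),
          ("56.1", "57.254"), ("58.1", "59.254")]

# Private members of nat-pppoe-pool-1 and nat-pppoe-pool-2 on vbui101.
PRIVATE = [("100.64.0.2", "100.64.15.255"), ("100.64.16.0", "100.64.31.255"),
           ("100.64.32.0", "100.64.47.255"), ("100.64.48.0", "100.64.63.255"),
           ("100.64.64.0", "100.64.79.255"), ("100.64.80.0", "100.64.95.255"),
           ("100.64.96.0", "100.64.111.255"), ("100.64.112.0", "100.64.127.255")]


def span(start, end):
    """Number of addresses in an inclusive start..end range."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} is below start {start}")
    return int(last) - int(first) + 1


def blocks_per_address():
    """Whole port blocks that fit into the allowed range of one public IP."""
    return (ALLOWED[1] - ALLOWED[0] + 1) // PORT_BLOCK


def public_capacity():
    """Subscribers the public pool can serve at one block each (assumption)."""
    addrs = sum(span(f"{XY}.{s}", f"{XY}.{e}") for s, e in PUBLIC)
    return addrs * blocks_per_address()


def private_addresses():
    """Total subscriber addresses across all private pool members."""
    return sum(span(s, e) for s, e in PRIVATE)


def shortfall():
    """Private addresses that cannot get a block if every one is online."""
    return max(0, private_addresses() - public_capacity())


if __name__ == "__main__":
    print("blocks per public IP:", blocks_per_address())
    print("public capacity:", public_capacity())
    print("private addresses:", private_addresses())
    print("shortfall at full load:", shortfall())
```

Under the one-block-per-subscriber assumption, the private pools are slightly larger than what the public sections can serve, so the check is worth rerunning whenever a member or section is added.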
The ZTE M6000-16X is different again
1. Create the vbui interface for the private address range
interface vbui2
description nat-pppoe-pool
ip address 100.64.0.1 255.255.0.0
2. Create an ACL whose source is the NAT private address range
ipv4-access-list nat
rule 1 permit 100.64.0.0 0.0.255.255
3. Configure CGN
cgn nat 1
location // unlike the M6000 above, the CGN service cards must be specified here
node 1 SPU-0/7/1
node 2 SPU-0/7/2
node 3 SPU-0/7/3
node 4 SPU-0/7/4
node 5 SPU-0/10/1
node 6 SPU-0/10/2
node 7 SPU-0/10/3
node 8 SPU-0/10/4
$
advanced-service
enable
alg ftp enable icmp enable dns enable pptp enable
$
cgn-pool nat-pppoe-1 poolid 1 mode pat // the mode must be set to pat here
port-range enable 4096
port-allowed-range 4096 65535
section 1 x.y.4.1 x.y.7.254
section 2 x.y.72.1 x.y.75.254
section 3 x.y.110.1 x.y.111.254
$
domain nat-pppoe 1 type brasipv4-issued // this also differs from before: the M6000 has a NAT domain, but the 16X does not, only an ordinary domain
dynamicsource rule-id 1 ipv4-list nat permit pool nat-pppoe-1
$
$
4. Configure the authorization template
Compared with before, this is much simpler
subscriber-manage
authorization-template 101
authorization-type mix-radius
bind nat-domain-name nat-pppoe // the domain is bound directly here; previously a nat-domain had to be bound
nat-type inside // specifies the NAT type; it must be set to inside
user-priority-input 0
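l2tp tunnel-client-endpoint ip x.y.174.142 // change this to match the loopback address of the BAS
// The authorization template can also rate-limit users manually. Ordinary dial-up users usually do not need this because RADIUS sets their rate limit; only users who connect via DHCP are rate-limited manually.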
sub-car-input ipv4 cir 10240 cbs 512
sub-car-output ipv4 cir 10240 cbs 512
5. Create the domain
subscriber-manage
domain nat-pppoe
bind accounting-template 1
bind authentication-template 1
bind authorization-template 101
6. Create the address pools on the vbui interface
interface vbui2
ip-pool pool-name nat-pppoe-pool-1 pool-id 2
access-domain nat-pppoe
access-domain NAT-PPPOE
access-domain dhcp
pppoe-dns-server 202.103.224.68
pppoe-dns-server 202.103.225.68 second
portrange-poolname nat-pppoe-1 // note: this must point to the pool created under cgn earlier; the 16X takes the pool name, whereas the M6000 takes the pool ID
member 1
start-ip 100.64.0.2 end-ip 100.64.15.255
$
member 2
start-ip 100.64.16.0 end-ip 100.64.31.255
$
member 3
start-ip 100.64.32.0 end-ip 100.64.47.255
$
member 4
start-ip 100.64.48.0 end-ip 100.64.63.255
$
member 5
start-ip 100.64.64.0 end-ip 100.64.79.255
$
member 6
start-ip 100.64.80.0 end-ip 100.64.95.254
$
member 7
start-ip 100.64.96.0 end-ip 100.64.111.254
$
$
ip-pool pool-name nat-pppoe-pool-2 pool-id 4
access-domain nat-pppoe
access-domain NAT-PPPOE
pppoe-dns-server 202.103.224.68
pppoe-dns-server 202.103.225.68 second
portrange-poolname nat-pppoe-1
member 1
start-ip 100.64.112.0 end-ip 100.64.127.254
$
member 2
start-ip 100.64.128.0 end-ip 100.64.143.254
$
member 3
start-ip 100.64.144.0 end-ip 100.64.159.254
$
$
$