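Network topology:
Networking requirements:
FWA acts as the PPPoE client and FWB as the PPPoE server. FWA obtains its IP address from FWB over PPPoE so that PC1 and PC2 can reach each other. The PPPoE server authenticates the PPPoE client using PAP, with username usera and password Password1. The IP address that FWB assigns to FWA is 10.2.0.2.
Procedure
I. Configure FWB (Server)
1. Configure the interface IP address and add the interfaces to the corresponding security zones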
<USG6000V1>system-view
[USG6000V1]sysname FWB
[FWB]interface GigabitEthernet 1/0/3
[FWB-GigabitEthernet1/0/3]ip address 10.4.0.1 24
[FWB-GigabitEthernet1/0/3]quit
[FWB]firewall zone untrust
[FWB-zone-untrust]add interface GigabitEthernet 1/0/1
[FWB-zone-untrust]quit
[FWB]firewall zone trust
[FWB-zone-trust]add interface GigabitEthernet 1/0/3
[FWB-zone-trust]quit
2. Add the PPPoE user
[FWB]user-manage user usera
[FWB-localuser-usera]password Password1
[FWB-localuser-usera]quit
3. Configure the address pool
[FWB]ip pool global1
[FWB-ip-pool-global1]section 1 10.2.0.2
[FWB-ip-pool-global1]quit
4. Configure a service scheme that references the address pool
[FWB]aaa
[FWB-aaa]service-scheme scheme1
[FWB-aaa-service-scheme1]ip-pool global1
[FWB-aaa-service-scheme1]quit
5. Configure the VT interface
[FWB]interface Virtual-Template 1
[FWB-Virtual-Template1]ppp authentication-mode pap
The command is used to configure the PPP authentication mode on the local end. Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/N]:y
[FWB-Virtual-Template1]ip address 10.2.0.1 24
[FWB-Virtual-Template1]remote service-scheme scheme1
[FWB-Virtual-Template1]quit
[FWB]firewall zone untrust
[FWB-zone-untrust]add interface Virtual-Template 1
[FWB-zone-untrust]quit
6. Bind the VT interface to the physical interface
[FWB]interface GigabitEthernet 1/0/1
[FWB-GigabitEthernet1/0/1]pppoe-server bind virtual-template 1
[FWB-GigabitEthernet1/0/1]quit
7. Configure the security policy
[FWB]security-policy
[FWB-policy-security]rule name policy1
[FWB-policy-security-rule-policy1]source-zone trust
[FWB-policy-security-rule-policy1]source-address 10.4.0.0 24
[FWB-policy-security-rule-policy1]destination-zone untrust
[FWB-policy-security-rule-policy1]destination-address 10.3.0.0 24
[FWB-policy-security-rule-policy1]action permit
[FWB-policy-security-rule-policy1]quit
[FWB-policy-security]rule name policy2
[FWB-policy-security-rule-policy2]source-zone untrust
[FWB-policy-security-rule-policy2]source-address 10.3.0.0 24
[FWB-policy-security-rule-policy2]destination-zone trust
[FWB-policy-security-rule-policy2]destination-address 10.4.0.0 24
[FWB-policy-security-rule-policy2]action permit
[FWB-policy-security-rule-policy2]quit
8. Configure the route
[FWB]ip route-static 10.3.0.0 24 Virtual-Template 1 10.2.0.2
II. Configure FWA (Client)
1. Configure the interface IP address and add the interfaces to the corresponding security zones
<USG6000V1>system-view
[USG6000V1]sysname FWA
[FWA]interface GigabitEthernet 1/0/3
[FWA-GigabitEthernet1/0/3]ip address 10.3.0.1 24
[FWA-GigabitEthernet1/0/3]quit
[FWA]firewall zone trust
[FWA-zone-trust]add interface GigabitEthernet 1/0/3
[FWA-zone-trust]quit
[FWA]firewall zone untrust
[FWA-zone-untrust]add interface GigabitEthernet 1/0/1
[FWA-zone-untrust]quit
2. Configure PPPoE dial-up
[FWA]dialer-rule 1 ip permit
[FWA]interface Dialer 1
[FWA-Dialer1]dialer user usera
[FWA-Dialer1]dialer-group 1
[FWA-Dialer1]dialer bundle 1
[FWA-Dialer1]ip address ppp-negotiate
[FWA-Dialer1]ppp pap local-user usera password cipher Password1
[FWA-Dialer1]quit
[FWA]firewall zone untrust
[FWA-zone-untrust]add interface Dialer 1
[FWA-zone-untrust]quit
3. Configure the PPPoE session
[FWA]interface GigabitEthernet 1/0/1
[FWA-GigabitEthernet1/0/1]pppoe-client dial-bundle-number 1 ipv4
[FWA-GigabitEthernet1/0/1]quit
4. Configure the security policy
[FWA]security-policy
[FWA-policy-security]rule name policy1
[FWA-policy-security-rule-policy1]source-zone trust
[FWA-policy-security-rule-policy1]source-address 10.3.0.0 24
[FWA-policy-security-rule-policy1]destination-zone untrust
[FWA-policy-security-rule-policy1]destination-address 10.4.0.0 24
[FWA-policy-security-rule-policy1]action permit
[FWA-policy-security-rule-policy1]quit
[FWA-policy-security]rule name policy2
[FWA-policy-security-rule-policy2]source-zone untrust
[FWA-policy-security-rule-policy2]source-address 10.4.0.0 24
[FWA-policy-security-rule-policy2]destination-zone trust
[FWA-policy-security-rule-policy2]destination-address 10.3.0.0 24
[FWA-policy-security-rule-policy2]action permit
[FWA-policy-security-rule-policy2]quit
5. Configure the route
[FWA]ip route-static 10.4.0.0 24 Dialer 1
III. Verification
1. Check the PPPoE client side
[FWA]display pppoe-client session summary dial-bundle-number 1
PPPoE Client Session:
ID   Bundle  Dialer  Intf      Client-MAC    Server-MAC    State
1    1       1       GE1/0/1   00e0fc202870  00e0fc7f34a0  PPPUP
2. Check the PPPoE server side
[FWB]display pppoe-server session all
SID  Intf                 State  OIntf    RemMAC          LocMAC
1    Virtual-Template1:0  UP     GE1/0/1  00e0.fc20.2870  00e0.fc7f.34a0
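
FWB authenticates FWA with PAP (ppp authentication-mode pap on Virtual-Template 1, ppp pap local-user on Dialer 1), and a PAP Authenticate-Request carries the username and password unencrypted inside the PPPoE session frame on the GE1/0/1 link. The following Python code is an added example, not part of the original configuration: it builds a constructed frame from this page's MAC addresses, session ID and credentials and flags it the way a capture check for PAP-authenticated links would; the function names and the PAP identifier value are assumptions.

```python
import struct

ETH_PPPOE_SESSION = 0x8864  # EtherType of PPPoE session-stage frames (RFC 2516)
PPP_PAP = 0xC023            # PPP protocol number of PAP (RFC 1334)
PAP_AUTH_REQUEST = 1        # PAP code: Authenticate-Request


def build_pap_request(src_mac, dst_mac, session_id, ident, user, password):
    """Build a constructed PPPoE session frame carrying a PAP Authenticate-Request."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    pap = struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body
    ppp = struct.pack("!H", PPP_PAP) + pap
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return dst_mac + src_mac + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe


def find_pap_request(frame):
    """Return a report if frame is a PAP Authenticate-Request over PPPoE, else None."""
    if len(frame) < 26:  # Ethernet 14 + PPPoE 6 + PPP protocol 2 + PAP header 4
        return None
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != ETH_PPPOE_SESSION or ver_type != 0x11 or code != 0x00:
        return None
    ppp = frame[20:20 + length]  # the PPPoE length field excludes Ethernet padding
    if len(ppp) < 6 or struct.unpack("!H", ppp[:2])[0] != PPP_PAP:
        return None
    pap_code, _ident, pap_len = struct.unpack("!BBH", ppp[2:6])
    fields = ppp[6:2 + pap_len]
    if pap_code != PAP_AUTH_REQUEST or len(fields) < 2:
        return None
    ulen = fields[0]
    plen = fields[1 + ulen] if len(fields) >= ulen + 2 else None
    if plen is None or len(fields) < 2 + ulen + plen:
        return None
    # The password bytes follow the length octet as-is: PAP applies no hashing
    # or encryption, so only the length is reported here.
    return {"session_id": session_id, "client_mac": frame[6:12].hex(),
            "peer_id": fields[1:1 + ulen].decode("ascii", "replace"),
            "password_len": plen}


# Constructed sample: MACs, session ID and credentials taken from this page;
# the PAP identifier 1 is an assumed value.
FWA_MAC = bytes.fromhex("00e0fc202870")
FWB_MAC = bytes.fromhex("00e0fc7f34a0")
SAMPLE = build_pap_request(FWA_MAC, FWB_MAC, 1, 1, b"usera", b"Password1")

if __name__ == "__main__":
    print(find_pap_request(SAMPLE), "| password visible:", b"Password1" in SAMPLE)
```

A hit from this check on a production link is a reason to move both ends to CHAP, which sends a challenge response instead of the password itself.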