讲义教程说明basic implementation process for gpns

BasicImplementationProcessForGPNS 二GPNS标 三GPNS实 系统设 申请 配置漫游域管 BUI链路管理 通用配 SYSLOG配 SNMP配 AAA配 802.1X配 配置案 RADIUS配 SNMP配 7.1验 AAA配 角色配 SNMP配 GPNS；即万豪全球网络资产标准；与传统HSIA最大的不同点，就是在GPNS项目中，几实现这能，则需要在接入交换机上开启802.1x认证和mac认证，并与SLIM通信，通过在GPNS中，办公网设备均接入Juniper进行数据的过滤和转发，而客房网则仍使用网关GPNSVLANVLANPC349VLAN：vlan vlan APvlan vlan vlan Micros服务器（餐饮服务器vlan PC和笔记本有线vlan 办公网、考勤vlan PC无线vlan PDAvlan VOIPvlan vlan vlan vlan vlan 、网监系vlan vlan vlan vlan vlan guest-vlanvlan vlan1050--vlan IP备进行和域；所以在万豪网中每一个万豪酒店中办公设备的IP地址具有唯一性；基于这一/22，株洲美的万豪酒店的IP地址：/22；还需要注意的是，GPNS项目Juniper中配置基于源地址的PBR。GPNS中，每个网络设备名都有严格的标准“Marsha_Code”+“Device_Code”+“Device_Sequence_Number”+“-”+“Floor_Number”+“-”+GPNS15A表。GPNSGPNSGPNS415GPNSfeature拿到几个资料：1IP地址段；2、如果酒店相关服务器已经安装上架，那么可以问酒；3信息表；4LOGO；5、酒店详细地址，方便制作认证页面；IPSCHEMETEMTE-22.xls；2《公网地址预分配表.xlsx；3《switchnameandipadd.xlsx4《MarriottHoImplementInfo.xlsx；5《_GPNS_Guest_交换机端口对应表.xlsx》3、互联网进入酒店；4、万豪路由器到达现场并成功和万豪总部建立连接HIBOSSLIMSLIMSLIMHIBOSSLIMSLIM基础配置包括系统参数设置，添加管理员账号，添加登录设备账号等操作；这些操作均是SLIM系统管理>IDCASELicensemichael.抄送人：san.h邮件：酒店名称SLIMLicense申请License（请根据合同信息填写ETH0系统管理>添加管理员账号后进行设备登陆账号添加，用于管理设备；审计>设备登陆账号管理基础配置进行完之后；接下来进行安全准入的配置;安全准入是指将办公网终端设备到办公网VLAN使用，客人终端设备到客房VLAN使用的认证过程;首先进行认证策略管理；端口认端口认证>漫游域管理VLAN范围端口认证>VLAN范围添加认证PCPC；添加证MC（认证MAC针对酒店办公网非802.1x认证终端，如、POS机等等端口认证>MAC（网络配置>BUI网络配置>BUI配置本文档中Juniper使用的型号为SRX220H；固件版本为12.1X44-首先对Juniper进行设备命名，如酒店Marsha_Code为CSXZH，安装在4楼机setsystemhost-nameCSXZHFW01-04-配置以及时setsystem-setsystemtime-zoneroot的setsystemroot-authenticationin-text-setsystemauthentication-orderradiussetsystemauthentication-orderDNSsetsystemname-server7setsystemname-serverradius-server地址，radiusSLIMCSXZH@GPNS1812setsystemradius-server50portsetsystemradius-server50accounting-portsetsystemradius-server50secretsetsystemradius-server50source-address29setsystemradius-optionsattributesnas-ip-address29setsystemloginuseramttwuidsetsystemloginuseramttwclasssuper-setsystemloginuseramttwauthenticationencrypted-passwordamttwitesetsystemloginuserread-onlyuid2000setsystemloginuserread-onlyclassread-onlysetsystemloginusersuper-useruid2002setsystemloginusersuper-userclasssuper-配置系统登陆协议，只允许ssh和https对进行登陆，并且只允许从1口、2口和websetsystemservicessetsystemservicesxnm-clear-setsystemservicesweb-managementhttpsportsetsystemservicesweb-managementhttpssystem-generated-setsystemservicesweb-managementhttpsinterfacege-0/0/1.0setsystemservicesweb-managementhttpsinterfacege-0/0/2.0setsystemservicesweb-managementhttpsinterfacevlan.300DHCPvlan300vlan450DHCPIPsetsystemservicesdhcppool/25address-rangelowsetsystemservicesdhcppool/25address-rangehigh26setsystemservicesdhcppool/25um-lease-time1800setsystemservicesdhcppool/25name-server40setsystemservicesdhcppool/25name-server7setsystemservicesdhcppool/25name-serversetsystemservicesdhcppool/25wins-server40setsystemservicesdhcppool/25wins-server42setsystemservicesdhcppool/25wins-server8setsystemservicesdhcppool/25routersetsystemservicesdhcppool92/27address-rangelow96setsystemservicesdhcppool92/27address-rangehigh22setsystemservicesdhcppool92/27um-lease-time1800setsystemservicesdhcppool92/27name-server40setsystemservicesdhcppool92/27name-server7setsystemservicesdhcppool92/27name-serversetsystemservicesdhcppool92/27wins-server40setsystemservicesdhcppool92/27wins-server42setsystemservicesdhcppool92/27wins-server8setsystemservicesdhcppool92/27router93配置syslog，配置以后可以将产生的系统日志消息，网络等日志到外部服（50（4setsystemsyslogarchivesize100ksetsystemsyslogarchivefiles3setsystemsysloguser*anysetsystemsysloghost50authorizationinfosetsystemsysloghost50daemoninfosetsystemsysloghost50securityinfosetsystemsysloghost50userinfosetsystemsysloghost50 mandsinfosetsystemsysloghost3authorizationinfosetsystemsysloghost3daemoninfosetsystemsysloghost3userinfosetsystemsysloghost3 mandsinfosetsystemsysloghost4authorizationinfosetsystemsysloghost4daemoninfosetsystemsysloghost4userinfosetsystemsysloghost4 mandsinfosetsystemsyslogfilemessagesanycriticalsetsystemsyslogfilemessagesauthorizationsetsystemsyslog mands配置允许存在的最大配置条目和IOS数，为50setsystemmax-configurations-on-flash49setsystemmax-configuration-rollbacks49SNMP配置setsnmpviewjweb-view-alloid.1setsnmpcommunityFZQ6cmROauthorizationread-onlysetsnmpcommunityPD6TE9RWviewjweb-view-allsetsnmpcommunityPD6TE9RWauthorizationread-writesetsnmpcommunityCSXZH3amttauthorizationread-onlysetsnmpcommunityCSXZH4amttviewjweb-view-allsetsnmpcommunityCSXZH4amttauthorizationread-writesetsnmptrap-groupGPNScategoriesauthenticationsetsnmptrap-groupGPNScategorieschassissetsnmptrap-groupGPNScategorieslinksetsnmptrap-groupGPNScategoriesremote-operationssetsnmptrap-groupGPNScategoriesstartupsetsnmptrap-groupGPNScategoriesrmon-alarmsetsnmptrap-groupGPNScategoriesconfigurationsetsnmptrap-groupGPNStargets50setsnmptrap-groupmarrk1categoriesauthenticationsetsnmptrap-groupmarrk1categorieschassissetsnmptrap-groupmarrk1categoriessetsnmptrap-groupmarrk1categoriesremote-operationssetsnmptrap-groupmarrk1categoriesstartupsetsnmptrap-groupmarrk1categoriesrmon-alarmsetsnmptrap-groupmarrk1categoriesconfigurationsetsnmptrap-groupmarrk1targets30setsnmptrap-groupmarrk1targets6以上配置均为通用配置，除了IP地址，每个万豪酒店配置几乎一样；当然，只有以上SYSLOGSYSLOG的目的是把交换机产生的系统日志发送到指定的服务器（SLIM服务器、MI服务；logginglogging34loggingfacilitysyslogSNMP配置SNMP团体名实现SLIM和HIBOS能够到交换机相应信息的功能另外要注意的是；万豪的MAARK1也需要交换机的相应信息，所以需要添加两组团体名snmp-servercommunity"CSXZH4GPNS"operatorunrestrictedsnmp-servercommunity"CSXZH3GPNS"operatorsnmp-servercommunity"FZQ6cmRO"snmp-servercommunity"PD6TE9RW"operatorsnmp-serverhost50communitysnmp-serverhost6community"FZQ6cmRO"trap-levelcriticalsnmp-servertrap-source52snmp-servercontact"AMTTSupportCenter v2.9"location"locatedat4FloorIDF,FromtoptobottomThe01."AAARadiusServerSLIMIP50GPNS@2015radius-serverhost50key"GPNS@2015"登陆验证；这里定义了net、web、ssh三种登陆方式；aaaauthenticationloginprivilege-aaaauthenticationnetloginradiuslocalaaaauthenticationnetenableradiuslocalaaaauthenticationwebloginradiuslocalaaaauthenticationwebenableradiuslocalaaaauthenticationsshloginradiuslocalaaaauthenticationsshenableradiusSLIM进行审计aaaaccountingcommandsinterim-updateradiusaaaaccountingexecstart-stopradiusaaaaccountingnetworkstart-stopradiusaaaaccountingsystemstart-stopradius802.1XSLiMVLAN，交换机必须开启802.1X认证，在配置802.1X时需要注意以下几点：SLiMVLANVLAN交换机互联的端口不要开启802.1XRADIUSEAP（ExtendAuthenticationProtocol）1-10802.1X802.1XMAC地址进行认802.1X802.1x的端口接入不支持802.1x认证的主机（如）时不发起Mac认证请求。aaaauthenticationport-accesseap-radiusaaaport-accessauthenticator1-20aaaport-accessauthenticator1-20-limit32aaaport-accessmac-based1-20aaaport-accessmac-based1-20addr-limit32aaaport-accessauthenticatoractiveaaaport-accessmac-based1unauth-vid SLIMDown的时候，1vlanCSXZHSW01-13#CSXZHSW01-13#shrunning-configRunningconfiguration:;J9776AConfigurationEditor;Createdonreleasehostname"CSXZHSW01-bannermotd"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!Thissystem,whichincludesthedatastoredherein,is \n!!proprietaryandtoMarriottInternational,Inc.!! \n!!(Marriott).ThissystemisforMarriottauthorizednel!! \n!!only.Unauthorizedaccessisprohibitedandwill \n!!prosecutedtothefullextentofapplicable logginglogging34loggingfacilitysyslogradius-serverhost50key"GPNS@2015"timesyncsntpsntpsntpserverpriority1timetimezoneipdefault-gatewayinterfacename"Room1501"interfacename"Room1503"interfacename"Room1505"interfacename"Room1506"interfacename"Room1507"interfacename"Room1508"interfacename"Room1509"interfacename"Room1510"interfacename"Room1511"interfacename"Room1512"interfacename"Room1515"interfacename"Room1517"interfacename"Room1519"interfacename"Room1521"interfacename"Room1522"interfacename"Room1523"interfacenameinterfacename"Room1526"interfacename"Room1527"interfacename"Room1528"snmp-servercommunity"CSXZH4GPNS"operatorunrestrictedsnmp-servercommunity"CSXZH3GPNS"operatorsnmp-servercommunity"FZQ6cmRO"snmp-servercommunity"PD6TE9RW"operatorunrestrictedsnmp-serverhost50community"CSXZH3GPNS"snmp-serverhost6community"FZQ6cmRO"trap-levelcriticalsnmp-servertrap-source66snmp-servercontact"AMTTSupportCenter v2.9"location"locatedat13FloorIDF,FromtoptobottomThe01."aaaaccountingcommandsinterim-updateradiusaaaaccountingexecstart-stopradiusaaaaccountingnetworkstart-stopradiusaaaaccountingsystemstart-stopradiusaaaauthenticationloginprivilege-modeaaaauthentication netloginradiuslocalaaaauthentication netenableradiuslocalaaaauthenticationwebloginradiuslocalaaaauthenticationwebenableradiuslocalaaaauthenticationsshloginradiuslocalaaaauthenticationsshenableradiuslocalaaaauthenticationport-accesseap-radiusaaaport-accessauthenticator1-20aaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator -limitaaaport-accessauthenticator20 -limit32aaaport-accessauthenticatoractiveaaaport-accessmac-based1-aaaport-accessmac-based1addr-limitaaaport-accessmac-based1unauth-vidaaaport-accessmac-based2addr-limitaaaport-accessmac-based2unauth-vidaaaport-accessmac-based3addr-limitaaaport-accessmac-based3unauth-vidaaaport-accessmac-based4addr-limitaaaport-accessmac-based4unauth-vidaaaport-accessmac-based5addr-limitaaaport-accessmac-based5unauth-vidaaaport-accessmac-based6addr-limitaaaport-accessmac-based6unauth-vidaaaport-accessmac-based7addr-limitaaaport-accessmac-based7unauth-vidaaaport-accessmac-based8addr-limitaaaport-accessmac-based8unauth-vidaaaport-accessmac-based9addr-limitaaaport-accessmac-based9unauth-vidaaaport-accessmac-based10addr-limitaaaport-accessmac-based10unauth-vidaaaport-accessmac-based11addr-limitaaaport-accessmac-based11unauth-vidaaaport-accessmac-based12addr-limitaaaport-accessmac-based12unauth-vidaaaport-accessmac-based13addr-limitaaaport-accessmac-based13unauth-vidaaaport-accessmac-based14addr-limitaaaport-accessmac-based14unauth-vidaaaport-accessmac-based15addr-limitaaaport-accessmac-based15unauth-vidaaaport-accessmac-based16addr-limitaaaport-accessmac-based16unauth-vidaaaport-accessmac-based17addr-limitaaaport-accessmac-based17unauth-vidaaaport-accessmac-based18addr-limitaaaport-accessmac-based18unauth-vidaaaport-accessmac-based19addr-limitaaaport-accessmac-based19unauth-vidaaaport-accessmac-based20addr-limitaaaport-accessmac-based20unauth-vidvlannamenountagged1-ipaddressdhcp-bootpvlanname"Network_LAN_Switch_management"tagged23-28ipaddress66vlanname"Wireless_Access_Points_101"untagged21-22tagged23-28noipaddressvlantagged23-28noipaddressvlanname"Servers_Trusted_non-credit_card"tagged23-28noipaddressvlantagged23-28noipaddressvlanname"Associate_PCs_Laptops_Wired"tagged23-28noipaddressvlanname"Associate_ tagged23-28noipaddressvlanname"Associate_Laptops_Wireless"tagged21-28noipaddressvlanname"Associate_PDAs_Micros_iPads"tagged23-28noipaddressvlantagged23-28noipaddressvlanname"Back_ground_music"tagged23-28noipaddressvlanname"Business_Center"tagged23-28noipaddressvlanname"Room_Controls"tagged23-28noipaddressvlanname"Digital_Signage"tagged23-28noipaddressvlanname"Ext_ tagged23-28noipaddressvlanname"Key_Card_Lock"tagged23-28noipaddressvlanname"Guest_Wireless"tagged21-28noipvlan1001name"Conference_Wireless"tagged21-28noipaddressvlanname"Guest_ tagged21-28noipaddressvlanname"Room1501"untagged1tagged23-28noipaddressvlanname"Room1503"untagged2tagged23-28noipaddressvlanname"Room1505"untagged3tagged23-28noipaddressvlanname"Room1506"untagged4tagged23-28noipaddressvlanname"Room1507"untagged5tagged23-28noipaddressvlanname"Room1508"untagged6tagged23-28noipname"Room1509"untagged7tagged23-28noipaddressvlanname"Room1510"untagged8tagged23-28noipaddressvlanname"Room1511"untagged9tagged23-28noipaddressvlanname"Room1512"untagged10tagged23-28noipaddressvlanname"Room1515"untagged11tagged23-28noipaddressvlanname"Room1517"untagged12tagged23-28noipaddressvlanname"Room1519"untagged13tagged23-28noipaddressvlanname"Room1521"untagged14taggedtagged23-28noipaddressvlanname"Room1522"untagged15tagged23-28noipaddressvlanname"Room1523"untagged16tagged23-28noipaddressvlanname"Room1525"untagged17tagged23-28noipaddressvlanname"Room1526"untagged18tagged23-28noipaddressvlanname"Room1527"untagged1