Ruijie EG Go-Live Configuration Guide 3.1

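1. For a newly onboarded hospital, perform these steps before upgrading the gateway version:
On a newly deployed EG, first check whether the directories /mnt/sata0/lianlian and /mnt/sata0/python exist. If either directory is missing, or exists but is empty, create it manually,
then run the following commands:
In /mnt/sata0/lianlian run: wget http://111.47.170.136:8091/lianlian.tar and tar -xf lianlian.tar
In /mnt/sata0 run: wget http://111.47.170.136:8091/python.tar and tar -xf python.tar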
run-system-shell
pkill python
pkill waas.elf
cd /data/httpcache/
wget http://111.47.170.136:8091/httpcache.conf
rm /mnt/sata0/cachedb/ap_report.db
/sbin/waas.elf -d
Then proceed to upgrade the gateway.
cd /mnt/sata0
wget http://111.47.170.136:8091/EG_RGOS11.1_03242317_install.bin

Once the bin file has finished downloading, run: (if it fails, type the command in manually and run it again)
upgrade EG_RGOS11.1_03242317_install.bin

After the upgrade completes, begin configuration; see section 2.
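
The archives and the firmware image in section 1 are fetched with wget over plain HTTP and then unpacked or installed directly. The following is an added example, not part of the original guide, of a digest check and archive-member check to run before tar -xf or upgrade; it assumes sha256sum, awk and tar are available in the shell used, and the function names and digest placeholders are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes sha256sum, awk and
# tar exist in the shell where the downloads are handled. The expected digest
# must come from a trusted channel, not from the same HTTP server.

# sha256_of FILE: print the file's SHA-256 as lowercase hex
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED_HEX: return 0 only if the digest matches
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(sha256_of "$1")
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $1: expected $want, got $got" >&2
        return 1
    fi
}

# members_safe: read member names on stdin; return 1 if any is an absolute
# path or contains a ".." component (would escape the extraction directory)
members_safe() {
    awk '/^\// || /(^|\/)\.\.(\/|$)/ { print "unsafe member: " $0; bad = 1 }
         END { exit bad }' >&2
}

# safe_unpack ARCHIVE EXPECTED_HEX DESTDIR: verify, inspect, then extract
safe_unpack() {
    verify_sha256 "$1" "$2" || return 1
    tar -tf "$1" | members_safe || return 1
    mkdir -p "$3" && tar -xf "$1" -C "$3"
}

# Usage on the gateway (digests are placeholders to be filled in):
#   safe_unpack lianlian.tar <sha256-from-trusted-source> /mnt/sata0/lianlian
#   verify_sha256 EG_RGOS11.1_03242317_install.bin <sha256> && echo "ok to upgrade"
```
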

2. Configuration common to all hospitals: (for a newly onboarded hospital, complete section 1 first)

config
no ip dns server host app.lianlian.com 10.1.0.1
no ip dns server host appapi.lianlian.com 10.1.0.1
no ip dns server host down.lianlian.com 10.1.0.1
no ip dns server host appdown.lianlian.com 10.1.0.1
no ip dns server host appimg2.lianlian.com 10.1.0.1

no app-auth direct-domain http://www.lianlianbox.com
no app-auth direct-domain http://down.lianlianbox.com
no app-auth direct-domain http://photocdn.sohu.com
no app-auth direct-domain http://appimg.lianlianbox.com
no app-auth direct-domain http://boxdown.lianlianbox.com
no app-auth direct-url svrsecure-g3-aia.verisign.com
no app-auth direct-url ocsp.apple.com
no app-auth direct-url apple.com
no app-auth direct-url sd.symcd.com
no app-auth direct-url photocdn.sohu.com
no app-auth direct-url lianlianbox.com
no app-auth direct-url sd.symcb.com
no app-auth direct-url m.iqiyi.com

app-auth enable
app-auth ad-url http://10.1.0.1
app-auth direct-url http://weixin.qq.com
app-auth direct-url http://ppq.apple.com
app-auth direct-url http://phobos.apple.com
app-auth direct-url http://xp.apple.com
app-auth direct-url http://auth.gotowifi.com.cn
app-auth direct-url http://down.lianlianbox.com
app-auth direct-url http://photocdn.sohu.com
app-auth direct-url http://appimg.lianlianbox.com
app-auth direct-url http://boxdown.lianlianbox.com
app-auth direct-url http://init.itunes.apple.com
app-auth direct-url http://itunes.apple.com
app-auth direct-url http://sd.symcb.com
app-auth direct-url http://html5media.googlecode.com
app-auth direct-url http://pub.wifi.alibaba-inc.com
app-auth direct-url http://mtop.wifi.taobao.com
app-auth direct-url http://mobileapi.taodehuo.com
app-auth direct-url http://s.jpush.cn
app-auth direct-url http://lianlian.com
app-auth direct-url http://lianlianbox.com
app-auth direct-url http://pt.lianlianbox.com
app-auth direct-url http://mesu.apple.com
app-auth direct-url http://s.mzstatic.com
app-auth direct-url http://a1204.phobos.apple.com
app-auth direct-url http://iosapps.itunes.apple.com

app-auth direct-url down.helianhealth.com
app-auth direct-url appimg.helianhealth.com
app-auth direct-url boxdown.helianhealth.com
app-auth direct-url helianhealth.com
app-auth direct-url pt.helianhealth.com

app-auth direct-url symcd.com
app-auth direct-url weixin.qq.com
app-auth direct-url sd.symcb.com
app-auth direct-url s.jpush.cn
app-auth direct-url itunes.apple.com
app-auth direct-url lianlianbox.com

app-auth direct-mac 00d0.f800.0000 mask ffff.ff00.0000
app-auth direct-mac 1414.4b00.0000 mask ffff.ff00.0000
app-auth direct-mac 5869.6c00.0000 mask ffff.ff00.0000

app-auth cfg-opt tup 10
app-auth offline-detect time-interval 30 flowrate 0
app-auth time-limit 480
app-auth cfg-opt exclude-online

app-auth direct-app directApp
identify-application custom-group directApp
app-add HTTPS
app-add AppStore|iTunes_Mobile|Pc

was http cache cdn domain pt.lianlianbox.com
was http cache cdn domain lianlianbox.com
was http cache cdn domain pt.helianhealth.com
was http cache cdn domain helianhealth.com
was http cache cdn domain qhimg.com
was http cache cdn domain img.m.tv.sohu.com
was http cache cdn domain photocdn.sohu.com
was http cache cdn domain img.17k.com
was http cache cdn domain apple.com

logging buffered 131072
no ip dhcp log-enable
service password-encryption
logging userinfo command-log

dns-proxy
ip dns server enable
ip dns server host appapi.lianlianbox.com 10.1.0.1
ip dns server host appdown.lianlianbox.com 10.1.0.1
ip dns server host appimg2.lianlianbox.com 10.1.0.1
ip dns server host app.lianlianbox.com 10.1.0.1
ip dns server host down.lianlianbox.com 10.1.0.1
ip dns server host xxx.lianlianbox.com 10.1.0.1

ip dns server host app.helianhealth.com 10.1.0.1
ip dns server host appapi.helianhealth.com 10.1.0.1
ip dns server host down.helianhealth.com 10.1.0.1
ip dns server host appdown.helianhealth.com 10.1.0.1
ip dns server host appimg2.helianhealth.com 10.1.0.1
ip dns server host xxx.helianhealth.com 10.1.0.1

ip access-list standard 1
10 permit 10.1.0.0 0.0.255.255
20 deny any
30 permit any

ip dhcp pool user
lease 0 2 0
network 10.1.0.0 255.255.0.0
dns-server 10.1.0.1
default-router 10.1.0.1
//Note: the DNS server IP addresses must be changed to match each hospital's environment
ip name-server 218.85.157.99
ip name-server 218.85.152.99
ip dns server nameserver 218.85.157.99
ip dns server nameserver 218.85.152.99

//If port 1 of the EG is used as the internal (LAN) port, configure the following commands
interface GigabitEthernet 0/1
no ip unreachables
no ip redirects
no ip mask-reply
ip address 10.1.0.1 255.255.0.0
ip nat inside

//If port 7 of the EG is used as the external (WAN) port, configure the following commands
interface GigabitEthernet 0/7
bandwidth 10000
nexthop 192.168.254.254
ip address 192.168.254.253 255.255.255.0
ip nat outside
flow-policy LianLian_Gi_0/7

//NAT settings
ip nat pool nat_pool prefix-length 24
address interface GigabitEthernet 0/7 match interface GigabitEthernet 0/7
//Note: enable the feature that blocks non-VIP users from accessing specified video resources
no subscriber static name "1"
no time-range 1
identify-application custom-group normal-block
app-add 视频流媒体软件
app-add HTTP视频
app-add 网络硬盘
app-add HTTP下载
app-add P2P应用软件
app-add 视频|影音_MOBILE
app-add 网盘_MOBILE
flow-control LianLian_Gi_0/7
flow-rule 1 app-group normal-block time-range any
flow-rule 1 action drop comment Block-Normal-movie&download

channel-tree inbound
channel-group root parent null cir 1000000 pir 1000000 pri 4 per-net per-pir 2000 limit 2000
channel-group normal parent root cir 20000 pir 1000000 pri 4 per-net per-pir 1024 limit 1000
channel-default normal
channel-tree outbound
channel-group root parent null cir 1000000 pir 1000000 pri 4 per-net per-pir 2000 limit 2000
channel-group normal parent root cir 20000 pir 1000000 pri 4 per-net per-pir 1024 limit 1000
channel-default normal
interface GigabitEthernet 0/7
flow-policy LianLian_Gi_0/7
end
//Note: commands to enable the floating-ad feature
run-system-shell
cd /data/httpcache
wget http://111.47.170.136:8091/ad.conf
exit
config
in-path rule auto-discovery optimization none dstport port 80 accelerate http rulenum start
was http cache ad enable
was http cache reload ad

Run sh was http cache count to view the number of inserted ads (if the value of Http insert ad count is greater than 0, the floating ad was inserted successfully)

//Note: schedule the EG to reboot once a month, at 3:00 a.m.
user-task enable
user-task log enable
end
user-task add rebootEG command "reload@y" mode exec time 3:00 every month
wr
//Note: update the signature database
http update all
3. For dial-up (PPPoE) links, run the following commands:

config
no ip nat inside source list 1 interface GigabitEthernet 0/7 overload
ip nat inside source list 1 interface dialer 1 overload
ip route 0.0.0.0 0.0.0.0 dialer 1
in gi 0/7
no flow-policy
in di 1
flow-policy LianLian_Gi_0/7

4. If port 6 needs to be configured as a LAN port, run the following commands:

config
no ip access-list standard 1
ip access-list standard 1
permit 10.1.0.0 0.0.255.255
permit 10.6.0.0 0.0.255.255
deny any

ip dhcp pool user6
option 138 ip 122.224.84.5
lease 0 2 0
network 10.6.0.0 255.255.0.0
dns-server 10.6.0.1
default-router 10.6.0.1

ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.6.0.1

in gi 0/6
ip ad 10.6.0.1 255.255.0.0
specify interface GigabitEthernet 0/6 lan
end
wr

Reboot the device, then run:
en
config
in gi 0/6
ip nat inside
end
wr