PPPOE拨号上网
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
[Huawei]dis pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 GE0/0/0 00e0fcf46c30 000000000000 up
[Huawei]interface Dialer 1
[Huawei-Dialer1]tcp adjust-mss 1200
[Huawei-Dialer1]mtu 1492
配置pppoe dns主备
[Huawei-Dialer1]ppp ipcp dns request
[Huawei-Dialer1]ppp ipcp dns admit-any
在拨号接口下查看/或/在出接口和进接口配置nat
[Huawei-Dialer1]di th
[V200R003C00]
#
interface Dialer1
link-protocol ppp
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
tcp adjust-mss 1200
ip address 202.100.1.254 255.255.255.252
nat static global 202.100.1.251 inside 192.168.10.10 netmask 255.255.255.255
nat static enable
配置pppoe 静态路由
[Huawei]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
NAT映射
[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10 静态nat
[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123 nat服务
ACL访问控制列表
acl对流量的应用 对路由表的应用
<华为的acl在流量进行匹配时,最后一行隐含允许所有流量通过permit any><思科最后一行隐含拒绝所有流量通过deny any>
acl规则序号<0-4294967294>
标准ACL范围:2000 2999 源IP地址
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 deny/permit<允许或拒绝> source 192.168.1.10 0.0.0.255 反掩码<通配符> 0 是单独特定一台主机
[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 2000 拒绝了192.168.10这个地址通过
[Huawei-GigabitEthernet0/0/2]dis acl 2000 查看决绝的ip
[Huawei-acl-basic-2000]rule 6 permit
[Huawei-acl-basic-2000]dis this
[V200R003C00]
#
acl number 2000
rule 5 deny source 10.10.10.10 0
rule 6 permit 等同允许了所有
高级ACL范围:3000 3999 源IP地址 目的IP地址 源端口 目的端口
[Huawei-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0 destination-port eq 21
[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0
[Huawei-acl-adv-3000]rule permit ip
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
IPSEC VPN 虚拟私有网络
ESP:安全协议 IKE:秘钥协商
3.1 路由最重要!
加解密点
a.到达对端加解密点<直连>
b.到达本端的通信点<直连>
c.到达对端的同信点<静态默认路由>
3.2IPSEC的SPD(acl), 提议(proposal)和IPSEC策略
AR1
[Huawei]acl 3000
[Huawei-acl-adv-3000]description VPN 描述
[Huawei-acl-adv-3000]rule 10 permi ip source 10.10.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
AR2
[Huawei]acl 3000
[Huawei-acl-adv-3000]description VPN 描述
[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
AR1
[Huawei]ipsec proposal
[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1 <authentication-algorithm / encryption-algorithm 认证和加密算法>
[Huawei-ipsec-proposal-sjw]dis this
[V200R003C00]
#
ipsec proposal sjw
esp authentication-algorithm sha1
AR2
[Huawei]ipsec proposal
[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1 <authentication-algorithm / encryption-algorithm 认证和加密算法>
[Huawei-ipsec-proposal-sjw]dis this
[V200R003C00]
#
ipsec proposal sjw
esp authentication-algorithm sha1
AR1
[Huawei]ipsec policy song-vpn 10 manual
[Huawei-ipsec-policy-manual-song-10]security acl 3000
[Huawei-ipsec-policy-manual-song-10]proposal vpn
[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.1 隧道
[Huawei-ipsec-policy-manual-song-10]tunnel local 10.1.2.254 隧道
[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei
[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei
AR2
[Huawei]ipsec policy song 10 manual
[Huawei-ipsec-policy-manual-song-10] security acl 3000
[Huawei-ipsec-policy-manual-song-10] tunnel local 10.1.2.1 隧道
[Huawei-ipsec-policy-manual-song-10] tunnel remote 10.1.2.254 隧道
[Huawei-ipsec-policy-manual-song-10] sa spi inbound esp 54321
[Huawei-ipsec-policy-manual-song-10] sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-song-10] sa spi outbound esp 12354
[Huawei-ipsec-policy-manual-song-10] sa string-key outbound esp simple huawei
3.2出接口应用
[Huawei-Dialer1]ipsec policy sjw-vpn
[Huawei-GigabitEthernet0/0/0]ipsec policy sjw-vpn
[Huawei]dis ipsec sa
VRRP双主热备
sw3:划vlan 10 20
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 20
配置中继trunk
[Huawei-GigabitEthernet0/0/2]int g0/0/1
[Huawei-port-group-trunk]port trunk allow-pass vlan
[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20
[Huawei-GigabitEthernet0/0/2]int g0/0/2
[Huawei-port-group-trunk]port trunk allow-pass vlan
[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20
sw1:划vlan 10 20
[Huawei]int Vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.10 24
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.10.20 24
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
sw2:划vlan 10 20
[Huawei]int Vlanif 10
[Huawei-Vlanif20]ip address 192.168.10.20 24
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.20 24
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
AR1路由器
[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24
[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24
[Huawei-GigabitEthernet0/0/2]int loo 0
[Huawei-LoopBack0]ip address 1.1.1.1 24
写路由优先级
[Huawei]ip route-static 192.168.10.0 24 11.0.0.1 默认是60
[Huawei]ip route-static 192.168.10.0 24 12.0.0.2 preference 70
[Huawei]ip route-static 192.168.20.0 24 12.0.0.1 默认是60
[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70
sw1
[Huawei]ip route-static 1.1.1.0 24 11.0.0.2
sw1
[Huawei-Vlanif100]ip address 11.0.0.1 24
[Huawei-port-group-d]port link-type access
[Huawei-port-group-d]port default vlan 100
sw2
[Huawei]ip route-static 1.1.1.0 24 12.0.0.2
sw2
[Huawei-Vlanif100]ip address 12.0.0.1 24
[Huawei-GigabitEthernet0/0/24]port link-type access
[Huawei-GigabitEthernet0/0/24]port default vlan 100
在核心sw1做vrrp
主
[Huawei]int Vlanif 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[Huawei-Vlanif10]vrrp vrid 1 priority 120 端扣down掉默认会减10 所以备的不能排至110应该是115,115比120小主的坏掉默认就走备的
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0
[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24 追踪上行端口
[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1 追踪下行端口
备
[Huawei-Vlanif10]vrrp vrid 1virtual-ip192.168.10.1
[Huawei-Vlanif10]vrrp vrid1 priority115
备的不用配置抢占,也不用配置跟踪端口,因为主的已经配置了
在核心sw2做vrrp
主
[Huawei]int Vlanif 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24
[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2
抢占和优先级可以不配,【优先级默认是100】,备的配置优先级数字90就可以
备
interface Vlanif20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[Huawei-Vlanif20]vrrp vrid 2 priority 95