Hangzhou H3C Technology Co., Ltd.
Document ID:
Confidentiality level: Internal
Document status:

MSR Series Gateway Optimization Configuration Guide v1.00

Prepared by: 刘雄威 | Date: 2008-9-02
Reviewed by: | Date:
Approved by: | Date:

Hangzhou H3C Technology Co., Ltd. All rights reserved.

Revision Record
Date | Revision Version | Sec No. | Change Description | Author
2008-10-14 | V1.00 | | Revised according to review comments | 刘雄威
2009-11-10 | V1.01 | | The MSR5006 now supports the V5 version; the separate MSR5006 configuration description has been removed | 刘雄威
Contents
1 Overview of Gateway Configuration Optimization
1.1 Enabling Firewall Packet Filtering
1.2 Optimizing NAT Session Aging Times
1.3 Enabling Per-IP-Address Rate Limiting
1.4 Route Optimization
1.5 IP-MAC Address Binding
1.6 Limiting Per-Host NAT TCP Connections
1.7 Enabling the Telnet Service
1.8 Disabling Unnecessary Services on the Device
1.9 Restricting Source Addresses for the Device's HTTP/HTTPS/Telnet Services
1.10 Dual-WAN Access Routing Configuration
1.10.1 Dual-WAN Access from the Same Carrier
1.10.2 Dual-WAN Access with China Telecom and China Netcom
2 Typical Configuration Examples
2.1 Typical Single-Uplink Configurations
2.1.1 PPPoE Dial-up Access
2.1.2 Ethernet Access with Private-Address Hosts
2.1.3 Ethernet Access with Public-Address Hosts
2.2 Typical Dual-WAN Access Configurations
2.2.1 MSR5006 Dual Ethernet Link Access
2.2.2 MSR20/30/50 Dual Ethernet Link Access
2.2.3 Ethernet Link + PPPoE Link Access
2.2.4 China Telecom + China Netcom Dual-Link Access
2.3 Internal Server Access
1 Overview of Gateway Configuration Optimization
As network deployment and applications continue to deepen, network administrators and users place ever higher demands on network security and stability. The MSR series gateways provide a range of features for controlling and managing network traffic and can effectively enforce various anti-attack policies. In complex network environments such as enterprise networks and Internet cafés in particular, a comprehensive and well-designed configuration greatly improves network stability and reliability. Using an MSR2010 gateway running version E1710 as an example (see the version information below), this document summarizes the configuration items that can be optimized on gateway devices in enterprise and Internet café environments, explains how to configure each feature, and gives configuration cases for several typical network topologies.
[Navigator]_dis ver
H3C Comware Platform Software
Comware Software, Version 5.20, ESS 1710
Comware Platform Software Version COMWAREV500R002B58D001SP01
H3C MSR2010 Software Version V300R003B01D004SP01
Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Aug 15 2008 13:57:11, RELEASE SOFTWARE
H3C MSR2010 uptime is 0 week, 3 days, 3 hours, 43 minutes
Last reboot 2007/01/01 08:00:00
System returned to ROM By
CPU type: FREESCALE MPC8323E 333MHz
256M bytes DDR SDRAM Memory
16M bytes Flash Memory
Pcb Version: 3.0
Logic Version: 1.0
Basic BootROM Version: 2.03
Extended BootROM Version: 2.03
[SLOT 0]AUX (Hardware)3.0, (Driver)1.0, (Cpld)1.0
[SLOT 0]ETH0/0 (Hardware)3.0, (Driver)1.0, (Cpld)1.0
[SLOT 0]ETH0/1 (Hardware)3.0, (Driver)1.0, (Cpld)1.0
[SLOT 0]ETH0/2 (Hardware)3.0, (Driver)1.0, (Cpld)1.0
[SLOT 0]ETH0/3 (Hardware)3.0, (Driver)1.0, (Cpld)1.0
[SLOT 0]ETH0/4 (Hardware)3.0, (Driver)1.0, (Cpld)1.0
[Navigator]
1.1 Enabling Firewall Packet Filtering
ACLs are a basic component of every security policy; controlling and monitoring which packets enter and leave the network is almost the definition of network security. RFC 2827/BCP 38 (Best Current Practice) strongly recommends ingress filtering, which not only secures your own network but also keeps other networks from being attacked with spoofed source IP addresses originating from yours. Many network attackers use spoofed source IP addresses to hide their identity; with ingress filtering enabled on the gateway's LAN interface, attackers become easier to locate because they are forced to use their real source IP addresses. With ingress filtering enabled on the gateway's WAN interface, virus and attack traffic of many kinds is filtered effectively and the network becomes more stable.
At the same time, most enterprise and Internet café gateways have NAT enabled: when the gateway forwards packets to the external network it translates the source address to a public address, and when it receives packets it translates the destination address back to an internal address. Because of the MSR series forwarding order (in the inbound direction, NAT translation runs before firewall filtering), the firewall can filter data connections that were not initiated from the internal network as well as attack traffic initiated from the external network, which keeps the network stable and secure. The firewall can also filter common virus packets by application service port.
Taking a LAN interface address of 192.168.1.0/24 and a WAN interface address of 162.1.1.0/30 as an example, the typical ACL and firewall configuration is as follows:
1. Enable the firewall:
[H3C]firewall enable
2. Disable sending of ICMP unreachable messages:
[H3C]undo ip unreachables
3. Configure the LAN-side firewall filtering rules:
acl number 3003 name LANDefend
//Filter common port-scan and virus packets
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444 // Worm.Blaster
rule 2 deny tcp destination-port eq 135 // Worm.Blaster
rule 3 deny udp destination-port eq 135 // Worm.Blaster
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445 // Worm.Blaster
rule 9 deny udp destination-port eq 445 // Worm.Blaster
rule 10 deny udp destination-port eq 593 //Worm.Blaster
rule 11 deny tcp destination-port eq 593 // Worm.Blaster
rule 12 deny tcp destination-port eq 5554 // Sasser
rule 13 deny tcp destination-port eq 9995 // Sasser
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434 // SQL Slammer
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444 // Worm.Blaster
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434 // SQL Slammer
rule 43 deny udp destination-port eq 1433
//Permit the ICMP types used by ping and tracert; drop all other ICMP packets
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
//Permit packets whose source address is in the internal subnet to enter the gateway for forwarding; when internal hosts obtain addresses via DHCP, DHCP request packets must also be allowed in; drop everything else
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
4. Configure the WAN-side firewall filtering rules:
acl number 3001 name WANDefend
//Filter common port-scan and virus packets
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444 // Worm.Blaster
rule 2 deny tcp destination-port eq 135 // Worm.Blaster
rule 3 deny udp destination-port eq 135 // Worm.Blaster
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445 // Worm.Blaster
rule 9 deny udp destination-port eq 445 // Worm.Blaster
rule 10 deny udp destination-port eq 593 // Worm.Blaster
rule 11 deny tcp destination-port eq 593 // Worm.Blaster
rule 12 deny tcp destination-port eq 5554 // Sasser
rule 13 deny tcp destination-port eq 9995 // Sasser
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434 // SQL Slammer
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444 // Worm.Blaster
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434 // SQL Slammer
rule 43 deny udp destination-port eq 1433
//Permit the ICMP types used by ping and tracert; drop all other ICMP packets
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
//Permit the DNS proxy's request traffic (replies from DNS servers, UDP source port dns) to enter
rule 300 permit udp source-port eq dns
//Open the Telnet management port; other service ports or server addresses can be opened as the business requires, for example for a TR069 server at 202.138.1.1:
rule 310 permit tcp destination-port eq telnet
rule 320 permit tcp source 202.138.1.1 0
//Permit packets destined for the internal subnet to enter the gateway for forwarding; drop everything else
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
5. Enable firewall filtering on the LAN interface:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]firewall packet-filter 3003 inbound
6. Enable firewall filtering on the WAN interface:
[H3C]interface Ethernet 0/0
[H3C-Ethernet0/0]firewall packet-filter 3001 inbound
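To see how the LAN-side rule set above behaves, here is an added Python evaluator written for this page (it is not H3C code and does not come from the original document). It parses rule lines in the page's own syntax and runs constructed packets through them in ascending rule order, which is Comware's default config match order: a worm probe to TCP 445 hits rule 8, an internal host's web request reaches rule 1000, a DHCP discover with source 0.0.0.0 is admitted by rule 1001, and a packet with a spoofed source outside 192.168.1.0/24 falls through to rule 2000, which is the BCP 38 ingress filter at work. The service-name-to-port table, the sample packets and the "no match means permit" default are assumptions of the example.

```python
import ipaddress

# Port numbers Comware substitutes for the service names used on the page (IANA values).
SERVICE_PORTS = {"tftp": 69, "bootps": 67, "dns": 53, "telnet": 23,
                 "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Constructed excerpt of the page's LANDefend ACL (same rule numbers, fewer worm rules).
LAN_DEFEND = """
rule 2 deny tcp destination-port eq 135 // Worm.Blaster
rule 8 deny tcp destination-port eq 445 // Worm.Blaster
rule 15 deny udp destination-port eq 1434 // SQL Slammer
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
"""


def _addr(tok):
    """'0' (the exact-host wildcard) or a dotted quad -> int."""
    return int(tok) if tok.isdigit() else int(ipaddress.IPv4Address(tok))


def _port(tok):
    return SERVICE_PORTS.get(tok) or int(tok)


def parse_acl(text):
    """Parse Comware-style 'rule' lines (trailing // comments stripped) into dicts."""
    rules = []
    for raw in text.strip().splitlines():
        tok = raw.split("//")[0].split()
        if not tok or tok[0] != "rule":
            continue
        rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3],
                "src": None, "dst": None, "sport": None, "dport": None, "icmp_type": None}
        i = 4
        while i < len(tok):
            if tok[i] in ("source", "destination"):
                rule["src" if tok[i] == "source" else "dst"] = (_addr(tok[i + 1]), _addr(tok[i + 2]))
                i += 3
            elif tok[i] in ("source-port", "destination-port"):   # only 'eq' is used on the page
                rule["sport" if tok[i] == "source-port" else "dport"] = _port(tok[i + 2])
                i += 3
            elif tok[i] == "icmp-type":
                rule["icmp_type"] = tok[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])


def _wild_match(spec, ip):
    """Comware wildcard: bits set in the wildcard are don't-care bits."""
    if spec is None:
        return True
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def evaluate(rules, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First match in ascending rule order wins (config match order, the default).
    Assumption: a packet matching no rule is permitted, the packet filter's default."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_wild_match(r["src"], src) and _wild_match(r["dst"], dst)):
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != icmp_type:
            continue
        return r["action"], r["id"]
    return "permit", None


LAN_RULES = parse_acl(LAN_DEFEND)

# Constructed packets arriving inbound on the LAN interface: (description, args, kwargs).
SAMPLE_PACKETS = [
    ("worm probe to 445", ("tcp", "192.168.1.5", "203.0.113.7"), {"dport": 445}),
    ("normal web request", ("tcp", "192.168.1.5", "203.0.113.7"), {"dport": 80}),
    ("DHCP discover, src 0.0.0.0", ("udp", "0.0.0.0", "255.255.255.255"), {"sport": 68, "dport": 67}),
    ("spoofed source 10.1.1.1", ("tcp", "10.1.1.1", "203.0.113.7"), {"dport": 80}),
    ("ping", ("icmp", "192.168.1.5", "203.0.113.7"), {"icmp_type": "echo"}),
    ("icmp timestamp request", ("icmp", "192.168.1.5", "203.0.113.7"), {"icmp_type": "timestamp-request"}),
]


def run_samples():
    """Map each sample packet description to its (action, matching rule id)."""
    return {desc: evaluate(LAN_RULES, *args, **kw) for desc, args, kw in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, verdict in run_samples().items():
        print(f"{desc:30} -> {verdict}")
```

The same evaluator applied to the WANDefend ACL shows why rule 300 (UDP source port dns) and rule 310 (TCP destination port telnet) are needed in front of rule 1000: without them, replies to the DNS proxy and remote management sessions would only pass if their destination were inside 192.168.1.0/24, which for traffic addressed to the gateway itself it is not.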
1.2 Optimizing NAT Session Aging Times
Each connection from an internal PC to the external network creates one NAT session entry that records the connection's state (source address, source port, destination address, destination port, and so on) and is used to translate the reply packets. The number of connections an internal PC opens varies by application: opening one web page creates 10 to 50 TCP connections, and downloads and online games create hundreds. Once the NAT session entries for these connections exist, if an abnormal event such as an application crash or a PC reboot means the gateway never receives the packets that close the connection, the entries can only be removed after the aging time expires, so some useless NAT entries remain on the gateway. In enterprise and Internet café environments these useless entries become very numerous, and if they are not aged out promptly they consume substantial system resources and degrade forwarding performance. The NAT entry aging times therefore need to be adjusted so that useless entries are removed as soon as possible and resources are released. Shorter is not always better, however: if NAT entries age out too quickly, reply packets that arrive within the normal delay range will find no entry to translate their address and cannot be forwarded into the internal network, so the connection fails to establish. The recommended values for the various NAT session aging times, and the commands to set them, are as follows:
[H3C]nat aging-time tcp 300 //Set the TCP session aging time to 300 seconds (default 86400)
[H3C]nat aging-time udp 180 //Set the UDP session aging time to 180 seconds (default 300)
[H3C]nat aging-time pptp 300 //Set the PPTP session aging time to 300 seconds (default 86400)
[H3C]nat aging-time ftp-ctrl 300 //Set the ftp-ctrl session aging time to 300 seconds (default 7200)
[H3C]nat aging-time icmp 10 //Set the ICMP session aging time to 10 seconds (default 60)
[H3C]nat aging-time dns 10 //Set the DNS session aging time to 10 seconds (default 60)
[H3C]nat aging-time tcp-fin 10 //Set the tcp-fin packet aging time to 10 seconds (default 60)
[H3C]nat aging-time tcp-syn 10 //Set the tcp-syn packet aging time to 10 seconds (default 60)
1.3 Enabling Per-IP-Address Rate Limiting
Most enterprises and Internet cafés currently subscribe to 10 Mbps of bandwidth from their carrier. Under normal use this is sufficient, but in practice individual hosts downloading often take up most of the bandwidth, leaving other PCs with slow or no network access. In this situation the gateway's per-IP-address rate-limiting feature should be enabled to rate-limit each PC on the internal network individually, so that normal applications are served while downloads cannot monopolize the bandwidth and disrupt normal use of the network.
The configuration steps are as follows:
1. Configure the address range to be rate-limited; a source address range and a destination address range must be configured separately:
[H3C]qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
[H3C]qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
2. Enable per-IP-address rate limiting on the LAN interface, here limiting upstream to 512 kbps and downstream to 1024 kbps:
[H3C]int Vlan-interface 1
[H3C-Vlan-interface1]qos car inbound carl 1 cir 512
[H3C-Vlan-interface1]qos car outbound carl 2 cir 1024
The MSR series gateways (except the MSR5006) also support intelligent QoS rate limiting. It works by assigning one total bandwidth to an address range: when only one PC in that range is online it gets the whole configured bandwidth; when two PCs are online each can use half of the total, and so on. The configuration steps are as follows:
1. Configure the address range to be rate-limited, using shared mode:
[H3C]qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.20 per-address shared-bandwidth
[H3C]qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.20 per-address shared-bandwidth
2. Enable per-IP-address rate limiting on the LAN interface, here limiting total upstream bandwidth to 5000 kbps and total downstream bandwidth to 10000 kbps:
[H3C]int Vlan-interface 1
[H3C-Vlan-interface1]qos car inbound carl 1 cir 5000
[H3C-Vlan-interface1]qos car outbound carl 2 cir 10000
Note: Per-IP-address rate limiting can also be configured on a WAN interface; internal PCs are then rate-limited per WAN interface, and with multiple WAN interfaces each WAN interface's rate limiting is independent. Also note that when configuring rate limiting on a WAN interface, the inbound direction is downstream and the outbound direction is upstream, the opposite of the LAN interface configuration.
1.4 Route Optimization
The reserved private addresses specified in RFC 1918 and other well-known private addresses should not appear on the existing Internet. They can be filtered with black-hole routes, which prevents an attack inside the LAN from consuming large numbers of fast-forwarding or NAT entries.
For example:
ip route-static 10.0.0.0 255.0.0.0 NULL 0 preference 60
ip route-static 169.254.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 172.16.0.0 255.240.0.0 NULL 0 preference 60
ip route-static 192.168.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 198.18.0.0 255.254.0.0 NULL 0 preference 60
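The point of these black-hole routes is easiest to see with a longest-prefix-match lookup. The Python below is an added example written for this page (not H3C code): it parses the route lines above, adds the connected LAN and WAN routes and the default route of the example topology (constructed for the demo), and shows that a packet for 10.2.3.4 or 192.168.5.1 is dropped at NULL0 instead of following the default route out of the WAN, while 192.168.1.20 still reaches the LAN because the connected /24 is more specific than the 192.168.0.0/16 black hole.

```python
import ipaddress

# Black-hole routes from section 1.4 (the page's own lines) plus a default route towards the
# example WAN gateway 162.1.1.1 (constructed for this demo).
STATIC_ROUTE_LINES = """
ip route-static 0.0.0.0 0.0.0.0 162.1.1.1
ip route-static 10.0.0.0 255.0.0.0 NULL 0 preference 60
ip route-static 169.254.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 172.16.0.0 255.240.0.0 NULL 0 preference 60
ip route-static 192.168.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 198.18.0.0 255.254.0.0 NULL 0 preference 60
"""
# Connected (direct) routes of the example topology: LAN 192.168.1.0/24, WAN 162.1.1.0/30.
CONNECTED = [("192.168.1.0/24", "Vlan-interface1"), ("162.1.1.0/30", "Ethernet0/0")]


def parse_static_route(line):
    """'ip route-static <dest> <mask> <next-hop | NULL 0> [preference N]'
    -> (network, next hop, preference). Static routes default to preference 60 on Comware."""
    tok = line.split()
    net = ipaddress.IPv4Network((tok[2], tok[3]))
    nexthop = "NULL0" if tok[4] == "NULL" else tok[4]
    pref = int(tok[tok.index("preference") + 1]) if "preference" in tok else 60
    return net, nexthop, pref


def build_table():
    table = [parse_static_route(l) for l in STATIC_ROUTE_LINES.strip().splitlines()]
    # Direct routes have preference 0, so they beat a static route of equal prefix length.
    table += [(ipaddress.IPv4Network(p), ifc, 0) for p, ifc in CONNECTED]
    return table


def lookup(table, dst):
    """Longest prefix match; among equal prefixes the lower preference wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, nexthop, pref in table:
        if addr in net:
            key = (net.prefixlen, -pref)
            if best is None or key > best[0]:
                best = (key, nexthop)
    return best[1] if best else None


def blackholed(table, destinations):
    """Which of the given destinations the gateway discards at NULL0."""
    return [d for d in destinations if lookup(table, d) == "NULL0"]


if __name__ == "__main__":
    table = build_table()
    for dst in ("10.2.3.4", "192.168.1.20", "192.168.5.1", "8.8.8.8", "162.1.1.1"):
        print(f"{dst:15} -> {lookup(table, dst)}")
```

Without the black-hole entries, every one of those private destinations would match only the default route, leave through the WAN, and create fast-forwarding and NAT state on the way; a scan of 10.0.0.0/8 from an infected LAN host can create millions of such entries.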
1.5 IP-MAC Address Binding
Because the users of an Internet café are a mixed group, someone may change an IP address deliberately or by accident, or use software such as 网络执法官 (Network Law Enforcer) to cause malicious damage. Configuring IP-MAC address binding (static ARP) on both the gateway and the client machines effectively prevents this kind of ARP-spoofing-based attack. The ARP flood attack prevention and ARP validity check features can be enabled at the same time.
1. On a Layer 3 Ethernet interface, the binding is configured as follows:
[H3C]arp static 192.168.1.10 0023-ab13-0121
On a Layer 3 VLAN interface a long static ARP binding is required, which adds the VLAN and port information compared with a short ARP entry, as follows:
[H3C]arp static 192.168.1.10 0023-ab13-0121 1 Ethernet 0/1
2. Enable ARP flood attack prevention on the gateway: when one MAC address sends more than 20 ARP packets within 5 seconds, subsequent ARP packets from that MAC are dropped, and ARP packets from that MAC are accepted again after five minutes, as follows:
[H3C]arp anti-attack source-mac filter
[H3C]arp anti-attack source-mac threshold 20
[H3C]arp anti-attack source-mac aging-time 300
3. Enable the ARP packet validity check, which compares the source MAC address in the Ethernet frame header with the sender MAC address in the ARP packet; if they differ the packet is treated as illegal and dropped.
[H3C]arp anti-attack valid-check enable
After ARP binding is configured on the gateway, the gateway's ARP entry can be statically bound on the client machine by running the command "arp -s <gateway IP, e.g. 192.168.1.1> <gateway MAC address>":
The ARP binding created with this command is lost every time the PC restarts. Is there a way to make the PC bind automatically at every startup? A batch file can be created and placed in the Startup group; the batch file's content is the IP-MAC binding for the gateway, so the PC binds the gateway's IP-MAC automatically at every startup.
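As an added example (written for this page, not H3C code), the Python below models the two ARP checks configured above as detection logic over a constructed ARP trace: the validity check drops frames whose Ethernet source MAC differs from the ARP sender MAC, and the source-MAC filter counts ARP packets per MAC over the 5-second window, blocks a MAC that exceeds 20 packets, and releases it after the 300-second aging time. The MAC addresses, timestamps and IP addresses in the trace are constructed; the exact way Comware delimits its 5-second window is an assumption.

```python
from collections import Counter, defaultdict, deque

WINDOW_S = 5        # detection window stated in section 1.5
THRESHOLD = 20      # arp anti-attack source-mac threshold 20
AGING_S = 300       # arp anti-attack source-mac aging-time 300


class ArpGuard:
    """Models two checks from section 1.5: the validity check (frame source MAC must equal
    the ARP sender MAC) and the source-MAC flood filter (more than THRESHOLD ARP packets
    from one MAC within WINDOW_S seconds blocks that MAC for AGING_S seconds)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_S, aging=AGING_S):
        self.threshold, self.window, self.aging = threshold, window, aging
        self.recent = defaultdict(deque)   # mac -> timestamps inside the sliding window
        self.blocked_until = {}            # mac -> time at which the filter expires

    def inspect(self, pkt):
        """Return 'accept', 'drop-invalid' (validity check) or 'drop-flood' (rate filter)."""
        mac, ts = pkt["eth_src"], pkt["ts"]
        if mac != pkt["arp_sha"]:
            return "drop-invalid"
        until = self.blocked_until.get(mac)
        if until is not None:
            if ts < until:
                return "drop-flood"
            del self.blocked_until[mac]     # aging time over: start accepting this MAC again
        q = self.recent[mac]
        q.append(ts)
        while ts - q[0] > self.window:      # slide the window forward
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[mac] = ts + self.aging
            q.clear()
            return "drop-flood"
        return "accept"


def constructed_trace():
    """Constructed ARP trace: one host flooding (30 packets in 3 s), one normal host, and one
    frame whose ARP sender MAC disagrees with the Ethernet source MAC."""
    flood, good = "0023-ab13-0121", "0023-ab13-0122"
    pkt = lambda ts, eth, sha, spa: {"ts": ts, "eth_src": eth, "arp_sha": sha, "arp_spa": spa}
    trace = [pkt(i / 10, flood, flood, "192.168.1.10") for i in range(30)]
    trace += [pkt(1.0 + 2 * i, good, good, "192.168.1.11") for i in range(5)]
    trace.append(pkt(4.0, good, "0023-ab13-0999", "192.168.1.1"))   # sender MAC mismatch
    trace.append(pkt(310.0, flood, flood, "192.168.1.10"))           # after the 300 s filter
    return sorted(trace, key=lambda p: p["ts"])


def summarize(trace):
    """Run the guard over a trace; return per-MAC verdict counts."""
    guard = ArpGuard()
    verdicts = defaultdict(Counter)
    for p in trace:
        verdicts[p["eth_src"]][guard.inspect(p)] += 1
    return verdicts


if __name__ == "__main__":
    for mac, counts in summarize(constructed_trace()).items():
        print(mac, dict(counts))
```

The threshold of 20 packets in 5 seconds is generous for a normal host (a PC resolving a handful of neighbours sends far fewer), so in practice a MAC tripping this filter is either a scanner or a misbehaving tool, and the 300-second block bounds the damage without permanently cutting the host off.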
1.6 Limiting Per-Host NAT TCP Connections
The MSR series gateways (except the MSR5006) support limiting the maximum number of NAT TCP connections, that is, limiting the number of NAT TCP connections for a single IP address or for multiple IP addresses. One characteristic of P2P software such as BitTorrent is that it holds many connections at once and consumes a large number of NAT entries, so this method effectively restricts BitTorrent use. For example, if the maximum NAT TCP connection count for IP 192.168.1.2 is set to 300, that is certainly enough for normal network access; but with BitTorrent this IP's NAT TCP connection count quickly reaches 300, and once the peak is reached the IP's other access can no longer be NAT-translated until some NAT entries expire. This both protects the network's bandwidth and serves as a warning to the user.
# Create an ACL with a rule matching packets whose source IP address is 192.168.1.2.
[H3C] acl number 3100
[H3C-acl-adv-3100] rule 0 permit tcp source 192.168.1.2 0
[H3C-acl-adv-3100] quit
# Create a connection-limit policy with a rule that limits the number of connections initiated from each single source address.
[H3C]connection-limit policy 1
[H3C-connection-limit-policy-1]limit 0 acl 3100 per-source amount 300 290
# Apply connection-limit policy 1 to NAT.
[H3C]nat connection-limit-policy 1
The NAT connection limit for each PC can also be configured through the web management interface, as follows:
Note: In version E1710 the web interface only supports a connection limit applied to every PC; it does not support limiting the NAT connection count of a single PC separately.
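The interaction between NAT session aging (section 1.2) and the per-source connection limit above is worth seeing in one model. The Python below is an added example for this page, not H3C code: a toy NAT session table that ages entries by state using the tuned and default aging times from section 1.2, and applies a per-source limit with the upper/lower marks of "per-source amount 300 290". It shows that 50 sessions orphaned by a crashed PC linger for a day with the default 86400-second TCP aging but are gone within ten minutes with 300 seconds, and that a host at 300 NAT TCP connections is refused new ones until its count falls back to the lower mark of 290. The reading of the lower mark as the point at which new connections are admitted again, and the addresses and ports used, are assumptions of the example.

```python
# Aging times (seconds) per session state: section 1.2's tuned values next to the defaults.
TUNED_AGING = {"tcp": 300, "udp": 180, "tcp-syn": 10, "tcp-fin": 10, "icmp": 10, "dns": 10}
DEFAULT_AGING = {"tcp": 86400, "udp": 300, "tcp-syn": 60, "tcp-fin": 60, "icmp": 60, "dns": 60}


class NatTable:
    """Toy NAT session table: entries age out per state, and an optional per-source TCP
    connection limit with upper/lower marks mimics 'limit ... per-source amount 300 290'."""

    def __init__(self, aging, per_source_limit=None):
        self.aging = aging
        self.limit = per_source_limit    # (upper, lower) or None
        self.sessions = {}               # (src, sport, dst, dport, proto) -> [state, last_seen]
        self.throttled = set()           # sources currently refused new connections

    def expire(self, now):
        stale = [k for k, (state, seen) in self.sessions.items() if now - seen > self.aging[state]]
        for k in stale:
            del self.sessions[k]

    def tcp_count(self, src):
        return sum(1 for k in self.sessions if k[0] == src and k[4] == "tcp")

    def open(self, now, src, sport, dst, dport, proto="tcp"):
        """Create a session for a new outbound packet; False if the per-source limit refuses it."""
        self.expire(now)
        if self.limit and proto == "tcp":
            upper, lower = self.limit
            n = self.tcp_count(src)
            if src in self.throttled and n <= lower:
                self.throttled.discard(src)   # back at the lower mark: admit connections again
            if src in self.throttled or n >= upper:
                self.throttled.add(src)
                return False
        self.sessions[(src, sport, dst, dport, proto)] = ["tcp-syn" if proto == "tcp" else proto, now]
        return True

    def update(self, now, key, state):
        """Handshake completed ('tcp') or FIN seen ('tcp-fin'): new state, timer refreshed."""
        self.sessions[key] = [state, now]


def orphans_remaining(aging, n_sessions=50, checked_at=600):
    """A PC opens n TCP sessions at t=0 (all reach ESTABLISHED), then crashes without sending
    FINs. Return how many stale NAT entries still exist checked_at seconds later."""
    table = NatTable(aging)
    src = "192.168.1.2"
    for p in range(n_sessions):
        key = (src, 10000 + p, "203.0.113.9", 80, "tcp")   # constructed destination
        table.open(0, *key)
        table.update(0, key, "tcp")
    table.expire(checked_at)
    return len(table.sessions)


def connection_limit_demo():
    """A BitTorrent-style host at 192.168.1.2 under 'per-source amount 300 290'."""
    table = NatTable(TUNED_AGING, per_source_limit=(300, 290))
    src, dst = "192.168.1.2", "203.0.113.9"              # constructed addresses
    keys = [(src, 20000 + p, dst, 6881, "tcp") for p in range(300)]
    for key in keys:
        table.open(0, *key)
        table.update(0, key, "tcp")
    results = {"at_peak": table.open(1, src, 30000, dst, 80)}
    for key in keys[:5]:                                  # five transfers finish: FIN seen
        table.update(2, key, "tcp-fin")
    results["after_5_closed"] = table.open(20, src, 30001, dst, 80)    # 295 left: still > 290
    for key in keys[5:10]:
        table.update(20, key, "tcp-fin")
    results["after_10_closed"] = table.open(40, src, 30002, dst, 80)   # 290 left: admitted
    return results


if __name__ == "__main__":
    print("stale entries, default aging:", orphans_remaining(DEFAULT_AGING))
    print("stale entries, tuned aging:  ", orphans_remaining(TUNED_AGING))
    print(connection_limit_demo())
```

Note how the two settings reinforce each other: with the default 86400-second TCP aging, a host that once hit the 300-connection ceiling would stay throttled for a day even after its P2P client was closed, because the dead sessions never leave the table; the 300-second and 10-second tcp-fin values are what let the count fall back below 290 in a reasonable time.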
1.7 Enabling the Telnet Service
Enable the device's Telnet service to make later remote maintenance and management convenient. The steps are as follows:
1. Enable the Telnet service (on the MSR5006 the Telnet service is enabled by default, so the enable command is not needed):
[H3C]telnet server enable
2. Configure the Telnet authentication mode, using local authentication:
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]authentication-mode scheme
3. Configure the username and password for local authentication:
[H3C]local-user admin
[H3C-luser-admin]password cipher xxxx
[H3C-luser-admin]service-type telnet
[H3C-luser-admin]authorization-attribute level 3
1.8 Disabling Unnecessary Services on the Device
The MSR series gateways enable a number of services by default that are not needed in enterprise and Internet café environments; they can be disabled to save system resources.
On the MSR5006:
[H3C]undo icmp unreach send //Disable sending of ICMP unreachable messages
[H3C]undo icmp redirect send //Disable sending of ICMP redirect messages
[H3C]undo dhcp enable //Disable the device's DHCP service
[H3C]undo ftp server //Disable the device's FTP service
On the MSR20/30/50:
[H3C]undo ip unreachables //Disable sending of ICMP unreachable messages
[H3C]undo ip redirects //Disable sending of ICMP redirect messages
[H3C]undo dhcp enable //Disable the device's DHCP service
[H3C]undo ftp server //Disable the FTP service
[H3C]undo radius client //Disable the RADIUS client service
1.9 Restricting Source Addresses for the Device's HTTP/HTTPS/Telnet Services
The device's HTTP/HTTPS/Telnet services are open to all users by default. For added security, access to these services can be restricted to certain users, as follows:
1. Define the user addresses allowed to access the device's services, here all internal addresses plus the public address 218.172.13.56:
[H3C]acl number 2000
[H3C-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[H3C-acl-basic-2000]rule permit source 218.172.13.56 0.0.0.0
[H3C-acl-basic-2000]rule 1000 deny
2. Restrict which users can access the device's HTTP service:
[H3C]ip http acl 2000
3. Restrict which users can access the device's Telnet service:
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]acl 2000 inbound
4. Restrict which users can access the device's HTTPS service:
[H3C]ip https acl 2000
1.10 Dual-WAN Access Routing Configuration
More and more enterprises and Internet cafés are adopting dual-WAN uplink access. This topology provides both load sharing across the links and dynamic link backup, and is widely welcomed by users. The optimized routing configuration for each dual-WAN access mode is described below.
1.10.1 Dual-WAN Access from the Same Carrier
1. Dual Ethernet link access
1) MSR configuration method
For the MSR gateways, policy-based routing together with automatic detection implements load sharing and link backup. Taking one WAN connection with address 142.1.1.2/24 and gateway 142.1.1.1, another WAN connection with address 162.1.1.2/24 and gateway 162.1.1.1, and an MSR2010 as the gateway device as an example, the configuration is as follows:
1. Configure automatic detection groups to monitor the state of the WAN connections:
[H3C]nqa agent enable
[H3C]nqa entry wan1 1
[H3C-nqa-wan1-1]type icmp-echo
[H3C-nqa-wan1-1-icmp-echo]destination ip 142.1.1.1
[H3C-nqa-wan1-1-icmp-echo]next-hop 142.1.1.1
[H3C-nqa-wan1-1-icmp-echo]probe count 3
[H3C-nqa-wan1-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan1-1-icmp-echo]frequency 10000
[H3C-nqa-wan1-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C]nqa entry wan2 1
[H3C-nqa-wan2-1]type icmp-echo
[H3C-nqa-wan2-1-icmp-echo]destination ip 162.1.1.1
[H3C-nqa-wan2-1-icmp-echo]next-hop 162.1.1.1
[H3C-nqa-wan2-1-icmp-echo]frequency 10000
[H3C-nqa-wan2-1-icmp-echo]probe count 3
[H3C-nqa-wan2-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan2-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C-nqa-wan2-1-icmp-echo]quit
[H3C]nqa schedule wan1 1 start-time now lifetime forever
[H3C]nqa schedule wan2 1 start-time now lifetime forever
[H3C]track 1 nqa entry wan1 1 reaction 1
[H3C]track 2 nqa entry wan2 1 reaction 1
2. Configure ACLs to divide the business traffic, here by odd/even internal host address:
[H3C]acl number 3200
[H3C-acl-adv-3200] rule 0 permit ip source 192.168.1.0 0.0.0.254
[H3C-acl-adv-3200]rule 1000 deny ip
[H3C-acl-adv-3200]quit
[H3C]acl number 3201
[H3C-acl-adv-3201]rule 0 permit ip source 192.168.1.1 0.0.0.254
[H3C-acl-adv-3201]rule 1000 deny ip
3. Configure policy-based routing to define the forwarding rules, here sending even-numbered hosts over WAN1 and odd-numbered hosts over WAN2:
[H3C]policy-based-route wan permit node 1
[H3C-pbr-wan-1]if-match acl 3200
[H3C-pbr-wan-1]apply ip-address next-hop 142.1.1.1 track 1
[H3C-pbr-wan-1]quit
[H3C]policy-based-route wan permit node 2
[H3C-pbr-wan-2]if-match acl 3201
[H3C-pbr-wan-2]apply ip-address next-hop 162.1.1.1 track 2
4. Enable policy-based routing on the LAN interface:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]ip policy-based-route wan
5. Configure default routes so that when either WAN link fails, traffic is forwarded over the other link:
[H3C]ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1 preference 60
[H3C]ip route-static 0.0.0.0 0.0.0.0 162.1.1.1 track 2 preference 100
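To show how the pieces above fit together (the odd/even split by wildcard, NQA-driven track objects, and the default routes as the fallback), here is an added Python model written for this page, not H3C code. It reproduces the wildcard match of 0.0.0.254, a track that goes down after six consecutive probe failures as configured in step 1, and the forwarding decision: a PBR node whose track is down is skipped and the packet falls back to the default routes, where the lowest-preference route with a live track wins. The assumption that a track returns to up on the first successful probe, and the host addresses used, are the example's own.

```python
import ipaddress


def wildcard_match(ip, base, wildcard):
    """Comware ACL wildcard: bits set in the wildcard are ignored."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return (to_int(ip) | to_int(wildcard)) == (to_int(base) | to_int(wildcard))


class Track:
    """Track object driven by an NQA icmp-echo entry configured with
    'reaction 1 checked-element probe-fail threshold-type consecutive 6'."""

    def __init__(self, consecutive=6):
        self.consecutive = consecutive
        self.failures = 0
        self.up = True

    def probe_result(self, ok):
        if ok:
            self.failures = 0
            self.up = True          # assumption: recovers on the first successful probe
        else:
            self.failures += 1
            if self.failures >= self.consecutive:
                self.up = False
        return self.up


# Step 3: even hosts (192.168.1.0 0.0.0.254) via WAN1, odd hosts (192.168.1.1 0.0.0.254) via WAN2.
PBR_NODES = [
    {"acl": ("192.168.1.0", "0.0.0.254"), "next_hop": "142.1.1.1", "track": 1},
    {"acl": ("192.168.1.1", "0.0.0.254"), "next_hop": "162.1.1.1", "track": 2},
]
# Step 5: default routes, each tied to the track of its gateway.
DEFAULT_ROUTES = [
    {"next_hop": "142.1.1.1", "track": 1, "preference": 60},
    {"next_hop": "162.1.1.1", "track": 2, "preference": 100},
]


def choose_next_hop(src, tracks):
    """PBR first; an apply clause whose track is down is ignored, so the packet is routed by
    the routing table, where the lowest-preference default route with a live track wins."""
    for node in PBR_NODES:
        if wildcard_match(src, *node["acl"]) and tracks[node["track"]].up:
            return node["next_hop"]
    alive = [r for r in DEFAULT_ROUTES if tracks[r["track"]].up]
    if not alive:
        return None
    return min(alive, key=lambda r: r["preference"])["next_hop"]


def failover_demo():
    """WAN1's gateway stops answering: with probe count 3 every 10 s, six consecutive
    failures accumulate after about 20 s, at which point even hosts move to WAN2 as well."""
    tracks = {1: Track(), 2: Track()}
    even, odd = "192.168.1.10", "192.168.1.11"        # constructed LAN hosts
    before = (choose_next_hop(even, tracks), choose_next_hop(odd, tracks))
    for _ in range(5):
        tracks[1].probe_result(False)
    still_up_after_5 = tracks[1].up                    # below the threshold: no change yet
    tracks[1].probe_result(False)                      # sixth consecutive failure
    during = (choose_next_hop(even, tracks), choose_next_hop(odd, tracks))
    tracks[1].probe_result(True)                       # WAN1 answers again
    after = choose_next_hop(even, tracks)
    return before, still_up_after_5, during, after


if __name__ == "__main__":
    print(failover_demo())
```

The detection delay is the product of the NQA parameters: with frequency 10000 ms, probe count 3 and a consecutive threshold of 6, two whole test cycles must fail before the track flips, so a link outage shorter than about 20 seconds never triggers a failover, which is usually the desired behaviour for a flapping link.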
2) Per-user load-sharing configuration method
The MSR5006 supports per-user load sharing, which dynamically shares traffic across links according to interface bandwidth. Combined with automatic detection, it also provides link backup: when one link fails, traffic is automatically forwarded over the other link. Taking one WAN connection with address 142.1.1.2/24 and gateway 142.1.1.1 and another WAN connection with address 162.1.1.2/24 and gateway 162.1.1.1 as an example, the configuration is as follows:
1. For the automatic detection configuration, see the description above.
2. Configure static default routes to the two WAN interfaces and associate them with the automatic detection groups:
3. Enable per-user load sharing:
ip user-based-sharing enable
ip user-based-sharing route 0.0.0.0 0.0.0.0
4. Configure the load-sharing bandwidth of the WAN interfaces (the two WAN interfaces' load-sharing bandwidths only need to be in a suitable ratio; they do not have to match the actual subscribed physical bandwidth):
#
interface Ethernet0/0
port link-mode route
nat outbound
ip address 172.33.13.15 255.255.0.0
load-bandwidth 1000
#
2. Ethernet link + PPPoE link access
1) MSR configuration method
The configuration is similar to dual Ethernet link access, with only a few adjustments. Again taking one WAN connection with address 142.1.1.2/24 and gateway 142.1.1.1, the other WAN connection being a PPPoE link, and an MSR2010 as the gateway device as an example, the configuration is as follows:
1. Configure an automatic detection group to monitor the state of the WAN connection:
[H3C]nqa agent enable
[H3C]nqa entry wan1 1
[H3C-nqa-wan1-1]type icmp-echo
[H3C-nqa-wan1-1-icmp-echo]destination ip 142.1.1.1
[H3C-nqa-wan1-1-icmp-echo]next-hop 142.1.1.1
[H3C-nqa-wan1-1-icmp-echo]probe count 5
[H3C-nqa-wan1-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan1-1-icmp-echo]frequency 10000
[H3C-nqa-wan1-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C]nqa schedule wan1 1 start-time now lifetime forever
[H3C]track 1 nqa entry wan1 1 reaction 1
2. Configure ACLs to divide the business traffic, here by odd/even internal host address:
[H3C]acl number 3200
[H3C-acl-adv-3200] rule 0 permit ip source 192.168.1.0 0.0.0.254
[H3C-acl-adv-3200]rule 1000 deny ip
[H3C-acl-adv-3200]quit
[H3C]acl number 3201
[H3C-acl-adv-3201]rule 0 permit ip source 192.168.1.1 0.0.0.254
[H3C-acl-adv-3201]rule 1000 deny ip
3. Configure policy-based routing to define the forwarding rules, here sending even-numbered hosts over WAN1 and odd-numbered hosts over WAN2:
[H3C]policy-based-route wan permit node 1
[H3C-pbr-wan-1]if-match acl 3200
[H3C-pbr-wan-1]apply ip-address next-hop 142.1.1.1 track 1
[H3C-pbr-wan-1]quit
[H3C]policy-based-route wan permit node 2
[H3C-pbr-wan-2]if-match acl 3201
[H3C-pbr-wan-2]apply output-interface dialer0
4. Enable policy-based routing on the LAN interface:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]ip policy-based-route wan
5. Configure default routes so that when either WAN link fails, traffic is forwarded over the other link:
[H3C]ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1 preference 60
[H3C]ip route-static 0.0.0.0 0.0.0.0 dialer0 preference 100
Note: Because early versions of the MSR series gateways had a problem combining policy-based routing, fast forwarding and PPPoE dial-up (fixed in versions after R1618P11 and E1711), when the WAN connection is a PPPoE connection, fast forwarding must be disabled on the VLAN interface in order to use policy-based routing, as follows:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1] undo ip fast-forwarding
1.10.2 Dual-WAN Access with China Telecom and China Netcom
This is currently the most popular topology for newly built networks: the user subscribes to one access link each from China Telecom and China Netcom, and routing is configured so that clients reach China Telecom servers over the China Telecom link and China Netcom servers over the China Netcom link. This greatly improves access speed for many network applications, and the two links back each other up, which also improves network reliability. The configuration is as follows:
1) MSR configuration method
Taking a China Telecom WAN connection with address 142.1.1.2/24 and gateway 142.1.1.1 and a China Netcom WAN connection with address 162.1.1.2/24 and gateway 162.1.1.1 as an example, the configuration is as follows:
1. Configure automatic detection groups to monitor the state of the WAN connections:
[H3C]nqa agent enable
[H3C]nqa entry wan1 1
[H3C-nqa-wan1-1]type icmp-echo
[H3C-nqa-wan1-1-icmp-echo]destination ip 142.1.1.1
[H3C-nqa-wan1-1-icmp-echo]next-hop 142.1.1.1
[H3C-nqa-wan1-1-icmp-echo]probe count 5
[H3C-nqa-wan1-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan1-1-icmp-echo]frequency 10000
[H3C-nqa-wan1-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C]nqa entry wan2 1
[H3C-nqa-wan2-1]type icmp-echo
[H3C-nqa-wan2-1-icmp-echo]destination ip 162.1.1.1
[H3C-nqa-wan2-1-icmp-echo]next-hop 162.1.1.1
[H3C-nqa-wan2-1-icmp-echo]frequency 10000
[H3C-nqa-wan2-1-icmp-echo]probe count 3
[H3C-nqa-wan2-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan2-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C-nqa-wan2-1-icmp-echo]quit
[H3C]nqa schedule wan1 1 start-time now lifetime forever
[H3C]nqa schedule wan2 1 start-time now lifetime forever
[H3C]track 1 nqa entry wan1 1 reaction 1
[H3C]track 2 nqa entry wan2 1 reaction 1
2. Configure default routes so that when either WAN link fails, traffic is forwarded over the other link:
[H3C]ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1 preference 60
[H3C]ip route-static 0.0.0.0 0.0.0.0 162.1.1.1 track 2 preference 100
3. Configure the China Netcom routing table (the China Netcom routing table has about 500 entries, so it is provided as an attachment):
Note: If the China Telecom or China Netcom link is a PPPoE link, simply change the corresponding route's next hop to Dialer0; in that case no association with automatic detection is needed.
2 Typical Configuration Examples
2.1 Typical Single-Uplink Configurations
This topology has only one uplink and is the most common case; the network topology is fairly simple. Typical configurations for several single-uplink topologies are given below.
2.1.1 PPPoE Dial-up Access
The network topology is shown in Figure 1: the MSR2010 connects to the ISP over a PPPoE dial-up link, the LAN address range is 192.168.1.0/24, and LAN hosts reach the Internet through NAT on the MSR2010. The configuration requirements are as follows:
1. Rate-limit the internal hosts to 512 kbps upstream and 1024 kbps downstream;
2. Enable the firewall to filter attack packets;
3. Enable ARP attack prevention and ARP binding to prevent ARP spoofing attacks;
4. Optimize the NAT entry aging times.
Figure 1 Single-uplink PPPoE dial-up access topology
[H3C]dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
firewall enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Dialer0
nat outbound
firewall packet-filter 3001 inbound
link-protocol ppp
ppp chap user test
ppp chap password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
ppp pap local-user test password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
tcp mss 1024
dialer user test
dialer-group 1
dialer bundle 1
#
interface Ethernet0/0
port link-mode route
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
firewall packet-filter 3003 inbound
#
interface Ethernet0/1
port link-mode bridge
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0
ip route-static 10.0.0.0 255.0.0.0 NULL 0 preference 60
ip route-static 169.254.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 172.16.0.0 255.240.0.0 NULL 0 preference 60
ip route-static 192.168.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 198.18.0.0 255.254.0.0 NULL 0 preference 60
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 218.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 218.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 218.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 218.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 218.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[H3C]
2.1.2 Ethernet Access with Private-Address Hosts
The network topology is shown in Figure 2: the MSR2010 connects to the ISP over the 142.1.1.0/24 subnet, the LAN address range is 192.168.1.0/24, and LAN hosts reach the Internet through NAT on the MSR2010. The configuration requirements are as follows:
1. Rate-limit the internal hosts to 512 kbps upstream and 1024 kbps downstream;
2. Enable the firewall to filter attack packets;
3. Enable ARP attack prevention and ARP binding to prevent ARP spoofing attacks;
4. Enable NAT on the WAN interface and optimize the NAT entry aging times.
Figure 2 Single-uplink topology with NAT translation
<H3C>dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
ip address 142.1.1.2 255.255.255.0
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
firewall packet-filter 3003 inbound
#
interface Ethernet0/1
port link-mode bridge
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1
ip route-static 10.0.0.0 255.0.0.0 NULL0
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 198.18.0.0 255.254.0.0 NULL0
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
2.1.3 Ethernet Access with Hosts on Public Addresses
The network topology is shown in Figure 2. The MSR2010 connects to the ISP over the 142.1.1.0/24 segment, and the LAN address range is 218.168.1.0/24; because the hosts already hold public addresses, only routing needs to be configured on the MSR2010 for them to reach the Internet. The configuration requirements are as follows:
1. Rate-limit the LAN hosts to 512 kbps upstream and 1024 kbps downstream;
2. Enable the firewall to filter attack packets;
3. Enable the ARP anti-attack and ARP binding functions to prevent ARP spoofing attacks;
Figure 3 Topology: single exit without NAT translation
<H3C>dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
firewall enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 218.168.1.2 to 218.168.1.254 per-address
qos carl 2 destination-ip-address range 218.168.1.1 to 218.168.1.254 per-address
#
acl number 3001 name WANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 350 deny ip destination 218.168.1.1 0
rule 1000 permit ip destination 218.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 218.168.1.0 0.0.0.255
rule 2000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
ip address 142.1.1.2 255.255.255.0
#
interface NULL0
#
interface Vlan-interface1
ip address 218.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
firewall packet-filter 3003 inbound
#
interface Ethernet0/1
port link-mode bridge
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1
ip route-static 10.0.0.0 255.0.0.0 NULL0
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 198.18.0.0 255.254.0.0 NULL0
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 218.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 218.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 218.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 218.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 218.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
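The inbound filter on Ethernet0/0 in this example depends entirely on the order of the ACL rules, so here is a small Python evaluator (an added example written for this page, not H3C code) that parses a verbatim subset of acl 3001 above and applies Comware's first-match semantics to constructed inbound packets. The port-name table, the TEST-NET-3 source addresses and the default-permit fall-through are assumptions noted in the code.

```python
"""First-match evaluation of a Comware advanced ACL (added example for section 2.1.3,
not code from the H3C guide). The rule text is a verbatim subset of acl 3001 WANDefend."""
import ipaddress
from dataclasses import dataclass

# Port keywords appearing in the guide's ACLs, with their IANA numbers.
PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
              "dns": 53, "telnet": 23, "bootps": 67}

# Subset of acl 3001 from section 2.1.3, rule ids and order exactly as on the page.
WAN_DEFEND_3001 = """\
rule 0 deny udp destination-port eq tftp
rule 8 deny tcp destination-port eq 445
rule 15 deny udp destination-port eq 1434
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 350 deny ip destination 218.168.1.1 0
rule 1000 permit ip destination 218.168.1.0 0.0.0.255
rule 2000 deny ip
"""

@dataclass
class Rule:
    rid: int
    action: str          # permit / deny
    proto: str           # ip, tcp, udp or icmp
    src: tuple = None    # (address, wildcard)
    dst: tuple = None
    sport: int = None
    dport: int = None
    icmp_type: str = None

def wildcard_match(addr, base, wildcard):
    """Comware wildcard mask: a 1 bit is ignored, a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)

def parse_rule(line):
    """Parse 'rule <id> permit|deny <proto> [source A W] [destination A W]
    [source-port eq P] [destination-port eq P] [icmp-type T]' into a Rule."""
    tok = line.split()
    rule, i = Rule(rid=int(tok[1]), action=tok[2], proto=tok[3]), 4
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            wc = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]   # "0" is host shorthand
            setattr(rule, "src" if key == "source" else "dst", (tok[i + 1], wc))
            i += 3
        elif key in ("source-port", "destination-port") and tok[i + 1] == "eq":
            port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            setattr(rule, "sport" if key == "source-port" else "dport", port)
            i += 3
        elif key == "icmp-type":
            rule.icmp_type = tok[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported syntax {key!r} in {line!r}")
    return rule

def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith("rule")]

def matches(rule, pkt):
    """Every field the rule specifies must agree with the packet."""
    return ((rule.proto == "ip" or rule.proto == pkt["proto"])
            and (rule.src is None or wildcard_match(pkt["src"], *rule.src))
            and (rule.dst is None or wildcard_match(pkt["dst"], *rule.dst))
            and (rule.sport is None or pkt.get("sport") == rule.sport)
            and (rule.dport is None or pkt.get("dport") == rule.dport)
            and (rule.icmp_type is None or pkt.get("icmp_type") == rule.icmp_type))

def evaluate(rules, pkt):
    """Rules are tried in ascending rule-id order and the first match decides.
    Nothing falls through while 'rule 2000 deny ip' is present; the None case models
    the device default of 'firewall default permit' (assumed, not shown on the page)."""
    for rule in sorted(rules, key=lambda r: r.rid):
        if matches(rule, pkt):
            return rule.action, rule.rid
    return "permit", None

# Constructed packets arriving inbound on Ethernet0/0; 203.0.113.0/24 is TEST-NET-3.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "218.168.1.5", "sport": 40000, "dport": 445},
    {"proto": "udp", "src": "203.0.113.53", "dst": "218.168.1.5", "sport": 53, "dport": 51000},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "218.168.1.1", "sport": 40001, "dport": 80},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "218.168.1.1", "sport": 40002, "dport": 23},
    {"proto": "icmp", "src": "203.0.113.9", "dst": "218.168.1.7", "icmp_type": "timestamp"},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "142.1.1.2", "sport": 40003, "dport": 80},
]

if __name__ == "__main__":
    acl = parse_acl(WAN_DEFEND_3001)
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], pkt["dst"], pkt.get("dport", pkt.get("icmp_type")), "->", evaluate(acl, pkt))
```

The fourth sample packet shows why order matters: rule 310 (permit telnet) is matched before rule 350 (deny traffic to the router's own address), so the later rule never sees it.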
2.2 Typical Dual-WAN Access Configurations
To obtain load sharing and link backup at the same time, users generally choose a dual-WAN access design. While both links are up the traffic is shared between them; when either link fails, all traffic is forwarded over the other link, providing dynamic backup. Configuration examples for two common topologies are given below.
2.2.1 MSR Dual Ethernet Link Access
The network topology is shown in Figure 4. The MSR2010 has two links to the same carrier: E0/0 is on network 142.1.1.0/30 and E0/1 on network 162.1.1.0/30. In normal operation traffic is sent out through both interfaces; when either link fails, all traffic is shifted to the other link. The configuration requirements are as follows:
1. Rate-limit the LAN hosts to 512 kbps upstream and 1024 kbps downstream;
2. Enable the firewall to filter attack packets;
3. Enable the ARP anti-attack and ARP binding functions to prevent ARP spoofing attacks;
4. Optimize the NAT entry aging time;
5. Enable automatic detection to monitor the state of the WAN connections;
6. Enable policy-based routing to load-share the traffic;
Figure 5 Topology: dual Ethernet link access
[H3C]dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
firewall enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WAN1Defend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3002 name WAN2Defend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
acl number 3200
rule 0 permit ip source 192.168.1.0 0.0.0.254
rule 1000 deny ip
acl number 3201
rule 0 permit ip source 192.168.1.1 0.0.0.254
rule 1000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
ip address 142.1.1.2 255.255.255.252
#
interface Ethernet0/1
port link-mode route
firewall packet-filter 3002 inbound
nat outbound
ip address 162.1.1.2 255.255.255.252
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
ip policy-based-route wan
firewall packet-filter 3003 inbound
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
nqa entry wan1 1
type icmp-echo
destination ip 142.1.1.1
frequency 10000
next-hop 142.1.1.1
probe count 5
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
nqa entry wan2 1
type icmp-echo
destination ip 162.1.1.1
frequency 10000
next-hop 162.1.1.1
probe count 3
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
policy-based-route wan permit node 1
if-match acl 3200
apply ip-address next-hop 142.1.1.1 track 1
policy-based-route wan permit node 2
if-match acl 3201
apply ip-address next-hop 162.1.1.1 track 2
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1
ip route-static 0.0.0.0 0.0.0.0 162.1.1.1 track 2 preference 100
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 198.18.0.0 255.254.0.0 NULL0
#
track 1 nqa entry wan1 1 reaction 1
track 2 nqa entry wan2 1 reaction 1
#
nqa schedule wan1 1 start-time now lifetime forever
nqa schedule wan2 1 start-time now lifetime forever
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[H3C]
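To make the load-sharing and failover behaviour of this configuration concrete, the following Python model (an added example, not code from the H3C guide) applies the odd/even source split of acl 3200/3201, the track-guarded PBR nodes and the two static default routes above to a LAN host under different link states. It assumes Comware's default static-route preference of 60 and that a PBR apply clause whose track object is down is skipped in favour of the routing table.

```python
"""Egress selection for the dual-WAN design of section 2.2.1 (added example, not from the guide)."""
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Comware wildcard mask: a 1 bit is ignored, a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)

# Nodes of "policy-based-route wan" from the page: (acl base, wildcard, next hop, track id).
PBR_NODES = [
    ("192.168.1.0", "0.0.0.254", "142.1.1.1", 1),   # node 1: if-match acl 3200 -> even hosts
    ("192.168.1.1", "0.0.0.254", "162.1.1.1", 2),   # node 2: if-match acl 3201 -> odd hosts
]
# Static default routes from the page: (next hop, track id, preference).
# Preference 60 for the first route is Comware's default value (assumed, not shown).
STATIC_DEFAULTS = [
    ("142.1.1.1", 1, 60),    # ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1
    ("162.1.1.1", 2, 100),   # ip route-static 0.0.0.0 0.0.0.0 162.1.1.1 track 2 preference 100
]

def pbr_node_for(src_ip):
    """Return (node number, next hop, track id) of the first node whose ACL matches."""
    for idx, (base, wc, nh, track) in enumerate(PBR_NODES, start=1):
        if wildcard_match(src_ip, base, wc):
            return idx, nh, track
    return None

def routing_table_next_hop(track_state):
    """Lowest-preference default route whose track object is up (Positive)."""
    live = [(pref, nh) for nh, track, pref in STATIC_DEFAULTS if track_state[track]]
    return min(live)[1] if live else None

def egress_next_hop(src_ip, track_state):
    """track_state maps track id -> True (up) / False (down).
    Modelled semantics (assumption): a PBR node whose next hop's track is down does
    not apply, and the packet falls back to the routing table."""
    node = pbr_node_for(src_ip)
    if node is not None and track_state[node[2]]:
        return node[1]
    return routing_table_next_hop(track_state)

def acl_partition_ok(prefix="192.168.1.0/24"):
    """Every LAN host must match exactly one of acl 3200 / acl 3201, so the two
    PBR nodes split the subnet without overlap or gaps."""
    for host in ipaddress.ip_network(prefix).hosts():
        hits = sum(wildcard_match(str(host), base, wc) for base, wc, _, _ in PBR_NODES)
        if hits != 1:
            return False
    return True

if __name__ == "__main__":
    print("acl 3200/3201 partition the LAN:", acl_partition_ok())
    for state in ({1: True, 2: True}, {1: False, 2: True}, {1: True, 2: False}, {1: False, 2: False}):
        for host in ("192.168.1.10", "192.168.1.11"):
            print(f"tracks={state} host={host} -> next hop {egress_next_hop(host, state)}")
```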
2.2.2 Ethernet Link + PPPoE Link Access
The network topology is shown in Figure 5. The MSR2010 has two links to the same carrier: E0/0 is an Ethernet link on network 142.1.1.0/30, and ETH0/1 connects to the ISP over PPPoE. In normal operation traffic is sent out through both interfaces; when either link fails, all traffic is shifted to the other link. The configuration requirements are as follows:
1. Rate-limit the LAN hosts to 512 kbps upstream and 1024 kbps downstream;
2. Enable the firewall to filter attack packets;
3. Enable the ARP anti-attack and ARP binding functions to prevent ARP spoofing attacks;
4. Optimize the NAT entry aging time;
5. Enable automatic detection to monitor the state of the WAN connections;
6. Enable policy-based routing to load-share the traffic;
Figure 6 Topology: Ethernet link + PPPoE link access
[H3C]dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
firewall enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WAN1Defend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3002 name WAN2Defend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
acl number 3200
rule 0 permit ip source 192.168.1.0 0.0.0.254
rule 1000 deny ip
acl number 3201
rule 0 permit ip source 192.168.1.1 0.0.0.254
rule 1000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Dialer0
nat outbound
firewall packet-filter 3002 inbound
link-protocol ppp
ppp chap user test
ppp chap password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
ppp pap local-user test password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
tcp mss 1024
dialer user test
dialer-group 1
dialer bundle 1
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
ip address 142.1.1.2 255.255.255.252
#
interface Ethernet0/1
port link-mode route
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
ip policy-based-route wan
firewall packet-filter 3003 inbound
undo ip fast-forwarding
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
nqa entry wan1 1
type icmp-echo
destination ip 142.1.1.1
frequency 10000
next-hop 142.1.1.1
probe count 5
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
policy-based-route wan permit node 1
if-match acl 3200
apply ip-address next-hop 142.1.1.1 track 1
policy-based-route wan permit node 2
if-match acl 3201
apply output-interface Dialer0
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1
ip route-static 0.0.0.0 0.0.0.0 Dialer0 preference 100
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 198.18.0.0 255.254.0.0 NULL0
#
track 1 nqa entry wan1 1 reaction 1
#
nqa schedule wan1 1 start-time now lifetime forever
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4
#
dialer-rule 1 ip permit
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[H3C]
2.2.3 China Telecom + China Netcom Dual Link Access
This is currently the most popular design for newly built networks. The user subscribes to one access link from China Telecom and one from China Netcom, and routing is configured so that clients reach Telecom servers over the Telecom link and Netcom servers over the Netcom link. This greatly improves access speed for many network applications, and because the two links back each other up, it also improves network reliability.
The network topology is shown in Figure 6: Ethernet port ETH0/0 of the MSR2010 connects to China Telecom on network 142.1.1.0/30, and Ethernet port ETH0/1 connects to China Netcom on network 162.1.1.0/30. The configuration requirements are as follows:
1. Rate-limit the LAN hosts to 512 kbps upstream and 1024 kbps downstream;
2. Enable the firewall to filter attack packets;
3. Enable the ARP anti-attack and ARP binding functions to prevent ARP spoofing attacks;
4. Optimize the NAT entry aging time;
5. Enable automatic detection to monitor the state of the WAN connections;
6. Configure static routes so that Netcom and Telecom traffic is separated automatically;
Figure 7 Topology: China Telecom + China Netcom dual link access
[H3C]dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
firewall enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WAN1Defend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3002 name WAN2Defend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
ip address 142.1.1.2 255.255.255.252
#
interface Ethernet0/1
port link-mode route
firewall packet-filter 3002 inbound
nat outbound
ip address 162.1.1.2 255.255.255.252
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
firewall packet-filter 3003 inbound
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
nqa entry wan1 1
type icmp-echo
destination ip 142.1.1.1
frequency 10000
next-hop 142.1.1.1
probe count 5
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
nqa entry wan2 1
type icmp-echo
destination ip 162.1.1.1
frequency 10000
next-hop 162.1.1.1
probe count 3
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 track 1
ip route-static 0.0.0.0 0.0.0.0 162.1.1.1 track 2 preference 100
ip route-static 58.14.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.16.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.17.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 58.18.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.21.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.30.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.42.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.43.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.44.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 58.58.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.59.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 58.87.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 58.100.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.116.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 58.128.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 58.144.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 58.192.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.194.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.196.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.200.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 58.240.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.242.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.244.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 58.248.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 59.51.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 59.51.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 59.64.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 59.68.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 59.72.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 59.74.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 59.76.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 59.77.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 59.78.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 59.108.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 59.192.0.0 255.192.0.0 162.1.1.1 track 2
ip route-static 60.0.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 60.8.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 60.10.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 60.11.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 60.12.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 60.13.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 60.13.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 60.14.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 60.16.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 60.24.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 60.28.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 60.30.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 60.31.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 60.200.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 60.204.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 60.208.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 60.216.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 60.218.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 60.220.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 60.232.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 60.255.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.45.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 61.48.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 61.133.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.134.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 61.134.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.135.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.136.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.137.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.138.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.138.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 61.139.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 61.148.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 61.156.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.158.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.159.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 61.161.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 61.161.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.162.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.163.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.167.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.168.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.176.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.179.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.180.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 61.181.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.182.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 61.189.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 125.32.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 125.80.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 125.88.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 125.210.224.0 255.255.255.0 162.1.1.1 track 2
ip route-static 134.196.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 162.105.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 166.111.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.83.122.0 255.255.255.0 162.1.1.1 track 2
ip route-static 192.83.169.0 255.255.255.0 162.1.1.1 track 2
ip route-static 192.124.154.0 255.255.255.0 162.1.1.1 track 2
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 192.188.170.0 255.255.255.0 162.1.1.1 track 2
ip route-static 198.17.7.0 255.255.255.0 162.1.1.1 track 2
ip route-static 198.18.0.0 255.254.0.0 NULL0
ip route-static 202.0.110.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.0.160.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.0.176.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.3.77.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.4.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.4.252.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.14.88.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.14.235.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.14.236.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.14.238.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.20.120.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.0.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.2.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.4.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.38.8.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.38.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.38.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.38.130.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.135.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.136.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.137.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.138.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.140.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.142.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.143.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.144.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.146.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.149.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.150.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.152.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.154.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.156.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.158.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.160.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.38.164.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.38.168.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.169.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.170.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.171.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.172.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.173.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.175.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.38.184.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.38.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.41.152.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.43.144.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.46.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.46.224.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.60.112.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.63.248.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.70.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.75.208.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.90.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.90.224.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.90.252.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.91.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.91.128.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.92.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.92.252.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.94.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.95.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.95.4.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.95.8.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.95.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.95.252.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.96.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.96.64.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.96.72.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.96.80.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.97.96.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.97.112.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.97.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.97.192.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.97.224.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.97.232.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.97.240.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.98.0.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.98.8.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.98.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.99.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.99.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.99.96.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.104.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.112.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.99.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.99.160.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.168.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.176.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.99.192.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.200.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.208.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.99.224.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.232.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.99.240.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.102.128.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.102.136.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.102.144.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.102.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.102.224.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.102.232.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.102.240.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.106.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 202.107.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.108.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 202.110.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.110.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.111.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.111.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.112.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 202.113.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.113.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.113.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.113.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.113.192.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.113.224.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.113.240.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.114.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.114.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.114.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.114.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.115.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.115.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.115.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.116.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.116.32.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.116.48.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.116.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.117.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.117.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.117.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.118.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.118.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.118.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.118.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.119.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.119.64.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.119.80.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.119.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.119.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.120.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.120.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 202.120.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 202.121.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 202.122.0.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.122.112.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.122.128.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.123.96.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.127.2.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.127.4.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.127.5.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.127.6.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.127.40.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.127.128.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.127.192.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.127.194.0 255.255.254.0 162.1.1.1 track 2
ip route-static 202.127.196.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.127.208.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.127.209.0 255.255.255.0 162.1.1.1 track 2
ip route-static 202.127.212.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.127.216.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.127.224.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.130.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.130.224.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.131.48.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.136.48.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.136.208.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.136.224.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.136.252.0 255.255.252.0 162.1.1.1 track 2
ip route-static 202.142.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.149.224.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.150.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.152.176.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.158.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.165.96.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.168.160.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.168.176.0 255.255.240.0 162.1.1.1 track 2
ip route-static 202.170.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.173.8.0 255.255.248.0 162.1.1.1 track 2
ip route-static 202.180.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 202.192.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 202.200.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 202.204.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 203.79.0.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.81.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.86.64.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.86.80.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.88.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.89.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 203.90.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 203.91.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.91.96.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.92.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 203.94.0.0 255.255.252.0 162.1.1.1 track 2
ip route-static 203.94.4.0 255.255.252.0 162.1.1.1 track 2
ip route-static 203.94.8.0 255.255.248.0 162.1.1.1 track 2
ip route-static 203.94.16.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.95.96.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.100.32.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.100.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.119.24.0 255.255.248.0 162.1.1.1 track 2
ip route-static 203.128.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.130.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.132.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.134.240.0 255.255.248.0 162.1.1.1 track 2
ip route-static 203.135.96.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.135.160.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.187.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.191.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 203.192.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 203.196.0.0 255.255.248.0 162.1.1.1 track 2
ip route-static 203.207.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 203.207.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 203.208.0.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.212.0.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.222.192.0 255.255.240.0 162.1.1.1 track 2
ip route-static 203.223.0.0 255.255.240.0 162.1.1.1 track 2
ip route-static 210.2.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.12.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.12.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.12.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.12.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.13.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.13.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.13.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 210.14.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.14.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.14.192.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.14.224.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.15.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.15.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.15.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.15.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.15.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.16.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.21.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 210.22.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 210.25.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 210.26.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 210.28.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 210.32.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 210.36.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 210.40.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 210.51.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 210.52.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 210.56.192.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.72.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 210.72.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.72.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.73.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.74.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.74.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.74.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.74.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.74.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.76.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.76.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 210.77.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 210.78.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.78.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.78.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.78.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.78.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.78.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.79.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 210.79.224.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.82.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 210.87.128.0 255.255.240.0 162.1.1.1 track 2
ip route-static 210.87.144.0 255.255.240.0 162.1.1.1 track 2
ip route-static 210.87.160.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.192.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 210.211.0.0 255.255.240.0 162.1.1.1 track 2
ip route-static 211.64.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 211.68.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.70.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.80.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.81.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.82.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.83.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.84.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.86.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.90.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.92.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.94.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.96.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.98.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.100.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.101.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 211.101.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 211.101.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 211.102.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.103.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 211.103.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 211.136.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 211.140.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.142.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 211.142.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 211.143.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.144.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 211.147.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 211.152.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 211.160.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 211.164.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.7.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.8.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.12.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.21.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 218.24.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.28.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 218.56.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.60.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 218.62.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 218.67.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 218.68.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 218.104.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.108.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.109.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.192.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.193.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.194.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.195.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 218.196.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.200.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.204.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 218.206.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 218.240.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 218.246.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.82.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 219.142.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.154.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.156.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.158.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 219.158.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 219.159.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 219.216.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.218.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.220.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 219.221.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 219.222.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.224.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.226.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 219.227.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 219.228.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.230.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.232.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 219.236.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.238.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.242.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 219.244.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 220.101.192.0 255.255.192.0 162.1.1.1 track 2
ip route-static 220.192.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 220.194.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 220.196.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 220.200.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 220.231.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 220.231.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 220.232.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 220.248.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 221.0.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.2.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.3.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.3.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.4.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.5.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.5.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.6.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.7.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.7.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.7.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.7.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.7.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.8.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.10.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.11.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.11.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 221.11.192.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.12.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.12.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 221.13.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 221.13.64.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.13.96.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.13.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.14.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.130.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.172.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 221.176.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 221.192.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.194.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.195.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.196.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.198.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.199.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 221.199.32.0 255.255.240.0 162.1.1.1 track 2
ip route-static 221.199.128.0 255.255.192.0 162.1.1.1 track 2
ip route-static 221.200.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 221.204.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.206.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.207.0.0 255.255.192.0 162.1.1.1 track 2
ip route-static 221.207.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 221.207.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 221.208.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 221.212.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.213.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 221.214.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 221.216.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 222.16.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.18.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.20.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.22.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.23.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.24.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.26.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.28.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 222.32.0.0 255.224.0.0 162.1.1.1 track 2
ip route-static 222.125.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.128.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 222.132.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 222.136.0.0 255.248.0.0 162.1.1.1 track 2
ip route-static 222.160.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.162.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.163.0.0 255.255.224.0 162.1.1.1 track 2
ip route-static 222.163.32.0 255.255.224.0 162.1.1.1 track 2
ip route-static 222.163.64.0 255.255.192.0 162.1.1.1 track 2
ip route-static 222.163.128.0 255.255.128.0 162.1.1.1 track 2
ip route-static 222.192.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 222.196.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.198.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.199.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.200.0.0 255.252.0.0 162.1.1.1 track 2
ip route-static 222.204.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.206.0.0 255.254.0.0 162.1.1.1 track 2
ip route-static 222.248.0.0 255.255.0.0 162.1.1.1 track 2
ip route-static 222.249.0.0 255.255.128.0 162.1.1.1 track 2
ip route-static 222.249.128.0 255.255.224.0 162.1.1.1 track 2
ip route-static 222.249.160.0 255.255.240.0 162.1.1.1 track 2
ip route-static 222.249.176.0 255.255.240.0 162.1.1.1 track 2
ip route-static 222.249.192.0 255.255.192.0 162.1.1.1 track 2
#
track 1 nqa entry wan1 1 reaction 1
track 2 nqa entry wan2 1 reaction 1
#
nqa schedule wan1 1 start-time now lifetime forever
nqa schedule wan2 1 start-time now lifetime forever
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[H3C]
2.3 Internal server access
Most enterprises today run application servers on the internal network, such as WWW, database and mail servers. Enabling NAT internal server mapping (nat server) on the gateway lets users on the Internet reach these servers. A problem often seen with this setup is that PCs on the Internet reach the internal server normally, while internal PCs cannot reach it by its domain name or by its public address. The cause is that the gateway performs no address translation for traffic that arrives on the LAN interface addressed to the server's public address (hairpin, or reflexive, NAT): the server sees the client's real LAN address and answers it directly instead of through the gateway, so the client receives a reply from a private address it never connected to and discards it. Enabling NAT outbound on the internal interface for LAN-to-LAN traffic, as in the configuration below, makes the gateway rewrite the source address as well, so the reply returns through the gateway. The typical network is as follows:
Configuration requirements:
1. The MSR connects to the Internet over a single Ethernet link;
2. A WWW server and an SMTP server exist on the internal network, and external PCs must be able to reach them by domain name;
3. Internal hosts must be able to reach the internal servers by domain name or by the public address.
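The following Python script is an added example for this guide, not part of the original and not H3C code. It reads a Comware V5 style configuration and checks the nat server setup for the problems this section is about: a server whose inside address is really one of the gateway's own addresses, a global address that is the default-route next hop (the ISP router) rather than an address this gateway receives traffic for, and a LAN interface with no nat outbound, which is the missing hairpin translation described above. The parser covers only the commands it needs, and the sample it runs on is a constructed, abridged copy of the addressing used in the configuration that follows.

```python
"""Lint a Comware V5 style configuration for the 'nat server' pitfalls this
section describes.  Added example for this guide, not H3C code; the parser
handles only the commands it needs and does not inspect the ACL referenced
by 'nat outbound', it only checks that the command is present."""
import ipaddress
import re

# Constructed sample: an abridged copy of the addressing in the section's
# own example configuration.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 port link-mode route
 firewall packet-filter 3001 inbound
 nat outbound
 nat server protocol tcp global 142.1.1.1 www inside 192.168.1.1 www
 nat server protocol tcp global 142.1.1.1 smtp inside 192.168.1.2 smtp
 ip address 142.1.1.2 255.255.255.0
#
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
 nat outbound 3200
 firewall packet-filter 3003 inbound
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1
"""

NAT_SERVER = re.compile(
    r"nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)")


def parse(config):
    """Return ({interface: {addr, nat_outbound, servers}}, default next hop)."""
    ifaces, default_nh, cur = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"addr": None, "nat_outbound": False, "servers": []}
        elif line == "#":
            cur = None                       # end of the interface block
        elif cur and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4:              # 'ip address A.B.C.D MASK'
                ifaces[cur]["addr"] = ipaddress.ip_interface(
                    f"{parts[2]}/{parts[3]}")
        elif cur and line.startswith("nat outbound"):
            ifaces[cur]["nat_outbound"] = True
        elif cur and line.startswith("nat server "):
            m = NAT_SERVER.match(line)
            if m:
                ifaces[cur]["servers"].append(m.groups())
        elif line.startswith("ip route-static 0.0.0.0 0.0.0.0 "):
            default_nh = ipaddress.ip_address(line.split()[4])
    return ifaces, default_nh


def lint(config):
    """Return a list of findings; empty when the nat server setup is sound."""
    ifaces, default_nh = parse(config)
    owned = {d["addr"].ip: n for n, d in ifaces.items() if d["addr"]}
    findings = []

    def report(msg):
        if msg not in findings:
            findings.append(msg)

    for wan, d in ifaces.items():
        for proto, glob, gport, inside, iport in d["servers"]:
            g, i = ipaddress.ip_address(glob), ipaddress.ip_address(inside)
            # 1. The inside address must be a server host, not the gateway.
            if i in owned:
                report(f"{wan}: inside address {inside} is the address of "
                       f"{owned[i]}; the server needs its own host address")
            # 2. The gateway must actually receive packets for the global
            #    address; the default-route next hop is the ISP router.
            if default_nh is not None and g == default_nh:
                report(f"{wan}: global address {glob} is the default-route "
                       f"next hop, so packets for it never reach this gateway")
            # 3. Hairpin: LAN clients reaching glob:gport enter and leave on
            #    the LAN interface.  Without 'nat outbound' there the server
            #    replies to the client's real address, bypassing the gateway.
            lan = next((n for n, e in ifaces.items()
                        if e["addr"] and i in e["addr"].network), None)
            if lan is None:
                report(f"{wan}: inside address {inside} is not on any "
                       f"directly connected interface")
            elif not ifaces[lan]["nat_outbound"]:
                report(f"{lan}: no 'nat outbound' on the LAN interface, so "
                       f"LAN hosts cannot reach {glob} {proto}/{gport}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports the two addressing problems visible in the example below (inside address 192.168.1.1 colliding with Vlan-interface1, and global address 142.1.1.1 being the next hop) and is silent on the hairpin check, because Vlan-interface1 does carry nat outbound. Removing that line from the sample turns the hairpin finding on.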
Note that in this example the inside address of the WWW server (192.168.1.1) is also the Vlan-interface1 address, and the global address 142.1.1.1 is the default-route next hop; in a real deployment give the server its own LAN address and use a global address that the ISP routes to this gateway, such as the WAN interface address.
The typical configuration is as follows:
<H3C>dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
acl number 3200
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
nat server protocol tcp global 142.1.1.1 www inside 192.168.1.1 www
nat server protocol tcp global 142.1.1.1 smtp inside 192.168.1.2 smtp
ip address 142.1.1.2 255.255.255.0
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
nat outbound 3200
firewall packet-filter 3003 inbound
#
interface Ethernet0/1
port link-mode bridge
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1
ip route-static 10.0.0.0 255.0.0.0 NULL0
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 198.18.0.0 255.254.0.0 NULL0
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#