PPPOE拨号上网

interface GigabitEthernet0/0/0

pppoe-client dial-bundle-number 1

[Huawei]dis pppoe-client session summary

PPPoE Client Session:

ID Bundle Dialer Intf Client-MAC Server-MAC State

0 1 1 GE0/0/0 00e0fcf46c30 000000000000 up

[Huawei]interface Dialer 1

[Huawei-Dialer1]tcp adjust-mss 1200

[Huawei-Dialer1]mtu 1492

配置pppoe dns主备

[Huawei-Dialer1]ppp ipcp dns request

[Huawei-Dialer1]ppp ipcp dns admit-any

在拨号接口下查看/或/在出接口和进接口配置nat

[Huawei-Dialer1]di th

[V200R003C00]

interface Dialer1

link-protocol ppp

ppp ipcp dns admit-any

ppp ipcp dns request

mtu 1492

tcp adjust-mss 1200

ip address 202.100.1.254 255.255.255.252

nat static global 202.100.1.251 inside 192.168.10.10 netmask 255.255.255.255

nat static enable

配置pppoe 静态路由

[Huawei]ip route-static 0.0.0.0 0.0.0.0 Dialer 1

NAT映射

[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10 静态nat

[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123 nat服务

ACL访问控制列表

acl对流量的应用对路由表的应用

<华为的acl在流量进行匹配时，最后一行隐含允许所有流量通过permit any><思科最后一行隐含拒绝所有流量通过deny any>

acl规则序号<0-4294967294>

标准ACL范围：2000 2999 源IP地址

[Huawei]acl 2000

[Huawei-acl-basic-2000]rule 5 deny/permit<允许或拒绝> source 192.168.1.10 0.0.0.255 反掩码<通配符> 0 是单独特定一台主机

[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 2000 拒绝了192.168.10这个地址通过

[Huawei-GigabitEthernet0/0/2]dis acl 2000 查看决绝的ip

[Huawei-acl-basic-2000]rule 6 permit

[Huawei-acl-basic-2000]dis this

[V200R003C00]

acl number 2000

rule 5 deny source 10.10.10.10 0

rule 6 permit 等同允许了所有

高级ACL范围：3000 3999 源IP地址目的IP地址源端口目的端口

[Huawei-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0 destination-port eq 21

[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0

[Huawei-acl-adv-3000]rule permit ip

[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000

IPSEC VPN 虚拟私有网络

ESP:安全协议 IKE：秘钥协商

3.1 路由最重要！

加解密点

a.到达对端加解密点<直连>

b.到达本端的通信点<直连>

c.到达对端的同信点<静态默认路由>

3.2IPSEC的SPD（acl), 提议（proposal）和IPSEC策略

AR1

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN 描述

[Huawei-acl-adv-3000]rule 10 permi ip source 10.10.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

AR2

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN 描述

[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

AR1

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

ipsec proposal sjw

esp authentication-algorithm sha1

AR2

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

ipsec proposal sjw

esp authentication-algorithm sha1

AR1

[Huawei]ipsec policy song-vpn 10 manual

[Huawei-ipsec-policy-manual-song-10]security acl 3000

[Huawei-ipsec-policy-manual-song-10]proposal vpn

[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.1 隧道

[Huawei-ipsec-policy-manual-song-10]tunnel local 10.1.2.254 隧道

[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 54321

[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 12345

[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei

[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei

AR2

[Huawei]ipsec policy song 10 manual

[Huawei-ipsec-policy-manual-song-10] security acl 3000

[Huawei-ipsec-policy-manual-song-10] tunnel local 10.1.2.1 隧道

[Huawei-ipsec-policy-manual-song-10] tunnel remote 10.1.2.254 隧道

[Huawei-ipsec-policy-manual-song-10] sa spi inbound esp 54321

[Huawei-ipsec-policy-manual-song-10] sa string-key inbound esp simple huawei

[Huawei-ipsec-policy-manual-song-10] sa spi outbound esp 12354

[Huawei-ipsec-policy-manual-song-10] sa string-key outbound esp simple huawei

3.2出接口应用

[Huawei-Dialer1]ipsec policy sjw-vpn

[Huawei-GigabitEthernet0/0/0]ipsec policy sjw-vpn

[Huawei]dis ipsec sa

VRRP双主热备

sw3：划vlan 10 20

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]port default vlan 10

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]port default vlan 20

配置中继trunk

[Huawei-GigabitEthernet0/0/2]int g0/0/1

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20

[Huawei-GigabitEthernet0/0/2]int g0/0/2

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20

sw1:划vlan 10 20

[Huawei]int Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.10 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei-GigabitEthernet0/0/1]port link-type trunk

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

sw2:划vlan 10 20

[Huawei]int Vlanif 10

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.20 24

[Huawei-GigabitEthernet0/0/2]port link-type trunk

[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

AR1路由器

[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24

[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24

[Huawei-GigabitEthernet0/0/2]int loo 0

[Huawei-LoopBack0]ip address 1.1.1.1 24

写路由优先级

[Huawei]ip route-static 192.168.10.0 24 11.0.0.1 默认是60

[Huawei]ip route-static 192.168.10.0 24 12.0.0.2 preference 70

[Huawei]ip route-static 192.168.20.0 24 12.0.0.1 默认是60

[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70

sw1

[Huawei]ip route-static 1.1.1.0 24 11.0.0.2

sw1

[Huawei-Vlanif100]ip address 11.0.0.1 24

[Huawei-port-group-d]port link-type access

[Huawei-port-group-d]port default vlan 100

sw2

[Huawei]ip route-static 1.1.1.0 24 12.0.0.2

sw2

[Huawei-Vlanif100]ip address 12.0.0.1 24

[Huawei-GigabitEthernet0/0/24]port link-type access

[Huawei-GigabitEthernet0/0/24]port default vlan 100

在核心sw1做vrrp

主

[Huawei]int Vlanif 10

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1

[Huawei-Vlanif10]vrrp vrid 1 priority 120 端扣down掉默认会减10 所以备的不能排至110应该是115,115比120小主的坏掉默认就走备的

[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24 追踪上行端口

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1 追踪下行端口

备

[Huawei-Vlanif10]vrrp vrid 1virtual-ip192.168.10.1

[Huawei-Vlanif10]vrrp vrid1 priority115

备的不用配置抢占，也不用配置跟踪端口，因为主的已经配置了

在核心sw2做vrrp

主

[Huawei]int Vlanif 20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2

抢占和优先级可以不配，【优先级默认是100】，备的配置优先级数字90就可以

备

interface Vlanif20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 priority 95

HCDA 协议配置

VRRP双主热备

你可能感兴趣的:(HCDA 协议配置)