PPPOE拨号上网

 interface GigabitEthernet0/0/0

 pppoe-client dial-bundle-number 1

[Huawei]dis pppoe-client session summary                    

PPPoE Client Session:

ID   Bundle  Dialer         Intf             Client-MAC       Server-MAC         State

0    1              1          GE0/0/0          00e0fcf46c30    000000000000     up 

[Huawei]interface Dialer 1

[Huawei-Dialer1]tcp adjust-mss 1200

[Huawei-Dialer1]mtu 1492

配置pppoe dns主备

[Huawei-Dialer1]ppp ipcp dns request

[Huawei-Dialer1]ppp ipcp dns admit-any

在拨号接口下查看/或/在出接口和进接口配置nat

[Huawei-Dialer1]di th

[V200R003C00]

#

interface Dialer1

 link-protocol ppp

 ppp ipcp dns admit-any

 ppp ipcp dns request

 mtu 1492

 tcp adjust-mss 1200

 ip address 202.100.1.254 255.255.255.252

 nat static global 202.100.1.251 inside 192.168.10.10 netmask 255.255.255.255

 nat static enable

配置pppoe 静态路由

[Huawei]ip route-static 0.0.0.0 0.0.0.0 Dialer 1 

NAT映射

[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10  静态nat

[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123  nat服务

ACL访问控制列表

acl对流量的应用  对路由表的应用

<华为的acl在流量进行匹配时，最后一行隐含允许所有流量通过permit  any><思科最后一行隐含拒绝所有流量通过deny  any>

acl规则序号<0-4294967294>

标准ACL范围：2000 2999       源IP地址

[Huawei]acl 2000

[Huawei-acl-basic-2000]rule 5 deny/permit<允许或拒绝> source 192.168.1.10  0.0.0.255 反掩码<通配符> 0 是单独特定一台主机

[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 2000  拒绝了192.168.10这个地址通过

[Huawei-GigabitEthernet0/0/2]dis acl 2000  查看决绝的ip

[Huawei-acl-basic-2000]rule 6  permit

[Huawei-acl-basic-2000]dis this

[V200R003C00]

#

acl number 2000 

 rule 5 deny source 10.10.10.10 0

 rule 6 permit    等同允许了所有

高级ACL范围：3000 3999       源IP地址  目的IP地址   源端口  目的端口

[Huawei-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0 destination-port eq 21

[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2  0.0.0.0

[Huawei-acl-adv-3000]rule permit ip

[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000

IPSEC VPN 虚拟私有网络

ESP:安全协议  IKE：秘钥协商

3.1 路由最重要！

加解密点

a.到达对端加解密点<直连>

b.到达本端的通信点<直连>

c.到达对端的同信点<静态默认路由>

3.2IPSEC的SPD（acl), 提议（proposal）和IPSEC策略

AR1

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN  描述

[Huawei-acl-adv-3000]rule 10 permi ip source 10.10.10.0  0.0.0.255 destination 10.1.2.0  0.0.0.255

AR2

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN  描述

[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0  0.0.0.255 destination 10.10.10.0  0.0.0.255

AR1

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1      <authentication-algorithm / encryption-algorithm 认证和加密算法>

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

#

ipsec proposal sjw

esp authentication-algorithm sha1

AR2

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1      <authentication-algorithm / encryption-algorithm 认证和加密算法>

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

#

ipsec proposal sjw

esp authentication-algorithm sha1

AR1

[Huawei]ipsec policy song-vpn 10 manual

[Huawei-ipsec-policy-manual-song-10]security acl 3000

[Huawei-ipsec-policy-manual-song-10]proposal  vpn

[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.1            隧道

[Huawei-ipsec-policy-manual-song-10]tunnel local    10.1.2.254        隧道

[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 54321

[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 12345

[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei

[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei

AR2

[Huawei]ipsec policy song 10 manual

[Huawei-ipsec-policy-manual-song-10] security acl 3000

[Huawei-ipsec-policy-manual-song-10] tunnel local 10.1.2.1                    隧道

[Huawei-ipsec-policy-manual-song-10] tunnel remote 10.1.2.254            隧道

[Huawei-ipsec-policy-manual-song-10] sa spi inbound esp 54321

[Huawei-ipsec-policy-manual-song-10] sa string-key inbound esp simple huawei

[Huawei-ipsec-policy-manual-song-10] sa spi outbound esp 12354

[Huawei-ipsec-policy-manual-song-10] sa string-key outbound esp simple huawei

3.2出接口应用

[Huawei-Dialer1]ipsec policy sjw-vpn

[Huawei-GigabitEthernet0/0/0]ipsec policy sjw-vpn

[Huawei]dis ipsec sa

VRRP双主热备

sw3：划vlan 10 20

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]port default vlan 10

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]port default vlan 20

配置中继trunk

[Huawei-GigabitEthernet0/0/2]int g0/0/1

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20

[Huawei-GigabitEthernet0/0/2]int g0/0/2

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20

sw1:划vlan 10  20

[Huawei]int Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.10 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei-GigabitEthernet0/0/1]port link-type trunk

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

sw2:划vlan 10  20

[Huawei]int Vlanif 10

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.20 24

[Huawei-GigabitEthernet0/0/2]port link-type trunk

[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

AR1路由器

[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24

[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24

[Huawei-GigabitEthernet0/0/2]int loo 0

[Huawei-LoopBack0]ip address 1.1.1.1 24

写路由优先级

[Huawei]ip route-static 192.168.10.0 24 11.0.0.1  默认是60

[Huawei]ip route-static 192.168.10.0 24 12.0.0.2 preference 70

[Huawei]ip route-static 192.168.20.0 24 12.0.0.1  默认是60

[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70

sw1

[Huawei]ip route-static 1.1.1.0 24 11.0.0.2

sw1

[Huawei-Vlanif100]ip address 11.0.0.1 24

[Huawei-port-group-d]port link-type access

[Huawei-port-group-d]port default vlan 100

sw2

[Huawei]ip route-static 1.1.1.0 24 12.0.0.2

sw2

[Huawei-Vlanif100]ip address 12.0.0.1 24

[Huawei-GigabitEthernet0/0/24]port link-type access

[Huawei-GigabitEthernet0/0/24]port default vlan 100

在核心sw1做vrrp

主

[Huawei]int Vlanif 10

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1

[Huawei-Vlanif10]vrrp vrid 1 priority 120 端扣down掉默认会减10 所以备的不能排至110应该是115,115比120小主的坏掉默认就走备的

[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24   追踪上行端口

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1            追踪下行端口

备

[Huawei-Vlanif10]vrrp vrid 1virtual-ip192.168.10.1

[Huawei-Vlanif10]vrrp vrid1 priority115

备的不用配置抢占，也不用配置跟踪端口，因为主的已经配置了

 在核心sw2做vrrp

主

[Huawei]int Vlanif 20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2

抢占和优先级可以不配，【优先级默认是100】，备的配置优先级数字90就可以

备

interface Vlanif20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 priority 95