H3C MSR3020 Router NQA Configuration Example

Networking requirements:

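The company has three broadband connections, two of them dial-up ADSL and one a fixed-IP leased line, to provide Internet access. Computers in different departments are placed in different VLANs, and policy-based routing sends each department out through a different line to reach external networks. The three broadband links are also tied together for failover: when one of them fails, traffic automatically switches to another line, and it switches back automatically once the connection recovers.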


The network diagram is as follows:

[Figure: network diagram]

Main configuration of the MSR router:

#
 version 7.1.059, Release 0306P81
#
 sysname CORE-RT01
#
 telnet server enable
#
 qos carl 1 source-ip-address range 192.168.61.1 to 192.168.61.253 per-address  #QoS rate limiting
 qos carl 2 source-ip-address range 192.168.11.1 to 192.168.11.253 per-address #Same as above, but the actual effect is not ideal; a dedicated traffic-control device is recommended
#
 port-security enable
#
 dialer-group 1 rule ip permit
 dialer-group 2 rule ip permit
#
 dhcp enable
#
 dns proxy enable
#
 password-recovery enable
#
vlan 1
#
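policy-based-route wan permit node 1   #Policy-based routing configuration
 if-match acl 3000   #Keeps traffic between internal subnets from matching the policy route and being sent out, which would disrupt normal communication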
#
policy-based-route wan permit node 2
 if-match acl 2000
 apply default-next-hop 14.XXX.XXX.888 track 1
#
policy-based-route wan permit node 3
 if-match acl 2001
 apply output-interface Dialer1
#
policy-based-route wan permit node 4
 if-match acl 2002
 apply output-interface Dialer2
#
policy-based-route wan permit node 5    #An empty node must be added at the end of the policy route to let all other traffic through
#
nqa entry wan1 1        #NQA configuration
 type icmp-echo
  destination ip 14.XXX.XXX.888   #Gateway address
  frequency 10000
  next-hop ip 14.XXX.XXX.888    #Gateway address
  probe count 5
  probe timeout 1000
  reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
 nqa schedule wan1 1 start-time now lifetime forever  #Schedule the test group: start now and run forever
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Dialer1      #ADSL line 1
 description INT ADSL 100M
 mtu 1492
 ppp chap password cipher $c$3$vKmoKSbbB8XKfxtafJ785ifLNBk/Oo1YHmud
 ppp chap user xxxxxx@163.gd
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user xxxxxx@163.gd password cipher $c$3$beaDKJmpTvuChge0eU8J1Bj0T+JpG8aUUMlZ
 dialer bundle enable
 dialer-group 1
 ip address ppp-negotiate
 tcp mss 1024
 nat outbound 2003
#
interface Dialer2    #ADSL line 2
 description CAIWU ADSL 100M
 mtu 1492
 ppp chap password cipher $c$3$4qsrevZ+kIoKDuF3zwCvpmucdqAEDN5S43CL
 ppp chap user xxxxxx@163.gd
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user xxxxxx@163.gd password cipher $c$3$c2+0dxIWmqO7FqnD72dYCvGXSrXh0+b/R4/I
 dialer bundle enable
 dialer-group 2
 dialer timer idle 0     #Note: this parameter must be added when dialing over multiple ADSL lines; the commands differ between MSR version 7.0 and 5.0
 ip address ppp-negotiate
 tcp mss 1024
 nat outbound 2003
#
interface NULL0
#
interface GigabitEthernet0/0   #Connects to the switch
 port link-mode route
 description LAN link to HW-CORE-SW
 combo enable copper
 ip address 192.168.201.1 255.255.255.0
 packet-filter 2017 inbound
 qos car inbound carl 1 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass
 qos car inbound carl 2 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass
 nat hairpin enable   #Lets internal clients reach internal servers through the public address
 ip policy-based-route wan  #Apply the policy route on the internal-facing interface
#
interface GigabitEthernet0/1
 port link-mode route
 tcp mss 1024
#
interface GigabitEthernet0/2
 port link-mode route
 description WAN 10M DSL
 ip address 14.xxx.xxx.xxx 255.255.255.252
 tcp mss 1024
 nat outbound 2003
 nat server protocol tcp global current-interface 21 inside 192.168.10.14 21  #Port mappings for the relevant services
 nat server protocol tcp global current-interface 25 inside 192.168.10.168 25
 nat server protocol tcp global current-interface 80 inside 192.168.10.14 80
 nat server protocol tcp global current-interface 110 inside 192.168.10.168 110
 nat server protocol tcp global current-interface 143 inside 192.168.10.168 143
 nat server protocol tcp global current-interface 5580 inside 192.168.10.14 8088
 nat server protocol tcp global current-interface 5581 inside 192.168.10.14 8081
#
interface GigabitEthernet6/0
 port link-mode route
 description WAN INT ADSL 100M
 nat outbound 2003
 pppoe-client dial-bundle-number 1
#
interface GigabitEthernet6/1
 port link-mode route
 description WAN CAIWU ADSL 100M
 nat outbound 2003
 pppoe-client dial-bundle-number 2
#
interface GigabitEthernet6/7
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/2
 port link-mode bridge
#
interface GigabitEthernet6/3
 port link-mode bridge
#              
interface GigabitEthernet6/4
 port link-mode bridge
#
interface GigabitEthernet6/5
 port link-mode bridge
#
interface GigabitEthernet6/6
 port link-mode bridge
 combo enable copper
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 15
 authentication-mode scheme
 user-role network-admin
#
line vty 16 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 14.XXX.XXX.888 track 1  #Default route pointing to the next-hop gateway
 ip route-static 0.0.0.0 0 Dialer1 preference 100
 ip route-static 0.0.0.0 0 Dialer2 preference 120
 ip route-static 192.168.10.0 24 192.168.201.254
 ip route-static 192.168.11.0 24 192.168.201.254
 ip route-static 192.168.16.0 24 192.168.201.254
 ip route-static 192.168.18.0 24 192.168.201.254
 ip route-static 192.168.61.0 24 192.168.201.254
#
acl basic 2000
 rule 0 permit source 192.168.10.0 0.0.0.255
 rule 1 permit source 192.168.11.0 0.0.0.255
 rule 2 permit source 192.168.18.0 0.0.0.255
#
acl basic 2001
 rule 0 permit source 192.168.61.0 0.0.0.255
#
acl basic 2002
 rule 0 permit source 192.168.16.0 0.0.0.255
#
acl basic 2003
 rule 0 permit
#

acl basic 2017                             #Block certain IPs from accessing the Internet
 description Deny ip link to Internet
 rule 0 deny source 192.168.10.23 0
 rule 1 deny source 192.168.10.5 0
 rule 2 deny source 192.168.10.7 0
 rule 199 permit
#
acl advanced 3000
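 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255  #Added ACL so that traffic between internal subnets does not match the policy route and get sent out, which would disrupt normal communication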
#
domain system
#
 domain default enable system
#
user-group system
#              
local-user admin class manage
 password hash $h$6$ROvXv3DjylL9HE6p$53Ib+gCLOkKDY58w+mO03hy0xqy8rQS5xAsuX1HyJFGpPF0EYjxg/8CPhmUWIs4NrNWKM78PWr6QckQj98RdjQ==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
 track 1 nqa entry wan1 1 reaction 1   #Associate track 1 with NQA reaction 1
#
return


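Note: the colored text above marks the key configuration points. For cost reasons, some companies choose ADSL access as a backup link. If there are multiple fixed-IP broadband links, simply set up multiple NQA entries; the configuration is similar. These are my working notes.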
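
An added example, not part of the original post or of any H3C tooling: a Python check that the failover chain this configuration relies on (nqa entry, nqa schedule, track, and the `track N` references on `ip route-static` and `apply` lines) is intact, because a track that is never defined or an NQA entry that is never scheduled means the link is not being probed. The sample config is constructed and uses documentation addresses in place of the masked gateway; the function name `audit_failover` is hypothetical, and inline `#` notes are stripped because the post annotates commands that way.

```python
import re

# Constructed sample (documentation IPs); fault: track 2 is used but never defined.
SAMPLE = """\
nqa entry wan1 1
 type icmp-echo
  destination ip 192.0.2.1
  reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
 nqa schedule wan1 1 start-time now lifetime forever
#
policy-based-route wan permit node 2
 if-match acl 2000
 apply default-next-hop 192.0.2.1 track 1
#
 ip route-static 0.0.0.0 0 192.0.2.1 track 1
 ip route-static 0.0.0.0 0 198.51.100.1 track 2
#
 track 1 nqa entry wan1 1 reaction 1
"""

def audit_failover(config):
    """Return broken links in the NQA -> track -> route/PBR chain as strings."""
    entries, scheduled, tracks, used, current = {}, set(), {}, [], None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the post-style inline notes
        if m := re.match(r"nqa entry (\S+) (\S+)$", line):
            current = (m[1], m[2])
            entries[current] = set()
        elif (m := re.match(r"reaction (\d+) ", line)) and current:
            entries[current].add(m[1])
        elif m := re.match(r"nqa schedule (\S+) (\S+) ", line):
            scheduled.add((m[1], m[2]))
        elif m := re.match(r"track (\d+) nqa entry (\S+) (\S+) reaction (\d+)$", line):
            tracks[m[1]] = ((m[2], m[3]), m[4])
        elif m := re.match(r"(?:ip route-static|apply) .* track (\d+)$", line):
            used.append((m[1], line))
    problems = [f"track {t} used but not defined: {ln}" for t, ln in used if t not in tracks]
    for tid, (entry, reaction) in tracks.items():
        name = " ".join(entry)
        if entry not in entries:
            problems.append(f"track {tid}: nqa entry {name} not defined")
        elif reaction not in entries[entry]:
            problems.append(f"track {tid}: nqa entry {name} has no reaction {reaction}")
        elif entry not in scheduled:
            problems.append(f"track {tid}: nqa entry {name} is never scheduled")
    return problems

print("\n".join(audit_failover(SAMPLE)))
```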
