Network requirements:
The company has three broadband lines: two dial-up ADSL lines and one fixed-IP leased line, all used for Internet access. The computers of each department sit in their own VLAN, and policy-based routing sends each department out through a different line. The three lines also back each other up: when one of them fails, traffic automatically switches to another line, and it switches back once the failed link recovers.
Network diagram:
Main configuration of the MSR router:
#
 version 7.1.059, Release 0306P81
#
 sysname CORE-RT01
#
 telnet server enable
#
 qos carl 1 source-ip-address range 192.168.61.1 to 192.168.61.253 per-address   # QoS rate limiting
 qos carl 2 source-ip-address range 192.168.11.1 to 192.168.11.253 per-address   # same as above; the real-world result was unsatisfactory, a dedicated traffic-control device is recommended
#
 port-security enable
#
 dialer-group 1 rule ip permit
 dialer-group 2 rule ip permit
#
 dhcp enable
#
 dns proxy enable
#
 password-recovery enable
#
vlan 1
#
policy-based-route wan permit node 1   # policy-based routing
 if-match acl 3000   # LAN-to-LAN traffic between internal subnets matches here and leaves the policy, so it is not forced out a WAN line and normal communication is preserved
#
policy-based-route wan permit node 2
 if-match acl 2000
 apply default-next-hop 14.XXX.XXX.888 track 1
#
policy-based-route wan permit node 3
 if-match acl 2001
 apply output-interface Dialer1
#
policy-based-route wan permit node 4
 if-match acl 2002
 apply output-interface Dialer2
#
policy-based-route wan permit node 5   # the policy ends with an empty node so that all other traffic passes through (on Comware 7 packets that match no node are forwarded by the routing table anyway, so this node is harmless rather than required)
#
nqa entry wan1 1   # NQA configuration
 type icmp-echo
  destination ip 14.XXX.XXX.888   # gateway address
  frequency 10000
  next-hop ip 14.XXX.XXX.888   # gateway address
  probe count 5
  probe timeout 1000
  reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
#
 nqa schedule wan1 1 start-time now lifetime forever   # start the test group now and keep it running permanently
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Dialer1   # ADSL line 1
 description INT ADSL 100M
 mtu 1492
 ppp chap password cipher $c$3$vKmoKSbbB8XKfxtafJ785ifLNBk/Oo1YHmud
 ppp chap user xxxxxx@163.gd
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user xxxxxx@163.gd password cipher $c$3$beaDKJmpTvuChge0eU8J1Bj0T+JpG8aUUMlZ
 dialer bundle enable
 dialer-group 1
 ip address ppp-negotiate
 tcp mss 1024
 nat outbound 2003
#
interface Dialer2   # ADSL line 2
 description CAIWU ADSL 100M
 mtu 1492
 ppp chap password cipher $c$3$4qsrevZ+kIoKDuF3zwCvpmucdqAEDN5S43CL
 ppp chap user xxxxxx@163.gd
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user xxxxxx@163.gd password cipher $c$3$c2+0dxIWmqO7FqnD72dYCvGXSrXh0+b/R4/I
 dialer bundle enable
 dialer-group 2
 dialer timer idle 0   # needed when several ADSL lines dial at once; the MSR 7.0 command differs from the 5.0 one
 ip address ppp-negotiate
 tcp mss 1024
 nat outbound 2003
#
interface NULL0
#
interface GigabitEthernet0/0   # link to the switch
 port link-mode route
 description LAN link to HW-CORE-SW
 combo enable copper
 ip address 192.168.201.1 255.255.255.0
 packet-filter 2017 inbound
 qos car inbound carl 1 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass
 qos car inbound carl 2 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass
 nat hairpin enable   # lets LAN clients reach internal servers through the public address
 ip policy-based-route wan   # the policy is applied on the LAN-facing interface
#
interface GigabitEthernet0/1
 port link-mode route
 tcp mss 1024
#
interface GigabitEthernet0/2
 port link-mode route
 description WAN 10M DSL
 ip address 14.xxx.xxx.xxx 255.255.255.252
 tcp mss 1024
 nat outbound 2003
 nat server protocol tcp global current-interface 21 inside 192.168.10.14 21   # port mappings for published services
 nat server protocol tcp global current-interface 25 inside 192.168.10.168 25
 nat server protocol tcp global current-interface 80 inside 192.168.10.14 80
 nat server protocol tcp global current-interface 110 inside 192.168.10.168 110
 nat server protocol tcp global current-interface 143 inside 192.168.10.168 143
 nat server protocol tcp global current-interface 5580 inside 192.168.10.14 8088
 nat server protocol tcp global current-interface 5581 inside 192.168.10.14 8081
#
interface GigabitEthernet6/0
 port link-mode route
 description WAN INT ADSL 100M
 nat outbound 2003
 pppoe-client dial-bundle-number 1
#
interface GigabitEthernet6/1
 port link-mode route
 description WAN CAIWU ADSL 100M
 nat outbound 2003
 pppoe-client dial-bundle-number 2
#
interface GigabitEthernet6/7
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/2
 port link-mode bridge
#
interface GigabitEthernet6/3
 port link-mode bridge
#
interface GigabitEthernet6/4
 port link-mode bridge
#
interface GigabitEthernet6/5
 port link-mode bridge
#
interface GigabitEthernet6/6
 port link-mode bridge
 combo enable copper
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 15
 authentication-mode scheme
 user-role network-admin
#
line vty 16 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 14.XXX.XXX.888 track 1   # default route to the fixed-line gateway, withdrawn when track 1 goes negative
 ip route-static 0.0.0.0 0 Dialer1 preference 100
 ip route-static 0.0.0.0 0 Dialer2 preference 120
 ip route-static 192.168.10.0 24 192.168.201.254
 ip route-static 192.168.11.0 24 192.168.201.254
 ip route-static 192.168.16.0 24 192.168.201.254
 ip route-static 192.168.18.0 24 192.168.201.254
 ip route-static 192.168.61.0 24 192.168.201.254
#
acl basic 2000
 rule 0 permit source 192.168.10.0 0.0.0.255
 rule 1 permit source 192.168.11.0 0.0.0.255
 rule 2 permit source 192.168.18.0 0.0.0.255
#
acl basic 2001
 rule 0 permit source 192.168.61.0 0.0.0.255
#
acl basic 2002
 rule 0 permit source 192.168.16.0 0.0.0.255
#
acl basic 2003
 rule 0 permit
#
acl basic 2017   # block selected hosts from reaching the Internet
 description Deny ip link to Internet
 rule 0 deny source 192.168.10.23 0
 rule 1 deny source 192.168.10.5 0
 rule 2 deny source 192.168.10.7 0
 rule 199 permit
#
acl advanced 3000
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255   # matches LAN-to-LAN traffic so that it is not pulled out a WAN line by the policy
#
domain system
#
 domain default enable system
#
user-group system
#
local-user admin class manage
 password hash $h$6$ROvXv3DjylL9HE6p$53Ib+gCLOkKDY58w+mO03hy0xqy8rQS5xAsuX1HyJFGpPF0EYjxg/8CPhmUWIs4NrNWKM78PWr6QckQj98RdjQ==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
 track 1 nqa entry wan1 1 reaction 1   # binds track 1 to NQA reaction 1
#
return

Notes: the commented lines above (colored in the original post) are the key configuration points. For cost reasons some companies choose ADSL as the backup link; if all lines are fixed-IP broadband, configure one NQA entry per line and the rest of the configuration is similar. The above is a work note.

A few things worth checking before reusing this configuration. Only the fixed line is probed: NQA wan1 pings the fixed-line gateway, and track 1 gates both the apply clause of node 2 and the tracked default route, so when the pings fail, acl 2000 traffic falls through to the Dialer1 default route (preference 100), then to Dialer2 (preference 120), and returns to the fixed line once the probes succeed again. The two ADSL lines have no probe of their own; their policy nodes and default routes drop out only when the Dialer interface itself goes down, so a PPPoE session that stays up on a dead upstream keeps attracting traffic. Management is exposed over cleartext protocols (telnet server enable, ip http enable) and the admin account allows telnet and http; SSH and HTTPS only is the safer setting. The $c$3$ strings are reversible cipher text rather than hashes (CHAP and PAP need the plaintext, so the PPPoE account credentials can be recovered from them), so redact them together with the $h$6$ password hash before sharing a configuration. The nat server entries publish FTP, SMTP, HTTP, POP3 and IMAP on the fixed line with no inbound packet filter on GigabitEthernet0/2; acl 2017 only restricts three LAN hosts on the inside interface.
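To make the failover behaviour of the configuration above concrete, the following is an added model of the decision the router makes for a packet arriving on GigabitEthernet0/0: packet-filter 2017, then the PBR policy "wan" node by node, then the static routing table. It is illustration code written for this note, not H3C software; the ACLs, routes and preferences are taken from the configuration, while the LinkState inputs, the sample hosts and the destination address are constructed. It also simplifies apply default-next-hop to "always applies", which holds for Internet destinations because the only routes for them are the three defaults.

```python
# Model of CORE-RT01's egress decision for a LAN packet entering G0/0.
# Added illustration for this note, not H3C code; link states and sample
# addresses are constructed.
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.0.0/16")       # acl advanced 3000
ACL = {                                                # basic ACLs from the config
    2000: ["192.168.10.0/24", "192.168.11.0/24", "192.168.18.0/24"],
    2001: ["192.168.61.0/24"],
    2002: ["192.168.16.0/24"],
}
DENIED_HOSTS = {"192.168.10.23", "192.168.10.5", "192.168.10.7"}  # acl basic 2017
LAN_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.16.0/24",
               "192.168.18.0/24", "192.168.61.0/24"]   # static routes via 192.168.201.254


@dataclass
class LinkState:
    """Constructed link states that drive the decision."""
    fixed_ok: bool = True    # track 1, driven by NQA wan1 (ICMP to the fixed-line gateway)
    dialer1_up: bool = True  # PPPoE session on Dialer1 (no NQA probes this line)
    dialer2_up: bool = True  # PPPoE session on Dialer2


def _in_any(addr, nets):
    return any(addr in ipaddress.ip_network(n) for n in nets)


def pbr_wan(src, dst, st):
    """PBR policy 'wan'. Returns an egress name, or None when the packet falls
    through to the routing table: a node without an apply clause, an apply
    clause whose track is negative, or an output interface that is down."""
    if src in INTERNAL and dst in INTERNAL:
        return None                              # node 1: acl 3000, no apply clause
    if _in_any(src, ACL[2000]):                  # node 2: default-next-hop, track 1
        return "fixed" if st.fixed_ok else None
    if _in_any(src, ACL[2001]):                  # node 3: output-interface Dialer1
        return "Dialer1" if st.dialer1_up else None
    if _in_any(src, ACL[2002]):                  # node 4: output-interface Dialer2
        return "Dialer2" if st.dialer2_up else None
    return None                                  # node 5: empty node


def routing_table(dst, st):
    """Static routes: LAN /24s via the core switch, then the default routes by
    preference (60 is the Comware default for the tracked fixed-line route)."""
    if _in_any(dst, LAN_SUBNETS):
        return "LAN"
    defaults = []
    if st.fixed_ok:
        defaults.append((60, "fixed"))           # withdrawn while track 1 is negative
    if st.dialer1_up:
        defaults.append((100, "Dialer1"))
    if st.dialer2_up:
        defaults.append((120, "Dialer2"))
    return min(defaults)[1] if defaults else "unreachable"


def egress(src, dst, st=None):
    """Where a packet from src to dst leaves the router under link state st."""
    st = st or LinkState()
    if src in DENIED_HOSTS:
        return "dropped by acl 2017"             # packet-filter 2017 inbound on G0/0
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return pbr_wan(s, d, st) or routing_table(d, st)


def failover_walkthrough(host="192.168.10.50", dst="198.51.100.10"):
    """Fixed line fails, then Dialer1 as well, then everything recovers."""
    steps = []
    st = LinkState()
    steps.append(("all up", egress(host, dst, st)))
    st.fixed_ok = False                          # NQA wan1 reports 6 consecutive failures
    steps.append(("fixed line down", egress(host, dst, st)))
    st.dialer1_up = False                        # PPPoE session on Dialer1 drops
    steps.append(("fixed + Dialer1 down", egress(host, dst, st)))
    st = LinkState()                             # probes succeed again, track 1 positive
    steps.append(("recovered", egress(host, dst, st)))
    return steps


if __name__ == "__main__":
    for label, out in failover_walkthrough():
        print(f"{label:22s} -> {out}")
```

The walkthrough shows the switch-back happening on its own because the tracked default route and node 2 both return as soon as track 1 goes positive. Note what the model does not do for the ADSL lines: a department on acl 2001 keeps going out Dialer1 for as long as the PPPoE session is up, whatever the state of the upstream, which is the gap an extra NQA entry per line would close.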