Building a highly available network
On the configuration of the local host
Hard disk technology:
A special partition on the hard disk: swap
First, swap exists to make up for a shortage of physical memory; it is also called the swap partition. Its job is to move pages that are in memory but have not been used for a long time out to a dedicated partition on disk, and to bring them back in when the system needs them. Note that adding swap is only worth doing when the system actually indicates it is short of it; swap is a small way of relieving memory pressure, not a substitute for RAM.
RAID, the Redundant Array of Inexpensive Disks, uses software or hardware to combine several smaller disks into one larger disk device. Its purpose is not only storage: depending on the level it also raises read/write throughput and protects data.
Windows has similar functions under the names simple volume, spanned volume, striped volume, mirrored volume, and RAID-5 volume.
Under Linux there is linear mode (members simply concatenated), raid0, which corresponds to a striped volume, raid1, which corresponds to a mirrored volume, raid5, which is still raid5, and in addition raid6 and raid10.
Implementing RAID
Hardware RAID uses a dedicated RAID card; its drawback is cost, so many operating systems provide software RAID, i.e. RAID emulated in software. In Linux this is done by the md (multiple devices) kernel driver, which is managed from user space by the mdadm tool.
First, linear mode: it provides neither speed nor redundancy. Members are appended end to end, and losing any member loses the data stored on it (and in practice the whole filesystem).
raid0 (a striped volume in Windows) requires at least 2 member devices (Windows allows at most 32). Before data is written it is split into equal chunks, for example 64 KB, which are written to the different disks in turn. The advantage is that both reads and writes are considerably faster, so the gain is efficiency; the drawback is that there is no redundancy at all. Every member must stay healthy, because the failure of any one disk makes the whole data set unreadable.
raid1 (a mirrored volume in Windows) is about redundancy: several devices hold identical copies of the data, hence the name mirroring. At least two members are required and there is no upper limit. The drawbacks are ordinary read/write efficiency (every write goes to every member) and a usable capacity of only one member's worth, i.e. 50% with two disks.
raid5: in Windows it requires at least 3 and at most 32 members; the number Linux supports depends on the kernel version. It is built on striping like raid0, not on mirroring: in every stripe one chunk holds a parity value computed (by XOR) over the other chunks of that stripe, and the parity position rotates across the disks from stripe to stripe rather than sitting on one fixed disk. The parity lets the array detect and, more importantly, reconstruct the contents of a missing disk. Logically the parity consumes one disk's worth of capacity, so usable capacity is (n-1)/n. Because every write has to update the parity, write throughput is ordinary; read throughput is very high while the array is healthy, but drops sharply once a disk has failed, because every read of the missing disk must be recomputed from the parity. raid5 tolerates exactly one failed member; it is redundant.
raid6 keeps two parity chunks in every stripe, so a raid6 array needs at least 4 members. It is raid5 with one more disk's worth of capacity given up ((n-2)/n usable) in exchange for surviving two simultaneous member failures.
raid1-0 (RAID 10) combines raid1 and raid0. The notes describe it as striping first and then mirroring the two stripes, which is strictly RAID 0+1; Linux md's raid10 (RAID 1+0) does it the other way round, pairing members into mirrors first and striping across the mirrored pairs, which survives more combinations of two-disk failures. Either way you get raid0's speed with raid1's redundancy at 50% usable capacity.
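The parity mechanism behind the raid5/raid6 figures above, as an added example that is not part of the original notes or of mdadm: a byte-level model of RAID5 striping with rotating XOR parity. It shows the (n-1)/n usable capacity, how one failed member is rebuilt from the survivors, and why a second failure is unrecoverable (which is exactly what raid6's second parity chunk buys). Chunk size and member count are arbitrary assumptions; the script touches no real devices.

```python
"""Added example, not from the original notes: a byte-level model of RAID5
striping with rotating XOR parity. A real array of this shape would be made
with   mdadm -C /dev/md0 -l 5 -n 4 /dev/sdb /dev/sdc /dev/sdd /dev/sde
and inspected with   mdadm -D /dev/md0   (this script touches no devices)."""
from fractions import Fraction
from typing import List, Optional

def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length chunks together; this is the whole of RAID5 parity."""
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)

def parity_member(stripe: int, n: int) -> int:
    """Parity moves one member to the left per stripe so that no single disk
    becomes the parity bottleneck (mdadm's real layouts also rotate where the
    data starts; that detail is omitted here)."""
    return (n - 1 - stripe) % n

def raid5_write(data: bytes, n: int, chunk: int) -> List[Optional[List[bytes]]]:
    """Lay data out over n members: disks[d][s] is member d's chunk of stripe s."""
    if n < 3:
        raise ValueError("RAID5 needs at least 3 members")
    per_stripe = (n - 1) * chunk
    data += b"\0" * (-len(data) % per_stripe)          # pad the last stripe
    disks: List[Optional[List[bytes]]] = [[] for _ in range(n)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n - 1)]
        p = parity_member(s, n)
        it = iter(chunks)
        for d in range(n):
            disks[d].append(xor_blocks(chunks) if d == p else next(it))
    return disks

def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read the data chunks back in order, skipping each stripe's parity chunk."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_member(s, n)
        for d in range(n):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])

def rebuild(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct member `failed` (marked None) from the survivors: in every
    stripe the missing chunk, whether data or parity, is the XOR of all the
    others. With two members missing the XOR only yields the XOR of the two
    lost chunks, never either one, so RAID5 cannot recover and we raise."""
    n = len(disks)
    survivors = [d for d in range(n) if d != failed]
    if any(disks[d] is None for d in survivors):
        raise ValueError("two members missing: beyond RAID5's single-failure tolerance")
    stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(stripes)]

def usable_fraction(level: str, n: int) -> Fraction:
    """Share of raw capacity left for the filesystem at each level (raid10 with pairs)."""
    table = {"linear": Fraction(1), "raid0": Fraction(1), "raid1": Fraction(1, n),
             "raid5": Fraction(n - 1, n), "raid6": Fraction(n - 2, n), "raid10": Fraction(1, 2)}
    return table[level]

if __name__ == "__main__":
    payload = bytes(range(256)) * 4                     # constructed sample data
    array = raid5_write(payload, n=4, chunk=32)
    lost = array[1]
    array[1] = None                                     # member 1 has failed
    array[1] = rebuild(array, 1)                        # hot-spare style rebuild
    print("rebuilt ok:", array[1] == lost, "| data ok:", raid5_read(array, len(payload)) == payload)
    print("raid5 usable capacity with 4 members:", usable_fraction("raid5", 4))
```

The rebuild loop is also why a degraded raid5 reads slowly: every chunk that used to live on the failed disk costs n-1 reads and an XOR instead of one read.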
Implementation:
Install mdadm.
The main mdadm modes and options:
-A assemble mode (assemble a previously created array)
-C create mode (create a new array with superblocks)
-B build mode (build an array without superblocks)
-F follow or monitor mode
-G grow mode (change the size, level or member count)
-I incremental assembly mode (adds single devices as they are discovered, e.g. from udev); the notes call this "automatic growth", which it is not
manage mode (adding spares, failing and removing members) has no flag of its own; mdadm enters it implicitly when the first option is --add, --remove, --fail and the like
-l (lowercase, --level) specifies the RAID level; the -L written in the notes is not an mdadm option
-N (--name) specifies the array name
Building the VRRP network; the device topology is as shown in the figure.
The configuration steps on sw6 are roughly as follows:
Create the VLANs, put the access ports into them, then configure the uplink interfaces as trunks.
%Apr 1 23:58:48:637 2000 Quidway SHELL/5/LOGIN:- 1 - Console(aux0) in unit1 login
sys
system-view
System View: return to User View with Ctrl+Z.
[Quidway]sysname sw6
[sw6]vlan 10
[sw6-vlan10]port e1/0/10
[sw6-vlan10]vlan 20
[sw6-vlan20]port e1/0/20
[sw6-vlan20]int e1/0/1
[sw6-Ethernet1/0/1]port link-type trunk
[sw6-Ethernet1/0/1]port trunk permit vlan all
Please wait........................................... Done.
[sw6-Ethernet1/0/1]dis vlan
The following VLANs exist:
1(default), 10, 20
[sw6-Ethernet1/0/1]int e1/0/24
[sw6-Ethernet1/0/24]port link-type trunk
[sw6-Ethernet1/0/24]port trunk permit vlan all
Please wait........................................... Done.
[sw6-Ethernet1/0/24]q
[sw6]
sw8配置与sw6大致相同:
%Apr 2 00:04:25 2000 Quidway SHELL/5/LOGIN: Console login from Aux0/0
sys
system-view
Enter system view, return to user view with Ctrl+Z.
[Quidway]sysname sw8
[sw8]vlan 10
[sw8-vlan10]
[sw8-vlan10]port eth0/10
[sw8-vlan10]vlan 20
[sw8-vlan20]port eth0/20
[sw8-vlan20]int eth0/1
[sw8-Ethernet0/1]port link-type trunk
[sw8-Ethernet0/1]port trunk permit vlan all
Please wait........................................... Done.
[sw8-Ethernet0/1]int eth0/24
[sw8-Ethernet0/24]port link-type trunk
[sw8-Ethernet0/24]port trunk permit vlan all
Please wait........................................... Done.
[sw8-Ethernet0/24]
The configuration of router r3 is roughly: give e0 the address 3.3.3.3/24, s0 the address 1.1.1.1/24 and s1 the address 1.1.2.1/24 (the notes stress: set the tag first, then the address), then reset the interfaces (shutdown followed by undo shutdown). r3 only simulates the WAN, so its role is to carry traffic between the two sides.
[Router]
[Router]sysname r3
[r3]int e0
[r3-Ethernet0]ip add 3.3.3.3 24
[r3-Ethernet0]loopback
Ethernet0 running on loopback mode
[r3-Ethernet0]
%01:24:13: Interface Ethernet0 is UP
%01:24:13: Line protocol ip on the interface Ethernet0 is UP
[r3-Ethernet0]int s0
[r3-Serial0]ip add 1.1.1.1 24
[r3-Serial0]
%01:27:01: Line protocol ip on the interface Serial0 is UP
[r3-Serial0]shut
% Interface Serial0 is down
[r3-Serial0]
%01:27:10: Interface Serial0 is DOWN
[r3-Serial0]undo shut
% Interface Serial0 is reset
[r3-Serial0]
%01:27:18: Interface Serial0 is UP
[r3-Serial0]int s1
[r3-Serial1]ip add 1.1.2.1 24
[r3-Serial1]
%01:27:48: Line protocol ip on the interface Serial1 is UP
[r3-Serial1]shut
% Interface Serial1 is down
[r3-Serial1]
%01:27:57: Interface Serial1 is DOWN
[r3-Serial1]undo shut
% Interface Serial1 is reset
[r3-Serial1]
%01:28:08: Interface Serial1 is UP
[r3-Serial1]
[r3-Serial1]
The main r1 configuration: split the Ethernet interface into sub-interfaces for router-on-a-stick, add a default route via 1.1.1.1, give the physical serial interface an address, then set up PAT: first an ACL that selects the traffic, then a NAT address pool, then bind the pool (or the interface itself, named directly) to the outbound interface. Finally configure VRRP on the sub-interfaces (vrid, virtual IP and priority).
[Router]sysname r1
[r1]int s0
[r1-Serial0]ip add 1.1.1.2 24
[r1-Serial0]
%01:29:18: Line protocol ip on the interface Serial0 is UP
[r1-Serial0]shut
% Interface Serial0 is shut down
[r1-Serial0]
%01:29:23: Interface Serial0 is DOWN
[r1-Serial0]undo shut
% Interface Serial0 is reset
[r1-Serial0]
%01:29:33: Interface Serial0 is UP
%01:29:33: Line protocol ip on the interface Serial0 is UP
[r1-Serial0]int e0.1
[r1-Ethernet0.1]vlan-type dot1q vid 10
[r1-Ethernet0.1]ip add 192.168.10.1 24
[r1-Ethernet0.1]
%01:31:37: Line protocol ip on the interface Ethernet0.1 is UP
[r1-Ethernet0.1]int e0.2
[r1-Ethernet0.2]vlan-type dot1q vid 20
[r1-Ethernet0.2]ip add 192.168.20.1 24
[r1-Ethernet0.2]
%01:32:41: Line protocol ip on the interface Ethernet0.2 is UP
[r1-Ethernet0.2]quit
[r1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[r1]ping 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=0 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time = 25 ms
--- 3.3.3.3 ping statistics ---
5 packets transmitted
5 packets received
0.00% packet loss
round-trip min/avg/max = 25/25/25 ms
[r1]acl 2000 match-order auto
[r1-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[r1-acl-2000]quit
[r1]nat address-group 1.1.1.3 1.1.1.9 wewe
[r1]int s0
[r1-Serial0]
[r1-Serial0]nat outbound 2000 address-group wewe
[r1-Serial0]quit
[r1]vrrp ping-enable
ping vrrp enable
[r1]int e0.1
[r1-Ethernet0.1]
[r1-Ethernet0.1]vrrp vrid 10 virtual-ip 192.168.10.254
[r1-Ethernet0.1]vrrp vrid 10 priority 120
[r1-Ethernet0.1]vrrp vrid 10 track s0 reduced 30
[r1-Ethernet0.1]int e0.2
[r1-Ethernet0.2]vrrp vrid 20 virtual-ip 192.168.20.254
[r1-Ethernet0.2]quit
[r1]
The r2 configuration is much the same as r1's. The difference is that the sub-interface for the 20.0 network is made the master (higher priority, with tracking-based priority reduction and preemption, which is on by default) and the 10.0 sub-interface is the backup (the 10.0 master is on r1).
[Router]
[Router]
%01:28:06: Interface Serial1 is DOWN
%01:28:11: Interface Serial1 is UP
[Router]sysname r2
[r2]int s1
[r2-Serial1]ip add 1.1.2.2 24
[r2-Serial1]
%01:55:26: Line protocol ip on the interface Serial1 is UP
[r2-Serial1]shut
% Interface Serial1 is down
[r2-Serial1]
%01:55:31: Interface Serial1 is DOWN
[r2-Serial1]undo shut
% Interface Serial1 is reset
[r2]vrrp ping-enable
ping vrrp enable
[r2]int s1
[r2-Serial1]
%01:55:41: Interface Serial1 is UP
%01:55:41: Line protocol ip on the interface Serial1 is UP
[r2-Serial1]int e0.1
[r2-Ethernet0.1]vlan-type dot1q vid 10
[r2-Ethernet0.1]ip add 192.168.10.2 24
[r2-Ethernet0.1]
%01:57:55: Line protocol ip on the interface Ethernet0.1 is UP
[r2-Ethernet0.1]int e0.2
[r2-Ethernet0.2]vlan-type dot1q vid 20
[r2-Ethernet0.2]ip add 192.168.20.2 24
[r2-Ethernet0.2]
%01:58:48: Line protocol ip on the interface Ethernet0.2 is UP
[r2-Ethernet0.2]quit
[r2]ip route-static 0.0.0.0 0.0.0.0 1.1.2.1
[r2]acl 2000 match-order auto
[r2-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[r2-acl-2000]quit
[r2]nat address-group 1.1.2.6 1.1.2.9 wewe
[r2]int s1
[r2-Serial1]nat outbound 2000 address-group wewe
[r2-Serial1]quit
[r2]vrrp ping-enable
ping vrrp enable
[r2]int e0.1
[r2-Ethernet0.1]
[r2-Ethernet0.1]vrrp vrid 10 virtual-ip 192.168.10.254
[r2-Ethernet0.1]int e0.2
[r2-Ethernet0.2]vrrp vrid 20 virtual-ip 192.168.20.254
[r2-Ethernet0.2]vrrp vrid 20 priority 120
[r2-Ethernet0.2]vrrp vrid 20 track s1 reduced 30
[r2]ping 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=0 ttl=255 time = 26 ms
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time = 26 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time = 25 ms
--- 3.3.3.3 ping statistics ---
5 packets transmitted
5 packets received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
Test phase. Method: shut down an uplink and watch the roles change on both routers. The two devices' links should back each other up, so that with this redundancy both paths stay highly available. Note in the displays that Auth Type is NO: the groups accept advertisements from any host on VLAN 10 and 20, so only a trusted access layer (or the VRRP authentication the platform offers) keeps a rogue host from announcing itself as master.
[r2]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 120
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial1 Priority reduced : 30
Ethernet0.1 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
[r2]int s1
[r2-Serial1]shut
% Interface Serial1 is down
[r2-Serial1]
%02:26:49: Interface Serial1 is DOWN
[r2-Serial1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 90
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial1 Priority reduced : 30
Ethernet0.1 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
[r1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Ethernet0.1 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 120
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial0 Priority reduced : 30
[r1]int s0
[r1-Serial0]shut
% Interface Serial0 is shut down
[r1-Serial0]
%02:32:38: Interface Serial0 is DOWN
%02:32:38: Line protocol ip on the interface Serial0 is DOWN
[r2-Serial1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 120
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial1 Priority reduced : 30
Ethernet0.1 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
[r2-Serial1]quit
[r1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Ethernet0.1 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 90
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial0 Priority reduced : 30
[r1]
[r1]int s0
[r1-Serial0]undo shut
% Interface Serial0 is reset
[r1-Serial0]
[r1-Serial0]
%02:42:58: Interface Serial0 is UP
%02:42:58: Line protocol ip on the interface Serial0 is UP
[r1-Serial0]
[r1-Serial0]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Ethernet0.1 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 120
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial0 Priority reduced : 30
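The election behind the role changes shown in the displays above, modeled as an added example (not part of the original notes, and not Comware code). It is loaded with the lab's settings: vrid 10 has r1 at priority 120 tracking s0 with a reduction of 30 and r2 at the default 100; vrid 20 has r2 at 120 tracking s1 and r1 at 100. The election rule is the one from RFC 3768/5798: the highest effective priority becomes master, a tie goes to the higher primary IP address, and a backup with preemption disabled does not take over from a live master. The "rogue host" scenario is an assumption added to show what Auth Type : NO implies.

```python
"""Added example, not from the original lab notes: VRRP master election with
interface tracking, using the r1/r2 priorities from the lab."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Vrrp:
    ip: str                          # primary address on the VRRP interface (tie-breaker)
    priority: int = 100              # Comware default
    track_if: Optional[str] = None   # uplink whose failure lowers the priority
    reduced: int = 0                 # amount subtracted while track_if is down
    preempt: bool = True             # Comware default: preemption on

@dataclass
class Router:
    name: str
    groups: Dict[int, Vrrp]

Down = FrozenSet[Tuple[str, str]]    # set of (router, interface) pairs currently down

def effective_priority(r: Router, vrid: int, down: Down) -> int:
    g = r.groups[vrid]
    prio = g.priority
    if g.track_if and (r.name, g.track_if) in down:
        prio = max(prio - g.reduced, 1)   # 0 is reserved for "master releasing the role"
    return prio

def elect_master(routers: List[Router], vrid: int, down: Down = frozenset(),
                 current: Optional[str] = None) -> str:
    """Name of the router that is master of vrid in the given link state."""
    candidates = [r for r in routers if vrid in r.groups]
    best = max(candidates, key=lambda r: (effective_priority(r, vrid, down),
                                          ip_address(r.groups[vrid].ip)))
    if current and current != best.name and not best.groups[vrid].preempt:
        return current                # higher priority but preempt off: incumbent stays
    return best.name

def lab_routers() -> List[Router]:
    """r1 and r2 exactly as configured in the notes."""
    r1 = Router("r1", {10: Vrrp("192.168.10.1", 120, "s0", 30), 20: Vrrp("192.168.20.1")})
    r2 = Router("r2", {10: Vrrp("192.168.10.2"), 20: Vrrp("192.168.20.2", 120, "s1", 30)})
    return [r1, r2]

def failover_table(routers: List[Router]) -> Dict[str, Dict[int, str]]:
    """Master of each group under the link states exercised in the test phase."""
    scenarios = {
        "all up": frozenset(),
        "r2 s1 down": frozenset({("r2", "s1")}),
        "r1 s0 down": frozenset({("r1", "s0")}),
        "both uplinks down": frozenset({("r1", "s0"), ("r2", "s1")}),
    }
    return {name: {vrid: elect_master(routers, vrid, down) for vrid in (10, 20)}
            for name, down in scenarios.items()}

def with_rogue(routers: List[Router], vrid: int, rogue_ip: str, rogue_priority: int = 254) -> str:
    """Assumed scenario: with no VRRP authentication, any host on the VLAN that
    sends advertisements for the same vrid takes part in the election like a router."""
    rogue = Router("rogue-host", {vrid: Vrrp(rogue_ip, rogue_priority)})
    return elect_master(routers + [rogue], vrid)

if __name__ == "__main__":
    for scenario, masters in failover_table(lab_routers()).items():
        print(f"{scenario:18s} vrid 10 -> {masters[10]}   vrid 20 -> {masters[20]}")
    print("unauthenticated high-priority speaker on VLAN 10 ->", with_rogue(lab_routers(), 10, "192.168.10.77"))
```

With r2's s1 down, r2's vrid 20 priority drops to 90 and r1 (100) takes both groups, matching the dis vrrp output above; with r1's s0 down the mirror image happens. With both uplinks down each router keeps the group on which it has the default 100, which is the "interfaces back each other up" property the test looks for.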
Then find two hosts, one per VLAN, and test from each:
Building an AAA server (DHCP server plus AAA authentication) with H3C/Huawei devices
Before building the physical topology we first set up the DHCP server and the RADIUS server. We use a Linux DHCP server and a Windows IAS server respectively, and describe the build of each.
DHCP on Linux:
For the detailed build steps see the blog post: DHCP in the enterprise network
Our focus is rewriting and testing the DHCP configuration file; the changes are as follows:
After editing, confirm there are no syntax or other errors, then restart the DHCP server.
DHCP server IP address
Then install and configure IAS (the AAA server) on Windows Server 2003; the steps are shown in the figures:
As shown above, since this is an authentication server it must hold accounts that clients can be validated against, so next create the users and grant them the corresponding access permissions.
Next add a RADIUS client and set the shared secret in its properties (123456 in this example; a short all-digit secret is fine for a lab, but in production it must be long and random, because the password in every Access-Request is hidden only with MD5 of this secret). The client vendor type must be RADIUS Standard. The notes call the mode EAPOR (EAP relay); whether the switch relays or terminates EAP (below it is configured for PAP, i.e. termination), the authenticator is the switch, so the RADIUS client address is the switch's IP address, as shown:
Next edit the IAS remote access policy: click Edit Profile and set the authentication type to PAP (for the convenience of the lab we use unencrypted PAP, which carries the password to the switch in the clear; in production use EAP).
So that the lab runs smoothly, put the host (configured by hand), the DHCP server and the RADIUS server in the same subnet. Then install the 802.1X client software on the PC, as shown:
Then the actual lab build; the topology is shown in the figure.
Equipment required: one H3C SecPath 100C firewall
one S2000-series 2403H-HI switch
%Apr 2 12:56:19:886 2000 Quidway SHELL/5/LOGIN:- 1 - Console(aux0) in unit1 login
system-view
System View: return to User View with Ctrl+Z.
[Quidway]sysname sw1
[sw1]vlan 10
[sw1-vlan10]port e1/0/10
[sw1-vlan10]vlan 20
[sw1-vlan20]port e1/0/20
[sw1-vlan20]vlan 30
[sw1-vlan30]port e1/0/24
[sw1-vlan30]
[sw1-vlan30]dis cu vlan
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
[sw1-vlan30]q
[sw1]int Vlan-interface 1
[sw1-Vlan-interface1]
[sw1-Vlan-interface1]ip add 192.168.2.2 24
[sw1-Vlan-interface1]q
[sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
[sw1]int e1/0/23
[sw1-Ethernet1/0/23]port ?
access Specify current access port's characteristics
hybrid Specify current hybrid port's characteristics
isolate Port isolate
link-aggregation Link aggregation group
link-type Specify port link-type
trunk Specify current trunk port's characteristics
[sw1-Ethernet1/0/23]port link-type trunk
[sw1-Ethernet1/0/23]port trunk permit vlan all
Please wait........................................... Done.
[sw1-Ethernet1/0/23]dis vlan
The following VLANs exist:
1(default), 10, 20, 30
[sw1-Ethernet1/0/23]
[sw1-Ethernet1/0/23]q
[sw1]dot1x ?
authentication-method Specify system authentication method
dhcp-launch Trigger system authentication when receiving DHCP
packet(s)
guest-vlan Specify guest vlan configuration information for ports
interface Specify interface configuration information
max-user Specify maximal on-line user number per port
port-control Specify port authenticated status
port-method Specify port controlled method
quiet-period Enable quiet period function
retry Specify maximal request times
retry-version-max Specify maximal request times for version information
supp-proxy-check Check whether user(s) access the networks by proxy or
not
timer Specify timer parameters
version-check Check the version information of 802.1x supplicant
[sw1]dot1x
802.1X is enabled globally.
[sw1]int e1/0/10
[sw1-Ethernet1/0/10]dot1x ?
guest-vlan Specify guest vlan configuration information for ports
max-user Specify maximal on-line user number per port
port-control Specify port authenticated status
port-method Specify port controlled method
supp-proxy-check Check whether user(s) access the networks by proxy or not
version-check Check the version information of 802.1x supplicant
[sw1-Ethernet1/0/10]dot1x
802.1X is enabled on port Ethernet1/0/10.
[sw1-Ethernet1/0/10]q
[sw1]int e1/0/20
[sw1-Ethernet1/0/20]dot1x
802.1X is enabled on port Ethernet1/0/20.
[sw1-Ethernet1/0/20]q
[sw1]radius scheme ?
STRING<1-32> Radius scheme name
After creating a RADIUS scheme, specify its contents; the main items are the following:
[sw1]radius scheme wewe
New Radius scheme
[sw1-radius-wewe]?
Radius-template view commands:
accounting Specify accounting mode
accounting-on Accounting-On packet sending mode
data-flow-format Specify data flow format
display Display current system information
key Specify the shared encryption key of RADIUS server
nas-ip Specify RADIUS source ip address
ping Ping function
primary Specify IP address of primary RADIUS server
quit Exit from current command view
retry Specify retransmission times
return Exit to User View
save Save current configuration
secondary Specify IP address of secondary RADIUS server
server-type Specify the type of RADIUS server
state Specify state of primary/secondary
authentication/accounting RADIUS server
stop-accounting-buffer Enable stop-accounting packet buffer
timer Specify timer parameters
tracert Trace route function
undo Cancel current setting
user-name-format Specify user-name format sent to RADIUS server
[sw1-radius-wewe]primary ?
accounting Specify IP address of primary accounting RADIUS server
authentication Specify IP address of primary authentication RADIUS server
[sw1-radius-wewe]primary authentication 192.168.1.2
[sw1-radius-wewe]key ?
accounting Specify key for accounting RADIUS server
authentication Specify key for authentication RADIUS server
[sw1-radius-wewe]key authentication 123456
[sw1-radius-wewe]server-type standard
[sw1-radius-wewe]user-name-format without-domain
[sw1-radius-wewe]accounting ?
optional Optional accounting mode
[sw1-radius-wewe]accounting optional
[sw1-radius-wewe]quit
Next set the authentication method used towards the AAA server. It must match the authentication type selected for dial-in on the remote AAA (RADIUS) server, otherwise the server rejects the requests. As shown:
[sw1]dot1x authentication-method ?
chap CHAP(Challenge Handshake Authentication Protocol) authentication
method.It's default.
eap EAP(Extensible Authentication Protocol) authentication method(support
eap-tls, eap-md5, peap, eap-ttls)
pap PAP(Password Authentication Protocol) authentication method
[sw1]dot1x authentication-method pap
PAP authentication is enabled.
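What the switch now sends to IAS for each login, as an added example that is not part of the original notes and not H3C or Microsoft code: a RADIUS Access-Request with a PAP User-Password attribute, built and parsed per RFC 2865. The point to see is that the password is not encrypted with a cipher; it is XORed with an MD5 keystream derived from the shared secret (123456 in this lab) and the 16-byte Request Authenticator, so the secret is the only thing protecting every password that crosses the wire. The NAS address 192.168.2.2 is assumed to be sw1's Vlan-interface1; the user name and password are constructed sample values.

```python
"""Added example, not from the original notes: the RFC 2865 User-Password
hiding used by PAP over RADIUS, in both the NAS (switch) and server direction."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

SECRET = b"123456"          # the shared secret configured on sw1 and in IAS in the lab

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c1 = p1 ^ MD5(S + RA),
    c_i = p_i ^ MD5(S + c_{i-1}). Passwords of 1..128 octets are allowed."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's side of the same operation. It is also what anyone holding
    the secret and a packet capture can do, which is why the secret matters."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")          # strip padding; real passwords contain no NUL

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Code 1 (Access-Request), Identifier, Length, Authenticator, then
    User-Name (1), User-Password (2), NAS-IP-Address (4)."""
    ra = authenticator or os.urandom(16)      # must be unpredictable per request
    attrs = (_attr(1, user)
             + _attr(2, hide_password(password, secret, ra))
             + _attr(4, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs

def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a RADIUS packet into code, identifier, authenticator and attributes,
    rejecting truncated or overlong TLVs instead of reading past the buffer."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = {}, 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs

def server_accepts(pkt: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bool:
    """What IAS does for a PAP request: unhide the password and compare it."""
    code, _, ra, attrs = parse_packet(pkt)
    if code != 1 or 1 not in attrs or 2 not in attrs:
        return False
    return users.get(attrs[1]) == reveal_password(attrs[2], secret, ra)

if __name__ == "__main__":
    users = {b"student1": b"Lab-Passw0rd-longer-than-16"}     # constructed sample account
    req = build_access_request(7, b"student1", users[b"student1"], SECRET, "192.168.2.2")
    print("IAS holding the right secret accepts:", server_accepts(req, SECRET, users))
    print("a server with the wrong secret accepts:", server_accepts(req, b"wrong", users))
```

Because the keystream is MD5(secret + authenticator), an offline guess of a six-digit secret against one captured request is cheap; that is the practical reason to use a long random shared secret even though the lab uses 123456, and the reason EAP (relay mode) is preferred over PAP termination outside a lab.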
%Jan 13 20:23:32:046 2014 H3C SHELL/4/LOGIN: Console login from con0
sys
System View: return to User View with Ctrl+Z.
[H3C]int eth0/0
[H3C-Ethernet0/0]ip add 192.168.2.1 24
[H3C-Ethernet0/0]int eth0/0.1
[H3C-Ethernet0/0.1]vlan-type dot1q vid 10
[H3C-Ethernet0/0.1]ip add 192.168.10.1 24
[H3C-Ethernet0/0.1]int eth0/0.2
[H3C-Ethernet0/0.2]vlan-type dot1q vid 20
[H3C-Ethernet0/0.2]ip add 192.168.20.1 24
[H3C-Ethernet0/0.2]int eth0/0.3
[H3C-Ethernet0/0.3]vlan-type dot1q vid 30
[H3C-Ethernet0/0.3]ip add 192.168.1.1 24
[H3C-Ethernet0/0.3]
[H3C-Ethernet0/0.3]quit
[H3C-zone-trust]add int eth0/0.1
[H3C-zone-trust]add int eth0/0.2
[H3C-zone-trust]add int eth0/0.3
[H3C-zone-trust]quit
Note: on the firewall the port isolation must be removed, because once the interface is split into sub-interfaces they are isolated from each other by default and cannot communicate.
[H3C]undo insulate
[H3C]dhcp enable
DHCP task has already been started!
[H3C]dhcp select relay interface eth0/0.1 to eth0/0.2
[H3C]int eth0/0.1
[H3C-Ethernet0/0.1]ip relay add 192.168.1.188
[H3C-Ethernet0/0.1]int eth0/0.2
[H3C-Ethernet0/0.2]ip relay add 192.168.1.188
[H3C-Ethernet0/0.2]quit
[H3C]
dis ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 192.168.2.1 Vlan-interface1
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.2.0/24 DIRECT 0 0 192.168.2.2 Vlan-interface1
192.168.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
system-view
System View: return to User View with Ctrl+Z.
[sw1]domain tyedu
New Domain added.
[sw1-isp-tyedu]radius-scheme wewe
[sw1-isp-tyedu]accounting optional
[sw1-isp-tyedu]
ping 192.168.10.1
PING 192.168.10.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time=6 ms
Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.10.1: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.10.1: bytes=56 Sequence=5 ttl=255 time=4 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
ping 192.168.20.1
PING 192.168.20.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.20.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.20.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.20.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.20.1: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 192.168.20.1: bytes=56 Sequence=5 ttl=255 time=11 ms
ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=6 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=4 ms
ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=3 ms
ping 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=255 time=4 ms
ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=127 time=9 ms
Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=127 time=5 ms
Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=127 time=4 ms
Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=127 time=7 ms
Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=127 time=4 ms
ping 192.168.1.188    (tests connectivity to the DHCP server)
PING 192.168.1.188: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.188: bytes=56 Sequence=1 ttl=63 time=5 ms
Reply from 192.168.1.188: bytes=56 Sequence=2 ttl=63 time=7 ms
Reply from 192.168.1.188: bytes=56 Sequence=3 ttl=63 time=5 ms
Reply from 192.168.1.188: bytes=56 Sequence=4 ttl=63 time=4 ms
Reply from 192.168.1.188: bytes=56 Sequence=5 ttl=63 time=5 ms
ping 192.168.20.2    (tests connectivity to the host under test)
PING 192.168.20.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.20.2: bytes=56 Sequence=1 ttl=127 time=6 ms
Reply from 192.168.20.2: bytes=56 Sequence=2 ttl=127 time=7 ms
Reply from 192.168.20.2: bytes=56 Sequence=3 ttl=127 time=4 ms
Reply from 192.168.20.2: bytes=56 Sequence=4 ttl=127 time=4 ms
Reply from 192.168.20.2: bytes=56 Sequence=5 ttl=127 time=5 ms
ping 192.168.10.2    (tests connectivity to the host under test)
PING 192.168.10.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=127 time=5 ms
Reply from 192.168.10.2: bytes=56 Sequence=2 ttl=127 time=5 ms
Reply from 192.168.10.2: bytes=56 Sequence=3 ttl=127 time=5 ms
Reply from 192.168.10.2: bytes=56 Sequence=4 ttl=127 time=4 ms
Reply from 192.168.10.2: bytes=56 Sequence=5 ttl=127 time=8 ms
Configuring the telnet (vty) authentication type under AAA: with authentication-mode scheme a login is checked against the AAA domain (here domain system with the local user database) instead of a single line password.
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]?
User-interface view commands:
accounting Config accounting mode of user terminal interface
acl Specify acl filtering
authentication-mode Terminal interface authentication mode
auto-execute Do something automatically
console console switch to aux
databits Specify the databits of user terminal interface
display Display current system information
flow-control Specify the flow control mode of user terminal interface
history-command Record history command
idle-timeout Specify the connection idle timeout for login user
modem Specify the characteristic of modem
nslookup Query Internet name servers
parity Specify the parity mode of user interface
ping Ping function
protocol Set user interface protocol
quit Exit from current command view
return Exit to User View
save Save current configuration
screen-length Specify the lines displayed on one screen
set Specify user terminal interface parameters
shell Enable terminal user service
speed Specify the TX/RX rate of user terminal interface
stopbits Specify the stop bit of user terminal interface
super Specify the super authentication mode
tracert Trace route function
undo undo
user Specify user's parameter of terminal interface
vrbd Show application version
[H3C-ui-vty0-4]authentication-mode ?
none Login without checking
password Use terminal interface password
scheme Authentication use AAA authorization authentication table
[H3C-ui-vty0-4]authentication-mode sch
[H3C-ui-vty0-4]authentication-mode scheme ?
command-authorization Authorization for the command from the user interface
is required
[H3C-ui-vty0-4]authentication-mode scheme
[H3C-ui-vty0-4]q
[H3C]
Display the full running configuration. Three things to check in it: both devices keep local-user userroot with password simple 123456, i.e. a plaintext password in the configuration (use password cipher); the firewall's packet filter defaults to permit; and on sw1 the domain tyedu that points at radius scheme wewe is never made the default domain, so a user who logs in without an @tyedu suffix is authenticated in the default domain system rather than through wewe (domain default enable tyedu would change that).
[sw1]dis cu
#
sysname sw1
#
dot1x
dot1x authentication-method pap
#
radius scheme system
radius scheme wewe
server-type standard
primary authentication 192.168.1.2
accounting optional
key authentication 123456
user-name-format without-domain
#
domain system
domain tyedu
scheme radius-scheme wewe
accounting optional
#
local-user userroot
password simple 123456
service-type telnet
level 3
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.2.2 255.255.255.0
interface Ethernet1/0/10
port access vlan 10
dot1x
interface Ethernet1/0/20
port access vlan 20
dot1x
interface Ethernet1/0/23
port link-type trunk
port trunk permit vlan all
#
interface Ethernet1/0/24
port access vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 60
dis cu
#
sysname H3C
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
radius scheme wewe
server-type standard
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user userroot
password simple 123456
service-type telnet
level 3
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/0.1
ip address 192.168.10.1 255.255.255.0
ip relay address 192.168.1.188
dhcp select relay
vlan-type dot1q vid 10
#
interface Ethernet0/0.2
ip address 192.168.20.1 255.255.255.0
ip relay address 192.168.1.188
dhcp select relay
vlan-type dot1q vid 20
#
interface Ethernet0/0.3
ip address 192.168.1.1 255.255.255.0
vlan-type dot1q vid 30
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/0.1
add interface Ethernet0/0.2
add interface Ethernet0/0.3
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return