HCL Comprehensive Lab

Preface

A comprehensive lab covering NAT, policy-based routing, IPsec, IRF stacking and related techniques.

Lab

[Figure: topology diagram and address table; image not included in this copy]
Lab requirements:
1. Connect the devices and assign addresses according to the diagram and table above. The headquarters (zongbu) connects to the carrier through two uplinks. The branch (fenbu) connects to the carrier through an aggregated link and simulates its internal business segment with a loopback interface. The carrier is two switches in an IRF stack; it faces the headquarters with two single ports and the branch with an aggregated link, and simulates the public-network service with a loopback interface.
2. On the headquarters side, business traffic must prefer the G0/0 uplink over the G0/1 uplink. To share the egress load, different address segments use different uplinks: the server reaches the Internet through G0/0 and the PCs through G0/1.
3. To provide Internet access, dynamic NAT is enabled on the public-facing interfaces of both the headquarters and the branch. The server provides a telnet service, which the outside must be able to reach on port 8023 of the G0/0 address. PCs on the headquarters internal network must also reach that service through the external interface address and port.
4. Traffic from the branch to the headquarters server must be encrypted; choose a suitable scheme.
5. To optimise bandwidth allocation, on the G0/1 uplink limit each IP in the PC segment to 8M upstream and 8M downstream. To prevent a G0/1 line failure from letting the PCs take over the server's bandwidth, guarantee the server at least 10M.

IRF stacking configuration:

Configure the priority
[SW1]irf member 1 priority 32 // the higher the priority, the more likely the device is elected master

Shut down the physical port that will join the IRF
[SW1]interface Ten-G1/0/49
[SW1-Ten-GigabitEthernet1/0/49]shutdown

Create the IRF logical port (member ID defaults to 1, port number 2) and add the connected physical interface to it
[SW1]irf-port 1/2
[SW1-irf-port1/2]port group interface Ten-GigabitEthernet1/0/49

Re-enable the physical port.
[SW1-Ten-GigabitEthernet1/0/49]undo shutdown

Activate the IRF port configuration and save.
[SW1]irf-port-configuration active
[SW1]save f

Change the default member ID from 1 to 2 and reboot
[SW2]irf member 1 renumber 2
<SW2>reboot // after changing the member ID, a reboot is required for it to take effect
[SW2]interface Ten-G2/0/49

[SW2-Ten-GigabitEthernet2/0/49]shutdown

[SW2]irf-port 2/1
[SW2-irf-port2/1] port group interface Ten-GigabitEthernet2/0/49

[SW2-Ten-GigabitEthernet2/0/49]undo shutdown
[SW2]save f

[SW2]irf-port-configuration active

Reference link: detailed IRF stacking configuration


Basic configuration: IP addresses and VLANs are omitted and not explained here.

Configure static link aggregation
Branch:

interface Route-Aggregation1 ---------- static link aggregation
ip address 100.0.0.1 255.255.255.0
then add the member ports to the group

SW1:

interface Bridge-Aggregation1
port access vlan 100 (add the member ports first, then configure access)

After that the two sides can reach each other: from the branch, pinging the address of SW1's int vlan 100 succeeds.
Because both sides have a loopback 0, don't forget to configure the static routes.


Now the connectivity on the router's right side. Per the requirement (on the headquarters side, business traffic prefers the G0/0 uplink over G0/1), configure the static route preferences:

ip route-static 172.16.0.0 24 10.0.0.254 preference 1
ip route-static 172.16.0.0 24 20.0.0.254 preference 2
ip route-static 200.0.0.0 24 10.0.0.254 preference 1
ip route-static 200.0.0.0 24 20.0.0.254 preference 2
Once this is configured, a ping from the branch to headquarters only succeeds when it specifies the source address.


For the PCs to reach the Internet, configure nat outbound on the headquarters' public-facing interfaces.


Configure policy-based routing: the server reaches the Internet through G0/0 and the PCs through G0/1, plus the requirement below that PCs reach the server through the public address.

acl basic 2000 ---------- Internet access
rule 0 permit source 192.168.1.0 0.0.0.255
acl basic 2100 ---------- Internet access
rule 0 permit source 192.168.2.0 0.0.0.255
acl advanced 3000 ---------- note: this must be matched first so the traffic is redirected to the right next hop
rule 0 permit ip source 192.168.2.20 0 destination 10.0.0.1 0
policy-based-route aaa permit node 5 ---------- matched first, so the PC can reach the service instead of matching a later node and being sent to 20.0.0.254
if-match acl 3000
apply next-hop 192.168.1.10
policy-based-route aaa permit node 10
if-match acl 2000
apply next-hop 10.0.0.254
policy-based-route aaa permit node 20
if-match acl 2100
apply next-hop 20.0.0.254
Remember to apply the policy on the relevant interfaces so the configuration takes effect.
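As an added example (not part of the original post), the following Python models how the zongbu router's policy aaa picks a next hop: ACL wildcard matching plus evaluation of the nodes in ascending order. The ACL numbers, addresses and next hops are taken from the lab configuration above; the matching logic itself is a simplified stand-in for Comware's behaviour, and the last call shows what happens if the hairpin node is not the first one evaluated.

```python
import ipaddress

def acl_match(rule_ip, wildcard, addr):
    """Comware-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    r, w, a = (int(ipaddress.IPv4Address(x)) for x in (rule_ip, wildcard, addr))
    care = 0xFFFFFFFF ^ w
    return r & care == a & care

# ACLs from the zongbu config: the basic ACLs match the source only,
# advanced ACL 3000 matches source and destination.
ACLS = {
    2000: [("192.168.1.0", "0.0.0.255", None, None)],
    2100: [("192.168.2.0", "0.0.0.255", None, None)],
    3000: [("192.168.2.20", "0.0.0.0", "10.0.0.1", "0.0.0.0")],
}

# policy-based-route aaa as (node, acl, next-hop); nodes are tried in ascending order.
PBR_AAA = [(5, 3000, "192.168.1.10"), (10, 2000, "10.0.0.254"), (20, 2100, "20.0.0.254")]

def acl_permits(acl_id, src, dst):
    for s_ip, s_wc, d_ip, d_wc in ACLS[acl_id]:
        if acl_match(s_ip, s_wc, src) and (d_ip is None or acl_match(d_ip, d_wc, dst)):
            return True
    return False

def pbr_next_hop(policy, src, dst):
    """The first permit node whose ACL matches wins; None means a normal routing-table lookup."""
    for _node, acl_id, next_hop in sorted(policy):
        if acl_permits(acl_id, src, dst):
            return next_hop
    return None

if __name__ == "__main__":
    # PC 192.168.2.20 reaching the server through the public address (the hairpin case)
    print(pbr_next_hop(PBR_AAA, "192.168.2.20", "10.0.0.1"))      # 192.168.1.10
    # the same PC browsing the Internet leaves through G0/1
    print(pbr_next_hop(PBR_AAA, "192.168.2.20", "200.0.0.254"))   # 20.0.0.254
    # if the hairpin node were numbered 30 instead of 5, node 20 would grab that traffic
    mis_ordered = [(30, 3000, "192.168.1.10")] + PBR_AAA[1:]
    print(pbr_next_hop(mis_ordered, "192.168.2.20", "10.0.0.1"))  # 20.0.0.254
```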


To let both the outside and the inside reach the server's telnet service, configure nat server and nat hairpin on the relevant interfaces and enable the service on the server.
With the above configuration the PC can only access the server's service; it cannot ping the server.


The full configuration:

<fenbu>dis cu
#
 sysname fenbu
#
interface Route-Aggregation1 ---------- static link aggregation
 ip address 100.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-aggregation group 1 ------------ join the group
#
interface GigabitEthernet0/1
 port link-aggregation group 1 ----------- join the group
#
interface LoopBack0
 ip address 172.16.0.1 255.255.255.255
#
 ip route-static 0.0.0.0 0 100.0.0.254


<SW1>dis cu
#
 version 7.1.075, Alpha 7571
#
 sysname SW1
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 100
#
interface Bridge-Aggregation1
 port access vlan 100 -------------------- required: the branch's gateway is int vlan 100
#
interface LoopBack0
 ip address 200.0.0.254 255.255.255.255
#
interface Vlan-interface10
 ip address 10.0.0.254 255.255.255.0
#
interface Vlan-interface20
 ip address 20.0.0.254 255.255.255.0
#
interface Vlan-interface100
 ip address 100.0.0.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 100
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 10
 combo enable fiber
#
interface GigabitEthernet2/0/1
 port link-mode bridge
 port access vlan 100
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet2/0/2
 port link-mode bridge
 port access vlan 20
 combo enable fiber
#
 ip route-static 172.16.0.0 24 100.0.0.1



<zongbu>dis cu
#
 sysname zongbu
#
policy-based-route aaa permit node 5
 if-match acl 3000
 apply next-hop 192.168.1.10
#
policy-based-route aaa permit node 10
 if-match acl 2000
 apply next-hop 10.0.0.254
#
policy-based-route aaa permit node 20
 if-match acl 2100
 apply next-hop 20.0.0.254
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 10.0.0.1 255.255.255.0
 nat outbound
 nat server protocol tcp global 10.0.0.1 8023 inside 192.168.1.10 23
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 20.0.0.1 255.255.255.0
 nat outbound
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip address 192.168.1.1 255.255.255.0
 nat hairpin enable
 ip policy-based-route aaa
#
interface GigabitEthernet5/0
 port link-mode route
 combo enable copper
 ip address 192.168.2.1 255.255.255.0
 nat hairpin enable
 ip policy-based-route aaa
#
 ip route-static 172.16.0.0 24 10.0.0.254 preference 1
 ip route-static 172.16.0.0 24 20.0.0.254 preference 2
 ip route-static 200.0.0.0 24 10.0.0.254 preference 1
 ip route-static 200.0.0.0 24 20.0.0.254 preference 2
#
acl basic 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
#
acl basic 2100
 rule 0 permit source 192.168.2.0 0.0.0.255
#
acl advanced 3000
 rule 0 permit ip source 192.168.2.20 0 destination 10.0.0.1 0
<zongbu>

PC and server configuration omitted (default route, IP address, enabling the service)

IPsec configuration
Reference link: IPsec main mode / aggressive mode // some commands in that post are run together, e.g. "esp a------" (the commands that configure the encryption), but the post explains it in detail; read it and you will know how to configure it.

[zongbu]acl ad 3500
[zongbu-acl-ipv4-adv-3500]rule permit ip source 10.0.0.1 0 destination 172.16.0.0 0.0.0.255
[zongbu-acl-ipv4-adv-3500]qu
[zongbu]ike proposal 1
[zongbu-ike-proposal-1]qu
[zongbu]ike keychain zongbu
[zongbu-ike-keychain-zongbu]pre-shared-key address 100.0.0.1 key simple 123
[zongbu-ike-keychain-zongbu]qu
[zongbu]ike profile zongbu
[zongbu-ike-profile-zongbu]keychain zongbu
[zongbu-ike-profile-zongbu]proposal 1
[zongbu-ike-profile-zongbu]local-identity address 10.0.0.1
[zongbu-ike-profile-zongbu]match remote identity address 100.0.0.1
[zongbu-ike-profile-zongbu]qu
[zongbu]ipsec transform-set tran1
[zongbu-ipsec-transform-set-tran1]esp authentication-algorithm md5
[zongbu-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc
[zongbu-ipsec-transform-set-tran1]qu
[zongbu]ipsec policy zongbu 1 isakmp
[zongbu-ipsec-policy-isakmp-zongbu-1]security acl 3500
[zongbu-ipsec-policy-isakmp-zongbu-1]ike-profile zongbu
[zongbu-ipsec-policy-isakmp-zongbu-1]transform-set tran1
[zongbu-ipsec-policy-isakmp-zongbu-1]remote-address 100.0.0.1
[zongbu-ipsec-policy-isakmp-zongbu-1]qu
[zongbu]int g0/0
[zongbu-GigabitEthernet0/0]ipsec apply policy zongbu
[zongbu-GigabitEthernet0/0]


<fenbu>sys
System View: return to User View with Ctrl+Z.
[fenbu]acl advanced 3500
[fenbu-acl-ipv4-adv-3500] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 10.0.0.1 0
[fenbu-acl-ipv4-adv-3500]qu
[fenbu]ike proposal 1
[fenbu-ike-proposal-1]qu
[fenbu]ike keychain fenbu
[fenbu-ike-keychain-fenbu]pre-shared-key address 10.0.0.1 255.255.255.255 key simple 123
[fenbu-ike-keychain-fenbu]qu
[fenbu]ike profile fenbu
[fenbu-ike-profile-fenbu]exchange-mode main
[fenbu-ike-profile-fenbu]keychain fenbu
[fenbu-ike-profile-fenbu]proposal 1
[fenbu-ike-profile-fenbu]local-identity address 100.0.0.1
[fenbu-ike-profile-fenbu]match remote identity address 10.0.0.1
[fenbu-ike-profile-fenbu]qu
[fenbu]ipsec transform-set tran1
[fenbu-ipsec-transform-set-tran1]protocol esp
[fenbu-ipsec-transform-set-tran1]encapsulation-mode tunnel
[fenbu-ipsec-transform-set-tran1]esp authentication-algorithm md5
[fenbu-ipsec-transform-set-tran1]esp encryption-algorithm  3des-cbc
[fenbu-ipsec-transform-set-tran1]qu
[fenbu]ipsec policy fenbu 1 isakmp
[fenbu-ipsec-policy-isakmp-fenbu-1]security acl 3500
[fenbu-ipsec-policy-isakmp-fenbu-1]ike-profile fenbu
[fenbu-ipsec-policy-isakmp-fenbu-1]transform-set tran1
[fenbu-ipsec-policy-isakmp-fenbu-1]remote-address 10.0.0.1
[fenbu-ipsec-policy-isakmp-fenbu-1]qu
[fenbu]int Route-Aggregation 1
[fenbu-Route-Aggregation1]ipsec apply policy fenbu
[fenbu-Route-Aggregation1]qu
[fenbu]qu

Test:
<fenbu>telnet 10.0.0.1 8023 source ip 172.16.0.1 /// telnet with a source address to trigger the tunnel
Trying 10.0.0.1 ...
Press CTRL+K to abort
Connected to 10.0.0.1 ...

******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<server>qu



[fenbu]dis ipsec sa
-------------------------------
Interface: Route-Aggregation1
-------------------------------

  -----------------------------
  IPsec policy: fenbu
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1444
    Tunnel:
        local  address: 100.0.0.1
        remote address: 10.0.0.1
    Flow:
        sour addr: 172.16.0.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.0.0.1/255.255.255.255  port: 0  protocol: ip
...
One thing I forgot to mention:
I found that IPsec needs the branch's internal network to reach the headquarters side, so the branch and headquarters routers must be able to reach each other. The headquarters therefore needs a static route towards the branch.
[zongbu]ip route-static 100.0.0.0 24 10.0.0.254


To optimise bandwidth allocation, on the G0/1 uplink limit each IP in the PC segment to 8M upstream and 8M downstream. To prevent a G0/1 line failure from letting the PCs take over the server's bandwidth, guarantee the server at least 10M.

EF (Expedited Forwarding): bandwidth guarantees should use this queue; its priority is higher than AF
AF (Assured Forwarding)

[zongbu]qos carl 1 source-ip-address range 192.168.2.2 to 192.168.2.254 per-address
[zongbu]int g0/1
[zongbu-GigabitEthernet0/1]qos car inbound carl 1 cir 8192
[zongbu-GigabitEthernet0/1]qos car outbound carl 1 cir 8192

Create the QoS class and traffic behavior
[zongbu]traffic classifier AdvSer2000
[zongbu-classifier-AdvSer2000]if-match acl 2000 // match the ACL
[zongbu-classifier-AdvSer2000]qu
[zongbu]traffic behavior AdvSer2000 // create the traffic behavior
[zongbu-behavior-AdvSer2000]queue ef bandwidth 10240  // put the packets into the EF queue with this maximum bandwidth

Create the QoS policy and bind the class to the behavior
[zongbu]qos policy PolicySer
[zongbu-qospolicy-PolicySer]classifier AdvSer2000 behavior AdvSer2000 // in the policy, assign the behavior to the class

[zongbu]int g0/0
[zongbu-GigabitEthernet0/0]qos apply policy PolicySer outbound // apply the policy in the interface's outbound direction

Closing

If anything here is wrong, please point it out.
