H3C 三出口策略路由

组网需求:

       公司接入3条宽带，其中两条为拨号ADSL，一条为固定IP专线，用于上网业务。不同部门的电脑划分到不同VLAN，通过策略路由实现不同部门走不同线路访问外部网络；同时3条宽带之间实现联动：当其中一条出现故障时自动切换到另一条线路，链路恢复正常后自动切换回来。

组网图如下:

MSR路由主要配置:（注：示例中启用了 telnet 与 http 明文管理协议，vty 下未见来源地址限制，cipher/hash 形式的口令也随配置一并贴出；实际部署时建议改用 SSH/HTTPS 管理、对 vty 限制管理来源地址，并在对外发布配置前删除口令字段。）

#

version 7.1.059, Release 0306P81

#

sysname CORE-RT01

#

telnet server enable

#

qos carl 1 source-ip-address range 192.168.61.1 to 192.168.61.253 per-address  #QOS限流

qos carl 2 source-ip-address range 192.168.11.1 to 192.168.11.253 per-address #同上,但实际效果不理想,建议上专业流控设备

#

port-security enable

#

dialer-group 1 rule ip permit

dialer-group 2 rule ip permit

#

dhcp enable

#

dns proxy enable

#

password-recovery enable

#

vlan 1

#

policy-based-route wan permit node 1   #策略路由配置

if-match acl 3000   #node 1 只匹配 acl 3000 而不配置 apply 动作，使内网网段之间互访的流量按普通路由转发，避免被后续节点的策略路由引到外网出口而影响正常通信

#

policy-based-route wan permit node 2

if-match acl 2000

apply default-next-hop 14.XXX.XXX.888 track 1

#

policy-based-route wan permit node 3

if-match acl 2001

apply output-interface Dialer1

#

policy-based-route wan permit node 4

if-match acl 2002

apply output-interface Dialer2

#

policy-based-route wan permit node 5    #策略路由最后要加一条空节点允许其他数据流通过

#

nqa entry wan1 1        #NQA配置

type icmp-echo

  destination ip 14.XXX.XXX.888   #网关地址

  frequency 10000

  next-hop ip 14.XXX.XXX.888    #网关地址

  probe count 5

  probe timeout 1000

  reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only

#

nqa schedule wan1 1 start-time now lifetime forever  #使能测试组的启动时间和持续时间并设置为永久

#

controller Cellular0/0

#

controller Cellular0/1

#

interface Aux0

#

interface Dialer1      #ADSL线路1       

description INT ADSL 100M

mtu 1492

ppp chap password cipher $c$3$vKmoKSbbB8XKfxtafJ785ifLNBk/Oo1YHmud

ppp chap user xxxxxx@163.gd

ppp ipcp dns admit-any

ppp ipcp dns request

ppp pap local-user xxxxxx@163.gd password cipher $c$3$beaDKJmpTvuChge0eU8J1Bj0T+JpG8aUUMlZ

dialer bundle enable

dialer-group 1

ip address ppp-negotiate

tcp mss 1024

nat outbound 2003

#

interface Dialer2    #ADSL线路2

description CAIWU ADSL 100M

mtu 1492

ppp chap password cipher $c$3$4qsrevZ+kIoKDuF3zwCvpmucdqAEDN5S43CL

ppp chap user xxxxxx@163.gd

ppp ipcp dns admit-any

ppp ipcp dns request

ppp pap local-user xxxxxx@163.gd password cipher $c$3$c2+0dxIWmqO7FqnD72dYCvGXSrXh0+b/R4/I

dialer bundle enable

dialer-group 2

dialer timer idle 0     #需注意多条ADSL线路拨号时需添加此参数,MSR 7.0版本与5.0命令有区别

ip address ppp-negotiate

tcp mss 1024

nat outbound 2003

#

interface NULL0

#

interface GigabitEthernet0/0   #连接SW

port link-mode route

description LAN link to HW-CORE-SW

combo enable copper

ip address 192.168.201.1 255.255.255.0

packet-filter 2017 inbound

qos car inbound carl 1 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass

qos car inbound carl 2 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass

nat hairpin enable

ip policy-based-route wan  #策略路由对接口收到的报文生效，因此应用在内网接口GE0/0，而不是各外网出口

#

interface GigabitEthernet0/1

port link-mode route

tcp mss 1024

#

interface GigabitEthernet0/2

port link-mode route

description WAN 10M DSL

ip address 14.xxx.xxx.xxx 255.255.255.252

tcp mss 1024

nat outbound 2003

nat server protocol tcp global current-interface 21 inside 192.168.10.14 21  #相关端口映射应用（将 21/25/80/110/143 等服务端口映射到内网主机会扩大暴露面，建议只开放必需端口，并配合 packet-filter 限制来源）

nat server protocol tcp global current-interface 25 inside 192.168.10.168 25

nat server protocol tcp global current-interface 80 inside 192.168.10.14 80

nat server protocol tcp global current-interface 110 inside 192.168.10.168 110

nat server protocol tcp global current-interface 143 inside 192.168.10.168 143

nat server protocol tcp global current-interface 5580 inside 192.168.10.14 8088

nat server protocol tcp global current-interface 5581 inside 192.168.10.14 8081

#

interface GigabitEthernet6/0

port link-mode route

description WAN INT ADSL 100M

nat outbound 2003

pppoe-client dial-bundle-number 1

#

interface GigabitEthernet6/1

port link-mode route

description WAN CAIWU ADSL 100M

nat outbound 2003

pppoe-client dial-bundle-number 2

#

interface GigabitEthernet6/7

port link-mode route

combo enable copper

#

interface GigabitEthernet6/2

port link-mode bridge

#

interface GigabitEthernet6/3

port link-mode bridge

#

interface GigabitEthernet6/4

port link-mode bridge

#

interface GigabitEthernet6/5

port link-mode bridge

#

interface GigabitEthernet6/6

port link-mode bridge

combo enable copper

#

scheduler logfile size 16

#

line class aux

user-role network-admin

#

line class tty

user-role network-operator

#

line class vty

user-role network-operator

#

line aux 0

user-role network-admin

#

line vty 0 15

authentication-mode scheme

user-role network-admin

#

line vty 16 63

user-role network-operator

#

ip route-static 0.0.0.0 0 14.XXX.XXX.888 track 1  #默认路由指向专线下一跳网关并关联 track 1：NQA 探测连续失败时该路由失效，流量切换到下面 Dialer1/Dialer2 的备份默认路由（preference 100/120），专线恢复后自动切回

ip route-static 0.0.0.0 0 Dialer1 preference 100

ip route-static 0.0.0.0 0 Dialer2 preference 120

ip route-static 192.168.10.0 24 192.168.201.254

ip route-static 192.168.11.0 24 192.168.201.254

ip route-static 192.168.16.0 24 192.168.201.254

ip route-static 192.168.18.0 24 192.168.201.254

ip route-static 192.168.61.0 24 192.168.201.254

#

acl basic 2000

rule 0 permit source 192.168.10.0 0.0.0.255

rule 1 permit source 192.168.11.0 0.0.0.255

rule 2 permit source 192.168.18.0 0.0.0.255

#

acl basic 2001

rule 0 permit source 192.168.61.0 0.0.0.255

#

acl basic 2002

rule 0 permit source 192.168.16.0 0.0.0.255

#

acl basic 2003

rule 0 permit

#

acl basic 2017                             #禁止部分IP访问外网

description Deny ip link to Internet

rule 0 deny source 192.168.10.23 0

rule 1 deny source 192.168.10.5 0

rule 2 deny source 192.168.10.7 0

rule 199 permit

#

acl advanced 3000

rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255  #该ACL供策略路由 node 1 匹配，使内网网段之间互访的流量不被后续节点的策略路由引到外网出口而影响正常通信

#

domain system

#

domain default enable system

#

user-group system

#

local-user admin class manage

password hash $h$6$ROvXv3DjylL9HE6p$53Ib+gCLOkKDY58w+mO03hy0xqy8rQS5xAsuX1HyJFGpPF0EYjxg/8CPhmUWIs4NrNWKM78PWr6QckQj98RdjQ==

service-type telnet http https

authorization-attribute user-role network-admin

#

ip http enable

ip https enable

#

track 1 nqa entry wan1 1 reaction 1 #NQA关联 track 1 reaction 1

#

return