H3C MSR Series Routers: Typical Configuration Examples


H3C MSR Router PPPoE + NAT + Policy Routing + QoS Configuration Example


[H3C]display current-configuration
#
 version 5.20, Release 1719, Basic
#
 sysname H3C
#
 undo cryptoengine enable
#
 firewall enable
#
 domain default enable system
#
 telnet server enable
#
 qos carl 1 destination-ip-address range 192.168.3.2 to 192.168.3.254 per-address
 qos carl 2 source-ip-address range 192.168.3.2 to 192.168.3.254 per-address
 qos carl 3 destination-ip-address range 192.168.2.1 to 192.168.2.254 per-address
 qos carl 10 source-ip-address subnet 192.168.3.0 24 per-address
 qos carl 20 destination-ip-address subnet 192.168.3.0 24 per-address
#
acl number 2000
 rule 0 permit source 192.168.3.0 0.0.0.255
acl number 2222
 rule 0 permit source 192.168.3.0 0.0.0.255
 rule 5 permit source 192.168.2.0 0.0.0.255
#
acl number 3001
 rule 0 permit ip source 192.168.3.1 0.0.0.254
acl number 3002
 rule 0 permit ip source 10.0.1.1 0.0.0.254
acl number 3111
 rule 0 permit ip source 192.168.3.0 0.0.0.254
acl number 3112
 rule 0 permit ip source 192.168.3.1 0.0.0.254
acl number 3113
 rule 0 permit ip destination 192.168.2.0 0.0.0.255
acl number 3114
 rule 5 permit ip source 192.168.3.180 0.0.0.3
acl number 3333
#
vlan 1
#
connection-limit policy 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user huawei
 password cipher N'C55QK<'=/Q=A Q'MAF4<1!!
 authorization-attribute level 3
 service-type telnet
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Dialer1
 nat outbound 2000
 link-protocol ppp
 ppp pap local-user **************
 ip address ppp-negotiate
 load-bandwidth 2000
 tcp mss 1024
 dialer-group 1
 dialer user ****************
 dialer-group 1
 dialer bundle 1
#
interface Dialer2
 nat outbound 2000
 link-protocol ppp
 ppp pap local-user **************** ____
 ip address ppp-negotiate
 load-bandwidth 2000
 tcp mss 1024
 dialer user **************
 dialer bundle 2
interface Dialer3
 nat outbound 2000
 link-protocol ppp
 ppp pap local-user **************** ____
 ip address ppp-negotiate
 load-bandwidth 2000
 tcp mss 1024
 dialer user *************
 dialer-group 1
 dialer bundle 3
#
interface Ethernet

H3C MSR Series Routers: IPSec Configuration

1.1 IPSec Overview
1.1.1 IPSec Implementation
1.1.2 Basic IPSec Concepts
1.1.3 Encryption Card
1.1.4 Protocols and Standards
1.2 IPSec Configuration Task Overview
1.3 Configuring Access Control Lists
1.4 Configuring a Security Proposal
1.5 Configuring a Security Policy
1.5.1 Configuring a Security Policy Manually
1.5.2 Configuring a Security Policy with IKE Negotiation
1.6 Applying a Security Policy Group to an Interface
1.7 Binding a Security Policy Group or Security Policy to an Encryption Card Interface
1.8 Enabling the Encryption Engine
1.9 Enabling the Main Software Backup Function
1.10 Configuring the Session Idle Timeout
1.11 Enabling ACL Checking of De-encapsulated IPSec Packets
1.12 Configuring IPSec Anti-Replay
1.13 Configuring a Shared Source Interface Security Policy Group
1.14 Configuring QoS Pre-Classification
1.15 Displaying and Maintaining IPSec
1.16 IPSec Typical Configuration Examples
1.16.1 Establishing an IPSec Tunnel Manually
1.16.2 Establishing an IPSec Tunnel with IKE
1.16.3 Using an Encryption Card for Encryption/Decryption and Authentication
1.16.4 Configuring IPSec Interface Backup

H3C MSR Series Routers: Typical IPsec Configuration Examples (V7)


1 Introduction
This document presents typical IPsec configuration examples.

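2 Prerequisites
This document applies to MSR series routers running Comware V7 software. If the behavior you see differs from what is described here, refer to the relevant product manual or treat the actual device as authoritative.

All configurations in this document were made and verified in a lab environment, starting from factory-default settings for every device parameter.

If you have already configured the device, make sure the existing configuration does not conflict with the configurations in the examples below.

This document assumes that you are familiar with IPsec.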

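3 Configuration Example: Certificate-Authenticated L2TP over IPsec with the iNode Client
3.1 Network Requirements
As shown in Figure 1, the PPP user Host establishes an L2TP tunnel with Device, and Windows Server 2003 acts as the CA server. Requirements:
• Access the Corporate network through the L2TP tunnel.
• Use IPsec to encrypt the data carried in the L2TP tunnel.
• Establish the IPsec tunnel using RSA certificate authentication.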

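Figure 1 Network diagram for certificate-authenticated L2TP over IPsec
3.2 Configuration Approach
Because the IPsec tunnel is established with certificate authentication, local-identity must be set to dn in the ike profile, which specifies that the local identity is taken from the subject field of the local certificate.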

3.3 Software Version
This example was configured and verified on version R0106.

3.4 Configuration Procedure
3.4.1 Configuring Device
(1) Configure the IP address of each interface
# Configure the IP address of interface GigabitEthernet2/0/1.
<Device> system-view
[Device] interface gigabitethernet 2/0/1
[Device-GigabitEthernet2/0/1] ip address 192.168.100.50 24
[Device-GigabitEthernet2/0/1] quit
# Configure the IP address of interface GigabitEthernet2/0/2.
[Device] interface gigabitethernet 2/0/2
[Device-GigabitEthernet2/0/2] ip address 102.168.1.11 24
[Device-GigabitEthernet2/0/2] quit
# Configure the IP address of interface GigabitEthernet2/0/3.

H3C-MSR Router Configuration


Configure telnet login
telnet server enable
Create a local account and password
local-user admin
password simple hnjb8013
user-interface vty 0 4
authentication-mode scheme
user-role level-15
Configure the WAN interface address
<H3C>system-view
2) Set the internal network gateway
Set up DHCP
<H3C>system-view
[H3C]dhcp server ip-pool 1
[H3C-dhcp-pool-1]network 192.168.1.0 mask 255.255.255.0
[H3C-dhcp-pool-1]gateway-list 192.168.1.1
[H3C-dhcp-pool-1]address range 192.168.1.2 192.168.1.200 //address pool
[H3C-dhcp-pool-1]dns-list 202.106.0.20 114.114.114.114 //the carrier's actual DNS addresses
[H3C-dhcp-pool-1]quit
5) Configure the default route
[H3C]ip route-static 0.0.0.0 0.0.0.0 119.57.73.65 //set the next hop to the gateway address assigned by the carrier
NAT
One-to-one NAT
<H3C>system-view
NAT port mapping
<H3C>system-view
nat server protocol tcp global 119.57.73.67 5366 inside 192.168.1.67 5366
nat server protocol tcp global 119.57.73.67 5367 inside 192.168.1.67 5367
nat server protocol tcp global 119.57.73.67 8081 inside 192.168.1.244 8081
nat server protocol tcp global 119.57.73.67 8123 inside 192.168.1.250 8443
nat server protocol tcp global 119.57.73.67 inside 192.168.1.88 3389
L2TP over IPsec
1. Enable L2TP.

H3C-MSR Router Configuration


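As one of the key devices in a network, the router connects different networks and forwards data between them.

The H3C-MSR router is a capable and stable product that is widely used in networks of all sizes.

Correct configuration is essential for an H3C-MSR router to work properly and meet the network's requirements.

This article describes in detail how to configure an H3C-MSR router, to help users get started quickly.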

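I. Basic Configuration
1. Connecting to the router
First, use a network cable to connect the Console port of the H3C-MSR router to the computer's serial port.

Then use a serial terminal program, such as SecureCRT, to connect to the router over the serial port.

After opening the terminal program, select the correct serial port number and baud rate and make sure the connection to the router succeeds.

2. Logging in to the router
Once connected to the router, enter the login user name and password to reach the router's command-line interface.

The default user name is admin, and the password is empty.

To improve security, users are advised to change the password immediately after the first login.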

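3. Setting the host name
At the router's command-line interface, set a host name for the router with the following commands:
system-view
sysname <hostname>
quit
II. Interface Configuration
1. Configuring an interface IP address
For the router to communicate with other devices, it must be given an IP address.

To configure interface GigabitEthernet 0/0/1 with IP address 192.168.1.1 and subnet mask 255.255.255.0, run the following commands at the command-line interface:
interface GigabitEthernet 0/0/1
ip address 192.168.1.1 255.255.255.0
2. Configuring an interface description
An interface description helps administrators manage and identify each interface.

To describe interface GigabitEthernet 0/0/1, use the following commands:
interface GigabitEthernet 0/0/1
description <description text>
3. Configuring interface speed and duplex mode
The interface speed and duplex mode can be configured according to the network requirements and the capabilities of the device connected to the interface.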

H3C-MSR Router Configuration


Configure telnet login
telnet server enable
Create a local account and password
local-user admin
password simple hnjb8013
user-interface vty 0 4
authentication-mode scheme
user-role level-15
Configure the WAN interface address
<H3C>system-view
[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]ip address 119.57.73.67 255.255.255.248 //set the IP address and mask to the address assigned by the carrier
[H3C-GigabitEthernet0/0]quit
2) Set the internal network gateway
[H3C]interface GigabitEthernet 0/1
[H3C-GigabitEthernet0/1]ip address 192.168.1.1 24 //internal network gateway IP address
[H3C-GigabitEthernet0/1]quit
Set up DHCP
<H3C>system-view
[H3C]dhcp server ip-pool 1
[H3C-dhcp-pool-1]network 192.168.1.0 mask 255.255.255.0
[H3C-dhcp-pool-1]gateway-list 192.168.1.1
[H3C-dhcp-pool-1]address range 192.168.1.2 192.168.1.200 //address pool
[H3C-dhcp-pool-1]dns-list 202.106.0.20 114.114.114.114 //the carrier's actual DNS addresses
[H3C-dhcp-pool-1]quit
4) Configure NAT on the WAN interface so that internal addresses are source-translated for Internet access.
[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]nat outbound
5) Configure the default route
[H3C]ip route-static 0.0.0.0 0.0.0.0 119.57.73.65 //set the next hop to the gateway address assigned by the carrier
NAT
One-to-one NAT
<H3C>system-view
[H3C]nat static outbound 192.168.1.248 119.57.73.70
[H3C]interface GigabitEthernet0/0
[H3C-GigabitEthernet0/0]ip address 119.57.73.70 255.255.255.248 sub
[H3C-GigabitEthernet0/0]nat static enable
[H3C-GigabitEthernet0/0]quit
NAT port mapping
<H3C>system-view
[H3C]interface GigabitEthernet 0/0 //enter the device's public-network interface
[H3C-GigabitEthernet0/0]nat server protocol tcp global 119.57.73.67 5366 inside 192.168.1.67 5366
nat server protocol tcp global 119.57.73.67 5367 inside 192.168.1.67 5367
nat server protocol tcp global 119.57.73.67 8081 inside 192.168.1.244 8081
nat server protocol tcp global 119.57.73.67 8123 inside 192.168.1.250 8443
nat server protocol tcp global 119.57.73.67 33890 inside 192.168.1.88 3389
L2TP over IPsec
1. Enable L2TP.

H3C MSR Series Routers Web Configuration Guide-R2104(V1.04)-DNS Settings

Contents
1 Domain Name Resolution Settings
1.1 Overview
1.1.1 Dynamic Domain Name Resolution
1.1.2 DNS Proxy
1.2 Configuring Domain Name Resolution
1.2.1 Configuration Overview
1.2.2 Configuring Dynamic Domain Name Resolution
1.2.3 Configuring the Device as a DNS Proxy
1.2.4 Configuring the IP Address of a DNS Server
1.2.5 Configuring a Domain Name Suffix
1.3 Domain Name Resolution Typical Configuration Example
2 DDNS Settings
2.1 Overview
2.1.1 Introduction to DDNS
2.1.2 Typical DDNS Network Applications
2.2 Configuring DDNS
2.2.1 Configuration Preparation
2.2.2 Configuring DDNS
2.3 DDNS Typical Configuration Example

1 Domain Name Resolution Settings
1.1 Overview
The Domain Name System (DNS) is a distributed database used by TCP/IP applications that translates between domain names and IP addresses.

H3C-MSR800 Router Configuration Guide

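1. Introduction
1.1 Purpose
1.2 Intended Audience
1.3 References
2. Preparation
2.1 Hardware Preparation
2.2 Software Preparation
2.3 Connection Setup
3. Basic Router Configuration
3.1 Logging In to the Router
3.2 Password Configuration
3.3 Basic System Configuration
3.4 Interface Configuration
3.5 Route Configuration
4.1 IP Address Configuration
4.2 Subnet Mask Configuration
4.3 Gateway Configuration
4.4 DNS Configuration
4.5 NAT Configuration
5. Router Security Configuration
5.1 Access Control List (ACL) Configuration
5.2 Firewall Configuration
5.3 User Authentication Configuration
5.4 Security Policy Configuration
6. Feature Configuration
6.1 VLAN Configuration
6.2 QoS Configuration
6.3 VPN Configuration
6.4 Dynamic Host Configuration Protocol (DHCP) Configuration
6.5 Virtual Router Redundancy Protocol (VRRP) Configuration
7.1 SNMP Configuration
7.2 Log Configuration
7.3 Command-Line Interface (CLI) Configuration
7.4 Graphical User Interface (GUI) Configuration
8. Troubleshooting
8.1 Troubleshooting Tools and Commands
8.2 Common Problems and Solutions
9. Attachments
- H3C-MSR800 Router Installation Manual
- H3C-MSR800 Router User Manual

Notes:
- IP address: short for Internet Protocol Address, the unique identifier of a device on a network.

- Subnet mask: a mask used to separate the network address from the host address.

- Gateway: a device or system that supports communication between different subnets.

- DNS: short for Domain Name System, a system that maps domain names to IP addresses.

- NAT: short for Network Address Translation, used to translate IP addresses between different networks.

- ACL: short for Access Control List, used to restrict data flows in a network.

- QoS: short for Quality of Service, used to optimize the quality of data transmission on a network.

- VPN: short for Virtual Private Network, used to establish secure network connections.

- DHCP: short for Dynamic Host Configuration Protocol, a protocol for assigning IP addresses automatically.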

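3.2 Configuration Approach
After the dial-up succeeds, the headquarters gateway (LNS) assigns an IP address to the branch gateway (client). The headquarters LNS therefore has a route only to the branch gateway, not to the branch's internal network. For the headquarters and branch internal networks to communicate, headquarters would need a static route whose destination is the branch internal network and whose next hop is the branch gateway. However, the branch gateway's IP address is assigned dynamically from the address pool on the headquarters LNS, so the next hop cannot be a specific IP address and can only be the virtual template. Because this is a one-headquarters, multi-branch network in which all L2TP connections share the same virtual template, a single next hop cannot serve communication with multiple branches. The only option in this situation is to run IPsec over L2TP to provide the routing function: an IPsec policy is applied on the LNS virtual interface virtual-template, and data flows with different destination addresses trigger different ACLs and so communicate with different IPsec peers. This achieves precise one-to-many routing.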
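1 Introduction
This document presents a typical configuration example in which MSR series routers use L2TP+IPsec+PPPoE for communication between a headquarters and multiple branches.
2 Prerequisites
This document does not correspond strictly to specific software or hardware versions. If the behavior you see differs from what is described here, refer to the relevant product manual or treat the actual device as authoritative.
All configurations in this document were made and verified in a lab environment, starting from factory-default settings for every device parameter. If you have already configured the device, make sure the existing configuration does not conflict with the configurations in the examples below.
This document assumes that you are familiar with L2TP, IPsec, and PPPoE.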
# Configure a PPPoE session on interface Ethernet0/0.
[RouterA] interface ethernet 0/0
[RouterA-Ethernet0/0] pppoe-client dial-bundle-number 1
[RouterA-Ethernet0/0] quit
# Configure a default route pointing to Router D.
[RouterA] ip route-static 0.0.0.0 0.0.0.0 100.0.0.1
# Create an ACL that defines the data flows that trigger IPsec.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule 0 permit ip source 172.16.2.0 0.0.0.255
[RouterA-acl-adv-3000] quit
# Create the IPsec security policy named policy, with isakmp as its negotiation mode.
[RouterA] ipsec policy policy 1 isakmp
[RouterA-ipsec-policy-isakmp-policy-1] security acl 3000
[RouterA-ipsec-policy-isakmp-policy-1] ike-peer peer
[RouterA-ipsec-policy-isakmp-policy-1] proposal def
[RouterA-ipsec-policy-isakmp-policy-1] quit
3.5 Configuration Procedure
3.5.1 Configuring Router A
# Configure the IP address of interface Ethernet0/1.
<RouterA> system-view
[RouterA] interface ethernet 0/1
[RouterA-Ethernet0/1] ip address 172.16.2.1 255.255.255.0
[RouterA-Ethernet0/1] quit
Contents
1 Introduction
2 Prerequisites
3 Configuration Example
# Configure dialer interface Dialer0, which obtains its address by negotiation.
[RouterA] dialer-rule 1 ip permit
[RouterA] interface dialer 0
[RouterA-Dialer0] link-protocol ppp
[RouterA-Dialer0] ppp chap user client1@lac
[RouterA-Dialer0] ppp chap password simple 123
[RouterA-Dialer0] ip address ppp-negotiate
[RouterA-Dialer0] dialer user pppoe
[RouterA-Dialer0] dialer-group 1
[RouterA-Dialer0] dialer bundle 1
[RouterA-Dialer0] quit
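Configuration Example: Headquarters and Multi-Branch Communication over L2TP+IPsec+PPPoE on MSR Series Routers
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No organization or individual may excerpt or reproduce any part of this document, or distribute it in any form, without the written permission of the company. The information in this document is subject to change without notice.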
# Configure the IKE peer.
[RouterA] ike peer peer
[RouterA-ike-peer-peer] exchange-mode aggressive
[RouterA-ike-peer-peer] pre-shared-key 123
[RouterA-ike-peer-peer] id-type name
[RouterA-ike-peer-peer] remote-name center
[RouterA-ike-peer-peer] remote-address 100.0.0.1
[RouterA-ike-peer-peer] quit
3.1 Network Requirements
3.2 Configuration Approach
3.3 Software Version
3.4 Configuration Notes
3.5 Configuration Procedure
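3 Configuration Example
Network Requirements
As shown in Figure 1, Router A and Router B are branch gateways of an enterprise, Router C is the L2TP LAC, and Router D is the L2TP LNS. Requirement: each branch dials up to the LAC over PPPoE, which triggers the LAC and the LNS to establish an L2TP tunnel, so that the branch and headquarters internal networks can reach each other.
Figure 1 Network diagram for one-headquarters, multi-branch communication over L2TP+IPsec+PPPoE on MSR series routers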
# Use the default settings for the security proposal.
[RouterA] ipsec proposal def
# Configure ESP to use the md5 authentication algorithm.
[RouterA-ipsec-transform-set-def] esp authentication-algorithm md5
[RouterA-ipsec-transform-set-def] quit
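A small check over the Router A commands shown on this page, as an added example (not part of the H3C document): it parses the prompt-prefixed CLI lines and reports short plaintext secrets, IKE aggressive mode used together with a pre-shared key, and MD5 for ESP authentication. The rule names and the 16-character threshold are assumptions of this example.

```python
import re

# Router A commands as they appear on this page, split one per line.
ROUTER_A = """\
[RouterA-Dialer0] ppp chap user client1@lac
[RouterA-Dialer0] ppp chap password simple 123
[RouterA] ike peer peer
[RouterA-ike-peer-peer] exchange-mode aggressive
[RouterA-ike-peer-peer] pre-shared-key 123
[RouterA-ike-peer-peer] id-type name
[RouterA-ike-peer-peer] remote-address 100.0.0.1
[RouterA] ipsec proposal def
[RouterA-ipsec-transform-set-def] esp authentication-algorithm md5
"""

MIN_SECRET_LEN = 16  # assumption: a local policy threshold, not an H3C default

# <RouterA> (user view) or [RouterA-some-view], followed by the command.
LINE = re.compile(r"^\s*(?:<([^>]+)>|\[([^\]]+)\])\s*(.+?)\s*$")
# "password simple X", "pre-shared-key X" or "pre-shared-key cipher X".
SECRET = re.compile(r"\b(?:password|pre-shared-key)(?: (simple|cipher))? (\S+)$")

MESSAGES = {  # rule names are made up for this example
    "short-secret": "plaintext secret shorter than MIN_SECRET_LEN",
    "aggressive-psk": "IKE aggressive mode combined with a pre-shared key",
    "esp-md5": "ESP authentication uses MD5",
}

def parse(text):
    """Yield (line_no, view, command) for each prompt-prefixed line."""
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if m:
            yield no, m.group(1) or m.group(2), m.group(3)

def audit(text):
    """Return sorted (line_no, rule) findings for a Comware CLI transcript."""
    findings, peers = [], {}
    for no, view, cmd in parse(text):
        m = SECRET.search(cmd)
        # A 'cipher' value is already encoded, so its length says nothing.
        if m and m.group(1) != "cipher" and len(m.group(2)) < MIN_SECRET_LEN:
            findings.append((no, "short-secret"))
        if cmd == "esp authentication-algorithm md5":
            findings.append((no, "esp-md5"))
        if "-ike-peer-" in view:  # settings of one IKE peer share a view name
            state = peers.setdefault(view, {})
            if cmd == "exchange-mode aggressive":
                state["aggressive"] = no
            elif cmd.startswith("pre-shared-key"):
                state["psk"] = no
    for state in peers.values():
        if "aggressive" in state and "psk" in state:
            findings.append((state["aggressive"], "aggressive-psk"))
    return sorted(findings)

if __name__ == "__main__":
    for no, rule in audit(ROUTER_A):
        print(f"line {no}: {rule}: {MESSAGES[rule]}")
```

In aggressive mode the strength of the pre-shared key is the main protection of the exchange, which is why the check reports the mode and the key length together.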
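3.3 Software Version
This example was configured and verified on Release 2317.
3.4 Configuration Notes
• When configuring the client, configure a default route whose next hop is the address of the LNS virtual template.
• When configuring the security policy on the LNS, use a template; no ACL needs to be configured.
• Apply the security policy on the dialer interface of each branch gateway and on the virtual-template interface of the headquarters gateway (LNS).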
3.5.1 Configuring Router A
3.5.2 Configuring Router B
3.5.3 Configuring Router C
3.5.4 Configuring Router D
3.6 Verifying the Configuration
3.7 Configuration Files
4 Related Documentation