H3C MSR Router PPPoE + NAT + Policy-Based Routing + QoS Configuration Example


[H3C]display current-configuration
#
version 5.20, Release 1719, Basic
#
sysname H3C
#
undo cryptoengine enable
#
firewall enable
#
domain default enable system
#
telnet server enable
#
qos carl 1 destination-ip-address range 192.168.3.2 to 192.168.3.254 per-address
qos carl 2 source-ip-address range 192.168.3.2 to 192.168.3.254 per-address
qos carl 3 destination-ip-address range 192.168.2.1 to 192.168.2.254 per-address
qos carl 10 source-ip-address subnet 192.168.3.0 24 per-address
qos carl 20 destination-ip-address subnet 192.168.3.0 24 per-address
#
acl number 2000
rule 0 permit source 192.168.3.0 0.0.0.255
acl number 2222
rule 0 permit source 192.168.3.0 0.0.0.255
rule 5 permit source 192.168.2.0 0.0.0.255
#
acl number 3001
rule 0 permit ip source 192.168.3.1 0.0.0.254
acl number 3002
rule 0 permit ip source 10.0.1.1 0.0.0.254
acl number 3111
rule 0 permit ip source 192.168.3.0 0.0.0.254
acl number 3112
rule 0 permit ip source 192.168.3.1 0.0.0.254
acl number 3113
rule 0 permit ip destination 192.168.2.0 0.0.0.255
acl number 3114
rule 5 permit ip source 192.168.3.180 0.0.0.3
acl number 3333
#
vlan 1
#
connection-limit policy 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user huawei
password cipher N'C55QK<'=/Q=A Q'MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Dialer1
nat outbound 2000
link-protocol ppp
ppp pap local-user **************
ip address ppp-negotiate
load-bandwidth 2000
tcp mss 1024
dialer user ****************
dialer-group 1
dialer bundle 1
#
interface Dialer2
nat outbound 2000
link-protocol ppp
ppp pap local-user **************** ____
ip address ppp-negotiate
load-bandwidth 2000
tcp mss 1024
dialer user **************
dialer bundle 2
#
interface Dialer3
nat outbound 2000
link-protocol ppp
ppp pap local-user **************** ____
ip address ppp-negotiate
load-bandwidth 2000
tcp mss 1024
dialer user *************
dialer-group 1
dialer bundle 3
#
interface Ethernet0/0
port link-mode route
pppoe-client dial-bundle-number 3
#
interface Ethernet0/1
port link-mode route
pppoe-client dial-bundle-number 2
#
interface Ethernet1/0
port link-mode route
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface LoopBack10
ip address 192.168.2.253 255.255.255.255
#
interface Vlan-interface1
ip address 192.168.3.1 255.255.255.0
ip address 192.168.2.254 255.255.255.0 sub
qos car inbound carl 10 cir 1000 cbs 1000 ebs 1000 green pass red discard
qos car outbound carl 20 cir 1000 cbs 1000 ebs 1000 green pass red pass
ip policy-based-route fz1
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
interface Ethernet0/5
port link-mode bridge
#
interface Ethernet0/6
port link-mode bridge
#
interface Ethernet0/7
port link-mode bridge
#
interface Ethernet0/8
port link-mode bridge
#
interface Ethernet0/9
port link-mode bridge
#
policy-based-route fz1 permit node 0
if-match acl 3113
apply output-interface Vlan-interface1
policy-based-route fz1 permit node 1
if-match acl 3114
apply output-interface Dialer3
policy-based-route fz1 permit node 2
if-match acl 3112
apply output-interface Dialer2
policy-based-route fz1 permit node 3
if-match acl 3111
apply output-interface Dialer1
#
policy-based-route fz2 permit node 0
if-match acl 3111
apply output-interface Dialer1
policy-based-route fz2 permit node 1
if-match acl 3112
apply output-interface Dialer2
#
ip route-static 0.0.0.0 0.0.0.0 Dialer3
#
nat connection-limit-policy 1
#
telnet client source ip 192.168.2.254
#
dialer-rule 1 ip permit
dialer-rule 2 ip permit
dialer-rule 3 ip permit
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
acl 2222 inbound
authentication-mode scheme
user privilege level 3
set authentication password simple huawei
#
return
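The policy-based route fz1 above steers LAN traffic by source and destination address, and the 0.0.0.254 wildcard masks in ACL 3111 and 3112 are what split the 192.168.3.0/24 hosts between Dialer1 and Dialer2 (a 0 bit in a Comware wildcard means "this address bit must match", a 1 bit means "don't care", so 0.0.0.254 tests only the last address bit). The Python model below is an added example, not part of the configuration dump and not H3C code: it implements wildcard matching and first-matching-node PBR evaluation over the page's own ACL numbers and fz1 nodes, and counts which exit each LAN host would be sent to. The destination 8.8.8.8 used for the count is a constructed stand-in for an Internet address.

```python
# Added example: a model of Comware wildcard ACL matching and the fz1
# policy-based route from the page. Not taken from H3C software.
import ipaddress


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Comware-style match: address bits where the wildcard bit is 0 must equal
    the rule address; bits where the wildcard bit is 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (r & care)


# Advanced ACLs from the page as (matched field, address, wildcard) rules.
ACLS = {
    3111: [("source", "192.168.3.0", "0.0.0.254")],       # even hosts of 192.168.3.0/24
    3112: [("source", "192.168.3.1", "0.0.0.254")],       # odd hosts of 192.168.3.0/24
    3113: [("destination", "192.168.2.0", "0.0.0.255")],  # towards the 192.168.2.0/24 segment
    3114: [("source", "192.168.3.180", "0.0.0.3")],       # 192.168.3.180 to .183
}

# policy-based-route fz1 nodes in the order the router evaluates them.
FZ1 = [
    (0, 3113, "Vlan-interface1"),
    (1, 3114, "Dialer3"),
    (2, 3112, "Dialer2"),
    (3, 3111, "Dialer1"),
]


def acl_permits(acl_number: int, src: str, dst: str) -> bool:
    """An ACL matches the packet if any of its rules does (all rules here are permits)."""
    for field, rule_addr, wildcard in ACLS[acl_number]:
        addr = src if field == "source" else dst
        if wildcard_match(addr, rule_addr, wildcard):
            return True
    return False


def pbr_output(src: str, dst: str, policy=FZ1) -> str:
    """Output interface of the first matching node, or 'routing-table' when no
    node matches and the packet follows normal forwarding (here: the static
    default route via Dialer3)."""
    for _node, acl_number, out_if in policy:
        if acl_permits(acl_number, src, dst):
            return out_if
    return "routing-table"


def host_distribution(dst: str = "8.8.8.8") -> dict:
    """Count how the 254 usable hosts of 192.168.3.0/24 are spread over the
    exits for one Internet destination (8.8.8.8 is a constructed stand-in)."""
    counts = {}
    for host in ipaddress.ip_network("192.168.3.0/24").hosts():
        exit_if = pbr_output(str(host), dst)
        counts[exit_if] = counts.get(exit_if, 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst in [("192.168.3.10", "8.8.8.8"), ("192.168.3.11", "8.8.8.8"),
                     ("192.168.3.181", "8.8.8.8"), ("192.168.3.11", "192.168.2.50"),
                     ("10.0.1.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {pbr_output(src, dst)}")
    print(host_distribution())
```

Node order matters: 192.168.3.180 to .183 match ACL 3114 at node 1 before the parity nodes, so they always take Dialer3, and traffic to 192.168.2.0/24 stays on Vlan-interface1 whatever the source parity. A packet from a source outside 192.168.3.0/24 matches no node at all and is forwarded by the routing table instead.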
The network topology is shown in Figure 4. The AR18-22-24 has two links to the ISP: E1/0 is the primary link, with network address 142.1.1.0/30; ETH2/0 connects to an ADSL modem and reaches the ISP over PPPoE, with Dialer0 serving as the backup link.

In normal operation all traffic is sent over the primary link E1/0. When the primary link fails, the device automatically initiates PPPoE dial-up and traffic switches to the backup link; once the primary link recovers, it is automatically brought back into use.

60 seconds after the primary link is back in use, the PPPoE connection is hung up automatically.

Figure 4: Primary/backup topology with an Ethernet link and a PPPoE link
[Quidway]display current-configuration
#
sysname Quidway
#
clock summer-time BJ repeating 00:00:00 06/01/2000 23:59:59 08/31/2000 01:00:00
#
clock timezone Peking add 08:00:00
#
FTP server enable
#
firewall enable
#
flow-interval 5
dialer-rule 1 ip permit
#
web set-package force flash:/http.zip
#
radius scheme system
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=A Q'MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
# Configure auto-detect group 1, which checks whether the peer address of the primary link is reachable, with a detect interval of 5 s.
detect-group 1 detect-list 1 ip address 142.1.1.1 timer loop 5
#
# Configure the ACL referenced by NAT on the interfaces.

acl number 2001
rule 10 permit source 192.168.1.0 0.0.0.255
#
# Configure the packet-filter rules applied on the interfaces, mainly for attack defense; strongly recommended.

acl number 3001
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 2002 permit ip destination 142.1.1.2 0
rule 3000 deny ip
acl number 3002
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 2000 permit ip
acl number 3003
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 2010 deny ip source 192.168.1.1 0
rule 2030 permit ip source 192.168.1.0 0.0.0.255
rule 3000 deny ip
#
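ACL 3003 above is the LAN-side inbound filter: it drops the worm-era Windows service ports, allows only three ICMP types, rejects packets that claim the router's own LAN address 192.168.1.1 as their source (a simple anti-spoofing rule), permits the rest of 192.168.1.0/24, and closes with an explicit deny ip. The Python evaluator below is an added example, not part of the page's configuration and not Comware code: it encodes ACL 3003 with the page's rule numbers (the netbios-ns, netbios-dgm, netbios-ssn, tftp and bootps keywords resolved to their well-known ports 137, 138, 139, 69 and 67), applies first-match semantics in the order the rules are listed, and reports which rule decides each constructed sample packet.

```python
# Added example: a first-match evaluator for the LAN-side packet filter
# ACL 3003 from the page. Not taken from Comware; port keywords resolved by hand.
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # "permit" or "deny"
    proto: str = "ip"                        # "ip" matches any protocol
    src: Optional[Tuple[str, str]] = None    # (address, wildcard)
    dport: Optional[int] = None
    sport: Optional[int] = None
    icmp_type: Optional[str] = None


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Comware-style match: bits where the wildcard bit is 0 must be equal."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


# ACL 3003 as listed on the page. netbios-ns/dgm/ssn = 137/138/139, tftp = 69, bootps = 67.
ACL_3003 = sorted(
    [Rule(n, "deny", "tcp", dport=p) for n, p in
     [(10, 445), (20, 135), (30, 137), (40, 138), (50, 139), (70, 593), (80, 4444),
      (90, 707), (100, 1433), (110, 1434), (120, 5554), (130, 9996)]]
    + [Rule(n, "deny", "udp", dport=p) for n, p in
       [(11, 445), (21, 135), (31, 137), (41, 138), (51, 139), (61, 69), (101, 1433), (111, 1434)]]
    + [Rule(141, "deny", "udp", sport=67),                           # DHCP server replies from the LAN side
       Rule(160, "permit", "icmp", icmp_type="echo"),
       Rule(161, "permit", "icmp", icmp_type="echo-reply"),
       Rule(162, "permit", "icmp", icmp_type="ttl-exceeded"),
       Rule(165, "deny", "icmp"),                                     # every other ICMP type
       Rule(2010, "deny", "ip", src=("192.168.1.1", "0.0.0.0")),     # router's own address as source: spoofed
       Rule(2030, "permit", "ip", src=("192.168.1.0", "0.0.0.255")),  # the real LAN
       Rule(3000, "deny", "ip")],                                     # explicit catch-all deny
    key=lambda r: r.number,
)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.src and not wildcard_match(pkt["src"], *rule.src):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    if rule.sport is not None and pkt.get("sport") != rule.sport:
        return False
    if rule.icmp_type is not None and pkt.get("icmp_type") != rule.icmp_type:
        return False
    return True


def filter_packet(acl, pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching rule decides. With no match the Quidway firewall falls back
    to its default action (permit unless 'firewall default deny' is configured),
    modelled here as ('permit', None); ACL 3003's rule 3000 makes that unreachable."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "permit", None


# Constructed sample packets arriving on Ethernet3/0 from the LAN side.
SAMPLES = {
    "web from LAN host":       {"src": "192.168.1.20", "dst": "203.0.113.9", "proto": "tcp", "dport": 80},
    "SMB from LAN host":       {"src": "192.168.1.20", "dst": "203.0.113.9", "proto": "tcp", "dport": 445},
    "spoofed router address":  {"src": "192.168.1.1",  "dst": "203.0.113.9", "proto": "tcp", "dport": 80},
    "non-LAN source":          {"src": "10.9.9.9",     "dst": "203.0.113.9", "proto": "tcp", "dport": 80},
    "ping from LAN host":      {"src": "192.168.1.20", "dst": "203.0.113.9", "proto": "icmp", "icmp_type": "echo"},
    "ICMP redirect":           {"src": "192.168.1.20", "dst": "203.0.113.9", "proto": "icmp", "icmp_type": "redirect"},
    "rogue DHCP server reply": {"src": "192.168.1.77", "dst": "255.255.255.255", "proto": "udp", "sport": 67, "dport": 68},
}


def evaluate_samples() -> dict:
    """Map each sample name to the (action, deciding rule number) pair."""
    return {name: filter_packet(ACL_3003, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, number) in evaluate_samples().items():
        print(f"{name:25s} -> {action} (rule {number})")
```

The two closing rules are the security-relevant part: rule 2010 before rule 2030 means a LAN host cannot pass the permit by borrowing the gateway's own address, and rule 3000 means a packet that matches nothing is dropped instead of relying on the firewall's default action.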
# Configure WAN interface Dialer0. The dial-up username and password are both test. Inbound packets are filtered (when all outbound packets are NATed, inbound filtering can be omitted) and outbound packets are NATed.

interface Dialer0
link-protocol ppp
ppp pap local-user test password simple test
ip address ppp-negotiate
dialer user test
dialer-group 1
dialer bundle 1
nat outbound 2001
firewall packet-filter 3002 inbound
#
# Configure WAN interface E1/0. Inbound packets are filtered (when all outbound packets are NATed, inbound filtering can be omitted) and outbound packets are NATed.

interface Ethernet1/0
ip address 142.1.1.2 255.255.255.252
firewall packet-filter 3001 inbound
nat outbound 2001
#
# Configure WAN interface E2/0 as the dial-up interface; the link is disconnected automatically after 60 seconds idle.

interface Ethernet2/0
pppoe-client dial-bundle-number 1 idle-timeout 60
#
# Configure LAN interface E3/0 and filter inbound packets.
interface Ethernet3/0
ip address 192.168.1.1 255.255.255.0
firewall packet-filter 3003 inbound
#
interface Ethernet3/1
#
interface Ethernet3/2
#
interface Ethernet3/3
#
interface Ethernet3/4
#
interface Ethernet3/5
#
interface Ethernet3/6
#
interface Ethernet3/7
#
interface Ethernet3/8
#
interface Ethernet3/9
#
interface Ethernet3/10
#
interface Ethernet3/11
#
interface Ethernet3/12
#
interface Ethernet3/13
#
interface Ethernet3/14
#
interface Ethernet3/15
#
interface Ethernet3/16
#
interface Ethernet3/17
#
interface Ethernet3/18
#
interface Ethernet3/19
#
interface Ethernet3/20
#
interface Ethernet3/21
#
interface Ethernet3/22
#
interface Ethernet3/23
#
interface Ethernet3/24
#
interface NULL0
#
# Configure the default routes and black-hole routes.
# The default route through the primary interface is bound to auto-detect group 1.
# While detect group 1 is reachable, the primary interface's default route is active; when detect group 1 becomes unreachable, the primary default route is withdrawn, the backup interface is brought up, and the default route through the backup interface takes effect.

ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 100
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 preference 60 detect-group 1
ip route-static 10.0.0.0 255.0.0.0 NULL 0 preference 60
ip route-static 169.254.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 172.16.0.0 255.240.0.0 NULL 0 preference 60
ip route-static 192.168.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 198.18.0.0 255.254.0.0 NULL 0 preference 60
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
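The static route block in the configuration above implements the failover the comment describes: two default routes with different preferences, the preferred one tied to detect group 1, plus black-hole routes for private and test address ranges. The Python model below is an added example, not part of the page and not Comware code: it installs the page's static routes, treats the detect-group binding as the condition for the primary default route being present, applies longest-prefix match and then lowest preference, and reports the next hop chosen for a few constructed destinations with the detect group up and down. The connected routes for the E1/0 and E3/0 subnets and their preference 0 are an assumption of the model (Comware gives direct routes preference 0).

```python
# Added example: a model of the Quidway static routes above, with the
# detect-group binding treated as the condition for the primary default
# route being installed. Not taken from Comware.
import ipaddress

# (destination, next hop or outgoing interface, preference, detect group) from the page.
STATIC_ROUTES = [
    ("0.0.0.0/0",       "Dialer0",    100, None),   # backup default via PPPoE
    ("0.0.0.0/0",       "142.1.1.1",   60, 1),      # primary default, tracked by detect-group 1
    ("10.0.0.0/8",      "NULL0",       60, None),   # black-hole routes
    ("169.254.0.0/16",  "NULL0",       60, None),
    ("172.16.0.0/12",   "NULL0",       60, None),
    ("192.168.0.0/16",  "NULL0",       60, None),
    ("198.18.0.0/15",   "NULL0",       60, None),
]

# Directly connected subnets of E1/0 and E3/0 (assumption: preference 0,
# mirroring Comware's default for direct routes).
CONNECTED = [
    ("142.1.1.0/30",   "Ethernet1/0"),
    ("192.168.1.0/24", "Ethernet3/0"),
]


def active_routes(detect_up: dict) -> list:
    """Routes currently in the routing table. A static route bound to a detect
    group is present only while that group reports its target reachable."""
    table = [(ipaddress.ip_network(p), nh, 0) for p, nh in CONNECTED]
    for prefix, next_hop, pref, group in STATIC_ROUTES:
        if group is None or detect_up.get(group, False):
            table.append((ipaddress.ip_network(prefix), next_hop, pref))
    return table


def lookup(dst: str, detect_up: dict) -> str:
    """Longest prefix match wins; among equal-length prefixes the lowest
    preference wins. Returns the next hop or outgoing interface."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in active_routes(detect_up) if addr in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def failover_trace(dst: str, detect_history: list) -> list:
    """Next hop chosen for dst at each step of a detect-group 1 up/down history."""
    return [lookup(dst, {1: up}) for up in detect_history]


if __name__ == "__main__":
    # Constructed destinations: an Internet host, a private range with no
    # connected route, the LAN itself and the ISP peer address.
    for dst in ["203.0.113.9", "192.168.5.5", "192.168.1.50", "142.1.1.1"]:
        print(dst, "primary up:", lookup(dst, {1: True}),
              "| primary down:", lookup(dst, {1: False}))
    print(failover_trace("203.0.113.9", [True, True, False, False, True]))
```

The black-hole routes matter on the backup path as much as on the primary: without them a packet for an unused private range such as 192.168.5.0/24 would match the default route and leave through Dialer0, while the more specific connected 192.168.1.0/24 route keeps the real LAN reachable. Because E2/0 carries idle-timeout 60, the dialer hangs up once the primary default route returns and traffic stops flowing through it, which is the 60-second disconnect the text describes.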
