
H3C MSR3020 Router NQA Instance Configuration

Network requirements:

The company has three broadband links: two dial-up ADSL lines and one fixed-IP leased line, all used for Internet access. The PCs of different departments are placed in different VLANs, and policy-based routing sends each department's traffic out over a different line. The three links are also tied together: when one of them fails, traffic automatically switches to another line, and when the failed link recovers, traffic switches back.

Network diagram (image): https://s4.51cto.com/wyfs02/M00/8D/7E/wKioL1iew32RTQDkAACecuItEys683.jpg-wh_500x0-wm_3-wmp_4-s_4203209773.jpg

Main MSR router configuration:

#
 version 7.1.059, Release 0306P81
 sysname CORE-RT01
 telnet server enable
 qos carl 1 source-ip-address range 192.168.61.1 to 192.168.61.253 per-address  # QoS rate limiting
 qos carl 2 source-ip-address range 192.168.11.1 to 192.168.11.253 per-address  # same as above; the real-world result is unsatisfactory, a dedicated traffic-control appliance is recommended
 port-security enable
 dialer-group 1 rule ip permit
 dialer-group 2 rule ip permit
 dhcp enable
 dns proxy enable
 password-recovery enable
vlan 1
policy-based-route wan permit node 1   # policy-based routing configuration
 if-match acl 3000   # keeps traffic between internal subnets from matching the policy route and being sent out, which would break normal communication
policy-based-route wan permit node 2
 if-match acl 2000
 apply default-next-hop 14.XXX.XXX.888 track 1
policy-based-route wan permit node 3
 if-match acl 2001
 apply output-interface Dialer1
policy-based-route wan permit node 4
 if-match acl 2002
 apply output-interface Dialer2
policy-based-route wan permit node 5    # the policy must end with an empty node that lets all other traffic through
nqa entry wan1 1        # NQA configuration
 type icmp-echo
  destination ip 14.XXX.XXX.888   # gateway address
  frequency 10000
  next-hop ip 14.XXX.XXX.888    # gateway address
  probe count 5
  probe timeout 1000
  reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
 nqa schedule wan1 1 start-time now lifetime forever  # start the test group now and keep it running permanently
controller Cellular0/0
controller Cellular0/1
interface Aux0
interface Dialer1      # ADSL line 1
 description INT ADSL 100M
 mtu 1492
 ppp chap password cipher $c$3$vKmoKSbbB8XKfxtafJ785ifLNBk/Oo1YHmud
 ppp chap user [email protected]
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user [email protected] password cipher $c$3$beaDKJmpTvuChge0eU8J1Bj0T+JpG8aUUMlZ
 dialer bundle enable
 dialer-group 1
 ip address ppp-negotiate
 tcp mss 1024
 nat outbound 2003
interface Dialer2    # ADSL line 2
 description CAIWU ADSL 100M
 ppp chap password cipher $c$3$4qsrevZ+kIoKDuF3zwCvpmucdqAEDN5S43CL
 ppp pap local-user [email protected] password cipher $c$3$c2+0dxIWmqO7FqnD72dYCvGXSrXh0+b/R4/I
 dialer-group 2
 dialer timer idle 0     # required when dialling multiple ADSL lines; the MSR 7.0 command differs from the 5.0 one
interface NULL0
interface GigabitEthernet0/0   # connects to the switch
 port link-mode route
 description LAN link to HW-CORE-SW
 combo enable copper
 ip address 192.168.201.1 255.255.255.0
 packet-filter 2017 inbound
 qos car inbound carl 1 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass
 qos car inbound carl 2 cir 500 cbs 31250 ebs 0 green pass red discard yellow pass
 nat hairpin enable   # lets internal clients reach internal servers through the public address
 ip policy-based-route wan  # applies the policy-based route on the LAN interface
interface GigabitEthernet0/1
interface GigabitEthernet0/2
 description WAN 10M DSL
 ip address 14.xxx.xxx.xxx 255.255.255.252
 nat server protocol tcp global current-interface 21 inside 192.168.10.14 21  # port mappings for the relevant applications
 nat server protocol tcp global current-interface 25 inside 192.168.10.168 25
 nat server protocol tcp global current-interface 80 inside 192.168.10.14 80
 nat server protocol tcp global current-interface 110 inside 192.168.10.168 110
 nat server protocol tcp global current-interface 143 inside 192.168.10.168 143
 nat server protocol tcp global current-interface 5580 inside 192.168.10.14 8088
 nat server protocol tcp global current-interface 5581 inside 192.168.10.14 8081
interface GigabitEthernet6/0
 description WAN INT ADSL 100M
 pppoe-client dial-bundle-number 1
interface GigabitEthernet6/1
 description WAN CAIWU ADSL 100M
 pppoe-client dial-bundle-number 2
interface GigabitEthernet6/7
interface GigabitEthernet6/2
 port link-mode bridge
interface GigabitEthernet6/3
#
interface GigabitEthernet6/4
interface GigabitEthernet6/5
interface GigabitEthernet6/6
 scheduler logfile size 16
line class aux
 user-role network-admin
line class tty
 user-role network-operator
line class vty
line aux 0
line vty 0 15
 authentication-mode scheme
line vty 16 63
 ip route-static 0.0.0.0 0 14.XXX.XXX.888 track 1  # default route to the next-hop gateway
 ip route-static 0.0.0.0 0 Dialer1 preference 100
 ip route-static 0.0.0.0 0 Dialer2 preference 120
 ip route-static 192.168.10.0 24 192.168.201.254
 ip route-static 192.168.11.0 24 192.168.201.254
 ip route-static 192.168.16.0 24 192.168.201.254
 ip route-static 192.168.18.0 24 192.168.201.254
 ip route-static 192.168.61.0 24 192.168.201.254
acl basic 2000
 rule 0 permit source 192.168.10.0 0.0.0.255
 rule 1 permit source 192.168.11.0 0.0.0.255
 rule 2 permit source 192.168.18.0 0.0.0.255
acl basic 2001
 rule 0 permit source 192.168.61.0 0.0.0.255
acl basic 2002
 rule 0 permit source 192.168.16.0 0.0.0.255
acl basic 2003
 rule 0 permit
acl basic 2017                             # blocks certain IPs from reaching the Internet
 description Deny ip link to Internet
 rule 0 deny source 192.168.10.23 0
 rule 1 deny source 192.168.10.5 0
 rule 2 deny source 192.168.10.7 0
 rule 199 permit
acl advanced 3000
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255  # extra ACL so that traffic between internal subnets does not match the policy route and get sent out, which would break normal communication
domain system
 domain default enable system
user-group system
local-user admin class manage
 password hash $h$6$ROvXv3DjylL9HE6p$53Ib+gCLOkKDY58w+mO03hy0xqy8rQS5xAsuX1HyJFGpPF0EYjxg/8CPhmUWIs4NrNWKM78PWr6QckQj98RdjQ==
 service-type telnet http https
 authorization-attribute user-role network-admin
 ip http enable
 ip https enable
 track 1 nqa entry wan1 1 reaction 1   # binds track 1 to NQA reaction 1
return

Note: the highlighted text above marks the key configuration points. For cost reasons, some companies choose ADSL access as the backup link; with several fixed-IP broadband links, simply configure several NQA instances in the same way. The above is a work note.
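To make the interplay of the NQA reaction, track 1 and the policy-based route concrete, here is an added Python model of how the configuration above picks an egress for a LAN packet; it is an illustration written for this page, not H3C code and not from the original post. It assumes the page's masked gateway string stands in for the real next hop, that a static default route without an explicit preference keeps Comware's default of 60, and that the consecutive-failure counter resets on the first successful echo.

```python
"""Model of the page's NQA track / policy-based-route failover (added illustration, not H3C code)."""
import ipaddress

GATEWAY = "14.XXX.XXX.888"  # the page's masked fixed-line next hop, used here as an opaque label
LAN_ROUTES = ["192.168.10.0/24", "192.168.11.0/24", "192.168.16.0/24",
              "192.168.18.0/24", "192.168.61.0/24"]  # static routes via 192.168.201.254
ACL2000 = ["192.168.10.0/24", "192.168.11.0/24", "192.168.18.0/24"]


class NqaTrack:
    """track 1, driven by 'probe-fail threshold-type consecutive 6 action-type trigger-only'."""

    def __init__(self, threshold=6):
        self.threshold, self.failures, self.positive = threshold, 0, True

    def probe(self, success):
        # assumption: one successful echo resets the consecutive counter, so the track recovers
        self.failures = 0 if success else self.failures + 1
        self.positive = self.failures < self.threshold
        return self.positive


def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def routing_table(dst, track):
    """Static routes from the page; the default via GATEWAY is withdrawn while track 1 is negative."""
    if in_any(dst, LAN_ROUTES):
        return "192.168.201.254"
    # default routes ordered by preference: 60 (Comware static default) < 100 < 120
    defaults = [(60, GATEWAY, track.positive), (100, "Dialer1", True), (120, "Dialer2", True)]
    return next(hop for _, hop, valid in sorted(defaults) if valid)


def pbr_egress(src, dst, track):
    """policy-based-route wan, as applied inbound on GigabitEthernet0/0."""
    if in_any(src, ["192.168.0.0/16"]) and in_any(dst, ["192.168.0.0/16"]):
        return routing_table(dst, track)        # node 1: acl 3000 matched, no apply clause
    if in_any(src, ACL2000):                    # node 2: apply default-next-hop GATEWAY track 1
        if track.positive and not in_any(dst, LAN_ROUTES):
            return GATEWAY                      # default-next-hop: only when no specific route exists
        return routing_table(dst, track)        # track negative: the apply clause is ignored
    if in_any(src, ["192.168.61.0/24"]):        # node 3: apply output-interface Dialer1
        return "Dialer1"
    if in_any(src, ["192.168.16.0/24"]):        # node 4: apply output-interface Dialer2
        return "Dialer2"
    return routing_table(dst, track)            # node 5: empty permit node, normal forwarding


if __name__ == "__main__":
    t = NqaTrack()
    for _ in range(6): t.probe(False)           # six consecutive echo failures -> track 1 negative
    print(pbr_egress("192.168.10.20", "203.0.113.10", t))   # Dialer1 after failover
```

Five failures in a row leave track 1 positive; the sixth flips it, the gateway default route and node 2's next hop drop out, and ACL 2000 traffic falls to Dialer1 (preference 100) until a successful echo restores the track.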

This article is reposted from pimg2005's 51CTO blog; original link: http://blog.51cto.com/pimg2005/1896917 . Contact the original author before reposting.