Lab topology (after the branch upgrade)

Notes: none

Requirement: the branch must reach the HQ intranet server over an MPLS VPN leased line; in addition, an IPsec VPN over the Internet is deployed as a redundant path to the leased line.

1. IRF stacking

SW1 ================================
sys
int ran ten1/0/51 ten1/0/52
shutdown
irf member 1 priority 10
irf-port 1/1
port group interface ten1/0/51
irf-port 1/2
port group interface ten1/0/52
int ran ten1/0/51 ten1/0/52
no shutdown

SW2 ================================
sys
int ran ten1/0/51 ten1/0/52
shutdown
irf member 1 renumber 2
y
irf member 1 priority 5
irf-port 1/2
port group interface ten1/0/51
irf-port 1/1
port group interface ten1/0/52  
int ran ten1/0/51 ten1/0/52
no shutdown

SW1/2  ================================
# Save and activate the configuration on both switches at the same time, then reboot SW2; SW1 reboots automatically afterwards
save f
irf-port-configuration act

# Reboot after activation
reboot
y

# Check the IRF stack
dis irf

2. Link aggregation

SW1 ================================
sysname Core
int Bridge-Aggregation 1
link-aggregation mode dynamic 
int ran g1/0/41 g2/0/41 
port link-aggregation group 1

int Bridge-Aggregation 2
link-aggregation mode dynamic 
int ran g1/0/42 g2/0/42
port link-aggregation group 2

int Bridge-Aggregation 3
link-aggregation mode dynamic 
int ran g1/0/10 g2/0/10
port link-aggregation group 3

int Route-Aggregation 1
link-aggregation mode dynamic 
int ran g1/0/1 g2/0/1
port link-mode route
port link-aggregation group 1

Access1 ================================
sys
sysname Access1 
int Bridge-Aggregation 1
link-aggregation mode dynamic 
int ran g1/0/23 g1/0/24
port link-aggregation group 1

Access2 ================================
sys
sysname Access2 
int Bridge-Aggregation 2
link-aggregation mode dynamic 
int ran g1/0/23 g1/0/24
port link-aggregation group 2

AC1 ================================
sys
sysname AC1 
int Bridge-Aggregation 3
link-aggregation mode dynamic 
int ran g1/0/1 g1/0/2
port link-aggregation group 3

FW-1 ================================
sys
sysname FW-1
int Route-Aggregation 1
link-aggregation mode dynamic 
int ran g1/0/1 g1/0/2
port link-aggregation group 1


# Check aggregation port status; all four aggregation groups should show their member ports as Selected
dis link-aggregation summary

# Optionally change the LACP system priority on the core so that it becomes the active end of the aggregation
lacp system-priority 16384

3. VLANs and port types

SW1 ================================
# The newer switch model in the simulator (S6850) can define multiple VLANs in one command
vlan 10 20
int ran Bridge-Aggregation 1 Bridge-Aggregation 2
port link-type trunk
port trunk permit vlan 10 20

Access1 ================================
vlan 10
vlan 20
int g1/0/1
port access vlan 10

int ran Bridge-Aggregation 1
port link-type trunk
port trunk permit vlan 10 20
Access2 ================================
vlan 10
vlan 20
int g1/0/1
port access vlan 20

int ran Bridge-Aggregation 2
port link-type trunk
port trunk permit vlan 10 20

4. Inter-VLAN routing

SW1 ================================
int vl 10
ip add 10.1.10.254 24
int vl 20
ip add 10.1.20.254 24 

PC1 ================================
# First give PC1 a static address
Change the address directly in the GUI

Server2 ================================
# The NIC configuration file must be edited
vi /etc/network/interfaces
# First delete the gateway line under eth0 (dd)
# Then change the address and gateway of eth1
# This needs some basic Linux vi knowledge; look it up online if unfamiliar

wq! After the configuration file is saved, restart the network service
service networking restart

# Finally, PC1 and Server2 should be able to reach each other

5. DHCP

SW1 ================================
dhcp enable
dhcp server ip-pool DHCP_POOL
gateway-list 10.1.10.254
network 10.1.10.0 mask 255.255.255.0
dns-list 8.8.8.8
# Change the lease time
expired day 0 hour 8
# The MAC address can be looked up on the access switch with dis mac-address
static-bind ip-address 10.1.10.10 mask 255.255.255.0 hardware-address 72d2-8cd0-0a06

6. WLAN Layer 3 deployment

AP1 ================================
# First collect the AP information (MAC address, serial number, model)
dis wlan ap

SW1 ================================
vlan 254

int ran Bridge-Aggregation 1 Bridge-Aggregation 2
port trunk permit vlan 254

vlan 100
int Bridge-Aggregation 3
port link-type trunk 
port trunk permit vlan 100

int vl 100
ip add 10.0.100.254 24 

# Management address
int vl 254
ip add 10.1.254.254 24
dhcp server ip-pool AP_POOL
gateway-list 10.1.254.254
network 10.1.254.0 mask 255.255.255.0
# Layer 3 deployment uses option 43; reading the hex value:
# 80 is the type, 07 is the length, the next four zeros are reserved, then 01 is the number of ACs, and the last 8 hex digits are the AC IP address in hexadecimal
option 43 hex 80070000010a00640a
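As an added example (not part of the original lab notes), a small Python helper that builds and parses the option 43 value using exactly the layout described above, so the hex string can be checked instead of typed by hand; the only assumption is that layout (type 0x80, length, two reserved bytes, AC count, AC addresses).

```python
import ipaddress

# Added example: encode/decode the vendor-specific DHCP option 43 value used for
# AC discovery. Layout as in the note above: 0x80 (sub-option type), length byte,
# two reserved zero bytes, AC count, then each AC IPv4 address as 4 bytes.

def encode_option43(ac_ips):
    """Return the hex string for 'option 43 hex ...' carrying the given AC addresses."""
    if not 0 < len(ac_ips) <= 255:
        raise ValueError("need between 1 and 255 AC addresses")
    body = bytes([0x00, 0x00, len(ac_ips)])          # reserved (0000) + AC count
    for ip in ac_ips:
        body += ipaddress.IPv4Address(ip).packed      # 4 bytes per AC, network order
    return (bytes([0x80, len(body)]) + body).hex()    # type 0x80, then the length byte

def decode_option43(hex_str):
    """Parse a hex option 43 value and return the AC addresses it carries.
    Raises ValueError on a wrong type byte or an inconsistent length/count."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 5 or raw[0] != 0x80:
        raise ValueError("not a type 0x80 AC-address sub-option")
    length, body = raw[1], raw[2:]
    if len(body) != length:
        raise ValueError(f"length byte is {length} but {len(body)} bytes follow")
    count = body[2]
    if length != 3 + 4 * count:
        raise ValueError("AC count does not match the length byte")
    return [str(ipaddress.IPv4Address(body[3 + 4 * i:7 + 4 * i])) for i in range(count)]

if __name__ == "__main__":
    print(encode_option43(["10.0.100.10"]))       # the value configured on SW1 above
    print(decode_option43("80070000010a00640a"))  # the same value read back
```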


Access1 ================================
vlan 254

int ran Bridge-Aggregation 1 
port trunk permit vlan 254

int g1/0/10
port link-type trunk
port trunk permit vlan 10 254
port trunk pvid vlan 254
# Management VLAN: frames received must be tagged to reach SW1, and frames sent must be untagged to reach AP1

Access2 ================================
vlan 254

int ran Bridge-Aggregation 2
port trunk permit vlan 254

AC1 ================================
vlan 100
int Bridge-Aggregation 3
port link-type trunk 
port trunk permit vlan 100

int vl 100
ip add 10.0.100.10 24 
ip route-static 0.0.0.0 0 10.0.100.254 

# Wireless configuration
wlan ap AREA_1 model WA6320-HCL 
serial-id H3C_72-D1-C9-F8-09-00
quit
wlan service-template vap_pro
ssid H3C
vlan 10
client forwarding-location ap
service-template enable
wlan ap AREA_1
radio 1
service-template vap_pro
radio enable 

# After the AP DHCP pool is configured on the Core, enter the VLAN 1 interface on AP1 and bounce it; once it obtains an address you are done
If AP1 does not obtain an address, check these common mistakes:
1. VLAN 254 is not permitted on the inter-switch links.
2. The PVID of the access port on Access1 must be changed to the management VLAN 254.

# Change the AP port type; in the simulator it can be edited directly, but in production it is recommended to push the configuration by uploading a MAP file on the AC
AC1 ================================
ip https enable
local-user admin class manage
password simple H3c@123456
authorization-attribute user-role network-admin
int g1/0/0
port link-mode route
ip address 136.1.2.10 24
# It only needs to reach the address of the local loopback adapter; then open https://136.1.2.10 in a browser

MAP.txt file contents ================================
system-view
vlan 10
int g0/0/0
   port link-type trunk
   port trunk permit vlan 10


# Check wireless status
Check online APs
dis wlan ap all
Check clients
dis wlan client

Procedure for pushing configuration by uploading a MAP file on the AC (MAP.txt contents shown above)

Click the MAP.txt file, choose a local file to upload, and after the upload succeeds click OK below.

Then check the configuration on the AP: the MAP configuration pushed by the AC has taken effect.

Open the wireless terminal and connect to the wireless network; as shown in the figure, it obtains an address normally.

7. Firewall security zones, security policies and routing

SW1 ================================
int Route-Aggregation 1
ip address 10.0.0.254 24

# Configure after the firewall permits the traffic
ospf 1
a 0
a 1
int ran vl10 vl20
ospf 1 area 1
int Route-Aggregation 1
ospf 1 area 0

# Check neighbor state
dis ospf peer
# Check the routing table; the firewall has learned the intranet routes
dis ip routing-table  protocol ospf 

FW-1 ================================
int Route-Aggregation 1
ip address 10.0.0.12 24

security-zone name Trust
import interface Route-Aggregation 1

security-zone name DMZ
import interface g1/0/3

security-zone name Untrust
import interface g1/0/0

security-zone name MPLS
import interface g1/0/4

ospf 1 
area 0
netw 10.0.0.0 0.0.255.255
quit

# Permit local to anywhere, and permit OSPF packets from the Trust zone to local
security-policy ip
rule name local->any
source-zone local
action pass 
quit
rule name in->local
source-zone trust
destination-zone local
service ospf
action pass

8. OSPF authentication, network type, silent interfaces and special areas

# Add authentication to OSPF, and change the network type to p2p to speed up convergence
# Change area 1 to a totally stub area to shrink the LSDB to a minimum

FW-1 ================================
ospf 1
area 0
authentication-mode md5 1 plain H3c@123456

int Route-Aggregation 1
ospf netw p2p

SW1 ================================
int Route-Aggregation 1
ospf authentication-mode md5 1 plain H3c@123456
ospf netw p2p

ospf 1
# Silent interfaces
silent-interface Vlan-interface10
silent-interface Vlan-interface20
a 1
# Change to a totally stub area
stub no-summary

# The internal network is basically complete; other features such as convergence tuning and route filtering can be added later

9. Firewall NAT

FW-1 ================================
int g1/0/0
ip add 136.1.122.12 24 

ip route-static 0.0.0.0 0 136.1.122.2

ospf 1 
default-route-advertise

nat address-group 1
address 136.1.122.16 136.1.122.19

nat global-policy
rule name NAPT
source-zone trust
destination-zone untrust
source-ip subnet 10.1.10.0 24
action snat address-group 1

security-policy ip
rule name in->out
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.10.0 24
action pass

# After the configuration, ping the Internet loopback address from PC1; success means OK

internet ================================
sys
sysname internet
int l0
ip add 130.1.2.2 32
int g0/0
ip add 136.1.122.2 24
int g0/1
ip add 136.1.2.2 24
int g0/2 
ip add 136.1.12.1 24

10. NAT Server

FW-1 ================================
int g1/0/0
nat server protocol tcp global 136.1.122.10 16666 inside 10.1.0.10 81 reversible
# reversible is added so that the internal server on the private side can also initiate access to the outside

security-policy ip
rule name out->dmz
source-zone untrust
destination-zone dmz
destination-ip-host 10.1.0.10
service-port tcp destination 81
action pass

int g1/0/3
ip add 10.1.0.12 24

Server1 ================================
First change the address, same method as for Server2
ip 10.1.0.10 24 gw 10.1.0.12
After that, the firewall should be able to ping this address.

NAT server test

Way 1: configure a tunnel and use the Client in Huawei eNSP for a web test

First create a Cloud in the HCL simulator with local port 50000 and remote port 20000.

Add a Cloud in eNSP in the order shown in the figure. The eNSP Cloud's listening port and remote port are the HCL Cloud's remote port and local port respectively.

Add the bidirectional channel as shown in the figure.

The Client's address must be in the same subnet as port 1 of the internet router in the HCL simulator, and that port's address is the Client's gateway.

When done, ping the Client's address from the HCL internet router; success means OK.

Finally, on the eNSP Client, open the client message tab and visit http://136.1.122.10:16666; reaching the web page means OK.

Note: "Connect server failure." also counts as success, because it is a bug of the HCL simulator.

Way 2: connect through the host's local loopback adapter and set the loopback adapter's address in the same subnet as port 1 of the internet router.

Then access it directly from the local browser; not demonstrated here.

The following configurations all refer to the topology before the branch upgrade:

(topology figure: branch before the upgrade)

11. Port isolation

SW3 ================================
sys
sysname SW3
vl 10 
int ran g1/0/1 g1/0/2 
port access vlan 10

port-isolate group 1
int ran g1/0/1 g1/0/2 
port-isolate enable group 1

# After configuration, check the isolation group ports with dis port-isolate group
# Because of a simulator bug, ports in the isolation group can still reach each other during testing

12. Port security

SW3 ================================
port-security enable
int ran g1/0/1 g1/0/2
# Maximum number of MAC addresses the port may learn
port-security max-mac-count 2
# Let the port learn MAC addresses automatically
port-security port-mode autolearn
# Intrusion protection action: temporarily disable the port
port-security intrusion-mode disableport-temporarily
quit
# Temporary port disable time: 300 s
port-security timer disableport 300

13. DHCP Snooping

SW3 ================================
dhcp enable
dhcp snooping enable
int g1/0/24
dhcp snooping trust
int ran g1/0/1 g1/0/2 
# Record DHCP snooping bindings
dhcp snooping binding record
# Check MAC addresses
dhcp snooping check mac-address
# Limit the DHCP packet rate
dhcp snooping rate-limit 100

14. DHCP relay

SW3 ================================
int g1/0/24
port link-mode route
ip address 172.16.13.3 24

int vl 10
ip add 172.16.10.254 24
dhcp select relay
dhcp relay server-address 172.16.13.1

int ran g1/0/1 g1/0/2 
stp edged-port  

R1 ================================
sys
sysname R1
int g0/1
ip add 172.16.13.1 24 
ip route-static 172.16.10.0 24 172.16.13.3

dhcp enable
dhcp server ip-pool pool
network 172.16.10.0 24
gateway-list 172.16.10.254

# After configuration, once an address is obtained, check the binding table on SW3 with dis dhcp snooping binding
# Check the secure MAC address table on SW3 with dis port-security mac-address security

15. PPPoE

R1 ================================
int Dialer 1
# Enable the dialer bundle
dialer bundle enable
# Auto-dial interval 10 s
dialer timer autodial 10
# Idle timeout 0 s
dialer timer idle 0
# Negotiate the address via PPP
ip address ppp-negotiate
# CHAP user name and password for negotiation
ppp chap user h3c
ppp chap password simple h3c@123456
# Bind the dialer interface; the trailing 1 is the dialer bundle ID
int g0/2
pppoe-client dial-bundle-number 1

ip route-static 0.0.0.0 0 Dialer 1

internet ================================
local-user h3c class network
password simple h3c@123456
service-type ppp
ip pool user_pool 136.1.12.16 136.1.12.19
int Virtual-Template 1
ip address unnumbered int g0/2
ppp authentication-mode chap
remote address pool user_pool

int g0/2
pppoe-server bind virtual-template 1

# After configuration, check the PPPoE session state on R1 with dis pppoe-client session summary

16. Easy IP

R1 ================================
acl basic 2000
rule  permit source 172.16.10.0 0.0.0.255 
# Note that NAT is bound on the dialer interface
int Dialer 1
nat outbound 2000

# After configuration, ping the Internet address from the PC; success means OK

17. SSH remote login

R1 ================================
ssh server enable 
local-user admin class manage 
password simple h3c@123456
authorization-attribute user-role network-admin

ssh user admin service-type stelnet authentication-type password
public-key local create rsa
Y
1024
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh 

# After configuration, test from the Internet router by opening SSH to the public address obtained by R1

18. Routing: IS-IS

NE1 ================================
sys
sysname NE1
int l0
ip add 150.1.1.1 32 
int g0/0/1
ip add 155.1.12.1 24 

isis
net 49.0000.0000.0000.0001.00
is-level level-2
int ran l0 g0/0/1
isis en

NE2 ================================
sys
sysname NE2
int l0
ip add 150.1.2.2 32 
int g0/0/1 
ip add 155.1.12.2 24 
int g0/0/2 
ip add 155.1.23.2 24

isis
net 49.0000.0000.0000.0002.00
is-level level-2
int ran g0/0/1 g0/0/2 l0
isis en

NE3 ================================
sys
sysname NE3
int l0
ip add 150.1.3.3 32 
int g0/0/2 
ip add 155.1.23.3 24 

isis
net 49.0000.0000.0000.0003.00
is-level level-2
int ran l0 g0/0/2
isis enable


# After configuration, check adjacencies on NE2 with dis isis peer
# dis ip routing-table protocol isis should show the loopback addresses of NE1 and NE3

19. MPLS LDP

NE1 ================================
mpls lsr-id 150.1.1.1
mpls ldp
int g0/0/1
mpls enable 
mpls ldp enable

NE2 ================================
mpls lsr-id 150.1.2.2
mpls ldp
int ran g0/0/1 g0/0/2
mpls enable 
mpls ldp enable

NE3 ================================
mpls lsr-id 150.1.3.3
mpls ldp
int g0/0/2
mpls enable 
mpls ldp enable

# On NE2, check the LDP peers with dis mpls ldp peer; state Operational means OK
# dis mpls lsp shows the device's label switched paths

20. MP-BGP

NE1 ================================
bgp 100
peer 150.1.2.2 as 100
peer 150.1.2.2 con l0
add vpnv4
peer 150.1.2.2  en

NE2 ================================
# NE2 acts as the VPNv4 route reflector; NE1 and NE3 are reflector clients

bgp 100
peer 150.1.1.1 as 100
peer 150.1.1.1 con l0
peer 150.1.3.3 as 100
peer 150.1.3.3 con l0
add vpnv4
peer 150.1.1.1  en
peer 150.1.3.3  en
# Disable RT filtering
no policy vpn-target
peer 150.1.1.1   reflect-client
peer 150.1.3.3   reflect-client

NE3 ================================
bgp 100
peer 150.1.2.2 as 100
peer 150.1.2.2 con l0
add vpnv4
peer 150.1.2.2  en


# After configuration, check the VPNv4 peers on NE2 with dis bgp peer vpnv4.
# All Established means the sessions are up.

21. MPLS VPN

NE1 ================================
ip vpn-instance VRF_A
route-distinguisher 100:1
vpn-target 100:3 import-extcommunity
vpn-target 100:1 export-extcommunity
int g0/0/0
ip binding vpn-instance VRF_A
ip address 100.1.121.1 24

bgp 100
ip vpn-instance VRF_A
peer 100.1.121.12 as 65000
add ipv4 
peer 100.1.121.12 en

NE3 ================================
ip vpn-instance VRF_A
route-distinguisher 100:3
vpn-target 100:3 export-extcommunity
vpn-target 100:1 import-extcommunity
int g0/0/0
ip binding vpn-instance VRF_A
ip address  100.1.13.3 24 

bgp 100
ip vpn-instance VRF_A
peer 100.1.13.1 as 65000
add ipv4
peer 100.1.13.1 en

FW-1 ================================
int g1/0/4
ip address 100.1.121.12 24 

bgp 65000
peer 100.1.121.1 as 100
add ipv4
peer 100.1.121.1 en

ip prefix-list net20 permit 10.1.20.0 24 
route-policy ospf->bgp permit node 10
if-match ip address prefix-list net20
bgp 65000
add ipv4
import-route ospf  1 route-policy ospf->bgp

R1 ================================
int g0/0
ip add 100.1.13.1 24

bgp 65000
peer 100.1.13.3 as 100
add ipv4
peer 100.1.13.3 en
netw 172.16.10.0 24

# After configuration, on NE1 and NE3 run dis bgp peer ipv4 vpn-instance VRF_A
# to check whether the IPv4 VPN-instance peers are Established
# On NE1 and NE3 run dis bgp routing-table ipv4 vpn-instance VRF_A
# to check whether the HQ and branch routes have been learned

# Then on the HQ firewall FW-1 run dis bgp routing-table ipv4
# The branch routes are not there. Why?
# HQ and branch both use AS 65000 with eBGP in between, so AS-path loop detection rejects the routes

# Solution
NE1 ================================
bgp 100
ip vpn-instance VRF_A
peer 100.1.121.12 substitute-as
NE3 ================================
bgp 100
ip vpn-instance VRF_A
peer 100.1.13.1 substitute-as

# substitute-as resolves the loop-detection problem caused by the duplicate AS number
# The core idea is to replace the CE's AS number with the local AS number

# Finally check the routes at HQ and branch with dis bgp routing-table ipv4
# HQ and branch now learn each other's routes with AS 100 in the AS path

FW-1 ================================
# Adjust the security policy so that the branch PC can ping the HQ intranet server
security-policy ip
rule name mpls->in
source-zone mpls
destination-zone trust
source-ip-subnet 172.16.10.0 24
destination-ip-host 10.1.20.10
action pass 

# Finally ping the HQ intranet server address from the branch PC; success means OK

22. IPsec VPN

# Since R1 dials up and its address is not fixed, the traditional approach does not work; a policy template must be used

R1  ================================
ike proposal 10
authentication-method pre-share
dh group2
encryption-algorithm 3des-cbc 
authentication-algorithm sha

ike keychain lan_key
pre-shared-key address 136.1.122.12 key simple H3c@123456

ike profile ike_pro
proposal 10
keychain lan_key
local-identity fqdn R1
match remote identity fqdn FW1

ipsec transform-set  lan_set 
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1

acl advanced 3000
rule permit ip source 172.16.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255 

ipsec policy lan_map 10 isakmp
security acl 3000
ike-profile ike_pro
transform-set lan_set
remote-address 136.1.122.12
# The simulator has a bug; switch to automatic SA triggering
sa trigger-mode auto

# Note that the policy is applied on the dialer interface
int Dialer 1
ipsec apply policy lan_map

FW-1 ================================
ike proposal 10
authentication-method pre-share
dh group2
encryption-algorithm 3des-cbc 
authentication-algorithm sha

ike keychain lan_key
# The remote address is not fixed; the pre-shared key is the same on both sides
pre-shared-key address 0.0.0.0 0 key simple H3c@123456

ike profile ike_pro
proposal 10
keychain lan_key
local-identity fqdn FW1
match remote identity fqdn R1

ipsec transform-set  lan_set 
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1

ipsec policy-template dy_map 10
transform-set lan_set
ike-profile ike_pro

ipsec policy lan_map 10 isakmp template dy_map

int g1/0/0
ipsec apply policy lan_map

# Adjust the security policy
security-policy ip
rule name out->local
source-zone untrust
destination-zone local
service ike
service ipsec-esp
action pass


# After configuration, check the VPN status with the following commands
dis ipsec  sa
dis ike sa    
dis ipsec sa brief

security-policy ip
rule name out->in
source-zone untrust
destination-zone trust
source-ip-subnet 172.16.10.0 24
destination-ip-host 10.1.20.10
action pass 

# To support the tracert test later, enable these on every device along the path
ip unreachables enable
ip ttl-expires enable

# Then ping the HQ intranet server 10.1.20.10 from the branch PC; it works, because the MPLS VPN path is taken by default
# Shut down port 0 on R1 so the MPLS VPN path is not used; the ping now fails
# Troubleshooting: create a test rule on the firewall and enable hit counting

FW-1 ================================
security-policy ip
rule  name  test
counting enable 
action drop 

# After that, ping the HQ server from the branch PC again, then on the firewall
# run dis security-policy ip brief to see whether rule test has any hits
# It has none
# The root cause is Easy IP on R1: NAT takes priority over IPsec,
# so all traffic leaving the dialer interface is translated by NAT first
# Solution: rewrite the NAT ACL to exclude the branch-intranet-to-HQ-server traffic and permit everything else

R1 ================================
# Only the traffic from the branch intranet to the HQ intranet server needs to be denied
acl advanced 3001
rule deny ip source 172.16.10.0 0.0.0.255 destination 10.1.20.10 0
rule permit ip

int Dialer 1
no nat outbound 2000
nat outbound 3001
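An added example (not from the lab notes) that models the order of decisions on Dialer 1 described above: the NAT outbound ACL is consulted first, so a flow it permits is translated and never matches the IPsec interesting-traffic ACL 3000. The ACL tables are a constructed simplification of ACL 2000, 3001 and 3000 from the page, using H3C address/wildcard semantics with first match wins.

```python
import ipaddress

# Added example: constructed model of the packet decisions on R1's Dialer 1.
# Rule tuples are (action, source, destination) with H3C (address, wildcard)
# pairs; the first matching rule wins. NAT is evaluated before IPsec.

ANY = ("0.0.0.0", "255.255.255.255")

ACL_2000 = [("permit", ("172.16.10.0", "0.0.0.255"), ANY)]                        # original Easy IP ACL (source only)
ACL_3001 = [("deny", ("172.16.10.0", "0.0.0.255"), ("10.1.20.10", "0.0.0.0")),    # NAT exemption for the HQ server
            ("permit", ANY, ANY)]
ACL_3000 = [("permit", ("172.16.10.0", "0.0.0.255"), ("10.1.20.0", "0.0.0.255"))]  # IPsec interesting traffic

def wildcard_match(addr, base, wildcard):
    """H3C ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_action(rules, src, dst):
    """Action of the first rule matching the flow, or None if nothing matches."""
    for action, (sb, sw), (db, dw) in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return None

def dialer_path(nat_acl, src, dst):
    """What happens to a packet leaving Dialer 1: NAT is evaluated first, so a
    flow the NAT ACL permits is translated and never reaches the IPsec policy."""
    if acl_action(nat_acl, src, dst) == "permit":
        return "nat"
    if acl_action(ACL_3000, src, dst) == "permit":
        return "ipsec"
    return "plain"

if __name__ == "__main__":
    for acl, name in ((ACL_2000, "ACL 2000"), (ACL_3001, "ACL 3001")):
        print(name, "branch PC -> HQ server:", dialer_path(acl, "172.16.10.5", "10.1.20.10"))
```

Note that ACL 3001 exempts only the host 10.1.20.10, while ACL 3000 covers all of 10.1.20.0/24; a flow to another host in that subnet is still translated, so the deny rule should mirror the interesting-traffic ACL if the whole subnet is meant to go through the tunnel.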

# After the change, ping works again. tracert shows no intermediate hops because the ICMP packets returned by transit devices do not match the interesting traffic,
# so they cannot come back through the VPN tunnel and are not shown; only the last hop is shown.

# Remember to restore the environment afterwards: bring port 0 on R1 back up

23. Multicast: PIM-SM

NE1  ================================
multicast routing 
int g0/0/2
ip add 155.1.1.1 24 
pim sm
isis en
int g0/0/1
pim sm

NE2  ================================
multicast routing 
int ran g0/0/1 g0/0/2 
pim sm

int l0
pim sm 
quit
pim
c-bsr 150.1.2.2
c-rp 150.1.2.2


NE3  ================================
multicast routing 
int ran g0/0/1 g0/0/2 
pim sm 

int g0/0/1
ip add 155.1.3.3 24
igmp enab


# Check BSR information
dis pim bsr-info
# Check RP information
dis pim rp-info


# After the eNSP multicast server and client have joined successfully, the (*, G) entry can be seen on NE3
dis pim routing-table
# After a video is started on the multicast server, the (S, G) entry appears

Multicast test, using the eNSP multicast server and client

In the HCL simulator, add two clouds, one for the multicast server and one for the client, and build bidirectional tunnels to the eNSP multicast server and client respectively.

HCL multicast server (cloud)

Multicast client (cloud)

eNSP multicast server (cloud)

Multicast client (cloud)

Multicast server address configuration:

Client address configuration:

Remember to click the destination MAC first, then click Join.

After joining the group, check dis pim route on NE3; a (*, G) entry means the bridging works.

The (S, G) entry appears only after traffic is pushed, so push some traffic next.

Multicast source send test: set the group address to 239.1.1.1, select a video file, and click Run.

Note: the multicast MAC address field must be clicked first so it is filled in automatically, then click Run.

If the client plays the video sent by the multicast server normally, the test is OK.

24. IPv6 6to4 automatic tunnel

NE1  ================================
int Tunnel 0 mode ipv6-ipv4 6to4
ipv6 address 2002:9601:0101::1/64
source LoopBack 0

ipv6 route-static 2002::  16 Tunnel 0

int g0/0/2
ipv6 address 2001:155:1:1::1/64

bgp 100
peer  2002:9601:0303::3 as 100
add ipv6
peer  2002:9601:0303::3 en
netw 2001:155:1:1::  64

NE3  ================================
int Tunnel 0 mode ipv6-ipv4 6to4
ipv6 address 2002:9601:0303::3/64
source LoopBack 0

ipv6 route-static 2002::  16 Tunnel 0

int g0/0/1
ipv6 address 2001:155:1:3::3/64

bgp 100
peer   2002:9601:0101::1 as 100
add ipv6
peer   2002:9601:0101::1  en
netw  2001:155:1:3::  64


# Once the tunnel and routes are up, run an IPv6 ping test
ping ipv6 2002:9601:0303::3
# The IPv6 address of NE1 port 2 reaches the IPv6 address of NE3 port 1 through the 6to4 tunnel
# Check the BGP IPv6 peers
dis bgp peer ipv6

# Check the BGP IPv6 routes
dis bgp routing-table ipv6

# After the routes are learned, do a source-specified ping on NE1 or NE3; success means OK
ping ipv6 -a 2001:155:1:1::1  2001:155:1:3::3
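An added example (not part of the lab notes) showing where the 2002: addresses above come from: a 6to4 router derives its /48 from its IPv4 tunnel source and recovers the peer's IPv4 tunnel endpoint from the peer's 6to4 address, which is why the Tunnel 0 interfaces need only a source and a 2002::/16 route. It assumes nothing beyond the standard 6to4 address format (2002:V4ADDR::/48).

```python
import ipaddress

# Added example: 6to4 address arithmetic (2002:V4ADDR::/48) for the Tunnel 0
# interfaces on NE1 and NE3. The embedded IPv4 address occupies bits 80..111
# of the IPv6 address, directly below the 0x2002 prefix.

SIXTO4 = ipaddress.IPv6Network("2002::/16")

def sixto4_prefix(ipv4):
    """The /48 a 6to4 router owns for IPv4 tunnel source W.X.Y.Z: 2002:WWXX:YYZZ::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network((int(SIXTO4.network_address) | (v4 << 80), 48)))

def sixto4_tunnel_endpoint(ipv6):
    """IPv4 destination a 6to4 router encapsulates to when forwarding to this address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))

def address_matches_source(ipv6, source_ipv4):
    """True when the 6to4 address lies inside the /48 derived from the tunnel source,
    i.e. packets for it really will be encapsulated towards this router."""
    return ipaddress.IPv6Address(ipv6) in ipaddress.IPv6Network(sixto4_prefix(source_ipv4))

if __name__ == "__main__":
    print(sixto4_prefix("150.1.1.1"))                   # NE1's /48 from LoopBack 0
    print(sixto4_tunnel_endpoint("2002:9601:0303::3"))  # NE1 tunnels to NE3's loopback
```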

25. SSL VPN

FW-1  ================================
# Define the SSL gateway address
sslvpn gateway ssl_gw
ip add 136.1.122.12
service enable

sslvpn context ssl_context

# User dial-in interface
int SSLVPN-AC 1
ip add 192.168.66.12 24

sslvpn context ssl_context
# Bind the gateway
gateway ssl_gw
# Bind the dial-in interface
ip-tunnel interface SSLVPN-AC 1
# Bind the ACL (route list)
ip-route-list ssl_acl
# Specify the HQ internal subnet that may be accessed
include 10.1.20.0 24

# User address range
sslvpn ip address-pool ssl_pool 192.168.66.101 192.168.66.110

sslvpn context ssl_context
# Bind the address pool
ip-tunnel address-pool ssl_pool mask 24
# Create the policy group
policy-group ssl_group
# Bind the address pool and route list to the group
ip-tunnel address-pool ssl_pool mask 24
ip-tunnel access-route ip-route-list ssl_acl

sslvpn context ssl_context
# Make it the default policy group for users
default-policy-group ssl_group
# Enable the service
service enable

# Create a new security zone and adjust the security policy
security-zone name VPN
import interface SSLVPN-AC 1

security-policy ip
rule name out->local
service-port tcp destination 443

security-policy ip
rule name vpn->in
source-zone vpn
destination-zone trust
source-ip-subnet 192.168.66.0 24
destination-ip-host 10.1.20.10
action pass
exit
# Delete rule 7, created earlier for testing
no rule 7

local-user user class network 
service-type sslvpn 
authorization-attribute sslvpn-policy-group ssl_group
password simple H3c@123456


# After everything is configured, test from a virtual machine with the iNode client
iNode installer package: none available

The server connected to the internet router is a Win10 VM in VMware Workstation, bridged to the local loopback adapter,

the same adapter selected in the HCL simulator.

Then change the Win10 IP address and gateway to match port 1 of the internet router in the figure above.

After the addresses are configured, run a ping test; success means OK.


Open the iNode intelligent client, enter the configured SSL gateway address (usually the public outbound interface address), then enter the created user name and password to connect. If the connection succeeds, as in the figure, an address from the 66 subnet of the configured address pool is assigned.

(No iNode client installer was found, so there is no SSL VPN connection screenshot here)

After connecting to the VPN, ping the HQ intranet server; success means OK. Services such as FTP can also be configured on the intranet server for more detailed tests; not demonstrated here.

The firewall VPN can also be configured through the web UI: bridge a local adapter on the host to the firewall's management port, give the management port an address in the same subnet as the bridged adapter, and open the management port address in a browser.

The settings made earlier on the command line are also visible in the web UI.

Supplement: branch network upgrade (topology)

(topology figure: branch network after the upgrade)

26. M-LAG (multi-chassis link aggregation)

The branch adds aggregation switches between the access and egress devices; for redundancy, the aggregation layer devices run M-LAG, multi-chassis link aggregation.

Branch upgrade configuration:

doing...

27. Results and final tests

M-LAG status, M-LAG group status and the state of each aggregation port on SW4:

tracert from the branch PC to the HQ intranet server. The first tracert goes through the MPLS VPN tunnel. The second tracert, run after shutting down port 0 on R1, goes through the IPsec VPN tunnel; two hops in the middle are missing because the firewall security policy only permits the ipsec-esp and ike services, so the ICMP request/reply packets of tracert involving the transit devices do not match the interesting traffic and are filtered by the firewall. The path is still usable and ping works, as shown in the third red box of the figure.

Route learning on FW-1 and R1

Route learning on NE1 and NE3

FW-1 IPsec SA and IKE SA

R1 IPsec SA and IKE SA

Multicast entries on NE2/NE3.

Multicast entries on NE1

All online APs and online clients on AC1

Firewall security zones

Done.