客戶網絡環境:
一個小型辦公網絡,有兩家公司(A、B)在一個寫字樓辦公,共申請一條4M獨享VDSL專線(其中A是繳3M的專線費用,B是繳1M的專線費用),共60臺電腦左右,各30臺電腦,各三臺非網管24口D-LINK交換機,一臺華為1821路由器(1wan口,
4lan口)。
用戶特殊需求:
(1)、A、B不能互訪。
(2)、A、B都通過華為路由器DHCP獲取地址。
(3)、A、B帶寬必須劃分開,A享受3M帶寬,B享受1M帶寬(原來的時候B公司網絡流量過大經常影響到A公司網絡辦公)。
簡單解決方案:
根據現有網絡條件,實際上僅通過華為1821路由器可以實現以上功能,具體實施如下:
(1)、在華為路由器1821內部網關口(eth1/0)劃分子接口(eth1/0.1、eth1/0.2),分別配置兩個網關(192.168.0.1、192.168.0.2),并分別進行封裝與vlan2、vlan3相對應。
(2)、在華為路由器1821兩個lan口(eth1/1、eth1/2)劃分兩個vlan(vlan2、vlan3)。
(3)、分別在兩個不同的邏輯子接口(eth1/0.1、eth1/0.2)配置nat并應用。
(4)、分別在兩個不同的邏輯子接口(eth1/0.1、eth1/0.2)配置dhcp,在同一物理接口針對兩個vlan網絡應用dhcp來分配兩個不同的網段。
(5)、由于該路由器lan口為二層端口,無法實現qos car限速,只能考慮在其唯一的內部網關接口(eth1/0)的子接口上實現qos car限速達到帶寬限制的作用。
(6)、配置wan口地址(X、X、X、X),配置static route地址,大功告成。
(7)、配置用戶登錄(super、console、vty等)用戶名及密碼(這里僅配置密碼模式)。
華為1821路由器具體配置如下:
#
sysname Quidway
#
clock timezone gmt-12:000 minus 12:00:00
#
cpu-usage cycle 1min
#
connection-limit disable
connection-limit default action deny
connection-limit default amount upper-limit 50 lower-limit 20
#
web set-package force flash:/http.zip
#
radius scheme system
#
domain system
#
local-user *******
sysname Quidway
#
clock timezone gmt-12:000 minus 12:00:00
#
cpu-usage cycle 1min
#
connection-limit disable
connection-limit default action deny
connection-limit default amount upper-limit 50 lower-limit 20
#
web set-package force flash:/http.zip
#
radius scheme system
#
domain system
#
local-user *******
password cipher .]@*********
service-type telnet terminal
level 3
service-type ftp
#
acl number 2000 \ 配置nat Acl
rule 0 permit source 192.168.0.0 0.0.0.255
#
acl number 3000 \ 配置nat Acl
rule 0 permit ip source 192.168.1.0 0.0.0.255
acl number 3001 \配置 Firewall Acl
rule 0 deny ip destination 192.168.1.0 0.0.0.255
acl number 3002 \配置 Firewall Acl
rule 0 deny ip destination 192.168.0.0 0.0.0.255
#
interface Ethernet1/0
ip address dhcp-alloc
#
interface Ethernet1/0.1
ip address 192.168.0.1 255.255.255.0
dhcp select interface \ dhcp 應用于子接口
dhcp server dns-list 202.106.0.20 202.106.196.115
firewall packet-filter 3001 inbound \ firewall ACL過濾應用于接口
vlan-type dot1q vid 2 \子接口封裝dot1q
qos car inbound any cir 3072000 cbs 153600 ebs 1000 green pass red discard
service-type telnet terminal
level 3
service-type ftp
#
acl number 2000 \ 配置nat Acl
rule 0 permit source 192.168.0.0 0.0.0.255
#
acl number 3000 \ 配置nat Acl
rule 0 permit ip source 192.168.1.0 0.0.0.255
acl number 3001 \配置 Firewall Acl
rule 0 deny ip destination 192.168.1.0 0.0.0.255
acl number 3002 \配置 Firewall Acl
rule 0 deny ip destination 192.168.0.0 0.0.0.255
#
interface Ethernet1/0
ip address dhcp-alloc
#
interface Ethernet1/0.1
ip address 192.168.0.1 255.255.255.0
dhcp select interface \ dhcp 應用于子接口
dhcp server dns-list 202.106.0.20 202.106.196.115
firewall packet-filter 3001 inbound \ firewall ACL過濾應用于接口
vlan-type dot1q vid 2 \子接口封裝dot1q
qos car inbound any cir 3072000 cbs 153600 ebs 1000 green pass red discard
\流量限速qos car 配置
qos car outbound any cir 3072000 cbs 153600 ebs 1000 green pass red discard
qos car outbound any cir 3072000 cbs 153600 ebs 1000 green pass red discard
\流量限速qos car 配置
#
interface Ethernet1/0.2
ip address 192.168.1.1 255.255.255.0
dhcp select interface \ dhcp 應用于子接口
dhcp server dns-list 202.106.0.20 202.106.196.115
firewall packet-filter 3002 inbound \ firewall ACL過濾應用于接口
#
interface Ethernet1/0.2
ip address 192.168.1.1 255.255.255.0
dhcp select interface \ dhcp 應用于子接口
dhcp server dns-list 202.106.0.20 202.106.196.115
firewall packet-filter 3002 inbound \ firewall ACL過濾應用于接口
vlan-type dot1q vid 3 \子接口封裝dot1q
qos car inbound any cir 1024000 cbs 51200 ebs 1000 green pass red discard
qos car inbound any cir 1024000 cbs 51200 ebs 1000 green pass red discard
\流量限速qos car 配置
qos car outbound any cir 1024000 cbs 51200 ebs 1000 green pass red discard
qos car outbound any cir 1024000 cbs 51200 ebs 1000 green pass red discard
\流量限速qos car 配置
#
interface Ethernet1/1
port access vlan 2 \將e1/1端口加入vlan2
#
interface Ethernet1/1
port access vlan 2 \將e1/1端口加入vlan2
#
interface Ethernet1/2
port access vlan 3 \將e1/1端口加入vlan2
#
interface Ethernet1/3
#
interface Ethernet1/4
#
interface Ethernet2/0 \進入wan口配置
ip address X、X、X、X 255.255.255.224
nat outbound 3000
nat outbound 2000
#
interface NULL0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 y、y、y、y preference 60
#
user-interface con 0 \用戶登錄配置
authentication-mode password
set authentication password cipher 0HB8%-MB%I^[Q1R','&6NQ!!
user-interface vty 0 4
user privilege level 3
set authentication password cipher 0HB8%-MB%I^[Q1R','&6NQ!!
#
return
[Quidway]
interface Ethernet1/2
port access vlan 3 \將e1/1端口加入vlan2
#
interface Ethernet1/3
#
interface Ethernet1/4
#
interface Ethernet2/0 \進入wan口配置
ip address X、X、X、X 255.255.255.224
nat outbound 3000
nat outbound 2000
#
interface NULL0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 y、y、y、y preference 60
#
user-interface con 0 \用戶登錄配置
authentication-mode password
set authentication password cipher 0HB8%-MB%I^[Q1R','&6NQ!!
user-interface vty 0 4
user privilege level 3
set authentication password cipher 0HB8%-MB%I^[Q1R','&6NQ!!
#
return
[Quidway]
