Huawei AR Cross-Site Networking Solution

Current environment:

[Figure: Huawei AR cross-site networking solution, topology diagram]

Headquarters (HQ) and the branch are completely independent; each has its own management network, production network and office network. The management and production networks are not allowed to connect to the internet or to reach the office network.

Requirements:

  1. The office network egresses through the local ADSL line
  2. The branch production network egresses through HQ
  3. The HQ production network must be reachable from the branch production network and vice versa

Solution:

1: HQ builds an L2TP VPN for the branch to connect to, and policy-based routing is configured on the branch so that the office segment leaves by default through the ADSL line and the production segment leaves by default through the L2TP VPN tunnel. Note that L2TP by itself only authenticates the tunnel and the PPP session; the tunneled payload crosses the internet unencrypted, which is what IPSec (section 2) provides.

HQ AR configuration

==========Basic configuration==========
# Configure interface IP addresses
[LNS] interface gigabitEthernet 1/0/0
[LNS-GigabitEthernet1/0/0] ip address 119.136.19.1 255.255.255.248
[LNS] interface gigabitEthernet 2/0/0
# Management-network gateway: the network address 30.0.0.0 itself cannot be assigned to an interface, so .254 is used like the other gateways
[LNS-GigabitEthernet2/0/0] ip address 30.0.0.254 255.255.255.0
[LNS-GigabitEthernet2/0/0] ip address 10.0.0.254 255.255.255.0 sub
[LNS-GigabitEthernet2/0/0] ip address 192.168.0.254 255.255.255.0 sub

# Configure the default route with preference 10
[LNS] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 preference 10

==========L2TP configuration==========
# Create the L2TP user
[LNS] aaa
[LNS-aaa] local-user demon password cipher Huawei@2021
[LNS-aaa] local-user demon service-type ppp

# Configure the address pool handed out to the LAC
[LNS] ip pool 1
[LNS-ip-pool-1] network 20.0.0.0 mask 24
[LNS-ip-pool-1] gateway-list 20.0.0.254

# Create the virtual-template interface and configure the PPP negotiation parameters
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] ip address 20.0.0.254 255.255.255.0

# Enable L2TP and create an L2TP group
[LNS] l2tp enable
[LNS] l2tp-group 1

# Configure the HQ tunnel name and the branch tunnel name that is accepted
[LNS-l2tp1] tunnel name lns
[LNS-l2tp1] allow l2tp virtual-template 1 remote lac

# Enable tunnel authentication and set the tunnel authentication password
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher huawei
# Note: the LNS also needs routes back to the branch business segments (30.0.3.0/24 and 192.171.0.0/24) through the tunnel; otherwise return traffic from HQ follows the default route to the internet instead.

Branch AR configuration

==========Basic configuration==========
# NAT for the ADSL egress matches the office segment as source, so only that segment leaves through the ADSL gateway
[LAC] acl 2999
[LAC-acl-basic-2999] rule 5 permit source 10.3.0.0 0.0.0.255

# Configure interface IP addresses
[LAC] interface gigabitEthernet 1/0/0
[LAC-GigabitEthernet1/0/0] ip address dhcp-alloc
[LAC-GigabitEthernet1/0/0] nat outbound 2999
[LAC] interface gigabitEthernet 2/0/0
# Management-network gateway: 30.0.3.0 is the network address and cannot be assigned, so .254 is used like the other gateways
[LAC-GigabitEthernet2/0/0] ip address 30.0.3.254 255.255.255.0
[LAC-GigabitEthernet2/0/0] ip address 10.3.0.254 255.255.255.0 sub
[LAC-GigabitEthernet2/0/0] ip address 192.171.0.254 255.255.255.0 sub

# Configure the default route (next hop learned through DHCP) with preference 10
[LAC] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 dhcp preference 10

==========L2TP configuration==========
# Enable L2TP globally and create an L2TP group that sets up the L2TP connection to the LNS for user demon, with a hello interval of 5 seconds
[LAC] l2tp enable
[LAC] l2tp-group 1
[LAC-l2tp1] tunnel name lac
[LAC-l2tp1] start l2tp ip 119.136.19.1 fullusername demon
[LAC-l2tp1] tunnel timer hello 5

# Enable tunnel authentication and set the tunnel authentication password (must match the LNS)
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher huawei

# Configure the PPP user name and password, the PPP authentication mode and the IP address on the virtual-template interface
[LAC] interface virtual-template 1
[LAC-Virtual-Template1] ppp chap user demon
[LAC-Virtual-Template1] ppp chap password cipher Huawei@2021
[LAC-Virtual-Template1] ip address ppp-negotiate

# Trigger automatic dial-up on the LAC to bring up the L2TP tunnel
[LAC] interface virtual-template 1
[LAC-Virtual-Template1] l2tp-auto-client enable

==========Policy-based routing configuration==========
# Deny the office network access to the management and production networks (the "business networks" below)
[LAC] acl 3000
[LAC-acl-adv-3000] rule 1 deny ip source 10.3.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LAC-acl-adv-3000] rule 2 deny ip source 10.3.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255

# Business networks reaching each other (without this, the gateway and the permitted local segments cannot be pinged once the policy route is applied, because the redirect below would send that traffic into the tunnel)
[LAC] acl 3001
[LAC-acl-adv-3001] rule 1 permit ip source 30.0.3.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LAC-acl-adv-3001] rule 2 permit ip source 30.0.3.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
[LAC-acl-adv-3001] rule 3 permit ip source 192.171.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
[LAC-acl-adv-3001] rule 4 permit ip source 192.171.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255

# Business segments (any destination)
[LAC] acl 3002
[LAC-acl-adv-3002] rule 5 permit ip source 30.0.3.0 0.0.0.255
[LAC-acl-adv-3002] rule 10 permit ip source 192.171.0.0 0.0.0.255

# Traffic classifier: office network to business networks
[LAC] traffic classifier Drop_Wan-To-Lan operator or
[LAC-classifier-Drop_Wan-To-Lan] if-match acl 3000
# Traffic behavior: drop (stated explicitly so the drop does not depend on the ACL deny rules alone)
[LAC] traffic behavior Drop_Wan-To-Lan
[LAC-behavior-Drop_Wan-To-Lan] deny

# Traffic classifier: business networks reaching each other
[LAC] traffic classifier Lan operator or
[LAC-classifier-Lan] if-match acl 3001

# Traffic behavior: forward normally
[LAC] traffic behavior Lan
[LAC-behavior-Lan] permit

# Traffic classifier: business segments towards HQ
[LAC] traffic classifier Branch_Net operator or
[LAC-classifier-Branch_Net] if-match acl 3002

# Traffic behavior: redirect the matched segments to the L2TP VPN interface
[LAC] traffic behavior Branch_Net
[LAC-behavior-Branch_Net] redirect interface Virtual-Template1

# Create the traffic policy and set the precedence of each classifier/behavior pair (the lowest value is evaluated first)
[LAC] traffic policy Route
[LAC-trafficpolicy-Route] classifier Drop_Wan-To-Lan behavior Drop_Wan-To-Lan precedence 10
[LAC-trafficpolicy-Route] classifier Lan behavior Lan precedence 20
[LAC-trafficpolicy-Route] classifier Branch_Net behavior Branch_Net precedence 30

# Apply the policy inbound on the LAN-facing interface (Vlanif1 here; it must be the interface that carries the 10.3.0.0/24, 30.0.3.0/24 and 192.171.0.0/24 addresses, GigabitEthernet 2/0/0 in the addressing above)
[LAC] interface Vlanif1
[LAC-Vlanif1] traffic-policy Route inbound
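
The following Python script is an added example, not code from the original post: it simulates how the branch AR's traffic policy and default route treat a flow. It encodes ACLs 2999, 3000, 3001 and 3002 and the precedence of the three classifier/behavior pairs as configured above, and reports where a packet entering the LAN interface ends up. The assumption that hitting a deny rule in a classifier's ACL discards the packet, and the result labels such as `adsl-nat`, are the example's own. Passing a policy without the `Lan` entry reproduces the problem noted in the ACL 3001 comment: local business traffic, including pings to the gateway, is redirected into the tunnel.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Branch subnets, transcribed from the interface configuration above
OFFICE = ipaddress.ip_network("10.3.0.0/24")    # office network (local ADSL egress)
MGMT = ipaddress.ip_network("30.0.3.0/24")      # management network
PROD = ipaddress.ip_network("192.171.0.0/24")   # production network
ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network     # ANY when the rule names no destination


def rule(action: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network = ANY) -> Rule:
    return Rule(action, src, dst)


# ACLs as configured on the branch AR; list order is rule order
ACLS = {
    2999: [rule("permit", OFFICE)],                                   # nat outbound on GE1/0/0
    3000: [rule("deny", OFFICE, MGMT), rule("deny", OFFICE, PROD)],  # office -> business
    3001: [rule("permit", MGMT, MGMT), rule("permit", MGMT, PROD),
           rule("permit", PROD, PROD), rule("permit", PROD, MGMT)],  # business <-> business
    3002: [rule("permit", MGMT), rule("permit", PROD)],               # business -> anywhere
}

# traffic policy Route: (precedence, ACL, behavior); the lowest precedence value wins
POLICY: List[Tuple[int, int, str]] = [
    (10, 3000, "drop"),   # Drop_Wan-To-Lan
    (20, 3001, "local"),  # Lan: normal forwarding inside the branch
    (30, 3002, "l2tp"),   # Branch_Net: redirect interface Virtual-Template1
]


def match_acl(acl_id: int, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Action of the first rule the packet hits, or None when no rule matches."""
    for r in ACLS[acl_id]:
        if src in r.src and dst in r.dst:
            return r.action
    return None


def decide(src_ip: str, dst_ip: str, policy: List[Tuple[int, int, str]] = POLICY) -> str:
    """Where a packet entering the LAN interface ends up: drop, local, l2tp, adsl-nat or adsl-no-nat."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _precedence, acl_id, behavior in sorted(policy):
        hit = match_acl(acl_id, src, dst)
        if hit == "deny":
            return "drop"   # assumption: hitting a deny rule in a classifier ACL discards the packet
        if hit == "permit":
            return behavior
    # No classifier matched: ordinary routing via the default route out of GE1/0/0 (ADSL)
    if match_acl(2999, src, dst) == "permit":
        return "adsl-nat"       # translated by nat outbound 2999
    return "adsl-no-nat"        # leaves with a private source address, so replies never come back


if __name__ == "__main__":
    for flow in [("10.3.0.10", "8.8.8.8"), ("10.3.0.10", "192.171.0.5"),
                 ("30.0.3.10", "30.0.3.254"), ("192.171.0.5", "192.168.0.7")]:
        print(flow, "->", decide(*flow))
```

`decide("30.0.3.10", "30.0.3.254")` returns `local`, while the same call with `policy=[p for p in POLICY if p[1] != 3001]` returns `l2tp`, which is exactly the unreachable-gateway symptom the ACL 3001 comment warns about. A source outside the three configured subnets ends as `adsl-no-nat`: it is routed out of the ADSL interface but never translated, so such hosts get no internet access and no tunnel access.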

Run the display l2tp tunnel command to confirm that the L2TP tunnel and session have been established.

2: HQ builds an IPSec VPN for the branch to connect to

HQ AR configuration

# Configure the ACL that defines the traffic to protect
[LNS] acl number 3003
[LNS-acl-adv-3003] rule 1 permit ip source 30.0.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LNS-acl-adv-3003] rule 2 permit ip source 30.0.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
[LNS-acl-adv-3003] rule 3 permit ip source 192.168.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LNS-acl-adv-3003] rule 4 permit ip source 192.168.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255

# Configure the IPSec proposal
[LNS] ipsec proposal tran1
[LNS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[LNS-ipsec-proposal-tran1] esp encryption-algorithm aes-128

# Configure the IKE proposal and the IKE peer
[LNS] ike proposal 5
[LNS-ike-proposal-5] encryption-algorithm aes-128
[LNS-ike-proposal-5] authentication-algorithm sha2-256
[LNS-ike-proposal-5] dh group14
[LNS] ike peer spua
[LNS-ike-peer-spua] undo version 2
[LNS-ike-peer-spua] ike-proposal 5
[LNS-ike-peer-spua] pre-shared-key cipher Huawei@2021
# No remote-address is set on the HQ side because the branch obtains its public address through DHCP

# Configure the IPSec policy using IKE dynamic negotiation
[LNS] ipsec policy use1 10 isakmp
[LNS-ipsec-policy-isakmp-use1-10] ike-peer spua
[LNS-ipsec-policy-isakmp-use1-10] proposal tran1
[LNS-ipsec-policy-isakmp-use1-10] security acl 3003

# Apply the IPSec policy group on the interface
[LNS] interface gigabitethernet 1/0/0
[LNS-GigabitEthernet1/0/0] ipsec policy use1

Branch AR configuration

# Configure the ACL that defines the traffic to protect (the mirror image of the HQ ACL)
[LAC] acl number 3003
[LAC-acl-adv-3003] rule 1 permit ip source 30.0.3.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
[LAC-acl-adv-3003] rule 2 permit ip source 30.0.3.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[LAC-acl-adv-3003] rule 3 permit ip source 192.171.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
[LAC-acl-adv-3003] rule 4 permit ip source 192.171.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

# Configure the IPSec proposal
[LAC] ipsec proposal tran1
[LAC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[LAC-ipsec-proposal-tran1] esp encryption-algorithm aes-128

# Configure the IKE proposal and the IKE peer
[LAC] ike proposal 5
[LAC-ike-proposal-5] encryption-algorithm aes-128
[LAC-ike-proposal-5] authentication-algorithm sha2-256
[LAC-ike-proposal-5] dh group14
[LAC] ike peer spub
[LAC-ike-peer-spub] undo version 2
[LAC-ike-peer-spub] ike-proposal 5
# The pre-shared key must be identical on both ends
[LAC-ike-peer-spub] pre-shared-key cipher Huawei@2021
# The remote address is the HQ public interface address (GigabitEthernet1/0/0 on the LNS)
[LAC-ike-peer-spub] remote-address 119.136.19.1

# Configure the IPSec policy using IKE dynamic negotiation
[LAC] ipsec policy map1 10 isakmp
[LAC-ipsec-policy-isakmp-map1-10] ike-peer spub
[LAC-ipsec-policy-isakmp-map1-10] proposal tran1
[LAC-ipsec-policy-isakmp-map1-10] security acl 3003

# Apply the IPSec policy group on the interface
[LAC] interface gigabitethernet 1/0/0
[LAC-GigabitEthernet1/0/0] ipsec policy map1
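
The following Python script is an added example, not part of the original post: it checks the two IPSec configurations against each other before the tunnel is brought up, which catches the mismatches that most often leave `display ike sa` empty. It compares the IKE and IPSec proposal parameters, the pre-shared key, and the branch `remote-address` against the HQ public interface address, and it verifies that the two security ACLs are mirror images of each other (every HQ source/destination pair must appear reversed on the branch). The parameter dictionaries and ACL text are transcribed from the configuration above; the dictionary keys, function names and the wildcard-to-prefix conversion are the example's own.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Security ACLs from the two routers with the prompts stripped (transcribed from the config above)
HQ_ACL = """
rule 1 permit ip source 30.0.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
rule 2 permit ip source 30.0.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
rule 3 permit ip source 192.168.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
rule 4 permit ip source 192.168.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
"""
BRANCH_ACL = """
rule 1 permit ip source 30.0.3.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
rule 2 permit ip source 30.0.3.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 3 permit ip source 192.171.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
rule 4 permit ip source 192.171.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
"""

# IKE/IPSec parameters that must agree on both ends (values from the config above; keys are this example's own)
HQ = {"ike_enc": "aes-128", "ike_auth": "sha2-256", "dh": "group14",
      "esp_enc": "aes-128", "esp_auth": "sha2-256", "psk": "Huawei@2021",
      "public_ip": "119.136.19.1"}
BRANCH = {"ike_enc": "aes-128", "ike_auth": "sha2-256", "dh": "group14",
          "esp_enc": "aes-128", "esp_auth": "sha2-256", "psk": "Huawei@2021",
          "remote_address": "119.136.19.1"}

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a VRP address/wildcard pair into a CIDR network (0 bits in the wildcard must match)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # non-contiguous wildcard: cannot be expressed as a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_acl(text: str) -> Set[Tuple[str, str]]:
    """Collect the (source, destination) network pairs an advanced ACL selects for protection."""
    flows = set()
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            flows.add((str(src), str(dst)))
    return flows


def check_pair(hq: Dict[str, str], branch: Dict[str, str],
               hq_acl: str, branch_acl: str) -> List[str]:
    """Return the mismatches that would stop IKE or IPSec from coming up (empty list = consistent)."""
    issues = []
    for key in ("ike_enc", "ike_auth", "dh", "esp_enc", "esp_auth"):
        if hq[key] != branch[key]:
            issues.append(f"{key}: HQ={hq[key]} branch={branch[key]}")
    if hq["psk"] != branch["psk"]:
        issues.append("pre-shared-key differs between HQ and branch")
    if branch["remote_address"] != hq["public_ip"]:
        issues.append(f"branch remote-address {branch['remote_address']} is not HQ's {hq['public_ip']}")
    hq_flows, branch_flows = parse_acl(hq_acl), parse_acl(branch_acl)
    mirrored = {(dst, src) for src, dst in branch_flows}   # branch flows seen from the HQ side
    for src, dst in sorted(hq_flows - mirrored):
        issues.append(f"HQ protects {src}->{dst} but branch has no mirror rule")
    for src, dst in sorted(mirrored - hq_flows):
        issues.append(f"branch protects {dst}->{src} but HQ has no mirror rule")
    return issues


if __name__ == "__main__":
    problems = check_pair(HQ, BRANCH, HQ_ACL, BRANCH_ACL)
    print("\n".join(problems) if problems else "no mismatches found")
```

With the values above the check returns an empty list. Changing the branch pre-shared key or pointing `remote_address` at an address other than 119.136.19.1 produces one issue each, and deleting a rule on either side reports the flow that lost its mirror, which on the real routers shows up as an IPSec SA that is negotiated for some subnet pairs but not others.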

Run the display ike sa command to view the security associations established by IKE.

Run the display ipsec sa command to view the current IPSec connection information.

 

Tip: if the bandwidth cannot be saturated or the connection stalls, set the TCP maximum segment size on the branch AR's LAN-facing (traffic inbound) interface to 1200 bytes.

# Set the TCP MSS for inbound traffic to 1200 bytes (otherwise throughput may not reach line rate)
[LAC] interface Vlanif1
[LAC-Vlanif1] tcp adjust-mss 1200

Below is a speed-test screenshot on a 100 Mbps public leased line

[Figure: speed-test screenshot, Huawei AR cross-site networking solution]

Demon_运维笔记