viyin.net

NE20 dual-uplink policy-based routing configuration

14 April 2009

#
sysname ne20
#
super password level 3 simple huawei    //privilege-level password stored in cleartext ("simple"); on a production box store it with "cipher" and replace this well-known value
#
nat address-group 0 Y.238.243.1 Y.238.243.62 mask 255.255.255.192    //NAT address pool
#
acl number 2000   //matches the internal network; used by NAT
rule 0 permit source X.34.160.0 0.0.15.255
rule 1 deny
#
acl number 3033   //internal servers that must exit via CERNET
rule 0 permit ip source X.34.160.60 0
rule 5 permit ip source X.34.160.34 0
rule 10 permit ip source X.34.160.37 0
rule 15 permit ip source X.34.160.35 0
rule 20 permit ip source X.34.160.53 0
rule 25 permit ip source X.34.160.54 0
rule 30 permit ip source X.34.160.57 0
rule 35 permit ip source X.34.160.52 0
rule 40 permit ip source X.34.160.39 0
rule 45 permit tcp source X.34.160.41 0 source-port eq www destination-port gt 1023
rule 50 permit tcp source X.34.160.41 0 source-port eq 5631
rule 55 permit tcp source X.34.160.41 0 source-port eq sm
rule 60 permit tcp source X.34.160.41 0 source-port eq pop3
rule 65 permit tcp source X.34.160.41 0 source-port eq 3000
acl number 3036   //servers that must exit via the telecom (IDC) uplink
rule 0 permit ip source Y.238.243.64 0.0.0.63
rule 5 deny ip
acl number 3044   //packet-filter firewall. This part is copied unchanged from the user's original configuration. Note that it contains only deny rules and ends in deny ip; how deny rules inside an if-match acl classifier are treated is release-specific on VRP, so confirm on the device that the resulting policy drops only the listed ports.
rule 0 deny tcp source-port eq 4682
rule 5 deny tcp destination-port eq 4682
rule 10 deny tcp source-port range 6881 6889
rule 15 deny tcp source-port range 16881 16889
rule 20 deny tcp destination-port range 6881 6889
rule 25 deny tcp destination-port range 16881 16889
rule 495 deny ip
#
traffic classifier telcom  //telecom server traffic class
if-match acl 3036
traffic classifier cool   //firewall traffic class
if-match acl 3044
traffic classifier cernet  //CERNET (education network) server traffic class
if-match acl 3033
#
traffic behavior telcom
remark ip-nexthop 172.30.55.41 Ethernet0/0/1  //policy routing: force the next hop
traffic behavior cool
deny
traffic behavior cernet
remark ip-nexthop 202.111.42.37 Ethernet1/0/1
#
traffic policy policy1  //binds both traffic classes and their behaviors into one QoS policy
classifier cernet behavior cernet
classifier telcom behavior telcom
traffic policy cool
classifier cool behavior cool
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
description TO IDC  //telecom uplink
ip address 172.30.55.42 255.255.255.252
nat outbound 2000 address-group 0  //NAT for internal users leaving via telecom
#
interface Ethernet1/0/0
description TO 6506  //LAN-facing interface
ip address X.34.171.1 255.255.255.252
traffic-policy policy1 inbound  //policy routing applied to traffic entering from the LAN
traffic-policy cool outbound  //packet-filter firewall applied to traffic leaving toward the LAN. Why not put the firewall on the WAN interfaces? Two reasons: it would have to be configured on both uplinks, and on the NAT uplink the inbound packet filter is evaluated before reverse address translation (the NE20 does not consult NAT ACL 2000 at that point), so the filter would have to be written against pre-translation destination addresses and ports, which brings in many more factors. The firewall was therefore placed on the LAN interface.
#
interface Ethernet1/0/1
description TO Cernet  //CERNET uplink
ip address 202.111.42.38 255.255.255.252
#
interface NULL0
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
ip route-static 0.0.0.0 0.0.0.0 172.30.55.41  //default route goes out the telecom uplink
ip route-static 59.64.0.0 255.254.0.0 202.111.42.37  //the toll-free CERNET address block goes out the CERNET uplink
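As an added example (not part of the original post and not Huawei tooling), the following Python model reproduces the forwarding decision the configuration above makes for a packet entering Ethernet1/0/0: policy1 is consulted first, then the static routes by longest prefix, and finally NAT is applied only when the egress is the telecom uplink. The page anonymises the first octet of the internal and telecom prefixes as X and Y; X=10 and Y=192 are stand-in values assumed here, and the sample packets are constructed. The model assumes a traffic classifier matches only on an ACL permit rule, omits the "source-port eq sm" rule (the page leaves that port keyword unresolved), and does not model the acl 3044 filter.

```python
"""Offline model of the forwarding decision in the NE20 configuration above.
Assumption: X=10 and Y=192 stand in for the anonymised first octets."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

X, Y = "10", "192"                    # assumption: stand-ins for the anonymised octets
PortCond = Optional[Tuple[str, int]]  # ("eq", n) or ("gt", n); None = any port
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" | "deny"
    proto: str             # "ip" | "tcp"
    src: IPv4Network
    sport: PortCond = None
    dport: PortCond = None


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "ip"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Decision:
    next_hop: str
    egress: str
    how: str                       # "policy:<classifier>" or "static"
    nat_pool: Optional[str] = None


# acl 2000: internal users that nat outbound translates (wildcard 0.0.15.255 = /20)
ACL2000 = [Rule("permit", "ip", ip_network(f"{X}.34.160.0/20")), Rule("deny", "ip", ANY)]
# acl 3033: CERNET-facing servers (the "sm" port rule is omitted, see lead-in)
WEB = ip_network(f"{X}.34.160.41/32")
ACL3033 = [Rule("permit", "ip", ip_network(f"{X}.34.160.{h}/32"))
           for h in (60, 34, 37, 35, 53, 54, 57, 52, 39)] + [
    Rule("permit", "tcp", WEB, ("eq", 80), ("gt", 1023)),   # www replies to client high ports
    Rule("permit", "tcp", WEB, ("eq", 5631)),
    Rule("permit", "tcp", WEB, ("eq", 110)),                 # pop3
    Rule("permit", "tcp", WEB, ("eq", 3000)),
]
# acl 3036: telecom-facing servers (wildcard 0.0.0.63 = /26)
ACL3036 = [Rule("permit", "ip", ip_network(f"{Y}.238.243.64/26")), Rule("deny", "ip", ANY)]
# traffic policy policy1, inbound on Ethernet1/0/0, classifiers in configured order
POLICY1 = [("cernet", ACL3033, ("202.111.42.37", "Ethernet1/0/1")),
           ("telcom", ACL3036, ("172.30.55.41", "Ethernet0/0/1"))]
# ip route-static entries
ROUTES = [(ip_network("59.64.0.0/15"), ("202.111.42.37", "Ethernet1/0/1")),
          (ANY, ("172.30.55.41", "Ethernet0/0/1"))]
NAT_POOL = f"{Y}.238.243.1-{Y}.238.243.62"   # nat address-group 0


def _port_ok(cond: PortCond, value: int) -> bool:
    if cond is None:
        return True
    op, n = cond
    return value == n if op == "eq" else value > n


def acl_action(rules: List[Rule], p: Packet) -> Optional[str]:
    """First matching rule decides; None when no rule matches."""
    for r in rules:
        if r.proto != "ip" and r.proto != p.proto:
            continue
        if p.src in r.src and _port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport):
            return r.action
    return None


def forward(p: Packet) -> Decision:
    # 1. Policy routing on the ingress interface is consulted before the routing table.
    #    Assumption: a classifier matches only when the ACL hits a permit rule.
    for name, acl, (nh, ifc) in POLICY1:
        if acl_action(acl, p) == "permit":
            d = Decision(nh, ifc, f"policy:{name}")
            break
    else:
        # 2. Longest-prefix match against the static routes.
        _, (nh, ifc) = max((r for r in ROUTES if p.dst in r[0]), key=lambda r: r[0].prefixlen)
        d = Decision(nh, ifc, "static")
    # 3. nat outbound 2000 is bound to Ethernet0/0/1 only; CERNET-bound packets keep their address.
    if d.egress == "Ethernet0/0/1" and acl_action(ACL2000, p) == "permit":
        d = replace(d, nat_pool=NAT_POOL)
    return d


def decide(src: str, dst: str, proto: str = "ip", sport: int = 0, dport: int = 0) -> Decision:
    return forward(Packet(ip_address(src), ip_address(dst), proto, sport, dport))


if __name__ == "__main__":
    # constructed sample packets: a LAN user, a CERNET server, a telecom server, the web server
    for args in ((f"{X}.34.165.7", "203.0.113.9"), (f"{X}.34.165.7", "59.65.1.1"),
                 (f"{X}.34.160.60", "203.0.113.9"), (f"{Y}.238.243.70", "59.65.1.1"),
                 (f"{X}.34.160.41", "203.0.113.9", "tcp", 80, 40000),
                 (f"{X}.34.160.41", "203.0.113.9", "tcp", 80, 443)):
        print(args, "->", decide(*args))
```

Two results worth noticing: a telecom-segment server sending to the toll-free 59.64.0.0/15 block is still forced out the telecom uplink, because policy1 runs before the static route is consulted; and the web server on .41 is policy-routed to CERNET only for the listed source ports, so any other flow it originates (or an HTTP reply to a client port below 1024) falls through to the default route and gets NATed.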
