Dual-line network access design based on policy routing (full document + eNSP topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!

Summary

With the explosive growth of computer networks, the network demands of individuals and companies are rising sharply, and so are their requirements on network quality. Policy routing lets traffic be split across links according to administrator-defined rules, which improves the quality of the network for individuals and companies.

A dual-line network improves the stability and security of the network link. Deploying two egress links at the network exit increases egress bandwidth and diversifies the company's egress paths; this balances the traffic load across the links, reduces the burden on any single link, and thereby improves network quality.

This paper starts from the planning and design of a dual-line network access solution based on policy routing and analyses that design as a whole. The network system covers requirements analysis, overall network design, networking technology and implementation, wireless design and other modules. Built on the Huawei eNSP simulator, it uses VLAN division, DHCP automatic address assignment, the OSPF protocol, VPN configuration and related technologies to implement policy-routed dual-line network access; the functional modules of this design are divided, designed and implemented within the system.

Different users have different requirements, and policy routing forwards according to those requirements: packets are matched against administrator-defined rules and sent along a specified path. This makes forwarding more flexible and easier to control, and the forwarding path can be changed without changing the routing table. The network environment and the policy routing are simulated with the eNSP simulation software. In the experimental environment the network simulation and the policy routing were built separately, and corresponding tests were run to verify that TCP traffic was diverted as intended.

Keywords: policy routing, dual-line network access, design and deployment

 

Abstract

With the explosive growth of computer networks, the demand for personal and corporate networks is rising rapidly, and so are the requirements on the quality of the networks delivered. Policy routing divides traffic across links according to defined rules and so improves network quality for individuals and companies.

A dual-line network improves the stability and security of the network links. Setting up two egress links at the network exit increases egress bandwidth and diversifies the company's egress paths, which balances the traffic load, reduces the network burden and improves the quality of the network.

This paper starts with the planning and design of a policy-routed dual-line network access scheme and analyses its overall plan and design. The network system involves requirements analysis, overall network design, networking technology and implementation, wireless design and other modules. Based on the Huawei simulator, it uses VLANs, DHCP automatic address assignment, the OSPF protocol, VPN configuration and other technologies, and the functional modules of the policy-routed dual-line access design are divided, designed and implemented.

Different users have different requirements, and policy routing forwards according to those requirements: packets are matched against defined rules and specific policy routes can be set as needed, which makes policy routing much more flexible and convenient to control, and the forwarding path can be changed without changing the routing table. The network environment and the policy routing are simulated with the eNSP simulation software, and in the experimental environment tests were run to verify the diversion of TCP traffic.

Keywords: policy routing, dual-line network access, design and deployment

Table of contents

Chapter 1 Introduction

1.1 Research background

1.2 Research significance

1.3 Research content

Chapter 2 System Analysis

2.1 Feasibility analysis

2.2 Requirements analysis

2.3 Network architecture design

Chapter 3 Overview of related technologies

3.1 Virtual LAN technology

3.2 Access control list technology

3.3 Virtual Private Network Technology

3.4 Network address translation technology

3.5 OSPF protocol

Chapter 4 System Design

4.1 Overall network design

4.2 Network topology diagram

4.3 IP address planning

4.4 Equipment selection

4.5 Equipment list

Chapter 5 Detailed Design

5.1 Egress multi-link design

5.2 Priority of egress link access

5.3 Egress security design

5.4 Analysis of network hierarchical structure

5.5 Key technologies and difficulties

5.6 Existing problems and solutions

Chapter 6 System Testing

6.1 Debugging and testing

6.2 Connectivity test

Chapter 7 Summary

References

Acknowledgments

Appendix

Chapter 1 Introduction

This article focuses on the design and deployment of dual-line access with policy routing. A firewall is placed at the network egress and reasonable policy routing is configured on it to implement traffic path rules, so that the flow of packets can be controlled flexibly without changing the routing table. When a packet needs to be forwarded, the device forwards it according to the policy the administrator has defined, even if no matching entry exists in the routing table; when no policy is configured, or the packet matches no policy, it is forwarded by the normal routing-table lookup. This avoids problems such as loops that changes to the routing table could cause, reduces the performance cost on the company's equipment and the maintenance effort for operations staff, and improves scalability and security.

1.1  Research background

Network usage and demand are increasing day by day, and so is the bandwidth we need. In China, policy routing was adopted in part to solve the interconnection problem between China Telecom and China Netcom. After the two major carriers were separated, a network environment with distinctly Chinese characteristics followed, commonly described as "Telecom in the south, Netcom in the north": when traffic from one carrier's network crosses into the other's, the network speed drops sharply. Dual-line access technology is therefore used to control which line traffic for each network takes, which greatly improves speed. Through policy routing, traffic for the two networks is steered onto the two lines respectively, so that the network load is greatly improved and the usage problem is largely solved.

1.2  Research significance

As computers become indispensable to people worldwide and computer technology becomes the mainstream of future society, the level of networking required by individuals and companies has become extremely high. Because computers are so widely used and developing so rapidly, network construction is particularly important. In many places a newly built network suffers from problems such as instability and constant attacks, which make maintenance troublesome, time-consuming and complicated. Network security and smooth, clearly structured operation are therefore indispensable for every network. A dual-line network further improves stability and security, and setting up two links at the network exit increases the company's egress bandwidth, diversifies the egress links and balances the company's network load, so that the desired effect is achieved and the network environment is improved.

1.3  Research content

Policy routing (policy-based routing) is a forwarding mechanism that uses rules selected by the administrator rather than the destination-based routing table alone. With properly configured policy routing, the router can forward a packet based on its source address, its packet length, its protocol type and similar fields. This differs from ordinary forwarding, where only the destination IP address is looked up in the routing table. According to the object it applies to, policy routing is divided into two types. The first is local policy routing, which applies only to packets generated by the device itself and never to forwarded packets; the second is interface policy routing, which applies only to packets received on an interface and forwarded, and never to locally generated packets.
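The forwarding decision described above, as an added example in Python (it is not code from the paper and not Huawei VRP's implementation; it is a simplified model of the same semantics). A packet that matches a policy node with a next hop is sent there regardless of the routing table; a packet that matches a node with no action, or matches nothing, falls back to longest-prefix lookup; interface policies apply only to packets received on that interface, local policies only to packets the device generates. All interface names, VLANs, prefixes and the two ISP next hops are constructed for illustration (RFC 5737 documentation addresses).

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    length: int                 # total IP packet length in bytes
    in_iface: Optional[str]     # None: generated by the device itself


@dataclass(frozen=True)
class PolicyNode:
    """One policy node: match fields plus the next hop it forces.
    next_hop=None means 'match but take no action', so the packet falls
    through to the ordinary routing table."""
    name: str
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    max_len: Optional[int] = None
    next_hop: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.max_len is not None and pkt.length > self.max_len:
            return False
        return True


@dataclass
class Router:
    routes: List[Tuple[IPv4Network, str]] = field(default_factory=list)
    iface_policies: Dict[str, List[PolicyNode]] = field(default_factory=dict)
    local_policies: List[PolicyNode] = field(default_factory=list)

    def route_lookup(self, dst: str) -> Optional[str]:
        """Ordinary destination-based forwarding: longest prefix match."""
        best = None
        for prefix, next_hop in self.routes:
            if ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, next_hop)
        return None if best is None else best[1]

    def forward(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """Return (next_hop, reason). Local policy applies to self-generated
        packets, interface policy to packets received on that interface."""
        if pkt.in_iface is None:
            nodes = self.local_policies
        else:
            nodes = self.iface_policies.get(pkt.in_iface, [])
        for node in nodes:
            if node.matches(pkt):
                if node.next_hop is not None:
                    return node.next_hop, "policy " + node.name
                break                           # matched, no action: routing table
        next_hop = self.route_lookup(pkt.dst)
        return next_hop, ("routing table" if next_hop else "no route, dropped")


def build_egress() -> Router:
    """Constructed egress: inside interface GE0/0/1, VLAN 10 users leave via the
    Telecom link (203.0.113.1), VLAN 20 users via the Unicom link (198.51.100.1),
    the default route points at Telecom. The first node keeps intranet-bound
    traffic away from the ISP next hops; without it a source-only policy would
    push internal traffic out to the ISP."""
    r = Router()
    r.routes = [(ip_network("0.0.0.0/0"), "203.0.113.1"),
                (ip_network("192.168.0.0/16"), "10.0.0.2")]
    r.iface_policies["GE0/0/1"] = [
        PolicyNode("keep-internal", dst=ip_network("192.168.0.0/16")),
        PolicyNode("vlan10-via-telecom", src=ip_network("192.168.10.0/24"), next_hop="203.0.113.1"),
        PolicyNode("vlan20-via-unicom", src=ip_network("192.168.20.0/24"), next_hop="198.51.100.1"),
    ]
    # local policy: small ICMP probes generated by the device test the Unicom link
    r.local_policies = [
        PolicyNode("local-probes-via-unicom", proto="icmp", max_len=128, next_hop="198.51.100.1"),
    ]
    return r
```

The "keep-internal" node is the check a practitioner adds before steering by source: policy routing is evaluated before the routing table, so a node matching only on source address would otherwise send VLAN 20's traffic to VLAN 10 out through an ISP.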

Chapter 2 System Analysis

2.1  Feasibility analysis

2.1.1 Technical feasibility

In today's network construction, as the number of Internet users and the demand for Internet access grow, the requirements on the quality of the network are extremely high, so the most essential step is to divert traffic onto separate lines. China's two major carrier networks have already implemented traffic diversion so that each takes its own line, which has greatly increased network speed, reduced the complexity of the network and improved the quality of network use.

2.1.2 Operational feasibility

Dual-line network access through policy routing greatly increases the convenience of network maintenance and allows concrete, formalised management of the network. As computers get faster and faster, dual-line access can divert the traffic of the network in use, improving the quality of Internet access, meeting the network needs of enterprises and individuals, and bringing great convenience to future maintenance. Policy-routed dual-line network access is therefore very necessary.

2.2  Demand analysis

Overall needs analysis:

Computer technology advances day by day and the number of computer users grows rapidly; computers have become indispensable and will become the mainstream of society. As the number of Internet users rises, so do their requirements and the quality they expect, which overloads the network and slows it down. As individuals and domestic enterprises grow stronger, their demands on the network rise, and networks in many places face a series of problems from incomplete initial construction, such as instability and constant attacks, which make maintenance troublesome, time-consuming and complicated. Every network therefore needs security, smooth operation and a clear structure. A dual-line network further improves stability and security; setting up two links at the network exit increases egress bandwidth, diversifies the egress links, balances the company's network load and so improves the network environment. In this design the company connects to two operators, China Telecom and China Unicom, for Internet access over fibre services provided by the ISPs, with fibre to the desktop. A firewall at the company's network egress is configured with NAT and policy routing, and the intranet is protected by placing interfaces into firewall security zones with different priority levels. The Internet access needs of the different departments are met through Easy IP on the firewall.

2.3  Network architecture design

The network in this design applies the three-layer (hierarchical) network model, which splits a complex network into several layers, each concentrating on particular functions. In this way an extremely complex and large network becomes much simpler and clearer.

The architecture has three levels: the core layer, the aggregation layer and the access layer. Medium and large networks should be designed according to this standard structure to ease management and greatly improve network performance.

The "collapsed core" design omits the aggregation layer and is suitable for smaller networks with shorter interconnection distances.

Core-layer devices then connect directly to the access layer, which saves part of the cost of the aggregation layer, reduces the maintenance burden and makes monitoring the network more convenient.

Moving from a network built on Layer 2 switching to one built on Layer 3 switching gives a very noticeable optimisation. Adding network management software greatly increases the security and protection of the network. The core switches are configured in a standardised way to make full use of their hardware performance.

By adjusting where and how the core switch's processing capacity handles bandwidth and network traffic, the design gains good scalability. VLANs are divided according to the needs of different services, which limits the broadcast range and suppresses broadcast storms, improving the overall performance and security of the LAN. To improve overall reliability, the core switches use dual-device hot backup with load balancing: normally both core switches carry traffic, and when either fails the other automatically takes over. Failover is transparent to network administrators and users and needs no manual intervention, which increases automatic fault tolerance, greatly improves the network's ability to handle emergencies and reduces downtime due to faults.

Chapter 3 Overview of Related Technologies

3.1  Virtual LAN technology 

Traditional Ethernet is a shared-medium network based on CSMA/CD. Every broadcast reaches every host, collisions occur whenever hosts transmit at the same time, and performance drops sharply; the resulting connectivity problems have a large and serious impact on work. Interconnecting hosts with switches solves many of these problems, since each switch port forms its own collision domain, but it does nothing about the proliferation of broadcasts or the quality of the network.

VLAN technology divides a physical LAN into multiple VLANs, each of which is a separate broadcast domain. Communication within a VLAN works exactly as on a single LAN, while hosts in different VLANs cannot communicate with each other at Layer 2; VLANs therefore confine broadcasts and isolate each group of hosts from the others.

Table 3.1 shows how access and trunk ports handle received and sent frames (an "untagged" frame carries no VLAN ID).

Table 3.1  Tag handling on access and trunk ports

Access port (PVID = VLAN 2)

  Received frame     Sent frame   Processing result
  untagged           -            Tag with VLAN 2 and forward within VLAN 2
  tagged VLAN 3      -            Discard (VID differs from the PVID)
  tagged VLAN 2      -            Forward within VLAN 2
  -                  VLAN 2       Strip the VLAN 2 tag and send untagged
  -                  VLAN 3       Discard (an access port carries only its PVID)

Trunk port

  PVID     Received frame                Sent frame   Processing result
  VLAN 1   untagged                      -            Tag with VLAN 1 and forward within VLAN 1
  VLAN 2   untagged                      -            Tag with VLAN 2 and forward within VLAN 2
  VLAN 2   tagged VLAN 2 (allowed)       -            Forward within VLAN 2, tag retained
  VLAN 2   tagged VLAN 3 (allowed)       -            Forward within VLAN 3, tag retained
  VLAN 2   tagged VLAN 3 (not allowed)   -            Discard
  VLAN 2   -                             VLAN 2       Strip the tag (VID equals the PVID) and send untagged
  VLAN 2   -                             VLAN 3       Send with the VLAN 3 tag (if VLAN 3 is allowed)
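The rules of Table 3.1 as code, added here as an example (not from the paper and not Huawei's implementation). A frame is represented by its VLAN tag, with None for an untagged frame; a port reports which VLAN a received frame is forwarded in, and how a frame of a given VLAN leaves it. Port names and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    kind: str                           # "access" or "trunk"
    pvid: int
    allowed: Set[int] = field(default_factory=set)   # trunk: VLANs permitted on the link

    def __post_init__(self) -> None:
        if self.kind == "access":
            self.allowed = {self.pvid}  # an access port carries only its PVID

    def receive(self, tag: Optional[int]) -> Optional[int]:
        """VLAN in which a received frame is forwarded; None means discarded.
        tag=None is an untagged frame."""
        vid = self.pvid if tag is None else tag   # untagged frames get the PVID, tagged keep theirs
        return vid if vid in self.allowed else None

    def send(self, vlan: int) -> Optional[str]:
        """How a frame belonging to `vlan` leaves this port: 'untagged' (PVID
        stripped), 'tagged <vid>' (trunk, other allowed VLAN) or None (not sent)."""
        if vlan not in self.allowed:
            return None
        return "untagged" if vlan == self.pvid else f"tagged {vlan}"


def switch_forward(in_port: Port, tag: Optional[int], out_port: Port) -> Optional[str]:
    """A frame enters in_port with the given tag and is offered to out_port;
    returns how it leaves, or None if it is dropped at either side."""
    vid = in_port.receive(tag)
    if vid is None:
        return None
    return out_port.send(vid)
```

The last function makes one practical caveat visible: frames of the trunk's PVID travel untagged, so if the two ends of a trunk have different PVIDs, a user VLAN silently lands in another VLAN on the far side. Keeping the trunk PVID on a VLAN that carries no user traffic avoids that.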

3.2   Access control list technology

An access control list (ACL) is an ordered set of rules for classifying packets; it is supported on Cisco IOS, Huawei VRP and most other router, Layer 3 switch and firewall platforms. With ACLs applied on a Layer 3 switch, the network administrator can restrict which users may reach which content in the network and can control and restrict access to particular network segments. ACLs therefore give strong support to network security and provide good protection. They are not a cure-all: an ACL examines packet headers only, so it is most effective where the set of addresses and services to be controlled is manageable. Applied at router interfaces, ACLs let the administrator control what enters and leaves and keep the enterprise's network usage under constant observation, and they can be found in almost every enterprise today. ACLs implement part of what a firewall does, but they cannot replace a firewall.

When ACLs were introduced they could only be applied on routers. In recent years Layer 3 switches have taken over much of that role and also support ACLs, although newer or lower-end switch models sometimes support a less complete feature set than a router. An ACL filters packets using the Layer 3 and Layer 4 fields of each packet, including the source and destination addresses, the protocol, and the source and destination ports.

Administrators edit the ACL according to the rules they want, and the device then screens every packet against those rules; once this is in place, the purpose of access control is achieved. ACLs enable a range of functions, and the nodes of a network can be divided into two types: resource nodes and user nodes.

The main function of an ACL is to block illegal users from reaching protected resource nodes; secondly, it allows designated nodes to reach internal enterprise resources and grants particular users elevated access. When implementing ACLs on a Layer 3 switch or any other device that supports them, two guidelines must be followed. The first is the principle of least privilege: each configured object is given only the minimum access it needs. The second is to apply the list as close as possible to the object being protected, so that unwanted traffic is filtered before it spreads through the network; most users are then confined to the most basic network access the device allows. ACLs also have limits. Because they work by packet filtering, they only examine the Layer 3 and Layer 4 header fields, so the device cannot identify the person behind a packet and cannot fully enforce the privilege levels that apply to that person. An enterprise that wants complete end-to-end control must therefore combine ACLs with system-level and application-level access control.

When using ACLs, note the following rules. On platforms with an implicit deny at the end of every list (Cisco IOS, for example), a list must contain at least one permit statement, otherwise it blocks all traffic; check the default action for unmatched packets on your platform. The sequence numbers of the rules are particularly important: the device evaluates rules in order and acts on the first one that matches, and no later rule is examined, so a broad rule placed early can shadow a more specific rule placed after it. The administrator therefore builds the ACL with the most specific rules first, and then binds it to an interface in the inbound or outbound direction. An interface ACL only filters traffic passing through the device; it does not filter traffic that the device itself generates.
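An ACL evaluator, added here as an example (not from the paper, and a model rather than any vendor's implementation), for the three rules just stated: first match wins so ordering matters, the default action for unmatched packets decides whether a permit-less list blocks everything, and an interface ACL does not see the device's own traffic. It also includes a check that reports rules shadowed by an earlier, broader rule, which is the mistake a reviewer looks for first. Addresses, rule numbers and the `rule()` helper are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def rule(number, action, proto="ip", src="0.0.0.0/0", dst="0.0.0.0/0", dport=None) -> Rule:
    """Build a rule from prefix strings, as one would type them into the CLI."""
    return Rule(number, action, proto, ip_network(src), ip_network(dst), dport)


@dataclass
class AccessList:
    rules: List[Rule]
    default_action: str = "deny"   # Cisco IOS implicit deny; confirm on your platform

    def evaluate(self, proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
        """The first matching rule (by sequence number) decides; nothing later is examined."""
        for r in sorted(self.rules, key=lambda r: r.number):
            if r.matches(proto, src, dst, dport):
                return r.action, r.number
        return self.default_action, None


def shadowed_rules(acl: AccessList) -> List[int]:
    """Numbers of rules that can never match because an earlier rule already
    covers every packet they would match."""
    ordered = sorted(acl.rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(later.number)
                break
    return shadowed


def interface_filter(acl: AccessList, proto, src, dst, dport=None, locally_generated=False):
    """An interface ACL filters transit traffic only: packets the device itself
    generates bypass it, so device-originated traffic must be controlled elsewhere."""
    if locally_generated:
        return "permit", None
    return acl.evaluate(proto, src, dst, dport)
```

In the test below, a list that permits everything at rule 5 and denies Telnet from VLAN 20 at rule 10 never blocks Telnet; swapping the order fixes it, and `shadowed_rules` flags the broken version before it is bound to an interface.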

3.3   Virtual Private Network Technology

Virtual private network (VPN) technology creates a temporary, highly secure connection across the Internet: a safe, stable channel that crosses the public network. Generally, a VPN extends an enterprise's internal network to its users. Remote users, partners and branch sites use it to establish a secure and convenient connection to the enterprise network while the transmitted data remains protected. With the ever-growing number of mobile users reaching the enterprise over the global Internet, VPNs provide mutually secured transport channels, allow secure communication with corporate sites, and act as a secure virtual dedicated line between a company and the enterprises it cooperates with.

A VPN is built from a series of security mechanisms: tunnelling, encryption and decryption, key management, and identity authentication. Together these protect the VPN: they substantially reduce the risk of data being intercepted in transit, and even if traffic is captured, the attacker cannot read the contents without the keys.

A VPN is a service built on a public data network that gives users a direct connection to a private local network. It greatly reduces cost for users and provides better security and reliability than traditional methods. VPNs fall into three categories: Intranet VPNs, which connect the departments and remote sites of one enterprise; Extranet VPNs, which connect an enterprise with its partners or customers; and Access VPNs, which connect remote or mobile users to the enterprise network.

With VPN technology there is no physically separate user network: users need not build or lease dedicated lines or install special equipment to obtain what is effectively their own private network on the carrier's infrastructure. A VPN is a logical network created on top of the public telecommunications network, and different public networks can create different kinds of VPN under software control.

Security requirements demand that a VPN feel private to its users, so the first priority for a VPN built on an untrusted and unreliable public data network is to address security. VPNs solve this with three security technologies: tunnelling, encryption and authentication. A VPN over the Internet must use strong encryption to protect sensitive information, and a remote-access VPN must provide a reliable authentication mechanism for remote users.

Although network speeds have improved, in the Internet era the growth of e-commerce means that congestion has a significant impact on the performance and stability of a VPN. A VPN solution should therefore let administrators monitor traffic to ensure performance. Through the VPN platform, administrators define policies that allocate bandwidth by importance, so that high-priority applications are served first and are not "starved" by low-priority ones.

As network services and applications multiply and network management grows more complex, management has to handle ever more user IP addresses. Because a VPN is an external extension of the enterprise, it needs a fixed management system to lighten the burden of management and reporting, and the management platform must provide an easy way to define security policies and to assign and manage large numbers of devices.

Advantages of VPN: cost saving is one of the most important advantages of VPN technology and the key to its success over traditional dedicated-line networks. According to surveys of industrial companies, a company with a VPN can save 30% to 70% of start-up costs compared with one using remote access servers or modems and traditional dedicated access lines.

The security of VPN systems keeps improving. A VPN system relies on four technologies to secure data communication: tunnelling, encryption and decryption, key management, and identity authentication. For user authentication, VPNs based on the Point-to-Point Protocol use its authentication methods: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Shiva Password Authentication Protocol (SPAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and optionally the Extensible Authentication Protocol (EAP). For data encryption and key management, such a VPN uses Microsoft Point-to-Point Encryption (MPPE) or the IP Security protocol suite (IPsec), with keys managed using public/private key methods. MPPE allowed Windows 95, 98 and NT 4.0 terminals to communicate securely from anywhere in the world; it encrypts the PPP payload with RC4 using 40-, 56- or 128-bit keys derived from the MS-CHAP authentication exchange. Authentication and encryption are performed by the remote VPN server. For a dial-up VPN connection, the data can be encrypted twice (on the dial-up link and in the VPN tunnel), which makes transmission over the network more secure. Note that PAP sends the password in clear text, and PPTP with MS-CHAP and MPPE is considered weak by today's standards; an IPsec- or TLS-based VPN is preferred.
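The CHAP exchange named above, as an added example in Python (not code from the paper or from any VPN product; it follows RFC 1994, where Response = MD5(Identifier || secret || Challenge)). Both sides are shown: the authenticator issues a random challenge, the peer answers with a hash rather than the secret, and the authenticator verifies with a constant-time comparison and consumes the challenge so a replayed response fails. The last function shows the caveat behind "a reliable authentication mechanism": the secret never crosses the wire, but anyone who captures one exchange can test guesses offline, so a weak shared secret is still recoverable. Names, secrets and the word list are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """VPN server side: holds the shared secrets and the outstanding challenges."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.identifier = 0
        self.pending: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes]:
        """Send a fresh random challenge; the identifier ties the response to it."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class Peer:
    """Client side: never sends the secret, only its hash with the challenge."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, chal: bytes) -> Tuple[int, str, bytes]:
        return identifier, self.name, chap_response(identifier, self.secret, chal)


def dictionary_attack(identifier: int, chal: bytes, response: bytes,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """What a passive observer can do with one captured exchange: try
    candidate secrets offline until one reproduces the captured response."""
    for guess in candidates:
        if chap_response(identifier, guess, chal) == response:
            return guess
    return None
```

Because the verifier compares against a response computed from a random 16-byte challenge, the identifier alone is not what prevents replay; popping the challenge on first use is.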

Companies that want to expand the capacity and coverage of their VPN have little to do themselves, and can do it quickly, because the work can be entrusted to a professional network service provider (NSP), which guarantees the quality of the project and avoids many complications. The enterprise only needs to sign an account contract with a new NSP, or renew its contract with the existing one, to expand the scope of service. VPN routers can also configure workstations automatically.

IP addresses are protected because VPN traffic is encrypted: when VPN packets travel over the Internet, Internet users see only the public service IP addresses and not the private network addresses carried inside the packet. Addresses on the private remote network are therefore hidden. Concern about exposing IP addresses was one of the main reasons VPNs were not fully considered in the early days.

3.4  Network address translation technology

NAT is an IETF standard that allows an organization as a whole to have a public IP address on the Internet. As he puts it, it is a technology that converts internal private network addresses (IP addresses) into legitimate network IP addresses. Therefore, it can be considered that NAT can effectively solve the problem of insufficient public network addresses to some extent. The purpose of NAT network address translation is to convert private IP to public addresses, and the most important thing is to make up for the lack of the number of public addresses, so we use EASY-IP here to configure the network.

The implementation of Easy IP is similar to the NAPT translation principle of an address pool and can be regarded as a special case of NAPT. The difference is that Easy IP automatically maps between the public IP address of the router's WAN interface and the private IP addresses.

Easy IP is mainly used when the router WAN interface IP address is used as the public network IP address to be mapped. It is especially suitable for small LANs in small and medium-sized Internet cafes, small offices and other environments to access the Internet. The gateway has the following characteristics: there are few internal hosts, and the outbound interface obtains a temporary (or fixed) public IP address through dial-up for internal hosts to access the Internet.
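The translation described above, as an added example that is not code from the original page: a small Easy IP (NAPT on the WAN interface address) simulator that maps private (IP, port) pairs onto ports of the single public address, maps replies back, and drops unsolicited inbound packets. Private subnets follow the page's 10.7.0.0/16 plan; the WAN and Internet addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Easy IP (NAPT on the WAN interface address) simulator.

Added example, not code from the original page. Private hosts follow the
page's 10.7.x.0/24 plan; the WAN address 203.0.113.10 and the outside host
198.51.100.1 are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class EasyIP:
    """Source NAPT whose public side is always the WAN interface address."""

    def __init__(self, wan_ip: str, inside: str, port_range=(10240, 65535)):
        self.wan_ip = wan_ip
        self.inside = IPv4Network(inside)
        self.low, self.high = port_range
        self.next_port = self.low
        self.out_table = {}  # (proto, private ip, private port) -> public port
        self.in_table = {}   # (proto, public port) -> (private ip, private port)

    def _alloc_port(self, proto: str) -> int:
        # Round-robin search for a free public port; the single WAN address
        # is all Easy IP can hand out, so the port space can run dry.
        for _ in range(self.high - self.low + 1):
            port = self.next_port
            self.next_port = self.low if port == self.high else port + 1
            if (proto, port) not in self.in_table:
                return port
        raise RuntimeError(f"no free public port left on {self.wan_ip}")

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the source to WAN address + public port."""
        if IPv4Address(pkt.src) not in self.inside:
            return pkt  # not an inside host, forwarded untranslated
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_table:  # new session: record both directions
            pub = self._alloc_port(pkt.proto)
            self.out_table[key] = pub
            self.in_table[(pkt.proto, pub)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, self.out_table[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Internet -> private: only packets matching an existing session are
        translated back; anything else returns None (dropped), which is why an
        outside host cannot reach an inside host on its own initiative."""
        if pkt.dst != self.wan_ip:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.proto)


def demo():
    """Two inside hosts using the same private source port, then a reply to the
    second session and an unsolicited packet from the outside."""
    nat = EasyIP("203.0.113.10", "10.7.0.0/16")
    a = nat.outbound(Packet("10.7.10.5", 40000, "198.51.100.1", 80))
    b = nat.outbound(Packet("10.7.11.5", 40000, "198.51.100.1", 80))
    reply = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.10", b.sport))
    stray = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.10", 12345))
    return a, b, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```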

3.5 OSPF protocol

OSPF is a typical link-state routing protocol, generally used within a single routing domain. Here the routing domain is an Autonomous System (AS), a group of networks that exchange routing information with each other under a unified routing policy or routing protocol. Within this AS, all OSPF routers maintain the same database describing the structure of the AS; this database stores the state of the links in the routing domain, and it is from this database that each OSPF router calculates its OSPF routing table.

As a link-state routing protocol, OSPF multicasts link-state advertisements (LSAs) to all routers in an area, which differs from distance-vector routing protocols: a router running a distance-vector protocol passes part or all of its routing table to its neighboring routers.

Regarding the security of information exchange, OSPF stipulates that any information exchange between routers can be authenticated when necessary, so that only trusted routers propagate routing information. OSPF supports multiple authentication mechanisms and allows different mechanisms to be used in different areas. OSPF also optimizes the link-state algorithm for broadcast networks (such as Ethernet) to make full use of hardware broadcast for delivering link-state messages. Normally a node in the topology graph of a link-state algorithm represents a router; if K routers are all attached to the same Ethernet, the number of link-state messages relating to these K routers would reach K². For this reason OSPF allows a node in the topology graph to represent a broadcast network, and every router on each broadcast network sends link-state messages reporting the state of its links on that network.

To put it simply, two adjacent OSPF routers become neighbors by exchanging messages; the neighbors then send each other link-state information to form an adjacency; each then computes routes with the shortest-path algorithm and places them in the OSPF routing table; finally the OSPF routes are compared with routes from other sources and the best one is added to the global routing table. The whole process uses five message types, three stages and four tables.

The five message types are: Hello, which establishes and maintains neighbor relationships; DBD (Database Description), which sends link-state header information; LSR (Link State Request), which asks a neighbor for the complete information behind headers found in a DBD; LSU (Link State Update), which sends the complete information corresponding to the headers requested in the LSR; and LSAck, which acknowledges a received LSU. The three stages are: neighbor discovery, where neighbor relationships are formed by exchanging Hello messages; route advertisement, where neighbors exchange link-state information to form adjacencies; and route calculation, where the routing table is computed with the shortest-path algorithm. The four tables are: the neighbor table, which records the routers with which a neighbor relationship has formed; the link-state database, which records the link-state information; the OSPF routing table, derived from the link-state database; and the global routing table, into which OSPF routes are placed after comparison with routes from other sources.

The working process is as follows. First, each router learns its own links, that is, the networks directly connected to it. Second, it finds neighbors; unlike RIP, OSPF does not broadcast routing information to the network as soon as it starts, but first searches the network for surrounding routers with which it can exchange link-state information, and routers that can exchange link-state information become neighbors of each other. Third, once a router has established a neighbor relationship, it creates link-state packets. Fourth, link-state information is transferred: the router floods LSAs describing its link state to its neighbors, ultimately forming a link-state database containing complete link-state information for the network. Finally, each router in the routing area independently calculates routes with the SPF algorithm.

The main advantages are as follows. OSPF is suitable for a wide range of networks: the protocol imposes no limit on the number of route hops, so it can be used in many situations and supports a wider range of network sizes; on a multicast network, OSPF can support dozens of routers operating together. Multicast-triggered updates: after convergence, OSPF sends topology change information to other routers only when triggered, which reduces bandwidth consumption and interference, and on a multicast network structure sending this information has no side effects on other devices. Fast convergence: when the network structure changes, OSPF sends out new messages as quickly as possible so that the new topology spreads rapidly to the entire network, and OSPF uses short-cycle Hello messages to maintain neighbor state. Cost as the metric: OSPF was designed with the influence of link bandwidth on the routing metric in mind; it uses cost as the standard, and link cost is inversely related to link bandwidth, so the higher the bandwidth, the smaller the cost, which makes OSPF route selection primarily bandwidth-based. Loop avoidance: under the shortest-path algorithm, paths are generated from the received link states, so no loops occur. Wide application: OSPF is widely used on the Internet with a large number of deployments, and has proven to be one of the most widely used IGPs.
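The cost metric and the SPF calculation of this section, as an added example that is not code from the original page: it derives interface cost from bandwidth the way the text describes and runs the shortest-path algorithm every router applies to the shared link-state database. It assumes Huawei VRP's default reference bandwidth of 100 Mbit/s (changed with the `bandwidth-reference` command), and the three-router topology is constructed, not the page's exact link layout; it also shows the caveat that with the default reference a GE and a 10GE link both cost 1.

```python
"""OSPF cost and SPF computation.

Added example, not from the original page. Reference bandwidth 100 Mbit/s is
the assumed Huawei VRP default; the topology below is constructed.
"""
import heapq


def ospf_cost(bandwidth_mbps: float, reference_mbps: float = 100.0) -> int:
    """cost = reference / bandwidth, truncated to an integer, never below 1."""
    return max(1, int(reference_mbps // bandwidth_mbps))


def build_lsdb(links, reference_mbps: float = 100.0):
    """links: (router_a, router_b, bandwidth_mbps). Returns the adjacency view
    of the link-state database that every router in the area holds."""
    lsdb = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_mbps)
        lsdb.setdefault(a, []).append((b, cost))
        lsdb.setdefault(b, []).append((a, cost))
    return lsdb


def spf(lsdb, root):
    """Dijkstra rooted at this router: {router: (total_cost, next_hop)}.
    On equal cost the first path found is kept (a real router would install
    both as ECMP)."""
    best = {root: 0}
    next_hop = {root: None}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue  # stale heap entry, a cheaper path was already found
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr]:
                best[nbr] = new_cost
                next_hop[nbr] = nbr if node == root else next_hop[node]
                heapq.heappush(heap, (new_cost, nbr))
    return {r: (best[r], next_hop[r]) for r in best}


# Constructed topology: egress firewall FW, core switches HX-1 and HX-2 with
# a 10GE interconnect, plus a slow 100 Mbit/s direct FW-HX-2 link kept only
# to show how the reference bandwidth changes the chosen path.
SAMPLE_LINKS = [
    ("FW", "HX-1", 1000),
    ("HX-1", "HX-2", 10000),
    ("FW", "HX-2", 100),
]


def routes_from_fw(reference_mbps: float = 100.0):
    """Routes the firewall computes towards each core switch."""
    return spf(build_lsdb(SAMPLE_LINKS, reference_mbps), "FW")


if __name__ == "__main__":
    for ref in (100.0, 10000.0):
        print(f"reference {ref:.0f} Mbit/s:", routes_from_fw(ref))
```

With the default reference the firewall prefers the slow direct link to HX-2 (every link costs 1); raising the reference to 10000 makes it go via HX-1 at cost 11.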

Chapter 4 System Design

4.1 Overall network design

When most campuses build their Internet access, they lease a dedicated line to connect the local area network to the public network. A single link, however, carries the risk of a single point of failure: if only a Telecom link is connected, one operator link failure interrupts the entire network. As the number of users on the campus grows and network applications develop further, the original single Telecom exit can no longer meet demand, and a second exit must be opened through the local network service provider to connect to a China Unicom line.

After policy routing for the two lines is configured on the egress firewall, when intranet users access the Internet some users are automatically matched to the route over the China Telecom line and others to the route over the China Unicom line. When the Telecom link fails, link connectivity detection reports the fault to the firewall; the firewall automatically marks the Telecom link as invalid and all users are matched to the China Unicom line. In this way policy routing solves the problem of intranet users losing Internet access when one external link is interrupted. As the network structure becomes more and more complex, networks with special requirements need careful analysis of the user network topology and an understanding of the flow direction of the various kinds of data before corresponding measures are taken. Policy routing can flexibly control the flow of packets according to established policies, meeting the campus network's needs for multi-exit networking.

4.2  Network topology diagram

The network environment is built on the Huawei eNSP simulator; its topology is shown in Figure 4.1.

Figure 4.1 Network topology diagram

4.3  IP address planning

Reasonable planning of IP addresses is an important part of network design. Large-scale networks must uniformly plan and implement IP addresses. The quality of IP address planning affects the efficiency of network routing protocol algorithms, network performance, network expansion, network management, and will also directly affect the further development of network applications.

Table 4.1 IP address planning table

VLAN   Network segment   Remark
10     10.7.10.0/24      /
11     10.7.11.0/24      /
12     10.7.12.0/24      /
13     10.7.13.0/24      /
14     10.7.14.0/24      /
15     10.7.15.0/24      /
16     10.7.16.0/24      /
20     10.7.20.0/24      Server area
51     10.7.51.0/24      Core 1 to firewall interconnection
52     10.7.52.0/24      Core 2 to firewall interconnection

4.4  Equipment selection

4.4.1 Core switch selection

Core layer switches should mainly consider switching capabilities and reliability, so products with no single point of failure in design should be selected. After comprehensive consideration, Huawei Quidway S9306 was selected as the core switch of this network architecture.

The Quidway S9306 adopts a modular design, supports 6 service slots, has a backplane bandwidth of 6 Tbps and a packet forwarding rate of 1152 Mpps, and a single device supports 240 10-Gigabit ports, which leaves room to upgrade the core layer of the campus network to 10G in the future. Quidway S9300 series switches provide carrier-grade high reliability: the main control units, power supplies and other key components are redundant, and all components support hot swapping, so service interruptions can be reduced when the network is congested, lossless service upgrades can be performed, and complete operation, maintenance and performance management is supported, with statistics on data transmission delay, system jitter and other parameters used to monitor network traffic in real time and locate faults rapidly. In addition, the S9306 supports wireless controller (AC) cards, which select the transmission channel and power automatically when wireless access points (APs) come online and adjust channel or power automatically on conflicts; when roaming between access points, wireless devices switch quickly, and the wireless AC supports one-to-one and one-to-many cold standby and load balancing to improve reliability. The Huawei Quidway S9306 switch is shown in Figure 4.2.

Figure 4.2 Huawei Quidway S9306 switch

4.4.2 Aggregation layer switch selection

An aggregation switch aggregates traffic from the access switches and forwards it to the core. Besides backplane bandwidth, its interface types should match the uplink interfaces of the access switches, and it should support link aggregation, inter-VLAN routing and the corresponding security policies. The Huawei Quidway S5700-28C-EI-24S, a layer 3 switch, was selected as the aggregation switch. In terms of interfaces, this model provides 24 100/1000Base-X ports and 4 10/100/1000Base-T Gigabit combo ports, meeting the multi-fiber uplink requirements of an aggregation switch. In terms of VLAN support, it supports the default VLAN, voice VLAN, VLAN assignment based on MAC address, IP subnet, policy and port, and one-to-one and one-to-many VLAN mapping, which meets the VLAN aggregation and routing needs of the access switches. In network management, it supports stacking, remote login configuration, SNMP, cluster management, and control of port receive and transmit packet rates. In security management, it supports user role management and password protection; protection against denial-of-service, ARP and ICMP attacks; binding of IP address, MAC address, port number and VLAN in combination; port isolation; 802.1X; and limiting the number of users on a single port, fully meeting the connection and management requirements of the aggregation layer.

The Huawei Quidway S5700-28C-EI switch is shown in Figure 4.3.

Figure 4.3 Huawei Quidway S5700-28C-EI switch

4.4.3 Access switch selection

Access layer switches mainly consider access cost and should provide high port density and scalability; in addition, they should provide simple network management functions (for example VLAN assignment, MAC binding and flow control). Taking these factors into account, Huawei's Quidway S3700-EI (AC) switch was selected for the access layer. It provides 24 10/100Base-TX ports and 2 Gigabit combo ports, is stackable, has a backplane bandwidth of 3 Gbps and a packet forwarding rate of 6.6 Mpps, supports port-based and MAC address-based VLAN assignment, supports binding of IP, MAC, port and VLAN in combination, supports port and flow rate limiting, port aggregation, Telnet and SSH, RADIUS remote user dial-in authentication and network access control (NAC), and can limit the number of users that access each port.

The Huawei Quidway S3700-EI switch is shown in Figure 4.4.

Figure 4.4 Huawei Quidway S3700-EI switch

4.4.4 Firewall selection

The firewall sits at the entrance of the campus network and controls both internal traffic going out to the external network and external traffic accessing campus resources. Its location and role determine its importance. Firewall selection should fully consider reliability, throughput, number of concurrent connections, number of new connections per second, access control functions, flow-based stateful inspection, application monitoring and attack prevention functions.

Taking various factors into consideration, the egress firewall is the Huawei USG6000, a 3U rack-mounted device with a modular design. The standard configuration has 4 GE combo ports, 4 MIC expansion slots, 2 FIC expansion slots and one DFIC expansion slot, which adapts flexibly to changes in the network structure. Using advanced multi-core processors and multi-threaded parallel processing, it reaches a throughput of 4 Gbps, a maximum of 2 million concurrent connections and 40,000 new connections per second, which effectively reduces network latency and improves the user experience. It supports various forms of VPN access and easily provides remote access. In addition, the USG5150 integrates advanced Symantec IPS and anti-virus technology, providing efficient and accurate scanning of network packets and detection of viruses hidden in traffic. Application awareness gives granular control of network traffic and protects core business bandwidth. URL filtering, search engine keyword filtering and page keyword filtering regulate the Internet access behaviour of the intranet, fully meeting the requirements of campus network traffic management and protection.

Figure 4.5 shows the appearance of the Huawei USG6000 firewall.

Figure 4.5 USG5150 firewall

4.5  Equipment list

The equipment selection list is shown in the following table:

Table 4.2 Equipment list

Model     Quantity   Role
USG6000   1          Egress firewall
S9300     2          Core switch
S5700     2          Aggregation switch
S3700     8          Access switch
RH2285    2          Server

Chapter 5 Detailed Design

The system mainly integrates the virtual switch interface (VLANIF) technology of the core switches with the policy routing technology of the layer 3 switches. The routing protocol in the core layer 3 switches selects a path according to its routing algorithm, while the policy routing at the egress lets the network administrator direct packets along the intended path; policy routing is executed in preference to the routing protocol. As a result, the system performs path selection for traffic from the campus-internal network segments to the Internet, which improves the manageability and availability of the intranet.

Policy-based routing is a more flexible packet forwarding mechanism than routing on the destination network alone, and it takes priority over ordinary routing. Once policy routing is applied, the router decides how to handle packets according to the user-specified policy. After a policy route is applied to an interface, every packet received on that interface is checked: packets that match no policy are handled by ordinary routing and forwarding, and packets that match a user policy are forwarded to the next-hop address or router interface specified by that policy.

Path selection in a multi-exit network is very important, and policy routing solves it well. Policy routing can be based on destination address, on source address, or on an intelligent balancing policy; the intelligent balancing policy, which automatically identifies the LAN's exit lines and applies the corresponding policy, is the future direction of policy routing.

5.1  Multi-link egress design

This design adopts multiple egress links. A multi-link design largely solves the problem of slow intranet access to the public network and removes the single-link point of failure, because in a single-link environment the problem of public-network users accessing servers inside the network slowly is even more pronounced. On the one hand, most servers inside the network use Telecom egress IP addresses, so all access to the internal network must traverse the Telecom link; although the campus has a high-speed Telecom link, public users can reach internal servers only through that single bandwidth-constrained link and through inter-operator transit, which is a serious waste of the multi-exit links. On the other hand, multiple NIC IP addresses could be configured on the internal servers and intelligent DNS used to distinguish the source IP addresses of visiting traffic.

Combining the multi-link egress with policy routing mainly implements policy routing based on source address (intranet address) and destination address (public address) together with SNAT. This provides optimal path selection for the resources of different operators (for example, Telecom resources via the Telecom line and Unicom resources via the Unicom line) and redundant backup of the egress routes, while SNAT solves the shortage of public addresses.

5.2  Priority of egress link access

With a dual-line egress, how to set the routing so as to make full use of both lines is a problem that must be faced. The simplest way to handle bandwidth allocation across the two lines is to set default routes pointing at the peer routers of both lines, so that the router can distribute traffic dynamically. In practice, however, intranet access to the public network did not become noticeably faster; access was sometimes fast and sometimes slow, and occasionally the network was interrupted. Analysis of the router's NAT translations showed that the router did not distribute traffic dynamically according to bandwidth, but performed NAT randomly according to user accesses. This form of load balancing is of little practical value: the total egress bandwidth is shared and easily disturbed, the shortfall is more apparent at peak times, and some clients leaving via the Telecom line saw no noticeable improvement in access speed.

The cause of this problem is that a multi-link deployment necessarily means two links from different operators, and although operators interconnect through routing protocols, when a Telecom user accesses Unicom resources the packet response may be delayed. Policy routing solves this well: by updating the ISP address set on the egress device and using it as the destination-address match of the policy routes, intranet users' traffic is matched to the appropriate route according to the operator to which the destination domain name or system belongs.

Policy routing set according to the ISP address set achieves intelligent load sharing, guaranteeing the network's response speed and the load-sharing characteristics of policy routing.

5.3  Egress security design

The dual-exit campus network combines network address translation (NAT) with policy routing, sharing users' Internet traffic across different networks and improving access speed. With NAT, external hosts routed through the local ISP cannot reach the internal hosts behind the connection, which guarantees the security of the campus network's internal hosts to a certain extent.

5.4  Analysis of the hierarchical network structure

5.4.1 Core layer design

The core switches provide high-speed forwarding for packets entering and leaving the data center and connectivity for multiple aggregation layers; together they provide a resilient L3 routed network for the whole network.

The core layer is the high-speed switching backbone of the network and is crucial to the connectivity of the whole network. The core should have the following characteristics: reliability, efficiency, redundancy, fault tolerance, manageability, adaptability and low latency. The core layer should use high-bandwidth switches of gigabit class or above, because the core is the hub of the network and its importance is prominent. Dual-device redundant hot backup for core devices is essential, and load balancing can also be used to improve performance. Network control policies should be implemented on the core layer as little as possible. The core layer has always been regarded as the final bearer of all external network traffic, so the requirements on core-layer design and network equipment are very strict, and core devices account for the main part of the investment.

The main functions of the core layer are: optimized transmission between backbone networks, high-speed access for the business servers (data center), and building a unified data switching center, security control center and network management center. Therefore, high performance and high reliability are the focus of core-layer design. After the system is built, the core layer will consist of two core switches and one Internet egress firewall; the core devices are interconnected with high-speed links in a fully redundant manner to improve reliability. The core switches are interconnected with two GE (or 10GE) links for high-speed interconnection and link redundancy. Since this design has multiple Internet egress links, policy routing is configured on the firewall to achieve load sharing; an IPsec VPN is configured over the Internet link to the other campus to provide encrypted intranet-to-intranet access, and security policies are configured to control WAN access. The policy routing design is shown in Figure 5.1.

Figure 5.1 Policy routing design

This design is a policy routing environment deployed on a dual-line Internet egress. With policy routing as its core, it solves the problem of packet path selection in the network system. The system is a campus intranet whose headquarters firewall is the egress device, connected to the Internet through a Telecom router and a Unicom router. According to business needs, all users from VLAN 10-13 use policy routing to the Telecom line by default, and all other users use the Unicom line by default; the two links back each other up, achieving load sharing for dual-line policy-routed access.

5.4.2 Aggregation layer design

The aggregation switches connect the access switches and also provide other services, such as firewalling, SSL offload, intrusion detection and network analysis.

The aggregation layer mainly connects the access-layer nodes to the core-layer center. It is the logical center of its area, relieving the load on the core devices, and provides workgroup access, inter-VLAN communication and other functions. Switches supporting VLANs should be chosen at the aggregation layer to achieve network isolation and segmentation. In this design the aggregation layer is planned as two switches cross-connected to the core, forming physical link backup, and aggregating the uplinks of all downstream access switches, which achieves true aggregation. See Figure 5.2.

Figure 5.2 Aggregation layer design

5.4.3 Access layer design

The main function of the access layer is to serve as the interface of the underlying network; its structure is relatively simple, and the performance and functional requirements on the devices are modest. In this design all terminals and user network access points attach at the access layer, and their traffic is aggregated by the aggregation switches and sent to the core switches, where routing is completed. See Figure 5.3.

Figure 5.3 Access layer design

5.5  Key technologies and difficulties

The key technology in this design lies in the policy routing design and its interworking with the IPsec VPN tunnel routing. PBR must direct routes according to the needs of the enterprise's internal departments while meeting the traffic load-sharing requirements of the devices and lines; the second issue is the encryption control and interesting-flow matching of the IPsec VPN: for security, only the departments that need it are matched into the VPN's interesting flow.

Based on the campus access policy, routes are planned for the dual-link egress, making explicit the path selection and control rules for traffic entering and leaving the border network. On the one hand, external hosts can access the intranet servers; on the other hand, NAT meets the need of all intranet users to access the external network, and intranet-to-external routes can automatically select the egress according to the ISP address table provided by the operator. Traffic balancing for intranet users can also be set manually; to relieve pressure on any one link as far as possible, the ISP address table must be updated in time to keep it valid.

IPsec VPN conflicts with NAT address translation, so during the design the address range matched by the interesting flow must be excluded from NAT. The source and destination addresses of the policy routes must be matched precisely; if they are left completely open, traffic becomes unbalanced and may cause congestion.
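The egress decision order that sections 4.1, 5.2 and 5.5 describe, as an added example that is not the page's or Huawei's code: interesting flow is checked first and bypasses NAT, then the destination-based ISP address set, then the source-based rule (VLAN 10-13 to Telecom, the rest to Unicom) with failover when connectivity detection reports a line down, and finally SNAT to the chosen line. The VLAN subnets, the line addresses 220.189.1.2 / 220.189.2.2 and the VLAN 15-16 interesting flow come from the page; the remote campus subnet, the ISP address sets and the WAN addresses are constructed placeholders.

```python
"""Egress decision pipeline for the dual-line firewall.

Added example, not code from the page or from Huawei. Placeholders:
remote campus 10.8.0.0/16, ISP sets from the RFC 5737 ranges, WAN addresses
203.0.113.1/2. Everything else follows the page's design.
"""
from ipaddress import ip_address, ip_network

TELECOM, UNICOM = "telecom", "unicom"
EXITS = {
    TELECOM: {"next_hop": "220.189.1.2", "wan_ip": "203.0.113.1"},
    UNICOM: {"next_hop": "220.189.2.2", "wan_ip": "203.0.113.2"},
}
# Source-based rule from the page: VLAN 10-13 leave via Telecom.
PBR_TELECOM_SOURCES = [ip_network(f"10.7.{v}.0/24") for v in (10, 11, 12, 13)]
# Placeholder ISP address sets (section 5.2); real ones come from the operator
# and must be refreshed regularly, as section 5.5 notes.
ISP_SETS = {
    TELECOM: [ip_network("192.0.2.0/24")],
    UNICOM: [ip_network("198.51.100.0/24")],
}
# Interesting flow: only VLAN 15/16 towards the (placeholder) remote campus.
VPN_LOCAL = [ip_network("10.7.15.0/24"), ip_network("10.7.16.0/24")]
VPN_REMOTE = [ip_network("10.8.0.0/16")]


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def choose_exit(src, dst, link_up: dict):
    """Return (exit, reason). A destination in an ISP set beats the source
    rule, and a line reported down by connectivity detection is never used."""
    for isp, nets in ISP_SETS.items():
        if in_any(dst, nets) and link_up[isp]:
            return isp, "isp-set"
    preferred = TELECOM if in_any(src, PBR_TELECOM_SOURCES) else UNICOM
    backup = UNICOM if preferred == TELECOM else TELECOM
    if link_up[preferred]:
        return preferred, "pbr"
    if link_up[backup]:
        return backup, "failover"
    return None, "no-exit"


def egress(src: str, dst: str, link_up: dict) -> dict:
    """Decide what the firewall does with one outbound packet."""
    s, d = ip_address(src), ip_address(dst)
    # 1. Interesting flow: tunnel it and skip SNAT; a translated source would
    #    no longer match the IPsec ACL (the NAT/IPsec conflict of section 5.5).
    if in_any(s, VPN_LOCAL) and in_any(d, VPN_REMOTE):
        return {"action": "ipsec", "nat": False, "reason": "interesting-flow"}
    # 2. Everything else: policy route, then SNAT to the chosen line's WAN
    #    address. A remote-campus address from a non-matching VLAN (the page's
    #    VLAN 14 test) lands here and is undeliverable over the Internet.
    exit_, reason = choose_exit(s, d, link_up)
    if exit_ is None:
        return {"action": "drop", "nat": False, "reason": reason}
    return {
        "action": "forward",
        "exit": exit_,
        "next_hop": EXITS[exit_]["next_hop"],
        "nat": True,
        "snat_ip": EXITS[exit_]["wan_ip"],
        "reason": reason,
    }


if __name__ == "__main__":
    both_up = {TELECOM: True, UNICOM: True}
    print(egress("10.7.12.5", "203.0.113.200", both_up))
    print(egress("10.7.15.5", "10.8.1.1", both_up))
    print(egress("10.7.12.5", "203.0.113.200", {TELECOM: False, UNICOM: True}))
```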

5.6  Problems and solutions

Security problem of the IPsec VPN: the configured interesting flow opens whole network segments, so traffic between headquarters and the branch flows freely in both directions. The solution is to limit the interesting-flow match precisely, or to apply ACL access control on the firewall or core devices against the VPN's source and destination addresses.

Chapter 6 System Testing

6.1  Debugging and testing

6.1.1 DHCP test

DHCP automatically assigns IP addresses to terminals, making full use of the address space and avoiding waste. Figure 6.1 shows the DHCP status.

Figure 6.1 DHCP status

6.1.2 OSPF test

OSPF builds a link-state database by having routers advertise the state of their network interfaces and generates a shortest-path tree; each OSPF router uses these shortest paths to construct its routing table. In this design the egress firewall and the core switches are placed in the backbone area.

Figure 6.2 shows the OSPF routes learned on the firewall.

Figure 6.2 Firewall OSPF adjacency state

Figure 6.3 shows that the egress firewall and the core switches are in the backbone area.

Figure 6.3 Firewall routing table

6.1.3 HTTP service and DNS test

The server provides an HTTP service and DNS name resolution, so the intranet can reach the HTTP server by domain name.

The figure below shows the intranet reaching the HTTP service through a web browser by domain name, as in Figure 6.4.

Figure 6.4 Intranet accessing the HTTP server by domain name

6.1.4 VRRP status and switchover

VRRP lets two devices jointly maintain a virtual gateway; the gateway address created does not exist on any single device in the live network, and when the master fails the backup takes over immediately and forwards as the gateway. See the figures below.

Figure 6.5 Core switch 1 VRRP status

Figure 6.6 Core switch 2 VRRP status

6.2  Connectivity tests

6.2.1 LAN connectivity test

VLAN division simplifies network management and isolates broadcast domains. Different VLANs cannot communicate by default; if they need to, traffic must be forwarded by the gateway. The figure below tests communication between different VLANs.

See Figure 6.7.

Figure 6.7 Inter-VLAN communication test

6.2.2 LAN-to-Internet connectivity test

The intranet accesses the public network through the source address translation policy of the border firewall: when intranet terminal traffic reaches the border firewall, the firewall translates the source address to its own outbound interface address, and when the reply returns it translates the destination address back to the local terminal.

See Figure 6.8.

Figure 6.8 Intranet accessing the public network

6.2.3 Policy routing at the Internet egress

The Internet egress firewall has dual operator links, so to achieve load sharing, traffic from VLAN 10-13 goes out through the Telecom exit, and traffic from the other VLANs and interfaces accesses the Internet through the Unicom line.

The traffic flow is shown in Figure 6.9.

Figure 6.9 Policy routing test

The figure shows clearly that VLAN 12 reaches the Internet via the Telecom line address 220.189.1.2, while VLAN 15 takes the Unicom line 220.189.2.2; the policy routing is configured correctly and the test passes.

6.2.4 IPsec VPN test

There are two campuses in the network environment, and they exchange data over the Internet. As is well known, exchanging data over the Internet is not secure enough, so an IPsec VPN tunnel is established between the two campuses to encrypt the traffic.

The IPsec VPN allows only VLAN 15 and VLAN 16 to match the VPN's interesting flow and enter the tunnel for data exchange. The test result is shown in Figure 6.10.

Figure 6.10 IPsec VPN access test

Accessing the other campus's intranet addresses from VLAN 14 and VLAN 15 shows that VLAN 15 can access them normally, while VLAN 14 does not match the interesting flow and cannot reach the other campus's addresses.

The firewall session records are shown in Figure 6.11.

Figure 6.11 Firewall session records


Appendix: device configurations

#
sysname HX-2
#
vlan batch 10 to 16 20 52 100
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
 region-name MSTP
 instance 1 vlan 10 to 13 100
 instance 2 vlan 14 to 16 20
 active region-configuration
#
drop-profile default
#
ip pool 10
 gateway-list 10.7.10.254
 network 10.7.10.0 mask 255.255.255.0
 excluded-ip-address 10.7.10.250 10.7.10.253
 dns-list 10.7.20.2
#
ip pool 11
 gateway-list 10.7.11.254
 network 10.7.11.0 mask 255.255.255.0
 excluded-ip-address 10.7.11.250 10.7.11.253
 dns-list 10.7.20.2
#
ip pool 12
 gateway-list 10.7.12.254
 network 10.7.12.0 mask 255.255.255.0
 excluded-ip-address 10.7.12.250 10.7.12.253
 dns-list 10.7.20.2
#
ip pool 13
 gateway-list 10.7.13.254
 network 10.7.13.0 mask 255.255.255.0
 excluded-ip-address 10.7.13.250 10.7.13.253
 dns-list 10.7.20.2
#
ip pool 14
 gateway-list 10.7.14.254
 network 10.7.14.0 mask 255.255.255.0
 excluded-ip-address 10.7.14.250 10.7.14.253
 dns-list 10.7.20.2
#

sysname HX-1
#
vlan batch 10 to 16 20 51 100
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
 region-name MSTP
 instance 1 vlan 10 to 13 100
 instance 2 vlan 14 to 16 20
 active region-configuration
#
drop-profile default
#
ip pool 10
 gateway-list 10.7.10.254
 network 10.7.10.0 mask 255.255.255.0
 excluded-ip-address 10.7.10.250 10.7.10.253
 dns-list 10.7.20.2
#
ip pool 11
 gateway-list 10.7.11.254
 network 10.7.11.0 mask 255.255.255.0
 excluded-ip-address 10.7.11.250 10.7.11.253
 dns-list 10.7.20.2
#

#
sysname Server-SW
#
vlan batch 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name MSTP
 instance 1 vlan 10 to 13 100
 instance 2 vlan 14 to 16 20
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#

sysname HJ2
#
vlan batch 10 to 20 100
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name MSTP
 instance 1 vlan 10 to 13 51 100 to 101
 instance 2 vlan 14 to 16 20 52
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 13
#

sysname HJ1
#
vlan batch 10 to 12
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name MSTP
 instance 1 vlan 10 to 13 51 100 to 101
 instance 2 vlan 14 to 16 20 52
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 12
#

sysname Huawei
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#


Origin blog.csdn.net/qq1325513482/article/details/131727632