01-正文
本章节下载 (427.07 KB)
目 录
本文介绍的设备是指被SeerEngine-DC纳管的设备。为确保设备正常接入到Underlay网络以及设备与SeerEngine-DC之间IP路由可达,需手动在设备上进行预配置。本文介绍了设备在不同场景下的预配置,方便用户了解使用指定类型的设备前需要在设备上手动预配置哪些功能。
根据设备的载体形态不同,设备可以分为:
· 物理设备:指设备的载体形态是物理设备(例如物理交换机),其根据服务类型又可以分为接入设备、边界设备等。当使用手动上线方式时,用户需在该类型的设备上进行预配置。自动化上线场景下无需进行预配置。
· 虚拟设备:指在物理服务器或物理网络设备(例如M9000)上虚拟出来的虚拟设备(例如VNF设备、NGFW设备等),其根据服务类型又可以分为虚拟网关、虚拟防火墙、虚拟负载均衡器等。根据虚拟设备的创建方式不同,虚拟设备又可以分为:
¡ 手动添加的纳管设备:指已创建的虚拟设备,需要通过手动添加该设备作为SeerEngine-DC的虚拟设备。用户需在该类型的设备上进行预配置。
¡ 从资源池分配的设备:指通过NGFW资源池或VNF资源池分配的虚拟设备。创建该类型设备时需引用对应的模板,预配置会在创建模板时自动生成。用户不需在该类型的设备上进行任何预配置。用户可根据配置项章节的介绍了解模板中预配置的功能,也可根据需求修改模板中的预配置。
本部分介绍了不同类型设备的配置项及配置简介。配置项部分介绍了不同类型设备可能需要配置的所有功能,用户可根据配置简介的配置步骤预配置指定类型的设备,也可参照配置项了解虚拟设备各类型模板都预配置哪些功能。
|
配置项 |
章节 |
边界设备 |
|
开启设备的L2VPN功能 |
Y |
|
|
配置本地用户及开启NETCONF服务 |
Y |
|
|
配置路由协议 |
Y |
|
|
配置管理接口 |
Y |
|
|
配置VTEP IP |
Y |
|
|
配置边界设备的DCI VTEP IP所在接口 |
Y |
|
|
配置AC侧接口 |
N |
|
|
配置VLAN接口资源预留 |
Y |
|
|
配置与安全设备互联的接口加入同一VLAN |
仅边界设备作为服务网关组的成员设备时需配置 |
|
|
配置IRF桥MAC永久保留 |
仅IRF模式的边界设备需配置 |
|
配置项 |
章节 |
服务链型防火墙 |
服务网关型防火墙 |
|
配置本地用户及开启NETCONF服务 |
Y |
Y |
|
|
配置路由协议 |
Y |
Y |
|
|
配置管理接口 |
Y |
Y |
|
|
配置IRF集群 |
仅IRF模式的服务链型防火墙需配置 |
仅IRF模式的服务网关型防火墙需配置 |
|
|
配置Track项 |
|||
|
配置冗余组 |
|||
|
配置双机热备相关功能 |
|||
|
配置IRF桥MAC永久保留 |
|||
|
配置防火墙默认放行 |
Y |
Y |
|
|
配置Track和NQA联动监测主备静态路由 |
N |
仅多出口场景且SNAT为开启状态时需要配置 |
|
配置项 |
章节 |
服务链型负载均衡器 |
|
配置本地用户及开启NETCONF服务 |
Y |
|
|
配置路由协议 |
Y |
|
|
配置管理接口 |
Y |
|
|
配置IRF集群 |
仅IRF模式的服务链型负载均衡器需配置 |
|
|
配置Track项 |
||
|
配置冗余组 |
||
|
配置双机热备相关功能 |
||
|
配置IRF桥MAC永久保留 |
||
|
配置虚服务器IP所在接口 |
Y |
开启设备的L2VPN功能。
[Device] l2vpn enable
为了确保安全性,设备需要对SeerEngine-DC发起的连接进行认证和授权。目前在解决方案中一般都采用本地认证和授权的方式,所以要在设备上创建本地用户并配置相关属性。(用户名以sdn为例,密码以123为例)
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
配置设备和SeerEngine-DC之间使用NETCONF over SSH通道进行通信。
[Device] ssh server enable
[Device] netconf ssh server enable
配置设备和SeerEngine-DC之间使用NETCONF over HTTPS通道进行通信。
[Device] ip https enable
[Device] netconf soap https enable
配置用户登录设备时的认证方式。
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
配置OSPF进程。一个进程作为管理网的路由发布域(以进程10为例),另一个进程作为Underlay网络的路由发布域(以进程1为例)。
[Device] ospf 10
[Device] ospf 1
· 用户可根据需求使用其他路由协议,建议使用OSPF协议。
· 必须在接口使能OSPF功能前进行本配置。
· 当设备类型为VNF设备时,不支持使用IS-IS路由协议。
· 从资源池分配的虚拟设备(以VNF设备为例)
¡ 当VNF工作在IRF模式时:创建IRF模式设备的管理接口Reth 999,该接口的IP地址将通过VNF Manager下发。组成IRF的两台VNF的管理接口(以GigabitEthernet1/1/0和GigabitEthernet2/1/0为例)作为冗余接口的成员接口。把冗余接口加入到管理网的路由发布域(以OSPF 10区域0为例)。
[Device] interface Reth 999
[Device-Reth999] member interface GigabitEthernet 1/1/0 priority 100
[Device-Reth999] member interface GigabitEthernet 2/1/0 priority 80
[Device-Reth999] ospf 10 area 0
¡ 当VNF工作在独立模式时:管理接口(以GigabitEthernet1/1/0为例)的IP地址将由VNF Manager下发,把管理接口加入到管理网的路由发布域(以OSPF 10区域0为例)。
[Device] interface GigabitEthernet 1/1/0
[Device-GigabitEthernet1/1/0] ospf 10 area 0
· 物理设备及手动增加的虚拟设备:创建管理接口(以LoopBack 0为例,也可以根据需求使用其他接口)并配置接口的IP地址,把该接口加入到管理网的路由发布域(以OSPF 10区域0为例)。
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
Reth 999接口已被预留作为设备的管理接口,该接口不可再用于其他用途。
创建VTEP IP所在接口,并配置VTEP IP地址。
(1) 创建VTEP IP所在接口Loopback 0,把该接口加入到Underlay网络的路由发布域(以OSPF 1区域0为例)。
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 1 area 0
(2) 配置VTEP IP地址。
[Device-LoopBack0] ip address 10.10.1.10 32
· 当存在Fabric连接时,LoopBack 0接口被预留作为配置VTEP IP的接口,该接口不可再用于其他用途。
· 从VM发出的报文较大,在转发过程中可能由于接口MTU值较小导致报文被丢弃,建议修改接口的MTU值为较大值。
DCI VTEP IP用于创建数据中心连接,需要在边界设备上手动创建DCI VTEP IP所在的接口,并为其配置IP地址。
创建环回口作为DCI VTEP IP所在接口,并配置IP地址,以Loopback 2为例。
[Device] interface LoopBack 2
[Device-LoopBack2] ip address 101.10.1.1 255.255.0.0
该配置需要在边界设备上线前完成,上线后不允许删除和修改。
SeerEngine-DC纳管的网络中的内网流量都在VPN中转发,要实现内外网流量互通,需创建外网VPN并把外网出接口加入到该VPN。(适用于VNF网关和NGFW网关)
(1) 创建外网VPN
[Device] ip vpn-instance external_vpn
external_vpn已被预留作为外网VPN,该VPN不可再用于其他用途。
(2) 配置外网出接口
· 当外网出接口所连接的TOR交换机的接口发送的报文带VLAN Tag(以2为例)时,配置物理子接口进行VLAN终结,同时配置物理子接口作为外网出接口的成员接口(以GigabitEthernet1/5/0.2和GigabitEthernet2/5/0.2为例)。
[Device] interface GigabitEthernet 1/5/0.2
[Device-GigabitEthernet1/5/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet1/5/0.2] interface GigabitEthernet 2/5/0.2
[Device-GigabitEthernet2/5/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet2/5/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 1/5/0.2 priority 100
[Device-Reth1] member interface GigabitEthernet 2/5/0.2 priority 80
[Device-Reth1] ip binding vpn-instance external_vpn
· 当外网出接口所连接的TOR交换机接口发送的报文不带VLAN Tag时,配置物理接口作为外网出接口的成员接口(以GigabitEthernet1/5/0和GigabitEthernet2/5/0为例)。
[Device] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 1/5/0 priority 100
[Device-Reth1] member interface GigabitEthernet 2/5/0 priority 80
[Device-Reth1] ip binding vpn-instance external_vpn
Reth 1已被预留作为外网出接口,该接口不可再用于其他用途。
为实现设备的高可靠性,可配置设备工作在IRF模式。指定设备的成员编号及在IRF中的成员优先级,配置IRF端口与物理接口绑定,数据通道和控制通道分别对应不同的物理接口。(适用于IRF模式的VNF设备)
[DeviceA] irf member 1
[DeviceA] irf member 1 priority 32
[DeviceA] irf-port 1
[DeviceA-irf-port1] port group interface GigabitEthernet1/2/0 type data
[DeviceA-irf-port1] port group interface GigabitEthernet1/3/0 type control
[DeviceB] irf member 2
[DeviceB] irf member 2 priority 31
[DeviceB] irf-port 2
[DeviceB-irf-port2] port group interface GigabitEthernet2/2/0 type data
[DeviceB-irf-port2] port group interface GigabitEthernet2/3/0 type control
Track项用于监测外网出接口、下行接口或管理接口的状态。
接口名称可根据实际组网需求修改。本配置项举例中,GigabitEthernet1/1/0和GigabitEthernet2/1/0作为管理接口Reth 999的成员接口;GigabitEthernet1/4/0和GigabitEthernet2/4/0作为下行接口Reth2的成员接口;GigabitEthernet1/5/0和GigabitEthernet2/5/0作为上行接口Reth1的成员接口。
· 虚拟网关设备负责内网流量的三层转发以及内外网流量互通,需监测三种类型的接口。(适用于VNF网关和NGFW网关)
[Device] track 1 interface GigabitEthernet 1/1/0
[Device] track 2 interface GigabitEthernet 1/4/0
[Device] track 3 interface GigabitEthernet 1/5/0
[Device] track 4 interface GigabitEthernet 2/1/0
[Device] track 5 interface GigabitEthernet 2/4/0
[Device] track 6 interface GigabitEthernet 2/5/0
· 服务链节点负责本服务链内的流量转发,不负责内外网流量互通,不需配置外网出接口。(服务链模式vFW和服务链模式vLB)
[Device] track 1 interface GigabitEthernet 1/1/0
[Device] track 2 interface GigabitEthernet 1/5/0
[Device] track 3 interface GigabitEthernet 2/1/0
[Device] track 4 interface GigabitEthernet 2/5/0
冗余组功能仅在IRF模式下支持,一个冗余组最多且必须包含主备两个节点,每个冗余组节点和一台IRF成员设备绑定,两个节点形成设备级备份,且保证了业务报文的接收、处理和发送都在同一台成员设备上进行。
· 冗余组添加各冗余接口作为成员接口。创建Node 1,为主节点,绑定IRF中成员设备slot 1,关联Track项1、2和3;创建Node 2,为备节点,绑定IRF中的成员设备slot 2,关联Track项4、5和6。当slot 1的上下行链路、管理链路或设备故障时,流量切换到slot 2,当故障恢复时,流量再切回。(适用于VNF网关和NGFW网关)
[Device] redundancy group reth
[Device-redundancy-group-reth] member interface Reth1
[Device-redundancy-group-reth] member interface Reth2
[Device-redundancy-group-reth] member interface Reth999
[Device-redundancy-group-reth] node 1
[Device-redundancy-group-right-node1] bind slot 1
[Device-redundancy-group-right-node1] priority 100
[Device-redundancy-group-right-node1] track 1 interface GigabitEthernet1/1/0
[Device-redundancy-group-right-node1] track 2 interface GigabitEthernet1/4/0
[Device-redundancy-group-right-node1] track 3 interface GigabitEthernet1/5/0
[Device-redundancy-group-right-node1] quit
[Device-redundancy-group-reth] node 2
[Device-redundancy-group-right-node2] bind slot 2
[Device-redundancy-group-right-node2] priority 80
[Device-redundancy-group-right-node2] track 4 interface GigabitEthernet2/1/0
[Device-redundancy-group-right-node2] track 5 interface GigabitEthernet2/4/0
[Device-redundancy-group-right-node2] track 6 interface GigabitEthernet2/5/0
· 冗余组添加各冗余接口作为成员接口。创建Node 1,为主节点,绑定IRF中成员设备slot 1,关联Track项1和2;创建Node 2,为备节点,绑定IRF中的成员设备slot 2,关联Track项3和4。当slot 1的下行链路、管理链路或设备故障时,流量切换到slot 2,当故障恢复时,流量再切回。(适用于服务链模式vFW和服务链模式vLB)
[Device] redundancy group reth
[Device-redundancy-group-reth] member interface Reth999
[Device-redundancy-group-reth] member interface Reth2
[Device-redundancy-group-reth] node 1
[Device-redundancy-group-right-node1] bind slot 1
[Device-redundancy-group-right-node1] priority 100
[Device-redundancy-group-right-node1] track 1 interface GigabitEthernet1/1/0
[Device-redundancy-group-right-node1] track 2 interface GigabitEthernet1/4/0
[Device-redundancy-group-right-node1] quit
[Device-redundancy-group-reth] node 2
[Device-redundancy-group-right-node2] bind slot 2
[Device-redundancy-group-right-node2] priority 80
[Device-redundancy-group-right-node2] track 3 interface GigabitEthernet2/1/0
[Device-redundancy-group-right-node2] track 4 interface GigabitEthernet2/4/0
当虚拟设备工作在IRF模式时,需要在两个虚拟设备上都配置双机热备的相关功能。
(1) 开启会话双机热备功能(适用于vFW、vLB、VNF网关和NGFW网关)
[Device] session synchronization enable
(2) 开启NAT双机热备功能(适用于VNF网关和NGFW网关)
[Device] nat port-block synchronization enable
(3) 开启IPsec双机热备功能(适用于VNF网关和NGFW网关)
[Device] ipsec redundancy enable
虚服务器是负载均衡设备上面向用户业务的虚拟载体,只有匹配上虚服务器的报文才需要进行负载均衡处理。创建Loopback 127,该接口作为虚服务器的IP地址所在接口。SeerEngine-DC界面上配置的虚服务器IP地址将自动下发到该接口。(适用于vLB)
[Device] interface LoopBack 127
Loopback 127接口已被预留作为虚服务器IP所在接口,该接口不可再用于其他用途。
有些防火墙(例如通过VNF Manager创建的vFW或通过NGFW Manager在M9K设备上虚拟出来的vFW)默认丢弃未匹配安全策略的报文,这样可能导致Underlay网络或管理网不通。通过把放行报文的接口加入到SDN默认安全域,并配置域内接口间报文默认动作为permit和域间策略的处理动作为pass,可放行Underlay数据链路报文和管理报文,实现网络互通。
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] Object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
· SDN_ZONE_DEFAULT安全域已被预留作为SDN默认放行域,该安全域不可再用于其他用途。
· SDN_POLICY_DEFAULT对象策略已被预留作为SDN默认放行策略,该对象策略不可再用于其他用途。
配置AC侧接口。接入设备上连接VM或物理服务器的接口称为AC侧接口(以Ten-GigabitEthernet2/0/5:1为例)。为了在SeerEngine-DC上显示并控制AC侧接口,必须在接入设备上配置以下命令:
[Device] interface Ten-GigabitEthernet2/0/5
[Device-Ten-GigabitEthernet2/0/5] vtep access port
由于产品芯片(例如S12500-X的F系列芯片)限制,在创建除VLAN接口外的其它类型三层接口/子接口前或配置需要使用三层接口硬件资源的特性前,需要先配置本功能预留VLAN接口资源。
当VXLAN隧道工作在三层转发模式时,在VSI视图创建VXLAN前,需要先配置全局类型VLAN接口资源预留。每创建一个VXLAN,需要预留一个全局类型VLAN接口资源。
<Sysname> system-view
[Sysname] reserve-vlan-interface 3400 to 3500 global
当用户的组网方案中使用服务网关组时,需配置服务网关组的成员设备连接安全设备(例如防火墙、负载均衡器)的所有物理接口(以接口GigabitEthernet11/0/13为例)加入同一个VLAN,以保证成员设备与安全设备二层互通。
[Device] interface GigabitEthernet 11/0/13
[Device-GigabitEthernet11/0/13] port link-mode bridge
[Device-GigabitEthernet11/0/13] port link-type trunk
[Device-GigabitEthernet11/0/13] port trunk permit vlan all
当从物理安全设备虚拟出来的防火墙资源(即Context)需部署DPI各业务(例如:IPS、防病毒、URL过滤等)时,需在物理安全设备上执行命令激活设备的DPI功能,否则SeerEngine-DC不能向该设备上的Context成功下发DPI各业务配置。
[Device] inspect activate
当设备为IRF模式时,需要配置IRF桥MAC永久保留。进行该配置后,无论IRF桥MAC拥有者是否离开IRF,IRF桥MAC始终保持不变,保证业务正常运行。
[Device] irf mac-address persistent always
对于安全纳管组网的服务网关,可通过配置Track和NQA联动探测静态路由的有效性,实现主备静态路由的自动切换。
创建并配置ICMP-echo类型的NQA测试组(管理员为admin,操作标签为test1)。
[Device] nqa entry admin test1
[Device-nqa-test-test] type icmp-echo
[Device-nqa-test-test-icmp-echo] destination ip 10.2.2.2
[Device-nqa-test-test-icmp-echo] frequency 1000
[Device-nqa-test-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trap-only
[Device-nqa-test-test-icmp-echo] vpn-instance external_vpn_22
[Device-nqa-test-test-icmp-echo] quit
[Device] nqa schedule test test start-time now lifetime forever
配置Track与NQA联动。
[Device] track 1 nqa entry admin test reaction 1
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] quit
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0/1] ospf 10 area 0
[Device-GigabitEthernet1/0/1] quit
[Device] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] quit
[Device] interface GigabitEthernet 2/0/1
[Device-GigabitEthernet2/0/1] ip address 111.0.9.126 255.255.0.0
[Device-GigabitEthernet2/0/1] mtu 9216
[Device-GigabitEthernet2/0/1] ospf 1 area 0
[Device-GigabitEthernet2/0/1] ospf cost 1
通过VNF Manager或NGFW Manager创建指定类型的设备时,SeerEngine-DC会根据设备引用的模板类型不同向设备下发不同的预配置。用户可根据本章了解SeerEngine-DC下发了哪些预配置。
本章节介绍的预配置只是设备要实现功能的最简配置,根据用户配置模板时使用的接口不同,下发的预配置可能不同。
ip vpn-instance external_vpn
interface GigabitEthernet 3/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 3/0.2 priority 100
ip binding vpn-instance external_vpn
ospf 1
ospf 10
interface LoopBack 0
ospf 10 area 0
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
session synchronization enable
nat port-block synchronization enable
ipsec redundancy enable
ip vpn-instance external_vpn
interface GigabitEthernet 1/5/0.2
vlan-type dot1q vid 2
interface GigabitEthernet 2/5/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 1/5/0.2 priority 100
member interface GigabitEthernet 2/5/0.2 priority 80
ip binding vpn-instance external_vpn
interface Reth2
member interface GigabitEthernet 1/4/0 priority 100
member interface GigabitEthernet 2/4/0 priority 80
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
redundancy group reth
preempt-delay 0
member interface Reth1
member interface Reth2
member interface Reth999
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
node 2
bind slot 2
priority 80
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
ospf 1
non-stop-routing
interface Reth2
ospf 1 area 0
interface LoopBack 1
ospf 1 area 0
interface LoopBack 127
interface Reth 2
mtu 9216
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
interface Reth2
member interface GigabitEthernet 1/4/0 priority 100
member interface GigabitEthernet 2/4/0 priority 80
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
redundancy group reth
preempt-delay 0
member interface Reth2
member interface Reth999
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
node 2
bind slot 2
priority 80
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
ospf 1
non-stop-routing
interface Reth2
ospf 1 area 0
interface LoopBack 1
ospf 1 area 0
interface Reth2
mtu 9216
security-zone name SDN_ZONE_DEFAULT
import interface Reth2
import interface Reth999
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
interface Reth2
member interface GigabitEthernet 1/4/0 priority 100
member interface GigabitEthernet 2/4/0 priority 80
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
redundancy group reth
preempt-delay 0
member interface Reth2
member interface Reth999
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
node 2
bind slot 2
priority 80
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
ospf 1
non-stop-routing
interface Reth2
ospf 1 area 0
interface LoopBack 1
ospf 1 area 0
interface LoopBack 127
interface Reth2
mtu 9216
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
interface LoopBack 127
session synchronization enable
ip vpn-instance external_vpn
interface GigabitEthernet 3/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 3/0.2 priority 100
ip binding vpn-instance external_vpn
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
import interface GigabitEthernet3/0
import interface GigabitEthernet3/0.2
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
nat port-block synchronization enable
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
ipsec redundancy enable
nat port-block synchronization enable
ip vpn-instance external_vpn
ospf 1 vpn-instance external_vpn
import-route direct
import-route static
area 0.0.0.0
interface LoopBack2
ip binding vpn-instance external_vpn
interface Ten-GigabitEthernet2/0/4
description internal
interface Ten-GigabitEthernet2/0/9
description external
ip binding vpn-instance external_vpn
ospf 1 area 0.0.0.0
interface Ten-GigabitEthernet2/0/15
description management
security-zone name SEC_ZONE_DEFAULT
import interface Ten-GigabitEthernet2/0/15
object-policy ip SEC_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SEC_POLICY_DEFAULT
ip route-static 0.0.0.0 0 192.168.67.254
session synchronization enable
nat port-block synchronization enable
session synchronization http
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface LoopBack 127
session synchronization enable
nat port-block synchronization enable
session synchronization http
interface LoopBack127
interface GigabitEthernet1/0/1
description management
interface Ten-GigabitEthernet1/0/26
description internal
interface Ten-GigabitEthernet1/0/27
description external
ip route-static 0.0.0.0 0 192.168.67.254
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device]interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ip address 21.0.6.126 255.255.255.255
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] Object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] interface LoopBack 127
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ip vpn-instance external_vpn
[Device] interface GigabitEthernet 3/0.2
[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet3/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100
[Device-Reth1] ip binding vpn-instance external_vpn
[Device-Reth1] quit
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] Object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ip vpn-instance external_vpn
[Device] interface GigabitEthernet 3/0.2
[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet3/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100
[Device-Reth1] ip binding vpn-instance external_vpn
[Device-Reth1] quit
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
配置设备管理接口IP地址,并配置该地址与SeerEngine-DC的IP地址路由互通,具体配置略。
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!
支持
