I. Requirements and Implementation
1. Dual WAN: two broadband access links, with VRRP+BFD providing link redundancy;
2. Remote management of the IDC server room and login restriction: build the VPN with PPTP + FreeRADIUS + MySQL, allow dial-up authentication only from specified subnets or IPs, and write a script that checks for unauthorized user logins on the IDC servers;
3. Internal VLAN division: aids security management, per-IP traffic splitting and bandwidth limiting;
4. Internal network monitoring: implemented with NTOP, Cacti, etc.;
5. IDC server monitoring: implemented with Zabbix, Snort and scripts;
6. Per-user bandwidth rate limiting: configure traffic shaping on the switch to rate-limit internal IPs; (use with caution)
7. Guest access control: requires access-layer devices that support QoS and 802.1X (not considered for now)
II. Analysis of Key Requirements
1. Dual WAN
A. RouterA and RouterB each dial up and connect directly to the Internet, avoiding the policy routing that would be needed if one device carried both links;
B. Under normal conditions, web browsing, email, video and core business traffic can be split across the links; when one device or link goes down, traffic fails over quickly to the healthy device and link;
C. Internet traffic of different departments can be split across links;
2. Remote management of the IDC server room and login restriction
A. Move from the previous Intranet VPN (gateway-to-gateway) to an Access VPN (remote-access VPN: client-to-gateway);
B. Move VPN user authentication to a RADIUS server, which improves security and saves the router's limited memory;
C. Record each VPN user's login time and bytes transferred, giving per-user statistics;
D. Use MySQL to add, delete, query and update users, and to record Chinese names and other information
3. Internal VLAN division
A. Makes it easier to restrict, on the RADIUS server, which IPs may log in to the IDC;
B. Split IP traffic by subnet and send each department's Internet traffic over its own link;
C. Limit bandwidth for specified subnets;
4. Internal network monitoring
A. Ntop monitors user traffic behaviour;
B. Cacti is mainly used to remotely monitor IDC server traffic;
5. IDC server monitoring
A. Moving the Zabbix server into the IDC reduces false alarms caused by network instability;
6. Per-user bandwidth rate limiting
A. Traffic-queue shaping rate limits: because the IP output rate is capped at the configured value, once the queue is full any packets that cannot be buffered are dropped, so users see failed or stalling Internet access (not recommended)
III. Topology, Device Selection and IP Planning
Device selection and IP planning omitted
IV. Implementation
Two parts: part one uses VRRP+BFD for dual-link switchover; part two uses PPTP+MySQL+FreeRADIUS to implement a bastion host for access to the IDC
Part one: dual-link internal VRRP+BFD
Configured according to the topology; the configuration files are as follows:
R1, connected to the China Mobile link
sysname R1
#
dns proxy enable
#
vlan batch 100 200
#
dhcp enable
#
bfd
#
pki realm default
 enrollment self-signed
#
acl number 2001
 rule 0 permit source 0.0.0.0 255.255.255.0
#
acl number 3100
 rule 5 permit ip
#
traffic classifier 0 operator or
 if-match acl 3100
#
traffic behavior 0
 redirect ip-nexthop 192.168.200.253 track nqa internet icmp    ##### redirect tracked by the NQA probe; the next hop is R2's Ethernet0/0/0 address
#
traffic policy 0
 classifier 0 behavior 0
#
ip pool 1    #### LAN address pool; note the gateway-list
 gateway-list 192.168.1.2
 network 192.168.1.0 mask 255.255.255.0
 excluded-ip-address 192.168.1.3 192.168.1.30
 excluded-ip-address 192.168.1.220 192.168.1.254
 dns-list 114.114.114.114 8.8.8.8
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@G6`zGlcNl)NORWIru%]F)C_b%@%@
 local-user admin service-type telnet http
#
firewall zone Local
 priority 16
#
interface Vlanif1
#
interface Vlanif100    ########## two VRRP groups so the downstream switch load-balances its upstream traffic across both routers
 ip address 192.168.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.1
 vrrp vrid 1 priority 90
 vrrp vrid 1 track bfd-session 20 increased 20
 vrrp vrid 2 virtual-ip 192.168.1.2
 vrrp vrid 2 track bfd-session 20 reduced 20
 traffic-policy 0 inbound    #### selects the ISP link for traffic entering this router
 dhcp select global
#
interface Vlanif200
#
interface Ethernet0/0/0
 undo portswitch
 ip address 192.168.200.254 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
 ip address 183.239.175.146 255.255.255.252
#
interface Cellular0/0/0
#
interface NULL0
#
bfd vrrp bind peer-ip 192.168.1.254 interface Vlanif100    #### BFD detection; "display bfd" shows the session state
 discriminator local 20
 discriminator remote 10
 commit
#
snmp-agent local-engineid 800007DB03E0247F03BDEC
#
ip route-static 0.0.0.0 0.0.0.0 183.239.175.145
ip route-static XXX.XXX.XXX.XXX 255.255.255.0 192.168.200.253    ##### XXXX is the IP network R2 obtains on the second link
#
nqa test-instance internet icmp    #### NQA probe; XXXX is the peer address of R2's WAN port
 test-type icmp
 destination-address ipv4 XXX.XXXX.XXXX.XXX
 frequency 12
 timeout 1
 start now
R2, connected to the China Mobile link
sysname R2
#
dns proxy enable
#
vlan batch 100 200
#
dhcp enable
#
bfd
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
acl number 2001
 rule 0 permit source 192.168.1.0 0.0.0.255
#
acl number 3100
 rule 5 permit ip
#
traffic classifier 0 operator or
 if-match acl 3100
#
traffic behavior 0
 redirect ip-nexthop 192.168.200.254 track nqa internet icmp
#
traffic policy 0
 classifier 0 behavior 0
#
ip pool 1
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
 excluded-ip-address 192.168.1.3 192.168.1.30
 excluded-ip-address 192.168.1.220 192.168.1.254
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@4Rn(:Ke5,~Q5i9-@Zer5)PIb%@%@
 local-user admin privilege level 15
 local-user admin service-type telnet http
#
firewall zone Local
 priority 16
#
interface Dialer1    ###### R2's link is dial-up ADSL, so configure the dialer
 link-protocol ppp
 ppp pap local-user SZFTTH1224904088 password simple 123456
 ppp ipcp dns admit-any
 ppp ipcp dns request
 mtu 1492
 ip address ppp-negotiate
 dialer user SZFTTH1224904088
 dialer bundle 1
 dialer-group 1
 nat outbound 2001
#
interface Vlanif1
#
interface Vlanif100
 ip address 192.168.1.254 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.1
 vrrp vrid 1 track bfd-session 10 reduced 20
 vrrp vrid 2 virtual-ip 192.168.1.2
 vrrp vrid 2 priority 90
 vrrp vrid 2 track bfd-session 10 increased 20
 traffic-policy 0 inbound
 dhcp select global
#
interface Vlanif200
#
interface Ethernet0/0/0
 undo portswitch
 ip address 192.168.200.253 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
 pppoe-client dial-bundle-number 1
#
interface Cellular0/0/0
#
interface NULL0
#
dialer-rule
 dialer-rule 1 ip permit
#
bfd vrrp bind peer-ip 192.168.1.253 interface Vlanif100
 discriminator local 10
 discriminator remote 20
 commit
#
snmp-agent local-engineid 800007DB03E09796A46BBE
#
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static XXXX.XXXX.XXX.XXX 255.255.255.252 192.168.200.254
#
nqa test-instance internet icmp
 test-type icmp
 destination-address ipv4 XXX.XXXX.XXX.XXX
 frequency 12
 timeout 1
 start now
#
Downstream switch
#
interface Vlanif100
 ip address 192.168.1.252 255.255.255.0
#
interface Ethernet0/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
The above implements dual-link switchover. Test the result yourself by shutting down a port or link, then use display bfd, display nqa, display vrrp and display ip routing-table to check the configuration and troubleshoot step by step.
The next post covers the PPTP+MySQL+FreeRADIUS IDC bastion host part
Original article by handsomeyoleen@qq.com; if reposting, please credit the source: http://www.178linux.com/35905
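As an added example (not part of the original post), the check below turns the design above into an audit: R2 must be Master for VRID 1 and R1 Master for VRID 2, and each router's VRRP-bound BFD session (R1 local 20 / remote 10, R2 local 10 / remote 20) must be Up. The sample outputs are constructed and only mimic the column layout of display vrrp brief and display bfd session all; the regexes are an assumption and should be adjusted to the real output of your VRP version.

```python
import re

# Expected steady state from the configs: R2 (priority 100 on VRID 1) owns 192.168.1.1,
# R1 (priority 100 on VRID 2) owns 192.168.1.2. BFD tuple = (local, remote, peer-ip).
EXPECTED = {
    "R1": {"vrrp": {1: "Backup", 2: "Master"}, "bfd": (20, 10, "192.168.1.254")},
    "R2": {"vrrp": {1: "Master", 2: "Backup"}, "bfd": (10, 20, "192.168.1.253")},
}

# Assumed column layout: "VRID State ..." and "Local Remote PeerIpAddr State ...".
VRRP_RE = re.compile(r"^\s*(\d+)\s+(Master|Backup|Initialize)\b", re.M)
BFD_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(Up|Down)\b", re.M)

def parse_vrrp(text):
    """Map VRID -> state from 'display vrrp brief'-style output."""
    return {int(m.group(1)): m.group(2) for m in VRRP_RE.finditer(text)}

def parse_bfd(text):
    """Map (local, remote) discriminators -> (peer-ip, state) from 'display bfd session all'-style output."""
    return {(int(m.group(1)), int(m.group(2))): (m.group(3), m.group(4))
            for m in BFD_RE.finditer(text)}

def audit(router, vrrp_text, bfd_text):
    """Compare live state with the design; return a list of problems (empty means healthy)."""
    exp = EXPECTED[router]
    problems = []
    vrrp = parse_vrrp(vrrp_text)
    for vrid, want in exp["vrrp"].items():
        got = vrrp.get(vrid, "missing")
        if got != want:
            problems.append(f"{router}: VRID {vrid} is {got}, expected {want}")
    local, remote, peer = exp["bfd"]
    sess = parse_bfd(bfd_text).get((local, remote))
    if sess is None:
        problems.append(f"{router}: BFD session local {local}/remote {remote} not found")
    elif sess != (peer, "Up"):
        problems.append(f"{router}: BFD session to {peer} is {sess[1]}")
    return problems

# Constructed sample output (not captured from the page's devices).
R2_VRRP = "VRID  State   Interface  Type    Virtual IP\n1     Master  Vlanif100  Normal  192.168.1.1\n2     Backup  Vlanif100  Normal  192.168.1.2\n"
R2_BFD = "Local Remote PeerIpAddr     State Type     InterfaceName\n10    20     192.168.1.253  Up    S_IP_IF  Vlanif100\n"
# R1 after its peer BFD session dropped: both groups show Backup, so 192.168.1.2 has no owner.
R1_VRRP = "VRID  State   Interface  Type    Virtual IP\n1     Backup  Vlanif100  Normal  192.168.1.1\n2     Backup  Vlanif100  Normal  192.168.1.2\n"
R1_BFD = "Local Remote PeerIpAddr     State Type     InterfaceName\n20    10     192.168.1.254  Down  S_IP_IF  Vlanif100\n"

if __name__ == "__main__":
    for name, v, b in (("R2", R2_VRRP, R2_BFD), ("R1", R1_VRRP, R1_BFD)):
        print(name, audit(name, v, b) or "healthy")
```

Feeding the real command output (for example collected over SSH on a schedule) to audit() gives a simple alert when a failover has silently left a virtual IP without a master.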