構建高可用性網絡

關于本地主機的配置

硬盤技術：

硬盤上的特殊分區，swap

首先，swap的存在是為了擬補虛擬內存的不足而出現的，有叫交換分區，它的作用是將那些內存中有而卻不長用的一些數據保存到硬盤的一塊分區上去，在系統需要的時候再把它調用出來，注意，他只有在系統出現提示增加swap的時候增加，才有必要加，只是改善系統內存的一個小的方法

raid ；廉價的磁盤冗余陣列，它是通過一些軟件或硬件上的技術將多個較小的磁盤整合為一個較大的磁盤設備，但這功能并不僅僅是存儲，還具有提高讀寫速度和數據保護的功能

在windows中也有類似的功能，他們的名稱分別叫簡單卷，跨區卷，帶區卷，鏡像卷，以及raid5

而在Linux下，則有line(線性增長)raid0相當于帶區卷，raid1相當于鏡像卷，raid5依然是raid5，另外還可以實現raid6和raid10

raid的實現

基于硬件設備，有專門的raid卡，缺點是價格較昂貴，所以很多操作系統上就出現了軟raid的工能，也就是同過軟件來模擬出raid的功能，在Linux中是通過叫md(多設備)的驅動來實現的，同時他也是用戶空間中的一種工具，叫mdadm，

首先line，它是沒有速度和冗余方面的工能的

raid0(windows叫帶區卷)，它的要求是硬件的存儲設備數量在2-32之間，最少2個，最多32個，特點是將數據在寫入之前來拆分成若干等分，比如64k，然后分別寫入不同的磁盤，優點是讀取和寫入的速度都相當快，主要帶來效率上的提高，缺點是沒有冗余能力，而且必須保證每個成員的高可用性，因為其中某一塊壞掉的話，會導致整個數據的無法讀取

raid1(windows叫鏡像卷)，它的主要特點是具備冗余能力，它的實現主要是靠多塊設備數據的互為備份，所以又叫鏡像，成員要求最少要有兩個，沒有上限。缺點是讀寫的效率一般，磁盤的實際使用率只有50%

raid5，在widows環境下成員要求最少要有三個，最多是32個，而Linux中支持的具體數量要看內核版本的型號而定,。它的主要原理是在raid1的基礎上寫數據的時候在若干塊(n塊)的磁盤中間隨機的選擇一塊出來用來存放校驗值，該校驗的主要功能是在若干的磁盤中間讀寫數據時利用某一種算法來檢測數據的完整性，而計算的值就放在那些若干(n塊)中的一塊。從邏輯上看，校驗要占用磁盤中單獨一個個體的容量，因此它的磁盤使用率為n-1/n，因為寫入時要計算校驗值，所以寫的速率一般，而讀的效率在沒有故障時卻非常高，當出現一塊壞掉的時候讀的效率會很低(因為計算校驗的緣故),而且raid僅允許出現一塊有故障的，raid5有冗余能力

raid6，它要求在陣列中要有兩塊用做校驗用，因此，raid6的磁盤數最少也要4塊，它是在raid5的基礎上增加了一塊校驗磁盤

raid1-0，該技術是raid1和raid0的結合，將具有快速讀取能力的raid0作為基礎，然后在此基礎上分別把他們看作raid1的兩塊磁盤進行鏡像操作

實現：

安裝mdadm

mdadm的主要參數，-A 集結或裝配模式

-C 創建一個新的陣列

-B 構建一個沒有超級塊的陣列

-F follow or monitor 監控模式

-G ?增長模式

-I，自動增長的裝配模式

-M 管理模式

-L 指定level級別

-N 指定名字

vrrp網絡的搭建，網絡設備拓撲結構如圖所示

sw6的配置步驟大致如下：

劃分VLAN，然后將端口加入VLAN，在相應接口配置trunk，

%Apr ?1 23:58:48:637 2000 Quidway SHELL/5/LOGIN:- 1 - Console(aux0) in unit1 login

sys

system-view

System View: return to User View with Ctrl+Z.

[Quidway]sysname sw6

[sw6]vlan 10

[sw6-vlan10]port e1/0/10

[sw6-vlan10]port e1/0/10

[sw6-vlan10]vlan 20

[sw6-vlan20]port e1/0/20

[sw6-vlan20]int e1/0/1

[sw6-Ethernet1/0/1]port link-type trunk

[sw6-Ethernet1/0/1]port trunk permit vlan all

Please wait........................................... Done.

[sw6-Ethernet1/0/1]dis vlan

The following VLANs exist:

1(default), 10, 20

[sw6-Ethernet1/0/1]int e1/0/24

[sw6-Ethernet1/0/24]port l

[sw6-Ethernet1/0/24]port link-type trunk

[sw6-Ethernet1/0/24]port trunk per

[sw6-Ethernet1/0/24]port trunk permit vlan all

Please wait........................................... Done.

[sw6-Ethernet1/0/24]q

[sw6]

sw8配置與sw6大致相同：

%Apr ?2 00:04:25 2000 Quidway SHELL/5/LOGIN: Console login from Aux0/0

sys

system-view

Enter system view, return to user view with Ctrl+Z.

[Quidway]sysname sw8

[sw8]vlan 10

[sw8-vlan10]

[sw8-vlan10]port eth0/10

[sw8-vlan10]vlan 20

[sw8-vlan20]port eth0/20

[sw8-vlan20]int eth0/1

[sw8-Ethernet0/1]port link-

[sw8-Ethernet0/1]port link-type trunk

[sw8-Ethernet0/1]port trunk per

[sw8-Ethernet0/1]port trunk permit vlan all

Please wait........................................... Done.

[sw8-Ethernet0/1]int eth0/24

[sw8-Ethernet0/24]port link-t

[sw8-Ethernet0/24]port link-type trunk

[sw8-Ethernet0/24]port trunk permit vlan all

Please wait........................................... Done.

[sw8-Ethernet0/24]

路由器r3配置大致有：配置e0口的3.3.3.3 /24地址，配置s0口地址1.1.1.1 /24 ，(一定要先打標簽再配地址) 配置s1口地址1.1.2.1 /24 ，然后復位操作，因其主要模擬廣域網，所以主要起承接作用，

[Router]

[Router]sysname r3

[r3]int e0

[r3-Ethernet0]ip add 3.3.3.3 24

[r3-Ethernet0]loopback

Ethernet0 running on loopback mode

[r3-Ethernet0]

%01:24:13: Interface Ethernet0 is UP

%01:24:13: Line protocol ip on the interface Ethernet0 is UP

[r3-Ethernet0]int s0

[r3-Serial0]ip add 1.1.1.1 24

[r3-Serial0]

%01:27:01: Line protocol ip on the interface Serial0 is UP

[r3-Serial0]shut

% Interface Serial0 is down

[r3-Serial0]

%01:27:10: Interface Serial0 is DOWN

[r3-Serial0]undo shut

% Interface Serial0 is reset

[r3-Serial0]

%01:27:18: Interface Serial0 is UP

[r3-Serial0]int s1

[r3-Serial1]ip add 1.1.2.1 24

[r3-Serial1]

%01:27:48: Line protocol ip on the interface Serial1 is UP

[r3-Serial1]shut

% Interface Serial1 is down

[r3-Serial1]

%01:27:57: Interface Serial1 is DOWN

[r3-Serial1]undo shut

% Interface Serial1 is reset

[r3-Serial1]

%01:28:08: Interface Serial1 is UP

[r3-Serial1]

[r3-Serial1]

r1路由的主要配置有：拆分子接口，配置單臂路由，添加默認路由1.1.1.1 ，物理接口配置地址，然后做pat ,先做acl列表篩選，然后做nat地址池，然后將地址池(或接口，直接寫借口名稱)映射到相應接口上，接著再在接口(子接口)上配置vrrp協議的有關內容(vrid和vrip以及優先級)

[Router]sysname r1

[r1]int s0

[r1-Serial0]ip add 1.1.1.2 24

[r1-Serial0]

%01:29:18: Line protocol ip on the interface Serial0 is UP

[r1-Serial0]shut

% Interface Serial0 is shut down

[r1-Serial0]

%01:29:23: Interface Serial0 is DOWN

[r1-Serial0]undo shut

% Interface Serial0 is reset

[r1-Serial0]

%01:29:33: Interface Serial0 is UP

%01:29:33: Line protocol ip on the interface Serial0 is UP

[r1-Serial0]int e0.1

[r1-Ethernet0.1]vlan-type dot1q vid 10

[r1-Ethernet0.1]ip add 192.168.10.1 24

[r1-Ethernet0.1]

%01:31:37: Line protocol ip on the interface Ethernet0.1 is UP

[r1-Ethernet0.1]int e0.2

[r1-Ethernet0.2]vlan-type dot1q vid 20

[r1-Ethernet0.2]ip add 192.168.20.1 24

[r1-Ethernet0.2]

%01:32:41: Line protocol ip on the interface Ethernet0.2 is UP

[r1-Ethernet0.2]quit

[r1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

[r1]ping 3.3.3.3

PING 3.3.3.3: 56 ?data bytes, press CTRL_C to break

Reply from 3.3.3.3: bytes=56 Sequence=0 ttl=255 time = 25 ms

Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time = 25 ms

Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time = 25 ms

Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time = 25 ms

Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time = 25 ms

--- 3.3.3.3 ping statistics ---

5 packets transmitted

5 packets received

0.00% packet loss

round-trip min/avg/max = 25/25/25 ms

[r1]acl 2000 match-order auto

[r1-acl-2000]rule permit source any

Rule has been added to normal packet-filtering rules

[r1-acl-2000]quit

[r1]nat address-group 1.1.1.3 1.1.1.9 wewe

[r1]int s0

[r1-Serial0]

[r1-Serial0]nat outbound 2000 address-group wewe

[r1-Serial0]quit

[r1]vrrp ping-enable

ping vrrp ?enable

[r1]int e0.1

[r1-Ethernet0.1]

[r1-Ethernet0.1]vrrp vrid 10 virtual-ip 192.168.10.254

[r1-Ethernet0.1]vrrp vrid 10 priority 120

[r1-Ethernet0.1]vrrp vrid 10 track s0 reduced 30

[r1-Ethernet0.1]int e0.2

[r1-Ethernet0.2]vrrp vrid 20 virtual-ip 192.168.20.254

[r1-Ethernet0.2]quit

[r1]

r2的配置與r1大致相同，不同之處是要將20.0網段所在的接口設為主接口，給予高的優先級，并設置自動收縮和自動搶占(默認已開啟)，將10.0所在子接口設為備份接口，(10.0主接口在r1上)

[Router]

[Router]

%01:28:06: Interface Serial1 is DOWN

%01:28:11: Interface Serial1 is UP

[Router]sysname r2

[r2]int s1

[r2-Serial1]ip add 1.1.2.2 24

[r2-Serial1]

%01:55:26: Line protocol ip on the interface Serial1 is UP

[r2-Serial1]shut

% Interface Serial1 is down

[r2-Serial1]

%01:55:31: Interface Serial1 is DOWN

[r2-Serial1]undo shut

% Interface Serial1 is reset

[r2]vrrp ping-enable

ping vrrp ?enable

[r2]int s1

[r2-Serial1]

%01:55:41: Interface Serial1 is UP

%01:55:41: Line protocol ip on the interface Serial1 is UP

[r2-Serial1]int e0.1

[r2-Ethernet0.1]vlan-type dot1q vid 10

[r2-Ethernet0.1]ip add 192.168.10.2 24

[r2-Ethernet0.1]

%01:57:55: Line protocol ip on the interface Ethernet0.1 is UP

[r2-Ethernet0.1]int e0.2

[r2-Ethernet0.2]vlan-type dot1q vid 20

[r2-Ethernet0.2]ip add 192.168.20.2 24

[r2-Ethernet0.2]

%01:58:48: Line protocol ip on the interface Ethernet0.2 is UP

[r2-Ethernet0.2]quit

[r2]ip route-static 0.0.0.0 0.0.0.0 1.1.2.1

[r2]acl 2000 match-order auto

[r2-acl-2000]rule permit source any

Rule has been added to normal packet-filtering rules

[r2-acl-2000]quit

[r2]nat address-group 1.1.2.6 1.1.2.9 wewe

[r2]int s1

[r2-Serial1]nat outbound 2000 address-group wewe

[r2-Serial1]quit

[r2]vrrp ping-enable

ping vrrp ?enable

[r2]int e0.1

[r2-Ethernet0.1]

[r2-Ethernet0.1]vrrp vrid 10 virtual-ip 192.168.10.254

[r2-Ethernet0.1]int e0.2

[r2-Ethernet0.2]vrrp vrid 20 virtual-ip 192.168.20.254

[r2-Ethernet0.2]vrrp vrid 20 priority 120

[r2-Ethernet0.2]vrrp vrid 20 track s1 reduced 30

[r2]ping 3.3.3.3

PING 3.3.3.3: 56 ?data bytes, press CTRL_C to break

Reply from 3.3.3.3: bytes=56 Sequence=0 ttl=255 time = 26 ms

Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time = 25 ms

Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time = 26 ms

Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time = 25 ms

Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time = 25 ms

--- 3.3.3.3 ping statistics ---

5 packets transmitted

5 packets received

0.00% packet loss

round-trip min/avg/max = 25/25/26 ms

測試階段，方法，阻塞端口，查看兩邊端口的角色變化，兩邊設備鏈路應該互為備份，在冗余條件下達到兩路的高可用性

[r2]dis vrrp

Ethernet0.2 | Virtual Router 20

state : Master

Virtual IP : 192.168.20.254

Priority : 120

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Track IF : Serial1 ? Priority reduced : 30

Ethernet0.1 | Virtual Router 10

state : Backup

Virtual IP : 192.168.10.254

Priority : 100

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

[r2]int s1

[r2-Serial1]shut

% Interface Serial1 is down

[r2-Serial1]

%02:26:49: Interface Serial1 is DOWN

[r2-Serial1]dis vrrp

Ethernet0.2 | Virtual Router 20

state : Backup

Virtual IP : 192.168.20.254

Priority : 90

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Track IF : Serial1 ? Priority reduced : 30

Ethernet0.1 | Virtual Router 10

state : Backup

Virtual IP : 192.168.10.254

Priority : 100

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

[r1]dis vrrp

Ethernet0.2 | Virtual Router 20

state : Master

Virtual IP : 192.168.20.254

Priority : 100

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Ethernet0.1 | Virtual Router 10

state : Master

Virtual IP : 192.168.10.254

Priority : 120

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Track IF : Serial0 ? Priority reduced : 30

[r1]int s0

[r1-Serial0]shut

% Interface Serial0 is shut down

[r1-Serial0]

%02:32:38: Interface Serial0 is DOWN

%02:32:38: Line protocol ip on the interface Serial0 is DOWN

[r2-Serial1]dis vrrp

Ethernet0.2 | Virtual Router 20

state : Master

Virtual IP : 192.168.20.254

Priority : 120

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Track IF : Serial1 ? Priority reduced : 30

Ethernet0.1 | Virtual Router 10

state : Master

Virtual IP : 192.168.10.254

Priority : 100

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

[r2-Serial1]quit

[r1]dis vrrp

Ethernet0.2 | Virtual Router 20

state : Backup

Virtual IP : 192.168.20.254

Priority : 100

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Ethernet0.1 | Virtual Router 10

state : Backup

Virtual IP : 192.168.10.254

Priority : 90

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Track IF : Serial0 ? Priority reduced : 30

[r1]

[r1]int s0

[r1-Serial0]undo shut

% Interface Serial0 is reset

[r1-Serial0]

[r1-Serial0]

[r1-Serial0]d

%02:42:58: Interface Serial0 is UP

%02:42:58: Line protocol ip on the interface Serial0 is UP

[r1-Serial0]

[r1-Serial0]dis vrrp

Ethernet0.2 | Virtual Router 20

state : Backup

Virtual IP : 192.168.20.254

Priority : 100

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Ethernet0.1 | Virtual Router 10

state : Master

Virtual IP : 192.168.10.254

Priority : 120

Preempt : YES ? Delay Time : 0

Timer : 1

Auth Type : NO

Track IF : Serial0 ? Priority reduced : 30

然后找兩臺主機分別進行測試：

華三，華為設備下構建3A服務器(DHCP服務器加3A認證)

在物理拓撲搭建之前，我們要先搭建我們的DHCP服務器和radius服務器，我們分別以Linux平臺的DHCP服務器和windows的IAS服務器來說一下這兩個服務器的搭建過程

Linux下的DHCP：

具體的搭建步驟可以參考博客： DHCP在企業網中的應用

我們的重點是對DHCP配置文件的改寫及測試，修改內容如下：

修改完確認無語法等錯誤后重啟我們的DHCP服務器

DHCP服務器ip地址

然后在windows server 2003 下安裝配置IAS(AAA)服務器，具體步驟如圖：

如上圖所示，因為我們做的是一個驗證類的服務器所以我們必須要有賬號存在，才能提供給客戶端用于驗證，所以接下來新建用戶，并給予相應的訪問權限，

接下新建radius客戶端，并在客戶端屬性中配置共享密鑰(本例中為123456)，必選擇我們的服務類型為標準，因為我們應用的是EPAOR(EPA的中繼方式)所以客戶端的地址就是我們的交換機(客戶端)ip地址，如圖：

接下來，編輯IAS的遠程訪問安全策略，點擊編輯配置文件，將身份的驗證類型改為PAP(為了實驗方便，我們以不加密(不輸密碼)的PAP為例)

為了實驗的順利進行，建議將主機ip地址(要手動配置)與DHCP和radius服務器設在同一網段接下在我們的pc主機上安裝相應的客戶端登錄軟件，如圖：

然后進行實驗環境的具體搭建階段，拓撲結構內容如圖所示，

所需設備為：H3C secpath-100c防火墻一臺

S2000系列的2403H-HI一臺

%Apr ?2 12:56:19:886 2000 Quidway SHELL/5/LOGIN:- 1 - Console(aux0) in unit1 login

system-view

System View: return to User View with Ctrl+Z.

[Quidway]sysname sw1

[sw1]vlan 10

[sw1-vlan10]port e1/0/10

[sw1-vlan10]vlan 20

[sw1-vlan20]port e1/0/20

[sw1-vlan20]vlan 30

[sw1-vlan30]port e1/0/24

[sw1-vlan30]

[sw1-vlan30]dis cu vlan

# vlan 1# ?vlan 10 ?# vlan 20 ?# ?vlan 30 #

[sw1-vlan30]q

[sw1]int Vlan-interface 1

[sw1-Vlan-interface1]

[sw1-Vlan-interface1]ip add 192.168.2.2 24

[sw1-Vlan-interface1]q

[sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1

[sw1]int e1/0/23

[sw1-Ethernet1/0/23]port ?

access ? ? ? ? ? ?Specify current access port's characteristics

hybrid ? ? ? ? ? ?Specify current hybrid port's characteristics

isolate ? ? ? ? ? Port isolate

link-aggregation ?Link aggregation group

link-type ? ? ? ? Specify port link-type

trunk ? ? ? ? ? ? Specify current trunk port's characteristics

[sw1-Ethernet1/0/23]port link-type trunk

[sw1-Ethernet1/0/23]port trunk permit vlan all

Please wait........................................... Done.

[sw1-Ethernet1/0/23]dis vlan

The following VLANs exist:

1(default), 10, 20, 30

[sw1-Ethernet1/0/23]

[sw1-Ethernet1/0/23]q

[sw1]dot1

[sw1]dot1x ?

authentication-method ?Specify system authentication method

dhcp-launch ? ? ? ? ? ?Trigger system authentication when receiving DHCP

packet(s)

guest-vlan ? ? ? ? ? ? Specify guest vlan configuration information for ports

interface ? ? ? ? ? ? ?Specify interface configuration information

max-user ? ? ? ? ? ? ? Specify maximal on-line user number per port

port-control ? ? ? ? ? Specify port authenticated status

port-method ? ? ? ? ? ?Specify port controlled method

quiet-period ? ? ? ? ? Enable quiet period function

retry ? ? ? ? ? ? ? ? ?Specify maximal request times

retry-version-max ? ? ?Specify maximal request times for version information

supp-proxy-check ? ? ? Check whether user(s) access the networks by proxy or

not

timer ? ? ? ? ? ? ? ? ?Specify timer parameters

version-check ? ? ? ? ?Check the version information of 802.1x supplicant

[sw1]dot1x

802.1X is enabled globally.

[sw1]int e1/0/10

[sw1-Ethernet1/0/10]dot1x ?

guest-vlan ? ? ? ?Specify guest vlan configuration information for ports

max-user ? ? ? ? ?Specify maximal on-line user number per port

port-control ? ? ?Specify port authenticated status

port-method ? ? ? Specify port controlled method

supp-proxy-check ?Check whether user(s) access the networks by proxy or not

version-check ? ? Check the version information of 802.1x supplicant

[sw1-Ethernet1/0/10]dot1x

802.1X is enabled on port Ethernet1/0/10.

[sw1-Ethernet1/0/10]q

[sw1]int e1/0/20

[sw1-Ethernet1/0/20]dot1x

802.1X is enabled on port Ethernet1/0/20.

[sw1-Ethernet1/0/20]q

[sw1]radius scheme ?

STRING<1-32> ?Radius scheme name

創建一個radius方案后接下就是指定方案的具體被容，主要包括以下幾個方面

[sw1]radius scheme wewe

New Radius scheme

[sw1-radius-wewe]?

Radius-template view commands:

accounting ? ? ? ? ? ? ?Specify accounting mode

accounting-on ? ? ? ? ? Accounting-On packet sending mode

data-flow-format ? ? ? ?Specify data flow format

display ? ? ? ? ? ? ? ? Display current system information

key ? ? ? ? ? ? ? ? ? ? Specify the shared encryption key of RADIUS server

nas-ip ? ? ? ? ? ? ? ? ?Specify RADIUS source ip address

ping ? ? ? ? ? ? ? ? ? ?Ping function

primary ? ? ? ? ? ? ? ? Specify IP address of primary RADIUS server

quit ? ? ? ? ? ? ? ? ? ?Exit from current command view

retry ? ? ? ? ? ? ? ? ? Specify retransmission times

return ? ? ? ? ? ? ? ? ?Exit to User View

save ? ? ? ? ? ? ? ? ? ?Save current configuration

secondary ? ? ? ? ? ? ? Specify IP address of secondary RADIUS server

server-type ? ? ? ? ? ? Specify the type of RADIUS server

state ? ? ? ? ? ? ? ? ? Specify state of primary/secondary

authentication/accounting RADIUS server

stop-accounting-buffer ?Enable stop-accounting packet buffer

timer ? ? ? ? ? ? ? ? ? Specify timer parameters

tracert ? ? ? ? ? ? ? ? Trace route function

undo ? ? ? ? ? ? ? ? ? ?Cancel current setting

user-name-format ? ? ? ?Specify user-name format sent to RADIUS server

[sw1-radius-wewe]primary ?

accounting ? ? ?Specify IP address of primary accounting RADIUS server

authentication ?Specify IP address of primary authentication RADIUS server

[sw1-radius-wewe]primary authentication 192.168.1.2

[sw1-radius-wewe]key ?

accounting ? ? ?Specify key for accounting RADIUS server

authentication ?Specify key for authentication RADIUS server

[sw1-radius-wewe]key authentication 123456

[sw1-radius-wewe]server-type standard

[sw1-radius-wewe]user-name-format without-domain

[sw1-radius-wewe]accounting ?

optional ?Optional accounting mode

[sw1-radius-wewe]accounting optional

[sw1-radius-wewe]quit

[sw1]dot1x ?

authentication-method ?Specify system authentication method

dhcp-launch ? ? ? ? ? ?Trigger system authentication when receiving DHCP

packet(s)

guest-vlan ? ? ? ? ? ? Specify guest vlan configuration information for ports

interface ? ? ? ? ? ? ?Specify interface configuration information

max-user ? ? ? ? ? ? ? Specify maximal on-line user number per port

port-control ? ? ? ? ? Specify port authenticated status

port-method ? ? ? ? ? ?Specify port controlled method

quiet-period ? ? ? ? ? Enable quiet period function

retry ? ? ? ? ? ? ? ? ?Specify maximal request times

retry-version-max ? ? ?Specify maximal request times for version information

supp-proxy-check ? ? ? Check whether user(s) access the networks by proxy or

not

timer ? ? ? ? ? ? ? ? ?Specify timer parameters

version-check ? ? ? ? ?Check the version information of 802.1x supplicant

接下來是為連接3A服務器的連接方式設置驗證類型，這的驗證類型必須要和遠端的3A服務器(radius)的撥入驗證所選擇的驗證類型一致，才能連接，如圖：

[sw1]dot1x authentication-method ?

chap ?CHAP(Challenge Handshake Authentication Protocol) authentication

method.It's default.

eap ? EAP(Extensible Authentication Protocol) authentication method(support

eap-tls, eap-md5, peap, eap-ttls)

pap ? PAP(Password Authentication Protocol) authentication method

[sw1]dot1x authentication-method pap

PAP authentication is enabled.

%Jan 13 20:23:32:046 2014 H3C SHELL/4/LOGIN: Console login from con0

sys

System View: return to User View with Ctrl+Z.

[H3C]int eth0/0

[H3C-Ethernet0/0]ip add 192.168.2.1 24

[H3C-Ethernet0/0]int eth0/0.1

[H3C-Ethernet0/0.1]vlan-type dot1q vid 10

[H3C-Ethernet0/0.1]ip add 192.168.10.1 24

[H3C-Ethernet0/0.1]int eth0/0.2

[H3C-Ethernet0/0.2]vlan-type dot1q vid 20

[H3C-Ethernet0/0.2]ip add 192.168.20.1 24

[H3C-Ethernet0/0.2]int eth0/0.3

[H3C-Ethernet0/0.3]vlan-type dot1q vid 30

[H3C-Ethernet0/0.3]ip add 192.168.1.1 24

[H3C-Ethernet0/0.3]

[H3C-Ethernet0/0.3]quit

[H3C-zone-trust]add int eth0/0.1

[H3C-zone-trust]add int eth0/0.2

[H3C-zone-trust]add int eth0/0.3

[H3C-zone-trust]quit

注意在防火墻設備上一定要取消端口隔離，因為在拆分端口的請況下默認自端口之間是相互隔離不通信的

[H3C]undo insulate

[H3C]dhcp enable

DHCP task has already been started!

[H3C]dhcp select relay interface eth0/0.1 to eth0/0.2

[H3C]int eth0/0.1

[H3C-Ethernet0/0.1]ip relay add 192.168.1.188

[H3C-Ethernet0/0.1]int eth0/0.2

[H3C-Ethernet0/0.2]ip relay add 192.168.1.188

[H3C-Ethernet0/0.2]quit

[H3C]

dis ip routing-table

Routing Table: public net

Destination/Mask ? Protocol Pre ?Cost ? ? ? ?Nexthop ? ? ? ? Interface

0.0.0.0/0 ? ? ? ? ?STATIC ? 60 ? 0 ? ? ? ? ? 192.168.2.1 ? ? Vlan-interface1

127.0.0.0/8 ? ? ? ?DIRECT ? 0 ? ?0 ? ? ? ? ? 127.0.0.1 ? ? ? InLoopBack0

127.0.0.1/32 ? ? ? DIRECT ? 0 ? ?0 ? ? ? ? ? 127.0.0.1 ? ? ? InLoopBack0

192.168.2.0/24 ? ? DIRECT ? 0 ? ?0 ? ? ? ? ? 192.168.2.2 ? ? Vlan-interface1

192.168.2.2/32 ? ? DIRECT ? 0 ? ?0 ? ? ? ? ? 127.0.0.1 ? ? ? InLoopBack0

system-view

System View: return to User View with Ctrl+Z.

[sw1]domain tyedu

New Domain added.

[sw1-isp-tyedu]radius-scheme wewe

[sw1-isp-tyedu]accounting optional

[sw1-isp-tyedu]

ping 192.168.10.1

PING 192.168.10.1: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.10.1: bytes=56 Sequence=1 ttl=255 time=5 ms

Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time=6 ms

Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time=4 ms

Reply from 192.168.10.1: bytes=56 Sequence=4 ttl=255 time=4 ms

Reply from 192.168.10.1: bytes=56 Sequence=5 ttl=255 time=4 ms

--- 192.168.10.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 4/4/6 ms

ping 192.168.20.1

PING 192.168.20.1: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.20.1: bytes=56 Sequence=1 ttl=255 time=5 ms

Reply from 192.168.20.1: bytes=56 Sequence=2 ttl=255 time=4 ms

Reply from 192.168.20.1: bytes=56 Sequence=3 ttl=255 time=4 ms

Reply from 192.168.20.1: bytes=56 Sequence=4 ttl=255 time=5 ms

Reply from 192.168.20.1: bytes=56 Sequence=5 ttl=255 time=11 ms

ping 192.168.1.1

PING 192.168.1.1: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=4 ms

Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=5 ms

Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=5 ms

Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=6 ms

Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=4 ms

ping 192.168.2.1

PING 192.168.2.1: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms

Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=4 ms

Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=4 ms

Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=4 ms

Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=3 ms

ping 192.168.2.2

PING 192.168.2.2: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=255 time=2 ms

Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=255 time=4 ms

Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms

Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms

Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=255 time=4 ms

ping 192.168.1.2

PING 192.168.1.2: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=127 time=9 ms

Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=127 time=5 ms

Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=127 time=4 ms

Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=127 time=7 ms

Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=127 time=4 ms

ping 192.168.1.188 ?測試與DHCP服務器之間的聯通性

PING 192.168.1.188: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.1.188: bytes=56 Sequence=1 ttl=63 time=5 ms

Reply from 192.168.1.188: bytes=56 Sequence=2 ttl=63 time=7 ms

Reply from 192.168.1.188: bytes=56 Sequence=3 ttl=63 time=5 ms

Reply from 192.168.1.188: bytes=56 Sequence=4 ttl=63 time=4 ms

Reply from 192.168.1.188: bytes=56 Sequence=5 ttl=63 time=5 ms

ping 192.168.20.2 ? ?測試與受測主機之間的聯通性

PING 192.168.20.2: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.20.2: bytes=56 Sequence=1 ttl=127 time=6 ms

Reply from 192.168.20.2: bytes=56 Sequence=2 ttl=127 time=7 ms

Reply from 192.168.20.2: bytes=56 Sequence=3 ttl=127 time=4 ms

Reply from 192.168.20.2: bytes=56 Sequence=4 ttl=127 time=4 ms

Reply from 192.168.20.2: bytes=56 Sequence=5 ttl=127 time=5 ms

ping 192.168.10.2 ? 測試與受測主機之間的聯通性

PING 192.168.10.2: 56 ?data bytes, press CTRL_C to break

Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=127 time=5 ms

Reply from 192.168.10.2: bytes=56 Sequence=2 ttl=127 time=5 ms

Reply from 192.168.10.2: bytes=56 Sequence=3 ttl=127 time=5 ms

Reply from 192.168.10.2: bytes=56 Sequence=4 ttl=127 time=4 ms

Reply from 192.168.10.2: bytes=56 Sequence=5 ttl=127 time=8 ms

配置3A驗證下，telnet的驗證類型

[H3C]user-interface vty 0 4

[H3C-ui-vty0-4]?

User-interface view commands:

accounting ? ? ? ? ? Config accounting mode of user terminal interface

acl ? ? ? ? ? ? ? ? ?Specify acl filtering

authentication-mode ?Terminal interface authentication mode

auto-execute ? ? ? ? Do something automatically

console ? ? ? ? ? ? ?console switch to aux

databits ? ? ? ? ? ? Specify the databits of user terminal interface

display ? ? ? ? ? ? ?Display current system information

flow-control ? ? ? ? Specify the flow control mode of user terminal interface

history-command ? ? ?Record history command

idle-timeout ? ? ? ? Specify the connection idle timeout for login user

modem ? ? ? ? ? ? ? ?Specify the characteristic of modem

nslookup ? ? ? ? ? ? Query Internet name servers

parity ? ? ? ? ? ? ? Specify the parity mode of user interface

ping ? ? ? ? ? ? ? ? Ping function

protocol ? ? ? ? ? ? Set user interface protocol

quit ? ? ? ? ? ? ? ? Exit from current command view

return ? ? ? ? ? ? ? Exit to User View

save ? ? ? ? ? ? ? ? Save current configuration

screen-length ? ? ? ?Specify the lines displayed on one screen

set ? ? ? ? ? ? ? ? ?Specify user terminal interface parameters

shell ? ? ? ? ? ? ? ?Enable terminal user service

speed ? ? ? ? ? ? ? ?Specify the TX/RX rate of user terminal interface

stopbits ? ? ? ? ? ? Specify the stop bit of user terminal interface

super ? ? ? ? ? ? ? ?Specify the super authentication mode

tracert ? ? ? ? ? ? ?Trace route function

undo ? ? ? ? ? ? ? ? undo

user ? ? ? ? ? ? ? ? Specify user's parameter of terminal interface

vrbd ? ? ? ? ? ? ? ? Show application version

[H3C-ui-vty0-4]authentication-mode ?

none ? ? ?Login without checking

password ?Use terminal interface password

scheme ? ?Authentication use AAA authorization authentication table

[H3C-ui-vty0-4]authentication-mode sch

[H3C-ui-vty0-4]authentication-mode scheme ?

command-authorization ?Authorization for the command from the user interface

is required

[H3C-ui-vty0-4]authentication-mode scheme

[H3C-ui-vty0-4]q

[H3C]

顯示全局配置文件內容

[sw1]dis cu

#

sysname sw1

#

dot1x

dot1x authentication-method pap

#

radius scheme system

radius scheme wewe

server-type standard

primary authentication 192.168.1.2

accounting optional

key authentication 123456

user-name-format without-domain

#

domain system

domain tyedu

scheme radius-scheme wewe

accounting optional

#

local-user userroot

password simple 123456

service-type telnet

level 3

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

ip address 192.168.2.2 255.255.255.0

interface Ethernet1/0/10

port access vlan 10

dot1x

interface Ethernet1/0/20

port access vlan 20

dot1x

interface Ethernet1/0/23

port link-type trunk

port trunk permit vlan all

#

interface Ethernet1/0/24

port access vlan 30

#

ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 60

dis cu

#

sysname H3C

#

firewall packet-filter enable

firewall packet-filter default permit

#

undo insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

radius scheme wewe

server-type standard

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user userroot

password simple 123456

service-type telnet

level 3

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.2.1 255.255.255.0

#

interface Ethernet0/0.1

ip address 192.168.10.1 255.255.255.0

ip relay address 192.168.1.188

dhcp select relay

vlan-type dot1q vid 10

#

interface Ethernet0/0.2

ip address 192.168.20.1 255.255.255.0

ip relay address 192.168.1.188

dhcp select relay

vlan-type dot1q vid 20

#

interface Ethernet0/0.3

ip address 192.168.1.1 255.255.255.0

vlan-type dot1q vid 30

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/0.1

add interface Ethernet0/0.2

add interface Ethernet0/0.3

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

總結

以上是生活随笔為你收集整理的linux网络的高可用性,构建高可用性网络的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。