問題描述:
MSR 3610 做出口路由 2條寬帶 WAN 2 固定IP ,WAN3 PPPOE 現在所有流量走PPPOE 想把其中幾個IP 出口流量走 WAN 2 配置策略路由 不生效
組網及組網描述:
- version 7.1.064, Release 6749P30
- #
- sysname MSR3610
- #
- clock timezone shanghai add 08:00:00
- clock protocol none
- #
- wlan global-configuration
- nas-id cm-0-1506643-210235A2C7P21600001Q
- #
- telnet server enable
- #
- security-zone intra-zone default permit
- #
- security-policy disable
- #
- track 1022 nqa entry ge0/3 1 reaction 1
- #
- track 1023 nqa entry ge0/2 1 reaction 1
- #
- ip pool l2tp2 10.10.10.2 10.10.10.15
- #
- dialer-group 2 rule ip permit
- dialer-group 4 rule ip permit
- #
- ip load-sharing mode per-flow src-ip global
- #
- bandwidth-based-sharing
- #
- dhcp enable
- dhcp server forbidden-ip 192.168.0.10
- dhcp server forbidden-ip 192.168.0.240 192.168.0.250
- dhcp server forbidden-ip 192.168.1.17
- dhcp server always-broadcast
- #
- lldp global enable
- #
- system-working-mode standard
- password-recovery enable
- #
- vlan 1
- #
- object-group ip address dstgroup20
- 1004 network host address 180.101.50.188
- #
- object-group ip address dstgroup21
- 1004 network host address 180.101.50.242
- #
- object-group ip address dstgroup23
- 1004 network host address 58.33.11.242
- #
- object-group ip address dstgroup24
- 1004 network host address 0.0.0.0
- #
- object-group ip address dstgroupGE0_5
- 0 network range 0.0.0.0 0.0.0.0
- #
- object-group ip address srcgroup20
- 1004 network range 192.168.0.0 192.168.1.254
- #
- object-group ip address srcgroup21
- 1004 network range 192.168.0.0 192.168.1.254
- #
- object-group ip address srcgroup23
- 1004 network range 192.168.0.0 192.168.1.254
- #
- object-group ip address srcgroup24
- 1004 network host address 192.168.0.39
- #
- object-group ip address srcgroupGE0_5
- 0 network range 192.168.0.8 192.168.0.8
- #
- dhcp server ip-pool lan1
- gateway-list 192.168.1.1
- network 192.168.0.0 mask 255.255.254.0
- address range 192.168.0.2 192.168.1.239
- dns-list 202.96.209.5 114.114.114.114
- expired day 0 hour 0 minute 1
- #
- ddns policy WAN3(GE3)
- url oray://***.***
- username dhht13817790318
- password cipher $c$3$Q4bGE5fQHDgXiRXG1VaZXVB8miKK1gFoks3tgyYjaDgLSA==
- #
- policy-based-route pbr2 permit node 4
- if-match acl name acl24
- apply next-hop 58.33.86.241
- apply output-interface GigabitEthernet0/2
- #
- policy-based-route pbrGE0 permit node 5
- if-match acl name aclGE0_5
- apply next-hop 58.33.86.241
- apply output-interface GigabitEthernet0/2
- #
- controller Cellular0/0
- #
- interface Dialer2
- mtu 1492
- #
- interface Dialer3
- bandwidth 1000000
- mtu 1492
- ppp chap password cipher $c$3$TYch84XZ76YTv9FaQsuUe46nPFDlvNfJB+0r
- ppp chap user ad86616043
- ppp ipcp dns admit-any
- ppp ipcp dns request
- ppp pap local-user ad86616043 password cipher $c$3$xw5COE7wcQ16KGwNZCXtuIbCVwQegOv0xlr7
- dialer bundle enable
- dialer-group 4
- dialer timer idle 0
- dialer timer autodial 5
- ip address ppp-negotiate
- tcp mss 1280
- ip last-hop hold
- nat outbound
- #
- interface Virtual-Template1
- ppp authentication-mode chap
- remote address pool l2tp2
- ip address 10.10.10.1 255.255.255.0
- #
- interface NULL0
- #
- interface GigabitEthernet0/0
- port link-mode route
- description LAN-interface
- ip address 192.168.1.1 255.255.254.0
- tcp mss 1280
- nat hairpin enable
- ip policy-based-route pbrGE0
- ip subscriber l2-connected enable
- ip subscriber initiator dhcp enable
- ip subscriber initiator unclassified-ip enable
- ip subscriber dhcp domain ipoeenabledomain
- ip subscriber unclassified-ip domain ipoeenabledomain
- #
- interface GigabitEthernet0/1
- port link-mode route
- #
- interface GigabitEthernet0/2
- port link-mode route
- description Double_Line1
- bandwidth 100000
- combo enable copper
- ip address 58.33.11.242 255.255.255.248
- ip address 58.33.11.244 255.255.255.248 sub
- tcp mss 1280
- ip last-hop hold
- nat outbound
- nat server protocol tcp global current-interface 4999 inside 192.168.0.250 443
- nat server protocol tcp global current-interface 9798 inside 192.168.0.39 9798 description 財務
- nat server protocol tcp global current-interface 39999 inside 192.168.0.254 39999
- ip policy-based-route pbr2
- #
- interface GigabitEthernet0/3
- port link-mode route
- description Double_Line2
- combo enable copper
- ip policy-based-route pbr2
- pppoe-client dial-bundle-number 3
- #
- interface GigabitEthernet0/4
- port link-mode route
- #
- interface GigabitEthernet0/5
- port link-mode route
- #
- interface SSLVPN-AC1
- ip address 10.1.1.100 255.255.255.0
- #
- route-policy pbr2_priority permit node 3
- if-match ip address acl 3002
- apply preference 50
- #
- route-policy pbr2_priority permit node 10
- apply preference 50
- #
- object-policy ip Any-Any
- rule 65533 inspect 8048_url_profile_global disable
- rule 65534 pass
- #
- security-zone name Local
- #
- security-zone name Trust
- #
- security-zone name DMZ
- #
- security-zone name Untrust
- #
- security-zone name Management
- #
- zone-pair security source Any destination Any
- object-policy apply ip Any-Any
- #
- zone-pair security source Local destination Trust
- packet-filter name SWXWSGL
- #
- zone-pair security source Local destination Untrust
- packet-filter name SWXWSGL
- #
- zone-pair security source Trust destination Local
- packet-filter name SWXWSGL
- #
- zone-pair security source Untrust destination Local
- packet-filter name SWXWSGL
- #
- scheduler logfile size 16
- #
- line class console
- user-role network-admin
- #
- line class tty
- user-role network-operator
- #
- line class vty
- user-role network-operator
- #
- line con 0
- user-role network-admin
- #
- line vty 0 63
- authentication-mode scheme
- user-role network-operator
- #
- ip route-static 0.0.0.0 0 Dialer3
- ip route-static 0.0.0.0 0 GigabitEthernet0/2 58.33.11241
- ip route-static 61.177.138.42 32 GigabitEthernet0/2 58.33.11.241 preference 30
- #
- performance-management
- #
- arp timer aging 3
- arp valid-check enable
- arp max-learning-number 500
- #
- time-range tr20 00:00 to 24:00 daily
- time-range tr21 00:00 to 24:00 daily
- time-range tr23 00:00 to 24:00 daily
- time-range tr24 00:00 to 24:00 daily
- time-range trGE0_5 00:00 to 24:00 daily
- #
- acl number 2000
- rule 0 permit source 192.168.0.39 0
- #
- acl number 3000
- description to fenzhi
- rule 10 permit ip source 192.168.0.0 0.0.1.255 destination 192.168.18.0 0.0.0.255
- rule 15 permit ip source 192.168.0.0 0.0.1.255 destination 10.1.1.0 0.0.0.255
- rule 20 permit ip source 192.168.0.0 0.0.1.255 destination 172.16.1.0 0.0.0.255
- #
- acl advanced 3002
- rule 9 permit ip source 192.168.0.8 0
- rule 10 permit ip source 192.168.1.234 0
- rule 11 permit ip source 192.168.0.19 0
- #
- acl number 3004
- rule 0 deny ip source 192.168.1.234 0
- #
- acl number 3005
- rule 0 permit ip
- rule 10 deny ip source 192.168.1.234 0
- #
- acl advanced name SWXWSGL
- rule 1 permit ip
- #
- acl advanced name acl20
- rule 1 permit ip source object-group srcgroup20 destination object-group dstgroup20 time-range tr20
- rule 1 comment 百度
- #
- acl advanced name acl21
- rule 1 permit ip source object-group srcgroup21 destination object-group dstgroup21 time-range tr21
- rule 1 comment 百度1
- #
- acl advanced name acl23
- rule 1 permit ip source object-group srcgroup23 destination object-group dstgroup23 time-range tr23
- rule 1 comment --
- #
- acl advanced name acl24
- rule 1 permit ip source object-group srcgroup24 destination object-group dstgroup24 time-range tr24
- rule 1 comment 財務
- #
- acl advanced name aclGE0_5
- rule 1 permit ip source object-group srcgroupGE0_5 destination object-group dstgroupGE0_5 time-range trGE0_5
- rule 1 comment --
- #
- password-control enable
- undo password-control aging enable
- undo password-control history enable
- password-control length 6
- password-control login-attempt 3 exceed lock-time 10
- password-control update-interval 0
- password-control login idle-time 0
- #
- domain ipoeenabledomain
- authentication ipoe none
- authorization ipoe none
- accounting ipoe none
- #
- domain system
- #
- domain default enable system
- #
- role name level-0
- description Predefined level-0 role
- #
- role name level-1
- description Predefined level-1 role
- #
- role name level-2
- description Predefined level-2 role
- #
- role name level-3
- description Predefined level-3 role
- #
- role name level-4
- description Predefined level-4 role
- #
- role name level-5
- description Predefined level-5 role
- #
- role name level-6
- description Predefined level-6 role
- #
- role name level-7
- description Predefined level-7 role
- #
- role name level-8
- description Predefined level-8 role
- #
- role name level-9
- description Predefined level-9 role
- #
- role name level-10
- description Predefined level-10 role
- #
- role name level-11
- description Predefined level-11 role
- #
- role name level-12
- description Predefined level-12 role
- #
- role name level-13
- description Predefined level-13 role
- #
- role name level-14
- description Predefined level-14 role
- #
- user-group system
- #
- local-user DHHT2024 class manage
- access-limit 20
- authorization-attribute user-role network-operator
- #
- local-user admin class manage
- service-type telnet http https
- authorization-attribute user-role network-admin
- #
- local-user dhht18 class manage
- authorization-attribute user-role network-operator
- #
- local-user dhht18 class network
- password cipher $c$3$jGAFbwINcfLB9AUed/EahZxGDeVSInuOAwI=
- service-type ppp
- authorization-attribute user-role network-operator
- #
- local-user dhhtvpn class network
- password cipher $c$3$3BbXAsHcBx+J3I9ZokVVldHF05CkglqMl9qW9A+d/mI=
- service-type ppp
- authorization-attribute user-role network-operator
- #
- local-user sslvpnuser class network
- password cipher $c$3$7Zk7wPDh0GO69YHo0pSTMQK2IolEsl7MPBf3
- service-type sslvpn
- authorization-attribute user-role network-operator
- authorization-attribute sslvpn-policy-group resourcegrp
- #
- security-enhanced level 2
- #
- ssl version gm-tls1.1 disable
- ssl renegotiation disable
- ssl version ssl3.0 disable
- ssl version tls1.0 disable
- undo ssl version tls1.1 disable
- undo ssl version tls1.2 disable
- undo ssl version tls1.3 disable
- #
- session statistics enable
- #
- ipsec transform-set WAN2(GE2)@DHHT2418
- esp encryption-algorithm aes-cbc-256
- esp authentication-algorithm sha256
- pfs dh-group2
- #
- ipsec transform-set WAN2(GE2)@dhhtipsec
- esp encryption-algorithm aes-cbc-256
- esp authentication-algorithm sha1
- #
- ipsec transform-set WAN2(GE2)@Huawei
- esp encryption-algorithm aes-cbc-256
- esp authentication-algorithm sha256
- pfs dh-group14
- #
- ipsec policy-template 18f 1
- transform-set WAN2(GE2)@dhhtipsec
- security acl 3000
- ike-profile WAN2(GE2)@dhhtipsec
- #
- l2tp-group 1 mode lns
- allow l2tp virtual-template 1
- mandatory-lcp
- undo tunnel authentication
- #
- l2tp-group 2 mode lns
- allow l2tp virtual-template 1 remote DHH
- undo tunnel authentication
- tunnel name DHH-LNS
- tunnel password cipher $c$3$m2q+DnBDnshMVhfWaSltMw09xw4xzDsdZlRcVTssdbQ=
- #
- l2tp-group 4 mode lns
- undo tunnel authentication
- tunnel name LNS
- tunnel password cipher $c$3$5fPzaq7gYOhY+RRaCAofwkazRcvdgmbyUWGMoqW+QJ0=
- #
- ike identity fqdn dhhtzb
- #
- ike profile WAN2(GE2)@DHHT2418
- keychain WAN2(GE2)@DHHT2418
- exchange-mode aggressive
- local-identity address 58.33.86.242
- match remote identity address 0.0.0.0 0.0.0.0
- proposal 65535
- #
- ike profile WAN2(GE2)@dhhtipsec
- keychain WAN2(GE2)@dhhtipsec
- local-identity address 58.33.11.242
- match remote identity address 0.0.0.0 0.0.0.0
- proposal 10
- #
- ike profile WAN2(GE2)@Huawei
- keychain WAN2(GE2)@Huawei
- exchange-mode aggressive
- local-identity address 58.33.11.242
- match remote identity address 0.0.0.0 0.0.0.0
- proposal 65535
- #
- ike proposal 1
- encryption-algorithm aes-cbc-256
- dh group14
- #
- ike proposal 10
- encryption-algorithm aes-cbc-256
- dh group2
- authentication-algorithm md5
- #
- ike proposal 65535
- encryption-algorithm aes-cbc-256
- dh group2
- authentication-algorithm sha256
- #
- ike keychain WAN2(GE2)@DHHT2418
- pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$NgiowhDvpmdMLzcgsnvguF3FLph3iR4Ni8tq0w8lBvk=
- #
- ike keychain WAN2(GE2)@dhhtipsec
- pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$KykW8kGKUbPTO2o2mB33OitsJzhJvnWsFWLB
- #
- ike keychain WAN2(GE2)@Huawei
- pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$ILy+xXRL2PfwN5LyJyRyAgqgElfeMRqWtdXB0gmCaXo=
- #
- ip http enable
- ip https enable
- web new-style
- #
- url-filter category custom severity 65535
- #
- wlan ap-group default-group
- vlan 1
- radio 2.4g
- radio 5g
- #
- sslvpn ip address-pool sslvpnpool 10.1.1.1 10.1.1.20
- #
- sslvpn gateway gw
- ip address 58.33.86.242 port 4433
- service enable
- #
- sslvpn context ctxip
- gateway gw
- ip-tunnel interface SSLVPN-AC1
- ip-tunnel address-pool sslvpnpool mask 255.255.255.0
- ip-tunnel dns-server primary 114.114.114.114
- ip-route-list rtlist
- include 192.168.0.0 255.255.254.0
- policy-group resourcegrp
- filter ip-tunnel acl 3002
- ip-tunnel access-route ip-route-list rtlist
- service enable
- #
- dac storage service dpi traffic limit hold-time 1
- dac storage service traffic limit hold-time 1
- #
- cloud-management server domain oasis.h3c.com
- #
- return
- 2025-01-23提問
- 舉報
-
(0)
➤
✖
親~登錄後才可以操作哦!
確定
✖
✖
你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作
✖
舉報
×
侵犯我的權益
>
對根叔社區有害的內容
>
辱罵、歧視、挑釁等(不友善)
侵犯我的權益
×
侵犯了我企業的權益
>
抄襲了我的內容
>
誹謗我
>
辱罵、歧視、挑釁等(不友善)
騷擾我
侵犯了我企業的權益
×
您好,當您發現根叔知了上有關於您企業的造謠與誹謗、商業侵權等內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到 pub.zhiliao@h3c.com 郵箱,我們會在審核後盡快給您答複。
- 1. 您舉報的內容是什麼?(請在郵件中列出您舉報的內容和鏈接地址)
- 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
- 3. 是哪家企業?(營業執照,單位登記證明等證件)
- 4. 您與該企業的關係是?(您是企業法人或被授權人,需提供企業委托授權書)
我們認為知名企業應該坦然接受公眾討論,對於答案中不準確的部分,我們歡迎您以正式或非正式身份在根叔知了上進行澄清。
抄襲了我的內容
×
原文鏈接或出處
誹謗我
×
您好,當您發現根叔知了上有誹謗您的內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到pub.zhiliao@h3c.com 郵箱,我們會盡快處理。
- 1. 您舉報的內容以及侵犯了您什麼權益?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
- 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
我們認為知名企業應該坦然接受公眾討論,對於答案中不準確的部分,我們歡迎您以正式或非正式身份在根叔知了上進行澄清。
對根叔社區有害的內容
×
垃圾廣告信息
色情、暴力、血腥等違反法律法規的內容
政治敏感
不規範轉載
>
辱罵、歧視、挑釁等(不友善)
騷擾我
誘導投票
不規範轉載
×
舉報說明
暫無評論