High availability for Linux networks: building a highly available network
On local host configuration
Disk technology:
A special partition on the disk: swap
Swap exists to extend virtual memory when physical RAM runs short; it is also called the swap partition. Its job is to move pages that are in memory but rarely used out to a dedicated disk partition and page them back in when the system needs them. Note that adding swap is only worthwhile when the system actually reports memory pressure and asks for more of it; it is a small way to relieve a memory shortage, not a substitute for RAM.
RAID (Redundant Array of Inexpensive Disks) uses software or hardware to combine several smaller disks into one larger disk device. It is not only about capacity: depending on the level it also raises read/write throughput and protects data.
Windows has equivalent features, called simple volume, spanned volume, striped volume, mirrored volume and RAID-5.
On Linux there is linear mode (which corresponds to a spanned volume), RAID 0 corresponds to a striped volume, RAID 1 to a mirrored volume, RAID 5 is still RAID 5, and RAID 6 and RAID 10 are available as well.
Implementing RAID
Hardware RAID uses a dedicated RAID controller card, whose drawback is price, so most operating systems also offer software RAID, which emulates the RAID function in software. On Linux this is done by the kernel's md (multiple devices) driver, managed from user space with the mdadm tool.
First, linear mode: it simply concatenates the members and offers neither a speed gain nor redundancy.
RAID 0 (Windows: striped volume) requires between 2 and 32 member devices. Data is split into fixed-size chunks (for example 64 KB) before it is written, and the chunks are written to different disks in turn. Both reads and writes are fast, so the benefit is throughput, but there is no redundancy: every member must stay healthy, because losing any one disk makes the whole array unreadable.
RAID 1 (Windows: mirrored volume) provides redundancy by keeping the same data on every member, hence "mirror". At least two members are required, with no upper limit. Write performance is ordinary (each write goes to every member) and usable capacity is 1/n of the raw capacity, i.e. 50% with two disks.
RAID 5 requires at least three members (Windows allows at most 32; the limit on Linux depends on the kernel version). It stripes data across the n members like RAID 0, but in each stripe one block holds parity, and the disk that carries the parity block rotates from stripe to stripe rather than being fixed to one disk. The parity is the XOR of the stripe's data blocks, so any single missing block can be recomputed from the others. Logically the parity consumes one disk's worth of capacity, so usable capacity is (n-1)/n. Writes are slower because the parity has to be recalculated; reads are fast while the array is healthy but slow once a disk has failed, because the missing blocks must be reconstructed from parity. RAID 5 tolerates exactly one failed member.
RAID 6 keeps two parity blocks per stripe, so at least four members are required; it extends RAID 5 with a second, independent parity and can therefore survive two simultaneous disk failures.
RAID 1+0 (RAID 10) combines RAID 1 and RAID 0: the members are first paired into RAID 1 mirrors, and the mirrors are then striped together as RAID 0. (Striping first and then mirroring the two stripe sets is RAID 0+1, which is less robust, because a single disk failure takes a whole stripe set out of the mirror.)
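As an added example (not from the original post), the following pure-Python model of RAID 5 shows striping with rotating XOR parity, why usable capacity is (n-1)/n, how a single failed member is rebuilt from the survivors, and why a second failure is unrecoverable. The member count, chunk size and payload are parameters chosen for the example, not values from the post.

```python
"""Added example (not from the original post): how RAID 5 parity works.

Stripes data across n member "disks" as fixed-size chunks, places one XOR
parity chunk per stripe on a rotating member, and rebuilds a failed member
from the survivors. Disks are plain Python lists here; chunk size and
member count are parameters, not values from the post.
"""
from typing import List, Optional

Disk = List[Optional[bytes]]   # None marks a chunk that has been lost


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR any number of equal-length blocks (this is RAID 5 parity)."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, members: int, chunk: int) -> List[Disk]:
    """Lay data out as RAID 5 stripes over `members` disks.

    Each stripe holds members-1 data chunks plus one parity chunk; the
    parity chunk rotates from stripe to stripe, so usable capacity is
    (members-1)/members of the raw capacity.
    """
    if members < 3:
        raise ValueError("RAID 5 needs at least three members")
    disks: List[Disk] = [[] for _ in range(members)]
    data_per_stripe = chunk * (members - 1)
    for s, off in enumerate(range(0, len(data), data_per_stripe)):
        stripe = data[off:off + data_per_stripe].ljust(data_per_stripe, b"\0")
        chunks = [stripe[i:i + chunk] for i in range(0, data_per_stripe, chunk)]
        parity_disk = (members - 1 - s) % members   # rotate the parity position
        chunks.insert(parity_disk, xor_blocks(chunks))
        for d, c in enumerate(chunks):
            disks[d].append(c)
    return disks


def raid5_rebuild(disks: List[Disk], failed: int) -> List[Disk]:
    """Recompute every chunk of the failed member from the other members."""
    rebuilt = [list(d) for d in disks]
    for s in range(len(disks[0])):
        survivors = [d[s] for i, d in enumerate(disks) if i != failed]
        if any(c is None for c in survivors):
            raise RuntimeError("two members missing in stripe %d: RAID 5 cannot recover" % s)
        rebuilt[failed][s] = xor_blocks(survivors)
    return rebuilt


def raid5_read(disks: List[Disk], length: int) -> bytes:
    """Read the data back, skipping the parity chunk of each stripe."""
    members = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (members - 1 - s) % members
        for d in range(members):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def usable_capacity(members: int, disk_size: int) -> int:
    """(n-1)/n of the raw capacity: one disk's worth goes to parity."""
    return (members - 1) * disk_size


if __name__ == "__main__":
    payload = b"the quick brown fox jumps over the lazy dog " * 3   # constructed sample data
    array = raid5_write(payload, members=4, chunk=8)
    array[2] = [None] * len(array[2])                       # disk 2 fails
    recovered = raid5_rebuild(array, failed=2)
    print(raid5_read(recovered, len(payload)) == payload)   # True
```

Fail a second member before calling raid5_rebuild and it raises, which is the practical meaning of "RAID 5 tolerates exactly one failed member".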
Implementation:
Install mdadm.
The main mdadm modes and options:
-A  assemble mode: assemble a previously created array from its members
-C  create mode: create a new array (writes superblocks to the members)
-B  build mode: build an array without superblocks (the members carry no metadata)
-F  follow/monitor mode: watch arrays and report member failures
-G  grow mode: change an array's size or shape
-I  incremental assembly mode: add members one at a time as the devices appear
manage mode has no mode flag: it is selected by naming an existing array together with --add, --remove or --fail
-l  specify the RAID level (lowercase l; there is no -L option)
-N  specify the array name
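As an added example (not from the original post), here is the check a practitioner wants next to monitor mode: a small parser for /proc/mdstat that flags degraded md arrays, suitable for a cron job or a monitoring agent. The mdstat text below is a constructed sample; on a real host read it with open("/proc/mdstat").read().

```python
"""Added example (not from the original post): detect degraded software RAID
arrays managed by the md driver by parsing /proc/mdstat.

SAMPLE_MDSTAT is constructed for the example; on a real host replace it with
open("/proc/mdstat").read(). mdadm -F (monitor mode) can raise the same
alarm by mail, but a parser like this is what you would wire into a cron
job or a monitoring agent.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid5]
md0 : active raid5 sdd1[3] sdc1[2] sdb1[1] sda1[0]
      2929888 blocks level 5, 64k chunk, algorithm 2 [4/4] [UUUU]

md1 : active raid1 sdf1[1](F) sde1[0]
      976224 blocks [2/1] [U_]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(\S+)\s+(.*)$")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")
MEMBER_RE = re.compile(r"(\S+?)\[(\d+)\](\([A-Z]+\))?")   # sdb1[1](F): device, slot, flags


@dataclass
class MdArray:
    name: str
    state: str
    level: str
    members: List[str] = field(default_factory=list)
    faulty: List[str] = field(default_factory=list)
    configured: int = 0
    active: int = 0
    slots: str = ""

    @property
    def degraded(self) -> bool:
        """Degraded when fewer members are active than configured or a slot shows '_'."""
        return self.active < self.configured or "_" in self.slots


def parse_mdstat(text: str) -> Dict[str, MdArray]:
    """Parse the array header lines and the [n/m] [UU_] status line that follows each."""
    arrays: Dict[str, MdArray] = {}
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            current = MdArray(name, state, level)
            for dev, _slot, flags in MEMBER_RE.findall(rest):
                current.members.append(dev)
                if "F" in flags:
                    current.faulty.append(dev)
            arrays[name] = current
            continue
        s = STATUS_RE.search(line)
        if s and current is not None:
            current.configured, current.active = int(s.group(1)), int(s.group(2))
            current.slots = s.group(3)
    return arrays


def degraded_arrays(text: str) -> List[str]:
    """Names of arrays that have lost at least one member."""
    return [a.name for a in parse_mdstat(text).values() if a.degraded]


if __name__ == "__main__":
    for a in parse_mdstat(SAMPLE_MDSTAT).values():
        flag = "DEGRADED" if a.degraded else "ok"
        print(f"{a.name}: {a.level} {a.active}/{a.configured} [{a.slots}] {flag} faulty={a.faulty}")
```

In the sample, md1 reports [2/1] [U_] with sdf1 marked (F), so degraded_arrays returns ["md1"]; a RAID 1 in that state still serves data but has no redundancy left, which is the moment to replace the disk, not after the second failure.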
Building the VRRP network; the device topology is shown in the figure.
The configuration steps for sw6 are roughly as follows:
create the VLANs, add the access ports to them, and configure the uplink interfaces as trunks:
%Apr  1 23:58:48:637 2000 Quidway SHELL/5/LOGIN:- 1 - Console(aux0) in unit1 login
system-view
System View: return to User View with Ctrl+Z.
[Quidway]sysname sw6
[sw6]vlan 10
[sw6-vlan10]port e1/0/10
[sw6-vlan10]vlan 20
[sw6-vlan20]port e1/0/20
[sw6-vlan20]int e1/0/1
[sw6-Ethernet1/0/1]port link-type trunk
[sw6-Ethernet1/0/1]port trunk permit vlan all
Please wait........................................... Done.
[sw6-Ethernet1/0/1]dis vlan
The following VLANs exist:
1(default), 10, 20
[sw6-Ethernet1/0/1]int e1/0/24
[sw6-Ethernet1/0/24]port link-type trunk
[sw6-Ethernet1/0/24]port trunk permit vlan all
Please wait........................................... Done.
[sw6-Ethernet1/0/24]q
[sw6]
The sw8 configuration is much the same as sw6:
%Apr  2 00:04:25 2000 Quidway SHELL/5/LOGIN: Console login from Aux0/0
system-view
Enter system view, return to user view with Ctrl+Z.
[Quidway]sysname sw8
[sw8]vlan 10
[sw8-vlan10]
[sw8-vlan10]port eth0/10
[sw8-vlan10]vlan 20
[sw8-vlan20]port eth0/20
[sw8-vlan20]int eth0/1
[sw8-Ethernet0/1]port link-type trunk
[sw8-Ethernet0/1]port trunk permit vlan all
Please wait........................................... Done.
[sw8-Ethernet0/1]int eth0/24
[sw8-Ethernet0/24]port link-type trunk
[sw8-Ethernet0/24]port trunk permit vlan all
Please wait........................................... Done.
[sw8-Ethernet0/24]
Router r3 configuration: assign 3.3.3.3/24 to e0, 1.1.1.1/24 to s0 and 1.1.2.1/24 to s1 (on tagged sub-interfaces, as on r1 and r2 below, set the dot1q tag before assigning the address), then reset each serial interface with shutdown / undo shutdown. r3 stands in for the WAN, so its only role is to connect the two edge routers.
[Router]
[Router]sysname r3
[r3]int e0
[r3-Ethernet0]ip add 3.3.3.3 24
[r3-Ethernet0]loopback
Ethernet0 running on loopback mode
[r3-Ethernet0]
%01:24:13: Interface Ethernet0 is UP
%01:24:13: Line protocol ip on the interface Ethernet0 is UP
[r3-Ethernet0]int s0
[r3-Serial0]ip add 1.1.1.1 24
[r3-Serial0]
%01:27:01: Line protocol ip on the interface Serial0 is UP
[r3-Serial0]shut
% Interface Serial0 is down
[r3-Serial0]
%01:27:10: Interface Serial0 is DOWN
[r3-Serial0]undo shut
% Interface Serial0 is reset
[r3-Serial0]
%01:27:18: Interface Serial0 is UP
[r3-Serial0]int s1
[r3-Serial1]ip add 1.1.2.1 24
[r3-Serial1]
%01:27:48: Line protocol ip on the interface Serial1 is UP
[r3-Serial1]shut
% Interface Serial1 is down
[r3-Serial1]
%01:27:57: Interface Serial1 is DOWN
[r3-Serial1]undo shut
% Interface Serial1 is reset
[r3-Serial1]
%01:28:08: Interface Serial1 is UP
[r3-Serial1]
[r3-Serial1]
r1 main configuration: create the dot1q sub-interfaces for router-on-a-stick, add a default route via 1.1.1.1, address the physical WAN interface, then configure PAT: first an ACL that selects the traffic to translate, then a NAT address pool, then bind the pool (or the interface itself, by name) to the outbound interface; finally configure VRRP on the sub-interfaces (VRID, virtual IP and priority). The lab ACL is "rule permit source any"; in production restrict it to the internal subnets so that only LAN traffic is translated.
[Router]sysname r1
[r1]int s0
[r1-Serial0]ip add 1.1.1.2 24
[r1-Serial0]
%01:29:18: Line protocol ip on the interface Serial0 is UP
[r1-Serial0]shut
% Interface Serial0 is shut down
[r1-Serial0]
%01:29:23: Interface Serial0 is DOWN
[r1-Serial0]undo shut
% Interface Serial0 is reset
[r1-Serial0]
%01:29:33: Interface Serial0 is UP
%01:29:33: Line protocol ip on the interface Serial0 is UP
[r1-Serial0]int e0.1
[r1-Ethernet0.1]vlan-type dot1q vid 10
[r1-Ethernet0.1]ip add 192.168.10.1 24
[r1-Ethernet0.1]
%01:31:37: Line protocol ip on the interface Ethernet0.1 is UP
[r1-Ethernet0.1]int e0.2
[r1-Ethernet0.2]vlan-type dot1q vid 20
[r1-Ethernet0.2]ip add 192.168.20.1 24
[r1-Ethernet0.2]
%01:32:41: Line protocol ip on the interface Ethernet0.2 is UP
[r1-Ethernet0.2]quit
[r1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[r1]ping 3.3.3.3
PING 3.3.3.3: 56  data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=0 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time = 25 ms
--- 3.3.3.3 ping statistics ---
5 packets transmitted
5 packets received
0.00% packet loss
round-trip min/avg/max = 25/25/25 ms
[r1]acl 2000 match-order auto
[r1-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[r1-acl-2000]quit
[r1]nat address-group 1.1.1.3 1.1.1.9 wewe
[r1]int s0
[r1-Serial0]
[r1-Serial0]nat outbound 2000 address-group wewe
[r1-Serial0]quit
[r1]vrrp ping-enable
ping vrrp enable
[r1]int e0.1
[r1-Ethernet0.1]
[r1-Ethernet0.1]vrrp vrid 10 virtual-ip 192.168.10.254
[r1-Ethernet0.1]vrrp vrid 10 priority 120
[r1-Ethernet0.1]vrrp vrid 10 track s0 reduced 30
[r1-Ethernet0.1]int e0.2
[r1-Ethernet0.2]vrrp vrid 20 virtual-ip 192.168.20.254
[r1-Ethernet0.2]quit
[r1]
r2's configuration is much the same as r1's. The difference is that on r2 the sub-interface for the 20.0 network is the master, so it gets the higher priority, interface tracking (priority reduction) and preemption (on by default), while the 10.0 sub-interface is the backup (the master for 10.0 is on r1).
[Router]
[Router]
%01:28:06: Interface Serial1 is DOWN
%01:28:11: Interface Serial1 is UP
[Router]sysname r2
[r2]int s1
[r2-Serial1]ip add 1.1.2.2 24
[r2-Serial1]
%01:55:26: Line protocol ip on the interface Serial1 is UP
[r2-Serial1]shut
% Interface Serial1 is down
[r2-Serial1]
%01:55:31: Interface Serial1 is DOWN
[r2-Serial1]undo shut
% Interface Serial1 is reset
[r2]vrrp ping-enable
ping vrrp enable
[r2]int s1
[r2-Serial1]
%01:55:41: Interface Serial1 is UP
%01:55:41: Line protocol ip on the interface Serial1 is UP
[r2-Serial1]int e0.1
[r2-Ethernet0.1]vlan-type dot1q vid 10
[r2-Ethernet0.1]ip add 192.168.10.2 24
[r2-Ethernet0.1]
%01:57:55: Line protocol ip on the interface Ethernet0.1 is UP
[r2-Ethernet0.1]int e0.2
[r2-Ethernet0.2]vlan-type dot1q vid 20
[r2-Ethernet0.2]ip add 192.168.20.2 24
[r2-Ethernet0.2]
%01:58:48: Line protocol ip on the interface Ethernet0.2 is UP
[r2-Ethernet0.2]quit
[r2]ip route-static 0.0.0.0 0.0.0.0 1.1.2.1
[r2]acl 2000 match-order auto
[r2-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[r2-acl-2000]quit
[r2]nat address-group 1.1.2.6 1.1.2.9 wewe
[r2]int s1
[r2-Serial1]nat outbound 2000 address-group wewe
[r2-Serial1]quit
[r2]vrrp ping-enable
ping vrrp enable
[r2]int e0.1
[r2-Ethernet0.1]
[r2-Ethernet0.1]vrrp vrid 10 virtual-ip 192.168.10.254
[r2-Ethernet0.1]int e0.2
[r2-Ethernet0.2]vrrp vrid 20 virtual-ip 192.168.20.254
[r2-Ethernet0.2]vrrp vrid 20 priority 120
[r2-Ethernet0.2]vrrp vrid 20 track s1 reduced 30
[r2]ping 3.3.3.3
PING 3.3.3.3: 56  data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=0 ttl=255 time = 26 ms
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time = 26 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time = 25 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time = 25 ms
--- 3.3.3.3 ping statistics ---
5 packets transmitted
5 packets received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
Testing: shut down the WAN link on one router at a time and watch the VRRP roles change on both routers. Each device backs up the other's links, so with this redundancy both VLANs keep a reachable gateway.
[r2]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 120
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial1   Priority reduced : 30
Ethernet0.1 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
[r2]int s1
[r2-Serial1]shut
% Interface Serial1 is down
[r2-Serial1]
%02:26:49: Interface Serial1 is DOWN
[r2-Serial1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 90
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial1   Priority reduced : 30
Ethernet0.1 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
[r1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Ethernet0.1 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 120
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial0   Priority reduced : 30
[r1]int s0
[r1-Serial0]shut
% Interface Serial0 is shut down
[r1-Serial0]
%02:32:38: Interface Serial0 is DOWN
%02:32:38: Line protocol ip on the interface Serial0 is DOWN
[r2-Serial1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 120
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial1   Priority reduced : 30
Ethernet0.1 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
[r2-Serial1]quit
[r1]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Ethernet0.1 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 90
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial0   Priority reduced : 30
[r1]
[r1]int s0
[r1-Serial0]undo shut
% Interface Serial0 is reset
[r1-Serial0]
[r1-Serial0]
%02:42:58: Interface Serial0 is UP
%02:42:58: Line protocol ip on the interface Serial0 is UP
[r1-Serial0]
[r1-Serial0]dis vrrp
Ethernet0.2 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Ethernet0.1 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 120
Preempt : YES   Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Serial0   Priority reduced : 30
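As an added example (not part of the original post), the following model reproduces the VRRP election behind the dis vrrp output above. It takes the post's VRIDs, priorities and tracked interfaces and replays the role changes step by step; the election rule is the RFC 3768 one (highest priority wins, higher primary IP address breaks ties, preemption on, as the Preempt : YES lines show). The rogue router in the last step is an assumption added to show what Auth Type : NO means in practice.

```python
"""Added example (not part of the original post): VRRP master election with
interface tracking, replaying the role changes seen in the dis vrrp output.

Router names, VRIDs, priorities and tracked interfaces are the post's; the
election logic follows RFC 3768 (highest priority wins, ties go to the
higher primary IP address) with preemption enabled, as in the lab.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class VrrpInstance:
    vrid: int
    ip: str                    # the router's own address on the sub-interface
    priority: int = 100        # VRRP default priority
    track_if: Optional[str] = None
    reduced: int = 0           # "vrrp vrid N track IF reduced X"


@dataclass
class Router:
    name: str
    instances: List[VrrpInstance]
    links: Dict[str, bool] = field(default_factory=dict)   # interface -> up?

    def effective_priority(self, inst: VrrpInstance) -> int:
        """Priority after tracking: drop by `reduced` while the tracked link is down."""
        if inst.track_if and not self.links.get(inst.track_if, True):
            return max(inst.priority - inst.reduced, 1)
        return inst.priority


def elect(routers: List[Router], vrid: int) -> Tuple[str, int]:
    """Return (master name, its effective priority) for one virtual router."""
    candidates = []
    for r in routers:
        for inst in r.instances:
            if inst.vrid == vrid:
                candidates.append((r.effective_priority(inst), int(ip_address(inst.ip)), r.name))
    if not candidates:
        raise ValueError(f"no router runs VRID {vrid}")
    prio, _ip, name = max(candidates)   # RFC 3768: highest priority, then highest IP, wins
    return name, prio


def roles(routers: List[Router]) -> Dict[int, str]:
    """Master per VRID across the whole set of routers."""
    vrids = sorted({i.vrid for r in routers for i in r.instances})
    return {v: elect(routers, v)[0] for v in vrids}


def lab() -> List[Router]:
    """The post's topology: r1 masters VRID 10, r2 masters VRID 20, each tracking its WAN link."""
    r1 = Router("r1", [
        VrrpInstance(10, "192.168.10.1", priority=120, track_if="Serial0", reduced=30),
        VrrpInstance(20, "192.168.20.1"),
    ], links={"Serial0": True})
    r2 = Router("r2", [
        VrrpInstance(10, "192.168.10.2"),
        VrrpInstance(20, "192.168.20.2", priority=120, track_if="Serial1", reduced=30),
    ], links={"Serial1": True})
    return [r1, r2]


if __name__ == "__main__":
    routers = lab()
    print("normal:", roles(routers))                   # {10: 'r1', 20: 'r2'}
    routers[1].links["Serial1"] = False                # [r2-Serial1]shut: r2 drops to 90 on VRID 20
    print("r2 s1 down:", roles(routers))               # {10: 'r1', 20: 'r1'}
    routers[1].links["Serial1"] = True
    routers[0].links["Serial0"] = False                # [r1-Serial0]shut: r1 drops to 90 on VRID 10
    print("r1 s0 down:", roles(routers))               # {10: 'r2', 20: 'r2'}
    routers[0].links["Serial0"] = True                 # undo shut: r1 preempts VRID 10 again
    print("restored:", roles(routers))                 # {10: 'r1', 20: 'r2'}
    # With Auth Type : NO, any host on VLAN 10 that sends advertisements with
    # priority 255 wins the election and becomes the default gateway (assumed rogue host).
    rogue = Router("rogue", [VrrpInstance(10, "192.168.10.200", priority=255)])
    print("rogue on VLAN 10:", roles(routers + [rogue]))   # {10: 'rogue', 20: 'r2'}
```

The numbers match the transcript: 120 - 30 = 90 is below the peer's default 100, which is exactly why the reduced value was chosen larger than the 20-point priority gap. The last step is the caveat: VRRP here runs without authentication, so the election is only as trustworthy as the hosts allowed onto the VLAN.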
Then test from two hosts, one in each VLAN (results shown in the figures).
Building an AAA service on H3C/Huawei equipment (DHCP server plus AAA authentication)
Before building the physical topology we first set up the DHCP server and the RADIUS server. We use a DHCP server on Linux and an IAS server on Windows, and walk through the setup of each.
DHCP on Linux:
For the detailed build steps see the post: DHCP在企業網中的應用
The focus here is editing and testing the DHCP configuration file; the changes are shown in the figure.
After confirming that the file has no syntax errors, restart the DHCP server.
DHCP server IP address: 192.168.1.188 (the address the relay configuration below forwards to).
Then install and configure IAS (the AAA server) on Windows Server 2003; the steps are shown in the figures.
Because this is an authentication server, accounts have to exist for clients to authenticate against, so next create a user and grant it the appropriate (dial-in) access permission.
Next create a RADIUS client and, in its properties, set the shared secret (123456 in this example) and choose the standard vendor type. Because we use EAPoR (EAP over RADIUS, the relay mode), the RADIUS client address is the switch's IP address: the switch is the NAS that forwards the user's credentials to the server, as shown.
Then edit the IAS remote access policy: open Edit Profile and set the authentication type to PAP (for convenience the lab uses PAP, in which the password is not hashed: the RADIUS User-Password attribute is only masked with the shared secret and is recoverable by anyone who knows that secret).
To keep the lab simple, put the host's IP address (configured manually) in the same subnet as the DHCP and RADIUS servers. Then install the 802.1X client software on the PC, as shown.
Then build the lab environment; the topology is shown in the figure.
Equipment required: one H3C SecPath 100C firewall
and one S2000-series S2403H-HI switch.
%Apr  2 12:56:19:886 2000 Quidway SHELL/5/LOGIN:- 1 - Console(aux0) in unit1 login
system-view
System View: return to User View with Ctrl+Z.
[Quidway]sysname sw1
[sw1]vlan 10
[sw1-vlan10]port e1/0/10
[sw1-vlan10]vlan 20
[sw1-vlan20]port e1/0/20
[sw1-vlan20]vlan 30
[sw1-vlan30]port e1/0/24
[sw1-vlan30]
[sw1-vlan30]dis cu vlan
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
[sw1-vlan30]q
[sw1]int Vlan-interface 1
[sw1-Vlan-interface1]
[sw1-Vlan-interface1]ip add 192.168.2.2 24
[sw1-Vlan-interface1]q
[sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
[sw1]int e1/0/23
[sw1-Ethernet1/0/23]port ?
  access            Specify current access port's characteristics
  hybrid            Specify current hybrid port's characteristics
  isolate           Port isolate
  link-aggregation  Link aggregation group
  link-type         Specify port link-type
  trunk             Specify current trunk port's characteristics
[sw1-Ethernet1/0/23]port link-type trunk
[sw1-Ethernet1/0/23]port trunk permit vlan all
Please wait........................................... Done.
[sw1-Ethernet1/0/23]dis vlan
The following VLANs exist:
1(default), 10, 20, 30
[sw1-Ethernet1/0/23]
[sw1-Ethernet1/0/23]q
[sw1]dot1x ?
  authentication-method  Specify system authentication method
  dhcp-launch            Trigger system authentication when receiving DHCP packet(s)
  guest-vlan             Specify guest vlan configuration information for ports
  interface              Specify interface configuration information
  max-user               Specify maximal on-line user number per port
  port-control           Specify port authenticated status
  port-method            Specify port controlled method
  quiet-period           Enable quiet period function
  retry                  Specify maximal request times
  retry-version-max      Specify maximal request times for version information
  supp-proxy-check       Check whether user(s) access the networks by proxy or not
  timer                  Specify timer parameters
  version-check          Check the version information of 802.1x supplicant
[sw1]dot1x
802.1X is enabled globally.
[sw1]int e1/0/10
[sw1-Ethernet1/0/10]dot1x ?
  guest-vlan        Specify guest vlan configuration information for ports
  max-user          Specify maximal on-line user number per port
  port-control      Specify port authenticated status
  port-method       Specify port controlled method
  supp-proxy-check  Check whether user(s) access the networks by proxy or not
  version-check     Check the version information of 802.1x supplicant
[sw1-Ethernet1/0/10]dot1x
802.1X is enabled on port Ethernet1/0/10.
[sw1-Ethernet1/0/10]q
[sw1]int e1/0/20
[sw1-Ethernet1/0/20]dot1x
802.1X is enabled on port Ethernet1/0/20.
[sw1-Ethernet1/0/20]q
[sw1]radius scheme ?
  STRING<1-32>  Radius scheme name
After creating a RADIUS scheme, fill in its contents; the main items are the following:
[sw1]radius scheme wewe
New Radius scheme
[sw1-radius-wewe]?
Radius-template view commands:
  accounting              Specify accounting mode
  accounting-on           Accounting-On packet sending mode
  data-flow-format        Specify data flow format
  display                 Display current system information
  key                     Specify the shared encryption key of RADIUS server
  nas-ip                  Specify RADIUS source ip address
  ping                    Ping function
  primary                 Specify IP address of primary RADIUS server
  quit                    Exit from current command view
  retry                   Specify retransmission times
  return                  Exit to User View
  save                    Save current configuration
  secondary               Specify IP address of secondary RADIUS server
  server-type             Specify the type of RADIUS server
  state                   Specify state of primary/secondary authentication/accounting RADIUS server
  stop-accounting-buffer  Enable stop-accounting packet buffer
  timer                   Specify timer parameters
  tracert                 Trace route function
  undo                    Cancel current setting
  user-name-format        Specify user-name format sent to RADIUS server
[sw1-radius-wewe]primary ?
  accounting      Specify IP address of primary accounting RADIUS server
  authentication  Specify IP address of primary authentication RADIUS server
[sw1-radius-wewe]primary authentication 192.168.1.2
[sw1-radius-wewe]key ?
  accounting      Specify key for accounting RADIUS server
  authentication  Specify key for authentication RADIUS server
[sw1-radius-wewe]key authentication 123456
[sw1-radius-wewe]server-type standard
[sw1-radius-wewe]user-name-format without-domain
[sw1-radius-wewe]accounting ?
  optional  Optional accounting mode
[sw1-radius-wewe]accounting optional
[sw1-radius-wewe]quit
Next set the authentication method the switch uses towards the AAA server. It must match the authentication type selected in the RADIUS server's dial-in policy, or authentication will not succeed:
[sw1]dot1x authentication-method ?
  chap  CHAP(Challenge Handshake Authentication Protocol) authentication method.It's default.
  eap   EAP(Extensible Authentication Protocol) authentication method(support eap-tls, eap-md5, peap, eap-ttls)
  pap   PAP(Password Authentication Protocol) authentication method
[sw1]dot1x authentication-method pap
PAP authentication is enabled.
With pap or chap the switch terminates EAP itself and re-encodes the credentials for RADIUS; only eap relays the supplicant's EAP frames to the server unchanged. PAP is used here only because the IAS policy above was set to PAP. The shared secret 123456 is likewise a lab value: with PAP, anyone who knows the secret can recover user passwords from captured RADIUS traffic, so in production use a long random secret and keep the switch-to-server path off user-reachable segments.
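As an added example (not part of the original post), the block below shows what the PAP choice above puts on the wire between the switch and the RADIUS server. It implements the RFC 2865 section 5.2 User-Password hiding: the password is XOR-ed with an MD5 keystream derived from the shared secret and the Request Authenticator, which the server (or anyone with the secret) reverses. The shared secret 123456 is the post's; the password, authenticator and candidate secrets are constructed for the example.

```python
"""Added example (not part of the original post): PAP over RADIUS.

RFC 2865 section 5.2 hides the User-Password attribute by XOR-ing it with an
MD5 keystream derived from the shared secret and the Request Authenticator.
Anyone who holds the shared secret (or guesses a weak one such as the 123456
used in the lab) recovers the cleartext password from a capture. The secret,
authenticator, password and candidate list below are constructed for the
example.
"""
import hashlib
import os
from typing import Iterable, Optional


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP User-Password as the NAS (the switch) does before sending Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)   # pad with NULs to a 16-byte boundary
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()           # b_i = MD5(S + c_(i-1)), c_0 = RA
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_hide: what the RADIUS server does, and what an eavesdropper with the secret can do."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\0")


def crack_weak_secret(hidden: bytes, authenticator: bytes,
                      candidates: Iterable[bytes], known_prefix: bytes) -> Optional[bytes]:
    """Offline guess of the shared secret from one captured Access-Request.

    A user who knows their own password (the known prefix) and captures their
    own login can test candidate secrets; once found, every other user's PAP
    password on the same NAS is readable. CHAP and EAP do not expose the
    password this way.
    """
    for s in candidates:
        if pap_reveal(hidden, s, authenticator).startswith(known_prefix):
            return s
    return None


def build_access_request_attr(hidden: bytes) -> bytes:
    """Wrap the hidden password as RADIUS attribute 2 (User-Password): type, length, value."""
    return bytes([2, 2 + len(hidden)]) + hidden


if __name__ == "__main__":
    secret = b"123456"                         # the shared secret configured in the lab above
    ra = os.urandom(16)                        # Request Authenticator chosen by the NAS
    hidden = pap_hide(b"student-passw0rd", secret, ra)
    print(pap_reveal(hidden, secret, ra))      # b'student-passw0rd'
    print(crack_weak_secret(hidden, ra, [b"secret", b"123456", b"radius"], b"student"))  # b'123456'
```

The takeaway for the lab's choices: PAP is fine to get 802.1X working, but the combination of PAP, a six-digit shared secret and a RADIUS path that crosses user VLANs means one captured Access-Request is enough to read passwords. Switching the policy to EAP (PEAP or EAP-TLS) removes the cleartext password from the exchange entirely.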
Firewall (H3C SecPath) configuration:
%Jan 13 20:23:32:046 2014 H3C SHELL/4/LOGIN: Console login from con0
system-view
System View: return to User View with Ctrl+Z.
[H3C]int eth0/0
[H3C-Ethernet0/0]ip add 192.168.2.1 24
[H3C-Ethernet0/0]int eth0/0.1
[H3C-Ethernet0/0.1]vlan-type dot1q vid 10
[H3C-Ethernet0/0.1]ip add 192.168.10.1 24
[H3C-Ethernet0/0.1]int eth0/0.2
[H3C-Ethernet0/0.2]vlan-type dot1q vid 20
[H3C-Ethernet0/0.2]ip add 192.168.20.1 24
[H3C-Ethernet0/0.2]int eth0/0.3
[H3C-Ethernet0/0.3]vlan-type dot1q vid 30
[H3C-Ethernet0/0.3]ip add 192.168.1.1 24
[H3C-Ethernet0/0.3]
[H3C-Ethernet0/0.3]quit
[H3C-zone-trust]add int eth0/0.1
[H3C-zone-trust]add int eth0/0.2
[H3C-zone-trust]add int eth0/0.3
[H3C-zone-trust]quit
Note: on the firewall you must turn off port isolation, because by default the sub-interfaces of a split physical port are isolated from each other and cannot communicate:
[H3C]undo insulate
[H3C]dhcp enable
DHCP task has already been started!
[H3C]dhcp select relay interface eth0/0.1 to eth0/0.2
[H3C]int eth0/0.1
[H3C-Ethernet0/0.1]ip relay add 192.168.1.188
[H3C-Ethernet0/0.1]int eth0/0.2
[H3C-Ethernet0/0.2]ip relay add 192.168.1.188
[H3C-Ethernet0/0.2]quit
[H3C]
On sw1, check the routing table:
dis ip routing-table
Routing Table: public net
Destination/Mask    Protocol Pre  Cost        Nexthop         Interface
0.0.0.0/0           STATIC   60   0           192.168.2.1     Vlan-interface1
127.0.0.0/8         DIRECT   0    0           127.0.0.1       InLoopBack0
127.0.0.1/32        DIRECT   0    0           127.0.0.1       InLoopBack0
192.168.2.0/24      DIRECT   0    0           192.168.2.2     Vlan-interface1
192.168.2.2/32      DIRECT   0    0           127.0.0.1       InLoopBack0
system-view
System View: return to User View with Ctrl+Z.
[sw1]domain tyedu
New Domain added.
[sw1-isp-tyedu]radius-scheme wewe
[sw1-isp-tyedu]accounting optional
[sw1-isp-tyedu]
Connectivity tests from sw1:
ping 192.168.10.1
PING 192.168.10.1: 56  data bytes, press CTRL_C to break
Reply from 192.168.10.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time=6 ms
Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.10.1: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.10.1: bytes=56 Sequence=5 ttl=255 time=4 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
ping 192.168.20.1
PING 192.168.20.1: 56  data bytes, press CTRL_C to break
Reply from 192.168.20.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.20.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.20.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.20.1: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 192.168.20.1: bytes=56 Sequence=5 ttl=255 time=11 ms
ping 192.168.1.1
PING 192.168.1.1: 56  data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=6 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=4 ms
ping 192.168.2.1
PING 192.168.2.1: 56  data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=3 ms
ping 192.168.2.2
PING 192.168.2.2: 56  data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=255 time=4 ms
ping 192.168.1.2
PING 192.168.1.2: 56  data bytes, press CTRL_C to break
Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=127 time=9 ms
Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=127 time=5 ms
Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=127 time=4 ms
Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=127 time=7 ms
Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=127 time=4 ms
ping 192.168.1.188   (test connectivity to the DHCP server)
PING 192.168.1.188: 56  data bytes, press CTRL_C to break
Reply from 192.168.1.188: bytes=56 Sequence=1 ttl=63 time=5 ms
Reply from 192.168.1.188: bytes=56 Sequence=2 ttl=63 time=7 ms
Reply from 192.168.1.188: bytes=56 Sequence=3 ttl=63 time=5 ms
Reply from 192.168.1.188: bytes=56 Sequence=4 ttl=63 time=4 ms
Reply from 192.168.1.188: bytes=56 Sequence=5 ttl=63 time=5 ms
ping 192.168.20.2   (test connectivity to the host under test in VLAN 20)
PING 192.168.20.2: 56  data bytes, press CTRL_C to break
Reply from 192.168.20.2: bytes=56 Sequence=1 ttl=127 time=6 ms
Reply from 192.168.20.2: bytes=56 Sequence=2 ttl=127 time=7 ms
Reply from 192.168.20.2: bytes=56 Sequence=3 ttl=127 time=4 ms
Reply from 192.168.20.2: bytes=56 Sequence=4 ttl=127 time=4 ms
Reply from 192.168.20.2: bytes=56 Sequence=5 ttl=127 time=5 ms
ping 192.168.10.2   (test connectivity to the host under test in VLAN 10)
PING 192.168.10.2: 56  data bytes, press CTRL_C to break
Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=127 time=5 ms
Reply from 192.168.10.2: bytes=56 Sequence=2 ttl=127 time=5 ms
Reply from 192.168.10.2: bytes=56 Sequence=3 ttl=127 time=5 ms
Reply from 192.168.10.2: bytes=56 Sequence=4 ttl=127 time=4 ms
Reply from 192.168.10.2: bytes=56 Sequence=5 ttl=127 time=8 ms
Configure the telnet login authentication mode under AAA on the firewall:
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]?
User-interface view commands:
  accounting           Config accounting mode of user terminal interface
  acl                  Specify acl filtering
  authentication-mode  Terminal interface authentication mode
  auto-execute         Do something automatically
  console              console switch to aux
  databits             Specify the databits of user terminal interface
  display              Display current system information
  flow-control         Specify the flow control mode of user terminal interface
  history-command      Record history command
  idle-timeout         Specify the connection idle timeout for login user
  modem                Specify the characteristic of modem
  nslookup             Query Internet name servers
  parity               Specify the parity mode of user interface
  ping                 Ping function
  protocol             Set user interface protocol
  quit                 Exit from current command view
  return               Exit to User View
  save                 Save current configuration
  screen-length        Specify the lines displayed on one screen
  set                  Specify user terminal interface parameters
  shell                Enable terminal user service
  speed                Specify the TX/RX rate of user terminal interface
  stopbits             Specify the stop bit of user terminal interface
  super                Specify the super authentication mode
  tracert              Trace route function
  undo                 undo
  user                 Specify user's parameter of terminal interface
  vrbd                 Show application version
[H3C-ui-vty0-4]authentication-mode ?
  none      Login without checking
  password  Use terminal interface password
  scheme    Authentication use AAA authorization authentication table
[H3C-ui-vty0-4]authentication-mode scheme ?
  command-authorization  Authorization for the command from the user interface is required
[H3C-ui-vty0-4]authentication-mode scheme
[H3C-ui-vty0-4]q
[H3C]
With scheme, telnet logins are checked through AAA (here against the local-user accounts in the running configuration below) instead of a single line password. Telnet itself still carries those credentials in cleartext, so restrict the vty lines with an ACL or use SSH where the platform offers it.
Display the running configuration on sw1. Note that local-user userroot is stored with "password simple", i.e. in cleartext in the configuration file; the firewall's admin account below uses "password cipher", which at least keeps the password out of plain view in backups and display output.
[sw1]dis cu
#
sysname sw1
#
dot1x
dot1x authentication-method pap
#
radius scheme system
radius scheme wewe
server-type standard
primary authentication 192.168.1.2
accounting optional
key authentication 123456
user-name-format without-domain
#
domain system
domain tyedu
scheme radius-scheme wewe
accounting optional
#
local-user userroot
password simple 123456
service-type telnet
level 3
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.2.2 255.255.255.0
interface Ethernet1/0/10
port access vlan 10
dot1x
interface Ethernet1/0/20
port access vlan 20
dot1x
interface Ethernet1/0/23
port link-type trunk
port trunk permit vlan all
#
interface Ethernet1/0/24
port access vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 60
Firewall running configuration:
dis cu
#
sysname H3C
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
radius scheme wewe
server-type standard
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user userroot
password simple 123456
service-type telnet
level 3
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/0.1
ip address 192.168.10.1 255.255.255.0
ip relay address 192.168.1.188
dhcp select relay
vlan-type dot1q vid 10
#
interface Ethernet0/0.2
ip address 192.168.20.1 255.255.255.0
ip relay address 192.168.1.188
dhcp select relay
vlan-type dot1q vid 20
#
interface Ethernet0/0.3
ip address 192.168.1.1 255.255.255.0
vlan-type dot1q vid 30
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/0.1
add interface Ethernet0/0.2
add interface Ethernet0/0.3
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Summary