Priority Control (Tunnel Interfaces)

Network diagram: priority control (tunnel interfaces)

Topology

The network joins three sites: one RTX-1500 (1) at the head office and two RTX-1500 units, RTX-1500 (2) and RTX-1500 (3), at the branch sites.
The WAN line of the head-office RTX-1500 (1) is an Ethernet line contracted at 10 Mbit/s; the WAN lines of the branch routers RTX-1500 (2) and RTX-1500 (3) are PPPoE lines.

QoS Design Considerations

In this network the important services are the traffic between the core business servers and their clients, and VoIP telephony.
The bandwidth each uses is roughly 500 kbit/s per client for the core business service and roughly 1 Mbit/s for the VoIP service.
Because the high-priority services need comparatively little bandwidth, priority control (rather than bandwidth control) is the chosen method.

Configuration Examples

RTX1500(1)

Only the relevant portion of the configuration is excerpted below.


Route settings (default gateway):
  ip route default gateway pp 1
  ip route 172.16.2.0/24 gateway tunnel 1
  ip route 172.16.3.0/24 gateway tunnel 2
Filter settings:
  ip filter source-route on
  ip filter directed-broadcast on
LAN-side interface IP address:
  ip lan1 address 172.16.1.1/24
Transmit bandwidth:
  speed lan2 10m
Queue settings:
  queue lan2 type priority
WAN interface settings:
  pp select 1
  pp always-on on
  queue pp class filter list 1 2 3 (※1)
  pppoe use lan2
  pp auth accept pap chap
  pp auth myname (connection ID) (password)
  ppp lcp mru on 1454
  ppp ipcp msext on
  ip pp address (fixed IP address 1)
  ip pp mtu 1454
  ip pp secure filter in 1020 1030 1040 1041 1042 1043 2000
  ip pp secure filter out 1010 1011 1012 1013 1014 1015 3000 dynamic 100 101 102 103 104 105 106
  ip pp nat descriptor 1
  pp enable 1
Tunnel interface settings:
  tunnel select 1
  ipsec tunnel 101
  ipsec sa policy 101 1 esp 3des-cbc md5-hmac anti-replay-check=off (※2)
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 172.16.1.1
  ipsec ike pre-shared-key 1 text (password)
  ipsec ike remote address 1 (fixed IP address 2)
  queue tunnel class filter list 4 5 6
  tunnel enable 1
  tunnel select 2
  ipsec tunnel 102
  ipsec sa policy 102 2 esp 3des-cbc md5-hmac anti-replay-check=off (※2)
  ipsec ike keepalive use 2 on
  ipsec ike local address 2 172.16.1.1
  ipsec ike pre-shared-key 2 text (password)
  ipsec ike remote address 2 (fixed IP address 3)
  queue tunnel class filter list 4 5 6
  tunnel enable 2
Filter settings:
  ip filter 1010 reject * * udp,tcp 135 *
  ip filter 1011 reject * * udp,tcp * 135
  ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
  ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
  ip filter 1014 reject * * udp,tcp 445 *
  ip filter 1015 reject * * udp,tcp * 445
  ip filter 1020 reject 172.16.1.0/24 *
  ip filter 1030 pass * 172.16.1.0/24 icmp
  ip filter 1040 pass (fixed IP address 2) * udp * 500
  ip filter 1041 pass (fixed IP address 2) * esp
  ip filter 1042 pass (fixed IP address 3) * udp * 500
  ip filter 1043 pass (fixed IP address 3) * esp
  ip filter 2000 reject * *
  ip filter 3000 pass * *
  ip filter dynamic 100 * * ftp
  ip filter dynamic 101 * * www
  ip filter dynamic 102 * * domain
  ip filter dynamic 103 * * smtp
  ip filter dynamic 104 * * pop3
  ip filter dynamic 105 * * tcp
  ip filter dynamic 106 * * udp
NAT settings:
  nat descriptor type 1 masquerade
  nat descriptor address outer 1 (fixed IP address 1)
  nat descriptor masquerade static 1 1 172.16.1.1 udp 500
  nat descriptor masquerade static 1 2 172.16.1.1 esp
VPN (IPsec) settings:
  ipsec auto refresh on
Queue settings (class filter definitions for prioritized packets):
  queue class filter 1 4 ip * * udp * 500
  queue class filter 2 3 ip * * esp
  queue class filter 3 2 ip * *
  queue class filter 4 4 ip (core server address) *
  queue class filter 5 4 ip (VoIP terminal address) *
  queue class filter 6 2 ip * *
DNS settings:
  dns server (DNS server IP address)
  dns private address spoof on

※ Even with QoS configured on the router, packet loss and delay can still occur because of congestion on the Internet.
※1 Gives priority to the IPsec tunnel's control packets (IKE on UDP port 500, and ESP).
※2 Sequence-number (anti-replay) checking is disabled for IPsec packets: priority queueing can deliver packets out of sequence order, and with the check enabled the receiver would discard them.
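To make the design choice in the QoS section (priority control for the small, high-priority flows) and note ※2 concrete, here is an added example; it is not code from Yamaha or from this page. It models the strict-priority tunnel queue defined by "queue tunnel class filter list 4 5 6" on RTX-1500 (1) and the receiving peer's ESP anti-replay window, then counts how many packets the receiver would drop with the check on versus off. The core-server and VoIP-terminal addresses, the 64-packet window size, and the assumption that ESP sequence numbers are assigned before the queue reorders packets are all constructed for this model.

```python
# Added example (not from Yamaha's page or firmware): a model of the
# strict-priority tunnel queue configured above and of the ESP anti-replay
# window at the receiving peer, to show why anti-replay-check=off is set
# when priority control is applied on the tunnel.
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    seq: int = 0  # ESP sequence number given at encapsulation


# Constructed placeholder addresses standing in for the page's
# "(core server address)" and "(VoIP terminal address)" entries.
CORE_SERVER = "172.16.1.10"
VOIP_TERMINAL = "172.16.1.20"

# Model of 'queue tunnel class filter list 4 5 6' on RTX-1500 (1):
# (class, source match, destination match); first match wins, '*' is any.
TUNNEL_CLASS_FILTERS = [
    (4, CORE_SERVER, "*"),    # queue class filter 4 4 ip (core server) *
    (4, VOIP_TERMINAL, "*"),  # queue class filter 5 4 ip (VoIP terminal) *
    (2, "*", "*"),            # queue class filter 6 2 ip * *
]


def classify(pkt, filters=TUNNEL_CLASS_FILTERS):
    """Return the priority class of pkt; a larger class number is served first."""
    for cls, src, dst in filters:
        if src in ("*", pkt.src) and dst in ("*", pkt.dst):
            return cls
    return 2  # assumed default class when nothing matches


class PriorityScheduler:
    """Strict priority: always dequeue from the highest non-empty class."""

    def __init__(self):
        self.queues = {}

    def enqueue(self, pkt, cls):
        self.queues.setdefault(cls, deque()).append(pkt)

    def dequeue(self):
        for cls in sorted(self.queues, reverse=True):
            if self.queues[cls]:
                return self.queues[cls].popleft()
        return None


class AntiReplayWindow:
    """Receiver-side sliding window as described in RFC 4303 section 3.4.3.
    The window size of 64 is an assumption; the page does not state a value."""

    def __init__(self, size=64, enabled=True):
        self.size, self.enabled = size, enabled
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set means sequence number (top - i) was seen

    def accept(self, seq):
        if not self.enabled:
            return True  # anti-replay-check=off: every packet is accepted
        if seq > self.top:  # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size or (self.bitmap >> behind) & 1:
            return False  # fell out of the window, or a replayed duplicate
        self.bitmap |= 1 << behind
        return True


def simulate(anti_replay_check, bulk_packets=10, voip_packets=100):
    """Return (accepted, dropped, wire_order) for one congested interval.

    Modelling assumption: the ESP sequence number is assigned when a packet
    enters the tunnel, before the priority queue reorders it on the way out.
    """
    sched, seq = PriorityScheduler(), 0
    # Constructed traffic: a bulk transfer from an ordinary LAN host enters the
    # tunnel first, then VoIP packets arrive while the WAN link is still busy.
    traffic = [Packet("172.16.1.50", "172.16.2.50", "tcp") for _ in range(bulk_packets)]
    traffic += [Packet(VOIP_TERMINAL, "172.16.2.20", "udp") for _ in range(voip_packets)]
    for pkt in traffic:
        seq += 1
        pkt.seq = seq
        sched.enqueue(pkt, classify(pkt))
    window = AntiReplayWindow(enabled=anti_replay_check)
    accepted = dropped = 0
    wire_order = []
    while (pkt := sched.dequeue()) is not None:
        wire_order.append(pkt.seq)
        if window.accept(pkt.seq):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, wire_order


if __name__ == "__main__":
    for check in (True, False):
        acc, drop, order = simulate(check)
        print(f"anti-replay check {'on ' if check else 'off'}: accepted={acc} "
              f"dropped={drop} first on wire={order[:3]} last={order[-3:]}")
```

Running it shows the 100 VoIP packets leaving first and the 10 queued bulk packets then arriving more than 64 sequence numbers behind the newest one, so they are dropped while the check is on and accepted once it is off, which is what anti-replay-check=off buys. If fewer than 64 higher-priority packets overtake a packet it still lands inside the window, so the loss only shows up under real congestion. The price of turning the check off is that a replayed ESP packet is no longer rejected at the IPsec layer, so the protocols carried inside the tunnel have to tolerate duplicates on their own.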

RTX1500(2)

Only the relevant portion of the configuration is excerpted below.


Route settings (default gateway):
  ip route default gateway pp 1
  ip route 172.16.1.0/24 gateway tunnel 1
Filter settings:
  ip filter source-route on
  ip filter directed-broadcast on
LAN-side interface IP address:
  ip lan1 address 172.16.2.1/24
Transmit bandwidth:
  speed lan2 10m
Queue settings:
  queue lan2 type priority
WAN interface settings:
  pp select 1
  pp always-on on
  queue pp class filter list 1 2 3 (※1)
  pppoe use lan2
  pp auth accept pap chap
  pp auth myname (connection ID) (password)
  ppp lcp mru on 1454
  ppp ipcp msext on
  ip pp address (fixed IP address 2)
  ip pp mtu 1454
  ip pp secure filter in 1020 1030 1040 1041 2000
  ip pp secure filter out 1010 1011 1012 1013 1014 1015 3000 dynamic 100 101 102 103 104 105 106
  ip pp nat descriptor 1
  pp enable 1
Tunnel interface settings:
  tunnel select 1
  ipsec tunnel 101
  ipsec sa policy 101 1 esp 3des-cbc md5-hmac anti-replay-check=off (※2)
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 172.16.2.1
  ipsec ike pre-shared-key 1 text (password)
  ipsec ike remote address 1 (fixed IP address 1)
  queue tunnel class filter list 4 5 6
  tunnel enable 1
Filter settings:
  ip filter 1010 reject * * udp,tcp 135 *
  ip filter 1011 reject * * udp,tcp * 135
  ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
  ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
  ip filter 1014 reject * * udp,tcp 445 *
  ip filter 1015 reject * * udp,tcp * 445
  ip filter 1020 reject 172.16.2.0/24 *
  ip filter 1030 pass * 172.16.2.0/24 icmp
  ip filter 1040 pass (fixed IP address 1) * udp * 500
  ip filter 1041 pass (fixed IP address 1) * esp
  ip filter 2000 reject * *
  ip filter 3000 pass * *
  ip filter dynamic 100 * * ftp
  ip filter dynamic 101 * * www
  ip filter dynamic 102 * * domain
  ip filter dynamic 103 * * smtp
  ip filter dynamic 104 * * pop3
  ip filter dynamic 105 * * tcp
  ip filter dynamic 106 * * udp
NAT settings:
  nat descriptor type 1 masquerade
  nat descriptor address outer 1 (fixed IP address 2)
  nat descriptor masquerade static 1 1 172.16.2.1 udp 500
  nat descriptor masquerade static 1 2 172.16.2.1 esp
VPN (IPsec) settings:
  ipsec auto refresh on
Queue settings (class filter definitions for prioritized packets):
  queue class filter 1 4 ip * * udp * 500
  queue class filter 2 3 ip * * esp
  queue class filter 3 2 ip * *
  queue class filter 4 4 ip * (core server address)
  queue class filter 5 4 ip * (VoIP terminal address)
  queue class filter 6 2 ip * *
DNS settings:
  dns server (DNS server IP address)
  dns private address spoof on

※ Even with QoS configured on the router, packet loss and delay can still occur because of congestion on the Internet.
※1 Gives priority to the IPsec tunnel's control packets (IKE on UDP port 500, and ESP).
※2 Sequence-number (anti-replay) checking is disabled for IPsec packets: priority queueing can deliver packets out of sequence order, and with the check enabled the receiver would discard them.

RTX1500(3)

Only the relevant portion of the configuration is excerpted below.


Route settings (default gateway):
  ip route default gateway pp 1
  ip route 172.16.1.0/24 gateway tunnel 1
Filter settings:
  ip filter source-route on
  ip filter directed-broadcast on
LAN-side interface IP address:
  ip lan1 address 172.16.3.1/24
Transmit bandwidth:
  speed lan2 10m
Queue settings:
  queue lan2 type priority
WAN interface settings:
  pp select 1
  pp always-on on
  queue pp class filter list 1 2 3 (※1)
  pppoe use lan2
  pp auth accept pap chap
  pp auth myname (connection ID) (password)
  ppp lcp mru on 1454
  ppp ipcp msext on
  ip pp address (fixed IP address 3)
  ip pp mtu 1454
  ip pp secure filter in 1020 1030 1040 1041 2000
  ip pp secure filter out 1010 1011 1012 1013 1014 1015 3000 dynamic 100 101 102 103 104 105 106
  ip pp nat descriptor 1
  pp enable 1
Tunnel interface settings:
  tunnel select 1
  ipsec tunnel 101
  ipsec sa policy 101 1 esp 3des-cbc md5-hmac anti-replay-check=off (※2)
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 172.16.3.1
  ipsec ike pre-shared-key 1 text (password)
  ipsec ike remote address 1 (fixed IP address 1)
  queue tunnel class filter list 4 5 6
  tunnel enable 1
Filter settings:
  ip filter 1010 reject * * udp,tcp 135 *
  ip filter 1011 reject * * udp,tcp * 135
  ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
  ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
  ip filter 1014 reject * * udp,tcp 445 *
  ip filter 1015 reject * * udp,tcp * 445
  ip filter 1020 reject 172.16.3.0/24 *
  ip filter 1030 pass * 172.16.3.0/24 icmp
  ip filter 1040 pass (fixed IP address 1) * udp * 500
  ip filter 1041 pass (fixed IP address 1) * esp
  ip filter 2000 reject * *
  ip filter 3000 pass * *
  ip filter dynamic 100 * * ftp
  ip filter dynamic 101 * * www
  ip filter dynamic 102 * * domain
  ip filter dynamic 103 * * smtp
  ip filter dynamic 104 * * pop3
  ip filter dynamic 105 * * tcp
  ip filter dynamic 106 * * udp
NAT settings:
  nat descriptor type 1 masquerade
  nat descriptor address outer 1 (fixed IP address 3)
  nat descriptor masquerade static 1 1 172.16.3.1 udp 500
  nat descriptor masquerade static 1 2 172.16.3.1 esp
VPN (IPsec) settings:
  ipsec auto refresh on
Queue settings (class filter definitions for prioritized packets):
  queue class filter 1 4 ip * * udp * 500
  queue class filter 2 3 ip * * esp
  queue class filter 3 2 ip * *
  queue class filter 4 4 ip * (core server address)
  queue class filter 5 4 ip * (VoIP terminal address)
  queue class filter 6 2 ip * *
DNS settings:
  dns server (DNS server IP address)
  dns private address spoof on

※ Even with QoS configured on the router, packet loss and delay can still occur because of congestion on the Internet.
※1 Gives priority to the IPsec tunnel's control packets (IKE on UDP port 500, and ESP).
※2 Sequence-number (anti-replay) checking is disabled for IPsec packets: priority queueing can deliver packets out of sequence order, and with the check enabled the receiver would discard them.
