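An IPSec VPN is established between the branch office (AR1830) and headquarters (R3640). In real deployments the AR18xx usually reaches the Internet as a PPPoE client, and its dial-up interface (the Dialer interface) obtains its IP address dynamically from the PPPoE server. As a result, the IPSec VPN between the PPPoE client (the branch) and headquarters (which has a fixed public IP address) can only be set up through IKE auto-negotiation. In addition, to use network resources effectively, QoS is enabled on the uplink ADSL interface to guarantee bandwidth for the important data carried over the IPSec VPN.
Goal: enable QoS on the IPSec VPN of the AR1830. Traffic sent from PC1 is defined as Gold (precedence 5) and must be guaranteed at least 50% of the ADSL bandwidth; traffic sent from PC2 is defined as multimedia (precedence 3) and must be guaranteed at least 20% of the ADSL bandwidth; network management traffic (precedence 7) must be guaranteed 10% of the bandwidth. When the network is not busy, each flow may exceed the bandwidth defined for it.
Implementation: first, on the Ethernet ingress interface, identify the Gold and Multimedia traffic and mark it with IP precedence. For network management traffic, configure a classifier that matches packets whose source address is the Lo0 interface, then on the uplink (ADSL) interface configure CAR to mark IP precedence and also configure an EF queue to guarantee priority forwarding. For the Multimedia and Gold flows that were marked with IP precedence at the Ethernet ingress, configure AF queues on the uplink to guarantee bandwidth. One point to note: on the egress interface, bandwidth can be configured either entirely as percentages or entirely as absolute values; it cannot be configured as a mix of percentages and absolute values as the customer requested (for example 25%/25%/16K). You therefore need to know the uplink bandwidth in advance, work out the figures yourself, and then decide whether to configure percentages or absolute values.
In addition, according to international standards, the QoS bandwidth of an ADSL interface is always 640bps.
Network diagram: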

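Notes
1. QoS CBQ can only be applied under a PVC of the ATM interface; it cannot be applied directly to the ATM interface or the Dialer interface.
Detailed configuration
Note: in the test, the headquarters router R3640 is connected directly to the AR4640 through Ethernet port E2/0.
AR1830 (branch) configuration: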
#
sysname Router
#
ike local-name fenbu
#
dialer-rule 1 ip permit
#
ike peer zongbu
 exchange-mode aggressive
 pre-shared-key fenbu
 id-type name
 remote-name zongbu
 remote-address 162.105.66.36
 nat traversal
#
ipsec proposal fenbu
#
ipsec policy map1 1 isakmp
 security acl 3000
 ike-peer zongbu
 proposal fenbu
#
interface Dialer1
 link-protocol ppp
 mtu 1450
 ip address ppp-negotiate
 dialer user test
 dialer-group 1
 dialer bundle 1
 ipsec policy map1
#
interface Ethernet1/0
 ip address 202.150.1.31 255.255.255.0
#
interface Atm2/0
#
interface Atm2/0.1 p2p
 pvc 4/33
 map bridge Virtual-Ethernet1
#
interface Virtual-Ethernet1
 pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 202.150.0.0 0.0.255.255 destination 202.150.0.0 0.0.255.255
 rule 1 deny ip
acl number 3001
 rule 0 deny ip destination 202.150.0.0 0.0.255.255
 rule 1 permit ip
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
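The following is an added example, not part of the original page or of any vendor tooling: a Python check that parses a configuration like the AR1830 one above (including text whose indentation has been lost) and flags settings to review before deployment, namely aggressive-mode IKE with a pre-shared key, a key equal to an IKE identity name, an ipsec proposal left on platform defaults, and VTY login without authentication. The function names, the HEADERS list and the SAMPLE excerpt are assumptions constructed for illustration.

```python
# SAMPLE is a constructed excerpt of the AR1830 configuration shown above.
SAMPLE = """ike local-name fenbu
#
ike peer zongbu
exchange-mode aggressive
pre-shared-key fenbu
remote-name zongbu
#
ipsec proposal fenbu
#
user-interface con 0
user-interface vty 0 4
authentication-mode none
"""
# Assumed list of headers that can follow another section without a '#' line.
HEADERS = ("ike peer ", "ipsec proposal ", "interface ", "acl number ", "user-interface ")

def parse_sections(text):
    """Group commands into [header, [sub-commands]]; tolerates lost indentation."""
    sections, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "#":
            current = None
        elif current is None or line.startswith(HEADERS):
            current = [line, []]
            sections.append(current)
        else:
            current[1].append(line)
    return sections

def audit(text):
    """Return (section, finding) pairs for settings a reviewer should question."""
    sections = parse_sections(text)
    # Identity names are sent unencrypted in aggressive mode; a key equal to one is guessable.
    names = {c.split()[-1] for h, b in sections for c in [h, *b]
             if c.startswith(("ike local-name ", "remote-name "))}
    out = []
    for header, body in sections:
        if header.startswith("ike peer "):
            keys = [c.split()[-1] for c in body if c.startswith("pre-shared-key ")]
            if "exchange-mode aggressive" in body and keys:
                out.append((header, "aggressive mode with a pre-shared key"))
            if any(k in names for k in keys):
                out.append((header, "pre-shared key equals an IKE identity name"))
        elif header.startswith("ipsec proposal ") and not body:
            out.append((header, "no algorithms set; platform defaults apply"))
        elif header.startswith("user-interface vty") and "authentication-mode none" in body:
            out.append((header, "remote login without authentication"))
    return out
```

Calling `audit(SAMPLE)` returns four findings; the same function can be run over the full text of either router's configuration.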
R3640 (headquarters) configuration:
#
sysname Router
#
ike local-name zongbu
#
ike peer fenbu
 exchange-mode aggressive
 pre-shared-key fenbu
 id-type name
 remote-name fenbu
 remote-address 1.0.0.0 255.255.255.254
 nat traversal
#
ipsec proposal zongbu
#
ipsec policy map1 1 isakmp
 security acl 3000
 ike-peer fenbu
 proposal zongbu
#
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0