常见业务配置-省网.doc

此文档收集于网络，如有侵权，请联系网站删除常见业务配置目录(一)地市网段增加（BR已有配置）2(二)地市网段增加（BR无配置）3(三)回收110.125.192.0/18网段7(四)省网交换机下联业务网段增加13(五)新增VRRP业务（下联配置链路聚合）14(六)LDP md5配置20(七)湖东2台S8505扩容上联，从1G变2G，做链路捆绑22(八)福州BR为PPCache配置3*GE（链路捆绑）30(九)Log记录操作命令32(十)闽会113网段倒到金桥32(十一)马尾R2上静态、直连路由过滤重分布到OSPF33(十二)CMNET SIG接入（MPLS L3 VPN）配置34(十三)漳州发布112.5.72.0/2138(十四)NTP配置42(十五)三明AR增加策略路由44(十六)铁通链路扩容44(十七)厦门NE5000E-1端口镜像配置例46(十八)2010-9-20 CMNET泉州网段回程调整47(十九)2010-9-20 三明更换用于做NAT转换的防火墙48(二十)2010-9-26一厂BR到M320扩容2. 5G49(二十一)时域配置52(二十二)2010-10-19福州金山2台C6509增加接口状态变化在LOG体现53(二十三)链路捆绑IP-TRUNK配置注意事宜53(二十四)G3接入福州一厂2台S850554(二十五)盐业马尾调试57(二十六)莆田ME60入网75(二十七)各地市AR对PE的IP做重分布（实施VPN用）76(二十八)扩容10G铁通链路80(二十九)福建CMNET第三方出口省网侧应急倒换测试报告81(三十)通过一厂BR盘挂的F5000做NAT转换81(三十一)绿盟DDOS FOR misc83(三十二)路由重分布到OSPF84(三十三)SNMP trap配置86(三十四)华为8505交换机的千兆点口板使用注意点86(三十五)Netstream板配置86(三十六)华为防尘网处理89(三十七)马尾帝联CDN扩容2*GE91(三十八)龙岩旁挂防火墙配合93(三十九)配合4A打通MDCN旧网102(四十)一厂DNS 211.138.151.161故障应急103(四十一)厦门MA5200G故障应急104(四十二)集团工单，封堵网站105(四十三)MDCN新网新增2层VPN107(四十四)SSH登陆配置108(四十五)视频监控二期VPN部分109(四十六)闽会部分资源引入CMNET配合115(四十七)VIP网段增加注意点139(四十八)CMNET部分移动VIP网段倒回自有普通网段145(四十九)容忽略部分148(一) 地市网段增加（BR已有配置）配置要求：在CMNET厦门新网2台AR发布110.125.255.0/24路由供其使用1、配置内容：ip route-static 110.125.255.0 255.255.255.0 NULL0 preference 250 （管理距离250，由ME60通过OSPF 发布为150的路由时，将OSPF更优选）bgp 64840ipv4-family unicast network 110.125.255.0 255.255.255.02、校验，该C段为2台厦门AR发布：dispiprouting-table110.125.255.1verboseRoutingTable:PublicSummaryCount:2Destination:110.125.255.0/24Protocol:BGPProcessID:0Preference:255Cost:0NextHop:218.207.223.214Neighbour:218.207.223.214State:InactiveAdvGotQAge:00h00m22sTag:0Priority:0Label:NULLQoSInfo:0x0RelayNextHop:218.207.222.82Interface:Eth-Trunk12TunnelID:0x0Flags:RDestination:110.125.255.0/24Protocol:BGPProcessID:0Preference:255Cost:0NextHop:218.207.223.215Neighbour:218.207.223.215State:ActiveAdvGotQAge:00h00m15sTag:0Priority:0Label:NULLQoSInfo:0x0RelayNextHop:218.207.222.82Interface:Eth-Trunk12TunnelID:0x0Flags:RD(二) 地市网段增加（BR无配置）1） 新增移动自有网段，增加183.250.0.0-183.251.255.255移动自有地址，增加183.250.0.0-183.251.255.255一厂BR:acl number 3000 rule 185 permit ip destination 183.250.0.0 0.0.255.255 rule 190 permit ip destination 183.251.0.0 0.0.255.255acl number 3001 rule 240 permit ip source 183.250.0.0 0.0.255.255 rule 241 permit ip source 183.251.0.0 0.0.255.255acl number 3010 rule 145 permit ip source 183.250.0.0 0.0.255.255 rule 150 permit ip source 183.251.0.0 0.0.255.255bgp 64840 ipv4-family unicast network 183.250.0.0 255.255.0.0 network 183.251.0.0 255.255.0.0ip ip-prefix EBGP_EXPORT_M index 70 permit 183.250.0.0 16 greater-equal 16 less-equal 16ip ip-prefix EBGP_EXPORT_S index 80 permit 183.251.0.0 16 greater-equal 16 less-equal 16ip route-static 183.250.0.0 255.255.0.0 NULL0ip route-static 183.251.0.0 255.255.0.0 NULL0厦门BR:acl number 3000 rule 185 permit ip destination 183.250.0.0 0.0.255.255 rule 190 permit ip destination 183.251.0.0 0.0.255.255acl number 3001 rule 240 permit ip source 183.250.0.0 0.0.255.255 rule 241 permit ip source 183.251.0.0 0.0.255.255acl number 3010 rule 145 permit ip source 183.250.0.0 0.0.255.255 rule 150 permit ip source 183.251.0.0 0.0.255.255bgp 64840 ipv4-family unicast network 183.250.0.0 255.255.0.0 network 183.251.0.0 255.255.0.0 ip ip-prefix EBGP_EXPORT_S index 70 permit 183.250.0.0 16 greater-equal 16 less-equal 16ip ip-prefix EBGP_EXPORT_M index 80 permit 183.251.0.0 16 greater-equal 16 less-equal 16ip route-static 183.250.0.0 255.255.0.0 NULL0ip route-static 183.251.0.0 255.255.0.0 NULL0一厂M320-2：set policy-options policy-statement GBNC-to-FJCmnet term deny-GBNC from route-filter 183.250.0.0/16 orlongerset policy-options policy-statement to-fjcmnet term deny-minhui from route-filter 183.250.0.0/16 orlongerset firewall filter cmnet_in term accept-action from destination-address 183.250.0.0/16set firewall filter minhui term accept-action from destination-address 183.250.0.0/16set firewall filter M320-1_in term accept-action from destination-address 183.250.0.0/16set firewall filter chinanet-to-cmnet term deny-source-FJIP from source-address 183.250.0.0/16set firewall filter tietong-in term deny-source-FJIP from source-address 183.250.0.0/16set policy-options policy-statement GBNC-to-FJCmnet term deny-GBNC from route-filter 183.251.0.0/16 orlongerset policy-options policy-statement to-fjcmnet term deny-minhui from route-filter 183.251.0.0/16 orlongerset firewall filter cmnet_in term accept-action from destination-address 183.251.0.0/16set firewall filter minhui term accept-action from destination-address 183.251.0.0/16set firewall filter M320-1_in term accept-action from destination-address 183.251.0.0/16set firewall filter chinanet-to-cmnet term deny-source-FJIP from source-address 183.251.0.0/16set firewall filter tietong-in term deny-source-FJIP from source-address 183.251.0.0/16一厂M320-1：set policy-options policy-statement GBNC-to-FJCmnet term deny-GBNC from route-filter 183.250.0.0/16 orlongerset firewall filter chinanet-to-cmnet term accept-action from destination-address 183.250.0.0/16set firewall filter cmnet_in term accept-action from destination-address 183.250.0.0/16set firewall filter minhui term accept-action from destination-address 183.250.0.0/16set firewall filter GreatPower term accept-action from destination-address 183.250.0.0/16set firewall filter M320-2_in term accept-action from destination-address 183.250.0.0/16set firewall filter GBNC-TO-CMNET term deny-source-FJIP from source-address 183.250.0.0/16set policy-options policy-statement GBNC-to-FJCmnet term deny-GBNC from route-filter 183.251.0.0/16 orlongerset firewall filter chinanet-to-cmnet term accept-action from destination-address 183.251.0.0/16set firewall filter cmnet_in term accept-action from destination-address 183.251.0.0/16set firewall filter minhui term accept-action from destination-address 183.251.0.0/16set firewall filter GreatPower term accept-action from destination-address 183.251.0.0/16set firewall filter M320-2_in term accept-action from destination-address 183.251.0.0/16set firewall filter GBNC-TO-CMNET term deny-source-FJIP from source-address 183.251.0.0/16宁德 2台AR：ip route-static 183.250.8.0 255.255.254.0 NULL0 preference 250bgp 64840ipv4-family unicastnetwork 183.250.8.0 255.255.254.02）福州城域网新增铁通网段111.142.96.0/22.一厂 BR:acl number 3000 rule 135 permit ip destination 111.142.96.0 0.0.3.255acl number 3003 rule 40 permit ip source 111.142.96.0 0.0.3.255厦门BR:acl number 3000 rule 135 permit ip destination 111.142.96.0 0.0.3.255acl number 3003 rule 40 permit ip source 111.142.96.0 0.0.3.255一厂M320-1：set firewall filter cmnet_in term accept-action from destination-address 111.142.0.0/16set firewall filter cmnet_in term accept-action from destination-address 111.143.0.0/16一厂M320-2:set firewall filter cmnet_in term accept-action from destination-address 111.142.0.0/16set firewall filter cmnet_in term accept-action from destination-address 111.143.0.0/16set firewall filter cmnet_in term TieTong from source-address 111.142.0.0/16set firewall filter cmnet_in term TieTong from source-address 111.143.0.0/16set firewall filter M320-1_in term accept-action from destination-address 111.142.0.0/16set firewall filter M320-1_in term accept-action from destination-address 111.143.0.0/16set firewall filter M320-1_in term TieTong from source-address 111.142.0.0/16set firewall filter M320-1_in term TieTong from source-address 111.143.0.0/16福州AR1:ip route-static 111.142.96.0 255.255.252.0 NULL0 preference 250bgp 64840ipv4-family unicast network 111.142.96.0 255.255.252.0福州AR2:ip route-static 111.142.96.0 255.255.252.0 NULL0 preference 250bgp 64840ipv4-family unicast network 111.142.96.0 255.255.252.0校验：FJFZ-PB-CMNet-RT01-NE5000Edisp ip routing-table 111.142.96.0 22 verbose Routing Table : PublicSummary Count : 2Destination: 111.142.96.0/22 Protocol: BGP Process ID: 0 Preference: 255 Cost: 0 NextHop: 218.207.223.212 Neighbour: 218.207.223.212 State: Active Adv GotQ Age: 00h00m26s Tag: 0 Priority: 0 Label: NULL QoSInfo: 0x0 RelayNextHop: 218.207.222.10 Interface: Eth-Trunk11 TunnelID: 0x0 Flags: RDDestination: 111.142.96.0/22 Protocol: BGP Process ID: 0 Preference: 255 Cost: 0 NextHop: 218.207.223.213 Neighbour: 218.207.223.213 State: Inactive Adv GotQ Age: 00h00m19s Tag: 0 Priority: 0 Label: NULL QoSInfo: 0x0 RelayNextHop: 218.207.222.10 Interface: Eth-Trunk11 TunnelID: 0x0 Flags: R(三) 回收110.125.192.0/18网段要求回收110.125.192.0/18网段 110.125.192.0/19 BGP 255 0 RD 218.207.223.220 Ip-Trunk15 110.125.224.0/20 BGP 255 0 RD 218.207.223.220 Ip-Trunk15 110.125.240.0/21 BGP 255 0 RD 218.207.223.218 Ip-Trunk14 110.125.248.0/22 BGP 255 0 RD 218.207.223.218 Ip-Trunk14 110.125.252.0/22 BGP 255 0 RD 218.207.223.214 Ip-Trunk12配置：泉州AR1、AR2：undo ip route-static 110.125.192.0 255.255.224.0 NULL0undo ip route-static 110.125.224.0 255.255.240.0 NULL0bgp 64840ipv4-family unicastundo network 110.125.192.0 255.255.224.0undo network 110.125.224.0 255.255.240.0莆田AR1、AR2：undo ip route-static 110.125.240.0 255.255.248.0 NULL0undo ip route-static 110.125.248.0 255.255.252.0 NULL0bgp 64840ipv4-family unicastundo network 110.125.240.0 255.255.248.0undo network 110.125.248.0 255.255.252.0厦门2台AR:undo ip route-static 110.125.252.0 255.255.252.0 NULL0bgp 64840ipv4-family unicastundo network 110.125.252.0 255.255.252.0一厂BR:原有数据：acl number 3000rule 100 permit ip destination 110.125.240.0 0.0.7.255 rule 105 permit ip destination 110.125.248.0 0.0.7.255 rule 110 permit ip destination 110.125.192.0 0.0.31.255 rule 115 permit ip destination 110.125.224.0 0.0.15.255acl number 3003 description FJIP-TieTong rule 15 permit ip source 110.125.192.0 0.0.31.255 rule 20 permit ip source 110.125.224.0 0.0.15.255rule 50 permit ip source 110.125.248.0 0.0.3.255 rule 55 permit ip source 110.125.254.0 0.0.1.255 rule 60 permit ip source 110.125.242.0 0.0.1.255 rule 65 permit ip source 110.125.244.0 0.0.3.255acl number 3005rule 2 permit ip source 110.125.252.0 0.0.1.255rule 4 permit ip source 110.125.240.0 0.0.1.255acl number 3009rule 2 permit ip destination 110.125.240.0 0.0.1.255 rule 3 permit ip destination 110.125.248.0 0.0.0.255acl number 3010rule 100 permit ip source 110.125.240.0 0.0.7.255 rule 105 permit ip source 110.125.248.0 0.0.7.255 rule 110 permit ip source 110.125.192.0 0.0.31.25 rule 115 permit ip source 110.125.224.0 0.0.15.25acl number 3011 description src-dst-CMCC rule 200 permit ip source 110.125.192.0 0.0.63.255 destination 211.103.0.0 0.0.127.255 rule 201 permit ip source 110.125.192.0 0.0.63.255 destination 211.136.0.0 0.3.255.255 rule 202 permit ip source 110.125.192.0 0.0.63.255 destination 211.136.0.0 0.1.255.255 rule 203 permit ip source 110.125.192.0 0.0.63.255 destination 211.142.0.0 0.1.255.255 rule 204 permit ip source 110.125.192.0 0.0.63.255 destination 218.200.0.0 0.3.255.255 rule 205 permit ip source 110.125.192.0 0.0.63.255 destination 218.204.0.0 0.1.255.255 rule 206 permit ip source 110.125.192.0 0.0.63.255 destination 218.206.0.0 0.1.255.255 rule 207 permit ip source 110.125.192.0 0.0.63.255 destination 221.130.0.0 0.1.255.255 rule 208 permit ip source 110.125.192.0 0.0.63.255 destination 221.176.0.0 0.7.255.255 rule 209 permit ip source 110.125.192.0 0.0.63.255 destination 117.128.0.0 0.63.255.255 rule 210 permit ip source 110.125.192.0 0.0.63.255 destination 120.192.0.0 0.63.255.255 rule 211 permit ip source 110.125.192.0 0.0.63.255 destination 112.0.0.0 0.63.255.255 rule 212 permit ip source 110.125.192.0 0.0.63.255 destination 111.0.0.0 0.63.255.255 rule 213 permit ip source 110.125.192.0 0.0.63.255 destination 183.192.0.0 0.63.255.255删除配置：acl number 3000undo rule 100undo rule 105undo rule 110undo rule 115acl number 3003undo rule 15undo rule 20undo rule 50undo rule 55undo rule 60undo rule 65acl number 3005undo rule 2undo rule 4acl number 3009undo rule 2undo rule 3acl number 3010undo rule 100undo rule 105undo rule 110undo rule 115acl number 3011undo rule 200undo rule 201undo rule 202undo rule 203undo rule 204undo rule 205undo rule 206undo rule 207undo rule 208undo rule 209undo rule 210undo rule 211undo rule 212undo rule 213厦门BR:原有配置：acl number 3000rule 100 permit ip destination 110.125.240.0 0.0.7.255 rule 105 permit ip destination 110.125.248.0 0.0.7.255 rule 110 permit ip destination 110.125.192.0 0.0.31.255 rule 115 permit ip destination 110.125.224.0 0.0.15.255acl number 3003rule 5 permit ip source 110.125.240.0 0.0.7.255 rule 10 permit ip source 110.125.248.0 0.0.7.255 rule 15 permit ip source 110.125.192.0 0.0.31.255 rule 20 permit ip source 110.125.224.0 0.0.15.255acl number 3010rule 100 permit ip source 110.125.240.0 0.0.7.255 rule 105 permit ip source 110.125.248.0 0.0.7.255 rule 110 permit ip source 110.125.192.0 0.0.31.25 rule 115 permit ip source 110.125.224.0 0.0.15.25删除配置：acl number 3000undo rule 100undo rule 105undo rule 110undo rule 115acl number 3003undo rule 5 undo rule 10undo rule 15undo rule 20acl number 3010undo rule 100undo rule 105undo rule 110undo rule 115一厂M320-1：telthinkFJFZ-PI-CMNet-BG01-RE0-M320# show | compare rollback 1 edit firewall filter chinanet-to-cmnet term accept-action from destination-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter cmnet_in term accept-action from destination-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter cmnet_in term TieTong from source-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter minhui term accept-action from destination-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter minhui term TieTong from source-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter GreatPower term accept-action from destination-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter GreatPower term TieTong from source-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter M320-2_in term accept-action from destination-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;edit firewall filter GBNC-TO-CMNET term deny-source-FJIP from source-address- 110.125.240.0/21;- 110.125.248.0/21;- 110.125.192.0/19;- 110.125.224.0/20;一厂M320-2：delete firewall filter cmnet_in term accept-action from destination-address 110.125.240.0/21delete firewall filter cmnet_in term accept-action from destination-address 110.125.248.0/21delete firewall filter cmnet_in term accept-action from destination-address 110.125.192.0/19delete firewall filter cmnet_in term accept-action from destination-address 110.125.224.0/20delete firewall filter cmnet_in term TieTong from source-address 110.125.240.0/21delete firewall filter cmnet_in term TieTong from source-address 110.125.248.0/21delete firewall filter cmnet_in term TieTong from source-address 110.125.192.0/19delete firewall filter cmnet_in term TieTong from source-address 110.125.224.0/20delete firewall filter minhui term accept-action from destination-address 110.125.240.0/21delete firewall filter minhui term accept-action from destination-address 110.125.248.0/21delete firewall filter minhui term accept-action from destination-address 110.125.192.0/19delete firewall filter minhui term accept-action from destination-address 110.125.224.0/20delete firewall filter minhui term TieTong from source-address 110.125.240.0/21delete firewall filter minhui term TieTong from source-address 110.125.248.0/21delete firewall filter minhui term TieTong from source-address 110.125.192.0/19delete firewall filter minhui term TieTong from source-address 110.125.224.0/20delete firewall filter M320-1_in term accept-action from destination-address 110.125.240.0/21delete firewall filter M320-1_in term accept-action from destination-address 110.125.248.0/21delete firewall filter M320-1_in term accept-action from destination-address 110.125.192.0/19delete firewall filter M320-1_in term accept-action from destination-address 110.125.224.0/20delete firewall fi