华为AR系列快速配置

Huawei AR100,AR120 and AR200 SeriesEnterprise Routers DatasheetRealize Your PotentialHuawei AR100, AR120 and AR200 Series Enterprise Routers DatasheetHuawei's next-generation routers, the AR100, AR120 and AR200 series are designed for enterprisebranch offices and small businesses, delivering a comprehensive set of services, including routing,switching, voice, security, and wireless access.Product OverviewThe AR100, AR120 and AR200 series are fixed interface routers that provide a comprehensive platform fora variety of network topologies, including IMS, NGN, WAN and PSTN. The AR100, AR120 and AR200 alsoemploy embedded hardware encryption for security as well as a voice Digital Signal Processor (DSP) for voiceservices.The AR100, AR120 and AR200 series are mature, stable and quiet routers that offer high performancefunctionality for small networks, enabling small businesses to greatly increase productivity at a lower cost.AR100s, AR120s and AR200s are easy to deploy, configure and customize, greatly reducing cost ofdeployment and maintenance, while offering maximum value to customers. These models allow networkadministrators to expand their networks easily and quickly, saving time and costs. The routers supportfirewalls, call processing, and application program functionalities. The AR100, AR120 and AR200 seriesincludes the following models:• AR109, AR109W, AR109GW-L• A R129CVW, AR129CGVW-L, AR121,AR129CV• AR201,AR207The specifications for these models are shown in the following table.Product Features and Benefits• More applications: Huawei series routers use the dual-core processor that isolates the control plane from the forwarding plane and processes more enterprise applications. Huawei series routers improve user experience for multimedia service when streams overlap.• Higher performance: The AR100s, AR120s and AR200s can process various enterprise applications, and its service processing capability is four times that in the industry.• Greater potential: Huawei series routers provide the capability to migrate services to the 3G and LTE networks.Small Size and High Performance1• Maturity and Stableness: The AR100s, AR120s and AR200s uses the Huawei VRP operating system and VSP voice platform. In addition, the AR100s, AR120s and AR200s uses modularized hardware design, which brings good user experience.• L ow-noise office: Huawei series routers have no fan, which brings low noise and good user experience. • Secure environment: The lightning failure rate AR100s, AR120s and AR200s is only 3% of industry average. The AR100s, AR120s and AR200s can be applied in the harsh environment.Small footprint on a Comprehensive Platform3• Easy to construct: The AR100s, AR120s and AR200s supports plug-and-play, intelligent configuration, and deployment using the USB flash drive. It can function immediately after being installed. Users do not need to configure an IP address manually. The PPP and VPN indicators show the status of corresponding services. The AR100s, AR120s and AR200s helps to quickly construct an enterprise IT network.• Simplified solution: Huawei provides an all-around solution that integrates the routing, switching, voice, security, and wireless services. Customers can customize solutions as required.• Easy to expand: Huawei series routers have four/eight FE/GE ports, can access more employee for small enterprises. The two uplink WAN ports implement load balancing and link protection, maximizing the return on investments.Low Investment with High Returns2Example deployment in branch networks for WAN access. In this example, the AR100s, AR120s and AR200s function as the egress routers on enterprise branch networks and provide multiple access methods, including Ethernet, xDSL, 3G, LTE and WLAN.WAN AccessSample DeploymentsEnterprise Voice Services DeploymentIP PBX with WAN and PSTN AccessThis illustration shows AR120 series router deployed at an enterprise branch with access to a WAN and a PSTN. If a fault occurs on the WAN, the PSTN acts as a backup to the WAN and ensures that call services remain uninterrupted.AR120s are deployed at enterprise branch offices to provide intelligent, integrated dialing across the network. When deployed as voice service gateways, AR120s can function as IP PBX boxes and SIP access gateways.IP PBX.AR120s have a built-in PBX, which supports the enterprise main number, interactive voice response (IVR), and billing query functions. These features help enhance the corporate image of small businesses by allowing them to look more professional to their customers, while simultaneously improving the efficiency of their enterprise communications.SIP Server. AR120s have a built-in SIP server that ensures reliability of voice services. If the SIP server at the headquarters office becomes unreachable, the local built-in SIP server at the branch office ensures that communication remains uninterrupted between branch offices and the PSTN network.Mid-scale branchThe AR120 series routers provide integrated voice, fax, and IP services. The AR120s can function as SIP access gateways for enterprise branch offices that transform traditional phone signals into Voice over IP (VoIP). Typically, AR120s are connected upstream from the IMS and NGN networks to enable anytime voice communication on any media, such as phones, handsets, and computers.VPNs Connecting Branches and Partners to HeadquartersVPN Deployment for Secure Enterprise CommunicationsThis illustration shows how to deploy AR100s, AR120s and AR200s using VPNs to connect branches and partners to headquarters.AR100s, AR120s and AR200s provide various VPN tunnel protocols to ensure secure communications between:• Enterprise branches andother branch offices • Enterprise branchesand headquarters • Partners and enterpriseresourcesAR100s, AR120s and AR200s support the following VPN tunnel protocols:• GRE VPN • I PSEC VPN• DSVPN • L2TP VPNAR100s, AR120s and AR200s support fast tunnel set-up and authentication.IPSEC VPN DSVPNGRE VPNAR3200VPN ClientL2TP VPN3G/LTE and Wi-Fi Wireless Access applicationWireless Access and Management in BranchThe AR100s, AR120s routers complied with 3G and LTE standards including HSPA+ and FDD LTE, meeting or LTE data link can be used as a backup for wired link to protect the xDSL, FE/GE, uplinks. The backup link improves network stability and reduces network construction costs. Some models of AR100s, AR120s routers are dual SIM devices, providing dual SIM standby. Thecustomers can switch the SIMcard manually according to 3G/LTE network standards. In addition, the device can switch to the backup SIM card when signal is weak to avoid link interruption.The AR100s, AR120s routers integrated WLAN wireless access capabilities, support 802.11a/b/g/nstandard communication, Built-in AC function make the deployment and management more conveniently. Its wireless features can meet users' demand for wireless access, and help enterprises to build a branch network flexibly.AR3200HeadquartersBranch 1Branch 2Wireless AC ManagementapplicationThe AR120s and AR200s routers integrated AC (Access Controller, a wireless controller) functionality, which can manage the wireless AP (Access Point, Access Point) in wireless LAN. AR supported rich certification and flexible user access control, which can provide security access guarantee for Wi-Fi users. The rich wireless capabilities integrated in one device, this can realize centralized management of wired and wireless network,meet the customers' requirements of building different scale enterprises networks.Branch 1Branch 2Technical SpecificationsTable1: AR100s Technical SpecificationsTable 2: AR120s Technical SpecificationsTable 3: AR200 Technical SpecificationsHardware*Service performance depending on specific feature configuration. Ordering InformationThe AR100, AR120 and AR200 series routers are configured by selecting and installing the appropriate configuration module. The configuration module ordering information and descriptions are shown in the following table4-7.Table 4: Chassis OptionsTable 5: Power Module OptionsTable 7: SD Card and USB Disk OptionsTable 6: License OptionsProfessional Service and SupportHuawei Professional Services provides expert network design and service optimization tasks, helping customers design and deploy a high-performance network that is reliable and secure, maximizing return on investment as well as reducing operational expenses.Company AddendumFor more information, please visit /en/ or contact your local Huawei office.Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.Other trademarks, product, service and company names mentioned are the property of their respective owners.General DisclaimerThe information in this document may contain predictive statements including,without limitation, statements regarding the future financial and operating results,future product portfolio, new technology, etc. There are a number of factors thatcould cause actual results and developments to differ materially from thoseexpressed or implied in the predictive statements. Therefore, such information isprovided for reference purpose only and constitutes neither an offer nor anacceptance. Huawei may change the information at any time without notice.。

5 IPSec配置关于本章5.1 IPSec简介5.2 IPSec原理描述5.3 IPSec应用场景5.4 IPSec配置任务概览5.5 IPSec配置注意事项5.6 IPSec缺省配置5.7 配置采用ACL方式建立IPSec隧道5.8 配置采用虚拟隧道接口方式建立IPSec隧道5.9 配置采用Efficient VPN策略建立IPSec隧道5.10 配置IKE5.11 维护IPSec5.12 IPSec配置举例5.13 IPSec常见配置错误5.1 IPSec简介起源随着Internet的发展，越来越多的企业直接通过Internet进行互联，但由于IP协议未考虑安全性，而且Internet上有大量的不可靠用户和网络设备，所以用户业务数据要穿越这些未知网络，根本无法保证数据的安全性，数据易被伪造、篡改或窃取。

因此，迫切需要一种兼容IP协议的通用的网络安全方案。

为了解决上述问题，IPSec（Internet Protocol Security）应运而生。

IPSec是对IP的安全性补充，其工作在IP层，为IP网络通信提供透明的安全服务。

定义IPSec是IETF（Internet Engineering Task Force）制定的一组开放的网络安全协议。

它并不是一个单独的协议，而是一系列为IP网络提供安全性的协议和服务的集合，包括认证头AH（Authentication Header）和封装安全载荷ESP（Encapsulating SecurityPayload）两个安全协议、密钥交换和用于验证及加密的一些算法等。

通过这些协议，在两个设备之间建立一条IPSec隧道。

数据通过IPSec隧道进行转发，实现保护数据的安全性。

受益IPSec通过加密与验证等方式，从以下几个方面保障了用户业务数据在Internet中的安全传输：●数据来源验证：接收方验证发送方身份是否合法。

●数据加密：发送方对数据进行加密，以密文的形式在Internet上传送，接收方对接收的加密数据进行解密后处理或直接转发。

4 PPPoE配置关于本章PPPoE（PPP over Ethernet）是在以太网链路上运行PPP协议，在小区组网建设等一系列应用中被广泛采用。

4.1 PPPoE简介介绍PPPoE的定义和目的。

4.2 PPPoE配置注意事项介绍PPPoE的配置注意事项。

4.3 PPPoE原理描述介绍PPPoE的实现原理。

4.4 PPPoE应用场景介绍PPPoE的应用场景。

4.5 PPPoE附录介绍PPPoE的报文。

4.6 PPPoE缺省配置介绍PPPoE常见参数的缺省配置。

4.7 配置设备作为PPPoE Server设备提供了PPPoE Server的功能，支持动态分配IP地址，提供多种认证方式。

4.8 配置设备作为PPPoE Client设备作为PPPoE Client下行连接局域网用户，同一个局域网中的所有主机可以共享一个帐号，进行拨号上网。

4.9 维护PPPoEPPPoE相关维护命令，包括复位PPPoE会话和强制断开PPPoE会话。

4.10 PPPoE配置举例介绍PPPoE典型场景配置举例。

配置示例中包括组网需求、配置思路等。

4.11 PPPoE常见配置错误介绍常见配置错误的案例，避免在配置阶段引入故障。

4.1 PPPoE简介介绍PPPoE的定义和目的。

定义PPPoE（PPP over Ethernet）协议是一种把PPP帧封装到以太网帧中的链路层协议。

PPPoE可以使以太网网络中的多台主机连接到远端的宽带接入服务器。

目的运营商希望把一个站点上的多台主机连接到同一台远程接入设备，同时接入设备能够提供与拨号上网类似的访问控制和计费功能。

在众多的接入技术中，把多个主机连接到接入设备的最经济的方法就是以太网，而PPP协议可以提供良好的访问控制和计费功能，于是产生了在以太网上传输PPP报文的技术，即PPPoE。

PPPoE利用以太网将大量主机组成网络，通过一个远端接入设备连入因特网，并运用PPP协议对接入的每个主机进行控制，具有适用范围广、安全性高、计费方便的特点。

4双机热备份配置关于本章4.1 双机热备份简介4.2 双机热备原理描述4.3 双机热备份应用场景4.4 配置注意事项4.5 双机热备份缺省配置4.6 配置双机热备份功能4.7 双机热备份配置举例4.8 双机热备份常见配置错误4.1 双机热备份简介定义双机热备份（Hot-Standby Backup）是指，当两台设备在确定主用（Master）设备和备用（Backup）设备后，由主用设备进行业务的转发，而备用设备处于监控状态，同时主用设备实时向备用设备发送状态信息和需要备份的信息，当主用设备出现故障后，备用设备及时接替主用设备的业务运行。

目的随着用户对网络可靠性的要求越来越高，如何保证网络的不间断传输，已成为一个必须解决的问题。

特别是在一些重要业务的入口或接入点上，需要保证网络的不间断运行，如企业的Internet接入点、银行的数据库服务器等。

在这些业务点上如果只使用一台设备，无论其可靠性多高，网络都必然要承受因单点故障而导致业务中断的风险。

为了解决上述问题，引入了双机热备份。

双机热备份实现了双机业务的备份功能，业务信息通过备份链路实现批量备份和实时备份，保证在主设备故障时业务能够不中断地顺利切换到备份设备，从而降低了单点故障的风险，提高了网络的可靠性。

4.2 双机热备原理描述4.2.1 备份方式设备支持主备方式的双机热备份解决方案。

主备方式（与VRRP热备份配合使用）如图4-1所示，RouterA与RouterB组成一个VRRP备份组。

正常情况下主设备RouterA处理所有业务，并将产生的会话信息通过主备通道传送到备份设备RouterB进行备份；RouterB不处理业务，只用做备份。

图4-1双机热备份主备方式组网图（正常工作）RouterA主备通道当主设备RouterA发生故障，备份设备RouterB接替主设备RouterA处理业务，如图4-2所示。

由于已经在备用设备上备份了会话信息，从而可以保证新发起的会话能正常建立，当前正在进行的会话也不会中断，提高了网络的可靠性。

12策略路由配置关于本章通过配置策略路由，可以用于提高网络的安全性能和负载分担。

12.1 策略路由简介介绍策略路由的定义和作用。

12.2 策略路由原理描述介绍策略路由的实现原理。

12.3 策略路由应用介绍策略路由的应用场景。

12.4 策略路由配置任务概览设备不仅支持基于到达报文的源地址、报文长度等信息进行路由选择的本地策略路由和接口策略路由，还支持基于链路质量信息为业务数据流选择优选链路的智能策略路由SPR（Smart Policy Routing）。

12.5 策略路由配置注意事项介绍策略路由在使用和配置过程中的注意事项。

12.6 配置本地策略路由通过配置本地策略路由，可以控制本机下发的报文通过指定的出口进行发送。

本地策略路由只对主机面下发的数据生效。

12.7 配置接口策略路由配置接口策略路由可以将到达接口的三层报文重定向到指定的下一跳地址。

12.8 配置智能策略路由根据业务对链路质量的需求情况配置智能策略路由SPR（Smart Policy Routing）可以实现随链路质量变化情况动态切换业务数据的传输链路。

12.9 策略路由配置举例配置示例中包括组网需求和配置思路等。

12.1 策略路由简介介绍策略路由的定义和作用。

定义策略路由PBR（Policy-Based Routing）是一种依据用户制定的策略进行路由选择的机制，分为本地策略路由、接口策略路由和智能策略路由SPR（Smart PolicyRouting）。

说明●策略路由与路由策略（Routing Policy）存在以下不同：●策略路由的操作对象是数据包，在路由表已经产生的情况下，不按照路由表进行转发，而是根据需要，依照某种策略改变数据包转发路径。

●路由策略的操作对象是路由信息。

路由策略主要实现了路由过滤和路由属性设置等功能，它通过改变路由属性（包括可达性）来改变网络流量所经过的路径。

路由策略的详细内容请参见10 路由策略配置。

目的传统的路由转发原理是首先根据报文的目的地址查找路由表，然后进行报文转发。