(1) Lab requirements:
1) Link aggregation
S1 and S2 use link aggregation to bundle two physical links into one logical link, for load sharing and backup. S1 is set as the LACP active end, and the logical link must load-balance on destination MAC address;
2) VLANs and inter-VLAN routing
All VLAN clients and the server must be able to reach each other;
3) OSPF and RIP
R2, R3, S1 and S2 run OSPF; R3, R4 and R5 run RIP;
4) Route redistribution
OSPF and RIP must be redistributed into each other so that the two domains can communicate;
5) NAT and access control
Hosts in 192.168.20.0/24 and 192.168.21.0/24 must not be able to access the Internet. The server is published to the Internet at 202.106.0.200, and Internet user PC1 can reach the server through this address.
The commands covered by this topology are:
Link aggregation;
VLAN assignment;
Router-on-a-stick and Layer 3 switching;
OSPF and RIP dynamic routing;
Route redistribution;
PAT and static NAT;
Basic and advanced ACLs;
(2) Implementation
1) Configure the IP addresses on the PCs and the server yourself
2) Configure link aggregation
Huawei link aggregation is implemented mainly through LACP. The configuration specifies the priority, the working mode, the load-balancing mode and the member interfaces.
S1 is configured as follows:
<Huawei>system-view //enter system view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable //turn off informational messages so they do not interrupt input
Info: Information center is disabled.
[Huawei]sysname S1 //set the device name to S1
[S1]lacp priority 1000 //set the system LACP priority of S1
[S1]interface Eth-Trunk 12 //create the link aggregation logical interface Eth-Trunk 12
[S1-Eth-Trunk12]mode lacp-static //use static LACP mode
[S1-Eth-Trunk12]load-balance dst-mac //load-balance on destination MAC address
[S1-Eth-Trunk12]trunkport GigabitEthernet 0/0/2 //add member interface G0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk12]trunkport GigabitEthernet 0/0/3 //add member interface G0/0/3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk12]quit //return to system view

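**Note:** A lower LACP priority value means a higher priority. By default the system LACP priority value is 32768. Of the two devices, the one with the lower system LACP priority value becomes the active end; if the LACP priority values are equal, the one with the lower MAC address becomes the active end.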
S2 is configured as follows:
<Huawei>system-view
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname S2
[S2]interface Eth-Trunk 12
[S2-Eth-Trunk12]mode lacp-static
[S2-Eth-Trunk12]trunkport GigabitEthernet 0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-Eth-Trunk12]trunkport GigabitEthernet 0/0/3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-Eth-Trunk12]quit
//The commands are much the same as on S1, so they are not explained again here

3) Configure inter-VLAN routing
Routing between VLANs is done mainly on S1 and S2. Note that even though the interfaces on S1 and S2 are all in trunk mode, the corresponding VLANs still have to be created: when a switch receives a frame from a VLAN that it does not have itself, it drops the frame.
S1 is configured as follows:
[S1]vlan batch 10 to 13 //create VLAN 10 to VLAN 13 in one command
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface Eth-Trunk 12 //enter the link aggregation interface
[S1-Eth-Trunk12]port link-type trunk //set the link aggregation interface to trunk mode
[S1-Eth-Trunk12]port trunk allow-pass vlan all //allow all VLANs on the trunk link
[S1-Eth-Trunk12]int g0/0/4
[S1-GigabitEthernet0/0/4]port link-type trunk //set the port link type to trunk
[S1-GigabitEthernet0/0/4]port trunk allow-pass vlan all //allow all VLANs
[S1-GigabitEthernet0/0/4]int g0/0/5
[S1-GigabitEthernet0/0/5]port link-type trunk
[S1-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/5]int vlan 10 //enter Vlanif10
[S1-Vlanif10]ip add 192.168.10.1 24 //set the IP address
[S1-Vlanif10]int vlan 11
[S1-Vlanif11]ip add 192.168.11.1 24
[S1-Vlanif11]quit

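**Note:** By default a trunk on a Huawei device allows no VLAN other than VLAN 1, whereas a Cisco device allows all VLANs by default. So when configuring Huawei devices, after the basic trunk configuration always add the command that allows the relevant VLANs through the trunk.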
S2 is configured as follows:
[S2]vlan batch 10 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]interface eth-trunk 12
[S2-Eth-Trunk12]port link-type trunk
[S2-Eth-Trunk12]port trunk allow-pass vlan all
[S2-Eth-Trunk12]interface g0/0/4
[S2-GigabitEthernet0/0/4]port link-type trunk
[S2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/4]interface g0/0/5
[S2-GigabitEthernet0/0/5]port link-type trunk
[S2-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/5]int vlan 12
[S2-Vlanif12]ip add 192.168.12.1 24
[S2-Vlanif12]int vlan 13
[S2-Vlanif13]ip add 192.168.13.1 24
[S2-Vlanif13]quit
//Essentially the same commands as on S1, so they are not explained again here

SW1 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw1
[sw1]vlan 10
[sw1-vlan10]interface g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access //set the port to access mode
[sw1-GigabitEthernet0/0/2]port default vlan 10 //add the interface to VLAN 10
[sw1-GigabitEthernet0/0/2]quit

SW2 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw2
[sw2]vlan 11
[sw2-vlan11]interface g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/1]int g0/0/2
[sw2-GigabitEthernet0/0/2]port link-type access
[sw2-GigabitEthernet0/0/2]port default vlan 11
[sw2-GigabitEthernet0/0/2]quit

SW3 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw3
[sw3]vlan 12
[sw3-vlan12]interface g0/0/1
[sw3-GigabitEthernet0/0/1]port link-type trunk
[sw3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw3-GigabitEthernet0/0/1]interface g0/0/2
[sw3-GigabitEthernet0/0/2]port link-type access
[sw3-GigabitEthernet0/0/2]port default vlan 12
[sw3-GigabitEthernet0/0/2]quit

SW4 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw4
[sw4]vlan 13
[sw4-vlan13]interface g0/0/1
[sw4-GigabitEthernet0/0/1]port link-type trunk
[sw4-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw4-GigabitEthernet0/0/1]interface g0/0/2
[sw4-GigabitEthernet0/0/2]port link-type access
[sw4-GigabitEthernet0/0/2]port default vlan 13
[sw4-GigabitEthernet0/0/2]quit

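A check for the trunk rule in the note earlier in this step, as an added example that is not part of the original post: it reads a session transcript, takes the device and interface from each prompt, and reports trunks that pass every VLAN as well as trunks whose allow-pass list is missing VLANs created on that switch. The transcript is constructed, and the `audit` and `expand_vlans` names are this example's own.

```python
import re

# Constructed transcript in the same prompt/command form as the sessions above.
# The G0/0/4 trunk on S1 deliberately has no allow-pass line.
SESSION = """\
[sw1]vlan 10
[sw1-vlan10]interface g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access //access port
[S1]vlan batch 10 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface Eth-Trunk 12
[S1-Eth-Trunk12]port link-type trunk
[S1-Eth-Trunk12]port trunk allow-pass vlan 10 to 13
[S1-Eth-Trunk12]int g0/0/4
[S1-GigabitEthernet0/0/4]port link-type trunk
"""

PROMPT_RE = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\](.*)$")

def expand_vlans(spec):
    """'10 to 13 20' -> {10, 11, 12, 13, 20}"""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(session):
    """Return findings [(device, interface, message)] for trunk ports."""
    created, ports = {}, {}
    for raw in session.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # Info: lines and other echo carry no command
        device, view = m.group(1), m.group(2)
        cmd = " ".join(m.group(3).split("//")[0].split())  # drop the // comment
        if cmd.startswith("vlan batch "):
            created.setdefault(device, set()).update(expand_vlans(cmd[len("vlan batch "):]))
        elif re.fullmatch(r"vlan \d+", cmd):
            created.setdefault(device, set()).add(int(cmd[5:]))
        elif view and cmd.startswith("port link-type "):
            ports.setdefault((device, view), {})["type"] = cmd.split()[2]
        elif view and cmd.startswith("port trunk allow-pass vlan "):
            spec = cmd[len("port trunk allow-pass vlan "):]
            ports.setdefault((device, view), {})["allowed"] = (
                "all" if spec == "all" else expand_vlans(spec))
    findings = []
    for (device, view), port in sorted(ports.items()):
        if port.get("type") != "trunk":
            continue
        have = created.get(device, set())
        allowed = port.get("allowed", {1})  # default per the note: VLAN 1 only
        if allowed == "all":
            findings.append((device, view, "passes all VLANs; created here: %s" % sorted(have)))
        elif have - allowed:
            findings.append((device, view, "not allowed on this trunk: %s" % sorted(have - allowed)))
    return findings

if __name__ == "__main__":
    for finding in audit(SESSION):
        print("%s %s: %s" % finding)
```
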
4) Configure router-on-a-stick
Router-on-a-stick on Huawei is almost identical to Cisco. There are two parts: the trunk configuration between the switch and the router, and the router's sub-interface configuration, with each sub-interface associated with its VLAN.
R4 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 192.168.101.2 24
[R4-GigabitEthernet0/0/0]int g0/0/1.1 //enter the sub-interface
[R4-GigabitEthernet0/0/1.1]ip add 192.168.20.1 24 //assign the sub-interface an IP address
[R4-GigabitEthernet0/0/1.1]dot1q termination vid 20 //associate the sub-interface with VLAN 20
[R4-GigabitEthernet0/0/1.1]arp broadcast enable //enable ARP broadcast on the sub-interface
[R4-GigabitEthernet0/0/1.1]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]ip add 192.168.21.1 24
[R4-GigabitEthernet0/0/1.2]dot1q termination vid 21
[R4-GigabitEthernet0/0/1.2]arp broadcast enable
[R4-GigabitEthernet0/0/1.2]int g0/0/2
[R4-GigabitEthernet0/0/2]ip add 192.168.102.1 24
[R4-GigabitEthernet0/0/2]quit

SW5 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw5
[sw5]vlan 20
[sw5-vlan20]vlan 21 //VLANs can also be created one at a time
[sw5-vlan21]int g0/0/1
[sw5-GigabitEthernet0/0/1]port link-type trunk
[sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw5-GigabitEthernet0/0/1]int g0/0/2
[sw5-GigabitEthernet0/0/2]port link-type access
[sw5-GigabitEthernet0/0/2]port default vlan 20
[sw5-GigabitEthernet0/0/2]int g0/0/3
[sw5-GigabitEthernet0/0/3]port link-type access
[sw5-GigabitEthernet0/0/3]port default vlan 21

5) Configure OSPF and RIP
RIP configuration on Huawei is almost the same as the Cisco commands; just remember to replace no with undo. OSPF configuration differs from Cisco: instead of one network command that advertises both the network and the area, the networks are advertised in the sub-view of a given area.
S1 is configured as follows:
[S1]vlan 50
[S1-vlan50]int g0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 50 //add the physical interface to the VLAN
[S1-GigabitEthernet0/0/1]int vlan 50
[S1-Vlanif50]ip add 192.168.50.10 24
[S1-Vlanif50]ospf 1 //enter the OSPF process
[S1-ospf-1]area 0 //enter area 0
[S1-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255 //for simplicity, advertise all networks
[S1-ospf-1-area-0.0.0.0]quit

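**Note:** To specify a router ID when configuring OSPF, append router-id when entering the process view, for example [S1] ospf 1 router-id 1.1.1.1. Also, a Huawei Layer 3 switch has no command that promotes a Layer 2 interface directly to a Layer 3 interface, like the no switchport command on Cisco. So for inter-VLAN routing or a direct connection to a router, the only option is to configure a VLAN virtual interface and bind the physical interface to that VLAN.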
S2 is configured as follows:
[S2]vlan 60
[S2-vlan60]int g0/0/1
[S2-GigabitEthernet0/0/1]port link-type access
[S2-GigabitEthernet0/0/1]port default vlan 60
[S2-GigabitEthernet0/0/1]int vlan 60
[S2-Vlanif60]ip add 192.168.60.10 24
[S2-Vlanif60]ospf 1
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255

R2 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g4/0/0
[R2-GigabitEthernet4/0/0]ip add 202.106.0.10 24
[R2-GigabitEthernet4/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 192.168.50.1 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.60.1 24
[R2-GigabitEthernet0/0/2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.100.1 24
[R2-GigabitEthernet0/0/0]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.50.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.60.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
//Note that OSPF must not advertise all networks here, otherwise the communication between the external and internal networks in this lab would be meaningless
[R2-ospf-1-area-0.0.0.0]quit

R3 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.100.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 192.168.101.1 24
[R3-GigabitEthernet0/0/1]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]rip //enter the RIP process view; the default process ID is 1
[R3-rip-1]version 2 //set the RIP version
[R3-rip-1]undo summary //disable RIP automatic summarization
[R3-rip-1]network 192.168.101.0 //advertise the network
[R3-rip-1]quit

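**Note:** When configuring RIP in Cisco IOS, a network can be advertised either by its standard class or by the actual network. For example, for 10.1.1.1/24 both the command with 10.1.1.0 and the command with 10.0.0.0 are accepted, but Cisco corrects it to 10.0.0.0 (the standard form). On Huawei devices a RIP network can only be advertised in the standard form, that is, according to the mask of the major class.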
R4 is configured as follows:
[R4]rip
[R4-rip-1]version 2
[R4-rip-1]undo summary
[R4-rip-1]network 192.168.101.0
[R4-rip-1]network 192.168.20.0
[R4-rip-1]network 192.168.21.0
[R4-rip-1]network 192.168.102.0

R5 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R5
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]ip add 192.168.102.2 24
[R5-GigabitEthernet0/0/0]int g0/0/1
[R5-GigabitEthernet0/0/1]ip add 10.0.0.1 24
[R5-GigabitEthernet0/0/1]rip
[R5-rip-1]version 2
[R5-rip-1]undo summary
[R5-rip-1]network 192.168.102.0
[R5-rip-1]network 10.0.0.0

6) Configure route redistribution
Route redistribution on Huawei devices is done with the import-route command. Whatever protocol is being imported, the process ID must be appended. As on Cisco, to import protocol A into protocol B, first enter B's routing process and run the command that imports A, and the same applies in the other direction.
R3 is configured as follows:
[R3]ospf 1
[R3-ospf-1]import-route rip 1 //in the OSPF process, import the routes of RIP process 1
[R3-ospf-1]rip
[R3-rip-1]import-route ospf 1 //in the RIP process, import the routes of OSPF process 1
[R3-rip-1]quit

R2 is configured as follows:
[R2]ip route-static 0.0.0.0 0.0.0.0 202.106.0.1
//In a real environment, the internal network's route to servers on the external network is always a default route
[R2]ospf 1
[R2-ospf-1]default-route-advertise
//advertise the default route (this requires that a default route exists)

7) Configure NAT and access control
Huawei NAT is configured directly in the view of the external interface. The internal traffic to be translated is selected with an ACL, and the inside global address after translation is defined with a NAT address group.
R2 is configured as follows:
[R2]nat address-group 1 202.106.0.100 202.106.0.100 //define the NAT address group (pool)
[R2]acl 2000 //create the ACL numbered 2000
[R2-acl-basic-2000]rule 0 permit source 192.168.50.0 0.0.0.255
[R2-acl-basic-2000]rule 10 permit source 192.168.60.0 0.0.0.255
[R2-acl-basic-2000]rule 20 permit source 192.168.10.0 0.0.0.255
[R2-acl-basic-2000]rule 30 permit source 192.168.11.0 0.0.0.255
[R2-acl-basic-2000]rule 40 permit source 192.168.12.0 0.0.0.255
[R2-acl-basic-2000]rule 50 permit source 192.168.13.0 0.0.0.255
//permit these source addresses; the entries could of course be summarized so that fewer rules are needed
[R2-acl-basic-2000]int g4/0/0
[R2-GigabitEthernet4/0/0]nat outbound 2000 address-group 1
//define PAT: map the addresses permitted by the ACL to the address pool
[R2-GigabitEthernet4/0/0]nat server global 202.106.0.200 inside 10.0.0.10
//define static NAT, one to one
[R2-GigabitEthernet4/0/0]quit
[R2]acl 3000
[R2-acl-adv-3000]rule 0 deny ip source 192.168.20.0 0.0.0.255
[R2-acl-adv-3000]rule 10 deny tcp source 192.168.21.0 0.0.0.255 destination 20.0.0.0 0.0.0.255 destination-port eq 80
//define the ACL numbered 3000 to deny the source addresses; a destination address and port can also be added (a port match requires tcp or udp as the protocol)
[R2-acl-adv-3000]int g4/0/0
[R2-GigabitEthernet4/0/0]traffic-filter inbound acl 3000
//apply the ACL numbered 3000 on the interface

**Note:** Huawei ACLs are similar to Cisco's. They are divided into basic and advanced, like Cisco's standard and extended. Basic ACLs are numbered 2000-2999 and advanced ACLs are numbered 3000-3999. The number after rule indicates the order in which the ACL rules take effect.
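How ACL 2000 selects the sources that nat outbound translates on R2, as an added example that is not part of the original post: rules are tried in ascending rule-ID order, a source that hits no permit rule is left untranslated, and a wildcard is a bit mask in which 0 means "must match". The host addresses, rule 5 and the 0.0.0.25 wildcard are constructed for illustration; the function names are this example's own.

```python
import ipaddress
import re

# ACL 2000 as entered on R2 above (the source list for nat outbound).
ACL_2000 = """\
rule 0 permit source 192.168.50.0 0.0.0.255
rule 10 permit source 192.168.60.0 0.0.0.255
rule 20 permit source 192.168.10.0 0.0.0.255
rule 30 permit source 192.168.11.0 0.0.0.255
rule 40 permit source 192.168.12.0 0.0.0.255
rule 50 permit source 192.168.13.0 0.0.0.255
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_basic_acl(text):
    """Return [(rule_id, action, address, wildcard)] in ascending rule-ID order."""
    rules = []
    for m in RULE_RE.finditer(text):
        rules.append((int(m.group(1)), m.group(2), to_int(m.group(3)), to_int(m.group(4))))
    return sorted(rules)

def evaluate(rules, source):
    """The first rule that matches, in rule-ID order, decides; None = no rule matched."""
    ip = to_int(source)
    for rule_id, action, address, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 = must match, 1 = ignore
        if (ip & care) == (address & care):
            return rule_id, action
    return None

def translated(rules, sources):
    """Sources that nat outbound would translate: only those hitting a permit rule."""
    return [s for s in sources if (evaluate(rules, s) or (None, None))[1] == "permit"]

def covered_hosts(wildcard):
    """Number of addresses one rule covers: 2 ** (count of ignore bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")

if __name__ == "__main__":
    rules = parse_basic_acl(ACL_2000)
    # Constructed host addresses, one per subnet of interest.
    hosts = ["192.168.10.5", "192.168.13.9", "192.168.20.5", "192.168.21.5"]
    print("translated:", translated(rules, hosts))
    # Constructed variation: a deny with a lower rule ID, entered last, still wins.
    reordered = parse_basic_acl(ACL_2000 + "rule 5 deny source 192.168.10.0 0.0.0.255\n")
    print("192.168.10.5 ->", evaluate(reordered, "192.168.10.5"))
    # Constructed slip: wildcard 0.0.0.25 instead of 0.0.0.255 covers 8 addresses.
    slip = parse_basic_acl("rule 0 permit source 192.168.50.0 0.0.0.25")
    print(covered_hosts("0.0.0.25"), evaluate(slip, "192.168.50.10"))
```
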
R1 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.106.0.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.0.0.1 24
//Note: R1 only needs its IP addresses configured

Once the configuration is complete, you can verify it yourself; this post is only meant to show as many of the commands as possible.

III. Common troubleshooting commands
[S1]display current-configuration //show the full current configuration of the device
[S1]display ip routing-table //show the routing table
[S1]display vlan //show VLAN information
[S1]display ip interface brief //show interface status
[S1]display current-configuration interface vlan 10
//show the current configuration of one interface
[S1]display nat session all //show NAT translation entries
[S1]display ospf peer brief //show OSPF neighbor information
[S1]display acl all //show ACL information
[S1]display eth-trunk 12 //show link aggregation information