(1) Lab requirements:
1) Link aggregation
S1 and S2 use link aggregation to combine two physical links into one logical link for load sharing and backup. Set S1 as the LACP active end, and have the logical link load-share based on destination MAC address.
2) VLANs and inter-VLAN routing
All VLAN clients and the server must be able to reach each other.
3) OSPF and RIP
R2, R3, S1 and S2 run OSPF; R3, R4 and R5 run RIP.
4) Route redistribution
OSPF and RIP must be redistributed into each other so that the two domains can communicate.
5) NAT and access control
Hosts in the 192.168.20.0/24 and 192.168.21.0/24 networks must not be able to access the Internet. The server is published to the Internet at 202.106.0.200, and the Internet user PC1 can reach the server through this address.
The commands this topology involves are:
Link aggregation;
VLAN assignment;
Router-on-a-stick and layer 3 switching;
OSPF and RIP dynamic routing configuration;
Route redistribution;
PAT and static NAT configuration;
Basic ACL and advanced ACL configuration;

(2) Implementation
1) Configure IP addresses on the PCs and the server yourself
2) Configure link aggregation
Huawei link aggregation is implemented mainly through LACP. The configuration specifies the priority, the working mode, the load-balancing mode and the member interfaces.
S1 is configured as follows:
<Huawei>system-view //enter system view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable //turn off information output so it does not interrupt typing
Info: Information center is disabled.
[Huawei]sysname S1 //set the device name to S1
[S1]lacp priority 1000 //set the system LACP priority of S1
[S1]interface Eth-Trunk 12 //create the logical link aggregation interface Eth-Trunk 12
[S1-Eth-Trunk12]mode lacp-static //use static LACP mode
[S1-Eth-Trunk12]load-balance dst-mac //load-balance on destination MAC address
[S1-Eth-Trunk12]trunkport GigabitEthernet 0/0/2 //add member interface G0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk12]trunkport GigabitEthernet 0/0/3 //add member interface G0/0/3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk12]quit //return to system view

**Note:** The smaller the LACP priority value, the higher the priority. By default the system LACP priority is 32768. Of the two devices, the one with the smaller system LACP priority value becomes the active end; if the values are equal, the device with the smaller MAC address becomes the active end.
S2 is configured as follows:
<Huawei>system-view
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname S2
[S2]interface Eth-Trunk 12
[S2-Eth-Trunk12]mode lacp-static
[S2-Eth-Trunk12]trunkport GigabitEthernet 0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-Eth-Trunk12]trunkport GigabitEthernet 0/0/3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-Eth-Trunk12]quit
//the commands are much the same as on S1, so they are not explained again here

3) Configure inter-VLAN routing
Inter-VLAN routing is done mainly on S1 and S2. Note that even though the interfaces on S1 and S2 are all in trunk mode, the corresponding VLANs still have to be created, because a switch that receives a frame from a VLAN it does not itself have drops that frame.
S1 is configured as follows:
[S1]vlan batch 10 to 13 //create VLAN 10 to VLAN 13 in one command
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface Eth-Trunk 12 //enter the link aggregation interface
[S1-Eth-Trunk12]port link-type trunk //set the link aggregation interface to trunk mode
[S1-Eth-Trunk12]port trunk allow-pass vlan all //allow all VLANs on the trunk link
[S1-Eth-Trunk12]int g0/0/4
[S1-GigabitEthernet0/0/4]port link-type trunk //set the interface to trunk mode
[S1-GigabitEthernet0/0/4]port trunk allow-pass vlan all //allow all VLANs
[S1-GigabitEthernet0/0/4]int g0/0/5
[S1-GigabitEthernet0/0/5]port link-type trunk
[S1-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/5]int vlan 10 //enter the VLAN 10 interface
[S1-Vlanif10]ip add 192.168.10.1 24 //set the IP address
[S1-Vlanif10]int vlan 11
[S1-Vlanif11]ip add 192.168.11.1 24
[S1-Vlanif11]quit

**Note:** By default a Huawei trunk does not allow any VLAN other than VLAN 1, whereas a Cisco trunk allows all VLANs by default. So on Huawei devices, once the basic trunk configuration is done, be sure to add the command that allows the relevant VLANs through the trunk.
S2 is configured as follows:
[S2]vlan batch 10 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]interface eth-trunk 12
[S2-Eth-Trunk12]port link-type trunk
[S2-Eth-Trunk12]port trunk allow-pass vlan all
[S2-Eth-Trunk12]interface g0/0/4
[S2-GigabitEthernet0/0/4]port link-type trunk
[S2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/4]interface g0/0/5
[S2-GigabitEthernet0/0/5]port link-type trunk
[S2-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/5]int vlan 12
[S2-Vlanif12]ip add 192.168.12.1 24
[S2-Vlanif12]int vlan 13
[S2-Vlanif13]ip add 192.168.13.1 24
[S2-Vlanif13]quit
//the commands are basically the same as on S1, so they are not explained again here

SW1 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw1
[sw1]vlan 10
[sw1-vlan10]interface g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access //set the port mode to access
[sw1-GigabitEthernet0/0/2]port default vlan 10 //add the interface to VLAN 10
[sw1-GigabitEthernet0/0/2]quit

SW2 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw2
[sw2]vlan 11
[sw2-vlan11]interface g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/1]int g0/0/2
[sw2-GigabitEthernet0/0/2]port link-type access
[sw2-GigabitEthernet0/0/2]port default vlan 11
[sw2-GigabitEthernet0/0/2]quit

SW3 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw3
[sw3]vlan 12
[sw3-vlan12]interface g0/0/1
[sw3-GigabitEthernet0/0/1]port link-type trunk
[sw3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw3-GigabitEthernet0/0/1]interface g0/0/2
[sw3-GigabitEthernet0/0/2]port link-type access
[sw3-GigabitEthernet0/0/2]port default vlan 12
[sw3-GigabitEthernet0/0/2]quit

SW4 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw4
[sw4]vlan 13
[sw4-vlan13]interface g0/0/1
[sw4-GigabitEthernet0/0/1]port link-type trunk
[sw4-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw4-GigabitEthernet0/0/1]interface g0/0/2
[sw4-GigabitEthernet0/0/2]port link-type access
[sw4-GigabitEthernet0/0/2]port default vlan 13
[sw4-GigabitEthernet0/0/2]quit

4) Configure router-on-a-stick
Huawei's router-on-a-stick configuration is almost identical to Cisco's. It has two parts: the trunk configuration between the switch and the router, and the router's sub-interface configuration, with each sub-interface associated with its VLAN.
R4 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 192.168.101.2 24
[R4-GigabitEthernet0/0/0]int g0/0/1.1 //enter the sub-interface
[R4-GigabitEthernet0/0/1.1]ip add 192.168.20.1 24 //set the sub-interface IP address
[R4-GigabitEthernet0/0/1.1]dot1q termination vid 20 //associate the sub-interface with VLAN 20
[R4-GigabitEthernet0/0/1.1]arp broadcast enable //enable ARP broadcast on the sub-interface
[R4-GigabitEthernet0/0/1.1]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]ip add 192.168.21.1 24
[R4-GigabitEthernet0/0/1.2]dot1q termination vid 21
[R4-GigabitEthernet0/0/1.2]arp broadcast enable
[R4-GigabitEthernet0/0/1.2]int g0/0/2
[R4-GigabitEthernet0/0/2]ip add 192.168.102.1 24
[R4-GigabitEthernet0/0/2]quit

SW5 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw5
[sw5]vlan 20
[sw5-vlan20]vlan 21 //VLANs can also be created one at a time
[sw5-vlan21]int g0/0/1
[sw5-GigabitEthernet0/0/1]port link-type trunk
[sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw5-GigabitEthernet0/0/1]int g0/0/2
[sw5-GigabitEthernet0/0/2]port link-type access
[sw5-GigabitEthernet0/0/2]port default vlan 20
[sw5-GigabitEthernet0/0/2]int g0/0/3
[sw5-GigabitEthernet0/0/3]port link-type access
[sw5-GigabitEthernet0/0/3]port default vlan 21

5) Configure OSPF and RIP
Huawei's RIP configuration is almost the same as Cisco's; just change no to undo. OSPF differs from Cisco: a single network command does not declare both the network and the area; instead the networks are advertised in the sub-view of a particular area.
S1 is configured as follows:
[S1]vlan 50
[S1-vlan50]int g0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 50 //add the physical interface to the VLAN
[S1-GigabitEthernet0/0/1]int vlan 50
[S1-Vlanif50]ip add 192.168.50.10 24
[S1-Vlanif50]ospf 1 //enter the OSPF process
[S1-ospf-1]area 0 //enter area 0
[S1-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255 //for simplicity, advertise all networks
[S1-ospf-1-area-0.0.0.0]quit

**Note:** To specify a router-id when configuring OSPF, append it when entering the process view, for example [S1] ospf 1 router-id 1.1.1.1. Also, a Huawei layer 3 switch has no command that promotes a layer 2 interface directly to a layer 3 interface the way no switchport does on Cisco. So for inter-VLAN routing or a direct connection to a router, the only option is to configure a VLAN virtual interface and bind the physical interface to that VLAN.
S2 is configured as follows:
[S2]vlan 60
[S2-vlan60]int g0/0/1
[S2-GigabitEthernet0/0/1]port link-type access
[S2-GigabitEthernet0/0/1]port default vlan 60
[S2-GigabitEthernet0/0/1]int vlan 60
[S2-Vlanif60]ip add 192.168.60.10 24
[S2-Vlanif60]ospf 1
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255

R2 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g4/0/0
[R2-GigabitEthernet4/0/0]ip add 202.106.0.10 24
[R2-GigabitEthernet4/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 192.168.50.1 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.60.1 24
[R2-GigabitEthernet0/0/2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.100.1 24
[R2-GigabitEthernet0/0/0]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.50.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.60.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
//note that OSPF must not advertise all networks here, otherwise testing communication between the external and internal networks would be pointless!
[R2-ospf-1-area-0.0.0.0]quit

R3 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.100.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 192.168.101.1 24
[R3-GigabitEthernet0/0/1]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]rip //enter the RIP process view; the default process ID is 1
[R3-rip-1]version 2 //set the RIP version
[R3-rip-1]undo summary //turn off RIP automatic summarization
[R3-rip-1]network 192.168.101.0 //advertise the network
[R3-rip-1]quit

**Note:** In Cisco IOS, a RIP network can be declared either by its classful network or by the actual subnet. For example, with 10.1.1.1/24, both 10.1.1.0 and 10.0.0.0 are accepted in the command, but Cisco corrects the entry to 10.0.0.0 (the standard form). On Huawei devices a RIP network can only be declared in the standard form, that is, according to the classful mask.
R4 is configured as follows:
[R4]rip
[R4-rip-1]version 2
[R4-rip-1]undo summary
[R4-rip-1]network 192.168.101.0
[R4-rip-1]network 192.168.20.0
[R4-rip-1]network 192.168.21.0
[R4-rip-1]network 192.168.102.0

R5 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R5
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]ip add 192.168.102.2 24
[R5-GigabitEthernet0/0/0]int g0/0/1
[R5-GigabitEthernet0/0/1]ip add 10.0.0.1 24
[R5-GigabitEthernet0/0/1]rip
[R5-rip-1]version 2
[R5-rip-1]undo summary
[R5-rip-1]network 192.168.102.0
[R5-rip-1]network 10.0.0.0

6) Configure route redistribution
On Huawei devices route redistribution is done with the import-route command. Whatever protocol is imported, its process ID must be appended. As on Cisco, to import protocol A into protocol B, first enter B's routing process and run the command that imports A, and vice versa.
R3 is configured as follows:
[R3]ospf 1
[R3-ospf-1]import-route rip 1 //in the OSPF process, import RIP process 1
[R3-ospf-1]rip
[R3-rip-1]import-route ospf 1 //in the RIP process, import OSPF process 1
[R3-rip-1]quit

R2 is configured as follows:
[R2]ip route-static 0.0.0.0 0.0.0.0 202.106.0.1
//in a real environment, the device connecting the internal network to the outside will certainly use a default route
[R2]ospf 1
[R2-ospf-1]default-route-advertise
//advertise the default route (on condition that a default route exists)

7) Configure NAT and access control
Huawei NAT is configured directly in the view of the outside interface. The internal traffic to be translated is matched by an ACL, and the inside global addresses it is translated to are defined by a NAT address group.
R2 is configured as follows:
[R2]nat address-group 1 202.106.0.100 202.106.0.100 //define the NAT address group (pool)
[R2]acl 2000 //create the ACL numbered 2000
[R2-acl-basic-2000]rule 0 permit source 192.168.50.0 0.0.0.255
[R2-acl-basic-2000]rule 10 permit source 192.168.60.0 0.0.0.255
[R2-acl-basic-2000]rule 20 permit source 192.168.10.0 0.0.0.255
[R2-acl-basic-2000]rule 30 permit source 192.168.11.0 0.0.0.255
[R2-acl-basic-2000]rule 40 permit source 192.168.12.0 0.0.0.255
[R2-acl-basic-2000]rule 50 permit source 192.168.13.0 0.0.0.255
//permit these source addresses; the rules could of course be summarized to write fewer of them!
[R2-acl-basic-2000]int g4/0/0
[R2-GigabitEthernet4/0/0]nat outbound 2000 address-group 1
//define PAT: map the addresses permitted by the ACL onto the address pool
[R2-GigabitEthernet4/0/0]nat server global 202.106.0.200 inside 10.0.0.10
//define static NAT, one to one!
[R2-GigabitEthernet4/0/0]quit
[R2]acl 3000
[R2-acl-adv-3000]rule 0 deny ip source 192.168.20.0 0.0.0.255
[R2-acl-adv-3000]rule 10 deny tcp source 192.168.21.0 0.0.0.255 destination 20.0.0.0 0.0.0.255 destination-port eq 80
//define the ACL numbered 3000 to deny the source addresses; a destination address and port can be added (matching a port requires tcp or udp as the protocol)
[R2-acl-adv-3000]int g4/0/0
[R2-GigabitEthernet4/0/0]traffic-filter inbound acl 3000
//apply ACL 3000 on the interface

**Note:** Huawei ACLs are similar to Cisco's. They are divided into basic and advanced, which correspond to Cisco's standard and extended. Basic ACLs are numbered 2000 to 2999 and advanced ACLs 3000 to 3999. The number after rule determines the order in which the ACL rules take effect!
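
The rule ordering and wildcard matching described in the note above, as an added example that is not part of the original post: a small Python evaluator for the source-only subset of the rule syntax, run over R2's ACL 2000 written with 0.0.0.255 wildcards and over a constructed variant whose first wildcard is mistyped as 0.0.0.25. The function names are hypothetical, and the example goes beyond the post by enumerating exactly which addresses a wildcard covers.

```python
import ipaddress

def parse_rule(line):
    """Parse 'rule <id> permit|deny [proto] source <addr> <wildcard>' (source-only subset)."""
    tok = line.split()
    i = tok.index("source")
    addr = int(ipaddress.IPv4Address(tok[i + 1]))
    wild = int(ipaddress.IPv4Address(tok[i + 2]))
    return int(tok[1]), tok[2], addr, wild

def matches(addr, wild, ip):
    """Wildcard bit 0 means 'must be equal', bit 1 means 'ignore'."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(rules, ip):
    """Return (action, rule_id) of the first hit in ascending rule-ID order.

    ('no-match', None) means no rule matched; what happens to the packet then
    depends on the feature that references the ACL (NAT simply does not translate it).
    """
    for rule_id, action, addr, wild in sorted(parse_rule(r) for r in rules):
        if matches(addr, wild, ip):
            return action, rule_id
    return "no-match", None

def matching_addresses(rule):
    """List every source address one rule matches (2**popcount(wildcard) of them)."""
    _, _, addr, wild = parse_rule(rule)
    base = addr & ~wild & 0xFFFFFFFF
    found, sub = [], wild
    while True:                      # walk all subsets of the wildcard bits
        found.append(base | sub)
        if sub == 0:
            break
        sub = (sub - 1) & wild
    return [str(ipaddress.IPv4Address(a)) for a in sorted(found)]

# R2's ACL 2000 from the post, written with 0.0.0.255 wildcards.
ACL_2000 = [
    "rule 0 permit source 192.168.50.0 0.0.0.255",
    "rule 10 permit source 192.168.60.0 0.0.0.255",
    "rule 20 permit source 192.168.10.0 0.0.0.255",
    "rule 30 permit source 192.168.11.0 0.0.0.255",
    "rule 40 permit source 192.168.12.0 0.0.0.255",
    "rule 50 permit source 192.168.13.0 0.0.0.255",
]
# Constructed variant: the wildcard of rule 0 mistyped as 0.0.0.25.
TYPO_ACL = ["rule 0 permit source 192.168.50.0 0.0.0.25"] + ACL_2000[1:]

if __name__ == "__main__":
    # S1's Vlanif50, a VLAN 10 client, and a VLAN 20 host that must stay untranslated
    for ip in ("192.168.50.10", "192.168.10.7", "192.168.20.5"):
        print(ip, evaluate(ACL_2000, ip), evaluate(TYPO_ACL, ip))
    print(matching_addresses(TYPO_ACL[0]))
```

With the mistyped wildcard the rule still loads but covers only eight scattered addresses, so S1's 192.168.50.10 silently falls out of the NAT match.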
R1 is configured as follows:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.106.0.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.0.0.1 24
//note that R1 only needs its IP addresses configured!

Once the configuration is complete you can verify it yourself; this post is only meant to show as many of the commands as possible!
III. Common troubleshooting commands
[S1]display current-configuration //show the device's entire current configuration
[S1]display ip routing-table //show the routing table
[S1]display vlan //show VLAN information
[S1]display ip interface brief //show interface status
[S1]display current-configuration interface vlan 10
//show the current configuration of one interface
[S1]display nat session all //show NAT translation entries
[S1]display ospf peer brief //show OSPF neighbor information
[S1]display acl all //show ACL information
[S1]display eth-trunk 12 //show link aggregation information