(1) Lab requirements:
1) Link aggregation
S1 and S2 use link aggregation to bundle two physical links into one logical link, providing load sharing and backup. Set S1 as the LACP active end; the logical link must load-balance based on destination MAC address.
2) VLANs and inter-VLAN routing
All VLAN clients and servers must be able to communicate with each other.
3) OSPF and RIP
R2, R3, S1 and S2 run OSPF; R3, R4 and R5 run RIP.
4) Route redistribution
OSPF and RIP must be redistributed into each other so that the two routing domains can communicate.
5) NAT and access control
Hosts in the 192.168.20.0/24 and 192.168.21.0/24 networks must not be able to access the Internet. The server is published to the Internet at 202.106.0.200, and Internet user PC1 can reach the server through this address.
The commands involved in this topology are:
Link aggregation;
VLAN assignment;
Router-on-a-stick and layer-3 switching;
Dynamic routing with OSPF and RIP;
Route redistribution;
PAT and static NAT;
Basic and advanced ACLs;
(2) Implementation:
1) Configure the IP addresses on the PCs and the server yourself
2) Configure link aggregation
Huawei implements link aggregation mainly through LACP. The configuration specifies the priority, the working mode, the load-balancing mode and the member interfaces.
S1 configuration:
<Huawei>system-view // enter system view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable // turn off informational messages so they do not interrupt input
Info: Information center is disabled.
[Huawei]sysname S1 // set the device name to S1
[S1]lacp priority 1000 // set the LACP system priority of S1
[S1]interface Eth-Trunk 12 // create the logical aggregation interface Eth-Trunk 12
[S1-Eth-Trunk12]mode lacp-static // use static LACP mode
[S1-Eth-Trunk12]load-balance dst-mac // load-balance on destination MAC address
[S1-Eth-Trunk12]trunkport GigabitEthernet 0/0/2 // add member interface G0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk12]trunkport GigabitEthernet 0/0/3 // add member interface G0/0/3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk12]quit // return to system view

**Note:** The smaller the LACP priority value, the higher the priority. By default the LACP system priority is 32768. Of the two devices, the one with the smaller LACP system priority value becomes the active end; if the priority values are equal, the device with the smaller MAC address becomes the active end.
S2 configuration:
<Huawei>system-view
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname S2
[S2]interface Eth-Trunk 12
[S2-Eth-Trunk12]mode lacp-static
[S2-Eth-Trunk12]trunkport GigabitEthernet 0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-Eth-Trunk12]trunkport GigabitEthernet 0/0/3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-Eth-Trunk12]quit
// The commands are almost the same as on S1, so they are not explained again here

3) Configure inter-VLAN routing
Inter-VLAN routing is handled mainly by S1 and S2. Note that even though the interfaces on S1 and S2 are all in trunk mode, the corresponding VLANs still have to be created: when a switch receives a frame from a VLAN that does not exist locally, it drops the frame.
S1 configuration:
[S1]vlan batch 10 to 13 // create VLAN 10 to VLAN 13 in one command
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface Eth-Trunk 12 // enter the aggregation interface
[S1-Eth-Trunk12]port link-type trunk // set the aggregation interface to trunk mode
[S1-Eth-Trunk12]port trunk allow-pass vlan all // allow all VLANs on the trunk
[S1-Eth-Trunk12]int g0/0/4
[S1-GigabitEthernet0/0/4]port link-type trunk // set the port to trunk mode
[S1-GigabitEthernet0/0/4]port trunk allow-pass vlan all // allow all VLANs
[S1-GigabitEthernet0/0/4]int g0/0/5
[S1-GigabitEthernet0/0/5]port link-type trunk
[S1-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/5]int vlan 10 // enter the VLAN 10 interface
[S1-Vlanif10]ip add 192.168.10.1 24 // set the IP address
[S1-Vlanif10]int vlan 11
[S1-Vlanif11]ip add 192.168.11.1 24
[S1-Vlanif11]quit

**Note:** By default a Huawei trunk allows no VLAN other than VLAN 1, whereas Cisco devices allow all VLANs by default. So on Huawei devices, after the basic trunk configuration, always add the command that allows the relevant VLANs through the trunk.
S2 configuration:
[S2]vlan batch 10 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]interface eth-trunk 12
[S2-Eth-Trunk12]port link-type trunk
[S2-Eth-Trunk12]port trunk allow-pass vlan all
[S2-Eth-Trunk12]interface g0/0/4
[S2-GigabitEthernet0/0/4]port link-type trunk
[S2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/4]interface g0/0/5
[S2-GigabitEthernet0/0/5]port link-type trunk
[S2-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/5]int vlan 12
[S2-Vlanif12]ip add 192.168.12.1 24
[S2-Vlanif12]int vlan 13
[S2-Vlanif13]ip add 192.168.13.1 24
[S2-Vlanif13]quit
// Essentially the same commands as on S1, so they are not explained again here

SW1 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw1
[sw1]vlan 10
[sw1-vlan10]interface g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access // set the port to access mode
[sw1-GigabitEthernet0/0/2]port default vlan 10 // put the interface in VLAN 10
[sw1-GigabitEthernet0/0/2]quit

SW2 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw2
[sw2]vlan 11
[sw2-vlan11]interface g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/1]int g0/0/2
[sw2-GigabitEthernet0/0/2]port link-type access
[sw2-GigabitEthernet0/0/2]port default vlan 11
[sw2-GigabitEthernet0/0/2]quit

SW3 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw3
[sw3]vlan 12
[sw3-vlan12]interface g0/0/1
[sw3-GigabitEthernet0/0/1]port link-type trunk
[sw3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw3-GigabitEthernet0/0/1]interface g0/0/2
[sw3-GigabitEthernet0/0/2]port link-type access
[sw3-GigabitEthernet0/0/2]port default vlan 12
[sw3-GigabitEthernet0/0/2]quit

SW4 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw4
[sw4]vlan 13
[sw4-vlan13]interface g0/0/1
[sw4-GigabitEthernet0/0/1]port link-type trunk
[sw4-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw4-GigabitEthernet0/0/1]interface g0/0/2
[sw4-GigabitEthernet0/0/2]port link-type access
[sw4-GigabitEthernet0/0/2]port default vlan 13
[sw4-GigabitEthernet0/0/2]quit

4) Configure router-on-a-stick
Router-on-a-stick on Huawei is almost identical to Cisco. There are two main pieces of configuration: the trunk between the switch and the router, and the router subinterfaces with their associated VLANs.
R4 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 192.168.101.2 24
[R4-GigabitEthernet0/0/0]int g0/0/1.1 // enter the subinterface
[R4-GigabitEthernet0/0/1.1]ip add 192.168.20.1 24 // set the subinterface IP address
[R4-GigabitEthernet0/0/1.1]dot1q termination vid 20 // associate the subinterface with VLAN 20
[R4-GigabitEthernet0/0/1.1]arp broadcast enable // enable ARP broadcast on the subinterface
[R4-GigabitEthernet0/0/1.1]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]ip add 192.168.21.1 24
[R4-GigabitEthernet0/0/1.2]dot1q termination vid 21
[R4-GigabitEthernet0/0/1.2]arp broadcast enable
[R4-GigabitEthernet0/0/1.2]int g0/0/2
[R4-GigabitEthernet0/0/2]ip add 192.168.102.1 24
[R4-GigabitEthernet0/0/2]quit

SW5 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname sw5
[sw5]vlan 20
[sw5-vlan20]vlan 21 // VLANs can also be created one at a time
[sw5-vlan21]int g0/0/1
[sw5-GigabitEthernet0/0/1]port link-type trunk
[sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw5-GigabitEthernet0/0/1]int g0/0/2
[sw5-GigabitEthernet0/0/2]port link-type access
[sw5-GigabitEthernet0/0/2]port default vlan 20
[sw5-GigabitEthernet0/0/2]int g0/0/3
[sw5-GigabitEthernet0/0/3]port link-type access
[sw5-GigabitEthernet0/0/3]port default vlan 21

5) Configure OSPF and RIP
RIP configuration on Huawei is almost the same as the Cisco commands; just replace no with undo. OSPF differs from Cisco: instead of a single network command that declares both the network and the area, the networks are declared in the sub-view of a given area.
S1 configuration:
[S1]vlan 50
[S1-vlan50]int g0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 50 // put the physical interface in the VLAN
[S1-GigabitEthernet0/0/1]int vlan 50
[S1-Vlanif50]ip add 192.168.50.10 24
[S1-Vlanif50]ospf 1 // enter the OSPF process
[S1-ospf-1]area 0 // enter area 0
[S1-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255 // for simplicity, announce all networks
[S1-ospf-1-area-0.0.0.0]quit

**Note:** To set the router ID when configuring OSPF, append router-id when entering the process view, for example [S1] ospf 1 router-id 1.1.1.1. Also, Huawei layer-3 switches have no command that directly promotes a layer-2 interface to a layer-3 interface, like no switchport on Cisco. So for inter-VLAN routing or a direct link to a router, the only option is to configure a VLAN virtual interface (Vlanif) and bind the physical interface to that VLAN.
S2 configuration:
[S2]vlan 60
[S2-vlan60]int g0/0/1
[S2-GigabitEthernet0/0/1]port link-type access
[S2-GigabitEthernet0/0/1]port default vlan 60
[S2-GigabitEthernet0/0/1]int vlan 60
[S2-Vlanif60]ip add 192.168.60.10 24
[S2-Vlanif60]ospf 1
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255

R2 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g4/0/0
[R2-GigabitEthernet4/0/0]ip add 202.106.0.10 24
[R2-GigabitEthernet4/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 192.168.50.1 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.60.1 24
[R2-GigabitEthernet0/0/2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.100.1 24
[R2-GigabitEthernet0/0/0]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.50.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.60.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
// Note: OSPF must not announce all networks here, otherwise the experiment of communication between the external and internal networks would be meaningless
[R2-ospf-1-area-0.0.0.0]quit

R3 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.100.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 192.168.101.1 24
[R3-GigabitEthernet0/0/1]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]rip // enter the RIP process view; the default process ID is 1
[R3-rip-1]version 2 // set the RIP version
[R3-rip-1]undo summary // turn off RIP automatic summarization
[R3-rip-1]network 192.168.101.0 // announce the network
[R3-rip-1]quit

Note: When configuring RIP in Cisco IOS, a network can be announced either by its classful network or by the actual subnet. For example, for 10.1.1.1/24 both 10.1.1.0 and 10.0.0.0 are accepted, but Cisco corrects the entry to 10.0.0.0 (the standard form). On Huawei devices, RIP networks can only be announced in the standard form, that is, by the mask of the major (classful) network.
R4 configuration:
[R4]rip
[R4-rip-1]version 2
[R4-rip-1]undo summary
[R4-rip-1]network 192.168.101.0
[R4-rip-1]network 192.168.20.0
[R4-rip-1]network 192.168.21.0
[R4-rip-1]network 192.168.102.0

R5 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R5
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]ip add 192.168.102.2 24
[R5-GigabitEthernet0/0/0]int g0/0/1
[R5-GigabitEthernet0/0/1]ip add 10.0.0.1 24
[R5-GigabitEthernet0/0/1]rip
[R5-rip-1]version 2
[R5-rip-1]undo summary
[R5-rip-1]network 192.168.102.0
[R5-rip-1]network 10.0.0.0

6) Configure route redistribution
Route redistribution on Huawei devices is done with the import-route command. Whatever protocol is imported, its process ID has to be given. As on Cisco, to import protocol A into protocol B, first enter B's routing process and run the command that imports A, and vice versa.
R3 configuration:
[R3]ospf 1
[R3-ospf-1]import-route rip 1 // in the OSPF process, import RIP process 1
[R3-ospf-1]rip
[R3-rip-1]import-route ospf 1 // in the RIP process, import OSPF process 1
[R3-rip-1]quit

R2 configuration:
[R2]ip route-static 0.0.0.0 0.0.0.0 202.106.0.1
// In a real environment, the internal network reaches servers on the external network through a default route
[R2]ospf 1
[R2-ospf-1]default-route-advertise
// advertise the default route (only works if a default route exists)

7) Configure NAT and access control
On Huawei, NAT is configured directly in the view of the external interface. The internal traffic to be translated is selected by an ACL, and the inside global addresses it is translated to are defined by a NAT address group.
R2 configuration:
[R2]nat address-group 1 202.106.0.100 202.106.0.100 // define the NAT address group (pool)
[R2]acl 2000 // create ACL number 2000
[R2-acl-basic-2000]rule 0 permit source 192.168.50.0 0.0.0.255
[R2-acl-basic-2000]rule 10 permit source 192.168.60.0 0.0.0.255
[R2-acl-basic-2000]rule 20 permit source 192.168.10.0 0.0.0.255
[R2-acl-basic-2000]rule 30 permit source 192.168.11.0 0.0.0.255
[R2-acl-basic-2000]rule 40 permit source 192.168.12.0 0.0.0.255
[R2-acl-basic-2000]rule 50 permit source 192.168.13.0 0.0.0.255
// permit these source addresses; the networks could of course be summarized to write fewer rules
[R2-acl-basic-2000]int g4/0/0
[R2-GigabitEthernet4/0/0]nat outbound 2000 address-group 1
// define PAT: map the addresses permitted by the ACL to the address pool
[R2-GigabitEthernet4/0/0]nat server global 202.106.0.200 inside 10.0.0.10
// define static NAT, one-to-one
[R2-GigabitEthernet4/0/0]quit
[R2]acl 3000
[R2-acl-adv-3000]rule 0 deny ip source 192.168.20.0 0.0.0.255
[R2-acl-adv-3000]rule 10 deny tcp source 192.168.21.0 0.0.0.255 destination 20.0.0.0 0.0.0.255 destination-port eq 80
// define ACL 3000 to deny the source addresses; a destination address and port can be added (a port match requires tcp or udp as the protocol)
[R2-acl-adv-3000]int g4/0/0
[R2-GigabitEthernet4/0/0]traffic-filter outbound acl 3000
// apply ACL 3000 on the interface, in the outbound direction because traffic from 192.168.20.0/24 and 192.168.21.0/24 leaves R2 through g4/0/0

**Note:** Huawei ACLs are similar to Cisco's. They are divided into basic and advanced, comparable to Cisco's standard and extended ACLs. Basic ACLs are numbered 2000 to 2999 and advanced ACLs 3000 to 3999. The number after rule indicates the order in which the ACL rules take effect.
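The rule matching described in the note above, worked through for R2's two ACLs. This is an added example, not part of the original post: the Python names (`parse_acls`, `evaluate`, `outbound_verdict`), the sample packets and the TCP form of ACL 3000 rule 10 are assumptions of the example, as is the modelled behaviour (rules checked in ascending rule-ID order with first match winning, ACL 3000 filtering packets on their way out of the Internet-facing interface, packets that match no filter rule forwarded, and only sources permitted by ACL 2000 translated by nat outbound).

```python
import ipaddress
import re

# Rules as configured on R2 in this lab (constructed input; ACL 3000 rule 10 taken as a TCP rule).
ACL_TEXT = """
acl 2000
rule 0 permit source 192.168.50.0 0.0.0.255
rule 10 permit source 192.168.60.0 0.0.0.255
rule 20 permit source 192.168.10.0 0.0.0.255
rule 30 permit source 192.168.11.0 0.0.0.255
rule 40 permit source 192.168.12.0 0.0.0.255
rule 50 permit source 192.168.13.0 0.0.0.255
acl 3000
rule 0 deny ip source 192.168.20.0 0.0.0.255
rule 10 deny tcp source 192.168.21.0 0.0.0.255 destination 20.0.0.0 0.0.0.255 destination-port eq 80
"""

RULE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny)(?: (?P<proto>ip|tcp|udp))?"
    r"(?: source (?P<src>\S+) (?P<srcw>\S+))?"
    r"(?: destination (?P<dst>\S+) (?P<dstw>\S+))?"
    r"(?: destination-port eq (?P<dport>\d+))?$")

def wc_match(addr, net, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored, all others must be equal."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def parse_acls(text):
    """Parse 'acl N' / 'rule ...' lines into {acl_number: [rule dicts]}."""
    acls, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("acl "):
            current = acls.setdefault(int(line.split()[1]), [])
            continue
        m = RULE.match(line)
        if m is None or current is None:
            raise ValueError(f"unsupported line: {line!r}")
        current.append(m.groupdict())
    return acls

def evaluate(rules, src, dst=None, proto="ip", dport=None):
    """Return (action, rule_id) of the first matching rule, or ("no-match", None)."""
    for r in sorted(rules, key=lambda r: int(r["id"])):  # ascending rule-ID order
        if (r["proto"] in (None, "ip", proto)
                and (not r["src"] or wc_match(src, r["src"], r["srcw"]))
                and (not r["dst"] or (dst and wc_match(dst, r["dst"], r["dstw"])))
                and (not r["dport"] or int(r["dport"]) == dport)):
            return r["action"], int(r["id"])
    return "no-match", None

def outbound_verdict(acls, src, dst, proto="tcp", dport=80):
    """Fate of a packet leaving R2 towards the Internet (assumed processing order)."""
    action, rid = evaluate(acls[3000], src, dst, proto, dport)
    if action == "deny":
        return "filtered", rid        # dropped by the traffic-filter
    action, rid = evaluate(acls[2000], src)
    if action == "permit":
        return "translated", rid      # PAT to the address group (202.106.0.100)
    return "untranslated", None       # forwarded with its private source address

if __name__ == "__main__":
    print(outbound_verdict(parse_acls(ACL_TEXT), "192.168.21.9", "20.0.0.2", "tcp", 443))
```

For 192.168.21.0/24, ACL 3000 only blocks TCP port 80 towards 20.0.0.0/24; other traffic passes the filter and is forwarded untranslated because ACL 2000 does not list that network.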
R1 configuration:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.106.0.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.0.0.1 24
// Note: R1 only needs its IP addresses configured

Once the configuration is complete you can verify it yourself; this post is only meant to show as many of the commands as possible.
III. Common troubleshooting commands
[S1]display current-configuration // show the full current configuration of the device
[S1]display ip routing-table // show the routing table
[S1]display vlan // show VLAN information
[S1]display ip interface brief // show interface status
[S1]display current-configuration interface vlan 10
// show the current configuration of a single interface
[S1]display nat session all // show NAT translation entries
[S1]display ospf peer brief // show OSPF neighbor information
[S1]display acl all // show ACL information
[S1]display eth-trunk 12 // show link aggregation information