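Basic configuration (easy marks): system-view, sysname, interface vlanif, IP addresses
High-frequency configuration (must know): VLAN, DHCP, ACL, policy-based routing, NAT, static/default/RIP/OSPF routing
Less common exam topics: IPv6, 4G, WLAN, IPsec
The afternoon paper accounts for 50% of the score
Huawei basic configuration commands
<Huawei>: user view
[Huawei]: system view
[user-interface vty 0 4]: enter the user interface view
[interface g0/0/0]: enter the interface view
[acl 2000]: enter the ACL view
[vlan 10]: enter the VLAN view
[ospf 1]: enter the routing protocol view
quit: return to the previous view
DHCP and VLAN configuration
I am using the eNSP simulator here. Because of the overseas actions targeting Huawei, and open-source software also suing Huawei for infringement, Huawei took this software down. Huawei now seems to have released its own eNSP simulator; you can check the documentation on the official website.
Configuring IP addresses manually
Create VLAN 10 and VLAN 20, put port 1 into VLAN 10 and port 2 into VLAN 20, and configure the gateways
undo info-center enable: turns off the information messages (otherwise they keep popping up and interrupting command entry)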
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]interface vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.254 24
[Huawei-Vlanif10]interface vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.254 24
[Huawei-Vlanif20]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 20
[Huawei-GigabitEthernet0/0/2]
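Manually assign PC1 an address, with the gateway pointing to the 192.168.10.254 we configured
Manually assign PC2 an address, with the gateway pointing to the 192.168.20.254 we configured
Ping between the two hosts to test whether they can reach each other
Interface-based DHCP configuration
Enable the DHCP function
Create VLAN 10 and VLAN 20, and assign ports g0/0/1 and g0/0/2 to the corresponding VLANs
Configure the gateways for VLAN 10 and VLAN 20
Select interface-based DHCP
Specify the DNS server
Specify the lease
Exclude an address range from allocation (Huawei allocates addresses starting from the largest address by default; for both the 10 and 20 subnets below we exclude addresses 100-253, so the clients obtain 10.99/20.99)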
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[Huawei]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 20
[Huawei-GigabitEthernet0/0/2]q
[Huawei]interface vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.254 24
[Huawei-Vlanif10]dhcp select interface
[Huawei-Vlanif10]dhcp server dns-list 1.1.1.1
[Huawei-Vlanif10]dhcp server lease day 1
[Huawei-Vlanif10]dhcp server excluded-ip-address 192.168.10.100 192.168.10.253
[Huawei-Vlanif10]q
[Huawei]interface vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.254 24
[Huawei-Vlanif20]dhcp select interface
[Huawei-Vlanif20]dhcp server dns-list 2.2.2.2
[Huawei-Vlanif20]dhcp server lease day 2
[Huawei-Vlanif20]dhcp server excluded-ip-address 192.168.20.100 192.168.20.253
[Huawei-Vlanif20]q
[Huawei]
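Enable DHCP (automatic address acquisition) on PC1 and PC2
First use ipconfig to view the obtained IP address, then ping between the two hosts to test connectivity.
Global address pool-based DHCP configuration
Enable DHCP
Create VLAN 10 and VLAN 20
Assign IP addresses to the VLANIF interfaces and select the DHCP mode
Assign the ports to the corresponding VLANs
Create address pools 10 and 20
Specify each pool's gateway, DNS, lease, and the addresses excluded from allocation (reserved addresses)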
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[Huawei]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]interface vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.254 24
[Huawei-Vlanif10]dhcp select glo
[Huawei-Vlanif10]dhcp select global
[Huawei-Vlanif10]q
[Huawei]interface vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.254 24
[Huawei-Vlanif20]dhcp select global
[Huawei-Vlanif20]q
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 20
[Huawei-GigabitEthernet0/0/2]q
[Huawei]ip pool 10
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-10]network 192.168.10.0 mask 24
[Huawei-ip-pool-10]gateway-list 192.168.10.254
[Huawei-ip-pool-10]dns-list 1.1.1.1
[Huawei-ip-pool-10]lease day 1
[Huawei-ip-pool-10]q
[Huawei]ip pool 20
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-20]network 192.168.20.0 mask 24
[Huawei-ip-pool-20]gateway-list 192.168.20.254
[Huawei-ip-pool-20]dns-list 2.2.2.2
[Huawei-ip-pool-20]lease day 2
[Huawei-ip-pool-20]excluded-ip-address 192.168.20.201 192.168.20.253
[Huawei-ip-pool-20]q
[Huawei]
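Enable DHCP on both PCs, check the IP addresses and test mutual access
PC1: no reserved addresses are configured, so it obtains the largest address, 10.253
PC2: addresses 20.10-20.253 are reserved, so it obtains 20.9
ACL configuration
An ACL is an ordered list of rules made up of a series of permit or deny statements.
An ACL is a matching tool that can match and classify packets.
The rule ID is optional; if omitted, IDs increase in steps of 5 by default.
Special wildcards: 192.168.1.1 0.0.0.0 = 192.168.1.1 0 (0.0.0.0 can be written as a single 0); 0.0.0.0 255.255.255.255 = any (can be written as any)
ACL types (mainly remember basic and advanced)
Type | Number range | Rules |
Basic ACL | 2000-2999 | Rules are defined using the packet's source IP address |
Advanced ACL | 3000-3999 | Rules can be defined using the IPv4 source IP, destination IP address, IP protocol type, TCP/UDP source port, TCP/UDP destination port and similar information |
Layer 2 ACL | 4000-4999 | Rules are defined using the packet's Ethernet frame header information |
User-defined ACL | 5000-5999 | Rules are defined using the packet header, an offset and a user-defined string |
User ACL | 6000-6999 | Rules are defined using basic ACL + advanced ACL rules |
Basic ACL configuration
Topology diagram
Implementation: after a basic ACL is deployed on Router, the ACL filters out packets with source addresses in 192.168.1.0/24 that try to pass through Router and permits all other traffic, which prevents users in 192.168.1.0/24 from accessing the server network on the right side of Router.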
[Router] acl 2000
[Router-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255 // deny sources in the 192.168.1 subnet
[Router-acl-basic-2000] rule permit source any // permit all other sources
[Router] interface GigabitEthernet 0/0/1 // enter interface g0/0/1
[Router-GigabitEthernet0/0/1] traffic-filter inbound acl 2000 // apply traffic filtering in the inbound direction
[Router-GigabitEthernet0/0/1] quit
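Advanced ACL configuration
Server: 192.168.3.100
Sales department: 192.168.1.1
Development department: 192.168.2.1
Simulated Internet: 1.1.1.1
Requirement 1: the sales department is not allowed to access the server
Requirement 2: the development department can access the server
Requirement 3: the Internet cannot access the server
Router configuration
Enter the system view
Change the router's device name to router
Configure the gateway for each department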
<Huawei> system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]
[Huawei]
[Huawei]sysname router
[router]interface gigabitethernet 0/0/0
[router-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[router-GigabitEthernet0/0/0]interface gigabitethernet 0/0/1
[router-GigabitEthernet0/0/1]ip address 192.168.2.254 24
[router-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[router-GigabitEthernet0/0/2]ip address 1.1.1.254 24
[router-GigabitEthernet0/0/2]interface ethernet 0/0/0
[router-Ethernet0/0/0]ip address 192.168.3.254 24
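[router-Ethernet0/0/0]
Simulated Internet router configuration
Enter the system view
Enter port g0/0/0
Configure the gateway
Add a default static route so that traffic can be sent to 1.1.1.254; at this point all devices can access the Internet.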
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0 1.1.1.254
[Huawei]
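ACL configuration
Create 3 ACL rules
1. Deny sales access to 192.168.3.100
2. Permit development access to 192.168.3.100
3. Deny Internet access to 192.168.3.100
Finally, apply ACL 3000 on the router's e0/0/0 interface.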
<router>
<router>sys
Enter system view, return user view with Ctrl+Z.
[router]acl 3000
[router-acl-adv-3000]rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.100 0.0.0.0
[router-acl-adv-3000]rule 2 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.100 0.0.0.0
[router-acl-adv-3000]rule 3 deny ip source any destination 192.168.3.100 0.0.0.0
[router-acl-adv-3000]q
[router]interface ethernet 0/0/0
[router-Ethernet0/0/0]traffic-filter outbound acl 3000
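An added example, not part of the original page: a small Python model of how the ACL 3000 above is evaluated (rules tried in ascending rule ID, wildcard bits of 0 must match, first match decides), plus a constructed misordered variant showing why rule order matters. The function names are illustrative, and the permit-on-no-match default is an assumption about traffic-filter that can be overridden.

```python
import ipaddress
import re

# The three rules of the page's ACL 3000 (wrapped terminal lines joined).
ACL_3000 = """
rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.100 0.0.0.0
rule 2 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.100 0.0.0.0
rule 3 deny ip source any destination 192.168.3.100 0.0.0.0
"""

# Constructed counter-example: same intent, but the catch-all deny is numbered first.
ACL_MISORDERED = """
rule 1 deny ip source any destination 192.168.3.100 0
rule 2 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.100 0
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip source (any|\S+ \S+) destination (any|\S+ \S+)"
)


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _field(spec):
    """Convert 'any' or 'ADDRESS WILDCARD' to (base, care_mask).

    A 0 bit in the wildcard means "must match", a 1 bit means "ignore".
    """
    if spec == "any":
        return 0, 0                      # same as 0.0.0.0 255.255.255.255
    address, wildcard = spec.split()
    if wildcard == "0":                  # shorthand for 0.0.0.0
        wildcard = "0.0.0.0"
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return _to_int(address) & care, care


def parse_acl(text):
    """Return rules sorted by rule ID, the order in which they are tried."""
    rules = [
        (int(m[1]), m[2], _field(m[3]), _field(m[4]))
        for m in RULE_RE.finditer(text)
    ]
    return sorted(rules, key=lambda rule: rule[0])


def evaluate(rules, src, dst, unmatched="permit"):
    """First matching rule decides. Returns (action, rule_id).

    Assumption: a packet that matches no rule is forwarded by traffic-filter,
    so `unmatched` defaults to "permit"; pass "deny" to model a strict policy.
    """
    s, d = _to_int(src), _to_int(dst)
    for rule_id, action, (s_base, s_care), (d_base, d_care) in rules:
        if (s & s_care) == s_base and (d & d_care) == d_base:
            return action, rule_id
    return unmatched, None


if __name__ == "__main__":
    acl = parse_acl(ACL_3000)
    for name, src in [("sales", "192.168.1.1"), ("dev", "192.168.2.1"),
                      ("internet", "1.1.1.1")]:
        print(name, evaluate(acl, src, "192.168.3.100"))
    print("dev, misordered:",
          evaluate(parse_acl(ACL_MISORDERED), "192.168.2.1", "192.168.3.100"))
```

With the misordered list the development host is denied by rule 1 before its permit is ever tried, which is why the specific permit must carry a lower rule ID than the catch-all deny.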
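NAT configuration
Background of NAT
As the number of Internet users grows, IPv4 addresses are increasingly scarce and public addresses are severely insufficient.
NAT alleviates the IPv4 address shortage. In addition, NAT prevents the external network from communicating directly with internal hosts that use private addresses, which improves the security of the internal network.
Private IP addresses
Public addresses: managed by dedicated organizations, which allocate IP addresses that can communicate directly on the Internet.
Private addresses: can be used freely by organizations and individuals, cannot communicate directly on the Internet, and can only be used internally.
Class A: 10.0.0.0~10.255.255.255
Class B: 172.16.0.0~172.31.255.255
Class C: 192.168.0.0~192.168.255.255
Static NAT
Each private address maps to one public address. This is rarely used in practice: one-to-one mapping is too wasteful, and the address stays occupied even when the computer is powered off.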
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]nat static global 1.1.1.1 inside 192.168.1.5
[Huawei-GigabitEthernet0/0/1]nat static global 1.1.1.2 inside 192.168.1.6
[Huawei-GigabitEthernet0/0/1]nat static global 1.1.1.3 inside 192.168.1.7
[Huawei-GigabitEthernet0/0/1]
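Dynamic NAT
To avoid wasting addresses, dynamic NAT introduces the concept of an address pool, and all public addresses are placed in the pool. It is somewhat more flexible than static NAT, but it is also rarely used in real projects; it is just less wasteful than static NAT, and the more users there are, the more public IPs are consumed.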
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]nat address-group 2 10.1.1.1 10.1.1.50
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2000]q
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]nat outbound 2000 address-group 2 no-pat
[Huawei-GigabitEthernet0/0/0]
NAPT
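When an address is selected from the pool for translation, not only the IP address but also the port is translated, which gives a 1:n public mapping and effectively improves utilization.
In the configuration, dynamic NAT without no-pat is NAPT. Note that the NAPT public address varies within the address pool.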
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]nat address-group 2 10.1.1.1 10.1.1.50
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2000]q
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]nat outbound 2000 address-group 2
[Huawei-GigabitEthernet0/0/0]
Easy-NAT
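It works on the same principle as NAPT; the difference is that there is no address pool, and the interface address is used as the public address for NAT translation.
No address pool needs to be configured.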
<Huawei>
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2000]q
[Huawei]interface gigabitetherne 0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 2000
[Huawei-GigabitEthernet0/0/1]
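An added example, not part of the original page: a toy Python model of the three nat outbound variants above (dynamic NAT with no-pat, NAPT, Easy-NAT) that shows pool exhaustion without port translation and address sharing with it. The public addresses (203.0.113.x), the sequential port allocation and all class and function names are constructed for illustration; the inside subnet is the page's 192.168.1.0/24.

```python
import ipaddress


def address_group(first, last):
    """Expand 'nat address-group N first last' into a list of addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class NatOutbound:
    """Toy model of the three 'nat outbound' variants described above.

    pool given, no_pat=True   -> dynamic NAT (address only, one host per address)
    pool given, no_pat=False  -> NAPT (address and port, pool address shared)
    no pool                   -> Easy-NAT (interface address and port)
    """

    def __init__(self, interface_ip, pool=None, no_pat=False, first_port=10000):
        self.public = list(pool) if pool else [interface_ip]
        self.no_pat = bool(pool) and no_pat
        self.by_host = {}   # dynamic NAT: inside IP -> public IP
        self.by_flow = {}   # NAPT / Easy-NAT: (inside IP, port) -> (public IP, port)
        self.next_port = first_port   # assumption: ports handed out sequentially

    def translate(self, src_ip, src_port):
        """Outbound packet: (public IP, public port), or None if no address is free."""
        if self.no_pat:
            if src_ip not in self.by_host:
                free = [ip for ip in self.public if ip not in self.by_host.values()]
                if not free:
                    return None            # pool exhausted, host gets no translation
                self.by_host[src_ip] = free[0]
            return self.by_host[src_ip], src_port
        flow = (src_ip, src_port)
        if flow not in self.by_flow:
            # Assumption: always the first public address; a device may pick any pool member.
            self.by_flow[flow] = (self.public[0], self.next_port)
            self.next_port += 1
        return self.by_flow[flow]

    def inbound(self, public_ip, public_port):
        """Port-translating modes: a packet from outside is delivered only when
        an inside host created the mapping first."""
        for flow, mapped in self.by_flow.items():
            if mapped == (public_ip, public_port):
                return flow
        return None


def demo():
    """Three inside hosts (page's 192.168.1.0/24) through each variant."""
    hosts = [("192.168.1.5", 5000), ("192.168.1.6", 5000), ("192.168.1.7", 5000)]
    variants = {
        "dynamic": NatOutbound("203.0.113.1",
                               address_group("203.0.113.10", "203.0.113.11"), no_pat=True),
        "napt": NatOutbound("203.0.113.1", address_group("203.0.113.10", "203.0.113.10")),
        "easy": NatOutbound("203.0.113.1"),
    }
    return {name: [nat.translate(*h) for h in hosts] for name, nat in variants.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The inbound method illustrates the security remark in the NAT background: an unsolicited packet from outside finds no table entry and is not delivered to any private host.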
NAT Server
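Specifies a one-to-one mapping between a public address + port and a private address + port, mapping an internal server to the public network; used when a private-network server needs to be reachable from the external network.
Map the server at private address 192.168.3.100 to public address 122.1.2.1, port 80.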
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 122.1.2.1 24
[Huawei-GigabitEthernet0/0/1]nat server protocol tcp global 122.1.2.1 www inside 192.168.3.100 80
[Huawei-GigabitEthernet0/0/1]
Practising NAT in the eNSP simulator
Topology diagram
Manually set the IP addresses of PC1 and PC2
Set the IP addresses on router AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.1.254 24
[Huawei-GigabitEthernet0/0/1]
[Huawei-GigabitEthernet0/0/1]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 12.1.1.1 24
[Huawei-GigabitEthernet0/0/0]
[Huawei-GigabitEthernet0/0/0]q
[Huawei]sysname AR1
[AR1]
Set the address on router AR2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR2
[AR2]undo info-center enable
Info: Information center is disabled.
[AR2]interface gigabitethernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 12.1.1.254 24
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]
Exercise 1: configure static NAT in the system view; note that static NAT must then be enabled on the AR1 port
[AR1]nat static global 12.1.1.2 inside 192.168.1.1
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat static enable
[AR1-GigabitEthernet0/0/0]
Exercise 2: configure static NAT in the interface view; static NAT does not need to be enabled separately
[AR1]
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat static global 12.1.1.3 inside 192.168.1.2
[AR1-GigabitEthernet0/0/0]
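Exercise 3: dynamic NAT. Create an address pool and a basic ACL that matches all addresses in the 1 subnet; a packet capture shows the public address each host goes out with, one 12.1.1.5 and the other 12.1.1.8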
[AR1]
[AR1]nat address-group 1 12.1.1.2 12.1.1.10
[AR1]acl 2000
[AR1-acl-basic-2000]rule 1 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]q
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
[AR1-GigabitEthernet0/0/0]
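Exercise 4: NAPT. Configure an address pool with only one public address and capture packets to see which public address each of the two PCs goes out with; both are 12.1.1.2. NAPT can translate ports: 1 address with n pseudo port numbers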
[AR1]
[AR1]nat address-group 1 12.1.1.2 12.1.1.2
[AR1]acl 2000
[AR1-acl-basic-2000]rule 2 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]q
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1
[AR1-GigabitEthernet0/0/0]
Exercise 5: Easy-NAT. A packet capture shows that their public IP is the address of AR1's g0/0/0 port, 12.1.1.1.
[AR1]
[AR1]acl 2000
[AR1-acl-basic-2000]rule 100 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]q
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000
[AR1-GigabitEthernet0/0/0]
Exercise 6: NAT Server. Map the server 192.168.1.3 to public address 12.1.1.3, port 80
<AR1>sys
Enter system view, return user view with Ctrl+Z.
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat server protocol tcp global 12.1.1.3 www inside 192.168.1.3 80
[AR1-GigabitEthernet0/0/0]
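Gateway redundancy with VRRP
VRRP principle
By combining several routers into one virtual routing device, VRRP ensures that when the host's next-hop router fails, services are switched to the backup routing device in time, which maintains the continuity and reliability of communication.
VRRP router: a router that runs the VRRP protocol.
VRID: a VRRP group consists of multiple cooperating routers (interfaces) identified by the same VRID. Routers in the same VRRP group exchange VRRP protocol packets and produce one virtual "router". A VRRP group can have only one master router.
Typical VRRP application
By creating multiple virtual routers, with each physical router playing a different role in different VRRP groups, and using the virtual IPs of the different virtual routers as different internal gateway addresses, traffic forwarding can be load-shared.
BFD: when a fault occurs, switches between the master and backup devices at millisecond speed.
VRRP configuration
PC1 configuration
Set IP 192.168.10.1, gateway 192.168.10.254
LSW1 switch configuration
ge0/0/1 access, vlan10
ge0/0/2 trunk
ge0/0/3 trunk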
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan 10
[Huawei-vlan10]q
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]q
[Huawei]interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/2]q
[Huawei]interface gigabitethernet 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/3]q
[Huawei]
LSW2 switch configuration
Basic configuration
vlan10: 192.168.10.252/24
vlan100: 192.168.100.1/30
ge 0/0/1 trunk
ge 0/0/3 trunk
ge 0/0/2 access, vlan100
<Huawei>
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname LSW2
[LSW2]vlan batch 10 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2]interface vlanif 10
[LSW2-Vlanif10]ip address 192.168.10.252 24
[LSW2-Vlanif10]q
[LSW2]interface vlanif 100
[LSW2-Vlanif100]ip address 192.168.100.1 30
[LSW2-Vlanif100]q
[LSW2]interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/1]q
[LSW2]interface gigabitethernet 0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/3]q
[LSW2]interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 100
[LSW2-GigabitEthernet0/0/2]q
[LSW2]
Configure VRRP
VRRP virtual IP: 192.168.10.254
Priority 120
Preemption delay 20s
[LSW2]
[LSW2]interface vlanif 10
[LSW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW2-Vlanif10]vrrp vrid 10 priority 120
[LSW2-Vlanif10]vrrp vri 10 preempt-mode timer delay 20
[LSW2-Vlanif10]
Configure routing
PC1 can now reach the 3 switches, but it cannot reach the Internet
[LSW2]ip route-static 0.0.0.0 0 192.168.100.2
[LSW2]
LSW3 switch configuration
Basic configuration
vlan10: 192.168.10.253/24
vlan200: 192.168.200.1/30
ge0/0/1 trunk
ge0/0/3 trunk
ge0/0/2 access, vlan200
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname LSW3
[LSW3]vlan batch 10 200
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW3]interface vlanif 10
[LSW3-Vlanif10]ip address 192.168.10.253 24
[LSW3-Vlanif10]q
[LSW3]interface vlanif 200
[LSW3-Vlanif200]ip address 192.168.200.1 30
[LSW3-Vlanif200]q
[LSW3]interface gigabitethernet 0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW3-GigabitEthernet0/0/1]q
[LSW3]interface gigabitethernet 0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type trunk
[LSW3-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW3-GigabitEthernet0/0/3]q
[LSW3]interface gigabitethernet 0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type access
[LSW3-GigabitEthernet0/0/2]port default vlan 200
[LSW3-GigabitEthernet0/0/2]q
[LSW3]
VRRP configuration
VRRP virtual IP: 192.168.10.254
The default priority is 100, so LSW2 is the master and LSW3 is the backup
[LSW3]
[LSW3]interface vlanif 10
[LSW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW3-Vlanif10]q
[LSW3]
Configure the default route
[LSW3]
[LSW3]ip route-static 0.0.0.0 0 192.168.200.2
[LSW3]
R1 router configuration
Basic configuration
ge0/0/1: 192.168.100.2/30
ge0/0/2: 192.168.200.2/30
ge0/0/0: 100.1.1.2/30
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR1
[AR1]interface gigabitethernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.100.2 30
[AR1-GigabitEthernet0/0/1]q
[AR1]interface gigabitethernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.200.2 30
[AR1-GigabitEthernet0/0/2]q
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 100.1.1.2 30
[AR1-GigabitEthernet0/0/0]q
[AR1]
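Route configuration
Point the 10 subnet to 100.1 and 200.1
There are two return paths; if the LSW2 router fails and goes down, traffic can still go via the right side.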
[AR1]
[AR1]ip route-static 192.168.10.0 24 192.168.100.1
[AR1]ip route-static 192.168.10.0 24 192.168.200.1
[AR1]
R2 router configuration
Basic configuration
ge0/0/0: 100.1.1.1/30
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR2
[AR2]interface gigabitethernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 100.1.1.1 30
[AR2-GigabitEthernet0/0/0]q
Route configuration
Send the 10 subnet to 100.1.1.2; otherwise requests from the 10 subnet arrive but the replies cannot get back
[AR2]ip route-static 192.168.10.0 24 100.1.1.2
[AR2]q
<AR2>
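This completes the configuration. This topology mainly practises VRRP and its relationship to the routing path. You can capture packets while PC1 pings 100.1.1.1 to see whether traffic goes left or right by default. Clearly the left side is the master, so traffic goes left by default. When we lower LSW2's VRRP priority (for example to 90; LSW3's priority is the default 100), traffic automatically takes the backup path out through the right side. When the priority of the LSW2 switch on the left is set back, it has to wait 20 seconds before it becomes master again.
Floating routes and BFD configuration
Topology diagram
PC configuration
pc1: 192.168.10.1/24
pc2: 192.168.20.1/24
AR1 router configuration
Configure the addresses of the 4 interfaces
ge0/0/0: 192.168.10.254/24
ge0/0/1: 192.168.20.254/24
ge0/0/2: 12.1.1.1/30
ge4/0/0: 13.1.1.1/30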
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR1
[AR1]interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.10.254 24
[AR1-GigabitEthernet0/0/0]q
[AR1]interface gigabitethernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.20.254 24
[AR1-GigabitEthernet0/0/1]q
[AR1]interface gigabitethernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 12.1.1.1 30
[AR1-GigabitEthernet0/0/2]q
[AR1]interface gigabitethernet 4/0/0
[AR1-GigabitEthernet4/0/0]ip address 13.1.1.1 30
[AR1-GigabitEthernet4/0/0]q
[AR1]
Configure the egress addresses
[AR1]acl 2000
[AR1-acl-basic-2000]rule 1 permit source 192.168.10.0 0.0.0.255
[AR1-acl-basic-2000]rule 2 permit source 192.168.20.0 0.0.0.255
[AR1-acl-basic-2000]quit
[AR1]interface gigabitethernet 0/0/2
[AR1-GigabitEthernet0/0/2]nat outbound 2000
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]quit
[AR1]interfa gigabitethernet 4/0/0
[AR1-GigabitEthernet4/0/0]nat outbound 2000
[AR1-GigabitEthernet4/0/0]qui
[AR1]
Configure static routes
Both the Telecom and Unicom paths can be used
[AR1]
[AR1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
[AR1]ip route-static 0.0.0.0 0.0.0.0 13.1.1.2
[AR1]
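At this point both preferences are the default 60
But traffic takes the lower Unicom path, and we require the upper Telecom path to be preferred
Raise the preference value of the Unicom route (90); the smaller the number, the higher the priority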
[AR1]
[AR1]ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 90
Info: Succeeded in modifying route.
Apr 11 2023 15:04:53-08:00 AR1 %%01RM/4/IPV4_DEFT_RT_CHG(l)[0]:IPV4 default Route is changed. (ChangeType=Delete, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet4/0/0, Nexthop=13.1.1.2, Neighbour=0.0.0.0, Preference=1509949440, Label=NULL, Metric=0)
[AR1]
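Traffic now takes the upper Telecom path by default, and uses the lower Unicom path only when the upper link fails
AR2 router configuration
Configure the IPs of the ports on both sides
ge0/0/0: 12.1.1.2/30
ge0/0/1: 100.1.1.1/30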
<Huawei>
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR2
[AR2]interface gigabitethernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 12.1.1.2 30
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface gigabitethernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 100.1.1.1 30
[AR2-GigabitEthernet0/0/1]q
[AR2]
Advertise all subnets in OSPF
[AR2]
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]quit
[AR2-ospf-1]quit
AR3 router configuration
ge0/0/1: 13.1.1.2/30
ge0/0/0: 200.1.1.1/30
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR3
[AR3]interface gigabitethernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 13.1.1.2 30
[AR3-GigabitEthernet0/0/1]quit
[AR3]interface gigabitethernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 200.1.1.1 30
[AR3-GigabitEthernet0/0/0]quit
[AR3]
Advertise all subnets in OSPF
[AR3]
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]quit
[AR3-ospf-1]quit
[AR3]
AR4 router configuration
ge0/0/0: 100.1.1.2/30
ge0/0/1: 200.1.1.2/30
lo0: 22.22.22.22/32
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR4
[AR4]interface gigabitethernet 0/0/1
[AR4-GigabitEthernet0/0/1]ip address 100.1.1.2 30
[AR4-GigabitEthernet0/0/1]quit
[AR4]interface gigabitethernet 0/0/0
[AR4-GigabitEthernet0/0/0]ip address 200.1.1.2 30
[AR4-GigabitEthernet0/0/0]quit
[AR4]interface loopback 0
[AR4-LoopBack0]ip address 22.22.22.22 32
[AR4-LoopBack0]quit
[AR4]
Advertise all subnets in OSPF
[AR4]
[AR4]
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0
[AR4-ospf-1-area-0.0.0.0]quit
[AR4-ospf-1]
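BFD detection configuration
Add an unconfigured switch between the router and Telecom
Traffic still prefers the upper Telecom path at this point
However, if the ge 0/0/2 interface of the newly added switch LSW1 or the computer's ge 0/0/0 interface fails, the network goes down; automatic switchover to the Unicom path happens only if LSW1's ge 0/0/2 port fails.
Using BFD here, which quickly detects communication faults between the sending and receiving ends, avoids this kind of incident.
AR1 router BFD configuration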
[AR1]
[AR1]bfd
[AR1-bfd]bfd 1 bind peer-ip 12.1.1.2 source-ip 12.1.1.1 auto
[AR1-bfd-session-1]commit
[AR1-bfd-session-1]quit
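The upper route tracks the BFD session that was just configured. If BFD goes down, the upper route is deleted, so traffic automatically takes the lower path when the upper link fails.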
[AR1]
[AR1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 track bfd-session 1
Info: Succeeded in modifying route.
Apr 11 2023 16:02:23-08:00 AR1 %%01RM/4/IPV4_DEFT_RT_CHG(l)[13]:IPV4 default Route is changed. (ChangeType=Delete, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet0/0/2, Nexthop=12.1.1.2, Neighbour=0.0.0.0, Preference=1006632960, Label=NULL, Metric=0)
[AR1]
AR2 router BFD configuration
[AR2]
[AR2]bfd
[AR2-bfd]bfd 1 bind peer-ip 12.1.1.1 source-ip 12.1.1.2 auto
[AR2-bfd-session-1]commit
[AR2-bfd-session-1]quit
[AR2]
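An added example, not part of the original page: a Python model of AR1's default-route choice that shows why the floating route alone does not fail over when the fault is beyond the intermediate switch, and how tracking BFD session 1 fixes it. The next hops, preferences and interface names are the page's; the class, function and scenario names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    next_hop: str
    out_if: str
    preference: int = 60              # default preference stated on the page
    track_bfd: Optional[int] = None   # BFD session number, if the route tracks one


def active_next_hop(routes, if_up, bfd_up):
    """Pick the default route the router would use, or None.

    A route is usable when its outgoing interface is up and, if it tracks a
    BFD session, that session is up. Among usable routes the lowest
    preference value wins.
    """
    usable = [
        r for r in routes
        if if_up.get(r.out_if, False)
        and (r.track_bfd is None or bfd_up.get(r.track_bfd, False))
    ]
    if not usable:
        return None
    return min(usable, key=lambda r: r.preference).next_hop


# AR1's two default routes from the page, without and with BFD tracking.
TELECOM = StaticRoute("12.1.1.2", "GE0/0/2")
TELECOM_TRACKED = StaticRoute("12.1.1.2", "GE0/0/2", track_bfd=1)
UNICOM = StaticRoute("13.1.1.2", "GE4/0/0", preference=90)

ALL_UP = {"GE0/0/2": True, "GE4/0/0": True}


def scenarios():
    """Next hop chosen in each situation discussed on the page."""
    return {
        # Healthy network: the Telecom route (preference 60) beats Unicom (90).
        "healthy": active_next_hop([TELECOM_TRACKED, UNICOM], ALL_UP, {1: True}),
        # Fault behind LSW1: AR1's own port stays up, so an untracked route
        # stays installed and traffic is sent into a dead path.
        "remote_fault_no_bfd": active_next_hop([TELECOM, UNICOM], ALL_UP, {}),
        # Same fault with tracking: BFD session 1 goes down, route is withdrawn.
        "remote_fault_bfd": active_next_hop(
            [TELECOM_TRACKED, UNICOM], ALL_UP, {1: False}),
        # AR1's own port down: the route is withdrawn even without BFD.
        "local_fault_no_bfd": active_next_hop(
            [TELECOM, UNICOM], {"GE0/0/2": False, "GE4/0/0": True}, {}),
    }


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:22s} -> {hop}")
```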