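Router-on-a-stick (single-arm routing)
1. Network topology diagram
2. PC configuration
3. Configuring switches SW1 and SW2
SW1 configuration:
<Huawei>undo ter mo //turn off terminal monitoring so log messages stop printing to the terminal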
Info: Current terminal monitor is off.
<Huawei>sy //enter system view
Enter system view, return user view with Ctrl+Z.
[Huawei]sy sw1 //rename the device to sw1
[sw1]vlan br
[sw1]vlan ba
[sw1]vlan batch 10 20 //create VLANs 10 and 20 in one batch
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw1]int g0/0/1 //enter interface g0/0/1
[sw1-GigabitEthernet0/0/1]po
[sw1-GigabitEthernet0/0/1]port l
[sw1-GigabitEthernet0/0/1]port link-t
[sw1-GigabitEthernet0/0/1]port link-type ac
[sw1-GigabitEthernet0/0/1]port link-type access //set the link type to access (port connects to a host)
[sw1-GigabitEthernet0/0/1]port default vlan 10 //assign the interface to VLAN 10
[sw1-GigabitEthernet0/0/1]int g0/0/2 //enter interface g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type ac
[sw1-GigabitEthernet0/0/2]port link-type access //same as above
[sw1-GigabitEthernet0/0/2]port default vlan 20 //same as above
[sw1-GigabitEthernet0/0/2]int g0/0/3
[sw1-GigabitEthernet0/0/3]port lin
[sw1-GigabitEthernet0/0/3]port link-t
[sw1-GigabitEthernet0/0/3]port link-type tr
[sw1-GigabitEthernet0/0/3]port link-type trunk //set the link type to trunk (link between the two switches)
[sw1-GigabitEthernet0/0/3]port t
[sw1-GigabitEthernet0/0/3]port trunk a
[sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 //let the two switches communicate: allow VLANs 10 and 20 on the trunk
[sw1-GigabitEthernet0/0/3]int g0/0/4 //this port connects the switch to the router
[sw1-GigabitEthernet0/0/4]port link-t
[sw1-GigabitEthernet0/0/4]port link-type tr
[sw1-GigabitEthernet0/0/4]port link-type trunk
[sw1-GigabitEthernet0/0/4]port trunk a
[sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20
[sw1-GigabitEthernet0/0/4]
SW2 configuration:
<Huawei>undo ter mo
Info: Current terminal monitor is off.
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy sw2
[sw2]inter
[sw2]interface g0/0/1
[sw2-GigabitEthernet0/0/1]port l a //the configuration is much the same as SW1; abbreviated commands are used from here on.
[sw2-GigabitEthernet0/0/1]p d v 10 //forgot to create the VLANs first...
Error: The VLAN does not exist.
[sw2-GigabitEthernet0/0/1]q
[sw2]vlan ba
[sw2]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw2]interface g0/0/1
[sw2-GigabitEthernet0/0/1]p d v 10
[sw2-GigabitEthernet0/0/1]int g0/0/2
[sw2-GigabitEthernet0/0/2]p l a
[sw2-GigabitEthernet0/0/2]p d v 20
[sw2-GigabitEthernet0/0/2]int g0/0/3
[sw2-GigabitEthernet0/0/3]p l t
[sw2-GigabitEthernet0/0/3]p t a v 10 20
[sw2-GigabitEthernet0/0/3]dis th
4. Router AR1 configuration
AR1 configuration:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy r1
[r1]interface g0/0/0.1 //the router has only one physical interface toward the switch, so the logical sub-interface g0/0/0.1 is configured instead
[r1-GigabitEthernet0/0/0.1]ip ad
[r1-GigabitEthernet0/0/0.1]ip address 192.168.1.100 24 //gateway for PC1 and PC3
[r1-GigabitEthernet0/0/0.1]do
[r1-GigabitEthernet0/0/0.1]dot1q t
[r1-GigabitEthernet0/0/0.1]dot1q termination v
[r1-GigabitEthernet0/0/0.1]dot1q termination vid 10 //bind the sub-interface to VLAN 10
Jul 23 2020 20:03:19-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0.1 has entered the UP state.
[r1-GigabitEthernet0/0/0.1]arp b
[r1-GigabitEthernet0/0/0.1]arp broadcast en
[r1-GigabitEthernet0/0/0.1]arp broadcast enable //enable ARP broadcast on the sub-interface
[r1-GigabitEthernet0/0/0.1]int g0/0/0.2 //same steps as above
[r1-GigabitEthernet0/0/0.2]ip ad
[r1-GigabitEthernet0/0/0.2]ip address 192.168.2.100 24
[r1-GigabitEthernet0/0/0.2]do
[r1-GigabitEthernet0/0/0.2]dot1q t
[r1-GigabitEthernet0/0/0.2]dot1q termination v
[r1-GigabitEthernet0/0/0.2]dot1q termination vid 20
Jul 23 2020 20:03:52-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/0.2 has entered the UP state.
[r1-GigabitEthernet0/0/0.2]arp b
[r1-GigabitEthernet0/0/0.2]arp broadcast e
[r1-GigabitEthernet0/0/0.2]arp broadcast enable
[r1-GigabitEthernet0/0/0.2]
5. Result
Hosts in different VLANs can now communicate with each other.
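Added example (not part of the original lab notes): a Python model of what the trunk and the AR1 sub-interfaces do with the 802.1Q tag in this lab. The VLAN-to-sub-interface table is copied from the session above; the MAC addresses and payload are constructed, and the function names are hypothetical.

```python
import struct

# Copied from the AR1 session above: dot1q termination vid -> sub-interface, gateway.
SUBINTERFACES = {
    10: ("GigabitEthernet0/0/0.1", "192.168.1.100"),
    20: ("GigabitEthernet0/0/0.2", "192.168.2.100"),
}
TRUNK_ALLOWED = {10, 20}  # "port trunk allow-pass vlan 10 20" on SW1 g0/0/4
TPID_8021Q = 0x8100

def tag_frame(dst_mac, src_mac, vid, ethertype, payload):
    """Frame as SW1 sends it on the trunk: 802.1Q tag after the two MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = vid  # priority and DEI bits left at 0, low 12 bits carry the VID
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def trunk_forwards(vid):
    """A trunk port only carries VLANs on its allow-pass list."""
    return vid in TRUNK_ALLOWED

def terminate(frame):
    """Model of AR1 g0/0/0: choose the sub-interface by VID and strip the tag.

    Returns (sub-interface, gateway, untagged frame), or None when no
    sub-interface accepts the frame.
    """
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None  # untagged frame: not handled by any sub-interface
    vid = tci & 0x0FFF
    if vid not in SUBINTERFACES:
        return None  # no "dot1q termination vid" for this VLAN
    name, gateway = SUBINTERFACES[vid]
    return name, gateway, frame[:12] + frame[16:]

if __name__ == "__main__":
    # Constructed sample: a host in VLAN 10 sends an IPv4 packet to its gateway.
    gw_mac, pc_mac = bytes.fromhex("00e0fc000001"), bytes.fromhex("5489980000a1")
    frame = tag_frame(gw_mac, pc_mac, 10, 0x0800, b"constructed-ip-packet")
    print(terminate(frame)[:2])
    print(trunk_forwards(30), terminate(tag_frame(gw_mac, pc_mac, 30, 0x0800, b"x")))
```

A VLAN that is missing from either the allow-pass list or the sub-interface table never reaches the router's IP layer, which is why both lists have to be kept in step.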
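------------------------------------------------------------
OSPF: Open Shortest Path First protocol
OSPF discovers neighbors through OSPF packets (multicast) and exchanges routes with those neighbors.
1. Lab network topology diagram.
2. Configure the IP address, mask and gateway of each PC
Omitted.
3. Configuring the routers (AR1 and AR2 are shown; the other routers are configured in much the same way.)
AR1 configuration: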
<Huawei>
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy r1
[r1]int g0/0/2
[r1-GigabitEthernet0/0/2]ip ad
[r1-GigabitEthernet0/0/2]ip address 192.168.2.100 24 //gateway for PC2
Jul 23 2020 20:19:55-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/2 has entered the UP state.
[r1-GigabitEthernet0/0/2]int g0/0/0
[r1-GigabitEthernet0/0/0]ip ad
[r1-GigabitEthernet0/0/0]ip address 10.0.1.1 24 //IP address and mask of the port connected to AR2
Jul 23 2020 20:20:18-08:00 r1 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip ad
[r1-GigabitEthernet0/0/1]ip address 10.0.2.1 24 //IP address and mask of the port connected to AR3
Jul 23 2020 20:20:38-08:00 r1 %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[r1-GigabitEthernet0/0/1]q
[r1]ospf 1 ro
[r1]ospf 1 router-id 1.1.1.1 //set the OSPF router ID, the identifier this router is shown under in OSPF
[r1-ospf-1]ar
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]neetw
[r1-ospf-1-area-0.0.0.0]net
[r1-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0 //advertise all directly connected networks
[r1-ospf-1-area-0.0.0.0]q
[r1-ospf-1]si
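[r1-ospf-1]silent-interface g0/0/2 //configure a silent interface, normally the interface that faces the user network
[r1-ospf-1]//if the system says OSPF needs to be restarted, press Ctrl+Z to return to user view and restart it with the command reset ospf process.
//In addition, when routes cannot be learned between different routing protocols, the command default-route-advertise lets neighbors learn your default route, and import-route static can be used to redistribute your static routes, passing your own routing information on to the dynamic-routing neighbors.
AR2 configuration: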
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy r2
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ip ad
[r2-GigabitEthernet0/0/0]ip address 10.0.1.3 24
[r2-GigabitEthernet0/0/0]
Jul 23 2020 20:39:46-08:00 r2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r2-GigabitEthernet0/0/0]int g0/0/1
[r2-GigabitEthernet0/0/1]ip ad
[r2-GigabitEthernet0/0/1]ip address 10.0.5.3 24
Jul 23 2020 20:40:00-08:00 r2 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[r2-GigabitEthernet0/0/1]int g0/0/2
[r2-GigabitEthernet0/0/2]ip ad
[r2-GigabitEthernet0/0/2]ip address 10.0.4.3 24
Jul 23 2020 20:40:16-08:00 r2 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
on the interface GigabitEthernet0/0/2 has entered the UP state.
[r2-GigabitEthernet0/0/2]q
[r2]ospf 1 ro
[r2]ospf 1 router-id 2.2.2.2
[r2-ospf-1]ar
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]netw
[r2-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0
………… //output of the route-learning process omitted
[r2-ospf-1-area-0.0.0.0]q
[r2-ospf-1]q
[r2]dis
[r2]display ospf ro
[r2]display ospf routing //view the routes learned through OSPF

 OSPF Process 1 with Router ID 2.2.2.2
 Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 10.0.1.0/24        1     Transit    10.0.1.3        2.2.2.2         0.0.0.0
 10.0.4.0/24        1     Stub       10.0.4.3        2.2.2.2         0.0.0.0
 10.0.5.0/24        1     Stub       10.0.5.3        2.2.2.2         0.0.0.0
 10.0.2.0/24        2     Stub       10.0.1.1        1.1.1.1         0.0.0.0
 192.168.2.0/24     2     Stub       10.0.1.1        1.1.1.1         0.0.0.0

 Total Nets: 5
 Intra Area: 5  Inter Area: 0  ASE: 0  NSSA: 0

[r2]
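Configuration of the other routers is omitted.
ACL: Access Control List
1. A few concepts:
Wildcard: usually combined with an IP address to match the source or destination IP of traffic. A 0 bit means "must match exactly" and a 1 bit means "does not need to match". It is usually written as an inverse mask, for example 0.0.0.255.
Basic ACL (2000-2999), advanced ACL (3000-3999), Layer 2 ACL (4000-4999), user-defined ACL (5000-5999), user ACL (6000-6999).
Basic ACL: rules are defined using the packet's source IP address, fragment information and effective time range.
Example: rule 5 permit source 192.168.1.0 0.0.0.255
rule 10 deny
Advanced ACL: rules can be defined using the IPv4 packet's source IP address, destination IP address, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port, effective time range and so on.
Example: rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 10 deny ip destination 192.168.3.0 0.0.0.255
rule 15 permit ip
//permit lets the packet through; deny rejects the packet, i.e. drops it.
2. Network topology diagram
3. Router configuration
The goal of the lab is to let PC2 (192.168.2.1) reach PC1 (192.168.1.1) while preventing PC3 (192.168.3.1) from reaching PC1. To do this, a rule is added on g0/0/2 of AR3, using ACL 3000 here.
AR3 configuration: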
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy r1
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip ad
[r1-GigabitEthernet0/0/0]ip address 192.168.1.100 24 //misconfigured; should this be .2.100?
[r1-GigabitEthernet0/0/0]
Jul 23 2020 21:03:40-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip ad
[r1-GigabitEthernet0/0/1]ip address 192.168.3.100 24
[r1-GigabitEthernet0/0/1]
Jul 23 2020 21:03:59-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[r1-GigabitEthernet0/0/1]int g0/0/2
[r1-GigabitEthernet0/0/2]ip ad
[r1-GigabitEthernet0/0/2]ip address 10.0.0.1 24
Jul 23 2020 21:04:14-08:00 r1 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
on the interface GigabitEthernet0/0/2 has entered the UP state.
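[r1-GigabitEthernet0/0/2]q //the steps above are ordinary interface IP configuration and are not explained again
[r1]acl 3000 //create ACL 3000
[r1-acl-adv-3000]rule 5 in //configure rule 5; the smaller the number after rule, the higher its matching priority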
[r1-acl-adv-3000]rule 5 per
[r1-acl-adv-3000]rule 5 permit
[r1-acl-adv-3000]rule 5 permit ip s
[r1-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 ip des
[r1-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 des
[r1-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
/* permit: allow the traffic  deny: block the traffic  source: source IP  destination: destination IP  0.0.0.255: wildcard */
[r1-acl-adv-3000]rule 10 deny ip s
[r1-acl-adv-3000]rule 10 deny ip source 192.168.3.0 0.0.0.255 des
[r1-acl-adv-3000]rule 10 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[r1-acl-adv-3000]rule 15 permit ip
[r1-acl-adv-3000]q
[r1]int g0/0/2 //enter interface g0/0/2 of AR3 to apply the ACL
[r1-GigabitEthernet0/0/2]tra
[r1-GigabitEthernet0/0/2]tracert
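[r1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000 //apply ACL 3000 in the outbound direction of the interface
//inbound: apply the rules in the inbound direction; traffic received on the interface is matched.
//outbound: apply the rules in the outbound direction; traffic about to be sent out of this interface is matched.
[r1-GigabitEthernet0/0/2]q
[r1]ospf 1 //taking a shortcut and using OSPF for routing...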
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]netw
[r1-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0
[r1-ospf-1-area-0.0.0.0]q
[r1-ospf-1]si
[r1-ospf-1]silent-interface g0/0/0
[r1-ospf-1]silent-interface g0/0/1
[r1-ospf-1]q
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]undo ip address //the IP on g0/0/0 turned out to be wrong; undo clears the old configuration
Jul 23 2020 21:12:29-08:00 r1 %%01IFNET/4/LINK_STATE(l)[8]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the DOWN state.
[r1-GigabitEthernet0/0/0]ip address 192.168.2.100 24
Jul 23 2020 21:12:40-08:00 r1 %%01IFNET/4/LINK_STATE(l)[9]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]
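Added example (not from the original notes): a small Python evaluator for the ACL 3000 rules configured above, showing how the wildcard bits and the rule order decide the outcome for PC2 and PC3. It handles only the "rule N permit|deny ip [source ...] [destination ...]" form used on this page; the function names are hypothetical.

```python
import ipaddress
import re

# Rules copied from the AR3 session on this page (ACL 3000).
ACL_3000 = """
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 15 permit ip
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Return rules as (rule_id, action, src, dst), sorted by rule id."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rid, action, sa, sw, da, dw = m.groups()
        # A missing source/destination clause matches any address:
        # wildcard 255.255.255.255 marks every bit as "does not need to match".
        src = (to_int(sa or "0.0.0.0"), to_int(sw or "255.255.255.255"))
        dst = (to_int(da or "0.0.0.0"), to_int(dw or "255.255.255.255"))
        rules.append((int(rid), action, src, dst))
    return sorted(rules)

def wildcard_match(ip, base, wildcard):
    """Wildcard bit 0 = must equal the rule address, bit 1 = ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(ip) & care) == (base & care)

def evaluate(rules, src_ip, dst_ip):
    """The matching rule with the lowest id decides; None if nothing matches."""
    for rid, action, (sb, sw), (db, dw) in rules:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return rid, action
    return None

if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    print("PC2 -> PC1:", evaluate(rules, "192.168.2.1", "192.168.1.1"))
    print("PC3 -> PC1:", evaluate(rules, "192.168.3.1", "192.168.1.1"))
    print("PC3 -> PC2:", evaluate(rules, "192.168.3.1", "192.168.2.1"))
```

Because evaluation stops at the first match, a broad permit with a lower number than a deny makes the deny unreachable; renumber the rules in the evaluator to see the effect before changing them on the router.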
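4. Result
When learning to configure router and switch ports and rules, be patient and careful, make sure you understand each step, and practice repeatedly. Make good use of the display commands and Wireshark to find where a mistake is.
2020.07.23, Thursday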