Huawei Network Basic Configuration

This post walks through a combined network topology, writing up the basic configuration of Huawei routers and switches, and explains the concepts behind link aggregation.

Post outline:

  • (1) Overview of link aggregation concepts on Huawei network devices
    1. What is link aggregation?
    2. What restrictions apply to member interfaces?
    3. What link aggregation modes are there?
    4. Active interfaces and inactive interfaces
    5. The active end and the passive end
    6. What load-balancing modes are there?
  • (2) Huawei network device configuration commands
  • (3) Summary

(1) Overview of link aggregation concepts on Huawei network devices:

  • 1. What is link aggregation?
  • 2. What restrictions apply to member interfaces?
  • 3. What link aggregation modes are there?
  • 4. Active interfaces and inactive interfaces
  • 5. The active end and the passive end
  • 6. What load-balancing modes are there?

1. What is link aggregation?

Link aggregation bundles several physical interfaces into one logical interface to increase bandwidth and provide link redundancy. In theory the bandwidth of the aggregated link equals the sum of the bandwidth of its member interfaces, which makes it well suited to enterprise core networks, and if one member interface or link fails the aggregated link keeps working, so it also provides redundancy. The link aggregation protocol supported on Huawei devices is LACP (Link Aggregation Control Protocol). On Huawei devices, the logical interface formed by bundling several physical interfaces is called an Eth-Trunk interface.

2. What restrictions apply to member interfaces?

When adding an interface to an Eth-Trunk, keep the following in mind:

  • Each Eth-Trunk interface can contain at most eight member interfaces;
  • Member interfaces cannot be configured with services or static MAC addresses individually;
  • An interface added to an Eth-Trunk must still be in the default link type, hybrid (the default interface type on Huawei devices);
  • Eth-Trunk interfaces cannot be nested, i.e. an Eth-Trunk cannot be a member of another Eth-Trunk;
  • An Ethernet interface can belong to only one Eth-Trunk; to add it to a different Eth-Trunk it must first be removed from the original one;
  • The member interfaces of one Eth-Trunk must be of the same type, i.e. FE and GE interfaces cannot be added to the same Eth-Trunk;
  • Ethernet interfaces on different interface boards can be added to the same Eth-Trunk;
  • If the local device uses an Eth-Trunk, the peer interfaces directly connected to its member interfaces must also be bundled into an Eth-Trunk, otherwise the two ends cannot communicate;
  • If member interfaces run at different rates, the lower-rate interface may become congested and drop packets in practice;
  • Once an interface has joined an Eth-Trunk, MAC address learning is done per Eth-Trunk rather than per member interface.

3. What link aggregation modes are there?

Huawei network devices support two link aggregation modes, manual load-balancing mode and static LACP mode:

  • Manual load-balancing mode: no LACP packets are exchanged; everything, including adding member interfaces, is configured by hand. All interfaces are in the forwarding state and share the load. The supported load-balancing keys are destination MAC, source MAC, source XOR destination MAC, source IP, destination IP, and source XOR destination IP. Manual mode is typically used when the peer device does not support LACP.
  • Static LACP mode: the two ends use LACP to negotiate which interfaces of the aggregation group are active and which are inactive. The Eth-Trunk is created and member interfaces are added manually, but the active and inactive interfaces are determined by LACP negotiation. Static LACP mode is also called M:N mode, and it provides both load balancing and redundant backup: in an aggregation group, M links are active and forward data with load balancing, while N links are inactive and forward nothing; when an active link fails, the system automatically picks the highest-priority link among the N backup links to take over and start forwarding.

The main difference between static LACP mode and manual load-balancing mode is that static LACP mode can have backup links, whereas in manual load-balancing mode all member interfaces are in the forwarding state and share the traffic unless a link fails.

4. Active interfaces and inactive interfaces

An interface that is active and forwards data is called an active interface; an interface that is inactive and barred from forwarding data is called an inactive interface. Choosing active and inactive interfaces normally needs no manual intervention; in static LACP mode an upper and a lower limit on the number of active interfaces can be configured.

By mode:

  • Manual load-balancing mode: normally all interfaces are active interfaces, unless a link fails.
  • Static LACP mode: the M links correspond to active interfaces, which forward data; the N links correspond to inactive interfaces, which provide redundancy.

5. The active end and the passive end

In static LACP mode, one of the two ends of an aggregation group must be chosen as the active end, and the other becomes the passive end. Normally the end with the higher LACP system priority is the active end and the end with the lower priority is the passive end (the smaller the priority value, the higher the priority). If the priorities are equal, the end with the smaller MAC address is usually chosen as the active end.

The purpose of distinguishing an active end from a passive end is to make sure both ends finish with the same active interfaces. If each end selected its active interfaces according to its own interface priorities, the two ends could well end up with mismatched active interfaces and the aggregated link could not be established, as in the figure:

[Figure: SwitchA and SwitchB each selecting active interfaces]

SwitchA selects the upper two interfaces as active while SwitchB selects the lower two. Because SwitchA has the higher priority, the two interfaces finally active on both sides are the ones chosen by SwitchA: the active end is determined first, and the passive end then selects its active interfaces according to the interface priorities of the interfaces chosen by the active end.
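To make the election rules concrete, here is a small Python model of the figure's situation. It is an example added to this post, not code from the original and not Huawei's implementation: it encodes only the rules stated above (lower system priority wins, ties go to the smaller MAC, the active end chooses, the passive end follows). The switch names, MAC addresses, priorities, the rule that the active end ranks members by interface LACP priority and then by name, and the cabling table are all constructed assumptions.

```python
"""Model of LACP active-end election and active-interface selection.

Added example: not code from the original post and not Huawei's
implementation. It models the rules the post states:
  - the end with the lower system LACP priority is the active end; on a tie,
    the end with the smaller system MAC address wins;
  - the active end ranks its up member interfaces (assumed here: by interface
    LACP priority, then by interface name) and keeps at most `max_active`;
  - the passive end adopts whatever is cabled to the active end's choice, so
    both ends agree on the same links.
Names, MACs, priorities and the cabling table are constructed inputs.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_SYSTEM_PRIORITY = 32768  # Huawei default system LACP priority


@dataclass
class Member:
    name: str
    priority: int = 32768  # interface LACP priority, lower wins (assumed default)
    link_up: bool = True


@dataclass
class Switch:
    name: str
    mac: str
    system_priority: int = DEFAULT_SYSTEM_PRIORITY
    members: list[Member] = field(default_factory=list)


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def elect_active_end(a: Switch, b: Switch) -> Switch:
    """Lower system priority wins; ties go to the smaller MAC address."""
    return min((a, b), key=lambda s: (s.system_priority, mac_to_int(s.mac)))


def rank_members(sw: Switch, max_active: int) -> list[str]:
    """How a switch would pick its active interfaces on its own."""
    up = [m for m in sw.members if m.link_up]
    ranked = sorted(up, key=lambda m: (m.priority, m.name))
    return [m.name for m in ranked[:max_active]]


def negotiate(a: Switch, b: Switch, cabling: dict[str, str], max_active: int) -> dict:
    """Return the active end and the active interfaces on both ends.

    `cabling` maps each member of `a` to the member of `b` it is wired to
    (constructed; a real device learns this from the peer's LACPDUs).
    """
    active = elect_active_end(a, b)
    passive = b if active is a else a
    chosen = rank_members(active, max_active)
    if active is a:
        peer = [cabling[name] for name in chosen]
    else:
        reverse = {v: k for k, v in cabling.items()}
        peer = [reverse[name] for name in chosen]
    return {"active_end": active.name, active.name: chosen, passive.name: peer}


def build_demo() -> tuple[Switch, Switch, dict[str, str]]:
    """The figure's case: A prefers its upper two ports, B its lower two."""
    ports = [f"GE0/0/{i}" for i in range(1, 5)]
    a = Switch("SwitchA", "00-e0-fc-00-00-01", system_priority=1000,
               members=[Member(p, priority=1 if p in ports[:2] else 32768) for p in ports])
    b = Switch("SwitchB", "00-e0-fc-00-00-02",
               members=[Member(p, priority=1 if p in ports[2:] else 32768) for p in ports])
    cabling = {p: p for p in ports}  # port i on A is wired to port i on B
    return a, b, cabling


if __name__ == "__main__":
    a, b, cabling = build_demo()
    print("SwitchB on its own would pick:", rank_members(b, 2))
    print("negotiated:", negotiate(a, b, cabling, max_active=2))
```

Running it shows SwitchB would choose GE0/0/3 and GE0/0/4 on its own, but after the election both ends carry SwitchA's choice of GE0/0/1 and GE0/0/2; taking one of those links down makes the next-ranked link take over, which is the M:N backup behaviour described in section 3.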

6. What load-balancing modes are there?

The main purpose of link aggregation is to increase bandwidth and redundancy, and the usual way to achieve this is to balance the load across the multiple physical links.

Common load-sharing modes are:

  • dst-ip (destination IP address) mode: takes the specified 3-bit values from the destination IP address and the TCP/UDP destination port number, XORs them, and selects the outbound interface from the Eth-Trunk forwarding table by the result.
  • dst-mac (destination MAC address) mode: takes the specified 3-bit values from the destination MAC address, VLAN ID, Ethernet type and inbound port information, XORs them, and selects the outbound interface from the Eth-Trunk forwarding table by the result.
  • src-ip (source IP address) mode: takes the specified 3-bit values from the source IP address and the TCP/UDP source port number, XORs them, and selects the outbound interface from the Eth-Trunk forwarding table by the result.
  • src-mac (source MAC address) mode: takes the specified 3-bit values from the source MAC address, VLAN ID, Ethernet type and inbound port information, XORs them, and selects the outbound interface from the Eth-Trunk forwarding table by the result.
  • src-dst-ip (source XOR destination IP address) mode: XORs the results of the dst-ip and src-ip calculations and selects the outbound interface from the Eth-Trunk forwarding table by the result.
  • src-dst-mac (source XOR destination MAC address) mode: takes the specified 3-bit values from the source MAC address, destination MAC address, VLAN ID, Ethernet type and inbound port information, XORs them, and selects the outbound interface from the Eth-Trunk forwarding table by the result.
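The following Python model, added here as an example (not the post's code and not Huawei's hashing implementation), follows the scheme just described: it takes a 3-bit value from each field a mode selects, XORs them, and uses the result to index an 8-entry Eth-Trunk forwarding table. Which three bits are taken (the lowest three here) and how the table is filled (members in round-robin order) are assumptions, and the flows are constructed. It is worth running because it shows the practical side of choosing a mode: the same flow always lands on the same member (no reordering), but a mode whose fields are identical for most traffic puts everything on one link. With dst-mac, which this post later configures on the SW1 to SW2 Eth-Trunk, eight hosts in one VLAN all sending to the same gateway MAC share a single member, whereas src-mac or src-dst-ip spreads them.

```python
"""Model of Eth-Trunk load-balancing member selection.

Added example: not the post's code and not Huawei's hashing implementation.
It follows the scheme the post describes: take a 3-bit value from each field
the mode selects, XOR the values, and use the result as an index into an
8-entry Eth-Trunk forwarding table mapped onto the member interfaces.
Assumptions: the lowest three bits of each field are used, and the table is
filled with the members in round-robin order. The flows are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

TABLE_SIZE = 8  # a 3-bit hash result addresses 8 table entries
MEMBERS = ["GE0/0/23", "GE0/0/24"]  # the two member ports used in the post


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    vlan: int
    ethertype: int
    in_port: int          # inbound port index (the "port information" field)
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    src_port: int = 0
    dst_port: int = 0


def mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def low3(value: int) -> int:
    return value & 0b111


def hash_index(mode: str, f: Flow) -> int:
    """XOR of the 3-bit values taken from the fields the mode selects."""
    fields = {
        "src-mac": [mac_int(f.src_mac), f.vlan, f.ethertype, f.in_port],
        "dst-mac": [mac_int(f.dst_mac), f.vlan, f.ethertype, f.in_port],
        "src-dst-mac": [mac_int(f.src_mac), mac_int(f.dst_mac), f.vlan, f.ethertype, f.in_port],
        "src-ip": [ip_int(f.src_ip), f.src_port],
        "dst-ip": [ip_int(f.dst_ip), f.dst_port],
    }
    if mode == "src-dst-ip":  # XOR of the two single-address results
        return hash_index("src-ip", f) ^ hash_index("dst-ip", f)
    result = 0
    for value in fields[mode]:
        result ^= low3(value)
    return result


def forwarding_table(members: list[str]) -> list[str]:
    """8-entry table filled with the member interfaces in turn."""
    return [members[i % len(members)] for i in range(TABLE_SIZE)]


def select_member(mode: str, f: Flow, members: list[str]) -> str:
    return forwarding_table(members)[hash_index(mode, f)]


def distribution(mode: str, flows: list[Flow], members: list[str]) -> dict[str, int]:
    """How many of the flows each member would carry under the given mode."""
    return dict(Counter(select_member(mode, f, members) for f in flows))


def demo_flows() -> list[Flow]:
    """Eight hosts in VLAN 2 all talking to the same gateway MAC (constructed)."""
    return [
        Flow(src_mac=f"00-11-22-33-44-{i:02x}", dst_mac="00-e0-fc-aa-bb-01",
             vlan=2, ethertype=0x0800, in_port=3,
             src_ip=f"192.168.2.{i}", dst_ip="192.168.5.10",
             src_port=40001, dst_port=80)
        for i in range(1, 9)
    ]


if __name__ == "__main__":
    for mode in ("dst-mac", "src-mac", "src-dst-ip"):
        print(f"{mode:12s} {distribution(mode, demo_flows(), MEMBERS)}")
```

The point to carry over to the configuration section is that `load-balance` should be chosen for the traffic mix the trunk actually carries; when in doubt, check the per-member counters on the Eth-Trunk after the network is up rather than assuming the traffic is spread.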

(2) Huawei network device configuration commands:

From here on, the basic commands for Huawei network equipment are written up against a fairly large network topology. The topology file I provide can be downloaded (extraction code: ay6t). The topology serves no practical purpose; it is built so that as many configuration commands and techniques as possible are involved. The topology is as follows:

[Figure: network topology]

The commands covered by this topology:

  • Link aggregation
  • VLAN division
  • Router-on-a-stick and Layer 3 switch routing
  • RIP and OSPF dynamic routing configuration
  • Route redistribution
  • Static NAT and PAT configuration
  • Basic ACL and advanced ACL configuration

Network topology analysis:

1) OSPF and RIP:
R2 is the company's gateway router and R1 simulates a public-network router, so R1 must not be given any route toward the company's internal network. The internal network uses two dynamic routing protocols, RIP and OSPF: R2's GE0/0/0 and GE0/0/1 interfaces together with SW1 and SW2 run OSPF in area 0, while R2's GE0/0/2, R3 and R4 run RIP. Route redistribution is therefore needed on R2 so that the two protocols learn each other's routes. As the gateway router, R2 needs a default route pointing to the public network, and that default route must be redistributed into both OSPF and RIP.

2) Link aggregation:

SW1 and SW2 aggregate two physical links into one logical link for load sharing and backup. SW1 is set as the LACP active end, and the logical link load-shares by MAC address.

3) NAT and ACL:

The two subnets 192.168.10.0/24 and 192.168.11.0/24 are simulated as not being allowed to reach the public network, so an ACL is needed. A Windows Server 2016 host runs a web server that is published to the public network with static NAT, so that the Win7 client can reach it.

4) All internal subnets are 192.168.X.0/24.

Start configuring:

The topology is fairly large, so we configure it in several parts.

Part one:

Part one starts from R2's GE0/0/0 and GE0/0/1 and works downward: router interface IP addresses, OSPF, the Layer 3 switch interfaces, VLANs, link aggregation, then the Layer 2 switch interface configuration and VLAN assignment. Finally, test whether the PCs at the bottom can ping the router's GE0/0/0 interface (this only succeeds once OSPF has been configured).

R2 router configuration:
<R2>un ter mo                                        <!-- turn off terminal log messages (an annoying thing) -->
<R2>sys                                              <!-- enter system view -->
[R2]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2        <!-- default route toward the public network -->
[R2]int g0/0/0                                       <!-- enter the interface -->
[R2-GigabitEthernet0/0/0]ip add 192.168.7.2 24       <!-- interface IP; interfaces are up by default, so no need to enable them -->
[R2-GigabitEthernet0/0/0]int g0/0/1                  <!-- enter the interface -->
[R2-GigabitEthernet0/0/1]ip add 192.168.8.2 24       <!-- interface IP -->
[R2-GigabitEthernet0/0/1]quit
[R2]ospf 10                                          <!-- enter OSPF, process ID 10 -->
[R2-ospf-10]area 0                                   <!-- enter area 0 -->
[R2-ospf-10-area-0.0.0.0]net 192.168.7.0 0.0.0.255   <!-- advertise the connected network -->
[R2-ospf-10-area-0.0.0.0]net 192.168.8.0 0.0.0.255   <!-- advertise the connected network -->
[R2-ospf-10-area-0.0.0.0]quit                        <!-- leave area 0 -->
[R2-ospf-10]default-route-advertise                  <!-- inject a default route into OSPF (requires a default route on this router) -->
SW1 configuration:
<SW1>un ter mo                                       <!-- turn off terminal log messages -->
<SW1>sys                                             <!-- enter system view -->
[SW1]vlan ba 2 to 8                                  <!-- create VLAN 2 through VLAN 8 -->
[SW1]in vlan 7                                       <!-- enter VLANIF 7 -->
[SW1-Vlanif7]ip add 192.168.7.1 24                   <!-- IP address on the VLANIF -->
[SW1-Vlanif7]in vlan 2                               <!-- enter VLANIF 2 -->
[SW1-Vlanif2]ip add 192.168.2.254 24                 <!-- IP address on the VLANIF -->
[SW1-Vlanif2]in vlan 3                               <!-- enter VLANIF 3 -->
[SW1-Vlanif3]ip add 192.168.3.254 24                 <!-- IP address on the VLANIF -->
[SW1-Vlanif3]in vlan 4                               <!-- enter VLANIF 4 -->
[SW1-Vlanif4]ip add 192.168.4.254 24                 <!-- IP address on the VLANIF -->
[SW1-Vlanif4]in g0/0/1                               <!-- enter interface g0/0/1 -->
[SW1-GigabitEthernet0/0/1]port link-type access      <!-- change the link type to access -->
[SW1-GigabitEthernet0/0/1]port default vlan 7        <!-- add the interface to VLAN 7 -->
<!-- Huawei Layer 3 switches cannot take an IP address directly on a physical interface,
so the IP goes on the VLANIF and the physical interface is assigned to that VLAN -->
[SW1-GigabitEthernet0/0/1]quit
[SW1]lacp priority 1000                              <!-- system LACP priority (default 32768, lower wins), making SW1 the active end.
                                                          In interface view this command would only set that interface's LACP priority -->
[SW1]int Eth-Trunk 12                                <!-- create the link aggregation logical interface with ID 12 -->
[SW1-Eth-Trunk12]mode lacp-static                    <!-- static LACP mode -->
[SW1-Eth-Trunk12]load-balance dst-mac                <!-- load-balance by destination MAC address -->
[SW1-Eth-Trunk12]trunkport g0/0/23                   <!-- add member interface g0/0/23 -->
[SW1-Eth-Trunk12]trunkport g0/0/24                   <!-- add member interface g0/0/24 -->
[SW1-Eth-Trunk12]port link-type trunk                <!-- make the Eth-Trunk a trunk interface -->
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
<!-- allow all VLANs through; Huawei trunks allow only VLAN 1 by default, so other VLANs must be allowed manually.
In production, allowing only the VLANs the trunk actually needs is the safer choice -->
[SW1-Eth-Trunk12]in g0/0/2                           <!-- enter interface g0/0/2 -->
[SW1-GigabitEthernet0/0/2]port link-type trunk       <!-- link type trunk -->
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all   <!-- allow all VLANs -->
[SW1-GigabitEthernet0/0/2]in g0/0/3                  <!-- enter interface g0/0/3 -->
[SW1-GigabitEthernet0/0/3]port link-type trunk       <!-- link type trunk -->
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all   <!-- allow all VLANs -->
[SW1-GigabitEthernet0/0/3]quit
[SW1]ospf 10                                         <!-- configure OSPF -->
[SW1-ospf-10]area 0                                  <!-- enter area 0 -->
[SW1-ospf-10-area-0.0.0.0]net 192.168.2.0 0.0.0.255  <!-- advertise all connected networks -->
[SW1-ospf-10-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[SW1-ospf-10-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[SW1-ospf-10-area-0.0.0.0]net 192.168.7.0 0.0.0.255
SW2 configuration:
<SW2>un ter mo                                       <!-- turn off terminal log messages -->
<SW2>sys                                             <!-- enter system view -->
[SW2]vlan ba 2 to 8                                  <!-- create the VLANs -->
[SW2]in vlan 8                                       <!-- enter VLANIF 8 -->
[SW2-Vlanif8]ip add 192.168.8.1 24                   <!-- IP address on the VLANIF -->
[SW2-Vlanif8]in vlan 6                               <!-- enter VLANIF 6 -->
[SW2-Vlanif6]ip add 192.168.6.254 24                 <!-- IP address on the VLANIF -->
[SW2-Vlanif6]in vlan 5                               <!-- enter VLANIF 5 -->
[SW2-Vlanif5]ip add 192.168.5.254 24                 <!-- IP address on the VLANIF -->
[SW2-Vlanif5]in g0/0/1                               <!-- enter interface g0/0/1 -->
[SW2-GigabitEthernet0/0/1]port link-type access      <!-- change the link type to access -->
[SW2-GigabitEthernet0/0/1]port default vlan 8        <!-- add the interface to VLAN 8 -->
[SW2-GigabitEthernet0/0/1]quit
[SW2]int Eth-Trunk 12                                <!-- create the aggregated link, matching SW1 -->
[SW2-Eth-Trunk12]mode lacp-static                    <!-- static LACP mode -->
[SW2-Eth-Trunk12]trunkport g0/0/23                   <!-- add member interface g0/0/23 -->
[SW2-Eth-Trunk12]trunkport g0/0/24                   <!-- add member interface g0/0/24 -->
[SW2-Eth-Trunk12]port link-type trunk                <!-- link type trunk -->
[SW2-Eth-Trunk12]port trunk allow-pass vlan all      <!-- allow all VLANs -->
[SW2-Eth-Trunk12]in g0/0/2                           <!-- enter interface g0/0/2 -->
[SW2-GigabitEthernet0/0/2]port link-type trunk       <!-- link type trunk -->
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all   <!-- allow all VLANs -->
[SW2-GigabitEthernet0/0/2]in g0/0/3                  <!-- enter interface g0/0/3 -->
[SW2-GigabitEthernet0/0/3]port link-type trunk       <!-- link type trunk -->
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all   <!-- allow all VLANs -->
[SW2-GigabitEthernet0/0/3]quit
[SW2]ospf 10                                         <!-- configure OSPF -->
[SW2-ospf-10]area 0                                  <!-- enter area 0 -->
[SW2-ospf-10-area-0.0.0.0]net 192.168.8.0 0.0.0.255  <!-- advertise all connected networks -->
[SW2-ospf-10-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[SW2-ospf-10-area-0.0.0.0]net 192.168.6.0 0.0.0.255
SW4 configuration:
<SW4>undo ter mo                                     <!-- turn off terminal log messages -->
<SW4>sys                                             <!-- enter system view -->
[SW4]vlan ba 2 to 8                                  <!-- create the VLANs; only VLAN 2 and VLAN 3 are actually needed here -->
[SW4]in g0/0/1                                       <!-- enter the interface -->
[SW4-GigabitEthernet0/0/1]port link-type trunk       <!-- link type trunk -->
[SW4-GigabitEthernet0/0/1]port trunk allow-pass vlan all   <!-- allow all VLANs -->
[SW4-GigabitEthernet0/0/1]in g0/0/3                  <!-- enter the interface -->
[SW4-GigabitEthernet0/0/3]port link-type access      <!-- change the link type to access -->
[SW4-GigabitEthernet0/0/3]port default vlan 2        <!-- add the interface to VLAN 2 -->
[SW4-GigabitEthernet0/0/3]in g0/0/2                  <!-- enter the interface -->
[SW4-GigabitEthernet0/0/2]port link-type access      <!-- change the link type to access -->
[SW4-GigabitEthernet0/0/2]port default vlan 3        <!-- add the interface to VLAN 3 -->
SW5 configuration:
<SW5>undo ter mo                                     <!-- turn off terminal log messages -->
<SW5>sys                                             <!-- enter system view -->
[SW5]vlan 4                                          <!-- create VLAN 4 -->
[SW5-vlan4]quit
[SW5]in g0/0/1                                       <!-- enter the interface -->
[SW5-GigabitEthernet0/0/1]port link-type trunk       <!-- link type trunk -->
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all   <!-- allow all VLANs -->
[SW5-GigabitEthernet0/0/1]in g0/0/2                  <!-- enter the interface -->
[SW5-GigabitEthernet0/0/2]port link-type access      <!-- change the link type to access -->
[SW5-GigabitEthernet0/0/2]port default vlan 4        <!-- add the interface to VLAN 4 -->

Since the configuration of SW6 and SW7 differs little from SW5 (change the interface types, create the required VLAN, add the interface to the VLAN, and allow all VLANs across the trunk interface), SW6 and SW7 are shown without comments; refer to the comments on SW5.

SW6 configuration:
<SW6>undo ter mo
<SW6>sys
[SW6]vlan 5
[SW6-vlan5]in g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]in g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type access
[SW6-GigabitEthernet0/0/2]port default vlan 5
SW7 configuration:
<SW7>un ter mo
<SW7>sys
[SW7]vlan 6
[SW7-vlan6]in g0/0/1
[SW7-GigabitEthernet0/0/1]port link-type trunk
[SW7-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW7-GigabitEthernet0/0/1]in g0/0/2
[SW7-GigabitEthernet0/0/2]port link-type access
[SW7-GigabitEthernet0/0/2]port default vlan 6

After the configuration above, the lower part of the network is reachable; test it yourself with ping from the PCs.
[Figure: the part of the topology configured in part one]

Part two:

Part two configures from R2's GE0/0/2 interface down to router R4 and the switch below it: first the IP address of R2's GE0/0/2 and RIP, then the redistribution between OSPF and RIP, then R3's interface IPs and RIP routing, and finally R4's interface IPs, router-on-a-stick subinterfaces and RIP routing.

R2 router configuration:
[R2]in g0/0/2                                        <!-- enter the interface -->
[R2-GigabitEthernet0/0/2]ip add 192.168.12.1 24      <!-- interface IP -->
[R2-GigabitEthernet0/0/2]rip                         <!-- enter RIP (process 1 by default) -->
[R2-rip-1]ver 2                                      <!-- RIP version 2 -->
[R2-rip-1]undo summary                               <!-- disable automatic route summarization -->
[R2-rip-1]net 192.168.12.0                           <!-- advertise the network -->
[R2-rip-1]import-route ospf 10                       <!-- redistribute OSPF routes into RIP -->
[R2-rip-1]default-route originate                    <!-- inject the default route into RIP (requires a default route on this device) -->
[R2-rip-1]quit
[R2]ospf 10                                          <!-- enter OSPF -->
[R2-ospf-10]import-route rip 1                       <!-- redistribute RIP routes into OSPF; the default RIP process ID is 1 -->
R3 router configuration:
<R3>undo ter mo                                      <!-- turn off terminal log messages -->
<R3>sys                                              <!-- enter system view -->
[R3]in g0/0/0                                        <!-- enter the interface -->
[R3-GigabitEthernet0/0/0]ip add 192.168.12.2 24      <!-- interface IP -->
[R3-GigabitEthernet0/0/0]in g0/0/1                   <!-- enter the interface -->
[R3-GigabitEthernet0/0/1]ip add 192.168.13.1 24      <!-- interface IP -->
[R3-GigabitEthernet0/0/1]rip                         <!-- enter RIP -->
[R3-rip-1]ver 2                                      <!-- RIP version 2 -->
[R3-rip-1]un sum                                     <!-- disable automatic route summarization -->
[R3-rip-1]net 192.168.12.0                           <!-- advertise the connected networks -->
[R3-rip-1]net 192.168.13.0
R4 router configuration:
<R4>un ter mo                                        <!-- turn off terminal log messages -->
<R4>sys                                              <!-- enter system view -->
[R4]in g0/0/1                                        <!-- enter the interface -->
[R4-GigabitEthernet0/0/1]ip add 192.168.13.2 24      <!-- interface IP -->
[R4-GigabitEthernet0/0/1]in g0/0/0.10                <!-- router-on-a-stick: create subinterface .10 -->
[R4-GigabitEthernet0/0/0.10]ip add 192.168.10.1 24   <!-- subinterface IP -->
[R4-GigabitEthernet0/0/0.10]dot1q termination vid 10 <!-- bind the subinterface to VLAN 10 -->
[R4-GigabitEthernet0/0/0.10]arp broadcast enable     <!-- enable ARP broadcast on the subinterface -->
[R4-GigabitEthernet0/0/0.10]in g0/0/0.11             <!-- enter subinterface g0/0/0.11 -->
[R4-GigabitEthernet0/0/0.11]ip add 192.168.11.1 24   <!-- subinterface IP -->
[R4-GigabitEthernet0/0/0.11]dot1q termination vid 11 <!-- bind the subinterface to VLAN 11 -->
[R4-GigabitEthernet0/0/0.11]arp broadcast enable     <!-- enable ARP broadcast on the subinterface -->
[R4-GigabitEthernet0/0/0.11]quit
[R4]rip                                              <!-- enter RIP -->
[R4-rip-1]ver 2                                      <!-- RIP version 2 -->
[R4-rip-1]un sum                                     <!-- disable automatic route summarization -->
[R4-rip-1]net 192.168.13.0                           <!-- advertise the connected networks -->
[R4-rip-1]net 192.168.10.0
[R4-rip-1]net 192.168.11.0
SW3 switch configuration:
<SW3>un ter mo                                       <!-- turn off terminal log messages -->
<SW3>sys                                             <!-- enter system view -->
[SW3]vlan ba 10 to 11                                <!-- create the corresponding VLANs -->
[SW3]in g0/0/1                                       <!-- enter the interface -->
[SW3-GigabitEthernet0/0/1]port link-type trunk       <!-- link type trunk -->
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 11   <!-- allow the relevant VLANs; "10 to 11" could also be "all" -->
[SW3-GigabitEthernet0/0/1]in g0/0/2                  <!-- enter the interface -->
[SW3-GigabitEthernet0/0/2]port link-type access      <!-- change the link type to access -->
[SW3-GigabitEthernet0/0/2]port default vlan 10       <!-- add the interface to VLAN 10 -->
[SW3-GigabitEthernet0/0/2]in g0/0/3                  <!-- enter the interface -->
[SW3-GigabitEthernet0/0/3]port link-type access      <!-- change the link type to access -->
[SW3-GigabitEthernet0/0/3]port default vlan 11       <!-- add the interface to VLAN 11 -->

With the configuration above, the following networks are all done; test them yourself with ping from the PCs.

[Figure: the part of the topology configured in part two]

Part three:

Now the Internet part needs to be configured, starting from R2's GE3/0/0 interface. First configure that interface's IP address, then the corresponding interface IP addresses on the Internet router R1. Note that the Internet router R1 must not be given any routes, yet every internal host must still be able to ping the Win7 client: in reality a company's private addresses cannot be routed on the public network, and routers on the public network will not carry routes pointing into a company's internal network, which is where NAT comes in. To introduce the ACL configuration, PC5 and PC6 are not allowed to communicate with the public network; everything else is.

R2 router configuration:
[R2]in g3/0/0                                        <!-- enter the interface -->
[R2-GigabitEthernet3/0/0]ip add 200.0.0.1 24         <!-- interface IP -->
[R2-GigabitEthernet3/0/0]quit                        <!-- leave the interface -->
[R2]nat address-group 1 200.0.0.100 200.0.0.100      <!-- NAT address group (a single public address) -->
[R2]acl 2000                                         <!-- basic ACL number 2000 -->
[R2-acl-basic-2000]rule 0 per source any             <!-- permit every source address -->
[R2-acl-basic-2000]quit                              <!-- exit -->
[R2]acl 3000                                         <!-- advanced ACL number 3000 -->
[R2-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.1.255 destination 200.0.0.0 0.0.0.255
<!-- deny a source range to a destination; 192.168.10.0 with wildcard 0.0.1.255 is a summary covering
192.168.10.0/24 and 192.168.11.0/24 (a /23), as the wildcard mask shows -->
[R2-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.1.255 destination 201.0.0.0 0.0.0.255
<!-- the same source range, denied to the 201.0.0.0/24 destination -->
[R2-acl-adv-3000]quit                                <!-- exit -->
[R2]in g3/0/0                                        <!-- enter the interface connected to the Internet -->
[R2-GigabitEthernet3/0/0]nat outbound 2000 address-group 1   <!-- translate sources matched by ACL 2000 to address-group 1 -->
[R2-GigabitEthernet3/0/0]nat server global 200.0.0.200 inside 192.168.2.10
<!-- static NAT: publish the internal server as public IP 200.0.0.200. This maps every port of the host;
to expose only the web service, use a protocol-specific mapping such as
"nat server protocol tcp global 200.0.0.200 www inside 192.168.2.10 www" -->
[R2-GigabitEthernet3/0/0]quit                        <!-- exit -->
[R2]in g0/0/2                                        <!-- enter the interface facing R3 -->
[R2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000   <!-- apply the deny ACL inbound, where traffic from 192.168.10.0/23 enters R2 -->
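Before applying an ACL like 3000 with traffic-filter, it pays to check offline what the wildcard masks really match, since a wildcard is a don't-care mask and not a subnet mask. The Python evaluator below is an example added to this post (not the post's code and not Huawei's implementation); it models the semantics this section relies on: wildcard matching, first-match evaluation in ascending rule-number order, rule numbers stepping by 5 when omitted (assumed here to start at 5), and unmatched packets being forwarded (assumed traffic-filter default). It rebuilds ACL 3000 as configured on R2, then shows two things worth knowing: 192.168.11.0 0.0.1.255 covers exactly the same /23 as 192.168.10.0 0.0.1.255, and a wildcard such as 0.0.1.254 silently skips every odd host address. The test addresses are constructed.

```python
"""Offline evaluator for Huawei-style wildcard-mask ACL rules.

Added example: not the post's code and not Huawei's implementation. It
models the ACL semantics the post relies on:
  - a wildcard mask marks don't-care bits (1 = ignore the bit);
  - rules are tried in ascending rule-number order and the first match wins;
  - an omitted rule number takes the next multiple of the step, 5 by default
    (assumed: the first auto-numbered rule is 5);
  - a packet matching no rule is forwarded (assumed traffic-filter default).
The addresses used below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # (address, wildcard) matching everything


def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard does not ignore."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def covered_slash24s(base: str, wildcard: str) -> list[str]:
    """List the /24 networks a base/wildcard pair covers (wildcard ending in .255)."""
    wc = ip_int(wildcard)
    if wc & 0xFF != 0xFF:
        raise ValueError("helper expects a wildcard whose last octet is 255")
    free_bits = [b for b in range(8, 32) if wc & (1 << b)]   # don't-care bits above the host octet
    fixed = ip_int(base) & ~wc & 0xFFFFFFFF
    nets = set()
    for combo in range(1 << len(free_bits)):
        net = fixed
        for j, bit in enumerate(free_bits):
            if combo & (1 << j):
                net |= 1 << bit
        nets.add(f"{ipaddress.IPv4Address(net)}/24")
    return sorted(nets)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                         # "permit" or "deny"
    source: tuple[str, str] = ANY       # (address, wildcard)
    destination: tuple[str, str] = ANY

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, *self.source)
                and wildcard_match(dst, *self.destination))


class Acl:
    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: dict[int, Rule] = {}

    def rule(self, action: str, number: int | None = None,
             source: tuple[str, str] = ANY, destination: tuple[str, str] = ANY) -> int:
        """Like `rule [number] permit|deny ...`; an omitted number takes the next step."""
        if number is None:
            highest = max(self.rules, default=0)
            number = (highest // self.step + 1) * self.step
        self.rules[number] = Rule(number, action, source, destination)
        return number

    def evaluate(self, src: str, dst: str) -> tuple[str, int | None]:
        """First matching rule in number order decides; no match means forwarded."""
        for number in sorted(self.rules):
            if self.rules[number].matches(src, dst):
                return self.rules[number].action, number
        return "permit", None


def acl_3000() -> Acl:
    """ACL 3000 exactly as configured on R2 in the post."""
    acl = Acl(3000)
    acl.rule("deny", source=("192.168.10.0", "0.0.1.255"), destination=("200.0.0.0", "0.0.0.255"))
    acl.rule("deny", source=("192.168.10.0", "0.0.1.255"), destination=("201.0.0.0", "0.0.0.255"))
    return acl


if __name__ == "__main__":
    acl = acl_3000()
    for src, dst in [("192.168.10.5", "200.0.0.2"), ("192.168.11.200", "201.0.0.10"),
                     ("192.168.2.10", "200.0.0.2"), ("192.168.12.1", "200.0.0.2")]:
        print(f"{src:>15} -> {dst:<12} {acl.evaluate(src, dst)}")
    print("0.0.1.255 from .10.0 covers", covered_slash24s("192.168.10.0", "0.0.1.255"))
    print("0.0.1.255 from .11.0 covers", covered_slash24s("192.168.11.0", "0.0.1.255"))
```

Because matching stops at the first hit, the rule-number gaps matter: exempting a single host from the deny is a matter of inserting a permit with a lower number (for example rule 3) in front of rule 5, without touching the existing rules.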
R1 router configuration:
<!-- only the interface IP addresses are configured; my patience is nearly used up, so no comments -->
<R1>sys
[R1]in g0/0/0
[R1-GigabitEthernet0/0/0]ip add 200.0.0.2 24
[R1-GigabitEthernet0/0/0]in g0/0/1
[R1-GigabitEthernet0/0/1]ip add 201.0.0.1 24

All configuration is now complete; set up Win7 and Windows Server 2016 yourself and test. Note that when Win7 pings the internal network or accesses services on Windows Server 2016, it must use the address the internal network is mapped to and the server's mapped public address, not the server's real internal address. I had planned to describe the ACL configuration in more detail, but this post has already taken more than five hours and I have run out of patience.

Some commands useful for troubleshooting:

[R2]display current-configuration                    <!-- show the device's entire current configuration -->
[R2]display ip routing-table                         <!-- show the routing table -->
[SW1]display vlan                                    <!-- show VLAN information -->
[SW1]display ip interface brief                      <!-- show interface status -->
[SW1]display current-configuration interface Vlanif 2   <!-- show the current configuration of one interface -->
[R2]display nat session all                          <!-- show NAT translation entries -->
[R2]display ospf peer brief                          <!-- show OSPF neighbours -->
[R2]display acl all                                  <!-- show ACL information -->
[SW1]display eth-trunk 12                            <!-- show link aggregation status -->

(3) Summary:

The following points need to be understood for this topology:

  • Even when a switch has no clients in a given VLAN, the VLAN must still be created on it, as on SW1 and SW2 in the topology above: when a switch receives a frame tagged with a VLAN it does not have, it drops the frame. This is different when a router sits in between.
  • A Huawei trunk allows only VLAN 1 by default, whereas a Cisco trunk allows all VLANs by default. On Huawei devices, after the basic trunk configuration, the command allowing the relevant VLANs across the trunk must be added. Allowing only the VLANs the trunk actually needs, as SW3 does with "port trunk allow-pass vlan 10 to 11", is the safer habit than "vlan all".
  • When configuring link aggregation, the smaller the LACP priority value, the higher the priority; the default system LACP priority is 32768. The end with the smaller system LACP priority is chosen as the active end; if both ends have the same system LACP priority, the end with the smaller MAC address becomes the active end.
  • When configuring OSPF, a router-id can be specified when entering the process, for example to set R2's router-id to 1.1.1.1: "[R2] ospf 10 router-id 1.1.1.1".
  • Physical interfaces on Huawei Layer 3 switches cannot be turned directly into Layer 3 interfaces with a command like Cisco's "no switchport", so when connecting to a router the only option is to configure a VLANIF virtual interface and add the physical interface to that VLAN.
  • On Huawei devices, RIP networks can only be declared in classful form: for a subnetted network such as 10.10.5.0/24, only "10.0.0.0" can be declared. Note that if the network is subnetted, be sure to use RIP version 2 (the default is version 1) and turn off automatic summarization.
  • On Huawei devices, NAT is configured directly on the external interface; the internal traffic to be translated is defined by an ACL, and the public addresses it is translated to are defined by a NAT address group.
  • Huawei ACLs are similar to Cisco's: they are divided into basic and advanced ACLs, corresponding to Cisco's standard and extended ACLs. Basic ACLs are numbered 2000 to 2999 and advanced ACLs 3000 to 3999. A rule number can be given after the "rule" keyword or omitted; by default rule numbers are spaced 5 apart. Because ACL matching stops at the first matching rule, this spacing makes later changes convenient: a rule can be inserted in front of an existing one.

Origin blog.51cto.com/14154700/2424396