table of Contents
Huawei routing and switching integrated experimental stage --- IA
Lab topology
Experimental demand
- , Marked for each VLAN ID, in order to distinguish between separate departments; topology rational planning and VLANIf address IP address (PC3 belong to the Ministry of Finance, PC4 belongs to the technical department PC1 belongs Operations, PC2 belong Marketing) according to.
- Head office and branch dynamic routing protocol, respectively (as shown).
- Head office and branch business segment does not allow protocol packets appear.
- PC3 and PC4 and Switch5 Switch4 attributed to double by Switch7. To ensure that the user's various services are not interrupted transmission in the network, the need to do a backup gateway on Switch4 and Switch5.
Under normal circumstances, PC3 to Switch4 as the default gateway, PC4 to Switch5 as the default gateway, redundant backup gateway.
Switch fault recovery after the delay time is 20 seconds by way of preemption to become re-Master, assume data transmission. - Runs between Switch4,7,5 MSTP, PC3 flow away Switch4, PC4 flow away Switch5, and mutual backup, access port directly into the forwarding state after the PC starts, spanning tree calculation.
- R1 and R3 operation Easy IP, allowing only access to the external network (R2 Loopback0 port of the analog public network address) Marketing and Technology.
- Switch4 disposed between the link and the polymerization switch5 improve link bandwidth and reliability.
- AR6 not have access to PC3, PC4 (acl)
- R3 open Telent service, allowing only AR6 (network management equipment, analog PC) for remote management. Advanced ACL
- Egress router (R1 and R3) configured default route to the Internet for advertisement to the internal private network.
- Headquarters egress router R2 R3 and equipment operators for security reasons, PPP authentication (chap authentication), user name runtime, the password is huawei
- Division egress router R1 and R2 equipment operators PPP authentication (pap authentication), user name aaa, bbb password
Headquarters and branches to achieve visits (optional)
Experimental Procedure
1. According to the IP address topology of rational planning and VLANIf address
LSW6 configuration is as follows
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 10
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access
[Huawei-Ethernet0/0/4]port default vlan 20
[Huawei-Ethernet0/0/4]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]PORT trunk allow-pass vlan 10 20
[Huawei-Ethernet0/0/1]port trunk pvid vlan 10
[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan 10 20
[Huawei-Ethernet0/0/2]port trunk pvid vlan 20
[Huawei-vlan10]description yun ying // VLAN 标识 //
[Huawei-vlan20]description shi chang // VLAN 标识 //LSW1 configuration is as follows
[Huawei]vlan batch 10 30
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei]int vlan 10
[Huawei-Vlanif10]ip address 192.168.1.254 24LSW2 configuration is as follows
[Huawei]vlan batch 20 40
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 20
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei]int vlan 20
[Huawei-Vlanif10]ip address 192.168.2.254 24Test connectivity
PC1 PING SW1 ; PC2 PING SW2
PC>ping 192.168.1.254
Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
From 192.168.1.254: bytes=32 seq=1 ttl=255 time=93 ms
From 192.168.1.254: bytes=32 seq=2 ttl=255 time=32 ms
From 192.168.1.254: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.1.254: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.1.254: bytes=32 seq=5 ttl=255 time=16 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/40/93 msPC>ping 192.168.2.254
Ping 192.168.2.254: 32 data bytes, Press Ctrl_C to break
From 192.168.2.254: bytes=32 seq=1 ttl=255 time=47 ms
From 192.168.2.254: bytes=32 seq=2 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=5 ttl=255 time=32 ms
--- 192.168.2.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/34/47 ms2. PC1 and PC2 can not communicate, achieve independence and departments
PC>ping 192.168.2.1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet lossSW1 上配置接口所属VLAN,及VLANIF
[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 30
[Huawei-GigabitEthernet0/0/4]int vlan 30
[Huawei-Vlanif30]ip address 192.168.3.1 24SW2上配置接口所属VLAN,及VLANIF
[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 40
[Huawei-GigabitEthernet0/0/4]int vlan 40
[Huawei-Vlanif40]ip address 192.168.4.1 243. PC1 不能访问PC2 ,定义ACL
LSW1
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.1.1 0 destination 192.168.2.1
0
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000LSW2
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.2.1 0 destination 192.168.1.1
0
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000PC1 和PC2 实现了不能互通,策略已经生效
PC>ping 192.168.2.1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss4. 分公司运行RIP 协议
AR1上配置IP地址,运行RIP 协议
[Huawei]rip
[Huawei-rip-1]ver 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]network 192.168.4.0SW1上配置RIP
[Huawei]rip
[Huawei-rip-1]ver 2
[Huawei-rip-1]network 192.168.1.0
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]undo summarySW2上配置RIP
[Huawei]rip
[Huawei-rip-1]ver 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.168.2.0
[Huawei-rip-1]network 192.168.4.0规划所属VLAN
SW7 VLAN 配置
[Huawei]vlan batch 10 20
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 10
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access
[Huawei-Ethernet0/0/4]port default vlan 20
[Huawei]int e0/0/5
[Huawei-Ethernet0/0/5]port link-type trunk
[Huawei-Ethernet0/0/5]port trunk allow-pass vlan all
[Huawei-Ethernet0/0/5]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
[Huawei]int vlan 10
[Huawei-Vlanif10]description cai wu //VLAN 标识//
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]description ji shu //VLAN 标识//LSW4
[Huawei]int e0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type trunk
[Huawei-GigabitEthernet0/0/4] port trunk allow-pass vlan allLSW5
[Huawei]int e0/0/4
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1] port trunk allow-pass vlan all5. 总公司运行OSPF
配置OSPF 区域 1
SW4
ospf 1
area 1
network 172.19.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255SW5
ospf 1
area 1
network 172.20.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255AR5
ospf 1
area 1
network 172.19.1.0 0.0.0.255
network 172.20.1.0 0.0.0.255 配置OSPF 区域0
ospf 1
area 0
network 172.17.1.0 0.0.0.255
network 172.18.1.0 0.0.0.255AR6
ospf 1
area 0
network 172.18.1.0 0.0.0.255 AR3
ospf 1
area 0
network 172.17.1.0 0.0.0.255 6. 总公司和分公司业务网段不允许出现协议报文
RIP 区域配置静默接口
SW1 上配置静默接口
[Huawei-rip-1]silent-interface g0/0/1 //配置静默接口//SW2上配置静默接口
[Huawei-rip-1]silent-interface g0/0/1 //配置静默接口//OSPF 区域配置静默接口
SW4上配置静默接口
[Huawei-ospf-1]silent-interface g0/0/4 //配置静默接口//SW5上配置静默接口
[Huawei-ospf-1]silent-interface g0/0/1 //配置静默接口//7. SW4和SW5之间配置链路聚合,创建聚合组
LSW4
[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]trunkport g0/0/2
[Huawei-Eth-Trunk1]trunkport g0/0/5
[Huawei-Eth-Trunk1]trunkport g0/0/1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass 10 20LSW5
[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]trunkport g0/0/2
[Huawei-Eth-Trunk1]trunkport g0/0/5
[Huawei-Eth-Trunk1]trunkport g0/0/1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass 10 20查看链路聚合组
[Huawei]DIS eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/1 Up 1
GigabitEthernet0/0/2 Up 1
GigabitEthernet0/0/5 Up 1 8. SW4、7、5之间运行MSTP,PC3流量走Switch4,PC4流量走Switch5,并且互为主备
在SW4上配置如下
[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instanse 1 vlan 10
[Huawei-mst-region]instanse 2 vlan 20
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 1 root primary在SW5上配置如下
[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instanse 1 vlan 10
[Huawei-mst-region]instanse 2 vlan 20
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 2 root primary 在SW7上配置如下
[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instanse 1 vlan 10
[Huawei-mst-region]instanse 2 vlan 20
[Huawei-mst-region]active region-configuration9. SW7 上配置边缘端口,接入PC机的端口启动后直接进入转发状态,不参与生成树计算
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]stp edged-port enable
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]stp edged-port enable 10. vrrp 配置
LSW4
[Huawei]int vlan 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
[Huawei-Vlanif10]vrrp vrid 1 priority 150
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20 //延时20秒通过抢占的方式重新成为Master //LSW5
[Huawei-Vlanif20]int vlan 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254
[Huawei-Vlanif20]vrrp vrid 2 priority 150
[Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer delay 20 //延时20秒通过抢占的方式重新成为Master //查看VRRP
在SW4上查看主备状态
[Huawei-Vlanif20]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 172.16.1.254
2 Backup Vlanif20 Normal 172.16.2.254
----------------------------------------------------------------
Total:2 Master:1 Backup:1 Non-active:0 PC3 PING PC4 测试连通性
PC>ping 172.16.2.1
Ping 172.16.2.1: 32 data bytes, Press Ctrl_C to break
From 172.16.2.1: bytes=32 seq=1 ttl=127 time=203 ms
From 172.16.2.1: bytes=32 seq=2 ttl=127 time=94 ms
From 172.16.2.1: bytes=32 seq=3 ttl=127 time=109 ms
From 172.16.2.1: bytes=32 seq=4 ttl=127 time=109 ms
From 172.16.2.1: bytes=32 seq=5 ttl=127 time=78 ms
--- 172.16.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/118/203 ms11. 出口路由器(R1和R3)配置默认路由指向互联网并通告到私网内部
在AR3上配置一条默认路由
[Huawei]ip route-static 0.0.0.0 0 200.100.2.2
[Huawei-ospf-1]default-route-advertise //通告默认路由//在SW5上查看ospf 路由表
[Huawei]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 5 Routes : 8
OSPF routing table status : <Active>
Destinations : 5 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 O_ASE 150 1 D 172.20.1.2 Vlanif60
172.16.1.254/32 OSPF 10 2 D 172.16.1.252 Vlanif10
OSPF 10 2 D 172.16.2.252 Vlanif20
172.17.1.0/24 OSPF 10 2 D 172.20.1.2 Vlanif60
172.18.1.0/24 OSPF 10 2 D 172.20.1.2 Vlanif60
172.19.1.0/24 OSPF 10 2 D 172.20.1.2 Vlanif60
OSPF 10 2 D 172.16.1.252 Vlanif10
OSPF 10 2 D 172.16.2.252 Vlanif20
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 012. 在AR1 上配置默认路由,引入默认路由
[Huawei]ip route-static 0.0.0.0 0 200.100.1.2
[Huawei-rip-1]default-route originate 在SW1上查看路由表,已经学习到了去往外部默认路由
[Huawei]dis ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
Destinations : 3 Routes : 3
RIP routing table status : <Active>
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 RIP 100 1 D 192.168.3.2 Vlanif30
192.168.2.0/24 RIP 100 2 D 192.168.3.2 Vlanif30
192.168.4.0/24 RIP 100 1 D 192.168.3.2 Vlanif30
RIP routing table status : <Inactive>
Destinations : 0 Routes : 0
13. AR6不能访问PC3、PC4
在AR5上定义高级ACL 策略
[Huawei]acl 3000
[Huawei-acl-adv-3000] rule 5 deny ip source 172.18.1.2 0 destination
172.16.1.1 0
[Huawei-acl-adv-3000]rule 10 deny ip source 172.18.1.2 0 destination
172.16.2.1 0
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 3000在AR6上测试 PING PC3 和 PC4 ,已实现不能互通
AR6]ping 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet lossAR6]ping 172.16.2.1
PING 172.16.2.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 172.16.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss14. R3开启Telent服务,只允许AR6(网管设备,模拟PC)做远程管理
[AR3]acl 3001
[AR3-acl-adv-3001]rule 5 permit tcp source 172.18.1.2 0 destination 172.17.1.2 0
destination-port eq 23
[AR3-acl-adv-3001]rule 6 deny tcp source any destination 172.17.1.2 0 destinatio
n-port eq 23发现只有AR6可以telnet R3,ACL 策略已生效
<AR6>telnet 172.17.1.2
Press CTRL_] to quit telnet mode
Trying 172.17.1.2 ...
Connected to 172.17.1.2 ...
Login authentication
Username:在AR5上telnet R3做测试 ,发现已经被拒绝
<Huawei>telnet 172.17.1.2
Press CTRL_] to quit telnet mode
Trying 172.17.1.2 ...15. R1和R3运行Easy IP,只允许市场部和技术部访问外网
AR1上配置
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.2.1 0
[Huawei-acl-basic-2000]int s4/0/0
[Huawei-Serial4/0/0]nat outbound 2000AR3上配置
[AR3]acl 2000
[AR3-acl-basic-2000]rule 5 permit source 172.16.2.1 0
[AR3-acl-basic-2000]int s4/0/1
[AR3-Serial4/0/1]nat outbound 2000PC2 PING 公网地址
PC>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=253 time=110 ms
From 2.2.2.2: bytes=32 seq=2 ttl=253 time=78 ms
From 2.2.2.2: bytes=32 seq=3 ttl=253 time=62 ms
From 2.2.2.2: bytes=32 seq=4 ttl=253 time=79 ms
From 2.2.2.2: bytes=32 seq=5 ttl=253 time=62 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/78/110 ms16. 总部出口路由器R3和运营商设备R2进行PPP认证(CHAP 认证)
在AR2做CHAP 主认证
[Huawei]aaa
[Huawei-aaa]local-user runtime password cipher huawei
[Huawei-aaa]local-user runtime service-type ppp
[Huawei-Serial4/0/1]link-protocol ppp
[Huawei-Serial4/0/1]ppp authentication-mode chap
[Huawei-Serial4/0/1]ip address 200.100.2.1 30在AR3上被认证
[Huawei]int s4/0/1
[Huawei-Serial4/0/1]ppp pap local-user runtime
[Huawei-Serial4/0/1]ppp chap password cipher huawei
[Huawei-Serial4/0/1]ip address 200.100.2.2 317. 分部出口路由器R1和运营商设备R2进行PPP认证(PAP认证)
在AR1上做PAP主认证方
Huawei]aaa
[Huawei-aaa]local-user aaa password cipher bbb
[Huawei-aaa]local-user aaa service-type ppp
[Huawei-aaa]int s4/0/0
[Huawei-Serial4/0/0]ppp authentication-mode pap
[Huawei-Serial4/0/0]ip address 200.100.1.2 30在AR2 上做HAP 被认证方
[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ppp pap local-user aaa password simple bbb
[Huawei-Serial4/0/0]ip address 200.100.1.1 30