直连路由
目标网段 —— 路由信息。
协议字段:代表当前路由的生产方式,direct——直连。
优先级:路由默认优先级,direct-0,越小越优先。
1.需求
如下拓扑图两台路由两台PC
PC1 = 192.47.10.1/24 PC2 = 192.47.20.2/24
AR1 --- G0/0/0 = 12.47.1.1/24
G0/0/1 = 192.47.10.254/24
AR2 --- G0/0/0 = 12.47.1.2/24
G0/0/1 = 192.47.20.254
通过静态路由使得PC1与PC2能够进行通信拓扑图
AR1配置:
[Huawei]sysname AR1
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 12.47.1.1 24
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.47.10.254 24
[AR1-GigabitEthernet0/0/1]q
[AR1]
//添加静态路由
[AR1]ip route-static 192.47.20.0 24 12.47.1.2
[AR1]display ip routing-tableAR2配置:
[Huawei]sysname AR2
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 12.47.1.2 24
[AR2-GigabitEthernet0/0/0]q
[AR2]
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 192.47.20.254 24
[AR2-GigabitEthernet0/0/1]q
//添加静态路由
[AR2]ip route-static 192.47.10.0 24 12.47.1.1
//查看路由表
[AR2]display ip routing-tablePC1对PC2进行通信测试:
2.需求
添加一台AR3使用S口与AR1和AR2相连接
PC1 = 192.47.10.1/24 PC2 = 192.47.20.2/24
AR1 --- G0/0/0 = 12.47.1.1/24
G0/0/1 = 192.47.10.254/24
S1/0/0 = 13.47.1.1/24
AR2 --- G0/0/0 = 12.47.1.2/24
G0/0/1 = 192.47.20.254/24
S1/0/0 = 23.47.1.2/24
AR3 --- S1/0/0 = 13.47.1.3/24
S1/0/1 = 23.47.1.3/24
通过静态路由使得全部通信
1.断开AR1与AR2 测试是否通过AR3进行通信。
2.修改优先级主从G口,S口作为备选。拓扑图
AR3
//one----------
[Huawei]sysname AR3
[AR3]
[AR3]interface Serial 1/0/0
[AR3-Serial1/0/0]ip address 13.47.1.3 24
[AR3-Serial1/0/0]q
[AR3]
[AR3]interface Serial 1/0/1
[AR3-Serial1/0/1]ip address 23.47.1.3 24
[AR3-Serial1/0/1]q
[AR3]
//two----------
//添加静态路由
[AR3]ip route-static 192.47.10.0 255.255.255.0 13.47.1.1
[AR3]ip route-static 192.47.20.0 255.255.255.0 23.47.1.2AR1根据上面实验来做配置S1/0/0
//one----------
[AR1]interface Serial 1/0/0
[AR1-Serial1/0/0]ip ad
[AR1-Serial1/0/0]ip address 13.47.1.1
[AR1-Serial1/0/0]q
[AR1]
//two----------
//添加静态路由
[AR1]ip route-static 23.47.1.0 24 13.47.1.3
[AR1]ip route-static 192.47.20.0 24 13.47.1.3AR2根据上面实验来做配置S1/0/0
//one----------
[AR2]interface Serial 1/0/0
[AR2-Serial1/0/0]ip ad
[AR2-Serial1/0/0]ip address 23.47.1.2 24
//two----------
//添加静态路由
[AR2]ip route-static 13.47.1.0 24 23.47.1.3
[AR2]ip route-static 192.47.10.0 24 23.47.1.3断开AR1与AR2之间的线路:
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]shutdown
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]shutdownPC1对PC2进行通信测试:
打开AR1与AR2之间的线路测试:
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]undo shutdown
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]undo shutdown查看AR1的路由表:
根据上图可以得出结论:
去往192.47.20.0/24网段有两条路可以选择[12.47.1.2]和[13.47.1.3]
他们的优先级都是60所以在PC1与PC2通信时会分流进行各占百分之50的资源
因为S口是只有几m的传输速度比较缓慢所以咱们只能把他作为备用线路来使用
而G口是千兆口正常传输都是使用G口来传输比较快速高效当G口出现问题才会自动选取S口来进行流量放行
而选取主要的端口作为传输要道需要修改他们的优先级【默认都是60】
优先级越小则就从那一条路由进行放行
下面我将使用G口作为主要路由通信,而S口作为备用通道,只需修改优先级即可
[AR1]ip route-static 192.47.20.0 24 13.47.1.3 preference 61
[AR2]ip route-static 192.47.10.0 24 23.47.1.3 preference 61
我把S口的路由线路修改大一级则就先选取优先级较小
当然我也可以把G口修改为59其结果也是一样查看路由表发现只显示G口没有显示S口:
咱们把G口断开然后再次进行查看路由表:
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]shutdown根据上图路由表可以看出只要咱们配置好两条路由,就算主线路出现问题也是可以正常通信的,如上直接选取了优先级为61的13.47.1.3路由进行与其他设备通信。由此可得通过写多条路由可以进行备份,来防止线路出现损坏而不能正常接收流量等问题。[AR1]ip route-static 192.47.20.0 24 13.47.1.3
[AR2]ip route-static 192.47.10.0 24 23.47.1.3
[AR3]ip route-static 192.47.10.0 24 13.47.1.1
[AR3]ip route-static 192.47.20.0 24 23.47.1.2
ip route 。。。。。 pre 61
[AR1]ip route-static 192.47.20.0 255.255.255.0 13.47.1.3 preference 61
Info: Succeeded in modifying route.
[AR2]ip route-static 192.47.10.0 255.255.255.0 23.47.1.3 preference 61
Info: Succeeded in modifying route.1.拓扑图
PC2
PC4
任务1_配置SW2和SW3使得PC1与PC4通信
SW2配置:
[Huawei]sysname SW2
[SW2]
[SW2]vlan 10
[SW2-vlan10]q
[SW2]interface e0/0/2
[SW2-Ethernet0/0/2]port link-type access
[SW2-Ethernet0/0/2]port default vlan 10
[SW2-Ethernet0/0/2]q
[SW2]
[SW2]interface e0/0/3
[SW2-Ethernet0/0/3]port link-type access
[SW2-Ethernet0/0/3]port default vlan 10
[SW2-Ethernet0/0/3]q
[SW2]
[SW2]interface e0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]q
# 查看分配vlan
[SW2]display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
Ethernet0/0/1 hybrid 1 -
Ethernet0/0/2 access 10 -
Ethernet0/0/3 access 10 -SW3配置:
[Huawei]sysname SW3
[SW3]
[SW3]vlan 20
[SW3-vlan20]q
[SW3]interface e0/0/2
[SW3-Ethernet0/0/2]port link-type access
[SW3-Ethernet0/0/2]port default vlan 20
[SW3-Ethernet0/0/2]q
[SW3]
[SW3]interface e0/0/3
[SW3-Ethernet0/0/3]port link-type access
[SW3-Ethernet0/0/3]port default vlan 20
[SW3-Ethernet0/0/3]q
[SW3]
[SW3]interface e0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW3-GigabitEthernet0/0/1]q
# 查看分配vlan
[SW3]display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
Ethernet0/0/1 hybrid 1 -
Ethernet0/0/2 access 20 -
Ethernet0/0/3 access 20 -SW1配置:
[Huawei]sysname SW1
[SW1]vlan batch 10 20
[SW1]interface Vlanif 10
[SW1-Vlanif10]ip address 172.47.1.254 24
[SW1-Vlanif10]q
[SW1]
[SW1]interface Vlanif 20
[SW1-Vlanif20]ip address 172.47.2.254 24
[SW1-Vlanif20]q
[SW1]
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]q
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW1-Vlanif20]q
[SW1]PC4对PC2进行通信测试:
任务2_配置DHCP_server使得PC1与PC3获取地址使得通信:
SW1配置:
[SW1]vlan 100
[SW1-vlan100]q
[SW1]
[SW1]interface Vlanif 100
[SW1-Vlanif100]ip address 11.47.1.2 24
[SW1-Vlanif100]q
[SW1]
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 100
[SW1-GigabitEthernet0/0/1]q
[SW1]AR1配置:
[Huawei]sysname AR1
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 11.47.1.1 24
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]ip route-static 172.47.1.0 24 11.47.1.2
[AR1]ip route-static 172.47.2.0 24 11.47.1.2
# 开启dhcp
[AR1]dhcp enable
# 设置一个名为v10的地址池来分配地址给vlan10
[AR1]ip pool v10
[AR1-ip-pool-v10]gateway-list 172.47.1.254
[AR1-ip-pool-v10]network 172.47.1.0 mask 255.255.255.0
[AR1-ip-pool-v10]dns-list 8.8.8.8
[AR1-ip-pool-v10]q
# 设置一个名为v20的地址池来分配地址给vlan20
[AR1]ip pool v20
[AR1-ip-pool-v20]gateway-list 172.47.2.254
[AR1-ip-pool-v20]network 172.47.2.0 mask 255.255.255.0
[AR1-ip-pool-v20]dns-list 8.8.8.8
[AR1-ip-pool-v20]q
[AR1]
# 放行地址
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]dhcp select global
[AR1-GigabitEthernet0/0/0]q
[AR1]SW1继续配置DHCP中继:
[SW1]dhcp enable
[SW1]interface Vlanif 10
[SW1-Vlanif10]dhcp select relay
[SW1-Vlanif10]dhcp relay server-ip 11.47.1.1
[SW1-Vlanif10]q
[SW1]interface Vlanif 20
[SW1-Vlanif20]dhcp select relay
[SW1-Vlanif20]dhcp relay server-ip 11.47.1.1
[SW1-Vlanif20]q
[SW1]PC1通过DHCP获取地址:
PC3通过DHCP获取地址:
测试AR1与PC2和PC4的通信:
任务3_配置AR2使得全部通信:
SW1配置:
[SW1]vlan 200
[SW1-vlan200]q
[SW1]
[SW1]interface Vlanif 200
[SW1-Vlanif200]ip address 12.47.1.2 24
[SW1-Vlanif200]q
[SW1]
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 200
[SW1-GigabitEthernet0/0/4]qAR2配置:
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 12.47.1.1 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]
[Huawei]ip route-static 172.47.1.0 24 12.47.1.2
[Huawei]ip route-static 172.47.2.0 24 12.47.1.2
[Huawei]AR2与PC2和PC3进行通信测试:
2.拓扑图
ISP
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 100.47.1.254 24
[AR3-GigabitEthernet0/0/0]q
[AR3]
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 200.47.1.254 24
[AR3-GigabitEthernet0/0/1]q
[AR3]
[AR3]sysname ISP
[ISP]
# 认证授权和收费三a认证
[ISP]aaa
# 设置用户为WDJ-47 密码为huawei@123
[ISP-aaa]local-user WDJ-47 password cipher huawei@123
Info: Add a new user.
[ISP-aaa]
# 设置pppoe拨号
[ISP-aaa]local-user wdj-47 service-type ppp
[ISP-aaa]q
[ISP]
# 配置虚拟模板
[ISP]interface Virtual-Template 0
[ISP-Virtual-Template0]
# 设置认证模式
[ISP-Virtual-Template0]ppp authentication-mode ?
chap Enable CHAP authentication # 推荐使用chap因为在发送过程中会加密
pap Enable PAP authentication
[ISP-Virtual-Template0]ppp authentication-mode chap
# 下发一个公网地址进行能够上网
[ISP-Virtual-Template0]remote address 202.47.1.2
# 设置虚拟地址
[ISP-Virtual-Template0]ip address 202.47.1.1 24
[ISP-Virtual-Template0]q
[ISP]
# 设置接口绑定(服务器端)
[ISP]
[ISP]interface GigabitEthernet 0/0/2
[ISP-GigabitEthernet0/0/2]pppoe-server bind virtual-template 0
[ISP-GigabitEthernet0/0/2]q
[ISP]AR2
# 配置客户端
# 创建拨号上网接口并且设置账户密码
[AR2]interface Dialer 0
[AR2-Dialer0]
[AR2-Dialer0]ppp chap user WDJ-47
[AR2-Dialer0]ppp chap password cipher huawei@123
[AR2-Dialer0]ip address ppp-negotiate
[AR2-Dialer0]dialer user 1
# 创建绑定编号
[AR2-Dialer0]dialer bundle 100
[AR2-Dialer0]q
[AR2]
# 拨号接口与物理接口进行绑定
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]pppoe-client dial-bundle-number 100
[AR2-GigabitEthernet0/0/1]q
[AR2]
# 查看下发地址 检查AR2的Dialer0是否有地址
[AR2]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
#Dialer0 202.47.1.2/32 up up(s)
GigabitEthernet0/0/0 12.47.1.1/24 up up
GigabitEthernet0/0/1 unassigned up down
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
[AR2]3.拓扑图
SW2配置:
[SW2]interface e0/0/4
[SW2-Ethernet0/0/4]port link-type access
[SW2-Ethernet0/0/4]port default vlan 10
[SW2-Ethernet0/0/4]q
[SW2]AR1配置:
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 10.47.1.254 24SW1配置:
[SW1]ip route-static 10.47.1.0 24 11.47.1.1
任务需求:
需求:ACL访问控制列表
1.服务器2无法访问AR2
2.客户端2可以ping通服务器2,但是无法访问解释ACL
标准ACL:2000-2999可以帮助匹配数据的源IP地址
高级ACL:3000-3999可以帮助匹配数据的五元组(源目IP,源目端口号,协议号)
二层ACL:4000-4999 可以帮助匹配MAC地址sw1配置
[SW1]acl number 2000
# 过滤源地址
[SW1-acl-basic-2000]rule 5 deny source 172.47.1.1 0
[SW1-acl-basic-2000]q
[SW1]
# 调用acl
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]traffic-filter inbound acl 2000验证server2无法访问AR2
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]undo traffic-filter inbound acl 2000
[SW1-GigabitEthernet0/0/2]q
[SW1][AR2]acl number 2000
[AR2-acl-basic-2000]rule 5 deny source 172.47.1.1 0
[AR2-acl-basic-2000]q
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 2000
[AR2-GigabitEthernet0/0/0]q
[AR2]测试通信:
测试通信:
[AR1]acl number 3000
[AR1-acl-adv-3000]rule deny tcp source 10.47.1.3 0 destination 172.47.1.1 0 destination-port eq www
[AR1-acl-adv-3000]rule deny tcp source 10.47.1.3 0 destination 172.47.1.1 0 destination-port eq ftp
[AR1-acl-adv-3000]q
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
[AR1-GigabitEthernet0/0/0]q
[AR1]测试:
[AR2]ip route-static 0.0.0.0 0 202.47.1.1
[SW1]ip route-static 0.0.0.0 0 12.47.1.1[AR2]acl 2001
[AR2-acl-basic-2001]rule permit source 172.47.1.0 0.0.0.255
[AR2-acl-basic-2001]rule permit source 172.47.2.0 0.0.0.255
[AR2-acl-basic-2001]q
[AR2]
[AR2]interface Dialer 0
[AR2-Dialer0]nat outbound 2001
[AR2-Dialer0]nat server protocol tcp global current-interface 5000 inside 172.47
.1.1 www
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]undo traffic-filter inbound
