Huawei Device Commands and eNSP Labs
Commands for Huawei switches and routers, with eNSP labs and topology diagrams. I hope this mind map is helpful to you.
Edited 2023-03-04 12:13:06, Guangdong
I. Logging in to an eNSP web device from the local host
1. Cloud settings
2. AC settings
<AC6605>sys
Enter system view, return user view with Ctrl+Z.
[AC6605]undo info-center enable
Info: Information center is disabled.
[AC6605]vlan 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6605-vlan100]quit
[AC6605]int g0/0/1
[AC6605-GigabitEthernet0/0/1]port link-type access
[AC6605-GigabitEthernet0/0/1]port default vlan 100
[AC6605-GigabitEthernet0/0/1]quit
[AC6605]int vlan100
[AC6605-Vlanif100]ip address 192.168.8.200 24
[AC6605-Vlanif100]quit
[AC6605]http server enable
This operation will take several minutes, please wait...
Info: Succeeded in starting the HTTP server
[AC6605]
3. Telnet remote login steps
(1) Configure the switch management address and subnet mask:
[Huawei]int vlanif1
[Huawei-Vlanif1]ip address 192.1.1.7 24
[Huawei-Vlanif1]quit
(2) Configure the default gateway address:
[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.1.1.254
(3) Enable the VTY (Virtual Teletype Terminal) service:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]protocol inbound telnet
[Huawei-ui-vty0-4]shell
[Huawei-ui-vty0-4]quit
(4) Configure password authentication:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode password
[Huawei-ui-vty0-4]set authentication password cipher 123456
(5) Configure AAA authentication:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]quit
[Huawei]aaa
[Huawei-aaa]local-user aaa1 password cipher bbb1
Info: Add a new user.
[Huawei-aaa]local-user aaa1 service-type telnet
[Huawei-aaa]quit
(6) Configure the user's remote privilege level:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]user privilege level 15
[Huawei-ui-vty0-4]quit
[Huawei]
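II. Switch configuration
1. Basic switch configuration
(1) Enter\exit the system view from the user view: system-view
(2) Change the device name: sysname
(3) Display the saved (startup) configuration: display saved-configuration
(4) Display the current configuration: display current-configuration
(5) Display the system version: display version
(6) Shut down / bring up an interface: shutdown / undo shutdown
(7) Reset the switch: reset saved-configuration > reboot > N Y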
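2. Switch port configuration
(1) Configure an IP address: ip address
(2) Enter the view of a specified Ethernet interface: interface ethernet 0/1
(3) Enter the view of a GigabitEthernet interface: interface gigabitethernet 0/1/1
(4) Configure a static ARP entry: arp static ip-address mac-address
(5) Select the speed of an FE electrical interface: speed {10|100|negotiation}
(6) Select the speed of a GE electrical interface: speed {10|100|1000|negotiation}
(7) Select the duplex mode of an Ethernet interface: duplex {half | full | negotiation}
3. Application example
<Quidway> system-view // enter system view
[Quidway] display current-configuration // display the current configuration
[Quidway] sysname Sw1
[Sw1] interface ethernet 0/1 // enter interface view
[Sw1-Ethernet0/1] speed 100
[Sw1-Ethernet0/1] duplex full
[Sw1-Ethernet0/1] ip address 10.65.1.1 255.255.0.0 // set the port IP address
[Sw1-Ethernet0/1] quit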
2. Switch PoE power supply settings
2.1 Topology
2.2 Configuration
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] poe power-management auto // power supply mode: automatic
[Switch] interface gigabitethernet 0/0/1 // interface connected to IP Phone1
[Switch-GigabitEthernet0/0/1] poe power 15000 // set the power to 15 W
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/3 // interface connected to IP Phone2
[Switch-GigabitEthernet0/0/3] poe power 15000 // set the power to 15 W
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/2 // interface connected to AP1
[Switch-GigabitEthernet0/0/2] poe power 20000 // set the power to 20 W
[Switch-GigabitEthernet0/0/2] quit
Set the power supply priority of GigabitEthernet0/0/2 to Critical:
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] poe priority critical // highest priority, critical
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] poe priority high // high priority
[Switch-GigabitEthernet0/0/1] quit
Power off the device on GigabitEthernet0/0/4 from 10:00 to 11:00 every day:
[Switch] time-range tset 10:00 to 11:00 daily
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] poe power-off time-range tset
Warning: This operation will power off the PD during this time range poe. Continue?[Y/N]:y
[Switch-GigabitEthernet0/0/4] quit
3. VLAN
3.1 Interface-based VLAN assignment
3.1.1 Basics
Basic commands
(1) Create a VLAN: vlan vlan-id [alias vlan-alias]
(2) Delete a VLAN: undo vlan vlan-id [all]
(3) In VLAN view, add one port or a group of ports to a VLAN: port interface-type {interface-num [to interface-number]}&<1-10>
(4) In interface view, assign the port to a VLAN: port access vlan vlan-id
Access
[HUAWEI-Gigabitethernet0/0/1]port link-type access
[HUAWEI-Gigabitethernet0/0/1]port default vlan 2
Trunk
(1) Specify the port type (trunk, access, hybrid): port link-type
(2) Set the default VLAN ID of a hybrid port: port hybrid pvid vlan X
(3) Cancel the port type setting: undo
(4) Set the VLANs allowed to pass a trunk port: [undo] port trunk permit vlan
(5) Display VLAN information: display vlan
[Switch] interface Ethernet 0/17
[Switch-Ethernet0/17] port link-type trunk
[Switch-Ethernet0/17] port trunk permit vlan all
[Switch] interface GigabitEthernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[Switch-GigabitEthernet0/0/2] quit
Note: PVID is the default VLAN ID.
3.1.2 Building a simple LAN with switches
Binding MAC addresses to switch ports
[Huawei-Ethernet0/0/1]mac-address learning disable action discard // disable MAC address learning
[Huawei]mac-address static 5489-9862-7820 gigabitethernet0/0/1 vlan 1 // bind the MAC address to the switch interface
[Huawei]stp enable // enable the spanning tree protocol
[Huawei]stp disable // disable the spanning tree protocol
VLAN frame format
Adding an interface to a VLAN
[Huawei]vlan 10 // batch form: vlan batch 10 20
[Huawei-vlan10]quit
[Huawei]interface ethernet0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/1]quit
3.2 Subnet-based VLAN assignment
[rs4-vlan2]ip-subnet-vlan 2 ip 192.1.1.12 32
[rs4-vlan2]quit
[rs4]interface gigabitethernet0/0/1
[rs4-GigabitEthernet0/0/1]ip-subnet-vlan enable
[rs4-GigabitEthernet0/0/1]port link-type hybrid
[rs4-GigabitEthernet0/0/1]port hybrid untagged vlan 2
[rs4-GigabitEthernet0/0/1]quit
3.3 MAC address-based VLAN
[Huawei-vlan3]mac-vlan mac-address 5489-9869-1b16 48 // 48 is the MAC address mask length
[Huawei-vlan3]quit
[Huawei]int g0/0/5
[Huawei-GigabitEthernet0/0/5]port link-type hybrid
[Huawei-GigabitEthernet0/0/5]port hybrid untagged vlan 2 to 4
[Huawei-GigabitEthernet0/0/5]mac-vlan enable
Info: This operation may take a few seconds. Please wait for a moment...done.
MAC-related commands
(1) Display the MAC address table: display mac-address
(2) Limit the number of MAC addresses a port can learn: mac-limit maximum 2
(3) Disable address learning: mac-address learning disable
(4) Clear the forwarding table: undo mac-address all
(5) Configure a static forwarding entry: mac-address static - - - gigabitethernet0/0/1 vlan 1
(6) Configure a blackhole address: mac-address blackhole - - - vlan 1
[Huawei]disp mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
5489-9803-5177 1           -      -      GE0/0/4         dynamic   0/-
5489-98dd-7911 1           -      -      GE0/0/3         dynamic   0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 5
1. A company has two departments, A and B. Every employee in each department has a work computer. All computers have IP addresses in the same subnet and connect to the company network through a switch (SW-1). Because of work requirements, however, the position (that is, the interface) at which each computer connects to the switch is not fixed.
2. The company has two network printers, which connect to the company network through switch SW-2 at fixed positions.
Requirement: use VLAN settings so that Printer-1 can be accessed only by department A's computers and Printer-2 only by department B's computers.
VLAN assignment
SW2
[Huawei]interface ethernet0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/1]quit
[Huawei]interface gigabitethernet0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei-GigabitEthernet0/0/1]quit
SW3
Configure the MAC-to-VLAN mapping:
[Huawei]VLAN 10
[Huawei-vlan10]mac-vlan mac-address 5489-988C-3563
[Huawei-vlan10]quit
[Huawei]interface gigabitethernet0/0/1
// enable MAC address-based VLAN assignment on the interface
[Huawei-GigabitEthernet0/0/1]mac-vlan enable
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/1]port link-type hybrid
[Huawei-GigabitEthernet0/0/1]port hybrid untagged vlan 10 20
[Huawei-GigabitEthernet0/0/1]quit
Viewing the MAC address table
<SW1>display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
5489-98ae-6313 1           -      -      Eth0/0/1        dynamic   0/-
5489-9862-0761 1           -      -      Eth0/0/2        dynamic   0/-
5489-98bd-13a1 1           -      -      Eth0/0/4        dynamic   0/-
5489-987a-17aa 1           -      -      Eth0/0/3        dynamic   0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 4
3.4 Adding interfaces to a VLAN in batches
Access interface type
Add interfaces to a VLAN in batches through a port group:
<HUAWEI> system-view
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5
[HUAWEI-port-group-pg1] port link-type access
[HUAWEI-port-group-pg1] port default vlan 10
Add interfaces to a VLAN in batches in VLAN view:
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] port gigabitethernet 1/0/1 to 1/0/5
* Before this operation, every interface to be added to the VLAN must already be configured as an access interface.
Trunk interface type
Add interfaces GE1/0/1 to GE1/0/5 to VLAN 10 and VLAN 20 in a batch:
<HUAWEI> system-view
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5
[HUAWEI-port-group-pg1] port link-type trunk
[HUAWEI-port-group-pg1] port trunk allow-pass vlan 10 20
Hybrid interface type
Add interfaces GE1/0/1 to GE1/0/5 to VLAN 10 and VLAN 20 in a batch:
<HUAWEI> system-view
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5
[HUAWEI-port-group-pg1] port link-type hybrid
[HUAWEI-port-group-pg1] port hybrid tagged vlan 10
[HUAWEI-port-group-pg1] port hybrid untagged vlan 20
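3.5 MUX VLAN
mux-vlan is a VLAN-view command that defines the specified VLAN (here VLAN 2) as the principal VLAN. Ports in the principal VLAN can communicate with the other ports on which MUX VLAN is enabled. subordinate group 3 is a VLAN-view command that defines VLAN 3 as a subordinate VLAN of the group type. Ports in a group VLAN can communicate with ports in the same group VLAN and with ports in the principal VLAN. The parameter 3 is the VLAN ID. subordinate separate 4 is a VLAN-view command that defines VLAN 4 as a subordinate VLAN of the separate (isolated) type. Ports in a separate VLAN can communicate only with ports in the principal VLAN. The parameter 4 is the VLAN ID.
(1) display mux-vlan shows the configuration of all MUX VLANs.
(2) mux-vlan configures the current VLAN as the principal VLAN of a MUX VLAN. undo mux-vlan removes the principal role from the current VLAN.
(3) subordinate separate configures a separate (isolated) subordinate VLAN under the principal VLAN. undo subordinate separate deletes it.
(4) subordinate group configures a group (intercommunicating) subordinate VLAN under the principal VLAN. undo subordinate group deletes it.
[Huawei]vlan 2
[Huawei-vlan2]mux-vlan
[Huawei-vlan2]subordinate group 3
[Huawei-vlan2]subordinate separate 4
[Huawei-vlan2]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 4
[Huawei-GigabitEthernet0/0/1]port mux-vlan enable
[Huawei-GigabitEthernet0/0/1]quit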
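4. Link aggregation
Creating a link aggregation
Link aggregation is a computer networking term for bundling several physical ports into one logical port so that inbound and outbound traffic is load-shared across the member ports. The switch decides which member port sends a packet to the peer switch according to the configured port load-sharing policy. When the switch detects a link failure on one member port, it stops sending packets on that port and recalculates the sending port among the remaining links according to the load-sharing policy; once the failed port recovers, it resumes sending and receiving. Link aggregation is an important technique for increasing link bandwidth and for providing link resilience and engineering redundancy.
[Huawei-Eth-Trunk1]quit
[Huawei]interface Gigabitethernet0/0/1
[Huawei-GigabitEthernet0/0/1]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]quit
<Huawei>save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:abc112
Error: Invalid file name or Invalid extension ( *.cfg, *.zip ).
<Huawei>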
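5. GVRP configuration
GVRP is the VLAN registration protocol. It maintains the dynamic VLAN registration information in a switch and propagates that information one way to other switches. Put simply, when GVRP is configured on a switch, the corresponding VLANs are also created on its neighboring switches, provided those neighbors also run GVRP. (It simplifies VLAN configuration and keeps VLANs consistent.)
Note 1: GVRP synchronizes VLAN information only over trunk interfaces.
Note 2: Only the VLAN configuration is synchronized; the VLAN membership of end-device interfaces is not.
(1) Normal mode: the port may dynamically register or deregister VLANs, and propagates both dynamic and static VLAN information.
(2) Fixed mode: the port may not dynamically register or deregister VLANs; it propagates only static VLAN information, not dynamic VLAN information.
(3) Forbidden mode: the port may not dynamically register or deregister VLANs, and propagates no VLAN information other than VLAN 1.
GARP (Generic Attribute Registration Protocol) gives the switches in one switched network a means of distributing, propagating and registering information (VLAN attributes, multicast addresses and so on). GVRP is one application of GARP and is used mainly to maintain a device's dynamic VLAN attributes.
[Huawei]gvrp
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/1]gvrp
[Huawei-GigabitEthernet0/0/1]quit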
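6. Spanning tree lab
Spanning tree protocols build loop-free switching paths between end devices in an Ethernet network that has redundant paths. The spanning tree protocols in common use today are the Spanning Tree Protocol (STP), the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). STP and RSTP build the spanning tree on the physical Ethernet. MSTP can build spanning trees per VLAN, so it can provide load balancing as well as fault tolerance.
(1) BPDU generally refers to the Bridge Protocol Data Unit. The Spanning Tree Protocol is a bridge protocol defined in the IEEE 802.1d specification that can be used to eliminate bridging loops. It works as follows: STP defines a packet called the Bridge Protocol Data Unit (BPDU).
(2) In STP, every switch has an identifier called the Bridge ID (BID). BID = 16-bit bridge priority + 48-bit MAC address. The bridge priority is configurable, ranges from 0 to 61440 and defaults to 32768; if changed, it must be set to a multiple of 4096.
(3) PID: a switch running STP uses the port ID to identify each port. The port ID can be used to determine port roles.
STP operation
a. Elect a root bridge.
b. On every non-root switch (a switch that is not the root bridge), elect a root port.
c. On every network segment, elect a designated port.
d. Block the ports that are neither root nor designated ports; these become backup ports.
Elect a root port on every non-root switch. PID (port ID) consists of the port priority and the port number. The election rules are:
a. On a non-root switch, the port with the lowest root path cost to the root bridge is the root port of that switch.
b. If the root path costs are equal, compare the BIDs of the peer switches; lower is better.
c. If the peer switches' BIDs are equal, compare the peer PIDs; lower is better.
d. If the peer PIDs are equal, compare the local PIDs; lower is better.
Elect a designated port on every link. Looking at the two ports at the ends of a link, the port with the lowest root path cost to the root bridge becomes the designated port. The detailed rules are:
a. On each link, the port with the lowest root path cost to the root bridge is the designated port.
b. If the root path costs are equal, compare the BIDs of the switches at the two ends; lower is better.
c. If the peer switches' BIDs are equal, compare the PIDs of the switches at the two ends; lower is better.
Blocked ports
At this point, every remaining port that is neither a root port nor a designated port is a blocked port.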
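An added example, not from the original mind map: the root bridge and root port election rules above, carried out in Python on a constructed five-switch topology. The bridge priorities are the ones configured later in this section (sw1 and sw5 are assumed to keep the default 32768); MAC addresses, links, port numbers, the link cost of 20000 and the port priority of 128 are constructed values.

```python
import heapq

DEFAULT_PORT_PRIORITY = 128  # assumption: every port keeps the same priority

def make_bid(priority, mac):
    """BID = (16-bit priority, 48-bit MAC); tuples compare priority first."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    return (priority, int(mac.replace("-", ""), 16))

# Constructed switches; sw2 and sw4 tie on priority, so the MAC decides.
SWITCHES = {
    "sw1": make_bid(32768, "4c1f-cc00-0001"),
    "sw2": make_bid(4096, "4c1f-cc00-0002"),
    "sw3": make_bid(12288, "4c1f-cc00-0003"),
    "sw4": make_bid(4096, "4c1f-cc00-0004"),
    "sw5": make_bid(32768, "4c1f-cc00-0005"),
}

# Constructed links: (switch_a, port_a, switch_b, port_b, path cost).
LINKS = [
    ("sw2", 1, "sw1", 1, 20000),
    ("sw2", 2, "sw3", 1, 20000),
    ("sw4", 1, "sw1", 2, 20000),
    ("sw4", 2, "sw3", 2, 20000),
    ("sw5", 1, "sw3", 3, 20000),
    ("sw5", 2, "sw1", 3, 20000),
    ("sw5", 3, "sw3", 4, 20000),  # second link to sw3: decided by the peer PID
]

def elect_root(switches):
    """Step a: the switch with the lowest BID becomes the root bridge."""
    return min(switches, key=switches.get)

def root_path_costs(root, links):
    """Lowest cumulative path cost from every switch to the root (Dijkstra)."""
    adj = {}
    for a, _pa, b, _pb, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in adj.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def elect_root_ports(switches, links):
    """Step b: per non-root switch, pick the port with the lowest
    (root path cost, peer BID, peer PID, local PID) tuple."""
    root = elect_root(switches)
    dist = root_path_costs(root, links)
    best = {}
    for a, pa, b, pb, cost in links:
        for local, lport, peer, pport in ((a, pa, b, pb), (b, pb, a, pa)):
            if local == root or peer not in dist:
                continue
            key = (dist[peer] + cost, switches[peer],
                   (DEFAULT_PORT_PRIORITY, pport), (DEFAULT_PORT_PRIORITY, lport))
            if local not in best or key < best[local][0]:
                best[local] = (key, lport)
    return {sw: port for sw, (_key, port) in best.items()}

if __name__ == "__main__":
    print("root bridge:", elect_root(SWITCHES))
    for sw, port in sorted(elect_root_ports(SWITCHES, LINKS).items()):
        print(f"{sw}: root port {port}")
```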
STP (Spanning Tree Protocol)
<HUAWEI> display stp
-------[CIST Global Info][Mode STP]------- # CIST global information
CIST Bridge :40960.dcd2-fc9d-0bb0 # CIST bridge ID
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 # timer values in the manually configured bridge protocol information
Active Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 # timer values in the bridge protocol information actually in use
CIST Root/ERPC :40960.dcd2-fc9d-0bb0 / 0 (This bridge is the root) # CIST root switch ID / external path cost (path cost from this switch to the CIST root switch)
CIST RegRoot/IRPC :40960.dcd2-fc9d-0bb0 / 0 # CIST regional root bridge ID / internal path cost (path cost from this switch to the CIST regional root switch)
CIST RootPortId :0.0 # ID of the CIST root port. "0.0" means this switch is the root and has no root port
BPDU-Protection :Disabled # BPDU protection. Disabled: BPDU protection is not enabled. Enabled: BPDU protection is enabled
TC or TCN received :0 # number of TC or TCN packets received
TC count per hello :0 # total number of TC packets received per hello time
STP Converge Mode :Normal # STP convergence mode
Time since last TC :0 days 0h:0m:0s # time elapsed since the last topology change
Number of TC :0 # number of topology changes
<HUAWEI> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/4        ROOT  FORWARDING      NONE
Role (port role):
ROOT: Root Port
DESI: Designated Port
ALTE: Alternate Port
BACK: Backup Port
MAST: Master Port
DISA: Disabled Port (the port is in the initialization state)
STP State (port state). In the CIST region there are three port states: FORWARDING, LEARNING, DISCARDING.
Configuration
[sw1]stp mode stp
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw1]stp enable // enable STP
[sw2]stp mode stp
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw2]stp priority 4096
[sw2]stp enable
[sw3]stp mode stp
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw3]stp priority 12288
[sw3]stp enable
[sw4]stp mode stp
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw4]stp priority 4096
[sw4]stp enable
[sw5]display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/2        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/3        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/4        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/5        DESI  FORWARDING      NONE
ROOT: root port. ALTE (alternate): alternate port. DESI (designated): designated port.
7. Building a campus network with routing switches
SW1
[SW1]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]interface ethernet0/0/1
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]port default vlan 10
[SW1-Ethernet0/0/1]quit
[SW1]interface ethernet0/0/3
[SW1-Ethernet0/0/3]port link-type access
[SW1-Ethernet0/0/3]port default vlan 20
[SW1-Ethernet0/0/3]quit
[SW1]interface ethernet0/0/2
[SW1-Ethernet0/0/2]port link-type access
[SW1-Ethernet0/0/2]port default vlan 10
[SW1-Ethernet0/0/2]quit
[SW1]interface gigabitethernet0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[SW1-GigabitEthernet0/0/1]quit
RS1
[RS-1]vlan batch 10 20
[RS-1]undo info-center enable
Info: Information center is disabled.
[RS-1]interface gigabitethernet0/0/1
[RS-1-GigabitEthernet0/0/1]port link-type trunk
[RS-1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[RS-1-GigabitEthernet0/0/1]quit
Configuring layer-3 routed interfaces (SVI) on RS1
[RS-1]interface vlanif10
[RS-1-Vlanif10]ip address 192.168.64.254 255.255.255.0
[RS-1-Vlanif10]quit
[RS-1]interface vlanif20
[RS-1-Vlanif20]ip address 192.168.65.254 255.255.255.0
[RS-1-Vlanif20]quit
[RS-1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.64.0/24  Direct  0    0           D   192.168.64.254  Vlanif10
 192.168.64.254/32  Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.65.0/24  Direct  0    0           D   192.168.65.254  Vlanif20
 192.168.65.254/32  Direct  0    0           D   127.0.0.1       Vlanif20
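III. Router configuration
1. Basic router configuration commands
1.1 Basic commands
1. Enter\exit the system view from the user view: system-view\quit
2. Change the device name: sysname
3. Display the saved (startup) configuration: display saved-configuration
4. Display the current configuration: display current-configuration
5. Display the system version: display version
6. Configure a static route: ip route-static
1.2 Configuring a router over Telnet
Connecting remotely to an eNSP switch with SecureCRT 8.7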
(1) Configure the router's IP address and the PC's IP address:
[Quidway] interface Ethernet 0/0
[Quidway-Ethernet0/0] ip address 1.1.1.4 255.0.0.0
After configuring the router's IP address, also configure the PC's IP address (for example 1.1.1.2/8).
(2) Configure the password for Telnet login:
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode password
[Quidway-ui-vty0-4] set authentication password simple Huawei
[Quidway-ui-vty0-4] user privilege level 3
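An added example, not part of the original mind map: a small Python audit of the VTY and AAA settings typed in the Telnet steps of part I, section 3 and in this section. It reports Telnet as inbound protocol, a shared line password, a password entered with the simple keyword, and privilege level 15. The two sample configurations are constructed from those commands; the section layout (prompts removed, sub-commands indented) and the finding names are assumptions of this example.

```python
import re

# Constructed samples: the VTY/AAA commands typed on this page, laid out as
# configuration sections (prompts removed, sub-commands indented one space).
SWITCH_CONFIG = """\
aaa
 local-user aaa1 password cipher bbb1
 local-user aaa1 service-type telnet
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher 123456
 user privilege level 15
 protocol inbound telnet
"""

ROUTER_CONFIG = """\
user-interface vty 0 4
 authentication-mode password
 set authentication password simple Huawei
 user privilege level 3
"""

# (pattern, finding name) pairs applied to every line of a VTY section.
# The finding names are this example's own labels.
VTY_CHECKS = [
    (r"protocol inbound (telnet|all)", "telnet-inbound"),
    (r"authentication-mode password", "shared-line-password"),
    (r"authentication-mode none", "no-authentication"),
    (r"set authentication password simple \S+", "plaintext-password-in-config"),
    (r"user privilege level 15", "max-privilege-for-all-sessions"),
]

def parse_sections(text):
    """Group indented lines under the unindented header line above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def audit(text):
    """Return a sorted list of (section header, finding name) tuples."""
    findings = []
    for header, lines in parse_sections(text).items():
        if header.startswith("user-interface vty"):
            for line in lines:
                for pattern, name in VTY_CHECKS:
                    if re.fullmatch(pattern, line):
                        findings.append((header, name))
        elif header == "aaa":
            # Local accounts that are allowed to log in over Telnet.
            for line in lines:
                m = re.fullmatch(r"local-user (\S+) service-type (.+)", line)
                if m and "telnet" in m.group(2).split():
                    findings.append((header, f"telnet-user:{m.group(1)}"))
    return sorted(findings)

if __name__ == "__main__":
    for device, cfg in (("switch", SWITCH_CONFIG), ("router", ROUTER_CONFIG)):
        for section, finding in audit(cfg):
            print(f"{device}: [{section}] {finding}")
```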
2. Interconnecting Ethernets over a point-to-point link lab
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int serial2/0/0
[Huawei-Serial2/0/0]link-protocol ppp // configure the serial interface
[Huawei-Serial2/0/0]ip address 192.1.3.1 30
[Huawei-Serial2/0/0]quit
[Huawei]aaa
[Huawei-aaa]authentication-scheme yyy // authentication scheme named yyy that uses local authentication
Info: Create a new authentication scheme.
[Huawei-aaa-authen-yyy]quit
[Huawei-aaa]domain system // create and configure the authentication domain
Info: Success to create a new domain.
[Huawei-aaa-domain-system]authentication-scheme yyy
[Huawei-aaa-domain-system]quit
[Huawei-aaa]local-user aaa1 password cipher bbb1 // create a local user
Info: Add a new user.
[Huawei-aaa]local-user aaa1 service-type ppp // set the local user's access type
[Huawei-aaa]quit
[Huawei]
[Huawei]int serial2/0/0
[Huawei-Serial2/0/0]ppp authentication-mode chap domain system // authentication mode used when the PPP link is established
[Huawei-Serial2/0/0]ppp chap user aaa2
[Huawei-Serial2/0/0]ppp chap password cipher bbb2
[Huawei-Serial2/0/0]shutdown
[Huawei-Serial2/0/0]undo shutdown
[Huawei-Serial2/0/0]quit
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.1.1.254 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 192.1.2.0 24 192.1.3.2
[Huawei]quit
3. Default route configuration lab
3.1 Configuration
display ip interface brief // display the IP address and subnet mask of each interface
display ip routing-table // display the routing table
ip address 192.7.3.1 254 // configure the interface IP address
ip route-static 0.0.0.0 0 192.1.3.2 // configure a static route
3.2 Configuration: router remote configuration lab
4. RIP configuration
4.1 Basic RIP configuration commands
Start RIP
rip
Apply RIP on a specified network interface
network network-address
Set the interface's RIP version to RIP-2
rip version 2 [broadcast | multicast]
In interface view, configure usual MD5 authentication for RIP-2
rip authentication-mode md5 {nonstandard password key-id | usual password}
Enable RIP route summarization
summary
Disable RIP route summarization
undo summary
4.2 RIP application
[RTA] interface Ethernet 0/1
[RTA-Ethernet0/1] ip address 10.1.1.1 30
[RTA-Ethernet0/1] rip version 2 multicast
[RTA-Ethernet0/1] rip authentication-mode md5 usual Huawei
[RTA-Ethernet0/1] quit
[RTA] rip
[RTA-rip] network 1.1.1.0
[RTA-rip] network 10.1.1.0
[RTA-rip] undo summary
4.3 RIP configuration lab
Topology
Key commands explained
[Huawei] rip
[Huawei-rip-1] version 2
[Huawei-rip-1] undo summary
[Huawei-rip-1] network 192.1.1.0
[Huawei-rip-1] network 192.1.3.0
[Huawei-rip-1] quit
rip is a system-view command that starts a RIP process and enters RIP view. Because no process ID is given, RIP process 1 is started. version 2 is a RIP-view command that enables RIPv2; eNSP supports RIPv1 and RIPv2. RIPv1 supports only classful addressing, whereas RIPv2 supports classless addressing. undo summary is a RIP-view command that disables route summarization.
AR1 configuration
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int ethernet2/0/0
[Huawei-Ethernet2/0/0]ip address 192.1.1.254 24
[Huawei-Ethernet2/0/0]quit
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.1.3.1 30
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.1.3.5 30
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]int e2/0/1
[Huawei-Ethernet2/0/1]ip address 192.1.3.9 30
[Huawei-Ethernet2/0/1]quit
[Huawei]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.1.1.0
[Huawei-rip-1]network 192.1.3.0
[Huawei-rip-1]quit
[Huawei]quit
<Huawei>save
<Huawei>display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
Interface                         IP Address/Mask      Physical   Protocol
Ethernet2/0/0                     192.1.1.254/24       up         up
Ethernet2/0/1                     192.1.3.9/30         up         up
GigabitEthernet0/0/0              192.1.3.1/30         up         up
GigabitEthernet0/0/1              192.1.3.5/30         up         up
NULL0                             unassigned           up         up(s)
AR2 configuration
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.1.3.2 30
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.1.3.13 30
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.1.3.0
[Huawei-rip-1]quit
[Huawei]quit
<Huawei>save
AR3 configuration
<Huawei>SYS
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.1.3.6 30
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.1.3.17 30
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]network 192.1.3.0
[Huawei-rip-1]quit
[Huawei]quit
<Huawei>save
5. DHCP
5.1 DHCP server configuration based on an interface address pool
[AR1-GigabitEthernet0/0/0] dhcp select interface
5.2 DHCP server configuration based on a global address pool
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]dhcp enable
[Huawei]ip pool pool1
[Huawei-ip-pool-pool1]network 192.168.1.0 mask 255.255.255.0
Verification:
[Huawei]display ip pool
[Huawei]display ip pool name pool1
Binding:
[AR1]ip pool pool2
[AR1-ip-pool-pool2]static-bind ip-address 192.168.2.100 mac-address 0000-0000-0000 // bind the IP address to a MAC address; "0000-0000-0000" stands for the PC's MAC address
5.3 DHCP relay
5.3.1 Server configuration
[R3]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[R3]ip pool ip-pool
Info: It's successful to create an IP address pool.
[R3-ip-pool-ip-pool]network 10.1.1.0 mask 255.255.255.0
[R3-ip-pool-ip-pool]gateway-list 10.1.1.254
[R3-ip-pool-ip-pool]int g0/0/1
[R3-GigabitEthernet0/0/1]dhcp select global
5.3.2 Configuring the DHCP relay
[R1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]dhcp select relay
[R1-GigabitEthernet0/0/1]dhcp relay server-ip 100.1.1.1
6. VRRP lab
6.1 The Virtual Router Redundancy Protocol (VRRP) is a routing protocol proposed by the IETF to solve the single point of failure that arises when a static gateway is configured in a LAN.
6.2 Configuration
[Huawei-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.1.1.250
[Huawei-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.1.1.251
[Huawei-GigabitEthernet0/0/0]vrrp vrid 2 priority 120 # priority of this device in the VRRP backup group
[Huawei-GigabitEthernet0/0/0]vrrp vrid 2 preempt-mode timer delay 20 # preemption delay in the VRRP backup group
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]vrrp vrid 3 virtual-ip 192.1.2.250
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 192.1.1.0 24 192.1.2.250
[Huawei]
[Huawei]display vrrp brief # display the device's VRRP information
Total:3     Master:1     Backup:2     Non-active:0
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------
1     Backup       GE0/0/0                  Normal   192.1.1.250
2     Master       GE0/0/0                  Normal   192.1.1.251
3     Backup       GE0/0/1                  Normal   192.1.2.250
IV. ACL configuration
Create an ACL and configure its rules:
[RTB] acl number 2000 match-order auto
[RTB-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
[RTB-acl-basic-2000] rule permit source 20.1.1.0 0.0.0.3
[RTB-acl-basic-2000] rule deny source any
Create an ACL and configure its rules:
[RTB] acl number 3000
[RTB-acl-adv-3000] rule permit ospf
[RTB-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 destination-port eq ftp
[RTB-acl-adv-3000] rule deny tcp source any destination any
Enable the firewall:
[RTB] firewall enable
Apply the ACL on the interface:
[RTB] interface Ethernet 0/1
[RTB-Ethernet0/1] firewall packet-filter 3000 inbound
time-range daytime 10:00 to 20:00 daily
acl number 3600
rule deny ip time-range daytime
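V. Network address translation labs
1. Static NAT configuration
Write a default route on the gateway device:
ip route-static 0.0.0.0 0.0.0.0 <public network>
nat static global <public address> inside <internal address>
2. Dynamic NAT configuration lab
(1) Define the global IP address pool:
[Huawei]nat address-group 1 192.1.1.1 192.1.1.13
(2) Associate the ACL with the global IP address pool:
[Huawei-Gigabitethernet0/0/1]nat outbound 2000 address-group 1 no-pat
(3) Create a static mapping between a global IP address and a private IP address:
[Huawei]nat static global 192.1.1.14 inside 192.168.1.3
(4) Enable static mapping:
[Huawei]nat static enable
3. PAT configuration lab (Port Address Translation, PAT)
acl 2000 // ACL that defines the range of internal private IP addresses to translate
rule 5 permit source 192.168.1.0 0.0.0.255
nat outbound 2000 // associate the rule set with the public interface
nat server protocol tcp global current-interface 8000 inside 192.168.1.3 80 // create the port mapping
4. Easy IP configuration
[AR1]acl 2000 // create a basic ACL
[AR1-acl-basic-2000]rule 5 permit // create an access rule in the ACL
[AR1-GigabitEthernet0/0/1]nat outbound 2000 // apply the ACL to the interface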
VI. Firewall
Network topology
Configuring RS-1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname RS-1
[RS-1]vlan batch 11 12 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[RS-1]int vlanif 11
[RS-1-Vlanif11]ip address 192.168.64.254 24
[RS-1-Vlanif11]quit
[RS-1]int vlanif 12
[RS-1-Vlanif12]ip address 192.168.65.254 24
[RS-1-Vlanif12]quit
[RS-1]int vlanif100
[RS-1-Vlanif100]ip address 10.0.1.2 30
[RS-1-Vlanif100]quit
[RS-1]int g0/0/1
[RS-1-GigabitEthernet0/0/1]port link-type access
[RS-1-GigabitEthernet0/0/1]port default vlan 100
[RS-1-GigabitEthernet0/0/1]quit
[RS-1]int g0/0/23
[RS-1-GigabitEthernet0/0/23]port link-type access
[RS-1-GigabitEthernet0/0/23]port default vlan 11
[RS-1-GigabitEthernet0/0/23]quit
[RS-1]int g0/0/24
[RS-1-GigabitEthernet0/0/24]port link-type access
[RS-1-GigabitEthernet0/0/24]port default vlan 12
[RS-1-GigabitEthernet0/0/24]quit
[RS-1]ip route-static 192.168.66.0 24 10.0.1.1
[RS-1]quit
<RS-1>save
Configuring RS-2
<Huawei>SYS
[Huawei]undo info-center enable
[Huawei]sysname RS-2
[RS-2]vlan batch 13 100
[RS-2]int vlanif 13
[RS-2-Vlanif13]ip address 192.168.66.254 24
[RS-2-Vlanif13]quit
[RS-2]int vlanif 100
[RS-2-Vlanif100]ip address 10.0.2.2 30
[RS-2-Vlanif100]quit
[RS-2]int g0/0/1
[RS-2-GigabitEthernet0/0/1]port link-type access
[RS-2-GigabitEthernet0/0/1]port default vlan 13
[RS-2-GigabitEthernet0/0/1]quit
[RS-2]int g0/0/23
[RS-2-GigabitEthernet0/0/23]quit
[RS-2]int g0/0/24
[RS-2-GigabitEthernet0/0/24]port link-type access
[RS-2-GigabitEthernet0/0/24]port default vlan 100
[RS-2-GigabitEthernet0/0/24]quit
[RS-2]ip route-static 192.168.64.0 23 10.0.2.1
[RS-2]quit
<RS-2>save
Firewall configuration
<USG6000V1>SYS
[USG6000V1]sysname FW-1
[FW-1]
[FW-1]INT g1/0/0
[FW-1-GigabitEthernet1/0/0]ip address 10.0.2.1 30
[FW-1-GigabitEthernet1/0/0]quit
[FW-1]
[FW-1]undo info-center enable
[FW-1]int g1/0/1
[FW-1-GigabitEthernet1/0/1]ip address 10.0.1.1 30
[FW-1-GigabitEthernet1/0/1]quit
[FW-1]firewall zone untrust
[FW-1-zone-untrust]add interface g1/0/0
[FW-1-zone-untrust]add interface g1/0/1
[FW-1-zone-untrust]quit
[FW-1]ip route-static 192.168.66.0 24 10.0.2.2
[FW-1]ip route-static 192.168.64.0 23 10.0.1.2
[FW-1]quit
<FW-1>save
<FW-1>sys
Enter system view, return user view with Ctrl+Z.
[FW-1]security-policy
[FW-1-policy-security]rule name visit-1
[FW-1-policy-security-rule-visit-1]source-address 192.168.64.0 mask 255.255.255.0
[FW-1-policy-security-rule-visit-1]destination-address 192.168.66.0 mask 255.255.255.0
[FW-1-policy-security-rule-visit-1]service any
[FW-1-policy-security-rule-visit-1]action permit
[FW-1-policy-security-rule-visit-1]quit
[FW-1-policy-security]rule name novisit-1
[FW-1-policy-security-rule-novisit-1]source-address 192.168.65.0 mask 255.255.255.0
[FW-1-policy-security-rule-novisit-1]destination-address 192.168.66.0 mask 255.255.255.0
[FW-1-policy-security-rule-novisit-1]service any
[FW-1-policy-security-rule-novisit-1]action deny
[FW-1-policy-security-rule-novisit-1]quit
[FW-1-policy-security]quit
[FW-1]quit
<FW-1>save
The current configuration will be written to hda1:/fw-1.cfg.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.
Save the configuration successfully.
<FW-1>
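An added example, not part of the original lab: a Python model of the two security-policy rules above, evaluated top-down with first match, plus a check for rules that can never match because an earlier rule already covers them. The implicit default deny, the rule named wide-permit and the test addresses are assumptions of this example; net() also rejects a non-contiguous mask, which is what a mistyped octet produces.

```python
import ipaddress

def net(addr, mask):
    """Network from address + dotted mask; a non-contiguous mask raises ValueError."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

def rule(name, src, dst, action):
    return {"name": name, "src": src, "dst": dst, "action": action}

# The two rules of the FW-1 session above (service any), in configuration
# order and with /24 masks.
RULES = [
    rule("visit-1", net("192.168.64.0", "255.255.255.0"),
         net("192.168.66.0", "255.255.255.0"), "permit"),
    rule("novisit-1", net("192.168.65.0", "255.255.255.0"),
         net("192.168.66.0", "255.255.255.0"), "deny"),
]

# Assumption of this example: traffic that matches no rule is denied.
DEFAULT = ("default", "deny")

def evaluate(src, dst, rules=RULES):
    """Return (rule name, action) of the first rule that matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r["name"], r["action"]
    return DEFAULT

def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule already matches
    every packet of the later one, so the later rule never takes effect."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])):
                hits.append((later["name"], earlier["name"]))
                break
    return hits

# Constructed variant: a /23 permit (the prefix length used by the static
# routes) placed ahead of novisit-1 hides the deny rule.
WIDE = rule("wide-permit", net("192.168.64.0", "255.255.254.0"),
            net("192.168.66.0", "255.255.255.0"), "permit")
RULES_WITH_WIDE = [RULES[0], WIDE, RULES[1]]

if __name__ == "__main__":
    for src, dst in (("192.168.64.10", "192.168.66.20"),
                     ("192.168.65.10", "192.168.66.20"),
                     ("192.168.66.20", "192.168.64.10")):
        print(src, "->", dst, evaluate(src, dst))
    print("shadowed as configured:", shadowed(RULES))
    print("shadowed with wide-permit:", shadowed(RULES_WITH_WIDE))
```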
VII. Building a simple wireless LAN
Topology
Device diagram
AC configuration
<AC6605>sys
Enter system view, return user view with Ctrl+Z.
[AC6605]sysname AC-1
[AC-1]undo info-center enable
Info: Information center is disabled.
[AC-1]interface vlanif 1
[AC-1-Vlanif1]ip address 10.0.10.254 24
[AC-1-Vlanif1]quit
// enable the DHCP service
[AC-1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
// use the SVI of the AC's VLAN 1 as the DHCP source interface
[AC-1]interface vlanif 1
[AC-1-Vlanif1]dhcp select interface
[AC-1-Vlanif1]dhcp server excluded-ip-address 10.0.10.254
[AC-1-Vlanif1]quit
// bind a VLAN interface to the CAPWAP tunnel
[AC-1]capwap source interface vlanif 1
// configure the AC authentication mode
[AC-1]wlan
[AC-1-wlan-view]ap auth-mode mac-auth
[AC-1-wlan-view]quit
// on AC-1, import the parameters of AP-1 and AP-2
[AC-1]wlan
[AC-1-wlan-view]ap auth-mode mac-auth
[AC-1-wlan-view]ap-id 1 ap-mac 00e0-fc21-3160
[AC-1-wlan-ap-1]ap-name AP-1
[AC-1-wlan-ap-1]quit
[AC-1-wlan-view]ap-id 2 ap-mac 00e0-fc97-0d20
[AC-1-wlan-ap-2]ap-name AP-2
[AC-1-wlan-ap-2]quit
[AC-1-wlan-view]
[AC-1-wlan-view]QUIT
// check which APs are online
[AC-1]display ap all
// create a security profile
[AC-1]wlan
[AC-1-wlan-view]security-profile name sec-cfg-1
[AC-1-wlan-sec-prof-sec-cfg-1]security wpa-wpa2 psk pass-phrase abcd1111 aes
[AC-1-wlan-sec-prof-sec-cfg-1]
// create SSID profiles
[AC-1-wlan-view]ssid-profile name ssid-cfg-1
[AC-1-wlan-ssid-prof-ssid-cfg-1]ssid wifi-24G
Info: This operation may take a few seconds, please wait.done.
[AC-1-wlan-ssid-prof-ssid-cfg-1]quit
[AC-1-wlan-view]ssid-profile name ssid-cfg-2
[AC-1-wlan-ssid-prof-ssid-cfg-2]ssid wifi 5g
Info: This operation may take a few seconds, please wait.done.
[AC-1-wlan-ssid-prof-ssid-cfg-2]quit
// in WLAN view, create VAP profiles
[AC-1-wlan-view]vap-profile name vap-cfg-1
// data forwarding mode: direct-forward
[AC-1-wlan-vap-prof-vap-cfg-1]forward-mode direct-forward
// reference the security profile
[AC-1-wlan-vap-prof-vap-cfg-1]security-profile sec-cfg-1
Info: This operation may take a few seconds, please wait.done.
// reference the SSID profile for the 2.4 GHz band, ssid-cfg-1
[AC-1-wlan-vap-prof-vap-cfg-1]ssid-profile ssid-cfg-1
Info: This operation may take a few seconds, please wait.done.
[AC-1-wlan-vap-prof-vap-cfg-1]quit
// vap-cfg-2 below references no security profile, unlike vap-cfg-1
[AC-1-wlan-view]vap-profile name vap-cfg-2
[AC-1-wlan-vap-prof-vap-cfg-2]forward-mode direct-forward
[AC-1-wlan-vap-prof-vap-cfg-2]ssid-profile ssid-cfg-2
Info: This operation may take a few seconds, please wait.done.
[AC-1-wlan-vap-prof-vap-cfg-2]quit
// configure AP-1 and AP-2
[AC-1-wlan-view]ap-name AP-1
[AC-1-wlan-ap-1]vap-profile vap-cfg-1 wlan 1 radio 0
[AC-1-wlan-ap-1]vap-profile vap-cfg-2 wlan 1 radio 1
[AC-1-wlan-ap-1]quit
[AC-1-wlan-view]ap-name AP-2
[AC-1-wlan-ap-2]vap-profile vap-cfg-1 wlan 1 radio 0
[AC-1-wlan-ap-2]vap-profile vap-cfg-2 wlan 1 radio 1
Network topology