Network Comprehensive Lab, V7 Edition
1. Display the currently effective configuration
[any view] display current-configuration
2. Ports
Set the link type of a port
[H3C-Ethernet1/0/1] port link-type { access | trunk | hybrid }
Restore the default:
[H3C-Ethernet1/0/1] undo port link-type # the default is normally access
Example:
[H3C-Ethernet1/0/1] port link-type trunk
Create an aggregate interface and enter its view
[H3C] interface bridge-aggregation interface-number
interface-number: the aggregate interface number, value range 1 to 1024
Add an Ethernet interface to an aggregation group (enter the Ethernet interface view first)
[H3C-Ethernet1/0/1] port link-aggregation group number
Example: add Ethernet port Ethernet1/0/1 to aggregate interface 22
[H3C] interface bridge-aggregation 22
[H3C] interface Ethernet1/0/1
[H3C-Ethernet1/0/1] port link-aggregation group 22
Remove port aggregation
[H3C] undo link-aggregation group agg-id
[H3C] undo interface bridge-aggregation interface-number (use this one if the first command cannot be executed)
Display link aggregation information
[H3C] display link-aggregation summary
View the switch's MAC address table
[H3C] display mac-address
3. VLAN
Create/delete a VLAN
[H3C] vlan vlan-id
vlan-id: the VLAN ID, value range 1 to 4094
[H3C] undo vlan vlan-id
Add switch ports to a VLAN
[H3C-vlan2] port port_num to port_num
Remove switch ports from a VLAN
[H3C-vlan2] undo port port_num to port_num
Example:
[H3C-vlan2] port ethernet 1/0/1 to ethernet 1/0/12
Assign a port to a VLAN
[H3C-Ethernet1/0/2] port access vlan vlan-id
Remove a port from a VLAN
[H3C-Ethernet1/0/2] undo port access vlan vlan-id
Example:
[H3C-Ethernet1/0/2] port access vlan 1
Set the IP address of a VLAN interface
[H3C-vlan-interface1] ip address ip-addr netmask
Remove the IP address of a VLAN interface
[H3C-vlan-interface1] undo ip address
Example:
[H3C-vlan-interface1] ip address 210.30.103.254 255.255.255.0
View VLAN settings:
[any view] display vlan [ vlan_id ]
Bring a VLAN interface down/up:
[H3C-vlan-interface1] shutdown
[H3C-vlan-interface1] undo shutdown
Set/remove the VLAN description string:
[H3C-vlan1] description string
[H3C-vlan1] undo description
Example: [H3C-vlan1] description Floor 1 and 2
Check that the IP address configuration is correct
[non-user view] display interface vlan-interface vlan_id
Allow frames of certain VLANs through the current trunk port
[H3C-Ethernet1/0/1] port trunk permit vlan { vlan_id_list | all | vlan_id to vlan_id }
Remove the current trunk port from certain VLANs
[H3C-Ethernet1/0/1] undo port trunk permit vlan { vlan_id_list | all | vlan_id to vlan_id }
Example:
[H3C-Ethernet1/0/1] port trunk permit vlan 2 6 to 10 25
[H3C-Ethernet1/0/1] port trunk permit vlan all
Allow VLANs through a trunk link on an aggregate interface
[H3C] interface bridge-aggregation 1
[H3C-bridge-aggregation1] port link-type trunk
[H3C-bridge-aggregation1] port trunk permit vlan 2 to 3
Note: the trunk attributes do not need to be set separately on the physical member ports!
4. Static route configuration
Add a static route entry
[H3C] ip route-static ip-address { mask | mask-length } { interface-type interface-number | gateway-address }
Example:
[H3C] ip route-static 129.1.0.0 16 10.0.0.2
[H3C] ip route-static 129.1.0.0 255.255.0.0 10.0.0.2
[H3C] ip route-static 129.1.0.0 16 Serial 2
[H3C] ip route-static 0.0.0.0 0 10.0.0.2 (default route)
Delete a static route entry
[H3C] undo ip route-static ip-address { mask | mask-length }
Example:
[H3C] ip route-static 210.30.104.0 24 210.30.104.254
[H3C] ip route-static 0.0.0.0 0 192.168.1.1 // default route: a packet that matches no other routing-table entry is still forwarded via this route
Check the static routing table
[any view] display ip routing-table
5. Switch
Configure the Telnet login password and privilege level for users
[H3C] telnet server enable
[H3C] user-interface vty 0 4
[H3C-line-vty0-4] authentication-mode password
[H3C-line-vty0-4] set authentication password simple 123456
[H3C-line-vty0-4] user-role level-15
6. Router configuration
Set the link-layer protocol encapsulated on an interface to PPP
[Quidway-Serial0] link-protocol ppp
The default link-layer encapsulation on router interfaces is already PPP, so after the router starts, its synchronous/asynchronous serial interfaces run PPP automatically.
PPP configuration: PAP authentication

| Authenticator | Peer being authenticated |
|---|---|
| [Quidway-Serial0] ppp authentication-mode pap | [Quidway-Serial0] ppp pap local-user username password simple password |
| [Quidway] local-user username class network | |
| [Quidway-luser] service-type ppp | |
| [Quidway-luser] password simple password | |

Note: after configuring, the interface must be restarted in interface view by running "shutdown" and then "undo shutdown".
PPP configuration: CHAP authentication

| Authenticator | Peer being authenticated |
|---|---|
| [RA-Serial0] ppp authentication-mode chap | [RB-Serial0] ppp chap user user-b |
| [RA-Serial0] ppp chap user user-a | [Quidway] local-user user-a class network |
| [Quidway] local-user user-b class network | [Quidway-luser] service-type ppp |
| [Quidway-luser] service-type ppp | [Quidway-luser] password simple password |
| [Quidway-luser] password simple password | |

Note: after configuring, the interface must be restarted in interface view by running "shutdown" and then "undo shutdown".
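The following Python is an added illustration, not part of the original cheat sheet or of H3C's code: it simulates the CHAP exchange that the configuration above sets up, using the RFC 1994 MD5 method (Response = MD5(Identifier || Secret || Challenge)). It shows why the `password simple` configured under `local-user user-b` on the authenticator must equal the peer's secret even though the secret itself never crosses the link (PAP, by contrast, sends the password in the clear). `LOCAL_USERS`, `chap_exchange` and the sample secrets are constructed names and values.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

# Constructed stand-in for the authenticator's local-user table, i.e. the
# "local-user user-b class network" / "password simple password" entry above.
LOCAL_USERS = {"user-b": b"password"}

def chap_exchange(local_users: dict, peer_name: str, peer_secret: bytes,
                  challenge=None, identifier: int = 1) -> bool:
    """Simulate one CHAP round trip; returns True when the peer is accepted."""
    if challenge is None:
        challenge = os.urandom(16)   # authenticator picks a fresh random challenge
    # Peer side ("ppp chap user user-b"): builds the response from its own secret.
    # Only the user name and this 16-byte digest travel over the link.
    response = chap_response(identifier, peer_secret, challenge)
    # Authenticator side ("ppp authentication-mode chap"): look up the name and
    # recompute the expected digest from the locally configured password.
    expected_secret = local_users.get(peer_name)
    if expected_secret is None:
        return False                 # no matching local-user -> reject
    expected = chap_response(identifier, expected_secret, challenge)
    return hmac.compare_digest(response, expected)

if __name__ == "__main__":
    print(chap_exchange(LOCAL_USERS, "user-b", b"password"))  # True
    print(chap_exchange(LOCAL_USERS, "user-b", b"wrong"))     # False
```

Because the challenge changes every time, a captured response cannot be replayed in a later session, which is the property PAP lacks.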
7. Firewall
V7 does not need firewall configuration!
Disable/enable the firewall
[Router] firewall enable
[Router] undo firewall enable
Enabled by default in V7
Set the firewall's default filtering action
[Router] firewall default permit
Sets the default filtering action to "permit"
[Router] firewall default deny
Sets the default filtering action to "deny"
In V7 the default filtering action is "permit"
Display firewall status
[any view] display firewall-statistics { all | interface type number }
Configure a Telnet user and password on the router
[RT] telnet server enable
By default the Telnet service is disabled
[RT] line vty 0
Enters the view of one or more VTY user lines
[RT-line-vty0] authentication-mode scheme
Sets the login authentication mode to AAA
Create a local user as follows
[RT] local-user name class manage (create the user)
[RT-luser-manage-test] password simple 12 (set the password)
[RT-luser-manage-test] service-type telnet
[RT-luser-manage-test] authorization-attribute user-role network-admin (grant the highest administrator privilege level)
8. RIP
Enable RIP
[H3C] rip rip_id
Enable/disable RIP on one network segment the router is connected to:
[H3C-rip] [undo] network network-address
network-address: the network segment of the IP address on the corresponding router interface
Enable/disable RIP on all network segments the router is connected to:
[H3C-rip] [undo] network 0.0.0.0
Import/stop importing routes from other protocols
[H3C-rip] [undo] import-route protocol
protocol: Direct, Static, OSPF, BGP, IS-IS
By default RIP does not import routes from other protocols.
Enable/disable RIP-2 route summarization
[H3C-rip] [undo] summary
Route summarization works only with RIP-2; by default RIP-2 has summarization enabled
9. OSPF
Configure/remove the router ID
[H3C] router id router-id
[H3C] undo router id
[H3C] router id 1.1.1.1
The router ID is a 32-bit unsigned integer written in dotted-decimal format; it uniquely identifies the router within its autonomous system
If none of the router's interfaces has an IP address configured, the router ID must be configured manually, otherwise OSPF cannot run
The usual practice is to set the router ID to the IP address of one of the router's interfaces, which guarantees its uniqueness
Enable/disable OSPF
[H3C] [undo] ospf
By default OSPF is not enabled on the router
Most OSPF features are configured in OSPF view
Create/delete an OSPF area
[H3C-ospf] [undo] area area-id
[H3C-ospf] area 0
Specify/remove a network segment in an area
[H3C-ospf-area0] [undo] network ip-addr mask
ip-addr: the router interface IP
mask: wildcard (inverse) mask
[H3C-ospf-area0] network 192.168.1.1 0.0.0.255
After enabling OSPF with the ospf command in system view, the network segments must still be added to the area in area view; only then does OSPF run on those segments
Import/stop importing routes from other protocols
[H3C-ospf] [undo] import-route protocol
protocol: Direct, Static, RIP, BGP, IS-IS
By default OSPF does not import routes from other protocols
Example
10. ACL
Create an ACL
[Router] acl [ advanced | basic | mac ] acl-number [ match-order { config | auto } ]
config: rules are matched in the order in which they were configured.
auto: rules are matched in "depth-first" order. (This is what is used almost always.)

| ACL type | acl-number |
|---|---|
| basic | 2000~2999 |
| advanced | 3000~3999 |
| mac | 4000~4999 |

Basic ACL
[Router-acl-basic-acl-number] rule rule-id { permit | deny } [ source sour-addr sour-wildcard | any ]
[Router-acl-basic-2000] rule permit source 192.168.1.1 0.0.0.0
A wildcard mask (inverse mask) serves a purpose similar to a subnet mask but is written differently:
a 0 bit means the bit must be compared
a 1 bit means the bit is ignored
ACLs always use wildcard masks!
The wildcard 0.0.0.0 corresponds to subnet mask 255.255.255.255 and matches the single IP 192.168.1.1
Advanced ACL
[Router-acl-adv-acl-number] rule { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ]
Protocol type protocol: ip, ospf, igmp, gre, icmp, tcp, udp, etc.
Example:
[Router-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255 destination any
[Router-acl-adv-3001] rule deny tcp source 192.168.0.1 0.0.0.0 destination 202.118.66.66 0.0.0.0 destination-port equal 80
[Router-acl-adv-3001] rule deny icmp source any destination 210.30.103.0 0.0.0.255 icmp-type echo
[Router-acl-adv-3001] rule deny ip source any destination any
Apply an ACL on an interface
[Quidway-Serial0] packet-filter acl-number { inbound | outbound }
inbound: inbound direction
outbound: outbound direction
Several ACLs can be applied in one direction on one interface; matching starts from the ACL with the largest acl-number
Display ACLs and where they are applied on interfaces
[any view] display acl { all | acl-number }
Only ACLs that are applied are shown
Example:
Configure an inbound access rule on Ethernet0 that denies all packets
[Router] acl number 3001 match-order auto
[Router-acl-adv-3001] rule deny ip source any destination any
Allow a specific internal PC to reach the external network, and allow the internal servers to communicate with a specific external PC
[Router-acl-adv-3001] rule permit ip source 129.38.1.4 0 destination any
[Router-acl-adv-3001] rule permit ip source 129.38.1.1 0 destination 202.39.2.3 0
[Router-acl-adv-3001] rule permit ip source 129.38.1.2 0 destination 202.39.2.3 0
[Router-acl-adv-3001] rule permit ip source 129.38.1.3 0 destination 202.39.2.3 0
Apply ACL 3001 to packets entering through interface Ethernet0
[Router-Ethernet0] packet-filter 3001 inbound
Configure an inbound access rule on Serial0 that denies all packets
[Router] acl number 3002 match-order auto
[Router-acl-adv-3002] rule deny ip source any destination any
Allow the external network to communicate with a specific internal PC
[Router-acl-adv-3002] rule permit ip source any destination 129.38.1.4 0
Allow a specific external PC to access the internal servers
[Router-acl-adv-3002] rule permit ip source 202.39.2.3 0 destination 129.38.1.1 0
[Router-acl-adv-3002] rule permit ip source 202.39.2.3 0 destination 129.38.1.2 0
[Router-acl-adv-3002] rule permit ip source 202.39.2.3 0 destination 129.38.1.3 0
Apply ACL 3002 to packets entering through interface Serial0
[Router-Serial0] packet-filter 3002 inbound
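The wildcard-mask note and the match-order choice in this section are easiest to see in a small simulation. The following Python is an added illustration, not H3C code: it implements wildcard matching and first-match evaluation over ACL 3001 exactly as configured above, and shows why that ACL only does what the comments promise under match-order auto (the deny-all rule is configured first and would swallow every packet under config order). Comware's real depth-first ordering has further tie-breaking rules; here specificity is simply the number of wildcard 1-bits, and the fallback for packets matching no rule is an assumption.

```python
import ipaddress

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """H3C wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ _ip(wildcard)          # bits that must be compared
    return (_ip(addr) & care) == (_ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")           # "source any" / "destination any"
HOST = "0.0.0.0"                               # wildcard 0 = exactly this host

# ACL 3001 from the page in configured order: (action, src, src_wc, dst, dst_wc).
# Constructed representation; all rules are "ip", so the protocol is omitted.
ACL_3001 = [
    ("deny",   *ANY,               *ANY),
    ("permit", "129.38.1.4", HOST, *ANY),
    ("permit", "129.38.1.1", HOST, "202.39.2.3", HOST),
    ("permit", "129.38.1.2", HOST, "202.39.2.3", HOST),
    ("permit", "129.38.1.3", HOST, "202.39.2.3", HOST),
]

def specificity(rule) -> int:
    """Simplified depth-first key: fewer wildcard 1-bits = more specific."""
    _, _, swc, _, dwc = rule
    return bin(_ip(swc)).count("1") + bin(_ip(dwc)).count("1")

def evaluate(acl, src: str, dst: str, match_order: str = "auto") -> str:
    """First matching rule wins. 'config' keeps the configured order; 'auto'
    tries the most specific rules first (sorted() is stable, so rules of equal
    specificity keep their configured order)."""
    rules = sorted(acl, key=specificity) if match_order == "auto" else list(acl)
    for action, s, swc, d, dwc in rules:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "permit"  # assumption: a packet matching no rule passes (never reached here)

if __name__ == "__main__":
    print(evaluate(ACL_3001, "129.38.1.4", "8.8.8.8", "auto"))    # permit
    print(evaluate(ACL_3001, "129.38.1.4", "8.8.8.8", "config"))  # deny
```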
11. NAT address pool
Define an address pool
[H3C] nat address-group group-number
[H3C-address-group-group-number] address start-address end-address
[H3C] nat address-group 1
[H3C-address-group-1] address 210.30.101.1 210.30.101.4
Associate the address pool with an interface
[H3C-Serialx/x] nat outbound [ acl-number ] [ address-group group-number ]
Example:
[H3C] acl number 2000 match-order auto
[H3C-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[H3C-acl-basic-2000] rule deny source any
[H3C] nat address-group 1
[H3C-address-group-1] address 210.30.101.1 210.30.101.4
[H3C-Serial1/0] nat outbound 2000 address-group 1
Internal server mapping
[H3C-Serialx/x] nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ acl acl-number ]
Example:
[H3C-Serial1/0] nat server protocol tcp global 210.30.103.22 8080 inside 192.168.1.4 http
View NAT configuration information
[any view] display nat { address-group | all | outbound | server | statistics }
Example