[H3C Device Network Configuration] Second Edition


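Lab requirements:

1. The server group has dual uplinks to the core, to improve data reliability
2. Configure VLANs to reduce the size of the broadcast domains
3. All gateways are placed on the core switch; some IPs must be obtained automatically
4. Configure the service ports as edge ports, to reduce the impact of frequent up/down events on the network
5. Configure the relevant routes so that users can reach the external network and the new campus
6. The WAN exit is primary/backup; while the lines are healthy, traffic goes through China Unicom
7. All devices can be reached by Telnet; management segment 255.x, vlan999
8. vlan30 users cannot access 200.4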

Server switch: bridge aggregation

Approach

1. Create the bridge aggregation
2. Set the aggregate interface to trunk

server-sw

[H3C]SY S-SW
[S-SW]vlan 200
[S-SW-vlan200]port g1/0/1
[S-SW-vlan200]port g1/0/2
dis 
[S-SW-vlan200]int b 1
[S-SW-Bridge-Aggregation1]qu
[S-SW]int range Ten-GigabitEthernet1/0/50 to Ten-GigabitEthernet1/0/51
[S-SW-if-range]port link-aggregation group 1
[S-SW-if-range]qu

[S-SW]dis link-aggregation v
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  XGE1/0/50        S       32768    1
  XGE1/0/51        S       32768    1

The output above is what appears when the aggregation mode has not been set to dynamic.

[S-SW]int b 1
[S-SW-Bridge-Aggregation1]link mode dynamic   ==enable dynamic mode==
[S-SW-Bridge-Aggregation1]dis link-aggregation v

System ID: 0x8000, 6e7e-6251-1200
Local:
  Port                Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  XGE1/0/50           S       32768    1         {ACDEFG}
  XGE1/0/51           U       32768    1         {ACG}
Remote:
  Actor               Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  XGE1/0/50           0       32768    0         0x8000, 0000-0000-0000 {DEF}
  XGE1/0/51           0       32768    0         0x8000, 0000-0000-0000 {DEF}
==================== Because the peer has not enabled it yet, the U above is shown ====================
[S-SW-Bridge-Aggregation1]dis link-aggregation v
System ID: 0x8000, 6e7e-6251-1200
Local:
  Port                Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  XGE1/0/50           S       32768    1         {ACDEF}
  XGE1/0/51           S       32768    1         {ACDEF}
Remote:
  Actor               Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  XGE1/0/50           51      32768    1         0x8000, 6e7d-01a4-0100 {ACDEF}
  XGE1/0/51           52      32768    1         0x8000, 6e7d-01a4-0100 {ACDEF}
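
The two outputs above can be checked mechanically. The following is an added example (not part of the original post) that parses them and reports ports whose partner never answered; the sample text is copied from the outputs above, and the flag letters follow the legend Comware prints with this command (C Aggregation, D Synchronization, E Collecting, F Distributing, G Defaulted), which the post does not reproduce.

```python
import re

# Partner system MAC displayed while no LACPDU has been received from the peer.
NO_PARTNER = "0000-0000-0000"

# Local row:  port, status (S/U/I), priority, oper-key, {flags}
LOCAL_ROW = re.compile(r"^\s*(\S+)\s+([SUI])\s+(\d+)\s+(\d+)\s+\{([A-H]*)\}\s*$")
# Remote row: actor port, partner port, priority, oper-key, system ID, {flags}
REMOTE_ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+0x[0-9a-fA-F]+,\s*([0-9a-fA-F-]+)"
    r"\s+\{([A-H]*)\}\s*$")

# Copied from the first output in the post (peer not yet in dynamic mode).
PEER_NOT_READY = """\
Local:
  Port                Status  Priority Oper-Key  Flag
  XGE1/0/50           S       32768    1         {ACDEFG}
  XGE1/0/51           U       32768    1         {ACG}
Remote:
  Actor               Partner Priority Oper-Key  SystemID               Flag
  XGE1/0/50           0       32768    0         0x8000, 0000-0000-0000 {DEF}
  XGE1/0/51           0       32768    0         0x8000, 0000-0000-0000 {DEF}
"""

# Copied from the second output in the post (both ends in dynamic mode).
NEGOTIATED = """\
Local:
  Port                Status  Priority Oper-Key  Flag
  XGE1/0/50           S       32768    1         {ACDEF}
  XGE1/0/51           S       32768    1         {ACDEF}
Remote:
  Actor               Partner Priority Oper-Key  SystemID               Flag
  XGE1/0/50           51      32768    1         0x8000, 6e7d-01a4-0100 {ACDEF}
  XGE1/0/51           52      32768    1         0x8000, 6e7d-01a4-0100 {ACDEF}
"""


def parse(output):
    """Merge the Local and Remote tables into one record per port."""
    ports = {}
    for line in output.splitlines():
        m = LOCAL_ROW.match(line)
        if m:
            ports.setdefault(m.group(1), {}).update(
                status=m.group(2), local_flags=set(m.group(5)))
            continue
        m = REMOTE_ROW.match(line)
        if m:
            ports.setdefault(m.group(1), {}).update(
                partner_port=int(m.group(2)), partner_mac=m.group(5),
                remote_flags=set(m.group(6)))
    return ports


def diagnose(output):
    """Return {port: [problems]}; an empty list means the member is healthy."""
    report = {}
    for port, p in parse(output).items():
        flags = p.get("local_flags", set())
        problems = []
        # G (Defaulted) or an all-zero partner MAC: the peer sent no LACPDUs.
        if p.get("partner_mac", NO_PARTNER) == NO_PARTNER or "G" in flags:
            problems.append("no LACPDUs from peer (partner defaulted)")
        if p.get("status") != "S":
            problems.append("port not Selected")
        if "F" not in flags:
            problems.append("port not distributing")
        report[port] = problems
    return report


if __name__ == "__main__":
    for name, text in (("peer not ready", PEER_NOT_READY), ("negotiated", NEGOTIATED)):
        print(name, diagnose(text))
```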

Pinging the gateway 200.1 from PC14 (the server) fails; the cause turns out to be that trunk has not been configured.

[S-SW-Bridge-Aggregation1]qu
[S-SW]in b 1
[S-SW-Bridge-Aggregation1]port link-ty trunk
		Configuring Ten-GigabitEthernet1/0/50 done.    ==these two "done" lines must appear==
		Configuring Ten-GigabitEthernet1/0/51 done.
[S-SW-Bridge-Aggregation1]por tr pe v a
		Configuring Ten-GigabitEthernet1/0/50 done.
		Configuring Ten-GigabitEthernet1/0/51 done.

Core switch

This order seems to matter.

sy SW1
vlan 200

int vlan 200
ip add 192.168.200.1 24

int b 1
qu

int range Ten-GigabitEthernet1/0/50 to Ten-GigabitEthernet1/0/51
port link-ag gr 1

int b 1
link mode dynamic
port link-ty trunk
port tr pe v all

Verification

<H3C>PING 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.200.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 192.168.200.1: icmp_seq=2 ttl=255 time=1.000 m


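2. Configure VLANs to reduce the broadcast domain size

Approach

1. Target: vlan 10 vlan 20 vlan 30 vlan 40 vlan 80 vlan 200
Question: on the server branch and the pc9 branch, what happens if only vlan200 and 999 are enabled as needed?
Answer: enabling only what is needed is exactly right; there is no need to enable the others.
2. Use dis vlan b

vlan10 segment

Core sw1: create the VLAN, the trunk and the VLAN interface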

vlan 10
int vlan 10 
ip ad 192.168.10.1 24
qu
int Ten-GigabitEthernet1/0/52
port link-ty trunk
port trunk pe v all

Check - vlan

[sw1]dis po tr
Interface             PVID    VLAN Passing
BAGG1                 1       1, 10, 200, 999
XGE1/0/50             1       1, 10, 200, 999
XGE1/0/51             1       1, 10, 200, 999
XGE1/0/52             1       1, 10, 200, 999

Check - trunk

10        VLAN 0010                        BAGG1  XGE1/0/50  XGE1/0/51
                                           XGE1/0/52
200       VLAN 0200                        BAGG1  XGE1/0/50  XGE1/0/51
                                           XGE1/0/52
999       VLAN 0999                        BAGG1  XGE1/0/50  XGE1/0/51
                                           XGE1/0/52

Check - VLAN interface

[sw1]dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
MGE0/0/0                 down     down     --              --
Vlan10                   up       up       192.168.10.1    --
Vlan200                  up       up       192.168.200.1   --

Aggregation sw2: create the VLANs and three trunk ports

1. Creating the VLANs and the three trunk ports is all that is needed

[sw-核心]sy sw-汇聚
[sw-汇聚]vlan 10
[sw-汇聚-vlan10]vlan 20
[sw-汇聚-vlan20]vlan 999
[sw-汇聚-vlan999]qu

[sw-汇聚]int Ten-GigabitEthernet1/0/52
[sw-汇聚-Ten-GigabitEthernet1/0/52]port link-ty trunk
[sw-汇聚-Ten-GigabitEthernet1/0/52]port tr pe v a
[sw-汇聚-GigabitEthernet1/0/1]qu

[sw-汇聚]int g1/0/1
[sw-汇聚-GigabitEthernet1/0/1]port link-ty trunk
[sw-汇聚-GigabitEthernet1/0/1]port tr pe v a
[sw-汇聚-GigabitEthernet1/0/1]int g1/0/2
[sw-汇聚-GigabitEthernet1/0/2]port link-ty trunk
[sw-汇聚-GigabitEthernet1/0/2]port tr pe v a
[sw2]dis vlan b
.......
10        VLAN 0010                        GE1/0/1  GE1/0/2  XGE1/0/52
20        VLAN 0020                        GE1/0/1  GE1/0/2  XGE1/0/52
999       VLAN 0999                        GE1/0/1  GE1/0/2  XGE1/0/52

[sw-汇聚]dis por tr
Interface             PVID    VLAN Passing
GE1/0/1               1       1, 10, 20, 999
GE1/0/2               1       1, 10, 20, 999
XGE1/0/52             1       1, 10, 20, 999

Access sw4: create the VLAN and enable trunk

Create vlan10 (not all VLANs are needed) and add the ports to it; enable trunk and permit all VLANs

[H3C]sy sw-接入
[sw-接入]vlan 10
[sw-接入-vlan10]port g1/0/2
[sw-接入-vlan10]port g1/0/3
[sw-接入-vlan10]int g1/0/1
[sw-接入-GigabitEthernet1/0/1]port link-ty tr
[sw-接入-GigabitEthernet1/0/1]port tr pe v a

========= While here, also configure the service ports
[sw4-vlan10]qu
[sw4]int range g1/0/2 to g1/0/3
[sw4-if-range]stp edged-port
10        VLAN 0010                        GE1/0/1  GE1/0/2  GE1/0/3
999       VLAN 0999                        GE1/0/1

pc9 can ping the gateways 10.1 and 200.1


<H3C>ping 192.168.10.1
Ping 192.168.10.1 (192.168.10.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.10.1: icmp_seq=0 ttl=255 time=1.000 ms

<H3C>ping 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.200.1: icmp_seq=1 ttl=255 time=1.000 ms

At this point the access switch itself cannot ping the gateway

[sw-接入]ping 192.168.10.1
Ping 192.168.10.1 (192.168.10.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out

vlan 20 segment

sw1: create the VLAN and the VLAN interface

[sw1]vlan 20
[sw1-vlan20]int vlan 20
[sw1-Vlan-interface20]ip address 192.168.20.1 24

The aggregation switch needs no configuration

Access sw5: create the VLAN and configure trunk

[sw]sy sw5-接入
[sw5-接入]vlan 20
[sw5-接入-vlan20]por g1/0/1
[sw5-接入-vlan20]int g1/0/2
[sw5-接入-GigabitEthernet1/0/2]port link-ty tr
[sw5-接入-GigabitEthernet1/0/2]por tr pe v a

Verification: pings to 10.1, 20.1 and 200.1 all succeed

<H3C>ping 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=255 time=1.000 ms

vlan 30 and 40 segments

sw1: create the VLANs, set the VLAN interfaces, configure trunk

[sw1]vlan 30
[sw1-vlan30]int vlan 30
[sw1-Vlan-interface30]ip ad 192.168.30.1 24
[sw1-Vlan-interface30]vlan 40
[sw1-vlan40]int vlan 40
[sw1-Vlan-interface40]ip ad 192.168.40.1 24
[sw1-Vlan-interface40]qu

[sw1]int Ten-GigabitEthernet1/0/49
[sw1-Ten-GigabitEthernet1/0/49]port link-ty tr
[sw1-Ten-GigabitEthernet1/0/49]port link-ty trunk
[sw1-Ten-GigabitEthernet1/0/49]port tr pe v a

Aggregation sw3: three trunks

[sw-汇聚]int Ten-GigabitEthernet1/0/49
[sw-汇聚-Ten-GigabitEthernet1/0/49]port link-ty tr
[sw-汇聚-Ten-GigabitEthernet1/0/49]po tr pe v a
[sw-汇聚-Ten-GigabitEthernet1/0/49]qu

[sw-汇聚]int range g1/0/1 to g1/0/2
[sw-汇聚-if-range]port link-ty tr
[sw-汇聚-if-range]po tr pe v a

Access sw6: vlan30

[H3C]sy sw-接入
[sw-接入]vlan 30
[sw-接入-vlan30]por g1/0/1

[sw-接入-vlan30]int g1/0/2
[sw-接入-GigabitEthernet1/0/2]port link-ty tr
[sw-接入-GigabitEthernet1/0/2]po tr pe v a

Verify vlan30

<H3C>ping 192.168.200.5
Ping 192.168.200.5 (192.168.200.5): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.5: icmp_seq=0 ttl=254 time=2.000 ms

Access switch: vlan40

[H3C]sy sw-接入
[sw-接入]vlan 40
[sw-接入-vlan40]port g1/0/1

[sw-接入-vlan40]int g1/0/2
[sw-接入-GigabitEthernet1/0/2]port link-ty tr
[sw-接入-GigabitEthernet1/0/2]port tr pe v a

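Verify vlan40: because DHCP is not configured yet, no IP can be assigned

3. Configure DHCP so that some PCs obtain an IP automatically

Core sw1: enable DHCP, set the address range and the gateway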

[sw1]dhcp enable
[sw1]dhcp server ip-pool 10
[sw1-dhcp-pool-10]network 192.168.10.0 mask 255.255.255.0
[sw1-dhcp-pool-10]gateway-list 192.168.10.1
[sw1-dhcp-pool-10]dns-list 8.8.8.8

[sw1]dhcp server ip-pool 40
[sw1-dhcp-pool-40]network 192.168.40.0 mask 255.255.255.0
[sw1-dhcp-pool-40]gateway-list 192.168.40.1
[sw1-dhcp-pool-40]dns-list 8.8.8.8

Verification: after waiting a few minutes

4. STP spanning tree

The core is the root bridge; change its priority to 0

[sw1]stp priority 0

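Configure the service ports as edge ports

So that a PC going up or down does not affect the network.
Do this on each access switch in turn.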

[sw-接入]in g1/0/1
[sw-接入-GigabitEthernet1/0/1]stp edged-port

5. Configure OSPF to connect the new campus

Approach

1. Core sw1: start OSPF and advertise the network segments

[sw1]ospf 1
[sw1-ospf-1]area 1
[sw1-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.20.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.30.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.40.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.200.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255

2. External-network router R: start OSPF and advertise the network segments

[R-外网]ospf 1
[R-外网-ospf-1]area 1
[R-外网-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255
[R-外网-ospf-1-area-0.0.0.1]network 12.1.1.0 0.0.0.255
[R-外网-ospf-1-area-0.0.0.1]network 13.1.1.0 0.0.0.255
[R-外网-ospf-1-area-0.0.0.1]network 14.1.1.0 0.0.0.255

3. New-campus router R: configure the IPs, start OSPF and advertise the network segments

[R-]int s1/0
[R--Serial1/0]ip address 14.1.1.2 24

[R--Serial1/0]int g0/0
[R--GigabitEthernet0/0]ip address 192.168.80.1 24

[R-]ospf 1
[R--ospf-1-area-0.0.0.1]network 192.168.14.0 0.0.0.255  ====== wrong
[R--ospf-1-area-0.0.0.1]network 14.1.1.1  0.0.0.255
[R--ospf-1-area-0.0.0.1]dis this
#
 area 0.0.0.1
  network 14.1.1.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
# 
[R--ospf-1-area-0.0.0.1]un network 192.168.14.0 0.0.0.255
[R--ospf-1-area-0.0.0.1]dis this
#
 area 0.0.0.1
  network 14.1.1.0 0.0.0.255
#
return
[R--ospf-1-area-0.0.0.1]network 192.168.80.0 0.0.0.255

Verification: the new-campus router and PC_13 can ping the server 200.4

[R--Serial1/0]ping 192.168.200.4
Ping 192.168.200.4 (192.168.200.4): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.200.4: icmp_seq=0 ttl=253 time=2.000 ms

[R--Serial1/0]ping 192.168.20.11
Ping 192.168.20.11 (192.168.20.11): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.20.11: icmp_seq=0 ttl=253 time=1.000 ms
<H3C>ping 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=253 time=1.000 ms

PC_9 pings PC_13

<H3C>ping 192.168.80.13
Ping 192.168.80.13 (192.168.80.13): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.80.13: icmp_seq=0 ttl=252 time=2.000 ms

6. Access the external network

1) Core sw1: change port 02 to route mode and set its address

[sw1]int g1/0/2
[sw1-GigabitEthernet1/0/2]port link-mode route
[sw1-GigabitEthernet1/0/2]ip address 192.168.100.1 24

2) R-外网 (the external-network router): set the IP address of each interface

[R-外网]int g0/2
[R-外网-GigabitEthernet0/2]ip a 192.168.100.2 24

[R-外网-GigabitEthernet0/2]int g0/0
[R-外网-GigabitEthernet0/0]ip a 12.1.1.1 24
[R-外网-GigabitEthernet0/0]int g0/1
[R-外网-GigabitEthernet0/1]ip a 13.1.1.1 24

[R-外网-GigabitEthernet0/1]int s1/0
[R-外网-Serial1/0]ip ad 14.1.1.1 24

At this point PC_ can reach 12.1.1.1 but not 12.1.1.2, let alone 6.6.6.6

<H3C>ping 192.168.80.13
Ping 192.168.80.13 (192.168.80.13): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.80.13: icmp_seq=0 ttl=252 time=2.000 ms
56 bytes from 192.168.80.13: icmp_seq=0 ttl=252 time=2.000 ms

ping 12.1.1.1
Ping 12.1.1.1 (12.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 12.1.1.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 12.1.1.1: icmp_seq=0 ttl=254 time=1.000 ms

ping 12.1.1.2
Ping 12.1.1.2 (12.1.1.2): 56 data bytes, press CTRL_C to break
Request time out
Request time out

[H3C]PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
Request time out

It is probably time to configure the direct routes

3) Core sw1: set the default route, next hop 100.2

[sw1]ip route-static 0.0.0.0 0 192.168.100.2


4) R-外网: set the default route, next hop 12.1.1.2

[R-外网]ip route-static 0.0.0.0 0 12.1.1.2


5) R_联通 (the China Unicom router): set the IPs

[R-联通]int g0/0
[R-联通-GigabitEthernet0/0]ip address 12.1.1.2 24

[R-联通]int LoopBack 1
[R-联通-LoopBack1]ip address 6.6.6.6 24

At this point 6.6.6.6 is still unreachable; an ACL should be set up

[H3C]PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
Request time out
Request time out

6) R_外网: set up the ACL and NAT address translation

[R-外网]acl basic 2000
[R-外网-acl-ipv4-basic-2000]rule permit source 192.168.0.0 0.0.255.255 
# Rule: permit 192.168.0.0, allowed through unconditionally
[R-外网-acl-ipv4-basic-2000]int g0/0
[R-外网-GigabitEthernet0/0]nat outbound 2000
# On port 0/0, apply rule set 2000

7) Verification

Verification: 6.6.6.6 can be pinged

PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
56 bytes from 6.6.6.6: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 6.6.6.6: icmp_seq=1 ttl=253 time=2.000 ms

==R-外网


[R-外网]dis  ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       12.1.1.1/24        --           --
GE0/1               up       up       13.1.1.1/24        --           --
GE0/2               up       up       192.168.100.2/24   --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Ser1/0              up       up       14.1.1.1/24        --           --
Ser2/0              down     down     --                 --           --
Ser3/0              down     down     --                 --           --
Ser4/0              down     down     --                 --           -


[R-外网]dis ip routing-table
Destinations : 27       Routes : 27
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           12.1.1.2        GE0/0
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
12.1.1.0/24        Direct  0   0           12.1.1.1        GE0/0
12.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
12.1.1.255/32      Direct  0   0           12.1.1.1        GE0/0
13.1.1.0/24        Direct  0   0           13.1.1.1        GE0/1
13.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
13.1.1.255/32      Direct  0   0           13.1.1.1        GE0/1
14.1.1.0/24        Direct  0   0           14.1.1.1        Ser1/0
14.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
14.1.1.2/32        Direct  0   0           14.1.1.2        Ser1/0
14.1.1.255/32      Direct  0   0           14.1.1.1        Ser1/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.10.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.20.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.30.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.40.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.80.0/24    O_INTRA 10  1563        14.1.1.2        Ser1/0
192.168.100.0/24   Direct  0   0           192.168.100.2   GE0/2
192.168.100.2/32   Direct  0   0           127.0.0.1       InLoop0
192.168.100.255/32 Direct  0   0           192.168.100.2   GE0/2
192.168.200.0/24   O_INTRA 10  2           192.168.100.1   GE0/2
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

R-联通

<R-联通>dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       12.1.1.2/24        --           --
GE0/1               up       up       --                 --           --
GE0/2               down     down     --                 --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Loop1               up       up(s)    6.6.6.6/24         --           --
Ser1/0              down     down     --                 --           --
Ser2/0              down     down     --                 --           --
Ser3/0              down     down     --                 --           --
Ser4/0              down     down     --                 --           0


<R-联通>dis ip routing-table
Destinations : 13       Routes : 13
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
6.6.6.0/24         Direct  0   0           6.6.6.6         Loop1
6.6.6.6/32         Direct  0   0           127.0.0.1       InLoop0
6.6.6.255/32       Direct  0   0           6.6.6.6         Loop1
12.1.1.0/24        Direct  0   0           12.1.1.2        GE0/0
12.1.1.2/32        Direct  0   0           127.0.0.1       InLoop0
12.1.1.255/32      Direct  0   0           12.1.1.2        GE0/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

R_移动


<R_移动>dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       13.1.1.2/24        --           --
GE0/1               up       up       --                 --           --
GE0/2               down     down     --                 --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Loop3               up       up(s)    7.7.7.7/24         --           --
Ser1/0              down     down     --                 --           --
Ser2/0              down     down     --                 --           --
Ser3/0              down     down     --                 --           --
Ser4/0              down     down     --                 --           --
<R_移动>dis ip rou
<R_移动>dis ip routing-table

Destinations : 13       Routes : 13

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
7.7.7.0/24         Direct  0   0           7.7.7.7         Loop3
7.7.7.7/32         Direct  0   0           127.0.0.1       InLoop0
7.7.7.255/32       Direct  0   0           7.7.7.7         Loop3
13.1.1.0/24        Direct  0   0           13.1.1.2        GE0/0
13.1.1.2/32        Direct  0   0           127.0.0.1       InLoop0
13.1.1.255/32      Direct  0   0           13.1.1.2        GE0/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

7. Dual-line WAN backup: China Unicom primary, China Mobile backup, automatic switchover

1) R_外网: add the route and set its preference

ip route-static 0.0.0.0 0 13.1.1.2 preference 70

2) R_移动 (the China Mobile router): set the IPs

[R_移动]int LoopBack 3
[R_移动-LoopBack3]ip a 7.7.7.7 24

[R_移动-LoopBack3]int g0/0
[R_移动-GigabitEthernet0/0]ip a 13.1.1.2 24

Check

[R_移动]dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       13.1.1.2/24        --           --
GE0/1               up       up       --                 --           --
GE0/2               down     down     --                 --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Loop3               up       up(s)    7.7.7.7/24         --           --

3) After the China Unicom line (6.6.6.6) is disconnected, traffic switches automatically to 7.7.7.7


After the disconnection the R_外网 routing table changes; note the first row, preference 70

[R-外网]dis ip routing-table
Destinations : 25       Routes : 25
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  70  0           13.1.1.2        GE0/1
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
12.1.1.1/32        Direct  1   0           0.0.0.0         NULL0
13.1.1.0/24        Direct  0   0           13.1.1.1        GE0/1
13.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
13.1.1.255/32      Direct  0   0           13.1.1.1        GE0/1
14.1.1.0/24        Direct  0   0           14.1.1.1        Ser1/0
14.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
14.1.1.2/32        Direct  0   0           14.1.1.2        Ser1/0
14.1.1.255/32      Direct  0   0           14.1.1.1        Ser1/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.10.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.20.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.30.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.40.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.80.0/24    O_INTRA 10  1563        14.1.1.2        Ser1/0
192.168.100.0/24   Direct  0   0           192.168.100.2   GE0/2
192.168.100.2/32   Direct  0   0           127.0.0.1       InLoop0
192.168.100.255/32 Direct  0   0           192.168.100.2   GE0/2
192.168.200.0/24   O_INTRA 10  2           192.168.100.1   GE0/2
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

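3.1) But 7.7.7.7 cannot be pinged; go back to NAT on R_外网

7.7.7.7 cannot be pinged and neither can 13.1.1.2, while 13.1.1.1 can; this indicates that NAT is not configured

4) Back on R_外网: bind the ACL rule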

[R-外网]int g0/1
[R-外网-GigabitEthernet0/1]dis thi
# Indeed, NAT is not configured
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 13.1.1.1 255.255.255.0

[R-外网-GigabitEthernet0/1]nat outbound 2000
# Check again

[R-外网-GigabitEthernet0/1]DIS THI
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 13.1.1.1 255.255.255.0
 nat outbound 2000
# The nat rule is now present

Ping 7.7.7.7 from pc-14

PING 7.7.7.7
Ping 7.7.7.7 (7.7.7.7): 56 data bytes, press CTRL_C to break
56 bytes from 7.7.7.7: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 7.7.7.7: icmp_seq=1 ttl=253 time=1.000 ms

5) After 6.6.6.6 is reconnected, PC14 switches back to 6.6.6.6 automatically


[H3C]PING 7.7.7.7
Ping 7.7.7.7 (7.7.7.7): 56 data bytes, press CTRL_C to break
56 bytes from 7.7.7.7: icmp_seq=0 ttl=253 time=2.000 ms
56 bytes from 7.7.7.7: icmp_seq=1 ttl=253 time=2.000 ms
Request time out
Request time out
Request time out
# 7.7, which was reachable, drops once 6.6 is reconnected
PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
56 bytes from 6.6.6.6: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 6.6.6.6: icmp_seq=1 ttl=253 time=1.000 ms
# 6.6 is now reachable
[H3C]PING 7.7.7.7
Ping 7.7.7.7 (7.7.7.7): 56 data bytes, press CTRL_C to break
Request time out
Request time out
# 7.7 is now unreachable
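
The failure in steps 3.1) and 4), where the backup default route became active but GE0/1 had no `nat outbound`, can be caught before a failover test. The following is an added example, not part of the original post: it parses a configuration excerpt assembled from the values shown on this page and lists every default-route egress interface that lacks NAT. The excerpt layout, the function names and the use of 60 as the preference of a route written without one (the value the routing table above shows) are assumptions of the example.

```python
import ipaddress
import re

# Constructed excerpt: R-外网 as it was before `nat outbound 2000` was added to GE0/1.
BEFORE_FIX = """\
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 12.1.1.1 255.255.255.0
 nat outbound 2000
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet0/2
 port link-mode route
 ip address 192.168.100.2 255.255.255.0
#
 ip route-static 0.0.0.0 0 12.1.1.2
 ip route-static 0.0.0.0 0 13.1.1.2 preference 70
#
"""
AFTER_FIX = BEFORE_FIX.replace(
    " ip address 13.1.1.1 255.255.255.0\n",
    " ip address 13.1.1.1 255.255.255.0\n nat outbound 2000\n")

DEFAULT_ROUTE = re.compile(
    r"ip route-static 0\.0\.0\.0 (?:0\.0\.0\.0|0) (\S+)(?: preference (\d+))?$")


def parse_config(text):
    """Return ({interface: {"net", "nat"}}, [(next_hop, preference)])."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"net": None, "nat": False}
        elif line == "#":
            current = None
        elif current and line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            interfaces[current]["net"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif current and line.startswith("nat outbound"):
            interfaces[current]["nat"] = True
        else:
            m = DEFAULT_ROUTE.match(line)
            if m:
                routes.append((ipaddress.ip_address(m.group(1)), int(m.group(2) or 60)))
    return interfaces, routes


def egress_for(next_hop, interfaces):
    """Interface whose connected subnet contains the next hop."""
    for name, info in interfaces.items():
        if info["net"] is not None and next_hop in info["net"]:
            return name
    return None


def default_routes_without_nat(text):
    """Default routes (primary or backup) that leave through an interface with no NAT."""
    interfaces, routes = parse_config(text)
    findings = []
    for hop, pref in sorted(routes, key=lambda r: r[1]):
        name = egress_for(hop, interfaces)
        if name and not interfaces[name]["nat"]:
            findings.append((str(hop), name, pref))
    return findings


def active_default(text, down=()):
    """Lowest-preference default route whose egress interface is not down."""
    interfaces, routes = parse_config(text)
    for hop, pref in sorted(routes, key=lambda r: r[1]):
        name = egress_for(hop, interfaces)
        if name and name not in down:
            return str(hop), name, pref
    return None


if __name__ == "__main__":
    print(active_default(BEFORE_FIX, down={"GigabitEthernet0/0"}))
    print(default_routes_without_nat(BEFORE_FIX))
```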

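8. All devices reachable by Telnet; management segment 255.x, vlan999

1) All devices reachable by Telnet: every device must be configured, and the configuration is the same on each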

# Enable the telnet service
[sw1]telnet server enable
# Add user abc in the manage class, password 123, service type Telnet
[sw1]local-user abc class manage
[sw1-luser-manage-abc]password simple 123
[sw1-luser-manage-abc]service-type telnet

# Set the user role to network-admin
[sw1-luser-manage-abc]authorization-attribute user-role network-admin

# Set the login method to username and password; the CLI help prompts are copied here on purpose
[sw1]use
[sw1]user-?
  user-group      Specify user group configuration information
  user-interface  Configure the line
  user-profile    Specify a user profile

[sw1]user-in
[sw1]user-interface ?
  INTEGER<0-147>  Number of the first line
  aux             AUX line
  class           Specify the line class to modify the default configuration
  console         Console line
  tty             Async serial line
  vty             Virtual type terminal (VTY) line

[sw1]user-interface vty ?
  INTEGER<0-63>  Number of the first line

[sw1]user-interface vty 0 4
[sw1-line-vty0-4]a
[sw1-line-vty0-4]authentication-mode ?
  none      Login without authentication
  password  Password authentication
  scheme    Authentication use AAA

[sw1-line-vty0-4]authentication-mode sc
[sw1-line-vty0-4]authentication-mode scheme

2) Common configuration: copy it, then paste it on every device

telnet serv en
local-user abc class manage

pas sim 123
service-type telnet
authorization-attribute user-role network-admin
qu
user-interface vty 0 4
authentication-mode scheme

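3) Set up management vlan 999 and the 255.x addresses so the devices can be reached by telnet

For the core switch, the access switches and the routers to be reachable by Telnet, each must have an address (a VLAN interface),
so management vlan999 has to be created and given a 255.x address,
so that all PCs can reach every switch and router.

① Core switch: create management vlan999 and its IP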

[sw1-luser-manage-abc]int vlan 999
[sw1-Vlan-interface999]ip address 192.168.255.1 24

② The aggregation and access switches all need the management VLAN and a management address

int vlan 999
ip add 192.168.255.x 24

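③ Apart from the main core, the other devices also need a default route [not understood]

# Used for the return path of management traffic
[sw14]ip route-static 0.0.0.0 0 192.168.255.1

To summarize, every device except the core switch should be configured like this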

[sw-汇聚]vlan 999
[sw-汇聚-vlan999]int vlan 999
[sw-汇聚-Vlan-interface999]ip a 192.168.255.2 24
[sw-汇聚-Vlan-interface999]qu
[sw-汇聚]ip rou 0.0.0.0 0 192.168.255.1
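# The default route exists for the return path of management traffic; without it the PCs cannot reach the device

Checks and troubleshooting

# 1. First check vlan999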
[sw-接入]dis vlan
 Total VLANs: 3
 The VLANs include:
 1(default), 10, 999
# 2. Check the IP
[sw-接入]dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
MGE0/0/0                 down     down     --              --
Vlan999                  up       up       192.168.110.4   --
# 3. Check the default route
[sw-接入]dis ip rou
Destinations : 13       Routes : 13
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           192.168.255.1   Vlan999

9. vlan30 users cannot access 200.5 (ACL; applied with packet-filter, not NAT)

Core switch: set up an advanced ACL blocking rule

[sw1]acl advanced 3000
[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.5 0.0.0.0
# 0.0.0.255? Would that be appropriate
[sw1-acl-ipv4-adv-3000]qu
[sw1]int vlan 30
# The VLAN has to be set
[sw1-Vlan-interface30]packet-filter 3000 inbound
# Not nat; it is packet-filter

Check

From 192.168.30.12, ping 200.4 and 200.5: 200.4 answers, 200.5 times out

<H3C>ping 192.168.200.4
Ping 192.168.200.4 (192.168.200.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.4: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 192.168.200.4: icmp_seq=1 ttl=254 time=2.000 ms

ping 192.168.200.5
Ping 192.168.200.5 (192.168.200.5): 56 data bytes, press CTRL_C to break
Request time out
Request time out

Ping 30.12 from 192.168.200.4: reachable

ping 192.168.30.12
Ping 192.168.30.12 (192.168.30.12): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.30.12: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.30.12: icmp_seq=1 ttl=254 time=1.000 ms

Ping 30.12 from 200.5: unreachable

<H3C>ping 192.168.30.12
Ping 192.168.30.12 (192.168.30.12): 56 data bytes, press CTRL_C to break
Request time out
Request time out

The result is fine; everything matches the design requirements.

A further experiment: what if the 0.0.0.0 after 192.168.200.5 is changed to 0.0.0.255
[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.5 0.0.0.0

[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.5 0.0.0.255

# [Result] Is 0.0.0.255 appropriate? With 255, none of the IPs in the 200 segment can be pinged

<H3C>ping 192.168.200.4
Ping 192.168.200.4 (192.168.200.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out

ping 192.168.200.5
Ping 192.168.200.5 (192.168.200.5): 56 data bytes, press CTRL_C to break
Request time out
Request time out

Look at the relevant configuration on sw1

[sw1]int vlan 30
[sw1-Vlan-interface30]dis thi
#
interface Vlan-interface30
 ip address 192.168.30.1 255.255.255.0
 packet-filter 3000 inbound
[sw1]acl advanced 3000
[sw1-acl-ipv4-adv-3000]dis th
#
acl advanced 3000
 rule 0 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.0 0.0.0.255

Change it back again

[sw1]acl a 3000
[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.5 0.0.0.0
[sw1-acl-ipv4-adv-3000]dis thi
#
acl advanced 3000
 rule 0 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.5 0

30.12 and 200.5 cannot ping each other; 30.12 and 200.4 can.
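
The wildcard experiment above, worked through as an added example that is not part of the original post: it models the inbound packet-filter on Vlan-interface30 and shows why 0.0.0.0 blocks only 200.5, why 0.0.0.255 blocks the whole 200 segment, and why a ping started from 200.5 also fails (its echo reply enters through vlan30 and hits the same rule). The function names are hypothetical, and the model assumes unmatched packets pass, which is what the page observes for 200.4.

```python
import ipaddress

# Packets sourced from this subnet enter the core through Vlan-interface30,
# where `packet-filter 3000 inbound` is applied.
VLAN30 = ipaddress.ip_network("192.168.30.0/24")


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def normalize(addr, wildcard):
    """Zero the don't-care bits, as `dis this` displays a stored rule."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(_int(addr) & care)), wildcard


def matches(packet_addr, rule_addr, wildcard):
    """Wildcard match: only bits that are 0 in the wildcard are compared."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(packet_addr) & care) == (_int(rule_addr) & care)


def hosts_covered(wildcard):
    """Number of addresses one address/wildcard pair matches."""
    return 2 ** bin(_int(wildcard)).count("1")


def inbound_vlan30_permits(src, dst, rules):
    """Apply the rules to a packet the way the inbound filter on vlan30 sees it."""
    if ipaddress.ip_address(src) not in VLAN30:
        return True  # does not enter through Vlan-interface30, so it is not filtered here
    for action, r_src, r_swc, r_dst, r_dwc in rules:
        if matches(src, r_src, r_swc) and matches(dst, r_dst, r_dwc):
            return action == "permit"
    return True  # assumed: no matching rule means the packet passes


def ping_ok(a, b, rules):
    """A ping works only if both the echo request and the echo reply get through."""
    return inbound_vlan30_permits(a, b, rules) and inbound_vlan30_permits(b, a, rules)


# The two variants of rule 0 tried on the page.
NARROW = [("deny", "192.168.30.0", "0.0.0.255", "192.168.200.5", "0.0.0.0")]
WIDE = [("deny", "192.168.30.0", "0.0.0.255", "192.168.200.5", "0.0.0.255")]

if __name__ == "__main__":
    print(normalize("192.168.200.5", "0.0.0.255"), hosts_covered("0.0.0.255"))
    for name, rules in (("narrow", NARROW), ("wide", WIDE)):
        for a, b in (("192.168.30.12", "192.168.200.4"),
                     ("192.168.30.12", "192.168.200.5"),
                     ("192.168.200.5", "192.168.30.12")):
            print(name, a, "->", b, "ok" if ping_ok(a, b, rules) else "blocked")
```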
