Lab 1 - VLAN (virtual local area network) lab
1. Create the VLANs on the switch:
[Huawei]vlan batch 2 3
2. Assign the interfaces to the VLANs:
Configure each interface in turn
LSW1
1) Enter the interface: [Huawei]interface Ethernet0/0/1
2) Change the port type: [Huawei-Ethernet0/0/1]port link-type access
3) Assign it to the VLAN: [Huawei-Ethernet0/0/1]port default vlan 2
[Huawei-Ethernet0/0/1]q
[Huawei]interface Ethernet0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 2
[Huawei-Ethernet0/0/2]q
[Huawei]interface Ethernet0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 3
[Huawei-Ethernet0/0/3]q
LSW2, in the same way
[Huawei]vlan batch 2 3
[Huawei]interface Ethernet0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 2
[Huawei-Ethernet0/0/1]q
[Huawei]interface Ethernet0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 3
[Huawei-Ethernet0/0/2]q
Configure IP addresses on the PCs
PC1 192.168.1.2 255.255.255.0
PC2-5 in the same way
After the steps above, hosts in the same VLAN on the same switch can communicate
3. Configure the VLAN attributes of the trunk ports
LSW1
1) Enter the interface: [Huawei]interface Ethernet0/0/4
2) Change the port type: [Huawei-Ethernet0/0/4]port link-type trunk
3) Set the VLANs allowed to pass: [Huawei-Ethernet0/0/4]port trunk allow-pass vlan all
LSW2
[Huawei]interface Ethernet0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan all
[Huawei-Ethernet0/0/3]q
[Huawei]dis vlan //check that each interface has been assigned to the correct VLAN
With the steps above added, VLAN 2 on LSW1 can communicate with VLAN 2 on LSW2
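Added example (not part of the original lab notes): a Python model of what the access and trunk commands above do to a frame travelling from an LSW1 access port, across the trunk, to an LSW2 access port. The sample frame and its MAC address are constructed, and the allow_pass set {2} is an assumed restriction shown for comparison with "vlan all".

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

def tag(frame, vid, pcp=0):
    """Access-port ingress: insert a 4-byte 802.1Q tag after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def untag(frame):
    """Return (vid, frame_without_tag); vid is None if the frame carries no tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

def trunk_forward(frame, allow_pass):
    """Trunk port: pass a tagged frame only if its VID is in allow_pass ('all' or a set)."""
    vid, _ = untag(frame)
    if vid is None:
        return None  # this lab's access ports always tag first, so untagged frames are dropped here
    return frame if allow_pass == "all" or vid in allow_pass else None

def access_egress(frame, port_vlan):
    """Access port: deliver untagged, and only frames belonging to the port's own VLAN."""
    vid, inner = untag(frame)
    return inner if vid == port_vlan else None

def deliver(raw, ingress_vlan, egress_vlan, allow_pass="all"):
    """LSW1 access port -> trunk link -> LSW2 access port, as cabled in this lab."""
    on_wire = trunk_forward(tag(raw, ingress_vlan), allow_pass)
    return None if on_wire is None else access_egress(on_wire, egress_vlan)

# Constructed sample: broadcast ARP-type frame from a made-up source MAC.
RAW = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28

if __name__ == "__main__":
    print("VLAN 2 -> VLAN 2, allow all:", deliver(RAW, 2, 2) == RAW)
    print("VLAN 2 -> VLAN 3, allow all:", deliver(RAW, 2, 3))
    print("VLAN 3 -> VLAN 3, allow {2}:", deliver(RAW, 3, 3, allow_pass={2}))
```

Listing only VLANs 2 and 3 on the trunk instead of all keeps any VLAN created later from crossing the inter-switch link until it is explicitly allowed.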
Lab 2 - Router-on-a-stick lab, building on the VLAN lab (gives full network connectivity)
(1) On LSW1, change the interface connected to the router to type trunk and allow all VLANs to pass
[Huawei]interface Ethernet0/0/5
[Huawei-Ethernet0/0/5]port link-type trunk
[Huawei-Ethernet0/0/5]port trunk allow-pass vlan all
(2) Configure the router
[Huawei]interface g0/0/0.1 //create the virtual sub-interface
[Huawei-GigabitEthernet0/0/0.1]dot1q termination vid 2 //encapsulate for the VLAN
[Huawei-GigabitEthernet0/0/0.1]ip address 192.168.1.1 24 //configure the IP address (gateway)
[Huawei-GigabitEthernet0/0/0.1]arp broadcast enable //enable ARP broadcast
[Huawei-GigabitEthernet0/0/0.1]q
In the same way:
[Huawei]interface g0/0/0.2
[Huawei-GigabitEthernet0/0/0.2]dot1q termination vid 3
[Huawei-GigabitEthernet0/0/0.2]ip address 192.168.2.1 24
[Huawei-GigabitEthernet0/0/0.2]arp broadcast enable
[Huawei-GigabitEthernet0/0/0.2]q
(3) DHCP, dynamic host configuration (the PCs obtain their IP addresses automatically)
[Huawei]ip pool kaikai //create an address pool named kaikai
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-kaikai]network 192.168.1.0 mask 24 //addresses to hand out
[Huawei-ip-pool-kaikai]gateway-list 192.168.1.1 //gateway address
[Huawei-ip-pool-kaikai]dns-list 8.8.8.8 //DNS server address
[Huawei-ip-pool-kaikai]q
[Huawei]dhcp enable
[Huawei]interface g0/0/0.1
[Huawei-GigabitEthernet0/0/0.1]dhcp select global //enable
[Huawei-GigabitEthernet0/0/0.1]q
In the same way:
[Huawei]ip pool meimei
[Huawei-ip-pool-meimei]network 192.168.2.0 mask 24
[Huawei-ip-pool-meimei]gateway-list 192.168.2.1
[Huawei-ip-pool-meimei]dns-list 8.8.8.8
[Huawei-ip-pool-meimei]q
[Huawei]interface g0/0/0.2
[Huawei-GigabitEthernet0/0/0.2]dhcp select global
(4) On every PC, select DHCP and apply, then check the IP address with ipconfig on the command line
Any two PCs can ping each other (using the addresses obtained through DHCP)
Lab 3 - ACL lab
Requirement: once the whole network is reachable, 1 cannot ping 3 but 1 can ping 2 (full connectivity is achieved with RIP)
AR1
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 12.1.1.1 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]rip 1
[Huawei-rip-1]version 2
[Huawei-rip-1]network 192.168.1.0
[Huawei-rip-1]network 12.0.0.0
[Huawei-rip-1]q
AR2
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 12.1.1.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]ip address 24.1.1.1 24
[Huawei-GigabitEthernet0/0/2]q
[Huawei]rip 1
[Huawei-rip-1]version 2
[Huawei-rip-1]network 192.168.2.0
[Huawei-rip-1]network 12.0.0.0
[Huawei-rip-1]network 24.0.0.0
[Huawei-rip-1]q
AR3
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.3.1 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 24.1.1.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]rip 1
[Huawei-rip-1]version 2
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]network 24.0.0.0
[Huawei-rip-1]q
After the steps above the whole network is reachable
Basic ACL configuration
On AR3. Method 1: deny
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule deny source 192.168.1.2 0
[Huawei-acl-basic-2000]q
[Huawei]interface g0/0/1 (apply the ACL on this interface)
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[Huawei-GigabitEthernet0/0/1]q
Verify
Method 2: permit
[Huawei]undo acl 2000
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule permit source 192.168.2.2 0
[Huawei-acl-basic-2000]rule deny source any
[Huawei-acl-basic-2000]q
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
Advanced ACL configuration
(1) AR1 can ping AR3 but cannot log in to AR3 remotely
On AR2 (a router cannot restrict its own traffic, so this cannot be done on AR1 or AR3)
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp source 12.1.1.1 0 destination-port eq 23
[Huawei-acl-adv-3000]q
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
(2) On AR2: AR1 cannot ping AR3 but can log in to AR3 remotely
[kaikai]undo acl 3000
[kaikai]acl 3000
[kaikai-acl-adv-3000]rule deny icmp source 12.1.1.1 0 destination 24.1.1.2 0
[kaikai-acl-adv-3000]q
[kaikai]interface g0/0/0
[kaikai-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
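Added example (not part of the original lab notes): a Python evaluator for the four rule sets in this lab, basic and advanced, using first-match ordering and wildcard masks. It assumes that traffic-filter forwards packets that match no rule, which is why method 2 ends with an explicit deny; the addresses 192.168.3.2 (PC3) and 192.168.2.9 are constructed sample hosts.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any": every address bit is ignored

def host(ip):
    return (ip, "0.0.0.0")  # the trailing 0 in "source 192.168.1.2 0"

def wild_match(addr, base, wildcard):
    """Wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def rule(action, src=ANY, dst=ANY, proto=None, dport=None):
    return dict(action=action, src=src, dst=dst, proto=proto, dport=dport)

def evaluate(acl, pkt, default="permit"):
    """Action of the first matching rule. default="permit" is an assumption:
    traffic-filter forwards packets that match no rule."""
    for r in acl:
        if r["proto"] is not None and r["proto"] != pkt["proto"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if wild_match(pkt["src"], *r["src"]) and wild_match(pkt["dst"], *r["dst"]):
            return r["action"]
    return default

# The four rule sets from this lab.
BASIC_DENY = [rule("deny", src=host("192.168.1.2"))]
BASIC_ALLOW = [rule("permit", src=host("192.168.2.2")), rule("deny")]
ADV_NO_TELNET = [rule("deny", src=host("12.1.1.1"), proto="tcp", dport=23)]
ADV_NO_PING = [rule("deny", src=host("12.1.1.1"), dst=host("24.1.1.2"), proto="icmp")]

def packet(src, dst, proto="icmp", dport=None):
    return dict(src=src, dst=dst, proto=proto, dport=dport)

# Constructed sample traffic; PC3 and 192.168.2.9 are assumed addresses.
PC3 = "192.168.3.2"
SAMPLES = {
    "pc1_ping": packet("192.168.1.2", PC3),
    "pc2_ping": packet("192.168.2.2", PC3),
    "other_ping": packet("192.168.2.9", PC3),
    "ar1_telnet": packet("12.1.1.1", "24.1.1.2", "tcp", 23),
    "ar1_ping": packet("12.1.1.1", "24.1.1.2"),
}

def verdicts(acl):
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}
```

Comparing verdicts(BASIC_DENY) with verdicts(BASIC_ALLOW) shows the difference between the two methods: the host 192.168.2.9, which neither rule set names, is forwarded under method 1 and dropped under method 2.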
Lab 4 - IP configuration building on the ACL lab
Example 1: the internal network accesses the external network
AR3
(1) Configure the default route
[kaikai]rip 1
[kaikai-rip-1]version 2
[kaikai-rip-1]default-route originate
[kaikai-rip-1]q
[kaikai]ip route-static 0.0.0.0 0 GigabitEthernet 0/0/2
[kaikai]interface g0/0/2
[kaikai-GigabitEthernet0/0/2]ip address 100.1.1.1 24
[kaikai-GigabitEthernet0/0/2]q
AR4
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 100.1.1.2 24
(2) Define the address pool
AR3
[kaikai]nat address-group 1 100.1.1.3 100.1.1.120
[kaikai]acl 2000 //match the traffic
[kaikai-acl-basic-2000]rule permit source any //allow all traffic from the internal network through
[kaikai-acl-basic-2000]q
[kaikai]interface g0/0/2 //the boundary interface between the private and public networks
[kaikai-GigabitEthernet0/0/2]nat outbound 2000 address-group 1 no-pat
Example 2: logging in to the internal network from the external network
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR3]interface g0/0/2
[AR3-GigabitEthernet0/0/2]nat static global 100.1.1.121 inside 192.168.1.1 //static one-to-one
or: nat server protocol tcp global current-interface 23 inside 192.168.1.1 23
telnet 100.1.1.121
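Added example (not part of the original lab notes): a Python model of the NAT mappings in Examples 1 and 2. It shows that no-pat gives each inside host a whole public address from the 100.1.1.3 to 100.1.1.120 group, and compares which TCP ports reach 192.168.1.1 under nat static versus nat server; the inside host addresses used to fill the pool and the candidate port list are constructed.

```python
import ipaddress

class NoPatPool:
    """nat address-group 1 100.1.1.3 100.1.1.120 used with no-pat:
    each inside host holds one whole public address (no port sharing)."""
    def __init__(self, first="100.1.1.3", last="100.1.1.120"):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.map = {}

    def outbound(self, inside_ip):
        """Public source address for inside_ip, or None once the pool is exhausted."""
        if inside_ip not in self.map:
            if not self.free:
                return None
            self.map[inside_ip] = self.free.pop(0)
        return self.map[inside_ip]

def inbound_static(dst, proto, port):
    """nat static global 100.1.1.121 inside 192.168.1.1:
    every protocol and port sent to the global address is mapped."""
    return ("192.168.1.1", port) if dst == "100.1.1.121" else None

def inbound_server(dst, proto, port, interface_ip="100.1.1.1"):
    """nat server protocol tcp global current-interface 23 inside 192.168.1.1 23:
    only TCP/23 on the interface address (100.1.1.1 on AR3 g0/0/2) is mapped."""
    if (dst, proto, port) == (interface_ip, "tcp", 23):
        return ("192.168.1.1", 23)
    return None

def exposed_ports(translate, dst, candidates=(22, 23, 80, 443)):
    """Which of the candidate TCP ports reach the inside host under a mapping."""
    return [p for p in candidates if translate(dst, "tcp", p) is not None]

if __name__ == "__main__":
    pool = NoPatPool()
    print("pool size:", len(pool.free))
    print("first host maps to:", pool.outbound("192.168.1.2"))
    print("nat static exposes:", exposed_ports(inbound_static, "100.1.1.121"))
    print("nat server exposes:", exposed_ports(inbound_server, "100.1.1.1"))
```

The static one-to-one mapping makes every service on 192.168.1.1 reachable from outside, while the nat server form publishes only the Telnet port.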