Common commands
<Huawei>save  Save the configuration
<Huawei>reset ospf process  Reset the OSPF process
Warning: The OSPF process will be reset. Continue? [Y/N]:
<R2>ping -a 1.1.1.1 192.168.3.1  Ping with a specified source address (1.1.1.1) and destination (192.168.3.1)
[Huawei]display current-configuration  View the entire current configuration of the device
Switch
1. Create a VLAN
[SW1]vlan ?
INTEGER<1-4094>  VLAN ID
batch  Batch process (e.g. vlan batch 6 to 100 creates VLANs 6 to 100)
[SW1]undo vlan batch 6 to 100  Delete VLANs 6 to 100 in batch
View VLANs: [SW1]display vlan
2. Interface link type
[SW1-GigabitEthernet0/0/1]port link-type access  Access link: traffic leaves the interface without a VLAN tag
The interface between a switch and a PC is configured as Access
[SW1-GigabitEthernet0/0/2]port link-type ?
access  Access port; does not carry tagged traffic
dot1q-tunnel  QinQ port
hybrid  Hybrid port
trunk  Trunk port; traffic leaving this interface carries VLAN tags
3. Assign an interface to a VLAN
[SW1-GigabitEthernet0/0/1]port default vlan 2
4. Communication across network segments
On the link between switches (the shared link between switch 1 and switch 2, or the single link between a switch and a router), configure the port to let the VLANs pass through:
[SW1-GigabitEthernet0/0/5]port link-type trunk
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 2 3
Communication across network segments requires routing.
The link between the switch and the router is configured as Trunk if it carries traffic of multiple VLANs.
[r1]interface GigabitEthernet 0/0/0.1
Because a physical interface cannot serve multiple broadcast domains at the same time, a virtual sub-interface is created for each VLAN.
[Huawei-GigabitEthernet0/0/0.1]dot1q termination vid 2  Make this sub-interface of the router serve VLAN 2
[r1-GigabitEthernet0/0/0.1]arp broadcast enable  Enable ARP broadcast on the sub-interface
Router
Router gateway configuration
Configure an IP address on every node that needs one. Tab auto-completes a command; ? is equivalent to help and lists the commands that can be entered next.
<Huawei>system-view  Enter the system (global) view
[Huawei]interface GigabitEthernet0/0/0  Enter port 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.1 24  Configure an IP address for the port (24 = 255.255.255.0)
[Huawei-GigabitEthernet0/0/0]quit  (q) Return to the previous level
[Huawei]int g0/0/1  Enter port 0/0/1 (abbreviated form)
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.1 24  Configure an IP address for the port
[Huawei-GigabitEthernet0/0/1]display ip interface brief  View interface configuration information
[Huawei]display this  View the commands configured in the current view
[Huawei-GigabitEthernet0/0/0]undo <command>  Prefix the original command with undo to delete that configuration
[Huawei-GigabitEthernet0/0/0]undo ip address  Delete the IP address
[Huawei]sysname  Change the device name
DHCP server
[R1]dhcp enable  Start the DHCP service
[R1]ip pool aaa  Create a DHCP pool named aaa
One device can create multiple pools, but one pool can only serve one broadcast domain
[R1-ip-pool-aaa]network 192.168.1.0 mask 24  Assignable address range (bound to the interface in this segment)
[R1-ip-pool-aaa]gateway-list 192.168.1.1  Gateway to deliver
[R1-ip-pool-aaa]dns-list 8.8.8.8 114.114.114.114  DNS server information to deliver
Remember: the DHCP service must also be enabled on each interface of the router that serves DHCP
[R1-GigabitEthernet0/0/0]dhcp select global  The interface activates the global pool configuration
[R1-GigabitEthernet0/0/0]quit  Leave interface 0/0/0
[R1]ip pool bbb  Create a DHCP pool named bbb
[R1-ip-pool-bbb]network 192.168.2.0 mask 24  Assignable address range
[R1-ip-pool-bbb]gateway-list 192.168.2.1  Gateway to deliver
[R1-ip-pool-bbb]dns-list 8.8.8.8 114.114.114.114  DNS server information to deliver
[R1-GigabitEthernet0/0/1]dhcp select global  The interface activates the global pool configuration
Telnet: remote login protocol
To configure the second router as a Telnet client, the commands are as follows:
[Huawei]sysname R2  Change the name to R2
[R2]aaa  Enter the AAA view, where Huawei devices store accounts and passwords
[R2-aaa]local-user huawei password cipher 123456  Create a login account and password; Huawei stores it as cipher text by default
[R2-aaa]local-user huawei service-type telnet  Allow this account to be used for Telnet (remote login)
[R2-aaa]local-user huawei privilege level 15  Set the login privilege level; the larger the value, the higher the privilege
[R2]user-interface vty 0 4  Create the login interfaces; these are virtual terminal lines, not physical interfaces
[R2-ui-vty0-4]authentication-mode aaa  Authenticate with the accounts and passwords in the AAA view
Finally, use R2 to log in to R1 remotely and ping any device in its broadcast domain:
<R2>telnet 192.168.3.1  Connect to R1's interface 192.168.3.1
Username:huawei  Enter the username: huawei
Password: 123456  Enter the password: 123456 (the password is not displayed)
<R1>ping 192.168.1.2  Ping a device in a broadcast domain connected to the router to verify
Static routing configuration
Configuration
[R1]ip route-static 192.168.3.0 24 192.168.2.2
                    destination network/mask  next hop
                    (Destination/Mask)        (NextHop)
[R1]display ip routing-table protocol static  View the static routes in the routing table
1. Loopback interface:
[R1]interface LoopBack ?
<0-1023>  LoopBack interface number
Configure the interface: [R1]interface LoopBack 0  (interface number range 0~1023)
2. Manual summary:
When the router reaches multiple consecutive subnets through the same next hop, these routes can be aggregated into one summary route.
[R2]ip route-static 192.168.0.0 22 12.0.0.1
4. Default route
When a default route meets a black hole (a subnet covered by the summary that does not actually exist), a routing loop forms.
[R1]ip route-static 0.0.0.0 0 12.0.0.2
Because the mask length is 0 there are no network bits, so 0.0.0.0 matches every IP address, which is equivalent to a route to the Internet.
5. Null interface
Black-hole route
[R1]ip route-static 192.168.0.0 22 NULL 0
Method: on the router that does the summarization, configure a route for the summary network segment pointing to the null interface. This relies on the longest-mask matching principle, the highest-priority rule in the routing table: if multiple routes match, only the one with the longest subnet mask is used.
<R2>ping -a 1.1.1.1 192.168.3.1  Ping with a specified source (1.1.1.1) and destination (192.168.3.1)
6. Floating static routes
pre: preference
ip route-static 0.0.0.0 0 192.168.1.22 preference 61  Change the route preference (value range 0~255)
The smaller the preference value, the higher the priority, so the route with preference 61 acts as the backup
undo shutdown  Bring the interface up
shutdown  Shut down the interface
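To see how the summary, default, black-hole and floating routes above interact, here is an added Python model (not from these notes or from Huawei): a single assumed router holds all four routes, lookups use longest mask first and then the lower preference value (Huawei static routes default to 60), and 192.168.1.0/24 via 192.168.2.2 is an assumed real subnet inside the summary.

```python
import ipaddress

class RouteTable:
    """Toy model of the static routes in the notes:
    'ip route-static <dest> <len> <next hop | NULL 0> [preference N]'.
    Assumed lookup rule: longest prefix wins first; among equal prefixes the
    route with the smaller preference wins (Huawei static routes default to 60)."""

    def __init__(self):
        self.routes = []  # (network, next_hop, preference)

    def add_static(self, dest, prefix_len, next_hop, preference=60):
        net = ipaddress.ip_network(f"{dest}/{prefix_len}", strict=False)
        self.routes.append((net, next_hop, preference))

    def withdraw(self, next_hop):
        """Drop every route via a next hop, e.g. when that link goes down."""
        self.routes = [r for r in self.routes if r[1] != next_hop]

    def lookup(self, dst):
        """Return the next hop for dst, or None when nothing matches."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, pref in self.routes:
            if ip in net:
                rank = (net.prefixlen, -pref)  # longer prefix, then lower preference
                if best is None or rank > best[0]:
                    best = (rank, next_hop)
        return best[1] if best else None

def build_r1():
    """Assumed router combining the routes from sections 2, 4, 5 and 6."""
    rt = RouteTable()
    rt.add_static("0.0.0.0", 0, "12.0.0.2")                     # default route
    rt.add_static("192.168.0.0", 22, "NULL 0")                  # black-hole route for the summary
    rt.add_static("192.168.1.0", 24, "192.168.2.2")             # assumed real subnet inside the summary
    rt.add_static("0.0.0.0", 0, "192.168.1.22", preference=61)  # floating (backup) default
    return rt

def example():
    rt = build_r1()
    real = rt.lookup("192.168.1.5")   # longest mask: the /24 beats the /22 and the /0
    hole = rt.lookup("192.168.3.7")   # unused part of the summary goes to NULL 0, not back out the default
    inet = rt.lookup("8.8.8.8")       # only the default route matches
    rt.withdraw("12.0.0.2")           # primary link fails
    backup = rt.lookup("8.8.8.8")     # the preference-61 floating route takes over
    return real, hole, inet, backup

if __name__ == "__main__":
    print(example())
```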
Dynamic routing
OSPF
1. Start the OSPF process and configure the RID
[r1]ospf ?
INTEGER<1-65535>  ProcessID  Configure the process ID
[r1]ospf 1 router-id 1.1.1.1  Specify the router ID manually
2. Create an area
[r1-ospf-1]area 0
3. Advertise networks
[r1-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255  Range advertisement (equivalent to advertising a network segment)
0.0.0.255 is the wildcard (inverse) mask: 0 means the bit must match, 1 means the bit may vary.
It is 32 bits made of consecutive 0s followed by consecutive 1s; the 0 part corresponds to the network bits, which are fixed.
[r1-ospf-1-area-0.0.0.0]network 12.0.0.1 0.0.0.0  Exact advertisement, equivalent to advertising a single IP
Extension:
[r2]display ospf peer  View the neighbor table
[r2]display ospf peer brief  View the brief neighbor list
[r3-ospf-1-area-0.0.0.1]display ospf lsdb  View the link-state database (LSA directory)
[r3-ospf-1-area-0.0.0.1]display ospf lsdb router 2.2.2.2  View the LSA information of a particular router
[r3-ospf-1]display ip routing-table protocol ospf  View the routes learned through OSPF
[r3-ospf-1]bandwidth-reference 10000  Modify the reference bandwidth used for cost calculation
Priority change
DR priority: default 1; the router with the higher priority value becomes DR
[r1-GigabitEthernet0/0/0]ospf dr-priority ?
INTEGER<0-255>  Router priority value
Interfere in the DR and BDR election; 0 means not to participate in the election:
[r1-GigabitEthernet0/0/0]ospf dr-priority 0
Interface authentication:
[R4-GigabitEthernet0/0/0]ospf authentication-mode md5 1 plain 123456
1: authentication key ID (the number of the lock; a device can have multiple locks at the same time to increase security)
Area authentication: in essence still interface authentication
[Huawei-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain 123456
2. Manual summary
Area summary: configure on the ABR
[r4-ospf-1]area 0  Enter the corresponding area (summarize in the area where the routes are advertised)
[r4-ospf-1-area-0.0.0.0]abr-summary 172.16.0.0 255.254.0.0  Summary (the mask can only be written in dotted decimal)
3. Silent interface:
[r5-ospf-1]silent-interface GigabitEthernet 0/0/1  Stop sending OSPF packets on the given interface; configured in the OSPF process view
4. Speed up convergence
[r4-GigabitEthernet0/0/1]ospf timer hello 5  Only the hello time needs to be changed on the interface
By default the dead time is adjusted automatically to 4 times the hello time (or set it explicitly: [R4-GigabitEthernet0/0/0]ospf timer dead 20)
Conclusion: all interfaces on the link (both ends) need to be modified
5. Default route
[r5-ospf-1]default-route-advertise  Configured in the OSPF process view
The router must have a default route itself before it can advertise one to other devices: [r5]ip route-static 0.0.0.0 0 NULL 0
[r5-ospf-1]default-route-advertise always  Force the default route to be advertised
RIP
RIP basic configuration:
[r1]rip ?
INTEGER<1-65535>  Process ID  Different process numbers are equivalent to different protocol instances
[r1]rip 1  Start the RIP process
[r1-rip-1]version 2  Select the version
[r1-rip-1]network 1.0.0.0  Advertisement (only the directly connected network segments need to be advertised)
RIP extension:
1. RIPv2 authentication
[r1-GigabitEthernet0/0/0]rip authentication-mode simple cipher 123456  Interface authentication; the password is sent in plain text
[r2-GigabitEthernet0/0/0]rip authentication-mode md5 usual cipher 123456  MD5 authentication; the password is forwarded in cipher text
simple: the password in the RIP packets is sent in plain text. The authentication algorithm (simple or MD5) must be the same on both ends.
cipher: how the password is stored locally (cipher text, as opposed to plain; anyone with access to the local configuration can see which). This only affects the local device and need not be consistent between the two ends.
2. Manual summary of RIP
[r1-GigabitEthernet0/0/0]rip summary-address 192.168.0.0 255.255.252.0
Configured on the interface from which the RIP packets are sent out; the mask can only be written in dotted decimal, not as a prefix length
3. Silent interface
This interface will only receive RIP packets, but will not send them
[r1-rip-1]silent-interface GigabitEthernet 0/0/1  Configured in the RIP process view
4. Accelerated convergence of RIP
Change the RIP timers
[r1-rip-1]timers rip 10 60 40
10 = update interval (send cycle), 60 = age time (life time), 40 = garbage-collect time (delete cycle)
5. RIP default route
[r2-rip-1]default-route originate
NAT - Network Address Translation
Static NAT
On the outbound interface of the border router, manually establish and maintain a static NAT mapping table (the correspondence between public network IP addresses and private network IP addresses, one-to-one).
[r2-GigabitEthernet0/0/2]nat static global 23.0.0.1 inside 192.168.1.2
Error: The address conflicts with interface or ARP IP.
global = public network address, inside = private network address
[r2-GigabitEthernet0/0/2]nat static global 23.0.0.3 inside 192.168.1.2
23.0.0.3 is a floating (legal) public address: it must lie within the public network segment and must not be an address already used by the device
[r2]display nat static  View the static NAT configuration
Dynamic NAT
Dynamic NAT: many-to-many NAT
1. Create a public network address group; these public addresses must be consecutive.
[r2]nat address-group 0 23.0.0.3 23.0.0.5
Start address ~ end address (the public network addresses must be consecutive)
2. Capture the traffic (the traffic of interest)
[r2]acl 2000
[r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
Permit the network segment of interest
3. Call NAT on the interface
[r2-GigabitEthernet0/0/2]nat outbound 2000 address-group 0 no-pat  no-pat: do not translate ports (addresses are mapped one-to-one)
<r2>display nat address-group  See which addresses can be used
NAPT (easy IP)
Packets are also translated by port number
1. Capture traffic
[r2]acl 2000
[r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255  (already configured)
[r2-acl-basic-2000]rule permit source 192.168.3.0 0.0.0.255
[r2]display acl 2000
Basic ACL 2000, 2 rules
Acl's step is 5
rule 5 permit source 192.168.1.0 0.0.0.255
rule 10 permit source 192.168.3.0 0.0.0.255
2. Configure NAT on the interface
[r2-GigabitEthernet0/0/2]nat outbound 2000
Many-to-many NAPT
Dynamic NAT with port translation: many-to-many NAPT
1. Create a public network address group; these public addresses must be consecutive.
[r2]nat address-group 0 23.0.0.3 23.0.0.5
2. Capture traffic
[r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
3. Call NAT on the interface
[r2-GigabitEthernet0/0/2]nat outbound 2000 address-group 0
Port mapping (advanced usage)
[r2-GigabitEthernet0/0/2]nat server protocol tcp global 23.0.0.1 80 inside 192.168.1.100 80
Error: The address conflicts with interface or ARP IP.
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 80 inside 192.168.1.100 80
current-interface: use this interface's own IP address as the global address
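The difference between dynamic NAT with no-pat and many-to-many NAPT above is easiest to see on a table. This added Python model (not from the notes or from Huawei VRP) takes the address group 23.0.0.3 to 23.0.0.5 and ACL 2000 from the notes; the starting global port 10240 and the choice of the first pool address for NAPT are assumptions.

```python
import ipaddress
import itertools

POOL = ["23.0.0.3", "23.0.0.4", "23.0.0.5"]          # nat address-group 0 23.0.0.3 23.0.0.5
INTERESTING = ipaddress.ip_network("192.168.1.0/24")  # acl 2000: rule permit source 192.168.1.0 0.0.0.255

class NatOutbound:
    """Assumed model of 'nat outbound 2000 address-group 0 [no-pat]' on the
    outgoing interface; not the real VRP implementation."""

    def __init__(self, pool, no_pat=False, first_port=10240):
        self.pool = list(pool)
        self.no_pat = no_pat
        self.table = {}                           # (src ip, src port) -> (global ip, global port)
        self.held = {}                            # no-pat: private ip -> the public ip it owns
        self.ports = itertools.count(first_port)  # NAPT: next free global port (assumed start)

    def translate(self, src_ip, src_port):
        """Return the (global ip, global port) a flow leaves with, the unchanged
        pair when ACL 2000 does not match, or None when the pool is exhausted."""
        if ipaddress.ip_address(src_ip) not in INTERESTING:
            return (src_ip, src_port)             # not traffic of interest: forwarded untranslated
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]                # an existing session keeps its mapping
        if self.no_pat:
            # One private host takes one whole public address; the port stays unchanged.
            if src_ip not in self.held:
                free = [ip for ip in self.pool if ip not in self.held.values()]
                if not free:
                    return None                   # three addresses serve at most three hosts
                self.held[src_ip] = free[0]
            self.table[key] = (self.held[src_ip], src_port)
        else:
            # NAPT: many hosts share one public address and are told apart by port.
            self.table[key] = (self.pool[0], next(self.ports))
        return self.table[key]

def example():
    hosts = ["192.168.1.2", "192.168.1.3", "192.168.1.4", "192.168.1.5"]
    no_pat = NatOutbound(POOL, no_pat=True)
    napt = NatOutbound(POOL)
    # no-pat: the fourth host gets None (pool exhausted); NAPT serves all four.
    return ([no_pat.translate(h, 40000) for h in hosts],
            [napt.translate(h, 40000) for h in hosts])

if __name__ == "__main__":
    print(example())
```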
ACL - Access Control List
Classification of ACLs:
[r1]acl ?
INTEGER<2000-2999>  Basic access-list(add to current using rules)
INTEGER<3000-3999>  Advanced access-list(add to current using rules)
INTEGER<4000-4999>  Specify a L2 acl group
Basic ACL (2000-2999): only looks at the source IP address in the packet.
Advanced ACL (3000-3999): in addition to the source IP address, it also looks at the destination IP, port number, etc. in the packet.
User-defined ACL:
Configuration
ACL call: on the interface of the router; the call must distinguish the direction of the traffic (inbound or outbound)
Configure a basic ACL:
Example 1:
1. Create the ACL
[r1]acl 2000
2. Write rules into the ACL
[r1-acl-basic-2000]rule deny source 192.168.1.3 0.0.0.0  Equivalent to denying the single IP address 192.168.1.3
0.0.0.0 is the wildcard mask (32-bit binary): 0 means the bit must match, 1 means the bit may vary
Example: 192.168.1.3 0.255.0.255 matches 192.X.1.X
[r1-acl-basic-2000]rule ?
INTEGER<0-4294967294>  ID of ACL rule
deny  Specify matched packet deny
permit  Specify matched packet permit
3. Call the rules on the interface:
[r1-GigabitEthernet0/0/0]traffic-filter ?  Pay attention to the direction of the traffic: inbound = flowing in, outbound = flowing out
inbound  Apply ACL to the inbound direction of the interface
outbound  Apply ACL to the outbound direction of the interface
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000  Call the ACL on the interface
[r1-GigabitEthernet0/0/0]display acl 2000  View the ACL
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 deny source 192.168.1.3 0
Example 2:
Note: a basic ACL should be applied as close to the destination as possible, to avoid accidentally blocking traffic that should be allowed
1. Create the ACL
[r2]acl 2000
2. Write rules into the ACL
[r2-acl-basic-2000]rule deny source 192.168.1.3 0.0.0.0
3. Call on the interface; pay attention to where it is called
[r2-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
<r1>display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 deny source 192.168.1.3 0
5 is the step value (the default step of an ACL is 5); it leaves room to insert rules between existing rules
Matching principle of the ACL: top-down (rule number from small to large), matched one by one; once a packet matches a rule, the remaining rules are not checked
Delete a rule: [r2-acl-basic-2000]undo rule 10
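The wildcard-mask semantics (shared with the OSPF network statements earlier) and the step-of-5, top-down, first-match behaviour described above can be checked with this added Python model; it is not from the notes or from Huawei, and it assumes that traffic matching no rule is permitted, which is how traffic-filter behaves by default.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    E.g. 192.168.1.3 0.255.0.255 matches any 192.X.1.X address."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # bits that must be equal
    return (_to_int(addr) & care) == (_to_int(base) & care)

class BasicAcl:
    """Basic ACL (2000-2999): rules look only at the source address."""

    def __init__(self, number, step=5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000-2999")
        self.number = number
        self.step = step
        self.rules = {}  # rule id -> (action, base, wildcard)

    def rule(self, action, source, wildcard="0.0.0.0", rule_id=None):
        """Add a rule. Without an explicit id the device assigns the next
        multiple of the step above the highest existing id (5, 10, 15, ...)."""
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules[rule_id] = (action, source, wildcard)
        return rule_id

    def lookup(self, src):
        """Top-down, first match wins; returns (action, rule id).
        Assumption: unmatched traffic is permitted, as traffic-filter does."""
        for rid in sorted(self.rules):
            action, base, wc = self.rules[rid]
            if wildcard_match(src, base, wc):
                return action, rid
        return "permit", None

def example():
    """Rebuild ACL 2000 from the notes and show why the step of 5 matters."""
    acl = BasicAcl(2000)
    acl.rule("deny", "192.168.1.3")                 # becomes rule 5
    acl.rule("permit", "192.168.1.0", "0.0.0.255")  # becomes rule 10
    before = acl.lookup("192.168.1.3")              # ("deny", 5)
    # A rule id below 5 is inserted ahead of the deny without renumbering.
    acl.rule("permit", "192.168.1.3", rule_id=3)
    after = acl.lookup("192.168.1.3")               # ("permit", 3)
    return before, after

if __name__ == "__main__":
    print(example())
```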
Configure an advanced ACL:
Example 1:
An advanced ACL should be applied as close to the source as possible, to avoid wasting resources (and because an advanced ACL matches both source and destination, it does not accidentally block other traffic)
[R1-acl-adv-3000]rule deny tcp source 192.168.1.3 0 destination 192.168.3.2 0.0.0.0
Denies source 192.168.1.3 access to all TCP services on 192.168.3.2; ping does not use TCP at the transport layer, so this rule does not block ping
destination = target, source = source
Configuration:
1. Create the ACL
[R1]acl 3000
2. Write the rules
[R1-acl-adv-3000]rule 10 deny icmp source 192.168.1.3 0 destination 192.168.3.2 0
Denies traffic from source 192.168.1.3 pinging destination 192.168.3.2; more precise, because ping uses the ICMP protocol
3. Call the rules on the interface
[r1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 traffic-filter inbound acl 3000
Note that only one ACL can be called in each direction of an interface
[r2-GigabitEthernet0/0/1]undo traffic-filter outbound  Delete the call on the interface
Example 2:
Configuration
1. Create the ACL
[R2]acl 3001
2. Write the rules
[R2-acl-adv-3001]rule 5 deny tcp source 192.168.2.1 0 destination 192.168.2.2 0 destination-port eq 23  (port 23 represents the Telnet service)
Rejects traffic whose source is 192.168.2.1, destination is 192.168.2.2 and service is Telnet
Telnet uses the TCP protocol (traffic with destination port number 23)
3. Call the rules on the interface
[r2-GigabitEthernet0/0/0]traffic-filter inbound acl 3001