關於H3C的路由器、交換機基礎理論知識,可以參看博文:H3C產品簡介及基礎配置命令
1.案例拓補
該拓撲圖中的校園網內部分爲兩個網段:一個爲學生校舍網段(192.168.2.0),主要訪問電信提供的internet服務器;另外一個網段爲校園辦公和教學用網段(192.168.3.0),主要訪問教育網。校園網出口路由器連接了電信提供的internet20m光纖,同時也連接了教育網的20m光纖(由於H3C的模擬器無法模擬出PC和server,所以只好使用路由器來代替了)。
本次案例使用的模擬器是H3C Cloud Lab,網盤鏈接:鏈接:https://pan.baidu.com/s/1MK-nw5MpkroXvhf-kFgG3w
提取碼:xfup
2.案例需求
(1)路由器配置要求:當其中任意一條外部光纖中斷時,另一條光纖可備份其下屬的網段訪問internet服務或教育網資源。
(2)Nat配置要求:出口路由器的兩個出口都能同時使用校園內網的私有網段做nat後訪問外部資源。教育網出口接口處還配置了nat server,使內部的教學網段的某個ip服務器對教育網提供telnet訪問服務。
(3)策略路由配置要求:校園網內的教學用網段192.168.3.0/24主要通過教育網訪問外部資源,而校舍網段192.168.2.0/24主要通過電信出口訪問Internet資源。當教育專網的光纖故障時,校舍網段可以通過電信出口訪問相關教育網資源,當電信的光纖線路故障時,校舍網段可以通過專網出口訪問相關資源。
3.案例實施
(1)基本配置
PC1的配置:
Automatic configuration is running, press CTRL_D to break.
//每個設備開機時,都需使用組合鍵Ctrl+D纔可進行配置
[PC1]int g0/0
[PC1-GigabitEthernet0/0]ip add 192.168.2.100 255.255.255.0
[PC1-GigabitEthernet0/0]undo shutdown
[PC1-GigabitEthernet0/0]quit
[PC1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
//配置默認路由(網關)PC2的配置:
[PC2]int g0/0
[PC2-GigabitEthernet0/0]ip add 192.168.3.100 255.255.255.0
[PC2-GigabitEthernet0/0]undo shutdown
[PC2-GigabitEthernet0/0]quit
[PC2]ip route-static 0.0.0.0 0.0.0.0 192.168.3.1server的配置:
[server]int g0/0
[server-GigabitEthernet0/0]ip add 192.168.3.250 255.255.255.0
[server-GigabitEthernet0/0]undo shutdown
[server-GigabitEthernet0/0]quit
[server]ip route-static 0.0.0.0 0.0.0.0 192.168.3.1SW1的配置:
[sw1]vlan 2
[sw1-vlan2]vlan 3 //創建vlan2、vlan3
[sw1-vlan3]quit
[sw1]int vlan 1
[sw1-Vlan-interface1]ip add 192.168.1.2 255.255.255.0
[sw1-Vlan-interface1]undo shutdown
[sw1-Vlan-interface1]int vlan 2
[sw1-Vlan-interface2]ip add 192.168.2.1 255.255.255.0
[sw1-Vlan-interface2]undo shutdown
[sw1-Vlan-interface2]int vlan 3
[sw1-Vlan-interface3]ip add 192.168.3.1 255.255.255.0
[sw1-Vlan-interface3]undo shutdown
[sw1-Vlan-interface3]int g1/0/6
[sw1-GigabitEthernet1/0/6]port access vlan 2
[sw1-GigabitEthernet1/0/6]int g1/0/7
[sw1-GigabitEthernet1/0/7]port access vlan 3
[sw1-GigabitEthernet1/0/7]int g1/0/8
[sw1-GigabitEthernet1/0/8]port access vlan 3
//將接口加入指定vlan中R1的配置:
[R1]int g0/0
[R1-GigabitEthernet0/0]ip add 202.202.202.2 255.255.255.252
[R1-GigabitEthernet0/0]undo shutdown
[R1-GigabitEthernet0/0]int g0/1
[R1-GigabitEthernet0/1]ip add 200.200.200.2 29 //子網掩碼也支持數值
[R1-GigabitEthernet0/1]undo shutdown
[R1-GigabitEthernet0/1]int g0/2
[R1-GigabitEthernet0/2]port link-mode bridge //將接口改爲bridge類型
//所有接口默認屬於vlan1,所以相當於G0/2的接口IP已經是vlan 1的IP地址了
[R1-GigabitEthernet0/2]int vlan 1
[R1-Vlan-interface1]ip add 192.168.1.1 24
[R1-Vlan-interface1]undo shutdownR2的配置:
[R2]int g0/0
[R2-GigabitEthernet0/0]ip add 202.202.202.1 30
[R2-GigabitEthernet0/0]undo shutdown
[R2-GigabitEthernet0/0]int g0/1
[R2-GigabitEthernet0/1]ip add 222.222.222.1 30
[R2-GigabitEthernet0/1]undo shutdown
[R2-GigabitEthernet0/1]int loop 0
[R2-LoopBack0]ip add 202.202.0.1 32R3的配置:
[R3]int g0/0
[R3-GigabitEthernet0/0]ip add 222.222.222.2 30
[R3-GigabitEthernet0/0]undo shutdown
[R3-GigabitEthernet0/0]int g0/1
[R3-GigabitEthernet0/1]ip add 200.200.200.1 29
[R3-GigabitEthernet0/1]undo shutdown
[R3-GigabitEthernet0/1]int g0/2
[R3-GigabitEthernet0/2]ip add 202.1.1.1 24
[R3-GigabitEthernet0/2]undo shutdownPC3的配置:
[pc3]int g0/0
[pc3-GigabitEthernet0/0]ip add 202.1.1.2 24
[pc3-GigabitEthernet0/0]undo shutdown
[pc3-GigabitEthernet0/0]quit
[pc3]ip route-static 0.0.0.0 0.0.0.0 202.1.1.1(2)路由配置
sw1配置默認路由:
[sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
//配置一條默認路由指向R1R1配置靜態路由和ospf:
[R1]ip route-static 192.168.3.0 255.255.255.0 192.168.1.2
[R1]ip route-static 192.168.2.0 255.255.255.0 192.168.1.2
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 0.0.0.0 255.255.255.255R2配置ospf:
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 0.0.0.0 255.255.255.255R3配置ospf:
[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]net 0.0.0.0 255.255.255.255(3)配置NAT
R1的配置NAT:
[R1]acl basic 2001 //創建ACL,編號爲2001
[R1-acl-ipv4-basic-2001]rule 0 permit source 192.168.2.0 0.0.0.255
[R1-acl-ipv4-basic-2001]rule 5 permit source 192.168.3.0 0.0.0.255
[R1-acl-ipv4-basic-2001]rule 10 deny
[R1-acl-ipv4-basic-2001]int g0/0
[R1-GigabitEthernet0/0]port link-mode route
[R1-GigabitEthernet0/0]description link_to_tel
[R1-GigabitEthernet0/0]nat outbound 2001
[R1-GigabitEthernet0/0]int g0/1
[R1-GigabitEthernet0/1]port link-mode route
[R1-GigabitEthernet0/1]description link_to_end
[R1-GigabitEthernet0/1]nat outbound 2001
//將ACL應用到兩個出接口上,匹配到ACL2001的,都進行nat轉換驗證PC1是否能夠ping通R2路由器上的loopback接口地址:
驗證PC1是否能夠ping通PC3:
在R1路由器查看NAT轉換表:
[R1]display nat session verbose
Slot 0:
Initiator:
Source IP/port: 192.168.2.100/44032 //源地址是192.168.2.100
Destination IP/port: 202.202.0.1/2048 //目標地址是202.202.0.1
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface1
Responder:
Source IP/port: 202.202.0.1/3 //202.202.0.1的返回流量
Destination IP/port: 202.202.202.2/0 //200.200.200.2接口進入內網
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
State: ICMP_REPLY
Application: OTHER
Start time: 2019-10-29 07:48:16 TTL: 28s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
Source IP/port: 192.168.2.100/43776 //源地址是192.168.2.100
Destination IP/port: 202.1.1.2/2048 //目標地址是200.1.1.2
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface1
Responder:
Source IP/port: 202.1.1.2/3 //202.1.1.2的返回流量
Destination IP/port: 200.200.200.2/0 //200.200.200.2接口進入內網
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2019-10-29 07:47:47 TTL: 0s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 2(4)配置策略路由
R1配置策略路由:
[R1]acl advanced 3001 //定義擴展ACL,編號爲3001
[R1-acl-ipv4-adv-3001]rule 0 permit ip source 192.168.3.0 0.0.0.255
[R1-acl-ipv4-adv-3001]quit
[R1]policy-based-route al permit node 10 //配置策略路由
[R1-pbr-al-10]if-match acl 3001 //如果匹配acl 3001
[R1-pbr-al-10]apply next-hop 200.200.200.1 //下一跳指向200.200.200.1
[R1-pbr-al-10]quit
[R1]policy-based-route al permit node 20 //空節點,放行其他流量
[R1-pbr-al-20]quit
[R1]int Vlan-interface 1
[R1-Vlan-interface1]ip policy-based-route al
//在此接口下應用路由策略,因爲需要做策略路由的數據包都是從這個接口下轉發過來的測試pc1pingpc3,並查看nat轉換表
[R1]display nat session verbose
Slot 0:
Initiator:
Source IP/port: 192.168.2.100/45824
Destination IP/port: 202.1.1.2/2048
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface1
Responder:
Source IP/port: 202.1.1.2/4
Destination IP/port: 200.200.200.2/0 //注意看這裏
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2019-10-29 08:01:58 TTL: 27s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1測試pc2pingpc3,並查看nat轉換表
[R1]display nat session verbose
Slot 0:
Initiator:
Source IP/port: 192.168.3.100/43008
Destination IP/port: 202.1.1.2/2048
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface1
Responder:
Source IP/port: 202.1.1.2/6
Destination IP/port: 200.200.200.2/0
DS-Lite tunnel peer: -
instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2019-10-29 08:04:55 TTL: 27s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1可以看到策略路由已經生效了,並且現在關閉R1路由器的G0/0和G0/1中的任何一個接口,都不會影響內網與外網的通信,可自行測試。
(5)配置NAT server映射
R1配置NAT server:
[R1]int g0/1
[R1-GigabitEthernet0/1]nat server protocol tcp global 200.200.200.2 23 inside 192.168.3.250 23
//配置NAT映射,將內部的服務器192.168.3.250的23端口映射到全局地址200.200.200.2的23端口上server開啓Telnet:
[server]telnet server enable //默認就是開啓,可以省略
[server]local-user admin //創建本地用戶admin
New local user added.
[server-luser-manage-admin]password simple benet //配置明文密碼“benet”
[server-luser-manage-admin]service-type telnet //指定服務類型爲telnet
[server-luser-manage-admin]authorization-attribute user-role level-3
//指定命令級別爲3
[server-luser-manage-admin]quit
[server]user-interface vty 0 4 //進入vty線路
[server-line-vty0-4]authentication-mode scheme //配置用戶的認證方式
[server-line-vty0-4]protocol inbound telnet //支持telnet
[server-line-vty0-4]quitPC3開始測試telnet server:
<pc3>Telnet 200.200.200.2 //注意是在用戶視圖下
//測試使用server映射出的外部地址(也就是路由器的接口地址)
Trying 200.200.200.2 ...
Press CTRL+K to abort
Connected to 200.200.200.2 ...
******************************************************************************
* Copyright (c) 2004-2014 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
<server> //登錄成功———————— 本文至此結束,感謝閱讀 ————————