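1. PC1, PC2, PC3 and PC4 can all reach lo0 (8.8.8.8) on the internet router.
2. PC1 and PC4 reach the Internet through the Telecom ISP; PC2 and PC3 reach the Internet through the Unicom ISP.
1. The internet router simulates the public network, and 8.8.8.8 simulates a public IP address; the Telecom ISP and Unicom ISP routers simulate the Telecom and Unicom carriers; the egress router is the enterprise egress router. OSPF runs on the directly connected links between these four routers, providing dynamic routing and connectivity between them.
2. OSPF runs on the directly connected link between the egress router and the Layer 3 switch, so routing information is synchronized dynamically.
3. NAT is configured on the egress router's internal-network port to translate between internal and external IP addresses.
4. The internal network is divided into VLANs, each PC is added to its VLAN, and inter-VLAN routing is configured directly on the Layer 3 switch.
5. Policy-based routing is configured on the egress router to match packets from specific source addresses to destination addresses and forward them as specified.
Internet router configuration: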
[internet]int gi 0/0/0
[internet-GigabitEthernet0/0/0]ip addr 100.1.1.1 24
[internet-GigabitEthernet0/0/0]int gi 0/0/1
[internet-GigabitEthernet0/0/1]ip addr 200.1.1.1 24
[internet-GigabitEthernet0/0/1]int lo0
[internet-LoopBack0]ip addr 8.8.8.8 32
[internet-LoopBack0]router id 1.1.1.1
[internet]ospf
[internet-ospf-1]area 0
[internet-ospf-1-area-0.0.0.0]network 100.1.1.1 0.0.0.0
[internet-ospf-1-area-0.0.0.0]network 200.1.1.1 0.0.0.0
[internet-ospf-1-area-0.0.0.0]network 8.8.8.8 0.0.0.0
Telecom ISP router configuration:
[telecom]int gi0/0/0
[telecom-GigabitEthernet0/0/0]ip addr 100.1.1.2 24
[telecom-GigabitEthernet0/0/0]int gi 0/0/1
[telecom-GigabitEthernet0/0/1]ip addr 10.1.1.2 24
[telecom-GigabitEthernet0/0/1]router id 2.2.2.2
[telecom]ospf
[telecom-ospf-1]area 0
[telecom-ospf-1-area-0.0.0.0]network 100.1.1.2 0.0.0.0
[telecom-ospf-1-area-0.0.0.0]network 10.1.1.2 0.0.0.0
Unicom ISP router configuration:
[unicom]int gi 0/0/0
[unicom-GigabitEthernet0/0/0]ip addr 200.1.1.2 24
[unicom-GigabitEthernet0/0/0]int gi 0/0/1
[unicom-GigabitEthernet0/0/1]ip addr 20.1.1.2 24
[unicom-GigabitEthernet0/0/1]q
[unicom]router id 3.3.3.3
[unicom]ospf
[unicom-ospf-1]area 0
[unicom-ospf-1-area-0.0.0.0]network 200.1.1.2 0.0.0.0
[unicom-ospf-1-area-0.0.0.0]network 20.1.1.2 0.0.0.0
Egress router configuration:
[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.1.1.1 24
[Huawei-GigabitEthernet0/0/0]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 20.1.1.1 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]router id 4.4.4.4
[Huawei]ospf
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[Huawei-ospf-1-area-0.0.0.0]network 20.1.1.1 0.0.0.0
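The OSPF area 0 configuration provides communication between the four routers.
Dynamic routing with OSPF is also configured between the egress router and the Layer 3 switch. Because port gi0/0/1 on the Layer 3 switch cannot be given an IP address, the port is placed in vlan100 and the IP address is configured on vlanif100.
Egress router configuration: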
[Huawei-GigabitEthernet0/0/2]ip addr 1.1.1.1 24
[Huawei]ospf
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 1.1.1.0 0.0.0.255
[Huawei-GigabitEthernet0/0/2]ospf network-type p2p
Layer 3 switch configuration:
[Huawei]vlan 100
[Huawei-vlan100]int vlanif 100
[Huawei-Vlanif100]ip addr 1.1.1.1 24
[Huawei-Vlanif100]q
Be sure to associate vlanif100 with the port:
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]portswitch
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 100
[Huawei]ospf
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 1.1.1.0 0.0.0.255
[Huawei-ospf-1]silent-interface gi 0/0/2
[Huawei-ospf-1]silent-interface gi 0/0/3
Configure NAT on the egress router to dynamically map the LAN segments (192.168.1.0/24 and 192.168.2.0/24) to the external IP addresses 10.1.1.1 and 20.1.1.1:
[Huawei]acl 2001
[Huawei-acl-basic-2001]dis th
[Huawei-acl-basic-2001]rule permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2001]rule permit source 192.168.2.0 0.0.0.255
[Huawei-acl-basic-2001]q
[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]nat outbound 2001
[Huawei-GigabitEthernet0/0/0]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 2001
[Huawei]vlan batch 10 20
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
[Huawei-GigabitEthernet0/0/2]q
[Huawei]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20
[Huawei-GigabitEthernet0/0/3]q
[Huawei]int vlanif 10
[Huawei-Vlanif10]ip addr 192.168.1.254 24
[Huawei-Vlanif10]int vlanif 20
[Huawei-Vlanif20]ip addr 192.168.2.254 24
[L2swA]vlan batch 10 20
[L2swA]int gi 0/0/1
[L2swA-GigabitEthernet0/0/1]port link-type trunk
[L2swA-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[L2swA-GigabitEthernet0/0/1]q
[L2swA]int gi 0/0/2
[L2swA-GigabitEthernet0/0/2]port link-type access
[L2swA-GigabitEthernet0/0/2]port default vlan 10
[L2swA-GigabitEthernet0/0/2]int gi 0/0/3
[L2swA-GigabitEthernet0/0/3]port link-type access
[L2swA-GigabitEthernet0/0/3]port default vlan 10
[L2swB]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[L2swB]int gi 0/0/1
[L2swB-GigabitEthernet0/0/1]port link-type trunk
[L2swB-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[L2swB-GigabitEthernet0/0/1]int gi 0/0/2
[L2swB-GigabitEthernet0/0/2]port link-type access
[L2swB-GigabitEthernet0/0/2]port default vlan 20
[L2swB-GigabitEthernet0/0/2]int gi 0/0/3
[L2swB-GigabitEthernet0/0/3]port link-type access
[L2swB-GigabitEthernet0/0/3]port default vlan 20
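Configuration of PC1, PC2, PC3 and PC4; the figure below uses PC1 as an example.
By default, the telecom router and the unicom router form equal-cost routes, which means a LAN PC's ISP is chosen at random when it accesses the Internet.
To have PC1 and PC4 reach the Internet through ISP telecom, and PC2 and PC3 reach the Internet through ISP unicom, policy-based routing must also be configured:
1. Configure the ACLs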
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 192.168.1.1 0.0.0.0
[Huawei-acl-adv-3001]rule permit ip source 192.168.2.1 0.0.0.0
[Huawei-acl-adv-3001]acl 3002
[Huawei-acl-adv-3002]rule permit ip source 192.168.1.2 0.0.0.0
[Huawei-acl-adv-3002]rule permit ip source 192.168.2.2 0.0.0.0
[Huawei-acl-adv-3002]q
[Huawei]acl 3003
[Huawei-acl-adv-3003]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.254 0
[Huawei-acl-adv-3003]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.2.254 0
[Huawei-acl-adv-3003]q
2. Configure the traffic classifiers
[Huawei]traffic classifier c1
[Huawei-classifier-c1]if-match acl 3001
[Huawei-classifier-c1]traffic classifier c2
[Huawei-classifier-c2]if-match acl 3002
[Huawei-classifier-c2]traffic classifier c3
[Huawei-classifier-c3]if-match acl 3003
[Huawei-classifier-c3]q
3. Configure the traffic behaviors
[Huawei]traffic behavior b1
[Huawei-behavior-b1]redirect ip-nexthop 10.1.1.2
[Huawei-behavior-b1]traffic behavior b2
[Huawei-behavior-b2]redirect ip-nexthop 20.1.1.2
[Huawei-behavior-b2]traffic behavior b3
[Huawei-behavior-b3]permit
[Huawei-behavior-b3]q
4. Configure the traffic policy
[Huawei]traffic policy p1
[Huawei-trafficpolicy-p1]classifier c3 behavior b3
[Huawei-trafficpolicy-p1]classifier c1 behavior b1
[Huawei-trafficpolicy-p1]classifier c2 behavior b2
[Huawei-trafficpolicy-p1]q
5. Apply the traffic policy
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-policy p1 inbound
[Huawei-GigabitEthernet0/0/2]q
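The first-match logic of traffic policy p1 above, modelled in Python as an added example (not part of the original lab and not Huawei code). It shows which ISP next hop each source address gets and why c3 is bound before c1 and c2. Assumptions: classifiers are evaluated in the order they were bound to p1, unmatched packets follow the routing table, and the function names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Huawei ACL wildcard mask: 0 bits must match, 1 bits are ignored.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # rule gives no destination, so any matches

# Rules copied from the page: ((source, wildcard), (destination, wildcard)).
ACLS = {
    3001: [(("192.168.1.1", "0.0.0.0"), ANY), (("192.168.2.1", "0.0.0.0"), ANY)],
    3002: [(("192.168.1.2", "0.0.0.0"), ANY), (("192.168.2.2", "0.0.0.0"), ANY)],
    3003: [(("192.168.1.0", "0.0.0.255"), ("192.168.1.254", "0.0.0.0")),
           (("192.168.2.0", "0.0.0.255"), ("192.168.2.254", "0.0.0.0"))],
}

# Policy p1 in binding order: (classifier, ACL, behavior).
# "permit" (b3) means forward by the routing table; otherwise redirect to that next hop.
POLICY_P1 = [("c3", 3003, "permit"), ("c1", 3001, "10.1.1.2"), ("c2", 3002, "20.1.1.2")]

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d) for s, d in ACLS[acl])

def evaluate(src, dst, policy=POLICY_P1):
    """Return (matched classifier or None, next hop or 'routing-table')."""
    for name, acl, behavior in policy:
        if acl_permits(acl, src, dst):
            return (name, "routing-table" if behavior == "permit" else behavior)
    return (None, "routing-table")  # assumption: unmatched traffic is routed normally

if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for src, dst in [("192.168.1.1", "8.8.8.8"), ("192.168.2.2", "8.8.8.8"),
                     ("192.168.1.1", "192.168.1.254"), ("192.168.1.3", "8.8.8.8")]:
        print(src, "->", dst, evaluate(src, dst))
    # With c3 bound last, gateway-bound traffic from 192.168.1.1 would be redirected.
    print(evaluate("192.168.1.1", "192.168.1.254", POLICY_P1[1:] + POLICY_P1[:1]))
```

A source that no classifier matches, such as 192.168.1.3, is not pinned to either ISP and still takes the equal-cost routes.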