h3c路由器上网典型配置
三层交换机如下配置:
内网 5个VL VL 10 ,VL 20,VL 30,VL40,VL50
可以规划为:
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24
192.168.50.0/24
这5个网段。
S3600作为这5个网段的网关设备,配置5个VLAN接口:
int vlan 10到int vlan 50
ip add 192.168.10.1 24
ip add 192.168.20.1 24
ip add 192.168.30.1 24
ip add 192.168.40.1 24
ip add 192.168.50.1 24
再配置1个互连VLAN接口与MSR20-20连接:
int vlan 100
ip add 192.168.100.2/24
并且配置缺省路由:
ip route 0.0.0.0 0.0.0.0 192.168.100.1 (指向MSR20-20的互连IP地址)
对于10,30,50 可以上公网 但是不能相互访问的需求,可以在S3600上做ACL实现:
acl num 3000
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
acl num 3001
rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
进入VL10所属的端口:
int e1/0/10(比如说这个端口连接的是VL10网段)
packet-filter inbound ip-group 3000
进入VL30所属的端口:
int e1/0/10(比如说这个端口连接的是VL30网段)
packet-filter inbound ip-group 3001
这样就可以实现,VL10 VL30 VL50可以上网,但不可以互访了。
MSR20-20 配置:公网IP 60.2.3.2 255.255.255.252 再配置缺省路由指向公网的网关60.2.3.1 比如e0/0端口
int e0/0
ip add 60.2.3.2 255.255.255.252
route-stac 0.0.0.0 0.0.0.0 外网网关60.2.3.254
内网IP地址:192.168.100.1/24 这个内网口是与S3600互连的端口,比如说是e1/0端口:
int e0/1
ip add 192.168.100.1 24
配置回程路由:
ip route-static 192.168.10.0 255.255.0.0 192.168.100.2
ip route-static 192.168.30.0 255.255.0.0 192.168.100.2
ip route-static 192.168.50.0 255.255.0.0 192.168.100.2
因为只有这3个VL可以上网,要通过MSR20-20转发,所以只写这3个VL的回程路由即可。
配置NAT转换:
acl num 2000
rule permit source 192.168.10.0 0.0.0.255
rule permit source 192.168.30.0 0.0.0.255
rule permit source 192.168.50.0 0.0.0.255
rule deny source any
int e0/0(MSR20-20连接外网的端口)
nat out 2000
这样除了VL10 VL30 VL50能上网,其它VL是无法上网的
若需要做端口映射如下:
nat server protocol tcp global 60.2.3.2 6800 inside 192.168.10.35 6800
要求:
某企业,专线接入,有华为路由器一台,三层交换机一台,二层交换机若干;
1、要求划几个VLAN,为不同部门。
2、所有主机能够通过路由器上网。
设计思路:
1、路由器配置比较简单,主要做NAT转换和ACL控制哪些主机能上外网;
2、三层交换机,划分VLAN,实现内部VLAN间路由,可直接接终端或二层交换机
3、二层交换相接终端。。
设计时,关于防病毒ACL列表、VLAN间互联隔离技术等问题此处未讨论。感兴趣
的朋友,我们可以另起篇章进行讨论。
本设计以华为产品为例,思科产品配置原理相同,只是命令行不同而已。欢迎有志之士把它翻译成思科的配置。
基实也可以不要三层交换机,直接在路由器上做单臂也可以。。只是不适合复杂的网络和发展。。
配置:
一、路由器配置
version 5.20, Release 1205P02, Basic
#
给路由器命名
sysname HUAWE-ROUTE
#
domain default enable system
#
vlan 1
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
定义ACL列表,允许所有IP访问外网,这里你可以指定允许某些或禁止某些主机上网。
acl number 2000
rule 0 permit
#
interface Aux0
async mode flow
link-protocol ppp
#
接专线的接口,配置运营商分配的IP
interface Ethernet0/0
nat outbound 2000
duplex full
speed 100
ip address 218.22.3.126 255.255.255.252
#
接局域网三层交换机的地址
interface Ethernet0/1
DESC TO—SWitch
duplex full
speed 100
ip address 192.168.8.1 255.255.255.252
#
interface NULL0
#
至公网默认路由
ip route-static 0.0.0.0 0.0.0.0 218.22.3.125
至三层交换机回程路由
ip route-static 192.168.0.0 255.255.0.0 192.168.8.2
#
user-interface con 0
user-interface aux 0
未设置TELNET登陆密码,这样外网的人登陆不了,当然你也登陆不了。哈安全吧。(如果想TELNET,需要设置密码和ACL禁止外网的人登陆)
user-interface vty 0 4
#
Return
二、三层交换配置
#
给交换机命名
sysname hwswich
#
设备SUPER密码
super password level 3 cipher ;1>$VGEA)N2C+1!!
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
建立业务VLAN及与路由器互联口VLAN
vlan 5
desc to-router
#
vlan 10
desc bumen1
#
vlan 20
desc bumen2
#
分别给SVI接口设计IP地址,即所属VLAN PC终端的网关
#
interface Vlan-interface 5
DESC to-router
ip address 192.168.8.2 255.255.255.252
interface Vlan-interface 10
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface 20
ip address 192.168.2.1 255.255.255.0
#
与二层交换机互联接口
interface Ethernet0/1
duplex full
speed 100
port link-type trunk
port trunk permit vlan 10 20
#
接普通终端的接口
interface Ethernet0/2
port access vlan 10
#
interface Ethernet0/3
port access vlan 20
#
interface Ethernet0/4
shutdown
#
interface Ethernet0/5
#
interface Ethernet0/6
shutdown
#
interface Ethernet0/7
shutdown
#
interface Ethernet0/8
shutdown
#
interface Ethernet0/9
shutdown
#
interface Ethernet0/10
shutdown
#
interface Ethernet0/11
shutdown
#
interface Ethernet0/12
shutdown
#
interface Ethernet0/13
shutdown
#
interface Ethernet0/14
shutdown
#
interface Ethernet0/15
shutdown
#
interface Ethernet0/16
shutdown
#
interface Ethernet0/17
shutdown
#
interface Ethernet0/18
shutdown
#
interface Ethernet0/19
shutdown
#
interface Ethernet0/20
shutdown
#
interface Ethernet0/21
shutdown
#
interface Ethernet0/22
shutdown
#
interface Ethernet0/23
shutdown
#
与路由器互联接口
interface Ethernet0/24
desc to-router
duplex full
speed 100
port access vlan 5
#
SNMP网关配置,可以不要
snmp-agent
snmp-agent local-engineid 800007DB000FE23F864D6877
snmp-agent community read public
snmp-agent sys-info contact HuaWei_Hotline 4008302118or8008302118
snmp-agent sys-info location BeiJing China
snmp-agent sys-info version all
#
设置默认路由
ip route-static 0.0.0.0 0.0.0.0 192.168.8.1
user-interface aux 0
设置TELNET登陆密码
user-interface vty 0 4
authentication-mode password
set authentication password cipher CZP'5O+PV9=FQ!!
#
return
三、二层交换机配置
#
sysname L1-1
#
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
interface Aux0/0
#
vlan 1
#
vlan 10
#
vlan 20
#
#
interface Ethernet0/1
port access vlan 10
#
interface Ethernet0/2
port access vlan 10
#
interface Ethernet0/3
port access vlan 10
#
interface Ethernet0/4
port access vlan 10
#
interface Ethernet0/5
port access vlan 10
#
interface Ethernet0/6
port access vlan 10
#
interface Ethernet0/7
port access vlan 10
#
interface Ethernet0/8
port access vlan 10
#
interface Ethernet0/9
port access vlan 10
#
interface Ethernet0/10
port access vlan 10
#
interface Ethernet0/11
port access vlan 10
#
interface Ethernet0/12
port access vlan 20
#
interface Ethernet0/13
port access vlan 20
#
interface Ethernet0/14
port access vlan 20
#
interface Ethernet0/15
port access vlan 20
#
interface Ethernet0/16
port access vlan 20
#
interface Ethernet0/17
port access vlan 20
#
interface Ethernet0/18
port access vlan 20
#
int
erface Ethernet0/19
port access vlan 20
#
interface Ethernet0/20
route add 添加路由port access vlan 20
#
interface Ethernet0/21
port access vlan 20
#
interface Ethernet0/22
port access vlan 20
#
interface Ethernet0/23
port access vlan 20
#
interface Ethernet0/24
duplex full
speed 100
port link-type trunk
port trunk permit vlan 10 20
#
user-interface aux 0
user-interface vty 0 4
#
return
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论