【网工】华为配置专题进阶篇②

[■DHCP NAT BFD 策略路由](#■DHCP NAT BFD 策略路由)

▲掩码与反掩码总结

▲综合实验

■DHCP NAT BFD 策略路由

▲掩码与反掩码总结

使用掩码的场景：IP地址强相关

场景一：IP地址配置

ip address 192.168.1.1 255.255.255.0 或ip address 192.168.1.1 24

场景二：DHCP配置

network 192.168.1.0 mask 255.255.255.0 或network 192.168.1.0 mask 24

使用反掩码的场景

场景一： ACL

rule 10 permit source 192.168.1.1 0 或rule 10 permit source 192.168.1.1 0.0.0.0

rule 10 permit source 192.168.1.0 0.0.0.255

场景二：OSPF路由宣告

network 192.168.1.0 0.0.0.255 //宣告192.168.1.0网段

++++RIP++++ 路由宣告不需要掩码或反掩码，宣告主类网络（ABC类主类IP地址掩码分别为/8/16/24）：

network 10.0.0.0

network 172.16.0.0

network 192.168.1.0

▲综合实验

接入 交换机ACSW配置

<Huawei>system-view

Huawei\]****sysname**** Acsw \[Acsw\]****vlan batch**** 10 20 \[Acsw\]****interface**** GigabitEthernet 0/0/1 \[Acsw-GigabitEthernet0/0/1\]****port link-type**** ****access**** \[Acsw-GigabitEthernet0/0/1\]****port default vlan 10**** \[Acsw-GigabitEthernet0/0/1\]****quit**** \[Acsw\]****interface**** GigabitEthernet 0/0/2 \[Acsw-GigabitEthernet0/0/2\]port link-type access \[Acsw-GigabitEthernet0/0/2\]port default vlan 20 \[Acsw-GigabitEthernet0/0/2\]quit \[Acsw\]****interface**** GigabitEthernet 0/0/3 \[Acsw-GigabitEthernet0/0/3\]port link-type ****trunk**** \[Acsw-GigabitEthernet0/0/3\]****port trunk allow-pass vlan all**** * ****核心交换机的配置**** 下行接口以及网关 \[Coresw\]****vlan batch**** 10 20 30 \[Coresw\]****interface**** Vlanif 10 \[Coresw-Vlanif10\]****ip address**** 192.168.10.254 24 \[Coresw-Vlanif10\]quit \[Coresw\]****interface**** Vlanif 20 \[Coresw-Vlanif20\]****ip address**** 192.168.20.254 24 \[Coresw-Vlanif20\]quit \[Coresw\]****interface**** GigabitEthernet 0/0/3 \[Coresw-GigabitEthernet0/0/3\]port link-type ****trunk**** \[Coresw-GigabitEthernet0/0/3\]****port trunk allow-pass vlan all**** 配置DHCP vlanif10 全局模式 \[Coresw\]****dhcp enable**** \[Coresw\]****ip pool**** 10 \[Coresw-ip-pool-10\]****network**** 192.168.10.0 mask 24 \[Coresw-ip-pool-10\]****gateway-list**** 192.168.10.254 \[Coresw-ip-pool-10\]****dns-list**** 8.8.8.8 \[Coresw-ip-pool-10\]****lease**** day 5 \[Coresw-ip-pool-10\]****excluded-ip-address**** 192.168.10.2 192.168.10.253 \[Coresw-ip-pool-10\]quit \[Coresw\]interface Vlanif 10 \[Coresw-Vlanif10\]****dhcp select global**** vlanif20 接口模式 \[Coresw-Vlanif20\]dhcp select interface \[Coresw-Vlanif20\]dhcp server excluded-ip-address 192.168.20.2 192.168.20.253 \[Coresw-Vlanif20\]dhcp server dns-list 114.114.114.114 \[Coresw-Vlanif20\]dhcp server lease day 4 hour 4 minute 4 * **核心交换机上层接口** \[Coresw\]interface GigabitEthernet 0/0/1 \[Coresw-GigabitEthernet0/0/1\]port link-type ****access**** \[Coresw-GigabitEthernet0/0/1\]port default vlan 30 \[Coresw-GigabitEthernet0/0/1\]quit \[Coresw\]interface Vlanif 30 \[Coresw-Vlanif30\]ip address 192.168.30.254 24 指定核心交换机的默认路由 出口路由器无法nat设置完之后 \[Coresw\]ip route-static 0.0.0.0 0 192.168.30.3 * ****出口路由器配置（下行口）**** \system-view \[Route\]interface GigabitEthernet 0/0/1 \[Route-GigabitEthernet0/0/1\]ip address 192.168.30.3 24 可以使用静态路由来使route有返回到主机的路由条目（但本实验不这么做，选用动态路由协议） \[route\]****ip route-static**** 192.168.10.0 255.255.255.0 ****192.168.30.254**** ****动态路由协议：RIP**** \[Route\]rip \[Route-rip-1\]version 2 \[Route-rip-1\]****network**** 192.168.30.0 \[Coresw\]rip \[Coresw-rip-1\]version 2 \[Coresw-rip-1\]****network**** 192.168.10.0 \[Coresw-rip-1\]****network**** 192.168.20.0 \[Coresw-rip-1\]****network**** 192.168.30.0 \[Route\]undo rip 1 \[Coresw\]undo rip 1 ****动态路由协议：OSPF**** \[Route\]****ospf**** 1 \[Route-ospf-1\]****area**** 0 \[Route-ospf-1-area-0.0.0.0\]****network**** 192.168.30.0 ****0.0.0.255**** \[Coresw\]****ospf**** 1 \[Coresw-ospf-1\]****area**** 0 \[Coresw-ospf-1-area-0.0.0.0\]****network**** 192.168.10.0 0.0.0.255 \[Coresw-ospf-1-area-0.0.0.0\]****network**** 192.168.20.0 0.0.0.255 \[Coresw-ospf-1-area-0.0.0.0\]****network**** 192.168.30.0 0.0.0.255 * ****路由器的两个上行接口**** 上行接口IP地址配置： \[Route\]****interface**** GigabitEthernet 0/0/0 \[Route-GigabitEthernet0/0/0\]ip address 12.1.1.3 24 \[Route-GigabitEthernet0/0/0\]quit \[Route\]****interface**** GigabitEthernet 0/0/2 \[Route-GigabitEthernet0/0/2\]ip address 23.1.1.3 24 出口路由器做NAT在电信和联通配置RIP之后 \[Route\]acl 2000 \[Route-acl-basic-2000\]rule 5 ****permit**** source 192.168.10.0 0.0.0.255 \[Route-acl-basic-2000\]rule 10 ****permit**** source 192.168.20.0 0.0.0.255 \[Route-acl-basic-2000\]quit \[Route\]interface GigabitEthernet 0/0/0 \[Route-GigabitEthernet0/0/0\]****nat outbound 2000**** \[Route\]interface GigabitEthernet 0/0/2 \[Route-GigabitEthernet0/0/2\]****nat outbound 2000**** * ****电信路由器**** 电信路由器配置IP地址： \[dianxin\]****interfac****e GigabitEthernet 0/0/0 \[dianxin-GigabitEthernet0/0/0\]ip address 12.1.1.1 24 \[dianxin-GigabitEthernet0/0/0\]quit \[dianxin\]interface GigabitEthernet 0/0/1 \[dianxin-GigabitEthernet0/0/1\]ip address 100.1.1.1 24 \[dianxin-GigabitEthernet0/0/1\]quit \[dianxin\]****interface LoopBack 0**** \[dianxin-LoopBack0\]****ip address 1.1.1.1 24**** 配置rip... * ****联通路由器**** 联通路由器配置IP地址： \system-view \[liantong\]interface GigabitEthernet 0/0/1 \[liantong-GigabitEthernet0/0/1\]ip address 100.1.1.2 24 \[liantong-GigabitEthernet0/0/1\]quit \[liantong\]interface GigabitEthernet 0/0/2 \[liantong-GigabitEthernet0/0/2\]ip address 23.1.1.2 24 \[liantong-GigabitEthernet0/0/2\]quit \[liantong\]****interface LoopBack 0**** \[liantong-LoopBack0\]****ip address 2.2.2.2 24**** 配置rip... ****给核心交换机配置默认路由完成之后还是无法通信，是因为出口路由器没有做默认路由，如果要做浮动路由，需要更改两条路由的优先级**** 静态路由和默认路由的优先级都是60 \[Route\]ip route \[Route\]****ip route-static**** 0.0.0.0 0 12.1.1.1 ****preference**** 50 \[Route\]****ip route-static**** 0.0.0.0 0 23.1.1.2 要使用BGF所以默认路由先不用了，实际上只有默认路由也无法完成需求 \[Route\]undo ip route-static 0.0.0.0 0 12.1.1.1 \[Route\]undo ip route-static 0.0.0.0 0 23.1.1.2 * ****出口路由器BFD的配置，为了保证电信挂了以后可以走联通的网络**** \[Route\]****bfd**** \[Route-bfd\]quit \[Route\]****bfd dianxin bind peer-ip 12.1.1.1 source-ip 12.1.1.3 auto**** \[Route-bfd-session-dianxin\]quit 电信那一边配置bfd （因为不支持单臂回声，实际项目可以配置单边） \[dianxin\]bfd \[dianxin-bfd\]quit \[dianxin\]****bfd dianxin bind peer-ip 12.1.1.3 source-ip 12.1.1.1 auto**** \[dianxin-bfd-session-dianxin\]****display bfd session all**** track追踪，BFD两边配置，两边ping不通的时候就是挂了，该链路的路由会被删除 \[Route\]****ip route-static 0.0.0.0 0 12.1.1.1 preference 50 track bfd-session dianxin**** \[Route\]****ip route-static 0.0.0.0 0.0.0.0 23.1.1.2**** #bfd链路挂了就走这个 * ****策略路由配置**** 首先删除两个默认路由 \[Route\]undo ip route-static 0.0.0.0 0 23.1.1.2 \[Route\]undo ip route-static 0.0.0.0 0 12.1.1.1 * ****策略路由设置**** 策略路由vlan10走电信出口，vlan20走联通出口 > ****具体步骤：**** > > ①****配置ACL，匹配流量**** > > ②****流分类**** > > ③****流行为**** > > ④****流策略（绑定流分类流行为）**** > > ⑤****入接口应用策略路由**** 策略路由配置在入接口是因为要匹配两个网段的地址 放在任意一个出接口都不能对另一个网段进行匹配 \system-view > 配置ACL \[Route\]****acl**** 2010 \[Route-acl-basic-2010\]****rule 10 permit source**** 192.168.10.0 ****0.0.0.255**** \[Route-acl-basic-2010\]quit \[Route\]****acl**** 2020 \[Route-acl-basic-2020\]****rule 10 permit source**** 192.168.20.0 0.0.0.255 > 配置流分类 \[Route\]****traffic classifier**** vlan10 \[Route-classifier-vlan10\]****if-match acl**** 2010 \[Route-classifier-vlan10\]quit \[Route\]****traffic classifier**** vlan20 \[Route-classifier-vlan20\]****if-match acl**** 2020 \[Route-classifier-vlan20\]quit > 配置流行为 \[Route\]****traffic behavior**** dianxin \[Route-behavior-dianxin\]****redirect ip-nexthop 12.1.1.1**** \[Route-behavior-dianxin\]quit \[Route\]****traffic behavior**** liantong \[Route-behavior-liantong\]****redirect ip-nexthop 23.1.1.2**** \[Route-behavior-liantong\]quit > 配置流策略 \[Route\]****traffic policy**** 10,20-dl \[Route-trafficpolicy-10,20-dl\]****classifier**** vlan10 ****behavior**** dianxin \[Route-trafficpolicy-10,20-dl\]****classifier**** vlan20 ****behavior**** liantong \[Route-trafficpolicy-10,20-dl\]quit > 入接口应用策略路由 \[Route-GigabitEthernet0/0/****1**** \]****traffic-policy**** 10,20-dl ****inbound**** > ****Step1:配置ACL,匹配流量**** \[router\] acl 3010 \[router-acl-adv-3010\] ****rule 10 permit ip source any destination 1.1.1.0 0.0.0.255**** //匹配任意源地址去往电信服务器1.1.1.1的流量 \[router-acl-adv-3010\] acl 3020 \[router-acl-adv-3020\] ****rule 10 permit ip source any destination 2.2.2.0 0.0.0.255**** //匹配任意源地址去往联通服务器2.2.2.2的流量其他配置略，与实验三一样。 至此，本文分享的内容就结束了。