【网工】华为配置专题进阶篇②

[■DHCP NAT BFD 策略路由](#■DHCP NAT BFD 策略路由)

▲掩码与反掩码总结

▲综合实验

■DHCP NAT BFD 策略路由

▲掩码与反掩码总结

使用掩码的场景：IP地址强相关

场景一：IP地址配置

ip address 192.168.1.1 255.255.255.0 或ip address 192.168.1.1 24

场景二：DHCP配置

network 192.168.1.0 mask 255.255.255.0 或network 192.168.1.0 mask 24

使用反掩码的场景

场景一： ACL

rule 10 permit source 192.168.1.1 0 或rule 10 permit source 192.168.1.1 0.0.0.0

rule 10 permit source 192.168.1.0 0.0.0.255

场景二：OSPF路由宣告

network 192.168.1.0 0.0.0.255 //宣告192.168.1.0网段

++++RIP++++ 路由宣告不需要掩码或反掩码，宣告主类网络（ABC类主类IP地址掩码分别为/8/16/24）：

network 10.0.0.0

network 172.16.0.0

network 192.168.1.0

▲综合实验

接入 交换机ACSW配置

<Huawei>system-view

$Huawei$ sysname Acsw

$Acsw$ vlan batch 10 20

$Acsw$ interface GigabitEthernet 0/0/1

$Acsw-GigabitEthernet0/0/1$ port link-type access

$Acsw-GigabitEthernet0/0/1$ port default vlan 10

$Acsw-GigabitEthernet0/0/1$ quit

$Acsw$ interface GigabitEthernet 0/0/2

$Acsw-GigabitEthernet0/0/2$ port link-type access

$Acsw-GigabitEthernet0/0/2$ port default vlan 20

$Acsw-GigabitEthernet0/0/2$ quit

$Acsw$ interface GigabitEthernet 0/0/3

$Acsw-GigabitEthernet0/0/3$ port link-type trunk

$Acsw-GigabitEthernet0/0/3$ port trunk allow-pass vlan all

核心交换机的配置

下行接口以及网关

$Coresw$ vlan batch 10 20 30

$Coresw$ interface Vlanif 10

$Coresw-Vlanif10$ ip address 192.168.10.254 24

$Coresw-Vlanif10$ quit

$Coresw$ interface Vlanif 20

$Coresw-Vlanif20$ ip address 192.168.20.254 24

$Coresw-Vlanif20$ quit

$Coresw$ interface GigabitEthernet 0/0/3

$Coresw-GigabitEthernet0/0/3$ port link-type trunk

$Coresw-GigabitEthernet0/0/3$ port trunk allow-pass vlan all

配置DHCP

vlanif10 全局模式

$Coresw$ dhcp enable

$Coresw$ ip pool 10

$Coresw-ip-pool-10$ network 192.168.10.0 mask 24

$Coresw-ip-pool-10$ gateway-list 192.168.10.254

$Coresw-ip-pool-10$ dns-list 8.8.8.8

$Coresw-ip-pool-10$ lease day 5

$Coresw-ip-pool-10$ excluded-ip-address 192.168.10.2 192.168.10.253

$Coresw-ip-pool-10$ quit

$Coresw$ interface Vlanif 10

$Coresw-Vlanif10$ dhcp select global

vlanif20 接口模式

$Coresw-Vlanif20$ dhcp select interface

$Coresw-Vlanif20$ dhcp server excluded-ip-address 192.168.20.2 192.168.20.253

$Coresw-Vlanif20$ dhcp server dns-list 114.114.114.114

$Coresw-Vlanif20$ dhcp server lease day 4 hour 4 minute 4

核心交换机上层接口

$Coresw$ interface GigabitEthernet 0/0/1

$Coresw-GigabitEthernet0/0/1$ port link-type access

$Coresw-GigabitEthernet0/0/1$ port default vlan 30

$Coresw-GigabitEthernet0/0/1$ quit

$Coresw$ interface Vlanif 30

$Coresw-Vlanif30$ ip address 192.168.30.254 24

指定核心交换机的默认路由出口路由器无法nat设置完之后

$Coresw$ ip route-static 0.0.0.0 0 192.168.30.3

出口路由器配置（下行口）

<Route>system-view

$Route$ interface GigabitEthernet 0/0/1

$Route-GigabitEthernet0/0/1$ ip address 192.168.30.3 24

可以使用静态路由来使route有返回到主机的路由条目（但本实验不这么做，选用动态路由协议）

$route$ ip route-static 192.168.10.0 255.255.255.0 192.168.30.254

动态路由协议：RIP

$Route$ rip

$Route-rip-1$ version 2

$Route-rip-1$ network 192.168.30.0

$Coresw$ rip

$Coresw-rip-1$ version 2

$Coresw-rip-1$ network 192.168.10.0

$Coresw-rip-1$ network 192.168.20.0

$Coresw-rip-1$ network 192.168.30.0

$Route$ undo rip 1

$Coresw$ undo rip 1

动态路由协议：OSPF

$Route$ ospf 1

$Route-ospf-1$ area 0

$Route-ospf-1-area-0.0.0.0$ network 192.168.30.0 0.0.0.255

$Coresw$ ospf 1

$Coresw-ospf-1$ area 0

$Coresw-ospf-1-area-0.0.0.0$ network 192.168.10.0 0.0.0.255

$Coresw-ospf-1-area-0.0.0.0$ network 192.168.20.0 0.0.0.255

$Coresw-ospf-1-area-0.0.0.0$ network 192.168.30.0 0.0.0.255

路由器的两个上行接口

上行接口IP地址配置：

$Route$ interface GigabitEthernet 0/0/0

$Route-GigabitEthernet0/0/0$ ip address 12.1.1.3 24

$Route-GigabitEthernet0/0/0$ quit

$Route$ interface GigabitEthernet 0/0/2

$Route-GigabitEthernet0/0/2$ ip address 23.1.1.3 24

出口路由器做NAT在电信和联通配置RIP之后

$Route$ acl 2000

$Route-acl-basic-2000$ rule 5 permit source 192.168.10.0 0.0.0.255

$Route-acl-basic-2000$ rule 10 permit source 192.168.20.0 0.0.0.255

$Route-acl-basic-2000$ quit

$Route$ interface GigabitEthernet 0/0/0

$Route-GigabitEthernet0/0/0$ nat outbound 2000

$Route$ interface GigabitEthernet 0/0/2

$Route-GigabitEthernet0/0/2$ nat outbound 2000

电信路由器

电信路由器配置IP地址：

$dianxin$ interface GigabitEthernet 0/0/0

$dianxin-GigabitEthernet0/0/0$ ip address 12.1.1.1 24

$dianxin-GigabitEthernet0/0/0$ quit

$dianxin$ interface GigabitEthernet 0/0/1

$dianxin-GigabitEthernet0/0/1$ ip address 100.1.1.1 24

$dianxin-GigabitEthernet0/0/1$ quit

$dianxin$ interface LoopBack 0

$dianxin-LoopBack0$ ip address 1.1.1.1 24

配置rip...

联通路由器

联通路由器配置IP地址：

<liantong>system-view

$liantong$ interface GigabitEthernet 0/0/1

$liantong-GigabitEthernet0/0/1$ ip address 100.1.1.2 24

$liantong-GigabitEthernet0/0/1$ quit

$liantong$ interface GigabitEthernet 0/0/2

$liantong-GigabitEthernet0/0/2$ ip address 23.1.1.2 24

$liantong-GigabitEthernet0/0/2$ quit

$liantong$ interface LoopBack 0

$liantong-LoopBack0$ ip address 2.2.2.2 24

配置rip...

给核心交换机配置默认路由完成之后还是无法通信，是因为出口路由器没有做默认路由，如果要做浮动路由，需要更改两条路由的优先级

静态路由和默认路由的优先级都是60

$Route$ ip route

$Route$ ip route-static 0.0.0.0 0 12.1.1.1 preference 50

$Route$ ip route-static 0.0.0.0 0 23.1.1.2

要使用BGF所以默认路由先不用了，实际上只有默认路由也无法完成需求

$Route$ undo ip route-static 0.0.0.0 0 12.1.1.1

$Route$ undo ip route-static 0.0.0.0 0 23.1.1.2

出口路由器BFD的配置，为了保证电信挂了以后可以走联通的网络

$Route$ bfd

$Route-bfd$ quit

$Route$ bfd dianxin bind peer-ip 12.1.1.1 source-ip 12.1.1.3 auto

$Route-bfd-session-dianxin$ quit

电信那一边配置bfd （因为不支持单臂回声，实际项目可以配置单边）

$dianxin$ bfd

$dianxin-bfd$ quit

$dianxin$ bfd dianxin bind peer-ip 12.1.1.3 source-ip 12.1.1.1 auto

$dianxin-bfd-session-dianxin$ display bfd session all

track追踪，BFD两边配置，两边ping不通的时候就是挂了，该链路的路由会被删除

$Route$ ip route-static 0.0.0.0 0 12.1.1.1 preference 50 track bfd-session dianxin

$Route$ ip route-static 0.0.0.0 0.0.0.0 23.1.1.2 #bfd链路挂了就走这个

策略路由配置

首先删除两个默认路由

$Route$ undo ip route-static 0.0.0.0 0 23.1.1.2

$Route$ undo ip route-static 0.0.0.0 0 12.1.1.1

策略路由设置

策略路由vlan10走电信出口，vlan20走联通出口

具体步骤：

①配置ACL，匹配流量

②流分类

③流行为

④流策略（绑定流分类流行为）

⑤入接口应用策略路由

策略路由配置在入接口是因为要匹配两个网段的地址放在任意一个出接口都不能对另一个网段进行匹配

<Route>system-view

配置ACL

$Route$ acl 2010

$Route-acl-basic-2010$ rule 10 permit source 192.168.10.0 0.0.0.255

$Route-acl-basic-2010$ quit

$Route$ acl 2020

$Route-acl-basic-2020$ rule 10 permit source 192.168.20.0 0.0.0.255

配置流分类

$Route$ traffic classifier vlan10

$Route-classifier-vlan10$ if-match acl 2010

$Route-classifier-vlan10$ quit

$Route$ traffic classifier vlan20

$Route-classifier-vlan20$ if-match acl 2020

$Route-classifier-vlan20$ quit

配置流行为

$Route$ traffic behavior dianxin

$Route-behavior-dianxin$ redirect ip-nexthop 12.1.1.1

$Route-behavior-dianxin$ quit

$Route$ traffic behavior liantong

$Route-behavior-liantong$ redirect ip-nexthop 23.1.1.2

$Route-behavior-liantong$ quit

配置流策略

$Route$ traffic policy 10,20-dl

$Route-trafficpolicy-10,20-dl$ classifier vlan10 behavior dianxin

$Route-trafficpolicy-10,20-dl$ classifier vlan20 behavior liantong

$Route-trafficpolicy-10,20-dl$ quit

入接口应用策略路由

$Route-GigabitEthernet0/0/****1****$ traffic-policy 10,20-dl inbound

Step1:配置ACL,匹配流量

$router$ acl 3010

$router-acl-adv-3010$ rule 10 permit ip source any destination 1.1.1.0 0.0.0.255 //匹配任意源地址去往电信服务器1.1.1.1的流量

$router-acl-adv-3010$ acl 3020

$router-acl-adv-3020$ rule 10 permit ip source any destination 2.2.2.0 0.0.0.255 //匹配任意源地址去往联通服务器2.2.2.2的流量其他配置略，与实验三一样。

至此，本文分享的内容就结束了。