Configuration basics
Basic commands
View command display: display current-configuration
Enter system view: system-view
Rename the device to R1: sysname R1
Enter the interface view for G0/0/1: interface gigabitethernet 0/0/1
Return to system view: quit
Return to user view: return
Enable Telnet and configure the VTY line authentication mode
// Enable the Telnet service (Telnet is cleartext; on a real network keep it off and use stelnet/SSH instead)
telnet server enable
// Enter VTY lines 0-4, i.e. 5 concurrent remote sessions
user-interface vty 0 4
// Allow Telnet on the VTY lines (ssh and all are the other options)
protocol inbound telnet
// Authentication mode:
// aaa - username and password, per-user accounts (the one to use)
// password - a single shared line password, no username
// none - no authentication at all (never on a device reachable from the network)
authentication-mode aaa|password|none
quit
aaa // enter AAA view
// Create user user1 with password Huawei123 (case-sensitive); irreversible-cipher stores a one-way hash rather than a recoverable value
local-user user1 password irreversible-cipher Huawei123
// Give the account privilege level 3 (management level, full access)
local-user user1 privilege level 3
// Note: the account also needs the matching service type (local-user user1 service-type telnet) before it can log in over Telnet; that line is missing from this session
return
save // run in user view; writes the running configuration to startup so it survives a reboot
Configure console authentication
user-interface console 0
authentication-mode aaa|password|none
// With password mode, set the line password; the cipher keyword stores it encrypted
set authentication password cipher Huawei123
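The choices above (Telnet on or off, authentication-mode aaa/password/none, how the password is stored) are exactly what a configuration review looks for. The script below is an added example for this page, not Huawei code: it walks the text of display current-configuration and reports the weak settings. Both configuration samples are constructed here, one mirroring the commands of this section with the VTY lines left at authentication-mode none, the other hardened (SSH only, per-user AAA, irreversible-cipher).

```python
"""Audit a Huawei VRP running configuration for weak remote-access settings.

Added example for this page, not Huawei code. It assumes the input is the
text of `display current-configuration`; both samples are constructed.
"""
import re

# Constructed: roughly what the commands above leave behind, with the VTY
# lines at authentication-mode none and the password stored reversibly.
SAMPLE_CONFIG = """\
 sysname R1
#
 telnet server enable
#
aaa
 local-user user1 password cipher %^%#redacted%^%#
 local-user user1 privilege level 3
 local-user user1 service-type telnet
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#redacted%^%#
user-interface vty 0 4
 authentication-mode none
 protocol inbound telnet
#
return
"""

# Constructed: the same device after hardening (SSH only, per-user AAA,
# one-way password hashes).
HARDENED_CONFIG = """\
 sysname R1
#
 stelnet server enable
 undo telnet server enable
#
aaa
 local-user admin1 password irreversible-cipher %^%#redacted%^%#
 local-user admin1 privilege level 3
 local-user admin1 service-type ssh
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# 'simple' is plaintext, 'cipher' is reversible; only irreversible-cipher is a hash
LOCAL_USER_RE = re.compile(r"local-user (\S+) password (simple|cipher) ")


def audit(config: str) -> list:
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    view = None  # the user-interface view the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":  # VRP separates top-level blocks with '#'
            view = None
        elif line.startswith("user-interface"):
            view = line
        elif line == "telnet server enable":
            findings.append(("telnet-enabled",
                             "Telnet service on: logins and sessions cross the network in cleartext; use stelnet (SSH)"))
        elif view and line == "authentication-mode none":
            findings.append(("auth-none", f"{view}: no login authentication at all"))
        elif view and line == "authentication-mode password":
            findings.append(("auth-shared-password",
                             f"{view}: one shared line password, no per-user accountability; prefer aaa"))
        elif view and line == "protocol inbound telnet":
            findings.append(("telnet-inbound", f"{view}: accepts Telnet; restrict to protocol inbound ssh"))
        else:
            m = LOCAL_USER_RE.match(line)
            if m:
                findings.append(("reversible-password",
                                 f"user {m.group(1)}: stored as '{m.group(2)}' (recoverable); use irreversible-cipher"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Feed it the saved output of display current-configuration from a lab device; the hardened sample returns no findings, the sample that matches this section returns five.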
Switch
Port isolation configuration
VLAN configuration
GARP configuration
STP configuration
Router
DHCP configuration
Static routes
Dynamic routing
Classification of routing protocols
Distance-vector routing protocol: RIP
Link-state routing protocol: OSPF
Intermediate System to Intermediate System: IS-IS
Route redistribution
Border Gateway Protocol: BGP
Virtual Router Redundancy Protocol: VRRP
Access control lists: ACL
Network Address Translation: NAT
Static NAT and dynamic NAT (rarely used)
NAPT and Easy-IP (the important ones)
NAT Server
IPSec
IPSec (Internet Protocol Security) is an open-standard security framework that provides confidentiality, integrity and anti-replay protection for IP datagrams in transit.
Tunnel mode
Transport mode
Configuration steps
Checking the result
After the configuration succeeds, a ping from host PC A to host PC B still works, and display ipsec statistics shows the packet counters.
Running display ipsec sa on RouterA and RouterB shows the configured SAs; RouterA's output is below. Check that the two ends mirror each other: RouterA's outbound SPI and proposal must be RouterB's inbound SPI and proposal, and the tunnel local/remote addresses must be swapped. Note what this particular output also shows: the SAs are manually keyed (Mode: Manual), have no lifetime, and anti-replay is disabled, so the anti-replay protection mentioned above is not actually in effect here. IKE-negotiated SAs with anti-replay enabled are the normal choice outside a lab.
[RouterA] display ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/0
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number: 10
Acl group: 3101
Acl rule: -
Mode: Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 1.1.1.1
Tunnel remote : 2.1.1.1
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
Anti-replay : Disable
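The manual check described above can be scripted. The code below is an added example for this page, not Huawei code: it parses display ipsec sa output into fields, verifies that two ends form a consistent pair, and lists the weaknesses a reviewer should raise. ROUTER_A_SA is RouterA's output as shown above; RouterB's output is not on the page, so it is constructed here by mirroring RouterA's endpoints and SPIs, which is what a correct manual pair must look like.

```python
"""Parse `display ipsec sa` output and review the SA pair.

Added example for this page, not Huawei code. ROUTER_A_SA is the output shown
above; ROUTER_B_SA is constructed by mirroring it (RouterB is not on the page).
"""
ROUTER_A_SA = """\
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/0
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number: 10
Acl group: 3101
Acl rule: -
Mode: Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 1.1.1.1
Tunnel remote : 2.1.1.1
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
Anti-replay : Disable
"""


def mirror_sa_text(text: str) -> str:
    """Constructed peer output: swap the tunnel endpoints and the two SPIs."""
    for a, b in (("1.1.1.1", "2.1.1.1"), ("12345 (0x3039)", "54321 (0xd431)")):
        text = text.replace(a, "\0").replace(b, a).replace("\0", b)
    return text


ROUTER_B_SA = mirror_sa_text(ROUTER_A_SA)

WEAK_ALGS = {"DES", "3DES", "MD5", "SHA1"}


def parse_ipsec_sa(text: str) -> dict:
    """Top-level 'key: value' fields plus per-direction spi/proposal/no_lifetime."""
    sa = {"outbound": {}, "inbound": {}}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[Outbound"):
            direction = "outbound"
        elif line.startswith("[Inbound"):
            direction = "inbound"
        elif line == "No duration limit for this SA" and direction:
            sa[direction]["no_lifetime"] = True
        elif ":" in line and not line.startswith(("=", "-")):
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip().strip('"')
            if direction and key in ("spi", "proposal"):
                sa[direction][key] = int(value.split()[0]) if key == "spi" else value
            else:
                sa[key] = value
    return sa


def assess(sa: dict) -> list:
    """Weaknesses in one end's SAs."""
    issues = []
    if sa.get("mode", "").lower() == "manual":
        issues.append("manual keying: static keys, no IKE negotiation, no automatic rekey")
    if sa.get("anti-replay", "").lower() != "enable":
        issues.append("anti-replay disabled: captured ESP packets can be replayed into the tunnel")
    for d in ("outbound", "inbound"):
        if sa[d].get("no_lifetime"):
            issues.append(f"{d} SA has no lifetime: the key never rotates")
        weak = set(sa[d].get("proposal", "").replace("-", " ").split()) & WEAK_ALGS
        if weak:
            issues.append(f"{d} proposal uses weak algorithm(s): {sorted(weak)}")
    return issues


def peers_match(a: dict, b: dict) -> bool:
    """One end's outbound SA must be the other's inbound SA; endpoints must mirror."""
    return (a["outbound"]["spi"] == b["inbound"]["spi"]
            and a["inbound"]["spi"] == b["outbound"]["spi"]
            and a["outbound"]["proposal"] == b["inbound"]["proposal"]
            and a["inbound"]["proposal"] == b["outbound"]["proposal"]
            and a["tunnel local"] == b["tunnel remote"]
            and a["tunnel remote"] == b["tunnel local"])
```

For RouterA's output assess() returns four findings (manual keying, no anti-replay, and no lifetime on each direction); peers_match() on RouterA against itself fails, which is the typical mistake when the same SPI is configured as outbound on both ends.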
Firewall
A firewall is a network security device, usually placed at a network boundary, that separates networks of different security levels and protects one network from attacks and intrusions coming from another. This "separation" is not absolute but controlled: legitimate traffic is allowed through the firewall, illegitimate traffic is blocked.
As shown in Figure 1-1, the firewall sits at the enterprise's Internet edge and protects the internal network. Rules on the firewall can allow PCs in the internal 10.1.1.0/24 subnet to reach the Internet while denying Internet users access to the internal host 192.168.1.2.
Figure 1-1 Firewall controlling traffic forwarding
From this it is clear that a firewall differs from routers and switches. A router connects different networks and uses routing protocols to keep them reachable, making sure packets reach their destination; a switch normally builds a LAN and, as its hub, forwards frames quickly at layer 2 or layer 3; a firewall is deployed at the network boundary to control the access that enters and leaves the network, with security protection as its core function. The essence of routers and switches is forwarding; the essence of a firewall is control.
A firewall controls network traffic mainly through security zones and security policies, described below.
Interfaces and security zones
A firewall separates networks of different security levels, so how does it tell those networks apart? Through security zones. By assigning the firewall's interfaces to different security zones, the networks those interfaces connect are given different security levels. An interface on the firewall must be added to a security zone before it can handle traffic (the dedicated management port on some models excepted).
Security zones reduce the attack surface: once zones are defined, traffic cannot flow between zones unless an administrator has explicitly allowed it with an access rule. If the network is compromised, the attacker can only reach resources inside the same zone, which keeps the damage contained. It is therefore recommended to partition the network finely with security zones.
Adding an interface to a security zone means the network connected to that interface joins the zone, not the interface itself. The relationship between interfaces, networks and security zones is shown in Figure 1-2.
Figure 1-2 Interfaces, networks and security zones
A firewall's security zones carry a security level from 1 to 100; the higher the number, the higher the security level. By default the firewall has four zones, trust, dmz, untrust and local, and administrators can define custom zones for finer-grained control. For example, an enterprise might partition the firewall's zones as in Figure 1-3: internal interfaces in trust, the external interface in untrust, the server area's interface in dmz, and a custom zone named guest for the visitor area.
An interface belongs to exactly one security zone; a security zone can contain several interfaces.
Figure 1-3 Partitioning security zones
One zone in the figure is special: local, with the highest security level, 100. local represents the firewall itself. No interface can be added to the local zone, but every interface on the firewall implicitly belongs to it. Any packet originated by the firewall is treated as sent from the local zone, and any packet whose receiver is the firewall (rather than a forwarded packet) is treated as received by the local zone.
Besides physical interfaces, the firewall supports logical interfaces such as sub-interfaces, VLANIF and Tunnel interfaces; these must also be added to a security zone before use.
Reference: 华为防火墙实战配置教程_liangston的博客-CSDN博客_华为防火墙
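The zone rules above (one zone per interface, no interfaces in local, traffic to the firewall itself is local, nothing crosses a zone boundary without a rule) are easy to get wrong when reasoning about a policy, so here is a small model that enforces them. It is an added example for this page, not Huawei code. The security levels for trust, dmz and untrust, the interface names and the addresses are assumptions; the page only states that local has level 100. The scenario reproduces Figure 1-1: 10.1.1.0/24 may reach the Internet, the Internet may not reach 192.168.1.2.

```python
"""Toy model of security zones and inter-zone policy.

Added example for this page, not Huawei code. Zone levels other than
local = 100, interface names and addresses are assumptions.
"""
import ipaddress


class ZoneFirewall:
    def __init__(self):
        # Assumed default levels; only local = 100 is stated on the page.
        self.zones = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
        self.if_zone = {}        # interface -> zone (exactly one zone per interface)
        self.own_addrs = set()   # the firewall's own addresses: traffic to them is 'local'
        self.policies = []       # ordered (src_zone, dst_zone, src_net, dst_net, action)

    def add_zone(self, name, level):
        if name in self.zones or level in self.zones.values():
            raise ValueError("zone name and security level must both be unique")
        self.zones[name] = level

    def add_interface(self, ifname, zone, address=None):
        if zone == "local":
            raise ValueError("local represents the firewall itself; it takes no interfaces")
        if zone not in self.zones:
            raise ValueError(f"unknown zone {zone}")
        if ifname in self.if_zone:
            raise ValueError(f"{ifname} already belongs to {self.if_zone[ifname]}")
        self.if_zone[ifname] = zone
        if address:
            self.own_addrs.add(ipaddress.ip_address(address))

    def add_policy(self, src_zone, dst_zone, src_net, dst_net, action):
        self.policies.append((src_zone, dst_zone, ipaddress.ip_network(src_net),
                              ipaddress.ip_network(dst_net), action))

    def decide(self, in_if, src_ip, dst_ip, out_if=None):
        """in_if=None means the firewall originated the packet (source zone local)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_zone = "local" if in_if is None else self.if_zone[in_if]
        dst_zone = "local" if dst in self.own_addrs else self.if_zone[out_if]
        if src_zone == dst_zone:
            return "permit"  # per the text above, resources inside one zone stay reachable
        for sz, dz, sn, dn, action in self.policies:
            if sz == src_zone and dz == dst_zone and src in sn and dst in dn:
                return action
        return "deny"  # default: nothing crosses a zone boundary without a rule


def build_example():
    """Figure 1-1 with assumed interface names and firewall addresses."""
    fw = ZoneFirewall()
    fw.add_zone("guest", 30)
    fw.add_interface("GE0/0/1", "trust", "10.1.1.1")       # inside
    fw.add_interface("GE0/0/2", "untrust", "203.0.113.1")  # Internet side
    fw.add_interface("GE0/0/3", "dmz")
    fw.add_policy("trust", "untrust", "10.1.1.0/24", "0.0.0.0/0", "permit")
    fw.add_policy("untrust", "trust", "0.0.0.0/0", "192.168.1.2/32", "deny")
    fw.add_policy("trust", "local", "10.1.1.0/24", "10.1.1.1/32", "permit")  # management
    return fw
```

The point to notice is the last rule: management traffic to the firewall's own address is a trust-to-local flow and needs its own permit, while the same traffic arriving on the untrust interface is denied by default because no untrust-to-local rule exists.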
Comprehensive lab
Access switch acsw
Commands
// User view
<HUAWEI>
// Switch to system view
<HUAWEI>system-view
// Change the switch name
[~HUAWEI]sysname acsw
[*HUAWEI]commit
I'm using the CE12800 image in the EVE-NG emulator; the hostname did not change until I ran the commit command. The related documentation is:
选择命令行配置生效模式(立即生效、两阶段生效) - CloudEngine 12800, 12800E V200R005C10 命令参考 - 华为 (huawei.com)
You also need to run the save command in user view so that the configuration is not lost on power-off.
Create VLANs in batch
// Create vlan 10
[~acsw]vlan 10
// Create vlan 10 and vlan 20 in one command
[~acsw]vlan batch 10 20
Enter the relevant interfaces
Port types:
- access: connects to end hosts
- dot1q-tunnel: QinQ port, metro networks
- hybrid: connects to hosts or switches
- trunk: connects to switches
GE1/0/1
// Enter interface GE1/0/1
[~acsw]interface g1/0/1
// Set the port type to access
[~acsw-GE1/0/1]port link-type access
// Put it in vlan 10
[~acsw-GE1/0/1]port default vlan 10
GE1/0/2
// Enter interface GE1/0/2
[~acsw]interface g1/0/2
// Set the port type to access
[~acsw-GE1/0/2]port link-type access
// Put it in vlan 20
[~acsw-GE1/0/2]port default vlan 20
GE1/0/3
// Enter interface GE1/0/3
[~acsw]interface g1/0/3
// Set the port type to trunk
[~acsw-GE1/0/3]port link-type trunk
// Allow vlan 10 and 20 through
// To allow every VLAN: port trunk allow-pass vlan all (over-permissive; allow only the VLANs the link needs)
[~acsw-GE1/0/3]port trunk allow-pass vlan 10 20
Core switch coresw
Gateway configuration
[~HUAWEI]sysname coresw
[~HUAWEI]commit
[~coresw]vlan batch 10 20 30
[~coresw]interface g1/0/3
[~coresw-GE1/0/3]port link-type trunk
[~coresw-GE1/0/3]port trunk allow-pass vlan 10 20
[~coresw-GE1/0/3]quit
[~coresw]interface vlanif 10
[~coresw-Vlanif10]ip address 192.168.10.254 24
[~coresw-Vlanif10]interface vlanif 20
[~coresw-Vlanif20]ip address 192.168.20.254 24
[~coresw-Vlanif20]quit
[~coresw]commit
[~coresw]dis vlan
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------
VID Ports
--------------------------------------------------------------------------------
1 UT:GE1/0/0(D) GE1/0/1(D) GE1/0/2(D) GE1/0/3(U)
GE1/0/4(D) GE1/0/5(D) GE1/0/6(D) GE1/0/7(D)
GE1/0/8(D) GE1/0/9(D)
10 TG:GE1/0/3(U)
20 TG:GE1/0/3(U)
30
VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
1 common enable default enable disable FWD FWD FWD VLAN 0001
10 common enable default enable disable FWD FWD FWD VLAN 0010
20 common enable default enable disable FWD FWD FWD VLAN 0020
30 common enable default enable disable FWD FWD FWD VLAN 0030
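The VID/Ports table above is worth reading carefully: GE1/0/3 is tagged (TG) for VLAN 10 and 20, but it is also still an untagged (UT) member of VLAN 1, because VLAN 1 is the trunk's default PVID and is allowed on the trunk unless removed. A trunk whose native VLAN is VLAN 1 is the classic precondition for VLAN-hopping via double tagging. The script below is an added example for this page, not Huawei code: it parses the dis vlan output shown above and lists every port that carries tagged VLANs while remaining untagged in VLAN 1. The check itself is a common hardening practice, not something the page states.

```python
"""Parse the `dis vlan` port table and flag trunks still native in VLAN 1.

Added example for this page, not Huawei code. DISPLAY_VLAN is the output
shown above.
"""
import re

DISPLAY_VLAN = """\
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------
VID Ports
--------------------------------------------------------------------------------
1 UT:GE1/0/0(D) GE1/0/1(D) GE1/0/2(D) GE1/0/3(U)
GE1/0/4(D) GE1/0/5(D) GE1/0/6(D) GE1/0/7(D)
GE1/0/8(D) GE1/0/9(D)
10 TG:GE1/0/3(U)
20 TG:GE1/0/3(U)
30
VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
1 common enable default enable disable FWD FWD FWD VLAN 0001
10 common enable default enable disable FWD FWD FWD VLAN 0010
20 common enable default enable disable FWD FWD FWD VLAN 0020
30 common enable default enable disable FWD FWD FWD VLAN 0030
"""

PORT_RE = re.compile(r"(\S+?)\((U|D)\)")  # GE1/0/3(U) -> ('GE1/0/3', 'U')


def parse_vlan_ports(text):
    """Return {vid: {'UT': {port: link_state}, 'TG': {...}}} from the VID/Ports table."""
    lines = [l.strip() for l in text.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("VID") and "Ports" in l)
    end = next(i for i, l in enumerate(lines) if l.startswith("VID") and "Type" in l)
    table, vid, mode = {}, None, None
    for line in lines[start + 1:end]:
        if not line or line.startswith("-"):
            continue
        m = re.match(r"(\d+)\s*(.*)", line)
        if m:  # a row starts with the VLAN id; continuation rows start with a port name
            vid, line = int(m.group(1)), m.group(2)
            table[vid] = {"UT": {}, "TG": {}}
        for token in line.split():
            if token[:3] in ("UT:", "TG:"):  # membership mode applies until the next marker
                mode, token = token[:2], token[3:]
            pm = PORT_RE.fullmatch(token)
            if pm and vid is not None and mode:
                table[vid][mode][pm.group(1)] = pm.group(2)
    return table


def port_vlans(table):
    """Invert the table: {port: {'UT': [vids], 'TG': [vids]}}."""
    out = {}
    for vid, modes in table.items():
        for mode, ports in modes.items():
            for port in ports:
                out.setdefault(port, {"UT": [], "TG": []})[mode].append(vid)
    return out


def native_vlan1_trunks(table):
    """Ports that carry tagged VLANs but are still untagged members of VLAN 1."""
    return sorted(p for p, v in port_vlans(table).items() if v["TG"] and 1 in v["UT"])
```

For the output above the finding is GE1/0/3. The usual fix on the trunk is to move the PVID to an unused VLAN (port trunk pvid vlan <unused-id>) and remove VLAN 1 from it (undo port trunk allow-pass vlan 1) on both ends of the link.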
[~coresw]dis interface vlanif 10
Vlanif10 current state : UP (ifindex: 17)
Line protocol current state : UP
Last line protocol up time : 2022-08-30 13:36:19
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.10.254/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 3864-0111-1200
Physical is VLANIF
Current system time: 2022-08-30 13:37:40
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Output:0 packets, 0 bytes
Last 300 seconds input utility rate: --
Last 300 seconds output utility rate: --
[~coresw]dis interface vlanif 20
Vlanif20 current state : UP (ifindex: 18)
Line protocol current state : UP
Last line protocol up time : 2022-08-30 13:36:19
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.20.254/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 3864-0111-1200
Physical is VLANIF
Current system time: 2022-08-30 13:37:55
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Output:0 packets, 0 bytes
Last 300 seconds input utility rate: --
Last 300 seconds output utility rate: --
[~coresw]
DHCP configuration (failed)
// Enable DHCP globally
[~coresw]dhcp enable
// Create an address pool; naming it 10 ties it to VLAN 10
[~coresw]ip pool 10
[~coresw-ip-pool-10]network 192.168.10.0 mask 24
Error: Please configure the gateway first.
// The gateway has to be set before the network range
[~coresw-ip-pool-10]gateway-list 192.168.10.254
// Address range of the pool
[~coresw-ip-pool-10]network 192.168.10.0 mask 24
// DNS server handed to clients
[~coresw-ip-pool-10]dns-list 8.8.8.8
// Lease time: 3 days
[~coresw-ip-pool-10]lease day 3
[~coresw]display ip pool
-----------------------------------------------------------------------------
Pool name : 10
Pool number : 0
Position : Local
Status : Unlocked
Gateway : 192.168.10.254
Mask : 255.255.255.0
VPN instance : --
All IP pool address statistic
Total :253
Used :0 Idle :253 Expired :0
Conflict :0 Disable :0
// Total is 253: the /24 has 254 host addresses and the gateway address is reserved
// Exclude 192.168.10.2-192.168.10.253, so clients can only be given 192.168.10.1
[~coresw-ip-pool-10]excluded-ip-address 192.168.10.2 192.168.10.253
// Not done anywhere in this session: the client-facing interface must also be bound to the global pool
// (dhcp select global under interface vlanif 10); without that the switch does not answer DHCP on VLAN 10
CloudEngine 12800, 12800E系列交换机 产品文档 (huawei.com)
The above is the relevant documentation. Unfortunately no IP address could be obtained; in the packet capture the DHCP server never replied with an ACK, which may be a bug in this emulator image. Below is my separate test, using 192.168.1.254.
Configure static IPs
The two hosts can reach each other
How the two hosts communicate
192.168.10.1/24 and 192.168.20.1/24: the sending host first checks whether the destination is in its own subnet. It is not, so the packet goes to its gateway on coresw; coresw looks in its own routing table for the 192.168.20.0 network and forwards the packet out the corresponding interface, Vlanif20.
Next, GE1/0/0 on coresw is placed in VLAN 30, the VLAN used for the link towards the router:
[coresw]interface g1/0/0
[coresw-GE1/0/0]port link-type access
[coresw-GE1/0/0]port default vlan 30
[coresw-GE1/0/0]dis this
#
interface GE1/0/0
undo shutdown
port default vlan 30
#
return
[coresw-GE1/0/0]
Routing configuration
router
Change the router name
[HUAWEI]sysname router
[router]
Configure the IP address of Ethernet1/0/0
[router]interface Ethernet1/0/0
[router-Ethernet1/0/0]ip address 192.168.30.3 24
[router-Ethernet1/0/0]q
Static routes
Before configuration
After configuration
[router]ip route-static 192.168.10.0 255.255.255.0 192.168.30.254
Route to the other host's subnet
[router]ip route-static 192.168.20.0 255.255.255.0 192.168.30.254
View the routing table
[router]display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 Static 60 0 RD 192.168.30.254 Ethernet1/0/0
192.168.20.0/24 Static 60 0 RD 192.168.30.254 Ethernet1/0/0
192.168.30.0/24 Direct 0 0 D 192.168.30.3 Ethernet1/0/0
192.168.30.3/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
192.168.30.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[router]
Dynamic routing
Delete the static routes configured earlier
[router]undo ip route-static 192.168.10.0 255.255.255.0 192.168.30.254
[router]undo ip route-static 192.168.20.0 255.255.255.0 192.168.30.254
[router]
rip
[router]
[router]rip
[router-rip-1]version 2
[router-rip-1]network 192.168.30.0
[router-rip-1]
[router-rip-1]dis this
#
rip 1
version 2
network 192.168.30.0
#
return
[coresw]
[coresw]rip
[coresw-rip-1]version 2
[coresw-rip-1]network 192.168.10.0
[coresw-rip-1]network 192.168.20.0
[coresw-rip-1]network 192.168.30.0
[coresw-rip-1]dis this
#
rip 1
version 2
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
#
return
[coresw-rip-1]
[router]dis ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 RIP 100 1 D 192.168.30.254 Ethernet1/0/0
192.168.20.0/24 RIP 100 1 D 192.168.30.254 Ethernet1/0/0
192.168.30.0/24 Direct 0 0 D 192.168.30.3 Ethernet1/0/0
192.168.30.3/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
192.168.30.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Delete RIP
[router]undo rip 1
Warning: The RIP process will be deleted. Continue? [Y/N]:Y
[router]
coresw
[coresw-rip-1]q
[coresw]undo rip 1
Warning: The RIP process will be deleted. Continue? [Y/N]:Y
[coresw]
ospf
[coresw]ospf 1
[coresw-ospf-1]area 0
[coresw-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[coresw-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[coresw-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[coresw-ospf-1-area-0.0.0.0]display this
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
#
return
[coresw-ospf-1-area-0.0.0.0]
[router]ospf 1
[router-ospf-1]area 0
[router-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[router-ospf-1-area-0.0.0.0]display this
area 0.0.0.0
network 192.168.30.0 0.0.0.255
#
return
[router-ospf-1-area-0.0.0.0]dis ospf peer brief
(M) Indicates MADJ neighbor
OSPF Process 1 with Router ID 192.168.30.3
Peer Statistic Information
Total number of peer(s): 1
Peer(s) in full state: 1
-----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Eth1/0/0 192.168.1.254 Full
-----------------------------------------------------------------------------
[router-ospf-1-area-0.0.0.0]
[router]dis ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 OSPF 10 2 D 192.168.30.254 Ethernet1/0/0
192.168.20.0/24 OSPF 10 2 D 192.168.30.254 Ethernet1/0/0
192.168.30.0/24 Direct 0 0 D 192.168.30.3 Ethernet1/0/0
192.168.30.3/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
192.168.30.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[router]
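The three routing tables above show the same two prefixes learned three ways, with different preference (Pre) values: Direct 0, OSPF 10, Static 60, RIP 100. The lower value wins when more than one source offers the same prefix, and the longest prefix wins when several prefixes contain the destination. The script below is an added example for this page, not Huawei code: it parses routing-table rows in the format shown above and performs both selections. ROUTING_TABLE is constructed as the union of the three outputs, which a real device never shows at once because it installs only the winning route per prefix.

```python
"""Parse `display ip routing-table` rows and do the lookup the router performs.

Added example for this page, not Huawei code. ROUTING_TABLE is constructed as
the union of the static, RIP and OSPF outputs above.
"""
import ipaddress
import re
from dataclasses import dataclass

ROUTING_TABLE = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 Static 60 0 RD 192.168.30.254 Ethernet1/0/0
192.168.10.0/24 RIP 100 1 D 192.168.30.254 Ethernet1/0/0
192.168.10.0/24 OSPF 10 2 D 192.168.30.254 Ethernet1/0/0
192.168.20.0/24 Static 60 0 RD 192.168.30.254 Ethernet1/0/0
192.168.20.0/24 RIP 100 1 D 192.168.30.254 Ethernet1/0/0
192.168.20.0/24 OSPF 10 2 D 192.168.30.254 Ethernet1/0/0
192.168.30.0/24 Direct 0 0 D 192.168.30.3 Ethernet1/0/0
192.168.30.3/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
192.168.30.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""

# Destination/Mask Proto Pre Cost Flags NextHop Interface
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    pre: int      # route preference: lower wins (Direct 0, OSPF 10, Static 60, RIP 100)
    cost: int
    nexthop: str
    iface: str


def parse_routing_table(text):
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            routes.append(Route(ipaddress.ip_network(m.group(1), strict=False), m.group(2),
                                int(m.group(3)), int(m.group(4)), m.group(6), m.group(7)))
    return routes


def active_routes(routes):
    """Per prefix, the route the RIB installs: lowest preference, then lowest cost."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or (r.pre, r.cost) < (cur.pre, cur.cost):
            best[r.prefix] = r
    return best


def best_route(routes, dst):
    """Longest-prefix match over the installed routes; None means the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in active_routes(routes).values() if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)
```

Two things fall out of running it on the constructed table: 192.168.10.0/24 is installed from OSPF even though the static route exists, and there is no route at all for 100.1.1.0/24 (the egress routers configured below), so the router drops those packets until a static or default route is added.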
Egress routers (dianxing, liantong)
Basic configuration
<HUAWEI>system-view immediately
Enter system view, return user view with return command.
[HUAWEI]sysname dianxing
[dianxing]
<HUAWEI>system-view immediately
Enter system view, return user view with return command.
[HUAWEI]sysname liantong
[liantong]
[router]interface Ethernet 1/0/1
[router-Ethernet1/0/1]ip address 12.1.1.3 24
[router-Ethernet1/0/1]interface Ethernet 1/0/2
[router-Ethernet1/0/2]ip address 23.1.1.3 24
[dianxing]interface Ethernet 1/0/1
[dianxing-Ethernet1/0/1]ip address 12.1.1.1 24
[dianxing-Ethernet1/0/1]interface Ethernet 1/0/0
[dianxing-Ethernet1/0/0]ip address 100.1.1.1 24
[dianxing-Ethernet1/0/0]interface lo0
[dianxing-LoopBack0]ip address 1.1.1.1 24
[liantong]interface Ethernet 1/0/1
[liantong-Ethernet1/0/1]ip address 23.1.1.2 24
[liantong-Ethernet1/0/1]interface Ethernet 1/0/0
[liantong-Ethernet1/0/0]ip address 100.1.1.2 24
[liantong-Ethernet1/0/0]interface lo0
[liantong-LoopBack0]ip address 2.2.2.2 24
[liantong-LoopBack0]ping 100.1.1.1
PING 100.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.1: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/6/20 ms
[liantong-LoopBack0]q
[liantong]q
<liantong>ping 23.1.1.3
PING 23.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 23.1.1.3: bytes=56 Sequence=1 ttl=255 time=9 ms
Reply from 23.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 23.1.1.3: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 23.1.1.3: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 23.1.1.3: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 23.1.1.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/4/9 ms
<liantong>