华为路由器交换机实现单臂路由的方法.doc

华为路由器交换机实现单臂路由的方法连接如上图,ROUTET的F1/0与SWITCH的F0/24相连,SWITCH的F0/1,F0/2,F0/11分别与PC1,PC2,PC3相连接,PC1,PC2分到VLAN2,PC3分到VLAN 31.路由器的配置RouterRouterinter e0Router-Ethernet0inter e 0.1 /定义子接口E0.1Router-Ethernet0.1ip add 54 Router-Ethernet0.1vlan-type dot1q vid 2 /指定以太网子接口属于VLAN2,此命令应用在以太网子接口上。Router-Ethernet0.1inter e0.2 /定义子接口E0.2Router-Ethernet0.2ip add 54 Router-Ethernet0.2vlan-type dot1q vid 3 /指定以太网子接口属于VLAN3 Router-Ethernet0.3inter e0Router-Ethernet0undo shut2.交换机的配置sysEnter system view , return user view with Ctrl Z.Quidwayvlan 2Quidway-vlan2port ethernet 0/1 to eth 0/2 eth 0/22 /将第1至2端口，加入到VLAN2Quidway-vlan2vlan 3Quidway-vlan3port eth 0/11 /将第11端口加入VLAN3Quidway-vlan3inter e0/24Quidway-Ethernet0/24port link-type trunk /将第24端口设为trunk口Quidway-Ethernet0/24port trunk permit vlan all/允许所有VLAN流量通过,这里与CISCO的交换机有所不同的是CISCO交换机默认是允许所有VLAN的流里通过Please wait. Done.2.PC机的配置PC1: IP地址: 子网掩码: 默认网关:54PC2: IP地址: 子网掩码: 默认网关:54PC3: IP地址: 子网掩码: 默认网关:54思科路由器交换机实现单臂路由的方法 CISCO路由器实现单臂路由的配置方法连接如上图,ROUTET的F1/0与SWITCH的F0/0相连,SWITCH的F0/1,F0/2,F0/3分别与PC1,PC2,PC3相连接,PC1分到VLAN10,PC2,PC3分到VLAN 201.路由器的配置注意的地方,在子接口先要先描术DOT1Q,再配IP地址,DOT1Q后面的数字是VLAN的号码,根据交换机的配置不同有所不同Routerenable Router#configure terminalRouter(config)#int f1/0 Router(config-if)#no shut Router(config)#int f 1/0.1Router(config-subif)#encapsulation dot1q 10/描术子接口的类型为dot1qRouter(config-subif)#ip add 54 Router(config-subif)#exitRouter(config)#int f1/0.2Router(config-subif)#encapsulation dot1q 20/描术子接口的类型为dot1qRouter(config-subif)#ip add 54 Router(config-subif)#exitRouter#copy run star2交换机的配置SwitchenableSwitch#vlan databaseSwitch(vlan)#vlan 10Switch(vlan)#vlan 20Switch(vlan)#exitSwitch#configure terminalSwitch(config)#int f0/0Switch(config-if)#switchport mode trunk/把接品设成trunk模式,Switch(config)#int f0/1Switch(config-if)#switchport access vlan 10Switch(config-if)#exitSwitch(config)#int f0/2Switch(config-if)#switchport access vlan 20Switch(config-if)#exitSwitch(config)#int f0/3Switch(config-if)#switchport access vlan 20Switch(config-if)#exit3.PC机的配置PC1: IP地址: 子网掩码: 默认网关:54PC2: IP地址: 子网掩码: 默认网关:54PC3: IP地址: 子网掩码: 默认网关:544配置成功后的测试华为路由器单臂路由配置实例2009-04-05 14:20组网描述:PC-3050C-AR28-31-INTERNET组网实现:3050C上划分多个VLAN,在AR28-31上终结VLAN信息,下面的所有VLAN中的PC都可以上公网,所有的PC机都通过AR28-31分配IP地址和DNSAR28-31dis cu#sysname Quidway#FTP server enable#nat address-group 0 0 用于上公网的地址池#radius scheme system#domain system#local-user adminpassword cipher .USE=B,53Q=QMAF41!service-type telnet terminallevel 3service-type ftplocal-user huawei telnet用户,用于远程管理password simple huaweiservice-type telnetlevel 3#dhcp server ip-pool 10 为VLAN10分配IP地址network mask gateway-list dns-list 00#dhcp server ip-pool 20 为VLAN20分配IP地址network mask gateway-list dns-list 00#dhcp server ip-pool 30 为VLAN30分配IP地址network mask gateway-list dns-list 00#dhcp server ip-pool 40 为VLAN40分配IP地址network mask gateway-list dns-list 00#interface Aux0async mode flow#interface Ethernet1/0 用于与交换机的管理IP互通ip address firewall packet-filter 3000 inbound#interface Ethernet1/0.1 终结交换机上的VLAN10tcp mss 1024ip address firewall packet-filter 3000 inboundvlan-type dot1q vid 10#interface Ethernet1/0.2 终结交换机上的VLAN20tcp mss 1024ip address firewall packet-filter 3000 inboundvlan-type dot1q vid 20#interface Ethernet1/0.3 终结交换机上的VLAN30tcp mss 1024ip address firewall packet-filter 3000 inboundvlan-type dot1q vid 30#interface Ethernet1/0.4 终结交换机上的VLAN40tcp mss 1024ip address firewall packet-filter 3000 inboundvlan-type dot1q vid 40#interface Ethernet2/0ip address nat outbound 2000 address-group 0 进行私网到公网的地址转换#interface NULL0#acl number 2000 允许 这个网段的地址进行地址转换rule 0 permit source 55rule 1 deny#acl number 3000rule 0 deny udp destination-port eq tftprule 1 deny tcp destination-port eq 135rule 2 deny udp destination-port eq 135rule 3 deny udp destination-port eq netbios-nsrule 4 deny udp destination-port eq netbios-dgmrule 5 deny tcp destination-port eq 139rule 6 deny udp destination-port eq netbios-ssnrule 7 deny tcp destination-port eq 445rule 8 deny udp destination-port eq 445rule 9 deny tcp destination-port eq 539rule 10 deny udp destination-port eq 539rule 11 deny udp destination-port eq 593rule 12 deny tcp destination-port eq 593rule 13 deny udp destination-port eq 1434rule 14 deny tcp destination-port eq 4444rule 15 deny tcp destination-port eq 9996rule 16 deny tcp destination-port eq 5554rule 17 deny udp destination-port eq 9996rule 18 deny udp destination-port eq 5554rule 19 deny tcp destination-port eq 137rule 20 deny tcp destination-port eq 138rule 21 deny tcp destination-port eq 1025rule 22 deny udp destination-port eq 1025rule 23 deny tcp destination-port eq 9995rule 24 deny udp destination-port eq 9995rule 25 deny tcp destination-port eq 1068rule 26 deny udp destination-port eq 1068rule 27 deny tcp destination-port eq 1023rule 28 deny udp destination-port eq 1023#ip route-static 54 preference 60 到电信网关的缺省路由#user-interface con 0user-interface aux 0user-interface vty 0 4authentication-mode scheme#return=dis cu#sysname Quidway#radius scheme systemserver-type huaweiprimary authentication 1645primary accounting 1646user-name-format without-domaindomain systemradius-scheme systemaccess-limit disablestate activevlan-assignment-mode integeridle-cut disableself-service-url disablemessenger time disabledomain default enable system#local-server nas-ip key huaweilocal-user huawei 用于WEB网管和TELNETpassword simple huaweiservice-type telnet level 3#vlan 1#vlan 10#vlan 20#vlan 30#vlan 40#interface Vlan-interface1 管理IPip address #interface Aux0/0#interface Ethernet0/1port access vlan 10#interface Ethernet0/2port access vlan 10#interface Ethernet0/3port access vlan 10#interface Ethernet0/4port access vlan 10#interface Ethernet0/5port access vlan 10#interface Ethernet0/6port access vlan 10#interface Ethernet0/7port access vlan 10#interface Ethernet0/8port access vlan 10#interface Ethernet0/9port access vlan 10#interface Ethernet0/10port access vlan 10#interface Ethernet0/11port access vlan 20#interface Ethernet0/12port access vlan 20#interface Ethernet0/13port access vlan 20#interface Ethernet0/14port access vlan 20#interface Ethernet0/15port access vlan 20#interface Ethernet0/16port access vlan 20#interface Ethernet0/17port access vlan 20#interface Ethernet0/18port access vlan 20#interface Ethernet0/19port access vlan 20#interface Ethernet0/20port access vlan 20#interface Ethernet0/21port access vlan 30#interface Ethernet0/22port access vlan 30#interface Ethernet0/23port access vlan 30#interface Ethernet0/24port access vlan 30#interface Ethernet0/25port access vlan 30#interface Ethernet0/26port access vlan 30#interface Ethernet0/27port access vlan 30#interface Ethernet0/28port access vlan 30#interface Ethernet0/29port access vlan 30#interface Ethernet0/30port access vlan 30#interface Ethernet0/31port access vlan 40#interface Ethernet0/32port access vlan 40#interface Ethernet0/33port access vlan 40#interface Ethernet0/34port access vlan 40#interface Ethernet0/35port access vlan 40#interface Ethernet0/36port access vlan 40#interface Ethernet0/37port access vlan 40#interface Ethernet0/38port access vlan 40#interface Ethernet0/39port access vlan 40#interface Ethernet0/40port access vlan 40#interface Ethernet0/41port access vlan 40#interface Ethernet0/42port access vlan 40#interface Ethernet0/43port access vlan 40#interface Ethernet0/44port access vlan 40#interface Ethernet0/45port access vlan 40#interface Ethernet0/46port access vlan 40#interface Ethernet0/47port access vlan 40#interface Ethernet0/48 上行口port link-type trunkport trunk permit vlan 1 10 20 30 40 只允许这几个VLAN标签透传#interface NULL0#user-interface aux 0user-interface vty 0 4#return 华为路由器单臂路由实例2009-12-24 17:39需求:在局域网中,通过交换机上配置VLAN可以减少主机通信广播域的范围,当VLAN之间有部分主机需要通信,但交换机不支持三层交换时,可以采用一台支持802.1Q的路由器实现VLAN的互通。这需要在以太口上建立子接口,分配IP地址作为该VLAN的网关,同时启动802.1Q.组网:路由器E0端口与交换机的上行trunk端口(第24端口)相连,交换机下行口划分3个VLAN,带若干主机.拓扑图如下： 1.路由器的配置RouterRouterinter e0Router-Ethernet0ip add Router-Ethernet0inter e0.1 /定义子接口E0.1Router-Ethernet0.1ip add Router-Ethernet0.1vlan-type dot1q vid 1 /指定以太网子接口属于VLAN1,此命令应用在以太网子接口上。只有配置了该命令之后，以太网子接口才会根据配置的VLAN ID 号在以太网帧头中嵌入VLAN 标签，与该网口相连的交换机接口才能正确处理接收到的帧。Router-Ethernet0.1inter e0.2 /定义子接口E0.2Router-Ethernet0.2ip add Router-Ethernet0.2vlan-type dot1q vid 2 /指定以太网子接口属于VLAN2Router-Ethernet0.2inter e0.3 /定义子接口E0.3Router-Ethernet0.3ip add Router-Ethernet0.3vlan-type dot1q vid 3 /指定以太网子接口属于VLAN3Router-Ethernet0.3inter e0Router-Ethernet0undo shut% Interface Ethernet0 is upRouter-Ethernet0 /用网线将E0端口连到S3026第24端口%19:46:32: Interface Ethernet0 changed state to UP%19:46:32: Line protocol ip on interface Ethernet0, changed state to UP%19:46:32: Line protocol ip on interface Ethernet0.1, changed state to UP%19:46:32: Line protocol ip on interface Ethernet0.2, changed state to UP%19:46:32: Line protocol ip on interface Ethernet0.3, changed state to UP2.交换机的配置sysEnter system view , return user view with Ctrl+Z.Quidwayvlan 1Quidway-vlan1vlan 2Quidway-vlan2port ethernet 0/17 to eth 0/19 eth 0/22 /将第17至19端口，和第22端口加入VLAN2Quidway-vlan2vlan 3Quidway-vlan3port eth 0/21 /将第21端口加入VLAN2Quidway-vlan3inter e0/24Quidway-Ethernet0/24port link-type trunk /将第24端口设为trunk口Quidway-Ethernet0/24port trunk permit vlan all/允许所有VLAN流量通过Please wait. Done.Quidway-Ethernet0/24dis port trunk /检验TRUNK口配置Now, the following trunking ports exist:Ethernet0/24Quidway-Ethernet0/24dis vlan 2/检验VLAN2的配置VLAN ID: 2VLAN Type: staticRoute Interface: not configuredDescription: VLAN 0002Tagged Ports:Ethernet0/24Untagged Ports:Ethernet0/17 Ethernet0/18 Ethernet0/19 Ethernet0/22Quidway-Ethernet0/24dis vlan 3/检验VLAN3的配置VLAN ID: 3VLAN Type: staticRoute Interface: not configuredDescription: VLAN 0003Tagged Ports:Ethernet0/24Untagged Ports:Ethernet0/213.在工作站上检查网络是否连通。此工作站连接S3026第21端口，属于VLAN2。C:Documents and SettingsAdministratoripconfigWindows 2000 IP ConfigurationEthernet adapter 本地连接:Connection-specific DNS Suffix . :IP Address. . . . . . . . . . . . : 2Subnet Mask . . . . . . . . . . . : Default Gateway . . . . . . . . . : C:Documents and SettingsAdministratorping Pinging with 32 bytes of data:Reply from : bytes=32 time10ms TTL=255Reply from : bytes=32 time10ms TTL=255Reply from : bytes=32 time10ms TTL=255Reply from : bytes=32 time10ms TTL=255Ping statistics for :Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds:Minimum = 0ms, Maximum = 0ms, Average = 0ms4.在路由器上查看路由表。可以发现，由于172.16各网段都是直连路由，故不需启用路由协议或静态路由即能实现VLAN之间的通讯。Routerdisplay ip routing-tableRouting Tables:Destination/Mask Proto Pref Metric Nexthop Interface/24 Direct 0 0 Ethernet0/32 Direct 0 0 LoopBack0/8 Direct 0 0 LoopBack0/32 Direct 0 0 LoopBack0/24 Direct 0 0 Ethernet0.1/32 Direct 0 0 LoopBack0/24 Direct 0 0 Ethernet0.2/32 Direct 0 0 LoopBack0/24 Direct 0 0 Ethernet0.3/32 Direct 0 0 LoopBack0 华为路由器单臂路由器的配置2008-07-09 12:11设备/b：华为AR 28-11路由器、华为 S2403需求/b：1、完成LAN内的相互通信2、LAN内各PC均可访问Internet3、根据需求，要求H3C S3928交换机划分4个VLAN来隔离广播域。各设备/bIP/b地址规划：/b/b1、AR28-11路由器内网口IP地址：，外网口IP地址：2、交换机与ROUTE相连接的E1/1/3口IP地址为：3、各VLAN的IP：如下： （此IP地址作为各VLAN下属PC的网关）bvlan 1 ip address (网管)/bvlan 10 ip address vlan 20 ip address vlan 30 ip address vlan 40 ip address 具体配置：/b/b/b路由器（AR28-11）配置如下：local-user huawei1 /创建本地帐号“huawei”/#user-interface con 0 password simple huawei1 /设置密码为“huawei”/service-type terminal /设置服务类型为terminal/level 3 /设置用户优先级为3/user-interface con 0authentication-mode scheme /设置scheme认证/# user-interface vty 0 4 /创建本地帐号“huawei”/password simple huawei /设置密码为“huawei”/service-type telnet /设置服务类型为telnet/level 3 /设置用户优先级为3/interface Ethernet0/1ip address /设置内网网关/* 注：telnet 必须配置接口IPinterface NULL0#user-interface con 0user-interface vty 0 4authentication-mode scheme /设置scheme认证/#interface Ethernet0/1.1ip address vlan-type dot1q vid 10 /子接口封装为vlan10/#interface Ethernet0/1.2ip address vlan-type dot1q vid 20 /子接口封装为vlan20/#interface Ethernet0/1.3ip address vlan-type dot1q vid 30 /子接口封装为vlan30#interface Ethernet0/1.4ip address vlan-type dot1q vid 40 /子接口封装为vlan40#acl number 2000 /配置允许进行NAT转换的内网地址段/rule 0 permit source 55rule 1 deny#acl number 3000rule 0 deny tcp source-port eq 3127 rule 1 deny tcp source-port eq 1025 rule 2 deny tcp source-port eq 5554 rule 3 deny tcp source-port eq 9996 rule 4 deny tcp source-port eq 1068 rule 5 deny tcp source-port eq 135 rule 6 deny udp source-port eq 135 rule 7 deny tcp source-port eq 137 rule 8 deny udp source-port eq netbios-ns rule 9 deny tcp source-port eq 138 rule 10 deny udp source-port eq netbios-dgm rule 11 deny tcp source-port eq 139 rule 12 deny udp source-port eq netbios-ssn rule 13 deny tcp source-port eq 593 rule 14 deny tcp source-port eq 4444 rule 15 deny tcp source-port eq 5800 rule 16 deny tcp source-port eq 5900 rule 18 deny tcp source-port eq 8998 rule 19 deny tcp source-port eq 445 rule 20 deny udp source-port eq 445 rule 21 deny udp source-port eq 1434rule 30 deny tcp destination-port eq 3127rule 31 deny tcp destination-port eq 1025rule 32 deny tcp destination-port eq 5554rule 33 deny tcp destination-port eq 9996rule 34 deny tcp destination-port eq 1068rule 35 deny tcp destination-port eq 135rule 36 deny udp destination-port eq 135rule 37 deny tcp destination-port eq 137rule 38 deny udp destination-port eq netbios-nsrule 39 deny tcp destination-port eq 138rule 40 deny udp destination-port eq netbios-dgmrule 41 deny tcp destination-port eq 139rule 42 deny udp destination-port eq netbios-ssnrule 43 deny tcp destination-port eq 593rule 44 deny tcp destination-port eq 4444rule 45 deny tcp destination-port eq 5800rule 46 deny tcp destination-port eq 5900rule 48 deny tcp destination-port eq 8998rule 49 deny tcp destination-port eq 445rule 50 deny udp destination-port eq 445rule 51 deny udp destination-port eq 1434#firewall enable /使能防火墙功能/#interface Ethernet0/0ip address 48firewall packet-filter 3000 inboundfirewall packet-filter 3000 outboundnat outbound 2000#ip route-static preference 60 /配置默认路由/交换机（S2403）配置略 查看文章 华为单臂路由2009-02-17 15:10华为路由器单臂路由需求:在局域网中,通过交换机上配置VLAN可以减少主机通信广播域的范围,当VLAN之间有部分主机需要通信