Huawei ACL, DHCP and NAT configuration

ACL

Basic ACL: numbered 2000-2999

1. Matches on source IP address 2. Can be limited to a time-range 3. Default action: a packet that matches no rule is permitted when the ACL is applied with traffic-filter, so end the ACL with an explicit deny rule whenever you want deny-by-default

Advanced ACL: numbered 3000-3999

1. Matches on source and destination IP address 2. Protocol 3. Source/destination port 4. Time-range

[R]display acl all  show all ACLs

[R]display acl 2000  show ACL 2000 (its rules and step)

[R]time-range zhongwu 12:00 to 14:00 daily  define a time-range named zhongwu: 12:00 to 14:00, every day

[R]acl 2000  create basic ACL 2000

[R-acl-basic-2000]rule 5 permit source 172.16.1.0 0.0.0.255  permit the 172.16.1.0/24 subnet (0.0.0.255 is a wildcard mask: a 1 bit means "don't care")

[R-acl-basic-2000]rule 10 permit source 172.16.2.0 0.0.0.255 time-range zhongwu  permit 172.16.2.0/24 only while time-range zhongwu is active

[R-acl-basic-2000]rule 15 deny source any  deny everything else

[R]interface GigabitEthernet 0/0/0

[R-GigabitEthernet0/0/0]traffic-filter outbound acl 2000  filter traffic leaving this interface with ACL 2000

[R-acl-basic-2000]rule 4 deny source 172.16.1.2 0.0.0.0  insert a rule that blocks host 172.16.1.2 (wildcard 0.0.0.0 = exact host). Rules are evaluated in ascending rule-ID order and the first match wins, so rule 4 takes effect before the permit in rule 5; the order in which the rules were typed does not matter

[R-acl-basic-2000]rule 9 permit source 172.16.2.2 0.0.0.0  insert a rule that permits host 172.16.2.2 at any time, ahead of the time-limited rule 10

Allow only one host to telnet to the router:

[R]acl 2010

[R-acl-basic-2010]rule permit source 172.16.2.3 0  permit only 172.16.2.3 (wildcard 0 = exact host). With no rule number given, the device assigns the next multiple of the step, 5 by default, so this becomes rule 5

[R-acl-basic-2010]rule deny source any  deny everyone else (becomes rule 10)

[R]user-interface vty 0 4

[R-ui-vty0-4]user privilege level 15  sessions on these lines get management-level privilege

[R-ui-vty0-4]acl 2010 inbound  filter incoming login connections on these VTY lines with ACL 2010 (it applies to every VTY login, Telnet and SSH alike). The ACL only restricts where a login may come from; it is not authentication, so the lines still need an authentication-mode configured
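The following is an added example, not part of the original notes and not Huawei code: a small evaluator for basic ACLs that reproduces the matching semantics the ACL 2000 and ACL 2010 commands above rely on (wildcard masks, ascending rule-ID order with first match winning, automatic rule numbering by step, time-ranges, and the configurable default for unmatched packets). The two ACLs are built from the notes; the source addresses and clock values used to exercise them are constructed.

```python
"""Model of Huawei-style basic ACL matching (added example, not VRP code)."""
from dataclasses import dataclass, field
from datetime import time
import ipaddress
from typing import Dict, Optional

STEP = 5  # default rule-ID step on VRP: unnumbered rules become 5, 10, 15, ...


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 1 bit means 'don't care'.
    0.0.0.255 covers a /24; 0.0.0.0 (written as 0 on the CLI) matches one host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class TimeRange:
    """`time-range NAME HH:MM to HH:MM daily` (only the time of day is modelled)."""
    start: str  # "12:00"
    end: str    # "14:00"

    def active(self, now: str) -> bool:
        return (time.fromisoformat(self.start) <= time.fromisoformat(now)
                <= time.fromisoformat(self.end))


@dataclass
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str                 # "any" or a base address
    wildcard: str = "0.0.0.0"
    time_range: Optional[TimeRange] = None


@dataclass
class BasicAcl:
    number: int                                   # 2000-2999
    rules: Dict[int, Rule] = field(default_factory=dict)

    def rule(self, action: str, source: str, wildcard: str = "0.0.0.0",
             rule_id: Optional[int] = None,
             time_range: Optional[TimeRange] = None) -> int:
        """`rule [ID] permit|deny source X W [time-range T]`.
        Without an ID the next multiple of STEP above the largest ID is used;
        re-using an existing ID overwrites that rule."""
        if rule_id is None:
            rule_id = (max(self.rules) // STEP + 1) * STEP if self.rules else STEP
        self.rules[rule_id] = Rule(rule_id, action, source, wildcard, time_range)
        return rule_id

    def evaluate(self, src_ip: str, now: Optional[str] = None,
                 default: str = "permit") -> str:
        """Rules are tried in ascending rule-ID order; the first match wins,
        whatever order they were typed in. `default` applies when nothing
        matches: traffic-filter permits unmatched packets, which is why the
        notes end each ACL with an explicit deny."""
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r.time_range is not None:
                if now is None or not r.time_range.active(now):
                    continue                       # rule inactive at this time
            if r.source == "any" or wildcard_match(src_ip, r.source, r.wildcard):
                return r.action
        return default


def build_acl_2000(with_inserts: bool = True) -> BasicAcl:
    """ACL 2000 as configured in the notes: rules 5/10/15, then 4 and 9 inserted."""
    zhongwu = TimeRange("12:00", "14:00")
    acl = BasicAcl(2000)
    acl.rule("permit", "172.16.1.0", "0.0.0.255", rule_id=5)
    acl.rule("permit", "172.16.2.0", "0.0.0.255", rule_id=10, time_range=zhongwu)
    acl.rule("deny", "any", rule_id=15)
    if with_inserts:
        acl.rule("deny", "172.16.1.2", "0.0.0.0", rule_id=4)    # evaluated before 5
        acl.rule("permit", "172.16.2.2", "0.0.0.0", rule_id=9)  # evaluated before 10
    return acl


def build_acl_2010() -> BasicAcl:
    """ACL 2010 for the VTY lines; the unnumbered rules become 5 and 10."""
    acl = BasicAcl(2010)
    acl.rule("permit", "172.16.2.3", "0.0.0.0")   # the CLI accepts plain 0 here
    acl.rule("deny", "any")
    return acl
```

Running `build_acl_2000().evaluate("172.16.1.2")` returns "deny" even though rule 5 permits the whole subnet, because rule 4 is consulted first; the same ACL without its final deny rule would return "permit" for an address from a foreign subnet under the traffic-filter default.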

DHCP service

DHCP configuration (global address pool):

[R]dhcp enable  enable the DHCP service; without it no pool, interface pool or relay configuration takes effect

[R]ip pool VLAN1  create a global address pool named VLAN1

[R-ip-pool-VLAN1]network 172.16.1.0 mask 24  subnet the pool assigns from

[R-ip-pool-VLAN1]gateway-list 172.16.1.1  default gateway handed to clients

[R-ip-pool-VLAN1]dns-list 114.114.114.114 8.8.8.8  DNS servers handed to clients

[R-ip-pool-VLAN1]lease day 1 hour 10  lease time: 1 day 10 hours

[R-ip-pool-VLAN1]excluded-ip-address 172.16.1.2 172.16.1.20  never assign 172.16.1.2 through 172.16.1.20 automatically (keep them for statically addressed hosts)

[R]port-group VLAN1  create a port-group so several ports can be configured at once

[R-port-group-vlan1]group-member Ethernet 0/0/0 to Ethernet 0/0/4  Ethernet 0/0/0 through 0/0/4 are members

[R-port-group-vlan1]port link-type access  access ports

[R-port-group-vlan1]port default vlan 1  untagged in VLAN 1

[R]interface Vlanif 1

[R-Vlanif1]dhcp select global  answer DHCP on this interface from the global pool whose network contains the interface address

[R-Vlanif1]ip address 172.16.1.1 24  172.16.1.1/24, which selects pool VLAN1

[R]ip pool VLAN2  second pool, for VLAN 2, configured the same way

[R-ip-pool-VLAN2]network 172.16.2.0 mask 24

[R-ip-pool-VLAN2]gateway-list 172.16.2.1

[R-ip-pool-VLAN2]dns-list 114.114.114.114

[R-ip-pool-VLAN2]lease day 1

[R-ip-pool-VLAN2]excluded-ip-address 172.16.2.2 172.16.2.20

[R]port-group VLAN2  add its member ports with group-member as for VLAN1

[R-port-group-vlan2]port link-type access

[R-port-group-vlan2]port default vlan 2

[R]interface Vlanif 2

[R-Vlanif2]dhcp select global

[R-Vlanif2]ip address 172.16.2.1 24

Configuring DHCP on an interface (interface address pool):

[R]interface Ethernet 0/0/7

[R-Ethernet0/0/7]port link-type access

[R-Ethernet0/0/7]port default vlan 3  this port belongs to VLAN 3

[R]interface Vlanif 3

[R-Vlanif3]ip address 192.168.3.1 24  the interface pool is derived from this address: 192.168.3.0/24 with 192.168.3.1 as gateway

[R-Vlanif3]dhcp select interface  enable the interface address pool

[R-Vlanif3]dhcp server dns-list 114.114.114.114  DNS servers for this pool

[R-Vlanif3]dhcp server lease day 1  lease time for this pool

[R-Vlanif3]dhcp server excluded-ip-address 192.168.3.2 192.168.3.20  addresses this pool never assigns

Assigning addresses across subnets (DHCP relay):

The DHCP server R holds a global pool for a subnet it is not directly connected to; the relay R1 sits on that subnet and forwards the clients' broadcasts to the server as unicast.

[R]ip pool remoteVLAN8  pool for the remote subnet, defined on the server

[R-ip-pool-remoteVLAN8]network 20.1.1.0 mask 24

[R-ip-pool-remoteVLAN8]gateway-list 20.1.1.1  the relay's interface address on that subnet

[R-ip-pool-remoteVLAN8]dns-list 114.114.114.114

[R-ip-pool-remoteVLAN8]lease day 2

[R-ip-pool-remoteVLAN8]excluded-ip-address 20.1.1.2 20.1.1.20

[R]interface GigabitEthernet 0/0/1  the server interface that receives the relayed requests

[R-GigabitEthernet0/0/1]dhcp select global  the server picks the pool whose network contains the relay agent address (giaddr, here 20.1.1.1) carried in the relayed request, so a pool for a subnet the server does not sit on works. The server also needs a route back to 20.1.1.0/24

Then configure the DHCP relay:

[R1]dhcp enable

[R1]interface Vlanif 1

[R1-Vlanif1]dhcp select relay  act as DHCP relay on this interface

[R1-Vlanif1]dhcp relay server-ip 10.10.10.1  forward client requests to the DHCP server at 10.10.10.1

[R1-Vlanif1]ip address 20.1.1.1 24  this address is the giaddr the server uses to select pool remoteVLAN8, and it is also the gateway-list address that pool hands out

Reserving an address for a specific host:

[R]ip pool VLAN1

[R-ip-pool-VLAN1]static-bind ip-address 172.16.1.88 mac-address 5489-98F9-0795  always lease 172.16.1.88 to the client with MAC 5489-98F9-0795; the address must lie inside the pool's network and outside its excluded ranges

Releasing an address that has already been assigned:

[R]dhcp relay release 172.16.1.253 5489-98C1-0880  issued on the relay: it sends a DHCP RELEASE for this address/MAC pair to the server on the client's behalf. On the server itself the lease is cleared from user view with reset ip pool name VLAN1 172.16.1.253
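An added example, not from the original notes and not Huawei code, of how an `ip pool` hands out leases under the settings configured above: the gateway, the excluded-ip-address ranges and any static-bind address are never given to other clients, a statically bound MAC always receives its reserved address, a renewing client keeps its address, and an exhausted pool returns nothing. Pool VLAN1 is taken from the notes; the small /29 pool and all MAC addresses are constructed to show exhaustion in a few steps.

```python
"""Model of a Huawei-style DHCP address pool (added example, not VRP code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class IpPool:
    """An `ip pool`; lease_seconds mirrors `lease day D hour H`."""

    def __init__(self, name: str, network: str, gateway: str,
                 lease_seconds: int) -> None:
        self.name = name
        self.network = ipaddress.IPv4Network(network)
        self.gateway = IPv4(gateway)
        self.lease_seconds = lease_seconds
        self.excluded: List[Tuple[IPv4, IPv4]] = []
        self.static: Dict[str, IPv4] = {}      # mac -> reserved address
        self.leases: Dict[IPv4, str] = {}      # address -> mac

    def excluded_ip_address(self, start: str, end: Optional[str] = None) -> None:
        """`excluded-ip-address START [END]`."""
        s = IPv4(start)
        self.excluded.append((s, IPv4(end) if end else s))

    def static_bind(self, ip: str, mac: str) -> None:
        """`static-bind ip-address IP mac-address MAC`: the address has to be
        inside the pool's network and outside the excluded ranges."""
        addr = IPv4(ip)
        if addr not in self.network or self._excluded(addr):
            raise ValueError(f"{ip} is not assignable from pool {self.name}")
        self.static[mac.upper()] = addr

    def _excluded(self, addr: IPv4) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.excluded)

    def _dynamic_candidate(self, addr: IPv4) -> bool:
        """Addresses the pool may still hand to an arbitrary client."""
        return (addr != self.gateway and not self._excluded(addr)
                and addr not in self.static.values()
                and addr not in self.leases)

    def allocate(self, mac: str) -> Optional[str]:
        """Lease an address to MAC, or return None when the pool is exhausted."""
        mac = mac.upper()
        for addr, owner in self.leases.items():
            if owner == mac:
                return str(addr)                  # renewal keeps the address
        if mac in self.static:
            addr = self.static[mac]               # reserved address
        else:
            addr = next((a for a in self.network.hosts()
                         if self._dynamic_candidate(a)), None)
            if addr is None:
                return None                       # pool exhausted
        self.leases[addr] = mac
        return str(addr)

    def release(self, ip: str) -> None:
        """A client DHCP RELEASE or `reset ip pool`: the address becomes free."""
        self.leases.pop(IPv4(ip), None)

    def free_count(self) -> int:
        return sum(1 for a in self.network.hosts() if self._dynamic_candidate(a))


def vlan1_pool() -> IpPool:
    """Pool VLAN1 as configured in the notes (lease 1 day 10 hours)."""
    pool = IpPool("VLAN1", "172.16.1.0/24", "172.16.1.1", 1 * 86400 + 10 * 3600)
    pool.excluded_ip_address("172.16.1.2", "172.16.1.20")
    pool.static_bind("172.16.1.88", "5489-98F9-0795")
    return pool


def tiny_pool() -> IpPool:
    """Constructed /29 pool: hosts .1-.6, gateway .1, .2 excluded, .5 reserved,
    so only .3, .4 and .6 can be assigned dynamically."""
    pool = IpPool("TINY", "192.168.3.0/29", "192.168.3.1", 86400)
    pool.excluded_ip_address("192.168.3.2")
    pool.static_bind("192.168.3.5", "0000-0000-0005")
    return pool
```

With pool VLAN1 the first dynamic client receives 172.16.1.21, since .1 is the gateway and .2 through .20 are excluded; the tiny pool shows that after three clients the fourth gets no lease until one of them releases, while the statically bound client is unaffected.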

NAT (network address translation)

Each NAT example below starts from a fresh ACL 2000; on a device that already has an ACL 2000, the rule commands add to or overwrite the existing rules by ID.

Static NAT:

Static NAT maps one public address to one private address, one-to-one, on the router. The mapping works in both directions: the inside host is reachable from the Internet at its public address on every port, so use it only for hosts that are meant to be exposed.

[R]interface GigabitEthernet 0/0/0  enter the interface facing the public network (the LAN's egress)

[R-GigabitEthernet0/0/0]nat static global 10.10.10.4 inside 172.16.1.2 netmask 255.255.255.255  172.16.1.2 appears on the outside as 10.10.10.4

[R-GigabitEthernet0/0/0]nat static global 10.10.10.3 inside 172.16.2.2 netmask 255.255.255.255  172.16.2.2 appears on the outside as 10.10.10.3

NAPT and dynamic NAT:

[R]nat address-group 1 10.10.10.1 10.10.10.5  define NAT address group 1 with the public addresses 10.10.10.1 through 10.10.10.5 (do not reuse addresses already taken by static NAT mappings)

[R]acl 2000  the ACL selects which traffic is translated

[R-acl-basic-2000]rule 5 permit source 172.16.1.0 0.0.0.255  translate traffic from 172.16.1.0/24

[R-acl-basic-2000]rule 10 deny source any  everything else is left untranslated. A deny in a NAT ACL does not drop the traffic, it only exempts it from translation; to block it, use traffic-filter

[R]interface GigabitEthernet 0/0/0

[R-GigabitEthernet0/0/0]nat outbound 2000 address-group 1  translate ACL 2000 traffic to group 1 with NAPT: ports are translated as well, so many inside hosts share each public address

[R-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat  the alternative: dynamic NAT without port translation. Each inside host occupies a whole public address while active, so five addresses serve at most five hosts at a time. Configure one of the two forms for a given ACL and interface, not both

Easy IP is also NAPT but needs no address group:

[R]acl 2000

[R-acl-basic-2000]rule 5 permit source 172.16.1.0 0.0.0.255

[R-acl-basic-2000]rule 10 deny source any

[R]interface GigabitEthernet 0/0/0

[R-GigabitEthernet0/0/0]nat outbound 2000  Easy IP: translate to the address of the outbound interface itself; use it when only one public address is available

Port mapping (NAT server) so that hosts on the Internet can reach internal servers:

[R]acl 2000

[R-acl-basic-2000]rule 3 permit source 172.16.3.0 0.0.0.255

[R-acl-basic-2000]rule 4 permit source 172.16.2.0 0.0.0.255

[R-acl-basic-2000]rule 5 permit source 172.16.1.0 0.0.0.255

[R-acl-basic-2000]rule 10 deny source any

[R]interface GigabitEthernet 0/0/1

[R-GigabitEthernet0/0/1]nat outbound 2000  outbound Easy IP for the three internal subnets

[R-GigabitEthernet0/0/1]nat server protocol tcp global 192.168.37.3 80 inside 172.16.3.2 80  TCP connections to 192.168.37.3:80 are forwarded to 172.16.3.2:80

[R-GigabitEthernet0/0/1]nat server protocol tcp global 192.168.37.3 8899 inside 172.16.3.3 80  a second web server behind the same public address, reached on public port 8899

The mapping can also use the interface's current address:

[R-GigabitEthernet0/0/1]nat server protocol tcp global current-interface www inside 172.16.3.3 80  current-interface means whatever address GigabitEthernet 0/0/1 has at the time (useful when the WAN address is assigned dynamically); www is the keyword for TCP port 80. It cannot coexist with the explicit 192.168.37.3 80 mapping above, since both claim the same public address and port. A nat server mapping opens only the mapped protocol and port, but opens it to the whole Internet; anything not explicitly mapped stays unreachable from outside
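An added example, not from the original notes and not Huawei code, modelling the outbound NAT modes and the NAT server mappings configured above. It shows NAPT sharing the five addresses of group 1 among more than five hosts, the same group with no-pat refusing a sixth host, Easy IP translating to the interface address, a deny in the NAT ACL leaving traffic untranslated instead of dropping it, and the inbound destination rewrite done by nat server. The address group, ACL and mappings come from the notes; the flows, the global port numbering and the order in which pool addresses are picked are constructed.

```python
"""Model of Huawei outbound NAT modes and nat server (added example, not VRP code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


def acl_2000_permits(src_ip: str) -> bool:
    """ACL 2000 of the NAPT example: permit 172.16.1.0/24, deny everything else."""
    return ipaddress.IPv4Address(src_ip) in ipaddress.IPv4Network("172.16.1.0/24")


def address_group(start: str, end: str) -> List[str]:
    """`nat address-group 1 START END` expanded to a list of addresses."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class OutboundNat:
    """`nat outbound ACL [address-group G [no-pat]]` on one interface."""

    def __init__(self, mode: str, interface_ip: str,
                 pool: Optional[List[str]] = None) -> None:
        if mode not in ("napt", "no-pat", "easy-ip"):
            raise ValueError(mode)
        if mode != "easy-ip" and not pool:
            raise ValueError("napt and no-pat need an address group")
        self.mode = mode
        self.interface_ip = interface_ip
        self.pool = pool or []
        self.bindings: Dict[str, str] = {}                          # no-pat: inside -> global
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}  # napt/easy-ip
        self.next_port = 1024                                       # constructed allocator

    def translate(self, flow: Flow) -> Tuple[Optional[Flow], str]:
        """Return (flow as it leaves the interface, what happened); None = dropped."""
        src, sport, dst, dport = flow
        if not acl_2000_permits(src):
            # deny in a NAT ACL only exempts the packet from translation;
            # it is still forwarded, private source address and all
            return flow, "not translated"
        if self.mode == "no-pat":
            g = self.bindings.get(src)
            if g is None:
                free = [a for a in self.pool if a not in self.bindings.values()]
                if not free:
                    return None, "pool exhausted"
                g = free[0]
                self.bindings[src] = g
            return (g, sport, dst, dport), "dynamic NAT"
        key = (src, sport)
        if key not in self.sessions:
            if self.mode == "easy-ip":
                g = self.interface_ip
            else:
                g = self.pool[len(self.sessions) % len(self.pool)]
            self.sessions[key] = (g, self.next_port)
            self.next_port += 1
        g, gp = self.sessions[key]
        return (g, gp, dst, dport), "napt"


class NatServer:
    """`nat server protocol tcp global G GP inside I IP`; current-interface
    resolves to the interface's own address."""

    def __init__(self, interface_ip: str) -> None:
        self.interface_ip = interface_ip
        self.mappings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add(self, global_ip: str, global_port: int,
            inside_ip: str, inside_port: int) -> None:
        if global_ip == "current-interface":
            global_ip = self.interface_ip
        self.mappings[(global_ip, global_port)] = (inside_ip, inside_port)

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Destination rewrite for a TCP packet arriving from the Internet."""
        return self.mappings.get((dst_ip, dst_port))


def nat_server_from_notes() -> NatServer:
    """The two explicit mappings on GigabitEthernet 0/0/1 in the notes."""
    ns = NatServer("192.168.37.3")
    ns.add("192.168.37.3", 80, "172.16.3.2", 80)
    ns.add("192.168.37.3", 8899, "172.16.3.3", 80)
    return ns
```

Ten hosts from 172.16.1.0/24 all get translated under NAPT, each to a distinct public address and port pair; under no-pat the sixth host is dropped as soon as the five addresses are bound, and a host from 172.16.2.0/24 leaves the interface with its private address intact in every mode because the ACL denies it.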