  • Routing and Switching Comprehensive Lab

    2019-12-09 23:46:13


    SW1
    SW1>en
    SW1#conf t
    SW1(config)#vl 10
    SW1(config-vlan)#vl 20
    SW1(config-vlan)#exit
    SW1(config)#int f0/1
    SW1(config-if)#sw acc vl 10
    SW1(config-if)#int f0/2
    SW1(config-if)#sw acc vl 20
    SW1(config-if)#exit
    SW1(config)#int f0/24
    SW1(config-if)#sw mo trunk

    SW2
    SW2>en
    SW2#conf t
    SW2(config)#vl 10
    SW2(config-vlan)#vl 20
    SW2(config-vlan)#exit
    SW2(config)#int f0/1
    SW2(config-if)#sw acc vl 10
    SW2(config-if)#int f0/2
    SW2(config-if)#sw acc vl 20
    SW2(config-if)#int f0/24
    SW2(config-if)#sw mo trunk

    SW3
    Switch>enable
    Switch#configure terminal
    Switch(config)#vl 10
    Switch(config-vlan)#vl 20
    Switch(config)#int f0/24
    Switch(config-if)#sw mo trunk
    Switch(config-if)#int f0/23
    Switch(config-if)#sw mo trunk
    Switch(config-if)#int vl 10
    Switch(config-if)#ip add 192.168.10.254 255.255.255.0
    Switch(config-if)#int vl 20
    Switch(config-if)#ip add 192.168.20.254 255.255.255.0
    Switch(config-if)#exit
    Switch(config)#int f0/1
    Switch(config-if)#no switchport
    Switch(config-if)#ip add 172.16.100.1 255.255.255.0
    Switch(config-if)#exit
    Switch(config)#ip routing
    Switch(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.2

    R1
    BR1>enable
    BR1#configure terminal
    BR1(config)#interface FastEthernet0/1
    BR1(config-if)#ip address 172.16.100.2 255.255.255.252
    BR1(config-if)#exit
    BR1(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.1
    BR1(config-if)#exit
    BR1(config)#interface FastEthernet0/0
    BR1(config-if)#ip address 220.101.224.1 255.255.255.252

  • Huawei Routing and Switching Comprehensive Lab (IA Stage)

    Lab topology

    [Figure: lab topology]

    Lab requirements

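    1. Plan the IP addresses and VLANIF addresses according to the topology (PC1 belongs to Operations, PC2 to Marketing, PC3 to Finance and PC4 to the Technical department). Give each VLAN a description so the VLANs can be told apart; the departments are isolated from one another.
    2. The head office and the branch office each run a dynamic routing protocol (as shown in the figure).
    3. No routing protocol packets may appear on the service subnets of the head office or the branch office.
    4. PC3 and PC4 are dual-homed to Switch4 and Switch5 through Switch7. To keep user services uninterrupted, configure gateway backup on Switch4 and Switch5.
      Under normal conditions PC3 uses Switch4 as its default gateway and PC4 uses Switch5 as its default gateway, giving redundant gateways.
      After a failed switch recovers, it preempts after a 20-second delay to become Master again and carry traffic.
    5. Switch4, Switch7 and Switch5 run MSTP. PC3 traffic goes through Switch4 and PC4 traffic through Switch5, each acting as backup for the other. Ports connected to PCs enter the forwarding state as soon as they come up and do not take part in spanning-tree calculation.
    6. R1 and R3 run Easy IP; only the Marketing and Technical departments may access the external network (Loopback0 on R2 simulates a public address).
    7. Configure link aggregation between Switch4 and Switch5 to increase link bandwidth and reliability.
    8. AR6 must not be able to access PC3 or PC4 (ACL).
    9. R3 enables the Telnet service; only AR6 (the network management device, simulating a PC) may manage it remotely (advanced ACL).
    10. The egress routers (R1 and R3) configure a default route pointing to the Internet and advertise it into the private network.
    11. For security, the head-office egress router R3 and the carrier device R2 use PPP authentication (CHAP); the username is runtime and the password is huawei.
    12. The branch egress router R1 and the carrier device R2 use PPP authentication (PAP); the username is aaa and the password is bbb.
    13. Enable mutual access between the head office and the branch office (optional).

    Lab steps

    1. Plan the IP addresses and VLANIF addresses according to the topology

    LSW6 configuration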
    [Huawei]int e0/0/3
    [Huawei-Ethernet0/0/3]port link-type access 
    [Huawei-Ethernet0/0/3]port default vlan 10
    
    [Huawei-Ethernet0/0/3]int e0/0/4
    [Huawei-Ethernet0/0/4]port link-type access 
    [Huawei-Ethernet0/0/4]port default vlan 20
    
    [Huawei-Ethernet0/0/4]int e0/0/1    
    [Huawei-Ethernet0/0/1]port link-type trunk 
    [Huawei-Ethernet0/0/1]port trunk allow-pass vlan 10 20
    [Huawei-Ethernet0/0/1]port trunk pvid vlan 10
    
    [Huawei-Ethernet0/0/1]int e0/0/2
    [Huawei-Ethernet0/0/2]port link-type trunk 
    [Huawei-Ethernet0/0/2]port trunk allow-pass vlan 10 20
    [Huawei-Ethernet0/0/2]port trunk pvid vlan 20
    [Huawei-vlan10]description yun ying  // VLAN label: "yun ying" (Operations) //
    [Huawei-vlan20]description shi chang  // VLAN label: "shi chang" (Marketing) //

    LSW1 configuration

    [Huawei]vlan batch 10 30
    
    [Huawei-GigabitEthernet0/0/1]port link-type trunk
    [Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 10
    [Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
    [Huawei]int vlan 10
    [Huawei-Vlanif10]ip address 192.168.1.254 24

    LSW2 configuration

    [Huawei]vlan batch 20 40
    [Huawei-GigabitEthernet0/0/1]port link-type trunk
    [Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 20
    [Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
    [Huawei]int vlan 20
    [Huawei-Vlanif20]ip address 192.168.2.254 24
    Connectivity test

    PC1 pings SW1; PC2 pings SW2

    PC>ping 192.168.1.254
    
    Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.254: bytes=32 seq=1 ttl=255 time=93 ms
    From 192.168.1.254: bytes=32 seq=2 ttl=255 time=32 ms
    From 192.168.1.254: bytes=32 seq=3 ttl=255 time=31 ms
    From 192.168.1.254: bytes=32 seq=4 ttl=255 time=31 ms
    From 192.168.1.254: bytes=32 seq=5 ttl=255 time=16 ms
    
    --- 192.168.1.254 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 16/40/93 ms
    PC>ping 192.168.2.254
    
    Ping 192.168.2.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.2.254: bytes=32 seq=1 ttl=255 time=47 ms
    From 192.168.2.254: bytes=32 seq=2 ttl=255 time=31 ms
    From 192.168.2.254: bytes=32 seq=3 ttl=255 time=31 ms
    From 192.168.2.254: bytes=32 seq=4 ttl=255 time=31 ms
    From 192.168.2.254: bytes=32 seq=5 ttl=255 time=32 ms
    
    --- 192.168.2.254 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 31/34/47 ms

    2. PC1 and PC2 cannot reach each other, so the departments are isolated

    PC>ping 192.168.2.1
    
    Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    
    --- 192.168.2.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss
    On SW1, assign the interface to its VLAN and configure the VLANIF
    [Huawei]int g0/0/4
    [Huawei-GigabitEthernet0/0/4]port link-type access
    [Huawei-GigabitEthernet0/0/4]port default vlan 30
    [Huawei-GigabitEthernet0/0/4]int vlan 30
    [Huawei-Vlanif30]ip address 192.168.3.1 24
    On SW2, assign the interface to its VLAN and configure the VLANIF
    [Huawei]int g0/0/4  
    [Huawei-GigabitEthernet0/0/4]port link-type access 
    [Huawei-GigabitEthernet0/0/4]port default vlan 40
    [Huawei-GigabitEthernet0/0/4]int vlan 40
    [Huawei-Vlanif40]ip address 192.168.4.1 24

    3. PC1 must not access PC2: define an ACL

    LSW1

    [Huawei-acl-adv-3000]rule 5 deny ip source 192.168.1.1 0 destination 192.168.2.1 0
    [Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

    LSW2

    [Huawei-acl-adv-3000]rule 5 deny ip source 192.168.2.1 0 destination 192.168.1.1 0
    [Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
    PC1 and PC2 can no longer reach each other; the policy has taken effect
    PC>ping 192.168.2.1
    
    Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    
    --- 192.168.2.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

    4. The branch office runs RIP

    Configure the IP addresses on AR1 and run RIP
    [Huawei]rip 
    [Huawei-rip-1]ver 2 
    [Huawei-rip-1]undo summary 
    [Huawei-rip-1]network 192.168.3.0
    [Huawei-rip-1]network 192.168.4.0

    Configure RIP on SW1

    [Huawei]rip 
    [Huawei-rip-1]ver 2 
    [Huawei-rip-1]network 192.168.1.0 
    [Huawei-rip-1]network 192.168.3.0
    [Huawei-rip-1]undo summary

    Configure RIP on SW2

    [Huawei]rip 
    [Huawei-rip-1]ver 2
    [Huawei-rip-1]undo summary 
    [Huawei-rip-1]network 192.168.2.0
    [Huawei-rip-1]network 192.168.4.0

    Plan VLAN membership

    SW7 VLAN configuration

    [Huawei]vlan batch 10 20
    [Huawei]int e0/0/3
    [Huawei-Ethernet0/0/3]port link-type access 
    [Huawei-Ethernet0/0/3]port default vlan 10 
    
    [Huawei-Ethernet0/0/3]int e0/0/4
    [Huawei-Ethernet0/0/4]port link-type access 
    [Huawei-Ethernet0/0/4]port default vlan 20
    
    [Huawei]int e0/0/5
    [Huawei-Ethernet0/0/5]port link-type trunk 
    [Huawei-Ethernet0/0/5]port trunk allow-pass vlan all
    
    [Huawei-Ethernet0/0/5]int e0/0/2
    [Huawei-Ethernet0/0/2]port link-type trunk 
    [Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
    
    [Huawei]int vlan 10
    [Huawei-Vlanif10]description cai wu // VLAN label: "cai wu" (Finance) //
    [Huawei-Vlanif10]int vlan 20
    [Huawei-Vlanif20]description ji shu // VLAN label: "ji shu" (Technical) //

    LSW4

    [Huawei]int g0/0/4
    [Huawei-GigabitEthernet0/0/4]port link-type trunk
    [Huawei-GigabitEthernet0/0/4] port trunk allow-pass vlan all

    LSW5

    [Huawei]int g0/0/1
    [Huawei-GigabitEthernet0/0/1]port link-type trunk
    [Huawei-GigabitEthernet0/0/1] port trunk allow-pass vlan all

    5. The head office runs OSPF

    Configure OSPF area 1

    SW4

    ospf 1
     area 1
      network 172.19.1.0 0.0.0.255
      network 172.16.1.0 0.0.0.255
      network 172.16.2.0 0.0.0.255

    SW5

    ospf 1
     area 1
      network 172.20.1.0 0.0.0.255
      network 172.16.1.0 0.0.0.255
      network 172.16.2.0 0.0.0.255

    AR5

    ospf 1 
     area 1
      network 172.19.1.0 0.0.0.255 
      network 172.20.1.0 0.0.0.255 
    Configure OSPF area 0
    ospf 1 
     area 0 
      network 172.17.1.0 0.0.0.255 
      network 172.18.1.0 0.0.0.255

    AR6

    ospf 1 
     area 0
      network 172.18.1.0 0.0.0.255 

    AR3

    ospf 1 
     area 0 
      network 172.17.1.0 0.0.0.255 

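    6. No routing protocol packets on the head-office and branch service subnets

    Configure silent interfaces in the RIP domain

    Silent interface on SW1

    [Huawei-rip-1]silent-interface g0/0/1 // configure a silent interface //

    Silent interface on SW2

    [Huawei-rip-1]silent-interface g0/0/1 // configure a silent interface //
    Configure silent interfaces in the OSPF domain

    Silent interface on SW4

    [Huawei-ospf-1]silent-interface g0/0/4  // configure a silent interface //

    Silent interface on SW5

    [Huawei-ospf-1]silent-interface g0/0/1 // configure a silent interface //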

    7. Configure link aggregation between SW4 and SW5: create the aggregation group

    LSW4

    [Huawei]int Eth-Trunk 1
    [Huawei-Eth-Trunk1]trunkport g0/0/2
    [Huawei-Eth-Trunk1]trunkport g0/0/5
    [Huawei-Eth-Trunk1]trunkport g0/0/1
    [Huawei-Eth-Trunk1]port link-type trunk 
    [Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

    LSW5

    [Huawei]int Eth-Trunk 1
    [Huawei-Eth-Trunk1]trunkport g0/0/2
    [Huawei-Eth-Trunk1]trunkport g0/0/5
    [Huawei-Eth-Trunk1]trunkport g0/0/1
    [Huawei-Eth-Trunk1]port link-type trunk 
    [Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20
    View the link aggregation group
    [Huawei]dis eth-trunk 1
    Eth-Trunk1's state information is:
    WorkingMode: NORMAL         Hash arithmetic: According to SIP-XOR-DIP         
    Least Active-linknumber: 1  Max Bandwidth-affected-linknumber: 8              
    Operate status: up          Number Of Up Port In Trunk: 3                     
    --------------------------------------------------------------------------------
    PortName                      Status      Weight 
    GigabitEthernet0/0/1          Up          1      
    GigabitEthernet0/0/2          Up          1      
    GigabitEthernet0/0/5          Up          1      

    8. SW4, SW7 and SW5 run MSTP; PC3 traffic goes through Switch4 and PC4 traffic through Switch5, each acting as backup for the other

    Configuration on SW4

    [Huawei]stp region-configuration
    [Huawei-mst-region]region-name chen
    [Huawei-mst-region]instance 1 vlan 10
    [Huawei-mst-region]instance 2 vlan 20
    [Huawei-mst-region]active region-configuration
    [Huawei]stp instance 1 root primary

    Configuration on SW5

    [Huawei]stp region-configuration
    [Huawei-mst-region]region-name chen
    [Huawei-mst-region]instance 1 vlan 10
    [Huawei-mst-region]instance 2 vlan 20
    [Huawei-mst-region]active region-configuration
    [Huawei]stp instance 2 root primary

    Configuration on SW7

    [Huawei]stp region-configuration
    [Huawei-mst-region]region-name chen
    [Huawei-mst-region]instance 1 vlan 10
    [Huawei-mst-region]instance 2 vlan 20
    [Huawei-mst-region]active region-configuration

    9. Configure edge ports on SW7: ports connected to PCs enter the forwarding state as soon as they come up and do not take part in spanning-tree calculation

    [Huawei]int e0/0/3
    [Huawei-Ethernet0/0/3]stp edged-port enable 
    [Huawei-Ethernet0/0/3]int e0/0/4
    [Huawei-Ethernet0/0/4]stp edged-port enable 

    10. VRRP configuration

    LSW4

    [Huawei]int vlan 10
    [Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
    [Huawei-Vlanif10]vrrp vrid 1 priority 150
    [Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20  // after recovery, preempt back to Master after a 20-second delay //
    [Huawei-Vlanif10]int vlan 20
    [Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254

    LSW5

    [Huawei-Vlanif20]int vlan 10
    [Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
    [Huawei-Vlanif10]int vlan 20
    [Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254
    [Huawei-Vlanif20]vrrp vrid 2 priority 150
    [Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer delay 20 // after recovery, preempt back to Master after a 20-second delay //
    Check VRRP
    Check the master/backup state on SW4
    [Huawei-Vlanif20]dis vrrp brief
    VRID  State        Interface                Type     Virtual IP     
    ----------------------------------------------------------------
    1     Master       Vlanif10                 Normal   172.16.1.254   
    2     Backup       Vlanif20                 Normal   172.16.2.254   
    ----------------------------------------------------------------
    Total:2     Master:1     Backup:1     Non-active:0     
    PC3 pings PC4 to test connectivity
    PC>ping 172.16.2.1
    
    Ping 172.16.2.1: 32 data bytes, Press Ctrl_C to break
    From 172.16.2.1: bytes=32 seq=1 ttl=127 time=203 ms
    From 172.16.2.1: bytes=32 seq=2 ttl=127 time=94 ms
    From 172.16.2.1: bytes=32 seq=3 ttl=127 time=109 ms
    From 172.16.2.1: bytes=32 seq=4 ttl=127 time=109 ms
    From 172.16.2.1: bytes=32 seq=5 ttl=127 time=78 ms
    
    --- 172.16.2.1 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 78/118/203 ms

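    11. The egress routers (R1 and R3) configure a default route pointing to the Internet and advertise it into the private network

    Configure a default route on AR3
    [Huawei]ip route-static 0.0.0.0 0 200.100.2.2
    [Huawei-ospf-1]default-route-advertise // advertise the default route //
    View the OSPF routing table on SW5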
    [Huawei]dis ip routing-table protocol ospf 
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : OSPF
             Destinations : 5        Routes : 8        
    
    OSPF routing table status : <Active>
             Destinations : 5        Routes : 8
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
            0.0.0.0/0   O_ASE   150  1           D   172.20.1.2      Vlanif60
       172.16.1.254/32  OSPF    10   2           D   172.16.1.252    Vlanif10
                        OSPF    10   2           D   172.16.2.252    Vlanif20
         172.17.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
         172.18.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
         172.19.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
                        OSPF    10   2           D   172.16.1.252    Vlanif10
                        OSPF    10   2           D   172.16.2.252    Vlanif20
    
    OSPF routing table status : <Inactive>
             Destinations : 0        Routes : 0

    12. Configure a default route on AR1 and originate it into RIP

    [Huawei]ip route-static 0.0.0.0 0 200.100.1.2
    [Huawei-rip-1]default-route originate
    In SW1's routing table, the default route toward the outside has been learned
    [Huawei]dis ip routing-table protocol rip 
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : RIP
             Destinations : 3        Routes : 3        
    
    RIP routing table status : <Active>
             Destinations : 3        Routes : 3
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
            0.0.0.0/0   RIP     100  1           D   192.168.3.2     Vlanif30
        192.168.2.0/24  RIP     100  2           D   192.168.3.2     Vlanif30
        192.168.4.0/24  RIP     100  1           D   192.168.3.2     Vlanif30
    
    RIP routing table status : <Inactive>
             Destinations : 0        Routes : 0
    

    13. AR6 must not access PC3 or PC4

    Define an advanced ACL on AR5
    [Huawei]acl 3000
    [Huawei-acl-adv-3000]rule 5 deny ip source 172.18.1.2 0 destination 172.16.1.1 0
    [Huawei-acl-adv-3000]rule 10 deny ip source 172.18.1.2 0 destination 172.16.2.1 0
    [Huawei]int g0/0/1
    [Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
    [Huawei-GigabitEthernet0/0/1]int g0/0/2
    [Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 3000
    Ping PC3 and PC4 from AR6: they are no longer reachable
    [AR6]ping 172.16.1.1
      PING 172.16.1.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 172.16.1.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
    [AR6]ping 172.16.2.1
      PING 172.16.2.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 172.16.2.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

    14. R3 enables the Telnet service; only AR6 (the network management device, simulating a PC) may manage it remotely

    [AR3]acl 3001
    [AR3-acl-adv-3001]rule 5 permit tcp source 172.18.1.2 0 destination 172.17.1.2 0 destination-port eq 23
    [AR3-acl-adv-3001]rule 6 deny tcp source any destination 172.17.1.2 0 destination-port eq 23
    Only AR6 can telnet to R3; the ACL policy is in effect
    <AR6>telnet 172.17.1.2
      Press CTRL_] to quit telnet mode
      Trying 172.17.1.2 ...
      Connected to 172.17.1.2 ...
    
    Login authentication
    
    
    Username:
    Testing Telnet to R3 from AR5 shows that the connection is refused
    <Huawei>telnet 172.17.1.2
      Press CTRL_] to quit telnet mode
      Trying 172.17.1.2 ...

    15. R1 and R3 run Easy IP; only the Marketing and Technical departments may access the external network

    Configuration on AR1

    [Huawei]acl 2000
    [Huawei-acl-basic-2000]rule 5 permit source 192.168.2.1 0
    [Huawei-acl-basic-2000]int s4/0/0
    [Huawei-Serial4/0/0]nat outbound 2000

    Configuration on AR3

    [AR3]acl 2000
    [AR3-acl-basic-2000]rule 5 permit source 172.16.2.1 0
    [AR3-acl-basic-2000]int s4/0/1
    [AR3-Serial4/0/1]nat outbound 2000
    PC2 pings the public address
    PC>ping 2.2.2.2
    
    Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
    From 2.2.2.2: bytes=32 seq=1 ttl=253 time=110 ms
    From 2.2.2.2: bytes=32 seq=2 ttl=253 time=78 ms
    From 2.2.2.2: bytes=32 seq=3 ttl=253 time=62 ms
    From 2.2.2.2: bytes=32 seq=4 ttl=253 time=79 ms
    From 2.2.2.2: bytes=32 seq=5 ttl=253 time=62 ms
    
    --- 2.2.2.2 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 62/78/110 ms

    16. PPP authentication (CHAP) between the head-office egress router R3 and the carrier device R2

    Configure AR2 as the CHAP authenticator
    [Huawei]aaa
    [Huawei-aaa]local-user runtime password cipher huawei
    [Huawei-aaa]local-user runtime service-type ppp
    [Huawei-Serial4/0/1]link-protocol ppp
    [Huawei-Serial4/0/1]ppp authentication-mode chap
    [Huawei-Serial4/0/1]ip address 200.100.2.1 30
    Configure AR3 as the authenticated peer
    [Huawei]int s4/0/1
    [Huawei-Serial4/0/1]ppp chap user runtime
    [Huawei-Serial4/0/1]ppp chap password cipher huawei
    [Huawei-Serial4/0/1]ip address 200.100.2.2 30

    17. PPP authentication (PAP) between the branch egress router R1 and the carrier device R2

    Configure AR1 as the PAP authenticator
    [Huawei]aaa
    [Huawei-aaa]local-user aaa password cipher bbb
    [Huawei-aaa]local-user aaa service-type ppp
    [Huawei-aaa]int s4/0/0
    [Huawei-Serial4/0/0]ppp authentication-mode pap
    [Huawei-Serial4/0/0]ip address 200.100.1.2 30
    Configure AR2 as the PAP authenticated peer
    [Huawei]int s4/0/0
    [Huawei-Serial4/0/0]ppp pap local-user aaa password simple bbb
    [Huawei-Serial4/0/0]ip address 200.100.1.1 30

    Reposted from: https://www.cnblogs.com/yu15/p/11286722.html

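  • traffic-filter inbound acl This achieves the goal: R1 can log in to R3 remotely but cannot ping R3. The experiment above can also be reversed, so the requirement becomes: R1 can ping R3 but cannot log in to R3 remotely. Note: as above, the configuration is done on R2...

    I. IP address configuration on the routers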

    R1:
    [r1]interface g0/0/0
    [r1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
    [r1]interface g0/0/1
    [r1-GigabitEthernet0/0/1]ip address 12.1.1.1 24
    R2:
    [r2]interface g0/0/1
    [r2-GigabitEthernet0/0/1]ip address 12.1.1.2 24
    [r2]interface g0/0/2
    [r2-GigabitEthernet0/0/2]ip address 23.1.1.1 24
    [r2]interface g0/0/0
    [r2-GigabitEthernet0/0/0]ip address 192.168.2.1 24
    R3:
    [r3]interface g0/0/1
    [r3-GigabitEthernet0/0/1]ip address 23.1.1.2 24
    [r3]interface g0/0/0
    [r3-GigabitEthernet0/0/0]ip address 192.168.3.1 24

    II. Address pool configuration on the routers

    R1:
    [r1]ip pool class_A
    Info: It’s successful to create an IP address pool.
    [r1-ip-pool-class_A]network 192.168.1.0 mask 24
    [r1-ip-pool-class_A]gateway-list 192.168.1.1
    [r1-ip-pool-class_A]dns-list 8.8.8.8
    [r1]dhcp enable
    Info: The operation may take a few seconds. Please wait for a moment.done.
    [r1]interface g0/0/0
    [r1-GigabitEthernet0/0/0]dhcp select global
    R2:
    [r2]ip pool class_B
    Info: It’s successful to create an IP address pool.
    [r2-ip-pool-class_B]network 192.168.2.0 mask 24
    [r2-ip-pool-class_B]gateway-list 192.168.2.1
    [r2-ip-pool-class_B]dns-list 8.8.8.8
    [r2]dhcp enable
    Info: The operation may take a few seconds. Please wait for a moment.done.
    [r2]interface g0/0/0
    [r2-GigabitEthernet0/0/0]dhcp select global
    R3:
    [r3]ip pool class_C
    Info: It’s successful to create an IP address pool.
    [r3-ip-pool-class_C]network 192.168.3.0 mask 24
    [r3-ip-pool-class_C]gateway-list 192.168.3.1
    [r3-ip-pool-class_C]dns-list 8.8.8.8
    [r3]dhcp enable
    Info: The operation may take a few seconds. Please wait for a moment.done.
    [r3]interface g0/0/0
    [r3-GigabitEthernet0/0/0]dhcp select global

    III. Dynamic routing: RIP configuration

    R1:
    [r1]rip 1
    [r1-rip-1]version 2
    [r1-rip-1]network 192.168.1.0
    [r1-rip-1]network 12.0.0.0
    R2:
    [r2]rip 1
    [r2-rip-1]version 2
    [r2-rip-1]network 12.0.0.0
    [r2-rip-1]network 23.0.0.0
    [r2-rip-1]network 192.168.2.0
    R3:
    [r3]rip 1
    [r3-rip-1]version 2
    [r3-rip-1]network 23.0.0.0
    [r3-rip-1]network 192.168.3.0

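    IV. ACL configuration

    Requirement: PC1 must not be able to ping PC6 but must be able to ping PC5.
    Note: in the DHCP step (section II), the addresses obtained by PC1 and PC5 were:
    PC1: 192.168.1.253 (strangely, not .254) PC2: 192.168.3.253

    1. First, configure a basic ACL:
      A basic ACL is applied close to the destination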
      [r3]acl 2000
      [r3-acl-basic-2000]rule 1 deny source 192.168.1.253 0.0.0.0
      [r3]interface g0/0/0
      [r3-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
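      With this rule both PC5 and PC6 become unreachable, so an advanced ACL is needed instead
    2. Advanced ACL configuration: an advanced ACL is applied close to the source
      Delete the ACL 2000 configured above
      [r3]undo acl 2000
      Then configure the following: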
      [r1]acl 3000
      [r1-acl-adv-3000]rule 1 deny ip source 192.168.1.253 0 destination 192.168.3.253 0
      [r1]interface g0/0/0
      [r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

    V. Remote login and ICMP configuration

    1. Requirement: R1 cannot ping R3 but can log in to R3 remotely
      (1) First, configure remote login on R3:
      [r3]user-interface vty 0 4
      [r3-ui-vty0-4]authentication-mode aaa
      [r3-ui-vty0-4]q
      [r3]aaa
      [r3-aaa]local-user huawei password cipher huawei
      Info: Add a new user.
      [r3-aaa]local-user huawei privilege level 15
      [r3-aaa]local-user huawei service-type telnet
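      Then log in to R3 remotely from R1 to verify
      (2) On R2, configure an advanced ACL that restricts ICMP (ping)
      Note: a router cannot filter the traffic it generates itself, so the ACL has to be configured on R2, the device nearest to R1. The configuration is: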
      [r2]acl 3000
      [r2-acl-adv-3000]rule 1 deny icmp source 12.1.1.1 0 destination 23.1.1.2 0
      [r2-acl-adv-3000]q
      [r2]interface g0/0/1
      [r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
      This achieves the goal: R1 can log in to R3 remotely but cannot ping R3
    2. The experiment above can also be reversed
      The requirement becomes: R1 can ping R3 but cannot log in to R3 remotely
      Note: as above, the configuration is done on R2:
      First, delete the ACL configured on R2:
      [r2]undo acl 3000
      Then reconfigure the advanced ACL:
      [r2]acl 3000
      [r2-acl-adv-3000]rule 1 deny tcp source 12.1.1.1 0 destination 23.1.1.2 0 destination-port eq 23
      [r2-acl-adv-3000]q
      [r2]interface g0/0/1
      [r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
      Error: A simplified ACL has been applied in this view.
      (ACL 3000 was already applied here earlier, so applying it again returns an "already applied" error)
      [r2-GigabitEthernet0/0/1]q
      [r2]acl 3000
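      [r2-acl-adv-3000]rule 2 deny tcp source 12.1.1.1 0 destination 192.168.3.1 0 destination-port eq 23
      After these steps R1 can no longer log in to R3 remotely from its g0/0/1 interface address. On the VRP platform, however, the -a parameter makes ping send its echo requests from a specified source IP address, and telnet accepts -a in the same way:
      telnet -a 192.168.1.1 23.1.1.2
      With this command R1 can still log in to R3 remotely, so we add further rules on R2:
      [r2]acl 3000
      [r2-acl-adv-3000]rule 3 deny tcp source 192.168.1.1 0 destination 23.1.1.2 0 destination-port eq 23
      [r2-acl-adv-3000]rule 4 deny tcp source 192.168.1.1 0 destination 192.168.3.1 0 destination-port eq 23
      This blocks remote login from R1 to R3 from both of R1's source interfaces.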
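
The following Python model is an added example, not part of the original post and not VRP code. It replays the lab's rules in first-match order to show why the basic ACL 2000 in section IV blocks every destination while the advanced ACL blocks only one, and why rules 1 and 2 on R2 in section V leave Telnet open from R1's second address until rules 3 and 4 are added. Assumptions: traffic that matches no rule is forwarded (as the lab's results imply), and 192.168.3.252 is a constructed address for a second host behind R3.

```python
"""First-match model of the lab's ACL rules (illustrative; not VRP code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard bits set to 1 are ignored; wildcard 0 means an exact host match.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    protocol: str                            # "ip" matches every protocol
    src: str
    src_wildcard: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"    # default: any destination
    dst_port: Optional[int] = None           # None: any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol not in ("ip", proto):
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return (_wildcard_match(src, self.src, self.src_wildcard)
                and _wildcard_match(dst, self.dst, self.dst_wildcard))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the lowest-numbered matching rule."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(proto, src, dst, dport):
            return rule.action
    # Assumption taken from the lab's results: traffic that matches no rule
    # of the filter is forwarded.
    return "permit"


def open_sources(rules, local_addrs, proto, dst, dport=None):
    """Which of a device's own addresses still get through to dst."""
    return [a for a in local_addrs
            if evaluate(rules, proto, a, dst, dport) == "permit"]


def host(rule_id, action, proto, src, dst, dport=None):
    """Helper for host-to-host rules (wildcard 0 on both sides)."""
    return Rule(rule_id, action, proto, src, "0.0.0.0", dst, "0.0.0.0", dport)


# Section IV: basic ACL 2000 on R3 (source only) vs advanced ACL 3000 on R1.
BASIC_2000 = [Rule(1, "deny", "ip", "192.168.1.253")]
ADV_3000_R1 = [host(1, "deny", "ip", "192.168.1.253", "192.168.3.253")]

# Section V, second variant: ACL 3000 on R2 before and after rules 3 and 4.
R2_RULES_1_2 = [
    host(1, "deny", "tcp", "12.1.1.1", "23.1.1.2", 23),
    host(2, "deny", "tcp", "12.1.1.1", "192.168.3.1", 23),
]
R2_RULES_1_4 = R2_RULES_1_2 + [
    host(3, "deny", "tcp", "192.168.1.1", "23.1.1.2", 23),
    host(4, "deny", "tcp", "192.168.1.1", "192.168.3.1", 23),
]
R1_ADDRS = ["12.1.1.1", "192.168.1.1"]      # R1 interfaces from section I
R3_ADDRS = ["23.1.1.2", "192.168.3.1"]      # R3 interfaces from section I
OTHER_HOST = "192.168.3.252"                # constructed second host behind R3


def telnet_gaps(rules):
    """Map each R3 address to the R1 source addresses that can still Telnet to it."""
    return {dst: open_sources(rules, R1_ADDRS, "tcp", dst, 23) for dst in R3_ADDRS}


if __name__ == "__main__":
    for name, acl in (("basic 2000", BASIC_2000), ("advanced 3000", ADV_3000_R1)):
        for dst in ("192.168.3.253", OTHER_HOST):
            print(name, "192.168.1.253 ->", dst,
                  evaluate(acl, "icmp", "192.168.1.253", dst))
    print("rules 1-2:", telnet_gaps(R2_RULES_1_2))
    print("rules 1-4:", telnet_gaps(R2_RULES_1_4))
```

Running the same audit over every address a device owns, rather than only the interface facing the filter, is the check that catches the gap the post closes with rules 3 and 4.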

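    VI. Translation between public and private addresses

    First configure IP addresses on the directly connected interfaces of R3 and R5, the ISP (carrier) router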
    R3:
    [r3]interface g0/0/2
    [r3-GigabitEthernet0/0/2]ip address 100.1.1.1 24
    R5:
    [ISP]interface g0/0/0
    [ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 24
    To give the internal network connectivity, have R3 advertise a default route
    [r3]rip 1
    [r3-rip-1]version 2
    [r3-rip-1]default-route originate
    So that internal traffic can reach the carrier, also configure a default route on R3 toward the carrier
    [r3]ip route-static 0.0.0.0 0 100.1.1.2
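    Requirement: devices on the internal network must be able to reach the Internet. There are three ways to configure this, as follows.

    1. To give the internal network Internet access, we can first let one particular device on the internal network go online: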
      [r3]nat address-group 1 100.1.1.3 100.1.1.10
      [r3]acl 2000
      [r3-acl-basic-2000]rule 1 permit source 192.168.1.0 0.0.0.255
      [r3-acl-basic-2000]q
      [r3]interface g0/0/2
      [r3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1 no-pat
      All devices can also be allowed online at the same time:
      First delete the rule above:
      [r3]acl 2000
      [r3-acl-basic-2000]undo rule 1
      Define the rule again:
      [r3-acl-basic-2000]rule 1 permit source any
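      Drawback of this method: each private address can be translated to only one public address.
    2. Configuration with NAPT:
      Delete the rules above first, then define them again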
      [r3]nat address-group 1 100.1.1.3 100.1.1.10
      [r3]acl 2000
      [r3-acl-basic-2000]rule 1 permit source any
      [r3]interface g0/0/2
      [r3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
    3. Easy IP configuration (this method can be used only on Huawei devices)
      [r3]acl 2000
      [r3-acl-basic-2000]rule 1 permit source any
      [r3-acl-basic-2000]q
      [r3]interface g0/0/2
      [r3-GigabitEthernet0/0/2]nat outbound 2000

    VII. Remote login to an internal device from an external server

    First, configure remote login on R1:
    [r1]user-interface vty 0 4
    [r1-ui-vty0-4]authentication-mode aaa
    [r1-ui-vty0-4]aaa
    [r1-aaa]local-user huawei password cipher huawei
    Info: Add a new user.
    [r1-aaa]local-user huawei privilege level 15
    [r1-aaa]local-user huawei service-type telnet
    Configure static NAT on the external-facing interface of R3, the border router of the internal network:
    [r3]interface g0/0/2
    [r3-GigabitEthernet0/0/2]nat static global 100.1.1.11 inside 12.1.1.1
    Log in remotely from the carrier router R5:
    telnet 100.1.1.11
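    This opens a session on the internal device R1
    Note: this is insecure, because the static mapping exposes the whole of 12.1.1.1 at 100.1.1.11 rather than only Telnet, so the static NAT on R3 is replaced with a port-specific mapping:
    [r3]interface g0/0/2
    [r3-GigabitEthernet0/0/2]undo nat static global 100.1.1.11 inside 12.1.1.1 (remove the configuration above, then configure the line below)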
    [r3-GigabitEthernet0/0/2]nat server protocol tcp global 100.1.1.11 23 inside 12.1.1.1 23
