  • H3CNE Comprehensive Mini Lab


    Contents

    Lab topology

    Lab requirements

    Lab solution


     

    Lab topology

    Topology download: H3CNE Comprehensive Mini Lab

    [Figure 1-1: lab topology]

    Note: unless stated otherwise, R1 or SW1 in the description refers to the device whose name ends in the digit 1, R2 or SW2 to the device whose name ends in 2, and so on. Within one segment, the host part of an IP address is the device number: for example, if R3's g0/0 interface sits in 192.168.1.0/24, its IP address is 192.168.1.3/24, and so on.


    Lab requirements

    1. Configure IP addresses as shown in the figure

    2. SW2 and SW10 use link aggregation

    3. The four departments obtain their addresses via DHCP

    4. SW2, R13 and SW10 run OSPF so that the internal network is fully reachable; OSPF advertises the default route

    5. R13 and R14 use bidirectional (two-way) authentication

    6. Only the technical department and the product R&D department may access the internet; only the finance department may access the finance server

    7. R11 acts as an FTP server that external users can reach


    Lab solution

    1. Configure IP addresses

    R14

    sys
    System View: return to User View with Ctrl+Z.
    [H3C]sysn r14
    [r14]int mp-gr 1
    [r14-MP-group1]int s1/0
    [r14-Serial1/0]ppp mp mp-gr 1
    [r14-Serial1/0]
    [r14-Serial1/0]int s2/0
    [r14-Serial2/0]ppp mp mp-gr 1
    [r14]int mp-gr 1
    [r14-MP-group1]ip add 100.1.1.2 24

    R13

    SYS
    [H3C]SYSN r13
    [r13]int mp-gr 1
    [r13-MP-group1]int s1/0
    [r13-Serial1/0]ppp mp mp-gr 1
    [r13-Serial1/0]int s2/0
    [r13-Serial2/0]ppp mp mp-gr 1
    [r13-Serial2/0]int mp-gr 1
    [r13-MP-group1]ip add 100.1.1.1 24
    [r13]int g0/0
    [r13-GigabitEthernet0/0]ip add 192.168.60.2 24
    [r13-GigabitEthernet0/0]int g0/1
    [r13-GigabitEthernet0/1]ip add 192.168.70.2 24

    SW2

    sys
    System View: return to User View with Ctrl+Z.
    [H3C]sys sw2
    [sw2]vlan 10
    [sw2-vlan10]vlan 20
    [sw2-vlan20]vlan 30
    [sw2-vlan30]vlan 40
    [sw2-vlan40]vlan 50
    [sw2-vlan50]vlan 60
    [sw2-vlan60]int vlan 10
    [sw2-Vlan-interface10]ip add 192.168.1.254 24
    [sw2-Vlan-interface10]int vlan 20
    [sw2-Vlan-interface20]ip add 192.168.2.254 24
    [sw2-Vlan-interface20]int vlan 30
    [sw2-Vlan-interface30]ip add 192.168.3.254 24
    [sw2-Vlan-interface30]int vlan 40
    [sw2-Vlan-interface40]ip add 192.168.4.254 24
    [sw2-Vlan-interface40]int vlan 50
    [sw2-Vlan-interface50]ip add 192.168.50.1 24
    [sw2-Vlan-interface50]int vlan 60
    [sw2-Vlan-interface60]ip add 192.168.60.1 24
    [sw2-Vlan-interface60]int g1/0/5
    [sw2-GigabitEthernet1/0/5]port link-ty ac
    [sw2-GigabitEthernet1/0/5]port ac vlan 60
    [sw2]int range g1/0/1 to g1/0/2
    [sw2-if-range]port link-ty tr
    [sw2-if-range]port tr pe vlan all

    SW10

    SYS
    System View: return to User View with Ctrl+Z.
    [H3C]SYSN sw10
    [sw10]vlan 10
    [sw10-vlan10]vlan 20
    [sw10-vlan20]vlan 50
    [sw10-vlan50]vlan 70
    [sw10-vlan70]int vlan 10
    [sw10-Vlan-interface10]ip add 192.168.80.2 24
    [sw10-Vlan-interface10]int vlan 20
    [sw10-Vlan-interface20]ip add 192.168.90.2 24
    [sw10-Vlan-interface20]int vlan 50
    [sw10-Vlan-interface50]ip add 192.168.50.2 24
    [sw10-Vlan-interface50]int vlan 70
    [sw10-Vlan-interface70]ip add 192.168.70.1 24
    [sw10-Vlan-interface70]int ran g1/0/1 to g1/0/2
    [sw10-if-range]port link-ty ac
    [sw10-if-range]int g1/0/1
    [sw10-GigabitEthernet1/0/1]port ac vlan 10
    [sw10-GigabitEthernet1/0/1]int g1/0/2
    [sw10-GigabitEthernet1/0/2]port ac vlan 20

    SW1

    SYS
    System View: return to User View with Ctrl+Z.
    [H3C]SYSN SW1
    [SW1]vlan 10
    [SW1-vlan10]vlan 20
    [SW1]INT G1/0/4
    [SW1-GigabitEthernet1/0/4]port link-ty tr
    [SW1-GigabitEthernet1/0/4]port tr pe vlan all
    [SW1-vlan20]int ran g1/0/1 to g1/0/2
    [SW1-if-range]port link-ty access
    [SW1-if-range]port ac vlan 10
    [SW1-if-range]int g1/0/3
    [SW1-GigabitEthernet1/0/3]port link-ty acc
    [SW1-GigabitEthernet1/0/3]port ac vlan 20

    SW3

    SYS
    System View: return to User View with Ctrl+Z.
    [H3C]SYSN SW3
    [SW3]vlan 30
    [SW3-vlan30]vlan 40
    [SW3-vlan40]int g1/0/4
    [SW3-GigabitEthernet1/0/4]port link-ty tr
    [SW3-GigabitEthernet1/0/4]port tr pe vlan all
    [SW3-GigabitEthernet1/0/4]int g1/0/1
    [SW3-GigabitEthernet1/0/1]port link-ty ac
    [SW3-GigabitEthernet1/0/1]port ac vlan 30
    [SW3-GigabitEthernet1/0/1]int ran g1/0/2 to g1/0/3
    [SW3-if-range]port link-ty ac
    [SW3-if-range]port ac vlan 40

    R11 (a router used in place of a PC needs a default route added by hand: a real server OS adds it automatically, just as your own PC does to reach the internet, but in the simulator it must be configured manually)

    SYS
    System View: return to User View with Ctrl+Z.
    [H3C]SYSN R11
    [R11]int g0/0
    [R11-GigabitEthernet0/0]ip add 192.168.80.1 24
    [R11]ip route-static 0.0.0.0 0.0.0.0 192.168.80.2

    R12

    SYS
    System View: return to User View with Ctrl+Z.
    [H3C]SYSN R12
    [R12]int g0/0
    [R12-GigabitEthernet0/0]ip add 192.168.90.1 24
    [R12]ip route-static 0.0.0.0 0.0.0.0 192.168.90.2

    PC4-PC9 (addresses assigned by DHCP)

    [Screenshot: PC4-PC9 configured as DHCP clients]


    2. SW2 and SW10 use link aggregation

    Step 1: create the aggregation group on SW2 and add the ports; once both sides have created the group there is no PVID (default VLAN) mismatch warning

    SW2

    sys
    System View: return to User View with Ctrl+Z.
    [sw2]int Bridge-Aggregation 1
    [sw2-Bridge-Aggregation1]int ran g1/0/3 to g1/0/4
    [sw2-if-range]port link-agg gr 1
    [sw2-if-range]int Bridge-Aggregation 1
    [sw2-Bridge-Aggregation1]port link-type ac
    Configuring GigabitEthernet1/0/3 done.
    Configuring GigabitEthernet1/0/4 done.
    [sw2-Bridge-Aggregation1]port ac vlan 50
    Configuring GigabitEthernet1/0/3 done.
    Configuring GigabitEthernet1/0/4 done.

    Step 2: create the aggregation group on SW10 and add the ports

    SW10

    SYS
    System View: return to User View with Ctrl+Z.
    [sw10]int Bridge-Aggregation 1
    [sw10-Bridge-Aggregation1]int ran g1/0/3 to g1/0/4
    [sw10-if-range]port link-agg gr 1
    [sw10-if-range]int Bridge-Aggregation 1
    [sw10-Bridge-Aggregation1]port link-ty ac
    Configuring GigabitEthernet1/0/3 done.
    Configuring GigabitEthernet1/0/4 done.
    [sw10-Bridge-Aggregation1]port ac vlan 50
    Configuring GigabitEthernet1/0/3 done.
    Configuring GigabitEthernet1/0/4 done.

     

    3. The four departments obtain their addresses via DHCP

    Step 1: create the DHCP address pools on SW2, one pool per VLAN, with each pool's gateway set to the VLAN interface address; enable DHCP globally and set the DNS server to 114.114.114.114

    [sw2]dhcp enable
    [sw2]dhcp server ip vlan10
    [sw2-dhcp-pool-vlan10]netw 192.168.1.0 ma 255.255.255.0
    [sw2-dhcp-pool-vlan10]gat 192.168.1.254
    [sw2-dhcp-pool-vlan10]dns 114.114.114.114
    [sw2-dhcp-pool-vlan10]dhcp ser ip vlan20
    [sw2-dhcp-pool-vlan20]netw 192.168.2.0 ma 255.255.255.0
    [sw2-dhcp-pool-vlan20]gat 192.168.2.254
    [sw2-dhcp-pool-vlan20]dns 114.114.114.114
    [sw2-dhcp-pool-vlan20]dhcp ser ip vlan30
    [sw2-dhcp-pool-vlan30]netw 192.168.3.0 ma 255.255.255.0
    [sw2-dhcp-pool-vlan30]gat 192.168.3.254
    [sw2-dhcp-pool-vlan30]dns 114.114.114.114
    [sw2]dhcp ser ip vlan40
    [sw2-dhcp-pool-vlan40]netw 192.168.4.0 ma 255.255.255.0
    [sw2-dhcp-pool-vlan40]gat 192.168.4.254
    [sw2-dhcp-pool-vlan40]dns 114.114.114.114

    Step 2: check that each department's PCs have received an IP address automatically; the dis arp all command can also be used to verify this

    [Screenshot: DHCP-assigned addresses on the department PCs]


    4. SW2, R13 and SW10 run OSPF so that the internal network is fully reachable; OSPF advertises the default route

    R13 (OSPF advertises a default route pointing to the internet)

    [r13]ospf
    [r13-ospf-1]a 0
    [r13-ospf-1-area-0.0.0.0]netw 192.168.60.2 0.0.0.0
    [r13-ospf-1-area-0.0.0.0]netw 192.168.70.2 0.0.0.0
    [r13-ospf-1-area-0.0.0.0]netw 100.1.1.1 0.0.0.0
    [r13-ospf-1-area-0.0.0.0]q
    [r13-ospf-1]q
    [r13]ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
    [r13]ospf
    [r13-ospf-1]default-route-advertise

    SW2

    [sw2]ospf
    [sw2-ospf-1]a 0
    [sw2-ospf-1-area-0.0.0.0]netw 192.168.1.254 0.0.0.0
    [sw2-ospf-1-area-0.0.0.0]netw 192.168.2.254 0.0.0.0
    [sw2-ospf-1-area-0.0.0.0]netw 192.168.3.254 0.0.0.0
    [sw2-ospf-1-area-0.0.0.0]netw 192.168.4.254 0.0.0.0
    [sw2-ospf-1-area-0.0.0.0]netw 192.168.50.1 0.0.0.0
    [sw2-ospf-1-area-0.0.0.0]netw 192.168.60.1 0.0.0.0

    SW10

    [sw10]ospf
    [sw10-ospf-1]a 0
    [sw10-ospf-1-area-0.0.0.0]netw 192.168.80.2 0.0.0.0
    [sw10-ospf-1-area-0.0.0.0]netw 192.168.90.2 0.0.0.0
    [sw10-ospf-1-area-0.0.0.0]netw 192.168.50.2 0.0.0.0
    [sw10-ospf-1-area-0.0.0.0]netw 192.168.70.1 0.0.0.0

    5. R13 and R14 use bidirectional authentication

    Step 1: create user han with password 123 as the local user entry, set the authentication mode on the serial ports to CHAP and reference that user so both sides authenticate each other; remember that the port must be shut down and brought back up for the change to take effect

    R13

    [r13]local-user han cla netw
    New local user added.
    [r13-luser-network-han]pas si 123
    [r13-luser-network-han]ser ppp
    [r13]int s1/0
    [r13-Serial1/0]ppp auth chap
    [r13-Serial1/0]ppp chap user han
    [r13-Serial1/0]int s2/0
    [r13-Serial2/0]ppp auth chap
    [r13-Serial2/0]ppp chap user han

    R14

    [r14]local-user han cla netw
    New local user added.
    [r14-luser-network-han]pas si 123
    [r14-luser-network-han]ser ppp
    [r14]int s1/0
    [r14-Serial1/0]ppp auth chap
    [r14-Serial1/0]ppp chap user han
    [r14-Serial1/0]int s2/0
    [r14-Serial2/0]ppp auth chap
    [r14-Serial2/0]ppp chap user han
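The two-way CHAP exchange that this configuration enables, as an added Python model that is not part of the original post: the user name han and password 123 follow the lab, each router keeps its own local-user list, and the challenge bytes are constructed here. It shows why the PPP link only comes up when both routers hold the same local-user entry.

```python
import hashlib
import hmac
import os

# 'local-user han class network' + 'password simple 123', as configured on R13 and R14
LOCAL_USERS = {"han": "123"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the serial link, only this digest."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def verify_response(identifier, challenge, name, response, users):
    """Authenticator side: look up the peer's claimed name in the local user list
    and recompute the digest; an unknown name or a wrong secret fails the link."""
    secret = users.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def one_way_chap(auth_users, peer_name, peer_secret, identifier=1, challenge=None):
    """Authenticator sends a challenge; the peer answers with its 'ppp chap user'
    name and a digest computed from its own local password."""
    challenge = challenge or os.urandom(16)   # constructed random challenge
    response = chap_response(identifier, peer_secret, challenge)
    return verify_response(identifier, challenge, peer_name, response, auth_users)


def two_way_chap(r13_users, r14_users, r13_name="han", r13_secret="123",
                 r14_name="han", r14_secret="123"):
    """Both routers run 'ppp authentication-mode chap', so each authenticates the
    other; PPP comes up only if both directions succeed."""
    r13_accepts_r14 = one_way_chap(r13_users, r14_name, r14_secret)
    r14_accepts_r13 = one_way_chap(r14_users, r13_name, r13_secret)
    return r13_accepts_r14 and r14_accepts_r13


if __name__ == "__main__":
    print("link up:", two_way_chap(LOCAL_USERS, LOCAL_USERS))   # True
    # One-sided local-user entry: R14 can verify R13, but R13 has no user to verify R14
    print("link up:", two_way_chap({}, LOCAL_USERS))            # False
```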

     

     

    6. Only the technical department and the product R&D department may access the internet; only the finance department may access the finance server

    Step 1: use an ACL to match the traffic of the technical and product R&D departments, then apply basic NAT on the MP-group interface so that only that traffic is translated for internet access

    R13

    [r13]acl basic 2000
    [r13-acl-ipv4-basic-2000]rule per source 192.168.2.0 0.0.0.255
    [r13-acl-ipv4-basic-2000]rule permit source 192.168.4.0 0.0.0.255
    [r13]int MP-group 1
    [r13-MP-group1]nat outbound 2000

    Step 2: use an ACL to match the traffic; if the first rule does not match, the second is checked, and only one rule ever takes effect, so mind the order. The ACL is applied to the VLAN interface in the outbound direction (the answer is not unique; several approaches work)

    SW10

    [sw10]acl basic 2000
    [sw10-acl-ipv4-basic-2000]rule deny source 192.168.1.0 0.0.0.255
    [sw10-acl-ipv4-basic-2000]rule deny source 192.168.2.0 0.0.0.255
    [sw10-acl-ipv4-basic-2000]rule deny source 192.168.4.0 0.0.0.255
    [sw10]int vlan 20
    [sw10-Vlan-interface20]packet-filter 2000 out
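A check of the first-match rule order described in steps 1 and 2, as an added Python example that is not part of the original post: it evaluates the lab's two basic ACLs (wildcard-mask matching, first match wins) against a constructed host in each department VLAN and reports who reaches the internet through R13's nat outbound and who reaches the finance server behind SW10's packet-filter. It assumes the H3C defaults that nat outbound translates only ACL-permitted sources and that packet-filter forwards packets matching no rule.

```python
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def rule_matches(rule, src):
    """One basic-ACL rule ('rule <action> source <addr> <wildcard>'): a 1 bit in the
    wildcard means 'ignore this bit', so only the 0 bits are compared."""
    _, addr, wildcard = rule
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(src) & care) == (ip_to_int(addr) & care)


def acl_action(rules, src, default):
    """Rules are tried in order and the first match wins; no match falls through to default."""
    for rule in rules:
        if rule_matches(rule, src):
            return rule[0]
    return default


# ACL 2000 on R13, referenced by 'nat outbound 2000' on MP-group 1 (from the lab)
R13_ACL_2000 = [("permit", "192.168.2.0", "0.0.0.255"),
                ("permit", "192.168.4.0", "0.0.0.255")]
# ACL 2000 on SW10, applied with 'packet-filter 2000 out' on Vlan-interface 20 (from the lab)
SW10_ACL_2000 = [("deny", "192.168.1.0", "0.0.0.255"),
                 ("deny", "192.168.2.0", "0.0.0.255"),
                 ("deny", "192.168.4.0", "0.0.0.255")]


def internet_allowed(src):
    # nat outbound translates only sources the ACL permits; unmatched traffic is
    # left untranslated, so no match means no internet access.
    return acl_action(R13_ACL_2000, src, default="deny") == "permit"


def finance_server_allowed(src):
    # packet-filter forwards packets that match no rule (default permit), which is
    # why the lab uses deny rules and simply leaves VLAN 30 unmatched.
    return acl_action(SW10_ACL_2000, src, default="permit") == "permit"


# Constructed sample host (.10) in each department VLAN subnet from the lab
DEPARTMENTS = {"vlan10": "192.168.1.10", "vlan20": "192.168.2.10",
               "vlan30": "192.168.3.10", "vlan40": "192.168.4.10"}


def policy_matrix():
    """Map each VLAN to (internet reachable, finance server reachable)."""
    return {name: (internet_allowed(ip), finance_server_allowed(ip))
            for name, ip in DEPARTMENTS.items()}


if __name__ == "__main__":
    for vlan, (inet, fin) in policy_matrix().items():
        print(f"{vlan}: internet={'yes' if inet else 'no'}, finance server={'yes' if fin else 'no'}")
```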

    7. R11 acts as an FTP server that external users can reach

    Step 1: set up the FTP server with username hany and password 1234

    R11

    [R11]ftp ser en
    [R11]local-user hany class manage
    New local user added.
    [R11-luser-manage-han]pas sim 1234
    [R11-luser-manage-han]authorization-attribute user-role level-15
    [R11-luser-manage-han]service-type ftp

    Step 2: on R3's public interface configure NAT SERVER mapping ports 20 and 21; here the FTP server's internal address 192.168.80.1 is mapped, and the mapped (global) address is R3's external egress address

    [r13]int mp-gr 1
    [r13-MP-group1]nat ser pro tcp global current-interface 20 21 inside 192.168.80.1 20 21

    Finally, test from R14 that FTP login works

    [Screenshot: FTP login from R14]

    VLAN 10, VLAN 20 and VLAN 40 cannot reach the finance server

    [Screenshots: ping tests from VLAN 10, VLAN 20 and VLAN 40 to the finance server]


  • Original article: https://blog.csdn.net/h320758724/article/details/127113139