Huawei routing and switching comprehensive lab --- IA stage

2023-06-08


Contents
Huawei routing and switching comprehensive lab --- IA stage
Lab topology
Lab requirements
Lab steps
1. Plan IP addresses and VLANIF addresses according to the topology
Test connectivity
2. PC1 and PC2 must not communicate; keep the departments independent
Configure interface VLAN membership and VLANIF on SW1
Configure interface VLAN membership and VLANIF on SW2
3. PC1 cannot access PC2: define an ACL
PC1 and PC2 can no longer communicate; the policy is in effect
4. Run RIP in the branch office
Configure IP addresses and run RIP on AR1
Plan VLAN membership
5. Run OSPF at headquarters
Configure OSPF area 1
Configure OSPF area 0
6. No routing-protocol packets on the business segments of headquarters or the branch
Configure silent interfaces in the RIP domain
Configure silent interfaces in the OSPF domain
7. Configure link aggregation between SW4 and SW5: create the aggregation group
Check the link aggregation group
8. Run MSTP among SW4, SW7 and SW5: PC3 traffic via Switch4, PC4 traffic via Switch5, each backing up the other
9. Configure edge ports on SW7: ports facing PCs go straight to forwarding and take no part in spanning-tree calculation
10. VRRP configuration
Check VRRP
Check the master/backup state on SW4
PC3 pings PC4 to test connectivity
11. Configure a default route on the egress routers (R1 and R3) toward the Internet and advertise it into the private network
Configure a default route on AR3
Check the OSPF routing table on SW5
12. Configure a default route on AR1 and import it into RIP
Check the routing table on SW1: the default route to the outside has been learned
13. AR6 must not access PC3 or PC4
Define an advanced ACL policy on AR5
Ping PC3 and PC4 from AR6: they are unreachable
14. Enable Telnet on R3 and allow only AR6 (the management station, standing in for a PC) to manage it remotely
Only AR6 can telnet to R3: the ACL policy is in effect
Telnet to R3 from AR5: the connection is refused
15. Run Easy IP on R1 and R3; only the marketing and technology departments may reach the Internet
PC2 pings the public address
16. PPP authentication (CHAP) between the headquarters egress router R3 and the carrier device R2
AR2 acts as the CHAP authenticator
AR3 is the authenticated peer
17. PPP authentication (PAP) between the branch egress router R1 and the carrier device R2
AR1 acts as the PAP authenticator
AR2 is the PAP authenticated peer

Lab topology

Lab requirements

    Plan IP addresses and VLANIF addresses according to the topology (PC1 belongs to the operations department, PC2 to marketing; PC3 to finance, PC4 to technology). Label each VLAN so the departments can be told apart, and keep the departments independent of one another.
    Headquarters and the branch office each run a dynamic routing protocol (as shown in the diagram).
    No routing-protocol packets may appear on the business segments of headquarters or the branch.
    PC3 and PC4 are dual-homed to Switch4 and Switch5 through Switch7. So that user traffic is not interrupted, configure gateway backup on Switch4 and Switch5.

    Under normal conditions PC3 uses Switch4 as its default gateway and PC4 uses Switch5, giving redundant gateways.

    After a failed switch recovers, it waits 20 seconds and then preempts to become Master again and resume forwarding.
    Switch4, Switch7 and Switch5 run MSTP; PC3 traffic goes through Switch4 and PC4 traffic through Switch5, each backing up the other. Ports facing PCs go straight to the forwarding state and take no part in spanning-tree calculation.
    R1 and R3 run Easy IP; only the marketing and technology departments may access the Internet (Loopback0 on R2 stands in for a public address).
    Configure link aggregation between Switch4 and Switch5 for more bandwidth and reliability.
    AR6 must not be able to reach PC3 or PC4 (ACL).
    R3 runs a Telnet service; only AR6 (the management station, standing in for a PC) may manage it remotely (advanced ACL).
    The egress routers (R1 and R3) get a default route toward the Internet and advertise it into the private network.
    For security, the headquarters egress router R3 and the carrier device R2 perform PPP authentication (CHAP), username runtime, password huawei.
    The branch egress router R1 and the carrier device R2 perform PPP authentication (PAP), username aaa, password bbb.
    Headquarters and the branch can reach each other (optional).

Lab steps

1. Plan IP addresses and VLANIF addresses according to the topology

LSW6 configuration

[Huawei]vlan batch 10 20
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 10
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access
[Huawei-Ethernet0/0/4]port default vlan 20
[Huawei-Ethernet0/0/4]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei-Ethernet0/0/1]port trunk pvid vlan 10
[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan 10 20
[Huawei-Ethernet0/0/2]port trunk pvid vlan 20
[Huawei-Ethernet0/0/2]vlan 10
[Huawei-vlan10]description yun ying // VLAN label: operations //
[Huawei-vlan10]vlan 20
[Huawei-vlan20]description shi chang // VLAN label: marketing //

Setting the trunk PVID to the user VLAN (10 toward LSW1, 20 toward LSW2) sends that VLAN untagged on the uplink, so the peer trunk must carry the same PVID (LSW1 and LSW2 do, below). In a production design a user VLAN is kept off the trunk PVID: untagged native-VLAN traffic is what double-tagging VLAN hopping relies on.

LSW1 configuration

[Huawei]vlan batch 10 30
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei]int vlan 10
[Huawei-Vlanif10]ip address 192.168.1.254 24

LSW2 configuration

[Huawei]vlan batch 20 40
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 20
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei]int vlan 20
[Huawei-Vlanif20]ip address 192.168.2.254 24

Test connectivity

PC1 pings SW1; PC2 pings SW2

PC>ping 192.168.1.254

Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
From 192.168.1.254: bytes=32 seq=1 ttl=255 time=93 ms
From 192.168.1.254: bytes=32 seq=2 ttl=255 time=32 ms
From 192.168.1.254: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.1.254: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.1.254: bytes=32 seq=5 ttl=255 time=16 ms

--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/40/93 ms

PC>ping 192.168.2.254

Ping 192.168.2.254: 32 data bytes, Press Ctrl_C to break
From 192.168.2.254: bytes=32 seq=1 ttl=255 time=47 ms
From 192.168.2.254: bytes=32 seq=2 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=5 ttl=255 time=32 ms

--- 192.168.2.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/34/47 ms

2. PC1 and PC2 must not communicate; keep the departments independent

PC1 pings PC2:

PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

At this point the ping fails only because SW1 and SW2 have no route to each other yet. The ACL in step 3 is what keeps the departments apart once RIP (step 4) has distributed the routes.

Configure interface VLAN membership and VLANIF on SW1

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 30
[Huawei-GigabitEthernet0/0/4]int vlan 30
[Huawei-Vlanif30]ip address 192.168.3.1 24

Configure interface VLAN membership and VLANIF on SW2

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 40
[Huawei-GigabitEthernet0/0/4]int vlan 40
[Huawei-Vlanif40]ip address 192.168.4.1 24

3. PC1 cannot access PC2: define an ACL

LSW1

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.1.1 0 destination 192.168.2.1 0
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

LSW2

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.2.1 0 destination 192.168.1.1 0
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

The wildcard 0 matches the two hosts exactly, so these rules separate PC1 from PC2 but nothing else: any other host in 192.168.1.0/24 would still reach 192.168.2.0/24, because traffic-filter forwards a packet that matches no rule. Isolating the departments as wholes takes subnet wildcards, for example source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255.

PC1 and PC2 can no longer communicate; the policy is in effect

PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

4. Run RIP in the branch office

Configure IP addresses and run RIP on AR1

[Huawei]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]network 192.168.4.0

Configure RIP on SW1

[Huawei]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]network 192.168.1.0
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]undo summary

Configure RIP on SW2

[Huawei]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.168.2.0
[Huawei-rip-1]network 192.168.4.0

Plan VLAN membership

SW7 VLAN configuration

[Huawei]vlan batch 10 20
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 10
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access
[Huawei-Ethernet0/0/4]port default vlan 20
[Huawei]int e0/0/5
[Huawei-Ethernet0/0/5]port link-type trunk
[Huawei-Ethernet0/0/5]port trunk allow-pass vlan all
[Huawei-Ethernet0/0/5]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
[Huawei]int vlan 10
[Huawei-Vlanif10]description cai wu // VLAN label: finance //
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]description ji shu // VLAN label: technology //

LSW4

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type trunk
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan all

LSW5

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

5. Run OSPF at headquarters

Configure OSPF area 1

SW4

ospf 1
area 1
network 172.19.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255

SW5

ospf 1
area 1
network 172.20.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255

AR5

ospf 1
area 1
network 172.19.1.0 0.0.0.255
network 172.20.1.0 0.0.0.255

Configure OSPF area 0

AR5 (the ABR; area 0 is added under the same OSPF process)

ospf 1
area 0
network 172.17.1.0 0.0.0.255
network 172.18.1.0 0.0.0.255

AR6

ospf 1
area 0
network 172.18.1.0 0.0.0.255

AR3

ospf 1
area 0
network 172.17.1.0 0.0.0.255

6. No routing-protocol packets on the business segments of headquarters or the branch

Configure silent interfaces in the RIP domain

Silent interface on SW1

[Huawei-rip-1]silent-interface g0/0/1 // silent interface: no RIP packets on the user-facing port //

Silent interface on SW2

[Huawei-rip-1]silent-interface g0/0/1 // silent interface //

Configure silent interfaces in the OSPF domain

Silent interface on SW4

[Huawei-ospf-1]silent-interface g0/0/4 // silent interface //

Silent interface on SW5

[Huawei-ospf-1]silent-interface g0/0/1 // silent interface //

A silent interface still has its network advertised; it only stops Hello and update packets leaving that port, so a host on the user VLAN cannot form an adjacency or read the topology off the wire. The router-to-router links keep exchanging updates with no authentication in this lab; on VRP, rip authentication-mode md5 and ospf authentication-mode md5 under those interfaces are what stop a device plugged into a transit link from injecting routes.

7. Configure link aggregation between SW4 and SW5: create the aggregation group

LSW4

[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]trunkport g0/0/2
[Huawei-Eth-Trunk1]trunkport g0/0/5
[Huawei-Eth-Trunk1]trunkport g0/0/1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

LSW5

[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]trunkport g0/0/2
[Huawei-Eth-Trunk1]trunkport g0/0/5
[Huawei-Eth-Trunk1]trunkport g0/0/1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

Check the link aggregation group

[Huawei]dis eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/1 Up 1
GigabitEthernet0/0/2 Up 1
GigabitEthernet0/0/5 Up 1

WorkingMode: NORMAL is manual load-balancing without LACP: a member link is used as soon as it is physically up, so a member cabled to the wrong port or the wrong peer is not detected. LACP mode (mode lacp on the Eth-Trunk, on both switches) negotiates membership with the peer before a link carries traffic.

8. Run MSTP among SW4, SW7 and SW5: PC3 traffic via Switch4, PC4 traffic via Switch5, each backing up the other

On SW4

[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instance 1 vlan 10
[Huawei-mst-region]instance 2 vlan 20
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 1 root primary

On SW5

[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instance 1 vlan 10
[Huawei-mst-region]instance 2 vlan 20
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 2 root primary

On SW7

[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instance 1 vlan 10
[Huawei-mst-region]instance 2 vlan 20
[Huawei-mst-region]active region-configuration

All three switches need the same region name, revision level and VLAN-to-instance mapping, otherwise they fall into separate regions and the per-instance roots have no effect. SW4 is root for instance 1 (VLAN 10, PC3) and SW5 for instance 2 (VLAN 20, PC4); to make the backup root deterministic as well, SW4 would also be stp instance 2 root secondary and SW5 stp instance 1 root secondary.

9. Configure edge ports on SW7: ports facing PCs go straight to forwarding and take no part in spanning-tree calculation

[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]stp edged-port enable
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]stp edged-port enable

An edge port that receives a BPDU (a switch plugged into the PC port, or a host sending crafted BPDUs) loses its edge status and rejoins the calculation, which can move the root. Enabling stp bpdu-protection in system view shuts an edge port down the moment a BPDU arrives on it.

10. VRRP configuration

LSW4

[Huawei]int vlan 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
[Huawei-Vlanif10]vrrp vrid 1 priority 150
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20 // wait 20 s, then preempt to become Master again //
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254

LSW5

[Huawei-Vlanif20]int vlan 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254
[Huawei-Vlanif20]vrrp vrid 2 priority 150
[Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer delay 20 // wait 20 s, then preempt to become Master again //

The preempt delay belongs on the VRID a switch is meant to own (VRID 1 on SW4, VRID 2 on SW5): after that switch comes back it stays Backup for 20 s so its routing and spanning-tree state settle before it takes the gateway address back. Neither VRID uses authentication here, so any host on VLAN 10 or 20 could send a higher-priority advertisement and become the gateway; VRP supports vrrp vrid 1 authentication-mode md5 with a shared key on both switches.

Check VRRP

Check the master/backup state on SW4

[Huawei-Vlanif20]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 172.16.1.254
2 Backup Vlanif20 Normal 172.16.2.254
----------------------------------------------------------------
Total:2 Master:1 Backup:1 Non-active:0

PC3 pings PC4 to test connectivity

PC>ping 172.16.2.1

Ping 172.16.2.1: 32 data bytes, Press Ctrl_C to break
From 172.16.2.1: bytes=32 seq=1 ttl=127 time=203 ms
From 172.16.2.1: bytes=32 seq=2 ttl=127 time=94 ms
From 172.16.2.1: bytes=32 seq=3 ttl=127 time=109 ms
From 172.16.2.1: bytes=32 seq=4 ttl=127 time=109 ms
From 172.16.2.1: bytes=32 seq=5 ttl=127 time=78 ms

--- 172.16.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/118/203 ms
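The election behind that dis vrrp brief output, and what the 20-second preempt delay changes, as an added model in Python. This is not code from the lab: it assumes VRP's defaults (priority 100, preempt enabled with delay 0, a 1 s advertisement interval), models a single VRID with the RFC 3768 timers, and treats a delay-0 preemption as happening on the next tick rather than after the Master Down Timer; the SW4 failure at t = 50 s and recovery at t = 100 s are a constructed timeline.

```python
"""One VRRP VRID with preempt delay: an added model of the election in step 10.

Not code from the lab.  Assumptions: VRP defaults (priority 100, preempt on
with delay 0, advertisement interval 1 s), RFC 3768 timers (Master Down
Interval = 3 x advertisement interval + skew, skew = (256 - priority) / 256),
no priority ties and no IP-address tie-break.  A Backup with the better
priority and delay 0 is modelled as taking over on the next tick, where the
RFC lets its Master Down Timer expire first; the lab's 20 s delay dominates
either way.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADV_INTERVAL = 1.0  # seconds, VRP default


@dataclass
class Router:
    name: str
    priority: int = 100           # VRP default; the lab sets 150 on the intended Master
    preempt: bool = True          # VRP default: preempt enabled
    preempt_delay: float = 0.0    # "vrrp vrid N preempt-mode timer delay 20" -> 20.0
    up: bool = True
    state: str = "backup"         # "backup", "master" or "down"
    last_adv: float = 0.0         # when an acceptable Master was last heard
    preempt_at: Optional[float] = None  # when a pending preemption fires

    def master_down_interval(self) -> float:
        return 3 * ADV_INTERVAL + (256 - self.priority) / 256


def simulate(routers: List[Router], events: List[Tuple[float, str, str]],
             end: float, tick: float = 0.1) -> List[Tuple[float, Optional[str]]]:
    """Run the VRID for `end` seconds; events are (time, "down" | "up", router name).

    Returns every change of the effective Master as (time, name or None)."""
    by_name = {r.name: r for r in routers}
    events = sorted(events)
    changes: List[Tuple[float, Optional[str]]] = []
    current, ei = None, 0
    for i in range(int(round(end / tick)) + 1):
        now = round(i * tick, 6)
        while ei < len(events) and events[ei][0] <= now:       # apply box/link events
            _, kind, name = events[ei]
            ei += 1
            r = by_name[name]
            r.up = kind == "up"
            r.state = "backup" if r.up else "down"             # a returning box starts as Backup
            r.last_adv, r.preempt_at = now, None
        masters = [r for r in routers if r.up and r.state == "master"]
        best = max(masters, key=lambda r: r.priority, default=None)   # the adverts everyone hears
        for r in routers:
            if not r.up:
                continue
            if r.state == "master":
                if best is not r and best.priority > r.priority:       # a better Master exists
                    r.state, r.last_adv, r.preempt_at = "backup", now, None
            elif best is None:
                if now - r.last_adv >= r.master_down_interval():        # Master Down Timer fired
                    r.state = "master"
            elif r.preempt and r.priority > best.priority:
                if r.preempt_at is None:
                    r.preempt_at = now + r.preempt_delay                # start the preempt delay
                elif now >= r.preempt_at:
                    r.state = "master"
            else:
                r.last_adv, r.preempt_at = now, None                    # adverts refresh the timer
        masters = [r for r in routers if r.up and r.state == "master"]
        winner = max(masters, key=lambda r: r.priority, default=None)
        name = winner.name if winner else None
        if name != current:
            changes.append((now, name))
            current = name
    return changes


def lab_scenario(sw4_delay: float = 20.0) -> List[Tuple[float, Optional[str]]]:
    """VRID 1 as configured above: SW4 priority 150 with the preempt delay, SW5 defaults.

    Constructed timeline: SW4 fails at t = 50 s and comes back at t = 100 s."""
    sw4 = Router("SW4", priority=150, preempt_delay=sw4_delay)
    sw5 = Router("SW5")
    return simulate([sw4, sw5], [(50.0, "down", "SW4"), (100.0, "up", "SW4")], end=150.0)


if __name__ == "__main__":
    for t, master in lab_scenario():
        print(f"t={t:6.1f}s  master={master}")
    # Without the delay SW4 takes the VRID back the moment it is up again:
    print("no delay:", lab_scenario(sw4_delay=0.0)[-1])
```

Running it shows SW4 becoming Master about 3.5 s after start, SW5 taking over roughly 3.6 s after SW4 fails (three missed advertisements plus the skew time), and SW4 staying Backup until t = 120 s before it preempts; with sw4_delay=0.0 the VRID flaps straight back at t = 100 s, which is the behaviour the 20 s delay is there to avoid.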

11. Configure a default route on the egress routers (R1 and R3) toward the Internet and advertise it into the private network

Configure a default route on AR3

[Huawei]ip route-static 0.0.0.0 0 200.100.2.1 // next hop is R2's address on the serial link (200.100.2.1, see step 16), not R3's own 200.100.2.2 //
[Huawei-ospf-1]default-route-advertise // advertise the default route into OSPF //

Without the always keyword, default-route-advertise only originates the default route while R3 itself holds one in its routing table, so the advertisement is withdrawn if the static route goes away.

Check the OSPF routing table on SW5

[Huawei]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 5        Routes : 8

OSPF routing table status : <Active>
         Destinations : 5        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   172.20.1.2      Vlanif60
  172.16.1.254/32   OSPF    10   2           D   172.16.1.252    Vlanif10
                    OSPF    10   2           D   172.16.2.252    Vlanif20
     172.17.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
     172.18.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
     172.19.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
                    OSPF    10   2           D   172.16.1.252    Vlanif10
                    OSPF    10   2           D   172.16.2.252    Vlanif20

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

12. Configure a default route on AR1 and import it into RIP

[Huawei]ip route-static 0.0.0.0 0 200.100.1.1 // next hop is R2's address on the serial link (200.100.1.1, see step 17), not R1's own 200.100.1.2 //
[Huawei-rip-1]default-route originate

Check the routing table on SW1: the default route to the outside has been learned

[Huawei]dis ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
         Destinations : 3        Routes : 3

RIP routing table status : <Active>
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   RIP     100  1           D   192.168.3.2     Vlanif30
   192.168.2.0/24   RIP     100  2           D   192.168.3.2     Vlanif30
   192.168.4.0/24   RIP     100  1           D   192.168.3.2     Vlanif30

RIP routing table status : <Inactive>
         Destinations : 0        Routes : 0

13. AR6 must not access PC3 or PC4

Define an advanced ACL policy on AR5

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 172.18.1.2 0 destination 172.16.1.1 0
[Huawei-acl-adv-3000]rule 10 deny ip source 172.18.1.2 0 destination 172.16.2.1 0
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 3000

The filter is applied outbound on both links from AR5 toward SW4 and SW5, so it holds whichever path OSPF picks; as in step 3, the rules name single hosts and leave every other destination in 172.16.1.0/24 and 172.16.2.0/24 reachable from AR6.

Ping PC3 and PC4 from AR6: they are unreachable

[AR6]ping 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

[AR6]ping 172.16.2.1
PING 172.16.2.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 172.16.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

14. Enable Telnet on R3 and allow only AR6 (the management station, standing in for a PC) to manage it remotely

[AR3]acl 3001
[AR3-acl-adv-3001]rule 5 permit tcp source 172.18.1.2 0 destination 172.17.1.2 0 destination-port eq 23
[AR3-acl-adv-3001]rule 6 deny tcp source any destination 172.17.1.2 0 destination-port eq 23

The write-up does not show the ACL being bound; on VRP it is applied to the VTY lines with acl 3001 inbound under user-interface vty 0 4 (or with traffic-filter on the inbound interfaces, as in step 13). Two things to check before calling this done: rule 6 only names 172.17.1.2, while R3 also answers on 200.100.2.2 (its serial interface, step 16), so a source-only rule set on the VTY, permitting 172.18.1.2 and denying the rest, covers every address of R3; and Telnet carries the login in clear text, so the ACL limits who can connect but not who can read the session. STelnet (SSH) is the production choice.

Only AR6 can telnet to R3: the ACL policy is in effect

<AR6>telnet 172.17.1.2
Press CTRL_] to quit telnet mode
Trying 172.17.1.2 ...
Connected to 172.17.1.2 ...

Login authentication

Username:

Telnet to R3 from AR5: the connection is refused (it never gets past Trying)

<Huawei>telnet 172.17.1.2
Press CTRL_] to quit telnet mode
Trying 172.17.1.2 ...

15. Run Easy IP on R1 and R3; only the marketing and technology departments may reach the Internet

Configuration on AR1

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.2.1 0
[Huawei-acl-basic-2000]int s4/0/0
[Huawei-Serial4/0/0]nat outbound 2000

Configuration on AR3

[AR3]acl 2000
[AR3-acl-basic-2000]rule 5 permit source 172.16.2.1 0
[AR3-acl-basic-2000]int s4/0/1
[AR3-Serial4/0/1]nat outbound 2000

nat outbound with an ACL and no address group is Easy IP: sources the ACL permits are translated to the serial interface's own address, and everything else is sent untranslated (and so cannot get a reply from the public side). The basic ACLs match the two single hosts PC2 and PC4; for a whole department the rule would be rule 5 permit source 192.168.2.0 0.0.0.255.

PC2 pings the public address (Loopback0 on R2)

PC>ping 2.2.2.2

Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=253 time=110 ms
From 2.2.2.2: bytes=32 seq=2 ttl=253 time=78 ms
From 2.2.2.2: bytes=32 seq=3 ttl=253 time=62 ms
From 2.2.2.2: bytes=32 seq=4 ttl=253 time=79 ms
From 2.2.2.2: bytes=32 seq=5 ttl=253 time=62 ms

--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/78/110 ms
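How the rules in steps 3, 13, 14 and 15 are actually matched, as an added Python model (not code from the lab or from Huawei). It implements the wildcard-mask and first-match semantics those rules rely on, the default-forward behaviour of traffic-filter and the permit-only behaviour of nat outbound, and transcribes the lab's ACL 3000 on LSW1, ACL 3001 on AR3 and ACL 2000 on AR1. LSW1_ACL_3000_SUBNET and the source address 172.17.1.1 standing in for "anyone else" are assumptions made for the illustration.

```python
"""Huawei VRP ACL matching, as used by the rules in steps 3, 13, 14 and 15.

Added example (not configuration from the lab).  It models three things a
reader of those rules needs:
  * wildcard masks are inverse masks: 0 bits must match, 1 bits are ignored,
    so "192.168.1.1 0" is a single host and "192.168.1.0 0.0.0.255" is a /24;
  * rules are tried in ascending rule-number order and the first match wins;
  * a packet that matches no rule is forwarded by traffic-filter, and is
    simply left untranslated by "nat outbound".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    # VRP accepts a bare "0" as the wildcard meaning "this exact address"
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard agrees between addr and base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"    # default: any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"    # default: any destination
    dport: Optional[int] = None        # "destination-port eq N"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def rule(self, number: int, action: str, **fields) -> "Acl":
        self.rules.append(Rule(number, action, **fields))
        self.rules.sort(key=lambda r: r.number)   # config order = ascending rule ID
        return self

    def evaluate(self, pkt: dict) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "no-match"


def traffic_filter_forwards(acl: Acl, pkt: dict) -> bool:
    """traffic-filter inbound/outbound: only an explicit deny drops the packet."""
    return acl.evaluate(pkt) != "deny"


def nat_translates(acl: Acl, pkt: dict) -> bool:
    """nat outbound <acl>: only an explicit permit makes the packet eligible for NAT."""
    return acl.evaluate(pkt) == "permit"


def pkt(src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# The lab's ACLs, transcribed from the configuration above.
LSW1_ACL_3000 = Acl(3000).rule(5, "deny", src="192.168.1.1", src_wc="0",
                               dst="192.168.2.1", dst_wc="0")
AR3_ACL_3001 = (Acl(3001)
                .rule(5, "permit", proto="tcp", src="172.18.1.2", src_wc="0",
                      dst="172.17.1.2", dst_wc="0", dport=23)
                .rule(6, "deny", proto="tcp", dst="172.17.1.2", dst_wc="0", dport=23))
AR1_ACL_2000 = Acl(2000).rule(5, "permit", src="192.168.2.1", src_wc="0")

# Not in the lab: the subnet-wide form of the step 3 rule, an assumption about
# what department-level isolation would need.
LSW1_ACL_3000_SUBNET = Acl(3000).rule(5, "deny", src="192.168.1.0", src_wc="0.0.0.255",
                                      dst="192.168.2.0", dst_wc="0.0.0.255")

OTHER_HOST = "172.17.1.1"   # assumed address standing in for "any source other than AR6"


def lab_checks() -> List[Tuple[str, bool]]:
    """The questions a reviewer of steps 3, 14 and 15 would ask, answered by the model."""
    return [
        ("PC1 -> PC2 forwarded by LSW1", traffic_filter_forwards(LSW1_ACL_3000, pkt("192.168.1.1", "192.168.2.1"))),
        ("second VLAN 10 host -> PC2 forwarded", traffic_filter_forwards(LSW1_ACL_3000, pkt("192.168.1.2", "192.168.2.1"))),
        ("same host, subnet-wide rule", traffic_filter_forwards(LSW1_ACL_3000_SUBNET, pkt("192.168.1.2", "192.168.2.1"))),
        ("AR6 telnet to R3", traffic_filter_forwards(AR3_ACL_3001, pkt("172.18.1.2", "172.17.1.2", "tcp", 23))),
        ("other host telnet to R3", traffic_filter_forwards(AR3_ACL_3001, pkt(OTHER_HOST, "172.17.1.2", "tcp", 23))),
        ("other host SSH to R3 (no rule)", traffic_filter_forwards(AR3_ACL_3001, pkt(OTHER_HOST, "172.17.1.2", "tcp", 22))),
        ("PC2 -> Internet translated", nat_translates(AR1_ACL_2000, pkt("192.168.2.1", "2.2.2.2"))),
        ("PC1 -> Internet translated", nat_translates(AR1_ACL_2000, pkt("192.168.1.1", "2.2.2.2"))),
    ]


if __name__ == "__main__":
    for label, result in lab_checks():
        print(f"{label}: {result}")
```

The output makes the two points worth keeping in mind about these rules: the single-host deny of step 3 does nothing for a second host in VLAN 10, and the port-23 deny of step 14 leaves every other port to R3 untouched, because a packet that matches no rule is forwarded.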

16. PPP authentication (CHAP) between the headquarters egress router R3 and the carrier device R2

AR2 acts as the CHAP authenticator

[Huawei]aaa
[Huawei-aaa]local-user runtime password cipher huawei
[Huawei-aaa]local-user runtime service-type ppp
[Huawei]int s4/0/1
[Huawei-Serial4/0/1]link-protocol ppp
[Huawei-Serial4/0/1]ppp authentication-mode chap
[Huawei-Serial4/0/1]ip address 200.100.2.1 30

AR3 is the authenticated peer

[Huawei]int s4/0/1
[Huawei-Serial4/0/1]ppp chap user runtime
[Huawei-Serial4/0/1]ppp chap password cipher huawei
[Huawei-Serial4/0/1]ip address 200.100.2.2 30

The peer supplies its CHAP name with ppp chap user; ppp pap local-user belongs to PAP (step 17) and would leave the CHAP Response without a name that R2 can look up. CHAP requires the authenticator to recover the clear-text secret for its MD5 computation, which is why the local-user password is stored with password cipher (reversibly encrypted) rather than hashed.

17. PPP authentication (PAP) between the branch egress router R1 and the carrier device R2

AR1 acts as the PAP authenticator

[Huawei]aaa
[Huawei-aaa]local-user aaa password cipher bbb
[Huawei-aaa]local-user aaa service-type ppp
[Huawei-aaa]int s4/0/0
[Huawei-Serial4/0/0]ppp authentication-mode pap
[Huawei-Serial4/0/0]ip address 200.100.1.2 30

AR2 is the PAP authenticated peer

[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ppp pap local-user aaa password simple bbb
[Huawei-Serial4/0/0]ip address 200.100.1.1 30
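What steps 16 and 17 put on the two serial links, as an added Python example (not code from the lab). It builds the PPP PAP (RFC 1334) and CHAP (RFC 1994) packets for the lab's credentials, runtime/huawei and aaa/bbb, and lets the authenticator check them against its local-user table. The authenticator name "AR2" in the CHAP Challenge and the challenge bytes are constructed for the example.

```python
"""PAP and CHAP on the wire: an added illustration of steps 16 and 17.

Not code from the lab.  It builds the PPP authentication packets the two
configurations cause AR1/AR2 (PAP) and AR2/AR3 (CHAP) to exchange, following
RFC 1334 (PAP) and RFC 1994 (CHAP).  Credentials are the lab's; the CHAP
authenticator name "AR2" and the challenge bytes are constructed here.
"""
import hashlib
import os
import struct

# PPP authentication packet codes
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3


def _ppp_auth_packet(code: int, ident: int, payload: bytes) -> bytes:
    """Common header: Code(1) Identifier(1) Length(2); Length covers the header."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# ---- PAP (step 17: AR2 is the peer, AR1 authenticates it) ----
def pap_authenticate_request(ident: int, peer_id: str, password: str) -> bytes:
    """The peer sends its name and password in clear text."""
    pid, pw = peer_id.encode(), password.encode()
    return _ppp_auth_packet(PAP_AUTH_REQ, ident,
                            bytes([len(pid)]) + pid + bytes([len(pw)]) + pw)


def pap_authenticator_check(packet: bytes, local_users: dict) -> bytes:
    """The authenticator compares the clear-text pair with its local-user table."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[4:length]
    n = body[0]
    peer_id = body[1:1 + n].decode()
    m = body[1 + n]
    password = body[2 + n:2 + n + m].decode()
    ok = local_users.get(peer_id) == password
    return _ppp_auth_packet(PAP_AUTH_ACK if ok else PAP_AUTH_NAK, ident, b"")


# ---- CHAP (step 16: AR3 is the peer, AR2 authenticates it) ----
def chap_expected_value(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_challenge(ident: int, challenge: bytes, name: str) -> bytes:
    return _ppp_auth_packet(CHAP_CHALLENGE, ident,
                            bytes([len(challenge)]) + challenge + name.encode())


def chap_response(challenge_pkt: bytes, name: str, secret: str) -> bytes:
    """The peer answers with the hash; the secret itself never leaves the box."""
    _code, ident, _length = struct.unpack("!BBH", challenge_pkt[:4])
    n = challenge_pkt[4]
    challenge = challenge_pkt[5:5 + n]
    value = chap_expected_value(ident, secret, challenge)
    return _ppp_auth_packet(CHAP_RESPONSE, ident, bytes([len(value)]) + value + name.encode())


def chap_authenticator_check(response_pkt: bytes, challenge: bytes, local_users: dict) -> bytes:
    """The authenticator recomputes the hash from its own copy of the secret."""
    _code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    n = response_pkt[4]
    value = response_pkt[5:5 + n]
    name = response_pkt[5 + n:length].decode()
    secret = local_users.get(name)
    ok = secret is not None and chap_expected_value(ident, secret, challenge) == value
    return _ppp_auth_packet(CHAP_SUCCESS if ok else CHAP_FAILURE, ident, b"")


def run_pap(peer_id: str = "aaa", password: str = "bbb", local_users: dict = None):
    """Step 17: returns (Authenticate-Request bytes, authenticator's reply code)."""
    users = local_users if local_users is not None else {"aaa": "bbb"}   # AR1's local-user
    req = pap_authenticate_request(1, peer_id, password)
    return req, pap_authenticator_check(req, users)[0]


def run_chap(name: str = "runtime", secret: str = "huawei",
             local_users: dict = None, challenge: bytes = None):
    """Step 16: returns (Response bytes, authenticator's reply code, challenge used)."""
    users = local_users if local_users is not None else {"runtime": "huawei"}  # AR2's local-user
    challenge = challenge or os.urandom(16)      # the authenticator picks a fresh random challenge
    chal = chap_challenge(7, challenge, "AR2")
    resp = chap_response(chal, name, secret)
    return resp, chap_authenticator_check(resp, challenge, users)[0], challenge


if __name__ == "__main__":
    req, code = run_pap()
    print("PAP request on the wire:", req.hex(), "-> ack" if code == PAP_AUTH_ACK else "-> nak")
    resp, code, _ = run_chap()
    print("CHAP response on the wire:", resp.hex(), "-> success" if code == CHAP_SUCCESS else "-> failure")
    print("password visible in PAP:", b"bbb" in req, "| in CHAP:", b"huawei" in resp)
```

The PAP Authenticate-Request carries aaa and bbb in clear text, so anyone who captures the link has the password; the CHAP Response carries only MD5(id || secret || challenge), and a Response replayed against a fresh challenge fails. CHAP is not a free pass either: an offline dictionary attack on a captured challenge/response pair is only as hard as the secret, and huawei would not last long.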
