Huawei Routing and Switching Comprehensive Lab --- IA Stage

Lab topology

Lab requirements

  1. Plan IP addresses and VLANIF addresses according to the topology (PC1 belongs to the Operations department, PC2 to Marketing; PC3 to Finance, PC4 to Technology). Give each VLAN a descriptive label so they can be told apart; the departments are isolated from each other.
  2. The headquarters and the branch office each run a dynamic routing protocol (as shown in the figure).
  3. No routing-protocol packets may appear on the business segments of the headquarters or the branch.
  4. PC3 and PC4 are dual-homed through Switch7 to Switch4 and Switch5. To keep user traffic flowing without interruption, configure gateway backup on Switch4 and Switch5.
    Under normal conditions PC3 uses Switch4 as its default gateway and PC4 uses Switch5, giving redundant gateway backup.
    After a switch recovers from a failure it waits 20 seconds and then preempts to become Master again and carry traffic.
  5. Run MSTP among Switch4, Switch7 and Switch5: PC3's traffic goes through Switch4 and PC4's through Switch5, each backing up the other; ports connected to PCs enter the forwarding state directly when they come up and do not take part in spanning-tree calculation.
  6. R1 and R3 run Easy IP; only the Marketing and Technology departments may access the Internet (Loopback0 on R2 simulates a public address).
  7. Configure link aggregation between Switch4 and Switch5 to increase bandwidth and reliability.
  8. AR6 must not be able to access PC3 or PC4 (ACL).
  9. Enable the Telnet service on R3 and allow only AR6 (the management device, simulating a PC) to manage it remotely (advanced ACL).
  10. The egress routers (R1 and R3) configure a default route pointing to the Internet and advertise it into the private network.
  11. For security, the headquarters egress router R3 and the carrier device R2 perform PPP authentication (CHAP) with username runtime and password huawei.
  12. The branch egress router R1 and the carrier device R2 perform PPP authentication (PAP) with username aaa and password bbb.
  13. Enable communication between headquarters and the branch (optional).

Lab steps

1. Plan IP addresses and VLANIF addresses according to the topology

LSW6 configuration:

[Huawei]vlan batch 10 20
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 10

[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access
[Huawei-Ethernet0/0/4]port default vlan 20

[Huawei-Ethernet0/0/4]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei-Ethernet0/0/1]port trunk pvid vlan 10

[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan 10 20
[Huawei-Ethernet0/0/2]port trunk pvid vlan 20

[Huawei]vlan 10
[Huawei-vlan10]description yun ying  // VLAN label //
[Huawei-vlan10]vlan 20
[Huawei-vlan20]description shi chang  // VLAN label //

LSW1 configuration:

[Huawei]vlan batch 10 30
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei-GigabitEthernet0/0/1]int vlan 10
[Huawei-Vlanif10]ip address 192.168.1.254 24

LSW2 configuration:

[Huawei]vlan batch 20 40
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 20
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei-GigabitEthernet0/0/1]int vlan 20
[Huawei-Vlanif20]ip address 192.168.2.254 24

Connectivity test

PC1 pings SW1; PC2 pings SW2

PC>ping 192.168.1.254

Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
From 192.168.1.254: bytes=32 seq=1 ttl=255 time=93 ms
From 192.168.1.254: bytes=32 seq=2 ttl=255 time=32 ms
From 192.168.1.254: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.1.254: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.1.254: bytes=32 seq=5 ttl=255 time=16 ms

--- 192.168.1.254 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 16/40/93 ms
PC>ping 192.168.2.254

Ping 192.168.2.254: 32 data bytes, Press Ctrl_C to break
From 192.168.2.254: bytes=32 seq=1 ttl=255 time=47 ms
From 192.168.2.254: bytes=32 seq=2 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.2.254: bytes=32 seq=5 ttl=255 time=32 ms

--- 192.168.2.254 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/34/47 ms

2. PC1 and PC2 cannot reach each other, so the departments are isolated

PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

Configure the interface's VLAN membership and the VLANIF on SW1

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 30
[Huawei-GigabitEthernet0/0/4]int vlan 30
[Huawei-Vlanif30]ip address 192.168.3.1 24

Configure the interface's VLAN membership and the VLANIF on SW2

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 40
[Huawei-GigabitEthernet0/0/4]int vlan 40
[Huawei-Vlanif40]ip address 192.168.4.1 24

3. PC1 must not be able to access PC2: define an ACL

LSW1

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.1.1 0 destination 192.168.2.1 0
[Huawei-acl-adv-3000]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

LSW2

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.2.1 0 destination 192.168.1.1 0
[Huawei-acl-adv-3000]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

PC1 and PC2 can no longer reach each other; the policy is in effect.
PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

4. The branch office runs RIP

Configure IP addresses on AR1 and run RIP
[Huawei]rip 
[Huawei-rip-1]ver 2	
[Huawei-rip-1]undo summary 
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]network 192.168.4.0

Configure RIP on SW1

[Huawei]rip 
[Huawei-rip-1]ver 2	
[Huawei-rip-1]network 192.168.1.0 
[Huawei-rip-1]network 192.168.3.0
[Huawei-rip-1]undo summary

Configure RIP on SW2

[Huawei]rip 
[Huawei-rip-1]ver 2
[Huawei-rip-1]undo summary 
[Huawei-rip-1]network 192.168.2.0
[Huawei-rip-1]network 192.168.4.0

VLAN planning

SW7 VLAN configuration

[Huawei]vlan batch 10 20
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access 
[Huawei-Ethernet0/0/3]port default vlan 10 

[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access 
[Huawei-Ethernet0/0/4]port default vlan 20

[Huawei]int e0/0/5
[Huawei-Ethernet0/0/5]port link-type trunk 
[Huawei-Ethernet0/0/5]port trunk allow-pass vlan all

[Huawei-Ethernet0/0/5]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk 
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan all

[Huawei]int vlan 10
[Huawei-Vlanif10]description cai wu  // VLAN label //
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]description ji shu  // VLAN label //

LSW4

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type trunk
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan all

LSW5

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

5. The headquarters runs OSPF

Configure OSPF area 1

SW4

ospf 1
 area 1
  network 172.19.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255

SW5

ospf 1
 area 1
  network 172.20.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255

AR5

ospf 1 
 area 1
  network 172.19.1.0 0.0.0.255 
  network 172.20.1.0 0.0.0.255

Configure OSPF area 0 (AR5 is also in area 0 and acts as the ABR)

ospf 1
 area 0 
  network 172.17.1.0 0.0.0.255 
  network 172.18.1.0 0.0.0.255

AR6

ospf 1 
 area 0
  network 172.18.1.0 0.0.0.255 

AR3

ospf 1 
 area 0 
  network 172.17.1.0 0.0.0.255 

6. No protocol packets on the business segments of the headquarters or the branch

Configure silent interfaces in the RIP domain

Configure a silent interface on SW1

[Huawei-rip-1]silent-interface g0/0/1  // configure the silent interface //

Configure a silent interface on SW2

[Huawei-rip-1]silent-interface g0/0/1  // configure the silent interface //

Configure silent interfaces in the OSPF domain

Configure a silent interface on SW4

[Huawei-ospf-1]silent-interface g0/0/4  // configure the silent interface //

Configure a silent interface on SW5

[Huawei-ospf-1]silent-interface g0/0/1  // configure the silent interface //

7. Configure link aggregation between SW4 and SW5: create the aggregation group

LSW4

[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]trunkport g0/0/2
[Huawei-Eth-Trunk1]trunkport g0/0/5
[Huawei-Eth-Trunk1]trunkport g0/0/1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

LSW5

[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]trunkport g0/0/2
[Huawei-Eth-Trunk1]trunkport g0/0/5
[Huawei-Eth-Trunk1]trunkport g0/0/1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

View the link aggregation group

[Huawei]dis eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL         Hash arithmetic: According to SIP-XOR-DIP         
Least Active-linknumber: 1  Max Bandwidth-affected-linknumber: 8              
Operate status: up          Number Of Up Port In Trunk: 3                     
--------------------------------------------------------------------------------
PortName                      Status      Weight 
GigabitEthernet0/0/1          Up          1      
GigabitEthernet0/0/2          Up          1      
GigabitEthernet0/0/5          Up          1      

8. Run MSTP among SW4, SW7 and SW5: PC3's traffic goes through Switch4, PC4's through Switch5, each backing up the other

Configure on SW4:

[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instance 1 vlan 10
[Huawei-mst-region]instance 2 vlan 20
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 1 root primary

Configure on SW5:

[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instance 1 vlan 10
[Huawei-mst-region]instance 2 vlan 20
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 2 root primary

Configure on SW7:

[Huawei]stp region-configuration
[Huawei-mst-region]region-name chen
[Huawei-mst-region]instance 1 vlan 10
[Huawei-mst-region]instance 2 vlan 20
[Huawei-mst-region]active region-configuration

9. Configure edge ports on SW7 so that the ports connected to PCs enter the forwarding state directly when they come up and do not take part in spanning-tree calculation

[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]stp edged-port enable 
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]stp edged-port enable 

10. VRRP configuration

LSW4

[Huawei]int vlan 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
[Huawei-Vlanif10]vrrp vrid 1 priority 150
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20  // wait 20 seconds, then preempt to become Master again //
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254

LSW5

[Huawei]int vlan 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254
[Huawei-Vlanif20]vrrp vrid 2 priority 150
[Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer delay 20  // wait 20 seconds, then preempt to become Master again //

View VRRP

Check the Master/Backup state on SW4
[Huawei-Vlanif20]dis vrrp brief
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       Vlanif10                 Normal   172.16.1.254   
2     Backup       Vlanif20                 Normal   172.16.2.254   
----------------------------------------------------------------
Total:2     Master:1     Backup:1     Non-active:0     
PC3 pings PC4 to test connectivity
PC>ping 172.16.2.1

Ping 172.16.2.1: 32 data bytes, Press Ctrl_C to break
From 172.16.2.1: bytes=32 seq=1 ttl=127 time=203 ms
From 172.16.2.1: bytes=32 seq=2 ttl=127 time=94 ms
From 172.16.2.1: bytes=32 seq=3 ttl=127 time=109 ms
From 172.16.2.1: bytes=32 seq=4 ttl=127 time=109 ms
From 172.16.2.1: bytes=32 seq=5 ttl=127 time=78 ms

--- 172.16.2.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 78/118/203 ms
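To make the Master/Backup behaviour of step 10 concrete, here is an added simulation (not part of the lab page) of VRRP master selection for the two VRIDs, including the 20-second preempt delay. The priorities are the ones configured above (150 on the preferred switch, Huawei's default of 100 on the other); the failure/recovery timings are constructed for the example.

```python
def master_timeline(priority, events, delay, until):
    """Simulate one VRID second by second; return [(time, master), ...]
    for every change of Master.

    priority: {router: VRRP priority}
    events:   [(second, router, "up" | "down"), ...]
    delay:    preempt delay in seconds (vrrp vrid N preempt-mode timer delay)
    Simplifications (assumptions of this model): a failed Master is detected
    at once (no Master_Down timer), and only Backup-to-Master preemption
    by a router that came up later is delayed.
    """
    up = {r: False for r in priority}
    up_since = {}
    master = None
    timeline = []
    by_time = {}
    for t, r, state in events:
        by_time.setdefault(t, []).append((r, state))
    for now in range(until + 1):
        for r, state in by_time.get(now, []):
            up[r] = state == "up"
            if up[r]:
                up_since[r] = now
        if master is not None and not up[master]:
            master = None                       # Master failed: Backup takes over
        if master is None:
            live = [r for r in priority if up[r]]
            master = max(live, key=lambda r: priority[r], default=None)
        else:
            for r in priority:                  # higher priority preempts after the delay
                if up[r] and priority[r] > priority[master] and now - up_since[r] >= delay:
                    master = r
        if not timeline or timeline[-1][1] != master:
            timeline.append((now, master))
    return timeline

# Constructed scenario: SW4 fails at t=100 s and comes back at t=200 s.
VRID1 = {"SW4": 150, "SW5": 100}   # PC3's gateway 172.16.1.254: SW4 preferred
VRID2 = {"SW4": 100, "SW5": 150}   # PC4's gateway 172.16.2.254: SW5 preferred
EVENTS = [(0, "SW4", "up"), (0, "SW5", "up"), (100, "SW4", "down"), (200, "SW4", "up")]

if __name__ == "__main__":
    print(master_timeline(VRID1, EVENTS, 20, 300))  # [(0, 'SW4'), (100, 'SW5'), (220, 'SW4')]
    print(master_timeline(VRID2, EVENTS, 20, 300))  # [(0, 'SW5')]
```

The VRID 1 timeline shows why the delay matters: SW5 keeps forwarding for 20 seconds after SW4 returns, giving SW4's routing protocol time to converge before it takes the gateway back.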

11. The egress routers (R1 and R3) configure a default route pointing to the Internet and advertise it into the private network

Configure a default route on AR3

[Huawei]ip route-static 0.0.0.0 0 200.100.2.2
[Huawei]ospf 1
[Huawei-ospf-1]default-route-advertise  // advertise the default route //

View the OSPF routing table on SW5

[Huawei]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 5        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 5        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   172.20.1.2      Vlanif60
   172.16.1.254/32  OSPF    10   2           D   172.16.1.252    Vlanif10
                    OSPF    10   2           D   172.16.2.252    Vlanif20
     172.17.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
     172.18.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
     172.19.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
                    OSPF    10   2           D   172.16.1.252    Vlanif10
                    OSPF    10   2           D   172.16.2.252    Vlanif20

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

12. Configure a default route on AR1 and inject it into RIP

[Huawei]ip route-static 0.0.0.0 0 200.100.1.2
[Huawei]rip
[Huawei-rip-1]default-route originate

View the routing table on SW1: the default route to the outside has been learned

[Huawei]dis ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
         Destinations : 3        Routes : 3        

RIP routing table status : <Active>
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   RIP     100  1           D   192.168.3.2     Vlanif30
    192.168.2.0/24  RIP     100  2           D   192.168.3.2     Vlanif30
    192.168.4.0/24  RIP     100  1           D   192.168.3.2     Vlanif30

RIP routing table status : <Inactive>
         Destinations : 0        Routes : 0

13. AR6 must not be able to access PC3 or PC4

Define an advanced ACL policy on AR5

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 172.18.1.2 0 destination 172.16.1.1 0
[Huawei-acl-adv-3000]rule 10 deny ip source 172.18.1.2 0 destination 172.16.2.1 0
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 3000

Test from AR6 by pinging PC3 and PC4: they are no longer reachable

[AR6]ping 172.16.1.1
  PING 172.16.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[AR6]ping 172.16.2.1
  PING 172.16.2.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.2.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

14. Enable the Telnet service on R3 and allow only AR6 (the management device, simulating a PC) to manage it remotely

[AR3]acl 3001
[AR3-acl-adv-3001]rule 5 permit tcp source 172.18.1.2 0 destination 172.17.1.2 0 destination-port eq 23
[AR3-acl-adv-3001]rule 6 deny tcp source any destination 172.17.1.2 0 destination-port eq 23

Only AR6 can telnet to R3; the ACL policy has taken effect
<AR6>telnet 172.17.1.2
  Press CTRL_] to quit telnet mode
  Trying 172.17.1.2 ...
  Connected to 172.17.1.2 ...

Login authentication


Username:
Telnet to R3 from AR5 as a test: the connection is refused
<Huawei>telnet 172.17.1.2
  Press CTRL_] to quit telnet mode
  Trying 172.17.1.2 ...

15. R1 and R3 run Easy IP; only the Marketing and Technology departments may access the Internet

Configuration on AR1

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.2.1 0
[Huawei-acl-basic-2000]int s4/0/0
[Huawei-Serial4/0/0]nat outbound 2000

Configuration on AR3

[AR3]acl 2000
[AR3-acl-basic-2000]rule 5 permit source 172.16.2.1 0
[AR3-acl-basic-2000]int s4/0/1
[AR3-Serial4/0/1]nat outbound 2000

PC2 pings the public address
PC>ping 2.2.2.2

Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=253 time=110 ms
From 2.2.2.2: bytes=32 seq=2 ttl=253 time=78 ms
From 2.2.2.2: bytes=32 seq=3 ttl=253 time=62 ms
From 2.2.2.2: bytes=32 seq=4 ttl=253 time=79 ms
From 2.2.2.2: bytes=32 seq=5 ttl=253 time=62 ms

--- 2.2.2.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 62/78/110 ms

16. The headquarters egress router R3 and the carrier device R2 perform PPP authentication (CHAP)

AR2 acts as the CHAP authenticator

[Huawei]aaa
[Huawei-aaa]local-user runtime password cipher huawei
[Huawei-aaa]local-user runtime service-type ppp
[Huawei-aaa]int s4/0/1
[Huawei-Serial4/0/1]link-protocol ppp
[Huawei-Serial4/0/1]ppp authentication-mode chap
[Huawei-Serial4/0/1]ip address 200.100.2.1 30

AR3 is the authenticated peer

[Huawei]int s4/0/1
[Huawei-Serial4/0/1]ppp chap user runtime
[Huawei-Serial4/0/1]ppp chap password cipher huawei
[Huawei-Serial4/0/1]ip address 200.100.2.2 30

17. The branch egress router R1 and the carrier device R2 perform PPP authentication (PAP)

AR1 acts as the PAP authenticator

[Huawei]aaa
[Huawei-aaa]local-user aaa password cipher bbb
[Huawei-aaa]local-user aaa service-type ppp
[Huawei-aaa]int s4/0/0
[Huawei-Serial4/0/0]ppp authentication-mode pap
[Huawei-Serial4/0/0]ip address 200.100.1.2 30

AR2 is the PAP authenticated peer

[Huawei]int s4/0/0
[Huawei-Serial4/0/0]ppp pap local-user aaa password simple bbb
[Huawei-Serial4/0/0]ip address 200.100.1.1 30

