Huawei Network Engineer Certification HCNA: Two-Tier Architecture Comprehensive Lab (Detailed)


Two-Tier Architecture Comprehensive Lab

Lab requirements:

1. The users' gateways are configured on the core switch

2. Divide the enterprise intranet into multiple VLANs to shrink the broadcast domains and improve network stability.

Configure VLANs on the access-layer switches and assign users to their VLANs
Configure the trunk links
On the core, configure the VLANs and SVI (VLANIF) interfaces and add the gateways

<JRSW2>sy
Enter system view, return user view with Ctrl+Z.

[JRSW2]vlan 10
[JRSW2-vlan10]vlan 30

[JRSW2]port-group  group-member e0/0/1 to e0/0/12  //bundle several interfaces into one group
[JRSW2-Ethernet0/0/1]port link-type access  //configure as access
[JRSW2-Ethernet0/0/1]port default vlan 10  //put the whole group into vlan 10

[JRSW2]port-group  group-member e0/0/13 to e0/0/22
[JRSW2-Ethernet0/0/2]port link-type access
[JRSW2-Ethernet0/0/2]port default vlan 30

[JRSW2]int gi0/0/1	
[JRSW2-GigabitEthernet0/0/1]port link-type trunk   //configure trunk
[JRSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30  //allow the two VLANs 10 and 30
[JRSW2-GigabitEthernet0/0/1]q


<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy JRSW3
[JRSW3]un in en   //disable informational log messages

[JRSW3]vlan 200
[JRSW3]int e0/0/1
[JRSW3-Ethernet0/0/1]port link-type access 
[JRSW3-Ethernet0/0/1]port default vlan 200
[JRSW3-Ethernet0/0/1]int e0/0/3
[JRSW3-Ethernet0/0/3]port link-type access
[JRSW3-Ethernet0/0/3]port default vlan 200
[JRSW3-Ethernet0/0/3]int gi0/0/1	
[JRSW3-GigabitEthernet0/0/1]port link-type trunk 
[JRSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 200


[Huawei]sy HXSW1
[HXSW1]un in en
Info: Information center is disabled.
[HXSW1]vlan batch 10 30 200  //create vlans 10, 30 and 200 in one batch
Info: This operation may take a few seconds. Please wait for a moment...done.
[HXSW1]int gi0/0/2	
[HXSW1-GigabitEthernet0/0/2]port link-type trunk 	
[HXSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 30

[HXSW1-GigabitEthernet0/0/2]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]port link-type trunk
[HXSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 200
[HXSW1-GigabitEthernet0/0/1]q

[HXSW1-vlan10]int vlan 10
[HXSW1-Vlanif10]ip add 192.168.10.1 24  //add the gateway for the subnet that belongs to this VLAN
[HXSW1-Vlanif10]int vlan 30
[HXSW1-Vlanif30]ip add 192.168.30.1 24
[HXSW1-Vlanif30]int vlan 200
[HXSW1-Vlanif200]ip add 192.168.200.1 24
[HXSW1-Vlanif200]

3. All users obtain their IP addresses automatically

<HXSW1>
<HXSW1>sy
Enter system view, return user view with Ctrl+Z.
[HXSW1]ip pool vlan_10   //create an IP address pool named vlan_10
Info:It's successful to create an IP address pool.   //once the following three attributes are set, the pool can hand out addresses
[HXSW1-ip-pool-vlan_10]network 192.168.10.0 mask 24  //the pool's subnet and mask
[HXSW1-ip-pool-vlan_10]gateway-list 192.168.10.1  //the pool's gateway
[HXSW1-ip-pool-vlan_10]dns-list 8.8.8.8   //DNS server

[HXSW1]ip pool vlan_30
Info:It's successful to create an IP address pool.
[HXSW1-ip-pool-vlan_30]network 192.168.30.0 mask 24
[HXSW1-ip-pool-vlan_30]gateway-list 192.168.30.1 
[HXSW1-ip-pool-vlan_30]dns-list 8.8.8.8

[HXSW1]dhcp enable   //enable the DHCP service
Info: The operation may take a few seconds. Please wait for a moment.done.
[HXSW1]int vlan 10
[HXSW1-Vlanif10]dhcp select global 
[HXSW1-Vlanif10]int vlan 30
[HXSW1-Vlanif30]dhcp select global

4. Every device can be managed remotely via telnet from any location (the same configuration is applied on all three switches)

<HXSW1>
<HXSW1>sy
Enter system view, return user view with Ctrl+Z.
[HXSW1]telnet server enable  //enable telnet
Info: The Telnet server has been enabled.
[HXSW1]aaa  //enter AAA view
[HXSW1-aaa]local-user hcnp password simple hcnp123 privilege level 3   //create account hcnp with the plaintext password hcnp123, privilege level 3
Info: Add a new user.
[HXSW1-aaa]local-user hcnp service-type telnet   //the hcnp user is used for remote telnet
[HXSW1-aaa]q
[HXSW1]user-interface vty 0 4	//number of users that may be logged in at the same time
[HXSW1-ui-vty0-4]authentication-mode aaa   //authentication mode is aaa
[HXSW1-ui-vty0-4]

Configure telnet on the egress router R1

<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy CKR1	
[CKR1]telnet server enable 
 Error: TELNET server has been enabled
[CKR1]aaa
[CKR1-aaa]local-user hcnp password cipher hcnp123 privilege level 3   //create hcnp with the password hcnp123 stored in cipher form, privilege level 3
Info: Add a new user.	
[CKR1-aaa]local-user hcnp service-type telnet
[CKR1-aaa]q	
[CKR1]user-interface vty 0 4
[CKR1-ui-vty0-4]authentication-mode aaa
[CKR1-ui-vty0-4]
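The two telnet/AAA snippets above differ in one detail that matters to a defender: the switches store the account with "password simple" (cleartext in the configuration), the router with "password cipher". The following script is an added example, not part of the original lab: it scans configuration text written in the indented shape of a Huawei VRP configuration file and reports the management-plane weaknesses a reviewer would look for. The sample configurations are constructed from the lab's own commands (plus one invented device, LAB-BAD, so the vty check has something to flag); the severity labels and the 8-character password threshold are choices made for this example.

```python
import re

# Constructed samples: the telnet/AAA lines of the lab's devices, written in
# the indented block style of a VRP configuration file. LAB-BAD is invented
# for this example so that the vty authentication check has a failing case.
SAMPLE_CONFIGS = {
    "HXSW1": """\
telnet server enable
aaa
 local-user hcnp password simple hcnp123 privilege level 3
 local-user hcnp service-type telnet
user-interface vty 0 4
 authentication-mode aaa
""",
    "CKR1": """\
telnet server enable
aaa
 local-user hcnp password cipher hcnp123 privilege level 3
 local-user hcnp service-type telnet
user-interface vty 0 4
 authentication-mode aaa
""",
    "LAB-BAD": """\
telnet server enable
user-interface vty 0 4
 authentication-mode none
""",
}

LOCAL_USER_RE = re.compile(
    r"^local-user\s+(?P<user>\S+)\s+password\s+(?P<mode>simple|cipher)\s+(?P<secret>\S+)"
    r"(?:\s+privilege\s+level\s+(?P<level>\d+))?"
)
MIN_PASSWORD_LEN = 8  # threshold chosen for this example, not a VRP default


def audit_device(name, config):
    """Scan one device's configuration text; return a list of (severity, message)."""
    findings = []
    block = None        # first word of the enclosing top-level command, e.g. "aaa"
    saw_vty = False
    vty_auth = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # a top-level command starts a new block
            block = line.split()[0]
            if line == "telnet server enable":
                findings.append(("HIGH", f"{name}: telnet enabled; logins and sessions cross the network in cleartext"))
            if line.startswith("user-interface vty"):
                saw_vty = True
            continue
        if block == "aaa":
            m = LOCAL_USER_RE.match(line)
            if not m:
                continue
            user, mode, secret, level = m.group("user", "mode", "secret", "level")
            if mode == "simple":
                findings.append(("HIGH", f"{name}: user {user} uses 'password simple'; the password is stored in cleartext"))
            # On a real device a cipher password appears as an encrypted blob; the
            # length check is meaningful for what was typed, as in these samples.
            if len(secret) < MIN_PASSWORD_LEN:
                findings.append(("MEDIUM", f"{name}: user {user} password is shorter than {MIN_PASSWORD_LEN} characters"))
            if level == "3":
                findings.append(("INFO", f"{name}: user {user} holds privilege level 3 (full configuration rights)"))
        elif block == "user-interface" and line.startswith("authentication-mode"):
            vty_auth = line.split()[1]
    if saw_vty and vty_auth != "aaa":
        findings.append(("HIGH", f"{name}: vty lines are not authenticated through aaa (mode: {vty_auth})"))
    return findings


def audit_all(configs):
    """Run audit_device over every device and return {device: findings}."""
    return {name: audit_device(name, cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for device, findings in audit_all(SAMPLE_CONFIGS).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Run against the samples, HXSW1 gets the "password simple" finding and CKR1 does not, while every device is flagged for telnet itself, because the cipher form only protects the stored configuration; the login still travels unencrypted on the wire.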

Configure the telnet management VLAN 999
Management address range: 192.168.255.x/24

[HXSW1]vlan 999
[HXSW1]int vlan 999   //virtual interface
[HXSW1-Vlanif999]ip add 192.168.255.1 24   //configure an IP on the virtual interface
[HXSW1]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
[HXSW1-GigabitEthernet0/0/1]int gi0/0/2
[HXSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 999
[HXSW1-GigabitEthernet0/0/2]

[JRSW2]vlan 999
[JRSW2-vlan999]int vlan 999
[JRSW2-Vlanif999]ip add 192.168.255.2 24
[JRSW2]ip route-static 0.0.0.0 0 192.168.255.1
[JRSW2]int gi0/0/1
[JRSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
[JRSW2-GigabitEthernet0/0/1]

<JRSW3>sy
Enter system view, return user view with Ctrl+Z.
[JRSW3]vlan 999
[JRSW3-vlan999]int vlan 999
[JRSW3-Vlanif999]ip add 192.168.255.3 24
[JRSW3]ip route-static 0.0.0.0 0 192.168.255.1
[JRSW3]int gi0/0/1	
[JRSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
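After VLAN 999 has been added to every uplink, both ends of each trunk should allow exactly the same VLAN set, and every VLAN used on an access switch's user ports must be carried by that switch's uplink. The script below is an added example, not part of the original lab: it parses interface blocks written in VRP configuration style and checks those two properties for each cabled link. The configuration text is constructed from the lab's commands, with one deliberate fault (VLAN 999 left off JRSW3's uplink) so the check has something to report; the cabling list and VLAN 1 as the trunk's default allowed VLAN are assumptions stated in the code.

```python
# Constructed sample configs reflecting the lab's trunks after VLAN 999 was
# added. JRSW3's uplink deliberately omits VLAN 999 to show a detected fault.
CONFIGS = {
    "HXSW1": """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200 999
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
""",
    "JRSW2": """\
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
interface Ethernet0/0/13
 port link-type access
 port default vlan 30
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
""",
    "JRSW3": """\
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
""",
}

# Assumed cabling: (core switch, core port, access switch, access-switch uplink).
LINKS = [
    ("HXSW1", "GigabitEthernet0/0/2", "JRSW2", "GigabitEthernet0/0/1"),
    ("HXSW1", "GigabitEthernet0/0/1", "JRSW3", "GigabitEthernet0/0/1"),
]
DEFAULT_TRUNK_VLANS = {1}  # a VRP trunk carries VLAN 1 unless it is removed


def parse_vlan_list(tokens):
    """Expand tokens such as ['10', '30', '100', 'to', '105'] into a set of VLAN ids."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config):
    """Return {interface name: {"type": access|trunk|None, "vlans": set of VLAN ids}}."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"type": None, "vlans": set()})
        elif cur is None:
            continue
        elif line.startswith("port link-type "):
            cur["type"] = line.split()[2]
            if cur["type"] == "trunk":
                cur["vlans"] |= DEFAULT_TRUNK_VLANS
        elif line.startswith("port default vlan "):
            cur["vlans"] = {int(line.split()[3])}          # access port: single VLAN
        elif line.startswith("port trunk allow-pass vlan "):
            cur["vlans"] |= parse_vlan_list(line.split()[4:])
    return ifaces


def check_links(configs, links):
    """Return a list of human-readable problems found on the listed links."""
    parsed = {dev: parse_interfaces(cfg) for dev, cfg in configs.items()}
    problems = []
    for core, core_port, acc, acc_port in links:
        up, down = parsed[core][core_port], parsed[acc][acc_port]
        label = f"{core} {core_port} <-> {acc} {acc_port}"
        if up["type"] != "trunk" or down["type"] != "trunk":
            problems.append(f"{label}: both ends must be link-type trunk")
            continue
        only_core, only_acc = up["vlans"] - down["vlans"], down["vlans"] - up["vlans"]
        if only_core or only_acc:
            problems.append(f"{label}: allow-pass mismatch; only on {core}: "
                            f"{sorted(only_core)}, only on {acc}: {sorted(only_acc)}")
        # every VLAN used on the access switch's user ports must ride its uplink
        for name, info in parsed[acc].items():
            if info["type"] == "access" and not info["vlans"] <= down["vlans"]:
                problems.append(f"{acc} {name}: access VLAN {sorted(info['vlans'])} "
                                f"is not carried by uplink {acc_port}")
    return problems


if __name__ == "__main__":
    for problem in check_links(CONFIGS, LINKS):
        print(problem)
```

A trunk whose ends disagree silently drops the VLANs only one side allows, which is exactly how a management VLAN ends up reachable from some switches and not others.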

5. Configure NAT at the egress

<HXSW1>sy
Enter system view, return user view with Ctrl+Z.
[HXSW1]vlan 800
[HXSW1-vlan800]int gi0/0/3	
[HXSW1-GigabitEthernet0/0/3]port link-type access 	
[HXSW1-GigabitEthernet0/0/3]port default vlan 800
[HXSW1-GigabitEthernet0/0/3]int vlan 800   //virtual interface
[HXSW1-Vlanif800]ip add 192.168.254.1 24    //configure an IP on the virtual interface

Configure the interface IPs on the egress routers R1 and R2

[CKR1]int gi0/0/0
[CKR1-GigabitEthernet0/0/0]ip add  192.168.254.2 24
[CKR1]int gi0/0/1
[CKR1-GigabitEthernet0/0/1]ip add 12.1.1.1 29

[R2]int gi0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.1.1.6 29
[R2]int LoopBack 9
[R2-LoopBack9]ip add 9.9.9.9 24

[HXSW1]ip route-static 0.0.0.0 0 192.168.254.2
[CKR1]ip route-static 0.0.0.0 0 12.1.1.6  //outbound traffic
[CKR1]ip route-static 192.168.0.0 255.255.0.0 192.168.254.1  //hand the return traffic to SW1

[CKR1]acl number 2000
[CKR1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[CKR1-acl-basic-2000]int gi0/0/1
[CKR1-GigabitEthernet0/0/1]nat outbound 2000

6. Run STP in RSTP mode and make sure the core switch is the root bridge; configure the user-facing access ports as edge ports to speed up convergence

[JRSW2]stp mode rstp  //switch the stp mode to rstp
[JRSW3]stp mode rstp

[JRSW2]port-group group-member e0/0/1 to e0/0/21  //all e0/0/x interfaces become edge ports; they may only connect to PCs
[JRSW2-port-group]stp edged-port enable  //set as edge port
[JRSW3]port-group group-member e0/0/1 to e0/0/22 	
[JRSW3-port-group]stp edged-port enable 

7. Configure root bridge protection so that the root role cannot be taken over

[HXSW1]stp priority 0  //set the priority to the highest (the bridge ID, priority + MAC, is not necessarily the highest)
[HXSW1]int gi0/0/1	
[HXSW1-GigabitEthernet0/0/1]stp root-protection  //port protection on the root bridge (a port that receives a BPDU with a better priority than its own is blocked automatically)
[HXSW1-GigabitEthernet0/0/1]int gi0/0/2
[HXSW1-GigabitEthernet0/0/2]stp root-protection

[JRSW2]stp bpdu-protection  //if an edge port receives an STP BPDU, shut that edge port down
[JRSW3]stp bpdu-protection 
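Steps 6 and 7 rest on two comparisons: the root is the bridge with the lowest bridge ID (priority first, then MAC), and a root-protected port refuses any BPDU that advertises a better bridge ID than its own. The model below is an added example, not part of the original lab, written to show why "stp priority 0" alone does not guarantee the root role and what root-protection and bpdu-protection change. The MAC addresses and the ROGUE switch are invented for the example; the port states follow the behaviour the lab's comments describe.

```python
# Constructed bridge inventory: (priority, MAC). HXSW1 keeps the lab's priority 0;
# the MACs and the ROGUE switch are invented. ROGUE has priority 0 and a lower
# MAC, so its bridge ID beats HXSW1's in a plain election.
BRIDGES = {
    "HXSW1": (0, "4c1f-cc00-aa01"),
    "JRSW2": (32768, "4c1f-cc00-bb02"),
    "JRSW3": (32768, "4c1f-cc00-cc03"),
    "ROGUE": (0, "0000-0000-0001"),
}


def bridge_id(priority, mac):
    """Bridge IDs compare by priority first, then by MAC; the lowest wins."""
    return (priority, int(mac.replace("-", ""), 16))


def elect_root(names, bridges=BRIDGES):
    """Plain election among the named bridges: lowest bridge ID becomes root."""
    return min(names, key=lambda n: bridge_id(*bridges[n]))


def evaluate_root_bridge(local, bpdus, protected_ports, bridges=BRIDGES):
    """Decide what 'local' accepts as root.

    bpdus: {port: bridge whose BPDU is seen on that port}
    protected_ports: ports configured with 'stp root-protection'
    Returns (accepted root, {port: 'forwarding' | 'discarding'}).
    """
    local_id = bridge_id(*bridges[local])
    states, candidates = {}, {local}
    for port, sender in bpdus.items():
        superior = bridge_id(*bridges[sender]) < local_id
        if superior and port in protected_ports:
            # Root protection: the superior BPDU is not accepted and the port
            # stays in discarding while such BPDUs keep arriving.
            states[port] = "discarding"
        else:
            states[port] = "forwarding"
            candidates.add(sender)
    return elect_root(candidates, bridges), states


def bpdu_protection(edge_ports, bpdus):
    """With 'stp bpdu-protection', an edge port that receives any BPDU is shut down."""
    return sorted(port for port in edge_ports if port in bpdus)


if __name__ == "__main__":
    seen = {"GigabitEthernet0/0/1": "ROGUE", "GigabitEthernet0/0/2": "JRSW2"}
    print("no protection:", evaluate_root_bridge("HXSW1", seen, set()))
    print("root-protection:", evaluate_root_bridge("HXSW1", seen, set(seen)))
    print("bpdu-protection shuts:", bpdu_protection({"Ethernet0/0/1"}, {"Ethernet0/0/1": "ROGUE"}))
```

Without protection HXSW1 concedes the root role to ROGUE; with root-protection on its downlinks, the port toward ROGUE goes to discarding and HXSW1 remains root for the rest of the tree. That is the gap priority 0 leaves open and the reason step 7 exists.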

8. At the enterprise egress, map port 80 of the internal server to the outside so that external users can reach it

[CKR1]int gi0/0/1
[CKR1-GigabitEthernet0/0/1]nat server pro	
[CKR1-GigabitEthernet0/0/1]nat server protocol tcp gl	
[CKR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www in	
[CKR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www

9. The enterprise finance server may only be accessed by finance department staff (vlan 30)

[HXSW1]acl 3000  //create an access control list numbered 3000
[HXSW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0  //permit users in 192.168.30.0 to reach 192.168.200.20 (the finance server)
[HXSW1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0  //deny everyone else access to the finance server (when an ACL has several rules, matching stops at the first rule that matches)
[HXSW1-acl-adv-3000]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000  //apply the rules of acl 3000 to this port
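The comment on the deny rule is the whole point of this ACL: evaluation is first-match, so the permit for VLAN 30 must precede the catch-all deny, and the wildcard mask (0.0.0.255 for a /24, 0 for an exact host) decides which bits are compared. The evaluator below is an added example, not part of the original lab: it parses the two rules exactly as typed above and runs sample flows through them, including the reversed order to show the rule-ordering mistake. The sample flows are constructed, and the "permit" default for packets that match no rule models traffic-filter's documented behaviour as a parameter rather than as a claim about the lab's device.

```python
import ipaddress

# The two rules of the lab's acl 3000, transcribed as typed.
ACL_3000_LINES = [
    "rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0",
    "rule deny ip source any destination 192.168.200.20 0",
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_rule(text):
    """Parse 'rule [id] permit|deny ip source X W destination Y W' into a dict."""
    toks = text.split()
    action = "permit" if "permit" in toks else "deny"

    def field(keyword):
        if keyword not in toks:
            return None                  # absent field matches anything
        i = toks.index(keyword)
        if toks[i + 1] == "any":
            return None
        wildcard = toks[i + 2]
        if wildcard == "0":              # VRP shorthand for 0.0.0.0 (exact host)
            wildcard = "0.0.0.0"
        return (toks[i + 1], wildcard)

    return {"action": action, "src": field("source"), "dst": field("destination")}


def _matches(spec, addr):
    return spec is None or wildcard_match(addr, *spec)


def evaluate(rules, src, dst, default="permit"):
    """First matching rule decides. Returns (action, index of the rule or None).

    'default' is applied when no rule matches; traffic-filter forwards such
    packets, which is modelled here as default="permit" (assumption).
    """
    for idx, rule in enumerate(rules):
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"], idx
    return default, None


ACL_3000 = [parse_rule(line) for line in ACL_3000_LINES]

if __name__ == "__main__":
    # Constructed sample flows: finance user, other-VLAN user, other destination.
    for src, dst in [("192.168.30.5", "192.168.200.20"),
                     ("192.168.10.5", "192.168.200.20"),
                     ("192.168.10.5", "192.168.200.10")]:
        print(src, "->", dst, evaluate(ACL_3000, src, dst))
    print("rules reversed:", evaluate(list(reversed(ACL_3000)), "192.168.30.5", "192.168.200.20"))
```

Note what the third flow shows: the ACL only guards 192.168.200.20, so any other host in VLAN 200 stays reachable from every VLAN, and with the rules reversed the finance users themselves are denied.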

