Huawei Routing and Switching Comprehensive Lab --- IA Stage

mac2022-06-30  23


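Lab topology

Lab requirements

- Plan the IP addresses and VLANIF addresses according to the topology (PC1 belongs to the Operations department, PC2 to Marketing; PC3 to Finance, PC4 to the Technical department). Give each VLAN a description so the VLANs can be told apart, and keep the departments isolated from one another.
- The head office and the branch office each run a dynamic routing protocol (as shown in the figure).
- No routing protocol packets may appear on the service segments of the head office or the branch office.
- PC3 and PC4 are dual-homed through Switch7 to Switch4 and Switch5. To keep user services uninterrupted, configure gateway backup on Switch4 and Switch5.
- Under normal conditions PC3 uses Switch4 as its default gateway and PC4 uses Switch5, giving gateway redundancy.
- After a failed switch recovers, it preempts after a 20-second delay, becomes Master again and carries the traffic.
- Switch4, Switch7 and Switch5 run MSTP. PC3 traffic goes through Switch4 and PC4 traffic through Switch5, each backing up the other. Ports that connect PCs enter the forwarding state as soon as they come up and do not take part in spanning tree calculation.
- R1 and R3 run Easy IP; only the Marketing and Technical departments may access the external network (Loopback0 on R2 simulates the public address).
- Configure link aggregation between Switch4 and Switch5 to increase link bandwidth and reliability.
- AR6 must not be able to access PC3 or PC4 (ACL).
- R3 enables the Telnet service, and only AR6 (the network management device, simulating a PC) may manage it remotely (advanced ACL).
- The egress routers (R1 and R3) are configured with a default route pointing to the Internet and advertise it into the private network.
- For security, the head office egress router R3 and the carrier device R2 use PPP authentication (CHAP), with user name runtime and password huawei.
- The branch egress router R1 and the carrier device R2 use PPP authentication (PAP), with user name aaa and password bbb.
- The head office and the branch can reach each other (optional).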

Lab steps

1. Plan the IP addresses and VLANIF addresses according to the topology

LSW6 configuration:

    [Huawei]int e0/0/3
    [Huawei-Ethernet0/0/3]port link-type access
    [Huawei-Ethernet0/0/3]port default vlan 10
    [Huawei-Ethernet0/0/3]int e0/0/4
    [Huawei-Ethernet0/0/4]port link-type access
    [Huawei-Ethernet0/0/4]port default vlan 20
    [Huawei-Ethernet0/0/4]int e0/0/1
    [Huawei-Ethernet0/0/1]port link-type trunk
    [Huawei-Ethernet0/0/1]port trunk allow-pass vlan 10 20
    [Huawei-Ethernet0/0/1]port trunk pvid vlan 10
    [Huawei-Ethernet0/0/1]int e0/0/2
    [Huawei-Ethernet0/0/2]port link-type trunk
    [Huawei-Ethernet0/0/2]port trunk allow-pass vlan 10 20
    [Huawei-Ethernet0/0/2]port trunk pvid vlan 20
    [Huawei-vlan10]description yun ying     // VLAN label //
    [Huawei-vlan20]description shi chang    // VLAN label //

LSW1 configuration:

    [Huawei]vlan batch 10 30
    [Huawei-GigabitEthernet0/0/1]port link-type trunk
    [Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 10
    [Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
    [Huawei]int vlan 10
    [Huawei-Vlanif10]ip address 192.168.1.254 24

LSW2 configuration:

    [Huawei]vlan batch 20 40
    [Huawei-GigabitEthernet0/0/1]port link-type trunk
    [Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 20
    [Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
    [Huawei]int vlan 20
    [Huawei-Vlanif20]ip address 192.168.2.254 24

Test connectivity

PC1 pings SW1; PC2 pings SW2

    PC>ping 192.168.1.254
    Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.254: bytes=32 seq=1 ttl=255 time=93 ms
    From 192.168.1.254: bytes=32 seq=2 ttl=255 time=32 ms
    From 192.168.1.254: bytes=32 seq=3 ttl=255 time=31 ms
    From 192.168.1.254: bytes=32 seq=4 ttl=255 time=31 ms
    From 192.168.1.254: bytes=32 seq=5 ttl=255 time=16 ms
    --- 192.168.1.254 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 16/40/93 ms
    PC>ping 192.168.2.254
    Ping 192.168.2.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.2.254: bytes=32 seq=1 ttl=255 time=47 ms
    From 192.168.2.254: bytes=32 seq=2 ttl=255 time=31 ms
    From 192.168.2.254: bytes=32 seq=3 ttl=255 time=31 ms
    From 192.168.2.254: bytes=32 seq=4 ttl=255 time=31 ms
    From 192.168.2.254: bytes=32 seq=5 ttl=255 time=32 ms
    --- 192.168.2.254 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 31/34/47 ms

2. PC1 and PC2 must not reach each other, so that the departments are isolated

    PC>ping 192.168.2.1
    Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    --- 192.168.2.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

On SW1, configure the VLAN the interface belongs to, and the VLANIF:

    [Huawei]int g0/0/4
    [Huawei-GigabitEthernet0/0/4]port link-type access
    [Huawei-GigabitEthernet0/0/4]port default vlan 30
    [Huawei-GigabitEthernet0/0/4]int vlan 30
    [Huawei-Vlanif30]ip address 192.168.3.1 24

On SW2, configure the VLAN the interface belongs to, and the VLANIF:

    [Huawei]int g0/0/4
    [Huawei-GigabitEthernet0/0/4]port link-type access
    [Huawei-GigabitEthernet0/0/4]port default vlan 40
    [Huawei-GigabitEthernet0/0/4]int vlan 40
    [Huawei-Vlanif40]ip address 192.168.4.1 24

3. PC1 must not access PC2: define an ACL

LSW1

    [Huawei-acl-adv-3000]rule 5 deny ip source 192.168.1.1 0 destination 192.168.2.1 0
    [Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

LSW2

    [Huawei-acl-adv-3000]rule 5 deny ip source 192.168.2.1 0 destination 192.168.1.1 0
    [Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

PC1 and PC2 can no longer reach each other; the policy has taken effect.

    PC>ping 192.168.2.1
    Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    --- 192.168.2.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

4. The branch office runs RIP

Configure the IP addresses on AR1 and run RIP:

    [Huawei]rip
    [Huawei-rip-1]ver 2
    [Huawei-rip-1]undo summary
    [Huawei-rip-1]network 192.168.3.0
    [Huawei-rip-1]network 192.168.4.0

Configure RIP on SW1:

    [Huawei]rip
    [Huawei-rip-1]ver 2
    [Huawei-rip-1]network 192.168.1.0
    [Huawei-rip-1]network 192.168.3.0
    [Huawei-rip-1]undo summary

Configure RIP on SW2:

    [Huawei]rip
    [Huawei-rip-1]ver 2
    [Huawei-rip-1]undo summary
    [Huawei-rip-1]network 192.168.2.0
    [Huawei-rip-1]network 192.168.4.0

Plan VLAN membership

SW7 VLAN configuration:

    [Huawei]vlan batch 10 20
    [Huawei]int e0/0/3
    [Huawei-Ethernet0/0/3]port link-type access
    [Huawei-Ethernet0/0/3]port default vlan 10
    [Huawei-Ethernet0/0/3]int e0/0/4
    [Huawei-Ethernet0/0/4]port link-type access
    [Huawei-Ethernet0/0/4]port default vlan 20
    [Huawei]int e0/0/5
    [Huawei-Ethernet0/0/5]port link-type trunk
    [Huawei-Ethernet0/0/5]port trunk allow-pass vlan all
    [Huawei-Ethernet0/0/5]int e0/0/2
    [Huawei-Ethernet0/0/2]port link-type trunk
    [Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
    [Huawei]int vlan 10
    [Huawei-Vlanif10]description cai wu    // VLAN label //
    [Huawei-Vlanif10]int vlan 20
    [Huawei-Vlanif20]description ji shu    // VLAN label //

LSW4

    [Huawei]int g0/0/4
    [Huawei-GigabitEthernet0/0/4]port link-type trunk
    [Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan all

LSW5

    [Huawei]int g0/0/1
    [Huawei-GigabitEthernet0/0/1]port link-type trunk
    [Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

5. The head office runs OSPF

Configure OSPF area 1

SW4

    ospf 1
     area 1
      network 172.19.1.0 0.0.0.255
      network 172.16.1.0 0.0.0.255
      network 172.16.2.0 0.0.0.255

SW5

    ospf 1
     area 1
      network 172.20.1.0 0.0.0.255
      network 172.16.1.0 0.0.0.255
      network 172.16.2.0 0.0.0.255

AR5

    ospf 1
     area 1
      network 172.19.1.0 0.0.0.255
      network 172.20.1.0 0.0.0.255

Configure OSPF area 0

    ospf 1
     area 0
      network 172.17.1.0 0.0.0.255
      network 172.18.1.0 0.0.0.255

AR6

    ospf 1
     area 0
      network 172.18.1.0 0.0.0.255

AR3

    ospf 1
     area 0
      network 172.17.1.0 0.0.0.255

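6. No protocol packets may appear on the head office and branch service segments

Configure silent interfaces in the RIP domain

Configure the silent interface on SW1:

    [Huawei-rip-1]silent-interface g0/0/1    // configure the silent interface //

Configure the silent interface on SW2:

    [Huawei-rip-1]silent-interface g0/0/1    // configure the silent interface //

Configure silent interfaces in the OSPF domain

Configure the silent interface on SW4:

    [Huawei-ospf-1]silent-interface g0/0/4    // configure the silent interface //

Configure the silent interface on SW5:

    [Huawei-ospf-1]silent-interface g0/0/1    // configure the silent interface //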

7. Configure link aggregation between SW4 and SW5: create the aggregation group

LSW4

    [Huawei]int Eth-Trunk 1
    [Huawei-Eth-Trunk1]trunkport g0/0/2
    [Huawei-Eth-Trunk1]trunkport g0/0/5
    [Huawei-Eth-Trunk1]trunkport g0/0/1
    [Huawei-Eth-Trunk1]port link-type trunk
    [Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

LSW5

    [Huawei]int Eth-Trunk 1
    [Huawei-Eth-Trunk1]trunkport g0/0/2
    [Huawei-Eth-Trunk1]trunkport g0/0/5
    [Huawei-Eth-Trunk1]trunkport g0/0/1
    [Huawei-Eth-Trunk1]port link-type trunk
    [Huawei-Eth-Trunk1]port trunk allow-pass vlan 10 20

Check the link aggregation group:

    [Huawei]dis eth-trunk 1
    Eth-Trunk1's state information is:
    WorkingMode: NORMAL         Hash arithmetic: According to SIP-XOR-DIP
    Least Active-linknumber: 1  Max Bandwidth-affected-linknumber: 8
    Operate status: up          Number Of Up Port In Trunk: 3
    --------------------------------------------------------------------------------
    PortName                      Status      Weight
    GigabitEthernet0/0/1          Up          1
    GigabitEthernet0/0/2          Up          1
    GigabitEthernet0/0/5          Up          1

8. SW4, SW7 and SW5 run MSTP; PC3 traffic goes through Switch4 and PC4 traffic through Switch5, each backing up the other

Configuration on SW4:

    [Huawei]stp region-configuration
    [Huawei-mst-region]region-name chen
    [Huawei-mst-region]instance 1 vlan 10
    [Huawei-mst-region]instance 2 vlan 20
    [Huawei-mst-region]active region-configuration
    [Huawei]stp instance 1 root primary

Configuration on SW5:

    [Huawei]stp region-configuration
    [Huawei-mst-region]region-name chen
    [Huawei-mst-region]instance 1 vlan 10
    [Huawei-mst-region]instance 2 vlan 20
    [Huawei-mst-region]active region-configuration
    [Huawei]stp instance 2 root primary

Configuration on SW7:

    [Huawei]stp region-configuration
    [Huawei-mst-region]region-name chen
    [Huawei-mst-region]instance 1 vlan 10
    [Huawei-mst-region]instance 2 vlan 20
    [Huawei-mst-region]active region-configuration

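9. Configure edge ports on SW7: ports that connect PCs enter the forwarding state as soon as they come up and do not take part in spanning tree calculation

    [Huawei]int e0/0/3
    [Huawei-Ethernet0/0/3]stp edged-port enable
    [Huawei-Ethernet0/0/3]int e0/0/4
    [Huawei-Ethernet0/0/4]stp edged-port enable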

10. VRRP configuration

LSW4

    [Huawei]int vlan 10
    [Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
    [Huawei-Vlanif10]vrrp vrid 1 priority 150
    [Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20    // preempt after a 20-second delay to become Master again //
    [Huawei-Vlanif10]int vlan 20
    [Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254

LSW5

    [Huawei-Vlanif20]int vlan 10
    [Huawei-Vlanif10]vrrp vrid 1 virtual-ip 172.16.1.254
    [Huawei-Vlanif10]int vlan 20
    [Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.2.254
    [Huawei-Vlanif20]vrrp vrid 2 priority 150
    [Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer delay 20    // preempt after a 20-second delay to become Master again //

Check VRRP

Check the master/backup state on SW4:

    [Huawei-Vlanif20]dis vrrp brief
    VRID  State        Interface                Type     Virtual IP
    ----------------------------------------------------------------
    1     Master       Vlanif10                 Normal   172.16.1.254
    2     Backup       Vlanif20                 Normal   172.16.2.254
    ----------------------------------------------------------------
    Total:2     Master:1     Backup:1     Non-active:0

PC3 pings PC4 to test connectivity:

    PC>ping 172.16.2.1
    Ping 172.16.2.1: 32 data bytes, Press Ctrl_C to break
    From 172.16.2.1: bytes=32 seq=1 ttl=127 time=203 ms
    From 172.16.2.1: bytes=32 seq=2 ttl=127 time=94 ms
    From 172.16.2.1: bytes=32 seq=3 ttl=127 time=109 ms
    From 172.16.2.1: bytes=32 seq=4 ttl=127 time=109 ms
    From 172.16.2.1: bytes=32 seq=5 ttl=127 time=78 ms
    --- 172.16.2.1 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 78/118/203 ms

11. The egress routers (R1 and R3) are configured with a default route pointing to the Internet and advertise it into the private network

Configure a default route on AR3:

    [Huawei]ip route-static 0.0.0.0 0 200.100.2.2
    [Huawei-ospf-1]default-route-advertise    // advertise the default route //

Check the OSPF routing table on SW5:

    [Huawei]dis ip routing-table protocol ospf
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : OSPF
             Destinations : 5        Routes : 8
    OSPF routing table status : <Active>
             Destinations : 5        Routes : 8
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
            0.0.0.0/0   O_ASE   150  1           D   172.20.1.2      Vlanif60
       172.16.1.254/32  OSPF    10   2           D   172.16.1.252    Vlanif10
                        OSPF    10   2           D   172.16.2.252    Vlanif20
         172.17.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
         172.18.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
         172.19.1.0/24  OSPF    10   2           D   172.20.1.2      Vlanif60
                        OSPF    10   2           D   172.16.1.252    Vlanif10
                        OSPF    10   2           D   172.16.2.252    Vlanif20
    OSPF routing table status : <Inactive>
             Destinations : 0        Routes : 0

12. Configure a default route on AR1 and advertise it

    [Huawei]ip route-static 0.0.0.0 0 200.100.1.2
    [Huawei-rip-1]default-route originate

Check the routing table on SW1: it has learned the default route to the outside.

    [Huawei]dis ip routing-table protocol rip
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : RIP
             Destinations : 3        Routes : 3
    RIP routing table status : <Active>
             Destinations : 3        Routes : 3
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
            0.0.0.0/0   RIP     100  1           D   192.168.3.2     Vlanif30
        192.168.2.0/24  RIP     100  2           D   192.168.3.2     Vlanif30
        192.168.4.0/24  RIP     100  1           D   192.168.3.2     Vlanif30
    RIP routing table status : <Inactive>
             Destinations : 0        Routes : 0

13. AR6 must not access PC3 or PC4

Define an advanced ACL policy on AR5:

    [Huawei]acl 3000
    [Huawei-acl-adv-3000]rule 5 deny ip source 172.18.1.2 0 destination 172.16.1.1 0
    [Huawei-acl-adv-3000]rule 10 deny ip source 172.18.1.2 0 destination 172.16.2.1 0
    [Huawei]int g0/0/1
    [Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
    [Huawei-GigabitEthernet0/0/1]int g0/0/2
    [Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 3000

Test from AR6 by pinging PC3 and PC4: they can no longer be reached.

    [AR6]ping 172.16.1.1
    PING 172.16.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
    --- 172.16.1.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss
    [AR6]ping 172.16.2.1
    PING 172.16.2.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
    --- 172.16.2.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss
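
The ACLs in steps 3 and 13 use wildcard 0, so each rule matches exactly one host pair. The following added example (not part of the original post) evaluates those rules the way a first-match ACL does and lists what they leave reachable between the two department subnets; the second source host is constructed, and the default-forward behaviour for unmatched traffic is an assumption stated in the code.

```python
import ipaddress

# Rules copied from the page: ACL 3000 on LSW1 (step 3) and on AR5 (step 13).
LSW1_ACL = "rule 5 deny ip source 192.168.1.1 0 destination 192.168.2.1 0"
AR5_ACL = """rule 5 deny ip source 172.18.1.2 0 destination 172.16.1.1 0
rule 10 deny ip source 172.18.1.2 0 destination 172.16.2.1 0"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _wildcard(token):
    # "0" is the VRP shorthand for wildcard 0.0.0.0, i.e. an exact host match.
    return _ip("0.0.0.0" if token == "0" else token)

def parse_acl(text):
    """Parse 'rule N <action> ip source A W destination B W' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rules.append({"id": int(t[1]), "action": t[2],
                      "src": (_ip(t[5]), _wildcard(t[6])),
                      "dst": (_ip(t[8]), _wildcard(t[9]))})
    return sorted(rules, key=lambda r: r["id"])

def _match(addr, base, wildcard):
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(rules, src, dst):
    """Action of the first matching rule in rule-ID order.
    Assumption: traffic-filter forwards packets that match no rule."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if _match(s, *r["src"]) and _match(d, *r["dst"]):
            return r["action"]
    return "permit"

def not_denied(rules, src_net, dst_net):
    """Host pairs between two subnets that the ACL still lets through."""
    return [(str(s), str(d))
            for s in ipaddress.ip_network(src_net).hosts()
            for d in ipaddress.ip_network(dst_net).hosts()
            if evaluate(rules, str(s), str(d)) != "deny"]

if __name__ == "__main__":
    rules = parse_acl(LSW1_ACL)
    print(evaluate(rules, "192.168.1.1", "192.168.2.1"))   # PC1 -> PC2
    print(evaluate(rules, "192.168.1.2", "192.168.2.1"))   # constructed second host
    print(len(not_denied(rules, "192.168.1.0/24", "192.168.2.0/24")))
```

Isolating whole departments rather than the two lab PCs needs the subnet and a wildcard of 0.0.0.255 in the rule instead of a host address with wildcard 0.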

14. R3 enables the Telnet service; only AR6 (the network management device, simulating a PC) may manage it remotely

    [AR3]acl 3001
    [AR3-acl-adv-3001]rule 5 permit tcp source 172.18.1.2 0 destination 172.17.1.2 0 destination-port eq 23
    [AR3-acl-adv-3001]rule 6 deny tcp source any destination 172.17.1.2 0 destination-port eq 23

Only AR6 can telnet to R3; the ACL policy has taken effect.

    <AR6>telnet 172.17.1.2
      Press CTRL_] to quit telnet mode
      Trying 172.17.1.2 ...
      Connected to 172.17.1.2 ...
    Login authentication
    Username:

Telnet to R3 from AR5 as a test: the connection is refused.

    <Huawei>telnet 172.17.1.2
      Press CTRL_] to quit telnet mode
      Trying 172.17.1.2 ...

15. R1 and R3 run Easy IP; only the Marketing and Technical departments may access the external network

Configuration on AR1:

    [Huawei]acl 2000
    [Huawei-acl-basic-2000]rule 5 permit source 192.168.2.1 0
    [Huawei-acl-basic-2000]int s4/0/0
    [Huawei-Serial4/0/0]nat outbound 2000

Configuration on AR3:

    [AR3]acl 2000
    [AR3-acl-basic-2000]rule 5 permit source 172.16.2.1 0
    [AR3-acl-basic-2000]int s4/0/1
    [AR3-Serial4/0/1]nat outbound 2000

PC2 pings the public address:

    PC>ping 2.2.2.2
    Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
    From 2.2.2.2: bytes=32 seq=1 ttl=253 time=110 ms
    From 2.2.2.2: bytes=32 seq=2 ttl=253 time=78 ms
    From 2.2.2.2: bytes=32 seq=3 ttl=253 time=62 ms
    From 2.2.2.2: bytes=32 seq=4 ttl=253 time=79 ms
    From 2.2.2.2: bytes=32 seq=5 ttl=253 time=62 ms
    --- 2.2.2.2 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 62/78/110 ms

16. The head office egress router R3 and the carrier device R2 use PPP authentication (CHAP)

Configure AR2 as the CHAP authenticator:

    [Huawei]aaa
    [Huawei-aaa]local-user runtime password cipher huawei
    [Huawei-aaa]local-user runtime service-type ppp
    [Huawei-Serial4/0/1]link-protocol ppp
    [Huawei-Serial4/0/1]ppp authentication-mode chap
    [Huawei-Serial4/0/1]ip address 200.100.2.1 30

AR3 is the authenticated side:

    [Huawei]int s4/0/1
    [Huawei-Serial4/0/1]ppp chap user runtime
    [Huawei-Serial4/0/1]ppp chap password cipher huawei
    [Huawei-Serial4/0/1]ip address 200.100.2.2 30

17. The branch egress router R1 and the carrier device R2 use PPP authentication (PAP)

Configure AR1 as the PAP authenticator:

    [Huawei]aaa
    [Huawei-aaa]local-user aaa password cipher bbb
    [Huawei-aaa]local-user aaa service-type ppp
    [Huawei-aaa]int s4/0/0
    [Huawei-Serial4/0/0]ppp authentication-mode pap
    [Huawei-Serial4/0/0]ip address 200.100.1.2 30

AR2 is the PAP authenticated side:

    [Huawei]int s4/0/0
    [Huawei-Serial4/0/0]ppp pap local-user aaa password simple bbb
    [Huawei-Serial4/0/0]ip address 200.100.1.1 30
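
How the two authentication modes from steps 16 and 17 differ on the wire, as an added example that is not part of the original post: it builds a PAP Authenticate-Request (RFC 1334) and a CHAP Response (RFC 1994) with the lab's credentials and verifies the CHAP response on the authenticator side. The identifier values and challenge bytes are constructed.

```python
import hashlib
import hmac
import struct

def pap_request(ident, user, password):
    """PAP Authenticate-Request: peer ID and password travel in cleartext."""
    u, p = user.encode(), password.encode()
    body = bytes([len(u)]) + u + bytes([len(p)]) + p
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def chap_value(ident, secret, challenge):
    """CHAP response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_response(ident, user, secret, challenge):
    """CHAP Response packet: code 2, value size, hash value, then the peer name."""
    value = chap_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + user.encode()
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body

def chap_verify(packet, challenge, local_users):
    """Authenticator side: recompute the hash from the local user table."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    value = packet[5:5 + size]
    name = packet[5 + size:length].decode()
    secret = local_users.get(name)
    if code != 2 or secret is None:
        return False
    return hmac.compare_digest(value, chap_value(ident, secret, challenge))

if __name__ == "__main__":
    challenge = bytes(range(16))          # constructed challenge from the authenticator
    print(pap_request(1, "aaa", "bbb"))   # password readable in the frame
    pkt = chap_response(7, "runtime", "huawei", challenge)
    print(pkt.hex())                      # only the hash and the user name
    print(chap_verify(pkt, challenge, {"runtime": "huawei"}))
```

A captured CHAP response does not verify against a fresh challenge, whereas a captured PAP request contains the reusable password itself.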

Reposted from: https://www.cnblogs.com/yu15/p/11286722.html
