Huawei Network Engineer Certification HCNA: Two-Tier Architecture Comprehensive Lab (Detailed)
Two-tier architecture comprehensive lab
Lab requirements:
1. The user gateways are configured on the core switch
2. The enterprise intranet is divided into multiple VLANs to reduce the size of broadcast domains and improve network stability.
Configure VLANs on the access switches and assign users to the corresponding VLANs
Configure trunk links
On the core switch, create the VLANs and add the gateways on SVI (Vlanif) virtual interfaces
<JRSW2>sy
Enter system view, return user view with Ctrl+Z.
[JRSW2]vlan 10
[JRSW2-vlan10]vlan 30
[JRSW2]port-group group-member e0/0/1 to e0/0/12 //bundle multiple interfaces into one group
[JRSW2-Ethernet0/0/1]port link-type access //set the link type to access
[JRSW2-Ethernet0/0/1]port default vlan 10 //assign the whole group of interfaces to VLAN 10
[JRSW2]port-group group-member e0/0/13 to e0/0/22
[JRSW2-Ethernet0/0/2]port link-type access
[JRSW2-Ethernet0/0/2]port default vlan 30
[JRSW2]int gi0/0/1
[JRSW2-GigabitEthernet0/0/1]port link-type trunk //configure the trunk
[JRSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30 //allow both VLAN 10 and VLAN 30 on the trunk
[JRSW2-GigabitEthernet0/0/1]q
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy JRSW3
[JRSW3]un in en //disable log prompts (undo info-center enable)
[JRSW3]vlan 200
[JRSW3]int e0/0/1
[JRSW3-Ethernet0/0/1]port link-type access
[JRSW3-Ethernet0/0/1]port default vlan 200
[JRSW3-Ethernet0/0/1]int e0/0/3
[JRSW3-Ethernet0/0/3]port link-type access
[JRSW3-Ethernet0/0/3]port default vlan 200
[JRSW3-Ethernet0/0/3]int gi0/0/1
[JRSW3-GigabitEthernet0/0/1]port link-type trunk
[JRSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 200
[Huawei]sy HXSW1
[HXSW1]un in en
Info: Information center is disabled.
[HXSW1]vlan batch 10 30 200 //create VLANs 10, 30 and 200 in one batch
Info: This operation may take a few seconds. Please wait for a moment...done.
[HXSW1]int gi0/0/2
[HXSW1-GigabitEthernet0/0/2]port link-type trunk
[HXSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 30
[HXSW1-GigabitEthernet0/0/2]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]port link-type trunk
[HXSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 200
[HXSW1-GigabitEthernet0/0/1]q
[HXSW1-vlan10]int vlan 10
[HXSW1-Vlanif10]ip add 192.168.10.1 24 //add the gateway for the subnet that belongs to this VLAN
[HXSW1-Vlanif10]int vlan 30
[HXSW1-Vlanif30]ip add 192.168.30.1 24
[HXSW1-Vlanif30]int vlan 200
[HXSW1-Vlanif200]ip add 192.168.200.1 24
[HXSW1-Vlanif200]
3. All users obtain their IP addresses automatically
<HXSW1>
<HXSW1>sy
Enter system view, return user view with Ctrl+Z.
[HXSW1]ip pool vlan_10 //create an IP address pool named vlan_10
Info:It's successful to create an IP address pool. //specifying the following three attributes is enough for the pool to hand out addresses
[HXSW1-ip-pool-vlan_10]network 192.168.10.0 mask 24 //subnet and mask of the pool
[HXSW1-ip-pool-vlan_10]gateway-list 192.168.10.1 //gateway of the pool
[HXSW1-ip-pool-vlan_10]dns-list 8.8.8.8 //DNS server
[HXSW1]ip pool vlan_30
Info:It's successful to create an IP address pool.
[HXSW1-ip-pool-vlan_30]network 192.168.30.0 mask 24
[HXSW1-ip-pool-vlan_30]gateway-list 192.168.30.1
[HXSW1-ip-pool-vlan_30]dns-list 8.8.8.8
[HXSW1]dhcp enable //enable the DHCP service
Info: The operation may take a few seconds. Please wait for a moment.done.
[HXSW1]int vlan 10
[HXSW1-Vlanif10]dhcp select global
[HXSW1-Vlanif10]int vlan 30
[HXSW1-Vlanif30]dhcp select global
4. All devices can be managed remotely via Telnet from any location (apply the same configuration on all three switches)
<HXSW1>
<HXSW1>sy
Enter system view, return user view with Ctrl+Z.
[HXSW1]telnet server enable //enable the Telnet server
Info: The Telnet server has been enabled.
[HXSW1]aaa //enter AAA view
[HXSW1-aaa]local-user hcnp password simple hcnp123 privilege level 3 //create user hcnp with the plaintext password hcnp123 and privilege level 3
Info: Add a new user.
[HXSW1-aaa]local-user hcnp service-type telnet //user hcnp is used for remote Telnet access
[HXSW1-aaa]q
[HXSW1]user-interface vty 0 4 //number of simultaneous login sessions (VTY 0 to 4)
[HXSW1-ui-vty0-4]authentication-mode aaa //set the authentication mode to AAA
[HXSW1-ui-vty0-4]
Telnet configuration on egress router R1
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy CKR1
[CKR1]telnet server enable
Error: TELNET server has been enabled
[CKR1]aaa
[CKR1-aaa]local-user hcnp password cipher hcnp123 privilege level 3 //create user hcnp with the password hcnp123 stored as ciphertext and privilege level 3
Info: Add a new user.
[CKR1-aaa]local-user hcnp service-type telnet
[CKR1-aaa]q
[CKR1]user-interface vty 0 4
[CKR1-ui-vty0-4]authentication-mode aaa
[CKR1-ui-vty0-4]
Configure management VLAN 999 for Telnet
Management address range: 192.168.255.x/24
[HXSW1]vlan 999
[HXSW1]int vlan 999 //virtual interface (Vlanif)
[HXSW1-Vlanif999]ip add 192.168.255.1 24 //assign an IP address to the virtual interface
[HXSW1]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
[HXSW1-GigabitEthernet0/0/1]int gi0/0/2
[HXSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 999
[HXSW1-GigabitEthernet0/0/2]
[JRSW2]vlan 999
[JRSW2-vlan999]int vlan 999
[JRSW2-Vlanif999]ip add 192.168.255.2 24
[JRSW2]ip route-static 0.0.0.0 0 192.168.255.1
[JRSW2]int gi0/0/1
[JRSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
[JRSW2-GigabitEthernet0/0/1]
<JRSW3>sy
Enter system view, return user view with Ctrl+Z.
[JRSW3]vlan 999
[JRSW3-vlan999]int vlan 999
[JRSW3-Vlanif999]ip add 192.168.255.3 24
[JRSW3]ip route-static 0.0.0.0 0 192.168.255.1
[JRSW3]int gi0/0/1
[JRSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
5. Configure NAT on the egress
<HXSW1>sy
Enter system view, return user view with Ctrl+Z.
[HXSW1]vlan 800
[HXSW1-vlan800]int gi0/0/3
[HXSW1-GigabitEthernet0/0/3]port link-type access
[HXSW1-GigabitEthernet0/0/3]port default vlan 800
[HXSW1-GigabitEthernet0/0/3]int vlan 800 //virtual interface (Vlanif)
[HXSW1-Vlanif800]ip add 192.168.254.1 24 //assign an IP address to the virtual interface
Configure interface IP addresses on egress routers R1 and R2
[CKR1]int gi0/0/0
[CKR1-GigabitEthernet0/0/0]ip add 192.168.254.2 24
[CKR1]int gi0/0/1
[CKR1-GigabitEthernet0/0/1]ip add 12.1.1.1 29
[R2]int gi0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.1.1.6 29
[R2]int LoopBack 9
[R2-LoopBack9]ip add 9.9.9.9 24
[HXSW1]ip route-static 0.0.0.0 0 192.168.254.2
[CKR1]ip route-static 0.0.0.0 0 12.1.1.6 //outbound packets
[CKR1]ip route-static 192.168.0.0 255.255.0.0 192.168.254.1 //hand the return packets to SW1
[CKR1]acl number 2000
[CKR1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[CKR1-acl-basic-2000]int gi0/0/1
[CKR1-GigabitEthernet0/0/1]nat outbound 2000
6. Run STP in RSTP mode and make sure the core switch is the root bridge. Configure the user-facing interfaces as edge ports to speed up convergence
[JRSW2]stp mode rstp //switch the STP mode to RSTP
[JRSW3]stp mode rstp
[JRSW2]port-group group-member e0/0/1 to e0/0/21 //set all e0/0/x interfaces as edge ports; they connect only to PCs
[JRSW2-port-group]stp edged-port enable //enable the edge port setting
[JRSW3]port-group group-member e0/0/1 to e0/0/22
[JRSW3-port-group]stp edged-port enable
7. Configure root bridge protection so that the root role cannot be taken over
[HXSW1]stp priority 0 //set the priority to the highest (the bridge ID, priority + MAC, is not necessarily the highest on its own)
[HXSW1]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]stp root-protection //configure root protection on the root bridge's ports (a port that receives a BPDU with a higher priority than its own is automatically blocked)
[HXSW1-GigabitEthernet0/0/1]int gi0/0/2
[HXSW1-GigabitEthernet0/0/2]stp root-protection
[JRSW2]stp bpdu-protection //if an edge port receives an STP BPDU, shut that edge port down
[JRSW3]stp bpdu-protection
8. On the enterprise egress, map port 80 of the internal server to the outside so that external users can access it
[CKR1]int gi0/0/1
[CKR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www
9. The enterprise finance server may be accessed only by finance department staff (VLAN 30)
[HXSW1]acl 3000 //create access control list number 3000
[HXSW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0 //permit users in the 192.168.30.0 subnet to access 192.168.200.20 (the finance server)
[HXSW1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0 //deny all other access to the finance server (when an ACL has multiple rules, matching stops at the first rule that matches)
[HXSW1-acl-adv-3000]int gi0/0/1
[HXSW1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000 //apply the rules of ACL 3000 to this port.
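To make the first-match rule and the wildcard masks used by ACL 2000 (basic, source-only, selecting the 192.168.0.0/16 intranet for nat outbound) and ACL 3000 (advanced, protecting the finance server) concrete, here is an added Python model of the lookup; it is example code written for this page, not part of the lab or of Huawei's implementation, and it assumes that traffic-filter lets through packets matching no rule and that nat outbound translates only packets hitting a permit rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must equal the base address, a 1 bit is 'don't care'.
    A wildcard of 0.0.0.0 (written as a plain 0 in the lab) therefore means an exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # base address or "any"
    src_wc: str = "0.0.0.0"
    dst: str = "any"             # basic ACLs (2000-2999) match on source only
    dst_wc: str = "0.0.0.0"

def first_match(acl: list, src: str, dst: Optional[str] = None) -> Optional[Rule]:
    """Rules are tried in order; the first rule that matches ends the lookup."""
    for rule in acl:
        src_ok = rule.src == "any" or wildcard_match(src, rule.src, rule.src_wc)
        dst_ok = rule.dst == "any" or (dst is not None and wildcard_match(dst, rule.dst, rule.dst_wc))
        if src_ok and dst_ok:
            return rule
    return None

def traffic_filter(acl: list, src: str, dst: str) -> str:
    """Assumption: traffic-filter permits a packet that matches no rule at all."""
    rule = first_match(acl, src, dst)
    return "permit" if rule is None else rule.action

def nat_outbound_translates(acl: list, src: str) -> bool:
    """Assumption: nat outbound translates only packets that hit a permit rule."""
    rule = first_match(acl, src)
    return rule is not None and rule.action == "permit"

# ACL 2000 from the lab: the whole 192.168.0.0/16 intranet is eligible for NAT
ACL_2000 = [Rule("permit", "192.168.0.0", "0.0.255.255")]

# ACL 3000 from the lab: only VLAN 30 may reach the finance server 192.168.200.20
ACL_3000 = [
    Rule("permit", "192.168.30.0", "0.0.0.255", "192.168.200.20", "0.0.0.0"),
    Rule("deny", "any", "0.0.0.0", "192.168.200.20", "0.0.0.0"),
]

if __name__ == "__main__":
    print(traffic_filter(ACL_3000, "192.168.10.5", "192.168.200.20"))  # deny: VLAN 10 is blocked
    print(traffic_filter(ACL_3000, "192.168.10.5", "192.168.200.10"))  # permit: the web server is not covered
```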