Introduction:
The topology and requirements of this lab were adapted from a real project; taking into account the students' level and progress, parts that have not yet been covered were trimmed or modified.
Project: xxx planning
[Some images have been removed here because of privacy concerns]
Lab topology:
Competition requirements:
The IP addresses have already been planned, so there is no need to worry about misconfigured IP addresses. Open the configuration file rs.net in the topology file to load the topology and start the exam. Complete the lab requirements within the competition time and write the lab document, with the following requirements:
- Naming convention
19NetSec1-xxx 19Cloud2-Zhang San 19Cloud3-Li Si
- Format
Submit a Word document; under each lab requirement, write down your own configuration commands.
Topology description:
PC7 and PC10 belong to the Technology Department, VLAN 10; PC8 and PC9 belong to the Finance Department, VLAN 20. SW1 and SW2 are access-layer devices responsible for LAN communication and are interconnected in a highly reliable way. SW3 is the gateway for VLAN 10 and VLAN 20. SW3, R4 and R5 run single-area OSPF, and R4 and R5 are the Unicom and Telecom egress routers respectively, ensuring network reliability. R6 is the Internet device.
Lab requirements:
- The LAN has two business VLANs, VLAN 10 and VLAN 20, whose IP subnets are 192.168.1.0/24 and 192.168.2.0/24 respectively; divide the VLANs as required.
[SW1]vlan 10
[SW1-vlan10]qu
[SW1]vlan 20
[SW1-vlan20]qu
[SW1]interface GigabitEthernet 1/0/4
[SW1-GigabitEthernet1/0/4]port link-type access
[SW1-GigabitEthernet1/0/4]port access vlan 10
[SW1-GigabitEthernet1/0/4]qu
[SW1]interface GigabitEthernet 1/0/5
[SW1-GigabitEthernet1/0/5]port link-type access
[SW1-GigabitEthernet1/0/5]port access vlan 20
[SW2]vlan 10
[SW2-vlan10]qu
[SW2]vlan 20
[SW2-vlan20]qu
[SW2]interface GigabitEthernet 1/0/4
[SW2-GigabitEthernet1/0/4]port link-type access
[SW2-GigabitEthernet1/0/4]port access vlan 20
[SW2-GigabitEthernet1/0/4]qu
[SW2]interface GigabitEthernet 1/0/5
[SW2-GigabitEthernet1/0/5]port link-type access
[SW2-GigabitEthernet1/0/5]port access vlan 10
- On the direct link between SW1 and SW2, configure static link aggregation for link redundancy and higher bandwidth.
[SW1]interface Bridge-Aggregation 1
[SW1-Bridge-Aggregation1]qu
[SW1]interface GigabitEthernet 1/0/2
[SW1-GigabitEthernet1/0/2]port link-aggregation group 1
[SW1-GigabitEthernet1/0/2]qu
[SW1]interface GigabitEthernet 1/0/3
[SW1-GigabitEthernet1/0/3]port link-aggregation group 1
[SW2]interface Bridge-Aggregation 1
[SW2-Bridge-Aggregation1]qu
[SW2]interface GigabitEthernet 1/0/2
[SW2-GigabitEthernet1/0/2]port link-aggregation group 1
[SW2-GigabitEthernet1/0/2]qu
[SW2]interface GigabitEthernet 1/0/3
[SW2-GigabitEthernet1/0/3]port link-aggregation group 1
- All ports that interconnect switches are configured as trunks, permitting the relevant traffic.
[SW1]interface Bridge-Aggregation 1
[SW1-Bridge-Aggregation1]port link-type trunk
[SW1-Bridge-Aggregation1]port trunk permit vlan 10 20
[SW1-Bridge-Aggregation1]qu
[SW1]interface GigabitEthernet 1/0/1
[SW1-GigabitEthernet1/0/1]port link-type trunk
[SW1-GigabitEthernet1/0/1]port trunk permit vlan 10 20
[SW2]interface Bridge-Aggregation 1
[SW2-Bridge-Aggregation1]port link-type trunk
[SW2-Bridge-Aggregation1]port trunk permit vlan 10 20
[SW2-Bridge-Aggregation1]qu
[SW2]interface GigabitEthernet 1/0/1
[SW2-GigabitEthernet1/0/1]port link-type trunk
[SW2-GigabitEthernet1/0/1]port trunk permit vlan 10 20
[SW3]interface GigabitEthernet 1/0/1
[SW3-GigabitEthernet1/0/1]port link-type trunk
[SW3-GigabitEthernet1/0/1]port trunk permit vlan 10 20
[SW3-GigabitEthernet1/0/1]qu
[SW3]interface GigabitEthernet 1/0/2
[SW3-GigabitEthernet1/0/2]port link-type trunk
[SW3-GigabitEthernet1/0/2]port trunk permit vlan 10 20
- SW1, SW2 and SW3 run STP as the spanning-tree version; modify the cost so that the blocked port is SW2's g0/1.
[SW1]stp mode stp
[SW1]display stp brief
MST ID Port Role STP State Protection
0 Bridge-Aggregation1 DESI FORWARDING NONE
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/4 DESI FORWARDING NONE
0 GigabitEthernet1/0/5 DESI FORWARDING NONE
[SW2]stp mode stp
[SW2]display stp brief
MST ID Port Role STP State Protection
0 Bridge-Aggregation1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/4 DESI FORWARDING NONE
0 GigabitEthernet1/0/5 DESI FORWARDING NONE
[SW3]stp mode stp
[SW3]display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
0 GigabitEthernet1/0/4 DESI FORWARDING NONE
// The blocked port does not meet the requirement; change the blocked port
// Make SW3 the root bridge, then raise the cost of SW2's uplink so that SW2's root port
// moves to the aggregation link and g1/0/1 becomes the alternate (discarding) port
[SW3]stp priority 0
[SW2]interface GigabitEthernet 1/0/1
[SW2-GigabitEthernet1/0/1]stp cost 400
- Configure single-area OSPF on R4, R5 and SW3 as shown in the diagram and advertise the business subnets so the whole network is reachable; SW3's Vlan 100 and Vlan 200 are used to establish OSPF neighbours with R4 and R5 respectively (15 points)
// Assign the ports to VLANs so that the Layer 3 VLAN interfaces come up
[SW3]interface GigabitEthernet 1/0/3
[SW3-GigabitEthernet1/0/3]port link-type access
[SW3-GigabitEthernet1/0/3]port access vlan 100
[SW3-GigabitEthernet1/0/3]qu
[SW3]interface GigabitEthernet 1/0/4
[SW3-GigabitEthernet1/0/4]port link-type access
[SW3-GigabitEthernet1/0/4]port access vlan 200
// Configure OSPF
[SW3]ospf
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 100.0.11.0 0.0.0.3
[SW3-ospf-1-area-0.0.0.0]network 100.0.11.4 0.0.0.3
[SW3-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[R4]ospf
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0]network 100.0.11.0 0.0.0.3
[R4-ospf-1-area-0.0.0.0]network 100.0.11.8 0.0.0.3
[R5]ospf
[R5-ospf-1]area 0
[R5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]network 100.0.11.4 0.0.0.3
[R5-ospf-1-area-0.0.0.0]network 100.0.11.8 0.0.0.3
- No protocol packets may appear on the business subnets. (5 points)
[SW3-ospf-1]silent-interface Vlan-interface 10
[SW3-ospf-1]silent-interface Vlan-interface 20
- Configure a default route pointing to the Internet on R4 and R5 and redistribute it into OSPF; use a suitable method to implement primary/backup, with Telecom as the primary link and Unicom as the backup; only when the Telecom link goes down should business data reach the Internet via the Unicom link.
// R4 (Unicom, backup): give its own static default a preference worse than OSPF ASE routes
// and advertise it with a high cost, so R5's default (Telecom) wins while R5 is up
[R4]ip route-static 0.0.0.0 0 200.1.1.2 preference 200
[R4-ospf-1]default-route-advertise cost 5000
[R5]ip route-static 0.0.0.0 0 200.2.2.2
[R5-ospf-1]default-route-advertise
- Configure Easy IP on R4 and R5 respectively, so that all business subnets can reach the Internet through R4 or R5.
[R4]acl basic 2000
[R4-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R4-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R4]interface Serial 1/0
[R4-Serial1/0]nat outbound 2000
[R5]acl basic 2000
[R5-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R5-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R5]interface Serial 1/0
[R5-Serial1/0]nat outbound 2000
- R4 and R5 each connect to the Internet over a single serial link; configure PPP with bidirectional CHAP authentication.
[R6]local-user r4 class network
New local user added.
[R6-luser-network-r4]password simple 123
[R6-luser-network-r4]service-type ppp
[R6]local-user r5 class network
New local user added.
[R6-luser-network-r5]password simple 123
[R6-luser-network-r5]service-type ppp
// Enable PPP authentication
[R6]interface Serial 1/0
[R6-Serial1/0]ppp authentication-mode chap
[R6-Serial1/0]ppp chap user r6
[R6-Serial1/0]qu
[R6]interface Serial 2/0
[R6-Serial2/0]ppp authentication-mode chap
[R6-Serial2/0]ppp chap user r6
// Configure R4
[R4]local-user r6 class network
New local user added.
[R4-luser-network-r6]password simple 123
[R4-luser-network-r6]service-type ppp
[R4-luser-network-r6]qu
[R4]interface Serial 1/0
[R4-Serial1/0]ppp authentication-mode chap
[R4-Serial1/0]ppp chap user r4
// Configure R5
[R5]local-user r6 class network
New local user added.
[R5-luser-network-r6]password simple 123
[R5-luser-network-r6]service-type ppp
[R5-luser-network-r6]qu
[R5]interface Serial 1/0
[R5-Serial1/0]ppp authentication-mode chap
[R5-Serial1/0]ppp chap user r5
- Enable Telnet remote management on R5, logging in with user mo66.cn, password 666, with the highest privilege level; and only allow the Technology Department to remotely manage R5.
[R5]local-user mo66.cn class manage
New local user added.
[R5-luser-manage-mo66.cn]password simple 666
[R5-luser-manage-mo66.cn]service-type telnet
// With scheme authentication the user role comes from the local user, not from the VTY line
[R5-luser-manage-mo66.cn]authorization-attribute user-role level-15
[R5-luser-manage-mo66.cn]qu
[R5]telnet server enable
[R5]user-interface vty 0 4
[R5-line-vty0-4]authentication-mode scheme
[R5-line-vty0-4]user-role level-15
// Configure an ACL so that only the Technology Department can manage R5
[R5]acl basic 2001
[R5-acl-ipv4-basic-2001]rule permit source 192.168.1.0 0.0.0.255
[R5-acl-ipv4-basic-2001]qu
[R5]telnet server acl 2001
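As an added check (example code written for this page, not part of the lab write-up or any H3C tooling), the following Python evaluates the basic ACLs used for Easy IP (ACL 2000) and for the Telnet server (ACL 2001) against sample source addresses, confirming that Finance Department hosts are still translated by NAT but cannot open a management session to R5. The rule text is copied from the write-up; the function names and the sample addresses are my own constructions.

```python
import ipaddress

# ACL rule text exactly as typed on R4/R5 in the write-up, one rule per line.
ACL_2000 = """rule permit source 192.168.1.0 0.0.0.255
rule permit source 192.168.2.0 0.0.0.255"""
ACL_2001 = "rule permit source 192.168.1.0 0.0.0.255"

def parse_basic_acl(text):
    """Parse 'rule [id] permit|deny source <addr> <wildcard>|any' lines
    into (action, network, wildcard) tuples, in configuration order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue
        if parts[1].isdigit():            # optional rule ID
            del parts[1]
        action = parts[1]
        if action not in ("permit", "deny") or parts[2] != "source":
            raise ValueError("unsupported rule: " + line)
        if parts[3] == "any":             # "source any" matches everything
            net, wild = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            wild = int(ipaddress.IPv4Address(parts[4]))
        rules.append((action, net, wild))
    return rules

def acl_action(rules, src, default="deny"):
    """Action of the first rule matching src. A wildcard bit of 1 means
    "don't care"; bits that are 0 must match exactly. Traffic matching no
    rule gets `default`: 'telnet server acl' drops it, 'nat outbound'
    just forwards it untranslated."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in rules:
        care = ~wild & 0xFFFFFFFF
        if s & care == net & care:
            return action
    return default

def telnet_allowed(src):
    """True if src may reach the Telnet server on R5 (ACL 2001)."""
    return acl_action(parse_basic_acl(ACL_2001), src) == "permit"

def nat_translated(src):
    """True if Easy IP on R4/R5 translates traffic from src (ACL 2000)."""
    return acl_action(parse_basic_acl(ACL_2000), src) == "permit"
```

Note that `telnet server acl 200` in the original answer would have referenced an ACL that does not exist; the evaluator above assumes the corrected number 2001.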
Submitting, submitting~
Awesome, boss!
I don't deserve that, really; these are all basic questions, hahaha