2021 H3C Cup Competition Exam Questions

admin
2022-12-03

I. Lab Topology

image-20221119144752707

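II. Requirements

This network simulates a large enterprise network. BGP/MPLS VPN is used to isolate the different VPNs, and firewalls provide attack defense and access policy.
Candidates are to configure the devices in HCL according to the requirements below.

  1. PPP configuration

    Router R1 and router R3 are connected by a WAN link that runs PPP.

    The specific PPP requirements are:

    • Use CHAP, with one-way authentication;
    • R1 is the authenticator and R2 is the authenticated party;
    • Configure local AAA authentication on R1; the username and password are both 123456.
  2. VLANs

    To reduce broadcasts, VLANs must be planned and configured. The specific requirements are:

    • The configuration must be sound: links must not carry unnecessary traffic.
    • Physical ports interconnecting switches and routers are connected directly in Layer 3 mode.
    • Ports interconnecting the switches (S1, S2, L2SW) use the Trunk link type.

    Using the information above and Table 1-1, complete the VLAN configuration and port assignment on the switches.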

image-20221118234323651

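  3. Link aggregation

    Configure link aggregation on switches S1 and S2 using a Layer 2 static link aggregation group with group number 1; aggregate the links on interfaces G0/23 and G0/24.

  4. MSTP deployment

    Configure MSTP on switches S1, S2 and L2SW to prevent Layer 2 loops, with the following parameters:

    • The STP region-name is 2021;
    • The other requirements are in the table below: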

image-20221118234637221

  5. IPv4 address deployment

image-20221118234754617

  6. VRRP deployment

    Configure VRRP on switches S1 and S2 to improve reliability, with the following parameters:

    image-20221118234855117

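    • S1 is the master gateway for hosts in VLAN 10 and S2 is the master gateway for hosts in VLAN 20, each backing up the other;
    • The VRRP master priority is 150 and the backup priority is 110.
  7. IPv4 IGP route deployment

    Use OSPF and static routes for connectivity. The specific requirements are:

    • R1, R2 and R3 run OSPF with each other: process ID 1, area 0; the Router ID is the router's own Loopback address;
    • R1 runs OSPF with S1 and S2: process ID 10, area 0; the Router ID is the router's own Loopback address;
    • OSPF on S1 and S2 must not send protocol packets into the service subnets;
    • Both OSPF and static routes must advertise specific subnets (OSPF must match with an exact wildcard mask); advertising a default route is not allowed;
    • For ease of management, OSPF must advertise the Loopback addresses; R1 must advertise its Loopback in OSPF process 1.
  8. BGP/MPLS VPN deployment

    BGP runs among the routers (R1, R2, R3) and between R2 and R4. The specific requirements are:

    • R2 and R4 run EBGP; R2 belongs to AS100 and R4 belongs to AS300;
    • R1, R2 and R3 run IBGP, all in AS100, using their Loopback addresses as the source address of the sessions;
    • BGP routes are generated with the network command; importing IGP routes with the import command is not allowed.
    • R3 uses static VPN routes toward FW1 and FW2, configured for specific subnets (default routes are not allowed).

    Configure two VPNs such that hosts within the same VPN can reach each other and hosts in different VPNs cannot. The parameters are: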

    image-20221118235231761

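    • The MPLS lsr-id uses the Loopback address, and LDP is used for label distribution.
  9. Firewall deployment

Configure security zones and security policies on FW1 and FW2. The specific requirements are:

  • On FW1 and FW2, the interfaces facing the servers are in the Trust security zone and the interfaces facing R3 are in the Untrust security zone;
  • On FW1, configure address object group server1 with host address 172.0.0.1/32; configure security policy ap1, rule rule0, permitting all IP traffic from clients in the Untrust zone to destinations in the Trust zone that match address object server1;
  • On FW2, configure address object group server2 with host address 192.0.0.1/32; configure security policy ap1, rule rule0, permitting all IP traffic from clients in the Untrust zone to destinations in the Trust zone that match address object server2;
  • Apply the default IPS policy on FW1 and FW2 to perform IPS protection on user data packets. The specific requirements are:
  • Configure a DPI application profile named sec, apply the default IPS policy default and set the IPS policy mode to protect;
    reference sec in security policy ap1;

Configure attack defense policies on FW1 and FW2. The specific requirements are:

  • On FW1, configure attack defense policy ad1 with a SYN flood attack defense policy for the Server1 address: threshold 2000, action drop and output an alarm log; apply attack defense policy ad1 to security zone Untrust.
  • On FW2, configure attack defense policy ad1 with a SYN flood attack defense policy for the Server2 address: threshold 2000, action drop and output an alarm log; apply attack defense policy ad1 to security zone Untrust.
  10. IPv6 deployment

Configure IPv6 on switches S1 and S2. Use OSPFv3 with process ID 1 and area 0; the Router ID is the same as the OSPF Router ID. The IPv6 addresses are listed in the table below: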

image-20221118235717812

  11. Device and network management deployment

Configure hostnames for the network devices according to Table 1-5.

image-20221118235814643

III. Lab Steps

(1) Configure IP addresses

If the interfaces in your topology match mine, you can copy the commands below directly.

R1

sysname R1
interface gig 0/0
ip a 10.0.0.1 30 
interface gig 0/1
ip a 10.0.0.5 30 
interface gig 0/2
ip a 100.0.0.1 30 
interface serial 1/0
ip a 100.0.0.10 30
interface loopback 0 
ip a 9.9.9.1 32

R2

sysname R2
interface gig 0/0
ip a 100.0.0.2 30 
interface gig 0/1
ip a 100.0.0.5 30 
interface gig 0/2
ip a 10.0.0.9 30 
interface l 0 
ip a 9.9.9.2 32 

R3

sysname R3
interface gig 0/0
ip a 100.0.0.6 30 
interface gig 0/1 
ip a 10.0.0.13 30 
interface gig 0/2 
ip a 10.0.0.17 30
interface serial 1/0
ip a 100.0.0.9 30 
interface loopback 0 
ip a 9.9.9.3 32

R4

sysname R4
interface gi 0/0
ip a 10.0.0.10 30 
interface gig 0/1 
ip a 192.0.10.254 24 
interface l 0 
ip a 9.9.9.105 32

S1

sysname S1
interface gig 1/0/1 
port link-mode route
ip a 10.0.0.2 30 
quit 
vlan 10
vlan 20
interface vlan 10
ip a 172.0.10.252 24 
interface vlan 20
ip a 172.0.20.252 24 
interface l 0 
ip a 9.9.9.101 32

S2

sysname S2
interface gig 1/0/1
port link-mode route
ip a 10.0.0.6 30
quit
vlan 10
vlan 20
interface vlan 10
ip a 172.0.10.253 24 
interface vlan 20
ip a 172.0.20.253 24 
interface l 0 
ip a 9.9.9.102 32

FW1

sysname FW1
interface gig 1/0/1
ip a 10.0.0.14 30 
interface gig 1/0/0
ip a 172.0.0.254 24 
interface l  0 
ip a 9.9.9.201 32

FW2

sysname FW2
interface gig 1/0/1
ip a 10.0.0.18 30 
interface gig 1/0/0
ip a 192.0.0.254 24 

(2) PPP configuration

R1

[R1]local-user 123456 class network
New local user added.
[R1-luser-network-123456]password simple 123456
[R1-luser-network-123456]service-type ppp
[R1-luser-network-123456]interface serial 1/0
[R1-Serial1/0]ppp aut chap

R3

[R3]interface serial 1/0
[R3-Serial1/0]ppp chap user 123456
[R3-Serial1/0]ppp chap password simple 123456

(3) Link aggregation

S1

[S1]interface bridge 1 
[S1-Bridge-Aggregation1]quit 
[S1]interface range gig 1/0/23 gig 1/0/24 
[S1-if-range]port link-aggregation group 1

S2

[S2]interface bridge 1 
[S2-Bridge-Aggregation1]quit 
[S2]interface range gig 1/0/23 gig 1/0/24 
[S2-if-range]port link-aggregation group 1

(4) VLAN assignment

S1

[S1]interface range bridge 1 gig 1/0/3
[S1-if-range]port link-type trunk 
Configuring GigabitEthernet1/0/23 done.
Configuring GigabitEthernet1/0/24 done.
[S1-if-range]port trunk permit vlan 10 20 

S2

[S2]interface range bridge 1 gig 1/0/3
[S2-if-range]port link-type trunk
Configuring GigabitEthernet1/0/23 done.
Configuring GigabitEthernet1/0/24 done.
[S2-if-range]port trunk permit vlan 10 20 

L2SW

[L2SW]vlan 10 
[L2SW-vlan10]port gig 1/0/1 to gig 1/0/4
[L2SW-vlan10]vlan 20 
[L2SW-vlan20]port gig 1/0/5 to gig 1/0/8
[L2SW-vlan20]interface range gig 1/0/23 gig 1/0/24
[L2SW-if-range]port link-type trunk 
[L2SW-if-range]port trunk permit vlan 10 20

(5) Configure MSTP

S1,S2,L2SW

stp reg 
reg 2021
instance 1 vlan 10 
instance 2 vlan 20 
ac reg

S1

[S1]stp instance 1 root pri 
[S1]stp instance 2 root sec

S2

[S2]stp instance 1 root sec 
[S2]stp instance 2 root pri

(6) Configure VRRP

S1

[S1]interface vlan 10 
[S1-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254 
[S1-Vlan-interface10]vrrp vrid 10 pri 150
[S1-Vlan-interface10]interface vlan 20 
[S1-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254 
[S1-Vlan-interface20]vrrp vrid 20 pri 110

S2

[S2]interface vlan 10
[S2-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254 
[S2-Vlan-interface10]vrrp vrid 10 pri 110
[S2-Vlan-interface10]interface vlan 20 
[S2-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254 
[S2-Vlan-interface20]vrrp vrid 20 pri 150

(7) Configure IPv4 IGP routing

R1

[R1]ospf 1 router-id 9.9.9.1
[R1-ospf-1]area 0 
[R1-ospf-1-area-0.0.0.0]network 9.9.9.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3 
[R1-ospf-1-area-0.0.0.0]network 100.0.0.10 0.0.0.3 

R2

[R2]ospf 1 router-id 9.9.9.2 
[R2-ospf-1]area 0 
[R2-ospf-1-area-0.0.0.0]network 9.9.9.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3 
[R2-ospf-1-area-0.0.0.0]network 100.0.0.5 0.0.0.3

R3

[R3]ospf 1 router-id 9.9.9.3 
[R3-ospf-1]area 0 
[R3-ospf-1-area-0.0.0.0]network 9.9.9.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 100.0.0.6 0.0.0.3 
[R3-ospf-1-area-0.0.0.0]network 100.0.0.9 0.0.0.3

R1

[R1]ip vpn-instance vpn1
[R1-vpn-instance-vpn1]route-distinguisher 100:1
[R1-vpn-instance-vpn1]vpn-target 100:1 both
[R1-vpn-instance-vpn1]quit
[R1]interface gig 0/0
[R1-GigabitEthernet0/0]ip binding vpn-instance vpn1
Some configurations on the interface are removed.
[R1-GigabitEthernet0/0] ip address 10.0.0.1 255.255.255.252
[R1-GigabitEthernet0/0]quit 
[R1]interface gig 0/1
[R1-GigabitEthernet0/1]ip bind vpn vpn1
Some configurations on the interface are removed.
[R1-GigabitEthernet0/1] ip address 10.0.0.5 255.255.255.252


[R1]ospf 10 router-id 9.9.9.1 vpn-instance vpn1
[R1-ospf-10]area 0 
[R1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3
[R1-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3

S1

[S1]ospf 10 router-id 9.9.9.101 
[S1-ospf-10]silent-interface vlan 10
[S1-ospf-10]silent-interface vlan 20
[S1-ospf-10]area 0 
[S1-ospf-10-area-0.0.0.0]network 9.9.9.101 0.0.0.0
[S1-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255
[S1-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255
[S1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3

S2

[S2]ospf 10 router-id 9.9.9.102 
[S2-ospf-10]silent-interface vlan 10
[S2-ospf-10]silent-interface vlan 20
[S2-ospf-10]area 0 
[S2-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3 
[S2-ospf-10-area-0.0.0.0]network 9.9.9.102 0.0.0.0
[S2-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255
[S2-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255
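
The exam requires OSPF to advertise specific subnets with exact wildcard masks. As an added example (not part of the original post), the Python check below compares a device's OSPF network statements with its interface subnets. The interface addresses follow the address plan above; the mistyped statement is constructed for illustration.

```python
import ipaddress


def wildcard_network(address, wildcard):
    """Turn an OSPF 'network <address> <wildcard>' pair into an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard is always 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(address)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - w.bit_length()))


def audit(interfaces, statements):
    """Compare OSPF network statements with the interface subnets of one device.

    Returns (stray, missing): statements that match no interface subnet exactly,
    and interface subnets that no statement advertises.
    """
    subnets = {ipaddress.ip_interface(i).network for i in interfaces}
    announced = {wildcard_network(a, w) for a, w in statements}
    return (sorted(str(n) for n in announced - subnets),
            sorted(str(n) for n in subnets - announced))


# R1's two vpn1 interfaces toward S1 and S2, taken from the address plan.
R1_VPN1_INTERFACES = ["10.0.0.1/30", "10.0.0.5/30"]
# Constructed input: a transposed octet in the second statement, then the intended form.
MISTYPED = [("10.0.0.0", "0.0.0.3"), ("10.0.4.0", "0.0.0.3")]
INTENDED = [("10.0.0.0", "0.0.0.3"), ("10.0.0.4", "0.0.0.3")]

# S1's interfaces and OSPF 10 statements as configured in this section.
S1_INTERFACES = ["10.0.0.2/30", "172.0.10.252/24", "172.0.20.252/24", "9.9.9.101/32"]
S1_STATEMENTS = [("9.9.9.101", "0.0.0.0"), ("172.0.10.0", "0.0.0.255"),
                 ("172.0.20.0", "0.0.0.255"), ("10.0.0.0", "0.0.0.3")]

if __name__ == "__main__":
    for name, ifs, stmts in [("R1 mistyped", R1_VPN1_INTERFACES, MISTYPED),
                             ("R1 intended", R1_VPN1_INTERFACES, INTENDED),
                             ("S1", S1_INTERFACES, S1_STATEMENTS)]:
        stray, missing = audit(ifs, stmts)
        print(f"{name}: stray={stray} missing={missing}")
```

A stray entry paired with a missing one of the same prefix length usually points to a typing slip in the network statement.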

(8) Firewall configuration

FW1

[FW1]security-zone name Trust 
[FW1-security-zone-Trust]import interface gig 1/0/0
[FW1-security-zone-Trust]quit 
[FW1]security-zone name untrust
[FW1-security-zone-Untrust]import interface gig 1/0/1
[FW1-security-zone-Untrust]quit 
[FW1]object-group ip address server1
[FW1-obj-grp-ip-server1]network host address 172.0.0.1 
[FW1-obj-grp-ip-server1]quit 
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0 name ap1
[FW1-security-policy-ip-0-ap1]source-zone untrust
[FW1-security-policy-ip-0-ap1]destination-zone trust
[FW1-security-policy-ip-0-ap1]destination-ip server1
[FW1-security-policy-ip-0-ap1]action pass
[FW1-security-policy-ip-0-ap1]quit 
[FW1-security-policy-ip]quit 
[FW1]app-profile sec 
[FW1-app-profile-sec]ips apply policy default mode protect 
[FW1-app-profile-sec]quit 
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0 
[FW1-security-policy-ip-0-ap1]profile sec
[FW1-security-policy-ip-0-ap1]quit
[FW1-security-policy-ip]quit 
[FW1]attack-defense policy ad1
[FW1-attack-defense-policy-ad1]syn-flood threshold 2000
[FW1-attack-defense-policy-ad1]syn-flood action logging drop
[FW1-attack-defense-policy-ad1]syn-flood detect ip 172.0.0.1
[FW1-attack-defense-policy-ad1]quit 
[FW1]security-zone name Untrust 
[FW1-security-zone-Untrust]attack-defense apply policy ad1

FW2

[FW2]security-zone name trust
[FW2-security-zone-Trust]import interface gig 1/0/0
[FW2-security-zone-Trust]quit 
[FW2]security-zone name untrust
[FW2-security-zone-Untrust]import interface gig 1/0/1
[FW2-security-zone-Untrust]quit 
[FW2]object-group ip address server2
[FW2-obj-grp-ip-server2]network host address 192.0.0.1 
[FW2-obj-grp-ip-server2]quit 
[FW2]security-policy ip 
[FW2-security-policy-ip]rule 0 name ap1
[FW2-security-policy-ip-0-ap1]source-zone untrust
[FW2-security-policy-ip-0-ap1]destination-zone trust
[FW2-security-policy-ip-0-ap1]destination-ip server2
[FW2-security-policy-ip-0-ap1]action pass 
[FW2-security-policy-ip-0-ap1]quit
[FW2-security-policy-ip]quit 
[FW2]app-profile sec 
[FW2-app-profile-sec]ips apply policy default mode protect 
[FW2-app-profile-sec]quit 
[FW2]security-policy ip
[FW2-security-policy-ip]rule 0 
[FW2-security-policy-ip-0-ap1]profile sec
[FW2-security-policy-ip-0-ap1]quit 
[FW2-security-policy-ip]quit 
[FW2]attack-defense policy ad1
[FW2-attack-defense-policy-ad1]syn-flood threshold 2000
[FW2-attack-defense-policy-ad1]syn-flood detect ip 192.0.0.1
[FW2-attack-defense-policy-ad1]syn-flood action logging drop
[FW2-attack-defense-policy-ad1]quit
[FW2]security-zone name untrust 
[FW2-security-zone-Untrust]attack-defense apply policy ad1

(9) IPv6 deployment

S1

[S1]interface vlan 10 
[S1-Vlan-interface10]ipv6 address 172:10::254 64
[S1-Vlan-interface10]interface vlan 20 
[S1-Vlan-interface20]ipv6 address 172:20::254 64 
[S1-Vlan-interface20]ipv6 address 172:20::253 64 
[S1-Vlan-interface20]undo ipv6 address 172:20::254 64 
[S1-Vlan-interface20]interface loopback 0 
[S1-LoopBack0]ipv6 address 9::101 128
[S1-LoopBack0]quit 
[S1]ospfv3 1
[S1-ospfv3-1]router-id 9.9.9.101
[S1-ospfv3-1]interface range vlan 10 vlan 20
[S1-if-range]ospfv3 1 area 0

S2

[S2]interface vlan 10
[S2-Vlan-interface10]ipv6 address 172:10::253 64 
[S2-Vlan-interface10]interface vlan 20
[S2-Vlan-interface20]ipv6 address 172:20::254 64 
[S2-Vlan-interface20]interface loopback 0 
[S2-LoopBack0]ipv6 address 9::102 128
[S2-LoopBack0]quit 
[S2]ospfv3 1 
[S2-ospfv3-1]router-id 9.9.9.102
[S2-ospfv3-1]interface range vlan 10 vlan 20
[S2-if-range]ospfv3 1 area 0

(10) Configure BGP/MPLS VPN

R4

[R4]bgp 300
[R4-bgp-default]peer 10.0.0.9 as-number 100
[R4-bgp-default]address-family ipv4 
[R4-bgp-default-ipv4]peer 10.0.0.9 enable 
[R4-bgp-default-ipv4]network 192.0.10.0 24

R2

[R2]ip vpn-instance vpn2
[R2-vpn-instance-vpn2]route-distinguisher 200:1
[R2-vpn-instance-vpn2]vpn-target 200:1 both
[R2-vpn-instance-vpn2]quit 
[R2]interface gig 0/2
[R2-GigabitEthernet0/2]ip binding vpn-instance vpn2
Some configurations on the interface are removed.
[R2-GigabitEthernet0/2] ip address 10.0.0.9 255.255.255.252
[R2-GigabitEthernet0/2]quit 
[R2]bgp 100
[R2-bgp-default]ip vpn-instance vpn2
[R2-bgp-default-vpn2]peer 10.0.0.10 as-number 300
[R2-bgp-default-vpn2]address-family ipv4 
[R2-bgp-default-ipv4-vpn2]peer 10.0.0.10 enable



[R2]mpls ldp 
[R2-ldp]lsr-id 9.9.9.2
[R2-ldp]interface range gig 0/0 gig 0/1
[R2-if-range]mpls enable 
[R2-if-range]mpls ldp enable 
[R2-if-range]quit 
[R2]bgp 100 
[R2-bgp-default]group in 
[R2-bgp-default]peer 9.9.9.1 group in 
[R2-bgp-default]peer 9.9.9.3 group in 
[R2-bgp-default]peer in con loopback 0 
[R2-bgp-default]address-family vpnv4
[R2-bgp-default-vpnv4]peer in enable 

R1

[R1]mpls ldp
[R1-ldp]lsr-id 9.9.9.1
[R1-ldp]interface range gig 0/2 serial 1/0
[R1-if-range]mpls enable 
[R1-if-range]mpls ldp enable
[R1-if-range]quit 
[R1]bgp 100
[R1-bgp-default]group in 
[R1-bgp-default]peer 9.9.9.2 group in 
[R1-bgp-default]peer 9.9.9.3 group in 
[R1-bgp-default]peer in connect-interface loopback 0 
[R1-bgp-default]address-family vpnv4 
[R1-bgp-default-vpnv4]peer in enable




[R1]bgp 100
[R1-bgp-default]ip vpn-instance vpn1
[R1-bgp-default-vpn1]address-family ipv4
[R1-bgp-default-ipv4-vpn1]network 172.0.10.0 24
[R1-bgp-default-ipv4-vpn1]network 172.0.20.0 24
[R1-bgp-default-ipv4-vpn1]quit 
[R1-bgp-default-vpn1]quit 
[R1-bgp-default]quit 
[R1]ospf 10
[R1-ospf-10]import bgp

R3

[R3]mpls ldp 
[R3-ldp]lsr-id 9.9.9.3
[R3-ldp]interface range serial 1/0 gig 0/0
[R3-if-range]mpls enable 
[R3-if-range]mpls ldp enable 
[R3-if-range]quit 
[R3]bgp 100
[R3-bgp-default]group in 
[R3-bgp-default]peer 9.9.9.1 group in 
[R3-bgp-default]peer 9.9.9.2 group in 
[R3-bgp-default]peer in connect-interface loopback 0 
[R3-bgp-default]address-family vpnv4
[R3-bgp-default-vpnv4]peer in enable 



[R3]ip vpn-instance vpn1
[R3-vpn-instance-vpn1]route-distinguisher 100:1
[R3-vpn-instance-vpn1]vpn-target 100:1 both 
[R3-vpn-instance-vpn1]quit 
[R3]ip vpn-instance vpn2
[R3-vpn-instance-vpn2]route-distinguisher 200:1
[R3-vpn-instance-vpn2]vpn-target 200:1 both 
[R3-vpn-instance-vpn2]quit 
[R3]interface gig 0/1
[R3-GigabitEthernet0/1]ip binding vpn-instance vpn1
Some configurations on the interface are removed.
[R3-GigabitEthernet0/1] ip address 10.0.0.13 255.255.255.252
[R3-GigabitEthernet0/1]interface gig 0/2
[R3-GigabitEthernet0/2]ip binding vpn-instance vpn2
Some configurations on the interface are removed.
[R3-GigabitEthernet0/2]ip a 10.0.0.17 30
[R3-GigabitEthernet0/2]quit 
[R3]ip route-static vpn-instance vpn1 172.0.0.0 24 10.0.0.14 
[R3]ip route-static vpn-instance vpn2 192.0.0.0 24 10.0.0.18

[R3]bgp 100
[R3-bgp-default]ip vpn vpn1
[R3-bgp-default-vpn1]ad ipv4 
[R3-bgp-default-ipv4-vpn1]network 172.0.0.0 24 
[R3-bgp-default-ipv4-vpn1]quit 
[R3-bgp-default-vpn1]quit 
[R3-bgp-default]ip vpn vpn2
[R3-bgp-default-vpn2]ad ipv4 
[R3-bgp-default-ipv4-vpn2]network 192.0.0.0 24

FW1

[FW1]ip route-static 172.0.10.0 24 10.0.0.13 
[FW1]ip route-static 172.0.20.0 24 10.0.0.13

FW2

[FW2]ip route-static 192.0.10.0 24 10.0.0.17
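
The isolation requirement (hosts in the same VPN reach each other, hosts in different VPNs do not) comes down to which route targets each vpn-instance exports and imports. The following added example, not part of the original post, parses vpn-instance blocks and reports cross-VPN leaks, unreachable same-VPN sites and RDs shared between VPNs. The sample configurations and the one-space indented layout are constructed assumptions.

```python
from collections import defaultdict
from itertools import permutations

# Keyword after the targets -> side(s) of the VRF it applies to; no keyword means both.
SIDES = {"both": ("imp", "exp"), "import-extcommunity": ("imp",),
         "export-extcommunity": ("exp",)}


def parse_vrfs(configs):
    """Parse 'ip vpn-instance' blocks into {(device, vpn): {"rd", "imp", "exp"}}."""
    vrfs = {}
    for device, text in configs.items():
        cur = None
        for line in text.splitlines():
            w = line.split()
            if w[:2] == ["ip", "vpn-instance"] and len(w) == 3:
                cur = vrfs.setdefault((device, w[2]),
                                      {"rd": None, "imp": set(), "exp": set()})
            elif not w or not line[0].isspace():
                cur = None  # blank or unindented line: left the vpn-instance view
            elif cur is not None and w[0] == "route-distinguisher" and len(w) == 2:
                cur["rd"] = w[1]
            elif cur is not None and w[0] == "vpn-target":
                for side in SIDES.get(w[-1], SIDES["both"]):
                    cur[side].update(t for t in w[1:] if t not in SIDES)
    return vrfs


def cross_vpn_leaks(vrfs):
    """(exporter, importer) pairs with different VPN names that share a route target."""
    return sorted((a, b) for a, b in permutations(vrfs, 2)
                  if a[1] != b[1] and vrfs[a]["exp"] & vrfs[b]["imp"])


def unreachable_sites(vrfs):
    """Same-VPN pairs on different PEs where the importer accepts no exported target."""
    return sorted((a, b) for a, b in permutations(vrfs, 2)
                  if a[1] == b[1] and a[0] != b[0]
                  and not vrfs[a]["exp"] & vrfs[b]["imp"])


def shared_rds(vrfs):
    """RDs configured under more than one VPN name."""
    by_rd = defaultdict(set)
    for (_, vpn), vrf in vrfs.items():
        by_rd[vrf["rd"]].add(vpn)
    return {rd: sorted(v) for rd, v in by_rd.items() if len(v) > 1}


# Constructed sample: vpn1 uses 100:1 and vpn2 uses 200:1 for both RD and route target.
VPN1 = "ip vpn-instance vpn1\n route-distinguisher 100:1\n vpn-target 100:1 both\n"
VPN2 = "ip vpn-instance vpn2\n route-distinguisher 200:1\n vpn-target 200:1 both\n"
LAB = {"R1": VPN1, "R2": VPN2, "R3": VPN1 + VPN2}
# Constructed misconfiguration: vpn2 on R2 reuses vpn1's RD and imports vpn1's target.
BAD = dict(LAB, R2="ip vpn-instance vpn2\n route-distinguisher 100:1\n"
                   " vpn-target 200:1 both\n vpn-target 100:1 import-extcommunity\n")

if __name__ == "__main__":
    for name, cfg in (("LAB", LAB), ("BAD", BAD)):
        v = parse_vrfs(cfg)
        print(name, cross_vpn_leaks(v), unreachable_sites(v), shared_rds(v))
```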

Connectivity test

S1 PING PC11

[S1]ping -a 172.0.10.252 172.0.0.1
Ping 172.0.0.1 (172.0.0.1) from 172.0.10.252: 56 data bytes, press CTRL_C to break
56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=1.000 ms

--- Ping statistics for 172.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms
[S1]%Nov 19 14:52:47:811 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms.

[S1]ping -a 172.0.20.252 172.0.0.1
Ping 172.0.0.1 (172.0.0.1) from 172.0.20.252: 56 data bytes, press CTRL_C to break
56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=2.000 ms

--- Ping statistics for 172.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms
[S1]%Nov 19 14:52:57:002 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms.

PC10 PING PC12

[PC10]ping -a 192.0.10.1 192.0.0.1
Ping 192.0.0.1 (192.0.0.1) from 192.0.10.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.0.0.1: icmp_seq=0 ttl=251 time=3.000 ms
56 bytes from 192.0.0.1: icmp_seq=1 ttl=251 time=2.000 ms
56 bytes from 192.0.0.1: icmp_seq=2 ttl=251 time=2.000 ms
56 bytes from 192.0.0.1: icmp_seq=3 ttl=251 time=3.000 ms
56 bytes from 192.0.0.1: icmp_seq=4 ttl=251 time=2.000 ms

--- Ping statistics for 192.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms
[H3C]%Nov 19 14:51:05:349 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms.

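Extension

In this lab, if you ping the other VPN subnets from PC11 and PC12, you will find that the ping fails. This is because the firewall policy does not permit the traffic. The exam does not require it; this is only an extension.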

[PC11]ping 172.0.10.252
Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 172.0.10.252 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Nov 19 14:54:26:179 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

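Permit the zones on the firewall as shown below, then test again and the ping succeeds. Note that this edits rule 0 itself, so the rule now matches both zone directions and every address in server1, including the added 172.0.10.0/24 subnet.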

[FW1]security-policy ip 
[FW1-security-policy-ip]rule 0 
[FW1-security-policy-ip-0-ap1]source-zone trust
[FW1-security-policy-ip-0-ap1]destination-zone untrust
[FW1-security-policy-ip-0-ap1]quit
[FW1-security-policy-ip]quit
[FW1]object-group ip address server1
[FW1-obj-grp-ip-server1]network subnet 172.0.10.0 24

[PC11]ping 172.0.10.252
Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break
56 bytes from 172.0.10.252: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=1 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=3 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=4 ttl=252 time=2.000 ms

--- Ping statistics for 172.0.10.252 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms
[H3C]%Nov 19 15:08:04:765 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms.

FW2 works the same way, so it is not shown here.

Comments (1)

  1. 网友小宋

    Go sell the better tutorials on Douyin! Last time I spent a few yuan on a tutorial, and when I opened the video it was strictly beginner level.