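2021 H3C Cup Competition Exam
I. Lab topology
II. Requirements
This network simulates a large enterprise network. BGP/MPLS VPN is used to isolate the different VPNs, and firewalls provide attack protection and access policy.
Candidates must configure the devices in HCL according to the following requirements.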
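PPP configuration
The link between router R1 and router R3 is a WAN link, connected using PPP.
The specific PPP requirements are as follows:
- Use CHAP, with one-way authentication;
- R1 is the authenticator and R2 is the authenticated party;
- Configure local AAA authentication on R1; the username and password are both 123456.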
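Virtual LANs
To reduce broadcasts, VLANs must be planned and configured. The specific requirements are as follows:
- The configuration must be reasonable; no unnecessary traffic may pass over the links.
- The physical ports interconnecting the switches and routers are connected directly in Layer 3 mode.
- The interconnecting ports between the switches (S1, S2, L2SW) use the Trunk link type.
Based on the information above and Table 1-1, complete the VLAN configuration and port assignment on the switches.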
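Link aggregation
Configure link aggregation on switches S1 and S2, using a Layer 2 static link aggregation group with group number 1; aggregate the links on interfaces G0/23 and G0/24.
MSTP deployment
Configure MSTP on switches S1, S2 and L2SW to prevent Layer 2 loops; the required parameters are as follows:
- The STP region-name is 2021;
- Other requirements are given in the table below:
IPv4 address deployment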
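VRRP deployment
Configure VRRP on switches S1 and S2 to improve reliability; the required parameters are as follows:
- S1 is the master gateway for hosts in VLAN 10 and S2 is the master gateway for hosts in VLAN 20, each backing up the other;
- The VRRP master priority is 150 and the backup priority is 110.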
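IPv4 IGP route deployment
Use OSPF and static routes for connectivity. The specific requirements are as follows:
- R1, R2 and R3 run OSPF with each other; OSPF process ID 1, area 0; the Router ID is the router's own Loopback address;
- R1 runs OSPF with S1 and S2; OSPF process ID 10, area 0; the Router ID is the router's own Loopback address;
- OSPF on S1 and S2 must not send protocol packets into the service subnets;
- Both OSPF and static routes must advertise specific subnets (OSPF must use an exact wildcard-mask match); advertising a default route is not allowed;
- For ease of management, OSPF must advertise the Loopback addresses; R1 must advertise its Loopback address in OSPF process 1.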
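BGP/MPLS VPN deployment
BGP runs among the routers (R1, R2, R3) and between R2 and R4. The specific requirements are as follows:
- R2 and R4 run EBGP; R2 belongs to AS 100 and R4 belongs to AS 300;
- R1, R2 and R3 run IBGP, all in AS 100, using their Loopback addresses as the source address for the peering;
- BGP routes are generated with the network command; bringing IGP routes in with the import command is not allowed.
- R3 uses static VPN routes towards FW1 and FW2, configured with specific subnets (default routes are not allowed).
Configure two VPNs; hosts within the same VPN must be able to reach each other, and hosts in different VPNs must not. The parameter requirements are as follows:
- The MPLS lsr-id uses the Loopback address, and LDP is used for label distribution.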
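Firewall deployment
Configure security zones and security policies on FW1 and FW2. The specific requirements are as follows:
- On FW1 and FW2, the interfaces connected to the servers are in the Trust security zone, and the interfaces connected to R3 are in the Untrust security zone;
- On FW1, configure address object group server1 with host address 172.0.0.1/32; configure security policy ap1, rule rule0, allowing clients in the Untrust zone to send any IP traffic to the Trust zone when the destination address is address object server1;
- On FW2, configure address object group server2 with host address 192.0.0.1/32; configure security policy ap1, rule rule0, allowing clients in the Untrust zone to send any IP traffic to the Trust zone when the destination address is address object server2;
Apply the default IPS policy on FW1 and FW2 so that user data packets are protected by IPS. The specific requirements are as follows:
- Configure a DPI application profile named sec, apply the default IPS policy default, and set the IPS policy mode to protect;
- Reference sec in security policy ap1;
Configure attack defense policies on FW1 and FW2. The specific requirements are as follows:
- On FW1, configure attack defense policy ad1 with SYN flood attack defense for the Server1 address, a threshold of 2000, and the action set to drop and output an alarm log; apply attack defense policy ad1 to security zone Untrust.
- On FW2, configure attack defense policy ad1 with SYN flood attack defense for the Server2 address, a threshold of 2000, and the action set to drop and output an alarm log; apply attack defense policy ad1 to security zone Untrust.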
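IPv6 deployment
Configure IPv6 on switches S1 and S2. Use OSPFv3, process ID 1, area 0; the Router ID is the same as the OSPF Router ID. The IPv6 addresses are listed in the table below:
Device and network management deployment
Configure host names for the network devices according to Table 1-5.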
III. Lab steps
(1) Configure IP addresses
If the interfaces in your topology match mine, you can copy the commands below directly.
R1
sysname R1
interface gig 0/0
ip a 10.0.0.1 30
interface gig 0/1
ip a 10.0.0.5 30
interface gig 0/2
ip a 100.0.0.1 30
interface serial 1/0
ip a 100.0.0.10 30
interface loopback 0
ip a 9.9.9.1 32
R2
sysname R2
interface gig 0/0
ip a 100.0.0.2 30
interface gig 0/1
ip a 100.0.0.5 30
interface gig 0/2
ip a 10.0.0.9 30
interface l 0
ip a 9.9.9.2 32
R3
sysname R3
interface gig 0/0
ip a 100.0.0.6 30
interface gig 0/1
ip a 10.0.0.13 30
interface gig 0/2
ip a 10.0.0.17 30
interface serial 1/0
ip a 100.0.0.9 30
interface loopback 0
ip a 9.9.9.3 32
R4
sysname R4
interface gi 0/0
ip a 10.0.0.10 30
interface gig 0/1
ip a 192.0.10.254 24
interface l 0
ip a 9.9.9.105 32
S1
sysname S1
interface gig 1/0/1
port link-mode route
ip a 10.0.0.2 30
quit
vlan 10
vlan 20
interface vlan 10
ip a 172.0.10.252 24
interface vlan 20
ip a 172.0.20.252 24
interface l 0
ip a 9.9.9.101 32
S2
sysname S2
interface gig 1/0/1
port link-mode route
ip a 10.0.0.6 30
quit
vlan 10
vlan 20
interface vlan 10
ip a 172.0.10.253 24
interface vlan 20
ip a 172.0.20.253 24
interface l 0
ip a 9.9.9.102 32
FW1
sysname FW1
interface gig 1/0/1
ip a 10.0.0.14 30
interface gig 1/0/0
ip a 172.0.0.254 24
interface l 0
ip a 9.9.9.201 32
FW2
sysname FW2
interface gig 1/0/1
ip a 10.0.0.18 30
interface gig 1/0/0
ip a 192.0.0.254 24
(2) PPP configuration
R1
[R1]local-user 123456 class network
New local user added.
[R1-luser-network-123456]password simple 123456
[R1-luser-network-123456]service-type ppp
[R1-luser-network-123456]interface serial 1/0
[R1-Serial1/0]ppp aut chap
R2
[R2]interface serial 1/0
[R2-Serial1/0]ppp chap user 123456
[R2-Serial1/0]ppp chap password simple 123456
[R2-Serial1/0]
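The one-way CHAP exchange configured above, as an added Python example that is not part of the original write-up: the authenticator (R1) issues a challenge, the peer answers with MD5(Identifier || secret || Challenge) as defined in RFC 1994, and R1 recomputes the value from its local user entry. The function names and the mistyped secret in the demo are constructed for illustration.

```python
import hashlib
import hmac
import os

# Local user database on the authenticator (R1), mirroring
# "local-user 123456 class network" / "password simple 123456".
R1_LOCAL_USERS = {"123456": b"123456"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(users, name, identifier, challenge, response) -> bool:
    """R1 side: recompute the hash from the stored secret and compare."""
    secret = users.get(name)
    if secret is None:          # unknown user name: Failure
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def one_way_chap(peer_name: str, peer_secret: bytes, users=R1_LOCAL_USERS) -> bool:
    """Run one Challenge / Response / Success-or-Failure round.

    Only the peer proves knowledge of the secret; the authenticator never
    authenticates itself, which is what "one-way" means in the requirement.
    """
    identifier = os.urandom(1)[0]   # changes with every challenge
    challenge = os.urandom(16)      # unpredictable, so an old response cannot be replayed
    response = chap_response(identifier, peer_secret, challenge)  # peer side
    return authenticator_verify(users, peer_name, identifier, challenge, response)


if __name__ == "__main__":
    print("matching secret :", one_way_chap("123456", b"123456"))
    print("mistyped secret :", one_way_chap("123456", b"1233456"))  # constructed typo
    print("unknown user    :", one_way_chap("r2", b"123456"))
```

The secret itself never crosses the link, so a single extra digit on the peer side produces a different hash and the link stays down at the authentication phase.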
(3) Link aggregation
S1
[S1]interface bridge 1
[S1-Bridge-Aggregation1]quit
[S1]interface range gig 1/0/23 gig 1/0/24
[S1-if-range]port link-aggregation group 1
S2
[S2]interface bridge 1
[S2-Bridge-Aggregation1]quit
[S2]interface range gig 1/0/23 gig 1/0/24
[S2-if-range]port link-aggregation group 1
(4) VLAN assignment
S1
[S1]interface range bridge 1 gig 1/0/3
[S1-if-range]port link-type trunk
Configuring GigabitEthernet1/0/23 done.
Configuring GigabitEthernet1/0/24 done.
[S1-if-range]port trunk permit vlan 10 20
S2
[S2]interface range bridge 1 gig 1/0/3
[S2-if-range]port link-type trunk
Configuring GigabitEthernet1/0/23 done.
Configuring GigabitEthernet1/0/24 done.
[S2-if-range]port trunk permit vlan 10 20
L2SW
[L2SW]vlan 10
[L2SW-vlan10]port gig 1/0/1 to gig 1/0/4
[L2SW-vlan10]vlan 20
[L2SW-vlan20]port gig 1/0/5 to gig 1/0/8
[L2SW-vlan20]interface range gig 1/0/23 gig 1/0/24
[L2SW-if-range]port link-type trunk
[L2SW-if-range]port trunk permit vlan 10 20
(5) Configure MSTP
S1, S2, L2SW
stp reg
reg 2021
instance 1 vlan 10
instance 2 vlan 20
ac reg
S1
[S1]stp instance 1 root pri
[S1]stp instance 2 root sec
S2
[S2]stp instance 1 root sec
[S2]stp instance 2 root pri
(6) Configure VRRP
S1
[S1]interface vlan 10
[S1-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254
[S1-Vlan-interface10]vrrp vrid 10 pri 150
[S1-Vlan-interface10]interface vlan 20
[S1-Vlan-interface20]vrrp vrid 20 pri 110
[S1-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254
S2
[S2]interface vlan 10
[S2-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254
[S2-Vlan-interface10]vrrp vrid 10 pri 110
[S2-Vlan-interface10]interface vlan 20
[S2-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254
[S2-Vlan-interface20]vrrp vrid 20 pri 150
(7) Configure IPv4 IGP routing
R1
[R1]ospf 1 router-id 9.9.9.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 9.9.9.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 100.0.0.10 0.0.0.3
R2
[R2]ospf 1 router-id 9.9.9.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 9.9.9.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3
[R2-ospf-1-area-0.0.0.0]network 100.0.0.5 0.0.0.3
R3
[R3]ospf 1 router-id 9.9.9.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 9.9.9.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 100.0.0.6 0.0.0.3
[R3-ospf-1-area-0.0.0.0]network 100.0.0.9 0.0.0.3
R1
[R1]ip vpn-instance vpn1
[R1-vpn-instance-vpn1]route-distinguisher 100:1
[R1-vpn-instance-vpn1]vpn-target 100:1 both
[R1-vpn-instance-vpn1]quit
[R1]interface gig 0/0
[R1-GigabitEthernet0/0]ip binding vpn-instance vpn1
Some configurations on the interface are removed.
[R1-GigabitEthernet0/0] ip address 10.0.0.1 255.255.255.252
[R1-GigabitEthernet0/0]quit
[R1]interface gig 0/1
[R1-GigabitEthernet0/1]ip bind vpn vpn1
Some configurations on the interface are removed.
[R1-GigabitEthernet0/1] ip address 10.0.0.5 255.255.255.252
[R1]ospf 10 router-id 9.9.9.1 vpn-instance vpn1
[R1-ospf-10]area 0
[R1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3
[R1-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3
S1
[S1]ospf 10 router-id 9.9.9.101
[S1-ospf-10]silent-interface vlan 10
[S1-ospf-10]silent-interface vlan 20
[S1-ospf-10]area 0
[S1-ospf-10-area-0.0.0.0]network 9.9.9.101 0.0.0.0
[S1-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255
[S1-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255
[S1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3
S2
[S2]ospf 10 router-id 9.9.9.102
[S2-ospf-10]silent-interface vlan 10
[S2-ospf-10]silent-interface vlan 20
[S2-ospf-10]area 0
[S2-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3
[S2-ospf-10-area-0.0.0.0]network 9.9.9.102 0.0.0.0
[S2-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255
[S2-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255
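An added example (not from the original write-up) that checks the "exact wildcard-mask match" requirement: every OSPF network statement has to select exactly the subnet of one interface on the device. The interface addresses are R1's vpn1 interfaces from the IP address section; the statement list is constructed and includes a transposed address, an over-broad wildcard and a non-contiguous wildcard to show what the check catches.

```python
import ipaddress


def statement_to_network(address, wildcard):
    """Turn 'network <address> <wildcard>' into the prefix it selects."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is always 2**n - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=False: the page sometimes writes the interface address, not the network address
    return ipaddress.IPv4Network((address, 32 - wc.bit_length()), strict=False)


def check_statements(interfaces, statements):
    """Classify each (address, wildcard) statement against the interface subnets."""
    subnets = {ipaddress.ip_interface(i).network for i in interfaces}
    results = []
    for address, wildcard in statements:
        try:
            net = statement_to_network(address, wildcard)
        except ValueError as exc:
            verdict = f"invalid: {exc}"
        else:
            if net in subnets:
                verdict = "exact"
            elif any(s.subnet_of(net) for s in subnets):
                verdict = "too broad"
            else:
                verdict = "matches no interface"
        results.append((f"network {address} {wildcard}", verdict))
    return results


# R1 interfaces bound to vpn1 (GigabitEthernet0/0 and 0/1).
R1_VPN1_INTERFACES = ["10.0.0.1/30", "10.0.0.5/30"]

# Constructed statements for OSPF process 10 on R1.
SAMPLE_STATEMENTS = [
    ("10.0.0.0", "0.0.0.3"),   # exact match for 10.0.0.1/30
    ("10.0.4.0", "0.0.0.3"),   # transposed octets: selects nothing on R1
    ("10.0.0.4", "0.0.0.3"),   # exact match for 10.0.0.5/30
    ("10.0.0.0", "0.0.0.7"),   # covers both /30 links, violates the requirement
    ("10.0.0.0", "0.0.0.5"),   # non-contiguous, rejected by this check
]

if __name__ == "__main__":
    for statement, verdict in check_statements(R1_VPN1_INTERFACES, SAMPLE_STATEMENTS):
        print(f"{statement:28} {verdict}")
```

A statement that matches no interface is accepted silently by the device and simply leaves that link out of OSPF, so this kind of offline check is the quickest way to spot it.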
(8) Firewall configuration
FW1
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface gig 1/0/0
[FW1-security-zone-Trust]quit
[FW1]security-zone name untrust
[FW1-security-zone-Untrust]import interface gig 1/0/1
[FW1-security-zone-Untrust]quit
[FW1]object-group ip address server1
[FW1-obj-grp-ip-server1]network host address 172.0.0.1
[FW1-obj-grp-ip-server1]quit
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0 name ap1
[FW1-security-policy-ip-0-ap1]source-zone untrust
[FW1-security-policy-ip-0-ap1]destination-zone trust
[FW1-security-policy-ip-0-ap1]destination-ip server1
[FW1-security-policy-ip-0-ap1]action pass
[FW1-security-policy-ip-0-ap1]quit
[FW1-security-policy-ip]quit
[FW1]app-profile sec
[FW1-app-profile-sec]ips apply policy default mode protect
[FW1-app-profile-sec]quit
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0
[FW1-security-policy-ip-0-ap1]profile sec
[FW1-security-policy-ip-0-ap1]quit
[FW1-security-policy-ip]quit
[FW1]attack-defense policy ad1
[FW1-attack-defense-policy-ad1]syn-flood threshold 2000
[FW1-attack-defense-policy-ad1]syn-flood action logging drop
[FW1-attack-defense-policy-ad1]syn-flood detect ip 172.0.0.1
[FW1-attack-defense-policy-ad1]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]attack-defense apply policy ad1
FW2
[FW2]security-zone name trust
[FW2-security-zone-Trust]import interface gig 1/0/0
[FW2-security-zone-Trust]quit
[FW2]security-zone name untrust
[FW2-security-zone-Untrust]import interface gig 1/0/1
[FW2-security-zone-Untrust]quit
[FW2]object-group ip address server2
[FW2-obj-grp-ip-server2]network host address 192.0.0.1
[FW2-obj-grp-ip-server2]quit
[FW2]security-policy ip
[FW2-security-policy-ip]rule 0 name ap1
[FW2-security-policy-ip-0-ap1]source-zone untrust
[FW2-security-policy-ip-0-ap1]destination-zone trust
[FW2-security-policy-ip-0-ap1]destination-ip server2
[FW2-security-policy-ip-0-ap1]action pass
[FW2-security-policy-ip-0-ap1]quit
[FW2-security-policy-ip]quit
[FW2]app-profile sec
[FW2-app-profile-sec]ips apply policy default mode protect
[FW2-app-profile-sec]quit
[FW2]security-policy ip
[FW2-security-policy-ip]rule 0
[FW2-security-policy-ip-0-ap1]profile sec
[FW2-security-policy-ip-0-ap1]quit
[FW2-security-policy-ip]quit
[FW2]attack-defense policy ad1
[FW2-attack-defense-policy-ad1]syn-flood threshold 2000
[FW2-attack-defense-policy-ad1]syn-flood detect ip 192.0.0.1
[FW2-attack-defense-policy-ad1]syn-flood action logging drop
[FW2-attack-defense-policy-ad1]quit
[FW2]security-zone name untrust
[FW2-security-zone-Untrust]attack-defense apply policy ad1
(9) IPv6 deployment
S1
[S1]interface vlan 10
[S1-Vlan-interface10]ipv6 address 172:10::254 64
[S1-Vlan-interface10]interface vlan 20
[S1-Vlan-interface20]ipv6 address 172:20::254 64
[S1-Vlan-interface20]ipv6 address 172:20::253 64
[S1-Vlan-interface20]undo ipv6 address 172:20::254 64
[S1-Vlan-interface20]interface loopback 0
[S1-LoopBack0]ipv6 address 9::101 128
[S1-LoopBack0]quit
[S1]ospfv3 1
[S1-ospfv3-1]router-id 9.9.9.101
[S1-ospfv3-1]interface range vlan 10 vlan 20
[S1-if-range]ospfv3 1 area 0
S2
[S2]interface vlan 10
[S2-Vlan-interface10]ipv6 address 172:10::253 64
[S2-Vlan-interface10]interface vlan 20
[S2-Vlan-interface20]ipv6 address 172:20::254 64
[S2-Vlan-interface20]interface loopback 0
[S2-LoopBack0]ipv6 address 9::102 128
[S2-LoopBack0]quit
[S2]ospfv3 1
[S2-ospfv3-1]router-id 9.9.9.102
[S2-ospfv3-1]interface range vlan 10 vlan 20
[S2-if-range]ospfv3 1 area 0
(10) Configure BGP/MPLS VPN
R4
[R4]bgp 300
[R4-bgp-default]peer 10.0.0.9 as-number 100
[R4-bgp-default]address-family ipv4
[R4-bgp-default-ipv4]peer 10.0.0.9 enable
[R4-bgp-default-ipv4]network 192.0.10.0 24
R2
[R2]ip vpn-instance vpn2
[R2-vpn-instance-vpn2]route-distinguisher 100:1
[R2-vpn-instance-vpn2]vpn-target 200:1 both
[R2-vpn-instance-vpn2]quit
[R2]interface gig 0/2
[R2-GigabitEthernet0/2]ip binding vpn-instance vpn2
Some configurations on the interface are removed.
[R2-GigabitEthernet0/2] ip address 10.0.0.9 255.255.255.252
[R2-GigabitEthernet0/2]quit
[R2]bgp 100
[R2-bgp-default]ip vpn-instance vpn2
[R2-bgp-default-vpn2]peer 10.0.0.10 as-number 300
[R2-bgp-default-vpn2]address-family ipv4
[R2-bgp-default-ipv4-vpn2]peer 10.0.0.10 enable
[R2]mpls ldp
[R2-ldp]lsr-id 9.9.9.2
[R2-ldp]interface range gig 0/0 gig 0/1
[R2-if-range]mpls enable
[R2-if-range]mpls ldp enable
[R2-if-range]quit
[R2]bgp 100
[R2-bgp-default]group in
[R2-bgp-default]peer 9.9.9.1 group in
[R2-bgp-default]peer 9.9.9.3 group in
[R2-bgp-default]peer in con loopback 0
[R2-bgp-default]address-family vpnv4
[R2-bgp-default-vpnv4]peer in enable
R1
[R1]mpls ldp
[R1-ldp]lsr-id 9.9.9.1
[R1-ldp]interface range gig 0/2 serial 1/0
[R1-if-range]mpls enable
[R1-if-range]mpls ldp enable
[R1]bgp 100
[R1-bgp-default]group in
[R1-bgp-default]peer 9.9.9.2 group in
[R1-bgp-default]peer 9.9.9.3 group in
[R1-bgp-default]peer in connect-interface loopback 0
[R1-bgp-default]address-family vpnv4
[R1-bgp-default-vpnv4]peer in enable
[R1]bgp 100
[R1-bgp-default]ip vpn-instance vpn1
[R1-bgp-default-vpn1]address-family ipv4
[R1-bgp-default-ipv4-vpn1]network 172.0.10.0 24
[R1-bgp-default-ipv4-vpn1]network 172.0.20.0 24
[R1-bgp-default-ipv4-vpn1]quit
[R1-bgp-default-vpn1]quit
[R1-bgp-default]quit
[R1]ospf 10
[R1-ospf-10]import bgp
R3
[R3]mpls ldp
[R3-ldp]lsr-id 9.9.9.3
[R3-ldp]interface range serial 1/0 gig 0/0
[R3-if-range]mpls enable
[R3-if-range]mpls ldp enable
[R3-if-range]quit
[R3]bgp 100
[R3-bgp-default]group in
[R3-bgp-default]peer 9.9.9.1 group in
[R3-bgp-default]peer 9.9.9.2 group in
[R3-bgp-default]peer in connect-interface loopback 0
[R3-bgp-default]address-family vpnv4
[R3-bgp-default-vpnv4]peer in enable
[R3]ip vpn-instance vpn1
[R3-vpn-instance-vpn1]route-distinguisher 100:1
[R3-vpn-instance-vpn1]vpn-target 100:1 both
[R3-vpn-instance-vpn1]quit
[R3]ip vpn-instance vpn2
[R3-vpn-instance-vpn2]route-distinguisher 200:1
[R3-vpn-instance-vpn2]vpn-target 200:1 both
[R3-vpn-instance-vpn2]quit
[R3]interface gig 0/1
[R3-GigabitEthernet0/1]ip binding vpn-instance vpn1
Some configurations on the interface are removed.
[R3-GigabitEthernet0/1] ip address 10.0.0.13 255.255.255.252
[R3-GigabitEthernet0/1]interface gig 0/2
[R3-GigabitEthernet0/2]ip binding vpn-instance vpn2
Some configurations on the interface are removed.
[R3-GigabitEthernet0/2]ip a 10.0.0.17 30
[R3-GigabitEthernet0/2]quit
[R3]ip route-static vpn-instance vpn1 172.0.0.0 24 10.0.0.14
[R3]ip route-static vpn-instance vpn2 192.0.0.0 24 10.0.0.18
[R3]bgp 100
[R3-bgp-default]ip vpn vpn1
[R3-bgp-default-vpn1]ad ipv4
[R3-bgp-default-ipv4-vpn1]network 172.0.0.0 24
[R3-bgp-default-ipv4-vpn1]quit
[R3-bgp-default-vpn1]quit
[R3-bgp-default]ip vpn vpn2
[R3-bgp-default-vpn2]ad ipv4
[R3-bgp-default-ipv4-vpn2]network 192.0.0.0 24
FW1
[FW1]ip route-static 172.0.10.0 24 10.0.0.13
[FW1]ip route-static 172.0.20.0 24 10.0.0.13
FW2
[FW2]ip route-static 192.0.10.0 24 10.0.0.17
Connectivity test
S1 PING PC11
[S1]ping -a 172.0.10.252 172.0.0.1
Ping 172.0.0.1 (172.0.0.1) from 172.0.10.252: 56 data bytes, press CTRL_C to break
56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=1.000 ms
--- Ping statistics for 172.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms
[S1]%Nov 19 14:52:47:811 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms.
[S1]ping -a 172.0.20.252 172.0.0.1
Ping 172.0.0.1 (172.0.0.1) from 172.0.20.252: 56 data bytes, press CTRL_C to break
56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=2.000 ms
--- Ping statistics for 172.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms
[S1]%Nov 19 14:52:57:002 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms.
PC10 PING PC12
[PC10]ping -a 192.0.10.1 192.0.0.1
Ping 192.0.0.1 (192.0.0.1) from 192.0.10.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.0.0.1: icmp_seq=0 ttl=251 time=3.000 ms
56 bytes from 192.0.0.1: icmp_seq=1 ttl=251 time=2.000 ms
56 bytes from 192.0.0.1: icmp_seq=2 ttl=251 time=2.000 ms
56 bytes from 192.0.0.1: icmp_seq=3 ttl=251 time=3.000 ms
56 bytes from 192.0.0.1: icmp_seq=4 ttl=251 time=2.000 ms
--- Ping statistics for 192.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms
[H3C]%Nov 19 14:51:05:349 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms.
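Extension
In this lab, if you ping the other VPN subnets from PC11 and PC12, you will find that the pings fail. This is because the firewall policy does not permit that traffic. The exam does not require it; this is just an extension.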
[PC11]ping 172.0.10.252
Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 172.0.10.252 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Nov 19 14:54:26:179 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
Permit the zones on the firewall as shown below, then test again and the ping succeeds.
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0
[FW1-security-policy-ip-0-ap1]source-zone trust
[FW1-security-policy-ip-0-ap1]destination-zone untrust
[FW1]object-group ip address server1
[FW1-obj-grp-ip-server1]network subnet 172.0.10.0 24
[PC11]ping 172.0.10.252
Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break
56 bytes from 172.0.10.252: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=1 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=3 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=4 ttl=252 time=2.000 ms
--- Ping statistics for 172.0.10.252 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms
[H3C]%Nov 19 15:08:04:765 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms.
FW2 works the same way, so it is not demonstrated here.
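An added model of the extension above (Python, not part of the original write-up), comparing rule 0 as the exam requires it, rule 0 after the extra zones and subnet are added to it, and an alternative that leaves rule 0 alone and adds a second rule. It assumes the usual zone-policy matching model in which criteria of the same type are ORed and different types are ANDed, and that repeating `source-zone` / `destination-zone` in a rule adds to the existing set; the rule name `out1` is hypothetical.

```python
import ipaddress
from itertools import product


class Rule:
    def __init__(self, name, src_zones, dst_zones, dst_nets):
        self.name = name
        self.src_zones = set(src_zones)
        self.dst_zones = set(dst_zones)
        self.dst_nets = [ipaddress.ip_network(n) for n in dst_nets]

    def matches(self, src_zone, dst_zone, dst_ip):
        # Assumed semantics: OR within one criterion type, AND across types.
        return (src_zone in self.src_zones
                and dst_zone in self.dst_zones
                and any(ipaddress.ip_address(dst_ip) in n for n in self.dst_nets))


def permitted(policy, src_zone, dst_zone, dst_ip):
    """Any matching pass rule lets the flow through; no match is the default deny."""
    return any(r.matches(src_zone, dst_zone, dst_ip) for r in policy)


def permitted_flows(policy, probes):
    """Every (src_zone, dst_zone, dst_ip) combination the policy lets through."""
    zones = ("Trust", "Untrust")
    return {(s, d, ip) for s, d, ip in product(zones, zones, probes)
            if permitted(policy, s, d, ip)}


SERVER1, S1_VLAN10 = "172.0.0.1", "172.0.10.252"

# Rule 0 as required by the exam.
ORIGINAL = [Rule("ap1", ["Untrust"], ["Trust"], ["172.0.0.1/32"])]
# Rule 0 after the extension: zones and the subnet are added to the same rule.
WIDENED = [Rule("ap1", ["Untrust", "Trust"], ["Trust", "Untrust"],
                ["172.0.0.1/32", "172.0.10.0/24"])]
# Alternative: keep rule 0 as it is and add a second, outbound-only rule.
SPLIT = ORIGINAL + [Rule("out1", ["Trust"], ["Untrust"], ["172.0.10.0/24"])]

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("widened", WIDENED), ("split", SPLIT)):
        print(label, sorted(permitted_flows(policy, [SERVER1, S1_VLAN10])))
```

In this model the widened rule passes all eight probed zone and address combinations, while the split policy passes only the inbound flow to server1 and the outbound flow to 172.0.10.0/24 that the ping test needs.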