Found 3 posts matching "网络" (network)
2022-12-03
2021 H3C Cup Competition Exam Questions
I. Lab topology

II. Requirements

This network simulates a large enterprise network. BGP/MPLS VPN is used to isolate the different VPNs, and firewalls provide attack prevention and access policy. Candidates configure the devices in HCL according to the requirements below.

PPP configuration

The link between router R1 and router R3 is a WAN link connected with PPP. The PPP requirements are:
- Use CHAP with one-way authentication: R1 is the authenticator and R2 is the authenticated party.
- Configure local AAA authentication on R1; the username and password are both 123456.

VLANs

To reduce broadcasts, VLANs must be planned and configured. The requirements are:
- The configuration must be sensible; no unnecessary traffic may pass over any link.
- The physical ports interconnecting switches and routers use Layer 3 mode directly.
- The ports interconnecting the switches (S1, S2, L2SW) are Trunk ports.
- Using the information above and Table 1-1, complete the VLAN configuration and port assignment on the switches.

Link aggregation

Configure link aggregation on switches S1 and S2 using a Layer 2 static aggregation group with group number 1; aggregate the links on interfaces G0/23 and G0/24.

MSTP deployment

Configure MSTP on switches S1, S2 and L2SW to prevent Layer 2 loops. The required parameters are:
- The STP region-name is 2021.
- Other requirements are given in the table below:

IPv4 address deployment

VRRP deployment

Configure VRRP on switches S1 and S2 to improve reliability. The required parameters are:
- S1 is the master gateway for hosts in VLAN10, S2 is the master gateway for hosts in VLAN20, and each backs up the other.
- The VRRP master priority is 150 and the backup priority is 110.

IPv4 IGP routing deployment

Use OSPF and static routes for connectivity. The requirements are:
- R1, R2 and R3 run OSPF; the OSPF process ID is 1, area 0; the Router ID is the router's Loopback address.
- R1 runs OSPF with S1 and S2; the OSPF process ID is 10, area 0; the Router ID is the router's Loopback address.
- OSPF on S1 and S2 must not send protocol packets into the service segments.
- OSPF and static routes must advertise specific segments (OSPF must match with an exact wildcard mask); advertising a default route is not allowed.
- For ease of management, OSPF must advertise the Loopback addresses; R1 must advertise its Loopback in OSPF process 1.

BGP/MPLS VPN deployment

BGP runs between the routers (R1, R2, R3) and between R2 and R4. The requirements are:
- R2 and R4 run EBGP; R2 belongs to AS100 and R4 belongs to AS300.
- R1, R2 and R3 run IBGP, all in AS100, using the Loopback address as the source address of the peering.
- BGP routes are generated with the network command; importing IGP routes with the import command is not allowed.
- Static VPN routes are used between R3 and FW1, FW2, configured with specific segments (a default route is not allowed).
- Configure two VPNs; hosts in the same VPN can reach each other, and hosts in different VPNs cannot. The required parameters are as follows:
- The MPLS lsr-id uses the Loopback address, and LDP is used for label distribution.

Firewall deployment

Configure security zones and security policies on FW1 and FW2. The requirements are:
- On FW1 and FW2, the interface facing the server is in the Trust security zone and the interface facing R3 is in the Untrust security zone.
- On FW1, configure address object group server1 and define its host address as 172.0.0.1/32; configure security policy ap1, rule 0, allowing clients in the Untrust zone to access all IP traffic in the Trust zone whose destination address is address object server1.
- On FW2, configure address object group server2 and define its host address as 192.0.0.1/32; configure security policy ap1, rule 0, allowing clients in the Untrust zone to access all IP traffic in the Trust zone whose destination address is address object server2.

Apply the default IPS policy on FW1 and FW2 to provide IPS protection for user data packets. The requirements are:
- Configure a DPI application profile named sec, apply the default IPS policy default, and set the IPS policy mode to protect.
- Reference sec in security policy ap1.

Configure attack defense policies on FW1 and FW2. The requirements are:
- On FW1, configure attack defense policy ad1 with SYN flood protection for the Server1 address, a threshold of 2000, and an action of drop with alarm logging; apply attack defense policy ad1 on security zone Untrust.
- On FW2, configure attack defense policy ad1 with SYN flood protection for the Server2 address, a threshold of 2000, and an action of drop with alarm logging; apply attack defense policy ad1 on security zone Untrust.

IPv6 deployment

Configure IPv6 on switches S1 and S2. Use OSPFv3 with process ID 1 and area 0; the Router ID is the same as the OSPF Router ID. The IPv6 addresses are shown in the table below:

Device and network management deployment

Configure the host names of the network devices according to Table 1-5.

III. Lab steps

(1) Configure IP addresses

If the interfaces in your topology match mine, you can copy the commands below directly.

R1
```
sysname R1
interface gig 0/0
ip a 10.0.0.1 30
interface gig 0/1
ip a 10.0.0.5 30
interface gig 0/2
ip a 100.0.0.1 30
interface serial 1/0
ip a 100.0.0.10 30
interface loopback 0
ip a 9.9.9.1 32
```

R2
```
sysname R2
interface gig 0/0
ip a 100.0.0.2 30
interface gig 0/1
ip a 100.0.0.5 30
interface gig 0/2
ip a 10.0.0.9 30
interface l 0
ip a 9.9.9.2 32
```

R3
```
sysname R3
interface gig 0/0
ip a 100.0.0.6 30
interface gig 0/1
ip a 10.0.0.13 30
interface gig 0/2
ip a 10.0.0.17 30
interface serial 1/0
ip a 100.0.0.9 30
interface loopback 0
ip a 9.9.9.3 32
```

R4
```
sysname R4
interface gi 0/0
ip a 10.0.0.10 30
interface gig 0/1
ip a 192.0.10.254 24
interface l 0
ip a 9.9.9.105 32
```

S1
```
sysname S1
interface gig 1/0/1
port link-mode route
ip a 10.0.0.2 30
quit
vlan 10
vlan 20
interface vlan 10
ip a 172.0.10.252 24
interface vlan 20
ip a 172.0.20.252 24
interface l 0
ip a 9.9.9.101 32
```

S2
```
sysname S2
interface gig 1/0/1
port link-mode route
ip a 10.0.0.6 30
quit
vlan 10
vlan 20
interface vlan 10
ip a 172.0.10.253 24
interface vlan 20
ip a 172.0.20.253 24
interface l 0
ip a 9.9.9.102 32
```

FW1
```
sysname FW1
interface gig 1/0/1
ip a 10.0.0.14 30
interface gig 1/0/0
ip a 172.0.0.254 24
interface l 0
ip a 9.9.9.201 32
```

FW2
```
sysname FW2
interface gig 1/0/1
ip a 10.0.0.18 30
interface gig 1/0/0
ip a 192.0.0.254 24
```

(2) PPP configuration

R1
```
[R1]local-user 123456 class network
New local user added.
[R1-luser-network-123456]password simple 123456
[R1-luser-network-123456]service-type ppp
[R1-luser-network-123456]interface serial 1/0
[R1-Serial1/0]ppp aut chap
```

R2
```
[R2]interface serial 1/0
[R2-Serial1/0]ppp chap user 123456
[R2-Serial1/0]ppp chap password simple 123456
```

(3) Link aggregation

S1
```
[S1]interface bridge 1
[S1-Bridge-Aggregation1]quit
[S1]interface range gig 1/0/23 gig 1/0/24
[S1-if-range]port link-aggregation group 1
```

S2
```
[S2]interface bridge 1
[S2-Bridge-Aggregation1]quit
[S2]interface range gig 1/0/23 gig 1/0/24
[S2-if-range]port link-aggregation group 1
```

(4) VLAN assignment

S1
```
[S1]interface range bridge 1 gig 1/0/3
[S1-if-range]port link-type trunk
Configuring GigabitEthernet1/0/23 done.
Configuring GigabitEthernet1/0/24 done.
[S1-if-range]port trunk permit vlan 10 20
```

S2
```
[S2]interface range bridge 1 gig 1/0/3
[S2-if-range]port link-type trunk
Configuring GigabitEthernet1/0/23 done.
Configuring GigabitEthernet1/0/24 done.
[S2-if-range]port trunk permit vlan 10 20
```

L2SW
```
[L2SW]vlan 10
[L2SW-vlan10]port gig 1/0/1 to gig 1/0/4
[L2SW-vlan10]vlan 20
[L2SW-vlan20]port gig 1/0/5 to gig 1/0/8
[L2SW-vlan20]interface range gig 1/0/23 gig 1/0/24
[L2SW-if-range]port link-type trunk
[L2SW-if-range]port trunk permit vlan 10 20
```

(5) Configure MSTP

S1, S2, L2SW
```
stp region-configuration
region-name 2021
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
```

S1
```
[S1]stp instance 1 root primary
[S1]stp instance 2 root secondary
```

S2
```
[S2]stp instance 1 root secondary
[S2]stp instance 2 root primary
```

(6) Configure VRRP

S1
```
[S1]interface vlan 10
[S1-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254
[S1-Vlan-interface10]vrrp vrid 10 pri 150
[S1-Vlan-interface10]interface vlan 20
[S1-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254
[S1-Vlan-interface20]vrrp vrid 20 pri 110
```

S2
```
[S2]interface vlan 10
[S2-Vlan-interface10]vrrp vrid 10 vir 172.0.10.254
[S2-Vlan-interface10]vrrp vrid 10 pri 110
[S2-Vlan-interface10]interface vlan 20
[S2-Vlan-interface20]vrrp vrid 20 vir 172.0.20.254
[S2-Vlan-interface20]vrrp vrid 20 pri 150
```

(7) Configure IPv4 IGP routing

R1
```
[R1]ospf 1 router-id 9.9.9.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 9.9.9.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 100.0.0.10 0.0.0.3
```

R2
```
[R2]ospf 1 router-id 9.9.9.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 9.9.9.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3
[R2-ospf-1-area-0.0.0.0]network 100.0.0.5 0.0.0.3
```

R3
```
[R3]ospf 1 router-id 9.9.9.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 9.9.9.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 100.0.0.6 0.0.0.3
[R3-ospf-1-area-0.0.0.0]network 100.0.0.9 0.0.0.3
```

R1
```
[R1]ip vpn-instance vpn1
[R1-vpn-instance-vpn1]route-distinguisher 100:1
[R1-vpn-instance-vpn1]vpn-target 100:1 both
[R1-vpn-instance-vpn1]quit
[R1]interface gig 0/0
[R1-GigabitEthernet0/0]ip binding vpn-instance vpn1
Some configurations on the interface are removed.
[R1-GigabitEthernet0/0]ip address 10.0.0.1 255.255.255.252
[R1-GigabitEthernet0/0]quit
[R1]interface gig 0/1
[R1-GigabitEthernet0/1]ip bind vpn vpn1
Some configurations on the interface are removed.
[R1-GigabitEthernet0/1]ip address 10.0.0.5 255.255.255.252
[R1]ospf 10 router-id 9.9.9.1 vpn-instance vpn1
[R1-ospf-10]area 0
[R1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3
[R1-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3
```

S1
```
[S1]ospf 10 router-id 9.9.9.101
[S1-ospf-10]silent-interface vlan 10
[S1-ospf-10]silent-interface vlan 20
[S1-ospf-10]area 0
[S1-ospf-10-area-0.0.0.0]network 9.9.9.101 0.0.0.0
[S1-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255
[S1-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255
[S1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3
```

S2
```
[S2]ospf 10 router-id 9.9.9.102
[S2-ospf-10]silent-interface vlan 10
[S2-ospf-10]silent-interface vlan 20
[S2-ospf-10]area 0
[S2-ospf-10-area-0.0.0.0]network 10.0.0.4 0.0.0.3
[S2-ospf-10-area-0.0.0.0]network 9.9.9.102 0.0.0.0
[S2-ospf-10-area-0.0.0.0]network 172.0.10.0 0.0.0.255
[S2-ospf-10-area-0.0.0.0]network 172.0.20.0 0.0.0.255
```

(8) Firewall configuration

FW1
```
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface gig 1/0/0
[FW1-security-zone-Trust]quit
[FW1]security-zone name untrust
[FW1-security-zone-Untrust]import interface gig 1/0/1
[FW1-security-zone-Untrust]quit
[FW1]object-group ip address server1
[FW1-obj-grp-ip-server1]network host address 172.0.0.1
[FW1-obj-grp-ip-server1]quit
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0 name ap1
[FW1-security-policy-ip-0-ap1]source-zone untrust
[FW1-security-policy-ip-0-ap1]destination-zone trust
[FW1-security-policy-ip-0-ap1]destination-ip server1
[FW1-security-policy-ip-0-ap1]action pass
[FW1-security-policy-ip-0-ap1]quit
[FW1-security-policy-ip]qu
[FW1]app-profile sec
[FW1-app-profile-sec]ips apply policy default mode protect
[FW1-app-profile-sec]quit
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0
[FW1-security-policy-ip-0-ap1]profile sec
[FW1-security-policy-ip-0-ap1]quit
[FW1-security-policy-ip]quit
[FW1]attack-defense policy ad1
[FW1-attack-defense-policy-ad1]syn-flood threshold 2000
[FW1-attack-defense-policy-ad1]syn-flood action logging drop
[FW1-attack-defense-policy-ad1]syn-flood detect ip 172.0.0.1
[FW1-attack-defense-policy-ad1]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]attack-defense apply policy ad1
```

FW2
```
[FW2]security-zone name trust
[FW2-security-zone-Trust]import interface gig 1/0/0
[FW2-security-zone-Trust]quit
[FW2]security-zone name untrust
[FW2-security-zone-Untrust]import interface gig 1/0/1
[FW2-security-zone-Untrust]quit
[FW2]object-group ip address server2
[FW2-obj-grp-ip-server2]network host address 192.0.0.1
[FW2-obj-grp-ip-server2]quit
[FW2]security-policy ip
[FW2-security-policy-ip]rule 0 name ap1
[FW2-security-policy-ip-0-ap1]source-zone untrust
[FW2-security-policy-ip-0-ap1]destination-zone trust
[FW2-security-policy-ip-0-ap1]destination-ip server2
[FW2-security-policy-ip-0-ap1]action pass
[FW2-security-policy-ip-0-ap1]quit
[FW2-security-policy-ip]quit
[FW2]app-profile sec
[FW2-app-profile-sec]ips apply policy default mode protect
[FW2-app-profile-sec]quit
[FW2]security-policy ip
[FW2-security-policy-ip]rule 0
[FW2-security-policy-ip-0-ap1]profile sec
[FW2-security-policy-ip-0-ap1]quit
[FW2-security-policy-ip]quit
[FW2]attack-defense policy ad1
[FW2-attack-defense-policy-ad1]syn-flood threshold 2000
[FW2-attack-defense-policy-ad1]syn-flood detect ip 192.0.0.1
[FW2-attack-defense-policy-ad1]syn-flood action logging drop
[FW2-attack-defense-policy-ad1]quit
[FW2]security-zone name untrust
[FW2-security-zone-Untrust]attack-defense apply policy ad1
```

(9) IPv6 deployment

S1
```
[S1]interface vlan 10
[S1-Vlan-interface10]ipv6 address 172:10::254 64
[S1-Vlan-interface10]interface vlan 20
[S1-Vlan-interface20]ipv6 address 172:20::254 64
[S1-Vlan-interface20]ipv6 address 172:20::253 64
[S1-Vlan-interface20]undo ipv6 address 172:20::254 64
[S1-Vlan-interface20]interface loopback 0
[S1-LoopBack0]ipv6 address 9::101 128
[S1-LoopBack0]quit
[S1]ospfv3 1
[S1-ospfv3-1]router-id 9.9.9.101
[S1-ospfv3-1]interface range vlan 10 vlan 20
[S1-if-range]ospfv3 1 area 0
```

S2
```
[S2]interface vlan 10
[S2-Vlan-interface10]ipv6 address 172:10::253 64
[S2-Vlan-interface10]interface vlan 20
[S2-Vlan-interface20]ipv6 address 172:20::254 64
[S2-Vlan-interface20]interface loopback 0
[S2-LoopBack0]ipv6 address 9::102 128
[S2-LoopBack0]quit
[S2]ospfv3 1
[S2-ospfv3-1]router-id 9.9.9.102
[S2-ospfv3-1]interface range vlan 10 vlan 20
[S2-if-range]ospfv3 1 area 0
```

(10) Configure BGP/MPLS VPN

R4
```
[R4]bgp 300
[R4-bgp-default]peer 10.0.0.9 as-number 100
[R4-bgp-default]address-family ipv4
[R4-bgp-default-ipv4]peer 10.0.0.9 enable
[R4-bgp-default-ipv4]network 192.0.10.0 24
```

R2
```
[R2]ip vpn-instance vpn2
[R2-vpn-instance-vpn2]route-distinguisher 100:1
[R2-vpn-instance-vpn2]vpn-target 200:1 both
[R2-vpn-instance-vpn2]quit
[R2]interface gig 0/2
[R2-GigabitEthernet0/2]ip binding vpn-instance vpn2
Some configurations on the interface are removed.
[R2-GigabitEthernet0/2]ip address 10.0.0.9 255.255.255.252
[R2-GigabitEthernet0/2]quit
[R2]bgp 100
[R2-bgp-default]ip vpn-instance vpn2
[R2-bgp-default-vpn2]peer 10.0.0.10 as-number 300
[R2-bgp-default-vpn2]address-family ipv4
[R2-bgp-default-ipv4-vpn2]peer 10.0.0.10 enable
[R2]mpls ldp
[R2-ldp]lsr-id 9.9.9.2
[R2-ldp]interface range gig 0/0 gig 0/1
[R2-if-range]mpls enable
[R2-if-range]mpls ldp enable
[R2-if-range]quit
[R2]bgp 100
[R2-bgp-default]group in
[R2-bgp-default]peer 9.9.9.1 group in
[R2-bgp-default]peer 9.9.9.3 group in
[R2-bgp-default]peer in con loopback 0
[R2-bgp-default]address-family vpnv4
[R2-bgp-default-vpnv4]peer in enable
```

R1
```
[R1]mpls ldp
[R1-ldp]lsr-id 9.9.9.1
[R1-ldp]interface range gig 0/2 serial 1/0
[R1-if-range]mpls enable
[R1-if-range]mpls ldp enable
[R1]bgp 100
[R1-bgp-default]group in
[R1-bgp-default]peer 9.9.9.2 group in
[R1-bgp-default]peer 9.9.9.3 group in
[R1-bgp-default]peer in connect-interface loopback 0
[R1-bgp-default]address-family vpnv4
[R1-bgp-default-vpnv4]peer in enable
[R1]bgp 100
[R1-bgp-default]ip vpn-instance vpn1
[R1-bgp-default-vpn1]address-family ipv4
[R1-bgp-default-ipv4-vpn1]network 172.0.10.0 24
[R1-bgp-default-ipv4-vpn1]network 172.0.20.0 24
[R1-bgp-default-ipv4-vpn1]quit
[R1-bgp-default-vpn1]quit
[R1-bgp-default]quit
[R1]ospf 10
[R1-ospf-10]import bgp
```

R3
```
[R3]mpls ldp
[R3-ldp]lsr-id 9.9.9.3
[R3-ldp]interface range serial 1/0 gig 0/0
[R3-if-range]mpls enable
[R3-if-range]mpls ldp enable
[R3-if-range]quit
[R3]bgp 100
[R3-bgp-default]group in
[R3-bgp-default]peer 9.9.9.1 group in
[R3-bgp-default]peer 9.9.9.2 group in
[R3-bgp-default]peer in connect-interface loopback 0
[R3-bgp-default]address-family vpnv4
[R3-bgp-default-vpnv4]peer in enable
[R3]ip vpn-instance vpn1
[R3-vpn-instance-vpn1]route-distinguisher 100:1
[R3-vpn-instance-vpn1]vpn-target 100:1 both
[R3-vpn-instance-vpn1]quit
[R3]ip vpn-instance vpn2
[R3-vpn-instance-vpn2]route-distinguisher 200:1
[R3-vpn-instance-vpn2]vpn-target 200:1 both
[R3-vpn-instance-vpn2]quit
[R3]interface gig 0/1
[R3-GigabitEthernet0/1]ip binding vpn-instance vpn1
Some configurations on the interface are removed.
[R3-GigabitEthernet0/1]ip address 10.0.0.13 255.255.255.252
[R3-GigabitEthernet0/1]interface gig 0/2
[R3-GigabitEthernet0/2]ip binding vpn-instance vpn2
Some configurations on the interface are removed.
[R3-GigabitEthernet0/2]ip a 10.0.0.17 30
[R3-GigabitEthernet0/2]quit
[R3]ip route-static vpn-instance vpn1 172.0.0.0 24 10.0.0.14
[R3]ip route-static vpn-instance vpn2 192.0.0.0 24 10.0.0.18
[R3]bgp 100
[R3-bgp-default]ip vpn vpn1
[R3-bgp-default-vpn1]ad ipv4
[R3-bgp-default-ipv4-vpn1]network 172.0.0.0 24
[R3-bgp-default-ipv4-vpn1]quit
[R3-bgp-default-vpn1]quit
[R3-bgp-default]ip vpn vpn2
[R3-bgp-default-vpn2]ad ipv4
[R3-bgp-default-ipv4-vpn2]network 192.0.0.0 24
```

FW1
```
[FW1]ip route-static 172.0.10.0 24 10.0.0.13
[FW1]ip route-static 172.0.20.0 24 10.0.0.13
```

FW2
```
[FW2]ip route-static 192.0.10.0 24 10.0.0.17
```

Connectivity test

S1 PING PC11
```
[S1]ping -a 172.0.10.252 172.0.0.1
Ping 172.0.0.1 (172.0.0.1) from 172.0.10.252: 56 data bytes, press CTRL_C to break
56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=1.000 ms

--- Ping statistics for 172.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms
[S1]%Nov 19 14:52:47:811 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms.
[S1]ping -a 172.0.20.252 172.0.0.1
Ping 172.0.0.1 (172.0.0.1) from 172.0.20.252: 56 data bytes, press CTRL_C to break
56 bytes from 172.0.0.1: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.0.1: icmp_seq=1 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=2 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=3 ttl=252 time=2.000 ms
56 bytes from 172.0.0.1: icmp_seq=4 ttl=252 time=2.000 ms

--- Ping statistics for 172.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms
[S1]%Nov 19 14:52:57:002 2022 S1 PING/6/PING_STATISTICS: Ping statistics for 172.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.200/3.000/0.400 ms.
```

PC10 PING PC12
```
[PC10]ping -a 192.0.10.1 192.0.0.1
Ping 192.0.0.1 (192.0.0.1) from 192.0.10.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.0.0.1: icmp_seq=0 ttl=251 time=3.000 ms
56 bytes from 192.0.0.1: icmp_seq=1 ttl=251 time=2.000 ms
56 bytes from 192.0.0.1: icmp_seq=2 ttl=251 time=2.000 ms
56 bytes from 192.0.0.1: icmp_seq=3 ttl=251 time=3.000 ms
56 bytes from 192.0.0.1: icmp_seq=4 ttl=251 time=2.000 ms

--- Ping statistics for 192.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms
[H3C]%Nov 19 14:51:05:349 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms.
```

Extension

In this lab, if you ping the other VPN segments from PC11 and PC12, you will find that the pings fail. This is because the firewall policy does not permit the traffic. The exam does not require it; this is only an extension.

```
[PC11]ping 172.0.10.252
Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 172.0.10.252 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Nov 19 14:54:26:179 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
```

After permitting the zones on the firewall as shown below, the ping succeeds when tested again.

```
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0
[FW1-security-policy-ip-0-ap1]source-zone trust
[FW1-security-policy-ip-0-ap1]destination-zone untrust
[FW1]object-group ip address server1
[FW1-obj-grp-ip-server1]network subnet 172.0.10.0 24
```

```
[PC11]ping 172.0.10.252
Ping 172.0.10.252 (172.0.10.252): 56 data bytes, press CTRL_C to break
56 bytes from 172.0.10.252: icmp_seq=0 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=1 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=3 ttl=252 time=3.000 ms
56 bytes from 172.0.10.252: icmp_seq=4 ttl=252 time=2.000 ms

--- Ping statistics for 172.0.10.252 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms
[H3C]%Nov 19 15:08:04:765 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 172.0.10.252: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.800/3.000/0.400 ms.
```

FW2 is configured the same way, so it is not demonstrated here.
2022-12-03
236 views
1 comment
0 likes
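The IGP requirement in the post above (OSPF must advertise specific segments with an exactly matching wildcard mask) can be checked mechanically. The Python script below is an added example, not part of the original post: the configuration sample is constructed (its last two `network` lines are deliberately wrong) and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in Comware style, modelled on the lab's addressing.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.0.0.5 30
interface LoopBack0
 ip address 9.9.9.1 32
ospf 10 router-id 9.9.9.1
 area 0.0.0.0
  network 9.9.9.1 0.0.0.0
  network 10.0.0.1 0.0.0.3
  network 10.0.4.0 0.0.0.3
  network 10.0.0.0 0.0.0.255
"""

IF_RE = re.compile(r"^interface (\S+)")
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
NET_RE = re.compile(r"^\s+network (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """Convert 'network <addr> <wildcard>' to an IPv4Network.

    Host bits in addr are masked off, as the router does.
    Returns None when the wildcard is not a contiguous run of low bits.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard has the form 2**k - 1
        return None
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse(config):
    """Return ({interface: subnet}, [(addr, wildcard), ...])."""
    interfaces, statements, current = {}, [], None
    for line in config.splitlines():
        if line and not line[0].isspace():  # a new top-level section starts
            m = IF_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = IP_RE.match(line)
        if m and current:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            interfaces[current] = iface.network
            continue
        m = NET_RE.match(line)
        if m:
            statements.append((m.group(1), m.group(2)))
    return interfaces, statements


def audit(config):
    """Flag network statements that do not equal an interface subnet."""
    interfaces, statements = parse(config)
    connected = set(interfaces.values())
    findings, matched = [], set()
    for addr, wc in statements:
        net = wildcard_to_network(addr, wc)
        if net is None:
            findings.append((addr, wc, "non-contiguous wildcard"))
        elif net in connected:
            matched.add(net)
        elif any(c.subnet_of(net) for c in connected):
            findings.append((addr, wc, "wider than interface subnet"))
        else:
            findings.append((addr, wc, "matches no interface subnet"))
    # Interfaces that no statement matches exactly.
    unmatched = sorted(n for n, net in interfaces.items() if net not in matched)
    return findings, unmatched


if __name__ == "__main__":
    findings, unmatched = audit(SAMPLE_CONFIG)
    for addr, wc, reason in findings:
        print(f"network {addr} {wc}: {reason}")
    print("interfaces without an exact statement:", unmatched)
```
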
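H3CIE-RS+ Certification Experience: The H3CIE-RS+ Road Is Complete

Since junior high I have had a strong interest in computers. Every day after school I would sit in front of the computer tinkering, with my meal in hand. Later I chose to major in computer science. At first I was rather lost, because the computing world is split into many directions.

In 2020 I started taking networking courses. I had started out studying penetration testing, so my grasp of networking concepts was fuzzy. The teacher's lectures were very interesting, and after a few classes I grew interested in and fond of networking. As for labs, our classroom was still being set up and there were no computers for us to do labs on, so that term we could only study theory first. After passing the H3CNE I had a rough framework of networking.

In the second term our classroom was ready and the teacher began teaching us to do labs. The commands were not hard to understand, and in some labs I could follow the theory, but many difficulties came up when actually doing the labs. Some bugs took a long time to troubleshoot, which was very frustrating. In the end, with the teacher's help, I gradually became able to solve problems on my own, and every time I found the problem I felt a sense of achievement and even found it fun. I thought networking was quite interesting and liked it more and more.

In 2021 I earned the SE certification. The teachers around me were all IE experts, so I got the idea of taking the IE, but I thought the IE was very hard and did not know whether I could learn it. After thinking it over, I finally set myself that Flag.

After signing up for the IE class I started studying hard. The teacher's lessons were easy to understand, which gave me more confidence, and I soon finished the written exam. The lab exam and the interview were still to come, so I kept going.

The lab exam stage was very hard. There were a great many lab steps, and every bug took a long time to troubleshoot, which was agonizing. After finishing a lab my finger joints hurt. During this time I also took part in the campus skills festival and won first prize, which felt like a great achievement.

After two months of training with my hands never leaving the keyboard, on June 17, 2022 I received the lab exam result email. I tapped the email in the notification bar, and during the few seconds of loading delay my heart raced... I passed.

The interview was the last hurdle and also the hardest time. Having finished all the courses, I studied again the topics I did not understand. While others were on summer vacation, we prepared for the exam in the classroom, which was long and agonizing. During this time I even slept in the classroom, and during many days of seclusion I often drank energy drinks to stay alert.

The feeling before the interview was truly unforgettable. I used deep breathing to suppress my nerves as much as I could... When I left the exam room my hands were still trembling slightly and were as cold as in winter...

In the end, after passing test after test, I achieved the Flag I had set. For the IE exam I want to thank my teachers, everyone who silently helped me behind the scenes, and the classmates who fought alongside me. Thank you for your guidance and company. Interest is your best teacher! Studying for the IE is difficult and agonizing, but as long as we are willing to use our heads, think more, and invest time and effort, you will find that however hard it is, it can be overcome.

Related videos:
{bilibili bvid="BV12W4y1B7ZR" page=""/}
{bilibili bvid="BV1Kd4y137Cu" page=""/}
[H3CIE: Passed!]: https://www.bilibili.com/video/BV1Kd4y137Cu
[The H3CIE road is complete, a dream come true: recording the whole process - bilibili]: https://b23.tv/cn04EGi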
2022-09-11
835 views
4 comments
2 likes
2022-08-14
Campus ICT Skills Festival Competition Questions [2022.5]

Introduction:

The topology and requirements of this lab are adapted from a real project. Considering the students' level and progress, the parts not yet covered have been removed or modified.

Project: xxx planning

[Because of privacy concerns about some of the images, this part of the post has been removed]

Lab topology:

Competition requirements:
- The IP addresses have already been planned; there is no need to worry about misconfigured IP addresses.
- Open the configuration file rs.net in the topology files to open the topology and start the exam.
- Complete the lab requirements within the competition time and write a lab document, as follows:
- Naming convention: 19 NetSec 1-xxx, 19 Cloud 2-Zhang San, 19 Cloud 3-Li Si
- Format: submit as a Word document; under each lab requirement, write your own configuration commands.

Topology description:
- PC7 and PC10 belong to the technical department, vlan10; PC8 and PC9 belong to the finance department, vlan20.
- SW1 and SW2 are access-layer devices responsible for LAN communication, and are interconnected in a highly reliable way.
- SW3 is the gateway device for Vlan10 and Vlan20.
- SW3, R4 and R5 run single-area OSPF, and R4 and R5 are the China Unicom and China Telecom egresses respectively, ensuring network reliability.
- R6 is the Internet device.

Lab requirements:

The LAN has two service VLANs, Vlan10 and Vlan20. Vlan10 and Vlan20 correspond to IP segments 192.168.1.0/24 and 192.168.2.0/24 respectively. Assign the VLANs as required.

```
[SW1]vlan 10
[SW1-vlan10]qu
[SW1]vlan 20
[SW1-vlan20]qu
[SW1]interface GigabitEthernet 1/0/4
[SW1-GigabitEthernet1/0/4]port link-type access
[SW1-GigabitEthernet1/0/4]port access vlan 10
[SW1-GigabitEthernet1/0/4]qu
[SW1]interface GigabitEthernet 1/0/5
[SW1-GigabitEthernet1/0/5]port link-type access
[SW1-GigabitEthernet1/0/5]port access vlan 20
```

```
[SW2]vlan 10
[SW2-vlan10]qu
[SW2]vlan 20
[SW2-vlan20]qu
[SW2]interface GigabitEthernet 1/0/4
[SW2-GigabitEthernet1/0/4]port link-type access
[SW2-GigabitEthernet1/0/4]port access vlan 20
[SW2-GigabitEthernet1/0/4]qu
[SW2]interface GigabitEthernet 1/0/5
[SW2-GigabitEthernet1/0/5]port link-type access
[SW2-GigabitEthernet1/0/5]port access vlan 10
```

Configure static link aggregation on the direct links between SW1 and SW2 to provide link redundancy and increase link bandwidth.

```
[SW1]interface Bridge-Aggregation 1
[SW1-Bridge-Aggregation1]qu
[SW1]interface GigabitEthernet 1/0/2
[SW1-GigabitEthernet1/0/2]port link-aggregation group 1
[SW1-GigabitEthernet1/0/2]qu
[SW1]interface GigabitEthernet 1/0/3
[SW1-GigabitEthernet1/0/3]port link-aggregation group 1
```

```
[SW2]interface Bridge-Aggregation 1
[SW2-Bridge-Aggregation1]qu
[SW2]interface GigabitEthernet 1/0/2
[SW2-GigabitEthernet1/0/2]port link-aggregation group 1
[SW2-GigabitEthernet1/0/2]qu
[SW2]interface GigabitEthernet 1/0/3
[SW2-GigabitEthernet1/0/3]port link-aggregation group 1
```

Configure all ports that connect switches to each other as Trunk ports and permit the relevant traffic.

```
[SW1]interface Bridge-Aggregation 1
[SW1-Bridge-Aggregation1]port link-type trunk
[SW1-Bridge-Aggregation1]port trunk permit vlan 10 20
[SW1-Bridge-Aggregation1]qu
[SW1]interface GigabitEthernet 1/0/1
[SW1-GigabitEthernet1/0/1]port link-type trunk
[SW1-GigabitEthernet1/0/1]port trunk permit vlan 10 20
```

```
[SW2]interface Bridge-Aggregation 1
[SW2-Bridge-Aggregation1]port link-type trunk
[SW2-Bridge-Aggregation1]port trunk permit vlan 10 20
[SW2-Bridge-Aggregation1]qu
[SW2]interface GigabitEthernet 1/0/1
[SW2-GigabitEthernet1/0/1]port link-type trunk
[SW2-GigabitEthernet1/0/1]port trunk permit vlan 10 20
```

```
[SW3]interface GigabitEthernet 1/0/1
[SW3-GigabitEthernet1/0/1]port link-type trunk
[SW3-GigabitEthernet1/0/1]port trunk permit vlan 10 20
[SW3-GigabitEthernet1/0/1]qu
[SW3]interface GigabitEthernet 1/0/2
[SW3-GigabitEthernet1/0/2]port link-type trunk
[SW3-GigabitEthernet1/0/2]port trunk permit vlan 10 20
```

SW1, SW2 and SW3 run the STP version of spanning tree; modify the cost value so that the blocked port is on port g0/1 of SW2.

```
[SW1]stp mode stp
[SW1]display stp brief
 MST ID   Port                  Role  STP State   Protection
 0        Bridge-Aggregation1   DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/1  DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/4  DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/5  DESI  FORWARDING  NONE
```

```
[SW2]stp mode stp
[SW2]display stp brief
 MST ID   Port                  Role  STP State   Protection
 0        Bridge-Aggregation1   ROOT  FORWARDING  NONE
 0        GigabitEthernet1/0/1  DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/4  DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/5  DESI  FORWARDING  NONE
```

```
[SW3]stp mode stp
[SW3]display stp brief
 MST ID   Port                  Role  STP State   Protection
 0        GigabitEthernet1/0/1  ROOT  FORWARDING  NONE
 0        GigabitEthernet1/0/2  ALTE  DISCARDING  NONE
 0        GigabitEthernet1/0/3  DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/4  DESI  FORWARDING  NONE
// The blocked port does not meet the requirement; change the blocked port
[SW3]stp priority 0
[SW2]interface GigabitEthernet 1/0/1
[SW2-GigabitEthernet1/0/1]stp cost 400
```

Configure single-area OSPF on R4, R5 and SW3 as shown in the diagram, and advertise the service segments so that the whole network is reachable. Vlan100 and Vlan200 on SW3 are used to form OSPF neighbor relationships with R4 and R5 respectively. (15 points)

```
// Assign the ports so that the Layer 3 interfaces come UP
[SW3]interface GigabitEthernet 1/0/3
[SW3-GigabitEthernet1/0/3]port link-type access
[SW3-GigabitEthernet1/0/3]port access vlan 100
[SW3-GigabitEthernet1/0/3]qu
[SW3]interface GigabitEthernet 1/0/4
[SW3-GigabitEthernet1/0/4]port link-type access
[SW3-GigabitEthernet1/0/4]port access vlan 200
// Configure OSPF
[SW3]ospf
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 100.0.11.0 0.0.0.3
[SW3-ospf-1-area-0.0.0.0]network 100.0.11.4 0.0.0.3
[SW3-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
```

```
[R4]ospf
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0]network 100.0.11.0 0.0.0.3
[R4-ospf-1-area-0.0.0.0]network 100.0.11.8 0.0.0.3
```

```
[R5]ospf
[R5-ospf-1]area 0
[R5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]network 100.0.11.4 0.0.0.3
[R5-ospf-1-area-0.0.0.0]network 100.0.11.8 0.0.0.3
```

Protocol packets must not appear on the service segments. (5 points)

```
[SW3-ospf-1]silent-interface Vlan-interface 10
[SW3-ospf-1]silent-interface Vlan-interface 20
```

Configure a default route pointing to the Internet on R4 and R5 and inject it into OSPF. Use a suitable method to make them primary and backup: the primary link is China Telecom and the backup link is China Unicom. Service data goes to the Internet over the China Unicom link only after the China Telecom link goes down.

```
[R4]ip route-static 0.0.0.0 0 200.1.1.2 preference 200
[R4-ospf-1]default-route-advertise cost 5000
[R5]ip route-static 0.0.0.0 0 200.2.2.2
[R5-ospf-1]default-route-advertise
```

Configure EASY IP on R4 and R5 so that all service segments can reach the Internet through R4 or R5.

```
[R4]acl basic 2000
[R4-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R4-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R4]interface Serial 1/0
[R4-Serial1/0]nat outbound 2000
```

```
[R5]acl basic 2000
[R5-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R5-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R5]interface Serial 1/0
[R5-Serial1/0]nat outbound 2000
```

R4 and R5 each connect to the Internet over a single serial link; configure PPP with two-way chap authentication.

```
[R6]local-user r4 class network
New local user added.
[R6-luser-network-r4]password simple 123
[R6-luser-network-r4]service-type ppp
[R6]local-user r5 class network
New local user added.
[R6-luser-network-r5]password simple 123
[R6-luser-network-r5]service-type ppp
// Enable PPP authentication
[R6]interface Serial 1/0
[R6-Serial1/0]ppp authentication-mode chap
[R6-Serial1/0]ppp chap user r6
[R6-Serial1/0]qu
[R6]interface Serial 2/0
[R6-Serial2/0]ppp authentication-mode chap
[R6-Serial2/0]ppp chap user r6
```

```
// Configure R4
[R4]local-user r6 class network
New local user added.
[R4-luser-network-r6]password simple 123
[R4-luser-network-r6]service-type ppp
[R4-luser-network-r6]qu
[R4]interface Serial 1/0
[R4-Serial1/0]ppp authentication-mode chap
[R4-Serial1/0]ppp chap user r4
```

```
// Configure R5
[R5]local-user r6 class network
New local user added.
[R5-luser-network-r6]password simple 123
[R5-luser-network-r6]service-type ppp
[R5-luser-network-r6]qu
[R5]interface Serial 1/0
[R5-Serial1/0]ppp authentication-mode chap
[R5-Serial1/0]ppp chap user r5
```

Enable TELNET remote management on R5, logging in as user mo66.cn with password 666 and the highest privilege level; only the technical department is allowed to manage R5 remotely.

```
[R5]local-user mo66.cn class manage
New local user added.
[R5-luser-manage-mo66.cn]password simple 666
[R5-luser-manage-mo66.cn]service-type telnet
[R5-luser-manage-mo66.cn]qu
[R5]telnet server enable
[R5]user-interface vty 0 4
[R5-line-vty0-4]authentication-mode scheme
[R5-line-vty0-4]user-role level-15
// Configure an ACL so that only the technical department can manage R5
[R5]acl basic 2001
[R5-acl-ipv4-basic-2001]rule permit source 192.168.1.0 0.0.0.255
[R5-acl-ipv4-basic-2001]qu
[R5]telnet server acl 2001
```

Time to hand it in~
2022-08-14
469 views
2 comments
0 likes