Original article: https://mp.weixin.qq.com/s/y9mHbIzTWVgkKMcBsl8b0A
Lab topology
Lab requirements and implementation
Part 1
Command-line basics and basic device maintenance
Configure the local login password for the AR1 console: Qw!@123123
[AR1]user-interface console 0
[AR1-ui-console0]authentication-mode password
Please configure the login password (maximum length 16):Qw!@123123
[AR1-ui-console0]quit
Deploy SSH on AR1 so that only intranet hosts can log in
Login account: zengxz/Qw!@123123
[AR1]stelnet server enable
[AR1]aaa
[AR1-aaa]local-user zengxz password cipher Qw!@123123
[AR1-aaa]local-user zengxz service-type ssh
[AR1-aaa]local-user zengxz privilege level 15
[AR1-aaa]quit
[AR1]ssh user zengxz authentication-type password
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode aaa
[AR1-ui-vty0-4]protocol inbound ssh
[AR1-ui-vty0-4]quit
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]quit
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]acl 2000 inbound
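The SSH commands above only meet the "intranet hosts only" requirement if all four pieces are present: the stelnet server, AAA on the VTY lines, SSH as the only inbound protocol, and an inbound ACL whose permitted sources are private ranges. As an added example (not from the article), this audit checks a constructed running-config view of those lines and reports what is missing:

```python
import ipaddress
import re

# Added example, not from the original article. Constructed running-config
# view of the AR1 remote-access commands above (prompts stripped).
AR1_CONFIG = """\
stelnet server enable
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.255.255
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 acl 2000 inbound
"""

def wildcard_to_network(addr, wildcard):
    """VRP 'address wildcard' (inverted mask) to ip_network; assumes a contiguous wildcard."""
    return ipaddress.ip_network((addr, 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")))

def audit_vty(config):
    """Return findings for the 'SSH only, intranet only' requirement (empty list = compliant)."""
    findings = []
    if "stelnet server enable" not in config:
        findings.append("SSH server (stelnet) not enabled")
    m = re.search(r"^user-interface vty 0 4\n((?: .*\n)*)", config, re.M)
    vty = m.group(1) if m else ""
    if " authentication-mode aaa" not in vty:
        findings.append("vty 0 4: authentication-mode is not aaa")
    if " protocol inbound ssh" not in vty:
        findings.append("vty 0 4: telnet still accepted (protocol inbound ssh missing)")
    acl = re.search(r" acl (\d+) inbound", vty)
    if not acl:
        findings.append("vty 0 4: no inbound ACL, login reachable from any source")
        return findings
    # Every source the ACL permits must be a private range, otherwise the
    # "only intranet hosts can log in" requirement is not met.
    block = re.search(r"^acl number %s\n((?: .*\n)*)" % acl.group(1), config, re.M)
    for addr, wc in re.findall(r"rule \d+ permit source (\S+) (\S+)", block.group(1) if block else ""):
        network = wildcard_to_network(addr, wc)
        if not network.is_private:
            findings.append("acl %s permits non-private source %s" % (acl.group(1), network))
    return findings
```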
Part 2
Link aggregation: configure link aggregation between SW2 and SW3 in LACP mode
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]mode lacp-static
[LSW2-Eth-Trunk1]trunkport e0/0/21
[LSW2-Eth-Trunk1]trunkport e0/0/22
[LSW3]int Eth-Trunk 1
[LSW3-Eth-Trunk1]mode lacp-static
[LSW3-Eth-Trunk1]trunkport e0/0/21
[LSW3-Eth-Trunk1]trunkport e0/0/22
VLANs and port types
[LSW1]vlan batch 10 20 254 11
[LSW2]vlan batch 10 20 254
[LSW3]vlan batch 10 20 254
[AC1]vlan 254
Configure switch interconnect ports as trunk
[LSW2]port-group group-member g0/0/1 Eth-Trunk1
[LSW2-port-group]port link-type trunk
[LSW2-port-group]port trunk allow-pass vlan all
[LSW3]port-group group-member g0/0/1 Eth-Trunk 1
[LSW3-port-group]port link-type trunk
[LSW3-port-group]port trunk allow-pass vlan all
Configure the interface connected to the AP as hybrid
[LSW2]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port hybrid pvid vlan 254
[LSW2-GigabitEthernet0/0/2]port hybrid untagged vlan 254
[LSW2-GigabitEthernet0/0/2]port hybrid tagged vlan 10
Configure the interfaces connected to the router, PC and server as access
[LSW2]int e0/0/1
[LSW2-Ethernet0/0/1]port link-type access
[LSW2-Ethernet0/0/1]port default vlan 10
[LSW3]int e0/0/1
[LSW3-Ethernet0/0/1]port link-type access
[LSW3-Ethernet0/0/1]port default vlan 20
[LSW1]int g0/0/24
[LSW1-GigabitEthernet0/0/24]port link-type access
[LSW1-GigabitEthernet0/0/24]port default vlan 11
[LSW1]port-group group-member g0/0/1 g0/0/2
[LSW1-port-group]port link-type trunk
[LSW1-port-group]port trunk allow-pass vlan all
[LSW1-port-group]quit
Choose an appropriate port type for the interface connected to the AC
[LSW1]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 254
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 254
Adjust the STP topology so that no port is blocked between the access switches and the aggregation switch
[LSW1]stp mode stp
[LSW1]stp pathcost-standard dot1d
[LSW1]stp priority 8192
[LSW2]stp mode stp
[LSW2]stp pathcost-standard dot1d
[LSW3]stp mode stp
[LSW3]stp pathcost-standard dot1d
Inter-VLAN routing: aggregation switch S1 serves as the gateway for PC1 and SERVER1 and is also configured as the DHCP server
Configure IP addresses
[LSW1]dhcp enable
[LSW1]int v254
[LSW1-Vlanif254]ip add 192.168.254.254 24
[LSW1-Vlanif254]dhcp select interface
[LSW1-Vlanif254]dhcp server excluded-ip-address 192.168.254.253
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.88.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 202.105.12.2 30
[AR2-ISP]int g0/0/0
[AR2-ISP-GigabitEthernet0/0/0]ip add 202.105.12.1 24
[AR2-ISP]int l0
[AR2-ISP-LoopBack0]ip add 114.114.114.114 32
[AR2-ISP]int g0/0/1
[AR2-ISP-GigabitEthernet0/0/1]ip add 68.43.23.1 24
[AR2-ISP]vlan 5
[AR2-ISP-vlan5]int e0/0/0
[AR2-ISP-Ethernet0/0/0]port default vlan 5
[AR2-ISP]int vl5
[AR2-ISP-Vlanif5]ip add 119.146.185.1 30
[AR3]dhcp enable
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip add 172.16.30.254 24
[AR3-GigabitEthernet0/0/1]dhcp select interface
Configure inter-VLAN access so that PC1 and SERVER1 can reach each other
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.254 24
[LSW1-Vlanif10]dhcp select interface
[LSW1-Vlanif10]int v20
[LSW1-Vlanif20]ip add 192.168.20.254 24
S1 and R1 are interconnected via VLANIF 11
[LSW1]int v11
[LSW1-Vlanif11]ip add 192.168.11.2 24
[AR1]int g1/0/0
[AR1-GigabitEthernet1/0/0]ip add 192.168.11.1 24
LAN hardening: configure port security on S2 to limit the number of MAC addresses a port may learn, and record the learned MAC addresses automatically (sticky)
[LSW2]int e0/0/1
[LSW2-Ethernet0/0/1]port-security enable
[LSW2-Ethernet0/0/1]port-security mac-address sticky
[LSW2-Ethernet0/0/1]port-security max-mac-num 2
Configure DHCP snooping on S2 to defend against DHCP spoofing and DHCP starvation attacks
[LSW2]dhcp enable
[LSW2]dhcp snooping enable
[LSW2]vlan 10
[LSW2-vlan10]dhcp snooping enable
[LSW2-vlan10]dhcp snooping check dhcp-chaddr enable
[LSW2-vlan10]int g0/0/1
[LSW2-GigabitEthernet0/0/1]dhcp snooping trusted
[LSW2-GigabitEthernet0/0/1]q
[LSW2]int Eth-Trunk1
[LSW2-Eth-Trunk1]dhcp snooping trusted
S2 uses the DHCP snooping binding table to defend against ARP man-in-the-middle attacks
[LSW2]dhcp snooping user-bind autosave flash:/dhcp.tbl
<LSW2>dis dhcp snooping user-bind all
[LSW2]arp dhcp-snooping-detect enable
[LSW2]dis mac-address
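The three checks configured above (trusted ports, chaddr validation, ARP checked against the binding table) are easiest to reason about as a small decision model. This added example (not from the article) models them over a constructed binding table and sample packets; port names are this lab's, MAC and IP values are invented:

```python
from collections import namedtuple

# Added example, not from the original article. Constructed data: a binding table
# like the one "display dhcp snooping user-bind all" lists on LSW2 (values invented),
# and the two uplinks this lab marks "dhcp snooping trusted".
Binding = namedtuple("Binding", "ip mac vlan port")
BINDINGS = [
    Binding("192.168.10.1", "5489-98aa-0001", 10, "Ethernet0/0/1"),
    Binding("192.168.10.3", "5489-98aa-0003", 10, "Ethernet0/0/3"),
]
TRUSTED_PORTS = {"GigabitEthernet0/0/1", "Eth-Trunk1"}

def dhcp_reply_allowed(port):
    """Model of DHCP snooping: OFFER/ACK frames are accepted only on trusted ports,
    so a rogue server plugged into an access port cannot hand out addresses."""
    return port in TRUSTED_PORTS

def dhcp_request_allowed(frame_src_mac, chaddr, port):
    """Model of 'dhcp snooping check dhcp-chaddr': on untrusted ports a DISCOVER/REQUEST
    whose chaddr differs from the Ethernet source MAC is dropped, which is what a
    starvation tool relies on to drain the pool with forged client hardware addresses."""
    return port in TRUSTED_PORTS or frame_src_mac == chaddr

def arp_allowed(sender_ip, sender_mac, vlan, port, bindings=BINDINGS):
    """Model of 'arp dhcp-snooping-detect': on untrusted ports an ARP packet is forwarded
    only if sender IP, sender MAC, VLAN and ingress port all match one binding entry
    (hosts with static addresses therefore need a static binding)."""
    if port in TRUSTED_PORTS:
        return True
    return Binding(sender_ip, sender_mac, vlan, port) in bindings

# Constructed ARP samples: a legitimate reply from PC1, and a packet on another port
# with another MAC claiming PC1's address (the pattern the binding-table check catches).
SAMPLE_ARP = [
    ("192.168.10.1", "5489-98aa-0001", 10, "Ethernet0/0/1"),
    ("192.168.10.1", "5489-98aa-0003", 10, "Ethernet0/0/3"),
]

def dropped_arp(packets=SAMPLE_ARP):
    """Return the ARP packets the switch would discard."""
    return [p for p in packets if not arp_allowed(*p)]

if __name__ == "__main__":
    for pkt in dropped_arp():
        print("dropped ARP", pkt)
```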
Part 3
OSPF single-area configuration
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 192.168.88.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]silent-interface g0/0/0
[AR1-ospf-1]quit
[LSW1]ospf 1
[LSW1-ospf-1]silent-interface all
[LSW1-ospf-1]undo silent-interface Vlanif 11
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]quit
[LSW1-ospf-1]int v11
[LSW1-Vlanif11]ospf enable 1 area 0
[LSW1-Vlanif11]int v10
[LSW1-Vlanif10]ospf enable 1 area 0
[LSW1-Vlanif10]int v20
[LSW1-Vlanif20]ospf enable 1 area 0
[LSW1-ospf-1]dis ospf peer brief
OSPF network type and default route
[AR1]int g1/0/0
[AR1-GigabitEthernet1/0/0]ospf network-type p2p
[AR1]ip route-static 0.0.0.0 0.0.0.0 202.105.12.1
[AR1]ospf 1
[AR1-ospf-1]default-route-advertise
[AR1-ospf-1]quit
[AR1]dis ip routing-table protocol ospf
[LSW1]int v11
[LSW1-Vlanif11]ospf network-type p2p
Part 4: WAN technologies
PPPoE
Server side
[AR2-ISP]aaa
[AR2-ISP-aaa]local-user zengxz password cipher Qw!@123123
[AR2-ISP-aaa]local-user zengxz service-type ppp
[AR2-ISP-aaa]quit
[AR2-ISP]int Virtual-Template 1
[AR2-ISP-Virtual-Template1]ip add unnumbered interface g0/0/1
[AR2-ISP-Virtual-Template1]ppp authentication-mode chap
[AR2-ISP-Virtual-Template1]remote address 68.43.23.2
[AR2-ISP-Virtual-Template1]quit
[AR2-ISP]int g0/0/1
[AR2-ISP-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1
Client side
[AR3]int Dialer 1
[AR3-Dialer1]ip add ppp-negotiate
[AR3-Dialer1]dialer user zengxz
[AR3-Dialer1]dialer bundle 1
[AR3-Dialer1]mtu 1492
[AR3-Dialer1]ppp chap user zengxz
[AR3-Dialer1]ppp chap password simple Qw!@123123
[AR3-Dialer1]ppp ipcp default-route
[AR3-Dialer1]quit
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1
[AR3]dis pppoe-client session summary
[AR3]dis ip routing-table
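The `ppp authentication-mode chap` / `ppp chap user` / `ppp chap password` lines set up an RFC 1994 CHAP exchange over the PPPoE session. This added example (not from the article) models that exchange with the lab's account; the challenge bytes and the server-side user database are constructed, and the CHAP identifier is assumed to be 1:

```python
import hashlib
import hmac
import os

# Added example, not from the original article. The account is the lab's PPP user;
# the server-side user database and the challenge bytes are constructed here.
USERNAME = "zengxz"
SECRET = "Qw!@123123"
SERVER_USER_DB = {USERNAME: SECRET}   # what "local-user zengxz ... service-type ppp" provides on AR2-ISP

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    Only the 16-byte hash crosses the PPPoE session; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()

def server_verify(identifier, challenge, name, response, user_db=SERVER_USER_DB):
    """Authenticator (AR2-ISP) side: look the peer's Name up, recompute, compare in constant time."""
    secret = user_db.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def run_exchange(client_secret, identifier=1, challenge=None):
    """One Challenge / Response / Success-or-Failure round as the server sees it.
    Returns True when AR2-ISP would answer with CHAP Success."""
    if challenge is None:
        challenge = os.urandom(16)                                     # 1. server -> client: Challenge
    response = chap_response(identifier, client_secret, challenge)     # 2. client -> server: Response + Name
    return server_verify(identifier, challenge, USERNAME, response)    # 3. server -> client: Success/Failure

if __name__ == "__main__":
    print("correct password:", run_exchange(SECRET))
    print("wrong password:  ", run_exchange("wrong"))
```

A fresh random challenge per attempt is what makes a captured Response useless for replay; it is also why the server must hold the cleartext secret, which is what `local-user ... service-type ppp` stores on AR2-ISP.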
Part 5
Address-group-based NAT
[AR1]nat address-group 1 202.105.12.16 202.105.12.19
[AR1]acl 3001
[AR1-acl-adv-3001]rule 10 permit ip source 192.168.10.0 0.0.0.255
[AR1-acl-adv-3001]rule 15 permit ip source 192.168.20.0 0.0.0.255
[AR1-acl-adv-3001]quit
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 3001 address-group 1
Easy IP
[AR3]acl 3001
[AR3-acl-adv-3001]rule 10 permit ip source 172.16.30.0 0.0.0.255
[AR3]int Dialer 1
[AR3-Dialer1]nat outbound 3001
NAT server and NAT ALG
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 202.105.12.88 80 inside 192.168.88.88 80
[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 202.105.12.88 21 inside 192.168.88.88 21
[AR1-GigabitEthernet0/0/1]quit
[AR1]nat alg ftp enable
Block external ping and tracert to AR1's public interface address
[AR1]acl 3000
[AR1-acl-adv-3000]rule deny icmp icmp-type echo
[AR1-acl-adv-3000]rule deny udp destination-port gt 33433
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
Part 6
Simple Layer 2 WLAN deployment
[AC1]capwap source interface Vlanif 254
[AC1]wlan
[AC1-wlan-view]ssid-profile name SSID_pro
[AC1-wlan-ssid-prof-SSID_pro]ssid zengxz
[AC1-wlan-ssid-prof-SSID_pro]quit
[AC1-wlan-view]security-profile name SEC_pro
[AC1-wlan-sec-prof-SEC_pro]security wpa2 psk pass-phrase Qw!@123123 aes
[AC1-wlan-sec-prof-SEC_pro]quit
[AC1-wlan-view]vap-profile name VAP_pro
[AC1-wlan-vap-prof-VAP_pro]ssid-profile SSID_pro
[AC1-wlan-vap-prof-VAP_pro]security-profile SEC_pro
[AC1-wlan-vap-prof-VAP_pro]service-vlan vlan-id 10
[AC1-wlan-vap-prof-VAP_pro]forward-mode direct-forward
[AC1-wlan-vap-prof-VAP_pro]q
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc3f-8080
[AC1-wlan-ap-1]ap-name AREA_1
[AC1-wlan-ap-1]vap-profile VAP_pro wlan 1 radio 0
[AC1-wlan-ap-1]vap-profile VAP_pro wlan 1 radio 1
[AC1-wlan-ap-1]q
[AC1-wlan-view]q
[AC1]dis ap all
[AC1]dis station all
IPsec VPN (branch-to-headquarters server access)
[AR1]ike proposal 10
[AR1-ike-proposal-10]authentication-method pre-share
[AR1-ike-proposal-10]dh group2
[AR1-ike-proposal-10]encryption-algorithm 3des
[AR1-ike-proposal-10]authentication-algorithm sha1
[AR1-ike-proposal-10]q
[AR1]ike peer ALL v2
[AR1-ike-peer-ALL]pre-shared-key simple HUAWEI
[AR1-ike-peer-ALL]ike-proposal 10
[AR1]ipsec proposal LAN_SET
[AR1-ipsec-proposal-LAN_SET]esp encryption-algorithm 3des
[AR1-ipsec-proposal-LAN_SET]esp authentication-algorithm sha1
[AR1-ipsec-proposal-LAN_SET]dis th
[AR1-ipsec-proposal-LAN_SET]q
[AR1]ipsec policy-template DY_MAP 10
[AR1-ipsec-policy-templet-DY_MAP-10]ike-peer ALL
[AR1-ipsec-policy-templet-DY_MAP-10]proposal LAN_SET
[AR1-ipsec-policy-templet-DY_MAP-10]quit
[AR1]ipsec policy LAN_MAP 10 isakmp template DY_MAP
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ipsec policy LAN_MAP
[AR1]acl 3001
[AR1-acl-adv-3001]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 3001 address-group 1
[AR3]ike proposal 10
[AR3-ike-proposal-10]authentication-method pre-share
[AR3-ike-proposal-10]dh group2
[AR3-ike-proposal-10]encryption-algorithm 3des-cbc
[AR3-ike-proposal-10]authentication-algorithm sha1
[AR3-ike-proposal-10]quit
[AR3]ike peer AR1 v2
[AR3-ike-peer-AR1]pre-shared-key simple HUAWEI
[AR3-ike-peer-AR1]ike-proposal 10
[AR3-ike-peer-AR1]remote-address 202.105.12.2
[AR3-ike-peer-AR1]quit
[AR3]acl 3000
[AR3-acl-adv-3000]rule permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR3-acl-adv-3000]quit
[AR3]ipsec proposal LAN_SET
[AR3-ipsec-proposal-LAN_SET]esp encryption-algorithm 3des
[AR3-ipsec-proposal-LAN_SET]esp authentication-algorithm sha1
[AR3-ipsec-proposal-LAN_SET]quit
[AR3]ipsec policy LAN_MAP 10 isakmp
[AR3-ipsec-policy-isakmp-LAN_MAP-10]security acl 3000
[AR3-ipsec-policy-isakmp-LAN_MAP-10]ike-peer AR1
[AR3-ipsec-policy-isakmp-LAN_MAP-10]proposal LAN_SET
[AR3-ipsec-policy-isakmp-LAN_MAP-10]quit
[AR3]int Dialer 1
[AR3-Dialer1]ipsec policy LAN_MAP
[AR3]acl 3001
[AR3-acl-adv-3001]rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR3]int d1
[AR3-Dialer1]nat outbound 3001
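The `rule 5 deny` lines added to ACL 3001 on both routers are what keep the VPN traffic out of `nat outbound`: without them the branch/HQ packets would be translated before the IPsec policy sees them and never match the protected flows. This added example (not from the article) parses constructed copies of the lab's NAT ACLs and AR3's IPsec ACL and checks that exemption on both sides; since AR1 uses a policy template and has no IPsec ACL of its own, HQ_FLOWS is the mirror of AR3's ACL that AR3 proposes to it:

```python
import ipaddress
import re

# Added example, not from the original article. Constructed copies of this lab's
# NAT ACLs and AR3's IPsec ACL; HQ_FLOWS mirrors AR3's ACL as seen from AR1.
AR1_NAT_ACL = """\
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255
rule 15 permit ip source 192.168.20.0 0.0.0.255
"""
AR3_NAT_ACL = """\
rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip source 172.16.30.0 0.0.0.255
"""
AR3_IPSEC_ACL = "rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255\n"
HQ_FLOWS = "rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.30.0 0.0.0.255\n"

RULE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+)(?: destination (\S+) (\S+))?")

def net(addr, wildcard):
    """VRP 'address wildcard' (inverted mask) to ip_network; assumes a contiguous wildcard."""
    return ipaddress.ip_network((addr, 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")))

def parse_acl(text):
    """(number, action, src_net, dst_net) tuples in rule-number order, the order VRP matches."""
    rules = []
    for num, action, sa, sw, da, dw in RULE.findall(text):
        dst = net(da, dw) if da else ipaddress.ip_network("0.0.0.0/0")   # no destination = any
        rules.append((int(num), action, net(sa, sw), dst))
    return sorted(rules)

def acl_action(rules, src, dst):
    """First match wins; 'no-match' means nat outbound leaves the packet untranslated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action
    return "no-match"

def nat_exempts_vpn_traffic(nat_acl_text, ipsec_acl_text):
    """True when no flow the IPsec ACL protects is permitted (translated) by the NAT ACL;
    each protected src/dst pair is probed at its network and broadcast addresses."""
    nat = parse_acl(nat_acl_text)
    for _, action, snet, dnet in parse_acl(ipsec_acl_text):
        if action != "permit":
            continue
        for s in (snet.network_address, snet.broadcast_address):
            for d in (dnet.network_address, dnet.broadcast_address):
                if acl_action(nat, s, d) == "permit":
                    return False
    return True
```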
-END-