Junior Network Engineer: From Getting Started to Getting Jailed (Part 10)
Today's study is mainly about understanding and applying the knowledge needed to build an enterprise-level project in practice.
This article records the bits and pieces of my learning process. The aim is to consolidate what I have learned, share it with everyone, and have something to review quickly if I forget it later.
Building an Enterprise Network Project in Practice (DHCP, VRRP, OSPF)
1. Topology Diagram
The information points of Building 1 and Building 2 in the headquarters office area are aggregated at SW1 and SW2 respectively, go upstream to routers R1 and R2, and are connected through SW8 to the Internet router "Internet". The headquarters router ZB connects to the factory router GC over a serial link, and GC dials in to the Internet via PPPoE.
The headquarters office area uses VLANs 10, 20, 30, 40, 50 and 300, of which VLAN 300 is dedicated to remote management of the network devices. SW1 and SW2 additionally carry VLANs 11 and 12, which are used for the VRRP uplink interfaces.
Overview (figure):
Details (figure):
Internal network part (figure):
External network part (figure):
2. Configuration
2.1 Configure the headquarters internal Layer 2 switches
- Configure the Layer 2 interfaces:
- SW4
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]interface e0/0/1
[SW4-Ethernet0/0/1]port link-type trunk
[SW4-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
//Many students take the shortcut of allowing "all" or "2 to 4094" here. That is not acceptable in a production environment, and it is not professional either~
[SW4-Ethernet0/0/1]quit
[SW4]interface e0/0/3
[SW4-Ethernet0/0/3]port link-type trunk
[SW4-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW4-Ethernet0/0/3]quit
[SW4]interface e0/0/2
[SW4-Ethernet0/0/2]port link-type access
[SW4-Ethernet0/0/2]port default vlan 10
[SW4-Ethernet0/0/2]quit
- SW5
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW5
[SW5]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW5]interface e0/0/1
[SW5-Ethernet0/0/1]port link-type trunk
[SW5-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW5-Ethernet0/0/1]quit
[SW5]interface e0/0/3
[SW5-Ethernet0/0/3]port link-type trunk
[SW5-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW5-Ethernet0/0/3]quit
[SW5]interface e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]quit
- SW6
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW6
[SW6]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW6]interface e0/0/1
[SW6-Ethernet0/0/1]port link-type trunk
[SW6-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW6-Ethernet0/0/1]quit
[SW6]interface e0/0/3
[SW6-Ethernet0/0/3]port link-type trunk
[SW6-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW6-Ethernet0/0/3]quit
[SW6]interface e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 30
[SW6-Ethernet0/0/2]quit
- SW7
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW7
[SW7]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW7]interface e0/0/1
[SW7-Ethernet0/0/1]port link-type trunk
[SW7-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
//Started copy-pasting yet? Typing the commands out honestly is the soul of a senior network engineer, haha~~
[SW7-Ethernet0/0/1]quit
[SW7]interface e0/0/3
[SW7-Ethernet0/0/3]port link-type trunk
[SW7-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW7-Ethernet0/0/3]quit
[SW7]interface e0/0/2
[SW7-Ethernet0/0/2]port link-type access
[SW7-Ethernet0/0/2]port default vlan 40
[SW7-Ethernet0/0/2]quit
- SW1
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW1
[SW1]vlan batch 10 20 30 40 50 300 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
//VLANs 11 and 12 appear from here; VRRP will use them later.
[SW1]interface g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
//The link type must be set to trunk before allow-pass is accepted, as on the other trunk ports.
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW1-GigabitEthernet0/0/2]quit
[SW1]interface g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW1-GigabitEthernet0/0/3]quit
- SW2
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW2
[SW2]vlan batch 10 20 30 40 50 300 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2]interface g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW2-GigabitEthernet0/0/2]quit
[SW2]interface g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW2-GigabitEthernet0/0/3]quit
[SW2]interface g0/0/6
[SW2-GigabitEthernet0/0/6]port link-type trunk
[SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW2-GigabitEthernet0/0/6]quit
- Link aggregation between SW1 and SW2
[SW1]interface eth-trunk 1
[SW1-Eth-Trunk1]port link-type trunk
[SW1-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW1-Eth-Trunk1]quit
[SW1]interface g0/0/4
[SW1-GigabitEthernet0/0/4]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1-GigabitEthernet0/0/4]quit
[SW1]interface g0/0/14
[SW1-GigabitEthernet0/0/14]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1-GigabitEthernet0/0/14]quit
[SW2]interface eth-trunk 1
[SW2-Eth-Trunk1]port link-type trunk
[SW2-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW2-Eth-Trunk1]quit
[SW2]interface g0/0/4
[SW2-GigabitEthernet0/0/4]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2-GigabitEthernet0/0/4]quit
[SW2]interface g0/0/14
[SW2-GigabitEthernet0/0/14]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2-GigabitEthernet0/0/14]quit
- SW3
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW3
[SW3]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW3]interface g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW3-GigabitEthernet0/0/1]quit
[SW3]interface e0/0/3
[SW3-Ethernet0/0/3]port link-type access
[SW3-Ethernet0/0/3]port default vlan 50
[SW3-Ethernet0/0/3]quit
- Configure the headquarters spanning tree:
- SW3
[SW3]stp enable
[SW3]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
//Huawei enables MSTP by default. I will cover its application in other network projects later on.
- SW4
[SW4]stp enable
[SW4]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]interface g0/0/2
[SW4-GigabitEthernet0/0/2]stp edged-port enable
//Configure the port as an edge port: it does not actively send BPDUs, does not take part in spanning-tree calculation and simply stays in the forwarding state,
//so the access-layer switch ports that connect to terminals are the best candidates for edge ports.
[SW4-GigabitEthernet0/0/2]quit
[SW4]stp bpdu-protection
//Enable BPDU protection, which prevents an attacker from forging BPDUs and turning an edge port into a non-edge port.
- SW5
[SW5]stp enable
[SW5]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW5]interface g0/0/2
[SW5-GigabitEthernet0/0/2]stp edged-port enable
[SW5-GigabitEthernet0/0/2]quit
[SW5]stp bpdu-protection
- SW6
[SW6]stp enable
[SW6]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW6]interface g0/0/2
[SW6-GigabitEthernet0/0/2]stp edged-port enable
[SW6-GigabitEthernet0/0/2]quit
[SW6]stp bpdu-protection
- SW7
[SW7]stp enable
[SW7]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW7]interface g0/0/2
[SW7-GigabitEthernet0/0/2]stp edged-port enable
[SW7-GigabitEthernet0/0/2]quit
[SW7]stp bpdu-protection
- SW1
[SW1]stp enable
[SW1]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]stp priority 4096
//Configure SW1 as the root bridge. Some students set the priority straight to 0; that is also forbidden in production.
//Think about it: what do you do when you later need to move the root bridge to another switch?
- SW2
[SW2]stp enable
[SW2]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
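The three policy points made in the comments above (trunks carry an explicit VLAN list rather than "all" or "2 to 4094", terminal-facing access ports are edge ports backed by BPDU protection, and the root bridge does not use priority 0) can be checked mechanically before a configuration goes live. The script below is an added example, not code from this post or from any Huawei tool: it parses CLI transcript lines in the same prompt style as this post and reports violations. The sample transcript, the device name SWX and the approved VLAN set are constructed for the example.

```python
import re

# Constructed sample transcript in the same prompt style as this post (not the
# post's own configuration): SW4 follows the rules, SWX breaks several of them.
SAMPLE_TRANSCRIPT = """\
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30 40 50 300
[SW4]interface e0/0/1
[SW4-Ethernet0/0/1]port link-type trunk
[SW4-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW4]interface e0/0/2
[SW4-Ethernet0/0/2]port link-type access
[SW4-Ethernet0/0/2]port default vlan 10
[SW4-Ethernet0/0/2]stp edged-port enable
[SW4]stp bpdu-protection
[SW4]stp priority 4096
[Huawei]sysname SWX
[SWX]interface g0/0/1
[SWX-GigabitEthernet0/0/1]port link-type trunk
[SWX-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 4094
[SWX]interface g0/0/2
[SWX-GigabitEthernet0/0/2]port link-type trunk
[SWX-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SWX]interface e0/0/5
[SWX-Ethernet0/0/5]port link-type access
[SWX-Ethernet0/0/5]port default vlan 20
[SWX]stp priority 0
"""

# VLANs a headquarters trunk may carry, taken from the topology description.
APPROVED_VLANS = {10, 20, 30, 40, 50, 300, 11, 12}

# '[SW4-Ethernet0/0/1]port link-type trunk' -> dev=SW4, ctx=Ethernet0/0/1, cmd=...
PROMPT_RE = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\](?P<cmd>.*)$")


def expand_vlan_list(spec):
    """Expand a VRP VLAN list such as '10 20 30 to 40' into a set; 'all' returns None."""
    if spec.strip() == "all":
        return None
    tokens = spec.split()
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def lint_transcript(text, approved=APPROVED_VLANS):
    """Return (device, finding) tuples for trunk, edge-port and root-priority violations."""
    findings = []
    edge_ports = {}         # device -> interfaces with 'stp edged-port enable'
    access_ports = {}       # device -> interfaces with 'port default vlan'
    bpdu_protection = set() # devices with 'stp bpdu-protection'
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m or m.group("dev") == "Huawei":
            continue  # not a config line, or still the factory prompt before sysname
        dev, ctx, cmd = m.group("dev"), m.group("ctx"), m.group("cmd").strip()
        trunk = re.match(r"port trunk allow-pass vlan (.+)", cmd)
        if trunk:
            allowed = expand_vlan_list(trunk.group(1))
            if allowed is None or not allowed <= approved:
                findings.append((dev, f"{ctx}: trunk allows VLANs outside the approved set ({trunk.group(1)})"))
        elif cmd.startswith("port default vlan "):
            access_ports.setdefault(dev, set()).add(ctx)
        elif cmd == "stp edged-port enable":
            edge_ports.setdefault(dev, set()).add(ctx)
        elif cmd == "stp bpdu-protection":
            bpdu_protection.add(dev)
        elif cmd == "stp priority 0":
            findings.append((dev, "stp priority 0 leaves no room to move the root bridge later"))
    for dev, ports in access_ports.items():
        for port in sorted(ports - edge_ports.get(dev, set())):
            findings.append((dev, f"{port}: terminal-facing access port is not an edge port"))
        if edge_ports.get(dev) and dev not in bpdu_protection:
            findings.append((dev, "edge ports configured but stp bpdu-protection is missing"))
    return findings


if __name__ == "__main__":
    for dev, finding in lint_transcript(SAMPLE_TRANSCRIPT):
        print(f"{dev}: {finding}")
```

Run against the sample, SW4 produces no findings while SWX is reported four times (two trunks, the missing edge port and the priority 0). Feeding it a `display current-configuration` dump instead of a transcript only requires a different prompt regex; the checks themselves stay the same.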
2.2 Configure headquarters DHCP
- SW1
[SW1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW1]interface vlanif 10
[SW1-Vlanif10]ip address 10.1.10.1 24
[SW1-Vlanif10]dhcp select interface
[SW1-Vlanif10]quit
[SW1]interface vlanif 20
[SW1-Vlanif20]ip address 10.1.20.1 24
[SW1-Vlanif20]dhcp select interface
[SW1-Vlanif20]quit
- SW2
[SW2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW2]dhcp snooping enable
[SW2]interface vlanif 30
[SW2-Vlanif30]ip address 10.1.30.1 24
[SW2-Vlanif30]dhcp select interface
[SW2-Vlanif30]quit
[SW2]interface vlanif 40
[SW2-Vlanif40]ip address 10.1.40.1 24
[SW2-Vlanif40]dhcp select interface
[SW2-Vlanif40]quit
[SW2]interface vlanif 50
[SW2-Vlanif50]ip address 10.1.50.1 24
[SW2-Vlanif50]quit
At this point the clients under headquarters can already obtain IP addresses (figure):
2.3 Implement master/backup load sharing in the outbound direction at the aggregation layer: configure the headquarters outbound direction
- SW1 uplink interface configuration
[SW1]interface g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]quit
[SW1]interface g0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 11
[SW1-GigabitEthernet0/0/5]quit
[SW1]interface vlanif 11
[SW1-Vlanif11]ip address 10.1.11.1 24
[SW1-Vlanif11]quit
- SW2 uplink interface configuration
[SW2]interface g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 12
[SW2-GigabitEthernet0/0/1]quit
[SW2]interface g0/0/5
[SW2-GigabitEthernet0/0/5]port link-type access
[SW2-GigabitEthernet0/0/5]port default vlan 12
[SW2-GigabitEthernet0/0/5]quit
[SW2]interface vlanif 12
[SW2-Vlanif12]ip address 10.1.12.1 24
[SW2-Vlanif12]quit
- Router R1 VRRP downlink interface configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.1.11.11 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface g0/0/2
[R1-GigabitEthernet0/0/2]ip address 10.1.12.11 24
[R1-GigabitEthernet0/0/2]quit
- Router R2 VRRP downlink interface configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R2
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.1.12.12 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface g0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.1.11.12 24
[R2-GigabitEthernet0/0/2]quit
- Configure R1 as the master router for VRRP 11 and the backup router for VRRP 12
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 11 virtual-ip 10.1.11.10
//The VIP must be in the same network segment as the router's downlink interface IP
[R1-GigabitEthernet0/0/0]vrrp vrid 11 priority 120
//The default priority is 100; the higher priority becomes Master
[R1-GigabitEthernet0/0/0]vrrp vrid 11 preempt-mode timer delay 3
//Preemption delay, default 0 seconds. A Backup device can keep the default of 0, meaning immediate preemption,
//but the Master should normally use a non-zero value to avoid frequent VRRP state flapping caused by occasional network instability.
[R1-GigabitEthernet0/0/0]quit
[R1]interface g0/0/2
[R1-GigabitEthernet0/0/2]vrrp vrid 12 virtual-ip 10.1.12.10
[R1-GigabitEthernet0/0/2]quit
- Configure R2 as the backup router for VRRP 11 and the master router for VRRP 12
[R2]interface g0/0/2
[R2-GigabitEthernet0/0/2]vrrp vrid 11 virtual-ip 10.1.11.10
[R2-GigabitEthernet0/0/2]quit
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 12 virtual-ip 10.1.12.10
[R2-GigabitEthernet0/0/0]vrrp vrid 12 priority 120
[R2-GigabitEthernet0/0/0]vrrp vrid 12 preempt-mode timer delay 3
[R2-GigabitEthernet0/0/0]quit
Now check the master/backup state of VRRP 11 and VRRP 12 on R1 and R2 (figure):
2.4 Implement master/backup for the inbound direction from the Internet to headquarters: configure the Internet-to-headquarters inbound VRRP
- Configure the R1 uplink interface
[R1]interface g0/0/3
[R1-GigabitEthernet0/0/3]ip address 8.1.1.9 24
[R1-GigabitEthernet0/0/3]quit
- Configure the R2 uplink interface
[R2]interface g0/0/3
[R2-GigabitEthernet0/0/3]ip address 8.1.1.10 24
[R2-GigabitEthernet0/0/3]quit
- Configure the Internet router interface that connects to R1 and R2
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname Internet
[Internet]interface g0/0/1
[Internet-GigabitEthernet0/0/1]ip address 8.1.1.1 24
[Internet-GigabitEthernet0/0/1]quit
- Configure R1 as the master router for VRRP 8
[R1]interface g0/0/3
[R1-GigabitEthernet0/0/3]vrrp vrid 8 virtual-ip 8.1.1.2
[R1-GigabitEthernet0/0/3]vrrp vrid 8 priority 120
[R1-GigabitEthernet0/0/3]vrrp vrid 8 preempt-mode timer delay 3
[R1-GigabitEthernet0/0/3]quit
- Configure R2 as the backup router for VRRP 8
[R2]interface g0/0/3
[R2-GigabitEthernet0/0/3]vrrp vrid 8 virtual-ip 8.1.1.2
[R2-GigabitEthernet0/0/3]quit
Check the VRRP 8 state on R1 and R2 (figure)
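The election rules used in sections 2.3 and 2.4 (priority 120 against the default 100, VIP on the same segment as the downlink interface, and a 3 second preemption delay on the Master) can be traced with the small Python model below. It is an added example, not code from this post or from Huawei VRP: it models priority, the IP tie-break and the preemption delay only, not the advertisement and Master_Down timers, and the outage timeline in `run_vrid11_scenario` is constructed. Addresses and priorities are the ones configured above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_interface
from typing import List, Optional


@dataclass
class VrrpMember:
    router: str
    ip: str                 # real interface IP on the shared segment
    priority: int = 100     # VRP default priority
    preempt_delay: int = 0  # seconds; VRP default 0 means preempt immediately
    up: bool = True
    up_since: int = 0       # simulated time at which the interface last came up


@dataclass
class VrrpGroup:
    vrid: int
    virtual_ip: str
    members: List[VrrpMember] = field(default_factory=list)
    master: Optional[str] = None

    @staticmethod
    def _rank(m):
        # Higher priority wins; equal priorities are broken by the higher interface IP.
        return (m.priority, int(IPv4Address(m.ip)))

    def elect(self, now):
        """Return the Master after applying the election rules at simulated time `now`."""
        alive = [m for m in self.members if m.up]
        if not alive:
            self.master = None
            return None
        best = max(alive, key=self._rank)
        current = next((m for m in alive if m.router == self.master), None)
        if current is None:
            # No live Master: the best backup takes over; no preemption delay applies.
            self.master = best.router
        elif best is not current and now - best.up_since >= best.preempt_delay:
            # A higher-ranked router is back and its preemption delay has elapsed.
            self.master = best.router
        return self.master


def set_state(group, router, up, now):
    """Mark a member interface up or down at time `now`."""
    for m in group.members:
        if m.router == router:
            m.up = up
            if up:
                m.up_since = now


def vip_on_segment(member_ip, prefixlen, virtual_ip):
    """The rule from the post: the VIP must lie in the downlink interface's segment."""
    return IPv4Address(virtual_ip) in ip_interface(f"{member_ip}/{prefixlen}").network


def page_groups():
    """The three groups configured in the post, elected at time 0."""
    groups = [
        VrrpGroup(11, "10.1.11.10", [VrrpMember("R1", "10.1.11.11", 120, 3), VrrpMember("R2", "10.1.11.12")]),
        VrrpGroup(12, "10.1.12.10", [VrrpMember("R1", "10.1.12.11"), VrrpMember("R2", "10.1.12.12", 120, 3)]),
        VrrpGroup(8, "8.1.1.2", [VrrpMember("R1", "8.1.1.9", 120, 3), VrrpMember("R2", "8.1.1.10")]),
    ]
    return {g.vrid: g.elect(0) for g in groups}


def run_vrid11_scenario():
    """Constructed outage on VRRP 11: R1 fails at t=10 and returns at t=20."""
    g = VrrpGroup(11, "10.1.11.10", [
        VrrpMember("R1", "10.1.11.11", priority=120, preempt_delay=3),
        VrrpMember("R2", "10.1.11.12"),
    ])
    timeline = [(0, g.elect(0))]          # both up: R1 wins on priority
    set_state(g, "R1", False, 10)
    timeline.append((10, g.elect(10)))    # R1 down: R2 takes over
    set_state(g, "R1", True, 20)
    timeline.append((21, g.elect(21)))    # R1 back for 1 s: delay not elapsed, R2 stays
    timeline.append((23, g.elect(23)))    # 3 s elapsed: R1 preempts
    return timeline


if __name__ == "__main__":
    print(page_groups())
    print(run_vrid11_scenario())
```

The timeline shows why the post sets the delay only on the Master: a flapping R1 that is down at t=10 and up again at t=20 does not snatch the role back until it has been stable for the configured 3 seconds, while R2 as Backup takes over instantly when R1 disappears.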
2.5 Implement headquarters internal connectivity: configure headquarters OSPF
- Configure the R1 interface that connects to the headquarters border router
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.1.9 24
[R1-GigabitEthernet0/0/1]quit
- Configure the R2 interface that connects to the headquarters border router
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.23.1.9 24
[R2-GigabitEthernet0/0/1]quit
- Configure the headquarters border router interfaces that connect to R1 and R2
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname ZB
[ZB]interface g0/0/1
[ZB-GigabitEthernet0/0/1]ip address 10.12.1.10 24
[ZB-GigabitEthernet0/0/1]quit
[ZB]interface g0/0/2
[ZB-GigabitEthernet0/0/2]ip address 10.23.1.10 24
[ZB-GigabitEthernet0/0/2]quit
- SW1 advertises its network segments
[SW1]ospf 1 router-id 10.1.11.1
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.1.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 10.1.11.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]quit
[SW1-ospf-1]quit
- SW2 advertises its network segments
[SW2]ospf 1 router-id 10.1.12.1
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 10.1.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 10.1.40.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 10.1.50.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]quit
[SW2-ospf-1]quit
- R1 advertises its network segments
[R1]interface loopback 0
[R1-LoopBack0]ip address 192.168.1.3 24
//Configure the Loopback interface IP, used as the OSPF Router ID
[R1-LoopBack0]quit
[R1]ospf 1 router-id 192.168.1.3
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.1.11.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.12.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.1.3 0.0.0.0
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
- R2 advertises its network segments
[R2]interface loopback 0
[R2-LoopBack0]ip address 192.168.1.4 24
[R2-LoopBack0]quit
[R2]ospf 1 router-id 192.168.1.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.1.11.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.23.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.1.4 0.0.0.0
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
//Think about it: why do R1 and R2 not advertise the segment that connects to the Internet?
- ZB advertises its network segments
[ZB]interface loopback 0
[ZB-LoopBack0]ip address 192.168.1.12 24
[ZB-LoopBack0]quit
[ZB]ospf 1 router-id 192.168.1.12
[ZB-ospf-1]area 0
[ZB-ospf-1-area-0.0.0.0]network 10.12.1.0 0.0.0.255
[ZB-ospf-1-area-0.0.0.0]network 10.23.1.0 0.0.0.255
[ZB-ospf-1-area-0.0.0.0]network 192.168.1.12 0.0.0.0
[ZB-ospf-1-area-0.0.0.0]quit
[ZB-ospf-1]quit
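The `network` statements above decide, interface by interface, where OSPF runs: an interface whose address falls inside a statement's network under the wildcard mask is enabled for OSPF and its segment is advertised. The script below is an added example, not code from the post or from VRP, that applies R1's statements to R1's interface addresses exactly as configured in this section; only the 32-bit wildcard match is modelled, not adjacency formation or LSAs.

```python
from ipaddress import IPv4Address


def wildcard_match(ip, network, wildcard):
    """True if `ip` falls inside `network` under a wildcard mask (1 bits mean 'don't care')."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))  # bits the statement actually compares
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(network)) & care)


# R1's interface addresses as configured in this post.
R1_INTERFACES = {
    "GigabitEthernet0/0/0": "10.1.11.11",
    "GigabitEthernet0/0/2": "10.1.12.11",
    "GigabitEthernet0/0/1": "10.12.1.9",
    "GigabitEthernet0/0/3": "8.1.1.9",
    "LoopBack0": "192.168.1.3",
}

# R1's 'network' statements in area 0 as configured in this post.
R1_NETWORKS = [
    ("10.1.11.0", "0.0.0.255"),
    ("10.1.12.0", "0.0.0.255"),
    ("10.12.1.0", "0.0.0.255"),
    ("192.168.1.3", "0.0.0.0"),
]


def ospf_enabled_interfaces(interfaces, statements):
    """Map each interface to the first matching 'network' statement, or None if no match."""
    result = {}
    for name, ip in interfaces.items():
        result[name] = next(
            (f"network {net} {wc}" for net, wc in statements if wildcard_match(ip, net, wc)),
            None,
        )
    return result


def unmatched_interfaces(interfaces, statements):
    """Interfaces on which OSPF will not run because no statement covers them."""
    enabled = ospf_enabled_interfaces(interfaces, statements)
    return sorted(name for name, hit in enabled.items() if hit is None)


if __name__ == "__main__":
    for name, hit in ospf_enabled_interfaces(R1_INTERFACES, R1_NETWORKS).items():
        print(f"{name:22s} {R1_INTERFACES[name]:14s} -> {hit or 'no OSPF'}")
```

The output lists GigabitEthernet0/0/3 (8.1.1.9) as the only interface without a match, so no hello packets leave R1 toward the Internet router and 8.1.1.0/24 is not carried in the area; the 0.0.0.0 wildcard on the loopback statement matches that single address only, which is why R2's 192.168.1.4 needs its own statement.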
- Test headquarters internal connectivity
View the ZB routing table (figure)
2.6 Implement connectivity between the factory and headquarters
- SW10 Layer 2 interface configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW10
[SW10]vlan batch 5 6
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW10]interface g0/0/1
[SW10-GigabitEthernet0/0/1]port link-type trunk
[SW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 5 6
[SW10-GigabitEthernet0/0/1]quit
[SW10]interface g0/0/2
[SW10-GigabitEthernet0/0/2]port link-type access
[SW10-GigabitEthernet0/0/2]port default vlan 5
[SW10-GigabitEthernet0/0/2]quit
[SW10]interface g0/0/3
[SW10-GigabitEthernet0/0/3]port link-type access
[SW10-GigabitEthernet0/0/3]port default vlan 6
[SW10-GigabitEthernet0/0/3]quit
- Router GC router-on-a-stick configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname GC
[GC]interface g0/0/1.5
[GC-GigabitEthernet0/0/1.5]dot1q termination vid 5
[GC-GigabitEthernet0/0/1.5]ip address 10.2.5.1 24
[GC-GigabitEthernet0/0/1.5]arp broadcast enable
//Enable the ARP broadcast function on the sub-interface so that IP packets can be forwarded normally
[GC-GigabitEthernet0/0/1.5]quit
[GC]interface g0/0/1.6
[GC-GigabitEthernet0/0/1.6]dot1q termination vid 6
[GC-GigabitEthernet0/0/1.6]ip address 10.2.6.1 24
[GC-GigabitEthernet0/0/1.6]arp broadcast enable
[GC-GigabitEthernet0/0/1.6]quit
- Test factory internal communication
Configure the PPP link between headquarters and the factory:
- Configure the GC serial port IP and link protocol
[GC]interface s0/0/0
[GC-Serial0/0/0]ip address 22.2.2.2 24
[GC-Serial0/0/0]link-protocol ppp
[GC-Serial0/0/0]quit
- Configure the ZB serial port IP and link protocol
[ZB]interface s0/0/0
[ZB-Serial0/0/0]ip address 22.2.2.1 24
[ZB-Serial0/0/0]link-protocol ppp
[ZB-Serial0/0/0]quit
- Configure ZB as the authenticator
[ZB]interface s0/0/0
[ZB-Serial0/0/0]ppp authentication-mode chap
[ZB-Serial0/0/0]quit
[ZB]aaa
[ZB-aaa]local-user chap-gc password cipher gc123456
Info: Add a new user.
[ZB-aaa]local-user chap-gc service-type ppp
[ZB-aaa]quit
[ZB]interface s0/0/0
[ZB-Serial0/0/0]shutdown
[ZB-Serial0/0/0]undo shutdown
[ZB-Serial0/0/0]quit
- Configure GC as the authenticated peer
[GC]interface s0/0/0
[GC-Serial0/0/0]ppp chap user chap-gc
[GC-Serial0/0/0]ppp chap password cipher gc123456
[GC-Serial0/0/0]quit
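The CHAP setup just configured (ZB as authenticator with the local user chap-gc, GC answering with `ppp chap user` and `ppp chap password`) can be traced with the following added Python model of the RFC 1994 challenge/response exchange. It is example code, not from the post or from Huawei VRP; it uses the post's user name and password as the shared secret, and the challenge source is injectable so the exchange can be replayed deterministically.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Models the ZB side: 'ppp authentication-mode chap' plus the aaa local-user table."""

    def __init__(self, users):
        self.users = users          # name -> cleartext secret (VRP stores it as 'cipher')
        self.identifier = 0

    def challenge(self, rng=os.urandom):
        """Send a fresh Identifier and random Challenge to the peer."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, rng(16)

    def verify(self, identifier, challenge, name, response):
        """Recompute the expected hash from the stored secret and compare in constant time."""
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Models the GC side: 'ppp chap user chap-gc' and 'ppp chap password cipher ...'."""

    def __init__(self, name, password):
        self.name, self.password = name, password

    def answer(self, identifier, challenge):
        """Return (Name, Response); the password itself never leaves the peer."""
        return self.name, chap_response(identifier, self.password, challenge)


def run_chap_exchange(peer_password, rng=os.urandom):
    """Full exchange between ZB and GC; True when ZB accepts the peer."""
    zb = ChapAuthenticator({"chap-gc": "gc123456"})   # local-user chap-gc from the post
    gc = ChapPeer("chap-gc", peer_password)
    ident, chal = zb.challenge(rng)
    name, resp = gc.answer(ident, chal)
    return zb.verify(ident, chal, name, resp)


if __name__ == "__main__":
    print("correct password accepted:", run_chap_exchange("gc123456"))
    print("wrong password accepted:  ", run_chap_exchange("wrong-secret"))
```

Running it shows the password is only ever hashed together with the per-session challenge, which is why CHAP is preferred over PAP on the serial link even though both sides still need the cleartext secret in their configuration. The `shutdown`/`undo shutdown` on ZB above simply restarts LCP so that the new authentication mode is negotiated.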
Configure factory OSPF (Area 1)
- The ZB router advertises its network segments
[ZB]ospf 1 router-id 192.168.1.12
[ZB-ospf-1]area 1
[ZB-ospf-1-area-0.0.0.1]network 22.2.2.0 0.0.0.255
[ZB-ospf-1-area-0.0.0.1]quit
[ZB-ospf-1]quit
- The GC router advertises its network segments
[GC]ospf 1 router-id 192.168.1.11
[GC-ospf-1]area 1
[GC-ospf-1-area-0.0.0.1]network 10.2.5.0 0.0.0.255
[GC-ospf-1-area-0.0.0.1]network 10.2.6.0 0.0.0.255
[GC-ospf-1-area-0.0.0.1]network 22.2.2.0 0.0.0.255
[GC-ospf-1-area-0.0.0.1]quit
[GC-ospf-1]quit
- Test connectivity between headquarters and the factory
2.7 Implement connectivity between headquarters and the Internet
- Configure the Internet router's G0/0/2 interface
[Internet]interface g0/0/2
[Internet-GigabitEthernet0/0/2]ip address 100.1.1.1 24
[Internet-GigabitEthernet0/0/2]quit
- Configure the route from the Internet router to the headquarters internal network
[Internet]ip route-static 10.1.0.0 255.255.0.0 8.1.1.2
- Configure the route from R1 to the Internet
[R1]ip route-static 0.0.0.0 0.0.0.0 8.1.1.1
[R1]ospf 1
[R1-ospf-1]default-route-advertise type 1 //advertise the static default route into OSPF
[R1-ospf-1]quit
- Configure the route from R2 to the Internet
[R2]ip route-static 0.0.0.0 0.0.0.0 8.1.1.1
[R2]ospf 1
[R2-ospf-1]default-route-advertise type 1
[R2-ospf-1]quit
- Test connectivity from the headquarters internal network to the Internet
2.8 Implement remote management of the network devices
Taking remote management of switch SW1 as an example:
- Configure the management IP (vlanif 300)
[SW1]interface vlanif 300
[SW1-Vlanif300]ip address 192.168.1.1 24
[SW1-Vlanif300]quit
- Configure user authentication and telnet
[SW1]aaa
[SW1-aaa]local-user TeacherFu privilege level 3 password cipher Aa123456
Info: Add a new user.
[SW1-aaa]local-user TeacherFu service-type telnet
[SW1-aaa]quit
[SW1]user-interface vty 0 4
[SW1-ui-vty0-4]authentication-mode aaa
[SW1-ui-vty0-4]protocol inbound telnet
[SW1-ui-vty0-4]quit
- Remote test
[SW2]interface vlanif 300
[SW2-Vlanif300]ip address 192.168.1.2 24
//First configure an IP address in the management network segment
[SW2-Vlanif300]quit
2.9 Deny the factory exhibition hall access to the headquarters server area: configure ACL access control
- Before the configuration, access works (figure):
- Configure the ACL on router GC
[GC]acl 3000
[GC-acl-adv-3000]rule 5 deny ip source 10.2.5.0 0.0.0.255 destination 10.1.50.0 0.0.0.255
[GC-acl-adv-3000]rule 10 permit ip source any destination any
[GC-acl-adv-3000]quit
[GC]interface g0/0/1.5
[GC-GigabitEthernet0/0/1.5]traffic-filter inbound acl 3000
//Applying the ACL in the inbound direction is more efficient
[GC-GigabitEthernet0/0/1.5]quit
If device limitations mean this router cannot apply an ACL on the interface, configuring it on LSW10 instead gives the same result:
- Try again after the configuration (figure):
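Before an ACL like 3000 is applied it is worth checking on paper what it will and will not block. The evaluator below is an added example, not code from the post or from the device: it walks the rules in ascending rule number with first-match semantics, as `traffic-filter` does, and assumes the platform's default of permitting traffic that matches no rule (the post's explicit `rule 10 permit` makes that default irrelevant here). The flows are constructed sample addresses inside the post's subnets.

```python
from ipaddress import IPv4Address


def _in_range(ip, network, wildcard):
    """Wildcard match as used by VRP ACL rules (1 bits in the wildcard are ignored)."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(network)) & care)


def _match(ip, spec):
    network, wildcard = spec
    return network == "any" or _in_range(ip, network, wildcard)


# ACL 3000 as configured on router GC in the post: (rule number, action, source, destination).
ACL_3000 = [
    (5, "deny", ("10.2.5.0", "0.0.0.255"), ("10.1.50.0", "0.0.0.255")),
    (10, "permit", ("any", None), ("any", None)),
]

# Constructed sample flows: exhibition hall (VLAN 5) and VLAN 6 hosts toward
# the headquarters server area (10.1.50.0/24) and an office VLAN (10.1.10.0/24).
SAMPLE_FLOWS = [
    ("10.2.5.20", "10.1.50.10"),
    ("10.2.6.20", "10.1.50.10"),
    ("10.2.5.20", "10.1.10.10"),
]


def filter_packet(acl, src, dst, default="permit"):
    """Return (action, rule number) for the first rule matching src/dst, or (default, None).

    `default` is the assumed traffic-filter behaviour when no rule matches."""
    for number, action, src_spec, dst_spec in sorted(acl, key=lambda r: r[0]):
        if _match(src, src_spec) and _match(dst, dst_spec):
            return action, number
    return default, None


def evaluate_flows(acl, flows):
    """Map each (src, dst) pair to the action the ACL takes on it."""
    return {(src, dst): filter_packet(acl, src, dst)[0] for src, dst in flows}


if __name__ == "__main__":
    for (src, dst), action in evaluate_flows(ACL_3000, SAMPLE_FLOWS).items():
        print(f"{src:12s} -> {dst:12s} : {action}")
```

Only the VLAN 5 to server-area flow is dropped; VLAN 6 hosts and VLAN 5 traffic to the office VLANs still pass, which is exactly the scope stated in the section title. Applying the filter inbound on g0/0/1.5 also means the deny rule is evaluated only on traffic that actually originates in VLAN 5, so rule order and placement together determine the real effect.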