
Network Engineering Design - eNSP
Lab topology
Requirement: the branch must reach the HQ internal server over an MPLS VPN leased line, and an IPsec VPN over the Internet is deployed as a redundant backup for that line.
Notes: none.
1. Eth-Trunk
SW1================================
system-view
sysname SW1
int Eth-Trunk 1
mode lacp-static
trunkport GigabitEthernet0/0/23
trunkport GigabitEthernet0/0/24
SW2================================
system-view
sysname SW2
int Eth-Trunk 1
mode lacp-static
trunkport GigabitEthernet0/0/23
trunkport GigabitEthernet0/0/24
dis eth-trunk 1 # check the aggregation: the trunk is up once the member ports show Selected
2. VLANs and port types
SW1 ================================
vlan batch 10 20 30 254 78 127
int GigabitEthernet 0/0/1
port link-type access
port default vlan 127
int GigabitEthernet 0/0/10
port link-type trunk
port trunk allow-pass vlan 78 20
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 78 254
port-group group-member GigabitEthernet 0/0/11 to g0/0/13
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
SW2 ================================
vlan batch 10 20 30 254 78 138
int GigabitEthernet 0/0/1
port link-type access
port default vlan 138
int GigabitEthernet 0/0/10
port link-type trunk
port trunk allow-pass vlan 78 20
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 78 254
port-group group-member GigabitEthernet 0/0/11 to g0/0/13
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
Acc1 ================================
system-view
sysname Acc1
vlan batch 10 20 30 254
port-group group-member g0/0/1 g0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
port-group group-member Ethernet 0/0/1 Ethernet 0/0/2
port link-type access
port default vlan 10
Acc2 ================================
system-view
sysname Acc2
vlan batch 10 20 30 254
port-group group-member g0/0/1 g0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
port-group group-member Ethernet 0/0/1 Ethernet 0/0/2
port link-type hybrid
port hybrid pvid vlan 254
port hybrid untagged vlan 254
Acc3 ================================
system-view
sysname Acc3
vlan batch 10 20 30 254
port-group group-member g0/0/1 g0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
int Ethernet0/0/1
port link-type access
port default vlan 30
3. MSTP multi-instance and optimisation
SW1/2 Acc1/2/3 ================================
stp region-configuration
region-name mst
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 30
active region-configuration
SW1 ================================
stp instance 1 root primary
stp instance 2 root secondary
SW2 ================================
stp instance 1 root secondary
stp instance 2 root primary
# Internal network security and optimisation
Acc1/2/3 ================================
# Disable edge port on the uplinks, then make edge port the default on every other port
port-group group-member g0/0/1 g0/0/2
stp edged-port disable
quit
stp edged-port default
# Enable loop protection on every port that connects to another switch
port-group group-member g0/0/1 g0/0/2
stp loop-protection
SW1/2 ================================
port-group group-member g0/0/11 to g0/0/13
stp loop-protection
Acc1 ================================
# Enable BPDU protection on the user-facing edge ports; error-down ports recover automatically after five minutes
stp bpdu-protection
error-down auto-recovery cause bpdu-protection interval 300
Acc3 ================================
# Root protection is recommended on the port facing the server
int e0/0/1
stp root-protection
4. VRRP
SW1 ================================
interface Vlanif10
ip address 10.1.10.7 24
vrrp vrid 1 virtual-ip 10.1.10.254
vrrp vrid 1 priority 101
vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 5
interface Vlanif20
ip address 10.1.20.7 24
vrrp vrid 2 virtual-ip 10.1.20.254
vrrp vrid 2 priority 101
vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 5
interface Vlanif30
ip address 10.1.30.7 24
vrrp vrid 3 virtual-ip 10.1.30.254
vrrp vrid 3 priority 99
SW2 ================================
interface Vlanif10
ip address 10.1.10.8 24
vrrp vrid 1 virtual-ip 10.1.10.254
interface Vlanif20
ip address 10.1.20.8 24
vrrp vrid 2 virtual-ip 10.1.20.254
interface Vlanif30
ip address 10.1.30.8 24
vrrp vrid 3 virtual-ip 10.1.30.254
vrrp vrid 3 track interface GigabitEthernet0/0/1 reduced 5
# Check VRRP state
dis vrrp brief
# SW1 should show Master, Master, Backup; SW2 should show Backup, Backup, Master
5. DHCP redundancy
AP1/2 ================================
interface Vlanif1
shutdown
SW1 ================================
dhcp enable
interface Vlanif254
ip address 10.1.254.7 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.254.128 10.1.254.254
dhcp server option 43 sub-option 2 ip-address 10.1.78.10 10.1.78.20
ip pool dhcp_pool
gateway-list 10.1.20.254
network 10.1.20.0 mask 24
excluded-ip-address 10.1.20.128 10.1.20.253
interface Vlanif20
dhcp select global
SW2 ================================
dhcp enable
interface Vlanif254
ip address 10.1.254.8 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.254.1 10.1.254.7
dhcp server excluded-ip-address 10.1.254.9 10.1.254.127
dhcp server option 43 sub-option 2 ip-address 10.1.78.10 10.1.78.20
ip pool dhcp_pool
gateway-list 10.1.20.254
network 10.1.20.0 mask 24
excluded-ip-address 10.1.20.1 10.1.20.7
excluded-ip-address 10.1.20.9 10.1.20.127
interface Vlanif20
dhcp select global
AP1/2 ================================
interface Vlanif1
undo shutdown
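A split-scope pair like SW1/SW2 above only works if the two servers can never lease the same address and never lease an address that belongs to a switch SVI or the gateway. The check below is an added example, not part of the original page: it recomputes each server's assignable set from the pools as configured above and reports overlaps and infrastructure addresses that sit inside a pool. The platform's automatic exclusions are modelled as an assumption (the gateway is always reserved; the server's own SVI is reserved only for 'dhcp select interface' pools). On the Vlanif20 global pool it flags 10.1.20.8, which both SW1 (.1 to .127) and SW2 (.8 plus .128 to .253) could lease and which is SW2's own SVI address; whether VRP would really hand it out depends on its conflict detection, so verify rather than assume.

```python
"""Split-scope DHCP consistency check for the SW1/SW2 pools (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class ServerPool:
    """One server's view of a subnet, as configured on the page."""
    server: str
    network: ipaddress.IPv4Network
    gateway: IPv4                 # gateway-list, or the SVI for 'dhcp select interface'
    own_svi: Optional[IPv4]       # assumption: auto-reserved only for interface pools
    excluded: list                # [(first, last), ...] inclusive ranges

    def assignable(self) -> set:
        """Host addresses this server would actually lease."""
        hosts = set(self.network.hosts())
        for first, last in self.excluded:
            hosts -= {h for h in hosts if first <= h <= last}
        hosts.discard(self.gateway)
        if self.own_svi is not None:
            hosts.discard(self.own_svi)
        return hosts


def split_scope_report(a: ServerPool, b: ServerPool, reserved: set) -> dict:
    """Addresses both servers could lease, plus reserved addresses inside either pool."""
    sa, sb = a.assignable(), b.assignable()
    return {
        "overlap": sa & sb,
        "reserved_in_" + a.server: sa & reserved,
        "reserved_in_" + b.server: sb & reserved,
    }


def rng(first: str, last: str):
    return (IPv4(first), IPv4(last))


# Section 5, AP management subnet: 'dhcp select interface' on both SVIs.
VLAN254 = (
    ServerPool("SW1", ipaddress.IPv4Network("10.1.254.0/24"), IPv4("10.1.254.7"),
               IPv4("10.1.254.7"), [rng("10.1.254.128", "10.1.254.254")]),
    ServerPool("SW2", ipaddress.IPv4Network("10.1.254.0/24"), IPv4("10.1.254.8"),
               IPv4("10.1.254.8"), [rng("10.1.254.1", "10.1.254.7"), rng("10.1.254.9", "10.1.254.127")]),
)
# Section 5, user subnet: global pool dhcp_pool with gateway-list 10.1.20.254.
VLAN20 = (
    ServerPool("SW1", ipaddress.IPv4Network("10.1.20.0/24"), IPv4("10.1.20.254"),
               None, [rng("10.1.20.128", "10.1.20.253")]),
    ServerPool("SW2", ipaddress.IPv4Network("10.1.20.0/24"), IPv4("10.1.20.254"),
               None, [rng("10.1.20.1", "10.1.20.7"), rng("10.1.20.9", "10.1.20.127")]),
)


def check_vlan254() -> dict:
    return split_scope_report(*VLAN254, {IPv4("10.1.254.7"), IPv4("10.1.254.8")})


def check_vlan20() -> dict:
    return split_scope_report(*VLAN20, {IPv4("10.1.20.7"), IPv4("10.1.20.8"), IPv4("10.1.20.254")})


if __name__ == "__main__":
    for name, fn in (("Vlanif254", check_vlan254), ("Vlanif20", check_vlan20)):
        print(name, {k: sorted(map(str, v)) for k, v in fn().items()})
```

A cleaner split is to exclude both SVI addresses on both servers and keep the leased ranges disjoint, for example SW1 excluding 10.1.20.1 to 10.1.20.8 and 10.1.20.128 to 10.1.20.253 while SW2 excludes 10.1.20.1 to 10.1.20.127.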
6. WLAN dual-link hot standby (HSB)
SW1 ================================
interface Vlanif78
ip address 10.1.78.7 255.255.255.0
SW2 ================================
interface Vlanif78
ip address 10.1.78.8 255.255.255.0
AC1 ================================
sys
sysna AC1
vl batch 20 78
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 78
interface Vlanif78
ip address 10.1.78.10 24
ip route-static 0.0.0.0 0 10.1.78.7
hsb-service 0
service-ip-port local-ip 10.1.78.10 peer-ip 10.1.78.20 local-data-port 10240 peer-data-port 10240
quit
hsb-service-type ap hsb-service 0
hsb-service-type access-user hsb-service 0
wlan
ac protect priority 1 protect-ac 10.1.78.20
ac protect enable
y
# Wireless configuration
wlan
ap-id 1 ap-mac 00e0-fc8a-1c70
ap-name AREA_1
ap-id 2 ap-mac 00e0-fc99-0f60
ap-name AREA_2
quit
ssid-profile name ssid_pro
ssid h3c
quit
security-profile name sec_pro
security wpa2 psk pass-phrase H3c@123456 aes
y
quit
vap-profile name vap_pro
forward-mode tunnel
service-vlan vlan-id 20
ssid-profile ssid_pro
y
security-profile sec_pro
quit
ap-id 1
vap-profile vap_pro wlan 1 radio 0
vap-profile vap_pro wlan 1 radio 1
ap-id 2
vap-profile vap_pro wlan 1 radio 0
vap-profile vap_pro wlan 1 radio 1
capwap source interface Vlanif 78
AC2 ================================
sys
sysna AC2
vl batch 20 78
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 78
interface Vlanif78
ip address 10.1.78.20 24
ip route-static 0.0.0.0 0 10.1.78.8
hsb-service 0
service-ip-port local-ip 10.1.78.20 peer-ip 10.1.78.10 local-data-port 10240 peer-data-port 10240
quit
hsb-service-type ap hsb-service 0
hsb-service-type access-user hsb-service 0
# Check HSB state and what is being synchronised
dis hsb-service 0
wlan
ac protect priority 5 protect-ac 10.1.78.10
ac protect enable
y
# Check the protect state
dis ac protect
# Adjust the AP MAC addresses to match your lab; dis arp shows them
# Wireless configuration
wlan
ap-id 1 ap-mac 00e0-fc8a-1c70
ap-name AREA_1
ap-id 2 ap-mac 00e0-fc99-0f60
ap-name AREA_2
quit
ssid-profile name ssid_pro
ssid h3c
quit
security-profile name sec_pro
security wpa2 psk pass-phrase H3c@123456 aes
y
quit
vap-profile name vap_pro
forward-mode tunnel
service-vlan vlan-id 20
ssid-profile ssid_pro
y
security-profile sec_pro
quit
ap-id 1
vap-profile vap_pro wlan 1 radio 0
vap-profile vap_pro wlan 1 radio 1
ap-id 2
vap-profile vap_pro wlan 1 radio 0
vap-profile vap_pro wlan 1 radio 1
capwap source interface Vlanif 78
# Show APs that have come online
dis ap all
# Show associated clients
dis station all
# AC1 and AC2 must be kept identical
7. Firewall hot standby (HRP)
FW-1 ================================
sys
sysname FW-1
# Disable the console idle timeout so the lab stops prompting for credentials (lab only; keep a timeout in production)
user-int con 0
id 0 0
firewall zone name Heart
add interface GigabitEthernet1/0/3
int g1/0/3
ip add 10.0.0.12 24
hrp interface g1/0/3 remote 10.0.0.13
hrp enable
# Session backup
hrp mirror session enable
FW-2 ================================
sys
sysname FW-2
user-int con 0
id 0 0
firewall zone name Heart
add interface GigabitEthernet1/0/3
int g1/0/3
ip add 10.0.0.13 24
firewall zone dmz
add int g1/0/2
hrp interface g1/0/3 remote 10.0.0.12
hrp enable
hrp mirror session enable
# Show security zones
dis zone
# Show HRP state
dis hrp state
8. OSPF multi-area
AR1 ================================
sys
sysna AR1
int l0
ip add 10.1.1.1 32
ospf 1
int g0/0/1
ip add 10.1.121.1 24
int g0/0/2
ip add 10.1.131.1 24
ospf 1
a 0
netw 10.1.0.0 0.0.255.255
FW-1 ================================
int g1/0/0
ip add 10.1.121.12 24
int g1/0/2
ip add 10.1.0.12 24
int g1/0/1
ip add 10.1.127.12 24
# Zones only need to be configured on FW-1; HRP synchronises them to FW-2
firewall zone untrust
add int g1/0/0
firewall zone trust
add int g1/0/3
firewall zone dmz
add int g1/0/2
ospf 1
a 0
netw 10.1.0.0 0.0.255.255
FW-2 ================================
int g1/0/0
ip add 10.1.131.13 24
int g1/0/2
ip add 10.1.0.13 24
int g1/0/1
ip add 10.1.138.13 24
ospf 1
a 0
netw 10.1.0.0 0.0.255.255
SW1 ================================
int vl 127
ip add 10.1.127.7 24
ospf 1
a 0
quit
a 1
quit
a 2
int vl 127
ospf en 1 a 0
int vl 10
ospf en 1 a 1
int vl 20
ospf en 1 a 1
int vl 30
ospf en 1 a 1
int vl 78
ospf en 1 a 2
SW2 ================================
int vl 138
ip add 10.1.138.8 24
ospf 1
a 0
quit
a 1
quit
a 2
int vl 138
ospf en 1 a 0
int vl 10
ospf en 1 a 1
int vl 20
ospf en 1 a 1
int vl 30
ospf en 1 a 1
int vl 78
ospf en 1 a 2
9. OSPF features (virtual link, authentication, network type, Type-3 LSA filtering)
SW1 ================================
# Make every interface passive except the inter-device links
ospf 1
silent-interface all
undo silent-interface Vlanif78
undo silent-interface Vlanif127
SW2 ================================
ospf 1
silent-interface all
undo silent-interface Vlanif78
undo silent-interface Vlanif138
FW-1/2 ================================
ospf 1
silent-interface g1/0/2
AR1 FW-1/2 SW1/2================================
# OSPF authentication to harden the internal network
# md5 with a plain key is what the lab uses; where the platform supports it, hmac-sha256 with a cipher key is the stronger choice
ospf 1
a 0
authentication-mode md5 1 plain H3c@123456
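The md5 area authentication above stops casual spoofing but not offline key recovery: RFC 2328 Appendix D computes the digest as MD5 over the packet followed by the 16-byte key, so one captured Hello is enough to test guesses without ever touching a router. The Python below is an added example, not code from the original page. It builds a constructed Hello with the cryptographic-authentication header fields, signs and verifies it, and runs a dictionary attack against the digest that recovers the page's plain key H3c@123456 from a constructed word list. The packet layout follows RFC 2328; zero-padding of keys shorter than 16 bytes is what common implementations do and is assumed here.

```python
"""OSPFv2 cryptographic (MD5) authentication and offline key recovery (added example)."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

KEY_LEN = 16          # the key is used as 16 bytes, zero-padded
AUTYPE_CRYPTO = 2     # AuType 2 = cryptographic authentication


def _ip(dotted: str) -> bytes:
    return bytes(map(int, dotted.split(".")))


def build_hello(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    """Minimal OSPFv2 Hello. The checksum field stays 0: it is not computed for AuType 2.
    The 64-bit authentication field carries 0, Key ID, Auth Data Length, crypto sequence number."""
    body = struct.pack("!4sHBBI4s4s",
                       _ip("255.255.255.0"),   # network mask
                       10, 0x02, 1, 40,        # HelloInterval, Options(E), Rtr Pri, RouterDeadInterval
                       bytes(4), bytes(4))     # DR, BDR (none yet)
    auth = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTO, auth)
    return header + body


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """Digest = MD5(packet || key padded to 16 bytes). It is appended on the wire
    after the packet and is not counted in the OSPF length field."""
    padded = key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def verify(packet: bytes, digest: bytes, key: str) -> bool:
    """What the receiving router does; constant-time compare against the trailer."""
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)


def crack_key(packet: bytes, digest: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker with one captured packet can do: one MD5 per guess, no interaction
    with the routers. This is the argument for long random keys rather than a short plain one."""
    for guess in candidates:
        if ospf_md5_digest(packet, guess) == digest:
            return guess
    return None


# Constructed sample: SW1 (router-id 10.1.7.7 as set later in section 9) sending a Hello in
# area 0 with key id 1, as 'authentication-mode md5 1 plain H3c@123456' would.
SAMPLE_HELLO = build_hello("10.1.7.7", "0.0.0.0", key_id=1, seq=0x5F000001)
SAMPLE_DIGEST = ospf_md5_digest(SAMPLE_HELLO, "H3c@123456")
WORDLIST = ["admin", "huawei", "Huawei@123", "H3c@123456"]   # constructed

if __name__ == "__main__":
    print("hello length:", len(SAMPLE_HELLO), "digest:", SAMPLE_DIGEST.hex())
    print("recovered key:", crack_key(SAMPLE_HELLO, SAMPLE_DIGEST, WORDLIST))
```

The crypto sequence number in the header only defends against replay of a captured packet; it does nothing against recovering the key, so the key strength is the whole defence once the digest is observed.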
# Change the OSPF network type on the AR1/FW-1/FW-2/SW1/SW2 inter-links to p2p to skip DR/BDR election and speed up convergence
SW1 ================================
int vl 78
ospf netw p2p
int vl 127
ospf netw p2p
SW2 ================================
int vl 78
ospf netw p2p
int vl 138
ospf netw p2p
FW-1/2 ================================
int g1/0/0
ospf netw p2p
int g1/0/1
ospf netw p2p
AR1 ================================
int g0/0/1
ospf netw p2p
int g0/0/2
ospf netw p2p
# Shrink the LSDB of the non-backbone area to a minimum
SW1/2 ================================
ospf 1
a 2
stub
stub no-summary
# Type-3 LSA filtering: block all inter-area routes entering area 2, which only carries the AC interconnect
ip ip-prefix deny_all deny 0.0.0.0 0 less-equal 32
ospf 1
a 2
filter ip-prefix deny_all import
# From the topology, if any link between a firewall and the router or a switch fails, area 0 is partitioned
# so a virtual link through area 2 on SW1/SW2 keeps the two possible halves of area 0 logically connected
SW1 ================================
# Set the OSPF router ID by hand first; the change only takes effect after resetting the process from user view
ospf 1 router-id 10.1.7.7
<SW1>reset ospf 1 process
ospf 1
a 2
vlink-peer 10.1.8.8
SW2 ================================
# Set the OSPF router ID by hand first; the change only takes effect after resetting the process from user view
ospf 1 router-id 10.1.8.8
<SW2>reset ospf 1 process
ospf 1
a 2
vlink-peer 10.1.7.7
# Check virtual link state
dis ospf vlink
10. NAPT
internet ================================
sys
sysna internet
int l0
ip add 130.1.2.2 32
int g0/0/0
ip add 136.1.12.2 24
int g0/0/1
ip add 136.1.142.2 24
int e1/0/0
ip add 136.1.2.2 24
R1 ================================
int g0/0/0
ip add 136.1.12.1 24
ip route-static 0.0.0.0 0 136.1.12.2
ospf 1
default-route-advertise
nat address-group 1 136.1.12.16 136.1.12.19
acl number 2000
rule 5 permit source 10.1.10.0 0.0.0.255
rule 10 permit source 10.1.20.0 0.0.0.255
interface GigabitEthernet0/0/0
nat outbound 2000
FW-1 ================================
# Adjust the security policy: permit local to any zone, and permit the internal 10 and 20 user subnets to any zone
security-policy
rule name local->any
source-zone local
action permit
quit
rule name in->out
source-address 10.1.10.0 mask 24
source-address 10.1.20.0 mask 24
action permit
11. SSH
R1 ================================
stelnet server enable
# The page uses a 1024-bit key; 2048 bits or larger is the minimum outside a lab
rsa local-key-pair create
y
1024
aaa
local-user h3c password cipher H3c@123456
local-user h3c service-type ssh
local-user h3c privilege level 15
quit
ssh user h3c authentication-type password
user-int vty 0 4
authentication-mode aaa
protocol inbound ssh
# ACL restricting which subnets may log in remotely
acl 2000 inbound
# Test: SSH from the switch to the router
SW1 ================================
# Because the firewall only lets the 10 and 20 user subnets out,
# before testing set the firewall default policy to permit and remove the ACL filter under user-int vty 0 4
ssh client first-time enable
stelnet 10.1.1.1
# Revert the firewall default policy after the test
12. PPPoE
Home ================================
sys
sysna Home
int g0/0/0
ip add 192.168.1.1 24
int Dialer1
ip address ppp-negotiate
dialer user h3c
dialer bundle 1
ppp chap user h3c
ppp chap password simple H3c@123456
mtu 1492
ppp ipcp default-route
int g0/0/1
pppoe-client dial-bundle-number 1
internet================================
aaa
local-user h3c password cipher H3c@123456
local-user h3c service-type ppp
quit
int Virtual-Template1
ppp authentication-mode chap
remote address 136.1.2.1
int g0/0/1
pppoe-server bind Virtual-Template 1
# Show PPPoE server and client sessions
dis pppoe-server session all
dis pppoe-client session summary
# Then test public connectivity from Home and it is done
13. Easy IP
Home ================================
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
int Dialer1
nat outbound 2000
# Test public connectivity from client1
14. NAT Server and NAT ALG
# First enable the FTP and HTTP services on the public-facing server
AR1 ================================
# Port mapping on the egress router
int g0/0/0
nat server protocol tcp global 136.1.12.10 www inside 10.1.0.10 www
nat server protocol tcp global 136.1.12.10 ftp inside 10.1.0.10 ftp
FW-1 ================================
# Adjust the security policy
security-policy
rule name out->dmz
source-zone untrust
destination-zone dmz
destination-address 10.1.0.10 mask 255.255.255.255
action permit
# The server has two uplinks but only one gateway, so run VRRP on the firewalls
FW-1 ================================
int g1/0/2
vrrp vrid 1 virtual-ip 10.1.0.254 active
FW-2 ================================
int g1/0/2
vrrp vrid 1 virtual-ip 10.1.0.254 standby
# Once done, ping the server from the firewall; a reply means it works
# Then test the service from Client1 on the Internet side
# Browse to http://136.1.12.10 ; the page should show OK
# FTP to the same address fails: FTP uses a separate data channel whose address is carried inside the control connection, so AR1 needs the NAT ALG
AR1 ================================
nat alg ftp enable
# With the ALG on, FTP works
15. Port security
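The FTP failure has a precise cause that is worth seeing in bytes: the endpoint of the data connection travels inside the control channel as h1,h2,h3,h4,p1,p2, which header-only NAT never touches. The Python below is an added example rather than anything from the page. It does what the ALG on AR1 has to do for the 227 reply of the passive-mode server at 10.1.0.10 published as 136.1.12.10: parse the tuple, rewrite it, and produce the data-channel mapping NAT must open before the client connects. The sample control lines are constructed.

```python
"""FTP NAT ALG payload rewrite for PORT commands and 227 replies (added example)."""
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT (RFC 959) and by the 227 Passive Mode reply
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    fields = list(map(int, m.groups()))
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return ip, fields[4] * 256 + fields[5]


def format_hostport(ip: ipaddress.IPv4Address, port: int) -> str:
    return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])


def alg_rewrite(line: str, inside: str, public: str):
    """Rewrite one FTP control line the way the NAT ALG on AR1 would.

    Returns (rewritten_line, data_mapping). data_mapping is the
    ((public_ip, port), (inside_ip, port)) entry NAT must install for the data
    connection, or None when the line carries no address for our server."""
    m = HOSTPORT.search(line)
    if not m:
        return line, None
    ip, port = parse_hostport(line)
    if ip != ipaddress.IPv4Address(inside):
        return line, None          # some other host; leave the payload alone
    rewritten = line[:m.start()] + format_hostport(ipaddress.IPv4Address(public), port) + line[m.end():]
    return rewritten, ((public, port), (inside, port))


# Constructed sample: what the DMZ server answers to PASV, seen on the inside of AR1.
SAMPLE_227 = "227 Entering Passive Mode (10,1,0,10,4,1)\r\n"

if __name__ == "__main__":
    line, mapping = alg_rewrite(SAMPLE_227, "10.1.0.10", "136.1.12.10")
    print("client sees:", line.strip())
    print("data-channel mapping NAT must pre-open:", mapping)
```

Because the rewrite changes the payload length, a real ALG also has to adjust TCP sequence and acknowledgement numbers on that session, and it cannot see inside FTPS at all; TLS-protected FTP therefore needs a fixed passive port range mapped explicitly instead of an ALG.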
Acc1 ================================
port-group group-member e0/0/1 e0/0/2
port-security enable
port-security max-mac-num 2
port-security mac-address sticky
port-security protect-action shutdown
# Afterwards test public connectivity from both PCs again, then check the MAC table on Acc1
# Two MAC addresses with state sticky should have been learned
16. Port isolation
Acc1 ================================
port-group group-member e0/0/1 e0/0/2
port-isolate enable
# After configuring, test connectivity between PC1 and PC2: although they are in the same VLAN and subnet,
# they can no longer reach each other. dis port-isolate group all lists all isolation groups
17. HQ site path optimisation
# To steer VLAN 10/20 traffic via SW1 and VLAN 30 traffic via SW2,
# adjust the OSPF cost of the respective service interfaces on SW1/SW2
SW1 ================================
# VLAN 30 traffic should go via SW2, so raise the cost of VLAN 30 on SW1
int vl 30
ospf cost 10
SW2 ================================
# Likewise on SW2
int vl 10
ospf cost 10
int vl 20
ospf cost 10
# Check the OSPF routes on AR1: the next hop toward 10 and 20 should be FW-1
# and the next hop toward 30 should be FW-2, yet everything goes via FW-1
# Troubleshooting shows VGMP, driven by the VRRP group, is the cause: it puts the firewalls into active/standby,
# which overrides HRP active/active. Add a second VRRP group with the roles swapped
# and the firewalls return to active/active
# Check with dis hrp state: role and peer should both be active
FW-1 ================================
int g1/0/2
vrrp vrid 2 virtual-ip 10.1.0.253 standby
FW-2 ================================
int g1/0/2
vrrp vrid 2 virtual-ip 10.1.0.253 active
# HRP is now back to active/active
# AR1's routing table now shows the expected paths
18. WLAN Layer-2 networking and VLAN pool
SW5 ================================
sys
sysna SW5
vlan batch 5 254 145
int g0/0/24
port link-ty acc
port def vl 145
int g0/0/11
port link-ty acc
port def vl 5
int g0/0/10
port link-ty trunk
port trunk allow-pass vlan 254
int g0/0/1
port hybrid pvid vl 254
port hybrid untag vl 254
int vl 5
ip add 172.16.5.5 24
int vl 254
ip add 172.16.254.5 24
AC3 ================================
sys
sysna AC3
vl 254
int g0/0/1
port link-ty trunk
port trunk allow-pass vlan 254
int vl 254
ip add 172.16.254.10 24
# Configure a VLAN pool to spread users over several VLANs and shrink the broadcast domain
vlan pool vlan_pool
vlan 11 12
# Wireless configuration
wlan
ap-id 1 ap-mac 00e0-fcab-0b30
ap-name AREA_3
quit
ssid-profile name ssid_pro
ssid h3c
quit
security-profile name sec_pro
security wpa2 psk pass-phrase H3c@123456 aes
y
quit
vap-profile name vap_pro
forward-mode direct-forward
service-vlan vlan-pool vlan_pool
ssid-profile ssid_pro
y
security-profile sec_pro
quit
ap-id 1
vap-profile vap_pro wlan 1 radio 0
vap-profile vap_pro wlan 1 radio 1
capwap source interface vlanif254
19. DHCP relay
FW-3 ================================
# Firewall initialisation
sys
sysna FW-3
user-int con 0
id 0 0
firewall zone untrust
add int g1/0/0
firewall zone trust
add int g1/0/1
firewall zone name mpls
add int g1/0/2
int g1/0/1
ip add 172.16.145.14 24
int g1/0/2
ip add 100.1.143.14 24
int g1/0/0
ip add 136.1.142.14 24
ospf 1
a 0
netw 172.16.0.0 0.0.255.255
# AP address pool
ip pool ap_pool
network 172.16.254.0 mask 24
gateway-list 172.16.254.5
# User address pool
ip pool dhcp_pool
network 172.16.10.0 mask 24
gateway-list 172.16.10.5
quit
dhcp enable
int g1/0/1
dhcp select global
quit
SW5 ================================
dhcp en
int vl 145
ip add 172.16.145.5 24
ospf 1
a 0
netw 172.16.0.0 0.0.255.255
# Set the AP management VLAN to relay
int vl 254
dhcp select relay
dhcp relay server-ip 172.16.145.14
# Afterwards check on AP3 whether it obtained an address
# If so, ping the AC; once that works the SSID appears shortly
# Once the SSID is up, a phone still cannot get an address; the ports need further work later
20. VLAN aggregation (super VLAN)
SW5 ================================
vlan batch 11 12
# VLAN aggregation
vlan 10
aggregate-vlan
access-vlan 11 to 12
int vl 10
ip add 172.16.10.5 24
# Enable inter-sub-VLAN access: only broadcast is contained, not connectivity
arp-proxy inter-sub-vlan-proxy enable
# Also enable relay here, pointing at the firewall
dhcp select relay
dhcp relay server-ip 172.16.145.14
# Show the super VLAN
dis super-vlan
# Connect the phone again: it still cannot get an address
# SW5 port 1 must carry VLANs 11 and 12 tagged for the traffic it receives
int g0/0/1
port hybrid tagged vlan 11 to 12
# Only then do clients get addresses from the pool tied to the super VLAN (VLAN 10)
# How does the firewall tell the DHCP requests apart and hand out different subnets?
# The relay (SW5) stamps each request with the address of the interface it arrived on (giaddr); the firewall
# matches that address against its local pools and allocates from the one in the same subnet, or drops the request if none matches
# Final test
# On AC3, dis station all shows the two clients in different VLANs
# Ping between the two clients: despite being in different VLANs they still reach each other
21. DHCP snooping and ARP security
SW5 ================================
# Stop users plugging in rogue DHCP servers
dhcp snooping enable
int g0/0/24
dhcp snooping trusted
vl 10
dhcp snooping enable
# Check the client hardware address against the frame source to stop DHCP starvation
dhcp snooping check dhcp-chaddr enable
# Rate-limit DHCP packets
dhcp snooping check dhcp-rate enable 10
# Auto-save the DHCP snooping binding table
dhcp snooping user-bind autosave flash:/dhcp.tbl
# Check ARP entries against the DHCP snooping bindings to stop ARP spoofing (man in the middle)
arp dhcp-snooping-detect enable
# Reconnect the wireless client, then view the binding table on SW5
dis dhcp snooping user-bind all
22. Firewall NAT
FW3 ================================
ip route-static 0.0.0.0 0.0.0.0 136.1.142.2
ospf 1
default-route-advertise
security-policy
rule name local->any
source-zone local
action permit
quit
rule name in->out
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
action permit
nat-policy
rule name easy_ip
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
action source-nat easy-ip
# Test: the client should reach the Internet
23. IS-IS multi-area
R1 ================================
sys
sysname R1
int loop0
ip add 150.1.1.1 32
int g0/0/0
ip add 155.1.12.1 24
isis
net 49.0000.0000.0000.0001.00
is-level level-2
int loop0
isis en
int g0/0/0
isis en
R2 ================================
sys
sysname R2
int loop0
ip add 150.1.2.2 32
int g0/0/0
ip add 155.1.12.2 24
int g0/0/1
ip add 155.1.23.2 24
isis
net 49.0001.0000.0000.0002.00
is-level level-1-2
int loop0
isis en
int g0/0/0
isis en
int g0/0/1
isis en
R3 ================================
sys
sysname R3
int loop0
ip add 150.1.3.3 32
int g0/0/1
ip add 155.1.23.3 24
isis
net 49.0001.0000.0000.0003.00
is-level level-1
int loop0
isis en
int g0/0/1
isis en
# Check IS-IS adjacencies on R2; all should be Up
dis isis peer
# Check IS-IS routes on R2; it should learn the loopbacks of R1 and R3
dis ip routing-table protocol isis
24. MPLS LDP
R1 ================================
mpls lsr-id 150.1.1.1
mpls
mpls ldp
int g0/0/0
mpls
mpls ldp
R2 ================================
mpls lsr-id 150.1.2.2
mpls
mpls ldp
int g0/0/0
mpls
mpls ldp
int g0/0/1
mpls
mpls ldp
R3 ================================
mpls lsr-id 150.1.3.3
mpls
mpls ldp
int g0/0/1
mpls
mpls ldp
# Then check LDP sessions on R2; all should be Operational
dis mpls ldp session all
25. MP-BGP
R2 ================================
bgp 100
peer 150.1.1.1 as-number 100
peer 150.1.1.1 connect-interface LoopBack0
peer 150.1.3.3 as-number 100
peer 150.1.3.3 connect-interface LoopBack0
ipv4 un
undo peer 150.1.1.1 enable
undo peer 150.1.3.3 enable
quit
ipv4 vpnv4
undo policy vpn-target
# R2 acts as route reflector to cut down on peerings
peer 150.1.1.1 enable
peer 150.1.1.1 reflect-client
peer 150.1.3.3 enable
peer 150.1.3.3 reflect-client
# R1 and R3 are configured identically
R1/3 ================================
bgp 100
peer 150.1.2.2 as-number 100
peer 150.1.2.2 connect-interface LoopBack0
#
ipv4 un
undo peer 150.1.2.2 enable
#
ipv4-family vpnv4
peer 150.1.2.2 enable
# Check all BGP VPNv4 peers on R2; all should be Established
dis bgp vpnv4 all peer
26. PE-CE access via BGP
AR1 ================================
int e1/0/0
ip add 100.1.1.1 24
bgp 65000
peer 100.1.1.100 as-n 100
ipv4 un
import-route ospf 1
FW3 ================================
int g1/0/2
ip add 100.1.143.14 24
bgp 65000
peer 100.1.143.100 as-n 100
ipv4 un
import-route ospf 1
# Note: BGP need not be redistributed back into OSPF here
# because AR1 and FW3 already originate a default route in OSPF
R1 ================================
ip vpn-instance VRF_A
# 100 is the local AS number, 1 identifies the remote CE
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:14 import-extcommunity
bgp 100
ipv4 vpn-instance VRF_A
peer 100.1.1.1 as-number 65000
int e0/0/0
ip binding vpn-instance VRF_A
ip add 100.1.1.100 24
R3 ================================
ip vpn-instance VRF_A
route-distinguisher 100:14
vpn-target 100:14 export-extcommunity
vpn-target 100:1 import-extcommunity
bgp 100
ipv4 vpn-instance VRF_A
peer 100.1.143.14 as-number 65000
int e0/0/1
ip binding vpn-instance VRF_A
ip add 100.1.143.100 24
# Then check BGP neighbours on both CEs; Established means ok
dis bgp peer
# PE-CE deployment is complete
27. IS-IS route leaking and BGP AS substitution
# First look at the routes on both PEs
dis bgp vpnv4 vpn-instance VRF_A routing-table
# R1 has learned both HQ and branch routes; R3 only has the branch routes
# Troubleshooting: from R1, ping R3's LSR ID over the LSP
ping lsp ip 150.1.3.3 32
# That works; the reverse direction does not
# R3 has no LSP to R1 because it has no route to R1
# and it has no route because Level-2 routes do not enter Level-1
# Fix: leak Level-2 routes into Level-1 on R2
R2 ================================
isis
import-route isis level-2 into level-1
# After leaking, R3 can ping R1's LSR ID over the LSP and learns the HQ routes
# Problem 2: both CEs use the same AS number, so the eBGP AS-path loop check drops each other's routes
# Fix: do AS substitution on the PEs toward the CE peers
R1 ================================
bgp 100
ipv4 vpn-instance VRF_A
peer 100.1.1.1 substitute-as
R3 ================================
bgp 100
ipv4 vpn-instance VRF_A
peer 100.1.143.14 substitute-as
28. BGP filtering and MPLS tuning
# The branch devices are less capable, so filter out the HQ internal interconnect routes
# and keep only the subnet of the HQ internal server
# Method: match the wanted subnet with an IP prefix list
# and apply it in the export direction toward the eBGP peer
AR1 ================================
ip ip-prefix zon_ser permit 10.1.30.0 24
bgp 65000
peer 100.1.1.100
peer 100.1.1.100 ip-prefix zon_ser export
# Afterwards the BGP table on FW-3 shows only the HQ internal server subnet
# The lab requirement is that branch clients reach the HQ server over the MPLS VPN
# so adjust the security policies on the HQ and branch firewalls next
FW-3 ================================
security-policy
rule name in->mpls
source-zone trust
destination-zone mpls
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action permit
FW-1/2 ================================
security-policy
rule name out->in
source-zone untrust
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action permit
# Then ping the HQ internal server from a branch client; it should reply, and tracert shows the path
# Provider PE tuning
# In a large network, per-route labels waste label space on the provider side
# Fix: allocate labels per VPN instance instead of per route
R1/3 ================================
ip vpn-instance VRF_A
apply-label per-instance
29. IPsec VPN redundancy
# The branch can already reach the HQ server over the MPLS VPN line
# but if that leased line fails, access is lost
# Fix: an IPsec VPN over the Internet link as backup
FW-1 ================================
# 3DES, SHA-1 and DH group 2 are what this lab uses; outside a lab use AES-256, SHA2-256 and DH group 14 or stronger
ike proposal 10
authentication-method pre-share
dh group2
encryption-algorithm 3des
authentication-algorithm sha1
quit
ike peer FW-3
pre-shared-key H3c@123456
ike-proposal 10
remote-address 136.1.142.14
quit
acl number 3000
rule permit ip source 10.1.30.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
quit
ipsec proposal lan_set
esp authentication-algorithm sha1
esp encryption-algorithm 3des
quit
ipsec policy lan_map 10 isakmp
security acl 3000
ike-peer FW-3
proposal lan_set
interface Tunnel0
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
ipsec policy lan_map
firewall zone dmz
add int tun 0
FW-2 ================================
interface Tunnel0
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
# This line cannot be typed here directly: undo it on FW-1 and re-enter it so that it is synchronised to FW-2
ipsec policy lan_map
R1 ================================
int g0/0/0
# On the egress router, map IKE (UDP 500) to each firewall
nat server protocol udp global 136.1.12.12 500 inside 10.1.121.12 500
nat server protocol udp global 136.1.12.13 500 inside 10.1.131.13 500
# and NAT traversal (UDP 4500) as well
nat server protocol udp global 136.1.12.12 4500 inside 10.1.121.12 4500
nat server protocol udp global 136.1.12.13 4500 inside 10.1.131.13 4500
FW-3 ================================
ike proposal 10
authentication-method pre-share
dh group2
encryption-algorithm 3des
authentication-algorithm sha1
quit
ike peer all
ike-proposal 10
pre-shared-key H3c@123456
# The peer may be either HQ firewall, so no remote-address is set; note that any host that knows the PSK can then negotiate, so list the peer addresses or use certificates where possible
quit
ipsec proposal lan_set
esp authentication-algorithm sha1
esp encryption-algorithm 3des
quit
acl number 3000
rule permit ip source 172.16.0.0 0.0.255.255 destination 10.1.30.0 0.0.0.255
quit
# Policy template (responder only)
ipsec policy-template diy_map 10
security acl 3000
ike-peer all
proposal lan_set
quit
ipsec policy lan_map 10 isakmp template diy_map
# Apply the policy on the interface
int g1/0/0
ipsec policy lan_map
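The two security ACLs must be mirror images: FW-1 (the initiator, once sa trigger-mode auto is set below) proposes 10.1.30.0/24 to 172.16.0.0/16, and FW-3's template ACL has to contain the reversed pair, otherwise phase 2 fails with little indication of why. The Python below is an added example, not the page's own code. It parses the two rule lines exactly as written on FW-1 and FW-3, converts the wildcard masks, and lists initiator selectors that the responder would not accept. A template ACL may be wider than the initiator's selector, so the check is subnet containment rather than equality. The narrowed FW-3 rule used as the negative case is constructed.

```python
"""Proxy-ID (traffic selector) mirror check for the FW-1 / FW-3 IPsec ACLs (added example)."""
import ipaddress
import re

RULE = re.compile(r"rule\s+(?:\d+\s+)?permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                  r"\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei wildcard: 0 bits must match, 1 bits are don't-care (inverse of a netmask).
    Only contiguous wildcards map to a prefix; anything else is rejected."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.IPv4Network((addr, 32 - wild.bit_length()), strict=False)


def parse_rule(line: str):
    """(source network, destination network) of one 'rule permit ip ...' line."""
    m = RULE.search(line)
    if not m:
        raise ValueError("unsupported rule: %r" % line)
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def selector_mismatches(initiator_rules, responder_rules):
    """Initiator (src, dst) pairs that no responder rule covers with the roles reversed."""
    responder = [parse_rule(r) for r in responder_rules]
    bad = []
    for line in initiator_rules:
        src, dst = parse_rule(line)
        covered = any(src.subnet_of(r_dst) and dst.subnet_of(r_src) for r_src, r_dst in responder)
        if not covered:
            bad.append((src, dst))
    return bad


# ACL 3000 on FW-1 (initiator) and on FW-3 (responder, referenced by the policy template)
FW1_ACL = ["rule permit ip source 10.1.30.0 0.0.0.255 destination 172.16.0.0 0.0.255.255"]
FW3_ACL = ["rule permit ip source 172.16.0.0 0.0.255.255 destination 10.1.30.0 0.0.0.255"]
# Constructed negative case: FW-3 narrowed to the user subnet only
FW3_NARROW = ["rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.1.30.0 0.0.0.255"]

if __name__ == "__main__":
    print("page ACLs:", selector_mismatches(FW1_ACL, FW3_ACL) or "consistent")
    print("narrowed FW-3:", selector_mismatches(FW1_ACL, FW3_NARROW))
```

Run the check again whenever either ACL gains a rule; the reverse direction (FW-3 narrower than FW-1) is precisely the case that only shows up as a tunnel that negotiates phase 1 and then silently never passes traffic.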
Security policy adjustments ================================
FW-3 ================================
security-policy
rule name out->local
source-zone untrust
destination-zone local
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
# Inside-to-outside is already permitted
FW-1 ================================
# Note: the tunnel interface sits in dmz
rule name dmz->in
source-zone dmz
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action permit
# HQ-side traffic never initiates toward the branch and FW-3 only has a template (responder), so make FW-1 bring the SA up automatically
ipsec policy lan_map 10 isakmp
sa trigger-mode auto
# Now shut down the MPLS VPN link on FW-3 (shutdown g1/0/2)
# and ping the HQ server from the branch client: it fails
# FW-3's security policy is not blocking it; the cause is NAT
# NAT is applied before IPsec, so the NAT policy must change:
# branch-to-HQ-server traffic must not be translated
FW-3 ================================
nat-policy
rule name no_nat
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action no-nat
quit
rule move no_nat top
# After that change the ping still fails; the return traffic is the problem
# Server reply -> SW2 -> FW-2; FW-2 looks up its routing table and forwards out g1/0/1
# That cannot work: the reply has to leave through Tunnel0 as well
FW-1 ================================
ipsec policy lan_map 10 isakmp
# Generate routes automatically from the ACL referenced by the policy
route inject dynamic
# Afterwards the UNR routes show one entry toward the branch private network with next hop Tunnel0
dis ip routing-table protocol unr
# Ping from the branch client to the HQ server still fails!
# The return traffic arrives at FW-2, but in this active/active setup only FW-1 has negotiated an SA with FW-3
# so the return traffic must go back via FW-1
# Import the reverse (UNR) routes into OSPF so that the specific route beats the default
# then SW2 no longer follows its default to FW-2 but sends the reply straight to FW-1
# which puts it into the IPsec tunnel
FW-1 ================================
ospf 1
import-route unr
# Ping from the branch client to the HQ server finally works; verify with tracert
# Bring the MPLS VPN link back up and ping/tracert again; results are in the figures below
Figure: with the MPLS VPN line down, the branch reaches the HQ internal server over the IPsec VPN.
The hidden hops in the tracert return path have the same cause as in the H3C lab; see the HCL edition of this network engineering design if interested.
Figure: with the MPLS VPN line (G1/0/2) back up, tracert follows the MPLS VPN path, because the BGP MPLS VPN carries the specific route to the HQ server, which beats the default route that leads into IPsec.
30. IPsec as backup to MPLS
# When fixing the return path over IPsec, the 172.16 return routes were imported into OSPF
# so SW2 and the firewalls now hold specific routes to the branch network, and once the MPLS VPN line recovers
# HQ return traffic still goes over IPsec, which makes the leased line pointless; the IPsec path must become the backup
R1 ================================
ospf 1
# Import the specific BGP routes into OSPF
import-route bgp
ipsec policy lan_map 10 isakmp
# While the line is up, the BGP routes imported into OSPF (OSPF external routes) must win
# so give the routes injected by IPsec a preference worse than OSPF external (150)
route inject dynamic preference 151
# With that, traffic uses the MPLS VPN line whenever it is up
# When the line goes down, the BGP routes imported into OSPF disappear and the injected routes take over
# Configure the following on all three firewalls so they appear in the tracert path
icmp ttl-exceeded send
# Afterwards ping and tracert the HQ server from the branch client again; the results match the earlier ones
31. Multicast: PIM-SM
R1 ================================
multicast routing-enable
int e0/0/1
pim sm
ip add 155.1.1.1 24
int g0/0/0
pim sm
R2 ================================
multicast routing-enable
int g0/0/0
pim sm
int g0/0/1
pim sm
int loop0
# The loopback is reserved to act as RP
pim sm
pim
c-rp loop0
c-bsr loop0
R3 ================================
multicast routing-enable
int g0/0/1
pim sm
int e0/0/0
pim sm
igmp enab
ip add 155.1.3.3 24
# Multicast source and receiver addressing and testing follow the HCL edition of this design
# and are not shown here
# After the receiver joins the group, view the multicast routing table on the routers
dis pim routing-table
# Before traffic is sent only (*,G) entries exist; once the source sends, (S,G) entries appear
# Sending traffic is likewise covered in the HCL edition
Figure: multicast test showing the (*,G) entry created by the join and the (S,G) entry created once the source sends.
32. DHCPv6
R3 ================================
ipv6
dhcp en
int e0/0/0
ipv6 enab
ipv add 2001:155:1:3::3/64
quit
dhcpv6 pool dhcpv6_pool
add prefix 2001:155:1:3::/64
quit
int e0/0/0
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
dhcpv6 server dhcpv6_pool
# On the client, set IPv6 to static, apply, then select DHCPv6 and apply again
# then run ipconfig to confirm it obtained an IPv6 address
33. OSPFv3
# Run OSPFv3 on FW-3 and SW5 so that PC5's subnet is routed
FW-3 ================================
ipv6
int g1/0/1
ipv6 en
ipv6 address auto link-local
ospfv3 1
router-id 172.16.14.14
int g1/0/1
ospfv3 1 a 0
SW5 ================================
ipv6
int vl 145
ipv6 en
ipv6 address auto link-local
int vl 5
ipv6 en
ipv6 add 2001:172:16:5::5/64
ospfv3 1
router-id 172.16.5.5
int vl 145
ospfv3 1 a 0
int vl 5
ospfv3 1 a 0
# Show OSPFv3 peers
dis ospfv3 peer
# Show OSPFv3 routes
dis ospfv3 routing
34. NAT64
# Let the branch IPv6 host reach the Internet
FW-3 ================================
# First originate a default route from the firewall
ospfv3
# always: originate the default even when the firewall itself has no default route
default-route-advertise always
nat64 prefix 2001:172:14:: 96
nat-policy
rule name nat64
source-zone trust
destination-zone untrust
source-address 2001:172:16:5:: 64
nat-type nat64
action source-nat easy-ip
int g1/0/1
nat64 enable
security-policy
rule name in->out(ipv6)
source-zone trust
destination-zone untrust
service icmpv6
action permit
# Afterwards ping a public address from the v6 host; the IPv4 address has to be written into the NAT64 prefix
# 130.1.2.2 in hex is 82.01.02.02, so with prefix 2001:172:14::/96 the target is 2001:172:14::8201:0202
# Ping from the PC
ping 2001:172:14::8201:0202 -6
# Once the ping succeeds, view the IPv6 translation records on the firewall
dis firewall ipv6 session table
Figure: NAT64 translation records shown by dis firewall ipv6 session table.
35. IPv6 6to4 automatic tunnel
R1 ================================
ipv6
int g0/0/1
ipv6 en
ipv6 add 2001:155:1:1::1/64
# Configure the automatic tunnel
int tun0/0/0
ipv6 enable
# Address derivation follows the NAT64 section; the 13 in the fourth hextet is arbitrary and just marks the R1<->R3 link
ipv6 address 2002:9601:0101:13::1/64
tunnel-protocol ipv6-ipv4 6to4
source LoopBack0
ipv6 route-static 2002:: 16 Tunnel0/0/0
R3 ================================
int tun0/0/0
ipv6 enable
ipv6 address 2002:9601:0303:13::3/64
tunnel-protocol ipv6-ipv4 6to4
source LoopBack0
ipv6 route-static 2002:: 16 Tunnel0/0/0
# Once the tunnel is up, ping from R3
ping ipv6 2002:9601:0101:13::1
# When the tunnel works in both directions, add the routes
R1 ================================
ipv6 route-static 2001:155:1:3:: 64 2002:9601:303::3
R3 ================================
ipv6 route-static 2001:155:1:1:: 64 2002:9601:101::1
# Then ping PC4 from PC5 (DHCPv6_Client)
ping 2001:155:1:1::10 -6
Figure: PC5 (DHCPv6_Client) pinging PC4.
36. QoS
# Define two ACLs that match the branch wired and wireless users
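The address conversions in the last two sections (the NAT64 target in section 34, which the page works out in binary by hand, and the 2002:9601:0101::/48 and 2002:9601:0303::/48 prefixes derived from the loopbacks in section 35) are the same operation: an IPv4 address placed at a fixed offset inside an IPv6 prefix. The Python below is an added example, not the page's own; it does the NAT64 /96 synthesis and extraction (RFC 6052) and the 6to4 prefix and tunnel-endpoint derivation (RFC 3056) with the prefixes used on this page. Only /96 NAT64 prefixes are handled.

```python
"""IPv4-embedded IPv6 addresses: NAT64 (RFC 6052, /96) and 6to4 (RFC 3056) (added example)."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("2001:172:14::/96")   # 'nat64 prefix 2001:172:14:: 96' on FW-3
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def nat64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """What the v6 host must ping: the /96 prefix with the IPv4 address as the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv4Address:
    """Reverse mapping, i.e. the IPv4 destination FW-3 forwards to."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError("%s is not inside %s" % (addr, prefix))
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:WWWW::/48 for tunnel source V.V.W.W (the router loopback here); the IPv4
    address occupies bits 16..47, the 16 bits after 0x2002."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (v4 << 80), 48))


def six_to_four_endpoint(ipv6: str) -> ipaddress.IPv4Address:
    """Tunnel destination a 6to4 router derives from any 2002::/16 next hop, which is why
    the static routes below can point at 2002:9601:303::3 rather than the exact tunnel address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        raise ValueError("%s is not a 6to4 address" % addr)
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("NAT64 target for 130.1.2.2:", nat64_synthesize("130.1.2.2"))
    print("6to4 prefix for R1 loopback 150.1.1.1:", six_to_four_prefix("150.1.1.1"))
    print("6to4 prefix for R3 loopback 150.1.3.3:", six_to_four_prefix("150.1.3.3"))
    print("R1 encapsulates 2002:9601:303:13::3 toward:", six_to_four_endpoint("2002:9601:303:13::3"))
```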
AR1 ================================
acl number 2005
rule 5 permit source 172.16.5.0 0.0.0.255
acl number 2010
rule 5 permit source 172.16.10.0 0.0.0.255
traffic classifier net5_cmap
if-match acl 2005
traffic classifier net10_cmap
if-match acl 2010
traffic behavior net5_bmap
remark dscp af11
traffic behavior net10_bmap
remark dscp af21
traffic policy remark
classifier net5_cmap behavior net5_bmap
classifier net10_cmap behavior net10_bmap
int e1/0/0
traffic-policy remark inbound
# Congestion avoidance
drop-profile net10_wred
dscp af21 low-limit 50 high-limit 80 discard-percentage 50
qos queue-profile queue_pro
schedule wfq 0 t 4
queue 1 weight 50
queue 2 weight 30
queue 2 drop-profile net10_wred
queue 1 gts cir 512
int g0/0/1
qos queue-profile queue_pro
int g0/0/2
qos queue-profile queue_pro
# Catch BitTorrent downloads during working hours
acl 3000
rule 5 permit udp destination-port range 6881 6999 time-range work_time
# Define working hours
time-range work_time 09:00 to 18:00 working-day
# Rate-limit the matching traffic on the Internet-facing port
int g0/0/0
qos car inbound acl 3000 cir 256
37. Firewall content security
# Firewall content security follows
FW-1 ================================
# Enable HTTPS on the firewall management port
int g0/0/0
service-manage https permit
# Then add a cloud device bridged both ways to a local NIC, and give port 0 an address in that NIC's subnet
# Then open a browser and visit
# https://192.168.99.100:8443/
Create an intrusion prevention profile; in the signature filter tick the applications, protocols and threat categories to cover.
In the policy, open the rule for outside-to-server traffic and select that IPS profile under content security.
Apply antivirus to the branch-to-HQ-server traffic.
In the outside-to-inside rule, tick the antivirus profile just created.
For user behaviour management, create a URL filtering profile.
Select the URL filtering profile in the in-to-out rule.
Save the configuration when done.
Then check the security policy on the firewall CLI; the web UI configuration is reflected there.
38. BFD
AR1 ================================
bfd
int g0/0/1
ospf bfd enable
int g0/0/2
ospf bfd enable
FW-1/2 ================================
bfd
int g1/0/0
ospf bfd enable
# Afterwards check the OSPF BFD sessions on AR1
dis ospf bfd session all
# Configure NQA on the branch firewall
FW-3 ================================
nqa test-instance admin icmp
test-type icmp
destination-address ipv4 130.1.2.2
records result 1
records history 3
frequency 5
timeout 2
start now
# Tie the default route to the NQA test just configured
ip route-static 0.0.0.0 0.0.0.0 136.1.142.2 track nqa admin icmp
# For easier testing, also add a specific route to 130.1.2.2
ip route-static 130.1.2.2 32 136.1.142.2
# View the NQA test history; every record should be success
dis nqa history
# Then shut down loop0 on the internet router
# The NQA history now shows busy or timeout
# and the default route tied to the NQA on the firewall disappears (the simulator has a bug here, so the effect may not show)
Figure: OSPF BFD session state.
Figure: NQA test history.
The end.