HCNA must-know knowledge points
HCNA: IP subnetting, IPv4/IPv6, Ethernet frame structure, ARP, TCP/UDP, static routing, route preference / route backup, metric / default route, DHCP, RIP, basic OSPF, trunk, inter-VLAN routing, router-on-a-stick, Easy IP and NAT Server, WAN PPP, WAN HDLC and FR, link aggregation (Eth-Trunk), VRRP, STP, ACL, configuring Telnet, configuring SSH, configuring FTP
undo info-center enable    disable the information center (stops log and trap output to the terminal; re-enable it before troubleshooting, you lose visibility otherwise)
dis ip int brie            show interface IP configuration
dis port vlan              show port VLAN configuration
Trunk communication principle
Sending side
▶ Host VLAN differs from the switch trunk port's PVID: the tag is kept and the frame leaves with an 802.1Q tag; the peer device receives the tagged frame and checks whether its trunk allows that VLAN.
▶ Host VLAN equals the trunk port's PVID: the tag is stripped and the frame leaves untagged; the peer device receives the untagged frame, classifies it into its own port PVID, and if the trunk allows that VLAN the two sides can communicate.
Key point: a trunk's default PVID is 1. Because PVID traffic crosses the trunk untagged, leaving PVID 1 (also the default VLAN of every access port) on trunks is what makes double-tagging VLAN hopping possible; in practice set the trunk PVID to an unused VLAN and keep user traffic out of VLAN 1.
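The two bullets above, as an added example that is not part of the original notes: a small model of how an access port and a trunk port classify and re-tag frames, followed by the PVID-1 pitfall. The port roles, VLAN IDs and the frame tag lists are constructed for illustration; `double_tag_landing` shows that with the trunk PVID left at 1 a host in VLAN 1 can push a frame into VLAN 20 on the far switch, and that moving the trunk PVID to an unused VLAN contains it.

```python
"""802.1Q tagging on Huawei-style access/trunk ports, and the PVID-1 pitfall.

Added example, not from the original notes. Port roles, VLAN IDs and the
frame tag lists below are constructed for illustration.
"""
from typing import List, Optional, Set, Tuple


class Port:
    def __init__(self, kind: str, pvid: int = 1, allowed: Optional[Set[int]] = None):
        self.kind = kind                 # "access" or "trunk"
        self.pvid = pvid                 # default PVID is 1 on both port types
        self.allowed = allowed or {1}    # trunk allow-pass list (VLAN 1 by default)


def ingress(port: Port, tags: List[int]) -> Optional[Tuple[int, List[int]]]:
    """Classify an arriving frame.

    tags is the outer-first list of 802.1Q VIDs ([] = untagged). Returns
    (vlan, inner_tags) or None if the port discards the frame.
    """
    if not tags:
        vid, rest = port.pvid, []                 # untagged frame takes the PVID
    else:
        vid, rest = tags[0], tags[1:]
        if port.kind == "access" and vid != port.pvid:
            return None                           # access port drops foreign tags
    if port.kind == "trunk" and vid not in port.allowed:
        return None                               # VLAN not in allow-pass list
    return vid, rest


def egress(port: Port, vid: int, rest: List[int]) -> Optional[List[int]]:
    """Tag list as the frame leaves the port, or None if the port lacks vid."""
    if port.kind == "access":
        return rest if vid == port.pvid else None  # access always sends untagged
    if vid not in port.allowed:
        return None
    if vid == port.pvid:
        return rest                               # PVID traffic leaves untagged
    return [vid] + rest                           # other VLANs leave tagged


def forward(in_port: Port, tags: List[int], out_port: Port) -> Optional[List[int]]:
    """One switch hop: classify on in_port, emit on out_port."""
    hit = ingress(in_port, tags)
    if hit is None:
        return None
    vid, rest = hit
    return egress(out_port, vid, rest)


def double_tag_landing(trunk_pvid: int, target_vlan: int = 20) -> Optional[int]:
    """An attacker on an access port in VLAN 1 sends a frame tagged [1, target_vlan]
    across a trunk to a second switch. Returns the VLAN the far switch classifies
    the frame into (None = dropped). The hop succeeded if it equals target_vlan.
    """
    attacker_port = Port("access", pvid=1)
    trunk = Port("trunk", pvid=trunk_pvid, allowed={1, 10, 20, trunk_pvid})
    on_wire = forward(attacker_port, [1, target_vlan], trunk)   # leaves switch 1
    if on_wire is None:
        return None
    hit = ingress(trunk, on_wire)                               # arrives at switch 2
    return hit[0] if hit else None
```

With `trunk_pvid=1` the first switch strips the outer tag (it equals the PVID) and the inner tag 20 is what the second switch sees; with `trunk_pvid=999` the frame stays tagged 1 end to end and lands in VLAN 1.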
Access port communication principle
Setting up FTP on a router
[Huawei]ftp server enable
[Huawei]set default ftp-directory flash:
[Huawei-aaa]local-user huawei password cipher huawei          lab credentials; use a strong password outside the lab
[Huawei-aaa]local-user huawei service-type ftp
[Huawei-aaa]local-user huawei access-limit 200
[Huawei-aaa]local-user huawei idle-timeout 0 0                0 0 disables the idle timeout; a lab shortcut, leave a timeout in production
[Huawei-aaa]local-user huawei privilege level 3
Note: FTP carries the login and the transferred files in cleartext. Where the platform supports it, prefer SFTP (sftp server enable) and give the user service-type sftp instead.
Client access
<Huawei>ftp <server-ip>
PC: access via the 360 browser (turn off the relevant browser option first)
Configuring ports as a group
[LSW1]port-group <name>
[LSW1-port-group-<name>]group-member g0/0/1 to g0/0/10
ISP side (PPPoE server)
[ISP]ip pool pppoe
[ISP-ip-pool-pppoe]network 200.2.2.0 mask 24
[ISP-ip-pool-pppoe]gateway-list 200.2.2.1
[ISP]interface Virtual-Template 1                                  template
[ISP-Virtual-Template1]ppp authentication-mode pap                 PAP sends the password in cleartext; use chap unless the peer cannot
[ISP-Virtual-Template1]ip address 200.2.2.1 24
[ISP-Virtual-Template1]remote address pool pppoe
[ISP-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1    bind the virtual template to interface g0/0/1
[ISP-aaa]local-user part password cipher 123456                    the username must match the client's "ppp pap local-user"
[ISP-aaa]local-user part service-type ppp
Client side (PPPoE client)
[Huawei]dialer-rule
[Huawei-dialer-rule]dialer-rule 1 ip permit                        traffic that is allowed to trigger the dial-up
[Huawei]int Dialer 1
[Huawei-Dialer1]ppp pap local-user part password cipher %$%$pLKZ!iaG|$#Cm4Q8=MM.,%Nw%$%$
[Huawei-Dialer1]ip address ppp-negotiate                           obtain the IP automatically
[Huawei-Dialer1]dialer user user1
[Huawei-Dialer1]dialer-group 1                                     binds to dialer-rule 1
[Huawei-Dialer1]dialer bundle 1
[Huawei-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1    bind the physical port to dialer bundle 1
Switch A
interface Vlanif10                                 gateway for the VLAN 10 hosts on g0/0/2 (the Vlanif number must match the access VLAN)
ip address 10.10.10.1 255.255.255.0
interface Vlanif50                                 inter-switch link to B
ip address 10.10.30.1 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 50
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
ip route-static 0.0.0.0 0.0.0.0 10.10.30.2         default route towards B
Switch B
interface Vlanif20                                 gateway for the VLAN 20 hosts on g0/0/2
ip address 10.10.20.1 255.255.255.0
interface Vlanif50
ip address 10.10.30.2 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 50
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
ip route-static 10.10.10.0 255.255.255.0 10.10.30.1    return route to A's VLAN 10 subnet
Link aggregation (Eth-Trunk), manual load-balancing mode
Use 2, 4 or 8 member links so the hash spreads traffic evenly
One Eth-Trunk can bundle at most 8 interfaces
Enable STP to protect against loops (manual mode runs no LACP, so a mis-cabled member is not detected; mode lacp-static adds that check)
sw1
[sw1]int Eth-Trunk 1
[sw1-Eth-Trunk1]port link-type trunk
[sw1-Eth-Trunk1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/23]eth-trunk 1
[sw1-GigabitEthernet0/0/24]eth-trunk 1
sw2
[sw2]int Eth-Trunk 1
[sw2-Eth-Trunk1]port link-type trunk
[sw2-Eth-Trunk1]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/23]eth-trunk 1
[sw2-GigabitEthernet0/0/24]eth-trunk 1
[sw2]dis interface Eth-Trunk 1                      verify the bundle and the state of each member
DHCP
<global DHCP and interface DHCP>
[dhcp]dhcp enable
[dhcp]ip pool 192
[dhcp-ip-pool-192]gateway-list 192.168.0.1
[dhcp-ip-pool-192]network 192.168.0.0 mask 255.255.255.0
[dhcp-ip-pool-192]dns-list 8.8.8.8
[dhcp-ip-pool-192]lease day <days> hour <hours>            lease time in days and hours; "lease unlimited" makes the lease permanent
[dhcp]ip pool 10
[dhcp-ip-pool-10]network 10.1.1.0 mask 255.255.255.0
[dhcp-GigabitEthernet0/0/0]ip address 10.1.1.1 255.255.255.0
[dhcp-GigabitEthernet0/0/0]dhcp select global              use the global pools (dhcp select interface would hand out addresses from this interface's own subnet instead)
[dhcp]ip route-static 0.0.0.0 0.0.0.0 10.1.1.254           the server needs a route back to the relay's subnet, otherwise the relayed replies never return
AR1 (DHCP relay)
[AR1-GigabitEthernet0/0/0]ip address 192.168.0.1 255.255.255.0
[AR1-GigabitEthernet0/0/0]dhcp select relay                relay mode; the server picks pool 192 because the relay address (giaddr 192.168.0.1) falls in it
[AR1-GigabitEthernet0/0/0]dhcp relay server-ip 10.1.1.1
[AR1-GigabitEthernet0/0/0]ip address dhcp-alloc            the client-side alternative: the interface obtains its own address via DHCP (not together with a static address)
PPPoE dial-up Internet access
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
[Huawei]dis pppoe-client session summary
PPPoE Client Session:
ID  Bundle  Dialer  Intf     Client-MAC    Server-MAC    State
0   1       1       GE0/0/0  00e0fcf46c30  000000000000  up
[Huawei]interface Dialer 1
[Huawei-Dialer1]tcp adjust-mss 1200          clamp the TCP MSS so segments fit inside the PPPoE MTU
[Huawei-Dialer1]mtu 1492                     1500 minus the 8-byte PPPoE/PPP overhead
Configure PPPoE primary/secondary DNS
[Huawei-Dialer1]ppp ipcp dns request         ask the server for DNS servers during IPCP
[Huawei-Dialer1]ppp ipcp dns admit-any       accept the DNS servers it offers
View under the dialer interface / or configure NAT on the outbound and inbound interfaces
[Huawei-Dialer1]dis this
[V200R003C00]
#
interface Dialer1
link-protocol ppp
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
tcp adjust-mss 1200
ip address 202.100.1.254 255.255.255.252
nat static global 202.100.1.251 inside 192.168.10.10 netmask 255.255.255.255
nat static enable
Configure the PPPoE default route
[Huawei]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
NAT one-to-one mapping
[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10                                        static NAT: every port of the inside host is reachable on the public address
[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123            NAT server: publishes an internal server; without ports it forwards all TCP, add the global and inside port numbers to expose only the intended service
NAT one-to-many (Easy IP)
AR1
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255        only these internal sources are translated
#
interface GigabitEthernet0/0/0
ip address 22.23.10.1 255.255.255.248
nat outbound 2000                                  Easy IP: translate to the outbound interface's own address
interface GigabitEthernet0/0/1
ip address 192.168.254.2 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 22.23.10.2         default route
ip route-static 192.168.0.0 255.255.0.0 192.168.254.1
ACL (access control list)
ACLs are applied to traffic (traffic-filter) or to routing and other features (route-policy, NAT, ...)
<Huawei: a packet that matches no rule of a traffic-filter ACL is permitted (implicit permit any)>  <Cisco: the last implicit rule is deny any>  A Huawei filter that is meant to block everything else therefore needs an explicit final "rule deny".
traffic-filter inbound acl 2000     inbound direction
traffic-filter outbound acl 2000    outbound direction
ACL rule IDs: <0-4294967294>
Basic ACL range: 2000-2999, matches on source IP only
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 deny/permit source 192.168.1.10 0.0.0.255    deny or permit; the last field is a wildcard (inverse mask): 0 means exactly this one host, while 0.0.0.255 matches the whole /24, so as written this rule matches all of 192.168.1.0/24, not just .10
[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 2000                 the denied address can no longer enter through this port
[Huawei-GigabitEthernet0/0/2]dis acl 2000                                     view the rules and their match counters
[Huawei-acl-basic-2000]rule 6 permit
[Huawei-acl-basic-2000]dis this
[V200R003C00]
#
acl number 2000
rule 5 deny source 10.10.10.10 0
rule 6 permit                                      equivalent to permit any
Advanced ACL range: 3000-3999, matches protocol, source IP, destination IP, source port, destination port
[Huawei-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0 destination-port eq 21    destination port equal to 21 (FTP control)
[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0
[Huawei-acl-adv-3000]rule permit ip
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
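The ACL semantics above (wildcard masks, first match in rule-id order, and the vendor-specific implicit default) as an added example, not code from the original notes. The rule sets are transcribed from the acl 2000 / acl 3000 commands on this page; the packets fed to `evaluate` are constructed. `ACL_HOST_TYPO` reproduces the "192.168.1.10 0.0.0.255" rule to show that the wildcard, not the host octet, decides the match.

```python
"""Huawei-style ACL matching: wildcard masks, rule order and the implicit default.

Added example, not from the original notes. The rule sets mirror the ACL
commands above; the sample packets are constructed.
"""
import ipaddress
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard (inverse mask) match: a 1 bit in the wildcard means 'don't care'.
    '0' or '0.0.0.0' means exactly this host; wildcard bits need not be contiguous."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


class Rule:
    def __init__(self, rule_id: int, action: str, proto: str = "ip",
                 src: str = "0.0.0.0", src_wc: str = "255.255.255.255",
                 dst: str = "0.0.0.0", dst_wc: str = "255.255.255.255",
                 dst_port: Optional[int] = None):
        self.rule_id = rule_id
        self.action = action                  # "permit" or "deny"
        self.proto = proto                    # "ip" matches any protocol
        self.src, self.src_wc = src, src_wc
        self.dst, self.dst_wc = dst, dst_wc   # a basic ACL leaves these as "any"
        self.dst_port = dst_port              # destination-port eq N

    def matches(self, src: str, dst: str, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "ip",
             dst_port: Optional[int] = None, implicit: str = "permit") -> str:
    """First match in ascending rule-id order wins.

    implicit is the verdict when nothing matches: "permit" models a Huawei
    traffic-filter, "deny" models a Cisco ACL.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst, proto, dst_port):
            return rule.action
    return implicit


# acl 2000 exactly as displayed in the notes
ACL_2000 = [Rule(5, "deny", src="10.10.10.10", src_wc="0"), Rule(6, "permit")]

# 'rule 5 deny source 192.168.1.10 0.0.0.255': the wildcard, not the host
# octet, decides what matches, so this denies all of 192.168.1.0/24
ACL_HOST_TYPO = [Rule(5, "deny", src="192.168.1.10", src_wc="0.0.0.255")]

# acl 3000 from the notes: block FTP control to 172.16.10.1 from one subnet,
# block all TCP to 172.16.10.2 from another, permit everything else explicitly
ACL_3000 = [
    Rule(5, "deny", proto="tcp", src="192.168.1.0", src_wc="0.0.0.255",
         dst="172.16.10.1", dst_wc="0", dst_port=21),
    Rule(10, "deny", proto="tcp", src="192.168.2.0", src_wc="0.0.0.255",
         dst="172.16.10.2", dst_wc="0.0.0.0"),
    Rule(15, "permit"),
]
```

Run `evaluate(ACL_HOST_TYPO, "192.168.2.1", "1.1.1.1")` with and without `implicit="deny"` to see the Huawei/Cisco difference on unmatched traffic; the rule 10 entry in `ACL_3000` is TCP-only, so UDP to 172.16.10.2 falls through to rule 15.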
IPsec VPN (virtual private network)
ESP: the security protocol (encrypts and authenticates the payload)    IKE: key negotiation (not used with manual SAs, where the SPIs and keys are typed in on both ends)
3.1 Routing matters most!
Encryption/decryption points (the tunnel endpoints) and communication points (the protected hosts) must all be reachable:
a. reach the peer's encryption/decryption point <directly connected>
b. reach the local communication point <directly connected>
c. reach the peer's communication point <static or default route out of the IPsec-enabled interface>
3.2 IPsec SPD (the ACL), proposal and IPsec policy
AR1
[Huawei]acl 3000
[Huawei-acl-adv-3000]description <text>
[Huawei-acl-adv-3000]rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
AR2
[Huawei]acl 3000
[Huawei-acl-adv-3000]description <text>
[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255    mirror image of AR1's rule
AR1
[Huawei]ipsec proposal sjw
[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1    <authentication-algorithm / encryption-algorithm: integrity and encryption algorithms. Set esp encryption-algorithm explicitly (e.g. aes-128); the platform default on older releases is a legacy cipher>
[Huawei-ipsec-proposal-sjw]dis this
[V200R003C00]
#
ipsec proposal sjw
esp authentication-algorithm sha1
AR2
[Huawei]ipsec proposal sjw
[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1    same algorithms as AR1; the proposal name itself need not match
[Huawei-ipsec-proposal-sjw]dis this
[V200R003C00]
#
ipsec proposal sjw
esp authentication-algorithm sha1
AR1
[Huawei]ipsec policy song 10 manual
[Huawei-ipsec-policy-manual-song-10]security acl 3000
[Huawei-ipsec-policy-manual-song-10]proposal sjw
[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.1        tunnel endpoint (peer)
[Huawei-ipsec-policy-manual-song-10]tunnel local 10.1.2.254       tunnel endpoint (local)
[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei
[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei
AR2
[Huawei]ipsec policy song 10 manual
[Huawei-ipsec-policy-manual-song-10]security acl 3000
[Huawei-ipsec-policy-manual-song-10]proposal sjw
[Huawei-ipsec-policy-manual-song-10]tunnel local 10.1.2.1
[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.254
[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 54321      = AR1's outbound SPI
[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 12345     = AR1's inbound SPI; a single transposed digit here silently breaks the tunnel
[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei
Manual SAs: SPIs and keys are mirrored (one side's outbound is the other's inbound), they never rekey, and "simple" stores the key in cleartext in the configuration; use "cipher", and outside the lab use IKE.
3.3 Apply on the outbound interface
[Huawei-Dialer1]ipsec policy song
[Huawei-GigabitEthernet0/0/0]ipsec policy song
[Huawei]dis ipsec sa                                               verify that the SAs exist
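A consistency check for the manual IPsec configuration above, as an added example that is not part of the original notes. `AR1` and `AR2` are transcribed from the two policies on this page (tunnel endpoints, SPD ACL prefixes, SPIs, keys); `AR2_TYPO` is a constructed variant with one transposed digit in the outbound SPI, and the proposal is represented by its algorithm tuple (the encryption algorithm is left unnamed, as in the notes). The checker reports every asymmetry a peer would reject plus the cleartext "simple" key mode.

```python
"""Consistency check for a pair of manual IPsec policies (SPD, SPIs, keys, endpoints).

Added example, not from the original notes. AR1 and AR2 below are transcribed
from the configuration above; AR2_TYPO is a constructed variant with one
transposed digit in the outbound SPI to show what the check catches.
"""
from typing import List, Tuple


class ManualPolicy:
    def __init__(self, name: str, proposal: Tuple[str, ...], local: str, remote: str,
                 acl: Tuple[str, str], spi_in: int, spi_out: int,
                 key_in: str, key_out: str, key_mode: str = "simple"):
        self.name = name
        self.proposal = proposal                  # algorithm set, e.g. ("esp", "sha1")
        self.local, self.remote = local, remote   # tunnel local / tunnel remote
        self.acl = acl                            # (source, destination) prefix of the SPD rule
        self.spi_in, self.spi_out = spi_in, spi_out
        self.key_in, self.key_out = key_in, key_out
        self.key_mode = key_mode                  # 'simple' = cleartext in config, 'cipher' = encrypted


def check_pair(a: ManualPolicy, b: ManualPolicy) -> List[str]:
    """Return every asymmetry between two manual SAs; an empty list means they pair up."""
    problems = []
    if a.proposal != b.proposal:
        problems.append("proposals use different algorithms")
    if (a.local, a.remote) != (b.remote, b.local):
        problems.append("tunnel local/remote are not mirrored")
    if a.acl != (b.acl[1], b.acl[0]):
        problems.append("SPD ACLs are not mirror images")
    if a.spi_out != b.spi_in:
        problems.append(f"{a.name} outbound SPI {a.spi_out} != {b.name} inbound SPI {b.spi_in}")
    if a.spi_in != b.spi_out:
        problems.append(f"{a.name} inbound SPI {a.spi_in} != {b.name} outbound SPI {b.spi_out}")
    if a.key_out != b.key_in or a.key_in != b.key_out:
        problems.append("string-keys are not mirrored")
    for p in (a, b):
        if p.key_mode == "simple":
            problems.append(f"{p.name}: key stored with 'simple' (cleartext); use cipher")
    return problems


# sha1 as configured; the encryption algorithm is unnamed in the notes (platform default)
PROPOSAL_SJW = ("esp", "sha1")
AR1 = ManualPolicy("AR1", PROPOSAL_SJW, local="10.1.2.254", remote="10.1.2.1",
                   acl=("10.10.10.0/24", "10.1.2.0/24"),
                   spi_in=12345, spi_out=54321, key_in="huawei", key_out="huawei")
AR2 = ManualPolicy("AR2", PROPOSAL_SJW, local="10.1.2.1", remote="10.1.2.254",
                   acl=("10.1.2.0/24", "10.10.10.0/24"),
                   spi_in=54321, spi_out=12345, key_in="huawei", key_out="huawei")
# constructed: outbound SPI 12354 instead of 12345
AR2_TYPO = ManualPolicy("AR2", PROPOSAL_SJW, local="10.1.2.1", remote="10.1.2.254",
                        acl=("10.1.2.0/24", "10.10.10.0/24"),
                        spi_in=54321, spi_out=12354, key_in="huawei", key_out="huawei")
```

`check_pair(AR1, AR2)` leaves only the two "simple" key warnings; `check_pair(AR1, AR2_TYPO)` additionally flags the SPI mismatch that "dis ipsec sa" alone would not explain.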
sw3: create VLANs 10 and 20
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 20
Configure the trunks (uplinks to sw1 and sw2)
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
sw1: VLANs 10 and 20
[Huawei]int Vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.10 24
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.10 24            must be in the VLAN 20 subnet; two Vlanifs cannot share 192.168.10.0/24
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
sw2: VLANs 10 and 20
[Huawei]int Vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.20 24
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.20 24
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
AR1 router
[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24
[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24
[Huawei]int LoopBack 0
[Huawei-LoopBack0]ip address 1.1.1.1 24
Static routes with preference (primary and backup path)
[Huawei]ip route-static 192.168.10.0 24 11.0.0.1                  default preference 60: primary via sw1
[Huawei]ip route-static 192.168.10.0 24 12.0.0.1 preference 70    backup via sw2 (higher value = less preferred; the next hop is sw2's 12.0.0.1, not AR1's own 12.0.0.2)
[Huawei]ip route-static 192.168.20.0 24 12.0.0.1                  default preference 60: primary via sw2
[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70    backup via sw1
sw1
[Huawei]ip route-static 1.1.1.0 24 11.0.0.2
[Huawei-Vlanif100]ip address 11.0.0.1 24
[Huawei-port-group-d]port link-type access
[Huawei-port-group-d]port default vlan 100
sw2
[Huawei]ip route-static 1.1.1.0 24 12.0.0.2
[Huawei-Vlanif100]ip address 12.0.0.1 24
[Huawei-GigabitEthernet0/0/24]port link-type access
[Huawei-GigabitEthernet0/0/24]port default vlan 100
VRRP on core sw1
Elements: trunk, virtual IP, priority, tracked interface
Master and backup must use the same virtual IP and the same VRID
Note: the higher priority becomes Master. Example: master priority 120; when a tracked port goes down the priority is reduced by 10 by default. So the backup must not be 110 but 115: 115 < 120 keeps the master in charge normally, and 120 - 10 = 110 < 115 hands over to the backup when the master's tracked port fails.
Master
[Huawei]int Vlanif 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[Huawei-Vlanif10]vrrp vrid 1 priority 120
(The second group below applies the same rule to the default master priority of 100: its backup is configured with 95.)
VRRP priority range is 0-255: 0 is reserved and sent when a router deliberately gives up the Master role, 255 is reserved for the IP address owner; configurable values are 1-254
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0      preempt immediately once our priority is the highest again
[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24         track the uplink port
[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1          track the downlink port
Backup
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[Huawei-Vlanif10]vrrp vrid 1 priority 115
The backup needs no preempt or tracking configuration: preemption is on by default, and it is the tracking on the master that triggers the switchover (track the backup's uplink too if it can fail on its own).
VRRP on core sw2
Master
[Huawei]int Vlanif 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24
[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2
Preempt and priority can be left at their defaults [default priority 100]; the backup then needs a value strictly between 90 and 100 (95 here). At 90 it would only tie with the degraded master (100 - 10) and the tie is broken by the higher interface IP, not by the failure.
Backup
[Huawei]int Vlanif 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[Huawei-Vlanif20]vrrp vrid 2 priority 95
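The priority arithmetic from the two VRRP groups above, as an added example that is not part of the original notes: a model of master election with interface tracking, including the tie-break that makes an unsound backup priority fail quietly. Router names, addresses and the failing interface are constructed; the default reduction of 10 and default priority of 100 are the values stated on this page.

```python
"""VRRP master election with interface tracking: the arithmetic behind the
priority choices above. Added example, not from the original notes; the
router names, addresses and interface states are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set


class VrrpRouter:
    def __init__(self, name: str, ip: str, priority: int = 100,
                 tracked: Optional[Dict[str, int]] = None,
                 down: Optional[Set[str]] = None):
        self.name = name
        self.ip = ip                      # interface address, used as the tie-breaker
        self.priority = priority          # Huawei default is 100
        self.tracked = tracked or {}      # interface -> 'reduced' value (default 10)
        self.down = down or set()         # tracked interfaces that are currently down

    def effective_priority(self) -> int:
        """Configured priority minus the reduction for every down tracked interface,
        clamped to the configurable range 1..254."""
        eff = self.priority - sum(v for intf, v in self.tracked.items() if intf in self.down)
        return max(1, min(254, eff))


def elect_master(routers: List[VrrpRouter]) -> str:
    """Highest effective priority wins; equal priorities fall back to the higher
    interface IP address (RFC 3768 tie-break), which is rarely what was intended."""
    return max(routers, key=lambda r: (r.effective_priority(),
                                       int(ipaddress.IPv4Address(r.ip)))).name


def backup_priority_ok(master_prio: int, backup_prio: int, reduced: int = 10) -> bool:
    """A backup priority is sound when it sits strictly between the master's
    degraded priority (one tracked interface down) and its normal priority:
    no switchover in steady state, a clean switchover (no tie) on failure."""
    return master_prio - reduced < backup_prio < master_prio


def failover_demo(master_prio: int, backup_prio: int) -> List[str]:
    """Who is master before and after the master's tracked uplink goes down."""
    master = VrrpRouter("sw1", "192.168.10.10", master_prio, {"g0/0/24": 10})
    backup = VrrpRouter("sw2", "192.168.10.20", backup_prio)
    before = elect_master([master, backup])
    master.down.add("g0/0/24")
    after = elect_master([master, backup])
    return [before, after]
```

`failover_demo(120, 115)` and `failover_demo(100, 95)` switch over; `failover_demo(100, 85)` never does because 100 - 10 is still above 85, and `backup_priority_ok(120, 110)` is false because the result would be a tie.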
Firewall: the four default security zones
Servers go in dmz, internal users in trust, the Internet in untrust (lowest priority), and local (the firewall itself) is highest. Default priorities: local 100, trust 85, dmz 50, untrust 5. Traffic from a higher- to a lower-priority zone is "outbound", the reverse is "inbound", and interzone traffic is dropped until a security policy permits it.
firewall zone options:
dmz:     the DMZ security zone
local:   the local security zone
name:    name of the security zone to create or delete
trust:   the trusted security zone
untrust: the untrust security zone
Firewall hot standby (two firewalls)
FW1 (active)
[fw1-GigabitEthernet0/0/0]ip address 10.1.2.1 255.255.255.0            same subnet as FW2's 10.1.2.2 and the virtual IP 10.1.2.254
[fw1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.2.254 active     active = this box is the master of the VGMP group
[fw1-GigabitEthernet0/0/0]service-manage all permit                    permits every management service on this interface; the config then shows the six lines below
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
[fw1-GigabitEthernet1/0/0]ip address 40.1.1.1 255.255.255.0
[fw1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 active
[fw1-GigabitEthernet1/0/0]service-manage all permit                    this is the untrust side: in production permit only what is needed (ping, ssh), never telnet/http/snmp towards the Internet
[fw1-GigabitEthernet1/0/1]ip address 30.1.1.1 255.255.255.0            heartbeat link to FW2
[fw1]firewall zone trust
[fw1-zone-trust]add interface GigabitEthernet0/0/0
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface GigabitEthernet1/0/0
[fw1]firewall zone dmz
[fw1-zone-dmz]add interface GigabitEthernet1/0/1
FW2 (standby)
[fw2-GigabitEthernet0/0/0]ip address 10.1.2.2 255.255.255.0
[fw2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.2.254 standby    standby = backup of the VGMP group
[fw2-GigabitEthernet0/0/0]service-manage all permit                    permits every management service
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
[fw2-GigabitEthernet1/0/0]ip address 40.1.1.2 255.255.255.0
[fw2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 standby
[fw2-GigabitEthernet1/0/0]service-manage all permit
[fw2-GigabitEthernet1/0/1]ip address 30.1.1.2 255.255.255.0            heartbeat link to FW1
[fw2]firewall zone trust
[fw2-zone-trust]add interface GigabitEthernet0/0/0
[fw2]firewall zone untrust
[fw2-zone-untrust]add interface GigabitEthernet1/0/0
[fw2]firewall zone dmz
[fw2-zone-dmz]add interface GigabitEthernet1/0/1
HRP heartbeat link: synchronizes configuration and session state
[fw1]hrp interface GigabitEthernet1/0/1 remote 30.1.1.2                the peer's heartbeat interface address
[fw2]hrp interface GigabitEthernet1/0/1 remote 30.1.1.1
[fw1]hrp enable
[fw2]hrp enable
Once HRP is up the prompts change to HRP_M (master) and HRP_S (standby), and policy and session changes made on the master are synchronized to the standby. Use a dedicated, directly connected link for the heartbeat; placing it in dmz works in the lab, a zone of its own is cleaner.