H3CIE A套实验配置_h3cie 实验a

实验拓扑

实验要求：点击跳转

一、链路聚合

1. 在sw1上创建链路聚合组1，将GE1/0/1、GE1/0/2加入链路聚合组1。

[sw1]interface Bridge-Aggregation 1
[sw1]interface range GigabitEthernet 1/0/1 GigabitEthernet 1/0/2
[sw1-if-range]port link-aggregation group 1
1
2
3

2. 在sw2上创建链路聚合组1，将GE1/0/1、GE1/0/2加入链路聚合组1。

[sw2]interface Bridge-Aggregation 1
[sw2]interface range GigabitEthernet 1/0/1 GigabitEthernet 1/0/2
[sw2-if-range]port link-aggregation group 1
1
2
3

2. 检查
   端口GE1/0/1、GE1/0/2，已加入链路聚合组，端口状态为selected。

[sw1]display link-aggregation verbose 
1

二、VLAN

1.创建vlan

1. 在sw1上创建vlan 10 20 30 40，将GE1/0/4加入vlan 40。

[sw1]vlan 10				// A流
[sw1-vlan10]vlan 20			// B流
[sw1-vlan20]vlan 30			// 互联接口地址
[sw1-vlan30]vlan 40			// G1/0/4
[sw1-vlan40]port GigabitEthernet 1/0/4
1
2
3
4
5

2. 在sw2上创建vlan 10 20 30 40，将GE1/0/4加入vlan 40。

[sw2]vlan 10
[sw2-vlan10]vlan 20
[sw2-vlan20]vlan 30
[sw2-vlan30]vlan 40
[sw2-vlan40]port GigabitEthernet 1/0/4
1
2
3
4
5

3. 在sw3上创建vlan 10 20。

[sw3]vlan 10
[sw3-vlan10]vlan 20
1
2

2.放行vlan

1. 在sw1上进入G1/0/3口，更改链路类型为trunk，放行vlan 10 20，禁止默认vlan 1。

[sw1]interface GigabitEthernet 1/0/3
[sw1-GigabitEthernet1/0/3]port link-type trunk 
[sw1-GigabitEthernet1/0/3]port trunk permit vlan 10 20
[sw1-GigabitEthernet1/0/3]undo port trunk permit vlan 1					
1
2
3
4

2. 在sw1进入链路聚合组1，更改链路类型为trunk，放行vlan 10 20 30，禁止默认vlan 1。

[sw1]interface bridge-aggregation 1
[sw1-Bridge-Aggregation1]port link-type trunk
[sw1-Bridge-Aggregation1]port trunk permit vlan 10 20 30
[sw1-Bridge-Aggregation1]undo port trunk permit vlan 1
1
2
3
4

3. 在sw2上进入G1/0/3口，更改链路类型为trunk，放行vlan 10 20，禁止默认vlan 1。

[sw2]interface GigabitEthernet1/0/3
[sw2-GigabitEthernet1/0/3] port link-type trunk
[sw2-GigabitEthernet1/0/3] port trunk permit vlan 10 20
[sw2-GigabitEthernet1/0/3]undo port trunk permit vlan 1
1
2
3
4

4. 在sw2进入链路聚合组1，更改链路类型为trunk，放行vlan 10 20 30，禁止默认vlan 1。

[sw2]interface Bridge-Aggregation1
[sw2-Bridge-Aggregation1] port link-type trunk
[sw2-Bridge-Aggregation1] port trunk permit vlan 10 20 30
[sw2-Bridge-Aggregation1]undo port trunk permit vlan 1
1
2
3
4

5. 在sw3上进入G1/0/1、G1/0/2口，更改链路类型为trunk，放行vlan 10 20，禁止默认vlan 1。

[sw3]interface range GigabitEthernet 1/0/1 GigabitEthernet 1/0/2
[sw3-if-range]port link-type trunk
[sw3-if-range]port trunk permit vlan 10 20
[sw3-if-range]undo port trunk permit vlan 1
1
2
3
4

6. 检查
   vlan已放行。

[sw1]display port trunk
1

三、MSTP

1. 在 SW1 上进入MSTP域视图，域名为h3c，修订级为3，创建 Instance1 映射 Vlan10，创建 Instance2 映射 Vlan20，激活MSTP域。

[sw1]stp region-configuration 
[sw1-mst-region]region-name h3c
[sw1-mst-region]revision-level 3				// 修订级可做可不做。要做都做，一方做一方不做会导致多域
[sw1-mst-region]instance 1 vlan 10
[sw1-mst-region]instance 2 vlan 20
[sw1-mst-region]active region-configuration 
1
2
3
4
5
6

2. 在 SW1 上配置为 Instance1 的主根和 Instance2 的备份根

[sw1]stp instance 1 root primary 
[sw1]stp instance 2 root secondary 
1
2

3. 在 SW2 上进入MSTP域视图，域名为h3c，修订级为3，创建 Instance1 映射 Vlan10，创建 Instance2 映射 Vlan20，激活MSTP域。

[sw2]stp region-configuration
[sw2-mst-region] region-name h3c
[sw2-mst-region] revision-level 3
[sw2-mst-region] instance 1 vlan 10 
[sw2-mst-region] instance 2 vlan 20 
[sw2-mst-region] active region-configuration
1
2
3
4
5
6

4. 在 SW2 上配置为 Instance1 的备份根和 Instance2 的主根

[sw2]stp instance 1 root  secondary 
[sw2]stp instance 2 root  primary 
1
2

5. 在 SW3 上进入MSTP域视图，域名为h3c，修订级为3，创建 Instance1 映射 Vlan10，创建 Instance2 映射 Vlan20，激活MSTP域。

[sw3]stp region-configuration
[sw3-mst-region] region-name h3c
[sw3-mst-region] revision-level 3
[sw3-mst-region] instance 1 vlan 10 
[sw3-mst-region] instance 2 vlan 20 
[sw3-mst-region] active region-configuration
1
2
3
4
5
6

6. 检查
   在sw3上查看，实例1优先走GE1/0/1，实例2优先走GE1/0/2

<sw3>display stp instance 1 brief
1

四、VRRP

1. 在sw1上配置vlan 10 的IP地址，配置vrrp虚拟地址，vrrp优先级为120。

[sw1]interface Vlan-interface 10
[sw1-Vlan-interface10]ip address 192.168.0.253 24
[sw1-Vlan-interface10]vrrp vrid 10 virtual-ip 192.168.0.254 
[sw1-Vlan-interface10]vrrp vrid 10 priority 120
1
2
3
4

2. 在sw1上配置vlan 20 的IP地址，配置vrrp虚拟地址

[sw1]interface Vlan-interface 20
[sw1-Vlan-interface20]ip address 10.1.255.253 16
[sw1-Vlan-interface20]vrrp vrid 20 virtual-ip 10.1.255.254
1
2
3

3. 在sw2上配置vlan 10 的IP地址，配置vrrp虚拟地址

[sw2]interface Vlan-interface 10 
[sw2-Vlan-interface10]ip address 192.168.0.252 24
[sw2-Vlan-interface10]vrrp vrid 10 virtual-ip 192.168.0.254
1
2
3

4. 在sw2上配置vlan 20 的IP地址，配置vrrp虚拟地址，vrrp优先级为120。

[sw2]interface vlan-interface 20
[sw2-Vlan-interface20]ip address 10.1.255.252 16
[sw2-Vlan-interface20]vrrp vrid 20 virtual-ip 10.1.255.254
[sw2-Vlan-interface20]vrrp vrid 20 priority 120
1
2
3
4

5. 在sw3上配置vlan 10 20 的IP地址

[sw3]interface Vlan-interface 10
[sw3-Vlan-interface10]ip address 192.168.0.1 24
[sw3]interface Vlan-interface 20
[sw3-Vlan-interface20]ip address 10.1.1.100 16
1
2
3
4

6. 检查
   在sw1上查看，vlan 10 为主，vlan 20 为备。
   在sw2上查看，vlan 20 为主，vlan 10 为备。
   此时在sw3上ping 10.1.255.254 、192.168.0.254 可通。

<sw1>display vrrp
1

五、配置IP地址

1.纯IP地址

1. 在sw1上配置IP地址

[sw1]interface Vlan-interface  30
[sw1-Vlan-interface30]ip address 10.255.212.1 30
1
2

[sw1]interface vlan-interface 40
[sw1-Vlan-interface40]ip address 10.255.111.1 30
1
2

[sw1]interface LoopBack 0
[sw1-LoopBack0]ip address 192.168.255.11 32
1
2

2. 在sw2上配置IP地址

[sw2]interface vlan-interface 30
[sw2-Vlan-interface30]ip address 10.255.212.2 30
1
2

[sw2]interface vlan-interface 40
[sw2-Vlan-interface40]ip address 10.255.122.1 30
1
2

[sw2]interface LoopBack 0
[sw2-LoopBack0]ip address 192.168.255.12 32
1
2

3. 在r1上配置IP地址

[r1]interface GigabitEthernet 0/0
[r1-GigabitEthernet0/0]ip address 10.255.111.2 30
1
2

[r1]interface GigabitEthernet 0/1
[r1-GigabitEthernet0/1]ip address 10.255.12.1 30
1
2

[r1]interface GigabitEthernet 0/2
[r1-GigabitEthernet0/2]ip address 100.1.1.1 24
1
2

[r1]interface LoopBack 0
[r1-LoopBack0]ip address 192.168.255.1 32
1
2

4. 在r2上配置IP地址

[r2]interface GigabitEthernet 0/0
[r2-GigabitEthernet0/0]ip address 10.255.122.2 30
1
2

[r2]interface GigabitEthernet 0/1
[r2-GigabitEthernet0/1]ip address 10.255.12.2 30
1
2

[r2]interface Serial 1/0
[r2-Serial1/0]ip address 10.255.25.1 30
1
2

[r2]interface LoopBack 0
[r2-LoopBack0]ip address 192.168.255.2 30
1
2

5. 在r3上配置IP地址

[r3]interface LoopBack 0
[r3-LoopBack0]ip address 192.168.255.3 32
1
2

[r3]interface LoopBack 100
[r3-LoopBack100]ip address 192.168.101.1 24				// a流
1
2

[r3]interface LoopBack 200
[r3-LoopBack200]ip address 10.101.1.1 24					// b流
1
2

6. 在r4上配置IP地址

[r4]interface LoopBack 0
[r4-LoopBack0]ip address 192.168.255.4 32
1
2

[r4]interface LoopBack 100
[r4-LoopBack100]ip address 192.168.102.1 24
1
2

[r4]interface LoopBack 200
[r4-LoopBack200]ip address 10.101.2.1 24
1
2

7. 在r5上配置IP地址

[r5]interface Serial 1/0
[r5-Serial1/0]ip address 10.255.25.2 30
[r5]interface LoopBack 0
[r5-LoopBack0]ip address 192.168.255.5 32
1
2
3
4

2.单臂路由

1. 在r5上进入GE0/0.10子接口，配置IP地址，指定子接口属于vlan10。

[r5]interface GigabitEthernet 0/0.10
[r5-GigabitEthernet0/0.10]ip address 192.168.11.254 24
[r5-GigabitEthernet0/0.10]vlan-type dot1q vid 10
1
2
3

2. 在r5上进入GE0/0.20子接口，配置IP地址，指定子接口属于vlan20。

[r5]interface GigabitEthernet 0/0.20
[r5-GigabitEthernet0/0.20]ip address 10.11.0.254 16
[r5-GigabitEthernet0/0.20]vlan-type dot1q vid 20
1
2
3

3. 在sw4上创建vlan 10 ，为了测试到网关是否可通，给vlan10 配置IP地址

[sw4]vlan 10
[sw4-vlan10]interface vlan-interface 10
[sw4-Vlan-interface10]ip address 192.168.11.1 24
1
2
3

4. 在sw4上创建vlan 20 ，为了测试到网关是否可通，给vlan20 配置IP地址

[sw4]vlan 20
[sw4-vlan20]interface vlan-interface 20
[sw4-Vlan-interface20]ip address 10.11.0.1 16
1
2
3

5. 在sw4上进入GE1/0/1，端口链路类型为trunk，放行vlan 10 20。

[sw4]interface GigabitEthernet 1/0/1
[sw4-GigabitEthernet1/0/1]port link-type trunk
[sw4-GigabitEthernet1/0/1]port trunk permit vlan 10 20
1
2
3

6. 检查
   在sw4上 ping 192.168.11.254、10.11.0.254 可通，单臂路由配置完成。

3.DHCP

1.创建vlan，配置ip

1. 在sw5上创建vlan 10，绑定端口GE1/0/1

[sw5]vlan 10
[sw5-vlan10]port GigabitEthernet 1/0/1
1
2

2. 在sw5上进入vlan10端口配置IP地址

[sw5]interface Vlan-interface 10
[sw5-Vlan-interface10]ip address 100.1.1.254 24
1
2

3. 在sw5上创建vlan 20，绑定端口GE1/0/2

[sw5]vlan 20
[sw5-vlan20]port GigabitEthernet 1/0/2
1
2

4. 在sw5上进入vlan20端口配置IP地址

[sw5]interface Vlan-interface  20
[sw5-Vlan-interface20]ip address 100.1.3.254 24
1
2

5. 在sw5上创建vlan 30，绑定端口GE1/0/3

[sw5]vlan 30
[sw5-vlan30]port GigabitEthernet 1/0/3
1
2

6. 在sw5上进入vlan30端口配置IP地址

[sw5]interface Vlan-interface  30
[sw5-Vlan-interface30]ip address 100.1.4.254 24
1
2

2.创建DHCP地址池

1. 开启DHCP服务

[sw5]dhcp enable 
1

2. 在sw5上创建DHCP地址vlan20，设置网段、网关。

[sw5]dhcp server ip-pool vlan20
[sw5-dhcp-pool-vlan20]network 100.1.3.0 24
[sw5-dhcp-pool-vlan20]gateway-list 100.1.3.254
1
2
3

3. 在sw5上创建DHCP地址vlan30，设置网段、网关。

[sw5]dhcp server ip-pool vlan30
[sw5-dhcp-pool-vlan30]network 100.1.4.0 24
[sw5-dhcp-pool-vlan30]gateway-list 100.1.4.254
1
2
3

3.DHCP自动分配

1. 在r3上进入GE0/0，开启dhcp自动获取地址

[r3]interface GigabitEthernet 0/0
[r3-GigabitEthernet0/0]ip address dhcp-alloc 
1
2

2. 在r4上进入GE0/0，开启dhcp自动获取地址

[r4]interface GigabitEthernet 0/0
[r4-GigabitEthernet0/0]ip address dhcp-alloc 
1
2

3. 检查
   在r3、r4上查看，IP地址已自动分配

<r3>display interface brief 
1

注：DHCP自动分配后，会自动生产一条默认路由，优先级为70。

六、PPP双向验证

1. 在r2上创建用户r5，密码123，服务类型ppp。

[r2]local-user r5 class network
[r2-luser-network-r5]password simple 123
[r2-luser-network-r5]service-type ppp
1
2
3

2. 在r5上创建用户r2，密码123，服务类型ppp。

[r5]local-user r2 class network 
[r5-luser-network-r2]password simple 123
[r5-luser-network-r2]service-type ppp
1
2
3

3. 在r2上进入端口S1/0，ppp认证为chap，用户名r2，密码123。

[r2]interface Serial 1/0
[r2-Serial1/0]ppp authentication-mode chap
[r2-Serial1/0]ppp chap user r2
[r2-Serial1/0]ppp chap password simple 123
1
2
3
4

4. 在r5上进入端口S1/0，ppp认证为chap，用户名r5，密码123。

[r5]interface Serial 1/0
[r5-Serial1/0]ppp authentication-mode chap
[r5-Serial1/0]ppp chap user r5
[r5-Serial1/0]ppp chap  password simple 123
1
2
3
4

5. 检查
   在r2上进入端口S1/0，关闭端口再开启，查看是否出现双up，出现则ppp配置完成。

[r2-Serial1/0]  shutdown 
[r2-Serial1/0]undo shutdown 
1
2

七、OSPF

1. 在sw1上配置OSPF，area 0

[sw1]ospf 1 router-id 192.168.255.11
[sw1-ospf-1]area 0
[sw1-ospf-1-area-0.0.0.0]network 192.168.255.11 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]network 192.168.0.253 0.0.0.255
[sw1-ospf-1-area-0.0.0.0]network 10.1.255.253 0.0.255.255
[sw1-ospf-1-area-0.0.0.0]network 10.255.212.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]network 10.255.111.1 0.0.0.0
1
2
3
4
5
6
7

2. 在sw2上配置OSPF，area 0

[sw2]ospf 1 router-id 192.168.255.12
[sw2-ospf-1]area 0
[sw2-ospf-1-area-0.0.0.0]network 192.168.255.12 0.0.0.0
[sw2-ospf-1-area-0.0.0.0]network 192.168.0.252 0.0.0.255
[sw2-ospf-1-area-0.0.0.0]network 10.1.255.252 0.0.255.255
[sw2-ospf-1-area-0.0.0.0]network 10.255.212.2 0.0.0.0
[sw2-ospf-1-area-0.0.0.0]network 10.255.122.1 0.0.0.0
1
2
3
4
5
6
7

3. 在r1上配置OSPF，area 0

[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 192.168.255.1 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 10.255.111.2 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 10.255.12.1 0.0.0.0
1
2
3
4

4. 在r2上配置OSPF，area 0、area1

[r2]ospf 1 router-id 192.168.255.2
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]network 192.168.255.2 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 10.255.122.2 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 10.255.12.2 0.0.0.0
[r2-ospf-1]area 1
[r2-ospf-1-area-0.0.0.1]network 10.255.25.1 0.0.0.0
1
2
3
4
5
6
7

5. 在r5上配置OSPF，area1

[r5]ospf 1 router-id 192.168.255.5
[r5-ospf-1]area 1
[r5-ospf-1-area-0.0.0.1]network 192.168.255.5 0.0.0.0
[r5-ospf-1-area-0.0.0.1]network 192.168.11.254 0.0.0.255
[r5-ospf-1-area-0.0.0.1]network 10.11.0.254 0.0.255.255
[r5-ospf-1-area-0.0.0.1]network 10.255.25.2 0.0.0.0
1
2
3
4
5
6

6. 检查
   在r5上查看ospf路由表，总部a流、b流已学到

但是用sw4 ping 总部a流 192.168.0.252 不可通，默认路由未配置，配置默认路由后可通。

[sw4]ip route-static 0.0.0.0 0 192.168.11.254
1

八、GRE over IPsec VPN

（1）IPsec VPN

1.VPN配置前提

1. 配置vpn前保证路由可通，配置默认路由。

[r1]ip route-static 0.0.0.0 0 100.1.1.254
1

2.总部IPsec VPN协商第一阶段

1. 创建ike提议

[r1]ike proposal 1
1

2. 创建ike域共享密钥，名称r3，密码123

[r1]ike keychain r3
[r1-ike-keychain-r3]pre-shared-key hostname r3 key simple  123
1
2

3. 创建ike profile r3，模式为野蛮模式，指定本地系统为r1，指定对端系统为r3，绑定ike提议1，预共享密钥r3

[r1]ike profile r3
[r1-ike-profile-r3]exchange-mode aggressive 
[r1-ike-profile-r3]local-identity fqdn r1
[r1-ike-profile-r3]match remote identity fqdn r3
[r1-ike-profile-r3]proposal 1
[r1-ike-profile-r3]keychain r3
1
2
3
4
5
6

4. 创建ike域共享密钥，名称r4，密码123

[r1]ike keychain r4
[r1-ike-keychain-r4]pre-shared-key hostname r4 key simple 123
1
2

5. 创建ike profile r4，模式为野蛮模式，指定本地系统为r1，指定对端系统为r4，绑定ike提议1，预共享密钥r4

[r1]ike profile r4
[r1-ike-profile-r4] exchange-mode aggressive
[r1-ike-profile-r4] local-identity fqdn r1
[r1-ike-profile-r4] match remote identity fqdn r4
[r1-ike-profile-r4] proposal 1 
[r1-ike-profile-r4] keychain r4
1
2
3
4
5
6

3.总部IPsec VPN协商第二阶段

1. 创建ipsec 转换集，名称tran1，验证方式md5，加密方式3des。

[r1]ipsec transform-set tran1
[r1-ipsec-transform-set-tran1]esp authentication-algorithm md5 
[r1-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc 
1
2
3

2. 创建策略模板 tem 3，绑定ike-profile r3，绑定ipsec 转换集 tran1。

[r1]ipsec policy-template tem 3
[r1-ipsec-policy-template-tem-3]ike-profile r3
[r1-ipsec-policy-template-tem-3]transform-set tran1
1
2
3

3. 创建策略模板 tem 4，绑定ike-profile r4，绑定ipsec 转换集 tran1。

[r1]ipsec policy-template tem 4
[r1-ipsec-policy-template-tem-4]ike-profile r4
[r1-ipsec-policy-template-tem-4]transform-set tran1
1
2
3

4. 创建ipsec 策略 H3C ，绑定tem模板。

[r1]ipsec policy H3C 1 isakmp template tem
1

5. 在r1上进入GE0/2，下发ipsec策略H3C。

[r1]interface GigabitEthernet 0/2
[r1-GigabitEthernet0/2]ipsec apply policy H3C
1
2

4.分支r3 IPsec VPN协商第一阶段

1. 抓感兴趣流

[r3]acl advanced 3000
[r3-acl-ipv4-adv-3000]rule permit ip source 192.168.255.3 0 destination 192.168.255.1 0
1
2

2. 创建ike提议

[r3]ike proposal 1
1

3. 创建ike域共享密钥，名称r1，密码123

[r3]ike keychain r1
[r3-ike-keychain-r1]pre-shared-key  address 100.1.1.1 key simple 123
1
2

4. 创建ike profile r1，模式为野蛮模式，指定本地系统为r3，指定对端系统为r1，绑定ike提议1，预共享密钥r1

[r3]ike profile r1
[r3-ike-profile-r1] exchange-mode aggressive
[r3-ike-profile-r1] local-identity fqdn r3
[r3-ike-profile-r1] match remote identity fqdn r1
[r3-ike-profile-r1] proposal 1 
[r3-ike-profile-r1] keychain r1
1
2
3
4
5
6

5.分部r3 IPsec VPN协商第二阶段

1. 创建ipsec 转换集，名称tran1，验证方式md5，加密方式3des。

[r3]ipsec transform-set tran1
[r3-ipsec-transform-set-tran1]esp authentication-algorithm md5 
[r3-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc 
1
2
3

2. 创建策略，绑定acl 3000 ，指定对端100.1.1.1，绑定ike-profile r1，绑定ipsec 转换集 tran1。

[r3]ipsec policy H3C 1 isakmp 
[r3-ipsec-policy-isakmp-H3C-1]security acl 3000
[r3-ipsec-policy-isakmp-H3C-1]remote-address 100.1.1.1
[r3-ipsec-policy-isakmp-H3C-1]ike-profile r1
[r3-ipsec-policy-isakmp-H3C-1]transform-set tran1
1
2
3
4
5

3. 在r3上进入GE0/0，下发ipsec策略H3C。

[r3]interface GigabitEthernet 0/0
[r3-GigabitEthernet0/0]ipsec apply policy H3C
1
2

6.分支r4 IPsec VPN协商第一阶段

1. 抓感兴趣流

[r4]acl advanced 3000
[r4-acl-ipv4-adv-3000]rule permit ip source 192.168.255.4 0 destination 192.168.255.1 0
1
2

2. 创建ike提议

[r4]ike proposal 1
1

3. 创建ike域共享密钥，名称r1，密码123

[r4]ike keychain r1
[r4-ike-keychain-r1]pre-shared-key  address 100.1.1.1 key simple 123
1
2

4. 创建ike profile r1，模式为野蛮模式，指定本地系统为r3，指定对端系统为r1，绑定ike提议1，预共享密钥r1

[r4]ike profile r1
[r4-ike-profile-r1] exchange-mode aggressive
[r4-ike-profile-r1] local-identity fqdn r4
[r4-ike-profile-r1] match remote identity fqdn r1
[r4-ike-profile-r1] proposal 1 
[r4-ike-profile-r1] keychain r1
1
2
3
4
5
6

7.分部r4 IPsec VPN协商第二阶段

1. 创建ipsec 转换集，名称tran1，验证方式md5，加密方式3des。

[r4]ipsec transform-set tran1
[r4-ipsec-transform-set-tran1]esp authentication-algorithm md5 
[r4-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc 
1
2
3

2. 创建策略，绑定acl 3000 ，指定对端100.1.1.1，绑定ike-profile r1，绑定ipsec 转换集 tran1。

[r4]ipsec policy H3C 1 isakmp 
[r4-ipsec-policy-isakmp-H3C-1]security acl 3000
[r4-ipsec-policy-isakmp-H3C-1]remote-address 100.1.1.1
[r4-ipsec-policy-isakmp-H3C-1]ike-profile r1
[r4-ipsec-policy-isakmp-H3C-1]transform-set tran1
1
2
3
4
5

3. 在r3上进入GE0/0，下发ipsec策略H3C。

[r4]interface GigabitEthernet 0/0
[r4-GigabitEthernet0/0]ipsec apply policy H3C
1
2

8.检查

1. 第一阶段ike协商成功

[r1]display ike sa
1

2. 第二阶段ipsec协商成功

[r1]display ipsec sa brief 
1

3. 分支 ping 总部 可通
注：少配漏配后补全无法 ping 通，用reset ike sa，reset ipsec sa清除重新触发sa

（2）GRE VPN

1. 在r1上进入Tun0，模式gre，配置IP地址，配置源目端口，开启保活。

[r1]interface Tunnel 0 mode gre
[r1-Tunnel0]ip address 10.255.13.1 30
[r1-Tunnel0]source LoopBack 0
[r1-Tunnel0]destination  192.168.255.3
[r1-Tunnel0]keepalive 
1
2
3
4
5

2. 在r1上进入Tun1，模式gre，配置IP地址，配置源目端口，开启保活。

[r1]interface Tunnel 1 mode gre
[r1-Tunnel1]ip address 10.255.14.1 30
[r1-Tunnel1]source LoopBack 0
[r1-Tunnel1]destination 192.168.255.4
[r1-Tunnel1]keepalive 
1
2
3
4
5

3. 在r3上进入Tun1，模式gre，配置IP地址，配置源目端口，开启保活。

[r3]interface Tunnel 1 mode gre
[r3-Tunnel1]ip address 10.255.13.2 30
[r3-Tunnel1]source LoopBack 0
[r3-Tunnel1]destination 192.168.255.1
[r3-Tunnel1]keepalive 
1
2
3
4
5

4. 在r4上进入Tun1，模式gre，配置IP地址，配置源目端口，开启保活。

[r4]interface Tunnel 1 mode gre 
[r4-Tunnel1]ip address 10.255.14.2 30
[r4-Tunnel1]source LoopBack 0
[r4-Tunnel1]destination 192.168.255.1
[r4-Tunnel1]keepalive 
1
2
3
4
5

5. 检查
   用总部 ping 分部 可通

九、RIP

1. 在r1上配置rip

[r1]rip
[r1-rip-1]version 2
[r1-rip-1]undo summary
[r1-rip-1]network 10.0.0.0
1
2
3
4

2. 在r3上配置rip

[r3]rip
[r3-rip-1]version 2
[r3-rip-1]undo summary 
[r3-rip-1]network 10.0.0.0
[r3-rip-1]network 192.168.101.0
1
2
3
4
5

3. 在r4上配置rip

[r4]rip
[r4-rip-1]version 2
[r4-rip-1]undo summary 
[r4-rip-1]network 10.0.0.0
[r4-rip-1]network 192.168.102.0
1
2
3
4
5

4. 检查
   在r1上查看rip路由表，已学到r3，r4上的路由。

[r1]display ip routing-table protocol rip
1

十、路由引入

1.OSPF引入RIP

1. 创建地址前缀列表

[r1]ip prefix-list o2r permit 192.168.0.0 24
[r1]ip prefix-list o2r permit 10.0.0.0 8 greater-equal 16 less-equal 24
[r1]ip prefix-list o2r permit 10.0.0.0 8 greater-equal 32
1
2
3

2. 创建路由策略，绑定地址前缀列表o2r

[r1]route-policy o2r permit node 10
[r1-route-policy-o2r-10]if-match ip address prefix-list o2r
1
2

3. 在r1的rip中引入ospf

[r1]rip
[r1-rip-1]import-route ospf route-policy o2r
1
2

4. 检查
   在r3上查看ospf路由表，已获取到sw3的路由

<r3>display ip routing-table protocol rip
1

2.RIP引入OSPF

1. 创建地址前缀列表

[r1]ip prefix-list r2o permit 192.168.64.0 18 less-equal 32
[r1]ip prefix-list r2o permit 10.101.0.0 16 less-equal 32
1
2

2. 创建路由策略，绑定地址前缀列表r2o

[r1]route-policy r2o permit node 10
[r1-route-policy-r2o-10]if-match ip address prefix-list r2o
1
2

3. 在r1的ospf中引入rip

[r1]ospf
[r1-ospf-1]import-route rip route-policy r2o
1
2

4. 检查
   在sw1上查看ospf路由表，已获取到r3、r4的路由

<sw1>display ip routing-table protocol ospf 
1

十一、路由过滤

（1）分支一过滤

1. 在r5上配置acl 2000

[r5]acl basic 2000
[r5-acl-ipv4-basic-2000]rule permit source 192.168.0.0 0.0.0.255
[r5-acl-ipv4-basic-2000]rule permit source 10.1.0.0 0.0.255.255
[r5-acl-ipv4-basic-2000]rule permit source 10.101.0.0 0.0.255.255
1
2
3
4

2. 在r5 的ospf中设置acl 2000为入方向

[r5]ospf
[r5-ospf-1]filter-policy 2000 import 
1
2

3. 检查
   在r5 上查看ospf路由表，发现分支二的路由已过滤

[r5]display ip routing-table protocol ospf
1

（2）分支二过滤

1. 在r3上配置acl 2000

[r3]acl basic 2000
[r3-acl-ipv4-basic-2000]rule deny source 192.168.102.0 0.0.0.255
[r3-acl-ipv4-basic-2000]rule permit source any 
1
2
3

2. 在r3 的rip中设置acl 2000为入方向

[r3]rip
[r3-rip-1]filter-policy 2000 import 
1
2

3. 在r4上配置acl 2000

[r4]acl basic 2000
[r4-acl-ipv4-basic-2000]rule deny source 192.168.101.0 0.0.0.255
[r4-acl-ipv4-basic-2000]rule permit source any
1
2
3

4. 在r4 的rip中设置acl 2000为入方向

[r4]rip
[r4-rip-1]filter-policy 2000 import 
1
2

5. 检查
   在r3、r4 上查看ospf路由表，发现路由已过滤

<r1>terminal debugging 
The current terminal is enabled to display debugging logs.
<r1>terminal monitor 
The current terminal is enabled to display logs.
1
2
3
4

十二、静默接口

[r1]rip
[r1-rip-1]silent-interface GigabitEthernet 0/0
[r1-rip-1]silent-interface GigabitEthernet 0/1
1
2
3

[sw1]ospf
[sw1-ospf-1]silent-interface Vlan-interface 10
[sw1-ospf-1]silent-interface Vlan-interface 20
1
2
3

[sw2]ospf
[sw2-ospf-1]silent-interface Vlan-interface 10
[sw2-ospf-1]silent-interface Vlan-interface 20
1
2
3

[r3]rip
[r3-rip-1]silent-interface LoopBack 100
[r3-rip-1]silent-interface LoopBack 200
1
2
3

[r4]rip
[r4-rip-1]silent-interface LoopBack 100
[r4-rip-1]silent-interface LoopBack 200
1
2
3

[r5]ospf
[r5-ospf-1]silent-interface GigabitEthernet 0/0.10
[r5-ospf-1]silent-interface GigabitEthernet 0/0.20
1
2
3

十三、消除等价路由

1. 在sw1上将vlan30的cost 改为1000。

[sw1]interface Vlan-interface 30
[sw1-Vlan-interface30]ospf cost 1000
1
2

2. 在sw2上将vlan30的cost 改为1000。

[sw2]interface Vlan-interface 30
[sw2-Vlan-interface30]ospf cost 1000
1
2

3.检查
cost更改前后路由如下：

十四、NAT

1.引入默认路由

[r1]ospf
[r1-ospf-1]default-route-advertise
1
2

[r1]acl basic 2001
[r1-acl-ipv4-basic-2001]rule permit source 10.1.0.0 0.0.255.255
[r1]interface GigabitEthernet 0/2
[r1-GigabitEthernet0/2]nat outbound 2001
1
2
3
4

[r3]acl basic 2001
[r3-acl-ipv4-basic-2001]rule permit source 10.101.1.0 0.0.0.255
[r3]interface GigabitEthernet 0/0
[r3-GigabitEthernet0/0]nat outbound 2001
1
2
3
4

[r4]acl basic 2001
[r4-acl-ipv4-basic-2001]rule permit source 10.101.2.0 0.0.0.255
[r4]interface GigabitEthernet 0/0
[r4-GigabitEthernet0/0]nat outbound 2001
1
2
3
4

6. 配置默认路由

[sw3]ip route-static 0.0.0.0 0 192.168.0.254
[sw3]ip route-static 0.0.0.0 0 10.1.255.254
1
2

7. 静态nat

[r1]nat static outbound 10.1.1.100 100.1.1.100
[r1]interface GigabitEthernet 0/2
[r1-GigabitEthernet0/2]nat static enable 
1
2
3

十五、QOS

1. 创建acl 3000

[r2]acl advanced 3000
[r2-acl-ipv4-adv-3000]rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
1
2

2. 创建类a，绑定acl 3000

[r2]traffic classifier a
[r2-classifier-a]if-match acl 3000
1
2

3. 创建行为 a，最小带宽1500

[r2]traffic behavior a
[r2-behavior-a]queue af bandwidth 1500
1
2

4. 创建策略a，绑定类和行为

[r2]qos policy a
[r2-qospolicy-a]classifier a behavior a
1
2

5. 在r2上进入S1/0，在出方向下发 QOS 策略

[r2]interface Serial 1/0
[r2-Serial1/0]bandwidth 2048
[r2-Serial1/0]qos apply policy a outbound 
1
2
3

6. 检查
   在r1上查看，bandwidth 1500

<r1>display qos policy interface Serial 1/0
1

7. 在r5上做同样配置

[r5]acl advanced 3000
[r5-acl-ipv4-adv-3000]rule permit ip source 192.168.11.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
1
2

十六、Telnet

[r1]acl basic 2002
[r1-acl-ipv4-basic-2002]rule permit source 192.168.0.100 0
1
2

[r1]undo password-control enable 
[r1]undo password-control length enable 
[r1]undo password-control complexity user-name check 
[r1]undo password-control change-password weak-password enable 
[r1]undo password-control composition enable 
1
2
3
4
5

[r1]telnet server enable 
[r1]local-user abc
[r1-luser-manage-abc]password simple 123
[r1-luser-manage-abc]service-type telnet
[r1-luser-manage-abc]authorization-attribute user-role level-15
1
2
3
4
5

[r1]line vty 0 63
[r1-line-vty0-63]authentication-mode scheme 
1
2

[r1]telnet server acl 2002
1