华为:hcia综合实验

一、拓扑图

二、实验要求

  1. pc地址请自行规划,vlan已给出

  2. 服务器地址自行规划,vlan,网段已给出

  3. 交换机互联链路捆绑保证冗余性

  4. 内网pc网关集中于核心交换机,交换机vlan 40互联路由器,地址网段已给出

5.配置静态路由实现内外网互通(内网主机在公网上使用公网地址访问外网)

内网有线无线用户以拨号的形式访问外网(PPPoE)

6.外网主机vlan、地址网段已给出,自行规划地址及网关

  7. 外网客户端可以访问内网FTP服务器(隐藏服务器内网地址)

8.利用基本ACL/高级ACL实现

pc1 不能访问服务器

pc3 不能访问pc4

注意:交换机也可以调用ACL,可以使用traffic-filter 命令

  9. 无线部分配置要求:管理vlan100,业务vlan101

AC作为服务器,为AP分配地址,接口地址池

SW3作为服务器为用户分配地址,接口地址池

AP管理组、安全模板、域管理模板、SSID模板、VAP模板等请自行规划,以用户能正确获取地址并连接无线网络为准,AC建立CAPWAP隧道源接口地址为vlanif接口

三、配置命令

AR4:

[ar4]dis cu 
[V200R003C00]
#
 sysname ar4
#
 board add 0/4 2SA 
#
 undo info-center enable
#
acl number 2000  
 rule 10 permit source 192.168.10.0 0.0.0.255 
 rule 20 permit source 192.168.20.0 0.0.0.255 
 rule 101 permit source 192.168.101.0 0.0.0.255 
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
 nat address-group 4 200.1.1.10 200.1.1.20
#
interface Serial4/0/0
 link-protocol ppp
 ppp chap user huawei
 ppp chap password cipher %$%$smyT5"wVxGLN>.Eku2fN,.^~%$%$
 ip address 200.1.1.1 255.255.255.0 
 nat server protocol tcp global 200.1.1.21 ftp inside 192.168.30.1 ftp
 nat outbound 2000 address-group 4 
#
interface Serial4/0/1
 link-protocol ppp
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 Serial4/0/0
ip route-static 192.168.10.0 255.255.255.0 10.1.1.1
ip route-static 192.168.20.0 255.255.255.0 10.1.1.1
ip route-static 192.168.30.0 255.255.255.0 10.1.1.1
ip route-static 192.168.100.0 255.255.255.0 10.1.1.1
ip route-static 192.168.101.0 255.255.255.0 10.1.1.1
#
return

S3:

[Sw3]dis cu 
#
sysname Sw3
#
undo info-center enable
#
vlan batch 10 20 30 40 100 to 101
#
dhcp enable
#
acl number 3000
 rule 10 deny ip source 192.168.10.1 0 destination 192.168.30.1 0
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.254 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif101
 ip address 192.168.101.254 255.255.255.0
 dhcp select interface
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 100 to 101
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
 traffic-filter outbound acl 3000
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 eth-trunk 2
#
interface GigabitEthernet0/0/6
 eth-trunk 2
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/8
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2

#
return

AC:

[AC6605]dis cu 
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 192.168.100.254 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
#
 undo info-center enable
#
capwap source interface vlanif100
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#.],$1'A0v3fyOs28$.VWFo(}Xn*W@G&FB.*W!@V~
%^%# aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap 
 ap-group name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 1 type-id 61 ap-mac 00e0-fc39-4180 ap-sn 210235448310AD5CEC06
  ap-name area1
  ap-group ap-group1
 ap-id 2 type-id 61 ap-mac 00e0-fcf9-1830 ap-sn 2102354483102877682D
  ap-name area2
  ap-group ap-group1
 provision-ap
#
return

S7:

[s7]]dis cu 
#
sysname s7]
#
undo info-center enable
#
vlan batch 10 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/6
#
return

S8:

[s8]dis cu 
#
sysname s8
#
undo info-center enable
#
vlan batch 20 100 to 101
#
acl number 3001
 rule 10 deny ip source 192.168.20.3 0 destination 192.168.20.4 0
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 traffic-filter outbound acl 3001
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/5
 eth-trunk 2
#
interface GigabitEthernet0/0/6
 eth-trunk 2
#
interface GigabitEthernet0/0/7
#
interface NULL0
#
return

AR5:

[ar5]dis cu 
[V200R003C00]
#
 sysname ar5
#
 board add 0/4 2SA 
#
 undo info-center enable
#
dhcp enable
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
 local-user huawei password cipher %$%$"5_":.XY0UJ:+GUN5>^>>I#9%$%$
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
firewall zone Local
 priority 15
#
interface Serial4/0/0
 link-protocol ppp
 ppp authentication-mode chap 
 ip address 200.1.1.2 255.255.255.0 
#
interface Serial4/0/1
 link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.1
#
interface GigabitEthernet0/0/0.2
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 100
 ip address 172.16.100.254 255.255.255.0 
 arp broadcast enable
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 200
 ip address 172.16.200.254 255.255.255.0 
 arp broadcast enable
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 Serial4/0/0
#
return

S6:

[s6]dis cu 
#
sysname s6
#
undo info-center enable
#
vlan batch 100 200
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return

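完成过程可参照前面其他文章,文章仅为个人学习资料。

注意:Sw3、s8 上的 local-user admin password simple admin 是明文保存的弱口令,且 admin 用户开启了 http 服务类型;ar4、ar5 中的 cipher 密文以及 AC 上的无线 pass-phrase 密文也已随配置一起公开,应视为已泄露。以上口令和密钥仅适用于实验环境,在真实设备上复用本配置前应全部更换为强口令,并避免使用 simple 方式保存。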
