1+X Network System Construction and O&M (Intermediate) - Practice Exercise 4

一. Device Naming

LSW1

<Huawei>sys
[Huawei]sysn LSW1
[LSW1]un in en

Configure all the other devices in the same way, using the commands above.

二. VLAN

LSW1

[LSW1]vlan ba 1 10 20 100
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 100
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 100
[LSW1-GigabitEthernet0/0/2]int e0/0/22
[LSW1-Ethernet0/0/22]port link-type access
[LSW1-Ethernet0/0/22]port default vlan 10
[LSW1-Ethernet0/0/22]dis port vlan

LSW2

[LSW2]vlan ba 20 10 100
[LSW2]int g0/0/1  
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 100
[LSW2-GigabitEthernet0/0/1]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type trunk
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 100
[LSW2-GigabitEthernet0/0/2]int e0/0/22
[LSW2-Ethernet0/0/22]port link-type hybrid
[LSW2-Ethernet0/0/22]port hybrid pvid vlan 20
[LSW2-Ethernet0/0/22]port hybrid untagged vlan 20
[LSW2-Ethernet0/0/22]dis port vlan

LSW3

[LSW3]vlan ba 101 10 20 100
[LSW3]int g0/0/1 
[LSW3-GigabitEthernet0/0/1]port link-type access
[LSW3-GigabitEthernet0/0/1]port default vlan 101
[LSW3-GigabitEthernet0/0/1]int g0/0/20
[LSW3-GigabitEthernet0/0/20]port link-type trunk
[LSW3-GigabitEthernet0/0/20]port trunk allow-pass vlan 10 20 100
[LSW3-GigabitEthernet0/0/20]int g0/0/21
[LSW3-GigabitEthernet0/0/21]port link-type trunk
[LSW3-GigabitEthernet0/0/21]port trunk allow-pass vlan 10 20 100
[LSW3-GigabitEthernet0/0/21]int eth-trunk 1
[LSW3-Eth-Trunk1]port link-type trunk
[LSW3-Eth-Trunk1]port trunk allow-pass vlan 10 20 100
[LSW3-Eth-Trunk1]undo port trunk allow-pass vlan 1
[LSW3-Eth-Trunk1]port trunk pvid vlan 100
[LSW3-Eth-Trunk1]dis port vlan

LSW4

[LSW4]vlan ba 201 10 20 100
[LSW4]int g0/0/1
[LSW4-GigabitEthernet0/0/1]port link-type access
[LSW4-GigabitEthernet0/0/1]port default vlan 201
[LSW4-GigabitEthernet0/0/1]int g0/0/20
[LSW4-GigabitEthernet0/0/20]port link-type trunk
[LSW4-GigabitEthernet0/0/20]port trunk allow-pass vlan 10 20 100
[LSW4-GigabitEthernet0/0/20]int g0/0/21
[LSW4-GigabitEthernet0/0/21]port link-type trunk
[LSW4-GigabitEthernet0/0/21]port trunk allow-pass vlan 10 20 100
[LSW4-GigabitEthernet0/0/21]int eth-trunk 1
[LSW4-Eth-Trunk1]port link-type trunk
[LSW4-Eth-Trunk1]port trunk allow-pass vlan 10 20 100
[LSW4-Eth-Trunk1]undo port trunk allow-pass vlan 1
[LSW4-Eth-Trunk1]port trunk pvid vlan 100
[LSW4-Eth-Trunk1]dis port vlan

三. IP Addressing

AR1

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 13.0.0.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 12.0.0.1 26
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 31.0.0.2 24
[AR1-GigabitEthernet0/0/2]int loo0
[AR1-LoopBack0]ip add 1.1.1.1 32

AR2

[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 23.0.0.1 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 12.0.0.2 26
[AR2-GigabitEthernet0/0/1]int g0/0/2
[AR2-GigabitEthernet0/0/2]ip add 42.0.0.2 24
[AR2-GigabitEthernet0/0/2]int loo0
[AR2-LoopBack0]ip add 2.2.2.2 32

AR3

[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 23.0.0.2 24
[AR3-GigabitEthernet0/0/0]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip add 34.0.0.1 24
[AR3-GigabitEthernet0/0/1]int g0/0/2
[AR3-GigabitEthernet0/0/2]ip add 13.0.0.2 24
[AR3-GigabitEthernet0/0/2]int g0/0/3
[AR3-GigabitEthernet0/0/3]ip add 35.0.0.1 30
[AR3-GigabitEthernet0/0/3]int loo 0
[AR3-LoopBack0]ip add 3.3.3.3 32

AR4

[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 34.0.0.2 24
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 4.0.0.1 24

LSW3

[LSW3]int vlan 10
[LSW3-Vlanif10]ip add 192.168.10.100 24
[LSW3-Vlanif10]int vlan 20
[LSW3-Vlanif20]ip add 192.168.20.100 24
[LSW3-Vlanif20]int vlan 100
[LSW3-Vlanif100]ip add 192.168.100.100 24
[LSW3-Vlanif100]int vlan 101
[LSW3-Vlanif101]ip add 31.0.0.1 24
[LSW3-Vlanif101]int loo0
[LSW3-LoopBack0]ip add 5.5.5.5 32

LSW4

[LSW4-Eth-Trunk1]int vlan 10
[LSW4-Vlanif10]ip add 192.168.10.101 24
[LSW4-Vlanif10]int vlan 20
[LSW4-Vlanif20]ip add 192.168.20.101 24
[LSW4-Vlanif20]int vlan 100
[LSW4-Vlanif100]ip add 192.168.100.101 24
[LSW4-Vlanif100]int vlan 201
[LSW4-Vlanif201]ip add 42.0.0.1 24
[LSW4-Vlanif201]int loo0
[LSW4-LoopBack0]ip add 4.4.4.4 32

四. Link Aggregation

To maximize bandwidth without upgrading the hardware:

1. Configure link aggregation between LSW3 and LSW4. Implement Layer 2 link aggregation in LACP mode with member interfaces GE0/0/22, GE0/0/23 and GE0/0/24, link aggregation interface ID 1, and LSW3 as the LACP active end with priority 1000.

2. To keep the link stable, configure the aggregated link with at most 2 active links, so that the third link serves as a backup

LSW3

[LSW3]int Eth-Trunk 1
[LSW3-Eth-Trunk1]mode lacp-static
[LSW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/22 to 0/0/24
[LSW3-Eth-Trunk1]max active-linknumber 2
[LSW3-Eth-Trunk1]q
[LSW3]lacp priority 1000
[LSW3]dis eth-trunk 1

LSW4

[LSW4]int Eth-Trunk 1
[LSW4-Eth-Trunk1]mode lacp-static
[LSW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/22 to 0/0/24
[LSW4-Eth-Trunk1]dis eth-trunk 1

五. Spanning Tree Protocol

To prevent loops in the Layer 2 network and improve reliability, configure RSTP between LSW1, LSW2, LSW3 and LSW4.

1. The STP mode is RSTP. Set the priority of LSW3 to 4096 so that it becomes the root bridge, and the priority of LSW4 to 8192 so that it becomes the backup root bridge.
2. To maximize network stability and avoid fluctuation caused by hosts rebooting frequently, all switch edge ports connected to PCs must not take part in the STP calculation and must go directly to the Forwarding state; also enable BPDU protection on LSW1, LSW2, LSW3 and LSW4.

3. To prevent an attacker from connecting a switch with a higher spanning-tree priority to the GE0/0/1 interface of LSW3, configure STP root protection on that interface.

LSW1

[LSW1]stp mode rstp
[LSW1]int e0/0/22
[LSW1-Ethernet0/0/22]stp edged-port enable
[LSW1-Ethernet0/0/22]q
[LSW1]stp bpdu-protection

LSW2

[LSW2]stp mode rstp
[LSW2]int e0/0/22
[LSW2-Ethernet0/0/22]stp edged-port enable
[LSW2-Ethernet0/0/22]q
[LSW2]stp bpdu-protection

LSW3

[LSW3]stp mode rstp
[LSW3]stp priority 4096
[LSW3]stp bpdu-protection
[LSW3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]stp root-protection

LSW4

[LSW4]stp mode rstp
[LSW4]stp priority 8192
[LSW4]stp bpdu-protection

六. VRRP

1. The settings are as follows:
LSW3:
VLANIF10: VRID 1, virtual address 192.168.10.254, priority changed to 150

VLANIF20: VRID 2, virtual address 192.168.20.254, priority changed to 150

LSW4:
VLANIF10: VRID 1, virtual address 192.168.10.254
VLANIF20: VRID 2, virtual address 192.168.20.254

2. To secure the VRRP sessions, authenticate VRID 1 and VRID 2 using MD5 authentication with the password Huawei.

3. To keep the network stable during gateway switchover, configure a VRRP preemption delay of 30 s.

4. So that a problem on the uplink does not interrupt communication, configure tracking of the uplink interface state on GE0/0/1 of LSW3; if the interface goes down, reduce the priority by 100 so that LSW4 becomes the gateway.

LSW3

[LSW3]int vlan 10
[LSW3-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[LSW3-Vlanif10]vrrp vrid 1 priority 150
[LSW3-Vlanif10]int vlan 20
[LSW3-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.254
[LSW3-Vlanif20]vrrp vrid 2 priority 150

[LSW3-Vlanif20]int vlan 10
[LSW3-Vlanif10]vrrp vrid 1 authentication-mode md5 Huawei
[LSW3-Vlanif10]int vlan 20
[LSW3-Vlanif20]vrrp vrid 2 authentication-mode md5 Huawei

[LSW3-Vlanif20]int vlan 10
[LSW3-Vlanif10]vrrp vrid 1 preempt-mode timer delay 30
[LSW3-Vlanif10]int vlan 20
[LSW3-Vlanif20]vrrp vrid 2 preempt-mode timer delay 30

[LSW3-Vlanif20]int vlan 10
[LSW3-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 100
[LSW3-Vlanif10]int vlan 20
[LSW3-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 100

LSW4

[LSW4]int vlan 10
[LSW4-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[LSW4-Vlanif10]int vlan 20
[LSW4-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.254

[LSW4-Vlanif20]int vlan 10
[LSW4-Vlanif10]vrrp vrid 1 authentication-mode md5 Huawei
[LSW4-Vlanif10]int vlan 20
[LSW4-Vlanif20]vrrp vrid 2 authentication-mode md5 Huawei

[LSW4-Vlanif20]int vlan 10
[LSW4-Vlanif10]vrrp vrid 1 preempt-mode timer delay 30
[LSW4-Vlanif10]int vlan 20
[LSW4-Vlanif20]vrrp vrid 2 preempt-mode timer delay 30
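As an added example that is not part of the original exercise, the following Python models the VRRP behaviour configured above for VRID 1: LSW3 at priority 150 against LSW4 at the Huawei default of 100, the uplink track that subtracts 100, and the 30 s preempt delay on both sides. The class and function names are mine, and the model assumes preemption is enabled by default (it is on Huawei VRP).

```python
# Added example, not part of the original exercise: a small model of the VRRP
# behaviour configured above (LSW3 priority 150 vs. LSW4 at the Huawei default
# of 100, uplink tracking that subtracts 100, and the 30 s preempt delay).
from dataclasses import dataclass

@dataclass
class VrrpRouter:
    name: str
    ip: str                  # VLANIF address, the tie-breaker for equal priorities
    priority: int = 100      # Huawei default when no "vrrp vrid ... priority" is set
    uplink_up: bool = True   # state of the tracked interface (G0/0/1 on LSW3)
    track_reduce: int = 0    # "track interface ... reduced N"
    preempt_delay: int = 0   # "preempt-mode timer delay N", in seconds

    def effective_priority(self) -> int:
        """Configured priority, minus the tracked reduction while the uplink is down."""
        if self.uplink_up:
            return self.priority
        return max(1, self.priority - self.track_reduce)

def elect_master(routers):
    """Highest effective priority wins; equal priorities go to the higher IP address."""
    def rank(r):
        return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))
    return max(routers, key=rank).name

def master_at(routers, current_master, t_change, t_now):
    """Who holds the VIP at t_now, given that priorities changed at t_change while
    current_master owned it. A better router only preempts after its own delay
    (preemption is on by default on Huawei; the delay is what the page configures).
    Not modelled: a master that stops sending advertisements altogether, where the
    backup takes over after the master-down interval regardless of the delay."""
    best = elect_master(routers)
    if best == current_master:
        return current_master
    delay = next(r.preempt_delay for r in routers if r.name == best)
    return best if t_now - t_change >= delay else current_master

def build_page_routers():
    """VRID 1 on VLANIF10 as configured on LSW3 and LSW4 in this exercise."""
    lsw3 = VrrpRouter("LSW3", "192.168.10.100", priority=150,
                      track_reduce=100, preempt_delay=30)
    lsw4 = VrrpRouter("LSW4", "192.168.10.101", preempt_delay=30)
    return lsw3, lsw4
```

With the uplink down LSW3 drops to 50, LSW4 takes the VIP 30 s later, and when the uplink returns LSW3 reclaims it only after its own 30 s delay.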

七. Routing

1. Configure OSPF process 1 on LSW3, LSW4, AR1, AR2 and AR3, with the router-id equal to the Loopback address and the Loopback address advertised into the backbone area.

On LSW2 and LSW3, advertise VLANIF10 into area 1 and VLANIF20 into area 2; advertise all remaining addresses into area 0. Every advertisement uses the network form whose wildcard matches the interface mask. The IP addresses of the G0/0/1 and G4/0/0 interfaces of AR3 are not advertised into OSPF.

2. For OSPF security, configure area authentication in MD5 mode with key ID 1, the password stored in cipher form, password: huawei

3. Configure a default route on AR3 with the next hop pointing to the ISP router AR4. Configure default routes on AR4 and AR5 with the next hop on AR3.

4. Configure a static route on AR3 to reach the network of PC3.

AR1

[AR1]ospf 1 router-id 1.1.1.1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei
[AR1-ospf-1-area-0.0.0.0]network 31.0.0.0 0.0.0.255   
[AR1-ospf-1-area-0.0.0.0]network 13.0.0.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 12.0.0.0 0.0.0.63
[AR1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0

AR2

[AR2]ospf 1 router-id 2.2.2.2
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei
[AR2-ospf-1-area-0.0.0.0]network 23.0.0.1 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 12.0.0.2 0.0.0.63 
[AR2-ospf-1-area-0.0.0.0]network 42.0.0.2 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0

AR3

[AR3]ospf 1 router-id 3.3.3.3
[AR3-ospf-1]area 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei
[AR3-ospf-1-area-0.0.0.0]network 23.0.0.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 13.0.0.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0

[AR3]ip route-static 0.0.0.0 0.0.0.0 34.0.0.2

[AR3]ip route-static 192.168.30.0 255.255.255.0 35.0.0.2

LSW3

[LSW3]ospf 1 router-id 5.5.5.5

[LSW3-ospf-1]area 0
[LSW3-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei
[LSW3-ospf-1-area-0.0.0.0]network 192.168.100.100 0.0.0.255
[LSW3-ospf-1-area-0.0.0.0]network 31.0.0.1 0.0.0.255
[LSW3-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[LSW3-ospf-1-area-0.0.0.0]q
[LSW3-ospf-1]area 1
[LSW3-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei
[LSW3-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[LSW3-ospf-1-area-0.0.0.1]q
[LSW3-ospf-1]area 2
[LSW3-ospf-1-area-0.0.0.2]authentication-mode md5 1 cipher huawei
[LSW3-ospf-1-area-0.0.0.2]network  192.168.20.0 0.0.0.255

LSW4

[LSW4]ospf 1 router-id 4.4.4.4
[LSW4-ospf-1]area 0
[LSW4-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei
[LSW4-ospf-1-area-0.0.0.0]network 192.168.100.101 0.0.0.255
[LSW4-ospf-1-area-0.0.0.0]network 42.0.0.1 0.0.0.255
[LSW4-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[LSW4-ospf-1-area-0.0.0.0]q
[LSW4-ospf-1]area 1
[LSW4-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei
[LSW4-ospf-1-area-0.0.0.1]network 192.168.10.101 0.0.0.255
[LSW4-ospf-1-area-0.0.0.1]q
[LSW4-ospf-1]area 2
[LSW4-ospf-1-area-0.0.0.2]authentication-mode md5 1 cipher huawei
[LSW4-ospf-1-area-0.0.0.2]network 192.168.20.101 0.0.0.255

AR4

[AR4]ip route-static 0.0.0.0 0.0.0.0 34.0.0.1

AR5

[AR5]ip route-static 0.0.0.0 0.0.0.0 35.0.0.1
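As an added example that is not part of the exercise, this Python derives OSPF network statements in the wildcard form the task asks for (wildcard equal to the inverted interface mask) and audits which interface addresses a set of statements actually enables, using the AR3 addressing and statements from this page as constructed input. Function names are mine; the matching rule is the one VRP applies (the interface address must agree with the statement on every bit where the wildcard is 0).

```python
# Added example, not from the exercise: builds OSPF "network" statements whose
# wildcard is the inverted interface mask, and audits which interface addresses
# a list of statements enables. Sample data is taken from this page's AR3 config.
import ipaddress

def network_statement(iface: str) -> str:
    """'12.0.0.1/26' -> 'network 12.0.0.0 0.0.0.63' (network address + wildcard)."""
    net = ipaddress.ip_interface(iface).network
    return f"network {net.network_address} {net.hostmask}"

def statement_covers(statement: str, ip: str) -> bool:
    """VRP enables OSPF on an interface when its address matches the statement on
    every bit where the wildcard is 0, so 'network 23.0.0.1 0.0.0.255' still covers
    23.0.0.2 even though it is written with a host address."""
    _, net, wildcard = statement.split()
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(net)) & care)

def is_network_form(statement: str) -> bool:
    """True when the statement uses the network address (no host bits set under
    the wildcard), which is the form the task requires."""
    _, net, wildcard = statement.split()
    return int(ipaddress.ip_address(net)) & int(ipaddress.ip_address(wildcard)) == 0

def audit(interfaces, statements):
    """Return (enabled, silent): interface IPs covered by some statement, and the rest."""
    enabled, silent = [], []
    for iface in interfaces:
        ip = str(ipaddress.ip_interface(iface).ip)
        (enabled if any(statement_covers(s, ip) for s in statements) else silent).append(ip)
    return enabled, silent

# Constructed from this page: AR3's interface addressing and its OSPF statements.
AR3_INTERFACES = ["23.0.0.2/24", "34.0.0.1/24", "13.0.0.2/24", "35.0.0.1/30", "3.3.3.3/32"]
AR3_STATEMENTS = ["network 23.0.0.0 0.0.0.255",
                  "network 13.0.0.0 0.0.0.255",
                  "network 3.3.3.3 0.0.0.0"]
```

Running `audit(AR3_INTERFACES, AR3_STATEMENTS)` shows 34.0.0.1 and 35.0.0.1 left out of OSPF, which is what the task requires for the uplinks; `is_network_form` flags the LSW3/LSW4 statements on this page that use host addresses such as 192.168.100.100 rather than 192.168.100.0.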

八. Route Import

1. Configure route import on AR3: import the static routes of AR3 and advertise the default route.

AR3

[AR3]ospf 1
[AR3-ospf-1]import-route static
[AR3-ospf-1]default-route-advertise always

九. DHCP Configuration

Set up DHCP servers on LSW3 and LSW4 to assign IP addresses to VLAN10 and VLAN20.

1. VLAN10 uses a global address pool named pool10. Exclude 192.168.X.1-192.168.X.101 from assignment, use the VRRP virtual IP of the corresponding VLAN as the gateway, set the DNS server to 8.8.8.8, and set the lease to 1 day 1 hour.

2. VLAN20 uses an interface address pool with the DNS server 8.8.8.8; enable it on the appropriate interface.

LSW3

[LSW3]ip pool pool10
[LSW3-ip-pool-pool10]network 192.168.10.0 mask 255.255.255.0
[LSW3-ip-pool-pool10]excluded-ip-address 192.168.10.1 192.168.10.101
[LSW3-ip-pool-pool10]gateway-list 192.168.10.254
[LSW3-ip-pool-pool10]dns-list 8.8.8.8
[LSW3-ip-pool-pool10]lease day 1 hour 1
[LSW3-ip-pool-pool10]q
[LSW3]dhcp enable
[LSW3]int vlan 10
[LSW3-Vlanif10]dhcp select global

[LSW3-Vlanif10]int vlan 20
[LSW3-Vlanif20]dhcp select interface
[LSW3-Vlanif20]dhcp server dns-list 8.8.8.8

LSW4

[LSW4]ip pool pool10
[LSW4-ip-pool-pool10]network 192.168.10.0 mask 255.255.255.0
[LSW4-ip-pool-pool10]excluded-ip-address 192.168.10.1 192.168.10.101 
[LSW4-ip-pool-pool10]gateway-list 192.168.10.254
[LSW4-ip-pool-pool10]dns-list 8.8.8.8
[LSW4-ip-pool-pool10]lease day 1 hour 1
[LSW4-ip-pool-pool10]q
[LSW4]dhcp enable
[LSW4]int vlan 10
[LSW4-Vlanif10]dhcp select global

[LSW4-Vlanif10]int vlan 20 
[LSW4-Vlanif20]dhcp select interface
[LSW4-Vlanif20]dhcp server dns-list 8.8.8.8

十. Egress Design: NAT

To let internal users reach external networks:
1. On AR3, create ACL 2000 with a rule permitting 192.168.10.0/24 to reach the ISP router AR4 through NAT, and configure Easy IP on the G0/0/1 interface of R3.

2. On AR3, create ACL 2001 with a rule permitting the 192.168.20.0/24 segment to reach the branch router AR4 through NAPT, and configure NAPT on the G0/0/1 interface of R3. The public address pool group is named 1 and uses the public addresses 34.0.0.3 to 34.0.0.10.

AR3

[AR3]acl 2000
[AR3-acl-basic-2000]rule permit source 192.168.10.0 0.0.0.255
[AR3-acl-basic-2000]q
[AR3]int g0/0/1 
[AR3-GigabitEthernet0/0/1]nat outbound 2000
[AR3-GigabitEthernet0/0/1]q
[AR3]nat address-group 1 34.0.0.3 34.0.0.10 
[AR3]acl 2001 
[AR3-acl-basic-2001]rule permit source 192.168.20.0 0.0.0.255
[AR3-acl-basic-2001]q
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]nat outbound 2001 address-group 1

十一. Access Control

Configure advanced ACL 3000:
1. With rule number 5, deny 192.168.10.0/24 access to the HTTP service of PC3.

2. With rule number 10, deny 192.168.20.0/24 access to PC3. Apply the ACL on the G4/0/0 port of AR3 in the appropriate direction.

AR3

[AR3]acl 3000
[AR3-acl-adv-3000]rule 5 deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.3 0.0.0.0 destination-port eq www
[AR3-acl-adv-3000]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.3 0.0.0.0
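As an added example that is not part of the exercise, this Python evaluates the ACLs of sections 十 and 十一 against constructed packets: basic ACLs 2000 and 2001 deciding which NAT mode applies on G0/0/1 of AR3, and advanced ACL 3000 filtering traffic toward PC3 (192.168.30.3). Function names are mine; it assumes that of the two NAT ACLs bound to the same interface the first one that permits a packet wins, and that traffic not matched by ACL 3000 is permitted, which is the VRP traffic-filter default.

```python
# Added example, not from the exercise: evaluates the page's ACL 2000/2001 (NAT
# selection on AR3 G0/0/1) and advanced ACL 3000 (filtering toward PC3) against
# constructed packets, using Huawei wildcard semantics (1 bits = don't care).
import ipaddress

def wildcard_match(ip: str, net: str, wildcard: str) -> bool:
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(net)) & care)

# Rule tuple: (action, protocol, src net, src wildcard, dst net, dst wildcard, dst port)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_2000 = [("permit", "ip", "192.168.10.0", "0.0.0.255", *ANY, None)]
ACL_2001 = [("permit", "ip", "192.168.20.0", "0.0.0.255", *ANY, None)]
ACL_3000 = [
    ("deny", "tcp", "192.168.10.0", "0.0.0.255", "192.168.30.3", "0.0.0.0", 80),    # rule 5
    ("deny", "ip",  "192.168.20.0", "0.0.0.255", "192.168.30.3", "0.0.0.0", None),  # rule 10
]

def first_match(acl, pkt):
    """pkt = (proto, src, dst, dport). Rules are tried in order; None if none matches."""
    proto, src, dst, dport = pkt
    for action, rproto, snet, swc, dnet, dwc, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return None

def nat_mode(pkt):
    """Outbound on G0/0/1. Assumption: the first bound ACL that permits decides.
    Packets permitted by neither ACL leave untranslated with their private source."""
    if first_match(ACL_2000, pkt) == "permit":
        return "easy-ip"                  # nat outbound 2000 (interface address)
    if first_match(ACL_2001, pkt) == "permit":
        return "napt address-group 1"     # nat outbound 2001 address-group 1
    return None

def filter_decision(pkt):
    """traffic-filter semantics on G4/0/0: unmatched packets are permitted."""
    return first_match(ACL_3000, pkt) or "permit"
```

Note that rule 5 only blocks TCP port 80, so HTTPS (443) from VLAN10 still reaches PC3, while rule 10 blocks VLAN20 on every protocol; hosts outside both VLANs, such as the 192.168.100.0/24 transit segment, are neither filtered nor translated.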
