HCDA protocol configuration notes

HCNA must-know topics

HCNA: IP subnetting, IPv4/IPv6, Ethernet frame structure, ARP, TCP/UDP, static routes, route preference/route backup, metric/default route, DHCP, RIP, basic OSPF, trunk, inter-VLAN routing, router-on-a-stick, Easy IP and NAT Server, WAN PPP, WAN HDLC and FR, link aggregation (Eth-Trunk), VRRP, STP, ACL, configuring Telnet, configuring SSH, configuring FTP

undo info-center enable    disable the information center (log/trap output to the terminal)

dis ip int brie    show interface IP addresses
dis port vlan    show port VLAN configuration

Trunk operation
Sending side
▶ If the terminal's VLAN differs from the PVID of the switch's trunk interface, the tag is not stripped: the frame is sent carrying an 802.1Q tag. The peer receives the tagged frame and checks whether its trunk permits that VLAN.
▶ If the terminal's VLAN equals the trunk interface PVID, the tag is stripped: the frame is sent untagged. The peer receives the untagged frame, assigns it the PVID of its own interface, and if the trunk permits that VLAN the two sides can communicate.
Key point: the default trunk PVID is 1
Access port operation
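The two rules above as an added simulation (this is not code from the original notes; the VLAN and PVID values are constructed). It goes one step further than the notes: the last function flags the case where the two ends of a trunk have different PVIDs, which silently moves the PVID VLAN's traffic into another VLAN on the far side.

```python
# Added example: simulate 802.1Q tagging across a trunk as described in the notes.
# A frame from an access port in VLAN `vlan` leaves through a trunk with PVID `tx_pvid`
# and arrives on a trunk with PVID `rx_pvid`; `allow` is the allow-pass VLAN set.

def send_over_trunk(vlan, tx_pvid, tx_allow):
    """Return (tagged, wire_vlan) for the frame as it leaves the trunk.
    wire_vlan is None when the VLAN is not allowed and the frame is dropped."""
    if vlan not in tx_allow:
        return (False, None)
    if vlan == tx_pvid:
        return (False, vlan)      # PVID traffic has its tag stripped
    return (True, vlan)           # every other VLAN keeps its 802.1Q tag

def receive_on_trunk(tagged, wire_vlan, rx_pvid, rx_allow):
    """Return the VLAN the receiving switch assigns, or None if it drops the frame."""
    if wire_vlan is None:
        return None
    vlan = wire_vlan if tagged else rx_pvid   # untagged frames take the local PVID
    return vlan if vlan in rx_allow else None

def end_to_end(vlan, tx_pvid, rx_pvid, allow):
    tagged, wire = send_over_trunk(vlan, tx_pvid, allow)
    return receive_on_trunk(tagged, wire, rx_pvid, allow)

def check_pvid_consistency(vlans, tx_pvid, rx_pvid, allow):
    """Defender's check: map each VLAN whose frames land in a *different* VLAN on the
    far side. This happens when the PVIDs differ, because the untagged PVID frame is
    re-assigned to the peer's PVID instead of its original VLAN."""
    leaks = {}
    for v in vlans:
        got = end_to_end(v, tx_pvid, rx_pvid, allow)
        if got is not None and got != v:
            leaks[v] = got
    return leaks

if __name__ == "__main__":
    allow = {1, 10, 20}                       # constructed allow-pass list
    print(end_to_end(10, 1, 1, allow))        # 10: tagged, accepted as VLAN 10
    print(end_to_end(1, 1, 1, allow))         # 1: untagged, re-assigned to PVID 1
    print(check_pvid_consistency([1, 10, 20], 10, 20, allow))   # {10: 20}
```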

Setting up an FTP server on a router
[Huawei]ftp server enable
[Huawei]set default ftp-directory flash:

[Huawei-aaa]local-user huawei password cipher huawei
[Huawei-aaa]local-user huawei service-type ftp
[Huawei-aaa]local-user huawei access-limit 200
[Huawei-aaa]local-user huawei idle-timeout 0 0
[Huawei-aaa]local-user huawei privilege level 3

Client access
<Huawei>ftp xxxxip    (the FTP server's IP address)
On a PC using 360 Browser, disable the corresponding option

Configuring ports as a group
[LSW1-port-group] port-group group-member g0/0/1 to g0/0/10
ISP side (PPPoE server)
[ISP]ip pool pppoe
[ISP-ip-pool-pppoe]network 200.2.2.0 mask 24
[ISP-ip-pool-pppoe]gateway-list 200.2.2.1

[ISP]interface Virtual-Template 1    template
[ISP-Virtual-Template1]ppp authentication-mode pap
[ISP-Virtual-Template1]ip address 200.2.2.1 24
[ISP-Virtual-Template1]remote address pool pppoe

[ISP-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1    bind interface g0/0/1 to the virtual template
[ISP-aaa]local-user part password cipher 123456    (type the password in manually)
[ISP-aaa]local-user part service-type ppp    must be the same user name the client dials with

Client side (PPPoE client)
[Huawei]dialer-rule
[Huawei-dialer-rule]dialer-rule 1 ip permit    bind

[part-1]int Dialer 1
[part-1-Dialer1]ppp pap local-user part password cipher %$%$pLKZ!iaG|$#Cm4Q8=MM.,%Nw%$%$
[part-1-Dialer1]ip address ppp-negotiate    obtain the IP address automatically
[part-1-Dialer1]dialer user user1
[part-1-Dialer1]dialer-group 1
[part-1-Dialer1]dialer bundle 1
[Huawei-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1    bind

A
interface Vlanif30
ip address 10.10.10.1 255.255.255.0
interface Vlanif50
ip address 10.10.30.1 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 50
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
ip route-static 0.0.0.0 0.0.0.0 10.10.30.2
B
interface Vlanif30
ip address 10.10.20.1 255.255.255.0
interface Vlanif50
ip address 10.10.30.2 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 50
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
ip route-static 10.10.10.0 255.255.255.0 10.10.30.1

Link aggregation, manual bundling
Bundling 2, 4 or 8 links is recommended so that load is balanced evenly across them
One Eth-Trunk can bundle at most 8 interfaces

Enable STP to prevent loops
sw1
[sw1]int Eth-Trunk 1
[sw1-Eth-Trunk1]port link-type trunk
[sw1-Eth-Trunk1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/23]eth-trunk 1
[sw1-GigabitEthernet0/0/24]eth-trunk 1
sw2
[sw2]int Eth-Trunk 1
[sw2-Eth-Trunk1]port link-type trunk
[sw2-Eth-Trunk1]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/23]eth-trunk 1
[sw2-GigabitEthernet0/0/24]eth-trunk 1

[sw2]dis interface Eth-Trunk 1

DHCP
<global DHCP pool vs. interface DHCP pool>
[dhcp]dhcp enable
ip pool 192
[dhcp-ip-pool-192]gateway-list 192.168.0.1
[dhcp-ip-pool-192]network 192.168.0.0 mask 255.255.255.0
[dhcp-ip-pool-192]dns-list 8.8.8.8
[dhcp-ip-pool-192]lease day hour / unlimited    day: lease time in days, hour: hours, unlimited: never expires
ip pool 10
[dhcp-ip-pool-10]network 10.1.1.0 mask 255.255.255.0
[dhcp-GigabitEthernet0/0/0]ip address 10.1.1.1 255.255.255.0
[dhcp-GigabitEthernet0/0/0]dhcp select global/interface
ip route-static 0.0.0.0 0.0.0.0 10.1.1.254    a default route is needed so the relayed DHCP packets can get back
AR1 client side
[AR1-GigabitEthernet0/0/0]ip address 192.168.0.1 255.255.255.0
[AR1-GigabitEthernet0/0/0]dhcp select relay    relay
[AR1-GigabitEthernet0/0/0]dhcp relay server-ip 10.1.1.1
[AR1-GigabitEthernet0/0/0]ip address dhcp-alloc

PPPoE dial-up Internet access
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1

[Huawei]dis pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 GE0/0/0 00e0fcf46c30 000000000000 up

[Huawei]interface Dialer 1
[Huawei-Dialer1]tcp adjust-mss 1200
[Huawei-Dialer1]mtu 1492
Configure PPPoE primary/secondary DNS
[Huawei-Dialer1]ppp ipcp dns request
[Huawei-Dialer1]ppp ipcp dns admit-any

Check under the dialer interface, or configure NAT on the outbound and inbound interfaces
[Huawei-Dialer1]di th
[V200R003C00]
#
interface Dialer1
link-protocol ppp
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
tcp adjust-mss 1200
ip address 202.100.1.254 255.255.255.252
nat static global 202.100.1.251 inside 192.168.10.10 netmask 255.255.255.255
nat static enable
Configure the PPPoE static route
[Huawei]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
NAT one-to-one mapping
[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10    static NAT
[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123    NAT server
NAT one-to-many mapping

AR1
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface GigabitEthernet0/0/0
ip address 22.23.10.1 255.255.255.248
nat outbound 2000

interface GigabitEthernet0/0/1
ip address 192.168.254.2 255.255.255.0

ip route-static 0.0.0.0 0.0.0.0 22.23.10.2    default route
ip route-static 192.168.0.0 255.255.0.0 192.168.254.1

ACL (access control list)
An ACL can be applied to traffic or to the routing table
<When a Huawei ACL is used to match traffic, the implicit last rule permits all remaining traffic (permit any)> <On Cisco the implicit last rule denies all remaining traffic (deny any)>
traffic-filter inbound acl 2000    inbound direction
traffic-filter outbound acl 2000    outbound direction
ACL rule numbers range <0-4294967294>

Basic ACL range: 2000-2999, matches on source IP address
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 deny/permit <deny or permit> source 192.168.1.10 0.0.0.255    inverse mask (wildcard): 0.0.0.255 matches the whole 192.168.1.0/24, a wildcard of 0 matches only that single host
[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 2000    blocks 192.168.1.10 from passing (with the 0.0.0.255 wildcard above the whole /24 is blocked)
[Huawei-GigabitEthernet0/0/2]dis acl 2000    view the denied addresses
[Huawei-acl-basic-2000]rule 6 permit
[Huawei-acl-basic-2000]dis this
[V200R003C00]
#
acl number 2000
rule 5 deny source 10.10.10.10 0
rule 6 permit    equivalent to permitting everything else
Advanced ACL range: 3000-3999, matches on source IP, destination IP, source port and destination port

[Huawei-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0 destination-port eq 21    destination port equal to 21
[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0
[Huawei-acl-adv-3000]rule permit ip
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
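An added Python evaluator for the two ACLs above (not code from the original notes): it applies the Huawei wildcard mask (0 bits must match, 1 bits are ignored), walks the rules in ascending number order, and applies the implicit final action the notes contrast, permit on Huawei traffic-filter versus deny on Cisco. The rule numbers 5/10/15 for acl 3000 and the sample packets are assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: bits that are 0 in the wildcard must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def rule_matches(rule, pkt):
    """rule fields (all optional): proto, src/src_wc, dst/dst_wc, dport. pkt: proto, src, dst, dport."""
    if rule.get("proto", "ip") not in ("ip", pkt["proto"]):
        return False
    for side in ("src", "dst"):
        if side in rule and not wildcard_match(pkt[side], rule[side], rule.get(side + "_wc", "0.0.0.0")):
            return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    return True

def evaluate(acl, pkt, vendor="huawei"):
    """Rules are checked in ascending number order; the first match decides.
    Unmatched traffic: Huawei traffic-filter permits it, a Cisco ACL denies it."""
    for _num, rule in sorted(acl.items()):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "permit" if vendor == "huawei" else "deny"

# acl 2000 from the notes: rule 5 denies the single host 10.10.10.10, rule 6 permits the rest
ACL_2000 = {5: {"action": "deny", "src": "10.10.10.10", "src_wc": "0.0.0.0"},
            6: {"action": "permit"}}
# acl 3000 from the notes (rule numbers 5/10/15 are assumed, as if auto-numbered with the default step)
ACL_3000 = {5: {"action": "deny", "proto": "tcp", "src": "192.168.1.0", "src_wc": "0.0.0.255",
                "dst": "172.16.10.1", "dport": 21},
            10: {"action": "deny", "proto": "tcp", "src": "192.168.2.0", "src_wc": "0.0.0.255",
                 "dst": "172.16.10.2"},
            15: {"action": "permit"}}

if __name__ == "__main__":
    # constructed sample packets
    ftp = {"proto": "tcp", "src": "192.168.1.77", "dst": "172.16.10.1", "dport": 21}
    ssh = {"proto": "tcp", "src": "192.168.1.77", "dst": "172.16.10.1", "dport": 22}
    print(evaluate(ACL_3000, ftp), evaluate(ACL_3000, ssh))   # deny permit
```

Note that rule 10 of acl 3000 only names tcp, so UDP from 192.168.2.0/24 to 172.16.10.2 still falls through to the final permit.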

IPsec VPN (virtual private network)
ESP: the security protocol; IKE: key negotiation

3.1 Routing is the most important part!
Encryption/decryption points
a. reach the peer's encryption/decryption point <directly connected>
b. reach the local communication point <directly connected>
c. reach the peer's communication point <static or default route>
3.2 IPsec SPD (the ACL), proposal, and IPsec policy

AR1
[Huawei]acl 3000
[Huawei-acl-adv-3000]description <text>    description
[Huawei-acl-adv-3000]rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
AR2
[Huawei]acl 3000
[Huawei-acl-adv-3000]description <text>    description
[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
AR1
[Huawei]ipsec proposal sjw
[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1    <authentication-algorithm / encryption-algorithm: authentication and encryption algorithms; only the authentication algorithm is set here, the encryption algorithm stays at the device default>
[Huawei-ipsec-proposal-sjw]dis this
[V200R003C00]
#
ipsec proposal sjw
esp authentication-algorithm sha1
AR2
[Huawei]ipsec proposal sjw
[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1    <authentication-algorithm / encryption-algorithm: authentication and encryption algorithms>
[Huawei-ipsec-proposal-sjw]dis this
[V200R003C00]
#
ipsec proposal sjw
esp authentication-algorithm sha1

AR1
[Huawei]ipsec policy song 10 manual
[Huawei-ipsec-policy-manual-song-10]security acl 3000
[Huawei-ipsec-policy-manual-song-10]proposal sjw

[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.1    tunnel
[Huawei-ipsec-policy-manual-song-10]tunnel local 10.1.2.254    tunnel
[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei
[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei

AR2
[Huawei]ipsec policy song 10 manual
[Huawei-ipsec-policy-manual-song-10]security acl 3000
[Huawei-ipsec-policy-manual-song-10]proposal sjw
[Huawei-ipsec-policy-manual-song-10]tunnel local 10.1.2.1    tunnel
[Huawei-ipsec-policy-manual-song-10]tunnel remote 10.1.2.254    tunnel
[Huawei-ipsec-policy-manual-song-10]sa spi inbound esp 54321    must equal AR1's outbound SPI
[Huawei-ipsec-policy-manual-song-10]sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-song-10]sa spi outbound esp 12345    must equal AR1's inbound SPI
[Huawei-ipsec-policy-manual-song-10]sa string-key outbound esp simple huawei
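Added example, not part of the original notes: a consistency check for the manual-key policy above. With `manual` there is no IKE negotiation, so each side's outbound SPI and key must equal the peer's inbound SPI and key, the tunnel endpoints must mirror each other, and the two security ACLs must be mirror images. The two dictionaries are constructed from the AR1/AR2 values, with one SPI deliberately mistyped to show what the check reports.

```python
def check_manual_sa(local, peer):
    """Compare two manual IPsec policies; return a list of mismatch messages (empty = consistent)."""
    problems = []
    # manual keying: what one side sends (outbound) must match what the peer expects (inbound)
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        if local["spi"][mine] != peer["spi"][theirs]:
            problems.append(f"SPI {mine} {local['spi'][mine]} != peer {theirs} {peer['spi'][theirs]}")
        if local["key"][mine] != peer["key"][theirs]:
            problems.append(f"key {mine} differs from peer {theirs}")
    mirrored = (peer["tunnel"]["remote"], peer["tunnel"]["local"])
    if (local["tunnel"]["local"], local["tunnel"]["remote"]) != mirrored:
        problems.append("tunnel endpoints are not mirrored")
    if local["acl"] != tuple(reversed(peer["acl"])):
        problems.append("security ACLs are not mirror images")
    if local["proposal"] != peer["proposal"]:
        problems.append("proposals differ")
    return problems

# constructed from the AR1/AR2 policies above; "acl" is (source, destination) of the security ACL rule
AR1 = {"spi": {"outbound": 54321, "inbound": 12345},
       "key": {"outbound": "huawei", "inbound": "huawei"},
       "tunnel": {"local": "10.1.2.254", "remote": "10.1.2.1"},
       "acl": ("10.10.10.0/24", "10.1.2.0/24"),
       "proposal": ("esp", "sha1")}
AR2 = {"spi": {"outbound": 12354, "inbound": 54321},   # 12354 is a deliberate typo of 12345
       "key": {"outbound": "huawei", "inbound": "huawei"},
       "tunnel": {"local": "10.1.2.1", "remote": "10.1.2.254"},
       "acl": ("10.1.2.0/24", "10.10.10.0/24"),
       "proposal": ("esp", "sha1")}

if __name__ == "__main__":
    for problem in check_manual_sa(AR1, AR2):
        print(problem)        # SPI inbound 12345 != peer outbound 12354
```

A transposed digit like this produces no error at configuration time; the SA simply never decrypts the peer's traffic, which is why `dis ipsec sa` on both ends is the first thing to compare.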

3.2 Apply the policy on the outbound interface

[Huawei-Dialer1]ipsec policy song    (the policy group created above)
[Huawei-GigabitEthernet0/0/0]ipsec policy song

[Huawei]dis ipsec sa

sw3: create VLANs 10 and 20
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 20
Configure the trunk links
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

sw1: create VLANs 10 and 20
[Huawei]int Vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.10 24
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.10 24    (VLAN 20 uses 192.168.20.0/24, the subnet of the VRRP virtual IP 192.168.20.1 below)
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
sw2: create VLANs 10 and 20
[Huawei]int Vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.20 24
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.20 24
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
AR1 router
[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24
[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24
[Huawei-GigabitEthernet0/0/2]int loo 0
[Huawei-LoopBack0]ip address 1.1.1.1 24
Configure route preference
[Huawei]ip route-static 192.168.10.0 24 11.0.0.1    default preference is 60
[Huawei]ip route-static 192.168.10.0 24 12.0.0.1 preference 70    backup path via sw2 (next hop is sw2's Vlanif100, not AR1's own address)
[Huawei]ip route-static 192.168.20.0 24 12.0.0.1    default preference is 60
[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70
sw1
[Huawei]ip route-static 1.1.1.0 24 11.0.0.2
sw1
[Huawei-Vlanif100]ip address 11.0.0.1 24
[Huawei-port-group-d]port link-type access
[Huawei-port-group-d]port default vlan 100
sw2
[Huawei]ip route-static 1.1.1.0 24 12.0.0.2
sw2
[Huawei-Vlanif100]ip address 12.0.0.1 24
[Huawei-GigabitEthernet0/0/24]port link-type access
[Huawei-GigabitEthernet0/0/24]port default vlan 100

Configure VRRP on core switch sw1
Trunk, virtual IP, priority, tracked interface
Master and backup must use the same virtual IP and the same VRID
Note: the higher priority becomes Master. For example, with the master at priority 120, a tracked port going down subtracts 10 by default, so the backup must not be 110; it should be 115. 115 is lower than 120 (sw1 stays master normally) and higher than 110 (when the master's tracked port fails, traffic fails over to the backup by default).

[Huawei]int Vlanif 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[Huawei-Vlanif10]vrrp vrid 1 priority 120    a tracked port going down subtracts 10 by default, so the backup must not be 110 but 115; 115 is lower than 120, and when the master fails traffic goes to the backup by default
(that is just an illustration; this lab is configured with 95)
VRRP priority range is 0-255: 0 is reserved for a router that actively gives up the Master role, 255 is reserved for the IP address owner, so the usable range is 1-254
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0
[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24    track the uplink port
[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1    track the downlink port

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[Huawei-Vlanif10]vrrp vrid 1 priority 115
The backup does not need preempt mode or interface tracking configured, because the master already has them
Configure VRRP on core switch sw2

[Huawei]int Vlanif 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24
[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2
Preempt mode and priority can be left unconfigured [the default priority is 100]; setting the backup to 90 is enough

interface Vlanif20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[Huawei-Vlanif20]vrrp vrid 2 priority 95

The four firewall zones
Servers go in the DMZ; trust is the internal user network; untrust is the external Internet and has the lowest priority; local has the highest
dmz: the DMZ security zone
local: the local security zone
name: the name of the security zone to create or delete
trust: the trusted security zone
untrust: the untrust security zone

Firewall hot standby (dual-system)
FW1 (master)
[fw1-GigabitEthernet0/0/0] ip address 10.1.2.1 255.255.255.0    (must be in the subnet of the virtual IP 10.1.2.254; the backup uses 10.1.2.2)
[fw1-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.1.2.254 active    master
[fw1-GigabitEthernet0/0/0] service-manage all permit    permit all management services on the interface
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
[fw1-GigabitEthernet1/0/0] ip address 40.1.1.1 255.255.255.0
[fw1-GigabitEthernet1/0/0] vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 active    master
[fw1-GigabitEthernet1/0/0] service-manage all permit
[fw1-GigabitEthernet1/0/1] ip address 30.1.1.1 255.255.255.0

[fw1]firewall zone trust
[fw1-zone-trust]add interface GigabitEthernet0/0/0
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface GigabitEthernet1/0/0
[fw1]firewall zone dmz
[fw1-zone-dmz]add interface GigabitEthernet1/0/1
FW2 (backup)
[fw2-GigabitEthernet0/0/0] ip address 10.1.2.2 255.255.255.0
[fw2-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.1.2.254 standby    backup
[fw2-GigabitEthernet0/0/0] service-manage all permit    permit all management services on the interface
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
[fw2-GigabitEthernet1/0/0] ip address 40.1.1.2 255.255.255.0
[fw2-GigabitEthernet1/0/0] vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 standby    backup
[fw2-GigabitEthernet1/0/0] service-manage all permit
[fw2-GigabitEthernet1/0/1] ip address 30.1.1.2 255.255.255.0

[fw2]firewall zone trust
[fw2-zone-trust]add interface GigabitEthernet0/0/0
[fw2]firewall zone untrust
[fw2-zone-untrust]add interface GigabitEthernet1/0/0
[fw2]firewall zone dmz
[fw2-zone-dmz]add interface GigabitEthernet1/0/1

HRP heartbeat link for state synchronization
[fw1]hrp interface GigabitEthernet1/0/1 remote 30.1.1.2    configure the peer's interface IP
[fw2]hrp interface GigabitEthernet1/0/1 remote 30.1.1.1    configure the peer's interface IP

hrp enable turns on HRP so the two firewalls synchronize with each other
Once HRP is up, the prompts show an S (standby) and an M (master), which means hot standby succeeded


Reposted from blog.51cto.com/13862926/2627824