2021 Huawei ICT Competition National Final, Network Track: Lab Analysis and Verification

Author: Miao Hao, 15515026488 (WeChat: same number)

This article is excerpted from "Huawei ICT Competition - Network Track Learning Space (China)". If it infringes any rights, please contact the author promptly so the article can be removed.

Original link:

https://talent.shixizhi.huawei.com/course/1365189427395223554/application-learn?status=published&courseId=1680760185478529026&id=554759065239212032&appId=554759065222434816&classId=554759065222434817&courseType=1&sxz-lang=zh_CN&headershow=false

1. Project Background

A large company has a headquarters (HQ) and one branch (BR-1). The HQ network provides employees with both wired and wireless access. To improve network security, firewalls are deployed at the network egress of both HQ and the branch; to improve reliability, firewall hot standby is enabled at HQ; and to secure communication between HQ and the branch, an IPSec VPN must be established.

I took part in this year's competition myself. Because my skills were really not good enough at the time, my result in the national final was fairly poor, so this topology has remained a sore point for me. I used the holiday to build the topology out so that students who take part later have a reference. I wish the contestants of the 2023-2024 Huawei ICT Competition great results.

2. Network Topology

This lab includes the following devices:

  1. 3 USG6000V firewalls (FW1 to FW3)
  2. 4 AR2220 routers (R1 to R4)
  3. 2 S5700 switches (SW1 and SW2)
  4. 3 S3700 switches (SW3 to SW5)
  5. 2 AC6005 controllers (AC1 and AC2)
  6. 2 AP4050 access points (AP1 and AP2)
  7. 1 CE6800
  8. 2 PCs (PC1, PC2)
  9. 1 STA (STA1)

Table 2-1 Device login information

Device   | Username | Default password | New password
---------|----------|------------------|-------------
Firewall | admin    | Admin@123        | Huawei@123

Table 2-2 VLAN plan

Device | Port     | Link type | VLAN plan
-------|----------|-----------|---------------------------------
SW1    | GE0/0/1  | Trunk     | Allow-pass: 104
SW1    | GE0/0/2  | Trunk     | Allow-pass: 101, 102, 103, 105
SW1    | GE0/0/3  | Trunk     | Allow-pass: 101, 102, 103
SW2    | GE0/0/1  | Trunk     | Allow-pass: 106
SW2    | GE0/0/2  | Trunk     | Allow-pass: 101, 102, 103, 105
SW2    | GE0/0/3  | Trunk     | Allow-pass: 101, 102, 103
SW3    | GE0/0/1  | Trunk     | Allow-pass: 101, 102, 103
SW3    | GE0/0/2  | Trunk     | Allow-pass: 101, 102, 103
SW3    | Eth0/0/3 | Trunk     |
SW3    | Eth0/0/4 | Access    | VLAN: 102
SW4    | GE0/0/1  | Trunk     | Allow-pass: 101, 102, 103
SW4    | GE0/0/2  | Trunk     | Allow-pass: 101, 102, 103
SW4    | Eth0/0/3 | Trunk     |

Table 2-3 IP address plan

Device | Port        | IP address
-------|-------------|----------------------------
R1     | Loopback0   | 1.1.1.1/24
R1     | GE0/0/1     | 100.1.1.1/24
R1     | GE0/0/0     | 12.1.1.1/30
R2     | Loopback0   | 2.2.2.2/24
R2     | GE0/0/1     | 200.1.1.1/24
R2     | GE0/0/0     | 12.1.1.2/30
FW1    | Eth-Trunk0  | 192.168.100.1/30
FW1    | GE1/0/0     | 100.1.1.2/24
FW1    | GE1/0/1.104 | 192.168.104.1/30
FW2    | Eth-Trunk0  | 192.168.100.2/30
FW2    | GE1/0/0     | 100.1.1.3/24
FW2    | GE1/0/1.106 | 192.168.106.1/30
SW1    | VLANIF 101  | 192.168.101.2/24
SW1    | VLANIF 102  | 192.168.102.2/24
SW1    | VLANIF 103  | 10.11.103.4/24
SW1    | VLANIF 104  | 192.168.104.2/30
SW1    | VLANIF 105  | 192.168.105.1/30
SW2    | VLANIF 105  | 192.168.105.2/30
SW2    | VLANIF 106  | 192.168.106.2/30
FW3    | GE1/0/0     | 200.1.1.2/30
FW3    | GE1/0/2     | 10.10.1.1/30
FW3    | GE1/0/1     | 10.10.2.1/30
R3     | GE0/0/0     | 10.10.1.2/30
R3     | GE0/0/1     | 10.10.3.1/30
R4     | GE0/0/0     | 10.10.2.2/30
R4     | GE0/0/1     | 10.10.4.1/30
SW5    | GE0/0/1     | Vlanif3: 10.10.3.2/30
SW5    | GE0/0/2     | Vlanif4: 10.10.4.2/30
SW5    | Eth0/0/3    | Vlanif5: 10.10.5.1/24
CE6800 | GE1/0/3     | Vlanif1: 192.168.56.100/24
PC2    | Static IP   | 10.10.5.2/24

Configuration procedure: basic configuration

Device naming / initialization
#SW1
<Huawei>system-view 
[Huawei]sysname SW1
[SW1]

#SW2
<Huawei>system-view 
[Huawei]sysname SW2
[SW2]

#SW3
<Huawei>system-view 
[Huawei]sysname SW3
[SW3]

#SW4
<Huawei>system-view 
[Huawei]sysname SW4
[SW4]

#AC1
<AC6005>system-view 
[AC6005]sysname AC1
[AC1]

#AC2
<AC6005>system-view 
[AC6005]sysname AC2
[AC2]

#FW1
<USG6000V1>system-view 
[USG6000V1]sysname FW1
[FW1]

#FW2
<USG6000V1>system-view 
[USG6000V1]sysname FW2
[FW2]

#CE6800
<HUAWEI>system-view immediately
[HUAWEI]sysname CE6800
[CE6800]

#FW3
<USG6000V1>system-view 
[USG6000V1]sysname FW3
[FW3]

#AR3
<Huawei>system-view 
[Huawei]sysname AR3
[AR3]

#AR4
<Huawei>system-view 
[Huawei]sysname AR4
[AR4]

#SW5
<Huawei>system-view 
[Huawei]sysname SW5
[SW5]

#AR1
<Huawei>system-view 
[Huawei]sysname AR1
[AR1]

#AR2
<Huawei>system-view 
[Huawei]sysname AR2
[AR2]


VLAN / link configuration
#SW1
[SW1]vlan batch 101 102 103 104 105
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk 
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 104
[SW1-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 101 102 103 105
[SW1-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 101 102 103
[SW1-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 101 102 103
[SW1-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1


#SW2
[SW2]vlan batch 101 102 103 105 106
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk 
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 106
[SW2-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk 
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 101 102 103 105
[SW2-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk 
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 101 102 103
[SW2-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk 
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 101 102 103
[SW2-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1


#SW3
[SW3]vlan batch 101 102 103
[SW3]port-group group-member GigabitEthernet 0/0/1 GigabitEthernet 0/0/2
[SW3-port-group]port link-type trunk 
[SW3-port-group]port trunk allow-pass vlan 101 102 103
[SW3-port-group]undo port trunk allow-pass vlan 1
[SW3]interface Ethernet0/0/3
[SW3-Ethernet0/0/3]port link-type trunk 
[SW3-Ethernet0/0/3]port trunk allow-pass vlan 101 102 103
[SW3-Ethernet0/0/3]port trunk pvid vlan 101
[SW3-Ethernet0/0/3]undo port trunk allow-pass vlan 1
[SW3]interface Ethernet0/0/4
[SW3-Ethernet0/0/4]port link-type access
[SW3-Ethernet0/0/4]port default vlan 102

#SW4
[SW4]vlan batch 101 102 103
[SW4]port-group group-member GigabitEthernet 0/0/1 GigabitEthernet 0/0/2
[SW4-port-group]port link-type trunk 
[SW4-port-group]port trunk allow-pass vlan 101 102 103
[SW4-port-group]undo port trunk allow-pass vlan 1
[SW4]interface Ethernet0/0/3
[SW4-Ethernet0/0/3]port link-type trunk 
[SW4-Ethernet0/0/3]port trunk allow-pass vlan 101 102 103
[SW4-Ethernet0/0/3]port trunk pvid vlan 101
[SW4-Ethernet0/0/3]undo port trunk allow-pass vlan 1

#SW5
[SW5]vlan batch 3 4 5
[SW5]interface GigabitEthernet 0/0/1
[SW5-GigabitEthernet0/0/1]port link-type access
[SW5-GigabitEthernet0/0/1]port default vlan 3
[SW5]interface GigabitEthernet 0/0/2
[SW5-GigabitEthernet0/0/2]port link-type access
[SW5-GigabitEthernet0/0/2]port default vlan 4
[SW5]interface Ethernet0/0/3
[SW5-Ethernet0/0/3]port link-type access
[SW5-Ethernet0/0/3]port default vlan 5


#FW1
[FW1]interface Eth-Trunk 0
[FW1-Eth-Trunk0]trunkport GigabitEthernet 1/0/2 1/0/3

#FW2
[FW2]interface Eth-Trunk 0
[FW2-Eth-Trunk0]trunkport GigabitEthernet 1/0/2 1/0/3

#AC1
[AC1]vlan batch 101 102 103
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk 
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 101 102 103

#AC2
[AC2]vlan batch 101 102 103
[AC2]interface GigabitEthernet 0/0/1
[AC2-GigabitEthernet0/0/1]port link-type trunk 
[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 101 102 103

IP address configuration
#R1
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 1.1.1.1 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 100.1.1.1 24
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 12.1.1.1 30

#R2
[R2]interface LoopBack 0
[R2-LoopBack0]ip address 2.2.2.2 24
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 200.1.1.1 24
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 12.1.1.2 30

#FW1
[FW1]interface Eth-Trunk 0
[FW1-Eth-Trunk0]ip address 192.168.100.1 30
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 100.1.1.2 24
[FW1]interface GigabitEthernet 1/0/1.104
[FW1-GigabitEthernet1/0/1.104]vlan-type dot1q 104
[FW1-GigabitEthernet1/0/1.104]ip address 192.168.104.1 30

#FW2
[FW2]interface Eth-Trunk 0
[FW2-Eth-Trunk0]ip address 192.168.100.2 30
[FW2]interface GigabitEthernet 1/0/0       
[FW2-GigabitEthernet1/0/0]ip address 100.1.1.3 24
[FW2]interface GigabitEthernet 1/0/1.106
[FW2-GigabitEthernet1/0/1.106]vlan-type dot1q 106
[FW2-GigabitEthernet1/0/1.106]ip address 192.168.106.1 30

#SW1
[SW1]interface Vlanif 101
[SW1-Vlanif101]ip address 192.168.101.2 24
[SW1]interface Vlanif 102
[SW1-Vlanif102]ip address 192.168.102.2 24
[SW1]interface Vlanif 103
[SW1-Vlanif103]ip address 10.11.103.4 24
[SW1]interface Vlanif 104
[SW1-Vlanif104]ip address 192.168.104.2 30
[SW1]interface Vlanif 105
[SW1-Vlanif105]ip address 192.168.105.1 30

#SW2
[SW2]interface Vlanif 105
[SW2-Vlanif105]ip address 192.168.105.2 30
[SW2]interface Vlanif 106
[SW2-Vlanif106]ip address 192.168.106.2 30

#FW3
[FW3]interface GigabitEthernet 1/0/0
[FW3-GigabitEthernet1/0/0]ip address 200.1.1.2 30
[FW3]interface GigabitEthernet 1/0/2
[FW3-GigabitEthernet1/0/2]ip address 10.10.1.1 30
[FW3]interface GigabitEthernet 1/0/1
[FW3-GigabitEthernet1/0/1]ip address 10.10.2.1 30

#R3
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.10.1.2 30
[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ip address 10.10.3.1 30

#R4
[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ip address 10.10.2.2 30
[R4]interface GigabitEthernet 0/0/1
[R4-GigabitEthernet0/0/1]ip address 10.10.4.1 30

#SW5
[SW5]interface Vlanif 3
[SW5-Vlanif3]ip address 10.10.3.2 30
[SW5]interface Vlanif 4
[SW5-Vlanif4]ip address 10.10.4.2 30
[SW5]interface Vlanif 5
[SW5-Vlanif5]ip address 10.10.5.1 24

#CE6800
[CE6800]interface GE 1/0/3
[CE6800-GE1/0/3]undo shutdown 
[CE6800-GE1/0/3]port link-type access 
[CE6800-GE1/0/3]port default vlan 1
[CE6800]interface Vlanif 1
[CE6800-Vlanif1]ip address 192.168.56.100 24

#AC1
[AC1]interface Vlanif 103
[AC1-Vlanif103]ip address 10.11.103.2 24

#AC2
[AC2]interface Vlanif 103
[AC2-Vlanif103]ip address 10.11.103.3 24
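Before the addresses above are typed into a dozen devices, it is worth checking that both ends of every link agree on a subnet, since a mask mismatch on a point-to-point link breaks OSPF adjacency and IS-IS/VRRP in ways that are slow to troubleshoot. The following is an added example, not code from the original article: a Python check over the addresses of Table 2-3 (copied here as constructed data) using the standard ipaddress module. The link list, the pairing of interfaces and the check_links function are my own assumptions inferred from the addressing. Run against the table as the article gives it, the check reports one problem: the R2 to FW3 link, where R2 GE0/0/1 is 200.1.1.1/24 and FW3 GE1/0/0 is 200.1.1.2/30.

```python
import ipaddress
from collections import defaultdict

# Constructed from the article's Table 2-3: (device, interface, address/prefix).
# Only the links that the check below needs are listed.
PLAN = [
    ("R1", "GE0/0/1", "100.1.1.1/24"), ("R1", "GE0/0/0", "12.1.1.1/30"),
    ("R2", "GE0/0/1", "200.1.1.1/24"), ("R2", "GE0/0/0", "12.1.1.2/30"),
    ("FW1", "Eth-Trunk0", "192.168.100.1/30"), ("FW1", "GE1/0/0", "100.1.1.2/24"),
    ("FW1", "GE1/0/1.104", "192.168.104.1/30"),
    ("FW2", "Eth-Trunk0", "192.168.100.2/30"), ("FW2", "GE1/0/0", "100.1.1.3/24"),
    ("FW2", "GE1/0/1.106", "192.168.106.1/30"),
    ("SW1", "VLANIF104", "192.168.104.2/30"), ("SW1", "VLANIF105", "192.168.105.1/30"),
    ("SW2", "VLANIF105", "192.168.105.2/30"), ("SW2", "VLANIF106", "192.168.106.2/30"),
    ("FW3", "GE1/0/0", "200.1.1.2/30"), ("FW3", "GE1/0/2", "10.10.1.1/30"),
    ("FW3", "GE1/0/1", "10.10.2.1/30"),
    ("R3", "GE0/0/0", "10.10.1.2/30"), ("R3", "GE0/0/1", "10.10.3.1/30"),
    ("R4", "GE0/0/0", "10.10.2.2/30"), ("R4", "GE0/0/1", "10.10.4.1/30"),
    ("SW5", "Vlanif3", "10.10.3.2/30"), ("SW5", "Vlanif4", "10.10.4.2/30"),
]

# Assumed link pairing (end A, end B), inferred from the addressing in the table.
LINKS = [
    (("R1", "GE0/0/0"), ("R2", "GE0/0/0")),
    (("FW1", "Eth-Trunk0"), ("FW2", "Eth-Trunk0")),
    (("FW1", "GE1/0/1.104"), ("SW1", "VLANIF104")),
    (("FW2", "GE1/0/1.106"), ("SW2", "VLANIF106")),
    (("SW1", "VLANIF105"), ("SW2", "VLANIF105")),
    (("R2", "GE0/0/1"), ("FW3", "GE1/0/0")),
    (("FW3", "GE1/0/2"), ("R3", "GE0/0/0")),
    (("FW3", "GE1/0/1"), ("R4", "GE0/0/0")),
    (("R3", "GE0/0/1"), ("SW5", "Vlanif3")),
    (("R4", "GE0/0/1"), ("SW5", "Vlanif4")),
]


def check_links(plan, links):
    """Return a list of problem strings: mask mismatches, different subnets and duplicate hosts."""
    addr = {(dev, intf): ipaddress.ip_interface(a) for dev, intf, a in plan}
    problems = []
    for a, b in links:
        ia, ib = addr[a], addr[b]
        if ia.network.prefixlen != ib.network.prefixlen:
            problems.append(f"mask mismatch {a[0]} {a[1]} {ia} vs {b[0]} {b[1]} {ib}")
        elif ia.network != ib.network:
            problems.append(f"different subnets {a[0]} {a[1]} {ia} vs {b[0]} {b[1]} {ib}")
        elif ia.ip == ib.ip:
            problems.append(f"duplicate address {ia.ip} on {a} and {b}")
    # A host address used on more than one interface anywhere in the plan.
    owners = defaultdict(list)
    for key, intf_addr in addr.items():
        owners[intf_addr.ip].append(key)
    for ip, where in owners.items():
        if len(where) > 1:
            problems.append(f"duplicate address {ip} on {where}")
    return problems


if __name__ == "__main__":
    for p in check_links(PLAN, LINKS):
        print(p)
```

Because the two ends of the 200.1.1.0 link disagree on the mask, R2 treats 200.1.1.0/24 as directly connected while FW3 only knows 200.1.1.0/30; the check catches this before any routing protocol is configured on top of it.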

3. Configuration Tasks

3.1 Headquarters network configuration

3.1.1 Task 1: Configure MSTP

  1. On SW1, SW2, SW3 and SW4, create VLANs 101, 102 and 103, enable STP, and designate SW1 as the root bridge and SW2 as the backup root bridge.
  2. Create an MST region named huawei and map VLANs 101 to 103 so that they are forwarded within that region.
  3. Enable root protection on the designated ports of the root bridge.

Configuration procedure:

#SW1
[SW1]stp region-configuration 
[SW1-mst-region]region-name huawei
[SW1-mst-region]instance 1 vlan 101 102 103
[SW1-mst-region]active region-configuration 
[SW1]stp instance 0 root primary 
[SW1]stp instance 1 root primary 

#SW2
[SW2]stp region-configuration 
[SW2-mst-region]region-name huawei
[SW2-mst-region]instance 1 vlan 101 102 103
[SW2-mst-region]active region-configuration 
[SW2]stp instance 0 root secondary 
[SW2]stp instance 1 root secondary 

#SW3
[SW3]stp region-configuration 
[SW3-mst-region]region-name huawei
[SW3-mst-region]instance 1 vlan 101 102 103
[SW3-mst-region]active region-configuration 

#SW4
[SW4]stp region-configuration 
[SW4-mst-region]region-name huawei
[SW4-mst-region]instance 1 vlan 101 102 103
[SW4-mst-region]active region-configuration 

STP root protection / edge ports
#SW1
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]stp edged-port enable 
[SW1-GigabitEthernet0/0/1]stp disable
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]stp edged-port enable 
[SW1-GigabitEthernet0/0/4]stp disable
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]stp root-protection 
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]stp root-protection 

#SW2
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]stp edged-port enable 
[SW2-GigabitEthernet0/0/1]stp disable
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]stp edged-port enable 
[SW2-GigabitEthernet0/0/4]stp disable
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]stp root-protection 

Verification: 

3.1.2 Task 2: IP addresses

Configure the interface IP addresses according to the network topology in Figure 2-1; the IP address plan is given in Table 2-3.

3.1.3 Task 3: Configure DHCP

SW1 acts as the gateway of the HQ internal network. Enable DHCP on it to assign IP addresses to the internal wired and wireless networks. On SW1, create interface-based DHCP address pools to assign addresses to AP1, AP2, the STA and PC1.

  1. The address pool for the STA and the wired PC is 192.168.102.0/24, with gateway 192.168.102.1 and DNS server 114.114.114.114.
  2. The address pool for the APs is 192.168.101.0/24, with gateway 192.168.101.1.

Configuration procedure:

DHCP
#SW1
[SW1]dhcp enable 
[SW1]interface Vlanif 101
[SW1-Vlanif101]dhcp select interface 
[SW1-Vlanif101]dhcp server option 43 sub-option 2 ip-address 10.11.103.1
[SW1]interface Vlanif 102
[SW1-Vlanif102]dhcp select interface 
[SW1-Vlanif102]dhcp server dns-list 114.114.114.114

Verification: with the requirements of this task it should not be possible to make the gateway match the task statement.


3.1.4 Task 4: Configure OSPF

  1. Run OSPF on FW1, FW2, SW1 and SW2 with process ID 1.
  2. Enable OSPF on FW1 GE1/0/1.104, FW2 GE1/0/1.106, SW1 VLANIF104 and VLANIF105, and SW2 VLANIF105 and VLANIF106, and place these interfaces in area 0.0.0.0.
  3. On SW1, configure a route policy that matches the routes of the subnet where PC1 and the STA reside, and apply it when importing user routes into OSPF.
OSPF
#SW1
[SW1]ip ip-prefix PC1_STA permit 192.168.102.0 24
[SW1]route-policy PC1_STA permit node 10
[SW1-route-policy]if-match ip-prefix PC1_STA
[SW1]ospf 1
[SW1-ospf-1]import-route direct route-policy PC1_STA type 1
[SW1-ospf-1]area 0
[SW1]interface Vlanif 104
[SW1-Vlanif104]ospf enable 1 area 0
[SW1]interface Vlanif 105
[SW1-Vlanif105]ospf enable 1 area 0

#SW2
[SW2]ospf 1
[SW2-ospf-1]area 0
[SW2]interface Vlanif 105
[SW2-Vlanif105]ospf enable 1 area 0
[SW2]interface Vlanif 106
[SW2-Vlanif106]ospf enable 1 area 0

#FW1
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
[FW1]ospf 1 
[FW1-ospf-1]default-route-advertise type 1 
[FW1-ospf-1]area 0
[FW1]interface GigabitEthernet 1/0/1.104
[FW1-GigabitEthernet1/0/1.104]ospf enable 1 area 0

#FW2
[FW2]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
[FW2]ospf 1
[FW2-ospf-1]default-route-advertise type 1 
[FW2-ospf-1]area 0
[FW2]interface GigabitEthernet 1/0/1.106
[FW2-GigabitEthernet1/0/1.106]ospf enable 1 area 0

Verification:


3.1.5 Task 5: Configure firewall security zones

  1. Create a security zone named ISP with priority 15 and add GE1/0/0, which connects directly to the ISP network, to it.
  2. Create a security zone named Heart with priority 75 and add the hot-standby heartbeat interface Eth-Trunk0 to it.
  3. Add interface GE1/0/1 and its sub-interface to the trust zone.

Configuration procedure:

Security zones
#FW1
[FW1]firewall zone name ISP
[FW1-zone-ISP]set priority 15
[FW1-zone-ISP]add interface GigabitEthernet 1/0/0
[FW1]firewall zone name Heart
[FW1-zone-Heart]set priority 75
[FW1-zone-Heart]add interface Eth-Trunk 0
[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.104

#FW2
[FW2]firewall zone name ISP
[FW2-zone-ISP]set priority 15
[FW2-zone-ISP]add interface GigabitEthernet 1/0/0
[FW2]firewall zone name Heart
[FW2-zone-Heart]set priority 75
[FW2-zone-Heart]add interface Eth-Trunk 0
[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/1
[FW2-zone-trust]add interface GigabitEthernet 1/0/1.106

Verification: display zone

3.1.6 Task 6: Configure firewall hot standby

The firewalls act as the enterprise egress gateway. To improve the reliability of the HQ network, deploy firewall hot standby: in normal operation FW1 is the active device and forwards traffic; when FW1 fails, enterprise traffic switches to the standby FW2 so that internal and external communication continues.

  1. Configure a VRRP backup group on FW1 and FW2; see Table 3-1 VRRP plan for details.
  2. On FW1 and FW2, designate Eth-Trunk0 as the heartbeat interface and enable hot standby.
  3. OSPF routing should prefer FW1.
  4. Configure a Link-group so that a failure of FW1's upstream or downstream interface (GE1/0/0 or GE1/0/1) triggers an active/standby switchover.

Configuration procedure:

#SW2
[SW2]interface Vlanif 106
[SW2-Vlanif106]ospf cost 5

#FW2
[FW2]interface GigabitEthernet 1/0/1.106
[FW2-GigabitEthernet1/0/1.106]ospf cost 5

VRRP
#FW1
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 100.1.1.100 active

#FW2
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 100.1.1.100 standby 

HRP
#FW1
[FW1]hrp interface Eth-Trunk 0 remote 192.168.100.2
[FW1]hrp enable 
[FW1]hrp mirror session enable 
HRP_M[FW1]hrp auto-sync config static-route (+B) 

#FW2
[FW2]hrp interface Eth-Trunk 0 remote 192.168.100.1
[FW2]hrp enable 
[FW2]hrp mirror session enable 
HRP_S[FW2]hrp standby-device 

Link-Group
#FW1
HRP_M[FW1]interface GigabitEthernet 1/0/1 (+B)
HRP_M[FW1-GigabitEthernet1/0/1]link-group 1
HRP_M[FW1]interface GigabitEthernet 1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0]link-group 1 

#FW2
HRP_S[FW2]interface GigabitEthernet 1/0/0
HRP_S[FW2-GigabitEthernet1/0/0]link-group 1
HRP_S[FW2]interface GigabitEthernet 1/0/1
HRP_S[FW2-GigabitEthernet1/0/1]link-group 1

Verification:


3.1.7 Task 7: Configure firewall NAT

To let users in the private subnet 192.168.102.0/24 access the Internet, a source NAT policy must be configured on the firewall. Besides the IP address of the public interface, the company has obtained seven more addresses from the ISP (100.1.1.4 to 100.1.1.10) as the public addresses used after translation. Because employees' Internet usage is heavy, port translation must be enabled.

Configuration procedure:

NAT
#FW1
HRP_M[FW1]nat address-group PAT
HRP_M[FW1-address-group-PAT]mode pat  (+B)
HRP_M[FW1-address-group-PAT]section 0 100.1.1.4 100.1.1.10
HRP_M[FW1]nat-policy  (+B)
HRP_M[FW1-policy-nat]rule name No_PAT (+B)
HRP_M[FW1-policy-nat-rule-PAT]source-zone trust  (+B)
HRP_M[FW1-policy-nat-rule-PAT]destination-zone ISP (+B)
HRP_M[FW1-policy-nat-rule-PAT]source-address 192.168.102.0 mask 255.255.255.0 (+B)
HRP_M[FW1-policy-nat-rule-PAT]action source-nat address-group PAT (+B)

Security policy
#FW1
HRP_M[FW1]interface GigabitEthernet 1/0/1.104 (+B)
HRP_M[FW1-GigabitEthernet1/0/1.104]service-manage ping permit  (+B)
HRP_M[FW1]interface GigabitEthernet 1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0]service-manage ping permit  (+B)
HRP_M[FW1]interface GigabitEthernet 1/0/1.106 (+B)
HRP_M[FW1-GigabitEthernet1/0/1.106]service-manage ping permit  (+B)
HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name ISP (+B)
HRP_M[FW1-policy-security-rule-ISP]destination-zone ISP (+B)
HRP_M[FW1-policy-security-rule-ISP]source-address 100.1.1.0 mask 255.255.255.0 (+B)
HRP_M[FW1-policy-security-rule-ISP]destination-address 100.1.1.1 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ISP]destination-address 200.1.1.1 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ISP]action permit  (+B)
HRP_M[FW1-policy-security]rule name ospf (+B)
HRP_M[FW1-policy-security-rule-ospf]source-zone local  (+B)
HRP_M[FW1-policy-security-rule-ospf]destination-zone trust  (+B)
HRP_M[FW1-policy-security-rule-ospf]source-address 192.168.104.1 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ospf]source-address 192.168.106.1 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ospf]destination-address 192.168.104.2 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ospf]destination-address 192.168.106.2 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ospf]action permit  (+B)

3.1.8 Task 8: Configure WLAN

  1. According to Table 3-2 AC data plan, configure the management addresses of AC1 and AC2 on VLANIF103 so that the ACs can reach each other.
  2. Configure the basic WLAN service so that the STA obtains an IP address correctly and can reach the Internet (i.e. can ping 1.1.1.1).
  3. Use VRRP for AC hot standby so that when AC1 fails, AC2 takes over and user service is not interrupted: VRRP group 1, interface IPs 10.11.103.2 and 10.11.103.3, virtual IP 10.11.103.1.
  4. Provide Layer 2 roaming for STA terminals within the WLAN coverage area.

AC-AP communication setup
#AC1
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.11.103.4

#AC2
[AC2]ip route-static 0.0.0.0 0.0.0.0 10.11.103.4

AC-VRRP
#AC1
[AC1]interface Vlanif 103
[AC1-Vlanif103]vrrp vrid 1 virtual-ip 10.11.103.1 
[AC1-Vlanif103]vrrp vrid 1 priority 120
[AC1-Vlanif103]admin-vrrp vrid 1

#AC2
[AC2]interface Vlanif 103
[AC2-Vlanif103]vrrp vrid 1 virtual-ip 10.11.103.1
[AC2-Vlanif103]admin-vrrp vrid 1

WLAN service configuration
#AC1
[AC1]capwap source ip-address 10.11.103.1
[AC1]wlan
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]quit 
[AC1-wlan-view]regulatory-domain-profile name huawei
[AC1-wlan-regulate-domain-huawei]country-code CN 
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc66-4180
[AC1-wlan-ap-0]ap-name AP1
[AC1-wlan-ap-0]ap-group huawei
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc49-5010
[AC1-wlan-ap-1]ap-name AP2
[AC1-wlan-ap-1]ap-group huawei
[AC1-wlan-view]ssid-profile name huawei
[AC1-wlan-ssid-prof-huawei]ssid huaweiICT
[AC1-wlan-view]security-profile name huawei
[AC1-wlan-sec-prof-huawei]security wpa-wpa2 psk pass-phrase huawei@123 aes
[AC1-wlan-view]vap-profile name huawei
[AC1-wlan-vap-prof-huawei]forward-mode direct-forward
[AC1-wlan-vap-prof-huawei]service-vlan vlan-id 102
[AC1-wlan-vap-prof-huawei]ssid-profile huawei
[AC1-wlan-vap-prof-huawei]security-profile huawei
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]regulatory-domain-profile huawei
[AC1-wlan-ap-group-huawei]vap-profile huawei wlan 1 radio all 

#AC2
[AC2]capwap source ip-address 10.11.103.1
[AC2]wlan
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]quit 
[AC2-wlan-view]regulatory-domain-profile name huawei
[AC2-wlan-regulate-domain-huawei]country-code CN
[AC2-wlan-view]ap-id 0 ap-mac 00e0-fc66-4180
[AC2-wlan-ap-0]ap-name AP1
[AC2-wlan-ap-0]ap-group huawei
[AC2-wlan-view]ap-id 1 ap-mac 00e0-fc49-5010
[AC2-wlan-ap-1]ap-name AP2
[AC2-wlan-ap-1]ap-group huawei
[AC2-wlan-view]ssid-profile name huawei
[AC2-wlan-ssid-prof-huawei]ssid huaweiICT
[AC2-wlan-view]security-profile name huawei
[AC2-wlan-sec-prof-huawei]security wpa-wpa2 psk pass-phrase huawei@123 aes
[AC2-wlan-view]vap-profile name huawei
[AC2-wlan-vap-prof-huawei]forward-mode direct-forward
[AC2-wlan-vap-prof-huawei]service-vlan vlan-id 102
[AC2-wlan-vap-prof-huawei]ssid-profile huawei
[AC2-wlan-vap-prof-huawei]security-profile huawei
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]regulatory-domain-profile huawei
[AC2-wlan-ap-group-huawei]vap-profile huawei wlan 1 radio all 


#AC HSB configuration
#AC1
[AC1]hsb-service 0
[AC1-hsb-service-0]service-ip-port local-ip 10.11.103.2 peer-ip 10.11.103.3 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0]service-keep-alive detect retransmit 3 interval 6
[AC1]hsb-group 0
[AC1-hsb-group-0]track vrrp vrid 1 interface Vlanif 103 
[AC1-hsb-group-0]bind-service 0
[AC1]hsb-service-type access-user hsb-group 0
[AC1]hsb-service-type dhcp hsb-group 0
[AC1]hsb-service-type ap hsb-group 0
[AC1]hsb-group 0
[AC1-hsb-group-0]hsb enable

#AC2
[AC2]hsb-service 0
[AC2-hsb-service-0]service-ip-port local-ip 10.11.103.3 peer-ip 10.11.103.2 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0]service-keep-alive detect retransmit 3 interval 6
[AC2]hsb-group 0
[AC2-hsb-group-0]track vrrp vrid 1 interface Vlanif 103 
[AC2-hsb-group-0]bind-service 0
[AC2]hsb-service-type access-user hsb-group 0
[AC2]hsb-service-type dhcp hsb-group 0
[AC2]hsb-service-type ap hsb-group 0
[AC2]hsb-group 0
[AC2-hsb-group-0]hsb enable


#Smart roaming
#AC1
[AC1]wlan
[AC1-wlan-view]rrm-profile name huawei
[AC1-wlan-rrm-prof-huawei]smart-roam enable 
[AC1-wlan-rrm-prof-huawei]smart-roam roam-threshold snr 15
[AC1-wlan-view]radio-2g-profile name huawei
[AC1-wlan-radio-2g-prof-huawei]rrm-profile huawei
[AC1-wlan-view]radio-5g-profile name huawei
[AC1-wlan-radio-5g-prof-huawei]rrm-profile huawei
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]radio 0
[AC1-wlan-group-radio-huawei/0]radio-2g-profile huawei
[AC1-wlan-ap-group-huawei]radio 1
[AC1-wlan-group-radio-huawei/1]radio-5g-profile huawei
[AC1-wlan-ap-group-huawei]radio 2
[AC1-wlan-group-radio-huawei/2]radio-5g-profile huawei

#AC2
[AC2]wlan
[AC2-wlan-view]rrm-profile name huawei
[AC2-wlan-rrm-prof-huawei]smart-roam enable 
[AC2-wlan-rrm-prof-huawei]smart-roam roam-threshold snr 15
[AC2-wlan-view]radio-2g-profile name huawei
[AC2-wlan-radio-2g-prof-huawei]rrm-profile huawei
[AC2-wlan-view]radio-5g-profile name huawei
[AC2-wlan-radio-5g-prof-huawei]rrm-profile huawei
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]radio 0
[AC2-wlan-group-radio-huawei/0]radio-2g-profile huawei
[AC2-wlan-ap-group-huawei]radio 1
[AC2-wlan-group-radio-huawei/1]radio-5g-profile huawei
[AC2-wlan-ap-group-huawei]radio 2
[AC2-wlan-group-radio-huawei/2]radio-5g-profile huawei

Verification:

3.1.9 Task 9: Configure QoS

  1. On SW1 GE0/0/1 in the outbound direction, from 8:00 to 18:00 Monday through Friday, rate-limit traffic with TCP destination ports 6881-6999 to a committed average rate of 2 Mbps.
  2. On SW1 GE0/0/2 and GE0/0/3 in the inbound direction, re-mark the DSCP of packets from PC1 and the STA to AF43 (38).

Configuration procedure:

#SW1
[SW1]time-range huawei 08:00 to 18:00 working-day
[SW1]acl 3000
[SW1-acl-adv-3000]rule permit tcp destination-port range 6881 6999 time-range huawei
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]traffic-limit outbound acl 3000 cir 2048
[SW1]traffic classifier huawei
[SW1-classifier-huawei]if-match vlan-id 102
[SW1]traffic behavior huawei
[SW1-behavior-huawei]remark vlan-id 102
[SW1-behavior-huawei]remark dscp af43 
[SW1]traffic policy huawei
[SW1-trafficpolicy-huawei]classifier huawei behavior huawei
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]traffic-policy huawei inbound 
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]traffic-policy huawei inbound 

3.1.10 Task 10: Configure network automation

The company has a CE6800 with management IP address 192.168.56.100/24. An automation script now needs to be written on the client (Client) to fetch the device's current configuration file. In Figure 2-1 Network Topology, the client Client is the host with Python installed (i.e. the host running the simulator).

  1. Configure the CE switch with management address VLANIF1: 192.168.56.100/24.
  2. Enable the STelnet function on the CE switch and configure the VTY user interface.
  3. On the CE switch, create local user python, add it to the administrator group, and set its service type to SSH.
  4. On the CE switch, create an SSH user with password authentication and service type SSH.
  5. On the client host, run Jupyter Notebook (Anaconda3), write Python code, and use the automation script to log in to the CE switch and display its configuration.
  6. Save the Python file as python_ssh.ipynb.

Configuration procedure:

#Configure the management address
[CE6800]interface Vlanif 1
[CE6800-Vlanif1]ip address 192.168.56.100 24 

#Configure SSH
[CE6800]stelnet server enable 
[CE6800]user-interface vty 0 4
[CE6800-ui-vty0-4]authentication-mode aaa
[CE6800-ui-vty0-4]protocol inbound ssh 
[CE6800]aaa
[CE6800-aaa]local-user python password irreversible-cipher Huawei@123 
[CE6800-aaa]local-user python level 3
[CE6800-aaa]local-user python service-type ssh 
[CE6800]rsa local-key-pair create 
[CE6800]ssh user python
[CE6800]ssh user python service-type ssh
[CE6800]ssh user python authentication-type password

#python
# The VTYs above accept SSH (STelnet) only, so the client must speak SSH; paramiko is used here.
import time
import paramiko

host = '192.168.56.100'
username = 'python'        # must match the local-user / SSH user created on the CE6800
password = 'Huawei@123'

client = paramiko.SSHClient()
# Lab only: accept the unknown host key; in production load a known_hosts file instead.
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(host, username=username, password=password,
               look_for_keys=False, allow_agent=False, timeout=10)

shell = client.invoke_shell()
time.sleep(1)
shell.send('screen-length 0 temporary\n')   # disable paging so the whole configuration is returned
shell.send('display current-configuration\n')
time.sleep(3)

output = b''
while shell.recv_ready():
    output += shell.recv(65535)
print(output.decode('utf-8', errors='replace'))

shell.send('quit\n')
client.close()


Addendum: in this scenario the CE switch is a big pitfall; all its interfaces are down by default and have to be brought up manually.
[CE6800]interface GE 1/0/0
[CE6800-GE1/0/0]undo shutdown
[CE6800]interface GE 1/0/1
[CE6800-GE1/0/1]undo shutdown
[CE6800]interface GE 1/0/2
[CE6800-GE1/0/2]undo shutdown
[CE6800]interface GE 1/0/3
[CE6800-GE1/0/3]undo shutdown

My computer does not have Python, so this was not tested; the general idea is as above...

3.2 Branch network configuration

3.2.1 Task 1: Configure IP addresses

Configure IP addresses according to Table 2-3 IP address plan.

3.2.2 Task 2: Configure the OSPF routing protocol

  1. Run OSPF on FW3, R3, R4 and SW5 with process ID 1.
  2. Enable OSPF on firewall interfaces GE1/0/2 and GE1/0/1, R3 GE0/0/0 and GE0/0/1, R4 GE0/0/0 and GE0/0/1, and SW5 GE0/0/1, GE0/0/2 and Eth0/0/3, and place these interfaces in the area.
  3. PC2 must not receive OSPF packets.
  4. Traffic from PC2 to the Internet (ping 2.2.2.2) should preferably be forwarded via R3, and traffic from the Internet to PC2 via R4.

Configuration procedure:

#FW3
[FW3]ip route-static 0.0.0.0 0 200.1.1.1
[FW3]ospf 1
[FW3-ospf-1]default-route-advertise type 1
[FW3-ospf-1]area 0
[FW3]interface GigabitEthernet 1/0/2
[FW3-GigabitEthernet1/0/2]ospf enable 1 area 0
[FW3-GigabitEthernet1/0/2]ospf cost 5
[FW3]interface GigabitEthernet 1/0/1
[FW3-GigabitEthernet1/0/1]ospf enable 1 area 0

#R3
[R3]ospf 1
[R3-ospf-1]area 0
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ospf enable 1 area 0
[R3-GigabitEthernet0/0/0]ospf cost 5
[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ospf enable 1 area 0

#R4
[R4]ospf 1
[R4-ospf-1]area 0
[R4]interface GigabitEthernet 0/0/1
[R4-GigabitEthernet0/0/1]ospf cost 5
[R4-GigabitEthernet0/0/1]ospf enable 1 area 0
[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ospf enable 1 area 0


#SW5
[SW5]ospf 1
[SW5-ospf-1]silent-interface Vlanif 5
[SW5-ospf-1]area 0
[SW5]interface Vlanif 3
[SW5-Vlanif3]ospf enable 1 area 0
[SW5]interface Vlanif 4
[SW5-Vlanif4]ospf enable 1 area 0
[SW5-Vlanif4]ospf cost 5
[SW5]interface Vlanif 5
[SW5-Vlanif5]ospf enable 1 area 0

3.2.3 Task 3: Firewall configuration

  1. Add FW3 GE1/0/0 to the untrust zone, and GE1/0/2 and GE1/0/1 to the trust zone.
  2. Configure security policies so that branch users (PC2) can access the ISP network (1.1.1.1).

Note: permit-all security policies are forbidden on FW1, FW2 and FW3; the security policies must be specific.

Configuration procedure:

#FW3
#Security zones
[FW3]firewall zone untrust
[FW3-zone-untrust]add interface GigabitEthernet 1/0/0
[FW3]firewall zone trust 
[FW3-zone-trust]add interface GigabitEthernet 1/0/1 
[FW3-zone-trust]add interface GigabitEthernet 1/0/2 

#Security policy
[FW3]interface GigabitEthernet 1/0/0
[FW3-GigabitEthernet1/0/0]service-manage ping permit 
[FW3]interface GigabitEthernet 1/0/1
[FW3-GigabitEthernet1/0/1]service-manage ping permit 
[FW3]interface GigabitEthernet 1/0/2
[FW3-GigabitEthernet1/0/2]service-manage ping permit 
[FW3]security-policy 
[FW3-policy-security]rule name ospf
[FW3-policy-security-rule-ospf]source-zone local 
[FW3-policy-security-rule-ospf]destination-zone trust
[FW3-policy-security-rule-ospf]source-address 10.10.2.1 32
[FW3-policy-security-rule-ospf]source-address 10.10.1.1 32
[FW3-policy-security-rule-ospf]destination-address 10.10.2.2 32
[FW3-policy-security-rule-ospf]destination-address 10.10.1.2 32
[FW3-policy-security-rule-ospf]service ospf
[FW3-policy-security-rule-ospf]action permit 
[FW3-policy-security]rule name ISP
[FW3-policy-security-rule-ISP]source-zone local
[FW3-policy-security-rule-ISP]destination-zone untrust
[FW3-policy-security-rule-ISP]source-address 200.1.1.2 mask 255.255.255.255
[FW3-policy-security-rule-ISP]destination-address 200.1.1.1 mask 255.255.255.255 
[FW3-policy-security-rule-ISP]destination-address 100.1.1.100 mask 255.255.255.255
[FW3-policy-security-rule-ISP]action permit
[FW3-policy-security]rule name nat
[FW3-policy-security-rule-nat]source-zone trust 
[FW3-policy-security-rule-nat]destination-zone untrust
[FW3-policy-security-rule-nat]source-address 10.10.5.0 mask 255.255.255.0
[FW3-policy-security-rule-nat]action permit 

[FW3]nat-policy 
[FW3-policy-nat]rule name easy-ip
[FW3-policy-nat-rule-easy-ip]source-zone trust 
[FW3-policy-nat-rule-easy-ip]destination-zone untrust 
[FW3-policy-nat-rule-easy-ip]source-address 10.10.5.0 mask 255.255.255.0
[FW3-policy-nat-rule-easy-ip]action source-nat easy-ip 
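The note above forbids permit-all rules and asks for specific policies, and the difference between FW3's ospf rule (which carries `service ospf`) and FW1's rules in 3.1.7 (which carry no service condition, and in the case of the ISP rule no source zone either) shows how easy it is to leave a rule broader than intended. The following is an added example, not part of the original article: a small Python audit that parses security-policy rules in the CLI form shown in this article (including the `HRP_M[...]` prompt and the `(+B)` backup marker) and lists, for every permit rule, the conditions left at "any". The constructed sample copies FW1's two rules and FW3's ospf rule from this article; the parse_rules and audit functions and the wording of the findings are my own.

```python
import re

# Strip a VRP prompt such as "HRP_M[FW1-policy-security-rule-ISP]" or "[FW3-policy-security]"
# and the trailing "(+B)" hot-standby marker, leaving only the command.
PROMPT = re.compile(r"^(?:HRP_[MS])?\[[^\]]*\](.*?)(?:\s*\(\+B\))?\s*$")

# Constructed sample: FW1's security policy exactly as the article lists it in 3.1.7.
FW1_POLICY = """\
HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name ISP (+B)
HRP_M[FW1-policy-security-rule-ISP]destination-zone ISP (+B)
HRP_M[FW1-policy-security-rule-ISP]source-address 100.1.1.0 mask 255.255.255.0 (+B)
HRP_M[FW1-policy-security-rule-ISP]destination-address 100.1.1.1 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ISP]action permit  (+B)
HRP_M[FW1-policy-security]rule name ospf (+B)
HRP_M[FW1-policy-security-rule-ospf]source-zone local  (+B)
HRP_M[FW1-policy-security-rule-ospf]destination-zone trust  (+B)
HRP_M[FW1-policy-security-rule-ospf]source-address 192.168.104.1 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ospf]destination-address 192.168.104.2 mask 255.255.255.255 (+B)
HRP_M[FW1-policy-security-rule-ospf]action permit  (+B)
"""

# Constructed sample: FW3's ospf rule from this section, which does restrict the service.
FW3_OSPF_RULE = """\
[FW3]security-policy 
[FW3-policy-security]rule name ospf
[FW3-policy-security-rule-ospf]source-zone local 
[FW3-policy-security-rule-ospf]destination-zone trust
[FW3-policy-security-rule-ospf]source-address 10.10.2.1 32
[FW3-policy-security-rule-ospf]destination-address 10.10.2.2 32
[FW3-policy-security-rule-ospf]service ospf
[FW3-policy-security-rule-ospf]action permit 
"""

CONDITIONS = ("source-zone", "destination-zone", "source-address", "destination-address", "service")


def parse_rules(text):
    """Return {rule name: {condition: [values], 'action': str}} from security-policy CLI lines."""
    rules, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        cmd = m.group(1).strip()
        if cmd.startswith("rule name "):
            current = cmd[len("rule name "):]
            rules[current] = {c: [] for c in CONDITIONS}
            rules[current]["action"] = None
        elif current is not None:
            key, _, rest = cmd.partition(" ")
            if key == "action":
                rules[current]["action"] = rest
            elif key in CONDITIONS:
                rules[current][key].append(rest)
    return rules


def audit(rules):
    """For each permit rule, list the match conditions that are left at 'any'."""
    findings = {}
    for name, rule in rules.items():
        if rule["action"] != "permit":
            continue
        issues = []
        if not rule["source-zone"]:
            issues.append("source-zone any")
        if not rule["destination-zone"]:
            issues.append("destination-zone any")
        if not rule["source-address"] and not rule["destination-address"]:
            issues.append("no address condition")
        if not rule["service"]:
            issues.append("service any")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for fw, text in (("FW1", FW1_POLICY), ("FW3", FW3_OSPF_RULE)):
        print(fw, audit(parse_rules(text)))
```

On the sample, FW1's ISP rule is reported with "source-zone any" and "service any", FW1's ospf rule with "service any", and FW3's ospf rule passes clean; a rule that permits any service between a pair of addresses is wider than the OSPF exchange it was written for.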

Verification:

3.3 ISP network configuration

3.3.1 Task 1: Configure IP addresses

Configure the router IP addresses according to Table 2-3 IP address plan.

3.3.2 Task 2: Configure the IS-IS routing protocol

  1. Configure IS-IS according to Table 3-3 IS-IS plan, with R1 and R2 as Level-2 routers.
  2. To improve security, configure IS-IS interface authentication in simple mode with password Huawei@123.

Configuration procedure:

#AR1
[R1]isis 1
[R1-isis-1]network-entity 10.0000.0000.0001.00
[R1-isis-1]is-level level-2 
[R1-isis-1]import-route direct 
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]isis enable 1
[R1-GigabitEthernet0/0/0]isis authentication-mode simple Huawei@123
[R1]interface LoopBack 0
[R1-LoopBack0]isis enable 1 

#AR2
[R2]isis 1
[R2-isis-1]network-entity 10.0000.0000.0002.00
[R2-isis-1]is-level level-2
[R2-isis-1]import-route direct 
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]isis enable 1
[R2-GigabitEthernet0/0/0]isis authentication-mode simple Huawei@123
[R2]interface LoopBack 0
[R2-LoopBack0]isis enable 1 

3.4 HQ-to-branch communication configuration

3.4.1 Task 1: Configure IPSec VPN

Configure a highly reliable IPSec VPN, establishing it with the VRRP virtual IP address.

  1. On FW1, configure advanced ACL 3000 to define the protected traffic from HQ to the branch (source 192.168.102.0/24, destination 10.10.0.0/16).
  2. On FW3, configure advanced ACL 3000 to define the protected traffic from the branch to HQ (source 10.10.0.0/16, destination 192.168.102.0/24).
  3. HQ and the branch establish an IPSec VPN so that internal users on both sides can reach each other, using IKE pre-shared-key authentication; see Table 3-4 IPSec configuration parameters for the specific values.

Configuration procedure:

#FW1
Configure the interesting traffic (ACL)
HRP_M[FW1]acl 3000 (+B)
HRP_M[FW1-acl-adv-3000]rule permit ip source 192.168.102.0 0.0.0.255 destination 10.10.0.0 0.0.255.255 (+B)

Configure the ISAKMP service set
HRP_M[FW1]ip service-set ISAKMP type object  (+B)
HRP_M[FW1-object-service-set-ISAKMP]service 0 protocol udp source-port 500 destination-port 500 (+B)

Permit the ISAKMP and ESP services
HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name ISP (+B)
HRP_M[FW1-policy-security-rule-ISP]service ISAKMP  (+B)
HRP_M[FW1-policy-security-rule-ISP]service esp (+B)
HRP_M[FW1-policy-security-rule-ISP]action permit  (+B)

Configure the IPSec proposal
HRP_M[FW1]ipsec proposal huawei (+B)
HRP_M[FW1-ipsec-proposal-huawei]encapsulation-mode tunnel (+B)
HRP_M[FW1-ipsec-proposal-huawei]esp encryption-algorithm aes-256 (+B)
HRP_M[FW1-ipsec-proposal-huawei]esp authentication-algorithm sha2-256 (+B)

Configure the IKE proposal
HRP_M[FW1]ike proposal 10 (+B)
HRP_M[FW1-ike-proposal-10]authentication-method pre-share  (+B)
HRP_M[FW1-ike-proposal-10]encryption-algorithm aes-256 (+B)
HRP_M[FW1-ike-proposal-10]authentication-algorithm sha2-256 (+B)

Configure the IKE peer
HRP_M[FW1]ike peer huawei (+B)
HRP_M[FW1-ike-peer-huawei]pre-shared-key Huawei@123
HRP_M[FW1-ike-peer-huawei]ike-proposal 10 (+B)

Configure the IPSec policy template
HRP_M[FW1]ipsec policy-template huawei 10 (+B)
HRP_M[FW1-ipsec-policy-templet-huawei-10]security acl 3000 (+B)
HRP_M[FW1-ipsec-policy-templet-huawei-10]ike-peer huawei (+B)
HRP_M[FW1-ipsec-policy-templet-huawei-10]proposal huawei (+B)
HRP_M[FW1-ipsec-policy-templet-huawei-10]tunnel local 100.1.1.100 (+B)

HRP_M[FW1]ipsec policy huawei1 10 isakmp template huawei (+B)

HRP_M[FW1]interface GigabitEthernet 1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0]ipsec policy huawei1 (+B)



#FW3
[FW3]acl 3000
[FW3-acl-adv-3000]rule permit ip source 10.10.0.0 0.0.255.255 destination 192.168.102.0 0.0.0.255
[FW3]ip service-set ISAKMP type object 
[FW3-object-service-set-ISAKMP]service 0 protocol udp source-port 500 destination-port 500
[FW3]security-policy 
[FW3-policy-security]rule name ISP 
[FW3-policy-security-rule-ISP]service ISAKMP 
[FW3-policy-security-rule-ISP]service esp
[FW3-policy-security-rule-ISP]action permit
[FW3]ipsec proposal huawei
[FW3-ipsec-proposal-huawei]encapsulation-mode tunnel 
[FW3-ipsec-proposal-huawei]esp encryption-algorithm aes-256
[FW3-ipsec-proposal-huawei]esp authentication-algorithm sha2-256
[FW3]ike proposal 10  
[FW3-ike-proposal-10]authentication-method pre-share
[FW3-ike-proposal-10]encryption-algorithm aes-256
[FW3-ike-proposal-10]authentication-algorithm sha2-256
[FW3]ike peer huawei
[FW3-ike-peer-huawei]pre-shared-key Huawei@123
[FW3-ike-peer-huawei]remote-address 100.1.1.100
[FW3-ike-peer-huawei]ike-proposal 10
[FW3]ipsec policy huawei 10 isakmp 
[FW3-ipsec-policy-isakmp-huawei-10]security acl 3000
[FW3-ipsec-policy-isakmp-huawei-10]ike-peer huawei
[FW3-ipsec-policy-isakmp-huawei-10]proposal huawei
[FW3]interface GigabitEthernet 1/0/0
[FW3-GigabitEthernet1/0/0]ipsec policy huawei
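An IKE negotiation fails silently on the wire when the two peers' IKE or IPSec proposals differ, and the tunnel comes up but carries nothing when the two ACLs are not mirror images of each other. Both are cheap to check from the configuration before debugging on the devices. The following is an added example, not code from the original article: a Python script that parses the IKE proposal, IPSec proposal and ACL 3000 lines of both peers in the CLI form shown above (constructed here by copying this section's FW1 and FW3 lines), then reports parameter mismatches and unmirrored flows. The extract and compare_peers functions, the "ike:"/"ipsec:" key naming and the wildcard-to-prefix conversion are my own assumptions. On the article's configuration the comparison comes back empty; the usage note shows how a single changed cipher is reported.

```python
import ipaddress
import re

# VRP prompt plus optional "(+B)" marker: group 1 is the prompt body, group 2 the command.
PROMPT = re.compile(r"^(?:HRP_[MS])?\[([^\]]*)\](.*?)(?:\s*\(\+B\))?\s*$")
ACL_RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")

# Constructed samples copied from this section of the article.
FW1_CFG = """\
HRP_M[FW1]acl 3000 (+B)
HRP_M[FW1-acl-adv-3000]rule permit ip source 192.168.102.0 0.0.0.255 destination 10.10.0.0 0.0.255.255 (+B)
HRP_M[FW1]ipsec proposal huawei (+B)
HRP_M[FW1-ipsec-proposal-huawei]encapsulation-mode tunnel (+B)
HRP_M[FW1-ipsec-proposal-huawei]esp encryption-algorithm aes-256 (+B)
HRP_M[FW1-ipsec-proposal-huawei]esp authentication-algorithm sha2-256 (+B)
HRP_M[FW1]ike proposal 10 (+B)
HRP_M[FW1-ike-proposal-10]authentication-method pre-share  (+B)
HRP_M[FW1-ike-proposal-10]encryption-algorithm aes-256 (+B)
HRP_M[FW1-ike-proposal-10]authentication-algorithm sha2-256 (+B)
"""
FW3_CFG = """\
[FW3]acl 3000
[FW3-acl-adv-3000]rule permit ip source 10.10.0.0 0.0.255.255 destination 192.168.102.0 0.0.0.255
[FW3]ipsec proposal huawei
[FW3-ipsec-proposal-huawei]encapsulation-mode tunnel 
[FW3-ipsec-proposal-huawei]esp encryption-algorithm aes-256
[FW3-ipsec-proposal-huawei]esp authentication-algorithm sha2-256
[FW3]ike proposal 10  
[FW3-ike-proposal-10]authentication-method pre-share
[FW3-ike-proposal-10]encryption-algorithm aes-256
[FW3-ike-proposal-10]authentication-algorithm sha2-256
"""


def wildcard_to_network(addr, wildcard):
    """Turn a VRP ACL address/wildcard pair (0.0.0.255 style) into an IPv4Network."""
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def extract(text):
    """Return ({'ike:<param>' or 'ipsec:<param>': value}, [(src_net, dst_net), ...]) for one peer."""
    params, flows = {}, []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        prompt, cmd = m.group(1), m.group(2).strip()
        acl = ACL_RULE.match(cmd)
        if acl:
            flows.append((wildcard_to_network(acl.group(1), acl.group(2)),
                          wildcard_to_network(acl.group(3), acl.group(4))))
            continue
        if "-ike-proposal-" in prompt:
            scope = "ike"
        elif "-ipsec-proposal-" in prompt:
            scope = "ipsec"
        else:
            continue
        key, _, value = cmd.rpartition(" ")   # e.g. "esp encryption-algorithm" / "aes-256"
        params[f"{scope}:{key}"] = value
    return params, flows


def compare_peers(local_text, remote_text):
    """List proposal parameters that differ and local flows with no mirrored remote flow."""
    lp, lf = extract(local_text)
    rp, rf = extract(remote_text)
    problems = []
    for key in sorted(set(lp) | set(rp)):
        if lp.get(key) != rp.get(key):
            problems.append(f"{key}: {lp.get(key)} vs {rp.get(key)}")
    mirrored = {(dst, src) for src, dst in rf}
    for src, dst in lf:
        if (src, dst) not in mirrored:
            problems.append(f"flow {src} -> {dst} has no mirror on the remote peer")
    return problems


if __name__ == "__main__":
    print(compare_peers(FW1_CFG, FW3_CFG))
```

With the article's lines the result is an empty list. Changing FW3's ESP cipher to aes-128 (a constructed variant) produces a single finding, "ipsec:esp encryption-algorithm: aes-256 vs aes-128", and reversing only one side's ACL produces a "has no mirror" finding; both are the conditions that otherwise surface only as a stuck IKE negotiation or an SA with zero packets.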



Reposted from blog.csdn.net/qq_45744971/article/details/133436824