詳細(xì)的HCIA-R&S實(shí)驗(yàn)筆記分享

ARP代理

實(shí)驗(yàn)：如下配置兩臺(tái)PC，要求實(shí)現(xiàn)兩臺(tái)PC的互相通信。

為PC各自配置IP，網(wǎng)關(guān)設(shè)置為G0/0/0口和G0/0/1接口的IP
配置AR3的接口IP，并開啟相關(guān)的服務(wù)

[R1-GigabitEthernet0/0/0]undo?info?en??//不會(huì)提示信息
[R1-GigabitEthernet0/0/0]arp-proxy?enable??//開啟ARP代理

[R1-GigabitEthernet0/0/1]arp-proxy?enable?
[R1-GigabitEthernet0/0/1]dis?ip?int?bri??//查看所有的接口信息，檢查IP地址是否配上以及接口是否雙up
Interface?????????????????????????IP?Address/Mask??????Physical???Protocol??
GigabitEthernet0/0/0??????????????192.168.10.254/24????up?????????up?????
GigabitEthernet0/0/1??????????????192.168.20.254/24????up?????????up?????
[R1-GigabitEthernet0/0/1]dis?arp?all??//查看ARP表項(xiàng)

#?在PC上做連通性測(cè)試

可以通過配置網(wǎng)關(guān)實(shí)現(xiàn)互通，網(wǎng)關(guān)地址為路由器與PC接口的IP

通過ARP代理實(shí)現(xiàn)互通，需要改變子網(wǎng)掩碼使不同網(wǎng)段的IP處于同一網(wǎng)段，如本題中的可以將子網(wǎng)掩碼修改為255.255.192.0，即可不通過網(wǎng)關(guān)實(shí)現(xiàn)互通

劃分VLAN

實(shí)驗(yàn)：如下圖配置PC的IP地址，需求相同VLAN可以互通，不同VLAN不能互通。

?

[SW1]dis?vlan??//查看VLAN
[SW1]vlan?batch?10?20??//創(chuàng)建VLAN10、VLAN20
[SW1]int?e0/0/2
[SW1-Ethernet0/0/2]port?link-type?access??//設(shè)置接口類型為Access
[SW1-Ethernet0/0/2]port?default?vlan?10??//默認(rèn)劃分進(jìn)VLAN10

#?同樣方法配置e0/0/3接口，劃分進(jìn)VLAN?20

[SW1]int?g0/0/1??//進(jìn)入g0/0/1接口
[SW1-GigabitEthernet0/0/1]port?link-type?trunk??//配置接口類型為Trunk
[SW1-GigabitEthernet0/0/1]port?trunk?allow-pass?vlan?10?20??//設(shè)置允許通過的VLAN為10?20?，VLAN1默認(rèn)允許通過

#SW2相同的配置

#做連通性測(cè)試

hybrid

按照如下拓?fù)?，配置相關(guān)IP地址。需求：

不同樓層的HR部門和市場部門實(shí)現(xiàn)部門內(nèi)部通信

兩部門之間不允許通信

IT部門可以訪問任意部門

?

[SW1]vlan?batch?10?20?30??//創(chuàng)建VLAN10、20、30
[SW1]dis?vlan??//查看是否創(chuàng)建
[SW1]int?e0/0/3??//進(jìn)入e0/0/3接口
[SW1-Ethernet0/0/3]port?hybrid?untagged?vlan?20?30??//設(shè)置允許通信的VLAN
[SW1-Ethernet0/0/3]port?hybrid?pvid?vlan?20??//設(shè)置PVID
[SW1-Ethernet0/0/3]dis?th??//查看當(dāng)前接口下的命令

#同樣方法配置e0/0/2接口
port?hybrid?pvid?vlan?10
port?hybrid?untagged?vlan?10?30

#配置e0/0/4接口
port?hybrid?pvid?vlan?30
port?hybrid?untagged?vlan?10?20?30

#配置e/0/1接口
port?hybrid?tagged?vlan?10?20?30
默認(rèn)PVID是VLAN?1

#SW2同樣的配置

#進(jìn)行連通性測(cè)試

VLAN間路由

單臂路由

把PC劃分到相應(yīng)的VLAN

把g0/0/1接口配置成trunk，并允許所有VLAN通過

配置路由器的子接口配置IP地址

子接口配置VLAN ID封裝（dot1q termination vid 10）

接口開啟arp廣播（arp broadcast enable）

如下拓?fù)鋱D，為PC配置IP地址。配置單臂路由，實(shí)現(xiàn)PC間互通。

#先給PC配置相應(yīng)的IP地址，網(wǎng)關(guān)254

[SW1]vlan?batch?10?20?30??//創(chuàng)建VLAN
[SW1]dis?vlan??//查看VLAN是否創(chuàng)建成功
[SW1]int?g0/0/2??//進(jìn)入g0/0/2接口
[SW1-GigabitEthernet0/0/2]port?link-type?access??//配置接口類型為access
[SW1-GigabitEthernet0/0/2]port?default?vlan?10??//劃分默認(rèn)VLAN

#同樣的方法配置g0/0/3、g0/0/4接口

#配置trunk接口，并允許所有VLAN通過
[SW1]int?g0/0/1
[SW1-GigabitEthernet0/0/1]port?link-type?trunk??//配置接口類型為trunk???
[SW1-GigabitEthernet0/0/1]port?trunk?all?vlan?all??//允許所有VLAN通過

#在R1上配置子接口
[R1]int?g0/0/0.1??//配置子接口
[R1-GigabitEthernet0/0/0.1]ip?add?192.168.10.254?24??//為子接口配置IP
#同樣方法配置其他子接口
[R1]dis?ip?int?br??//查看所有接口詳細(xì)信息

#封裝VLAN號(hào)
[R1]int?g0/0/0.1
[R1-GigabitEthernet0/0/0.1]dot1q?termination?vid?10??//指定vid，即這個(gè)接口對(duì)應(yīng)的VLAN?ID
[R1-GigabitEthernet0/0/0.1]arp?broadcast?enable??//開啟ARP的廣播功能

#同樣方法配置其他的子接口

#進(jìn)行連通性測(cè)試

三層交換

實(shí)驗(yàn)：如下拓?fù)鋱D，配置相應(yīng)IP地址。配置三層交換，使PC間互通。

[SW1]int?Vlanif?10??//創(chuàng)建VLAN10
[SW1-Vlanif10]ip?add?192.168.10.254?24??//配置IP地址
[SW1-Vlanif10]int?vlanif?20
[SW1-Vlanif20]ip?add?192.168.20.254?24
[SW1-Vlanif20]int?vlanif?30
[SW1-Vlanif30]ip?add?192.168.30.254?24

#進(jìn)行連通性測(cè)試

STP配置

SW1：4c1f-cc5c-74c7
SW2：4c1f-cc2d-7013
SW3：4c1f-cc80-7370
SW4：4c1f-cc6f-1691

選舉根橋

交換BPDU，比較BPDU，相同

比較MAC地址，SW2的MAC最小，選舉為根橋

選舉根端口

比較路徑開銷，SW1在1號(hào)線路到達(dá)根橋路徑開銷最小，所以SW1的1接口為RP（同理SW3的1接口、SW4的1接口都為RP）

如果路徑開銷相同，比較BID（優(yōu)先級(jí)、MAC地址）

如果BID也相同，則比較PID（優(yōu)先級(jí)、端口號(hào)）

選舉指定端口

在網(wǎng)絡(luò)上（每條線路上）選舉指定端口

根橋開銷為0，所以SW2的1、2、3接口都為DP

4號(hào)線路上走1、3線路開銷相同，比較BID（優(yōu)先級(jí)、MAC地址），SW1的MAC地址小，則SW1的2接口為DP，SW3的3接口為AP

5號(hào)線路上走2、3線路開銷相同，比較BID（優(yōu)先級(jí)、MAC地址），SW4的MAC地址小，則SW4的2接口為DP，SW3的2接口為AP

#?查看MAC地址
[SW1]dis?stp??//查看MAC地址

[SW1]dis?stp?bri??//查看SW1的STP
?MSTID??Port????????????????????????Role??STP?State?????Protection
???0????Ethernet0/0/1???????????????ROOT??FORWARDING??????NONE
???0????Ethernet0/0/2???????????????DESI??FORWARDING??????NONE
#?Ethernet0/0/1為RP，F(xiàn)ORWARDING為正常轉(zhuǎn)發(fā)數(shù)據(jù)，Ethernet0/0/2為DP

[SW2]dis?stp?bri??//查看SW2的STP
?MSTID??Port????????????????????????Role??STP?State?????Protection
???0????Ethernet0/0/1???????????????DESI??FORWARDING??????NONE
???0????Ethernet0/0/2???????????????DESI??FORWARDING??????NONE
???0????Ethernet0/0/3???????????????DESI??FORWARDING??????NONE
???0????Ethernet0/0/4???????????????DESI??FORWARDING??????NONE
???0????Ethernet0/0/5???????????????DESI??FORWARDING??????NONE

[SW3]dis?stp?bri??//查看SW3的STP
?MSTID??Port????????????????????????Role??STP?State?????Protection
???0????Ethernet0/0/1???????????????ROOT??FORWARDING??????NONE
???0????Ethernet0/0/2???????????????ALTE??DISCARDING??????NONE
???0????Ethernet0/0/3???????????????ALTE??DISCARDING??????NONE
#?Ethernet0/0/1為RP，數(shù)據(jù)正常轉(zhuǎn)發(fā)，Ethernet0/0/2和Ethernet0/0/3為AP，DISCARDING端口關(guān)閉，不轉(zhuǎn)發(fā)數(shù)據(jù)

[SW4]dis?stp?bri??//查看SW4的STP
?MSTID??Port????????????????????????Role??STP?State?????Protection
???0????Ethernet0/0/1???????????????ROOT??FORWARDING??????NONE
???0????Ethernet0/0/2???????????????DESI??FORWARDING??????NONE

拓展：使SW1為根橋，SW3位次根橋

[SW1]stp?root?primary??//使SW1成為主根橋
[SW1]dis?stp??//查看cost優(yōu)先級(jí)為0


[SW3]stp?root?secondary??//使SW3成為次根橋
[SW3]dis?stp??//查看cost優(yōu)先級(jí)為4096

#?增長為12次方增長，下一個(gè)是8192，一次類推

[SW1]int?e0/0/1
[SW1-Ethernet0/0/1]stp?cost????//修改接口開銷
??INTEGER<1-200000000>??Port?path?cost
[SW1-Ethernet0/0/1]stp?cost?55

靜態(tài)路由協(xié)議

實(shí)驗(yàn)：如下拓?fù)?，按照?qǐng)D上要求配置IP。

#?配置本地環(huán)回口地址
[R1]int?LoopBack?1
[R1-LoopBack1]ip?ad?4.4.4.4?32?

#?R1上的靜態(tài)路由配置
ip?route-static?2.2.2.2?255.255.255.255?192.168.12.2
ip?route-static?3.3.3.3?255.255.255.255?192.168.13.3
ip?route-static?4.4.4.4?255.255.255.255?192.168.12.2?preference?10
ip?route-static?4.4.4.4?255.255.255.255?192.168.13.3?preference?100
ip?route-static?192.168.24.0?255.255.255.0?192.168.12.2
ip?route-static?192.168.34.0?255.255.255.0?192.168.12.2

#?R2上的靜態(tài)路由配置
ip?route-static?1.1.1.1?255.255.255.255?192.168.12.1
ip?route-static?3.3.3.3?255.255.255.255?192.168.12.1
ip?route-static?4.4.4.4?255.255.255.255?192.168.24.4
ip?route-static?192.168.13.0?255.255.255.0?192.168.12.1
ip?route-static?192.168.34.0?255.255.255.0?192.168.24.4

#?R3上的靜態(tài)路由配置
ip?route-static?1.1.1.1?255.255.255.255?192.168.13.1
ip?route-static?2.2.2.2?255.255.255.255?192.168.13.1
ip?route-static?4.4.4.4?255.255.255.255?192.168.34.4
ip?route-static?192.168.12.0?255.255.255.0?192.168.13.1
ip?route-static?192.168.24.0?255.255.255.0?192.168.34.4

#?R4上的靜態(tài)路由配置
ip?route-static?1.1.1.1?255.255.255.255?192.168.34.3?preference?10
ip?route-static?2.2.2.2?255.255.255.255?192.168.24.2
ip?route-static?3.3.3.3?255.255.255.255?192.168.34.3
ip?route-static?192.168.12.0?255.255.255.0?192.168.34.3?preference?10
ip?route-static?192.168.12.0?255.255.255.0?192.168.24.2
ip?route-static?192.168.13.0?255.255.255.0?192.168.34.3?preference?10

#進(jìn)行連通性測(cè)試，Tracer跟蹤查看數(shù)據(jù)轉(zhuǎn)發(fā)路徑

save保存配置，重啟后配置依舊生效

用戶視圖下執(zhí)行reset saved-configuration（清空所有配置），然后reboot重啟

動(dòng)態(tài)路由協(xié)議

RIP配置

實(shí)驗(yàn)：如圖配置IP地址

?

#?配置環(huán)回接口地址與物理接口地址
[R1]int?LoopBack??1
[R1-LoopBack1]ip?ad?1.1.1.1?24?
[R1-LoopBack1]int?g0/0/0
[R1-GigabitEthernet0/0/0]ip?ad?12.1.1.1?24
#?相同方法配置其他路由器

#?配置RIP，對(duì)外宣告主網(wǎng)（宣告的為自身已知的主網(wǎng)）
[R1]rip?1
[R1-rip-1]network?1.0.0.0
[R1-rip-1]network?12.0.0.0
#相同方法配置其他路由器

#?連通性測(cè)試

#?配置RIP認(rèn)證方式
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]rip?authentication-mode?simple?cipher?huawei
[R1-GigabitEthernet0/0/0]q
[R1]

RIP環(huán)路

網(wǎng)絡(luò)發(fā)生故障時(shí)，RIP網(wǎng)絡(luò)有可能會(huì)產(chǎn)生環(huán)路

環(huán)路避免：

水平分割：路由器從某個(gè)接口學(xué)到的路由，不會(huì)從該接口再發(fā)回給領(lǐng)居路由

毒性逆轉(zhuǎn)：路由從某個(gè)接口學(xué)到路由后，將該路由的跳數(shù)設(shè)置為16，并從原接收接口發(fā)回給領(lǐng)居路由器

觸發(fā)更新：當(dāng)路由信息發(fā)生變化時(shí)，立即向鄰居設(shè)備發(fā)送觸發(fā)更新報(bào)文（避免環(huán)路產(chǎn)生）

#?RIP配置
[R1]rip??//進(jìn)入RIP協(xié)議視圖
[R1-rip-1]version?2??//更改V2的版本
[R1-rip-1]network?10.0.0.0??//對(duì)外宣告主網(wǎng)

#?配置Metricin（度量值）
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]rip?metricin?2??//更改進(jìn)接口的度量值
[R1-GigabitEthernet0/0/0]rip?metricout?2??//更改出接口的度量值

#?水平分割?&?毒性逆轉(zhuǎn)
[R1-GigabitEthernet0/0/0]rip?split-horizon??//配置水平分割，默認(rèn)開啟
[R1-GigabitEthernet0/0/0]rip?poison-reverse??//配置毒性逆轉(zhuǎn)，默認(rèn)開啟
#?當(dāng)兩個(gè)特性都配置時(shí)，只有毒性逆轉(zhuǎn)會(huì)生效

#?配置RIP報(bào)文的收發(fā)
[R1-GigabitEthernet0/0/0]undo?rip?output??//禁止發(fā)送RIP報(bào)文
[R1-GigabitEthernet0/0/0]undo?rip?input??//禁止接收RIP報(bào)文

#?抑制接口，命令優(yōu)先級(jí)大于rip?in/output
[R1]rip??//進(jìn)入接口視圖
[R1-rip-1]silent-interface?g0/0/0??//抑制接口，只接受RIP報(bào)文，不發(fā)送

OSPF

實(shí)驗(yàn)一：如圖配置IP，配置OSPF，要求R1、R2、R3互通。

?

#?R1
[R1]ospf?1??//指定OSPF的進(jìn)程號(hào)1???????????????
[R1-ospf-1]area?0??//進(jìn)入骨干區(qū)域
[R1-ospf-1-area-0.0.0.0]network?12.1.1.0?0.0.0.255??//宣告網(wǎng)段
[R1-ospf-1-area-0.0.0.0]net?1.1.1.1?0.0.0.0??//宣告精確地址
#?R2
[R2]ospf?1
[R2-ospf-1]area?0
[R2-ospf-1-area-0.0.0.0]net?2.2.2.2?0.0.0.0
[R2-ospf-1-area-0.0.0.0]net?12.1.1.2?0.0.0.0
[R2-ospf-1-area-0.0.0.0]net?23.1.1.2?
[R2-ospf-1-area-0.0.0.0]net?23.1.1.2?0.0.0.0

#?查看鄰居關(guān)系
[R1]dis?ospf?peer?bri??//查看鄰居關(guān)系

#?R3
[R3]ospf?
[R3-ospf-1]area?0
[R3-ospf-1-area-0.0.0.0]net?3.3.3.3?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?23.1.1.3?0.0.0.0
#?連通性測(cè)試

指定Router-id

#?如果沒有手動(dòng)指定router-id會(huì)自動(dòng)選取
[R2]router?id?12.1.1.2??//手動(dòng)指定Router-ID
reset?ospf?process??//重新啟動(dòng)OSPF進(jìn)程
[R2]dis?ospf?peer?bri??//查看鄰居關(guān)系，Router-ID變成了指定的12.1.1.2
[R2]dis?ospf?int?g0/0/0??//查看接口下的OSPF

OSPF單區(qū)域

如圖配置IP地址，需求使用OSPF配置，實(shí)現(xiàn)全網(wǎng)互通。

配置OSPF

#?R1
[R1]ospf?router-id?1.1.1.1??//手動(dòng)指定Router-id
[R1-ospf-1]area?0??//進(jìn)入骨干區(qū)域
[R1-ospf-1-area-0.0.0.0]net?1.1.1.1?0.0.0.0??//精確宣告1.1.1.1
[R1-ospf-1-area-0.0.0.0]net?172.16.1.254?0.0.0.0??//精確宣告172.16.1.254
[R1-ospf-1-area-0.0.0.0]net?172.16.13.1?0.0.0.0??//精確宣告172.16.13.1
[R1-ospf-1-area-0.0.0.0]net?172.16.12.1?0.0.0.0??//精確宣告172.16.12.1

#?R2
[R2]ospf?router-id?2.2.2.2
[R2-ospf-1]area?0
[R2-ospf-1-area-0.0.0.0]net?2.2.2.2?0.0.0.0
[R2-ospf-1-area-0.0.0.0]net?172.16.2.254?0.0.0.0?
[R2-ospf-1-area-0.0.0.0]net?172.16.23.2?0.0.0.0?
[R2-ospf-1-area-0.0.0.0]net?172.16.12.2?0.0.0.0

#?R3
[R3]ospf?router-id?3.3.3.3?
[R3-ospf-1]area?0
[R3-ospf-1-area-0.0.0.0]net?3.3.3.3?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?172.16.3.254?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?172.16.23.3?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?172.16.13.3?0.0.0.0

[R1]dis?cu?conf?ospf??//查看OSPF的所有配置
[R1]dis?ospf?peer?bri??//查看OSPF的鄰居狀態(tài)
[R1]dis?ip?routing-table?protocol?ospf??//查看OSPF學(xué)習(xí)到的路由表

#?連通性測(cè)試

OSPF多區(qū)域

OSPF多區(qū)域配置，需求全網(wǎng)互通

配置OSPF

#?R1
[R1]ospf?router-id?1.1.1.1??//手動(dòng)指定Router-id
[R1-ospf-1]area?0??//進(jìn)入骨干區(qū)域
[R1-ospf-1-area-0.0.0.0]net?1.1.1.1?0.0.0.0??//精確宣告1.1.1.1
[R1-ospf-1-area-0.0.0.0]net?172.16.1.254?0.0.0.0??//精確宣告172.16.1.254
[R1-ospf-1-area-0.0.0.0]net?172.16.13.1?0.0.0.0??//精確宣告172.16.13.1
[R1-ospf-1-area-0.0.0.0]net?172.16.12.1?0.0.0.0??//精確宣告172.16.12.1

#?R2
[R2]ospf?router-id?2.2.2.2
[R2-ospf-1]area?0
[R2-ospf-1-area-0.0.0.0]net?2.2.2.2?0.0.0.0
[R2-ospf-1-area-0.0.0.0]net?172.16.2.254?0.0.0.0?
[R2-ospf-1-area-0.0.0.0]net?172.16.23.2?0.0.0.0?
[R2-ospf-1-area-0.0.0.0]net?172.16.12.2?0.0.0.0
[R2-ospf-1-area-0.0.0.0]q
[R2-ospf-1]area?1
[R2-ospf-1-area-0.0.0.1]net?172.16.24.2?0.0.0.0

#?R3
[R3]ospf?router-id?3.3.3.3?
[R3-ospf-1]area?0
[R3-ospf-1-area-0.0.0.0]net?3.3.3.3?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?172.16.3.254?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?172.16.23.3?0.0.0.0
[R3-ospf-1-area-0.0.0.0]net?172.16.13.3?0.0.0.0
[R3-ospf-1-area-0.0.0.0]q
[R3-ospf-1]area?2
[R3-ospf-1-area-0.0.0.2]net?172.16.35.3?0.0.0.0

#?R4
[R4]ospf?1??//進(jìn)入OSPF進(jìn)程
[R4-ospf-1]area?1??//進(jìn)入?yún)^(qū)域1
[R4-ospf-1-area-0.0.0.1]net?4.4.4.4?0.0.0.0??//精確宣告IP地址
[R4-ospf-1-area-0.0.0.1]net?172.16.24.4?0.0.0.0

#?R5
[R5]ospf?1
[R5-ospf-1]area?2??//進(jìn)入?yún)^(qū)域2
[R5-ospf-1-area-0.0.0.2]net?5.5.5.5?0.0.0.0??//精確宣告
[R5-ospf-1-area-0.0.0.2]net?172.16.35.5?0.0.0.0

#?顯示當(dāng)前學(xué)習(xí)到的LSA信息
[R2]dis?ospf?lsdb??//查看連接的數(shù)據(jù)庫

#?連通性測(cè)試

OSPF開銷&認(rèn)證

#?修改cost值
[R1]interface?GigabitEthernet?0/0/0
[R1-GigabitEthernet0/0/0]ospf?cost?20?

#?修改帶寬
[R1]ospf
[R1-ospf-1]bandwidth-reference?10000

#?基于接口認(rèn)證
[R1]interface?GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ospf?authentication-mode?md5?1?cipher?huawei

HDLC配置

如圖配置IP地址，使用HDLC接口調(diào)用配置接口。

?

#?R1修改端口協(xié)議
[R1]int?s1/0/0?
[R1-Serial1/0/0]link-protocol?hdlc???//修改為hdlc協(xié)議

#?R2修改端口協(xié)議
[R2]int?s1/0/0
[R2-Serial1/0/0]link-protocol?hdlc?

#?配置環(huán)回口地址
[R1]int?lo?1
[R1-LoopBack1]ip?ad?12.1.1.1?32??//配置環(huán)回口地址

[R1]int?s1/0/0
[R1-Serial1/0/0]ip?address?unnumbered?interface?LoopBack?1??//接口借用

#?添加靜態(tài)路由
[R1]ip?route-static?12.1.1.0?30?s1/0/0

#?連通性測(cè)試

PPP

PAP認(rèn)證

如圖拓?fù)?，配置IP地址，配置PPP的PAP認(rèn)證。

?

[R1]int?s1/0/0
[R1-Serial1/0/0]ppp?authentication-mode?pap??//PPP認(rèn)證模式修改為PAP

#?AAA認(rèn)證
[R1]aaa
[R1-aaa]local-user?bad?password?cipher?huawei123??//配置用戶名和密碼
[R1-aaa]local-user?bad?service-type?ppp??//配置用戶用于PPP

#?R2上配置
[R2]int?s1/0/0
[R2-Serial1/0/0]ppp?pap?local-user?bad?password?cipher?huawei123??//被認(rèn)證方認(rèn)證
#?連通性測(cè)試

Chap認(rèn)證

如圖配合IP地址，配置PPP的Chap認(rèn)證。

R1、R2配置接口IP地址

#?配置Chap認(rèn)證
[R1]int?s1/0/0
[R1-Serial1/0/0]ppp?authentication-mode?chap?

#?配置AAA認(rèn)證
[R1]aaa
[R1-aaa]local-user?bad?password?cipher?huawei123??//配置用戶名和密碼
[R1-aaa]local-user?bad?service-type?ppp??//配置用戶用于PPP

#?
[R2]int?s1/0/0?
[R2-Serial1/0/0]ppp?chap?user?bad
[R2-Serial1/0/0]ppp?chap?password?cipher?huawei123

#?連通性測(cè)試

PPPoE配置

PPPoE Server配置步驟

創(chuàng)建Dialer接口并通過配置IP地址

配置PAP認(rèn)證

綁定撥號(hào)接口

查看被分配的IP地址

如下拓?fù)洌渲肞PPoE，使PC與PPPoE Server互通

PPPoE Server配置

#?創(chuàng)建并配置虛擬模板
[PPPoE?Server]int?Virtual-Template?1??//創(chuàng)建虛擬模板
[PPPoE?Server-Virtual-Template1]ip?ad?100.100.100.254?24??//虛擬模板配置IP地址
[PPPoE?Server-Virtual-Template1]ppp?ipcp?dns?8.8.8.8??//配置DNS

#?創(chuàng)建并配置地址池
[PPPoE?Server]ip?pool?pppoe??//創(chuàng)建地址池
[PPPoE?Server-ip-pool-pppoe]network?100.100.100.0?mask?24??//分配網(wǎng)段
[PPPoE?Server-ip-pool-pppoe]gateway-list?100.100.100.254??//設(shè)置網(wǎng)關(guān)

#?虛擬模板調(diào)用地址池并配置認(rèn)證
[PPPoE?Server]int?Virtual-Template?1??//進(jìn)入虛擬模板接口
[PPPoE?Server-Virtual-Template1]remote?address?pool?pppoe??//調(diào)用地址池
[PPPoE?Server-Virtual-Template1]ppp?authentication-mode?pap??//配置認(rèn)證模式

#?物理接口綁定虛擬模板接口
[PPPoE?Server]int?g0/0/0
[PPPoE?Server-GigabitEthernet0/0/0]pppoe-server?bind?virtual-template?1??//物理接口綁定虛擬模板

#?配置AAA認(rèn)證
[PPPoE?Server]aaa
[PPPoE?Server-aaa]local-user?bad?password?cipher?huawei123
[PPPoE?Server-aaa]local-user?bad?service-type?ppp

PPPoE Client配置

#?創(chuàng)建Dialer接口并通過配置IP地址
[PPPoE?Client]int?Dialer?1??//創(chuàng)建Dialer接口
[PPPoE?Client-Dialer1]dialer?user?bad??//指定Dialer用戶（可配可不配）
[PPPoE?Client-Dialer1]dialer?bundle?1??//接口綁定
[PPPoE?Client-Dialer1]ip?ad?ppp-negotiate??//通過鄰居分配獲得IP地址
[PPPoE?Client-Dialer1]ppp?ipcp?dns?request??//配置接受DNS服務(wù)器

#?配置PAP認(rèn)證
[PPPoE?Client-Dialer1]ppp?pap?local-user?bad?password?cipher?huawei123

#?綁定撥號(hào)接口
[PPPoE?Client]int?g0/0/1
[PPPoE?Client-GigabitEthernet0/0/1]pppoe-client?dial-bundle-number?1

#?查看被分配的IP地址，進(jìn)行連通性測(cè)試
[PPPoE?Client]ping?100.100.100.254

#?客戶端物理接口配置IP地址并配置靜態(tài)路由
[PPPoE?Client]ip?route-static?0.0.0.0?0?Dialer?1
[PPPoE?Client]int?g0/0/0
[PPPoE?Client-GigabitEthernet0/0/0]ip?ad?192.168.43.254?24

#?PPPoE服務(wù)器配置靜態(tài)路由（實(shí)際情況中無需配置靜態(tài)路由）
[PPPoE?Server]ip?route-static?0.0.0.0?0?100.100.100.253

#?PC上連通性測(cè)試

DHCP配置

如下拓?fù)洌渲肈HCP，使PC1與PC2自動(dòng)獲取IP地址

配置接口地址池

配合全局地址池

配置DHCP，使兩臺(tái)PC獲得不同網(wǎng)段的IP地址

接口地址池

[DHCP?Server]dhcp?enable??//開啟DHCP服務(wù)
[DHCP?Server]int?g0/0/0
[DHCP?Server-GigabitEthernet0/0/0]ip?ad?192.168.43.254?24??//配置地址
[DHCP?Server-GigabitEthernet0/0/0]dhcp?select?interface??//接口調(diào)用
[DHCP?Server-GigabitEthernet0/0/0]dhcp?server?dns-list?8.8.8.8??//配置DNS
[DHCP?Server-GigabitEthernet0/0/0]dhcp?server?excluded-ip-address?192.168.43.244?192.168.43.253??//不參與分配的IP地址
[DHCP?Server-GigabitEthernet0/0/0]dhcp?server?lease?day?3??//IP地址租約

#?PC使用DHCP獲取IP地址，查看IP地址

全局地址池

[DHCP?Server]dhcp?enable??//開啟DHCP服務(wù)
[DHCP?Server]ip?pool?bad??//創(chuàng)建全局地址池
[DHCP?Server-ip-pool-bad]net?192.168.43.0?mask?24??//添加一個(gè)網(wǎng)段
[DHCP?Server-ip-pool-bad]gateway-list?192.168.43.254??//配置網(wǎng)關(guān)
[DHCP?Server-ip-pool-bad]dns-list?114.114.114.114??//配置DNS
[DHCP?Server-ip-pool-bad]excluded-ip-address?192.168.43.250?192.168.43.253??//不參與分配的IP地址
[DHCP?Server-ip-pool-bad]lease?day?5??//IP地址租約時(shí)間
[DHCP?Server-ip-pool-bad]dis?ip?pool??//查看地址池的相關(guān)信息

#?將接口使用本地地址池
[DHCP?Server]int?g0/0/0
[DHCP?Server-GigabitEthernet0/0/0]dhcp?select?global??//調(diào)用本地的地址池
[DHCP?Server-GigabitEthernet0/0/0]ip?ad?192.168.43.254?24??//接口添加IP地址（與地址池的地址同一網(wǎng)段）

#?PC查看獲取的IP地址

拓展：兩臺(tái)PC分配不同網(wǎng)段的IP（此處的配置是繼續(xù)上面的實(shí)驗(yàn)）

方法一：配置單臂路由，配置子接口

#?交換機(jī)上的配置
[SW1]vlan?10
[SW1-vlan10]vlan?20
[SW1-vlan20]int?g0/0/2?
[SW1-GigabitEthernet0/0/2]port?link-type?access?
[SW1-GigabitEthernet0/0/2]port?default?vlan?10
[SW1-GigabitEthernet0/0/2]int?g0/0/3
[SW1-GigabitEthernet0/0/3]port?link-type?access?
[SW1-GigabitEthernet0/0/3]port?default?vlan?20
[SW1-GigabitEthernet0/0/3]int?g0/0/1
[SW1-GigabitEthernet0/0/1]port?link-type?trunk?
[SW1-GigabitEthernet0/0/1]port?trunk?allow-pass?vlan?10?20

#?路由器上配置
[DHCP?Server]int?g0/0/0
[DHCP?Server-GigabitEthernet0/0/0]undo?dhcp?select?global??//刪除DHCP的配置
[DHCP?Server-GigabitEthernet0/0/0]undo?ip?add??//刪除IP地址

#?配置子接口
[DHCP?Server]int?g0/0/0.1
[DHCP?Server-GigabitEthernet0/0/0.1]dot1q?termination?vid?10??//封裝VLAN?ID
[DHCP?Server-GigabitEthernet0/0/0.1]arp?broadcast?enable??//開啟ARP轉(zhuǎn)發(fā)
[DHCP?Server-GigabitEthernet0/0/0.1]ip?add?192.168.43.254?24??//配置IP地址
[DHCP?Server-GigabitEthernet0/0/0.1]int?g0/0/0.2
[DHCP?Server-GigabitEthernet0/0/0.2]dot1q?termination?vid?20
[DHCP?Server-GigabitEthernet0/0/0.2]arp?broadcast?enable?
[DHCP?Server-GigabitEthernet0/0/0.2]ip?add?192.168.53.254?24

#?查看地址池
[DHCP?Server]dis?ip?pool?

#?創(chuàng)建地址池
[DHCP?Server]ip?pool?boy
[DHCP?Server-ip-pool-boy]net?192.168.53.0?mask?24??//分配的網(wǎng)段
[DHCP?Server-ip-pool-boy]gateway-list?192.168.53.254??//網(wǎng)關(guān)
[DHCP?Server-ip-pool-boy]lease?day?3??//IP地址租約
[DHCP?Server-ip-pool-boy]dns-list?8.8.8.8??//DNS服務(wù)器
[DHCP?Server-ip-pool-boy]excluded-ip-address?192.168.53.200?192.168.53.253??//不參與分配的IP地址

#?查看地址池
[DHCP?Server]dis?ip?pool?

#?接口調(diào)用地址池
[DHCP?Server]int?g0/0/0.1
[DHCP?Server-GigabitEthernet0/0/0.1]dhcp?select?global??//調(diào)用全局地址池
[DHCP?Server-GigabitEthernet0/0/0.1]int?g0/0/0.2
[DHCP?Server-GigabitEthernet0/0/0.2]dhcp?select?global??//調(diào)用地址池

#?PC查看獲取的IP地址

方法二：DHCP中繼

#?配置DHCP中繼
[SW1]dhcp?enable??
[SW1]int?Vlanif?10
[SW1-Vlanif10]dhcp?select?relay?
[SW1-Vlanif10]dhcp?relay?server-ip?192.168.43.254??//DHCP服務(wù)器的出接口地址
[SW1-Vlanif10]q
[SW1]int?Vlanif?20
[SW1-Vlanif20]dhcp?select?relay?
[SW1-Vlanif20]dhcp?relay?server-ip?192.168.43.254

AAA

配置AAA步驟：

起aaa（aaa）

配置本地用戶和密碼（local-user bad password cipher huawei@123）

應(yīng)用的服務(wù)類型（local-user bad service-type telnet）

設(shè)置權(quán)限（local-user bad privilege level 5）

允許同時(shí)登錄的用戶數(shù)量（user-interface vty 0 4）

修改認(rèn)證模式（authentication-mode aaa）

配置Telnet和Stelnet登錄

[AC1]telnet?server?enable??//開啟Telnet服務(wù)
[AC1]aaa??//配置aaa
[AC1-aaa]local-user?bad?password?cipher?huawei@123??//創(chuàng)建用戶并設(shè)置密碼
[AC1-aaa]local-user?bad?service-type?telnet??//設(shè)置賬戶類型
[AC1-aaa]local-user?bad?privilege?level?5??//設(shè)置等級(jí)
Warning:?This?operation?may?affect?online?users,?are?you?sure?to?change?the?user?privilege?level??[Y/N]y
[AC1-aaa]q

[AC1]user-interface?vty?0?4
[AC1-ui-vty0-4]protocol?inbound?all??//?允許登錄接入用戶類型的協(xié)議
[AC1-ui-vty0-4]authentication-mode?aaa??//修改aaa認(rèn)證模式
[AC1-ui-vty0-4]return

telnet?192.168.43.120??//Telnet登錄

Stelnet登錄

#?生本地rsa密鑰
[FWQ]rsa?local-key-pair?create??//創(chuàng)建密鑰
The?key?name?will?be:?Host
%?RSA?keys?defined?for?Host?already?exist.
Confirm?to?replace?them??(y/n)[n]:y??//y確認(rèn)
The?range?of?public?key?size?is?(512?~?2048).
NOTES:?If?the?key?modulus?is?greater?than?512,
???????It?will?take?a?few?minutes.
Input?the?bits?in?the?modulus[default?=?512]:512??//密鑰長度
Generating?keys...

#?配置AAA認(rèn)證
[FWQ]aaa
[FWQ-aaa]local-user?bad?password?cipher?huawei@123??//創(chuàng)建用戶及密碼
[FWQ-aaa]local-user?bad?service-type?ssh??//配置用戶允許登錄方式
[FWQ-aaa]local-user?bad?privilege?level?5??//設(shè)置賬戶等級(jí)
[FWQ-aaa]q
[FWQ]user-interface?vty?0?4??//配置允許用戶登錄
[FWQ-ui-vty0-4]authentication-mode?aaa??//用戶登錄的方式
[FWQ-ui-vty0-4]protocol?inbound?ssh?//允許通過ssh登錄

#?在系統(tǒng)視圖下創(chuàng)建一個(gè)用戶，指定ssh登錄方式為密碼登錄
[FWQ]ssh?user?bad?authentication-type?password??//配置密碼登錄
[FWQ]stelnet?server?enable??//開啟Stelnet服務(wù)

客戶端配置

#?開啟首次認(rèn)證
[KH]ssh?client?first-time?enable?

#?Stelnet登錄
[KH]stelnet?2.2.2.29
Please?input?the?username:bad??//用戶名
Trying?2.2.2.29?...
Press?CTRL+K?to?abort
Connected?to?2.2.2.29?...
The?server?is?not?authenticated.?Continue?to?access?it??(y/n)[n]:y??//y確認(rèn)
Apr??2?2020?2028-08:00?KH?%%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The?server?had?not?been?authenticated?in?the?process?of?exchanging?keys.?When?deciding?whether?to?continue,?the?user?chose?Y.?
[KH]
Save?the?server's?public?key??(y/n)[n]:y??//y確認(rèn)
The?server's?public?key?will?be?saved?with?the?name?2.2.2.29.?Please?wait...

Apr??2?2020?2030-08:00?KH?%%01SSH/4/SAVE_PUBLICKEY(l)[1]:When?deciding?whether?to?save?the?server's?public?key?2.2.2.29,?the?user?chose?Y.?
[KH]
Enter?password:???//密碼

ACL配置

基本ACL配置

acl?2000
rule?deny?source?192.168.1.0?0.0.0.255
interface?GigabitEthernet?0/0/0
traffic-filter?outbound?acl?2000??//出方向調(diào)用2000規(guī)則

高級(jí)ACL配置

acl?3000
#?拒絕192.168.1.0網(wǎng)段主機(jī)訪問172.16.10.1的FTP（21端口）
rule?deny?tcp?source?192.168.1.0?0.0.0.255?destination?172.16.10.1?0.0.0.0?destination-port?eq?21
#?拒絕192.168.2.0主機(jī)訪問172.16.10.2的所有服務(wù)
rule?deny?tcp?source?192.168.2.0?0.0.0.255?destination?172.16.10.2?0.0.0.0?
rule?permit?ip??//允許其它，默認(rèn)為拒絕
traffic-filter?outbound?acl?3000??//接口出方向調(diào)用此ACL

實(shí)驗(yàn)：如下拓?fù)鋱D，配置IP地址，配置RIP，使PC間互通，通過配置ACL，阻止PC互通。

AR2上配置ACL

[AR2]acl?2000
[AR2-acl-basic-2000]rule?deny?source?192.168.1.0?0.0.0.255??//配置ACL
[AR2-acl-basic-2000]rule?permit??//放行其他的IP
[AR2-acl-basic-2000]q
[AR2]int?g0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter?inbound?acl?2000??//接口入方向調(diào)用ACL

ACL控制訪問FTP服務(wù)器

?

[AR3]acl?3000??//配置ACL
#?禁止192.168.1.0訪問192.168.2.100的FTP服務(wù)器
[AR3-acl-adv-3000]rule?deny?tcp?source?192.168.1.0?0.0.0.255?destination?192.168.2.100?0?destination-port?eq?21
[AR3-acl-adv-3000]q
[AR3]int?g0/0/0
[AR3-GigabitEthernet0/0/0]traffic-filter?inbound?acl?3000??//接口入方向調(diào)用ACL

NAT配置

如下拓?fù)洌瓿上嚓P(guān)IP地址配置，完成相關(guān)需求。

靜態(tài)NAT

[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]nat?static?global?202.169.10.3?inside?172.16.1.1??//建立公網(wǎng)地址與私網(wǎng)地址的映射關(guān)系

Easy IP

#?刪除靜態(tài)NAT
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]undo?nat?static?global?202.169.10.3?inside?172.16.1.1

#?調(diào)用ACL
[R1]acl?2000??//配置ACL
[R1-acl-basic-2000]rule?permit??//配置允許所有通過
[R1-acl-basic-2000]q
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]nat?outbound?2000??//接口調(diào)用ACL
[R1-GigabitEthernet0/0/0]q
[R1]dis?nat?outbound??//查看

動(dòng)態(tài)NAT

#?刪除Easy?IP配置
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]undo?nat?outbound?2000
[R1-GigabitEthernet0/0/0]q
[R1]undo?acl?2000

#?創(chuàng)建公網(wǎng)地址池
#?創(chuàng)建名為1范圍為202.169.10.2-202.169.10.50的地址池
[R1]nat?address-group?1?202.169.10.2?202.169.10.50
#?創(chuàng)建名為2范圍為202.169.10.100-202.169.10.200的地址池
[R1]nat?address-group?2?202.169.10.100?202.169.10.200

#?配置ACL
[R1]acl?2000
[R1-acl-basic-2000]rule?permit?source?172.16.1.0?0.0.0.255
[R1-acl-basic-2000]q
[R1]acl?2001
[R1-acl-basic-2001]rule?permit?source?172.17.1.0?0.0.0.255

#?公網(wǎng)地址池調(diào)用ACL
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]nat?outbound?2000?address-group?1?no-pat?
[R1-GigabitEthernet0/0/0]nat?outbound?2001?address-group?2?no-pat?

#?查看地址池
[R1]dis?nat?outbound?
?NAT?Outbound?Information:
?-----------------------------------------------------------------------
?Interface?????????????????????Acl?????Address-group/IP/Interface???Type
?-----------------------------------------------------------------------
?GigabitEthernet0/0/0?????????2000????????????????1???????????????no-pat
?GigabitEthernet0/0/0?????????2001????????????????2???????????????no-pat
?-----------------------------------------------------------------------
??Total?:?2

NAT Server

#?刪除動(dòng)態(tài)NAT配置
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]undo?nat?outbound?2000?address-group?1?no-pat
[R1-GigabitEthernet0/0/0]undo?nat?outbound?2001?address-group?2?no-pat
[R1-GigabitEthernet0/0/0]q
[R1]undo?acl?2000
[R1]undo?acl?2001

#?重新配置ACL，并調(diào)用
[R1]acl?2000
[R1-acl-basic-2000]rule?permit?
[R1-acl-basic-2000]q
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]nat?outbound?2000

配置NAT Server

#?配置ftp端口映射
[R1]int?g0/0/0
[R1-GigabitEthernet0/0/0]nat?server?protocol?tcp?global?current-interface?ftp?inside?172.16.1.3?ftp?

編輯：黃飛

?