One topology and 15 modules to get you started with Huawei!

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

People who work hard will not be too bad in the end! Follow the blog or add QR 1445696451 to work together!

First, the (simulated) network topology of a company is as follows:

The intranet boundary uses a Huawei 3206 series router, the core layer uses S5700 series layer 3 switches, the access layer uses S3700 switches, and the branch office has one router.

Module 1: telnet configuration (configured here on an access-layer device; once the access-layer device has a gateway, it can be reached by telnet from other network segments)

system-view: enter the system view

telnet server enable: enable the telnet server

interface vlanif 1: enter vlanif 1

ip address 192.168.1.1 24: configure the address

user-interface vty 0 4: enter the vty 0 4 user-interface view

authentication-mode aaa: set the authentication mode to aaa

aaa: enter the aaa view

local-user zhangsan password cipher pwd123: create user zhangsan

local-user zhangsan privilege level 15: set the user's privilege level

local-user zhangsan service-type telnet: restrict the user to telnet access

ip route-static 0.0.0.0 0 192.168.1.254: configure a default route to the gateway

Module 2: ssh configuration

system-view

stelnet server enable: enable stelnet (the ssh server)

interface vlanif 1

ip address 192.168.1.1 24

user-interface vty 0 4

authentication-mode aaa

protocol inbound ssh: only allow ssh on these lines

aaa

local-user zhangsan password cipher pwd123

local-user zhangsan privilege level 15

local-user zhangsan service-type ssh: restrict the user to ssh access

ssh user zhangsan authentication-type password: zhangsan uses password authentication

ssh user zhangsan service-type stelnet: zhangsan may use the stelnet service

ip route-static 0.0.0.0 0 192.168.1.254

Module 3: dhcp configuration for automatic address assignment

1) Interface dhcp (the interface address pool is limited to using the interface ip as the clients' gateway, but it is very quick to configure)

dhcp enable: enable the dhcp service

interface vlanif 1

ip address 192.168.1.1 24

dhcp select interface: allocate addresses from the interface address pool

2) Global dhcp

dhcp enable

interface vlanif 1

ip address 192.168.1.1 24

dhcp select global: allocate addresses from a global address pool

ip pool vlan1: define the address pool

network 192.168.1.0 mask 24: network segment of the pool

gateway-list 192.168.1.254: gateway address handed to clients

dns-list 1.1.1.1: dns server address handed to clients

excluded-ip-address 192.168.1.2: address excluded from allocation

lease day 1 hour 1: lease time

Module 4: vlan configuration

vlan batch 2 to 10: create vlans 2 to 10

interface g0/0/1: enter the interface view

port link-type access: set the interface to access mode

port default vlan 2: assign vlan 2 to this interface

interface g0/0/2

port link-type trunk: set the interface to trunk mode

port trunk allow-pass vlan 2 3 5: allow vlans 2, 3 and 5 through this trunk

Module 5: eth-trunk configuration (equivalent to cisco's channel-group)

interface eth-trunk 1: create and enter eth-trunk 1

trunkport g0/0/1: add interface g0/0/1 to eth-trunk 1

interface g0/0/2

eth-trunk 1: add this interface to eth-trunk 1 (the same result, configured from the interface view)

Module 6: static routing configuration

ip route-static 192.168.1.0 24 192.168.2.1: destination network first, then the mask length, then the next-hop ip address

Module 7: ACL configuration

1) Basic acl (matches on source ip only; numbered 2000 to 2999)

acl 2000: create acl 2000

rule 5 deny source 192.168.1.0 0.0.0.255: rule 5 denies 192.168.1.0/24

rule 10 permit source 192.168.0.0 0.0.255.255: rule 10 permits 192.168.0.0/16

interface g0/0/1

traffic-filter inbound acl 2000: apply acl 2000 to traffic entering this interface

2) Advanced acl (matches on source ip, destination ip, source port and destination port; numbered 3000 to 3999)

acl 3000: create acl 3000

rule 5 deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255 destination-port eq 21: rule 5 denies TCP traffic from 192.168.1.0/24 to 172.16.0.0/16 with destination port 21

rule 10 permit tcp source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255: rule 10 permits TCP traffic from 192.168.1.0/24 to 172.16.0.0/16; together the two rules allow all TCP traffic between the two networks except to port 21
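Huawei ACLs are evaluated in rule-number order and the first matching rule decides, so the deny for port 21 only works because rule 5 is checked before rule 10. The script below is an added example (not the article's code) that models exactly those semantics, including the wildcard mask, so an ACL can be checked offline before it is applied. The same evaluator applies to the ACLs of modules 8 and 14: a packet that matches no rule is forwarded by traffic-filter, left untranslated by nat outbound, and left unprotected by an IPsec security acl, which is why the "no match" result is returned separately from permit and deny.

```python
"""Evaluate Huawei-style ACL rules (wildcard masks, first match by rule number).

Constructed example, not code from the article: it models the rule semantics
of traffic-filter (module 7) so the effect of rule ordering can be checked
offline before the ACL is applied to an interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches any protocol, as on the CLI
    source: tuple = ("0.0.0.0", "255.255.255.255")       # (address, wildcard)
    destination: tuple = ("0.0.0.0", "255.255.255.255")  # (address, wildcard)
    dport: Optional[int] = None      # "destination-port eq N"; None = any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if not wildcard_match(src, *self.source):
            return False
        if not wildcard_match(dst, *self.destination):
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching rule in rule-number order,
    or None if no rule matches. What None means depends on the consumer:
    traffic-filter forwards the packet, nat outbound leaves it untranslated,
    and an IPsec security acl leaves it unprotected."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return None


# Advanced acl 3000 from module 7, transcribed as data
ACL_3000 = [
    Rule(5, "deny", "tcp", ("192.168.1.0", "0.0.0.255"), ("172.16.0.0", "0.0.255.255"), 21),
    Rule(10, "permit", "tcp", ("192.168.1.0", "0.0.0.255"), ("172.16.0.0", "0.0.255.255")),
]

# Basic acl 2000 from module 7 (source-only rules)
ACL_2000 = [
    Rule(5, "deny", source=("192.168.1.0", "0.0.0.255")),
    Rule(10, "permit", source=("192.168.0.0", "0.0.255.255")),
]

if __name__ == "__main__":
    # Constructed sample flows through acl 3000 and acl 2000
    print(evaluate(ACL_3000, "tcp", "192.168.1.10", "172.16.5.5", 21))   # deny
    print(evaluate(ACL_3000, "tcp", "192.168.1.10", "172.16.5.5", 80))   # permit
    print(evaluate(ACL_3000, "tcp", "10.0.0.1", "172.16.5.5", 21))       # None
    print(evaluate(ACL_2000, "ip", "192.168.1.7", "8.8.8.8"))            # deny
    print(evaluate(ACL_2000, "ip", "192.168.7.7", "8.8.8.8"))            # permit
```

Note that the rules are sorted by number before matching, so listing them in a different order in the configuration makes no difference; what matters is that the more specific deny carries the lower number.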

Module 8: NAT configuration

1) Intranet NAT

acl 2000

rule 100 permit source 192.168.0.0 0.0.255.255

interface g0/0/0: enter the router's public-facing interface

nat outbound 2000: translate the private addresses matched by acl 2000 on egress

2) Publishing a private-network server with NAT

nat static global 202.1.1.1 inside 192.168.1.253: static one-to-one translation of 202.1.1.1 to 192.168.1.253

nat server protocol tcp global 202.1.1.1 www inside 192.168.1.253 8080: map the www port (TCP 80) of public address 202.1.1.1 to TCP port 8080 of 192.168.1.253 on the intranet

Module 9: mstp layer 2 load sharing

stp mode mstp: set the stp mode to mstp

stp region-configuration: enter the MST region view

region-name test: set the MST region name

revision-level 1: set the revision level

instance 1 vlan 10

instance 2 vlan 20: create mstp instances and map vlans to them

active region-configuration: activate the region configuration

stp instance 1 priority 4096

stp instance 2 priority 8192: bridge priority per instance (with the priorities reversed on the other core switch, each instance gets a different root, which gives the layer 2 load sharing)

Module 10: vrrp layer 3 load sharing

Master device:

interface vlanif 10: enter vlanif 10

ip address 192.168.1.1 24: configure the address

vrrp vrid 10 virtual-ip 192.168.1.254: configure the virtual ip address

vrrp vrid 10 priority 150: priority

vrrp vrid 10 track interface g0/0/1 reduced 100: interface tracking; when g0/0/1 goes down the priority drops by 100

Backup device:

interface vlanif 10

ip address 192.168.1.2 24

vrrp vrid 10 virtual-ip 192.168.1.254: configure the virtual ip (nothing else is configured; vrrp preemption is enabled by default, so no further setting is needed)

Module 11: rip distance-vector routing

rip: enter the rip view

version 2: use rip version 2

network 192.168.1.0: advertise the 192.168.1.0/24 segment

interface g0/0/1

rip metricin 2: metric (hop count) added to routes received on this interface

undo rip output: stop sending rip updates on this interface

undo rip input: stop receiving rip updates on this interface

silent-interface g0/0/1: (in the rip view) make the interface silent

rip split-horizon: enable split horizon

rip poison-reverse: enable poison reverse

display rip: view the rip configuration

default-route originate: advertise a default route

Module 12: ospf link-state routing

ospf 1 router-id 1.1.1.1: start ospf process 1 with router-id 1.1.1.1

area 0: enter area 0

network 192.168.1.0 0.0.0.255: advertise the network segment

display ospf peer: check the state of ospf neighbors

Module 13: GRE tunnel

interface tunnel 0/0/1: create tunnel interface 0/0/1

tunnel-protocol gre: the tunnel uses the GRE protocol

ip address 192.168.1.1 30: tunnel address

source 202.0.0.1: tunnel source (local public-network interface) address

destination 101.0.0.1: tunnel destination (peer's public-network interface) address

ip route-static 192.168.20.0 255.255.255.0 tunnel 0/0/1: route to the branch network segment through the tunnel

ospf 1 router-id 1.1.1.1

area 0

network 192.168.10.0 0.0.0.255

network 192.168.1.0 0.0.0.255: configure ospf (routing is needed so that the headquarters and branch networks connect as a whole; when dynamic routing is used, the tunnel address must also be advertised)

Module 14: IPsec

ike proposal 2

encryption-algorithm 3des-cbc

authentication-algorithm md5

authentication-method pre-share

dh group5

sa duration 10000: define the phase 1 (IKE) security proposal

ipsec proposal 5

esp authentication-algorithm sha1

esp encryption-algorithm aes-128: define the phase 2 (IPsec) security proposal

ike peer to-fenzhi v1: define the peer (to-fenzhi is the name)

pre-shared-key simple 123456: set the negotiation key; both sides must use the same key

remote-address 202.1.1.1: the peer's public-network interface address

acl 3000

rule permit ip source 10.0.0.0 0.255.255.255 destination 20.0.0.0 0.255.255.255: acl 3000 defines the interesting traffic (the data flow that must go through the tunnel)

ipsec policy abc 10 isakmp: define an IPsec policy negotiated with IKE

security acl 3000: reference acl 3000

ike-peer to-fenzhi: reference the peer

proposal 5: reference the phase 2 proposal

interface g0/0/0

ipsec policy abc: apply the IPsec policy to the interface

acl 3001

rule 100 deny ip source 10.0.0.0 0.255.255.255 destination 20.0.0.0 0.255.255.255

rule 200 permit ip source 10.0.0.0 0.255.255.255 destination any

Configure acl 3001 for Internet access (deny the flow that goes through the tunnel so it is not translated; permit everything else)

interface g0/0/0

nat outbound 3001: translate traffic matched by acl 3001 on the public-network interface
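Several settings in modules 1, 2 and 14 are worth flagging before this configuration leaves the lab: the telnet server carries credentials in cleartext, a vty block without protocol inbound ssh still accepts telnet, pre-shared-key simple stores the IKE key in plaintext, and 3des-cbc, md5, sha1 and dh group5 are all below current recommendations. The script below is an added example (not the article's code): a small offline linter that reads VRP-style configuration lines and reports those patterns. The snippets it checks are constructed from the commands in modules 1 and 14; the replacement forms named in the advice (pre-shared-key cipher, password irreversible-cipher, dh group14) are VRP commands, but whether a given platform release accepts them must be checked against its own command reference.

```python
"""Offline check of VRP-style configuration lines for weak management and IPsec settings.

Added example, not part of the article. The regexes are written from the
commands the article shows (modules 1, 2 and 14); the sample snippets are
constructed from those modules.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # short identifier for the check
    line: str       # the configuration line that triggered it
    advice: str


# Each check: (rule id, regex applied to a single lowercased line, advice)
LINE_CHECKS = [
    ("telnet-enabled", r"^telnet server enable$",
     "telnet sends credentials in cleartext; use stelnet server enable with protocol inbound ssh"),
    ("reversible-password", r"^local-user \S+ password cipher ",
     "'cipher' is reversible on VRP; use 'password irreversible-cipher' where the platform supports it"),
    ("psk-plaintext", r"^pre-shared-key simple ",
     "'simple' keeps the key in plaintext in the configuration; use 'pre-shared-key cipher'"),
    ("ike-weak-encryption", r"^encryption-algorithm (des-cbc|3des-cbc)$",
     "DES/3DES are deprecated for IKE; use an AES variant"),
    ("ike-weak-hash", r"^authentication-algorithm (md5|sha1)$",
     "MD5/SHA-1 integrity for IKE; use a SHA-2 algorithm"),
    ("ike-weak-dh", r"^dh group(1|2|5)$",
     "DH groups 1/2/5 are below 2048 bits; use dh group14 or stronger"),
    ("esp-weak-hash", r"^esp authentication-algorithm (md5|sha1)$",
     "use a SHA-2 ESP authentication algorithm"),
]


def lint(config: str) -> list:
    """Return one Finding per matching line, plus a block-level finding when a
    vty user-interface is configured without 'protocol inbound ssh' (the VRP
    default allows both telnet and ssh on those lines)."""
    lines = [ln.strip().lower() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        for rule, pattern, advice in LINE_CHECKS:
            if re.match(pattern, ln):
                findings.append(Finding(rule, ln, advice))
    has_vty = any(ln.startswith("user-interface vty") for ln in lines)
    if has_vty and "protocol inbound ssh" not in lines:
        findings.append(Finding("vty-no-ssh-restriction", "user-interface vty",
                                "restrict the vty lines with 'protocol inbound ssh'"))
    return findings


def rule_ids(config: str) -> set:
    """Convenience wrapper: the set of rule ids triggered by a configuration."""
    return {f.rule for f in lint(config)}


# Constructed from module 1 of the article (telnet management)
MODULE1 = """
telnet server enable
interface vlanif 1
ip address 192.168.1.1 24
user-interface vty 0 4
authentication-mode aaa
aaa
local-user zhangsan password cipher pwd123
local-user zhangsan privilege level 15
local-user zhangsan service-type telnet
"""

# Constructed from module 14 of the article (IKE and IPsec proposals, IKE peer)
MODULE14 = """
ike proposal 2
encryption-algorithm 3des-cbc
authentication-algorithm md5
authentication-method pre-share
dh group5
sa duration 10000
ipsec proposal 5
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
ike peer to-fenzhi v1
pre-shared-key simple 123456
remote-address 202.1.1.1
"""

if __name__ == "__main__":
    for name, cfg in (("module 1", MODULE1), ("module 14", MODULE14)):
        for f in lint(cfg):
            print(f"{name}: [{f.rule}] {f.line} -> {f.advice}")
```

Module 2's configuration passes the management checks because it enables stelnet instead of telnet and restricts the vty lines with protocol inbound ssh; only the password cipher line is still reported.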

Module 15 (the key module): using the display command. (display is the equivalent of cisco's show. I roughly counted "display ?" in the system view of a Huawei 3260 router: there are about 254 objects, which shows how important this command is. But we only need to master the commonly used ones. Here is a brief list from my daily notes.)

display this: view the configuration of the current view (the most common one)

display current-configuration: view the running configuration

display saved-configuration: view the saved configuration

display aaa: view the aaa authentication configuration

display acl <number>: view the rules of an acl

display dhcp: dhcp information

display eth-trunk <number>: configuration of an eth-trunk

display firewall group: firewall-related information

display interface <interface> | include <pattern>: configuration of an interface, filtered by a pattern

display ipsec: ipsec-related information

display lldp neighbor brief: view lldp neighbors

display mac-address: mac address table

display ospf 1 ...: ospf-related information

display vrrp: vrrp information

display vlan brief: view vlan information

display ip routing-table: view the routing table
