2023 Jiangxi Provincial Competition Sample Questions: Answers

2023 Jiangxi Provincial Competition Sample Questions

[figure from the original post]

3. Switch configuration

1. Configure VLANs; the Layer 2 links of SW1, SW2, SW3 and AC1 allow only the corresponding VLANs through.

SW1

Interface Ethernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10;20;30;40;50;60;70;80;90 
!
Interface Ethernet1/0/28
 switchport mode trunk
 switchport trunk allowed vlan 10;20;30;40;50;60;70;80;90 
 port-group 1 mode active
!
Interface Port-Channel1
!

SW2

Interface Ethernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10;20;30;40;50;60;70;80;90 
!
Interface Ethernet1/0/28
 switchport mode trunk
 switchport trunk allowed vlan 10;20;30;40;50;60;70;80;90 
 port-group 1 mode passive
!
Interface Port-Channel1
!

SW3

Interface Ethernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10;20;30;40;50;60;70;80;90;110 
!
Interface Ethernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10;20;30;40;50;60;70;80;90;110 
!

2. Enable MSTP on SW1, SW2 and SW3 to provide Layer 2 load balancing and redundancy. Create instances Instance10 and Instance20; the region name is SKILLS and the revision level is 1. Instance10 is mapped to vlan60 and vlan70, Instance20 to vlan80 and vlan90. SW1 is the root switch for Instance0 and Instance10 and the backup root for Instance20; SW2 is the root switch for Instance20 and the backup root for Instance0 and Instance10. The root switch's STP priority is 0 and the backup root's is 4096. Disable STP on the Layer 3 interconnect interfaces between the switches.

SW1

spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit
!
spanning-tree
 spanning-tree mst 0 priority 0
 spanning-tree mst 10 priority 0
 spanning-tree mst 20 priority 4096
!
Interface Ethernet1/0/26
 no spanning-tree
!

SW2

spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit
!
spanning-tree
 spanning-tree mst 0 priority 4096
 spanning-tree mst 10 priority 4096
 spanning-tree mst 20 priority 0
!
Interface Ethernet1/0/26
 no spanning-tree
!

SW3

spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit
!
spanning-tree
!
Interface Ethernet1/0/21
 no spanning-tree
!
Interface Ethernet1/0/22
 no spanning-tree
!
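
A region check for the MSTP task above, added here as an example (it is not from the original post): it parses the three switches' mst configuration blocks, computes the IEEE 802.1Q configuration digest and flags any switch whose name, revision or VLAN-to-instance map differs, since such a switch would form its own MST region and the intended load sharing would silently break. The SW3-typo entry is a constructed mismatch.

```python
import hashlib
import hmac
import re

# Signature key for the MST Configuration Digest (IEEE 802.1Q clause 13.8).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# The 'spanning-tree mst configuration' block from the answer above; SW1, SW2
# and SW3 are configured identically. SW3-typo is a constructed copy with a
# one-character slip (vlan 71 instead of 70) to show what a mismatch looks like.
SKILLS_BLOCK = """spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit"""

SWITCH_CONFIGS = {
    "SW1": SKILLS_BLOCK,
    "SW2": SKILLS_BLOCK,
    "SW3": SKILLS_BLOCK,
    "SW3-typo": SKILLS_BLOCK.replace("instance 10 vlan 60;70", "instance 10 vlan 60;71"),
}


def parse_vlan_list(spec: str) -> set:
    """Expand a DCN-style VLAN list such as '1-59;61-69;91-4094' or '60;70'."""
    vlans = set()
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_config(text: str) -> dict:
    """Pull region name, revision and the VID -> MSTID map out of the block.
    VLANs not named in any 'instance' line belong to the CIST (instance 0)."""
    cfg = {"name": None, "revision": None, "map": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"name\s+(\S+)$", line):
            cfg["name"] = m.group(1)
        elif m := re.match(r"revision-level\s+(\d+)$", line):
            cfg["revision"] = int(m.group(1))
        elif m := re.match(r"instance\s+(\d+)\s+vlan\s+(\S+)$", line):
            inst = int(m.group(1))
            for vid in parse_vlan_list(m.group(2)):
                cfg["map"][vid] = inst
    return cfg


def mst_digest(vid_to_mstid: dict) -> str:
    """HMAC-MD5 over the MST Configuration Table: 4096 two-octet big-endian
    MSTIDs indexed by VID 0..4095 (VID 0 and 4095 always map to the CIST)."""
    table = b"".join(vid_to_mstid.get(vid, 0).to_bytes(2, "big") for vid in range(4096))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_identity(text: str) -> tuple:
    """(name, revision, digest): bridges join one MST region only if all three agree."""
    cfg = parse_mst_config(text)
    return (cfg["name"], cfg["revision"], mst_digest(cfg["map"]))


def region_report(configs: dict) -> dict:
    """Map each switch name to its region identity."""
    return {sw: region_identity(text) for sw, text in configs.items()}


def regions_consistent(report: dict) -> bool:
    """True when every switch computes the same region identity."""
    return len(set(report.values())) == 1


if __name__ == "__main__":
    report = region_report(SWITCH_CONFIGS)
    for sw, (name, rev, digest) in report.items():
        print(f"{sw:9} name={name} rev={rev} digest={digest}")
    print("consistent:", regions_consistent(report))
```

The same three values can be read back on the switches to confirm that the computed region identity is what the devices actually formed.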

3. SW1 and SW2 are interconnected by three bare fibre links: one carries Layer 3 IP traffic, one carries VPN traffic and one carries Layer 2 traffic. Use the appropriate technology to isolate the routing tables of finance segment 1 and finance segment 2 from all other traffic; the finance VPN instance is named CW. Since only one bare fibre carries Layer 2 traffic, configure the appropriate technology so that the link can later be expanded and given redundancy: aggregation group number 1, using LACP, with SW1 active and SW2 active; load-share traffic by source and destination IP.

SW1

load-balance dst-src-ip
!
ip vrf CW
!
interface Vlan40
 ip vrf forwarding CW
 ip address 10.10.14.1 255.255.255.0
!
interface Vlan1027
 ip vrf forwarding CW
 ip address 10.10.255.1 255.255.255.252
!
interface Loopback2
 ip vrf forwarding CW
 ipv6 address 2001:10:10:1::2/128
 ip address 10.10.1.2 255.255.255.255
!         

SW2

load-balance dst-src-ip
!
ip vrf CW
!
interface Vlan40
 ip vrf forwarding CW
 ipv6 address 2001:10:10:24::1/64
 ip address 10.10.24.1 255.255.255.0
!
interface Vlan1027
 ip vrf forwarding CW
 ip address 10.10.255.2 255.255.255.252
!
interface Loopback2
 ip vrf forwarding CW
 ipv6 address 2001:10:10:2::2/128
 ip address 10.10.2.2 255.255.255.255
!         

For the Layer 2 link, see question 1.

4. Use SW3 to emulate the Internet switch, isolated from the group's other routing tables; the Internet routing-table VPN instance is named Internet. Use SW3 to emulate the branch office switch, isolated from the group's other routing tables; the branch office routing-table VPN instance is named Guangdong.

SW3

ip vrf Internet
!
ip vrf Guangdong
!
interface Vlan110
 ip vrf forwarding Guangdong
 ipv6 address 2001:10:10:110::1/64
 ip address 10.10.110.1 255.255.255.0
!
interface Vlan120
 ip vrf forwarding Guangdong
 ipv6 address 2001:10:10:120::1/64
 ip address 10.10.120.1 255.255.255.0
!
interface Vlan1015
 ip vrf forwarding Guangdong
 ip address 10.10.255.46 255.255.255.252
!
interface Vlan1017
 ip vrf forwarding Internet
 ip address 200.200.200.1 255.255.255.252
!
interface Vlan1018
 ip vrf forwarding Internet
 ip address 200.200.200.5 255.255.255.252
!
interface Loopback2
 ip vrf forwarding Guangdong
 ipv6 address 2001:10:10:3::2/128
 ip address 10.10.3.2 255.255.255.255
!
interface Loopback3
 ip vrf forwarding Internet
 ipv6 address 2001:200:200:3::3/128
 ip address 200.200.3.3 255.255.255.255
!

5. On the physical interface of SW1 facing the Legal department, limit both transmit and receive bandwidth to 1500Mbps and limit the maximum receive rate for all packets to 2000 packets/s; if the configured maximum receive rate is exceeded, shut the port down and bring it back after 1 minute. Enable port security with a maximum of 20 secure MAC addresses; when the limit is exceeded, do not learn new MAC addresses, drop the packets, send an SNMP trap and write a syslog entry; when the port's aging timer expires, age out only the entries that saw no traffic during the aging period and keep those that did; the recovery time is 10 minutes. Without using an access control list, forward only packets whose IP host part is 20-50; without configuring an access control list, prevent Layer 2 traffic between the ports, with group name FW.

6. Configure SNMP on SW1 with engine id 1. Create group GROUP2022 at the highest security level, with read view SKILLS_Ro and write view SKILLS_Rw. Create the authentication user USER2022, encrypted with the AES algorithm using key Pass-1234 and hashed with SHA using key Pass-1111. When the device has a fault, send v3 trap messages from the local loopback address loopback1 to the group NMS servers 10.10.11.99 and 2001:10:10:11::99 at the highest security level; when the user interface of the Legal department has an UP/DOWN event, do not send traps to those NMS servers.

Interface Ethernet1/0/3
 flow control
 bandwidth control 150000 transmit
 bandwidth control 200000 receive
 rate-violation all 2000
 rate-violation control shutdown recovery 60
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict recovery 600
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 am port
 am ip-pool 10.10.13.20 30
!

snmp-server enable
snmp-server trap-source 10.10.1.1
snmp-server trap-source 2001:10:10:1::1
snmp-server engineid 1
snmp-server user USER2022 GROUP2022 authPriv aes d3d0bd41d545d579040a06dd09aab6f0 auth sha d3d0bd41d545d579040a06dd09aab6f05a75557f
snmp-server group GROUP2022 authpriv read SKILLS_Ro write SKILLS_Rw
snmp-server host 2001:10:10:11::99 v3 authpriv USER2022
snmp-server host 10.10.11.99 v3 authpriv USER2022
!
Interface Ethernet1/0/3
 no switchport updown notification enable
!
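
The user line above stores localized keys rather than the passwords Pass-1111 and Pass-1234. The following example, added here and not from the original post, shows the RFC 3414 derivation that produces such keys: the password is expanded and hashed, then bound to the authoritative engine ID, so a key lifted from one device's configuration is useless against another engine. The switch's own engine ID octets are not shown on the page, so the RFC 3414 appendix A engine ID is used as a stand-in, and the AES-128 truncation rule follows RFC 3826.

```python
import hashlib

# Engine ID from the RFC 3414 appendix A test vectors, used as a stand-in: the
# switch above is configured with 'snmp-server engineid 1', whose exact octet
# encoding on the device is not shown, so its displayed keys cannot be reproduced.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1,048,576 bytes."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one authoritative engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes,
             hash_name: str = "sha1") -> dict:
    """Localized keys for an authPriv user: SHA-1 (20 bytes) for authentication and,
    per RFC 3826, the first 16 bytes of the localized privacy key for AES-128."""
    auth_kul = localize(password_to_ku(auth_password, hash_name), engine_id, hash_name)
    priv_kul = localize(password_to_ku(priv_password, hash_name), engine_id, hash_name)
    return {"auth": auth_kul.hex(), "priv_aes128": priv_kul[:16].hex()}


if __name__ == "__main__":
    # Auth password Pass-1111 (SHA) and privacy password Pass-1234 (AES), as in the task.
    keys = usm_keys("Pass-1111", "Pass-1234", RFC3414_ENGINE_ID)
    print("sha auth key :", keys["auth"])
    print("aes priv key :", keys["priv_aes128"])
    # The same passwords localized for a different (constructed) engine ID differ.
    other = usm_keys("Pass-1111", "Pass-1234", bytes.fromhex("0102030405060708"))
    print("same keys on another engine?", keys == other)
```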

4.路由配置

1. Configure IPv4 and IPv6 addresses on the interfaces of all devices; interconnect interfaces use IPv6 link-local addresses.

Enabled by default on the switches.

RT

ipv6  unicast-routing
Under each interface:
ipv6  enable

FW

Under each interface:
ipv6 enable 

2. Use VRRPv2 and VRRPv3 to provide gateway redundancy for vlan60, vlan70, vlan80 and vlan90, with the VRRP ID equal to the VLAN ID. The VRRPv2 VIP is 10.10.vlanid.9 (e.g. vlan60's VRRPv2 VIP is 10.10.60.9) and the VRRPv3 VIP is FE80:vlanid::9 (e.g. vlan60's VRRPv3 VIP is FE80:60::9). Configure SW1 as Master for vlan60 and vlan70, and SW2 as Master for vlan80 and vlan90. The high priority in each VRRP group is 120, the low priority is the default, preemption is the default, and the VRRPv2 and VRRPv3 advertisement intervals are the default. When the uplink of SW1 or SW2 fails, the Master's priority is reduced by 50.

SW1

router vrrp 60
 virtual-ip 10.10.60.9
 interface Vlan60
 priority 120
 vrrp track interface Ethernet1/0/21 priority 50
 enable
!
router vrrp 70
 virtual-ip 10.10.70.9
 interface Vlan70
 priority 120
 vrrp track interface Ethernet1/0/21 priority 50
 enable
!
router vrrp 80
 virtual-ip 10.10.80.9
 interface Vlan80
 enable
!
router vrrp 90
 virtual-ip 10.10.90.9
 interface Vlan90
 enable
!

router ipv6 vrrp 60
 virtual-ipv6 fe80:60::9 interface Vlan60
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router ipv6 vrrp 70
 virtual-ipv6 fe80:70::9 interface Vlan70
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router ipv6 vrrp 80
 virtual-ipv6 fe80:80::9 interface Vlan80
 enable
!
router ipv6 vrrp 90
 virtual-ipv6 fe80:90::9 interface Vlan90
 enable
!

SW2

router vrrp 60
 virtual-ip 10.10.60.9
 interface Vlan60
 enable
!
router vrrp 70
 virtual-ip 10.10.70.9
 interface Vlan70
 enable
!
router vrrp 80
 virtual-ip 10.10.80.9
 interface Vlan80
 priority 120
 vrrp track interface Ethernet1/0/21 priority 50
 enable
!
router vrrp 90
 virtual-ip 10.10.90.9
 interface Vlan90
 priority 120
 vrrp track interface Ethernet1/0/21 priority 50
 enable
!

router ipv6 vrrp 60
 virtual-ipv6 fe80:60::9 interface Vlan60
 enable
!
router ipv6 vrrp 70
 virtual-ipv6 fe80:70::9 interface Vlan70
 enable
!
router ipv6 vrrp 80
 virtual-ipv6 fe80:80::9 interface Vlan80
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router ipv6 vrrp 90
 virtual-ipv6 fe80:90::9 interface Vlan90
 circuit-failover Vlan1021 50
 priority 120
 enable
!

3. Run OSPFv2 and OSPFv3 between SW1, SW2, SW3, RT1's Ethernet link, RT2's Ethernet link, FW1, FW2 and AC1 (in routing mode, networks are advertised using interface addresses; BGP excepted).

(1) OSPFv2 and OSPFv3 between SW1, SW2, SW3, RT1, RT2 and FW1: process 1, area 0; each advertises its loopback1 route and the product routes; FW1 advertises a type 2 default route.
(2) OSPFv2 between RT2 and AC1: process 1, NSSA no-summary area 1; AC1 advertises its loopback1 route and the product and marketing routes, and redistributes loopback3 using a prefix-list.
(3) OSPFv3 between RT2 and AC1: process 1, stub no-summary area 1; AC1 advertises its loopback1 route and the product and marketing routes.

SW1

router ospf 1
 ospf router-id 10.10.1.1
 network 10.10.1.1/32 area 0
 network 10.10.11.0/24 area 0
 network 10.10.255.0/30 area 0
 network 10.10.255.4/30 area 0
 network 10.10.255.12/30 area 0
!
router ipv6 ospf 1
 router-id 10.10.1.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1021
 ipv6 router ospf area 0 tag 1
!
interface Vlan1022
 ipv6 router ospf area 0 tag 1
!
interface Vlan1026
 ipv6 router ospf area 0 tag 1
!
interface Vlan10
 ipv6 router ospf area 0 tag 1
!

SW2

router ospf 1
 ospf router-id 10.10.2.1
 network 10.10.2.1/32 area 0
 network 10.10.21.0/24 area 0
 network 10.10.255.0/30 area 0
 network 10.10.255.8/30 area 0
 network 10.10.255.20/30 area 0
!
router ipv6 ospf 1
 router-id 10.10.2.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1021
 ipv6 router ospf area 0 tag 1
!
interface Vlan1022
 ipv6 router ospf area 0 tag 1
!
interface Vlan1026
 ipv6 router ospf area 0 tag 1
!
interface Vlan10
 ipv6 router ospf area 0 tag 1
!

SW3

router ospf 1
 ospf router-id 10.10.3.1
 network 10.10.3.1/32 area 0
 network 10.10.31.0/24 area 0
 network 10.10.255.4/30 area 0
 network 10.10.255.8/30 area 0
!
router ipv6 ospf 1
 router-id 10.10.3.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1021
 ipv6 router ospf area 0 tag 1
!
interface Vlan1022
 ipv6 router ospf area 0 tag 1
!
interface Vlan10
 ipv6 router ospf area 0 tag 1
!

RT1

router ospf 1
 router-id 10.10.4.1
 network 10.10.4.1 255.255.255.255 area 0
 network 10.10.255.28 255.255.255.252 area 0
 network 10.10.255.20 255.255.255.252 area 0
 network 10.10.255.16 255.255.255.252 area 0
 redistribute ospf 2 route-map FW2
!
router ospfv3 1
 router-id 10.10.4.1
!
interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/2
 ipv6 enable
 ip ospf cost 100
 ipv6 ospf 1 area 0 
!

RT2

router ospf 1
 router-id 10.10.5.1
 network 10.10.5.1 255.255.255.255 area 0
 network 10.10.255.28 255.255.255.252 area 0
 network 10.10.255.40 255.255.255.252 area 1
 area 1 nssa no-summary
!
router ospfv3 1
 router-id 10.10.5.1
 area 1 stub no-summary
!

interface Loopback1
 ip address 10.10.5.1 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:10:5::1/128
 mpls ip encapsulate 
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 1 
!

AC1

ip prefix-list Loopback3 seq 5 permit 10.10.8.3/32
!
route-map Loopback3 permit 10
 match ip address prefix-list Loopback3
!
router ospf 1
 ospf router-id 10.10.8.1
 area 1 nssa no-summary
 network 10.10.8.1/32 area 1
 network 10.10.255.40/30 area 1
 network 10.17.100.0/24 area 1
 redistribute connected route-map Loopback3
!
router ipv6 ospf 1
 router-id 10.10.8.1
 area 1 stub no-summary
!
interface Loopback1
 ipv6 router ospf area 1 tag 1
!
interface Vlan1001
 ipv6 router ospf area 1 tag 1
!
interface Vlan100
 ipv6 router ospf area 1 tag 1
!
interface Vlan110
 ipv6 router ospf area 1 tag 1
!
interface Vlan120
 ipv6 router ospf area 1 tag 1
!

FW1

ip vrouter "trust-vr"
router ospf 1
    router-id 10.10.6.1
    default-information originate type 1
    network 10.10.6.1/32 area 0
    network 10.10.255.12/30 area 0
    network 10.10.255.16/30 area 0
  exit
  ipv6 router ospf 1
    router-id 10.10.6.1
    default-information originate type 1
  exit
exit

(4) On SW3 emulating the branch office, configure the product and marketing interfaces as loopbacks so that the emulated interfaces are up. Run OSPFv2 between the SW3 branch office and FW2: process 2, area 2; the SW3 branch office advertises loopback2 and the product and marketing routes. Configure an IPv6 default route on the SW3 branch office; on FW2 configure specific IPv6 static routes to the SW3 branch office's loopback2, product and marketing networks, and redistribute the static routes into OSPFv3.

SW3

router ospf 2 vrf Guangdong
 ospf router-id 10.10.3.2
 network 10.10.3.2/32 area 2
 network 10.10.110.0/24 area 2
 network 10.10.120.0/24 area 2
 network 10.10.255.44/30 area 2
!
ipv6 route vrf Guangdong ::/0 fe80::203:fff:fe2b:5d21 Vlan1015
!

FW2

ip vrouter "trust-vr"
  ipv6 route 2001:10:10:3::2/128 "ethernet0/1" FE80::203:FFF:FE3F:C694
  ipv6 route 2001:10:10:110::/64 "ethernet0/1" FE80::203:FFF:FE3F:C694
  ipv6 route 2001:10:10:120::/64 "ethernet0/1" FE80::203:FFF:FE3F:C694
  router ospf 2
    router-id 10.10.7.1
    network 10.10.7.1/32 area 2
    network 10.10.255.44/30 area 2
  exit
    ipv6 router ospf 2
    router-id 10.10.7.1
    redistribute static
  exit
exit

(5) OSPFv2 and OSPFv3 between RT1 and FW2: process 2, area 2; RT1 advertises its loopback4 route and originates a type 1 default route into the area; FW2 advertises its loopback1 route, and FW2 must not learn any of the group or branch company routes. On RT1, use a prefix-list to match FW2's loopback1 route, the SW3 branch office loopback2 and product routes, and the RT1-FW2 directly connected IPv4 route, and redistribute these routes into area 0.

FW2

access-list route FW2 deny any
route-map FW2 deny 10
  match ip address FW2
exit
  router ospf 2
    network 10.10.255.24/30 area 2
    distribute-list FW2 in ethernet0/1
  exit
exit
interface loopback1
  ipv6 enable
  ipv6 ospf 2 area 2
exit
interface ethernet0/2
  ipv6 enable
  ipv6 ospf 2 area 2
exit

RT1

ip prefix-list FW2 seq 5 permit 10.10.7.1/32
ip prefix-list FW2 seq 10 permit 10.10.3.2/32
ip prefix-list FW2 seq 15 permit 10.10.110.0/24
ip prefix-list FW2 seq 20 permit 10.10.255.24/30
!         
route-map FW2 10 permit
 match ip address prefix-list FW2
!
ipv6 route default Null0
!
router ospf 2
 router-id 10.10.4.4
 network 10.10.4.4 255.255.255.255 area 2
 network 10.10.255.24 255.255.255.252 area 2
 default-information originate metric-type 1
 redistribute ospf 1
!
router ospf 1
 redistribute ospf 2 route-map FW2
!

router ospfv3 2
 router-id 10.10.4.4
 default-information originate metric-type 1

!
interface Loopback4
 ipv6 enable
 ipv6 ospf 2 area 2 
!         
interface GigaEthernet0/3
 ipv6 enable
 ipv6 ospf 2 area 2 
!

(6) Change the OSPF cost to 100 so that IPv4 and IPv6 traffic between SW1 and RT2 or FW2 is preferentially forwarded over the SW1_SW2_RT1 path, and SW2's IPv4 and IPv6 traffic to the Internet is preferentially forwarded over the SW2_SW1_FW1 path.

SW1

interface vlan 1021
ip ospf cost 100
ipv6 ospf cost 100

SW2

interface vlan 1021
ip ospf cost 100
ipv6 ospf cost 100

FW1

interface ethernet0/2
ip ospf cost 100
ipv6 ospf cost 100

RT1

interface GigaEthernet0/2
ip  ospf cost 100
ipv6 ospf cost 100

4. Run RIP and RIPng between RT1's serial link, RT2's serial link, FW1 and AC1. FW1, RT1 and RT2 advertise their loopback2 routes in RIP and RIPng; AC1 advertises its loopback2 route in RIP, and AC1's RIPng redistributes the loopback2 route using a route-map that matches a prefix-list. On RT1 configure a routing policy with an offset of 4 so that RT1-S1/0_RT2-S1/1 is the primary link and RT1-S1/1_RT2-S1/0 the backup; the IPv4 ACL is named AclRIP and the IPv6 ACL AclRIPng. Use two-way CHAP authentication between RT1's S1/0 and RT2's S1/1, with the peer device name as the username and password Pass-1234.

FW1

router rip
    network 10.10.6.2/32
    network 10.10.255.16/30
  exit
  ipv6 router rip
    network ethernet0/2
    network loopback2
  exit
  
RT1
  
aaa authentication ppp default local
!
username RT2 password 0 Pass-1234
!
ip access-list standard AclRIP
 permit any  sequence 10
!
ipv6 access-list AclRIPng
 permit ipv6 any any sequence 10
!
router rip 1 
 offset Serial1/1 in AclRIP 4 
 offset Serial1/1 out AclRIP 4 
!
router ripng 1
 offset Serial1/1 in AclRIPng 4 
 offset Serial1/1 out AclRIPng 4 
!
interface Loopback2
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface GigaEthernet0/2
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/0
 ip address 10.10.255.33 255.255.255.252
 encapsulation ppp
 ppp authentication chap 
 ppp chap hostname RT1
 ppp chap password 0 Pass-1234
 physical-layer speed 2048000
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/1
 ip address 10.10.255.37 255.255.255.252
 encapsulation ppp
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!

RT2

aaa authentication ppp default local
!
username RT1 password 0 Pass-1234
!
router rip 1 
!
router ripng 1
!
interface Loopback2
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface GigaEthernet0/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/0
 ip address 10.10.255.38 255.255.255.252
 encapsulation ppp
 ppp authentication chap 
 ppp chap hostname RT2
 ppp chap password 0 Pass-1234
 physical-layer speed 2048000
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/1
 ip address 10.10.255.34 255.255.255.252
 encapsulation ppp
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!

AC1

ip prefix-list Loopback3 seq 5 permit 10.10.8.3/32
!
route-map Loopback3 permit 10
 match ip address prefix-list Loopback3
!
router rip
 network 10.10.8.2/32
 network 10.10.255.40/30
!
router ipv6 rip
 redistribute connected route-map L2
!
interface Loopback2
 ipv6 router rip 
!
interface Vlan1001
 ipv6 router rip 
!

5. Run IS-IS between RT1's Ethernet link and RT2's Ethernet link, process 1, to provide IPv4 and IPv6 connectivity between their loopback3 interfaces. The NETs of RT1 and RT2 are 10.0000.0000.0001.00 and 10.0000.0000.0002.00 respectively, the router type is Level-2 and the interface network type is point-to-point. Configure area MD5 authentication and interface MD5 authentication, both with password Pass-1234.

RT1

router isis 1
 is-type level-2
 authentication mode md5 level-2
 authentication key 0 Pass-1234 level-2
 net 10.0000.0000.0001.00
!
interface Loopback3
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
 isis authentication mode md5 level-2
 isis authentication key 0 Pass-1234 level-2
!

RT2

router isis 1
 is-type level-2
 authentication mode md5 level-2
 authentication key 0 Pass-1234 level-2
 net 10.0000.0000.0002.00
!
interface Loopback3
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
 isis authentication mode md5 level-2
 isis authentication key 0 Pass-1234 level-2
!

6. Configure IPv4 NAT on RT2 so that AC1's IPv4 product department reaches the Internet using the IPv4 address of RT2's external interface. Configure NAT64 on RT2 so that AC1's IPv6 product department reaches the Internet using the IPv4 address of RT2's external interface; the IPv4-to-IPv6 address prefix is 64:ff9b::/96.

RT2

interface GigaEthernet0/1
 ip nat inside
!
interface GigaEthernet0/3
 ip nat outside
!
ip access-list standard Nat
 permit 10.17.110.1 255.255.255.255 sequence 10
!
ipv6 access-list Nat64
 permit ipv6 2001:10:17:110::/64 any sequence 10
!
ip nat inside source list Nat interface GigaEthernet0/3
!
ipv6 nat v6v4 source list Nat64 interface GigaEthernet0/3
ipv6 nat prefix 64:FF9B::/96 v4-mapped Nat64
!

A default route also has to be configured here on RT2 and in SW3's Internet VRF; otherwise the Internet is unreachable and no translation takes place.

7. Run BGP between SW1, SW2, SW3, RT1 and RT2; SW1, SW2 and RT1 are in AS 65001, RT2 in AS 65002 and SW3 in AS 65003.

(1) SW1, SW2, SW3, RT1 and RT2 establish IPv4 and IPv6 BGP neighbours via loopback1. The finance instances of SW1 and SW2 establish an IPv4 BGP neighbour via loopback2; connectivity between SW1's and SW2's loopback2 uses static routes.
(2) SW1, SW2, SW3 and RT2 each advertise only their marketing, legal, finance and HR IPv4 and IPv6 routes; RT1 advertises the branch office marketing IPv4 and IPv6 routes into BGP.

SW1

router bgp 65001

 network 10.10.12.0/24
 network 10.10.13.0/24
 network 10.10.15.0/24
 
 neighbor 10.10.2.1 remote-as 65001
 neighbor 10.10.2.1 update-source Loopback1
 neighbor 10.10.2.1 next-hop-self
 
 neighbor 10.10.3.1 remote-as 65003
 neighbor 10.10.3.1 ebgp-multihop 255
 neighbor 10.10.3.1 update-source Loopback1
 
 neighbor 2001:10:10:2::1 remote-as 65001
 neighbor 2001:10:10:2::1 update-source Loopback1
 no neighbor 2001:10:10:2::1 activate
 
 neighbor 2001:10:10:3::1 remote-as 65003
 neighbor 2001:10:10:3::1 ebgp-multihop 255
 neighbor 2001:10:10:3::1 update-source Loopback1
 no neighbor 2001:10:10:3::1 activate
 
 address-family ipv6 unicast
 
 network 2001:10:10:12::/64
 network 2001:10:10:13::/64
 network 2001:10:10:15::/64
 
 neighbor 2001:10:10:2::1 activate
 neighbor 2001:10:10:3::1 activate
 
 exit-address-family
 address-family ipv4 vrf CW
 neighbor 10.10.2.2 remote-as 65001
 exit-address-family
!

SW2

router bgp 65001

 network 10.10.22.0/24
 network 10.10.23.0/24
 network 10.10.25.0/24
 
 neighbor 10.10.1.1 remote-as 65001
 neighbor 10.10.1.1 update-source Loopback1
 neighbor 10.10.1.1 next-hop-self
 
 neighbor 10.10.3.1 remote-as 65003
 neighbor 10.10.3.1 ebgp-multihop 255
 neighbor 10.10.3.1 update-source Loopback1
 
 neighbor 10.10.4.1 remote-as 65001
 neighbor 10.10.4.1 update-source Loopback1
 neighbor 10.10.4.1 next-hop-self
 
 neighbor 2001:10:10:1::1 remote-as 65001
 neighbor 2001:10:10:1::1 update-source Loopback1
 no neighbor 2001:10:10:1::1 activate
 
 neighbor 2001:10:10:3::1 remote-as 65003
 neighbor 2001:10:10:3::1 ebgp-multihop 255
 neighbor 2001:10:10:3::1 update-source Loopback1
 no neighbor 2001:10:10:3::1 activate
 
 neighbor 2001:10:10:4::1 remote-as 65001
 neighbor 2001:10:10:4::1 update-source Loopback1
 no neighbor 2001:10:10:4::1 activate
 
 address-family ipv6 unicast
 
 network 2001:10:10:22::/64
 network 2001:10:10:23::/64
 network 2001:10:10:25::/64
 
 neighbor 2001:10:10:1::1 activate
 neighbor 2001:10:10:3::1 activate
 neighbor 2001:10:10:4::1 activate
 
 exit-address-family
 address-family ipv4 vrf CW
 neighbor 10.10.1.2 remote-as 65001
 exit-address-family
!

SW3

router bgp 65003

 network 10.10.32.0/24
 network 10.10.33.0/24
 network 10.10.35.0/24
 
 neighbor 10.10.1.1 remote-as 65001
 neighbor 10.10.1.1 ebgp-multihop 255
 neighbor 10.10.1.1 update-source Loopback1

 neighbor 10.10.2.1 remote-as 65001
 neighbor 10.10.2.1 ebgp-multihop 255
 neighbor 10.10.2.1 update-source Loopback1

 neighbor 2001:10:10:1::1 remote-as 65001
 neighbor 2001:10:10:1::1 ebgp-multihop 255
 neighbor 2001:10:10:1::1 update-source Loopback1
 no neighbor 2001:10:10:1::1 activate
 
 neighbor 2001:10:10:2::1 remote-as 65001
 neighbor 2001:10:10:2::1 ebgp-multihop 255
 neighbor 2001:10:10:2::1 update-source Loopback1
 no neighbor 2001:10:10:2::1 activate
 
 address-family ipv6 unicast
 
 network 2001:10:10:32::/64
 network 2001:10:10:33::/64
 network 2001:10:10:35::/64
 
 neighbor 2001:10:10:1::1 activate
 neighbor 2001:10:10:2::1 activate
 
 exit-address-family
!

RT1

router bgp 65001

 network 10.10.110.0/24
 
 neighbor 10.10.2.1 remote-as 65001 
 neighbor 10.10.2.1 update-source Loopback1
 neighbor 10.10.2.1 next-hop-self
 
 neighbor 10.10.5.1 remote-as 65002 
 neighbor 10.10.5.1 ebgp-multihop 255
 neighbor 10.10.5.1 update-source Loopback1
 
 neighbor 2001:10:10:2::1 remote-as 65001 
 neighbor 2001:10:10:2::1 update-source Loopback1
 no neighbor 2001:10:10:2::1 activate
 
 neighbor 2001:10:10:5::1 remote-as 65002 
 neighbor 2001:10:10:5::1 ebgp-multihop 255
 neighbor 2001:10:10:5::1 update-source Loopback1
 no neighbor 2001:10:10:5::1 activate

 address-family vpnv6
 neighbor 2001:10:10:5::1 activate
 neighbor 2001:10:10:5::1 send-community extended
 exit-address-family

!

RT2

router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.4.1 remote-as 65001 
 neighbor 10.10.4.1 ebgp-multihop 255
 neighbor 10.10.4.1 update-source Loopback1
 neighbor 2001:10:10:4::1 remote-as 65001 
 neighbor 2001:10:10:4::1 ebgp-multihop 255
 neighbor 2001:10:10:4::1 update-source Loopback1
 no neighbor 2001:10:10:4::1 activate

 address-family ipv6
 no synchronization
 neighbor 2001:10:10:4::1 activate
 exit-address-family

!
(3) IPv4 and IPv6 traffic between SW3's marketing segment and the marketing segments of SW1 and SW2 is preferentially forwarded over the SW3_SW1 link; IPv4 and IPv6 traffic between SW3's legal and HR segments and those of SW1 and SW2 is preferentially forwarded over the SW3_SW2 link, with the primary and backup links backing each other up. Use prefix-lists, route-maps and BGP path attributes for path selection, adding AS 65000.

SW3

ip prefix-list SW1-SW2-FWRL-IPv4 seq 5 permit 10.10.13.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 10 permit 10.10.23.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 15 permit 10.10.15.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 20 permit 10.10.25.1/24
ip prefix-list SW1-SW2-YX-IPv4 seq 5 permit 10.10.12.1/24
ip prefix-list SW1-SW2-YX-IPv4 seq 10 permit 10.10.22.1/24
ip prefix-list SW3-FWRL-IPv4 seq 5 permit 10.10.33.1/24
ip prefix-list SW3-FWRL-IPv4 seq 10 permit 10.10.35.1/24
ip prefix-list SW3-YX-IPv4 seq 5 permit 10.10.32.1/24
!
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 5 permit 2001:10:10:13::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 10 permit 2001:10:10:23::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 15 permit 2001:10:10:15::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 20 permit 2001:10:10:25::1/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 5 permit 2001:10:10:12::1/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 10 permit 2001:10:10:22::1/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 5 permit 2001:10:10:33::1/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 10 permit 2001:10:10:35::1/64
ipv6 prefix-list SW3-YX-IPv6 seq 5 permit 2001:10:10:32::1/64
!

route-map SW1-SW2-YX-IPv4 permit 10
 match ip address prefix-list SW1-SW2-YX-IPv4
 set ip next-hop 10.10.1.1
 set as-path prepend 65000
!
route-map SW1-SW2-YX-IPv4 permit 20
!
route-map SW1-SW2-FWRL-IPv4 permit 10
 match ip address prefix-list SW1-SW2-FWRL-IPv4
 set as-path prepend 65000
 set ip next-hop 10.10.2.1
!
route-map SW1-SW2-FWRL-IPv4 permit 20
!
route-map SW3-YX-IPv4 permit 10
 match ip address prefix-list SW3-YX-IPv4
 set as-path prepend 65000
 set ip next-hop 10.10.1.1
!
route-map SW3-YX-IPv4 permit 20
!
route-map SW3-FWRL-IPv4 permit 10
 match ip address prefix-list SW3-FWRL-IPv4
 set as-path prepend 65000
 set ip next-hop 10.10.2.1
!
route-map SW3-FWRL-IPv4 permit 20
! 
route-map SW1-SW2-YX-IPv6 permit 10
 match ipv6 address prefix-list SW1-SW2-YX-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:10:1::1
!
route-map SW1-SW2-YX-IPv6 permit 20
!
route-map SW1-SW2-FWRL-IPv6 permit 10
 match ipv6 address prefix-list SW1-SW2-FWRL-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:10:2::1
!
route-map SW1-SW2-FWRL-IPv6 permit 20
!
route-map SW3-YX-IPv6 permit 10
 match ipv6 address prefix-list SW3-YX-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:10:1::1
!
route-map SW3-YX-IPv6 permit 20
!
route-map SW3-FWRL-IPv6 permit 10
 match ipv6 address prefix-list SW3-FWRL-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:10:2::1
!
route-map SW3-FWRL-IPv6 permit 20
!
router bgp 65003

 neighbor 10.10.1.1 route-map SW1-SW2-FWRL-IPv4 in
 neighbor 10.10.1.1 route-map SW3-FWRL-IPv4 out

 neighbor 10.10.2.1 route-map SW1-SW2-YX-IPv4 in
 neighbor 10.10.2.1 route-map SW3-YX-IPv4 out

 address-family ipv6 unicast

 neighbor 2001:10:10:1::1 route-map SW1-SW2-FWRL-IPv6 in
 neighbor 2001:10:10:1::1 route-map SW3-FWRL-IPv6 out

 neighbor 2001:10:10:2::1 route-map SW1-SW2-YX-IPv6 in
 neighbor 2001:10:10:2::1 route-map SW3-YX-IPv6 out
 exit-address-family
 !
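
To see what the inbound route-maps above actually do to SW3's BGP table, here is a small simulation added as an example (it is not from the original post): it models exact-match prefix-list lookup, first-match route-map evaluation with the prepend and next-hop sets, and the shortest-AS_PATH decision, over a constructed set of UPDATEs from SW1 and SW2. Treating entries such as 10.10.13.1/24 as the network 10.10.13.0/24 is an assumption about how the switch normalizes host bits.

```python
import ipaddress

# IPv4 half of the SW3 policy above. Entries are normalized with strict=False,
# which is assumed to be how the switch treats '10.10.13.1/24' (host bits set).
PREFIX_LISTS = {
    "SW1-SW2-FWRL-IPv4": ["10.10.13.1/24", "10.10.23.1/24", "10.10.15.1/24", "10.10.25.1/24"],
    "SW1-SW2-YX-IPv4": ["10.10.12.1/24", "10.10.22.1/24"],
}

# Route-map clauses in sequence order; the empty clause is the bare 'permit 20'.
ROUTE_MAPS = {
    "SW1-SW2-FWRL-IPv4": [
        {"match": "SW1-SW2-FWRL-IPv4", "prepend": [65000], "next_hop": "10.10.2.1"},
        {},
    ],
    "SW1-SW2-YX-IPv4": [
        {"match": "SW1-SW2-YX-IPv4", "prepend": [65000], "next_hop": "10.10.1.1"},
        {},
    ],
}

# Inbound route-map per neighbour, from 'router bgp 65003' above.
INBOUND = {"10.10.1.1": "SW1-SW2-FWRL-IPv4", "10.10.2.1": "SW1-SW2-YX-IPv4"}

# Constructed UPDATEs as SW3 would see them: SW1 and SW2 are iBGP peers with
# next-hop-self, so each re-advertises the other's networks and SW3 hears every
# AS65001 prefix from both neighbours with the same AS_PATH.
RECEIVED = [
    (nbr, pfx, [65001])
    for nbr in INBOUND
    for pfx in ("10.10.12.0/24", "10.10.13.0/24", "10.10.15.0/24",
                "10.10.22.0/24", "10.10.23.0/24", "10.10.25.0/24")
]


def prefix_list_permits(name: str, prefix: str) -> bool:
    """Without ge/le a prefix-list entry matches only the exact network and length."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(ipaddress.ip_network(e, strict=False) == net for e in PREFIX_LISTS[name])


def apply_route_map(name: str, route: dict):
    """First matching clause wins; every clause here is a permit, so the only
    effect is the set actions. Falling off the end would be the implicit deny."""
    for clause in ROUTE_MAPS[name]:
        if "match" in clause and not prefix_list_permits(clause["match"], route["prefix"]):
            continue
        out = dict(route)
        out["as_path"] = clause.get("prepend", []) + route["as_path"]
        out["next_hop"] = clause.get("next_hop", route["next_hop"])
        return out
    return None


def select_routes(received) -> dict:
    """Return prefix -> candidate routes after inbound policy, best first.
    The decision reduces to AS_PATH length because the policy only prepends."""
    table = {}
    for neighbor, prefix, as_path in received:
        route = {"prefix": prefix, "learned_from": neighbor,
                 "next_hop": neighbor, "as_path": list(as_path)}
        accepted = apply_route_map(INBOUND[neighbor], route)
        if accepted is not None:
            table.setdefault(prefix, []).append(accepted)
    return {p: sorted(c, key=lambda r: len(r["as_path"])) for p, c in table.items()}


if __name__ == "__main__":
    for prefix, cands in select_routes(RECEIVED).items():
        best, backup = cands[0], cands[1:]
        print(f"{prefix}: best via {best['next_hop']} (from {best['learned_from']}, "
              f"AS_PATH {best['as_path']}), {len(backup)} backup path(s)")
```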

8. Using BGP MPLS VPN, run MPLS and LDP on the Ethernet link between RT1 and RT2. Create the finance VPN instance CW on RT1 and RT2; RT1's RD is 1:1, its export RT 1:2 and import RT 2:1; RT2's RD is 2:2. Establish the VPN neighbour between the two loopback1 addresses and provide IPv4 and IPv6 connectivity between the two loopback5 interfaces.

RT1

ipv6 vrf CW
 rd 1:1
 route-target import 2:1
 route-target export 1:2
!
mpls ip
mpls ldp router-id 10.10.4.1
!
ip vrf CW
 rd 1:1
 route-target export 1:2
 route-target import 2:1
!
interface Loopback1
 mpls ip encapsulate 
!
interface Loopback5
 ip vrf forwarding CW
 ip address 10.10.4.5 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:10:4::5/128
 ipv6 vrf forwarding CW
 mpls ip encapsulate 
!
interface GigaEthernet0/0
 mpls ip
 mpls ldp enable
!
router bgp 65001

 address-family vpnv4
 neighbor 10.10.5.1 activate
 neighbor 10.10.5.1 send-community extended
 exit-address-family
 
 address-family vpnv6
 neighbor 2001:10:10:5::1 activate
 neighbor 2001:10:10:5::1 send-community extended
 exit-address-family
 
 address-family ipv4 vrf CW
 no synchronization
 network 10.10.4.5/32
 exit-address-family
 
 address-family ipv6 vrf CW
 no synchronization
 network 2001:10:10:4::5/128
 exit-address-family
!

RT2

ipv6 vrf CW
 rd 2:2
 route-target import 1:2
 route-target export 2:1
!
mpls ip
mpls ldp router-id 10.10.5.1
!
ip vrf CW
 rd 2:2
 route-target export 2:1
 route-target import 1:2
!
interface Loopback1
 mpls ip encapsulate 
!
interface Loopback5
 ip vrf forwarding CW
 ip address 10.10.5.5 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:10:5::5/128
 ipv6 vrf forwarding CW
 mpls ip encapsulate 
!    
interface GigaEthernet0/0
 mpls ip
 mpls ldp enable
!
router bgp 65002

 address-family vpnv4
 neighbor 10.10.4.1 activate
 neighbor 10.10.4.1 send-community extended
 exit-address-family

 address-family vpnv6
 neighbor 2001:10:10:4::1 activate
 neighbor 2001:10:10:4::1 send-community extended
 exit-address-family
 
 address-family ipv4 vrf CW
 no synchronization
 network 10.10.5.5/32
 exit-address-family
 
 address-family ipv6 vrf CW
 no synchronization
 network 2001:10:10:5::5/128
 exit-address-family
!

5. Wireless configuration

1. AC1's loopback1 IPv4 and IPv6 addresses serve as AC1's IPv4 and IPv6 management addresses. APs register automatically at Layer 2 and use MAC address authentication. Configure two SSIDs, SKILLS-2.4G and SKILLS-5G. SKILLS-2.4G maps to vlan110, using network110 and radio1 (mode n-only-g); users joining this wireless network must use WPA-personal encryption with password Pass-1234. SKILLS-5G maps to vlan120, using network120 and radio2 (mode n-only-a), with no authentication and a hidden SSID; SKILLS-5G transmits the 5G signal on the last available VAP.

2. Configure DHCPv4 and DHCPv6 on AC1 to assign addresses to SW1's product segment 1 vlan10 and to the branch company's vlan100, vlan110 and vlan120. The IPv4 pools are named POOLv4-10, POOLv4-100, POOLv4-110 and POOLv4-120, and the IPv6 pools POOLv6-10, POOLv6-100, POOLv6-110 and POOLv6-120; IPv6 pools are expressed as network prefixes; exclude the gateway; the DNS servers are 114.114.114.114 and 2400:3200::1; reserve 10.10.11.9 and 2001:10:10:11::9 for PC1, 10.17.100.9 and 2001:10:17:100::9 for AP1, and 10.17.110.9 and 2001:10:17:110::9 for PC2. The relay address on SW1 is AC1's loopback1 address. Enable DHCPv4 and DHCPv6 snooping on SW1; if a DHCPv4 server is connected on E1/0/1, shut that port down with a recovery time of 1 minute.

3. When an AP comes online and the image version stored on the AC differs from the AP's image version, an automatic AP upgrade is triggered. The AP failure-state timeout and the detected-client state timeout are both 2 hours.

4. The MAC authentication mode is blacklist; the wireless client with MAC address 80-45-DD-77-CC-48 uses the global MAC authentication configuration.

5. For vlan110 wireless users during working hours (weekdays 09:00-17:00), limit Internet HTTPS traffic upstream and downstream to CIR 100Mbps, CBS 200Mbps and PBS 300Mbps, with exceed-action and violate-action both drop. The time range, access list, class map and policy map are all named SKILLS.

6. Enable the AP multicast/broadcast burst limit; when the AP receives an erroneous frame it no longer sends an ACK; the interval between the frames the AP sends to announce its presence to wireless clients is 1 second.

7. AP transmit power is 80%.

AC1

ip dhcp excluded-address 10.10.11.1
!
ip dhcp pool POOLv4-10
 network-address 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
 dns-server 114.114.114.114
!
ip dhcp pool POOLv4-100
 network-address 10.17.100.0 255.255.255.0
 default-router 10.17.100.1
 dns-server 114.114.114.114
!
ip dhcp pool POOLv4-110
 network-address 10.17.110.0 255.255.255.0
 default-router 10.17.110.1
 dns-server 114.114.114.114
!
ip dhcp pool POOLv4-120
 network-address 10.17.120.0 255.255.255.0
 default-router 10.17.120.1
 dns-server 114.114.114.114
!
ip dhcp pool AP1
 host 10.17.100.9 255.255.255.0
 hardware-address 00-03-0F-D9-CD-C0
!
ip dhcp pool PC1
 host 10.10.11.9 255.255.255.0
 hardware-address 98-0E-24-AB-83-F1
!
ip dhcp pool PC2
 host 10.17.110.9 255.255.255.0
 hardware-address C0-18-03-BB-9F-94
!
service dhcpv6
!
ipv6 dhcp pool POOLv6-120
 network-address 2001:10:17:120::1 64
 excluded-address 2001:10:17:120::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-110
 network-address 2001:10:17:110::1 64
 static-binding 2001:10:17:110::9 c0-18-03-bb-9f-94
 excluded-address 2001:10:17:110::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-100
 network-address 2001:10:17:100::1 64
 static-binding 2001:10:17:100::9 00-03-0f-d9-cd-c0
 excluded-address 2001:10:17:100::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-10
 network-address 2001:10:10:11::1 64
 static-binding 2001:10:10:11::9 98-0e-24-ab-83-f1
 excluded-address 2001:10:10:11::1
 dns-server 2400:3200::1
!

SW1

service dhcp
!
ip forward-protocol udp bootps
!
ip dhcp snooping enable
!
service dhcpv6
!
savi enable
 savi ipv6 dhcp-only enable
!
interface Vlan10
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 router ospf area 0 tag 1
 ip helper-address 10.10.8.1
 ipv6 dhcp relay destination 2001:10:10:8::1
!

AC1

no login
wireless
 auto-ip-assign
 agetime ap-failure 2
 agetime detected-clients 2
 ap authentication mac
 discovery ip-list 10.17.100.1
 discovery ipv6-list 2001:10:17:100::1
 discovery vlan-list 100
 mac-authentication-mode black-list
 static-ip  10.10.8.1
 static-ipv6  2001:10:10:8::1
 ap-online-upgrade enable
 known-client 80-45-dd-77-cc-48 action global-action
 network 1
  device-finger enable
!
 network 2
!
 network 3
!
 network 4
!
 network 5
!
 network 6
!
 network 7
!
 network 8
!
 network 9
!
 network 10
!
 network 11
!
 network 12
!
 network 13
!
 network 14
!
 network 15
!
 network 16
!
 network 110
  client-qos diffserv-policy down SKILLS
  client-qos diffserv-policy up SKILLS
  security mode wpa-personal
  ssid SKILLS-2.4G
  wpa key encrypted 952e9c6cfa72cc8d02f8b364fdab8779d77cdf39d6fa53c28b54864ae33979b35eae21937a18415e98e1695298cbade6010e5cd68c266c965f576b497c5f2130
!
 network 120
  hide-ssid
  ssid SKILLS-5G
!         
 ap load-balance template 1
!
 ap air-match template 1
  air-match load-balance session
  air-match load-balance session 2
!
 ap profile 1
  channel-plan an time 05:00
  channel-plan bgn time 05:00
  air-match template 1
  radio 1
   mode n-only-g
   beacon-interval 1000
   power default 80
   incorrect-frame-no-ack
   vap 0
    network 110
!
!
  radio 2
   mode n-only-a
   beacon-interval 1000
   power default 80
   incorrect-frame-no-ack
   vap 0
!
   vap 15
    enable
    network 120
!
!
  radio 3
   vap 0
!
!
!
 ap database 00-03-0f-d9-cd-c0
!
!
captive-portal
!

After finishing, remember to apply the profile to the AP.

6. Security configuration

1. Configure IPv4 NAT on FW1 so that the group's product segment 1 IPv4 can reach the Internet over IPv4, translating to 200.200.200.160/28 and ensuring that all sessions from one source IP are mapped to the same fixed IP address; when traffic matches this translation rule, generate a log and send the matching logs to 10.10.11.99 on UDP port 514, recording the hostname, distributed in plaintext round-robin; enable the relevant feature to extend the network address and port resources available after NAT translation.

[FW1 NAT settings shown as GUI screenshots in the original post]

2. Configure NAT64 on FW1 so that the group's product segment 1 IPv6 can reach the Internet over IPv4, translating to the outbound interface IP; the IPv4-to-IPv6 address prefix is 64:ff9b::/96.

[FW1 NAT64 settings shown as a GUI screenshot in the original post]

3. The default policy action on FW1 and FW2 is deny; FW1 allows the group's product segment 1 IPv4 and IPv6 to access any service on the Internet.

[FW1 policy shown as a GUI screenshot in the original post]

4. FW2 allows the branch office product IPv4 to access the group's product segment 1 HTTPS service, and allows the group's product segment 1 and the branch company's product to access the branch office product IPv4, FW2's loopback1 IPv4 and the SW3 branch office loopback2 IPv4.

[FW2 policy shown as a GUI screenshot in the original post]

5. Establish a GRE over IPsec VPN between FW1 and RT2 using the Internet interconnect addresses, providing encrypted access between the loopback4 interfaces.

SW3

ip route vrf Internet 0.0.0.0/0 200.200.200.2
ip route vrf Internet 0.0.0.0/0 200.200.200.6
!

RT2

ip route default 200.200.200.5
ip route 10.10.6.4 255.255.255.255 10.10.255.49
(the next hop 10.10.255.49 is the peer's tunnel address)
!
ip access-list extended ACL-VPN
 permit gre 200.200.200.6 255.255.255.252 200.200.200.2 255.255.255.252 sequence 10
!
crypto isakmp key 0 Pass-1234 address 200.200.200.2 255.255.255.252 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 lifetime 4000
!
crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 mode transport
!
crypto map MAP-1 10 ipsec-isakmp
 match address ACL-VPN
 set peer 200.200.200.2
 set transform-set SET-1
!
interface GigaEthernet0/3
 crypto map MAP-1
!

FW1

[FW1 IPsec and GRE tunnel settings shown as GUI screenshots in the original post]

tunnel gre "GRE-1"
  source 200.200.200.2
  destination 200.200.200.6
  interface ethernet0/3
  next-tunnel ipsec IPSEC-1
exit
ip vrouter "trust-vr"
  ip route 0.0.0.0/0 200.200.200.1
  ip route 10.10.5.4/32 10.10.255.50
  exit
  interface tunnel4
  zone  "VPNHub"
  ip address 10.10.255.49 255.255.255.252
  manage ping
  tunnel gre "GRE-1" gw 10.10.255.50
  (the gw 10.10.255.50 is the peer's tunnel address)
exit

6. Configure SSL VPN on FW1, named VPNSSL, using SSL protocol version 1.2; Internet users connect on port 8888; the local authentication account is UserSSL with password Pass-1234; the address pool is named POOLSSL with range 10.18.0.100/24-10.18.0.199/24. Keep PC1 in place and test with PC1.

FW1

[FW1 SSL VPN settings shown as GUI screenshots in the original post]

The password displayed there is the encrypted form.

[further SSL VPN settings shown as GUI screenshots in the original post]

Verification:

1. Open https://200.200.200.2:8888 in a browser.

[login page and connection result shown as screenshots in the original post]

Reposted from blog.csdn.net/Iustinianu/article/details/142070248