H3C Comprehensive Lab Report
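H3C_NE Comprehensive Lab
【Lab Name】
H3CNE Comprehensive Lab
【Lab Objective】
In a lab environment, build a simulated network modelled on a real deployment and carry out a comprehensive set of exercises, in order to learn how to plan and implement networks for large enterprises and campuses.
【Lab Topology】
【Functions to Implement】
1. Interconnect the network devices according to the topology and configure the basic device information as required.
2. Use PPP encapsulation between Device-2 and Device-1 and, to secure the WAN link, enable bidirectional CHAP authentication.
3. Use Frame Relay encapsulation between Device-3 and Device-1, with subinterfaces of type PTMP and static FR mappings; Device-3 uses PVC 301 and Device-1 uses PVC 103.
4. Company A's internal network runs RIP. To keep RIP operating securely, enable RIP MD5 authentication on the internal network with the password riph3c.
5. The critical services 30.1.1.1 and 30.1.1.2 on Device-3 must be advertised into the internal network as specific routes; at the same time, the internal network must be optimized to reduce the load on the routers.
6. Device-1 connects to the external network. The IP address of interface s1/0 must not be advertised into RIP; use a default route to reach the external network.
7. Besides the public IP address on s1/0 of Device-1, one additional public address, 100.1.1.1, has been allocated as the translated public address for NAT.
8. In line with company policy and business needs, only the 2.2.2.1 service on Device-2 and the critical services 30.1.1.1 and 30.1.1.2 on Device-3 may access the 200.1.1.1 service on Device-5 on the Internet.
9. To simplify future maintenance of the internal network, enable the remote login service on all routers in the internal network and configure login users at the management level and at the access level.
10. Company A's internal network must not be able to test connectivity to the 4.4.4.1 and 4.4.4.2 services on Device-4, and the external network must not be able to test Company A's internal network.
【Lab Steps】
1. Interconnect the network devices according to the topology and configure the basic device information as required.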
Device-1:
system-view
sysname Device-1
interface s1/0
ip address 192.168.1.1 255.255.255.252
undo shutdown
quit
interface s1/1
ip address 192.168.1.5 255.255.255.252
undo shutdown
quit
interface s1/2
ip address 192.168.1.9 255.255.255.252
undo shutdown
quit
interface loopback1
ip address 1.1.1.1 255.255.255.255
undo shutdown
quit
Device-2:
system-view
sysname Device-2
interface s0/1
ip address 192.168.1.6 255.255.255.252
undo shutdown
quit
interface loopback1
ip address 2.2.2.1 255.255.255.255
undo shutdown
quit
Device-3:
system-view
sysname Device-3
interface s1/2
ip address 192.168.1.10 255.255.255.252
undo shutdown
interface loopback1
ip address 3.3.3.1 255.255.255.255
undo shutdown
quit
interface loopback2
ip address 3.3.3.2 255.255.255.255
undo shutdown
quit
interface loopback3
ip address 30.1.1.1 255.255.255.255
undo shutdown
quit
interface loopback4
ip address 30.1.1.2 255.255.255.255
undo shutdown
quit
Device-4:
system-view
sysname Device-4
interface s0/0
ip address 192.168.1.2 255.255.255.252
undo shutdown
quit
interface f0/0
ip address 192.168.1.13 255.255.255.252
undo shutdown
quit
interface loopback1
ip address 4.4.4.1 255.255.255.255
undo shutdown
quit
interface loopback2
ip address 4.4.4.2 255.255.255.255
undo shutdown
quit
Device-5:
system-view
sysname Device-5
interface f1/0
ip address 192.168.1.14 255.255.255.252
undo shutdown
interface loopback1
ip address 200.1.1.1 255.255.255.0
undo shutdown
quit
2. Use PPP encapsulation between Device-2 and Device-1 and, to secure the WAN link, enable bidirectional CHAP authentication.
Device-2:
[Device-2]local-user Device-1
[Device-2-luser-Device-1]password simple pwdpwd
[Device-2-luser-Device-1]service-type ppp
[Device-2-luser-Device-1]quit
[Device-2] interface Serial0/1
[Device-2-Serial0/1]ppp authentication-mode chap
Device-1:
[Device-1-Serial1/1]ppp chap user Device-1
[Device-1-Serial1/1]ppp chap password simple pwdpwd
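Added example (not part of the original report): the CHAP exchange defined in RFC 1994, run in both directions as bidirectional authentication requires. The class and function names are illustrative assumptions; the device names and the secret pwdpwd are taken from the lab configuration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapEndpoint:
    """One end of the PPP link; acts as authenticator and as authenticated peer."""

    def __init__(self, name: str, users: dict, secret: bytes):
        self.name = name        # name sent in our responses
        self.users = users      # peer name -> shared secret (local user database)
        self.secret = secret    # secret used when answering a challenge
        self._pending = {}      # identifier -> outstanding challenge

    def challenge(self):
        ident, value = os.urandom(1)[0], os.urandom(16)
        self._pending[ident] = value
        return ident, value

    def respond(self, ident, value):
        return ident, self.name, chap_response(ident, self.secret, value)

    def verify(self, ident, peer_name, response):
        value = self._pending.pop(ident, None)   # single use, so a replay fails
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)

def mutual_chap(a: ChapEndpoint, b: ChapEndpoint) -> bool:
    """Both directions must succeed; the secret itself never crosses the link."""
    a_accepts_b = a.verify(*b.respond(*a.challenge()))
    b_accepts_a = b.verify(*a.respond(*b.challenge()))
    return a_accepts_b and b_accepts_a

# Constructed endpoints using the names and secret from the lab configuration.
SECRET = b"pwdpwd"
dev1 = ChapEndpoint("Device-1", {"Device-2": SECRET}, SECRET)
dev2 = ChapEndpoint("Device-2", {"Device-1": SECRET}, SECRET)

if __name__ == "__main__":
    print("mutual CHAP succeeded:", mutual_chap(dev1, dev2))
```

The name a peer sends must match an entry in the authenticator's local user database, otherwise that direction fails even when the secret is correct.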
3. Use Frame Relay encapsulation between Device-3 and Device-1, with subinterfaces of type PTMP and static FR mappings; Device-3 uses PVC 301 and Device-1 uses PVC 103.
Device-3:
[Device-3]interface s1/2
[Device-3-Serial1/2]link-protocol frame-relay ietf
[Device-3-Serial1/2]fr interface-type dte
[Device-3-Serial1/2]fr lmi type Q933a
[Device-3-Serial1/2]fr map ip 192.168.1.9 301
Device-1:
[Device-1]interface s1/2
[Device-1-Serial1/2]link-protocol frame-relay ietf
[Device-1-Serial1/2]fr interface-type dte
[Device-1-Serial1/2]fr lmi type Q933a
[Device-1-Serial1/2]fr map ip 192.168.1.10 103
4. Company A's internal network runs RIP. To keep RIP operating securely, enable RIP MD5 authentication on the internal network with the password riph3c.
Device-1:
[Device-1]rip
[Device-1-rip-1]version 2
[Device-1-rip-1]undo summary
[Device-1-rip-1]network 192.168.1.0
[Device-1-rip-1]network 1.0.0.0
[Device-1-rip-1]quit
[Device-1]interface s1/1
[Device-1-Serial1/1]rip authentication-mode md5 riph3c
[Device-1-Serial1/1]quit
[Device-1]interface s1/2
[Device-1-Serial1/2]rip authentication-mode md5 riph3c
[Device-1-Serial1/2]quit
Device-2:
[Device-2]rip
[Device-2-rip-1]version 2
[Device-2-rip-1]undo summary
[Device-2-rip-1]network 192.168.1.0
[Device-2-rip-1]network 1.0.0.0
[Device-2-rip-1]quit
[Device-2]interface s0/1
[Device-2-Serial0/1]rip authentication-mode md5 riph3c
[Device-2-Serial0/1]quit
Device-3:
[Device-3]rip
[Device-3-rip-1]version 2
[Device-3-rip-1]undo summary
[Device-3-rip-1]network 192.168.1.0
[Device-3-rip-1]network 3.0.0.0
[Device-3-rip-1]network 30.0.0.0
[Device-3-rip-1]quit
[Device-3]interface s1/2
[Device-3-Serial1/2]rip authentication-mode md5 riph3c
[Device-3-Serial1/2]quit
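5. The critical services 30.1.1.1 and 30.1.1.2 on Device-3 must be advertised into the internal network as specific routes; at the same time, the internal network must be optimized to reduce the load on the routers.
Device-3:
[Device-3]ip route-static 30.1.1.1 255.255.255.255 s0/0
[Device-3]ip route-static 30.1.1.2 255.255.255.255 s0/0
Device-4:
[Device-4]ip route-static 0.0.0.0 0.0.0.0 s0/0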
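6. Device-1 connects to the external network. The IP address of interface s1/0 must not be advertised into RIP; use a default route to reach the external network.
Device-1:
[Device-1]ip route-static 0.0.0.0 0.0.0.0 s1/0
Device-4:
[Device-4]ip route-static 0.0.0.0 0.0.0.0 s0/0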
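7. Besides the public IP address on s1/0 of Device-1, one additional public address, 100.1.1.1, has been allocated as the translated public address for NAT.
Device-1:
[Device-1]acl number 2000
[Device-1-basic-2000]rule 0 permit source 192.168.1.0 0.0.0.255
[Device-1-basic-2000]quit
[Device-1]nat address-group 1 100.1.1.1 100.1.1.1
[Device-1]interface s1/0
[Device-1-Serial1/0]nat outbound 2000 address-group 1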
8. In line with company policy and business needs, only the 2.2.2.1 service on Device-2 and the critical services 30.1.1.1 and 30.1.1.2 on Device-3 may access the 200.1.1.1 service on Device-5 on the Internet.
[Device-5]firewall enable
[Device-5]firewall default permit
[Device-5]acl number 3002
[Device-5-acl-adv-3002]rule permit tcp source 200.1.1.1 0.0.0.0 destination 2.2.2.1 0.0.0.0
[Device-5]interface f1/0
[Device-5-FastEthernet1/0]firewall packet-filter 3002 inbound
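Added example (not part of the original report): a simplified first-match model of a packet filter, showing how the default action decides the fate of traffic that no ACL rule matches when implementing requirement 8. The rule sets and probe addresses are constructed, and the model assumes the filter sees the original (untranslated) source addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form

def evaluate(rules, default_action, src, dst):
    """Return the action of the first matching rule, else the default action.

    default_action models the `firewall default permit|deny` setting.
    """
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)):
            return rule.action
    return default_action

SERVICE = "200.1.1.1/32"
ALLOWED = ["2.2.2.1", "30.1.1.1", "30.1.1.2"]   # sources named in requirement 8
# Constructed probes: the three allowed hosts plus two that must be blocked.
PROBES = ALLOWED + ["3.3.3.1", "1.1.1.1"]

# An ACL containing only permit rules, and the same ACL closed by a deny rule.
permit_only = [Rule("permit", f"{host}/32", SERVICE) for host in ALLOWED]
explicit_deny = permit_only + [Rule("deny", "0.0.0.0/0", SERVICE)]

def reachable(rules, default_action):
    """Probe sources that the filter lets through to 200.1.1.1."""
    return [s for s in PROBES
            if evaluate(rules, default_action, s, "200.1.1.1") == "permit"]

if __name__ == "__main__":
    print("permit-only ACL, default permit:", reachable(permit_only, "permit"))
    print("permit-only ACL, default deny:  ", reachable(permit_only, "deny"))
    print("explicit deny,   default permit:", reachable(explicit_deny, "permit"))
```

With a permit-only ACL and a default action of permit, every probe reaches the service; the restriction takes effect only with a default action of deny or an explicit closing deny rule.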
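9. To simplify future maintenance of the internal network, enable the remote login service on all routers in the internal network and configure login users at the management level and at the access level.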
Device-1:
[Device-1] local-user admin password simple admin
[Device-1] local-user admin service-type telnet
[Device-1] local-user admin level 3
[Device-1]user-interface vty 0 4
[Device-1-ui-vty0-4]authentication-mode local
[Device-1]super password level 3 simple super
[Device-1]user-interface vty 0 4
[Device-1-ui-vty0-4]user privilege level 1
[Device-1-ui-vty0-4]set authentication password simple abc
10. Company A's internal network must not be able to test connectivity to the 4.4.4.1 and 4.4.4.2 services on Device-4, and the external network must not be able to test Company A's internal network.
Device-1:
[Device-1]acl 101
[Device-1-basic-101]rule deny icmp source any destination 4.4.4.0 icmp-type echo
[Device-1-basic-101]rule deny icmp source any destination 4.4.4.0 icmp-type echo-reply
[Device-1-basic-101]rule deny source any destination any
[Device-1]acl 102
[Device-1-basic-102]rule deny icmp source any destination any icmp-type echo
[Device-1-basic-102]rule deny icmp source any destination any icmp-type echo-reply
[Device-1-basic-102]rule deny source any destination any