- 微信
- 微博
  
  分享文章到微博
- 复制链接
  
  复制链接到剪贴板

ensp实验

无敌小戴发表于 2021/10/12 17:52:51 2021/10/12

【摘要】实验一：IP地址和网关交换机配置实验二：配置静态路由命令配置：R3与pc1之间互联R4与pc2之间的互联路由与路由之间互通R3R4最后验证实验三：动态路由配置R5路由R6路由验证实验四：Ospf使用（跨区域）详细配置看视频：https://www.bilibili.com/video/BV1M64y1r7rq?p=9&spm_id_from=pageDriver拓扑结构R3R4实验完成综合性...

实验一：

IP地址和网关

交换机配置

实验二：

配置静态路由

命令配置：

R3与pc1之间互联

R4与pc2之间的互联

路由与路由之间互通

最后验证

实验三：

动态路由配置

R5路由

R6路由

验证

实验四：

Ospf使用（跨区域）

详细配置看视频：

https://www.bilibili.com/video/BV1M64y1r7rq?p=9&spm_id_from=pageDriver

拓扑结构

实验完成

综合性案例可参考：

G:\华为认证（HCIA HCIP HCIE）\路由交换机案例\15网络工程组网的设计与实现实训课程

《ospf多区域互通-华为》

拓扑图讲解：
如图所示。绿色区域为OSPF骨干区域（区域0），蓝色区域/×××区域为普通区域。

在NSSA区域与骨干区域中间有两台“区域边界路由器（ABR）
名词讲解：
骨干区域：每个OSPF网络中，至少有1个骨干区域。它是OSPF网络中的“核心部分”。用于连接非骨干区域。（特殊情况除外：虚链路等）
普通区域：非骨干区域/非特殊区域的区域就叫做普通区域。

实验名称：OSPF多区域互通实验
实验目的：
1配置路由器物理接口/回环接口的IP地址，子网掩码。
2通过OSPF并对其接口进行区域宣告，最终实现AR4可以PING通AR5

IP地址规划：

AR1（区域边界路由器）

	接口	IP地址	子网掩码
g0/0/0	192.168.12.1	255.255.255.0
g0/0/2	192.168.41.1	255.255.255.0
loopback0	10.10.1.1	255.255.255.0

AR2

	接口	IP地址	子网掩码
g0/0/0	192.168.12.2	255.255.255.0
g0/0/1	192.168.23.1	255.255.255.0
g0/0/2	192.168.62.1	255.255.255.0
loopback0	10.10.2.2	255.255.255.0

AR3

	接口	IP地址	子网掩码
g0/0/1	192.168.23.2	255.255.255.0
g0/0/2	192.168.53.1	255.255.255.0
loopback0	10.10.3.3	255.255.255.0

AR4

	接口	IP地址	子网掩码
g0/0/1	192.168.64.2	255.255.255.0
g0/0/2	192.168.41.2	255.255.255.0
loopback0	10.10.4.4	255.255.255.0

AR5

	接口	IP地址	子网掩码
g0/0/2	192.168.53.2	255.255.255.0
loopback0	10.10.5.5	255.255.255.0

AR6（区域边界路由器）

	接口	IP地址	子网掩码
g0/0/1	192.168.64.1	255.255.255.0
g0/0/2	192.168.62.2	255.255.255.0
loopback0	10.10.6.6	255.255.255.0

配置思路：

一-配置所有路由器的IP地址，回环接口。并确保邻近路由器直连链路可以实现互通

二-划分OSPF区域：

	区域名称	区域类型	设备
区域0	骨干区域	AR1:g0/0/0
区域0	骨干区域	AR2
区域0	骨干区域	AR3:g0/0/1
区域0	骨干区域	AR6:g0/0/2
区域53	普通区域	AR5
区域53	普通区域	AR3:g0/0/2
区域41	特殊区域：NSSA	AR1:g0/0/2
区域41	特殊区域：NSSA	AR6:g0/0/1
区域41	特殊区域：NSSA	AR4

三-验证OSPF多区域互通性
四-区域41开启NSSA
五-AR4/AR5上分别开启默认路由功能
六-观察AR1/AR6两台ABR（区域边界路由器）的角色状态
七-通过更改AR1/AR6 OSPF的RID，以此观察其角色状态变化

实验五

单臂路由

LWS1（交换机）

<Huawei>undo terminal monitor ##清除多余信息

Info: Current terminal monitor is off.

<Huawei>sys ##进入界面

Enter system view, return user view with Ctrl+Z.

[Huawei]vlan batch 10 20 30 ##批量添加vlan网段

Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei]int g0/0/2 ##进入网口

[Huawei-GigabitEthernet0/0/2]port link-type access

[Huawei-GigabitEthernet0/0/2]port default vlan 10

[Huawei-GigabitEthernet0/0/2]

[Huawei-GigabitEthernet0/0/2]int g0/0/3

[Huawei-GigabitEthernet0/0/3]port link-type access

[Huawei-GigabitEthernet0/0/3]port default vlan 20

[Huawei-GigabitEthernet0/0/3]

[Huawei-GigabitEthernet0/0/3]int g0/0/4

[Huawei-GigabitEthernet0/0/4]port link-type access

[Huawei-GigabitEthernet0/0/4]por

[Huawei-GigabitEthernet0/0/4]port de

[Huawei-GigabitEthernet0/0/4]port default vlan 30

[Huawei-GigabitEthernet0/0/4]

[Huawei-GigabitEthernet0/0/4]int g0/0/1

[Huawei-GigabitEthernet0/0/1]port link-type tr

[Huawei-GigabitEthernet0/0/1]port link-type trunk

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

R5（路由器）

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]int g0/0/1.1

[Huawei-GigabitEthernet0/0/1.1]ip ad

[Huawei-GigabitEthernet0/0/1.1]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1.1]dot1q termination vid 10

[Huawei-GigabitEthernet0/0/1.1]q

[Huawei] ##错误

[Huawei]int g0/0/1.1

[Huawei-GigabitEthernet0/0/1.1]undo ip address 192.168.2.254 24 ##删除错误IP

[Huawei-GigabitEthernet0/0/1.1]ip address 192.168.1.254 24 ##重新添加

[Huawei-GigabitEthernet0/0/1.1]

[Huawei-GigabitEthernet0/0/1.1]dot1q termination vid 10 ##封装

Error: Failed to configure the interface because the VLAN has been configured on

interface GigabitEthernet0/0/1.1. ##修改

[Huawei-GigabitEthernet0/0/1.1]int g0/0/1.2

[Huawei-GigabitEthernet0/0/1.2]ip ad

[Huawei-GigabitEthernet0/0/1.2]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1.2]dot1q termination vid 20

[Huawei-GigabitEthernet0/0/1.2]

[Huawei-GigabitEthernet0/0/1.2]int g0/0/1.3

[Huawei-GigabitEthernet0/0/1.3]

[Huawei-GigabitEthernet0/0/1.3]ip ad

[Huawei-GigabitEthernet0/0/1.3]ip address 192.168.3.254 24

[Huawei-GigabitEthernet0/0/1.3]dot1q termination vid 30

[Huawei-GigabitEthernet0/0/1.3]arp broadcast enable ##开启设备

[Huawei-GigabitEthernet0/0/1.3]

[Huawei-GigabitEthernet0/0/1.3]int g0/0/1.2

[Huawei-GigabitEthernet0/0/1.2]

[Huawei-GigabitEthernet0/0/1.2]arp broadcast enable

[Huawei-GigabitEthernet0/0/1.2]

[Huawei-GigabitEthernet0/0/1.2]int g0/0/1.1

[Huawei-GigabitEthernet0/0/1.1]arp broadcast enable

PC机IP规划

最后验证（三台PC互ping）：

实验六

Telnet：

1、 密码模式

设置密码

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]user-interface console 0 ##进入console 0接口

[Huawei-ui-console0]authentication-mode password ##设置为简单密码模式

[Huawei-ui-console0]

[Huawei-ui-console0]set authentication password cipher 123 ##设置密码

[Huawei-ui-console0]

[Huawei-ui-console0]user privilege level 3 ##密文用户级别为3

[Huawei-ui-console0]q ##退出

[Huawei]q

<Huawei>q User interface con0 is available

Please Press ENTER.

Password: ##需要输入密码才能登陆了

2、 Telnet模式

<Huawei>undo ter

<Huawei>undo terminal mo

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]q

[Huawei]

[Huawei]user-interface vty 0 4

[Huawei-ui-vty0-4]authentication-mode password

Please configure the login password (maximum length 16):123456

[Huawei-ui-vty0-4]user privilege level 3

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]q

[Huawei]q

<Huawei>telnet 192.168.1.1

Press CTRL_] to quit telnet mode

Trying 192.168.1.1 ...

Connected to 192.168.1.1 ...

实验七：

DHCP模式

Sep 26 2021 10:03:41-08:00 Huawei %%01IFPDT/4/IF_STATE(l)[0]:Interface GigabitEt

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]dhc

[Huawei]dhcp en

[Huawei]dhcp enable

Info: The operation may take a few seconds. Please wait for a moment.done.

[Huawei]ip pool 1

Info: It's successful to create an IP address pool.

[Huawei-ip-pool-1]network 192.168.1.0 mask 255.255.255.0

[Huawei-ip-pool-1]gateway-list 192.168.1.1

[Huawei-ip-pool-1]excluded-ip-address 192.168.1.2 192.168.1.253

[Huawei-ip-pool-1]dns-list 8.8.8.8

[Huawei-ip-pool-1]q

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]dhcp select global

[Huawei-GigabitEthernet0/0/0]

详细视频看：https://www.bilibili.com/video/BV1M64y1r7rq?p=14&spm_id_from=pageDriver

实验八：

链路聚合

LSW1

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int Eth-Trunk 1

[Huawei-Eth-Trunk1]mode manual load-balance

[Huawei-Eth-Trunk1]q

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]eth-trunk 1

Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei-GigabitEthernet0/0/1]int g0/0/2

[Huawei-GigabitEthernet0/0/2]eth-trunk 1

Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei-GigabitEthernet0/0/2]

[Huawei-GigabitEthernet0/0/2]q

[Huawei]dis eth-trunk 1

Eth-Trunk1's state information is:

WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP

Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8

Operate status: up Number Of Up Port In Trunk: 2

--------------------------------------------------------------------------------

PortName Status Weight

GigabitEthernet0/0/1 Up 1

GigabitEthernet0/0/2 Up 1

[Huawei]

LSW2

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int Eth-Trunk 1

[Huawei-Eth-Trunk1]mode manual load-balance

[Huawei-Eth-Trunk1]q

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]eth-trunk 1

Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei-GigabitEthernet0/0/1]int g0/0/2

[Huawei-GigabitEthernet0/0/2]eth-trunk 1

Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei-GigabitEthernet0/0/2]

实验九：

RIP使用

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.254 24

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 192.168.4.1 24

[Huawei-GigabitEthernet0/0/1]

[Huawei-GigabitEthernet0/0/1]ip rou

[Huawei-GigabitEthernet0/0/1]q

[Huawei]

[Huawei]dis ip routing-table

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0

127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

192.168.1.0/24 Direct 0 0 D 192.168.1.254 GigabitEthernet

0/0/0

192.168.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet

0/0/0

192.168.4.0/24 Direct 0 0 D 192.168.4.1 GigabitEthernet

0/0/1

192.168.4.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet

0/0/1

[Huawei]rip

[Huawei-rip-1]network 192.168.1.0

[Huawei-rip-1]network 192.168.4.0

[Huawei-rip-1]

The device is running!

<Huawei>undo

<Huawei>undo ter

<Huawei>undo terminal mo

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 192.168.4.2 24

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1]

[Huawei-GigabitEthernet0/0/1]int g0/0/2

[Huawei-GigabitEthernet0/0/2]

[Huawei-GigabitEthernet0/0/2]ip address 192.168.5.2 24

[Huawei-GigabitEthernet0/0/2]

[Huawei-GigabitEthernet0/0/2]rip

[Huawei-rip-1]network 192.168.2.0

[Huawei-rip-1]network 192.168.4.0

[Huawei-rip-1]network 192.168.5.0

[Huawei-rip-1]

The device is running!

<Huawei>und

<Huawei>undo ter

<Huawei>undo terminal mo

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 192.168.5.3 24

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]int g0/0/1

[Huawei-GigabitEthernet0/0/1]

[Huawei-GigabitEthernet0/0/1]ip address 192.168.3.254 24

[Huawei-GigabitEthernet0/0/1]

[Huawei-GigabitEthernet0/0/1]rip

[Huawei-rip-1]network 192.168.3.0

[Huawei-rip-1]network 192.168.5.0

验证

实验十：

Vlan模式

PC规划看上图：

三层交换机：S3700

LSW1

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>int eth0/0/1

Error: Unrecognized command found at '^' position.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int eth0/0/1

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]vlan 10

[Huawei-vlan10]vlan 20 ##先定义

[Huawei-vlan20]int eth0/0/1

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]port default vlan 10

[Huawei-Ethernet0/0/1]

[Huawei-Ethernet0/0/1]int eth0/0/2

[Huawei-Ethernet0/0/2]

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]

[Huawei-Ethernet0/0/2]port default vlan 20

[Huawei-Ethernet0/0/2]int eth0/0/3

[Huawei-Ethernet0/0/3]

[Huawei-Ethernet0/0/3]port link-type trunk

[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 10 20

LSW2

<Huawei>undo terminal monitor

Info: Current terminal monitor is off.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]vlan 10

[Huawei-vlan10]vlan 20

[Huawei-vlan20]int eth0/0/1

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]port default vlan 10

[Huawei-Ethernet0/0/1]

[Huawei-Ethernet0/0/1]int eth0/0/2

[Huawei-Ethernet0/0/2]

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]

[Huawei-Ethernet0/0/2]port default vlan 20

[Huawei-Ethernet0/0/2]

[Huawei-Ethernet0/0/2]int eth0/0/3

[Huawei-Ethernet0/0/3]

[Huawei-Ethernet0/0/3]port link-type trunk

[Huawei-Ethernet0/0/3]

[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 10 20

验证：

实验十一：

综合性实验

详细参考：G:\华为认证（HCIA HCIP HCIE）\路由交换机案例\14基于华为仿真平台eNSP的网络课程教学改革\实验案例\实验手册\实验课11综合实验

拓扑表：

设备名称	接口	IP地址	VLAN ID	备注
SW3	GE0/0/1	-	10	连接PC1的接口
	GE0/0/2	-	20	连接PC2的接口
	GE0/0/21	-	Trunk	连接SW1的接口
	GE0/0/22	-	Trunk	连接SW2的接口
SW1	GE0/0/21	-	Trunk	连接SW3的接口
	GE0/0/23	-	Trunk	连接SW2的接口（Eth-trunk）
	GE0/0/24	-	Trunk	连接SW2的接口（Eth-trunk）
	GE0/0/20	-	Trunk	连接防火墙FW1的接口
SW2	GE0/0/22	-	Trunk	连接SW3的接口
	GE0/0/23	-	Trunk	连接SW1的接口（Eth-trunk）
	GE0/0/24	-	Trunk	连接SW1的接口（Eth-trunk）
	GE0/0/20	-	Trunk	连接防火墙FW1的接口
FW1	GE0/0/1.10	192.168.10.3/24	-	子接口，对应vlan10
	GE0/0/1.10	192.168.10.1/24	-	VRRP组1的虚拟IP地址
	GE0/0/1.20	192.168.20.3/24	-	子接口，对应vlan20
	GE0/0/1.20	192.168.20.1/24	-	VRRP组2的虚拟IP地址
	GE0/0/3	10.1.1.1/24	-	连接R1的接口
FW2	GE0/0/1.10	192.168.10.2/24	-	子接口，对应vlan10
	GE0/0/1.10	192.168.10.1/24	-	VRRP组1的虚拟IP地址
	GE0/0/1.20	192.168.20.2/24	-	子接口，对应vlan20
	GE0/0/1.20	192.168.20.1/24	-	VRRP组2的虚拟IP地址
	GE0/0/3	10.1.2.1/24	-	连接R2的接口
R1	GE0/0/0	10.1.1.2/24	-	连接FW1的接口
R1	GE0/0/1	10.9.9.1/24	-	连接R2的接口
R2	GE0/0/0	10.1.2.2/24	-	连接FW2的接口
R2	GE0/0/1	10.9.9.2/24	-	连接R1的接口
PC1	Eth	192.168.10.100/24	-	网关是192.168.10.1
PC2	Eth	192.168.20.100/24	-	网关是192.168.20.1

配置接入层交换机SW3

#在SW3上创建VLAN10及20

[SW3] vlan batch 10 20

#在SW3上配置二层接口类型，并加入相应的VLAN

[SW3] interface GigabitEthernet0/0/1

[SW3-GigabitEthernet0/0/1] port link-type access

[SW3-GigabitEthernet0/0/1] port default vlan 10

[SW3] interface GigabitEthernet0/0/2

[SW3-GigabitEthernet0/0/1] port link-type access

[SW3-GigabitEthernet0/0/1] port default vlan 20

[SW3] interface GigabitEthernet0/0/21

[SW3-GigabitEthernet0/0/21] port link-type trunk

[SW3-GigabitEthernet0/0/21] port trunk allow-pass vlan all

[SW3] interface GigabitEthernet0/0/22

[SW3-GigabitEthernet0/0/22] port link-type trunk

[SW3-GigabitEthernet0/0/22] port trunk allow-pass vlan all

#在SW3上配置MSTP

[SW3] stp mode mstp

[SW3] stp enable

配置SW1及SW2

#在SW1上创建VLAN、配置Eth-trunk、配置二层接口并将接口划入相应VLAN

[SW1] vlan batch 10 20

[SW1]interface Eth-Trunk 1

[SW1-Eth-Trunk1] mode manual load-balance

[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/23

[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/24

[SW1-Eth-Trunk1] port link-type trunk

[SW1-Eth-Trunk1] port trunk allow-pass vlan 10 20

[SW1-Eth-Trunk1] quit

[SW1] interface GigabitEthernet0/0/21

[SW1-GigabitEthernet0/0/21] port link-type trunk

[SW1-GigabitEthernet0/0/21] port trunk allow-pass vlan 10 20

[SW1] interface GigabitEthernet0/0/20

[SW1-GigabitEthernet0/0/20] port link-type trunk

[SW1-GigabitEthernet0/0/20] port trunk allow-pass vlan 10 20

#SW1配置MSTP，SW1配置为网络中的STP主根

[SW1] stp mode mstp

[SW1] stp instance 0 root primary

[SW1] stp enable

#在SW2上创建VLAN、配置Eth-trunk、配置二层接口并将接口划入相应VLAN

[SW2] vlan batch 10 20

[SW2] interface Eth-Trunk 1

[SW2-Eth-Trunk1] mode manual load-balance

[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/23

[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/24

[SW2-Eth-Trunk1] port link-type trunk

[SW2-Eth-Trunk1] port trunk allow-pass vlan 10 20

[SW2-Eth-Trunk1] quit

[SW2] interface GigabitEthernet0/0/22

[SW2-GigabitEthernet0/0/22] port link-type trunk

[SW2-GigabitEthernet0/0/22] port trunk allow-pass vlan 10 20

[SW2] interface GigabitEthernet0/0/20

[SW2-GigabitEthernet0/0/20] port link-type trunk

[SW2-GigabitEthernet0/0/20] port trunk allow-pass vlan 10 20

#SW1配置MSTP，SW2配置为网络中的STP次根

[SW1] stp mode mstp

[SW1] stp instance 0 root secondary

[SW1] stp enable

配置FW1及FW2，使得PC1及PC2能够与自己的网关互通

#在FW1上创建子接口GE0/0/1.10，封装dot1q vlan 10，配置IP地址及VRRP；创建子接口GE0/0/1.20，封装dot1q vlan 20，配置IP地址及VRRP；将上述两个子接口关联到相应安全区域：

[Fw1] interface GigabitEthernet 0/0/1.10

[Fw1-GigabitEthernet0/0/1.10] vlan-type dot1q 10

[Fw1-GigabitEthernet0/0/1.10] ip address 192.168.10.3 24

[Fw1-GigabitEthernet0/0/1.10] vrrp vrid 1 virtual-ip 192.168.10.1 master

[Fw1-GigabitEthernet0/0/1.10] quit

[Fw1] interface GigabitEthernet 0/0/1.20

[Fw1-GigabitEthernet0/0/1.20] vlan-type dot1q 20

[Fw1-GigabitEthernet0/0/1.20] ip address 192.168.20.3 24

[Fw1-GigabitEthernet0/0/1.20] vrrp vrid 2 virtual-ip 192.168.20.1 master

[Fw1-GigabitEthernet0/0/1.20] quit

[Fw1] firewall zone trust

[Fw1-zone-trust] add interface GigabitEthernet 0/0/1.10

[Fw1-zone-trust] quit

[Fw1] firewall zone dmz

[Fw1-zone-dmz] add interface GigabitEthernet 0/0/1.20

[Fw1-zone-dmz] quit

#在FW2上创建子接口GE0/0/1.10，封装dot1q vlan 10，配置IP地址及VRRP；创建子接口GE0/0/1.20，封装dot1q vlan 20，配置IP地址及VRRP；将上述两个子接口关联到相应安全区域：

[Fw2] interface GigabitEthernet 0/0/1.10

[Fw2-GigabitEthernet0/0/1.10] vlan-type dot1q 10

[Fw2-GigabitEthernet0/0/1.10] ip address 192.168.10.2 24

[Fw2-GigabitEthernet0/0/1.10] vrrp vrid 1 virtual-ip 192.168.10.1 slave

[Fw2-GigabitEthernet0/0/1.10] quit

[Fw2] interface GigabitEthernet 0/0/1.20

[Fw2-GigabitEthernet0/0/1.20] vlan-type dot1q 20

[Fw2-GigabitEthernet0/0/1.20] ip address 192.168.20.2 24

[Fw2-GigabitEthernet0/0/1.20] vrrp vrid 2 virtual-ip 192.168.20.1 slave

[Fw2-GigabitEthernet0/0/1.20] quit

[Fw2] firewall zone trust

[Fw2-zone-untrust] add interface GigabitEthernet 0/0/1.10

[Fw2-zone-untrust] quit

[Fw2] firewall zone dmz

[Fw2-zone-untrust] add interface GigabitEthernet 0/0/1.20

[Fw2-zone-untrust] quit

完成上述配置后PC1与PC2就能够跟自己的网关互通了，PC1属于trust区域，防火墙可能默认的安全策略放行了local-trust安全区域的inbound及outbound策略，因此PC1可直接ping通网关192.168.10.1；而local-dmz的inbound及outbound的默认策略都是deny的，因此PC2可能无法直接ping通网关192.168.20.1，但是这并不影响实验，如果想要观察实验结果，可以放开local-dmz之间的安全策略。

配置FW1及FW2，与R1、R2建立OSPF邻居关系

#在FW1配置GE0/0/3口，并且运行OSPF，使用router-id 1.1.1.1

[Fw1] firewall zone untrust

[Fw1-zone-untrust] add interface GigabitEthernet 0/0/3

[Fw1] interface GigabitEthernet 0/0/3

[Fw1-GigabitEthernet0/0/3] ip address 10.1.1.1 24

[Fw1] ospf 1 router-id 1.1.1.1

[Fw1-ospf-1] area 0

[Fw1-ospf-1-0.0.0.0] network 10.1.1.0 0.0.0.255

[Fw1-ospf-1-0.0.0.0] network 192.168.10.0 0.0.0.255

[Fw1-ospf-1-0.0.0.0] network 192.168.20.0 0.0.0.255

[Fw1-ospf-1-0.0.0.0] quit

[Fw1-ospf-1] quit

#在FW2配置GE0/0/3口，并且运行OSPF，使用router-id 2.2.2.2

[Fw2] firewall zone untrust

[Fw2-zone-untrust] add interface GigabitEthernet 0/0/3

[Fw2] interface GigabitEthernet 0/0/3

[Fw2-GigabitEthernet0/0/3] ip address 10.1.2.1 24

[Fw2] ospf 1 router-id 2.2.2.2

[Fw2-ospf-1] area 0

[Fw2-ospf-1-0.0.0.0] network 10.1.2.0 0.0.0.255

[Fw2-ospf-1-0.0.0.0] network 192.168.10.0 0.0.0.255

[Fw2-ospf-1-0.0.0.0] network 192.168.20.0 0.0.0.255

[Fw2-ospf-1-0.0.0.0] quit

[Fw2-ospf-1] quit

#配置R1

[R1] interface GigabitEthernet 0/0/0

[R1-GigabitEthernet0/0/0] ip address 10.1.1.2 24

[R1] interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1] ip address 10.9.9.1 24

[R1] ospf 1 router-id 3.3.3.3

[R1-ospf-1] area 0

[R1-ospf-1-0.0.0.0] network 10.1.1.0 0.0.0.255

[R1-ospf-1-0.0.0.0] network 10.9.9.0 0.0.0.255

[R1-ospf-1-0.0.0.0] quit

[R1-ospf-1] quit

#配置R2

[R2] interface GigabitEthernet 0/0/0

[R2-GigabitEthernet0/0/0] ip address 10.1.2.2 24

[R2] interface GigabitEthernet 0/0/1

[R2-GigabitEthernet0/0/1] ip address 10.9.9.2 24

[R2] ospf 1 router-id 4.4.4.4

[R2-ospf-1] area 0

[R2-ospf-1-0.0.0.0] network 10.1.2.0 0.0.0.255

[R2-ospf-1-0.0.0.0] network 10.9.9.0 0.0.0.255

[R2-ospf-1-0.0.0.0] quit

[R2-ospf-1] quit

FW1及FW2配置双机热备

FW1的配置增加如下：

[FW1] interface GigabitEthernet0/0/3

[FW1-GigabitEthernet 0/0/3] hrp track master

[FW1] Interface GigabitEthernet 0/0/2 #配置用于HRP的接口

[FW1-GigabitEthernet 0/0/2] Ip address 1.1.1.1 24

[FW1-GigabitEthernet 0/0/2] quit

[FW1] firewall zone name heart #创建一个安全区域并关联该接口

[FW1-zone-heart] set priority 90

[FW1-zone-heart] add interface GigabitEthernet 0/0/2

[FW1-zone-heart] quit

[FW1] hrp interface GigabitEthernet0/0/2 #将GE0/0/2口配置为HRP心跳接口

[FW1] hrp ospf-cost adjust-enable # 配置根据HRP状态调整OSPF相关的COST值命令功能。

[FW1] hrp preempt delay 30

[FW1] hrp enable #启用HRP备份功能，启用之后就会协商主备，主设备显示HRP_M，备设备显示HRP_S。两端首次协商出主备后，主用设备将向备用设备备份配置和连接状态等信息

FW2的配置增加如下：

[Fw2] interface GigabitEthernet0/0/3

[Fw2-GigabitEthernet 0/0/3] hrp track master

[Fw2] Interface GigabitEthernet 0/0/2 #配置用于HRP的接口

[Fw2-GigabitEthernet 0/0/2] Ip address 1.1.1.2 24

[Fw2-GigabitEthernet 0/0/2] quit

[Fw2] firewall zone name heart #创建一个安全区域并关联该接口

[Fw2-zone-heart] set priority 90

[Fw2-zone-heart] add interface GigabitEthernet 0/0/2

[Fw2-zone-heart] quit

[Fw2] hrp interface GigabitEthernet0/0/2 #将GE0/0/2口配置为HRP心跳接口

[Fw2] hrp ospf-cost adjust-enable # 配置根据HRP状态调整OSPF相关的COST值命令功能。

[Fw2] hrp preempt delay 30

[Fw2] hrp enable

防火墙主备跑起来后，FW2作为备机在通告192.168.10.0/24及192.168.20.0/24路由给R2的时候，路由的cost就会变成65500；而FW1作为主设备，其在通告路由给R1的时候，路由的metric不会调整，因此untrust区域内的用户到trust的流量，会走FW1。

在主设备FW1上完成配置，使得PC1能够ping 10.9.9.0/24网络

#FW1上部署interzone策略，允许PC1所在网段访问untrust区域：

HRP_M[Fw1] policy interzone trust untrust outbound

HRP_M[Fw1-policy-interzone-trust-untrust-outbound] policy 0

HRP_M[Fw1-policy-interzone-trust-untrust-outbound-0] policy source 192.168.10.0 0.0.0.255

HRP_M[Fw1-policy-interzone-trust-untrust-outbound-0] action permit

HRP_M[Fw1-policy-interzone-trust-untrust-outbound-0] quit

HRP_M[Fw1-policy-interzone-trust-untrust-outbound] quit

由于部署了防火墙双机热备，因此在主设备FW1上所配置的策略会同步到备份设备FW2上。

如此一来，PC1即可ping通10.9.9.1或10.9.9.2。

点赞
收藏
关注作者

0/1000

抱歉，系统识别当前为高风险访问，暂不支持该操作

全部回复

上滑加载中

设置昵称

在此一键设置昵称，即可参与社区互动！

*长度不超过10个汉字或20个英文字符，设置后3个月内不可修改。

确认取消

加入云驻计划，成为创作者

华为云周边好礼
免费体验产品
特殊身份标识
线下官方门票
内部专家零距离
与10000+优质创作者共同成长

立即加入

ensp实验

全部回复

设置昵称

关于作者

目录

加入云驻计划，成为创作者

ensp实验

全部回复

设置昵称

关于作者

目录

加入云驻计划，成为创作者

推荐阅读

相关产品