Lab requirements:
Prerequisite: hosts inside the network can already reach each other
- Employee hosts cannot access web pages
- Other departments cannot access the Finance department
- HR and the other departments can access each other
- AR1 is the SSH and FTP client; AR6 is the SSH and FTP server
- The R&D and Business departments cannot access each other
- Between AR5 and AR6 the right-hand link is the primary link, so that traffic continues if one link fails
1. Building the lab topology
2. Basic lab configuration
Employee hosts cannot access web pages
LSW5 configuration
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp destination-port eq 80 source any
[Huawei-acl-adv-3000]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
This rule matches only TCP port 80, so plain HTTP is blocked but HTTPS (TCP 443) still passes; if "web pages" is meant to include HTTPS sites, a second rule for destination-port eq 443 is needed. Packets that match no rule are permitted by traffic-filter, so all other traffic leaving g0/0/1 is unaffected.
Other departments cannot access the Finance department
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule deny ip source 192.168.10.0 0.0.0.255
[Huawei-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255
[Huawei-acl-adv-3001]rule deny ip source 192.168.50.0 0.0.0.255
[Huawei-acl-adv-3001]q
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]traffic-filter outbound acl 3001
The filter is applied outbound on e0/0/3, the port facing Finance, so packets from the three listed subnets are dropped as they leave the switch towards Finance; HR is not listed, so it keeps its access. Because the rules match on source address only, the three subnets lose all IP access to everything reachable through e0/0/3, not just to particular services.
HR and the other departments can access each other: no configuration is needed
AR1 is the SSH and FTP client; AR6 is the SSH and FTP server
AR6 FTP server configuration
Core FTP commands:
system-view                                         enter system view
ftp server enable                                   start the FTP service
user-interface console 0
authentication-mode aaa                             select AAA authentication
aaa                                                 enter AAA view
local-user <ftp-user> password cipher <password>    create the FTP user and set its password
local-user <ftp-user> privilege level 0             set the user's privilege level to 0
local-user <ftp-user> service-type ftp              set the user's service type to FTP
local-user <ftp-user> ftp-directory flash:          set the user's FTP directory to flash:
quit
The configuration actually entered below differs from this summary in two places: it uses user-interface vty 0 4 rather than console 0, and it gives the user privilege level 3 rather than 0.
[Huawei]ftp server enable
Info: Succeeded in starting the FTP server
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]q
[Huawei]aaa
[Huawei-aaa]local-user ma password cipher 123
Info: Add a new user.
[Huawei-aaa]local-user ma privilege level 3
[Huawei-aaa]local-user ma service-type ftp
[Huawei-aaa]local-user ma ftp-directory flash:
[Huawei-aaa]q
The password 123 is acceptable only in an isolated lab. Note also that FTP sends the username and password in cleartext, and that ftp-directory flash: gives the user the whole flash, which includes the saved device configuration; outside a lab prefer SFTP where the device supports it and point the user at a dedicated subdirectory.
AR1 login verification
AR6 SSH server configuration
Core commands
The configuration is as follows:
[R6]stelnet server enable
Info: Succeeded in starting the STELNET server.
[R6]rsa local-key-pair create
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:1024
Generating keys...
[R6]user-interface vty 0 4
[R6-ui-vty0-4]authentication-mode aaa
[R6-ui-vty0-4]protocol inbound ssh
[R6-ui-vty0-4]q
[R6]aaa
[R6-aaa]local-user ma1 password cipher 123
Info: Add a new user.
[R6-aaa]local-user ma1 privilege level 3
[R6-aaa]local-user ma1 service-type ssh
[R6-aaa]q
[R6]ssh user ma1 authentication-type a
Three points on this configuration. A 1024-bit RSA host key is below current recommendations; the prompt offers up to 2048 bits, so answer 2048 rather than accepting the lab value. protocol inbound ssh restricts the VTY lines to SSH, which also switches off Telnet logins on them, so a typo in the user configuration locks you out of remote management until it is fixed from the console. The authentication-type argument was entered abbreviated as a; since ma1 only has a password configured, authentication-type password is the precise setting for this user.
AR1 login verification
Core commands
[Huawei]ssh client first-time enable
[Huawei]stelnet 16.0.0.6
Please input the username:ma1
Trying 16.0.0.6 ...
Press CTRL+K to abort
Connected to 16.0.0.6 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 16.0.0.6. Please wait...
Enter password:
<R6>
ssh client first-time enable lets the client accept a server key it has never seen, and the prompt "The server is not authenticated" is the client saying exactly that: the first connection trusts whatever answers at 16.0.0.6. That is fine in the lab, but outside it verify the server's key fingerprint out of band, or pre-configure the server's public key on the client, before answering y. Once the key is saved under the name 16.0.0.6, later connections are checked against it.
The R&D and Business departments cannot access each other
LSW1 and LSW4 are configured in the same way
LSW1 configuration:
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255
[Huawei-acl-adv-3001]q
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]traffic-filter outbound acl 3001
LSW4 needs the equivalent rule denying the other department's subnet on its own department-facing port, so that packets are dropped in both directions rather than only the replies.
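The following Python model is added here and is not code from the lab page (the page's own configuration is Huawei CLI). It reproduces the first-match, implicit-permit evaluation that traffic-filter applies to the three ACLs above (LSW5 acl 3000 and acl 3001, LSW1 acl 3001) and runs it over constructed flows. The web-server address 203.0.113.10, the Finance host 192.168.40.2 and the subnet 192.168.30.0/24 are assumptions made for the example; the page does not give them.

```python
"""Added example, not code from the lab page: a minimal model of how the
traffic-filter ACLs configured on LSW5 and LSW1 are evaluated, run over a few
constructed flows. Addresses 203.0.113.10 (a web server), 192.168.40.2 (a
Finance host) and 192.168.30.0/24 (a subnet on no deny list) are made up
for the example; the page does not give them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


def in_prefix(addr: str, spec: str) -> bool:
    """spec is 'any' or 'network/wildcard' exactly as typed on the switch;
    Python's ipaddress accepts a Huawei-style wildcard (host) mask directly."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol; otherwise "tcp"/"udp"/"icmp"
    src: str = "any"             # source network/wildcard
    dst: str = "any"             # destination network/wildcard
    dport: Optional[int] = None  # destination-port eq <n>


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return in_prefix(pkt.src, rule.src) and in_prefix(pkt.dst, rule.dst)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Rules are tried top to bottom and the first match decides. A packet
    that matches no rule is permitted: traffic-filter has no implicit deny,
    which is why the lab only needs deny rules."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "permit"


# The three ACLs from the page, transcribed rule for rule.
ACL_3000 = [Rule("deny", proto="tcp", dport=80)]              # LSW5, outbound on g0/0/1
ACL_3001_LSW5 = [                                              # LSW5, outbound on e0/0/3 (towards Finance)
    Rule("deny", src="192.168.10.0/0.0.0.255"),
    Rule("deny", src="192.168.20.0/0.0.0.255"),
    Rule("deny", src="192.168.50.0/0.0.0.255"),
]
ACL_3001_LSW1 = [Rule("deny", src="192.168.20.0/0.0.0.255")]  # LSW1, outbound on e0/0/1

WEB_SERVER = "203.0.113.10"    # constructed address
FINANCE_HOST = "192.168.40.2"  # constructed; the page does not name the Finance subnet


def audit() -> Dict[str, str]:
    """Verdict per constructed flow. Two things worth noticing: acl 3000
    stops HTTP but not HTTPS or ICMP to the same server, and acl 3001 only
    stops the three subnets it lists."""
    flows = {
        "staff -> web tcp/80":  (ACL_3000, Packet("192.168.10.2", WEB_SERVER, "tcp", 80)),
        "staff -> web tcp/443": (ACL_3000, Packet("192.168.10.2", WEB_SERVER, "tcp", 443)),
        "staff -> web icmp":    (ACL_3000, Packet("192.168.10.2", WEB_SERVER, "icmp")),
        "192.168.10.x -> finance": (ACL_3001_LSW5, Packet("192.168.10.2", FINANCE_HOST)),
        "192.168.20.x -> finance": (ACL_3001_LSW5, Packet("192.168.20.2", FINANCE_HOST)),
        "192.168.30.x -> finance": (ACL_3001_LSW5, Packet("192.168.30.2", FINANCE_HOST)),
        "192.168.20.x out LSW1 e0/0/1": (ACL_3001_LSW1, Packet("192.168.20.2", "192.168.30.2")),
    }
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in flows.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:32} {verdict}")
```

Running audit() is a quick way to check a rule set against the requirement it is supposed to implement before applying it: the HTTPS flow coming back as permit is the gap in acl 3000 noted above, and adding a rule to the list and re-running shows whether the fix closes it without touching the flows that should still pass.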
Between AR5 and AR6 the right-hand link is the primary link, so that traffic continues if one link fails
AR6 static route configuration
[Huawei]ip route-static 12.0.0.0 24 61.0.0.5                  primary route, default preference 60
[Huawei]ip route-static 12.0.0.0 24 16.0.0.5 preference 65    backup (floating) route
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]shutdown                         shut down the primary interface; packets will take the backup link
Result:
[Huawei]tracert 12.0.0.2
traceroute to 12.0.0.2(12.0.0.2), max hops: 30 ,packet length: 40,press CTRL_C to break
1 16.0.0.5 50 ms 10 ms 10 ms
2 15.0.1.2 20 ms 30 ms 20 ms
3 12.0.0.2 50 ms 20 ms 40 ms
The first hop is now 16.0.0.5, the backup next hop, which confirms that the floating route has taken over. The two routes have the same destination and mask, so only the preference value decides; the route with the lower value (60) is installed while its outgoing interface is up, and the preference-65 route is used only once the primary leaves the routing table. That is also the limit of the technique: the primary route is withdrawn here because its interface was shut down, but if the interface stays up while the path beyond it is broken, the preference-60 route remains installed and traffic is black-holed. Tying the static route to BFD or another next-hop check is what catches that case.
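The Python model below is added here and is not code from the lab page. It shows the routing decision AR6 makes for the two static routes to 12.0.0.0/24: longest prefix first, then lowest preference, with a route dropped while its outgoing interface is down, so that the sequence "shutdown g0/0/0, then undo shutdown" moves the next hop to 16.0.0.5 and back. It assumes the 16.0.0.5 next hop is reached through an interface named g0/0/1; the page names only g0/0/0, the primary link.

```python
"""Added example, not part of the lab page: a small model of the AR6 routing
decision for the two static routes to 12.0.0.0/24, used to show when the
floating (preference 65) route takes over and when it gives way again.

Assumption not stated on the page: the 16.0.0.5 next hop is reached through
an interface named g0/0/1 (the page only names g0/0/0, the primary link).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str           # destination, e.g. "12.0.0.0/24"
    next_hop: str
    out_iface: str        # interface through which the next hop is reached
    preference: int = 60  # Huawei default preference for a static route


class Router:
    """Longest-prefix match first; among equal prefixes the lowest preference
    wins. A static route whose outgoing interface is down is withdrawn, which
    is what 'shutdown' on g0/0/0 triggers on the page."""

    def __init__(self, routes: List[StaticRoute]):
        self.routes = list(routes)
        self.iface_up: Dict[str, bool] = {r.out_iface: True for r in routes}

    def shutdown(self, iface: str) -> None:
        self.iface_up[iface] = False

    def undo_shutdown(self, iface: str) -> None:
        self.iface_up[iface] = True

    def active_routes(self) -> List[StaticRoute]:
        return [r for r in self.routes if self.iface_up.get(r.out_iface, False)]

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        addr = ip_address(dst)
        candidates = [r for r in self.active_routes() if addr in ip_network(r.prefix)]
        if not candidates:
            return None
        # Longest prefix first, then lowest preference value.
        return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.preference))


def build_ar6() -> Router:
    """The two routes from the page: primary via 61.0.0.5 (default preference
    60) and the floating backup via 16.0.0.5 with preference 65."""
    return Router([
        StaticRoute("12.0.0.0/24", "61.0.0.5", "g0/0/0"),                 # primary, preference 60
        StaticRoute("12.0.0.0/24", "16.0.0.5", "g0/0/1", preference=65),  # backup; g0/0/1 is assumed
    ])


def next_hop(router: Router, dst: str) -> Optional[str]:
    route = router.lookup(dst)
    return route.next_hop if route else None


def failover_sequence(dst: str = "12.0.0.2") -> List[Optional[str]]:
    """Next hop before the shutdown, after 'shutdown' on g0/0/0, and after
    'undo shutdown'. The third value shows the primary is preferred again as
    soon as its interface returns: static routes preempt, there is no hold-down."""
    ar6 = build_ar6()
    before = next_hop(ar6, dst)
    ar6.shutdown("g0/0/0")
    during = next_hop(ar6, dst)
    ar6.undo_shutdown("g0/0/0")
    after = next_hop(ar6, dst)
    return [before, during, after]


if __name__ == "__main__":
    print(failover_sequence())  # ['61.0.0.5', '16.0.0.5', '61.0.0.5']
```

The model only tracks interface state, which is precisely the limitation of a floating static route: a failure beyond a link that stays up is invisible to it, so the primary route keeps winning and the backup never activates.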
3. Lab results
All PCs communicate according to the lab requirements
4. Lab summary
- To restrict access between hosts or subnets, use ACL commands (prerequisite: the subnets can already communicate)
- FTP and SSH services: set up with the basic configuration commands
- Floating route: configure two static routes, one of them with a higher preference value as the backup line;
enter the primary link interface and shut it down with shutdown;
use tracert <ip> to see which path the traffic takes