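Notes:                                                   Lot number:
1. Read the questions and the answer sheet carefully and complete them as required; otherwise scoring will be affected.
2. The exam paper, answer sheet, printouts and other materials must not be taken out of the exam room, and all of them must carry the group number drawn by lot. Items that are incomplete or whose group number is not clearly written will not be scored. Any work that reveals the author's identity receives 0 points.
3. All virtual machine files must be saved on the last disk partition of the host; otherwise they will not be scored.
4. Screenshots must be saved in PNG format on the desktop of the host that corresponds to the virtual machine; content not captured as required will not be scored.
5. All operating system passwords are set uniformly to 123+shenz
6. On the answer sheet, fill in the addresses on the topology diagram correctly and connect the network devices according to the diagram!
Network address plan (interfaces may be chosen according to the implementation)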

Device    IP address           Remarks
SW1       172.16.75.1/24
FW        214.125.128.1/24
          172.16.1.1/24
          198.177.1.3/24
RA        214.125.128.2/24
          136.177.78.65/24
RB        198.177.1.4/24
          110.31.48.1/24
RC        10.1.1.1/24
          136.177.78.66/24
          110.31.48.2/24
SW2       10.1.1.2/24
AC        192.168.10.1/24
AP        192.168.20.1/24

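1.       On SW1, create VLAN100 with ports f0/1-10 and VLAN200 with ports f0/11-20; use the last IP address as the gateway address.
2.       On WG, create VLAN110 with ports f0/1-6, VLAN120 with ports f0/7-12 and VLAN130 with ports f0/13-18; use the last IP address as the gateway address; IP addresses are obtained automatically.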

 

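     Internal network configuration and management

     1.       On the WG switch, configure F0/5 to allow only 5 hosts to connect and F0/6 to allow only 1 host.

     2.       SW1 F0/21 is connected to WG F0/19.

     3.       Configure CHAP authentication on the serial links between RA, RB and RC.

     4.       Configure NAT on RC so that the internal network is translated to a public IP to access the Internet.

     5.       FW, RA and RC run OSPF entity 1; FW, RB and RC run OSPF entity 2; RC and SW2 run OSPF entity 20 (configured as OSPF areas 1, 2 and 20 in the configuration files below).

     6.       Configure an IPsec VPN between RA and RC; the key is 87654321 and the transform set is esp-3des esp-md5-hmac.

     7.       Configure the network so that, as seen from RC, all traffic goes via RA.

     8.       On FW, limit P2P upstream traffic to 2M.

     9.       Configure URL filtering on FW for the qq.com website and its sub-sites.

     10.    On SW2, configure the internal network so that it can access the public network only on workdays (9:00~18:00); nothing else is restricted.

     11.    On AC, configure DHCP so that wireless users can obtain an IP address; use the SSID x-shenz with WPA2 encryption; configure the AP to register with the AC; the AP IP is 192.168.20.1/24.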

 

     Topology diagram:


 

     Configuration files:

    hostname WG
    interface FastEthernet0/1
     switchport access vlan 110
    interface FastEthernet0/2
     switchport access vlan 120
    interface FastEthernet0/3
     switchport access vlan 130
    interface FastEthernet0/15
     switchport mode trunk

 

    hostname SW1
    ! DHCP pools for the WG access VLANs; the gateway is the last address of each subnet
    ip dhcp pool vlan110
     network 192.168.110.0 255.255.255.0
     default-router 192.168.110.254
    ip dhcp pool vlan120
     network 192.168.120.0 255.255.255.0
     default-router 192.168.120.254
    ip dhcp pool vlan130
     network 192.168.130.0 255.255.255.0
     default-router 192.168.130.254
    ! Routed port; the mask is /16 here although the address plan lists /24
    ! (FW Fa0/0, 172.16.1.1, uses the same /16)
    interface FastEthernet0/0
     no switchport
     ip address 172.16.75.1 255.255.0.0
    interface FastEthernet0/1
     switchport access vlan 100
    interface FastEthernet0/2
     switchport access vlan 200
    interface FastEthernet0/15
     switchport mode trunk
    interface Vlan100
     ip address 192.168.100.254 255.255.255.0
    interface Vlan110
     ip address 192.168.110.254 255.255.255.0
    interface Vlan120
     ip address 192.168.120.254 255.255.255.0
    interface Vlan130
     ip address 192.168.130.254 255.255.255.0
    interface Vlan200
     ip address 192.168.200.254 255.255.255.0
    router ospf 1
     network 172.16.0.0 0.0.255.255 area 0
     network 192.168.100.0 0.0.0.255 area 0
     network 192.168.110.0 0.0.0.255 area 0
     network 192.168.120.0 0.0.0.255 area 0
     network 192.168.130.0 0.0.0.255 area 0
     network 192.168.200.0 0.0.0.255 area 0

 

    hostname FW
    interface FastEthernet0/0
     ip address 172.16.1.1 255.255.0.0
    interface FastEthernet1/0
     ip address 214.125.128.1 255.255.255.0
    interface FastEthernet2/0
     ip address 198.177.1.3 255.255.255.0
    router ospf 1
     router-id 1.1.1.1
     ! Virtual link to RC (router-id 2.2.2.2) through transit area 1
     area 1 virtual-link 2.2.2.2
     network 172.16.0.0 0.0.255.255 area 0
     network 198.177.1.0 0.0.0.255 area 2
     network 214.125.128.0 0.0.0.255 area 1

 

    hostname RA
    ! CHAP user entry; the password is not shown in this listing
    username RA
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key 87654321 address 136.177.78.66
    crypto ipsec transform-set set esp-3des esp-md5-hmac
    crypto map map 10 ipsec-isakmp
     set peer 136.177.78.66
     set transform-set set
     match address 100
    interface FastEthernet0/0
     ip address 214.125.128.2 255.255.255.0
    interface Serial1/0
     ip address 136.177.78.65 255.255.255.0
     encapsulation ppp
     ppp authentication chap
     ppp chap hostname RC
     crypto map map
    router ospf 1
     network 136.177.78.0 0.0.0.255 area 1
     network 214.125.128.0 0.0.0.255 area 1
    ! Crypto ACL: only 192.168.100.0/24 -> 192.168.10.0/24 is protected (mirror of ACL 100 on RC)
    access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255

 

    hostname RB
    ! CHAP user entry; the password is not shown in this listing
    username RB
    interface FastEthernet0/0
     ip address 198.177.1.4 255.255.255.0
    interface Serial1/0
     ip address 110.31.48.1 255.255.255.0
     encapsulation ppp
     ppp authentication chap
     ppp chap hostname RC
    router ospf 1
     network 110.31.48.0 0.0.0.255 area 2
     network 198.177.1.0 0.0.0.255 area 2

 

    hostname RC
    ! CHAP user entry; the password is not shown in this listing
    username RC
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key 87654321 address 136.177.78.65
    crypto ipsec transform-set set esp-3des esp-md5-hmac
    crypto map map 10 ipsec-isakmp
     set peer 136.177.78.65
     set transform-set set
     match address 100
    interface FastEthernet0/0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    interface Serial2/0
     ip address 136.177.78.66 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     serial restart-delay 0
     ppp authentication chap
     ppp chap hostname RA
     crypto map map
    interface Serial2/1
     ip address 110.31.48.2 255.255.255.0
     ip nat outside
     encapsulation ppp
     ppp authentication chap
     ppp chap hostname RB
    router ospf 1
     router-id 2.2.2.2
     ! Virtual link to FW (router-id 1.1.1.1) through transit area 1
     area 1 virtual-link 1.1.1.1
     network 10.1.1.0 0.0.0.255 area 20
     network 110.31.48.0 0.0.0.255 area 2
     network 136.177.78.0 0.0.0.255 area 1
    ip nat inside source list 120 interface Serial2/0 overload
    ip nat inside source list 130 interface Serial2/1 overload
    ! Crypto ACL: only 192.168.10.0/24 -> 192.168.100.0/24 is protected (mirror of ACL 100 on RA)
    access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
    ! NAT ACL 120: the IPsec flow is denied (not translated) before the permits
    access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 120 permit ip 192.168.10.0 0.0.0.255 any
    access-list 120 permit ip 192.168.20.0 0.0.0.255 any
    ! NAT ACL 130: the deny below covers all of 192.168.10.0/24, so the permit
    ! for the same source that follows it is never matched
    access-list 130 deny   ip 192.168.10.0 0.0.0.255 any
    access-list 130 permit ip 192.168.10.0 0.0.0.255 any
    access-list 130 permit ip 192.168.20.0 0.0.0.255 any
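An offline check of how RC's NAT ACLs interact with the IPsec crypto ACL, written for this page as an added example (it is not part of the original exam answer). It parses the `access-list` lines copied from the RA and RC listings and reports protected flows that NAT would translate, crypto entries that use `any`, and entries that can never match; the function names are hypothetical and only `permit|deny ip` entries with contiguous wildcards are handled.

```python
import ipaddress
import re

# ACL lines copied from the RA and RC listings on this page.
RA_ACLS = "access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255"
RC_ACLS = """
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
access-list 130 deny   ip 192.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.20.0 0.0.0.255 any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
LINE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$")

def _net(spec):
    """'any' or 'address wildcard' (contiguous wildcard, no 'host' keyword) -> network."""
    return ANY if spec == "any" else ipaddress.ip_network("/".join(spec.split()))

def parse_acls(text):
    """Return {acl number: [(action, source, destination), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            acls.setdefault(int(m[1]), []).append((m[2], _net(m[3]), _net(m[4])))
    return acls

def covers(entry, src, dst):
    """True when the entry matches every packet of the flow src -> dst."""
    return src.subnet_of(entry[1]) and dst.subnet_of(entry[2])

def first_action(acl, src, dst):
    """Action of the first covering entry; IOS ends every ACL with an implicit deny."""
    return next((e[0] for e in acl if covers(e, src, dst)), "deny")

def nat_leaks(crypto_acl, nat_acl):
    """Protected flows that the NAT ACL permits, i.e. that would be translated."""
    return [(str(s), str(d)) for a, s, d in crypto_acl
            if a == "permit" and first_action(nat_acl, s, d) == "permit"]

def too_broad(crypto_acl):
    """Crypto ACL permit entries with 'any' as source or destination."""
    return [e for e in crypto_acl if e[0] == "permit" and ANY in e[1:]]

def shadowed(acl):
    """Indexes of entries fully covered by an earlier entry, so they never match."""
    return [i for i, e in enumerate(acl) if any(covers(p, e[1], e[2]) for p in acl[:i])]
```

On the RC lists, `nat_leaks` is empty for both NAT ACLs, and `shadowed` reports index 1 of ACL 130, the permit hidden by the deny before it.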

 

    hostname SW2
    interface FastEthernet0/0
     no switchport
     ip address 10.1.1.2 255.255.255.0
    interface FastEthernet0/1
     switchport access vlan 30
    interface FastEthernet0/2
     switchport access vlan 40
    interface FastEthernet0/3
     switchport access vlan 30
    interface FastEthernet0/4
     switchport access vlan 40
    interface FastEthernet0/5
     switchport access vlan 111
    interface Vlan30
     ip address 192.168.10.254 255.255.255.0
    interface Vlan40
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.10.1
    interface Vlan111
     ip address 192.168.111.254 255.255.255.0
     ip helper-address 192.168.10.1
    router ospf 1
     network 10.1.1.0 0.0.0.255 area 20
     network 192.168.10.0 0.0.0.255 area 20
     network 192.168.20.0 0.0.0.255 area 20

 

    hostname AC
    ip dhcp pool vlan30
     network 192.168.10.0 255.255.255.0
     default-router 192.168.10.254
    ip dhcp pool vlan40
     network 192.168.20.0 255.255.255.0
     default-router 192.168.20.254
    interface FastEthernet0/1
     switchport access vlan 30
    interface Vlan30
     ip address 192.168.10.1 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 192.168.10.254

 

    hostname AP
    interface FastEthernet0/0
     ip address dhcp

 

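     Notes:

     1.       When configuring NAT, DENY the traffic that goes through IPsec.

     2.       When configuring IPsec, never use permit any any; specify the concrete traffic.

     3.       For PPP CHAP, the interface must be configured to authenticate with the peer's username.

     4.       AREA 0 and the virtual link must be configured; otherwise AREA 20 cannot learn the routes of the whole network, even though the other routers can.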
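The last note can be checked offline against the OSPF statements in the listings. The following is an added example, not part of the original exam answer: it parses the `network ... area` and `virtual-link` lines of FW, RC and SW2 and lists areas that have no router attached to area 0, either directly or through a virtual link configured on both ends. The function names are hypothetical and the model is simplified (it does not check stub areas or adjacency state).

```python
import re

# OSPF lines copied from the FW, RC and SW2 listings on this page (a subset, indentation normalised).
CONFIG = """
hostname FW
 router-id 1.1.1.1
 area 1 virtual-link 2.2.2.2
 network 172.16.0.0 0.0.255.255 area 0
 network 198.177.1.0 0.0.0.255 area 2
 network 214.125.128.0 0.0.0.255 area 1
hostname RC
 router-id 2.2.2.2
 area 1 virtual-link 1.1.1.1
 network 10.1.1.0 0.0.0.255 area 20
 network 110.31.48.0 0.0.0.255 area 2
 network 136.177.78.0 0.0.0.255 area 1
hostname SW2
 network 10.1.1.0 0.0.0.255 area 20
 network 192.168.10.0 0.0.0.255 area 20
"""

def parse(text):
    """Return {hostname: {"rid": router ID or None, "areas": set, "vlinks": {(area, peer ID)}}}."""
    routers = {}
    for name, body in re.findall(r"hostname (\S+)\n((?: .*\n)*)", text):
        routers[name] = {
            "rid": (re.findall(r"router-id (\S+)", body) or [None])[0],
            "areas": set(re.findall(r"network \S+ \S+ area (\S+)", body)),
            "vlinks": set(re.findall(r"area (\S+) virtual-link (\S+)", body)),
        }
    return routers

def backbone_routers(routers):
    """Routers in area 0, plus routers joined to one by a virtual link set up on both ends."""
    by_rid = {r["rid"]: n for n, r in routers.items()}
    bb = {n for n, r in routers.items() if "0" in r["areas"]}
    while True:  # repeat so that chained virtual links are followed
        new = {n for n, r in routers.items() for area, rid in r["vlinks"]
               if (p := by_rid.get(rid)) in bb and area in r["areas"]
               and area in routers[p]["areas"] and (area, r["rid"]) in routers[p]["vlinks"]}
        if new <= bb:
            return bb
        bb |= new

def isolated_areas(routers):
    """Non-backbone areas that contain no router attached to area 0, directly or virtually."""
    bb = backbone_routers(routers)
    areas = set().union(*(r["areas"] for r in routers.values()))
    return sorted(a for a in areas - {"0"} if not any(a in routers[n]["areas"] for n in bb))
```

With the listings as given no area is isolated; removing the `virtual-link` statement from either FW or RC makes `isolated_areas` return `["20"]`.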