HCNA study notes

HCNA topics: IP subnetting, IPv4/IPv6, ARP, ICMP, Ethernet II frame format, IP, TCP/UDP, VRP, static routes, route preference / route backup (primary and backup links), metrics / default routes, DHCP, RIP, basic OSPF, trunks, inter-VLAN routing, router-on-a-stick, Easy IP and NAT Server, WAN PPP, WAN HDLC and FR, link aggregation (Eth-Trunk), VRRP, STP, ACLs, configuring Telnet, configuring SSH, configuring FTP

CSW = core switch, DSW = distribution (aggregation) switch, ASW = access switch

A 10G switch port with a 1G optical module inserted shows an amber (yellow) LED

1/1/2/25  main control board / slot / sub-slot / port number

1/2/25  slot / sub-slot / port number

6/0/5  board / (none) / port number

XGE1/0/9 and interface Ten-GigabitEthernet1/0/9 refer to the same port

FGE = 40G, XGE = 10G

H3C

<Ctrl+A>  move the cursor to the start of the current line

<Ctrl+E>  move the cursor to the end of the current line

<Ctrl+X>  delete all characters to the left of the cursor

<Ctrl+Y>  delete all characters to the right of the cursor

<Ctrl+Z>  return to user view

[H3C]interface range Ten-GigabitEthernet 1/0/29 Ten-GigabitEthernet 1/0/30

Clear the configuration: reset saved-configuration, answer Y, then check that the configuration is really cleared ---- reboot to restart: answer N (do not save the current configuration), then Y (confirm)

dis mac-address mac-move  command for checking for loops

If MAC flapping occurs, first work out which device the flapping MAC belongs to, how it is connected and which interface it should normally be learned from; use the device's dis mac-address table to see the interface

A loop may be caused by link aggregation configured on one end only, or by STP problems such as an unstable root bridge; specify the root bridge or change the priority with stp root primary, or stp priority 4096 (or a multiple of 4096)

undo portswitch  turn off Layer 2 switching on the interface

undo info-center enable  disable the information center

[HX-1]clear configuration interface GE 1/0/2  clear the interface configuration

Operate in forced full-duplex mode at 1000 Mbit/s

[SwitchA-GigabitEthernet1/1/1] duplex full

[SwitchA-GigabitEthernet1/1/1] speed 1000

ping -a 1.1.1.1 2.2.2.2   ping with a source address and a destination address

ping -c 100 -a 1.1.1.1 2.2.2.2   -c: stop after 100 packets

Ruijie: int ran g0/1-24

Huawei

[LSW1-port-group] port-group group-member g0/0/1 to g0/0/10

dis telnet ssh http https server status  check the service status

ping -S  Windows 10 ping with a source address

route print  Windows 10 command to show the routing table

netstat  show port connections

traceroute  trace the route

dis startup  show startup parameters

dis users  show connected terminals

dis mac-address  show the MAC addresses on all interfaces

dis int GigabitEthernet 0/0/2  show interface details

dis int brief  show interface status

dis ip int brie  show interface IP / VLAN configuration

dis port vlan  show port VLAN configuration

dis ip routing-table pro static  check whether static routes are in effect

display diagnostic-information hcna.txt  save all device information to the file hcna.txt, then export it via FTP

reset saved-configuration  clear the configuration

reboot  N = do not save the current configuration, Y = restart

format flash:  format, answer Y

format sd1:  format the system card

Router: separates collision domains and broadcast domains

Switch: separates collision domains, not broadcast domains

Hub: separates neither collision domains nor broadcast domains

VRP system files

dis startup  show startup parameters

Saved to RAM

Saved to Flash / SD card

Transferring files between a PC and the router: get = download, put = upload, using the Xlight FTP software

startup system-software sd1:/ar2220-v200r003c00spc200.cc  change the system file

startup system-software sd1:/vrpcfg.zip  change the configuration file

Policy route - direct route - default route - dynamic route

Cable tracer: the probe cannot trace shielded cable / a cable tester can test shielded cable

Key point: when planning the network's IP addresses the mask lengths need not be the same; IPs on different subnets can communicate once static routes are written

R1 to R3: R1 and R3 each write one route, R2 writes none (it is directly connected to both R1 and R3)

(figure: HCNA_优先级)

R1 to R4: R1 and R4 each write one route, R2 and R3 each write two

(figure: HCNA_静态路由_02)

Routing principle: look up the routing table, apply longest prefix match, find the best path.

Routing protocol preference

The smaller the number, the higher the preference

(figure: HCNA_3c_03)

Huawei static route 60, Cisco 1

Huawei OSPF internal 10, Cisco 110

Huawei OSPF external 150, Cisco has no separate value


ISP side

[ISP]ip pool pppoe

[ISP-ip-pool-pppoe]network 200.2.2.0 mask 24

[ISP-ip-pool-pppoe]gateway-list 200.2.2.1


[ISP]interface Virtual-Template 1  virtual template

[ISP-Virtual-Template1]ppp authentication-mode pap

[ISP-Virtual-Template1]ip address 200.2.2.1 24

[ISP-Virtual-Template1]remote address pool pppoe


[ISP-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1  bind the virtual template to interface g0/0/1

[ISP-aaa]local-user part password cipher 123456  (type the password in by hand)

[ISP-aaa]local-user huawei service-type ppp


Client side

[Huawei]dialer-rule

[Huawei-dialer-rule]dialer-rule 1 ip permit  bind


[part-1]int Dialer 1

[part-1-Dialer1]ppp pap local-user part password cipher %$%$pLKZ!iaG|$#Cm4Q8=MM.,%Nw%$%$

[part-1-Dialer1]ip address ppp-negotiate  obtain the IP address automatically

[part-1-Dialer1]dialer user user1

[part-1-Dialer1]dialer-group 1

[part-1-Dialer1]dialer bundle 1

[Huawei-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1  bind

(figure: HCNA_优先级_04)

Reachable even without writing routes

(figure: HCNA_3c_05)

(figure: HCNA_静态路由_06)

(figure: HCNA_静态路由_07)

A

interface Vlanif30

ip address 10.10.10.1 255.255.255.0

interface Vlanif50

ip address 10.10.30.1 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 10 20 30 50

interface GigabitEthernet0/0/2

port link-type access

port default vlan 10

ip route-static 0.0.0.0 0.0.0.0 10.10.30.2

B

interface Vlanif30

ip address 10.10.20.1 255.255.255.0

interface Vlanif50

ip address 10.10.30.2 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 10 20 30 50

interface GigabitEthernet0/0/2

port link-type access

port default vlan 20

ip route-static 10.10.10.0 255.255.255.0 10.10.30.1


Enable STP to prevent loops

sw1

[sw1]int Eth-Trunk 1

[sw1-Eth-Trunk1]port link-type trunk

[sw1-Eth-Trunk1]port trunk allow-pass vlan all

[sw1-GigabitEthernet0/0/23]eth-trunk 1

[sw1-GigabitEthernet0/0/24]eth-trunk 1

sw2

[sw2]int Eth-Trunk 1

[sw2-Eth-Trunk1]port link-type trunk

[sw2-Eth-Trunk1]port trunk allow-pass vlan all

[sw2-GigabitEthernet0/0/23]eth-trunk 1

[sw2-GigabitEthernet0/0/24]eth-trunk 1


[sw2]dis interface Eth-Trunk 1

(figure: HCNA_优先级_08)

(figure: HCNA_静态路由_09)

(figure: HCNA_静态路由_10)

DHCP configuration

<interface-based DHCP>

interface GigabitEthernet0/0/1

ip address 192.168.20.1 255.255.255.0

dhcp select interface

dhcp server excluded-ip-address 192.168.20.2 192.168.20.20  reserved addresses

dhcp server lease day 10 hour 0 minute 0

dhcp server dns-list 114.114.114.114


<global DHCP>

[dhcp]dhcp enable

ip pool 192

[dhcp-ip-pool-192]gateway-list 192.168.0.1

[dhcp-ip-pool-192]network 192.168.0.0 mask 255.255.255.0

[dhcp-ip-pool-192]dns-list 8.8.8.8

[dhcp-ip-pool-192]lease day hour/unlimited  day: lease time in days, unlimited: permanent, no limit, hour: hours

ip pool 10

[dhcp-ip-pool-10]network 10.1.1.0 mask 255.255.255.0

[dhcp-GigabitEthernet0/0/0]ip address 10.1.1.1 255.255.255.0

[dhcp-GigabitEthernet0/0/0]dhcp select global

ip route-static 0.0.0.0 0.0.0.0 10.1.1.254  configure a default route so the DHCP packets can get through

AR1 client

[AR1-GigabitEthernet0/0/0]ip address 192.168.0.1 255.255.255.0

[AR1-GigabitEthernet0/0/0]dhcp select relay  relay

[AR1-GigabitEthernet0/0/0]dhcp relay server-ip 10.1.1.1

[AR1-GigabitEthernet0/0/0]ip address dhcp-alloc


NAT one-to-one mapping

[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10  static NAT

[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123  NAT server

NAT one-to-many mapping

(figure: HCNA_3c_11)

AR1

acl number 2000

rule 5 permit source 192.168.0.0 0.0.0.255

#

interface GigabitEthernet0/0/0

ip address 22.23.10.1 255.255.255.248

nat outbound 2000


interface GigabitEthernet0/0/1

ip address 192.168.254.2 255.255.255.0


ip route-static 0.0.0.0 0.0.0.0 22.23.10.2  default route

ip route-static 192.168.0.0 255.255.0.0 192.168.254.1


(figure: HCNA_优先级_12)


AR1

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN  description

[Huawei-acl-adv-3000]rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

AR2

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN  description

[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
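The ACL rules above (acl 2000 for nat outbound and acl 3000 for the VPN traffic) are written with VRP wildcard masks rather than subnet masks. The following added example, not part of the original notes, evaluates such rules the way the device does: a 0 bit in the wildcard must match, a 1 bit is ignored, rules are tried in ascending rule-number order and the first match wins. It goes beyond the page by also handling a non-contiguous wildcard (0.0.2.255); the rule tuples are constructed from the notes.

```python
import ipaddress


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a VRP wildcard (inverse) mask:
    a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(network) & care)


def acl_action(rules, src, dst=None):
    """rules: (rule_no, action, src_net, src_wc, dst_net, dst_wc) tuples;
    dst_net None means the rule ignores the destination (basic ACL).
    Rules are tried in ascending rule-number order and the first match
    decides; None means no rule matched, so the ACL's default applies."""
    for _no, action, snet, swc, dnet, dwc in sorted(rules, key=lambda r: r[0]):
        if not wildcard_match(src, snet, swc):
            continue
        if dnet is not None and (dst is None or not wildcard_match(dst, dnet, dwc)):
            continue
        return action
    return None


# Constructed from the notes: acl 2000 (basic, referenced by nat outbound)
# and acl 3000 (advanced, the IPsec interesting traffic on AR1)
ACL_2000 = [(5, "permit", "192.168.0.0", "0.0.0.255", None, None)]
ACL_3000 = [(10, "permit", "10.10.10.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
```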

AR1

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1  <authentication-algorithm / encryption-algorithm: authentication and encryption algorithms>

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

#

ipsec proposal sjw

esp authentication-algorithm sha1

AR2

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1  <authentication-algorithm / encryption-algorithm: authentication and encryption algorithms>

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

#

ipsec proposal sjw

esp authentication-algorithm sha1

(figure: HCNA_静态路由_13)


sw3: create VLANs 10 and 20

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]port default vlan 10

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]port default vlan 20

Configure the trunk

[Huawei-GigabitEthernet0/0/2]int g0/0/1

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20


[Huawei-GigabitEthernet0/0/2]int g0/0/2

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20


sw1: create VLANs 10 and 20

[Huawei]int Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.10 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei-GigabitEthernet0/0/1]port link-type trunk

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

sw2: create VLANs 10 and 20

[Huawei]int Vlanif 10

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.20 24

[Huawei-GigabitEthernet0/0/2]port link-type trunk

[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

AR1 router

[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24

[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24

[Huawei-GigabitEthernet0/0/2]int loo 0

[Huawei-LoopBack0]ip address 1.1.1.1 24

Configure route preference

[Huawei]ip route-static 192.168.10.0 24 11.0.0.1  default preference is 60

[Huawei]ip route-static 192.168.10.0 24 12.0.0.2 preference 70

[Huawei]ip route-static 192.168.20.0 24 12.0.0.1  default preference is 60

[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70
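The routing principle stated earlier (longest prefix match, then the lowest preference value) is what makes the preference 60/70 pairs above act as primary and backup. The following added example, not part of the original notes, simulates that selection with a constructed table that mixes the AR1 static routes and the /16 summary from the notes with an assumed OSPF route (preference 10) so both rules are visible; withdraw() models the primary link failing.

```python
import ipaddress

# VRP default route preferences quoted in the notes (lower value = preferred)
PREFERENCE = {"direct": 0, "ospf": 10, "static": 60, "ospf_ase": 150}


def add_route(table, prefix, next_hop, proto, preference=None):
    """Append a route; preference defaults to the protocol's VRP value."""
    pref = PREFERENCE[proto] if preference is None else preference
    table.append((ipaddress.ip_network(prefix), next_hop, proto, pref))


def lookup(table, dst):
    """Return the (prefix, next_hop, proto, pref) tuple chosen for dst, or None.
    Candidates are all routes whose prefix contains dst; the longest mask wins,
    and among equal masks the numerically lowest preference wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


def withdraw(table, next_hop):
    """Simulate the link towards next_hop failing: its routes leave the table."""
    return [r for r in table if r[1] != next_hop]


def build_table():
    """Constructed table: AR1/sw1 routes from the notes plus an assumed OSPF
    route for 1.1.1.0/24 (not in the notes) to show preference between protocols."""
    t = []
    add_route(t, "0.0.0.0/0", "22.23.10.2", "static")          # default route
    add_route(t, "192.168.10.0/24", "11.0.0.1", "static")      # preference 60
    add_route(t, "192.168.10.0/24", "12.0.0.2", "static", 70)  # backup, preference 70
    add_route(t, "192.168.20.0/24", "12.0.0.1", "static")      # preference 60
    add_route(t, "192.168.20.0/24", "11.0.0.1", "static", 70)  # backup, preference 70
    add_route(t, "192.168.0.0/16", "192.168.254.1", "static")  # shorter mask loses to /24
    add_route(t, "1.1.1.0/24", "11.0.0.2", "static")           # static 60 ...
    add_route(t, "1.1.1.0/24", "10.0.0.9", "ospf")             # ... loses to OSPF 10 (assumed)
    return t
```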

sw1

[Huawei]ip route-static 1.1.1.0 24 11.0.0.2

sw1

[Huawei-Vlanif100]ip address 11.0.0.1 24

[Huawei-port-group-d]port link-type access

[Huawei-port-group-d]port default vlan 100

sw2

[Huawei]ip route-static 1.1.1.0 24 12.0.0.2

sw2

[Huawei-Vlanif100]ip address 12.0.0.1 24

[Huawei-GigabitEthernet0/0/24]port link-type access

[Huawei-GigabitEthernet0/0/24]port default vlan 100


VRRP on core sw1

trunk, virtual IP, priority, tracked interface

Primary and backup use the same virtual IP and the same vrid

Note: the higher priority becomes master. For example, with priority 120, a tracked port going down reduces it by 10 by default, so the backup must not be configured as 110; it should be 115, which is less than 120, so when the master fails traffic goes to the backup by default

[Huawei]int Vlanif 10

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1

[Huawei-Vlanif10]vrrp vrid 1 priority 120  a tracked port going down reduces this by 10 by default, so the backup must not be 110; it should be 115, which is less than 120, so the backup takes over by default when the master fails

(that is only an illustration; in this lab the backup is configured as 95)

The VRRP priority range is 0-255: 0 is reserved for a router voluntarily giving up the Master role, 255 is reserved for the IP address owner, and the configurable range is 1-254

[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24  track the uplink port

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1  track the downlink port

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1

[Huawei-Vlanif10]vrrp vrid 1 priority 115

The backup does not need preemption or interface tracking configured, because the master already has them

VRRP on core sw2

[Huawei]int Vlanif 20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2

Preemption and priority can be left unconfigured [the default priority is 100]; configuring the backup with priority 90 is enough

interface Vlanif20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 priority 95
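The VRRP notes above hinge on arithmetic: the master's priority minus 10 per tracked interface that is down must still be compared against the backup's priority. The following added example, not part of the original notes, models that election for the sw1/sw2 pair (master 120 tracking g0/0/24 and g0/0/1, backup priority as a parameter) and reports whether the result was decided by priority or only by the RFC 3768 higher-IP tie-break; the interface IPs and the 10-per-interface reduction are taken from the notes.

```python
DEFAULT_PRIORITY = 100   # VRP default quoted in the notes
TRACK_REDUCE = 10        # default reduction when a tracked interface goes down


class VrrpRouter:
    """One router's view of a VRRP group (vrid): its configured priority
    and the interfaces it tracks."""

    def __init__(self, name, ip, priority=DEFAULT_PRIORITY, tracked=()):
        if not 1 <= priority <= 254:           # 0 and 255 are reserved
            raise ValueError("configurable VRRP priority is 1-254")
        self.name, self.ip, self.configured = name, ip, priority
        self.tracked = set(tracked)
        self.down = set()                      # tracked interfaces currently down

    def link_down(self, iface):
        if iface in self.tracked:
            self.down.add(iface)

    def link_up(self, iface):
        self.down.discard(iface)

    def priority(self):
        """Effective priority: each tracked interface that is down subtracts
        TRACK_REDUCE; it never drops below 1."""
        return max(1, self.configured - TRACK_REDUCE * len(self.down))


def elect_master(routers):
    """Return (master, decisive). Highest effective priority wins; on a tie
    RFC 3768 picks the higher interface IP, and decisive is False to flag
    that the outcome came from the tie-break rather than the priorities."""
    ranked = sorted(routers, key=lambda r: (r.priority(),
                    tuple(int(o) for o in r.ip.split("."))), reverse=True)
    decisive = len(ranked) < 2 or ranked[0].priority() != ranked[1].priority()
    return ranked[0], decisive


def failover_scenario(backup_priority):
    """sw1 is master at 120 tracking uplink g0/0/24 and downlink g0/0/1 as in
    the notes; return (master before, master after the uplink fails, decisive)
    for a backup sw2 configured with backup_priority."""
    sw1 = VrrpRouter("sw1", "192.168.10.10", 120, tracked=("g0/0/24", "g0/0/1"))
    sw2 = VrrpRouter("sw2", "192.168.10.20", backup_priority)
    before, _ = elect_master([sw1, sw2])
    sw1.link_down("g0/0/24")
    after, decisive = elect_master([sw1, sw2])
    return before.name, after.name, decisive
```

With the backup at 115 the uplink failure moves the master role cleanly; at 110 the two routers tie and only the IP tie-break decides; at 95 the master keeps the role with 110.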


The four firewall zones

Servers go in the DMZ; trust is the internal user network; untrust is the external network, with the lowest priority; local has the highest

dmz: specifies the DMZ security zone  heartbeat synchronization information, configure the IP and priority

local: specifies the local security zone

name: name of the security zone to create or delete

trust: specifies the trusted security zone  internal network

untrust: specifies the untrust security zone  external network

(figure: HCNA_优先级_14)




Firewall hot standby (dual-device)

FW1 primary

[fw1-GigabitEthernet0/0/0] ip address 10.2.2.1 255.255.255.0

[fw1-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.1.2.254 active  primary

[fw1-GigabitEthernet0/0/0] service-manage all permit  allow all services

service-manage http permit

service-manage https permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

[fw1-GigabitEthernet1/0/0] ip address 40.1.1.1 255.255.255.0

[fw1-GigabitEthernet1/0/0] vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 active  primary

[fw1-GigabitEthernet1/0/0]service-manage all permit

[fw1-GigabitEthernet1/0/1] ip address 30.1.1.1 255.255.255.0


[fw1]firewall zone trust

[fw1-zone-trust] add interface GigabitEthernet0/0/0

[fw1]firewall zone untrust

[fw1-zone-untrust]add interface GigabitEthernet1/0/0

[fw1]firewall zone dmz

[fw1-zone-dmz]add interface GigabitEthernet1/0/1

FW2 backup

[fw2-GigabitEthernet0/0/0] ip address 10.1.2.2 255.255.255.0

[fw2-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.1.2.254 standby  backup

[fw2-GigabitEthernet0/0/0] service-manage all permit  allow all services

service-manage http permit

service-manage https permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

[fw2-GigabitEthernet1/0/0] ip address 40.1.1.2 255.255.255.0

[fw2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 standby  backup

[fw2-GigabitEthernet1/0/0]service-manage all permit

[fw2-GigabitEthernet1/0/1] ip address 30.1.1.2 255.255.255.0


[fw2]firewall zone trust

[fw2-zone-trust]add interface GigabitEthernet0/0/0

[fw2]firewall zone untrust

[fw2-zone-untrust] add interface GigabitEthernet1/0/0

[fw2]firewall zone dmz

[fw2-zone-dmz] add interface GigabitEthernet1/0/1


HRP heartbeat link for synchronizing state

[fw1]hrp interface GigabitEthernet1/0/1 remote 30.1.1.2  configure the peer's interface IP

[fw2]hrp interface GigabitEthernet1/0/1 remote 30.1.1.1  configure the peer's interface IP


Running hrp enable turns on synchronization

Once HRP is enabled, an S and an M shown in the prompts mean hot standby is working

(figure: HCNA_优先级_15)