華為小型企業(yè)實(shí)訓(xùn)報(bào)告

1、 小型企業(yè)網(wǎng)絡(luò)構(gòu)建一、實(shí)訓(xùn)設(shè)備：1、 H3C路由器2臺(tái)2、 H3C交換機(jī)一臺(tái)3、 Windows XP客戶端兩臺(tái)4、 Windows Server 2003一臺(tái)5、 Console串口線1條6、 V.35串口線一條7、 網(wǎng)線若干二、實(shí)訓(xùn)要求1、規(guī)劃網(wǎng)絡(luò)環(huán)境各組根據(jù)實(shí)際情況，規(guī)劃網(wǎng)絡(luò)環(huán)境，要求客戶端至少在兩個(gè)子網(wǎng)中，即至少需要?jiǎng)澐謨蓚€(gè)VLAN，分配IP地址及相關(guān)參數(shù)，寫出實(shí)訓(xùn)環(huán)境說(shuō)明。2、配置客戶端計(jì)算機(jī)配置各網(wǎng)段客戶端計(jì)算機(jī)的靜態(tài)IP地址及相關(guān)網(wǎng)絡(luò)參數(shù)，為實(shí)訓(xùn)的驗(yàn)證做好準(zhǔn)備工作。3、配置DHCP服務(wù)器，創(chuàng)建多個(gè)作用域，以實(shí)現(xiàn)為企業(yè)網(wǎng)內(nèi)部不同網(wǎng)段的客戶端計(jì)算機(jī)提供IP地址。4、配置路由器（1）配

2、置路由器外網(wǎng)和內(nèi)網(wǎng)地址，啟用NAT功能，實(shí)現(xiàn)內(nèi)部客戶端計(jì)算機(jī)連接Internet。（2）配置路由器的ACL，實(shí)現(xiàn)對(duì)內(nèi)部計(jì)算機(jī)的安全管理。（3）配置核心路由交換機(jī)。（4）配置接入層交換機(jī)。（5）配置基于IPsec的VPN隧道（6）802.1x對(duì)接入主機(jī)進(jìn)行認(rèn)證（使用Windows XP設(shè)置802.1x客戶端）。三、網(wǎng)絡(luò)規(guī)劃1、使用Windows server 2003 做DHCP服務(wù)器2、路由器RTA做NAT 轉(zhuǎn)換3、路由器RTB做IPSec4、在交換機(jī)劃上分VLAN，配置認(rèn)證四、網(wǎng)絡(luò)拓?fù)鋱D五、拓?fù)鋱D分析1、RTA 的e0/1接口連接外網(wǎng)2、RTA與RTB通過(guò)各自的S0/0接口連接3、RTA的e

3、0/0接口連接到交換機(jī)的e1/0/22接口4、DHCP服務(wù)器連接到交換機(jī)e1/0/20接口5、C1連接到交換機(jī)e1/0/1接口，C2連接到交換機(jī)e1/0/6接口六、IP 地址、VLAN及DHCP的規(guī)劃DHCP: 24RTA e0/0: 24 e0/1:33 24 s0/0: 24RTB e0/0: s0/0: 24DHCP作用域1 地址范圍：00 網(wǎng)關(guān)： 排除IP 作用

4、域2 地址范圍：00 網(wǎng)關(guān)： 排除IP 192.VLAN劃分Vlan 2 接口e1/0/1e1/0/5Vlan 3接口e1/0/6e1/0/10Vlan 1 IP: 24Vlan 2 IP： 24Vlan 3 IP: 24七、配置步驟1、配置DHCP，建立兩個(gè)作用域，如以上規(guī)劃的地址范圍2、為了使得客戶端可以獲取到不同作用域的IP地址，需為交換機(jī)創(chuàng)建Vlan 2 3 并為其配置IP地址，為各作用域的網(wǎng)關(guān)，為默認(rèn)Vlan 1配置與DHCP在

5、同一網(wǎng)段的IP地址3、在交換機(jī)上配置dhcp-server 0 ip 并在Vlan 2 Vlan 3中引用dhcp-server 04、客戶端自動(dòng)獲取IP地址，根據(jù)以上規(guī)劃，C1連接在屬于Vlan 1接口中，C2連接屬于Vlan 2 的接口中，可以獲取到不同網(wǎng)段的IP地址5、在RTA上配置NAT服務(wù)器，NAT地址池40506、配置完成后，在e0/1接口上引用7、配置RIP協(xié)議使得RTA與RTB可以互通8、配置交換機(jī)與RTA相連的e1/0/22接口為Trunk端口，允許所有Vlan通過(guò)9、在交換機(jī)上配置RIP，使得交換機(jī)上的Vl

6、an 1 2 3可以互相通信10、在交換機(jī)上配置802.1x認(rèn)證，將與客戶端相連的端口加入認(rèn)證客戶端連接成功后可輸入用戶名和密碼可進(jìn)行認(rèn)證11、在RTB上做IPSec隧道八、最終配置結(jié)果1、交換機(jī)swadis cur # local-server nas-ip key huawei # domain default enable system # dhcp-server 0 ip # dot1x # udp-helper enable # queue-scheduler wrr 1 2 3 4 5 9 13 15 # radius scheme sy

7、stem # domain system # local-user tt password simple 123 service-type lan-access # vlan 1 # vlan 2 # vlan 3 # interface Vlan-interface1 ip address # interface Vlan-interface2 ip address dhcp-server 0 udp-helper server # interface Vlan-i

8、n ip address dhcp-server 0 udp-helper server # interface Aux1/0/0 # interface Ethernet1/0/1 port access vlan 2 # interface Ethernet1/0/2 port access vlan 2 # interface Ethernet1/0/3 port access vlan 2 # interface Ethernet1/0/4 port access vlan 2 # interface Ethe

9、rnet1/0/5 port access vlan 2 # interface Ethernet1/0/6 port access vlan 3 dot1x # interface Ethernet1/0/7 port access vlan 3 # interface Ethernet1/0/8 port access vlan 3 # interface Ethernet1/0/9 port access # interface Ethernet1/0/10 port access vlan 3 # interface Ethernet1/0/11 # interface Etherne

10、t1/0/12 # interface Ethernet1/0/13 # interface Ethernet1/0/14 # interface Ethernet1/0/15 # interface Ethernet1/0/16 # interface Ethernet1/0/17 # interface Ethernet1/0/18 # interface Ethernet1/0/19 # interface Ethernet1/0/20 #interface Ethernet1/0/21#interface Ethernet1/0/22 port link-type trunk port

11、 trunk permit vlan all #interface Ethernet1/0/23#interface Ethernet1/0/24# sysname swa undo irf-fabric authentication-mode#interface NULL0#rip network network network #user-interface aux 0 7user-interface vty 0 4#Return2、RTAdis cur # sysname rta # FTP server enable

12、 # l2tp domain suffix-separator # nat address-group 1 40 50 # radius scheme system # domain system # local-user admin password cipher .USE=B,53Q=QMAF4TX$_S#6.NM(0=0)*5WWQ=QMAF4TX$_S#6. N service-type telnet terminal level 3 service-type ftp # ike peer peer1 pre-shared-key 123 r

13、emote-address # ipsec proposal tt esp authentication-a # ipsec policy tang2 10 isakmp ike-peer peer1 proposal tt # interface Aux0 async mode flow # interface Ethernet0/0 ip address ip address sub dhcp select relay # interface Ethernet0/

14、1 ip address 33 nat outbound 2000 address-group 1 # interface Ethernet1/0 ip address dhcp-alloc # interface Serial0/0 clock DTECLK1 link-protocol ppp ip address ipsec policy yy # interface NULL0#acl number 2000 rule 0 permit#rip network netw

15、ork network network import-route direct import-route static# ip route-static preference 60 ip route-static preference 60#user-interface con 0user-interface aux 0user-interface vty 0 4 authentication-mode sch

16、eme#Return3、RTBdis cur # sysname rtb # FTP server enable # l2tp domain suffix-separator # radius scheme system # domain system # local-user admin password cipher .USE=B,53Q=QMAF4TX$_S#6.NM(0=0)*5WWQ=QMAF4TX$_S#6. N service-type telnet terminal level 3 service-type ftp # ike peer peer1 pre-shared-key

17、 123 remote-address # ipsec proposal tt esp authentication-algorithm sha1 # ipsec policy yy 10 isakmp ike-peer peer1 proposal tt # interface Aux0 async mode flow # interface Ethernet0/0 ip address # interface Ethernet0/1 ip address dhcp-alloc # interface Ethernet1/0 ip address dhcp-alloc#interface Serial0/0 link-protocol ppp ip address ipsec policy yy#interface NULL0# ip route-static preference 60#user-interface con 0user-interface aux 0user-interface vty 0 4 authentication-mode scheme#return八、測(cè)試最終結(jié)果