Port security: bind a single MAC address to a port (sticky MAC)
[SW-Ethernet0/0/5]port-security enable
[SW-Ethernet0/0/5]port-security mac-address sticky
[SW-Ethernet0/0/5]port-security mac-address sticky 5489-98B3-12DF vlan 1
port link-type access
port default vlan 10
Spanning tree (STP)
stp enable
stp mode stp
stp root primary
[SW1]stp priority 0
[SW2]stp priority 4096
RSTP protection features
Prevent Layer 2 loops and BPDU attacks
Edge protection (switch interface facing a PC client)
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]stp edged-port enable
[SW2-GigabitEthernet0/0/1]quit
[SW2]stp bpdu-protection
(stp bpdu-protection is a system-view command; it shuts down any edge port that receives a BPDU)
VLAN port group
Configure several ports at once
[SW1]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/10
[SW1-port-group]port link-type access
[SW1-port-group]port default vlan 10
Reliable network with RSTP
stp mode rstp
[SW1]stp priority 0
[SW2]stp priority 4096
Remove the priority configured on SW1 and make it the primary root switch
undo stp priority
stp root primary
Remove the priority configured on SW2 and make it the secondary (backup) root switch
undo stp priority
stp root secondary
Configure edge ports (the interfaces facing client PCs)
stp edged-port enable
Static routes
RIP uses only hop count as its metric (each node counts as 1 hop)
destination/mask next-hop address
ip route-static 3.3.3.0 24 1.1.1.2
Router-on-a-stick (single-arm routing)
[R1]interface GigabitEthernet 0/0/1.10
[R1-GigabitEthernet0/0/1.10]dot1q termination vid 10
[R1-GigabitEthernet0/0/1.10]ip address 192.168.10.254 24
[R1-GigabitEthernet0/0/1.10]arp broadcast enable
Link aggregation
[SW1]interface eth-trunk 1
[SW1-Eth-Trunk1]trunkport GigabitEthernet0/0/1 to 0/0/2
[SW1-Eth-Trunk1]port link-type trunk
[SW1-Eth-Trunk1]port trunk allow-pass vlan all
VRRP authentication
Set the interface's priority in VRID 10 (VLAN 10) to 150
[R1-GigabitEthernet0/0/0]vrrp vrid 10 priority 150
Both sides use the same key: huawei
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 20 virtual-ip 10.1.1.253
[R1-GigabitEthernet0/0/0]vrrp vrid 20 authentication-mode simple plain huawei
(same as the left-hand column)
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 20 virtual-ip 10.1.1.253
[R2-GigabitEthernet0/0/0]vrrp vrid 20 priority 150
[R2-GigabitEthernet0/0/0]vrrp vrid 20 authentication-mode simple plain huawei
(same as the left-hand column)
PPP
(Specify this account and password for PPP CHAP authentication)
PAP is a two-way handshake protocol; it verifies the user by username and password
Authenticator:
On router R1, specify that this password is used for PPP authentication
[R1]aaa
[R1-aaa]local-user jan16 password cipher huawei
[R1-aaa]local-user jan16 service-type ppp
Interface configuration
[R1]interface Serial 0/0/1
[R1-Serial0/0/1]ip address 10.10.10.1 24
[R1-Serial0/0/1]link-protocol ppp
[R1-Serial0/0/1]ppp authentication-mode pap
Peer being authenticated:
[R2]interface Serial0/0/1
[R2-Serial0/0/1]ip address 10.10.10.2 24
[R2-Serial0/0/1]link-protocol ppp //enable PPP on interface S0/0/1 and specify the PAP account and password
[R2-Serial0/0/1]ppp pap local-user jan16 password cipher huawei
WAN technologies
ACL
Create a basic ACL numbered 2000
In the ACL 2000 view, create the following rule:
Deny: IP address 192.168.2.1/24
Use the traffic-filter packet-filtering command to apply ACL 2000 in the outbound direction of interface GE0/0/3 on router R1
[R1]acl 2000
[R1-acl-basic-2000]rule deny source 192.168.2.1 0.0.0.0
[R1]interface gigabitethernet 0/0/3
[R1-GigabitEthernet0/0/3]traffic-filter outbound acl 2000
Create permit rules in basic ACL 2000
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.4.10 0.0.0.0
[R1-acl-basic-2000]rule deny source any
Apply ACL 2000 on the VTY user interfaces
[R1]user-interface vty 0 4
[R1-ui-vty0-4]acl 2000 inbound
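The basic-ACL matching above relies on wildcard masks (0 bit = must match, 1 bit = don't care) and first-match rule order. This added Python model, which is not Huawei code, replays the page's two ACL 2000 variants on constructed source addresses and shows why the host wildcard 0.0.0.0 on 192.168.2.1 does not cover the whole /24 named in the text, and why the VTY ACL needs its explicit "deny source any":

```python
import ipaddress

# Constructed rule lists mirroring the page's two ACL 2000 definitions: (action, source, wildcard).
# "source any" is modelled as 0.0.0.0 with wildcard 255.255.255.255.
RULES_TRAFFIC_FILTER = [("deny", "192.168.2.1", "0.0.0.0")]
RULES_VTY = [("permit", "192.168.4.10", "0.0.0.0"),
             ("deny", "0.0.0.0", "255.255.255.255")]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, rule_addr, wildcard):
    # A bit set in the wildcard is ignored; every other bit of addr must equal rule_addr.
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(rule_addr)) & care_bits) == 0


def wildcard_for_prefix(prefix_len):
    # Wildcard is the bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255.
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def basic_acl_decision(rules, src, default="permit"):
    # First matching rule wins. A packet matching no rule falls through to the default,
    # which is "permit" for traffic-filter and VTY ACLs (assumed here; hence the page's deny-any).
    for action, rule_addr, wildcard in rules:
        if wildcard_match(src, rule_addr, wildcard):
            return action
    return default


if __name__ == "__main__":
    for src in ("192.168.2.1", "192.168.2.2"):
        print(src, "->", basic_acl_decision(RULES_TRAFFIC_FILTER, src))
    subnet_rule = [("deny", "192.168.2.0", wildcard_for_prefix(24))]
    print("192.168.2.2 with /24 wildcard ->", basic_acl_decision(subnet_rule, "192.168.2.2"))
    for src in ("192.168.4.10", "10.0.0.1"):
        print("vty", src, "->", basic_acl_decision(RULES_VTY, src))
```

The run shows that only the single host 192.168.2.1 is denied by the page's rule; denying the whole 192.168.2.0/24 needs wildcard 0.0.0.255.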
Static NAT (port mapping)
Configure IP addresses on each device's interfaces (4 IPs)
[R1]interface g 0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.0.254 24
[R1-GigabitEthernet0/0/0]quit
On router R1, configure NAT to map the web server to 200.10.1.3
[R1]interface g 0/0/1
[R1-GigabitEthernet0/0/1]ip add 200.10.1.2 24
[R1-GigabitEthernet0/0/1]nat static global 200.10.1.3 inside 192.168.0.2
[R1-GigabitEthernet0/0/1]quit
NAT configuration (outbound address pool)
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip add 200.10.1.1 24
[R1]nat address-group 1 200.10.10.2 200.10.10.20
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]quit
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
AAA authentication
Create the local users admin and public on router R1
[R1]aaa
[R1-aaa]local-user admin password cipher admin@123
[R1-aaa]local-user admin privilege level 15
[R1-aaa]local-user admin service-type telnet
[R1-aaa]local-user public password cipher 123456@p
[R1-aaa]local-user public privilege level 2
[R1-aaa]local-user public service-type telnet
Enable the Telnet service on router R1 with AAA as the authentication mode
[R1]user-interface vty 0 4
[R1-ui-vty0-4]protocol inbound telnet
[R1-ui-vty0-4]authentication-mode aaa
Verify:
display local-user
VRRP load balancing across two exit links
R1 configuration
[R1]interface G0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.253
[R1-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.168.1.254
R2 configuration
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.253
[R2-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.168.1.254
R1 configuration
[R1-GigabitEthernet0/0/0]vrrp vrid 1 priority 110
R2 configuration
[R2-GigabitEthernet0/0/0]vrrp vrid 2 priority 110
Reduce the priority by 60 when the tracked uplink fails, so it drops from 110 to 50, lower than the priority 100 of VRRP backup group 1 on R2
[R1-GigabitEthernet0/0/0]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 60
[R2-GigabitEthernet0/0/0]vrrp vrid 2 track interface GigabitEthernet0/0/2 reduced 60
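The interface-tracking arithmetic above decides which router is master for each backup group before and after an uplink failure. This added Python model, not Huawei code, encodes the two groups exactly as configured on the page; the physical interface IPs 192.168.1.1/.2 used as the tie-breaker are constructed, and the floor of 1 for a reduced priority is an assumption:

```python
# Constructed model of the page's VRRP setup (added example, not Huawei code).
# Per VRID: router -> (configured priority, tracked uplink, reduction on failure).
GROUPS = {
    1: {"R1": (110, "GigabitEthernet0/0/1", 60), "R2": (100, None, 0)},
    2: {"R1": (100, None, 0), "R2": (110, "GigabitEthernet0/0/2", 60)},
}
# Physical interface IPs are constructed; VRRP breaks priority ties by the higher IP.
ROUTER_IP = {"R1": "192.168.1.1", "R2": "192.168.1.2"}


def ip_key(text):
    return tuple(int(part) for part in text.split("."))


def effective_priority(configured, tracked, reduce, down_links):
    # Priority is lowered only while the tracked uplink is down; floor of 1 is assumed.
    if tracked and tracked in down_links:
        return max(configured - reduce, 1)
    return configured


def elect_master(vrid, down_links=None):
    # down_links: router -> set of interfaces currently down, e.g. {"R1": {"GigabitEthernet0/0/1"}}
    down_links = down_links or {}
    ranked = []
    for router, (prio, tracked, reduce) in GROUPS[vrid].items():
        eff = effective_priority(prio, tracked, reduce, down_links.get(router, set()))
        ranked.append((eff, ip_key(ROUTER_IP[router]), router))
    return max(ranked)[2]


def masters(down_links=None):
    # Master per VRID; with both uplinks up the two groups split across R1 and R2.
    return {vrid: elect_master(vrid, down_links) for vrid in GROUPS}


if __name__ == "__main__":
    print("all links up   :", masters())
    print("R1 uplink down :", masters({"R1": {"GigabitEthernet0/0/1"}}))
    print("R2 uplink down :", masters({"R2": {"GigabitEthernet0/0/2"}}))
```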
Link aggregation (manual load-balance mode)
[SW2]interface Eth-Trunk 1
[SW2-Eth-Trunk1]mode manual load-balance
[SW2-Eth-Trunk1]quit
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1] eth-trunk 1
Company WAN link with CHAP authentication
[R1]aaa
[R1-aaa]local-user Jan16 password cipher 123456
[R1-aaa]local-user Jan16 service-type ppp
Set the local PPP authentication mode to CHAP
[R1]interface Serial 4/0/0
[R1-Serial4/0/0]link-protocol ppp
[R1-Serial4/0/0]ppp authentication-mode chap
Configure CHAP on the peer
[R2]int s4/0/0
[R2-Serial4/0/0]link-protocol ppp
[R2-Serial4/0/0]ppp chap user Jan16
[R2-Serial4/0/0]ppp chap password 123456
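Unlike the PAP exchange earlier on the page, CHAP never carries the password itself: the peer answers a random challenge with MD5(identifier || secret || challenge) as defined in RFC 1994, and the authenticator recomputes it from the stored local-user secret. This added Python model, not Huawei code, walks through that exchange with the page's user Jan16; the challenge bytes and identifier are constructed:

```python
import hashlib
import hmac
import os

# Authenticator side (R1): the local-user database from the page.
LOCAL_USERS = {"Jan16": "123456"}


def chap_response(identifier, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge). The secret stays off the wire.
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier, challenge, response, username, users=LOCAL_USERS):
    # Authenticator looks up the peer's user name and recomputes the expected response.
    secret = users.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(username, peer_secret, identifier=1, challenge=None):
    # Full three-way exchange: Challenge -> Response -> Success/Failure.
    # The challenge is constructed per call; a fresh random one would be used on a real link.
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, peer_secret, challenge)      # peer (R2) computes
    return chap_verify(identifier, challenge, response, username)      # authenticator (R1) checks


def replay_rejected(username, peer_secret):
    # A response captured for one challenge is useless against a new challenge.
    old_challenge, new_challenge = b"\x11" * 16, b"\x22" * 16
    captured = chap_response(1, peer_secret, old_challenge)
    return not chap_verify(1, new_challenge, captured, username)


if __name__ == "__main__":
    print("Jan16 with correct secret :", run_chap("Jan16", "123456"))
    print("Jan16 with wrong secret   :", run_chap("Jan16", "wrong"))
    print("replayed response rejected:", replay_rejected("Jan16", "123456"))
```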
DHCP address pool
[sw1]ip pool vlan2
[sw1-ip-pool-vlan2]network 192.168.2.0 mask 24
[sw1-ip-pool-vlan2]gateway-list 192.168.2.1
[sw1-ip-pool-vlan2]dns-list 8.8.8.8
[sw1-ip-pool-vlan2]lease day 0 hour 8 minute 0
[sw1-ip-pool-vlan2]excluded-ip-address 192.168.2.2 192.168.2.10