Tags: sof security cuc implementation routing show inf use obj

The topology is shown in the figure.

Goals

1. From the PC, telnet to the core switch at 10.20.4.252.
2. From the PC, telnet to the layer-2 switch at 10.20.4.253.

The configuration of pc_4, pc_5 and the switches done before this point is not covered here.

Create VLAN 10 to manage all of the switches.
## Configure the telnet management IP on the layer-2 switch
```
[sw-2-1]vlan 10
[sw-2-1-vlan10]int vlan 10
[sw-2-1-Vlan-interface10]ip address 10.20.4.253
[sw-2-1-Vlan-interface10]qu
[sw-2-1]telnet server enable
[sw-2-1]user-interface vty 0 4
[sw-2-1-line-vty0-4]authentication-mode scheme
[sw-2-1-line-vty0-4]qu
[sw-2-1]local-user yhq
[sw-2-1-luser-manage-yhq]password simple 123
[sw-2-1-luser-manage-yhq]service-type telnet
[sw-2-1-luser-manage-yhq]authorization-attribute user-role level-15
```
## The same steps apply on the core switch
## Telnet on the core switch (same as on the layer-2 switch)

```
<core-3-1>system-view
System View: return to User View with Ctrl+Z.
[core-3-1]vlan 10
[core-3-1-vlan10]int vlan 10
[core-3-1-Vlan-interface10]dis this
#
interface Vlan-interface10
 ip address 10.20.4.252 255.255.252.0
#
return
[core-3-1-Vlan-interface10]qu
[core-3-1]user-interface vty 0 4
[core-3-1-line-vty0-4]authentication-mode scheme
[core-3-1-line-vty0-4]qu
[core-3-1]local-user yhq
New local user added.
[core-3-1-luser-manage-yhq]password simple 123
[core-3-1-luser-manage-yhq]service-type telnet
[core-3-1-luser-manage-yhq]authorization-attribute user-role level-15
[core-3-1-luser-manage-yhq]qu
[core-3-1]telnet server enable
```
## Change port 1 of the core switch to route mode, then configure its IP and a static route

```
<core-3-1>system-view
System View: return to User View with Ctrl+Z.
[core-3-1]int g1/0/1
[core-3-1-GigabitEthernet1/0/1]dis this
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 200 300
 combo enable fiber
[core-3-1-GigabitEthernet1/0/1]port link-mode route       // switch the port to route mode
[core-3-1-GigabitEthernet1/0/1]ip address 1.1.1.1 30
[core-3-1-GigabitEthernet1/0/1]qu
[core-3-1]ip route-static 0.0.0.0 0 1.1.1.2                // add a default route with next hop 1.1.1.2
[core-3-1]tracert 10.18.4.2                                // trace the path
traceroute to 10.18.4.2 (10.18.4.2), 30 hops at most, 40 bytes each packet, press CTRL_C t
[core-3-1]display ip routing-table                         // view the routing table

Destinations : 21        Routes : 21

Destination/Mask    Proto   Pre  Cost   NextHop         Interface
0.0.0.0/0           Static  60   0      1.1.1.2         GE1/0/1
0.0.0.0/32          Direct  0    0      127.0.0.1       InLoop0
```
## Configure an IP on firewall port g1/0/1, with the port in route mode

```
<fw-1>system-view
System View: return to User View with Ctrl+Z.
[fw-1]int g1/0/1
[fw-1-GigabitEthernet1/0/1]dis this
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 1.1.1.2 255.255.255.252
#
return
[fw-1]int g1/0/0                                           // configuration of port g1/0/0
[fw-1-GigabitEthernet1/0/0]dis this
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 10.18.4.250 255.255.252.0
 nat outbound 2001 address-group 1 no-pat description 1
#
return
```
Add a route in the PC's cmd window
```
C:\Users\Administrator>ping 10.20.4.252

正在 Ping 10.20.4.252 具有 32 字节的数据:
请求超时。
请求超时。

C:\Users\Administrator>route print

C:\Users\Administrator>route add 10.20.4.0 mask 255.255.252.0 10.18.4.250
 操作完成!

C:\Users\Administrator>ping 10.20.4.252

正在 Ping 10.20.4.252 具有 32 字节的数据:
来自 10.20.4.252 的回复: 字节=32 时间<1ms TTL=254
来自 10.20.4.252 的回复: 字节=32 时间<1ms TTL=254
```
## Add routes on the layer-2 switch sw-2-1
```
[sw-2-1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
[sw-2-1]ip route-static 0.0.0.0 0.0.0.0 10.20.4.252
```
Since the firewall already had its web port opened earlier, telnet is easy at this point.

In the PC's cmd window, run telnet 10.20.4.252.

In the PC's cmd window, run telnet 10.20.4.253.

Finally, the configuration files of the three devices:
fw
```
[fw-1]dis current-configuration
#
 version 7.1.064, Alpha 7164
#
 sysname fw-1
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
nat address-group 1 name 1
 address 10.18.4.250 10.18.4.250
#
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
object-group ip address y11
 security-zone Untrust
 0 network subnet 10.19.4.0 255.255.252.0
#
object-group ip address y22
 security-zone Trust
 0 network subnet 10.18.4.0 255.255.252.0
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 10.18.4.250 255.255.252.0
 nat outbound 2001 address-group 1 no-pat description 1
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 1.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/4
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/6
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/7
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/8
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/9
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/10
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/11
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/12
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/13
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/14
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/15
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/16
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/17
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/18
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/19
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/20
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/21
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/22
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
#
object-policy ip manage
 rule 0 pass
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
security-zone name Management
#
zone-pair security source Trust destination Local
 object-policy apply ip manage
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
#
line vty 5 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 10.18.4.2
 ip route-static 10.19.4.0 22 GigabitEthernet1/0/1 1.1.1.1
 ip route-static 10.20.4.0 22 GigabitEthernet1/0/1 1.1.1.1
#
time-range 1 09:14 to 19:14 daily
#
acl basic 2001
 rule 0 permit source 10.19.4.0 0.0.3.255
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$tBhNQJuBUd3La7/h$+JNXdiLJ/VASRtMlo1o2qKKJhsNN36EOm7rtF1AccdjJUS60Q3tQaeqqCGXXiaqusgSawzTVnR5yOrVDq1PJzQ==
 service-type telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name trust-to-untrust
  action pass
#
return
```
core-3-1
```
<core-3-1>dis current-configuration
#
 version 7.1.075, Alpha 7571
#
 sysname core-3-1
#
 clock protocol none
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
vlan 10
#
vlan 200
#
vlan 300
#
 stp global enable
#
interface NULL0
#
interface Vlan-interface10
 ip address 10.20.4.252 255.255.252.0
#
interface Vlan-interface200
 ip address 10.19.4.1 255.255.252.0
#
interface Vlan-interface300
 ip address 192.168.4.1 255.255.252.0
#
interface FortyGigE1/0/53
 port link-mode bridge
#
interface FortyGigE1/0/54
 port link-mode bridge
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable fiber
 ip address 1.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 200 300
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/8
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/9
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/10
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/11
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/13
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/14
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/19
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/25
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/26
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/27
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/28
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/29
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/30
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/31
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/32
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/33
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/34
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/35
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/36
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/37
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/38
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/39
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/40
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/41
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/42
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/43
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/44
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/45
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/46
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/47
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/48
 port link-mode bridge
 combo enable fiber
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/50
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/51
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/52
 port link-mode bridge
 combo enable fiber
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-operator
#
line vty 5 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 1.1.1.2
 ip route-static 10.20.4.0 22 10.20.4.252
 ip route-static 10.20.4.0 22 1.1.1.2
#
 ntp-service unicast-server 10.20.4.253
#
radius scheme system
 user-name-format without-domain
#
domain name system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user yhq class manage
 password hash $h$6$MyuRhIJeandoymXE$5SKNyQVYMgZZm6cJ6nMtUTz4HMCFAIGTjpTJOkX3l09oAnmS3NjZj2E7h1KGFMVk3XYzRqdsKYKI4bKc1HZmiQ==
 service-type telnet
 authorization-attribute user-role level-15
 authorization-attribute user-role network-operator
#
return
```
sw-2-1
```
<sw-2-1>dis current-configuration
#
 version 7.1.075, Alpha 7571
#
 sysname sw-2-1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
vlan 10
#
vlan 200
#
vlan 300
#
 stp global enable
#
interface NULL0
#
interface Vlan-interface10
 ip address 10.20.4.253 255.255.252.0
#
interface Vlan-interface200
#
interface FortyGigE1/0/53
 port link-mode bridge
#
interface FortyGigE1/0/54
 port link-mode bridge
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 200 300
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 200
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 300
 combo enable fiber
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 200
 combo enable fiber
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/8
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/9
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/10
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/11
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/13
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/14
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/19
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/25
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/26
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/27
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/28
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/29
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/30
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/31
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/32
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/33
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/34
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/35
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/36
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/37
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/38
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/39
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/40
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/41
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/42
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/43
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/44
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/45
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/46
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/47
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/48
 port link-mode bridge
 combo enable fiber
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/50
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/51
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/52
 port link-mode bridge
 combo enable fiber
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role level-3
 user-role network-operator
 set authentication password hash $h$6$LC3L/BBb1SYECRjg$Yt1smXHJIWusWQRLQiRc37xYCUcOs4hahYotExTAb261NBODmPW/4xruBr8pz7DenOdlDkvpzSofLC5qfv0qkA==
#
line vty 5 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 1.1.1.2
 ip route-static 0.0.0.0 0 1.1.1.1
 ip route-static 0.0.0.0 0 10.20.4.252
#
 ntp-service refclock-master 2
#
radius scheme system
 user-name-format without-domain
#
domain name system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user yhq class manage
 password hash $h$6$2tMr2Zq84CM2cTGZ$0y06oUKk0a1+YnpPDapjOURe46hUuz0qULjIQMTuMhDBboWPydxqEDtvoprqDrX+wjH7FR5fVIaWvQC9l5yD3Q==
 service-type telnet
 authorization-attribute idle-cut 5
 authorization-attribute user-role level-3
 authorization-attribute user-role level-15
 authorization-attribute user-role network-operator
#
return
```
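The telnet/local-user steps earlier in the post and these three dumps share the same management-plane settings: telnet server enabled, a level-15 user whose service type is telnet, VTY lines 5 to 63 without scheme authentication, and plain HTTP management on the firewall. The following audit is an added example and not code from the original post: it splits a Comware `display current-configuration` dump on its `#` separator lines and flags those settings so they can be reviewed before a lab config reaches production. The sample config is constructed to mirror the sw-2-1 dump, and its hash value is a placeholder.

```python
"""Audit an H3C Comware 'display current-configuration' dump for weak
management-plane settings: telnet enabled, VTY lines without AAA scheme
authentication, plain HTTP management, privileged users reachable over telnet."""

# Constructed sample shaped like the sw-2-1 dump above; the hash is a placeholder.
SAMPLE_CONFIG = """\
#
 sysname sw-2-1
#
 telnet server enable
#
line vty 0 4
 authentication-mode scheme
 user-role network-operator
#
line vty 5 63
 user-role network-operator
#
local-user yhq class manage
 password hash $h$6$PLACEHOLDER
 service-type telnet
 authorization-attribute user-role level-15
#
 ip http enable
#
"""


def parse_stanzas(config):
    """Split a Comware dump on its '#' separator lines into lists of stripped lines."""
    stanzas, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                stanzas.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def audit(config):
    """Return (severity, message) findings for one device dump, 'high' entries first."""
    findings = []
    for stanza in parse_stanzas(config):
        head = stanza[0]
        if "telnet server enable" in stanza:
            findings.append(("high", "telnet server enabled: logins cross the wire in cleartext; use SSH"))
        if "ip http enable" in stanza:
            findings.append(("medium", "plain HTTP management enabled; keep only HTTPS"))
        if head.startswith("line vty") and "authentication-mode scheme" not in stanza:
            findings.append(("high", f"{head}: not using AAA scheme authentication"))
        if head.startswith("local-user "):
            name = head.split()[1]
            roles = {ln.split()[-1] for ln in stanza if ln.startswith("authorization-attribute user-role")}
            over_telnet = any(ln.startswith("service-type") and "telnet" in ln.split() for ln in stanza)
            privileged = sorted(roles & {"level-15", "network-admin"})
            if over_telnet and privileged:
                findings.append(("high", f"local-user {name}: {', '.join(privileged)} role reachable over telnet"))
            if any(ln.startswith("password simple") for ln in stanza):
                findings.append(("high", f"local-user {name}: password given in plaintext"))
    return sorted(findings, key=lambda f: f[0] != "high")
```

Running `audit()` over the three dumps above flags the telnet server on every device, the `line vty 5 63` stanzas, the level-15 `yhq` user on both switches and the `network-admin` `admin` user plus `ip http enable` on the firewall.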
I am still at the beginner stage; if anything is wrong, please point it out. Thanks!

H3C simulator: PC connected to a firewall and switches, accessing the switches and the firewall with telnet from the PC's cmd window
Original URL: https://www.cnblogs.com/yhq1314/p/11419953.html