Network Management Final Assessment (Example)


Technologies covered:

VPN, web, NAT, HSRP, DNS, policy-based routing, QoS, ACL, 802.1X, ACS server

The topology is shown below:

[Topology diagram]


 

R1 configuration:

Building configuration...

 

Current configuration : 2376 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

aaa new-model (the VPN configuration is shown in red)

!

!

aaa authentication login vpn-en local

aaa authorization network vpn-or local

!

aaa session-id common

ip cef

!

!

!

!

!

voice-card 0

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username root password 0 123456

!

!

!

!

!

crypto isakmp policy 20

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp client configuration group myvpn

 key 123cisco

 pool vpn-pool

 acl 101

!

!

crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac

!

crypto dynamic-map dymap 20

 set transform-set vpn-client

 reverse-route

!

!

crypto map test client authentication list vpn-en

crypto map test isakmp authorization list vpn-or

crypto map test client configuration address respond

crypto map test 20 ipsec-isakmp dynamic dymap

!

!

!

!

interface FastEthernet0/0

 ip address 192.168.54.251 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 duplex auto

 speed auto

 standby use-bia

 standby 1 ip 192.168.54.253

 standby 1 priority 105

 standby 1 preempt

 standby 1 track FastEthernet0/0

 standby 1 track FastEthernet0/1

 standby 2 ip 192.168.54.254

 standby 2 preempt

!

interface FastEthernet0/1

 ip address 210.41.166.121 255.255.255.0

 ip nat outside

 ip virtual-reassembly

 duplex auto

 speed auto

 crypto map test

!

interface Serial0/3/0

 no ip address

 shutdown

 no fair-queue

 clock rate 125000

!

interface Serial0/3/1

 no ip address

 shutdown

 clock rate 125000

!

router ospf 1

 log-adjacency-changes

 network 192.168.1.0 0.0.0.255 area 0

 network 192.168.10.0 0.0.0.255 area 0

 network 192.168.20.0 0.0.0.255 area 0

 network 192.168.54.0 0.0.0.255 area 0

 network 192.168.110.0 0.0.0.255 area 0

 network 210.41.166.0 0.0.0.255 area 0

 default-information originate always

!

ip local pool vpn-pool 192.168.110.1 192.168.110.254

ip route 0.0.0.0 0.0.0.0 210.41.166.1

!

!

ip http server

no ip http secure-server

ip nat inside source list 100 interface FastEthernet0/1 overload

!

access-list 1 permit any

access-list 100 deny   ip 192.168.54.0 0.0.0.255 192.168.110.0 0.0.0.255

access-list 100 permit ip any any

access-list 101 permit ip 192.168.54.0 0.0.0.255 192.168.110.0 0.0.0.255

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

scheduler allocate 20000 1000

end

 

R2 configuration:

show runn

R2#show running-config

Building configuration...

 

Current configuration : 2722 bytes

!

version 12.4

service config

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

aaa new-model

!

!

aaa authentication login vpn-en local

aaa authorization network vpn-or local

!

aaa session-id common

ip cef

 

!

!

!

!

!

voice-card 0

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username root password 0 123456

!

!

!

!

class-map match-all pc2

 match access-group 121

class-map match-all pc1

 match access-group 120

!

!

policy-map llq

 class pc1

  priority percent 20

 class pc2

  priority percent 60

 class class-default

  fair-queue

!

!

!

crypto isakmp policy 20

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp client configuration group myvpn

 key 123cisco

 pool vpn-pool

 acl 101

!

!

crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac

!

crypto dynamic-map dymap 20

 set transform-set vpn-client

 reverse-route

!

!

crypto map test client authentication list vpn-en

crypto map test isakmp authorization list vpn-or

crypto map test client configuration address respond

crypto map test 20 ipsec-isakmp dynamic dymap

!

!

!

!

interface FastEthernet0/0

 ip address 192.168.54.252 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 duplex auto

 speed auto

 standby use-bia

 standby 1 ip 192.168.54.253 // HSRP with multiple groups

 standby 1 preempt

 standby 2 ip 192.168.54.254

 standby 2 priority 105

 standby 2 preempt

 standby 2 track FastEthernet0/0

 standby 2 track FastEthernet0/1

!

interface FastEthernet0/1

 ip address 210.41.166.122 255.255.255.0

 ip nat outside

 ip virtual-reassembly

 duplex auto

 speed auto

 crypto map test

!

interface Serial0/3/0

 no ip address

 shutdown

 no fair-queue

 clock rate 125000

!

interface Serial0/3/1

 no ip address

 shutdown

 clock rate 125000

!

router ospf 1

 log-adjacency-changes

 network 192.168.1.0 0.0.0.255 area 0

 network 192.168.10.0 0.0.0.255 area 0

 network 192.168.20.0 0.0.0.255 area 0

 network 192.168.54.0 0.0.0.255 area 0

 network 192.168.110.0 0.0.0.255 area 0

 network 210.41.166.0 0.0.0.255 area 0

 default-information originate always

!

ip local pool vpn-pool 192.168.110.1 192.168.110.254

ip route 0.0.0.0 0.0.0.0 210.41.166.1

!

ip http server

no ip http secure-server

ip nat inside source list 100 interface FastEthernet0/1 overload // NAT address translation configuration

!

access-list 1 permit any

access-list 100 deny   ip 192.168.54.0 0.0.0.255 192.168.110.0 0.0.0.255

access-list 100 permit ip any any

access-list 101 permit ip 192.168.54.0 0.0.0.255 192.168.110.0 0.0.0.255

access-list 120 permit tcp any host 192.168.20.1 eq ftp

access-list 121 permit tcp any host 192.168.20.1 eq www

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

scheduler allocate 20000 1000

end

 

 

S configuration:

show runn

S#show running-config

Building configuration...

 

Current configuration : 3655 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname S

!

!

aaa new-model (the 802.1X configuration is shown in this colour)

aaa authentication dot1x default group radius

aaa authorization network default group radius

!

aaa session-id common

ip subnet-zero

ip routing

!

!

!

!

!

dot1x system-auth-control

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

interface FastEthernet0/1

 switchport mode access

!

interface FastEthernet0/2

 switchport mode dynamic desirable

!

interface FastEthernet0/3

 switchport mode dynamic desirable

!

interface FastEthernet0/4

 switchport mode dynamic desirable

!

interface FastEthernet0/5

 switchport mode dynamic desirable

!

interface FastEthernet0/6

 switchport mode dynamic desirable

!

interface FastEthernet0/7

 switchport mode dynamic desirable

!

interface FastEthernet0/8

 switchport mode dynamic desirable

!

interface FastEthernet0/9

 switchport mode dynamic desirable

!

interface FastEthernet0/10

 switchport access vlan 10

 switchport mode access

 dot1x port-control auto // enable 802.1X checking on this interface

 spanning-tree portfast

!

interface FastEthernet0/11

 switchport mode dynamic desirable

!

interface FastEthernet0/12

 switchport mode dynamic desirable

!

interface FastEthernet0/13

 switchport mode dynamic desirable

!

interface FastEthernet0/14

 switchport mode dynamic desirable

!

interface FastEthernet0/15

 switchport mode dynamic desirable

!

interface FastEthernet0/16

 switchport mode dynamic desirable

!

interface FastEthernet0/17

 switchport mode dynamic desirable

!

interface FastEthernet0/18

 switchport mode dynamic desirable

!

interface FastEthernet0/19

 switchport mode dynamic desirable

interface FastEthernet0/20

 switchport access vlan 20

 switchport mode access

 dot1x port-control auto // enable 802.1X checking on this interface

 spanning-tree portfast

!

interface FastEthernet0/21

 switchport mode dynamic desirable

!

interface FastEthernet0/22

 switchport mode dynamic desirable

!

interface FastEthernet0/23

 switchport mode dynamic desirable

!

interface FastEthernet0/24

 no switchport

 ip address 192.168.54.250 255.255.255.0

!

interface GigabitEthernet0/1

 switchport mode dynamic desirable

!

interface GigabitEthernet0/2

 switchport mode dynamic desirable

!

interface Vlan1

 ip address 192.168.1.254 255.255.255.0

!

interface Vlan10

 ip address 192.168.10.254 255.255.255.0

 ip policy route-map out-traffic1 // apply policy-based routing (this is the policy routing part)

 ip access-group 110 in // ACL configuration

!

interface Vlan20

 ip address 192.168.20.254 255.255.255.0

 ip policy route-map out-traffic2 // apply policy-based routing

!

router ospf 1 // OSPF routing protocol

 log-adjacency-changes

 network 192.168.1.0 0.0.0.255 area 0

 network 192.168.10.0 0.0.0.255 area 0

 network 192.168.20.0 0.0.0.255 area 0

 network 192.168.54.0 0.0.0.255 area 0

 default-information originate always

!

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/24 // default route configured by outgoing interface

ip http server

ip http secure-server

!

!

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

access-list 101 permit ip 192.168.20.0 0.0.0.255 any

access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 210.41.160.7 eq www (ACL configuration)

access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq www

access-list 110 permit icmp 192.168.10.0 0.0.0.255 host 210.41.160.7 echo

access-list 110 permit icmp 192.168.10.0 0.0.0.255 host 210.41.160.7 echo-reply

route-map out-traffic2 permit 20

 match ip address 101

 set ip next-hop 192.168.54.254

!

route-map out-traffic1 permit 10

 match ip address 100

 set ip next-hop 192.168.54.253

!

radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key cisco

radius-server source-ports 1645-1646

radius-server vsa send accounting

radius-server vsa send authentication

control-plane

!

!

line con 0

line vty 5 15

!

!

end
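
The listings above can be reviewed mechanically before they are reused outside a lab. The Python audit below is an added example, not part of the original post: it flags settings that appear in the R1, R2 and S configurations (cleartext local password, 3DES, small Diffie-Hellman group, HTTP management, DTP on switch ports) and two settings that are absent (HSRP authentication, an SSH-only vty). The rule set, the function names `stanzas` and `audit`, and the finding wording are assumptions of this example.

```python
import re
# Constructed sample: lines copied from the R1 and S listings on this page.
SAMPLE = """\
username root password 0 123456
crypto isakmp policy 20
 encr 3des
 group 2
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
interface FastEthernet0/0
 standby 1 ip 192.168.54.253
interface FastEthernet0/2
 switchport mode dynamic desirable
ip http server
line vty 0 4
"""
# (stanza prefix, line regex, finding); the finding text is this example's wording.
RULES = [
    ("", r"username \S+ password 0 ", "cleartext local password; use 'secret'"),
    ("crypto", r"encr 3des$|crypto ipsec transform-set .*esp-3des", "3DES in use; prefer AES"),
    ("crypto isakmp policy", r"group [125]$", "small DH group for IKE"),
    ("interface", r"switchport mode dynamic", "DTP negotiation left on"),
    ("", r"ip http server$", "cleartext HTTP management enabled"),
]

def stanzas(text):
    """Return [header, child, ...] lists; indented lines belong to the stanza above."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue  # skip blank lines and bare '!' separators
        if blocks and raw[0].isspace():
            blocks[-1].append(raw.strip())
        else:
            blocks.append([raw.strip()])
    return blocks

def audit(text):
    """Return (stanza header, finding) pairs for weak or missing settings."""
    out = []
    for head, *kids in stanzas(text):
        out += [(head, msg) for line in [head, *kids] for pre, pat, msg in RULES
                if head.startswith(pre) and re.match(pat, line)]
        # Missing-setting checks look at the whole stanza, not one line.
        ids = lambda kw: {k.split()[1] for k in kids if re.match(rf"standby \d+ {kw}\b", k)}
        out += [(head, f"HSRP group {g} has no explicit authentication")
                for g in sorted(ids("ip") - ids("authentication"))]
        if head.startswith("line vty") and "transport input ssh" not in kids:
            out.append((head, "vty not restricted to SSH"))
    return out
```

The parser relies on indentation to attach sub-commands to their stanza, so listings whose indentation was lost in copying need to be re-indented first.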


