2025 Henan Province Secondary Vocational Education Skills Competition, Network Construction and Operations Event (Set 7)
Module 2: Network Construction and Debugging, Configuration Answer Key
All passwords are Pass-1234; the firewall's initial username/password is hillstone/hillstone, and it is changed to Pass-1234 after the first login.
I. Switching Configuration
1. VLAN creation and trunk configuration
SW1
sysname SW1
vlan batch 11 to 15 1001 1002 1004 1007
interface Vlanif11
 ip address 10.7.11.1 24
 ipv6 address 2025:10:7:11::1 64
interface Vlanif12
 ip address 10.7.12.1 24
 ipv6 address 2025:10:7:12::1 64
interface Vlanif13
 ip address 10.7.13.1 24
 ipv6 address 2025:10:7:13::1 64
interface Vlanif14
 ip address 10.7.14.1 24
 ipv6 address 2025:10:7:14::1 64
interface Vlanif15
 ip address 10.7.15.1 24
 ipv6 address 2025:10:7:15::1 64
interface Vlanif1001
 ip address 10.7.255.1 30
interface Vlanif1002
 ip address 10.7.255.1 30
interface Vlanif1004
 ip address 10.7.255.5 30
interface Vlanif1007
 ip address 10.7.255.13 30
interface LoopBack1
 ip address 10.7.1.1 32
 ipv6 address 2025:10:7:1::1 128
interface LoopBack2
 ip address 10.7.1.2 32
 ipv6 address 2025:10:7:1::2 128
! Trunk ports: each Layer 2 link allows only its own VLAN
! Assumed SW1 ports towards SW2: GigabitEthernet0/0/1 (L3 link), 0/0/2 (VPN link), 0/0/3 (L2 link)
! Assumed SW1 ports towards SW3: GigabitEthernet0/0/4 (L3 link), 0/0/5 (L2 link)
! Actual ports follow the topology; the numbers here are examples only
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 1001
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 1002
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 1004
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 1007
SW2
sysname SW2
vlan batch 21 to 25 1001 1002 1006 1007
interface Vlanif21
 ip address 10.7.21.1 24
 ipv6 address 2025:10:7:21::1 64
interface Vlanif22
 ip address 10.7.22.1 24
 ipv6 address 2025:10:7:22::1 64
interface Vlanif23
 ip address 10.7.23.1 24
 ipv6 address 2025:10:7:23::1 64
interface Vlanif24
 ip address 10.7.24.1 24
 ipv6 address 2025:10:7:24::1 64
interface Vlanif25
 ip address 10.7.25.1 24
 ipv6 address 2025:10:7:25::1 64
interface Vlanif1001
 ip address 10.7.255.2 30
interface Vlanif1002
 ip address 10.7.255.2 30
interface Vlanif1006
 ip address 10.7.255.9 30
interface Vlanif1007
 ip address 10.7.255.17 30
interface LoopBack1
 ip address 10.7.2.1 32
 ipv6 address 2025:10:7:2::1 128
interface LoopBack2
 ip address 10.7.2.2 32
 ipv6 address 2025:10:7:2::2 128
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 1001
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 1002
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 1006
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 1007
SW3
sysname SW3
vlan batch 31 to 34 110 120 1000 1001 1002 1004 1006
interface Vlanif31
 ip address 10.7.31.1 24
 ipv6 address 2025:10:7:31::1 64
interface Vlanif32
 ip address 10.7.32.1 24
 ipv6 address 2025:10:7:32::1 64
interface Vlanif33
 ip address 10.7.33.1 24
 ipv6 address 2025:10:7:33::1 64
interface Vlanif34
 ip address 10.7.34.1 24
 ipv6 address 2025:10:7:34::1 64
interface Vlanif1004
 ip address 10.7.255.6 30
interface Vlanif1006
 ip address 10.7.255.10 30
interface LoopBack1
 ip address 10.7.3.1 32
 ipv6 address 2025:10:7:3::1 128
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 1004
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 1006
! ---------- SW3 simulating SW5 ----------
! G0/7 is the trunk towards SW4; only vlan110, vlan120 and vlan1000 are allowed
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 110 120 1000
SW3 simulating the Internet: VLANs and interfaces
! SW3, Internet-switch part
vlan batch 2001 2002
! The address table actually lists vlan1001 (200.200.200.2/30) and vlan1002 (200.200.200.6/30)
! The original VLAN numbers are kept here; different IPs are bound only under a different VRF
interface Vlanif1001
 ip binding vpn-instance Internet
 ip address 200.200.200.2 30
interface Vlanif1002
 ip binding vpn-instance Internet
 ip address 200.200.200.6 30
2. Link aggregation and VRF isolation between SW1 and SW2
SW1: VRF Finance + Eth-Trunk
! Create VRF Finance
ip vpn-instance Finance
 ipv4-family
  route-distinguisher 10.7.1.1:1
 ipv6-family
  route-distinguisher 10.7.1.1:1
! Bind the finance VLAN to the VRF
interface Vlanif15
 ip binding vpn-instance Finance
 ip address 10.7.15.1 24
 ipv6 address 2025:10:7:15::1 64
! Bind the VPN-carrying link vlan1002 to the VRF
interface Vlanif1002
 ip binding vpn-instance Finance
 ip address 10.7.255.1 30
! The Layer 3 IP service link vlan1001 stays in the global routing table
! vlan1001 was configured in the previous step
! Layer 2 link: Eth-Trunk 1, LACP, SW1 active, SW2 passive
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 1007
 mode lacp
 load-balance dst-ip src-ip
! Physical member port (assumed G0/0/3)
interface GigabitEthernet0/0/3
 eth-trunk 1
! Lower value wins; SW1 is the active end
lacp priority 100
SW2: VRF Finance + Eth-Trunk
ip vpn-instance Finance
 ipv4-family
  route-distinguisher 10.7.2.1:1
 ipv6-family
  route-distinguisher 10.7.2.1:1
interface Vlanif25
 ip binding vpn-instance Finance
 ip address 10.7.25.1 24
 ipv6 address 2025:10:7:25::1 64
interface Vlanif1002
 ip binding vpn-instance Finance
 ip address 10.7.255.2 30
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 1007
 mode lacp
 load-balance dst-ip src-ip
interface GigabitEthernet0/0/4
 eth-trunk 1
3. Links between SW1 and SW3, and between SW2 and SW3
The trunk settings were completed in the VLAN configuration above.
4. SW3 simulating SW5 and the Internet: VRF isolation
! --- SW3 simulating SW5 (VRF Office) ---
ip vpn-instance Office
 ipv4-family
  route-distinguisher 10.7.3.1:2
 ipv6-family
  route-distinguisher 10.7.3.1:2
interface LoopBack2
 ip binding vpn-instance Office
 ip address 10.7.3.2 32
interface Vlanif110
 ip binding vpn-instance Office
 ip address 10.7.110.1 24
interface Vlanif120
 ip binding vpn-instance Office
 ip address 10.7.120.1 24
interface Vlanif1000
 ip binding vpn-instance Office
 ip address 10.7.255.42 30
! --- SW3 simulating the Internet (VRF Internet) ---
ip vpn-instance Internet
 ipv4-family
  route-distinguisher 10.7.3.1:3
 ipv6-family
  route-distinguisher 10.7.3.1:3
interface Vlanif1001
 ip binding vpn-instance Internet
 ip address 200.200.200.2 30
interface Vlanif1002
 ip binding vpn-instance Internet
 ip address 200.200.200.6 30
5. LLDP configuration (SW1 & SW2)
SW1
lldp enable
lldp message-transmission interval 20
lldp trap-interval 10
! Enable LLDP traps on the interconnect ports
interface GigabitEthernet0/0/1
 lldp trap enable
interface GigabitEthernet0/0/2
 lldp trap enable
interface GigabitEthernet0/0/3
 lldp trap enable
SW2
lldp enable
lldp message-transmission interval 20
lldp trap-interval 10
interface GigabitEthernet0/0/1
 lldp trap enable
interface GigabitEthernet0/0/2
 lldp trap enable
interface GigabitEthernet0/0/4
 lldp trap enable
6. Telnet and banner (SW1 & SW2)
SW1
telnet server enable
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher Pass-1234
 protocol inbound telnet
header login information "WARNING!!! Authorised access only, all of your done will be recorded! Disconnected IMMEDIATELY if you are not an authorised user! Otherwise, we retain the right to pursue the legal responsibility"
header shell information "WARNING!!! Authorised access only, all of your done will be recorded! Disconnected IMMEDIATELY if you are not an authorised user! Otherwise, we retain the right to pursue the legal responsibility"
SW2
telnet server enable
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher Pass-1234
 protocol inbound telnet
header login information "WARNING!!! Authorised access only, all of your done will be recorded! Disconnected IMMEDIATELY if you are not an authorised user! Otherwise, we retain the right to pursue the legal responsibility"
header shell information "WARNING!!! Authorised access only, all of your done will be recorded! Disconnected IMMEDIATELY if you are not an authorised user! Otherwise, we retain the right to pursue the legal responsibility"
II. Routing Debugging
1. Hostname, SSH, timeout
All devices need this configuration. SW1 is shown as the example; the other devices are configured the same way:
sysname SW1
! Per device: SW1/SW2/SW3/SW4/RT1/RT2/FW1/FW2
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh server timeout 60
aaa
 local-user admin password cipher Pass-1234
 local-user admin service-type ssh
 local-user admin privilege level 15
For the other devices, simply substitute the hostname.
2. Interface IPv4 / IPv6 addresses
The switches' VLANIF addresses were configured in the switching section. The router and firewall interface addresses follow:
RT1
sysname RT1
interface GigabitEthernet0/0/0
 ip address 10.7.255.14 30
 ipv6 enable
 ipv6 address auto link-local
interface GigabitEthernet0/0/1
 ip address 10.7.255.18 30
 ipv6 enable
 ipv6 address auto link-local
interface GigabitEthernet0/0/2
 ip address 10.7.255.21 30
 ipv6 enable
 ipv6 address auto link-local
interface GigabitEthernet0/0/3
 ip address 10.7.255.25 30
 ipv6 enable
 ipv6 address auto link-local
interface GigabitEthernet0/0/4
 ip address 10.7.255.29 30
 ipv6 enable
 ipv6 address auto link-local
interface GigabitEthernet0/0/5
 ip address 10.7.255.33 30
 ipv6 enable
 ipv6 address auto link-local
interface LoopBack1
 ip address 10.7.5.1 32
 ipv6 address 2025:10:7:5::1 128
interface LoopBack2
 ip address 10.7.5.2 32
 ipv6 address 2025:10:7:5::2 128
interface LoopBack3
 ip address 10.7.5.3 32
 ipv6 address 2025:10:7:5::3 128
interface LoopBack4
 ip address 10.7.5.4 32
 ipv6 address 2025:10:7:5::4 128
RT2
sysname RT2
interface GigabitEthernet0/0/0
 ip address 10.7.255.38 30
interface GigabitEthernet0/0/1
 ip address 10.7.255.41 30
interface LoopBack1
 ip address 10.7.6.1 32
 ipv6 address 2025:10:7:6::1 128
interface LoopBack2
 ip address 10.7.6.2 32
 ipv6 address 2025:10:7:6::2 128
interface LoopBack4
 ip address 10.7.6.4 32
 ipv6 address 2025:10:7:6::4 128
FW1 (Hillstone style)
hostname FW1
interface ethernet0/0
 zone trust
 ip address 10.7.255.37/30
interface ethernet0/1
 zone untrust
 ip address 200.200.200.1/30
interface ethernet0/2
 zone dmz
 ip address 10.7.255.22/30
interface ethernet0/4
 zone dmz
 ip address 10.7.255.30/30
interface loopback1
 zone trust
 ip address 10.7.7.1/32
interface loopback2
 zone trust
 ip address 10.7.7.2/32
interface loopback3
 zone trust
 ip address 10.7.7.3/32
interface loopback4
 zone trust
 ip address 10.7.7.4/32
FW2 (Hillstone style)
hostname FW2
interface ethernet0/0
 zone dmz
 ip address 10.7.255.45/30
interface ethernet0/1
 zone untrust
 ip address 200.200.200.5/30
interface ethernet0/3
 zone trust
 ip address 10.7.255.26/30
interface ethernet0/5
 zone trust
 ip address 10.7.255.34/30
interface loopback1
 zone trust
 ip address 10.7.8.1/32
interface loopback2
 zone trust
 ip address 10.7.8.2/32
interface loopback3
 zone trust
 ip address 10.7.8.3/32
interface loopback4
 zone trust
 ip address 10.7.8.4/32
SW4
sysname SW4
vlan batch 210 1000
interface Vlanif210
 ip address 10.7.210.1 24
 ipv6 address 2025:10:7:210::1 64
interface Vlanif1000
 ip address 10.7.255.46 30
interface LoopBack1
 ip address 10.7.4.1 32
 ipv6 address 2025:10:7:4::1 128
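Added example, not part of this answer key: a Python check over the /30 link addressing plan from the switching and routing sections above. It groups every interface address by subnet and verifies that each link carries exactly the two usable host addresses on two different devices, treating a subnet that is reused across VRFs (vlan1001 in the global table and vlan1002 in VRF Finance on SW1/SW2) as valid only when both ends mirror the reuse. The device/VRF/interface table is transcribed from this page; the VRF label "global" and the short interface names are this example's own convention.

```python
"""Consistency check for the /30 point-to-point links in this answer key."""
from collections import Counter, defaultdict
from ipaddress import ip_interface

# Constructed from the address plan on this page: (device, vrf, interface, address);
# "global" marks interfaces left in the global routing table.
LINKS = [
    ("SW1", "global", "Vlanif1001", "10.7.255.1/30"),
    ("SW2", "global", "Vlanif1001", "10.7.255.2/30"),
    ("SW1", "Finance", "Vlanif1002", "10.7.255.1/30"),  # same subnet, Finance VRF
    ("SW2", "Finance", "Vlanif1002", "10.7.255.2/30"),
    ("SW1", "global", "Vlanif1004", "10.7.255.5/30"),
    ("SW3", "global", "Vlanif1004", "10.7.255.6/30"),
    ("SW1", "global", "Vlanif1007", "10.7.255.13/30"),
    ("RT1", "global", "GE0/0/0", "10.7.255.14/30"),
    ("FW1", "global", "ethernet0/1", "200.200.200.1/30"),
    ("SW3", "Internet", "Vlanif1001", "200.200.200.2/30"),
    ("FW2", "global", "ethernet0/0", "10.7.255.45/30"),
    ("SW4", "global", "Vlanif1000", "10.7.255.46/30"),
]


def check_links(links):
    """Return {network: verdict}; a verdict starting with 'ERROR' needs attention."""
    by_net = defaultdict(list)
    for dev, vrf, ifname, addr in links:
        iface = ip_interface(addr)
        if iface.network.prefixlen != 30:
            raise ValueError(f"{dev} {ifname}: {addr} is not a /30 link address")
        by_net[iface.network].append((dev, vrf, iface.ip))

    verdicts = {}
    for net, ends in sorted(by_net.items()):
        problems = []
        owners, ip_count = defaultdict(set), Counter()
        for dev, _, ip in ends:
            owners[ip].add(dev)
            ip_count[ip] += 1
        if len({(d, v) for d, v, _ in ends}) != len(ends):
            problems.append("two interfaces of one VRF instance in the subnet")
        if set(ip_count) != set(net.hosts()):
            problems.append(f"endpoints {sorted(map(str, ip_count))} are not both hosts")
        # Each address belongs to exactly one device, and the two devices differ.
        if any(len(d) > 1 for d in owners.values()) or len(set.union(*owners.values())) < 2:
            problems.append("address/device pairing is wrong")
        # Subnet reuse across VRFs (SW1/SW2 vlan1001 vs vlan1002) must be symmetric.
        if len(set(ip_count.values())) > 1:
            problems.append("VRF reuse is not mirrored on the far side")
        if problems:
            verdicts[str(net)] = "ERROR: " + "; ".join(problems)
        else:
            n = max(ip_count.values())
            verdicts[str(net)] = "ok" if n == 1 else f"ok, reused in {n} VRF instances"
    return verdicts
```

Extend LINKS with the remaining RT1/RT2/FW links from the address table to check the whole plan; a half-configured link shows up as an ERROR on its subnet.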
3. RT1 DHCPv4 configuration
dhcp enable
ip pool Poolv4-Vlan11
 gateway-list 10.7.11.1
 network 10.7.11.0 mask 255.255.255.0
 dns-list 10.7.210.1
 excluded-ip-address 10.7.11.1
ip pool Poolv4-Vlan21
 gateway-list 10.7.21.1
 network 10.7.21.0 mask 255.255.255.0
 dns-list 10.7.210.1
 excluded-ip-address 10.7.21.1
ip pool Poolv4-Vlan31
 gateway-list 10.7.31.1
 network 10.7.31.0 mask 255.255.255.0
 dns-list 10.7.210.1
 excluded-ip-address 10.7.31.1
ip pool Poolv4-Vlan110
 gateway-list 10.7.110.1
 network 10.7.110.0 mask 255.255.255.0
 dns-list 10.7.210.1
 excluded-ip-address 10.7.110.1
! 10.7.5.1 is RT1 Loopback1
interface GigabitEthernet0/0/0
 dhcp select global
 dhcp relay server-ip 10.7.5.1
interface GigabitEthernet0/0/1
 dhcp select global
 dhcp relay server-ip 10.7.5.1
The relay addresses on SW1/SW2/SW3/SW5 point to RT1 Loopback1:
! SW1
interface Vlanif11
 dhcp select relay
 dhcp relay server-ip 10.7.5.1
! SW2
interface Vlanif21
 dhcp select relay
 dhcp relay server-ip 10.7.5.1
! SW3
interface Vlanif31
 dhcp select relay
 dhcp relay server-ip 10.7.5.1
! SW3 acting as SW5
interface Vlanif110
 dhcp select relay
 dhcp relay server-ip 10.7.5.1
4. OSPFv2 / OSPFv3 configuration
4.1 SW1, SW2, SW3, RT1: OSPF process 1, area 0
SW1
ospf 1 router-id 10.7.1.1
 area 0.0.0.0
  network 10.7.1.1 0.0.0.0
  network 10.7.11.0 0.0.0.255
  ! vlan1004 (10.7.255.5/30)
  network 10.7.255.4 0.0.0.3
  ! vlan1007 (10.7.255.13/30)
  network 10.7.255.12 0.0.0.3
ospfv3 1
 router-id 10.7.1.1
 area 0.0.0.0
interface Vlanif11
 ospfv3 1 area 0
interface Vlanif1004
 ospfv3 1 area 0
interface Vlanif1007
 ospfv3 1 area 0
interface LoopBack1
 ospfv3 1 area 0
SW2
ospf 1 router-id 10.7.2.1
 area 0.0.0.0
  network 10.7.2.1 0.0.0.0
  network 10.7.21.0 0.0.0.255
  ! vlan1006
  network 10.7.255.8 0.0.0.3
  ! vlan1007
  network 10.7.255.16 0.0.0.3
ospfv3 1
 router-id 10.7.2.1
 area 0.0.0.0
interface Vlanif21
 ospfv3 1 area 0
interface Vlanif1006
 ospfv3 1 area 0
interface Vlanif1007
 ospfv3 1 area 0
interface LoopBack1
 ospfv3 1 area 0
SW3
ospf 1 router-id 10.7.3.1
 area 0.0.0.0
  network 10.7.3.1 0.0.0.0
  network 10.7.31.0 0.0.0.255
  ! vlan1004 (10.7.255.6/30)
  network 10.7.255.4 0.0.0.3
  ! vlan1006 (10.7.255.10/30)
  network 10.7.255.8 0.0.0.3
ospfv3 1
 router-id 10.7.3.1
 area 0.0.0.0
interface Vlanif31
 ospfv3 1 area 0
interface Vlanif1004
 ospfv3 1 area 0
interface Vlanif1006
 ospfv3 1 area 0
interface LoopBack1
 ospfv3 1 area 0
RT1
ospf 1 router-id 10.7.5.1
 area 0.0.0.0
  network 10.7.5.1 0.0.0.0
  ! G0/0 (10.7.255.14/30)
  network 10.7.255.12 0.0.0.3
  ! G0/1 (10.7.255.18/30)
  network 10.7.255.16 0.0.0.3
 area 0.0.0.1
  ! G0/2 (10.7.255.21/30)
  network 10.7.255.20 0.0.0.3
 area 0.0.0.2
  ! G0/3 (10.7.255.25/30)
  network 10.7.255.24 0.0.0.3
ospfv3 1
 router-id 10.7.5.1
 area 0.0.0.0
interface GigabitEthernet0/0/0
 ospfv3 1 area 0
interface GigabitEthernet0/0/1
 ospfv3 1 area 0
interface LoopBack1
 ospfv3 1 area 0
4.2 RT1 ↔ FW1: OSPF process 1, area 1
RT1 (addition)
ospf 1
 area 0.0.0.1
  network 10.7.255.20 0.0.0.3
FW1
! Hillstone firewall OSPF configuration
router ospf 1
 router-id 10.7.7.1
 network 10.7.7.1/32 area 1
 network 10.7.255.20/30 area 1
! OSPFv3 is configured the same way
4.3 RT1 ↔ FW2: OSPF process 1, area 2
RT1 (addition)
ospf 1
 area 0.0.0.2
  network 10.7.255.24 0.0.0.3
FW2
router ospf 1
 router-id 10.7.8.1
 network 10.7.8.1/32 area 2
 network 10.7.255.24/30 area 2
4.4 SW4 ↔ FW2: OSPF process 2, area 0
SW4
ospf 2 router-id 10.7.4.1
 area 0.0.0.0
  network 10.7.4.1 0.0.0.0
  network 10.7.210.0 0.0.0.255
  ! vlan1000
  network 10.7.255.44 0.0.0.3
ospfv3 2
 router-id 10.7.4.1
 area 0.0.0.0
interface Vlanif210
 ospfv3 2 area 0
interface Vlanif1000
 ospfv3 2 area 0
interface LoopBack1
 ospfv3 2 area 0
FW2
! OSPF process 2, area 0
router ospf 2
 router-id 10.7.8.1
 network 10.7.255.44/30 area 0
 default-information originate always metric-type 1
! Redistribute the routes into OSPF process 1
access-list 100 permit ip 10.7.4.1/32 any
access-list 100 permit ip 10.7.210.0/24 any
access-list 100 permit ip 10.7.255.44/30 any
route-map SW4-TO-OSPF1 permit 10
 match ip address 100
router ospf 1
 redistribute ospf 2 route-map SW4-TO-OSPF1
! OSPFv3 is redistributed directly (Hillstone ospfv3 redistribute)
5. RIP / RIPng configuration
RT1
rip 2
 version 2
 network 10.0.0.0
 import-route direct
 import-route ospf 1
! Offset policy: backup links +5
! Assumed backup links: G0/4 (10.7.255.29/30) → FW1 E0/4, G0/5 (10.7.255.33/30) → FW2 E0/5
interface GigabitEthernet0/0/4
 rip metricin 5
interface GigabitEthernet0/0/5
 rip metricin 5
ripng 2
RT2
rip 2
 version 2
 network 10.0.0.0
 import-route direct
ripng 2
FW1
router rip 2
 version 2
 network 10.7.7.2/32
 ! E0/0 trust
 network 10.7.255.36/30
 ! E0/2 dmz → RT1
 network 10.7.255.20/30
 ! E0/4 dmz → RT1
 network 10.7.255.28/30
FW2
router rip 2
 version 2
 network 10.7.8.2/32
 ! E0/3 trust → RT1
 network 10.7.255.24/30
 ! E0/5 trust → RT1
 network 10.7.255.32/30
6. IS-IS configuration
RT1
isis 1
 network-entity 49.0000.0000.0005.00
 is-level level-2
 graceful-restart
interface GigabitEthernet0/0/2
 isis enable 1
 isis circuit-type p2p
 isis authentication-mode md5 cipher Pass-1234
interface GigabitEthernet0/0/3
 isis enable 1
 isis circuit-type p2p
 isis authentication-mode md5 cipher Pass-1234
interface LoopBack3
 isis enable 1
FW1
router isis 1
 net 49.0000.0000.0007.00
 is-type level-2-only
interface ethernet0/2
 isis enable 1
 isis circuit-type p2p
 isis authentication-mode md5 Pass-1234
interface ethernet0/4
 isis enable 1
 isis circuit-type p2p
 isis authentication-mode md5 Pass-1234
interface loopback3
 isis enable 1
FW2
router isis 1
 net 49.0000.0000.0008.00
 is-type level-2-only
interface ethernet0/3
 isis enable 1
 isis circuit-type p2p
 isis authentication-mode md5 Pass-1234
interface ethernet0/5
 isis enable 1
 isis circuit-type p2p
 isis authentication-mode md5 Pass-1234
interface loopback3
 isis enable 1
III. Security Maintenance
1. FW1/FW2 default deny + access rules for product segment 1
FW1
! Default policy: deny
policy default-action deny
! Allow product segment 1 (10.7.11.0/24) IPv4/IPv6 access to the Internet
policy from trust to untrust
 rule 10
  match source-address 10.7.11.0/24
  match destination-address any
  match service any
  action permit
FW2
policy default-action deny
! Allow product segment 1 (10.7.11.0/24) IPv4 access to the DMZ
policy from trust to dmz
 rule 10
  match source-address 10.7.11.0/24
  match destination-address any
  match service any
  action permit
2. FW2 DMZ access (already covered by the policy in the previous step)
3. FW1 NAT
! Product segment 1 → Internet, translated to 200.200.200.16/28 with fixed IP mapping
nat-policy
 rule 10
  match source-address 10.7.11.0/24
  match destination-zone untrust
  action source-nat
  translation-type dynamic-ip-and-port
  translated-address 200.200.200.16 200.200.200.31
  translated-mode per-session
4. FW2 NAT (port mapping)
! Internet → 200.200.200.5:80 → 10.7.210.20:80
nat-policy
 rule 10
  match destination-address 200.200.200.5
  match service HTTP
  action destination-nat
  translated-address 10.7.210.20
  translated-port 80
5. GRE over IPsec VPN (FW1 ↔ FW2)
FW1
! IKE proposal
ike proposal P-1
 authentication-algorithm sha256
 encryption-algorithm aes-256
 dh group14
! IKE peer
ike peer PEER-1
 proposal P-1
 pre-shared-key Pass-1234
 remote-address 200.200.200.5
! IPsec proposal
ipsec proposal P-2
 encapsulation-mode tunnel
 transform esp-aes-256 esp-sha256-hmac
! IPsec policy
ipsec policy IPSEC-1 10 isakmp
 proposal P-2
 ike-peer PEER-1
! GRE tunnel
interface tunnel1
 ip address 10.7.255.49 30
 tunnel source ethernet0/1
 tunnel destination 200.200.200.5
 ipsec policy IPSEC-1
FW2
ike proposal P-1
 authentication-algorithm sha256
 encryption-algorithm aes-256
 dh group14
ike peer PEER-1
 proposal P-1
 pre-shared-key Pass-1234
 remote-address 200.200.200.1
ipsec proposal P-2
 encapsulation-mode tunnel
 transform esp-aes-256 esp-sha256-hmac
ipsec policy IPSEC-1 10 isakmp
 proposal P-2
 ike-peer PEER-1
interface tunnel1
 ip address 10.7.255.50 30
 tunnel source ethernet0/1
 tunnel destination 200.200.200.1
 ipsec policy IPSEC-1
Note: the configurations above are written in Huawei/H3C CLI style; the firewall sections follow the Hillstone style. In the actual competition environment, port numbers and command syntax must be adjusted to the specific device models. All passwords are Pass-1234.