2022-2023华为ICT大赛(全国)实验题研究

 Jul 24th 24  Huawei 11 minutes read (About 1592 words)

上一篇文整了个大阵仗(内容太多,浏览器好像有些受不了)

经过在搜索引擎遨游,最终发现这些题其实在华为的ICT学院课程网站上有

https://talent.shixizhi.huawei.com –>> 搜索ICT –>> 华为ICT大赛 - 网络赛道学习空间(中国区)

还有其他内容,有兴趣可以点击看看

本次研究研究,搓一搓的图如标题所示

文章末尾,附上ensp拓扑文件和配置导出文件

说明

  • ensp版本:1.3.00.100 V100R003C00SPC100
  • 电脑:Win10 ltsc (CPU:不配拥有名称,RAM=16GB)
  • 我电脑跑这图是真的卡
  • 遇到FW启动错误代码40,建议先启动FW,再启动其他设备
  • AR路由器我整不出G0/0/3接口,使用G3/0/0代替

实验拓扑

ENSP拓扑

配置

任务1:VLAN

  • 按照给出的表格数据配置对应设备的vlan、Trunk、Access
  • 路由器接口注意配置子接口dot1q termination vid xx ,arp broadcast enable
  • 防火墙接口注意配置 vlan-type dot1q xx

任务2:IP地址

  • 按照给出的表格数据配置对应设备的IP地址

任务3:MSTP配置

  • SW1

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    #
    stp mode mstp
    #
    stp region-configuration
     region-name RG1
     instance 1 vlan 2 to 9
     instance 2 vlan 10 to 20
     active region-configuration
    #
    interface Ethernet0/0/1
     stp edged-port enable
    #
    interface Ethernet0/0/2
     stp edged-port enable
    #

  • SW2

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    #
    stp mode mstp
    #
    stp region-configuration
     region-name RG1
     instance 1 vlan 2 to 9
     instance 2 vlan 10 to 20
     active region-configuration
    #
    stp instance 1 priority 0
    stp instance 2 priority 4096
    #
    interface GigabitEthernet0/0/1
     stp root-protection
    #
    interface GigabitEthernet0/0/5
     stp disable
    #

  • SW3

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    #
    stp mode mstp
    #
    stp region-configuration
     region-name RG1
     instance 1 vlan 2 to 9
     instance 2 vlan 10 to 20
     active region-configuration
    #
    stp instance 1 priority 4096
    stp instance 2 priority 0
    #
    interface GigabitEthernet0/0/1
     stp edged-port enable
    #
    interface GigabitEthernet0/0/2
     stp root-protection
    #
    interface GigabitEthernet0/0/5
     stp disable
    #

  • 验证: dis stp

任务4:防火墙安全域配置

  • FW1

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    #
    firewall zone trust
     add interface GigabitEthernet1/0/5.1
     add interface GigabitEthernet1/0/5.2
    #
    firewall zone untrust
     add interface GigabitEthernet1/0/3
     add interface GigabitEthernet1/0/3.1
    #
    firewall zone dmz
     add interface GigabitEthernet1/0/1
    #

  • FW2

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    #
    firewall zone trust
     add interface GigabitEthernet1/0/5.1
     add interface GigabitEthernet1/0/5.2
    #
    firewall zone untrust
     add interface GigabitEthernet1/0/3
     add interface GigabitEthernet1/0/3.1
    #
    firewall zone dmz
     add interface GigabitEthernet1/0/1
    #

  • FW3

    1
    2
    3
    4
    5
    6
    7
    #
    firewall zone trust
     add interface GigabitEthernet1/0/1
    #
    firewall zone untrust
     add interface GigabitEthernet1/0/2
    #

  • 验证:dis zone interface

任务5:防火墙VRRP、双机热备和安全策略配置

  • FW1

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    #
    interface GigabitEthernet1/0/5.1
     vrrp vrid 1 virtual-ip 192.168.1.254 active
    #
    interface GigabitEthernet1/0/5.2
     vrrp vrid 2 virtual-ip 192.168.2.254 standby
    #
     hrp enable
     hrp interface GigabitEthernet1/0/1 remote 15.1.1.2
     hrp mirror session enable
    #
    security-policy
     rule name web
      source-zone trust
      destination-zone untrust
      source-address 192.168.1.0 mask 255.255.255.0
      destination-address 100.1.1.1 mask 255.255.255.255
      service protocol tcp destination-port 8080
      action permit
     rule name Wireless
      source-zone trust
      destination-zone untrust
      source-address 192.168.2.0 mask 255.255.255.0
      action permit
    #

  • FW2

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    #
    interface GigabitEthernet1/0/5.1
     vrrp vrid 1 virtual-ip 192.168.1.254 standby
    #
    interface GigabitEthernet1/0/5.2
     vrrp vrid 2 virtual-ip 192.168.2.254 active
    #
     hrp enable
     hrp interface GigabitEthernet1/0/1 remote 15.1.1.1
     hrp mirror session enable
    #
    # 配置hrp后,安全策略配置从HRP_M[FW1]同步,不能在HRP_S[FW2]配置
    #

  • FW3

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    #
    nat server 0 protocol tcp global 100.1.1.1 8080 inside 172.16.1.1 www
    #
    security-policy
     rule name web
      source-zone untrust
      destination-zone trust
      destination-address 172.16.1.0 mask 255.255.255.0
      service http
      action permit
    #

  • 验证

任务6:公网静态路由配置

  • FW1

    1
    2
    ip route-static 0.0.0.0 0.0.0.0 10.2.1.2
    ip route-static 100.1.1.1 255.255.255.255 10.2.2.2

  • FW2

    1
    2
    ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
    ip route-static 100.1.1.1 255.255.255.255 10.3.2.2

  • FW3

    1
    2
    ip route-static 0.0.0.0 0.0.0.0 20.1.3.1
    ip route-static 100.1.1.1 255.255.255.255 NULL0

  • PE1

    1
    2
    ip route-static 192.168.2.0 255.255.255.0 10.2.1.1
    ip route-static 192.168.2.0 255.255.255.0 10.3.1.1

任务7:公网动态路由配置

  • PE1

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    #
    isis 1
     is-level level-2
     network-entity 01.0000.0010.0100.1001.00
     domain-authentication-mode md5 cipher ICTEXAM
    #
    interface LoopBack0
     isis enable 1
    #
    interface GigabitEthernet0/0/2
     isis enable 1
    #
    bgp 100
     router-id 1.1.1.1
     peer 2.2.2.2 as-number 100 
     peer 2.2.2.2 connect-interface LoopBack0
    #

  • PE2

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    #
    isis 1
     is-level level-2
     network-entity 01.0000.0020.0200.2002.00
     domain-authentication-mode md5 cipher ICTEXAM
    #
    interface LoopBack0
     isis enable 1
    #
    interface GigabitEthernet0/0/1
     isis enable 1
    #
    bgp 100
     router-id 3.3.3.3
     peer 2.2.2.2 as-number 100 
     peer 2.2.2.2 connect-interface LoopBack0
     peer 20.1.4.2 as-number 200  
    #

  • P

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    #
    isis 1
     is-level level-2
     network-entity 01.0000.0030.0300.3003.00
     domain-authentication-mode md5 cipher ICTEXAM
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255 
     isis enable 1
    #
    interface GigabitEthernet0/0/1
     isis enable 1
    #
    interface GigabitEthernet0/0/2
     isis enable 1
    #
    bgp 100
     router-id 2.2.2.2
     group ibgpv4 internal
     peer ibgpv4 connect-interface LoopBack0
     peer 1.1.1.1 as-number 100 
     peer 1.1.1.1 group ibgpv4 
     peer 3.3.3.3 as-number 100 
     peer 3.3.3.3 group ibgpv4 
    #
     ipv4-family unicast
      peer ibgpv4 enable
      peer ibgpv4 reflect-client
      peer 1.1.1.1 group ibgpv4 
      peer 3.3.3.3 group ibgpv4 
     #

  • Internet

    1
    2
    3
    4
    5
    6
    #
    bgp 200
     router-id 16.16.16.16
     peer 20.1.4.1 as-number 100 
     network 16.16.16.16 255.255.255.255 
    #

  • FW3

    1
    2
    3
    4
    5
    6
    7
    8
    9
    #
    ospf 100
     default-route-advertise
     area 0.0.0.0
      network 30.1.1.1 0.0.0.0
    #
    interface GigabitEthernet1/0/1
     ospf network-type p2p
    #

  • DC-GW

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    #
    interface GigabitEthernet0/0/1
     ospf network-type p2p
    #
    ospf 100 router-id 11.11.11.11 
     area 0.0.0.0 
      network 11.11.11.11 0.0.0.0 
      network 30.1.1.2 0.0.0.0 
      network 30.1.2.1 0.0.0.0 
      network 30.1.3.1 0.0.0.0 
    #

  • Leaf1

    1
    2
    3
    4
    5
    6
    7
    #
    ospf 100 router-id 12.12.12.12 
     area 0.0.0.0 
      network 12.12.12.12 0.0.0.0 
      network 30.1.2.2 0.0.0.0 
      network 172.16.1.254 0.0.0.0 
    #

  • Leaf2

    1
    2
    3
    4
    5
    6
    #
    ospf 100 router-id 13.13.13.13 
     area 0.0.0.0 
      network 13.13.13.13 0.0.0.0 
      network 30.1.3.2 0.0.0.0 
    #

  • 验证

任务8:MPLS VPN

  • PE1

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    #
    bgp 100
     #
     ipv4-family unicast
      import-route static
     # 
     ipv4-family vpnv4
      peer 2.2.2.2 enable
    #
    mpls lsr-id 1.1.1.1
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/0/2
     mpls
     mpls ldp
    #
    ip vpn-instance ToDC
      route-distinguisher 100:1
      vpn-target 200:1 both
    #
    interface GigabitEthernet0/0/1.1
     ip binding vpn-instance ToDC
     ip address 10.2.2.2 255.255.255.252 
    #
    interface GigabitEthernet3/0/0.1
     ip binding vpn-instance ToDC
     ip address 10.3.2.2 255.255.255.252 
    #
    ip route-static vpn-instance ToDC 192.168.0.0 255.255.0.0 10.2.2.1
    ip route-static vpn-instance ToDC 192.168.0.0 255.255.0.0 10.3.2.1
    #
    #
    bgp 100
     #
     ipv4-family vpn-instance ToDC 
      import-route static
    #

  • PE2

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    #
    bgp 100
     #
     ipv4-family unicast
      peer 2.2.2.2 next-hop-local 
     # 
     ipv4-family vpnv4
      peer 2.2.2.2 enable
    #
    mpls lsr-id 3.3.3.3
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/0/1
     mpls
     mpls ldp
    #
    ip vpn-instance ToDC
      route-distinguisher 100:1
      vpn-target 200:1 both
    #
    interface GigabitEthernet0/0/2
     ip binding vpn-instance ToDC
     ip address 20.1.3.1 255.255.255.252 
    #
    #
    bgp 100
     #
     ipv4-family vpn-instance ToDC 
      peer 20.1.3.2 as-number 300 
    #

  • P

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    #
    bgp 100
     # 
     ipv4-family vpnv4
      undo policy vpn-target
      peer ibgpv4 enable
      peer ibgpv4 reflect-client
      peer 1.1.1.1 group ibgpv4 
      peer 3.3.3.3 group ibgpv4 
    #
    mpls lsr-id 2.2.2.2
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/0/1
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/0/2
     mpls
     mpls ldp
    #

  • FW3

    1
    2
    3
    4
    5
    6
    7
    #
    bgp 300
     peer 20.1.3.1 as-number 100
     #
     ipv4-family unicast
      import-route static
    #

  • dis bgp vpnv4 all peer

  • dis mpls ldp int

  • dis mpls ldp peer

  • dis ip vpn-instance verbose

  • dis bgp vpnv4 all routing-table

任务9:GRE

  • Leaf1

    1
    2
    3
    4
    5
    6
    7
    8
    9
    #
    interface Tunnel0/0/0
     ip address 173.1.2.1 255.255.255.252 
     tunnel-protocol gre
     source 12.12.12.12
     destination 13.13.13.13
    #
    ip route-static 172.16.2.0 255.255.255.0 173.1.2.2
    #

  • Leaf2

    1
    2
    3
    4
    5
    6
    7
    8
    9
    #
    interface Tunnel0/0/0
     ip address 173.1.2.2 255.255.255.252 
     tunnel-protocol gre
     source 13.13.13.13
     destination 12.12.12.12
    #
    ip route-static 172.16.3.0 255.255.255.0 173.1.2.1
    #

任务10:WLAN

  • FW1/FW2

    1
    2
    3
    4
    5
    6
    7
    #
    interface GigabitEthernet1/0/5.1
     service-manage ping permit
    #
    interface GigabitEthernet1/0/5.2
     service-manage ping permit
    #

  • AC

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    #
    vlan batch 19 to 20
    #
    dhcp enable
    #
    ip pool For_AP
     gateway-list 192.168.19.254 
     network 192.168.19.0 mask 255.255.255.0 
    #
    ip pool STA
     gateway-list 192.168.2.254
     network 192.168.2.0 mask 255.255.255.0 
     excluded-ip-address 192.168.2.1 192.168.2.3 
    #
    interface Vlanif19
     ip address 192.168.19.254 255.255.255.0
     dhcp select global
    #
    interface Vlanif20
     ip address 192.168.2.1 255.255.255.0
     dhcp select global
    #
    #
    capwap source interface vlanif19
    #
    wlan
     security-profile name s1
      security wpa-wpa2 psk pass-phrase Huawei@123 aes
     ssid-profile name s1
      ssid ICT
     vap-profile name p1
      forward-mode tunnel
      service-vlan vlan-id 20
      ssid-profile s1
      security-profile s1
     ap-group name default
      radio 0
       vap-profile p1 wlan 1
     ap-id 1 type-id 56 ap-mac 00e0-fcef-0250 ap-sn 2102354483100961AE61
      ap-group default
    #

综合测试

  • Web-Client访问Web-Server

    image-20240724115158242

  • FW3查看会话

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    <FW3>dis firewall session table verbose
    2024-07-24 03:54:01.520 
     Current Total Sessions : 2
     http  VPN: public --> public  ID: c487fdedb993138324f66a07acf
     Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:05
     Recv Interface: GigabitEthernet1/0/2
     Interface: GigabitEthernet1/0/1  NextHop: 30.1.1.2  MAC: 00e0-fc45-0d43
     <--packets: 5 bytes: 515 --> packets: 6 bytes: 399
     192.168.1.1:2050 --> 100.1.1.1:8080[172.16.1.1:80] PolicyName: web
     TCP State: close

     bgp  VPN: public --> public  ID: c487fdedb99d128393566a074da
     Zone: untrust --> local  TTL: 00:20:00  Left: 00:20:00
     Recv Interface: GigabitEthernet1/0/2
     Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
     <--packets: 64 bytes: 3,158 --> packets: 68 bytes: 3,404
     20.1.3.1:49928 --> 20.1.3.2:179 PolicyName: ---
     TCP State: established

    <FW3>

  • VM1和VM2互相ping测试

    image-20240724120153111

  • 无线客户端PC1 ping测试

    image-20240724120408833

最后

  • 个人觉得整个拓扑的就必上一篇文的规模小多了,量也没那么大,技术要点也不考察那么细致
  • 貌似模拟器的USG防火墙有bug,拓扑中FW3与PE2建立EBGP,FW3与DC-GW建立OSPF,均不用配置安全策略就能建立起邻居关系
  • 就不过多总结了,都在敲击键盘的过程中了
  • 把文中的配置复制粘贴进对应设备最终就能实现综合测试的结果
  • ……
  • 可能有更好的实现需求的配置答案(山外有山)
  • 文件存阿里云盘了,这是链接:[分享的文件]
  • 欢迎“来电”来函探讨。
#ICT #ensp实验 #解题 #华为 #搓一搓 #真的卡
在Rocky Linux 8.7虚拟机安装Gogs的记录 2021-2022华为ICT大赛(全球)实验题研究
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×