telnet
[Huawei]aaa //enter the AAA view
[Huawei-aaa]local-user test password simple 123
//create an account named test with the plaintext (simple) password 123
[Huawei-aaa]local-user test service-type telnet
//allow the test account to log in over telnet
[Huawei-aaa]local-user test privilege level 15
//raise the test user's privilege to level 15 (15 is the highest)
[Huawei-aaa]local-user test idle-timeout 300
//set the idle timeout of the test user to 300 s
[Huawei]user-interface vty 0 4
//enter the VTY 0-4 user interfaces, which carry the telnet sessions
[Huawei-ui-vty0-4]authentication-mode aaa
//authenticate logins against the AAA local users
DHCP setup
[Huawei]dhcp enable //enable the DHCP service
[Huawei]ip pool dhcppool //create an address pool named dhcppool
[Huawei-ip-pool-dhcppool]network 192.168.2.1 mask 255.255.255.0
//declare the subnet of the pool
[Huawei-ip-pool-dhcppool]dns-list 8.8.8.8
//set the DNS server
[Huawei-ip-pool-dhcppool]gateway-list 192.168.2.254
//set the gateway
[Huawei-ip-pool-dhcppool]excluded-ip-address 192.168.2.1
//this address is never handed out
[Huawei]vlan 20
[Huawei-vlan20]interface Vlanif 20
[Huawei-Vlanif20]ip address 192.168.2.1 255.255.255.0
[Huawei-Vlanif20]dhcp select global //serve DHCP on this interface from the global pool
[Huawei-Vlanif20]interface GigabitEthernet 0/0/20
[Huawei-GigabitEthernet0/0/20]port link-type access
[Huawei-GigabitEthernet0/0/20]port default vlan 20
PPP PAP and CHAP authentication
[r1]interface Serial 2/0/0 //enter serial port 2
[r1-Serial2/0/0]ip address 10.0.0.1 255.255.255.0 //add an IP address
[r1-Serial2/0/0]link-protocol ppp //set the link protocol to PPP
[r1-Serial2/0/0]ppp authentication-mode pap //r1 authenticates the peer with PAP
[r1]aaa //enter the AAA view
[r1-aaa]local-user zhanghao password cipher mima //add the account zhanghao with password mima
[r1-aaa]local-user zhanghao service-type ppp //allow zhanghao to be used for PPP
[r1]rip //enable RIP
[r1-rip-1]version 2 //use RIP version 2
[r1-rip-1]network 10.0.0.0 //advertise the 10.0.0.0 network
[r2]interface Serial 2/0/0
[r2-Serial2/0/0]link-protocol ppp
[r2-Serial2/0/0]ip address 10.0.0.2 255.255.255.0
[r2-Serial2/0/0]ppp pap local-user zhanghao password cipher mima
//r2 authenticates itself to r1 over PAP with zhanghao / mima
[r2]rip
[r2-rip-1]version 2
[r2-rip-1]network 10.0.0.0
[r3]interface Serial 2/0/1
[r3-Serial2/0/1]ip address 10.0.1.2 255.255.255.0
[r3-Serial2/0/1]link-protocol ppp
[r3-Serial2/0/1]ppp authentication-mode chap //r3 authenticates the peer with CHAP
[r3]aaa
[r3-aaa]local-user zhanghao password cipher mima
[r3-aaa]local-user zhanghao service-type ppp
[r3]rip
[r3-rip-1]version 2
[r3-rip-1]network 10.0.0.0
[r2]interface Serial 2/0/1
[r2-Serial2/0/1]ip address 10.0.1.1 255.255.255.0
[r2-Serial2/0/1]link-protocol ppp
[r2-Serial2/0/1]ppp chap user zhanghao //CHAP user name zhanghao
[r2-Serial2/0/1]ppp chap password simple mima //CHAP password mima
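The difference between the two links configured above is what crosses the wire. The following is an added example, not part of the notes and not Huawei code: it simulates the RFC 1994 CHAP exchange (MD5 over Identifier, secret and Challenge) that r3 and r2 perform with the local-user zhanghao / mima from the notes, and, for contrast, builds the PAP Authenticate-Request that the r1 / r2 link carries. The Challenge bytes and identifiers are constructed here; the user name and password are the ones in the notes.

```python
"""CHAP vs PAP for the PPP links above (added example; not from the notes).

r3 authenticates r2 with CHAP using local-user zhanghao / mima. The
authenticator sends a random Challenge, the peer answers with
MD5(Identifier || secret || Challenge), and the authenticator recomputes the
digest from its own local-user table. The secret never appears on the link.
pap_on_the_wire() shows what the r1/r2 PAP link carries instead.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Authenticator's local-user table (r3: local-user zhanghao password cipher mima)
LOCAL_USERS: Dict[str, str] = {"zhanghao": "mima"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def authenticator_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable Challenge for every attempt."""
    return os.urandom(length)


def peer_reply(identifier: int, challenge: bytes, name: str, secret: str) -> Dict[str, bytes]:
    """Peer side (r2: ppp chap user / ppp chap password): sends only name + digest."""
    return {"name": name.encode(), "value": chap_response(identifier, secret, challenge)}


def authenticator_verify(identifier: int, challenge: bytes, reply: Dict[str, bytes],
                         users: Optional[Dict[str, str]] = None) -> bool:
    """Authenticator side: look the name up locally and compare digests in constant time."""
    users = LOCAL_USERS if users is None else users
    secret = users.get(reply["name"].decode(errors="replace"))
    if secret is None:
        return False                       # unknown user -> CHAP Failure
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, reply["value"])


def run_chap(name: str, secret: str, identifier: int = 1,
             challenge: Optional[bytes] = None) -> bool:
    """One full Challenge -> Response -> Success/Failure round trip."""
    if challenge is None:
        challenge = authenticator_challenge()
    reply = peer_reply(identifier, challenge, name, secret)
    return authenticator_verify(identifier, challenge, reply)


def pap_on_the_wire(name: str, secret: str) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): both fields are plain text."""
    n, s = name.encode(), secret.encode()
    return bytes([len(n)]) + n + bytes([len(s)]) + s


if __name__ == "__main__":
    print("CHAP zhanghao/mima :", run_chap("zhanghao", "mima"))
    print("CHAP zhanghao/wrong:", run_chap("zhanghao", "wrong"))
    print("PAP bytes on link  :", pap_on_the_wire("zhanghao", "mima"))
```

Because the Identifier is part of the hash input, a Response captured for one Challenge/Identifier pair is not accepted for another, which is the property a `ppp chap` link has and a `ppp pap` link lacks.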
PPPoE
[server2]ip pool pppoe //create the PPPoE address pool
[server2-ip-pool-pppoe]network 10.0.0.0 mask 255.255.255.0
[server2-ip-pool-pppoe]gateway-list 10.0.0.254
[server2]interface Virtual-Template 1 //create the VT interface
To let Ethernet, which is itself a Layer 2 protocol, carry PPP, a Virtual-Template (VT) interface has to be configured. A VT is a virtual interface that lets several protocols of the same layer be encapsulated on one link. A physical Ethernet interface already encapsulates Ethernet by default and cannot encapsulate another WAN protocol, so a VT is used to emulate a (WAN) PPP interface, other protocols such as PPP are encapsulated on it, and finally the VT is bound to the physical interface, nesting PPP inside Ethernet. The PPP settings therefore belong on the VT: PPP authentication, the encryption method, IPCP negotiation and so on.
[server2-Virtual-Template1]ppp authentication-mode chap //authenticate clients with CHAP
[server2-Virtual-Template1]ip address 10.0.0.254 255.255.255.0 //add the VT IP address
[server2-Virtual-Template1]remote address pool pppoe //assign remote clients addresses from the pool
[server2-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1
//bind the physical interface to the virtual interface
[server2-aaa]local-user zhanghao password cipher mima
[server2-aaa]local-user zhanghao service-type ppp
[client1]dialer-rule //enter the dialer-rule view, used to match the traffic allowed to trigger PPPoE dialing
[client1-dialer-rule]dialer-rule 1 ip permit //rule 1 lets all IP packets trigger dialing
[client1]interface Dialer 1 //create Dialer 1
The DCC (Dial Control Center) virtual dial interface (dialer) is the interface dedicated to controlling dialing. Everything is configured under it: the encapsulation protocol, PPP authentication, automatic IP address acquisition, the user name the dialer uses, the wait time for establishing the PPPoE connection, the dialer group the interface belongs to, the dialer bundle number (the number used when binding to the physical interface), NAT and so on.
[client1-Dialer1]dialer user 1 //enable shared DCC on Dialer 1; the corresponding peer user name is "1"
[client1-Dialer1]dialer-group 1 //place the interface in dialer access group 1
[client1-Dialer1]dialer bundle 1 //a shared-DCC dialer uses a dialer bundle
[client1-Dialer1]ppp chap user zhanghao //CHAP user name
[client1-Dialer1]ppp chap password cipher mima //CHAP password
[client1-Dialer1]ip address ppp-negotiate //obtain the address through IPCP
[client1-Dialer1]dialer timer idle 300 //go offline after 300 s without traffic
[client1-Dialer1]dialer queue-length 8 //queue buffer length of the dial interface
[client1-GigabitEthernet0/0/1]pppoe-client dial-bundle-number 1 //the interface sets up the PPPoE session
[client1]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
ACL
[Huawei]acl 3000 //advanced ACL 3000; the rules below belong to it
[Huawei-acl-adv-3000]rule 5 permit tcp source 10.0.0.2 0 destination 10.0.0.0 0.0.0.255 destination-port eq telnet //allow telnet
[Huawei-acl-adv-3000]rule 10 deny ip //deny everything else
traffic-filter inbound acl 3000 //interface view: apply the ACL to inbound traffic
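The two rules are easier to reason about once the wildcard masks are spelled out. Below is an added example, not from the notes or from Huawei: a small evaluator that encodes acl 3000 exactly as written above (`source 10.0.0.2 0` is one host, `destination 10.0.0.0 0.0.0.255` is a /24, `telnet` is TCP port 23) and runs constructed sample packets through it in rule-number order. The same wildcard semantics apply to the OSPF `network` statements later on the page; the default of permit when no rule matches is my understanding of VRP's `traffic-filter` behaviour, which is why rule 10 is there.

```python
"""Wildcard-mask ACL matching for the acl 3000 rules above (added example;
not from the notes or from Huawei). In VRP ACLs the second address is a
wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored. Rules are
tried in ascending rule-number order and the first match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # wildcard of all ones: match anything


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard has a 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF                  # bits that must be compared
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches any protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None             # destination-port eq <port>

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


# acl 3000 from the notes. VRP writes the single-host wildcard as "0",
# which is the same as 0.0.0.0; "telnet" is TCP port 23.
ACL_3000: List[Rule] = [
    Rule(5, "permit", "tcp", ("10.0.0.2", "0.0.0.0"), ("10.0.0.0", "0.0.0.255"), 23),
    Rule(10, "deny", "ip"),
]


def evaluate(acl: List[Rule], pkt: Dict, default: str = "permit") -> Tuple[str, Optional[int]]:
    """First matching rule decides; `default` applies when nothing matches."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default, None


# Constructed sample packets: src, dst, protocol, destination port
SAMPLE_PACKETS = [
    {"src": "10.0.0.2", "dst": "10.0.0.5", "proto": "tcp", "dport": 23},   # allowed telnet
    {"src": "10.0.0.3", "dst": "10.0.0.5", "proto": "tcp", "dport": 23},   # wrong source host
    {"src": "10.0.0.2", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},   # ssh, not telnet
    {"src": "10.0.0.2", "dst": "10.0.1.5", "proto": "tcp", "dport": 23},   # outside the /24
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", evaluate(ACL_3000, p))
```

Dropping rule 10 and re-running the last three packets shows why the explicit `deny ip` matters: with the permit-by-default evaluation they would all be allowed through.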
Easy IP
nat outbound 2000 //interface view: translate the inside addresses matched by basic ACL 2000 to the outbound interface's own address
IPsec ***
[Huawei]sysname isp
[isp]interface LoopBack 0
[isp-LoopBack0]ip address 2.2.2.2 255.255.255.0
[isp-LoopBack0]interface Serial 2/0/0
[isp-Serial2/0/0]ip address 10.0.0.2 255.255.255.0
[isp-Serial2/0/0]interface Serial 2/0/1
[isp-Serial2/0/1]ip address 10.0.1.1 255.255.255.0
[isp]ospf 1 router-id 2.2.2.2
[isp-ospf-1]area 0
[isp-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[isp-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[isp-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255
[Huawei]sysname home
[home]interface LoopBack 0
[home-LoopBack0]ip address 1.1.1.1 255.255.255.0
[home]interface Serial 2/0/0
[home-Serial2/0/0]ip address 10.0.0.1 255.255.255.0
[home]ospf 1 router-id 1.1.1.1
[home-ospf-1]area 0
[home-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[home-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255 //wildcard mask, the same form as the other network statements
[home]acl 3000
[home-acl-adv-3000]rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
[home]ipsec proposal *** //create a transform set named *** (the name is masked in the source)
[home-ipsec-proposal-***]esp authentication-algorithm md5 //authentication algorithm MD5
[home-ipsec-proposal-***]esp encryption-algorithm 3des //encryption algorithm 3DES
[home]ipsec policy p1 10 manual //create security policy p1, sequence number 10, in manual mode
[home-ipsec-policy-manual-p1-10]security acl 3000 //reference the ACL
[home-ipsec-policy-manual-p1-10]proposal *** //reference the proposal
[home-ipsec-policy-manual-p1-10]tunnel local 10.0.0.1 //local tunnel IP
[home-ipsec-policy-manual-p1-10]tunnel remote 10.0.1.2 //remote tunnel IP
[home-ipsec-policy-manual-p1-10]sa spi inbound esp 54321 //set the SPIs
[home-ipsec-policy-manual-p1-10]sa spi outbound esp 12345
[home-ipsec-policy-manual-p1-10]sa string-key inbound esp simple mima //set the keys
[home-ipsec-policy-manual-p1-10]sa string-key outbound esp simple mima
[home-Serial2/0/0]ipsec policy p1 //apply the security policy on the interface
[Huawei]sysname company
[company]interface LoopBack 0
[company-LoopBack0]ip address 3.3.3.3 255.255.255.0
[company-LoopBack0]interface Serial 2/0/1
[company-Serial2/0/1]ip address 10.0.1.2 255.255.255.0
[company]ospf 1 router-id 3.3.3.3
[company-ospf-1]area 0
[company-ospf-1-area-0.0.0.0]network 3.3.3.0 0.0.0.255
[company-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[company]acl 3000
[company-acl-adv-3000]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[company]ipsec proposal ***
[company-ipsec-proposal-***]esp authentication-algorithm md5
[company-ipsec-proposal-***]esp encryption-algorithm 3des
[company]ipsec policy p1 10 manual
[company-ipsec-policy-manual-p1-10]security acl 3000
[company-ipsec-policy-manual-p1-10]proposal ***
[company-ipsec-policy-manual-p1-10]tunnel local 10.0.1.2
[company-ipsec-policy-manual-p1-10]tunnel remote 10.0.0.1
[company-ipsec-policy-manual-p1-10]sa spi inbound esp 12345 //inbound/outbound SPIs and keys mirror the home side
[company-ipsec-policy-manual-p1-10]sa spi outbound esp 54321
[company-ipsec-policy-manual-p1-10]sa string-key inbound esp simple mima
[company-ipsec-policy-manual-p1-10]sa string-key outbound esp simple mima
[company-Serial2/0/1]ipsec policy p1
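A reviewer reading the telnet/AAA block and the manual-keyed IPsec block above would flag the same handful of settings every time: plaintext `password simple` credentials, telnet as the management protocol, a level-15 account, PAP on a serial link, MD5/3DES in the proposal, and manual SAs whose keys are typed in as `simple`. The script below is an added example, not part of the notes and not a Huawei tool: a small offline audit that scans a configuration in `display current-configuration` style for those patterns and also checks that every `user-interface vty` block has an ACL bound inside it. SAMPLE_CONFIG is constructed from the notes with the prompts stripped; the proposal name `p-legacy` is a placeholder for the masked name in the source, and the remediation hints are generic (the exact replacement keywords depend on the VRP version).

```python
"""Offline audit of VRP configuration text (added example; not from the
notes or from Huawei). Flags plaintext credentials, cleartext management
protocols, legacy IPsec algorithms, manual SA keying and VTY lines without
a management ACL. Returns (line_number, severity, message) tuples.
"""
import re
from typing import List, Tuple

# Constructed from the notes above with the "[...]" prompts removed.
# The proposal name "p-legacy" is a placeholder for the masked name.
SAMPLE_CONFIG = """\
aaa
 local-user test password simple 123
 local-user test service-type telnet
 local-user test privilege level 15
 local-user zhanghao password cipher mima
 local-user zhanghao service-type ppp
user-interface vty 0 4
 authentication-mode aaa
interface Serial2/0/0
 ppp authentication-mode pap
ipsec proposal p-legacy
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
ipsec policy p1 10 manual
 sa string-key inbound esp simple mima
"""

# (regex on the stripped line, severity, message)
CHECKS = [
    (r"password simple\b", "high",
     "credential stored in plaintext; use `password cipher`"),
    (r"service-type telnet\b", "high",
     "telnet carries the session in cleartext; prefer SSH"),
    (r"privilege level 15\b", "medium",
     "level-15 account; confirm it needs full administrative rights"),
    (r"ppp authentication-mode pap\b", "medium",
     "PAP sends user name and password unencrypted; CHAP is preferred"),
    (r"esp authentication-algorithm (md5|sha1)\b", "medium",
     "legacy ESP integrity algorithm"),
    (r"esp encryption-algorithm (des|3des)\b", "high",
     "legacy ESP cipher; use an AES option"),
    (r"^ipsec policy \S+ \d+ manual\b", "medium",
     "manual SA keying: fixed SPI and key, no rekeying; use IKE"),
    (r"string-key .* simple\b", "high",
     "IPsec key stored in plaintext"),
]

VTY_MSG = "no management ACL bound to the VTY lines"


def audit(config: str) -> List[Tuple[int, str, str]]:
    """Scan config text; a line starting at column 0 opens a new view."""
    findings: List[Tuple[int, str, str]] = []
    in_vty, vty_line, vty_has_acl = False, 0, False
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            # Leaving a VTY block: report it if no `acl` line was seen inside
            if in_vty and not vty_has_acl:
                findings.append((vty_line, "medium", VTY_MSG))
            in_vty = line.startswith("user-interface vty")
            vty_line, vty_has_acl = no, False
        elif in_vty and line.startswith("acl "):
            vty_has_acl = True
        for pattern, severity, message in CHECKS:
            if re.search(pattern, line):
                findings.append((no, severity, message))
    if in_vty and not vty_has_acl:
        findings.append((vty_line, "medium", VTY_MSG))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> dict:
    """Count findings per severity."""
    counts: dict = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for no, severity, message in audit(SAMPLE_CONFIG):
        print(f"line {no:>3} [{severity:6}] {message}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Run against a real `display current-configuration` dump the same checks apply unchanged; the VTY check is the one that needs the view structure, which is why the scanner tracks indentation instead of matching lines in isolation.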