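Notes: Draw number:
1. Read the questions and the answer sheet carefully and complete them as required; otherwise your score will be affected.
2. The exam paper, answer sheet, printed materials and other materials may not be taken out of the exam room, and each must carry the drawn group number. Anything missing, or without a clearly written group number, will not be scored. Any work that reveals the author's identity scores 0.
3. All virtual machine files must be saved on the last disk partition of the host; otherwise they will not be scored.
4. Screenshots must be saved in PNG format on the desktop of the host that corresponds to the virtual machine; content not captured as required will not be scored.
5. All operating system passwords are set uniformly to 123+shenz
6. Fill in the addresses of the topology diagram correctly on the answer sheet, and connect the network devices according to the diagram!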
Network address plan (interfaces may be chosen according to the implementation)

| Device | IP address | Remarks |
|--------|------------|---------|
| SW1 | 172.16.75.1/24 | |
| FW | 214.125.128.1/24 | |
| FW | 172.16.1.1/24 | |
| FW | 198.177.1.3/24 | |
| RA | 214.125.128.2/24 | |
| RA | 136.177.78.65/24 | |
| RB | 198.177.1.4/24 | |
| RB | 110.31.48.1/24 | |
| RC | 10.1.1.1/24 | |
| RC | 136.177.78.66/24 | |
| RC | 110.31.48.2/24 | |
| SW2 | 10.1.1.2/24 | |
| AC | 192.168.10.1/24 | |
| AP | 192.168.20.1/24 | |
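2. On WG, create VLAN110 with ports f0/1-6, VLAN120 with ports f0/7-12, and VLAN130 with ports f0/13-18; use the last IP address as the gateway address; IP addresses are obtained automatically.
1. On the WG switch, configure F0/5 to allow only 5 hosts to connect and F0/6 to allow only 1 host.
2. SW1's F0/21 is connected to WG's F0/19.
3. Configure CHAP authentication on the serial links between RA, RB and RC.
4. Configure NAT on RC so that the internal network can be translated to public IP addresses to access the Internet.
5. FW, RA and RC run OSPF area 1; FW, RB and RC run OSPF area 2; RC and SW2 run OSPF area 20.
6. Configure an IPsec VPN between RA and RC, with the key 87654321 and the transform set esp-3des and esp-md5-hmac.
7. Configure so that, as seen from RC, all traffic goes via RA.
8. On FW, configure P2P upstream as 2M.
9. Configure URL filtering on FW for the qq.com site and its sub-sites.
10. On SW2, configure the internal network so that it can access the public network only on working days (9:00~18:00); nothing else is restricted.
11. On AC, configure DHCP so that wireless users can obtain an IP address, use the SSID x-shenz, configure WPA2 encryption, and register the AP with the AC; the AP's IP is 192.168.20.1/24.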
! WG
hostname WG
interface FastEthernet0/1
 switchport access vlan 110
interface FastEthernet0/2
 switchport access vlan 120
interface FastEthernet0/3
 switchport access vlan 130
interface FastEthernet0/15
 switchport mode trunk
! DHCP pools for VLAN 110/120/130; the gateway is the last host address (.254)
ip dhcp pool vlan110
 network 192.168.110.0 255.255.255.0
 default-router 192.168.110.254
ip dhcp pool vlan120
 network 192.168.120.0 255.255.255.0
 default-router 192.168.120.254
ip dhcp pool vlan130
 network 192.168.130.0 255.255.255.0
 default-router 192.168.130.254
! SW1 (172.16.75.1 in the address plan)
interface FastEthernet0/0
 no switchport
 ip address 172.16.75.1 255.255.0.0
interface FastEthernet0/1
 switchport access vlan 100
interface FastEthernet0/2
 switchport access vlan 200
interface FastEthernet0/15
 switchport mode trunk
! SVIs acting as gateways for the user VLANs
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
interface Vlan110
 ip address 192.168.110.254 255.255.255.0
interface Vlan120
 ip address 192.168.120.254 255.255.255.0
interface Vlan130
 ip address 192.168.130.254 255.255.255.0
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
 network 192.168.110.0 0.0.0.255 area 0
 network 192.168.120.0 0.0.0.255 area 0
 network 192.168.130.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
! FW (172.16.1.1, 214.125.128.1 and 198.177.1.3 in the address plan)
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.0.0
interface FastEthernet1/0
 ip address 214.125.128.1 255.255.255.0
interface FastEthernet2/0
 ip address 198.177.1.3 255.255.255.0
! Area 0 border; the virtual link across area 1 ends on RC (router-id 2.2.2.2)
router ospf 1
 router-id 1.1.1.1
 area 1 virtual-link 2.2.2.2
 network 172.16.0.0 0.0.255.255 area 0
 network 198.177.1.0 0.0.0.255 area 2
 network 214.125.128.0 0.0.0.255 area 1
! RA (214.125.128.2 and 136.177.78.65 in the address plan)
username RA
! IPsec towards RC with a pre-shared key; ACL 100 selects the protected traffic
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 87654321 address 136.177.78.66
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map map 10 ipsec-isakmp
 set peer 136.177.78.66
 set transform-set set
 match address 100
interface FastEthernet0/0
 ip address 214.125.128.2 255.255.255.0
! Serial link to RC: PPP with CHAP, crypto map applied here
interface Serial1/0
 ip address 136.177.78.65 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname RC
 crypto map map
router ospf 1
 network 136.177.78.0 0.0.0.255 area 1
 network 214.125.128.0 0.0.0.255 area 1
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
! RB (198.177.1.4 and 110.31.48.1 in the address plan)
username RB
interface FastEthernet0/0
 ip address 198.177.1.4 255.255.255.0
! Serial link to RC: PPP with CHAP
interface Serial1/0
 ip address 110.31.48.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname RC
router ospf 1
 network 110.31.48.0 0.0.0.255 area 2
 network 198.177.1.0 0.0.0.255 area 2
! RC (10.1.1.1, 136.177.78.66 and 110.31.48.2 in the address plan)
username RC
! IPsec towards RA with a pre-shared key; ACL 100 selects the protected traffic
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 87654321 address 136.177.78.65
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map map 10 ipsec-isakmp
 set peer 136.177.78.65
 set transform-set set
 match address 100
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
! Serial link to RA: NAT outside, PPP with CHAP, crypto map applied here
interface Serial2/0
 ip address 136.177.78.66 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 serial restart-delay 0
 ppp authentication chap
 ppp chap hostname RA
 crypto map map
! Serial link to RB: NAT outside, PPP with CHAP
interface Serial2/1
 ip address 110.31.48.2 255.255.255.0
 ip nat outside
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname RB
! The virtual link across area 1 ends on FW (router-id 1.1.1.1)
router ospf 1
 router-id 2.2.2.2
 area 1 virtual-link 1.1.1.1
 network 10.1.1.0 0.0.0.255 area 20
 network 110.31.48.0 0.0.0.255 area 2
 network 136.177.78.0 0.0.0.255 area 1
! ACL 120 selects NAT traffic for Serial2/0, ACL 130 for Serial2/1
ip nat inside source list 120 interface Serial2/0 overload
ip nat inside source list 130 interface Serial2/1 overload
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
access-list 130 deny ip 192.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.20.0 0.0.0.255 any
! SW2 (10.1.1.2 in the address plan)
interface FastEthernet0/0
 no switchport
 ip address 10.1.1.2 255.255.255.0
interface FastEthernet0/1
 switchport access vlan 30
interface FastEthernet0/2
 switchport access vlan 40
interface FastEthernet0/3
 switchport access vlan 30
interface FastEthernet0/4
 switchport access vlan 40
interface FastEthernet0/5
 switchport access vlan 111
interface Vlan30
 ip address 192.168.10.254 255.255.255.0
! VLAN 40 and VLAN 111 relay DHCP requests to 192.168.10.1
interface Vlan40
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.1
interface Vlan111
 ip address 192.168.111.254 255.255.255.0
 ip helper-address 192.168.10.1
router ospf 1
 network 10.1.1.0 0.0.0.255 area 20
 network 192.168.10.0 0.0.0.255 area 20
 network 192.168.20.0 0.0.0.255 area 20
ip dhcp pool vlan30
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
ip dhcp pool vlan40
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
! AC (192.168.10.1 in the address plan)
interface FastEthernet0/1
 switchport access vlan 30
interface Vlan30
 ip address 192.168.10.1 255.255.255.0
! Default route via the VLAN 30 gateway on SW2
ip route 0.0.0.0 0.0.0.0 192.168.10.254
! AP (assumed from its position as the last device; address obtained via DHCP)
interface FastEthernet0/0
 ip address dhcp
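1. When configuring NAT, DENY the traffic that goes through IPsec.
2. When configuring IPsec, never use per an an (permit any any); configure the specific traffic.
3. For PPP CHAP, configure the interface to authenticate using the peer's username.
4. AREA 0 and the virtual link must be configured; otherwise AREA 20 cannot learn the routes of the whole network, even though the other routers can learn them.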
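Notes 1 and 2 can be checked mechanically against the ACLs above. The following is an added example, not part of the original answer: it parses the RA and RC access lists copied from this page and reports a crypto ACL that uses `any`, a NAT ACL whose first matching entry would translate tunnel traffic, and (going one step beyond the notes) crypto ACLs on the two peers that are not mirror images. The function names `parse_acl` and `check` are hypothetical.

```python
import ipaddress
import re

# ACL lines copied from the RA and RC configurations on this page.
RA_ACLS = """\
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
RC_ACLS = """\
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
ACE = re.compile(r"access-list (\d+) (permit|deny) ip (.+)")

def take_addr(tokens):
    """Consume 'any' or 'network wildcard' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    # ip_network() accepts a wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text, number):
    """Return [(action, src, dst)] for one numbered extended ACL, in order."""
    entries = []
    for m in map(ACE.match, text.splitlines()):
        if m and int(m.group(1)) == number:
            src, rest = take_addr(m.group(3).split())
            dst, _ = take_addr(rest)
            entries.append((m.group(2), src, dst))
    return entries

def check(local_crypto, peer_crypto, nat):
    """Check notes 1 and 2 for one side of the tunnel; return a list of findings."""
    findings = []
    permits = [(s, d) for a, s, d in local_crypto if a == "permit"]
    if any(ANY in pair for pair in permits):
        findings.append("crypto ACL uses 'any'")
    if set(permits) != {(d, s) for a, s, d in peer_crypto if a == "permit"}:
        findings.append("crypto ACLs are not mirror images")
    for s, d in permits:
        # NAT ACLs are first-match: the first overlapping entry must be a deny.
        hit = next((a for a, ns, nd in nat if s.overlaps(ns) and d.overlaps(nd)), None)
        if hit == "permit":
            findings.append(f"NAT translates tunnel traffic {s} -> {d}")
    return findings

if __name__ == "__main__":
    print(check(parse_acl(RC_ACLS, 100), parse_acl(RA_ACLS, 100), parse_acl(RC_ACLS, 120)))
```
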