HCDP-IENP
Huawei Certification Series Course
HCDP-IENP Improving Enterprise Network Performance
Lab Guide
Huawei Technologies Co., Ltd.

Copyright Notice
Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.
All content of this book is protected by copyright law; Huawei holds all copyrights, except for content marked as quoted from other parties. Without the prior written permission of Huawei Technologies Co., Ltd., no person or organization may copy, distribute, reprint, store in an information retrieval system, or use for any other commercial purpose any content of this book in any form.
All rights reserved; infringement will be prosecuted.

Trademark Notice
[Huawei logo] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks or registered trademarks mentioned in this document are the property of their respective owners.

Introduction to the Huawei Certification System (Version 1.6)

Drawing on Huawei's strong technical capabilities and professional training system, Huawei certification takes into account customers' needs for ICT technology at different levels and is committed to providing customers with practical, professional technical certification. Based on the characteristics of ICT technology and customers' needs at different levels, Huawei certification provides a four-level certification system covering thirteen tracks.

HCDA (Huawei Certified Datacom Associate) is aimed mainly at IP network maintenance engineers and at anyone else who wishes to learn IP networking. The HCDA certification covers general IP networking fundamentals such as TCP/IP basics, routing and switching, together with Huawei datacom products and the features and basic maintenance of the Versatile Routing Platform (VRP).

HCDP-Enterprise (Huawei Certified Datacom Professional-Enterprise) is aimed mainly at enterprise network maintenance engineers, network design engineers, and anyone who wishes to gain a systematic, in-depth command of routing, switching, and network tuning and optimization. HCDP-Enterprise consists of three parts: IESN (Implement Enterprise Switching Network), IERN (Implement Enterprise Routing Network), and IENP (Improving Enterprise Network Performance). It covers IPv4 routing in depth and its implementation in VRP; switching in depth and its implementation in VRP; and advanced IP networking technologies such as network security, high availability, and QoS and their implementation in Huawei products.

HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) aims to develop IP networking masters who have a thorough command of IP networking technologies, are proficient in the maintenance, diagnosis, and troubleshooting of Huawei products, and are able to plan, design, and optimize large IP networks.

Huawei certification helps you open a window onto the industry and a door to change, and stand at the crest of the ICT world!

Preface

Introduction
This book is the HCDP-IENP certification training course. It is intended for students preparing for the HCDP-IENP exam and for readers who wish to gain a systematic command of Huawei security products and technologies, high availability (HA) technologies, QoS principles, and their implementation on the Huawei Versatile Routing Platform (VRP).

Contents
This book consists of three modules that systematically introduce Huawei security products and technologies, HA technologies, and QoS principles, together with their configuration and implementation on VRP.
Module 1 describes in detail the functional and service features of the Huawei Eudemon firewall products, giving the reader a deeper understanding of Huawei security products and network security.
Module 2 describes HA technologies in detail, helping the reader understand the principles and application of the various HA technologies.
Module 3 describes IP QoS technologies in detail, helping the reader understand QoS principles and master QoS configuration on Huawei VRP.
This book guides the reader step by step through Huawei security products and technologies, HA technologies, and QoS principles and their implementation in Huawei products; readers may also select the chapters that interest them according to their own situation.

Reader Background
To get the most out of this book, readers should first meet at least one of the following conditions:
1) Have attended HCDA training
2) Have passed the HCDA exam
3) Be familiar with the TCP/IP protocol suite and have basic networking knowledge
4) Be familiar with several routing protocols, such as OSPF, IS-IS, and BGP

Icons Used in This Book
Router, Layer 3 switch, Layer 2 switch, firewall, network cloud, Ethernet cable, serial cable

Lab Environment

Topology
This lab environment is intended for network engineers preparing for the HCDP-IENP exam. The lab equipment consists of 5 routers, 4 switches, and 2 firewalls. Each set of lab equipment accommodates 2 students working at the same time.

Equipment
To meet the needs of the HCDP-IENP labs, each lab set should use the following configuration. Device names, models, and software versions correspond as follows:

Device   Model               Software version
R1       AR 2220             Version 5.90 (V200R001C01SPC300)
R2       AR 2220             Version 5.90 (V200R001C01SPC300)
R3       AR 2220             Version 5.90 (V200R001C01SPC300)
R4       AR 1220             Version 5.90 (V200R001C01SPC300)
R5       AR 1220             Version 5.90 (V200R001C01SPC300)
S1       S5700-28C-EI-24S    Version 5.70 (V100R006C00SPC800)
S2       S5700-28C-EI-24S    Version 5.70 (V100R006C00SPC800)
S3       S3700-28TP-EI-AC    Version 5.70 (V100R006C00SPC800)
S4       S3700-28TP-EI-AC    Version 5.70 (V100R006C00SPC800)
FW1      Eudemon 200E-X2     Version 5.30 (V100R005C00SPC100)
FW2      Eudemon 200E-X2     Version 5.30 (V100R005C00SPC100)

Table of Contents
Chapter 1 Firewall Features
  Lab 1-1 Eudemon Firewall Security Zones and Other Basic Configuration
  Lab 1-2 Eudemon Firewall IPSec VPN Configuration
  Lab 1-3 Firewall Attack Defense Configuration
  Lab 1-4 Eudemon Firewall NAT Configuration
  Lab 1-5 Eudemon Firewall Hot Standby
Chapter 2 Quality of Service and Traffic Control
  Lab 2-1 QoS Basics
  Lab 2-2 Traffic Behavior Control with Traffic Policies
Chapter 3 Comprehensive Labs
  Lab 3-1 Comprehensive Lab 1 (optional)
  Lab 3-2 Comprehensive Lab 2 (optional)

Chapter 1 Firewall Features

Lab 1-1 Eudemon Firewall Security Zones and Other Basic Configuration

Learning Objectives
- Master the configuration of firewall security zones
- Master the configuration of interzone packet filtering
- Master static and dynamic blacklist configuration
- Master blacklist configuration
- Master the configuration of application-layer packet filtering

Topology
Figure 1-1 Eudemon firewall zone configuration

Scenario
You are the network administrator of your company. The headquarters network is divided into three zones: the internal zone (Trust), the external zone (Untrust), and the server zone (DMZ). You plan to use the firewall to control traffic and to add blacklist entries to defend against network attacks, so as to keep the company's internal network secure.

Lab Tasks

Step 1. Basic configuration and IP addressing
Configure addresses on the three routers.

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.1 24
[R1-GigabitEthernet0/0/1]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/1]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ip address 10.0.30.1 24
[R3-GigabitEthernet0/0/1]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24

When addressing the firewall, note that interface Ethernet1/0/0 is a Layer 2 switching interface and cannot be given an IP address. In this lab we create VLAN 12 on the firewall, define Vlanif12, and assign it an IP address as the gateway of the Inside (Trust) zone. Because the firewall assigns an address to Vlanif1 by default, that configuration is removed in the lab to avoid interference.

<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface Ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.10.254 24
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW-Ethernet2/0/0]ip address 10.0.30.254 24
[FW-Ethernet2/0/0]quit
[FW]undo interface Vlanif 1

Define the VLANs on the switch as required.

[Quidway]sysname S1
[S1]vlan batch 11 to 13
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 12
[S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 13
[S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13

After the configuration is complete, test connectivity within each zone from the FW.

[FW]ping 10.0.10.1
  PING 10.0.10.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.0.10.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

[FW]ping 10.0.20.1
  PING 10.0.20.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.20.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.20.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.20.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.20.1: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.0.20.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

[FW]ping 10.0.30.1
  PING 10.0.30.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.30.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.30.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.30.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.30.1: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.0.30.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Configure a default route on R1, R2 and R3, and explicit static routes on the FW, so that the networks on the three Loopback0 interfaces can reach one another.

[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
[FW]ip route-static 10.0.2.0 24 10.0.20.1
[FW]ip route-static 10.0.3.0 24 10.0.30.1

After the configuration is complete, test communication between the networks on the routers' Loopback0 interfaces.

[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=4 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/4 ms

[R1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=4 ms

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/4 ms

The firewall has four zones by default: "local", "trust", "untrust" and "dmz". This lab uses the three zones "trust", "untrust" and "dmz"; add the corresponding interface to each security zone.

[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0

By default, traffic between all zones passes without being checked.

[FW]dis firewall packet-filter default all
10:28:18  2011/12/24
Firewall default packet-filter action is :
packet-filter in public:
  local - trust   : inbound  : default: permit; | IPv6-acl: null
                    outbound : default: permit; | IPv6-acl: null
  local - untrust : inbound  : default: permit; | IPv6-acl: null
                    outbound : default: permit; | IPv6-acl: null
  local - dmz     : inbound  : default: permit; | IPv6-acl: null
                    outbound : default: permit; | IPv6-acl: null
  trust - untrust : inbound  : default: permit; | IPv6-acl: null
                    outbound : default: permit; | IPv6-acl: null
  trust - dmz     : inbound  : default: permit; | IPv6-acl: null
                    outbound : default: permit; | IPv6-acl: null
  dmz - untrust   : inbound  : default: permit; | IPv6-acl: null
                    outbound : default: permit; | IPv6-acl: null
packet-filter between VFW:

The output shows that, by default, every direction between every pair of security zones permits packets. Check connectivity between the zones.

Untrust zone to Trust zone:

[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms

Untrust zone to DMZ zone:

[R1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/5 ms

Trust zone to Untrust zone:

[R2]ping -a 10.0.2.2 10.0.1.1
  PING 10.0.1.1: 56  data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms

Trust zone to DMZ zone:

[R2]ping -a 10.0.2.2 10.0.3.3
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/5 ms

DMZ zone to Untrust zone:

[R3]ping -a 10.0.3.3 10.0.1.1
  PING 10.0.1.1: 56  data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms

DMZ zone to Trust zone:

[R3]ping -a 10.0.3.3 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=4 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/5 ms

Step 2. Configure interzone packet filtering
Packet filtering is a basic security policy that mainly controls the forwarding of packets between zones. Packet-filter rules are checked before any other security policy check, so whether packet filtering is configured correctly affects most of the device's functions.

Configure the default interzone packet-filter policy so that only the Trust zone may access the other zones and no access is allowed between the other zones.

[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permit interzone trust untrust direction outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound
[FW]firewall session link-state check

After the configuration is complete, test connectivity between the zones.

Untrust zone to Trust zone:

[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Untrust zone to DMZ zone:

[R1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Trust zone to Untrust zone:

[R2]ping -a 10.0.2.2 10.0.1.1
  PING 10.0.1.1: 56  data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time
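As an added illustration (not part of the lab guide), the Python model below reproduces the policy evaluation of Step 2 and the six cross-zone pings between the Loopback0 addresses: a flow from the higher-priority zone to the lower one is "outbound", and an echo reply is admitted by the session its request created rather than by the policy, which is why a one-way permit is enough for ping. The zone priority values are Huawei's documented defaults and are not stated on this page; the class and function names are my own.

```python
import ipaddress

# Built-in zone priorities (Huawei's documented defaults, not stated on this page):
# higher -> lower priority is the "outbound" direction, the reverse is "inbound".
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
# Zone of each Loopback0 network, from the Step 1 addressing and the zone assignment.
ZONE_OF_NETWORK = {"10.0.1.0/24": "untrust", "10.0.2.0/24": "trust", "10.0.3.0/24": "dmz"}
LOOPBACK = {"untrust": "10.0.1.1", "trust": "10.0.2.2", "dmz": "10.0.3.3"}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(z for net, z in ZONE_OF_NETWORK.items() if addr in ipaddress.ip_network(net))

class DefaultPacketFilter:
    def __init__(self):
        self.default_action = "permit"   # factory default: every interzone direction permits
        self.interzone = {}              # (hi_zone, lo_zone, direction) -> action
        self.sessions = set()            # (src_ip, dst_ip) of permitted first packets
    def default_all(self, action):       # firewall packet-filter default {permit|deny} all
        self.default_action, self.interzone = action, {}
    def default_interzone(self, z1, z2, direction, action):
        hi, lo = sorted((z1, z2), key=ZONE_PRIORITY.get, reverse=True)
        self.interzone[(hi, lo, direction)] = action
    def first_packet_allowed(self, src_ip, dst_ip):
        s, d = zone_of(src_ip), zone_of(dst_ip)
        if s == d:                       # traffic within one zone is not filtered
            return True
        hi, lo = sorted((s, d), key=ZONE_PRIORITY.get, reverse=True)
        direction = "outbound" if s == hi else "inbound"
        return self.interzone.get((hi, lo, direction), self.default_action) == "permit"
    def reply_allowed(self, src_ip, dst_ip):
        # A reply is matched to its request's session before the policy is consulted,
        # so it gets through even where that direction is denied by the policy.
        return (dst_ip, src_ip) in self.sessions or self.first_packet_allowed(src_ip, dst_ip)
    def ping(self, src_ip, dst_ip):
        if not self.first_packet_allowed(src_ip, dst_ip):
            return False                 # echo request dropped: "Request time out"
        self.sessions.add((src_ip, dst_ip))
        return self.reply_allowed(dst_ip, src_ip)

def connectivity_matrix(fw):             # the lab's six cross-zone pings between Loopback0s
    return {f"{s}->{d}": fw.ping(LOOPBACK[s], LOOPBACK[d])
            for s in LOOPBACK for d in LOOPBACK if s != d}

def step2_policy():                      # the Step 2 configuration of this lab
    fw = DefaultPacketFilter()
    fw.default_all("deny")
    fw.default_interzone("trust", "untrust", "outbound", "permit")
    fw.default_interzone("trust", "dmz", "outbound", "permit")
    return fw
```

With the factory default every entry of the matrix is True; after step2_policy() only the two Trust-originated pings succeed, matching the lab's results.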