HCNA（hcna证书）

HCNA（hcna证书）

HCNA必会知识点

1/2/25 槽位/板卡/端口

DSW核心 CSW汇聚 ASW接入

HCNA: ip子网划分,ipv4/ipv6，ARP,ICMP，以太网ll型帧结构,IP,TCP/UDP , VRP ,静态路由 ，路由优先级/路由备份（主备链路），度量值/缺省路由，DHCP, RIP, 基础ospf，trunk, vlan间路由，单臂路由，Easyip和NAT Server ,广域网ppp， 广域网HDLC和FR，链路聚合eth-trunk, VRRP, STP, ACL,配置telnet，配置ssh,配置ftp

ARP地址解析协议，网络层

arp请求

arp应答

arp缓存

当主机学到对端电脑的IP地址会把地址临时放在arp表里

以太网ll型数据帧结构，数据链路层

1目标IP

2源IP

协议类型:IPv4

IP头部

ip数据包格式

ttl经过一次路由ttl只就会减1

ttl=0时，就会丢器数据包

路由器：分冲突域，分广播域

交换机：分冲突域，不分广播域

集线器：不分冲突域，不分广播域

vrp系统文件

dis startup 查看启动参数

保存到RAM

保存到Flash/sd卡

电脑给路由器传文件get下载 put上传，结合Xlight FTP 软件

startup system-software sd1:/ar2220 -v200r003c00spc200.cc 改系统文件

startup system-software sd1:/vrpcfg.zip 改配置文件

策略路由

直连路由

默认路由

动态路由

寻线器-探测头不能寻屏蔽线

测线仪可寻屏蔽线

重点：规划网络ip地址，掩码长度可以不一致，IP不在同一网段，写静态路由可以通信

华为 display mac-address flapping record

H3C dis mac-address mac-move 查看环路命令

产生mac漂移的话先确认漂移mac是什么设备，怎么接的，正常应该从什么接口学到，通过查看设备dis mac-address 表来看接口

环路可能是一端做了聚合一端没做聚合，还有stp协议问题比如根桥不稳定，可以指定根桥或者修改优先级，stp root primary 或者 stp priority 4096 或者4096倍数

192.168.1.0 0.0.0.255/24位 反掩码

undo info-center enable 关闭信息中心

[HX-1]clear configuration interface GE 1/0/2 清楚接口配置

dis telnet ssh server status 查看状态

ping -s windows10带源ping

route print windows10查看路由命令

netast 查看端口连接情况

traceroute 追踪路由

dis startup 查看启动参数

dis users 查看已连接的终端

dis int brief 查看接口状态

dis ip int brie 查看接口ip vlan配置

dis port vlan 查看端口vlan配置

dis ip routing-table pro static 查看静态路由是否生效

display diagnostic-information hcna.txt 将所有设备信息保存到hcna.txt文件，结合ftp服务导出

reset saved-configuration 清楚配置

reboot n不保存当前配置 y重启

format flash： 格式化 Y

format sd1: 格式化系统

​

路由原理：查看路由表，最长掩码匹配，寻找最佳路径。

路由协议优先级

数字越小优先级越高

华为 静态路由60，思科1

华为 OSPF内部10，思科110

华为 OSPF外部150，思科没有

trunk 通信原理

发送端

▶ 终端vlan与交换机trunk接口pvid 不一样的不剥离tag帧，发的数据帧有tag标签（802.1Q)，对端设备收到带tag,看trunk是否方行对应vlan通信。

▶ 终端vlan与交换机trunk接口pvid一样的剥离tag帧，发的数据帧没有tag标签，对端设备 收到不带tag帧，打上接口pvid,trunk方行相应vlan，可以通信。

重点：trunk默认配置pvid1

access通信原理

​

路由搭建ftp

[Huawei]ftp server enable

[Huawei]set default ftp-directory flash:

[Huawei-aaa]local-user huawei password cipher huawei

[Huawei-aaa]local-user huawei service-type ftp

[Huawei-aaa]local-user huawei access-limit 200

[Huawei-aaa]local-user huawei idle-timeout 0 0

[Huawei-aaa]local-user huawei privilege level 3

客户端范文

ftp：xxxxip

电脑360浏览器 关闭选项

按组配置端口

[LSW1-port-group] port-group group-member g0/0/1 to g0/0/10

锐捷

int ran g0/1-24

运营商

[ISP]ip pool pppoe

[ISP-ip-pool-pppoe]network 200.2.2.0 mask 24

[ISP-ip-pool-pppoe]gateway-list 200.2.2.1

[ISP]interface Virtual-Template 1 摸版

[ISP-Virtual-Template1]ppp authentication-mode pap

[ISP-Virtual-Template1]ip address 200.2.2.1 24

[ISP-Virtual-Template1]remote address pool pppoe

[ISP-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1 g0/0/1接口绑定虚拟摸版

[ISP-aaa]local-user part手敲 password cipher 123456

[ISP-aaa]local-user huawei service-type ppp

客户端

[Huawei]dialer-rule

[Huawei-dialer-rule]dialer-rule 1 ip permit 绑定

[part-1]int Dialer 1

[part-1-Dialer1]ppp pap local-user part password cipher %$%$pLKZ!iaG|$#Cm4Q8=MM.,%Nw%$%$

[part-1-Dialer1]ip address ppp-negotiate 自动获取ip

[part-1-Dialer1]dialer user user1

[part-1-Dialer1]dialer-group 1

[part-1-Dialer1]dialer bundle 1

[Huawei-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1 绑定

不写路由也通

A

interface Vlanif30

ip address 10.10.10.1 255.255.255.0

interface Vlanif50

ip address 10.10.30.1 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 10 20 30 50

interface GigabitEthernet0/0/2

port link-type access

port default vlan 10

ip route-static 0.0.0.0 0.0.0.0 10.10.30.2

B

interface Vlanif30

ip address 10.10.20.1 255.255.255.0

interface Vlanif50

ip address 10.10.30.2 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 10 20 30 50

interface GigabitEthernet0/0/2

port link-type access

port default vlan 20

ip route-static 10.10.10.0 255.255.255.0 10.10.30.1

链路聚合 手工捆绑

捆绑建议2 4 8 链路带宽较均衡

一个eth-trunk 最多可以捆绑8个接口

启用stp协议防环

sw1

[sw1]int Eth-Trunk 1

[sw1-Eth-Trunk1]port link-type trunk

[sw1-Eth-Trunk1]port trunk allow-pass vlan all

[sw1-GigabitEthernet0/0/23]eth-trunk 1

[sw1-GigabitEthernet0/0/24]eth-trunk 1

sw2

[sw2]int Eth-Trunk 1

[sw2-Eth-Trunk1]port link-type trunk

[sw2-Eth-Trunk1]port trunk allow-pass vlan all

[sw2-GigabitEthernet0/0/23]eth-trunk 1

[sw2-GigabitEthernet0/0/24]eth-trunk 1

[sw2]dis interface Eth-Trunk 1

DHCP配置

<接口dhcp>

interface GigabitEthernet0/0/1

ip address 192.168.20.1 255.255.255.0

dhcp select interface

dhcp server excluded-ip-address 192.168.20.2 192.168.20.20 保留地址

dhcp server lease day 10 hour 0 minute 0

dhcp server dns-list 114.114.114.114

<全局dhcp和>

[dhcp]dhcp enable

ip pool 192

[dhcp-ip-pool-192]gateway-list 192.168.0.1

[dhcp-ip-pool-192]network 192.168.0.0 mask 255.255.255.0

[dhcp-ip-pool-192]dns-list 8.8.8.8

[dhcp-ip-pool-192]lease day hour/unlimited day:租约时间 unlimited：永久不限制 hour:小时

ip pool 10

[dhcp-ip-pool-10]network 10.1.1.0 mask 255.255.255.0

[dhcp-GigabitEthernet0/0/0]ip address 10.1.1.1 255.255.255.0

[dhcp-GigabitEthernet0/0/0]dhcp select global

ip route-static 0.0.0.0 0.0.0.0 10.1.1.254 配置默认路由dhcp的报文才能通过

AR1客户端

[AR1-GigabitEthernet0/0/0]ip address 192.168.0.1 255.255.255.0

[AR1-GigabitEthernet0/0/0]dhcp select relay中继

[AR1-GigabitEthernet0/0/0]dhcp relay server-ip 10.1.1.1

[AR1-GigabitEthernet0/0/0]ip address dhcp-alloc

NAT映射一对一

[Huawei-Dialer1]nat static global 202.100.1.251 inside 192.168.10.10 静态nat

[Huawei-Dialer1]nat server protocol tcp global 202.100.1.251 inside 172.31.14.1 description 123 nat服务

NAT映射一对多

AR1

acl number 2000

rule 5 permit source 192.168.0.0 0.0.0.255

#

interface GigabitEthernet0/0/0

ip address 22.23.10.1 255.255.255.248

nat outbound 2000

interface GigabitEthernet0/0/1

ip address 192.168.254.2 255.255.255.0

ip route-static 0.0.0.0 0.0.0.0 22.23.10.2 缺省路由

ip route-static 192.168.0.0 255.255.0.0 192.168.254.1

AR1

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN 描述

[Huawei-acl-adv-3000]rule 10 permi ip source 10.10.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

AR2

[Huawei]acl 3000

[Huawei-acl-adv-3000]description VPN 描述

[Huawei-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

AR1

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

#

ipsec proposal sjw

esp authentication-algorithm sha1

AR2

[Huawei]ipsec proposal

[Huawei-ipsec-proposal-sjw]esp authentication-algorithm sha1

[Huawei-ipsec-proposal-sjw]dis this

[V200R003C00]

#

ipsec proposal sjw

esp authentication-algorithm sha1

sw3：划vlan 10 20

[Huawei-Ethernet0/0/1]port link-type access

[Huawei-Ethernet0/0/1]port default vlan 10

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]port default vlan 20

配置中继trunk

[Huawei-GigabitEthernet0/0/2]int g0/0/1

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20

[Huawei-GigabitEthernet0/0/2]int g0/0/2

[Huawei-port-group-trunk]port trunk allow-pass vlan

[Huawei-port-group-trunk]port trunk allow-pass vlan 10 20

sw1:划vlan 10 20

[Huawei]int Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.10 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei-GigabitEthernet0/0/1]port link-type trunk

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

sw2:划vlan 10 20

[Huawei]int Vlanif 10

[Huawei-Vlanif20]ip address 192.168.10.20 24

[Huawei]int Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.20 24

[Huawei-GigabitEthernet0/0/2]port link-type trunk

[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

AR1路由器

[Huawei-GigabitEthernet0/0/1]ip address 11.0.0.2 24

[Huawei-GigabitEthernet0/0/2]ip address 12.0.0.2 24

[Huawei-GigabitEthernet0/0/2]int loo 0

[Huawei-LoopBack0]ip address 1.1.1.1 24

写路由优先级

[Huawei]ip route-static 192.168.10.0 24 11.0.0.1 默认是60

[Huawei]ip route-static 192.168.10.0 24 12.0.0.2 preference 70

[Huawei]ip route-static 192.168.20.0 24 12.0.0.1 默认是60

[Huawei]ip route-static 192.168.20.0 24 11.0.0.1 preference 70

sw1

[Huawei]ip route-static 1.1.1.0 24 11.0.0.2

sw1

[Huawei-Vlanif100]ip address 11.0.0.1 24

[Huawei-port-group-d]port link-type access

[Huawei-port-group-d]port default vlan 100

sw2

[Huawei]ip route-static 1.1.1.0 24 12.0.0.2

sw2

[Huawei-Vlanif100]ip address 12.0.0.1 24

[Huawei-GigabitEthernet0/0/24]port link-type access

[Huawei-GigabitEthernet0/0/24]port default vlan 100

在核心sw1做vrrp

trunk，虚拟IP ，优先级 ，追踪接口

主备的虚拟ip一至，vrid一致

注意：优先级大的是主， 比如优先级120端扣down掉默认会减10 所以备的不能配置110应该是115,115比120小，主的坏掉默认就走备的

主

[Huawei]int Vlanif 10

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1

[Huawei-Vlanif10]vrrp vrid 1 priority 120 端扣down掉默认会减10 所以备的不能配置110应该是115,115比120小主的坏掉默认就走备的

（这个打个比喻，这个实验配置的是95）

vrrp 优先级范围是0-255, 0是保留给路由器，主动放弃Master位置时候使用，255是保留给IP地址拥有者使用，能我的是1-254

[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 0

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/24 追踪上行端口

[Huawei-Vlanif10]vrrp vrid 1 track interface g0/0/1 追踪下行端口

备

[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1

[Huawei-Vlanif10]vrrp vrid 1 priority 115

备的不用配置抢占，也不用配置跟踪端口，因为主的已经配置了

在核心sw2做vrrp

主

[Huawei]int Vlanif 20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/24

[Huawei-Vlanif20]vrrp vrid 2 track interface g0/0/2

抢占和优先级可以不配，【优先级默认是100】，备的配置优先级数字90就可以

备

interface Vlanif20

[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1

[Huawei-Vlanif20]vrrp vrid 2 priority 95

防火墙四个区域

服务器 DMZ中 ，trust用户内网 ，untrustz外网ip最低 ，local最高

dmz：指定dmz安全区域 心跳同步信息，配置ip,优先级

local：指定本地安全区域

name：待创建或删除的安全区域名称

trust：指定信任的安全区域 内网

untrust：指定untrust的安全区域 外网

防火墙双机热备

FW1主

[fw1]interface GigabitEthernet0/0/0] ip address 10.2.2.1 255.255.255.0

[fw1]interface GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.1.2.254 active 主

[fw1]interface GigabitEthernet0/0/0] service-manage all permit 允许所有服务

service-manage permit

service-manage permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

[fw1]interface GigabitEthernet1/0/0] ip address 40.1.1.1 255.255.255.0

[fw1]interface GigabitEthernet1/0/0] vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 active 主

[fw1-GigabitEthernet1/0/0]service-manage all permit

[fw1]interface GigabitEthernet1/0/1] ip address 30.1.1.1 255.255.255.0

[fw1]firewall zone trust

[fw1-zone trust] add interface GigabitEthernet0/0/0

[fw1]firewall zone untrust

[fw1-zone untrust]add interface GigabitEthernet1/0/0

[fw1]firewall zone dmz

[fw1]-zone dmz]add interface GigabitEthernet1/0/1

FW2 备

[fw2interface GigabitEthernet0/0/0] ip address 10.1.2.2 255.255.255.0

[fw2interface GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.1.2.254 standby 备

[fw2interface GigabitEthernet0/0/0] service-manage all permit 允许所有服务

service-manage permit

service-manage permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

[fw2interface GigabitEthernet1/0/0] ip address 40.1.1.2 255.255.255.0

[fw2interface GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 2.2.2.254 255.255.255.0 standby 备

[fw1-GigabitEthernet1/0/0]service-manage all permit

[fw2interface GigabitEthernet1/0/1] ip address 30.1.1.2 255.255.255.0

[fw2]firewall zone trust

[fw2-zone trust]add interface GigabitEthernet0/0/0

[fw2]firewall zone untrust

[fw2-zone untrust] add interface GigabitEthernet1/0/0

[fw2]firewall zone dmz

[fw2-zone dmz] add interface GigabitEthernet1/0/1

HRP心跳线同步信息

[fw1]hrp interface GigabitEthernet1/0/1 remote 30.1.1.2 配置对端的接口ip

[fw2]hrp interface GigabitEthernet1/0/1 remote 30.1.1.1 配置对端的接口ip

开启hrp enable 可以同步习性

开启HRP 显示一个S和M代表双机热备成功

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。