1. Lab requirements and topology
2. Lab procedure
2.1 Internal IP address plan
The site is given 192.168.1.0/24 and it is carved up with VLSM:
192.168.1.0/26     backbone (router-to-router links); borrowing 4 more bits from this /26 yields 16 point-to-point /30 subnets:
                   192.168.1.0/30, 192.168.1.4/30, 192.168.1.8/30 ...... 192.168.1.60/30
192.168.1.64/26    R1 user networks, split into 192.168.1.64/27 and 192.168.1.96/27 (one /27 per VLAN)
192.168.1.128/26   R2 user networks, split into 192.168.1.128/27 and 192.168.1.160/27 (one /27 per VLAN)
192.168.1.192/26   reserved
A /30 holds exactly the two usable addresses a point-to-point link needs; each /27 holds 30 hosts, with the first usable address reserved for the VLAN gateway.
2.2 Configure IP addresses, create the subinterfaces and build the DHCP pools
Each pool is one /27 from the plan; gateway-list is the address of the matching subinterface on R2 and dns-list points clients at the public resolver 114.114.114.114.
[r2]ip pool vlan2
[r2-ip-pool-vlan2]network 192.168.1.128 mask 255.255.255.224
[r2-ip-pool-vlan2]gateway-list 192.168.1.129
[r2-ip-pool-vlan2]dns-list 114.114.114.114
[r2]ip pool vlan3
[r2-ip-pool-vlan3]network 192.168.1.160 mask 255.255.255.224
[r2-ip-pool-vlan3]gateway-list 192.168.1.161
[r2-ip-pool-vlan3]dns-list 114.114.114.114
[r2]int g0/0/0.1
[r2-GigabitEthernet0/0/0.1]dhcp select global
[r2]int g0/0/0.2
[r2-GigabitEthernet0/0/0.2]dhcp select global
dhcp select global makes a subinterface answer from the global pool whose network contains the subinterface's own address, so each subinterface must carry the gateway address of its pool (the subinterface address and VLAN termination commands are not recorded here). DHCP also has to be enabled globally on R2 before any pool is served, and a pool whose network does not match the subinterface subnet hands out addresses the clients cannot route from.
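To check the address plan of 2.1 and the pools of 2.2 before typing them into the routers, the following script (an added example, not part of the lab record) reproduces the VLSM carving with Python's standard ipaddress module and validates each DHCP pool against the subnet its subinterface should sit in. All addresses are the lab's; the assumption that PC1 is 192.168.1.92 comes from the ACL in 2.5.1.

```python
"""Added example: validate the section 2.1 VLSM plan and the section 2.2
DHCP pools offline.  Addresses are the lab's own; nothing here talks to a device."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

SITE = IPv4Network("192.168.1.0/24")


def carve_plan(site: IPv4Network = SITE) -> Dict[str, List[IPv4Network]]:
    """Reproduce the plan: four /26 blocks; the first cut into /30 links,
    the next two into /27 user VLANs, the last one reserved."""
    quarters = list(site.subnets(new_prefix=26))
    return {
        "backbone_p2p": list(quarters[0].subnets(new_prefix=30)),
        "r1_vlans": list(quarters[1].subnets(new_prefix=27)),
        "r2_vlans": list(quarters[2].subnets(new_prefix=27)),
        "reserved": [quarters[3]],
    }


# DHCP pools exactly as configured on R2: (network, mask, gateway-list).
R2_POOLS = {
    "vlan2": ("192.168.1.128", "255.255.255.224", "192.168.1.129"),
    "vlan3": ("192.168.1.160", "255.255.255.224", "192.168.1.161"),
}


def check_pool(network: str, mask: str, gateway: str,
               vlan_subnet: IPv4Network) -> List[str]:
    """Return the problems with a pool (empty list = usable).  A pool that does
    not match its subinterface subnet, or whose gateway is not a usable host
    address inside it, leaves clients unable to reach their default gateway."""
    problems = []
    pool = IPv4Network(f"{network}/{mask}", strict=True)
    gw = IPv4Address(gateway)
    if pool != vlan_subnet:
        problems.append(f"pool {pool} does not match subinterface subnet {vlan_subnet}")
    if gw not in pool or gw in (pool.network_address, pool.broadcast_address):
        problems.append(f"gateway {gw} is not a usable host address in {pool}")
    return problems


def host_subnet(plan: Dict[str, List[IPv4Network]],
                address: str) -> Optional[Tuple[str, IPv4Network]]:
    """Which planned user subnet does a host address (e.g. PC1) belong to?"""
    ip = IPv4Address(address)
    for name in ("r1_vlans", "r2_vlans"):
        for net in plan[name]:
            if ip in net:
                return name, net
    return None


if __name__ == "__main__":
    plan = carve_plan()
    links = plan["backbone_p2p"]
    print(f"{len(links)} point-to-point links, {links[0]} ... {links[-1]}")
    for idx, (vlan, (net, mask, gw)) in enumerate(R2_POOLS.items()):
        print(vlan, check_pool(net, mask, gw, plan["r2_vlans"][idx]) or "ok")
    print("PC1 192.168.1.92 belongs to", host_subnet(plan, "192.168.1.92"))
```

Run it once with the pools as configured and once with a deliberately wrong mask or gateway to see which mistakes it catches; the same check applies to any pool you add later for the reserved /26.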
2.3 Assign the switch ports to their VLANs and build the trunk
On sw1, e0/0/1 and e0/0/2 go into VLAN 2 through a temporary port group, e0/0/3 goes into VLAN 3, and the uplink g0/0/1 towards the router becomes a trunk. sw2 has one access port per VLAN and the same kind of uplink.
[sw1]vlan batch 2 to 3
[sw1]port-group group-member e0/0/1 to e0/0/2
[sw1-port-group]port link-type access
[sw1-port-group]port default vlan 2
[sw1]int e0/0/3
[sw1-Ethernet0/0/3]port link-type access
[sw1-Ethernet0/0/3]port default vlan 3
[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw2]vlan batch 2 to 3
[sw2]int e0/0/1
[sw2-Ethernet0/0/1]port link-type access
[sw2-Ethernet0/0/1]port default vlan 2
[sw2]int e0/0/2
[sw2-Ethernet0/0/2]port link-type access
[sw2-Ethernet0/0/2]port default vlan 3
[sw2]int g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
allow-pass vlan all is convenient in the lab, but it also carries VLAN 1 and every VLAN created later; on a production trunk allow only the VLANs the link actually needs (here 2 and 3).
2.4 Run OSPF between R1 and R2 (single area)
2.4.1 Route summarization to reduce the number of routing entries
2.4.2 Silent subinterfaces, so that OSPF stops sending hello packets towards the user VLANs
2.4.3 OSPF authentication
With a single area there is no ABR, so inter-area summarization is not available; the summary prefixes in this design are the two user /26 blocks that section 2.9 anchors with NULL0 routes. Silencing the user-facing subinterfaces keeps hello packets, and with them the possibility of an unwanted adjacency, off the access VLANs.
[r1]int g0/0/1
[r1-GigabitEthernet0/0/1]ospf authentication-mode md5 1 cipher 123456
[r2]int g0/0/1
[r2-GigabitEthernet0/0/1]ospf authentication-mode md5 1 cipher 123456
Key ID (1) and key must be identical on both ends of the link or the adjacency will not form. Keyed MD5 stops an unauthenticated device from injecting routes and the sequence number in each packet blocks simple replay, but nothing is encrypted and the key can be brute-forced offline from a single captured hello; 123456 is acceptable only inside the lab.
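What the authentication-mode md5 command actually does to each OSPF packet is easier to see in code. The script below (an added example, not from the lab record or any vendor) builds an OSPFv2 Hello with cryptographic authentication as specified in RFC 2328 Appendix D: the 8-byte authentication field carries key ID, digest length and a sequence number, the key is zero-padded to 16 bytes and appended to the packet, the MD5 of that is appended as a trailer, and the OSPF checksum stays zero. The key ID 1 and key 123456 are the lab's; router ID, area and timer values are constructed for the demonstration.

```python
"""Added example: OSPFv2 cryptographic (MD5) authentication per RFC 2328
Appendix D, as used by 'ospf authentication-mode md5 1 cipher 123456'.
Packet fields other than key ID and key are constructed for the demo."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTYPE_CRYPTO = 2   # AuType 2 = cryptographic authentication
OSPF_HELLO = 1


def build_hello(router_id: str, area: str, key_id: int, seq: int,
                mask: str = "255.255.255.252", hello: int = 10, dead: int = 40) -> bytes:
    """OSPFv2 header (24 bytes) + Hello body (20 bytes, no neighbours listed).
    With AuType 2 the authentication field holds key ID, digest length (16)
    and the cryptographic sequence number instead of a cleartext password."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, 0x02, 1, dead,
                       b"\0\0\0\0", b"\0\0\0\0")
    length = 24 + len(body)                      # digest trailer is NOT counted
    header = struct.pack("!BBHIIHH", 2, OSPF_HELLO, length, int(IPv4Address(router_id)),
                         int(IPv4Address(area)), 0, AUTYPE_CRYPTO)   # checksum = 0
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    return header + auth_field + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender: append MD5(packet || key zero-padded to 16 bytes)."""
    padded = key.ljust(16, b"\0")[:16]
    return packet + hashlib.md5(packet + padded).digest()


def verify(frame: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver: look the key up by the key ID carried in the packet, recompute
    the digest over everything before the 16-byte trailer, compare it in
    constant time, then enforce the per-neighbour sequence number so a
    captured hello cannot simply be replayed later."""
    if len(frame) < 24 + 16:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    if length + 16 != len(frame):
        return False
    packet, trailer = frame[:length], frame[length:]
    autype = struct.unpack("!H", packet[14:16])[0]
    _, key_id, digest_len, seq = struct.unpack("!HBBI", packet[16:24])
    if autype != AUTYPE_CRYPTO or digest_len != 16 or key_id not in keys:
        return False                             # key ID mismatch: adjacency never forms
    expected = hashlib.md5(packet + keys[key_id].ljust(16, b"\0")[:16]).digest()
    if not hmac.compare_digest(expected, trailer):
        return False                             # wrong key or tampered packet
    router_id = struct.unpack("!I", packet[4:8])[0]
    if seq < last_seq.get(router_id, 0):
        return False                             # older than what we already saw: replay
    last_seq[router_id] = seq
    return True


if __name__ == "__main__":
    r1_keys = {1: b"123456"}                      # key ID 1, as on R1 and R2
    seen = {}
    hello = sign(build_hello("1.1.1.1", "0.0.0.0", 1, seq=100), b"123456")
    print("genuine hello accepted:", verify(hello, r1_keys, seen))
    print("replay with older seq rejected:",
          verify(sign(build_hello("1.1.1.1", "0.0.0.0", 1, seq=99), b"123456"), r1_keys, seen))
    print("wrong key rejected:",
          verify(sign(build_hello("1.1.1.1", "0.0.0.0", 1, 101), b"654321"), r1_keys, seen))
```

Note what the trailer is and is not: anyone holding the 16-byte key can forge a valid hello, and because MD5(packet || key) is computed over the whole packet with a short, guessable key, a single captured frame is enough to test candidate keys offline, which is why the lab password must not leave the lab.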
2.5 Enable Telnet with AAA on R1
[r1]aaa
[r1-aaa]local-user linxi password cipher 123456
[r1-aaa]local-user linxi service-type telnet
[r1-aaa]local-user linxi privilege level 15
[r1-aaa]q
[r1]user-interface vty 0 4
[r1-ui-vty0-4]authentication-mode aaa
The VTY lines now authenticate against the local AAA database; linxi has privilege level 15, i.e. full configuration rights. Telnet sends the username and password in cleartext, so anyone on the path (or on the VLAN with a mirrored port) can read them; outside the lab use STelnet (SSH) and a real password.
2.5.1 Block PC1 from telnetting to R1
[r1]acl 3000
[r1-acl-adv-3000]rule deny tcp source 192.168.1.92 0 destination 192.168.1.1 0 destination-port eq 23
[r1-acl-adv-3000]rule deny tcp source 192.168.1.65 0 destination 192.168.1.97 0 destination-port eq 23
[r1]int g0/0/1.1
[r1-GigabitEthernet0/0/1.1]traffic-filter inbound acl 3000    apply the ACL to traffic entering the VLAN 2 subinterface
Two things to check here. First, traffic-filter permits any packet that matches no rule, so only what the deny rules name is blocked. Second, a router accepts Telnet on every one of its interface addresses, not only 192.168.1.1: PC1 can still open a session to 192.168.1.65 or 192.168.1.97. The second rule does not close that gap, because 192.168.1.65 is, per the address plan, R1's own address on this subinterface and is never the source of a packet arriving inbound on it. Each of R1's addresses needs its own deny with PC1 as the source, or the restriction belongs on the VTY lines themselves rather than on one subinterface.
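A quick way to see what an advanced ACL really blocks before applying it is to evaluate it against sample packets. The following evaluator (an added example, not part of the lab record or of VRP) implements Huawei-style wildcard matching (a 1 bit in the wildcard means "ignore this bit"), first-match rule ordering and the traffic-filter default of permitting unmatched traffic, then runs ACL 3000 as configured and a tightened version against constructed packets. The assumption that R1 owns 192.168.1.1, 192.168.1.65 and 192.168.1.97 follows from the address plan.

```python
"""Added example: evaluate Huawei advanced ACL rules against constructed packets
to check what ACL 3000 from section 2.5.1 actually blocks.  Not device code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'rule <action> <proto> source A W destination B W [destination-port eq P]' line."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None


def _to_int(addr: str) -> int:
    """VRP lets an all-zero wildcard be written as plain '0'; expand that shorthand."""
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))


def _wild_match(addr: str, base: str, wild: str) -> bool:
    a, b, w = _to_int(addr), _to_int(base), _to_int(wild)
    return (a & ~w) == (b & ~w)      # compare only the bits the wildcard leaves as 0


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _wild_match(pkt.src, rule.src, rule.src_wild)
            and _wild_match(pkt.dst, rule.dst, rule.dst_wild)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins.  traffic-filter lets through anything that
    matches no rule, so the fall-through result is ('permit', None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "permit", None


ACL_3000 = [   # exactly the two rules from the lab
    Rule("deny", "tcp", "192.168.1.92", "0", "192.168.1.1", "0", 23),
    Rule("deny", "tcp", "192.168.1.65", "0", "192.168.1.97", "0", 23),
]

# Assumed from the address plan: every address at which R1 accepts Telnet.
R1_ADDRESSES = ["192.168.1.1", "192.168.1.65", "192.168.1.97"]

# Tightened version: one deny per R1 address, PC1 as the source, nothing else touched.
ACL_3000_FIXED = [Rule("deny", "tcp", "192.168.1.92", "0", dst, "0", 23) for dst in R1_ADDRESSES]


def telnet_from_pc1(acl: List[Rule]) -> Dict[str, str]:
    """For each of R1's addresses, what happens to a Telnet SYN from PC1?"""
    return {dst: evaluate(acl, Packet("tcp", "192.168.1.92", dst, 23))[0] for dst in R1_ADDRESSES}


if __name__ == "__main__":
    print("ACL 3000 as configured:", telnet_from_pc1(ACL_3000))
    print("tightened:            ", telnet_from_pc1(ACL_3000_FIXED))
    print("PC1 -> 192.168.1.100:80:", evaluate(ACL_3000, Packet("tcp", "192.168.1.92", "192.168.1.100", 80)))
```

The output for the ACL as configured shows a deny only for 192.168.1.1 and a permit for the two subinterface addresses, which is the gap described above; the HTTP packet to the internal server falls through every rule and is permitted, as intended.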
2.6 Let the public network reach the private network
2.7 Let client reach httpserver by domain name
Both steps rest on NAT on R2's ISP-facing interface: nat outbound with basic ACL 2000 translates internal 192.168.1.0/24 sources so the internal hosts (including the client's DNS lookups) can leave the site, and the nat server entry publishes httpserver (192.168.1.100) on port 80 of the interface's public address. The DNS record that maps the name to that public address is not part of this record.
[r2]acl 2000
[r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[r2-acl-basic-2000]q
[r2]int g0/0/1
[r2-GigabitEthernet0/0/1]nat outbound 2000
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 80 inside 192.168.1.100 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
The warning is worth taking seriously: the mapping claims port 80 of the router's own interface address, so any HTTP service the router itself offers there is shadowed, and the internal server is now reachable from the whole public network. (This record shows g0/0/1 on R2 both as the OSPF link to R1 in 2.4.3 and as the ISP uplink here; NAT must only be applied on the ISP-facing interface, never on the link to R1.)
Remember: give client and server their IP address, subnet mask and gateway by hand!
2.8 The ISP telnets to 12.1.1.1 and lands on R1 (port mapping)
[r2]int g0/0/1
[r2-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 23 inside 192.168.1.1 23
Warning:The port 23 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
Connections to 12.1.1.1:23 are now forwarded to R1 at 192.168.1.1:23, and R2's own Telnet on that interface is shadowed by the mapping. This exposes a cleartext login with a privilege-15 account and the password 123456 to the entire public network; ACL 3000 offers no protection here, since it filters only traffic entering g0/0/1.1 on R1. Fine for the lab; in production publish SSH rather than Telnet and restrict the sources allowed to reach it.
2.9 Add NULL0 routes to prevent routing loops
[r1]ip route-static 192.168.1.64 26 NULL0
[r2]ip route-static 192.168.1.128 26 NULL0
Each router pins its own user summary (R1: 192.168.1.64/26, R2: 192.168.1.128/26) to the null interface. The connected /27s are more specific and still win for live addresses; a packet for an address inside the summary that has no more specific route (for example while a VLAN subinterface is down) is discarded here instead of following the default route back out, where the neighbour's copy of the summary would send it straight back.
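The loop the NULL0 route prevents is easy to reproduce with a longest-prefix-match lookup. The script below (an added example, not from the lab record) builds R1's and R2's forwarding tables from the address plan, with and without the NULL0 summary, and traces a packet for 192.168.1.100 from R2. R1's default route towards R2 and R2's 192.168.1.64/26 summary pointing at R1 are assumptions about how the lab's routing converges; interface names on R1 follow section 2.5.1.

```python
"""Added example: longest-prefix-match tracing that shows why the NULL0
summary route of section 2.9 breaks a forwarding loop.  Tables are constructed
from the address plan; the default and summary routes are assumptions."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

Route = Tuple[IPv4Network, str]   # (prefix, next hop router name or exit such as NULL0)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match, as a FIB does."""
    ip = IPv4Address(dst)
    candidates = [r for r in table if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def trace(tables: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops router by router; stop on delivery, discard, or a repeated router."""
    path, node = [start], start
    for _ in range(max_hops):
        route = lookup(tables[node], dst)
        if route is None:
            return path + ["no route"]
        nh = route[1]
        if nh.startswith("connected") or nh in ("NULL0", "ISP"):
            return path + [nh]                   # delivered locally, discarded, or left the site
        if nh in path:
            return path + [nh, "LOOP"]           # packet would bounce until TTL expires
        path.append(nh)
        node = nh
    return path + ["hop limit"]


def r1_table(vlan3_up: bool, with_null: bool) -> List[Route]:
    """R1's FIB: connected /27s, a default towards R2 (assumed), optionally the NULL0 summary."""
    table = [(IPv4Network("192.168.1.64/27"), "connected g0/0/1.1"),
             (IPv4Network("0.0.0.0/0"), "R2")]
    if vlan3_up:
        table.append((IPv4Network("192.168.1.96/27"), "connected g0/0/1.2"))
    if with_null:
        table.append((IPv4Network("192.168.1.64/26"), "NULL0"))
    return table


R2_TABLE: List[Route] = [
    (IPv4Network("192.168.1.64/26"), "R1"),      # R1's summary, learned via OSPF (assumed)
    (IPv4Network("192.168.1.128/27"), "connected g0/0/0.1"),
    (IPv4Network("192.168.1.160/27"), "connected g0/0/0.2"),
    (IPv4Network("0.0.0.0/0"), "ISP"),
]


def forwarding_result(dst: str, vlan3_up: bool, with_null: bool) -> str:
    """Final fate of a packet entering at R2 for dst under the given R1 state."""
    tables = {"R1": r1_table(vlan3_up, with_null), "R2": R2_TABLE}
    return trace(tables, "R2", dst)[-1]


if __name__ == "__main__":
    for vlan3_up, with_null in ((True, True), (False, False), (False, True)):
        print(f"VLAN3 up={vlan3_up} NULL0={with_null}: 192.168.1.100 ->",
              forwarding_result("192.168.1.100", vlan3_up, with_null))
```

With both /27 subinterfaces up the NULL0 route never wins, which is the point: it only catches what has lost its more specific route, and then it discards instead of handing the packet back to the default route.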
Finally, verify reachability between the networks with ping.
Lab complete!