1.实验拓扑设计:
2.交换与路由配置:
(安全提示:以下为实验环境配置。三台交换机上的 `local-user admin password simple admin` 是明文的默认口令,交换机以及 R2/ISP 的 `user-interface vty 0 4` 下也没有显式配置 authentication-mode;生产环境应改用 cipher 口令、为 VTY 配置 AAA 或口令认证,并优先用 SSH(stelnet)替代 Telnet。)
[SW1]dis curr
#
sysname SW1
#
vlan batch 2 to 3
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[SW2]dis curr
#
sysname SW2
#
vlan batch 2 to 3
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[SW3]dis curr
#
sysname SW3
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[R1]dis current-configuration
[V200R003C00]
#
sysname R1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
dhcp enable
#
acl number 3000
rule 5 deny tcp source 192.168.1.125 0 destination 192.168.1.1 0 destination-po
rt eq telnet
rule 10 deny tcp source 192.168.1.125 0 destination 192.168.2.1 0 destination-p
ort eq telnet
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$dD-^9{6^(/rcx$*l!zS/YCG6%$%$
local-user admin privilege level 15
local-user admin service-type telnet
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.252
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 2
ip address 192.168.1.1 255.255.255.128
traffic-filter inbound acl 3000
arp broadcast enable
dhcp select interface
#
interface GigabitEthernet0/0/2.2
dot1q termination vid 3
ip address 192.168.1.129 255.255.255.128
arp broadcast enable
#
interface NULL0
#
ospf 1 router-id 1.1.1.1
silent-interface GigabitEthernet0/0/2
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
ospf 12
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
wlan ac
#
return
[R2]dis curr
[V200R003C00]
#
sysname R2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
dhcp enable
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.2.2 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 12.1.1.1 255.255.255.0
nat server protocol tcp global current-interface telnet inside 192.168.2.1 teln
et
nat server protocol tcp global current-interface www inside 192.168.1.130 www
nat outbound 2000
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 2
ip address 192.168.3.1 255.255.255.128
arp broadcast enable
dhcp select interface
#
interface GigabitEthernet0/0/2.2
dot1q termination vid 3
ip address 192.168.3.129 255.255.255.128
arp broadcast enable
dhcp select interface
#
interface NULL0
#
ospf 1 router-id 2.2.2.2
default-route-advertise
silent-interface GigabitEthernet0/0/2
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<ISP>sys
Enter system view, return user view with Ctrl+Z.
[ISP]dis curr
[V200R003C00]
#
sysname ISP
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
3.测试:
1.ISP路由器只能配置IP地址,之后不得进行其他任何配置
已配置(见上面 ISP 的 G0/0/0、G0/0/2 地址),不再赘述
2.R1/R2之间启动ospf协议,单区域
此处不做配置详述,强调一下 R1/R2 的 GigabitEthernet0/0/2 需要配置 `silent-interface`(端口静默):面向 PC 的接口只通告其网段而不收发 OSPF Hello,避免内网主机与路由器建立邻居、注入路由。注意两台路由器上静默的是主接口,而 OSPF 网段实际落在 .1/.2 子接口上,静默是否覆盖子接口需在设备上用 `display ospf interface` 核实。
3.PC1-PC4自动获取IP地址
我在 R1/R2 的子接口上配置 `dhcp select interface`(接口地址池)即可满足要求,配置最简单;如有其他要求(固定租约、指定网关/DNS、排除地址等)可改用全局地址池(`ip pool`)方式。
4.PC1不能Telnet R1,PC1外的其他的内网PC可以Telnet
此处由于模拟器的原因无法测试,实际工程中可以正常测试,下面是为达此目的R1上的配置:
[R1]acl number 3000
rule 5 deny tcp source 192.168.1.125 0 destination 192.168.1.1 0 destination-port eq telnet
rule 10 deny tcp source 192.168.1.125 0 destination 192.168.2.1 0 destination-port eq telnet
[R1]interface GigabitEthernet0/0/2.1
traffic-filter inbound acl 3000
注意两点:其一,PC1 的地址 192.168.1.125 是通过 `dhcp select interface` 动态获取的,租约变化后这条 ACL 就不再命中,而按源 IP 匹配也挡不住地址伪造;若要可靠限制,应固定 PC1 的地址,或改为只放行允许的管理主机。其二,ACL 只拒绝了到 192.168.1.1 和 192.168.2.1 的 Telnet,而 R1 的 G0/0/2.2 还有地址 192.168.1.129,PC1 仍可 Telnet 该地址——应补一条同样的 deny 规则,或直接在 `user-interface vty 0 4` 下用 `acl 3000 inbound` 对所有到本机的 Telnet 统一过滤。
5.PC1-PC4可以访问PC5,R2的公网接口只拥有一个公有IP 12.1.1.1
由 R2 G0/0/1 下的 `nat outbound 2000`(Easy IP,直接复用接口地址 12.1.1.1 做端口转换)配合 `acl 2000 rule 5 permit source 192.168.0.0 0.0.255.255` 实现;其他PC测试类似。
6.外部的client可以通过域名访问httpserver
由上图可知已实现既定要求(对应 R2 上的 `nat server protocol tcp global current-interface www inside 192.168.1.130 www`,只把公网地址的 TCP 80 映射到内网服务器;域名解析部分的配置未在本文列出)。
7.ISP路由Telnet 12.1.1.1,最终成功登陆到R1上
由上图可知已实现既定要求(对应 R2 G0/0/1 下的 `nat server protocol tcp global current-interface telnet inside 192.168.2.1 telnet`)。安全提示:该映射把 R1 的 Telnet 管理口直接暴露在公网地址 12.1.1.1 上,而 R1 的 admin 用户为 `privilege level 15`,且 Telnet 是明文协议;实验之外不应这样做,至少应在 R2 公网口或 R1 的 VTY 上用 ACL 限制来源地址,并改用 SSH。
8.扩展知识:
NAT:网络地址转换(cisco篇)
在一台路由器上对进或出流量进行IP地址的修改;常用规则为从内部去往外部时修改源 IP地址;从外部
进入内部时修改目标IP地址;
静态nat——地址间的映射关系为固定;动态nat,临时地址映射;
流量从内部去往外部时,将内部本地地址修改为内部全局地址;从外部进入内部时,将内部全局地址修改为内部本地地址;
1、一对一(静态) 在边界路由器上,生成一条固定的永久的映射记录;
r1(config)#ip nat inside source static 192.168.1.2 12.1.1.1
内部本地 内部全局
2、一对多(动态) 多个内部私有IP地址转换为同一个公有IP地址时,需要用不同的源端口号来区分,形成唯一的临时映射关系;临时映射需要内部流量先去往外部,被转换并记录,之后返回流量才能按记录反向转换;映射在有流量时刷新,空闲超时后删除;
因为需要修改流量的源端口,故一对多又被称为PAT——端口地址转换。一个公有IP的源端口只有 65535 个(TCP、UDP 各自计数),限制的是同一时刻可维持的并发会话(转换表项)数,而不是"一次转发 65535 个数据包";并发会话很多的大型网络需要提供多个公有IP;
r1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
r1(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload
内部本地 内部全局
overload 表示 PAT(多对一,复用端口);不带 overload 时命令仍可配置,但只是以接口地址做一对一的动态转换,同一时刻只能为一个内部主机服务——"设备会自动补上 overload"这一说法需在具体 IOS 版本上验证,不要依赖;
3、多对多(动、静态均可) 主要针对大型的局域网,同一时间内大量数据包需要进入互联网;一个公有IP只能进行65535个数据包转发,故同时需要提供多个公有IP;
r1(config)# ip nat pool a 12.1.1.3 12.1.1.10 netmask 255.255.255.0 公有地址范围
r1(config)# access-list 2 permit 192.168.0.0 0.0.255.255 私有地址范围
r1(config)# ip nat inside source list 2 pool a ?
overload Overload an address translation
<cr>
携带 overload 为 PAT:把私有IP轮流转换到各个公有IP的不同端口,相当于同时进行多个一对多;
不携带 overload 为动态一对一:先发起流量的私有IP依次占用池中的公有IP,形成临时的一对一映射,池用尽后其余主机无法转换;注意这仍是动态 NAT(映射会超时删除),并非严格意义上的静态 NAT;
4、端口映射(静态)
r1(config)# ip nat inside source static tcp 192.168.1.250 80 12.1.1.1 80
只有在外网访问12.1.1.1且目标端口为80时,才进行转换,转换为目标IP 192.168.1.250,目标端口80
r1(config)# ip nat inside source static tcp 192.168.1.251 80 12.1.1.1 8888
只有在外网访问12.1.1.1且目标端口为8888时,才进行转换,转换为目标IP 192.168.1.251,目标端口80
切记:cisco设备中无论何种 nat 配置,都需要在边界路由器上定义各个接口的方向(inside/outside);
r1(config)# interface fastEthernet 0/0
r1(config-if)# ip nat inside
r1(config-if)# exit
r1(config)# interface fastEthernet 0/1
r1(config-if)# ip nat outside
[2]华为:不需要在边界路由器上定义各个接口的方向,但 nat 仍然在边界路由器(通常是连接公网的接口)上配置
1、静态nat —— 和cisco 中的一对一 一致
[RTA-Serial1/0/0] nat static global 202.10.10.1 inside 192.168.1.1
[RTA-Serial1/0/0] nat static global 202.10.10.2 inside 192.168.1.2
公有 私有
[RTA] display nat static
2、动态nat —— 和cisco中的多对多相同
[RTA] nat address-group 1 200.10.10.1 200.10.10.200 公有范围
[RTA] acl 2000
[RTA-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255 私有ip范围
[RTA-acl-basic-2000] quit
[RTA] interface serial1/0/0 在连接互联网的公有 ip地址接口配置
[RTA-Serial1/0/0] nat outbound 2000 address-group 1 no-pat
私有 公有
切记:携带 no-pat 为不转换端口的一对一动态映射(近似"静态多对多",但表项仍会超时释放);不携带 no-pat 为带端口转换的动态多对多(NAPT);
[RTA] display nat address-group 1
3、easy nat和 cisco 中的一对多相同:PAT 端口地址转换
[RTA] acl 2000
[RTA-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255 私有
[RTA-acl-basic-2000] quit
[RTA] interface serial1/0/0 该接口为公有 IP 地址所在接口;
[RTA-Serial1/0/0] nat outbound 2000
[RTA] display nat outbound
4、nat服务器:和cisco的端口映射相同
[RTA] interface Serial1/0/0 该接口为连接公网的接口
[RTA-Serial1/0/0] ip address 200.10.10.2 24
[RTA-Serial1/0/0] nat server protocol tcp global 202.10.10.1 www inside 192.168.1.1 8080