HCIP 网络协议实验

第一步：配置IP地址以及缺省

R1：
[r1]int s4/0/0
[r1-Serial4/0/0]ip add 15.0.0.1 24
[r1-Serial4/0/0]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[r1]ip route-static 0.0.0.0 0 15.0.0.2
//R1到R4基本配置相同，只是地址不一样，在此就不一一展示了。
R5的接口多一些，故配置IP地址多一些
[isp]int s3/0/0
[isp-Serial3/0/0]ip add 15.0.0.2 24
[isp-Serial3/0/0]int s3/0/1
[isp-Serial3/0/1]ip add 25.0.0.2 24
[isp-Serial3/0/1]int s4/0/0
[isp-Serial4/0/0]ip add 35.0.0.2 24
[isp-Serial4/0/0]int g0/0/0
[isp-GigabitEthernet0/0/0]ip add 45.0.0.2 24
[isp-GigabitEthernet0/0/0]int l0
[isp-LoopBack0]ip add 5.5.5.5 24

第二步：实验分析

由要求二可知
1、R1和R5间要做PPP的PAP认证，R5为主认证方，故在R5上做配置：
[isp]aaa
[isp-aaa]loc
[isp-aaa]local-user r1 pa
[isp-aaa]local-user r1 password c
[isp-aaa]local-user r1 password cipher 123456
Info: Add a new user.//创建一个新用户
[isp-aaa]local-user r1 s
[isp-aaa]local-user r1 service-type pp
[isp-aaa]local-user r1 service-type ppp //该用户用于ppp协议
[isp-aaa]int s3/0/0
[isp-Serial3/0/0]ppp au
[isp-Serial3/0/0]ppp authentication-mode pap//PPP协议的PAP认证
R5需要认证R1就提供认证
[r1-Serial4/0/0]ppp pap local-user r1 pa
[r1-Serial4/0/0]ppp pap local-user r1 password c
[r1-Serial4/0/0]ppp pap local-user r1 password cipher 123456
注意：验证认证是否成功时，ping对端地址，但是之前已经可以ping通对端地址，说明认证前会话已经创建，多以我们将接口关闭然后在开启，再去ping对端地址，此时还能ping通的话说明，认证成功。
2、在R2和R5之间做PPP的CHAP认证，R5为主认证方：
同理先在R5上创建一个新用户，然后用这个用户启用PPP服务
[isp]aaa
[isp-aaa]loc
[isp-aaa]local-user r2 p
[isp-aaa]local-user r2 password c
[isp-aaa]local-user r2 password cipher 123456
Info: Add a new user.
[isp-aaa]l
[isp-aaa]local-user s
[isp-aaa]local-user r2 s
[isp-aaa]local-user r2 service-type p
[isp-aaa]local-user r2 service-type ppp
[isp-aaa]int s3/0/0
[isp-Serial3/0/0]ppp a
[isp-Serial3/0/0]ppp authentication-mode c
[isp-Serial3/0/0]ppp authentication-mode chap //PPP协议的chap认证
[isp-Serial3/0/0]
R2提供认证
[r2-Serial4/0/0]ppp chap user r2
[r2-Serial4/0/0]ppp c
[r2-Serial4/0/0]ppp chap p
[r2-Serial4/0/0]ppp chap password c
[r2-Serial4/0/0]ppp chap password cipher 123456
3、R3与R5之间使用HDLC封装：
通过命令display interface s4/0/0可知串口默认启用PPP协议，现在要求我们使用HDLC封装，所以我们要更改协议：
[r3]int s4/0/0
[r3-Serial4/0/0]li
[r3-Serial4/0/0]link-protocol hd
[r3-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y
同样需要在R5上更改协议：
[isp]int s4/0/0
[isp-Serial4/0/0]lin
[isp-Serial4/0/0]link-protocol hd
[isp-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y

由要求三可知要做MGRE和GRE
1、在R1 R2 R3间构建MGRE环境，R1为中心站点：
虚拟逻辑链路网段位192.168.5.0/24
[r1]int t0/0/0//创建一个虚拟接口
[r1-Tunnel0/0/0]ip add 192.168.5.1 24
[r1-Tunnel0/0/0]t
[r1-Tunnel0/0/0]tun
[r1-Tunnel0/0/0]tunnel-protocol g
[r1-Tunnel0/0/0]tunnel-protocol gre p
[r1-Tunnel0/0/0]tunnel-protocol gre p2mp//P2P为点到点，P2MP则为点到多点，加上GRE则为MGRE
[r1-Tunnel0/0/0]so
[r1-Tunnel0/0/0]source 15.0.0.1//源地址
[r1-Tunnel0/0/0]
[r1-Tunnel0/0/0]nhrp n
[r1-Tunnel0/0/0]nhrp network-id 100//创建nhrp域，注意：要加入同一个域，才能将物理地址和隧道IP地址上报给中心站点
[r1-Tunnel0/0/0]nh
[r1-Tunnel0/0/0]nhrp en
[r1-Tunnel0/0/0]nhrp entry m
[r1-Tunnel0/0/0]nhrp entry multicast d
[r1-Tunnel0/0/0]nhrp entry multicast dynamic //后面需要rip协议伪广播
同理，分支站点也一样：
[r2]int t0/0/0
[r2-Tunnel0/0/0]ip add 192.168.5.2 24
[r2-Tunnel0/0/0]t
[r2-Tunnel0/0/0]tun
[r2-Tunnel0/0/0]tunnel-protocol g
[r2-Tunnel0/0/0]tunnel-protocol gre p
[r2-Tunnel0/0/0]tunnel-protocol gre p2mp
[r2-Tunnel0/0/0]so
[r2-Tunnel0/0/0]source s4/0/0//接口始终不会变化
[r2-Tunnel0/0/0]
[r2-Tunnel0/0/0]nhrp n
[r2-Tunnel0/0/0]nhrp network-id 100//加入同一个nhrp域
[r2-Tunnel0/0/0]nhrp e
[r2-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 r
[r2-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 register //找中心站点汇报
[r2-Tunnel0/0/0]

[r3]int t0/0/0
[r3-Tunnel0/0/0]ip add 192.168.5.3 24
[r3-Tunnel0/0/0]tun
[r3-Tunnel0/0/0]tunnel-protocol g
[r3-Tunnel0/0/0]tunnel-protocol gre p
[r3-Tunnel0/0/0]tunnel-protocol gre p2mp
[r3-Tunnel0/0/0]so
[r3-Tunnel0/0/0]source s4/0/0
[r3-Tunnel0/0/0]
[r3-Tunnel0/0/0]nh
[r3-Tunnel0/0/0]nhrp n
[r3-Tunnel0/0/0]nhrp network-id 100
[r3-Tunnel0/0/0]nh
[r3-Tunnel0/0/0]nhrp e
[r3-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 register
[r3-Tunnel0/0/0]

2、R1和R4为GRE：
虚拟逻辑链路网段为192.168.6.0/24
同上
[r1-Tunnel0/0/0]int t0/0/1
[r1-Tunnel0/0/1]ip add 192.168.6.1 24
[r1-Tunnel0/0/1]yun
[r1-Tunnel0/0/1]tun
[r1-Tunnel0/0/1]tunnel-protocol gre
[r1-Tunnel0/0/1]so
[r1-Tunnel0/0/1]source 15.0.0.1
[r1-Tunnel0/0/1]d
[r1-Tunnel0/0/1]dest
[r1-Tunnel0/0/1]destination 45.0.0.1

[r4]int t0/0/0
[r4-Tunnel0/0/0]ip add 192.168.6.2 24
[r4-Tunnel0/0/0]tun
[r4-Tunnel0/0/0]tunnel-protocol g
[r4-Tunnel0/0/0]tunnel-protocol gre
[r4-Tunnel0/0/0]so
[r4-Tunnel0/0/0]source 45.0.0.1
[r4-Tunnel0/0/0]dest
[r4-Tunnel0/0/0]destination 15.0.0.1

根据要求四基于rip进行全网可达：
[r1]rip
[r1-rip-1]v 2
[r1-rip-1]net
[r1-rip-1]network 192.168.1.0
[r1-rip-1]network 192.168.5.0
[r1-rip-1]network 192.168.6.0
[r1-Tunnel0/0/0]undo rip sp
[r1-Tunnel0/0/0]undo rip split-horizon //关闭毒性逆转水平分割
[r1-Tunnel0/0/0]
同理，其他路由器的配置与R1相同，在此不一一展示

由要求五知所有PC设置私有IP地址为源IP，可以访问R5环回：
故需要在四个边界路由器上做nat
[r1]acl 2000
[r1-acl-basic-2000]ru
[r1-acl-basic-2000]rule s
[r1-acl-basic-2000]rule p
[r1-acl-basic-2000]rule permit s
[r1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[r1-acl-basic-2000]int s4/0/0
[r1-Serial4/0/0]nat o
[r1-Serial4/0/0]nat outbound 2000
[r1-Serial4/0/0]
同理剩余三个配置相同