Lab topology diagram
Lab requirements
1. Public-network devices are configured with IP addresses only
2. The whole network is reachable end to end
3. External-network devices must not hold any private-network routes
4. Internal-network devices must not hold any public-network routes
5. test-1 can log in to the telnet server device; test-2 cannot
6. pc1 can access test-1; pc2 cannot
7. The PCs obtain IP addresses via DHCP; public-network devices are configured with IP addresses only
Lab procedure
1. Configure IP addresses
Configure AR1:
[r1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
Oct 30 2023 22:50:54-08:00 r1 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip add
[r1-GigabitEthernet0/0/1]ip address 192.168.12.1 24
[r1-GigabitEthernet0/0/1]
Oct 30 2023 22:51:23-08:00 r1 %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
Configure AR2:
[r2-GigabitEthernet0/0/1]ip address 192.168.12.2 24
Oct 30 2023 22:52:52-08:00 r2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[r2-GigabitEthernet0/0/2]ip address 23.0.0.2 24
[r2-GigabitEthernet0/0/2]
Oct 30 2023 22:54:13-08:00 r2 %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/2 has entered the UP state.
[r2-GigabitEthernet0/0/0]ip address 192.168.2.254 24
[r2-GigabitEthernet0/0/0]
Oct 30 2023 22:54:35-08:00 r2 %%01IFNET/4/LINK_STATE(l)[4]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
Configure AR3:
[r3-GigabitEthernet0/0/0]ip address 23.0.0.3 24
Oct 30 2023 23:03:33-08:00 r3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[r3-GigabitEthernet0/0/0]int g0/0/1
[r3-GigabitEthernet0/0/1]ip address 34.0.0.3 24
[r3-GigabitEthernet0/0/1]
Oct 30 2023 23:04:26-08:00 r3 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
2. Configure test-1 and test-2, and set a default route on each
Configure test-1:
[test-1]int g0/0/0
[test-1-GigabitEthernet0/0/0]ip address 34.0.0.1 24
Oct 30 2023 23:06:50-08:00 test-1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[test-1-GigabitEthernet0/0/0]q
[test-1]ip route-static 0.0.0.0 0 34.0.0.3
Likewise,
Configure test-2:
[test-2-GigabitEthernet0/0/0]ip address 34.0.0.2 24
Oct 30 2023 23:11:04-08:00 test-2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[test-2-GigabitEthernet0/0/0]q
[test-2]ip route-static 0.0.0.0 0 34.0.0.3
Public-network configuration complete
3. Configure the telnet device's addressing and routing
[telnet-GigabitEthernet0/0/0]ip address 192.168.1.100 24
Oct 30 2023 23:16:19-08:00 telnet %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[telnet-GigabitEthernet0/0/0]q
Set the loopback address:
[telnet]ip route-static 0.0.0.0 0 192.168.1.254
Test whether the links can be pinged
4. Set up the intranet area so that the whole intranet is reachable, using OSPF and advertising the network segments
[r1]ospf 1 router-id 1.1.1.1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 192.168.12.1 0.0.0.0
[r2]ospf 1 router-id 2.2.2.2
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]network 192.168.12.2 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 192.168.2.254 0.0.0.0
5. Enable DHCP on AR1 and AR2 so that the PCs obtain IP addresses automatically
[r1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r1]ip pool 1
Info: It's successful to create an IP address pool.
[r1-ip-pool-1]network 192.168.1.0 mask 24
[r1-ip-pool-1]gateway-list 192.168.1.254
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]dhcp select global
[r2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r2]ip pool 1
Info: It's successful to create an IP address pool.
[r2-ip-pool-1]network 192.168.2.0 mask 24
[r2-ip-pool-1]gateway-list 192.168.2.254
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]dhcp select global
PC1 and PC3 obtain IP addresses automatically
The intranet is now reachable
6. On the intranet border router, write a default route to the external network so that the intranet can reach it, and advertise that default route into the intranet
[r2]ip route-static 0.0.0.0 0 23.0.0.3
[r2]ospf 1
[r2-ospf-1]default-route-advertise
[r1]display ip routing-table protocol ospf
7. For the intranet to access external devices, configure an ACL rule on AR2 so that the intranet segments are translated to the external segment
[r2]acl 2000
[r2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[r2]int g0/0/2
[r2-GigabitEthernet0/0/2]nat outbound 2000
Test:
The external network is reachable.
8. PC3 can access test-1, while PC1 cannot. An advanced ACL can be configured on AR2 to restrict the access.
[r2]acl 3000
[r2-acl-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 34.0.0.1 0
When applying an advanced ACL it should be placed close to the source, so the ACL rule is applied on interface 0/0/0
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Now PC3 cannot access test-1
9. Enable the telnet service and restrict login
[telnet]user-interface vty 0 4
[telnet-ui-vty0-4]authentication-mode aaa
[telnet-ui-vty0-4]q
[telnet]aaa
[telnet-aaa]local-user huawei password cipher 123456 privilege level 15
Info: Add a new user.
[telnet-aaa]local-user huawei service-type telnet
For external devices to log in via telnet, first configure port mapping on AR2
[r2]int g0/0/2
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 2323 inside 192.168.1.100 23
Set an ACL rule so that test-2 is not allowed to log in via telnet:
[r2]acl 3100
[r2-acl-adv-3100]rule deny tcp source 34.0.0.2 0 destination 23.0.0.2 0 destination-port eq 2323
[r2]int g0/0/2
[r2-GigabitEthernet0/0/2]traffic-filter inbound acl 3100
test-2 cannot log in via telnet
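The policies in steps 7, 8 and 9 all rest on the same two mechanisms: wildcard-mask matching in the ACLs (also the semantics behind the OSPF network statements in step 4) and the order in which AR2 applies an inbound traffic-filter before NAT. The following Python model is an added example, not part of the lab write-up and not Huawei code: it takes the ACL numbers, addresses and the 2323-to-23 mapping from the page, and assumes PC host addresses (192.168.1.10 behind g0/0/1, 192.168.2.10 behind g0/0/0), that a traffic-filter permits packets no rule matches, that nat outbound 2000 only translates packets ACL 2000 permits, and writes the page's shorthand wildcard "0" as 0.0.0.0.

```python
# Added example (not from the lab write-up): a small model of the AR2 policies
# configured in steps 7 to 9 so the reachability claims can be checked offline.
# Addresses, ACL numbers and the 2323 -> 23 mapping come from the page; PC host
# addresses and the evaluation semantics are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'.
    The 'network x.x.x.x 0.0.0.0' OSPF statements above use the same rule."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"              # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None    # 'destination-port eq N'

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and wildcard_match(p.src, self.src, self.src_wc)
            and wildcard_match(p.dst, self.dst, self.dst_wc)
            and (self.dport is None or self.dport == p.dport)
        )


def acl_action(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; 'default' applies when no rule matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# The three ACLs from the page (the '0' wildcard written out as 0.0.0.0).
ACL_2000 = [Rule("permit", src="192.168.0.0", src_wc="0.0.255.255")]
ACL_3000 = [Rule("deny", src="192.168.2.0", src_wc="0.0.0.255", dst="34.0.0.1", dst_wc="0.0.0.0")]
ACL_3100 = [Rule("deny", proto="tcp", src="34.0.0.2", src_wc="0.0.0.0",
                 dst="23.0.0.2", dst_wc="0.0.0.0", dport=2323)]

AR2_OUTSIDE_IP = "23.0.0.2"                           # AR2 g0/0/2 address from the page
NAT_SERVER = {("tcp", 2323): ("192.168.1.100", 23)}  # 'nat server ... 2323 inside 192.168.1.100 23'


def forward_from_inside(p: Packet, ingress: str) -> Optional[Packet]:
    """AR2 handling of an intranet packet that will leave via g0/0/2.
    Assumed semantics: the inbound traffic-filter on g0/0/0 permits anything no rule
    matches, and 'nat outbound 2000' only translates packets ACL 2000 permits."""
    if ingress == "g0/0/0" and acl_action(ACL_3000, p, default="permit") == "deny":
        return None                                   # dropped by the traffic-filter
    if acl_action(ACL_2000, p, default="deny") == "permit":
        return Packet(AR2_OUTSIDE_IP, p.dst, p.proto, p.dport)   # source translated
    return p                                          # forwarded untranslated


def forward_from_outside(p: Packet) -> Optional[Packet]:
    """AR2 handling of a packet arriving on g0/0/2: ACL 3100 filter, then static NAT."""
    if acl_action(ACL_3100, p, default="permit") == "deny":
        return None
    target = NAT_SERVER.get((p.proto, p.dport))
    if target is not None and p.dst == AR2_OUTSIDE_IP:
        return Packet(p.src, target[0], p.proto, target[1])   # 23.0.0.2:2323 -> 192.168.1.100:23
    return p


if __name__ == "__main__":
    # Constructed hosts: PC1 at 192.168.1.10 (enters via g0/0/1), PC3 at 192.168.2.10 (g0/0/0).
    print(forward_from_inside(Packet("192.168.2.10", "34.0.0.1", "icmp"), "g0/0/0"))
    print(forward_from_inside(Packet("192.168.1.10", "34.0.0.1", "icmp"), "g0/0/1"))
    print(forward_from_outside(Packet("34.0.0.2", "23.0.0.2", "tcp", 2323)))
    print(forward_from_outside(Packet("34.0.0.1", "23.0.0.2", "tcp", 2323)))
```

Running it shows why the filter for ACL 3000 has to sit on g0/0/0: PC3's traffic is dropped there, while PC1's traffic enters on g0/0/1, never meets that filter, and is source-translated to 23.0.0.2. On the outside interface, test-2's connection to 23.0.0.2:2323 is discarded before the static mapping is consulted, whereas test-1's is rewritten to 192.168.1.100:23; a connection to any port other than 2323 is neither denied nor mapped.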