Assignment
1. R5 is the ISP; only IP addresses may be configured on it, and all of its addresses are public IP addresses.
2. R1 and R5 use PPP PAP authentication, with R5 as the authenticator; R2 and R5 use PPP CHAP authentication, with R5 as the authenticator.
3. R1, R2 and R3 form an MGRE environment with R1 as the hub site; R1 and R4 are connected by a point-to-point GRE tunnel.
4. The whole private network is reachable end to end via RIP.
5. All PCs use their private IP as the source address and can reach R5's loopback, so the whole network is reachable.
Topology diagram
I. Approach
1. Configure IP addresses on every device that can take one.
2. Achieve public-network connectivity --- configure default routes.
3. Set up authentication between R1 and R5 and between R2 and R5.
4. Use HDLC encapsulation between R3 and R5.
5. Build the tunnels as required.
6. Connect the private networks with RIP.
7. Translate the inside addresses --- NAT.
II. Procedure
1. Configure IP addresses
R1:
[R1]int g 0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[R1-GigabitEthernet0/0/0]int s 4/0/0
[R1-Serial4/0/0]ip add 15.1.1.1 24
[R1]dis ip int brief
R2:
[R2]int g 0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.2.254 24
[R2-GigabitEthernet0/0/0]int s 4/0/0
[R2-Serial4/0/0]ip add 25.1.1.2 24
[R2]dis ip int b
R3:
[R3]int s 4/0/0
[R3-Serial4/0/0]ip add 35.1.1.2 24
[R3-Serial4/0/0]int g 0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.3.254 24
[R3]dis ip int b
R4:
[R4]int g 0/0/0
[R4-GigabitEthernet0/0/0]ip add 45.1.1.1 24
[R4-GigabitEthernet0/0/0]int g0/0/1
[R4-GigabitEthernet0/0/1]ip add 192.168.4.254 24
[R4]dis ip int b
R5:
[R5]int s 4/0/1
[R5-Serial4/0/1]ip add 15.1.1.2 24
[R5-Serial4/0/1]int s 3/0/1
[R5-Serial3/0/1]ip add 25.1.1.1 24
[R5-Serial3/0/1]int g 0/0/0
[R5-GigabitEthernet0/0/0]ip add 45.1.1.2 24 --- R4's g0/0/0 already holds 45.1.1.1 and R4's default route points at 45.1.1.2, so R5 must take 45.1.1.2 here
[R5-GigabitEthernet0/0/0]int s 4/0/0
[R5-Serial4/0/0]ip add 35.1.1.1 24
[R5]int loopback0
[R5-LoopBack0]ip add 5.5.5.5 24
[R5]dis ip int b
2. Configure default routes
[R1]ip route-static 0.0.0.0 0 15.1.1.2
[R2]ip route-static 0.0.0.0 0 25.1.1.1
[R3]ip route-static 0.0.0.0 0 35.1.1.1
[R4]ip route-static 0.0.0.0 0 45.1.1.2
Now the public-network addresses can ping each other.
3. Authentication
(Authentication between R1 and R5, and between R2 and R5)
1. PAP between R1 and R5: the peer being authenticated sends the request first!!!
A. On the authenticator:
[R5]aaa
[R5-aaa]local-user xiaojinfeng password cipher xjf123456 --- the authenticator must hold this user's password, otherwise PAP cannot succeed
[R5-aaa]local-user xiaojinfeng service-type ppp
[R5-aaa]q
[R5]int s 4/0/1
[R5-Serial4/0/1]ppp authentication-mode pap
B. On the peer's interface:
[R1]int s 4/0/0
[R1-Serial4/0/0]ppp pap local-user xiaojinfeng password cipher xjf123456
2. CHAP between R5 and R2:
[R5]aaa
[R5-aaa]local-user zhangjinfeng password cipher zjf123456
[R5-aaa]local-user zhangjinfeng service-type ppp
[R5-aaa]q
[R5]int s 3/0/1
[R5-Serial3/0/1]ppp authentication-mode chap
[R2]int s 4/0/0
[R2-Serial4/0/0]ppp chap user zhangjinfeng
[R2-Serial4/0/0]ppp chap password cipher zjf123456
[R2-Serial4/0/0]shutdown --- bounce the link so PPP renegotiates with the new settings
[R2-Serial4/0/0]undo shutdown
3. HDLC encapsulation between R3 and R5:
[R3]int s 4/0/0
[R3-Serial4/0/0]link-protocol hdlc
[R5]int s 4/0/0
[R5-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N] :y
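Added example (not part of the original lab) in Python modelling the R2-R5 CHAP exchange with the lab's credentials, next to what a PAP Authenticate-Request on the R1-R5 link carries; the random challenge, the identifier value and the local-user dictionary are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed from the lab: R5 (authenticator) keeps the local-user database that
# 'local-user zhangjinfeng password cipher zjf123456' creates; R2 (peer) only knows
# what 'ppp chap user' and 'ppp chap password' were set to.
R5_LOCAL_USERS = {"zhangjinfeng": "zjf123456"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def r5_new_challenge() -> bytes:
    """Authenticator (R5): a fresh random challenge for every attempt, so a
    captured response is useless against any later challenge."""
    return os.urandom(16)


def r2_answer(identifier: int, challenge: bytes, user: str, password: str) -> tuple:
    """Peer (R2): only the username and the digest go on the wire; the password does not."""
    return user, chap_response(identifier, password, challenge)


def r5_verify(identifier: int, challenge: bytes, user: str, response: bytes) -> bool:
    """Authenticator (R5): recompute with the stored secret, compare in constant time."""
    secret = R5_LOCAL_USERS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_chap(user: str, password: str) -> bool:
    """One full Challenge -> Response -> Success/Failure round with R5 as authenticator."""
    identifier = 1  # constructed; the real value is the CHAP packet Identifier field
    challenge = r5_new_challenge()
    wire_user, wire_response = r2_answer(identifier, challenge, user, password)
    return r5_verify(identifier, challenge, wire_user, wire_response)


def pap_authenticate_request(user: str, password: str) -> bytes:
    """Payload of a PAP Authenticate-Request (RFC 1334): Peer-ID and Password are
    plain length-prefixed strings, so the R1-R5 PAP link carries 'xjf123456'
    readably; this is why CHAP is the stronger of the two modes used in the lab."""
    u, p = user.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p
```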
4. Build the tunnels
(Build the tunnels and enable NHRP --- the Next Hop Resolution Protocol)
A. R1, R2 and R3 form an MGRE environment:
[R1]int Tunnel 0/0/0
[R1-Tunnel0/0/0]ip add 10.1.2.1 24
[R1-Tunnel0/0/0]tunnel-protocol gre p2mp
[R1-Tunnel0/0/0]source 15.1.1.1
[R1-Tunnel0/0/0]nhrp network-id 100 --- create an NHRP domain
[R2]int Tunnel 0/0/0
[R2-Tunnel0/0/0]ip add 10.1.2.2 24
[R2-Tunnel0/0/0]tunnel-protocol gre p2mp
[R2-Tunnel0/0/0]source s4/0/0 --- the source interface
[R2-Tunnel0/0/0]nhrp network-id 100
[R3]int Tunnel 0/0/0
[R3-Tunnel0/0/0]ip add 10.1.2.3 24
[R3-Tunnel0/0/0]tunnel-protocol gre p2mp
[R3-Tunnel0/0/0]source s4/0/0 --- the source interface
[R3-Tunnel0/0/0]nhrp network-id 100 --- put the interface into the NHRP network id
B. Point-to-point GRE between R1 and R4:
[R1]int t 0/0/1
[R1-Tunnel0/0/1]ip add 10.1.1.1 24
[R1-Tunnel0/0/1]tunnel-protocol gre
[R1-Tunnel0/0/1]source 15.1.1.1
[R1-Tunnel0/0/1]destination 45.1.1.1
[R1]dis ip int b --- check that the tunnel interface is up/up
[R4]int t0/0/1
[R4-Tunnel0/0/1]ip add 10.1.1.2 24
[R4-Tunnel0/0/1]tunnel-protocol gre
[R4-Tunnel0/0/1]source 45.1.1.1
[R4-Tunnel0/0/1]destination 15.1.1.1
5. Private-network connectivity --- configure RIP
R1:
[R1]rip 1
[R1-rip-1]v 2
[R1-rip-1]undo summary
[R1-rip-1]network 192.168.1.0
[R1-rip-1]network 10.0.0.0
Note: this one statement advertises both tunnel subnets; they cannot be written separately, and advertising them one by one produces an error!!! 10.x.x.x is a class A private address with an 8-bit network part, and RIP advertises the major-class (classful) address! What is a major-class address? AND an IP with its natural mask and you get that IP's major-class address. In this lab 10.1.1.0 and 10.1.2.0 both have the major-class address 10.0.0.0!!
R2:
[R2]rip 1
[R2-rip-1]v 2
[R2-rip-1]undo summary
[R2-rip-1]network 192.168.2.0
[R2-rip-1]network 10.0.0.0
R3:
[R3]rip 1
[R3-rip-1]v 2
[R3-rip-1]undo summary
[R3-rip-1]network 192.168.3.0
[R3-rip-1]network 10.0.0.0
R4:
[R4]rip 1
[R4-rip-1]v 2
[R4-rip-1]undo summary
[R4-rip-1]network 192.168.4.0
[R4-rip-1]network 10.0.0.0
Enable broadcast/multicast forwarding on the tunnel interfaces:
Hub device:
[R1]int t 0/0/0 --- enter the tunnel interface
[R1-Tunnel0/0/0]nhrp entry multicast dynamic
The other devices register with the hub:
[R2]int t 0/0/0
[R2-Tunnel0/0/0]nhrp entry 10.1.2.1 15.1.1.1 register
[R3]int t 0/0/0
[R3-Tunnel0/0/0]nhrp entry 10.1.2.1 15.1.1.1 register
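Added example (not from the lab) that computes the major-class address the way the note above describes, ANDing an address with its natural mask, and collapses a router's interface addresses into the distinct network statements RIP accepts; the interface list for R1 is taken from the configuration above, the rest is constructed.

```python
import ipaddress


def natural_mask_length(addr: str) -> int:
    """Natural (classful) mask from the leading bits of the first octet:
    class A 0xxxxxxx -> /8, class B 10xxxxxx -> /16, class C 110xxxxx -> /24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} has no class A/B/C natural mask")


def major_network(addr: str) -> str:
    """AND the address with its natural mask, exactly as the RIP note describes."""
    net = ipaddress.IPv4Network(f"{addr}/{natural_mask_length(addr)}", strict=False)
    return str(net.network_address)


def rip_network_statements(interface_addrs: list) -> list:
    """Collapse a router's interface addresses into the distinct classful
    'network' lines RIP accepts; 10.1.1.1 and 10.1.2.1 yield a single 10.0.0.0."""
    majors = {major_network(a) for a in interface_addrs}
    return sorted(majors, key=lambda n: int(ipaddress.IPv4Address(n)))


# R1's private-side interfaces from the lab: g0/0/0, Tunnel0/0/0 and Tunnel0/0/1.
R1_PRIVATE_INTERFACES = ["192.168.1.2", "10.1.2.1", "10.1.1.1"]
```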
6. Disable RIP split horizon on the MGRE tunnel interfaces
[R1]int t 0/0/0
[R1-Tunnel0/0/0]undo rip split-horizon
[R2]int t 0/0/0
[R2-Tunnel0/0/0]undo rip split-horizon
[R3]int t 0/0/0
[R3-Tunnel0/0/0]undo rip split-horizon
Test connectivity between the private networks!
7. Inside address translation (NAT)
NAT categories:
1. Static NAT: maps private IPs to public IPs one to one; does not solve the shortage of addresses.
2. Dynamic NAT: maps private IPs to public IPs dynamically, but it is still a one-to-one mapping, so it does not really solve the shortage of addresses.
3. NAPT: port-based dynamic translation that maps private IP address plus port number, which does solve the shortage of addresses.
4. Easy IP: a simplified form of NAPT (NAPT requires an address pool of public IPs for the private-to-public translation!); Easy IP needs no pool. Create an ACL at the intranet egress to permit the internal traffic, and apply nat outbound 2000 under the public-facing interface. Advantage: suitable when the egress address of the intranet is not fixed, i.e. when the public address is dynamic.
5. NAT server: statically maps a port of a public IP to a port of a private IP, so that users on the public network can initiate access to a server inside the private network.
Steps:
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]int s 4/0/0
[R1-Serial4/0/0]nat outbound 2000
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R2-acl-basic-2000]q
[R2]int s 4/0/0
[R2-Serial4/0/0]nat outbound 2000
[R3]acl 2000
[R3-acl-basic-2000]rule permit source 192.168.3.0 0.0.0.255
[R3-acl-basic-2000]q
[R3]int s 4/0/0
[R3-Serial4/0/0]nat outbound 2000
[R4]acl 2000
[R4-acl-basic-2000]rule permit source 192.168.4.0 0.0.0.255
[R4-acl-basic-2000]q
[R4]int g 0/0/0
[R4-GigabitEthernet0/0/0]nat outbound 2000
Now the private networks can ping R5!
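Added example (neither the lab's nor Huawei's code) modelling what acl 2000 plus nat outbound 2000 on R1's Serial4/0/0 does: wildcard-mask ACL matching, a port-based (NAPT / Easy IP) translation table keyed on the egress address 15.1.1.1, and the reverse lookup that admits return traffic while an unsolicited inbound packet finds no entry. For ICMP echo, the lab's ping test, the identifier field plays the role of the port; the starting port 10240 and the sample hosts are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EasyIpNat:
    """Model of 'acl 2000 / rule permit source <net> <wildcard>' plus 'nat outbound 2000'
    on one egress interface. Constructed for this lab, not Huawei's implementation."""
    egress_ip: str                 # address of the interface carrying 'nat outbound'
    acl_rules: list                # [(source, wildcard)] as written in the acl 2000 rule
    next_port: int = 10240         # constructed starting point for translated ports
    table: dict = field(default_factory=dict)    # (inner_ip, inner_port) -> public port
    reverse: dict = field(default_factory=dict)  # public port -> (inner_ip, inner_port)

    def acl_permits(self, src_ip: str) -> bool:
        """Wildcard semantics: 0 bits must match the rule, 1 bits are 'don't care'."""
        s = int(ipaddress.IPv4Address(src_ip))
        for base, wildcard in self.acl_rules:
            b = int(ipaddress.IPv4Address(base))
            care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
            if s & care == b & care:
                return True
        return False

    def outbound(self, src_ip: str, src_port: int):
        """Egress packet: (new_src_ip, new_src_port), or None when the ACL does not
        match, e.g. GRE packets already sourced from the public 15.1.1.1 address."""
        if not self.acl_permits(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.table:           # new session: allocate the next free port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.egress_ip, self.table[key]

    def inbound(self, dst_port: int):
        """Return traffic: forwarded inside only if an outbound session created the
        entry; an unsolicited packet to any other port has no mapping and is dropped."""
        return self.reverse.get(dst_port)


# R1 as configured in the lab: ACL 2000 permits 192.168.1.0 0.0.0.255, NAT on Serial4/0/0.
r1_nat = EasyIpNat("15.1.1.1", [("192.168.1.0", "0.0.0.255")])
```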
Lab complete!!!