实验拓扑:
实验要求:
1、ISP路由器仅配置IP地址
2、test-1和test-2仅作为代替终端设备进行测试使用,路由采用静态路由
3、R1/R2之间使用0SPF做到内网全通,单区域,0SPF使用一条命令进行宣告(直接宣告192.168.1.0网段);router-ID分别为1.1.1.1和2.2.2.2;0SPF进程为1
4、PC1-PC4使用DHCP获取地址,地址池名称使用1,2
5、PC1不能访问PC5,ac1编号为3000
6、R2出口只拥有一个公网IP
7、test-1设备可以登录内网te1net服务器,test-2不行;ac1编号为3000
8、te1net服务器的账号密码为huawei/123456
9、内网用户可以正常访问ISP(边界做默认路由)
实验相应的IP地址:
192.168.1.0/26 ---骨干
192.168.1.64/26 ---R1下的网络
---192.168.1.64/28 vlan2
---192.168.1.80/28 vlan3
---192.168.1.96/28 vlan4
---192.168.1.112/28
192.168.1.128/26 ---R2下的网络
---192.168.1.128/27 ---vlan2
---192.168.1.160/27 ---vlan3
192.168.1.192/26 ---预留
202.1.1.0/30---R2-ISP
203.1.1.0/24---ISP下方网络
实验前的准备:
一、先在交换机上配置
//创建vlan
[LW1]vlan 2
[LW1]vlan 3
[LW1]vlan 4
//放行vlan
[LW1]int g0/0/2
[LW1-GigabitEthernet0/0/2]port link-type access
[LW1-GigabitEthernet0/0/2]port default vlan 2
[LW1]int g0/0/3
[LW1-GigabitEthernet0/0/3]port link-type access
[LW1-GigabitEthernet0/0/3]port default vlan 3
[LW1]int g0/0/4
[LW1-GigabitEthernet0/0/4]port link-type access
[LW1-GigabitEthernet0/0/4]port default vlan 4
[LW1]int g0/0/1 //干道
[LW1-GigabitEthernet0/0/1]port link-type trunk
[LW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 4
(2)LW2同理:
//创建vlan
[LW2]vlan 2
[LW2]vlan 3
//放行vlan
[LW2]int g0/0/2
[LW2-GigabitEthernet0/0/2]port link-type access
[LW2-GigabitEthernet0/0/2]port default vlan 2
[LW2]int g0/0/3
[LW2-GigabitEthernet0/0/3]port link-type access
[LW2-GigabitEthernet0/0/3]port default vlan 3
[LW2]int g0/0/1 //干道
[LW2-GigabitEthernet0/0/1]port link-type trunk
[LW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
二、在交换机上配置IP
(1)R1上配置IP
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.1.1 26
不可以直接在0/0/0口上配置IP,因为底下有三个广播域,所以需要3个子接口来承接广播域
[R1-GigabitEthernet0/0/1]int g0/0/0.1
[R1-GigabitEthernet0/0/0.1]ip address 192.168.1.65 28
[R1-GigabitEthernet0/0/0.1]dot1q termination vid 2 //用来配置子接口Dot1q终结的单层VLAN ID
[R1-GigabitEthernet0/0/0.1]arp broadcast enable //开启广播的arp功能
[R1-GigabitEthernet0/0/0.1]int g0/0/0.2
[R1-GigabitEthernet0/0/0.2]ip address 192.168.1.81 28
[R1-GigabitEthernet0/0/0.2]dot1q termination vid 3
[R1-GigabitEthernet0/0/0.2]arp broadcast enable
[R1-GigabitEthernet0/0/0.2]int g0/0/0.3
[R1-GigabitEthernet0/0/0.3]ip address 192.168.1.97 28
[R1-GigabitEthernet0/0/0.3]dot1q termination vid 4
[R1-GigabitEthernet0/0/0.3]arp broadcast enable
(2)R2上配置IP
R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.1.2 26
[R2]int g0/0/0.1 //同R1配置子接口
[R2-GigabitEthernet0/0/0.1]ip address 192.168.1.129 27
[R2-GigabitEthernet0/0/0.1]dot1q termination vid 2
[R2-GigabitEthernet0/0/0.1]arp broadcast enable
[R2]int g0/0/0.2
[R2-GigabitEthernet0/0/0.2]ip address 192.168.1.161 27
[R2-GigabitEthernet0/0/0.2]dot1q termination vid 3
[R2-GigabitEthernet0/0/0.2]arp broadcast enable
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 202.1.1.1 30 //外网
(3)在Telnet Server上配置IP
[Telnet Server]int g0/0/0
[Telnet Server-GigabitEthernet0/0/0]ip address 192.168.1.98 28
配置完成
实验配置开始:
1.ISP路由器仅配置IP地址
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip address 202.1.1.2 30
[ISP-GigabitEthernet0/0/1]ip address 203.1.1.1 24
2.test-1和test-2仅作为代替终端设备进行测试使用,路由采用静态路由
(1)
[test-1-GigabitEthernet0/0/0]ip add 203.1.1.2 24
(2)
[test-2-GigabitEthernet0/0/0]ip add 203.1.1.3 24
3.使用OSPF协议下发IP地址
(1)在R1上配置OSPF协议
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255 //宣告地址
输入:dis th 查询是否宣告成功
(2)在R2上配置OSPF协议
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255 //宣告网段
4.配置DHCP服务
(1)R1配置DHCP
[R1]dhcp enable //开启dhcp服务
[R1]ip pool 1 //配置地址池1
[R1-ip-pool-1]network 192.168.1.64 mask 28 //IP地址
[R1-ip-pool-1]gateway-list 192.168.1.65 //网关
[R1-ip-pool-1]dns-list 144.144.144.144 //DNS
[R1]ip pool 2 //配置池塘2
[R1-ip-pool-2]network 192.168.1.80 mask 28
[R1-ip-pool-2]gateway-list 192.168.1.81
[R1-ip-pool-2]dns-list 144.144.144.144
配置完地址池开始进入接口激活:
[R1]int g0/0/0.1
[R1-GigabitEthernet0/0/0.1]dhcp select global
[R1]int g0/0/0.2
[R1-GigabitEthernet0/0/0.2]dhcp select global
(2)R2配置DHCP
[R2]dhcp enable
[R2]ip pool 1 //配置池塘1
[R2-ip-pool-1]network 192.168.1.128 mask 27
[R2-ip-pool-1]gateway-list 192.168.1.129
[R2-ip-pool-1]dns-list 144.144.144.144
[R2]ip pool 2 //配置池塘2
[R2-ip-pool-2]network 192.168.1.160 mask 27
[R2-ip-pool-2]gateway-list 192.168.1.161
[R2-ip-pool-2]dns-list 144.144.144.144
配置完地址池开始进入接口激活:
[R2]int g0/0/0.1
[R2-GigabitEthernet0/0/0.1]dhcp select global
[R2]int g0/0/0.2
[R2-GigabitEthernet0/0/0.2]dhcp select global
5.PC1不能访问PC5,ac1编号为3000
需要在边界路由器(R2)上做一个NAT协议
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000 //映射
然后需要一个从PC1到PC5的路由
[R2]ip route-static 0.0.0.0 0 202.1.1.2 //缺省路由
R1上面也没有到达外网的缺省
所以在R2上下发路由:
[R2]ospf 1
[R2-ospf-1]default-route-advertise
在R1路由器上配置限制
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.64 0.0.0.0 destination 203.1.1.
100 0.0.0.0 //deny是拒绝
//icmp是ping的协议 地址是192.168.1.64这个网段不能通过icmp协议去访问203.1.1.
100
需要在R1的入方向就给PC1调用
[R1-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000
7.test-1设备可以登录内网telnet服务器,test-2不行;acl编号为3000
[R1]acl 3000
[R1-acl-adv-3000]rule deny tcp source 203.1.1.2 0 destination-port eq 23
[R1-acl-adv-3000]int g 0/0/2
[R1-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
8.te1net服务器的账号密码为huawei/123456
[Telnet Server]user-interface vty 0 4
[Telnet Server-ui-vty0-4]authentication-mode aaa
[Telnet Server-aaa][Telnet Server-aaa]local-user huawei privilege level 15 password cipher 123456
[R2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface telnet
inside 192.168.1.98 telnet
[test-1]ip rou 202.1.1.1 32 203.1.1.1
[test-2]ip rou 202.1.1.1 32 203.1.1.1