Requirements:
1. Public-network devices are configured with IP addresses only
2. Full reachability across the whole network
3. External devices must not hold any private-network routes
4. Internal devices must not hold any public-network routes
5. test-1 can log in to the telnet server; test-2 cannot
6. PC1 can reach test-1; PC2 cannot
7. PCs obtain their addresses via DHCP
Configure IP addresses and the external default routes:
R1:
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.1.254 24
R2:
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.12.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.2.254 24
[R2-GigabitEthernet0/0/2]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 23.0.0.2 24
R3:
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 23.0.0.3 24
[R3-GigabitEthernet0/0/0]quit
[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ip address 34.0.0.3 24
telnet s:
[telnet s]interface GigabitEthernet 0/0/0
[telnet s-GigabitEthernet0/0/0]ip address 192.168.1.100 24
[telnet s-GigabitEthernet0/0/0]quit
[telnet s]ip route-static 0.0.0.0 0 192.168.1.254
test-1:
[test-1]interface GigabitEthernet 0/0/0
[test-1-GigabitEthernet0/0/0]ip address 34.0.0.1 24
[test-1-GigabitEthernet0/0/0]quit
[test-1]ip route-static 0.0.0.0 0 34.0.0.3
test-2:
[test-2]interface GigabitEthernet 0/0/0
[test-2-GigabitEthernet0/0/0]ip address 34.0.0.2 24
[test-2-GigabitEthernet0/0/0]quit
[test-2]ip route-static 0.0.0.0 0 34.0.0.3
Test:
Configure OSPF and DHCP:
R1:
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 192.168.12.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
[R1]dhcp enable
[R1]ip pool 1
[R1-ip-pool-1]network 192.168.1.0 mask 24
[R1-ip-pool-1]gateway-list 192.168.1.254
[R1-ip-pool-1]quit
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]dhcp select global
R2:
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 192.168.2.254 0.0.0.0
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
[R2]dhcp enable
[R2]ip pool 1
[R2-ip-pool-1]network 192.168.2.0 mask 24
[R2-ip-pool-1]gateway-list 192.168.2.254
[R2-ip-pool-1]quit
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]dhcp select global
Test:
Static default route (advertised into OSPF so internal devices need no public routes):
[R2]ip route-static 0.0.0.0 0 23.0.0.3
[R2]ospf 1
[R2-ospf-1]default-route-advertise
Configure the ACL for NAT outbound:
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2-acl-basic-2000]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]nat outbound 2000
Test:
PC1 can reach test-1; PC2 cannot:
[R2]acl 3000
[R2-acl-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 34.0.0.1 0
[R2-acl-adv-3000]quit
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
test-1 can log in to the telnet server; test-2 cannot:
[telnet s]user-interface vty 0 4
[telnet s-ui-vty0-4]authentication-mode aaa
[telnet s-ui-vty0-4]quit
[telnet s]aaa
[telnet s-aaa]local-user huawei password cipher 123456 privilege level 15
[telnet s-aaa]local-user huawei service-type telnet
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 2323 inside 192.168.1.100 23
[R2-GigabitEthernet0/0/1]quit
[R2]acl 3100
[R2-acl-adv-3100]rule deny tcp source 34.0.0.2 0 destination 23.0.0.2 0 destination-port eq 2323
[R2-acl-adv-3100]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter inbound acl 3100
Test: