Subnets and port IP addresses are divided as shown in the figure; the PCs obtain their addresses automatically via DHCP.
R1 and R2 establish an adjacency so that the whole intranet is reachable.
Checking the routing table shows the 1.128/27 and 1.160/27 subnets advertised by R2 via OSPF;
The switches are divided into VLANs.
After configuring Easy IP, PC2 pings PC5; capturing with Wireshark on the interfaces on either side of R2 shows the private IP being translated to the public IP.
PC1 cannot ping PC5; PC2 can ping PC5.
test-1 successfully logs in to the Telnet server via Telnet.
test-2 cannot log in to the Telnet server via Telnet, but can ping it.
The configuration, apart from the interface addressing, is as follows:
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.31  OSPF advertises R1's directly connected links into area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.1.32 0.0.0.31
[R1-ospf-1-area-0.0.0.0]network 192.168.1.64 0.0.0.31
[R1-ospf-1-area-0.0.0.0]network 192.168.1.96 0.0.0.31
(R1 advertises the 3 broadcast domains on g0/0/0 and the subnet on g0/0/1, etc.)
[R1]dhcp enable  enable DHCP
[R1-ip-pool-a]network 192.168.1.0 mask 27  address pool a covers the 1.0/27 subnet
[R1-ip-pool-a]gateway-list 192.168.1.1  1.1 is the gateway
[R1-ip-pool-a]dns-list 114.114.114.114 8.8.8.8  DNS server addresses handed to clients
[R1-ip-pool-b]network 192.168.1.32 mask 27  same as above
[R1-ip-pool-b]gateway-list 192.168.1.33
[R1-ip-pool-b]dns-list 114.114.114.144 8.8.8.8
[R1-ip-pool-c]network 192.168.1.64 mask 27  same as above
[R1-ip-pool-c]gateway-list 192.168.1.65
[R1-ip-pool-c]dns-list 114.114.114.114 8.8.8.8
[R1-GigabitEthernet0/0/0.1]ip address 192.168.1.1 27  gateway address on the sub-interface
[R1-GigabitEthernet0/0/0.1]dhcp select global  enable DHCP service from the global pool
[R1-GigabitEthernet0/0/0.1]dot1q termination vid 2  the sub-interface terminates 802.1Q frames tagged with VLAN 2
[R1-GigabitEthernet0/0/0.1]arp broadcast enable  enable ARP broadcast on the sub-interface
[R1-GigabitEthernet0/0/0.2]ip address 192.168.1.33 27  same as above
[R1-GigabitEthernet0/0/0.2]dhcp select global
[R1-GigabitEthernet0/0/0.2]dot1q termination vid 3
[R1-GigabitEthernet0/0/0.2]arp broadcast enable
[R1-GigabitEthernet0/0/0.3]ip address 192.168.1.65 27  same as above
[R1-GigabitEthernet0/0/0.3]dhcp select global
[R1-GigabitEthernet0/0/0.3]dot1q termination vid 4
[R1-GigabitEthernet0/0/0.3]arp broadcast enable
[R1]ip route-static 0.0.0.0 0 192.168.1.98  default route, next hop 1.98
[R1]ip route-static 192.168.1.0 24 NULL 0  summary route to Null0, prevents a routing black hole
[R1-acl-adv-3001]rule deny ip source 192.168.1.30 0.0.0.0 destination 192.168.3.3 0.0.0.0
acl 3001: deny traffic from 1.30 (PC1) to 3.3 (PC5)
[R1-GigabitEthernet0/0/1]traffic-filter outbound acl 3001  apply acl 3001 outbound on R1 g0/0/1
[R2-ospf-1-area-0.0.0.0]network 192.168.1.96 0.0.0.31  OSPF advertises R2's directly connected links into area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.128 0.0.0.31
[R2-ospf-1-area-0.0.0.0]network 192.168.1.160 0.0.0.31
[R2]dhcp enable  the DHCP address assignment is configured the same way as on R1
[R2-ip-pool-a]network 192.168.1.128 mask 27
[R2-ip-pool-a]gateway-list 192.168.1.129
[R2-ip-pool-a]dns-list 114.114.114.114 8.8.8.8
[R2-ip-pool-b]network 192.168.1.160 mask 27
[R2-ip-pool-b]gateway-list 192.168.1.161
[R2-ip-pool-b]dns-list 114.114.114.114 8.8.8.8
[R2-GigabitEthernet0/0/1.1]ip address 192.168.1.129 27
[R2-GigabitEthernet0/0/1.1]dhcp select global
[R2-GigabitEthernet0/0/1.1]dot1q termination vid 2
[R2-GigabitEthernet0/0/1.1]arp broadcast enable
[R2-GigabitEthernet0/0/1.2]ip address 192.168.1.161 27
[R2-GigabitEthernet0/0/1.2]dhcp select global
[R2-GigabitEthernet0/0/1.2]dot1q termination vid 3
[R2-GigabitEthernet0/0/1.2]arp broadcast enable
[R2]ip route-static 0.0.0.0 0 192.168.2.2  default route, next hop 2.2
[R2-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255  acl 2000: permit the 1.0/24 subnet
[R2-GigabitEthernet0/0/2]nat outbound 2000  configure Easy IP (many-to-one NAT)
[R2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 10 inside 192.168.1.10 10  map port 10 of the current interface to port 10 of 1.10
[ISP]ip route-static 192.168.1.0 24 192.168.2.1  static route on the external ISP router towards the 1.0/24 subnet
[ISP-acl-adv-3000]rule deny tcp source 192.168.3.4 0.0.0.0 destination 192.168.1.10 0.0.0.0 destination-port eq 23
acl 3000: deny Telnet requests from 3.4 (PC5) to 1.10 (Telnet server)
[ISP-GigabitEthernet0/0/1]traffic-filter inbound acl 3000  apply acl 3000 inbound on ISP g0/0/1
[telnet server-GigabitEthernet0/0/0]ip address 192.168.1.66 27  interface address 1.66
[telnet server]ip route-static 0.0.0.0 0 192.168.1.65  default route, next hop 1.65
[telnet server-aaa]local-user test-1 privilege level 15 password cipher 123
create user test-1 with the highest privilege level (15) and password 123
[telnet server-aaa]local-user test-1 service-type telnet  user test-1 may use the Telnet service
[telnet server-aaa]local-user test-2 privilege level 15 password cipher 123  same as above
[telnet server-aaa]local-user test-2 service-type telnet
[telnet server]user-interface vty 0 4  create 4 virtual terminal interfaces (vty 0 4)
[telnet server-ui-vty0-4]authentication-mode aaa  these virtual interfaces authenticate via AAA
[SW1]vlan batch 2 to 4  create VLAN 2 to VLAN 4
[SW1-GigabitEthernet0/0/1]port link-type trunk  set this interface's link type to trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all  the trunk on this interface allows all VLANs
[SW1-GigabitEthernet0/0/2]port link-type access  set this interface's link type to access
[SW1-GigabitEthernet0/0/2]port default vlan 2  place this interface in VLAN 2
[SW1-GigabitEthernet0/0/3]port link-type access  same as above
[SW1-GigabitEthernet0/0/3]port default vlan 3
[SW1-GigabitEthernet0/0/4]port link-type access  same as above
[SW1-GigabitEthernet0/0/4]port default vlan 4
[sw2]vlan batch 2 to 4  same as switch SW1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/2]port link-type access
[sw2-GigabitEthernet0/0/2]port default vlan 2
[sw2-GigabitEthernet0/0/3]port link-type access
[sw2-GigabitEthernet0/0/3]port default vlan 3
[test-1]ip route-static 0.0.0.0 0 192.168.3.1  default route on test-1, next hop 3.1
[test-2]ip route-static 0.0.0.0 0 192.168.3.1  default route on test-2, next hop 3.1
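As an added example (not part of the lab report), the Python script below parses R1's DHCP pool and dot1q sub-interface lines in the prompt format used above and checks that the addressing plan is consistent: pools must not overlap, each pool's gateway must lie inside its network, every sub-interface must have a VLAN tag to terminate, and every sub-interface address must fall inside a pool whose gateway is exactly that address. It assumes that `dhcp select global` serves a sub-interface from the global pool whose network contains the sub-interface address (an assumption about the device's pool selection). R1_CONFIG is copied from the report; BROKEN_CONFIG is constructed to show each check firing.

```python
"""Consistency check for R1's DHCP pools and dot1q sub-interfaces.

Added example, not code from the lab report. R1_CONFIG is copied from the
report; BROKEN_CONFIG is constructed. Assumed device behaviour: 'dhcp select
global' picks the global pool whose network contains the sub-interface
address, and clients need that sub-interface address as their gateway.
"""
import ipaddress
import re

R1_CONFIG = """
[R1-ip-pool-a]network 192.168.1.0 mask 27
[R1-ip-pool-a]gateway-list 192.168.1.1
[R1-ip-pool-b]network 192.168.1.32 mask 27
[R1-ip-pool-b]gateway-list 192.168.1.33
[R1-ip-pool-c]network 192.168.1.64 mask 27
[R1-ip-pool-c]gateway-list 192.168.1.65
[R1-GigabitEthernet0/0/0.1]ip address 192.168.1.1 27
[R1-GigabitEthernet0/0/0.1]dot1q termination vid 2
[R1-GigabitEthernet0/0/0.2]ip address 192.168.1.33 27
[R1-GigabitEthernet0/0/0.2]dot1q termination vid 3
[R1-GigabitEthernet0/0/0.3]ip address 192.168.1.65 27
[R1-GigabitEthernet0/0/0.3]dot1q termination vid 4
"""

# Constructed: overlapping pools, a gateway that is not the sub-interface
# address, a sub-interface covered by no pool, and one without a VLAN tag.
BROKEN_CONFIG = """
[R1-ip-pool-a]network 192.168.1.0 mask 27
[R1-ip-pool-a]gateway-list 192.168.1.1
[R1-ip-pool-b]network 192.168.1.0 mask 26
[R1-ip-pool-b]gateway-list 192.168.1.33
[R1-GigabitEthernet0/0/0.1]ip address 192.168.1.2 27
[R1-GigabitEthernet0/0/0.1]dot1q termination vid 2
[R1-GigabitEthernet0/0/0.2]ip address 192.168.1.97 27
"""

# VRP prompt format: [device-context]command, e.g. [R1-ip-pool-a]network ...
PROMPT = re.compile(r"^\[[^\]-]+-(?P<ctx>[^\]]+)\](?P<cmd>.+)$")


def parse(config):
    """Return ({pool: {"network", "gateway"}}, {subif: {"address", "vid"}})."""
    pools, subifs = {}, {}
    for line in config.strip().splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue                      # e.g. "[R1]dhcp enable" has no context
        ctx, words = m["ctx"], m["cmd"].split()
        if ctx.startswith("ip-pool-"):
            pool = pools.setdefault(ctx[len("ip-pool-"):], {})
            if words[0] == "network":     # network <addr> mask <len>
                pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
            elif words[0] == "gateway-list":
                pool["gateway"] = ipaddress.ip_address(words[1])
        elif "." in ctx:                  # a sub-interface such as GigabitEthernet0/0/0.1
            subif = subifs.setdefault(ctx, {})
            if words[:2] == ["ip", "address"]:   # ip address <addr> <len>
                subif["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[:2] == ["dot1q", "termination"]:
                subif["vid"] = int(words[3])
    return pools, subifs


def check(config):
    """Return the list of problems found; an empty list means the plan is consistent."""
    pools, subifs = parse(config)
    problems = []
    names = sorted(pools)
    for i, a in enumerate(names):
        if pools[a]["gateway"] not in pools[a]["network"]:
            problems.append(f"pool {a}: gateway {pools[a]['gateway']} is outside {pools[a]['network']}")
        for b in names[i + 1:]:
            if pools[a]["network"].overlaps(pools[b]["network"]):
                problems.append(f"pools {a} and {b} overlap ({pools[a]['network']} / {pools[b]['network']})")
    for ifname, subif in subifs.items():
        if "vid" not in subif:
            problems.append(f"{ifname}: no 'dot1q termination vid', tagged frames are not terminated here")
        addr = subif["address"]
        # pool selection: the most specific pool whose network contains the interface address
        matching = [n for n in names if addr.ip in pools[n]["network"]]
        if not matching:
            problems.append(f"{ifname}: {addr} lies in no pool, 'dhcp select global' has nothing to hand out")
            continue
        best = max(matching, key=lambda n: pools[n]["network"].prefixlen)
        if pools[best]["gateway"] != addr.ip:
            problems.append(f"{ifname}: pool {best} hands out gateway {pools[best]['gateway']} "
                            f"but the sub-interface address is {addr.ip}")
    return problems


if __name__ == "__main__":
    print("R1 plan:", check(R1_CONFIG) or "consistent")
    for problem in check(BROKEN_CONFIG):
        print("broken plan:", problem)
```

Run it before re-planning subnets, as problem 2 below required: every finding corresponds to a client that either gets no lease or gets a gateway it cannot reach.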
Problems encountered during the assignment and how they were solved:
1. After R2 had a default route to the external network, R1's routing table still had no entry towards the external network.
Configure a default route on R1 as well, but watch out for the routing black hole.
2. I first did the subnet planning and DHCP assignment; after dividing the VLANs, R1 and R2 could not ping the PCs in their own broadcast domains.
It turned out that after the VLAN division, R1's g0/0/0 interface had 3 broadcast domains instead of 1, and R2's g0/0/1 interface likewise had 2,
so DHCP failed to hand out addresses (discovered after restarting all devices; the subnets had to be re-planned, so I redid it).
3. When first done, PC1 could not ping PC5 (requirement 5); after finishing requirement 6, PC1 could ping PC5.
A successful ping means the ACL had stopped working, for the following reason:
after Easy IP is configured, PC1's intranet IP is translated to the single public IP 2.1, while the ACL denies 1.30 towards 3.3, so it no longer matches; the ACL had to be moved from the external ISP router to R1, blocking PC1 from the start so that it cannot ping PC5.
4. When test-2 first tried to log in to the Telnet server it could not, and could not ping it either (the basics are the easiest to forget).
The routing table had no entry to reach the Telnet server, so a default route was added.
5. After configuring acl 3000 to restrict test-2, test-2 could still log in to the Telnet server via Telnet.
It turned out that two ACLs cannot be applied on one interface at the same time (this was before problem 3 was found: the acl 3000 rule denying PC1 to PC5 was still on the ISP, written both inbound and outbound), so acl 3000 was placed on the ISP's interface g0/0/0 inbound and g0/0/1 outbound.