1. Lab topology and requirements
2. Overall IP plan (as used in the commands below)
   AR1 VLAN 2: 192.168.1.64/27, gateway 192.168.1.65; AR1 VLAN 3: 192.168.1.96/27, gateway 192.168.1.97
   AR2 VLAN 2: 192.168.1.128/27, gateway 192.168.1.129; AR2 VLAN 3: 192.168.1.160/27, gateway 192.168.1.161
   AR1-AR2 link: 192.168.1.0/30 (AR1 .1, AR2 .2); AR2-ISP link: 12.1.1.0/24 (AR2 .1, ISP .2); ISP outside: 1.1.1.0/24 (ISP .1)
   Internal HTTP server: 192.168.1.100 (AR1 VLAN 3); OSPF router IDs: AR1 1.1.1.1, AR2 2.2.2.2
3. Solution
4. Configuration commands for each step
Part 1. Basic configuration
1. Switches
1) Create the VLANs, put the access ports into them, create the trunk uplinks, and set the HTTP server's IP (192.168.1.100 inside AR1's VLAN 3 subnet 192.168.1.96/27; it is set on the server itself and does not appear in the commands below)
LSW1 (the Ethernet0/0/x lines after each port-group command are the switch echoing that command to every member port)
[sw1]vlan batch 2 to 3
[sw1]port-group group-member e0/0/1 to e0/0/2
[sw1-port-group]port link-type access
[sw1-Ethernet0/0/1]port link-type access
[sw1-Ethernet0/0/2]port link-type access
[sw1-port-group]port default vlan 2
[sw1-Ethernet0/0/1]port default vlan 2
[sw1-Ethernet0/0/2]port default vlan 2
[sw1-port-group]quit
[sw1]interface e0/0/3
[sw1-Ethernet0/0/3]port link-type access
[sw1-Ethernet0/0/3]port default vlan 3
[sw1]interface g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
LSW2
[sw2]vlan batch 2 to 3
[sw2]interface e0/0/1
[sw2-Ethernet0/0/1]port link-type access
[sw2-Ethernet0/0/1]port default vlan 2
[sw2-Ethernet0/0/1]interface e0/0/2
[sw2-Ethernet0/0/2]port link-type access
[sw2-Ethernet0/0/2]port default vlan 3
[sw2]interface g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
2. Routers
1) Assign interface IPs, bind each sub-interface to its VLAN (dot1q termination) and give it the gateway address, enable ARP broadcast on the sub-interfaces, and turn on DHCP on the router with one global address pool per VLAN
AR1
[r1]interface g0/0/0.1
[r1-GigabitEthernet0/0/0.1]ip address 192.168.1.65 27
[r1-GigabitEthernet0/0/0.1]interface g0/0/0.2
[r1-GigabitEthernet0/0/0.2]ip address 192.168.1.97 27
[r1-GigabitEthernet0/0/0.2]interface g0/0/1
[r1-GigabitEthernet0/0/1]ip address 192.168.1.1 30
[r1]interface g0/0/0.1
[r1-GigabitEthernet0/0/0.1]dot1q termination vid 2
[r1-GigabitEthernet0/0/0.1]arp broadcast enable
[r1]interface g0/0/0.2
[r1-GigabitEthernet0/0/0.2]dot1q termination vid 3
[r1-GigabitEthernet0/0/0.2]arp broadcast enable
[r1]ip pool v2
[r1-ip-pool-v2]network 192.168.1.64 mask 255.255.255.224
[r1-ip-pool-v2]gateway-list 192.168.1.65
[r1-ip-pool-v2]dns-list 114.114.114.114
[r1]ip pool v3
[r1-ip-pool-v3]network 192.168.1.96 mask 255.255.255.224
[r1-ip-pool-v3]gateway-list 192.168.1.97
[r1-ip-pool-v3]dns-list 114.114.114.114
[r1]dhcp enable
[r1]interface g0/0/0.1
[r1-GigabitEthernet0/0/0.1]dhcp select global
[r1-GigabitEthernet0/0/0.1]interface g0/0/0.2
[r1-GigabitEthernet0/0/0.2]dhcp select global
AR2
[r2]interface g0/0/0.1
[r2-GigabitEthernet0/0/0.1]ip address 192.168.1.129 27
[r2-GigabitEthernet0/0/0.1]interface g0/0/0.2
[r2-GigabitEthernet0/0/0.2]ip address 192.168.1.161 27
[r2-GigabitEthernet0/0/0.2]interface g0/0/1
[r2-GigabitEthernet0/0/1]ip address 192.168.1.2 30
[r2-GigabitEthernet0/0/1]interface g0/0/2
[r2-GigabitEthernet0/0/2]ip address 12.1.1.1 24
[r2]interface g0/0/0.1
[r2-GigabitEthernet0/0/0.1]dot1q termination vid 2
[r2-GigabitEthernet0/0/0.1]arp broadcast enable
[r2]interface g0/0/0.2
[r2-GigabitEthernet0/0/0.2]dot1q termination vid 3
[r2-GigabitEthernet0/0/0.2]arp broadcast enable
[r2]ip pool v2
[r2-ip-pool-v2]network 192.168.1.128 mask 255.255.255.224
[r2-ip-pool-v2]gateway-list 192.168.1.129
[r2-ip-pool-v2]dns-list 114.114.114.114
[r2]ip pool v3
[r2-ip-pool-v3]network 192.168.1.160 mask 255.255.255.224
[r2-ip-pool-v3]gateway-list 192.168.1.161
[r2-ip-pool-v3]dns-list 114.114.114.114
[r2]dhcp enable
[r2]interface g0/0/0.1
[r2-GigabitEthernet0/0/0.1]dhcp select global
[r2-GigabitEthernet0/0/0.1]interface g0/0/0.2
[r2-GigabitEthernet0/0/0.2]dhcp select global
ISP: configure the interface IPs; the external PC's address is set manually (in 1.1.1.0/24 with 1.1.1.1 as its gateway)
[ISP]interface g0/0/0
[ISP-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[ISP-GigabitEthernet0/0/0]interface g0/0/1
[ISP-GigabitEthernet0/0/1]ip address 12.1.1.2 24
Part 2. Meeting the requirements
1. Basic OSPF configuration
1) Enable OSPF, divide the internal network into three areas (which makes route summarization possible), advertise each interface into its area, and let the routers form adjacencies
AR1
[r1]ospf 1 router-id 1.1.1.1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 192.168.1.1 0.0.0.0
[r1-ospf-1-area-0.0.0.0]q
[r1-ospf-1]area 1
[r1-ospf-1-area-0.0.0.1]network 192.168.1.65 0.0.0.0
[r1-ospf-1-area-0.0.0.1]network 192.168.1.97 0.0.0.0
AR2
[r2]ospf 1 router-id 2.2.2.2
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]network 192.168.1.2 0.0.0.0
[r2-ospf-1]area 2
[r2-ospf-1-area-0.0.0.2]network 192.168.1.129 0.0.0.0
[r2-ospf-1-area-0.0.0.2]network 192.168.1.161 0.0.0.0
2. OSPF tuning (extended configuration)
1) Summarize area 1 and area 2 at the ABRs, make the sub-interfaces silent (no OSPF Hellos toward the hosts), and authenticate OSPF between the routers (security)
AR1
[r1-ospf-1]area 1
[r1-ospf-1-area-0.0.0.1]abr-summary 192.168.1.64 255.255.255.192
[r1-ospf-1]silent-interface g0/0/0.1
[r1-ospf-1]silent-interface g0/0/0.2
AR2
[r2-ospf-1]area 2
[r2-ospf-1-area-0.0.0.2]abr-summary 192.168.1.128 255.255.255.192
[r2-ospf-1]silent-interface g0/0/0.1
[r2-ospf-1]silent-interface g0/0/0.2
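The heading above calls for interface authentication between the routers, but the original lists no commands for it. The following is an added example, not part of the original lab: it enables MD5 authentication on the area 0 link between AR1 and AR2 and then verifies that the adjacency re-forms. The key ID (1) and the key string Ospf-Link-Key1 are assumptions; both must be identical on the two ends.

```text
[r1]interface g0/0/1
[r1-GigabitEthernet0/0/1]ospf authentication-mode md5 1 cipher Ospf-Link-Key1
[r1-GigabitEthernet0/0/1]quit

[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]ospf authentication-mode md5 1 cipher Ospf-Link-Key1
[r2-GigabitEthernet0/0/1]quit

[r1]display ospf peer brief
[r1]display ospf routing
[r1]display ip routing-table protocol ospf
```

As soon as the first router is configured, the neighbor drops, because its Hellos are no longer accepted by the other side; it comes back once the second router carries the same key ID and key, and display ospf peer brief should then show neighbor 2.2.2.2 in state Full again. The routing table on AR1 should show the 192.168.1.128/26 summary learned from AR2 (and, after the NAT section, the default route AR2 injects). MD5 is used here because it is available on every VRP release; use a stronger mode if the platform offers one.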
3. ACL and NAT configuration
1) Create a Telnet user on R1 and enable Telnet (Telnet carries the credentials in cleartext and 123456 is a trivially guessable password; acceptable only inside a lab)
[r1]aaa
[r1-aaa]local-user htxlmx privilege level 15 password cipher 123456
Info: Add a new user.
[r1-aaa]local-user htxlmx service-type telnet
[r1-aaa]quit
[r1]user-interface vty 0
[r1-ui-vty0]authentication-mode aaa
2) A router acts as the PC and obtains an address via DHCP
[PC1]dhcp enable
[PC1]interface g0/0/0
[PC1-GigabitEthernet0/0/0]ip address dhcp-alloc
3) Write an advanced ACL that denies Telnet from PC1 to every interface address of R1; everything else is permitted by default. A Telnet session to any of R1's three addresses lands on the same VTY lines, so all three must be listed. Under traffic-filter, packets that match no rule are permitted, so no explicit permit rule is needed. Note that 192.168.1.94 is the lease PC1 obtained from pool v2; if PC1 is later given a different address the rule stops matching.
[r1]acl 3000
[r1-acl-adv-3000]rule deny tcp source 192.168.1.94 0 destination 192.168.1.1 0 destination-port eq 23
[r1-acl-adv-3000]rule deny tcp source 192.168.1.94 0 destination 192.168.1.65 0 destination-port eq 23
[r1-acl-adv-3000]rule deny tcp source 192.168.1.94 0 destination 192.168.1.97 0 destination-port eq 23
4) Apply the advanced ACL inbound on the sub-interface PC1 hangs off (VLAN 2 on R1)
[r1-GigabitEthernet0/0/0]interface g0/0/0.1
[r1-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000
5) The border router advertises a default route into OSPF for the internal routers, and itself gets a static default route pointing to the ISP
[r2]ospf 1
[r2-ospf-1]default-route-advertise always
[r2]ip route-static 0.0.0.0 0 12.1.1.2
6) NAT (one-to-many): all internal addresses reach the Internet through the border router. The basic ACL defines which source addresses are translated; it is bound to the outside interface in step 7
[r2]acl 2000
[r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
7) NAT (port mapping): let the outside reach the internal HTTP server (port 80). If mapping to a separate global address produces an error, use the interface-address mapping shown here. With a DNS server on the outside resolving a name to the public address, external hosts can reach the internal server by domain name (the DNS server configuration is not shown)
[r2]interface g0/0/2
[r2-GigabitEthernet0/0/2]nat outbound 2000
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 80 inside 192.168.1.100 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
8) NAT (port mapping): let outside devices Telnet (port 23) to the internal router R1 (same interface-address mapping as in step 7)
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 23 inside 192.168.1.1 23
Warning:The port 23 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
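The mapping above exposes R1's cleartext Telnet, protected only by the password 123456, to the whole Internet, and the ACL in step 3 filters a single DHCP-assigned source address. The following is an added hardening example, not part of the original lab: it replaces Telnet with SSH (STelnet) on AR1, limits the VTY lines to an assumed management subnet with a basic ACL, and withdraws the port-23 mapping on AR2. The management subnet 192.168.1.96/27 (AR1's VLAN 3), the ACL number 2001, the 2048-bit key size chosen at the prompt, and the password are assumptions.

```text
[r1]rsa local-key-pair create
[r1]stelnet server enable
[r1]aaa
[r1-aaa]local-user htxlmx password cipher Lab-Mgmt-Passw0rd!
[r1-aaa]local-user htxlmx privilege level 15
[r1-aaa]local-user htxlmx service-type ssh
[r1-aaa]quit
[r1]ssh user htxlmx authentication-type password
[r1]ssh user htxlmx service-type stelnet
[r1]acl 2001
[r1-acl-basic-2001]rule 5 permit source 192.168.1.96 0.0.0.31
[r1-acl-basic-2001]rule 10 deny
[r1-acl-basic-2001]quit
[r1]user-interface vty 0 4
[r1-ui-vty0-4]authentication-mode aaa
[r1-ui-vty0-4]protocol inbound ssh
[r1-ui-vty0-4]acl 2001 inbound
[r1-ui-vty0-4]quit

[r2]interface g0/0/2
[r2-GigabitEthernet0/0/2]undo nat server protocol tcp global current-interface 23 inside 192.168.1.1 23
[r2-GigabitEthernet0/0/2]quit
[r2]display nat server
```

After this, the account can only log in over SSH (the service-type line replaces the telnet service type set in step 1), the VTY lines accept connections only from 192.168.1.96/27, and display nat server on AR2 should list only the port-80 mapping. If remote administration from the Internet is really required, map an SSH port instead of 23 and keep the VTY ACL in place; the NAT translation does not change the source address R1 sees for an outside client, so the ACL still decides.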
9) Add a null-interface route on the border router so that the OSPF summary cannot form a routing loop with the default route (a black hole for the summarized prefix). The two /27 subnets fill 192.168.1.128/26 completely, so this route only takes effect when one of AR2's sub-interfaces goes down while the summary is still advertised; AR1 needs the matching route for 192.168.1.64 26 for the same reason, otherwise traffic for a failed VLAN bounces between AR1 and AR2 until its TTL expires.
[r2]ip route-static 192.168.1.128 26 NULL 0
All lab requirements are met and the whole network is reachable; end of lab.