HCIA--综合实验（超详细）

要求：

1. 使用172.16.0.0/16划分网络

2.使用ospf协议合理规划区域保证更新安全

3.加快收敛速度

4. r1为DR没有BDR

5.PC2，3，4，5自动获取IP地址；PC1为外网，PC要求可用互相访问

6.r7为运营商，只能配IP地址

7.PC1远程登陆r7实际登陆r4

8.PC4可以ping通r6但不能登陆r6

9.PC3可以ping通PC5，但PC5不能ping通PC3

1. 使用172.16.0.0/16划分网络

area 0: 172.16.0.0/18

area 1:172.16.64.0/18

area 2:172.16.128.0/18

area 3:172.16.192.0/18

配置环回以及接口IP地址：

R1ip地址配置：
[R1]int l0
[R1-LoopBack0]ip add 1.1.1.1 24
[R1-LoopBack0]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 172.16.64.2 18
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 172.16.0.1 18

R2:
[R2]int l0
[R2-LoopBack0]ip add 2.2.2.2 24
[R2-LoopBack0]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 172.16.0.2 18
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 172.16.128.2 18

R3:
[R3]int l0
[R3-LoopBack0]ip add 3.3.3.3 24
[R3-LoopBack0]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 172.16.0.3 18
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 172.16.192.1 18

R4:
[R4]int l0
[R4-LoopBack0]ip add 4.4.4.4 24
[R4-LoopBack0]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 172.16.192.2 18
[R4-GigabitEthernet0/0/1]int g0/0/1.1
[R4-GigabitEthernet0/0/1.1]ip add 192.168.3.1 24
[R4-GigabitEthernet0/0/1.1]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]ip add 192.168.4.1 24

R6:
[R6]int l0
[R6-LoopBack0]ip add 6.6.6.6 24
[R6-LoopBack0]int g0/0/0
[R6-GigabitEthernet0/0/0]ip add 10.1.1.2 24
[R6-GigabitEthernet0/0/0]int g0/0/1
[R6-GigabitEthernet0/0/1]ip add 172.16.64.1 18

R7:
[R7]int l0
[R7-LoopBack0]ip add 7.7.7.7 24
[R7-LoopBack0]int g0/0/0
[R7-GigabitEthernet0/0/0]ip add 10.1.1.1 24
[R7-GigabitEthernet0/0/0]int g0/0/1
[R7-GigabitEthernet0/0/1]ip add 11.1.1.2 24

R8:
[R8]int l0
[R8-LoopBack0]ip add 8.8.8.8 24
[R8-LoopBack0]int g0/0/0
[R8-GigabitEthernet0/0/0]ip add 172.16.128.1 18
[R8-GigabitEthernet0/0/0]int g0/0/1.1
[R8-GigabitEthernet0/0/1.1]ip add 192.168.1.1 24
[R8-GigabitEthernet0/0/1.1]int g0/0/1.2
[R8-GigabitEthernet0/0/1.2]ip add 192.168.2.1 24

2.使用ospf协议合理规划区域保证更新安全

R1配置ospf:
[R1]ospf 100 router-id 1.1.1.1
[R1-ospf-100]a 0
[R1-ospf-100-area-0.0.0.0]netw 1.1.1.1 0.0.0.0
[R1-ospf-100-area-0.0.0.0]netw 172.16.0.0 0.0.255.255
[R1-ospf-100-area-0.0.0.0]area 1
[R1-ospf-100-area-0.0.0.1]netw 172.16.64.2 0.0.0.0
保证更新安全，做区域明文认证：
[R1-ospf-100-area-0.0.0.0]authentication-mode simple cipher 123
[R1-ospf-100-area-0.0.0.0]a 1
[R1-ospf-100-area-0.0.0.1]authentication-mode simple cipher 123
 
R2:
[R2]ospf 100 router-id 2.2.2.2
[R2-ospf-100]a 0
[R2-ospf-100-area-0.0.0.0]netw 2.2.2.2 0.0.0.0
[R2-ospf-100-area-0.0.0.0]net 172.16.0.2 0.0.0.0
[R2-ospf-100-area-0.0.0.0]area 2
[R2-ospf-100-area-0.0.0.2]netw 172.16.128.2 0.0.0.0
区域认证：
[R2-ospf-100-area-0.0.0.0]authentication-mode simple cipher 123
[R2-ospf-100-area-0.0.0.0]a 2
[R2-ospf-100-area-0.0.0.2]authentication-mode simple cipher 123

R3:
[R3]ospf 100 router-id 3.3.3.3
[R3-ospf-100]a 0
[R3-ospf-100-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-100-area-0.0.0.0]net 172.16.0.3 0.0.0.0
[R3-ospf-100-area-0.0.0.0]area 3
[R3-ospf-100-area-0.0.0.3]netw 172.16.192.1 0.0.0.0
区域认证：
[R3-ospf-100-area-0.0.0.0]authentication-mode simple cipher 123
[R3-ospf-100-area-0.0.0.3]authentication-mode simple cipher 123

R4:
[R4]ospf 100 router-id 4.4.4.4
[R4-ospf-100]a 3
[R4-ospf-100-area-0.0.0.3]netw 4.4.4.4 0.0.0.0
[R4-ospf-100-area-0.0.0.3]netw 172.16.192.2 0.0.0.0
区域认证：
[R4-ospf-100-area-0.0.0.3]authentication-mode simple cipher 123

R6:[R6]ospf 100 router-id 6.6.6.6
[R6-ospf-100]a 1
[R6-ospf-100-area-0.0.0.1]netw 6.6.6.6 0.0.0.0
[R6-ospf-100-area-0.0.0.1]netw 172.16.64.1 0.0.0.0
区域认证：
[R6-ospf-100-area-0.0.0.1]authentication-mode simple cipher 123

R8:
[R8]ospf 100 router-id 8.8.8.8
[R8-ospf-100]a 2
[R8-ospf-100-area-0.0.0.2]netw 8.8.8.8 0.0.0.0
[R8-ospf-100-area-0.0.0.2]netw 172.16.128.1 0.0.0.0
区域认证：
[R8-ospf-100-area-0.0.0.2]authentication-mode simple cipher 123

3.加快收敛速度

R1:
[R1-GigabitEthernet0/0/0]ospf timer hello 5
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ospf timer hello 5

R2:
[R2-GigabitEthernet0/0/0]ospf timer hello 5
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ospf timer hello 5

R3:
[R3-GigabitEthernet0/0/0]ospf timer hello 5
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ospf timer hello 5

R4:
[R4-GigabitEthernet0/0/0]ospf timer hello 5

R6:
[R6-GigabitEthernet0/0/1]ospf timer hello 5

R8:
[R8-GigabitEthernet0/0/0]ospf timer hello 5

4. r1为DR没有BDR

R2:
[R2-GigabitEthernet0/0/0]ospf dr-priority 0

R3:
[R3-GigabitEthernet0/0/0]ospf dr-priority 0

R6:
[R6-GigabitEthernet0/0/1]ospf dr-priority 0

5.PC2，3，4，5自动获取IP地址；

SW2:
[SW2]vlan batch 2 3
[SW2]int e0/0/1
[SW2-Ethernet0/0/1]p l a
[SW2-Ethernet0/0/1]p d v 2
[SW2-Ethernet0/0/1]int e0/0/2
[SW2-Ethernet0/0/2]p l a
[SW2-Ethernet0/0/2]p d v 3
[SW2-Ethernet0/0/2]int e0/0/3
[SW2-Ethernet0/0/3]p l t
[SW2-Ethernet0/0/3]p t a v 2 3

SW3:
[SW3]vlan batch 2 to 3
[SW3-Ethernet0/0/1]p l a
[SW3-Ethernet0/0/1]p d v 2
[SW3-Ethernet0/0/1]int e0/0/2
[SW3-Ethernet0/0/2]p l a
[SW3-Ethernet0/0/2]p d v 3
[SW3-Ethernet0/0/2]int e0/0/3
[SW3-Ethernet0/0/3]p l t
[SW3-Ethernet0/0/3]p t a v 2 3

虚拟子接口+dhcp配置：

R8:
[R8]dhcp enable 
[R8]ip pool 1
[R8-ip-pool-1]netw 192.168.1.0 ma 255.255.255.0
[R8-ip-pool-1]gateway-list 192.168.1.1
[R8-ip-pool-1]dns-list 8.8.8.8
[R8-ip-pool-1]int g0/0/1.1	
[R8-GigabitEthernet0/0/1.1]dhcp select global 
[R8-GigabitEthernet0/0/1.1]dot1q termination vid 2
[R8-GigabitEthernet0/0/1.1]arp broadcast enable 
[R8]ip pool 2
[R8-ip-pool-2]netw 192.168.2.0 ma 24
[R8-ip-pool-2]gateway-list 192.168.2.1
[R8-ip-pool-2]dns-list 8.8.8.8
[R8-ip-pool-2]int g0/0/1.2	
[R8-GigabitEthernet0/0/1.2]dhcp select global 	
[R8-GigabitEthernet0/0/1.2]dot1q termination vid 3
[R8-GigabitEthernet0/0/1.2]arp broadcast en

R4:
[R4]ip pool 1
[R4-ip-pool-1]netw 192.168.3.0 ma 24
[R4-ip-pool-1]gateway-list 192.168.3.1	
[R4-ip-pool-1]dns-list 8.8.8.8
[R4-ip-pool-1]int g0/0/1.1
[R4-GigabitEthernet0/0/1.1]dhcp se global
[R4-GigabitEthernet0/0/1.1]dot1q termination v 2
[R4-GigabitEthernet0/0/1.1]arp broadcast en
[R4]ip pool 2
[R4-ip-pool-2]netw 192.168.4.0 ma 24
[R4-ip-pool-2]gateway-list 192.168.4.1	
[R4-ip-pool-2]dns-list 8.8.8.8
[R4-ip-pool-2]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]dhcp se global
[R4-GigabitEthernet0/0/1.2]dot1q termination vid 3
[R4-GigabitEthernet0/0/1.2]arp  broadcast enable

PC1为外网，PC要求可互相访问

PC1静态IP地址：11.1.1.1/24，网关：11.1.1.2

R4发布PC的路由信息到ospf中:
[R4-ospf-100]import-route direct

R8:
[R8-ospf-100]import-route direct 

R6下放缺省，做NAT:
[R6]ip route-static 0.0.0.0 0 10.1.1.1
[R6]ospf 100 
[R6-ospf-100]default-route-advertise
[R6]acl 2000
[R6-acl-basic-2000]rule permit source any 
[R6-acl-basic-2000]int g0/0/0
[R6-GigabitEthernet0/0/0]nat outbound 2000
[R6]ip route-static 11.1.1.0 24 10.1.1.1

测试：

PC2pingPC1:

6.PC1远程登陆r7实际登陆r4

由于PC1没有telnet功能，所以换成R7远程登陆R6，实际登陆R4

R6上做telnet转换：
[R6-GigabitEthernet0/0/0]nat server protocol tcp global 10.1.1.3 telnet inside 4
.4.4.4 telnet 

R4上配置远程登陆：
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode password 
Please configure the login password (maximum length 16):

测试：

7.PC4可以ping通r6但不能登陆r6

R6:
[R6]user-interface vty 0 4
[R6-ui-vty0-4]authentication-mode password 
Please configure the login password (maximum length 16):
acl 3000 阻止远程登陆：
[R3-acl-adv-3000]rule deny tcp source 172.16.192.2 0.0.0.0 destination 172.16.64.1 0.0.0.0 destination-port eq telnet 
[R3-acl-adv-3000]int g0/0/1
[R3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

测试：

8.PC3可以ping通PC5，但PC5不能ping通PC3

R8:
[R8-acl-adv-3000]rule deny icmp source 192.168.2.254 0.0.0.0 destination 192.168
.4.254 0.0.0.0 icmp-type echo-reply
[R8-acl-adv-3000]int G0/0/1
[R8-GigabitEthernet0/0/1]traffic-filter inbound acl 3000