一实验要求
HCIA综合实验的配置要求:
1.ISP路由器只能配置IP地址,之后不进行任何配置
2.内部整个网络基于192.168.1.0/24进行地址划分
3.R1/2之间启动OSPF协议,单区域
4.PC1-4自动获取IP地址
5.PC1-4,可以访问PC5,R2的公网接口只有一个公用IP地址12.1.1.1
6.外部的client可以通过IP访问http服务
7.ISP路由telnet12.1.1.1,最终成功登录到R1上
拓扑图:
本次所使用到的技术有:划分IP地址、划分VLAN、DHCP、单臂路由、OSPF、AAA、ACL、NAT、默认路由。
HTTP
DNS
Client1
二、实验命令及步骤
划分IP地址的命令
R1命令:
interface G0/0/0
ip address 192.168.1.1 255.255.255.252
R2命令:
interface G0/0/0
ip address 192.168.1.2 255.255.255.252
interface G0/0/1
ip address 12.1.1.1 255.255.255.0
ISP命令:
interface G0/0/0
ip address 12.1.1.2 255.255.255.0
interface G0/0/1
ip address 3.3.3.1 255.255.255.0
划分VLAN的命令
LSW1:
vlan batch 2 to 3 //创建vlan2-3
interface E0/0/1
port link-type access //接口模式为access
port default vlan 2 //接口划入vlan2
interface E0/0/2
port link-type access
port default vlan 2
interface E0/0/3
port link-type access
port default vlan 3
interface G0/0/1 //接口模式为trunk
port link-type trunk
port trunk allow-pass vlan 2 to 3
LSW2:
vlan batch 2 to 3
interface E0/0/1
port link-type access
port default vlan 2
interface E0/0/2
port link-type access
port default vlan 3
interface G0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
DHCP和单臂路由命令
R1命令:
dhcp enable //开启dhcp服务
ip pool v2 //创建IP地址池塘
gateway-list 192.168.1.65 //配置网关地址
network 192.168.1.64 mask 255.255.255.224 //配置地址池
dns-list 114.114.114.114 8.8.8.8 //配置分配的DNS服务器地址
ip pool v3
gateway-list 192.168.1.97
network 192.168.1.96 mask 255.255.255.224
dns-list 114.114.114.114 8.8.8.8
interface G0/0/1.1 //进入子接口(单臂路由)
dot1q termination vid 2 //服务vlan2
arp broadcast enable //开启ARP应答
ip address 192.168.1.65 255.255.255.224 //配置IP地址
dhcp select global //开启dhcp服务
interface G0/0/1.2
dot1q termination vid 3
arp broadcast enable
ip address 192.168.1.97 255.255.255.224
dhcp select global
R2命令:
dhcp enable
ip pool v2
gateway-list 192.168.1.129
network 192.168.1.128 mask 255.255.255.224
dns-list 114.114.114.114 8.8.8.8
ip pool v3
gateway-list 192.168.1.161
network 192.168.1.160 mask 255.255.255.224
dns-list 114.114.114.114 8.8.8.8
interface G0/0/2.1
dot1q termination vid 2
ip address 192.168.1.129 255.255.255.224
arp broadcast enable
dhcp select global
interface G0/0/2.2
dot1q termination vid 3
ip address 192.168.1.161 255.255.255.224
arp broadcast enable
dhcp select global
DHCP的实验测试:
OSPF
R1命令:
ospf 1 router-id 1.1.1.1 //开启ospf协议,给定router-id 1.1.1.1
area 0.0.0.0 //进入区域0
network 192.168.1.0 0.0.0.255 //宣告网段
interface G0/0/0
ospf authentication-mode md5 1 cipher xiaoli123 //在与邻居相连接口上做认证,保障安全
R2命令:
ospf 1 router-id 2.2.2.2
default-route-advertise always
area 0.0.0.0
network 192.168.1.0 0.0.0.255
interface G0/0/0
ospf authentication-mode md5 1 cipher xiaoli123
AAA和ACL命令
R1命令:
aaa
local-user xiaoli password cipher xiaoli123 //通过aaa创建账户
local-user xiaoli service-type telnet //账户对应的服务为telnet
local-user xiaoli privilege level 15 //账户权限1-15,15为最高等级
user-interface vty 0 4 //用于telnet的接口
authentication-mode aaa //接口上调用账户
acl number 3000 //开启ACL 编号为3000
rule 5 deny tcp source 192.168.1.94 0 destination 192.168.1.65 0 destination-port eq telnet //拒绝IP地址为192.168.1.94对192.168.1.65的telnet请求
rule 10 deny tcp source 192.168.1.94 0 destination 192.168.1.97 0 destination-port eq telnet //拒绝IP地址为192.168.1.94对192.168.1.97的telnet请求
rule 10 deny tcp source 192.168.1.94 0 destination 192.168.1.1 0 destination-port eq telnet //拒绝IP地址为192.168.1.94对192.168.1.1的telnet请求
interface G0/0/1.1
traffic-filter inbound acl 3000 //接口上调用ACL
实验测试:
NAT和ACL、默认路由命令
R2命令:
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255 //抓取来自192.168.1.0-255的流量,用于nat地址转换
interface G0/0/1
nat outbound 2000 //在连接外网的接口上启用nat,1对多nat,用来访问外网
nat static protocol tcp global current-interface www inside 192.168.1.98 www netmask 255.255.255.255 //1对1nat,用于固定某一服务所对应的IP地址
nat static protocol tcp global current-interface telnet inside 192.168.1.1 telnet netmask 255.255.255.255
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 //未知的IP地址下一跳为12.1.1.2
实验测试:
