十五 HCIA综合实验
15.1 IP规划
#内网分配网段192.168.1.0 24 #内网包括骨干链路和两个用户网段,素以需要划分三个,借两位就够用了 192.168.1.0 26--骨干 192.168.1.64 26---R1下网络 192.168.1.128 26---R2下网络 192.168.1.192 26--备用 192.168.1.64 26---R1下网络:划分三个,借两位 192.168.1.64 28--vlan 2 192.168.1.80 28--vlan 3 192.168.1.96 28--vlan 4 192.168.1.112 28--备用 192.168.1.128 26---R2下网络:划分两个,借一位 192.168.1.128 27--vlan 2 192.168.1.160 27--vlan 3
# 外网 R2-ISP之间:网段:202.1.1.0 30 ISP下方网络:网段:203.1.1.0 24
15.2 内网的路由交换配置
15.2.1 交换机的配置
#sw1的配置 [sw1]vlan batch 2 to 4 [sw1]int g 0/0/2 [sw1-GigabitEthernet0/0/2]port link-type access [sw1-GigabitEthernet0/0/2]port default vlan 2 [sw1-GigabitEthernet0/0/2]int g 0/0/3 [sw1-GigabitEthernet0/0/3]port link-type access [sw1-GigabitEthernet0/0/3]port default vlan 3 [sw1-GigabitEthernet0/0/3]int g 0/0/4 [sw1-GigabitEthernet0/0/4]port link-type access [sw1-GigabitEthernet0/0/4]port default vlan 4 [sw1]int g 0/0/1 [sw1-GigabitEthernet0/0/1]port link-type trunk [sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 4
#sw2配置 [sw2]vlan batch 2 to 3 [sw2]int g 0/0/2 [sw2-GigabitEthernet0/0/2]port link-type access [sw2-GigabitEthernet0/0/2]port default vlan 2 [sw2-GigabitEthernet0/0/2]int g 0/0/3 [sw2-GigabitEthernet0/0/3]port link-type access [sw2-GigabitEthernet0/0/3]port default vlan 3 [sw2-GigabitEthernet0/0/3]int g 0/0/1 [sw2-GigabitEthernet0/0/1]port link-type trunk [sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
15.2.2 路由器的配置
配置接口IP地址
# AR1上的接口IP地址 [r1]int g 0/0/1 [r1-GigabitEthernet0/0/1]ip add 192.168.1.1 26 [r1]int g 0/0/0.1 [r1-GigabitEthernet0/0/0.1]ip add 192.168.1.65 28 [r1-GigabitEthernet0/0/0.1]dot1q termination vid 2 [r1-GigabitEthernet0/0/0.1]arp broadcast enable [r1-GigabitEthernet0/0/0.1]q [r1]int g 0/0/0.2 [r1-GigabitEthernet0/0/0.2]ip add 192.168.1.81 28 [r1-GigabitEthernet0/0/0.2]dot1q termination vid 3 [r1-GigabitEthernet0/0/0.2]arp broadcast enable [r1-GigabitEthernet0/0/0.2]q [r1]int g 0/0/0.3 [r1-GigabitEthernet0/0/0.3]ip add 192.168.1.97 28 [r1-GigabitEthernet0/0/0.3]dot1q termination vid 4 [r1-GigabitEthernet0/0/0.3]arp broadcast enable [r1-GigabitEthernet0/0/0.3]q
# AR2上的接口IP地址 [r2]int g 0/0/1 [r2-GigabitEthernet0/0/1]ip add 192.168.1.2 26 [r2]int g 0/0/0.1 [r2-GigabitEthernet0/0/0.1]ip add 192.168.1.129 27 [r2-GigabitEthernet0/0/0.1]dot1q termination vid 2 [r2-GigabitEthernet0/0/0.1]arp broadcast enable [r2-GigabitEthernet0/0/0.1]int g 0/0/0.2 [r2-GigabitEthernet0/0/0.2]ip add 192.168.1.161 27 [r2-GigabitEthernet0/0/0.2]dot1q termination vid 3 [r2-GigabitEthernet0/0/0.2]arp broadcast enable [r2]int g 0/0/2 [r2-GigabitEthernet0/0/2]ip add 202.1.1.1 30
#配置ISP路由器接口的IP地址 [ISP]int g 0/0/0 [ISP-GigabitEthernet0/0/0]ip add 202.1.1.2 30 [ISP-GigabitEthernet0/0/0]int g 0/0/1 [ISP-GigabitEthernet0/0/1]ip add 203.1.1.1 24
#telnet服务器上接口ip地址 [telnet server]int g 0/0/0 [telnet server-GigabitEthernet0/0/0]ip add 192.168.1.98 28 #测试一路由器上接口ip地址 [test-1]int g 0/0/0 [test-1-GigabitEthernet0/0/0]ip add 203.1.1.2 24 #测试二路由器上接口ip地址 [Huawei]sysname test-2 [test-2]int g 0/0/0 [test-2-GigabitEthernet0/0/0]ip add 203.1.1.3 24
15.3 用动态路由协议OSPF跑通内网路由
[r1]ospf 1 router-id 1.1.1.1 [r1-ospf-1]area 0 [r1-ospf-1-area-0.0.0.0]network 192.168.1.1 0.0.0.0 [r1-ospf-1-area-0.0.0.0]network 192.168.1.65 0.0.0.0 [r1-ospf-1-area-0.0.0.0]network 192.168.1.81 0.0.0.0 [r1-ospf-1-area-0.0.0.0]network 192.168.1.97 0.0.0.0 [r2]ospf 1 router-id 2.2.2.2 [r2-ospf-1]area 0 [r2-ospf-1-area-0.0.0.0]network 192.168.1.2 0.0.0.0 [r2-ospf-1-area-0.0.0.0]network 192.168.1.129 0.0.0.0 [r2-ospf-1-area-0.0.0.0]network 192.168.1.161 0.0.0.0 # 注意:R2的0/0/2接口时外网接口,不需要宣告
# 让底下终端PC设备用DHCP自动获取地址 [r1]dhcp enable [r1]ip pool yuange Info: It's successful to create an IP address pool. [r1-ip-pool-yuange]network 192.168.1.64 mask 28 [r1-ip-pool-yuange]gateway-list 192.168.1.65 [r1-ip-pool-yuange]dns-list 114.114.114.114 8.8.8.8 [r1]ip pool kunge Info: It's successful to create an IP address pool. [r1-ip-pool-kunge]network 192.168.1.80 mask 28 [r1-ip-pool-kunge]gateway-list 192.168.1.81 [r1-ip-pool-kunge]dns-list 114.114.114.114 8.8.8.8 [r1]int g 0/0/0.1 [r1-GigabitEthernet0/0/0.1]dhcp select global [r1]int g 0/0/0.2 [r1-GigabitEthernet0/0/0.2]dhcp select global
[r2]dhcp enable [r2]ip pool zhenjie Info: It's successful to create an IP address pool. [r2-ip-pool-zhenjie]network 192.168.1.128 mask 27 [r2-ip-pool-zhenjie]gateway-list 192.168.1.129 [r2-ip-pool-zhenjie]dns-list 114.114.114.114 [r2]ip pool sbCHZ Info: It's successful to create an IP address pool. [r2-ip-pool-sbCHZ]network 192.168.1.160 mask 27 [r2-ip-pool-sbCHZ]gateway-list 192.168.1.161 [r2-ip-pool-sbCHZ]dns-list 114.114.114.114 8.8.8.8 [r2]int g 0/0/0.1 [r2-GigabitEthernet0/0/0.1]dhcp select global [r2-GigabitEthernet0/0/0.1]int g 0/0/0.2 [r2-GigabitEthernet0/0/0.2]dhcp select global
检测内网的连通性
15.4 写缺省路由
[r2]ip route-static 0.0.0.0 0 202.1.1.2
此时,前四个需求已经完成
15.5 需求五 PC2到PC4可以访问PC5,PC1不行
[r2]acl 2000 [r2-acl-basic-2000]rule per [r2-acl-basic-2000]rule permit sou [r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255 [r2-acl-basic-2000]int g 0/0/2 [r2-GigabitEthernet0/0/2]nat outb [r2-GigabitEthernet0/0/2]nat outbound 2000 [r2]ospf 1 [r2-ospf-1]default-route-advertise # PC5:203.1.1.100
此时,检测PC1到PC4都能通往PC5,现在做一个ACL限制流量
[r1]acl 3000 [r1-acl-adv-3000]rule deny ip source 192.168.1.64 0.0.0.15 destination 203.1.1.1 00 0.0.0.0 [r1-acl-adv-3000]q [r1]int g 0/0/0.1 [r1-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000
15.6 需求六是R2出口只有一个公网IP
前面已经配置过
15.7 test-1设备可以登录内网telnet服务器,test-2不行
15.7.1 开启telnet服务
[telnet server-aaa]local-user chenhaozhensb privilege level 15 password cipher 112301 Info: Add a new user. [telnet server-aaa]local-user chenhaozhensb service-type telnet [telnet server-aaa]q [telnet server]user-interface vty 0 4 [telnet server-ui-vty0-4]authentication-mode aaa
检测,内网设备可以进行telnet远程登录
外网设备想访问内网telnet服务器,必须做端口映射才可以
[r2]int g 0/0/2 [r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface telnet inside 192.168.1.98 telnet Warning:The port 23 is well-known port. If you continue it may cause function fa ilure. Are you sure to continue?[Y/N]:y
但现在用test-1和test-2设备进行测试,测试不通,因为它俩不认识202.1.1.0 30网段
[test-1]ip route-static 202.1.1.1 32 203.1.1.1 [test-2]ip route-static 202.1.1.1 32 203.1.1.1
测试用test-1可以Ping通202.1.1.1,但不能使用telnet服务
<test-1>telnet 192.168.1.98 Press CTRL_] to quit telnet mode Trying 192.168.1.98 ... Error: Can't connect to the remote host
出现上面的原因是:上面用OSPF协议跑通内网的时候,在R1上宣告的是vlan4的路由,并没有telnet服务器的路由
一般情况下:服务器不会加入到动态路由协议中。
上图中:telnet服务器上只有直连网段的路由信息,数据包回不去。所以,在tennet服务器上加一条缺省路由就可以了.
[telnet server]ip route-static 0.0.0.0 0 192.168.1.97
再进行测试:
<test-1>telnet 202.1.1.1 Press CTRL_] to quit telnet mode Trying 202.1.1.1 ... Connected to 202.1.1.1 ... Login authentication Username:chenhaozhensb Password: ----------------------------------------------------------------------------- User last login information: ----------------------------------------------------------------------------- Access Type: Telnet IP-Address : 203.1.1.3 Time : 2025-02-11 14:45:43-08:00 ----------------------------------------------------------------------------- <telnet server> # 现在test-1和test-2都可以telnet
15.7.2 最后做策略来限制test-2进行访问
[r2]acl 3000 [r2-acl-adv-3000]rule deny tcp source 203.1.1.3 0 destination-port eq 23 # 注意:不能写目标地址,实验要求只是拒绝test-2进行telnet服务,并没有说拒绝通信,只用端口号就行 [r2-acl-adv-3000]int g 0/0/2 [r2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
最后的测试:
<test-1>telnet 202.1.1.1 Press CTRL_] to quit telnet mode Trying 202.1.1.1 ... Connected to 202.1.1.1 ... Login authentication Username:chenhaozhensb Password: ----------------------------------------------------------------------------- User last login information: ----------------------------------------------------------------------------- Access Type: Telnet IP-Address : 203.1.1.2 Time : 2025-02-11 14:47:46-08:00 ----------------------------------------------------------------------------- <telnet server>
