Task requirements and configuration approach
Topology:
Requirements
--
1. All PCs obtain their IP addresses via DHCP. The address pool name must match the device's VLAN, e.g. PC1: ip pool vlan10. Only users of business network B need to reach web services on the Internet, so their pools need DNS information.
2. Switch VLAN configuration must follow the principle of minimal VLAN trunking (a trunk allows only the VLANs it actually carries).
3. Use OSPF so that internal and external users can reach each other (full reachability). Router IDs are configured manually and match the device number, e.g. R1 RID 1.1.1.1. Advertise with precise network statements (e.g. for interface 172.16.64.1/24 advertise network 172.16.64.1 0.0.0.0).
4. The whole intranet must be reachable while keeping the number of routing table entries as small as possible (use exact summaries). Configuration that a default route makes unnecessary may be omitted. Prevent loops and secure the network (OSPF area 0 uses MD5 authentication with password 123456). Every enterprise user segment that can be summarised should be summarised. OSPF user terminals must not receive OSPF protocol packets.
5. All internal users can reach the Internet (NAT on the border router). Use a basic ACL numbered 2000. Interface R3 0/0/2 must not be advertised into the intranet (including by static routes).
6. The test device must be able to telnet into the internal telnet-server device with account huawei, password 123456 and the highest privilege level.
7. VLAN 40 and VLAN 50 users are not allowed to access business network B; ACL number 2001 (configured on R3 interface 0/0/0). PC1 is not allowed to access PC5; ACL number 3000.
8. The 100 Mbit/s link between R3 and R4 is a backup link: under normal conditions no traffic may use it; raise its preference value to 100.
9. Configure all devices strictly as labelled in the topology diagram; names are case sensitive.
10. All servers and client devices in the diagram exist only to express the requirements; their addresses are fixed and must not be changed, so take them into account when configuring. client1 simulates an internal user accessing the Internet (the ISP server); the test device simulates an Internet user logging in remotely to the internal telnet-server host.
Analysis:
Configure one region at a time, then the additional requirements at the end.
I. Enterprise A intranet configuration approach:
- Configure router IP addresses
- Configure VLANs
  a. Create the VLANs
  b. Assign interfaces to the VLANs
  c. Configure the trunk interfaces and allow the VLANs through
- Obtain IP addresses via DHCP
  a. Enable DHCP
  b. Create the address pools
  c. Bind the pools on the corresponding interfaces
- Advertise routes with OSPF
  a. Start the OSPF process and configure the RID
  b. Enter the corresponding area and advertise the networks
  c. Check the OSPF neighbour table and routing table, then test reachability
- Configure OSPF inter-area summarisation (ABR summary) to reduce the number of routing table entries
- Configure static null-interface routes to prevent loops
- Configure OSPF area 0 authentication
- Configure Easy IP so the intranet can reach the Internet
- Have OSPF advertise a default route to the internal routers so internal devices can reach the Internet
- Configure the telnet server and a NAT server so the Internet can reach the internal service
- Configure basic and advanced ACLs for access control
II. Enterprise B intranet configuration approach
- Configure IP addresses
- Configure VLANs and their addresses
- Configure DHCP so the PCs obtain IP addresses
- Configure static routes so the whole network is reachable (ping)
- Configure static null-interface routes to prevent loops
- Configure a static default route so internal devices can reach the outside
- Configure floating static routes: traffic uses the gigabit link normally and the 100 Mbit/s link on failure
Detailed steps:
Enterprise 1:
Router interface IP configuration:
[R1-GigabitEthernet0/0/1]int gi 0/0/0
[R1-GigabitEthernet0/0/0]ip add 172.16.67.1 24
[R2]int gi 0/0/0
[R2-GigabitEthernet0/0/0]ip add 172.16.67.2 24
[R2-GigabitEthernet0/0/0]int gi 0/0/2
[R2-GigabitEthernet0/0/2]ip add 172.16.2.1 24
[R3]int gi 0/0/0
[R3-GigabitEthernet0/0/0]ip add 172.16.2.2 24
[R3]int Ethernet 4/0/0
[R3-Ethernet4/0/0]ip add 172.16.129.1 24
[R3]int gi 0/0/1
[R3-GigabitEthernet0/0/1]ip add 172.16.130.1 24
VLAN configuration
The router subinterface commands further below require the VLANs to be created on the switches first.
Switch configuration:
SW1 configuration:
Create the VLANs:
[SW1]vlan batch 10 20 30
Assign the VLANs to the corresponding access interfaces:
[SW1]int gi 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 10
[SW1]int gi 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 20
[SW1-GigabitEthernet0/0/3]int gi 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 30
Configure the trunk and allow VLANs 10, 20 and 30 through:
[SW1-GigabitEthernet0/0/4]int gi 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
SW2 configuration:
[SW2]vlan batch 40 50
[SW2]int gi 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type access
[SW2-GigabitEthernet0/0/2]port default vlan 40
[SW2-GigabitEthernet0/0/2]int gi 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 50
Configure the trunk interface and allow VLANs 40 and 50 through:
[SW2-GigabitEthernet0/0/3]int gi 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 40 50
Router-on-a-stick configuration
R1 subinterfaces:
[R1]int gi 0/0/1.10
[R1-GigabitEthernet0/0/1.10]ip add 172.16.64.1 24
[R1-GigabitEthernet0/0/1.10]dot1q termination vid 10
[R1-GigabitEthernet0/0/1.10]arp broadcast enable
[R1]int gi 0/0/1.20
[R1-GigabitEthernet0/0/1.20]ip add 172.16.65.1 24
[R1-GigabitEthernet0/0/1.20]dot1q termination vid 20
[R1-GigabitEthernet0/0/1.20]arp broadcast enable
[R1]int gi 0/0/1.30
[R1-GigabitEthernet0/0/1.30]ip add 172.16.66.1 24
[R1-GigabitEthernet0/0/1.30]dot1q termination vid 30
[R1-GigabitEthernet0/0/1.30]arp broadcast enable
R2 subinterfaces:
[R2]int gi 0/0/1.40
[R2-GigabitEthernet0/0/1.40]ip add 172.16.0.1 24
[R2-GigabitEthernet0/0/1.40]dot1q termination vid 40
[R2-GigabitEthernet0/0/1.40]arp broadcast enable
[R2-GigabitEthernet0/0/1.40]int gi 0/0/1.50
[R2-GigabitEthernet0/0/1.50]ip add 172.16.1.1 24
[R2-GigabitEthernet0/0/1.50]dot1q termination vid 50
[R2-GigabitEthernet0/0/1.50]arp broadcast enable
Interfaces and IP addresses of R1 and R2:
DHCP configuration:
DHCP on R1:
Enable the DHCP service:
[R1]dhcp enable
Create the address pools:
[R1]ip pool vlan10
Info: It's successful to create an IP address pool.
[R1-ip-pool-vlan10]network 172.16.64.0 mask 24
[R1-ip-pool-vlan10]gateway-list 172.16.64.1
[R1-ip-pool-vlan10]dns-list 8.8.8.8
[R1]ip pool vlan20
[R1-ip-pool-vlan20]network 172.16.65.0 mask 24
[R1-ip-pool-vlan20]gateway-list 172.16.65.1
[R1-ip-pool-vlan20]dns-list 8.8.8.8
[R1]ip pool vlan30
[R1-ip-pool-vlan30]network 172.16.66.0 mask 24
[R1-ip-pool-vlan30]gateway-list 172.16.66.1
[R1-ip-pool-vlan30]dns-list 8.8.8.8
DHCP on R2:
[R2]dhcp enable
[R2]ip pool vlan40
[R2-ip-pool-vlan40]network 172.16.0.0 mask 24
[R2-ip-pool-vlan40]gateway-list 172.16.0.1
[R2-ip-pool-vlan40]dns-list 8.8.8.8
[R2]ip pool vlan50
[R2-ip-pool-vlan50]network 172.16.1.0 mask 24
[R2-ip-pool-vlan50]gateway-list 172.16.1.1
[R2-ip-pool-vlan50]dns-list 8.8.8.8
Bind the address pools on the interfaces:
On R1:
[R1]int gi 0/0/1.10
[R1-GigabitEthernet0/0/1.10]dhcp select global
[R1]int gi 0/0/1.20
[R1-GigabitEthernet0/0/1.20]dhcp select global
[R1-GigabitEthernet0/0/1.20]int gi 0/0/1.30
[R1-GigabitEthernet0/0/1.30]dhcp select global
On R2:
[R2]int gi 0/0/1.40
[R2-GigabitEthernet0/0/1.40]dhcp select global
[R2-GigabitEthernet0/0/1.40]int gi 0/0/1.50
[R2-GigabitEthernet0/0/1.50]dhcp select global
The telnet-server obtains its address via DHCP as well:
[telnet-server]dhcp enable
[telnet-server]int gi 0/0/0
[telnet-server-GigabitEthernet0/0/0]ip address dhcp-alloc
IP address obtained successfully (PC4 shown as an example):
OSPF configuration
Create the OSPF process and configure the RID
R1:
[R1]ospf 1 router-id 1.1.1.1
Enter the corresponding area and advertise the networks
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]network 172.16.64.1 0.0.0.0
[R1-ospf-1-area-0.0.0.1]network 172.16.67.1 0.0.0.0
[R1-ospf-1-area-0.0.0.1]network 172.16.65.1 0.0.0.0
[R1-ospf-1-area-0.0.0.1]network 172.16.66.1 0.0.0.0
R2:
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 1
[R2-ospf-1-area-0.0.0.1]network 172.16.67.2 0.0.0.0
[R2-ospf-1-area-0.0.0.1]area 0
[R2-ospf-1-area-0.0.0.0]network 172.16.2.1 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 172.16.0.1 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 172.16.1.1 0.0.0.0
[R2-ospf-1]default-route-advertise always
R3:
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 172.16.2.2 0.0.0.0
Check the OSPF neighbour table and routing table
Reachability test
(PC1 ping PC4):
Configure OSPF inter-area summarisation (ABR summary) to reduce the number of routing table entries
Summarisation is done on the ABR, R2 (the device connected to both the backbone area and the non-backbone area).
Area 1 summary command (172.16.64.0/24 to 172.16.67.0/24 become 172.16.64.0/22):
[R2]ospf 1
[R2-ospf-1]area 1
[R2-ospf-1-area-0.0.0.1]abr-summary 172.16.64.0 255.255.252.0
[R2-ospf-1-area-0.0.0.1]quit
Area 0 summary command (172.16.0.0/24 to 172.16.2.0/24 become 172.16.0.0/22):
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]abr-summary 172.16.0.0 255.255.252.0
Configure static null-interface routes to prevent loops:
Enterprise A:
[R2]ip route-static 172.16.0.0 22 null 0
[R2]ip route-static 172.16.64.0 22 null 0
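As an added example (not part of the original write-up), the following Python script derives the two exact summaries above from the page's component networks, lists the address space inside each summary that no real network uses, and shows with a constructed R2 routing table why the null0 route is needed: without it a packet for an unused address in 172.16.0.0/22 is matched by R2's default route and sent straight back to R3, which is what creates the loop. The R2 RIB contents and next-hop names are assumptions built from the interface addresses on this page.

```python
import ipaddress

# Constructed from the page's address plan: the four /24s behind R1/R2 in area 1
# and the three /24s that R2 advertises in area 0.
AREA1_NETS = ["172.16.64.0/24", "172.16.65.0/24", "172.16.66.0/24", "172.16.67.0/24"]
AREA0_NETS = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24"]

def exact_summary(prefixes):
    """Smallest single supernet that contains every component prefix
    (the 'precise' abr-summary the requirements ask for)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def uncovered(summary, prefixes):
    """Address space inside the summary that no component network uses;
    packets for it would otherwise follow R2's default route back to R3."""
    pieces = [summary]
    for comp in (ipaddress.ip_network(p) for p in prefixes):
        new = []
        for piece in pieces:
            new.extend(piece.address_exclude(comp) if comp.subnet_of(piece) else [piece])
        pieces = new
    return sorted(pieces)

def lookup(rib, dst):
    """Longest-prefix match over a RIB given as (prefix, next_hop) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Constructed R2 RIB: connected networks plus the OSPF default pointing at R3
# (172.16.2.2). R2_RIB_SAFE adds the page's blackhole route for the summary.
R2_RIB = [("172.16.0.0/24", "GigabitEthernet0/0/1.40"), ("172.16.1.0/24", "GigabitEthernet0/0/1.50"),
          ("172.16.2.0/24", "GigabitEthernet0/0/2"), ("0.0.0.0/0", "172.16.2.2")]
R2_RIB_SAFE = R2_RIB + [("172.16.0.0/22", "NULL0")]

if __name__ == "__main__":
    for nets in (AREA1_NETS, AREA0_NETS):
        s = exact_summary(nets)
        print(s, "unused inside summary:", [str(n) for n in uncovered(s, nets)])
    # Unused address inside the area 0 summary: bounced to R3 vs. dropped locally.
    print(lookup(R2_RIB, "172.16.3.5"), lookup(R2_RIB_SAFE, "172.16.3.5"))
```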
Advertise a default route in OSPF:
[R3]ospf 1
[R3-ospf-1]default-route-advertise always
Routing tables on R2 and R1:
Configure authentication (MD5 on the area 0 link between R2 and R3):
[R3]int gi 0/0/0
[R3-GigabitEthernet0/0/0]ospf authentication-mode md5 1 cipher 123456
[R2]int gi 0/0/2
[R2-GigabitEthernet0/0/2]ospf authentication-mode md5 1 cipher 123456
Configure Easy IP so the intranet can reach the Internet:
[R3]acl 2000
[R3-acl-basic-2000]rule permit source 172.16.0.0 0.0.255.255
[R3]int gi 0/0/2
[R3-GigabitEthernet0/0/2]nat outbound acl 2000
Configure the telnet server and a NAT server so the Internet can reach the internal service:
Create the telnet service (account huawei, password 123456, privilege level 15 as required):
[telnet-server]telnet server enable
[telnet-server]aaa
[telnet-server-aaa]local-user huawei privilege level 15
[telnet-server-aaa]local-user huawei password cipher 123456
[telnet-server-aaa]local-user huawei service-type telnet
[telnet-server]user-interface vty 0 4
[telnet-server-ui-vty0-4]authentication-mode aaa
(AAA mode: log in with username and password)
Test telnet from R2:
Configure the NAT server address on R3:
[R3]int gi 0/0/2
[R3-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 23 inside 172.16.66.254 23
Telnet test from the test device:
Configure basic and advanced ACLs for access control:
Use ACLs to block access to certain networks:
PC3 and PC4 (VLAN 40 and VLAN 50) are denied access to intranet B:
[R2]acl 2000
[R2-acl-basic-2000]rule 5 deny source 172.16.0.0 0.0.0.255
[R2-acl-basic-2000]rule 10 deny source 172.16.1.0 0.0.0.255
[R2]interface gi 0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
[PC3 accessing PC5 in enterprise B]
[PC1 is denied access to PC5]:
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 172.16.64.254 0.0.0.0 destination 172.16.128.254 0.0.0.0
[R1]int gi 0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
[PC1 accessing PC5]
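As an added example (not from the original write-up), here is a small Python evaluator for Huawei-style wildcard-mask ACL rules, run over constructed packets against the three ACLs on this page. It makes two checks visible that the CLI output alone does not: ACL 3000 as written denies only ICMP from PC1 to PC5, so other protocols still pass; and because a basic ACL matches on source address only, the deny rules on R2's Gi0/0/2 also drop VLAN 40/50 packets bound for the Internet. The packet dictionaries and the "no-nat" default label are assumptions of this example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(rules, packet, default="permit"):
    """Walk the rules in configured order (Huawei default match-order config);
    the first rule whose fields all match decides, otherwise `default` applies
    (traffic-filter permits unmatched traffic; nat outbound leaves it untranslated)."""
    for rule in rules:
        if not wildcard_match(packet["src"], *rule["src"]):
            continue
        if "dst" in rule and not wildcard_match(packet["dst"], *rule["dst"]):
            continue
        if "proto" in rule and rule["proto"] != packet["proto"]:
            continue
        return rule["action"]
    return default

# ACL 2000 on R3 Gi0/0/2 (basic): which sources are eligible for Easy IP NAT.
ACL_2000 = [{"action": "permit", "src": ("172.16.0.0", "0.0.255.255")}]
# Basic ACL applied outbound on R2 Gi0/0/2: VLAN 40 and VLAN 50 sources denied.
ACL_R2 = [{"action": "deny", "src": ("172.16.0.0", "0.0.0.255")},
          {"action": "deny", "src": ("172.16.1.0", "0.0.0.255")}]
# ACL 3000 on R1 Gi0/0/0 (advanced): PC1 -> PC5, exactly as written on the page (ICMP only).
ACL_3000 = [{"action": "deny", "proto": "icmp",
             "src": ("172.16.64.254", "0.0.0.0"), "dst": ("172.16.128.254", "0.0.0.0")}]

def packet(src, dst, proto="icmp"):
    """Constructed packet header: only the fields the ACLs look at."""
    return {"src": src, "dst": dst, "proto": proto}

if __name__ == "__main__":
    print(evaluate(ACL_3000, packet("172.16.64.254", "172.16.128.254")))         # deny
    print(evaluate(ACL_3000, packet("172.16.64.254", "172.16.128.254", "tcp")))  # permit
    print(evaluate(ACL_R2, packet("172.16.0.254", "8.8.8.8")))                   # deny
    print(evaluate(ACL_2000, packet("10.0.0.1", "8.8.8.8"), default="no-nat"))   # no-nat
```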
Enterprise 2:
Configure IP addresses
R4:
interface Ethernet4/0/0
ip address 172.16.129.2 255.255.255.0
interface GigabitEthernet0/0/0
ip address 172.16.130.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.131.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 172.16.132.1 255.255.255.0
R5:
interface GigabitEthernet0/0/0
ip address 172.16.131.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.133.1 255.255.255.0
R6:
interface GigabitEthernet0/0/0
ip address 172.16.132.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.134.1 255.255.255.0
R7:
interface GigabitEthernet0/0/0
ip address 172.16.133.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.134.2 255.255.255.0
Configure VLANs
Switch SW3 configuration:
[SW3]vlan batch 60 70
[SW3]int gi 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 70
[SW3]int gi 0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 60
[SW3]int gi 0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 60
[SW3]int gi 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 60 70
Subinterface configuration on R7:
[R7]int gi 0/0/2.1
[R7-GigabitEthernet0/0/2.1]dot1q termination vid 60
[R7-GigabitEthernet0/0/2.1]arp broadcast enable
[R7-GigabitEthernet0/0/2.1]ip address 172.16.128.1 255.255.255.128
[R7]int gi 0/0/2.2
[R7-GigabitEthernet0/0/2.2]dot1q termination vid 70
[R7-GigabitEthernet0/0/2.2]arp broadcast enable
[R7-GigabitEthernet0/0/2.2]ip address 172.16.128.129 255.255.255.128
DHCP configuration:
[R7]dhcp enable
[R7]ip pool vlan60
[R7-ip-pool-vlan60]network 172.16.128.0 mask 25
[R7-ip-pool-vlan60]gateway-list 172.16.128.1
[R7-ip-pool-vlan60]dns-list 8.8.8.8
[R7]ip pool vlan70
[R7-ip-pool-vlan70]network 172.16.128.128 mask 25
[R7-ip-pool-vlan70]gateway-list 172.16.128.129
[R7-ip-pool-vlan70]dns-list 8.8.8.8
Bind the address pools on the interfaces:
[R7]int gi 0/0/2.1
[R7-GigabitEthernet0/0/2.1]dhcp select global
[R7]int gi 0/0/2.2
[R7-GigabitEthernet0/0/2.2]dhcp select global
Configure static routes:
R4:
[R4]ip route-static 172.16.134.0 24 172.16.132.2
[R4]ip route-static 172.16.128.0 24 172.16.132.2
[R4]ip route-static 172.16.133.0 24 172.16.131.2
R5:
[R5]ip route-static 172.16.129.0 24 172.16.131.1
[R5]ip route-static 172.16.130.0 24 172.16.131.1
[R5]ip route-static 172.16.132.0 24 172.16.131.1
[R5]ip route-static 172.16.134.0 24 172.16.133.2
[R5]ip route-static 172.16.128.0 24 172.16.133.2
R6:
[R6]ip route-static 172.16.129.0 24 172.16.132.1
[R6]ip route-static 172.16.130.0 24 172.16.132.1
[R6]ip route-static 172.16.131.0 24 172.16.132.1
[R6]ip route-static 172.16.133.0 24 172.16.134.2
[R6]ip route-static 172.16.128.0 24 172.16.134.2
R7:
[R7]ip route-static 172.16.131.0 24 172.16.133.1
[R7]ip route-static 172.16.129.0 24 172.16.133.1
[R7]ip route-static 172.16.130.0 24 172.16.133.1
[R7]ip route-static 172.16.130.0 24 172.16.134.1
[R7]ip route-static 172.16.129.0 24 172.16.134.1
[R7]ip route-static 172.16.132.0 24 172.16.134.1
R3:
[R3]ip route-static 172.16.128.0 24 172.16.130.2
[R3]ip route-static 172.16.134.0 24 172.16.129.2
[R3]ip route-static 172.16.132.0 24 172.16.129.2
[R3]ip route-static 172.16.132.0 24 172.16.130.2
[R3]ip route-static 172.16.134.0 24 172.16.130.2
PC5 ping R3 test:
DNS server ping R3 test:
Configure static null-interface routes to prevent loops:
On every router configure a null0 route for the summary of VLAN 60 and VLAN 70 (172.16.128.0/24), so that packets for unused addresses inside the summary are dropped instead of following the default route:
[R3]ip route-static 172.16.128.0 24 null 0
[R4]ip route-static 172.16.128.0 24 null 0
[R5]ip route-static 172.16.128.0 24 null 0
[R6]ip route-static 172.16.128.0 24 null 0
[R7]ip route-static 172.16.128.0 24 null 0
[Internal PC5 ping the public ISP server]
Configure default routes so internal devices can reach the outside:
[R4]ip route-static 0.0.0.0 0 172.16.129.1
[R4]ip route-static 0.0.0.0 0 172.16.130.1
[R5]ip route-static 0.0.0.0 0 172.16.131.1
[R6]ip route-static 0.0.0.0 0 172.16.132.1
[R7]ip route-static 0.0.0.0 0 172.16.134.1
[R7]ip route-static 0.0.0.0 0 172.16.133.1
Configure floating static routes so that traffic uses the gigabit link normally and the 100 Mbit/s link on failure
Modify the inbound direction on R4:
[R4]ip route-static 0.0.0.0 0 172.16.130.1 preference 100
[Inactive route]
Modify the outbound direction on R3:
[R3]ip route-static 172.16.128.0 255.255.255.0 172.16.130.2 preference 100
[R3]ip route-static 172.16.131.0 255.255.255.0 172.16.130.2 preference 100
[R3]ip route-static 172.16.132.0 255.255.255.0 172.16.130.2 preference 100
[R3]ip route-static 172.16.133.0 255.255.255.0 172.16.130.2 preference 100
[R3]ip route-static 172.16.134.0 255.255.255.0 172.16.130.2 preference 100
[Inactive route]