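Lab topology:
Lab requirements:
- The ISP router is configured with IP addresses only
- The internal network is subnetted from 192.168.1.0/24
- R1 and R2 run single-area OSPF so that the whole internal network is reachable
- PC1-PC4 obtain their addresses through DHCP
- PC2-PC4 can access PC5; PC1 cannot
- The R2 egress has only one public IP address
- test-1 can log in to the internal telnet server; test-2 cannot
Lab procedure:
1. IP address planning
The internal network is subnetted from the given segment 192.168.1.0/24; the external backbone uses 12.1.1.0/24 and the external users use 5.5.5.0/24.
Note that VLANs divide the internal network into broadcast domains, and each broadcast domain needs its own subnet. How to divide the addresses was covered earlier and is not repeated here; the resulting plan is shown in the figure below:
2. Basic configuration (plus VLANs and sub-interfaces)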
Lsw1:
[Huawei]vlan batch 2 to 4
[Huawei]interface e0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 2
[Huawei-Ethernet0/0/2]q
[Huawei]interface e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 3
[Huawei-Ethernet0/0/3]q
[Huawei]interface e0/0/4
[Huawei-Ethernet0/0/4]port link-type access
[Huawei-Ethernet0/0/4]port default vlan 4
[Huawei-Ethernet0/0/4]q
[Huawei]interface e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all
[Huawei-Ethernet0/0/1]q
Lsw2:
[Huawei]vlan batch 2 to 3
[Huawei]interface e0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 2
[Huawei-Ethernet0/0/2]q
[Huawei]interface e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 3
[Huawei-Ethernet0/0/3]q
[Huawei]interface e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all
[Huawei-Ethernet0/0/1]q
R1:
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.1.129 30
[Huawei-GigabitEthernet0/0/1]q
[Huawei]interface g0/0/0.1
[Huawei-GigabitEthernet0/0/0.1]dot1q termination vid 2
[Huawei-GigabitEthernet0/0/0.1]ip address 192.168.1.1 28
[Huawei-GigabitEthernet0/0/0.1]arp broadcast enable
[Huawei-GigabitEthernet0/0/0.1]q
[Huawei]interface g0/0/0.2
[Huawei-GigabitEthernet0/0/0.2]dot1q termination vid 3
[Huawei-GigabitEthernet0/0/0.2]ip address 192.168.1.17 28
[Huawei-GigabitEthernet0/0/0.2]arp broadcast enable
[Huawei-GigabitEthernet0/0/0.2]q
[Huawei]interface g0/0/0.3
[Huawei-GigabitEthernet0/0/0.3]dot1q termination vid 4
[Huawei-GigabitEthernet0/0/0.3]ip address 192.168.1.33 28
[Huawei-GigabitEthernet0/0/0.3]arp broadcast enable
[Huawei-GigabitEthernet0/0/0.3]q
R2:
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.130 30
[Huawei-GigabitEthernet0/0/0]q
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]ip address 12.1.1.1 24
[Huawei-GigabitEthernet0/0/2]q
[Huawei]interface g0/0/1.1
[Huawei-GigabitEthernet0/0/1.1]dot1q termination vid 2
[Huawei-GigabitEthernet0/0/1.1]ip address 192.168.1.65 27
[Huawei-GigabitEthernet0/0/1.1]arp broadcast enable
[Huawei-GigabitEthernet0/0/1.1]q
[Huawei]interface g0/0/1.2
[Huawei-GigabitEthernet0/0/1.2]dot1q termination vid 3
[Huawei-GigabitEthernet0/0/1.2]ip address 192.168.1.99 27
[Huawei-GigabitEthernet0/0/1.2]arp broadcast enable
[Huawei-GigabitEthernet0/0/1.2]q
ISP:
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 12.1.1.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 5.5.5.1 24
[Huawei-GigabitEthernet0/0/1]q
telnet-server:
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.34 28
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.1.33
Test-1:
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 5.5.5.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0.0.0.0 5.5.5.1
Test-2:
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 5.5.5.4 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0.0.0.0 5.5.5.1
3. DHCP (PC1-PC4 obtain their addresses through the DHCP service)
R1:
[Huawei]dhcp enable
[Huawei]ip pool v2
[Huawei-ip-pool-v2]network 192.168.1.0 mask 28
[Huawei-ip-pool-v2]gateway-list 192.168.1.1
[Huawei-ip-pool-v2]dns-list 8.8.8.8
[Huawei-ip-pool-v2]q
[Huawei]interface g0/0/0.1
[Huawei-GigabitEthernet0/0/0.1]dhcp select global
[Huawei-GigabitEthernet0/0/0.1]q
[Huawei]ip pool v3
[Huawei-ip-pool-v3]network 192.168.1.16 mask 28
[Huawei-ip-pool-v3]gateway-list 192.168.1.17
[Huawei-ip-pool-v3]dns-list 8.8.8.8
[Huawei-ip-pool-v3]q
[Huawei]interface g0/0/0.2
[Huawei-GigabitEthernet0/0/0.2]dhcp select global
[Huawei-GigabitEthernet0/0/0.2]q
R2:
[Huawei]dhcp enable
[Huawei]ip pool v2
[Huawei-ip-pool-v2]network 192.168.1.64 mask 27
[Huawei-ip-pool-v2]gateway-list 192.168.1.65
[Huawei-ip-pool-v2]dns-list 8.8.8.8
[Huawei-ip-pool-v2]q
[Huawei]interface g0/0/1.1
[Huawei-GigabitEthernet0/0/1.1]dhcp select global
[Huawei-GigabitEthernet0/0/1.1]q
[Huawei]ip pool v3
[Huawei-ip-pool-v3]network 192.168.1.98 mask 27
[Huawei-ip-pool-v3]gateway-list 192.168.1.99
[Huawei-ip-pool-v3]dns-list 8.8.8.8
[Huawei-ip-pool-v3]q
[Huawei]interface g0/0/1.2
[Huawei-GigabitEthernet0/0/1.2]dhcp select global
[Huawei-GigabitEthernet0/0/1.2]q
[Huawei]
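An added check of the address plan from steps 2 and 3 (example code, not part of the original post): it verifies that each network statement sits on a subnet boundary, that each gateway is a usable host in its subnet, and that no two segments overlap. The segment labels are assumptions made here; the vlan 4 and R1-R2 link networks are derived from the interface addresses in step 2.

```python
import ipaddress

# Transcribed from the page: (device, segment, network statement, gateway).
# The vlan 4 and R1-R2 link rows have no DHCP pool; their networks are
# derived here from the interface addresses in step 2.
SEGMENTS = [
    ("R1", "pool v2", "192.168.1.0/28", "192.168.1.1"),
    ("R1", "pool v3", "192.168.1.16/28", "192.168.1.17"),
    ("R1", "vlan 4", "192.168.1.32/28", "192.168.1.33"),
    ("R2", "pool v2", "192.168.1.64/27", "192.168.1.65"),
    ("R2", "pool v3", "192.168.1.98/27", "192.168.1.99"),
    ("R1-R2", "link", "192.168.1.128/30", "192.168.1.129"),
]

def check_plan(segments, parent="192.168.1.0/24"):
    """Return a list of findings; an empty list means the plan is clean."""
    parent_net = ipaddress.ip_network(parent)
    findings, seen = [], []
    for device, name, stmt, gateway in segments:
        tag = f"{device} {name}"
        # strict=False masks off host bits so a misaligned statement still parses.
        net = ipaddress.ip_network(stmt, strict=False)
        if str(net) != stmt:
            findings.append(f"{tag}: {stmt} is not on a subnet boundary; "
                            f"the containing subnet is {net}")
        if not net.subnet_of(parent_net):
            findings.append(f"{tag}: {net} is outside {parent_net}")
        gw = ipaddress.ip_address(gateway)
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append(f"{tag}: gateway {gw} is not a usable host in {net}")
        for other_tag, other in seen:
            if net.overlaps(other):
                findings.append(f"{tag}: {net} overlaps {other_tag} ({other})")
        seen.append((tag, net))
    return findings

if __name__ == "__main__":
    for finding in check_plan(SEGMENTS):
        print(finding)
```

The only finding is the R2 pool v3 statement: 192.168.1.98 with a 27-bit mask is a host address inside 192.168.1.96/27, not the network address itself.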
4. OSPF configuration (full connectivity inside the internal network)
R1:
[Huawei]ospf 1 router-id 1.1.1.1
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]q
R2:
[Huawei]ospf 1 router-id 2.2.2.2
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]q
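At this point the whole internal network is reachable, as shown below:
5. Configure a default route and NAT so the internal network can reach the external network (configured only on the border router R2)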
[Huawei]ospf 1
[Huawei-ospf-1]default-route-advertise always
[Huawei-ospf-1]q
[Huawei]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2000]q
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]nat outbound 2000
[Huawei-GigabitEthernet0/0/2]q
The internal network can now reach the external network, as shown below:
6. Restrict PC1's access to PC5 (configured on R1)
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.14 0.0.0.0 destination 5.5.5.3 0.0.0.0
[Huawei-acl-adv-3000]q
[Huawei]interface g0/0/0.1
[Huawei-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000
PC1 can no longer reach PC5, as shown:
7. Allow test-1 to log in to the internal telnet server while test-2 cannot
Enable the telnet service on telnet-server:
[Huawei]aaa
[Huawei-aaa]local-user liong privilege level 15 password cipher 123456
[Huawei-aaa]local-user liong service-type telnet
[Huawei-aaa]q
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
On the border router, configure port mapping so the external network can reach the internal service:
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 23 inside 192.168.1.34 23
Apply the restriction on the ISP router:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp source 5.5.5.4 0.0.0.0 destination 12.1.1.1 0.0.0.0 destination-port eq 23
[Huawei-acl-adv-3000]q
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
The requirement is now met, as shown:
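An added model of the two traffic-filter ACLs from steps 6 and 7 (example code, not part of the original post), run over constructed sample packets to show exactly which traffic each rule set covers. Unmatched packets are treated as forwarded, which is the behaviour the lab relies on when test-1 still connects through an ACL that holds only a deny rule; `ISP_ALLOWLIST`, the sample packets and the 5.5.5.9 host are hypothetical.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # Wildcard mask semantics: 0 bits must match, 1 bits are ignored.
    return (_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF == 0

def rule(action, proto, src, dst, dport=None):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

# Rules transcribed from steps 6 and 7 of the page.
R1_ACL_3000 = [rule("deny", "icmp", ("192.168.1.14", "0.0.0.0"), ("5.5.5.3", "0.0.0.0"))]
ISP_ACL_3000 = [rule("deny", "tcp", ("5.5.5.4", "0.0.0.0"), ("12.1.1.1", "0.0.0.0"), 23)]
# Hypothetical allowlist variant (not on the page): permit test-1, deny other telnet.
ISP_ALLOWLIST = [
    rule("permit", "tcp", ("5.5.5.2", "0.0.0.0"), ("12.1.1.1", "0.0.0.0"), 23),
    rule("deny", "tcp", ("0.0.0.0", "255.255.255.255"), ("12.1.1.1", "0.0.0.0"), 23),
]

def traffic_filter(acl, proto, src, dst, dport=None):
    """First matching rule decides; a packet matching no rule is forwarded."""
    for r in acl:
        if (r["proto"] == proto
                and wildcard_match(src, *r["src"])
                and wildcard_match(dst, *r["dst"])
                and r["dport"] in (None, dport)):
            return r["action"]
    return "permit"

# Constructed sample packets: (label, acl, proto, src, dst, dport)
SAMPLES = [
    ("PC1 ping PC5", R1_ACL_3000, "icmp", "192.168.1.14", "5.5.5.3", None),
    ("PC1 ping PC5 with a different lease", R1_ACL_3000, "icmp", "192.168.1.13", "5.5.5.3", None),
    ("PC1 tcp/80 to PC5", R1_ACL_3000, "tcp", "192.168.1.14", "5.5.5.3", 80),
    ("test-1 telnet", ISP_ACL_3000, "tcp", "5.5.5.2", "12.1.1.1", 23),
    ("test-2 telnet", ISP_ACL_3000, "tcp", "5.5.5.4", "12.1.1.1", 23),
    ("other 5.5.5.0/24 host telnet", ISP_ACL_3000, "tcp", "5.5.5.9", "12.1.1.1", 23),
    ("other host telnet, allowlist", ISP_ALLOWLIST, "tcp", "5.5.5.9", "12.1.1.1", 23),
]

def evaluate(samples=SAMPLES):
    return {label: traffic_filter(acl, proto, src, dst, dport)
            for label, acl, proto, src, dst, dport in samples}

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{verdict:6}  {label}")
```

Both ACLs satisfy the lab checks as written, but each denies a single host address: the R1 rule covers only ICMP from the address PC1 currently holds by DHCP, and the ISP rule covers only 5.5.5.4, whereas the allowlist variant scopes telnet to test-1 alone.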
From: https://blog.csdn.net/2301_81411842/article/details/140238180