Lab topology: unless stated otherwise, each device's IP addresses use the device's trailing number as the host part.
i. Run a trunk between S1 and S2 so that PC1 and PC3 (which are in the same VLAN) can communicate.
Note: the link between the two switches must be a trunk. Only a trunk carries tagged frames for several VLANs at once; over an access link, hosts in the same VLAN on different switches cannot reach each other.

S1 (two trunks: one toward S2, one toward R1 for step ii):
```
[H3C]sysname S1
[S1]vlan 10
[S1-vlan10]port g1/0/1
[S1-vlan10]vlan 20
[S1-vlan20]port g1/0/2
[S1-vlan20]int g1/0/4
[S1-GigabitEthernet1/0/4]port link-type trunk
[S1-GigabitEthernet1/0/4]port trunk permit vlan all
[S1-GigabitEthernet1/0/4]int g1/0/3
[S1-GigabitEthernet1/0/3]port link-type trunk
[S1-GigabitEthernet1/0/3]port trunk permit vlan all
[S1-GigabitEthernet1/0/3]qu
```
S2:
```
[H3C]sysname S2
[S2]vlan 10
[S2-vlan10]port g1/0/2
[S2-vlan10]qu
[S2]int g1/0/1
[S2-GigabitEthernet1/0/1]port link-type trunk
[S2-GigabitEthernet1/0/1]port trunk permit vlan all
```
Caveat: `port trunk permit vlan all` is convenient in a lab, but it lets every VLAN, including VLAN 1 and any VLAN created later, cross the link. On a production trunk, permit only the VLANs the link has to carry (here `port trunk permit vlan 10 20`) and keep the trunk's PVID on a VLAN that carries no hosts, so that untagged frames arriving on the trunk cannot land in a user VLAN. Verify the port state with `display port trunk`.
ii. Configure router-on-a-stick on R1 so that PC1 and PC2 can communicate.
Note: router-on-a-stick means creating several sub-interfaces under one Ethernet interface of the router, each bound to one VLAN. When that Ethernet interface is connected to a trunk port of a VLAN-capable Layer 2 switch, traffic between the switch's VLANs is routed through that single physical port. A Layer 3 switch does not need a router for this: it gets one VLAN interface per VLAN, each with its own IP address, and routes between the VLANs itself.

```
[R1]int g0/0.1
[R1-GigabitEthernet0/0.1]vlan-type dot1q vid 10
[R1-GigabitEthernet0/0.1]ip add 192.168.10.254 24
[R1-GigabitEthernet0/0.1]qu
[R1]int g0/0.2
[R1-GigabitEthernet0/0.2]vlan-type dot1q vid 20
[R1-GigabitEthernet0/0.2]ip add 192.168.20.254 24
[R1-GigabitEthernet0/0.2]qu
```
The keyword is `dot1q` (802.1Q), not `dotlq`. Each sub-interface accepts only frames tagged with its VID, so the VIDs must match the VLAN IDs that the switch trunk toward R1 carries, and the PCs in each VLAN use the sub-interface address (.254) as their default gateway.
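To make the tagging concrete, the following is an added Python example (not part of the lab) that builds and parses 802.1Q-tagged frames the way the S1/S2 trunk ports and R1's `vlan-type dot1q` sub-interfaces handle them. The MAC addresses and payload are constructed; the sub-interface table mirrors R1's configuration above, and `trunk_allows` models `port trunk permit vlan all` versus an explicit VLAN list.

```python
"""Added example (not from the lab page): 802.1Q tagging as seen on the S1-S2 trunk
and on R1's dot1q sub-interfaces.  All frames below are constructed sample data."""
import struct

TPID_8021Q = 0x8100        # EtherType value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for PC1 (VLAN 10) and R1's g0/0.
PC1_MAC = bytes.fromhex("0200000000a1")
R1_MAC = bytes.fromhex("0200000000f1")


def tag_frame(dst, src, vid, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """What a trunk port does on egress for a frame from an access VLAN: insert the
    4-byte tag (TPID + TCI) between the source MAC and the original EtherType."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must be 0..4095")
    tci = (pcp << 13) | vid            # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
    return (dst + src + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("tagged frame shorter than 18 bytes")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "ethertype": inner, "payload": frame[18:]}


def untag_frame(frame):
    """What an access port does on egress: strip the tag and hand the host a plain frame."""
    info = parse_frame(frame)
    if info["vid"] is None:
        return frame
    return frame[:12] + struct.pack("!H", info["ethertype"]) + info["payload"]


def trunk_allows(vid, permitted):
    """`port trunk permit vlan all` is modelled as permitted=None; otherwise a set of VIDs."""
    return permitted is None or vid in permitted


# R1's sub-interfaces from the lab: `vlan-type dot1q vid 10` / `vid 20`.
R1_SUBIFS = {10: "GigabitEthernet0/0.1", 20: "GigabitEthernet0/0.2"}


def r1_ingress(frame, subifs=R1_SUBIFS):
    """Which sub-interface receives the frame; None means no sub-interface carries
    that VID (or the frame is untagged) and R1 drops it."""
    return subifs.get(parse_frame(frame)["vid"])


if __name__ == "__main__":
    f = tag_frame(R1_MAC, PC1_MAC, 10, bytes(46))   # constructed, opaque IP payload
    print(parse_frame(f)["vid"], r1_ingress(f), trunk_allows(10, {10, 20}))
```

A frame from PC1 leaves S1's access port untagged, gets VID 10 inserted on the trunk, and is accepted only by R1's `g0/0.1`; a tag for a VLAN with no sub-interface, or no tag at all, is dropped by the router.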
iii. Run PPP with PAP authentication between R1 and R2.
Note: PPP is a point-to-point method for carrying IP packets over a serial link. MP (PPP Multilink, used in step v) bundles several links between two devices to increase the bandwidth between them, improve link reliability and raise forwarding efficiency.

R1 (authenticator: it demands PAP and holds the account the peer must present):
```
[R1]int s1/0
[R1-Serial1/0]ip address 10.19.0.1 24
[R1-Serial1/0]local-user papr2 class network
New local user added.
[R1-luser-network-papr2]password simple 666
[R1-luser-network-papr2]service-type ppp
[R1-luser-network-papr2]qu
[R1]int s1/0
[R1-Serial1/0]ppp authentication-mode pap
```
R2 (peer: sends the username and password):
```
[R2]int s1/0
[R2-Serial1/0]ip add 10.19.0.2 24
[R2-Serial1/0]ppp pap local-user papr2 password simple 666
```
Caveat: PAP sends the username and password in clear text inside the Authenticate-Request, so anyone who can capture the serial link reads the password directly, and as configured it is one-way (R2 does not authenticate R1). Use PAP only when the peer cannot do CHAP, and use a long random password rather than "666". Check the link with `display interface serial 1/0`: the line protocol should be up with LCP and IPCP opened.
iv. Run PPP with two-way CHAP authentication between R2 and R3.

Both routers use the same username and password here. The `local-user` entry is what a router checks the peer's response against; `ppp chap user` is the name the router itself sends when it is challenged. As originally transcribed, R3 had no `ppp authentication-mode chap`, so only R2 would authenticate R3; for two-way authentication the command is needed on both interfaces, so it is included on R3 below.

R2:
```
[R2]local-user zhangdaye class network
New local user added.
[R2-luser-network-zhangdaye]password simple 666
[R2-luser-network-zhangdaye]service-type ppp
[R2-luser-network-zhangdaye]qu
[R2]int s2/0
[R2-Serial2/0]ip add 10.19.1.1 24
[R2-Serial2/0]ppp authentication-mode chap
[R2-Serial2/0]ppp chap user zhangdaye
```
R3:
```
[R3]local-user zhangdaye class network
New local user added.
[R3-luser-network-zhangdaye]password simple 666
[R3-luser-network-zhangdaye]service-type ppp
[R3-luser-network-zhangdaye]qu
[R3]int s1/0
[R3-Serial1/0]ip add 10.19.1.2 24
[R3-Serial1/0]ppp authentication-mode chap
[R3-Serial1/0]ppp chap user zhangdaye
```
With CHAP, the authenticator sends a random challenge and the peer answers with an MD5 digest over the identifier, the shared secret and the challenge, so the secret itself never crosses the link and a captured response cannot be replayed against a new challenge. Both routers must hold the same secret for the name the other side sends.
v. To increase bandwidth, bundle the two serial links between R2 and RTA with PPP MP:

R2:
```
[R2]int mp-group 1
[R2-MP-group1]ip address 19.0.0.1 29
[R2-MP-group1]qu
[R2]int s3/0
[R2-Serial3/0]ppp mp mp-group 1
[R2-Serial3/0]int s4/0
[R2-Serial4/0]ppp mp mp-group 1
[R2-Serial4/0]qu
```
RTA:
```
[RTA]int mp-group 1
[RTA-MP-group1]ip add 19.0.0.2 29
[RTA-MP-group1]int s1/0
[RTA-Serial1/0]ppp mp mp-group 1
[RTA-Serial1/0]int s2/0
[RTA-Serial2/0]ppp mp mp-group 1
```
The IP address lives on the MP-group interface only; the member serial interfaces carry none. Check the bundle with `display ppp mp`. Caveat: unlike the two previous links, this bundle toward the OSPF side has no PPP authentication configured at all, so either end accepts any peer that brings the link up.
vi. Use RIP inside the internal network (R1, R2, R3) so that it is fully reachable.

R1:
```
[R1]rip 10
[R1-rip-10]network 10.19.0.0 0.0.0.255
[R1-rip-10]network 192.168.10.0
[R1-rip-10]network 192.168.20.0
```
R2:
```
[R2]rip 10
[R2-rip-10]network 10.19.0.0 0.0.0.255
[R2-rip-10]network 10.19.1.0 0.0.0.255
```
R3:
```
[R3]rip 10
[R3-rip-10]network 10.19.1.0 0.0.0.255
```
Caveat: RIP defaults to version 1, which is classful and has no authentication. Add `version 2` and `undo summary` under `rip 10` so the /24 subnets are advertised with their masks, and enable RIPv2 MD5 authentication (`rip authentication-mode md5` on the serial interfaces) so that a device plugged into a serial link cannot inject routes. Check the result with `display rip 10 route`.

vii. Run multi-area OSPF among RTA, RTB, RTC and RTD; configure loopback addresses and advertise them.
Note: multiple OSPF areas improve the scalability of the network and speed up convergence. A loopback address is a software interface address; for ease of management each router gets one loopback interface with its own IP address, which serves as the management address that administrators use to log in remotely.

Interface addresses:

RTA:
```
<RTA>sys
System View: return to User View with Ctrl+Z.
[RTA]int g0/0
[RTA-GigabitEthernet0/0]ip add 19.0.100.1 30
[RTA-GigabitEthernet0/0]qu
[RTA]int loopback 0
[RTA-LoopBack0]ip add 1.1.1.1 32
[RTA-LoopBack0]qu
[RTA]int g0/1
[RTA-GigabitEthernet0/1]ip add 19.0.100.5 30
[RTA-GigabitEthernet0/1]qu
```
RTB:
```
[RTB]int g0/0
[RTB-GigabitEthernet0/0]ip add 19.0.100.2 30
[RTB-GigabitEthernet0/0]int g0/1
[RTB-GigabitEthernet0/1]ip add 19.0.200.1 30
[RTB-GigabitEthernet0/1]qu
[RTB]int loopback 0
[RTB-LoopBack0]ip add 1.1.1.2 32
[RTB-LoopBack0]qu
```
RTC:
```
[RTC]int g0/0
[RTC-GigabitEthernet0/0]ip add 19.0.100.6 30
[RTC-GigabitEthernet0/0]qu
[RTC]int loopback 0
[RTC-LoopBack0]ip add 1.1.1.3 32
[RTC-LoopBack0]qu
```
RTD:
```
[RTD]int g0/0
[RTD-GigabitEthernet0/0]ip add 19.0.200.2 30
[RTD-GigabitEthernet0/0]qu
[RTD]int loopback 0
[RTD-LoopBack0]ip add 1.1.1.4 32
[RTD-LoopBack0]qu
```
Adding OSPF (area 0 between RTA and RTB; area 2 hangs off RTA toward RTC, area 1 off RTB toward RTD, so RTA and RTB are the ABRs):

RTA:
```
[RTA]ospf 100
[RTA-ospf-100]area 0
[RTA-ospf-100-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[RTA-ospf-100-area-0.0.0.0]network 19.0.100.1 0.0.0.3
[RTA-ospf-100-area-0.0.0.0]qu
[RTA-ospf-100]area 2
[RTA-ospf-100-area-0.0.0.2]network 19.0.100.5 0.0.0.3
```
RTB:
```
[RTB]ospf 100
[RTB-ospf-100]area 0
[RTB-ospf-100-area-0.0.0.0]network 1.1.1.2 0.0.0.0
[RTB-ospf-100-area-0.0.0.0]network 19.0.100.2 0.0.0.3
[RTB-ospf-100-area-0.0.0.0]qu
[RTB-ospf-100]area 1
[RTB-ospf-100-area-0.0.0.1]network 19.0.200.1 0.0.0.3
[RTB-ospf-100-area-0.0.0.1]qu
```
RTC:
```
[RTC]ospf 100
[RTC-ospf-100]area 2
[RTC-ospf-100-area-0.0.0.2]network 1.1.1.3 0.0.0.0
[RTC-ospf-100-area-0.0.0.2]network 19.0.100.6 0.0.0.3
```
RTD:
```
[RTD]ospf 100
[RTD-ospf-100]area 1
[RTD-ospf-100-area-0.0.0.1]network 1.1.1.4 0.0.0.0
[RTD-ospf-100-area-0.0.0.1]network 19.0.200.2 0.0.0.3
[RTD-ospf-100-area-0.0.0.1]qu
```
Caveat: no router ID is set, so each router derives one from its interface addresses; pin it with `ospf 100 router-id <loopback address>` so adjacencies stay stable, and enable OSPF authentication (`ospf authentication-mode md5` on the links) so that an unauthorised device cannot form an adjacency. Verify neighbours with `display ospf peer`.

Static routing between R2 and RTA:
```
[RTA]ip route-static 10.19.0.0 16 19.0.0.1
[RTA]ospf 100
[RTA-ospf-100]import-route static
[RTA-ospf-100]import-route direct
[R2]ip route-static 0.0.0.0 0.0.0.0 19.0.0.2
[R1]ip route-static 0.0.0.0 0.0.0.0 10.19.0.2
[R3]ip route-static 0.0.0.0 0.0.0.0 10.19.1.1
```
The original RTA command used a prefix length of 0 (`ip route-static 10.19.0.0 0 19.0.0.1`), which is a default route, not a route to the 10.19.x.x networks; /16 covers both 10.19.0.0/24 and 10.19.1.0/24. `import-route static` injects that route into OSPF as an external route, and `import-route direct` additionally advertises the 19.0.0.0/29 link (which includes R2's NAT address pool from step ix) to RTB, RTC and RTD. The 192.168.x.x networks are never advertised outside R2; their traffic leaves only after NAT.
viii. Configure Telnet with no authentication on R3, Telnet with password authentication on RTD, and Telnet with user (scheme) authentication on RTC.

R3:
```
[R3]telnet server enable
[R3]line vty 0
[R3-line-vty0]authentication-mode none
```
RTD:
```
[RTD]telnet server enable
[RTD]line vty 0
[RTD-line-vty0]authentication-mode password
[RTD-line-vty0]set authentication password simple 666
[RTD-line-vty0]user-role telnet-admin
```
RTC:
```
[RTC]telnet server enable
[RTC]line vty 0
[RTC-line-vty0]authentication-mode scheme
[RTC-line-vty0]qu
[RTC]local-user telnetrtc
New local user added.
[RTC-luser-manage-telnetrtc]password simple 666
[RTC-luser-manage-telnetrtc]service-type telnet
[RTC-luser-manage-telnetrtc]authorization-attribute user-role telnet-admin
```
Caveats: `authentication-mode none` hands a CLI to anyone who can reach R3, and step x deliberately publishes that CLI outside the internal network; this is acceptable only as a lab exercise. Only `line vty 0` is configured on each router, so a session that lands on vty 1 to 4 keeps the default settings; use `line vty 0 4` to cover all of them. `user-role telnet-admin` requires a role of that name to exist (created with `role name`); otherwise use a predefined role such as `network-admin` or `network-operator`. Telnet carries credentials and sessions in clear text. Of the three, only the scheme variant on RTC ties each session to a named account, and it is the model to carry over to SSH (`ssh server enable` plus `protocol inbound ssh` on the vty lines) in any real deployment. Check who is logged in with `display users`.
ix. Configure NAT on R2 so that the internal network can reach the Internet.
Note: NAT (network address translation) maps internal addresses to public addresses, so that many internal hosts share one or a few public addresses; only one device in a LAN needs a connection to the Internet and the others share it through NAT. Hosts on the internal network can initiate connections to the Internet, but Internet hosts cannot initiate connections to internal hosts, simply because no translation exists for them until a mapping is created (step x creates exactly such a mapping). This saves public addresses and hides the internal addressing plan; it is a side effect of the translation table, not an access-control mechanism, so it does not replace a packet filter.

```
[R2]acl basic 2000
[R2-acl-ipv4-basic-2000]rule 0 permit source 192.168.0.0 0.0.255.255
[R2-acl-ipv4-basic-2000]rule 1 permit source 10.19.0.0 0.0.0.255
[R2-acl-ipv4-basic-2000]qu
[R2]nat address-group 1
[R2-address-group-1]address 19.0.0.3 19.0.0.6
[R2-address-group-1]qu
[R2]int mp-group 1
[R2-MP-group1]nat outbound 2000 address-group 1
[R2-MP-group1]qu
```
Rule 0 originally used the wildcard `0.0.0.255`, which matches only 192.168.0.0/24, a network no PC is in; `0.0.255.255` covers 192.168.10.0/24 and 192.168.20.0/24. Only packets the ACL permits are translated; anything else leaves the MP-group untranslated. The pool 19.0.0.3 to 19.0.0.6 lies inside the 19.0.0.0/29 link, so RTA treats the translated addresses as directly connected, and `import-route direct` on RTA (step vii) makes them reachable from RTB, RTC and RTD. Check active translations with `display nat session`.
x. Configure a NAT server on R2 so that RTD can reach R3's Telnet service:

```
[R2]interface mp-group 1
[R2-MP-group1]nat server protocol tcp global 19.0.0.1 telnet inside 10.19.1.2 telnet
```
The original command used `global 19.0.200.2`, which is RTD's own g0/0 address (step vii); a connection from RTD to that address would never leave RTD. The global address must be one that R2 owns or that is routed to R2, so R2's MP-group address 19.0.0.1 is used here; from RTD, `telnet 19.0.0.1` then lands on R3 (10.19.1.2). Caveat: this mapping publishes R3's unauthenticated CLI (step viii) to every router in the OSPF domain, and the ACL in step xi does not restrict it.
xi. Use an access control list (ACL) to implement the following. An ACL is a list of rules applied to a router interface that tells the router which packets to accept and which to reject. It works by packet filtering: the router reads the Layer 3 and Layer 4 header fields (source address, destination address, source port, destination port, protocol) and filters each packet against the predefined rules.
- Deny PC2 access to all services on RTC.
- Deny R1 access to RTD's Telnet service.

```
[R2]acl advanced 3000
[R2-acl-ipv4-adv-3000]rule deny ip source 192.168.10.1 0.0.0.0 destination 19.0.200.2 0.0.0.0
[R2-acl-ipv4-adv-3000]undo rule 0
[R2-acl-ipv4-adv-3000]rule 0 deny ip source 192.168.20.1 0.0.0.0 destination 19.0.100.6 0.0.0.0
[R2-acl-ipv4-adv-3000]rule 1 deny tcp source 10.19.0.1 0.0.0.0 destination 19.0.200.2 0.0.0.0 destination-port eq 23
[R2-acl-ipv4-adv-3000]qu
[R2]int s1/0
[R2-Serial1/0]packet-filter 3000 inbound
[R2-Serial1/0]qu
```
The first rule was entered without a number (it became rule 0) against the wrong host and is removed again; Comware negates with `undo`, not `no`. The original `rule 1 deny 23 ...` matched IP protocol number 23, not TCP port 23, so it would never have blocked Telnet; the corrected rule matches TCP with destination port 23. The filter is applied inbound on s1/0, the R1-facing link, where packets still carry their internal source addresses (NAT happens later on the MP-group), and a packet that matches no rule is forwarded. Two gaps remain: the source in rule 0 must be PC2's actual address, and RTC's loopback 1.1.1.3 is not covered, so PC2 can still reach services bound to it unless a second rule with `destination 1.1.1.3 0` is added. Likewise R1 is blocked only when it sources Telnet from 10.19.0.1, its default for that path. Check matches with `display acl 3000`, which shows the hit count per rule.
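How the wildcard masks and first-match semantics in ACL 2000 (step ix) and ACL 3000 above actually decide a packet's fate, as an added Python example that is not part of the lab: it evaluates Comware-style basic/advanced rules against constructed packets built from the lab's addresses, and shows both the `0.0.0.255` versus `0.0.255.255` mistake and the `deny 23` versus `deny tcp ... destination-port eq 23` mistake.

```python
"""Added example (not from the lab page): evaluate Comware-style ACL rules the way
`nat outbound <acl>` and `packet-filter <acl> inbound` do.  Rule tables and packets
are constructed from the addresses used in the lab."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit means 'don't care'; 0.0.0.0 matches exactly one host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    proto: Optional[int] = None       # None = any IP protocol ("ip")
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # any destination
    dport: Optional[int] = None       # None = any destination port

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(rules, pkt, default="permit"):
    """First matching rule in rule-id order wins (match-order config, the default).
    Returns (action, rule_id); rule_id None means no rule matched and the default applied."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return default, None


# ACL 2000 as first written: 192.168.0.0 0.0.0.255 covers only 192.168.0.x.
ACL_2000_AS_WRITTEN = [
    Rule(0, "permit", src="192.168.0.0", src_wc="0.0.0.255"),
    Rule(1, "permit", src="10.19.0.0", src_wc="0.0.0.255"),
]
# Corrected: 0.0.255.255 covers 192.168.10.0/24 and 192.168.20.0/24.
ACL_2000_FIXED = [
    Rule(0, "permit", src="192.168.0.0", src_wc="0.0.255.255"),
    Rule(1, "permit", src="10.19.0.0", src_wc="0.0.0.255"),
]


def nat_would_translate(pkt, acl):
    """`nat outbound <acl>`: only packets the ACL permits are translated."""
    return evaluate(acl, pkt, default="deny")[0] == "permit"


# ACL 3000: PC2 -> RTC (any protocol) and R1 -> RTD Telnet (TCP port 23).
ACL_3000 = [
    Rule(0, "deny", src="192.168.20.1", src_wc="0.0.0.0", dst="19.0.100.6", dst_wc="0.0.0.0"),
    Rule(1, "deny", proto=TCP, src="10.19.0.1", src_wc="0.0.0.0",
         dst="19.0.200.2", dst_wc="0.0.0.0", dport=23),
]
# What `rule 1 deny 23 ...` actually expressed: IP protocol number 23, never TCP port 23.
ACL_3000_AS_WRITTEN = [
    ACL_3000[0],
    Rule(1, "deny", proto=23, src="10.19.0.1", src_wc="0.0.0.0", dst="19.0.200.2", dst_wc="0.0.0.0"),
]


def packet_filter(pkt, acl=ACL_3000):
    """`packet-filter <acl> inbound`: a packet matching no rule is forwarded (default permit)."""
    return evaluate(acl, pkt, default="permit")[0]


if __name__ == "__main__":
    pc2 = {"src": "192.168.20.1", "dst": "19.0.100.6", "proto": TCP, "dport": 80}
    print(nat_would_translate(pc2, ACL_2000_AS_WRITTEN), nat_would_translate(pc2, ACL_2000_FIXED))
    print(packet_filter({"src": "10.19.0.1", "dst": "19.0.200.2", "proto": TCP, "dport": 23}))
```

Run against the lab's addresses, PC2's traffic is not translated by ACL 2000 as first written but is by the corrected wildcard; R1's Telnet to RTD is dropped only by the `tcp ... destination-port eq 23` form, and PC2 can still reach RTC's loopback 1.1.1.3 because rule 0 names only 19.0.100.6.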