Topology
1. SW1 is the DHCP server for PC1 and PC2; AR2 is the DHCP server for PC3 and PC4
2. PC1, PC2, PC3, and PC4 can access the external network
3. The external network can access the HTTP server and FTP server of the internal network
SW1 configuration
system-view
sysname SW1
vlan batch 10 20 50 101
//IP addresses of the VLANIF interfaces are configured as follows:
[SW1]display ip interface brief
Interface IP Address/Mask Physical Protocol
LoopBack0 44.44.44.44/32 up up(s)
Vlanif10 192.168.10.254/24 up up
Vlanif20 192.168.20.254/24 up up
Vlanif50 192.168.50.254/24 up up
Vlanif101 192.168.101.1/30 up up
//Port configuration
[SW1]interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 101
[SW1]interface GigabitEthernet0/0/2
[SW1-GigabitEthernet0/0/2]port hybrid pvid vlan 10
[SW1-GigabitEthernet0/0/2]port hybrid untagged vlan 10
[SW1]interface GigabitEthernet0/0/3
[SW1-GigabitEthernet0/0/3]port hybrid pvid vlan 20
[SW1-GigabitEthernet0/0/3]port hybrid untagged vlan 20
[SW1]interface GigabitEthernet0/0/23
[SW1-GigabitEthernet0/0/23]port link-type access
[SW1-GigabitEthernet0/0/23]port default vlan 50
[SW1]interface GigabitEthernet0/0/24
[SW1-GigabitEthernet0/0/24]port link-type access
[SW1-GigabitEthernet0/0/24]port default vlan 50
//DHCP configuration
[SW1]dhcp enable
[SW1]ip pool vlanif10
[SW1-ip-pool-vlanif10]gateway-list 192.168.10.254
[SW1-ip-pool-vlanif10]network 192.168.10.0 mask 24
[SW1-ip-pool-vlanif10]lease day 2
[SW1-ip-pool-vlanif10]dns-list 114.114.114.114
[SW1]interface Vlanif10
[SW1-Vlanif10]ip address 192.168.10.254 24
[SW1-Vlanif10]dhcp select global //DHCP from the global address pool
[SW1]interface Vlanif20
[SW1-Vlanif20]ip address 192.168.20.254 24
[SW1-Vlanif20]dhcp select interface //DHCP from the interface address pool
[SW1-Vlanif20]dhcp server lease day 2
[SW1-Vlanif20]dhcp server dns-list 114.114.114.114
//OSPF configuration
[SW1]router id 44.44.44.44
[SW1]ospf 1
[SW1-ospf-1]area 1
[SW1-ospf-1-area-0.0.0.1]network 192.168.101.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.1]network 192.168.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.1]network 192.168.50.0 0.0.0.255
SW2 configuration
[SW2]vlan batch 30 40 102
//IP addresses of the VLANIF interfaces are configured as follows:
[SW2]display ip interface brief
Interface IP Address/Mask Physical Protocol
LoopBack0 55.55.55.55/32 up up(s)
Vlanif30 192.168.30.254/24 up up
Vlanif40 192.168.40.254/24 up up
Vlanif102 192.168.102.1/30 up up
//Port configuration
[SW2]interface GigabitEthernet0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 102
[SW2]interface GigabitEthernet0/0/2
[SW2-GigabitEthernet0/0/2]port hybrid pvid vlan 30
[SW2-GigabitEthernet0/0/2]port hybrid untagged vlan 30
[SW2]interface GigabitEthernet0/0/3
[SW2-GigabitEthernet0/0/3]port hybrid pvid vlan 40
[SW2-GigabitEthernet0/0/3]port hybrid untagged vlan 40
//DHCP relay configuration
[SW2]interface Vlanif30
[SW2-Vlanif30]ip address 192.168.30.254 24
[SW2-Vlanif30]dhcp select relay
[SW2-Vlanif30]dhcp relay server-ip 192.168.102.2
[SW2]interface Vlanif40
[SW2-Vlanif40]ip address 192.168.40.254 24
[SW2-Vlanif40]dhcp select relay
[SW2-Vlanif40]dhcp relay server-ip 192.168.102.2
//OSPF configuration
[SW2]router id 55.55.55.55
[SW2]ospf 1
[SW2-ospf-1]area 2
[SW2-ospf-1-area-0.0.0.2]network 192.168.102.1 0.0.0.0
[SW2-ospf-1-area-0.0.0.2]network 192.168.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.2]network 192.168.40.0 0.0.0.255
AR1 configuration
//IP addresses of the interfaces are configured as follows:
[AR1]display ip interface brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.13.2/30 up up
GigabitEthernet0/0/1 172.16.12.1/30 up up
GigabitEthernet0/0/2 192.168.101.2/30 up up
LoopBack0 11.11.11.11/32 up up(s)
//OSPF configuration
[AR1]router id 11.11.11.11
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]authentication-mode hmac-md5 1 plain 123456
[AR1-ospf-1-area-0.0.0.0]network 172.16.12.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 172.16.13.2 0.0.0.0
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 192.168.101.2 0.0.0.0
AR2 configuration
//IP addresses of the interfaces are configured as follows:
[AR2]display ip interface brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.23.2/30 up up
GigabitEthernet0/0/1 172.16.12.2/30 up up
GigabitEthernet0/0/2 192.168.102.2/30 up up
LoopBack0 22.22.22.22/32 up up(s)
//DHCP address pool configuration:
[AR2]dhcp enable
[AR2]ip pool vlanif30
[AR2-vlanif30]gateway-list 192.168.30.254
[AR2-vlanif30]network 192.168.30.0 mask 24
[AR2-vlanif30]lease day 2
[AR2-vlanif30]dns-list 114.114.114.114
[AR2]ip pool vlanif40
[AR2-vlanif40]gateway-list 192.168.40.254
[AR2-vlanif40]network 192.168.40.0 mask 24
[AR2-vlanif40]lease day 2
[AR2-vlanif40]dns-list 114.114.114.114
[AR2]interface GigabitEthernet0/0/2
[AR2-GigabitEthernet0/0/2]dhcp select global
//OSPF configuration
[AR2]router id 22.22.22.22
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]authentication-mode hmac-md5 1 plain 123456
[AR2-ospf-1-area-0.0.0.0]network 172.16.12.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 172.16.23.2 0.0.0.0
[AR2-ospf-1]area 2
[AR2-ospf-1-area-0.0.0.2]network 192.168.102.2 0.0.0.0
AR3 configuration
1. Intranet PC1, PC2, PC3, and PC4 can access the external network
2. The client on the external network accesses the HTTP server and FTP server on the internal network through the public network IP
//IP addresses of the interfaces are configured as follows:
[AR3]display ip interface brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 100.1.1.2/24 up up
GigabitEthernet0/0/1 172.16.13.1/30 up up
GigabitEthernet0/0/2 172.16.23.1/30 up up
LoopBack0 33.33.33.33/32 up up(s)
//OSPF configuration
[AR3]router id 33.33.33.33
[AR3]ospf 1
[AR3-ospf-1]default-route-advertise always //inject the default route into OSPF (the static default route is configured below)
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]authentication-mode hmac-md5 1 plain 123456 //area authentication
[AR3-ospf-1-area-0.0.0.0]network 172.16.13.1 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]network 172.16.23.1 0.0.0.0
//Default static route configuration
[AR3]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
//ACL + NAT configuration
[AR3]acl number 2000
[AR3-acl-basic-2000]rule 5 permit source 192.168.10.0 0.0.0.255
[AR3-acl-basic-2000]rule 10 permit source 192.168.20.0 0.0.0.255
[AR3-acl-basic-2000]rule 15 permit source 192.168.30.0 0.0.0.255
[AR3-acl-basic-2000]rule 20 permit source 192.168.40.0 0.0.0.255
[AR3-acl-basic-2000]rule 25 deny source any
[AR3]interface GigabitEthernet0/0/0
[AR3-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[AR3-GigabitEthernet0/0/0]nat server protocol tcp global current-interface www inside 192.168.50.1 www //external clients can reach the internal HTTP server via IP 100.1.1.2
[AR3-GigabitEthernet0/0/0]nat server protocol tcp global current-interface ftp inside 192.168.50.2 ftp //external clients can reach the internal FTP server via IP 100.1.1.2
[AR3-GigabitEthernet0/0/0]nat outbound 2000 //apply NAT to the traffic matched by ACL 2000
[AR3]nat alg ftp enable //enable the NAT ALG for FTP
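In the OSPF sections above, only area 0 carries an authentication-mode line (hmac-md5, key 123456 entered in plain form), while areas 1 and 2 have none. The following audit of such CLI sessions is an added example, not part of the original lab; the finding labels, the 12-character key threshold and the function name are assumptions made for illustration.

```python
import re

# Constructed sample: OSPF lines copied from the AR1 and SW1 sessions on this page.
SAMPLE = """\
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]authentication-mode hmac-md5 1 plain 123456
[AR1-ospf-1-area-0.0.0.0]network 172.16.12.1 0.0.0.0
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 192.168.101.2 0.0.0.0
[SW1]ospf 1
[SW1-ospf-1]area 1
[SW1-ospf-1-area-0.0.0.1]network 192.168.101.1 0.0.0.0
"""

# Area-view prompt, e.g. [AR1-ospf-1-area-0.0.0.0]<command>
PROMPT = re.compile(r"^\[(?P<dev>[A-Za-z0-9]+)-ospf-\d+-area-(?P<area>[\d.]+)\](?P<cmd>.*)$")
AUTH = re.compile(r"^authentication-mode\s+(?P<algo>\S+)"
                  r"(?:\s+(?P<keyid>\d+)\s+(?P<store>plain|cipher)\s+(?P<key>\S+))?")
LEGACY = ("simple", "md5", "hmac-md5")

def audit_ospf_auth(session, min_key_len=12):
    """Return sorted (device, area, finding) tuples for a pasted CLI session.

    Only areas in which at least one command was typed are seen, because the
    area is recovered from the prompt. min_key_len is an assumed threshold.
    """
    areas = {}  # (device, area) -> commands typed in that area view
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            cmd = m["cmd"].split("//")[0].strip()  # drop trailing // comments
            areas.setdefault((m["dev"], m["area"]), []).append(cmd)
    findings = []
    for (dev, area), cmds in areas.items():
        auths = [a for a in map(AUTH.match, cmds) if a]
        if not auths:
            findings.append((dev, area, "no-authentication"))
        for a in auths:
            if a["algo"] in LEGACY:
                findings.append((dev, area, "legacy-algorithm:" + a["algo"]))
            if a["store"] == "plain":
                findings.append((dev, area, "key-stored-in-plaintext"))
            if a["key"] and len(a["key"]) < min_key_len:
                findings.append((dev, area, "short-key"))
    return sorted(findings)

if __name__ == "__main__":
    for dev, area, finding in audit_ospf_auth(SAMPLE):
        print(f"{dev} area {area}: {finding}")
```

Run against the full sessions of SW1, SW2, AR1, AR2 and AR3, it lists every area that would accept an unauthenticated neighbor and every key that appears in clear text in the saved configuration.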
ISP configuration
//IP addresses of the interfaces are configured as follows:
[ISP]display ip interface brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 100.1.1.1/24 up up
GigabitEthernet0/0/1 200.1.1.1/24 up up
Experimental verification:
View AR3
<AR1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 23 Routes : 24
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 100.1.1.1 GigabitEthernet0/0/0
33.33.33.33/32 Direct 0 0 D 127.0.0.1 LoopBack0
100.1.1.0/24 Direct 0 0 D 100.1.1.2 GigabitEthernet0/0/0
100.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
100.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.12.0/30 OSPF 10 2 D 172.16.23.2 GigabitEthernet0/0/2
OSPF 10 2 D 172.16.13.2 GigabitEthernet0/0/1
172.16.13.0/30 Direct 0 0 D 172.16.13.1 GigabitEthernet0/0/1
172.16.13.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
172.16.13.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
172.16.23.0/30 Direct 0 0 D 172.16.23.1 GigabitEthernet0/0/2
172.16.23.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
172.16.23.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
192.168.10.0/24 OSPF 10 3 D 172.16.13.2 GigabitEthernet0/0/1
192.168.20.0/24 OSPF 10 3 D 172.16.13.2 GigabitEthernet0/0/1
192.168.30.0/24 OSPF 10 3 D 172.16.23.2 GigabitEthernet0/0/2
192.168.40.0/24 OSPF 10 3 D 172.16.23.2 GigabitEthernet0/0/2
192.168.50.0/24 OSPF 10 3 D 172.16.13.2 GigabitEthernet0/0/1
192.168.101.0/30 OSPF 10 2 D 172.16.13.2 GigabitEthernet0/0/1
192.168.102.0/30 OSPF 10 2 D 172.16.23.2 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<AR1>
*************************************************************************************
<AR1>display ospf lsdb
OSPF Process 1 with Router ID 33.33.33.33
Link State Database
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 11.11.11.11 11.11.11.11 1415 48 80000012 1
Router 22.22.22.22 22.22.22.22 1425 48 80000011 1
Router 33.33.33.33 33.33.33.33 908 48 8000000D 1
Network 172.16.23.2 22.22.22.22 1425 32 80000008 0
Network 172.16.13.2 11.11.11.11 1415 32 80000007 0
Network 172.16.12.2 22.22.22.22 1694 32 80000008 0
Sum-Net 192.168.10.0 11.11.11.11 726 28 80000008 2
Sum-Net 192.168.20.0 11.11.11.11 726 28 80000008 2
Sum-Net 192.168.30.0 22.22.22.22 138 28 80000008 2
Sum-Net 192.168.50.0 11.11.11.11 1322 28 80000007 2
Sum-Net 192.168.102.0 22.22.22.22 299 28 80000008 1
Sum-Net 192.168.40.0 22.22.22.22 1678 28 80000008 2
Sum-Net 192.168.101.0 11.11.11.11 727 28 80000008 1
AS External Database
Type LinkState ID AdvRouter Age Len Sequence Metric
External 0.0.0.0 33.33.33.33 908 36 80000007 1
<AR1>
*************************************************************************************
<AR1>display nat server
Nat Server Information:
Interface : GigabitEthernet0/0/0
Global IP/Port : current-interface/80(www) (Real IP : 100.1.1.2)
Inside IP/Port : 192.168.50.1/80(www)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Global IP/Port : current-interface/21(ftp) (Real IP : 100.1.1.2)
Inside IP/Port : 192.168.50.2/21(ftp)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Total : 2
<AR1>
HTTP server
External network client accesses HTTP server
FTP server
External network client accesses the FTP server
PC1
PC2
PC3
PC4