Comprehensive network infrastructure experiment

Lab environment:

   eNSP device configuration

Experimental topology:

Experimental requirements:

   1. Plan the network as shown in the figure so that the whole network is interconnected. The management address of switch SW is the address of SVI interface Vlanif10, 192.168.1.100. Server and PC belong to vlan10 and vlan20 and obtain their IP addresses via DHCP.

   2. Configure router-on-a-stick on the gateway, creating the sub-interfaces g0/0/0.10 and g0/0/0.20 with the addresses shown in the figure above. Configure DHCP address pools on the sub-interfaces so that the lab PC and Server can obtain IP addresses. vlan10 and vlan20 must be able to communicate, and the PC must be able to access the internal Server.

   3. R2 and R3 are routers on the WAN, with IP planning as shown in the figure. Run OSPF on R2 and R3, with area0 as the default area, so that R2 and R3 learn each other's routes. R1 and GW are internal routers and run RIPv2. ISP-Server is an external server with the address 112.18.1.1; test that R2 can access ISP-Server.

   4. On GW, configure a default route pointing to R1 toward the external network; on R1, also configure a default route pointing to the external network (R2), and use Easy IP on R1. Write the corresponding configuration. The PC must be able to access ISP-Server. View the translation table.

   5. Configure NAT server on R1, mapping port 23 of the internal GW to port 23 of R1's external interface, so that external hosts can telnet to the internal GW device through the address 112.18.3.1.

   6. Configure an advanced ACL on GW so that the internal Server can ping the PC, but the PC cannot ping the Server.

   7. Configure an advanced ACL on R2 so that R1 can telnet to R3, but R3 cannot telnet to R1.

 

Experiment content

   IP address planning

| Device     | IP address        | Port     |
|------------|-------------------|----------|
| PC         | 192.168.1.253/24  | E0/0/1   |
| Server     | 192.168.2.253/24  | E0/0/1   |
| SW         | 192.168.1.100/24  | ALL      |
| GW         | 192.168.16.2/24   | G0/0/0   |
| GW         | 192.168.1.254/24  | G0/0/0.1 |
| GW         | 192.168.2.254/24  | G0/0/0.2 |
| R1         | 192.168.16.1/24   | G0/0/1   |
| R1         | 112.18.3.1/24     | G0/0/0   |
| R2         | 112.18.3.2/24     | G0/0/0   |
| R2         | 112.18.2.2/24     | G0/0/1   |
| R3         | 112.18.2.3/24     | G0/0/1   |
| R3         | 112.18.1.3/24     | G0/0/0   |
| ISP-Server | 112.18.1.1/24     | E0/0/0   |


1. Plan the network as shown in the figure so that the whole network is interconnected. The management address of switch SW is the address of SVI interface vlanif10, 192.168.1.100. Server and PC belong to vlan10 and vlan20 and use DHCP to obtain their IP addresses.

Experimental procedure

[SW] vlan batch 10 20    (create two separate VLANs, 10 and 20, on the switch)

[SW]int vlanif10

[SW-Vlanif10] ip address 192.168.1.100 24    (set the IP address of the SVI interface on SW)

[SW] display ip int brief    (view the brief IP information of the interfaces)

The IP interface just configured is shown as down, because the link between SW and PC is of type hybrid.

[SW-Ethernet0/0/2]port link-type access    (change the link type between SW and Server to access)

[SW-Ethernet0/0/2]port default vlan 10    (and assign the port to vlan10)

Change the link type between SW and PC to access as well, in the same way as above.

[SW-Ethernet0/0/1]port link-type trunk

[SW-Ethernet0/0/1]port trunk allow-pass vlan 10 20

Manually enable DHCP on the PC and the Server.

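2. Configure router-on-a-stick on the gateway, creating the sub-interfaces g0/0/0.1 and g0/0/0.2 with the addresses shown in the figure above. Configure DHCP address pools on the sub-interfaces so that the lab PC and Server can obtain IP addresses. vlan10 and vlan20 must be able to communicate, and the PC must be able to access the internal Server.

Experimental procedure

[GW-GigabitEthernet0/0/0.2]ip address 192.168.2.254 24

[GW-GigabitEthernet0/0/0.2]dot1q termination vid 20    (when this sub-interface receives packets carrying the VLAN tag, it processes the tag and forwards them at layer 3)

[GW-GigabitEthernet0/0/0.2]arp broadcast enable    (enable ARP broadcast packets)

[GW-GigabitEthernet0/0/0.2]display current-configuration int g0/0/0.2

[GW]dhcp enable    (DHCP is disabled by default and has to be enabled manually)

[GW-GigabitEthernet0/0/0.1]dhcp select int    (enable the address pool)

As shown, the PC obtained an IP address automatically.

Communication between vlan10 and vlan20 now works.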

 

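3. R2 and R3 are routers on the WAN, with IP address planning as shown in the figure. Run OSPF on R2 and R3, with area0 as the default area, so that R2 and R3 learn each other's routes. R1 and GW are internal routers and run RIPv2. ISP-server is an external server with the address 112.18.1.1; test that R2 can access ISP-server.

Experimental procedure

Configure the IP address of each device. The IP address of ISP-server is configured manually, and its gateway must be set to the IP address of R3's g0/0/0 interface.

[R2]ospf

[R2-ospf-1]area 0

[R2-ospf-1-area-0.0.0.0]network 112.18.2.0 0.0.0.255

[R2-ospf-1-area-0.0.0.0]network 112.18.3.0 0.0.0.255    (start OSPF on R2 and advertise the networks of both interfaces into OSPF)

The configuration on R3 is similar.

[R1]rip

[R1-rip-1]version 2

[R1-rip-1]network 192.168.16.0    (run RIPv2 on R1)

Testing shows that R2 can reach the external server.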

 

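4. On GW, configure a default route pointing to R1 toward the external network; on R1, also configure a default route pointing to R2 on the external network, and use Easy IP on R1. Write the corresponding configuration. The PC must be able to access the external server. View the translation table.

Experimental procedure

[R1]ip route-static 0.0.0.0 0.0.0.0 112.18.3.2    (configure a default route on R1 pointing to the external network)

Check the routing table to confirm the default route was configured successfully.

[R1]acl 2000    (use a standard ACL to implement Easy IP)

[R1-acl-basic-2000]rule permit source 192.168.2.254 0

[R1-GigabitEthernet0/0/0]nat outbound 2000    (enable NAT on the port)

Testing shows that the PC can access ISP-server.

[R1-GigabitEthernet0/0/0]display nat session all    (view the translation table while the test is running)

Taking the first exchange in the translation table: the protocol is ICMP, the source address is 192.168.2.253, and the destination address is 112.18.1.1.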

 

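5. Configure NAT server on R1, mapping port 23 of the internal GW to port 23 of R1's external interface, so that external hosts can telnet to the internal GW device through the address 112.18.3.1.

Experimental procedure

[GW]user-int vty 0 4

[GW-ui-vty0-4]authentication-mode password    (set password login on GW)

[R1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface telnet inside 192.168.16.2 telnet    (configure NAT server on R1 to allow remote login to GW)

On R2, test telnet 112.18.3.1, then enter the password; the connection to GW succeeds.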

 

 

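6. Configure an advanced ACL on GW so that the internal Server can ping the PC, but the PC cannot ping the Server.

Experimental procedure

[GW]acl 3000

[GW-acl-adv-3000]rule deny icmp icmp-type echo source 192.168.2.253 0 destination 192.168.1.253 0    (do not allow the PC to communicate with the Server)

[GW-GigabitEthernet0/0/1.2]traffic-filter inbound acl 3000    (apply the ACL on the interface)

[GW]display current-configuration section acl    (view the current ACL configuration)

Experimental results

Pinging the Server from the PC fails; the Server can ping the PC.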

 

 

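7. Configure an advanced ACL on R2 so that R1 can telnet to R3, but R3 cannot telnet to R1.

Experimental procedure

[R1-GigabitEthernet0/0/0]ip address 112.18.3.5 24    (this step conflicts with step six, so R1's IP address is changed)

[R1-GigabitEthernet0/0/0]undo nat server protocol tcp global current-interface telnet inside 192.168.16.2 telnet

Undo the earlier command, because the IP address it used is one that currently exists on R1, then write another command for 112.18.3.1. Testing shows that R2 can still telnet to GW.

[R1-ui-vty0-4]authentication-mode password

Please configure the login password (maximum length 16):cww    (set password login on R1 and R3)

[R2-acl-adv-3000]rule deny tcp source 112.18.2.3 0 destination 112.18.3.1 0 destination-port eq 23    (configure the advanced ACL on R2)

[R2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000    (apply the ACL on the interface)

Experimental results

R1 can log in remotely to R3; R3 cannot log in remotely to R1.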
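
The two advanced ACL rules from steps 6 and 7, evaluated packet by packet, to show why a single stateless deny rule produces one-way behaviour: the ICMP rule matches only type echo, and the TCP rule matches only destination port 23, so return traffic is not caught. This is an added example, not part of the original post; the `Rule` class, `evaluate` function and sample packets are constructed here, and forwarding of packets that match no rule is an assumption about traffic-filter behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, ECHO = 0, 8  # ICMP type numbers

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp" or "tcp"
    src: str
    dst: str
    src_wild: str = "0.0.0.0"        # wildcard "0": every bit must match
    dst_wild: str = "0.0.0.0"
    icmp_type: Optional[int] = None  # None = any ICMP type
    dst_port: Optional[int] = None   # None = any destination port

def _ip_match(addr, base, wild):
    # Bits set in the wildcard mask are "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a | w) == (b | w)

def evaluate(rules, pkt, default="permit"):
    """First matching rule wins; default="permit" is the assumed
    behaviour for packets that match no rule."""
    for r in rules:
        if (r.proto == pkt["proto"]
                and _ip_match(pkt["src"], r.src, r.src_wild)
                and _ip_match(pkt["dst"], r.dst, r.dst_wild)
                and r.icmp_type in (None, pkt.get("icmp_type"))
                and r.dst_port in (None, pkt.get("dst_port"))):
            return r.action
    return default

# Rules transcribed from the page (step 6 on GW, step 7 on R2).
GW_ACL_3000 = [Rule("deny", "icmp", "192.168.2.253", "192.168.1.253",
                    icmp_type=ECHO)]
R2_ACL_3000 = [Rule("deny", "tcp", "112.18.2.3", "112.18.3.1", dst_port=23)]

def icmp(src, dst, icmp_type):       # constructed sample packet
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}

def tcp(src, dst, dst_port):         # constructed sample packet
    return {"proto": "tcp", "src": src, "dst": dst, "dst_port": dst_port}
```

Because both rules match one exact destination host, a packet sent to a different address, such as the 112.18.3.5 configured on R1 in step 7, does not match the R2 rule and falls through to the default action.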


Origin blog.csdn.net/weixin_43955429/article/details/88821484