Huawei OSPF with integrated application examples to explain the ACL

    In enterprise networks OSPF and ACLs are both used very widely; this article focuses on a worked example that combines OSPF with ACLs.
    The enterprise topology for this example is shown below:

    [Figure: enterprise network topology]

Project requirements:

1. The corporate network runs the OSPF routing protocol, with area planning as shown in the figure;
2. Link instability in the areas where Finance (CW) and R&D (YF) are located must not affect other areas;
3. R1, R2 and R3 may only be logged into and managed from IT;
4. YF and CW cannot communicate with each other, but both can communicate with IT;
5. IT and YF can access Client1, but CW cannot access Client1;
6. YF and CW can only access the WWW service on Server1.

Project planning:

Analysis:
CW
1. YF and CW cannot communicate with each other, but both can communicate with IT;
2. CW cannot access Client1;
3. CW can only access the WWW service on Server1.
YF
1. YF and CW cannot communicate with each other, but YF can communicate with IT;
2. YF can only access the WWW service on Server1.
IT
1. R1, R2 and R3 may only be logged into and managed from IT;
2. IT can access Client1.

Project implementation:
Stage 1: configure the basic network;

R1
sysname R1
interface GigabitEthernet0/0/0
ip address 1.1.1.254 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.12.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.13.1 255.255.255.0
quit
R2
sysname R2
interface GigabitEthernet0/0/0
ip address 192.168.12.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.20.254 255.255.255.0
quit
R3
sysname R3
interface GigabitEthernet0/0/0
ip address 192.168.13.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.30.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.40.254 255.255.255.0
quit

Stage 2: configure OSPF;

R1
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.12.0 0.0.0.255
network 192.168.13.0 0.0.0.255
area 0.0.0.1
network 1.1.1.0 0.0.0.255
quit
R2
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 192.168.12.0 0.0.0.255
area 0.0.0.2
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
stub no-summary
quit
R3
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 192.168.13.0 0.0.0.255
area 0.0.0.3
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
stub no-summary
quit
IT
sysname IT
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
ospf 1
area 0.0.0.2
network 192.168.10.0 0.0.0.255
stub
quit

Stage 3: configure ACLs to meet the business requirements;

Finance department (CW) ACL settings
R3
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
123
acl name cw
rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
rule 20 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 30 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www
rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0
interface GigabitEthernet0/0/1
traffic-filter inbound acl name cw
R&D department (YF) ACL settings
R2
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
123
acl name yf
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 20 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www
rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
interface GigabitEthernet0/0/2
traffic-filter inbound acl name yf
IT department ACL settings
R1
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
123
acl number 3000
rule 10 permit tcp source 1.1.1.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 destination-port eq www
rule 20 deny ip source 1.1.1.0 0.0.0.255 destination 192.168.40.1 0
interface GigabitEthernet0/0/1
traffic-filter inbound acl 3000
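As an added example that is not part of the original post, the Python below evaluates the post's `cw` ACL (as applied on R3) against constructed sample flows from a Finance host, so the first-match semantics, wildcard masks and rule ordering behind the requirements can be checked offline. It assumes Huawei VRP's default behaviour (rules matched in ascending rule-ID order, and a packet matching no rule is permitted by traffic-filter); host addresses such as 192.168.30.10 are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, flow):
    """First matching rule decides (ascending rule ID, VRP's default match-order).
    A flow matching no rule is permitted, as traffic-filter does by default."""
    for rule in acl:
        if rule["proto"] not in ("ip", flow["proto"]):
            continue
        if not (wildcard_match(flow["src"], *rule["src"]) and wildcard_match(flow["dst"], *rule["dst"])):
            continue
        if "dport" in rule and rule["dport"] != flow.get("dport"):
            continue
        return rule["action"], rule["id"]
    return "permit", None

# The post's ACL 'cw' (applied inbound on R3 G0/0/1, the Finance segment).
SRC_CW = ("192.168.30.0", "0.0.0.255")
ACL_CW = [
    {"id": 10, "action": "deny",   "proto": "ip",  "src": SRC_CW, "dst": ("1.1.1.0", "0.0.0.255")},
    {"id": 20, "action": "deny",   "proto": "ip",  "src": SRC_CW, "dst": ("192.168.20.0", "0.0.0.255")},
    {"id": 30, "action": "permit", "proto": "tcp", "src": SRC_CW, "dst": ("192.168.40.1", "0.0.0.0"), "dport": 80},
    {"id": 40, "action": "deny",   "proto": "ip",  "src": SRC_CW, "dst": ("192.168.40.1", "0.0.0.0")},
]

# Constructed sample flows from a Finance host (addresses assumed), one per requirement.
FLOWS = {
    "cw->client1 ping": {"src": "192.168.30.10", "dst": "1.1.1.10",      "proto": "icmp"},
    "cw->yf ping":      {"src": "192.168.30.10", "dst": "192.168.20.10", "proto": "icmp"},
    "cw->server1 www":  {"src": "192.168.30.10", "dst": "192.168.40.1",  "proto": "tcp", "dport": 80},
    "cw->server1 ping": {"src": "192.168.30.10", "dst": "192.168.40.1",  "proto": "icmp"},
    "cw->it ping":      {"src": "192.168.30.10", "dst": "192.168.10.1",  "proto": "icmp"},
}

def check_cw_policy(acl=ACL_CW):
    """Map each sample flow to (action, matching rule id)."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}

def check_rule_order():
    """Why rule IDs matter: with rule 40 evaluated before rule 30, WWW is denied as well."""
    reordered = [ACL_CW[0], ACL_CW[1], ACL_CW[3], ACL_CW[2]]
    return evaluate(reordered, FLOWS["cw->server1 www"])

if __name__ == "__main__":
    for name, (action, rule) in check_cw_policy().items():
        print(f"{name:18s} {action:6s} rule {rule}")
```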

    Project verification:
    Verification 1: verify from the CW network, as follows.
    Finance can access the web service on Server1,
    but cannot ping Server1.

Verification 2: verify from the YF network, as follows.

R&D can access the web service on Server1,
but cannot ping Server1.

Verification 3: R1, R2 and R3 may only be logged into and managed from IT, as follows.

IT can log in to R2.
R1 cannot log in to R2.

So the project requirements have all been verified successfully.

        Project summary:
                    1. When configuring OSPF, make sure the configuration of the special (stub) areas is complete;
                    2. When configuring ACLs, pay attention to the rule sequence numbers and make sure the source and destination IP addresses are correct.

Source: blog.51cto.com/11806823/2438606