Network Engineering Basics: Comprehensive Lab for a Small-to-Medium Network

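I. Lab Requirements

  1. The network has 3 different departments, all of which obtain addresses automatically.

  2. The departments can reach one another and can also reach the intranet server 172.16.100.1.

  3. PC1 is not allowed to access the Internet; PC2 and PC3 can access the Internet.

  4. The intranet server is published externally at 64.1.1.3, and Internet users can reach this server.

  5. The intranet server's domain name is www.aaa.com, and each PC can reach it by domain name.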

II. Lab Topology Diagram

III. Configuration Steps

LSW3 switch commands:

<Huawei>system-view

[Huawei]vlan batch 20 30

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]port link-type trunk

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]port link-type access

[Huawei-GigabitEthernet0/0/2]port default vlan 20

[Huawei]interface GigabitEthernet 0/0/3

[Huawei-GigabitEthernet0/0/3]port link-type access

[Huawei-GigabitEthernet0/0/3]port default vlan 30

LSW1 switch commands:

<Huawei>system-view

[Huawei]vlan batch 10 20 30 40  // create the VLANs

[Huawei]interface Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.254 255.255.255.0  // assign the IP address

[Huawei]interface Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.254 255.255.255.0

[Huawei]interface Vlanif 30

[Huawei-Vlanif30]ip address 192.168.30.254 255.255.255.0

[Huawei]interface Vlanif 40

[Huawei-Vlanif40]ip address 172.16.100.254 255.255.255.0

[Huawei]dhcp enable  // enable DHCP

[Huawei]interface Vlanif 10

[Huawei-Vlanif10]dhcp select interface

[Huawei-Vlanif10]dhcp server dns-list 172.16.100.1

[Huawei]interface Vlanif 20

[Huawei-Vlanif20]dhcp select interface

[Huawei-Vlanif20]dhcp server dns-list 172.16.100.1

[Huawei]interface Vlanif 30

[Huawei-Vlanif30]dhcp select interface

[Huawei-Vlanif30]dhcp server dns-list 172.16.100.1

[Huawei]display ip interface brief  // check the VLAN interface configuration

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]port link-type access

[Huawei-GigabitEthernet0/0/2]port default vlan 10

[Huawei]interface GigabitEthernet 0/0/3

[Huawei-GigabitEthernet0/0/3]port link-type trunk

[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan all

[Huawei]interface GigabitEthernet 0/0/4

[Huawei-GigabitEthernet0/0/4]port link-type access

[Huawei-GigabitEthernet0/0/4]port default vlan 40

[Huawei]vlan 100

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]port link-type access

[Huawei-GigabitEthernet0/0/1]port default vlan 100

[Huawei]interface Vlanif 100

[Huawei-Vlanif100]ip address 10.10.10.2 24

AR1 router commands:

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 10.10.10.1 24

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 64.1.1.1 24

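LSW1 switch commands:

[Huawei]ip route-static 0.0.0.0 0.0.0.0 10.10.10.1  // default route toward the public network

AR1 router commands:

[Huawei]ip route-static 0.0.0.0 0.0.0.0 64.1.1.10  // default route toward the public network

[Huawei]ip route-static 192.168.0.0 255.255.0.0 10.10.10.2  // return route to the internal network

[Huawei]ip route-static 172.16.100.0 255.255.255.0 10.10.10.2  // return route to the intranet server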

AR1 router, NAT for Internet access:

[Huawei]acl 2000

[Huawei-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255

[Huawei]nat address-group 1 64.1.1.5 64.1.1.5

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]nat outbound 2000 address-group 1

Block the 192.168.10.0 subnet from reaching the public network:

[Huawei]acl 2001

[Huawei-acl-basic-2001]rule deny source 192.168.10.0 0.0.0.255

[Huawei-acl-basic-2001]rule permit source any

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 2001
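
Added example, not part of the original lab: a small Python model of how the wildcard masks and rule order in ACL 2000 and ACL 2001 decide which sources are filtered on AR1 and which are matched for outbound NAT. The host addresses are constructed samples, and placing PC1, PC2 and PC3 in VLANs 10, 20 and 30 is an assumption, since the topology diagram is not available on the page.

```python
import ipaddress


def parse_rule(line):
    """Parse 'rule permit|deny source <addr> <wildcard>' or '... source any'."""
    tok = line.split()
    action, src = tok[1], tok[3]
    if src == "any":
        return action, 0, 0xFFFFFFFF  # every bit is "don't care"
    return (action,
            int(ipaddress.IPv4Address(src)),
            int(ipaddress.IPv4Address(tok[4])))


def evaluate(rules, host):
    """Return the action of the first matching rule, or None if none match."""
    ip = int(ipaddress.IPv4Address(host))
    for action, addr, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match exactly
        if (ip & care) == (addr & care):
            return action
    return None  # what happens next depends on the feature using the ACL


# Rules copied from the AR1 configuration above, in configured order.
ACL_2000 = [parse_rule("rule permit source 192.168.0.0 0.0.255.255")]  # nat outbound
ACL_2001 = [parse_rule("rule deny source 192.168.10.0 0.0.0.255"),     # traffic-filter
            parse_rule("rule permit source any")]

# Constructed sample hosts (assumption); real addresses are leased by DHCP.
HOSTS = {"PC1": "192.168.10.1", "PC2": "192.168.20.1",
         "PC3": "192.168.30.1", "Server": "172.16.100.1"}


def report():
    """Map each host to (ACL 2001 filter result, ACL 2000 NAT match)."""
    return {name: (evaluate(ACL_2001, ip), evaluate(ACL_2000, ip))
            for name, ip in HOSTS.items()}


if __name__ == "__main__":
    for name, (filt, nat) in report().items():
        print(f"{name:7} filter={filt} nat_outbound={nat}")
```

PC1 matches the NAT ACL as well, so it is the deny rule in ACL 2001 alone that keeps it off the Internet; evaluating the two ACL 2001 rules in the opposite order would let PC1 through on the permit.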

Intranet server mapping:

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]nat server global 64.1.1.3 inside 172.16.100.1

AR2 router configuration:

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 64.1.1.10 24

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 8.8.8.254 24

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]ip address 9.9.9.254 24