十五 HCIA综合实验
15.1 IP规划
#内网分配网段192.168.1.0 24
#内网包括骨干链路和两个用户网段,素以需要划分三个,借两位就够用了
192.168.1.0 26--骨干
192.168.1.64 26---R1下网络
192.168.1.128 26---R2下网络
192.168.1.192 26--备用
192.168.1.64 26---R1下网络:划分三个,借两位
192.168.1.64 28--vlan 2
192.168.1.80 28--vlan 3
192.168.1.96 28--vlan 4
192.168.1.112 28--备用
192.168.1.128 26---R2下网络:划分两个,借一位
192.168.1.128 27--vlan 2
192.168.1.160 27--vlan 3 # 外网
R2-ISP之间:网段:202.1.1.0 30
ISP下方网络:网段:203.1.1.0 2415.2 内网的路由交换配置
15.2.1 交换机的配置
#sw1的配置
[sw1]vlan batch 2 to 4
[sw1]int g 0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default vlan 2
[sw1-GigabitEthernet0/0/2]int g 0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 3
[sw1-GigabitEthernet0/0/3]int g 0/0/4
[sw1-GigabitEthernet0/0/4]port link-type access
[sw1-GigabitEthernet0/0/4]port default vlan 4
[sw1]int g 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 4 #sw2配置
[sw2]vlan batch 2 to 3
[sw2]int g 0/0/2
[sw2-GigabitEthernet0/0/2]port link-type access
[sw2-GigabitEthernet0/0/2]port default vlan 2
[sw2-GigabitEthernet0/0/2]int g 0/0/3
[sw2-GigabitEthernet0/0/3]port link-type access
[sw2-GigabitEthernet0/0/3]port default vlan 3
[sw2-GigabitEthernet0/0/3]int g 0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 315.2.2 路由器的配置
配置接口IP地址
# AR1上的接口IP地址
[r1]int g 0/0/1
[r1-GigabitEthernet0/0/1]ip add 192.168.1.1 26
[r1]int g 0/0/0.1
[r1-GigabitEthernet0/0/0.1]ip add 192.168.1.65 28
[r1-GigabitEthernet0/0/0.1]dot1q termination vid 2
[r1-GigabitEthernet0/0/0.1]arp broadcast enable
[r1-GigabitEthernet0/0/0.1]q
[r1]int g 0/0/0.2
[r1-GigabitEthernet0/0/0.2]ip add 192.168.1.81 28
[r1-GigabitEthernet0/0/0.2]dot1q termination vid 3
[r1-GigabitEthernet0/0/0.2]arp broadcast enable
[r1-GigabitEthernet0/0/0.2]q
[r1]int g 0/0/0.3
[r1-GigabitEthernet0/0/0.3]ip add 192.168.1.97 28
[r1-GigabitEthernet0/0/0.3]dot1q termination vid 4
[r1-GigabitEthernet0/0/0.3]arp broadcast enable
[r1-GigabitEthernet0/0/0.3]q # AR2上的接口IP地址
[r2]int g 0/0/1
[r2-GigabitEthernet0/0/1]ip add 192.168.1.2 26
[r2]int g 0/0/0.1
[r2-GigabitEthernet0/0/0.1]ip add 192.168.1.129 27
[r2-GigabitEthernet0/0/0.1]dot1q termination vid 2
[r2-GigabitEthernet0/0/0.1]arp broadcast enable
[r2-GigabitEthernet0/0/0.1]int g 0/0/0.2
[r2-GigabitEthernet0/0/0.2]ip add 192.168.1.161 27
[r2-GigabitEthernet0/0/0.2]dot1q termination vid 3
[r2-GigabitEthernet0/0/0.2]arp broadcast enable
[r2]int g 0/0/2
[r2-GigabitEthernet0/0/2]ip add 202.1.1.1 30 #配置ISP路由器接口的IP地址
[ISP]int g 0/0/0
[ISP-GigabitEthernet0/0/0]ip add 202.1.1.2 30
[ISP-GigabitEthernet0/0/0]int g 0/0/1
[ISP-GigabitEthernet0/0/1]ip add 203.1.1.1 24 #telnet服务器上接口ip地址
[telnet server]int g 0/0/0
[telnet server-GigabitEthernet0/0/0]ip add 192.168.1.98 28
#测试一路由器上接口ip地址
[test-1]int g 0/0/0
[test-1-GigabitEthernet0/0/0]ip add 203.1.1.2 24
#测试二路由器上接口ip地址
[Huawei]sysname test-2
[test-2]int g 0/0/0
[test-2-GigabitEthernet0/0/0]ip add 203.1.1.3 2415.3 用动态路由协议OSPF跑通内网路由
[r1]ospf 1 router-id 1.1.1.1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 192.168.1.1 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 192.168.1.65 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 192.168.1.81 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 192.168.1.97 0.0.0.0
[r2]ospf 1 router-id 2.2.2.2
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]network 192.168.1.2 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 192.168.1.129 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 192.168.1.161 0.0.0.0
# 注意:R2的0/0/2接口时外网接口,不需要宣告 # 让底下终端PC设备用DHCP自动获取地址
[r1]dhcp enable
[r1]ip pool yuange
Info: It's successful to create an IP address pool.
[r1-ip-pool-yuange]network 192.168.1.64 mask 28
[r1-ip-pool-yuange]gateway-list 192.168.1.65
[r1-ip-pool-yuange]dns-list 114.114.114.114 8.8.8.8
[r1]ip pool kunge
Info: It's successful to create an IP address pool.
[r1-ip-pool-kunge]network 192.168.1.80 mask 28
[r1-ip-pool-kunge]gateway-list 192.168.1.81
[r1-ip-pool-kunge]dns-list 114.114.114.114 8.8.8.8
[r1]int g 0/0/0.1
[r1-GigabitEthernet0/0/0.1]dhcp select global
[r1]int g 0/0/0.2
[r1-GigabitEthernet0/0/0.2]dhcp select global
[r2]dhcp enable
[r2]ip pool zhenjie
Info: It's successful to create an IP address pool.
[r2-ip-pool-zhenjie]network 192.168.1.128 mask 27
[r2-ip-pool-zhenjie]gateway-list 192.168.1.129
[r2-ip-pool-zhenjie]dns-list 114.114.114.114
[r2]ip pool sbCHZ
Info: It's successful to create an IP address pool.
[r2-ip-pool-sbCHZ]network 192.168.1.160 mask 27
[r2-ip-pool-sbCHZ]gateway-list 192.168.1.161
[r2-ip-pool-sbCHZ]dns-list 114.114.114.114 8.8.8.8
[r2]int g 0/0/0.1
[r2-GigabitEthernet0/0/0.1]dhcp select global
[r2-GigabitEthernet0/0/0.1]int g 0/0/0.2
[r2-GigabitEthernet0/0/0.2]dhcp select global
检测内网的连通性
15.4 写缺省路由
[r2]ip route-static 0.0.0.0 0 202.1.1.2此时,前四个需求已经完成
15.5 需求五 PC2到PC4可以访问PC5,PC1不行
[r2]acl 2000
[r2-acl-basic-2000]rule per
[r2-acl-basic-2000]rule permit sou
[r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[r2-acl-basic-2000]int g 0/0/2
[r2-GigabitEthernet0/0/2]nat outb
[r2-GigabitEthernet0/0/2]nat outbound 2000
[r2]ospf 1
[r2-ospf-1]default-route-advertise
# PC5:203.1.1.100
此时,检测PC1到PC4都能通往PC5,现在做一个ACL限制流量
[r1]acl 3000
[r1-acl-adv-3000]rule deny ip source 192.168.1.64 0.0.0.15 destination 203.1.1.1
00 0.0.0.0
[r1-acl-adv-3000]q
[r1]int g 0/0/0.1
[r1-GigabitEthernet0/0/0.1]traffic-filter inbound acl 300015.6 需求六是R2出口只有一个公网IP
前面已经配置过
15.7 test-1设备可以登录内网telnet服务器,test-2不行
15.7.1 开启telnet服务
[telnet server-aaa]local-user chenhaozhensb privilege level 15 password cipher 112301
Info: Add a new user.
[telnet server-aaa]local-user chenhaozhensb service-type telnet
[telnet server-aaa]q
[telnet server]user-interface vty 0 4
[telnet server-ui-vty0-4]authentication-mode aaa检测,内网设备可以进行telnet远程登录
外网设备想访问内网telnet服务器,必须做端口映射才可以
[r2]int g 0/0/2
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface telnet inside 192.168.1.98 telnet
Warning:The port 23 is well-known port. If you continue it may cause function fa
ilure.
Are you sure to continue?[Y/N]:y但现在用test-1和test-2设备进行测试,测试不通,因为它俩不认识202.1.1.0 30网段
[test-1]ip route-static 202.1.1.1 32 203.1.1.1
[test-2]ip route-static 202.1.1.1 32 203.1.1.1测试用test-1可以Ping通202.1.1.1,但不能使用telnet服务
<test-1>telnet 192.168.1.98
Press CTRL_] to quit telnet mode
Trying 192.168.1.98 ...
Error: Can't connect to the remote host出现上面的原因是:上面用OSPF协议跑通内网的时候,在R1上宣告的是vlan4的路由,并没有telnet服务器的路由
一般情况下:服务器不会加入到动态路由协议中。
上图中:telnet服务器上只有直连网段的路由信息,数据包回不去。所以,在tennet服务器上加一条缺省路由就可以了.
[telnet server]ip route-static 0.0.0.0 0 192.168.1.97再进行测试:
<test-1>telnet 202.1.1.1
Press CTRL_] to quit telnet mode
Trying 202.1.1.1 ...
Connected to 202.1.1.1 ...
Login authentication
Username:chenhaozhensb
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 203.1.1.3
Time : 2025-02-11 14:45:43-08:00
-----------------------------------------------------------------------------
<telnet server>
# 现在test-1和test-2都可以telnet15.7.2 最后做策略来限制test-2进行访问
[r2]acl 3000
[r2-acl-adv-3000]rule deny tcp source 203.1.1.3 0 destination-port eq 23
# 注意:不能写目标地址,实验要求只是拒绝test-2进行telnet服务,并没有说拒绝通信,只用端口号就行
[r2-acl-adv-3000]int g 0/0/2
[r2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000最后的测试:
<test-1>telnet 202.1.1.1
Press CTRL_] to quit telnet mode
Trying 202.1.1.1 ...
Connected to 202.1.1.1 ...
Login authentication
Username:chenhaozhensb
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 203.1.1.2
Time : 2025-02-11 14:47:46-08:00
-----------------------------------------------------------------------------
<telnet server>