IP综合实验

1.配置eth-trunk进行绑定

LSW1\]interface Eth-Trunk 0 \[LSW1-Eth-Trunk0\]q \[LSW1\]interface g0/0/2 \[LSW1-GigabitEthernet0/0/2\]eth-trunk 0 \[LSW1-GigabitEthernet0/0/2\]int g0/0/3 \[LSW1-GigabitEthernet0/0/3\]eth-trunk 0 \[LSW1-GigabitEthernet0/0/3\]display eth-trunk 0 2.创建vlan，划分接口类型 \[LSW1\]vlan 2 \[LSW1\]port-group group-member g0/0/4 to g0/0/5 Eth-Trunk 0 \[LSW1-port-group\]port link-type trunk \[LSW1-GigabitEthernet0/0/4\]port link-type trunk \[LSW1-GigabitEthernet0/0/5\]port link-type trunk \[LSW1-port-group\]port trunk allow-pass vlan 2 \[LSW1-GigabitEthernet0/0/4\]port trunk allow-pass vlan 2 \[LSW1-GigabitEthernet0/0/5\]port trunk allow-pass vlan 2 \[LSW1-Eth-Trunk0\]port trunk allow-pass vlan 2  \[LSW2\]vlan 2 \[LSW2-vlan2\]q \[LSW2\]port-group group-member g0/0/4 to g0/0/5 Eth-Trunk 0 \[LSW2-port-group\]port trunk allow-pass vlan 2 \[LSW2-Eth-Trunk0\]port trunk allow-pass vlan 2  \[LSW3\]vlan 2 \[LSW3-vlan2\]q \[LSW3-Ethernet0/0/3\]int e0/0/4 \[LSW3-Ethernet0/0/4\]port link-type access \[LSW3-Ethernet0/0/4\]port default vlan 2 \[LSW3-Ethernet0/0/4\]q \[LSW3\]port-group group-member e0/0/1 to e0/0/2 \[LSW3-port-group\]port link-type trunk \[LSW3-port-group\]port trunk allow-pass vlan 2 \[LSW4\]vlan 2 \[LSW4-vlan2\]q \[LSW4\]int e0/0/4 \[LSW4-Ethernet0/0/4\]port link-type access \[LSW4-Ethernet0/0/4\]port default vlan 2 \[LSW4-Ethernet0/0/4\]q \[LSW4\]port-group group-member e0/0/1 to e0/0/2 \[LSW4-port-group\]port link-type trunk \[LSW4-port-group\]port trunk allow-pass vlan 2 3.配置生成树： \[LSW1\]stp region-configuration \[LSW1-mst-region\]region-name a \[LSW1-mst-region\]instance 1 vlan 1 \[LSW1-mst-region\]instance 2 vlan 2 \[LSW1-mst-region\]active region-configuration \[LSW1\]stp instance 1 root primary \[LSW1\]stp instance 2 root secondary \[LSW1\]stp instance 0 root primary  \[LSW2\]stp region-configuration \[LSW2-mst-region\]instance 1 vlan 1 \[LSW2-mst-region\]instance 2 vlan 2 \[LSW2-mst-region\]active region-configuration \[LSW2\]stp instance 1 root secondary \[LSW2\]stp instance 2 root primary \[LSW2\]stp instance 0 root secondary \[LSW3\]stp region-configuration \[LSW3-mst-region\]region-name a \[LSW3-mst-region\]instance 1 vlan 1 \[LSW3-mst-region\]instance 2 vlan 2 \[LSW3-mst-region\]active region-configuration \[LSW4\]stp region-configuration \[LSW4-mst-region\]region-name a \[LSW4-mst-region\]instance 1 vlan 1 \[LSW4-mst-region\]instance 2 vlan 2 \[LSW4-mst-region\]active region-configuration \[LSW3\]port-group group-member e0/0/1 to e0/0/2 \[LSW3-port-group\]stp edged-port enable \[LSW3\]int e0/0/3 \[LSW3-Ethernet0/0/3\]stp instance 0 port priority 16 5.配置ip地址SVI： \[LSW1\]int vlan 1 \[LSW1-Vlanif1\]ip add \[LSW1-Vlanif1\]ip address 172.16.1.1 25 \[LSW1-Vlanif1\]int vlan 2 \[LSW1-Vlanif2\]ip address 172.16.1.129 25 \[LSW1-Vlanif2\]display ip interface brief  \[LSW2\]int vlan 1 \[LSW2-Vlanif1\]ip address 172.16.1.2 25 \[LSW2-Vlanif1\]int vlan 2 \[LSW2-Vlanif2\]ip address 172.16.1.130 25 \[LSW2-Vlanif2\]display ip interface brief  6.进行网关冗余VRRP： \[LSW1\]int vlan 1 \[LSW1-Vlanif1\]vrrp vrid 1 virtual-ip 172.16.1.126 \[LSW1-Vlanif1\]vrrp vrid 1 priority 110 \[LSW1-Vlanif1\]vrrp vrid 1 track interface g0/0/1 reduced 20 \[LSW1\]int vlan 2 \[LSW1-Vlanif2\]vrrp vrid 1 virtual-ip 172.16.1.254  \[LSW2\]int vlan 1 \[LSW2-Vlanif1\]vrrp vrid 1 virtual-ip 172.16.1.126（vrid、virtual-ip需和LSW1保持一致） \[LSW2\]int vlan 2 \[LSW2-Vlanif2\]vrrp vrid 1 virtual-ip 172.16.1.254 \[LSW2-Vlanif2\]vrrp vrid 1 priority 110 \[LSW2-Vlanif2\]vrrp vrid 1 track int g0/0/1 reduced 20 7.配置DHCP获取IP地址： \[LSW1\]dhcp enable \[LSW1\]ip pool a1 \[LSW1-ip-pool-a1\]net 172.16.1.0 mask 25 \[LSW1-ip-pool-a1\]gateway-list 172.16.1.126 \[LSW1-ip-pool-a1\]dns-list 114.114.114.114 \[LSW1-ip-pool-a1\]q \[LSW1\]ip pool a2 \[LSW1-ip-pool-a2\]net 172.16.1.128 mask 25 \[LSW1-ip-pool-a2\]gateway-list 172.16.1.254 \[LSW1-ip-pool-a2\]dns-list 114.114.114.114 \[LSW1-ip-pool-a2\]q \[LSW1\]int vlan 1 \[LSW1-Vlanif1\]dhcp select global \[LSW1-Vlanif1\]int vlan 2 \[LSW1-Vlanif2\]dhcp select global \[SW2\]dhcp enable \[SW2\]ip pool a1 Info:It's successful to create an IP address pool. \[SW2-ip-pool-a1\]net 172.16.1.0 mask 25 \[SW2-ip-pool-a1\]gateway-list 172.16.1.126 \[SW2-ip-pool-a1\]dns-list 114.114.114.114 \[SW2-ip-pool-a1\]q \[SW2\]ip pool a2 Info:It's successful to create an IP address pool. \[SW2-ip-pool-a2\]net 172.16.1.128 mask 25 \[SW2-ip-pool-a2\]gateway-list 172.16.1.254 \[SW2-ip-pool-a2\]dns-list 114.114.114.114 \[SW2-ip-pool-a2\]q \[SW2\]int vlan 1 \[SW2-Vlanif1\]dhcp select global \[SW2-Vlanif1\]int vlan 2 \[SW2-Vlanif2\]dhcp select global 8.对于上层路由器进行连接 \[SW1\]vlan 99 \[SW1-GigabitEthernet0/0/2\]int g0/0/1 \[SW1-GigabitEthernet0/0/1\]port link-type access \[SW1-GigabitEthernet0/0/1\]port default vlan 99 \[SW1\]int vlan 99 \[SW1-Vlanif99\]ip add 172.16.0.2 30 \[SW2\]vlan 99 \[SW2-vlan99\]int g0/0/1 \[SW2-GigabitEthernet0/0/1\]port link-type access \[SW2-GigabitEthernet0/0/1\]q \[SW2\]int vlan 99 \[SW2-Vlanif99\]ip add 172.16.0.6 30 9.配置沉默接口： \[LSW1\]ospf 1 \[SW1-ospf-1\]silent-interface all \[SW1-ospf-1\]undo silent-interface GigabitEthernet 0/0/1 \[SW1-ospf-1\]undo silent-interface Vlanif 99 \[SW1-ospf-1\]undo silent-interface Eth-Trunk 0 \[SW1-ospf-1\]undo silent-interface Vlanif 1 \[SW2\]ospf 1 \[SW2-ospf-1\]silent-interface all \[SW2-ospf-1\]undo silent-interface GigabitEthernet 0/0/1 \[SW2-ospf-1\]undo silent-interface Vlanif 99 \[SW2-ospf-1\]undo silent-interface Eth-Trunk 0 \[SW2-ospf-1\]undo silent-interface Vlanif 1 三、配置路由器部分： 1.配置ospf协议 \[R2\]ospf 1 router-id 2.2.2.2 \[R2-ospf-1\]area 0 \[R2-ospf-1-area-0.0.0.0\]net 172.16.0.0 0.0.0.255 \[SW1\]ospf 1 router-id 3.3.3.3 \[SW1-ospf-1\]area 0 \[SW1-ospf-1-area-0.0.0.0\]net 172.16.0.2 0.0.0.0 \[SW1-ospf-1\]area 1 \[SW1-ospf-1-area-0.0.0.1\]net 172.16.1.0 0.0.0.255 \[SW1-ospf-1-area-0.0.0.1

SW2\]ospf 1 router-id 4.4.4.4 \[SW2-ospf-1\]area 0 \[SW2-ospf-1-area-0.0.0.0\]net 172.16.0.6 0.0.0.0 \[SW2-ospf-1-area-0.0.0.0\]q \[SW2-ospf-1\]area 1 \[SW2-ospf-1-area-0.0.0.1\]net 172.16.1.0 0.0.0.255 2.配置缺省路由 \[R2\]ip route-static 0.0.0.0 0 12.1.1.1 \[R2\]ospf 1 router-id 2.2.2.2 \[R2-ospf-1\]default-route-advertise 3.进行路由汇总： \[SW1\]ospf 1 \[SW1-ospf-1\]area 1 \[SW1-ospf-1-area-0.0.0.1\]abr-summary 172.16.1.0 255.255.255.0 \[SW2\]ospf 1 \[SW2-ospf-1\]area 1 \[SW2-ospf-1-area-0.0.0.1\]abr-summary 172.16.1.0 255.255.255.0 4.防止路由黑洞 \[SW1\]ip route-static 172.16.1.0 24 NULL 0 \[SW2\]ip route-static 172.16.1.0 24 NULL 0 5.配置nat，进行上网： \[R2\]acl 2000 \[R2-acl-basic-2000\]rule permit source 172.16.0.0 0.0.255.255 \[R2-acl-basic-2000\]q \[R2\]int g0/0/0 \[R2-GigabitEthernet0/0/0\]nat outbound 2000     #### 确定 ISP 连接接口及 IP 配置 1. 明确 R1 与 ISP 相连的接口（假设为 `GE 0/0/0` ） ，在 R1上仅进行 IP 地址相关配置。若已知 ISP 侧 IP 地址为 `12.1.1.1` ，则在 R1 设备上配置： plaintext [R1]interface GE0/0/0 [R1-GigabitEthernet0/0/0]ip address 12.1.1.2 30 此配置仅为接口设置 IP 地址，符合 "只能配置 IP 地址" 的要求 。 #### 确保连接及路由可达 1. **链路连通性测试** ：在 R1 上使用 `ping` 命令测试与 ISP 的连通性，如 `ping 12.1.1.1` ，确保物理链路和 IP 层连通正常。 2. **路由配置** ：在 R1 及相关网络设备（如 LSW1、LSW2 等 ）上，通过 OSPF 等动态路由协议（已配置情况下 ）或静态路由，保证内网到 ISP 方向路由可达。例如在 R1 上，已配置缺省路由 `[R1]ip route-static 0.0.0.0 0 12.1.1.1` ，将所有未知流量导向 ISP ；在 LSW1 和 LSW2 上，通过 OSPF 学习到前往 R2 及 ISP 方向的路由。 #### 安全策略限制 为进一步确保 ISP 只能配置 IP 地址，可在 R2 上配置访问控制列表（ACL ） ，限制对 ISP 设备的其他访问操作（假设 ISP 设备不允许除 IP 配置外的其他远程管理等操作 ）。例如： plaintext [R1]acl 3000 [R1-acl-adv-3000]rule deny ip source any destination 12.1.1.1 0.0.0.0 （禁止内网主动访问 ISP 除 IP 相关配置外的其他服务 ） [R1-acl-adv-3000]rule permit ip source 12.1.1.2 0.0.0.0 destination any （允许 R2 与 ISP 正常通信 ） [R1-acl-adv-3000]quit [R1]interface GE0/0/0 [R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 （在入方向应用 ACL 策略 ） 通过以上操作，在网络连接和安全控制层面实现 ISP 仅进行 IP 地址配置的要求 。 ping 12.1.1.1