NE Comprehensive Lab 2: Fine-Grained RIP and OSPF Dynamic Routing Configuration and ACLs (Access Control Lists)

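Lab topology diagram

Lab requirements

1. Configure IP addresses as shown in the diagram

2. Configure the corresponding dynamic routing protocols according to the area division shown in the diagram

3. Configure a DHCP server on R7 so that the PCs can obtain IP addresses

4. Advertise all loopback interfaces into OSPF, advertise loopback 7 into RIP, redistribute RIP routes into OSPF, and redistribute OSPF routes into RIP

5. Achieve full network connectivity

6. Enable RIP interface authentication on R3 and R6, with the password hyzy

7. Enable a RIP silent interface on R7; the service segment must not receive protocol packets

8. Enable OSPF interface authentication on R5 and R4, with the password hyzy

9. Configure the FTP service on R4; during testing, all devices must be able to log in

10. Configure the Telnet service on R1; during testing, all devices must be able to log in for management

11. Deny R5 access to R1's Telnet service; other devices must not be affected

12. Deny R2 access to R4's FTP service; other devices must not be affected

13. Deny the 10.1.1.0/24 segment from pinging R1's addresses

14. Deny the address 10.1.1.1/24 access to R4's addresses

15. Deny the address 10.1.1.2/24 access to R3's addresses

Lab steps

1. IP address configuration omitted

2. Omitted

3. Configure a DHCP server on R7 so that the PCs can obtain IP addresses
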
[R7]dhcp enable 
[R7]dhcp server ip-pool 1
[R7-dhcp-pool-1]netbios-type
[R7-dhcp-pool-1]network 10.1.1.0 24
[R7-dhcp-pool-1]gateway-list 10.1.1.7
[R7-dhcp-pool-1]dns-list 114.114.114.114
[R7-dhcp-pool-1]expired day 1

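4. Advertise all loopback interfaces into OSPF, advertise loopback 7 into RIP, redistribute RIP routes into OSPF, and redistribute OSPF routes into RIP

On R1
R1: advertise in area 0 of OSPF 1
[R1]ospf 1 router-id 1.1.1.1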
[R1-ospf-1]ar 0
[R1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.3.3.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]%Jul 14 09:27:32:809 2025 R1 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 192.168.1.2(GigabitEthernet0/0) changed from LOADING to FULL.
%Jul 14 09:29:28:811 2025 R1 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 192.168.2.3(GigabitEthernet0/1) changed from LOADING to FULL.
On R2
R2: advertise in area 0 of OSPF 1
[R2]ospf 1 router-id 2.2.2.2 
[R2-ospf-1]ar 0
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168%Jul 14 09:26:28:606 2025 R2 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 192.168.1.1(GigabitEthernet0/0) changed from LOADING to FULL.
[R2-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]%Jul 14 09:28:41:649 2025 R2 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 192.168.3.3(GigabitEthernet0/1) changed from LOADING to FULL.
On R3
R3: advertise in area 0 of OSPF 1; R3 also runs RIP, so advertise in RIP as well
[R3]ospf 1 r
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]ar 0
[R3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]n%Jul 14 09:31:00:857 2025 R3 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 192.168.2.1(GigabitEthernet0/0) changed from LOADING to FULL.
[R3-ospf-1-area-0.0.0.0]net
[R3-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]%Jul 14 09:31:26:127 2025 R3 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 192.168.3.2(GigabitEthernet0/1) changed from LOADING to FULL.

[R3-ospf-1-area-0.0.0.0]
[R3-ospf-1-area-0.0.0.0]
[R3-ospf-1-area-0.0.0.0]qu
[R3-ospf-1]dis th
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
return
[R3-ospf-1]qu
[R3]rip 1
[R3-rip-1]undo summary
[R3-rip-1]version 2
[R3-rip-1]network 200.1.1.0
[R3-rip-1]network 200.2.2.0
On R4
R4: advertise in area 0 of OSPF 2
[R4]ospf 2 router-id 4.4.4.4
[R4-ospf-2]area 0
[R4-ospf-2-area-0.0.0.0]net
[R4-ospf-2-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[R4-ospf-2-area-0.0.0.0]net
[R4-ospf-2-area-0.0.0.0]network 100.3.3.0 0.0.0.255
[R4-ospf-2-area-0.0.0.0]net
[R4-ospf-2-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[R4-ospf-2-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[R4-ospf-2-area-0.0.0.0]%Jul 14 09:35:40:774 2025 R4 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.1.5(GigabitEthernet0/1) changed from LOADING to FULL.
%Jul 14 09:39:36:773 2025 R4 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.3.6(GigabitEthernet0/0) changed from LOADING to FULL.
On R5
R5: advertise in area 0 of OSPF 2
[R5]ospf 2 r
[R5]ospf 2 router-id 5.5.5.5
[R5-ospf-2]area 0
[R5-ospf-2-area-0.0.0.0]net
[R5-ospf-2-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[R5-ospf-2-area-0.0.0.0]net
[R5-ospf-2-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[R5-ospf-2-area-0.0.0.0]net
[R5-ospf-2-area-0.0.0.0]network 172.16.2.0 0.0%Jul 14 09:35:49:190 2025 R5 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.1.4(GigabitEthernet0/0) changed from LOADING to FULL.
network 172.16.1.0 0.0.0.255
[R5-ospf-2-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[R5-ospf-2-area-0.0.0.0]network 100.2.2.0 0.0.0.255
On R6
R6: advertise in area 0 of OSPF 2; R6 also runs RIP, so advertise in RIP as well
[R6]ospf 2 router-id 6.6.6.6
[R6-ospf-2]ar  0
[R6-ospf-2-area-0.0.0.0]net
[R6-ospf-2-area-0.0.0.0]network 6.6.6.6 0.0.0.0
[R6-ospf-2-area-0.0.0.0]net
[R6-ospf-2-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[R6-ospf-2-area-0.0.0.0]net
[R6-ospf-2-area-0.0.0.0]network 172.16.%Jul 14 09:39:39:157 2025 R6 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.3.4(GigabitEthernet0/2) changed from LOADING to FULL.
network 172.16.3.0 0.0.0.255
[R6-ospf-2-area-0.0.0.0]ne
[R6-ospf-2-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[R6-ospf-2-area-0.0.0.0]%Jul 14 09:40:04:693 2025 R6 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.2.5(GigabitEthernet5/0) changed from LOADING to FULL.

[R6-ospf-2-area-0.0.0.0]
[R6-ospf-2-area-0.0.0.0]di th
#
 area 0.0.0.0
  network 6.6.6.6 0.0.0.0
  network 172.16.2.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
#
return
[R6-ospf-2-area-0.0.0.0]qu
[R6-ospf-2]qu
[R6]rip 1
[R6-rip-1]undo summary
[R6-rip-1]version 2
[R6-rip-1]network 200.1.1.0 
[R6-rip-1]network 200.3.3.0
[R6-rip-1]
On R7
R7: advertise in area 0 of OSPF 1 and OSPF 2; R7 also runs RIP, so advertise in RIP as well
[R7]ospf 1
[R7-ospf-1]ar 0
[R7-ospf-1-area-0.0.0.0]net
[R7-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[R7-ospf-1-area-0.0.0.0]qu
[R7-ospf-1]qu
[R7]ospf 2
[R7-ospf-2]%Jul 14 11:04:23:832 2025 R7 OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 100.1.1.2(GigabitEthernet0/2) changed from LOADING to FULL.

[R7-ospf-2]ar 0
[R7-ospf-2-area-0.0.0.0]net
[R7-ospf-2-area-0.0.0.0]network 100.2.2.0 0.0.0.255
[R7-ospf-2-area-0.0.0.0]qu
[R7-ospf-2]qu
[R7]%Jul 14 11:04:54:628 2025 R7 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 100.2.2.5(GigabitEthernet5/0) changed from LOADING to FULL.
[R7]rip 1
[R7-rip-1]undo summary
[R7-rip-1]version 2
[R7-rip-1]network 7.7.7.7
[R7-rip-1]network 200.2.2.0
[R7-rip-1]network 200.3.3.0

5. Achieve full network connectivity

Analysis: full connectivity requires mutual route redistribution on R3, R6 and R7

On R3
[R3-rip-1]import-route ospf 1
[R3-ospf-1]import-route rip 1
On R6
[R6-ospf-2]import-route rip 1
[R6-rip-1]import-route ospf 2
On R7
[R7-rip-1]import-route ospf 1
[R7-rip-1]import-route ospf 2
[R7-rip-1]qu
[R7]ospf 1
[R7-ospf-1]import-route rip 1
[R7-ospf-1]qu
[R7]ospf 2
[R7-ospf-2]import-route rip 1
[R7-ospf-2]qu

6. Enable RIP interface authentication on R3 and R6, with the password hyzy

On R3
[R3]int g5/0
[R3-GigabitEthernet5/0]rip authentication-mode simple plain hyzy
On R6
[R6]int g0/1
[R6-GigabitEthernet0/1]rip authentication-mode simple plain hyzy

7. Enable a RIP silent interface on R7; the service segment must not receive protocol packets

[R7]rip 1
[R7-rip-1]silent-interface g5/1

8. Enable OSPF interface authentication on R5 and R4, with the password hyzy

On R5
[R5]int g0/0
[R5-GigabitEthernet0/0]ospf authentication-mode simple plain hyzy
[R5-GigabitEthernet0/0]%Jul 14 11:28:16:526 2025 R5 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.1.4(GigabitEthernet0/0) changed from FULL to DOWN.
%Jul 14 11:29:46:220 2025 R5 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.1.4(GigabitEthernet0/0) changed from LOADING to FULL.
On R4
[R4]int g0/1
[R4-GigabitEthernet0/1]ospf authentication-mode simple plain hyzy
[R4-GigabitEthernet0/1]%Jul 14 11:29:10:770 2025 R4 OSPF/5/OSPF_NBR_CHG: OSPF 2 Neighbor 172.16.1.5(GigabitEthernet0/1) changed from LOADING to FULL

9. Configure the FTP service on R4; during testing, all devices must be able to log in

[R4]ftp server enable 
[R4]local-user ssz class manage 
New local user added.
[R4-luser-manage-ssz]password simple 123456.com
[R4-luser-manage-ssz]service-type ftp
[R4-luser-manage-ssz]authorization-attribute user-role level-15

10. Configure the Telnet service on R1; during testing, all devices must be able to log in for management

[R1]telnet server enable 
[R1]local-user ssz class manage 
[R1-luser-manage-ssz]password simple 123456.com
[R1-luser-manage-ssz]service-type telnet
[R1-luser-manage-ssz]authorization-attribute user-role level-15
[R1]user-interface vty 0 4
[R1-line-vty0-4]authentication-mode scheme
[R1-line-vty0-4]user-role level-15

11. Deny R5 access to R1's Telnet service; other devices must not be affected

Analysis: deny R5 access to R1's Telnet service

On R1
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule deny tcp source 172.16.1.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]rule deny tcp source 172.16.2.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]rule deny tcp source 100.2.2.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]rule deny tcp source 5.5.5.5 0 destination-port eq telnet
[R1]interface range g0/0 to g0/2
[R1-if-range]packet-filter 3000 inbound
<R5>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Failed to connect to the remote host! 

12. Deny R2 access to R4's FTP service; other devices must not be affected

On R4
[R4]acl advanced 3000
[R4-acl-ipv4-adv-3000]rule deny tcp source 100.1.1.2 0 destination-port eq ftp
[R4-acl-ipv4-adv-3000]rule deny tcp source 192.168.3.2 0 destination-port eq ftp
[R4-acl-ipv4-adv-3000]rule deny tcp source 192.168.1.2 0 destination-port eq ftp
[R4-acl-ipv4-adv-3000]rule deny tcp source 2.2.2.2 0 destination-port eq ftp
[R4]interface range g0/0 to g0/2
[R4-if-range]packet-filter 3000 inbound 
<R2>ftp 4.4.4.4
Press CTRL+C to abort.

13. Deny the 10.1.1.0/24 segment from pinging R1's addresses

On R7
[R7]acl advanced 3000
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 1.1.1.1 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 100.3.3.1 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 192.168.1.1 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 192.168.2.1 0
[R7]int g5/1
[R7-GigabitEthernet5/1]packet-filter 3000 inbound
On PC9
<H3C>ping 1.1.1.1
Ping 1.1.1.1 (1.1.1.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 1.1.1.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:46:25:861 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 1.1.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

<H3C>ping 100.3.3.1
Ping 100.3.3.1 (100.3.3.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 100.3.3.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:46:43:980 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 100.3.3.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

<H3C>ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 192.168.1.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:47:00:810 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

<H3C>ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:47:15:232 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

However, R1 can still ping PC9
<H3C>ping 10.1.1.2
Ping 10.1.1.2 (10.1.1.2): 56 data bytes, press CTRL+C to break
56 bytes from 10.1.1.2: icmp_seq=0 ttl=252 time=3.080 ms
56 bytes from 10.1.1.2: icmp_seq=1 ttl=252 time=2.399 ms
56 bytes from 10.1.1.2: icmp_seq=2 ttl=252 time=2.930 ms
56 bytes from 10.1.1.2: icmp_seq=3 ttl=252 time=2.656 ms
56 bytes from 10.1.1.2: icmp_seq=4 ttl=252 time=2.184 ms

--- Ping statistics for 10.1.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.184/2.650/3.080/0.330 ms
<R1>%Jul 14 15:23:37:341 2025 R1 PING/6/PING_STATISTICS: Ping statistics for 10.1.1.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.184/2.650/3.080/0.330 ms.

14. Deny the address 10.1.1.1/24 access to R4's addresses

[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.1 0 destination 4.4.4.4 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.1 0 destination 172.16.1.4 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.1 0 destination 172.16.3.4 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.1 0 destination 100.3.3.4 0
<H3C>ping 4.4.4.4
Ping 4.4.4.4 (4.4.4.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 4.4.4.4 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 15:48:57:588 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 4.4.4.4: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

15. Deny the address 10.1.1.2/24 access to R3's addresses

[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.2 0 destination 3.3.3.3 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.2 0 destination 192.168.2.3 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.2 0 destination 192.168.3.3 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.2 0 destination 200.1.1.3 0
[R7-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.2 0 destination 200.2.2.3 0
Ping 3.3.3.3 (3.3.3.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 3.3.3.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 18:03:04:959 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 3.3.3.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
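
The ACLs in steps 11 to 15 contain only deny rules, so the fate of all other traffic depends on first-match evaluation and on the filter's action when no rule matches. The Python sketch below is an added example, not part of the original lab: it evaluates a constructed subset of the R7 and R1 rules against test packets, assuming unmatched traffic is permitted (the `default` parameter); `parse_rule`, `covers` and `evaluate` are hypothetical helper names.

```python
import ipaddress

PORTS = {"telnet": 23, "ftp": 21}  # port keywords used by the ACLs on this page

# Constructed sample: subset of R7's ACL 3000 (steps 13-15) and R1's ACL 3000 (step 11).
R7_ACL = """\
rule deny icmp source 10.1.1.0 0.0.0.255 destination 1.1.1.1 0
rule deny icmp source 10.1.1.1 0 destination 4.4.4.4 0
rule deny icmp source 10.1.1.2 0 destination 3.3.3.3 0"""
R1_ACL = "rule deny tcp source 5.5.5.5 0 destination-port eq telnet"


def to_int(addr):
    # A wildcard written as "0" is shorthand for 0.0.0.0 (match this exact host).
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))


def parse_rule(line):
    """Parse 'rule <action> <proto> [source A W] [destination A W] [destination-port eq P]'."""
    t = line.split()
    rule = {"action": t[1], "proto": t[2], "source": None, "destination": None, "dport": None}
    i = 3
    while i < len(t):
        if t[i] in ("source", "destination"):
            rule[t[i]] = (to_int(t[i + 1]), to_int(t[i + 2]))
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            rule["dport"] = PORTS.get(t[i + 2]) or int(t[i + 2])
        else:
            raise ValueError(f"unsupported clause: {t[i]}")
        i += 3
    return rule


def covers(clause, addr):
    # Wildcard bits set to 1 are "don't care"; an absent clause matches any address.
    if clause is None:
        return True
    base, wildcard = clause
    return (to_int(addr) | wildcard) == (base | wildcard)


def evaluate(acl_text, proto, src, dst, dport=None, default="permit"):
    """First matching rule wins; 'default' is the assumed no-match action, not read from a device."""
    for rule in map(parse_rule, acl_text.splitlines()):
        if (rule["proto"] in (proto, "ip") and covers(rule["source"], src)
                and covers(rule["destination"], dst)
                and rule["dport"] in (None, dport)):
            return rule["action"]
    return default
```

With these rules, `evaluate(R7_ACL, "icmp", "10.1.1.1", "4.4.4.4")` is denied while `evaluate(R7_ACL, "tcp", "10.1.1.1", "4.4.4.4", 21)` is still permitted, because the rules in steps 14 and 15 match only icmp.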