I. The topology diagram is as follows:


II. Configuration requirements:
1. All PCs must obtain their IP addresses via DHCP. Each address pool is named after the device's VLAN (e.g. PC1 - ip pool vlan10). Only users of the Service B network need to access Internet web services, so only they need DNS information.
2. The switches' VLAN configuration must follow the principle of passing the minimum set of VLANs on trunks.
3. Use OSPF so that internal and external users can reach each other (full reachability). Router-IDs must be configured manually and match the device number (e.g. R1 RID: 1.1.1.1), and networks must be advertised precisely (e.g. for the 172.16.64.1/24 interface, advertise: 172.16.64.1 0.0.0.0).
4. The whole internal network must be reachable while keeping the number of routing-table entries as small as possible (summarize precisely). Configuration that a default route makes unnecessary may be omitted. Prevent loops and ensure security: OSPF area 0 must use MD5 authentication with password 123456.
5. All internal users can access the Internet (NAT on the border router). Use a basic ACL numbered 2000. The R3 G0/0/2 interface must not be advertised into the internal network (including via static routes).
6. The test device must be able to telnet into the internal telnet-server device with username huawei and password 123456 at the highest privilege level.
7. VLAN 40 and VLAN 50 users must not access the internal Service B network (ACL number 2001); PC1 must not access PC5 (ACL number 3000).
8. The 100 Mbps link between R3 and R4 is a backup link and must not carry traffic under normal conditions; lower its priority by configuring the value 100.
9. Configure all devices strictly according to the labels in the topology diagram; mind upper and lower case.
10. All servers and client devices in the diagram exist only to express the requirements; their addresses are fixed and must not be changed, so take care when configuring. client1 simulates an internal user accessing the Internet (ISP server); the test device is used to test an Internet user telnetting into the internal telnet-server host.
III. Device IP addresses are as follows:


IV. Solution approach:
1. Switches SW1/SW2/SW3: create the VLANs; configure each switch-to-PC link as an access link and assign it the VID of that link; configure each switch-to-router link as a trunk link that passes only the VLANs of the local broadcast domain.
2. Routers R1/R2/R7: configure sub-interface IP addresses mapped to the corresponding VLANs, enable DHCP, create an address pool named after each sub-interface's VLAN (e.g. pool vlan10), and apply DHCP on each sub-interface to hand out addresses to the PCs in that VLAN.
3. Routers R1/R2/R3: create OSPF process 1, manually configure Router-IDs matching the device number (e.g. R1 RID: 1.1.1.1, R2 RID: 2.2.2.2), advertise precisely (e.g. for the 172.16.64.1/24 interface, advertise: 172.16.64.1 0.0.0.0), and on R3 originate a default route so that internal routers point to the border router R3.
4. Routers R3/R4/R5/R6/R7: configure static routes with route summarization, avoiding routing loops and black holes.
5. Router R3: create ACL 2000, apply it on R3's public-facing interface to match the internal traffic of interest, and use NAT to translate internal addresses to public addresses before forwarding, so that internal users can reach the Internet; create ACL 2001 and apply it on R3's interface toward the Service B network to deny VLAN 40/50 users access to Service B; create ACL 3000 and apply it at PC1's gateway to deny PC1 access to PC5.
6. Router telnet-server: enable the Telnet service, configure the account and password, and configure a static default route toward R1.
7. Whole-network verification: connectivity and policy enforcement.
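A small offline check of the design in steps 4 and 5 above, added here as an example (it is not part of the original lab). It encodes the addressing plan, the summary routes and the ACL rules from this page and verifies that the two summaries are precise and non-overlapping and that the ACLs deny exactly the intended flows, using Huawei wildcard semantics (a 0 bit must match, a 1 bit is ignored); the traffic-filter default of permitting unmatched packets is assumed.

```python
import ipaddress

# Constructed from this lab's addressing plan: OSPF side of R3 vs. the Service B side behind R4.
OSPF_SIDE = ["172.16.64.0/24", "172.16.65.0/24", "172.16.66.0/24", "172.16.67.0/24",
             "172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24"]
SERVICE_B = ["172.16.128.0/25", "172.16.128.128/25", "172.16.129.0/24", "172.16.130.0/24",
             "172.16.131.0/24", "172.16.132.0/24", "172.16.133.0/24", "172.16.134.0/24"]
SUMMARY_TO_R3 = "172.16.0.0/17"    # ip route-static 172.16.0.0 255.255.128.0 ... on R4/R5/R6/R7
SUMMARY_TO_B = "172.16.128.0/17"   # ip route-static 172.16.128.0 255.255.128.0 ... on R3

def wildcard_to_network(addr, wildcard):
    """Huawei 'address wildcard' -> CIDR network. Wildcard bit 0 = must match, 1 = don't care
    (only contiguous wildcards such as 0.0.0.0, 0.0.0.255 and 0.0.255.255 are handled)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

# Rules as (action, src, src_wildcard, dst, dst_wildcard); None means 'any'. Same order as on the page.
ACL_2000 = [("permit", "172.16.0.0", "0.0.255.255", None, None)]               # R3, NAT match
ACL_2001 = [("deny", "172.16.0.0", "0.0.0.255", None, None),                   # R3 -> Service B
            ("deny", "172.16.1.0", "0.0.0.255", None, None),
            ("permit", None, None, None, None)]
ACL_3000 = [("deny", "172.16.64.254", "0.0.0.0", "172.16.128.254", "0.0.0.0"),  # R1, PC1 -> PC5
            ("permit", None, None, None, None)]

def acl_action(rules, src, dst):
    """First matching rule wins, as on VRP; traffic-filter permits packets that match no rule (assumed default)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sa, sw, da, dw in rules:
        if sa is not None and s not in wildcard_to_network(sa, sw):
            continue
        if da is not None and d not in wildcard_to_network(da, dw):
            continue
        return action
    return "permit"

def summaries_are_precise():
    """Every prefix must sit inside its own side's summary, and the two summaries must not overlap."""
    to_r3, to_b = ipaddress.ip_network(SUMMARY_TO_R3), ipaddress.ip_network(SUMMARY_TO_B)
    covered = (all(ipaddress.ip_network(p).subnet_of(to_r3) for p in OSPF_SIDE)
               and all(ipaddress.ip_network(p).subnet_of(to_b) for p in SERVICE_B))
    return covered and not to_r3.overlaps(to_b)

if __name__ == "__main__":
    print("summaries precise:", summaries_are_precise())
    print("VLAN40 host -> PC5 on R3:", acl_action(ACL_2001, "172.16.0.254", "172.16.128.254"))
    print("PC1 -> PC5 on R1:", acl_action(ACL_3000, "172.16.64.254", "172.16.128.254"))
```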
V. Configuration of each device:
**1. sysname SW1**
Create the required VLANs
vlan batch 10 20 30
Access ports: connect PC1/PC2/telnet-server, access mode
interface GigabitEthernet 0/0/2
port link-type access
port default vlan 10
interface GigabitEthernet 0/0/3
port link-type access
port default vlan 20
interface GigabitEthernet 0/0/4
port link-type access
port default vlan 30
Trunk port: connects to R1 G0/0/1, passes only VLAN 10/20/30, VLAN 1 is not allowed through
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
undo port trunk allow-pass vlan 1
Save the configuration
save
**2. sysname SW2**
vlan batch 40 50
Access ports
interface GigabitEthernet 0/0/2
port link-type access
port default vlan 40
interface GigabitEthernet 0/0/3
port link-type access
port default vlan 50
Trunk port toward R2
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 40 50
undo port trunk allow-pass vlan 1
Save the configuration
save
**3. sysname SW3**
vlan batch 60 70
Access ports
interface GigabitEthernet 0/0/2
port link-type access
port default vlan 70
interface GigabitEthernet 0/0/3
port link-type access
port default vlan 60
interface GigabitEthernet 0/0/4
port link-type access
port default vlan 60
Trunk port toward R7
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 60 70
undo port trunk allow-pass vlan 1
Save the configuration
save
**4. sysname SW4**
All ports are ordinary access ports; no VLAN configuration is needed
Save the configuration
save
**5. sysname R1**
1. Configure the Router-ID (as required, R1 = 1.1.1.1)
ospf 1 router-id 1.1.1.1
2. Enable DHCP (all PCs obtain addresses automatically; pool names match the VLANs)
dhcp enable
Address pool vlan10: for PC1, gateway 172.16.64.1, subnet 172.16.64.0/24
ip pool vlan10
network 172.16.64.0 mask 255.255.255.0
gateway-list 172.16.64.1
Address pool vlan20: for PC2, gateway 172.16.65.1
ip pool vlan20
network 172.16.65.0 mask 255.255.255.0
gateway-list 172.16.65.1
3. Configure the sub-interfaces (connect to SW1, 802.1Q termination, DHCP from the global pools)
interface GigabitEthernet 0/0/1.1
dot1q termination vid 10
ip address 172.16.64.1 255.255.255.0
dhcp select global
arp broadcast enable # ARP broadcast must be enabled on sub-interfaces
interface GigabitEthernet 0/0/1.2
dot1q termination vid 20
ip address 172.16.65.1 255.255.255.0
dhcp select global
arp broadcast enable
interface GigabitEthernet 0/0/1.3
dot1q termination vid 30
ip address 172.16.66.1 255.255.255.0
dhcp select global
arp broadcast enable
4. Configure the R1-R2 link interface (172.16.67.0/24)
interface GigabitEthernet 0/0/0
ip address 172.16.67.1 255.255.255.0
5. OSPF precise advertisement (as required, advertise each interface IP with the 0.0.0.0 wildcard so that only that host address matches)
ospf 1
area 1
network 172.16.64.1 0.0.0.0
network 172.16.65.1 0.0.0.0
network 172.16.66.1 0.0.0.0
network 172.16.67.1 0.0.0.0
6. ACL 3000: advanced ACL, denies PC1 (172.16.64.254) access to PC5 (172.16.128.254)
acl number 3000
rule deny ip source 172.16.64.254 0.0.0.0 destination 172.16.128.254 0.0.0.0
rule permit ip source any destination any
Apply it outbound on G0/0/0, the only path from PC1 toward PC5
interface GigabitEthernet 0/0/0
traffic-filter outbound acl 3000
7. Save the configuration
save
**6. sysname R2**
1. OSPF Router-ID (2.2.2.2)
ospf 1 router-id 2.2.2.2
2. Enable DHCP and create the address pools (vlan40/vlan50, names match the VLANs)
dhcp enable
ip pool vlan40
network 172.16.0.0 mask 255.255.255.0
gateway-list 172.16.0.1
ip pool vlan50
network 172.16.1.0 mask 255.255.255.0
gateway-list 172.16.1.1
3. Sub-interfaces (connect to SW2, VLAN 40/50)
interface GigabitEthernet 0/0/1.1
dot1q termination vid 40
ip address 172.16.0.1 255.255.255.0
dhcp select global
arp broadcast enable
interface GigabitEthernet 0/0/1.2
dot1q termination vid 50
ip address 172.16.1.1 255.255.255.0
dhcp select global
arp broadcast enable
4. Link interfaces: R1-R2 (G0/0/0) and R2-R3 (G0/0/2)
interface GigabitEthernet 0/0/0
ip address 172.16.67.2 255.255.255.0
interface GigabitEthernet 0/0/2
ip address 172.16.2.1 255.255.255.0
5. OSPF: Area 1 (toward R1), Area 0 (toward R3, MD5 authentication), precise advertisement
ospf 1
area 1
network 172.16.67.2 0.0.0.0
area 0
authentication-mode md5 1 plain 123456 # Area 0 MD5 authentication, password 123456
network 172.16.0.1 0.0.0.0
network 172.16.1.1 0.0.0.0
network 172.16.2.1 0.0.0.0
6. Save the configuration
save
**7. sysname R3**
undo info-center enable
1. OSPF Router-ID (3.3.3.3)
ospf 1 router-id 3.3.3.3
2. Enable DHCP (no directly attached PCs; could be omitted, kept here for consistency)
dhcp enable
3. Link interfaces: R2-R3, the R3-R4 gigabit and 100 Mbps links, and the Internet uplink
R2-R3 (172.16.2.0/24)
interface GigabitEthernet 0/0/0
ip address 172.16.2.2 255.255.255.0
R3-R4 gigabit link (172.16.129.0/24, primary link, default cost)
interface GigabitEthernet 0/0/1
ip address 172.16.129.1 255.255.255.0
R3-R4 100 Mbps backup link (172.16.130.0/24, value 100 as the lab requires)
interface GigabitEthernet 0/0/3
ip address 172.16.130.1 255.255.255.0
ospf cost 100 # higher cost = less preferred; used only as backup
Internet uplink (100.0.0.0/24; must not be advertised into the internal network, as the lab requires)
interface GigabitEthernet 0/0/2
ip address 100.0.0.1 255.255.255.0
4. OSPF: Area 0 MD5 authentication and precise advertisement; the Internet uplink is not advertised
ospf 1
default-route-advertise always # originate a default route so that internal routers point at R3
area 0
authentication-mode md5 1 plain 123456
network 172.16.2.2 0.0.0.0
network 172.16.129.1 0.0.0.0
network 172.16.130.1 0.0.0.0
5. ACL configuration (the ACLs the lab requires on R3; ACL 3000 is applied on R1)
ACL 2000: basic ACL, matches internal source addresses (172.16.0.0/16) for NAT so that internal users can reach the Internet
acl number 2000
rule permit source 172.16.0.0 0.0.255.255
ACL 2001: basic ACL, denies VLAN 40/50 (172.16.0.0/24, 172.16.1.0/24) access to Service B
acl number 2001
rule deny source 172.16.0.0 0.0.0.255
rule deny source 172.16.1.0 0.0.0.255
rule permit source any
Apply ACL 2001 outbound on both R3-R4 links (primary G0/0/1 and the backup link G0/0/3 configured above), since Service B is reached only through R4
interface GigabitEthernet 0/0/1
traffic-filter outbound acl 2001
interface GigabitEthernet 0/0/3
traffic-filter outbound acl 2001
6. NAT: source NAT for traffic matched by ACL 2000, applied on the Internet uplink G0/0/2
nat address-group 1 100.0.0.11 100.0.0.20 # address pool (within the uplink subnet)
interface GigabitEthernet 0/0/2
nat outbound 2000 address-group 1 no-pat
7. Static routes to the Service B range (172.16.128.0/17); OSPF routers reach it through the default route originated above
ip route-static 172.16.128.0 255.255.128.0 172.16.129.2
ip route-static 172.16.128.0 255.255.128.0 172.16.130.2 preference 100 # backup link; preference 100 keeps this route inactive while the primary is up
8. Save the configuration
save
**8. sysname R4**
Link interfaces
interface GigabitEthernet 0/0/0 # R3-R4 gigabit (primary)
ip address 172.16.129.2 255.255.255.0
interface GigabitEthernet 0/0/1 # R3-R4 100 Mbps (backup)
ip address 172.16.130.2 255.255.255.0
ospf cost 100
interface GigabitEthernet 0/0/2 # R4-R5
ip address 172.16.131.1 255.255.255.0
interface GigabitEthernet 0/0/3 # R4-R6
ip address 172.16.132.1 255.255.255.0
Static routes: full reachability with summarization, toward the OSPF side and the Service B segment
ip route-static 172.16.0.0 255.255.128.0 172.16.129.1 # summary of the OSPF side via the primary link
ip route-static 172.16.0.0 255.255.128.0 172.16.130.1 preference 100 # same summary via the backup link; preference 100 so it is used only when the primary fails
ip route-static 172.16.133.0 255.255.255.0 172.16.131.2
ip route-static 172.16.134.0 255.255.255.0 172.16.132.2
ip route-static 172.16.128.0 255.255.255.0 172.16.131.2
Save the configuration
save
**9. sysname R5**
Link interfaces
interface GigabitEthernet 0/0/0 # R4-R5
ip address 172.16.131.2 255.255.255.0
interface GigabitEthernet 0/0/1 # R5-R7
ip address 172.16.133.1 255.255.255.0
Static routes
ip route-static 172.16.0.0 255.255.128.0 172.16.131.1
ip route-static 172.16.128.0 255.255.255.0 172.16.133.2
ip route-static 172.16.134.0 255.255.255.0 172.16.133.2
Save the configuration
save
**10. sysname R6**
Link interfaces
interface GigabitEthernet 0/0/0 # R4-R6
ip address 172.16.132.2 255.255.255.0
interface GigabitEthernet 0/0/1 # R6-R7
ip address 172.16.134.1 255.255.255.0
Static routes
ip route-static 172.16.0.0 255.255.128.0 172.16.132.1
ip route-static 172.16.128.0 255.255.255.0 172.16.134.2
ip route-static 172.16.133.0 255.255.255.0 172.16.134.2
Save the configuration
save
**11. sysname R7**
dhcp enable
Address pool vlan70 (name matches the VLAN; Service B user gateway, with DNS because these users must reach Internet web services). No pool is configured for VLAN 60, whose hosts use fixed addresses
ip pool vlan70
network 172.16.128.128 mask 255.255.255.128
gateway-list 172.16.128.129
dns-list 172.16.128.126 # local DNS server
Sub-interfaces (connect to SW3, VLAN 60/70)
interface GigabitEthernet 0/0/2.1
dot1q termination vid 60
ip address 172.16.128.1 255.255.255.128
dhcp select global
arp broadcast enable
interface GigabitEthernet 0/0/2.2
dot1q termination vid 70
ip address 172.16.128.129 255.255.255.128
dhcp select global
arp broadcast enable
Link interfaces
interface GigabitEthernet 0/0/0 # R5-R7
ip address 172.16.133.2 255.255.255.0
interface GigabitEthernet 0/0/1 # R6-R7
ip address 172.16.134.2 255.255.255.0
Static routes: summary toward the OSPF side, full reachability
ip route-static 172.16.0.0 255.255.128.0 172.16.133.1
ip route-static 0.0.0.0 0.0.0.0 172.16.134.1
Save the configuration
save
**12. sysname ISP**
Link interface: connects to LSW4 (100.0.0.254)
interface GigabitEthernet 0/0/0
ip address 100.0.0.2 255.255.255.0
Default route toward the internal network, so that external users can reach it
ip route-static 0.0.0.0 0.0.0.0 100.0.0.1
Save the configuration
save
**13. sysname Telnet-Server**
Link interface: connects to R1 sub-interface G0/0/1.3 (172.16.66.1)
interface GigabitEthernet 0/0/0
ip address 172.16.66.254 255.255.255.0
Default route toward R1
ip route-static 0.0.0.0 0.0.0.0 172.16.66.1
Telnet service configuration:
telnet server enable # enable the Telnet server
aaa # enter AAA view
local-user huawei password cipher 123456 # create account huawei with password 123456
local-user huawei privilege level 15 # privilege level 15 (highest)
local-user huawei service-type telnet # allow the huawei account to log in via Telnet
user-interface vty 0 4 # VTY lines 0-4 (five virtual terminals)
authentication-mode aaa # authenticate VTY logins with AAA
Save the configuration
save
VI. Verify against the requirements yourself.
This completes the lab.
