基础配置:命名与接口IP配置
AR1(边缘路由器)
sys
sysname AR1
# 配置接口IP
interface GigabitEthernet 0/0/0
ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet 0/0/1
ip address 172.16.2.1 255.255.255.0
interface GigabitEthernet 0/0/2
ip address 31.31.31.1 255.255.255.0
quitAR2(局域网路由器)
sys
sysname AR2
# 配置接口IP
interface GigabitEthernet 0/0/0
ip address 172.16.1.2 255.255.255.0
interface GigabitEthernet 0/0/1
ip address 172.16.3.254 255.255.255.0
quitAR3(因特网路由器)
sys
sysname AR3
# 配置接口IP
interface GigabitEthernet 0/0/0
ip address 31.31.31.3 255.255.255.0
interface GigabitEthernet 0/0/1
ip address 13.13.13.254 255.255.255.0
interface GigabitEthernet 0/0/2
ip address 131.131.131.254 255.255.255.0
quit交换机 VLAN 及 vlanif 配置
SW1(三层交换机)
sys
sysname SW1
# 创建VLAN
vlan batch 10 20 30
# 将接口划分到对应VLAN
interface Ethernet 0/0/1
port link-type access
port default vlan 10
interface Ethernet 0/0/2
port link-type access
port default vlan 20
interface g 0/0/2
port link-type access
port default vlan 30
quit
# 配置VLANIF接口IP
interface Vlanif 10
ip address 172.16.2.254 255.255.255.0
interface Vlanif 20
ip address 172.16.4.254 255.255.255.0
interface Vlanif 30
ip address 172.16.5.254 255.255.255.0
quitAR1 上的 NAT 配置(Easy-IP 与 NAT Server)
3. Easy-IP 配置
[AR1] acl 2000
# 匹配企业局域网所有私网网段(172.16.0.0/12 包含所有 172.16.x.x)
[AR1-acl-basic-2000] rule 5 permit source 172.16.0.0 0.15.255.255
[AR1-acl-basic-2000] quit
# 在外网接口 GE 0/0/2 部署 Easy-IP
[AR1] interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2] nat outbound 2000
[AR1-GigabitEthernet0/0/2] quit4. NAT Server 配置
根据拓扑图,内网 Web-Server 的 IP 为 172.16.5.1,公网映射地址为 31.31.31.2(假设开放常用的 HTTP 80 端口)
[AR1] interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2] nat server protocol tcp global 31.31.31.2 80 inside 172.16.5.1 80
[AR1-GigabitEthernet0/0/2] quit5. NAT 回流(Hairpin)配置
为了让企业局域网内部用户(如 PC2)也能通过公网 IP 31.31.31.2 访问 Web-Server,需要在内网接口(GE 0/0/0 和 GE 0/0/1)配置 NAT 回流,Ping使用的是:ICMP。
# 在连接 SW1 的内网接口配置
[AR1] interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1] nat outbound 2000
[AR1-GigabitEthernet0/0/1] nat server protocol tcp global 31.31.31.2 80 inside 172.16.5.1 80
[AR1-GigabitEthernet0/0/1]nat server protocol icmp global 31.31.31.2 inside 172.16.5.1
quit
# 在连接 AR2 的内网接口配置
[AR1] interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0] nat outbound 2000
[AR1-GigabitEthernet0/0/0] nat server protocol tcp global 31.31.31.2 80 inside 172.16.5.1 80
[AR1-GigabitEthernet0/0/0]nat server protocol icmp global 31.31.31.2 inside 172.16.5.1
quit6. 企业局域网 OSPF 动态路由配置
按要求:使用精确宣告(反向掩码为 0.0.0.0),且边缘路由器 AR1 需要向内网强制注入默认路由。
AR1 配置
[AR1] ospf 1 router-id 1.1.1.1
[AR1-ospf-1] default-route-advertise always # 强制引入默认路由
[AR1-ospf-1] area 0
# 精确宣告内网接口IP
[AR1-ospf-1-area-0.0.0.0] network 172.16.1.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] network 172.16.2.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] quit
[AR1-ospf-1] quit
# 不要忘记AR1需要一条指向因特网AR3的静态默认路由
[AR1] ip route-static 0.0.0.0 0.0.0.0 31.31.31.3AR2 配置
[AR2] ospf 1 router-id 2.2.2.2
[AR2-ospf-1] area 0
[AR2-ospf-1-area-0.0.0.0] network 172.16.1.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0] network 172.16.3.254 0.0.0.0
[AR2-ospf-1-area-0.0.0.0] quit
[AR2-ospf-1] quitSW1 配置
[SW1] ospf 1 router-id 3.3.3.3
[SW1-ospf-1] area 0
[SW1-ospf-1-area-0.0.0.0] network 172.16.2.254 0.0.0.0
[SW1-ospf-1-area-0.0.0.0] network 172.16.4.254 0.0.0.0
[SW1-ospf-1-area-0.0.0.0] network 172.16.5.254 0.0.0.0
[SW1-ospf-1-area-0.0.0.0] quit
[SW1-ospf-1] quit注意: 外部的因特网路由器 AR3 属于模拟的公网环境,不需要 运行企业内部的 OSPF 协议。在实际环境或考试中,AR3 通常会配置一条回指公网映射 IP 的静态路由(例如
ip route-static 31.31.31.2 255.255.255.255 31.31.31.1),以确保公网流量能正确返回。