HCIA Comprehensive Lab
I. Lab topology

Topology diagram (the image is not included in this text; device names, interface numbers and addresses below follow its labels).

II. Lab requirements

1. All PCs must obtain their IP addresses through DHCP. Address pool names match the device VLAN, e.g. PC1 uses ip pool vlan10. Only users of the Business B network need to access Internet web services, so their pools must carry DNS information.
2. Switch VLAN configuration must follow the principle of passing only the minimum set of VLANs across trunk links.
3. Use OSPF so that internal and external users can reach each other (full network reachability). Router IDs must be configured manually and match the device number, e.g. R1 uses RID 1.1.1.1. Advertise networks precisely, e.g. an interface with 172.16.64.1/24 is advertised as network 172.16.64.1 0.0.0.0.
4. The whole internal network must be reachable while the routing table is kept as small as possible: summarize with exact summary routes; configuration that a default route makes unnecessary may be omitted; prevent loops and ensure security; OSPF area 0 requires authentication (MD5, password 123456); every enterprise user segment that can be summarized must be summarized; OSPF user terminals must not receive OSPF protocol packets.
5. All internal users can access the Internet. The border router performs NAT with basic ACL 2000. R3's interface 0/0/2 must not be advertised into OSPF; the internal network also contains static routes.
6. The test device must be able to Telnet to the internal telnet-server device with account huawei, password 123456, and the highest privilege level.
7. VLAN 40 and VLAN 50 users must not access the internal Business B network (ACL 2001, applied on R3 interface 0/0/0); PC1 must not access PC5 (ACL 3000).
8. The 100 Mbit/s link between R3 and R4 is a backup link and must not carry traffic under normal conditions; lower its priority by setting the preference value to 100.
9. Configure all devices strictly according to the labels on the topology diagram (note upper and lower case).
10. The addresses of all servers and client devices in the diagram are fixed by the requirements and must not be changed; keep this in mind while configuring. client1 simulates an internal user accessing the ISP server on the Internet; the test device simulates an Internet user logging in remotely to the internal telnet-server host.

III. Lab approach

Enterprise A internal network:
1. Configure IP addresses.
2. Configure VLANs: (1) create the VLANs; (2) add the interfaces to their VLANs; (3) configure trunk links to allow the required VLANs; (4) configure sub-interfaces for router-on-a-stick.
3. Configure DHCP: (1) enable the DHCP service; (2) create the address pools; (3) enable DHCP on the gateway interfaces so that the PCs obtain IP addresses.
4. Configure OSPF: (1) create the OSPF process and configure the RID; (2) enter the corresponding area and advertise the interface addresses with network; (3) check the OSPF neighbor table and routing table, then run ping tests for full reachability.
5. Configure OSPF area summarization (ABR summarization) to reduce the number of route entries.
6. Configure static routes to the null interface to prevent loops.
7. Configure OSPF area 0 authentication.
8. Configure Easy IP so that the internal network can reach the external network.
9. Have OSPF advertise a default route to the internal routers so that internal devices can reach the external network.
10. Configure the Telnet server and a NAT server so that the external network can reach the internal service.
11. Configure basic and advanced ACLs for access control.

Enterprise B internal network:
1. Configure IP addresses.
2. Configure VLANs.
3. Configure DHCP so that the PCs obtain IP addresses.
4. Configure static routes so that the whole network can ping.
5. Configure static routes to the null interface to prevent loops.
6. Configure a static default route so that internal devices can reach outside.
7. Configure floating static routes: use the gigabit link normally and the 100 Mbit/s link when the gigabit link fails.

Public network:
1. Configure IP addresses.

IV. Lab steps

(1) Basic configuration

SW1:

    sysname SW1
    vlan batch 10 20 30
    interface GigabitEthernet 0/0/2
     port link-type access
     port default vlan 10
    interface GigabitEthernet 0/0/3
     port link-type access
     port default vlan 20
    interface GigabitEthernet 0/0/3
     port link-type access
     port default vlan 30
    interface GigabitEthernet 0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10 20 30
    dhcp enable
    interface Vlanif 10
     ip address 172.16.64.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 172.16.64.254
    interface Vlanif 20
     ip address 172.16.65.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 172.16.65.254
    interface Vlanif 30
     ip address 172.16.66.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 172.16.66.254

SW2:

    sysname SW2
    vlan batch 40 50
    interface GigabitEthernet 0/0/2
     port link-type access
     port default vlan 40
    interface GigabitEthernet 0/0/3
     port link-type access
     port default vlan 50
    interface GigabitEthernet 0/0/1
     port link-type trunk
     port trunk allow-pass vlan 40 50
     speed 1000
    dhcp enable
    interface Vlanif 40
     ip address 172.16.0.1 255.255.255.0
    interface Vlanif 50
     ip address 172.16.1.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 172.16.1.254

SW3:

    sysname SW3
    vlan batch 60 70
    interface GigabitEthernet 0/0/3
     port link-type access
     port default vlan 60
    interface GigabitEthernet 0/0/4
     port link-type access
     port default vlan 60
    interface GigabitEthernet 0/0/2
     port link-type access
     port default vlan 70
    interface GigabitEthernet 0/0/1
     port link-type trunk
     port trunk allow-pass vlan 60 70
    dhcp enable
    interface Vlanif 60
     ip address 172.16.128.1 255.255.255.128
     dhcp select relay
     dhcp relay server-ip 172.16.128.125
    interface Vlanif 70
     ip address 172.16.128.129 255.255.255.128
     dhcp select relay
     dhcp relay server-ip 172.16.128.254

R1:

    sysname R1
    router id 1.1.1.1
    dhcp enable
    ip pool vlan10
     network 172.16.64.0 mask 24
     gateway-list 172.16.64.1
     dns-list 8.8.8.8 114.114.114.114
    ip pool vlan20
     network 172.16.65.0 mask 24
     gateway-list 172.16.65.1
     dns-list 8.8.8.8 114.114.114.114
    ip pool vlan30
     network 172.16.66.0 mask 24
     gateway-list 172.16.66.1
     dns-list 8.8.8.8 114.114.114.114
    interface GigabitEthernet 0/0/0
     ip address 172.16.67.24 255.255.255.0
    interface GigabitEthernet 0/0/1
     ip address 172.16.64.254 255.255.255.0
     dhcp select global

R2:

    sysname R2
    router id 2.2.2.2
    dhcp enable
    ip pool vlan40
     network 172.16.0.0 mask 255.255.255.0
     gateway-list 172.16.0.1
     dns-list 8.8.8.8 114.114.114.114
    ip pool vlan50
     network 172.16.1.0 mask 255.255.255.0
     gateway-list 172.16.1.1
     dns-list 8.8.8.8 114.114.114.114
    interface GigabitEthernet 0/0/0
     ip address 172.16.67.25 255.255.255.0
    interface GigabitEthernet 0/0/1
     ip address 172.16.0.254 255.255.255.0
     dhcp select global
    interface GigabitEthernet 0/0/2
     ip address 172.16.2.0 255.255.255.252

R7:

    sysname R7
    router id 7.7.7.7
    dhcp enable
    ip pool vlan60
     network 172.16.128.0 mask 255.255.255.128
     gateway-list 172.16.128.1
     dns-list 172.16.128.126 8.8.8.8
    ip pool vlan70
     network 172.16.128.128 mask 25
     gateway-list 172.16.128.129
     dns-list 172.16.128.126 8.8.8.8
    interface GigabitEthernet 0/0/0
     ip address 172.16.134.0 255.255.255.252
    interface GigabitEthernet 0/0/1
     ip address 172.16.128.254 255.255.255.128
     dhcp select global

(2) OSPF

R1:

    ospf 1 router-id 1.1.1.1
     area 1
      network 172.16.67.24 0.0.0.0
      network 172.16.64.254 0.0.0.0
     silent-interface GigabitEthernet 0/0/1

R2:

    ospf 1 router-id 2.2.2.2
     area 1
      network 172.16.67.25 0.0.0.0
      network 172.16.0.254 0.0.0.0
      abr-summary 172.16.64.0 255.255.192.0
     area 0
      network 172.16.2.0 0.0.0.0
      authentication-mode md5 1 cipher 123456
     silent-interface GigabitEthernet 0/0/1

The silent-interface on the user-facing interface keeps OSPF hello packets off the PC segments (requirement 4), while the network statement still advertises the segment.

R3:

    sysname R3
    router id 3.3.3.3
    interface GigabitEthernet 0/0/0
     ip address 172.16.2.1 255.255.255.252
    interface GigabitEthernet 0/0/1
     ip address 172.16.129.0 255.255.255.252
    interface GigabitEthernet 0/0/2
     ip address 172.16.129.24 255.255.255.252
    interface GigabitEthernet 0/0/3
     ip address 100.0.0.1 255.255.255.0
    ospf 1 router-id 3.3.3.3
     area 0
      network 172.16.2.1 0.0.0.0
      network 172.16.129.0 0.0.0.0
      authentication-mode md5 1 cipher 123456
      abr-summary 172.16.0.0 255.255.128.0
     default-route-advertise
    ip route-static 0.0.0.0 0.0.0.0 100.0.0.2

Interface 0/0/2 (the 100 Mbit/s backup link) is deliberately left out of the network statements, as requirement 5 demands. default-route-advertise makes R3 originate its static default into OSPF (approach step 9), so R1 and R2 need no default route of their own.

(3) Static routes

R3:

    ip route-static 172.16.128.0 255.255.128.0 172.16.129.1
    ip route-static 172.16.128.0 255.255.128.0 172.16.129.25 preference 100

The second route is the floating backup over the 100 Mbit/s link: with preference 100 it loses to the gigabit route (default preference 60) and is installed only when that route disappears (requirement 8).

R4:

    sysname R4
    router id 4.4.4.4
    interface GigabitEthernet 0/0/0
     ip address 172.16.129.1 24
    interface GigabitEthernet 4/0/0
     ip address 172.16.130.0 24
    interface GigabitEthernet 4/0/1
     ip address 172.16.131.0 24
    interface GigabitEthernet 0/0/2
     ip address 172.16.129.25 255.255.255.252
    ip route-static 0.0.0.0 0.0.0.0 172.16.129.0
    ip route-static 172.16.132.0 255.255.255.252 172.16.131.1
    ip route-static 172.16.134.0 255.255.255.252 172.16.130.1

Internal network B routes:

    sysname R5
    router id 5.5.5.5
    interface GigabitEthernet 0/0/0
     ip address 172.16.131.1 24
    interface GigabitEthernet 0/0/1
     ip address 172.16.133.0 24
    ip route-static 0.0.0.0 0.0.0.0 172.16.131.0

    sysname R6
    router id 6.6.6.6
    interface GigabitEthernet 0/0/0
     ip address 172.16.132.1 24
    interface GigabitEthernet 0/0/1
     ip address 172.16.134.1 24
    ip route-static 0.0.0.0 0.0.0.0 172.16.132.0

    sysname R7
    interface GigabitEthernet 0/0/2
     ip address 172.16.133.1 24
    ip route-static 0.0.0.0 0.0.0.0 172.16.133.0

(4) NAT configuration

R3:

    acl number 2000
     rule 10 permit source 172.16.0.0 0.0.127.255
     rule 20 permit source 172.16.128.0 0.0.127.255
    interface GigabitEthernet 0/0/3
     nat outbound 2000

ACL 2000 selects the internal sources that Easy IP translates on the ISP-facing interface 0/0/3; the two rules together cover all of 172.16.0.0/16, so every internal user segment is translated (requirement 5).

(5) ACL access control

R3:

    acl 2001
     rule 10 deny source 172.16.0.0 0.0.0.255
     rule 20 deny source 172.16.1.0 0.0.0.255
     rule 30 permit source any
    acl number 3000
     rule 10 deny ip source 172.16.64.0 0.0.0.255 destination 172.16.128.128 0.0.0.127
     rule 20 permit ip source any destination any
    interface GigabitEthernet 0/0/0
     packet-filter acl 2001 inbound
    interface GigabitEthernet 0/0/1
     packet-filter acl 3000 inbound

ACL 2001 drops traffic sourced from VLAN 40 (172.16.0.0/24) and VLAN 50 (172.16.1.0/24) on R3's interface 0/0/0 (requirement 7); ACL 3000 drops traffic from PC1's segment to PC5's segment (172.16.128.128/25) and permits everything else.

(6) Telnet configuration

telnet-server:

    sysname telnet-server
    ip route-static 0.0.0.0 0.0.0.0 172.16.66.1
    aaa
     local-user wangdaye password cipher 123456
     local-user wangdaye privilege level 15
     local-user wangdaye service-type telnet
    user-interface vty 0 4
     authentication-mode aaa
     user privilege level 15
     protocol inbound telnet

V. Lab verification

Ping tests from PC1 to PC5 (screenshots not preserved).
OSPF route verification (screenshots not preserved).
NAT verification (screenshots not preserved).
ACL access control verification: confirm that the internal Business B network cannot be reached from VLAN 40/50; confirm that PC5 cannot be reached from PC1; confirm that permitted access works normally.
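Requirement 4 asks for exact summaries, and the lab uses abr-summary 172.16.64.0 255.255.192.0 and 172.16.0.0 255.255.128.0 in OSPF plus a 172.16.128.0/17 static summary toward enterprise B. The following added example (not part of the original lab write-up) computes the smallest prefix that covers a set of subnets and measures how much extra address space a configured summary advertises. The subnet lists are constructed from the interface addresses in the configurations above; which subnets belong to which summary is an assumption drawn from the topology labels.

```python
"""Exact summarization check for the lab address plan.

Added example, not part of the original lab write-up. Requirement 4 asks for
"exact" summaries: the smallest single prefix that still covers every subnet
behind the ABR. This script computes that prefix and measures how much
address space a candidate summary advertises beyond the real subnets.
"""
import ipaddress
from typing import Iterable, List

# Enterprise A user and transit subnets reachable through R2 in area 1
AREA1_A_SUBNETS = ["172.16.64.0/24", "172.16.65.0/24",
                   "172.16.66.0/24", "172.16.67.0/24"]
# The same plus VLAN 40/50, which also sit behind R2 in area 1 (assumed from the topology)
AREA1_ALL_SUBNETS = ["172.16.0.0/24", "172.16.1.0/24"] + AREA1_A_SUBNETS
# Enterprise B subnets behind R4 (static-routed, summarized on R3 as /17)
ENTERPRISE_B_SUBNETS = ["172.16.128.0/25", "172.16.128.128/25",
                        "172.16.129.0/30", "172.16.129.24/30",
                        "172.16.130.0/24", "172.16.131.0/24",
                        "172.16.132.0/24", "172.16.133.0/24",
                        "172.16.134.0/30"]


def _nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def exact_summary(prefixes: Iterable[str]) -> str:
    """Smallest supernet containing every prefix (the 'exact' summary).

    Start from the first subnet and climb the supernet ladder one bit at a
    time until the candidate covers all of them.
    """
    nets = _nets(prefixes)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet()
    return str(candidate)


def uncovered(summary: str, prefixes: Iterable[str]) -> List[str]:
    """Subnets that the summary fails to cover (should be empty)."""
    summ = ipaddress.ip_network(summary, strict=False)
    return [str(n) for n in _nets(prefixes) if not n.subnet_of(summ)]


def summary_waste(summary: str, prefixes: Iterable[str]) -> int:
    """Addresses the summary claims that no real subnet uses.

    A large number means the summary is coarser than necessary and will
    attract traffic for non-existent destinations, which is why the lab
    approach pairs summaries with a static route to the null interface.
    """
    summ = ipaddress.ip_network(summary, strict=False)
    missing = uncovered(summary, prefixes)
    if missing:
        raise ValueError(f"{summary} does not cover {missing}")
    return summ.num_addresses - sum(n.num_addresses for n in _nets(prefixes))


if __name__ == "__main__":
    checks = [("area 1, VLAN 10-30", AREA1_A_SUBNETS, "172.16.64.0/18"),
              ("area 1, all segments", AREA1_ALL_SUBNETS, "172.16.0.0/17"),
              ("enterprise B", ENTERPRISE_B_SUBNETS, "172.16.128.0/17")]
    for label, subnets, configured in checks:
        print(f"{label}: exact {exact_summary(subnets)}, configured {configured}, "
              f"waste {summary_waste(configured, subnets)} addresses")
```

Running it shows that the VLAN 10 to 30 segments plus the 172.16.67.0/24 transit fit exactly in 172.16.64.0/22, and that the /18 configured on R2 leaves VLAN 40 and 50 uncovered, which is what the wider 172.16.0.0/17 summary on R3 takes care of.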
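The floating static route in step (3) and the null-interface route in approach step 6 of both enterprises are easiest to understand by watching which route wins as links fail. The following added example (not part of the original lab write-up) models R3's static routes in a minimal routing table that selects by longest prefix, then lowest preference, among routes whose outgoing interface is up. The interface assigned to each route is inferred from R3's addressing; the NULL0 blackhole route and its preference value 254 are assumptions that illustrate the approach's loop-prevention step.

```python
"""Floating static route selection, modelled on the R3 static routes.

Added example, not part of the original lab write-up. A minimal RIB that
chooses the active route the way VRP does for static routes: longest prefix
first, then lowest preference (static routes default to preference 60), and
only among routes whose outgoing interface is up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: Optional[str]  # None for a null-interface (blackhole) route
    interface: str
    preference: int = 60     # VRP default preference for static routes


# R3's routes as configured in section (3); interfaces assumed from its addressing
R3_ROUTES = [
    StaticRoute("172.16.128.0/17", "172.16.129.1", "GigabitEthernet 0/0/1"),        # gigabit, primary
    StaticRoute("172.16.128.0/17", "172.16.129.25", "GigabitEthernet 0/0/2", 100),  # 100M, floating backup
    StaticRoute("0.0.0.0/0", "100.0.0.2", "GigabitEthernet 0/0/3"),                  # default toward the ISP
]
# Constructed blackhole route (assumed preference 254): wins only when every real route to B is gone
BLACKHOLE = StaticRoute("172.16.128.0/17", None, "NULL0", 254)


def select_route(dest: str, routes: List[StaticRoute],
                 link_up: Dict[str, bool]) -> Optional[StaticRoute]:
    """Route that would be active for dest, or None if nothing matches."""
    dst = ipaddress.ip_address(dest)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        up = r.interface == "NULL0" or link_up.get(r.interface, False)  # NULL0 never goes down
        if up and dst in net:
            candidates.append((-net.prefixlen, r.preference, r))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[:2])[2]


def forwarding(dest: str, routes: List[StaticRoute], link_up: Dict[str, bool]) -> str:
    """'unreachable', 'discard', or the next-hop address that would be used."""
    r = select_route(dest, routes, link_up)
    if r is None:
        return "unreachable"
    if r.next_hop is None:
        return "discard"
    return r.next_hop


ALL_UP = {"GigabitEthernet 0/0/1": True, "GigabitEthernet 0/0/2": True,
          "GigabitEthernet 0/0/3": True}

if __name__ == "__main__":
    g1_down = {**ALL_UP, "GigabitEthernet 0/0/1": False}
    both_down = {**g1_down, "GigabitEthernet 0/0/2": False}
    print(forwarding("172.16.128.130", R3_ROUTES, ALL_UP))                # 172.16.129.1 (primary)
    print(forwarding("172.16.128.130", R3_ROUTES, g1_down))               # 172.16.129.25 (backup)
    print(forwarding("172.16.128.130", R3_ROUTES, both_down))             # 100.0.0.2 (leaks to the ISP)
    print(forwarding("172.16.128.130", R3_ROUTES + [BLACKHOLE], both_down))  # discard
```

The third case is the one the null-interface route exists for: once both links to R4 are down, traffic for enterprise B would otherwise follow R3's default route out to the ISP, and the ISP's route back into 172.16.0.0/16 would return it, looping until the TTL expires. With the blackhole route present, R3 discards it locally instead.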
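Whether ACL 2000, 2001 and 3000 in sections (4) and (5) do what requirements 5 and 7 ask depends on wildcard matching and rule order. The following added example (not part of the original lab write-up) parses the rule lines exactly as written in the R3 configuration and evaluates constructed sample packets against them: rules are tried in ascending number order, the first match decides, and a caller-chosen default applies when nothing matches (VRP traffic filtering permits unmatched packets, while Easy IP simply leaves unmatched sources untranslated). The sample addresses are constructed; only the ACL text comes from the lab.

```python
"""Evaluate the lab's ACLs the way VRP applies them.

Added example, not part of the original lab write-up. Parses 'rule' lines in
the syntax used on R3, then matches packets against them in ascending rule
number with first-match-wins semantics.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Optional[Tuple[int, int]]  # (base address, wildcard) as ints; None means any


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: Match
    dst: Match


def _parse_addr(tokens: List[str], i: int) -> Tuple[Match, int]:
    """tokens[i] is 'source' or 'destination'; return the match spec and the next index."""
    if tokens[i + 1] == "any":
        return None, i + 2
    base = int(ipaddress.ip_address(tokens[i + 1]))
    wildcard = int(ipaddress.ip_address(tokens[i + 2]))
    return (base, wildcard), i + 3


def parse_rule(line: str) -> Rule:
    """Parse 'rule <n> <permit|deny> [ip] [source ...] [destination ...]'."""
    tokens = line.split()
    number, action = int(tokens[1]), tokens[2]
    src = dst = None
    i = 3
    while i < len(tokens):
        if tokens[i] == "source":
            src, i = _parse_addr(tokens, i)
        elif tokens[i] == "destination":
            dst, i = _parse_addr(tokens, i)
        else:
            i += 1  # protocol keyword ('ip' is the only one used in this lab)
    return Rule(number, action, src, dst)


def parse_acl(text: str) -> List[Rule]:
    """Keep only the rule lines of an ACL block and order them by rule number."""
    rules = [parse_rule(line) for line in text.splitlines() if line.strip().startswith("rule")]
    return sorted(rules, key=lambda r: r.number)


def _matches(spec: Match, addr: str) -> bool:
    """Wildcard match: bits set in the wildcard are ignored when comparing."""
    if spec is None:
        return True
    base, wildcard = spec
    return (int(ipaddress.ip_address(addr)) | wildcard) == (base | wildcard)


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "permit") -> str:
    """First matching rule decides; 'default' applies when no rule matches."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return default


# ACL text as configured on R3
ACL_2000 = """acl number 2000
rule 10 permit source 172.16.0.0 0.0.127.255
rule 20 permit source 172.16.128.0 0.0.127.255"""
ACL_2001 = """acl 2001
rule 10 deny source 172.16.0.0 0.0.0.255
rule 20 deny source 172.16.1.0 0.0.0.255
rule 30 permit source any"""
ACL_3000 = """acl number 3000
rule 10 deny ip source 172.16.64.0 0.0.0.255 destination 172.16.128.128 0.0.0.127
rule 20 permit ip source any destination any"""


def nat_translates(src: str) -> bool:
    """Easy IP translates only sources ACL 2000 permits; no match means no translation."""
    return evaluate(parse_acl(ACL_2000), src, "0.0.0.0", default="deny") == "permit"


if __name__ == "__main__":
    print(nat_translates("172.16.64.10"), nat_translates("10.0.0.5"))        # True False
    print(evaluate(parse_acl(ACL_2001), "172.16.0.20", "172.16.128.10"))    # deny  (VLAN 40 user)
    print(evaluate(parse_acl(ACL_3000), "172.16.64.10", "172.16.128.130"))  # deny  (PC1 to PC5 segment)
    print(evaluate(parse_acl(ACL_3000), "172.16.64.10", "172.16.128.10"))   # permit (PC1 to VLAN 60)
```

Note that ACL 2001 filters on source only: a VLAN 40 host is denied regardless of destination, so applied inbound on R3's 0/0/0 it blocks those users from everything beyond R3, not only from Business B. ACL 3000, being an advanced ACL, matches the destination as well and therefore blocks PC1 only toward the 172.16.128.128/25 segment.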