HCIA综合项目之多技术的综合应用实验

十五 HCIA综合实验

15.1 IP规划

 #内网分配网段192.168.1.0 24#内网包括骨干链路和两个用户网段，素以需要划分三个，借两位就够用了192.168.1.0 26--骨干192.168.1.64 26---R1下网络192.168.1.128 26---R2下网络192.168.1.192 26--备用​192.168.1.64 26---R1下网络：划分三个，借两位192.168.1.64 28--vlan 2192.168.1.80 28--vlan 3192.168.1.96 28--vlan 4192.168.1.112 28--备用​192.168.1.128 26---R2下网络：划分两个，借一位192.168.1.128 27--vlan 2 192.168.1.160 27--vlan 3

 # 外网R2-ISP之间：网段：202.1.1.0 30ISP下方网络：网段：203.1.1.0 24

15.2 内网的路由交换配置

15.2.1 交换机的配置

 #sw1的配置[sw1]vlan batch 2 to 4[sw1]int g 0/0/2[sw1-GigabitEthernet0/0/2]port link-type access [sw1-GigabitEthernet0/0/2]port default vlan 2[sw1-GigabitEthernet0/0/2]int g 0/0/3[sw1-GigabitEthernet0/0/3]port link-type  access [sw1-GigabitEthernet0/0/3]port default vlan 3[sw1-GigabitEthernet0/0/3]int g 0/0/4[sw1-GigabitEthernet0/0/4]port link-type  access [sw1-GigabitEthernet0/0/4]port default vlan 4​[sw1]int g 0/0/1[sw1-GigabitEthernet0/0/1]port link-type trunk [sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 4

 #sw2配置[sw2]vlan batch 2 to 3[sw2]int g 0/0/2[sw2-GigabitEthernet0/0/2]port link-type  access [sw2-GigabitEthernet0/0/2]port default vlan 2[sw2-GigabitEthernet0/0/2]int g 0/0/3[sw2-GigabitEthernet0/0/3]port link-type access [sw2-GigabitEthernet0/0/3]port default vlan 3[sw2-GigabitEthernet0/0/3]int g 0/0/1[sw2-GigabitEthernet0/0/1]port link-type trunk [sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3

15.2.2 路由器的配置

配置接口IP地址

 # AR1上的接口IP地址[r1]int g 0/0/1[r1-GigabitEthernet0/0/1]ip add 192.168.1.1 26​[r1]int g 0/0/0.1[r1-GigabitEthernet0/0/0.1]ip add 192.168.1.65 28[r1-GigabitEthernet0/0/0.1]dot1q termination vid 2[r1-GigabitEthernet0/0/0.1]arp broadcast enable [r1-GigabitEthernet0/0/0.1]q​[r1]int g 0/0/0.2[r1-GigabitEthernet0/0/0.2]ip add 192.168.1.81 28[r1-GigabitEthernet0/0/0.2]dot1q termination vid 3 [r1-GigabitEthernet0/0/0.2]arp broadcast enable [r1-GigabitEthernet0/0/0.2]q​[r1]int g 0/0/0.3[r1-GigabitEthernet0/0/0.3]ip add 192.168.1.97 28[r1-GigabitEthernet0/0/0.3]dot1q termination vid 4[r1-GigabitEthernet0/0/0.3]arp broadcast enable [r1-GigabitEthernet0/0/0.3]q

 # AR2上的接口IP地址[r2]int g 0/0/1[r2-GigabitEthernet0/0/1]ip add 192.168.1.2 26​[r2]int g 0/0/0.1[r2-GigabitEthernet0/0/0.1]ip add 192.168.1.129 27[r2-GigabitEthernet0/0/0.1]dot1q termination vid 2[r2-GigabitEthernet0/0/0.1]arp broadcast enable ​[r2-GigabitEthernet0/0/0.1]int g 0/0/0.2[r2-GigabitEthernet0/0/0.2]ip add 192.168.1.161 27[r2-GigabitEthernet0/0/0.2]dot1q termination vid 3[r2-GigabitEthernet0/0/0.2]arp broadcast enable ​[r2]int g 0/0/2[r2-GigabitEthernet0/0/2]ip add 202.1.1.1 30

 #配置ISP路由器接口的IP地址[ISP]int g 0/0/0[ISP-GigabitEthernet0/0/0]ip add 202.1.1.2 30[ISP-GigabitEthernet0/0/0]int g 0/0/1[ISP-GigabitEthernet0/0/1]ip add 203.1.1.1 24

 #telnet服务器上接口ip地址[telnet server]int g 0/0/0[telnet server-GigabitEthernet0/0/0]ip add 192.168.1.98 28#测试一路由器上接口ip地址[test-1]int g 0/0/0[test-1-GigabitEthernet0/0/0]ip add 203.1.1.2 24#测试二路由器上接口ip地址[Huawei]sysname test-2[test-2]int g 0/0/0[test-2-GigabitEthernet0/0/0]ip add 203.1.1.3 24

15.3 用动态路由协议OSPF跑通内网路由

 ​[r1]ospf 1 router-id 1.1.1.1[r1-ospf-1]area 0[r1-ospf-1-area-0.0.0.0]network 192.168.1.1 0.0.0.0[r1-ospf-1-area-0.0.0.0]network 192.168.1.65 0.0.0.0[r1-ospf-1-area-0.0.0.0]network 192.168.1.81 0.0.0.0[r1-ospf-1-area-0.0.0.0]network 192.168.1.97 0.0.0.0​[r2]ospf 1 router-id 2.2.2.2[r2-ospf-1]area 0[r2-ospf-1-area-0.0.0.0]network 192.168.1.2 0.0.0.0[r2-ospf-1-area-0.0.0.0]network 192.168.1.129 0.0.0.0[r2-ospf-1-area-0.0.0.0]network 192.168.1.161 0.0.0.0# 注意：R2的0/0/2接口时外网接口，不需要宣告

 # 让底下终端PC设备用DHCP自动获取地址[r1]dhcp enable​[r1]ip pool yuangeInfo: It's successful to create an IP address pool.[r1-ip-pool-yuange]network 192.168.1.64 mask 28[r1-ip-pool-yuange]gateway-list 192.168.1.65[r1-ip-pool-yuange]dns-list 114.114.114.114 8.8.8.8​[r1]ip pool kungeInfo: It's successful to create an IP address pool.[r1-ip-pool-kunge]network 192.168.1.80 mask 28[r1-ip-pool-kunge]gateway-list 192.168.1.81[r1-ip-pool-kunge]dns-list 114.114.114.114 8.8.8.8​[r1]int g 0/0/0.1[r1-GigabitEthernet0/0/0.1]dhcp select global[r1]int g 0/0/0.2[r1-GigabitEthernet0/0/0.2]dhcp select global

 [r2]dhcp enable​[r2]ip pool zhenjieInfo: It's successful to create an IP address pool.[r2-ip-pool-zhenjie]network 192.168.1.128 mask 27[r2-ip-pool-zhenjie]gateway-list 192.168.1.129[r2-ip-pool-zhenjie]dns-list 114.114.114.114​[r2]ip pool sbCHZInfo: It's successful to create an IP address pool.[r2-ip-pool-sbCHZ]network 192.168.1.160 mask 27[r2-ip-pool-sbCHZ]gateway-list 192.168.1.161​[r2-ip-pool-sbCHZ]dns-list 114.114.114.114 8.8.8.8[r2]int g 0/0/0.1[r2-GigabitEthernet0/0/0.1]dhcp select global[r2-GigabitEthernet0/0/0.1]int g 0/0/0.2[r2-GigabitEthernet0/0/0.2]dhcp select global​

检测内网的连通性

15.4 写缺省路由

 [r2]ip route-static 0.0.0.0 0 202.1.1.2

此时，前四个需求已经完成

15.5 需求五 PC2到PC4可以访问PC5，PC1不行

 [r2]acl 2000[r2-acl-basic-2000]rule per [r2-acl-basic-2000]rule permit sou  [r2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255[r2-acl-basic-2000]int g 0/0/2[r2-GigabitEthernet0/0/2]nat outb   [r2-GigabitEthernet0/0/2]nat outbound 2000​[r2]ospf 1[r2-ospf-1]default-route-advertise ​# PC5:203.1.1.100

此时，检测PC1到PC4都能通往PC5，现在做一个ACL限制流量

 [r1]acl 3000[r1-acl-adv-3000]rule deny ip source 192.168.1.64 0.0.0.15 destination 203.1.1.100 0.0.0.0[r1-acl-adv-3000]q[r1]int g 0/0/0.1   [r1-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000

15.6 需求六是R2出口只有一个公网IP

 前面已经配置过

15.7 test-1设备可以登录内网telnet服务器，test-2不行

15.7.1 开启telnet服务

 [telnet server-aaa]local-user chenhaozhensb privilege level 15 password cipher 112301Info: Add a new user.[telnet server-aaa]local-user chenhaozhensb service-type telnet[telnet server-aaa]q[telnet server]user-interface vty 0 4[telnet server-ui-vty0-4]authentication-mode aaa

检测，内网设备可以进行telnet远程登录

外网设备想访问内网telnet服务器，必须做端口映射才可以

 [r2]int g 0/0/2[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface telnet inside 192.168.1.98 telnet Warning:The port 23 is well-known port. If you continue it may cause function failure.Are you sure to continue?[Y/N]:y

但现在用test-1和test-2设备进行测试，测试不通，因为它俩不认识202.1.1.0 30网段

 [test-1]ip route-static 202.1.1.1 32 203.1.1.1[test-2]ip route-static 202.1.1.1 32 203.1.1.1

测试用test-1可以Ping通202.1.1.1，但不能使用telnet服务

 <test-1>telnet 192.168.1.98Press CTRL_] to quit telnet modeTrying 192.168.1.98 ...Error: Can't connect to the remote host

出现上面的原因是：上面用OSPF协议跑通内网的时候，在R1上宣告的是vlan4的路由，并没有telnet服务器的路由

一般情况下：服务器不会加入到动态路由协议中。

上图中：telnet服务器上只有直连网段的路由信息，数据包回不去。所以，在tennet服务器上加一条缺省路由就可以了.

 [telnet server]ip route-static 0.0.0.0 0 192.168.1.97

再进行测试：

 <test-1>telnet 202.1.1.1Press CTRL_] to quit telnet modeTrying 202.1.1.1 ...Connected to 202.1.1.1 ...Login authenticationUsername:chenhaozhensbPassword:----------------------------------------------------------------------------- User last login information:     -----------------------------------------------------------------------------Access Type: Telnet      IP-Address : 203.1.1.3     Time       : 2025-02-11 14:45:43-08:00     -----------------------------------------------------------------------------<telnet server># 现在test-1和test-2都可以telnet

15.7.2 最后做策略来限制test-2进行访问

[r2]acl 3000
[r2-acl-adv-3000]rule deny tcp source 203.1.1.3 0 destination-port eq 23
# 注意：不能写目标地址，实验要求只是拒绝test-2进行telnet服务，并没有说拒绝通信，只用端口号就行
[r2-acl-adv-3000]int g 0/0/2
[r2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000

最后的测试：

 <test-1>telnet 202.1.1.1Press CTRL_] to quit telnet modeTrying 202.1.1.1 ...Connected to 202.1.1.1 ...Login authenticationUsername:chenhaozhensbPassword:----------------------------------------------------------------------------- User last login information:     -----------------------------------------------------------------------------Access Type: Telnet      IP-Address : 203.1.1.2     Time       : 2025-02-11 14:47:46-08:00     -----------------------------------------------------------------------------<telnet server>