1. IP address configuration on the routers
R1:
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[r1]interface g0/0/1
[r1-GigabitEthernet0/0/1]ip address 12.1.1.1 24
R2:
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]ip address 12.1.1.2 24
[r2]interface g0/0/2
[r2-GigabitEthernet0/0/2]ip address 23.1.1.1 24
[r2]interface g0/0/0
[r2-GigabitEthernet0/0/0]ip address 192.168.2.1 24
R3:
[r3]interface g0/0/1
[r3-GigabitEthernet0/0/1]ip address 23.1.1.2 24
[r3]interface g0/0/0
[r3-GigabitEthernet0/0/0]ip address 192.168.3.1 24
2. DHCP address pool configuration on the routers
R1:
[r1]ip pool class_A
Info: It’s successful to create an IP address pool.
[r1-ip-pool-class_A]network 192.168.1.0 mask 24
[r1-ip-pool-class_A]gateway-list 192.168.1.1
[r1-ip-pool-class_A]dns-list 8.8.8.8
[r1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]dhcp select global
R2:
[r2]ip pool class_B
Info: It’s successful to create an IP address pool.
[r2-ip-pool-class_B]network 192.168.2.0 mask 24
[r2-ip-pool-class_B]gateway-list 192.168.2.1
[r2-ip-pool-class_B]dns-list 8.8.8.8
[r2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r2]interface g0/0/0
[r2-GigabitEthernet0/0/0]dhcp select global
R3:
[r3]ip pool class_C
Info: It’s successful to create an IP address pool.
[r3-ip-pool-class_C]network 192.168.3.0 mask 24
[r3-ip-pool-class_C]gateway-list 192.168.3.1
[r3-ip-pool-class_C]dns-list 8.8.8.8
[r3]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r3]interface g0/0/0
[r3-GigabitEthernet0/0/0]dhcp select global
3. Dynamic routing: RIP configuration
R1:
[r1]rip 1
[r1-rip-1]version 2
[r1-rip-1]network 192.168.1.0
[r1-rip-1]network 12.0.0.0
R2:
[r2]rip 1
[r2-rip-1]version 2
[r2-rip-1]network 12.0.0.0
[r2-rip-1]network 23.0.0.0
[r2-rip-1]network 192.168.2.0
R3:
[r3]rip 1
[r3-rip-1]version 2
[r3-rip-1]network 23.0.0.0
[r3-rip-1]network 192.168.3.0
4. ACL configuration
Requirement: PC1 must not be able to ping PC6, but must be able to ping PC5.
Note: in the DHCP step above, PC1 and PC5 obtained the following addresses:
PC1: 192.168.1.253 (oddly, not .254) PC2: 192.168.3.253
- First, a basic ACL configuration:
Basic ACLs are applied close to the destination.
[r3]acl 2000
[r3-acl-basic-2000]rule 1 deny source 192.168.1.253 0.0.0.0
[r3]interface g0/0/0
[r3-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
With this we find that both PC5 and PC6 are blocked (a basic ACL can only match on the source address), so an advanced ACL is needed instead.
- Advanced ACL configuration: advanced ACLs are applied close to the source.
Delete ACL 2000 configured above:
[r3]undo acl 2000
Then configure the following:
[r1]acl 3000
[r1-acl-adv-3000]rule 1 deny ip source 192.168.1.253 0 destination 192.168.3.253 0
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
5. Remote login and ICMP configuration
- Requirement: R1 must not be able to ping R3, but must be able to log in to R3 remotely.
(1) First, configure remote login on R3:
[r3]user-interface vty 0 4
[r3-ui-vty0-4]authentication-mode aaa
[r3-ui-vty0-4]q
[r3]aaa
[r3-aaa]local-user huawei password cipher huawei
Info: Add a new user.
[r3-aaa]local-user huawei privilege level 15
[r3-aaa]local-user huawei service-type telnet
Then telnet from R1 to R3 to verify.
(2) Configure an advanced ACL on R2 to restrict ICMP (ping)
Note: a router cannot filter traffic that it generates itself, so the filter must be applied on the device closest to R1, namely R2. The configuration is as follows:
[r2]acl 3000
[r2-acl-adv-3000]rule 1 deny icmp source 12.1.1.1 0 destination 23.1.1.2 0
[r2-acl-adv-3000]q
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
With this, R1 can telnet to R3 but can no longer ping it.
- The experiment above can also be done the other way round.
The requirement then becomes: R1 can ping R3, but cannot log in to R3 remotely.
Note: as above, the configuration is done on R2, as follows:
First, delete the ACL configuration on R2:
[r2]undo acl 3000
Reconfigure the advanced ACL as follows:
[r2]acl 3000
[r2-acl-adv-3000]rule 1 deny tcp source 12.1.1.1 0 destination 23.1.1.2 0 destination-port eq 23
[r2-acl-adv-3000]q
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
Error: A simplified ACL has been applied in this view.
(ACL 3000 was already applied on this interface earlier, so applying it again produces this "already applied" error.)
[r2-GigabitEthernet0/0/1]q
[r2]acl 3000
[r2-acl-adv-3000]rule 2 deny tcp source 12.1.1.1 0 destination 192.168.3.1 0 destination-port eq 23
After the steps above, R1 can no longer telnet to R3 from its g0/0/1 interface. However, on the VRP platform the -a parameter lets ping (and, as used here, telnet) send its packets with a specified IP address as the source address. For example:
telnet -a 192.168.1.1 23.1.1.2
With the command above, R1 can still log in to R3 remotely, so we continue on R2:
[r2]acl 3000
[r2-acl-adv-3000]rule 3 deny tcp source 192.168.1.1 0 destination 23.1.1.2 0 destination-port eq 23
[r2-acl-adv-3000]rule 4 deny tcp source 192.168.1.1 0 destination 192.168.3.1 0 destination-port eq 23
With this, telnet from R1 to R3 is blocked from both of R1's source addresses.
6. Translation between public and private addresses
First, configure IP addresses on the directly connected interfaces between R3 and R5 (the ISP):
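To make the ACL behaviour of sections 4 and 5 concrete, here is an added Python model (not code from the original post) of Huawei wildcard matching and first-match traffic-filter evaluation: it reproduces why the basic ACL on R3 blocked both LAN hosts, why the advanced ACL on R1 blocks only one, and why rules 3 and 4 on R2 were needed once R1 used its other interface address. It assumes traffic-filter permits unmatched packets, and 192.168.3.254 is a constructed address standing in for the other LAN host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: 0 bits must match, 1 bits are 'don't care'; '0' means exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None/"ip" matches any protocol (basic ACL or "deny ip")
    src: tuple = ("0.0.0.0", "255.255.255.255")
    dst: tuple = ("0.0.0.0", "255.255.255.255")
    dport: Optional[int] = None  # destination port, only for tcp/udp rules

def filter_decision(rules, proto, src, dst, dport=None) -> str:
    """First matching rule wins; traffic-filter lets unmatched packets through (assumption)."""
    for r in rules:
        if r.proto not in (None, "ip", proto) or (r.dport is not None and r.dport != dport):
            continue
        if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
            return r.action
    return "permit"

HOST = "0.0.0.0"  # the "0" wildcard the page uses for single hosts
# Section 4: ACL 2000 (R3 g0/0/0 outbound) vs ACL 3000 (R1 g0/0/0 inbound). 192.168.3.253 is the
# blocked host from the page; 192.168.3.254 is a constructed address for the other LAN host.
ACL2000 = [Rule("deny", src=("192.168.1.253", HOST))]
ACL3000_R1 = [Rule("deny", "ip", ("192.168.1.253", HOST), ("192.168.3.253", HOST))]
# Section 5: ACL 3000 on R2 g0/0/1 inbound; rules 3-4 add R1's second source address.
R2_RULES_1_2 = [Rule("deny", "tcp", ("12.1.1.1", HOST), ("23.1.1.2", HOST), 23),
                Rule("deny", "tcp", ("12.1.1.1", HOST), ("192.168.3.1", HOST), 23)]
R2_RULES_3_4 = [Rule("deny", "tcp", ("192.168.1.1", HOST), ("23.1.1.2", HOST), 23),
                Rule("deny", "tcp", ("192.168.1.1", HOST), ("192.168.3.1", HOST), 23)]

def scenarios() -> dict:
    pc1, r2_all = "192.168.1.253", R2_RULES_1_2 + R2_RULES_3_4
    return {
        "basic_acl_pc1_to_3.253": filter_decision(ACL2000, "icmp", pc1, "192.168.3.253"),
        "basic_acl_pc1_to_3.254": filter_decision(ACL2000, "icmp", pc1, "192.168.3.254"),
        "adv_acl_pc1_to_3.253": filter_decision(ACL3000_R1, "icmp", pc1, "192.168.3.253"),
        "adv_acl_pc1_to_3.254": filter_decision(ACL3000_R1, "icmp", pc1, "192.168.3.254"),
        "telnet_src_12.1.1.1_rules_1_2": filter_decision(R2_RULES_1_2, "tcp", "12.1.1.1", "23.1.1.2", 23),
        "telnet_src_192.168.1.1_rules_1_2": filter_decision(R2_RULES_1_2, "tcp", "192.168.1.1", "23.1.1.2", 23),
        "telnet_src_192.168.1.1_rules_1_4": filter_decision(r2_all, "tcp", "192.168.1.1", "23.1.1.2", 23),
        "ping_r1_to_r3_rules_1_4": filter_decision(r2_all, "icmp", "12.1.1.1", "23.1.1.2"),
    }
```

The first two entries are both "deny", which is the over-blocking the basic ACL caused; the second source address passes rules 1-2 and is only caught once rules 3-4 exist, while ICMP stays permitted throughout.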
R3:
[r3]interface g0/0/2
[r3-GigabitEthernet0/0/2]ip address 100.1.1.1 24
R5:
[ISP]interface g0/0/0
[ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 24
To keep the internal network reachable, have R3 originate a default route into RIP:
[r3]rip 1
[r3-rip-1]version 2
[r3-rip-1]default-route originate
To get internal traffic to the ISP, also configure a default route on R3 pointing to the ISP:
[r3]ip route-static 0.0.0.0 0 100.1.1.2
Requirement: internal devices must be able to access the Internet. There are three configuration methods; see below.
- To give the internal network Internet access, we can allow a particular set of internal devices (here the 192.168.1.0/24 segment) to go online:
[r3]nat address-group 1 100.1.1.3 100.1.1.10
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source 192.168.1.0 0.0.0.255
[r3-acl-basic-2000]q
[r3]interface g0/0/2
[r3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1 no-pat
All devices can also go online at the same time:
First delete the rule above:
[r3]acl 2000
[r3-acl-basic-2000]undo rule 1
Set the rule again:
[r3-acl-basic-2000]rule 1 permit source any
Drawback of this method: each private address is translated to exactly one public address (no-pat), so the pool limits how many hosts can be online at once.
- Configuration with NAPT:
Again, delete the rules above and reconfigure:
[r3]nat address-group 1 100.1.1.3 100.1.1.10
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source any
[r3]interface g0/0/2
[r3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
- Easy IP and its configuration (this method applies only to Huawei devices)
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source any
[r3]interface g0/0/2
[r3-GigabitEthernet0/0/2]nat outbound 2000
7. Remote login to internal devices from an external server
First, configure remote login on R1:
[r1]user-interface vty 0 4
[r1-ui-vty0-4]authentication-mode aaa
[r1-ui-vty0-4]aaa
[r1-aaa]local-user huawei password cipher huawei
Info: Add a new user.
[r1-aaa]local-user huawei privilege level 15
[r1-aaa]local-user huawei service-type telnet
Configure static NAT on the external interface of the internal-network border router R3:
[r3]interface g0/0/2
[r3-GigabitEthernet0/0/2]nat static global 100.1.1.11 inside 12.1.1.1
Log in remotely from the ISP router R5:
telnet 100.1.1.11
This gets you into the CLI of R1 inside the internal network.
Note: this is not secure, because the one-to-one static mapping exposes every port of R1 to the outside, so we use another method for the static NAT configuration on R3:
[r3]interface g0/0/2
[r3-GigabitEthernet0/0/2]undo nat static global 100.1.1.11 inside 12.1.1.1 (delete the configuration above, then reconfigure below)
[r3-GigabitEthernet0/0/2]nat server protocol tcp global 100.1.1.11 23 inside 12.1.1.1 23
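As an added illustration of sections 6 and 7 (not code from the original post), the Python model below simulates R3's outbound NAT with the page's address group 100.1.1.3 to 100.1.1.10 in no-pat, NAPT and Easy IP modes, and contrasts what a static NAT versus a nat server mapping forwards inbound to R1. The NAPT port numbering and the inside host addresses are constructed; the translation logic is a simplification of VRP behaviour.

```python
from dataclasses import dataclass, field

POOL = [f"100.1.1.{i}" for i in range(3, 11)]  # nat address-group 1 100.1.1.3 100.1.1.10 (8 addresses)

@dataclass
class NatOutbound:
    """Outbound NAT on R3 g0/0/2: maps an inside flow to a public (ip, port)."""
    pat: bool                                # False = no-pat, True = NAPT (or Easy IP with a 1-address pool)
    pool: list = field(default_factory=lambda: list(POOL))
    table: dict = field(default_factory=dict)
    next_port: int = 1024                    # constructed starting port for NAPT, not a VRP value

    def translate(self, src_ip: str, src_port: int):
        """Return the public (ip, port) for this flow, or None if no address is free."""
        key = (src_ip, src_port) if self.pat else src_ip
        if key in self.table:
            return self.table[key]
        if self.pat:
            mapped = (self.pool[0], self.next_port)    # one public IP shared, ports distinguish flows
            self.next_port += 1
        elif self.pool:
            mapped = (self.pool.pop(0), src_port)      # whole public address consumed by one host
        else:
            return None                                # pool exhausted: this host cannot get out
        self.table[key] = mapped
        return mapped

def hosts_online(n_hosts: int, pat: bool, pool=None) -> int:
    """How many of n_hosts inside hosts obtain a translation under the given NAT mode."""
    nat = NatOutbound(pat=pat) if pool is None else NatOutbound(pat=pat, pool=pool)
    return sum(nat.translate(f"192.168.1.{h}", 40000 + h) is not None for h in range(1, n_hosts + 1))

# Section 7: inbound exposure of R1 (12.1.1.1) behind public 100.1.1.11.
def inbound_forwarded(mapping: str, proto: str, dport: int) -> bool:
    """'static' = nat static (every protocol and port reaches R1); 'server' = nat server tcp 23 only."""
    if mapping == "static":
        return True
    return (proto, dport) == ("tcp", 23)
```

With twelve inside hosts, no-pat gets only eight of them online (one pool address each), while NAPT and Easy IP (pool of just the interface address 100.1.1.1) serve all twelve; inbound, the static mapping forwards any port to R1, the nat server mapping only TCP 23.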