ARP Proxy
Lab: configure the two PCs as shown and make them reach each other.
Give each PC an IP address and set its gateway to the IP of the G0/0/0 or G0/0/1 interface respectively.
Configure the interface IPs on AR3 and enable the required services.
[R1-GigabitEthernet0/0/0]undo info en //suppress information-center prompts
[R1-GigabitEthernet0/0/0]arp-proxy enable //enable proxy ARP
[R1-GigabitEthernet0/0/1]arp-proxy enable
[R1-GigabitEthernet0/0/1]dis ip int bri //show all interfaces; check that the IP addresses are set and that each interface is up/up (physical and protocol)
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.10.254/24 up up
GigabitEthernet0/0/1 192.168.20.254/24 up up
[R1-GigabitEthernet0/0/1]dis arp all //show the ARP table
# Run a connectivity test on the PCs
- Connectivity can be achieved by configuring a gateway; the gateway address is the IP of the router interface facing the PC.
- To achieve connectivity through proxy ARP instead, change the subnet mask so that the two addresses fall into the same subnet; in this lab, changing the mask to 255.255.192.0 lets the PCs communicate without a gateway.
VLAN Division
Lab: configure the PC IP addresses as shown; PCs in the same VLAN must be able to communicate, PCs in different VLANs must not.
[SW1]dis vlan //show VLANs
[SW1]vlan batch 10 20 //create VLAN 10 and VLAN 20
[SW1]int e0/0/2
[SW1-Ethernet0/0/2]port link-type access //set the port type to access
[SW1-Ethernet0/0/2]port default vlan 10 //assign the port to VLAN 10
# Configure e0/0/3 the same way and assign it to VLAN 20
[SW1]int g0/0/1 //enter interface g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk //set the port type to trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 //allow VLANs 10 and 20 through; VLAN 1 is allowed by default
# Same configuration on SW2
# Run a connectivity test
Hybrid Ports
Configure the IP addresses according to the topology below. Requirements:
- The HR department and the Marketing department, spread over different floors, can each communicate within their own department
- The two departments may not communicate with each other
- The IT department can reach any department
[SW1]vlan batch 10 20 30 //create VLANs 10, 20 and 30
[SW1]dis vlan //verify that they were created
[SW1]int e0/0/3 //enter interface e0/0/3
[SW1-Ethernet0/0/3]port hybrid untagged vlan 20 30 //VLANs whose frames leave this port untagged, i.e. the VLANs this port may talk to
[SW1-Ethernet0/0/3]port hybrid pvid vlan 20 //set the PVID
[SW1-Ethernet0/0/3]dis th //show the commands configured under the current interface
# Configure e0/0/2 the same way
port hybrid pvid vlan 10
port hybrid untagged vlan 10 30
# Configure e0/0/4
port hybrid pvid vlan 30
port hybrid untagged vlan 10 20 30
# Configure e0/0/1
port hybrid tagged vlan 10 20 30
The default PVID is VLAN 1.
# Same configuration on SW2
# Run a connectivity test
Inter-VLAN Routing
Router-on-a-Stick
- Assign the PCs to their VLANs
- Configure g0/0/1 as a trunk and allow all VLANs through
- Configure IP addresses on the router sub-interfaces
- Set the VLAN ID encapsulation on each sub-interface (dot1q termination vid 10)
- Enable ARP broadcast on each sub-interface (arp broadcast enable)
Configure the PC IP addresses for the topology below and set up router-on-a-stick so that the PCs can reach each other.
# First give the PCs their IP addresses, with gateway .254
[SW1]vlan batch 10 20 30 //create the VLANs
[SW1]dis vlan //check that the VLANs were created
[SW1]int g0/0/2 //enter interface g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access //set the port type to access
[SW1-GigabitEthernet0/0/2]port default vlan 10 //assign the default VLAN
# Configure g0/0/3 and g0/0/4 the same way
# Configure the trunk port and allow all VLANs through
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk //set the port type to trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all //allow all VLANs through
# Configure the sub-interfaces on R1
[R1]int g0/0/0.1 //create the sub-interface
[R1-GigabitEthernet0/0/0.1]ip add 192.168.10.254 24 //assign an IP address to the sub-interface
# Configure the other sub-interfaces the same way
[R1]dis ip int br //show all interface details
# Encapsulate the VLAN ID
[R1]int g0/0/0.1
[R1-GigabitEthernet0/0/0.1]dot1q termination vid 10 //specify the VID, i.e. the VLAN ID this sub-interface terminates
[R1-GigabitEthernet0/0/0.1]arp broadcast enable //enable ARP broadcast on the sub-interface
# Configure the other sub-interfaces the same way
# Run a connectivity test
Layer 3 Switching
Lab: configure the IP addresses for the topology below and use Layer 3 switching so that the PCs can reach each other.
[SW1]int Vlanif 10 //create the VLANIF interface for VLAN 10
[SW1-Vlanif10]ip add 192.168.10.254 24 //assign the IP address
[SW1-Vlanif10]int vlanif 20
[SW1-Vlanif20]ip add 192.168.20.254 24
[SW1-Vlanif20]int vlanif 30
[SW1-Vlanif30]ip add 192.168.30.254 24
# Run a connectivity test
STP Configuration
SW1: 4c1f-cc5c-74c7
SW2: 4c1f-cc2d-7013
SW3: 4c1f-cc80-7370
SW4: 4c1f-cc6f-1691
- Elect the root bridge
- The switches exchange BPDUs and compare them; the priorities are all the same
- The MAC addresses are compared; SW2 has the lowest MAC, so it is elected root bridge
- Elect the root ports
- Compare root path cost: SW1 reaches the root with the lowest cost over link 1, so SW1 port 1 is the RP (likewise SW3 port 1 and SW4 port 1 are RPs)
- If the path costs are equal, compare the BID (priority, MAC address)
- If the BIDs are also equal, compare the PID (priority, port number)
- Elect the designated ports
- A designated port is elected on every segment (every link)
- The root bridge's cost is 0, so SW2 ports 1, 2 and 3 are all DPs
- On link 4 the cost via link 1 and via link 3 is the same, so the BIDs (priority, MAC address) are compared; SW1's MAC is lower, so SW1 port 2 is the DP and SW3 port 3 is the AP
- On link 5 the cost via link 2 and via link 3 is the same, so the BIDs (priority, MAC address) are compared; SW4's MAC is lower, so SW4 port 2 is the DP and SW3 port 2 is the AP
# Check the MAC addresses
[SW1]dis stp //show the MAC address
[SW1]dis stp bri //show SW1's STP summary
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
# Ethernet0/0/1 is the RP; FORWARDING means it forwards data normally; Ethernet0/0/2 is the DP
[SW2]dis stp bri //show SW2's STP summary
MSTID Port Role STP State Protection
0 Ethernet0/0/1 DESI FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 DESI FORWARDING NONE
0 Ethernet0/0/4 DESI FORWARDING NONE
0 Ethernet0/0/5 DESI FORWARDING NONE
[SW3]dis stp bri //show SW3's STP summary
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 ALTE DISCARDING NONE
0 Ethernet0/0/3 ALTE DISCARDING NONE
# Ethernet0/0/1 is the RP and forwards data normally; Ethernet0/0/2 and Ethernet0/0/3 are APs, and DISCARDING means the port is blocked and does not forward data
[SW4]dis stp bri //show SW4's STP summary
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
Extension: make SW1 the root bridge and SW3 the secondary root bridge
[SW1]stp root primary //make SW1 the primary root bridge
[SW1]dis stp //check: the bridge priority is now 0
[SW3]stp root secondary //make SW3 the secondary root bridge
[SW3]dis stp //check: the bridge priority is now 4096
# Priority values go in steps of 2^12 = 4096; the next value is 8192, and so on
[SW1]int e0/0/1
[SW1-Ethernet0/0/1]stp cost ? //modify the port path cost
INTEGER<1-200000000> Port path cost
[SW1-Ethernet0/0/1]stp cost 55
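The election walked through above, as an added example that is not part of the original notes: a small Python model that derives the root bridge, root ports and designated ports from the four MAC addresses and reproduces the `dis stp bri` output, and that also shows what `stp root primary` / `stp root secondary` change by lowering the priorities. It assumes the link numbering of the notes (link 1: SW2 port 1 to SW1 port 1, link 2: SW2 port 2 to SW4 port 1, link 3: SW2 port 3 to SW3 port 1, link 4: SW1 port 2 to SW3 port 3, link 5: SW4 port 2 to SW3 port 2) and the 802.1t default path cost of 200000 on every 100 Mbit/s link.

```python
import heapq

DEFAULT_COST = 200000   # 802.1t path cost for 100 Mbit/s Ethernet (assumed for every link)
DEFAULT_PRIO = 32768    # default bridge priority

# Bridge MAC addresses exactly as listed in the notes
SWITCHES = {
    "SW1": "4c1f-cc5c-74c7",
    "SW2": "4c1f-cc2d-7013",
    "SW3": "4c1f-cc80-7370",
    "SW4": "4c1f-cc6f-1691",
}

# Assumed link numbering: (switch A, port on A, switch B, port on B)
LINKS = [
    ("SW2", 1, "SW1", 1),   # link 1
    ("SW2", 2, "SW4", 1),   # link 2
    ("SW2", 3, "SW3", 1),   # link 3
    ("SW1", 2, "SW3", 3),   # link 4
    ("SW4", 2, "SW3", 2),   # link 5
]


def bid(switch, priorities):
    """Bridge ID: priority first, then MAC address; the lower tuple wins."""
    return (priorities.get(switch, DEFAULT_PRIO), SWITCHES[switch])


def root_path_costs(root, links, cost):
    """Dijkstra from the root bridge: switch -> lowest root path cost."""
    nbrs = {s: [] for s in SWITCHES}
    for a, _, b, _ in links:
        nbrs[a].append(b)
        nbrs[b].append(a)
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > rpc[s]:
            continue
        for n in nbrs[s]:
            if c + cost < rpc.get(n, float("inf")):
                rpc[n] = c + cost
                heapq.heappush(heap, (c + cost, n))
    return rpc


def elect(links=LINKS, priorities=None, cost=DEFAULT_COST):
    """Return (root bridge, {(switch, port): "ROOT" | "DESI" | "ALTE"})."""
    priorities = priorities or {}
    root = min(SWITCHES, key=lambda s: bid(s, priorities))
    rpc = root_path_costs(root, links, cost)
    # Root port: lowest (cost via peer, peer BID, peer port, own port);
    # port IDs keep the default port priority, so the port number decides.
    root_port = {}
    for a, pa, b, pb in links:
        for me, mp, peer, pp in ((a, pa, b, pb), (b, pb, a, pa)):
            key = (rpc[peer] + cost, bid(peer, priorities), pp, mp)
            if me != root and (me not in root_port or key < root_port[me][0]):
                root_port[me] = (key, mp)
    # Designated port: per link, the end with the lowest (RPC, BID, port);
    # the other end is ROOT if it is that bridge's root port, else ALTERNATE.
    roles = {}
    for a, pa, b, pb in links:
        ends = sorted(((rpc[s], bid(s, priorities), p), s, p) for s, p in ((a, pa), (b, pb)))
        (_, desi, dp), (_, other, op) = ends
        roles[(desi, dp)] = "DESI"
        roles[(other, op)] = "ROOT" if root_port[other][1] == op else "ALTE"
    return root, roles
```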
Static Routing
Lab: for the topology below, configure the IP addresses as required on the diagram.
# Configure the local loopback address
[R1]int LoopBack 1
[R1-LoopBack1]ip ad 4.4.4.4 32
# Static routes on R1
ip route-static 2.2.2.2 255.255.255.255 192.168.12.2
ip route-static 3.3.3.3 255.255.255.255 192.168.13.3
ip route-static 4.4.4.4 255.255.255.255 192.168.12.2 preference 10
ip route-static 4.4.4.4 255.255.255.255 192.168.13.3 preference 100
ip route-static 192.168.24.0 255.255.255.0 192.168.12.2
ip route-static 192.168.34.0 255.255.255.0 192.168.12.2
# Static routes on R2
ip route-static 1.1.1.1 255.255.255.255 192.168.12.1
ip route-static 3.3.3.3 255.255.255.255 192.168.12.1
ip route-static 4.4.4.4 255.255.255.255 192.168.24.4
ip route-static 192.168.13.0 255.255.255.0 192.168.12.1
ip route-static 192.168.34.0 255.255.255.0 192.168.24.4
# Static routes on R3
ip route-static 1.1.1.1 255.255.255.255 192.168.13.1
ip route-static 2.2.2.2 255.255.255.255 192.168.13.1
ip route-static 4.4.4.4 255.255.255.255 192.168.34.4
ip route-static 192.168.12.0 255.255.255.0 192.168.13.1
ip route-static 192.168.24.0 255.255.255.0 192.168.34.4
# Static routes on R4
ip route-static 1.1.1.1 255.255.255.255 192.168.34.3 preference 10
ip route-static 2.2.2.2 255.255.255.255 192.168.24.2
ip route-static 3.3.3.3 255.255.255.255 192.168.34.3
ip route-static 192.168.12.0 255.255.255.0 192.168.34.3 preference 10
ip route-static 192.168.12.0 255.255.255.0 192.168.24.2
ip route-static 192.168.13.0 255.255.255.0 192.168.34.3 preference 10
# Run a connectivity test and use tracert to follow the forwarding path
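The floating static routes above (R1's two routes to 4.4.4.4/32 with preference 10 and 100), as an added example that is not part of the original notes: a Python parser for the `ip route-static <dst> <mask> <next-hop> [preference N]` lines, plus a lookup that applies longest prefix match first and preference second and can simulate the primary next hop going down. It assumes the VRP default static-route preference of 60 and only models the form of the command used in the notes.

```python
import ipaddress

DEFAULT_PREFERENCE = 60   # VRP default preference for static routes

# R1's static routes, copied verbatim from the notes
R1_STATIC = """
ip route-static 2.2.2.2 255.255.255.255 192.168.12.2
ip route-static 3.3.3.3 255.255.255.255 192.168.13.3
ip route-static 4.4.4.4 255.255.255.255 192.168.12.2 preference 10
ip route-static 4.4.4.4 255.255.255.255 192.168.13.3 preference 100
ip route-static 192.168.24.0 255.255.255.0 192.168.12.2
ip route-static 192.168.34.0 255.255.255.0 192.168.12.2
"""


def parse_static_routes(text, default_pref=DEFAULT_PREFERENCE):
    """Parse `ip route-static <dst> <mask|prefix-len> <next-hop|interface> [preference N]`
    lines into (network, next_hop, preference) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "route-static"] or len(tok) < 5:
            raise ValueError(f"not a static route: {line}")
        dst, mask, nh = tok[2], tok[3], tok[4]
        pref = default_pref
        if len(tok) > 5:
            if tok[5] != "preference" or len(tok) != 7:
                raise ValueError(f"unsupported option: {line}")
            pref = int(tok[6])
        # ipaddress accepts both a dotted mask and a prefix length after the slash
        routes.append((ipaddress.IPv4Network(f"{dst}/{mask}"), nh, pref))
    return routes


def lookup(routes, dst, down=frozenset()):
    """Longest prefix match, then lowest preference.  Next hops listed in `down`
    are treated as unreachable, which is when the preference-100 backup takes over."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0] and r[1] not in down]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]
```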
save
Saves the configuration so that it remains in effect after a reboot; run it in user view.
reset saved-configuration
Clears all saved configuration; then run reboot to restart the device.
Dynamic Routing Protocols
RIP Configuration
Lab: configure the IP addresses as shown
# Configure the loopback and physical interface addresses
[R1]int LoopBack 1
[R1-LoopBack1]ip ad 1.1.1.1 24
[R1-LoopBack1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip ad 12.1.1.1 24
# Configure the other routers the same way
# Configure RIP and advertise the classful networks (only the classful networks the router itself knows)
[R1]rip 1
[R1-rip-1]network 1.0.0.0
[R1-rip-1]network 12.0.0.0
# Configure the other routers the same way
# Connectivity test
# Configure RIP authentication
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]rip authentication-mode simple cipher huawei
[R1-GigabitEthernet0/0/0]q
[R1]
RIP Loops
- When a network failure occurs, a RIP network may form routing loops
- Loop avoidance:
- Split horizon: a route learned on an interface is not advertised back out of that interface to the neighbour
- Poison reverse: a route learned on an interface is advertised back out of that interface to the neighbour with its hop count set to 16
- Triggered update: when routing information changes, a triggered update is sent to the neighbours immediately (to avoid loops forming)
# RIP configuration
[R1]rip //enter the RIP view
[R1-rip-1]version 2 //switch to RIP version 2
[R1-rip-1]network 10.0.0.0 //advertise the classful network
# Configure metricin (metric)
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]rip metricin 2 //change the metric added to routes received on this interface
[R1-GigabitEthernet0/0/0]rip metricout 2 //change the metric added to routes sent out of this interface
# Split horizon & poison reverse
[R1-GigabitEthernet0/0/0]rip split-horizon //configure split horizon; enabled by default
[R1-GigabitEthernet0/0/0]rip poison-reverse //configure poison reverse; enabled by default
# When both are configured, only poison reverse takes effect
# Control sending and receiving of RIP packets
[R1-GigabitEthernet0/0/0]undo rip output //stop sending RIP packets
[R1-GigabitEthernet0/0/0]undo rip input //stop receiving RIP packets
# Silent interface; this command takes precedence over rip input/output
[R1]rip //enter the RIP view
[R1-rip-1]silent-interface g0/0/0 //silent interface: receives RIP packets only, does not send them
OSPF
Lab 1: configure the IP addresses as shown and configure OSPF so that R1, R2 and R3 can reach each other.
# R1
[R1]ospf 1 //OSPF process ID 1
[R1-ospf-1]area 0 //enter the backbone area
[R1-ospf-1-area-0.0.0.0]network 12.1.1.0 0.0.0.255 //advertise the network segment
[R1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0 //advertise the exact address
# R2
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 12.1.1.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 23.1.1.2 0.0.0.0
# Check the neighbour relationships
[R1]dis ospf peer bri //show neighbours
# R3
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 23.1.1.3 0.0.0.0
# Connectivity test
- Specify the Router ID
# If no router-id is specified manually, one is selected automatically
[R2]router id 12.1.1.2 //set the Router ID manually
<R2>reset ospf process //restart the OSPF process
[R2]dis ospf peer bri //show neighbours; the Router ID has become the specified 12.1.1.2
[R2]dis ospf int g0/0/0 //show OSPF state on the interface
OSPF Single Area
Configure the IP addresses as shown and use OSPF to achieve full connectivity.
- Configure OSPF
# R1
[R1]ospf router-id 1.1.1.1 //set the Router ID manually
[R1-ospf-1]area 0 //enter the backbone area
[R1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0 //advertise the exact address 1.1.1.1
[R1-ospf-1-area-0.0.0.0]net 172.16.1.254 0.0.0.0 //advertise the exact address 172.16.1.254
[R1-ospf-1-area-0.0.0.0]net 172.16.13.1 0.0.0.0 //advertise the exact address 172.16.13.1
[R1-ospf-1-area-0.0.0.0]net 172.16.12.1 0.0.0.0 //advertise the exact address 172.16.12.1
# R2
[R2]ospf router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 172.16.2.254 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 172.16.23.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 172.16.12.2 0.0.0.0
# R3
[R3]ospf router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 172.16.3.254 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 172.16.23.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 172.16.13.3 0.0.0.0
[R1]dis cu conf ospf //show the complete OSPF configuration
[R1]dis ospf peer bri //show the OSPF neighbour state
[R1]dis ip routing-table protocol ospf //show the routes learned via OSPF
# Connectivity test
OSPF Multi-Area
Multi-area OSPF configuration; the requirement is full connectivity
- Configure OSPF
# R1
[R1]ospf router-id 1.1.1.1 //set the Router ID manually
[R1-ospf-1]area 0 //enter the backbone area
[R1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0 //advertise the exact address 1.1.1.1
[R1-ospf-1-area-0.0.0.0]net 172.16.1.254 0.0.0.0 //advertise the exact address 172.16.1.254
[R1-ospf-1-area-0.0.0.0]net 172.16.13.1 0.0.0.0 //advertise the exact address 172.16.13.1
[R1-ospf-1-area-0.0.0.0]net 172.16.12.1 0.0.0.0 //advertise the exact address 172.16.12.1
# R2
[R2]ospf router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 172.16.2.254 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 172.16.23.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 172.16.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]q
[R2-ospf-1]area 1
[R2-ospf-1-area-0.0.0.1]net 172.16.24.2 0.0.0.0
# R3
[R3]ospf router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 172.16.3.254 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 172.16.23.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 172.16.13.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]q
[R3-ospf-1]area 2
[R3-ospf-1-area-0.0.0.2]net 172.16.35.3 0.0.0.0
# R4
[R4]ospf 1 //enter the OSPF process
[R4-ospf-1]area 1 //enter area 1
[R4-ospf-1-area-0.0.0.1]net 4.4.4.4 0.0.0.0 //advertise the exact address
[R4-ospf-1-area-0.0.0.1]net 172.16.24.4 0.0.0.0
# R5
[R5]ospf 1
[R5-ospf-1]area 2 //enter area 2
[R5-ospf-1-area-0.0.0.2]net 5.5.5.5 0.0.0.0 //advertise the exact address
[R5-ospf-1-area-0.0.0.2]net 172.16.35.5 0.0.0.0
# Show the LSAs learned so far
[R2]dis ospf lsdb //show the link-state database
# Connectivity test
OSPF Cost & Authentication
# Change the cost
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ospf cost 20
# Change the reference bandwidth
[R1]ospf
[R1-ospf-1]bandwidth-reference 10000
# Interface-based authentication
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ospf authentication-mode md5 1 cipher huawei
HDLC Configuration
Configure the IP addresses as shown, run HDLC on the serial link, and have the serial interface borrow the loopback address.
# Change the link protocol on R1
[R1]int s1/0/0
[R1-Serial1/0/0]link-protocol hdlc //switch to HDLC
# Change the link protocol on R2
[R2]int s1/0/0
[R2-Serial1/0/0]link-protocol hdlc
# Configure the loopback address
[R1]int lo 1
[R1-LoopBack1]ip ad 12.1.1.1 32 //assign the loopback address
[R1]int s1/0/0
[R1-Serial1/0/0]ip address unnumbered interface LoopBack 1 //borrow the loopback's address (IP unnumbered)
# Add a static route
[R1]ip route-static 12.1.1.0 30 s1/0/0
# Connectivity test
PPP
PAP Authentication
For the topology shown, configure the IP addresses and configure PPP PAP authentication.
[R1]int s1/0/0
[R1-Serial1/0/0]ppp authentication-mode pap //set the PPP authentication mode to PAP
# AAA authentication
[R1]aaa
[R1-aaa]local-user bad password cipher huawei123 //configure the user name and password
[R1-aaa]local-user bad service-type ppp //allow the user to be used for PPP
# Configuration on R2
[R2]int s1/0/0
[R2-Serial1/0/0]ppp pap local-user bad password cipher huawei123 //credentials sent by the authenticated side
# Connectivity test
CHAP Authentication
Configure the IP addresses as shown and configure PPP CHAP authentication.
- Configure the interface IP addresses on R1 and R2
# Configure CHAP authentication
[R1]int s1/0/0
[R1-Serial1/0/0]ppp authentication-mode chap
# Configure AAA authentication
[R1]aaa
[R1-aaa]local-user bad password cipher huawei123 //configure the user name and password
[R1-aaa]local-user bad service-type ppp //allow the user to be used for PPP
# Configuration on R2
[R2]int s1/0/0
[R2-Serial1/0/0]ppp chap user bad
[R2-Serial1/0/0]ppp chap password cipher huawei123
# Connectivity test
PPPoE Configuration
- PPPoE Server configuration steps
- Create the Dialer interface and obtain an IP address through negotiation
- Configure PAP authentication
- Bind the dial-up interface
- Check the assigned IP address
For the topology below, configure PPPoE so that the PC and the PPPoE server can reach each other
- PPPoE Server configuration
# Create and configure the virtual template
[PPPoE Server]int Virtual-Template 1 //create the virtual template
[PPPoE Server-Virtual-Template1]ip ad 100.100.100.254 24 //assign an IP address to the virtual template
[PPPoE Server-Virtual-Template1]ppp ipcp dns 8.8.8.8 //configure the DNS server handed out to clients
# Create and configure the address pool
[PPPoE Server]ip pool pppoe //create the address pool
[PPPoE Server-ip-pool-pppoe]network 100.100.100.0 mask 24 //network segment to allocate from
[PPPoE Server-ip-pool-pppoe]gateway-list 100.100.100.254 //set the gateway
# Bind the address pool to the virtual template and configure authentication
[PPPoE Server]int Virtual-Template 1 //enter the virtual template interface
[PPPoE Server-Virtual-Template1]remote address pool pppoe //use the address pool for peers
[PPPoE Server-Virtual-Template1]ppp authentication-mode pap //set the authentication mode
# Bind the virtual template to the physical interface
[PPPoE Server]int g0/0/0
[PPPoE Server-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1 //bind the virtual template to the physical interface
# Configure AAA authentication
[PPPoE Server]aaa
[PPPoE Server-aaa]local-user bad password cipher huawei123
[PPPoE Server-aaa]local-user bad service-type ppp
- PPPoE Client configuration
# Create the Dialer interface and obtain an IP address through negotiation
[PPPoE Client]int Dialer 1 //create the Dialer interface
[PPPoE Client-Dialer1]dialer user bad //specify the dialer user (optional)
[PPPoE Client-Dialer1]dialer bundle 1 //bind the interface to dialer bundle 1
[PPPoE Client-Dialer1]ip ad ppp-negotiate //obtain the IP address from the peer by negotiation
[PPPoE Client-Dialer1]ppp ipcp dns request //accept the DNS server offered by the peer
# Configure PAP authentication
[PPPoE Client-Dialer1]ppp pap local-user bad password cipher huawei123
# Bind the dial-up interface
[PPPoE Client]int g0/0/1
[PPPoE Client-GigabitEthernet0/0/1]pppoe-client dial-bundle-number 1
# Check the assigned IP address and run a connectivity test
[PPPoE Client]ping 100.100.100.254
# Configure an IP address on the client's LAN interface and a static route
[PPPoE Client]ip route-static 0.0.0.0 0 Dialer 1
[PPPoE Client]int g0/0/0
[PPPoE Client-GigabitEthernet0/0/0]ip ad 192.168.43.254 24
# Configure a static route on the PPPoE server (in practice this static route is not needed)
[PPPoE Server]ip route-static 0.0.0.0 0 100.100.100.253
# Connectivity test from the PC
DHCP Configuration
For the topology below, configure DHCP so that PC1 and PC2 obtain IP addresses automatically
- Configure an interface address pool
- Configure a global address pool
- Configure DHCP so that the two PCs get IP addresses in different network segments
Interface Address Pool
[DHCP Server]dhcp enable //enable the DHCP service
[DHCP Server]int g0/0/0
[DHCP Server-GigabitEthernet0/0/0]ip ad 192.168.43.254 24 //assign the address
[DHCP Server-GigabitEthernet0/0/0]dhcp select interface //use the interface address pool
[DHCP Server-GigabitEthernet0/0/0]dhcp server dns-list 8.8.8.8 //configure the DNS server
[DHCP Server-GigabitEthernet0/0/0]dhcp server excluded-ip-address 192.168.43.244 192.168.43.253 //addresses excluded from allocation
[DHCP Server-GigabitEthernet0/0/0]dhcp server lease day 3 //lease time
# Have the PCs obtain addresses via DHCP and check them
Global Address Pool
[DHCP Server]dhcp enable //enable the DHCP service
[DHCP Server]ip pool bad //create the global address pool
[DHCP Server-ip-pool-bad]net 192.168.43.0 mask 24 //add a network segment
[DHCP Server-ip-pool-bad]gateway-list 192.168.43.254 //configure the gateway
[DHCP Server-ip-pool-bad]dns-list 114.114.114.114 //configure the DNS server
[DHCP Server-ip-pool-bad]excluded-ip-address 192.168.43.250 192.168.43.253 //addresses excluded from allocation
[DHCP Server-ip-pool-bad]lease day 5 //lease time
[DHCP Server-ip-pool-bad]dis ip pool //show address pool information
# Make the interface use the global address pool
[DHCP Server]int g0/0/0
[DHCP Server-GigabitEthernet0/0/0]dhcp select global //use the global address pool
[DHCP Server-GigabitEthernet0/0/0]ip ad 192.168.43.254 24 //assign the interface IP (same segment as the pool)
# Check the IP addresses obtained on the PCs
- Extension: give the two PCs addresses in different network segments (this continues from the lab above)
Method 1: router-on-a-stick with sub-interfaces
# Switch configuration
[SW1]vlan 10
[SW1-vlan10]vlan 20
[SW1-vlan20]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 10
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 20
[SW1-GigabitEthernet0/0/3]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
# Router configuration
[DHCP Server]int g0/0/0
[DHCP Server-GigabitEthernet0/0/0]undo dhcp select global //remove the DHCP configuration
[DHCP Server-GigabitEthernet0/0/0]undo ip add //remove the IP address
# Configure the sub-interfaces
[DHCP Server]int g0/0/0.1
[DHCP Server-GigabitEthernet0/0/0.1]dot1q termination vid 10 //encapsulate VLAN ID 10
[DHCP Server-GigabitEthernet0/0/0.1]arp broadcast enable //enable ARP broadcast
[DHCP Server-GigabitEthernet0/0/0.1]ip add 192.168.43.254 24 //assign the IP address
[DHCP Server-GigabitEthernet0/0/0.1]int g0/0/0.2
[DHCP Server-GigabitEthernet0/0/0.2]dot1q termination vid 20
[DHCP Server-GigabitEthernet0/0/0.2]arp broadcast enable
[DHCP Server-GigabitEthernet0/0/0.2]ip add 192.168.53.254 24
# Check the address pools
[DHCP Server]dis ip pool
# Create an address pool
[DHCP Server]ip pool boy
[DHCP Server-ip-pool-boy]net 192.168.53.0 mask 24 //network segment to allocate
[DHCP Server-ip-pool-boy]gateway-list 192.168.53.254 //gateway
[DHCP Server-ip-pool-boy]lease day 3 //lease time
[DHCP Server-ip-pool-boy]dns-list 8.8.8.8 //DNS server
[DHCP Server-ip-pool-boy]excluded-ip-address 192.168.53.200 192.168.53.253 //addresses excluded from allocation
# Check the address pools
[DHCP Server]dis ip pool
# Make the sub-interfaces use the address pools
[DHCP Server]int g0/0/0.1
[DHCP Server-GigabitEthernet0/0/0.1]dhcp select global //use the global address pool
[DHCP Server-GigabitEthernet0/0/0.1]int g0/0/0.2
[DHCP Server-GigabitEthernet0/0/0.2]dhcp select global //use the global address pool
# Check the IP addresses obtained on the PCs
- Method 2: DHCP relay
# Configure DHCP relay
[SW1]dhcp enable
[SW1]int Vlanif 10
[SW1-Vlanif10]dhcp select relay
[SW1-Vlanif10]dhcp relay server-ip 192.168.43.254 //address of the DHCP server's outgoing interface
[SW1-Vlanif10]q
[SW1]int Vlanif 20
[SW1-Vlanif20]dhcp select relay
[SW1-Vlanif20]dhcp relay server-ip 192.168.43.254
AAA
- AAA configuration steps:
- Enable AAA (aaa)
- Configure the local user and password (local-user bad password cipher huawei@123)
- Set the service type the account is used for (local-user bad service-type telnet)
- Set the privilege level (local-user bad privilege level 5)
- Set the number of users allowed to log in at the same time (user-interface vty 0 4)
- Change the authentication mode (authentication-mode aaa)
Telnet and Stelnet Login Configuration
[AC1]telnet server enable //enable the Telnet server
[AC1]aaa //configure AAA
[AC1-aaa]local-user bad password cipher huawei@123 //create the user and set its password
[AC1-aaa]local-user bad service-type telnet //set the account's service type
[AC1-aaa]local-user bad privilege level 5 //set the privilege level
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[AC1-aaa]q
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]protocol inbound all //protocols accepted for inbound logins
[AC1-ui-vty0-4]authentication-mode aaa //switch to AAA authentication
[AC1-ui-vty0-4]return
<AC1>telnet 192.168.43.120 //log in via Telnet
Stelnet Login
# Generate the local RSA key pair
[FWQ]rsa local-key-pair create //create the key pair
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y //confirm with y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:512 //key length
Generating keys...
# Configure AAA authentication
[FWQ]aaa
[FWQ-aaa]local-user bad password cipher huawei@123 //create the user and its password
[FWQ-aaa]local-user bad service-type ssh //login method allowed for the user
[FWQ-aaa]local-user bad privilege level 5 //set the account's privilege level
[FWQ-aaa]q
[FWQ]user-interface vty 0 4 //configure the user lines
[FWQ-ui-vty0-4]authentication-mode aaa //authentication method for logins
[FWQ-ui-vty0-4]protocol inbound ssh //allow login via SSH only
# In system view, create an SSH user and set its authentication type to password
[FWQ]ssh user bad authentication-type password //password authentication
[FWQ]stelnet server enable //enable the Stelnet server
- Client configuration
# Enable first-time authentication
[KH]ssh client first-time enable
# Stelnet login
[KH]stelnet 2.2.2.29
Please input the username:bad //user name
Trying 2.2.2.29 ...
Press CTRL+K to abort
Connected to 2.2.2.29 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y //confirm with y
Apr 2 2020 20:25:28-08:00 KH %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y.
[KH]
Save the server's public key? (y/n)[n]:y //confirm with y
The server's public key will be saved with the name 2.2.2.29. Please wait...
Apr 2 2020 20:25:30-08:00 KH %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding whether to save the server's public key 2.2.2.29, the user chose Y.
[KH]
Enter password: //password
<FWQ>
ACL Configuration
Basic ACL Configuration
acl 2000
rule deny source 192.168.1.0 0.0.0.255
interface GigabitEthernet 0/0/0
traffic-filter outbound acl 2000 //apply ACL 2000 in the outbound direction
Advanced ACL Configuration
acl 3000
# Deny hosts in 192.168.1.0 access to FTP (port 21) on 172.16.10.1
rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0.0.0.0 destination-port eq 21
# Deny hosts in 192.168.2.0 access to all services on 172.16.10.2
rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0
rule permit ip //permit everything else; the default is deny
traffic-filter outbound acl 3000 //apply this ACL in the interface's outbound direction
Lab: for the topology below, configure the IP addresses and RIP so that the PCs can reach each other, then use an ACL to block the PCs from reaching each other.
- Configure the ACL on AR2
[AR2]acl 2000
[AR2-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255 //configure the ACL rule
[AR2-acl-basic-2000]rule permit //permit all other IPs
[AR2-acl-basic-2000]q
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 2000 //apply the ACL in the interface's inbound direction
ACL to Control Access to the FTP Server
[AR3]acl 3000 //configure the ACL
# Deny 192.168.1.0 access to the FTP server 192.168.2.100
[AR3-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0 destination-port eq 21
[AR3-acl-adv-3000]q
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 //apply the ACL in the interface's inbound direction
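The wildcard-mask matching and first-match rule order behind the ACLs above, as an added example that is not part of the original notes: a Python evaluator that encodes basic ACL 2000 and advanced ACL 3000 exactly as written in the notes and answers, for a given packet, which rule fires. The rule tuple layout and the `ANY` shorthand are this example's own; the `default` argument covers traffic that matches no rule at all (the notes treat that case as deny).

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: 0 bits must match, 1 bits are ignored.
    0.0.0.0 therefore means the single host `base`, 0.0.0.255 means base/24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


ANY = ("0.0.0.0", "255.255.255.255")   # constructed shorthand for "any address"

# One rule = (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port);
# protocol "ip" matches every protocol, dst_port None matches every port.
# Advanced ACL 3000 from the notes:
ACL_3000 = [
    ("deny",   "tcp", "192.168.1.0", "0.0.0.255", "172.16.10.1", "0.0.0.0", 21),
    ("deny",   "tcp", "192.168.2.0", "0.0.0.255", "172.16.10.2", "0.0.0.0", None),
    ("permit", "ip",  *ANY, *ANY, None),
]
# Basic ACL 2000 from the AR2 lab (source match only, then an explicit permit):
ACL_2000 = [
    ("deny",   "ip", "192.168.1.0", "0.0.0.255", *ANY, None),
    ("permit", "ip", *ANY, *ANY, None),
]


def evaluate(acl, proto, src, dst, dport=None, default="deny"):
    """Walk the rules in order and return the first match, as the router does.
    `default` is the action for traffic that no rule matches."""
    for action, rproto, rsrc, rswc, rdst, rdwc, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not (wildcard_match(src, rsrc, rswc) and wildcard_match(dst, rdst, rdwc)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return default
```

Because evaluation stops at the first match, a deny rule placed after the final `rule permit ip` would never fire; keep specific denies above the catch-all permit, as the notes do.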
NAT Configuration
For the topology below, complete the IP address configuration and then the following requirements.
Static NAT
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat static global 202.169.10.3 inside 172.16.1.1 //create the mapping between the public address and the private address
Easy IP
# Remove the static NAT
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]undo nat static global 202.169.10.3 inside 172.16.1.1
# Apply an ACL
[R1]acl 2000 //configure the ACL
[R1-acl-basic-2000]rule permit //permit all traffic
[R1-acl-basic-2000]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2000 //apply the ACL on the interface
[R1-GigabitEthernet0/0/0]q
[R1]dis nat outbound //verify
Dynamic NAT
# Remove the Easy IP configuration
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]undo nat outbound 2000
[R1-GigabitEthernet0/0/0]q
[R1]undo acl 2000
# Create the public address pools
# Create address group 1 with the range 202.169.10.2-202.169.10.50
[R1]nat address-group 1 202.169.10.2 202.169.10.50
# Create address group 2 with the range 202.169.10.100-202.169.10.200
[R1]nat address-group 2 202.169.10.100 202.169.10.200
# Configure the ACLs
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]acl 2001
[R1-acl-basic-2001]rule permit source 172.17.1.0 0.0.0.255
# Bind the public address pools to the ACLs
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/0]nat outbound 2001 address-group 2 no-pat
# Check the address pools
[R1]dis nat outbound
NAT Outbound Information:
-----------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-----------------------------------------------------------------------
GigabitEthernet0/0/0 2000 1 no-pat
GigabitEthernet0/0/0 2001 2 no-pat
-----------------------------------------------------------------------
Total : 2
NAT Server
# Remove the dynamic NAT configuration
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]undo nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/0]undo nat outbound 2001 address-group 2 no-pat
[R1-GigabitEthernet0/0/0]q
[R1]undo acl 2000
[R1]undo acl 2001
# Reconfigure the ACL and apply it
[R1]acl 2000
[R1-acl-basic-2000]rule permit
[R1-acl-basic-2000]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2000
- Configure NAT Server
# Configure the FTP port mapping
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface ftp inside 172.16.1.3 ftp
All of the above is original work; if anything is unclear or wrong, please point it out.