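H3C OSPF+NAT+DHCP+PPP Comprehensive Lab
Lab topology
Lab requirements
1. Configure the IP addresses as shown in the topology diagram.
2. Configure link aggregation on the direct links between SW1 and SW2.
3. The company's internal service segments are Vlan10 and Vlan20. Vlan10 is the Marketing department and Vlan20 is the Technical department; name the VLANs so that they are easy to identify. PC1 belongs to Vlan10 and PC2 belongs to Vlan20. Vlan30 is used by SW1 and SW2 to establish the OSPF neighbor relationship. Vlan111 is the interconnect VLAN between SW1 and R1, and Vlan222 is the interconnect VLAN between SW2 and R2.
4. Configure every port that connects two switches as a Trunk port and permit the relevant traffic.
5. Configure the switch ports that connect to PCs as edge ports.
6. Configure the DHCP service on SW1 to dynamically assign IP addresses, gateways and DNS addresses to the PCs in Vlan10 and Vlan20. The gateway for Vlan10 must be 192.168.1.252 and the gateway for Vlan20 must be 192.168.2.253.
7. Configure OSPF by area as shown in the diagram so that the whole internal network is reachable. The loopback interfaces of the ABRs are advertised into the backbone area. No protocol packets are allowed on the service segments.
8. Configure a default route on R1 that points to the Internet and inject it into OSPF.
9. R1 connects to the Internet over two links; configure PPP-MP with bidirectional CHAP authentication.
10. Configure Easy IP so that only traffic from the service segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R1.
11. Enable Telnet remote management on R1, logging in as user abc with password abc; only the Technical department is allowed to manage R1 remotely.
Lab steps
Device IP address configuration
R1 IP configuration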
#
interface MP-group1
ip address 202.100.1.2 255.255.255.252
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
ip address 10.0.0.5 255.255.255.252
#
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet0/2
ip address 10.0.0.14 255.255.255.252
R2 IP configuration
#
interface LoopBack0
ip address 10.1.1.2 255.255.255.255
#
interface GigabitEthernet0/0
ip address 10.0.0.9 255.255.255.252
#
interface GigabitEthernet0/1
ip address 10.0.0.2 255.255.255.252
#
interface GigabitEthernet0/2
ip address 10.0.0.18 255.255.255.252
R3 IP configuration
#
interface LoopBack0
ip address 10.1.1.3 255.255.255.255
#
interface GigabitEthernet0/0
ip address 10.0.0.13 255.255.255.252
#
interface GigabitEthernet0/1
ip address 192.168.3.254 255.255.255.0
#
interface GigabitEthernet0/2
ip address 10.0.0.17 255.255.255.252
SW1 IP configuration
#
vlan 10
description 市场部
#
vlan 20
description 技术部
#
vlan 30
description OSPF邻居VLAN
#
vlan 111
description SW1和R1的互联VLAN
#
interface LoopBack0
ip address 10.1.1.11 255.255.255.255
#
interface Vlan-interface10
ip address 192.168.1.252 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.2.252 255.255.255.0
#
interface Vlan-interface30
ip address 10.1.2.1 255.255.255.252
#
interface Vlan-interface111
ip address 10.0.0.6 255.255.255.252
SW2 IP configuration
#
vlan 10
description 市场部
#
vlan 20
description 技术部
#
vlan 30
description OSPF邻居VLAN
#
vlan 222
description SW2和R2的互联VLAN
#
interface LoopBack0
ip address 10.1.1.12 255.255.255.255
#
interface Vlan-interface10
ip address 192.168.1.253 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.2.253 255.255.255.0
#
interface Vlan-interface30
ip address 10.1.2.2 255.255.255.252
#
interface Vlan-interface222
ip address 10.0.0.10 255.255.255.252
Internet IP configuration
#
interface MP-group1
ip address 202.100.1.1 255.255.255.252
#
interface LoopBack0
ip address 100.1.1.1 255.255.255.255
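PC3 IP configuration
Service segment configuration
SW1 as the DHCP server
Configured per the requirement: configure the DHCP service on SW1 to dynamically assign IP addresses, gateways and DNS addresses to the PCs in Vlan10 and Vlan20. The gateway for Vlan10 must be 192.168.1.252 and the gateway for Vlan20 must be 192.168.2.253.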
#
dhcp enable
#
dhcp server ip-pool 1
gateway-list 192.168.1.252
network 192.168.1.0 mask 255.255.255.0
dns-list 202.101.224.69 202.101.224.68
#
dhcp server ip-pool 2
gateway-list 192.168.2.253
network 192.168.2.0 mask 255.255.255.0
dns-list 202.101.224.69 202.101.224.68
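Link aggregation on the direct links between SW1 and SW2
Configured per the requirement: configure link aggregation on the direct links between SW1 and SW2.
SW1 link aggregation configuration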
#
interface Bridge-Aggregation1
#
interface GigabitEthernet1/0/1
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-aggregation group 1
SW2 link aggregation configuration
#
interface Bridge-Aggregation1
#
interface GigabitEthernet1/0/1
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-aggregation group 1
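Permit the corresponding VLANs on all switch interconnect ports
Configured per the requirement: configure every port that connects two switches as a Trunk port and permit the relevant traffic.
SW1 port configuration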
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20 30
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20
#
interface GigabitEthernet1/0/4
port access vlan 111
SW2 port configuration
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20 30
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20
#
interface GigabitEthernet1/0/4
port access vlan 222
SW3 port configuration
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20
#
interface GigabitEthernet1/0/3
port access vlan 10
#
interface GigabitEthernet1/0/4
port access vlan 20
Edge port configuration
Configured per the requirement: configure the switch ports that connect to PCs as edge ports.
#
interface GigabitEthernet1/0/3
stp edged-port
#
interface GigabitEthernet1/0/4
stp edged-port
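PC1 and PC2 obtain IP addresses automatically
IP address obtained by PC1
IP address obtained by PC2
Backbone area configuration
Configured per the requirement: configure OSPF by area as shown in the diagram so that the whole internal network is reachable; the loopback interfaces of the ABRs are advertised into the backbone area.
R1 OSPF configuration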
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.0.0.1 0.0.0.0
network 10.0.0.14 0.0.0.0
network 10.1.1.1 0.0.0.0
area 0.0.0.1
network 10.0.0.5 0.0.0.0
R2 OSPF configuration
#
ospf 1 router-id 10.1.1.2
area 0.0.0.0
network 10.0.0.2 0.0.0.0
network 10.0.0.18 0.0.0.0
network 10.1.1.2 0.0.0.0
area 0.0.0.1
network 10.0.0.9 0.0.0.0
R3 OSPF configuration
#
ospf 1 router-id 10.1.1.3
area 0.0.0.0
network 10.0.0.13 0.0.0.0
network 10.0.0.17 0.0.0.0
network 10.1.1.3 0.0.0.0
network 192.168.3.0 0.0.0.255
SW1 OSPF configuration
#
ospf 1 router-id 10.1.1.11
area 0.0.0.1
network 10.0.0.6 0.0.0.0
network 10.1.1.11 0.0.0.0
network 10.1.2.1 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
SW2 OSPF configuration
#
ospf 1 router-id 10.1.1.12
area 0.0.0.1
network 10.0.0.10 0.0.0.0
network 10.1.1.12 0.0.0.0
network 10.1.2.2 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
No protocol packets are allowed on the service segments
R3 configuration
#
ospf 1 router-id 10.1.1.3
silent-interface GigabitEthernet0/1
SW1 configuration
#
ospf 1 router-id 10.1.1.11
silent-interface Vlan-interface10
silent-interface Vlan-interface20
SW2 configuration
#
ospf 1 router-id 10.1.1.12
silent-interface Vlan-interface10
silent-interface Vlan-interface20
Configure a default route on R1 that points to the Internet and inject it into OSPF
#
ip route-static 0.0.0.0 0 202.100.1.1
#
ospf 1 router-id 10.1.1.1
default-route-advertise
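Internet area configuration
Configure PPP-MP with bidirectional CHAP authentication
Configured per the requirement: R1 connects to the Internet over two links; configure PPP-MP with bidirectional CHAP authentication.
R1 PPP-MP configuration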
#
interface MP-group1
#
interface Serial1/0
ppp mp MP-group1
#
interface Serial2/0
ppp mp MP-group1
R1 bidirectional CHAP authentication configuration
#
local-user user1 class network
password simple 123
service-type ppp
#
interface Serial1/0
ppp authentication-mode chap
ppp chap password simple 123
ppp chap user user1
#
interface Serial2/0
ppp authentication-mode chap
ppp chap password simple 123
ppp chap user user1
Internet PPP-MP configuration
#
interface MP-group1
#
interface Serial1/0
ppp mp MP-group1
#
interface Serial2/0
ppp mp MP-group1
Internet bidirectional CHAP authentication configuration
#
local-user user1 class network
password simple 123
service-type ppp
#
interface Serial1/0
ppp authentication-mode chap
ppp chap password simple 123
ppp chap user user1
#
interface Serial2/0
ppp authentication-mode chap
ppp chap password simple 123
ppp chap user user1
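The two-way CHAP exchange configured above, modelled in Python as an added example (not part of the original lab and not H3C's implementation). It uses the RFC 1994 MD5 response calculation; the ChapEndpoint class and its method names are hypothetical, user1 and 123 are the values from the configuration, and the mismatched peer is constructed.

```python
import hashlib
import hmac
import os

# Local user table as configured on both R1 and Internet (values from the page).
LOCAL_USERS = {"user1": b"123"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP-MD5 value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapEndpoint:
    """Hypothetical model of one link end: 'ppp chap user/password' plus local users."""

    def __init__(self, chap_user, chap_password, local_users):
        self.chap_user = chap_user
        self.chap_password = chap_password
        self.local_users = local_users

    def respond(self, identifier, challenge):
        # Peer role: send own user name and the hash, never the password itself.
        return self.chap_user, chap_response(identifier, self.chap_password, challenge)

    def verify(self, identifier, challenge, user, response):
        # Authenticator role: look up the claimed user, recompute, compare.
        secret = self.local_users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def authenticate(authenticator, peer, identifier):
    """One direction: authenticator challenges, peer responds, authenticator verifies."""
    challenge = os.urandom(16)  # fresh random challenge per attempt
    user, response = peer.respond(identifier, challenge)
    return authenticator.verify(identifier, challenge, user, response)


def bidirectional(a, b):
    """'ppp authentication-mode chap' on both ends: each side must pass."""
    return authenticate(a, b, 1) and authenticate(b, a, 2)


R1 = ChapEndpoint("user1", b"123", LOCAL_USERS)
INTERNET = ChapEndpoint("user1", b"123", LOCAL_USERS)
WRONG = ChapEndpoint("user1", b"124", LOCAL_USERS)  # constructed mismatch
```

bidirectional(R1, INTERNET) returns True, while bidirectional(R1, WRONG) returns False because R1 rejects the response computed from the mismatched password.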
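Configure Easy IP
Configured per the requirement: configure Easy IP so that only traffic from the service segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R1.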
#
acl basic 2000
description NAT
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.2.0 0.0.0.255
#
interface MP-group1
nat outbound 2000
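Enable Telnet remote management on R1
Configured per the requirement: enable Telnet remote management on R1, logging in as user abc with password abc; only the Technical department is allowed to manage R1 remotely.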
#
undo password-control length enable
undo password-control composition enable
undo password-control complexity user-name check
#
local-user abc class manage
password simple abc
service-type telnet
authorization-attribute user-role level-15
#
line vty 0 4
authentication-mode scheme
protocol inbound telnet
#
acl basic 2001
description acl telnet
rule 0 permit source 192.168.2.0 0.0.0.255
#
telnet server enable
telnet server acl 2001
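How ACL 2000 (used by nat outbound) and ACL 2001 (used by telnet server acl) classify the source addresses that appear in this lab, as an added Python example that is not part of the original post. The function names are hypothetical, and PC3's address is not shown on the page, so 192.168.3.1 is an assumed host in R3's 192.168.3.0/24 segment.

```python
import ipaddress

# Rules copied from the page: (rule ID, action, source, wildcard mask).
ACL_2000_NAT = [(0, "permit", "192.168.1.0", "0.0.0.255"),
                (5, "permit", "192.168.2.0", "0.0.0.255")]
ACL_2001_TELNET = [(0, "permit", "192.168.2.0", "0.0.0.255")]
# 192.168.1.1, 192.168.2.1, 192.168.1.252 and 192.168.2.252 appear on the
# page; 192.168.3.1 for PC3 is an assumption (see the lead-in).
SOURCES = {"PC1": "192.168.1.1", "PC2": "192.168.2.1", "PC3": "192.168.3.1",
           "SW1-vlan10": "192.168.1.252", "SW1-vlan20": "192.168.2.252"}


def wildcard_match(src, net, wildcard):
    """True if src equals net on every bit where the wildcard bit is 0."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, net, wildcard))
    return ((s ^ n) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl, src):
    """Return the action of the first matching rule, in rule-ID order.

    A source that matches no rule yields "no-match": it is not translated by
    'nat outbound' and is refused by 'telnet server acl'.
    """
    for _rule_id, action, net, wildcard in sorted(acl):
        if wildcard_match(src, net, wildcard):
            return action
    return "no-match"


def lab_matrix(sources):
    """Map each host to (translated by NAT?, allowed to Telnet to R1?)."""
    return {name: (evaluate(ACL_2000_NAT, ip) == "permit",
                   evaluate(ACL_2001_TELNET, ip) == "permit")
            for name, ip in sources.items()}


if __name__ == "__main__":
    for name, (nat, telnet) in lab_matrix(SOURCES).items():
        print(f"{name:11} NAT={nat!s:5} Telnet={telnet}")
```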
Lab verification
Test whether only traffic from the service segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R1
PC1 test: can reach the Internet
<H3C>ping 100.1.1.1
Ping 100.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=253 time=1.386 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=253 time=1.077 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=253 time=1.382 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=253 time=1.437 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=253 time=1.503 ms
--- Ping statistics for 100.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.077/1.357/1.503/0.147 ms
<H3C>%Feb 19 13:10:14:705 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 100.1.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.077/1.357/1.503/0.147 ms.
PC2 test: can reach the Internet
<H3C>ping 100.1.1.1
Ping 100.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=253 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=253 time=3.000 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=253 time=3.000 ms
--- Ping statistics for 100.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms
<H3C>%Feb 19 13:10:35:094 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 100.1.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms.
PC3 test: cannot reach the Internet
<H3C>ping 100.1.1.1
Ping 100.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 100.1.1.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Feb 19 13:13:22:721 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 100.1.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
NAT session query on R1: only traffic from the service segments 192.168.1.0/24 and 192.168.2.0/24 reaches the Internet through R1
[R1]display nat session
Slot 0:
Initiator:
Source IP/port: 192.168.2.1/156
Destination IP/port: 100.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
Initiator:
Source IP/port: 192.168.1.1/156
Destination IP/port: 100.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
Total sessions found: 2
Test whether only the Technical department can manage R1 remotely
PC2 in the Technical department is allowed to manage R1 remotely
<H3C>telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Login: abc
Password:
<R1>
SW1 test with a specified source IP: only a Technical department IP can manage R1 remotely
<SW1>telnet 10.1.1.1 source ip 192.168.1.252
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Failed to connect to the remote host!
<SW1>telnet 10.1.1.1 source ip 192.168.2.252
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Login: abc
Password:
<R1>
No other host can manage R1 remotely
PC1:
<H3C>telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Failed to connect to the remote host!
PC3:
<H3C>telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Failed to connect to the remote host!
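Notes
Route injection into OSPF uses the import-route command.
The import-route command can inject only specific routes, direct routes and routes from external protocols; it cannot inject a default route.
R1 has a default route pointing to the external network. Because import-route cannot inject a default route, the internal routers cannot learn the default route, so the internal network cannot reach the external network.
Use the default-route-advertise command to inject the default route.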