NAT+ACL+mstp小综合

三、实验一相关知识点

1，实验：NAT 综合实验

2，拓扑：

3，需求:

1），实现VLAN20 的除了20这台主机以外所有主机上网访问外网
2），实现VLAN30 的主机为奇数电脑上网
3），实现内网VLAN10 的内网服务器可以被外网client1 访问,公有地址为200.1.1.10
4），访问外网要求使用最节省IP地址的方案

4, 配置思路

1），配置终端信息

2），配置二层交换

-创建VLAN

-配置access

3），配置路由器

-配置基本IP地址

-配置路由-静态路由

4），配置NAT 设备

-实现内网访问外网

-easyIP

-实现外网访问内网

-nat server 200.1.1.10

5），验证测试

5，配置步骤

[sw1]vlan batch 10 20 30 100 
[sw1]dis vlan
[sw1]interface g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access 
[sw1-GigabitEthernet0/0/1]port default vlan 10
[sw1-GigabitEthernet0/0/1]q
[sw1]int g0/0/4
[sw1-GigabitEthernet0/0/4]port link-type access 
[sw1-GigabitEthernet0/0/4]port default vlan 20
[sw1-GigabitEthernet0/0/4]q
[sw1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access 
[sw1-GigabitEthernet0/0/2]port default vlan 30
[sw1-GigabitEthernet0/0/2]q
[sw1]int g0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access 
[sw1-GigabitEthernet0/0/3]port default vlan 100
[sw1-GigabitEthernet0/0/3]q
[sw1]interface  Vlanif 10
[sw1-Vlanif10]ip add 192.168.10.254 24
[sw1-Vlanif10]q
[sw1]interface  Vlanif 20
[sw1-Vlanif20]ip add 192.168.20.254 24
[sw1-Vlanif20]q
[sw1]int Vlanif 30
[sw1-Vlanif30]ip add 192.168.30.254 24
[sw1-Vlanif30]q
[sw1]int Vlanif 100
[sw1-Vlanif100]ip add 192.168.100.2 24
[sw1-Vlanif100]q
[sw1]dis ip int brief 


[sw1]ip route-static 0.0.0.0 0 192.168.100.1
[NAT]ip route-static 0.0.0.0 0 200.1.1.2
[NAT]ip route-static 192.168.10.0 24 192.168.100.2
[NAT]ip route-static 192.168.20.0 24 192.168.100.2
[NAT]ip route-static 192.168.30.0 24 192.168.100.2

通配符： 0表示严格检查、匹配

1表示任意匹配，忽略检查

192.168.30.0 段匹配奇数 —最后一位为1 ，指的是主机位我只检查最后一位即可，最有一位用0匹配。前面几位用1匹配

192.168.30.1 192.168.30. 0000000 1

192.168.30.3 192.168.30. 0000001 1

192.168.30.5 192.168.30.0000010 1

192.168.30.7 192.168. 30.0000011 1

192.168.30.9 192.168.30 .0000100 1 0.0.0.11111110 0.0.0.254

192.168.30.1 0.0.0.254

[NAT]acl 2000
[NAT-acl-basic-2000]rule  deny source 192.168.20.20 0.0.0.0
[NAT-acl-basic-2000]rule  permit source  192.168.20.0 0.0.0.255
[NAT-acl-basic-2000]rule permit source 192.168.30.1 0.0.0.254
[NAT-acl-basic-2000]rule  permit  source any     //不可以配置，否则偶数也放行啦
[NAT]int g0/0/1 
[NAT-GigabitEthernet0/0/1]nat outbound 2000
[NAT]acl  2000
[NAT-acl-basic-2000]rule  deny source any 
[NAT-acl-basic-2000]dis th  
rule 5 deny source 192.168.20.20 0 
rule 10 permit source 192.168.20.0 0.0.0.255 
rule 15 permit source 192.168.30.1 0.0.0.254 
rule 20 permit 
rule 25 deny 
[NAT-acl-basic-2000]undo  rule 20
[NAT-acl-basic-2000]dis th 
rule 5 deny source 192.168.20.20 0 
rule 10 permit source 192.168.20.0 0.0.0.255 
rule 15 permit source 192.168.30.1 0.0.0.254 
rule 25 deny

验证：在客户端更改奇数偶数地址，进行验证。

实验：一阶段最终测试：VLAN +三层交换+链路聚合+MSTP+ACL+NAT+静态路由+DHCP+Telnet

1，需求：

1，实现VLAN20 的除了20这台主机以外所有主机上网访问外网
2，实现VLAN30 的主机为奇数电脑上网
3，实现内网VLAN10 的内网服务器可以被外网client1 访问,公有地址为200.1.1.10
4，访问外网要求使用最节省IP地址的方案
5，在SW1和SW2 完成增强带宽的操作，同时在SW3和SW1上也完成增强链路带宽的操作，尽量节省成本
6，实现内网的终端在进行数据通信的时候，要求走最优的路径
7，内网各个网段的主机通过DHCP服务器自动获取IP地址信息，将保留的地址进行排除
8, 在ISP 上实现远程登录内网SW1 的Telnet服务

2，拓扑

3，配置思路

1，配置终端信息 10

2，配置二层交换 10

-创建VLAN

-配置access

-配置trunk

-配置链路聚合 10

-配置MSTP 10

3，配置路由器 10

-配置基本IP地址

-配置路由-静态路由

4，配置NAT 设备

-实现内网访问外网 10

-easyIP

-实现外网访问内网

-nat server 200.1.1.10

WEB 10

TELNET 10

5，配置DHCP服务器 20

6，验证测试

4，配置步骤：

1）创建VLAN

[SW1]vlan  batch 10 20 30 100
[SW2]vlan  batch 10 20 30 100
[sw3]vlan  batch 10 20 30 100
2）配置access
[SW1]int  g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access 
[SW1-GigabitEthernet0/0/3]port default vlan 100
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type access 
[SW2-GigabitEthernet0/0/2]port default vlan 10
[sw3]int g0/0/1
[sw3-GigabitEthernet0/0/1]port link-type access 
[sw3-GigabitEthernet0/0/1]port default vlan 20
[sw3-GigabitEthernet0/0/1]q
[sw3]int g0/0/4
[sw3-GigabitEthernet0/0/4]port link-type access 
[sw3-GigabitEthernet0/0/4]port default vlan 30
3）配置链路聚合+trunk
[SW1]interface Eth-Trunk 1 
[SW1-Eth-Trunk1]mode lacp-static 
[SW1-Eth-Trunk1]trunkport g0/0/1
[SW1-Eth-Trunk1]trunkport g0/0/5
[SW1-Eth-Trunk1]port link-type  trunk 
[SW1-Eth-Trunk1]port trunk allow-pass vlan all 
[SW1-Eth-Trunk1]q
[SW1]interface  Eth-Trunk 2 
[SW1-Eth-Trunk2]mode lacp-static 
[SW1-Eth-Trunk2]trunkport g0/0/2
[SW1-Eth-Trunk2]trunkport g0/0/6
[SW1-Eth-Trunk2]p l t
[SW1-Eth-Trunk2]p t a v a
[SW2]int Eth-Trunk 1 
[SW2-Eth-Trunk1]mode  lacp-static 
[SW2-Eth-Trunk1]trunkport g0/0/1
[SW2-Eth-Trunk1]trunkport g0/0/5
[SW2-Eth-Trunk1]port l t
[SW2-Eth-Trunk1]p t a v a
[SW2-Eth-Trunk1]q
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]p l t
[SW2-GigabitEthernet0/0/3]p t a v a
[sw3]int Eth-Trunk 2
[sw3-Eth-Trunk2]mode  lacp-static 
[sw3-Eth-Trunk2]trunkport g0/0/2
[sw3-Eth-Trunk2]trunkport g0/0/6
[sw3-Eth-Trunk2]p l t
[sw3-Eth-Trunk2]p t a v a
[sw3-Eth-Trunk2]q
[sw3]int g0/0/3
[sw3-GigabitEthernet0/0/3]p l t
[sw3-GigabitEthernet0/0/3]p t a v a
4）配置MSTP    SW1/SW2/SW3
stp region-configuration
region-name HCIP
instance 1 vlan 10
instance 2 vlan 20 30
active region-configuration
[SW2]stp instance 1 priority 4096
[sw3]stp instance 2 priority 4096
5）配置路由器IP地址 、静态路由
[SW1]interface Vlanif 10 
[SW1-Vlanif10]ip add 192.168.10.254 24
[SW1-Vlanif10]q
[SW1]interface Vlanif 20
[SW1-Vlanif20]ip add 192.168.20.254 24
[SW1-Vlanif20]q
[SW1]int Vlanif 30
[SW1-Vlanif30]ip add 192.168.30.254 24
[SW1-Vlanif30]q
[SW1]int Vlanif 100
[SW1-Vlanif100]ip add 192.168.100.2 24
[SW1-Vlanif100]q
[SW1]ip route-static 0.0.0.0 0 192.168.100.1
[NAT]int g0/0/0
[NAT-GigabitEthernet0/0/0]ip add 192.168.100.1 24
[NAT-GigabitEthernet0/0/0]q
[NAT]int g0/0/1
[NAT-GigabitEthernet0/0/1]ip add 200.1.1.1 24
[NAT-GigabitEthernet0/0/1]q
[NAT]ip route-static 0.0.0.0 0 200.1.1.2
[NAT]ip route-static 192.168.10.0 24 192.168.100.2
[NAT]ip route-static 192.168.20.0 24 192.168.100.2
[NAT]ip route-static 192.168.30.0 24 192.168.100.2
6）配置easyIP
[NAT]acl 2000
[NAT-acl-basic-2000]rule  deny source 192.168.20.20 0
[NAT-acl-basic-2000]rule  permit  source 192.168.20.0 0.0.0.255
[NAT-acl-basic-2000]rule  permit source  192.168.30.1 0.0.0.254
[NAT-acl-basic-2000]q
[NAT]int g0/0/1
[NAT-GigabitEthernet0/0/1]nat outbound 2000
7)配置NAT  SERVER
[SW1]telnet  server enable 
[SW1]user-interface vty 0 4
[SW1-ui-vty0-4]authentication-mode aaa
[SW1-ui-vty0-4]protocol inbound all 
[SW1-ui-vty0-4]q
[SW1]aaa
[SW1-aaa]local-user wy password cipher suibian
[SW1-aaa]local-user wy service-type telnet
[SW1-aaa]local-user wy privilege level 15
[NAT]int g0/0/1
[NAT-GigabitEthernet0/0/1]nat outbound 2000
[NAT-GigabitEthernet0/0/1]nat server protocol tcp global 200.1.1.10 80 inside 192.168.10.1 80
[NAT-GigabitEthernet0/0/1]nat server protocol tcp global 200.1.1.10 23 inside 192.168.100.2 23
8）配置DHCP服务器
[SW1]dhcp enable 
[SW1]ip pool vlan10
[SW1-ip-pool-vlan10]network 192.168.10.0 mask 24
[SW1-ip-pool-vlan10]gateway-list 192.168.10.254
[SW1-ip-pool-vlan10]dns-list 1.1.1.1
[SW1-ip-pool-vlan10]lease day 10
[SW1-ip-pool-vlan10]q
[SW1]interface Vlanif 10
[SW1-Vlanif10]dhcp select global 
[SW1-Vlanif10]q
[SW1]ip pool vlan20
[SW1-ip-pool-vlan20]network 192.168.20.0 mask 24
[SW1-ip-pool-vlan20]gateway-list 192.168.20.254
[SW1-ip-pool-vlan20]dns-list 2.2.2.2
[SW1-ip-pool-vlan20]excluded-ip-address 192.168.20.20
[SW1-ip-pool-vlan20]lease day 0 hour 6
[SW1-ip-pool-vlan20]q
[SW1]interface Vlanif 20
[SW1-Vlanif20]dhcp select global 
[SW1-Vlanif20]q
[SW1]ip pool vlan30
[SW1-ip-pool-vlan30]network 192.168.30.0 mask 24
[SW1-ip-pool-vlan30]gateway-list 192.168.30.254
[SW1-ip-pool-vlan30]dns-list 6.6.6.6
[SW1-ip-pool-vlan30]q
[SW1]int Vlanif 30
[SW1-Vlanif30]dhcp select global

更多资源------>黑凤梨 (zhangwujistudy) - Gitee.com