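Requirements:
1. Use 172.16.0.0/16 to subnet the network
2. Use OSPF with sensibly planned areas, and keep routing updates secure
3. Speed up convergence
4. R1 is the DR and there is no BDR
5. PC2, PC3, PC4 and PC5 obtain IP addresses automatically; PC1 is on the external network; the PCs must be able to reach one another
6. R7 is the carrier's router and may only be configured with IP addresses
7. PC1 telnets to R7 but actually logs in to R4
8. PC4 can ping R6 but cannot log in to R6
9. PC3 can ping PC5, but PC5 cannot ping PC3
1. Use 172.16.0.0/16 to subnet the network
area 0: 172.16.0.0/18
area 1: 172.16.64.0/18
area 2: 172.16.128.0/18
area 3: 172.16.192.0/18
Configure the loopback and interface IP addresses:
R1 IP address configuration: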
[R1]int l0
[R1-LoopBack0]ip add 1.1.1.1 24
[R1-LoopBack0]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 172.16.64.2 18
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 172.16.0.1 18
R2:
[R2]int l0
[R2-LoopBack0]ip add 2.2.2.2 24
[R2-LoopBack0]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 172.16.0.2 18
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 172.16.128.2 18
R3:
[R3]int l0
[R3-LoopBack0]ip add 3.3.3.3 24
[R3-LoopBack0]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 172.16.0.3 18
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 172.16.192.1 18
R4:
[R4]int l0
[R4-LoopBack0]ip add 4.4.4.4 24
[R4-LoopBack0]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 172.16.192.2 18
[R4-GigabitEthernet0/0/1]int g0/0/1.1
[R4-GigabitEthernet0/0/1.1]ip add 192.168.3.1 24
[R4-GigabitEthernet0/0/1.1]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]ip add 192.168.4.1 24
R6:
[R6]int l0
[R6-LoopBack0]ip add 6.6.6.6 24
[R6-LoopBack0]int g0/0/0
[R6-GigabitEthernet0/0/0]ip add 10.1.1.2 24
[R6-GigabitEthernet0/0/0]int g0/0/1
[R6-GigabitEthernet0/0/1]ip add 172.16.64.1 18
R7:
[R7]int l0
[R7-LoopBack0]ip add 7.7.7.7 24
[R7-LoopBack0]int g0/0/0
[R7-GigabitEthernet0/0/0]ip add 10.1.1.1 24
[R7-GigabitEthernet0/0/0]int g0/0/1
[R7-GigabitEthernet0/0/1]ip add 11.1.1.2 24
R8:
[R8]int l0
[R8-LoopBack0]ip add 8.8.8.8 24
[R8-LoopBack0]int g0/0/0
[R8-GigabitEthernet0/0/0]ip add 172.16.128.1 18
[R8-GigabitEthernet0/0/0]int g0/0/1.1
[R8-GigabitEthernet0/0/1.1]ip add 192.168.1.1 24
[R8-GigabitEthernet0/0/1.1]int g0/0/1.2
[R8-GigabitEthernet0/0/1.2]ip add 192.168.2.1 24
2. Use OSPF with sensibly planned areas, and keep routing updates secure
R1 OSPF configuration:
[R1]ospf 100 router-id 1.1.1.1
[R1-ospf-100]a 0
[R1-ospf-100-area-0.0.0.0]netw 1.1.1.1 0.0.0.0
[R1-ospf-100-area-0.0.0.0]netw 172.16.0.0 0.0.255.255
[R1-ospf-100-area-0.0.0.0]area 1
[R1-ospf-100-area-0.0.0.1]netw 172.16.64.2 0.0.0.0
To secure updates, configure plaintext (simple) area authentication:
[R1-ospf-100-area-0.0.0.0]authentication-mode simple cipher 123
[R1-ospf-100-area-0.0.0.0]a 1
[R1-ospf-100-area-0.0.0.1]authentication-mode simple cipher 123
R2:
[R2]ospf 100 router-id 2.2.2.2
[R2-ospf-100]a 0
[R2-ospf-100-area-0.0.0.0]netw 2.2.2.2 0.0.0.0
[R2-ospf-100-area-0.0.0.0]net 172.16.0.2 0.0.0.0
[R2-ospf-100-area-0.0.0.0]area 2
[R2-ospf-100-area-0.0.0.2]netw 172.16.128.2 0.0.0.0
Area authentication:
[R2-ospf-100-area-0.0.0.0]authentication-mode simple cipher 123
[R2-ospf-100-area-0.0.0.0]a 2
[R2-ospf-100-area-0.0.0.2]authentication-mode simple cipher 123
R3:
[R3]ospf 100 router-id 3.3.3.3
[R3-ospf-100]a 0
[R3-ospf-100-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-100-area-0.0.0.0]net 172.16.0.3 0.0.0.0
[R3-ospf-100-area-0.0.0.0]area 3
[R3-ospf-100-area-0.0.0.3]netw 172.16.192.1 0.0.0.0
Area authentication:
[R3-ospf-100-area-0.0.0.0]authentication-mode simple cipher 123
[R3-ospf-100-area-0.0.0.3]authentication-mode simple cipher 123
R4:
[R4]ospf 100 router-id 4.4.4.4
[R4-ospf-100]a 3
[R4-ospf-100-area-0.0.0.3]netw 4.4.4.4 0.0.0.0
[R4-ospf-100-area-0.0.0.3]netw 172.16.192.2 0.0.0.0
Area authentication:
[R4-ospf-100-area-0.0.0.3]authentication-mode simple cipher 123
R6:
[R6]ospf 100 router-id 6.6.6.6
[R6-ospf-100]a 1
[R6-ospf-100-area-0.0.0.1]netw 6.6.6.6 0.0.0.0
[R6-ospf-100-area-0.0.0.1]netw 172.16.64.1 0.0.0.0
Area authentication:
[R6-ospf-100-area-0.0.0.1]authentication-mode simple cipher 123
R8:
[R8]ospf 100 router-id 8.8.8.8
[R8-ospf-100]a 2
[R8-ospf-100-area-0.0.0.2]netw 8.8.8.8 0.0.0.0
[R8-ospf-100-area-0.0.0.2]netw 172.16.128.1 0.0.0.0
Area authentication:
[R8-ospf-100-area-0.0.0.2]authentication-mode simple cipher 123
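What simple authentication protects, as an added example that is not part of the original lab: with `authentication-mode simple` the key travels unencrypted in the 8-byte Authentication field of every OSPF header (RFC 2328, AuType 1), and the `cipher` keyword only changes how the key is stored and displayed in the configuration. The two headers below are constructed; the key ID, digest length and sequence number in the cryptographic one are assumed sample values.

```python
import ipaddress
import struct

# OSPFv2 common header (RFC 2328 A.3.1): version, type, length,
# router ID, area ID, checksum, AuType, 8-byte Authentication field.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")

def build_header(router_id, area_id, autype, auth_field):
    """Pack a constructed Hello header (body omitted, checksum left at 0)."""
    return OSPF_HDR.pack(2, 1, 44,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, autype, auth_field)

def inspect_auth(packet):
    """Report what an on-link observer learns from the header's auth fields."""
    _, _, _, rid, area, _, autype, auth = OSPF_HDR.unpack_from(packet)
    info = {"router_id": str(ipaddress.IPv4Address(rid)),
            "area": str(ipaddress.IPv4Address(area)),
            "exposed_key": None}
    if autype == 1:
        # Simple authentication: the field IS the key, zero-padded to 8 bytes.
        info["mode"] = "simple"
        info["exposed_key"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # Cryptographic authentication: only key ID, digest length and a
        # sequence number appear here; the digest is appended to the packet.
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        info.update(mode="cryptographic", key_id=key_id,
                    digest_len=digest_len, seq=seq)
    else:
        info["mode"] = "null"
    return info

# Constructed samples: R1 in area 0 with the lab's key "123", then the same
# router using cryptographic authentication (assumed key ID 1, 16-byte digest).
SIMPLE = build_header("1.1.1.1", "0.0.0.0", 1, b"123".ljust(8, b"\x00"))
CRYPTO = build_header("1.1.1.1", "0.0.0.0", 2,
                      struct.pack("!HBBI", 0, 1, 16, 1000))

if __name__ == "__main__":
    for name, pkt in (("simple", SIMPLE), ("cryptographic", CRYPTO)):
        print(name, inspect_auth(pkt))
```

Cryptographic authentication (AuType 2) keeps the key off the wire; on VRP that corresponds to the `md5` or `hmac-md5` variants of `authentication-mode`.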
3. Speed up convergence
R1:
[R1-GigabitEthernet0/0/0]ospf timer hello 5
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ospf timer hello 5
R2:
[R2-GigabitEthernet0/0/0]ospf timer hello 5
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ospf timer hello 5
R3:
[R3-GigabitEthernet0/0/0]ospf timer hello 5
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ospf timer hello 5
R4:
[R4-GigabitEthernet0/0/0]ospf timer hello 5
R6:
[R6-GigabitEthernet0/0/1]ospf timer hello 5
R8:
[R8-GigabitEthernet0/0/0]ospf timer hello 5
4. R1 is the DR and there is no BDR
R2:
[R2-GigabitEthernet0/0/0]ospf dr-priority 0
R3:
[R3-GigabitEthernet0/0/0]ospf dr-priority 0
R6:
[R6-GigabitEthernet0/0/1]ospf dr-priority 0
5. PC2, PC3, PC4 and PC5 obtain IP addresses automatically;
SW2:
[SW2]vlan batch 2 3
[SW2]int e0/0/1
[SW2-Ethernet0/0/1]p l a
[SW2-Ethernet0/0/1]p d v 2
[SW2-Ethernet0/0/1]int e0/0/2
[SW2-Ethernet0/0/2]p l a
[SW2-Ethernet0/0/2]p d v 3
[SW2-Ethernet0/0/2]int e0/0/3
[SW2-Ethernet0/0/3]p l t
[SW2-Ethernet0/0/3]p t a v 2 3
SW3:
[SW3]vlan batch 2 to 3
[SW3-Ethernet0/0/1]p l a
[SW3-Ethernet0/0/1]p d v 2
[SW3-Ethernet0/0/1]int e0/0/2
[SW3-Ethernet0/0/2]p l a
[SW3-Ethernet0/0/2]p d v 3
[SW3-Ethernet0/0/2]int e0/0/3
[SW3-Ethernet0/0/3]p l t
[SW3-Ethernet0/0/3]p t a v 2 3
Virtual sub-interface + DHCP configuration:
R8:
[R8]dhcp enable
[R8]ip pool 1
[R8-ip-pool-1]netw 192.168.1.0 ma 255.255.255.0
[R8-ip-pool-1]gateway-list 192.168.1.1
[R8-ip-pool-1]dns-list 8.8.8.8
[R8-ip-pool-1]int g0/0/1.1
[R8-GigabitEthernet0/0/1.1]dhcp select global
[R8-GigabitEthernet0/0/1.1]dot1q termination vid 2
[R8-GigabitEthernet0/0/1.1]arp broadcast enable
[R8]ip pool 2
[R8-ip-pool-2]netw 192.168.2.0 ma 24
[R8-ip-pool-2]gateway-list 192.168.2.1
[R8-ip-pool-2]dns-list 8.8.8.8
[R8-ip-pool-2]int g0/0/1.2
[R8-GigabitEthernet0/0/1.2]dhcp select global
[R8-GigabitEthernet0/0/1.2]dot1q termination vid 3
[R8-GigabitEthernet0/0/1.2]arp broadcast en
R4:
[R4]ip pool 1
[R4-ip-pool-1]netw 192.168.3.0 ma 24
[R4-ip-pool-1]gateway-list 192.168.3.1
[R4-ip-pool-1]dns-list 8.8.8.8
[R4-ip-pool-1]int g0/0/1.1
[R4-GigabitEthernet0/0/1.1]dhcp se global
[R4-GigabitEthernet0/0/1.1]dot1q termination v 2
[R4-GigabitEthernet0/0/1.1]arp broadcast en
[R4]ip pool 2
[R4-ip-pool-2]netw 192.168.4.0 ma 24
[R4-ip-pool-2]gateway-list 192.168.4.1
[R4-ip-pool-2]dns-list 8.8.8.8
[R4-ip-pool-2]int g0/0/1.2
[R4-GigabitEthernet0/0/1.2]dhcp se global
[R4-GigabitEthernet0/0/1.2]dot1q termination vid 3
[R4-GigabitEthernet0/0/1.2]arp broadcast enable
PC1 is on the external network; the PCs must be able to reach one another
PC1 static IP address: 11.1.1.1/24, gateway: 11.1.1.2
R4 advertises the PC routes into OSPF:
[R4-ospf-100]import-route direct
R8:
[R8-ospf-100]import-route direct
R6 advertises a default route and performs NAT:
[R6]ip route-static 0.0.0.0 0 10.1.1.1
[R6]ospf 100
[R6-ospf-100]default-route-advertise
[R6]acl 2000
[R6-acl-basic-2000]rule permit source any
[R6-acl-basic-2000]int g0/0/0
[R6-GigabitEthernet0/0/0]nat outbound 2000
[R6]ip route-static 11.1.1.0 24 10.1.1.1
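Test:
PC2 pings PC1:
6. PC1 telnets to R7 but actually logs in to R4
Because PC1 has no telnet function, R7 is used instead to telnet to R6, which actually logs in to R4
Telnet translation on R6:
[R6-GigabitEthernet0/0/0]nat server protocol tcp global 10.1.1.3 telnet inside 4.4.4.4 telnet
Configure remote login on R4: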
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):
Test:
7. PC4 can ping R6 but cannot log in to R6
R6:
[R6]user-interface vty 0 4
[R6-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):
ACL 3000 blocks remote login:
[R3-acl-adv-3000]rule deny tcp source 172.16.192.2 0.0.0.0 destination 172.16.64.1 0.0.0.0 destination-port eq telnet
[R3-acl-adv-3000]int g0/0/1
[R3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
Test:
8. PC3 can ping PC5, but PC5 cannot ping PC3
R8:
[R8-acl-adv-3000]rule deny icmp source 192.168.2.254 0.0.0.0 destination 192.168.4.254 0.0.0.0 icmp-type echo-reply
[R8-acl-adv-3000]int G0/0/1
[R8-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
Test:
PC3 pings PC5:
PC5 pings PC3:
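Why the single rule in step 8 gives a one-way ping, as an added example that is not part of the original lab: a ping succeeds only if both the echo request and the echo-reply get through, and the rule drops only the replies that PC3 sends back to PC5. The model below covers the rule's match logic only (not interface or direction), takes the PC addresses from the rule itself, and assumes packets that match no rule are forwarded.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Wildcard-mask match: 0 bits must be equal, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ECHO_REPLY, ECHO_REQUEST = 0, 8      # ICMP type numbers
PC3, PC5 = "192.168.2.254", "192.168.4.254"

# ACL 3000 on R8, transcribed from step 8.
RULES = [{"action": "deny", "proto": "icmp",
          "src": (PC3, "0.0.0.0"), "dst": (PC5, "0.0.0.0"),
          "icmp_type": ECHO_REPLY}]

def filter_packet(pkt, rules=RULES):
    """Return the action of the first matching rule."""
    for r in rules:
        if (pkt["proto"] == r["proto"]
                and wc_match(pkt["src"], *r["src"])
                and wc_match(pkt["dst"], *r["dst"])
                and pkt["icmp_type"] == r["icmp_type"]):
            return r["action"]
    return "permit"  # assumption: unmatched traffic is forwarded

def ping(src, dst):
    """A ping works only when request and reply are both permitted."""
    request = {"proto": "icmp", "src": src, "dst": dst,
               "icmp_type": ECHO_REQUEST}
    reply = {"proto": "icmp", "src": dst, "dst": src,
             "icmp_type": ECHO_REPLY}
    return all(filter_packet(p) == "permit" for p in (request, reply))

if __name__ == "__main__":
    print("PC3 -> PC5:", ping(PC3, PC5))
    print("PC5 -> PC3:", ping(PC5, PC3))
```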