我要评论
华为-ensp基础实验配置及过程
每个部分下的内容比较多,避免浪费时间翻阅,请根据目录导向查看指定内容
一、静态路由配置
实验拓扑及要求:
配置过程:
(先按照实验要求把pc的ip和网关给配置完毕,此处pc的设置省略)
(router的停止信息泛洪和关闭info的设置可以不做)
router1上:
undo terminal monitor
system-view
[huawei]sysname router1
[router1]undo info-center enable
[router1]int gigabitethernet 0/0/0
[router1-gigabitethernet0/0/0]ip address 192.168.1.254 24
[router1-gigabitethernet0/0/0]q
[router1]int gigabitethernet 0/0/1
[router1-gigabitethernet0/0/1]ip address 1.1.1.1 24
[router1-gigabitethernet0/0/1]q
[router1]ip route-static 192.168.2.0 24 1.1.1.2
router2上:
undo terminal monitor
system-view
[huawei]sysname router1
[router1]undo info-center enable
[router2]int gigabitethernet 0/0/1
[router2-gigabitethernet0/0/1]ip address 192.168.2.254 24
[router2-gigabitethernet0/0/1]q
[router2]int gigabitethernet 0/0/0
[router2-gigabitethernet0/0/0]ip address 1.1.1.2 24
[router2-gigabitethernet0/0/0]q
[router2]ip route-static 192.168.1.0 24 1.1.1.1
(配置完后,可以分别在router上查看路由信息:ip routing-table)
ps:
以下为比较复杂的静态路由配置(其中包括端口port配置、vlan技术等),调配完基础性配置后才能进行静态路由配置。
实验拓扑及要求:
配置过程:
acsw上:
(此处省略停止泛洪信息和info-ceter信息等配置)
system-view
[huawei]sysname acsw
[acsw]vlan batch 10 20
[acsw]int gigabitethernet 0/0/1
[acsw-gigabitethernet0/0/1]port link-type access
[acsw-gigabitethernet0/0/1]port default vlan 10
[acsw-gigabitethernet0/0/1]q
[acsw]int gigabitethernet 0/0/2
[acsw-gigabitethernet0/0/2]port link-type access
[acsw-gigabitethernet0/0/2]port default vlan 10
[acsw-gigabitethernet0/0/2]q
[acsw]int gigabitethernet 0/0/4
[acsw-gigabitethernet0/0/4]port link-type access
[acsw-gigabitethernet0/0/4]port default vlan 20
[acsw-gigabitethernet0/0/4]q
[acsw]int gigabitethernet 0/0/3
[acsw-gigabitethernet0/0/3]port link-type trunk
[acsw-gigabitethernet0/0/3]port trunk allow-pass vlan all
[acsw-gigabitethernet0/0/3]q
coresw上:
system-view
[huawei]sysname coresw
[coresw]vlan batch 10 20
[coresw]int gigabitethernet 0/0/1
[coresw-gigabitethernet0/0/1]port link-type trunk
[coresw-gigabitethernet0/0/1]port trunk allow-pass vlan all
[coresw-gigabitethernet0/0/1]q
[coresw]int vlanif 10
[coresw-vlanif10]ip address 192.168.10.254 24
[coresw-vlanif10]q
[coresw]int vlanif 20
[coresw-vlanif20]ip address 192.168.20.254 24
[coresw-vlanif20]q
[coresw]int gigabitethernet 0/0/2
[coresw-gigabitethernet0/0/2]port link-type access
[coresw-gigabitethernet0/0/2]port default vlan 100
[coresw-gigabitethernet0/0/2]q
[coresw]int vlanif 100
[coresw-vlanif100]ip address 172.16.1.2 24
[coresw-vlanif100]q
router上:
system-view
[huawei]sysname router
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]ip address 172.16.1.1 24
[router-gigabitethernet0/0/0]q
[router]ip route-static 192.168.10.0 24 172.16.1.2
[router]ip route-static 192.168.20.0 24 172.16.1.2
(配置完毕后,可以尝试用pc去ping通router)
二、缺省路由和回程路由配置
实验拓扑及要求:
配置过程:
(在上面的配置基础上,添加了“模拟电信宽带”的组网,需要根据需求将router1和router2上指定接口的ip预设完毕,且配置server的ip和网关)
(去往互联网的静态路由在core上配置,使用0.0.0.0 0.0.0.0)
(此处省略新增组网的基础配置过程,只在原有基础上添加新命令)
core上:
[coresw]ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
router1上:
[router]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
(此阶段配置完毕后,还不能实现内网访问互联网,需要后续做nat配置)
三、nat配置
实验拓扑及要求:
配置过程:
(预设的配置方法与上节一样,以下省略,若ip地址等信息不同,以本节拓扑的地址为主;注意,coresw和router的网段中,首先需要给core配置vlan,并在vlan上配置ip地址;另外,coresw与router相连的上行接口必须配置access-vlan,否则,即使处于同一个网段,互相也无法ping通)
(在内网可以访问外网server的基础上进行以下配置)
router1上:
[router1]acl 2000
[router1-acl-basic-2000]rule permit source any
[router1-gigabitethernet0/0/1]nat outbound 2000
[router1-gigabitethernet0/0/1]q
(注意,本节只进行nat配置、并没有添加其他acl规则,如想添加deny规则,就需要在进口inb ound进行配置)
四、防火墙配置
实验拓扑及要求:
(由于拓扑和之前类似,且配置没有改变,该节不做演示,只做防火墙的简单基本配置,现实情况比这复杂得多)
(usg6000的安装过程此阶段省略,username:admin,password:admin@123,输入密码后系统会提示修改新密码)
配置过程:
(···)
[firewall]firewall zone trust
[firewall-zone-trust]add interface gigabitethernet 0/0/0
[firewall]firewall zone untrust
[firewall-zone-untrust]add interface gigabitethernet 1/0/0
[firewall-zone-untrust]q
[firewall]security-policy
[firewall-policy-security]rule name shangwang
[firewall-policy-security-rule-shangwang]source-zone trust
[firewall-policy-security-rule-shangwang]destination-zone untrust
[firewall-policy-security-rule-shangwang]action permit
[firewall-policy-security-rule-shangwang]q
[firewall-policy-security]q
[firewall]int gigabitethernet 0/0/0
[firewall-gigabitethernet0/0/0]ip address 172.16.1.2 24
[firewall-gigabitethernet0/0/0]q
[firewall]int gigabitethernet 1/0/0
[firewall-gigabitethernet1/0/0]ip address 10.1.1.1 24
[firewall-gigabitethernet1/0/0]q
[firewall]nat-policy
[firewall-policy-nat]rule name shangwang
[firewall-policy-nat-rule-shangwang]source-zone trust
[firewall-policy-nat-rule-shangwang]destination-zone untrust
[firewall-policy-nat-rule-shangwang]action source-nat easy-ip
五、浮动路由配置
实验拓扑及要求:
配置过程:
(预设置过程已省略,以下是router1的浮动路由配置)
[router1]ip route-static 6.6.6.6 32 2.2.2.2 preference 61
[router1]ip route-static 6.6.6.6 32 1.1.1.2 preference 60
(实验结果是1.1.1.0网段为主路由、2.2.2.0网段是备路由)
六、ospf配置
实验拓扑及要求:
配置过程:
(预设置已省略,ip地址按照拓扑演示配置即可,ospf默认的序号是1,、宣告区域是area 0,router1的直连网段:192.168.1.0、router2的直连网段:192.168.2.0)
(···)
router1上:
[router1]ospf
[router1-ospf-1]area 0
[router1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[router1-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[router1-ospf-1-area-0.0.0.0]q
router2上:
[router2]ospf
[router2-ospf-1]area 0
[router2-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[router2-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[router2-ospf-1-area-0.0.0.0]q
(配置结束、pc去ping后,查看路由表,才会显示有ospf;即,如果不ping,路由表中,不会显示)
ps:
华为官网案例实验:
实验拓扑及要求:
(华为官网hcia课程中的配置案例和上方案例有些许不同,前者案例中,包含了环回口loopback——代替终端pc、还有routerid的配置,本次实验中全程按照指定命令进行配置)
配置过程:
router1上:
[router1]int loopback 0
[router1-loopback0]ip address 1.1.1.1 32
[router1-loopback0]q
[router1]int gigabitethernet 0/0/0
[router1-gigabitethernet0/0/0]ip address 10.1.12.1 30
[router1-gigabitethernet0/0/0]q
[router1]ospf 1 router-id 1.1.1.1
[router1-ospf-1]area 0
[router1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[router1-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.3
[router1-ospf-1-area-0.0.0.0]q
[router1-ospf-1]q
router2上:
[router2]ospf 1 router-id 2.2.2.2
[router2-ospf-1]area 0
[router2-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.3
[router2-ospf-1-area-0.0.0.0]q
[router2-ospf-1]area 1
[router2-ospf-1-area-0.0.0.1]network 10.1.23.0 0.0.0.3
[router2-ospf-1-area-0.0.0.1]q
[router2-ospf-1]q
router3上:
[router3]interface loopback 0
[router3-loopback0]ip address 3.3.3.3 32
[router3-loopback0]q
[router3]int gigabitethernet 0/0/0
[router3-gigabitethernet0/0/0]ip address 10.1.23.2 30
[router3-gigabitethernet0/0/0]q
[router3]ospf 1 router-id 3.3.3.3
[router3-ospf-1]area 1
[router3-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[router3-ospf-1-area-0.0.0.1]network 10.1.23.0 0.0.0.3
[router3-ospf-1-area-0.0.0.1]q
[router3-ospf-1]q
(配置完成后在任意router上执行:display ospf peer brief显示ospf邻居信息,本次实操中,未观察到相关效果…)
ps:
补充实验topo:
(本topo中的配置过程中,以routet1为例,对于loopback 0的ospf配置命令为:network 1.1.1.1 0.0.0.0)
七、单臂路由配置
实验拓扑及要求:
配置过程:
(预设置按照拓扑图的要求进行配置,其中,core交换机上接口应配置trunk)
(以下配置内容不包含划分vlan、配置trunk接口等)
(注意:pc的网关配置在router上)
router上:
[router]int gigabitethernet 0/0/0.1
[router-gigabitethernet0/0/0.1]dot1q termination vid 10
[router-gigabitethernet0/0/0.1]ip address 192.168.1.254 24
[router-gigabitethernet0/0/0.1]arp broadcast enable
[router-gigabitethernet0/0/0.1]q
[router]int gigabitethernet 0/0/0.2
[router-gigabitethernet0/0/0.2]dot1q termination vid 20
[router-gigabitethernet0/0/0.2]ip address 192.168.2.254 24
[router-gigabitethernet0/0/0.2]arp broadcast enable
[router-gigabitethernet0/0/0.2]q
八、vlan间通信(同一核心交换机)
实验拓扑及要求:
配置过程:
acsw上:
[acsw]vlan batch 10 20
[acsw]int gigabitethernet 0/0/1
[acsw-gigabitethernet0/0/1]port link-type access
[acsw-gigabitethernet0/0/1]port default vlan 10
[acsw-gigabitethernet0/0/1]q
[acsw]int gigabitethernet 0/0/3
[acsw-gigabitethernet0/0/3]port link-type access
[acsw-gigabitethernet0/0/3]port default vlan 20
[acsw-gigabitethernet0/0/3]q
[acsw]int gigabitethernet 0/0/2
[acsw-gigabitethernet0/0/2]port link-type trunk
[acsw-gigabitethernet0/0/2]port trunk allow-pass vlan all
[acsw-gigabitethernet0/0/2]q
coresw:
[coresw]vlan batch 10 20
[coresw]int vlanif 10
[coresw-vlanif10]ip address 192.168.1.254 24
[coresw-vlanif10]q
[coresw]int vlanif 20
[coresw-vlanif20]ip address 192.168.2.254 24
[coresw-vlanif20]q
[coresw]int gigabitethernet 0/0/1
[coresw-gigabitethernet0/0/1]port link-type trunk
[coresw-gigabitethernet0/0/1]port trunk allow-pass vlan all
[coresw-gigabitethernet0/0/1]q
(本节实验的网关配置在vlanif上,与上节单臂路由不同的是,单臂路由配置网关是在子接口上)
补充:跨交换机的vlan间访问
实验拓扑及要求:
配置过程:
(该补充内容是:模拟不同区域的pc划分到同一个vlan,实现不同部门的pc不能互相访问,是一个部门、即同一vlan的pc可以互相访问;对左侧组网的配置以下省略,只展示trunk配置过程)
(根据测试,如果pc3和pc1处于不同的网段,即使在一个vlan内,也不能实现通信)
(···)
acsw1上:
[acsw1]int gigabitethernet 0/0/2
[acsw1-gigabitethernet0/0/2]port link-type trunk
[acsw1-gigabitethernet0/0/2]port trunk allow-pass vlan 10 20
acsw2上:
[acsw2]int gigabitethernet 0/0/3
[acsw2-gigabitethernet0/0/3]port link-type trunk
[acsw2-gigabitethernet0/0/3]port trunk allow-pass vlan 10 20
九、核心交换机与边界路由器通信
实验拓扑及要求:
配置过程:
(预设置的内容和上一节相同,该部分本节省略)
(···)
coresw上:
[coresw]vlan 30
[coresw-vlan30]q
[coresw]int vlanif 30
[coresw-vlanif30]ip address 192.168.3.1 24
[coresw-vlanif30]q
[coresw]int gigabitethernet 0/0/2
[coresw-gigabitethernet0/0/2]port link-type access
[coresw-gigabitethernet0/0/2]port default vlan 30
[coresw-gigabitethernet0/0/2]q
router上:
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]ip address 192.168.3.2 24
[router-gigabitethernet0/0/0]q
(配置结束后,可以实现边界router和内网coresw的通信,尝试ping同即可;由于未做路由配置,所以还不能实现pc与外界通信)
十、acl(实现端口控制)
实验拓扑及要求:
(前期,通过dhcp配置后,wireshark抓包得到如下)
配置过程:
(预设置过程省略,以下是router上的配置)
[router]acl 3000
[router-acl-adv-3000]rule 5 deny udp source any source-port eq 67
[router-acl-adv-3000]rule 10 permit ip
[router-acl-adv-3000]q
[router]q
[router]port-group group-member gigabitethernet 0/0/1 to gigabitethernet 0/0/2
[router-port-group]traffic-filter inbound acl 3000
十一、telnet远程管理
实验拓扑及要求:
(本topo是:真机主机连接路由器)
本次实验中,涉及到的非命令配置中有:
1、网卡的ip、网关设置,保证cloud连接的网卡地址和后续router
2、cloud上添加虚拟网卡(本次使用的是已经存在的vm8网卡),使其能够与真机互通(即cloud就代表真机主机)
(预设置都结束后,先尝试用真机ping通给router指定端口配置的ip,由于是直连,所以直接就可以ping通)
配置过程:
[router]user-interface vty 0 4
[router-ui-vty0-4]authentication-mode aaa
[router-ui-vty0-4]q
[router]aaa
[router-aaa]local-user xiaohu password cipher 123456
[router-aaa]local-user xiaohu service-type telnet
[router-aaa]local-user xiaohu privilege level 15
[router-aaa]q
[router]telnet server enable
实现结果:
十二、easy-ip配置
实验拓扑及要求:
配置过程:
(由于本节实验是采用easyip方式实现nat,所以只做简化配置,以router2作为连接外网的router,配置完easyip后可实现不用配置路由pc就可与外网连通,预设置已做省略)
router1上:
[router1]acl 2000
[router1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[router1-acl-basic-2000]q
[router1]int gigabitethernet 0/0/1
[router1-gigabitethernet0/0/1]nat outbound 2000
(配置结束后,尝试用pc去ping通router2的接口ip,通过wireshark抓包,可以显示出数据包的源ip地址是router1的0/0/1接口地址)
十三、dhcp配置(interface模式)
实验拓扑及要求:
配置过程:
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]ip address 192.168.10.1 24
[router-gigabitethernet0/0/0]q
[router]dhcp enable
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]dhcp select interface
配置过程:
(使用wireshark抓包后,显示实验结果)
十四、dns配置(pc作为dns server)
实验拓扑及要求:
配置过程:
(预配置为topo所示:注意server1的网关需要配置成router的接口地址,就是说router0/0/0接口ip地址既作为pc2的网关、也是server网关;网关配置完毕后,可以尝试使用pc2pingrouter的网关地址;设置server上的服务器配置,填入域名,并对应pc2的ip、并启动;pc1上打开dhcp功能)
router上:
[router]dhcp enable
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]dhcp select interface
[router-gigabitethernet0/0/0]dhcp server dns-list 192.168.2.10
[router-gigabitethernet0/0/0]q
(配置完毕后,查看pc1分配的ip地址和dns server地址,查看是否是server的ip,并直接ping域名)
十五、vrrp配置(主+备)
实验拓扑及要求:
(根据如图所示topo,实现左侧router1为vrrp master、右侧router2为vrrp backup,且设置的vrrpid都为10,地址都是192.168.10.254;注意,实验前需要将router1和router2的接口都配置好ip)
配置过程:
router1上:
[router1]int gigabitethernet 0/0/0
[router1-gigabitethernet0/0/0]ip address 192.168.10.253 24
[router1-gigabitethernet0/0/0]vrrp vrid 10 virtual-ip 192.168.10.254
[router1-gigabitethernet0/0/0]vrrp vrid 10 priority 105
[router1-gigabitethernet0/0/0]q
router2上:
[router2]int gigabitethernet 0/0/0
[router2-gigabitethernet0/0/0]ip address 192.168.10.252 24
[router2-gigabitethernet0/0/0]vrrp vrid 10 virtual-ip 192.168.10.254
(由于router2的vrrp没有priority没有进行配置,即默认为100、小于router1的priority,所以默认router1是master,router2是backup;且使用pc去ping三个地址:252、253、254都可以ping通)
十六、防火墙(dmz非军事区)
实验拓扑及要求:
配置过程:
(防火墙默认阻挡所有流量通过)
配置ip地址:
lsw1上:
vlan 10
int vlan 10
undo shutdown
port-group group-member eth0/0/1 eth0/0/2
port link-type access
port default vlan 10
ar1上:
int gi0/0/0
ip add 10.1.1.2 24
undo shutdown
int loopback 0
ip add 1.1.1.1 32
fw1上:
vlan 10
int vlan 10
ip add 192.168.10.254 24
undo shutdown
int gi1/0/2
portswitch #转换成二层接口
port link-type access
port default vlan 10
undo shutdown
int gi1/0/1
ip add 10.2.2.2 24
undo shutdown
int gi1/0/0
ip add 10.1.1.1 24
undo shutdown
firewall zone trust #进入安全区域
add int vlan 10 #把安全区域的接口或者vlan划分进去
quit
firewall zone untrust #进入外网区域,这个区域是不能访问内网的
add int gi1/0/0 #添加这个区域的接口
quit
firewall zone dmz #进入dmz区域,这个区域是非军事区域,也就是相当于防火墙里面的第二道防火墙
add int gi1/0/1 #添加这个区域的接口
quit
(默认防火墙所有接口都是在local区域的,所以我们要放行local区域)
security-policy #建立安全策略
rule name local #起个名字为local
source-zone local #默认所有接口的区域在local
action permit #放行流量通过
这样还不算完,这些都做了之后,其它设备还是ping不通防火墙,需要开启连接防火墙的三个接口
int gi1/0/2 #进入gi1/0/2接口
service-manager ping permit #在接口上允许ping,如果不开这个ping,就算策略做了也不能与防火墙通信
quit
int gi1/0/1
service-manager ping permit
quit
int gi1/0/0
service-manager ping permit
(本实验在fw上的配置出现了一些问题,配置topo和命令是借鉴的其他博主的,由结果看方法可行)
十七、acl访问控制(配合单臂路由)
实验拓扑及要求:
配置过程:
core上:
[core]vlan batch 10 20
[core]int gigabitethernet 0/0/1
[core-gigabitethernet0/0/1]port link-type access
[core-gigabitethernet0/0/1]port default vlan 10
[core-gigabitethernet0/0/1]q
[core]int gigabitethernet 0/0/2
[core-gigabitethernet0/0/2]port link-type access
[core-gigabitethernet0/0/2]port default vlan 20
[core-gigabitethernet0/0/2]q
[core]int gigabitethernet 0/0/3
[core-gigabitethernet0/0/3]port link-type trunk
[core-gigabitethernet0/0/3]port trunk allow-pass vlan all
[core-gigabitethernet0/0/3]q
router上:
[router]int gigabitethernet 0/0/1.10
[router-gigabitethernet0/0/1.10]ip address 192.168.10.254 24
[router-gigabitethernet0/0/1.10]dot1q termination vid 10
[router-gigabitethernet0/0/1.10]arp broadcast enable
[router-gigabitethernet0/0/1.10]q
[router]int gigabitethernet 0/0/1.20
[router-gigabitethernet0/0/1.20]ip address 192.168.20.254 24
[router-gigabitethernet0/0/1.20]dot1q termination vid 20
[router-gigabitethernet0/0/1.20]arp broadcast enable
[router-gigabitethernet0/0/1.20]q
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]ip address 10.1.1.254 24
[router-gigabitethernet0/0/0]q
[router]acl 2000
[router-acl-basic-2000]rule 5 permit source 192.168.10.0 0.0.0.255
[router-acl-basic-2000]rule 10 deny source 192.168.20.0 0.0.0.255
[router-acl-basic-2000]q
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]traffic-filter outbound acl 2000
[router-gigabitethernet0/0/0]display acl 2000
basic acl 2000, 2 rules
acl’s step is 5
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 deny source 192.168.20.0 0.0.0.255
[router-gigabitethernet0/0/0]q
十八、aaa(telnet远程控制)
实验拓扑及要求:
配置过程:
router1上:
[router1]int gigabitethernet 0/0/0
[router1-gigabitethernet0/0/0]ip address 192.168.1.1 24
[router1-gigabitethernet0/0/0]q
[router1]user-interface vty 0 4
[router1-ui-vty0-4]authentication-mode aaa
[router1-ui-vty0-4]q
[router1]aaa
[router1-aaa]local-user xiaohu password cipher 123456
[router1-aaa]local-user xiaohu privilege level 15
[router1-aaa]local-user xiaohu service-type telnet
[router1-aaa]q
router2上:
[router2]int gigabitethernet 0/0/1
[router2-gigabitethernet0/0/1]ip address 192.168.1.2 24
[router2-gigabitethernet0/0/1]q
[router2]q
telnet 192.168.1.1
press ctrl_] to quit telnet mode
trying 192.168.1.1 …
connected to 192.168.1.1 …
login authentication
username:xiaohu
password:
(配置完成后输入预设好的账号还有密码进行验证结果)
十九、nat配置(静态+动态+napt)
实验拓扑及要求(该topo应用三种nat配置): (静态nat)
配置过程:
router1上:
[router1]int gigabitethernet 0/0/0
[router1-gigabitethernet0/0/0]ip address 192.168.1.254 24
[router1-gigabitethernet0/0/0]q
[router1]int gigabitethernet 0/0/1
[router1-gigabitethernet0/0/1]ip address 100.1.1.1 24
[router1-gigabitethernet0/0/1]q
[router1]ip route-static 0.0.0.0 100.1.1.2
[router1]int gigabitethernet 0/0/1
[router1-gigabitethernet0/0/1]nat static global 12.1.1.1 inside 192.168.1.1
[router1-gigabitethernet0/0/1]nat static global 12.1.1.2 inside 192.168.1.2
[router1-gigabitethernet0/0/1]q
router2上:
[router2]int gigabitethernet 0/0/0
[router2-gigabitethernet0/0/0]ip address 100.1.1.2 24
[router2-gigabitethernet0/0/0]q
[router2]int gigabitethernet 0/0/1
[router2-gigabitethernet0/0/1]ip address 200.1.1.1 24
[router2-gigabitethernet0/0/1]q
[router2]ip route-static 192.168.1.0 24 100.1.1.1
(配置完成后使用wireshark进行抓包,结果显示静态nat可一对一进行地址转换)
(动态nat)
配置过程:
(先前配置过程相同,故省略,直接从动态nat配置开始)
[router1]nat address-group 1 1.1.1.1 1.1.1.3
[router1]acl 2000
[router1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[router1-acl-basic-2000]q
[router1]int gigabitethernet 0/0/1
[router1-gigabitethernet0/0/1]nat outbound 2000 address-group 1 no-pat
[router1-gigabitethernet0/0/1]q
(napt)
(和动态nat配置不同的是,napt后不加no-pat)
二十、ftp配置(server-router-client)
实验拓扑及要求:
配置过程:
(本次实验是以其他topo为例进行整体配置的,其server和client的ip地址和网关按照上图所示进行配置;使ftp server根目录中的文件已经创建好,方便后续调用。本次创建了test.txt,选择后启动ftp server)
router上:
[router]int gigabitethernet 0/0/0
[router-gigabitethernet0/0/0]ip address 10.0.1.254 24
[router-gigabitethernet0/0/0]q
[router]int gigabitethernet 0/0/1
[router-gigabitethernet0/0/1]ip address 10.0.2.254 24
[router-gigabitethernet0/0/1]q
(client、server、router相通后,再进行以下操作)
[router]user-interface vty 0 4
[router-ui-vty0-4]authentication-mode aaa
[router-ui-vty0-4]q
[router]aaa
[router-aaa]local-user ftp password cipher 123456
[router-aaa]local-user ftp privilege level 15
[router-aaa]local-user ftp ftp-directory flash:
[router-aaa]local-user ftp service-type ftp
[router-aaa]q
[router]ftp server enable
(完成该步配置后,在ftp client上进行登录,账号密码和router上配置的相同,ip地址填写router上接口的地址,登录后,选择本地的文件上传至ftp服务器上,结果显示文件上传成功)
发表评论