2022-09-26
CCNA Enterprise Network Comprehensive Project Lab (Continued)
Continuing from the previous part, here is the configuration of the Internet device (students do not need to study it; just apply it as given):
Internet(config)#username HQ password cisco

Internet(config)#interface s1/0
Internet(config-if)#encapsulation ppp
Internet(config-if)#ip address 202.100.1.254 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#ppp authentication chap

Internet(config)#interface loopback 0
Internet(config-if)#ip address 1.2.3.4 255.255.255.255

Internet(config)#interface e0/1
Internet(config-if)#ip address 61.128.1.254 255.255.255.0
Internet(config-if)#no shutdown

Internet(config)#ip local pool HQ_PPPoE 123.45.67.1
Internet(config)#bba-group pppoe HQ
Internet(config-bba-group)#virtual-template 1
Internet(config-bba-group)#interface e0/0
Internet(config-if)#no shutdown
Internet(config-if)#pppoe enable group HQ
Internet(config-if)#exit

Internet(config)#interface virtual-template 1
Internet(config-if)#mtu 1492
Internet(config-if)#ip address 123.45.67.254 255.255.255.0
Internet(config-if)#peer default ip address pool HQ_PPPoE
Internet(config-if)#end
Internet#
Connect R1 to the Internet
S1/0 link
R1(config)#interface s1/0
R1(config-if)#encapsulation ppp
R1(config-if)#ip add 202.100.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#ppp chap hostname HQ
R1(config-if)#ppp chap password cisco
R1(config-if)#end
Verification:
R1#show ip interface brief s1/0
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/0                  202.100.1.1     YES manual up                    up
PPPoE on the e0/0 link
R1(config)#interface e0/0
R1(config-if)#no shutdown
R1(config-if)#pppoe enable group global
R1(config-if)#pppoe-client dial-pool-number 1
R1(config-if)#exit
R1(config)#interface Dialer1
R1(config-if)#mtu 1492
R1(config-if)#ip address negotiated
R1(config-if)#encapsulation ppp
R1(config-if)#dialer pool 1
R1(config-if)#dialer-group 1
R1(config-if)#ppp chap hostname HQ
R1(config-if)#ppp chap password cisco
R1(config-if)#end
Verification:
R1#show pppoe session
     1 client session

Uniq ID  PPPoE  RemMAC          Port                    VT  VA         State
           SID  LocMAC                                      VA-st      Type
    N/A      1  aabb.cc00.2000  Et0/0                   Di1 Vi2        UP
                aabb.cc00.1000                              UP

R1#show ip interface brief dialer 1
Interface                  IP-Address      OK? Method Status                Protocol
Dialer1                    123.45.67.1     YES IPCP   up                    up
Deploy multi-exit NAT
R1(config)#interface dialer 1
R1(config-if)#ip nat outside
R1(config-if)#interface s1/0
R1(config-if)#ip nat outside
R1(config-if)#interface e0/1
R1(config-if)#ip nat inside
R1(config-if)#interface e0/2
R1(config-if)#ip nat inside

R1(config)#ip access-list standard nat
R1(config-std-nacl)#permit 10.1.0.0 0.0.255.255

R1(config)#route-map PPPoE permit
R1(config-route-map)#match ip address nat
R1(config-route-map)#match interface dialer 1

R1(config)#route-map S1/0 permit
R1(config-route-map)#match ip address nat
R1(config-route-map)#match interface s1/0

R1(config)#ip nat inside source route-map PPPoE interface dialer 1 overload
R1(config)#ip nat inside source route-map S1/0 interface s1/0 overload
Verify the deployment:
R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
  Serial1/0, Dialer1, Virtual-Access2
Inside interfaces:
  Ethernet0/1, Ethernet0/2
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] route-map PPPoE interface Dialer1 refcount 0
[Id: 3] route-map S1/0 interface Serial1/0 refcount 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Deploy floating static routes:
R1(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
R1(config)#ip route 0.0.0.0 0.0.0.0 s1/0 5
Verification:
R1#show ip route 0.0.0.0 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via Dialer1
      Route metric is 0, traffic share count is 1

R1(config)#interface dialer 1
R1(config-if)#shutdown
R1(config-if)#
*Oct 23 04:59:13.743: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Oct 23 04:59:13.743: Di1 DDR: dialer shutdown complete
*Oct 23 04:59:13.749: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
R1(config-if)#
*Oct 23 04:59:13.749: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#do show
*Oct 23 04:59:15.747: %LINK-5-CHANGED: Interface Dialer1, changed state to administratively down
R1(config-if)#do show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 5, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via Serial1/0
      Route metric is 0, traffic share count is 1
Verify NAT:
PC1#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

PC2#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.45.67.1:0     10.1.100.1:0       1.2.3.4:0          1.2.3.4:0
icmp 123.45.67.1:1     10.1.101.1:0       1.2.3.4:0          1.2.3.4:1
R1#show ip access-list
Standard IP access list nat
    10 permit 10.1.0.0, wildcard bits 0.0.255.255 (2 matches)
At this point the headquarters' basic services are deployed; next we deploy the branch office's services:
Enable the spanning-tree PortFast feature on the switch:
SW4(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.
Create the VLANs
SW4(config)#vlan 100
SW4(config-vlan)#vlan 200
SW4(config-vlan)#exit

Server2(config)#interface e0/0
Server2(config-if)#no shutdown
Server2(config-if)#duplex full

PC3(config)#interface e0/0
PC3(config-if)#duplex full
PC3(config-if)#no shutdown

SW4#show cdp neighbors
*Oct 23 05:12:55.222: %SYS-5-CONFIG_I: Configured from console by console
SW4#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Server2          Eth 0/2           134               R    Linux Uni Eth 0/0
PC3              Eth 0/1           139               R    Linux Uni Eth 0/0

Total cdp entries displayed : 2

SW4(config)#interface e0/1
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 100
SW4(config-if)#interface e0/2
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 200
Verification:
SW4#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/3
100  VLAN0100                         active    Et0/1
200  VLAN0200                         active    Et0/2
Deploy router-on-a-stick:
SW4
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

R3(config)#interface e0/0
R3(config-if)#no shutdown
R3(config-if)#interface e0/0.100
R3(config-subif)#encapsulation dot1q 100
R3(config-subif)#ip address 10.2.100.254 255.255.255.0
R3(config-subif)#interface e0/0.200
R3(config-subif)#encapsulation dot1q 200
R3(config-subif)#ip address 10.2.200.254 255.255.255.0
Configure the leased-line link to the ISP:
R3(config)#interface e0/1
R3(config-if)#ip address 61.128.1.1 255.255.255.0
R3(config-if)#no shutdown

R3(config)#ip route 0.0.0.0 0.0.0.0 e0/1 61.128.1.254
Verification:
R3#ping 61.128.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.128.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Deploy NAT for the branch office
R3(config)#interface e0/1
R3(config-if)#ip nat outside
R3(config-if)#interface e0/0.100
R3(config-subif)#ip nat inside
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip nat inside

R3(config)#ip access-list standard nat
R3(config-std-nacl)#permit 10.2.0.0 0.0.255.255
R3(config-std-nacl)#exit

R3(config)#ip nat inside source list nat interface e0/1 overload
Deploy GRE tunnels between headquarters and the branch office:
R1
interface Tunnel10
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 tunnel source Dialer1
 tunnel destination 61.128.1.1

interface Tunnel20
 ip address 172.16.2.1 255.255.255.0
 ip mtu 1400
 tunnel source Serial1/0
 tunnel destination 61.128.1.1
R3
interface Tunnel10
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/1
 tunnel destination 123.45.67.1

interface Tunnel20
 ip address 172.16.2.2 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/1
 tunnel destination 202.100.1.1
Verification:
R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
Finish deploying OSPF between headquarters and the branch so that the private networks can reach each other
R1(config)#interface tunnel 10
R1(config-if)#ip ospf 110 area 0
R1(config-if)#interface tunnel 20
R1(config-if)#ip ospf 110 area 0

R3(config)#interface tunnel 10
R3(config-if)#ip ospf 110 area 0
R3(config-if)#interface tunnel 20
R3(config-if)#ip ospf 110 area 0
R3(config-if)#interface e0/0.100
R3(config-subif)#ip ospf 110 area 0
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip ospf 110 area 0
R3(config-subif)#router ospf 110
R3(config-router)#passive-interface e0/0.100
R3(config-router)#passive-interface e0/0.200
Verification:
R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
61.128.1.1        0   FULL/  -        00:00:31    172.16.2.2      Tunnel20
61.128.1.1        0   FULL/  -        00:00:36    172.16.1.2      Tunnel10
10.1.255.22       1   FULL/DR         00:00:30    10.1.12.2       Ethernet0/2
10.1.255.11       1   FULL/BDR        00:00:33    10.1.11.2       Ethernet0/1

R1#show ip route ospf | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O        10.1.100.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.101.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.112.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.200.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.2.100.0/24 [110/1010] via 172.16.2.2, 00:03:32, Tunnel20
                       [110/1010] via 172.16.1.2, 00:03:42, Tunnel10
O        10.2.200.0/24 [110/1010] via 172.16.2.2, 00:03:32, Tunnel20
                       [110/1010] via 172.16.1.2, 00:03:42, Tunnel10
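
A configuration check for the tunnel and OSPF setup above, as an added example that is not part of the original lab: plain GRE carries the private subnets across the ISP unencrypted, and the OSPF adjacencies on the tunnels are formed without authentication. The function names, the sample layout and the profile name LAB-IPSEC are assumptions made for this example.

```python
import re

# Constructed input: R1's Dialer1 and Tunnel10 commands from this lab, in running-config layout.
LAB = """\
interface Dialer1
 encapsulation ppp
 ppp chap hostname HQ
 ppp chap password cisco
interface Tunnel10
 ip address 172.16.1.1 255.255.255.0
 ip ospf 110 area 0
 tunnel source Dialer1
 tunnel destination 61.128.1.1
"""
# Constructed counter-example; the IPsec profile name LAB-IPSEC is hypothetical.
HARDENED = LAB.replace(
    " tunnel source Dialer1",
    " ip ospf authentication message-digest\n"
    " tunnel source Dialer1\n tunnel protection ipsec profile LAB-IPSEC")

def stanzas(config):
    """Group indented sub-commands under the 'interface X' line that precedes them."""
    out, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            out[name] = []
        elif line.startswith(" ") and name is not None:
            out[name].append(line.strip())
        else:
            name = None
    return out

def audit(config):
    """Return (interface, finding) pairs. Interface-level settings only:
    area-level OSPF authentication under 'router ospf' is not modelled."""
    auth = r"ip ospf authentication( message-digest| key-chain \S+)?"
    findings = []
    for name, cmds in stanzas(config).items():
        if name.lower().startswith("tunnel") and not any(
                c.startswith("tunnel protection ") for c in cmds):
            findings.append((name, "GRE tunnel carries traffic unencrypted"))
        if any(re.match(r"ip ospf \d+ area \S+", c) for c in cmds) and not any(
                re.fullmatch(auth, c) for c in cmds):
            findings.append((name, "OSPF adjacency without authentication"))
        if any(re.fullmatch(r"ppp chap password (0 )?\S+", c) for c in cmds):
            findings.append((name, "CHAP password stored in clear text"))
    return findings
```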
Add DHCP configuration at headquarters to provide DHCP service for the branch office:
R1 is the DHCP server and R3 is the DHCP relay agent
Assign Server2 the fixed IP address 10.2.200.100/24
R1(config)#ip dhcp pool Branch100
R1(dhcp-config)#network 10.2.100.0 /24
R1(dhcp-config)#default-router 10.2.100.254
R1(dhcp-config)#ip dhcp pool Branch200
R1(dhcp-config)#host 10.2.200.100 /24
R1(dhcp-config)#default-router 10.2.200.254
R1(dhcp-config)#client-identifier 01aabb.cc00.c000

R3(config)#interface e0/0.100
R3(config-subif)#ip helper-address 10.1.255.1
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip helper-address 10.1.255.1

PC3(config)#interface e0/0
PC3(config-if)#ip address dhcp

Server2(config)#interface e0/0
Server2(config-if)#ip address dhcp client-id e0/0
*Oct 23 06:00:23.560: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.2.200.100, mask 255.255.255.0, hostname Server2
Test the branch office's connectivity to the Internet:
PC3#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Verify NAT:
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 61.128.1.1:0      10.2.100.1:0       1.2.3.4:0          1.2.3.4:0
Deploy the access control policy:
R1(config)#ip access-list extended HQ-Branch
R1(config-ext-nacl)#deny ip 10.1.101.0 0.0.0.255 host 10.2.200.100
R1(config-ext-nacl)#permit ip any any

R1(config)#interface e0/1
R1(config-if)#ip access-group HQ-Branch in
R1(config-if)#interface e0/2
R1(config-if)#ip access-group HQ-Branch in

R3(config)#ip access-list extended Branch-HQ
R3(config-ext-nacl)#permit tcp 10.2.100.0 0.0.0.255 host 10.1.200.100 eq 80
R3(config-ext-nacl)#deny ip 10.2.100.0 0.0.0.255 host 10.1.200.100
R3(config-ext-nacl)#permit ip any any

R3(config)#interface e0/0.100
R3(config-subif)#ip access-group Branch-HQ in
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip access-group Branch-HQ in
Enable the web service on Server1 for testing:
Server1(config)#ip http server
Test the access control policy:
PC1#ping 10.2.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.200.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms

PC2#ping 10.2.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.200.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

PC3#ping 10.1.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

PC3#telnet 10.1.200.100 80
Trying 10.1.200.100, 80 ... Open
/get
HTTP/1.1 400 Bad Request
Date: Tue, 23 Oct 2018 06:29:47 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 10.1.200.100 closed by foreign host]
PC3#
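
First-match evaluation of the Branch-HQ policy, as an added example that is not part of the original lab: it replays the two PC3 tests above (ping blocked, TCP port 80 open) and shows that the same entries with the deny entered first would also block the web test. The names Ace, evaluate and shadowed are hypothetical; PC3's address 10.2.100.1 is the inside local address from R3's NAT table, and the web permit is assumed to be for TCP port 80, the port tested above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # IOS address/wildcard pair written as CIDR
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def covers(self, proto, src, dst, dport):
        """True when everything described by the arguments matches this entry."""
        net = ipaddress.ip_network
        return (self.proto in ("ip", proto)
                and net(src).subnet_of(net(self.src))
                and net(dst).subnet_of(net(self.dst))
                and self.dport in (None, dport))

def evaluate(acl, proto, src, dst, dport=None):
    """The first matching entry decides; the list ends with an implicit deny."""
    for ace in acl:
        if ace.covers(proto, src, dst, dport):
            return ace.action
    return "deny"

def shadowed(acl):
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [j for j, later in enumerate(acl)
            if any(e.covers(later.proto, later.src, later.dst, later.dport)
                   for e in acl[:j])]

WEB = Ace("permit", "tcp", "10.2.100.0/24", "10.1.200.100/32", 80)
BLOCK = Ace("deny", "ip", "10.2.100.0/24", "10.1.200.100/32")
REST = Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")

BRANCH_HQ = [WEB, BLOCK, REST]    # specific permit ahead of the broad deny
DENY_FIRST = [BLOCK, WEB, REST]   # same entries, deny entered first

# Constructed test flows from PC3 (10.2.100.1) to Server1 (10.1.200.100).
if __name__ == "__main__":
    for name, acl in (("BRANCH_HQ", BRANCH_HQ), ("DENY_FIRST", DENY_FIRST)):
        print(name,
              "ping:", evaluate(acl, "icmp", "10.2.100.1", "10.1.200.100"),
              "tcp/80:", evaluate(acl, "tcp", "10.2.100.1", "10.1.200.100", 80),
              "shadowed entries:", shadowed(acl))
```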
Thank you all, I'm 达叔 (Da Shu). I hope this helps you on your path to technical advancement.