一、项目案例要求
1.企业内网运行OSPF路由协议,区域规划如图所示;
2.财务和研发所在的区域不受其他区域链路不稳定性影响;
3.R1、R2、R3只允许被IT登录管理;
4.YF和CW之间不能互通,但都可以与IT互通;
5.IT和YF可以访问Client1,但CW不能访问Client1;
6.YF和CW只能访问Server1的WWW服务;
二、项目规划
CW
1.YF和CW之间不能互通,但都可以与IT互通;
2.CW不能访问Client1;
3.CW只能访问Server1的WWW服务;
YF
1.YF和CW之间不能互通,但都可以与IT互通;
2.YF只能访问Server1的WWW服务;
IT
1.R1、R2、R3只允许被IT登录管理;
2.IT可以访问Client1;
三、项目实施
1.配置基本网络
R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 1.1.1.254 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.13.1 24
[R1-GigabitEthernet0/0/2]q
R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.12.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.10.254 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.20.254 24
[R2-GigabitEthernet0/0/2]q
R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.13.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip address 192.168.30.254 24
[R3-GigabitEthernet0/0/1]int g0/0/2
[R3-GigabitEthernet0/0/2]ip address 192.168.40.254 24
[R3-GigabitEthernet0/0/2]q
IT
[IT]int g0/0/0
[IT-GigabitEthernet0/0/0]ip address 192.168.10.1 24
[IT-GigabitEthernet0/0/0]q
2.配置OSPF
R1
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]dis th
[V200R003C00]
#
area 0.0.0.0
network 192.168.12.0 0.0.0.255
network 192.168.13.0 0.0.0.255
#
return
[R1-ospf-1-area-0.0.0.0]q
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]network 1.1.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.1]dis th
[V200R003C00]
#
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return
[R1-ospf-1-area-0.0.0.1]q
R2
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]dis th
[V200R003C00]
#
area 0.0.0.0
network 192.168.12.0 0.0.0.255
#
return
[R2-ospf-1-area-0.0.0.0]q
[R2-ospf-1]area 2
[R2-ospf-1-area-0.0.0.2]network 192.168.10.0 0.0.0.255
[R2-ospf-1-area-0.0.0.2]network 192.168.20.0 0.0.0.255
[R2-ospf-1-area-0.0.0.2]dis th
[V200R003C00]
#
area 0.0.0.2
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
return
[R2-ospf-1-area-0.0.0.2]q
R3
[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]dis th
[V200R003C00]
#
area 0.0.0.0
network 192.168.13.0 0.0.0.255
#
return
[R3-ospf-1-area-0.0.0.0]q
[R3-ospf-1]area 3
[R3-ospf-1-area-0.0.0.3]network 192.168.30.0 0.0.0.255
[R3-ospf-1-area-0.0.0.3]network 192.168.40.0 0.0.0.255
[R3-ospf-1-area-0.0.0.3]dis th
[V200R003C00]
#
area 0.0.0.3
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
#
return
[R3-ospf-1-area-0.0.0.3]q
IT
[IT]ospf 1
[IT-ospf-1]area 2
[IT-ospf-1-area-0.0.0.2]network 192.168.10.0 0.0.0.255
[IT-ospf-1-area-0.0.0.2]dis th
[V200R003C00]
#
area 0.0.0.2
network 192.168.10.0 0.0.0.255
#
return
[IT-ospf-1-area-0.0.0.2]q
此时检查网络中都可以互相连通:
3.配置ACL
CW:
[R3]acl 3000
[R3-acl-adv-3000]rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 1.1.1.
0 0.0.0.255
[R3-acl-adv-3000]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.1
68.20.0 0.0.0.255
[R3-acl-adv-3000]rule 15 permit tcp source 192.168.30.0 0.0.0.255 destination 19
2.168.40.1 0 destination-port eq www
[R3-acl-adv-3000]rule 20 deny ip source 192.168.30.0 0.0.0.255 destination 192.1
68.40.1 0
[R3-acl-adv-3000]q
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[R3-GigabitEthernet0/0/1]q
YF:
[R2]acl 3001
[R2-acl-adv-3001]rule 5 permit tcp source 192.168.20.0 0.0.0.255 destination 192
.168.40.1 0 destination-port eq www
[R2-acl-adv-3001]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.1
68.40.1 0
[R2-acl-adv-3001]q
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter inbound acl 3001
[R2-GigabitEthernet0/0/2]q
IT:
在R1上配置
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):123
[R1-ui-vty0-4]acl 2000 inbound
[R1-ui-vty0-4]dis th
[V200R003C00]
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
set authentication password cipher %$%$%b|hVM5/mDVFw|~(AMI>,"IGSBN(Nl\h/[email protected])@g#"IJ,%$%$
user-interface vty 16 20
#
return
[R1-ui-vty0-4]q
在R2上配置
[R2]acl 2000
[R2-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[R2-acl-basic-2000]q
[R2]user-interface vty 0 4
[R2-ui-vty0-4]acl 2000 inbound
[R2-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):123
[R2-ui-vty0-4]dis th
[V200R003C00]
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
set authentication password cipher %$%[email protected]"R7m2k.8=Fd[3,..2h4=V"fJsdR8ORh=scxlL..5,%$%$
user-interface vty 16 20
#
return
[R2-ui-vty0-4]q
在R3上配置
[R3]acl 2000
[R3-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[R3-acl-basic-2000]q
[R3]user-interface vty 0 4
[R3-ui-vty0-4]acl 2000 inbound
[R3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):123
[R3-ui-vty0-4]dis th
[V200R003C00]
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
set authentication password cipher %$%$eC/~%Q{M>U38eS9fW{hA,.we<>,5(&g1YG#wd3L3jHl1.wh,%$%$
user-interface vty 16 20
#
return
[R3-ui-vty0-4]q
原文地址:https://www.cnblogs.com/zhaihuijie/p/12031117.html