SW5
// SW5: access switch for VLANs 40 and 50, with GE0/0/24 as the trunk uplink.
sysname SW5
#
// Turns the information center off, so the switch emits no logs or traps.
// NOTE(review): fine for a quiet lab console, but on a real device this removes the
// audit trail (logins, config changes, port events); keep it enabled and send logs to a collector.
undo info-center enable
#
vlan batch 40 50
#
// Access port in VLAN 40.
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 40
#
// Access port in VLAN 50.
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 50
#
// Trunk uplink; only the two VLANs in use are allowed across it.
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 40 50
SW6
// SW6: access switch for VLANs 10, 20 and 30, with GE0/0/24 as the trunk uplink.
sysname SW6
#
// Turns the information center off, so the switch emits no logs or traps.
// NOTE(review): on a real device keep logging enabled and forward it to a collector.
undo info-center enable
#
vlan batch 10 20 30
#
// Access port in VLAN 10.
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
// Access port in VLAN 30 (note: port 2 is VLAN 30 and port 3 is VLAN 20).
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
#
// Access port in VLAN 20.
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
#
// Trunk uplink; only the three VLANs in use are allowed across it.
// NOTE(review): no DHCP snooping or port security is configured on the access ports, so a
// host in these VLANs could answer DHCP requests itself — worth adding outside a lab.
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
R1
// R1 interface addressing: GE0/0/0 is the link to R2, GE0/0/1 carries the VLAN sub-interfaces.
sysname R1
#
interface GigabitEthernet0/0/0
 ip address 192.168.12.1 255.255.255.0
#
// Router-on-a-stick: one 802.1Q sub-interface per VLAN, each acting as that VLAN's gateway (.254).
interface GigabitEthernet0/0/1.10
 dot1q termination vid 10
 ip address 192.168.10.254 255.255.255.0
 // Lets the sub-interface handle ARP broadcasts so hosts can resolve the gateway.
 arp broadcast enable
#
interface GigabitEthernet0/0/1.20
 dot1q termination vid 20
 ip address 192.168.20.254 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1.30
 dot1q termination vid 30
 ip address 192.168.30.254 255.255.255.0
 arp broadcast enable
R2
// R2 interface addressing: GE0/0/0 faces R1, GE0/0/1 faces the ISP, GE0/0/2 carries VLANs 40 and 50.
sysname R2
#
interface GigabitEthernet0/0/0
 ip address 192.168.12.2 255.255.255.0
#
// ISP-facing interface; the NAT rules for this lab are attached to it later in the page.
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.0
#
// 802.1Q sub-interfaces acting as the gateways (.254) for VLAN 40 and VLAN 50.
interface GigabitEthernet0/0/2.40
 dot1q termination vid 40
 ip address 192.168.40.254 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/2.50
 dot1q termination vid 50
 ip address 192.168.50.254 255.255.255.0
 arp broadcast enable
ISP
// ISP router: only two addressed interfaces, no static routes or routing protocol.
// It therefore knows just its connected networks (12.1.1.0/24 and 202.1.1.0/24), which is
// why the internal networks must be translated by NAT on R2 to get replies back.
sysname ISP
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.1.1.254 255.255.255.0
PC1
// PC1 is emulated with a router acting as a DHCP client (presumably in VLAN 10, given the gateway below).
sysname PC1
#
dhcp enable
#
// The interface address comes from a DHCP lease, so it is not guaranteed to stay the same.
interface GigabitEthernet0/0/0
ip address dhcp-alloc
#
// Static default route to the VLAN 10 gateway on R1.
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254
PC2
// PC2 is emulated with a router acting as a DHCP client (presumably in VLAN 20, given the gateway below).
sysname PC2
#
dhcp enable
#
// The interface address comes from a DHCP lease.
interface GigabitEthernet0/0/0
ip address dhcp-alloc
#
// Static default route to the VLAN 20 gateway on R1.
ip route-static 0.0.0.0 0.0.0.0 192.168.20.254
R1
// R1 as DHCP server for VLAN 10 and VLAN 20, using global address pools.
dhcp enable
#
// Pool for VLAN 10: .230-.253 are excluded, so leases come from .1-.229; lease time is 2 days.
// NOTE(review): ACL 3000 on R1 identifies PC1 by the single address 192.168.10.229, which is
// presumably the lease this pool hands out first. A lease is not an identity: a renewed or
// manually set address falls outside that filter.
ip pool VLAN10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 excluded-ip-address 192.168.10.230 192.168.10.253
 lease day 2 hour 0 minute 0
#
// Pool for VLAN 20, same layout as VLAN 10.
ip pool VLAN20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 excluded-ip-address 192.168.20.230 192.168.20.253
 lease day 2 hour 0 minute 0
#
// Serve each sub-interface from the global pool that matches its subnet.
interface GigabitEthernet0/0/1.10
 dhcp select global
#
interface GigabitEthernet0/0/1.20
 dhcp select global
R2
// R2 as DHCP server for VLAN 40 and VLAN 50, using global address pools.
dhcp enable
#
// Pool for VLAN 40: .230-.253 are excluded from allocation; lease time is 2 days.
ip pool VLAN40
 gateway-list 192.168.40.254
 network 192.168.40.0 mask 255.255.255.0
 excluded-ip-address 192.168.40.230 192.168.40.253
 lease day 2 hour 0 minute 0
#
// Pool for VLAN 50, same layout as VLAN 40.
ip pool VLAN50
 gateway-list 192.168.50.254
 network 192.168.50.0 mask 255.255.255.0
 excluded-ip-address 192.168.50.230 192.168.50.253
 lease day 2 hour 0 minute 0
#
// Serve each sub-interface from the global pool that matches its subnet.
interface GigabitEthernet0/0/2.40
 dhcp select global
#
interface GigabitEthernet0/0/2.50
 dhcp select global
R1
// R1 OSPF process 1: advertises its three VLAN subnets and the R1-R2 link in area 0.
ospf 1 router-id 1.1.1.1
area 0.0.0.0
// Area-wide MD5 authentication, key ID 1. The key must be identical on R1 and R2.
// NOTE(review): the key shown here is three characters long and is the same string as the
// Telnet username/password configured on R1, so one disclosure exposes both. Outside a lab use
// a long random key unique to OSPF, and prefer hmac-sha256 over md5 (change both routers together).
authentication-mode md5 1 cipher wml
// NOTE(review): the three /24 network statements also run OSPF on the user-facing
// sub-interfaces, so hellos are sent into the host VLANs; marking those interfaces as
// silent-interface would still advertise the subnets without forming adjacencies there.
network 192.168.10.0 0.0.0.255
// Host wildcard: enables OSPF on exactly the interface that owns 192.168.12.1.
network 192.168.12.1 0.0.0.0
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
R2
// R2 OSPF process 1: advertises VLAN 40/50 and the R1-R2 link, and originates a default route.
ospf 1 router-id 2.2.2.2
// Advertise a default route to R1 through OSPF. Without the "always" keyword this relies on
// R2 having its own active default route (the static route toward the ISP).
default-route-advertise
area 0.0.0.0
// Area-wide MD5 authentication, key ID 1; must match R1.
// NOTE(review): the same short key is reused as the Telnet credential on R1. Use a long,
// OSPF-only key and prefer hmac-sha256 over md5 (change both routers together).
authentication-mode md5 1 cipher wml
// Host wildcard: enables OSPF on exactly the interface that owns 192.168.12.2.
network 192.168.12.2 0.0.0.0
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
R1
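// Advanced ACL 3000: deny Telnet from PC1 (192.168.10.229) to each of R1's interface addresses.
// NOTE(review): 192.168.10.229 is a DHCP lease, not a fixed identity. If PC1 obtains or sets a
// different address, none of these rules match. The rules also enumerate R1's addresses one by
// one, so any address added to R1 later is unprotected until a rule is added for it.
acl number 3000
 rule 5 deny tcp source 192.168.10.229 0 destination 192.168.10.254 0 destination-port eq telnet
 rule 10 deny tcp source 192.168.10.229 0 destination 192.168.20.254 0 destination-port eq telnet
 rule 15 deny tcp source 192.168.10.229 0 destination 192.168.30.254 0 destination-port eq telnet
 rule 20 deny tcp source 192.168.10.229 0 destination 192.168.12.1 0 destination-port eq telnet
#
// Apply ACL 3000 to traffic arriving on R1's GE0/0/1.
// NOTE(review): traffic that matches no rule is expected to pass, so every other source,
// including anything arriving through R2, can still reach Telnet on R1.
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3000
#
// Telnet login to R1 using AAA local authentication.
// NOTE(review): this is lab-only as written:
//  - the password equals the username, and the same string is reused as the OSPF key;
//  - the account has privilege level 15 (full control);
//  - Telnet carries the credentials in cleartext;
//  - R2 publishes this Telnet service on its ISP-facing interface through a NAT server entry,
//    so the login prompt is reachable from outside.
// For real use: choose a unique strong password, switch the VTY lines to SSH (STelnet), and bind
// an ACL to the VTY lines listing permitted management sources rather than denying one host.
aaa
 local-user wml password cipher wml idle-timeout 100 0
 local-user wml privilege level 15
 local-user wml service-type telnet
#
// VTY lines 0-4 authenticate against the AAA local user database.
user-interface vty 0 4
 authentication-mode aaa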
R2
// Basic ACL 2000: the internal subnets whose traffic is translated by "nat outbound" below.
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 permit source 192.168.20.0 0.0.0.255
rule 15 permit source 192.168.30.0 0.0.0.255
rule 20 permit source 192.168.40.0 0.0.0.255
rule 25 permit source 192.168.50.0 0.0.0.255
#
interface GigabitEthernet0/0/1
// Configure NAT so the public interface maps to the internal web server.
nat server protocol tcp global current-interface www inside 192.168.30.100 www
// Maps Telnet on the public interface to R1 (192.168.12.1).
// NOTE(review): this publishes R1's management login, a cleartext protocol guarded by a
// username-equals-password account at privilege level 15, to anything that can reach this
// interface. Outside a lab, do not expose device management through NAT; use SSH over a
// management network or VPN, or at least restrict the permitted source addresses.
nat server protocol tcp global current-interface telnet inside 192.168.12.1 telnet
// Easy IP: sources permitted by ACL 2000 are translated to this interface's own address.
nat outbound 2000
#
// Default route toward the ISP; together with the Easy IP rule above it lets internal users reach the public network.
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
PC1不允许telnet到R1
PC2允许telnet到R1
其他PC1,PC3,PC4自行测试,是都可以正常访问的
启动本地WEB服务器
配置client的DNS域名服务器地址
启动DNS域名服务器,并且配置相关的域名和IP地址
弹出下面这个对话框则表示成功访问到WEB服务器
可以成功访问到R1