NAT


Static NAT configuration:

[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat static global 100.1.1.3 inside 192.168.1.1

NAPT

[R1]nat address-group 1 100.1.1.3 100.1.1.3
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]int g0/0/1 
[R1-GigabitEthernet0/0/1]nat outbound  2000 address-group 1

vlan batch 2 3 4
port-group group-member g0/0/2 g0/0/3
port link-type access
port default vlan 4
quit
int g0/0/1
port link-type trunk
port trunk allow-pass vlan all

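NAPT lab:
Requirements:
- The company's VLAN 2, VLAN 3 and VLAN 4 all use the IP subnet of super VLAN 10
- Hosts in different VLANs inside the company can reach each other (inter-VLAN communication)
- Hosts in every VLAN can reach R1

Configuration steps:
Step 1: Configure the IP address, mask and gateway on each PC

Step 2: Create the sub-VLANs
1) Create VLANs 2, 3 and 4 on SW2/SW3/SW4
2) Set the switch interfaces that connect to PCs to access mode and add them to the designated VLAN
3) Set the inter-switch interfaces to trunk mode and allow VLANs 2, 3 and 4 through

Step 3: Create the super VLAN and enable proxy ARP to allow inter-VLAN communication
1) Create VLANs 2, 3, 4 and 10 on SW1
2) Set the interfaces between SW1 and SW2/SW3/SW4 to trunk mode and allow VLANs 2, 3 and 4 through
3) Configure the super VLAN on SW1 and assign an address to the VLANIF 10 virtual interface
4) Enable the super-VLAN proxy ARP function on SW1

Step 4: Configure routing so that hosts in the VLANs can reach R1
1) Set the SW1 interface that connects to R1 to access mode, add it to VLAN 20, and configure the VLANIF 20 virtual interface IP address
2) On R1, configure a static route to 192.168.10.0/24 with next hop 192.168.20.10

Step 5: Test and verify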

Configuration commands:
Step 1: Configure the IP address, mask and gateway on each PC

Step 2: Create the sub-VLANs
SW2 configuration:
[SW2]vlan batch  2 3 4
[SW2]port-group group-member g0/0/2 g0/0/3
[SW2-port-group]port link-type access
[SW2-port-group]port default vlan 2
[SW2-port-group]quit
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all

SW3 configuration:
[SW3]vlan batch 2 3 4
[SW3]port-group group-member g0/0/2 g0/0/3
[SW3-port-group]port link-type access
[SW3-port-group]port default vlan 3
[SW3-port-group]quit
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan all

SW4 configuration:
[SW4]vlan batch 2 3 4
[SW4]port-group group-member g0/0/2 g0/0/3
[SW4-port-group]port link-type access
[SW4-port-group]port default vlan 4
[SW4-port-group]quit
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type trunk
[SW4-GigabitEthernet0/0/1]port trunk allow-pass vlan all

 
Step 3: Create the super VLAN and enable proxy ARP to allow inter-VLAN communication (so the PCs can reach each other)
SW1 configuration:
[SW1]vlan batch 2 3 4 10 
[SW1]vlan 10      //enter vlan 10
[SW1-vlan10]aggregate-vlan    //make vlan 10 an aggregate VLAN (super VLAN)
[SW1-vlan10]access-vlan 2 to 4   //add sub-VLANs 2/3/4 to aggregate vlan 10
[SW1-vlan10]quit
[SW1]interface vlanif 10   //enter vlanif 10
[SW1-Vlanif10]ip address 192.168.10.254 24    //configure the IP address of the vlanif10 virtual interface
[SW1-Vlanif10]arp-proxy inter-sub-vlan-proxy enable    //enable inter-sub-VLAN proxy ARP under vlanif10
[SW1-Vlanif10]quit
[SW1]port-group group-member g0/0/2 to g0/0/4
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan 2 3 4

Step 4: Configure a static route on R1 toward SW1
[R1]ip route-static 192.168.10.0 24 192.168.20.10
[R1]int g0/0/0
[R1-Ethernet0/0/0]ip address 192.168.20.20 24

Step 5: Create VLAN 20, configure the IP address of its virtual interface, set interface g0/0/1 to access mode, and add it to VLAN 20
[SW1]vlan 20
[SW1-vlan20]q
[SW1]int vlanif 20
[SW1-Vlanif20]ip address 192.168.20.10 24
[sw1-Vlanif20]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access 
[SW1-GigabitEthernet0/0/1]port default vlan 20

Large and medium-sized campus network lab:

[DHCP-SERVER]dhcp enable
[DHCP-SERVER]ip pool home1
[DHCP-SERVER-ip-pool-home1]network 192.168.1.0 mask 24
[DHCP-SERVER-ip-pool-home1]gateway-list 192.168.1.254
[DHCP-SERVER-ip-pool-home1]dns-list 8.8.8.8
[DHCP_SERVER-ip-pool-home1]excluded-ip-address 192.168.1.253
[DHCP-SERVER]int GigabitEthernet 0/0/0	
[DHCP-SERVER-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[DHCP-SERVER-GigabitEthernet0/0/0]dhcp select global

[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 100.1.1.2 29
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 200.1.1.1 24

[R1]ip route-static 0.0.0.0 0 100.1.1.2
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/0]quit
[R1]nat address-group 1 100.1.1.3 100.1.1.3
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]int g0/0/1 
[R1-GigabitEthernet0/0/1]ip address 100.1.1.1 24
[R1-GigabitEthernet0/0/1]nat outbound  2000 address-group 1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global  current-interface 80 inside 192.168.1.253 80

OSPF multi-area lab
R1 configuration
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/0]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/2]q
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]are 12
[R1-ospf-1-area-0.0.0.12]network 192.168.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.12]network 192.168.12.0 0.0.0.255

R2 configuration
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.23.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.12.2 24
[R2-GigabitEthernet0/0/1]q
[R2]ospf 1 router-id 2.2.2.2	
[R2-ospf-1]area 12
[R2-ospf-1-area-0.0.0.12]network 192.168.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.12]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.23.0 0.0.0.255

R3 configuration
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.34.3 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip address 192.168.23.3 24
[R3-GigabitEthernet0/0/1]q
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]are 0
[R3-ospf-1-area-0.0.0.0]network 192.168.23.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 192.168.34.0 0.0.0.255

R4 configuration
[R4]int g0/0/0	
[R4-GigabitEthernet0/0/0]ip address 192.168.45.4 24
[R4-GigabitEthernet0/0/0]int g0/0/1
[R4-GigabitEthernet0/0/1]ip address 192.168.34.4 24
[R4-GigabitEthernet0/0/1]q
[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]are 0
[R4-ospf-1-area-0.0.0.0]network 192.168.34.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network 192.168.45.0 0.0.0.255

R5 configuration
[R5]int g0/0/1
[R5-GigabitEthernet0/0/1]ip address 192.168.45.5 24
[R5-GigabitEthernet0/0/1]int g0/0/0
[R5-GigabitEthernet0/0/0]ip address 192.168.56.5 24
[R5-GigabitEthernet0/0/0]q
[R5]ospf 1 router-id 5.5.5.5
[R5-ospf-1]are 0
[R5-ospf-1-area-0.0.0.0]network 192.168.45.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]are 56
[R5-ospf-1-area-0.0.0.56]network 192.168.56.0 0.0.0.255

R6 configuration
[R6]int g0/0/1
[R6-GigabitEthernet0/0/1]ip address 192.168.56.6 24
[R6-GigabitEthernet0/0/1]int g0/0/2
[R6-GigabitEthernet0/0/2]ip address 192.168.2.254 24
[R6-GigabitEthernet0/0/2]q	
[R6]ospf 1 router-id 6.6.6.6
[R6-ospf-1]are 56
[R6-ospf-1-area-0.0.0.56]network 192.168.56.0 0.0.0.255
[R6-ospf-1-area-0.0.0.56]network 192.168.2.0 0.0.0.255

Advanced ACL configuration
R1 configuration
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/2]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/0]q
[R1]ip route-static 0.0.0.0 0 192.168.12.2

R2 configuration
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.12.2 24 
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.3.2 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.2.254 24

R3 configuration
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.3.3 24
[R3-GigabitEthernet0/0/0]int g0/0/2
[R3-GigabitEthernet0/0/2]ip address 192.168.3.254 24
[R3-GigabitEthernet0/0/2]q
[R3]ip route-static 0.0.0.0 0 192.168.3.2

[R1]acl 3000
[R1-acl-adv-3000]rule 10 permit tcp source 192.168.1.1 0.0.0.0 destination 192.168.3.1 0.0.0.0 destination-port eq 80
[R1-acl-adv-3000]rule 20 permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.0 0.0.0.255
[R1-acl-adv-3000]rule 30 deny ip source 192.168.1.1 0.0.0.0 destination any
[R1-acl-adv-3000]int g0/0/2
[R1-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
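
To check what acl 3000 actually filters, the following added example (not part of the original post) parses the three rules above and evaluates constructed sample packets with first-match, wildcard-mask semantics. It assumes that traffic-filter forwards packets that match no rule, which is why a neighbouring host such as 192.168.1.2 is not restricted by this ACL; the function names and sample packets are illustrative.

```python
import ipaddress
import re

# The three rules of acl 3000 as configured on R1 above.
ACL_3000 = """
rule 10 permit tcp source 192.168.1.1 0.0.0.0 destination 192.168.3.1 0.0.0.0 destination-port eq 80
rule 20 permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.0 0.0.0.255
rule 30 deny ip source 192.168.1.1 0.0.0.0 destination any
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) (\w+) source (\S+) (\S+) "
    r"destination (any|\S+ \S+)(?: destination-port eq (\d+))?")

def parse_acl(text):
    """Parse rule lines into tuples ordered by rule ID (the match order)."""
    rules = []
    for m in RULE_RE.finditer(text):
        rid, action, proto, src, swild, dst, port = m.groups()
        dst_addr, dst_wild = (("0.0.0.0", "255.255.255.255")
                              if dst == "any" else dst.split())
        rules.append((int(rid), action, proto, (src, swild),
                      (dst_addr, dst_wild), int(port) if port else None))
    return sorted(rules)

def wildcard_match(addr, base, wildcard):
    # A 0 bit in the wildcard means "must match"; a 1 bit means "ignore".
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care
            == int(ipaddress.IPv4Address(base)) & care)

def evaluate(rules, proto, src, dst, dport=None, default="permit"):
    """Return (action, rule_id) of the first matching rule.
    ASSUMPTION: default="permit" models traffic-filter forwarding unmatched packets."""
    for rid, action, rproto, (s, sw), (d, dw), rport in rules:
        if rproto != "ip" and rproto != proto:
            continue  # "ip" covers every protocol; otherwise it must be equal
        if rport is not None and rport != dport:
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, rid
    return default, None

RULES = parse_acl(ACL_3000)
# Constructed sample packets: (protocol, source, destination, destination port)
for pkt in [("tcp", "192.168.1.1", "192.168.3.1", 80),
            ("tcp", "192.168.1.1", "192.168.3.1", 22),
            ("icmp", "192.168.1.1", "192.168.2.7", None),
            ("tcp", "192.168.1.2", "192.168.3.1", 22)]:
    print(pkt, "->", evaluate(RULES, *pkt))
```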

Author: CHAO
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit CHAO when reposting!