OSPF and ACL lab

    1. The enterprise intranet runs the OSPF routing protocol; the area layout is as shown in the figure.
    2. The areas containing Finance (CW) and R&D (YF) must not be affected by link instability in other areas.
    3. R1, R2 and R3 may only be logged into and managed from IT.
    4. YF and CW must not be able to reach each other, but both can reach IT.
    5. IT and YF can access Client1, but CW cannot.
    6. YF and CW may only access the WWW service on Server1.

    Analysis:
    CW
    1. YF and CW must not reach each other, but both can reach IT
    2. CW cannot access Client1
    3. CW may only access the WWW service on Server1
    YF
    1. YF and CW must not reach each other, but both can reach IT
    2. YF may only access the WWW service on Server1
    IT
    1. R1, R2 and R3 may only be logged into from IT
    2. IT can access Client1

    IP address configuration:

    R1

    [R1]int g0/0/0

    [R1-GigabitEthernet0/0/0]ip address 1.1.1.254 24

    [R1-GigabitEthernet0/0/0]int g0/0/1

    [R1-GigabitEthernet0/0/1]ip address 192.168.12.1 24

    [R1-GigabitEthernet0/0/1]int g0/0/2

    [R1-GigabitEthernet0/0/2]ip address 192.168.13.1 24

    [R1-GigabitEthernet0/0/2]q

    R2

    [R2]int g0/0/0

    [R2-GigabitEthernet0/0/0]ip address 192.168.12.2 24

    [R2-GigabitEthernet0/0/0]int g0/0/1

    [R2-GigabitEthernet0/0/1]ip address 192.168.10.254 24

    [R2-GigabitEthernet0/0/1]int g0/0/2

    [R2-GigabitEthernet0/0/2]ip address 192.168.20.254 24

    [R2-GigabitEthernet0/0/2]q

    R3

    [R3]int g0/0/0

    [R3-GigabitEthernet0/0/0]ip address 192.168.13.2 24

    [R3-GigabitEthernet0/0/0]int g0/0/1

    [R3-GigabitEthernet0/0/1]ip address 192.168.30.254 24

    [R3-GigabitEthernet0/0/1]int g0/0/2

    [R3-GigabitEthernet0/0/2]ip address 192.168.40.254 24

    [R3-GigabitEthernet0/0/2]q

    IT

    [IT]int g0/0/0

    [IT-GigabitEthernet0/0/0]ip address 192.168.10.1 24

    [IT-GigabitEthernet0/0/0]q

    OSPF configuration:

    R1

    [R1]ospf 1

    [R1-ospf-1]area 0

    [R1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255

    [R1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255

    [R1-ospf-1-area-0.0.0.0]dis th

    [V200R003C00]

    #

     area 0.0.0.0

      network 192.168.12.0 0.0.0.255

      network 192.168.13.0 0.0.0.255

    #

    return

    [R1-ospf-1-area-0.0.0.0]q

    [R1-ospf-1]area 1

    [R1-ospf-1-area-0.0.0.1]network 1.1.1.0 0.0.0.255

    [R1-ospf-1-area-0.0.0.1]dis th

    [V200R003C00]

    #

     area 0.0.0.1

      network 1.1.1.0 0.0.0.255

    #

    return

    [R1-ospf-1-area-0.0.0.1]q

    R2

    [R2]ospf 1

    [R2-ospf-1]area 0

    [R2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255

    [R2-ospf-1-area-0.0.0.0]dis th

    [V200R003C00]

    #

     area 0.0.0.0

      network 192.168.12.0 0.0.0.255

    #

    return

    [R2-ospf-1-area-0.0.0.0]q

    [R2-ospf-1]area 2

    [R2-ospf-1-area-0.0.0.2]network 192.168.10.0 0.0.0.255

    [R2-ospf-1-area-0.0.0.2]network 192.168.20.0 0.0.0.255

    [R2-ospf-1-area-0.0.0.2]dis th

    [V200R003C00]

    #

     area 0.0.0.2

      network 192.168.10.0 0.0.0.255

      network 192.168.20.0 0.0.0.255

    #

    return

    [R2-ospf-1-area-0.0.0.2]q

    R3

    [R3]ospf 1

    [R3-ospf-1]area 0 

    [R3-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255

    [R3-ospf-1-area-0.0.0.0]dis th

    [V200R003C00]

    #

     area 0.0.0.0

      network 192.168.13.0 0.0.0.255

    #

    return

    [R3-ospf-1-area-0.0.0.0]q

    [R3-ospf-1]area 3

    [R3-ospf-1-area-0.0.0.3]network 192.168.30.0 0.0.0.255

    [R3-ospf-1-area-0.0.0.3]network 192.168.40.0 0.0.0.255

    [R3-ospf-1-area-0.0.0.3]dis th

    [V200R003C00]

    #

     area 0.0.0.3

      network 192.168.30.0 0.0.0.255

      network 192.168.40.0 0.0.0.255

    #

    return

    [R3-ospf-1-area-0.0.0.3]q

    IT

    [IT]ospf 1

    [IT-ospf-1]area 2

    [IT-ospf-1-area-0.0.0.2]network 192.168.10.0 0.0.0.255

    [IT-ospf-1-area-0.0.0.2]dis th

    [V200R003C00]

    #

     area 0.0.0.2

      network 192.168.10.0 0.0.0.255

    #

    return

    [IT-ospf-1-area-0.0.0.2]q

    At this point verify that every host in the network can reach every other:

    [IT]ping 1.1.1.1

      PING 1.1.1.1: 56  data bytes, press CTRL_C to break

        Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=253 time=20 ms

        Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=253 time=20 ms

        Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=253 time=30 ms

        Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=253 time=30 ms

        Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=253 time=30 ms

     

      --- 1.1.1.1 ping statistics ---

        5 packet(s) transmitted

        5 packet(s) received

        0.00% packet loss

        round-trip min/avg/max = 20/26/30 ms

     

    [IT]ping 192.168.40.1

      PING 192.168.40.1: 56  data bytes, press CTRL_C to break

        Request time out

        Reply from 192.168.40.1: bytes=56 Sequence=2 ttl=252 time=30 ms

        Reply from 192.168.40.1: bytes=56 Sequence=3 ttl=252 time=30 ms

        Reply from 192.168.40.1: bytes=56 Sequence=4 ttl=252 time=20 ms

        Reply from 192.168.40.1: bytes=56 Sequence=5 ttl=252 time=40 ms

     

      --- 192.168.40.1 ping statistics ---

        5 packet(s) transmitted

        4 packet(s) received

        20.00% packet loss

        round-trip min/avg/max = 20/30/40 ms

    Configure the ACLs according to the requirements:

    CW:

    [R3]acl 3000

    [R3-acl-adv-3000]rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 1.1.1.0 0.0.0.255

    [R3-acl-adv-3000]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

    [R3-acl-adv-3000]rule 15 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www

    [R3-acl-adv-3000]rule 20 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0

    [R3-acl-adv-3000]q

    [R3]int g0/0/1

    [R3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

    [R3-GigabitEthernet0/0/1]q


    YF:

    [R2]acl 3001

    [R2-acl-adv-3001]rule 5 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www

    [R2-acl-adv-3001]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0

    [R2-acl-adv-3001]q

    [R2]int g0/0/2

    [R2-GigabitEthernet0/0/2]traffic-filter inbound acl 3001

    [R2-GigabitEthernet0/0/2]q


    IT:

    Configuration on R1

    [R1]acl 2000

    [R1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255

    [R1-acl-basic-2000]q

    [R1]user-interface vty 0 4

    [R1-ui-vty0-4]authentication-mode password

    Please configure the login password (maximum length 16):123

    [R1-ui-vty0-4]acl 2000 inbound

    [R1-ui-vty0-4]dis th

    [V200R003C00]

    #

    user-interface con 0

     authentication-mode password

    user-interface vty 0 4

     acl 2000 inbound

     authentication-mode password

     set authentication password cipher %$%$%b|hVM5/mDVFw|~(AMI>,"IGSBN(Nlh/TT~eGJ@)@g#"IJ,%$%$

    user-interface vty 16 20

    #

    return

    [R1-ui-vty0-4]q

     

    Configuration on R2

    [R2]acl 2000

    [R2-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255

    [R2-acl-basic-2000]q

    [R2]user-interface vty 0 4      

    [R2-ui-vty0-4]acl 2000 inbound

    [R2-ui-vty0-4]authentication-mode password

    Please configure the login password (maximum length 16):123

    [R2-ui-vty0-4]dis th

    [V200R003C00]

    #

    user-interface con 0

     authentication-mode password

    user-interface vty 0 4

     acl 2000 inbound

     authentication-mode password

     set authentication password cipher %$%$pZAl@MK"R7m2k.8=Fd[3,..2h4=V"fJsdR8ORh=scxlL..5,%$%$

    user-interface vty 16 20

    #

    return

    [R2-ui-vty0-4]q

     

    Configuration on R3

    [R3]acl 2000

    [R3-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255

    [R3-acl-basic-2000]q

    [R3]user-interface vty 0 4

    [R3-ui-vty0-4]acl 2000 inbound

    [R3-ui-vty0-4]authentication-mode password

    Please configure the login password (maximum length 16):123

    [R3-ui-vty0-4]dis th

    [V200R003C00]

    #

    user-interface con 0

     authentication-mode password

    user-interface vty 0 4

     acl 2000 inbound

     authentication-mode password

     set authentication password cipher %$%$eC/~%Q{M>U38eS9fW{hA,.we<>,5(&g1YG#wd3L3jHl1.wh,%$%$

    user-interface vty 16 20

    #

    return

    [R3-ui-vty0-4]q
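    To check that the traffic-filter ACLs (3000 on R3, 3001 on R2) and the VTY login ACL (2000 on R1/R2/R3) really satisfy requirements 3 to 6 before trusting them on a live device, here is an added Python model. It is not part of the original post and not Huawei code: it parses the ACL rules exactly as typed on this page, pushes request and reply packets through the two inbound filter points and the login ACL, and reduces each requirement to pass/fail. It assumes, as the lab's design does, that traffic-filter forwards packets matching no rule while the VTY ACL rejects them, and it approximates "inbound on the LAN-facing interface" as "source address in that LAN", which holds for this topology. The host addresses 192.168.30.1, 192.168.20.1, 192.168.10.1 and the ephemeral port 49152 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PORT_NAMES = {"www": 80}  # the only port keyword used on the page


def _match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard semantics: bits that are 0 in the wildcard must match exactly.
    The page writes a host wildcard as a bare '0', shorthand for 0.0.0.0."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ip_address(wildcard))
    return int(ip_address(addr)) & care == int(ip_address(base)) & care


@dataclass
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: tuple                    # (base, wildcard)
    dst: Optional[tuple] = None   # basic ACLs (2000-2999) carry no destination
    dport: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one 'rule N permit|deny ...' line in the syntax typed on the page."""
    t = line.split()
    number, action, i, proto = int(t[1]), t[2], 3, "ip"
    if t[i] in ("ip", "tcp", "udp", "icmp"):  # advanced ACLs name a protocol
        proto, i = t[i], i + 1
    src = dst = dport = None
    while i < len(t):
        if t[i] == "source":
            src, i = (t[i + 1], t[i + 2]), i + 3
        elif t[i] == "destination":
            dst, i = (t[i + 1], t[i + 2]), i + 3
        elif t[i] == "destination-port":        # "destination-port eq www"
            v = t[i + 2]
            dport, i = (PORT_NAMES[v] if v in PORT_NAMES else int(v)), i + 3
        else:
            raise ValueError(f"unsupported token {t[i]!r}")
    return Rule(number, action, proto, src, dst, dport)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    dport: Optional[int] = None


def acl_action(rules, pkt: Packet, default: str) -> str:
    """Lowest-numbered matching rule wins. A VRP ACL has no implicit deny of its
    own; `default` is what the applying module does with an unmatched packet
    (assumption: traffic-filter permits it, the VTY login ACL denies it)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not _match(pkt.src, *r.src):
            continue
        if r.dst is not None and not _match(pkt.dst, *r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return default


# ACL rules copied from the page: 3000 on R3, 3001 on R2, 2000 on R1/R2/R3.
ACL_3000 = [parse_rule(s) for s in (
    "rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 1.1.1.0 0.0.0.255",
    "rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255",
    "rule 15 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www",
    "rule 20 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0")]
ACL_3001 = [parse_rule(s) for s in (
    "rule 5 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www",
    "rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0")]
ACL_2000 = [parse_rule("rule 10 permit source 192.168.10.0 0.0.0.255")]

# traffic-filter inbound points from the page; a packet hits a filter when its
# source lies in the LAN behind that interface (simplification, valid here)
FILTERS = [("R3 g0/0/1 inbound", ("192.168.30.0", "0.0.0.255"), ACL_3000),
           ("R2 g0/0/2 inbound", ("192.168.20.0", "0.0.0.255"), ACL_3001)]


def forwarded(pkt: Packet) -> bool:
    """True unless some inbound filter on the packet's path drops it."""
    return all(acl_action(rules, pkt, "permit") == "permit"
               for _, (base, wc), rules in FILTERS if _match(pkt.src, base, wc))


def flow_allowed(src: str, dst: str, proto: str = "icmp", dport: Optional[int] = None) -> bool:
    """ACLs are stateless: a session works only if request AND reply both pass.
    A TCP reply is addressed to the client's ephemeral port, never to 80."""
    request = Packet(src, dst, proto, dport)
    reply = Packet(dst, src, proto, 49152 if proto == "tcp" else None)
    return forwarded(request) and forwarded(reply)


def login_allowed(src: str) -> bool:
    """VTY ACL 2000: a source matching no rule is denied (the lab's intent)."""
    return acl_action(ACL_2000, Packet(src, "192.168.12.1", "tcp", 23), "deny") == "permit"


CW, YF, IT = "192.168.30.1", "192.168.20.1", "192.168.10.1"   # constructed hosts
CLIENT1, SERVER1 = "1.1.1.1", "192.168.40.1"                  # from the ping/ACL lines


def check_requirements() -> dict:
    """Requirements 3-6 from the top of the page, each reduced to a bool."""
    return {
        "3 only IT may log in": login_allowed(IT) and not login_allowed(YF) and not login_allowed(CW),
        "4 YF and CW cannot reach each other": not flow_allowed(YF, CW) and not flow_allowed(CW, YF),
        "4 both reach IT": flow_allowed(YF, IT) and flow_allowed(CW, IT),
        "5 Client1: IT and YF yes, CW no": flow_allowed(IT, CLIENT1) and flow_allowed(YF, CLIENT1)
                                            and not flow_allowed(CW, CLIENT1),
        "6 Server1: WWW only for YF and CW": all(flow_allowed(h, SERVER1, "tcp", 80)
                                                 and not flow_allowed(h, SERVER1, "tcp", 22)
                                                 and not flow_allowed(h, SERVER1)
                                                 for h in (YF, CW)),
    }


if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    # YF's ping leaves R2 unhindered; it is CW's reply that ACL 3000 drops on R3
    print("YF->CW request forwarded:", forwarded(Packet(YF, CW)),
          "| CW->YF reply forwarded:", forwarded(Packet(CW, YF)))
```

    Running it also shows the one point worth knowing about requirement 4: ACL 3001 has no rule for YF traffic towards 192.168.30.0/24, so a YF ping is forwarded by R2 and it is only CW's reply that rule 10 of ACL 3000 drops on R3. That is enough to fail a ping, but one-way traffic from YF into the CW segment still arrives; a matching deny rule in ACL 3001 would make the policy symmetric.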

     

    Original article: https://www.cnblogs.com/hkdong/p/12030227.html