Comprehensive Lab Test

in Default Category with 0 comments

[Image: 2024-09-18T07:18:47.png]

Lab requirements:

1) All internal IP addresses can reach each other;

2) Internal hosts obtain their IP addresses automatically (DHCP) and can access www.yorickbao.cn;

3) Departments 2 and 3 can reach the Internet through NAT, while department 1 cannot;

4) The internal server is published externally as 64.1.1.3, and Internet users can ping it.

Configuration approach:

Configure each interface according to the requirements; the special parts (DHCP, the ACL, static routes and NAT) are then set up in separate passes.

SW1 is the core switch. Three departments and one server hang off it, so the internal network is divided into four VLANs. Because a switch port cannot be given an IP address of its own, the port facing AR1 is configured as an access port and the IP address is bound to the corresponding VLANIF. Each VLAN gets an IP address on its VLANIF, which serves as that VLAN's gateway. Departments 2 and 3 must reach the Internet, so NAT translates their internal addresses to a public address. Department 1 must not reach the Internet, so an ACL is used to control which traffic is translated. The server needs a fixed public IP address, so static NAT maps its private address to that fixed public address. Routing for all devices is handled by the two routers.

SW1 configuration

<Huawei>sys
[Huawei]vlan batch 10 20 30 172 1010  
[Huawei]dhcp enable 
[Huawei]int vlan10
[Huawei-Vlanif10]ip add 192.168.10.254 24
[Huawei-Vlanif10]dhcp select global 

[Huawei]int vlan20
[Huawei-Vlanif20]ip add 192.168.20.254 24
[Huawei-Vlanif20]dhcp select global

[Huawei]int vlan30
[Huawei-Vlanif30]ip add 192.168.30.254 24
[Huawei-Vlanif30]dhcp select global

[Huawei]int vlan172
[Huawei-Vlanif172]ip add 172.16.100.254 24
[Huawei-Vlanif172]dhcp select global

[Huawei]int vlan1010    /* this VLAN is the switch-to-router interconnect VLAN */
[Huawei-Vlanif1010]ip add 10.10.10.1 24

[Huawei]ip pool 10
[Huawei-ip-pool-10]network 192.168.10.0 mask 24
[Huawei-ip-pool-10]gateway-list 192.168.10.254
[Huawei-ip-pool-10]dns-list 114.114.114.114 172.16.100.1  /* 172.16.100.1 must be listed, otherwise www.yorickbao.cn cannot be resolved and pinged; the same applies to the pools below */

[Huawei]ip pool 20
[Huawei-ip-pool-20]network 192.168.20.0 mask 24
[Huawei-ip-pool-20]gateway-list 192.168.20.254
[Huawei-ip-pool-20]dns-list 114.114.114.114 172.16.100.1

[Huawei]ip pool 30
[Huawei-ip-pool-30]network 192.168.30.0 mask 24
[Huawei-ip-pool-30]gateway-list 192.168.30.254
[Huawei-ip-pool-30]dns-list 114.114.114.114 172.16.100.1

[Huawei]ip pool 172
[Huawei-ip-pool-172]network 172.16.100.0 mask 24
[Huawei-ip-pool-172]gateway-list 172.16.100.254
[Huawei-ip-pool-172]dns-list 114.114.114.114 172.16.100.1

[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access  /* the device on the far end is the server, so an access port is used */
[Huawei-GigabitEthernet0/0/4]port default vlan 172

[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[Huawei]int g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan all

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access    /* in this lab the port facing AR1 must be an access port */
[Huawei-GigabitEthernet0/0/1]port default vlan 1010

[Huawei]ip route-static 10.10.10.0 24 10.10.10.2 
[Huawei]ip route-static 64.1.1.0 24 10.10.10.2
[Huawei]ip route-static 8.8.8.0 24 10.10.10.2
[Huawei]ip route-static 9.9.9.0 24 10.10.10.2

SW2 configuration

<Huawei>sys
[Huawei]vlan batch 10 20 30 172 1010

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access 
[Huawei-GigabitEthernet0/0/2]port default vlan 10

SW3 configuration

<Huawei>sys
[Huawei]vlan batch 10 20 30 172 1010
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk     
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access 
[Huawei-GigabitEthernet0/0/2]port default vlan 20

[Huawei]int g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access 
[Huawei-GigabitEthernet0/0/3]port default vlan 30

AR1 configuration

<Huawei>sys
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 10.10.10.2 24
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 64.1.1.1 24
[Huawei]ip route-static 8.8.8.0 24 64.1.1.10
[Huawei]ip route-static 9.9.9.0 24 64.1.1.10
[Huawei]ip route-static 192.168.10.0 24 10.10.10.1
[Huawei]ip route-static 192.168.20.0 24 10.10.10.1
[Huawei]ip route-static 192.168.30.0 24 10.10.10.1
[Huawei]ip route-static 172.16.100.0 24 10.10.10.1

[Huawei]nat address-group 1 64.1.1.5 64.1.1.5 
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 4 deny source 192.168.10.0 0.0.0.255
[Huawei-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]nat static global 64.1.1.3 inside 172.16.100.1
[Huawei-GigabitEthernet0/0/1]nat outbound 2000 address-group 1    /* dynamic NAT (NAPT): sources permitted by ACL 2000 are translated to 64.1.1.5; traffic-filter is a packet filter and does not accept address-group */
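Checks worth running after the AR1 and SW1 configuration above. This is an added verification list, not part of the original post; all commands are standard VRP display commands, and the comments describe what to expect from the configuration shown on this page:

```text
/* On AR1: the NAT policy, the static entry and the address group should all be present */
[Huawei]display nat outbound
[Huawei]display nat static
[Huawei]display nat address-group 1
[Huawei]display acl 2000

/* Ping 8.8.8.8 from a department 2 or 3 PC, then look for a session whose global address is 64.1.1.5.
   A ping from a department 1 PC (192.168.10.0/24) should create no session, because rule 4 denies it. */
[Huawei]display nat session all

/* Return routes for all four internal subnets must point at 10.10.10.1 */
[Huawei]display ip routing-table

/* On SW1: each VLANIF carries its gateway address, the pools hand out leases, and the ports have the expected VLAN roles */
[Huawei]display ip interface brief
[Huawei]display ip pool name 10 used
[Huawei]display port vlan
```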

AR2 configuration

<Huawei>sys
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 64.1.1.10 24
[Huawei]int g1/0/0
[Huawei-GigabitEthernet1/0/0]ip add 8.8.8.254 24
[Huawei]int g2/0/0
[Huawei-GigabitEthernet2/0/0]ip add 9.9.9.254 24

Internal host configuration
PC1 to PC3 are all set to obtain an address via DHCP and receive an address from their own VLAN's subnet.
[Image: 2024-09-18T07:45:54.png]
[Image: 2024-09-18T07:47:29.png]
The server's address, gateway and related settings are shown below; after adding the domain name, click Start so that the server takes effect.
[Image: 2024-09-18T07:48:13.png]
[Image: 2024-09-18T07:48:43.png]

External host configuration
The external server and the desktop are simply configured with static IP addresses.
[Image: 2024-09-18T07:50:07.png]
[Image: 2024-09-18T07:51:30.png]

Final results
Internal network
1) All internal devices can ping www.yorickbao.cn;
[Image: 2024-09-18T07:53:40.png]
2) Department 1 hosts cannot ping external devices, while department 2 and 3 hosts ping external hosts normally;
[Image: 2024-09-18T07:52:52.png]
[Image: 2024-09-18T07:55:27.png]
[Image: 2024-09-18T07:56:30.png]
External network
[Image: 2024-09-18T07:58:38.png]
[Image: 2024-09-18T07:58:01.png]
Q&A
Q: Why can't 8.8.8.8 and 9.9.9.9 ping 64.1.1.5?
A: The NAT configured on AR1 is dynamic NAT, which only translates internal addresses to the public address so that internal hosts can communicate with the Internet through it. A public host cannot ping that address: no mapping for 64.1.1.5 exists until an internal host opens a session, so an unsolicited packet from outside has nothing to be translated to.
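The following Python model is an added example, not code from the original post. It reproduces AR1's NAT decision as configured above (basic ACL 2000 with its wildcard masks, `nat address-group 1` holding the single address 64.1.1.5, and the static entry 172.16.100.1 to 64.1.1.3) and shows why department 1 never gets translated, why the server is reachable from outside, and why an unsolicited ping to 64.1.1.5 is dropped. The session-table layout, the starting id value and the "no match means not translated" rule are simplifying assumptions of this model, not VRP internals:

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of AR1 as configured in the post: basic ACL 2000,
# nat address-group 1 and the static NAT entry for the internal server.
# Rule numbers, actions, addresses and wildcard masks are copied from the config.
ACL_2000: List[Tuple[int, str, str, str]] = [
    (4, "deny", "192.168.10.0", "0.0.0.255"),     # department 1: never translated
    (5, "permit", "192.168.0.0", "0.0.255.255"),  # everything else in 192.168/16
]
NAT_ADDRESS_GROUP_1 = "64.1.1.5"                 # one public address, so NAPT
NAT_STATIC = {"172.16.100.1": "64.1.1.3"}        # inside -> global, works both ways


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match as used by VRP ACLs: a 0 bit must match, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)


def acl_action(acl, src_ip: str) -> str:
    """First matching rule wins (rules are evaluated in ascending rule-id order).
    A source that matches no rule is treated as 'deny', i.e. not translated
    (assumption made for this model)."""
    for _rule_id, action, base, wc in sorted(acl):
        if wildcard_match(src_ip, base, wc):
            return action
    return "deny"


class NatRouter:
    """Toy model of AR1's NAT decision and session table. The 'id' fields stand
    for a TCP/UDP port or an ICMP identifier, whichever the packet carries."""

    def __init__(self) -> None:
        # (global_ip, global_id, remote_ip, remote_id) -> (inside_ip, inside_id)
        self.sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self._next_id = 10240  # constructed starting value for allocated ids

    def outbound(self, src_ip: str, src_id: int, dst_ip: str, dst_id: int) -> Tuple[str, int, str]:
        """Returns (new_src_ip, new_src_id, how) with how in {'static', 'napt', 'none'}."""
        if src_ip in NAT_STATIC:                      # static entry takes priority
            return NAT_STATIC[src_ip], src_id, "static"
        if acl_action(ACL_2000, src_ip) == "permit":  # nat outbound 2000 address-group 1
            gid = self._next_id
            self._next_id += 1
            self.sessions[(NAT_ADDRESS_GROUP_1, gid, dst_ip, dst_id)] = (src_ip, src_id)
            return NAT_ADDRESS_GROUP_1, gid, "napt"
        # Department 1: the packet leaves with its private source, so no reply can come back
        return src_ip, src_id, "none"

    def inbound(self, dst_ip: str, dst_id: int, src_ip: str, src_id: int) -> Optional[Tuple[str, int]]:
        """Returns the inside (ip, id) the packet is delivered to, or None if it is dropped."""
        for inside, glob in NAT_STATIC.items():       # 64.1.1.3 is always reachable
            if dst_ip == glob:
                return inside, dst_id
        # 64.1.1.5 only has a mapping for replies to sessions an inside host opened
        return self.sessions.get((dst_ip, dst_id, src_ip, src_id))


if __name__ == "__main__":
    r = NatRouter()
    print("dept1 ->", r.outbound("192.168.10.5", 1, "8.8.8.8", 1))
    print("dept2 ->", r.outbound("192.168.20.5", 1, "8.8.8.8", 1))
    print("server ->", r.outbound("172.16.100.1", 1, "9.9.9.9", 1))
    print("8.8.8.8 -> 64.1.1.3:", r.inbound("64.1.1.3", 1, "8.8.8.8", 1))
    print("8.8.8.8 -> 64.1.1.5 unsolicited:", r.inbound("64.1.1.5", 1, "8.8.8.8", 1))
```

The model also makes the department 1 failure mode visible: its packets are forwarded untranslated with a 192.168.10.x source, and AR2 has no route back to that prefix, so the result is the same as a block even though the ACL only says "do not translate".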
