This article is reposted from: http://xuyi35.blog.51cto.com/359953/94836
Lab objective: master the principles of ACL, NAT and DHCP and how to configure them on Cisco IOS
Lab content: ACL configuration
NAT configuration
DHCP configuration
Lab equipment: two 2600-series routers, one 2900 switch, two PCs
I. ACL configuration
(1) Standard ACL
Step 1 Configure the hostname and passwords on the router
Step 2 Configure the PCs on the Ethernet segment
a. PC 1
IP address 192.168.14.2
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
b. PC 2
IP address 192.168.14.3
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
Step 3 Save the configuration
GAD#copy running-config startup-config
Step 4 Use ping to test connectivity from both PCs to the default gateway
Step 5 Block the PCs from accessing the router's Ethernet interface
GAD(config)#access-list 1 deny 192.168.14.0 0.0.0.255
GAD(config)#access-list 1 permit any
Step 6 Ping both PCs from the router
Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group 1 in
Step 8 Ping the router from both PCs
Step 9 Create a new ACL
access-list 2 permit 192.168.14.1 0.0.0.254
Step 10 Apply the ACL to the interface
ip access-group 2 in
Step 11 Ping the router from both PCs
GAD#show running-config
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GAD
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 2 in
no ip directed-broadcast
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
no ip http server
!
access-list 1 deny 192.168.14.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 192.168.14.1 0.0.0.254
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end
(2) Extended ACL
Step 1 Configure the hostname and passwords on router GAD
Step 2 Configure the PCs on the Ethernet segment
a. PC 1
IP address 192.168.14.2
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
b. PC 2
IP address 192.168.14.3
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
Step 3 Save the configuration
GAD#copy running-config startup-config
Step 4 Use ping to test connectivity from both PCs to the default gateway
Step 5 Connect to the router with a web browser
Step 6 Block access to port 80 from the Ethernet segment
GAD(config)#access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80
GAD(config)#access-list 101 permit ip any any
Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group 101 in
Step 8 Ping the router from the PCs
Step 9 Connect to the router with a web browser
Step 10 Access the router from the PCs
GAD#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GAD
!
!
memory-size iomem 10
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
process-max-time 200
!
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 101 in
no ip directed-broadcast
!
interface Serial0/0
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
ip http server
!
access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq www
access-list 101 permit ip any any
!
line con 0
password cisco
login
transport input none
line aux 0
line vty 0 4
password cisco
login
!
no scheduler allocate
end
(3) Named ACL
Step 1 Configure the hostname and passwords on the router
Step 2 Configure the PCs on the Ethernet segment
a. PC 1
IP address 192.168.14.2
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
b. PC 2
IP address 192.168.14.3
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
Step 3 Save the configuration
GAD#copy running-config startup-config
Step 4 Use ping to test connectivity from both PCs to the default gateway
Step 5 Block the hosts from accessing the Ethernet interface
GAD(config)#ip access-list standard no_access
GAD(config-std-nacl)#deny 192.168.14.0 0.0.0.255
GAD(config-std-nacl)#permit any
Step 6 Ping the router from the PCs
Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group no_access in
Step 8 Ping the router from the PCs
GAD#show running-config
Building configuration...
Current configuration : 638 bytes
!
version 12.2
!
hostname GAD
!
enable secret 5 $1$rzr7$l9H/aXmOyxeCAiPAUoGLq.
!
ip subnet-zero
!
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group no_access in
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
ip classless
no ip http server
!
!
ip access-list standard no_access
deny 192.168.14.0 0.0.0.255
permit any
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
password cisco
login
!
end
GAD#show ip access-lists
Standard IP access list no_access
deny 192.168.14.0, wildcard bits 0.0.0.255 (18 matches)
permit any
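The three lists above can be worked through by hand with the following model of IOS wildcard matching and first-match evaluation. This is an added example, not part of the original lab: Ace, evaluate and lab_results are names chosen here, and the model generalizes the lab's cases to any source, destination, protocol and destination port; the named list no_access has the same entries as list 1 and behaves identically.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match the address, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Ace:
    """One access-list entry; a standard ACL only uses the source fields."""
    action: str                      # "permit" or "deny"
    src: str                         # source address; "any" is 0.0.0.0 with wildcard 255.255.255.255
    src_wc: str
    proto: str = "ip"                # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # 'eq <port>' on the destination

def evaluate(acl, src, dst, proto, dst_port=None):
    """First matching entry wins; anything left over hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"   # the implicit 'deny any' that IOS appends to every list

ANY = ("0.0.0.0", "255.255.255.255")
# The lab's lists, transcribed from the running-config output above
ACL_1 = [Ace("deny", "192.168.14.0", "0.0.0.255"), Ace("permit", *ANY)]   # same entries as no_access
ACL_2 = [Ace("permit", "192.168.14.1", "0.0.0.254")]   # wildcard 0.0.0.254 cares only about the last bit
ACL_101 = [Ace("deny", "192.168.14.0", "0.0.0.255", "tcp", *ANY, 80), Ace("permit", *ANY)]
ROUTER, PC1, PC2 = "192.168.14.1", "192.168.14.2", "192.168.14.3"

def lab_results():
    """What each PC can do against the router's Fa0/0 under each list."""
    return {
        "acl1_pc1_ping": evaluate(ACL_1, PC1, ROUTER, "icmp"),         # deny
        "acl1_pc2_ping": evaluate(ACL_1, PC2, ROUTER, "icmp"),         # deny
        "acl2_pc1_ping": evaluate(ACL_2, PC1, ROUTER, "icmp"),         # deny: .2 ends in bit 0
        "acl2_pc2_ping": evaluate(ACL_2, PC2, ROUTER, "icmp"),         # permit: .3 ends in bit 1
        "acl101_pc1_http": evaluate(ACL_101, PC1, ROUTER, "tcp", 80),  # deny
        "acl101_pc1_ping": evaluate(ACL_101, PC1, ROUTER, "icmp"),     # permit
    }
```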
II. NAT configuration
(1) Static and dynamic NAT
Step 1 Configure the routers
ISP
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable password cisco
ISP(config)#enable secret class
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#interface loopback 0
ISP(config-if)#ip address 172.16.1.1 255.255.255.255
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip address 200.2.2.17 255.255.255.252
ISP(config-if)#clock rate 64000
ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18
ISP(config)#end
ISP#copy running-config startup-config
Gateway
Router#configure terminal
Router(config)#hostname Gateway
Gateway(config)#enable password cisco
Gateway(config)#enable secret class
Gateway(config)#line console 0
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#line vty 0 4
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip address 10.10.10.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config)#interface serial 0
Gateway(config-if)#ip address 200.2.2.18 255.255.255.252
Gateway(config-if)#no shutdown
Gateway(config)#ip route 0.0.0.0 0.0.0.0 200.2.2.17
Step 2 Save the configuration
copy running-config startup-config
Step 3 Configure the PCs with the correct IP address, subnet mask and default gateway
Step 4 Test network connectivity
Step 5 Create a static route
ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18
ISP#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
199.99.9.0/27 is subnetted, 1 subnets
S 199.99.9.32 [1/0] via 200.2.2.18
200.2.2.0/30 is subnetted, 1 subnets
C 200.2.2.16 is directly connected, Serial0/0
172.16.0.0/32 is subnetted, 1 subnets
C 172.16.1.1 is directly connected, Loopback0
Step 6 Create a default route
Gateway(config)#ip route 0.0.0.0 0.0.0.0 200.2.2.17
Gateway#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.2.2.17 to network 0.0.0.0
200.2.2.0/30 is subnetted, 1 subnets
C 200.2.2.16 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 200.2.2.17
Step 7 Define the pool of public addresses
Gateway(config)#ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224
Step 8 Create an ACL that defines the inside private IP addresses
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Step 9 Define the translation from the inside list to the outside pool
Gateway(config)#ip nat inside source list 1 pool public_access
Step 10 Specify the inside and outside interfaces
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0
Gateway(config-if)#ip nat outside
Step 11 Configure a static mapping
Gateway(config)#ip nat inside source static 10.10.10.10 199.99.9.33
Gateway#show ip nat translations
Step 12 Test the configuration
ISP#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ISP#ping 199.99.9.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 199.99.9.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
ISP#
Gateway#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 199.99.9.33 10.10.10.10 --- ---
Summary:
Gateway NAT Configuration
Gateway#configure terminal
Gateway(config)#ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Gateway(config)#ip nat inside source list 1 pool public_access
Gateway(config)#interface fa0/0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0/0
Gateway(config-if)#ip nat outside
Gateway(config-if)#exit
Gateway(config)#ip nat inside source static 10.10.10.10 199.99.9.33
Gateway(config)#exit
(2) NAT overload (PAT)
Step 1 Configure the routers
ISP
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable password cisco
ISP(config)#enable secret class
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#interface loopback 0
ISP(config-if)#ip address 172.16.1.1 255.255.255.255
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip address 200.2.2.17 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#clock rate 64000
ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18
ISP(config)#end
ISP#copy running-config startup-config
Gateway
Router#configure terminal
Router(config)#hostname Gateway
Gateway(config)#enable password cisco
Gateway(config)#enable secret class
Gateway(config)#line console 0
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#line vty 0 4
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip address 10.10.10.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config)#interface serial 0
Gateway(config-if)#ip address 200.2.2.18 255.255.255.252
Gateway(config-if)#no shutdown
Gateway(config)#ip route 0.0.0.0 0.0.0.0 200.2.2.17
Step 2 Save the configuration
copy running-config startup-config
Step 3 Configure the PCs with the correct IP address, subnet mask and default gateway
Step 4 Test network connectivity
Step 5 Create a default route
Gateway(config)#ip route 0.0.0.0 0.0.0.0 serial 0
Gateway#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.2.2.17 to network 0.0.0.0
200.2.2.0/30 is subnetted, 1 subnets
C 200.2.2.16 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 200.2.2.17
Step 6 Create an ACL that defines the inside private IP addresses
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Step 7 Define the PAT translation from inside list to outside address
Gateway(config)#ip nat inside source list 1 interface serial 0 overload
Step 8 Specify the inside and outside interfaces
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0
Gateway(config-if)#ip nat outside
Step 9 Test the configuration
Gateway#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.2.2.18:1086 10.10.10.10:1086 172.16.1.1:23 172.16.1.1:23
icmp 200.2.2.18:768 10.10.10.10:768 172.16.1.1:768 172.16.1.1:768
Summary:
Gateway PAT configuration
Gateway#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Gateway(config)#ip nat inside source list 1 interface serial 0/0 overload
Gateway(config)#interface fa0/0
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface serial 0/0
Gateway(config-if)#ip nat outside
Gateway(config-if)#exit
Gateway(config)#exit
Gateway#copy running-config startup-config
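As an added example that is not part of the original lab, the following model reproduces the lookup order the Gateway router applies to inside-source NAT in both scenarios above: static mappings first, then the dynamic table, with access-list 1 deciding whether a new dynamic entry (a pool address in (1), a port on serial 0's address in (2)) may be created. InsideSourceNat, lab_static_dynamic and lab_overload are names chosen here; the addresses are the lab's, and the port-preservation behaviour mirrors the 1086 -> 1086 entry in the translation table shown in step 9.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):  # IOS semantics: 1 bits in the wildcard are "don't care"
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

class InsideSourceNat:
    def __init__(self, acl, pool=(), overload_if=None, statics=None):
        self.acl, self.table = acl, {}      # inside-source ACL as (base, wildcard); dynamic entries
        self.pool = list(pool)              # free inside-global addresses ('ip nat pool')
        self.overload_if = overload_if      # address shared by PAT ('... interface serial 0 overload')
        self.statics = dict(statics or {})  # inside-local -> inside-global ('ip nat inside source static')

    def outbound(self, local, port):        # packet leaving the 'ip nat inside' interface
        if local in self.statics:           # static mappings are consulted first
            return self.statics[local], port
        if not wildcard_match(local, *self.acl):
            return None                     # not in list 1: forwarded untranslated
        if self.overload_if:                # PAT: one shared address, one entry per (host, port)
            if (local, port) not in self.table:
                gport = port                # IOS keeps the source port while it is free
                while (self.overload_if, gport) in self.table.values():
                    gport += 1
                self.table[(local, port)] = (self.overload_if, gport)
            return self.table[(local, port)]
        if local not in self.table:         # dynamic NAT: one pool address per host
            if not self.pool:
                return None                 # pool exhausted: packet is dropped
            self.table[local] = self.pool.pop(0)
        return self.table[local], port

    def inbound(self, glob, port):          # packet arriving on the 'ip nat outside' interface
        for local, g in self.statics.items():
            if g == glob:
                return local, port
        for key, val in self.table.items():
            if val == (glob, port):         # PAT entry
                return key
            if val == glob:                 # dynamic entry, any port
                return key, port
        return None                         # no inside-global matches: nothing to deliver to

def lab_static_dynamic():                   # scenario (1): static entry plus pool 199.99.9.40-62
    gw = InsideSourceNat(("10.10.10.0", "0.0.0.255"), pool=[f"199.99.9.{h}" for h in range(40, 63)],
                         statics={"10.10.10.10": "199.99.9.33"})
    return {"to_10_10_10_10": gw.inbound("10.10.10.10", 0),    # None: not an inside-global address
            "to_199_99_9_33": gw.inbound("199.99.9.33", 0),    # ('10.10.10.10', 0)
            "dynamic_host": gw.outbound("10.10.10.20", 1025)}  # ('199.99.9.40', 1025)

def lab_overload():                         # scenario (2): all hosts share serial 0's 200.2.2.18
    gw = InsideSourceNat(("10.10.10.0", "0.0.0.255"), overload_if="200.2.2.18")
    first, second = gw.outbound("10.10.10.10", 1086), gw.outbound("10.10.10.11", 1086)
    return first, second, gw.inbound("200.2.2.18", 1087)  # (...:1086), (...:1087), ('10.10.10.11', 1086)
```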
III. DHCP configuration
Step 1 Configure the routers
Remote router configuration
Router#configure terminal
Router(config)#hostname remote
remote(config)#enable password cisco
remote(config)#enable secret class
remote(config)#line console 0
remote(config-line)#password cisco
remote(config-line)#login
remote(config-line)#exit
remote(config)#line vty 0 4
remote(config-line)#password cisco
remote(config-line)#login
remote(config-line)#exit
remote(config)#interface fastethernet 0/0
remote(config-if)#ip address 172.16.13.1 255.255.255.0
remote(config-if)#no shutdown
remote(config-if)#exit
remote(config)#interface serial 0/0
remote(config-if)#ip address 172.16.1.5 255.255.255.252
remote(config-if)#no shutdown
remote(config-if)#exit
remote(config)#router ospf 1
remote(config-router)#network 172.16.1.0 0.0.0.255 area 0
remote(config-router)#network 172.16.13.0 0.0.0.255 area 0
remote(config-router)#end
remote#copy running-config startup-config
Campus router configuration
Router#configure terminal
Router(config)#hostname campus
campus(config)#enable password cisco
campus(config)#enable secret class
campus(config)#line console 0
campus(config-line)#password cisco
campus(config-line)#login
campus(config-line)#exit
campus(config)#line vty 0 4
campus(config-line)#password cisco
campus(config-line)#login
campus(config-line)#exit
campus(config)#interface fastethernet 0/0
campus(config-if)#ip address 172.16.12.1 255.255.255.0
campus(config-if)#no shutdown
campus(config-if)#exit
campus(config)#interface serial 0/0
campus(config-if)#ip address 172.16.1.6 255.255.255.252
campus(config-if)#clock rate 56000
campus(config-if)#no shutdown
campus(config-if)#exit
campus(config)#router ospf 1
campus(config-router)#network 172.16.1.0 0.0.0.255 area 0
campus(config-router)#network 172.16.12.0 0.0.0.255 area 0
campus(config-router)#end
campus#copy running-config startup-config
Step 2 Enable OSPF on router remote
remote(config)#router ospf 1
remote(config-router)#network 172.16.1.0 0.0.0.3 area 0
remote(config-router)#network 172.16.13.0 0.0.0.3 area 0
Step 3 Enable OSPF on router campus
campus(config)#router ospf 1
campus(config-router)#network 172.16.1.0 0.0.0.255 area 0
campus(config-router)#network 172.16.12.0 0.0.0.255 area 0
remote#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O 172.16.12.0/24 [110/65] via 172.16.1.6, 00:00:12, Serial0/0
C 172.16.13.0/24 is directly connected, FastEthernet0/0
C 172.16.1.4/30 is directly connected, Serial0/0
campus#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.12.0/24 is directly connected, FastEthernet0/0
O 172.16.13.0/24 [110/65] via 172.16.1.5, 00:00:14, Serial0/0
C 172.16.1.4/30 is directly connected, Serial0/0
Step 4 Save the configuration
copy running-config startup-config
Step 5 Create the campus address pool on router campus
campus(config)#ip dhcp pool campus
campus(dhcp-config)#network 172.16.12.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.12.1
campus(dhcp-config)#dns-server 172.16.12.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.12.10
Step 6 Create the remote address pool on router campus
campus(dhcp-config)#ip dhcp pool remote
campus(dhcp-config)#network 172.16.13.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.13.1
campus(dhcp-config)#dns-server 172.16.12.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.12.10
Step 7 Exclude reserved addresses from the pools
campus(config)#ip dhcp excluded-address 172.16.12.1 172.16.12.11
campus(config)#ip dhcp excluded-address 172.16.13.1 172.16.13.11
Step 8 Test the operation of router campus
Step 9 Configure DHCP relay
remote(config)#interface fastethernet 0
remote(config-if)#ip helper-address 172.16.12.1
Step 10 Test the operation of router remote
Step 11 View the DHCP bindings
campus#show ip dhcp binding
IP address Client-ID/ Lease expiration Type
Hardware address
172.16.12.11 0108.0046.06fb.b6 Mar 02 2003 04:41 PM Automatic
172.16.13.11 0542.0010.0a21.cb Mar 02 2003 04:45 PM Automatic
Summary:
DHCP pool configurations
Campus pool
campus(config)#ip dhcp pool campus
campus(dhcp-config)#network 172.16.12.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.12.1
campus(dhcp-config)#dns-server 172.16.12.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.12.10
campus(dhcp-config)#exit
Remote pool
campus(config)#ip dhcp pool remote
campus(dhcp-config)#network 172.16.13.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.13.1
campus(dhcp-config)#dns-server 172.16.12.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.12.10
campus(dhcp-config)#exit
campus(config)#ip dhcp excluded-address 172.16.12.1 172.16.12.10
campus(config)#ip dhcp excluded-address 172.16.13.1 172.16.13.10
campus(config)#exit
campus#copy running-config startup-config
Remote helper address configuration
remote#configure terminal
remote(config)#interface fa0/0
remote(config-if)#ip helper-address 172.16.12.1
remote(config-if)#exit
remote(config)#exit
remote#copy running-config startup-config