CCNA Enterprise Network Integrated Project Lab (continued)

Continuing from the previous part, here is the configuration of the Internet device (students do not need to understand it; just apply it as-is):

Internet(config)#username HQ password cisco

Internet(config)#interface s1/0
Internet(config-if)#encapsulation ppp
Internet(config-if)#ip address 202.100.1.254 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#ppp authentication chap

Internet(config)#interface loopback 0
Internet(config-if)#ip address 1.2.3.4 255.255.255.255

Internet(config)#interface e0/1
Internet(config-if)#ip address 61.128.1.254 255.255.255.0
Internet(config-if)#no shutdown

Internet(config)#ip local pool HQ_PPPoE 123.45.67.1               
Internet(config)#bba-group pppoe HQ
Internet(config-bba-group)#virtual-template 1
Internet(config-bba-group)#interface e0/0

Internet(config-if)#no shutdown
Internet(config-if)#pppoe enable group HQ
Internet(config-if)#exit

Internet(config)#interface virtual-template 1
Internet(config-if)#mtu 1492
Internet(config-if)#ip address 123.45.67.254 255.255.255.0
Internet(config-if)#peer default ip address pool HQ_PPPoE
Internet(config-if)#end
Internet#


Connect R1 to the Internet

S1/0 link

R1 uses 202.100.1.1 on this link; 202.100.1.254 is the Internet router's side, and the branch's Tunnel20 later points at 202.100.1.1.

R1(config)#interface s1/0
R1(config-if)#encapsulation ppp
R1(config-if)#ip address 202.100.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#ppp chap hostname HQ
R1(config-if)#ppp chap password cisco
R1(config-if)#end

Verification:

R1#show ip interface brief s1/0
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/0                  202.100.1.1     YES manual up                    up


PPPoE on the e0/0 link

R1(config)#interface e0/0

R1(config-if)#no shutdown
R1(config-if)# pppoe enable group global
R1(config-if)# pppoe-client dial-pool-number 1
R1(config-if)#exit
R1(config)#interface Dialer1
R1(config-if)# mtu 1492
R1(config-if)# ip address negotiated
R1(config-if)# encapsulation ppp
R1(config-if)# dialer pool 1
R1(config-if)# dialer-group 1
R1(config-if)# ppp chap hostname HQ

R1(config-if)# ppp chap password cisco
R1(config-if)#End

Verification:

R1#show pppoe session
      1 client session

Uniq ID  PPPoE  RemMAC          Port                    VT  VA         State
            SID  LocMAC                                      VA-st      Type
     N/A      1  aabb.cc00.2000  Et0/0                   Di1 Vi2        UP     
                 aabb.cc00.1000                              UP             


R1#show ip interface brief dialer 1
Interface                  IP-Address      OK? Method Status                Protocol
Dialer1                    123.45.67.1     YES IPCP   up                    up     


Deploy multi-exit NAT

R1(config)#interface dialer 1
R1(config-if)#ip nat outside

R1(config-if)#interface s1/0
R1(config-if)#ip nat outside
R1(config-if)#interface e0/1
R1(config-if)#ip nat inside 
R1(config-if)#interface e0/2
R1(config-if)#ip nat inside

R1(config)#ip access-list standard nat
R1(config-std-nacl)#permit 10.1.0.0 0.0.255.255


R1(config)#route-map PPPoE permit
R1(config-route-map)#match ip address nat
R1(config-route-map)#match interface dialer 1


R1(config)#route-map S1/0 permit
R1(config-route-map)#match ip address nat
R1(config-route-map)#match interface s1/0


R1(config)#ip nat inside source route-map PPPoE interface dialer 1 overload

R1(config)#ip nat inside source route-map S1/0 interface s1/0 overload


Verify the deployment:

R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
   Serial1/0, Dialer1, Virtual-Access2
Inside interfaces:
   Ethernet0/1, Ethernet0/2
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] route-map PPPoE interface Dialer1 refcount 0
[Id: 3] route-map S1/0 interface Serial1/0 refcount 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0


Deploy a floating static route:

R1(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
R1(config)#ip route 0.0.0.0 0.0.0.0 s1/0 5


Verification:

R1#show ip route 0.0.0.0 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
   Known via "static", distance 1, metric 0 (connected), candidate default path
   Routing Descriptor Blocks:
   * directly connected, via Dialer1
       Route metric is 0, traffic share count is 1


R1(config)#interface dialer 1
R1(config-if)#shutdown
R1(config-if)#
*Oct 23 04:59:13.743: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Oct 23 04:59:13.743: Di1 DDR: dialer shutdown complete
*Oct 23 04:59:13.749: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
R1(config-if)#
*Oct 23 04:59:13.749: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#do show
*Oct 23 04:59:15.747: %LINK-5-CHANGED: Interface Dialer1, changed state to administratively down
R1(config-if)#do show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
   Known via "static", distance 5, metric 0 (connected), candidate default path
   Routing Descriptor Blocks:
   * directly connected, via Serial1/0
       Route metric is 0, traffic share count is 1


Verify NAT:

PC1#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

PC2#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.45.67.1:0     10.1.100.1:0       1.2.3.4:0          1.2.3.4:0
icmp 123.45.67.1:1     10.1.101.1:0       1.2.3.4:0          1.2.3.4:1
R1#show ip access-list     
Standard IP access list nat
     10 permit 10.1.0.0, wildcard bits 0.0.255.255 (2 matches)


At this point the headquarters' basic services are deployed; next, deploy the branch office services:

Enable the spanning-tree PortFast feature on the switch:

SW4(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
  should now disable portfast explicitly on switched ports leading to hubs,
  switches and bridges as they may create temporary bridging loops.


Create the VLANs

SW4(config)#vlan 100
SW4(config-vlan)#vlan 200
SW4(config-vlan)#exit

Server2(config)#interface e0/0
Server2(config-if)#no shutdown
Server2(config-if)#duplex full

PC3(config)#interface e0/0
PC3(config-if)#duplex full
PC3(config-if)#no shutdown


SW4#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                   S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                   D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Server2          Eth 0/2           134               R    Linux Uni Eth 0/0
PC3              Eth 0/1           139               R    Linux Uni Eth 0/0

Total cdp entries displayed : 2


SW4(config)#interface e0/1
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 100
SW4(config-if)#interface e0/2           
SW4(config-if)#switchport mode access   
SW4(config-if)#switchport access vlan 200


Verification:

SW4#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/3
100  VLAN0100                         active    Et0/1
200  VLAN0200                         active    Et0/2


Deploy router-on-a-stick:

SW4

interface Ethernet0/0
  switchport trunk encapsulation dot1q
  switchport mode trunk


R3(config)#interface e0/0
R3(config-if)#no shutdown

R3(config-if)#interface e0/0.100
R3(config-subif)#encapsulation dot1q 100
R3(config-subif)#ip address 10.2.100.254 255.255.255.0
R3(config-subif)#interface e0/0.200                  
R3(config-subif)#encapsulation dot1q 200             
R3(config-subif)#ip address 10.2.200.254 255.255.255.0


Configure the leased line to the ISP:

R3(config)#interface e0/1
R3(config-if)#ip address 61.128.1.1 255.255.255.0
R3(config-if)#no shutdown

R3(config)#ip route 0.0.0.0 0.0.0.0 e0/1 61.128.1.254

Verification:

R3#ping 61.128.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.128.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms


Deploy NAT at the branch office

R3(config)#interface e0/1
R3(config-if)#ip nat outside

R3(config-if)#interface e0/0.100
R3(config-subif)#ip nat inside
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip nat inside

R3(config)#ip access-list standard nat
R3(config-std-nacl)#permit 10.2.0.0 0.0.255.255
R3(config-std-nacl)#exit

R3(config)#ip nat inside source list nat interface e0/1 overload


Deploy the GRE tunnels between headquarters and the branch office:

R1

interface Tunnel10
  ip address 172.16.1.1 255.255.255.0
  ip mtu 1400
  tunnel source Dialer1
  tunnel destination 61.128.1.1

interface Tunnel20
  ip address 172.16.2.1 255.255.255.0
  ip mtu 1400
  tunnel source Serial1/0
  tunnel destination 61.128.1.1


R3

interface Tunnel10
  ip address 172.16.1.2 255.255.255.0
  ip mtu 1400
  tunnel source Ethernet0/1
  tunnel destination 123.45.67.1

interface Tunnel20
  ip address 172.16.2.2 255.255.255.0
  ip mtu 1400
  tunnel source Ethernet0/1
  tunnel destination 202.100.1.1


Verification:

R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms


Complete the OSPF deployment between headquarters and the branch so that the private networks are mutually reachable

R1(config)#interface tunnel 10
R1(config-if)#ip ospf 110 area 0
R1(config-if)#interface tunnel 20
R1(config-if)#ip ospf 110 area 0


R3(config)#interface tunnel 10
R3(config-if)#ip ospf 110 area 0
R3(config-if)#interface tunnel 20
R3(config-if)#ip ospf 110 area 0
R3(config-if)#interface e0/0.100
R3(config-subif)#ip ospf 110 area 0
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip ospf 110 area 0
R3(config-subif)#router ospf 110
R3(config-router)#passive-interface e0/0.100
R3(config-router)#passive-interface e0/0.200


Verification:

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
61.128.1.1        0   FULL/  -        00:00:31    172.16.2.2      Tunnel20
61.128.1.1        0   FULL/  -        00:00:36    172.16.1.2      Tunnel10
10.1.255.22       1   FULL/DR         00:00:30    10.1.12.2       Ethernet0/2
10.1.255.11       1   FULL/BDR        00:00:33    10.1.11.2       Ethernet0/1


R1#show ip route ospf | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O        10.1.100.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                        [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.101.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                        [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.112.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                        [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.200.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                        [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.2.100.0/24 [110/1010] via 172.16.2.2, 00:03:32, Tunnel20
                        [110/1010] via 172.16.1.2, 00:03:42, Tunnel10
O        10.2.200.0/24 [110/1010] via 172.16.2.2, 00:03:32, Tunnel20
                        [110/1010] via 172.16.1.2, 00:03:42, Tunnel10


Add DHCP configuration at headquarters to provide DHCP service to the branch office:

Here R1 is the DHCP server and R3 is the DHCP relay agent.

Assign Server2 the fixed IP address 10.2.200.100/24.

R1(config)#ip dhcp pool Branch100
R1(dhcp-config)#network 10.2.100.0 /24
R1(dhcp-config)#default-router 10.2.100.254
R1(dhcp-config)#ip dhcp pool Branch200    
R1(dhcp-config)#host 10.2.200.100 /24

R1(dhcp-config)#default-router 10.2.200.254
R1(dhcp-config)#client-identifier 01aabb.cc00.c000

R3(config)#interface e0/0.100
R3(config-subif)#ip helper-address 10.1.255.1
R3(config-subif)#interface e0/0.200         
R3(config-subif)#ip helper-address 10.1.255.1

PC3(config)#interface e0/0
PC3(config-if)#ip address dhcp

Server2(config)#interface e0/0
Server2(config-if)#ip address dhcp client-id e0/0

*Oct 23 06:00:23.560: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.2.200.100, mask 255.255.255.0, hostname Server2


Test branch office connectivity to the Internet:

PC3#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Verify NAT:

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 61.128.1.1:0      10.2.100.1:0       1.2.3.4:0          1.2.3.4:0


Deploy the access control policies:

The HQ-Branch policy blocks hosts in the 10.1.101.0/24 VLAN (PC2) from reaching Server2 (10.2.200.100); the Branch-HQ policy allows branch VLAN 100 (PC3) to reach Server1 (10.1.200.100) on HTTP only. Both are extended ACLs applied inbound on the user-facing interfaces, and the first matching entry wins, so the permit for HTTP must come before the deny.

R1(config)#ip access-list extended HQ-Branch
R1(config-ext-nacl)#deny ip 10.1.101.0 0.0.0.255 host 10.2.200.100
R1(config-ext-nacl)#permit ip any any

R1(config)#interface e0/1
R1(config-if)#ip access-group HQ-Branch in
R1(config-if)#interface e0/2
R1(config-if)#ip access-group HQ-Branch in


R3(config)#ip access-list extended Branch-HQ
R3(config-ext-nacl)#permit tcp 10.2.100.0 0.0.0.255 host 10.1.200.100 eq www
R3(config-ext-nacl)#deny ip 10.2.100.0 0.0.0.255 host 10.1.200.100
R3(config-ext-nacl)#permit ip any any

R3(config)#interface e0/0.100
R3(config-subif)#ip access-group Branch-HQ in
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip access-group Branch-HQ in
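To see why entry order matters, here is an added Python example (not part of the original lab or IOS) that evaluates the two ACLs with Cisco first-match semantics; the evaluator, the mis-ordered variant and the host addresses (taken from the NAT tables earlier on this page) are assumptions.

```python
import ipaddress

# Added example (not IOS code): a first-match evaluator for Cisco-style
# extended ACLs, used to check the two policies on this page offline.
ANY = ("0.0.0.0", "255.255.255.255")   # the IOS "any" keyword as net/wildcard
def host(ip):                           # the IOS "host" keyword
    return (ip, "0.0.0.0")

def in_wildcard(addr, net, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    # wildcard bit 1 = don't care; only the bits set to 0 must match
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def evaluate(acl, proto, src, dst, dport=None):
    """Action of the first matching ACE; implicit deny if nothing matches."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (in_wildcard(src, *asrc) and in_wildcard(dst, *adst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

# Branch-HQ as intended: branch VLAN 100 may reach Server1 only on HTTP
BRANCH_HQ = [
    ("permit", "tcp", ("10.2.100.0", "0.0.0.255"), host("10.1.200.100"), 80),
    ("deny",   "ip",  ("10.2.100.0", "0.0.0.255"), host("10.1.200.100"), None),
    ("permit", "ip",  ANY, ANY, None),
]
# Same entries with the deny typed before the permit: HTTP can never match
BRANCH_HQ_MISORDERED = [BRANCH_HQ[1], BRANCH_HQ[0], BRANCH_HQ[2]]
# HQ-Branch: the 10.1.101.0/24 VLAN (PC2) is cut off from Server2
HQ_BRANCH = [
    ("deny",   "ip", ("10.1.101.0", "0.0.0.255"), host("10.2.200.100"), None),
    ("permit", "ip", ANY, ANY, None),
]

def check_page_tests():
    # replays the page's ping/HTTP tests; host addresses taken from its NAT tables
    return {
        "pc3_http_server1":    evaluate(BRANCH_HQ, "tcp", "10.2.100.1", "10.1.200.100", 80),
        "pc3_ping_server1":    evaluate(BRANCH_HQ, "icmp", "10.2.100.1", "10.1.200.100"),
        "pc3_http_misordered": evaluate(BRANCH_HQ_MISORDERED, "tcp", "10.2.100.1", "10.1.200.100", 80),
        "pc1_ping_server2":    evaluate(HQ_BRANCH, "icmp", "10.1.100.1", "10.2.200.100"),
        "pc2_ping_server2":    evaluate(HQ_BRANCH, "icmp", "10.1.101.1", "10.2.200.100"),
    }
```

The mis-ordered variant shows what happens if the deny is typed first: the HTTP permit is shadowed and the telnet-to-port-80 test below would fail.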

Enable the web service on Server1 for testing:

Server1(config)#ip http server


Test the access control policies:

PC1#ping 10.2.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.200.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms

PC2#ping 10.2.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.200.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

PC3#ping 10.1.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)


PC3#telnet 10.1.200.100 80
Trying 10.1.200.100, 80 ... Open
/get
HTTP/1.1 400 Bad Request
Date: Tue, 23 Oct 2018 06:29:47 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 10.1.200.100 closed by foreign host]
PC3#

Thank you all. I am Da Shu (達叔), CCIE instructor at Qianyitang (乾頤堂). I hope this helps you on your path to technical advancement.
