Configuring DHCP and PPP CHAP

- Step 1: Build the topology
- Step 2: Divide the VLANs and configure MSTP properly
- Step 3: Configure IP addresses and VRRP
- Step 4: Configure DHCP
- Step 5: Configure CHAP on AR2 and AR6
- Step 6: Configure OSPF and NAT
- Step 7: Configure Telnet
- Step 8: Configure an advanced ACL so that only PC5 can telnet to AR1
Lab requirements:
1. Assign IP addresses sensibly.
2. Plan the VLANs as shown in the diagram: PC1/PC2/PC3 belong to VLAN 103, AR1 belongs to VLAN 101.
3. Configure MSTP, Eth-Trunk and VRRP properly so that the network has the best possible availability.
4. Configure a dynamic routing protocol so that the whole network is reachable; private addresses must not appear in the ISP. Requirement: AR3 must not be configured with any routes.
5. Configure PC5 as the DHCP server; every PC must obtain its address automatically through DHCP.
6. The link between AR2 and AR6 must use CHAP authentication.
7. Configure Telnet on AR1 so that PC5 can log in to AR1 with admin1/admin1 for remote management.
8. Only PC5 may telnet to AR1; no other device may telnet to AR1. In addition, PC5 must not be able to ping AR1, while everything else is unaffected.
Step 1: Build the topology
Step 2: Divide the VLANs and configure MSTP properly
[LSW1]vlan b 10 101 103
[LSW1]interface Eth-Trunk1
[LSW1-Eth-Trunk1]trunkport g 0/0/1 0/0/2
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 101 103
[LSW1-Eth-Trunk1]interface GigabitEthernet0/0/3
[LSW1-GigabitEthernet0/0/3] port link-type trunk
[LSW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 103
[LSW1-GigabitEthernet0/0/3]interface GigabitEthernet0/0/4
[LSW1-GigabitEthernet0/0/4] port link-type trunk
[LSW1-GigabitEthernet0/0/4] port trunk allow-pass vlan 101 103
[LSW1-GigabitEthernet0/0/4]interface GigabitEthernet0/0/5
[LSW1-GigabitEthernet0/0/5] port link-type access
[LSW1-GigabitEthernet0/0/5] port default vlan 10
[LSW1-GigabitEthernet0/0/5] quit
[LSW1]stp region-configuration //configure MSTP
[LSW1-mst-region] region-name cake
[LSW1-mst-region] revision-level 18
[LSW1-mst-region] instance 1 vlan 101
[LSW1-mst-region] instance 2 vlan 103
[LSW1-mst-region] active region-configuration
[LSW1-mst-region]quit
[LSW1]stp instance 1 root primary
[LSW1]stp instance 2 root secondary
The command used here is:
display current-configuration | begin int
[LSW2]vlan b 20 101 103
[LSW2]interface Eth-Trunk1
[LSW2-Eth-Trunk1]trunkport g 0/0/1 0/0/2
[LSW2-Eth-Trunk1] port link-type trunk
[LSW2-Eth-Trunk1] port trunk allow-pass vlan 101 103
[LSW2-Eth-Trunk1]interface GigabitEthernet0/0/3
[LSW2-GigabitEthernet0/0/3] port link-type trunk
[LSW2-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 103
[LSW2-GigabitEthernet0/0/3]interface GigabitEthernet0/0/4
[LSW2-GigabitEthernet0/0/4] port link-type trunk
[LSW2-GigabitEthernet0/0/4] port trunk allow-pass vlan 101 103
[LSW2-GigabitEthernet0/0/4]interface GigabitEthernet0/0/5
[LSW2-GigabitEthernet0/0/5] port link-type access
[LSW2-GigabitEthernet0/0/5] port default vlan 20
[LSW2-GigabitEthernet0/0/5]q
[LSW2]stp region-configuration //configure MSTP
[LSW2-mst-region] region-name cake
[LSW2-mst-region] revision-level 18
[LSW2-mst-region] instance 1 vlan 101
[LSW2-mst-region] instance 2 vlan 103
[LSW2-mst-region] active region-configuration
[LSW2-mst-region]quit
[LSW2]stp instance 2 root primary
[LSW2]stp instance 1 root secondary
[LSW3]vlan b 101 103
[LSW3]interface GigabitEthernet0/0/1
[LSW3-GigabitEthernet0/0/1] port link-type trunk
[LSW3-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 103
[LSW3-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[LSW3-GigabitEthernet0/0/2] port link-type trunk
[LSW3-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 103
[LSW3-GigabitEthernet0/0/2]interface GigabitEthernet0/0/3
[LSW3-GigabitEthernet0/0/3] port link-type access
[LSW3-GigabitEthernet0/0/3] port default vlan 101
[LSW3-GigabitEthernet0/0/3]interface GigabitEthernet0/0/4
[LSW3-GigabitEthernet0/0/4] port link-type access
[LSW3-GigabitEthernet0/0/4] port default vlan 103
[LSW3-GigabitEthernet0/0/4]quit
[LSW3]stp region-configuration //configure MSTP
[LSW3-mst-region] region-name cake
[LSW3-mst-region] revision-level 18
[LSW3-mst-region] instance 1 vlan 101
[LSW3-mst-region] instance 2 vlan 103
[LSW3-mst-region] active region-configuration
[LSW3-mst-region]quit
[LSW4]vlan b 101 103
[LSW4]interface GigabitEthernet0/0/1
[LSW4-GigabitEthernet0/0/1] port link-type trunk
[LSW4-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 103
[LSW4-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[LSW4-GigabitEthernet0/0/2] port link-type trunk
[LSW4-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 103
[LSW4-GigabitEthernet0/0/2]interface GigabitEthernet0/0/3
[LSW4-GigabitEthernet0/0/3] port link-type access
[LSW4-GigabitEthernet0/0/3] port default vlan 103
[LSW4-GigabitEthernet0/0/3]interface GigabitEthernet0/0/4
[LSW4-GigabitEthernet0/0/4] port link-type access
[LSW4-GigabitEthernet0/0/4] port default vlan 103
[LSW4-GigabitEthernet0/0/4]quit
[LSW4]stp region-configuration //configure MSTP
[LSW4-mst-region] region-name cake
[LSW4-mst-region] revision-level 18
[LSW4-mst-region] instance 1 vlan 101
[LSW4-mst-region] instance 2 vlan 103
[LSW4-mst-region] active region-configuration
Step 3: Configure IP addresses and VRRP
[LSW1]interface Vlanif10
[LSW1-Vlanif10] ip address 192.168.10.5 255.255.255.0 //this IP must be in the same subnet as the peer (AR2's G0/0/0 interface)
[LSW1-Vlanif10] interface Vlanif101
[LSW1-Vlanif101] ip address 192.168.101.252 255.255.255.0
[LSW1-Vlanif101] vrrp vrid 101 virtual-ip 192.168.101.254
[LSW1-Vlanif101] vrrp vrid 101 priority 105 //set the priority of VRRP VRID 101 to 105 (default 100) so that LSW1 becomes the master for VRID 101
[LSW1-Vlanif101]interface Vlanif103
[LSW1-Vlanif103] ip address 192.168.103.252 255.255.255.0
[LSW1-Vlanif103] vrrp vrid 103 virtual-ip 192.168.103.254
[LSW2]interface Vlanif20
[LSW2-Vlanif20] ip address 192.168.20.5 255.255.255.0 //this IP must be in the same subnet as the peer (AR2's G0/0/1 interface)
[LSW2-Vlanif20]interface Vlanif101
[LSW2-Vlanif101] ip address 192.168.101.253 255.255.255.0
[LSW2-Vlanif101] vrrp vrid 101 virtual-ip 192.168.101.254
[LSW2-Vlanif101]interface Vlanif103
[LSW2-Vlanif103] ip address 192.168.103.253 255.255.255.0
[LSW2-Vlanif103] vrrp vrid 103 virtual-ip 192.168.103.254
[LSW2-Vlanif103] vrrp vrid 103 priority 105 //set the priority of VRRP VRID 103 to 105 (default 100) so that LSW2 becomes the master for VRID 103
Check the configuration
[AR2]interface GigabitEthernet0/0/0
[AR2-GigabitEthernet0/0/0] ip address 192.168.10.2 255.255.255.0
[AR2-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[AR2-GigabitEthernet0/0/1] ip address 192.168.20.2 255.255.255.0
[AR2-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[AR2-GigabitEthernet0/0/2] ip address 101.1.1.2 255.255.255.0
[AR3]interface GigabitEthernet0/0/0
[AR3-GigabitEthernet0/0/0] ip address 101.1.1.3 255.255.255.0
[AR3-GigabitEthernet0/0/0]interface LoopBack1
[AR3-LoopBack1] ip address 8.8.8.8 255.255.255.255
Step 4: Configure DHCP
[PC5]dhcp en
[PC5]ip route-static 0.0.0.0 0.0.0.0 192.168.103.254 //default route pointing at the gateway
[PC5]ip pool VLAN101 //create the IP address pool VLAN101
[PC5-ip-pool-VLAN101]gateway-list 192.168.101.254 //gateway handed out by DHCP is 192.168.101.254
[PC5-ip-pool-VLAN101]network 192.168.101.0 mask 255.255.255.0 //DHCP assigns addresses from the 192.168.101.0 subnet
[PC5-ip-pool-VLAN101] excluded-ip-address 192.168.101.252 192.168.101.253 //exclude 192.168.101.252 to 192.168.101.253: LSW1 and LSW2 already use these two addresses, and if they are not excluded the PCs may be given conflicting addresses
[PC5-ip-pool-VLAN101]q
[PC5]ip pool VLAN103
[PC5-ip-pool-VLAN103]gateway-list 192.168.103.254
[PC5-ip-pool-VLAN103]network 192.168.103.0 mask 255.255.255.0
[PC5-ip-pool-VLAN103]excluded-ip-address 192.168.103.252 192.168.103.253
[PC5-ip-pool-VLAN103]q
[PC5]interface GigabitEthernet0/0/0
[PC5-GigabitEthernet0/0/0]ip address 192.168.103.5 255.255.255.0 //the server must have an address of its own before it can hand out addresses
[PC5-GigabitEthernet0/0/0]dhcp select global //use the global DHCP address pools
So that AR1 can obtain an address from PC5, configure a DHCP relay on the VLAN 101 interfaces of LSW1 and LSW2:
[LSW1]dhcp enable
[LSW1-Vlanif101] dhcp select relay
[LSW1-Vlanif101] dhcp relay server-ip 192.168.103.5
[LSW2]dhcp enable
[LSW2-Vlanif101] dhcp select relay
[LSW2-Vlanif101] dhcp relay server-ip 192.168.103.5
Now check whether the PCs have obtained IP addresses.
If they have, the DHCP configuration should be fine.
[AR1]dhcp enable
[AR1]interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0] ip address dhcp-alloc
[AR6]interface GigabitEthernet0/0/0
[AR6-GigabitEthernet0/0/0] ip address 172.16.16.254 255.255.255.0
[AR6-GigabitEthernet0/0/0] dhcp select interface //assign addresses from the interface: the gateway is the interface IP and the subnet is the interface's subnet
[AR6-GigabitEthernet0/0/0] dhcp server static-bind ip-address 172.16.16.16 mac-address 5489-986f-4cba //static DHCP binding: IP address 172.16.16.16 is reserved for MAC address 5489-986f-4cba
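The three pools above rely on three pool options: the gateway, excluded-ip-address, and a static MAC binding. The following small allocator is an added example (not the lab's own code and not VRP's implementation) that models how those options affect which address a client is offered; the pool values are the ones from the configuration above, and the client MAC addresses other than 5489-986f-4cba are constructed.

```python
"""Toy DHCP pool allocator modelling network/mask, gateway-list,
excluded-ip-address and dhcp server static-bind as used in the lab."""
import ipaddress
from typing import Dict, Optional, Set

IPv4 = ipaddress.IPv4Address


class DhcpPool:
    """One 'ip pool' (or one 'dhcp select interface' pool)."""

    def __init__(self, network: str, gateway: str):
        self.network = ipaddress.ip_network(network)
        self.gateway = ipaddress.ip_address(gateway)
        self.excluded: Set[IPv4] = set()
        self.static: Dict[str, IPv4] = {}   # mac -> ip reserved by static-bind
        self.leases: Dict[str, IPv4] = {}   # mac -> ip currently leased

    def exclude(self, first: str, last: Optional[str] = None) -> None:
        """excluded-ip-address first [last]: addresses other devices already use
        (here the real addresses of LSW1/LSW2) must never be offered, otherwise a
        client would end up with a duplicate address."""
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        for n in range(int(lo), int(hi) + 1):
            self.excluded.add(ipaddress.ip_address(n))

    def static_bind(self, ip: str, mac: str) -> None:
        """dhcp server static-bind ip-address <ip> mac-address <mac>."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.network:
            raise ValueError(f"{ip} is outside {self.network}")
        self.static[mac.lower()] = addr

    def _in_use(self) -> Set[IPv4]:
        return set(self.leases.values()) | set(self.static.values())

    def allocate(self, mac: str) -> Optional[IPv4]:
        """Offer an address: existing lease first, then a static binding,
        then the first free usable address. None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.leases:
            return self.leases[mac]
        if mac in self.static:
            self.leases[mac] = self.static[mac]
            return self.leases[mac]
        in_use = self._in_use()
        for host in self.network.hosts():   # hosts() skips network and broadcast
            if host == self.gateway or host in self.excluded or host in in_use:
                continue
            self.leases[mac] = host
            return host
        return None


def lab_pools() -> Dict[str, DhcpPool]:
    """The pools from the lab, built with the values of the configuration above."""
    vlan101 = DhcpPool("192.168.101.0/24", "192.168.101.254")
    vlan101.exclude("192.168.101.252", "192.168.101.253")
    vlan103 = DhcpPool("192.168.103.0/24", "192.168.103.254")
    vlan103.exclude("192.168.103.252", "192.168.103.253")
    ar6_lan = DhcpPool("172.16.16.0/24", "172.16.16.254")   # dhcp select interface on AR6
    ar6_lan.static_bind("172.16.16.16", "5489-986f-4cba")
    return {"VLAN101": vlan101, "VLAN103": vlan103, "AR6": ar6_lan}


if __name__ == "__main__":
    pools = lab_pools()
    print(pools["VLAN101"].allocate("aa-aa-aa-aa-aa-01"))   # constructed client MAC
    print(pools["AR6"].allocate("5489-986f-4cba"))          # gets the reserved 172.16.16.16
```

The model only excludes what it is told to exclude: the lab's VLAN103 pool, for instance, does not list PC5's own 192.168.103.5, so after building a pool it is worth confirming with display ip pool which addresses your platform has reserved on its own.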
Step 5: Configure CHAP on AR2 and AR6
[AR2]aaa
[AR2-aaa] local-user admin1 password cipher admin1
[AR2-aaa] local-user admin1 service-type ppp
[AR2-aaa]q
[AR2]interface Serial4/0/0
[AR2-Serial4/0/0] link-protocol ppp
[AR2-Serial4/0/0] ppp chap user admin1 //the user must match the user in the peer's AAA; it is recommended to keep the AAA username and password identical on both sides
[AR2-Serial4/0/0] ppp chap password cipher admin1
[AR2-Serial4/0/0] ip address 10.26.26.1 255.255.255.252
[AR6]aaa
[AR6-aaa] local-user admin1 password cipher admin1
[AR6-aaa] local-user admin1 service-type ppp
[AR6-aaa]q
[AR6]interface Serial4/0/0
[AR6-Serial4/0/0] link-protocol ppp
[AR6-Serial4/0/0] ppp chap user admin1
[AR6-Serial4/0/0] ppp chap password cipher admin1
[AR6-Serial4/0/0] ip address 10.26.26.2 255.255.255.252
[AR6-Serial4/0/0]shutdown
[AR6-Serial4/0/0]undo shutdown
//to verify CHAP, shut the interface down and bring it back up; if both sides are still up after the shutdown / undo shutdown, the configuration succeeded
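What the shutdown / undo shutdown actually exercises is the CHAP three-way handshake from RFC 1994: the authenticator sends a Challenge, the peer answers with MD5(Identifier || secret || Challenge) and its Name, and the authenticator recomputes the hash from its own copy of the secret. The model below is an added example, not the lab's code or VRP's implementation; the two classes play the roles of AR2 and AR6, the local-user database holds admin1 / admin1 as in the configuration above, and the 16-byte challenge length is an assumption.

```python
"""Model of a PPP CHAP (MD5) exchange, RFC 1994 style."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed local-user database, mirroring "local-user admin1 password cipher admin1".
LOCAL_USERS: Dict[str, bytes] = {"admin1": b"admin1"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues the Challenge and checks the Response against its AAA users."""

    def __init__(self, users: Dict[str, bytes],
                 rng: Callable[[int], bytes] = secrets.token_bytes):
        self.users = users
        self.rng = rng
        self.identifier = 0
        self.outstanding: Optional[Tuple[int, bytes]] = None

    def send_challenge(self) -> Tuple[int, bytes]:
        """Challenge packet: a fresh Identifier and a random Value (16 bytes assumed)."""
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = self.rng(16)
        self.outstanding = (self.identifier, challenge)
        return self.identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the expected hash from the stored secret; compare in constant time."""
        if self.outstanding is None or self.outstanding[0] != identifier:
            return False            # stale Identifier: an old Response cannot be reused
        secret = self.users.get(name)
        if secret is None:
            return False            # Name not present in the local-user database
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None     # each Challenge can be answered only once
        return hmac.compare_digest(expected, response)


class Peer:
    """The side configured with 'ppp chap user <name>' / 'ppp chap password cipher <pw>'."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.secret = password.encode()

    def send_response(self, identifier: int, challenge: bytes) -> Tuple[int, str, bytes]:
        """Response packet: Identifier, hash Value and Name. The secret itself never leaves the peer."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator: Authenticator, peer: Peer) -> bool:
    """One Challenge -> Response -> Success/Failure round, i.e. what undo shutdown triggers."""
    ident, challenge = authenticator.send_challenge()
    ident, name, response = peer.send_response(ident, challenge)
    return authenticator.verify(ident, name, response)


if __name__ == "__main__":
    ar2 = Authenticator(LOCAL_USERS)
    print("AR6 with admin1/admin1:", run_chap(ar2, Peer("admin1", "admin1")))   # True
    print("AR6 with wrong password:", run_chap(ar2, Peer("admin1", "admin2")))  # False
```

Because the hash covers a random Challenge that is accepted only once, a captured Response is useless against the next Challenge, which is why CHAP is preferred to PAP on this link; the lab's advice to keep the username and password identical on both sides simply reflects that each router authenticates the other with the same pair.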
Step 6: Configure OSPF and NAT
[LSW1]ospf 10
[LSW1-ospf-10] silent-interface Vlanif101
[LSW1-ospf-10] silent-interface Vlanif103
[LSW1-ospf-10] area 0.0.0.0
[LSW1-ospf-10-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.0] network 192.168.101.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.0] network 192.168.103.0 0.0.0.255
[LSW2]ospf 10
[LSW2-ospf-10] silent-interface Vlanif101
[LSW2-ospf-10] silent-interface Vlanif103
[LSW2-ospf-10] area 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.0] network 192.168.101.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.0] network 192.168.103.0 0.0.0.255
[AR2]ip route-static 0.0.0.0 0.0.0.0 101.1.1.3 //default route toward the external network
//start configuring NAT
[AR2]acl 2000 //enter ACL 2000
[AR2-acl-basic-2000]rule permit source 192.168.20.0 0.0.0.255
//permit hosts in the 192.168.20.0/24 subnet
[AR2-acl-basic-2000]rule permit source 192.168.10.0 0.0.0.255
//permit hosts in the 192.168.10.0/24 subnet
[AR2-acl-basic-2000]rule permit source 192.168.101.0 0.0.0.255
//permit hosts in the 192.168.101.0/24 subnet
[AR2-acl-basic-2000]rule permit source 192.168.103.0 0.0.0.255
//permit hosts in the 192.168.103.0/24 subnet
[AR2-acl-basic-2000]interface g 0/0/2
[AR2-GigabitEthernet0/0/2]nat outbound 2000
//on interface G0/0/2, translate the private source addresses permitted by ACL 2000 to this interface's IP address
[AR2-GigabitEthernet0/0/2]q
[AR2]ospf 10
[AR2-ospf-10] default-route-advertise always //advertise the default route
[AR2-ospf-10] area 0.0.0.0
[AR2-ospf-10-area-0.0.0.0] network 10.26.26.0 0.0.0.3
[AR2-ospf-10-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[AR2-ospf-10-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[AR6]ospf 10
[AR6-ospf-10] area 0.0.0.0
[AR6-ospf-10-area-0.0.0.0] network 10.26.26.0 0.0.0.3
[AR6-ospf-10-area-0.0.0.0] network 172.16.16.0 0.0.0.255
Check the OSPF adjacencies
Test end-to-end connectivity (only one screenshot is shown here; check more thoroughly yourself)
Test whether the IP addresses are being translated
Step 7: Configure Telnet
[AR1]aaa
[AR1-aaa] local-user admin1 password cipher admin1
[AR1-aaa] local-user admin1 privilege level 3
[AR1-aaa] local-user admin1 service-type telnet
[AR1-aaa]q
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4] authentication-mode aaa
After the configuration, test whether other routers can log in to AR1.
Step 8: Configure an advanced ACL so that only PC5 can telnet to AR1
[AR1]acl 3000
[AR1-acl-adv-3000] rule permit tcp source 192.168.103.5 0 destination-port eq telnet //allow the host with source IP 192.168.103.5 to telnet
[AR1-acl-adv-3000] rule deny icmp source 192.168.103.5 0 destination 192.168.101.251 0 //do not allow source IP 192.168.103.5 to ping destination IP 192.168.101.251
[AR1-acl-adv-3000] rule deny tcp destination-port eq telnet //apart from the IP permitted above, no other IP may telnet
[AR1-acl-adv-3000]q
[AR1]interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0] traffic-filter inbound acl 3000
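Both ACLs in this lab, ACL 2000 selecting traffic for nat outbound on AR2 (Step 6) and ACL 3000 applied with traffic-filter inbound on AR1 (this step), depend on rule order: the first matching rule decides. The following model is an added example, not the lab's code or VRP's implementation; it assumes first-match evaluation in configuration order, that a packet matching no rule of the traffic-filter is forwarded, and that NAT leaves unmatched packets untranslated. The rules are copied from the configuration above and the sample packets are constructed.

```python
"""First-match evaluation of the lab's basic ACL 2000 (NAT) and advanced ACL 3000 (filter)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None = any protocol (a basic ACL matches on source only)
    src: Optional[str] = None        # CIDR, None = any
    dst: Optional[str] = None
    dport: Optional[int] = None      # destination-port eq <n>

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def cidr(address: str, wildcard: str) -> str:
    """Convert VRP '<address> <wildcard>' notation to CIDR ('0' means a single host)."""
    wc = 0 if wildcard == "0" else int(ipaddress.ip_address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError("only contiguous wildcards are modelled")
    return f"{address}/{32 - host_bits}"


# acl 2000 on AR2: the private subnets that 'nat outbound 2000' may translate.
ACL_2000: List[Rule] = [
    Rule("permit", src=cidr("192.168.20.0", "0.0.0.255")),
    Rule("permit", src=cidr("192.168.10.0", "0.0.0.255")),
    Rule("permit", src=cidr("192.168.101.0", "0.0.0.255")),
    Rule("permit", src=cidr("192.168.103.0", "0.0.0.255")),
]

# acl 3000 on AR1, applied inbound on G0/0/0; 192.168.101.251 is the AR1 address used in the lab's deny rule.
ACL_3000: List[Rule] = [
    Rule("permit", proto="tcp", src=cidr("192.168.103.5", "0"), dport=23),
    Rule("deny", proto="icmp", src=cidr("192.168.103.5", "0"), dst=cidr("192.168.101.251", "0")),
    Rule("deny", proto="tcp", dport=23),
]


def evaluate(acl: List[Rule], p: Packet, default: str) -> str:
    """Rules are tried in configuration order; the first match decides."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


def traffic_filter_inbound(p: Packet) -> str:
    """AR1's filter; assumption: a packet matching no rule is forwarded (default permit)."""
    return evaluate(ACL_3000, p, default="permit")


def nat_outbound(p: Packet, interface_ip: str = "101.1.1.2") -> Packet:
    """AR2 G0/0/2: sources permitted by ACL 2000 leave with the interface address
    (port rewriting is not modelled); unmatched packets are sent unchanged."""
    if evaluate(ACL_2000, p, default="deny") == "permit":
        return replace(p, src=interface_ip)
    return p


if __name__ == "__main__":
    # Constructed sample traffic arriving at AR1 from the VLAN 103 side.
    for pkt in [Packet("tcp", "192.168.103.5", "192.168.101.251", 23),
                Packet("icmp", "192.168.103.5", "192.168.101.251"),
                Packet("tcp", "192.168.103.1", "192.168.101.251", 23),
                Packet("icmp", "192.168.103.1", "192.168.101.251")]:
        print(pkt, "->", traffic_filter_inbound(pkt))
    print(nat_outbound(Packet("tcp", "172.16.16.16", "8.8.8.8", 80)))  # unchanged: not in ACL 2000
```

Two things the model makes visible. In ACL 3000 the permit for 192.168.103.5 must precede the general deny tcp telnet rule; swapping them would block PC5 as well, since the deny would match first. And ACL 2000 as written lists only the four switch-side subnets, so traffic sourced from 172.16.16.0/24 behind AR6 or from the 10.26.26.0/30 serial link is not translated and would reach the ISP with a private source address; if those hosts are expected to reach AR3, the ACL needs corresponding rules.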
After a successful configuration the result should look like the figure below:
The lab is complete.
If anything is missing or wrong, please point it out. Thank you.