一、IP 地址规划
| 设备 | 接口 | IP 地址 / 掩码 | 备注 |
|---|---|---|---|
| AR3 | GE0/0/2 | 33.47.33.254/24 | 连接 Client3 |
| AR3 | GE0/0/0 | 1.47.1.2/30 | 连接 AR4 |
| AR3 | GE0/0/1 | 13.47.13.9/29 | 连接 AR1 |
| AR4 | GE0/0/0 | 1.47.1.1/30 | 连接 AR3 |
| AR4 | GE0/0/2 | 44.47.44.254/24 | 连接 DNS-Server |
| AR4 | GE0/0/1 | 24.47.24.2/29 | 连接 AR2 |
| AR1 | GE0/0/0 | 13.47.13.10/29 | 连接 AR3 |
| AR1 | GE0/0/1 | 192.168.47.254/24 | 白云校区内网 |
| AR1 | GE0/0/2 | 172.16.47.1/24 | PC1 网段(禁止上网) |
| AR1 | E1/0/0 | 10.10.47.1/24 | Client1 网段 |
| AR2 | GE0/0/0 | 24.47.24.1/29 | 连接 AR4 |
| AR2 | E1/0/1 | 10.30.47.1/30 | 连接 AR5 |
| AR2 | E1/0/0 | 172.18.47.1/24 | Web-Server2 网段 |
| AR2 | GE0/0/1 | 10.20.47.1/24 | Client2 网段 |
| AR2 | GE0/0/2 | 172.17.47.1/24 | PC2 网段(禁止上网) |
| AR5 | GE0/0/0 | 10.30.47.2/30 | 连接 AR2 |
| AR5 | GE0/0/1 | 10.40.47.254/24 | PC3 网段 |
公网 NAT Server 映射:
- Web-Server1:公网 IP
13.47.13.11/29→ 内网192.168.47.100/24 - Web-Server2:公网 IP
24.47.24.3/29→ 内网172.18.47.254/24
二、所有路由器接口 IP 配置(PC 自动获取除外)
1. AR3 配置
sysname AR3 # interface GigabitEthernet 0/0/2 ip address 33.47.33.254 255.255.255.0 # interface GigabitEthernet 0/0/0 ip address 1.47.1.2 255.255.255.252 # interface GigabitEthernet 0/0/1 ip address 13.47.13.9 255.255.255.248 #2. AR4 配置
sysname AR4 # interface GigabitEthernet 0/0/0 ip address 1.47.1.1 255.255.255.252 # interface GigabitEthernet 0/0/2 ip address 44.47.44.254 255.255.255.0 # interface GigabitEthernet 0/0/1 ip address 24.47.24.2 255.255.255.248 #3. AR1 配置
sysname AR1 # interface GigabitEthernet 0/0/0 ip address 13.47.13.10 255.255.255.248 # interface GigabitEthernet 0/0/1 ip address 192.168.47.254 255.255.255.0 # interface GigabitEthernet 0/0/2 ip address 172.16.47.1 255.255.255.0 # interface Ethernet 1/0/0 ip address 10.10.47.1 255.255.255.0 #4. AR2 配置
sysname AR2 # interface GigabitEthernet 0/0/0 ip address 24.47.24.1 255.255.255.248 # interface Ethernet 1/0/1 ip address 10.30.47.1 255.255.255.252 # interface Ethernet 1/0/0 ip address 172.18.47.1 255.255.255.0 # interface GigabitEthernet 0/0/1 ip address 10.20.47.1 255.255.255.0 # interface GigabitEthernet 0/0/2 ip address 172.17.47.1 255.255.255.0 #5. AR5 配置
sysname AR5 # interface GigabitEthernet 0/0/0 ip address 10.30.47.2 255.255.255.252 # interface GigabitEthernet 0/0/1 ip address 10.40.47.254 255.255.255.0 #配置完后先测试直连链路 ping 通。
三、AR2 & AR5 静态路由(天河校区互通)
AR2 配置
# 去往PC3网段的路由 ip route-static 10.40.47.0 255.255.255.0 10.30.47.2AR5 配置
# 默认路由回AR2 ip route-static 0.0.0.0 0.0.0.0 10.30.47.1四、DHCP 配置(PC1/PC2/PC3 自动获取)
1. AR1:接口 DHCP 给 PC1(172.16.47.0/24)
sysname AR1 # dhcp enable # interface GigabitEthernet 0/0/2 dhcp select interface dhcp server dns-list 44.47.44.1 dhcp server lease day 3 hour 0 minute 0 dhcp server excluded-ip-address 172.16.47.1 #2. AR2:全局 DHCP 给 PC2(172.17.47.0/24)
sysname AR2 # dhcp enable # ip pool pc2_pool gateway-list 172.17.47.1 network 172.17.47.0 mask 255.255.255.0 dns-list 44.47.44.1 lease day 3 hour 0 minute 0 excluded-ip-address 172.17.47.1 # interface GigabitEthernet 0/0/2 dhcp select global #3. AR2+AR5:DHCP 中继给 PC3(10.40.47.0/24)
AR2 配置(全局地址池 + 中继服务器)
sysname AR2 # dhcp enable # ip pool pc3_pool gateway-list 10.40.47.254 network 10.40.47.0 mask 255.255.255.0 dns-list 44.47.44.1 lease day 3 hour 0 minute 0 excluded-ip-address 10.40.47.254 # interface Ethernet 1/0/1 dhcp select global nat server global 24.47.24.3 inside 172.18.47.254 #AR5 配置(DHCP 中继客户端)
sysname AR5 # dhcp enable # interface GigabitEthernet 0/0/1 dhcp select relay dhcp relay server-ip 10.30.47.1 // 指向AR2 #五、NAPT 配置(内网用户上网,排除 PC1/PC2 网段)
1. AR1 NAPT(白云校区,除 172.16.47.0/24 外可上网)
sysname AR1 # acl number 2000 rule deny source 172.16.47.0 0.0.0.255 // 禁止PC1网段 rule permit source 10.10.47.0 0.0.0.255 rule permit source 192.168.47.0 0.0.0.255 # nat address-group 1 13.47.13.12 13.47.13.14 # interface GigabitEthernet 0/0/0 nat outbound 2000 address-group 1 no-pat #2. AR2 NAPT(天河校区,除 172.17.47.0/24 外可上网)
sysname AR2 # acl number 2000 rule deny source 172.17.47.0 0.0.0.255 // 禁止PC2网段 rule permit source 10.20.47.0 0.0.0.255 rule permit source 172.18.47.0 0.0.0.255 rule permit source 10.40.47.0 0.0.0.255 # nat address-group 1 24.47.24.4 24.47.24.6 # interface GigabitEthernet 0/0/0 nat outbound 2000 address-group 1 no-pat #六、因特网 OSPF 配置(所有公网设备宣告 Area 0)
AR3
ospf 1 router-id 3.3.3.3 area 0 network 1.47.1.0 0.0.0.3 network 13.47.13.8 0.0.0.7 network 33.47.33.0 0.0.0.255 #AR4
ospf 1 router-id 4.4.4.4 area 0 network 1.47.1.0 0.0.0.3 network 24.47.24.0 0.0.0.7 network 44.47.44.0 0.0.0.255 #AR1(宣告公网接口和回环,内网网段不用宣告,NAT 后上网)
ospf 1 router-id 1.1.1.1 area 0 network 13.47.13.8 0.0.0.7 #AR2
ospf 1 router-id 2.2.2.2 area 0 network 24.47.24.0 0.0.0.7 #七、NAT Server 配置(内外网访问 Web 服务)
1. AR1 NAT Server(Web-Server1)
sysname AR1 # interface GigabitEthernet 0/0/0 nat server protocol tcp global 13.47.13.11 www inside 192.168.47.100 www nat server protocol icmp global 13.47.13.11 inside 192.168.47.100 # // NAT回流(内网Client1用公网地址访问) interface Ethernet 1/0/0 nat server protocol tcp global 13.47.13.11 www inside 192.168.47.100 www nat server protocol icmp global 13.47.13.11 inside 192.168.47.100 #2. AR2 NAT Server(Web-Server2)
sysname AR2 # interface GigabitEthernet 0/0/0 nat server protocol tcp global 24.47.24.3 www inside 172.18.47.254 www nat server protocol icmp global 24.47.24.3 inside 172.18.47.254 # // NAT回流(内网Client2用公网地址访问) interface GigabitEthernet 0/0/1 nat server protocol tcp global 24.47.24.3 www inside 172.18.47.254 www nat server protocol icmp global 24.47.24.3 inside 172.18.47.254 #八、DNS-Server 配置(域名解析)
在 DNS-Server 上配置静态解析:
www1.gdgm.cn→13.47.13.11www2.gdgm.cn→24.47.24.3所有终端的 DNS 服务器地址设置为44.47.44.1。
九、测试步骤对应验证点
- PC1/PC2/PC3 自动获取 IP:在 PC 上
ipconfig查看,对应网段地址、网关、DNS 都正常。 - PC1/PC2 ping Client3:不通(被 NAT outbound 的 ACL deny)。
- Client1/Client2/PC3 ping 公网 IP(33.47.33.1、13.47.13.11、24.47.24.3):能通。
- Client3 ping
www1.gdgm.cn/www2.gdgm.cn:解析到公网 IP 并能 ping 通。 - 所有 Client 访问
http://www1.gdgm.cn/http://www2.gdgm.cn:能打开 Web 页面。
