Comprehensive Experimental configuration of ACL-NAT-VLAN-DHCP

Source: Internet
Author: User


Experiment topology: (diagram not reproduced here)

Objectives:
(1) Block pc3's Internet access without affecting the other hosts on the LAN.
(2) Allow all hosts on the LAN to access the Internet (only one public address is available).
(3) Let hosts on the LAN obtain their IP addresses automatically.
(4) r1 provides single-arm (router-on-a-stick) routing and DHCP to implement inter-vlan communication.
To meet these requirements: because only one public IP address is available, all hosts must reach the Internet through NAT. To stop pc3 from accessing the Internet, an ACL is needed; but since every host obtains its IP address from DHCP, the ACL cannot match pc3 by IP address (and even with a static address, pc3 could simply change it). VLANs solve this.
pc3 is placed alone in vlan2, and all of vlan2 is blocked. Blocking vlan2 blocks pc3, and pc3 stays blocked even if it changes its IP address, because it cannot leave the vlan.
Basic information configuration (omitted)
R1 (config) # in f0/0
R1 (config-if) # no ip add // the physical (main) interface itself carries no ip address
R1 (config-if) # no shut // the physical interface must be up; otherwise the subinterfaces cannot come up
R1 (config-if) # in f0/0.1 // enter the subinterface
R1 (config-subif) # encapsulation dot1Q 1 // The encapsulation type is dot1q and is used for vlan1
R1 (config-subif) # ip add 192.168.1.1 255.255.255.0 // configure an ip address, which is also the vlan gateway address
R1 (config-subif) # no shut // activate the subinterface
R1 (config-subif) # in f0/0.2
R1 (config-subif) # encapsulation dot1Q 2 // The encapsulation type is dot1q and is used for vlan2

R1 (config-subif) # ip add 192.168.2.1 255.255.255.0
R1 (config-subif) # no shut
R1 (config-subif) # in f0/0.3
R1 (config-subif) # encapsulation d 3 // The encapsulation type is dot1q and is used for vlan3
R1 (config-subif) # ip add 192.168.3.1 255.255.255.0
R1 (config-subif) # no shut
R1 (config-subif) # exi
R1 (config) # ip dhcp pool v1 // create an ip address pool named v1
R1 (dhcp-config) # network 192.168.1.0/24 // ip address pool to be allocated
R1 (dhcp-config) # default-router 192.168.1.1 // gateway address
R1 (dhcp-config) # lease 4 // The lease is for 4 days
R1 (dhcp-config) # exi
R1 (config) # ip dhcp pool v2
R1 (dhcp-config) # netw 192.168.2.0/25

R1 (dhcp-config) # default-router 192.168.2.1
R1 (dhcp-config) # lease 4
R1 (dhcp-config) # exi
R1 (config) # ip dhcp pool v3
R1 (dhcp-config) # netw 192.168.3.0/24
R1 (dhcp-config) # default-router 192.168.3.1
R1 (dhcp-config) # lease 4
R1 (dhcp-config) # exi
R1 (config) # ip dhcp excluded-address 192.168.1.1 // specify the ip address that is not distributed
R1 (config) # ip dhcp excluded-address 192.168.2.1
R1 (config) # ip dhcp excluded-address 192.168.3.1
Vlan Division planning: vlan1 (sw1 and sw3) vlan2 (pc3) vlan3 (pc2 and pc4)
Sw1 (config) # in vlan 1
Sw1 (config-if) # ip add dhcp // ip address obtained from dhcp
Sw1 (config-if) # exi
Sw1 (config) # vlan 2 // create vlan2
Sw1 (config-vlan) # name v2 // name vlan2
Sw1 (config-vlan) # vlan 3
Sw1 (config-vlan) # name v3
Sw1 (config-vlan) # exi
Sw1 (config) # in f1/2
Sw1 (config-if) # switchport mode access // set the interface mode to the access port
Sw1 (config-if) # switchport access vlan 3 // Add the interface to vlan 3
Sw1 (config-if) # exi

Sw1 (config) # in f1/0
Sw1 (config-if) # swi m trunk // set the interface mode to trunk
Sw1 (config-if) # swi t en d // The encapsulation type is dot1q
Sw1 (config-if) # exi
Sw1 (config) # in f1/15
Sw1 (config-if) # swi m t
Sw1 (config-if) # swi t en d // The encapsulation type must be the same as that of the Peer end
Sw1 (config-if) # exi
Sw1 (config) # vtp m server // vtp server
Sw1 (config) # vtp domain sw // vtp domain Name
Sw1 (config) # vtp pass abc // vtp Password
Sw1 (config) # vtp pruning // enable vtp pruning
Sw2 (config) # in f1/15
Sw2 (config-if) # swi m t
Sw2 (config-if) # swi t en d
Sw2 (config-if) # exi
Sw2 (config) # in vlan 1
Sw2 (config-if) # ip add dhcp
Sw2 (config-if) # exi
Sw2 (config) # vtp m c
Sw2 (config) # vtp domain sw
Sw2 (config) # vtp pass abc
Sw2 (config) # vtp pruning
Sw2 (config) # in f1/1
Sw2 (config-if) # swi m a // set the interface mode to access
Sw2 (config-if) # swi a v 3
Sw2 (config-if) # exi
Sw2 (config) # in f1/0
Sw2 (config-if) # swi m a
Sw2 (config-if) # swi a v 2
Sw2 (config-if) # exi
All PCs are configured as follows:
Pc2 (config) # in f0/0
Pc2 (config-if) # ip add dhcp // obtain from dhcp
Pc2 (config-if) # no shut
Pc2 (config-if) # exi
Test:
Pc2 (config) # do p 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/26/64 ms
Pc2 (config) # do p 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/41/76 ms
Hosts in the same vlan can communicate with each other, and hosts in different vlans can also communicate with each other.
R1 (config) # in s1/0
R1 (config-if) # ip add 219.146.0.1 255.255.255.0
R1 (config-if) # no shut
R1 (config-if) # exi
R2 (config) # in s1/0
R2 (config-if) # ip add 219.146.0.2 255.255.255.0
R2 (config-if) # no shut
R2 (config-if) # exi
Test the connectivity between pc2 and the Internet:
Pc2 (config) # do p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping fails because r2's routing table has no route back to the private address ranges; NAT is needed so that the traffic leaves r1 with its public address.
R1 (config) # access-list 10 permit 192.168.1.0 0.0.0.255 // create standard list 10 and permit the 192.168.1.0/24 network (0.0.0.255 is a wildcard mask, not a subnet mask)
R1 (config) # access-list 10 permit 192.168.2.0 0.0.0.255 // add an entry to list 10: permit the 192.168.2.0/24 network
R1 (config) # access-list 10 permit 192.168.3.0 0.0.0.255 // add an entry to list 10: permit the 192.168.3.0/24 network
R1 (config) # in s1/0
R1 (config-if) # ip nat out // mark as an external interface
R1 (config-if) # in f0/0.1 // you must enter the subinterface. The application does not work on the primary interface.
R1 (config-subif) # ip nat in // mark as an internal interface
R1 (config-subif) # in f0/0.2
R1 (config-subif) # ip nat in
R1 (config-subif) # in f0/0.3
R1 (config-subif) # ip nat in
R1 (config-subif) # exi
R1 (config) # ip nat inside source list 10 interface s1/0 overload // translate sources matched by list 10 to the address of s1/0, sharing it by port (overload/PAT)
Test:
Pc2 (config) # do p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/113/188 ms
Pc3 (config) # do p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/65/148 ms
Now all intranet hosts can communicate with the Internet.
Now we want to block pc3's Internet services. Telnet is used here as the example:
R1 (config) # access-list 110 deny tcp 192.168.2.0 0.0.0.255 any eq telnet // deny telnet from any host in the 192.168.2.0/24 segment to any destination
R1 (config) # access-list 110 permit ip any any // permit everything else (an ACL ends with an implicit deny, so this entry is required)
R1 (config) # in f0/0.2
R1 (config-subif) # ip access-group 110 in // the list must be applied on the subinterface, inbound
R1 (config-subif) # exi
Test:
Pc3 (config) # do telnet 219.146.0.2
Trying 219.146.0.2...
% Destination unreachable; gateway or host down
pc3 can no longer telnet. Test other services:
Pc3 (config) # do p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/113/220 ms
Ping still succeeds, so only telnet has been blocked, as intended.
Test other hosts:
Pc2 (config) # do telnet 219.146.0.2
Trying 219.146.0.2... Open
User Access Verification
Password:
R2>
R2>
R2> exi
[Connection to 219.146.0.2 closed by foreign host]
No problem. The experiment is complete.
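As an added example (not part of the original lab write-up), the following Python script models Cisco wildcard-mask matching and replays the two lists configured above, standard list 10 (the NAT source list) and extended list 110 (the telnet filter on f0/0.2), against constructed sample flows. The addresses 192.168.2.2 (standing in for pc3), 192.168.3.3 (pc2) and 10.9.8.7 (a host outside every listed network) are assumptions for illustration.

```python
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is don't-care

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Entry layout: (action, proto, (src, src_wild), (dst, dst_wild), dst_port).
# Standard list 10 only looks at the source address; giving its entries
# proto "ip", dst ANY and no port lets one evaluator serve both list types.
ACL_10 = [("permit", "ip", ("192.168.1.0", "0.0.0.255"), ANY, None),
          ("permit", "ip", ("192.168.2.0", "0.0.0.255"), ANY, None),
          ("permit", "ip", ("192.168.3.0", "0.0.0.255"), ANY, None)]

# Extended list 110: deny telnet (tcp/23) from the vlan2 segment, permit the rest.
ACL_110 = [("deny", "tcp", ("192.168.2.0", "0.0.0.255"), ANY, 23),
           ("permit", "ip", ANY, ANY, None)]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for action, eproto, (sb, sw), (db, dw), eport in acl:
        if eproto != "ip" and eproto != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"

def nat_eligible(src):
    """'ip nat inside source list 10 ...': only sources list 10 permits are translated."""
    return evaluate(ACL_10, "ip", src, "0.0.0.0") == "permit"

if __name__ == "__main__":
    # Constructed sample flows: pc3 sits in vlan2 (192.168.2.0/24), pc2 in vlan3.
    print("pc3 telnet to r2 :", evaluate(ACL_110, "tcp", "192.168.2.2", "219.146.0.2", 23))  # deny
    print("pc3 ping to r2   :", evaluate(ACL_110, "icmp", "192.168.2.2", "219.146.0.2"))     # permit
    print("pc3 translated   :", nat_eligible("192.168.2.2"))                                  # True
    print("10.9.8.7 translated:", nat_eligible("10.9.8.7"))                                   # False
```

A malformed wildcard such as 0.0.255 is rejected by the address parser, which mirrors why the list entries must use the four-octet form 0.0.0.255.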
Common debugging commands:
show vtp status // view vtp status
show vlan-switch brief // view vlan information
show ip access-lists // view ip access lists
show access-lists // view all access lists
show ip nat translations // view all active translation entries
show ip nat statistics // view NAT statistics (translation counts, inside/outside interfaces, the source list in use)
clear ip nat translation * // clear all dynamic translation entries
 
