1. WAN IP: 10.201.0.0/30
2. LAN IP: 10.201.79.56/28, 203.148.10.0/29
Customer internal information:
1. Customer internal network:
LAN1:192.168.0.0/24
LAN2:192.168.10.0/24
Router ip:192.168.0.254
Firewall ip: 192.168.0.253
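2. Subnets at the customer's other sites: 192.168.60.0/24, 192.168.70.0/24, 192.168.100.0/24
3. DHCP is enabled on the router
4. *** goes directly over the leased line; Internet access goes out through the customer's firewall.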
Building configuration...
Current configuration : 3492 bytes
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 36128-dddd-sh(0.254)
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$h1k.$O.o6LrM6ezbvh5MapviOh/
! Set up AAA
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
memory-size iomem 20
clock timezone CN 8
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DHCP1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 152.104.168.162 152.104.228.251
!
ip dhcp pool DHCP2
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 152.104.168.162 152.104.228.251
!
ip name-server 152.104.168.162
ip name-server 152.104.228.251
multilink bundle-name authenticated
username XXX password 7 14161C070D0D7B7977
username XXX password 7 03004213575D72
archive
log config
hidekeys
!
interface FastEthernet0/0
description to Leased line
ip address 10.201.0.2 255.255.255.252
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description to LAN
ip address 10.201.79.57 255.255.255.240 secondary
ip address 203.148.10.1 255.255.255.248 secondary
ip address 192.168.0.254 255.255.255.0
ip virtual-reassembly
! Apply the policy route-map named check-internet on the LAN interface; it takes precedence over the routing table
ip policy route-map check-internet
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 f0/0 10.201.0.1
!
!
no ip http server
!
! ACL for Internet-bound traffic
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
! Create a route-map named check-internet; its action is permit and its sequence number is 10
route-map check-internet permit 10
! Match type: ip address (the ACL created above)
match ip address 101
! Packets that match the ACL are handed to 192.168.0.253
set ip next-hop 192.168.0.253
!
! Authentication server address
tacacs-server host 2.2.2.2
tacacs-server directed-request
tacacs-server key 7 03004213575D72
!
control-plane
!
banner motd ^C
----------------------------------------------------------
* Authorized Access Only *
This Router is the property of Anlai.com Limited
Disconnect IMMEDIATELY if you are not an authorized user!
----------------------------------------------------------^C
!
line con 0
line aux 0
line vty 0 4
password 7 14130B135D5679
!
scheduler allocate 20000 1000
ntp server 1.1.1.1
end
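
The following Python sketch is an added example, not part of the original configuration. It models how ACL 101 and route-map check-internet decide where a packet received on FastEthernet0/1 is sent. The function names and sample flows are constructed for illustration, and only the ACL, the connected networks and the static default route are modelled.

```python
import ipaddress

# ACL 101 as on the page: (action, src, src wildcard, dst, dst wildcard)
LANS = ["192.168.0.0", "192.168.10.0"]
SITES = ["192.168.60.0", "192.168.70.0", "192.168.100.0"]
W = "0.0.0.255"
ACL_101 = [("deny", lan, W, site, W) for lan in LANS for site in SITES]
ACL_101 += [("permit", lan, W, "any", None) for lan in LANS]

PBR_NEXT_HOP = "192.168.0.253"    # set ip next-hop (customer firewall)
DEFAULT_NEXT_HOP = "10.201.0.1"   # ip route 0.0.0.0 0.0.0.0 f0/0 10.201.0.1
# Directly connected networks, derived from the interface addresses
CONNECTED = [ipaddress.ip_interface(a).network for a in
             ("10.201.0.2/30", "10.201.79.57/28",
              "203.148.10.1/29", "192.168.0.254/24")]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_101(src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, s, sw, d, dw in ACL_101:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def forward(src, dst):
    """Forwarding decision for a packet received on FastEthernet0/1."""
    if acl_101(src, dst) == "permit":
        # The route-map is evaluated before the routing table
        return ("policy-route", PBR_NEXT_HOP)
    # A deny in the route-map's ACL only means "not policy-routed"
    if any(ipaddress.ip_address(dst) in net for net in CONNECTED):
        return ("connected", dst)
    return ("default-route", DEFAULT_NEXT_HOP)

if __name__ == "__main__":
    # Constructed sample flows (198.51.100.7 is a documentation address)
    for src, dst in [("192.168.0.10", "192.168.60.5"),    # other site
                     ("192.168.0.10", "198.51.100.7"),    # Internet
                     ("192.168.10.20", "203.148.10.2"),   # connected /29
                     ("10.201.79.58", "198.51.100.7")]:   # source not in ACL
        print(src, "->", dst, forward(src, dst))
```

The third flow shows that the `permit ... any` entries also steer LAN traffic bound for the router's own connected 203.148.10.0/29 subnet to the firewall, since nothing in ACL 101 excludes that destination.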