HCIA园区网(VLAN、OSPF、ACL)

1，园区内部全网可达
2，园区内所有办公电脑可以访问外网
3，所有内网设备均可以通过域名访问内部的HTTP服务器，除了教学楼2的设备
4，外网可以访问内部的HTTP服务器
5，所有学生的电脑不允许访问办公室电脑及摄像头
6，园区内使用多区域OSPF网络保证路由可达

1、先做VLAN---教学楼1和教学楼2

教学楼1-接入VLAN

接入-1

[1-L2-a]vl ba 2 3 Info: This operation may take a few seconds. Please wait for a moment...done. [1-L2-a]int g0/0/2 [1-L2-a-GigabitEthernet0/0/2]po li ac [1-L2-a-GigabitEthernet0/0/2]po de vl 2 [1-L2-a-GigabitEthernet0/0/1]int g0/0/24 [1-L2-a-GigabitEthernet0/0/24]po li ac [1-L2-a-GigabitEthernet0/0/24]po de vl 3 [1-L2-a-GigabitEthernet0/0/3]int g0/0/1 [1-L2-a-GigabitEthernet0/0/1]po li tr [1-L2-a-GigabitEthernet0/0/1]po tr al vl 2 3 [1-L2-a-GigabitEthernet0/0/1]undo po tr al vl 1 #最小vlan透传原则，关闭默认的vlan1

接入-2

[1-L2-b]int g0/0/2 [1-L2-b-GigabitEthernet0/0/2]po li ac [1-L2-b-GigabitEthernet0/0/2]po de vl 2 [1-L2-b-GigabitEthernet0/0/2]int g0/0/24 [1-L2-b-GigabitEthernet0/0/24]po li ac [1-L2-b-GigabitEthernet0/0/24]po de vl 3 [1-L2-b-GigabitEthernet0/0/24]int g0/0/1 [1-L2-b-GigabitEthernet0/0/1]po li tr [1-L2-b-GigabitEthernet0/0/1]po tr al vl 2 3

接入-3可以只在连接的三层交换机的接口放通VLAN3即可

教学楼1-汇聚VLAN

[1-L1]int g0/0/1 [1-L1-GigabitEthernet0/0/1]po li tr [1-L1-GigabitEthernet0/0/1]po tr al vl 2 3 [1-L1-GigabitEthernet0/0/1]undo p t a v 1 [1-L1-GigabitEthernet0/0/1]int g0/0/2 [1-L1-GigabitEthernet0/0/2]p l t [1-L1-GigabitEthernet0/0/2]p t a v 2 3 [1-L1-GigabitEthernet0/0/2]undo p t a v 1 [1-L1-GigabitEthernet0/0/2]int g0/0/3 [1-L1-GigabitEthernet0/0/3]p l a [1-L1-GigabitEthernet0/0/3]p d v 3

使用教学楼1的三层交换机做VLAN间路由，使用DHCP自动获取IP地址（教学楼1-汇聚）

[1-L1]int vl 2 [1-L1-Vlanif2]ip add 192.168.2.1 24 [1-L1-Vlanif2]int vl 3 [1-L1-Vlanif3]ip add 192.168.3.1 24 [1-L1]dhcp en Info: The operation may take a few seconds. Please wait for a moment.done. [1-L1]ip pool vlan2 Info:It's successful to create an IP address pool. ' [1-L1-ip-pool-vlan2]net 192.168.2.0 mask 24 [1-L1-ip-pool-vlan2]gat 192.168.2.1 [1-L1-ip-pool-vlan2]q [1-L1]ip poo vlan3 Info:It's successful to create an IP address pool. ' [1-L1-ip-pool-vlan3]net 192.168.3.0 mask 24 [1-L1-ip-pool-vlan3]gat 192.168.3.1 [1-L1-ip-pool-vlan3]q [1-L1]int vl 2 [1-L1-Vlanif2]dhcp se gl [1-L1-Vlanif2]int vl 3 [1-L1-Vlanif3]dh se gl

教学楼2-接入VLAN

接入-1

[2-L2-a]vl ba 4 5 Info: This operation may take a few seconds. Please wait for a moment...done. [2-L2-a-GigabitEthernet0/0/3]int g0/0/2 [2-L2-a-GigabitEthernet0/0/2]po li a [2-L2-a-GigabitEthernet0/0/2]p d v 4 [2-L2-a-GigabitEthernet0/0/2]int g0/0/24 [2-L2-a-GigabitEthernet0/0/24]p l a [2-L2-a-GigabitEthernet0/0/24]p d v 5 [2-L2-a-GigabitEthernet0/0/24]int g0/0/1 [2-L2-a-GigabitEthernet0/0/1]p l t [2-L2-a-GigabitEthernet0/0/1]p t a v 4 5 [2-L2-a-GigabitEthernet0/0/1]undo p t a v 1

接入-2

[2-L2-b]vl ba 4 5 Info: This operation may take a few seconds. Please wait for a moment...done. [2-L2-b]int g0/0/2 [2-L2-b-GigabitEthernet0/0/2]p l a [2-L2-b-GigabitEthernet0/0/2]p d v 4 [2-L2-b-GigabitEthernet0/0/2]int g0/0/24 [2-L2-b-GigabitEthernet0/0/24]p l a [2-L2-b-GigabitEthernet0/0/24]p d v 5 [2-L2-b-GigabitEthernet0/0/24]int g0/0/1 [2-L2-b-GigabitEthernet0/0/1]p l t [2-L2-b-GigabitEthernet0/0/1]p t a v 4 5 [2-L2-b-GigabitEthernet0/0/1]undo p t a v 1

接入-3 同教1接入-3

教学楼2 -接入

[2-L1]vl ba 4 5 Info: This operation may take a few seconds. Please wait for a moment...done. [2-L1]int g0/0/5 [2-L1-GigabitEthernet0/0/5]p l a [2-L1-GigabitEthernet0/0/5]p d v 5 [2-L1-GigabitEthernet0/0/5]int g0/0/3 [2-L1-GigabitEthernet0/0/3]p l t [2-L1-GigabitEthernet0/0/3]p t a v 4 5 [2-L1-GigabitEthernet0/0/3]undo p t a v 1 [2-L1-GigabitEthernet0/0/3]int g0/0/4 [2-L1-GigabitEthernet0/0/4]p l t [2-L1-GigabitEthernet0/0/4]p t a v 4 5 [2-L1-GigabitEthernet0/0/4]undo p t a v 1 [2-L1-GigabitEthernet0/0/4]int g0/0/1 [2-L1-GigabitEthernet0/0/1]p l t [2-L1-GigabitEthernet0/0/1]p t a v 4 5 [2-L1-GigabitEthernet0/0/1]undo p t a v 1

教学楼2-汇聚（AR3）

[2-R1-GigabitEthernet0/0/0]int g0/0/0.2 [2-R1-GigabitEthernet0/0/0.2]ip add 192.168.5.1 24 [2-R1-GigabitEthernet0/0/0.2]do te vi 5 Apr 19 2026 01:21:06-08:00 2-R1 %%01IFNET/4/LINK_STATE(l)[3]:The line protocol I P on the interface GigabitEthernet0/0/0.2 has entered the UP state. [2-R1-GigabitEthernet0/0/0.2]ar br en [2-R1-GigabitEthernet0/0/0]int g0/0/0.1 [2-R1-GigabitEthernet0/0/0.1]ip add 192.168.4.1 24 [2-R1-GigabitEthernet0/0/0.1]do te vid 4 Apr 19 2026 01:08:46-08:00 2-R1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol I P on the interface GigabitEthernet0/0/0.1 has entered the UP state. [2-R1-GigabitEthernet0/0/0.1]arp br en [2-R1-GigabitEthernet0/0/0.1]q

教学楼2-DHCP

[2-R1]dh en Info: The operation may take a few seconds. Please wait for a moment.done. [2-R1]ip poo vlan4 Info: It's successful to create an IP address pool. ' [2-R1-ip-pool-vlan4]net 192.168.4.0 mask 24 [2-R1-ip-pool-vlan4]gat 192.168.4.1 [2-R1-ip-pool-vlan4]q [2-R1]ip po vlan5 Info: It's successful to create an IP address pool. ' [2-R1-ip-pool-vlan5]net 192.168.5.0 mask 24 [2-R1-ip-pool-vlan5]gat 192.168.5.1 [2-R1-ip-pool-vlan5]q [2-R1]int g0/0/1 [2-R1-GigabitEthernet0/0/1]int g0/0/0 [2-R1-GigabitEthernet0/0/0]dh se gl [2-R1-GigabitEthernet0/0/0]int g0/0/0.1 [2-R1-GigabitEthernet0/0/0.1]dh se gl [2-R1-GigabitEthernet0/0/0.2]dh se gl

2、办公楼配置

网关在核心上

服务器接入

[S-L1]vl ba 10 20 30 Info: This operation may take a few seconds. Please wait for a moment...done. [S-L1]int g0/0/1 [S-L1-GigabitEthernet0/0/1]p l a [S-L1-GigabitEthernet0/0/1]p d v 10 [S-L1-GigabitEthernet0/0/1]int g0/0/2 [S-L1-GigabitEthernet0/0/2]p l a [S-L1-GigabitEthernet0/0/2]p d v 20 [S-L1-GigabitEthernet0/0/2]int g0/0/4 [S-L1-GigabitEthernet0/0/4]p l a [S-L1-GigabitEthernet0/0/4]p d v 30 [S-L1-GigabitEthernet0/0/4]int g0/0/3 [S-L1-GigabitEthernet0/0/3]p l t [S-L1-GigabitEthernet0/0/3]p t a v 10 20 30 [S-L1-GigabitEthernet0/0/3]undo p t a v 1

核心

[core]vl ba 10 20 30 Info: This operation may take a few seconds. Please wait for a moment...done. [core]int g0/0/3 [core-GigabitEthernet0/0/3]p l t [core-GigabitEthernet0/0/3]p t a v 10 20 30 [core-GigabitEthernet0/0/3]undo p t a v 1 [core]int vl 10 [core-Vlanif10]ip add 172.16.10.1 24 [core-Vlanif10]int vl 20 [core-Vlanif20]ip add 172.16.20.1 24 [core-Vlanif20]int vl 30 [core-Vlanif30]ip add 172.16.30.1 24

3、做3层，OSPF内网全通

在交换机的虚拟接口上配IP（创建新的VLAN）

核心

[core]vl ba 100 200 300 Info: This operation may take a few seconds. Please wait for a moment...done. [core]int g0/0/4 [core-GigabitEthernet0/0/4]q [core]int vl 100 [core-Vlanif100]ip add 192.168.1.6 30 [core-Vlanif100]int g0/0/2 [core-GigabitEthernet0/0/2]p l a [core-GigabitEthernet0/0/2]p d v 100 [core-GigabitEthernet0/0/2]int vl 200 [core-Vlanif200]ip add 192.168.1.1 30 [core-Vlanif200]int g0/0/1 [core-GigabitEthernet0/0/1]p l a [core-GigabitEthernet0/0/1]p d v 200 [core-GigabitEthernet0/0/1]int vl 300 [core-Vlanif300]ip add 192.168.1.9 30 [core-Vlanif300]int g0/0/4 [core-GigabitEthernet0/0/4]p l a [core-GigabitEthernet0/0/4]p d v 300

其他直连网段

[2-R1]int g0/0/1 [2-R1-GigabitEthernet0/0/1]ip add 192.168.1.5 30 [1-L1]vl 200 [1-L1-vlan200]int vl 200 [1-L1-Vlanif200]ip add 192.168.1.2 30 [1-L1-Vlanif200]int g0/0/4 [1-L1-GigabitEthernet0/0/4]p l a [1-L1-GigabitEthernet0/0/4]p d v 200 [bianjie]int g0/0/0 [bianjie-GigabitEthernet0/0/0]ip add 192.168.1.10 30

做多区域OSPF

核心

[core]ospf 1 ro [core]ospf 1 router-id 2.2.2.2 [core-ospf-1]a 0 [core-ospf-1-area-0.0.0.0]net 192.168.1.8 0.0.0.3 [core-ospf-1-area-0.0.0.0]q [core-ospf-1]a 1 [core-ospf-1-area-0.0.0.1]net 192.168.1.0 0.0.0.3 [core-ospf-1-area-0.0.0.1]q [core-ospf-1]a 2 [core-ospf-1-area-0.0.0.2]net 192.168.1.4 0.0.0.3 [core-ospf-1-area-0.0.0.2]q [core-ospf-1]a 3 [core-ospf-1-area-0.0.0.3]net 172.16.0.0 0.0.255.255

其他

[bianjie]ospf 1 ro [bianjie]ospf 1 router-id 1.1.1.1 [bianjie-ospf-1]a 0 [bianjie-ospf-1-area-0.0.0.0]net 192.168.1.8 0.0.0.3 [bianjie-ospf-1-area-0.0.0.0] Apr 19 2026 01:59:13-08:00 bianjie %%01OSPF/4/NBR_CHANGE_E(l)[0]:Neighbor change s event: neighbor status changed. (ProcessId=256, NeighborAddress=9.1.168.192, N eighborEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Ini t) [bianjie-ospf-1-area-0.0.0.0] Apr 19 2026 01:59:16-08:00 bianjie %%01OSPF/4/NBR_CHANGE_E(l)[1]:Neighbor change s event: neighbor status changed. (ProcessId=256, NeighborAddress=9.1.168.192, N eighborEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=ExSt art) [bianjie-ospf-1-area-0.0.0.0] Apr 19 2026 01:59:16-08:00 bianjie %%01OSPF/4/NBR_CHANGE_E(l)[2]:Neighbor change s event: neighbor status changed. (ProcessId=256, NeighborAddress=9.1.168.192, N eighborEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentStat e=Exchange) [bianjie-ospf-1-area-0.0.0.0] Apr 19 2026 01:59:16-08:00 bianjie %%01OSPF/4/NBR_CHANGE_E(l)[3]:Neighbor change s event: neighbor status changed. (ProcessId=256, NeighborAddress=9.1.168.192, N eighborEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState= Loading) [bianjie-ospf-1-area-0.0.0.0] Apr 19 2026 01:59:16-08:00 bianjie %%01OSPF/4/NBR_CHANGE_E(l)[4]:Neighbor change s event: neighbor status changed. (ProcessId=256, NeighborAddress=9.1.168.192, N eighborEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState=Fu ll) [1-L1]ospf 1 router-id 3.3.3.3 Info: The configuration succeeded. You need to restart the OSPF process to valid ate the new router ID. [1-L1-ospf-1]a 1 [1-L1-ospf-1-area-0.0.0.1]net 192.168.0.0 0.0.255.255 [2-R1]ospf 1 r [2-R1]ospf 1 router-id 4.4.4.4 [2-R1-ospf-1]a 2 [2-R1-ospf-1-area-0.0.0.2]net 192.168.4.0 0.0.0.255 [2-R1-ospf-1-area-0.0.0.2]net 192.168.5.0 0.0.0.255 [2-R1-ospf-1-area-0.0.0.2]net 192.168.1.4 0.0.0.3 [2-R1-ospf-1-area-0.0.0.2] Apr 19 2026 02:07:55-08:00 2-R1 %%01OSPF/4/NBR_CHANGE_E(l)[0]:Neighbor changes e vent: neighbor status changed. (ProcessId=256, NeighborAddress=6.1.168.192, Neig hborEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Init) [2-R1-ospf-1-area-0.0.0.2] Apr 19 2026 02:07:55-08:00 2-R1 %%01OSPF/4/NBR_CHANGE_E(l)[1]:Neighbor changes e vent: neighbor status changed. (ProcessId=256, NeighborAddress=6.1.168.192, Neig hborEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=2Way) [2-R1-ospf-1-area-0.0.0.2] Apr 19 2026 02:07:55-08:00 2-R1 %%01OSPF/4/NBR_CHANGE_E(l)[2]:Neighbor changes e vent: neighbor status changed. (ProcessId=256, NeighborAddress=6.1.168.192, Neig hborEvent=AdjOk?, NeighborPreviousState=2Way, NeighborCurrentState=ExStart) [2-R1-ospf-1-area-0.0.0.2] Apr 19 2026 02:07:55-08:00 2-R1 %%01OSPF/4/NBR_CHANGE_E(l)[3]:Neighbor changes e vent: neighbor status changed. (ProcessId=256, NeighborAddress=6.1.168.192, Neig hborEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentState=E xchange) [2-R1-ospf-1-area-0.0.0.2] Apr 19 2026 02:07:55-08:00 2-R1 %%01OSPF/4/NBR_CHANGE_E(l)[4]:Neighbor changes e vent: neighbor status changed. (ProcessId=256, NeighborAddress=6.1.168.192, Neig hborEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState=Loa ding) [2-R1-ospf-1-area-0.0.0.2] Apr 19 2026 02:07:55-08:00 2-R1 %%01OSPF/4/NBR_CHANGE_E(l)[5]:Neighbor changes e vent: neighbor status changed. (ProcessId=256, NeighborAddress=6.1.168.192, Neig hborEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState=Full)

检查（dis ip routing-table ）

[core]dis ip routing-table Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: Public Destinations : 18 Routes : 18 Destination/Mask Proto Pre Cost Flags NextHop Interface 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 172.16.10.0/24 Direct 0 0 D 172.16.10.1 Vlanif10 172.16.10.1/32 Direct 0 0 D 127.0.0.1 Vlanif10 172.16.20.0/24 Direct 0 0 D 172.16.20.1 Vlanif20 172.16.20.1/32 Direct 0 0 D 127.0.0.1 Vlanif20 172.16.30.0/24 Direct 0 0 D 172.16.30.1 Vlanif30 172.16.30.1/32 Direct 0 0 D 127.0.0.1 Vlanif30 192.168.1.0/30 Direct 0 0 D 192.168.1.1 Vlanif200 192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif200 192.168.1.4/30 Direct 0 0 D 192.168.1.6 Vlanif100 192.168.1.6/32 Direct 0 0 D 127.0.0.1 Vlanif100 192.168.1.8/30 Direct 0 0 D 192.168.1.9 Vlanif300 192.168.1.9/32 Direct 0 0 D 127.0.0.1 Vlanif300 192.168.2.0/24 OSPF 10 2 D 192.168.1.2 Vlanif200 192.168.3.0/24 OSPF 10 2 D 192.168.1.2 Vlanif200 192.168.4.0/24 OSPF 10 2 D 192.168.1.5 Vlanif100 192.168.5.0/24 OSPF 10 2 D 192.168.1.5 Vlanif100

4、完成其他需求

（1）外网

边界设备

[bianjie]int g0/0/1 [bianjie-GigabitEthernet0/0/1]ip add 12.0.0.1 24 Apr 19 2026 02:15:29-08:00 bianjie %%01IFNET/4/LINK_STATE(l)[0]:The line protoco l IP on the interface GigabitEthernet0/0/1 has entered the UP state. [bianjie]ip route-static 0.0.0.0 0 12.0.0.2 [bianjie]ospf [bianjie-ospf-1]de [bianjie-ospf-1]default-route-advertise

ISP

[ISP-GigabitEthernet0/0/1]int g0/0/0 [ISP-GigabitEthernet0/0/0]ip add 12.0.0.2 24 Apr 19 2026 02:16:20-08:00 ISP %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state. [ISP-GigabitEthernet0/0/0]int g0/0/1 [ISP-GigabitEthernet0/0/1]ip add 13.0.0.1 24 Apr 19 2026 02:16:35-08:00 ISP %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.

（2）边界设备做NAPT

[bianjie]acl 2000 [bianjie-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 [bianjie-acl-basic-2000]rule permit source 172.16.0.0 0.0.255.255 [bianjie-acl-basic-2000]q [bianjie]int g0/0/1 [bianjie-GigabitEthernet0/0/1]nat ou [bianjie-GigabitEthernet0/0/1]nat outbound 2000

（3）教学楼2设备不能访问内部的HTTP服务器

[2-R1]acl 3000 [2-R1-acl-adv-3000]rule deny ip source 192.168.0.0 0.0.0.255 destination 172.16. 10.0 0.0.0.255 [2-R1-acl-adv-3000]rule deny ip source 192.168.0.0 0.0.0.255 destination 172.16. 20.0 0.0.0.255 [2-R1-acl-adv-3000]int g0/0/0 [2-R1-GigabitEthernet0/0/0]tr [2-R1-GigabitEthernet0/0/0]traffic-filter in [2-R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

（4）外网可以访问内部的HTTP服务器

[bianjie-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 8 0 inside 172.16.10.254 80 Warning:The port 80 is well-known port. If you continue it may cause function fa ilure. Are you sure to continue?[Y/N]:y

（5）所有学生的电脑不允许访问办公室电脑及摄像头

教学楼1

[1-L1]acl 3000 [1-L1-acl-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168 .3.0 0.0.0.255 [1-L1-acl-adv-3000]int g0/0/1 [1-L1-GigabitEthernet0/0/1]tr [1-L1-GigabitEthernet0/0/1]traffic-filter in [1-L1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000 [1-L1-GigabitEthernet0/0/1]int g0/0/2 [1-L1-GigabitEthernet0/0/2]traffic-filter inbound acl 3000

教学楼2

[2-R1-acl-adv-3000]rule deny ip source 192.168.5.0 0.0.0.255 destination 192.168 .4.0 0.0.0.255

5、测试

内部全网可达

园区内所有办公电脑可以访问外网

所有内网设备均可以通过域名访问内部的HTTP服务器，除了教学楼2的设备

外网可以访问内部的HTTP服务器

所有学生的电脑不允许访问办公室电脑及摄像头

园区内使用多区域OSPF网络保证路由可达