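Network topology diagram
Requirements:
1. Use DHCP to assign addresses
2. Use OSPF for internal routing
3. Use the VRRP virtual gateway protocol: SW1 is the master for VLANs 10, 11 and 12 and the backup for VLANs 13, 14 and 15
4. Use the VRRP virtual gateway protocol: SW2 is the master for VLANs 13, 14 and 15 and the backup for VLANs 10, 11 and 12
5. Use MSTP: SW1 is the root bridge for instance 1 and the backup for instance 2; SW2 is the root bridge for instance 2 and the backup for instance 1
6. Use NAT so that internal hosts can reach the external network, and map the web server's IP
7. Configure a packet-filtering firewall so that the outside can reach the web server only through TCP port 80
1. Configure IP addresses (omitted)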
AR6:
[AR6]int gi 0/0/0
[AR6-GigabitEthernet0/0/0]ip add 12.1.5.6 24
[AR6-GigabitEthernet0/0/0]int gi 0/0/1
[AR6-GigabitEthernet0/0/1]ip add 172.16.10.254 24
[AR6-GigabitEthernet0/0/1]int gi 0/0/2
[AR6-GigabitEthernet0/0/2]ip add 8.8.8.8 24
AR1:
[AR1]int gi 0/0/0
[AR1-GigabitEthernet0/0/0]ip add 10.1.10.1 24
[AR1-GigabitEthernet0/0/0]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]ip add 12.1.5.1 24
AR2:
[AR2]int gi 0/0/0
[AR2-GigabitEthernet0/0/0]ip add 10.1.10.2 24
[AR2-GigabitEthernet0/0/0]int gi 4/0/0
[AR2-GigabitEthernet4/0/0]ip add 192.168.66.254 24
[AR2-GigabitEthernet4/0/0]int gi 6/0/0
[AR2-GigabitEthernet6/0/0]ip add 192.168.33.254 24
[AR2-GigabitEthernet6/0/0]int gi 0/0/1
[AR2-GigabitEthernet0/0/1]ip add 10.1.1.2 24
[AR2-GigabitEthernet0/0/1]int gi 0/0/2
[AR2-GigabitEthernet0/0/2]ip add 11.1.1.2 24
[AR2-GigabitEthernet0/0/2]int gi 2/0/0
[AR2-GigabitEthernet2/0/0]ip add 192.168.100.254 24
[AR2-GigabitEthernet2/0/0]int gi 3/0/0
[AR2-GigabitEthernet3/0/0]ip add 192.168.99.254 24
[AR2-GigabitEthernet3/0/0]int gi 1/0/0
[AR2-GigabitEthernet1/0/0]ip add 192.168.88.254 24
AR3:
[AR3]int gi 0/0/0
[AR3-GigabitEthernet0/0/0]ip add 192.168.66.1 24
[R3]ip route-static 0.0.0.0 0 192.168.66.254
AR7:
[AR7]int gi 0/0/0
[AR7-GigabitEthernet0/0/0]ip add 192.168.33.1 24
SW1:
[SW1]vlan 100
[SW1-vlan100]q
[SW1]vlan batch 10 to 15
[SW1]int vlan 100
[SW1-Vlanif100]ip add 10.1.1.1 24
[SW1-Vlanif100]q
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlan 11
[SW1-Vlanif11]ip add 192.168.11.1 24
[SW1-Vlanif11]int vlan 12
[SW1-Vlanif12]ip add 192.168.12.1 24
[SW1-Vlanif12]int vlan 13
[SW1-Vlanif13]ip add 192.168.13.1 24
[SW1-Vlanif13]int vlan 14
[SW1-Vlanif14]ip add 192.168.14.1 24
[SW1-Vlanif14]int vlan 15
[SW1-Vlanif15]ip add 192.168.15.1 24
SW2:
[SW2]vlan 200
[SW2-vlan200]q
[SW2]vlan batch 10 to 15
[SW2]int vlan 200
[SW2-Vlanif200]ip add 11.1.1.1 24
[SW2-Vlanif200]q
[SW2]int vlan 10
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif10]int vlan 11
[SW2-Vlanif11]ip add 192.168.11.2 24
[SW2-Vlanif11]int vlan 12
[SW2-Vlanif12]ip add 192.168.12.2 24
[SW2-Vlanif12]int vlan 13
[SW2-Vlanif13]ip add 192.168.13.2 24
[SW2-Vlanif13]int vlan 14
[SW2-Vlanif14]ip add 192.168.14.2 24
[SW2-Vlanif14]int vlan 15
[SW2-Vlanif15]ip add 192.168.15.2 24
2. Set the corresponding interfaces to access or trunk
SW1:
[SW1-Vlanif15]int gi 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 100
[SW1-GigabitEthernet0/0/1]q
[SW1]port-group gi2to7
[SW1-port-group-gi2to7]group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/7
[SW1-port-group-gi2to7]port link-type trunk
[SW1-port-group-gi2to7]port trunk allow-pass vlan all
SW2:
[SW2]int gi 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 200
[SW2-GigabitEthernet0/0/1]q
[SW2]port-group gi2to7
[SW2-port-group-gi2to7]group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/7
[SW2-port-group-gi2to7]port link-type trunk
[SW2-port-group-gi2to7]port trunk allow-pass vlan all
SW4:
[SW4]vlan 10
[SW4-vlan10]q
[SW4]int e 0/0/3
[SW4-Ethernet0/0/3]port link-type access
[SW4-Ethernet0/0/3]port default vlan 10
[SW4-Ethernet0/0/3]int e 0/0/1
[SW4-Ethernet0/0/1]port link-type trunk
[SW4-Ethernet0/0/1]port trunk allow-pass vlan all
[SW4-Ethernet0/0/1]int e 0/0/2
[SW4-Ethernet0/0/2]port link-type trunk
[SW4-Ethernet0/0/2]port trunk allow-pass vlan all
SW5:
[SW5]vlan 11
[SW5-vlan11]q
[SW5]int e 0/0/1
[SW5-Ethernet0/0/1]port link-type trunk
[SW5-Ethernet0/0/1]port trunk allow-pass vlan all
[SW5-Ethernet0/0/1]int e 0/0/2
[SW5-Ethernet0/0/2]port link-type trunk
[SW5-Ethernet0/0/2]port trunk allow-pass vlan all
[SW5-Ethernet0/0/2]int e 0/0/3
[SW5-Ethernet0/0/3]port link-type access
[SW5-Ethernet0/0/3]port default vlan 11
SW6:
[SW6]vlan 12
[SW6-vlan12]q
[SW6]int e 0/0/3
[SW6-Ethernet0/0/3]port link-type access
[SW6-Ethernet0/0/3]port default vlan 12
[SW6-Ethernet0/0/3]int e 0/0/1
[SW6-Ethernet0/0/1]port link-type trunk
[SW6-Ethernet0/0/1]port trunk allow-pass vlan all
[SW6-Ethernet0/0/1]int e 0/0/2
[SW6-Ethernet0/0/2]port link-type trunk
[SW6-Ethernet0/0/2]port trunk allow-pass vlan all
SW7:
[SW7]vlan 13
[SW7-vlan13]q
[SW7]int e 0/0/3
[SW7-Ethernet0/0/3]port link-type access
[SW7-Ethernet0/0/3]port default vlan 13
[SW7-Ethernet0/0/3]int e 0/0/1
[SW7-Ethernet0/0/1]port link-type trunk
[SW7-Ethernet0/0/1]port trunk allow-pass vlan all
[SW7-Ethernet0/0/1]int e 0/0/2
[SW7-Ethernet0/0/2]port link-type trunk
[SW7-Ethernet0/0/2]port trunk allow-pass vlan all
SW8:
[SW8]vlan 14
[SW8-vlan14]q
[SW8]int e 0/0/3
[SW8-Ethernet0/0/3]port link-type access
[SW8-Ethernet0/0/3]port default vlan 14
[SW8-Ethernet0/0/3]int e 0/0/1
[SW8-Ethernet0/0/1]port link-type trunk
[SW8-Ethernet0/0/1]port trunk allow-pass vlan all
[SW8-Ethernet0/0/1]int e 0/0/2
[SW8-Ethernet0/0/2]port link-type trunk
[SW8-Ethernet0/0/2]port trunk allow-pass vlan all
SW9:
[SW9]vlan 15
[SW9-vlan15]q
[SW9]int e 0/0/3
[SW9-Ethernet0/0/3]port link-type access
[SW9-Ethernet0/0/3]port default vlan 15
[SW9-Ethernet0/0/3]int e 0/0/1
[SW9-Ethernet0/0/1]port link-type trunk
[SW9-Ethernet0/0/1]port trunk allow-pass vlan all
[SW9-Ethernet0/0/1]int e 0/0/2
[SW9-Ethernet0/0/2]port link-type trunk
[SW9-Ethernet0/0/2]port trunk allow-pass vlan all
3. Configure OSPF
AR2:
[AR2]ospf
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.1.10.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.66.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.33.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 11.1.1.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.99.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.88.0 0.0.0.255
AR1:
[AR1]ospf
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.10.0 0.0.0.255
SW1:
[SW1]OSPF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
SW2:
[SW2]OSPF
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 11.1.1.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
4. Configure VRRP
SW1:
[SW1]int vlan 10
[SW1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[SW1-Vlanif10]vrrp vrid 1 priority 105
[SW1-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1
[SW1]int vlan 11
[SW1-Vlanif11]vrrp vrid 1 virtual-ip 192.168.11.254
[SW1-Vlanif11]vrrp vrid 1 priority 105
[SW1-Vlanif11]vrrp vrid 1 track interface GigabitEthernet 0/0/1
[SW1-Vlanif11]int vlan 12
[SW1-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW1-Vlanif12]vrrp vrid 1 priority 105
[SW1-Vlanif12]vrrp vrid 1 track interface GigabitEthernet 0/0/1
[SW1-Vlanif12]int vlan 13
[SW1-Vlanif13]vrrp vrid 2 virtual-ip 192.168.13.254
[SW1-Vlanif13]int vlan 14
[SW1-Vlanif14]vrrp vrid 2 virtual-ip 192.168.14.254
[SW1-Vlanif14]int vlan 15
[SW1-Vlanif15]vrrp vrid 2 virtual-ip 192.168.15.254
SW2:
[SW2]int vlan 10
[SW2-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[SW2-Vlanif10]int vlan 11
[SW2-Vlanif11]vrrp vrid 1 virtual-ip 192.168.11.254
[SW2-Vlanif11]int vlan 12
[SW2-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW2-Vlanif12]int vlan 13
[SW2-Vlanif13]vrrp vrid 2 virtual-ip 192.168.13.254
[SW2-Vlanif13]vrrp vrid 2 priority 105
[SW2-Vlanif13]vrrp vrid 2 track interface GigabitEthernet 0/0/1
[SW2-Vlanif13]int vlan 14
[SW2-Vlanif14]vrrp vrid 2 virtual-ip 192.168.14.254
[SW2-Vlanif14]vrrp vrid 2 priority 105
[SW2-Vlanif14]vrrp vrid 2 track interface GigabitEthernet 0/0/1
[SW2-Vlanif14]int vlan 15
[SW2-Vlanif15]vrrp vrid 2 virtual-ip 192.168.15.254
[SW2-Vlanif15]vrrp vrid 2 priority 105
[SW2-Vlanif15]vrrp vrid 2 track interface GigabitEthernet 0/0/1
5. Configure MSTP
SW1:
[SW1]stp region-configuration
[SW1-mst-region]region-name kon
[SW1-mst-region]revision-level 1
[SW1-mst-region]instance 1 vlan 10 to 12
[SW1-mst-region]instance 2 vlan 13 to 15
[SW1-mst-region]active region-configuration
[SW1-mst-region]q
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
SW2:
[SW2]stp region-configuration
[SW2-mst-region]region-name kon
[SW2-mst-region]revision-level 1
[SW2-mst-region]instance 1 vlan 10 to 12
[SW2-mst-region]instance 2 vlan 13 to 15
[SW2-mst-region]active region-configuration
[SW2-mst-region]q
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
All the other switches need this configuration as well:
[SW4]stp region-configuration
[SW4-mst-region] region-name kon
[SW4-mst-region] revision-level 1
[SW4-mst-region] instance 1 vlan 10 to 12
[SW4-mst-region] instance 2 vlan 13 to 15
[SW4-mst-region] active region-configuration
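Added example, not part of the original lab write-up: requirements 3 to 5 put the VRRP master and the MSTP root bridge for each VLAN on the same switch. The Python below parses the SW1/SW2 commands shown in steps 4 and 5 and reports any VLAN where the two disagree; the function names audit and misaligned are hypothetical names chosen for this illustration.

```python
import re
# Commands copied from the SW1/SW2 sessions on this page (track lines left out).
SESSION = """\
[SW1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[SW1-Vlanif10]vrrp vrid 1 priority 105
[SW1-Vlanif11]vrrp vrid 1 virtual-ip 192.168.11.254
[SW1-Vlanif11]vrrp vrid 1 priority 105
[SW1-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW1-Vlanif12]vrrp vrid 1 priority 105
[SW1-Vlanif13]vrrp vrid 2 virtual-ip 192.168.13.254
[SW1-Vlanif14]vrrp vrid 2 virtual-ip 192.168.14.254
[SW1-Vlanif15]vrrp vrid 2 virtual-ip 192.168.15.254
[SW2-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[SW2-Vlanif11]vrrp vrid 1 virtual-ip 192.168.11.254
[SW2-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW2-Vlanif13]vrrp vrid 2 virtual-ip 192.168.13.254
[SW2-Vlanif13]vrrp vrid 2 priority 105
[SW2-Vlanif14]vrrp vrid 2 virtual-ip 192.168.14.254
[SW2-Vlanif14]vrrp vrid 2 priority 105
[SW2-Vlanif15]vrrp vrid 2 virtual-ip 192.168.15.254
[SW2-Vlanif15]vrrp vrid 2 priority 105
[SW1-mst-region]instance 1 vlan 10 to 12
[SW1-mst-region]instance 2 vlan 13 to 15
[SW1]stp instance 1 root primary
[SW2]stp instance 2 root primary
"""

def audit(session):
    """Return {vlan: (vrrp_master, mstp_root)}. Default VRRP priority is 100; ties are not modelled."""
    prio, inst_of, root = {}, {}, {}
    for line in session.splitlines():
        if m := re.match(r"\[(\w+)-Vlanif(\d+)\]vrrp vrid \d+ (virtual-ip|priority) (\S+)", line):
            key = (int(m[2]), m[1])  # (vlan, device)
            prio[key] = int(m[4]) if m[3] == "priority" else prio.get(key, 100)
        elif m := re.match(r"\[\w+-mst-region\]instance (\d+) vlan (\d+) to (\d+)", line):
            inst_of.update({v: int(m[1]) for v in range(int(m[2]), int(m[3]) + 1)})
        elif m := re.match(r"\[(\w+)\]stp instance (\d+) root primary", line):
            root[int(m[2])] = m[1]
    report = {}
    for vlan in sorted({v for v, _ in prio}):
        master = max((d for v, d in prio if v == vlan), key=lambda d: prio[(vlan, d)])
        report[vlan] = (master, root.get(inst_of.get(vlan)))
    return report

def misaligned(report):
    return [vlan for vlan, (master, stp_root) in report.items() if master != stp_root]

if __name__ == "__main__":
    print(audit(SESSION), misaligned(audit(SESSION)))
```

An empty list from misaligned means every VLAN's gateway and spanning-tree root sit on the same switch, as the requirements ask.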
6. Configure DHCP
DHCP server:
[R3]ip pool v10
[R3-ip-pool-v10]network 192.168.10.0 mask 255.255.255.0
[R3-ip-pool-v10]gateway-list 192.168.10.254
[R3-ip-pool-v10]dns-list 192.168.88.1
[R3-ip-pool-v10]ip pool v20
[R3-ip-pool-v20]network 192.168.11.0 mask 255.255.255.0
[R3-ip-pool-v20]gateway-list 192.168.11.254
[R3-ip-pool-v20]dns-list 192.168.88.1
[R3-ip-pool-v20]ip pool v12
[R3-ip-pool-v12]network 192.168.12.0 mask 255.255.255.0
[R3-ip-pool-v12]gateway-list 192.168.12.254
[R3-ip-pool-v12]dns-list 192.168.88.1
[R3-ip-pool-v12]ip pool v13
[R3-ip-pool-v13]network 192.168.13.0 mask 255.255.255.0
[R3-ip-pool-v13]gateway-list 192.168.13.254
[R3-ip-pool-v13]dns-list 192.168.88.1
[R3-ip-pool-v13]ip pool v14
[R3-ip-pool-v14]network 192.168.14.0 mask 255.255.255.0
[R3-ip-pool-v14]gateway-list 192.168.14.254
[R3-ip-pool-v14]dns-list 192.168.88.1
[R3-ip-pool-v14]ip pool v15
[R3-ip-pool-v15]network 192.168.15.0 mask 255.255.255.0
[R3-ip-pool-v15]gateway-list 192.168.15.254
[R3-ip-pool-v15]dns-list 192.168.88.1
[R3-ip-pool-v15]q
[R3]dhcp enable
[R3]int gi 0/0/0
[R3-GigabitEthernet0/0/0]dhcp select global
SW1:
[SW1]dhcp enable
[SW1]int vlan 10
[SW1-Vlanif10]dhcp select relay
[SW1-Vlanif10]dhcp relay server-ip 192.168.66.1
[SW1-Vlanif10]int vlan 11
[SW1-Vlanif11]dhcp select relay
[SW1-Vlanif11]dhcp relay server-ip 192.168.66.1
[SW1-Vlanif11]int vlan 12
[SW1-Vlanif12]dhcp select relay
[SW1-Vlanif12]dhcp relay server-ip 192.168.66.1
[SW1-Vlanif12]int vlan 13
[SW1-Vlanif13]dhcp select relay
[SW1-Vlanif13]dhcp relay server-ip 192.168.66.1
[SW1-Vlanif13]int vlan 14
[SW1-Vlanif14]dhcp select relay
[SW1-Vlanif14]dhcp relay server-ip 192.168.66.1
[SW1-Vlanif14]int vlan 15
[SW1-Vlanif15]dhcp select relay
[SW1-Vlanif15]dhcp relay server-ip 192.168.66.1
SW2:
Same configuration as SW1
7. Configure NAT
[AR1]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]q
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]q
[AR1]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000
[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.5.2 80 inside 192.168.99.1 80 # map the web server's port 80 to the outside
8. Configure default routes
[SW1]ip route-static 0.0.0.0 0 10.1.1.2
[SW2]ip route-static 0.0.0.0 0 11.1.1.2
[AR2]ip route-static 0.0.0.0 0 10.1.10.1
[AR1]ip route-static 0.0.0.0 0 12.1.5.6
9. Configure the packet-filtering firewall
[AR1]firewall zone kon
[AR1-zone-kon]priority 14
[AR1-zone-kon]q
[AR1]firewall zone kan
[AR1-zone-kan]priority 1
[AR1-zone-kan]q
[AR1]firewall interzone kon kan
[AR1-interzone-kon-kan]firewall enable
[AR1-interzone-kon-kan]q
[AR1]firewall interzone kon kan
[AR1-interzone-kon-kan]packet-filter 3002 inbound
[AR1-interzone-kon-kan]int gi 0/0/0
[AR1-GigabitEthernet0/0/0]zone kon
[AR1-GigabitEthernet0/0/0]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]zone kan
[AR1-GigabitEthernet0/0/1]q
[AR1]acl 3002
[AR1-acl-adv-3002]rule permit tcp destination 12.1.5.2 0 destination-port eq 80
[AR1]firewall interzone kon kan
[AR1-interzone-kon-kan]packet-filter 3002 inbound