Lab requirements:
1. Set reasonable STP priorities, edge ports and Eth-Trunks.
2. Divide the enterprise intranet into multiple VLANs to shrink the broadcast domains and improve network stability.
3. Every device must be reachable for Telnet remote management from any location.
4. Configure NAT on the egress router.
5. All users obtain their IP addresses automatically.
6. Map port 80 of the internal server out at the enterprise egress so that external users can access it.
7. The enterprise finance server may only be accessed by employees of the finance department (VLAN 30).
I. Set reasonable STP priorities, edge ports and Eth-Trunks
1. STP
(1) Huawei switches run STP automatically by default after boot
Check the interface status
(2) Change the STP priority:
[HX]stp root primary //the switch automatically lowers its priority value so that it becomes the root bridge (note: in an enterprise the core switch is normally given the lowest priority value)
[HX]interface Eth-Trunk 1
[HX-Eth-Trunk1]stp cost 1000 //force the STP cost of this port; setting it optimizes the network and keeps STP stable. If a single link fails, STP reconverges; to avoid that reconvergence, bundle the links and give the bundle a fixed cost
[HX]interface Eth-Trunk 2
[HX-Eth-Trunk2]stp cost 1000
[HX]interface Eth-Trunk 3
[HX-Eth-Trunk3]stp cost 1000
[HX]interface Eth-Trunk 4
[HX-Eth-Trunk4]stp cost 1000
[s1]interface Eth-Trunk 1
[s1-Eth-Trunk1]stp cost 1000
[s2]interface Eth-Trunk 2
[s2-Eth-Trunk2]stp cost 1000
[s3]interface Eth-Trunk 3
[s3-Eth-Trunk3]stp cost 1000
[s4]interface Eth-Trunk 4
[s4-Eth-Trunk4]stp cost 1000
2. Configure edge ports
Use the following commands to set the edge ports on s1, s2 and s3
[s1]interface Ethernet0/0/2
[s1-Ethernet0/0/2]port link-type access
[s1-Ethernet0/0/2]stp edged-port enable
[s1]interface Ethernet0/0/1
[s1-Ethernet0/0/1]port link-type access
[s1-Ethernet0/0/1]stp edged-port enable
II. Divide the enterprise intranet into multiple VLANs to shrink the broadcast domains and improve network stability
(1) Configure the access switches (s1 to s4)
Add the interfaces to their VLANs and complete link aggregation
S1 configuration
[s1]interface Eth-Trunk 1
[s1-Eth-Trunk1]port link-type trunk
[s1-Eth-Trunk1]port trunk allow-pass vlan all
[s1]interface Ethernet0/0/1
[s1-Ethernet0/0/1]port link-type access
[s1-Ethernet0/0/1]port default vlan 10
[s1]interface Ethernet0/0/2
[s1-Ethernet0/0/2]port link-type access
[s1-Ethernet0/0/2]port default vlan 20
[s1]interface GigabitEthernet0/0/1
[s1-GigabitEthernet0/0/1]eth-trunk 1
[s1]interface GigabitEthernet0/0/2
[s1-GigabitEthernet0/0/2]eth-trunk 1
s2, s3 and s4 are configured in essentially the same way
s2 configuration
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
stp edged-port enable
#
interface Ethernet0/0/2
port link-type access
port default vlan 30
stp edged-port enable
#
interface GigabitEthernet0/0/1
eth-trunk 2
#
interface GigabitEthernet0/0/2
eth-trunk 2
s3 configuration
#
interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 40
stp edged-port enable
#
interface Ethernet0/0/2
port link-type access
stp edged-port enable
#
interface GigabitEthernet0/0/1
eth-trunk 3
#
interface GigabitEthernet0/0/2
eth-trunk 3
#
s4 configuration
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 200
#
interface Ethernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/1
eth-trunk 4
#
interface GigabitEthernet0/0/2
eth-trunk 4
(2) Configure the core switch
1. Add the inter-switch interfaces to the corresponding VLANs and complete link aggregation
2. Configure the VLANIF interfaces and the DHCP server
3. Configure the link to router R1
(3) Configure R1
1. R1 configuration (link to the core-layer switch)
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.254.1 24
2. Configure the routes to the intranet segments
[R1]ip route-static 192.168.10.0 255.255.255.0 192.168.254.2
[R1]ip route-static 192.168.20.0 255.255.255.0 192.168.254.2
[R1]ip route-static 192.168.30.0 255.255.255.0 192.168.254.2
[R1]ip route-static 192.168.40.0 255.255.255.0 192.168.254.2
[R1]ip route-static 192.168.200.0 255.255.255.0 192.168.254.2
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.1.1.1 29
3. Test connectivity with ping
(1) On pc1, ping 192.168.254.1
(2) On R1, ping 192.168.200.10
(4) Configure R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.1.1.6 29
[R2]ip route-static 192.168.10.0 255.255.255.0 12.1.1.1
[R2]ip route-static 192.168.20.0 255.255.255.0 12.1.1.1
[R2]ip route-static 192.168.30.0 255.255.255.0 12.1.1.1
[R2]ip route-static 192.168.40.0 255.255.255.0 12.1.1.1
[R2]ip route-static 192.168.200.0 255.255.255.0 12.1.1.1
[R2]ip route-static 192.168.254.0 255.255.255.0 12.1.1.1
On pc1, ping 12.1.1.6 (succeeds)
III. All devices can be remotely managed via Telnet from any location
(1) Configure a Telnet username and password on the switches and routers (SSH can be configured instead)
[HX]interface Vlanif 999
[HX-Vlanif999]ip address 192.168.255.5 24 //management address of the core switch; the access switches' default route below points at 192.168.255.5, and 192.168.255.1 is already used by S1
[HX]aaa
[HX-aaa]local-user liuning password cipher 123456 privilege level 3
[HX-aaa]local-user liuning service-type telnet
[HX]user-interface vty 0 4
[HX-ui-vty0-4]authentication-mode aaa
[HX-ui-vty0-4]display this
Copy the lines shown below directly to switches S1, S2, S3 and S4 and to routers R1 and R2. The routers do not need the VLAN to be created.
aaa
local-user liuning password cipher 123456 privilege level 3
local-user liuning service-type telnet
user-interface vty 0 4
authentication-mode aaa
[S1-Vlanif999]ip address 192.168.255.1 24
[S2-Vlanif999]ip address 192.168.255.2 24
[S3-Vlanif999]ip address 192.168.255.3 24
[S4-Vlanif999]ip address 192.168.255.4 24
- Configure a default route so the whole network is reachable
[S1]ip route-static 0.0.0.0 0 192.168.255.5
[S2]ip route-static 0.0.0.0 0 192.168.255.5
[S3]ip route-static 0.0.0.0 0 192.168.255.5
[S4]ip route-static 0.0.0.0 0 192.168.255.5
IV. Configure NAT at the egress
DHCP relay, DHCP snooping
Configure ISP router R2
[R2]inter loopback 0
[R2-LoopBack0]ip add 9.9.9.9 24
Configure default routes so the whole network is reachable
(1) Configure the forward (outbound) routes
[HX]ip route-static 0.0.0.0 0 192.168.254.1
[R1]ip route-static 0.0.0.0 0 12.1.1.6
(2) Configure the return routes; the enterprise headquarters and branch are connected using the OSPF routing protocol.
Run OSPF on the three devices so that the eight network segments on those devices are mutually reachable, excluding the ISP.
Core switch HX, six segments: 192.168.10.X; 192.168.20.X; 192.168.30.X; 192.168.40.X; 192.168.200.X; 192.168.254.X
Management segment, one: 192.168.255.X
Headquarters egress router R1, two segments: 12.1.1.X; 192.168.254.X.
[HX]ospf 1
[HX-ospf-1]area 0
[HX-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255 //advertise the routes directly connected to the core switch HX
[HX-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.254.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.255.0 0.0.0.255
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.254.0 0.0.0.255
Configure NAT on the headquarters egress router (internal users reaching the Internet are translated to the IP address of the public interface g0/0/1)
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 //Easy IP: sources matched by ACL 2000 are translated to the address of g0/0/1, which is the behaviour described above
Check the routing table
V. Configure all users to obtain IP addresses automatically
VI. Map port 80 of the internal server out at the enterprise egress, allowing external users to access it
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 80 inside <internal-web-server-IP> 80 //publish only TCP port 80; the server's address is not given in this write-up, so replace the placeholder
[R1]acl 3000
[R1-acl-adv-3000]rule permit ip destination 192.168.0.0 0.0.255.255 //allow access to the 192.168.X.X segments
[R1-acl-adv-3000]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 //applied in the inbound direction of g0/0/0; the ACL number must match the one defined above
VII. The enterprise finance server may only be accessed by employees of the finance department (VLAN 30).
[HX]acl number 3000
[HX-acl-adv-3000]rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0 //allow the 192.168.30.0 segment (finance department) to reach the finance server
[HX-acl-adv-3000]rule 10 deny ip destination 192.168.200.20 0 //deny every other segment access to the finance server 192.168.200.20
[HX]interface Eth-Trunk 4
[HX-Eth-Trunk4]traffic-filter outbound acl 3000 //apply in the outbound direction toward s4, where the servers sit; packets that match no rule are still permitted, so the other servers remain reachable
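To check the finance-server policy of section VII before applying it, here is an added Python example (not part of the original write-up) that implements Huawei-style wildcard matching and the default-permit behaviour of traffic-filter, then evaluates ACL 3000 for one host per segment. The test hosts are constructed; the rules are the ones configured above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit means 'do not care', so the
    wildcard '0' written after 192.168.200.20 is an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Rule:
    number: int
    action: str                                # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None   # (base, wildcard); None = any
    dest: Optional[Tuple[str, str]] = None


def evaluate(rules, src: str, dst: str) -> str:
    """First match in ascending rule-number order wins. traffic-filter on
    VRP permits packets that match no rule, so rule 10 only blocks traffic
    addressed to the finance server itself; other servers stay reachable."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.source is None or wildcard_match(src, *r.source)) and \
           (r.dest is None or wildcard_match(dst, *r.dest)):
            return r.action
    return "permit"


# ACL 3000 as configured on HX and applied outbound on Eth-Trunk4 (toward s4)
ACL_3000 = [
    Rule(5, "permit", ("192.168.30.0", "0.0.0.255"), ("192.168.200.20", "0.0.0.0")),
    Rule(10, "deny", None, ("192.168.200.20", "0.0.0.0")),
]
FINANCE_SERVER = "192.168.200.20"


def finance_policy_report() -> dict:
    """Constructed test hosts: one per user VLAN plus the management segment."""
    hosts = {"vlan10": "192.168.10.15", "vlan20": "192.168.20.15",
             "vlan30": "192.168.30.15", "vlan40": "192.168.40.15",
             "mgmt": "192.168.255.3"}
    return {name: evaluate(ACL_3000, ip, FINANCE_SERVER) for name, ip in hosts.items()}
```

Only the VLAN 30 host is permitted; every other segment, including the management segment, is denied, while traffic to any other server in 192.168.200.0/24 falls through to the default permit.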