The backbone network topology of an enterprise is shown in the figure below:

The enterprise network requirements are as follows:

Lab requirements:
1. R1 is the enterprise's internal network device and R2 is the ISP's network;
2. The enterprise internal network runs MSTP to provide reliability and load balancing;
3. PC1 and PC2 obtain IP addresses automatically and can ping each other;
4. R1 acts as the enterprise DHCP server;
5. The enterprise internal network runs OSPF and NAT so that the internal and external networks can reach each other;
6. The network where Client1 resides may access all services on Server1, but only the FTP service on Server2;
7. The network where Client2 resides may access only the www service on Server1 and Server2;
8. The enterprise network devices can be managed remotely from R2.

Step 1: configure the basic network;

SW1 basic configuration:
  sysname SW1
  vlan batch 10 20 30 100
  interface GigabitEthernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan all
  interface GigabitEthernet0/0/2
    port link-type trunk
    port trunk allow-pass vlan all
  interface GigabitEthernet0/0/3
    port link-type access
    port default vlan 100
  interface Vlanif10
    ip address 192.168.10.254 255.255.255.0
  interface Vlanif20
    ip address 192.168.20.254 255.255.255.0
  interface Vlanif100
    ip address 192.168.100.2 255.255.255.0

SW2 basic configuration:
  sysname SW2
  vlan batch 10 20 30
  interface Ethernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan all
  interface Ethernet0/0/2
    port link-type trunk
    port trunk allow-pass vlan all
  interface Ethernet0/0/3
    port link-type access
    port default vlan 10
  interface Ethernet0/0/4
    port link-type access
    port default vlan 20

SW3 basic configuration:
  sysname SW3
  vlan batch 10 20 30
  interface Ethernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan all
  interface Ethernet0/0/2
    port link-type trunk
    port trunk allow-pass vlan all
  interface Ethernet0/0/3
    port link-type access
    port default vlan 20
  interface Ethernet0/0/4
    port link-type access
    port default vlan 10

R1 configuration:
  sysname R1
  interface g0/0/1
    ip address 100.1.1.2 24
  interface g0/0/0
    ip address 192.168.100.1 24
  interface g0/0/2
    ip address 192.168.30.254 24

R2 configuration:
  sysname R2
  interface g0/0/0
    ip address 100.1.1.1 24
  interface g0/0/1
    ip address 200.1.1.254 24

Step 2: configure STP;

STP configuration

SW1 configuration:
  stp region-configuration
    region-name ntd
    instance 10 vlan 10
    instance 20 vlan 20
    active region-configuration
    quit
  stp instance 10 priority 8192
  stp instance 20 priority 8192

SW2 configuration:
  stp region-configuration
    region-name ntd
    instance 10 vlan 10
    instance 20 vlan 20
    active region-configuration
    quit
  stp instance 10 priority 4096

SW3 configuration:
  stp region-configuration
    region-name ntd
    instance 10 vlan 10
    instance 20 vlan 20
    active region-configuration
    quit
  stp instance 20 priority 4096

Step 3: configure OSPF

SW1 configuration:
  ospf 1
    area 0.0.0.0
      network 192.168.100.0 0.0.0.255
    area 0.0.0.10
      network 192.168.10.0 0.0.0.255
    area 0.0.0.20
      network 192.168.20.0 0.0.0.255

R1 configuration:
  ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
  ospf 1
    default-route-advertise always
    area 0.0.0.0
      network 192.168.100.0 0.0.0.255
    area 0.0.0.30
      network 192.168.30.0 0.0.0.255
      stub no-summary

Step 4: configure DHCP and test;

DHCP configuration

R1 configuration:
  dhcp enable
  ip pool p1
    gateway-list 192.168.10.254
    network 192.168.10.0 mask 255.255.255.0
    lease day 7 hour 0 minute 0
    dns-list 8.8.8.8
  ip pool p2
    gateway-list 192.168.20.254
    network 192.168.20.0 mask 255.255.255.0
    lease day 7 hour 0 minute 0
    dns-list 8.8.8.8
  interface GigabitEthernet0/0/0
    dhcp select global
    quit

SW1 configuration:
  dhcp enable
  interface Vlanif10
    dhcp select relay
    dhcp relay server-ip 192.168.100.1
  interface Vlanif20
    dhcp select relay
    dhcp relay server-ip 192.168.100.1
    quit

The test results are shown in the figure below:

Step 5: configure NAT and ACLs, and test;

These settings are made on the enterprise edge router R1.

First, set up the internal-network ACL so that Client1 may only access the FTP service on Server2 and Client2 may only access the www service on Server2. The ACL configuration is as follows:

  acl number 3000
    rule 10 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp
    rule 15 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp-data
    rule 20 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0
    rule 30 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq www
    rule 40 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0
  interface GigabitEthernet0/0/2
    traffic-filter outbound acl 3000

As shown in the figure below, Client1 can access Server2's FTP service but not its WWW service:

As shown in the figure below, Client2 can access Server2's www service but not its FTP service:

Next, set up the external-network ACL so that Client1 may access all services on Server1 and Client2 may only access the www service on Server2. The ACL configuration is as follows:

External-network ACL configuration:
  acl number 3001
    rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0 destination-port eq www
    rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0
    rule 30 permit ip
    quit
  interface GigabitEthernet0/0/1
    nat outbound 3001

Note that an ACL referenced by nat outbound selects which packets are translated rather than filtering them: packets that hit a deny rule leave G0/0/1 untranslated with their private source address, so their replies cannot return, which is what makes the restriction effective here.

As shown in the figure below, Client2 can access Server1's www service but not its FTP service, and the other devices on the internal network are unaffected:
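As an added check that is not part of the original lab write-up or of Huawei's tooling, the following Python script parses the rule lines of ACL 3000 and ACL 3001 above and evaluates sample flows against them, so the intended policy can be verified before it is applied on R1. It assumes Huawei's first-match semantics in rule-number order, wildcard masks in which a 1 bit means "don't care" (with the shorthand 0 meaning an exact host), and the permit-by-default behaviour of traffic-filter for packets that match no rule.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80}  # constructed lookup for the names used in this lab

# Rule lines copied from ACL 3000 and ACL 3001 in this write-up
ACL_3000 = """
rule 10 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp
rule 15 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp-data
rule 20 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0
rule 30 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq www
rule 40 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0
""".strip().splitlines()
ACL_3001 = """
rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0 destination-port eq www
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0
rule 30 permit ip
""".strip().splitlines()

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_rule(line):
    """Parse 'rule N permit|deny proto [source A W] [destination A W] [destination-port eq P]'."""
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3], "src": None, "dst": None, "dport": None}
    i = 4
    while i < len(t):
        if t[i] in ("source", "destination"):
            wild = "0.0.0.0" if t[i + 2] == "0" else t[i + 2]  # CLI shorthand '0' = exact host
            rule["src" if t[i] == "source" else "dst"] = (t[i + 1], wild)
        elif t[i] == "destination-port":  # only the 'eq' operator appears in this lab
            p = t[i + 2]
            rule["dport"] = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        i += 3
    return rule

def evaluate(acl_lines, src, dst, proto, dport=None, default="permit"):
    """First matching rule wins; returns (action, rule id). Unmatched packets get the default."""
    for r in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if (r["proto"] not in ("ip", proto)
                or r["src"] and not wildcard_match(src, *r["src"])
                or r["dst"] and not wildcard_match(dst, *r["dst"])
                or r["dport"] is not None and r["dport"] != dport):
            continue
        return r["action"], r["id"]
    return default, None
```

Running evaluate(ACL_3000, "192.168.10.5", "192.168.30.1", "tcp", 80) returns ('deny', 20), confirming that Client1 is cut off from Server2's www service by the catch-all deny rather than by an oversight.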

With this, the configuration and verification of the enterprise internal network are complete!!!