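The lab topology is shown below:
Lab requirements:
1. Use Eth-Trunk, VRRP, and MSTP to secure the switching layer
2. All PCs obtain their IP addresses automatically and can reach the carrier (ISP)
Lab steps:
I. Switching
Create the Eth-Trunk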
LW1
[LW1]interface Eth-Trunk 1
[LW1-Eth-Trunk1]int g0/0/6
[LW1-GigabitEthernet0/0/6]eth-trunk 1
[LW1-GigabitEthernet0/0/6]int g0/0/5
[LW1-GigabitEthernet0/0/5]eth-trunk 1
LW2
[LW2]int Eth-Trunk 1
[LW2-Eth-Trunk1]int g0/0/6
[LW2-GigabitEthernet0/0/6]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2-GigabitEthernet0/0/6]int g0/0/5
[LW2-GigabitEthernet0/0/5]eth-trunk 1
Create the VLAN
[LW1]vlan 2
[LW1-vlan2]q
[LW2]vlan 2
[LW2-vlan2]q
[LW3]vlan 2
[LW3-vlan2]q
[LW4]vlan 2
[LW4-vlan2]q
[LW5]vlan 2
[LW5-vlan2]q
Configure every switch-to-switch link as a trunk that allows all VLANs, and configure the PC-facing interfaces in access mode
LW1
[LW1]int g0/0/2
[LW1-GigabitEthernet0/0/2]port link-type trunk
[LW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[LW1-GigabitEthernet0/0/2]q
[LW1]int g0/0/3
[LW1-GigabitEthernet0/0/3]port link-type trunk
[LW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LW1-GigabitEthernet0/0/3]q
[LW1]int g0/0/4
[LW1-GigabitEthernet0/0/4]port link-type trunk
[LW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
LW2
[LW2]int g0/0/2
[LW2-GigabitEthernet0/0/2]port link-type trunk
[LW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[LW2-GigabitEthernet0/0/2]q
[LW2]int g0/0/3
[LW2-GigabitEthernet0/0/3]port link-type trunk
[LW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LW2-GigabitEthernet0/0/3]q
[LW2]int g0/0/4
[LW2-GigabitEthernet0/0/4]port link-type trunk
[LW2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
LW3 through LW5 each have two PCs attached
[LW3]int Eth0/0/3
[LW3-Ethernet0/0/3]port link-type access
[LW3-Ethernet0/0/3]port default vlan 1
[LW3]int e0/0/4
[LW3-Ethernet0/0/4]port link-type access
[LW3-Ethernet0/0/4]port default vlan 1
[LW4]int Eth0/0/3
[LW4-Ethernet0/0/3]port link-type access
[LW4-Ethernet0/0/3]port default vlan 1
[LW4]int e0/0/4
[LW4-Ethernet0/0/4]port link-type access
[LW4-Ethernet0/0/4]port default vlan 1
[LW5]int Eth0/0/3
[LW5-Ethernet0/0/3]port link-type access
[LW5-Ethernet0/0/3]port default vlan 1
[LW5]int e0/0/4
[LW5-Ethernet0/0/4]port link-type access
[LW5-Ethernet0/0/4]port default vlan 1
Build the spanning tree with MSTP
[LW1]stp enable
[LW1]stp mode mstp
[LW1]stp region-configuration
[LW1-mst-region]region-name aa
[LW1-mst-region]instance 1 vlan 1
[LW1-mst-region]instance 2 vlan 2
[LW1-mst-region]active region-configuration
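Check the STP state: only one interface has the root role
LW1 and LW2 act as primary and backup for each other
[LW1]stp instance 1 root primary      (primary root for instance 1)
[LW1]stp instance 2 root secondary    (backup root for instance 2)
[LW2]stp instance 1 root secondary    (backup root for instance 1)
[LW2]stp instance 2 root primary      (primary root for instance 2)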
Configure the SVI (VLANIF) interfaces
[LW1]interface Vlanif 1
[LW1-Vlanif1]ip address 172.16.1.254 24
[LW1]int Vlanif 2
[LW1-Vlanif2]ip address 172.16.2.254 24
[LW2]int Vlanif 1
[LW2-Vlanif1]ip address 172.16.1.253 24
[LW2-Vlanif1]q
[LW2]int Vlanif 2
[LW2-Vlanif2]ip address 172.16.2.253 24
VRRP gateway redundancy
[LW1]interface Vlanif 1
[LW1-Vlanif1]vrrp vrid 1 virtual-ip 172.16.1.100
[LW1-Vlanif1]vrrp vrid 1 priority 101
[LW1-Vlanif1]vrrp vrid 1 track int g0/0/1 reduced 10
[LW1-Vlanif1]q
[LW1]int Vlanif 2
[LW1-Vlanif2]vrrp vrid 1 virtual-ip 172.16.2.100
[LW2]int Vlanif 2
[LW2-Vlanif2]vrrp vrid 1 virtual-ip 172.16.2.100
[LW2-Vlanif2]vrrp vrid 1 priority 101
[LW2-Vlanif2]vrrp vrid 1 track int g0/0/1
[LW2-Vlanif2]q
[LW2]int Vlanif 1
[LW2-Vlanif1]vrrp vrid 1 virtual-ip 172.16.1.100
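
Added example (not part of the original lab notes): a small Python model of the VRRP election configured above, showing which switch is master for each VLANIF when an uplink g0/0/1 fails. It assumes the VRP defaults (priority 100, tracking reduction 10, preemption enabled); the names `Member`, `GROUPS` and `masters` are illustrative.

```python
"""Added example: VRRP master election for the two VLANIFs configured above."""
from dataclasses import dataclass
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100   # assumed VRP default when no "vrrp vrid N priority" is set
DEFAULT_REDUCE = 10      # assumed VRP default when "track" has no "reduced" value


@dataclass
class Member:
    switch: str
    ip: str                          # VLANIF address taken from the page
    priority: int = DEFAULT_PRIORITY
    tracks_uplink: bool = False      # "vrrp vrid 1 track int g0/0/1" present
    reduce: int = DEFAULT_REDUCE

    def effective(self, uplinks_down):
        # Tracking lowers the priority only while the tracked uplink is down.
        if self.tracks_uplink and self.switch in uplinks_down:
            return self.priority - self.reduce
        return self.priority


GROUPS = {
    "Vlanif1": [Member("LW1", "172.16.1.254", 101, True, 10),
                Member("LW2", "172.16.1.253")],
    "Vlanif2": [Member("LW1", "172.16.2.254"),
                Member("LW2", "172.16.2.253", 101, True)],
}


def masters(uplinks_down=frozenset()):
    """Return {vlanif: master}; highest priority wins, then highest IP."""
    result = {}
    for vlanif, members in GROUPS.items():
        best = max(members, key=lambda m: (m.effective(uplinks_down),
                                           IPv4Address(m.ip)))
        result[vlanif] = best.switch
    return result


if __name__ == "__main__":
    for down in (set(), {"LW1"}, {"LW2"}, {"LW1", "LW2"}):
        print(sorted(down) or "all uplinks up", masters(down))
```

With all uplinks up, the masters line up with the MSTP roots (LW1 for VLAN 1, LW2 for VLAN 2); with both uplinks down the two masters swap, because each switch tracks its uplink only in the group where it is the preferred master.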
Create the DHCP pools
[LW1]dhcp enable
[LW1]ip pool 1
[LW1-ip-pool-1]network 172.16.1.0 mask 24
[LW1-ip-pool-1]gateway-list 172.16.1.100
[LW1-ip-pool-1]dns-list 8.8.8.8
[LW1-ip-pool-1]q
[LW1]ip pool 2
[LW1-ip-pool-2]network 172.16.2.0 mask 24
[LW1-ip-pool-2]gateway-list 172.16.2.100
[LW1-ip-pool-2]dns-list 8.8.8.8
[LW1]int Vlanif 2
[LW1-Vlanif2]dhcp select global
[LW1-Vlanif2]q
[LW1]int Vlanif 1
[LW1-Vlanif1]dhcp select global
[LW2]dhcp enable
[LW2]ip pool 1
[LW2-ip-pool-1]network 172.16.1.0 mask 24
[LW2-ip-pool-1]gateway-list 172.16.1.100
[LW2-ip-pool-1]dns-list 8.8.8.8
[LW2-ip-pool-1]q
[LW2]ip pool 2
[LW2-ip-pool-2]network 172.16.2.0 mask 24
[LW2-ip-pool-2]gateway-list 172.16.2.100
[LW2-ip-pool-2]dns-list 8.8.8.8
[LW2-ip-pool-2]q
[LW2]int Vlanif 1
[LW2-Vlanif1]dhcp select global
[LW2-Vlanif1]q
[LW2]int Vlanif 2
[LW2-Vlanif2]dhcp select global
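PC1 through PC6 all obtain their IP addresses automatically via DHCP
II. Routing
Because the Layer 3 switches in the Huawei simulator cannot be given an address on a physical interface, use an SVI (VLANIF) address instead and create a VLAN dedicated to that subnet.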
[LW1]vlan 3
[LW1-vlan3]q
[LW1]int Vlanif 3
[LW1-Vlanif3]ip address 172.16.0.1 30
[LW1-Vlanif3]int g0/0/1
[LW1-GigabitEthernet0/0/1]port link-type access
[LW1-GigabitEthernet0/0/1]port default vlan 3
[LW2]vlan 4
[LW2-vlan4]q
[LW2]int Vlanif 4
[LW2-Vlanif4]ip address 172.16.0.5 30
[LW2-Vlanif4]q
[LW2]int g0/0/1
[LW2-GigabitEthernet0/0/1]port link-type access
[LW2-GigabitEthernet0/0/1]port default vlan 4
Configure OSPF
[LW1]ospf 100
[LW1-ospf-100]area 0
[LW1-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[LW2]ospf 100
[LW2-ospf-100]area 0
[LW2-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[R1]ospf 100 router-id 1.1.1.1
[R1-ospf-100]area 0
[R1-ospf-100-area-0.0.0.0]network 172.16.0.0 0.0.255.255
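Check the OSPF neighbor relationships on LSW1
The adjacencies are established
Configure a default route on R1 pointing to R2
[R1]ip route-static 0.0.0.0 0 12.1.1.2    (default route pointing to R2)
Force OSPF to advertise the default route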
[R1]ospf 100
[R1-ospf-100]default-route-advertise always
Match the traffic with an ACL
[R1]acl 2000
[R1-acl-basic-2000]rule permit source any
Configure NAT toward the ISP for Internet access
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000
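
Added example (not part of the original lab notes): the wildcard-mask matching behind the OSPF `network` statements and ACL 2000 above, showing that `network 0.0.0.0 255.255.255.255` also enables OSPF on LW1's PC-facing VLANIFs and that `rule permit source any` translates every source address. The narrower statements (`172.16.0.0 0.0.0.3`, `172.16.0.0 0.0.255.255`), the outside address 10.9.9.9 and the function names are assumptions made for illustration.

```python
"""Added example: what the OSPF network statements and ACL 2000 match."""
from ipaddress import IPv4Address, IPv4Interface


def wildcard_match(ip, base, wildcard):
    """Wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(base)) & care)


# LW1's VLANIF addresses, copied from the configuration on this page.
LW1_INTERFACES = {
    "Vlanif1": IPv4Interface("172.16.1.254/24"),   # PC-facing
    "Vlanif2": IPv4Interface("172.16.2.254/24"),   # PC-facing
    "Vlanif3": IPv4Interface("172.16.0.1/30"),     # uplink to R1
}


def ospf_enabled(base, wildcard, interfaces=LW1_INTERFACES):
    """Interfaces whose address falls inside an OSPF network statement."""
    return sorted(name for name, itf in interfaces.items()
                  if wildcard_match(str(itf.ip), base, wildcard))


def acl_permits(source, base="0.0.0.0", wildcard="255.255.255.255"):
    """Basic ACL rule match; the defaults model 'rule permit source any'."""
    return wildcard_match(source, base, wildcard)


if __name__ == "__main__":
    print("as configured :", ospf_enabled("0.0.0.0", "255.255.255.255"))
    print("uplink only   :", ospf_enabled("172.16.0.0", "0.0.0.3"))
    # 10.9.9.9 is a constructed address outside the lab's 172.16.0.0/16.
    for src in ("172.16.1.10", "10.9.9.9"):
        print(src, "any:", acl_permits(src),
              "172.16.0.0/16 only:",
              acl_permits(src, "172.16.0.0", "0.0.255.255"))
```

Narrowing the OSPF statement to the uplink also stops the PC subnets from being advertised; VRP's `silent-interface` keeps them advertised while suppressing hellos on those VLANIFs.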
PC1 pings R2 (ISP)
PC2 pings R2 (ISP)
The PCs can reach the Internet; the lab is complete