Lab requirements:
Configure Eth-Trunk in the information center so the uplink is redundant
Split the enterprise intranet into several VLANs to shrink the broadcast domains and make the network more stable
The core switch is the users' gateway and routes between VLANs
All users obtain their IP address automatically (DHCP)
Configure NAT at the exit for address translation
At the enterprise exit, map TCP port 80 of the internal web server to the outside so that external users can reach it
Every device can be managed over telnet from any other device
All campuses can reach each other, and the exit is redundant
The finance server may only be reached by employees in vlan40
Employees in vlan20 may not reach the external network, and key devices must be monitored in real time
Devices needed in eNSP and their quantities
S5700 switch x 6
S3700 switch x 6
PC x 8
Server x 2
AR2240 x 4
Client x 2
AR3260 x 1
VLAN, trunk and Eth-Trunk configuration
Aggregation sw2:
sys
sysname sw2
un in en
vlan batch 200 900
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 200 900
mode lacp-static
trunkport GigabitEthernet 0/0/1 to 0/0/2
int gi0/0/3
port link-type trunk
port trunk allow-pass vlan 200 900
qu
qu
sa
y
Set mode lacp-static before adding member ports: VRP refuses to change the mode of an Eth-Trunk that already has members. Both ends of the Eth-Trunk must allow the same VLAN list, otherwise a VLAN is silently dropped on one side of the link.
sw2.zip
Access sw7:
sys
sysname sw7
un in en
vlan batch 200 900
int gi0/0/1
port link-type trunk
port trunk allow-pass vlan 200 900
qu
int e0/0/1
port link-type access
port default vlan 200
int e0/0/2
port link-type access
port default vlan 200
qu
qu
sa
y
sw7.zip
Now saving the current configuration to the slot 0.
Save the configuration successfully.
Save as soon as each device is finished, so you do not forget and become the unlucky one who loses all the work; when the two English lines above appear, the save succeeded.
Core sw1:
sys
sysname sw1
un in en
vlan batch 10 20 30 40 200 800 900
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 200 900
mode lacp-static
trunkport GigabitEthernet 0/0/2
trunkport GigabitEthernet 0/0/7
int gi0/0/1
port link-type access
port default vlan 800
int gi0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 900
int gi0/0/4
port link-type trunk
port trunk allow-pass vlan 30 900
int gi0/0/5
port link-type trunk
port trunk allow-pass vlan 40 900
qu
qu
sa
y
The Eth-Trunk members on sw1 are gi0/0/2 and gi0/0/7, which are not adjacent, so they are added one per line rather than with "to". The third downlink (vlan40 towards aggregation sw5) is taken here as gi0/0/5.
sw1.zip
Aggregation sw3:
sys
sysname sw3
un in en
vlan batch 10 20 900
int gi0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 900
int gi0/0/2
port link-type trunk
port trunk allow-pass vlan 10 900
int gi0/0/3
port link-type trunk
port trunk allow-pass vlan 20 900
qu
qu
sa
y
sw3.zip
Access sw8:
sys
sysname sw8
un in en
vlan batch 10 20 900
int gi0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 900
int e0/0/1
port link-type access
port default vlan 10
int e0/0/2
port link-type access
port default vlan 20
qu
qu
sa
y
sw8.zip
Access sw9:
sys
sysname sw9
un in en
vlan batch 30 900
int gi0/0/1
port link-type trunk
port trunk allow-pass vlan 30 900
int e0/0/1
port link-type access
port default vlan 30
qu
qu
sa
y
sw9.zip
I will not write out aggregation sw4, access sw10, aggregation sw5 and access sw11 in detail; follow the same pattern as above. The one thing to watch is whether the port you are configuring faces a switch (trunk) or a PC (access).
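The VLAN-list mismatch between the two ends of a trunk is the classic mistake in this kind of build, and it does not show up as an error on either switch. The following script is an added example for this write-up, not part of the lab's own configuration: it parses VRP-style "port trunk allow-pass vlan" lines from a few switch snippets (constructed from the sw1, sw2 and sw3 sections above) and reports links whose two ends allow different VLAN sets. The sw4 snippet and the sw1 gi0/0/4 to sw4 gi0/0/1 link are assumed, and sw4 deliberately allows VLAN 40 so the check has something to find.

```python
"""Trunk allowed-VLAN consistency check for VRP-style switch configs.

Added example for this lab write-up, not part of the original configs. The
snippets below are constructed from the sw1/sw2/sw3 sections; the sw4 snippet
(with VLAN 40 added on its uplink) is invented to show a mismatch.
"""
import re

# Constructed sample configs (abbreviated commands as typed in eNSP).
CONFIGS = {
    "sw1": """
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 200 900
int gi0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 900
int gi0/0/4
port link-type trunk
port trunk allow-pass vlan 30 900
qu
""",
    "sw2": """
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 200 900
qu
""",
    "sw3": """
int gi0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 900
qu
""",
    # Hypothetical sw4: its uplink allows VLAN 40, which sw1 gi0/0/4 does not.
    "sw4": """
int gi0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40 900
qu
""",
}

# Physical links as (device, port, device, port); the sw1-sw4 link is assumed.
LINKS = [
    ("sw1", "eth-trunk 1", "sw2", "eth-trunk 1"),
    ("sw1", "gi0/0/3", "sw3", "gi0/0/1"),
    ("sw1", "gi0/0/4", "sw4", "gi0/0/1"),
]


def norm(ifname: str) -> str:
    """'Eth-Trunk 1' and 'eth-trunk1' name the same port."""
    return ifname.replace(" ", "").lower()


def parse_trunks(config: str) -> dict:
    """Map each trunk port to the set of VLANs it allows.

    Understands 'port trunk allow-pass vlan 10 20 900' and '... vlan 10 to 20'.
    VLAN 1 is allowed on a VRP trunk by default, so it is included.
    """
    trunks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^(?:interface|int)\s+(.+)$", line, re.I)
        if m:
            current = norm(m.group(1))
            continue
        if line.lower() in ("quit", "qu"):
            current = None
            continue
        m = re.match(r"^port trunk allow-pass vlan\s+(.+)$", line, re.I)
        if m and current is not None:
            tokens = m.group(1).split()
            vlans = trunks.setdefault(current, {1})
            i = 0
            while i < len(tokens):
                if i + 2 < len(tokens) and tokens[i + 1].lower() == "to":
                    vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                    i += 3
                else:
                    vlans.add(int(tokens[i]))
                    i += 1
    return trunks


def check_links(devices: dict, links: list) -> list:
    """Return (link, vlans_only_on_a, vlans_only_on_b) for every mismatched link."""
    problems = []
    for a, pa, b, pb in links:
        va = devices[a].get(norm(pa), set())
        vb = devices[b].get(norm(pb), set())
        if va != vb:
            problems.append(((a, pa, b, pb), sorted(va - vb), sorted(vb - va)))
    return problems


def run(configs: dict = CONFIGS, links: list = LINKS) -> list:
    devices = {name: parse_trunks(cfg) for name, cfg in configs.items()}
    return check_links(devices, links)


if __name__ == "__main__":
    for link, only_a, only_b in run():
        print(f"{link[0]} {link[1]} <-> {link[2]} {link[3]}: "
              f"only on {link[0]}: {only_a}, only on {link[2]}: {only_b}")
```

Running it reports the sw1 gi0/0/4 to sw4 gi0/0/1 link with VLAN 40 present only on the sw4 side; the two real links from the lab come back clean. Paste the output of "display current-configuration interface" from each switch into CONFIGS to check a live topology the same way.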
Gateway (SVI) configuration
Core sw1:
sys
int vlanif10
ip address 192.168.10.1 255.255.255.0
int vlanif20
ip address 192.168.20.1 255.255.255.0
int vlanif30
ip address 192.168.30.1 255.255.255.0
int vlanif40
ip address 192.168.40.1 255.255.255.0
int vlanif200
ip address 192.168.200.1 255.255.255.0
int vlanif800
ip address 192.168.254.2 255.255.255.0
Useful checks:
dis ip routing-table shows the routing table
dis ip int brief shows each interface's address and up/down state
DHCP configuration
sw1:
sys
dhcp enable
ip pool syl1_vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
qu
ip pool syl2_vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
qu
ip pool jxl-vlan30
gateway-list 192.168.30.1
network 192.168.30.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
qu
ip pool xzl-vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
qu
interface Vlanif10
dhcp select global
interface Vlanif20
dhcp select global
interface Vlanif30
dhcp select global
interface Vlanif40
dhcp select global
qu
qu
sa
dhcp enable has to be switched on globally before any dhcp select command is accepted. Each pool's gateway-list must be the VLANIF address of that VLAN (192.168.10.1 for vlan10; 192.168.100.1 belongs to the campus-1 LAN on AR4 and would leave vlan10 clients with an unreachable default router).
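With global pools, VRP picks the pool whose network matches the address of the VLANIF that received the request, so a wrong gateway-list does not stop leases from being handed out; the clients simply receive a default router they cannot reach. The script below is an added example for this write-up, not configuration from the lab: it parses "ip pool" blocks (constructed from the DHCP section, with the vlan10 pool deliberately carrying the gateway 192.168.100.1 as a mistake to find) and checks each pool against the VLANIF addresses from the SVI section.

```python
"""Sanity-check VRP 'ip pool' definitions against the DHCP server's VLANIF addresses.

Added example for this lab write-up; not part of the original configuration. The
pools are taken from the DHCP section, with the vlan10 pool deliberately carrying
the mistaken gateway 192.168.100.1 so the check has something to report.
"""
import ipaddress
import re

POOLS_CONFIG = """
ip pool syl1_vlan10
 gateway-list 192.168.100.1
 network 192.168.10.0 mask 255.255.255.0
 dns-list 114.114.114.114 8.8.8.8
ip pool syl2_vlan20
 gateway-list 192.168.20.1
 network 192.168.20.0 mask 255.255.255.0
 dns-list 114.114.114.114 8.8.8.8
ip pool jxl-vlan30
 gateway-list 192.168.30.1
 network 192.168.30.0 mask 255.255.255.0
 dns-list 114.114.114.114 8.8.8.8
ip pool xzl-vlan40
 gateway-list 192.168.40.1
 network 192.168.40.0 mask 255.255.255.0
 dns-list 114.114.114.114 8.8.8.8
"""

# VLANIF addresses from the SVI section (the DHCP server's own interfaces).
VLANIFS = {
    "vlanif10": "192.168.10.1/24",
    "vlanif20": "192.168.20.1/24",
    "vlanif30": "192.168.30.1/24",
    "vlanif40": "192.168.40.1/24",
}


def parse_pools(text: str) -> dict:
    """Return {pool_name: {"gateway": IPv4Address, "network": IPv4Network, "dns": [...]}}."""
    pools, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^ip pool (\S+)$", line)
        if m:
            cur = m.group(1)
            pools[cur] = {"gateway": None, "network": None, "dns": []}
            continue
        if cur is None:
            continue
        if m := re.match(r"^gateway-list (\S+)", line):
            pools[cur]["gateway"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"^network (\S+) mask (\S+)$", line):
            pools[cur]["network"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"^dns-list (.+)$", line):
            pools[cur]["dns"] = [ipaddress.ip_address(d) for d in m.group(1).split()]
    return pools


def check_pools(pools: dict, vlanifs: dict) -> dict:
    """Return {pool_name: [problem strings]}; an empty list means the pool is consistent."""
    svi = {}
    for addr in vlanifs.values():
        iface = ipaddress.ip_interface(addr)
        svi[iface.ip] = iface.network
    report, seen = {}, []
    for name, p in pools.items():
        issues = []
        gw, net = p["gateway"], p["network"]
        if gw is None or net is None:
            issues.append("pool is missing gateway-list or network")
        else:
            if gw not in net:
                issues.append(f"gateway {gw} lies outside {net}")
            if gw not in svi:
                issues.append(f"gateway {gw} is not a VLANIF address on the DHCP server")
            elif svi[gw] != net:
                issues.append(f"VLANIF {gw} is in {svi[gw]} but the pool network is {net}")
            for other, onet in seen:
                if net.overlaps(onet):
                    issues.append(f"network overlaps pool {other} ({onet})")
            seen.append((name, net))
        if not p["dns"]:
            issues.append("no dns-list; clients will not resolve names")
        report[name] = issues
    return report


def run() -> dict:
    return check_pools(parse_pools(POOLS_CONFIG), VLANIFS)


if __name__ == "__main__":
    for name, issues in run().items():
        print(name, "OK" if not issues else "; ".join(issues))
```

The vlan10 pool is reported twice (gateway outside the pool's network, and gateway not an address the switch owns); the other three pools pass. The overlap check catches the other common slip, two pools covering the same prefix, which VRP also accepts without complaint.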
OSPF configuration
sw1:
int vlanif800
ip address 192.168.254.2 24
(already set in the SVI section; repeated here because it is the interface that peers with AR1)
AR2:
sys
sysname AR2
un in en
int gi0/0/0
ip address 12.1.1.6 29
int loopback 0
ip address 9.9.9.9 32
description baidu
qu
qu
sa
y
AR3:
sys
sysname AR3
un in en
int gi0/0/0
ip address 13.1.1.6 29
int loopback 0
ip address 9.9.9.9 32
description baidu
qu
qu
sa
y
AR4:
sys
sysname AR4
un in en
int gi0/0/0
ip address 192.168.104.2 30
int gi0/0/1
ip address 192.168.100.1 24
qu
qu
sa
y
AR5:
sys
sysname AR5
un in en
int gi0/0/0
ip address 192.168.105.2 30
int gi0/0/1
ip address 192.168.150.1 30
qu
qu
sa
y
AR1:
sys
sysname AR1
un in en
int gi0/0/1
ip address 12.1.1.1 29
int gi0/0/2
ip address 13.1.1.1 29
int gi0/0/0
ip address 192.168.254.1 24
int gi1/0/0
ip address 192.168.104.1 30
int gi2/0/0
ip address 192.168.105.1 30
qu
sa
y
Configure each interface on AR1 as above; afterwards dis ip int brief shows the result.
sw1:
sys
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.200.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.254.0 0.0.0.255
qu
qu
qu
sa
y
AR1:
sys
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 192.168.104.1 0.0.0.0
network 192.168.105.1 0.0.0.0
network 192.168.254.0 0.0.0.255
qu
...
New campus 1 AR4:
sys
un in en
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 192.168.104.2 0.0.0.0
network 192.168.100.1 0.0.0.0
qu
...
New campus 2 AR5:
sys
un in en
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 192.168.105.2 0.0.0.0
network 192.168.150.1 0.0.0.0
qu
...
Choosing the WAN exit route
sw1:
ip route-static 0.0.0.0 0 192.168.254.1
AR1:
ip route-static 0.0.0.0 0.0.0.0 12.1.1.6
ip route-static 0.0.0.0 0.0.0.0 13.1.1.6 preference 70
The first default route keeps the default preference of 60 and is used towards AR2; the second, with the worse preference 70, stays out of the routing table until the 12.1.1.0/29 link goes down, which provides the exit redundancy asked for. Note that sw1's default route only gets traffic from the core VLANs to AR1; if the campus routers AR4 and AR5 are also meant to use the exit, AR1 additionally has to advertise a default into OSPF (default-route-advertise under ospf 1), which is not shown here.
NAT at the exit, plus publishing the web server 192.168.200.10 to the outside
AR1:
acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255
qu
interface Gi0/0/1
ip address 12.1.1.1 255.255.255.248
nat server protocol tcp global current-interface www inside 192.168.200.10 www
nat outbound 2000
interface Gi0/0/2
ip address 13.1.1.1 255.255.255.248
nat server protocol tcp global current-interface www inside 192.168.200.10 www
nat outbound 2000
qu
Only TCP port 80 of the web server is published, on both ISP interfaces, so it remains reachable when the primary link fails. Nothing else in 192.168.200.0/24 (in particular the finance server 192.168.200.20) should appear in a nat server statement; the nat outbound rule only translates sessions that originate inside, it does not expose internal hosts.
Telnet remote-management configuration
During the earlier planning vlan900 was already created on every device as the management VLAN.
Now 192.168.255.x/24 is used as the management subnet.
Every device needs AAA configured, with an AAA account and password.
Plan a management IP address for every device at the same time, so that later troubleshooting and changes are easy.
Give every access and aggregation switch a static default route.
telnet account: aa
password: 123
aaa
local-user aa password cipher 123
local-user aa privilege level 3
local-user aa service-type telnet
qu
user-interface vty 0 4
authentication-mode aaa
qu
int vlanif 900
ip address 192.168.255.x 24
(192.168.255.x: use the address planned for this device; addresses must not collide)
qu
ip route-static 0.0.0.0 0 192.168.255.1
Once this is done, any device can be managed over telnet from any other device.
Note: run telnet from user view (the <> prompt), for example telnet 192.168.255.x.
Telnet sends the password in cleartext, and "123" at privilege level 3 is acceptable only inside the lab; on real equipment use STelnet (SSH) with a strong password and restrict the vty lines with an ACL to the management subnet.
ACL access-control lists
Goal: only vlan40 users may reach the finance server,
and vlan20 users are blocked from the external network so that lab data cannot leak.
sw1:
acl number 3000
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
rule 10 deny ip destination 192.168.200.20 0
qu
interface Eth-Trunk1
traffic-filter outbound acl 3000
The filter is applied outbound on Eth-Trunk1, the only path into the server VLAN, so traffic from every user VLAN towards 192.168.200.20 is checked in one place. Rule 10 is required: traffic-filter on VRP permits any packet that matches no rule, so without the explicit deny everyone would still reach the finance server.
AR1:
acl number 3001
rule 5 permit ip destination 192.168.0.0 0.0.255.255
rule 10 deny ip source 192.168.20.0 0.0.0.255
qu
The ACL still has to be bound to an interface before it does anything; inbound on AR1's gi0/0/0 (the link from sw1) is the natural place:
interface gi0/0/0
traffic-filter inbound acl 3001
qu
Rule 5 lets vlan20 keep talking to everything inside 192.168.0.0/16 (the other campuses and the servers); rule 10 then drops whatever vlan20 sends anywhere else, which is the internet. Rule order matters: with the deny first, vlan20 would lose the intranet as well.
Save promptly after finishing the configuration to avoid unnecessary trouble.
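Whether an ACL does what the requirement says depends on three things that are easy to get wrong on VRP: rules are matched in ascending rule-ID order and the first match wins, wildcard bits set to 1 are "don't care" (so 0 means an exact host), and traffic-filter permits packets that match no rule. The following script is an added example for this write-up, not anything run on the devices: it models those three behaviours and evaluates the two ACLs from this section against a handful of constructed packets, so you can see that vlan40 reaches the finance server, other VLANs are stopped, vlan20 is stopped at the exit but keeps the intranet, and hosts never named in a rule pass untouched.

```python
"""Simulate VRP advanced-ACL matching for ACL 3000 (finance server) and ACL 3001 (vlan20 exit).

Added example for this lab write-up; it is not run on the devices. It models first-match
evaluation in ascending rule-ID order, Huawei wildcard masks (1 bits are 'don't care'),
and the traffic-filter default of permitting packets that match no rule.
"""
import ipaddress

# The two ACLs exactly as configured in this section.
ACL_3000 = """
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
rule 10 deny ip destination 192.168.200.20 0
"""

ACL_3001 = """
rule 5 permit ip destination 192.168.0.0 0.0.255.255
rule 10 deny ip source 192.168.20.0 0.0.0.255
"""


def _to_int(addr: str) -> int:
    # VRP accepts a bare '0' as shorthand for the 0.0.0.0 wildcard (exact host match).
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Huawei wildcard mask."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # bits that must be equal
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_acl(text: str) -> list:
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines into ordered rules."""
    rules = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "rule":
            continue
        rule = {"id": int(t[1]), "action": t[2], "proto": t[3], "src": None, "dst": None}
        i = 4
        while i < len(t):
            if t[i] == "source":
                rule["src"] = (t[i + 1], t[i + 2])
                i += 3
            elif t[i] == "destination":
                rule["dst"] = (t[i + 1], t[i + 2])
                i += 3
            else:
                i += 1  # keywords this model ignores (ports, time-range, ...)
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])  # default match-order config: ascending ID


def evaluate(rules: list, src: str, dst: str) -> tuple:
    """Return (action, rule_id) for the first matching rule.

    No match returns ('permit', None): that is what traffic-filter does on VRP, so a
    'deny everything else' has to be written explicitly, as rule 10 of ACL 3000 is.
    """
    for r in rules:
        if r["src"] and not wildcard_match(src, *r["src"]):
            continue
        if r["dst"] and not wildcard_match(dst, *r["dst"]):
            continue
        return r["action"], r["id"]
    return "permit", None


# Constructed test packets: (acl, source, destination, what the requirement expects).
CASES = [
    (ACL_3000, "192.168.40.5", "192.168.200.20", "permit"),   # vlan40 -> finance server
    (ACL_3000, "192.168.10.5", "192.168.200.20", "deny"),     # vlan10 -> finance server
    (ACL_3000, "192.168.10.5", "192.168.200.10", "permit"),   # vlan10 -> web server, untouched
    (ACL_3001, "192.168.20.5", "8.8.8.8", "deny"),            # vlan20 -> internet
    (ACL_3001, "192.168.20.5", "192.168.200.10", "permit"),   # vlan20 -> intranet server
    (ACL_3001, "192.168.10.5", "8.8.8.8", "permit"),          # vlan10 -> internet, no rule
]


def run_cases(cases: list = CASES) -> list:
    """Return [(src, dst, action, rule_id, as_expected)] for every constructed packet."""
    out = []
    for acl, src, dst, expected in cases:
        action, rid = evaluate(parse_acl(acl), src, dst)
        out.append((src, dst, action, rid, action == expected))
    return out


if __name__ == "__main__":
    for src, dst, action, rid, ok in run_cases():
        print(f"{src:>14} -> {dst:<16} {action:6} rule {rid}  {'OK' if ok else 'MISMATCH'}")
```

Swapping the order of the two rules in ACL_3001 (give the deny rule ID 5) makes the vlan20-to-intranet case fail, which is the quickest way to see why rule order is part of the security requirement rather than a cosmetic detail.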
That concludes this 1000-user lab (the non-redundant variant).
Finally, here is the finished lab topology.