1. The company has 4 departments: HR, R&D, Finance and Marketing. Each department has 100 office PCs that must be connected to the company office network with an access bandwidth of at least 100 Mbit/s. For ease of management and security, VLANs are divided per department; the whole internal network uses 192.168.X.X private IP addresses, with the IP address plan left to you.
2. The company has 2 S5700 switches used as core switching devices. To improve network reliability and core link bandwidth, an eth-trunk must be configured. Access-layer devices connect to one of the S5700s through Gbit interfaces.
3. The company has one server, connected directly to the core switch, running DNS, FTP and HTTP services. The HTTP service is reachable from both the internal and the external network; FTP is reachable only by employees of the R&D department. All terminal PCs on the internal network can reach the DNS service. Apart from HR, no other department may access the Finance department network. The internal network runs the OSPF protocol.
Since readers' needs differ, this post connects only one core switch; a modified version that connects both cores is in the link below, where you can view it and download the source topology.
Topology:
Address assignment:
S1:
#
vlan batch 10 20 30 40 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/23
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 100
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
S2:
#
vlan batch 10 20 30 40 100
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.1.3 255.255.255.0
#
acl number 3000
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 15 permit ospf
rule 20 permit ip
acl number 3001
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.1.111 0
rule 10 deny ip destination 192.168.1.111 0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-filter outbound acl 3001
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 40
traffic-filter outbound acl 3000
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
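The two traffic-filter ACLs on S2 implement the access-control part of requirement 3. The following Python model is an added example, not part of the original post or any Huawei tool: it encodes ACL 3000 and ACL 3001 exactly as written above, applies Huawei wildcard-mask matching and first-match rule ordering, maps each ACL to the egress interface it is bound to (GE0/0/6 toward VLAN 40, Eth-Trunk1 toward the core and server), and then evaluates the same flows the verification section tests by hand. The host addresses, the server address 192.168.1.111 and the assumption that traffic matching no rule is permitted (the traffic-filter default) are assumptions of this example.

```python
"""Offline model of the S2 traffic-filter ACLs (added example, not the lab config).

Huawei wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
"don't care". Rules are evaluated in ascending rule number and the first
match wins. A packet that matches no rule is permitted here, which is the
traffic-filter default we assume for this model.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def match_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """True if addr falls inside base/wildcard (ACL wildcard, not a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits that must match exactly
    return (a & care) == (b & care)


# (rule number, action, protocol, (src, src_wildcard), (dst, dst_wildcard)),
# transcribed from the "acl number 3000" / "acl number 3001" blocks on S2.
ACL_3000 = [
    (5, "deny", "ip", ("192.168.20.0", "0.0.0.255"), ("192.168.40.0", "0.0.0.255")),
    (10, "deny", "ip", ("192.168.30.0", "0.0.0.255"), ("192.168.40.0", "0.0.0.255")),
    (15, "permit", "ospf", ANY, ANY),
    (20, "permit", "ip", ANY, ANY),
]
ACL_3001 = [
    (5, "permit", "ip", ("192.168.20.0", "0.0.0.255"), ("192.168.1.111", "0.0.0.0")),
    (10, "deny", "ip", ANY, ("192.168.1.111", "0.0.0.0")),
]


def evaluate(acl, proto: str, src: str, dst: str):
    """Return (action, matching rule number); first match in rule order wins."""
    for num, action, rproto, (sb, sw), (db, dw) in sorted(acl):
        # A rule written for "ip" matches every IP protocol; "ospf" only ospf.
        if rproto != "ip" and rproto != proto:
            continue
        if match_wildcard(src, sb, sw) and match_wildcard(dst, db, dw):
            return action, num
    return "permit", None  # assumption: unmatched traffic is permitted


# Egress bindings from the S2 config: ACL 3000 outbound on GE0/0/6 (the trunk
# carrying VLAN 40 to Finance), ACL 3001 outbound on Eth-Trunk1 (toward the
# core switch S1 and the server). The destination subnet selects the egress.
EGRESS = [
    (ipaddress.ip_network("192.168.40.0/24"), ACL_3000),
    (ipaddress.ip_network("192.168.1.0/24"), ACL_3001),
]


def allowed(src: str, dst: str, proto: str = "ip") -> bool:
    """Does a packet src->dst leave S2 on the filtered egress interface?"""
    for net, acl in EGRESS:
        if ipaddress.ip_address(dst) in net:
            return evaluate(acl, proto, src, dst)[0] == "permit"
    return True  # no filter bound on the other egress interfaces


# Constructed sample hosts, one per department VLAN (addresses are assumed).
HOSTS = {"hr": "192.168.10.10", "rd": "192.168.20.10",
         "mkt": "192.168.30.10", "fin": "192.168.40.10"}
SERVER = "192.168.1.111"          # FTP server address used in ACL 3001
STATIC_NAT_HOST = "192.168.1.254"  # inside address of the static NAT on R1


def check_policy() -> dict:
    """The decision matrix the lab verifies with pings and FTP logins."""
    return {
        "hr->finance": allowed(HOSTS["hr"], HOSTS["fin"], "icmp"),
        "rd->finance": allowed(HOSTS["rd"], HOSTS["fin"], "icmp"),
        "mkt->finance": allowed(HOSTS["mkt"], HOSTS["fin"], "icmp"),
        "rd->server": allowed(HOSTS["rd"], SERVER, "tcp"),
        "mkt->server": allowed(HOSTS["mkt"], SERVER, "tcp"),
        "hr->server": allowed(HOSTS["hr"], SERVER, "tcp"),
        "hr->static_nat_host": allowed(HOSTS["hr"], STATIC_NAT_HOST, "tcp"),
    }


if __name__ == "__main__":
    for flow, ok in check_policy().items():
        print(f"{flow:22s} {'permit' if ok else 'deny'}")
```

Two things the model makes visible that the screenshots do not. First, rule ordering: `rule 15 permit ospf` sits after two `deny ip` rules, and `ip` matches every protocol, so an OSPF packet from 192.168.20.0/24 to 192.168.40.0/24 hits rule 5 and is denied (`evaluate(ACL_3000, "ospf", "192.168.20.1", "192.168.40.1")` returns `("deny", 5)`); the lab is unaffected only because both VLAN interfaces live on S2 and no OSPF adjacency crosses that filter. Second, ACL 3001 filters by destination address, not by TCP port: every protocol from a non-R&D host to 192.168.1.111 is dropped, so the DNS and HTTP services that requirement 3 opens to everyone must answer on a different address (for example the 192.168.1.254 address used by the static NAT, which matches no rule and is permitted), otherwise a port-specific deny would be needed instead of the address-wide one.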
R1:
#
acl number 2000
rule 5 permit source any
#
nat address-group 1 200.100.100.100 200.100.100.200
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.100.100.2 255.255.255.0
nat static global 200.100.100.5 inside 192.168.1.254 netmask 255.255.255.255 % configure static NAT
nat outbound 2000 address-group 1
#
ospf 1
default-route-advertise % advertise the static default route into OSPF through route redistribution
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 200.100.100.1
R2:
#
interface GigabitEthernet0/0/0
ip address 200.101.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.100.100.1 255.255.255.0
HR department:
#
vlan batch 10
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
R&D department:
#
vlan batch 20
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface Ethernet0/0/3
port link-type access
port default vlan 20
Marketing department:
#
vlan batch 30
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface Ethernet0/0/2
port link-type access
port default vlan 30
#
interface Ethernet0/0/3
port link-type access
port default vlan 30
Finance department:
#
vlan batch 40
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 40
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
#
interface Ethernet0/0/3
port link-type access
port default vlan 40
Verification
Here I use HR host P2 to ping the external network; the ping succeeds as shown:
Ping from the external network to the internal network fails:
All PC terminals can access the DNS service:
FTP is accessible only to R&D:
R&D access succeeds!
Marketing access fails!
HTTP is accessible from both the internal and the external network:
HR pings Finance successfully:
R&D and Marketing cannot ping Finance:
As can be seen, when P2 pings the external network, its address is translated at the internal/external boundary through the dynamic NAT address pool into the public address 200.100.100.194 before reaching the external network.
As can be seen, when the HTTP server pings the external network, its address is translated by static NAT into the public address 200.100.100.5 to connect to the external network.
No client host is configured on the external network here.