I. Lab requirements
1. Different PCs belong to different VLANs, as shown in the topology diagram;
2. Each VLAN uses the address block 192.168.XX.0/24, where XX is the VLAN number;
3. Hosts in each VLAN obtain their IP address via DHCP (unless otherwise required); the gateway address for the hosts of every VLAN is 192.168.XX.254/24;
4. VLAN 88 is the server VLAN where web-server sits, with its gateway on SW5; VLAN 66 is the server VLAN where dhcp-server sits, with its gateway on SW6;
5. The gateway used by the hosts of every other VLAN uses a high-availability technology to improve redundancy and stability;
6. A loop-prevention technology runs between the switches and provides per-VLAN load balancing; at the same time, the forwarding path from the hosts of each VLAN to their gateway must be optimal.
7. OSPF runs inside the company so that different VLANs can reach each other. Different VLANs belong to different areas. The areas containing the web and DHCP servers must also be protected from instability on external links and on unstable links in other areas.
8. The company's egress routers are R1 and R2, but R1 is always the primary exit; only when R1 fails does outbound traffic switch automatically to R2, and once R1 is repaired traffic is forwarded via R1 again.
9. A large number of internal hosts need Internet access, which must be implemented in the way that consumes the fewest IP addresses; however, VLAN 40 is a confidential department and must not be able to reach the Internet.
10. The external user (client-1) can access the internal web server.
11. The external user (sw9) can remotely manage all internal network devices (excluding R1/R2); the remote-access password is set to HCIE everywhere. (The management IP address of every internal device belongs to management VLAN 199.)
12. Among internal users, only PC-2 in VLAN 20 may log in remotely to manage all internal devices; no other user may.
II. Topology diagram
III. Lab configuration
1. Configure the interfaces and VLAN information on all devices
SW1:
vlan batch 10 20 199
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass all
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass all
SW2, SW3 and SW4 use the same interface configuration as SW1; only the VLAN assignments differ.
SW5:
vlan batch 10 20 30 40 66 88 100 199
port-group 1
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
group-member GigabitEthernet0/0/5
group-member GigabitEthernet0/0/6
group-member GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet0/0/8
port link-type access
port default vlan 88
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.3 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.3 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.3 255.255.255.0
#
interface Vlanif88
ip address 192.168.88.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
#
interface Vlanif199
ip address 192.168.199.5 255.255.255.0
#
SW6:
vlan batch 10 20 30 40 66 88 110 199
port-group 1
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
group-member GigabitEthernet0/0/5
group-member GigabitEthernet0/0/6
group-member GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet0/0/8
port link-type access
port default vlan 66
interface Vlanif10
ip address 192.168.10.4 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif20
ip address 192.168.20.4 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif30
ip address 192.168.30.4 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif40
ip address 192.168.40.4 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif66
ip address 192.168.66.254 255.255.255.0
#
interface Vlanif110
ip address 192.168.110.2 255.255.255.0
#
interface Vlanif199
ip address 192.168.199.6 255.255.255.0
SW7:
vlan batch 10 20 30 40 66 88 100 103 104 199 200
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 103
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
#
interface Vlanif103
ip address 192.168.103.2 255.255.255.0
#
interface Vlanif104
ip address 192.168.104.1 255.255.255.0
#
interface Vlanif199
ip address 192.168.199.7 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.2 255.255.255.0
SW8:
vlan batch 10 20 30 40 102 104 110 199 220
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 220
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.2 255.255.255.0
#
interface Vlanif102
ip address 192.168.102.2 255.255.255.0
#
interface Vlanif104
ip address 192.168.104.2 255.255.255.0
#
interface Vlanif110
ip address 192.168.110.1 255.255.255.0
#
interface Vlanif199
ip address 192.168.199.8 255.255.255.0
#
interface Vlanif220
ip address 192.168.220.2 255.255.255.0
R1:
interface GigabitEthernet0/0/0
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.102.1 255.255.255.0
R2:
interface GigabitEthernet0/0/0
ip address 192.168.103.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.220.1 255.255.255.0
ISP:
interface GigabitEthernet0/0/0
ip address 10.10.10.10 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 20.20.20.20 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 11.11.11.254 255.255.255.0
2. Configure VRRP gateway backup on SW7 and SW8, with master/backup roles and uplink-port tracking
SW7:
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 200
vrrp vrid 10 track interface GigabitEthernet0/0/4 reduced 150
#
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 200
vrrp vrid 20 track interface GigabitEthernet0/0/4 reduced 150
#
interface Vlanif30
vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif40
vrrp vrid 40 virtual-ip 192.168.40.254
SW8:
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 200
vrrp vrid 30 track interface GigabitEthernet0/0/5 reduced 150
#
interface Vlanif40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 200
vrrp vrid 40 track interface GigabitEthernet0/0/5 reduced 150
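The election that the SW7/SW8 configuration above relies on can be checked offline. The following Python model is an added example, not part of the original lab; it assumes the VRP defaults that the page does not state explicitly (priority 100 when none is configured, preemption enabled, higher real IP as tie-breaker) and encodes only the VRRP lines shown above. It shows why `reduced 150` is chosen: 200 - 150 = 50 falls below the backup's default 100, so losing the tracked uplink actually moves the master, whereas a smaller reduction would not.

```python
"""Model of the VRRP master election on SW7/SW8 (added example, not the lab's own tool)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class VrrpInstance:
    switch: str
    vrid: int
    local_ip: str                      # real Vlanif address, used as the tie-breaker
    priority: int = 100                # VRP default when "vrrp vrid N priority" is absent
    track_iface: Optional[str] = None  # "vrrp vrid N track interface <iface> ..."
    reduced: int = 0                   # "... reduced N"


def effective_priority(inst: VrrpInstance, down: frozenset) -> int:
    """Priority after interface tracking; `down` holds (switch, interface) pairs that are down.
    VRRP never lets the priority drop below 1."""
    if inst.track_iface and (inst.switch, inst.track_iface) in down:
        return max(inst.priority - inst.reduced, 1)
    return inst.priority


def elect_masters(instances, down=frozenset()):
    """Return {vrid: switch}. With preemption on (VRP default) the master is always the
    highest effective priority; a tie goes to the higher real IP address."""
    masters = {}
    for vrid in sorted({i.vrid for i in instances}):
        members = [i for i in instances if i.vrid == vrid]
        best = max(members, key=lambda i: (effective_priority(i, down), ip_address(i.local_ip)))
        masters[vrid] = best.switch
    return masters


def reduction_is_sufficient(primary: VrrpInstance, backup: VrrpInstance) -> bool:
    """True when losing the tracked uplink drops the primary below the backup's priority."""
    return primary.priority - primary.reduced < backup.priority


# Constructed from the SW7/SW8 VRRP configuration on this page
LAB = [
    VrrpInstance("SW7", 10, "192.168.10.1", 200, "GigabitEthernet0/0/4", 150),
    VrrpInstance("SW7", 20, "192.168.20.1", 200, "GigabitEthernet0/0/4", 150),
    VrrpInstance("SW7", 30, "192.168.30.1"),
    VrrpInstance("SW7", 40, "192.168.40.1"),
    VrrpInstance("SW8", 10, "192.168.10.2"),
    VrrpInstance("SW8", 20, "192.168.20.2"),
    VrrpInstance("SW8", 30, "192.168.30.2", 200, "GigabitEthernet0/0/5", 150),
    VrrpInstance("SW8", 40, "192.168.40.2", 200, "GigabitEthernet0/0/5", 150),
]

if __name__ == "__main__":
    print("normal:", elect_masters(LAB))
    print("SW7 uplink down:", elect_masters(LAB, frozenset({("SW7", "GigabitEthernet0/0/4")})))
    print("SW8 uplink down:", elect_masters(LAB, frozenset({("SW8", "GigabitEthernet0/0/5")})))
```

Under normal conditions SW7 is master for VLAN 10/20 and SW8 for VLAN 30/40; when SW7's G0/0/4 goes down its VRID 10/20 priority becomes 50 and SW8 takes over all four gateways, and the mirror case holds for SW8's G0/0/5.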
3. Configure MSTP load balancing on all switches, making SW5 and SW6 the primary and secondary root bridges of the two instances respectively
SW1:
stp region-configuration
region-name tt
instance 1 vlan 10 20 88 100
instance 2 vlan 30 40 66 110
active region-configuration
SW2, SW3, SW4, SW7 and SW8 use the same region configuration as above
SW5:
stp instance 1 root primary
stp instance 2 root secondary
SW6:
stp instance 1 root secondary
stp instance 2 root primary
4. Configure the DHCP address pools on Dhcp-server and DHCP relay on SW6
Dhcp-server:
ip route-static 0.0.0.0 0.0.0.0 192.168.66.254
dhcp enable
#
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.1 192.168.10.4 (exclude the four addresses 10.1-10.4 from the pool to avoid conflicts with the switches' Vlanif addresses)
dns-list 8.8.8.8
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.1 192.168.20.4
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.1 192.168.30.4
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.1 192.168.40.4
interface GigabitEthernet0/0/0
ip address 192.168.66.1 255.255.255.0
dhcp select global
SW6:
dhcp enable
interface Vlanif10
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif20
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif30
dhcp select relay
dhcp relay server-ip 192.168.66.1
#
interface Vlanif40
dhcp select relay
dhcp relay server-ip 192.168.66.1
5. Configure OSPF for full reachability, make the VLAN 66 and VLAN 88 areas special (stub) areas, and make R1 the primary exit
R1:
ospf 1 router-id 10.10.10.10
default-route-advertise
area 0.0.0.0
network 192.168.102.0 0.0.0.255
network 192.168.200.0 0.0.0.255
R2:
ospf 1 router-id 20.20.20.20
default-route-advertise
area 0.0.0.0
network 192.168.103.0 0.0.0.255
network 192.168.220.0 0.0.0.255
SW7:
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 192.168.200.0 0.0.0.255
network 192.168.103.0 0.0.0.255
network 192.168.104.0 0.0.0.255
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.88
network 192.168.100.0 0.0.0.255
stub no-summary (declare a totally stub area on the ABR)
area 0.0.0.199
network 192.168.199.0 0.0.0.255
interface Vlanif103
ip address 192.168.103.2 255.255.255.0
ospf cost 20 (raise the cost so that routes prefer R1 as the primary exit)
SW8:
ospf 1 router-id 8.8.8.8
area 0.0.0.0
network 192.168.102.0 0.0.0.255
network 192.168.220.0 0.0.0.255
network 192.168.104.0 0.0.0.255
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.66
network 192.168.110.0 0.0.0.255
stub no-summary
area 0.0.0.199
network 192.168.199.0 0.0.0.255
interface Vlanif220
ip address 192.168.220.2 255.255.255.0
ospf cost 20
SW5:
ospf 1 router-id 5.5.5.5
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.88
network 192.168.88.0 0.0.0.255
network 192.168.100.0 0.0.0.255
stub
area 0.0.0.199
network 192.168.199.0 0.0.0.255
SW6:
ospf 1 router-id 6.6.6.6
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.66
network 192.168.66.0 0.0.0.255
network 192.168.110.0 0.0.0.255
stub
area 0.0.0.199
network 192.168.199.0 0.0.0.255
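The area layout above has two properties worth checking before the lab is brought up: every non-backbone area must touch the backbone through an ABR, and every router in a stub area must agree on the stub flag, otherwise adjacencies do not form. The following Python checker is an added example, not a tool from the page; the area table is transcribed from the `ospf 1` blocks above (SW1 stands in for SW2-SW4, which the page says are configured the same way), and the "what a router learns" summary reflects standard OSPF stub semantics rather than anything printed in the lab.

```python
"""Consistency check for the lab's OSPF area design (added example, not the page's own tool)."""
from collections import defaultdict

BACKBONE = "0.0.0.0"

# Constructed from the page's "ospf 1" blocks: device -> {area: kind}
# kind: "normal", "stub" (area ... stub) or "totally-stub" (area ... stub no-summary)
LAB_OSPF = {
    "R1":  {BACKBONE: "normal"},
    "R2":  {BACKBONE: "normal"},
    "SW7": {BACKBONE: "normal", "0.0.0.10": "normal", "0.0.0.20": "normal",
            "0.0.0.30": "normal", "0.0.0.40": "normal",
            "0.0.0.88": "totally-stub", "0.0.0.199": "normal"},
    "SW8": {BACKBONE: "normal", "0.0.0.10": "normal", "0.0.0.20": "normal",
            "0.0.0.30": "normal", "0.0.0.40": "normal",
            "0.0.0.66": "totally-stub", "0.0.0.199": "normal"},
    "SW5": {"0.0.0.10": "normal", "0.0.0.20": "normal", "0.0.0.30": "normal",
            "0.0.0.40": "normal", "0.0.0.88": "stub", "0.0.0.199": "normal"},
    "SW6": {"0.0.0.10": "normal", "0.0.0.20": "normal", "0.0.0.30": "normal",
            "0.0.0.40": "normal", "0.0.0.66": "stub", "0.0.0.199": "normal"},
    "SW1": {"0.0.0.199": "normal"},   # SW2-SW4 are configured like SW1
}
ASBRS = {"R1", "R2"}   # the routers that run default-route-advertise


def area_border_routers(topo):
    """A router that sits in area 0 and in at least one other area is an ABR."""
    return {dev for dev, areas in topo.items() if BACKBONE in areas and len(areas) > 1}


def area_members(topo):
    """Invert the table: area -> {device: kind}."""
    members = defaultdict(dict)
    for dev, areas in topo.items():
        for area, kind in areas.items():
            members[area][dev] = kind
    return members


def lsa_types_seen(kind):
    """What a router inside an area of this kind learns about the outside world."""
    return {"normal": "inter-area + external",
            "stub": "inter-area + default (external blocked)",
            "totally-stub": "default only (inter-area and external blocked)"}[kind]


def check_design(topo, asbrs):
    """Return a list of design problems; an empty list means the layout is consistent."""
    problems = []
    abrs = area_border_routers(topo)
    for area, devs in area_members(topo).items():
        if area == BACKBONE:
            continue
        if not abrs & set(devs):
            problems.append(f"area {area} has no ABR into the backbone")
        stub_flags = {kind != "normal" for kind in devs.values()}
        if len(stub_flags) > 1:
            problems.append(f"area {area}: stub flag is not set on every router")
        if True in stub_flags and asbrs & set(devs):
            problems.append(f"area {area}: a stub area cannot contain an ASBR")
    return problems


if __name__ == "__main__":
    print("ABRs:", sorted(area_border_routers(LAB_OSPF)))
    print("problems:", check_design(LAB_OSPF, ASBRS) or "none")
    print("area 88 routers see:", lsa_types_seen("totally-stub"))
```

For the page's layout the ABRs are SW7 and SW8 and no problems are reported; flipping SW5's area 88 back to a normal area, or adding a device whose only area is not reachable from the backbone, makes the checker name the offending area.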
6. Configure NAT and NAT server on R1 and R2, and configure the ACL and remote login
R1:
acl number 2000
rule 5 deny source 192.168.40.0 0.0.0.255
rule 10 permit
interface GigabitEthernet0/0/2
ip address 10.10.10.1 255.255.255.0
nat server protocol tcp global 10.10.10.2 www inside 192.168.88.1 www
nat server protocol tcp global 10.10.10.2 201 inside 192.168.199.1 telnet
nat server protocol tcp global 10.10.10.2 202 inside 192.168.199.2 telnet
nat server protocol tcp global 10.10.10.2 203 inside 192.168.199.3 telnet
nat server protocol tcp global 10.10.10.2 204 inside 192.168.199.4 telnet
nat server protocol tcp global 10.10.10.2 205 inside 192.168.199.5 telnet
nat server protocol tcp global 10.10.10.2 206 inside 192.168.199.6 telnet
nat server protocol tcp global 10.10.10.2 207 inside 192.168.199.7 telnet
nat server protocol tcp global 10.10.10.2 208 inside 192.168.199.8 telnet
nat outbound 2000
R2:
acl number 2000
rule 5 deny source 192.168.40.0 0.0.0.255
rule 10 permit
interface GigabitEthernet0/0/2
ip address 20.20.20.1 255.255.255.0
nat server protocol tcp global 20.20.20.2 www inside 192.168.88.1 www
nat server protocol tcp global 20.20.20.2 201 inside 192.168.199.1 telnet
nat server protocol tcp global 20.20.20.2 202 inside 192.168.199.2 telnet
nat server protocol tcp global 20.20.20.2 203 inside 192.168.199.3 telnet
nat server protocol tcp global 20.20.20.2 204 inside 192.168.199.4 telnet
nat server protocol tcp global 20.20.20.2 205 inside 192.168.199.5 telnet
nat server protocol tcp global 20.20.20.2 206 inside 192.168.199.6 telnet
nat server protocol tcp global 20.20.20.2 207 inside 192.168.199.7 telnet
nat server protocol tcp global 20.20.20.2 208 inside 192.168.199.8 telnet
nat outbound 2000
SW1:
acl number 2000
rule 10 permit source 192.168.20.199 0
rule 20 permit source 11.11.11.11 0
interface Vlanif199
ip address 192.168.199.1 255.255.255.0
user-interface vty 0 4
acl 2000 inbound
user privilege level 3
authentication-mode password
set authentication password cipher
ospf 1 router-id 1.1.1.1
area 0.0.0.199
network 192.168.199.0 0.0.0.255
SW2 through SW8 are configured the same way to restrict access to the management interface.
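The three access-control decisions in this section (the Easy IP ACL that keeps VLAN 40 off the Internet, the NAT server mappings that publish the web server and the management VLAN, and the VTY ACL that admits only PC-2 and the address sw9 is seen as) can be modelled together. The Python below is an added example, not part of the lab; it encodes only the R1 and switch rules shown above, ignores source-port translation, and assumes the standard VRP behaviour that packets matching no rule of a VTY ACL are denied and packets denied by the NAT ACL are simply left untranslated. It makes the point from summary item 3 concrete: the switch sees the external user's original source 11.11.11.11 because NAT server rewrites only the destination.

```python
"""Packet-level model of R1's NAT rules and the switches' VTY ACL (added example, not from the page)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


ANY = ("0.0.0.0", "255.255.255.255")   # "rule 10 permit" with no source: match everything


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Basic ACL semantics: a wildcard bit of 1 means 'don't care', 0 means 'must match'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_decision(rules, src: str) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for action, base, wildcard in rules:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


# R1 "acl number 2000": VLAN 40 is confidential and must not be translated
R1_NAT_ACL = [("deny", "192.168.40.0", "0.0.0.255"), ("permit", *ANY)]
R1_OUTSIDE_IP = "10.10.10.1"           # Easy IP uses the GigabitEthernet0/0/2 address
# R1 "nat server" lines: (global ip, global port) -> (inside ip, inside port)
R1_NAT_SERVER = {("10.10.10.2", 80): ("192.168.88.1", 80)}
R1_NAT_SERVER.update({("10.10.10.2", 200 + n): (f"192.168.199.{n}", 23) for n in range(1, 9)})
# "acl 2000" bound inbound on the switches' VTY lines ("0" in VRP is the wildcard 0.0.0.0)
VTY_ACL = [("permit", "192.168.20.199", "0.0.0.0"), ("permit", "11.11.11.11", "0.0.0.0")]


def r1_outbound(pkt: Packet) -> Optional[Packet]:
    """Easy IP: rewrite the source to the outgoing interface address when ACL 2000 permits.
    A denied packet is returned as None: it leaves untranslated and has no return path."""
    if acl_decision(R1_NAT_ACL, pkt.src) != "permit":
        return None
    return replace(pkt, src=R1_OUTSIDE_IP)


def r1_inbound(pkt: Packet) -> Optional[Packet]:
    """NAT server: rewrite the destination of published services; anything else is dropped."""
    target = R1_NAT_SERVER.get((pkt.dst, pkt.dport))
    if target is None:
        return None
    return replace(pkt, dst=target[0], dport=target[1])


def vty_login_allowed(pkt: Packet) -> bool:
    """The switch evaluates the VTY ACL against the source it actually sees."""
    return pkt.dport == 23 and acl_decision(VTY_ACL, pkt.src) == "permit"


def external_telnet(pkt: Packet) -> bool:
    """End-to-end check for an Internet-side user: NAT server on R1, then the VTY ACL."""
    inside = r1_inbound(pkt)
    return inside is not None and vty_login_allowed(inside)


if __name__ == "__main__":
    print(r1_outbound(Packet("192.168.40.10", "8.8.8.8", 443)))      # None: VLAN 40 stays inside
    print(r1_outbound(Packet("192.168.10.10", "8.8.8.8", 443)))      # source becomes 10.10.10.1
    print(r1_inbound(Packet("11.11.11.11", "10.10.10.2", 205)))      # sw9 -> SW5 management IP
    print(external_telnet(Packet("11.11.11.22", "10.10.10.2", 205)))  # False: not in the VTY ACL
```

Only the published ports reach the inside, the management VLAN accepts telnet from exactly two sources, and a VLAN 40 host never gets a translated address; the same table can be re-run for R2 by swapping the 10.10.10.x addresses for 20.20.20.x.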
IV. Verification
V. Lab summary
1. When dividing areas, keep them contiguous: every non-backbone area must connect to the backbone area. MSTP load balancing must be planned carefully, otherwise OSPF neighbors may fail to form.
2. Egress path selection must be configured properly: adjust the cost of the VLAN 103 and VLAN 220 links so that routes prefer R1 as the exit, otherwise NAT server may fail to work, because NAT server requires the outbound and inbound paths to be the same; if the forwarding path is not controlled, telnet sessions from the Internet into the internal network will be intermittent.
3. On the devices that are managed remotely, the ACL matches source IP 11.11.11.11, because NAT (Easy IP) translates the source address to the outgoing interface address, whereas NAT server translates the destination address to the internal address.
4. SW9, Dhcp-server, R1 and R2 need a default route, and R1 and R2 must advertise a default route into OSPF (default-route-advertise).