eNSP: a comprehensive lab on the two-tier architecture

Lab topology:

[Figure 1: lab topology diagram]

Lab requirements:
① The users' gateways are configured on the core switch.

② The enterprise intranet is divided into multiple VLANs to shrink the broadcast domains and improve network stability: configure the VLANs on the access switches and place the users in the appropriate VLAN, configure the trunk links, and configure the VLANs and SVI virtual interfaces on the core switch.

③ All devices can be managed remotely via Telnet from any location.

④ NAT is configured at the egress.

⑤ STP runs in RSTP mode, with the core switch guaranteed to be the root bridge. The ports facing users are configured as edge ports to speed up convergence.

⑥ Root-bridge protection is configured so that the root role cannot be preempted.

⑦ All users obtain their IP address automatically.

⑧ At the enterprise egress, port 80 of the internal server is mapped to the outside so that external users can reach it.

⑨ The finance server may only be accessed by the staff of the finance department (VLAN 30).

Configuration commands

SW2:

[SW2]vlan batch 10 30
[SW2]int e0/0/2
[SW2-Ethernet0/0/2]port link-type access 
[SW2-Ethernet0/0/2]port default vlan 10
[SW2-Ethernet0/0/2]int e0/0/3
[SW2-Ethernet0/0/3]port link-type access 
[SW2-Ethernet0/0/3]port default vlan 30
[SW2-Ethernet0/0/3]quit
[SW2]int gi 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk 
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30

SW3:

[SW3]vlan 200
[SW3-vlan200]qu
[SW3]int e0/0/2
[SW3-Ethernet0/0/2]port link-type access 
[SW3-Ethernet0/0/2]port default vlan 200
[SW3-Ethernet0/0/2]qu
[SW3]int e0/0/3
[SW3-Ethernet0/0/3]port link-type access 
[SW3-Ethernet0/0/3]port default vlan 200
[SW3-Ethernet0/0/3]qu
[SW3]int gi0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk 
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 200

SW1:

[SW1]int gi0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk  # link mode trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30  # this link carries VLAN 10 and VLAN 30
[SW1-GigabitEthernet0/0/1]qu
[SW1]vlan batch 10 30 200  # create the three VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]int gi0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 200
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlan 30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]qu
[SW1]int vlan 200
[SW1-Vlanif200]ip address 192.168.200.1 24

[SW1]ip pool vlan_10  # configure the address pools on the core switch
Info:It's successful to create an IP address pool.
[SW1-ip-pool-vlan_10]network 192.168.10.0 mask 24
[SW1-ip-pool-vlan_10]gateway-list 192.168.10.1  # gateway handed out to clients
[SW1-ip-pool-vlan_10]dns-list 8.8.8.8  # DNS server handed out to clients
[SW1-ip-pool-vlan_10]qu
[SW1]ip pool vlan_30
Info:It's successful to create an IP address pool.
[SW1-ip-pool-vlan_30]gateway-list 192.168.30.1
[SW1-ip-pool-vlan_30]network 192.168.30.0 mask 24
[SW1-ip-pool-vlan_30]dns-list 8.8.8.8
[SW1]dhcp enable  # enable the DHCP service
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW1]int vlan10
[SW1-Vlanif10]dhcp select global  # serve this SVI from the global address pools
[SW1-Vlanif10]int vlan30
[SW1-Vlanif30]dhcp select global  # needed on VLAN 30 as well, otherwise its users get no lease


Configuring Telnet remote management

Using SW1 as the example:

[SW1]aaa
[SW1-aaa]local-user hcnp password simple hcnp123  # add an account and set its password
Info: Add a new user.
[SW1-aaa]local-user hcnp privilege level 3  # level 3 grants full configuration rights
[SW1-aaa]local-user hcnp service-type telnet  # this user may log in via Telnet
[SW1-aaa]qu
[SW1]user-interface vty 0 4  # five VTY lines, i.e. at most 5 concurrent sessions
[SW1-ui-vty0-4]authentication-mode aaa
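The SVI and DHCP-pool configuration above and the AAA/VTY settings are easy to get subtly wrong: a pool whose gateway is not an SVI address, an SVI that never receives `dhcp select global`, a password stored with `simple`. The following Python script is an added example, not part of the lab and not Huawei code. It parses a constructed `display current-configuration`-style excerpt of SW1 (indented lines belong to the block above them; the sample deliberately leaves `dhcp select global` off Vlanif30 so that the check fires) and reports its findings. The configuration text and the `parse_vrp` and `audit` names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample in "display current-configuration" style (not the page's
# transcript): indented lines belong to the block above them. Vlanif30 is
# deliberately left without "dhcp select global" so the check has something to
# report, and the "password simple" line is kept exactly as the lab types it.
SW1_CONFIG = """\
interface Vlanif10
 ip address 192.168.10.1 24
 dhcp select global
interface Vlanif30
 ip address 192.168.30.1 24
ip pool vlan_10
 network 192.168.10.0 mask 24
 gateway-list 192.168.10.1
ip pool vlan_30
 gateway-list 192.168.30.1
 network 192.168.30.0 mask 24
dhcp enable
aaa
 local-user hcnp password simple hcnp123
 local-user hcnp privilege level 3
 local-user hcnp service-type telnet
user-interface vty 0 4
 authentication-mode aaa
"""


def parse_vrp(text):
    """Collect SVIs, DHCP pools, local users and the VTY auth mode from VRP-style text."""
    cfg = {"svi": {}, "pool": {}, "user": {}, "vty_auth": None, "dhcp_enable": False}
    kind = name = None  # block the following indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level: opens a block or is a global command
            kind = name = None
            if m := re.match(r"interface Vlanif(\d+)$", line):
                kind, name = "svi", int(m.group(1))
                cfg["svi"][name] = {"iface": None, "dhcp": False}
            elif m := re.match(r"ip pool (\S+)$", line):
                kind, name = "pool", m.group(1)
                cfg["pool"][name] = {"network": None, "gateway": None}
            elif line == "aaa":
                kind = "aaa"
            elif line.startswith("user-interface vty"):
                kind = "vty"
            elif line == "dhcp enable":
                cfg["dhcp_enable"] = True
        elif kind == "svi":
            if m := re.match(r"ip address (\S+) (\d+)$", line):
                cfg["svi"][name]["iface"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif line == "dhcp select global":
                cfg["svi"][name]["dhcp"] = True
        elif kind == "pool":
            if m := re.match(r"network (\S+) mask (\d+)$", line):
                cfg["pool"][name]["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            elif m := re.match(r"gateway-list (\S+)$", line):
                cfg["pool"][name]["gateway"] = ipaddress.ip_address(m[1])
        elif kind == "aaa":
            if m := re.match(r"local-user (\S+) password (simple|cipher) ", line):
                cfg["user"][m[1]] = m[2]
        elif kind == "vty":
            if m := re.match(r"authentication-mode (\S+)$", line):
                cfg["vty_auth"] = m[1]
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if not cfg["dhcp_enable"]:
        findings.append("dhcp enable is missing: no pool will hand out leases")
    svi_by_ip = {d["iface"].ip: (vid, d) for vid, d in cfg["svi"].items() if d["iface"] is not None}
    for pname, p in cfg["pool"].items():
        net, gw = p["network"], p["gateway"]
        if net is None or gw is None:
            findings.append(f"pool {pname}: network or gateway-list not set")
        elif gw not in net:
            findings.append(f"pool {pname}: gateway {gw} lies outside {net}")
        elif gw not in svi_by_ip:
            findings.append(f"pool {pname}: no Vlanif owns the gateway {gw}")
        else:
            vid, svi = svi_by_ip[gw]
            if svi["iface"].network != net:
                findings.append(f"pool {pname}: mask differs from Vlanif{vid}")
            if not svi["dhcp"]:
                findings.append(f"Vlanif{vid}: gateway of pool {pname}, but 'dhcp select global' is missing")
    for user, mode in cfg["user"].items():
        if mode == "simple":
            findings.append(f"local-user {user}: 'password simple' keeps the password in clear text; use cipher")
    if cfg["vty_auth"] != "aaa":
        findings.append("VTY lines do not use authentication-mode aaa")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vrp(SW1_CONFIG)):
        print("FINDING:", finding)
```

Run it as a script to print the findings. The password check exists because on VRP `local-user ... password simple ...` leaves the password readable in the configuration, while `password cipher` stores it in encrypted form; the rest of the checks tie each pool to the SVI that owns its gateway, which is what makes `dhcp select global` effective.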

Configuring the management VLAN 999

Management address range: 192.168.255.x
The switches have to be reachable for configuration, but their physical ports cannot carry an IP address, so a dedicated VLAN is created and given a management IP address.
SW1:

[SW1]vlan 999
[SW1-vlan999]qu
[SW1]interface Vlanif 999
[SW1-Vlanif999]ip address 192.168.255.1 24
[SW1]int gi0/0/1 
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 999
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 999

SW2:

[SW2]vlan 999
[SW2-vlan999]qu
[SW2]interface Vlanif 999
[SW2-Vlanif999]ip address 192.168.255.2 24
[SW2]ip route-static 0.0.0.0 0 192.168.255.1

[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 999

SW3:

[SW3]vlan 999
[SW3-vlan999]qu
[SW3]interface Vlanif 999
[SW3-Vlanif999]ip address 192.168.255.3 24
[SW3]ip route-static 0.0.0.0 0 192.168.255.1
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 999


Configuring NAT at the egress

SW1:

[SW1]vlan 800
[SW1-vlan800]qu
[SW1]interface g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access  # set the link to access mode
[SW1-GigabitEthernet0/0/3]port default vlan 800
[SW1-GigabitEthernet0/0/3]qu
[SW1]interface Vlanif 800
[SW1-Vlanif800]ip address 192.168.254.1 24
[SW1]ip route-static 0.0.0.0 0 192.168.254.2

R1:

[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.254.2 24
[R1-GigabitEthernet0/0/0]qu
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 12.1.1.1 29
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]int gi0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000
[R1]ip route-static 0.0.0.0 0 12.1.1.6
[R1]ip route-static 192.168.0.0 255.255.0.0 192.168.254.1

R2:

[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 12.1.1.6 29
[R2-GigabitEthernet0/0/0]qu
[R2]int loo 0
[R2-LoopBack0]ip address 9.9.9.9 24  # configure the loopback address

Configuring RSTP on the switches

Configure RSTP on all three switches:

[SW1]stp mode rstp
[SW2]stp mode rstp
[SW3]stp mode rstp

Make the core switch the root bridge:

[SW1]stp priority 0   # set SW1's priority to 0, the lowest and therefore best value

Configure the edge ports

[SW2]port-group group-member e0/0/2 to e0/0/3  # put e0/0/2 and e0/0/3 into one temporary port group
[SW2-port-group]stp edged-port enable  # the command applies to every member of the group
[SW3]port-group group-member e0/0/2 to e0/0/3
[SW3-port-group]stp edged-port enable 

Protecting the root bridge from being preempted

If another switch tries to take over the root role, the designated port on the root bridge that receives the superior BPDU is blocked. This approach has a large impact on the network and is not recommended.

[SW1]int gi0/0/1
[SW1-GigabitEthernet0/0/1]stp root-protection 
[SW1-GigabitEthernet0/0/1]int gi0/0/2
[SW1-GigabitEthernet0/0/2]stp root-protection 

Alternatively, configure it on the access switches:

[SW2]stp bpdu-protection  # this approach has a smaller impact on the network
[SW3]stp bpdu-protection
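To see what the root-bridge priority, root protection and BPDU protection each decide, here is an added Python model; it is example code, not part of the lab and not how VRP implements RSTP. It compares only the root bridge ID carried in a BPDU (priority first, then MAC), ignoring path cost and port ID, uses constructed MAC addresses, and the `Switch`, `Port`, `receive_bpdu` and `build_lab` names are the example's own.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # lower wins; "stp priority 0" is the best possible value
    mac: str        # xxxx-xxxx-xxxx, lower case; equal-length hex strings order like integers


@dataclass
class Port:
    role: str                       # "designated", "root" or "edge"
    root_protection: bool = False   # "stp root-protection" on this port
    state: str = "forwarding"


@dataclass
class Switch:
    bridge_id: BridgeId
    ports: dict
    bpdu_protection: bool = False   # "stp bpdu-protection" in system view
    root: BridgeId = field(init=False)

    def __post_init__(self):
        self.root = self.bridge_id  # every bridge starts out believing it is the root


def elect_root(switches):
    """Root election: the lowest (priority, MAC) bridge ID wins."""
    root = min(sw.bridge_id for sw in switches)
    for sw in switches:
        sw.root = root
    return root


def receive_bpdu(sw, port_name, claimed_root):
    """Process a BPDU whose root ID is claimed_root on one port and return the
    root the switch believes in afterwards."""
    port = sw.ports[port_name]
    if port.role == "edge":
        if sw.bpdu_protection:
            port.state = "error-down"   # an edge port got a BPDU: shut it, ignore the BPDU
            return sw.root
        port.role = "designated"        # without protection the port merely loses edge status
    if claimed_root < sw.root:          # superior BPDU: someone claims a better root
        if port.role == "designated" and port.root_protection:
            port.state = "discarding"   # root protection: block the port, keep the root
            return sw.root
        sw.root = claimed_root          # unprotected: the new bridge takes over as root
    return sw.root


def build_lab():
    """The lab's three switches; the MAC addresses are constructed for the example."""
    sw1 = Switch(BridgeId(0, "4c1f-cc00-0001"),
                 {"gi0/0/1": Port("designated", root_protection=True),
                  "gi0/0/2": Port("designated", root_protection=True)})
    sw2 = Switch(BridgeId(32768, "4c1f-cc00-0002"),
                 {"gi0/0/1": Port("root"), "e0/0/2": Port("edge"), "e0/0/3": Port("edge")},
                 bpdu_protection=True)
    sw3 = Switch(BridgeId(32768, "4c1f-cc00-0003"),
                 {"gi0/0/1": Port("root"), "e0/0/2": Port("edge"), "e0/0/3": Port("edge")},
                 bpdu_protection=True)
    return sw1, sw2, sw3


if __name__ == "__main__":
    sw1, sw2, sw3 = build_lab()
    print("root:", elect_root([sw1, sw2, sw3]))
    rogue = BridgeId(0, "0000-0000-0001")   # priority 0 with a lower MAC would beat SW1
    print("SW1 after a superior BPDU on gi0/0/1:",
          receive_bpdu(sw1, "gi0/0/1", rogue), sw1.ports["gi0/0/1"].state)
    print("SW2 after a BPDU on edge port e0/0/2:",
          receive_bpdu(sw2, "e0/0/2", rogue), sw2.ports["e0/0/2"].state)
```

The model makes the trade-off in the text visible: with root protection the root bridge keeps its role but a trunk port on the core goes to discarding, whereas BPDU protection on the access switches takes down only the single user port that received the unexpected BPDU.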

Mapping the internal server to the outside

Configure on R1's outbound interface:

[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www  # expose port 80 (www) of the internal server
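The two NAT functions on R1, `nat outbound 2000` (Easy IP on the interface address) and the `nat server` mapping for the web server, as an added Python model; it is example code, not part of the lab and not VRP code. ACL 2000's `192.168.0.0 0.0.255.255` is represented as the network 192.168.0.0/16, the translated port numbers and the `EdgeNat`, `Packet` and `build_r1` names are the example's own assumptions, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class EdgeNat:
    """Toy model of R1's egress: Easy-IP PAT on the outside interface address
    plus static 'nat server' mappings. Constructed for illustration only."""

    def __init__(self, outside_ip, inside_nets, servers, first_port=10240):
        self.outside_ip = outside_ip
        # Stands in for ACL 2000: only these sources are translated outbound.
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        # (global ip, global port, proto) -> (inside ip, inside port), e.g. the www mapping
        self.servers = dict(servers)
        self.sessions = {}   # (global ip, global port, proto) -> (inside ip, inside port)
        self.reverse = {}    # (inside ip, inside port, proto) -> global port, reused per flow
        self.next_port = first_port

    def outbound(self, pkt):
        """Translate a packet leaving towards the Internet. Sources the ACL does
        not permit are forwarded untouched, as 'nat outbound' does."""
        if not any(ipaddress.ip_address(pkt.src) in n for n in self.inside_nets):
            return pkt
        key = (pkt.src, pkt.sport, pkt.proto)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.sessions[(self.outside_ip, port, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet. Returns None when no
        static mapping and no session matches: nothing is forwarded inside and
        the packet is left to the router itself."""
        key = (pkt.dst, pkt.dport, pkt.proto)
        target = self.servers.get(key) or self.sessions.get(key)
        if target is None:
            return None
        return replace(pkt, dst=target[0], dport=target[1])


def build_r1():
    """R1 as configured in the lab: outside address 12.1.1.1, ACL 2000 permits
    192.168.0.0/16, and tcp/80 of 12.1.1.4 is mapped to the web server."""
    return EdgeNat("12.1.1.1", ["192.168.0.0/16"],
                   {("12.1.1.4", 80, "tcp"): ("192.168.200.10", 80)})


if __name__ == "__main__":
    r1 = build_r1()
    out = r1.outbound(Packet("192.168.10.5", 40000, "9.9.9.9", 80))
    print("outbound :", out)
    print("reply    :", r1.inbound(Packet("9.9.9.9", 80, "12.1.1.1", out.sport)))
    print("to www   :", r1.inbound(Packet("9.9.9.1", 51000, "12.1.1.4", 80)))
    print("to tcp/22:", r1.inbound(Packet("9.9.9.1", 51000, "12.1.1.4", 22)))
```

The last two calls show the security property of the `nat server` line: only tcp/80 of 192.168.200.10 is reachable through 12.1.1.4, every other port of the global address has no mapping, and the finance server 192.168.200.20 is never exposed at all.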

Configuring an ACL so that only the finance department can reach the finance server

Configure the ACL on the core switch SW1:

[SW1]acl number 3000
[SW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.1
[SW1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0
[SW1]interface g0/0/2
[SW1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000  # apply ACL 3000 to traffic leaving towards the server VLAN
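How SW1 evaluates ACL 3000 on g0/0/2, as an added Python example (not part of the lab and not VRP code): it parses the rule lines with Huawei wildcard masks, matches them in configuration order, and applies the traffic-filter default of permitting packets that match no rule. Because the page's permit rule is cut off after `destination 192.1`, the example assumes its destination is the finance server `192.168.200.20 0` named in the deny rule; the `parse_rule`, `wildcard_match` and `evaluate` names and the sample packets are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # all-ones wildcard: matches every address


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: tuple       # (base address, wildcard mask)
    dst: tuple


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _endpoint(spec):
    """Turn 'any' or 'A.B.C.D W' into a (base, wildcard) tuple; VRP accepts the
    shorthand '0' for a single-host wildcard, as the lab's deny rule uses."""
    if spec is None or spec == "any":
        return ANY
    base, wc = spec.split()
    return (base, "0.0.0.0" if wc == "0" else wc)


RULE_RE = re.compile(
    r"rule (?:\d+ )?(permit|deny) ip(?: source (any|\S+ \S+))?(?: destination (any|\S+ \S+))?$")


def parse_rule(line):
    """Parse one advanced-ACL rule line as typed in the [SWx-acl-adv-NNNN] view."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(m.group(1), _endpoint(m.group(2)), _endpoint(m.group(3)))


def evaluate(rules, src, dst, default="permit"):
    """First matching rule wins (match-order config). Packets that match no rule
    are forwarded by traffic-filter, hence the permit default."""
    for r in rules:
        if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
            return r.action
    return default


# Constructed from the lab's ACL 3000; the permit rule's destination is an
# assumption (the page's line is truncated), taken to be the finance server
# that the deny rule names.
ACL_3000_LINES = [
    "rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0",
    "rule deny ip source any destination 192.168.200.20 0",
]


def acl_3000():
    return [parse_rule(line) for line in ACL_3000_LINES]


if __name__ == "__main__":
    rules = acl_3000()
    for src, dst in [("192.168.30.10", "192.168.200.20"),   # finance PC -> finance server
                     ("192.168.10.10", "192.168.200.20"),   # VLAN 10 PC -> finance server
                     ("192.168.10.10", "192.168.200.10")]:  # VLAN 10 PC -> web server
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    # With the two rules swapped the finance department would be denied as well.
    print("reversed order:", evaluate(list(reversed(rules)), "192.168.30.10", "192.168.200.20"))
```

The reversed-order call is the check worth keeping in mind: the deny rule matches finance traffic too, so it only works as intended because the more specific permit is entered first and the ACL is evaluated in configuration order.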
