Comprehensive lab: two-tier network architecture

[Figure 1: lab topology diagram]

① User gateways are configured on the core switch
Access switches create the VLANs and place users in the matching VLAN
Configure the trunk links
The core switch creates the VLANs and the SVI (VLANIF) interfaces
② Split the corporate intranet into several VLANs to shrink the broadcast domains and improve network stability
VLAN10
VLAN30      //Finance department
VLAN200    //Servers
VLAN800    //Link to the egress router R1
VLAN999    //Management VLAN
③ Every device can be managed remotely via telnet from any location
aaa
 local-user admin password cipher admin@123
 local-user admin privilege level 3
 local-user admin service-type telnet
user-interface vty 0 4
 authentication-mode aaa
Configure management VLAN 999
Management address range: 192.168.255.X
④ NAT on the egress router
[R1]acl number 2000     //create ACL 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255     //permit sources in 192.168.0.0/16
[R1-acl-basic-2000]quit     //exit
[R1]interface g0/0/1     //enter the interface
[R1-GigabitEthernet0/0/1]nat outbound 2000     //apply NAT on the outbound (WAN) interface
[R1-GigabitEthernet0/0/1]quit     //exit
[R1]ip route-s 0.0.0.0 0 12.1.1.6     //default route for outbound packets
[R1]ip route-s 192.168.0.0 255.255.0.0 192.168.254.1     //send return packets to core switch SW1

⑤ Run STP in RSTP mode, make sure the core switch is the root bridge, and configure the user-facing ports as edge ports to speed up convergence

stp mode rstp      //run RSTP
stp priority 0     //set the priority to 0; the lowest value wins the root election
port-group g e0/0/2 to e0/0/3     //create a port group
stp edged-port enable     //enable edge ports to speed up convergence
⑥ Configure root-bridge protection so the root role cannot be taken over
On access switches SW2 and SW3
stp bpdu-protection     //edge-port BPDU protection
⑦ All users obtain IP addresses automatically
[hexinSW1]dhcp enable     //enable the DHCP service
[hexinSW1]ip pool VLAN_10     //create the address pool for VLAN 10
[hexinSW1-ip-pool-vlan_10]network 192.168.10.0 mask 24     //network and subnet mask
[hexinSW1-ip-pool-vlan_10]gateway-list 192.168.10.1     //gateway address
[hexinSW1-ip-pool-vlan_10]dns-list 8.8.8.8     //DNS server address
[hexinSW1-ip-pool-vlan_10]quit     //exit
[hexinSW1]ip pool VLAN_30     //create the address pool for VLAN 30
[hexinSW1-ip-pool-vlan_30]network 192.168.30.0 mask 24     //network and subnet mask
[hexinSW1-ip-pool-vlan_30]gateway-list 192.168.30.1     //gateway address
[hexinSW1-ip-pool-vlan_30]dns-list 8.8.8.8     //DNS server address
[hexinSW1-ip-pool-vlan_30]quit     //exit
[hexinSW1]int Vlan10     //enter VLANIF 10
[hexinSW1-Vlanif10]dhcp select global     //serve DHCP clients from the global address pool
[hexinSW1-Vlanif10]quit     //exit
[hexinSW1]int vlan30     //enter VLANIF 30
[hexinSW1-Vlanif30]dhcp select global     //serve DHCP clients from the global address pool
[hexinSW1-Vlanif30]quit     //exit
[hexinSW1]
⑧ At the corporate egress, publish TCP port 80 of the internal server so that external users can reach it
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www
⑨ The finance server may only be accessed by finance department staff (VLAN 30)
[hexinSW1]acl number 3000
[hexinSW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0
[hexinSW1-acl-adv-3000]rule deny ip destination 192.168.200.20 0
[hexinSW1-acl-adv-3000]quit
[hexinSW1]interface g0/0/2
[hexinSW1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000
[hexinSW1-GigabitEthernet0/0/2]quit
[hexinSW1]

Lab steps:

Web server

IP: 192.168.200.10
Subnet mask: 255.255.255.0
Gateway: 192.168.200.1

Finance server

IP: 192.168.200.20
Subnet mask: 255.255.255.0
Gateway: 192.168.200.1

Access switch SW2

system-view     //enter system view
[Huawei]undo info-center enable     //disable information-center messages
[Huawei]sysname jrcSW2     //rename the device
[jrcSW2]vlan 10     //create VLAN 10
[jrcSW2-vlan10]vlan 30     //create VLAN 30
[jrcSW2-vlan30]quit     //exit
[jrcSW2]interface g0/0/2     //enter the interface
[jrcSW2-GigabitEthernet0/0/2]port link-type access     //set the link type to access
[jrcSW2-GigabitEthernet0/0/2]port default vlan 10     //place the port in VLAN 10
[jrcSW2-GigabitEthernet0/0/2]quit     //exit
[jrcSW2]interface e0/0/3     //enter the interface
[jrcSW2-Ethernet0/0/3]port link-type access     //set the link type to access
[jrcSW2-Ethernet0/0/3]port default vlan 30     //place the port in VLAN 30
[jrcSW2-Ethernet0/0/3]quit     //exit
[jrcSW2]interface e0/0/1     //enter the interface
[jrcSW2-Ethernet0/0/1]port link-type trunk     //set the link type to trunk
[jrcSW2-Ethernet0/0/1]port trunk allow-pass vlan 10 30     //allow VLAN 10 and VLAN 30 on the trunk
[jrcSW2-Ethernet0/0/1]quit     //exit
[jrcSW2]

Access switch SW3

system-view     //enter system view
[Huawei]undo info-center enable     //disable information-center messages
[Huawei]sysname jrcSW3     //rename the device
[jrcSW3]vlan 200     //create VLAN 200
[jrcSW3-vlan200]quit     //exit
[jrcSW3]interface e0/0/2     //enter the interface
[jrcSW3-Ethernet0/0/2]port link-type access     //set the link type to access
[jrcSW3-Ethernet0/0/2]port default vlan 200     //place the port in VLAN 200
[jrcSW3-Ethernet0/0/2]quit     //exit
[jrcSW3]interface e0/0/3     //enter the interface
[jrcSW3-Ethernet0/0/3]port link-type access     //set the link type to access
[jrcSW3-Ethernet0/0/3]port default vlan 200     //place the port in VLAN 200
[jrcSW3-Ethernet0/0/3]quit     //exit
[jrcSW3]interface e0/0/1     //enter the interface
[jrcSW3-Ethernet0/0/1]port link-type trunk     //set the link type to trunk
[jrcSW3-Ethernet0/0/1]port trunk allow-pass vlan 200     //allow VLAN 200 on the trunk
[jrcSW3-Ethernet0/0/1]quit     //exit
[jrcSW3]

Core switch SW1

system-view     //enter system view
[Huawei]undo info-center enable     //disable information-center messages
[Huawei]sysname hexinSW1     //rename the device
[hexinSW1]vlan batch 10 30 200     //create VLAN 10, VLAN 30 and VLAN 200
[hexinSW1]interface g0/0/1     //enter the interface
[hexinSW1-GigabitEthernet0/0/1]port link-type trunk     //set the link type to trunk
[hexinSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30     //allow VLAN 10 and VLAN 30 on the trunk
[hexinSW1-GigabitEthernet0/0/1]quit     //exit
[hexinSW1]interface g0/0/2     //enter the interface
[hexinSW1-GigabitEthernet0/0/2]port link-type trunk     //set the link type to trunk
[hexinSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 200     //allow VLAN 200 on the trunk
[hexinSW1-GigabitEthernet0/0/2]quit     //exit
[hexinSW1]

Core switch SW1 (verify the VLAN configuration)

[hexinSW1]dis vlan     //display the VLAN configuration
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports                                                          
--------------------------------------------------------------------------------
1    common  UT:GE0/0/1(U)      GE0/0/2(U)      GE0/0/3(U)      GE0/0/4(D)      
                GE0/0/5(D)      GE0/0/6(D)      GE0/0/7(D)      GE0/0/8(D)      
                GE0/0/9(D)      GE0/0/10(D)     GE0/0/11(D)     GE0/0/12(D)     
                GE0/0/13(D)     GE0/0/14(D)     GE0/0/15(D)     GE0/0/16(D)     
                GE0/0/17(D)     GE0/0/18(D)     GE0/0/19(D)     GE0/0/20(D)     
                GE0/0/21(D)     GE0/0/22(D)     GE0/0/23(D)     GE0/0/24(D)     

10   common  TG:GE0/0/1(U)                                                      

30   common  TG:GE0/0/1(U)                                                      

200  common  TG:GE0/0/2(U)                                                      


VID  Status  Property      MAC-LRN Statistics Description      
--------------------------------------------------------------------------------

1    enable  default       enable  disable    VLAN 0001                         
10   enable  default       enable  disable    VLAN 0010                         
30   enable  default       enable  disable    VLAN 0030                         
200  enable  default       enable  disable    VLAN 0200                         
[hexinSW1]
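As an added check (example code written for this write-up, not part of the original lab), the port table of the `display vlan` output above can be parsed and compared against the VLANs each trunk is expected to carry. The sample text inside the block is the hexinSW1 output shown above; the expected-membership map passed to `missing_tagged` is an assumption made for the check. At this point in the lab VLAN 999 has not yet been allowed on the trunks, so the check reports it as missing on both uplinks.

```python
"""Parse the port table of a Huawei VRP `display vlan` and check trunk VLAN membership.

Added example for this lab write-up, not code from the original page. The sample
output below is copied from the `display vlan` of core switch hexinSW1 shown above.
"""
import re

DISPLAY_VLAN = """\
VID  Type    Ports
--------------------------------------------------------------------------------
1    common  UT:GE0/0/1(U)      GE0/0/2(U)      GE0/0/3(U)      GE0/0/4(D)
                GE0/0/5(D)      GE0/0/6(D)      GE0/0/7(D)      GE0/0/8(D)
                GE0/0/9(D)      GE0/0/10(D)     GE0/0/11(D)     GE0/0/12(D)
                GE0/0/13(D)     GE0/0/14(D)     GE0/0/15(D)     GE0/0/16(D)
                GE0/0/17(D)     GE0/0/18(D)     GE0/0/19(D)     GE0/0/20(D)
                GE0/0/21(D)     GE0/0/22(D)     GE0/0/23(D)     GE0/0/24(D)

10   common  TG:GE0/0/1(U)

30   common  TG:GE0/0/1(U)

200  common  TG:GE0/0/2(U)


VID  Status  Property      MAC-LRN Statistics Description
"""

# One port token: optional "UT:"/"TG:" prefix, interface name, and (U)p/(D)own state.
PORT_RE = re.compile(r"(?:(UT|TG):)?([A-Za-z]+\d+(?:/\d+)*)\(([UD])\)")
# A VLAN row starts with the numeric VID in column 0.
VID_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")


def parse_display_vlan(text):
    """Return {vid: {port: (mode, state)}} with mode 'TG'/'UT' and state 'U'/'D'."""
    vlans = {}
    current = None
    mode = None
    for line in text.splitlines():
        if line.startswith("VID  Status"):
            break  # the second table (status/property) is not needed here
        m = VID_RE.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {}
            mode = None
            rest = m.group(3)
        elif current is not None and line.startswith(" "):
            rest = line  # continuation line of the previous VID's port list
        else:
            continue
        for prefix, port, state in PORT_RE.findall(rest):
            if prefix:
                mode = prefix  # a prefix applies to every following port until the next prefix
            vlans[current][port] = (mode, state)
    return vlans


def missing_tagged(vlans, expected):
    """expected: {port: set(vids)}. Return {port: [vids]} for VLANs not tagged on that port."""
    missing = {}
    for port, vids in expected.items():
        gone = sorted(v for v in vids if vlans.get(v, {}).get(port, (None, None))[0] != "TG")
        if gone:
            missing[port] = gone
    return missing


def untagged_vlan1_up_ports(vlans):
    """Up ports still carrying VLAN 1 untagged (VRP's default PVID on access and trunk ports)."""
    return sorted(p for p, (mode, state) in vlans.get(1, {}).items() if mode == "UT" and state == "U")


if __name__ == "__main__":
    table = parse_display_vlan(DISPLAY_VLAN)
    # Expected trunk membership from the lab design (an assumption for this check).
    print(missing_tagged(table, {"GE0/0/1": {10, 30, 999}, "GE0/0/2": {200, 999}}))
    print(untagged_vlan1_up_ports(table))
```

The last function exists because the table shows VLAN 1 untagged on the two trunks GE0/0/1 and GE0/0/2 as well as on GE0/0/3: that is VRP's default trunk PVID, and listing those ports makes the default visible for review rather than leaving it buried in the 24-port VLAN 1 row.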

Core switch SW1 (configure the SVIs)

[hexinSW1]int vlan 10     //enter VLANIF 10
[hexinSW1-Vlanif10]ip address 192.168.10.1 24     //set the IP address
[hexinSW1-Vlanif10]quit     //exit
[hexinSW1]int vlan 30     //enter VLANIF 30
[hexinSW1-Vlanif30]ip address 192.168.30.1 24     //set the IP address
[hexinSW1-Vlanif30]quit     //exit
[hexinSW1]int vlan 200     //enter VLANIF 200
[hexinSW1-Vlanif200]ip address 192.168.200.1 24     //set the IP address
[hexinSW1-Vlanif200]quit     //exit
[hexinSW1]

Core switch SW1 (verify the SVI configuration)

[hexinSW1]dis ip int brief     //display the interface IP summary
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol  
MEth0/0/1                         unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Vlanif1                           unassigned           up         down      
Vlanif10                          192.168.10.1/24      up         up        
Vlanif30                          192.168.30.1/24      up         up        
Vlanif200                         192.168.200.1/24     up         up        
[hexinSW1]

Core switch SW1 (create the address pools)

[hexinSW1]dhcp enable     //enable the DHCP service
[hexinSW1]ip pool VLAN_10     //create the address pool for VLAN 10
[hexinSW1-ip-pool-vlan_10]network 192.168.10.0 mask 24     //network and subnet mask
[hexinSW1-ip-pool-vlan_10]gateway-list 192.168.10.1     //gateway address
[hexinSW1-ip-pool-vlan_10]dns-list 8.8.8.8     //DNS server address
[hexinSW1-ip-pool-vlan_10]quit     //exit
[hexinSW1]ip pool VLAN_30     //create the address pool for VLAN 30
[hexinSW1-ip-pool-vlan_30]network 192.168.30.0 mask 24     //network and subnet mask
[hexinSW1-ip-pool-vlan_30]gateway-list 192.168.30.1     //gateway address
[hexinSW1-ip-pool-vlan_30]dns-list 8.8.8.8     //DNS server address
[hexinSW1-ip-pool-vlan_30]quit     //exit
[hexinSW1]

Core switch SW1 (serve DHCP clients from the global address pools)

[hexinSW1]int Vlan10     //enter VLANIF 10
[hexinSW1-Vlanif10]dhcp select global     //serve DHCP clients from the global address pool
[hexinSW1-Vlanif10]quit     //exit
[hexinSW1]int vlan30     //enter VLANIF 30
[hexinSW1-Vlanif30]dhcp select global     //serve DHCP clients from the global address pool
[hexinSW1-Vlanif30]quit     //exit
[hexinSW1]
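The SVI addresses, the DHCP pools and R1's return route all have to agree with one another, and mistakes in that agreement (a pool gateway that no SVI answers for, two VLANs in overlapping subnets, an internal subnet that R1's return route does not cover) only show up later as clients that cannot reach anything. The following added example, written for this write-up and not part of the original lab, cross-checks the plan with Python's `ipaddress` module. The values are the ones configured on this page, including the VLANIF 800/999 addresses and the return route that appear further down; the check functions are this example's own.

```python
"""Cross-check the lab's VLAN, SVI, DHCP and return-route address plan.

Added example, not from the original write-up. The values are the ones configured
on this page; the check functions themselves are this example's own.
"""
import ipaddress

# SVI addresses configured on core switch hexinSW1 (VLANIF 800/999 are added later on the page).
SVI = {
    10: "192.168.10.1/24",
    30: "192.168.30.1/24",
    200: "192.168.200.1/24",
    800: "192.168.254.1/24",
    999: "192.168.255.1/24",
}
# DHCP global pools: name -> (network, gateway-list)
DHCP_POOLS = {
    "VLAN_10": ("192.168.10.0/24", "192.168.10.1"),
    "VLAN_30": ("192.168.30.0/24", "192.168.30.1"),
}
# R1: ip route-static 192.168.0.0 255.255.0.0 192.168.254.1 (return route toward the core)
RETURN_ROUTE = "192.168.0.0/16"


def check_plan(svi=SVI, pools=DHCP_POOLS, return_route=RETURN_ROUTE):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {vid: ipaddress.ip_interface(addr).network for vid, addr in svi.items()}
    svi_addrs = {ipaddress.ip_interface(addr).ip for addr in svi.values()}

    # 1. No two SVIs may sit in overlapping subnets, or inter-VLAN routing becomes ambiguous.
    vids = sorted(nets)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} ({nets[a]}) overlaps VLAN {b} ({nets[b]})")

    # 2. Each DHCP pool's gateway-list must lie inside the pool's network and be an SVI address,
    #    otherwise clients are handed a default gateway that nothing answers for.
    for name, (net, gw) in pools.items():
        network = ipaddress.ip_network(net)
        gateway = ipaddress.ip_address(gw)
        if gateway not in network:
            problems.append(f"pool {name}: gateway {gateway} is outside {network}")
        elif gateway not in svi_addrs:
            problems.append(f"pool {name}: gateway {gateway} is not configured as an SVI")

    # 3. Every internal subnet must be covered by R1's route back to the core,
    #    otherwise replies from the Internet are dropped at R1.
    covered = ipaddress.ip_network(return_route)
    for vid, net in nets.items():
        if not net.subnet_of(covered):
            problems.append(f"VLAN {vid} ({net}) is not covered by return route {covered}")
    return problems


def usable_hosts(vid, svi=SVI):
    """Addresses a DHCP pool can hand out on a VLAN: the subnet's hosts minus the gateway."""
    iface = ipaddress.ip_interface(svi[vid])
    return sum(1 for h in iface.network.hosts() if h != iface.ip)


if __name__ == "__main__":
    print(check_plan() or "address plan is consistent")
    print(usable_hosts(10), "leasable addresses in VLAN 10")
```

Run as-is it reports no problems; passing a modified `pools` or `svi` mapping (for example a pool whose gateway-list points into another VLAN's subnet) shows how each class of mismatch is flagged.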

PC1 (check whether an IP address was obtained automatically)

PC>ipconfig     //show the IP configuration

Link local IPv6 address...........: fe80::5689:98ff:feae:2f40
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.10.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.10.1
Physical address..................: 54-89-98-AE-2F-40
DNS server........................: 8.8.8.8

PC2 (check whether an IP address was obtained automatically)

PC>ipconfig     //show the IP configuration

Link local IPv6 address...........: fe80::5689:98ff:fed6:31e8
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.30.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.30.1
Physical address..................: 54-89-98-D6-31-E8
DNS server........................: 8.8.8.8

Core switch SW1

[hexinSW1]aaa     //enter AAA view
[hexinSW1-aaa]local-user admin password cipher admin@123     //create the user name and password
[hexinSW1-aaa]local-user admin privilege level 3     //set the user privilege level
[hexinSW1-aaa]local-user admin service-type telnet     //allow telnet access for this user
[hexinSW1-aaa]quit     //exit
[hexinSW1]user-interface vty 0 4     //enter the VTY lines
[hexinSW1-ui-vty0-4]authentication-mode aaa     //use AAA authentication
[hexinSW1-ui-vty0-4]quit     //exit
[hexinSW1]

Access switch SW2

[jrcSW2]aaa     //enter AAA view
[jrcSW2-aaa]local-user admin password cipher admin@123     //create the user name and password
[jrcSW2-aaa]local-user admin privilege level 3     //set the user privilege level
[jrcSW2-aaa]local-user admin service-type telnet     //allow telnet access for this user
[jrcSW2-aaa]quit     //exit
[jrcSW2]user-interface vty 0 4     //enter the VTY lines
[jrcSW2-ui-vty0-4]authentication-mode aaa     //use AAA authentication
[jrcSW2-ui-vty0-4]quit     //exit
[jrcSW2]

Access switch SW3

[jrcSW3]aaa     //enter AAA view
[jrcSW3-aaa]local-user admin password cipher admin@123     //create the user name and password
[jrcSW3-aaa]local-user admin privilege level 3     //set the user privilege level
[jrcSW3-aaa]local-user admin service-type telnet     //allow telnet access for this user
[jrcSW3-aaa]quit     //exit
[jrcSW3]user-interface vty 0 4     //enter the VTY lines
[jrcSW3-ui-vty0-4]authentication-mode aaa     //use AAA authentication
[jrcSW3-ui-vty0-4]quit     //exit
[jrcSW3]

Egress router R1

system-view
[Huawei]undo info-center enable
[Huawei]sysname R1
[R1]aaa     //enter AAA view
[R1-aaa]local-user admin password cipher admin@123     //create the user name and password
[R1-aaa]local-user admin privilege level 3     //set the user privilege level
[R1-aaa]local-user admin service-type telnet     //allow telnet access for this user
[R1-aaa]quit     //exit
[R1]user-interface vty 0 4     //enter the VTY lines
[R1-ui-vty0-4]authentication-mode aaa     //use AAA authentication
[R1-ui-vty0-4]quit     //exit
[R1]

Core switch SW1 (configure the management VLAN)

[hexinSW1]vlan 999     //create management VLAN 999
[hexinSW1-vlan999]quit     //exit
[hexinSW1]int vlan 999     //enter VLANIF 999
[hexinSW1-Vlanif999]ip address 192.168.255.1 24     //set the management address
[hexinSW1-Vlanif999]quit     //exit
[hexinSW1]

Access switch SW2 (configure the management VLAN)

[jrcSW2]vlan 999     //create management VLAN 999
[jrcSW2-vlan999]quit     //exit
[jrcSW2]int vlan 999     //enter VLANIF 999
[jrcSW2-Vlanif999]ip address 192.168.255.2 24     //set the management address
[jrcSW2-Vlanif999]quit     //exit
[jrcSW2]

Access switch SW3 (configure the management VLAN)

[jrcSW3]vlan 999     //create management VLAN 999
[jrcSW3-vlan999]quit     //exit
[jrcSW3]int vlan 999     //enter VLANIF 999
[jrcSW3-Vlanif999]ip address 192.168.255.3 24     //set the management address
[jrcSW3-Vlanif999]quit     //exit
[jrcSW3]

Access switch SW2 (return route)

[jrcSW2]ip route-static 0.0.0.0 0 192.168.255.1     //default route so management replies can return

Access switch SW3 (return route)

[jrcSW3]ip route-static 0.0.0.0 0 192.168.255.1     //default route so management replies can return

Core switch SW1 (allow the management VLAN on the trunks)

[hexinSW1]interface g0/0/1     //enter the interface
[hexinSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 999     //allow VLAN 999 on the trunk
[hexinSW1-GigabitEthernet0/0/1]quit     //exit
[hexinSW1]interface g0/0/2     //enter the interface
[hexinSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 999     //allow VLAN 999 on the trunk
[hexinSW1-GigabitEthernet0/0/2]quit     //exit
[hexinSW1]

Access switch SW2 (allow the management VLAN on the trunk)

[jrcSW2]interface e0/0/1     //enter the interface
[jrcSW2-Ethernet0/0/1]port trunk allow-pass vlan 999     //allow VLAN 999 on the trunk
[jrcSW2-Ethernet0/0/1]quit     //exit
[jrcSW2]

Access switch SW3 (allow the management VLAN on the trunk)

[jrcSW3]interface e0/0/1     //enter the interface
[jrcSW3-Ethernet0/0/1]port trunk allow-pass vlan 999     //allow VLAN 999 on the trunk
[jrcSW3-Ethernet0/0/1]quit     //exit
[jrcSW3]

Core switch SW1 (test telnet to the two access switches)

telnet 192.168.255.2     //log in remotely to access switch SW2
Trying 192.168.255.2 ...
Press CTRL+K to abort
Connected to 192.168.255.2 ...


Login authentication


Username:admin     //enter the user name
Password:          //enter the password
Info: The max number of VTY users is 5, and the number
      of current VTY users on line is 1.
      The current login time is 2019-12-16 13:43:48.
quit     //exit
Info: The max number of VTY users is 5, and the number
      of current VTY users on line is 0.
Info: The connection was closed by the remote host.
telnet 192.168.255.3     //log in remotely to access switch SW3
Trying 192.168.255.3 ...
Press CTRL+K to abort
Connected to 192.168.255.3 ...


Login authentication


Username:admin     //enter the user name
Password:          //enter the password
Info: The max number of VTY users is 5, and the number
      of current VTY users on line is 1.
      The current login time is 2019-12-16 13:44:03.
quit
Info: The max number of VTY users is 5, and the number
      of current VTY users on line is 0.
Info: The connection was closed by the remote host.

Core switch SW1 (configure the SVI facing the egress router R1)

[hexinSW1]interface g0/0/3     //enter the interface
[hexinSW1-GigabitEthernet0/0/3]port link-type access     //set the link type to access
[hexinSW1-GigabitEthernet0/0/3]port default vlan 800     //place the port in VLAN 800
[hexinSW1-GigabitEthernet0/0/3]quit     //exit
[hexinSW1]int vlan 800     //enter VLANIF 800
[hexinSW1-Vlanif800]ip address 192.168.254.1 24     //set the IP address
[hexinSW1-Vlanif800]quit     //exit
[hexinSW1]

Core switch SW1 (configure the default route)

[hexinSW1]ip route-static 0.0.0.0 0 192.168.254.2     //default route toward R1

Egress router R1 (set the IP addresses)

[R1]interface g0/0/0     //enter the interface
[R1-GigabitEthernet0/0/0]ip address 192.168.254.2 24     //set the IP address
[R1-GigabitEthernet0/0/0]quit     //exit
[R1]interface g0/0/1     //enter the interface
[R1-GigabitEthernet0/0/1]ip address 12.1.1.1 29     //set the IP address
[R1-GigabitEthernet0/0/1]quit     //exit
[R1]

R1 (test whether core switch SW1 can be pinged)

[R1]ping 192.168.254.1
  PING 192.168.254.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.254.1: bytes=56 Sequence=1 ttl=255 time=90 ms
    Reply from 192.168.254.1: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 192.168.254.1: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 192.168.254.1: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 192.168.254.1: bytes=56 Sequence=5 ttl=255 time=20 ms

  --- 192.168.254.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/40/90 ms

ISP router R2

system-view     //enter system view
[Huawei]undo info-center enable     //disable information-center messages
[Huawei]interface g0/0/0     //enter the interface
[Huawei-GigabitEthernet0/0/0]ip address 12.1.1.2 29     //set the IP address
[Huawei-GigabitEthernet0/0/0]quit     //exit
[Huawei]interface LoopBack 0     //enter the loopback interface
[Huawei-LoopBack0]ip address 9.9.9.9 24     //set the IP address
[Huawei-LoopBack0]quit     //exit
[Huawei]

Egress router R1 (configure NAT)

[R1]acl number 2000     //create ACL 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255     //permit sources in 192.168.0.0/16
[R1-acl-basic-2000]quit     //exit
[R1]interface g0/0/1     //enter the interface
[R1-GigabitEthernet0/0/1]nat outbound 2000     //apply NAT on the outbound (WAN) interface
[R1-GigabitEthernet0/0/1]quit     //exit
[R1]

Egress router R1 (default route)

[R1]ip route-static 0.0.0.0 0 12.1.1.6     //default route for outbound packets
[R1]ip route-static 192.168.0.0 255.255.0.0 192.168.254.1     //send return packets to core switch SW1

PC1 (test whether 9.9.9.9 can be pinged)

PC>ping 9.9.9.9     //test reachability of 9.9.9.9

Ping 9.9.9.9: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 9.9.9.9: bytes=32 seq=2 ttl=253 time=78 ms     //reply received
From 9.9.9.9: bytes=32 seq=3 ttl=253 time=63 ms
From 9.9.9.9: bytes=32 seq=4 ttl=253 time=47 ms
From 9.9.9.9: bytes=32 seq=5 ttl=253 time=47 ms

--- 9.9.9.9 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/58/78 ms

PC2 (test whether 9.9.9.9 can be pinged)

PC>ping 9.9.9.9     //test reachability of 9.9.9.9

Ping 9.9.9.9: 32 data bytes, Press Ctrl_C to break
From 9.9.9.9: bytes=32 seq=1 ttl=253 time=78 ms     //reply received
From 9.9.9.9: bytes=32 seq=2 ttl=253 time=47 ms
From 9.9.9.9: bytes=32 seq=3 ttl=253 time=62 ms
From 9.9.9.9: bytes=32 seq=4 ttl=253 time=47 ms
From 9.9.9.9: bytes=32 seq=5 ttl=253 time=62 ms

--- 9.9.9.9 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/59/78 ms

Core switch SW1 (run STP in RSTP mode)

[hexinSW1]stp mode rstp     //run RSTP mode

Access switch SW2 (run STP in RSTP mode)

[jrcSW2]stp mode rstp     //run RSTP mode

Access switch SW3 (run STP in RSTP mode)

[jrcSW3]stp mode rstp     //run RSTP mode

Core switch SW1 (set the bridge priority; the lower the value, the higher the precedence)

[hexinSW1]stp priority 0     //set the priority

Access switch SW2 (configure the user-facing ports as edge ports to speed up convergence)

[jrcSW2]port-group g e0/0/2 to e0/0/3     //create a port group
[jrcSW2-port-group]stp edged-port enable     //enable edge ports
[jrcSW2-Ethernet0/0/2]stp edged-port enable     //echoed by VRP for each member port
[jrcSW2-Ethernet0/0/3]stp edged-port enable     //echoed by VRP for each member port
[jrcSW2-port-group]quit     //exit
[jrcSW2]

Access switch SW3 (configure the user-facing ports as edge ports to speed up convergence)

[jrcSW3]port-group g e0/0/2 to e0/0/3     //create a port group
[jrcSW3-port-group]stp edged-port enable     //enable edge ports
[jrcSW3-Ethernet0/0/2]stp edged-port enable     //echoed by VRP for each member port
[jrcSW3-Ethernet0/0/3]stp edged-port enable     //echoed by VRP for each member port
[jrcSW3-port-group]quit     //exit
[jrcSW3]

Access switch SW2 (configure root-bridge protection so the root role cannot be taken over)

[jrcSW2]stp bpdu-protection     //edge-port BPDU protection

Access switch SW3 (configure root-bridge protection so the root role cannot be taken over)

[jrcSW3]stp bpdu-protection     //edge-port BPDU protection
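The two settings above work together: `stp priority 0` wins the root election because RSTP compares the bridge ID (priority first, MAC address as tie-breaker), and `stp bpdu-protection` keeps a BPDU that shows up on a user-facing edge port from ever taking part in that election by putting the port into error-down. The following added example, written for this write-up and not part of the original lab, models both behaviours in Python; the switch names, priorities and port roles are the ones configured on this page, while the MAC addresses are constructed placeholders.

```python
"""Model RSTP root election and what `stp bpdu-protection` does on an edge port.

Added example, not from the original lab. Bridge MAC addresses are constructed
placeholders; priorities and port roles follow the configuration on this page.
"""
from dataclasses import dataclass, field


@dataclass
class Bridge:
    name: str
    mac: str                       # constructed placeholder, e.g. "4c1f-cc00-0001"
    priority: int = 32768          # VRP default bridge priority
    edge_ports: set = field(default_factory=set)
    bpdu_protection: bool = False  # `stp bpdu-protection` configured?
    error_down: set = field(default_factory=set)

    def bridge_id(self):
        """RSTP bridge ID ordering: priority first, then the MAC address breaks ties."""
        return (self.priority, int(self.mac.replace("-", ""), 16))


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID becomes the root bridge."""
    return min(bridges, key=Bridge.bridge_id).name


def receive_bpdu(bridge, port):
    """What a switch does when a BPDU arrives on `port`.

    'participate': normal STP port, the BPDU takes part in the election.
    'error-down':  edge port with bpdu-protection: the port is shut (error-down) and the
                   BPDU is never processed, so the root role cannot be taken over from there.
    'lose-edge':   edge port without protection falls back to a normal STP port and the
                   BPDU is processed like on any other port.
    """
    if port not in bridge.edge_ports:
        return "participate"
    if bridge.bpdu_protection:
        bridge.error_down.add(port)
        return "error-down"
    bridge.edge_ports.discard(port)
    return "lose-edge"


def lab_topology():
    """The three switches as configured in this lab (MACs are placeholders)."""
    core = Bridge("hexinSW1", "4c1f-cc00-0003", priority=0)
    sw2 = Bridge("jrcSW2", "4c1f-cc00-0001",
                 edge_ports={"Ethernet0/0/2", "Ethernet0/0/3"}, bpdu_protection=True)
    sw3 = Bridge("jrcSW3", "4c1f-cc00-0002",
                 edge_ports={"Ethernet0/0/2", "Ethernet0/0/3"}, bpdu_protection=True)
    return [core, sw2, sw3]


if __name__ == "__main__":
    switches = lab_topology()
    print("root with priority 0 on the core:", elect_root(switches))
    # With default priorities everywhere, the lowest MAC would win instead.
    print("root with default priorities:", elect_root([Bridge(b.name, b.mac) for b in switches]))
    sw2 = switches[1]
    print("BPDU on user port:", receive_bpdu(sw2, "Ethernet0/0/2"), sw2.error_down)
    print("BPDU on uplink:", receive_bpdu(sw2, "Ethernet0/0/1"))
```

The placeholder MACs are chosen so that, with every switch left at the default priority of 32768, jrcSW2 would win the election; that is the situation `stp priority 0` on the core is meant to rule out. Note that bpdu-protection only covers ports configured as edge ports, so the uplink e0/0/1 still processes BPDUs normally, which is exactly what the trunk toward the core needs.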

Egress router R1 (publish TCP port 80 of the internal server at the corporate egress so external users can reach it)

[R1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www     //map port 80 of the internal web server to the public address so external users can reach it

Core switch SW1 (the finance server may only be accessed by finance department staff in VLAN 30)

[hexinSW1]acl number 3000     //create ACL 3000
[hexinSW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0     //permit 192.168.30.0/24 to reach 192.168.200.20
[hexinSW1-acl-adv-3000]rule deny ip destination 192.168.200.20 0     //deny everyone else to destination 192.168.200.20
[hexinSW1-acl-adv-3000]quit     //exit
[hexinSW1]interface g0/0/2     //enter the interface
[hexinSW1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000     //apply ACL 3000 outbound on the interface toward the server switch
[hexinSW1-GigabitEthernet0/0/2]quit     //exit
[hexinSW1]
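Both ACLs in this lab (ACL 2000 selecting sources for `nat outbound`, and ACL 3000 guarding the finance server) use wildcard masks, where a 0 bit must match and a 1 bit is ignored, and both depend on VRP's first-match rule order. The following added example, written for this write-up and not part of the original lab, evaluates the two ACLs exactly as configured on this page against the addresses used in the ping tests; the evaluation code is this example's own model of VRP behaviour, and the host 192.168.255.2 used as a "management" source is the SW2 management address from the page.

```python
"""Evaluate the lab's two ACLs (NAT ACL 2000 and finance-server ACL 3000) with wildcard masks.

Added example, not part of the original write-up. The rules are the ones configured
on this page; the evaluation logic is this example's own model of VRP behaviour.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei/Cisco wildcard mask: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Rule format: (action, src_base, src_wildcard, dst_base, dst_wildcard); None means "any".
# [R1] acl number 2000 / rule permit source 192.168.0.0 0.0.255.255
ACL_2000 = [("permit", "192.168.0.0", "0.0.255.255", None, None)]
# [hexinSW1] acl number 3000
ACL_3000 = [
    ("permit", "192.168.30.0", "0.0.0.255", "192.168.200.20", "0.0.0.0"),
    ("deny", None, None, "192.168.200.20", "0.0.0.0"),
]


def evaluate(acl, src, dst):
    """First matching rule wins; return its action, or None when no rule matches."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if s_base is not None and not wildcard_match(src, s_base, s_wc):
            continue
        if d_base is not None and not wildcard_match(dst, d_base, d_wc):
            continue
        return action
    return None


def translated_by_nat(src):
    """`nat outbound 2000`: only sources matched by a permit rule are translated."""
    return evaluate(ACL_2000, src, "0.0.0.0") == "permit"


def finance_filter(src, dst):
    """`traffic-filter outbound acl 3000`: on VRP, traffic matching no rule is permitted."""
    verdict = evaluate(ACL_3000, src, dst)
    return "permit" if verdict is None else verdict


def lab_results():
    """The two ping tests from the page plus two cases the rules leave to the default."""
    return {
        "PC1 -> finance": finance_filter("192.168.10.2", "192.168.200.20"),
        "PC2 -> finance": finance_filter("192.168.30.2", "192.168.200.20"),
        "PC1 -> web": finance_filter("192.168.10.2", "192.168.200.10"),
        "mgmt -> finance": finance_filter("192.168.255.2", "192.168.200.20"),
    }


if __name__ == "__main__":
    for case, verdict in lab_results().items():
        print(f"{case:16} {verdict}")
    print("NAT for 192.168.30.2:", translated_by_nat("192.168.30.2"))
    print("NAT for 12.1.1.4:", translated_by_nat("12.1.1.4"))
```

Two points the model makes visible. First, the implicit default differs by feature: a packet that matches no rule of ACL 2000 is simply forwarded without translation, while a packet that matches no rule of ACL 3000 is permitted, which is why PC1 can still reach the web server. Second, the filter sits on the core's g0/0/2, so it only sees traffic the core routes toward SW3: both servers are in VLAN 200 on SW3, so traffic from the web server (which `nat server` exposes to the Internet) to the finance server never crosses the core and is not covered by ACL 3000 at all; protecting that path needs a control on SW3 or on the finance server itself.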

PC1 (test whether the finance server can be pinged)

PC>ping 192.168.200.20     //ping the finance server

Ping 192.168.200.20: 32 data bytes, Press Ctrl_C to break
Request timeout!     //no reply
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.200.20 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC2 (test whether the finance server can be pinged)

PC>ping 192.168.200.20     //ping the finance server

Ping 192.168.200.20: 32 data bytes, Press Ctrl_C to break
From 192.168.200.20: bytes=32 seq=1 ttl=254 time=78 ms     //reply received
From 192.168.200.20: bytes=32 seq=2 ttl=254 time=47 ms
From 192.168.200.20: bytes=32 seq=3 ttl=254 time=62 ms
From 192.168.200.20: bytes=32 seq=4 ttl=254 time=62 ms
From 192.168.200.20: bytes=32 seq=5 ttl=254 time=63 ms

--- 192.168.200.20 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/62/78 ms
