For 琴院 only:
2. Initialization
Following the topology, rename each device; set the privileged (enable) secret to network; create a local user student with secret net123; stop mistyped commands from being treated as hostnames and stalling on DNS lookups; set the line timeout to 10 minutes 50 seconds; enable logging synchronous; the console line logs in with the password cisco; the vty lines log in against the local user database.
3. VTP
VTP domain name netcisco, VTP password 123cisco.
SW2 is the server and SW3 and SW4 are clients; SW5 and SW6 are servers and SW7 and SW8 are clients.
4. Spanning tree
SW2 is the root bridge for VLANs 1, 6, 10 and 30; SW3 is the secondary root for VLANs 6 and 30; SW4 is the secondary root for VLAN 10; implemented by setting the bridge priority directly.
SW5 is the root bridge for VLANs 1, 20, 25 and 99; SW6 is the secondary root for VLANs 1, 20, 25 and 99; implemented by setting the bridge priority directly.
So that users can receive data as soon as they connect, access ports use PortFast.
5. To avoid a bottleneck in the underlying data path, use link aggregation (EtherChannel) between SW3 and SW4.
6. HSRP
SW5 and SW6 use hot standby (HSRP) to keep the network available. Priority 110, with preempt. Virtual gateway addresses: .20.1, .25.1, .99.254.
7. The whole network runs EIGRP with autonomous system 1. To let internal users reach the Internet, propagate the default route through the dynamic routing protocol.
8. To keep data private, an IPsec VPN and GRE tunnels are built between R1 and R2, and between R1 and R3. The parameters follow (the peer side uses the same settings):
R1-R2
Phase 1: policy 1, authentication pre-share, encryption aes, DH group 2. Pre-shared key cisco.
Phase 2: transform set esp-aes esp-sha-hmac, named VPN.
Crypto map named R1-R2, applied to the corresponding interface.
R1-R3
Phase 1: policy 2, authentication pre-share, encryption aes, DH group 2. Pre-shared key cisco01.
Phase 2: transform set esp-aes esp-sha-hmac, named VPN-1.
Crypto map named R1-R3, applied to the corresponding interface.
(Note that the interesting-traffic ACL carries the same name as its crypto map; it lets the internal networks of R2 and R3 reach R1's .0 subnet; on R2 the entries are written in the order 6, 30, 10, while in every other area they go from the smallest subnet to the largest.)
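As an added example (not part of the lab handout), a small Python check that parses the IPsec-relevant lines of two router configs and reports phase 1 and phase 2 parameter mismatches between peers. The sample configs R1 and R2 are constructed from this page; the sample R2 deliberately carries an esp-3des transform-set instead of the required esp-aes, which is the kind of mismatch the check catches. Function names and the WAN-address arguments are my own assumptions.

```python
import re
# Constructed sample: the IPsec-relevant lines of R1 and R2 from the lab (R2 uses esp-3des, not the required esp-aes).
R1 = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.200.1.2
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
crypto map R1-R2 1 ipsec-isakmp
 set peer 100.200.1.2
 set transform-set VPN
"""
R2 = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.100.1.2
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto map R2-R1 1 ipsec-isakmp
 set peer 200.100.1.2
 set transform-set VPN
"""
BLOCK = r"\n((?: .*\n)+)"  # the indented lines that follow a section header
def parse(cfg):
    """Pull ISAKMP policies, pre-shared keys, transform-sets and crypto-map entries out of an IOS config."""
    return {
        "policies": [dict(re.findall(r"^ (\S+) (.+)$", b, re.M))
                     for b in re.findall(r"^crypto isakmp policy \d+" + BLOCK, cfg, re.M)],
        "keys": {addr: key for key, addr in re.findall(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)},
        "tsets": dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)),
        "maps": [dict(re.findall(r"^ set (peer|transform-set) (\S+)", b, re.M))
                 for b in re.findall(r"^crypto map \S+ \d+ ipsec-isakmp" + BLOCK, cfg, re.M)],
    }
def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    """Return the mismatches that would stop the tunnel between A (WAN address wan_a) and B (wan_b)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["keys"].get(wan_b) != b["keys"].get(wan_a):       # phase 1: same PSK for each other's address
        problems.append("pre-shared key differs between the peers")
    if not any(p in b["policies"] for p in a["policies"]):  # phase 1: at least one identical policy
        problems.append("no ISAKMP policy with the same encr/authentication/group on both sides")
    ts_a = [a["tsets"].get(m.get("transform-set")) for m in a["maps"] if m.get("peer") == wan_b]
    ts_b = [b["tsets"].get(m.get("transform-set")) for m in b["maps"] if m.get("peer") == wan_a]
    if not ts_a or not ts_b:                                 # phase 2: each side needs a map entry for the peer
        problems.append("one side has no crypto map entry pointing at the other peer")
    elif not set(ts_a) & set(ts_b):                          # phase 2: the proposals must overlap
        problems.append(f"IPsec transform-sets differ: {ts_a} vs {ts_b}")
    return problems
```

Calling `check_pair(R1, "200.100.1.2", R2, "100.200.1.2")` reports only the transform-set mismatch; after changing the sample R2 to esp-aes it returns an empty list.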
9. GRE tunnels are used so that a dynamic routing protocol can run inside the tunnel, carrying IP traffic across the GRE tunnel.
10. All PCs in the network obtain their addresses dynamically. Address assignment per area:
XSB: the .6 subnet, assigned starting from .1, at most 50 addresses;
CWB: the .10 subnet, assigned starting from .10, at most 20 addresses;
RSB: the .30 subnet, assigned starting from .1, at most 30 addresses;
OFFICE-1: the .20 subnet, assigned starting from .3, at most 30 addresses;
OFFICE-2: the .25 subnet, assigned starting from .3, at most 30 addresses.
11. To promote the company's products and make page access faster for users, the company runs DNS and HTTP services internally; to save cost both run on one server. The company domain is network.com.
12. To make the internal network more secure, an ACL named anti-vrius is deployed in R2's area to filter attack ports, so that internal users cannot reach the outside on the following ports:
TCP and UDP 445, and TCP and UDP 3389.
13. Test connectivity and the application services.
Note: the VTP, VLAN and ACL configuration is left for you to do yourself.
SW1 configuration:
service password-encryption
hostname SW1
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
ip routing
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
no ip domain-lookup
spanning-tree mode pvst
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
spanning-tree portfast
interface FastEthernet0/24
no switchport
ip address 192.168.0.1 255.255.255.0
interface Vlan99
ip address 192.168.99.1 255.255.255.0
interface Vlan100
ip address 192.168.100.254 255.255.255.0
router eigrp 1
passive-interface Vlan100
network 192.168.0.0
network 192.168.100.0
network 192.168.99.0
no auto-summary
ip default-gateway 192.168.0.254
line con 0
exec-timeout 10 50
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
end
SW2 configuration:
service password-encryption
hostname SW2
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
no ip domain-lookup
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
spanning-tree vlan 1,6,10,30 priority 24576
interface FastEthernet0/4
switchport mode trunk
interface FastEthernet0/5
switchport mode trunk
interface FastEthernet0/24
switchport mode trunk
interface Vlan99
ip address 192.168.99.2 255.255.255.0
ip default-gateway 192.168.99.254
line con 0
password 7 0822455D0A16
logging synchronous
login
exec-timeout 10 50
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
SW3 configuration:
service password-encryption
hostname SW3
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
no ip domain-lookup
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
spanning-tree vlan 6,30 priority 28672
interface Port-channel1
switchport mode trunk
interface FastEthernet0/1
switchport mode trunk
channel-group 1 mode on
shutdown
interface FastEthernet0/2
switchport access vlan 6
switchport mode access
spanning-tree portfast
interface FastEthernet0/3
switchport mode trunk
channel-group 1 mode on
shutdown
interface FastEthernet0/4
switchport access vlan 30
switchport mode access
spanning-tree portfast
interface FastEthernet0/5
switchport mode trunk
interface Vlan99
ip address 192.168.99.3 255.255.255.0
ip default-gateway 192.168.99.254
line con 0
password 7 0822455D0A16
logging synchronous
login
exec-timeout 10 50
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
SW4 configuration:
service password-encryption
hostname SW4
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
no ip domain-lookup
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
spanning-tree vlan 10 priority 28672
interface Port-channel1
switchport mode trunk
interface FastEthernet0/1
switchport mode trunk
channel-group 1 mode on
shutdown
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface FastEthernet0/3
switchport mode trunk
channel-group 1 mode on
shutdown
interface FastEthernet0/4
switchport mode trunk
interface Vlan99
ip address 192.168.99.4 255.255.255.0
ip default-gateway 192.168.99.254
line con 0
password 7 0822455D0A16
logging synchronous
login
exec-timeout 10 50
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
SW5 configuration:
service password-encryption
hostname SW5
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
ip routing
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
no ip domain-lookup
spanning-tree mode pvst
spanning-tree vlan 1,20,25,99 priority 24576
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24
no switchport
ip address 192.168.3.2 255.255.255.0
interface Vlan20
mac-address 0000.0c03.4201
ip address 192.168.20.2 255.255.255.248
ip helper-address 192.168.100.1
standby 1 ip 192.168.20.1
standby 1 priority 110
standby 1 preempt
interface Vlan25
mac-address 0000.0c03.4202
ip address 192.168.25.2 255.255.255.0
ip helper-address 192.168.100.1
standby 1 ip 192.168.25.1
standby 1 priority 110
standby 1 preempt
interface Vlan99
mac-address 0000.0c03.4203
ip address 192.168.99.253 255.255.255.0
standby 1 ip 192.168.99.254
standby 1 priority 110
standby 1 preempt
router eigrp 1
passive-interface Vlan20
passive-interface Vlan25
passive-interface Vlan99
network 192.168.3.0
network 192.168.20.0 0.0.0.7
network 192.168.25.0
network 192.168.99.0
no auto-summary
line con 0
exec-timeout 10 50
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
SW6 configuration:
service password-encryption
hostname SW6
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
ip routing
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
no ip domain-lookup
spanning-tree vlan 1,20,25,99 priority 28672
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24
no switchport
ip address 192.168.33.2 255.255.255.0
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface Vlan1
no ip address
shutdown
interface Vlan20
mac-address 000c.cf44.6701
ip address 192.168.20.3 255.255.255.248
standby 1 ip 192.168.20.1
standby 1 preempt
interface Vlan25
mac-address 000c.cf44.6702
ip address 192.168.25.3 255.255.255.0
standby 1 ip 192.168.25.1
standby 1 preempt
interface Vlan99
mac-address 000c.cf44.6703
ip address 192.168.99.252 255.255.255.0
standby 1 ip 192.168.99.254
standby 1 preempt
router eigrp 1
passive-interface Vlan20
passive-interface Vlan25
passive-interface Vlan99
network 192.168.20.0 0.0.0.7
network 192.168.25.0
network 192.168.33.0
network 192.168.99.0
no auto-summary
line con 0
exec-timeout 10 50
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
SW7 configuration:
service password-encryption
hostname SW7
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
no ip domain-lookup
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface FastEthernet0/3
switchport mode trunk
interface FastEthernet0/24
switchport mode trunk
interface Vlan99
ip address 192.168.99.7 255.255.255.0
ip default-gateway 192.168.99.254
line con 0
password 7 0822455D0A16
logging synchronous
login
exec-timeout 10 50
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
SW8 configuration:
service password-encryption
hostname SW8
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
no ip domain-lookup
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
interface FastEthernet0/1
switchport access vlan 25
switchport mode access
spanning-tree portfast
interface FastEthernet0/3
switchport mode trunk
interface FastEthernet0/24
switchport mode trunk
interface Vlan99
ip address 192.168.99.8 255.255.255.0
ip default-gateway 192.168.99.254
line con 0
password 7 0822455D0A16
logging synchronous
login
exec-timeout 10 50
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
R1 configuration:
service password-encryption
hostname R1
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp key cisco address 100.200.1.2
crypto isakmp key cisco01 address 107.1.20.2
!
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
crypto ipsec transform-set VPN-1 esp-aes esp-sha-hmac
!
crypto map R1-R2 1 ipsec-isakmp
! Incomplete
set peer 100.200.1.2
set transform-set VPN
match address R1-R2
!
!
crypto map R1-R3 1 ipsec-isakmp
! Incomplete
set peer 107.1.20.2
set transform-set VPN-1
match address R1-R3
!
!
no ip domain-lookup
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
mtu 1476
tunnel source Serial0/0/0
tunnel destination 100.200.1.2
!
interface Tunnel2
ip address 10.1.1.1 255.255.255.0
mtu 1476
tunnel source Serial0/0/0
tunnel destination 107.1.20.2
!
interface FastEthernet0/0
ip address 192.168.0.254 255.255.255.0
interface Serial0/0/0
ip address 200.100.1.2 255.255.255.252
! IOS accepts only one crypto map per interface: with R1-R3 applied here the R1-R2 map is never applied,
! so R1-R2 traffic stays unencrypted unless both entries are placed under one map name with different sequence numbers
crypto map R1-R3
!
router eigrp 1
redistribute static
network 192.168.0.0
network 172.16.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
!
ip access-list extended R1-R2
ip access-list extended R1-R3
!
line con 0
exec-timeout 10 50
password 7 0822455D0A16
logging synchronous
login
!
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
R2 configuration:
service password-encryption
hostname R2
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key cisco address 200.100.1.2
!
!
!
! must match R1's transform-set VPN (esp-aes esp-sha-hmac); the original had esp-3des here, so phase 2 would not negotiate
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map R1-R2 1 ipsec-isakmp
! Incomplete
set peer 200.100.1.2
set transform-set VPN
!
!
crypto map R2-R1 1 ipsec-isakmp
! Incomplete
set peer 200.100.1.2
set transform-set VPN
match address R2-R1
no ip domain-lookup
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
mtu 1476
tunnel source Serial0/0/0
tunnel destination 200.100.1.2
interface FastEthernet0/0.6
encapsulation dot1Q 6
ip address 192.168.6.254 255.255.255.0
ip helper-address 192.168.100.1
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.224
ip helper-address 192.168.100.1
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.254 255.255.255.0
ip helper-address 192.168.100.1
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.254 255.255.255.0
interface Serial0/0/0
ip address 100.200.1.2 255.255.255.252
crypto map R2-R1
router eigrp 1
redistribute static
passive-interface FastEthernet0/0.6
passive-interface FastEthernet0/0.10
passive-interface FastEthernet0/0.30
passive-interface FastEthernet0/0.99
network 192.168.6.0
network 192.168.10.0 0.0.0.31
network 192.168.30.0
network 192.168.99.0
network 172.16.1.0 0.0.0.255
no auto-summary
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip access-list extended anti-vrius
ip access-list extended R2R1
ip access-list extended R2-R1
!
line con 0
exec-timeout 10 50
password 7 0822455D0A16
logging synchronous
login
!
line aux 0
!
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
R3 configuration:
service password-encryption
hostname R3
enable secret 5 $1$mERr$h8fNeuzwQ5F8joeWZbJYw1
username student secret 5 $1$mERr$5c0qAIC.VH5k7AMxpHtlC1
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp key cisco01 address 200.100.1.2
!
crypto ipsec transform-set VPN-1 esp-aes esp-sha-hmac
!
crypto map R1-R3 1 ipsec-isakmp
! Incomplete
set peer 200.100.1.2
set transform-set VPN-1
!
!
crypto map R3-R1 1 ipsec-isakmp
! Incomplete
set peer 200.100.1.2
set transform-set VPN-1
match address R3-R1
no ip domain-lookup
interface Tunnel2
ip address 10.1.1.2 255.255.255.0
mtu 1476
tunnel source Serial0/0/0
tunnel destination 200.100.1.2
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
interface FastEthernet0/1
ip address 192.168.33.1 255.255.255.0
interface Serial0/0/0
ip address 107.1.20.2 255.255.255.252
crypto map R3-R1
router eigrp 1
redistribute static
network 192.168.3.0
network 192.168.33.0
network 10.1.1.0 0.0.0.255
no auto-summary
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip access-list extended R3-R1
line con 0
exec-timeout 10 50
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
exec-timeout 10 50
logging synchronous
login local
line vty 5 15
exec-timeout 10 50
logging synchronous
login local
PCs obtain their IP addresses via: DHCP