Project requirements:
1. Different PCs belong to different VLANs, as shown in the diagram.
2. Each VLAN uses the IP subnet 192.168.XX.0/24, where XX is the VLAN number.
3. Hosts in each VLAN obtain their IP addresses via DHCP (unless a requirement says otherwise);
the gateway IP address for the hosts of every VLAN is 192.168.XX.254/24.
4. VLAN 88 is the server VLAN where web-server sits; its gateway is on SW5.
VLAN 66 is the server VLAN where dhcp-server sits; its gateway is on SW6.
5. The gateway of every other VLAN uses a gateway high-availability technology, improving gateway
redundancy and stability.
6. The switches also use a loop-prevention technology that can load-balance traffic
per VLAN. In addition, the forwarding path that the hosts of each VLAN use to reach
their gateway must be the optimal one.
7. OSPF runs inside the company so that different VLANs can reach each other.
Different VLANs belong to different areas.
At the same time, the areas containing the web and dhcp servers must be protected from the
instability of external links and of unstable links in other areas.
8. The company's egress routers are R2 and R4, but R2 is always the primary egress; only after
it fails does outbound traffic switch automatically to R4. Once R2 is repaired, traffic is forwarded via R2 again.
9. Many internal hosts need to access the Internet. Internet access for internal hosts must be implemented
in the way that consumes the fewest IP addresses, but VLAN 40 is a confidential department and must not be able to reach the external network.
10. External users (client-1) can access the internal web server.
11. External users (SW10) can remotely manage the internal switching devices (not R2/R4);
the remote-access password is set to HCIE on every device.
(The management IP address of every internal device belongs to the management VLAN, VLAN 199.)
12. Among internal users, only PC-2 in VLAN 20 may log in remotely to manage all internal devices;
no other user may.
VLAN assignment for the four internal departments; basic configuration of the Layer 2 access switches:
SW1
undo terminal monitor
system-view
sysname SW1
vlan batch 10 20 30 40 66 88 15 16
interface gig0/0/1
port link-type access
port default vlan 10
stp disable
interface gig0/0/2
port link-type access
port default vlan 20
stp disable
interface gig0/0/11
port link-type trunk
port trunk allow-pass vlan all
interface gig0/0/21
port link-type trunk
port trunk allow-pass vlan all
quit
SW2
undo terminal monitor
system-view
sysname SW2
vlan batch 10 20 30 40 66 88 15 16
interface gig0/0/3
port link-type access
port default vlan 10
stp disable
interface gig0/0/4
port link-type access
port default vlan 30
stp disable
interface gig0/0/12
port link-type trunk
port trunk allow-pass vlan all
interface gig0/0/22
port link-type trunk
port trunk allow-pass vlan all
quit
SW3
undo terminal monitor
system-view
sysname SW3
vlan batch 10 20 30 40 66 88 15 16
interface gig0/0/5
port link-type access
port default vlan 20
stp disable
interface gig0/0/6
port link-type access
port default vlan 40
stp disable
interface gig0/0/13
port link-type trunk
port trunk allow-pass vlan all
interface gig0/0/23
port link-type trunk
port trunk allow-pass vlan all
quit
SW4
undo terminal monitor
system-view
sysname SW4
vlan batch 10 20 30 40 66 88 15 16
interface gig0/0/7
port link-type access
port default vlan 40
stp disable
interface gig0/0/8
port link-type access
port default vlan 30
stp disable
interface gig0/0/14
port link-type trunk
port trunk allow-pass vlan all
interface gig0/0/24
port link-type trunk
port trunk allow-pass vlan all
quit
Basic configuration of the aggregation switches
SW5
undo terminal monitor
system-view
sysname SW5
vlan batch 10 20 30 40 66 88 15 16
port-group 1
group-member g0/0/10 to g0/0/14
port link-type trunk
port trunk allow-pass vlan all
quit
interface gig0/0/1
port link-type access
port default vlan 15
stp disable
interface gig0/0/8
port link-type access
port default vlan 88
stp disable
quit
SW6
undo terminal monitor
system-view
sysname SW6
vlan batch 10 20 30 40 66 88 15 16
port-group 1
group-member g0/0/10 g0/0/21 to g0/0/24
port link-type trunk
port trunk allow-pass vlan all
quit
interface gig0/0/1
port link-type access
port default vlan 16
stp disable
interface gig0/0/6
port link-type access
port default vlan 66
stp disable
quit
If the backup link on the g0/0/10 interfaces of SW5/SW6 is to be enabled:
Because Layer 2 devices easily form loops, MSTP (multiple spanning tree) is used to provide both link load-balancing and redundancy.
Because SW5 and SW6 are both gateways, the root bridge of a VLAN should be on the same device as that VLAN's active gateway. SW5 and SW6 are therefore each made root bridge for a different set of VLANs, and each is the backup root for the other's VLANs, so that the failure of one device along the path does not take the VLAN down.
SW1/SW2/SW3/SW4/SW5/SW6
undo terminal monitor
system-view
stp mode mstp
stp region-configuration
region-name HCIP
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
instance 6 vlan 66
instance 8 vlan 88
active region-configuration
quit
SW5
undo terminal monitor
system-view
stp instance 10 priority 4096
stp instance 20 priority 4096
stp instance 30 priority 8192
stp instance 40 priority 8192
SW6
undo terminal monitor
system-view
stp instance 10 priority 8192
stp instance 20 priority 8192
stp instance 30 priority 4096
stp instance 40 priority 4096
Configuring each department's gateway, VRRP and the DHCP relay agent on the aggregation switches
SW5
undo terminal monitor
system-view
interface vlanif 15
ip address 192.168.15.5 24
quit
interface vlanif 88
ip address 192.168.88.254 24
quit
dhcp enable
interface vlanif 10
ip address 192.168.10.253 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 200
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
interface vlanif 20
ip address 192.168.20.253 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 200
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
interface vlanif 30
ip address 192.168.30.253 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 150
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
interface vlanif 40
ip address 192.168.40.253 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 150
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
SW6
undo terminal monitor
system-view
interface vlanif 16
ip address 192.168.16.6 24
quit
interface vlanif 66
ip address 192.168.66.254 24
quit
dhcp enable
interface vlanif 10
ip address 192.168.10.252 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
interface vlanif 20
ip address 192.168.20.252 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 150
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
interface vlanif 30
ip address 192.168.30.252 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 200
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
interface vlanif 40
ip address 192.168.40.252 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 200
dhcp select relay
dhcp relay server-ip 192.168.66.1
quit
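The rule stated above (for each VLAN, the MSTP root bridge and the VRRP master must be the same aggregation switch, otherwise host-to-gateway traffic crosses the SW5-SW6 link) can be checked mechanically. The following Python script is an added example and is not part of the original lab write-up: it parses the MSTP instance priorities and VRRP lines of SW5 and SW6, as constructed here from the page's own snippets, elects per VLAN the MSTP root (lowest instance priority) and the VRRP master (highest priority), and reports any VLAN where the two differ or where the priorities tie. The fallback values 32768 (bridge priority) and 100 (VRRP priority) are the VRP defaults and are assumed only for lines the configuration does not set.

```python
import re

# Constructed from the page's snippets: the MSTP region mapping shared by
# all six switches, plus the instance priorities and VRRP lines of SW5/SW6.
REGION = """
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
instance 6 vlan 66
instance 8 vlan 88
"""
SW5 = REGION + """
stp instance 10 priority 4096
stp instance 20 priority 4096
stp instance 30 priority 8192
stp instance 40 priority 8192
interface vlanif 10
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 200
interface vlanif 20
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 200
interface vlanif 30
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 150
interface vlanif 40
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 150
"""
SW6 = REGION + """
stp instance 10 priority 8192
stp instance 20 priority 8192
stp instance 30 priority 4096
stp instance 40 priority 4096
interface vlanif 10
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 150
interface vlanif 20
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 150
interface vlanif 30
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 200
interface vlanif 40
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 200
"""
DEFAULT_STP_PRIORITY = 32768   # VRP default bridge priority (assumed when unset)
DEFAULT_VRRP_PRIORITY = 100    # VRP default VRRP priority (assumed when unset)


def parse_switch(text):
    """Return (vlan -> MSTP instance, instance -> STP priority, vlan -> VRRP priority)."""
    vlan_inst, stp_prio, vrrp_prio, vlan = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"instance (\d+) vlan (\d+)", line)):
            vlan_inst[int(m[2])] = int(m[1])
        elif (m := re.fullmatch(r"stp instance (\d+) priority (\d+)", line)):
            stp_prio[int(m[1])] = int(m[2])
        elif (m := re.fullmatch(r"interface vlanif (\d+)", line)):
            vlan = int(m[1])
        elif re.fullmatch(r"vrrp vrid \d+ virtual-ip \S+", line):
            vrrp_prio.setdefault(vlan, DEFAULT_VRRP_PRIORITY)  # VRRP group exists
        elif (m := re.fullmatch(r"vrrp vrid \d+ priority (\d+)", line)):
            vrrp_prio[vlan] = int(m[1])
    return vlan_inst, stp_prio, vrrp_prio


def _unique_winner(scores, pick):
    """Name with the best score, or None on a tie. A tie means the bridge MAC
    or interface IP would decide, which the design should never rely on."""
    best = pick(scores.values())
    winners = [name for name, s in scores.items() if s == best]
    return winners[0] if len(winners) == 1 else None


def gateway_alignment(configs):
    """For every VLAN running VRRP, return {vlan: (mstp_root, vrrp_master, aligned)}.
    Hosts reach their gateway without crossing the inter-switch link only when
    the MSTP root (lowest priority) and VRRP master (highest priority) coincide."""
    parsed = {name: parse_switch(text) for name, text in configs.items()}
    vlans = set().union(*(p[2] for p in parsed.values()))
    report = {}
    for vlan in sorted(vlans):
        stp = {}
        for name, (vlan_inst, stp_prio, _) in parsed.items():
            inst = vlan_inst.get(vlan, 0)  # unmapped VLANs ride the CIST (instance 0)
            stp[name] = stp_prio.get(inst, DEFAULT_STP_PRIORITY)
        vr = {name: p[2][vlan] for name, p in parsed.items() if vlan in p[2]}
        root, master = _unique_winner(stp, min), _unique_winner(vr, max)
        report[vlan] = (root, master, root is not None and root == master)
    return report


if __name__ == "__main__":
    for vlan, (root, master, ok) in gateway_alignment({"SW5": SW5, "SW6": SW6}).items():
        print(f"vlan {vlan}: mstp root={root} vrrp master={master} {'OK' if ok else 'MISALIGNED'}")
```

Run against the page's values it reports all four VLANs as aligned (SW5 for 10 and 20, SW6 for 30 and 40); raising SW6's VRRP priority for VLAN 10 to 250, or giving both switches priority 4096 in instance 10, makes the corresponding VLAN show up as misaligned or tied.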
AR1: configure the DHCP server using global address pools.
AR1
undo terminal monitor
system-view
sysname AR1
ip route-static 0.0.0.0 0.0.0.0 192.168.66.254
dhcp enable
ip pool VLAN10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
excluded-ip-address 192.168.10.250 192.168.10.253
dns-list 8.8.8.8
lease day 2
quit
ip pool VLAN20
network 192.168.20.0 mask 24
gateway-list 192.168.20.254
excluded-ip-address 192.168.20.250 192.168.20.253
dns-list 8.8.8.8
lease day 2
quit
ip pool VLAN30
network 192.168.30.0 mask 24
gateway-list 192.168.30.254
excluded-ip-address 192.168.30.250 192.168.30.253
dns-list 8.8.8.8
lease day 2
quit
ip pool VLAN40
network 192.168.40.0 mask 24
gateway-list 192.168.40.254
excluded-ip-address 192.168.40.250 192.168.40.253
dns-list 8.8.8.8
lease day 2
quit
interface gig0/0/1
ip address 192.168.66.1 24
dhcp select global
quit
Note: once the configuration above is complete, of the PCs in the four VLANs only those in VLAN 30 and VLAN 40 obtain IP addresses normally. SW5 is the VRRP master for VLAN 10 and VLAN 20 and therefore relays their DHCP requests, but it has no interface on VLAN 66 and so no route to the DHCP server, whereas SW6, the master for VLAN 30 and VLAN 40, is directly connected to that subnet. For VLAN 10 and VLAN 20 to obtain addresses as well, a static route to the DHCP server's subnet must be added on SW5, with the next hop pointing to SW6.
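The behaviour described in the note can be reproduced with a small route-lookup model. The following Python script is an added example and is not part of the original write-up: it builds each device's routing table (connected and static routes) from SW5, SW6 and AR1 address lines constructed here from the page's own snippets, then traces the path a relayed DHCP request takes from each relay interface to 192.168.66.1 and the path the server's reply takes back to the relay's own address. The static route used as the fix (SW5_FIX, next hop 192.168.10.252) is an assumption: the page only says the next hop points to SW6, and 192.168.10.252 is SW6's address on the VLAN 10 subnet the two switches share.

```python
import ipaddress
import re

# Constructed from the page's SW5, SW6 and AR1 snippets; only the lines that
# create routing state or name the relay server are kept.
SW5 = """
interface vlanif 88
 ip address 192.168.88.254 24
interface vlanif 10
 ip address 192.168.10.253 24
 dhcp relay server-ip 192.168.66.1
interface vlanif 20
 ip address 192.168.20.253 24
 dhcp relay server-ip 192.168.66.1
interface vlanif 30
 ip address 192.168.30.253 24
 dhcp relay server-ip 192.168.66.1
interface vlanif 40
 ip address 192.168.40.253 24
 dhcp relay server-ip 192.168.66.1
"""
SW6 = """
interface vlanif 66
 ip address 192.168.66.254 24
interface vlanif 10
 ip address 192.168.10.252 24
 dhcp relay server-ip 192.168.66.1
interface vlanif 20
 ip address 192.168.20.252 24
 dhcp relay server-ip 192.168.66.1
interface vlanif 30
 ip address 192.168.30.252 24
 dhcp relay server-ip 192.168.66.1
interface vlanif 40
 ip address 192.168.40.252 24
 dhcp relay server-ip 192.168.66.1
"""
AR1 = """
ip route-static 0.0.0.0 0.0.0.0 192.168.66.254
interface gig0/0/1
 ip address 192.168.66.1 24
"""
# Assumed form of the fix the note describes (the page only says "next hop
# pointing to SW6"); 192.168.10.252 is SW6's address on the shared VLAN 10 subnet.
SW5_FIX = "ip route-static 192.168.66.0 24 192.168.10.252\n"


def parse_device(text):
    """Return (routes, addrs, relays): routes maps network -> next hop (None =
    connected), addrs maps interface -> ip, relays maps interface -> [server ip]."""
    routes, addrs, relays, iface = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"interface (.+)", line)):
            iface = m[1]
        elif (m := re.fullmatch(r"ip address (\S+) (\d+)", line)):
            ip = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            addrs[iface], routes[ip.network] = ip.ip, None
        elif (m := re.fullmatch(r"dhcp relay server-ip (\S+)", line)):
            relays.setdefault(iface, []).append(ipaddress.ip_address(m[1]))
        elif (m := re.fullmatch(r"ip route-static (\S+) (\S+) (\S+)", line)):
            routes[ipaddress.ip_network(f"{m[1]}/{m[2]}")] = ipaddress.ip_address(m[3])
    return routes, addrs, relays


def lookup(routes, dst):
    """Longest-prefix match: (network, next_hop), or None when there is no route."""
    hits = [(net, nh) for net, nh in routes.items() if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def owner_of(devices, ip):
    """Name of the device that owns address `ip`, or None."""
    return next((n for n, (_, addrs, _) in devices.items() if ip in addrs.values()), None)


def trace(devices, start, dst, max_hops=8):
    """Device-by-device path from `start` to the device owning `dst`;
    None if some hop has no route or the next hop is an unknown address."""
    path, cur = [start], start
    while len(path) <= max_hops:
        routes, addrs, _ = devices[cur]
        if dst in addrs.values():
            return path
        hit = lookup(routes, dst)
        if hit is None:
            return None  # dropped: no matching route on this hop
        cur = owner_of(devices, dst if hit[1] is None else hit[1])
        if cur is None:
            return None
        path.append(cur)
    return None


def relay_paths(devices, switch):
    """For each (relay interface, server) on `switch`: (forward path to the
    server, return path from the server to the relay's own interface address,
    which is the source the relayed DHCP packets carry)."""
    _, addrs, relays = devices[switch]
    result = {}
    for iface, servers in relays.items():
        for server in servers:
            srv = owner_of(devices, server)
            back = trace(devices, srv, addrs[iface]) if srv else None
            result[(iface, str(server))] = (trace(devices, switch, server), back)
    return result
```

With the page's configuration, SW5's relay interfaces get no forward path at all (the reply path AR1 -> SW6 -> SW5 would exist), while SW6 reaches AR1 directly; after appending SW5_FIX to SW5's configuration the forward path becomes SW5 -> SW6 -> AR1.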