DHCP,VTP,PVST+,HSRP,ACL,NAT,和浮动路由
首先给大家道个歉,这个实验一直没做,最近终于做完了,详细的配置已经发到附件里了,大家解压后就可看了,没有做接入层的配置,那个很简单,就没做了
还有以前的问题是小凡的问题,这实验要用真实设备做,虚拟的会出问题。
第一次打开图片太小的话就刷新下就好了
1、所有VLAN都可以访问FTP、WWW服务
2、除了网管区,其他VLAN不能TELNET设备(路由器、交换机)、服务器
3、只有网管区可以PING设配
4、配置MSL1、MSL2为VTPsever
5、配置HSRP实现路由备份和VLAN负载均衡
6、在路由器上为各VLAN做浮动路由
7、配置NAT使外网可以访问内网WWW服务
8、配置PAT使内网用户可以访问外网
9、左边的3层为MSL1,右边的3层交换为MSL2
2、除了网管区,其他VLAN不能TELNET设备(路由器、交换机)、服务器
3、只有网管区可以PING设配
4、配置MSL1、MSL2为VTPsever
5、配置HSRP实现路由备份和VLAN负载均衡
6、在路由器上为各VLAN做浮动路由
7、配置NAT使外网可以访问内网WWW服务
8、配置PAT使内网用户可以访问外网
9、左边的3层为MSL1,右边的3层交换为MSL2
PS:附件下载有问题,我把配置发上来
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no ip domain lookup
Router(config)#line con 0
Router(config-line)#exec-t 0 0
Router(config-line)#logg sy
Router(config-line)#exit
Router(config)#int e0/0
Router(config-if)#ip add 20.0.0.1 255.255.255.0
Router(config-if)#no
Router(config-if)#int e1/0
Router(config-if)#ip add 192.168.0.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int e2/0
Router(config-if)#ip add 192.168.0.5 255.255.255.252
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#ip router 192.168.100.0 255.255.255.0 e1/0 5
Router(config)#ip router 192.168.100.0 255.255.255.0 e2/0
Router(config)#ip router 192.168.2.0 255.255.255.0 e1/0 5
Router(config)#ip router 192.168.2.0 255.255.255.0 e2/0
Router(config)#ip router 192.168.3.0 255.255.255.0 e1/0
Router(config)#ip router 192.168.3.0 255.255.255.0 e2/0 5
Router(config)#ip router 192.168.4.0 255.255.255.0 e1/0
Router(config)#ip router 192.168.4.0 255.255.255.0 e2/0 5
Router(config)#end
//dhcp
Router(config)#ip dhcp pool vlan200
Router(dhcp-config)#network 192.168.100.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.4.254
Router(dhcp-config)#lease 1
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.2.250 192.168.2.254
Router(config)#ip dhcp pool vlan300
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#lease 1
Router(dhcp-config)#default-router 192.168.2.254
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.3.250 192.168.3.254
Router(config)#ip dhcp pool vlan400
Router(dhcp-config)#network 192.168.4.0 255.255.255.0
Router(dhcp-config)#lease 1
Router(dhcp-config)#default-router 192.168.4.254
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.4.250 192.168.4.254
Router(config)#access-list 1 permit 192.168.0.0 0.3.255.255 \\定义地址转换的控制列表
Router(config)#ip nat pool isp 20.0.0.1 20.0.0.1 netmask 0.0.0.0 \\定义转换的地址池
Router(config)#ip nat inside source list 1 pool isp \\将指定的内部局部地址与内部全局地址池进行转换
Router(config)#int e0/0
Router(config-if)#ip nat outside
Router(config-if)#int e1/0
Router(config-if)#ip nat inside
Router(config-if)#int e2/0
Router(config-if)#ip nat inside
Router(config-if)#end
Router(config)#ip nat inside source static tcp 192.168.100.100 80 20.0.0.1 80 \\ 端口映射,将内网服务器发布出去
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no ip domain lookup
Router(config)#line con 0
Router(config-line)#exec-t 0 0
Router(config-line)#logg sy
Router(config-line)#exit
Router(config)#int e0/0
Router(config-if)#ip add 20.0.0.1 255.255.255.0
Router(config-if)#no
Router(config-if)#int e1/0
Router(config-if)#ip add 192.168.0.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int e2/0
Router(config-if)#ip add 192.168.0.5 255.255.255.252
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#ip router 192.168.100.0 255.255.255.0 e1/0 5
Router(config)#ip router 192.168.100.0 255.255.255.0 e2/0
Router(config)#ip router 192.168.2.0 255.255.255.0 e1/0 5
Router(config)#ip router 192.168.2.0 255.255.255.0 e2/0
Router(config)#ip router 192.168.3.0 255.255.255.0 e1/0
Router(config)#ip router 192.168.3.0 255.255.255.0 e2/0 5
Router(config)#ip router 192.168.4.0 255.255.255.0 e1/0
Router(config)#ip router 192.168.4.0 255.255.255.0 e2/0 5
Router(config)#end
//dhcp
Router(config)#ip dhcp pool vlan200
Router(dhcp-config)#network 192.168.100.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.4.254
Router(dhcp-config)#lease 1
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.2.250 192.168.2.254
Router(config)#ip dhcp pool vlan300
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#lease 1
Router(dhcp-config)#default-router 192.168.2.254
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.3.250 192.168.3.254
Router(config)#ip dhcp pool vlan400
Router(dhcp-config)#network 192.168.4.0 255.255.255.0
Router(dhcp-config)#lease 1
Router(dhcp-config)#default-router 192.168.4.254
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.4.250 192.168.4.254
Router(config)#access-list 1 permit 192.168.0.0 0.3.255.255 \\定义地址转换的控制列表
Router(config)#ip nat pool isp 20.0.0.1 20.0.0.1 netmask 0.0.0.0 \\定义转换的地址池
Router(config)#ip nat inside source list 1 pool isp \\将指定的内部局部地址与内部全局地址池进行转换
Router(config)#int e0/0
Router(config-if)#ip nat outside
Router(config-if)#int e1/0
Router(config-if)#ip nat inside
Router(config-if)#int e2/0
Router(config-if)#ip nat inside
Router(config-if)#end
Router(config)#ip nat inside source static tcp 192.168.100.100 80 20.0.0.1 80 \\ 端口映射,将内网服务器发布出去
mls1>
mls1>en
mls1#vlan database
mls1(vlan)#vtp domain cz
mls1(vlan)#vtp password 123.com
mls1(vlan)#vtp server
mls1(vlan)#vtp v2-mode
mls1(vlan)#vtp pr
mls1(vlan)#vtp pruning
mls1(vlan)#vlan 100
mls1(vlan)#vlan 200
mls1(vlan)#vlan 300
mls1(vlan)#vlan 400
mls1(vlan)#exit
mls1#conf t
mls1(config)#int ra f0/1 - 4
mls1(config-if-range)#sw t en d
mls1(config-if-range)#sw m t
mls1(config-if-range)#exit
mls1(config)#int ra f0/12 - 14
mls1(config-if-range)#sw t en d
mls1(config-if-range)#sw m t
mls1(config-if-range)#channel-group 1 mode on
mls1(config-if-range)#exit
mls1(config)#ip access-list lan
mls1(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 \\允许网管区ping设配
mls1(config-ext-nacl)#deny icmp any 192.168.0.0 0.0.0.255 echo \\不允许其他PING设配
mls1(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 eq telnet \\允许192.168.2.0/24 远程登录192.168.1.0/24
mls1(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.0.0 eq telnet \\允许192.168.2.0/24 远程登录192.168.0.0/24
mls1(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.3.255 eq 21 \\允许访问FTP
mls1(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.3.255 eq www \\允许访问WWW
mls1(config-ext-nacl)#deny ip any 192.168.0.0 0.0.3.255 \\不允许访问192.168.0.0/22
mls1(config-ext-nacl)#permit ip any any
mls1(config-ext-nacl)end
mls1(config)#int f0/15
mls1(config-if)#no sw
mls1(config-if)#ip add 192.168.0.2 255.255.255.252
mls1(config-if)#no sh
mls1(config-if)#int vlan 100
mls1(config-if)#ip add 192.168.1.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 10 ip 192.168.1.254
mls1(config-if)#standby 10 priority 200
mls1(config-if)#standby 10 preempt
mls1(config-if)#standby 10 track f0/15 100
mls1(config-if)#int vlan 200
mls1(config-if)#ip add 192.168.2.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 20 ip 192.168.2.254
mls1(config-if)#standby 20 priority 200
mls1(config-if)#standby 20 preempt
mls1(config-if)#standby 20 track f0/15 100
mls1(config-if)#int vlan 300
mls1(config-if)#ip add 192.168.3.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 30 ip 192.168.3.254
mls1(config-if)#standby 30 priority 150
mls1(config-if)#standby 30 preempt
mls1(config-if)#standby 30 track f0/15 100
mls1(config-if)#int vlan 400
mls1(config-if)#ip add 192.168.4.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 40 ip 192.168.4.254
mls1(config-if)#standby 40 priority 150
mls1(config-if)#standby 40 preempt
mls1(config-if)#standby 40 track f0/15 100
mls1(config-if)#exit
mls1(config)#spanning-tree vlan 100 priority 4096
mls1(config)#spanning-tree vlan 200 priority 4096
mls1(config)#ip route 0.0.0.0 0.0.0.0 f0/15
mls1>en
mls1#vlan database
mls1(vlan)#vtp domain cz
mls1(vlan)#vtp password 123.com
mls1(vlan)#vtp server
mls1(vlan)#vtp v2-mode
mls1(vlan)#vtp pr
mls1(vlan)#vtp pruning
mls1(vlan)#vlan 100
mls1(vlan)#vlan 200
mls1(vlan)#vlan 300
mls1(vlan)#vlan 400
mls1(vlan)#exit
mls1#conf t
mls1(config)#int ra f0/1 - 4
mls1(config-if-range)#sw t en d
mls1(config-if-range)#sw m t
mls1(config-if-range)#exit
mls1(config)#int ra f0/12 - 14
mls1(config-if-range)#sw t en d
mls1(config-if-range)#sw m t
mls1(config-if-range)#channel-group 1 mode on
mls1(config-if-range)#exit
mls1(config)#ip access-list lan
mls1(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 \\允许网管区ping设配
mls1(config-ext-nacl)#deny icmp any 192.168.0.0 0.0.0.255 echo \\不允许其他PING设配
mls1(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 eq telnet \\允许192.168.2.0/24 远程登录192.168.1.0/24
mls1(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.0.0 eq telnet \\允许192.168.2.0/24 远程登录192.168.0.0/24
mls1(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.3.255 eq 21 \\允许访问FTP
mls1(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.3.255 eq www \\允许访问WWW
mls1(config-ext-nacl)#deny ip any 192.168.0.0 0.0.3.255 \\不允许访问192.168.0.0/22
mls1(config-ext-nacl)#permit ip any any
mls1(config-ext-nacl)end
mls1(config)#int f0/15
mls1(config-if)#no sw
mls1(config-if)#ip add 192.168.0.2 255.255.255.252
mls1(config-if)#no sh
mls1(config-if)#int vlan 100
mls1(config-if)#ip add 192.168.1.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 10 ip 192.168.1.254
mls1(config-if)#standby 10 priority 200
mls1(config-if)#standby 10 preempt
mls1(config-if)#standby 10 track f0/15 100
mls1(config-if)#int vlan 200
mls1(config-if)#ip add 192.168.2.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 20 ip 192.168.2.254
mls1(config-if)#standby 20 priority 200
mls1(config-if)#standby 20 preempt
mls1(config-if)#standby 20 track f0/15 100
mls1(config-if)#int vlan 300
mls1(config-if)#ip add 192.168.3.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 30 ip 192.168.3.254
mls1(config-if)#standby 30 priority 150
mls1(config-if)#standby 30 preempt
mls1(config-if)#standby 30 track f0/15 100
mls1(config-if)#int vlan 400
mls1(config-if)#ip add 192.168.4.251 255.255.255.0
mls1(config-if)#ip helper-address 192.168.0.1
mls1(config-if)#no sh
mls1(config-if)#ip access-group lan in
mls1(config-if)#standby 40 ip 192.168.4.254
mls1(config-if)#standby 40 priority 150
mls1(config-if)#standby 40 preempt
mls1(config-if)#standby 40 track f0/15 100
mls1(config-if)#exit
mls1(config)#spanning-tree vlan 100 priority 4096
mls1(config)#spanning-tree vlan 200 priority 4096
mls1(config)#ip route 0.0.0.0 0.0.0.0 f0/15
mls2>
mls2>en
mls2#vlan database
mls2(vlan)#vtp domain cz
mls2(vlan)#vtp password 123.com
mls2(vlan)#vtp server
mls2(vlan)#vtp v2-mode
mls2(vlan)#vtp pr
mls2(vlan)#vtp pruning
mls2(vlan)#vlan 100
mls2(vlan)#vlan 200
mls2(vlan)#vlan 300
mls2(vlan)#vlan 400
mls2(vlan)#exit
mls2#conf t
mls2(config)#int ra f0/1 - 4
mls2(config-if-range)#sw t en d
mls2(config-if-range)#sw m t
mls2(config-if-range)#exit
mls2(config)#int ra f0/12 - 14
mls2(config-if-range)#sw t en d
mls2(config-if-range)#sw m t
mls2(config-if-range)#channel-group 1 mode on
mls2(config-if-range)#exit
mls1(config)#ip access-list lan
mls1(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 \\允许网管区ping设配
mls1(config-ext-nacl)#deny icmp any 192.168.0.0 0.0.0.255 echo \\不允许其他PING设配
mls1(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 eq telnet \\允许192.168.2.0/24 远程登录192.168.1.0/24
mls1(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 192.168.0.0 eq telnet \\允许192.168.2.0/24 远程登录192.168.0.0/24
mls1(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.3.255 eq 21 \\允许访问FTP
mls1(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.3.255 eq www \\允许访问WWW
mls1(config-ext-nacl)#deny ip any 192.168.0.0 0.0.3.255 \\不允许访问192.168.0.0/22
mls1(config-ext-nacl)#permit ip any any
mls1(config-ext-nacl)end
mls2(config)#int f0/15
mls2(config-if)#no sw
mls2(config-if)#ip add 192.168.0.2 255.255.255.252
mls2(config-if)#no sh
mls2(config-if)#int vlan 100
mls2(config-if)#ip add 192.168.100.252 255.255.255.0
mls2(config-if)#ip helper-address 192.168.0.5
mls2(config-if)#no sh
mls2(config-if)#ip access-group lan in
mls2(config-if)#standby 10 ip 192.168.100.254
mls2(config-if)#standby 10 priority 150
mls2(config-if)#standby 10 preempt
mls2(config-if)#standby 10 track f0/15 100
mls2(config-if)#int vlan 200
mls2(config-if)#ip add 192.168.2.252 255.255.255.0
mls2(config-if)#ip helper-address 192.168.0.5
mls2(config-if)#no sh
mls2(config-if)#ip access-group lan in
mls2(config-if)#standby 20 ip 192.168.2.254
mls2(config-if)#standby 20 priority 150
mls2(config-if)#standby 20 preempt
mls2(config-if)#standby 20 track f0/15 100
mls2(config-if)#int vlan 300
mls2(config-if)#ip add 192.168.3.252 255.255.255.0
mls2(config-if)#ip helper-address 192.168.0.5
mls2(config-if)#no sh
mls2(config-if)#ip access-group lan in
mls2(config-if)#standby 30 ip 192.168.3.254
mls2(config-if)#standby 30 priority 200
mls2(config-if)#standby 30 preempt
mls2(config-if)#standby 30 track f0/15 100
mls2(config-if)#int vlan 400
mls2(config-if)#ip add 192.168.4.252 255.255.255.0
mls2(config-if)#ip helper-address 192.168.0.5
mls2(config-if)#no sh
mls2(config-if)#ip access-group lan in
mls2(config-if)#standby 40 ip 192.168.4.254
mls2(config-if)#standby 40 priority 200
mls2(config-if)#standby 40 preempt
mls2(config-if)#standby 40 track f0/15 100
mls2(config-if)#exit
mls2(config)#spanning-tree vlan 300 priority 4096
mls2(config)#spanning-tree vlan 400 priority 4096
mls2(config)#ip route 0.0.0.0 0.0.0.0 f0/15