Lab objectives:
- Master the basic deployment of a small to medium-sized campus network.
- Become familiar with the deployment workflow and troubleshooting approach for a small to medium-sized campus network.
Lab topology:
Lab requirements:
I. Device management
- Set the hostname of each device according to the topology.
- Disable DNS lookup globally.
- On the console and VTY lines, disable the line timeout and enable output synchronization.
- For secure login, create the local user bdqn with password benet and apply it to the console and VTY lines; set the enable password to benet and store it encrypted.
- The management VLAN of all switches is VLAN 1 on 192.168.1.0/24: SW1's management IP is 192.168.1.1/24, SW2's is 192.168.1.2/24 and SW3's is 192.168.1.3/24. Remote management must be possible.
II. Switching
1. Trunking
- Force trunk mode on all inter-switch links, using 802.1Q encapsulation.
- Define VLAN 10 as the native VLAN globally.
- Only VLANs 1, 10 and 20 may traverse the trunks.
2. VTP
- SW1 is the VTP server; the other switches are clients.
- The VTP domain is bdqn, the password is benet.
- Enable VTP pruning globally.
- Create VLAN 10 and VLAN 20 on SW1 and have them synchronized to the other switches.
- Place the user-facing interfaces into the corresponding VLANs.
3. STP
- Deploy PVST: SW1 is the root for VLAN 10 and secondary root for VLAN 20, SW2 is the root for VLAN 20 and secondary root for VLAN 10, giving load balancing.
- Enable PortFast to speed up user access ports.
- Enable UplinkFast to speed up convergence on directly connected uplinks.
- Enable BackboneFast to speed up convergence on backbone links.
4. Layer 3 switching
- SW1 is the primary gateway for VLAN 10 and the backup gateway for VLAN 20, with VLAN 10 address 192.168.10.252/24 and VLAN 20 address 192.168.20.252/24; SW2 is the primary gateway for VLAN 20 and the backup gateway for VLAN 10, with VLAN 10 address 192.168.10.253/24 and VLAN 20 address 192.168.20.253/24.
- Deploy HSRP on SW1 and SW2; the VLAN 10 gateway is 192.168.10.254 and the VLAN 20 gateway is 192.168.20.254.
- Deploy a DHCP service on SW1 so hosts in the different VLANs can join the network; the primary DNS is 202.96.128.86 and the backup DNS is 119.29.29.29.
- Enable Layer 3 routing on the Layer 3 switches so hosts in different VLANs can communicate with each other.
5. EtherChannel
- For link redundancy and additional bandwidth, deploy a Layer 2 EtherChannel between the distribution-layer switches.
6. Port security
- For secure user access, enable port security on all user-facing access interfaces.
- Enable address learning and set the maximum number of MAC addresses to 1.
- Set the violation action to shutdown, with automatic recovery after 30 s.
III. Routing
- Deploy the dynamic routing protocol OSPF on the Layer 3 switches SW1 and SW2 and on R1, advertising into the backbone area.
- Deploy a default route on the edge router R1 for Internet access.
IV. Security policy
- Only the administrator address 192.168.10.1/24 may remotely access the edge router R1.
- Deploy PAT so that internal hosts can reach the Internet.
Lab configuration:
(This lab is simulated in GNS3; routers are used to simulate PCs, and each device is assumed to start in privileged EXEC mode.)
Device management:
config terminal
hostname SW1 //set the hostname
no ip domain-lookup //disable DNS lookup
line con 0 //enter the console line
logging synchronous //output synchronization
exec-timeout 0 0 //disable the line timeout
login local //authenticate against the local user database
exit
line vty 0 4 //enter the VTY lines
logging synchronous
exec-timeout 0 0
login local
transport input telnet //allow telnet connections
exit
username bdqn privilege 15 password benet //create the username and password
enable secret benet //enable password stored encrypted
(The commands above are common to all routers and switches; SW1 is shown as the example.)
SW1:
interface vlan 1
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
SW2:
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
SW3:
interface vlan 1
ip address 192.168.1.3 255.255.255.0
no shutdown
exit
Switching:
Trunking:
SW1:
interface range e 0/1 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20 //only VLANs 1, 10 and 20 may cross the trunk
switchport trunk native vlan 10 //set the trunk native VLAN to VLAN 10
exit
SW2:
interface range e 0/1 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20
switchport trunk native vlan 10
exit
SW3:
interface range e 0/0 - 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20
switchport trunk native vlan 10
exit
VTP:
SW1:
vlan 10,20 //create the VLANs
vtp domain bdqn //set the VTP domain name
vtp mode server //VTP server mode
vtp password benet //set the VTP password
vtp pruning //enable VTP pruning
SW2:
vtp domain bdqn
vtp mode client
vtp password benet
SW3:
vtp domain bdqn
vtp mode client
vtp password benet
Checking the VLAN table shows that SW2 and SW3 have learned VLAN 10 and VLAN 20.
STP:
SW1:
spanning-tree mode pvst
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary
spanning-tree backbonefast //enable BackboneFast
SW2:
spanning-tree mode pvst
spanning-tree vlan 10 root secondary
spanning-tree vlan 20 root primary
spanning-tree backbonefast
SW3:
Verify the spanning tree:
show spanning-tree vlan 10
show spanning-tree vlan 20
STP configuration:
interface e0/2
switchport mode access
switchport access vlan 10
spanning-tree portfast edge
exit
interface e0/3
switchport mode access
switchport access vlan 20
spanning-tree portfast edge //enable PortFast on the access port
exit
spanning-tree uplinkfast //enable UplinkFast
spanning-tree backbonefast
HSRP:
SW1:
track 100 interface e0/0 line-protocol
interface vlan 10
ip address 192.168.10.252 255.255.255.0
standby 10 ip 192.168.10.254
standby 10 priority 110
standby 10 preempt
standby 10 track 100 decrement 30
no shutdown
interface vlan 20
ip address 192.168.20.252 255.255.255.0
standby 20 ip 192.168.20.254
standby 20 priority 90
standby 20 preempt
no shutdown
interface loopback 0
ip address 2.2.2.2 255.255.255.255
no shutdown
exit
SW2:
track 100 interface e0/0 line-protocol
interface vlan 10
ip address 192.168.10.253 255.255.255.0
standby 10 ip 192.168.10.254
standby 10 priority 90
standby 10 preempt
no shutdown
interface vlan 20
ip address 192.168.20.253 255.255.255.0
standby 20 ip 192.168.20.254
standby 20 priority 110
standby 20 preempt
standby 20 track 100 decrement 30
no shutdown
interface loopback 0
ip address 3.3.3.3 255.255.255.255
no shutdown
exit
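To see how the priorities and the tracking decrement above interact, here is an added example (not part of the original lab) that models the HSRP election for groups 10 and 20 on SW1 and SW2. The tie-breaker on equal priority (higher interface IP wins) and the preempt behaviour are assumed as in the configuration above.

```python
from dataclasses import dataclass

@dataclass
class HsrpPeer:
    name: str
    priority: int
    ip: str                     # interface address, used as the HSRP tie-breaker
    track_decrement: int = 0    # 'standby <grp> track 100 decrement N'; 0 = no tracking
    uplink_up: bool = True      # state of the tracked uplink e0/0 towards R1

    def effective_priority(self) -> int:
        # The decrement applies only while the tracked object is down.
        if self.track_decrement and not self.uplink_up:
            return self.priority - self.track_decrement
        return self.priority

def hsrp_active(peers):
    """Name of the peer that is active for one HSRP group: highest effective
    priority wins, highest interface IP breaks ties. Preemption is assumed on
    both peers, as configured above, so the election is re-run on every change."""
    def key(p):
        return (p.effective_priority(), tuple(int(o) for o in p.ip.split(".")))
    return max(peers, key=key).name

def vlan10_group(sw1_uplink_up=True, sw2_uplink_up=True, decrement=30):
    # Group 10 as configured above: SW1 110 with tracking, SW2 90 without.
    return [
        HsrpPeer("SW1", 110, "192.168.10.252", decrement, sw1_uplink_up),
        HsrpPeer("SW2", 90, "192.168.10.253", 0, sw2_uplink_up),
    ]

def vlan20_group(sw1_uplink_up=True, sw2_uplink_up=True, decrement=30):
    # Group 20 mirrors group 10: SW2 110 with tracking, SW1 90 without.
    return [
        HsrpPeer("SW1", 90, "192.168.20.252", 0, sw1_uplink_up),
        HsrpPeer("SW2", 110, "192.168.20.253", decrement, sw2_uplink_up),
    ]

if __name__ == "__main__":
    print("vlan10, all links up:      ", hsrp_active(vlan10_group()))
    print("vlan10, SW1 e0/0 down:     ", hsrp_active(vlan10_group(sw1_uplink_up=False)))
    print("vlan20, SW2 e0/0 down:     ", hsrp_active(vlan20_group(sw2_uplink_up=False)))
    # Caveat: the decrement must exceed the 20-point priority gap, or no failover happens.
    print("vlan10, SW1 down, decr 10: ", hsrp_active(vlan10_group(sw1_uplink_up=False, decrement=10)))
```

The last case is the check worth keeping in mind: with a decrement of only 10, SW1 would drop to 100, still above SW2's 90, and the VIP would stay on a switch whose uplink is down.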
DHCP:
SW1:
ip dhcp pool vlan10
network 192.168.10.0 /24
default-router 192.168.10.254
dns-server 202.96.128.86 119.29.29.29 //primary and backup DNS as required
exit
ip dhcp pool vlan20
network 192.168.20.0 /24
default-router 192.168.20.254
dns-server 202.96.128.86 119.29.29.29
exit
Routing configuration:
SW1:
interface e0/0
no switchport
ip address 172.16.1.2 255.255.255.0
no shutdown
exit
ip routing
ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW2:
interface e0/0
no switchport
ip address 172.16.2.2 255.255.255.0
no shutdown
exit
ip routing
ip route 0.0.0.0 0.0.0.0 172.16.2.1
EtherChannel:
SW1:
interface range e0/1 - 2
channel-group 1 mode on
exit
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 1,10,20
exit
SW2:
interface range e0/1 - 2
channel-group 1 mode on
exit
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 1,10,20
exit
Port security:
SW3:
interface range e0/2 - 3
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1 //at most one MAC address per port
switchport port-security violation shutdown //shut the port down on a violation
exit
errdisable recovery cause all //re-enable err-disabled ports automatically
errdisable recovery interval 30 //recover after 30 seconds, as required
Routing:
Interface configuration:
R1:
config terminal
interface e0/1
ip address 172.16.1.1 255.255.255.0
duplex full
no shutdown
interface e0/2
ip address 172.16.2.1 255.255.255.0
duplex full
no shutdown
exit
interface e0/0
ip address 100.1.1.1 255.255.255.0
no shutdown
interface loopback 0
ip address 1.1.1.1 255.255.255.255
no shutdown
exit
R2:
config terminal
interface e0/0
ip address 100.1.1.2 255.255.255.0
no shutdown
interface loopback 0
ip address 202.96.128.86 255.255.255.0
no shutdown
exit
OSPF configuration:
R1:
router ospf 1
router-id 1.1.1.1
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 0
default-information originate always //advertise a default route into OSPF
exit
ip route 0.0.0.0 0.0.0.0 100.1.1.2
SW1:
router ospf 1
router-id 2.2.2.2
network 172.16.1.0 0.0.0.255 area 0
network 2.2.2.2 0.0.0.0 area 0
redistribute connected subnets //redistribute connected routes (the VLAN 10/20 subnets)
exit
SW2:
router ospf 1
router-id 3.3.3.3
network 3.3.3.3 0.0.0.0 area 0
network 172.16.2.0 0.0.0.255 area 0
redistribute connected subnets
exit
Security policy:
R1:
access-list 1 permit host 192.168.10.1 //standard ACL matching the administrator address
line vty 0 4
access-class 1 in //apply the ACL inbound on the VTY lines
exit
access-list 2 permit 192.168.10.0 0.0.0.255 //internal networks allowed to use PAT
access-list 2 permit 192.168.20.0 0.0.0.255
ip nat inside source list 2 interface e0/0 overload //PAT on the outside interface address
interface e0/0
ip nat outside
interface e0/1
ip nat inside
interface e0/2
ip nat inside
exit
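Two of the settings above are easy to get subtly wrong: an ACL entry whose address is not aligned with its wildcard mask, and a VTY line that has no access-class at all. As an added example (not part of the original lab), this small audit script checks both on a constructed R1 snippet; the second ACL 2 entry in the sample is deliberately misaligned to show what the check reports.

```python
import ipaddress
import re

# Constructed R1 snippet for the demo (not the lab's own file); the second
# ACL 2 line is deliberately misaligned with its wildcard mask.
R1_CONFIG = """\
access-list 1 permit host 192.168.10.1
line vty 0 4
 access-class 1 in
 exit
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.20.9 0.0.0.255
ip nat inside source list 2 interface e0/0 overload
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(?:permit|deny)\s+(\S+)\s+(\S+)")

def misaligned_acl_entries(config):
    """(acl, address, wildcard) for every entry whose address has bits set
    inside the wildcard's don't-care bits; 'host' entries are skipped."""
    bad = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(2) == "host":
            continue
        acl, addr, wild = m.groups()
        if int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(wild)):
            bad.append((acl, addr, wild))
    return bad

def vty_has_access_class(config):
    """True if 'access-class <n> in' appears inside a 'line vty' block."""
    in_vty = False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("line vty"):
            in_vty = True
        elif s.startswith("line ") or s == "exit":
            in_vty = False
        elif in_vty and re.match(r"access-class\s+\d+\s+in\b", s):
            return True
    return False

if __name__ == "__main__":
    for acl, addr, wild in misaligned_acl_entries(R1_CONFIG):
        print(f"ACL {acl}: {addr} {wild} is not network-aligned")
    print("vty protected by access-class:", vty_has_access_class(R1_CONFIG))
```

A misaligned entry still matches the whole /24 once the wildcard is applied, so it is not a hole by itself, but it is the usual sign of a mistyped network and worth flagging before the ACL is used for NAT or remote access.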
Test results:
The configuration succeeded; end of lab.
(If anything has been omitted, readers are welcome to point it out.)