路由交换基础（中小型网络）

• 接入交换机与核心交换机通过Eth-Trunk组网保证可靠性。
• 每个部门业务划分到一个VLAN中，部门间的业务在CORE上通过VLANIF三层互通。
• 核心交换机作为DHCP Server，为园区用户分配IP地址。
• 接入交换机上配置DHCP Snooping功能，防止内网用户私接小路由器分配IP地址。
• 交换机开启telnet功能，方便后期维护。

交换机A 配置：

[SWA]dhcp enable 

[SWA]dhcp snooping enable 

[SWA]telnet server  enable 

[SWA]stp bpdu-protection 

[SWA]vlan batch 5 10

[SWA]inter Vlanif 5

[SWA-Vlanif5]ip add 172.16.5.2 24

[SWA]inter Eth-Trunk 1 

[SWA-Eth-Trunk1]port link-type trunk 

[SWA-Eth-Trunk1]port trunk allow-pass vlan 5 10

[SWA-Eth-Trunk1]dhcp snooping trusted 

[SWA]inter g0/0/1

[SWA-GigabitEthernet0/0/1]eth-trunk 1

[SWA]inter g0/0/2

[SWA-GigabitEthernet0/0/2]eth-trunk 1

[SWA]inter g0/0/3 (接PC的端口，都要开启dhcp snooping 跟边缘端口)

[SWA-GigabitEthernet0/0/3]dhcp snooping enable 

[SWA-GigabitEthernet0/0/3]stp edged-port enable

[SWA]aaa

[SWA-aaa]local-user admin password cipher Admin@1234 privilege level 15

[SWA-aaa]local-user admin service-type telnet 

[SWA]user-interface vty 0 4

[SWA-ui-vty0-4]authentication-mode aaa

[SWA-ui-vty0-4]protocol  inbound all

交换机B跟交换机A就IP地址，vlan不一样，其他都一样。

核心交换机配置如下：

[SWA]dhcp enable 

[SWA]telnet server  enable 

[CORE]vlan batch 5 10 20 100 

[CORE]inter vlan 5

[CORE-Vlanif5] ip address 172.16.5.1 255.255.255.0

[CORE]inter vlan 10

[CORE-Vlanif10] ip address 172.16.10.1 255.255.255.0

[CORE-Vlanif10] dhcp select global

[CORE]inter vlan 20

[CORE-Vlanif20]ip address 172.16.20.1 255.255.255.0

[CORE-Vlanif20]dhcp select global 

[CORE]inter vlan 100

[CORE-Vlanif100] ip address 192.168.100.1 255.255.255.0

[CORE]inter g0/0/1

[CORE-GigabitEthernet0/0/1] port link-type access

[CORE-GigabitEthernet0/0/1] port default vlan 100

[CORE]interface Eth-Trunk 1 

[CORE-Eth-Trunk1]port link-type trunk

[CORE-Eth-Trunk1]port trunk allow-pass vlan 5 10 

[CORE]inte g0/0/2

[CORE-GigabitEthernet0/0/2] eth-trunk 1

[CORE]inte g0/0/3

[CORE-GigabitEthernet0/0/3] eth-trunk 1

[CORE]interface Eth-Trunk 2

[CORE-Eth-Trunk1]port link-type trunk

[CORE-Eth-Trunk1]port trunk allow-pass vlan 5 20 

[CORE]inte g0/0/4

[CORE-GigabitEthernet0/0/4] eth-trunk 2

[CORE]inte g0/0/5

[CORE-GigabitEthernet0/0/5] eth-trunk 2

[CORE]ip pool vlan10

[CORE-ip-pool-vlan10]ip pool vlan10

[CORE-ip-pool-vlan10]gateway-list 172.16.10.1

[CORE-ip-pool-vlan10]network 172.16.10.0 mask 255.255.255.0

[CORE-ip-pool-vlan10]dns-list 114.114.114.114 223.5.5.5

[CORE]ip pool vlan20

[CORE-ip-pool-vlan20]ip pool vlan20

[CORE-ip-pool-vlan20]gateway-list 172.16.20.1

[CORE-ip-pool-vlan20]network 172.16.20.0 mask 255.255.255.0

[CORE-ip-pool-vlan20]dns-list 114.114.114.114 223.5.5.5

[CORE]ip route-static 0.0.0.0 0.0.0.0 192.168.100.2

telnet 参考前面的配置，聚合端口，查看display  eth-trunk 1

路由器配置：

interface GigabitEthernet0/0/0

ip address 192.168.100.2 255.255.255.0 

interface GigabitEthernet0/0/1

ip address 192.168.56.2 255.255.255.0

nat outbound 2000（报错是因为还没建立ACL 2000，先建立再来端口应用）

[AR1]acl 2000

 rule 5 permit source 172.16.10.0 0.0.0.255

rule 10 permit source 172.16.20.0 0.0.0.255

rule 15 permit source 192.168.100.0 0.0.0.255 

[AR1]ip route-static 0.0.0.0 0.0.0.0 192.168.56.1

因为我的内网都是172.16. 所以我一个大段包含了，你们也可以明细。

ip route-static 172.16.0.0 255.255.0.0 192.168.100.1

测试，vlan10 下的PC 能自动获取地址，能通vlan20 网段， 能ping通 192.168.56.1（这里可以理解成光猫地址）