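I. Requirements
1) The company has four service VLANs:
Finance - vlan10: 192.168.10.0/24
Marketing - vlan20: 192.168.20.0/24
Operations - vlan30: 192.168.30.0/24
Information Security - vlan40: 192.168.40.0/24
All PCs in every VLAN obtain their IP addresses via DHCP
2) The company has one service server:
WEB server: 172.16.71.1/24
3) Deploy MSTP to prevent layer-2 loops, provide link backup, and load-balance VLAN traffic
Create instance 10, bound to vlan10
Create instance 20, bound to vlan20
Create instance 30, bound to vlan30
Create instance 40, bound to vlan40
Create instance 8, bound to vlan88
SW5 is the primary root for instances 10/20 and the secondary root for instances 30/40/8
SW6 is the primary root for instances 30/40 and the secondary root for instances 10/20/8
SW8 is the primary root for instance 8
Primary root priority: 4096; secondary root priority: 8192
4) Deploy an Eth-Trunk on the heartbeat link between SW5 and SW6 to improve link redundancy and reliability
Deploy the Eth-Trunk in LACP mode
Make SW5 the active end, with system priority 100
5) Deploy VRRP for gateway backup and load balancing of layer-3 traffic
Create one backup group per service VLAN
vlan10 - backup group 10
vlan20 - backup group 20
vlan30 - backup group 30
vlan40 - backup group 40
SW5 is the master for backup groups 10 and 20, with priority 130
and the backup for backup groups 30 and 40, with the default priority
SW5 vlanif IP address: 192.168.xx.251/24
SW6 is the master for backup groups 30 and 40, with priority 130
and the backup for backup groups 10 and 20, with the default priority
SW6 vlanif IP address: 192.168.xx.252/24
The virtual gateway is always 192.168.xx.254
Configure uplink interface tracking on the master device
When the uplink interface is found to be down, the priority is reduced by 50
6) Deploy DHCP so that all PCs obtain their IP addresses via DHCP
R8 is deployed as the DHCP server: IP address 192.168.88.88
SW5 and SW6 are DHCP relays:
SW5 vlanif88: 192.168.88.5/24
SW6 vlanif88: 192.168.88.6/24
To obtain an IP address on a PC, use ipconfig /renew
If the obtained IP address conflicts, the fixes are (apply both):
1) Address exclusion: excluded addresses 192.168.xx.240 192.168.xx.253
2) Alternatively, DHCP server ping detection, or address exclusion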
dhcp server ping packet 2
dhcp server ping timeout 30
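Then obtain the IP addresses again:
-- First disable DHCP on all PCs, switch them to static addressing, and click Apply
-- Reset the IP address pool on the R8 DHCP server: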
<R8>reset ip pool name vlan10 all
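-- Then open the PCs again and obtain IP addresses one PC at a time, using ipconfig /renew
7) Deploy OSPF for full connectivity inside the network
R8 is in area 88: 192.168.88.0/24 is advertised into area 88
R1/SW5/SW6/R3 belong to the backbone area
192.168.15.0/24
192.168.16.0/24
172.16.13.0/24
are advertised into the backbone area
Subnet between SW5 and R1: 192.168.15.0/24
Subnet between SW6 and R1: 192.168.16.0/24
SW5/SW6/R3 are all ABRs
R3/R4/R5 are in area 100
Area 10 is a Totally NSSA area
vlan10/vlan20/vlan30/vlan40: each VLAN is its own OSPF area
Example: 192.168.10.0/24 is advertised into area 10
8) Deploy an ACL on R1 for traffic access control
Hosts in vlan20 may access the WWW service on server1 (172.16.71.1/24) and no other service
Other VLANs are unrestricted
: rule 10: permit 192.168.20.0/24 to access port 80 on 172.16.71.1
: rule 20: deny 192.168.20.0/24 access to any service on 172.16.71.1
9) Deploy NAT for connectivity between the internal and external networks
Internal hosts in all VLANs can access the external network
Configure a default route on R1 and inject it into OSPF
II. Configuration commands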
ISP-R6:
interface GigabitEthernet0/0/0
ip address 100.1.1.6 255.255.255.248
interface GigabitEthernet0/0/1
ip address 200.1.1.254 255.255.255.0
R1:
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
rule 20 permit source 192.168.20.0 0.0.0.255
rule 30 permit source 192.168.30.0 0.0.0.255
rule 40 permit source 192.168.40.0 0.0.0.255
acl number 3000
rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 172.16.71.1 0 destination-port eq www
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 172.16.71.1 0
quit
nat alg ftp enable
nat address-group 1 100.1.1.2 100.1.1.5
interface GigabitEthernet0/0/0
ip address 192.168.15.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.16.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 172.16.13.1 255.255.255.0
traffic-filter outbound acl 3000
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.248
nat outbound 2000 address-group 1
quit
ospf 1 router-id 1.1.1.1
default-route-advertise
area 0.0.0.0
network 172.16.13.0 0.0.0.255
network 192.168.15.0 0.0.0.255
network 192.168.16.0 0.0.0.255
quit
ip route-static 0.0.0.0 0.0.0.0 100.1.1.6
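Added example (not part of the original post): a Python sketch that evaluates acl 3000 in first-match order against constructed flows and compares rule 20 with and without the "destination 172.16.71.1 0" clause. It assumes traffic-filter forwards packets that match no rule, parses only the rule syntax used on this page, and the names UNSCOPED and SCOPED are illustrative.

```python
import ipaddress

PORTS = {"www": 80}  # port keyword used in the page's rule 10

def wc_match(addr, base, wildcard):
    """Wildcard match: bits that are 0 in the wildcard must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_rule(line):
    """Parse the subset of advanced-ACL rule syntax that appears on this page."""
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3],
            "src": None, "dst": None, "port": None}
    i = 4
    while i < len(t):
        if t[i] in ("source", "destination"):
            wildcard = "0.0.0.0" if t[i + 2] == "0" else t[i + 2]  # "0" = host
            rule["src" if t[i] == "source" else "dst"] = (t[i + 1], wildcard)
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            rule["port"] = PORTS[t[i + 2]] if t[i + 2] in PORTS else int(t[i + 2])
        else:
            raise ValueError(f"unsupported token: {t[i]}")
        i += 3
    return rule

def evaluate(rule_lines, src, dst, proto, port=None):
    """First match in rule-ID order wins; returns (action, matching rule id)."""
    for r in sorted(map(parse_rule, rule_lines), key=lambda r: r["id"]):
        if r["proto"] not in ("ip", proto):
            continue
        if r["src"] and not wc_match(src, *r["src"]):
            continue
        if r["dst"] and not wc_match(dst, *r["dst"]):
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"], r["id"]
    return "permit", None  # assumption: traffic-filter forwards unmatched packets

RULE10 = ("rule 10 permit tcp source 192.168.20.0 0.0.0.255 "
          "destination 172.16.71.1 0 destination-port eq www")
UNSCOPED = [RULE10, "rule 20 deny ip source 192.168.20.0 0.0.0.255"]
SCOPED = [RULE10, "rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 172.16.71.1 0"]

if __name__ == "__main__":
    flows = [("192.168.20.7", "172.16.71.1", "tcp", 80),   # constructed sample flows
             ("192.168.20.7", "172.16.71.1", "tcp", 22),
             ("192.168.20.7", "172.16.47.7", "tcp", 22),
             ("192.168.10.7", "172.16.71.1", "tcp", 22)]
    for f in flows:
        print(f, "unscoped:", evaluate(UNSCOPED, *f), "scoped:", evaluate(SCOPED, *f))
```

Without the destination clause, rule 20 also drops vlan20 traffic to every other host behind GigabitEthernet0/0/2, which is broader than requirement 8 asks for.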
HX-SW5:
vlan batch 10 15 to 16 20 30 40 88
stp instance 8 priority 8192
stp instance 10 priority 4096
stp instance 15 priority 4096
stp instance 16 priority 8192
stp instance 20 priority 4096
stp instance 30 priority 8192
stp instance 40 priority 8192
lacp priority 100
dhcp enable
stp region-configuration
region-name ntd
instance 8 vlan 88
instance 10 vlan 10
instance 15 vlan 15
instance 16 vlan 16
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
active region-configuration
quit
interface Vlanif10
ip address 192.168.10.251 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 130
vrrp vrid 10 track interface GigabitEthernet0/0/11 reduced 50
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif15
ip address 192.168.15.5 255.255.255.0
interface Vlanif20
ip address 192.168.20.251 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 130
vrrp vrid 20 track interface GigabitEthernet0/0/11 reduced 50
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif30
ip address 192.168.30.251 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif40
ip address 192.168.40.251 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif88
ip address 192.168.88.5 255.255.255.0
quit
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/11
port link-type access
port default vlan 15
interface GigabitEthernet0/0/21
eth-trunk 1
interface GigabitEthernet0/0/22
eth-trunk 1
quit
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 192.168.15.0 0.0.0.255
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.88
network 192.168.88.0 0.0.0.255
HX-SW6:
vlan batch 10 15 to 16 20 30 40 88
stp instance 8 priority 8192
stp instance 10 priority 8192
stp instance 15 priority 8192
stp instance 16 priority 4096
stp instance 20 priority 8192
stp instance 30 priority 4096
stp instance 40 priority 4096
dhcp enable
stp region-configuration
region-name ntd
instance 8 vlan 88
instance 10 vlan 10
instance 15 vlan 15
instance 16 vlan 16
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
active region-configuration
quit
interface Vlanif10
ip address 192.168.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif16
ip address 192.168.16.6 255.255.255.0
interface Vlanif20
ip address 192.168.20.252 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif30
ip address 192.168.30.252 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 130
vrrp vrid 30 track interface GigabitEthernet0/0/11 reduced 50
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif40
ip address 192.168.40.252 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 130
vrrp vrid 40 track interface GigabitEthernet0/0/11 reduced 50
dhcp select relay
dhcp relay server-ip 192.168.88.88
interface Vlanif88
ip address 192.168.88.6 255.255.255.0
quit
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
quit
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/11
port link-type access
port default vlan 16
interface GigabitEthernet0/0/21
eth-trunk 1
interface GigabitEthernet0/0/22
eth-trunk 1
quit
ospf 1 router-id 6.6.6.6
area 0.0.0.0
network 192.168.16.0 0.0.0.255
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.88
network 192.168.88.0 0.0.0.255
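Added example (not part of the original post): a Python check that audits Vlanif VRRP lines against the numbering plan in requirement 5, that is, vrid N on VlanifN, virtual IP 192.168.N.254, and a tracked priority that drops below the backup's default of 100. The SAMPLE excerpt is constructed, and the function name audit_vrrp is illustrative.

```python
import re

DEFAULT_PRIORITY = 100  # VRRP default priority, kept by the backup switch

def audit_vrrp(config_text):
    """Check Vlanif VRRP lines against the page's plan: vrid N on VlanifN,
    virtual IP 192.168.N.254, tracked priority falling below the backup's."""
    findings, vlan = [], None
    priority, reduced = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            v = re.fullmatch(r"Vlanif(\d+)", m.group(1))
            vlan = int(v.group(1)) if v else None
            continue
        if vlan is None or not line.startswith("vrrp vrid "):
            continue
        t = line.split()
        if int(t[2]) != vlan:
            findings.append(f"Vlanif{vlan}: vrid {t[2]} does not match the VLAN")
        if t[3] == "virtual-ip" and t[4] != f"192.168.{vlan}.254":
            findings.append(f"Vlanif{vlan}: unexpected virtual IP {t[4]}")
        elif t[3] == "priority":
            priority[vlan] = int(t[4])
        elif t[3] == "track" and t[-2] == "reduced":
            reduced[vlan] = int(t[-1])
    for vlan, drop in reduced.items():
        if priority.get(vlan, DEFAULT_PRIORITY) - drop >= DEFAULT_PRIORITY:
            findings.append(f"Vlanif{vlan}: priority after uplink loss stays at or "
                            f"above {DEFAULT_PRIORITY}, so the backup never takes over")
    return findings

# Constructed excerpt in the style of the switch configs; two lines are wrong on purpose.
SAMPLE = """\
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 130
vrrp vrid 10 track interface GigabitEthernet0/0/11 reduced 50
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 130
vrrp vrid 20 track interface GigabitEthernet0/0/11 reduced 20
interface Vlanif40
vrrp vrid 10 virtual-ip 192.168.40.254
"""

if __name__ == "__main__":
    for finding in audit_vrrp(SAMPLE):
        print(finding)
```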
SW8:
vlan batch 10 15 to 16 20 30 40 88
stp instance 8 priority 4096
stp region-configuration
region-name ntd
instance 8 vlan 88
instance 10 vlan 10
instance 15 vlan 15
instance 16 vlan 16
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
active region-configuration
quit
interface GigabitEthernet0/0/1
port link-type access
port default vlan 88
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
R8-DHCP:
dhcp enable
dhcp server ping packet 2
dhcp server ping timeout 30
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.251 192.168.10.252
dns-list 8.8.8.8
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.251 192.168.20.252
dns-list 8.8.8.8
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.251 192.168.30.252
dns-list 8.8.8.8
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.251 192.168.40.252
dns-list 8.8.8.8
quit
interface GigabitEthernet0/0/0
ip address 192.168.88.88 255.255.255.0
dhcp select global
quit
ospf 1 router-id 8.8.8.8
area 0.0.0.88
network 192.168.88.0 0.0.0.255
R3:
interface GigabitEthernet0/0/0
ip address 172.16.13.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.34.3 255.255.255.0
quit
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.13.0 0.0.0.255
area 0.0.0.100
network 172.16.34.0 0.0.0.255
nssa no-summary
R4:
interface GigabitEthernet0/0/0
ip address 172.16.34.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.47.4 255.255.255.0
ospf 1 router-id 4.4.4.4
area 0.0.0.100
network 172.16.34.0 0.0.0.255
network 172.16.47.0 0.0.0.255
nssa
R7:
interface GigabitEthernet0/0/0
ip address 172.16.47.7 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.71.254 255.255.255.0
quit
ospf 1 router-id 7.7.7.7
area 0.0.0.100
network 172.16.47.0 0.0.0.255
network 172.16.71.0 0.0.0.255
nssa
SW1:
vlan batch 10 15 to 16 20 30 40 88
stp region-configuration
region-name ntd
instance 8 vlan 88
instance 10 vlan 10
instance 15 vlan 15
instance 16 vlan 16
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
active region-configuration
quit
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
SW2:
vlan batch 10 15 to 16 20 30 40 88
stp region-configuration
region-name ntd
instance 8 vlan 88
instance 10 vlan 10
instance 15 vlan 15
instance 16 vlan 16
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
active region-configuration
quit
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/5
port link-type access
port default vlan 20
SW3:
vlan batch 10 15 to 16 20 30 40 88
stp region-configuration
region-name ntd
instance 8 vlan 88
instance 10 vlan 10
instance 15 vlan 15
instance 16 vlan 16
instance 20 vlan 20
instance 30 vlan 30
instance 40 vlan 40
active region-configuration
quit
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
interface GigabitEthernet0/0/2
port link-type access
port default vlan 40
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
From: https://blog.csdn.net/qq_62256279/article/details/144154408