思科中小企业网络综合实验

这是一个典型的中小企业网络拓扑，实验要求如下

1.配置VTP域，S1为server

2.添加VLAN，VLAN2-5，启用VTP修剪（不支持）

3.配置以太通道f0/1 - 2

4.启用路由转发ip routing 回环接口

5.启用生成树，vlan2，3，127以S1为根网桥；vlan4,5以S2为根网桥，且互为备用根网桥

6.配置HSRP（优先级，占先权），priority为105，track上联接口，失效减10

7.Vlan2-5,127配置SVI，vlan2-5 配置DHCP

8.加入ospf区域，AREA1为完全末梢，AREA2为完全末梢

9.串行链路PPP封装，PAP认证

10.内网除服务器外都可NAT转换访问外网

11.GZ、SH及外网都可访问公司内网服务器的WWW

 

安全策略：

   禁止访问总部内网（除服务器的www服务）

   禁止访问另一个分公司的内网

   禁止SSH远程登录R路由器

 

 

开始···

1.创建vlan并设置vtp

Core-1#vlan database

Core-1(vlan)#vlan 2-5,127 PT居然不支持，一个一个来

Core-1(vlan)#vlan 2

VLAN 2 added:

    Name: VLAN0002

Core-1(vlan)#vlan 3

Core-1(vlan)#vlan 4

Core-1(vlan)#vlan 5

Core-1(vlan)#vlan 127

````

Core-1(config)#vtp mode server

Core-1(config)#vtp domain cisco.com

Core-1(config)#vtp passwd huawei

Core-1(config)#vtp prunning --->该交换机不支持

其他三台交换机都为vtp 客户端,配置一样

Core-1(config)#vtp mode client

Core-1(config)#vtp domain cisco.com

Core-1(config)#vtp passwd huawei

 

2.配置以太通道及trunk

Core-1(config)#int range fa0/23-24

Core-1(config-if-range)#switchport trunk encapsulation dot1q

Core-1(config-if-range)#switchport mode trunk

Core-1(config-if-range)#channel-group 1 mode on

````

Core-1(config)#int range gigabitEthernet 0/1-2

Core-1(config-if-range)#switchport trunk encapsulation dot1q

Core-1(config-if-range)#switchport mode trunk

````

Core-2配置一样

`````

S1(config)#int range g0/1-2

S1(config-if-range)#switchport mode trunk

S1(config)#int range fa0/2-5

S1(config-if-range)#switchport mode access

S1(config-if-range)#spanning-tree portfast

S1(config-if-range)#int fa0/2

S1(config-if)#switchport access vlan 2

S1(config-if)#int fa0/3

S1(config-if)#switchport access vlan 3

S1(config-if)#int fa0/4

S1(config-if)#switchport access vlan 4

S1(config-if)#int fa0/5

S1(config-if)#switchport access vlan 5

S2(config)#int range g0/1-2

S2(config-if-range)#switchport mode trunk

S2(config-if-range)#int fa0/1

S2(config-if)#switchport access vlan 127

 

 

 

 

 

3.配各接口SVI，DHCP···

Core-1(config)#int vlan 2

Core-1(config-if)#ip address 192.168.2.254 255.255.255.0

Core-1(config-if)#no shutdown

Core-1(config)#int vlan 3

Core-1(config-if)#ip address 192.168.3.254 255.255.255.0

Core-1(config-if)#no shutdown

Core-1(config)#int vlan 4

Core-1(config-if)#ip address 192.168.4.253 255.255.255.0

Core-1(config-if)#no shutdown

Core-1(config)#int vlan 5

Core-1(config-if)#ip address 192.168.5.253 255.255.255.0

Core-1(config-if)#no shutdown

Core-1(config)#int vlan 127

Core-1(config-if)#ip address 192.168.127.254 255.255.255.0

Core-1(config-if)#no shutdown

```

Core-1(config)#ip dhcp pool 2

Core-1(dhcp-config)#network 192.168.2.0 255.255.255.0

Core-1(dhcp-config)#default-router 192.168.2.1

Core-1(dhcp-config)#dns-server 114.114.114.114

Core-1(config)#ip dhcp pool 3

Core-1(dhcp-config)#network 192.168.3.0 255.255.255.0

Core-1(dhcp-config)#default-router 192.168.3.1

Core-1(dhcp-config)#dns-server 114.114.114.114

Core-1(config)#ip dhcp pool 4

Core-1(dhcp-config)#network 192.168.4.0 255.255.255.0

Core-1(dhcp-config)#default-router 192.168.4.1

Core-1(dhcp-config)#dns-server 114.114.114.114

Core-1(config)#ip dhcp pool 5

Core-1(dhcp-config)#network 192.168.5.0 255.255.255.0

Core-1(dhcp-config)#default-router 192.168.5.1

Core-1(dhcp-config)#dns-server 114.114.114.114

````

Core-1(config)#ip dhcp excluded-address 192.168.2.1

Core-1(config)#ip dhcp excluded-address 192.168.3.1

Core-1(config)#ip dhcp excluded-address 192.168.4.1

Core-1(config)#ip dhcp excluded-address 192.168.5.1

````

Core-1(config)#int fa0/1

Core-1(config)#no switchport

Core-1(config-if)#ip address 192.168.128.1 255.255.255.252

Core-1(config-if)#no shutdown

````

Core-1(config-if)#int loop 0

Core-1(config-if)#ip address 1.1.1.1 255.255.255.255

Core-1(config-if)#no shutdown

 

Core-2与Core-1类似

Core-2(config)#int vlan 2

Core-2(config-if)#ip address 192.168.2.253 255.255.255.0

Core-2(config-if)#no shutdown

Core-2(config)#int vlan 3

Core-2(config-if)#ip address 192.168.3.253 255.255.255.0

Core-2(config-if)#no shutdown

Core-2(config)#int vlan 4

Core-2(config-if)#ip address 192.168.4.254 255.255.255.0

Core-2(config-if)#no shutdown

Core-2(config)#int vlan 5

Core-2(config-if)#ip address 192.168.5.254 255.255.255.0

Core-2(config-if)#no shutdown

Core-2(config)#int vlan 127

Core-2(config-if)#ip address 192.168.127.253 255.255.255.0

Core-2(config-if)#no shutdown

``

Core-2(config)#ip dhcp pool 2

Core-2(dhcp-config)#network 192.168.2.0 255.255.255.0

Core-2(dhcp-config)#default-router 192.168.2.1

Core-2(dhcp-config)#dns-server 114.114.114.114

Core-2(config)#ip dhcp pool 3

Core-2(dhcp-config)#network 192.168.3.0 255.255.255.0

Core-2(dhcp-config)#default-router 192.168.3.1

Core-2(dhcp-config)#dns-server 114.114.114.114

Core-2(config)#ip dhcp pool 4

Core-2(dhcp-config)#network 192.168.4.0 255.255.255.0

Core-2(dhcp-config)#default-router 192.168.4.1

Core-2(dhcp-config)#dns-server 114.114.114.114

Core-2(config)#ip dhcp pool 5

Core-2(dhcp-config)#network 192.168.5.0 255.255.255.0

Core-2(dhcp-config)#default-router 192.168.5.1

Core-2(dhcp-config)#dns-server 114.114.114.114

````

Core-2(config)#ip dhcp excluded-address 192.168.2.1

Core-2(config)#ip dhcp excluded-address 192.168.3.1

Core-2(config)#ip dhcp excluded-address 192.168.4.1

Core-2(config)#ip dhcp excluded-address 192.168.5.1

````

Core-2(config)#int fa0/1

Core-2(config)#no switchport

Core-2(config-if)#ip address 192.168.128.5 255.255.255.252

Core-2(config-if)#no shutdown

````

Core-2(config-if)#int loop 0

Core-2(config-if)#ip address 2.2.2.2 255.255.255.255

Core-2(config-if)#no shutdown

 

 

 

4.配置HSRP

Core-1(config)#spanning-tree vlan 2,3,127 root primary

Core-1(config)#spanning-tree vlan 4,5 root secondary

Core-2(config)#spanning-tree vlan 2,3,127 root secondary

Core-2(config)#spanning-tree vlan 4,5 root primary

````

Core-1(config)#int vlan 2

Core-1(config-if)#standby 2 ip 192.168.2.1

Core-1(config-if)#standby 2 priority 105

Core-1(config-if)#standby 2 preempt

Core-1(config-if)#standby 2 track fa0/1   --->上联口失效的话优先级减10成为95

Core-1(config)#int vlan 3

Core-1(config-if)#standby 3 ip 192.168.3.1

Core-1(config-if)#standby 3 priority 105

Core-1(config-if)#standby 3 preempt

Core-1(config-if)#standby 3 track fa0/1   --->上联口失效的话优先级减10成为95

Core-1(config)#int vlan 4

Core-1(config-if)#standby 4 ip 192.168.4.1

Core-1(config)#int vlan 5

Core-1(config-if)#standby 5 ip 192.168.5.1

Core-1(config)#int vlan 127

Core-1(config-if)#standby 127 ip 192.168.127.1

Core-1(config-if)#standby 127 priority 105

Core-1(config-if)#standby 127 preempt

Core-1(config-if)#standby 127 track fa0/1   --->上联口失效的话优先级减10成为95

````

Core-2与Core-1配置对应

Core-2(config)#int vlan 2

Core-2(config-if)#standby 2 ip 192.168.2.1

Core-2(config)#int vlan 3

Core-2(config-if)#standby 3 ip 192.168.3.1

Core-2(config)#int vlan 4

Core-2(config-if)#standby 4 ip 192.168.4.1

Core-2(config-if)#standby 4 priority 105

Core-2(config-if)#standby 4 preempt

Core-2(config-if)#standby 4 track fa0/1   --->上联口失效的话优先级减10成为95

Core-2(config)#int vlan 5

Core-2(config-if)#standby 5 ip 192.168.5.1

Core-2(config-if)#standby 5 priority 105

Core-2(config-if)#standby 5 preempt

Core-2(config-if)#standby 5 track fa0/1   --->上联口失效的话优先级减10成为95

Core-2(config)#int vlan 127

Core-2(config-if)#standby 127 ip 192.168.127.1

 

 

5.启用OSPF、出口静态路由，默认路由重分发，设置stub末梢

R(config)#int g0/0

R(config-if)#ip address 192.168.128.2 255.255.255.252

R(config-if)#no shutdown

R(config)#int g0/1

R(config-if)#ip address 192.168.128.6 255.255.255.252

R(config-if)#no shutdown

R(config-if)#int s0/3/0

R(config-if)#ip address 192.168.128.10 255.255.255.252

R(config-if)#encapsulation ppp

R(config-if)#ppp authentication pap

R(config-if)#clock rate 128000

R(config-if)#no shutdown

R(config)#username huawei  password huawei

R(config-if)#int s0/3/1

R(config-if)#ip address 192.168.128.13 255.255.255.252

R(config-if)#encapsulation ppp

R(config-if)#ppp authentication pap

R(config-if)#clock rate 128000

R(config-if)#no shutdown

R(config-if)#int s0/1/0

R(config-if)#ip address 192.168.128.17 255.255.255.252

R(config-if)#encapsulation ppp

R(config-if)#ppp authentication pap

R(config-if)#clock rate 128000

R(config-if)#no shutdown

 R(config-if)#int loop 0

R(config-if)#ip address 3.3.3.3 255.255.255.255

 

···

GZ(config)#int s0/3/0

GZ(config-if)#ip address 192.168.128.9 255.255.255.252

GZ(config-if)#ppp pap sent-username huawei password huawei

GZ(config-if)#no shutdown

GZ(config-if)#int g0/0

GZ(config-if)#ip address 192.168.129.1 255.255.255.0

GZ(config-if)#no shutdown

````

SH(config)#int s0/3/0

SH(config-if)#ip address 192.168.128.14 255.255.255.252

SH(config-if)#ppp pap sent-username huawei password huawei

SH(config-if)#no shutdown

SH(config-if)#int g0/0

SH(config-if)#ip address 192.168.130.1 255.255.255.0

SH(config-if)#no shutdown

````

R(config)#router ospf 1

R(config-router)#router-id 3.3.3.3

R(config-router)#network 3.3.3.3 0.0.0.0 area 0

R(config-router)#network 192.168.128.2 0.0.0.0 area 0

R(config-router)#network 192.168.128.6 0.0.0.0 area 0

R(config-router)#network 192.168.128.10 0.0.0.0 area 1

R(config-router)#network 192.168.128.13 0.0.0.0 area 2

R(config-router)#area 1 stub no-summary

R(config-router)#area 2 stub no-summary

R(config)#ip route 0.0.0.0 0.0.0.0 192.168.128.18

R(config-router)#default-information originate

····

Core-1(config-router)#router-id 1.1.1.1

Core-1(config-router)#network 1.1.1.1 0.0.0.0 area 0

Core-1(config-router)#network 192.168.128.1 0.0.0.0 area 0

Core-1(config-router)#network 192.168.0.0 0.0.255.255 area 0

·····

Core-2(config-router)#router-id 2.2.2.2

Core-2(config-router)#network 2.2.2.2 0.0.0.0 area 0

Core-2(config-router)#network 192.168.128.5 0.0.0.0 area 0

Core-2(config-router)#network 192.168.0.0 0.0.255.255 area 0

 

 

6.内网访问外网NAT转换、外网访问内网WWW服务器

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 1 permit 192.168.5.0 0.0.0.255

ip nat inside source list 1 interface Serial0/1/0 overload  -->内网访问外网NAT转换

ip nat inside source static tcp 192.168.127.127 80 192.168.128.17 80  -->外网访问内网WWW服务器

 

7.在R上设置SSH服务器，禁止外网登录

R(config)#crypto key generate rsa

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

 R(config)#username root privilege 15 password huawei

R(config)#lin vty 0 4

R(config-line)#transport input ssh

R(config-line)#login local

```

 R(config)#access-list 122 deny tcp any any eq 22

 R(config)#access-list 122 permit ip any any

R(config)#int s0/3/0

R(config-if)#ip access-group 122 in

R(config)#int s0/3/1

R(config-if)#ip access-group 122 in

R(config)#int s0/1/0

R(config-if)#ip access-group 122 in

 

 

 

 8.禁止访问总部内网（除服务器的www服务）,禁止访问另一个分公司的内网

GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.2.0 0.0.0.255

GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.3.0 0.0.0.255

GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.4.0 0.0.0.255

GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.5.0 0.0.0.255

GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.130.0 0.0.0.255

GZ(config)#access-list 129 permit ip any any

GZ(config)#int s0/3/0

GZ(config-if)#ip access-group 129 out

````

SH(config)#access-list 130 deny ip 192.168.129.0 0.0.0.255 192.168.2.0 0.0.0.255

SH(config)#access-list 130 deny ip 192.168.129.0 0.0.0.255 192.168.3.0 0.0.0.255

SH(config)#access-list 130 deny ip 192.168.129.0 0.0.0.255 192.168.4.0 0.0.0.255

SH(config)#access-list 130 deny ip 192.168.129.0 0.0.0.255 192.168.5.0 0.0.0.255

SH(config)#access-list 130 deny ip 192.168.129.0 0.0.0.255 192.168.130.0 0.0.0.255

SH(config)#access-list 130 permit ip any any

SH(config)#int s0/3/0

SH(config-if)#ip access-group 130 out