This is a typical small-to-medium enterprise network topology; the lab requirements are as follows:
1. Configure a VTP domain with S1 as the server
2. Add VLANs 2-5 and enable VTP pruning (not supported)
3. Configure an EtherChannel on f0/1-2
4. Enable IP routing (ip routing) and loopback interfaces
5. Enable spanning tree: S1 is the root bridge for VLANs 2, 3 and 127, S2 is the root bridge for VLANs 4 and 5, and each is the backup root for the other's VLANs
6. Configure HSRP (priority, preemption): priority 105, track the uplink interface, decrement by 10 on failure
7. Configure SVIs for VLANs 2-5 and 127, and DHCP for VLANs 2-5
8. Join the OSPF areas; AREA1 and AREA2 are totally stubby areas
9. Serial links use PPP encapsulation with PAP authentication
10. Every internal host except the server reaches the Internet through NAT
11. GZ, SH and the Internet can all reach the company's internal WWW server
Security policy:
Deny access to the HQ internal network (except the server's WWW service)
Deny access to the other branch office's internal network
Deny SSH remote login to router R
Let's begin.
1. Create the VLANs and set up VTP
Core-1#vlan database
Core-1(vlan)#vlan 2-5,127   ---> Packet Tracer does not accept a range here, so add them one at a time
Core-1(vlan)#vlan 2
VLAN 2 added:
Name: VLAN0002
Core-1(vlan)#vlan 3
Core-1(vlan)#vlan 4
Core-1(vlan)#vlan 5
Core-1(vlan)#vlan 127

Core-1(config)#vtp mode server
Core-1(config)#vtp domain cisco.com
Core-1(config)#vtp password huawei
Core-1(config)#vtp pruning   ---> not supported on this switch
The other three switches are all VTP clients with the same configuration (shown for Core-2; S1 and S2 are identical):
Core-2(config)#vtp mode client
Core-2(config)#vtp domain cisco.com
Core-2(config)#vtp password huawei
2. Configure the EtherChannel and trunks
Core-1(config)#int range fa0/23-24
Core-1(config-if-range)#switchport trunk encapsulation dot1q
Core-1(config-if-range)#switchport mode trunk
Core-1(config-if-range)#channel-group 1 mode on

Core-1(config)#int range gigabitEthernet 0/1-2
Core-1(config-if-range)#switchport trunk encapsulation dot1q
Core-1(config-if-range)#switchport mode trunk

Core-2 is configured the same way.
S1(config)#int range g0/1-2
S1(config-if-range)#switchport mode trunk
S1(config)#int range fa0/2-5
S1(config-if-range)#switchport mode access
S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#int fa0/2
S1(config-if)#switchport access vlan 2
S1(config-if)#int fa0/3
S1(config-if)#switchport access vlan 3
S1(config-if)#int fa0/4
S1(config-if)#switchport access vlan 4
S1(config-if)#int fa0/5
S1(config-if)#switchport access vlan 5
S2(config)#int range g0/1-2
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#int fa0/1
S2(config-if)#switchport access vlan 127
3. Configure the SVIs, DHCP, and the routed uplink and loopback interfaces
Core-1(config)#int vlan 2
Core-1(config-if)#ip address 192.168.2.254 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 3
Core-1(config-if)#ip address 192.168.3.254 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 4
Core-1(config-if)#ip address 192.168.4.253 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 5
Core-1(config-if)#ip address 192.168.5.253 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 127
Core-1(config-if)#ip address 192.168.127.254 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#ip dhcp pool 2
Core-1(dhcp-config)#network 192.168.2.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.2.1
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp pool 3
Core-1(dhcp-config)#network 192.168.3.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.3.1
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp pool 4
Core-1(dhcp-config)#network 192.168.4.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.4.1
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp pool 5
Core-1(dhcp-config)#network 192.168.5.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.5.1
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp excluded-address 192.168.2.1
Core-1(config)#ip dhcp excluded-address 192.168.3.1
Core-1(config)#ip dhcp excluded-address 192.168.4.1
Core-1(config)#ip dhcp excluded-address 192.168.5.1
Core-1(config)#int fa0/1
Core-1(config-if)#no switchport
Core-1(config-if)#ip address 192.168.128.1 255.255.255.252
Core-1(config-if)#no shutdown
Core-1(config-if)#int loop 0
Core-1(config-if)#ip address 1.1.1.1 255.255.255.255
Core-1(config-if)#no shutdown
Core-2 is configured like Core-1:
Core-2(config)#int vlan 2
Core-2(config-if)#ip address 192.168.2.253 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 3
Core-2(config-if)#ip address 192.168.3.253 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 4
Core-2(config-if)#ip address 192.168.4.254 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 5
Core-2(config-if)#ip address 192.168.5.254 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 127
Core-2(config-if)#ip address 192.168.127.253 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#ip dhcp pool 2
Core-2(dhcp-config)#network 192.168.2.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.2.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp pool 3
Core-2(dhcp-config)#network 192.168.3.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.3.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp pool 4
Core-2(dhcp-config)#network 192.168.4.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.4.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp pool 5
Core-2(dhcp-config)#network 192.168.5.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.5.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp excluded-address 192.168.2.1
Core-2(config)#ip dhcp excluded-address 192.168.3.1
Core-2(config)#ip dhcp excluded-address 192.168.4.1
Core-2(config)#ip dhcp excluded-address 192.168.5.1
Core-2(config)#int fa0/1
Core-2(config-if)#no switchport
Core-2(config-if)#ip address 192.168.128.5 255.255.255.252
Core-2(config-if)#no shutdown
Core-2(config-if)#int loop 0
Core-2(config-if)#ip address 2.2.2.2 255.255.255.255
Core-2(config-if)#no shutdown
4. Configure the spanning-tree root bridges and HSRP
Core-1(config)#spanning-tree vlan 2,3,127 root primary
Core-1(config)#spanning-tree vlan 4,5 root secondary
Core-2(config)#spanning-tree vlan 2,3,127 root secondary
Core-2(config)#spanning-tree vlan 4,5 root primary
Core-1(config)#int vlan 2
Core-1(config-if)#standby 2 ip 192.168.2.1
Core-1(config-if)#standby 2 priority 105
Core-1(config-if)#standby 2 preempt
Core-1(config-if)#standby 2 track fa0/1   ---> if the uplink fails, the priority drops by 10 (the default decrement) to 95 and Core-2 takes over
Core-1(config)#int vlan 3
Core-1(config-if)#standby 3 ip 192.168.3.1
Core-1(config-if)#standby 3 priority 105
Core-1(config-if)#standby 3 preempt
Core-1(config-if)#standby 3 track fa0/1   ---> if the uplink fails, the priority drops by 10 to 95
Core-1(config)#int vlan 4
Core-1(config-if)#standby 4 ip 192.168.4.1
Core-1(config)#int vlan 5
Core-1(config-if)#standby 5 ip 192.168.5.1
Core-1(config)#int vlan 127
Core-1(config-if)#standby 127 ip 192.168.127.1
Core-1(config-if)#standby 127 priority 105
Core-1(config-if)#standby 127 preempt
Core-1(config-if)#standby 127 track fa0/1   ---> if the uplink fails, the priority drops by 10 to 95

Core-2 mirrors Core-1 (active for VLANs 4 and 5, standby for the rest):
Core-2(config)#int vlan 2
Core-2(config-if)#standby 2 ip 192.168.2.1
Core-2(config)#int vlan 3
Core-2(config-if)#standby 3 ip 192.168.3.1
Core-2(config)#int vlan 4
Core-2(config-if)#standby 4 ip 192.168.4.1
Core-2(config-if)#standby 4 priority 105
Core-2(config-if)#standby 4 preempt
Core-2(config-if)#standby 4 track fa0/1   ---> if the uplink fails, the priority drops by 10 to 95
Core-2(config)#int vlan 5
Core-2(config-if)#standby 5 ip 192.168.5.1
Core-2(config-if)#standby 5 priority 105
Core-2(config-if)#standby 5 preempt
Core-2(config-if)#standby 5 track fa0/1   ---> if the uplink fails, the priority drops by 10 to 95
Core-2(config)#int vlan 127
Core-2(config-if)#standby 127 ip 192.168.127.1
5. Enable OSPF, the exit static route with default-route redistribution, and the stub areas. Both branch routers also need OSPF enabled on their links with the matching area 1 stub / area 2 stub setting, otherwise their adjacency with R will not form.
R(config)#int g0/0
R(config-if)#ip address 192.168.128.2 255.255.255.252
R(config-if)#no shutdown
R(config)#int g0/1
R(config-if)#ip address 192.168.128.6 255.255.255.252
R(config-if)#no shutdown
R(config-if)#int s0/3/0
R(config-if)#ip address 192.168.128.10 255.255.255.252
R(config-if)#encapsulation ppp
R(config-if)#ppp authentication pap
R(config-if)#clock rate 128000
R(config-if)#no shutdown
R(config)#username huawei password huawei
R(config-if)#int s0/3/1
R(config-if)#ip address 192.168.128.13 255.255.255.252
R(config-if)#encapsulation ppp
R(config-if)#ppp authentication pap
R(config-if)#clock rate 128000
R(config-if)#no shutdown
R(config-if)#int s0/1/0
R(config-if)#ip address 192.168.128.17 255.255.255.252
R(config-if)#encapsulation ppp
R(config-if)#ppp authentication pap
R(config-if)#clock rate 128000
R(config-if)#no shutdown
R(config-if)#int loop 0
R(config-if)#ip address 3.3.3.3 255.255.255.255
GZ(config)#int s0/3/0
GZ(config-if)#ip address 192.168.128.9 255.255.255.252
GZ(config-if)#encapsulation ppp   ---> both ends of the link must run PPP, otherwise the line protocol stays down
GZ(config-if)#ppp pap sent-username huawei password huawei
GZ(config-if)#no shutdown
GZ(config-if)#int g0/0
GZ(config-if)#ip address 192.168.129.1 255.255.255.0
GZ(config-if)#no shutdown

SH(config)#int s0/3/0
SH(config-if)#ip address 192.168.128.14 255.255.255.252
SH(config-if)#encapsulation ppp
SH(config-if)#ppp pap sent-username huawei password huawei
SH(config-if)#no shutdown
SH(config-if)#int g0/0
SH(config-if)#ip address 192.168.130.1 255.255.255.0
SH(config-if)#no shutdown

R(config)#router ospf 1
R(config-router)#router-id 3.3.3.3
R(config-router)#network 3.3.3.3 0.0.0.0 area 0
R(config-router)#network 192.168.128.2 0.0.0.0 area 0
R(config-router)#network 192.168.128.6 0.0.0.0 area 0
R(config-router)#network 192.168.128.10 0.0.0.0 area 1
R(config-router)#network 192.168.128.13 0.0.0.0 area 2
R(config-router)#area 1 stub no-summary
R(config-router)#area 2 stub no-summary
R(config)#ip route 0.0.0.0 0.0.0.0 192.168.128.18
R(config)#router ospf 1
R(config-router)#default-information originate   ---> advertises the static default route into OSPF

Core-1(config-router)#router-id 1.1.1.1
Core-1(config-router)#network 1.1.1.1 0.0.0.0 area 0
Core-1(config-router)#network 192.168.128.1 0.0.0.0 area 0
Core-1(config-router)#network 192.168.0.0 0.0.255.255 area 0
Core-2(config-router)#router-id 2.2.2.2
Core-2(config-router)#network 2.2.2.2 0.0.0.0 area 0
Core-2(config-router)#network 192.168.128.5 0.0.0.0 area 0
Core-2(config-router)#network 192.168.0.0 0.0.255.255 area 0
6. NAT for internal hosts reaching the Internet, and external access to the internal WWW server
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat inside source list 1 interface Serial0/1/0 overload   --> PAT for internal hosts reaching the Internet
ip nat inside source static tcp 192.168.127.127 80 192.168.128.17 80   --> external access to the internal WWW server
interface g0/0
 ip nat inside
interface g0/1
 ip nat inside
interface s0/1/0
 ip nat outside   --> the inside/outside roles must be set on the interfaces or no translation takes place
7. Set up an SSH server on R and deny logins from outside
R(config)#ip domain-name cisco.com   ---> a domain name (any value) must be set before RSA keys can be generated
R(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R(config)#username root privilege 15 password huawei
R(config)#line vty 0 4
R(config-line)#transport input ssh
R(config-line)#login local

R(config)#access-list 122 deny tcp any any eq 22   ---> this also drops SSH that merely transits R towards inside hosts; an access-class on the vty lines would restrict only logins to R itself
R(config)#access-list 122 permit ip any any
R(config)#int s0/3/0
R(config-if)#ip access-group 122 in
R(config)#int s0/3/1
R(config-if)#ip access-group 122 in
R(config)#int s0/1/0
R(config-if)#ip access-group 122 in
8. Deny access to the HQ internal network (except the server's WWW service) and to the other branch office's internal network
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.2.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.3.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.4.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.5.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.130.0 0.0.0.255
GZ(config)#access-list 129 permit ip any any
GZ(config)#int s0/3/0
GZ(config-if)#ip access-group 129 out
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.2.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.4.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.5.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.129.0 0.0.0.255   ---> SH's own subnet is 192.168.130.0/24 and the other branch (GZ) is 192.168.129.0/24; a straight copy of the GZ list would never match SH's traffic
SH(config)#access-list 130 permit ip any any
SH(config)#int s0/3/0
SH(config-if)#ip access-group 130 out
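To check that the access lists from sections 7 and 8 really enforce the stated security policy before they are pushed to a router, here is a small offline ACL evaluator. It is an added example, not part of the original lab write-up, and the ACL text embedded in it is constructed for the example: a copy of the GZ branch ACL, a copy of R's SSH filter, and a hardened variant of the branch ACL that limits the server VLAN to TCP/80 (which the original ACL does not do). The client address 192.168.129.10 and the Internet address 203.0.113.5 are constructed test values; only the ACL syntax actually used in the post is parsed.

```python
"""Offline ACL intent check (added example, not from the original write-up).
Parses numbered IOS-style extended ACL lines in the syntax the post uses and
evaluates constructed flows against them. Assumptions: permit/deny, protocols
ip/tcp, address forms 'any', 'host A', 'A wildcard', an optional 'eq port' on
the destination, and contiguous wildcard masks only."""
import ipaddress

def _wildcard_to_network(addr, wildcard):
    """Convert 'A.B.C.D wildcard' into an ip_network; wildcard must be contiguous."""
    bits = int(ipaddress.ip_address(wildcard))
    ones = bin(bits).count("1")
    if bits != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def _parse_address(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_address(t, 4)
        dst, i = _parse_address(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

# Constructed copy of the branch ACL applied outbound on GZ's serial link:
# five deny lines for the HQ user VLANs and the other branch, then permit any.
ACL_GZ = """
access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 129 permit ip any any
"""

# Hardened variant (constructed here, not on the page): allow only TCP/80 to
# the web server, then deny the rest of the server VLAN ahead of the original lines.
ACL_GZ_STRICT = """
access-list 129 permit tcp 192.168.129.0 0.0.0.255 host 192.168.127.127 eq 80
access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.127.0 0.0.0.255
""" + ACL_GZ

# Constructed copy of the SSH filter applied inbound on R's WAN interfaces.
ACL_R = """
access-list 122 deny tcp any any eq 22
access-list 122 permit ip any any
"""

def check_policy():
    """Evaluate constructed flows from a GZ client; returns {flow: 'permit'|'deny'}."""
    gz, strict, r = parse_acl(ACL_GZ), parse_acl(ACL_GZ_STRICT), parse_acl(ACL_R)
    host = "192.168.129.10"  # constructed GZ client address
    return {
        "gz_to_hq_www": evaluate(gz, "tcp", host, "192.168.127.127", 80),
        "gz_to_hq_vlan2": evaluate(gz, "tcp", host, "192.168.2.10", 80),
        "gz_to_sh_lan": evaluate(gz, "tcp", host, "192.168.130.10", 80),
        "gz_to_internet": evaluate(gz, "tcp", host, "203.0.113.5", 443),
        # gap: the original ACL never mentions VLAN 127, so every server port is reachable
        "gz_to_hq_server_smb": evaluate(gz, "tcp", host, "192.168.127.127", 445),
        "strict_gz_to_hq_server_smb": evaluate(strict, "tcp", host, "192.168.127.127", 445),
        "strict_gz_to_hq_www": evaluate(strict, "tcp", host, "192.168.127.127", 80),
        "gz_ssh_to_r": evaluate(r, "tcp", host, "192.168.128.10", 22),
        # side effect: 'deny tcp any any eq 22' also drops SSH transiting R to inside hosts
        "gz_ssh_via_r_to_server": evaluate(r, "tcp", host, "192.168.127.127", 22),
    }

if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{flow:28} {verdict}")
```

Running it shows two things the transcripts alone do not: the branch ACL never names VLAN 127, so every port on the server is reachable from GZ rather than only the WWW service (the hardened variant closes that), and the deny tcp any any eq 22 filter on R blocks SSH passing through R to inside hosts as well as SSH to R itself.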