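Lab topology:
R3 is the gateway; R4 is the egress router and also the DHCP router; R5 is a router on the external network.
Lab requirements:
1. The three PCs belong to three VLANs.
2. R1 and R2 are connected by link aggregation.
3. The gateways terminate on R3, which provides inter-VLAN routing.
4. C1, C2 and C3 obtain their IP addresses from the DHCP server.
5. Only the external router R5 is allowed to remotely manage R3, R1 and R2.
Lab steps:
1. Configure R1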
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip routing
R1(config)#vlan 10,20,30   ! create VLAN 10, VLAN 20 and VLAN 30
R1(config-vlan)#ex
R1(config)#int f1/1
R1(config-if)#switchport access vlan 10   ! assign f1/1 to VLAN 10
R1(config-if)#int f1/2
R1(config-if)#switchport access vlan 20   ! assign f1/2 to VLAN 20
R1(config-if)#int range f1/14 -15
R1(config-if-range)#channel-group 1 mode on   ! create the link aggregation group
Creating a port-channel interface Port-channel1
*Mar 1 00:05:31.643: %EC-5-BUNDLE: Interface Fa1/14 joined port-channel Po1
*Mar 1 00:05:31.715: %EC-5-BUNDLE: Interface Fa1/15 joined port-channel Po1
R1(config-if-range)#ex
*Mar 1 00:05:34.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
R1(config)#int port-channel 1
R1(config-if)#switchport mode trunk   ! change to a trunk port
R1(config-if)#ex
R1(config)#
*Mar 1 00:05:43.063: %EC-5-UNBUNDLE: Interface Fa1/14 left the port-channel Po1
*Mar 1 00:05:43.095: %EC-5-UNBUNDLE: Interface Fa1/15 left the port-channel Po1
*Mar 1 00:05:43.107: %EC-5-BUNDLE: Interface Fa1/15 joined port-channel Po1
*Mar 1 00:05:43.155: %EC-5-BUNDLE: Interface Fa1/14 joined port-channel Po1
*Mar 1 00:05:43.587: %DTP-5-TRUNKPORTON: Port Fa1/14-15 has become dot1q trunk
*Mar 1 00:05:45.091: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
R1(config)#int f1/3
R1(config-if)#switchport mode trunk   ! the uplink port is also set to trunk
*Mar 1 00:05:59.855: %DTP-5-TRUNKPORTON: Port Fa1/3 has become dot1q trunk
2. Configure R2
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip routing
R2(config)#vlan 10,20,30
R2(config-vlan)#ex
R2(config)#int f1/3
R2(config-if)#switchport access vlan 30
R2(config)#int range f1/14 -15
R2(config-if-range)#channel-group 1 mode on   ! same configuration as on R1
Creating a port-channel interface Port-channel1
*Mar 1 00:07:29.195: %EC-5-BUNDLE: Interface Fa1/14 joined port-channel Po1
*Mar 1 00:07:29.263: %EC-5-BUNDLE: Interface Fa1/15 joined port-channel Po1
*Mar 1 00:07:29.463: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk Port-channel1 VLAN1.
*Mar 1 00:07:29.463: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking Port-channel1 on VLAN1. Inconsistent port type.PVST+: restarted the forward delay timer for Port-channel1
R2(config-if-range)#ex
*Mar 1 00:07:32.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
R2(config)#int port-channel 1
R2(config-if)#switchport mode trunk
R2(config-if)#ex
*Mar 1 00:07:39.463: %EC-5-UNBUNDLE: Interface Fa1/14 left the port-channel Po1
*Mar 1 00:07:39.503: %EC-5-UNBUNDLE: Interface Fa1/15 left the port-channel Po1
*Mar 1 00:07:39.523: %EC-5-BUNDLE: Interface Fa1/15 joined port-channel Po1
*Mar 1 00:07:39.563: %EC-5-BUNDLE: Interface Fa1/14 joined port-channel Po1
*Mar 1 00:07:39.991: %DTP-5-TRUNKPORTON: Port Fa1/14-15 has become dot1q trunk
*Mar 1 00:07:41.503: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
3. Configure R3
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip routing
R3(config)#int f1/1
R3(config-if)#no sh
R3(config-if)#switchport mode trunk
R3(config-if)#ex
*Mar 1 00:08:56.415: %DTP-5-TRUNKPORTON: Port Fa1/1 has become dot1q trunk
R3(config)#vlan 10,20,30
R3(config-vlan)#ex
R3(config)#int vlan 10
*Mar 1 00:09:12.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R3(config-if)#ip add 192.168.10.1 255.255.255.0   ! VLAN 10 gateway
R3(config-if)#no sh
R3(config-if)#ip helper-address 192.168.34.4   ! DHCP relay, targeting R4's interface address
R3(config-if)#int vlan 20
*Mar 1 00:09:59.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
R3(config-if)#ip add 192.168.20.1 255.255.255.0   ! VLAN 20 gateway
R3(config-if)#no sh
R3(config-if)#ip helper-address 192.168.34.4
R3(config-if)#int vlan 30
*Mar 1 00:10:13.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to up
R3(config-if)#ip add 192.168.30.1 255.255.255.0   ! VLAN 30 gateway
R3(config-if)#no sh
R3(config-if)#ip helper-address 192.168.34.4
R3(config-if)#
R3(config-if)#ex
Configure the uplink port f1/2
R3(config)#int f1/2
R3(config-if)#no switchport
*Mar 1 00:10:42.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/2, changed state to up
R3(config-if)#ip add 192.168.34.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ex
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.34.4   ! default route pointing to the egress router
4. Configure R4
R4(config)#int f0/1
R4(config-if)#ip add 192.168.34.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#ex
*Mar 1 00:11:44.315: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:11:45.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Create three DHCP address pools to assign IP addresses to the three VLANs
R4(config)#ip dhcp pool v10
R4(dhcp-config)#network 192.168.10.0 /24
R4(dhcp-config)#default-router 192.168.10.1
R4(dhcp-config)#ip dhcp pool v20
R4(dhcp-config)#network 192.168.20.0 /24
R4(dhcp-config)#default-router 192.168.20.1
R4(dhcp-config)#ip dhcp pool v30
R4(dhcp-config)#network 192.168.30.0 /24
R4(dhcp-config)#default-router 192.168.30.1
R4(dhcp-config)#ex
R4(config)#int f0/0
R4(config-if)#ip add 12.0.0.1 255.255.255.0
R4(config-if)#no sh
R4(config-if)#ex
R4(config)#ip route 192.168.10.0 255.255.255.0 192.168.34.3
R4(config)#ip route 192.168.20.0 255.255.255.0 192.168.34.3
R4(config)#ip route 192.168.30.0 255.255.255.0 192.168.34.3
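You can now verify whether the PCs have been assigned addresses.
The IP addresses have been obtained.
Configure NAT so that hosts reach the external network through R4's outside interface
R4(config)#int f0/1
R4(config-if)#ip nat inside   ! set the inside interface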
*Mar 1 01:30:41.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R4(config-if)#int f0/0
R4(config-if)#ip nat outside   ! set the outside interface
R4(config-if)#ex
R4(config)#access-list 10 permit 192.168.10.0 0.0.0.255   ! access lists
R4(config)#access-list 11 permit 192.168.20.0 0.0.0.255
R4(config)#access-list 12 permit 192.168.30.0 0.0.0.255
R4(config)#ip nat inside source list 10 int f0/0 overload   ! apply the lists; translate to the outside interface f0/0
R4(config)#ip nat inside source list 11 int f0/0 overload
R4(config)#ip nat inside source list 12 int f0/0 overload
5. Configure R5
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int f0/0
R5(config-if)#ip add 12.0.0.2 255.255.255.0
R5(config-if)#no sh
R5(config-if)#ex
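Test whether the PCs can reach the external router.
The ping succeeds.
Next, manage R3, R2 and R1 from R5. One option is to use port mapping on R4's outside interface, but in a production network this approach is not very suitable, because multiple port numbers have to be remembered.
So a "jump host" approach can be used instead: first log in remotely to R4, then use R4 as the jump host to log in remotely to R3, and then to R1 and R2.
First, configure a management IP address on VLAN 1 of R1 and R2 for easy access.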
R1(config)#int vlan 1
R1(config-if)#ip add 192.168.1.10 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#ip default-gateway 192.168.1.1
R1(config)#line vty 0 4
R1(config-line)#password abc
R1(config-line)#login
R2(config)#int vlan 1
R2(config-if)#ip add 192.168.1.20 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ex
R2(config)#ip default-gateway 192.168.1.1
R2(config)#line vty 0 4
R2(config-line)#password abc
R2(config-line)#login
R3(config)#line vty 0 4
R3(config-line)#password abc
R3(config-line)#login
R3(config-line)#end
R3#conf t
*Mar 1 00:56:21.135: %SYS-5-CONFIG_I: Configured from console by console
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#vlan 1
R3(config-vlan)#int vlan 1
R3(config-if)#ip add 192.168.1.1 255.255.255.0
R3(config-if)#no sh
Note: for security, apply an ACL (access control list) to remote login on R4 so that only R5 is allowed access.
R4(config)#access-list 1 permit host 12.0.0.2
R4(config)#line vty 0 4
R4(config-line)#access-class 1 in
R4(config-line)#password abc
R4(config-line)#login
R4(config-line)#ex
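The ACL above filters only R4's VTY lines; R3, R1 and R2 still accept Telnet from any host that can route to them, including the PCs in VLANs 10, 20 and 30. The following configuration is an added example, not part of the original lab: it applies the same access-class technique at each hop of the jump chain and logs rejected attempts. ACL number 2 and the 5-minute idle timeout are assumptions chosen for illustration.

```cisco
! Added example: extend the page's access-class technique to every hop.
! ACL number 2 is an arbitrary choice (assumption); any unused 1-99 works.
!
! R4: log rejected login attempts (appended to the page's ACL 1)
access-list 1 deny any log
!
! R3: only R4's inside address may open a VTY session
access-list 2 permit host 192.168.34.4
access-list 2 deny any log
line vty 0 4
 access-class 2 in
 exec-timeout 5 0
!
! R1 and R2: only R3's VLAN 1 SVI may open a VTY session
access-list 2 permit host 192.168.1.1
access-list 2 deny any log
line vty 0 4
 access-class 2 in
 exec-timeout 5 0
!
! Verify on each device: match counters show permitted and denied attempts
! show access-lists 2
```

Telnet still sends the VTY password in cleartext across every hop; on an image with crypto support, SSH with `transport input ssh` on the VTY lines closes that gap.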
Now test.
First log in to R4.
Then continue on to R3.
Now R1 and R2 can be logged in to.
All logins succeeded; the lab objective has been achieved.