中小型企業內網模擬

一．需求：
1.不同的PC屬於不同的 VLAN ，如圖所示；

2.不同的 VLAN 的IP地址爲： 192.168.XX.0/24 , XX 是 vlan 號；

3.不同的 VLAN 主機獲得IP地址的方式爲 DHCP (除特殊需求以外)每個 VLAN 的主機的網關IP地址，均爲： 192.168.XX.254/24;

4.vlan88 爲 web-server 所在的服務器；網關在 SW5 上；vlan66 爲 dhcp-server所在的服務器；網關在 SW6 上；

5.其他 VLAN 的每個主機所用的網關都使用了高可用性技術，增強了網關冗餘性和穩定性。

6.交換機之間也使用了防環技術，並且能夠針對每個 VLAN 實現流量負載均衡的功能。同時，要求每個 VLAN 的主機，去往主機的網關時，所使用的轉發路徑是最優的。

7.在公司內部運行 OSPF ，確保不同 VLAN 之間是互通的。不同的 VLAN 屬於不同的區域。同時保護 web 和 dhcp 服務器所在的區域不受到外部鏈路以及其他區域的不穩定的鏈路的影響。

8.公司的出口路由器爲 R1 和 R2 ，但是永遠將 R1 作爲主出口，出現故障後，出網流量纔會自動的切換到 R2 。修復以後，會再次從 R1 轉發。

9.內網大量主機都存在訪問 Internet的需求，要求使用最節省IP地址的方式實現內網主機上網，但是 vlan 40 屬於機密部分，不能訪問外網。

10.外網的用戶(client-1)，可以訪問內部的 web 服務器。

11.外網的用戶(SW9)，可以遠程控制內網的所有網絡設備(不包括R1/R2)，遠程訪問密碼均設置爲 HCIE 。(內網中每個設備的管理IP地址，屬於管理 VLAN 199)

12.內網的用戶中，只能由 vlan 20 中的 PC-2 遠程登錄管理內網所有設備其他用戶均不可以。

二．拓撲圖

(一)．二層交換機

lsw1
UNDO T M
SYS
SYS S1
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int e0/0/1
port link-type access
port default vlan 10
q
int e0/0/2
port link-type access
port default vlan 20
q
int e0/0/15
port link-type trunk
port trunk allow-pass vlan all
q
int e0/0/16
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
配置遠程登錄
int vlanif 199
ip addr 192.168.199.1 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q
交換機默認
ip route-static 0.0.0.0 0.0.0.0 192.168.199.7
ip route-static 0.0.0.0 0.0.0.0 192.168.199.8 preference 80

lsw2
UNDO T M
SYS
SYS S2
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int e0/0/3
port link-type access
port default vlan 10
q
int e0/0/4
port link-type access
port default vlan 30
q
int e0/0/5
port link-type trunk
port trunk allow-pass vlan all
q
int e0/0/6
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
配置遠程登錄
int vlanif 199
ip addr 192.168.199.2 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

交換機默認
ip route-static 0.0.0.0 0.0.0.0 192.168.199.7
ip route-static 0.0.0.0 0.0.0.0 192.168.199.8 preference 80

lsw3
UNDO T M
SYS
SYS S3
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int e0/0/5
port link-type access
port default vlan 20
q
int e0/0/6
port link-type access
port default vlan 40
q
int e0/0/13
port link-type trunk
port trunk allow-pass vlan all
q
int e0/0/14
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
配置遠程登錄
int vlanif 199
ip addr 192.168.199.3 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

交換機默認
ip route-static 0.0.0.0 0.0.0.0 192.168.199.7 preference 80
ip route-static 0.0.0.0 0.0.0.0 192.168.199.8

lsw4
UNDO T M
SYS
SYS S4
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int e0/0/7
port link-type access
port default vlan 40
q
int e0/0/8
port link-type access
port default vlan 30
q
int e0/0/17
port link-type trunk
port trunk allow-pass vlan all
q
int e0/0/18
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
配置遠程登錄
int vlanif 199
ip addr 192.168.199.4 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

交換機默認
ip route-static 0.0.0.0 0.0.0.0 192.168.199.8
ip route-static 0.0.0.0 0.0.0.0 192.168.199.7 preference 80

lsw5
UNDO T M
SYS
SYS sw5
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int vlanif 88
ip addr 192.168.88.254 24
undo sh
q
int vlanif 10
ip addr 192.168.10.5 24
undo sh
q
int vlanif 20
ip addr 192.168.20.5 24
undo sh
q
int vlanif 30
ip addr 192.168.30.5 24
undo sh
q
int vlanif 40
ip addr 192.168.40.5 24
undo sh
q
int vlanif 66
ip addr 192.168.66.5 24
undo sh
q
int g0/0/8
port link-type access
port default vlan 88
q
port-group 1
group- g0/0/1 g0/0/2 g0/0/24 g0/0/17 g0/0/5 g0/0/13 g0/0/15
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
stp instance 1 priority 8192
stp instance 3 priority 12288
配置遠程登錄
int vlanif 199
ip addr 192.168.199.5 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

lsw6
UNDO T M
SYS
SYS sw6
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int vlanif 66
ip addr 192.168.66.254 24
undo sh
q
int vlanif 10
ip addr 192.168.10.6 24
undo sh
q
int vlanif 20
ip addr 192.168.20.6 24
undo sh
q
int vlanif 30
ip addr 192.168.30.6 24
undo sh
q
int vlanif 40
ip addr 192.168.40.6 24
undo sh
q
int g0/0/8
port link-type access
port default vlan 66
q
port-group 1
group- g0/0/3 g0/0/4 g0/0/24 g0/0/16 g0/0/6 g0/0/14 g0/0/18
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
stp instance 1 priority 12288
stp instance 3 priority 8192
配置遠程登錄
int vlanif 199
ip addr 192.168.199.6 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

lsw7
UNDO T M
SYS
SYS sw7
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int vlanif 66
ip addr 192.168.66.7 24
undo sh
q
int vlanif 10
ip addr 192.168.10.7 24
undo sh
q
int vlanif 20
ip addr 192.168.20.7 24
undo sh
q
int vlanif 30
ip addr 192.168.30.7 24
undo sh
q
int vlanif 40
ip addr 192.168.40.7 24
undo sh
q
port-group 1
group- g0/0/1 g0/0/3 g0/0/24
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
stp instance 1 priority 0
stp instance 3 priority 4096
配置遠程登錄
int vlanif 199
ip addr 192.168.199.7 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

虛擬網關
int vlanif 10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 200

q
int vlanif 20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 200
q
int vlanif 30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 150
q
int vlanif 40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 150
q

lsw8
UNDO T M
SYS
SYS sw8
vlan batch 10 20 30 40 66 88
vlan batch 17 27 18 28 199
int vlanif 66
ip addr 192.168.66.8 24
undo sh
q
int vlanif 10
ip addr 192.168.10.8 24
undo sh
q
int vlanif 20
ip addr 192.168.20.8 24
undo sh
q
int vlanif 30
ip addr 192.168.30.8 24
undo sh
q
int vlanif 40
ip addr 192.168.40.8 24
undo sh
q
port-group 1
group- g0/0/2 g0/0/24 g0/0/4
port link-type trunk
port trunk allow-pass vlan all
q
生成樹
stp mode mstp
stp region-configuration
region-name vlan
instance 1 vlan 10 20
instance 3 vlan 30 40
active region-configuration
q
stp instance 1 priority 4096
stp instance 3 priority 0
配置遠程登錄
int vlanif 199
ip addr 192.168.199.8 24
q
user-interface vty 0 4
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher HCIE
local-user jing service-type telnet
q

虛擬網關
int vlanif 10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
q
int vlanif 20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 150
q
int vlanif 30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 200
q
int vlanif 40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 200
q

(二)．dhcp配置
dhcp
UNDO T M
SYS
SYS dhcp
int g0/0/0
ip address 192.168.66.6 24
undo shutdown
q
動態地址分配地址池配置
dhcp enable
ip pool 1
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
dns-list 8.8.8.8
lease day 3
excluded-ip-address 192.168.10.1 192.168.10.100
ip pool 2
network 192.168.20.0 mask 24
gateway-list 192.168.20.254
dns-list 8.8.8.8
excluded-ip-address 192.168.20.1 192.168.20.100
lease day 3
ip pool 3
network 192.168.30.0 mask 24
gateway-list 192.168.30.254
dns-list 8.8.8.8
lease day 3
excluded-ip-address 192.168.30.1 192.168.30.100
ip pool 4
network 192.168.40.0 mask 24
gateway-list 192.168.40.254
dns-list 8.8.8.8
lease day 3
excluded-ip-address 192.168.40.1 192.168.40.100
q
動態地址分配啓用配置
int g0/0/0
dhcp select global
q
ip route-static 0.0.0.0 0.0.0.0 192.168.66.254

sw7動態地址分配配置
dhcp enable
interface Vlanif10
dhcp select relay
dhcp relay server-ip 192.168.66.6
q
interface Vlanif20
dhcp select relay
dhcp relay server-ip 192.168.66.6
q
interface Vlanif30
dhcp select relay
dhcp relay server-ip 192.168.66.6
q
interface Vlanif40
dhcp select relay
dhcp relay server-ip 192.168.66.6
q

sw8動態地址分配配置
dhcp enable
interface Vlanif10
dhcp select relay
dhcp relay server-ip 192.168.66.6
q
interface Vlanif20
dhcp select relay
dhcp relay server-ip 192.168.66.6
q
interface Vlanif30
dhcp select relay
dhcp relay server-ip 192.168.66.6
q
interface Vlanif40
dhcp select relay
dhcp relay server-ip 192.168.66.6
q

(三)．動態路由
Dhcp
ospf 1 router-id 10.10.10.10
area 66
network 192.168.66.0 0.0.0.255
stub
q
q

lsw5
ospf 1 router-id 5.5.5.5
area 88
network 192.168.88.0 0.0.0.255
stub
q
area 0
network 192.168.199.0 0.0.0.255
q
q

lsw 6
ospf 1 router-id 6.6.6.6
area 66
network 192.168.66.0 0.0.0.255
stub
q
area 0
network 192.168.199.0 0.0.0.255
q
q
lsw 7
int g0/0/2
port link-type access
port default vlan 17
q
int g0/0/4
port link-type access
port default vlan 27
q
int vlanif 17
ip addr 192.168.17.7 24
q
int vlanif 27
ip addr 192.168.27.7 24
q
ospf 1 router-id 7.7.7.7
area 1278
network 192.168.17.0 0.0.0.255
network 192.168.27.0 0.0.0.255
q
area 0
network 192.168.199.0 0.0.0.255
q
area 10
network 192.168.10.0 0.0.0.255
q
area 20
network 192.168.20.0 0.0.0.255
q
area 30
network 192.168.30.0 0.0.0.255
q
area 40
network 192.168.40.0 0.0.0.255
q
q
lsw 8
int g0/0/5
port link-type access
port default vlan 28
q
int g0/0/3
port link-type access
port default vlan 18
q
int vlanif 18
ip addr 192.168.18.8 24
q
int vlanif 28
ip addr 192.168.28.8 24
q
ospf 1 router-id 8.8.8.8
area 1278
network 192.168.18.0 0.0.0.255
network 192.168.28.0 0.0.0.255
q
area 0
network 192.168.199.0 0.0.0.255
q
area 10
network 192.168.10.0 0.0.0.255
q
area 20
network 192.168.20.0 0.0.0.255
q
area 30
network 192.168.30.0 0.0.0.255
q
area 40
network 192.168.40.0 0.0.0.255
q
q

內網出口路由器r1
undo t m
sys
sys r1
int g0/0/0
ip addr 192.168.17.1 24
undo sh
q
int g0/0/1
ip addr 192.168.18.1 24
undo sh
q
int g0/0/2
ip addr 100.100.100.1 24
undo sh
q
ip route-static 0.0.0.0 0.0.0.0 100.100.100.254
ospf 1 router-id 11.11.11.1
default-route-advertise
default type 1
area 1278
network 192.168.17.0 0.0.0.255
network 192.168.18.0 0.0.0.255
q
q

內網出口路由器r2
undo t m
sys
sys r2
int g0/0/0
ip addr 192.168.27.2 24
undo sh
q
int g0/0/1
ip addr 192.168.28.2 24
undo sh
q
int g0/0/2
ip addr 100.100.200.2 24
undo sh
q
ip route-static 0.0.0.0 0.0.0.0 100.100.200.254
ospf 1 router-id 11.11.11.1
default-route-advertise
area 1278
network 192.168.27.0 0.0.0.255
network 192.168.28.0 0.0.0.255
q
q

(四)．外部路由器
isp
undo t m
sys
sys isp
int g0/0/0
ip addr 100.100.100.254 24
undo sh
q
int g0/0/1
ip addr 100.100.200.254 24
undo sh
q
int g0/0/2
ip addr 100.100.1.254 24
q

外部交換機
undo t m
sys
sys sw9
vlan 199
q
interface vlanif199
ip address 100.100.1.199 24
q
ip route-static 100.100.100.2 24 100.100.1.254

?
port-group 1
group-member g0/0/1 g0/0/2 g0/0/3
port link-type access
port default vlan 199

(五)．上網控制
r1
acl 2000
rule 10 deny source 192.168.40.0 0.0.0.255
rule 20 permit source any
int g0/0/2
nat outbound 2000
nat server protocol tcp global 100.100.100.2 12345 inside 192.168.88.8 80
nat server protocol tcp global 100.100.100.2 10001 inside 192.168.199.1 23
nat server protocol tcp global 100.100.100.2 10002 inside 192.168.199.2 23
nat server protocol tcp global 100.100.100.2 10003 inside 192.168.199.3 23
nat server protocol tcp global 100.100.100.2 10004 inside 192.168.199.4 23
nat server protocol tcp global 100.100.100.2 10005 inside 192.168.199.5 23
nat server protocol tcp global 100.100.100.2 10006 inside 192.168.199.6 23
nat server protocol tcp global 100.100.100.2 10007 inside 192.168.199.7 23
nat server protocol tcp global 100.100.100.2 10008 inside 192.168.199.8 23
靜態路由 r1
ip route-static 192.168.88.0 24 192.168.17.7 preference 5
ip route-static 192.168.88.0 24 192.168.18.8 preference 8
ip route-static 192.168.199.0 24 192.168.17.7 preference 5
ip route-static 192.168.199.0 24 192.168.18.8 preference 8

r2
acl 2000
rule 10 deny source 192.168.40.0 0.0.0.255
rule 20 permit source any
int g0/0/2
nat outbound 2000
nat server protocol tcp global 100.100.200.1 12345 inside 192.168.88.8 80
nat server protocol tcp global 100.100.200.1 10001 inside 192.168.199.1 23
nat server protocol tcp global 100.100.200.1 10002 inside 192.168.199.2 23
nat server protocol tcp global 100.100.200.1 10003 inside 192.168.199.3 23
nat server protocol tcp global 100.100.200.1 10004 inside 192.168.199.4 23
nat server protocol tcp global 100.100.200.1 10005 inside 192.168.199.5 23
nat server protocol tcp global 100.100.200.1 10006 inside 192.168.199.6 23
nat server protocol tcp global 100.100.200.1 10007 inside 192.168.199.7 23
nat server protocol tcp global 100.100.200.1 10008 inside 192.168.199.8 23
靜態路由 r2
ip route-static 192.168.88.0 24 192.168.27.7 preference 5
ip route-static 192.168.88.0 24 192.168.28.8 preference 8
ip route-static 192.168.199.0 24 192.168.27.7 preference 5
ip route-static 192.168.199.0 24 192.168.28.8 preference 8

(六)．內網登錄限制
Lsw1
Acl 3000
rule 10 deny tcp source-port eq 23
interface e0/0/1
traffic-filter inbound acl 3000
Lsw2
Acl 3000
rule 10 deny tcp source-port eq 23
interface e0/0/3
traffic-filter inbound acl 3000
interface e0/0/4
traffic-filter inbound acl 3000

Lsw3
Acl 3000
rule 10 deny tcp source-port eq 23
interface e0/0/5
traffic-filter inbound acl 3000
interface e0/0/6
traffic-filter inbound acl 3000

Lsw4
Acl 3000
rule 10 deny tcp source-port eq 23
interface e0/0/7
traffic-filter inbound acl 3000
interface e0/0/8
traffic-filter inbound acl 3000

四．測試
1．內向外
PC1屬於vlan10可以自動獲得IP，並ping通外網
PC2屬於vlan20可以自動獲得IP，並ping通外網
PC3屬於vlan10可以自動獲得IP，並ping通外網
PC4屬於vlan30可以自動獲得IP，並ping通外網

PC5屬於vlan20可以自動獲得IP，並ping通外網
PC6屬於vlan40可以自動獲得IP， ping不通外網
PC7屬於vlan40可以自動獲得IP， ping不通外網
PC8屬於vlan30可以自動獲得IP，並ping通外網

2．外向內
Client1可以訪問內網server的www服務

sw9 Telnet遠程登錄sw1

sw9 Telnet遠程登錄sw2

sw9 Telnet遠程登錄sw3

sw9 Telnet遠程登錄sw4

sw9 Telnet遠程登錄sw5

sw9 Telnet遠程登錄sw6

sw9 Telnet遠程登錄sw7

sw9 Telnet遠程登錄sw8

重點：
dhcp中繼要在vrrp的master上
vrrp的master要在mstp的root根上
dhcp的前提條件是全網聯通
每個交換機的VLAN配置和mstp配置要一樣(mstp的優先級不同)
acl和nat以及traffic-filter 配合使用。
未解決問題：
在R1處ospf無法自動選擇路由使得外網訪問內網。零時解決方法設置靜態路由並且優先級小於ospf的優先級10