实验要求:
①用户的网关配置在核心交换机
②企业内网划分多个vlan ,减少广播域大小,提高网络稳定性
③在连接移动外网出口配置NAT
④所有用户均为自动获取ip地址
⑤企业总部和分支采用VPN互联,使企业总部和分支员工可以互相访问,并且分支可以访问企业总部服务器
⑥在企业出口将内网服务器的80端口映射出去,允许外网用户访问
7企业分支所有设备,在企业总部都可以用telnet远程管理
配置步骤:
步骤一、各设备的基础ip配置
总部出口R1:
[R1]int gi 0/0/0
[R1-GigabitEthernet0/0/0]ip add 172.16.254.2 24
[R1]int gi 0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.1.1.1 29
[R1]int gi 0/0/2
[R1-GigabitEthernet0/0/2]ip add 13.1.1.1 29
移动运营商R2:
[R2]int gi 0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.1.1.6 29
[R2-GigabitEthernet0/0/0]q
[R2]int loop 0
[R2-LoopBack0]ip add 9.9.9.9 24
[R2]int gi0/0/1
[R2-GigabitEthernet0/0/1]ip add 7.7.7.1 24
联通运营商R3:
[R3]int gi 0/0/0
[R3-GigabitEthernet0/0/0]ip add 13.1.1.1 29
[R3]int gi 0/0/1
[R3-GigabitEthernet0/0/1]ip add 34.1.1.2 29
分支出口R4:
[R4]int gi 0/0/0
[R4-GigabitEthernet0/0/0]ip add 34.1.1.1 29
[R4]int gi 0/0/1
[R4-GigabitEthernet0/0/1]ip add 192.168.254.2 24
步骤二、总部和分支交换机vlan和trunk配置
总部接入交换机sw3:
[sw3]vlan batch 10 20 99
[sw3]int e0/0/2
[sw3-Ethernet0/0/2]port link-type access
[sw3-Ethernet0/0/2]port default vlan 10
[sw3]int e0/0/3
[sw3-Ethernet0/0/3]port link-type access
[sw3-Ethernet0/0/3]port default vlan 20
[sw3]int gi 0/0/1
[sw3-GigabitEthernet0/0/1]port link-type trunk
[sw3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 99
总部接入交换机sw4:
[sw4]vlan batch 200 99
[sw4-vlan200]int gi 0/0/2
[sw4-GigabitEthernet0/0/2]port link-type access
[sw4-GigabitEthernet0/0/2]port default vlan 200
[sw4]int gi 0/0/1
[sw4-GigabitEthernet0/0/1]port link-type trunk
[sw4-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 99
总部核心交换机sw1:
[sw1]vlan batch 10 20 200 100 99
[sw1]int gi 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 99
[sw1]int gi 0/0/2
[sw1-GigabitEthernet0/0/2]port link-type trunk
[sw1-GigabitEthernet0/0/2]port trunk allow-pass vlan 200 99
[sw1]int vlanif 100
[sw1-Vlanif100]ip add 172.16.254.1 24
[sw1]int gi 0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 100
分支接入交换机sw5:
[sw5]vlan batch 30 99
[sw5]int e0/0/1
[sw5-Ethernet0/0/1]port link-type access
[sw5-Ethernet0/0/1]port default vlan 30
[sw5]int gi 0/0/1
[sw5-GigabitEthernet0/0/1]port link-type trunk
[sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 30 99
分支接入交换机sw6;
[sw6]vlan batch 40 50 99
[sw6]int e 0/0/1
[sw6-Ethernet0/0/1]port link-type access
[sw6-Ethernet0/0/1]port default vlan 40
[sw6]int gi 0/0/2
[sw6-GigabitEthernet0/0/2]port link-type access
[sw6-GigabitEthernet0/0/2]port default vlan 50
[sw6]int gi 0/0/1
[sw6-GigabitEthernet0/0/1]port link-type trunk
[sw6-GigabitEthernet0/0/1]port trunk allow-pass vlan 40 50 99
分支核心交换机sw2:
[sw2]vlan batch 30 40 50 100 99
[sw2]int gi 0/0/2
[sw2-GigabitEthernet0/0/2]port link-type trunk
[sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 30 99
[sw2]int gi 0/0/3
[sw2-GigabitEthernet0/0/3]port link-type trunk
[sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 40 50 99
[sw2]int gi 0/0/1
[sw2-GigabitEthernet0/0/1]port link-type access
[sw2-GigabitEthernet0/0/1]port default vlan 100
[sw2]int vlanif 100
[sw2-Vlanif100]ip add 192.168.254.1 24
步骤三、配置vlanif接口,使不同vlan间三层互通
总部核心交换机sw1:
[sw1]int vlanif 10
[sw1-Vlanif10]ip add 10.10.10.1 24
[sw1]int vlanif 20
[sw1-Vlanif20]ip add 10.10.20.1 24
[sw1]int vlanif 200
[sw1-Vlanif200]ip add 10.10.200.1 24
[sw1]int vlanif 99
[sw1-Vlanif99]ip add 10.10.255.1 24
分支核心交换机sw2:
[sw2]int vlanif 30
[sw2-Vlanif30]ip add 10.10.30.1 24
[sw2]int vlanif 40
[sw2-Vlanif40]ip add 10.10.40.1 24
[sw2]int vlanif 50
[sw2-Vlanif50]ip add 10.10.50.1 24
[sw2]int vlanif 99
[sw2-Vlanif99]ip add 10.10.254.2 24
总部接入sw3:
[sw3]int vlanif 99
[sw3-Vlanif99]ip add 10.10.255.3 24
总部接入sw4:
[sw4]int vlanif 99
[sw4-Vlanif99]ip add 10.10.255.4 24
分支接入sw5:
[sw5]int vlanif 99
[sw5-Vlanif99]ip add 10.10.254.5 24
分支接入sw6:
[sw6]int vlanif 99
[sw6-Vlanif99]ip add 10.10.254.6 24
步骤四、核心交换机上配置DHCP,使客户pc可以自动获取到ip地址
总部核心交换机sw1:
[sw1]ip pool 10
[sw1-ip-pool-10]gateway 10.10.10.1
[sw1-ip-pool-10]network 10.10.10.0 mask 24
[sw1-ip-pool-10]DNS-list 114.114.114.114 8.8.8.8
[sw1]ip pool 20
[sw1-ip-pool-20]gateway 10.10.20.1
[sw1-ip-pool-20]network 10.10.20.0 mask 24
[sw1-ip-pool-20]dns-list 114.114.114.114 8.8.8.8
[sw1]int vlanif 10
[sw1-Vlanif10]dhcp select gl
[sw1-Vlanif10]dhcp select global
[sw1]int vlanif 20
[sw1-Vlanif20]dhcp select glo
[sw1-Vlanif20]dhcp select global
查看:
分支核心交换机sw2:
[sw2]int vlanif 30
[sw2-Vlanif30]dhcp select global
[sw2]int vlanif 40
[sw2-Vlanif40]dhcp select global
[sw2]int vlanif 30
[sw2-Vlanif30]dhcp select global
[sw2]int vlanif 40
[sw2-Vlanif40]dhcp select global
[sw2]int vlanif 30
[sw2-Vlanif30]dhcp select global
[sw2]int vlanif 40
[sw2-Vlanif40]dhcp select global
查看:
步骤五、在连接移动外网出口路由器上配置NAT地址转换
总部出口路由器R1:
[R1]int gi 0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000//移动外网
[R1]int gi 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000//联通外网
[R1]int gi 0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000//移动外网
[R1]int gi 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000//联通外网
分支出口R4:
[R4]int gi 0/0/0
[R4-GigabitEthernet0/0/0]nat outbound 2000
[R4]int gi 0/0/0
[R4-GigabitEthernet0/0/0]nat outbound 2000
步骤六、出口和运营商路由
移动运营商R2:
[R2]ip route-static 0.0.0.0 0 12.1.1.1
总部出口路由器R1:
[R1]ip route-static 0.0.0.0 0 12.1.1.6//移动外网
[R1]ip route-static 0.0.0.0 0 13.1.1.2 //联通外网(vpn备份)
分支出口路由器R4:
[R4]ip route-static 0.0.0.0 0 34.1.1.2//联通外网
步骤七、企业内部运行ospf协议
总部核心交换机sw1:
[sw1]ospf 1 router-id 1.1.1.1
[sw1-ospf-1]area 0
[sw1-ospf-1-area-0.0.0.0]net 10.10.10.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net 10.10.20.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net 10.10.200.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net 172.16.254.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net 10.10.255.0 0.0.0.255//宣告telnet管理网段
总部出口路由器R1:
[R1]ospf 1 router-id 2.2.2.2
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 172.16.254.2 0.0.0.0
[R1-ospf-1-area-0.0.0.0]net10.10.14.0 0.0.0.255
[R1]ospf 1
[R1-ospf-1]default-route-advertise always//引入缺省路由
分部核心交换机sw2:
[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]net 192.168.254.2 0.0.0.0
[R4-ospf-1-area-0.0.0.0]net 10.10.14.0 0.0.0.255
分支出口路由器R4:
[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]net 192.168.254.2 0.0.0.0
[R4-ospf-1-area-0.0.0.0]net 10.10.14.0 0.0.0.255
步骤八、企业总部和分支之间采用vpn通信,这里我们用GRE VPN配置
① 总部出口和分支出口路由器,配置缺省路由,使得两边的公网地址可以ping通(这些配置以上都配好了,这里重新展示一下)
总部出口路由器R1:
[R1]ip route-static 10.10.0.0 16 10.10.14.4
分支出口路由器R4:
[R4]ip route-static 0.0.0.0 0 34.1.1.2//联通外网
查看是否ping通:
② 配置vpn
总部出口路由器R1:
[R1]ip route-static 10.10.0.0 16 10.10.14.4
分支出口路由器R4:
[R4]ip route-static 10.10.0.0 16 10.10.14.1
③ 配置vpn tunnel静态路由
总部出口路由器R1:
[R1]ip route-static 10.10.0.0 16 10.10.14.4
分支出口路由器R4:
[R4]ip route-static 10.10.0.0 16 10.10.14.1
④ 查看
⑤ 验证vpn是否连通,pc1 ping PC4
这里顺便抓一个GRE的报文,让大家看看报文长得什么样子?
步骤九:把企业总部内网web服务器的80端口映射出去,使外网可以访问公司的www服务器,我们在连接移动外网的出口路由器R1上配
①出口R1:
[sw2]telnet server enable
[sw2]aaa
[sw2-aaa]local-user huawei privilege level 3 password cipher huawei@123
[sw2-aaa]local-user huawei service-type telnet
[sw2]user-interface vty 0 4
[sw2-ui-vty0-4]authentication-mode aaa
[sw2-ui-vty0-4]protocol inbound telnet
查看:
②分支员工访问企业总部的服务器,可以直接用服务器的私有ip地址访问即可
查看:
步骤十、企业分支所有设备,在企业总部都可以用telnet远程管理
① 开启telnet命令
接入sw3:
[R1]telnet server enable
[R1]aaa
[R1-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R1-aaa]local-user huawei service-type telnet
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]protocol inbound telnet
接入sw4:
[R4]telnet server enable
接入sw5:
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
接入sw6:
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
总部核心sw1:
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
分支核心sw2:
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
企业总部出口R1:
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
分支出口R4:
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
[R4]aaa
[R4-aaa]local-user huawei privilege level 3 password cipher huawei@123
[R4-aaa]local-user huawei service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
② 总部和分支接入交换机配一条到核心交换机的回包路由
总部接入交换机:
[R4]telnet server enable
分支接入交换机:
[sw5]ip route-static 0.0.0.0 0 10.10.254.2
[sw6]ip route-static 0.0.0.0 0 10.10.254.2
查看:
京公网安备 11010802035086号