This was an assignment from my computer networks lab; it took me more than half a day to get it working, so I am writing it up here.

## Requirements

## Lab topology

This is the topology after the whole lab is complete:

## Lab steps

### Building the first building with VLANs

First build the topology as shown:
The PC IP settings are as follows (listed in the order PC1 to PC4):

| PC  | IP address  | Subnet mask   | Default gateway |
|-----|-------------|---------------|-----------------|
| PC1 | 192.168.1.1 | 255.255.255.0 | 192.168.1.254   |
| PC2 | 192.168.2.1 | 255.255.255.0 | 192.168.2.254   |
| PC3 | 192.168.1.2 | 255.255.255.0 | 192.168.1.254   |
| PC4 | 192.168.2.2 | 255.255.255.0 | 192.168.2.254   |
Take PC1 and PC2 as an example: because they are not on the same subnet, they cannot ping each other yet.

First divide the layer-3 switch S12 into VLAN 2 and VLAN 3. Use trunk links between the layer-3 switch and the layer-2 switches, allowing VLAN 2 and VLAN 3 through on each trunk port, and configure the default gateway of each VLAN: VLAN 2: 192.168.1.254, VLAN 3: 192.168.2.254.

```
[S12]vlan batch 2 3
[S12]int g0/0/1
[S12-GigabitEthernet0/0/1]port link-type trunk
[S12-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[S12]int g0/0/2
[S12-GigabitEthernet0/0/2]port link-type trunk
[S12-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3
[S12]interface Vlanif 2
[S12-Vlanif2]ip add 192.168.1.254 24
[S12-Vlanif2]q
[S12]interface Vlanif 3
[S12-Vlanif3]ip add 192.168.2.254 24
[S12-Vlanif3]q
```
Then create the VLANs on switches S1 and S2 and assign them to the different ports:

Switch S1:

```
[S1]vlan batch 2 3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]int g0/0/1
[S1-GigabitEthernet0/0/1]port link-type trunk
[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[S1-GigabitEthernet0/0/1]int e0/0/1
[S1-Ethernet0/0/1]port link-type access
[S1-Ethernet0/0/1]port default vlan 2
[S1-Ethernet0/0/1]int e0/0/2
[S1-Ethernet0/0/2]port link-type access
[S1-Ethernet0/0/2]port default vlan 3
[S1-Ethernet0/0/2]
```

Switch S2:

```
[S2]vlan batch 2 3
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]int g0/0/1
[S2-GigabitEthernet0/0/1]port link-type trunk
[S2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[S2-GigabitEthernet0/0/1]int e0/0/1
[S2-Ethernet0/0/1]port link-type access
[S2-Ethernet0/0/1]port default vlan 2
[S2-Ethernet0/0/1]int e0/0/2
[S2-Ethernet0/0/2]port link-type access
[S2-Ethernet0/0/2]port default vlan 3
[S2-Ethernet0/0/2]q
```

Once this is configured, PC1, PC2, PC3 and PC4 can all ping each other!
### Building the second building

With the groundwork above in place (what we configured above is in fact one complete building), we simply repeat the same process and build another building in eNSP:

The settings of PC5, PC6, PC7 and PC8 are as follows (listed in the order PC5 to PC8):

| PC  | IP address  | Subnet mask   | Default gateway |
|-----|-------------|---------------|-----------------|
| PC5 | 192.168.3.1 | 255.255.255.0 | 192.168.3.254   |
| PC6 | 192.168.4.1 | 255.255.255.0 | 192.168.4.254   |
| PC7 | 192.168.3.2 | 255.255.255.0 | 192.168.3.254   |
| PC8 | 192.168.4.2 | 255.255.255.0 | 192.168.4.254   |
The configuration is identical to the first building; only the VLAN ids and IP-related values change slightly, as follows:

Layer-3 switch S34:

```
[S34]vlan batch 4 5
Info: This operation may take a few seconds. Please wait for a moment...done.
[S34]int g0/0/1
[S34-GigabitEthernet0/0/1]port link-type trunk
[S34-GigabitEthernet0/0/1]port trunk allow-pass vlan 4 5
[S34-GigabitEthernet0/0/1]int g0/0/2
[S34-GigabitEthernet0/0/2]port link-type trunk
[S34-GigabitEthernet0/0/2]port trunk allow-pass vlan 4 5
[S34-GigabitEthernet0/0/2]q
[S34]interface Vlanif 4
[S34-Vlanif4]ip add 192.168.3.254 24
[S34-Vlanif4]q
[S34]interface Vlanif 5
[S34-Vlanif5]ip add 192.168.4.254 24
[S34-Vlanif5]q
```

Switch S3:

```
[S3]vlan batch 4 5
Info: This operation may take a few seconds. Please wait for a moment...done.
[S3]int g0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 4 5
[S3-GigabitEthernet0/0/1]int e0/0/1
[S3-Ethernet0/0/1]port link-type access
[S3-Ethernet0/0/1]port default vlan 4
[S3-Ethernet0/0/1]int e0/0/2
[S3-Ethernet0/0/2]port link-type access
[S3-Ethernet0/0/2]port default vlan 5
[S3-Ethernet0/0/2]q
```

Switch S4:

```
[S4]vlan batch 4 5
Info: This operation may take a few seconds. Please wait for a moment...done.
[S4]int g0/0/1
[S4-GigabitEthernet0/0/1]port link-type trunk
[S4-GigabitEthernet0/0/1]port trunk allow-pass vlan 4 5
[S4-GigabitEthernet0/0/1]int e0/0/1
[S4-Ethernet0/0/1]port link-type access
[S4-Ethernet0/0/1]port default vlan 4
[S4-Ethernet0/0/1]int e0/0/2
[S4-Ethernet0/0/2]port link-type access
[S4-Ethernet0/0/2]port default vlan 5
[S4-Ethernet0/0/2]q
```
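The two buildings above differ only in their VLAN ids, subnets and device names, so the repeated configuration can be expressed as data and rendered. The following script is an added example and is not code from the original post or from eNSP: it describes each building (core switch, access switches, one VLAN/subnet per department) and emits the same VRP commands as the transcripts above, plus the PC address table. The port numbering (uplink GigabitEthernet0/0/N to the N-th access switch, Ethernet0/0/N for the N-th department) and the choice of .254 as the gateway are taken from the lab; the data-class names and the `quit` spelling of the `q` abbreviation are this script's own.

```python
"""Render the per-building VLAN configuration from a small data model.

Added example, not part of the original post.  Device names and port
layout follow the lab topology; the class and function names are
assumptions of this script.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass
class Department:
    vlan: int
    subnet: str          # e.g. "192.168.1.0/24"


@dataclass
class Building:
    core: str            # layer-3 switch, e.g. "S12"
    access: list         # layer-2 switches, e.g. ["S1", "S2"]
    departments: list    # one Department per VLAN


def gateway(subnet: str) -> str:
    """The lab uses the highest usable host (.254 in a /24) as the Vlanif address."""
    net = IPv4Network(subnet)
    return str(net.broadcast_address - 1)


def core_config(b: Building) -> list:
    """Layer-3 switch: one trunk per access switch, one Vlanif (gateway) per VLAN."""
    vlans = " ".join(str(d.vlan) for d in b.departments)
    lines = [f"vlan batch {vlans}"]
    # uplink 1 goes to the first access switch, uplink 2 to the second, ...
    for port, _ in enumerate(b.access, start=1):
        lines += [f"interface GigabitEthernet0/0/{port}",
                  "port link-type trunk",
                  f"port trunk allow-pass vlan {vlans}",
                  "quit"]
    for d in b.departments:
        lines += [f"interface Vlanif {d.vlan}",
                  f"ip address {gateway(d.subnet)} {IPv4Network(d.subnet).prefixlen}",
                  "quit"]
    return lines


def access_config(b: Building) -> list:
    """Layer-2 switch: one trunk uplink, one access port per department."""
    vlans = " ".join(str(d.vlan) for d in b.departments)
    lines = [f"vlan batch {vlans}",
             "interface GigabitEthernet0/0/1",
             "port link-type trunk",
             f"port trunk allow-pass vlan {vlans}",
             "quit"]
    for port, d in enumerate(b.departments, start=1):
        lines += [f"interface Ethernet0/0/{port}",
                  "port link-type access",
                  f"port default vlan {d.vlan}",
                  "quit"]
    return lines


def pc_settings(b: Building) -> list:
    """(ip, mask, gateway) per PC: host n of every department hangs off access switch n."""
    out = []
    for host, _ in enumerate(b.access, start=1):
        for d in b.departments:
            net = IPv4Network(d.subnet)
            out.append((str(net.network_address + host), str(net.netmask), gateway(d.subnet)))
    return out


# The two buildings exactly as built in the lab.
BUILDING_1 = Building("S12", ["S1", "S2"],
                      [Department(2, "192.168.1.0/24"), Department(3, "192.168.2.0/24")])
BUILDING_2 = Building("S34", ["S3", "S4"],
                      [Department(4, "192.168.3.0/24"), Department(5, "192.168.4.0/24")])

if __name__ == "__main__":
    for b in (BUILDING_1, BUILDING_2):
        print(f"# {b.core}")
        print("\n".join(core_config(b)))
        for sw in b.access:
            print(f"# {sw}")
            print("\n".join(access_config(b)))
        print("# PCs:", pc_settings(b))
```

Running the script prints the S12/S1/S2 and S34/S3/S4 command sets and the PC1 to PC8 address tuples; generating them from one model is what keeps the second building consistent with the first instead of relying on a hand-edited copy.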
### Connecting the two buildings with OSPF

Next we connect a further layer-3 switch above the two layer-3 switches; now we want every PC in one building to be able to ping every PC in the other:

How do we get the two buildings to communicate?

I think we need OSPF: add a VLAN on each of the two lower layer-3 switches and on the upper switch, then set up OSPF between the three of them, and that should do it.

First configure the VLAN on port g0/0/3 of S12:

```
[S12]vlan batch 11
Info: This operation may take a few seconds. Please wait for a moment...done.
[S12]int g0/0/3
[S12-GigabitEthernet0/0/3]port link-type trunk
[S12-GigabitEthernet0/0/3]port trunk allow-pass vlan 11
[S12-GigabitEthernet0/0/3]q
[S12]interface Vlanif 11
[S12-Vlanif11]ip add 192.168.11.1 24
[S12-Vlanif11]q
[S12]
```

Then configure the VLAN on port g0/0/3 of S34:

```
[S34]vlan batch 12
Info: This operation may take a few seconds. Please wait for a moment...done.
[S34]int g0/0/3
[S34-GigabitEthernet0/0/3]port link-type trunk
[S34-GigabitEthernet0/0/3]port trunk allow-pass vlan 12
[S34-GigabitEthernet0/0/3]q
[S34]interface Vlanif 12
[S34-Vlanif12]ip add 192.168.12.1 24
[S34-Vlanif12]q
[S34]
```

Then configure the VLANs on g0/0/1 and g0/0/2 of S1234:

```
[S1234]vlan batch 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1234]int g0/0/1
[S1234-GigabitEthernet0/0/1]port link-type trunk
[S1234-GigabitEthernet0/0/1]port trunk allow-pass vlan 11
[S1234-GigabitEthernet0/0/1]int g0/0/2
[S1234-GigabitEthernet0/0/2]port link-type trunk
[S1234-GigabitEthernet0/0/2]port trunk allow-pass vlan 12
[S1234-GigabitEthernet0/0/2]q
[S1234]interface Vlanif 11
[S1234-Vlanif11]ip add 192.168.11.2 24
[S1234-Vlanif11]q
[S1234]interface Vlanif 12
[S1234-Vlanif12]ip add 192.168.12.2 24
[S1234-Vlanif12]q
[S1234]
```
Next, use single-area OSPF to connect the three switches:

S12 settings:

```
# S12 single-area OSPF
[S12]ospf 1 router-id 1.1.1.1
[S12-ospf-1]area 0
[S12-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[S12-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[S12-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[S12-ospf-1-area-0.0.0.0]q
[S12-ospf-1]
```

S34 settings:

```
[S34]ospf 1 router-id 2.2.2.2
[S34-ospf-1]area 0
[S34-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[S34-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[S34-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[S34-ospf-1-area-0.0.0.0]q
[S34-ospf-1]
```

S1234 settings:

```
[S1234]ospf 1 router-id 3.3.3.3
[S1234-ospf-1]area 0
[S1234-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[S1234-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[S1234-ospf-1-area-0.0.0.0]q
[S1234-ospf-1]
```

With that configured, the PCs in the two buildings can ping each other.

For example, PC1 pinging PC5:

PC6 pinging PC2:

The others work the same way; they can all ping each other!
### Completing the topology

Now we add the remaining parts on top of the current topology, as shown below:

First add a VLAN on the layer-3 switch S1234:

```
[S1234]vlan batch 101
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1234]int g0/0/3
[S1234-GigabitEthernet0/0/3]port link-type access
[S1234-GigabitEthernet0/0/3]port default vlan 101
[S1234-GigabitEthernet0/0/3]q
[S1234]interface Vlanif 101
[S1234-Vlanif101]ip address 192.168.101.2 24
[S1234-Vlanif101]q
```

Then add the new network to its OSPF configuration as well:

```
[S1234]ospf 1
[S1234-ospf-1]area 0
[S1234-ospf-1-area-0.0.0.0]network 192.168.101.0 0.0.0.255
[S1234-ospf-1-area-0.0.0.0]
```

Router R1 is configured the same way:

```
[R1]vlan batch 101
Info: This operation may take a few seconds. Please wait for a moment...done.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.101.1 24
[R1-GigabitEthernet0/0/1]q
```

Then add OSPF for it too:

```
[R1]ospf 1 router-id 4.4.4.4
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.101.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 210.96.100.0 0.0.0.255
```

Add the external (Internet) uplink on the right-hand port of R1 to connect to the outside network:

```
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 210.96.100.1 24
```
Then have it ping PC9; the ping succeeds, with the following result:

Next, configure NAT on R1 so that the internal network can reach the external network:

```
[R1]nat address-group 1 210.96.100.2 210.96.100.100
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
```

Once this is configured, the internal PCs can ping the external network, as shown below:

First delete this rule; we will redefine it later:

```
[R1-GigabitEthernet0/0/0]undo rule 5
```

To delete rule xx, run `undo rule xx` in the `[R1-acl-basic-2000]` view.
### Defining access rules

Requirement: prohibit department A of building 1 from accessing the Internet, prohibit department B of building 1 from accessing the Internet during working hours (9:00-17:00), and allow all other departments in the other buildings to access the Internet.

```
[R1]acl 2000
[R1-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]time-range noB 07:00 to 17:00 daily
[R1]acl 2000
[R1-acl-basic-2000]rule deny source 192.168.2.0 0.0.0.255 time-range noB
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
```

Put the most restrictive rules first, because earlier rules take effect before later ones!

This way department A cannot ping the external network; department B can ping it because the current time is 19:37, outside the time range; and all the other departments can ping it.
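The ordering point above (and the `source network wildcard` notation shared by the NAT ACL earlier and by the OSPF `network` statements) is easiest to see by stepping through the rules by hand. The following script is an added example, not code from the original post or from Huawei VRP: it models a basic ACL as an ordered list evaluated first-match (VRP's default config-order matching), implements the wildcard-mask comparison, and applies the `daily` periodic time-range exactly as the lab entered it (07:00 to 17:00, while the requirement text says 9:00). The timestamps and the `PERMIT_FIRST` list are constructed for illustration; for `nat outbound`, a packet that matches no rule is simply not translated, which the model reports as `None`.

```python
"""First-match model of basic ACL 2000 on R1, with wildcard masks and a time-range.

Added example, not part of the original post.  Class names, the
constructed timestamps and the PERMIT_FIRST list are this script's own.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr lies in network/wildcard.

    A wildcard mask is the inverse of a subnet mask: a 1 bit means "don't
    care".  Both ACL `source` and OSPF `network` statements use it, so
    0.0.0.255 covers one /24 and 0.0.255.255 covers a /16.
    """
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care


@dataclass
class TimeRange:
    """A `time-range NAME hh:mm to hh:mm daily` periodic window (inclusive)."""
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return self.start <= now.time() <= self.end


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    network: str
    wildcard: str
    time_range: Optional[TimeRange] = None


# The lab's rules in the order they were typed; VRP numbers them 5, 10, 15
# and checks them in that order.
NO_B = TimeRange(time(7, 0), time(17, 0))
ACL_2000 = [
    Rule("deny", "192.168.1.0", "0.0.0.255"),          # building 1, department A
    Rule("deny", "192.168.2.0", "0.0.0.255", NO_B),    # department B, working hours only
    Rule("permit", "192.168.0.0", "0.0.255.255"),      # every other internal host
]
# Same rules with the permit moved to the front: the mistake the text warns about.
PERMIT_FIRST = [ACL_2000[2], ACL_2000[0], ACL_2000[1]]

# Constructed timestamps: one inside the working-hours window, one at the
# 19:37 the post mentions.
WORK = datetime(2024, 1, 1, 10, 0)
EVENING = datetime(2024, 1, 1, 19, 37)


def evaluate(rules, src: str, now: datetime) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches.

    A rule whose time-range is not active is skipped as if absent.
    Under `nat outbound`, None means the packet is not translated.
    """
    for rule in rules:
        if rule.time_range is not None and not rule.time_range.active(now):
            continue
        if wildcard_match(src, rule.network, rule.wildcard):
            return rule.action
    return None


def internet_allowed(src: str, now: datetime, rules=ACL_2000) -> bool:
    """Only an explicit permit gets a host through the NAT uplink."""
    return evaluate(rules, src, now) == "permit"


if __name__ == "__main__":
    for label, ip in [("PC1 dept A", "192.168.1.1"),
                      ("PC2 dept B", "192.168.2.1"),
                      ("PC5 building 2", "192.168.3.1")]:
        print(f"{label}: 10:00 -> {internet_allowed(ip, WORK)}, "
              f"19:37 -> {internet_allowed(ip, EVENING)}")
    # With the permit first, department A is let through: the deny rules
    # are never reached.
    print("permit-first order, PC1 at 10:00:",
          internet_allowed("192.168.1.1", WORK, PERMIT_FIRST))
```

Running it shows department A denied at both times, department B denied at 10:00 but permitted at 19:37, building 2 always permitted, and the reversed order permitting department A, which is the behaviour the one-line rule of thumb above is guarding against.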
### Setting up Telnet

Next set up Telnet; on router R1 do the following:

```
[R1]user-interface vty 0 4
[R1-ui-vty0-4]set authentication password cipher 123456
```

Then check from the layer-3 switch S12 whether we can connect remotely to router R1:

It connects, and so do the other switches.

Next configure Telnet on all three layer-3 switches as below, with the password 123456 on each, so that every router and layer-3 switch supports remote Telnet management.

```
user-interface vty 0 4
set authentication password cipher 123456
```
## Appendix

### Core configuration commands

Creating VLANs:

```
[S12]vlan batch 2 3
```

Allowing VLAN 2 and VLAN 3 across the trunk:

```
[S12]int g0/0/1
[S12-GigabitEthernet0/0/1]port link-type trunk
[S12-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
```

Adding an IP address to a VLAN:

```
[S12]interface Vlanif 2
[S12-Vlanif2]ip add 192.168.1.254 24
[S12-Vlanif2]q
[S12]interface Vlanif 3
[S12-Vlanif3]ip add 192.168.2.254 24
[S12-Vlanif3]q
```

S12 OSPF settings:

```
[S12]ospf 1 router-id 1.1.1.1
[S12-ospf-1]area 0
[S12-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[S12-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[S12-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[S12-ospf-1-area-0.0.0.0]q
[S12-ospf-1]
```

S34 OSPF settings:

```
[S34]ospf 1 router-id 2.2.2.2
[S34-ospf-1]area 0
[S34-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[S34-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[S34-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[S34-ospf-1-area-0.0.0.0]q
[S34-ospf-1]
```

S1234 OSPF settings:

```
[S1234]ospf 1 router-id 3.3.3.3
[S1234-ospf-1]area 0
[S1234-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[S1234-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[S1234-ospf-1-area-0.0.0.0]q
[S1234-ospf-1]
```

R1 NAT settings:

```
[R1]nat address-group 1 210.96.100.2 210.96.100.100
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/0]q
```

Defining access rules:

```
[R1]acl 2000
# first deny department A of building 1
[R1-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
# then deny department B of building 1 during the specified time range
[R1-acl-basic-2000]q
[R1]time-range noB 07:00 to 17:00 daily
[R1]acl 2000
[R1-acl-basic-2000]rule deny source 192.168.2.0 0.0.0.255 time-range noB
# finally permit all remaining internal hosts
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
```

Setting up Telnet:

```
[R1]user-interface vty 0 4
[R1-ui-vty0-4]set authentication password cipher 123456
```