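1 Case: Campus Network Project - Implementing the Network Redundancy Design
1.1 Requirements
- To improve gateway stability and redundancy, every department uses gateway redundancy.
- Add multiple links between the switches to improve link stability and link utilization.
- When hosts in different departments access each other, traffic must always take the optimal forwarding path.
1.2 Solution
Build the lab environment in eNSP, as shown in Figure 1.
1.3 Steps
Complete this case by following the steps below.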
Configure the gateway IP addresses for VLAN 10/20/30/40 on SW5
- [SW5]interface vlanif 10
- [SW5-Vlanif10]ip address 192.168.10.252 24
- [SW5-Vlanif10]quit
- [SW5]interface vlanif 20
- [SW5-Vlanif20]ip address 192.168.20.252 24
- [SW5-Vlanif20]quit
- [SW5]interface vlanif 30
- [SW5-Vlanif30]ip address 192.168.30.252 24
- [SW5-Vlanif30]quit
- [SW5]interface vlanif 40
- [SW5-Vlanif40]ip address 192.168.40.252 24
- [SW5-Vlanif40]quit
On the DHCP server, exclude the gateway IP addresses configured on SW5
- [DHCP]ip pool VLAN10
- [DHCP-ip-pool-VLAN10]excluded-ip-address 192.168.10.251
- [DHCP-ip-pool-VLAN10]quit
- [DHCP]ip pool VLAN20
- [DHCP-ip-pool-VLAN20]excluded-ip-address 192.168.20.251
- [DHCP-ip-pool-VLAN20]quit
- [DHCP]ip pool VLAN30
- [DHCP-ip-pool-VLAN30]excluded-ip-address 192.168.30.251
- [DHCP-ip-pool-VLAN30]quit
- [DHCP]ip pool VLAN40
- [DHCP-ip-pool-VLAN40]excluded-ip-address 192.168.40.251
- [DHCP-ip-pool-VLAN40]quit
Configure VRRP: SW5 is the master gateway for VLAN 10/20 and the backup gateway for VLAN 30/40
- [SW5]interface Vlanif 10
- [SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
- [SW5-Vlanif10]vrrp vrid 10 priority 200
- [SW5-Vlanif10]quit
- [SW5]interface Vlanif 20
- [SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
- [SW5-Vlanif20]vrrp vrid 20 priority 200
- [SW5-Vlanif20]quit
- [SW5]interface Vlanif 30
- [SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
- [SW5-Vlanif30]quit
- [SW5]interface Vlanif 40
- [SW5-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
- [SW5-Vlanif40]quit
Configure VRRP: SW6 is the master gateway for VLAN 30/40 and the backup gateway for VLAN 10/20
- [SW6]interface Vlanif 30
- [SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
- [SW6-Vlanif30]vrrp vrid 30 priority 200
- [SW6-Vlanif30]quit
- [SW6]interface Vlanif 40
- [SW6-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
- [SW6-Vlanif40]vrrp vrid 40 priority 200
- [SW6-Vlanif40]quit
- [SW6]interface Vlanif 10
- [SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
- [SW6-Vlanif10]quit
- [SW6]interface Vlanif 20
- [SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
- [SW6-Vlanif20]quit
Configure SW5 as a DHCP relay and make sure it can reach the DHCP server
- [SW5]dhcp enable
- [SW5]interface Vlanif 10
- [SW5-Vlanif10]dhcp select relay
- [SW5-Vlanif10]dhcp relay server-ip 192.168.66.1
- [SW5-Vlanif10]quit
- [SW5]interface Vlanif 20
- [SW5-Vlanif20]dhcp select relay
- [SW5-Vlanif20]dhcp relay server-ip 192.168.66.1
- [SW5-Vlanif20]quit
- [SW5]interface Vlanif 30
- [SW5-Vlanif30]dhcp select relay
- [SW5-Vlanif30]dhcp relay server-ip 192.168.66.1
- [SW5-Vlanif30]quit
- [SW5]interface Vlanif 40
- [SW5-Vlanif40]dhcp select relay
- [SW5-Vlanif40]dhcp relay server-ip 192.168.66.1
- [SW5-Vlanif40]quit
- [SW5]interface Vlanif 66 # make sure SW5 can reach the DHCP server
- [SW5-Vlanif66]ip address 192.168.66.2 24
- [SW5-Vlanif66]quit
Configure Vlanif 88 on SW6 so that PCs in VLAN 30/40 can reach the web server
- [SW6]interface Vlanif 88
- [SW6-Vlanif88]ip address 192.168.88.2 24
- [SW6-Vlanif88]quit
Configure MSTP so that PCs in every subnet use the optimal forwarding path when accessing each other
- [SW1]stp mode mstp
- [SW1]stp region-configuration
- [SW1-mst-region]region-name HCIP
- [SW1-mst-region]instance 10 vlan 10
- [SW1-mst-region]instance 20 vlan 20
- [SW1-mst-region]instance 30 vlan 30
- [SW1-mst-region]instance 40 vlan 40
- [SW1-mst-region]active region-configuration
- [SW1-mst-region]quit
- [SW2]stp mode mstp
- [SW2]stp region-configuration
- [SW2-mst-region]region-name HCIP
- [SW2-mst-region]instance 10 vlan 10
- [SW2-mst-region]instance 20 vlan 20
- [SW2-mst-region]instance 30 vlan 30
- [SW2-mst-region]instance 40 vlan 40
- [SW2-mst-region]active region-configuration
- [SW2-mst-region]quit
- [SW3]stp mode mstp
- [SW3]stp region-configuration
- [SW3-mst-region]region-name HCIP
- [SW3-mst-region]instance 10 vlan 10
- [SW3-mst-region]instance 20 vlan 20
- [SW3-mst-region]instance 30 vlan 30
- [SW3-mst-region]instance 40 vlan 40
- [SW3-mst-region]active region-configuration
- [SW3-mst-region]quit
- [SW4]stp mode mstp
- [SW4]stp region-configuration
- [SW4-mst-region]region-name HCIP
- [SW4-mst-region]instance 10 vlan 10
- [SW4-mst-region]instance 20 vlan 20
- [SW4-mst-region]instance 30 vlan 30
- [SW4-mst-region]instance 40 vlan 40
- [SW4-mst-region]active region-configuration
- [SW4-mst-region]quit
- [SW5]stp mode mstp
- [SW5]stp region-configuration
- [SW5-mst-region]region-name HCIP
- [SW5-mst-region]instance 10 vlan 10
- [SW5-mst-region]instance 20 vlan 20
- [SW5-mst-region]instance 30 vlan 30
- [SW5-mst-region]instance 40 vlan 40
- [SW5-mst-region]active region-configuration
- [SW5-mst-region]quit
- [SW6]stp mode mstp
- [SW6]stp region-configuration
- [SW6-mst-region]region-name HCIP
- [SW6-mst-region]instance 10 vlan 10
- [SW6-mst-region]instance 20 vlan 20
- [SW6-mst-region]instance 30 vlan 30
- [SW6-mst-region]instance 40 vlan 40
- [SW6-mst-region]active region-configuration
- [SW6-mst-region]quit
- [SW5]stp instance 10 priority 0 # make SW5 the root switch for VLAN 10
- [SW5]stp instance 20 priority 0 # make SW5 the root switch for VLAN 20
- [SW6]stp instance 30 priority 0 # make SW6 the root switch for VLAN 30
- [SW6]stp instance 40 priority 0 # make SW6 the root switch for VLAN 40
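2 Case: Campus Network Project - Resilient Routed Network Design
2.1 Requirements
- Configure OSPF areas sensibly so that all departments can reach each other.
- Each department belongs to its own OSPF area; the area containing the web/DHCP servers must not be affected by external links or by links in other areas.
- In the backbone area, devices must be able to establish adjacencies quickly.
2.2 Solution
Build the lab environment in eNSP, as shown in Figure 2.
2.3 Steps
Complete this case by following the steps below.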
1) Add SW7 and SW8 to the existing network, and add VLAN 15 and 16 to connect to R1
- <Huawei>undo terminal monitor
- <Huawei>system-view
- [Huawei]sysname SW7
- [SW7]vlan batch 10 20 30 40 66 88 15 16
- [SW7]port-group group-member gi0/0/10 gi0/0/20 gi0/0/21
- [SW7-port-group]port link-type trunk
- [SW7-port-group]port trunk allow-pass vlan all
- [SW7-port-group]quit
- [SW7]interface GigabitEthernet 0/0/1
- [SW7-GigabitEthernet0/0/1]port link-type access
- [SW7-GigabitEthernet0/0/1]port default vlan 15
- [SW7-GigabitEthernet0/0/1]quit
- [SW7]stp mode mstp
- [SW7]stp region-configuration
- [SW7-mst-region]region-name HCIP
- [SW7-mst-region]instance 10 vlan 10
- [SW7-mst-region]instance 20 vlan 20
- [SW7-mst-region]instance 30 vlan 30
- [SW7-mst-region]instance 40 vlan 40
- [SW7-mst-region]active region-configuration
- [SW7-mst-region]quit
- <Huawei>undo terminal monitor
- <Huawei>system-view
- [Huawei]sysname SW8
- [SW8]vlan batch 10 20 30 40 66 88 15 16
- [SW8]port-group group-member gi0/0/10 gi0/0/20 gi0/0/21
- [SW8-port-group]port link-type trunk
- [SW8-port-group]port trunk allow-pass vlan all
- [SW8-port-group]quit
- [SW8]interface GigabitEthernet 0/0/2
- [SW8-GigabitEthernet0/0/2]port link-type access
- [SW8-GigabitEthernet0/0/2]port default vlan 16
- [SW8-GigabitEthernet0/0/2]quit
- [SW8]stp mode mstp
- [SW8]stp region-configuration
- [SW8-mst-region]region-name HCIP
- [SW8-mst-region]instance 10 vlan 10
- [SW8-mst-region]instance 20 vlan 20
- [SW8-mst-region]instance 30 vlan 30
- [SW8-mst-region]instance 40 vlan 40
- [SW8-mst-region]active region-configuration
- [SW8-mst-region]quit
- [SW1]vlan batch 15 16
- [SW2]vlan batch 15 16
- [SW3]vlan batch 15 16
- [SW4]vlan batch 15 16
- [SW5]vlan batch 15 16
- [SW6]vlan batch 15 16
2) Configure the trunk interfaces interconnecting SW5/6 and SW7/8
- [SW5]port-group group-member gi0/0/20 gi0/0/21
- [SW5-port-group]port link-type trunk
- [SW5-port-group]port trunk allow-pass vlan all
- [SW5-port-group]quit
- [SW6]port-group group-member gi0/0/20 gi0/0/21
- [SW6-port-group]port link-type trunk
- [SW6-port-group]port trunk allow-pass vlan all
- [SW6-port-group]quit
3) Configure R1's interface IP addresses, enable OSPF, and optimize the interface network type
- <Huawei>undo terminal monitor
- <Huawei>system-view
- [Huawei]sysname R1
- [R1]interface GigabitEthernet 0/0/1
- [R1-GigabitEthernet0/0/1]ip address 192.168.15.1 24
- [R1-GigabitEthernet0/0/1]quit
- [R1]interface GigabitEthernet 0/0/2
- [R1-GigabitEthernet0/0/2]ip address 192.168.16.1 24
- [R1-GigabitEthernet0/0/2]quit
- [R1]ospf 1 router-id 1.1.1.1
- [R1-ospf-1]area 0
- [R1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
- [R1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
- [R1-ospf-1-area-0.0.0.0]quit
- [R1]interface GigabitEthernet 0/0/1
- [R1-GigabitEthernet0/0/1]ospf network-type p2p
- [R1-GigabitEthernet0/0/1]quit
- [R1]interface GigabitEthernet 0/0/2
- [R1-GigabitEthernet0/0/2]ospf network-type p2p
- [R1-GigabitEthernet0/0/2]quit
4) Configure the interface IP addresses on SW5/6, enable OSPF, and optimize the interface network type
- [SW5]interface Vlanif 15
- [SW5-Vlanif15]ip address 192.168.15.5 24
- [SW5-Vlanif15]ospf network-type p2p
- [SW5-Vlanif15]quit
- [SW5]ospf 1 router-id 5.5.5.5
- [SW5-ospf-1]area 0
- [SW5-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.0]quit
- [SW5-ospf-1]area 10
- [SW5-ospf-1-area-0.0.0.10]network 192.168.10.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.10]quit
- [SW5-ospf-1]area 20
- [SW5-ospf-1-area-0.0.0.20]network 192.168.20.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.20]quit
- [SW5-ospf-1]area 30
- [SW5-ospf-1-area-0.0.0.30]network 192.168.30.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.30]quit
- [SW5-ospf-1]area 40
- [SW5-ospf-1-area-0.0.0.40]network 192.168.40.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.40]quit
- [SW5-ospf-1]area 88
- [SW5-ospf-1-area-0.0.0.88]network 192.168.88.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.88]stub no-summary
- [SW5-ospf-1-area-0.0.0.88]quit
- [SW6]interface Vlanif 16
- [SW6-Vlanif16]ip address 192.168.16.6 24
- [SW6-Vlanif16]ospf network-type p2p
- [SW6-Vlanif16]quit
- [SW6]ospf 1 router-id 6.6.6.6
- [SW6-ospf-1]area 0
- [SW6-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.0]quit
- [SW6-ospf-1]area 10
- [SW6-ospf-1-area-0.0.0.10]network 192.168.10.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.10]quit
- [SW6-ospf-1]area 20
- [SW6-ospf-1-area-0.0.0.20]network 192.168.20.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.20]quit
- [SW6-ospf-1]area 30
- [SW6-ospf-1-area-0.0.0.30]network 192.168.30.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.30]quit
- [SW6-ospf-1]area 40
- [SW6-ospf-1-area-0.0.0.40]network 192.168.40.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.40]quit
- [SW6-ospf-1]area 66
- [SW6-ospf-1-area-0.0.0.66]network 192.168.66.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.66]stub no-summary
- [SW6-ospf-1-area-0.0.0.66]quit
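3 Case: Campus Network Project - Dual-Exit Internet Access
3.1 Requirements
- The company has two egress devices, R1 and R2; R1 is the primary exit and R2 is the backup exit.
- A large number of internal hosts need Internet access; use the scheme that consumes the fewest IP addresses.
- Hosts in the finance department belong to a sensitive business unit and must not access the Internet.
3.2 Solution
Build the lab environment in eNSP, as shown in Figure 3.
3.3 Steps
Complete this case by following the steps below.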
1) Add the backup egress device R2 and form OSPF neighbor relationships with SW5/6 over VLAN 25/26
- <Huawei>undo terminal monitor
- <Huawei>system-view
- [Huawei]sysname R2
- [R2]interface GigabitEthernet 0/0/1
- [R2-GigabitEthernet0/0/1]ip address 192.168.25.2 24
- [R2-GigabitEthernet0/0/1]quit
- [R2]interface GigabitEthernet 0/0/2
- [R2-GigabitEthernet0/0/2]ip address 192.168.26.2 24
- [R2-GigabitEthernet0/0/2]quit
- [R2]ospf 1 router-id 2.2.2.2
- [R2-ospf-1]area 0
- [R2-ospf-1-area-0.0.0.0]network 192.168.25.0 0.0.0.255
- [R2-ospf-1-area-0.0.0.0]network 192.168.26.0 0.0.0.255
- [R2-ospf-1-area-0.0.0.0]quit
- [R2]interface GigabitEthernet 0/0/1
- [R2-GigabitEthernet0/0/1]ospf network-type p2p
- [R2-GigabitEthernet0/0/1]quit
- [R2]interface GigabitEthernet 0/0/2
- [R2-GigabitEthernet0/0/2]ospf network-type p2p
- [R2-GigabitEthernet0/0/2]quit
2) Add VLAN 25/26 to the switched network
- [SW1]vlan batch 25 26
- [SW2]vlan batch 25 26
- [SW3]vlan batch 25 26
- [SW4]vlan batch 25 26
- [SW5]vlan batch 25 26
- [SW6]vlan batch 25 26
- [SW7]vlan batch 25 26
- [SW8]vlan batch 25 26
- [SW7]interface GigabitEthernet 0/0/2
- [SW7-GigabitEthernet0/0/2]port link-type access
- [SW7-GigabitEthernet0/0/2]port default vlan 25
- [SW7-GigabitEthernet0/0/2]quit
- [SW8]interface GigabitEthernet 0/0/1
- [SW8-GigabitEthernet0/0/1]port link-type access
- [SW8-GigabitEthernet0/0/1]port default vlan 26
- [SW8-GigabitEthernet0/0/1]quit
3) On SW5/6, form OSPF neighbor relationships with R2 over VLAN 25/26 and optimize OSPF
- [SW5]interface Vlanif 25
- [SW5-Vlanif25]ip address 192.168.25.5 24
- [SW5-Vlanif25]ospf network-type p2p
- [SW5-Vlanif25]quit
- [SW5]ospf 1
- [SW5-ospf-1]area 0
- [SW5-ospf-1-area-0.0.0.0]network 192.168.25.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.0]quit
- [SW6]interface Vlanif 26
- [SW6-Vlanif26]ip address 192.168.26.6 24
- [SW6-Vlanif26]ospf network-type p2p
- [SW6-Vlanif26]quit
- [SW6]ospf 1
- [SW6-ospf-1]area 0
- [SW6-ospf-1-area-0.0.0.0]network 192.168.26.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.0]quit
4) Configure default routes to the Internet on R1/R2 and advertise them to SW5/6 through OSPF
- [R1]interface GigabitEthernet 0/0/0
- [R1-GigabitEthernet0/0/0]ip address 100.1.1.1 24
- [R1-GigabitEthernet0/0/0]quit
- [R1]ip route-static 0.0.0.0 0 100.1.1.3 # 100.1.1.3 is the interface IP address of the carrier device
- [R1]ospf 1
- [R1-ospf-1]default-route-advertise # originate an OSPF default route with cost 1
- [R1-ospf-1]quit
- [R2]interface GigabitEthernet 0/0/0
- [R2-GigabitEthernet0/0/0]ip address 200.1.1.2 24
- [R2-GigabitEthernet0/0/0]quit
- [R2]ip route-static 0.0.0.0 0 200.1.1.3 # 200.1.1.3 is the interface IP address of the carrier device
- [R2]ospf 1
- [R2-ospf-1]default-route-advertise cost 10 # originate an OSPF default route with cost 10
- [R2-ospf-1]quit
5) Configure the ACL and NAT (Easy IP) on R1/R2
- [R1]acl 2000
- [R1-acl-basic-2000]rule 10 deny source 192.168.40.0 0.0.0.255
- [R1-acl-basic-2000]rule 20 permit source any
- [R1-acl-basic-2000]quit
- [R1]interface GigabitEthernet 0/0/0
- [R1-GigabitEthernet0/0/0]nat outbound 2000
- [R1-GigabitEthernet0/0/0]quit
- [R2]acl 2000
- [R2-acl-basic-2000]rule 10 deny source 192.168.40.0 0.0.0.255
- [R2-acl-basic-2000]rule 20 permit source any
- [R2-acl-basic-2000]quit
- [R2]interface GigabitEthernet 0/0/0
- [R2-GigabitEthernet0/0/0]nat outbound 2000
- [R2-GigabitEthernet0/0/0]quit
6) Configure the carrier device and the test device
- <Huawei>undo terminal monitor
- <Huawei>system-view
- [Huawei]sysname DianXin
- [DianXin]interface GigabitEthernet 0/0/1
- [DianXin-GigabitEthernet0/0/1]ip address 100.1.1.3 24
- [DianXin-GigabitEthernet0/0/1]quit
- [DianXin]interface GigabitEthernet 0/0/2
- [DianXin-GigabitEthernet0/0/2]ip address 200.1.1.3 24
- [DianXin-GigabitEthernet0/0/2]quit
- [DianXin]interface GigabitEthernet 0/0/0
- [DianXin-GigabitEthernet0/0/0]ip address 110.1.1.254 24
- [DianXin-GigabitEthernet0/0/0]quit
- Client1: IP address 110.1.1.11, subnet mask 255.255.255.0, gateway 110.1.1.254
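4 Case: Campus Network Project - Publishing Internal Servers
4.1 Requirements
- The internal web server can be accessed by devices on the Internet.
- The internal switches can be accessed remotely by devices on the Internet.
4.2 Solution
Build the lab environment in eNSP, as shown in Figure 4.
4.3 Steps
Complete this case by following the steps below.
Configure the web server's IP address and start the web service
Configure NAT Server on the border device R1
- [R1]interface GigabitEthernet 0/0/0
- [R1-GigabitEthernet0/0/0]nat server protocol tcp global 100.1.1.100 2008 inside 192.168.88.1 80
- [R2]interface GigabitEthernet 0/0/0
- [R2-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.200 2008 inside 192.168.88.1 80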
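5 Case: Campus Network Project - Remote Device Management
5.1 Requirements
- Allocate a dedicated IP subnet for the internal switches to use as device management addresses.
- The remote-login username and password for the internal switches are: HuaWei / HCIE
- Among internal users, only PC-2 in the technical department may log in remotely to all internal devices.
5.2 Solution
Build the lab environment in eNSP, as shown in Figure 5.
5.3 Steps
Complete this case by following the steps below.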
1) Configure management VLAN 199 on the switches, set the management IP addresses, and enable remote login
- [SW1]vlan 199
- [SW1-vlan199]quit
- [SW1]interface vlanif 199
- [SW1-Vlanif199]ip address 192.168.199.1 24
- [SW1-Vlanif199]quit
- [SW1]aaa
- [SW1-aaa]local-user HuaWei password cipher HCIE
- [SW1-aaa]local-user HuaWei service-type telnet
- [SW1-aaa]quit
- [SW1]user-interface vty 0 4
- [SW1-ui-vty0-4]authentication-mode aaa
- [SW1-ui-vty0-4]quit
- [SW2]vlan 199
- [SW2-vlan199]quit
- [SW2]interface vlanif 199
- [SW2-Vlanif199]ip address 192.168.199.2 24
- [SW2-Vlanif199]quit
- [SW2]aaa
- [SW2-aaa]local-user HuaWei password cipher HCIE
- [SW2-aaa]local-user HuaWei service-type telnet
- [SW2-aaa]quit
- [SW2]user-interface vty 0 4
- [SW2-ui-vty0-4]authentication-mode aaa
- [SW2-ui-vty0-4]quit
- [SW3]vlan 199
- [SW3-vlan199]quit
- [SW3]interface vlanif 199
- [SW3-Vlanif199]ip address 192.168.199.3 24
- [SW3-Vlanif199]quit
- [SW3]aaa
- [SW3-aaa]local-user HuaWei password cipher HCIE
- [SW3-aaa]local-user HuaWei service-type telnet
- [SW3-aaa]quit
- [SW3]user-interface vty 0 4
- [SW3-ui-vty0-4]authentication-mode aaa
- [SW3-ui-vty0-4]quit
- [SW4]vlan 199
- [SW4-vlan199]quit
- [SW4]interface vlanif 199
- [SW4-Vlanif199]ip address 192.168.199.4 24
- [SW4-Vlanif199]quit
- [SW4]aaa
- [SW4-aaa]local-user HuaWei password cipher HCIE
- [SW4-aaa]local-user HuaWei service-type telnet
- [SW4-aaa]quit
- [SW4]user-interface vty 0 4
- [SW4-ui-vty0-4]authentication-mode aaa
- [SW4-ui-vty0-4]quit
- [SW5]vlan 199
- [SW5-vlan199]quit
- [SW6]vlan 199
- [SW6-vlan199]quit
- [SW7]vlan 199
- [SW7-vlan199]quit
- [SW8]vlan 199
- [SW8-vlan199]quit
2) Configure gateway redundancy for VLAN 199, with SW5 as the master gateway and SW6 as the backup gateway
- [SW5]interface vlanif 199
- [SW5-Vlanif199]ip address 192.168.199.251 24
- [SW5-Vlanif199]vrrp vrid 199 virtual-ip 192.168.199.254
- [SW5-Vlanif199]vrrp vrid 199 priority 200
- [SW5-Vlanif199]quit
- [SW6]interface vlanif 199
- [SW6-Vlanif199]ip address 192.168.199.252 24
- [SW6-Vlanif199]vrrp vrid 199 virtual-ip 192.168.199.254
- [SW6-Vlanif199]quit
3) Add a default route on each switch pointing to the VLAN 199 virtual gateway
- [SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254
- [SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254
- [SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254
- [SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254
4) Advertise VLAN 199 in OSPF on SW5 and SW6 so that it is announced to R1 and R2
- [SW5]ospf 1
- [SW5-ospf-1]area 199
- [SW5-ospf-1-area-0.0.0.199]network 192.168.199.0 0.0.0.255
- [SW5-ospf-1-area-0.0.0.199]quit
- [SW6]ospf 1
- [SW6-ospf-1]area 199
- [SW6-ospf-1-area-0.0.0.199]network 192.168.199.0 0.0.0.255
- [SW6-ospf-1-area-0.0.0.199]quit
5) Adjust the OSPF cost on the border devices so that traffic to VLAN 199 prefers the path through SW5
- [R1]interface GigabitEthernet 0/0/2
- [R1-GigabitEthernet0/0/2]ospf cost 6
- [R1-GigabitEthernet0/0/2]quit
- [R2]interface GigabitEthernet 0/0/1
- [R2-GigabitEthernet0/0/1]ospf cost 6
- [R2-GigabitEthernet0/0/1]quit
6) Configure NAT Server on the border devices so that Internet hosts can log in remotely to the internal switches
- [R1]interface GigabitEthernet 0/0/0
- [R1-GigabitEthernet0/0/0]nat server protocol tcp global 100.1.1.100 2001 inside 192.168.199.1 23
- [R1-GigabitEthernet0/0/0]nat server protocol tcp global 100.1.1.100 2002 inside 192.168.199.2 23
- [R1-GigabitEthernet0/0/0]nat server protocol tcp global 100.1.1.100 2003 inside 192.168.199.3 23
- [R1-GigabitEthernet0/0/0]nat server protocol tcp global 100.1.1.100 2004 inside 192.168.199.4 23
- [R2]interface GigabitEthernet 0/0/0
- [R2-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.200 2001 inside 192.168.199.1 23
- [R2-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.200 2002 inside 192.168.199.2 23
- [R2-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.200 2003 inside 192.168.199.3 23
- [R2-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.200 2004 inside 192.168.199.4 23
7) Make sure that, among internal users, only PC2 can log in remotely to internal devices
- [DHCP-Server]ip pool VLAN20
- [DHCP-Server-ip-pool-VLAN20]static-bind ip-address 192.168.20.2 mac-address 5489-98F0-74FC # the trailing value is the PC's MAC address
- [SW1]acl 2000
- [SW1-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
- [SW1-acl-basic-2000]rule 20 permit source 110.1.1.11 0.0.0.0
- [SW1-acl-basic-2000]quit
- [SW1]user-interface vty 0 4
- [SW1-ui-vty0-4]acl 2000 inbound
- [SW1-ui-vty0-4]quit
- [SW1]
- [SW2]acl 2000
- [SW2-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
- [SW2-acl-basic-2000]rule 20 permit source 110.1.1.11 0.0.0.0
- [SW2-acl-basic-2000]quit
- [SW2]user-interface vty 0 4
- [SW2-ui-vty0-4]acl 2000 inbound
- [SW2-ui-vty0-4]quit
- [SW2]
- [SW3]acl 2000
- [SW3-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
- [SW3-acl-basic-2000]rule 20 permit source 110.1.1.11 0.0.0.0
- [SW3-acl-basic-2000]quit
- [SW3]user-interface vty 0 4
- [SW3-ui-vty0-4]acl 2000 inbound
- [SW3-ui-vty0-4]quit
- [SW3]
- [SW4]acl 2000
- [SW4-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
- [SW4-acl-basic-2000]rule 20 permit source 110.1.1.11 0.0.0.0
- [SW4-acl-basic-2000]quit
- [SW4]user-interface vty 0 4
- [SW4-ui-vty0-4]acl 2000 inbound
- [SW4-ui-vty0-4]quit
- [SW4]
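The two basic ACLs in this lab (ACL 2000 for NAT on R1/R2 in case 3, and ACL 2000 on the VTY lines in case 5) both depend on wildcard-mask semantics. The following added example, which is not part of the original lab material, models first-match evaluation in ascending rule-ID order and flags a host address paired with a network wildcard, a pattern that silently admits a whole subnet. The function names are hypothetical, the parser accepts only the `rule <id> permit|deny source ...` form used on this page, and what happens to unmatched traffic is left to the caller as `no-match`.

```python
import ipaddress

# Constructed inputs: the basic ACLs from the steps above, plus the host rule
# written with a /24 wildcard for comparison.
NAT_ACL = """rule 10 deny source 192.168.40.0 0.0.0.255
rule 20 permit source any"""
VTY_ACL_HOST = """rule 10 permit source 192.168.20.2 0.0.0.0
rule 20 permit source 110.1.1.11 0.0.0.0"""
VTY_ACL_WIDE = """rule 10 permit source 192.168.20.2 0.0.0.255
rule 20 permit source 110.1.1.11 0.0.0.0"""

ALL_ONES = 0xFFFFFFFF


def parse_acl(text):
    """Parse 'rule <id> permit|deny source <addr> <wildcard>|any' lines.

    Returns (rule_id, action, addr, wildcard) tuples sorted by rule ID.
    """
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "rule" or tok[3] != "source":
            raise ValueError(f"unsupported rule: {line!r}")
        if tok[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action: {line!r}")
        if tok[4] == "any":
            addr, wild = 0, ALL_ONES
        else:
            addr = int(ipaddress.IPv4Address(tok[4]))
            wild = int(ipaddress.IPv4Address(tok[5])) if len(tok) > 5 else 0
        rules.append((int(tok[1]), tok[2], addr, wild))
    return sorted(rules)


def evaluate(rules, src):
    """Return the action of the first rule matching src, else 'no-match'."""
    ip = int(ipaddress.IPv4Address(src))
    for _rule_id, action, addr, wild in rules:
        # Wildcard bit 1 = ignore this bit, 0 = bit must equal the rule address.
        if ((ip ^ addr) & ~wild & ALL_ONES) == 0:
            return action
    return "no-match"


def overbroad_host_rules(rules):
    """Rule IDs whose address has bits set where the wildcard says 'ignore'.

    That pattern (a host address paired with a network wildcard) usually means
    the author meant a single host but the rule matches the whole range.
    """
    return [rid for rid, _a, addr, wild in rules
            if wild != ALL_ONES and (addr & wild) != 0]


if __name__ == "__main__":
    for name, acl in (("host", VTY_ACL_HOST), ("wide", VTY_ACL_WIDE)):
        rules = parse_acl(acl)
        print(name, evaluate(rules, "192.168.20.77"), overbroad_host_rules(rules))
    print("finance via NAT ACL:", evaluate(parse_acl(NAT_ACL), "192.168.40.9"))
```

Running the same check over each switch's saved ACL 2000 before applying it to the VTY lines shows whether the rule admits only PC2 or every host in 192.168.20.0/24.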