Lab topology:

Lab requirements:

1. Create and name the VLANs as required by the topology, assign the ports to their VLANs, and enable the PortFast feature on the access ports.

Configure SW1:

hostname SW1
vlan 2
 name IT
vlan 3
 name HR
vlan 4
 name Sales
vlan 5
 name MK
vlan 6
 name SW1toR1
vlan 7
 name R1toSW1

Assign the ports to their VLANs:

interface gigabitEthernet 0/3
 switchport mode access
 switchport access vlan 6
 spanning-tree portfast

Configure SW2:

hostname SW2
vlan 2
 name IT
vlan 3
 name HR

Assign the ports to their VLANs:

interface range fastEthernet 0/3 - 4
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
interface range fastEthernet 0/5 - 6
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast

Configure SW3:

hostname SW3
vlan 4
 name Sales
vlan 5
 name MK

Assign the ports to their VLANs:

interface range fastEthernet 0/3 - 4
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
interface range fastEthernet 0/5 - 6
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast

2. Configure the trunk links SW1-SW2, SW1-SW3 and SW2-SW3, using dot1q encapsulation.

Configure SW1 (a Layer 3 switch, so the encapsulation must be set explicitly before the port can be made a trunk):

interface range gigabitEthernet 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface range gigabitEthernet 0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

Configure SW2:

interface range gigabitEthernet 0/1
 switchport mode trunk
interface range gigabitEthernet 0/2
 switchport mode trunk

Configure SW3:

interface range gigabitEthernet 0/1
 switchport mode trunk
interface range gigabitEthernet 0/2
 switchport mode trunk
interface fastEthernet 0/24
 switchport mode trunk

3. Configure the Spanning Tree Protocol (STP) on SW1 so that SW1 becomes the root bridge for VLAN 1 through VLAN 5.

Configure SW1:

spanning-tree vlan 1-5 root primary

4. Enable routing on SW1 and configure the SVI interfaces so that the hosts in every VLAN can communicate with each other.

Configure SW1:

hostname SW1

Enable routing:

ip routing

Configure the SVI interfaces:

interface vlan 2
 ip address 10.1.2.254 255.255.255.0
 no shutdown
interface vlan 3
 ip address 10.1.3.254 255.255.255.0
 no shutdown
interface vlan 4
 ip address 10.1.4.254 255.255.255.0
 no shutdown
interface vlan 5
 ip address 10.1.5.254 255.255.255.0
 no shutdown

5. Configure an IP address on the management VLAN (VLAN 1) of each switch and make sure the switches can be managed over telnet.

Configure SW1:

interface vlan 1
 ip address 10.1.1.254 255.255.255.0
 no shutdown
ip default-gateway 10.1.1.254

Note that SW1 has ip routing enabled (task 4), so ip default-gateway is ignored on it; a routing-enabled switch reaches remote networks through its routing table instead.

Configure SW2:

interface vlan 1
 ip address 10.1.1.253 255.255.255.0
 no shutdown
ip default-gateway 10.1.1.254

Configure SW3:

interface vlan 1
 ip address 10.1.1.252 255.255.255.0
 no shutdown
ip default-gateway 10.1.1.254

Configure the username, password and enable password needed for remote management on each switch:

username cisco secret cisco
enable secret cisco
line vty 0 15
 login local
line con 0
 login local

6. Connect R1 to the Internet so that the hosts in every VLAN can reach the Internet, using PAT (port address translation).

Configure R1:

hostname R1
username cisco secret cisco
enable secret cisco
line vty 0 15
 login local
line con 0
 login local

Configure the interface IP addresses and bring the interfaces up:

interface FastEthernet0/1
 ip address 10.1.7.253 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 202.101.1.1 255.255.255.248
 no shutdown

Configure an ACL that defines the traffic allowed to be translated:

ip access-list extended nat
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
 permit ip 10.1.4.0 0.0.0.255 any
 permit ip 10.1.5.0 0.0.0.255 any
 permit ip 10.1.6.0 0.0.0.255 any

Bind the ACL to the outside interface (overload enables PAT):

ip nat inside source list nat interface FastEthernet0/0 overload

Designate the inside and outside interfaces:

interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside

Configure the default route to the Internet:

ip route 0.0.0.0 0.0.0.0 202.101.1.6

Configure a static route to each internal VLAN:

ip route 10.1.1.0 255.255.255.0 10.1.7.254
ip route 10.1.2.0 255.255.255.0 10.1.7.254
ip route 10.1.3.0 255.255.255.0 10.1.7.254
ip route 10.1.4.0 255.255.255.0 10.1.7.254
ip route 10.1.5.0 255.255.255.0 10.1.7.254

7. Configure SW4 at the Shanghai branch: create the VLANs according to the topology, assign the ports to their VLANs and enable the PortFast feature.

Configure SW4:

Create and name the VLANs:

vlan 2
 name QA
vlan 3
 name Support

Assign the ports to their VLANs:

interface range fastEthernet 0/2 - 10
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
interface range fastEthernet 0/11 - 24
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast

8. Router-on-a-stick: configure R2 and SW4 so that VLAN 2 and VLAN 3 can communicate with each other.

Configure SW4:

interface fastEthernet 0/1
 description ###Connect to R1###
 switchport mode trunk

Configure R2 (one dot1q subinterface per VLAN, each acting as that VLAN's gateway):

interface fastEthernet 0/1
 no shutdown
interface FastEthernet0/1.2
 description ###FOR VLAN2###
 encapsulation dot1Q 2
 ip address 10.2.2.126 255.255.255.128
interface FastEthernet0/1.3
 description ###FOR VLAN3###
 encapsulation dot1Q 3
 ip address 10.2.2.254 255.255.255.128

9. Configure network management on SW4 so that SW4 can be managed over telnet or SSH.

Configure SW4:

Configure the IP address:

interface vlan 1
 no shutdown
interface vlan 2
 ip address 10.2.2.125 255.255.255.128
 no shutdown
ip default-gateway 10.2.2.126

Configure SSH (a domain name is required before the RSA key pair can be generated):

ip domain-name xmws.cn
crypto key generate rsa

Configure the username and password, and enable local authentication:

username cisco secret cisco
enable secret cisco
line vty 0 15
 login local
 transport input telnet ssh

10. Connect R2 to the Internet so that the hosts in VLAN 2 and VLAN 3 can reach the Internet, using PAT (port address translation).

Configure R2:

hostname R2
username cisco secret cisco
enable secret cisco
line vty 0 15
 login local
line con 0
 login local

Configure the interface IP address and bring the interface up:

interface FastEthernet0/0
 description ###Connect to Internet###
 ip address 202.100.1.1 255.255.255.248
 no shutdown

Configure an ACL that defines the traffic allowed to be translated:

ip access-list extended nat
 permit ip 10.2.2.0 0.0.0.127 any
 permit ip 10.2.2.128 0.0.0.127 any

Bind the ACL to the outside interface (overload enables PAT):

ip nat inside source list nat interface FastEthernet0/0 overload

Designate the inside and outside interfaces:

interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1.2
 ip nat inside
interface FastEthernet0/1.3
 ip nat inside

Configure R2's default route to the Internet:

ip route 0.0.0.0 0.0.0.0 202.100.1.6

11. Configure an IPsec VPN on R1 and R2 so that the headquarters and the branch communicate securely over the VPN.

The 3DES, MD5 and DH group 2 parameters used below are the legacy settings of this lab; current practice is AES with a SHA-2 hash and a stronger DH group.

Configure R1:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip access-list extended vpn
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.4.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.5.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.6.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set myset
 match address vpn
interface FastEthernet0/0
 crypto map mymap

Change the NAT configuration on R1 so that VPN traffic is not translated (the sequence number 5 places the deny before the existing permit entries, which start at 10):

ip access-list extended nat
 5 deny ip 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255

Configure R2:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip access-list extended vpn
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.3.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.4.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.5.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.6.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.1.1
 set transform-set myset
 match address vpn
interface FastEthernet0/0
 crypto map mymap

Change the NAT configuration on R2 so that VPN traffic is not translated:

ip access-list extended nat
 5 deny ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
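The PAT ACLs of tasks 6 and 10 and the NAT exemption of task 11 depend on IOS evaluating ACL entries in sequence order, first match wins, with an implicit deny at the end. The following Python evaluator is an added example, not part of the original lab; it models that behaviour for R1's ACLs exactly as given on the page and assumes contiguous wildcard masks (the only kind used here) and the IOS convention of numbering unnumbered entries 10, 20, 30 and so on.

```python
import ipaddress

def _take_addr(tok, i):
    """Consume one IOS address spec: 'any' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # IOS wildcard bits set to 1 are "don't care": invert to a netmask (contiguous masks only)
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2

def parse_acl(lines):
    """Parse extended ACL entries into (seq, action, src, dst); unnumbered entries get 10, 20, ... as IOS does."""
    aces, next_seq = [], 10
    for line in lines:
        tok = line.split()
        if tok[0].isdigit():
            seq, tok = int(tok[0]), tok[1:]
        else:
            seq, next_seq = next_seq, next_seq + 10
        src, i = _take_addr(tok, 2)          # tok[1] is the protocol; only 'ip' appears on this page
        dst, _ = _take_addr(tok, i)
        aces.append((seq, tok[0], src, dst))
    return sorted(aces, key=lambda a: a[0])  # lower sequence numbers are evaluated first

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def vpn_flows_still_natted(nat_acl, vpn_acl):
    """Sample one host pair per crypto-ACL permit; return the pairs the NAT ACL would still translate."""
    leaks = []
    for _seq, action, src_net, dst_net in vpn_acl:
        if action == "permit":
            s, d = next(src_net.hosts()), next(dst_net.hosts())
            if evaluate(nat_acl, str(s), str(d)) == "permit":
                leaks.append((str(s), str(d)))
    return leaks

# R1's ACLs as given on the page; NAT_FIXED adds the sequence-5 deny from task 11
VPN_R1 = parse_acl([f"permit ip 10.1.{v}.0 0.0.0.255 10.2.2.0 0.0.0.255" for v in range(1, 7)])
NAT_R1 = parse_acl([f"permit ip 10.1.{v}.0 0.0.0.255 any" for v in range(1, 7)])
NAT_FIXED = parse_acl(["5 deny ip 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255"]
                      + [f"permit ip 10.1.{v}.0 0.0.0.255 any" for v in range(1, 7)])

if __name__ == "__main__":
    print("tunnel flows still NATed before the deny:", vpn_flows_still_natted(NAT_R1, VPN_R1))
    print("tunnel flows still NATed after the deny: ", vpn_flows_still_natted(NAT_FIXED, VPN_R1))
```

Without the sequence-5 entry every tunnel flow is reported as leaking; with it the list is empty while Internet-bound traffic from the same VLANs is still permitted for translation.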

12. Save the configuration of every device to NVRAM, and back up each device's configuration to your PC with copy startup-config tftp.

- Command to save the configuration: copy running-config startup-config, or write memory.
- Make sure a TFTP server is running on your PC; TFTP server software such as Cisco TFTP or tftp32 can be installed.
- Run copy startup-config tftp and confirm that the backup succeeds.


Author: 微思郭仔