Cisco CCNA Training: CCNA Enterprise Network Integrated Project Lab
Document provided by: 乾颐堂 (QYT) CCIE instructor 达叔 (Da Shu)
Just finished CCNA and itching to get your hands on a real build? Here you go, this one is for you.
Topology (the diagram is not reproduced in this text version; device names and interfaces are as used in the configurations below):
Business overview:
Headquarters
The switches run standard (non-rapid) spanning tree, i.e. the default per-VLAN PVST+;
SW1 is the root for the 10.1.100.0/24 and 10.1.200.0/24 segments, SW2 the backup root;
SW2 is the root for the 10.1.101.0/24 segment, SW1 the backup root;
PortFast is deployed on the ports connecting to end hosts;
Four VLANs are created: two for departments, one for the server cluster, and one for the SVI interconnect;
SW1 is the VTP server and the other two switches are VTP clients; the VTP domain is QCNA and the password is qytang.com;
The two core switches are connected by a Layer 2 EtherChannel and use HSRP to provide transparent gateway redundancy for the downstream business segments;
The two core switches interconnect at Layer 3 over an SVI, and connect to the gateway router (R1) at Layer 3 over physical (routed) ports;
The gateway router is the DHCP server and the core switches are DHCP relay agents; DHCP assigns Server1 the fixed address 10.1.200.100/24;
OSPF runs between the core switches and the gateway router; each device gets a loopback (10.1.255.X/32) as its OSPF router-id, and the gateway router originates a default route into the domain;
The gateway router connects to the ISP leased line on S1/0 and authenticates to the ISP with CHAP using username HQ and password cisco;
The gateway router also connects to the ISP on e0/0 using PPPoE, again authenticating with CHAP using username HQ and password cisco;
The gateway router performs NAT to give private hosts Internet access;
Floating static routes are deployed over the two Internet-facing interfaces, with the PPPoE link as the primary path;
Branch
The switch runs standard spanning tree with PortFast on the ports connecting to end hosts;
Two VLANs are created, one per department;
The gateway router performs router-on-a-stick routing for the two departments;
The gateway router performs NAT to give private hosts Internet access;
The branch connects to the ISP over a leased line;
Overall plan
Build a simple VPN between HQ and the branch with GRE tunnels, with redundancy that follows the floating static routes (two tunnels);
Allow HQ's 10.1.100.0/24 segment to reach Server 2 over the VPN;
Deny HQ's 10.1.101.0/24 segment access to Server 2 over the VPN;
Allow the branch's 10.2.100.0/24 segment to reach Server 1's web service over the VPN;
Deny the branch's 10.2.100.0/24 segment access to all other services on Server 1;
Run OSPF between the HQ and branch gateway routers over the GRE tunnels.
Hands-on deployment:
Configure trunks on the HQ switches
SW1(config)#interface range e0/3,e1/2-3
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW2(config)#interface range e1/0,e1/2-3
SW2(config-if-range)# switchport trunk encapsulation dot1q
SW2(config-if-range)# switchport mode trunk
SW3(config)#interface range e0/3,e1/0
SW3(config-if-range)# switchport trunk encapsulation dot1q
SW3(config-if-range)# switchport mode trunk
Configure the EtherChannel between the HQ core switches (the member ports are shut down first so that no loop forms while the bundle is being built; channel-group mode on bundles unconditionally, without LACP or PAgP negotiation)
SW1(config)#interface range e1/2-3
SW1(config-if-range)#shutdown
SW2(config)#interface range e1/2-3
SW2(config-if-range)#shutdown
SW1(config-if-range)#channel-group 12 mode on
Creating a port-channel interface Port-channel 12
SW2(config-if-range)#channel-group 12 mode on
Creating a port-channel interface Port-channel 12
SW1(config-if-range)#no shutdown
SW2(config-if-range)#no shutdown
Verification (shown on SW1; run the same checks on SW2 and SW3):
SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Et0/3       on           802.1q         trunking      1
Po12        on           802.1q         trunking      1

Port        Vlans allowed on trunk
Et0/3       1-4094
Po12        1-4094

Port        Vlans allowed and active in management domain
Et0/3       1
Po12        1

Port        Vlans in spanning tree forwarding state and not pruned
Et0/3       1
Po12        1
SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)         -        Et1/2(P)    Et1/3(P)
Configure VTP on the HQ switches
The domain password is mixed into the MD5 digest shown by show vtp status, so a switch that does not know it cannot inject VLAN updates into the domain. It does not protect against a switch that does know it and carries a higher configuration revision: such a switch overwrites the whole VLAN database, so check the revision number of any switch before connecting it to a trunk in this domain.
SW1(config)#vtp mode server
Device mode already VTP Server for VLANS.
SW1(config)#vtp password qytang.com
Setting device VTP password to qytang.com
SW1(config)#vtp domain QCNA
Changing VTP domain name from NULL to QCNA
*Oct 22 07:23:21.865: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to QCNA.
SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#vtp password qytang.com
Setting device VTP password to qytang.com
SW3(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW3(config)#vtp password qytang.com
Setting device VTP password to qytang.com
Create the VLANs (on the VTP server only; the clients learn them through VTP):
SW1(config)#vlan 100
SW1(config-vlan)#vlan 101
SW1(config-vlan)#vlan 200
SW1(config-vlan)#vlan 12
// Here: vlan 100 serves the 10.1.100.0/24 segment; vlan 101 serves 10.1.101.0/24; vlan 200 serves 10.1.200.0/24; vlan 12 serves the interconnect between SW1 and SW2 //
Verification:
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : QCNA
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.4000
Configuration last modified by 0.0.0.0 at 10-22-18 07:33:56
Local updater ID is 0.0.0.0 (no valid interface found)
Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
Configuration Revision : 4
MD5 digest : 0x21 0x09 0xA2 0xA4 0xEF 0xEE 0xBF 0xFE
0xE0 0xC8 0xA3 0x0A 0x5B 0x83 0x28 0xE1
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : QCNA
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.5000
Configuration last modified by 0.0.0.0 at 10-22-18 07:33:56
Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
Configuration Revision : 4
MD5 digest : 0x21 0x09 0xA2 0xA4 0xEF 0xEE 0xBF 0xFE
0xE0 0xC8 0xA3 0x0A 0x5B 0x83 0x28 0xE1
SW3#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : QCNA
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.6000
Configuration last modified by 0.0.0.0 at 10-22-18 07:33:56
Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
Configuration Revision : 4
MD5 digest : 0x21 0x09 0xA2 0xA4 0xEF 0xEE 0xBF 0xFE
0xE0 0xC8 0xA3 0x0A 0x5B 0x83 0x28 0xE1
Configure spanning tree:
Priorities must be multiples of 4096 and 0 is the most preferred value, so SW1 wins the root election for VLANs 100 and 200 and SW2 for VLAN 101. spanning-tree portfast default enables PortFast on every non-trunking port, hence the warning IOS prints below; on production switches pair it with BPDU Guard so that a switch plugged into an access port is err-disabled instead of joining the topology.
SW1(config)#spanning-tree vlan 100,200 priority 0
SW1(config)#spanning-tree vlan 101 priority 4096
SW2(config)#spanning-tree vlan 100,200 priority 4096
SW2(config)#spanning-tree vlan 101 priority 0
SW1(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
SW2(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
SW3(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
Assign ports to VLANs:
Bring up e0/0 on PC1, PC2 and Server1, then use CDP on the switch to discover which port each host is connected to;
SW3#show cdp neighbors    // check the CDP neighbors on the access switch and assign ports to VLANs accordingly
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Server1          Eth 0/2           135             R       Linux Uni Eth 0/0
PC2              Eth 0/1           173             R       Linux Uni Eth 0/0
PC1              Eth 0/0           158             R       Linux Uni Eth 0/0
SW1              Eth 0/3           169            R S I    Linux Uni Eth 0/3
SW2              Eth 1/0           154            R S I    Linux Uni Eth 1/0

Total cdp entries displayed : 5
SW3(config)#interface range e0/0-2
SW3(config-if-range)#switchport mode access
SW3(config-if-range)#interface e0/0
SW3(config-if)#switchport access vlan 100
SW3(config-if)#interface e0/1
SW3(config-if)#switchport access vlan 101
SW3(config-if)#interface e0/2
SW3(config-if)#switchport access vlan 200
Verification:
SW3#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/1, Et1/2, Et1/3
12   VLAN0012                         active
100  VLAN0100                         active    Et0/0
101  VLAN0101                         active    Et0/1
200  VLAN0200                         active    Et0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Configure the Layer 3 interconnect between the core switches (SVI in VLAN 12)
SW1(config)#interface vlan 12
SW1(config-if)#ip address 10.1.112.1 255.255.255.0
SW1(config-if)#no shutdown
SW2(config)#interface vlan 12
SW2(config-if)#ip address 10.1.112.2 255.255.255.0
SW2(config-if)#no shutdown
Verification and test (the first echo is lost while ARP resolves the neighbor, which is normal on a fresh link):
SW2#show ip interface brief vlan12
Interface IP-Address OK? Method Status Protocol
Vlan12 10.1.112.2 YES manual up up
SW2#ping 10.1.112.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.112.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Configure the interconnects between the core switches and the gateway router (no switchport turns the core ports into routed ports):
R1(config)#interface e0/1
R1(config-if)#ip address 10.1.11.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface e0/2
R1(config-if)#ip address 10.1.12.1 255.255.255.0
R1(config-if)#no shutdown
SW1(config)#interface e0/1
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.1.11.2 255.255.255.0
SW2(config)#interface e0/2
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.1.12.2 255.255.255.0
Test:
R1#ping 10.1.11.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Create SVIs on the core switches to serve the business segments:
SW1(config-if)#interface vlan 100
SW1(config-if)#ip address 10.1.100.252 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#interface vlan 101
SW1(config-if)#ip address 10.1.101.252 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#interface vlan 200
SW1(config-if)#ip address 10.1.200.252 255.255.255.0
SW1(config-if)#no shutdown
SW2(config-if)#interface vlan 100
SW2(config-if)#ip address 10.1.100.253 255.255.255.0
SW2(config-if)#no shutdown
SW2(config-if)#interface vlan 101
SW2(config-if)#ip address 10.1.101.253 255.255.255.0
SW2(config-if)#no shutdown
SW2(config-if)#interface vlan 200
SW2(config-if)#ip address 10.1.200.253 255.255.255.0
SW2(config-if)#no shutdown
Verification:
SW1#show ip interface brief | include Vlan
Vlan12 10.1.112.1 YES manual up up
Vlan100 10.1.100.252 YES manual up up
Vlan101 10.1.101.252 YES manual up up
Vlan200 10.1.200.252 YES manual up up
SW2#show ip interface brief | include Vlan
Vlan12 10.1.112.2 YES manual up up
Vlan100 10.1.100.253 YES manual up up
Vlan101 10.1.101.253 YES manual up up
Vlan200 10.1.200.253 YES manual up up
Configure OSPF at HQ
OSPF is enabled per interface with ip ospf 110 area 0. R1's loopback is included because 10.1.255.1 later serves as the DHCP server address the relays point to; the loopbacks of SW1 and SW2 are not enabled for OSPF and only supply the router-id. The host-facing SVIs are made passive so that no OSPF adjacency can be formed from a user VLAN.
R1(config)#interface loopback 0
R1(config-if)#ip address 10.1.255.1 255.255.255.255
R1(config-if)#ip ospf 110 area 0
R1(config)#interface e0/1
R1(config-if)#ip ospf 110 area 0
R1(config-if)#interface e0/2
R1(config-if)#ip ospf 110 area 0
R1(config)#router ospf 110
R1(config-router)#default-information originate    // the effect of this command only shows once Internet access is configured: without the always keyword, OSPF originates the default only while a default route exists in R1's routing table //
SW1(config)#interface loopback 0
SW1(config-if)#ip address 10.1.255.11 255.255.255.255
SW1(config-if)#interface e0/1
SW1(config-if)#ip ospf 110 area 0
SW1(config-if)#interface vlan 12
SW1(config-if)#ip ospf 110 area 0
SW1(config-if)#interface vlan 100
SW1(config-if)#ip ospf 110 area 0
SW1(config-if)#interface vlan 101
SW1(config-if)#ip ospf 110 area 0
SW1(config-if)#interface vlan 200
SW1(config-if)#ip ospf 110 area 0
SW2(config)#interface loopback 0
SW2(config-if)#ip address 10.1.255.22 255.255.255.255
SW2(config-if)#interface e0/2
SW2(config-if)#ip ospf 110 area 0
SW2(config-if)#interface vlan 100
SW2(config-if)#ip ospf 110 area 0
SW2(config-if)#interface vlan 101
SW2(config-if)#ip ospf 110 area 0
SW2(config-if)#interface vlan 200
SW2(config-if)#ip ospf 110 area 0
SW2(config-if)#interface vlan 12
SW2(config-if)#ip ospf 110 area 0
SW1(config)#router ospf 110
SW1(config-router)#passive-interface vlan 100
SW1(config-router)#passive-interface vlan 101
SW1(config-router)#passive-interface vlan 200
SW2(config)#router ospf 110
SW2(config-router)#passive-interface vlan 100
SW2(config-router)#passive-interface vlan 101
SW2(config-router)#passive-interface vlan 200
Verification:
R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.255.22       1   FULL/DR         00:00:38    10.1.12.2       Ethernet0/2
10.1.255.11       1   FULL/DR         00:00:37    10.1.11.2       Ethernet0/1
R1#show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O        10.1.100.0/24 [110/11] via 10.1.12.2, 00:09:39, Ethernet0/2
                       [110/11] via 10.1.11.2, 00:11:04, Ethernet0/1
O        10.1.101.0/24 [110/11] via 10.1.12.2, 00:09:29, Ethernet0/2
                       [110/11] via 10.1.11.2, 00:10:03, Ethernet0/1
O        10.1.112.0/24 [110/11] via 10.1.12.2, 00:10:54, Ethernet0/2
                       [110/11] via 10.1.11.2, 00:11:04, Ethernet0/1
O        10.1.200.0/24 [110/11] via 10.1.12.2, 00:09:29, Ethernet0/2
                       [110/11] via 10.1.11.2, 00:10:03, Ethernet0/1
Configure the gateway redundancy protocol: HSRP
SW1(config)#interface vlan 100
SW1(config-if)#standby 100 ip 10.1.100.254
SW1(config-if)#standby 100 priority 200
SW1(config)#interface vlan 101
SW1(config-if)#standby 101 ip 10.1.101.254
SW1(config-if)#standby 101 priority 150
SW1(config)#interface vlan 200
SW1(config-if)#standby 200 ip 10.1.200.254
SW2(config)#interface vlan 100
SW2(config-if)#standby 100 ip 10.1.100.254
SW2(config-if)#standby 100 priority 150
SW2(config)#interface vlan 101
SW2(config-if)#standby 101 ip 10.1.101.254
SW2(config-if)#standby 101 priority 200
SW2(config)#interface vlan 200
SW2(config-if)#standby 200 ip 10.1.200.254
Verification:
No priority was set for group 200, so the two switches tie at the default of 100 and whichever brought the SVI up first became Active (SW2 here), even though SW1 is the STP root for VLAN 200. No group has preempt enabled either, so after a failure and recovery the higher-priority switch will not take the Active role back.
SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl100       100  200   Active  local           10.1.100.253    10.1.100.254
Vl101       101  150   Standby 10.1.101.253    local           10.1.101.254
Vl200       200  100   Standby 10.1.200.253    local           10.1.200.254
SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl100       100  150   Standby 10.1.100.252    local           10.1.100.254
Vl101       101  200   Active  local           10.1.101.252    10.1.101.254
Vl200       200  100   Active  local           10.1.200.252    10.1.200.254
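Added example, not part of the original lab: a Python script that parses the two show standby brief outputs above and audits them against the intended design. The intended Active switch per group (SW1 for groups 100 and 200, SW2 for group 101, mirroring the STP root placement in the requirements) is an assumption supplied to the script, not something the switches report; the sample outputs are transcribed from this page. On the page's own output it flags the group 200 tie and the missing preempt on every group.

```python
"""Audit 'show standby brief' output from the two HQ core switches.

Added example, not part of the original lab. The intended Active router per
group (assumption taken from the STP root design: SW1 for VLANs 100 and 200,
SW2 for VLAN 101) is not something the switches know; it is supplied here.
The sample outputs are transcribed from the lab's verification step.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two 'show standby brief' outputs from the lab.
SW1_BRIEF = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl100       100  200   Active  local           10.1.100.253    10.1.100.254
Vl101       101  150   Standby 10.1.101.253    local           10.1.101.254
Vl200       200  100   Standby 10.1.200.253    local           10.1.200.254
"""
SW2_BRIEF = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl100       100  150   Standby 10.1.100.252    local           10.1.100.254
Vl101       101  200   Active  local           10.1.101.252    10.1.101.254
Vl200       200  100   Active  local           10.1.200.252    10.1.200.254
"""

# Assumption: the Active gateway should sit on the STP root for that VLAN.
INTENDED_ACTIVE = {100: "SW1", 101: "SW2", 200: "SW1"}

# One data row: interface, group, priority, optional 'P' (preempt), state,
# active address, standby address, virtual IP. Header lines do not match.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?P<preempt>P?)\s*"
    r"(?P<state>Active|Standby|Speak|Listen|Learn|Init)\s+"
    r"(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)$"
)


@dataclass(frozen=True)
class HsrpRow:
    switch: str
    interface: str
    group: int
    priority: int
    preempt: bool
    state: str
    active: str
    standby: str
    vip: str


def parse_standby_brief(switch: str, text: str) -> list[HsrpRow]:
    """Parse the data rows of 'show standby brief' for one switch."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(HsrpRow(switch, m["intf"], int(m["grp"]), int(m["pri"]),
                                m["preempt"] == "P", m["state"], m["active"],
                                m["standby"], m["vip"]))
    return rows


def audit_hsrp(rows: list[HsrpRow], intended: dict[int, str]) -> list[str]:
    """Return human-readable findings; an empty list means the design holds."""
    findings: list[str] = []
    groups: dict[int, list[HsrpRow]] = {}
    for r in rows:
        groups.setdefault(r.group, []).append(r)
    for grp, members in sorted(groups.items()):
        actives = [r.switch for r in members if r.state == "Active"]
        if len(actives) != 1:
            # Two Actives means the peers cannot hear each other (split brain).
            findings.append(f"group {grp}: expected one Active router, saw {actives}")
            continue
        if intended.get(grp) and actives[0] != intended[grp]:
            findings.append(f"group {grp}: Active is {actives[0]}, design wants {intended[grp]}")
        prios = {r.switch: r.priority for r in members}
        if len(set(prios.values())) < len(prios):
            findings.append(f"group {grp}: priority tie {prios}; the Active role depends on boot order")
        if not all(r.preempt for r in members):
            findings.append(f"group {grp}: preempt not configured; the preferred router will not reclaim Active after it recovers")
        if len({r.vip for r in members}) != 1:
            findings.append(f"group {grp}: virtual IP mismatch between peers")
    return findings


def lab_findings() -> list[str]:
    """Audit the page's own outputs."""
    rows = parse_standby_brief("SW1", SW1_BRIEF) + parse_standby_brief("SW2", SW2_BRIEF)
    return audit_hsrp(rows, INTENDED_ACTIVE)


if __name__ == "__main__":
    for finding in lab_findings():
        print(finding)
```

The same parser works on live output pasted from the switches; the only lab-specific part is INTENDED_ACTIVE, which encodes the decision that the Active gateway and the STP root for a VLAN should be the same switch so that user traffic does not cross the EtherChannel twice.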
Configure DHCP:
The client-identifier 01aabb.cc00.b000 is the one-byte hardware type (01 = Ethernet) followed by Server1's MAC address, which is exactly what Server1 sends once it is configured with ip address dhcp client-id e0/0; the host entry binds that identifier to 10.1.200.100.
R1(config)#ip dhcp pool vlan100
R1(dhcp-config)#network 10.1.100.0 /24
R1(dhcp-config)#default-router 10.1.100.254
R1(dhcp-config)#ip dhcp pool vlan101
R1(dhcp-config)#network 10.1.101.0 /24
R1(dhcp-config)#default-router 10.1.101.254
R1(dhcp-config)#ip dhcp pool vlan200
R1(dhcp-config)#host 10.1.200.100 /24
R1(dhcp-config)#default-router 10.1.200.254
R1(dhcp-config)#client-identifier 01aabb.cc00.b000
Configure DHCP relay (the helper address is R1's loopback 10.1.255.1, which is reachable because that loopback is advertised in OSPF)
SW1(config)#interface vlan 100
SW1(config-if)#ip helper-address 10.1.255.1
SW1(config-if)#interface vlan 101
SW1(config-if)#ip helper-address 10.1.255.1
SW1(config-if)#interface vlan 200
SW1(config-if)#ip helper-address 10.1.255.1
SW2(config)#interface vlan 100
SW2(config-if)#ip helper-address 10.1.255.1
SW2(config-if)#interface vlan 101
SW2(config-if)#ip helper-address 10.1.255.1
SW2(config-if)#interface vlan 200
SW2(config-if)#ip helper-address 10.1.255.1
Configure the clients
PC1(config)#interface e0/0
PC1(config-if)#ip address dhcp
PC2(config)#interface e0/0
PC2(config-if)#ip address dhcp
Server1(config)#interface e0/0
Server1(config-if)#ip address dhcp client-id e0/0
*Oct 22 08:54:01.377: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.1.200.100, mask 255.255.255.0, hostname Server1
Now the configuration of the Internet (ISP) device (students need not study it; just apply it as given):
Internet(config)#username HQ password cisco
Internet(config)#interface s1/0
Internet(config-if)#encapsulation ppp
Internet(config-if)#ip address 202.100.1.254 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#ppp authentication chap
Internet(config)#interface loopback 0
Internet(config-if)#ip address 1.2.3.4 255.255.255.255
Internet(config)#interface e0/1
Internet(config-if)#ip address 61.128.1.254 255.255.255.0
Internet(config-if)#no shutdown
Internet(config)#ip local pool HQ_PPPoE 123.45.67.1
Internet(config)#bba-group pppoe HQ
Internet(config-bba-group)#virtual-template 1
Internet(config-bba-group)#interface e0/0
Internet(config-if)#no shutdown
Internet(config-if)#pppoe enable group HQ
Internet(config-if)#exit
Internet(config)#interface virtual-template 1
Internet(config-if)#mtu 1492
Internet(config-if)#ip address 123.45.67.254 255.255.255.0
Internet(config-if)#peer default ip address pool HQ_PPPoE
Internet(config-if)#end
Internet#
Internet access on R1
S1/0 link
R1(config)#interface s1/0
R1(config-if)#encapsulation ppp
R1(config-if)#ip address 202.100.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#ppp chap hostname HQ
R1(config-if)#ppp chap password cisco
R1(config-if)#end
Verification (the ISP end of the serial link holds 202.100.1.254, so R1 takes 202.100.1.1; this is the address the branch's second GRE tunnel points at later):
R1#show ip interface brief s1/0
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/0                  202.100.1.1     YES manual up                    up
PPPoE on the e0/0 link
R1(config)#interface e0/0
R1(config-if)#no shutdown
R1(config-if)# pppoe enable group global
R1(config-if)# pppoe-client dial-pool-number 1
R1(config-if)#exit
R1(config)#interface Dialer1
R1(config-if)# mtu 1492
R1(config-if)# ip address negotiated
R1(config-if)# encapsulation ppp
R1(config-if)# dialer pool 1
R1(config-if)# dialer-group 1
R1(config-if)# ppp chap hostname HQ
R1(config-if)# ppp chap password cisco
R1(config-if)#end
Verification:
R1#show pppoe session
     1 client session

Uniq ID  PPPoE  RemMAC          Port                    VT  VA         State
           SID  LocMAC                                      VA-st      Type
    N/A      1  aabb.cc00.2000  Et0/0                   Di1 Vi2        UP
                aabb.cc00.1000                              UP
R1#show ip interface brief dialer 1
Interface                  IP-Address      OK? Method Status                Protocol
Dialer1                    123.45.67.1     YES IPCP   up                    up
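The CHAP exchange that both the serial link and the PPPoE session perform, as an added example written for this page (it is neither the lab's own code nor IOS's implementation): both sides are simulated in Python following RFC 1994, with the username HQ and password cisco taken from the page, while the identifier, the challenge bytes and the small wordlist at the end are constructed here. The last function shows why the shared secret still matters even though it never crosses the wire: one captured Challenge/Response pair is enough to test guesses offline.

```python
"""PPP CHAP (RFC 1994) as negotiated on the lab's S1/0 and PPPoE links.

Added example, not part of the original lab: both ends of the exchange are
simulated so the Response computation is visible. Username HQ and password
cisco are the page's values; the identifier, the challenge bytes and the
wordlist used at the end are constructed here.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    identifier: int   # 1-byte Identifier, echoed back in the Response
    value: bytes      # random Challenge Value chosen by the authenticator
    name: str         # authenticator's name (the ISP router's hostname)


@dataclass(frozen=True)
class Response:
    identifier: int
    value: bytes      # 16-byte MD5 digest
    name: str         # peer's name: 'ppp chap hostname HQ'


def chap_digest(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Authenticator:
    """ISP side: 'username HQ password cisco' plus 'ppp authentication chap'."""

    def __init__(self, name: str, users: dict[str, str]) -> None:
        self.name = name
        self.users = users
        self._outstanding: dict[int, bytes] = {}

    def challenge(self, identifier: int | None = None) -> Challenge:
        ident = os.urandom(1)[0] if identifier is None else identifier
        value = os.urandom(16)
        self._outstanding[ident] = value
        return Challenge(ident, value, self.name)

    def verify(self, resp: Response) -> bool:
        """Success only if the Response matches an outstanding Challenge for a known user."""
        chal = self._outstanding.pop(resp.identifier, None)   # each challenge is single-use
        secret = self.users.get(resp.name)
        if chal is None or secret is None:
            return False
        expected = chap_digest(resp.identifier, secret, chal)
        return hmac.compare_digest(expected, resp.value)


class Peer:
    """Customer side: 'ppp chap hostname HQ' and 'ppp chap password cisco'."""

    def __init__(self, hostname: str, password: str) -> None:
        self.hostname = hostname
        self.password = password

    def respond(self, chal: Challenge) -> Response:
        digest = chap_digest(chal.identifier, self.password, chal.value)
        return Response(chal.identifier, digest, self.hostname)


def run_exchange(peer_name: str = "HQ", peer_password: str = "cisco") -> bool:
    """One Challenge/Response round between the lab's Internet router and R1."""
    isp = Authenticator("Internet", {"HQ": "cisco"})
    r1 = Peer(peer_name, peer_password)
    return isp.verify(r1.respond(isp.challenge()))


def offline_guess(chal: Challenge, resp: Response, wordlist: list[str]) -> str | None:
    """What an on-path observer of one Challenge/Response pair can do: the secret
    never crosses the wire, but a guessable one is recovered with no further
    interaction, which is why 'cisco' is only acceptable in a lab."""
    for guess in wordlist:
        if chap_digest(resp.identifier, guess, chal.value) == resp.value:
            return guess
    return None


if __name__ == "__main__":
    print("CHAP with the configured secret:", run_exchange())
    print("CHAP with a wrong secret:", run_exchange(peer_password="Cisco"))
    isp = Authenticator("Internet", {"HQ": "cisco"})
    chal = isp.challenge(identifier=1)
    resp = Peer("HQ", "cisco").respond(chal)
    print("offline guess from one captured pair:",
          offline_guess(chal, resp, ["admin", "password", "cisco"]))
```

The Authenticator looks the peer up by the name carried in the Response, which is why the ppp chap hostname HQ on R1 has to match the username line on the ISP router, and why a challenge is consumed on first use: a replayed Response with the same identifier is rejected.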
Deploy NAT for the two exits
With two outside interfaces, a plain ip nat inside source list cannot tell which public address a flow should be translated to. Each route-map therefore matches both the inside ACL and the egress interface, so a flow leaving via Dialer1 is translated to the PPPoE address and a flow leaving via S1/0 to the serial address.
R1(config)#interface dialer 1
R1(config-if)#ip nat outside
R1(config-if)#interface s1/0
R1(config-if)#ip nat outside
R1(config-if)#interface e0/1
R1(config-if)#ip nat inside
R1(config-if)#interface e0/2
R1(config-if)#ip nat inside
R1(config)#ip access-list standard nat
R1(config-std-nacl)#permit 10.1.0.0 0.0.255.255
R1(config)#route-map PPPoE permit
R1(config-route-map)#match ip address nat
R1(config-route-map)#match interface dialer 1
R1(config)#route-map S1/0 permit
R1(config-route-map)#match ip address nat
R1(config-route-map)#match interface s1/0
R1(config)#ip nat inside source route-map PPPoE interface dialer 1 overload
R1(config)#ip nat inside source route-map S1/0 interface s1/0 overload
Verify the deployment:
R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
Serial1/0, Dialer1, Virtual-Access2
Inside interfaces:
Ethernet0/1, Ethernet0/2
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] route-map PPPoE interface Dialer1 refcount 0
[Id: 3] route-map S1/0 interface Serial1/0 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Deploy the floating static routes (the route via S1/0 carries administrative distance 5, so it only enters the routing table when the Dialer1 route disappears):
R1(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
R1(config)#ip route 0.0.0.0 0.0.0.0 s1/0 5
Verification:
R1#show ip route 0.0.0.0 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0 (connected), candidate default path
Routing Descriptor Blocks:
* directly connected, via Dialer1
Route metric is 0, traffic share count is 1
R1(config)#interface dialer 1
R1(config-if)#shutdown
*Oct 23 04:59:13.743: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Oct 23 04:59:13.743: Di1 DDR: dialer shutdown complete
*Oct 23 04:59:13.749: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Oct 23 04:59:13.749: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Oct 23 04:59:15.747: %LINK-5-CHANGED: Interface Dialer1, changed state to administratively down
R1(config-if)#do show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 5, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via Serial1/0
      Route metric is 0, traffic share count is 1
Verify NAT (bring Dialer1 back up first; both translations below use the PPPoE address because that is the primary path):
PC1#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
PC2#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 123.45.67.1:0 10.1.100.1:0 1.2.3.4:0 1.2.3.4:0
icmp 123.45.67.1:1 10.1.101.1:0 1.2.3.4:0 1.2.3.4:1
R1#show ip access-list
Standard IP access list nat
10 permit 10.1.0.0, wildcard bits 0.0.255.255 (2 matches)
HQ base services are now deployed. Next, the branch:
Enable the spanning-tree PortFast feature on the branch switch:
SW4(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
Create the VLANs
SW4(config)#vlan 100
SW4(config-vlan)#vlan 200
SW4(config-vlan)#exit
Server2(config)#interface e0/0
Server2(config-if)#no shutdown
Server2(config-if)#duplex full
PC3(config)#interface e0/0
PC3(config-if)#duplex full
PC3(config-if)#no shutdown
SW4#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Server2          Eth 0/2           134             R       Linux Uni Eth 0/0
PC3              Eth 0/1           139             R       Linux Uni Eth 0/0

Total cdp entries displayed : 2
SW4(config)#interface e0/1
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 100
SW4(config-if)#interface e0/2
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 200
Verification:
SW4#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/3
100  VLAN0100                         active    Et0/1
200  VLAN0200                         active    Et0/2
Deploy router-on-a-stick:
SW4 (the port towards R3 is configured as a trunk):
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
R3(config)#interface e0/0
R3(config-if)#no shutdown
R3(config-if)#interface e0/0.100
R3(config-subif)#encapsulation dot1q 100
R3(config-subif)#ip address 10.2.100.254 255.255.255.0
R3(config-subif)#interface e0/0.200
R3(config-subif)#encapsulation dot1q 200
R3(config-subif)#ip address 10.2.200.254 255.255.255.0
Configure the leased line to the ISP:
R3(config)#interface e0/1
R3(config-if)#ip address 61.128.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config)#ip route 0.0.0.0 0.0.0.0 e0/1 61.128.1.254
Verification:
R3#ping 61.128.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.128.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Deploy NAT at the branch (traffic towards HQ is routed into the tunnels, which are not NAT outside interfaces, so it is not translated; only flows leaving via e0/1 to the Internet are)
R3(config)#interface e0/1
R3(config-if)#ip nat outside
R3(config-if)#interface e0/0.100
R3(config-subif)#ip nat inside
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip nat inside
R3(config)#ip access-list standard nat
R3(config-std-nacl)#permit 10.2.0.0 0.0.255.255
R3(config-std-nacl)#exit
R3(config)#ip nat inside source list nat interface e0/1 overload
Deploy the GRE tunnels between HQ and the branch:
Each tunnel is sourced from one of R1's two Internet interfaces, so the branch sees two tunnel endpoints. ip mtu 1400 leaves room for the outer IP and GRE headers (and the PPPoE overhead on the Dialer path) so that tunnelled packets are not fragmented. Plain GRE adds no encryption or integrity protection: everything inside the tunnels crosses the ISP in clear text, which is acceptable in this lab but in production the tunnels would be protected with IPsec.
R1
interface Tunnel10
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
tunnel source Dialer1
tunnel destination 61.128.1.1
interface Tunnel20
ip address 172.16.2.1 255.255.255.0
ip mtu 1400
tunnel source Serial1/0
tunnel destination 61.128.1.1
R3
interface Tunnel10
ip address 172.16.1.2 255.255.255.0
ip mtu 1400
tunnel source Ethernet0/1
tunnel destination 123.45.67.1
interface Tunnel20
ip address 172.16.2.2 255.255.255.0
ip mtu 1400
tunnel source Ethernet0/1
tunnel destination 202.100.1.1
Verification:
R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
Complete OSPF between HQ and the branch so that the private networks can reach each other (the branch subinterfaces are made passive for the same reason as the HQ SVIs)
R1(config)#interface tunnel 10
R1(config-if)#ip ospf 110 area 0
R1(config-if)#interface tunnel 20
R1(config-if)#ip ospf 110 area 0
R3(config)#interface tunnel 10
R3(config-if)#ip ospf 110 area 0
R3(config-if)#interface tunnel 20
R3(config-if)#ip ospf 110 area 0
R3(config-if)#interface e0/0.100
R3(config-subif)#ip ospf 110 area 0
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip ospf 110 area 0
R3(config-subif)#router ospf 110
R3(config-router)#passive-interface e0/0.100
R3(config-router)#passive-interface e0/0.200
Verification (R3 has no loopback, so its router-id is its highest interface address, 61.128.1.1; the tunnels are point-to-point, so no DR/BDR is elected on them, and the two tunnel routes have equal cost, so R1 load-shares towards the branch until one tunnel goes down):
R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
61.128.1.1        0   FULL/  -        00:00:31    172.16.2.2      Tunnel20
61.128.1.1        0   FULL/  -        00:00:36    172.16.1.2      Tunnel10
10.1.255.22       1   FULL/DR         00:00:30    10.1.12.2       Ethernet0/2
10.1.255.11       1   FULL/BDR        00:00:33    10.1.11.2       Ethernet0/1
R1#show ip route ospf | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O        10.1.100.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.101.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.112.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.1.200.0/24 [110/11] via 10.1.12.2, 01:20:16, Ethernet0/2
                       [110/11] via 10.1.11.2, 01:22:19, Ethernet0/1
O        10.2.100.0/24 [110/1010] via 172.16.2.2, 00:03:32, Tunnel20
                       [110/1010] via 172.16.1.2, 00:03:42, Tunnel10
O        10.2.200.0/24 [110/1010] via 172.16.2.2, 00:03:32, Tunnel20
                       [110/1010] via 172.16.1.2, 00:03:42, Tunnel10
Add DHCP configuration at HQ to serve the branch:
R1 is the DHCP server and R3 the DHCP relay agent; the relayed DHCP traffic travels between them inside the GRE tunnels.
Server2 is assigned the fixed address 10.2.200.100/24
R1(config)#ip dhcp pool Branch100
R1(dhcp-config)#network 10.2.100.0 /24
R1(dhcp-config)#default-router 10.2.100.254
R1(dhcp-config)#ip dhcp pool Branch200
R1(dhcp-config)#host 10.2.200.100 /24
R1(dhcp-config)#default-router 10.2.200.254
R1(dhcp-config)#client-identifier 01aabb.cc00.c000
R3(config)#interface e0/0.100
R3(config-subif)#ip helper-address 10.1.255.1
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip helper-address 10.1.255.1
PC3(config)#interface e0/0
PC3(config-if)#ip address dhcp
Server2(config)#interface e0/0
Server2(config-if)#ip address dhcp client-id e0/0
*Oct 23 06:00:23.560: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.2.200.100, mask 255.255.255.0, hostname Server2
Test the branch's connectivity to the Internet:
PC3#ping 1.2.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Verify NAT:
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 61.128.1.1:0 10.2.100.1:0 1.2.3.4:0 1.2.3.4:0
Deploy the access control policy:
The HQ policy is applied inbound on R1's two downstream interfaces so that it catches traffic arriving from either core switch; the branch policy is applied inbound on R3's subinterfaces. Applying Branch-HQ on e0/0.200 as well is harmless, because its specific entries only match sources in 10.2.100.0/24.
R1(config)#ip access-list extended HQ-Branch
R1(config-ext-nacl)#deny ip 10.1.101.0 0.0.0.255 host 10.2.200.100
R1(config-ext-nacl)#permit ip any any
R1(config)#interface e0/1
R1(config-if)#ip access-group HQ-Branch in
R1(config-if)#interface e0/2
R1(config-if)#ip access-group HQ-Branch in
R3(config)#ip access-list extended Branch-HQ
R3(config-ext-nacl)#permit tcp 10.2.100.0 0.0.0.255 host 10.1.200.100 eq www
R3(config-ext-nacl)#deny ip 10.2.100.0 0.0.0.255 host 10.1.200.100
R3(config-ext-nacl)#permit ip any any
// An ACL is evaluated top-down and stops at the first match, so the web permit must come before the deny for the same source and destination; with the deny first, the permit can never be hit and the web test below would fail. //
R3(config)#interface e0/0.100
R3(config-subif)#ip access-group Branch-HQ in
R3(config-subif)#interface e0/0.200
R3(config-subif)#ip access-group Branch-HQ in
Enable the web service on Server1 for testing:
Server1(config)#ip http server
Test the access control policy (the U replies are ICMP unreachables returned by the router whose ACL dropped the packet; the telnet to port 80 proves the TCP connection opens, the 400 is just the server rejecting the hand-typed request):
PC1#ping 10.2.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.200.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
PC2#ping 10.2.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.200.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC3#ping 10.1.200.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC3#telnet 10.1.200.100 80
Trying 10.1.200.100, 80 ... Open
/get
HTTP/1.1 400 Bad Request
Date: Tue, 23 Oct 2018 06:29:47 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 10.1.200.100 closed by foreign host]
PC3#
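The following Python script is an added example, not part of the original lab. It is a first-match simulator for the lab's two extended ACLs: it evaluates the same packets the tests above send and, more usefully, reports entries that can never match because an earlier entry already covers them, which is exactly what happens when the deny is typed before the www permit in Branch-HQ. It models only ip/tcp/udp/icmp with an optional eq port on the destination and assumes contiguous wildcard masks (true for every entry on this page); the packet addresses are the ones the NAT tables above show for PC1, PC2 and PC3.

```python
"""First-match simulator for the lab's extended ACLs.

Added example, not part of the original lab. It evaluates packets against an
ACL in order and reports entries that can never match because an earlier entry
already covers them (the defect in Branch-HQ as it was first typed).
Assumptions: wildcard masks are contiguous (true for every entry on the page);
only ip/tcp/udp/icmp with an optional 'eq <port>' on the destination are modelled.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}

# Constructed from the page: Branch-HQ as typed (deny first), Branch-HQ as
# intended (permit www first), and HQ-Branch.
BRANCH_HQ_AS_TYPED = [
    "deny ip 10.2.100.0 0.0.0.255 host 10.1.200.100",
    "permit tcp 10.2.100.0 0.0.0.255 host 10.1.200.100 eq www",
    "deny ip 10.2.100.0 0.0.0.255 host 10.1.200.100",
    "permit ip any any",
]
BRANCH_HQ_FIXED = [
    "permit tcp 10.2.100.0 0.0.0.255 host 10.1.200.100 eq www",
    "deny ip 10.2.100.0 0.0.0.255 host 10.1.200.100",
    "permit ip any any",
]
HQ_BRANCH = [
    "deny ip 10.1.101.0 0.0.0.255 host 10.2.200.100",
    "permit ip any any",
]


@dataclass(frozen=True)
class Ace:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip', 'tcp', 'udp' or 'icmp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None       # 'eq <port>' on the destination, if any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int | None = None


def _parse_addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wc & (wc + 1):                      # contiguous wildcards are 2^n - 1
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{t}/{prefixlen}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(lines: list[str]) -> list[Ace]:
    return [parse_ace(line) for line in lines]


def _matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, int | None]:
    """Return (action, 1-based index of the matching ACE); implicit deny -> ('deny', None)."""
    for n, ace in enumerate(acl, start=1):
        if _matches(ace, pkt):
            return ace.action, n
    return "deny", None


def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b would already have matched a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed_entries(acl: list[Ace]) -> list[int]:
    """1-based indices of ACEs that can never be hit because an earlier ACE covers them."""
    return [n for n, ace in enumerate(acl, start=1)
            if any(_covers(earlier, ace) for earlier in acl[: n - 1])]


def lab_results() -> dict[str, tuple[str, int | None]]:
    """The page's tests, replayed through the simulator."""
    pc3_web = Packet("10.2.100.1", "10.1.200.100", "tcp", 80)
    pc3_ping = Packet("10.2.100.1", "10.1.200.100", "icmp")
    pc1_ping = Packet("10.1.100.1", "10.2.200.100", "icmp")
    pc2_ping = Packet("10.1.101.1", "10.2.200.100", "icmp")
    return {
        "typed/pc3_web": evaluate(parse_acl(BRANCH_HQ_AS_TYPED), pc3_web),
        "fixed/pc3_web": evaluate(parse_acl(BRANCH_HQ_FIXED), pc3_web),
        "fixed/pc3_ping": evaluate(parse_acl(BRANCH_HQ_FIXED), pc3_ping),
        "hq/pc1_ping": evaluate(parse_acl(HQ_BRANCH), pc1_ping),
        "hq/pc2_ping": evaluate(parse_acl(HQ_BRANCH), pc2_ping),
    }


if __name__ == "__main__":
    for name, result in lab_results().items():
        print(f"{name}: {result}")
    print("shadowed in Branch-HQ as typed:", shadowed_entries(parse_acl(BRANCH_HQ_AS_TYPED)))
    print("shadowed in Branch-HQ fixed:", shadowed_entries(parse_acl(BRANCH_HQ_FIXED)))
```

Running it shows the typed order denying PC3's web traffic at entry 1 and flags entries 2 and 3 as unreachable, while the fixed order permits web at entry 1, denies the ping at entry 2 and has no shadowed entries; the shadow check is worth running on any ACL before it is applied, because IOS accepts an unreachable entry without complaint.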
Thank you all. I am 达叔 (Da Shu), and I hope this helps you on your way up the technical ladder.
For Cisco CCNA training enquiries, contact 乾颐堂 (QYT) customer service through the official site.
Enquiries by QQ or phone: 4006188070
Official site: www.qytang.com
乾颐堂网络实验室 (QYT Network Lab): we think further for you