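Lab topology:
Lab requirements:
1. Allocate internal IP addresses from 172.16.0.0/16.
2. SW1 and SW2 back each other up.
3. Use VRRP, STP, VLANs and Eth-Trunk.
4. All PCs obtain their IP addresses through DHCP.
5. Only IP addresses may be configured on the ISP router.
6. All PCs can reach the ISP router's loopback.
Lab steps:
Step 1: Basic IP configuration
Goal: Assign IP addresses to all device interfaces to establish basic connectivity.
R1 configuration: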
[R1] interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0] ip address 12.0.0.1 255.255.255.0 # Interface facing the ISP
[R1-GigabitEthernet0/0/0] quit
[R1] interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1] ip address 172.16.0.130 255.255.255.192 # Connects to VLAN 10 on SW1
[R1-GigabitEthernet0/0/1] quit
[R1] interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2] ip address 172.16.0.194 255.255.255.192 # Connects to VLAN 20 on SW2
[R1-GigabitEthernet0/0/2] quit
ISP router configuration:
[ISP] interface GigabitEthernet0/0/0
[ISP-GigabitEthernet0/0/0] ip address 12.0.0.2 255.255.255.0
[ISP-GigabitEthernet0/0/0] quit
[ISP] interface LoopBack0
[ISP-LoopBack0] ip address 2.2.2.2 255.255.255.255 # Loopback interface
[ISP-LoopBack0] quit
Step 2: Configure Eth-Trunk (SW1 to SW2 interconnect)
Goal: Use Eth-Trunk to add bandwidth and redundancy.
SW1 configuration:
[SW1] interface Eth-Trunk0
[SW1-Eth-Trunk0] mode lacp # LACP mode
[SW1-Eth-Trunk0] port link-type trunk
[SW1-Eth-Trunk0] port trunk allow-pass vlan 2 3 10 20 # Allow VLANs 2, 3, 10 and 20
[SW1-Eth-Trunk0] quit
# Add GE0/0/1 and GE0/0/2 to Eth-Trunk0
[SW1] interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1] eth-trunk 0
[SW1-GigabitEthernet0/0/1] quit
[SW1] interface GigabitEthernet0/0/2
[SW1-GigabitEthernet0/0/2] eth-trunk 0
[SW1-GigabitEthernet0/0/2] quit
SW2 configuration:
[SW2] interface Eth-Trunk0
[SW2-Eth-Trunk0] mode lacp
[SW2-Eth-Trunk0] port link-type trunk
[SW2-Eth-Trunk0] port trunk allow-pass vlan 2 3 10 20
[SW2-Eth-Trunk0] quit
# Add GE0/0/1 and GE0/0/2 to Eth-Trunk0
[SW2] interface GigabitEthernet0/0/1
[SW2-GigabitEthernet0/0/1] eth-trunk 0
[SW2-GigabitEthernet0/0/1] quit
[SW2] interface GigabitEthernet0/0/2
[SW2-GigabitEthernet0/0/2] eth-trunk 0
[SW2-GigabitEthernet0/0/2] quit
Step 3: Configure VLANs and interfaces
Goal: Create the VLANs and configure access and trunk ports.
SW3 and SW4 (Layer 2 switches) configuration
[SW3] vlan batch 2 3 # Create VLAN 2 and VLAN 3
# PC-facing ports (access mode)
[SW3] interface GigabitEthernet0/0/1
[SW3-GigabitEthernet0/0/1] port link-type access
[SW3-GigabitEthernet0/0/1] port default vlan 2 # PC1 belongs to VLAN 2
[SW3-GigabitEthernet0/0/1] quit
[SW3] interface GigabitEthernet0/0/2
[SW3-GigabitEthernet0/0/2] port link-type access
[SW3-GigabitEthernet0/0/2] port default vlan 3 # PC2 belongs to VLAN 3
[SW3-GigabitEthernet0/0/2] quit
# Uplink port configured as trunk (toward SW1/SW2)
[SW3] interface GigabitEthernet0/0/3
[SW3-GigabitEthernet0/0/3] port link-type trunk
[SW3-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3 # Allow VLAN 2 and VLAN 3
[SW3-GigabitEthernet0/0/3] quit
# SW4 configuration (mirrors SW3)
[SW4] vlan batch 2 3
[SW4] interface GigabitEthernet0/0/1
[SW4-GigabitEthernet0/0/1] port link-type access
[SW4-GigabitEthernet0/0/1] port default vlan 2 # PC3 belongs to VLAN 2
[SW4-GigabitEthernet0/0/1] quit
[SW4] interface GigabitEthernet0/0/2
[SW4-GigabitEthernet0/0/2] port link-type access
[SW4-GigabitEthernet0/0/2] port default vlan 3 # PC4 belongs to VLAN 3
[SW4-GigabitEthernet0/0/2] quit
[SW4] interface GigabitEthernet0/0/3
[SW4-GigabitEthernet0/0/3] port link-type trunk
[SW4-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3
[SW4-GigabitEthernet0/0/3] quit
SW1 and SW2 (Layer 3 switches) configuration
[SW1] vlan batch 2 3 10 20 # Create VLANs 2, 3, 10 and 20
# Uplink interface to R1 (access mode)
[SW1] interface GigabitEthernet0/0/5
[SW1-GigabitEthernet0/0/5] port link-type access
[SW1-GigabitEthernet0/0/5] port default vlan 10 # Belongs to VLAN 10
[SW1-GigabitEthernet0/0/5] quit
# Trunk on the interface toward SW3/SW4
[SW1] interface GigabitEthernet0/0/3
[SW1-GigabitEthernet0/0/3] port link-type trunk
[SW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3 # Allow VLAN 2 and VLAN 3
[SW1-GigabitEthernet0/0/3] quit
# SW2 configuration (mirrors SW1)
[SW2] vlan batch 2 3 10 20
[SW2] interface GigabitEthernet0/0/5
[SW2-GigabitEthernet0/0/5] port link-type access
[SW2-GigabitEthernet0/0/5] port default vlan 20 # Belongs to VLAN 20
[SW2-GigabitEthernet0/0/5] quit
[SW2] interface GigabitEthernet0/0/3
[SW2-GigabitEthernet0/0/3] port link-type trunk
[SW2-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3
[SW2-GigabitEthernet0/0/3] quit
Step 4: Configure VRRP (gateway redundancy)
Goal: SW1 is the master and SW2 the backup, giving the PCs a highly available gateway.
SW1 configuration (master):
# VRRP for VLAN 2
[SW1] interface Vlanif2
[SW1-Vlanif2] ip address 172.16.0.1 255.255.255.192
[SW1-Vlanif2] vrrp vrid 1 virtual-ip 172.16.0.62 # Virtual IP
[SW1-Vlanif2] vrrp vrid 1 priority 120 # Master has the higher priority (default is 100)
[SW1-Vlanif2] vrrp vrid 1 track interface GigabitEthernet0/0/5 reduced 30 # Track the uplink to R1
[SW1-Vlanif2] quit
# VRRP for VLAN 3
[SW1] interface Vlanif3
[SW1-Vlanif3] ip address 172.16.0.65 255.255.255.192
[SW1-Vlanif3] vrrp vrid 2 virtual-ip 172.16.0.126
[SW1-Vlanif3] vrrp vrid 2 priority 120
[SW1-Vlanif3] quit
SW2 configuration (backup):
# VRRP for VLAN 2
[SW2] interface Vlanif2
[SW2-Vlanif2] ip address 172.16.0.2 255.255.255.192
[SW2-Vlanif2] vrrp vrid 1 virtual-ip 172.16.0.62 # Virtual IP must match SW1
[SW2-Vlanif2] vrrp vrid 1 priority 100 # Backup has the lower priority
[SW2-Vlanif2] quit
# VRRP for VLAN 3
[SW2] interface Vlanif3
[SW2-Vlanif3] ip address 172.16.0.66 255.255.255.192
[SW2-Vlanif3] vrrp vrid 2 virtual-ip 172.16.0.126
[SW2-Vlanif3] vrrp vrid 2 priority 100
[SW2-Vlanif3] quit
Step 5: Configure the DHCP server
Goal: PCs obtain their IP addresses through DHCP, with the VRRP virtual IP as the gateway.
SW1 configuration:
# Enable DHCP
[SW1] dhcp enable
# DHCP scope for VLAN 2
[SW1] ip pool VLAN2
[SW1-ip-pool-VLAN2] network 172.16.0.0 mask 255.255.255.192
[SW1-ip-pool-VLAN2] gateway-list 172.16.0.62 # VRRP virtual IP
[SW1-ip-pool-VLAN2] dns-list 8.8.8.8
[SW1-ip-pool-VLAN2] quit
# DHCP scope for VLAN 3
[SW1] ip pool VLAN3
[SW1-ip-pool-VLAN3] network 172.16.0.64 mask 255.255.255.192
[SW1-ip-pool-VLAN3] gateway-list 172.16.0.126
[SW1-ip-pool-VLAN3] dns-list 8.8.8.8
[SW1-ip-pool-VLAN3] quit
# Bind the pools to the VLANIF interfaces
[SW1] interface Vlanif2
[SW1-Vlanif2] dhcp select global
[SW1-Vlanif2] quit
[SW1] interface Vlanif3
[SW1-Vlanif3] dhcp select global
[SW1-Vlanif3] quit
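The addressing used in steps 1, 4 and 5 can be cross-checked offline before it is typed into the devices. The Python script below is an added example, not part of the original lab; the PLAN structure and the function names are made up for this illustration, and the VLAN 10 and VLAN 20 networks are derived from R1's interface addresses and masks.

```python
import ipaddress as ip
from itertools import combinations

INTERNAL = ip.ip_network("172.16.0.0/16")   # lab requirement 1

# Transcribed from the commands on this page; the VLAN10/VLAN20 networks are
# derived from R1's interface addresses and /26 masks (assumption of this example).
PLAN = {
    "VLAN2":  {"net": "172.16.0.0/26", "vip": "172.16.0.62", "dhcp_gw": "172.16.0.62",
               "static": {"SW1 Vlanif2": "172.16.0.1", "SW2 Vlanif2": "172.16.0.2"}},
    "VLAN3":  {"net": "172.16.0.64/26", "vip": "172.16.0.126", "dhcp_gw": "172.16.0.126",
               "static": {"SW1 Vlanif3": "172.16.0.65", "SW2 Vlanif3": "172.16.0.66"}},
    "VLAN10": {"net": "172.16.0.128/26", "static": {"R1 GE0/0/1": "172.16.0.130"}},
    "VLAN20": {"net": "172.16.0.192/26", "static": {"R1 GE0/0/2": "172.16.0.194"}},
}

def usable(addr, net):
    """True if addr is a host address inside net (not network/broadcast)."""
    a = ip.ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)

def audit(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {name: ip.ip_network(seg["net"]) for name, seg in plan.items()}
    for name, net in nets.items():
        seg = plan[name]
        if not net.subnet_of(INTERNAL):
            findings.append(f"{name}: {net} is outside {INTERNAL}")
        for owner, addr in seg.get("static", {}).items():
            if not usable(addr, net):
                findings.append(f"{name}: {owner} {addr} is not a host in {net}")
        vip = seg.get("vip")
        if vip:
            if not usable(vip, net):
                findings.append(f"{name}: VRRP virtual IP {vip} is not a host in {net}")
            if seg.get("dhcp_gw") != vip:
                findings.append(f"{name}: DHCP gateway {seg.get('dhcp_gw')} != VRRP virtual IP {vip}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"{a} {na} overlaps {b} {nb}")
    return findings

def in_pool_static(plan, name):
    """Statically used addresses (interfaces and VIP) inside a DHCP-served subnet."""
    seg = plan[name]
    addrs = set(seg.get("static", {}).values()) | {seg["vip"]}
    return sorted(addrs, key=ip.ip_address)

if __name__ == "__main__":
    print(audit(PLAN) or "address plan is consistent")
    print("VLAN2 addresses that must never be leased:", in_pool_static(PLAN, "VLAN2"))
```

The second function lists the addresses inside each DHCP network that are already in use by a switch interface or the VRRP virtual IP, so they can be compared against the pool's lease table after the PCs have obtained addresses.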
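Step 6: Configure STP (Spanning Tree Protocol)
1. SW1 (Layer 3 switch) configuration
[SW1] stp enable # Enable STP globally
[SW1] stp mode mstp # Use MSTP mode
[SW1] stp region-configuration # Enter MST region configuration
[SW1-mst-region] region-name MST_DOMAIN # Set the MST region name
[SW1-mst-region] instance 1 vlan 2 # Map VLAN 2 to instance 1
[SW1-mst-region] instance 2 vlan 3 # Map VLAN 3 to instance 2
[SW1-mst-region] active region-configuration # Activate the configuration
[SW1-mst-region] quit
# SW1 is the root bridge for VLAN 2 (instance 1); SW2 is the root bridge for VLAN 3 (instance 2)
[SW1] stp instance 1 root primary # Root bridge for instance 1 (VLAN 2)
[SW1] stp instance 2 root secondary # Secondary (backup) root bridge for instance 2 (VLAN 3)
2. SW2 (Layer 3 switch) configuration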
[SW2] stp enable
[SW2] stp mode mstp
[SW2] stp region-configuration
[SW2-mst-region] region-name MST_DOMAIN
[SW2-mst-region] instance 1 vlan 2
[SW2-mst-region] instance 2 vlan 3
[SW2-mst-region] active region-configuration
[SW2-mst-region] quit
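# SW2 is the root bridge for VLAN 3 (instance 2); SW1 is the root bridge for VLAN 2 (instance 1)
[SW2] stp instance 1 root secondary # Secondary (backup) root bridge for instance 1 (VLAN 2)
[SW2] stp instance 2 root primary # Root bridge for instance 2 (VLAN 3)
3. SW3 (Layer 2 switch) configuration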
[SW3] stp enable
[SW3] stp mode mstp
[SW3] stp region-configuration
[SW3-mst-region] region-name MST_DOMAIN
[SW3-mst-region] instance 1 vlan 2
[SW3-mst-region] instance 2 vlan 3
[SW3-mst-region] active region-configuration
[SW3-mst-region] quit
4. SW4 (Layer 2 switch) configuration
[SW4] stp enable
[SW4] stp mode mstp
[SW4] stp region-configuration
[SW4-mst-region] region-name MST_DOMAIN
[SW4-mst-region] instance 1 vlan 2
[SW4-mst-region] instance 2 vlan 3
[SW4-mst-region] active region-configuration
[SW4-mst-region] quit
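All four switches in step 6 carry the same region name and VLAN-to-instance mapping because MSTP treats two bridges as one region only when region name, revision level and configuration digest all match. The Python script below is an added example, not part of the original lab: it computes the IEEE 802.1Q configuration digest (HMAC-MD5 over the 4096-entry VLAN-to-instance table with the standard's fixed key) for the mapping on this page and flags a switch whose mapping has drifted. The function names and the drifted SW4 sample are constructed for illustration, and revision level 0 is assumed because the page does not set one.

```python
import hashlib
import hmac
from collections import Counter

# Fixed signature key defined by IEEE 802.1Q for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

def mst_digest(instance_vlans):
    """instance_vlans: {instance_id: [vlan, ...]}; unmapped VLANs stay in instance 0."""
    table = [0] * 4096                       # one entry per VID 0..4095
    for inst, vlans in instance_vlans.items():
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN ID {vid}")
            table[vid] = inst
    raw = b"".join(i.to_bytes(2, "big") for i in table)   # 2 octets per entry
    return hmac.new(DIGEST_KEY, raw, hashlib.md5).hexdigest().upper()

def region_id(name, revision, instance_vlans):
    """The triple two bridges must share to be in the same MST region."""
    return (name, revision, mst_digest(instance_vlans))

def outliers(regions):
    """Switches whose region identifier differs from the majority."""
    majority, _ = Counter(regions.values()).most_common(1)[0]
    return sorted(sw for sw, rid in regions.items() if rid != majority)

# Mapping from step 6: instance 1 = VLAN 2, instance 2 = VLAN 3.
# Revision level 0 is an assumption; the page never configures it.
MAPPING = {1: [2], 2: [3]}
PAGE = {sw: region_id("MST_DOMAIN", 0, MAPPING) for sw in ("SW1", "SW2", "SW3", "SW4")}

# Constructed drift: SW4 is missing "instance 2 vlan 3".
DRIFT = dict(PAGE, SW4=region_id("MST_DOMAIN", 0, {1: [2]}))

if __name__ == "__main__":
    print("page config outliers: ", outliers(PAGE))
    print("drifted config outliers:", outliers(DRIFT))
```

A switch reported as an outlier forms its own region, so the per-instance root placement configured on SW1 and SW2 no longer applies across the link to it.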
Step 7: Configure router R1 (internal-to-external communication)
Goal: Allow the internal network to reach the ISP loopback address and the external network.
R1 configuration:
# 1. Static route to the ISP loopback address (2.2.2.2)
[R1] ip route-static 2.2.2.2 255.255.255.255 12.0.0.2 # Next hop is the ISP router's interface
# 2. Configure NAT (the internal range is 172.16.0.0/16)
[R1] acl number 2000
[R1-acl-basic-2000] rule 5 permit source 172.16.0.0 0.0.255.255
[R1-acl-basic-2000] quit
[R1] interface GigabitEthernet0/0/0 # Interface facing the ISP
[R1-GigabitEthernet0/0/0] nat outbound 2000 # Enable NAT
[R1-GigabitEthernet0/0/0] quit
# 3. Configure OSPF (to interconnect with SW1/SW2)
[R1] ospf 1 router-id 1.1.1.1 # Set the router ID
[R1-ospf-1] area 0.0.0.0
[R1-ospf-1-area-0.0.0.0] network 172.16.0.0 0.0.255.255 # Advertise the internal range
[R1-ospf-1-area-0.0.0.0] network 12.0.0.0 0.0.0.255 # Advertise the ISP-facing segment
[R1-ospf-1-area-0.0.0.0] quit
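Verify the configuration
PC addresses
Hosts in the same VLAN can communicate.
Hosts in different VLANs can also communicate.
After SW1's VLAN 2 interface is shut down, SW2 automatically takes over the virtual IP and the PCs can still reach the network.
Internal-to-external connectivity test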