思科校园网搭建及配置综合小型实验
- 实验拓扑
- 配置步骤
- 配置聚合链路
- 配置VTP,vlan域模板
- 第一步 配置二层VLAN
- 第二步 配置生成树
- 第三步 配置相关IP地址
- 第四步 配置DHCP及DHCP中继
- 第五步 配置三层的网关冗余协议 双机热备及OSPF
- 第六步 配置静态路由,NAT地址转换及其他配置完善
- 优化配置
- 配置测试
- PC都可以正确获取到ip地址并且可以访问外网用户
- PC可以通过域名访问百度服务器
- 所有PC之间都可以互相通信
- 其他说明
实验拓扑
配置步骤
配置聚合链路
// Static EtherChannel (port-channel 1) built from Fa0/8-9 on each core switch and run as an 802.1Q trunk.
// NOTE(review): presumably this is the Core_SW1 <-> Core_SW2 interconnect; the topology image is not visible here, confirm.
hostname Core_SW1
!
interface Port-channel1 // enter the port-channel (aggregated link) interface
 switchport trunk encapsulation dot1q // use 802.1Q trunk encapsulation
 switchport mode trunk // put the interface in trunk mode
!
interface range FastEthernet0/8-9 // configure both member ports together
 channel-group 1 mode on // bind the ports to port-channel 1; "on" bundles statically, with no LACP/PAgP negotiation
hostname Core_SW2
!
interface Port-channel1 // enter the port-channel (aggregated link) interface
 switchport trunk encapsulation dot1q // use 802.1Q trunk encapsulation
 switchport mode trunk // put the interface in trunk mode
!
interface range FastEthernet0/8-9 // configure both member ports together
 channel-group 1 mode on // bind the ports to port-channel 1; both ends must use "on" for a static bundle to form
配置VTP,vlan域模板
// VTP setup: core_sw1 is the VTP server for domain "sike"; the other switches join the same domain as clients.
core_sw1
vtp domain sike // set the VTP domain name
vtp mode server // server mode: VLANs are defined on this switch and advertised to the domain
vtp password 123456 // VTP authentication password
// NOTE(review): "123456" is a trivially guessable lab value. Any switch that joins the domain with the right
// password and a higher configuration revision can overwrite the VLAN database, so use a strong secret outside the lab.
core_sw2
vtp domain sike // set the VTP domain name
vtp mode client // client mode: VLANs are learned from the VTP server
vtp password 123456 // VTP authentication password; must match the server
// SW_1 through SW_6 all need the commands above before they can learn the VLANs from core_sw1
// show vtp status: display the switch's VTP mode and configuration
第一步 配置二层VLAN
// Layer-2 VLAN setup: VLANs 10-70 are created on core_sw1, core uplinks/downlinks run as 802.1Q trunks,
// and each access switch trunks Fa0/1-2 and places its user ports in one access VLAN.
// NOTE(review): none of the trunks has a "switchport trunk allowed vlan" list, so every VLAN is carried on every trunk.
// NOTE(review): the access ports have no port security, PortFast or BPDU guard configured in this listing.
core_sw1
// NOTE(review): IOS normally expects a space ("vlan 10"); the space was presumably lost when the page was extracted.
vlan10
vlan20
vlan30
vlan40
vlan50
vlan60
vlan70
!
interface range FastEthernet0/8-9 // configure both ports together
 switchport trunk encapsulation dot1q // use 802.1Q trunk encapsulation
 switchport mode trunk // put the ports in trunk mode
!
interface range FastEthernet0/2-7 // configure ports Fa0/2 through Fa0/7 together
 switchport trunk encapsulation dot1q // use 802.1Q trunk encapsulation
 switchport mode trunk // put the ports in trunk mode
core_sw2
interface range FastEthernet0/8-9 // configure both ports together
 switchport trunk encapsulation dot1q // use 802.1Q trunk encapsulation
 switchport mode trunk // put the ports in trunk mode
!
interface range FastEthernet0/2-7 // configure ports Fa0/2 through Fa0/7 together
 switchport trunk encapsulation dot1q // use 802.1Q trunk encapsulation
 switchport mode trunk // put the ports in trunk mode
!
interface FastEthernet0/10
 switchport access vlan 70 // assign the port to VLAN 70
 switchport mode access // put the port in access mode
hostname SW_1
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
SW2
hostname SW_2
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
SW3
hostname SW_3
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
SW4
hostname SW_4
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 40
 switchport mode access
SW5
hostname SW_5
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 50
 switchport mode access
SW6
hostname SW_6
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 60
 switchport mode access
第二步 配置生成树
// Per-VLAN spanning tree with the root role split between the two core switches:
// core_sw1 has the lower priority for VLANs 10/20/30, core_sw2 for VLANs 40/50/60.
// NOTE(review): priorities alone do not stop another switch that advertises a lower priority from taking over
// as root; no root guard or BPDU guard appears in this listing.
core_sw1
spanning-tree mode pvst // PVST, Cisco's proprietary per-VLAN spanning tree
spanning-tree vlan 10,20,30 priority 24576 // lower value: intended primary root bridge for VLANs 10, 20, 30
spanning-tree vlan 40,50,60 priority 28672 // intended secondary root bridge for VLANs 40, 50, 60
core_sw2
spanning-tree mode pvst
spanning-tree vlan 40,50,60 priority 24576
spanning-tree vlan 10,20,30 priority 28672
show spanning-tree active // check where the spanning-tree root is for each VLAN
第三步 配置相关IP地址
// Layer-3 addressing: SVIs and routed uplinks on the core switches, firewall interfaces with their
// security levels, and the exit router / ISP router links.
core_sw1
!
ip routing // enable IP routing on the layer-3 switch (the original note says this is required before addressing it)
!
interface FastEthernet0/1
 no switchport // turn the port into a routed (layer-3) port so it can take an IP address
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.254 255.255.255.0
!
interface Vlan50
 ip address 192.168.50.254 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.254 255.255.255.0
core_sw2
!
ip routing
!
interface FastEthernet0/1
 no switchport
 ip address 192.168.3.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.253 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.253 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.253 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.253 255.255.255.0
!
interface Vlan50
 ip address 192.168.50.253 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.253 255.255.255.0
!
interface Vlan70
 ip address 192.168.70.252 255.255.255.0
FW1
hostname FW1
!
interface GigabitEthernet1/1
 nameif untrust // interface (zone) name
 security-level 0 // zone trust level; a higher level may reach a lower one by default
 ip address 192.168.4.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif trust_1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif trust_2
 security-level 100
 ip address 192.168.3.1 255.255.255.0
// NOTE(review): trust_1 and trust_2 share security-level 100. If FW1 is an ASA, traffic between interfaces of
// equal level is blocked by default unless "same-security-traffic permit inter-interface" is set; confirm.
CK_Router 出口路由器
hostname CK-Router
!
interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
!
interface Serial0/0/0
 ip address 200.10.10.1 255.255.255.252
 clock rate 64000 // a serial link needs a clock rate; it is configured on the DCE end of the cable
ISP
hostname ISP-R
!
interface FastEthernet0/0
 ip address 200.10.20.1 255.255.255.240
!
interface Serial0/2/0
 ip address 200.10.10.2 255.255.255.252
第四步 配置DHCP及DHCP中继
// DHCP relay on the core switches: requests from the user VLANs are forwarded to the server at 192.168.10.1.
core_sw1
interface Vlan 20,30,40,50,60
 ip helper-address 192.168.10.1 // relay DHCP requests from these VLANs to the DHCP server
// This lab uses a standalone DHCP server, which is much simpler; using a router as the DHCP server is left for a later post.
// NOTE(review): "interface Vlan 20,30,40,50,60" reads as shorthand for applying the helper under each SVI; confirm the exact syntax on the device.
// NOTE(review): no DHCP snooping is configured on the access switches, so nothing in this listing keeps an
// unauthorized DHCP server on a user port from answering clients.
core_sw2
// same as above
-
服务器配置IP地址
-
配置DHCP地址池
-
完成后点击保存,然后查看PC是否都可以正确的获得到IP地址
第五步 配置三层的网关冗余协议 双机热备及OSPF
// Gateway redundancy (HSRP) and OSPF: core_sw1 is configured with priority 120 for VLANs 10/20/30 and core_sw2 for
// VLANs 40/50/60; all routed devices join OSPF process 10, area 0.
// NOTE(review): with priority 120 and the default track decrement of 10, losing Fa0/1 leaves priority 110, still
// above the peer's default 100, and the peer has no "preempt". Confirm the active role really moves on uplink failure.
// NOTE(review): no HSRP authentication ("standby <group> authentication") and no OSPF authentication or
// "passive-interface" on the user-facing SVIs appear here; a host on a user VLAN could take part in either protocol.
core_sw1
!
interface Vlan10
 standby 10 ip 192.168.10.252 // HSRP virtual gateway address (comparable to VRRP); the default HSRP priority is 100
 standby 10 priority 120 // set the HSRP priority
 standby 10 preempt // enable preemption
 standby 10 track FastEthernet0/1 // track the uplink interface so its state affects the HSRP priority
!
interface Vlan20
 standby 20 ip 192.168.20.252
 standby 20 priority 120
 standby 20 preempt
 standby 20 track FastEthernet0/1
!
interface Vlan30
 standby 30 ip 192.168.30.252
 standby 30 priority 120
 standby 30 preempt
 standby 30 track FastEthernet0/1
!
interface Vlan40
 standby 40 ip 192.168.40.252
 standby 40 track FastEthernet0/1
!
interface Vlan50
 standby 50 ip 192.168.50.252
 standby 50 track FastEthernet0/1
!
interface Vlan60
 standby 60 ip 192.168.60.252
 standby 60 track FastEthernet0/1
!
router ospf 10
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.60.0 0.0.0.255 area 0
core_sw2
interface Vlan10
 standby 10 ip 192.168.10.252
 standby 10 track FastEthernet0/1
!
interface Vlan20
 standby 20 ip 192.168.20.252
 standby 20 track FastEthernet0/1
!
interface Vlan30
 standby 30 ip 192.168.30.252
 standby 30 track FastEthernet0/1
!
interface Vlan40
 standby 40 ip 192.168.40.252
 standby 40 priority 120
 standby 40 preempt
 standby 40 track FastEthernet0/1
!
interface Vlan50
 standby 50 ip 192.168.50.252
 standby 50 priority 120
 standby 50 preempt
 standby 50 track FastEthernet0/1
!
interface Vlan60
 standby 60 ip 192.168.60.252
 standby 60 priority 120
 standby 60 preempt
 standby 60 track FastEthernet0/1
!
router ospf 10
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.60.0 0.0.0.255 area 0
 network 192.168.70.0 0.0.0.255 area 0
FW
// The firewall's network statements are written with subnet masks, unlike the wildcard masks used on the switches and router.
router ospf 10
 network 192.168.2.0 255.255.255.0 area 0
 network 192.168.3.0 255.255.255.0 area 0
 network 192.168.4.0 255.255.255.0 area 0
CK_Router 出口路由
router ospf 10
 network 192.168.4.0 0.0.0.255 area 0
 default-information originate // lets this router advertise a default route to the devices below it
// show ip ospf neighbor: display the OSPF neighbor relationships
第六步 配置静态路由,NAT地址转换及其他配置完善
- 配置防火墙的其他放行的相关命令
// Firewall ACL "fangxing": a single rule that permits all IP traffic, bound in both directions on both trust interfaces.
// NOTE(review): "permit ip any any" in and out turns these interfaces into pass-through, which is acceptable only to
// get a lab working. A real deployment should list the specific source/destination/service flows that are required.
access-list fangxing extended permit ip any any // permit every IP packet, any source to any destination
!
access-group fangxing in interface trust_1 // apply to traffic entering trust_1
access-group fangxing out interface trust_1 // apply to traffic leaving trust_1
access-group fangxing in interface trust_2 // apply to traffic entering trust_2
access-group fangxing out interface trust_2 // apply to traffic leaving trust_2
- 配置NAT地址转换
// NAT on the exit router: PAT for outbound traffic, one static UDP/53 port mapping, and a default route to the ISP.
CK_Router
!
interface GigabitEthernet0/0
 ip nat inside // inside (private) side of the translation
!
interface Serial0/0/0
 ip nat outside // outside (public) side of the translation
!
access-list 1 permit any // standard ACL (not a prefix list) that matches every source address
// NOTE(review): matching "any" translates whatever arrives on the inside interface; restricting the ACL to the
// internal 192.168.x.0 ranges used in this lab would be tighter.
!
//
ip nat pool DZC 200.10.10.1 200.10.10.1 netmask 255.255.255.252 // NAT pool holding the single address 200.10.10.1
ip nat inside source list 1 pool DZC overload // port address translation (overload) using the pool address
// Static NAT port mapping: 192.168.10.2 UDP/53 is published as 200.10.10.100 UDP/53
ip nat inside source static udp 192.168.10.2 53 200.10.10.100 53
// NOTE(review): this exposes the internal DNS server to the outside network. Only UDP/53 is mapped (no TCP/53),
// and if the server answers recursive queries for anyone it is reachable as an open resolver; confirm the intent.
ip route 0.0.0.0 0.0.0.0 200.10.10.2 // default route toward the ISP for outbound traffic
// show ip nat translations: display the NAT translation table
- 由于需要做公网的一对一映射,这里ISP路由器需要写一条到映射地址200.10.10.100的主机静态路由(不是默认路由),下一跳指向出口路由器CK_Router的公网接口200.10.10.1
ip route 200.10.10.100 255.255.255.255 200.10.10.1 // host (/32) static route for the mapped address, next hop 200.10.10.1
-
至此内网的设备已经可以全部访问到公网了,自行测试
-
配置让设备可以telnet
// Remote management over the VTY lines on both core switches and the firewall.
// NOTE(review): Telnet carries the password and the whole session in cleartext, "wml" is a three-character shared
// password, and "privilege level 15" gives full privileged access immediately at login. Outside a lab prefer SSH
// with per-user accounts ("transport input ssh", "login local") and limit source addresses with "access-class".
core_sw1
line vty 0 4 // the five virtual terminal lines, 0 through 4
 password wml // line password
 privilege level 15 // sessions on these lines start at privilege level 15
core_sw2
line vty 0 4
 password wml
 privilege level 15
FW
// NOTE(review): "line vty" is IOS syntax. If FW1 is an ASA (its interfaces use nameif/security-level),
// remote access is configured with different commands; confirm.
line vty 0 4
 password wml
 privilege level 15
优化配置
让食堂不能访问 服务器,教学楼,办公楼,图书馆
core sw2上
access-list 101 deny ip 源ip 反掩码 目标ip 反掩码
access-list 101 permit ip any any //思科ACL末尾隐含一条拒绝所有的规则,因此需要这条规则放行其他没有匹配上以上deny规则的流量
进入到接口 int vlan 50
ip access-group 101 in //在接口入方向调用此规则
配置测试
PC都可以正确获取到ip地址并且可以访问外网用户
PC可以通过域名访问百度服务器
- 一定要配置正确的DNS地址,并且确保DNS服务器是打开并且正常配置的
所有PC之间都可以互相通信
- 其他PC可自行测试
其他说明
-
无线路由器需要手动配置ip地址用于和上联通信
-
配置无线路由器的wifi名称和密码
-
笔记本需要配置无线网卡,才可以连接无线网
-
笔记本连接无线