This is a typical small/medium enterprise network topology; the lab requirements are as follows
1. Configure a VTP domain, with S1 as the server
2. Add VLANs 2-5 and enable VTP pruning (not supported)
3. Configure an EtherChannel on f0/1 - 2
4. Enable IP forwarding (ip routing) and the loopback interfaces
5. Enable spanning tree: S1 is the root bridge for VLANs 2, 3 and 127, S2 is the root bridge for VLANs 4 and 5, and each is the other's backup root
6. Configure HSRP (priority, preemption): priority 105, track the uplink interface, decrement by 10 on failure
7. Configure SVIs for VLANs 2-5 and 127, and DHCP for VLANs 2-5
8. Join OSPF areas: AREA1 is totally stubby, AREA2 is totally stubby
9. PPP encapsulation with PAP authentication on the serial links
10. Everything on the internal network except the server reaches the Internet through NAT
11. GZ, SH and the Internet can all reach the WWW service of the company's internal server
Security policy:
No access to the HQ internal network (except the server's WWW service)
No access to the other branch's internal network
No SSH remote login to router R
Let's begin···
1. Create the VLANs and set up VTP
```
Core-1#vlan database
Core-1(vlan)#vlan 2-5,127   ---> PT does not accept a range here, so one at a time
Core-1(vlan)#vlan 2
VLAN 2 added:
Name: VLAN0002
Core-1(vlan)#vlan 3
Core-1(vlan)#vlan 4
Core-1(vlan)#vlan 5
Core-1(vlan)#vlan 127
```
```
Core-1(config)#vtp mode server
Core-1(config)#vtp domain cisco.com
Core-1(config)#vtp password huawei
Core-1(config)#vtp pruning   ---> not supported on this switch
```
The other three switches are VTP clients and get the same configuration:
```
S1(config)#vtp mode client   ---> same on Core-2 and S2
S1(config)#vtp domain cisco.com
S1(config)#vtp password huawei
```
2. Configure the EtherChannel and trunks
```
Core-1(config)#int range fa0/23-24
Core-1(config-if-range)#switchport trunk encapsulation dot1q
Core-1(config-if-range)#switchport mode trunk
Core-1(config-if-range)#channel-group 1 mode on
```
```
Core-1(config)#int range gigabitEthernet 0/1-2
Core-1(config-if-range)#switchport trunk encapsulation dot1q
Core-1(config-if-range)#switchport mode trunk
```
Core-2 is configured the same way.
```
S1(config)#int range g0/1-2
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#int range fa0/2-5
S1(config-if-range)#switchport mode access
S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#int fa0/2
S1(config-if)#switchport access vlan 2
S1(config-if)#int fa0/3
S1(config-if)#switchport access vlan 3
S1(config-if)#int fa0/4
S1(config-if)#switchport access vlan 4
S1(config-if)#int fa0/5
S1(config-if)#switchport access vlan 5
S2(config)#int range g0/1-2
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#int fa0/1
S2(config-if)#switchport access vlan 127
```
3. Configure the SVIs and DHCP···
```
Core-1(config)#int vlan 2
Core-1(config-if)#ip address 192.168.2.254 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 3
Core-1(config-if)#ip address 192.168.3.254 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 4
Core-1(config-if)#ip address 192.168.4.253 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 5
Core-1(config-if)#ip address 192.168.5.253 255.255.255.0
Core-1(config-if)#no shutdown
Core-1(config)#int vlan 127
Core-1(config-if)#ip address 192.168.127.254 255.255.255.0
Core-1(config-if)#no shutdown
```
```
Core-1(config)#ip dhcp pool 2
Core-1(dhcp-config)#network 192.168.2.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.2.1   ---> the HSRP virtual address, not the SVI address
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp pool 3
Core-1(dhcp-config)#network 192.168.3.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.3.1
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp pool 4
Core-1(dhcp-config)#network 192.168.4.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.4.1
Core-1(dhcp-config)#dns-server 114.114.114.114
Core-1(config)#ip dhcp pool 5
Core-1(dhcp-config)#network 192.168.5.0 255.255.255.0
Core-1(dhcp-config)#default-router 192.168.5.1
Core-1(dhcp-config)#dns-server 114.114.114.114
```
```
Core-1(config)#ip dhcp excluded-address 192.168.2.1
Core-1(config)#ip dhcp excluded-address 192.168.2.253 192.168.2.254   ---> the SVI addresses of both cores must not be leased
Core-1(config)#ip dhcp excluded-address 192.168.3.1
Core-1(config)#ip dhcp excluded-address 192.168.3.253 192.168.3.254
Core-1(config)#ip dhcp excluded-address 192.168.4.1
Core-1(config)#ip dhcp excluded-address 192.168.4.253 192.168.4.254
Core-1(config)#ip dhcp excluded-address 192.168.5.1
Core-1(config)#ip dhcp excluded-address 192.168.5.253 192.168.5.254
```
```
Core-1(config)#int fa0/1
Core-1(config-if)#no switchport   ---> routed port toward R
Core-1(config-if)#ip address 192.168.128.1 255.255.255.252
Core-1(config-if)#no shutdown
```
```
Core-1(config-if)#int loop 0
Core-1(config-if)#ip address 1.1.1.1 255.255.255.255
Core-1(config-if)#no shutdown
```
Core-2 is similar to Core-1:
```
Core-2(config)#int vlan 2
Core-2(config-if)#ip address 192.168.2.253 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 3
Core-2(config-if)#ip address 192.168.3.253 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 4
Core-2(config-if)#ip address 192.168.4.254 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 5
Core-2(config-if)#ip address 192.168.5.254 255.255.255.0
Core-2(config-if)#no shutdown
Core-2(config)#int vlan 127
Core-2(config-if)#ip address 192.168.127.253 255.255.255.0
Core-2(config-if)#no shutdown
```
```
Core-2(config)#ip dhcp pool 2
Core-2(dhcp-config)#network 192.168.2.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.2.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp pool 3
Core-2(dhcp-config)#network 192.168.3.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.3.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp pool 4
Core-2(dhcp-config)#network 192.168.4.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.4.1
Core-2(dhcp-config)#dns-server 114.114.114.114
Core-2(config)#ip dhcp pool 5
Core-2(dhcp-config)#network 192.168.5.0 255.255.255.0
Core-2(dhcp-config)#default-router 192.168.5.1
Core-2(dhcp-config)#dns-server 114.114.114.114
```
```
Core-2(config)#ip dhcp excluded-address 192.168.2.1
Core-2(config)#ip dhcp excluded-address 192.168.2.253 192.168.2.254   ---> the SVI addresses of both cores must not be leased
Core-2(config)#ip dhcp excluded-address 192.168.3.1
Core-2(config)#ip dhcp excluded-address 192.168.3.253 192.168.3.254
Core-2(config)#ip dhcp excluded-address 192.168.4.1
Core-2(config)#ip dhcp excluded-address 192.168.4.253 192.168.4.254
Core-2(config)#ip dhcp excluded-address 192.168.5.1
Core-2(config)#ip dhcp excluded-address 192.168.5.253 192.168.5.254
```
```
Core-2(config)#int fa0/1
Core-2(config-if)#no switchport   ---> routed port toward R
Core-2(config-if)#ip address 192.168.128.5 255.255.255.252
Core-2(config-if)#no shutdown
```
```
Core-2(config-if)#int loop 0
Core-2(config-if)#ip address 2.2.2.2 255.255.255.255
Core-2(config-if)#no shutdown
```
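Both cores answer DHCP for the same four subnets with identical ranges, and IOS DHCP servers do not synchronise their bindings, so two clients can end up with the same address (each server only ping-probes before offering, which a silent or firewalled host defeats). The conventional fix is to give each core a disjoint half of every subnet with `ip dhcp excluded-address`, which also keeps the HSRP virtual address and both SVI addresses out of every pool. This is an added example rather than configuration from the original lab; the split point at .127 is a choice made here, and the pool definitions are the ones already shown above.

```cisco
! Core-1 leases the lower half of each VLAN: .2 - .127
Core-1(config)#ip dhcp excluded-address 192.168.2.1
Core-1(config)#ip dhcp excluded-address 192.168.2.128 192.168.2.254   ---> also covers the SVIs .253/.254
Core-1(config)#ip dhcp excluded-address 192.168.3.1
Core-1(config)#ip dhcp excluded-address 192.168.3.128 192.168.3.254
Core-1(config)#ip dhcp excluded-address 192.168.4.1
Core-1(config)#ip dhcp excluded-address 192.168.4.128 192.168.4.254
Core-1(config)#ip dhcp excluded-address 192.168.5.1
Core-1(config)#ip dhcp excluded-address 192.168.5.128 192.168.5.254
! Core-2 leases the upper half of each VLAN: .128 - .252
Core-2(config)#ip dhcp excluded-address 192.168.2.1 192.168.2.127   ---> .1 (HSRP VIP) and Core-1's half
Core-2(config)#ip dhcp excluded-address 192.168.2.253 192.168.2.254   ---> the SVIs
Core-2(config)#ip dhcp excluded-address 192.168.3.1 192.168.3.127
Core-2(config)#ip dhcp excluded-address 192.168.3.253 192.168.3.254
Core-2(config)#ip dhcp excluded-address 192.168.4.1 192.168.4.127
Core-2(config)#ip dhcp excluded-address 192.168.4.253 192.168.4.254
Core-2(config)#ip dhcp excluded-address 192.168.5.1 192.168.5.127
Core-2(config)#ip dhcp excluded-address 192.168.5.253 192.168.5.254
! Verification: leases handed out by each core must stay inside its own half
Core-1#show ip dhcp binding
Core-2#show ip dhcp binding
```

With this split a host that renews against the other core after a failover simply gets a fresh address from the surviving half; nothing it was using collides with an existing lease. The `show ip dhcp conflict` output on either core should stay empty.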
4. Configure the spanning-tree root bridges and HSRP
```
Core-1(config)#spanning-tree vlan 2,3,127 root primary
Core-1(config)#spanning-tree vlan 4,5 root secondary
Core-2(config)#spanning-tree vlan 2,3,127 root secondary
Core-2(config)#spanning-tree vlan 4,5 root primary
```
```
Core-1(config)#int vlan 2
Core-1(config-if)#standby 2 ip 192.168.2.1
Core-1(config-if)#standby 2 priority 105
Core-1(config-if)#standby 2 preempt
Core-1(config-if)#standby 2 track fa0/1   ---> if the uplink fails the priority drops by 10 to 95
Core-1(config)#int vlan 3
Core-1(config-if)#standby 3 ip 192.168.3.1
Core-1(config-if)#standby 3 priority 105
Core-1(config-if)#standby 3 preempt
Core-1(config-if)#standby 3 track fa0/1   ---> if the uplink fails the priority drops by 10 to 95
Core-1(config)#int vlan 4
Core-1(config-if)#standby 4 ip 192.168.4.1
Core-1(config-if)#standby 4 preempt   ---> default priority 100; preempt is what lets the standby take over when Core-2 drops to 95
Core-1(config)#int vlan 5
Core-1(config-if)#standby 5 ip 192.168.5.1
Core-1(config-if)#standby 5 preempt
Core-1(config)#int vlan 127
Core-1(config-if)#standby 127 ip 192.168.127.1
Core-1(config-if)#standby 127 priority 105
Core-1(config-if)#standby 127 preempt
Core-1(config-if)#standby 127 track fa0/1   ---> if the uplink fails the priority drops by 10 to 95
```
Core-2 mirrors Core-1:
```
Core-2(config)#int vlan 2
Core-2(config-if)#standby 2 ip 192.168.2.1
Core-2(config-if)#standby 2 preempt   ---> default priority 100; without preempt the standby never takes over when Core-1 drops to 95
Core-2(config)#int vlan 3
Core-2(config-if)#standby 3 ip 192.168.3.1
Core-2(config-if)#standby 3 preempt
Core-2(config)#int vlan 4
Core-2(config-if)#standby 4 ip 192.168.4.1
Core-2(config-if)#standby 4 priority 105
Core-2(config-if)#standby 4 preempt
Core-2(config-if)#standby 4 track fa0/1   ---> if the uplink fails the priority drops by 10 to 95
Core-2(config)#int vlan 5
Core-2(config-if)#standby 5 ip 192.168.5.1
Core-2(config-if)#standby 5 priority 105
Core-2(config-if)#standby 5 preempt
Core-2(config-if)#standby 5 track fa0/1   ---> if the uplink fails the priority drops by 10 to 95
Core-2(config)#int vlan 127
Core-2(config-if)#standby 127 ip 192.168.127.1
Core-2(config-if)#standby 127 preempt
```
5. Enable OSPF, the static default route at the exit, default-route redistribution, and the stub areas
```
R(config)#int g0/0
R(config-if)#ip address 192.168.128.2 255.255.255.252
R(config-if)#no shutdown
R(config)#int g0/1
R(config-if)#ip address 192.168.128.6 255.255.255.252
R(config-if)#no shutdown
R(config-if)#int s0/3/0
R(config-if)#ip address 192.168.128.10 255.255.255.252
R(config-if)#encapsulation ppp
R(config-if)#ppp authentication pap   ---> R authenticates the peer; the branch must send a username/password R knows
R(config-if)#clock rate 128000
R(config-if)#no shutdown
R(config)#username huawei password huawei   ---> the local account the PAP peers authenticate with
R(config-if)#int s0/3/1
R(config-if)#ip address 192.168.128.13 255.255.255.252
R(config-if)#encapsulation ppp
R(config-if)#ppp authentication pap
R(config-if)#clock rate 128000
R(config-if)#no shutdown
R(config-if)#int s0/1/0
R(config-if)#ip address 192.168.128.17 255.255.255.252
R(config-if)#encapsulation ppp
R(config-if)#ppp authentication pap
R(config-if)#clock rate 128000
R(config-if)#no shutdown
R(config-if)#int loop 0
R(config-if)#ip address 3.3.3.3 255.255.255.255
```
```
GZ(config)#int s0/3/0
GZ(config-if)#ip address 192.168.128.9 255.255.255.252
GZ(config-if)#encapsulation ppp   ---> PAP only runs over PPP; with the default HDLC encapsulation the link never comes up against R
GZ(config-if)#ppp pap sent-username huawei password huawei
GZ(config-if)#no shutdown
GZ(config-if)#int g0/0
GZ(config-if)#ip address 192.168.129.1 255.255.255.0
GZ(config-if)#no shutdown
```
```
SH(config)#int s0/3/0
SH(config-if)#ip address 192.168.128.14 255.255.255.252
SH(config-if)#encapsulation ppp
SH(config-if)#ppp pap sent-username huawei password huawei
SH(config-if)#no shutdown
SH(config-if)#int g0/0
SH(config-if)#ip address 192.168.130.1 255.255.255.0
SH(config-if)#no shutdown
```
```
R(config)#ip route 0.0.0.0 0.0.0.0 192.168.128.18   ---> static default toward the Internet on s0/1/0
R(config)#router ospf 1
R(config-router)#router-id 3.3.3.3
R(config-router)#network 3.3.3.3 0.0.0.0 area 0
R(config-router)#network 192.168.128.2 0.0.0.0 area 0
R(config-router)#network 192.168.128.6 0.0.0.0 area 0
R(config-router)#network 192.168.128.10 0.0.0.0 area 1
R(config-router)#network 192.168.128.13 0.0.0.0 area 2
R(config-router)#area 1 stub no-summary   ---> totally stubby: R, as the ABR, sends the area only a default route
R(config-router)#area 2 stub no-summary
R(config-router)#default-information originate   ---> advertise the static default into area 0 for Core-1 and Core-2
```
```
Core-1(config)#ip routing   ---> enable Layer 3 forwarding on the switch (requirement 4)
Core-1(config)#router ospf 1
Core-1(config-router)#router-id 1.1.1.1
Core-1(config-router)#network 1.1.1.1 0.0.0.0 area 0
Core-1(config-router)#network 192.168.128.1 0.0.0.0 area 0
Core-1(config-router)#network 192.168.0.0 0.0.255.255 area 0   ---> covers every SVI
```
```
Core-2(config)#ip routing
Core-2(config)#router ospf 1
Core-2(config-router)#router-id 2.2.2.2
Core-2(config-router)#network 2.2.2.2 0.0.0.0 area 0
Core-2(config-router)#network 192.168.128.5 0.0.0.0 area 0
Core-2(config-router)#network 192.168.0.0 0.0.255.255 area 0
```
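The page shows OSPF on R and the two cores only. GZ and SH must also run OSPF in areas 1 and 2, and because R declares both areas stub, each branch router has to carry the stub flag itself or the adjacency never forms (the Hello packets must agree on the stub option on both ends). The following is an added example of the branch side, not configuration from the original page; process id 1, the router-ids 4.4.4.4 and 5.5.5.5, and the passive LAN interfaces are assumptions made here.

```cisco
GZ(config)#router ospf 1
GZ(config-router)#router-id 4.4.4.4
GZ(config-router)#network 192.168.128.9 0.0.0.0 area 1
GZ(config-router)#network 192.168.129.0 0.0.0.255 area 1
GZ(config-router)#area 1 stub   ---> plain "stub" here; "no-summary" belongs only on the ABR (R)
GZ(config-router)#passive-interface g0/0   ---> no Hellos toward the LAN, so nothing there can form an adjacency
SH(config)#router ospf 1
SH(config-router)#router-id 5.5.5.5
SH(config-router)#network 192.168.128.14 0.0.0.0 area 2
SH(config-router)#network 192.168.130.0 0.0.0.255 area 2
SH(config-router)#area 2 stub
SH(config-router)#passive-interface g0/0
! Verification on either branch: one FULL neighbor (R) and a single inter-area default
GZ#show ip ospf neighbor
GZ#show ip route ospf
```

In a totally stubby area the ABR originates the default as a Type 3 summary, so `show ip route ospf` on GZ should show only `O*IA 0.0.0.0/0` via 192.168.128.10 and nothing else; the `default-information originate` on R is what the area 0 routers (Core-1, Core-2) need, it does not reach the stub areas. If the neighbour sits in EXSTART or never appears, the first thing to compare is the stub setting on both sides.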
6. NAT for internal hosts reaching the Internet, and Internet access to the internal WWW server
```
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255   ---> the server VLAN 127 is deliberately left out, so it is never translated
ip nat inside source list 1 interface Serial0/1/0 overload   --> PAT for internal hosts reaching the Internet
ip nat inside source static tcp 192.168.127.127 80 192.168.128.17 80   --> Internet access to the internal WWW server
interface range g0/0-1
 ip nat inside   ---> translation only happens between an inside and an outside interface
interface s0/1/0
 ip nat outside
```
7. Set up the SSH server on R and block logins from outside
```
R(config)#ip domain-name cisco.com   ---> a domain name must exist before RSA key generation (value assumed)
R(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R(config)#username root privilege 15 password huawei
R(config)#lin vty 0 4
R(config-line)#transport input ssh
R(config-line)#login local
```
```
R(config)#access-list 122 deny tcp any any eq 22   ---> drops SSH arriving on the WAN links, whether aimed at R or passing through it
R(config)#access-list 122 permit ip any any
R(config)#int s0/3/0
R(config-if)#ip access-group 122 in
R(config-if)#int s0/3/1
R(config-if)#ip access-group 122 in
R(config-if)#int s0/1/0
R(config-if)#ip access-group 122 in
```
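Denying port 22 on every WAN interface does satisfy "no SSH from outside", but it also drops any SSH that merely transits R, and it says nothing about sessions arriving on g0/0 or g0/1 from the inside. The control a practitioner normally reaches for is an `access-class` on the vty lines: it applies to SSH terminated on the router itself, on every interface at once, and can be paired with an interface ACL. The following is an added example, not configuration from the original page; the management source 192.168.127.0/24, the 2048-bit modulus, the domain name and the timeouts are assumptions made here.

```cisco
R(config)#ip domain-name cisco.com   ---> needed before the key can be generated (assumed value)
R(config)#crypto key generate rsa modulus 2048
R(config)#ip ssh version 2   ---> refuse SSHv1 clients
R(config)#ip ssh time-out 60
R(config)#ip ssh authentication-retries 3
R(config)#service password-encryption
R(config)#username root privilege 15 secret huawei   ---> "secret" stores a hash, "password" a reversible string
R(config)#access-list 10 remark management sources allowed to open a session on R
R(config)#access-list 10 permit 192.168.127.0 0.0.0.255   ---> assumed: only the server VLAN manages R
R(config)#access-list 10 deny any log   ---> every refused attempt leaves a syslog line
R(config)#line vty 0 4
R(config-line)#access-class 10 in
R(config-line)#transport input ssh
R(config-line)#login local
R(config-line)#exec-timeout 10 0   ---> idle sessions are closed after 10 minutes
R(config-line)#logging synchronous
! Verification
R#show ip ssh
R#show access-lists 10
```

The interface ACL 122 can stay in place as defence in depth; the `access-class` is what guarantees the policy holds on interfaces that were never given an ACL, and the `deny any log` line turns refused attempts into something a collector can alert on.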
8. Deny access to the HQ internal network (except the server's WWW service) and to the other branch's internal network
```
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.2.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.3.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.4.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.5.0 0.0.0.255
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.130.0 0.0.0.255   ---> the other branch, SH
GZ(config)#access-list 129 permit ip any any
GZ(config)#int s0/3/0
GZ(config-if)#ip access-group 129 out   ---> filtered on the way out toward R; OSPF packets generated by GZ itself are not subject to an outbound ACL
```
```
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.2.0 0.0.0.255   ---> the source is SH's own LAN, 192.168.130.0/24
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.4.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.5.0 0.0.0.255
SH(config)#access-list 130 deny ip 192.168.130.0 0.0.0.255 192.168.129.0 0.0.0.255   ---> the other branch, GZ
SH(config)#access-list 130 permit ip any any
SH(config)#int s0/3/0
SH(config-if)#ip access-group 130 out
```
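The policy reads "no access to the HQ internal network except the server's WWW service", yet the lists above only deny VLANs 2-5 and the other branch: the whole server VLAN 192.168.127.0/24 and the transit links stay reachable for every protocol. An extended ACL that permits TCP/80 to the one server host first and then denies the rest of the server VLAN implements the sentence as written. This is an added example for GZ, not configuration from the original page; SH is the mirror image with 192.168.130.0 as the source and 192.168.129.0 as the other branch, and the `log` keywords are a choice made here.

```cisco
GZ(config)#no access-list 129   ---> rebuild the list from scratch; numbered ACLs cannot be edited in place
GZ(config)#access-list 129 remark branch policy: HQ reachable only through WWW on the server
GZ(config)#access-list 129 permit tcp 192.168.129.0 0.0.0.255 host 192.168.127.127 eq 80
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.127.0 0.0.0.255 log   ---> everything else on the server VLAN
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.2.0 0.0.1.255 log   ---> VLANs 2 and 3 in one wildcard
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.4.0 0.0.1.255 log   ---> VLANs 4 and 5
GZ(config)#access-list 129 deny ip 192.168.129.0 0.0.0.255 192.168.130.0 0.0.0.255 log   ---> the other branch
GZ(config)#access-list 129 permit ip any any   ---> Internet-bound traffic continues to R for NAT
GZ(config)#int s0/3/0
GZ(config-if)#ip access-group 129 out
! Verification: hit counters on the permit-80 line climb when a branch PC opens the web page,
! the deny lines climb (and log) when it tries anything else toward HQ
GZ#show access-lists 129
```

The order matters: the single `permit tcp ... eq 80` must sit above the `deny ip ... 192.168.127.0` line or it is never reached. Because the list is outbound on GZ's own serial interface, OSPF Hellos and LSAs that GZ itself originates are not filtered, so the stub adjacency with R is unaffected; the same holds for SH's mirrored list.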