Small integrated project: network design and implementation

1. Project design (topology diagram)


2. PPPoE configuration on the AR6120

interface Dialer1
 link-protocol ppp
 ppp chap user PPPOE账号
 ppp chap password cipher password密码
 ppp pap local-user 051252297039 password cipher password密码
 ppp ipcp dns admit-any
 ppp ipcp dns request
 mtu 1500
 tcp adjust-mss 1200
 ip address ppp-negotiate
 dialer user arweb
 dialer bundle 1
 dialer-group 1
 nat server protocol tcp global interface Dialer 1 6006 inside 10.5.6.251 6006  # port mapping
 nat server protocol tcp global interface Dialer 1 6007 inside 10.5.6.251 6007
 nat server protocol tcp global interface Dialer 1 6008 inside 10.5.6.251 6008
 nat server protocol tcp global interface Dialer 1 6009 inside 10.5.6.251 6009
 nat server protocol tcp global interface Dialer 1 6010 inside 10.5.6.251 6010
 nat server protocol tcp global interface Dialer 1 6011 inside 10.5.6.251 6011
 nat server protocol tcp global interface Dialer 1 6012 inside 10.5.6.251 6012
 nat server protocol tcp global current-interface 6668 inside 10.5.6.249 6668
 nat server protocol tcp global current-interface 6669 inside 10.5.1.201 6666
 nat server protocol tcp global current-interface 6667 inside 10.5.6.251 6666
 nat outbound 2999                        
 ddns apply policy 1111 fqdn f3322.net    


NAT for Internet access

[500Mdaikuan]acl number 2999
[500Mdaikuan-acl-basic-GigabitEthernet0/0/8]dis th
[V300R019C10SPC300]
#
acl name GigabitEthernet0/0/8 2999  
 rule 5 permit 
#
return
[500Mdaikuan-acl-basic-GigabitEthernet0/0/8]

3. VLAN design and configuration


Inter-VLAN communication on the Layer 3 switch

[HEXIN-SWH]port-group p13579
[HEXIN-SWH-port-group-p13579]group-member g0/0/1 g0/0/3 g0/0/5 g0/0/7 g0/0/9
[HEXIN-SWH-port-group-p13579]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/1]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/3]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/5]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/7]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/9]port link-type access

[HEXIN-SWH-port-group-p13579]port default vlan 10
[HEXIN-SWH-GigabitEthernet0/0/1]port default vlan 10
[HEXIN-SWH-GigabitEthernet0/0/3]port default vlan 10
[HEXIN-SWH-GigabitEthernet0/0/5]port default vlan 10
[HEXIN-SWH-GigabitEthernet0/0/7]port default vlan 10
[HEXIN-SWH-GigabitEthernet0/0/9]port default vlan 10

[HEXIN-SWH-port-group-p13579]dis th
port-group p13579
 group-member GigabitEthernet0/0/1
 group-member GigabitEthernet0/0/3
 group-member GigabitEthernet0/0/5
 group-member GigabitEthernet0/0/7
 group-member GigabitEthernet0/0/9

# Create switch port group p2468 and add it to vlan20

[HEXIN-SWH]port-group p2468
[HEXIN-SWH-port-group-p2468]group-member g0/0/2 g0/0/4 g0/0/6 g0/0/8
[HEXIN-SWH-port-group-p2468]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/2]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/4]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/6]port link-type access
[HEXIN-SWH-GigabitEthernet0/0/8]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HEXIN-SWH-port-group-p2468]port default vlan 20
[HEXIN-SWH-GigabitEthernet0/0/2]port default vlan 20
[HEXIN-SWH-GigabitEthernet0/0/4]port default vlan 20
[HEXIN-SWH-GigabitEthernet0/0/6]port default vlan 20
[HEXIN-SWH-GigabitEthernet0/0/8]port default vlan 20
[HEXIN-SWH-port-group-p2468]dis th

port-group p2468
 group-member GigabitEthernet0/0/2
 group-member GigabitEthernet0/0/4
 group-member GigabitEthernet0/0/6
 group-member GigabitEthernet0/0/8

# Add interface 11 to vlan30

interface GigabitEthernet0/0/11
 port link-type access
 port default vlan 30

# Add interface 10 to vlan60

interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 60

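MAC-based VLAN assignment (not feasible)

Why it is not feasible:

  • Only a device whose MAC address has been bound to a VLAN can obtain an IP address from that VLAN.
  • An unbound device gets no address. If a guest turns up unexpectedly and needs Wi-Fi, that becomes a problem.
  • The workload is huge. Not recommended.

Example: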

[sw1]int g0/0/11
[sw1-GigabitEthernet0/0/11]port link-type hybrid
[sw1-GigabitEthernet0/0/11]port hybrid untagged vlan 10 20 30	# let g0/0/11 belong to several VLANs
[sw1-GigabitEthernet0/0/11]mac-vlan enable    # enable MAC-based VLAN assignment on the port
[HEXIN-SWH-GigabitEthernet0/0/11]dis th
#
interface GigabitEthernet0/0/11
 port link-type hybrid
 port hybrid untagged vlan 10 20 30
 mac-vlan enable

Bind a MAC address to the VLAN:
vlan 20
mac-vlan mac-address 0000-0000-0001

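Static route configuration

# Return route - broadband
ip route-static 10.5.0.0 255.255.0.0 10.5.254.6

Default route (broadband) - broadband
ip route-static 0.0.0.0 0 10.5.255.1 preference 60   # 60 is the default, so this can be omitted

Default route (leased line) - core
ip route-static 0.0.0.0 0 10.5.255.14 preference 65

Hangzhou server - core
ip route-static 10.1.50.0 255.255.255.0 10.5.256.9 preference 40   # next hop as written on the page; 256 is not a valid IPv4 octet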

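4. DHCP server for the LAN

The network was needed urgently and many employees were waiting to use it, so for now DHCP is served from the switch's interface address pools.
Later this will be changed to: "Using Server 2008 as the DHCP server".

# vlan10: first floor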

interface Vlanif10
 ip address 10.5.1.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.5.1.1 10.5.1.60
 dhcp server excluded-ip-address 10.5.1.200 10.5.1.254
 dhcp server static-bind ip-address 10.5.1.98 mac-address dc9c-c521-1215 description guzongxindian
 dhcp server static-bind ip-address 10.5.1.131 mac-address 408d-d5cf-2972 description xingzhengdayin
 dhcp server static-bind ip-address 10.5.1.181 mac-address 24be-e05e-f4c4 description gongchengdayin
 dhcp server static-bind ip-address 10.5.1.183 mac-address 40b0-0342-cda8 description shichangdayin
 dhcp server lease day 2 hour 0 minute 0
 dhcp server dns-list 114.114.114.114 61.177.7.1
#
return

# vlan20: engineering

interface Vlanif20
 ip address 10.5.2.254 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.5.2.200 10.5.2.254
 dhcp server lease day 2 hour 0 minute 0
 dhcp server dns-list 114.114.114.114

# vlan1: wireless APs

#
interface Vlanif1
 ip address 10.5.11.1 255.255.255.0
#
return

# vlan30: spare

interface Vlanif30
 ip address 10.5.3.254 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.5.3.1 10.5.3.100
 dhcp server excluded-ip-address 10.5.3.200 10.5.3.254
 dhcp server lease day 0 hour 2 minute 0
 dhcp server dns-list 114.114.114.114

vlan40 and vlan50: spare

# vlan60: used by the servers

interface Vlanif60
 ip address 10.5.6.254 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.5.6.200 10.5.6.254
 dhcp server lease day 3 hour 0 minute 0
 dhcp server dns-list 114.114.114.114

Enabling snooping

The access switches are unmanaged ("dumb") switches, so this cannot be done.

5. NAT configuration

## NAT on the PPPoE line

interface Dialer1

# Port mapping, door access-control server
nat server protocol tcp global interface Dialer 1 6666 inside 10.5.6.250 6666

# FTP server, 6006-6012
 nat server protocol tcp global interface Dialer 1 6006 inside 10.5.6.251 6006
 nat server protocol tcp global interface Dialer 1 6007 inside 10.5.6.251 6007
 nat server protocol tcp global interface Dialer 1 6008 inside 10.5.6.251 6008
 nat server protocol tcp global interface Dialer 1 6009 inside 10.5.6.251 6009
 nat server protocol tcp global interface Dialer 1 6010 inside 10.5.6.251 6010
 nat server protocol tcp global interface Dialer 1 6011 inside 10.5.6.251 6011
 nat server protocol tcp global interface Dialer 1 6012 inside 10.5.6.251 6012

# Remote access (YUANCHENG)
 nat server protocol tcp global current-interface 6668 inside 10.5.6.249 6668
 nat server protocol tcp global current-interface 6669 inside 10.5.1.201 6666
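
The Dialer1 listing under the PPPoE configuration and the one above both publish internal hosts to the Internet, and they are not identical, so it is worth checking where each mapping lands. The following Python script is an added example, not part of the original configuration; its function names are illustrative, and it assumes that only the server VLAN (Vlanif60, 10.5.6.0/24) is meant to receive inbound mappings.

```python
import ipaddress
import re

# Sample input: a subset of the `nat server` lines from the two Dialer1
# listings on this page (PPPoE section first, NAT section second).
PPPOE_LISTING = """
 nat server protocol tcp global interface Dialer 1 6006 inside 10.5.6.251 6006
 nat server protocol tcp global current-interface 6668 inside 10.5.6.249 6668
 nat server protocol tcp global current-interface 6669 inside 10.5.1.201 6666
 nat server protocol tcp global current-interface 6667 inside 10.5.6.251 6666
"""
NAT_LISTING = """
 nat server protocol tcp global interface Dialer 1 6666 inside 10.5.6.250 6666
 nat server protocol tcp global interface Dialer 1 6006 inside 10.5.6.251 6006
 nat server protocol tcp global current-interface 6668 inside 10.5.6.249 6668
 nat server protocol tcp global current-interface 6669 inside 10.5.1.201 6666
"""

# Assumption (not stated on the page): only the server VLAN, Vlanif60,
# should be reachable through inbound mappings.
SERVER_NET = ipaddress.ip_network("10.5.6.0/24")

NAT_RE = re.compile(
    r"nat server protocol (\w+) global (?:interface \S+ \d+|current-interface) "
    r"(\d+) inside (\d+(?:\.\d+){3}) (\d+)"
)

def parse_nat(config):
    """Return {(protocol, global_port): (inside_ip, inside_port)}."""
    table = {}
    for proto, gport, ip, iport in NAT_RE.findall(config):
        table[(proto, int(gport))] = (ipaddress.ip_address(ip), int(iport))
    return table

def audit(table):
    """Flag mappings that land outside SERVER_NET or translate the port."""
    findings = []
    for (_proto, gport), (ip, iport) in sorted(table.items()):
        if ip not in SERVER_NET:
            findings.append((gport, f"{ip} is outside {SERVER_NET}"))
        if gport != iport:
            findings.append((gport, f"forwarded to inside port {iport}"))
    return findings

def drift(a, b):
    """Global ports whose mapping differs between two listings."""
    return sorted(k[1] for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    first, second = parse_nat(PPPOE_LISTING), parse_nat(NAT_LISTING)
    for port, message in audit(first):
        print(f"tcp/{port}: {message}")
    print("mappings that differ between the listings:", drift(first, second))
```

On the sample lines it flags tcp/6669, which forwards into the office subnet 10.5.1.0/24, and reports that ports 6666 and 6667 appear in only one of the two listings.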

6. QoS rate limiting

# Create an ACL that matches the source IP addresses

[HEXIN-SWH]acl 2000
[HEXIN-SWH-acl-basic-2000]rule permit source 10.5.1.0 0.0.0.255
[HEXIN-SWH-acl-basic-2000]dis th
#
acl number 2000
 rule 5 permit source 10.5.1.0 0.0.0.255
#
return

[HEXIN-SWH-acl-basic-2000]q

# Configure the traffic classifier

[HEXIN-SWH]traffic classifier c1
[HEXIN-SWH-classifier-c1]if-match acl 2000
[HEXIN-SWH-classifier-c1]q

# Configure the traffic behavior

[HEXIN-SWH]traffic behavior b1
[HEXIN-SWH-behavior-b1]car cir 4000 pir 5000
[HEXIN-SWH-behavior-b1]statistic enable
[HEXIN-SWH-behavior-b1]dis th
#
traffic behavior b1
 car cir 4000 pir 5000 cbs 500000 pbs 625000 green pass yellow pass red discard
 statistic enable
#
return
[HEXIN-SWH-behavior-b1]q

# Bind the traffic behavior to the traffic classifier

[HEXIN-SWH]traffic policy p1
[HEXIN-SWH-trafficpolicy-p1]classifier c1 behavior b1
[HEXIN-SWH-trafficpolicy-p1]dis th
#
traffic policy p1 match-order config
 classifier c1 behavior b1
[HEXIN-SWH-trafficpolicy-p1]q

# Apply the policy to the interfaces

[HEXIN-SWH]int g0/0/24
[HEXIN-SWH-GigabitEthernet0/0/24]traffic-policy p1 outbound
[HEXIN-SWH-GigabitEthernet0/0/24]traffic-policy p1 inbound
[HEXIN-SWH-GigabitEthernet0/0/24]q

[HEXIN-SWH]int g0/0/23
[HEXIN-SWH-GigabitEthernet0/0/23]traffic-policy p1 outbound
[HEXIN-SWH-GigabitEthernet0/0/23]traffic-policy p1 inbound
[HEXIN-SWH-GigabitEthernet0/0/23]q




[HEXIN-SWH]dis traffic policy statistics interface GigabitEthernet 0/0/24 inbound

 Interface: GigabitEthernet0/0/24
 Traffic policy inbound: p1
 Rule number: 1
 Current status: success
 Statistics interval: 300
---------------------------------------------------------------------
 Board : 0
---------------------------------------------------------------------
 Matched          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Passed         |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
     Filter       |      Packets:                             0
                  |      Bytes:                               0
---------------------------------------------------------------------
     Car          |      Packets:                             0
                  |      Bytes:                               0
---------------------------------------------------------------------

The method above did not work well; in the end the graphical interface was used.

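7. Related display commands

Display commands left for the customer

View the IP addresses already allocated in a VLAN

View the IP addresses already allocated in vlan10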
<HEXIN-SWH>display ip pool interface Vlanif10 used

 -------------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------------
        10.5.1.1      10.5.1.254     254       4        194(0)       0    56
 -------------------------------------------------------------------------------------
 Client-ID format as follows:
   DHCP  : mac-address                 PPPoE   : mac-address
   IPSec : user-id/portnumber/vrf      PPP     : interface index
   L2TP  : cpu-slot/session-id         SSL-VPN : user-id/session-id
 -------------------------------------------------------------------------------------
  Index              IP             Client-ID    Type       Left   Status
 -------------------------------------------------------------------------------------
     74       10.5.1.75        c03f-d55c-31dd    DHCP     165161   Used
    130      10.5.1.131        408d-d5cf-2972    DHCP          -   Static-bind
    180      10.5.1.181        24be-e05e-f4c4    DHCP          -   Static-bind
    182      10.5.1.183        40b0-0342-cda8    DHCP          -   Static-bind
 -------------------------------------------------------------------------------------

View ARP information

<HEXIN-SWH>dis arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN
------------------------------------------------------------------------------
192.168.1.253   a82b-cd88-dcf1            I -  MEth0/0/1
192.168.0.8     a82b-cd88-dcf1            I -  Vlanif1
10.5.1.1        a82b-cd88-dcf1            I -  Vlanif10
10.5.1.143      1c1b-0d54-c9b9  20        D-0  GE0/0/17
                                          10
10.5.1.182      b00c-d122-3ac9  3         D-0  GE0/0/17
                                          10
10.5.1.20       1c1b-0d83-6759  16        D-0  GE0/0/17
                                          10
10.5.1.53       00e0-4c18-b760  16        D-0  GE0/0/9
                                          10
10.5.1.98       dc9c-521d-1215  13        D-0  GE0/0/9
                                          10
10.5.1.5        d076-e70a-56fc  1         D-0  GE0/0/9
                                          10
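
Since snooping cannot be enabled on the unmanaged access switches, the static bindings in the Vlanif10 configuration can still be compared with the ARP table shown above. The following Python script is an added example, not part of the original post; its function names are illustrative, and the 10.5.1.131 ARP row is constructed so that the matching case is exercised.

```python
import re

# Static bindings copied from the Vlanif10 configuration on this page.
VLANIF10 = """
 dhcp server static-bind ip-address 10.5.1.98 mac-address dc9c-c521-1215 description guzongxindian
 dhcp server static-bind ip-address 10.5.1.131 mac-address 408d-d5cf-2972 description xingzhengdayin
 dhcp server static-bind ip-address 10.5.1.181 mac-address 24be-e05e-f4c4 description gongchengdayin
"""
# Two rows from the `dis arp` output above, plus one constructed row
# (10.5.1.131) so that the matching case is exercised as well.
ARP_OUTPUT = """
10.5.1.1        a82b-cd88-dcf1            I -  Vlanif10
10.5.1.98       dc9c-521d-1215  13        D-0  GE0/0/9
                                          10
10.5.1.131      408d-d5cf-2972  5         D-0  GE0/0/9
                                          10
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
BIND_RE = re.compile(rf"static-bind ip-address (\S+) mac-address ({MAC})")
ARP_RE = re.compile(
    rf"^(\d+(?:\.\d+){{3}})\s+({MAC})\s+(?:\d+\s+)?(?:I -|D-\d+)\s+(\S+)", re.M
)

def parse_bindings(config):
    """Return {ip: mac} for every static-bind line."""
    return dict(BIND_RE.findall(config))

def parse_arp(output):
    """Return {ip: (mac, interface)}; VLAN continuation lines are skipped."""
    return {ip: (mac, port) for ip, mac, port in ARP_RE.findall(output)}

def check(bindings, arp):
    """Compare each reserved address with what the switch resolves for it."""
    ip_of_mac = {mac: ip for ip, (mac, _port) in arp.items()}
    report = {}
    for ip, mac in bindings.items():
        if ip in arp and arp[ip][0] != mac:
            report[ip] = f"mismatch: ARP has {arp[ip][0]} on {arp[ip][1]}"
        elif ip in arp:
            report[ip] = "ok"
        elif mac in ip_of_mac:
            report[ip] = f"bound MAC is using {ip_of_mac[mac]} instead"
        else:
            report[ip] = "not in ARP table"
    return report

if __name__ == "__main__":
    result = check(parse_bindings(VLANIF10), parse_arp(ARP_OUTPUT))
    for ip, status in result.items():
        print(ip, status)
```

Run on these rows it reports 10.5.1.98 as a mismatch, because the bound MAC (dc9c-c521-1215) and the ARP entry (dc9c-521d-1215) differ as printed on this page.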

Query the MAC address table

<HEXIN-SWH>dis mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
00e0-4c01-e5e3 10/-/-                            GE0/0/7             dynamic
00e0-4c18-b760 10/-/-                            GE0/0/9             dynamic
00e0-4c21-51e2 10/-/-                            GE0/0/9             dynamic
1c1b-0d33-6128 10/-/-                            GE0/0/9             dynamic
1c1b-0d54-c9b9 10/-/-                            GE0/0/17            dynamic
1c1b-0d83-6759 10/-/-                            GE0/0/17            dynamic
24be-05ea-f4c4 10/-/-                            GE0/0/9             dynamic
3c46-d8b9-fc48 10/-/-                            GE0/0/7             dynamic
40b0-3422-cda8 10/-/-                            GE0/0/9             dynamic
7845-c41d-0fbf 10/-/-                            GE0/0/9             dynamic
9c5c-8e7b-f0b0 10/-/-                            GE0/0/9             dynamic
b00c-d122-3ac9 10/-/-                            GE0/0/17            dynamic
b8f8-837e-f328 10/-/-                            GE0/0/7             dynamic
c03f-d55c-31dd 10/-/-                            GE0/0/17            dynamic
d076-e70a-56fc 10/-/-                            GE0/0/9             dynamic

Query interface status

<HEXIN-SWH>dis interface b
<HEXIN-SWH>dis interface brief
PHY: Physical
*down: administratively down
#down: LBDT down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(lb): LBDT block
(o): Observe-port forwarding down
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/1        down  down         0%     0%          0          0
GigabitEthernet0/0/2        down  down         0%     0%          0          0
GigabitEthernet0/0/3        down  down         0%     0%          0          0
GigabitEthernet0/0/4        down  down         0%     0%          0          0
GigabitEthernet0/0/5        down  down         0%     0%          0          0
GigabitEthernet0/0/6        down  down         0%     0%          0          0
GigabitEthernet0/0/7        up    up        0.02%  0.02%          0          0
GigabitEthernet0/0/8        down  down         0%     0%          0          0
GigabitEthernet0/0/9        up    up        0.01%  0.02%          0          0
GigabitEthernet0/0/10       up    up        0.02%  0.02%          0          0
GigabitEthernet0/0/11       up    up        0.02%  0.30%          0          0
GigabitEthernet0/0/12       down  down         0%     0%          0          0
GigabitEthernet0/0/13       down  down         0%     0%          0          0
GigabitEthernet0/0/14       down  down         0%     0%          0          0
GigabitEthernet0/0/15       down  down         0%     0%          0          0
GigabitEthernet0/0/16       down  down         0%     0%          0          0
GigabitEthernet0/0/17       up    up           0%     0%          0          0
GigabitEthernet0/0/18       down  down         0%     0%          0          0
GigabitEthernet0/0/19       down  down         0%     0%          0          0
GigabitEthernet0/0/20       down  down         0%     0%          0          0
GigabitEthernet0/0/21       down  down         0%     0%          0          0
GigabitEthernet0/0/22       down  down         0%     0%          0          0
GigabitEthernet0/0/23       up    up           0%     0%          0          0
GigabitEthernet0/0/24       up    up        0.32%  0.03%          0          0

Query the configuration of all interfaces

display current-configuration interface

Query interface information

<HEXIN-SWH>display ip interface description
Codes:
      Ana(Analogmodem),       Asy(Async),             Cell(Cellular),
      Dia(Dialer),            Eth(Ethernet)           GE(GigabitEthernet),
      H(Hssi),                Ima(Ima-group),         Loop(LoopBack),
      MTun(MTunnel),          S(Serial),              Tun(Tunnel),
      VE(Virtual-Ethernet),   VT(Virtual-Template)

      d(dampened),            D(down),                *D(administratively down),
      ^D(standby),            l(loopback),            s(spoofing),
      U(up),                  E(E-Trunk down)
------------------------------------------------------------------------------
Number of interfaces whose physical status is Up: 7
Number of interfaces whose physical status is Down: 5
Number of interfaces whose protocol status is Up: 7
Number of interfaces whose protocol status is Down: 5

Interface                      IP Address/Mask    Phy  Prot Description
Loop0                          2.2.2.2/32         U    U(s)
MEth0/0/1                      192.168.1.253/24   D    D
NULL0                          unassigned         U    U(s)
Vlanif1                        192.168.0.8/22     D    D
Vlanif10                       10.5.1.1/24        U    U
Vlanif20                       10.5.2.254/24      D    D
Vlanif30                       10.5.3.254/24      U    U
Vlanif40                       unassigned         D    D
Vlanif50                       unassigned         D    D
Vlanif60                       10.5.6.254/24      U    U
Vlanif254                      10.5.254.14/29     U    U
Vlanif255                      10.5.255.6/29      U    U

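View interface traffic statistics

display counters: shows traffic statistics for the interfaces
display counters rate: shows the inbound or outbound traffic rate of the interfaces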

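8. Outstanding issues and follow-up work

Inter-VLAN connectivity

There are many problems here that need to be resolved later.

A. Readdress the office network: 2nd-floor addresses

  • Finance has fixed IP addresses that cannot be changed, so it stays in vlan10 for now.
  • vlan20 is to be reassigned to the engineering department (later adjustment).

B. Wireless AP fault: the printers in vlan10 cannot be pinged. The cause is that the APs are unmanaged ("dumb") devices that cannot be configured; they sit in vlan1 by default and the native VLAN cannot be changed. (Resolved)

Solutions:

  • Move all APs into vlan10 (adopted).
  • Move the APs into the same VLAN as the marketing printer; but if Mr. Dai on the 2nd floor then wants to print to the finance printer, a similar situation arises.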


Reposted from blog.csdn.net/annita2019/article/details/124506549