网络综合实验拓扑VLAN+TRUNK（链路聚合）+MSTP+VRRP+DHCP+OSPF+静态路由+ACL+地址转换

1、企业背景

某集团经过业务发展，总公司在广州市体育中心附近，在海珠区和白云区有二个分公司，为了实现快捷的信息交流和资源共享，需要构建统一网络，整合公司所有相关业务流程。总公司采用双核心的网络架构模式，采用专线接入互联网，二个分公司分别租用二条专线光纤线路进行连接，特向ISP供应商取得如下公网IP地址：202.16.10.5~20/24，现要求组建网络，总体要求如下：

1、保证整个网络的稳定性、可靠性。

2、各单位部门能通过地址转换连接上互联网。

3、各部门划分VLAN，只有经理室才能访问分公司。

4、要求集团各部门能通过FTP服务器进行文件传输。

5、内网和外网均能访问公司的主页(WEB1 服务器)。

6、只有财务部和经理部的人员才能访问(WEB2 服务器)

2、网络拓扑结构图

图1 网络拓扑结构图

3、 IP地址规划

序号	部门名称	IP地址	子网掩码	默认网关	备注
1	销售部1	192.168.110.254	255.255.255.0	192.168.110.1	DHCP分配
2	管理部1	192.168.100.254	255.255.255.0	192.168.110.1	DHCP分配
3	经理室	192.168.10.254	255.255.255.0	192.168.10.1	DHCP分配
4	财务部	192.168.20.254	255.255.255.0	192.168.20.1	DHCP分配
5	人事部	192.168.30.254	255.255.255.0	192.168.30.1	DHCP分配
6	开发部	192.168.40.254	255.255.255.0	192.168.40.1	DHCP分配
7	销售部2	192.168.210.254	255.255.255.0	192.168.210.1	DHCP分配
8	管理部2	192.168.200.254	255.255.255.0	192.168.200.1	DHCP分配
9	DHCP	172.16.1.1	255.255.255.0	172.16.1.1
10	HTTP	172.16.1.2	255.255.255.0	172.16.1.1
11	FTP	172.16.1.3	255.255.255.0	172.16.1.1
12	ZJnet09-ZB-LSW1	12.12.12.1	255.255.255.0
13	ZJnet09-ZB-LSW2	13.13.13.1	255.255.255.0
14	ZJnet09-ZB-R1	10.10.20.2/12.12.12.2 13.13.13.2/10.10.10.1 14.14.14.1/202.16.10.5	255.255.255.0 255.255.255.252
15	ZJnet09-FB1-R2	10.10.20.1	255.255.255.252
16	ZJnet09-FB2-R3	10.10.10.2	255.255.255.252

表1  IP地址规划表

4、网络设备命名与设备连接表

序号	部门	设备名	接口	连接至	部门名称	设备名	接口	备注
1	外网	ZJne09-WW-R4	S0/0/0	→	总部	ZJnet09-ZB-R1	S2/0/0
2	总部	ZJnet09-ZB-R1	G0/0/0	→	分部1	ZJnet09-FB1-R2	G0/0/0
3	总部	ZJnet09-ZB-R1	G0/0/1	→	总部	ZJnet09-ZB-LSW1	G0/0/1
4	总部	ZJnet09-ZB-R1	G0/0/2	→	总部	ZJnet09-ZB-LSW2	G0/0/2
5	总部	ZJnet09-ZB-R1	G4/0/1	→	服务器区	ZJnet09-FB-LSW3	G0/0/1
6	总部	ZJnet09-ZB-R1	G4/0/0	→	分部2	ZJnet09-FB2-R3	G0/0/0
7	分部1	ZJnet09-FB1-R2	G0/0/1	→	分部1	ZJnet09-FB1-SW8	G0/0/1
8	分部1	ZJnet09-FB1-SW8	E0/0/1	→	销售部1	ZJnet09-FB1-PC1	E0/0/1
9	分部1	ZJnet09-FB1-SW8	E0/0/2	→	管理部1	ZJnet09-FB1-PC2	E0/0/1
10	总部	ZJnet09-ZB-LSW1	G0/0/21 G0/0/22 G0/0/23 G0/0/24	→	总部	ZJnet09-ZB-LSW2	G0/0/21 G0/0/22 G0/0/23 G0/0/24
11	总部	ZJnet09-ZB-LSW1	G0/0/2	→	经理部	ZJnet09-ZB-SW4	G0/0/1
12	总部	ZJnet09-ZB-LSW1	G0/0/3	→	财务部	ZJnet09-ZB-SW5	G0/0/1
13	总部	ZJnet09-ZB-LSW1	G0/0/4	→	人事部	ZJnet09-ZB-SW6	G0/0/1
14	总部	ZJnet09-ZB-LSW1	G0/0/5	→	开发部	ZJnet09-ZB-SW7	G0/0/1
15	总部	ZJnet09-ZB-LSW2	G0/0/2	→	经理室	ZJnet09-ZB-SW4	G0/0/2
16	总部	ZJnet09-ZB-LSW2	G0/0/3	→	财务部	ZJnet09-ZB-SW5	G0/0/2
17	总部	ZJnet09-ZB-LSW2	G0/0/4	→	人事部	ZJnet09-ZB-SW6	G0/0/2
18	总部	ZJnet09-ZB-LSW2	G0/0/5	→	开发部	ZJnet09-ZB-SW7	G0/0/2
19	经理室	ZJnet09-ZB-SW4	E0/0/1	→	经理部	ZJnet09-ZB-PC3	E0/0/1
20	财务部	ZJnet09-ZB-SW5	E0/0/1	→	财务部	ZJnet09-ZB-PC4	E0/0/1
21	人事部	ZJnet09-ZB-SW6	E0/0/1	→	人事部	ZJnet09-ZB-PC5	E0/0/1
22	开发部	ZJnet09-ZB-SW7	E0/0/1	→	开发部	ZJnet09-ZB-PC6	E0/0/1
23	服务器区	ZJnet09-FB-LSW3	G0/0/2	→	DHCP	ZJnet09-FB-DHCP	G0/0/2
24	服务器区	ZJnet09-FB-LSW3	G0/0/3	→	HTTP	ZJnet09-FB-HTTP	E0/0/0
25	服务器区	ZJnet09-FB-LSW3	G0/0/4	→	FTP	ZJnet09-FB-FTP	E0/0/0
26	分部2	ZJnet09-FB2-R3	G0/0/1	→	分部2	ZJnet09-FB2-SW9	G0/0/1
27	分部2	ZJnet09-FB2-SW9	E0/0/1	→	销售部2	ZJnet09-FB2-PC7	E0/0/1
28	分部2	ZJnet09-FB2-SW9	E0/0/2	→	管理部2	ZJnet09-FB2-PC8	E0/0/1

表2  设备命名与设备连接表

5、VLAN规划表

序号	部门名称	设备名称	VLAN编号	VLAN名称	IP地址	子网掩码	备注
1	销售部1	ZJnet09-FB1-PC1	110	110	192.168.110.0	255.255.255.0
2	管理部1	ZJnet09-FB1-PC2	100	100	192.168.100.0	255.255.255.0
3	经理部	ZJnet09-ZB-PC3	10	10	192.168.10.0	255.255.255.0
4	财务部	ZJnet09-ZB-PC4	20	20	192.168.20.0	255.255.255.0
5	人事部	ZJnet09-ZB-PC5	30	30	192.168.30.0	255.255.255.0
6	开发部	ZJnet09-ZB-PC6	40	40	192.168.40.0	255.255.255.0
7	销售部2	ZJnet09-FB2-PC7	210	210	192.168.210.0	255.255.255.0
8	管理部2	ZJnet09-FB2-PC8	200	200	192.168.200.0	255.255.255.0
9	总部	ZJnet09-ZB-LSW1	2	2	12.12.12.1	255.255.255.0
10	总部	ZJnet09-ZB-LSW2	3	3	13.13.13.1	255.255.255.0

表3  Vlan规划表

6、配置各设备的远程登录

各个设备配置远程登陆如下：

二层交换机：

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

三层交换机和路由器：

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

 local-user zjnet password cipher zjnet123

 local-user zjnet privilege level 3

 local-user zjnet service-type telnet

7、划分VLAN

ZJnet09-FB1-SW8：

vlan batch 100 110

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 110

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 100

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-ZB-SW4：

vlan batch 10

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 10

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-ZB-SW5：

vlan batch 20

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 20

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-ZB-SW6：

vlan batch 30

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 30

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-ZB-SW7：

vlan batch 40

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 40

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-FB2-SW9：

vlan batch 200 210

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 210

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 200

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-ZB-LSW1：

vlan batch 2 to 3 10 20 30 40

#

interface GigabitEthernet0/0/1

 port link-type access

 port default vlan 2

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/5

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

ZJnet09-ZB-LSW2：

vlan batch 2 to 3 10 20 30 40

#

interface GigabitEthernet0/0/1

 port link-type access

 port default vlan 3

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/5

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

8、核心交换机冗余备份

ZJnet09-ZB-LSW1：

interface Eth-Trunk1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 mode lacp-static

 load-balance src-dst-mac

#

interface GigabitEthernet0/0/21

 eth-trunk 1

#

interface GigabitEthernet0/0/22

 eth-trunk 1

#

interface GigabitEthernet0/0/23

 eth-trunk 1

#

interface GigabitEthernet0/0/24

 eth-trunk 1

ZJnet09-ZB-LSW2：

interface Eth-Trunk1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 mode lacp-static

 load-balance src-dst-mac

#

interface GigabitEthernet0/0/21

 eth-trunk 1

#

interface GigabitEthernet0/0/22

 eth-trunk 1

#

interface GigabitEthernet0/0/23

 eth-trunk 1

#

interface GigabitEthernet0/0/24

 eth-trunk 1

9、交换机配置MSTP

ZJnet09-ZB-LSW1：

#

stp instance 1 root primary

stp instance 2 root primary

stp instance 3 root primary

stp instance 4 root primary

#

stp region-configuration

 region-name mstp1

 instance 1 vlan 10

 instance 2 vlan 20

 instance 3 vlan 30

 instance 4 vlan 40

 active region-configuration

ZJnet09-ZB-LSW2：

#

stp instance 1 root secondary

stp instance 2 root secondary

stp instance 3 root secondary

stp instance 4 root secondary

#

stp region-configuration

 region-name mstp1

 instance 1 vlan 10

 instance 2 vlan 20

 instance 3 vlan 30

 instance 4 vlan 40

 active region-configuration

10、配置DHCP服务

ZJnet09-FB-DHCP：

#

dhcp enable

#

ip pool vlan10

 gateway-list 192.168.10.1

 network 192.168.10.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan20

 gateway-list 192.168.20.1

 network 192.168.20.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan30

 gateway-list 192.168.30.1

 network 192.168.30.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan40

 gateway-list 192.168.40.1

 network 192.168.40.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan100

 gateway-list 192.168.100.1

 network 192.168.100.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan110

 gateway-list 192.168.110.1

 network 192.168.110.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan200

 gateway-list 192.168.200.1

 network 192.168.200.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool vlan210

 gateway-list 192.168.210.1

 network 192.168.210.0 mask 255.255.255.0

 dns-list 8.8.8.8

ZJnet09-FB1-R2:

dhcp enable

#

interface GigabitEthernet0/0/1.1

 dot1q termination vid 100

 ip address 192.168.100.1 255.255.255.0

 arp broadcast enable

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

interface GigabitEthernet0/0/1.2

 dot1q termination vid 110

 ip address 192.168.110.1 255.255.255.0

 arp broadcast enable

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

ZJnet09-FB2-R3:

dhcp enable

#

interface GigabitEthernet0/0/1.1

 dot1q termination vid 200

 ip address 192.168.200.1 255.255.255.0

 arp broadcast enable

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

interface GigabitEthernet0/0/1.2

 dot1q termination vid 210

 ip address 192.168.210.1 255.255.255.0

 arp broadcast enable

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

ZJnet09-ZB-LSW1：

#

interface Vlanif10

 ip address 192.168.10.2 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.10.1

 vrrp vrid 1 priority 120

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

interface Vlanif20

 ip address 192.168.20.2 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.20.1

 vrrp vrid 1 priority 120

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

interface Vlanif30

 ip address 192.168.30.2 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.30.1

 vrrp vrid 1 priority 120

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

interface Vlanif40

 ip address 192.168.40.2 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.40.1

 vrrp vrid 1 priority 120

 dhcp select relay

 dhcp relay server-ip 172.16.1.1

#

ZJnet09-ZB-LSW2：

#

interface Vlanif10

 ip address 192.168.10.3 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.10.1

#

interface Vlanif20

 ip address 192.168.20.3 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.20.1

#

interface Vlanif30

 ip address 192.168.30.3 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.30.1

#

interface Vlanif40

 ip address 192.168.40.3 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.40.1

11、配置路由协议

 ZJnet09-ZB-R1:

#

ip route-static 0.0.0.0 0.0.0.0 202.16.10.1

ip route-static 172.16.1.0 255.255.255.0 14.14.14.2

ip route-static 192.168.100.0 255.255.255.0 10.10.20.1

ip route-static 192.168.110.0 255.255.255.0 10.10.20.1

ip route-static 192.168.200.0 255.255.255.0 10.10.10.2

ip route-static 192.168.210.0 255.255.255.0 10.10.10.2

#

 ZJnet09-FB1-R2:

#

ip route-static 0.0.0.0 0.0.0.0 10.10.20.2

#

 ZJnet09-FB2-R3:

#

ip route-static 0.0.0.0 0.0.0.0 10.10.10.1

#

ZJnet09-FB-DHCP:

#

ip route-static 0.0.0.0 0.0.0.0 172.16.1.254

#

ZJnet09-ZB-LSW1:

#

ospf 1

 area 0.0.0.0

  network 192.168.10.0 0.0.0.255

  network 12.12.12.0 0.0.0.255

  network 192.168.20.0 0.0.0.255

  network 192.168.30.0 0.0.0.255

  network 192.168.40.0 0.0.0.255

#

ZJnet09-ZB-LSW2:

#

ospf 1

 area 0.0.0.0

  network 13.13.13.0 0.0.0.255

  network 192.168.10.0 0.0.0.255

  network 192.168.20.0 0.0.0.255

  network 192.168.30.0 0.0.0.255

  network 192.168.40.0 0.0.0.255

12、配置地址转换

 ZJnet09-ZB-R1:

#

 nat address-group 1 202.16.10.6 202.16.10.19

#

interface Serial2/0/0

 link-protocol ppp

 ip address 202.16.10.5 255.255.255.0

 nat server protocol tcp global 202.16.10.20 www inside 172.16.1.2 8080

13、配置访问控制列表

 ZJnet09-FB1-R2:

#

acl number 2000  

 rule 5 permit source 192.168.10.0 0.0.0.255

 rule 10 permit source 172.16.1.0 0.0.0.255

 rule 15 permit source 10.10.10.0 0.0.0.3

 rule 20 permit source 202.16.10.0 0.0.0.255

 rule 25 deny

#

traffic classifier a1 operator or

 if-match acl 2000

#

traffic behavior b1

#

traffic policy 1

 classifier a1 behavior b1

#

interface GigabitEthernet0/0/0

 ip address 10.10.20.1 255.255.255.0

 traffic-policy 1 inbound

#

 ZJnet09-ZB-R1:

#

acl number 2001  

 rule 5 permit source 192.168.10.0 0.0.0.255

 rule 10 permit source 192.168.20.0 0.0.0.255

 rule 15 permit source 192.168.30.0 0.0.0.255

 rule 20 permit source 192.168.40.0 0.0.0.255

 rule 25 permit source 192.168.100.0 0.0.0.255

 rule 30 permit source 192.168.110.0 0.0.0.255

 rule 35 permit source 192.168.200.0 0.0.0.255

 rule 40 permit source 192.168.210.0 0.0.0.255

 rule 45 deny

#

interface Serial2/0/0

 nat outbound 2001 address-group 1 no-pat

 ZJnet09-FB2-R3:

#

acl number 2000  

 rule 5 permit source 192.168.10.0 0.0.0.255

 rule 10 permit source 172.16.1.0 0.0.0.255

 rule 15 permit source 10.10.20.0 0.0.0.3

 rule 20 permit source 202.16.10.0 0.0.0.255

 rule 25 deny

#

traffic classifier a1 operator or

 if-match acl 2000

#

traffic behavior b1

#

traffic policy c1

 classifier a1 behavior b1

#

interface GigabitEthernet0/0/0

 ip address 10.10.10.2 255.255.255.252

 traffic-policy c1 inbound