Experiment link at the end
Topology
Configuration requirements
Only part of the configuration is shown on this page; the experiment topology and the complete configuration can be downloaded from the link at the end.
Layer 2 switch configuration
sysname L2S1
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 70 80
#
stp region-configuration
region-name 22tt02
revision-level 1
instance 1 vlan 10 20 30 40
instance 2 vlan 50 60 70 80
active region-configuration
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
sysname L2S2
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 70 80
#
stp region-configuration
region-name 22tt02
revision-level 1
instance 1 vlan 10 20 30 40
instance 2 vlan 50 60 70 80
active region-configuration
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40
sysname L2S3
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 70 80
#
stp region-configuration
region-name 22tt02
revision-level 1
instance 1 vlan 10 20 30 40
instance 2 vlan 50 60 70 80
active region-configuration
#
interface Ethernet0/0/1
port link-type access
port default vlan 50
#
interface Ethernet0/0/2
port link-type access
port default vlan 60
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 50 60
sysname L2S4
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 70 80
#
stp region-configuration
region-name 22tt02
revision-level 1
instance 1 vlan 10 20 30 40
instance 2 vlan 50 60 70 80
active region-configuration
#
interface Ethernet0/0/1
port link-type access
port default vlan 70
#
interface Ethernet0/0/2
port link-type access
port default vlan 80
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 70 80
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 70 80
Layer 3 switch configuration
sysname L3S1
#
undo info-center enable
#
vlan batch 10 to 11 20 30 40 50 60 70 80 90
#
stp instance 1 root primary
stp instance 2 root secondary
#
dhcp enable
#
stp region-configuration
region-name 22tt02
revision-level 1
instance 1 vlan 10 20 30 40
instance 2 vlan 50 60 70 80
active region-configuration
#
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.1 192.168.10.2
dns-list 114.114.114.114
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.1 192.168.20.2
dns-list 114.114.114.114
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.1 192.168.30.2
dns-list 114.114.114.114
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.1 192.168.40.2
dns-list 114.114.114.114
#
ip pool vlan50
gateway-list 192.168.50.254
network 192.168.50.0 mask 255.255.255.0
excluded-ip-address 192.168.50.1 192.168.50.2
dns-list 114.114.114.114
#
ip pool vlan60
gateway-list 192.168.60.254
network 192.168.60.0 mask 255.255.255.0
excluded-ip-address 192.168.60.1 192.168.60.2
dns-list 114.114.114.114
#
ip pool vlan70
gateway-list 192.168.70.254
network 192.168.70.0 mask 255.255.255.0
excluded-ip-address 192.168.70.1 192.168.70.2
dns-list 114.114.114.114
#
ip pool vlan80
gateway-list 192.168.80.254
network 192.168.80.0 mask 255.255.255.0
excluded-ip-address 192.168.80.1 192.168.80.2
dns-list 114.114.114.114
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 200
vrrp vrid 10 track interface Vlanif11 reduced 150
dhcp select global
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 200
vrrp vrid 20 track interface Vlanif11 reduced 150
dhcp select global
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 200
vrrp vrid 30 track interface Vlanif11 reduced 150
dhcp select global
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 200
vrrp vrid 40 track interface Vlanif11 reduced 150
dhcp select global
#
interface Vlanif50
ip address 192.168.50.1 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.254
dhcp select global
#
interface Vlanif60
ip address 192.168.60.1 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
dhcp select global
#
interface Vlanif70
ip address 192.168.70.1 255.255.255.0
vrrp vrid 70 virtual-ip 192.168.70.254
dhcp select global
#
interface Vlanif80
ip address 192.168.80.1 255.255.255.0
vrrp vrid 80 virtual-ip 192.168.80.254
dhcp select global
#
interface Vlanif90
ip address 192.168.90.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 90
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 11
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.11.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.70.0 0.0.0.255
network 192.168.80.0 0.0.0.255
network 192.168.90.0 0.0.0.255
#
port-group 1
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
sysname L3S2
#
undo info-center enable
#
vlan batch 10 to 12 20 30 40 50 60 70 80
#
stp instance 1 root secondary
stp instance 2 root primary
#
dhcp enable
#
stp region-configuration
region-name 22tt02
revision-level 1
instance 1 vlan 10 20 30 40
instance 2 vlan 50 60 70 80
active region-configuration
#
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.1 192.168.10.2
dns-list 114.114.114.114
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.1 192.168.20.2
dns-list 114.114.114.114
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.1 192.168.30.2
dns-list 114.114.114.114
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.1 192.168.40.2
dns-list 114.114.114.114
#
ip pool vlan50
gateway-list 192.168.50.254
network 192.168.50.0 mask 255.255.255.0
excluded-ip-address 192.168.50.1 192.168.50.2
dns-list 114.114.114.114
#
ip pool vlan60
gateway-list 192.168.60.254
network 192.168.60.0 mask 255.255.255.0
excluded-ip-address 192.168.60.1 192.168.60.2
dns-list 114.114.114.114
#
ip pool vlan70
gateway-list 192.168.70.254
network 192.168.70.0 mask 255.255.255.0
excluded-ip-address 192.168.70.1 192.168.70.2
dns-list 114.114.114.114
#
ip pool vlan80
gateway-list 192.168.80.254
network 192.168.80.0 mask 255.255.255.0
excluded-ip-address 192.168.80.1 192.168.80.2
dns-list 114.114.114.114
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
dhcp select global
#
interface Vlanif12
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
dhcp select global
#
interface Vlanif30
ip address 192.168.30.2 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
dhcp select global
#
interface Vlanif40
ip address 192.168.40.2 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
dhcp select global
#
interface Vlanif50
ip address 192.168.50.2 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.254
vrrp vrid 50 priority 200
vrrp vrid 50 track interface Vlanif12 reduced 150
dhcp select global
#
interface Vlanif60
ip address 192.168.60.2 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
vrrp vrid 60 priority 200
vrrp vrid 60 track interface Vlanif12 reduced 150
dhcp select global
#
interface Vlanif70
ip address 192.168.70.2 255.255.255.0
vrrp vrid 70 virtual-ip 192.168.70.254
vrrp vrid 70 priority 200
vrrp vrid 70 track interface Vlanif12 reduced 150
dhcp select global
#
interface Vlanif80
ip address 192.168.80.2 255.255.255.0
vrrp vrid 80 virtual-ip 192.168.80.254
vrrp vrid 80 priority 200
vrrp vrid 80 track interface Vlanif12 reduced 150
dhcp select global
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 12
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 12
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.70.0 0.0.0.255
network 192.168.80.0 0.0.0.255
network 192.168.90.0 0.0.0.255
network 192.168.12.0 0.0.0.255
#
port-group 1
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
Router configuration
sysname R1
#
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 permit source 192.168.20.0 0.0.0.255
acl number 2001
rule 5 permit source 192.168.30.0 0.0.0.255
rule 10 permit source 192.168.40.0 0.0.0.255
#
aaa
local-user admin password cipher %$%$s_c59+PDm/$he~0>C.fYb%9!%$%$
local-user admin service-type ppp
#
nat address-group 1 99.1.1.3 99.1.1.5
nat address-group 2 99.1.1.6 99.1.1.8
#
interface Serial1/0/0
link-protocol ppp
ip address 99.1.1.1 255.255.255.240
nat server protocol icmp global 99.1.1.10 inside 192.168.90.2
nat outbound 2000 address-group 1
nat outbound 2001 address-group 2
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap
ip address 172.16.1.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.11.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.12.1 255.255.255.0
#
ospf 1
default-route-advertise always
import-route rip 1
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.12.0 0.0.0.255
#
rip 1
undo summary
default-route originate
version 2
network 172.16.0.0
import-route ospf 1
#
ip route-static 0.0.0.0 0.0.0.0 99.1.1.2
sysname R2
#
interface Serial1/0/1
link-protocol ppp
ppp chap user admin
ppp chap password cipher %$%$v5s!S5c~c:qdMz33x!%4,"@;%$%$
ip address 172.16.1.2 255.255.255.252
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 172.16.0.0
Test verification
PC1 accesses the Internet
PC1 accesses the loopback interface 10.1.1.1 on R2
Users in VLAN 10 and VLAN 20 can access the FTP server during working hours (9:00–18:00)
This behavior is a simulator bug: the current time is Saturday, so the ping should fail, yet it still succeeds in the simulator. The configuration itself appears to be correct; note, however, that the time-range and ACL 3001 rules applied by `traffic-filter inbound acl 3001` on L2S1's GigabitEthernet0/0/1 are not included in the partial configuration shown above, so they cannot be checked from this page alone.
VLAN 10 and VLAN 20 are not allowed to access each other.
Only the FTP service of the FTP server (192.168.90.2) is published to the Internet, using the public IP address 99.1.1.10. Note that the R1 configuration shown above contains only an ICMP mapping (`nat server protocol icmp global 99.1.1.10 inside 192.168.90.2`), presumably for the ping test; the FTP (TCP) mapping is not part of the configuration shown on this page.
Mapping successful
Packet capture on egress router interface
Intranet server interface packet capture
Experiment link
Link: https://pan.baidu.com/s/18GV_KJ4CXhcRioBuO82ZfA
Extraction code: 6666