项目2路由交换
背景
某学校为满足日常教学生活需求,推动数字校园的建设。学校有办公楼、学生宿舍楼和服务器集群三块区域,请合理规划 IP 地址和 VLAN,实现校园内部互联互通;现要求外网能通过公网地址访问服务器集群,学生和老师能正常上网。要求配置 VRRP+MSTP 达成链路负载分担,解决单点故障问题。同时在出口路由器上实现 NAT 地址转换,使内部主机使用 ISP 提供的公网地址访问外网。需要注意:NAT 只是隐藏了内部真实地址,本身并不是访问控制手段,外部能访问到哪些内部资源取决于 nat server 映射和 ACL 的放行范围。
实验拓扑
配置要求
(1)三种类型主机群分别在不同网段、不同 VLAN,实现 VLAN间通信,其中学生宿舍使用DHCP动态获取IP地址,办公楼和服务群采用静态IP地址;
(2)LSW1和LSW2为接入交换机,LSW3和LSW4为核心交换机,AR1为出口路由器;
(3)学生宿舍楼和办公楼属于MSTP实例1,VRRP主路由器为LSW3,备份路由器为LSW4;
(4)服务器群属于MSTP实例2,VRRP主路由器为 LSW4,备份路由器为 LSW3;
(5)使用LACP模式实现LSW3与LSW4的链路聚合,并设置2条活动链路,1条备份链路;
(6)外网服务器IP地址为100.100.100.100/24;
(7)合理规划核心交换机和路由器之间的互联地址;
(8)访问控制要求:内网访问外网时,源地址映射为出口路由器外网接口的 IP 地址(即 Easy IP 方式)。
实验配置
链路聚合
常规操作:创建 Eth-Trunk 1,将模式改为 LACP(mode lacp-static),把成员接口 G0/0/22~24 加入聚合组,并设置最大活动链路数为 2(max active-linknumber 2),剩余 1 条自动成为备份链路。
划分vlan
创建 VLAN;交换机之间互联的接口配置为 trunk 并放行相关 VLAN,与路由器相连的接口按拓扑划分为对应的 access VLAN。下面三行是所用命令的简写,完整写法依次为:
vlan batch 10 20 30 40 90
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
MSTP
stp region-configuration
region-name hhh
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 90
active region-configuration
(截图略)可以看到各实例的 MSTP 根桥与 VRRP 主设备一致:SW1 为实例 1 的主根桥、同时是 VLAN 10/20 的 VRRP 主;SW2 为实例 2 的主根桥、同时是 VLAN 90 的 VRRP 主,因此流量被正确引流至 VRRP 主设备,避免二层根桥与三层网关不在同一台设备上造成的绕行。
配置IP
依图配置,省略(各接口地址见下文全局配置)。注意:AR2 与 AR3 的 GigabitEthernet0/0/1 都配置为 192.168.60.2/30,与 AR1 的 192.168.60.1/30 属于同一个网段;如果这两个接口接在同一条链路上会造成地址冲突,疑为 AR2 的遗留配置,需对照拓扑核实。
VRRP设置
SW1 为 VLAN 10/20 的 VRRP 主(priority 120)、VLAN 90 的备;SW2 为 VLAN 90 的主(priority 120)、VLAN 10/20 的备。两台设备均对上行口 GigabitEthernet0/0/2 做 track,接口故障时优先级减 40 降为 80,低于对端的默认优先级 100,从而触发主备切换。(需求中的 LSW3/LSW4 在实际配置中对应 SW1/SW2。)安全提示:各 VRRP 组均未配置认证(vrrp vrid ... authentication-mode),同一 VLAN 内的任意主机都可以发送更高优先级的 VRRP 通告抢占虚拟网关,造成中间人或断网;生产环境应启用 VRRP 认证,并在接入口过滤用户侧发出的 VRRP 报文。
OSPF配置
OSPF 配置后内网各网段互通:SW1 与 AR1 的互联网段在区域 1,SW2 与 AR3 的互联网段在区域 2,AR1-AR3 的互联网段 192.168.60.0/30 在区域 0。
DHCP配置
终端通过 DHCP 中继(SW1/SW2 的 Vlanif10 上 dhcp select relay,指向 192.168.30.2 和 192.168.40.2)从 AR1/AR3 的全局地址池拿到地址,中继正常。注意两点:一是 AR1 和 AR3 都配置了同一网段 192.168.10.0/24 的地址池 10,且未用 excluded-ip-address 划分各自的分配范围,两台服务器可能给不同主机分配到相同地址(两者下发的 DNS 也不一致,分别为 8.8.8.8 和 114.114.114.114);二是接入交换机未启用 DHCP Snooping,宿舍 VLAN 内的任意主机都能冒充 DHCP 服务器下发伪造的网关和 DNS。
NAT配置
内网可访问外网服务器 100.100.100.100:AR3 上配置了静态路由 100.100.100.0/24 指向 16.16.16.2,并通过 import-route static 引入 OSPF。需要注意,缺省路由 0.0.0.0/0 不会随 import-route static 引入 OSPF,若要让内网访问任意外网地址,还需在 AR3 的 OSPF 中配置 default-route-advertise。
写法一:nat server protocol tcp global interface GigabitEthernet0/0/2(外网接口) 80 inside 192.168.2.12 80 —— 注意 192.168.2.12 不在本项目的地址规划内,服务器群位于 192.168.90.0/24,inside 地址应与下一条写法保持一致;另外下文 AR3 的全局配置中并未出现 nat server 命令,需确认该映射是否实际下发。
acl 3000
rule 5 permit ip source 192.168.90.0 0.0.0.255 destination 100.100.100.0 0.0.0.255
nat outbound 3000(在外网接口视图下)
说明:原文 destination 后面的“80”不是合法的通配符掩码,应写为 0.0.0.255。另外,最终 AR3 配置中实际生效的是基本 ACL 2000(放行 192.168.10.0/24、192.168.20.0/24、192.168.90.0/24)的 nat outbound,ACL 3000 和空的 ACL 3001 没有被任何接口引用,属于残留配置,建议删除以免误导后续维护。
写法二(外网接口视图):nat server protocol tcp global current-interface 80 inside 192.168.90.1 www —— 把外网接口地址的 TCP 80 静态映射到内网服务器 192.168.90.1 的 80 端口(www 即 80)。
静态映射只绑定服务器的 80 端口。安全提示:该映射使服务器直接暴露在公网,应只映射必需的端口;建议在外网接口入方向再配置 ACL,仅放行目的为该服务器 TCP 80 的流量,并对服务器自身做加固。
全局配置(eNSP 导出,含未修改的默认项)。安全提示:以下交换机配置中 aaa 下的 local-user admin password simple admin 以明文保存了弱口令且只开放 http 服务,路由器上的 password cipher 通常也是可逆加密;vty 0 4 下未配置 authentication-mode 和访问 ACL,snmp-agent 被启用但未见团体字/版本限制,cluster/ntdp/ndp 等管理协议也处于开启状态。实验环境可以接受,生产环境应改用 irreversible-cipher 强口令、仅开放 SSH、为 vty 绑定 ACL,并关闭不需要的 SNMP/HTTP/集群管理服务。
SW1
#
sysname SW1
#
vlan batch 10 20 30 40 90
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
region-name hhh
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 90
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.10.10 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
vrrp vrid 10 track interface GigabitEthernet0/0/2 reduced 40
dhcp select relay
dhcp relay server-ip 192.168.30.2
dhcp relay server-ip 192.168.40.2
#
interface Vlanif20
ip address 192.168.20.10 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
vrrp vrid 20 track interface GigabitEthernet0/0/2 reduced 40
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.252
#
interface Vlanif90
ip address 192.168.90.10 255.255.255.0
vrrp vrid 90 virtual-ip 192.168.90.254
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
mode lacp-static
max active-linknumber 2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
eth-trunk 1
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
interface NULL0
#
ospf 1
area 0.0.0.1
network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
SW2
#
sysname SW2
#
vlan batch 10 20 30 40 90
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
region-name hhh
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 90
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.10.11 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
dhcp select relay
dhcp relay server-ip 192.168.30.2
dhcp relay server-ip 192.168.40.2
#
interface Vlanif20
ip address 192.168.20.11 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.252
#
interface Vlanif90
ip address 192.168.90.11 255.255.255.0
vrrp vrid 90 virtual-ip 192.168.90.254
vrrp vrid 90 priority 120
vrrp vrid 90 track interface GigabitEthernet0/0/2 reduced 40
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
mode lacp-static
max active-linknumber 2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
eth-trunk 1
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
interface NULL0
#
ospf 1
area 0.0.0.0
area 0.0.0.2
network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
SW3
#
sysname SW3
#
vlan batch 10 20 30 40 90
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name hhh
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 90
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 20
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
SW3(注:本段与上一段 SW3 的配置完全相同,疑为重复粘贴;请核对是否应为另一台接入交换机的配置)
#
sysname SW3
#
vlan batch 10 20 30 40 90
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name hhh
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 90
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 20
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
SW4
#
sysname SW4
#
vlan batch 10 20 30 40 90
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name hhh
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 90
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 90
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 90
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
AR1
[V200R003C00]
#
sysname AR1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
dhcp enable
#
ip pool 10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
dns-list 8.8.8.8
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.30.2 255.255.255.252
dhcp select global
#
interface GigabitEthernet0/0/1
ip address 192.168.60.1 255.255.255.252
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 192.168.60.0 0.0.0.255
area 0.0.0.1
network 192.168.30.0 0.0.0.255
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR2
[V200R003C00]
#
sysname AR2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 100.100.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.60.2 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 16.16.16.2 255.255.255.0
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR3
<AR3>DIS current-configuration
[V200R003C00]
#
sysname AR3
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
dhcp enable
#
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 permit source 192.168.20.0 0.0.0.255
rule 15 permit source 192.168.90.0 0.0.0.255
#
acl number 3000
rule 5 permit ip source 192.168.90.0 0.0.0.255 destination 16.16.16.0 0.0.0.255
acl number 3001
#
ip pool 10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
dns-list 114.114.114.114
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.40.2 255.255.255.252
dhcp select global
#
interface GigabitEthernet0/0/1
ip address 192.168.60.2 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 16.16.16.1 255.255.255.0
nat outbound 2000
#
interface NULL0
#
ospf 1
import-route static
area 0.0.0.0
network 16.16.16.0 0.0.0.255
network 192.168.60.0 0.0.0.255
area 0.0.0.2
network 192.168.40.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 16.16.16.2
ip route-static 100.100.100.0 255.255.255.0 16.16.16.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
总结
本项目使用 MSTP+VRRP 架构实现上行链路负载分担与相互备份,使用 DHCP 中继为终端分配地址,核心交换机之间采用 LACP 链路聚合(2 条活动、1 条备份)增加带宽和冗余,出口采用 Easy IP(nat outbound 引用 ACL 2000,源地址映射为接口地址)上网,并用 nat server 把 TCP 80 映射到内部服务器。