實驗拓撲圖：

實驗要求：

1,內網IP地址使用172.16.0.0/16分配

2,SW1和SW2之間互為備份

3,VRRP/STP/VLAN/Eth-trunk均使用

4,所有PC均通過DHCP獲取IP地址

5,ISP只能配置IP地址

6,所有電腦可以正常訪問ISP路由器環回

實驗步驟：

步驟1：基礎IP配置

目標：為所有設備接口分配IP地址，確保基礎連通性。

R1配置：

[R1] interface GigabitEthernet0/0/0

[R1-GigabitEthernet0/0/0] ip address 12.0.0.1 255.255.255.0? # 連接ISP的接口

[R1-GigabitEthernet0/0/0] quit

[R1] interface GigabitEthernet0/0/1

[R1-GigabitEthernet0/0/1] ip address 172.16.0.130 255.255.255.192? # 連接SW1的VLAN10

[R1-GigabitEthernet0/0/1] quit

[R1] interface GigabitEthernet0/0/2

[R1-GigabitEthernet0/0/2] ip address 172.16.0.194 255.255.255.192? # 連接SW2的VLAN20

[R1-GigabitEthernet0/0/2] quit

ISP路由器配置：

[ISP] interface GigabitEthernet0/0/0

[ISP-GigabitEthernet0/0/0] ip address 12.0.0.2 255.255.255.0

[ISP-GigabitEthernet0/0/0] quit

[ISP] interface LoopBack0

[ISP-LoopBack0] ip address 2.2.2.2 255.255.255.255? # 環回接口

[ISP-LoopBack0] quit

步驟2：配置Eth-Trunk（SW1與SW2互聯）

目標：通過Eth-Trunk增加帶寬和冗余。

SW1配置：

[SW1] interface Eth-Trunk0

[SW1-Eth-Trunk0] mode lacp? # LACP模式

[SW1-Eth-Trunk0] port link-type trunk

[SW1-Eth-Trunk0] port trunk allow-pass vlan 2 3 10 20? # 允許VLAN2、3、10、20通過

[SW1-Eth-Trunk0] quit

# 將GE0/0/1和GE0/0/2加入Eth-Trunk0

[SW1] interface GigabitEthernet0/0/1

[SW1-GigabitEthernet0/0/1] eth-trunk 0

[SW1-GigabitEthernet0/0/1] quit

[SW1] interface GigabitEthernet0/0/2

[SW1-GigabitEthernet0/0/2] eth-trunk 0

[SW1-GigabitEthernet0/0/2] quit

SW2配置：

[SW2] interface Eth-Trunk0

[SW2-Eth-Trunk0] mode lacp

[SW2-Eth-Trunk0] port link-type trunk

[SW2-Eth-Trunk0] port trunk allow-pass vlan 2 3 10 20

[SW2-Eth-Trunk0] quit

# 將GE0/0/1和GE0/0/2加入Eth-Trunk0

[SW2] interface GigabitEthernet0/0/1

[SW2-GigabitEthernet0/0/1] eth-trunk 0

[SW2-GigabitEthernet0/0/1] quit

[SW2] interface GigabitEthernet0/0/2

[SW2-GigabitEthernet0/0/2] eth-trunk 0

[SW2-GigabitEthernet0/0/2] quit

步驟3：配置VLAN與接口

目標：劃分VLAN，配置Access/Trunk端口。

SW3和SW4（二層交換機）配置

[SW3] vlan batch 2 3? # 創建VLAN2和VLAN3

# PC接入端口配置（Access模式）

[SW3] interface GigabitEthernet0/0/1

[SW3-GigabitEthernet0/0/1] port link-type access

[SW3-GigabitEthernet0/0/1] port default vlan 2? # PC1屬于VLAN2

[SW3-GigabitEthernet0/0/1] quit

[SW3] interface GigabitEthernet0/0/2

[SW3-GigabitEthernet0/0/2] port link-type access

[SW3-GigabitEthernet0/0/2] port default vlan 3? # PC2屬于VLAN3

[SW3-GigabitEthernet0/0/2] quit

# 上聯口配置Trunk（與SW1/SW2互聯）

[SW3] interface GigabitEthernet0/0/3

[SW3-GigabitEthernet0/0/3] port link-type trunk

[SW3-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3? # 允許VLAN2和VLAN3通過

[SW3-GigabitEthernet0/0/3] quit

# SW4的配置（與SW3對稱）

[SW4] vlan batch 2 3

[SW4] interface GigabitEthernet0/0/1

[SW4-GigabitEthernet0/0/1] port link-type access

[SW4-GigabitEthernet0/0/1] port default vlan 2? # PC3屬于VLAN2

[SW4-GigabitEthernet0/0/1] quit

[SW4] interface GigabitEthernet0/0/2

[SW4-GigabitEthernet0/0/2] port link-type access

[SW4-GigabitEthernet0/0/2] port default vlan 3? # PC4屬于VLAN3

[SW4-GigabitEthernet0/0/2] quit

[SW4] interface GigabitEthernet0/0/3

[SW4-GigabitEthernet0/0/3] port link-type trunk

[SW4-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3

[SW4-GigabitEthernet0/0/3] quit

SW1和SW2（三層交換機）配置

[SW1] vlan batch 2 3 10 20? # 創建VLAN2、3、10、20

# 上聯R1的接口（Access模式）

[SW1] interface GigabitEthernet0/0/5

[SW1-GigabitEthernet0/0/5] port link-type access

[SW1-GigabitEthernet0/0/5] port default vlan 10? # 屬于VLAN10

[SW1-GigabitEthernet0/0/5] quit

# 連接到SW3/SW4的接口配置Trunk

[SW1] interface GigabitEthernet0/0/3

[SW1-GigabitEthernet0/0/3] port link-type trunk

[SW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3? # 允許VLAN2和VLAN3通過

[SW1-GigabitEthernet0/0/3] quit

# SW2的配置（與SW1對稱）

[SW2] vlan batch 2 3 10 20

[SW2] interface GigabitEthernet0/0/5

[SW2-GigabitEthernet0/0/5] port link-type access

[SW2-GigabitEthernet0/0/5] port default vlan 20? # 屬于VLAN20

[SW2-GigabitEthernet0/0/5] quit

[SW2] interface GigabitEthernet0/0/3

[SW2-GigabitEthernet0/0/3] port link-type trunk

[SW2-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3

[SW2-GigabitEthernet0/0/3] quit

步驟4：配置VRRP（網關冗余）

目標：SW1為主設備，SW2為備設備，實現網關高可用。

SW1配置（主設備）：

# VLAN2的VRRP配置

[SW1] interface Vlanif2

[SW1-Vlanif2] ip address 172.16.0.1 255.255.255.192

[SW1-Vlanif2] vrrp vrid 1 virtual-ip 172.16.0.62? # 虛擬IP

[SW1-Vlanif2] vrrp vrid 1 priority 120? # 主設備優先級高（默認100）

[SW1-Vlanif2] vrrp vrid 1 track interface GigabitEthernet0/0/5 reduced 30? # 跟蹤上聯R1的接口

[SW1-Vlanif2] quit

# VLAN3的VRRP配置

[SW1] interface Vlanif3

[SW1-Vlanif3] ip address 172.16.0.65 255.255.255.192

[SW1-Vlanif3] vrrp vrid 2 virtual-ip 172.16.0.126

[SW1-Vlanif3] vrrp vrid 2 priority 120

[SW1-Vlanif3] quit

SW2配置（備設備）：

# VLAN2的VRRP配置

[SW2] interface Vlanif2

[SW2-Vlanif2] ip address 172.16.0.2 255.255.255.192

[SW2-Vlanif2] vrrp vrid 1 virtual-ip 172.16.0.62? # 虛擬IP需與SW1一致

[SW2-Vlanif2] vrrp vrid 1 priority 100? # 備設備優先級低

[SW2-Vlanif2] quit

# VLAN3的VRRP配置

[SW2] interface Vlanif3

[SW2-Vlanif3] ip address 172.16.0.66 255.255.255.192

[SW2-Vlanif3] vrrp vrid 2 virtual-ip 172.16.0.126

[SW2-Vlanif3] vrrp vrid 2 priority 100

[SW2-Vlanif3] quit

步驟5：配置DHCP服務器

目標：PC通過DHCP獲取IP，網關為VRRP虛擬IP。

SW1配置：

# 啟用DHCP

[SW1] dhcp enable

# VLAN2的DHCP作用域

[SW1] ip pool VLAN2

[SW1-ip-pool-VLAN2] network 172.16.0.0 mask 255.255.255.192

[SW1-ip-pool-VLAN2] gateway-list 172.16.0.62? # VRRP虛擬IP

[SW1-ip-pool-VLAN2] dns-list 8.8.8.8

[SW1-ip-pool-VLAN2] quit

# VLAN3的DHCP作用域

[SW1] ip pool VLAN3

[SW1-ip-pool-VLAN3] network 172.16.0.64 mask 255.255.255.192

[SW1-ip-pool-VLAN3] gateway-list 172.16.0.126

[SW1-ip-pool-VLAN3] dns-list 8.8.8.8

[SW1-ip-pool-VLAN3] quit

# 綁定VLANIF接口

[SW1] interface Vlanif2

[SW1-Vlanif2] dhcp select global

[SW1-Vlanif2] quit

[SW1] interface Vlanif3

[SW1-Vlanif3] dhcp select global

[SW1-Vlanif3] quit

步驟6：配置STP（生成樹協議）

1. SW1（三層交換機）配置

[SW1] stp enable????????? # 全局啟用STP

[SW1] stp mode mstp?????? # 配置為MSTP模式

[SW1] stp region-configuration? # 進入MST區域配置

[SW1-mst-region] region-name MST_DOMAIN? # 設置MST域名稱

[SW1-mst-region] instance 1 vlan 2????? # 將VLAN2映射到實例1

[SW1-mst-region] instance 2 vlan 3????? # 將VLAN3映射到實例2

[SW1-mst-region] active region-configuration? # 激活配置

[SW1-mst-region] quit

# 指定SW1為VLAN2（實例1）的根橋，SW2為VLAN3（實例2）的根橋

[SW1] stp instance 1 root primary? # 實例1（VLAN2）的根橋

[SW1] stp instance 2 root secondary? # 實例2（VLAN3）的非根橋

2. SW2（三層交換機）配置

[SW2] stp enable

[SW2] stp mode mstp

[SW2] stp region-configuration

[SW2-mst-region] region-name MST_DOMAIN

[SW2-mst-region] instance 1 vlan 2

[SW2-mst-region] instance 2 vlan 3

[SW2-mst-region] active region-configuration

[SW2-mst-region] quit

# 指定SW2為VLAN3（實例2）的根橋，SW1為VLAN2（實例1）的根橋

[SW2] stp instance 1 root secondary? # 實例1（VLAN2）的非根橋

[SW2] stp instance 2 root primary??? # 實例2（VLAN3）的根橋

3. SW3（二層交換機）配置

[SW3] stp enable

[SW3] stp mode mstp

[SW3] stp region-configuration

[SW3-mst-region] region-name MST_DOMAIN

[SW3-mst-region] instance 1 vlan 2

[SW3-mst-region] instance 2 vlan 3

[SW3-mst-region] active region-configuration

[SW3-mst-region] quit

4. SW4（二層交換機）配置

[SW4] stp enable

[SW4] stp mode mstp

[SW4] stp region-configuration

[SW4-mst-region] region-name MST_DOMAIN

[SW4-mst-region] instance 1 vlan 2

[SW4-mst-region] instance 2 vlan 3

[SW4-mst-region] active region-configuration

[SW4-mst-region] quit

步驟7：路由器R1配置（內外網通信）

目標：實現內網訪問ISP環回地址和外網。

R1配置：

# 1. 靜態路由到ISP的環回地址（2.2.2.2）

[R1] ip route-static 2.2.2.2 255.255.255.255 12.0.0.2? # 通過ISP路由器的接口

# 2. 配置NAT（內網網段為172.16.0.0/16）

[R1] acl number 2000

[R1-acl-adv-2000] rule 5 permit source 172.16.0.0 0.0.255.255

[R1-acl-adv-2000] quit

[R1] interface GigabitEthernet0/0/0? # 連接ISP的接口

[R1-GigabitEthernet0/0/0] nat outbound 2000? # 啟用NAT

[R1-GigabitEthernet0/0/0] quit

# 3. 配置OSPF（與SW1/SW2互通）

[R1] ospf 1 router-id 1.1.1.1? # 設置Router ID

[R1-ospf-1] area 0.0.0.0

[R1-ospf-1-area-0.0.0.0] network 172.16.0.0 0.0.255.255? # 宣告內網網段

[R1-ospf-1-area-0.0.0.0] network 12.0.0.0 0.0.0.255????? # 宣告連接ISP的網段

[R1-ospf-1-area-0.0.0.0] quit

驗證配置

PC地址

?

?

同一VLAN間可以通信

不同vlan間也能通信

關閉SW1的VLAN2接口，SW2自動接管虛擬IP，PC仍能正常訪問網絡。

?

內外網測試