1.配置eth-trunk進行綁定
[LSW1]interface Eth-Trunk 0
[LSW1-Eth-Trunk0]q
[LSW1]interface g0/0/2
[LSW1-GigabitEthernet0/0/2]eth-trunk 0
[LSW1-GigabitEthernet0/0/2]int g0/0/3? ?
[LSW1-GigabitEthernet0/0/3]eth-trunk 0
[LSW1-GigabitEthernet0/0/3]display eth-trunk 0
2.創建vlan,劃分接口類型
[LSW1]vlan 2
[LSW1]port-group group-member g0/0/4 to g0/0/5 Eth-Trunk 0
[LSW1-port-group]port link-type trunk?
[LSW1-GigabitEthernet0/0/4]port link-type trunk?
[LSW1-GigabitEthernet0/0/5]port link-type trunk?
[LSW1-port-group]port trunk allow-pass vlan 2
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 2
[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 2
[LSW1-Eth-Trunk0]port trunk allow-pass vlan 2
[LSW2]vlan 2
[LSW2-vlan2]q
[LSW2]port-group group-member g0/0/4 to g0/0/5 Eth-Trunk 0
[LSW2-port-group]port trunk allow-pass vlan 2
[LSW2-Eth-Trunk0]port trunk allow-pass vlan 2
[LSW3]vlan 2
[LSW3-vlan2]q
[LSW3-Ethernet0/0/3]int e0/0/4
[LSW3-Ethernet0/0/4]port link-type access
[LSW3-Ethernet0/0/4]port default vlan 2
[LSW3-Ethernet0/0/4]q?
[LSW3]port-group group-member e0/0/1 to e0/0/2?
[LSW3-port-group]port link-type trunk
[LSW3-port-group]port trunk allow-pass vlan 2
?
[LSW4]vlan 2
[LSW4-vlan2]q
[LSW4]int e0/0/4
[LSW4-Ethernet0/0/4]port link-type access?
[LSW4-Ethernet0/0/4]port default vlan 2
[LSW4-Ethernet0/0/4]q
[LSW4]port-group group-member e0/0/1 to e0/0/2
[LSW4-port-group]port link-type trunk
[LSW4-port-group]port trunk allow-pass vlan 2
?
3.配置生成樹:
[LSW1]stp region-configuration?
[LSW1-mst-region]region-name a
[LSW1-mst-region]instance 1 vlan 1
[LSW1-mst-region]instance 2 vlan 2
[LSW1-mst-region]active region-configuration?
[LSW1]stp instance 1 root primary
[LSW1]stp instance 2 root secondary?
[LSW1]stp instance 0 root primary?
[LSW2]stp region-configuration?
[LSW2-mst-region]instance 1 vlan 1
[LSW2-mst-region]instance 2 vlan 2
[LSW2-mst-region]active region-configuration?
[LSW2]stp instance 1 root secondary?
[LSW2]stp instance 2 root primary?
[LSW2]stp instance 0 root secondary?
[LSW3]stp region-configuration?
[LSW3-mst-region]region-name a
[LSW3-mst-region]instance 1 vlan 1
[LSW3-mst-region]instance 2 vlan 2
[LSW3-mst-region]active region-configuration?
[LSW4]stp region-configuration?
[LSW4-mst-region]region-name a
[LSW4-mst-region]instance 1 vlan 1
[LSW4-mst-region]instance 2 vlan 2
[LSW4-mst-region]active region-configuration
[LSW3]port-group group-member e0/0/1 to e0/0/2
[LSW3-port-group]stp edged-port enable?
[LSW3]int e0/0/3
[LSW3-Ethernet0/0/3]stp instance 0 port priority 16
5.配置ip地址SVI:
[LSW1]int vlan 1
[LSW1-Vlanif1]ip add?? ?
[LSW1-Vlanif1]ip address 172.16.1.1 25
[LSW1-Vlanif1]int vlan 2
[LSW1-Vlanif2]ip address 172.16.1.129 25
[LSW1-Vlanif2]display ip interface brief
[LSW2]int vlan 1
[LSW2-Vlanif1]ip address 172.16.1.2 25
[LSW2-Vlanif1]int vlan 2
[LSW2-Vlanif2]ip address 172.16.1.130 25
[LSW2-Vlanif2]display ip interface brief
6.進行網關冗余VRRP:
[LSW1]int vlan 1?
[LSW1-Vlanif1]vrrp vrid 1 virtual-ip 172.16.1.126?
[LSW1-Vlanif1]vrrp vrid 1 priority 110?
[LSW1-Vlanif1]vrrp vrid 1 track interface g0/0/1 reduced 20
[LSW1]int vlan 2
[LSW1-Vlanif2]vrrp vrid 1 virtual-ip 172.16.1.254
[LSW2]int vlan 1
[LSW2-Vlanif1]vrrp vrid 1 virtual-ip 172.16.1.126(vrid、virtual-ip需和LSW1保持一致)
[LSW2]int vlan 2
[LSW2-Vlanif2]vrrp vrid 1 virtual-ip 172.16.1.254
[LSW2-Vlanif2]vrrp vrid 1 priority 110
[LSW2-Vlanif2]vrrp vrid 1 track int g0/0/1 reduced ?20
7.配置DHCP獲取IP地址:
[LSW1]dhcp enable?
[LSW1]ip pool a1
[LSW1-ip-pool-a1]net 172.16.1.0 mask 25
[LSW1-ip-pool-a1]gateway-list 172.16.1.126 ?
[LSW1-ip-pool-a1]dns-list 114.114.114.114
[LSW1-ip-pool-a1]q
[LSW1]ip pool a2
[LSW1-ip-pool-a2]net 172.16.1.128 mask 25
[LSW1-ip-pool-a2]gateway-list 172.16.1.254
[LSW1-ip-pool-a2]dns-list 114.114.114.114
[LSW1-ip-pool-a2]q
[LSW1]int vlan 1 ? ?
[LSW1-Vlanif1]dhcp select global?
[LSW1-Vlanif1]int vlan 2
[LSW1-Vlanif2]dhcp select global?
[SW2]dhcp enable
[SW2]ip pool a1
Info:It's successful to create an IP address pool.
[SW2-ip-pool-a1]net 172.16.1.0 mask 25
[SW2-ip-pool-a1]gateway-list 172.16.1.126 ??
[SW2-ip-pool-a1]dns-list 114.114.114.114
[SW2-ip-pool-a1]q
[SW2]ip pool a2
Info:It's successful to create an IP address pool.
[SW2-ip-pool-a2]net 172.16.1.128 mask 25 ??
[SW2-ip-pool-a2]gateway-list 172.16.1.254
[SW2-ip-pool-a2]dns-list 114.114.114.114
[SW2-ip-pool-a2]q
[SW2]int vlan 1
[SW2-Vlanif1]dhcp select global?
[SW2-Vlanif1]int vlan 2
[SW2-Vlanif2]dhcp select global?
8.對于上層路由器進行連接
[SW1]vlan 99
[SW1-GigabitEthernet0/0/2]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access?
[SW1-GigabitEthernet0/0/1]port default vlan 99
[SW1]int vlan 99
[SW1-Vlanif99]ip add 172.16.0.2 30
[SW2]vlan 99
[SW2-vlan99]int g0/0/1?
[SW2-GigabitEthernet0/0/1]port link-type access ?
[SW2-GigabitEthernet0/0/1]q
[SW2]int vlan 99
[SW2-Vlanif99]ip add 172.16.0.6 30
9.配置沉默接口:
[LSW1]ospf 1
[SW1-ospf-1]silent-interface all
[SW1-ospf-1]undo silent-interface GigabitEthernet 0/0/1
[SW1-ospf-1]undo silent-interface Vlanif 99
[SW1-ospf-1]undo silent-interface Eth-Trunk 0
[SW1-ospf-1]undo silent-interface Vlanif 1
[SW2]ospf 1
[SW2-ospf-1]silent-interface all
[SW2-ospf-1]undo silent-interface GigabitEthernet 0/0/1
[SW2-ospf-1]undo silent-interface Vlanif 99
[SW2-ospf-1]undo silent-interface Eth-Trunk 0 ?
[SW2-ospf-1]undo silent-interface Vlanif 1
三、配置路由器部分:
1.配置ospf協議
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 172.16.0.0 0.0.0.255
[SW1]ospf 1 router-id 3.3.3.3
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]net 172.16.0.2 0.0.0.0
[SW1-ospf-1]area 1
[SW1-ospf-1-area-0.0.0.1]net 172.16.1.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.1]
[SW2]ospf 1 router-id 4.4.4.4
[SW2-ospf-1]area 0?
[SW2-ospf-1-area-0.0.0.0]net 172.16.0.6 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]q
[SW2-ospf-1]area 1
[SW2-ospf-1-area-0.0.0.1]net 172.16.1.0 0.0.0.255
2.配置缺省路由
[R2]ip route-static 0.0.0.0 0 12.1.1.1
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]default-route-advertise?
3.進行路由匯總:
[SW1]ospf 1
[SW1-ospf-1]area 1
[SW1-ospf-1-area-0.0.0.1]abr-summary 172.16.1.0 255.255.255.0
[SW2]ospf 1
[SW2-ospf-1]area 1
[SW2-ospf-1-area-0.0.0.1]abr-summary 172.16.1.0 255.255.255.0
4.防止路由黑洞
[SW1]ip route-static 172.16.1.0 24 NULL 0
[SW2]ip route-static 172.16.1.0 24 NULL 0
5.配置nat,進行上網:
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 172.16.0.0 0.0.255.255
[R2-acl-basic-2000]q
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]nat outbound 2000
確定 ISP 連接接口及 IP 配置
- 明確 R1?與 ISP 相連的接口(假設為?
GE 0/0/0?) ,在 R1上僅進行 IP 地址相關配置。若已知 ISP 側 IP 地址為?12.1.1.1?,則在 R1?設備上配置:
plaintext
[R1]interface GE0/0/0
[R1-GigabitEthernet0/0/0]ip address 12.1.1.2 30
此配置僅為接口設置 IP 地址,符合 “只能配置 IP 地址” 的要求 。
確保連接及路由可達
- 鏈路連通性測試:在 R1?上使用?
ping?命令測試與 ISP 的連通性,如?ping 12.1.1.1?,確保物理鏈路和 IP 層連通正常。 - 路由配置:在 R1?及相關網絡設備(如 LSW1、LSW2 等 )上,通過 OSPF 等動態路由協議(已配置情況下 )或靜態路由,保證內網到 ISP 方向路由可達。例如在 R1?上,已配置缺省路由?
[R1]ip route-static 0.0.0.0 0 12.1.1.1?,將所有未知流量導向 ISP ;在 LSW1 和 LSW2 上,通過 OSPF 學習到前往 R2 及 ISP 方向的路由。
安全策略限制
為進一步確保 ISP 只能配置 IP 地址,可在 R2 上配置訪問控制列表(ACL ) ,限制對 ISP 設備的其他訪問操作(假設 ISP 設備不允許除 IP 配置外的其他遠程管理等操作 )。例如:
plaintext
[R1]acl 3000
[R1-acl-adv-3000]rule deny ip source any destination 12.1.1.1 0.0.0.0 (禁止內網主動訪問 ISP 除 IP 相關配置外的其他服務 )
[R1-acl-adv-3000]rule permit ip source 12.1.1.2 0.0.0.0 destination any (允許 R2 與 ISP 正常通信 )
[R1-acl-adv-3000]quit
[R1]interface GE0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 (在入方向應用 ACL 策略 )
通過以上操作,在網絡連接和安全控制層面實現 ISP 僅進行 IP 地址配置的要求 。
ping 12.1.1.1
)
的對比,包含配置示例和關鍵差異總結)
-- 使用JAXB,將JavaBean轉換XML文本)
)
