NE Comprehensive Lab 4
I. Lab Topology
II. Lab Requirements
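- Configure IP addresses as shown in the diagram.
- Configure link aggregation on the direct links between SW7 and SW8.
- The company's internal service segments are VLAN 10 and VLAN 20. VLAN 10 is the marketing department and VLAN 20 is the technical department; name the VLANs so they can be told apart. PC10 belongs to VLAN 10 and PC11 belongs to VLAN 20. VLAN 30, VLAN 40, VLAN 50, VLAN 60, VLAN 70, VLAN 80, VLAN 90, VLAN 100 and VLAN 110 are interconnect VLANs over which the switches establish RIP dynamic routing.
- Configure all ports that connect switches to each other as trunk ports and permit the relevant traffic.
- Configure the switch ports that connect to PCs as edge ports.
- Make SW9 the spanning-tree root bridge.
- Configure a DHCP service on SW9 that dynamically assigns an IP address, gateway and DNS address to the PCs in VLAN 10 and VLAN 20. The gateway for VLAN 10 is 192.168.1.254, the gateway for VLAN 20 is 192.168.2.254, the DNS server is 114.114.114.114, and the lease is one day.
- Configure OSPF by area as shown in the diagram, and advertise the loopback interfaces into the corresponding areas.
- Configure RIP in the region shown in the diagram, and advertise the loopback interfaces into the corresponding region. No routing protocol packets may appear on the service segments.
- The whole internal network must be mutually reachable.
- R1 and R2 are connected over two links towards the Internet; configure PPP MP on them with bidirectional CHAP authentication.
- Configure Easy IP so that only traffic from the service segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R2 and R3.
- Enable Telnet remote login on R12 and allow only 192.168.1.0/24 to log in.
- Enable the FTP service on R13 and allow only 192.168.2.0/24 to log in.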
III. Lab Steps
- Configure IP addresses as shown in the diagram (omitted).
- Configure link aggregation on the direct links between SW7 and SW8.

```
[SW7]int Bridge-Aggregation 1
[SW7-Bridge-Aggregation1]qu
[SW7]int range g1/0/3 to g1/0/5
[SW7-if-range]port link-aggregation group 1
[SW7-if-range]qu
```

```
[SW8]int Bridge-Aggregation 1
[SW8-Bridge-Aggregation1]qu
[SW8]int range g1/0/3 to g1/0/5
[SW8-if-range]port link-aggregation group 1
[SW8-if-range]qu
```
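- Internal service segments: VLAN 10 is the marketing department and VLAN 20 is the technical department; PC10 belongs to VLAN 10 and PC11 belongs to VLAN 20.

```
[SW9]vlan 10
[SW9-vlan10]port g1/0/3
[SW9-vlan10]name shichangbu
[SW9-vlan10]vlan 20
[SW9-vlan20]port g1/0/4
[SW9-vlan20]name jishubu
```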
- Configure all ports that connect switches to each other as trunk ports and permit the relevant traffic.

```
[SW6]int g1/0/3
[SW6-GigabitEthernet1/0/3]port link-type trunk
[SW6-GigabitEthernet1/0/3]port trunk pvid vlan 50
[SW6-GigabitEthernet1/0/3]port trunk permit vlan all
[SW6-GigabitEthernet1/0/3]int g1/0/4
[SW6-GigabitEthernet1/0/4]port link-type trunk
[SW6-GigabitEthernet1/0/4]port trunk pvid vlan 60
[SW6-GigabitEthernet1/0/4]port trunk permit vlan all
[SW6-GigabitEthernet1/0/4]qu
```

```
[SW7]int g1/0/1
[SW7-GigabitEthernet1/0/1]port link-type trunk
[SW7-GigabitEthernet1/0/1]port trunk pvid vlan 50
[SW7-GigabitEthernet1/0/1]port trunk permit vlan all
[SW7-GigabitEthernet1/0/1]int g1/0/2
[SW7-GigabitEthernet1/0/2]port link-type trunk
[SW7-GigabitEthernet1/0/2]port trunk pvid vlan 30
[SW7-GigabitEthernet1/0/2]port trunk permit vlan all
[SW7-GigabitEthernet1/0/2]int br 1
[SW7-Bridge-Aggregation1]port link-type trunk
[SW7-Bridge-Aggregation1]port trunk pvid vlan 110
[SW7-Bridge-Aggregation1]port trunk permit vlan all
```

```
[SW8]int g1/0/1
[SW8-GigabitEthernet1/0/1]port link-type trunk
[SW8-GigabitEthernet1/0/1]port trunk pvid vlan 60
[SW8-GigabitEthernet1/0/1]port trunk permit vlan all
[SW8]int g1/0/2
[SW8-GigabitEthernet1/0/2]port link-type trunk
[SW8-GigabitEthernet1/0/2]port trunk pvid vlan 40
[SW8-GigabitEthernet1/0/2]port trunk permit vlan all
[SW8]int Bridge-Aggregation 1
[SW8-Bridge-Aggregation1]port link-type trunk
[SW8-Bridge-Aggregation1]port trunk pvid vlan 110
[SW8-Bridge-Aggregation1]port trunk permit vlan all
```

```
[SW9]int g1/0/1
[SW9-GigabitEthernet1/0/1]port link-type trunk
[SW9-GigabitEthernet1/0/1]port trunk pvid vlan 30
[SW9-GigabitEthernet1/0/1]port trunk permit vlan all
[SW9-GigabitEthernet1/0/1]int g1/0/2
[SW9-GigabitEthernet1/0/2]port link-type trunk
[SW9-GigabitEthernet1/0/2]port trunk pvid vlan 40
[SW9-GigabitEthernet1/0/2]port trunk permit vlan all
```
- Configure the switch ports that connect to PCs as edge ports.

```
[SW9]int g1/0/3
[SW9-GigabitEthernet1/0/3]stp edged-port
[SW9-GigabitEthernet1/0/3]int g1/0/4
[SW9-GigabitEthernet1/0/4]stp edged-port
```
- Make SW9 the spanning-tree root bridge.

```
[SW9]stp priority 4096
```
- Configure a DHCP service on SW9 that dynamically assigns an IP address, gateway and DNS address to the PCs in VLAN 10 and VLAN 20. The gateway for VLAN 10 is 192.168.1.254, the gateway for VLAN 20 is 192.168.2.254, the DNS server is 114.114.114.114, and the lease is one day.

```
[SW9]dhcp enable
[SW9]dhcp server ip-pool 1
[SW9-dhcp-pool-1]network 192.168.1.0 24
[SW9-dhcp-pool-1]gateway-list 192.168.1.254
[SW9-dhcp-pool-1]dns-list 114.114.114.114
[SW9-dhcp-pool-1]expired day 1
[SW9-dhcp-pool-1]quit
[SW9]dhcp server ip-pool 2
[SW9-dhcp-pool-2]network 192.168.2.0 24
[SW9-dhcp-pool-2]gateway-list 192.168.2.254
[SW9-dhcp-pool-2]dns-list 114.114.114.114
[SW9-dhcp-pool-2]expired day 1
[SW9-dhcp-pool-2]quit
```
- Configure DHCP address acquisition on PC_10 and PC_11.

```
[PC_10]int g0/0
[PC_10-GigabitEthernet0/0]ip add dhcp-alloc
[PC_10-GigabitEthernet0/0]qu
```

```
[PC_11]int g0/0
[PC_11-GigabitEthernet0/0]ip add dhcp-alloc
[PC_11-GigabitEthernet0/0]qu
```
- Configure OSPF by area as shown in the diagram, and advertise the loopback interfaces into the corresponding areas.

```
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]a 0
[R2-ospf-1-area-0.0.0.0]net 172.16.2.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 172.16.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]a 1
[R2-ospf-1-area-0.0.0.1]net 172.16.5.0 0.0.0.255
[R2-ospf-1-area-0.0.0.1]qu
[R2-ospf-1]dis th
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
 area 0.0.0.1
  network 172.16.5.0 0.0.0.255
#
return
[R2-ospf-1]qu
```

```
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]a 0
[R3-ospf-1-area-0.0.0.0]net 172.16.2.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]net 172.16.3.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.1]a 2
[R3-ospf-1-area-0.0.0.2]net 172.16.7.0 0.0.0.255
[R3-ospf-1-area-0.0.0.2]qu
[R3-ospf-1]dis th
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 172.16.2.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
 area 0.0.0.1
 area 0.0.0.2
  network 172.16.7.0 0.0.0.255
#
return
[R3-ospf-1]qu
```

```
[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]a 0
[R4-ospf-1-area-0.0.0.0]net 172.16.1.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]net 172.16.4.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]net 4.4.4.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0]a 1
[R4-ospf-1-area-0.0.0.1]net 172.16.6.0 0.0.0.255
[R4-ospf-1-area-0.0.0.1]qu
[R4-ospf-1]dis th
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 4.4.4.4 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.4.0 0.0.0.255
 area 0.0.0.1
  network 172.16.6.0 0.0.0.255
#
return
[R4-ospf-1]qu
```

```
[R5]ospf 1 router-id 5.5.5.5
[R5-ospf-1]
[R5-ospf-1]a 0
[R5-ospf-1-area-0.0.0.0]net 172.16.3.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]net 172.16.4.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]net 5.5.5.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]a 2
[R5-ospf-1-area-0.0.0.2]net 172.16.8.0 0.0.0.255
[R5-ospf-1-area-0.0.0.2]qu
[R5-ospf-1]dis th
#
ospf 1 router-id 5.5.5.5
 area 0.0.0.0
  network 5.5.5.5 0.0.0.0
  network 172.16.3.0 0.0.0.255
  network 172.16.4.0 0.0.0.255
 area 0.0.0.2
  network 172.16.8.0 0.0.0.255
#
return
[R5-ospf-1]qu
```

```
[R12]ospf 1 router-id 12.12.12.12
[R12-ospf-1]a 1
[R12-ospf-1-area-0.0.0.1]net 172.16.5.0 0.0.0.255
[R12-ospf-1-area-0.0.0.1]net 172.16.6.0 0.0.0.255
[R12-ospf-1-area-0.0.0.1]net 12.12.12.12 0.0.0.0
[R12-ospf-1-area-0.0.0.1]qu
[R12-ospf-1]dis th
#
ospf 1 router-id 12.12.12.12
 area 0.0.0.1
  network 12.12.12.12 0.0.0.0
  network 172.16.5.0 0.0.0.255
  network 172.16.6.0 0.0.0.255
#
return
[R12-ospf-1]qu
```

```
[R13]ospf 1 router-id 13.13.13.13
[R13-ospf-1]a 2
[R13-ospf-1-area-0.0.0.2]net 172.16.7.0 0.0.0.255
[R13-ospf-1-area-0.0.0.2]net 172.16.8.0 0.0.0.255
[R13-ospf-1-area-0.0.0.2]net 13.13.13.13 0.0.0.0
[R13-ospf-1-area-0.0.0.2]qu
[R13-ospf-1]dis th
#
ospf 1 router-id 13.13.13.13
 area 0.0.0.2
  network 13.13.13.13 0.0.0.0
  network 172.16.7.0 0.0.0.255
  network 172.16.8.0 0.0.0.255
#
return
[R13-ospf-1]qu
```
- Configure RIP in the region shown in the diagram, and advertise the loopback interfaces into the corresponding region.

```
[R4]rip 1
[R4-rip-1]ver 2
[R4-rip-1]undo su
[R4-rip-1]net 10.1.1.0
[R4-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 10.0.0.0
#
return
[R4-rip-1]qu
```

```
[R5]rip 1
[R5-rip-1]ver 2
[R5-rip-1]undo su
[R5-rip-1]net 10.1.4.0
[R5-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 10.0.0.0
#
return
[R5-rip-1]qu
```

```
[SW6]rip 1
[SW6-rip-1]ver 2
[SW6-rip-1]undo su
[SW6-rip-1]network 10.0.0.0
[SW6-rip-1]network 6.6.6.6
[SW6-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 6.0.0.0
 network 10.0.0.0
#
return
[SW6-rip-1]qu
```

```
[SW7]rip 1
[SW7-rip-1]ver 2
[SW7-rip-1]undo su
[SW7-rip-1]net 10.1.1.0
[SW7-rip-1]net 192.168.3.0
[SW7-rip-1]net 192.168.5.0
[SW7-rip-1]net 7.7.7.7
[SW7-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 7.0.0.0
 network 10.0.0.0
 network 192.168.3.0
 network 192.168.5.0
#
return
[SW7-rip-1]qu
```

```
[SW8]rip 1
[SW8-rip-1]ver 2
[SW8-rip-1]undo su
[SW8-rip-1]net 10.1.6.0
[SW8-rip-1]net 192.168.4.0
[SW8-rip-1]net 192.168.5.0
[SW8-rip-1]net 8.8.8.8
[SW8-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 8.0.0.0
 network 10.0.0.0
 network 192.168.4.0
 network 192.168.5.0
#
return
[SW8-rip-1]qu
```

```
[SW9]rip 1
[SW9-rip-1]ver 2
[SW9-rip-1]undo su
[SW9-rip-1]net 192.168.1.0
[SW9-rip-1]net 192.168.2.0
[SW9-rip-1]net 192.168.3.0
[SW9-rip-1]net 192.168.4.0
[SW9-rip-1]net 9.9.9.9
[SW9-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 9.0.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
#
return
[SW9-rip-1]qu
```
- No routing protocol packets may appear on the service segments.

```
[SW9]rip 1
[SW9-rip-1]silent-interface Vlan-interface 10
[SW9-rip-1]silent-interface Vlan-interface 20
[SW9-rip-1]qu
```
- Mutual route redistribution between OSPF and RIP.

```
[R4]ospf 1
[R4-ospf-1]import-route rip 1
[R4-ospf-1]import-route direct
[R4-ospf-1]qu
[R4]rip 1
[R4-rip-1]import-route ospf 1
[R4-rip-1]import-route direct
[R4-rip-1]qu
```

```
[R5]ospf 1
[R5-ospf-1]import-route rip 1
[R5-ospf-1]import-route direct
[R5-ospf-1]qu
[R5]rip 1
[R5-rip-1]import-route ospf 1
[R5-rip-1]import-route direct
[R5-rip-1]qu
```
- R1 and R2 are connected over two links towards the Internet; configure PPP MP on them with bidirectional CHAP authentication.

```
[R1]local-user wiltjer class network
New local user added.
[R1-luser-network-wiltjer]password simple 123456
[R1-luser-network-wiltjer]service-type ppp
[R1-luser-network-wiltjer]qu
[R1]int s1/0
[R1-Serial1/0]ppp authentication-mode chap
[R1-Serial1/0]ppp chap user wiltjer
[R1-Serial1/0]int s2/0
[R1-Serial2/0]ppp authentication-mode chap
[R1-Serial2/0]ppp chap user wiltjer
[R1-Serial2/0]qu
```

```
[R2]local-user wiltjer class network
New local user added.
[R2-luser-network-wiltjer]password simple 123456
[R2-luser-network-wiltjer]service-type ppp
[R2-luser-network-wiltjer]qu
[R2]int s1/0
[R2-Serial1/0]ppp authentication-mode chap
[R2-Serial1/0]ppp chap user wiltjer
[R2-Serial1/0]int s2/0
[R2-Serial2/0]ppp authentication-mode chap
[R2-Serial2/0]ppp chap user wiltjer
[R2-Serial2/0]qu
```
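The bidirectional CHAP exchange that this step configures, modelled per RFC 1994 as an added example (not part of the original lab and not Comware code). The `Peer` class is hypothetical, and the lookup of the secret by the challenger's name is an assumption about how the configuration above resolves it, since no separate CHAP password is set.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Peer:
    """Hypothetical model of one router's PPP CHAP state."""

    def __init__(self, hostname, local_users, chap_user):
        self.hostname = hostname
        self.local_users = local_users  # like "local-user ... class network"
        self.chap_user = chap_user      # like "ppp chap user ..."
        self.ident = 0
        self.pending = None

    def challenge(self):
        """Authenticator role: send a fresh random challenge."""
        self.ident = (self.ident + 1) % 256
        self.pending = (self.ident, os.urandom(16))
        return {"id": self.ident, "value": self.pending[1], "name": self.chap_user}

    def respond(self, chal):
        """Authenticated role: secret is looked up by the challenger's name
        (assumed behaviour when no separate CHAP password is configured)."""
        secret = self.local_users[chal["name"]]
        value = chap_response(chal["id"], secret, chal["value"])
        return {"id": chal["id"], "value": value, "name": self.chap_user}

    def verify(self, resp):
        """Authenticator role: recompute and compare; a challenge is single use."""
        if self.pending is None:
            return False
        ident, challenge = self.pending
        self.pending = None
        secret = self.local_users.get(resp["name"])
        if secret is None or resp["id"] != ident:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(resp["value"], expected)

def mutual_chap(a, b):
    """Bidirectional CHAP: each end challenges and verifies the other."""
    return a.verify(b.respond(a.challenge())) and b.verify(a.respond(b.challenge()))
```

The secret never crosses the link, only the MD5 value bound to a one-time challenge, so both ends must hold the same `local-user` password for the exchange to succeed in both directions.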
- Configure Easy IP so that only traffic from the service segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R2 and R3.

```
[R2]ip route-static 0.0.0.0 0 202.100.1.1
[R2]ospf 1
[R2-ospf-1]default-route-advertise
[R2-ospf-1]qu
[R2]acl basic 2000
[R2-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R2-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R2-acl-ipv4-basic-2000]qu
[R2]int MP-group 1
[R2-MP-group1]nat outbound 2000
[R2-MP-group1]qu
```

```
[R3]ip route-static 0.0.0.0 0 202.100.2.1
[R3]ospf 1
[R3-ospf-1]default-route-advertise
[R3-ospf-1]qu
[R3]acl basic 2000
[R3-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R3-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R3-acl-ipv4-basic-2000]qu
[R3]int MP-group 1
[R3-MP-group1]nat outbound 2000
[R3-MP-group1]qu
```
- Enable Telnet remote login on R12 and allow only 192.168.1.0/24 to log in.

```
[R12]telnet server enable
[R12]local-user wiltjer class manage
New local user added.
[R12-luser-manage-wiltjer]password simple 123456.com
[R12-luser-manage-wiltjer]service-type telnet
[R12-luser-manage-wiltjer]authorization-attribute user-role level-15
[R12-luser-manage-wiltjer]qu
[R12]user-interface vty 0 4
[R12-line-vty0-4]authentication-mode scheme
[R12-line-vty0-4]qu
```

```
[R12]acl advanced 3000
[R12-acl-ipv4-adv-3000]rule permit tcp source 192.168.1.0 0.0.0.255 destination-port eq 23
[R12-acl-ipv4-adv-3000]rule deny tcp source any destination-port eq 23
[R12-acl-ipv4-adv-3000]dis th
#
acl advanced 3000
 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet
 rule 5 deny tcp destination-port eq telnet
#
return
[R12-acl-ipv4-adv-3000]qu
[R12]int range g0/0 to g0/1
[R12-if-range]packet-filter 3000 inbound
[R12-if-range]qu
```
- Enable the FTP service on R13 and allow only 192.168.2.0/24 to log in.

```
[R13]ftp server enable
[R13]local-user wiltjer class manage
New local user added.
[R13-luser-manage-wiltjer]password simple 123456.com
[R13-luser-manage-wiltjer]service-type ftp
[R13-luser-manage-wiltjer]authorization-attribute user-role level-15
[R13-luser-manage-wiltjer]qu
[R13]user-interface vty 0 4
[R13-line-vty0-4]authentication-mode scheme
[R13-line-vty0-4]q
```

```
[R13]acl advanced 3000
[R13-acl-ipv4-adv-3000]rule permit tcp source 192.168.2.0 0.0.0.255 destination-port range 20 21
[R13-acl-ipv4-adv-3000]rule deny tcp source any destination-port range 20 21
[R13-acl-ipv4-adv-3000]dis th
#
acl advanced 3000
 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port range ftp-data ftp
 rule 5 deny tcp destination-port range ftp-data ftp
#
return
[R13-acl-ipv4-adv-3000]qu
[R13]int range g0/0 to g0/1
[R13-if-range]packet-filter 3000 inbound
[R13-if-range]qu
```
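How the two ACL 3000 rule sets from the Telnet step on R12 and the FTP step on R13 decide an inbound packet, as an added Python model that is not part of the original lab. The function names and the sample packets are constructed, and the default action for unmatched packets is assumed to be permit because the page does not configure another one.

```python
import ipaddress

# ACL 3000 as shown by "dis th" on R12 and R13: (rule id, action, source,
# wildcard, TCP destination ports). The rules carry no destination address.
ANY = ("0.0.0.0", "255.255.255.255")
R12_ACL_3000 = [
    (0, "permit", "192.168.1.0", "0.0.0.255", (23,)),
    (5, "deny", *ANY, (23,)),
]
R13_ACL_3000 = [
    (0, "permit", "192.168.2.0", "0.0.0.255", (20, 21)),
    (5, "deny", *ANY, (20, 21)),
]

def wildcard_match(addr, network, wildcard):
    """Wildcard bit 0 = must match, bit 1 = ignore (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care)

def packet_filter(acl, src, dst_port, default="permit"):
    """Decide one inbound TCP packet: the lowest matching rule id wins.

    `default` applies when no rule matches; permit is assumed here because
    the page does not configure a different default action.
    """
    for rule_id, action, net, wc, ports in sorted(acl, key=lambda r: r[0]):
        if dst_port in ports and wildcard_match(src, net, wc):
            return action, rule_id
    return default, None

def audit(acl, packets):
    """Evaluate constructed (src, dst_port) samples and return the verdicts."""
    return [(src, port) + packet_filter(acl, src, port) for src, port in packets]

if __name__ == "__main__":
    # Constructed sample packets: (source address, TCP destination port).
    samples = [("192.168.1.10", 23), ("192.168.2.10", 23), ("10.1.1.1", 23),
               ("192.168.2.10", 21), ("192.168.2.10", 22)]
    for name, acl in (("R12", R12_ACL_3000), ("R13", R13_ACL_3000)):
        for row in audit(acl, samples):
            print(name, *row)
```

Because the rules match on source and destination port only, the filter on g0/0 and g0/1 applies to every inbound packet for those ports, including sessions that merely pass through the router, and any other port falls through to the default action.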