[Daily Must-Learn] 微思 Hands-on Project Case 2
Posted by: 微思网络  Posted on: 2017-03-23  Views: 0
Lab requirements:
1. Create and name the VLANs as the topology requires, assign the ports to their VLANs, and enable PortFast on the access ports.
Configure SW1:
hostname SW1
vlan 2
name IT
vlan 3
name HR
vlan 4
name Sales
vlan 5
name MK
vlan 7
name R1toSW1
vlan 8
name Server
vlan 16
name WIFI-Office
vlan 17
name WIFI-Guest
Assign the ports to their VLANs:
interface gigabitEthernet 0/4
switchport mode access
switchport access vlan 8
spanning-tree portfast
interface gigabitEthernet 0/5
switchport mode access
switchport access vlan 7
spanning-tree portfast
Configure SW2:
hostname SW2
vlan 2
name IT
vlan 3
name HR
Assign the ports to their VLANs:
interface range fastEthernet 0/3 - 4
switchport mode access
switchport access vlan 2
spanning-tree portfast
interface range fastEthernet 0/5 - 6
switchport mode access
switchport access vlan 3
spanning-tree portfast
Configure SW3:
hostname SW3
vlan 4
name Sales
vlan 5
name MK
vlan 16
name WIFI-Office
vlan 17
name WIFI-Guest
Assign the ports to their VLANs:
interface range fastEthernet 0/3 - 4
switchport mode access
switchport access vlan 4
spanning-tree portfast
interface range fastEthernet 0/5 - 6
switchport mode access
switchport access vlan 5
spanning-tree portfast
2. Configure the SW1-SW2, SW1-SW3 and SW2-SW3 links as trunks using dot1q encapsulation.
Configure SW1:
interface gigabitEthernet 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface gigabitEthernet 0/2
switchport trunk encapsulation dot1q
switchport mode trunk
Configure SW2:
interface gigabitEthernet 0/1
switchport mode trunk
interface gigabitEthernet 0/2
switchport mode trunk
Configure SW3:
interface gigabitEthernet 0/1
switchport mode trunk
interface gigabitEthernet 0/2
switchport mode trunk
interface fastEthernet 0/24
switchport mode trunk
3. Configure the trunk interfaces on SW1, SW2 and SW3 so that only traffic (including broadcasts) from VLAN 1-5, VLAN 16 and VLAN 17 can cross them; SW3's F0/24 must carry only traffic (including broadcasts) from VLAN 1, VLAN 16 and VLAN 17.
Configure SW1:
interface gigabitEthernet 0/1
switchport trunk allowed vlan 1-5,16,17
interface gigabitEthernet 0/2
switchport trunk allowed vlan 1-5,16,17
Configure SW2:
interface gigabitEthernet 0/1
switchport trunk allowed vlan 1-5,16,17
interface gigabitEthernet 0/2
switchport trunk allowed vlan 1-5,16,17
Configure SW3:
interface gigabitEthernet 0/1
switchport trunk allowed vlan 1-5,16,17
interface gigabitEthernet 0/2
switchport trunk allowed vlan 1-5,16,17
interface fastEthernet 0/24
switchport trunk allowed vlan 1,16,17
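An added check for task 3, not part of the original lab: a small Python audit that expands each trunk's allowed-VLAN list from a constructed SW3 config excerpt and compares it with the set the task requires. The constructed sample deliberately leaves VLAN 1 off F0/24, which would cut off the AP's management address in VLAN 1 (task 9), and the audit also flags a trunk with no allowed list at all, since IOS then carries every VLAN. The interface names and the required sets are assumptions taken from the task text.

```python
import re
# Constructed sample: SW3's trunk config in the shape of tasks 2 and 3. F0/24 is
# deliberately left with only 16,17 so the audit has something to report.
SW3_CONFIG = """
interface range gigabitEthernet 0/1
switchport mode trunk
switchport trunk allowed vlan 1-5,16,17
interface fastEthernet 0/24
switchport mode trunk
switchport trunk allowed vlan 16,17
"""
# Assumed mapping of task 3's requirement onto SW3's trunks.
SW3_REQUIRED = {"gigabitEthernet 0/1": {1, 2, 3, 4, 5, 16, 17},
                "fastEthernet 0/24": {1, 16, 17}}

def expand_vlan_list(spec):
    """Expand an IOS allowed-vlan list such as '1-5,16,17' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Map each trunk interface to its allowed set; None means no list was set."""
    trunks, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1].removeprefix("range ")
        elif line == "switchport mode trunk":
            trunks.setdefault(cur, None)        # IOS default: every VLAN carried
        elif m := re.match(r"switchport trunk allowed vlan (\S+)", line):
            trunks[cur] = expand_vlan_list(m.group(1))
    return trunks

def audit_trunks(config, required):
    """Report trunks that carry every VLAN or whose allowed set differs from required."""
    findings = []
    for name, allowed in parse_trunks(config).items():
        if allowed is None:
            findings.append(f"{name}: no allowed list, every VLAN is carried")
        elif name in required and allowed != required[name]:
            missing = sorted(required[name] - allowed)
            extra = sorted(allowed - required[name])
            findings.append(f"{name}: missing {missing}, extra {extra}")
    return findings
if __name__ == "__main__":
    for finding in audit_trunks(SW3_CONFIG, SW3_REQUIRED):
        print(finding)
```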
4. Configure spanning tree (STP) on SW1 so that SW1 becomes the root for VLAN 1-5, VLAN 7-8 and VLAN 16-17.
Configure SW1:
spanning-tree vlan 1-5,7-8,16-17 root primary
5. Enable routing on SW1 and configure the SVI interfaces so that hosts in every VLAN can reach each other.
Configure SW1:
hostname SW1
Enable routing:
ip routing
Configure the SVI interfaces:
interface vlan 2
ip address 10.1.2.254 255.255.255.0
no shutdown
interface vlan 3
ip address 10.1.3.254 255.255.255.0
no shutdown
interface vlan 4
ip address 10.1.4.254 255.255.255.0
no shutdown
interface vlan 5
ip address 10.1.5.254 255.255.255.0
no shutdown
interface vlan 7
ip address 10.1.7.254 255.255.255.0
no shutdown
interface vlan 8
ip address 10.1.8.254 255.255.255.0
no shutdown
interface vlan 16
ip address 10.1.16.254 255.255.255.0
no shutdown
interface vlan 17
ip address 10.1.17.254 255.255.255.0
no shutdown
6. Configure an IP address on management VLAN 1 of each switch and make sure each switch can be managed over telnet.
Configure SW1:
interface vlan 1
ip address 10.1.1.254 255.255.255.0
no shutdown
Because ip routing is enabled on SW1 (task 5), ip default-gateway is ignored there, and 10.1.1.254 is SW1's own address in any case; what SW1 needs is a default route toward R1's VLAN 7 address (10.1.7.253, task 7), which is also the path out for every VLAN host:
ip route 0.0.0.0 0.0.0.0 10.1.7.253
Configure SW2:
interface vlan 1
ip address 10.1.1.253 255.255.255.0
no shutdown
ip default-gateway 10.1.1.254
Configure SW3:
interface vlan 1
ip address 10.1.1.252 255.255.255.0
no shutdown
ip default-gateway 10.1.1.254
Configure the username, password and enable secret that each switch needs for remote management:
username cisco secret cisco
enable secret cisco
line vty 0 15
login local
line con 0
login local
7. Connect R1 to the Internet so that hosts in every VLAN can reach it, using PAT (port address translation).
Configure R1:
hostname R1
username cisco secret cisco
enable secret cisco
line vty 0 15
login local
line con 0
login local
Configure the interface addresses and enable the interfaces:
interface FastEthernet0/1
ip address 10.1.7.253 255.255.255.0
no shutdown
interface FastEthernet0/0
ip address 202.101.1.1 255.255.255.248
no shutdown
Configure the ACL that defines the traffic to be translated:
ip access-list extended nat
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.2.0 0.0.0.255 any
permit ip 10.1.3.0 0.0.0.255 any
permit ip 10.1.4.0 0.0.0.255 any
permit ip 10.1.5.0 0.0.0.255 any
permit ip 10.1.7.0 0.0.0.255 any
permit ip 10.1.8.0 0.0.0.255 any
permit ip 10.1.16.0 0.0.0.255 any
permit ip 10.1.17.0 0.0.0.255 any
Bind the ACL to the outside interface (overload enables PAT):
ip nat inside source list nat interface FastEthernet0/0 overload
Mark the inside and outside interfaces:
interface FastEthernet0/0
ip nat outside
interface FastEthernet0/1
ip nat inside
Configure the default route to the Internet:
ip route 0.0.0.0 0.0.0.0 202.101.1.6
Configure a static route to each internal VLAN:
ip route 10.1.1.0 255.255.255.0 10.1.7.254
ip route 10.1.2.0 255.255.255.0 10.1.7.254
ip route 10.1.3.0 255.255.255.0 10.1.7.254
ip route 10.1.4.0 255.255.255.0 10.1.7.254
ip route 10.1.5.0 255.255.255.0 10.1.7.254
ip route 10.1.8.0 255.255.255.0 10.1.7.254
ip route 10.1.16.0 255.255.255.0 10.1.7.254
ip route 10.1.17.0 255.255.255.0 10.1.7.254
8. Use SW1 as the DHCP server so that wireless users receive an IP address, default gateway and DNS servers.
Configure SW1:
DHCP for VLAN 16:
interface vlan 16
ip address 10.1.16.254 255.255.255.0
no shutdown
ip dhcp excluded-address 10.1.16.254
service dhcp
ip dhcp pool WIFI-Office
network 10.1.16.0 255.255.255.0
dns-server 218.85.152.88 218.85.157.99
default-router 10.1.16.254
DHCP for VLAN 17:
interface vlan 17
ip address 10.1.17.254 255.255.255.0
no shutdown
ip dhcp excluded-address 10.1.17.254
service dhcp
ip dhcp pool WIFI-Guest
network 10.1.17.0 255.255.255.0
dns-server 218.85.152.88 218.85.157.99
default-router 10.1.17.254
9. Configure wireless access on the AP with the SSIDs WIFI-Office (VLAN 16) and WIFI-Guest (VLAN 17), WPA2-PSK authentication, AES encryption and the key cisco.
Configure the AP:
Configuration for SSID WIFI-Office:
hostname AP
interface FastEthernet0
no shutdown
interface Dot11Radio0
no shutdown
encryption vlan 16 mode ciphers aes-ccm
ssid WIFI-Office
mbssid
exit
interface Dot11Radio0.16
encapsulation dot1Q 16
interface FastEthernet0.16
encapsulation dot1Q 16
dot11 ssid WIFI-Office
vlan 16
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii cisco
Configuration for SSID WIFI-Guest:
interface FastEthernet0
no shutdown
interface Dot11Radio0
no shutdown
encryption vlan 17 mode ciphers aes-ccm
ssid WIFI-Guest
mbssid
exit
interface Dot11Radio0.17
encapsulation dot1Q 17
interface FastEthernet0.17
encapsulation dot1Q 17
dot11 ssid WIFI-Guest
vlan 17
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii cisco
Note that an ASCII wpa-psk must be 8 to 63 characters long, so on real AP hardware the lab key cisco has to be lengthened to at least 8 characters before the command is accepted.
Configure the AP's management IP address and default gateway for remote management:
interface BVI1
ip address 10.1.1.251 255.255.255.0
no shutdown
ip default-gateway 10.1.1.254
username cisco secret cisco
enable secret cisco
line vty 0 15
login local
line con 0
login local
10. Configure the WAN connection: headquarters R1 connects to the Beijing branch over a DDN leased line. Configure R1 and R2 so that Beijing branch users can reach headquarters; the DDN link must use PPP encapsulation with CHAP authentication.
Configure R1:
hostname R1
username R2 password cisco
interface serial 0/0/0
ip address 10.1.10.254 255.255.255.252
encapsulation ppp
ppp authentication chap
no shutdown
ip route 172.16.1.0 255.255.255.0 10.1.10.253
Configure R2:
hostname R2
username R1 password cisco
interface serial 0/0
ip address 10.1.10.253 255.255.255.252
encapsulation ppp
ppp authentication chap
no shutdown
interface F0
ip address 172.16.1.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.10.254
11. Configure the devices so that the Beijing branch can reach the Internet through headquarters R1.
Configure R1 (the serial link becomes another NAT inside interface, and the branch subnet is added to the existing nat ACL):
interface serial 0/0/0
ip nat inside
ip access-list extended nat
permit ip 172.16.1.0 0.0.0.255 any
12. Save every device's configuration to NVRAM, and use copy star tftp to back up each device's configuration to your PC.
- Save the configuration with copy run star or write memory.
- Make sure a TFTP server is running on your PC; install Cisco TFTP Server, tftpd32 or a similar TFTP server package.
- Run copy star tftp and confirm that the backup succeeded.