NTD PROJECT2 DAY01
1 Case 1: Campus network project build-out
1.1 Problem
- Complete the network build-out according to the project requirements
- Provide mutual access between the internal network and the external network
1.2 Solution
Build the lab environment in eNSP, as shown in Figure 1.
Figure 1
1.3 Steps
To implement this case, follow the steps below.
1) Configure the end devices: PC1 to PC8 are DHCP clients
2) Configure the network devices: every switch gets the same set of VLANs
<Huawei>undo terminal monitor // stop log output on the terminal
<Huawei>system-view // enter system view
[Huawei]sysname SW1
[SW1]vlan batch 10 20 30 40 66 88 // create the VLANs in one batch
[Huawei]sysname SW2
[SW2]vlan batch 10 20 30 40 66 88 // create the VLANs in one batch
[Huawei]sysname SW3
[SW3]vlan batch 10 20 30 40 66 88 // create the VLANs in one batch
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30 40 66 88 // create the VLANs in one batch
[Huawei]sysname SW5
[SW5]vlan batch 10 20 30 40 66 88 // create the VLANs in one batch
[Huawei]sysname SW6
[SW6]vlan batch 10 20 30 40 66 88 // create the VLANs in one batch
3) Configure the network devices: trunk links between the switches
[SW1]port-group group-member gi0/0/11 gi0/0/21 // enter the port group
[SW1-port-group]port link-type trunk // set the link type to trunk
[SW1-port-group]port trunk allow-pass vlan all // allow all VLANs across the trunk
[SW1-port-group]quit
[SW2]port-group group-member gi0/0/12 gi0/0/22 // enter the port group
[SW2-port-group]port link-type trunk // set the link type to trunk
[SW2-port-group]port trunk allow-pass vlan all // allow all VLANs across the trunk
[SW2-port-group]quit
[SW3]port-group group-member gi0/0/13 gi0/0/23 // enter the port group
[SW3-port-group]port link-type trunk // set the link type to trunk
[SW3-port-group]port trunk allow-pass vlan all // allow all VLANs across the trunk
[SW3-port-group]quit
[SW4]port-group group-member gi0/0/14 gi0/0/24 // enter the port group
[SW4-port-group]port link-type trunk // set the link type to trunk
[SW4-port-group]port trunk allow-pass vlan all // allow all VLANs across the trunk
[SW4-port-group]quit
[SW5]port-group group-member gi0/0/11 gi0/0/12 gi0/0/13 gi0/0/14 // enter the port group
[SW5-port-group]port link-type trunk // set the link type to trunk
[SW5-port-group]port trunk allow-pass vlan all // allow all VLANs across the trunk
[SW5-port-group]quit
[SW6]port-group group-member gi0/0/21 gi0/0/22 gi0/0/23 gi0/0/24 // enter the port group
[SW6-port-group]port link-type trunk // set the link type to trunk
[SW6-port-group]port trunk allow-pass vlan all // allow all VLANs across the trunk
[SW6-port-group]quit
4) Configure the network devices: access links between the switches and the end devices
[SW1]interface gi0/0/1 // interface connected to PC1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]quit
[SW1]interface gi0/0/2 // interface connected to PC2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1-GigabitEthernet0/0/2]quit
[SW2]interface gi0/0/3 // interface connected to PC3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 10
[SW2-GigabitEthernet0/0/3]quit
[SW2]interface gi0/0/4 // interface connected to PC4
[SW2-GigabitEthernet0/0/4]port link-type access
[SW2-GigabitEthernet0/0/4]port default vlan 30
[SW2-GigabitEthernet0/0/4]quit
[SW3]interface gi0/0/5 // interface connected to PC5
[SW3-GigabitEthernet0/0/5]port link-type access
[SW3-GigabitEthernet0/0/5]port default vlan 20
[SW3-GigabitEthernet0/0/5]quit
[SW3]interface gi0/0/6 // interface connected to PC6
[SW3-GigabitEthernet0/0/6]port link-type access
[SW3-GigabitEthernet0/0/6]port default vlan 40
[SW3-GigabitEthernet0/0/6]quit
[SW4]interface gi0/0/7 // interface connected to PC7
[SW4-GigabitEthernet0/0/7]port link-type access
[SW4-GigabitEthernet0/0/7]port default vlan 40
[SW4-GigabitEthernet0/0/7]quit
[SW4]interface gi0/0/8 // interface connected to PC8
[SW4-GigabitEthernet0/0/8]port link-type access
[SW4-GigabitEthernet0/0/8]port default vlan 30
[SW4-GigabitEthernet0/0/8]quit
[SW5]interface GigabitEthernet0/0/8 // interface connected to the web server
[SW5-GigabitEthernet0/0/8]port link-type access
[SW5-GigabitEthernet0/0/8]port default vlan 88
[SW5-GigabitEthernet0/0/8]quit
[SW6]interface GigabitEthernet 0/0/6 // interface connected to the DHCP server
[SW6-GigabitEthernet0/0/6]port link-type access
[SW6-GigabitEthernet0/0/6]port default vlan 66
[SW6-GigabitEthernet0/0/6]quit
5) Configure the DHCP server
[Huawei]sysname DHCP-Server
[DHCP-Server]interface gi0/0/0 // interface connected to SW6
[DHCP-Server-GigabitEthernet0/0/0]ip address 192.168.66.1 24
[DHCP-Server-GigabitEthernet0/0/0]quit
[DHCP-Server]ip route-static 0.0.0.0 0.0.0.0 192.168.66.254 // default route towards the VLAN 66 gateway
[DHCP-Server]dhcp enable // enable DHCP
[DHCP-Server]ip pool VLAN10 // DHCP address pool for VLAN 10
[DHCP-Server-ip-pool-VLAN10]network 192.168.10.0 mask 24
[DHCP-Server-ip-pool-VLAN10]gateway-list 192.168.10.254
[DHCP-Server-ip-pool-VLAN10]quit
[DHCP-Server]ip pool VLAN20 // DHCP address pool for VLAN 20
[DHCP-Server-ip-pool-VLAN20]network 192.168.20.0 mask 24
[DHCP-Server-ip-pool-VLAN20]gateway-list 192.168.20.254
[DHCP-Server-ip-pool-VLAN20]quit
[DHCP-Server]ip pool VLAN30 // DHCP address pool for VLAN 30
[DHCP-Server-ip-pool-VLAN30]network 192.168.30.0 mask 24
[DHCP-Server-ip-pool-VLAN30]gateway-list 192.168.30.254
[DHCP-Server-ip-pool-VLAN30]quit
[DHCP-Server]ip pool VLAN40 // DHCP address pool for VLAN 40
[DHCP-Server-ip-pool-VLAN40]network 192.168.40.0 mask 24
[DHCP-Server-ip-pool-VLAN40]gateway-list 192.168.40.254
[DHCP-Server-ip-pool-VLAN40]quit
[DHCP-Server]interface gi0/0/0
[DHCP-Server-GigabitEthernet0/0/0]dhcp select global // answer requests arriving on this interface from the global address pools
[DHCP-Server-GigabitEthernet0/0/0]quit
6) Configure DHCP relay
[SW5]dhcp enable // enable DHCP
[SW5]interface Vlanif 10 // DHCP relay for VLAN 10
[SW5-Vlanif10]ip address 192.168.10.251 255.255.255.0
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif10]quit
[SW5]interface Vlanif 20 // DHCP relay for VLAN 20
[SW5-Vlanif20]ip address 192.168.20.251 255.255.255.0
[SW5-Vlanif20]dhcp select relay
[SW5-Vlanif20]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif20]quit
[SW5]interface Vlanif 30 // DHCP relay for VLAN 30
[SW5-Vlanif30]ip address 192.168.30.251 255.255.255.0
[SW5-Vlanif30]dhcp select relay
[SW5-Vlanif30]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif30]quit
[SW5]interface Vlanif 40 // DHCP relay for VLAN 40
[SW5-Vlanif40]ip address 192.168.40.251 255.255.255.0
[SW5-Vlanif40]dhcp select relay
[SW5-Vlanif40]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif40]quit
[SW5]interface Vlanif 66 // interface IP address on VLAN 66
[SW5-Vlanif66]ip address 192.168.66.253 255.255.255.0
[SW5-Vlanif66]quit
[SW6]dhcp enable // enable DHCP
[SW6]interface Vlanif 10 // DHCP relay for VLAN 10
[SW6-Vlanif10]ip address 192.168.10.252 255.255.255.0
[SW6-Vlanif10]dhcp select relay
[SW6-Vlanif10]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif10]quit
[SW6]interface Vlanif 20 // DHCP relay for VLAN 20
[SW6-Vlanif20]ip address 192.168.20.252 255.255.255.0
[SW6-Vlanif20]dhcp select relay
[SW6-Vlanif20]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif20]quit
[SW6]interface Vlanif 30 // DHCP relay for VLAN 30
[SW6-Vlanif30]ip address 192.168.30.252 255.255.255.0
[SW6-Vlanif30]dhcp select relay
[SW6-Vlanif30]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif30]quit
[SW6]interface Vlanif 40 // DHCP relay for VLAN 40
[SW6-Vlanif40]ip address 192.168.40.252 255.255.255.0
[SW6-Vlanif40]dhcp select relay
[SW6-Vlanif40]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif40]quit
[SW6]interface Vlanif 66 // interface IP address on VLAN 66
[SW6-Vlanif66]ip address 192.168.66.254 255.255.255.0
[SW6-Vlanif66]quit
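Added example (not part of the lab): a Python model of how the DHCP server from step 5 picks an address pool for a request forwarded by the relays configured in step 6. The relay writes its own Vlanif address into the giaddr field, the server selects the pool whose network contains that address, and the router it offers is the pool's gateway-list entry (the VRRP virtual IP of the later steps), not the relay's own address. The pool and relay addresses are the lab's; the function names are mine.

```python
# Added example, not from the lab: DHCP pool selection for relayed requests.
# The relay (SW5/SW6 Vlanif in step 6) puts its own interface address into
# giaddr; the server picks the pool whose network contains that address and
# offers the pool's gateway-list entry, not the relay's address, as the
# client's default router.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def pool(name, net, gw):
    return Pool(name, ipaddress.ip_network(net), ipaddress.ip_address(gw))


# The four global pools configured on DHCP-Server in step 5.
POOLS = [
    pool("VLAN10", "192.168.10.0/24", "192.168.10.254"),
    pool("VLAN20", "192.168.20.0/24", "192.168.20.254"),
    pool("VLAN30", "192.168.30.0/24", "192.168.30.254"),
    pool("VLAN40", "192.168.40.0/24", "192.168.40.254"),
]

# Address of the server interface that receives the request (gi0/0/0, step 5).
SERVER_IFACE = ipaddress.ip_address("192.168.66.1")


def select_pool(giaddr, pools=POOLS, server_iface=SERVER_IFACE):
    """Return the pool serving a request, or None when no pool matches.

    A giaddr of 0.0.0.0 means the client is on the server's own segment, so
    the receiving interface's subnet is used instead (RFC 2131 behaviour).
    """
    key = ipaddress.ip_address(giaddr)
    if key == ipaddress.ip_address("0.0.0.0"):
        key = server_iface
    for p in pools:
        if key in p.network:
            return p
    return None


def offer_for(giaddr):
    """Summarise the OFFER the server would build for a request with this giaddr."""
    p = select_pool(giaddr)
    if p is None:
        return None
    return {"pool": p.name, "router": str(p.gateway)}


if __name__ == "__main__":
    # Relay addresses from step 6 (SW5 .251, SW6 .252) and a directly attached client.
    for giaddr in ("192.168.10.251", "192.168.10.252", "192.168.30.252", "0.0.0.0"):
        print(giaddr, "->", offer_for(giaddr))
```

A directly attached client on VLAN 66 gets no offer because the lab defines no pool for 192.168.66.0/24; only the relayed VLANs are served.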
7) Set SW5 as the primary gateway and SW6 as the backup gateway for VLAN 10 and VLAN 20
[SW5]interface Vlanif 10 // VRRP for VLAN 10
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 200 // 200 beats the default priority of 100, so SW5 becomes master
[SW5-Vlanif10]quit
[SW5]interface Vlanif 20 // VRRP for VLAN 20
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 200
[SW5-Vlanif20]quit
[SW6]interface Vlanif 10 // VRRP for VLAN 10
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif10]quit
[SW6]interface Vlanif 20 // VRRP for VLAN 20
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif20]quit
8) Set SW6 as the primary gateway and SW5 as the backup gateway for VLAN 30 and VLAN 40
[SW6]interface Vlanif 30 // VRRP for VLAN 30
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 200
[SW6-Vlanif30]quit
[SW6]interface Vlanif 40 // VRRP for VLAN 40
[SW6-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[SW6-Vlanif40]vrrp vrid 40 priority 200
[SW6-Vlanif40]quit
[SW5]interface Vlanif 30 // VRRP for VLAN 30
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW5-Vlanif30]quit
[SW5]interface Vlanif 40 // VRRP for VLAN 40
[SW5-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[SW5-Vlanif40]quit
9) Configure MSTP to optimise the forwarding paths
[SW1]stp mode mstp // set the STP mode to MSTP
[SW1]stp region-configuration // enter MST region configuration view
[SW1-mst-region]region-name HCIP // set the MST region name to HCIP
[SW1-mst-region]instance 10 vlan 10 // create instance 10 and map VLAN 10 to it
[SW1-mst-region]instance 20 vlan 20 // create instance 20 and map VLAN 20 to it
[SW1-mst-region]instance 30 vlan 30 // create instance 30 and map VLAN 30 to it
[SW1-mst-region]instance 40 vlan 40 // create instance 40 and map VLAN 40 to it
[SW1-mst-region]active region-configuration // activate the MST region configuration
[SW1-mst-region]quit
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name HCIP
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]instance 30 vlan 30
[SW2-mst-region]instance 40 vlan 40
[SW2-mst-region]active region-configuration
[SW2-mst-region]quit
[SW3]stp mode mstp
[SW3]stp region-configuration
[SW3-mst-region]region-name HCIP
[SW3-mst-region]instance 10 vlan 10
[SW3-mst-region]instance 20 vlan 20
[SW3-mst-region]instance 30 vlan 30
[SW3-mst-region]instance 40 vlan 40
[SW3-mst-region]active region-configuration
[SW3-mst-region]quit
[SW4]stp mode mstp
[SW4]stp region-configuration
[SW4-mst-region]region-name HCIP
[SW4-mst-region]instance 10 vlan 10
[SW4-mst-region]instance 20 vlan 20
[SW4-mst-region]instance 30 vlan 30
[SW4-mst-region]instance 40 vlan 40
[SW4-mst-region]active region-configuration
[SW4-mst-region]quit
[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name HCIP
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]instance 30 vlan 30
[SW5-mst-region]instance 40 vlan 40
[SW5-mst-region]active region-configuration
[SW5-mst-region]quit
[SW5]stp instance 10 priority 0 // make SW5 the root bridge of instance 10
[SW5]stp instance 20 priority 0 // make SW5 the root bridge of instance 20
[SW6]stp mode mstp
[SW6]stp region-configuration
[SW6-mst-region]region-name HCIP
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]instance 30 vlan 30
[SW6-mst-region]instance 40 vlan 40
[SW6-mst-region]active region-configuration
[SW6-mst-region]quit
[SW6]stp instance 30 priority 0 // make SW6 the root bridge of instance 30
[SW6]stp instance 40 priority 0 // make SW6 the root bridge of instance 40
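Added example (not part of the lab): a Python checker that parses the VRRP and MSTP commands of steps 7 to 9 and confirms that the VRRP master of each VLAN is also the MSTP root bridge of the instance that carries that VLAN. That alignment is the point of the root-bridge choices above: it keeps the path from an access switch to the active gateway off the SW5-SW6 trunk. The configuration text is copied from the steps; the parser, regular expressions and function names are mine.

```python
# Added example, not from the lab: check that each VLAN's VRRP master (steps
# 7 and 8) is also the MSTP root bridge of the instance that carries the VLAN
# (step 9). When they differ, frames from the access switch reach the
# gateway only after crossing the SW5-SW6 trunk.
import re
from collections import defaultdict

VRRP_DEFAULT_PRIORITY = 100     # VRRP priority when none is configured
MSTP_DEFAULT_PRIORITY = 32768   # MSTP bridge priority when none is configured

# Lines copied from steps 7 to 9 of the lab.
CONFIG = """
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 200
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 200
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 200
[SW6-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[SW6-Vlanif40]vrrp vrid 40 priority 200
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW5-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[SW5]stp instance 10 priority 0
[SW5]stp instance 20 priority 0
[SW6]stp instance 30 priority 0
[SW6]stp instance 40 priority 0
"""

# "[SW5-Vlanif10]cmd" -> device "SW5", command "cmd"
LINE_RE = re.compile(r"^\[(?P<sw>[A-Za-z0-9]+)(?:-[^\]]*)?\](?P<cmd>.*)$")
VIP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+)")
VPRI_RE = re.compile(r"vrrp vrid (\d+) priority (\d+)")
SPRI_RE = re.compile(r"stp instance (\d+) priority (\d+)")


def parse(config):
    """vrrp[vrid][switch] = [vip, priority]; mstp[instance][switch] = priority."""
    vrrp, mstp = defaultdict(dict), defaultdict(dict)
    for raw in config.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sw, cmd = m.group("sw"), m.group("cmd").strip()
        if (v := VIP_RE.match(cmd)):
            vrrp[int(v.group(1))].setdefault(sw, [None, VRRP_DEFAULT_PRIORITY])[0] = v.group(2)
        elif (v := VPRI_RE.match(cmd)):
            vrrp[int(v.group(1))].setdefault(sw, [None, VRRP_DEFAULT_PRIORITY])[1] = int(v.group(2))
        elif (s := SPRI_RE.match(cmd)):
            mstp[int(s.group(1))][sw] = int(s.group(2))
    return vrrp, mstp


def check_alignment(config):
    """Return {vrid: (vrrp_master, mstp_root, aligned)} for every VRRP group."""
    vrrp, mstp = parse(config)
    result = {}
    for vrid, members in sorted(vrrp.items()):
        # Highest VRRP priority wins; the lab maps VLAN N to instance N, so the
        # MSTP instance to compare against has the same number as the VRID.
        master = max(members, key=lambda sw: members[sw][1])
        roots = mstp.get(vrid, {})
        root = min(members, key=lambda sw: roots.get(sw, MSTP_DEFAULT_PRIORITY))
        result[vrid] = (master, root, master == root)
    return result


if __name__ == "__main__":
    for vrid, (master, root, ok) in check_alignment(CONFIG).items():
        print(f"VLAN {vrid}: VRRP master {master}, MSTP root {root}, aligned={ok}")
```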
10) Create VLAN 15 and VLAN 16 for the links between R1 and SW5/SW6
[SW5]vlan batch 15 16 // create the VLANs in one batch
[SW6]vlan batch 15 16 // create the VLANs in one batch
11) Configure R1 to run OSPF with SW5 and SW6 in area 0, with no Type 2 (network) LSAs
[SW5]interface vlanif 15 // IP interface towards R1
[SW5-Vlanif15]ip address 192.168.15.5 24
[SW5-Vlanif15]quit
[SW6]interface vlanif 16 // IP interface towards R1
[SW6-Vlanif16]ip address 192.168.16.6 24
[SW6-Vlanif16]quit
[Huawei]sysname R1
[R1]interface gi0/0/0 // IP interface towards SW5
[R1-GigabitEthernet0/0/0]ip address 192.168.15.1 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface gi0/0/2 // IP interface towards SW6
[R1-GigabitEthernet0/0/2]ip address 192.168.16.1 24
[R1-GigabitEthernet0/0/2]quit
[R1]ospf 1 router-id 1.1.1.1 // enable OSPF with router ID 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
[SW5]ospf 1 router-id 5.5.5.5 // enable OSPF with router ID 5.5.5.5
[SW5-ospf-1]area 0
[SW5-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.0]quit
[SW5-ospf-1]area 10
[SW5-ospf-1-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.10]quit
[SW5-ospf-1]area 20
[SW5-ospf-1-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.20]quit
[SW5-ospf-1]area 30
[SW5-ospf-1-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.30]quit
[SW5-ospf-1]area 40
[SW5-ospf-1-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.40]quit
[SW5-ospf-1]area 88
[SW5-ospf-1-area-0.0.0.88]network 192.168.88.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.88]quit
[SW6]ospf 1 router-id 6.6.6.6 // enable OSPF with router ID 6.6.6.6
[SW6-ospf-1]area 0
[SW6-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.0]quit
[SW6-ospf-1]area 10
[SW6-ospf-1-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.10]quit
[SW6-ospf-1]area 20
[SW6-ospf-1-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.20]quit
[SW6-ospf-1]area 30
[SW6-ospf-1-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.30]quit
[SW6-ospf-1]area 40
[SW6-ospf-1-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.40]quit
[SW6-ospf-1]area 66
[SW6-ospf-1-area-0.0.0.66]network 192.168.66.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.66]quit
[R1]interface GigabitEthernet 0/0/0 // link to SW5 (gi0/0/1 is the public-facing interface of step 15)
[R1-GigabitEthernet0/0/0]ospf network-type p2p // set the interface network type to P2P: no DR/BDR election, so no Type 2 LSA
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet 0/0/2 // link to SW6
[R1-GigabitEthernet0/0/2]ospf network-type p2p // set the interface network type to P2P
[R1-GigabitEthernet0/0/2]quit
[SW5]interface vlanif 15
[SW5-vlanif15]ospf network-type p2p // set the interface network type to P2P
[SW5-vlanif15]quit
[SW6]interface vlanif 16
[SW6-vlanif16]ospf network-type p2p // set the interface network type to P2P
[SW6-vlanif16]quit
12) Create VLAN 25 and VLAN 26 for the links between R2 and SW5/SW6
[SW5]vlan batch 25 26
[SW6]vlan batch 25 26
13) Configure R2 to run OSPF with SW5 and SW6 in area 0, with no Type 2 (network) LSAs
[SW5]interface vlanif 25 // IP interface towards R2
[SW5-Vlanif25]ip address 192.168.25.5 24
[SW5-Vlanif25]quit
[SW6]interface vlanif 26 // IP interface towards R2
[SW6-Vlanif26]ip address 192.168.26.6 24
[SW6-Vlanif26]quit
[Huawei]sysname R2
[R2]interface gi0/0/0 // IP interface towards SW5
[R2-GigabitEthernet0/0/0]ip address 192.168.25.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface gi0/0/1 // IP interface towards SW6
[R2-GigabitEthernet0/0/1]ip address 192.168.26.2 24
[R2-GigabitEthernet0/0/1]quit
[R2]ospf 1 router-id 2.2.2.2 // enable OSPF with router ID 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.25.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.26.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
[SW5]ospf 1
[SW5-ospf-1]area 0
[SW5-ospf-1-area-0.0.0.0]network 192.168.25.0 0.0.0.255 // advertise the interconnect link to R2 (vlanif 25) into area 0
[SW5-ospf-1-area-0.0.0.0]quit
[SW6]ospf 1
[SW6-ospf-1]area 0
[SW6-ospf-1-area-0.0.0.0]network 192.168.26.0 0.0.0.255 // advertise the interconnect link to R2 (vlanif 26) into area 0
[SW6-ospf-1-area-0.0.0.0]quit
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ospf network-type p2p // set the interface network type to P2P
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ospf network-type p2p // set the interface network type to P2P
[R2-GigabitEthernet0/0/1]quit
[SW5]interface vlanif 25
[SW5-vlanif25]ospf network-type p2p // set the interface network type to P2P
[SW5-vlanif25]quit
[SW6]interface vlanif 26
[SW6-vlanif26]ospf network-type p2p // set the interface network type to P2P
[SW6-vlanif26]quit
14) Configure the OSPF special areas
[SW5]ospf 1
[SW5-ospf-1]area 88
[SW5-ospf-1-area-0.0.0.88]stub no-summary // make area 88 a totally stubby area
[SW5-ospf-1-area-0.0.0.88]quit
[SW6]ospf 1
[SW6-ospf-1]area 66
[SW6-ospf-1-area-0.0.0.66]stub no-summary // make area 66 a totally stubby area
[SW6-ospf-1-area-0.0.0.66]quit
15) Set the public IP addresses on the head-office edge devices
[R1]interface gi0/0/1
[R1-GigabitEthernet0/0/1]ip address 100.1.1.2 24 // IP address of the interface facing the public network
[R1-GigabitEthernet0/0/1]quit
[R2]interface gi0/0/2
[R2-GigabitEthernet0/0/2]ip address 200.1.1.2 24 // IP address of the interface facing the public network
[R2-GigabitEthernet0/0/2]quit
16) Configure NAT on the edge devices
[R1]acl 2040 // ACL that decides which internal users may reach the Internet
[R1-acl-basic-2040]rule 10 deny source 192.168.40.0 0.0.0.255 // deny the hosts in VLAN 40 access to the external network
[R1-acl-basic-2040]rule 20 permit source any // permit all hosts in the other VLANs
[R1-acl-basic-2040]quit
[R1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1 // default route towards the public network
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2040 // configure Easy IP (source NAT using the interface address)
[R1-GigabitEthernet0/0/1]quit
[R2]acl 2040
[R2-acl-basic-2040]rule 10 deny source 192.168.40.0 0.0.0.255 // deny the hosts in VLAN 40 access to the external network
[R2-acl-basic-2040]rule 20 permit source any // permit all hosts in the other VLANs
[R2-acl-basic-2040]quit
[R2]ip route-static 0.0.0.0 0.0.0.0 200.1.1.1 // default route towards the public network
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2040 // configure Easy IP (source NAT using the interface address)
[R2-GigabitEthernet0/0/2]quit
18) Configure backup between the edge devices: R1 is the primary exit and R2 the backup exit
[R1]ospf 1
[R1-ospf-1]default-route-advertise // primary exit: originate an OSPF default route
[R1-ospf-1]quit
[R2]ospf 1
[R2-ospf-1]default-route-advertise cost 2 // backup exit: originate an OSPF default route with its cost raised to 2
[R2-ospf-1]quit
19) Configure NAT Server so that external users can reach the internal web server
[R1]interface GigabitEthernet 0/0/1 // public-facing interface from step 15
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 80 inside 192.168.88.1 80 // when an external user connects to TCP port 80 on 100.1.1.8, forward the traffic to TCP port 80 on 192.168.88.1
[R1-GigabitEthernet0/0/1]quit
[R2]interface GigabitEthernet 0/0/2 // public-facing interface from step 15
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 80 inside 192.168.88.1 80 // when an external user connects to TCP port 80 on 200.1.1.8, forward the traffic to TCP port 80 on 192.168.88.1
[R2-GigabitEthernet0/0/2]quit
20) Create management VLAN 199 on the switches, assign a management IP address and enable remote login
[SW1]vlan 199 // create VLAN 199
[SW1-vlan199]quit
[SW1]interface vlanif 199 // management IP address on VLAN 199
[SW1-Vlanif199]ip address 192.168.199.1 24
[SW1-Vlanif199]quit
[SW1]aaa // enter AAA view
[SW1-aaa]local-user HuaWei password cipher HCIE // create the user name and password
[SW1-aaa]local-user HuaWei service-type telnet // set the user's service type to telnet
[SW1-aaa]quit
[SW1]user-interface vty 0 4
[SW1-ui-vty0-4]authentication-mode aaa // enter the VTY lines and set the authentication mode to AAA
[SW1-ui-vty0-4]quit
[SW2]vlan 199
[SW2-vlan199]quit
[SW2]interface vlanif 199
[SW2-Vlanif199]ip address 192.168.199.2 24
[SW2-Vlanif199]quit
[SW2]aaa
[SW2-aaa]local-user HuaWei password cipher HCIE
[SW2-aaa]local-user HuaWei service-type telnet
[SW2-aaa]quit
[SW2]user-interface vty 0 4
[SW2-ui-vty0-4]authentication-mode aaa
[SW2-ui-vty0-4]quit
[SW3]vlan 199
[SW3-vlan199]quit
[SW3]interface vlanif 199
[SW3-Vlanif199]ip address 192.168.199.3 24
[SW3-Vlanif199]quit
[SW3]aaa
[SW3-aaa]local-user HuaWei password cipher HCIE
[SW3-aaa]local-user HuaWei service-type telnet
[SW3-aaa]quit
[SW3]user-interface vty 0 4
[SW3-ui-vty0-4]authentication-mode aaa
[SW3-ui-vty0-4]quit
[SW4]vlan 199
[SW4-vlan199]quit
[SW4]interface vlanif 199
[SW4-Vlanif199]ip address 192.168.199.4 24
[SW4-Vlanif199]quit
[SW4]aaa
[SW4-aaa]local-user HuaWei password cipher HCIE
[SW4-aaa]local-user HuaWei service-type telnet
[SW4-aaa]quit
[SW4]user-interface vty 0 4
[SW4-ui-vty0-4]authentication-mode aaa
[SW4-ui-vty0-4]quit
[SW5]vlan 199
[SW5-vlan199]quit
[SW5]interface vlanif 199
[SW5-Vlanif199]ip address 192.168.199.5 24
[SW5-Vlanif199]quit
[SW5]aaa
[SW5-aaa]local-user HuaWei password cipher HCIE
[SW5-aaa]local-user HuaWei service-type telnet
[SW5-aaa]quit
[SW5]user-interface vty 0 4
[SW5-ui-vty0-4]authentication-mode aaa
[SW5-ui-vty0-4]quit
[SW6]vlan 199
[SW6-vlan199]quit
[SW6]interface vlanif 199
[SW6-Vlanif199]ip address 192.168.199.6 24
[SW6-Vlanif199]quit
[SW6]aaa
[SW6-aaa]local-user HuaWei password cipher HCIE
[SW6-aaa]local-user HuaWei service-type telnet
[SW6-aaa]quit
[SW6]user-interface vty 0 4
[SW6-ui-vty0-4]authentication-mode aaa
[SW6-ui-vty0-4]quit
21) Configure gateway redundancy for VLAN 199: SW5 is the primary gateway and SW6 the backup gateway
[SW5]interface vlanif 199 // VRRP for VLAN 199, SW5 is the master
[SW5-Vlanif199]vrrp vrid 199 virtual-ip 192.168.199.254
[SW5-Vlanif199]vrrp vrid 199 priority 200
[SW5-Vlanif199]quit
[SW6]interface vlanif 199 // VRRP for VLAN 199, SW6 is the backup
[SW6-Vlanif199]vrrp vrid 199 virtual-ip 192.168.199.254
[SW6-Vlanif199]quit
22) Add a default route on every access switch pointing at the VLAN 199 virtual gateway
[SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254 // route to all other subnets
[SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254 // route to all other subnets
[SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254 // route to all other subnets
[SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.199.254 // route to all other subnets
23) Advertise VLAN 199 in OSPF on SW5 and SW6 so that R1 and R2 learn it
[SW5]ospf 1
[SW5-ospf-1]area 199
[SW5-ospf-1-area-0.0.0.199]network 192.168.199.0 0.0.0.255 // advertise the management VLAN into OSPF
[SW5-ospf-1-area-0.0.0.199]quit
[SW6]ospf 1
[SW6-ospf-1]area 199
[SW6-ospf-1-area-0.0.0.199]network 192.168.199.0 0.0.0.255 // advertise the management VLAN into OSPF
[SW6-ospf-1-area-0.0.0.199]quit
24) Adjust the OSPF cost on the edge devices so that traffic to VLAN 199 prefers the path through SW5
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ospf cost 6 // set the OSPF cost of this interface (link to SW6) to 6
[R1-GigabitEthernet0/0/2]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ospf cost 6 // set the OSPF cost of this interface (link to SW6) to 6
[R2-GigabitEthernet0/0/1]quit
25) Configure NAT Server on the edge devices so that the internal switches can be reached remotely from the external network
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2001 inside 192.168.199.1 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2002 inside 192.168.199.2 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2003 inside 192.168.199.3 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2004 inside 192.168.199.4 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2005 inside 192.168.199.5 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2006 inside 192.168.199.6 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2007 inside 192.168.199.7 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 2008 inside 192.168.199.8 23
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.8 20010 inside 192.168.199.10 23
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2001 inside 192.168.199.1 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2002 inside 192.168.199.2 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2003 inside 192.168.199.3 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2004 inside 192.168.199.4 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2005 inside 192.168.199.5 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2006 inside 192.168.199.6 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2007 inside 192.168.199.7 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 2008 inside 192.168.199.8 23
[R2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.8 20010 inside 192.168.199.10 23
26) Ensure that, among internal users, only PC2 can log in remotely to the internal devices
[DHCP-Server]ip pool VLAN20
[DHCP-Server-ip-pool-VLAN20]static-bind ip-address 192.168.20.2 mac-address 5489-98F0-74FC // the MAC address is PC2's physical address, so PC2 always receives 192.168.20.2
[SW1]acl 2000
[SW1-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0 // PC2 only: wildcard 0.0.0.0 matches the single host (0.0.0.255 would admit all of VLAN 20)
[SW1-acl-basic-2000]rule 20 permit source 100.1.1.1 0.0.0.0 // 100.1.1.1 and 200.1.1.1 are the external next hops from step 16
[SW1-acl-basic-2000]rule 30 permit source 200.1.1.1 0.0.0.0
[SW1-acl-basic-2000]quit
[SW1]user-interface vty 0 4
[SW1-ui-vty0-4]acl 2000 inbound // apply the ACL inbound on the VTY lines
[SW1-ui-vty0-4]quit
[SW2]acl 2000
[SW2-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
[SW2-acl-basic-2000]rule 20 permit source 100.1.1.1 0.0.0.0
[SW2-acl-basic-2000]rule 30 permit source 200.1.1.1 0.0.0.0
[SW2-acl-basic-2000]quit
[SW2]user-interface vty 0 4
[SW2-ui-vty0-4]acl 2000 inbound
[SW2-ui-vty0-4]quit
[SW3]acl 2000
[SW3-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
[SW3-acl-basic-2000]rule 20 permit source 100.1.1.1 0.0.0.0
[SW3-acl-basic-2000]rule 30 permit source 200.1.1.1 0.0.0.0
[SW3-acl-basic-2000]quit
[SW3]user-interface vty 0 4
[SW3-ui-vty0-4]acl 2000 inbound
[SW3-ui-vty0-4]quit
[SW4]acl 2000
[SW4-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
[SW4-acl-basic-2000]rule 20 permit source 100.1.1.1 0.0.0.0
[SW4-acl-basic-2000]rule 30 permit source 200.1.1.1 0.0.0.0
[SW4-acl-basic-2000]quit
[SW4]user-interface vty 0 4
[SW4-ui-vty0-4]acl 2000 inbound
[SW4-ui-vty0-4]quit
[SW5]acl 2000
[SW5-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
[SW5-acl-basic-2000]rule 20 permit source 100.1.1.1 0.0.0.0
[SW5-acl-basic-2000]rule 30 permit source 200.1.1.1 0.0.0.0
[SW5-acl-basic-2000]quit
[SW5]user-interface vty 0 4
[SW5-ui-vty0-4]acl 2000 inbound
[SW5-ui-vty0-4]quit
[SW6]acl 2000
[SW6-acl-basic-2000]rule 10 permit source 192.168.20.2 0.0.0.0
[SW6-acl-basic-2000]rule 20 permit source 100.1.1.1 0.0.0.0
[SW6-acl-basic-2000]rule 30 permit source 200.1.1.1 0.0.0.0
[SW6-acl-basic-2000]quit
[SW6]user-interface vty 0 4
[SW6-ui-vty0-4]acl 2000 inbound
[SW6-ui-vty0-4]quit
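Added example (not part of the lab): a Python evaluator for VRP basic-ACL rules, applied to ACL 2040 from step 16 (the Easy IP filter) and ACL 2000 from step 26 (the VTY filter). It shows why the source wildcard for PC2 has to be 0.0.0.0: the wildcard marks the address bits the rule ignores, so 0.0.0.255 would admit every host in VLAN 20. The rule text is the lab's; the parser and function names are mine, and treating a VTY source that matches no rule as refused is the behaviour the lab's permit-only ACL 2000 relies on.

```python
# Added example, not from the lab: evaluate VRP basic-ACL rules the way the
# device does. A wildcard mask marks the address bits that are ignored, so
# "0.0.0.0" (or "0") matches one host and "0.0.0.255" matches a whole /24.
# Rules are tried in ascending rule-number order and the first match decides.
import ipaddress
import re

RULE_RE = re.compile(r"rule (\d+) (permit|deny) source (any|\S+)(?: (\S+))?")


def wildcard_to_network(addr, wildcard):
    """Turn 'source A W' into the IPv4Network it matches."""
    if wildcard in (None, "0"):          # VRP shorthand: "0" means a single host
        wildcard = "0.0.0.0"
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))), strict=False)


def parse_rules(text):
    """Return [(number, action, network)] sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        num, action, src, wild = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0") if src == "any" else wildcard_to_network(src, wild)
        rules.append((int(num), action, net))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules, source, default):
    """'permit' or 'deny' for one source address; `default` applies when no rule matches."""
    addr = ipaddress.ip_address(source)
    for _, action, net in rules:
        if addr in net:
            return action
    return default


# ACL 2040 from step 16: VLAN 40 is excluded from Easy IP, everyone else is translated.
ACL_2040 = """
rule 10 deny source 192.168.40.0 0.0.0.255
rule 20 permit source any
"""

# ACL 2000 from step 26 with a host wildcard for PC2 (192.168.20.2 is pinned to
# PC2's MAC by the static-bind in the DHCP pool).
ACL_2000 = """
rule 10 permit source 192.168.20.2 0.0.0.0
rule 20 permit source 100.1.1.1 0.0.0.0
rule 30 permit source 200.1.1.1 0.0.0.0
"""

# The same ACL written with the wildcard 0.0.0.255: every VLAN 20 host gets in.
ACL_2000_LOOSE = ACL_2000.replace("192.168.20.2 0.0.0.0", "192.168.20.2 0.0.0.255")


def nat_decision(source):
    """Would ACL 2040 let this source be translated by 'nat outbound 2040'? ('deny' = not translated)"""
    return evaluate(parse_rules(ACL_2040), source, default="deny")


def vty_decision(acl_text, source):
    """VTY login decision; a source matching no rule is refused, which is what
    the lab's permit-only ACL 2000 relies on."""
    return evaluate(parse_rules(acl_text), source, default="deny")


if __name__ == "__main__":
    for src in ("192.168.20.2", "192.168.20.3"):
        print(src, "strict:", vty_decision(ACL_2000, src), "loose:", vty_decision(ACL_2000_LOOSE, src))
```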