项目实战-配置命令
实验1:基础交换网络设计
1、拓扑
2、需求
- 公司有三个部门,财务部,市场部,技术部,为了内网安全,给每个部门单独划分一个VLAN
- 财务部:vlan10、市场部:vlan20、技术部:vlan30
- 公司所有部门,所有VLAN内的主机都通过DHCP服务器分发IP地址
- 每个部门,每个VLAN的网关地址都为,192.168.xx.254
- SW5中每个vlanif 虚接口地址都为 192.168.xx.251
- SW5通过vlanif50 与DHCP进行通信,DHCP服务器管理IP:192.168.50.1
- 所有的PC都通过SW5与DHCP服务器进行通信,获取IP地址,所以SW5是DHCP中继
3、步骤
第一步:配置SW1/SW2/SW3
- 3台交换机创建vlan10/vlan20/vlan30/vlan50
- 与PC互联的接口配置为access,并接入指定的vlan
- 与SW5交换机互联的接口配置为trunk,允许所有vlan通过
第二步:配置SW5-基础配置
- 创建vlan10/vlan20/vlan30/vlan50
- 与SW1/SW2/SW3互联的接口配置trunk,允许所有vlan通过
- 与R3-DHCP 服务器互联的接口配置access ,加入vlan50
第三步:配置DHCP服务器
- 在R3-DHCP系统视图下开启dhcp 功能
- R3-DHCP中创建IP地址池(网段、网关、dns)
- R3-DHCP中配置默认路由,下一跳为192.168.50.251 (配置回程路由,回应DHCP请求)
- 在R3-DHCP-g0/0/1接口下配置IP地址:192.168.50.1
- 在R3-DHCP-g0/0/1接口下开启基于全局的DHCP
第四步:配置SW5-DHCP中继
- 在系统视图下,开启dhcp 功能
- 配置vlanif虚接口地址:192.168.xx.251
4、命令
# 第一步:配置接入层交换机
[SW1]vlan batch 10 20 30 50
[SW1]int g0/0/1
[SW1-G0/0/1]port link-type access
[SW1-Gi0/0/1]port default vlan 10
[SW1-G0/0/1]quit
[SW1]int g0/0/23
[SW1-G0/0/23]port link-type trunk
[SW1-G0/0/23]port trunk allow-pass vlan all
[SW2]vlan batch 10 20 30 50
[SW2]int g0/0/1
[SW2-G0/0/1]port link-type access
[SW2-G0/0/1]port default vlan 20
[SW2-G0/0/1]int g0/0/23
[SW2-G0/0/23]port link-type trunk
[SW2-G0/0/23]port trunk allow-pass vlan all
[SW3]vlan batch 10 20 30
[SW3]int g0/0/1
[SW3-G0/0/1]port link-type access
[SW3-G0/0/1]port default vlan 30
[SW3-Gi0/0/1]int g0/0/23
[SW3-G0/0/23]port link-type trunk
[SW3-G0/0/23]port trunk allow-pass vlan all
# 第二步:HX-SW5基础配置
[HX-SW5]vlan batch 10 20 30 50
[HX-SW5]port-group group-member g0/0/1 to g0/0/3
[HX-SW5-port-group]port link-type trunk
[HX-SW5-port-group]port trunk allow-pass vlan all
[HX-SW5-port-group]quit
[HX-SW5]int g0/0/5
[HX-SW5-G0/0/5]port link-type access
[HX-SW5-G0/0/5]port default vlan 50
# 第三步:配置DHCP服务器
[R3-DHCP]dhcp enable
[R3-DHCP]int g0/0/1
[R3-DHCP-G0/0/1]dhcp select global
[R3-DHCP-G0/0/1]quit
[R3-DHCP]ip pool vlan10
[R3-DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[R3-DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[R3-DHCP-ip-pool-vlan10]dns-list 8.8.8.8
[R3-DHCP-ip-pool-vlan10]ip pool vlan20
[R3-DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[R3-DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[R3-DHCP-ip-pool-vlan20]dns-list 8.8.8.8
[R3-DHCP-ip-pool-vlan20]ip pool vlan30
[R3-DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[R3-DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[R3-DHCP-ip-pool-vlan30]dns-list 8.8.8.8
# 重要:在DHCP中配置回程的默认路由
[R3-DHCP]ip route-static 0.0.0.0 0.0.0.0 192.168.50.251
# 第四步:配置DHCP中继
[HX-SW5]dhcp enable
[HX-SW5]int vlan 10
[HX-SW5-Vlanif10]ip add 192.168.10.251 24
[HX-SW5-Vlanif10]dhcp select relay
[HX-SW5-Vlanif10]dhcp relay server-ip 192.168.50.1
[HX-SW5-Vlanif10]int vlan 20
[HX-SW5-Vlanif20]ip add 192.168.20.251 24
[HX-SW5-Vlanif20]dhcp select relay
[HX-SW5-Vlanif20]dhcp relay server-ip 192.168.50.1
[HX-SW5-Vlanif20]int vlan 30
[HX-SW5-Vlanif30]ip add 192.168.30.251 24
[HX-SW5-Vlanif30]dhcp select relay
[HX-SW5-Vlanif30]dhcp relay server-ip 192.168.50.1
# 重要:给vlan50配置IP地址
[HX-SW5]int vlan 50
[HX-SW5-Vlanif10]ip add 192.168.50.251 24
# 验证:所有的PC都可以获取IP地址实验2:内网优化
拓扑
需求
1)为了增强网关稳定性和可靠性,我们部署网关冗余性技术
- 配置VRRP
- HX-SW5是VLAN10和VLAN20的Master ,是VLAN30的Backup
- HX-SW6是VLAN10和VLAN20的Backup,是VLAN30的Master
2)交换机之间存在很多冗余链路,
- 配置MSTP
- HX-SW5是VLAN10和VLAN20的主根 ,是VLAN30/vlan50的备根
- HX-SW6是VLAN10和VLAN20的备根 ,是VLAN30/vlan50的主根
3)VLAN30的主机通过HX-SW6与DHCP服务器通信,获取IP地址,所以HX-SW6也是DHCP中继
步骤
第一步:HX-SW6基础配置
- 创建vlan10/vlan20/vlan30/vlan50
- 与SW1/SW2/SW3互联的接口配置trunk,允许所有vlan通过
- HX-SW5和HX-SW6配置链路聚合
第二步:配置MSTP
- 在所有的交换机中配置MSTP
- 让HX-SW5成为vlan10/vlan20的主根,vlan30/vlan50的备根
- 让HX-SW6成为vlan30/vlan50的主根、vlan10/vlan20的备根
第三步:配置VRRP
在vlanif虚接口下配置VRRP
-让HX-SW5成为vlan10/vlan20的Master,vlan30的Backup
-HX-SW6配置vlanif虚接口地址:192.168.xx.252
-让HX-SW6成为vlan30的Master,vlan10/vlan20的Backup
第四步:配置HX-SW6 的DHCP中继
- 在系统视图下,开启dhcp 功能
- 在每个vlanif虚接口下开启dhcp中继,并配置DHCP服务器IP:192.168.50.1
命令
第一步:HX-SW6基础配置,配置链路聚合
[HX-SW6]vlan batch 10 20 30 50
[HX-SW6]port-group group-member g0/0/1 to g0/0/3
[HX-SW6-port-group]port link-type trunk
[HX-SW6-port-group]port trunk allow-pass vlan all
[HX-SW6]int eth-trunk 1
[HX-SW6-Eth-Trunk1]mode lacp-static
[HX-SW6-Eth-Trunk1]trunkport g 0/0/6 to 0/0/8
[HX-SW6-Eth-Trunk1]port link-type trunk
[HX-SW6-Eth-Trunk1]port trunk allow-pass vlan all
[HX-SW6-Eth-Trunk1]max active-linknumber 2
[HX-SW6-Eth-Trunk1]lacp preempt enable
[HX-SW5]int eth-trunk 1
[HX-SW5-Eth-Trunk1]mode lacp-static
[HX-SW5-Eth-Trunk1]trunkport g 0/0/6 to 0/0/8
[HX-SW5-Eth-Trunk1]port link-type trunk
[HX-SW5-Eth-Trunk1]port trunk allow-pass vlan all
[HX-SW5-Eth-Trunk1]max active-linknumber 2
[HX-SW5-Eth-Trunk1]lacp preempt enable
[HX-SW5]lacp priority 100 :配置HX-SW5为LACP主动端
验证:display eth-trunk 1
第二步:配置多生成树
1) 所有的交换机都复制粘贴这些配置
#
stp region-configuration
region-name ntd2410
instance 5 vlan 50
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
active region-configuration
2) 指定根交换机
[HX-SW5]stp instance 10 priority 4096
[HX-SW5]stp instance 20 priority 4096
[HX-SW5]stp instance 30 priority 8192
[HX-SW5]stp instance 5 priority 8192
[HX-SW6]stp instance 10 priority 8192
[HX-SW6]stp instance 20 priority 8192
[HX-SW6]stp instance 30 priority 4096
[HX-SW6]stp instance 5 priority 4096
3) SW1/SW2/SW3的g0/0/24口配置trunk
[SW1]int g0/0/24
[SW1-GigabitEthernet0/0/24]port link-type trunk
[SW1-GigabitEthernet0/0/24]port trunk allow-pass vlan all
[SW2]int g0/0/24
[SW2-GigabitEthernet0/0/24]port link-type trunk
[SW2-GigabitEthernet0/0/24]port trunk allow-pass vlan all
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type trunk
[SW3-GigabitEthernet0/0/24]port trunk allow-pass vlan all
第三步:配置VRRP
[HX-SW5]int vlan 10
[HX-SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[HX-SW5-Vlanif10]vrrp vrid 10 priority 130
[HX-SW5-Vlanif10]int vlan 20
[HX-SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[HX-SW5-Vlanif20]vrrp vrid 20 priority 130
[HX-SW5-Vlanif20]int vlan 30
[HX-SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[HX-SW6]int vlan 10
[HX-SW6-Vlanif10]ip add 192.168.10.252 24
[HX-SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[HX-SW6-Vlanif10]int vlan 20
[HX-SW6-Vlanif20]ip add 192.168.20.252 24
[HX-SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[HX-SW6-Vlanif20]int vlan 30
[HX-SW6-Vlanif30]ip add 192.168.30.252 24
[HX-SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[HX-SW6-Vlanif30]vrrp vrid 30 priority 130
第四步:配置dhcp中继
[HX-SW6]dhcp enable
[HX-SW6]int vlan 10
[HX-SW6-Vlanif10]dhcp select relay
[HX-SW6-Vlanif10]dhcp relay server-ip 192.168.50.1
[HX-SW6-Vlanif10]int vlan 20
[HX-SW6-Vlanif20]dhcp select relay
[HX-SW6-Vlanif20]dhcp relay server-ip 192.168.50.1
[HX-SW6-Vlanif20]int vlan 30
[HX-SW6-Vlanif30]dhcp select relay
[HX-SW6-Vlanif30]dhcp relay server-ip 192.168.50.1
[HX-SW6]int vlan 50
[HX-SW6-Vlanif50]ip add 192.168.50.252 24# 做功能测试
: display port vlan
:display vrrp brief
: display stp instance 10
: display stp instance 20
: display stp instance 30
: display stp instance 5
: display stp instance 10 brief
: display stp instance 20 brief
: display stp instance 30 brief
: display ip pool name vlan10 used
: display ip pool name vlan20 used
: display ip pool name vlan30 used
: display eth-trunk 1# 做业务测试
所有的PC都可以获取IP地址
所有的PC都可以互联互通实验3:内外网互联
拓扑
需求
1)HX-SW5通过vlanif15和出口设备R1互联
2)HX-SW6通过vlanif16和出口设备R1互联
3)在HX-SW5/HX-SW6与出口设备R1中配置路由,实现HX-SW5/HX-SW6与R1的互通
4)公司出口设备 R1连接外网,公司租用的公网网段:100.1.1.0/29
5)公司内网主机有访问外网的需求,所以在R1上配置默认路由,下一跳为公网网关
6)使用ACL来定义允许那些部门和网段访问外网
7)部署地址池NAT,实现内网主机访问外网
8) 配置VRRP的上行接口监控
步骤
第一步: 基础配置
- R1配置接口IP地址
- R2-ISP配置接口IP地址
- Server1 和Client1 配置IP地址
- 在HX-SW5中创建vlan15/vlan16,并将g0/0/9接口加入vlan15
- 在HX-SW5中配置vlanif 15的接口IP地址
- 在HX-SW6中创建vlan15/vlan16,并将g0/0/9接口加入vlan16
- 在HX-SW6中配置vlanif 16的接口IP地址
第二步:配置静态路由和浮动路由器,实现内网互联互通
- 在HX-SW5中配置默认路由,下一跳指向出口设备R1,实现将企业内网数据转发给出口设备
- 在HX-SW6中配置默认路由,下一跳指向出口设备R1,实现将企业内网数据转发给出口设备
- 在R1配置去往vlan10/vlan20/vlan30网段的浮动路由,下一跳分别指SW5和SW6
第三步:R1配置默认路由和NAT
-R1配置默认路由,下一跳指向公网网关
-R1配置NAT地址池
-R1配置ACL,定义允许那些内网网段访问外网
-R1在出接口g0/0/2中配置地址池NAT
第四步:配置VRRP上行接口监控
命令
# 第一步: 基础配置
[R1]int g0/0/0
[R1-G0/0/0]ip add 192.168.15.1 24
[R1-G0/0/0]int g0/0/1
[R1-G0/0/1]ip add 192.168.16.1 24
[R1-G0/0/1]int g0/0/2
[R1-G0/0/2]ip add 100.1.1.1 29
[R2-ISP-dx]int g0/0/0
[R2-ISP-dx-G0/0/0]ip add 100.1.1.2 29
[R2-ISP-dx-G0/0/0]int g0/0/1
[R2-ISP-dx-G0/0/1]ip add 200.1.1.254 24
[HX-SW5]vlan batch 15 16
[HX-SW5]int vlan 15
[HX-SW5-Vlanif15]ip add 192.168.15.5 24
[HX-SW5-Vlanif15]quit
[HX-SW5]int g0/0/9
[HX-SW5-G0/0/9]port link-type access
[HX-SW5-G0/0/9]port default vlan 15
[HX-SW6]vlan batch 15 16
[HX-SW6]int vlan 16
[HX-SW6-Vlanif16]ip add 192.168.16.6 24
[HX-SW6-Vlanif16]quit
[HX-SW6]int g0/0/9
[HX-SW6-G0/0/9]port link-type access
[HX-SW6-G0/0/9]port default vlan 16
# 第二步:配置静态路由和浮动路由,实现内网互联互通
[HX-SW5]ip route-static 0.0.0.0 0.0.0.0 192.168.15.1
[HX-SW6]ip route-static 0.0.0.0 0.0.0.0 192.168.16.1
[R1]ip route-static 192.168.10.0 24 192.168.15.5
[R1]ip route-static 192.168.10.0 24 192.168.16.6 preference 70
[R1]ip route-static 192.168.20.0 24 192.168.15.5
[R1]ip route-static 192.168.20.0 24 192.168.16.6 preference 70
[R1]ip route-static 192.168.30.0 24 192.168.16.6
[R1]ip route-static 192.168.30.0 24 192.168.15.5 preference 70
# 第三步:R1配置默认路由和NAT
[R1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
[R1]nat address-group 1 100.1.1.3 100.1.1.5
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000]rule 20 permit source 192.168.20.0 0.0.0.255
[R1-acl-basic-2000]rule 30 permit source 192.168.30.0 0.0.0.255
[R1]int g0/0/2
[R1-G0/0/2]nat outbound 2000 address-group 1
# 第四步:配置VRRP上行接口监控
[HX-SW5]int vlan 10
[HX-SW5-Vlanif10]vrrp vrid 10 track int g0/0/9 re
[HX-SW5-Vlanif10]vrrp vrid 10 track int g0/0/9 reduced 50
[HX-SW5]int vlan 20
[HX-SW5-Vlanif20]vrrp vrid 20 track int g0/0/9 reduced 50
[HX-SW6]int vlan 30
[HX-SW6-Vlanif30]vrrp vrid 30 track int g0/0/9 reduced 50扩展知识
# 第一步:接口加入vlan
[SW1]port-group group-member g0/0/2 to g0/0/4
[SW1-port-group]port link-type access
[SW1-port-group]port default vlan 10
# 存在问题:PC能获取到DNS,但是获取不到IP地址
# 原因: IP地址冲突
192.168.10.252 被SW6的vlanif10占用
192.168.10.251 被SW5的vlanif10占用
# 第一个解决方案: 做地址排除
1) 先关闭PC的DHCP功能,改为静态,点击应用
2) 重置IP地址池
<R3-dhcp> reset ip pool name vlan10 all<R3-dhcp> reset ip pool name vlan20 all<R3-dhcp> reset ip pool name vlan30 all3)做IP地址排除[R3-dhcp]ip pool vlan10[R3-dhcp-ip-pool-vlan10]excluded-ip-address 192.168.10.251 192.168.10.252[R3-dhcp]ip pool vlan20[R3-dhcp-ip-pool-vlan20]excluded-ip-address 192.168.20.251 192.168.20.252[R3-dhcp-ip-pool-vlan20]ip pool vlan30[R3-dhcp-ip-pool-vlan30]excluded-ip-address 192.168.30.251 192.168.30.2524)验证测试PC 按照顺序开启dhcp 功能ipconfig /releaseipconfig /renew# 第二个解决方案: dhcp ping 探测 (实际,企业中有人私自配置IP地址,为了彻底解决IP地冲突的问题,建议用此方法)1) 删除地址排除[R3-dhcp]ip pool vlan10[R3-dhcp-ip-pool-vlan10]undo excluded-ip-address 192.168.10.251 192.168.10.252[R3-dhcp]ip pool vlan20[R3-dhcp-ip-pool-vlan20]undo excluded-ip-address 192.168.20.251 192.168.20.252[R3-dhcp]ip pool vlan30[R3-dhcp-ip-pool-vlan30]undo excluded-ip-address 192.168.30.251 192.168.30.2522)关闭PC的dhcp功能3)重置IP地址池<R3-dhcp> reset ip pool name vlan10 all<R3-dhcp> reset ip pool name vlan20 all<R3-dhcp> reset ip pool name vlan30 all4)保存配置,重启ensp设备5)配置dhcp ping 探测[R3-dhcp]dhcp server ping packet 2[R3-dhcp]dhcp server ping timeout 30# DHCP服务器在通过dhcp offer下发IP地址的时候,为了避免IP地址冲突# 会发icmp请求报文,ping一下要下发的这个IP地址。(packet 2:表示发2个ping包)# 发完ping包后30毫秒内,如果有收到imcp应答报文# 则证明,网络中有主机在使用这个IP地址,# 所以就不能再下发这个IP地址,避免IP地址冲突# 所以就跳过这个IP地址,下发下一个IP地址# 如果发完icmp请求报文后,没有收到icmp应答报文# 则证明,网络中,没有主机使用这个IP地址,可以下发# 注意:先把所有的PC都关闭dhcp功能,充值IP地址池,保存DHCP服务器配置,重启DHCP服务器# :先打开一台PC的dhcp功能,先使用ipconfig /release释放IP地址# :再使用ipconfig /renew 更新IP地址# :成功获取IP地址后,再打开另外一台PC,开启dhcp功能6)验证测试PC 按照顺序开启dhcp 功能ipconfig /releaseipconfig /renew