It has been a long time since I did any network configuration and I am a bit rusty. A friend happened to hand me this topology to try, and it took me two days on and off. It covers a fairly complete set of topics, so I wrote the process up as a document.
Topology diagram
Requirements
- All hosts obtain their addresses via DHCP (including the DNS server address);
- SW1 is the root bridge of the default STP instance;
- SW1 is the root bridge for VLAN 10, 30, 100 and 101;
- SW2 is the root bridge for VLAN 20, 40 and 102;
- An Eth-Trunk in LACP mode is configured between SW1 and SW2;
- SW1 is the gateway for VLAN 10, 30, 100 and 101;
- SW2 is the gateway for VLAN 20, 40 and 102;
- R1, R2, SW1 and SW2 run OSPF;
- OSPF is configured so that internal traffic reaches the Internet via R1 by default;
- The firewall is configured so that traffic from outside to the inside goes via R1 and SW1 by default;
- The AC is configured and pushes its configuration to the APs;
- The internal network can reach the DMZ servers;
- The FTP server in the DMZ provides FTP service to Internet users;
- The DNS server in the DMZ provides DNS service to internal users;
- Easy IP is configured on the FW so that internal users can access the Internet.
Configuration steps
Configure the interface addresses on each device and add the interfaces to the corresponding VLANs
Before that, create the VLANs on the switches; the following command creates them in one batch:
vlan batch 10 20 30 40 11 100 101 102
Configure all hosts to obtain their IP address via DHCP
First, create an address pool for each VLAN on DHCP_SERVER. Key configuration:
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.246 192.168.10.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.246 192.168.20.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.246 192.168.30.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.246 192.168.40.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
#
ip pool vlan101
gateway-list 192.168.101.254
network 192.168.101.0 mask 255.255.255.0
excluded-ip-address 192.168.101.246 192.168.101.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
#
ip pool vlan102
gateway-list 192.168.102.254
network 192.168.102.0 mask 255.255.255.0
excluded-ip-address 192.168.102.246 192.168.102.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
#
ip pool vlan100
gateway-list 192.168.100.254
network 192.168.100.0 mask 255.255.255.0
excluded-ip-address 192.168.100.1 192.168.100.10
excluded-ip-address 192.168.100.246 192.168.100.253
lease day 0 hour 3 minute 0
dns-list 172.16.1.200
option 43 sub-option 3 ascii 192.168.22.253
The `option 43 sub-option 3` line in the vlan100 pool is what lets the APs, which get their address from that pool, find the AC. The address it carries must be the AC's CAPWAP source address, i.e. the Vlanif22 address configured on the AC in the wireless section. As written, the pool carries 192.168.22.253 while the AC's Vlanif22 is 192.168.22.22; check that the two agree, otherwise the APs never discover the AC.
Then, on the GE0/0/0 interface of DHCP_SERVER, configure the address and enable DHCP, selecting the global address pools:
dhcp enable
interface GigabitEthernet0/0/0
ip address 192.168.11.253 255.255.255.0
dhcp select global
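Address pools like the ones above are usually produced by copy-paste, and the typical slip is an `excluded-ip-address` range taken from another VLAN or an end address outside the subnet, which is easy to miss when reading a long configuration. The Python script below is an added example that is not part of the original post: it parses `ip pool` blocks in the syntax used above and reports gateways or excluded ranges that fall outside the pool's network. The configuration text embedded in it is constructed for the example and deliberately contains both mistakes.

```python
"""Sanity-check Huawei-style `ip pool` blocks before pushing them.

Added example, not part of the original post. Parses the pool syntax used
above (network/mask, gateway-list, excluded-ip-address) and flags gateways
or excluded ranges that are not inside the pool's network, or excluded
ranges whose end precedes their start. SAMPLE_POOLS is constructed and
deliberately contains two copy-paste errors (vlan40 and vlan101).
"""
import ipaddress
import re

SAMPLE_POOLS = """\
ip pool vlan30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 excluded-ip-address 192.168.30.246 192.168.30.253
 lease day 0 hour 3 minute 0
 dns-list 172.16.1.200
#
ip pool vlan40
 gateway-list 192.168.40.254
 network 192.168.40.0 mask 255.255.255.0
 excluded-ip-address 192.168.30.246 192.168.30.253
 dns-list 172.16.1.200
#
ip pool vlan101
 gateway-list 192.168.101.254
 network 192.168.101.0 mask 255.255.255.0
 excluded-ip-address 192.168.101.246 192.168.20.101
 dns-list 172.16.1.200
"""


def parse_pools(text):
    """Return {pool_name: {"network": IPv4Network, "gateways": [...], "excluded": [(start, end), ...]}}."""
    pools = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"ip pool (\S+)", line)
        if m:
            current = pools.setdefault(m.group(1), {"network": None, "gateways": [], "excluded": []})
            continue
        if current is None:
            continue  # statements outside any pool are not our concern here
        m = re.match(r"network (\S+) mask (\S+)", line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            current["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"gateway-list (.+)", line)
        if m:
            current["gateways"] += [ipaddress.ip_address(a) for a in m.group(1).split()]
            continue
        m = re.match(r"excluded-ip-address (\S+)(?: (\S+))?", line)
        if m:
            start = ipaddress.ip_address(m.group(1))
            end = ipaddress.ip_address(m.group(2) or m.group(1))  # single address form
            current["excluded"].append((start, end))
    return pools


def check_pools(pools):
    """Return a list of (pool_name, problem) tuples; an empty list means every pool is consistent."""
    problems = []
    for name, pool in pools.items():
        net = pool["network"]
        if net is None:
            problems.append((name, "no network statement"))
            continue
        for gw in pool["gateways"]:
            if gw not in net:
                problems.append((name, f"gateway {gw} not in {net}"))
        for start, end in pool["excluded"]:
            if start not in net or end not in net:
                problems.append((name, f"excluded range {start}-{end} not in {net}"))
            elif end < start:
                problems.append((name, f"excluded range {start}-{end} ends before it starts"))
    return problems


if __name__ == "__main__":
    for pool_name, problem in check_pools(parse_pools(SAMPLE_POOLS)):
        print(f"{pool_name}: {problem}")
```

Run it against a pasted `display current-configuration | section ip pool` dump; only the `network`, `gateway-list` and `excluded-ip-address` lines are interpreted, the lease, DNS and option lines are ignored.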
Configure an Eth-Trunk in LACP mode between SW1 and SW2
# same configuration on SW1 and SW2
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
Configure MSTP and VRRP
- On SW1 to SW6, enable MSTP and map the VLANs to two instances, so that SW1 can be made the root bridge for VLAN 10, 30, 100 and 101 and SW2 the root bridge for VLAN 20, 40 and 102. Key configuration:
# same configuration on SW1 to SW6
stp region-configuration
region-name gzs
instance 1 vlan 10 30 100 to 101
instance 2 vlan 20 40 102
active region-configuration
MSTP, defined in IEEE 802.1s, combines STP with VLANs: it keeps RSTP's fast port-role transitions and removes the RSTP limitation that every VLAN must run on the same spanning tree. The region configuration above only maps VLANs to instances; the root bridge of each instance is chosen separately with `stp instance <n> root primary`, i.e. instance 1 on SW1, instance 2 on SW2, and instance 0 on SW1 so that SW1 is also the root of the default instance as required. The region name, revision level and VLAN-to-instance mapping must be identical on all six switches, otherwise they end up in different MST regions and the per-instance roots are not honoured across the region boundary.
- Configure VRRP for each VLAN
# SW1 configuration
interface Vlanif10
ip address 192.168.10.251 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
vrrp vrid 10 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
#
interface Vlanif20
ip address 192.168.20.251 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
#
interface Vlanif30
ip address 192.168.30.251 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
vrrp vrid 30 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
#
interface Vlanif40
ip address 192.168.40.251 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
vrrp vrid 100 virtual-ip 192.168.100.254
vrrp vrid 100 priority 120
vrrp vrid 100 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
#
interface Vlanif101
ip address 192.168.101.251 255.255.255.0
vrrp vrid 101 virtual-ip 192.168.101.254
vrrp vrid 101 priority 120
vrrp vrid 101 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
#
interface Vlanif102
ip address 192.168.102.251 255.255.255.0
vrrp vrid 102 virtual-ip 192.168.102.254
vrrp vrid 102 preempt-mode timer delay 20
dhcp select relay
dhcp relay server-ip 192.168.11.253
- The priority value decides which switch becomes master of the virtual router: the higher value wins and the default is 100. Giving SW1 priority 120 for VLAN 10, 30, 100 and 101 makes SW1 the master, and therefore the gateway, for those VLANs. SW2 is configured in the same way except for the priority values: give SW2 priority 120 for VLAN 20, 40 and 102 so that it is master there. `preempt-mode timer delay 20` lets the higher-priority switch take the master role back after it recovers, but only after 20 seconds, which gives its uplinks and OSPF adjacencies time to come up so that the gateway does not move to a switch that cannot yet forward.
`dhcp select relay` enables DHCP relay on the interface and `dhcp relay server-ip` names the DHCP server the requests are forwarded to; `dhcp enable` must be run in the system view first.
VRRP (Virtual Router Redundancy Protocol) provides router redundancy and failover on a LAN. Several routers share one virtual IP address; when the master fails, a backup takes over the address and keeps serving the network, which gives the gateway high availability.
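Requirements 5 to 10 deliberately pin the root bridge and the gateway of each VLAN to the same switch; if the two roles land on different switches, every frame to the gateway crosses the Eth-Trunk on the way. The Python below is an added example, not code from the original post: it builds the VRRP priority table the way SW1 and SW2 are configured above, runs the VRRP election (highest priority wins, a tie goes to the higher interface address), and reports every VLAN whose VRRP master differs from the MSTP root of its instance. The interface addresses are simplified to .251 on SW1 and .252 on SW2 (the SW2 addresses are assumed, the post shows only SW1, and SW1's Vlanif100 actually uses .1), and the `root` field stands for the switch configured with `stp instance <n> root primary`. The second input reproduces the mistake of copying SW1's configuration to SW2 without changing the priorities.

```python
"""Check that the VRRP master of every VLAN is also the MSTP root of that VLAN's instance.

Added example, not part of the original post. Inputs are constructed from
the requirement list; SW2's Vlanif addresses (.252) are assumed.
"""
import ipaddress

VRRP_DEFAULT_PRIORITY = 100
ALL_VLANS = [10, 20, 30, 40, 100, 101, 102]

# MSTP instance -> VLANs mapped to it and the switch configured as `root primary` for it
MSTP = {
    1: {"vlans": [10, 30, 100, 101], "root": "SW1"},
    2: {"vlans": [20, 40, 102], "root": "SW2"},
}


def vrrp_config(sw1_high, sw2_high):
    """Build {switch: {vlan: (priority, interface address)}}.

    sw1_high / sw2_high are the VLANs given priority 120 on each switch;
    every other VLAN keeps the default 100.
    """
    cfg = {"SW1": {}, "SW2": {}}
    for vlan in ALL_VLANS:
        cfg["SW1"][vlan] = (120 if vlan in sw1_high else VRRP_DEFAULT_PRIORITY, f"192.168.{vlan}.251")
        cfg["SW2"][vlan] = (120 if vlan in sw2_high else VRRP_DEFAULT_PRIORITY, f"192.168.{vlan}.252")
    return cfg


def elect_master(vlan, cfg):
    """VRRP election: highest priority wins; on a tie the higher interface address wins."""
    return max(cfg, key=lambda sw: (cfg[sw][vlan][0], ipaddress.ip_address(cfg[sw][vlan][1])))


def misaligned(cfg, mstp=MSTP):
    """Return [(vlan, vrrp_master, mstp_root)] for every VLAN whose two roles differ."""
    out = []
    for inst in mstp.values():
        for vlan in inst["vlans"]:
            master = elect_master(vlan, cfg)
            if master != inst["root"]:
                out.append((vlan, master, inst["root"]))
    return out


if __name__ == "__main__":
    intended = vrrp_config({10, 30, 100, 101}, {20, 40, 102})
    print("as required:", misaligned(intended))
    # SW1's config pasted onto SW2 without changing the priorities
    copied = vrrp_config({10, 30, 100, 101}, {10, 30, 100, 101})
    print("priorities copied verbatim:", misaligned(copied))
```

With identical priorities the tie-break alone decides, and here it silently favours SW2 because .252 is the higher address; do not rely on that, set 120 explicitly on the switch that is also the instance root.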
Enable OSPF on R1, R2, SW1 and SW2
Enable OSPF on R1, R2, SW1 and SW2 and have R1 and R2 inject their default routes into OSPF. As shown, both routers advertise the default with the same cost, so SW1 and SW2 see two equal-cost defaults and load-share over them; to make R1 the preferred exit as requirement 12 asks, advertise R2's default with a higher cost using the `cost` keyword of `default-route-advertise`. Key configuration:
#R1
ospf 10 router-id 1.1.1.1
default-route-advertise always
import-route direct
import-route static
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.11.11.0 0.0.0.3
network 10.21.21.0 0.0.0.3
#R2
ospf 10 router-id 2.2.2.2
default-route-advertise always
import-route direct
import-route static
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.12.12.0 0.0.0.3
network 10.22.22.0 0.0.0.3
The network segments also need to be advertised on SW1 and SW2. Key configuration:
#SW1
ospf 10 router-id 3.3.3.3
area 0.0.0.0
network 10.11.11.0 0.0.0.3
network 10.12.12.0 0.0.0.3
network 3.3.3.3 0.0.0.0
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.11
network 192.168.11.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.100
network 192.168.100.0 0.0.0.255
area 0.0.0.101
network 192.168.101.0 0.0.0.255
area 0.0.0.102
network 192.168.102.0 0.0.0.255
#SW2
ospf 10 router-id 4.4.4.4
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.21.21.0 0.0.0.3
network 10.22.22.0 0.0.0.3
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
area 0.0.0.22
network 192.168.22.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
area 0.0.0.40
network 192.168.40.0 0.0.0.255
area 0.0.0.101
network 192.168.101.0 0.0.0.255
area 0.0.0.102
network 192.168.102.0 0.0.0.255
Configure routes so that the whole network is reachable
Configure a return route on DHCP_SERVER:
ip route-static 0.0.0.0 0.0.0.0 192.168.11.254
Configure a default route on SW3 to SW6:
ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
Configure a default route on R1 and R2:
#R1
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#R2
ip route-static 0.0.0.0 0.0.0.0 10.2.2.2
Configure the following routes on the firewall:
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
ip route-static 192.168.0.0 255.255.192.0 10.1.1.1 preference 10
ip route-static 192.168.0.0 255.255.192.0 10.2.2.1
ip route-static 192.168.100.0 255.255.252.0 10.1.1.1 preference 10
ip route-static 192.168.100.0 255.255.252.0 10.2.2.1
preference decides which of several routes to the same destination is used: the lower value wins and a Huawei static route defaults to 60, so with preference 10 the paths via 10.1.1.1 (R1) are preferred and the routes via 10.2.2.1 (R2) are only installed when the preferred ones disappear, which satisfies requirement 13. 192.168.0.0/18 (mask 255.255.192.0) covers 192.168.0.0 to 192.168.63.255, i.e. the user VLANs 10 to 40 plus the 192.168.11.0 and 192.168.22.0 segments; 192.168.100.0/22 (mask 255.255.252.0) covers 192.168.100.0 to 192.168.103.255, i.e. VLAN 100 to 102. Note that a static route is only withdrawn when its next hop becomes unreachable on the connected link: if R1 stays up but loses its links to SW1 and SW2, the firewall keeps sending inbound traffic to R1, so in production track these routes with BFD or a similar mechanism.
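The firewall's route selection, as an added example that is not part of the original post: a Python lookup over the five static routes above that applies longest-prefix match first and Huawei preference second (lower wins; the default static preference of 60 is assumed for the routes without an explicit value), plus a `withdraw` helper that simulates R1 disappearing. It shows which aggregate each internal address falls into, that addresses outside the two aggregates leak out via the default route, and which next hop inbound traffic takes once the preference-10 routes are gone.

```python
"""Longest-prefix match with Huawei-style preference over the FW static routes.

Added example, not part of the original post. The route entries are the
ones configured on FW above; a preference of 60 is assumed where the
configuration gives none (the VRP default for static routes).
"""
import ipaddress

DEFAULT_STATIC_PREFERENCE = 60

# (destination/mask, next hop, preference) as configured on FW
FW_ROUTES = [
    ("0.0.0.0/0", "202.1.1.2", DEFAULT_STATIC_PREFERENCE),
    ("192.168.0.0/255.255.192.0", "10.1.1.1", 10),
    ("192.168.0.0/255.255.192.0", "10.2.2.1", DEFAULT_STATIC_PREFERENCE),
    ("192.168.100.0/255.255.252.0", "10.1.1.1", 10),
    ("192.168.100.0/255.255.252.0", "10.2.2.1", DEFAULT_STATIC_PREFERENCE),
]


def build_rib(routes):
    """Parse the textual routes into (IPv4Network, next hop, preference) tuples."""
    return [(ipaddress.ip_network(prefix, strict=False), nh, pref) for prefix, nh, pref in routes]


def lookup(rib, dst):
    """Return the next hop for dst: the longest matching prefix, then the lowest preference."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, nh, pref) for net, nh, pref in rib if addr in net]
    if not candidates:
        return None
    best = min(candidates, key=lambda c: (-c[0].prefixlen, c[2]))
    return best[1]


def withdraw(rib, next_hop):
    """Simulate a next hop going away: every route via it leaves the table."""
    return [route for route in rib if route[1] != next_hop]


if __name__ == "__main__":
    rib = build_rib(FW_ROUTES)
    for dst in ["192.168.10.5", "192.168.22.22", "192.168.101.7", "192.168.64.1", "8.8.8.8"]:
        print(f"{dst:>15} -> {lookup(rib, dst)}   after R1 fails -> {lookup(withdraw(rib, '10.1.1.1'), dst)}")
```

192.168.64.1 is the interesting case: it is not inside either aggregate, so the firewall would send it to the Internet next hop; any new VLAN numbered outside 0 to 63 or 100 to 103 needs its own route or a wider aggregate.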
Configure a default route on the AC:
ip route-static 0.0.0.0 0.0.0.0 192.168.22.254
Configure the AC and push the configuration to the APs
vlan batch 22
#
vlan pool vlan101
vlan 101
vlan pool vlan102
vlan 102
#
interface Vlanif22
ip address 192.168.22.22 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 22
#
capwap source interface vlanif22 #CAPWAP source interface the APs register to
#
regulatory-domain-profile name cfig
country-code CN #country code
#
ap-group name bg #create the AP groups
regulatory-domain-profile cfig
ap-group name guest
regulatory-domain-profile cfig
#AP onboarding: authenticate APs by MAC address
ap authentication-mode mac
ap-id 1 type-id 56 ap-mac 00e0-fcca-4f90 ap-sn 210235448310A8025C2D
ap-name GUEST
ap-group guest
ap-id 2 type-id 56 ap-mac 00e0-fc25-1100 ap-sn 210235448310383BD072
ap-name BanGong
ap-group bg
#
security-profile name bg #security profile for the office area
security wpa2 psk pass-phrase 1234@abcd aes #office Wi-Fi passphrase is 1234@abcd (lab value; use a long random passphrase in production)
security-profile name guest #security profile for the guest area
security wpa2 psk pass-phrase abcd@1234 aes #guest Wi-Fi passphrase is abcd@1234
#
ssid-profile name bg #SSID profiles carry the Wi-Fi names
ssid BanGong #office SSID is "BanGong"
ssid-profile name guest
ssid guest #guest SSID is "guest"
#
vap-profile name bg #VAP profiles bind the service VLAN, SSID profile and security profile together
service-vlan vlan-pool vlan102
ssid-profile bg
security-profile bg
vap-profile name guest
service-vlan vlan-pool vlan101
ssid-profile guest
security-profile guest
#
ap-group name bg #bind the VAP to both radios of the APs in group 'bg' so that they broadcast the SSID
vap-profile bg wlan 1 radio 0
vap-profile bg wlan 1 radio 1
ap-group name guest #the same for group 'guest'
vap-profile guest wlan 1 radio 0
vap-profile guest wlan 1 radio 1
Open the firewall policies
- Assignment of the interfaces to security zones
- The internal network can reach the DMZ servers
security-policy
rule name t->dmz
source-zone trust
destination-zone dmz
action permit
- The FTP server in the DMZ provides FTP service to Internet users. The nat server entry below publishes inside 172.16.1.100 port 21 (ftp) on global 202.1.1.4 port 2121; `no-reverse` makes the mapping inbound-only, so connections the server itself opens outwards are not translated to 202.1.1.4. Two things to check: the security policy is evaluated after the NAT Server translation, so if you later add a `destination-address` condition to `ut->dmz` it must name 172.16.1.100, not 202.1.1.4; and because the public port is 2121 rather than 21, the firewall's FTP ALG must also inspect port 2121, otherwise passive-mode data connections are never opened (the symptom is a control connection that logs in but hangs on a directory listing).
nat server ut->dmzftp protocol tcp global 202.1.1.4 2121 inside 172.16.1.100 ftp no-reverse
rule name ut->dmz
source-zone untrust
destination-zone dmz
service ftp
action permit
- Configure Easy IP on the FW so that internal users can access the Internet.
rule name tr->untr
source-zone trust
destination-zone untrust
action permit
nat-policy
rule name t->ut
source-zone trust
destination-zone untrust
action source-nat easy-ip
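The order in which the firewall handles an Internet client hitting the published FTP server, as an added example that is not part of the original post: on the USG the NAT Server (destination NAT) is applied before the security policy is looked up, so the `ut->dmz` rule is matched against the translated destination 172.16.1.100 in zone dmz, not against 202.1.1.4. Zone membership is an assumption (the post shows it only as a figure): trust holds the internal 192.168.x networks, dmz holds 172.16.1.0/24 and untrust is everything else. The policy rules and the nat server mapping are the ones configured above; the predefined service `ftp` is tcp/21.

```python
"""Model FW packet handling: NAT Server first, then first-match security policy.

Added example, not part of the original post. Zone table is constructed;
policies and the nat server mapping mirror the FW configuration above.
"""
import ipaddress

# Constructed zone table: the most specific matching prefix decides the zone.
ZONES = {
    "trust": ["192.168.0.0/18", "192.168.100.0/22"],
    "dmz": ["172.16.1.0/24"],
    "untrust": ["0.0.0.0/0"],
}

# nat server ut->dmzftp protocol tcp global 202.1.1.4 2121 inside 172.16.1.100 ftp no-reverse
NAT_SERVERS = [("tcp", "202.1.1.4", 2121, "172.16.1.100", 21)]

# security-policy rules in configured order; anything unmatched hits the implicit deny.
# service None means any service; the predefined service ftp is tcp/21.
POLICIES = [
    {"name": "t->dmz", "src": "trust", "dst": "dmz", "service": None},
    {"name": "ut->dmz", "src": "untrust", "dst": "dmz", "service": ("tcp", 21)},
    {"name": "tr->untr", "src": "trust", "dst": "untrust", "service": None},
]


def zone_of(ip):
    """Return the zone whose most specific prefix contains ip."""
    addr = ipaddress.ip_address(ip)
    best_zone, best_len = None, -1
    for zone, prefixes in ZONES.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone


def nat_server(proto, dst_ip, dst_port):
    """Apply the nat server mapping; traffic that does not match keeps its destination."""
    for p, global_ip, global_port, inside_ip, inside_port in NAT_SERVERS:
        if (p, global_ip, global_port) == (proto, dst_ip, dst_port):
            return inside_ip, inside_port
    return dst_ip, dst_port


def process(src_ip, dst_ip, dst_port, proto="tcp"):
    """Return (name of the permitting rule or None, destination after NAT)."""
    real_ip, real_port = nat_server(proto, dst_ip, dst_port)      # destination NAT first
    src_zone, dst_zone = zone_of(src_ip), zone_of(real_ip)        # zones from the post-NAT destination
    for rule in POLICIES:                                         # first match wins
        if (rule["src"], rule["dst"]) != (src_zone, dst_zone):
            continue
        if rule["service"] is not None and rule["service"] != (proto, real_port):
            continue
        return rule["name"], (real_ip, real_port)
    return None, (real_ip, real_port)


if __name__ == "__main__":
    samples = [  # constructed packets: (src, dst, dport[, proto])
        ("8.8.8.8", "202.1.1.4", 2121),
        ("8.8.8.8", "202.1.1.4", 21),
        ("192.168.10.5", "172.16.1.200", 53, "udp"),
        ("192.168.101.7", "8.8.8.8", 443),
    ]
    for pkt in samples:
        print(pkt, "->", process(*pkt))
```

The second sample shows why port 2121 is the only way in: a connection to 202.1.1.4:21 is not translated, its destination stays in untrust, and no rule permits untrust to untrust. The third shows the trust-to-dmz rule carrying the DNS traffic that requirement 17 needs.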
Verification
After completing the above configuration, the whole topology looks as follows:
- Computers on the internal network obtain an IP address correctly and can reach the Internet
- Wireless devices obtain an IP address correctly and can reach the FTP server
- Verify that the DNS server resolves names correctly.
- First add the domain names to be resolved on the DNS server, as follows: