綜合項(xiàng)目配置方案.doc

技術(shù)關(guān)鍵詞Vlan、VTP、VRRP、MST、NTP、DHCP、OSPF、ACL、NAT、VPN1、Vlan信息Vlan ID網(wǎng)絡(luò)地址名 稱描 述1/24-本地vlan2/24glb管理部3/24cwb財(cái)務(wù)部4/24xsb銷售部5/24cgb采購(gòu)部6/24zzb制造部7/24xxzx信息中心127/24Srv服務(wù)器組2、VTP 信息設(shè)備名稱DomainPrunningPasswordMode3550-S-1BenetEnable123Server3550-S-2BenetEnable123Server2950-S-1BenetEnable123Client2950-S-2BenetEnable123Client2950-S-3BenetEnable123Client2950-S-4BenetEnable123Client3、設(shè)備IP 地址分配設(shè)備名稱接口IP地址描述位置BJ-R-1F0/0/24網(wǎng)通WANBJF0/1/24電信WANBJF0/254/24-BJF0/354/24-BJ3550-S-1F0/0/243L-SwitchBJ3550-S-2F0/0/243L-SwitchBJGZ-R-1F0/00/24電信WANGZF0/154/24-GZQD-R-1F0/00/24網(wǎng)通WANQDF0/154/24-QD4、DHCP信息名稱IP地址池默認(rèn)網(wǎng)關(guān)默認(rèn)DNS描述Glb-vlan20 2005管理部Cwb-vlan30 2005財(cái)務(wù)部Xsb-vlan40 2005銷售部Cgb-vlan50 2005采購(gòu)部Zzb-vlan60 2005制造部Xxzx-vlan70 2005信息中心5、VRRP信息SVI接口組優(yōu)先級(jí)狀態(tài)IPHSRP IP設(shè)備Vlan11200Active543550-S-1Vlan22200Active543550-S-1Vlan33200Active543550-S-1Vlan44100Standby543550-S-1Vlan55100Standby543550-S-1Vlan66100Standby543550-S-1Vlan77100Standby543550-S-1Vlan127127100Standby543550-S-1Vlan11100Standby543550-S-2Vlan22100Standby543550-S-2Vlan33100Standby543550-S-2Vlan44200Active543550-S-2Vlan55200Active543550-S-2Vlan66200Active543550-S-2Vlan76100Active543550-S-2Vlan127127200Active543550-S-26、MST 信息Mst-1：vlan1、vlan2管理部、vlan3財(cái)務(wù)部Mst-2：vlan4銷售部、vlan5采購(gòu)部Mst-3：vlan6制造部、vlan7信息中心Mst-4：vlan127服務(wù)器組 負(fù)載均衡mst-1 mst -2 根網(wǎng)橋3550-S-1mst-3 mst -4 根網(wǎng)橋3550-S-2 交換機(jī)、路由器詳細(xì)配置1 IP地址設(shè)置 北京BJ-R-1（config）# int F0/0BJ-R-1 (config-if)#ip add BJ-R-1 (config-if)#no shutdown- BJ-R-1（config）# int F0/1BJ-R-1 (config-if)#ip add BJ-R-1 (config-if)#no shutdown-BJ-R-1（config）# int f0/2BJ-R-1 (config-if)#ipadd 54 BJ-R-1 (config-if)#no shutdown-BJ-R-1（config）# int f0/3BJ-R-1 (config-if)#ipadd 54 BJ-R-1 (config-if)#no shutdown3550-S-1 (config) # int vlan 1 3550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 23550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 33550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 43550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 53550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 63550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 73550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 1273550-S-1 (config-if) # ip add 3550-S-2 (config) # int vlan 1 3550-S-2 (config-if) # ip add 3550-S-2 (config-if) # int vlan 23550-S-2 (config-if) # ip add (略) 廣州GZ-R-1（config）# int F0/0GZ-R-1 (config-if) # ip add 定義WAN口GZ-R-1 (config-if) # no shutdownGZ-R-1（config）# int F0/1GZ-R-1 (config-if) # ip add 54 定義LAN口GZ-R-1 (config-if) # no shutdown- 青島QD-R-1（config）# int F0/0QD-R-1 (config-if) # ip add 定義WAN口QD-R-1 (config-if) # no shutdownQD-R-1（config）# int f0/0QD-R-1 (config-if) # ip add 54 . .定義LAN口QD-R-1 (config-if) # no shutdown2 VTP配置3550-S-1（config）# vlan database vlan數(shù)據(jù)庫(kù)模式3550-S-1 (vlan) # vtp domain benet3550-S-1 (vlan) # vtp server 服務(wù)器模式3550-S-1 (vlan) # vtp password 123 3550-S-1 (vlan) # vtp pruning 啟用修剪按部門(mén)劃分vlan3550-S-1 (vlan) # vlan 2 name glb 管理部3550-S-1 (vlan) # vlan 3 name cwb 財(cái)務(wù)部3550-S-1 (vlan) # vlan 4 name xsb 銷售部3550-S-1 (vlan) # vlan 5 name cgb 采購(gòu)部3550-S-1 (vlan) # vlan 6 name zzb 制造部3550-S-1 (vlan) # vlan 7 name xxzx 信息中心3550-S-1 (vlan) # vlan 127 name svr 服務(wù)器組-3550-S-2 (config) # vlan database vlan數(shù)據(jù)庫(kù)模式3550-S-2 (vlan) # vtp domain benet3550-S-2 (vlan) # vtp server3550-S-2 (vlan) # vtp password 123-2950-S-1 (vlan) #vtp domain benet 2950-S-1 (vlan) #vtp tran 透明模式(配置修改編號(hào)清零操作)2950-S-1 (vlan) #vtp client 客戶模式2950-S-1 (vlan) #vtp password 1232950-S-2 (vlan) #vtp domain benet 2950-S-2 (vlan) #vtp tran 透明模式(配置修改編號(hào)清零操作)2950-S-2 (vlan) #vtp client 客戶模式2950-S-2 (vlan) #vtp password 1232950-S-3 (vlan) #vtp domain benet 2950-S-3 (vlan) #vtp tran 透明模式(配置修改編號(hào)清零操作)2950-S-3 (vlan) #vtp client 客戶模式2950-S-3 (vlan) #vtp password 1232950-S-4 (vlan) #vtp domain benet 2950-S-4 (vlan) #vtp tran 透明模式(配置修改編號(hào)清零操作)2950-S-4 (vlan) #vtp client 客戶模式2950-S-4 (vlan) #vtp password 1233 MST多生成樹(shù)配置3550-S-1 (config) # int vlan 13550-S-1 (config) # spanning-tree mode mst 啟用mst3550-S-1 (config) #spanning-tree mst configuration 進(jìn)入mst配置3550-S-1 (config-mst) #name mst 命名為mst3550-S-1 (config-mst) #instance 1 vlan 1-3 定義實(shí)例3550-S-1 (config-mst) #instance 2 vlan 4-53550-S-1 (config-mst) #instance 3 vlan 6-73550-S-1 (config-mst) #instance 4 vlan 1273550-S-1 (config-mst) #revision 1 配置版本號(hào)3550-S-1 (config-mst) # spanning-tree mst 1 root primary為根交換機(jī)3550-S-1 (config-mst) # spanning-tree mst 2 root primary3550-S-1 (config-mst) # spanning-tree mst 3 root secordary 3550-S-1 (config-mst) # spanning-tree mst 4 root secordary 為次根交換機(jī)3550-S-2 (config) # spanning-tree mode mst 啟用mst3550-S-2 (config) #spanning-tree mst configuration進(jìn)入mst配置3550-S-2 (config-mst) #name mst 命名為mst3550-S-2 (config-mst) #instance 1 vlan 1-33550-S-2 (config-mst) #instance 2 vlan 4-53550-S-2 (config-mst) #instance 3 vlan 6-73550-S-2 (config-mst) #instance 4 vlan 1273550-S-2 (config-mst) #revision 1配置版本號(hào)3550-S-2 (config-mst) # spanning-tree mst 4 root primary 為根交換機(jī)3550-S-2 (config-mst) # spanning-tree mst 3 root primary3550-S-2 (config-mst) # spanning-tree mst 2 root secordary3550-S-2 (config-mst) # spanning-tree mst 1 root secordary 為次根交換機(jī)4 VRRP虛擬路由冗作協(xié)議優(yōu)先級(jí)3550-S-1 (config) # int vlan 13550-S-1 (config-if) # vrrp 1 pri 200 3550-S-1 (config) # int vlan 23550-S-1 (config-if) # vrrp 2 pri 2003550-S-1 (config) # int vlan 33550-S-1 (config-if) # vrrp 3 pri 200(略)3550-S-2 (config) # int vlan 13550-S-2 (config-if) # vrrp 1 pri 100 3550-S-2 (config) # int vlan 23550-S-2 (config-if) # vrrp 2 pri 1003550-S-2 (config) # int vlan 33550-S-2 (config-if) # vrrp 3 pri 100(略)加入vrrp組,占先權(quán)，跟蹤端口3550-S-2 (config) # int vlan 13550-S-2 (config) # track 1 interface f0/1定義跟蹤編號(hào)3550-S-2 (config-if) # vrrp 1 ip 54 3550-S-2 (config-if) # vrrp 1 preempt 占先權(quán)3550-S-2 (config-if) # vrrp 1 authentication text cisco 明文認(rèn)證3550-S-2 (config-if) # vrrp 1 track 1 decrement 150端口跟蹤 3550-S-2 (config) # int vlan 23550-S-2 (config-if) # vrrp 2 ip 543550-S-2 (config-if) # vrrp 2 preempt 占先權(quán)3550-S-2 (config-if) # vrrp 2 track 1 decrement 150端口跟蹤3550-S-2 (config) # int vlan 33550-S-2 (config-if) # vrrp 3 ip 543550-S-2 (config-if) # vrrp 3 preempt 占先權(quán)3550-S-2 (config-if) # vrrp 3 track 1 decrement 150 (略)3550-S-2 (config) # int vlan 13550-S-2 (config) #track 1 interface f0/1 定義跟蹤編號(hào)3550-S-2 (config-if) vrrp 1 ip 54 3550-S-2 (config-if) # vrrp 1 preempt 占先權(quán)3550-S-2 (config-if) # vrrp 1 authentication text cisco明文認(rèn)證3550-S-2 (config-if) # vrrp 1 track 1 decrement 150端口跟蹤3550-S-2 (config) # int vlan 23550-S-2 (config-if) # standby 2 ip 543550-S-2 (config-if) # standby 2 preempt 占先權(quán)3550-S-2 (config-if) # standby 2 track 1 decrement 150 端口跟蹤3550-S-2 (config) # int vlan 33550-S-2 (config-if) # standby 3 ip 543550-S-2 (config-if) # standby 3 preempt 占先權(quán)3550-S-2 (config-if) # standby 3 track 1 decrement 150 端口跟蹤(略)5 以太網(wǎng)通道(優(yōu)化流量)3550-S-1 (config) # int f0/23 3550-S-1 (config-if) #switchport mode trunk 永久中繼模式3550-S-1 (config) # int f0/243550-S-1 (config-if) #switchport mode trunk 永久中繼模式3550-S-1 (config) #port-channel load-balance src-dst-mac 基于源和目標(biāo)MAC負(fù)載均衡3550-S-1 (config) # int range f0/23 -243550-S-1 (if-range) # channel-group 1 mode on3550-S-1 (if-range) # no sh 激活端口3550-S-2 (config) # int f0/23 3550-S-2 (config-if) #switchport mode trunk3550-S-2 (config) # int f0/243550-S-2 (config-if) #switchport mode trunk3550-S-2 (config) # int range f0/23 -243550-S-2 (config) #port-channel load-balance src-dst-mac 基于源和目標(biāo)MAC負(fù)載均衡3550-S-2 (if-range) # channel-group 1 mode on3550-S-2 (if-range) # no sh-2950-S-4 (config) # int f0/23 2950-S-4 (config-if) #switchport mode trunk2950-S-4 (config) # int f0/242950-S-4 (config-if) #switchport mode trunk2950-S-4 (config) # int range f0/23 -242950-S-4 (config) #port-channel load-balance src-dst-mac 基于源和目標(biāo)MAC負(fù)載均衡2950-S-4 (config) # int range f0/23 -242950-S-4(if-range) # channel-group 2 mode on2950-S-4 (if-range) # no sh.激活端口3550-S-1 (config) # int f0/8 3550-S-1 (config-if) #switchport mode trunk3550-S-1 (config) # int f0/93550-S-1 (config-if) #switchport mode trunk3550-S-1 (config) # int range f0/8 -93550-S-1 (config) #port-channel load-balance src-dst-mac 基于源和目標(biāo)MAC負(fù)載均衡3550-S-1(if-range) # channel-group 2 mode on3550-S-1 (if-range) # no sh(略)6 DHCP配置3550-S-1 (config) # ip dhcp pool vlan2-glb 管理部 3550-S-1 (dhcp-config) # network 地址池范圍3550-S-1 (config) # ip dhcp excluded-address 0保留3550-S-1 (config) # ip dhcp excluded-address 01 543550-S-1 (dhcp-config) # lease 5租約為5天3550-S-1 (dhcp-config) # dns-server DNS服務(wù)器3550-S-1 (config) # default-router 54默認(rèn)網(wǎng)關(guān)3550-S-1 (config) # ip dhcp pool vlan3-cwb 財(cái)務(wù)部 3550-S-1 (dhcp-config) # network 地址池范圍3550-S-1 (dhcp-config) # ip dhcp excluded-address 0保留3550-S-1 (dhcp-config) # ip dhcp excluded-address 01 543550-S-1 (dhcp-config) # lease 5租約為5天3550-S-1 (dhcp-config) # dns-server DNS服務(wù)器3550-S-1 (dhcp-config) # default-router 54默認(rèn)網(wǎng)關(guān)(略)7 NTP配置將BJ-R-1設(shè)為NTP服務(wù)器,其余作NTP客戶端,實(shí)現(xiàn)全網(wǎng)設(shè)備時(shí)鐘同步BJ-R-1（config）# ntp master BJ-R-1（config）# clock set 10:00:00 seq 2007 設(shè)置時(shí)鐘BJ-R-1（config）# ntp authenticate 啟用ntp認(rèn)證 BJ-R-1（config）# ntp trusted-key 1BJ-R-1（config）# ntp authentication-key 1 md5 benet3550-S-1 (config) # ntp server 543550-S-1（config）# ntp authenticate 啟用ntp認(rèn)證3550-S-1（config）# ntp authentication-key 1 md5 benet3550-S-2 (config) # ntp server 543550-S-2（config）# ntp authenticate 啟用ntp認(rèn)證BJ-R-1（config）# ntp trusted-key 13550-S-2（config）# ntp authentication-key 1 md5 benet(略)8 路由、NAT配置 北京總部-ospfBJ-R-1（config）# router ospf 1BJ-R-1（config-router）# network area 0BJ-R-1（config-router）# network area 0BJ-R-1（config-router）# area 0 authentication message-digest啟用MD5認(rèn)證BJ-R-1（config）# interface f0/2BJ-R-1（config-if）# ip ospf message-digest-key 1 md5 benet-md5定義密鑰BJ-R-1（config）# interface f0/3BJ-R-1（config-if）# ip ospf message-digest-key 1 md5 benet-md5定義密鑰BJ-R-1（config-router）# default-information orig 分發(fā)缺省路由tub3550-S-1 (config) # int f0/03550-S-1 (config) # no switchport打開(kāi)路由端口3550-S-1 (config) # network area 03550-S-1 (config) # area 0 authentication message-digest3550-S-1 (config) # interface f0/03550-S-1 (config) # ip ospf message-digest-key 1 md5 benet-md53550-S-2 (config) # int f0/0 3550-S-2 (config) # no switchport3550-S-2 (config) # router ospf 13550-S-2 (config) # network area 0使用路由策略優(yōu)化網(wǎng)絡(luò)流量: 1).內(nèi)部用戶訪問(wèn)網(wǎng)通ISP資源，流量從f0/0出站，當(dāng)訪問(wèn)電信ISP資源，流量從f0/1出站2).從不同ISP網(wǎng)絡(luò)上所來(lái)的流量，從各自的線路返回網(wǎng)通CNC IP段：、、 (假定)電信CTC IP 段：、、（假定）-關(guān)于電信ip 段ACLBJ-R-1（config)# access-list 101deny ip 5555拒絕青島VPN流量BJ-R-1（config)# access-list 101 deny ip 55 55 拒絕至廣州VPN流量BJ-R-1（config)#access-list 101 permit ip 55 55 允許到達(dá)電信BJ-R-1（config)#access-list 101 permit ip 55 55 允許到達(dá)電信BJ-R-1（config)#access-list 101 permit ip 55 55 允許到達(dá)電信BJ-R-1（config)#access-list 101 permit ip 55 55 允許到達(dá)電信-關(guān)于網(wǎng)通ip 段ACLBJ-R-1（config)#access-list 102 deny ip 55 55 拒絕至青島VPN流量BJ-R-1（config)#access-list 102 deny ip 55 55 拒絕至廣州VPN流量BJ-R-1（config)#access-list 102 permit ip 55 55 允許到達(dá)網(wǎng)通BJ-R-1（config）#access-list 102 permit ip 55 55 允許到達(dá)網(wǎng)通BJ-R-1（config）#access-list 102 permit ip 55 55 允許到達(dá)網(wǎng)通BJ-R-1（config）#access-list 102 permit ip 55 55 允許到達(dá)網(wǎng)通Route-map “電信” permit 10Math ip address 101Match interface f0/1Set ip next-hop int f0/1電信CTCRoute-map “網(wǎng)通” permit 20Math ip address 102Match interface f0/0Set ip next-hop int f0/0網(wǎng)通CNCNAT轉(zhuǎn)換BJ-R-1（config）# ip nat inside source route-map “電信” interface0/1 overloadBJ-R-1（config）# ip nat inside source route-map “網(wǎng)通” interface0/0 overloadBJ-R-1（config）# route-map “CTC” permit 10策略調(diào)用BJ-R-1（config）# match ip address 101BJ-R-1 (config) # set detfaull interface f0/1 默認(rèn)從電信轉(zhuǎn)發(fā)BJ-R-1（config）# route-map “CNC” permit 10 策略調(diào)用BJ-R-1（config）# match ip address 102BJ-R-1（config）# set detfaull interface f0/0默認(rèn)從網(wǎng)通轉(zhuǎn)發(fā)將其他訪問(wèn)列表默認(rèn)f0/1轉(zhuǎn)發(fā)BJ-R-1（config）# route-map “其他” permit 10 策略調(diào)用BJ-R-1（config）# set detfaull interface f0/1將map規(guī)則應(yīng)用到接口:BJ-R-1（config）# interface0/3BJ-R-1（config） ip nat insideBJ-R-1（config-if）#ip policy route-map CTC”將map規(guī)則應(yīng)用到接口:BJ-R-1（config）# interface0/4BJ-R-1（config） ip nat insideBJ-R-1（config-if）#ip policy route-map “CNC”端口映射,發(fā)布FTP web服務(wù)器BJ-R-1（config）# ip nat inside source static tcp 054 eq 80 web服務(wù)器BJ-R-1（config）# ip nat inside source static tcp 054 eq 80BJ-R-1（config）# ip nat inside source static tcp 054 eq 21 ftp服務(wù)器BJ-R-1（config）# ip nat inside source static tcp 054 eq 21 青島辦事處 NATQD-R-1（config）# access-list 101 deny ip any 55 55QD-R-1（config）# access-list 101 deny ip any 55 55QD-R-1（config）# access-list 101 deny ip any 55 55QD-R-1（config）# access-list 101 permit ip any any 應(yīng)用接口：QD-R-1（config）#interface 0/0QD-R-1（config-if）#ip nat outsideQD-R-1（config）#interface 0/1QD-R-1（config-if）#ip nat inside端口復(fù)用：QD-R-1（config）# ip