综合项目配置方案

技术关键词Vlan、VTP、VRRP、MST、NTP、DHCP、OSPF、ACL、NAT、VPN1、Vlan信息Vlan ID网络地址名 称描 述1/24-本地vlan2/24glb管理部3/24cwb财务部4/24xsb销售部5/24cgb采购部6/24zzb制造部7/24xxzx信息中心127/24Srv服务器组2、VTP 信息设备名称DomainPrunningPasswordMode3550-S-1BenetEnable123Server3550-S-2BenetEnable123Server2950-S-1BenetEnable123Client2950-S-2BenetEnable123Client2950-S-3BenetEnable123Client2950-S-4BenetEnable123Client3、设备IP 地址分配设备名称接口IP地址描述位置BJ-R-1F0/0/24网通WANBJF0/1/24电信WANBJF0/254/24-BJF0/354/24-BJ3550-S-1F0/0/243L-SwitchBJ3550-S-2F0/0/243L-SwitchBJGZ-R-1F0/00/24电信WANGZF0/154/24-GZQD-R-1F0/00/24网通WANQDF0/154/24-QD4、DHCP信息名称IP地址池默认网关默认DNS描述Glb-vlan20 2005管理部Cwb-vlan30 2005财务部Xsb-vlan40 2005销售部Cgb-vlan50 2005采购部Zzb-vlan60 2005制造部Xxzx-vlan70 2005信息中心5、VRRP信息SVI接口组优先级状态IPHSRP IP设备Vlan11200Active543550-S-1Vlan22200Active543550-S-1Vlan33200Active543550-S-1Vlan44100Standby543550-S-1Vlan55100Standby543550-S-1Vlan66100Standby543550-S-1Vlan77100Standby543550-S-1Vlan127127100Standby543550-S-1Vlan11100Standby543550-S-2Vlan22100Standby543550-S-2Vlan33100Standby543550-S-2Vlan44200Active543550-S-2Vlan55200Active543550-S-2Vlan66200Active543550-S-2Vlan76100Active543550-S-2Vlan127127200Active543550-S-26、MST 信息Mst-1：vlan1、vlan2管理部、vlan3财务部Mst-2：vlan4销售部、vlan5采购部Mst-3：vlan6制造部、vlan7信息中心Mst-4：vlan127服务器组 负载均衡mst-1 mst -2 根网桥3550-S-1mst-3 mst -4 根网桥3550-S-2 交换机、路由器详细配置1 IP地址设置 北京BJ-R-1（config）# int F0/0BJ-R-1 (config-if)#ip add BJ-R-1 (config-if)#no shutdown- BJ-R-1（config）# int F0/1BJ-R-1 (config-if)#ip add BJ-R-1 (config-if)#no shutdown-BJ-R-1（config）# int f0/2BJ-R-1 (config-if)#ipadd 54 BJ-R-1 (config-if)#no shutdown-BJ-R-1（config）# int f0/3BJ-R-1 (config-if)#ipadd 54 BJ-R-1 (config-if)#no shutdown3550-S-1 (config) # int vlan 1 3550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 23550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 33550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 43550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 53550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 63550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 73550-S-1 (config-if) # ip add 3550-S-1 (config-if) # int vlan 1273550-S-1 (config-if) # ip add 3550-S-2 (config) # int vlan 1 3550-S-2 (config-if) # ip add 3550-S-2 (config-if) # int vlan 23550-S-2 (config-if) # ip add (略) 广州GZ-R-1（config）# int F0/0GZ-R-1 (config-if) # ip add 定义WAN口GZ-R-1 (config-if) # no shutdownGZ-R-1（config）# int F0/1GZ-R-1 (config-if) # ip add 54 定义LAN口GZ-R-1 (config-if) # no shutdown- 青岛QD-R-1（config）# int F0/0QD-R-1 (config-if) # ip add 定义WAN口QD-R-1 (config-if) # no shutdownQD-R-1（config）# int f0/0QD-R-1 (config-if) # ip add 54 . .定义LAN口QD-R-1 (config-if) # no shutdown2 VTP配置3550-S-1（config）# vlan database vlan数据库模式3550-S-1 (vlan) # vtp domain benet3550-S-1 (vlan) # vtp server 服务器模式3550-S-1 (vlan) # vtp password 123 3550-S-1 (vlan) # vtp pruning 启用修剪按部门划分vlan3550-S-1 (vlan) # vlan 2 name glb 管理部3550-S-1 (vlan) # vlan 3 name cwb 财务部3550-S-1 (vlan) # vlan 4 name xsb 销售部3550-S-1 (vlan) # vlan 5 name cgb 采购部3550-S-1 (vlan) # vlan 6 name zzb 制造部3550-S-1 (vlan) # vlan 7 name xxzx 信息中心3550-S-1 (vlan) # vlan 127 name svr 服务器组-3550-S-2 (config) # vlan database vlan数据库模式3550-S-2 (vlan) # vtp domain benet3550-S-2 (vlan) # vtp server3550-S-2 (vlan) # vtp password 123-2950-S-1 (vlan) #vtp domain benet 2950-S-1 (vlan) #vtp tran 透明模式(配置修改编号清零操作)2950-S-1 (vlan) #vtp client 客户模式2950-S-1 (vlan) #vtp password 1232950-S-2 (vlan) #vtp domain benet 2950-S-2 (vlan) #vtp tran 透明模式(配置修改编号清零操作)2950-S-2 (vlan) #vtp client 客户模式2950-S-2 (vlan) #vtp password 1232950-S-3 (vlan) #vtp domain benet 2950-S-3 (vlan) #vtp tran 透明模式(配置修改编号清零操作)2950-S-3 (vlan) #vtp client 客户模式2950-S-3 (vlan) #vtp password 1232950-S-4 (vlan) #vtp domain benet 2950-S-4 (vlan) #vtp tran 透明模式(配置修改编号清零操作)2950-S-4 (vlan) #vtp client 客户模式2950-S-4 (vlan) #vtp password 1233 MST多生成树配置3550-S-1 (config) # int vlan 13550-S-1 (config) # spanning-tree mode mst 启用mst3550-S-1 (config) #spanning-tree mst configuration 进入mst配置3550-S-1 (config-mst) #name mst 命名为mst3550-S-1 (config-mst) #instance 1 vlan 1-3 定义实例3550-S-1 (config-mst) #instance 2 vlan 4-53550-S-1 (config-mst) #instance 3 vlan 6-73550-S-1 (config-mst) #instance 4 vlan 1273550-S-1 (config-mst) #revision 1 配置版本号3550-S-1 (config-mst) # spanning-tree mst 1 root primary为根交换机3550-S-1 (config-mst) # spanning-tree mst 2 root primary3550-S-1 (config-mst) # spanning-tree mst 3 root secordary 3550-S-1 (config-mst) # spanning-tree mst 4 root secordary 为次根交换机3550-S-2 (config) # spanning-tree mode mst 启用mst3550-S-2 (config) #spanning-tree mst configuration进入mst配置3550-S-2 (config-mst) #name mst 命名为mst3550-S-2 (config-mst) #instance 1 vlan 1-33550-S-2 (config-mst) #instance 2 vlan 4-53550-S-2 (config-mst) #instance 3 vlan 6-73550-S-2 (config-mst) #instance 4 vlan 1273550-S-2 (config-mst) #revision 1配置版本号3550-S-2 (config-mst) # spanning-tree mst 4 root primary 为根交换机3550-S-2 (config-mst) # spanning-tree mst 3 root primary3550-S-2 (config-mst) # spanning-tree mst 2 root secordary3550-S-2 (config-mst) # spanning-tree mst 1 root secordary 为次根交换机4 VRRP虚拟路由冗作协议优先级3550-S-1 (config) # int vlan 13550-S-1 (config-if) # vrrp 1 pri 200 3550-S-1 (config) # int vlan 23550-S-1 (config-if) # vrrp 2 pri 2003550-S-1 (config) # int vlan 33550-S-1 (config-if) # vrrp 3 pri 200(略)3550-S-2 (config) # int vlan 13550-S-2 (config-if) # vrrp 1 pri 100 3550-S-2 (config) # int vlan 23550-S-2 (config-if) # vrrp 2 pri 1003550-S-2 (config) # int vlan 33550-S-2 (config-if) # vrrp 3 pri 100(略)加入vrrp组,占先权，跟踪端口3550-S-2 (config) # int vlan 13550-S-2 (config) # track 1 interface f0/1定义跟踪编号3550-S-2 (config-if) # vrrp 1 ip 54 3550-S-2 (config-if) # vrrp 1 preempt 占先权3550-S-2 (config-if) # vrrp 1 authentication text cisco 明文认证3550-S-2 (config-if) # vrrp 1 track 1 decrement 150端口跟踪 3550-S-2 (config) # int vlan 23550-S-2 (config-if) # vrrp 2 ip 543550-S-2 (config-if) # vrrp 2 preempt 占先权3550-S-2 (config-if) # vrrp 2 track 1 decrement 150端口跟踪3550-S-2 (config) # int vlan 33550-S-2 (config-if) # vrrp 3 ip 543550-S-2 (config-if) # vrrp 3 preempt 占先权3550-S-2 (config-if) # vrrp 3 track 1 decrement 150 (略)3550-S-2 (config) # int vlan 13550-S-2 (config) #track 1 interface f0/1 定义跟踪编号3550-S-2 (config-if) vrrp 1 ip 54 3550-S-2 (config-if) # vrrp 1 preempt 占先权3550-S-2 (config-if) # vrrp 1 authentication text cisco明文认证3550-S-2 (config-if) # vrrp 1 track 1 decrement 150端口跟踪3550-S-2 (config) # int vlan 23550-S-2 (config-if) # standby 2 ip 543550-S-2 (config-if) # standby 2 preempt 占先权3550-S-2 (config-if) # standby 2 track 1 decrement 150 端口跟踪3550-S-2 (config) # int vlan 33550-S-2 (config-if) # standby 3 ip 543550-S-2 (config-if) # standby 3 preempt 占先权3550-S-2 (config-if) # standby 3 track 1 decrement 150 端口跟踪(略)5 以太网通道(优化流量)3550-S-1 (config) # int f0/23 3550-S-1 (config-if) #switchport mode trunk 永久中继模式3550-S-1 (config) # int f0/243550-S-1 (config-if) #switchport mode trunk 永久中继模式3550-S-1 (config) #port-channel load-balance src-dst-mac 基于源和目标MAC负载均衡3550-S-1 (config) # int range f0/23 -243550-S-1 (if-range) # channel-group 1 mode on3550-S-1 (if-range) # no sh 激活端口3550-S-2 (config) # int f0/23 3550-S-2 (config-if) #switchport mode trunk3550-S-2 (config) # int f0/243550-S-2 (config-if) #switchport mode trunk3550-S-2 (config) # int range f0/23 -243550-S-2 (config) #port-channel load-balance src-dst-mac 基于源和目标MAC负载均衡3550-S-2 (if-range) # channel-group 1 mode on3550-S-2 (if-range) # no sh-2950-S-4 (config) # int f0/23 2950-S-4 (config-if) #switchport mode trunk2950-S-4 (config) # int f0/242950-S-4 (config-if) #switchport mode trunk2950-S-4 (config) # int range f0/23 -242950-S-4 (config) #port-channel load-balance src-dst-mac 基于源和目标MAC负载均衡2950-S-4 (config) # int range f0/23 -242950-S-4(if-range) # channel-group 2 mode on2950-S-4 (if-range) # no sh.激活端口3550-S-1 (config) # int f0/8 3550-S-1 (config-if) #switchport mode trunk3550-S-1 (config) # int f0/93550-S-1 (config-if) #switchport mode trunk3550-S-1 (config) # int range f0/8 -93550-S-1 (config) #port-channel load-balance src-dst-mac 基于源和目标MAC负载均衡3550-S-1(if-range) # channel-group 2 mode on3550-S-1 (if-range) # no sh(略)6 DHCP配置3550-S-1 (config) # ip dhcp pool vlan2-glb 管理部 3550-S-1 (dhcp-config) # network 地址池范围3550-S-1 (config) # ip dhcp excluded-address 0保留3550-S-1 (config) # ip dhcp excluded-address 01 543550-S-1 (dhcp-config) # lease 5租约为5天3550-S-1 (dhcp-config) # dns-server DNS服务器3550-S-1 (config) # default-router 54默认网关3550-S-1 (config) # ip dhcp pool vlan3-cwb 财务部 3550-S-1 (dhcp-config) # network 地址池范围3550-S-1 (dhcp-config) # ip dhcp excluded-address 0保留3550-S-1 (dhcp-config) # ip dhcp excluded-address 01 543550-S-1 (dhcp-config) # lease 5租约为5天3550-S-1 (dhcp-config) # dns-server DNS服务器3550-S-1 (dhcp-config) # default-router 54默认网关(略)7 NTP配置将BJ-R-1设为NTP服务器,其余作NTP客户端,实现全网设备时钟同步BJ-R-1（config）# ntp master BJ-R-1（config）# clock set 10:00:00 seq 2007 设置时钟BJ-R-1（config）# ntp authenticate 启用ntp认证 BJ-R-1（config）# ntp trusted-key 1BJ-R-1（config）# ntp authentication-key 1 md5 benet3550-S-1 (config) # ntp server 543550-S-1（config）# ntp authenticate 启用ntp认证3550-S-1（config）# ntp authentication-key 1 md5 benet3550-S-2 (config) # ntp server 543550-S-2（config）# ntp authenticate 启用ntp认证BJ-R-1（config）# ntp trusted-key 13550-S-2（config）# ntp authentication-key 1 md5 benet(略)8 路由、NAT配置 北京总部-ospfBJ-R-1（config）# router ospf 1BJ-R-1（config-router）# network area 0BJ-R-1（config-router）# network area 0BJ-R-1（config-router）# area 0 authentication message-digest启用MD5认证BJ-R-1（config）# interface f0/2BJ-R-1（config-if）# ip ospf message-digest-key 1 md5 benet-md5定义密钥BJ-R-1（config）# interface f0/3BJ-R-1（config-if）# ip ospf message-digest-key 1 md5 benet-md5定义密钥BJ-R-1（config-router）# default-information orig 分发缺省路由tub3550-S-1 (config) # int f0/03550-S-1 (config) # no switchport打开路由端口3550-S-1 (config) # network area 03550-S-1 (config) # area 0 authentication message-digest3550-S-1 (config) # interface f0/03550-S-1 (config) # ip ospf message-digest-key 1 md5 benet-md53550-S-2 (config) # int f0/0 3550-S-2 (config) # no switchport3550-S-2 (config) # router ospf 13550-S-2 (config) # network area 0使用路由策略优化网络流量: 1).内部用户访问网通ISP资源，流量从f0/0出站，当访问电信ISP资源，流量从f0/1出站2).从不同ISP网络上所来的流量，从各自的线路返回网通CNC IP段：、、 (假定)电信CTC IP 段：、、（假定）-关于电信ip 段ACLBJ-R-1（config)# access-list 101deny ip 5555拒绝青岛VPN流量BJ-R-1（config)# access-list 101 deny ip 55 55 拒绝至广州VPN流量BJ-R-1（config)#access-list 101 permit ip 55 55 允许到达电信BJ-R-1（config)#access-list 101 permit ip 55 55 允许到达电信BJ-R-1（config)#access-list 101 permit ip 55 55 允许到达电信BJ-R-1（config)#access-list 101 permit ip 55 55 允许到达电信-关于网通ip 段ACLBJ-R-1（config)#access-list 102 deny ip 55 55 拒绝至青岛VPN流量BJ-R-1（config)#access-list 102 deny ip 55 55 拒绝至广州VPN流量BJ-R-1（config)#access-list 102 permit ip 55 55 允许到达网通BJ-R-1（config）#access-list 102 permit ip 55 55 允许到达网通BJ-R-1（config）#access-list 102 permit ip 55 55 允许到达网通BJ-R-1（config）#access-list 102 permit ip 55 55 允许到达网通Route-map “电信” permit 10Math ip address 101Match interface f0/1Set ip next-hop int f0/1电信CTCRoute-map “网通” permit 20Math ip address 102Match interface f0/0Set ip next-hop int f0/0网通CNCNAT转换BJ-R-1（config）# ip nat inside source route-map “电信” interface0/1 overloadBJ-R-1（config）# ip nat inside source route-map “网通” interface0/0 overloadBJ-R-1（config）# route-map “CTC” permit 10策略调用BJ-R-1（config）# match ip address 101BJ-R-1 (config) # set detfaull interface f0/1 默认从电信转发BJ-R-1（config）# route-map “CNC” permit 10 策略调用BJ-R-1（config）# match ip address 102BJ-R-1（config）# set detfaull interface f0/0默认从网通转发将其他访问列表默认f0/1转发BJ-R-1（config）# route-map “其他” permit 10 策略调用BJ-R-1（config）# set detfaull interface f0/1将map规则应用到接口:BJ-R-1（config）# interface0/3BJ-R-1（config） ip nat insideBJ-R-1（config-if）#ip policy route-map CTC”将map规则应用到接口:BJ-R-1（config）# interface0/4BJ-R-1（config） ip nat insideBJ-R-1（config-if）#ip policy route-map “CNC”端口映射,发布FTP web服务器BJ-R-1（config）# ip nat inside source static tcp 054 eq 80 web服务器BJ-R-1（config）# ip nat inside source static tcp 054 eq 80BJ-R-1（config）# ip nat inside source static tcp 054 eq 21 ftp服务器BJ-R-1（config）# ip nat inside source static tcp 054 eq 21 青岛办事处 NATQD-R-1（config）# access-list 101 deny ip any 55 55QD-R-1（config）# access-list 101 deny ip any 55 55QD-R-1（config）# access-list 101 deny ip any 55 55QD-R-1（config）# access-list 101 permit ip any any 应用接口：QD-R-1（config）#interface 0/0QD-R-1（config-if）#ip nat outsideQD-R-1（config）#interface 0/1QD-R-1（config-if）#ip nat inside端口复用：QD-R-1（config）# ip