CCNP Comprehensive Lab 2
Network configuration requirements:
1. Between the core switches SW1 and SW2, use VRRP (Virtual Router Redundancy Protocol) for gateway redundancy and load sharing: VLAN 20 is served by SW1, VLAN 30 by SW2.
2. Load-share between SW3 and SW4: VLAN 20 traffic takes the upper link, VLAN 30 traffic the lower one.
3. The enterprise's Internet exit goes through R17 as the default primary exit; if the primary exit goes down, traffic must fail over to the OA network's exit, so that the whole enterprise network stays available and reliable.
4. The core and the OA network use OSPF as the routing protocol; every area may be the backbone (area 0).
5. The server zone hosts HTTP, DNS and other servers. From the outside only the HTTP service may be reached, and pinging the server is allowed; all other traffic from the external network is denied.
6. Internal users must be able to reach the Internet, and the OA office network must be able to reach the server and every internal service.
7. On the exit router R17, apply some basic IOS firewall settings to mitigate DDoS (distributed denial-of-service) attacks launched from the external network.
8. Three public addresses were obtained: 202.103.78.7 is the outside interface address of the default primary exit router; the internal network uses PAT, and the server uses static NAT to 202.103.78.100.
Configuration:
SW1:
hostname sw1
ip cef
track 1 interface Ethernet2/1 line-protocol
 delay down 4
!
track 2 interface Ethernet2/0 line-protocol
 delay down 4
interface Serial0/0
 ip address 192.168.40.1 255.255.255.252
 serial restart-delay 0
interface FastEthernet1/0
 switchport mode trunk
!
interface FastEthernet1/1
 switchport mode trunk
!
interface Ethernet2/0
 ip address 192.168.40.9 255.255.255.252
 half-duplex
!
interface Ethernet2/1
 ip address 192.168.40.13 255.255.255.252
 half-duplex
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 1 ip 192.168.20.100
 vrrp 1 timers advertise 4
 vrrp 1 priority 200
 vrrp 1 track 1 decrement 120
 vrrp 1 track 2 decrement 120
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 2 ip 192.168.30.100
 vrrp 2 timers advertise 4
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
 
SW2:
sw2#show run
hostname sw2
ip cef
track 1 interface Ethernet2/1 line-protocol
 delay down 4
!
track 2 interface Ethernet2/0 line-protocol
 delay down 4
interface Serial0/0
 ip address 192.168.40.5 255.255.255.252
 serial restart-delay 0
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport mode trunk
!
interface Ethernet2/0
 ip address 192.168.40.21 255.255.255.252
 half-duplex
!
interface Ethernet2/1
 ip address 192.168.40.17 255.255.255.252
 half-duplex
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 1 ip 192.168.20.100
 vrrp 1 timers advertise 4
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 2 ip 192.168.30.100
 vrrp 2 timers advertise 4
 vrrp 2 priority 200
 vrrp 2 track 1 decrement 120
 vrrp 2 track 2 decrement 120
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
  
SW3:
sw3# show run
hostname sw3
ip cef
interface FastEthernet1/0
 switchport access vlan 20
!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
 switchport mode trunk
 spanning-tree vlan 20 port-priority 40
!
interface FastEthernet1/4
 switchport mode trunk
 spanning-tree vlan 30 port-priority 40
end
SW4:
sw4#show run
hostname sw4
ip cef
!
interface FastEthernet1/0
 switchport access vlan 30
!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
 switchport mode trunk
 spanning-tree vlan 20 port-priority 40
!
interface FastEthernet1/4
 switchport mode trunk
 spanning-tree vlan 30 port-priority 40
!
ip http server
 
PC1:
pc1#show run
hostname pc1
no ip routing
no ip cef
ip domain name www.pc1.com
interface Ethernet2/0
 ip address dhcp
 no ip route-cache
 half-duplex
ip http server
no cdp run
end
PC2:
pc2#show run
hostname pc2
no ip routing
no ip cef
ip domain name www.pc2.com
interface Ethernet0/0
 ip address dhcp
ip http server
SERVER:
r7#
hostname r7
ip cef
ip domain name zengfei.com
ip host www.zengfei.com 17.7.7.7
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
no ip dhcp use vrf connected
!
ip dhcp pool cisco
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.100
   dns-server 17.7.7.7
   lease 2
!
ip dhcp pool san
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.100
   dns-server 17.7.7.7
   domain-name pc2.com
   lease 2
username cisco password 0 cisco
interface Loopback0
 ip address 17.7.7.7 255.255.255.0
!
interface Serial0/0
 ip address 192.168.40.2 255.255.255.252
 serial restart-delay 0
!
interface Serial0/1
 ip address 192.168.40.6 255.255.255.252
 serial restart-delay 0
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
ip http server
line con 0
line aux 0
line vty 0 4
 privilege level 5
 no login
!
!
end
R8:
R8#show run
hostname R8
ip cef
interface Ethernet0/0
 ip address 192.168.40.10 255.255.255.252
interface Ethernet0/2
 ip address 192.168.40.18 255.255.255.252
 half-duplex
interface Serial2/0
 ip address 192.168.40.25 255.255.255.252
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 serial restart-delay 0
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
R9:
R9#show run
hostname R9
ip cef
frame-relay switching
interface Serial2/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 108 interface Serial2/1 810
interface Serial2/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 810 interface Serial2/0 108
R10:
R10#show run
hostname R10
ip cef
no ip domain lookup
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/0
 ip address 202.103.77.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Serial2/0
 ip address 192.168.40.26 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 serial restart-delay 0
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.40.24 0.0.0.3 area 0
 default-information originate always metric 3
no ip http server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
R17:
hostname r17
!
ip cef
no ip domain lookup
ip inspect max-incomplete high 600
ip inspect tcp finwait-time 40
ip inspect tcp synwait-time 4
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
interface FastEthernet0/0
 ip address 192.168.40.14 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.40.22 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface Ethernet2/0
 ip address 202.103.78.7 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 rate-limit input 8000 1500 3000 conform-action transmit exceed-action drop
router ospf 1
 log-adjacency-changes
 network 192.168.40.12 0.0.0.3 area 0
 network 192.168.40.20 0.0.0.3 area 0
 default-information originate
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet2/0
ip http server
ip nat inside source list 101 interface Ethernet2/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit tcp any host 202.103.78.100 eq www
access-list 102 permit icmp any any
access-list 102 deny   ip any any
no cdp run
end
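The inbound policy on R17's Ethernet2/0 deserves a walk-through, because ACL 102 on its own would drop the replies to every session internal users open; it is the `ip inspect CBAC out` statement that opens the return path. The script below is an added example, not the lab's own code. It parses the three `access-list 102` lines exactly as they appear in the R17 configuration above, models CBAC as a session table keyed on the addresses seen on the outside interface (post-NAT for outbound packets, pre-NAT for inbound ones), and evaluates constructed packets arriving from r13. Two details it makes visible: the ACL has to name the public address 202.103.78.100, because an inbound ACL is evaluated before outside-to-inside NAT, and `permit icmp any any` admits every ICMP type to every destination, including the router's own 202.103.78.7, which is broader than requirement 5's "allow pinging the server". The `Packet` and `Cbac` classes, the port numbers and the sample flows are assumptions of the example.

```python
"""Model of the inbound policy on R17's outside interface (Ethernet2/0):
ACL 102 applied inbound plus the sessions that 'ip inspect CBAC out' opens.

Added example, not the lab's own code.  The ACL text is copied from the R17
configuration; Packet, Cbac and the sample flows are assumptions.
"""
from dataclasses import dataclass

ACL_102 = """
access-list 102 permit tcp any host 202.103.78.100 eq www
access-list 102 permit icmp any any
access-list 102 deny   ip any any
"""

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0


def _address_matcher(tokens, i):
    """(matcher, next index) for the 'any' / 'host A.B.C.D' forms used in
    ACL 102; wildcard masks are not needed for this ACL."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = tokens[i + 1]
        return (lambda ip, h=host: ip == h), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_acl(text):
    """'access-list N permit|deny proto src dst [eq port]' lines into
    (action, proto, src_matcher, dst_matcher, dport-or-None) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _address_matcher(t, 4)
        dst, i = _address_matcher(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, src, dst, dport))
    return rules


def acl_decision(rules, pkt):
    """First matching entry wins; IOS's implicit deny closes the list."""
    for action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src(pkt.src) and dst(pkt.dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"


class Cbac:
    """Stand-in for 'ip inspect CBAC out' (tcp, udp, icmp): every outbound
    flow records a session, and the reverse flow of a recorded session is
    admitted inbound ahead of the static ACL, like CBAC's dynamic entries."""

    def __init__(self, inspected=("tcp", "udp", "icmp")):
        self.inspected = set(inspected)
        self.sessions = set()

    def inspect_outbound(self, pkt):
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions


def inbound_verdict(rules, cbac, pkt):
    if cbac.allows_inbound(pkt):
        return "permit (inspect session)"
    return acl_decision(rules, pkt)


def demo():
    """Constructed flows from r13 (13.13.13.13) as they arrive on Ethernet2/0.
    Returns {case name: verdict}."""
    rules = parse_acl(ACL_102)
    fw = Cbac()
    # pc2, PAT'd to 202.103.78.7, has opened telnet to r13 (the page's test)
    fw.inspect_outbound(Packet("tcp", "202.103.78.7", "13.13.13.13", 11001, 23))
    cases = {
        "http to server":   Packet("tcp", "13.13.13.13", "202.103.78.100", 40000, 80),
        "telnet to server": Packet("tcp", "13.13.13.13", "202.103.78.100", 40001, 23),
        "dns to server":    Packet("udp", "13.13.13.13", "202.103.78.100", 40002, 53),
        "ping server":      Packet("icmp", "13.13.13.13", "202.103.78.100"),
        "ping router":      Packet("icmp", "13.13.13.13", "202.103.78.7"),
        "telnet reply":     Packet("tcp", "13.13.13.13", "202.103.78.7", 23, 11001),
    }
    return {name: inbound_verdict(rules, fw, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The "telnet reply" case is the one ACL 102 would deny on its own; it is admitted only because the outbound telnet was inspected, which is why the R17 configuration needs no `permit tcp any any established` style entry. The "dns to server" case shows that the DNS service of requirement 5 is indeed not exposed, while "ping router" shows how far `permit icmp any any` reaches.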
R12:
R12#show run
hostname R12
ip cef
interface FastEthernet0/0
 ip address 202.103.77.12 255.255.255.0
interface FastEthernet1/0
 ip address 202.103.78.8 255.255.255.0
interface FastEthernet2/0
 ip address 202.103.79.12 255.255.255.0
ip http server
ip route 13.13.13.0 255.255.255.0 FastEthernet2/0
R13:
r13#show run
hostname r13
ip cef
username cisco password 0 cisco
interface Loopback0
 ip address 13.13.13.13 255.255.255.0
interface FastEthernet0/0
 ip address 202.103.79.13 255.255.255.0
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
end
 
Requirement tests:
1. DHCP:
PC1: show ip interface brief
    Ethernet2/0                192.168.20.3    YES DHCP   up                    up 
PC2:Ethernet0/0                192.168.30.3    YES DHCP   up                    up 
 
2. Network-wide ping:
pc2#ping 192.168.30.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/325/1092 ms
pc2#ping 192.168.20.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.3, timeout is 2 seconds:
.!!!!
pc2#ping 13.13.13.13
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/382/488 ms
pc2#
PC1:
pc1#ping 192.168.20.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/312/1128 ms
pc1#ping 192.168.30.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/229/456 ms
pc1#ping 13.13.13.13
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 428/484/544 ms
pc1#
 
VRRP test:
sw1#show vrrp brief
Interface          Grp Pri Time Own Pre State   Master addr     Group addr
Vl20               1   200 12218      Y Master 192.168.20.1    192.168.20.100
Vl30               2   100 12609      Y Backup 192.168.30.2    192.168.30.100
sw1#
 
sw2#show vrrp brief
Interface          Grp Pri Time Own Pre State   Master addr     Group addr
Vl20               1   100 12609      Y Backup 192.168.20.1    192.168.20.100
Vl30               2   200 12531      Y Master 192.168.30.2    192.168.30.100
sw2#
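Both `show vrrp brief` captures confirm requirement 1: SW1 (192.168.20.1) is master for group 1 and SW2 (192.168.30.2) for group 2, and `Pre Y` shows preemption is on, so the roles return after a failure clears. The script below is an added example, not part of the lab. It reproduces the election from the `vrrp` and `track` statements in the SW1 and SW2 configurations, and parses the captured `show vrrp brief` text so the live state can be checked against the intended VLAN-to-switch mapping. The priority model (configured priority minus the decrement of every tracked interface that is down, ties broken by the higher interface address) is the standard VRRP rule; the `tracks_up` dictionaries, the `SWITCH_ADDR` table and the `VRRP_CONFIG` transcription are assumptions of the example. One thing it makes concrete: with each uplink decrementing 120, a single uplink failure on SW1 takes group 1 from 200 to 80, below SW2's 100, so losing either uplink is enough to move the VLAN 20 gateway to SW2.

```python
"""VRRP master election for the two groups on SW1/SW2 as configured in this
lab, plus a parser for 'show vrrp brief' to confirm the live state.

Added example, not the lab's own code.  VRRP_CONFIG and SWITCH_ADDR are
transcribed from the page's configurations; SW1_BRIEF is the page's text.
"""

# (group, switch) -> (configured priority, {track object: decrement})
VRRP_CONFIG = {
    (1, "sw1"): (200, {1: 120, 2: 120}),   # vrrp 1 priority 200, track 1/2 decrement 120
    (1, "sw2"): (100, {}),                 # default priority, no tracking
    (2, "sw1"): (100, {}),
    (2, "sw2"): (200, {1: 120, 2: 120}),   # vrrp 2 priority 200, track 1/2 decrement 120
}

# Interface address of each switch in each group's VLAN (from the 'ip address'
# lines); used only for the tie-break when priorities are equal.
SWITCH_ADDR = {
    1: {"sw1": "192.168.20.1", "sw2": "192.168.20.2"},
    2: {"sw1": "192.168.30.1", "sw2": "192.168.30.2"},
}


def effective_priority(group, switch, tracks_up):
    """Configured priority minus the decrement of every tracked object that is
    down.  tracks_up maps track id -> bool; a missing track counts as up.
    The result is clamped to VRRP's usable range 1..254."""
    base, decrements = VRRP_CONFIG[(group, switch)]
    penalty = sum(dec for tid, dec in decrements.items()
                  if not tracks_up.get(tid, True))
    return max(1, min(254, base - penalty))


def elect_master(group, tracks_up_by_switch):
    """Highest effective priority wins; equal priorities go to the higher
    interface address.  tracks_up_by_switch maps switch -> {track id: bool}."""
    def rank(switch):
        prio = effective_priority(group, switch,
                                  tracks_up_by_switch.get(switch, {}))
        octets = tuple(int(o) for o in SWITCH_ADDR[group][switch].split("."))
        return (prio, octets)
    return max(SWITCH_ADDR[group], key=rank)


def parse_vrrp_brief(text):
    """Rows of 'show vrrp brief' as
    {(interface, group): (priority, state, master_addr, virtual_ip)}.
    The 'Own' column is blank for non-owners, so the trailing fields are
    taken from the end of the line rather than by fixed position."""
    rows = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or not t[1].isdigit():
            continue            # prompt, header or blank line
        rows[(t[0], int(t[1]))] = (int(t[2]), t[-3], t[-2], t[-1])
    return rows


def check_gateway_split(brief_text, expected_master):
    """expected_master: {group: master address}.  Returns the rows whose
    reported master differs; an empty list means the intended split holds."""
    problems = []
    for (intf, grp), (_pri, _state, master, _vip) in parse_vrrp_brief(brief_text).items():
        want = expected_master.get(grp)
        if want is not None and master != want:
            problems.append(f"{intf} group {grp}: master {master}, expected {want}")
    return problems


# Captured on sw1 in the VRRP test above (page text used as sample input).
SW1_BRIEF = """\
sw1#show vrrp brief
Interface          Grp Pri Time Own Pre State   Master addr     Group addr
Vl20               1   200 12218      Y Master 192.168.20.1    192.168.20.100
Vl30               2   100 12609      Y Backup 192.168.30.2    192.168.30.100
"""

INTENDED = {1: "192.168.20.1", 2: "192.168.30.2"}   # VLAN 20 -> SW1, VLAN 30 -> SW2


if __name__ == "__main__":
    print("live split OK:", check_gateway_split(SW1_BRIEF, INTENDED) == [])
    scenarios = [("all uplinks up", {}),
                 ("sw1 Ethernet2/1 down", {"sw1": {1: False}}),
                 ("sw1 both uplinks down", {"sw1": {1: False, 2: False}})]
    for label, tracks in scenarios:
        print(f"{label:24s} group1 -> {elect_master(1, tracks)}  "
              f"group2 -> {elect_master(2, tracks)}  "
              f"sw1 group1 prio {effective_priority(1, 'sw1', tracks.get('sw1', {}))}")
```

Run it after changing a `decrement` value to see whether a single uplink loss should still move the gateway; with `decrement 120` it does, whereas a value below 100 would keep SW1 master on a single failure and move it only when both uplinks are down.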
 
Load sharing between the switches:
show spanning-tree output (the Bridge ID shows it was captured on a switch, although the page labels it PC1):
Note that in this capture both VLAN 20 and VLAN 30 see the same root bridge (cc05.0a04.000x) and the same root port, FastEthernet1/1, with FastEthernet1/2 blocking for both; nothing in the configuration makes a different switch root for VLAN 30, so this output shows the uplinks converging on one path rather than splitting per VLAN. The `spanning-tree vlan 20 port-priority 40` and `spanning-tree vlan 30 port-priority 40` lines on SW3 and SW4 only influence a neighbour's root-port choice between parallel links to the same switch, which suggests Fa1/3 and Fa1/4 are the SW3-SW4 link pair of requirement 2, not the uplinks shown here.
VLAN20
 Spanning tree enabled protocol ieee
 Root ID    Priority    32768
             Address     cc05.0a04.0001
             Cost        19
             Port        42 (FastEthernet1/1)
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
 
 Bridge ID Priority    32768
             Address     cc07.0a04.0001
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
             Aging Time 300
 
Interface                                   Designated
Name                 Port ID Prio Cost Sts Cost Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1      128.42   128    19 FWD     0 32768 cc05.0a04.0001 128.43
FastEthernet1/2      128.43   128    19 BLK    19 32768 cc06.0a04.0001 128.43
 
         
VLAN30
 Spanning tree enabled protocol ieee
 Root ID    Priority    32768
             Address     cc05.0a04.0002
             Cost        19
             Port        42 (FastEthernet1/1)
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
 
 Bridge ID Priority    32768
             Address     cc07.0a04.0002
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
             Aging Time 300
 
Interface                                   Designated
Name                 Port ID Prio Cost Sts Cost Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1      128.42   128    19 FWD     0 32768 cc05.0a04.0002 128.43
FastEthernet1/2      128.43   128    19 BLK    19 32768 cc06.0a04.0002 128.43
NAT test (debug ip nat output captured on the exit router; 202.103.78.7 is R17's outside address):
r11#
*Apr 22 18:05:55.562: NAT*: s=17.7.7.7->202.103.78.100, d=13.13.13.13 [122]
*Apr 22 18:05:55.918: NAT*: s=13.13.13.13, d=202.103.78.100->17.7.7.7 [122]
 
r11#
*Apr 22 18:06:21.326: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [130]
*Apr 22 18:06:21.394: NAT*: s=192.168.40.2->202.103.78.7, d=13.13.13.13 [131]
*Apr 22 18:06:21.546: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [131]
r11#
 
Internal exit failover test:
With the default exit up:
pc2#traceroute 13.13.13.13
 
Type escape sequence to abort.
Tracing the route to 13.13.13.13
 
 1 192.168.30.2 276 msec 156 msec 152 msec
 2 192.168.40.22 144 msec 208 msec 156 msec
 3 202.103.78.8 476 msec 584 msec 364 msec
 4 202.103.79.13 300 msec 692 msec *
After the default exit goes down, does traffic go via the OA network?
R17 originates its OSPF default with the default metric of 1 and without `always`, so the route is withdrawn as soon as R17's own static default via Ethernet2/0 disappears; R10 originates with `always metric 3`, which loses to R17's route while R17 is up and is the only default left once R17's is gone. Note that R10 applies no inbound access list or inspection on its outside interface, so the HTTP-only policy of requirement 5 is not enforced while the backup path is in use, and R10's static NAT maps the server to 202.103.78.100, an address on the 202.103.78.0/24 segment attached to R17 rather than on R10's own outside segment 202.103.77.0/24.
pc2#traceroute 13.13.13.13
 
Type escape sequence to abort.
Tracing the route to 13.13.13.13
 
 1 192.168.30.2 164 msec 156 msec 136 msec
 2 192.168.40.18 208 msec 216 msec 140 msec
 3 192.168.40.26 300 msec 592 msec 408 msec
 4 *
    202.103.77.12 476 msec 584 msec
 5 202.103.79.13 792 msec 620 msec 384 msec
pc2#
Internal hosts reach the OA network through the more specific routes:
 
     17.0.0.0/32 is subnetted, 1 subnets
O       17.7.7.7 [110/65] via 192.168.40.6, 00:22:15, Serial0/0
O       192.168.40.25/32 [110/10] via 192.168.40.18, 00:23:05, Ethernet2/1
O       192.168.40.26/32 [110/74] via 192.168.40.18, 00:23:05, Ethernet2/1
External users can reach only HTTP (ping permitted):
r13#connect 202.103.78.100
Trying 202.103.78.100 ...
% Destination unreachable; gateway or host down
 
r13#connect 202.103.78.100 www
Trying 202.103.78.100, 80 ... Open
^C
 
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:04:31 GMT
Server: cisco-IOS
Accept-Ranges: none
 
400 Bad Request
 
[Connection to 202.103.78.100 closed by foreign host]
r13#ping 202.103.78.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.103.78.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/434/604 ms
r13#
Can OA users reach all internal services? (The telnet below lands directly on an r7# prompt because r7's `line vty 0 4` is configured with `no login` and `privilege level 5`; that is lab convenience, not something to carry into production.)
R10#ping 17.7.7.7
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/316/384 ms
 
R10#telnet 17.7.7.7
Trying 17.7.7.7 ... Open
 
r7#exit
 
[Connection to 17.7.7.7 closed by foreign host]
R10#connect 17.7.7.7 www
Trying 17.7.7.7, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:05:58 GMT
Server: cisco-IOS
Accept-Ranges: none
 
400 Bad Request
 
[Connection to 17.7.7.7 closed by foreign host]
R10#
Restricting external access does not affect internal users' normal access to the external network:
pc2#ping 13.13.13.13
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 216/322/400 ms
pc2#telnet 13.13.13.13
Trying 13.13.13.13 ... Open
 
 
Password required, but none set
 
[Connection to 13.13.13.13 closed by foreign host]
pc2#
pc2#connect 13.13.13.13 www
Trying 13.13.13.13, 80 ... Open
^C
 
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 04:55:01 GMT
Server: cisco-IOS
Accept-Ranges: none
 
400 Bad Request
 
[Connection to 13.13.13.13 closed by foreign host]
 
The anti-DDoS test for the internal HTTP server is omitted.
Because of an IOS issue, for the DNS server test I can only give the commands:
ip dns server
ip domain name cisco.com
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
This was done in a hurry; if anything is wrong, corrections from readers are welcome.
Note: while doing the VRRP lab, the PC clients may fail to ping the virtual gateway. I am not entirely sure why; it works intermittently. The workaround is to lengthen the VRRP advertisement timer, or to shut and then no shutdown the VLAN interface. I suspect the problem arises during master/backup role transitions; I do not know whether it also occurs on real hardware.
 
 
 
 