① Users' default gateways are configured on the core switch
The access-layer switches create the VLANs and assign users to the appropriate VLAN
Configure the trunk links
Configure the VLANs and the SVI (VLANIF) virtual interfaces on the core switch
② Divide the enterprise intranet into several VLANs to shrink the broadcast domains and improve network stability
VLAN10
VLAN30 //Finance department
VLAN200 //Servers
VLAN800 //Link to the egress router R1
VLAN999 //Management VLAN
③ Every device can be managed remotely over telnet from any location
aaa
local-user admin password cipher admin@123
local-user admin privilege level 3
local-user admin service-type telnet
user-interface vty 0 4
authentication-mode aaa
Configure management VLAN 999
Management address range: 192.168.255.X
④ Configure NAT on the egress router
[R1]acl number 2000 //Create ACL 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 //Permit source address 192.168.0.0 (wildcard 0.0.255.255)
[R1-acl-basic-2000]quit //Exit
[R1]interface g0/0/1 //Enter the interface
[R1-GigabitEthernet0/0/1]nat outbound 2000 //Apply on the outbound interface
[R1-GigabitEthernet0/0/1]quit //Exit
[R1]ip route-s 0.0.0.0 0 12.1.1.6 //Default route for outbound packets
[R1]ip route-s 192.168.0.0 255.255.0.0 192.168.254.1 //Hand return packets to core switch SW1
⑤ Run STP in RSTP mode and make sure the core switch is the root bridge; configure the user-facing access ports as edge ports to speed up convergence
stp mode rstp //Run RSTP
stp priority 0 //Set the priority to 0; the smallest value wins the root election
port-group g e0/0/2 to e0/0/3 //Create a port group
stp edged-port enable //Enable edge ports to speed up convergence
⑥ Configure root-bridge protection so the root role cannot be taken over
Access-layer SW1 and access-layer SW3
stp bpdu-protection //Edge-port protection
⑦ All users obtain their IP addresses automatically
[hexinSW1]dhcp enable //Enable the DHCP service
[hexinSW1]ip pool VLAN_10 //Create the address pool for VLAN_10
[hexinSW1-ip-pool-vlan_10]network 192.168.10.0 mask 24 //Network segment and subnet mask
[hexinSW1-ip-pool-vlan_10]gateway-list 192.168.10.1 //Gateway address
[hexinSW1-ip-pool-vlan_10]dns-list 8.8.8.8 //DNS address
[hexinSW1-ip-pool-vlan_10]quit //Exit
[hexinSW1]ip pool VLAN_30 //Create the address pool for VLAN_30
[hexinSW1-ip-pool-vlan_30]network 192.168.30.0 mask 24 //Network segment and subnet mask
[hexinSW1-ip-pool-vlan_30]gateway-list 192.168.30.1 //Gateway address
[hexinSW1-ip-pool-vlan_30]dns-list 8.8.8.8 //DNS address
[hexinSW1-ip-pool-vlan_30]quit //Exit
[hexinSW1]int Vlan10 //Enter VLANIF10
[hexinSW1-Vlanif10]dhcp select global //Serve DHCP clients from the global address pool
[hexinSW1-Vlanif10]quit //Exit
[hexinSW1]int vlan30 //Enter VLANIF30
[hexinSW1-Vlanif30]dhcp select global //Serve DHCP clients from the global address pool
[hexinSW1-Vlanif30]quit //Exit
[hexinSW1]
⑧ At the enterprise egress, map port 80 of the intranet server outward so that external users can access it
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www
⑨ The enterprise finance server may only be accessed by staff of the finance department (VLAN30)
[hexinSW1]acl number 3000
[hexinSW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0
[hexinSW1-acl-adv-3000]rule deny ip destination 192.168.200.20 0
[hexinSW1-acl-adv-3000]quit
[hexinSW1]interface g0/0/2
[hexinSW1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000
[hexinSW1-GigabitEthernet0/0/2]quit
[hexinSW1]
Lab steps:
Web server
IP: 192.168.200.10
Subnet mask: 255.255.255.0
Gateway: 192.168.200.1
Finance server
IP: 192.168.200.20
Subnet mask: 255.255.255.0
Gateway: 192.168.200.1
Access-layer SW2
<Huawei>system-view //Enter system view
[Huawei]undo info-center enable //Disable information-center messages
[Huawei]sysname jrcSW2 //Rename the device
[jrcSW2]vlan 10 //Create VLAN10
[jrcSW2-vlan10]vlan 30 //Create VLAN30
[jrcSW2-vlan30]quit //Exit
[jrcSW2]interface g0/0/2 //Enter the interface
[jrcSW2-GigabitEthernet0/0/2]port link-type access //Configure an access link
[jrcSW2-GigabitEthernet0/0/2]port default vlan 10 //Put the port in VLAN10
[jrcSW2-GigabitEthernet0/0/2]quit //Exit
[jrcSW2]interface e0/0/3 //Enter the interface
[jrcSW2-Ethernet0/0/3]port link-type access //Configure an access link
[jrcSW2-Ethernet0/0/3]port default vlan 30 //Put the port in VLAN30
[jrcSW2-Ethernet0/0/3]quit //Exit
[jrcSW2]interface e0/0/1 //Enter the interface
[jrcSW2-Ethernet0/0/1]port link-type trunk //Configure a trunk link
[jrcSW2-Ethernet0/0/1]port trunk allow-pass vlan 10 30 //Allow VLAN10 and VLAN30 through
[jrcSW2-Ethernet0/0/1]quit //Exit
[jrcSW2]
Access-layer SW3
<Huawei>system-view //Enter system view
[Huawei]undo info-center enable //Disable information-center messages
[Huawei]sysname jrcSW3 //Rename the device
[jrcSW3]vlan 200 //Create VLAN200
[jrcSW3-vlan200]quit //Exit
[jrcSW3]interface e0/0/2 //Enter the interface
[jrcSW3-Ethernet0/0/2]port link-type access //Configure an access link
[jrcSW3-Ethernet0/0/2]port default vlan 200 //Put the port in VLAN200
[jrcSW3-Ethernet0/0/2]quit //Exit
[jrcSW3]interface e0/0/3 //Enter the interface
[jrcSW3-Ethernet0/0/3]port link-type access //Configure an access link
[jrcSW3-Ethernet0/0/3]port default vlan 200 //Put the port in VLAN200
[jrcSW3-Ethernet0/0/3]quit //Exit
[jrcSW3]interface e0/0/1 //Enter the interface
[jrcSW3-Ethernet0/0/1]port link-type trunk //Configure a trunk link
[jrcSW3-Ethernet0/0/1]port trunk allow-pass vlan 200 //Allow VLAN200 through
[jrcSW3-Ethernet0/0/1]quit //Exit
[jrcSW3]
Core SW1
<Huawei>system-view //Enter system view
[Huawei]undo info-center enable //Disable information-center messages
[Huawei]sysname hexinSW1 //Rename the device
[hexinSW1]vlan batch 10 30 200 //Create VLAN10, VLAN30 and VLAN200
[hexinSW1]interface g0/0/1 //Enter the interface
[hexinSW1-GigabitEthernet0/0/1]port link-type trunk //Configure a trunk link
[hexinSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30 //Allow VLAN10 and VLAN30 through
[hexinSW1-GigabitEthernet0/0/1]quit //Exit
[hexinSW1]interface g0/0/2 //Enter the interface
[hexinSW1-GigabitEthernet0/0/2]port link-type trunk //Configure a trunk link
[hexinSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 200 //Allow VLAN200 through
[hexinSW1-GigabitEthernet0/0/2]quit //Exit
[hexinSW1]
Core SW1 (view the VLAN configuration)
[hexinSW1]dis vlan //View VLAN configuration information
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) GE0/0/4(D)
GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(D) GE0/0/22(D) GE0/0/23(D) GE0/0/24(D)
10 common TG:GE0/0/1(U)
30 common TG:GE0/0/1(U)
200 common TG:GE0/0/2(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
1 enable default enable disable VLAN 0001
10 enable default enable disable VLAN 0010
30 enable default enable disable VLAN 0030
200 enable default enable disable VLAN 0200
[hexinSW1]
Core SW1 (configure the SVIs)
[hexinSW1]int vlan 10 //Enter VLANIF10
[hexinSW1-Vlanif10]ip address 192.168.10.1 24 //Set the IP address
[hexinSW1-Vlanif10]quit //Exit
[hexinSW1]int vlan 30 //Enter VLANIF30
[hexinSW1-Vlanif30]ip address 192.168.30.1 24 //Set the IP address
[hexinSW1-Vlanif30]quit //Exit
[hexinSW1]int vlan 200 //Enter VLANIF200
[hexinSW1-Vlanif200]ip address 192.168.200.1 24 //Set the IP address
[hexinSW1-Vlanif200]quit //Exit
[hexinSW1]
Core SW1 (view the SVI configuration)
[hexinSW1]dis ip int brief //View SVI configuration information
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned up down
Vlanif10 192.168.10.1/24 up up
Vlanif30 192.168.30.1/24 up up
Vlanif200 192.168.200.1/24 up up
[hexinSW1]
Core SW1 (create the address pools)
[hexinSW1]dhcp enable //Enable the DHCP service
[hexinSW1]ip pool VLAN_10 //Create the address pool for VLAN_10
[hexinSW1-ip-pool-vlan_10]network 192.168.10.0 mask 24 //Network segment and subnet mask
[hexinSW1-ip-pool-vlan_10]gateway-list 192.168.10.1 //Gateway address
[hexinSW1-ip-pool-vlan_10]dns-list 8.8.8.8 //DNS address
[hexinSW1-ip-pool-vlan_10]quit //Exit
[hexinSW1]ip pool VLAN_30 //Create the address pool for VLAN_30
[hexinSW1-ip-pool-vlan_30]network 192.168.30.0 mask 24 //Network segment and subnet mask
[hexinSW1-ip-pool-vlan_30]gateway-list 192.168.30.1 //Gateway address
[hexinSW1-ip-pool-vlan_30]dns-list 8.8.8.8 //DNS address
[hexinSW1-ip-pool-vlan_30]quit //Exit
[hexinSW1]
Core SW1 (serve DHCP clients from the global address pools)
[hexinSW1]int Vlan10 //Enter VLANIF10
[hexinSW1-Vlanif10]dhcp select global //Serve DHCP clients from the global address pool
[hexinSW1-Vlanif10]quit //Exit
[hexinSW1]int vlan30 //Enter VLANIF30
[hexinSW1-Vlanif30]dhcp select global //Serve DHCP clients from the global address pool
[hexinSW1-Vlanif30]quit //Exit
[hexinSW1]
PC1 (check whether an IP address was obtained automatically)
PC>ipconfig //View the IP address
Link local IPv6 address...........: fe80::5689:98ff:feae:2f40
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.10.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.10.1
Physical address..................: 54-89-98-AE-2F-40
DNS server........................: 8.8.8.8
PC2 (check whether an IP address was obtained automatically)
PC>ipconfig //View the IP address
Link local IPv6 address...........: fe80::5689:98ff:fed6:31e8
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.30.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.30.1
Physical address..................: 54-89-98-D6-31-E8
DNS server........................: 8.8.8.8
Core SW1
[hexinSW1]aaa //Enter AAA view
[hexinSW1-aaa] local-user admin password cipher admin@123 //Configure the username and password
[hexinSW1-aaa] local-user admin privilege level 3 //Configure the user privilege level
[hexinSW1-aaa]local-user admin service-type telnet //Allow telnet access
[hexinSW1-aaa]quit //Exit
[hexinSW1]user-interface vty 0 4 //Enter the VTY user interfaces
[hexinSW1-ui-vty0-4]authentication-mode aaa //Use AAA authentication
[hexinSW1-ui-vty0-4]quit //Exit
[hexinSW1]
Access-layer SW2
[jrcSW2]aaa //Enter AAA view
[jrcSW2-aaa] local-user admin password cipher admin@123 //Configure the username and password
[jrcSW2-aaa] local-user admin privilege level 3 //Configure the user privilege level
[jrcSW2-aaa]local-user admin service-type telnet //Allow telnet access
[jrcSW2-aaa]quit //Exit
[jrcSW2]user-interface vty 0 4 //Enter the VTY user interfaces
[jrcSW2-ui-vty0-4]authentication-mode aaa //Use AAA authentication
[jrcSW2-ui-vty0-4]quit //Exit
[jrcSW2]
Access-layer SW3
[jrcSW3]aaa //Enter AAA view
[jrcSW3-aaa] local-user admin password cipher admin@123 //Configure the username and password
[jrcSW3-aaa] local-user admin privilege level 3 //Configure the user privilege level
[jrcSW3-aaa]local-user admin service-type telnet //Allow telnet access
[jrcSW3-aaa]quit //Exit
[jrcSW3]user-interface vty 0 4 //Enter the VTY user interfaces
[jrcSW3-ui-vty0-4]authentication-mode aaa //Use AAA authentication
[jrcSW3-ui-vty0-4]quit //Exit
[jrcSW3]
Egress R1
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname R1
[R1]aaa //Enter AAA view
[R1-aaa] local-user admin password cipher admin@123 //Configure the username and password
[R1-aaa] local-user admin privilege level 3 //Configure the user privilege level
[R1-aaa] local-user admin service-type telnet //Allow telnet access
[R1-aaa]quit //Exit
[R1]user-interface vty 0 4 //Enter the VTY user interfaces
[R1-ui-vty0-4] authentication-mode aaa //Use AAA authentication
[R1-ui-vty0-4]quit //Exit
[R1]
Core SW1 (configure the management VLAN)
[hexinSW1]vlan 999 //Create management VLAN999
[hexinSW1-vlan999]quit //Exit
[hexinSW1]int vlan 999 //Enter VLANIF999
[hexinSW1-Vlanif999] ip address 192.168.255.1 24 //Configure the management address
[hexinSW1-Vlanif999]quit //Exit
[hexinSW1]
Access-layer SW2 (configure the management VLAN)
[jrcSW2]vlan 999 //Create management VLAN999
[jrcSW2-vlan999]quit //Exit
[jrcSW2]int vlan 999 //Enter VLANIF999
[jrcSW2-Vlanif999]ip address 192.168.255.2 24 //Configure the management address
[jrcSW2-Vlanif999]quit //Exit
[jrcSW2]
Access-layer SW3 (configure the management VLAN)
[jrcSW3]vlan 999 //Create management VLAN999
[jrcSW3-vlan999]quit //Exit
[jrcSW3]int vlan 999 //Enter VLANIF999
[jrcSW3-Vlanif999]ip address 192.168.255.3 24 //Configure the management address
[jrcSW3-Vlanif999]quit //Exit
[jrcSW3]
Access-layer SW2 (return route)
[jrcSW2]ip route-static 0.0.0.0 0 192.168.255.1 //Default route so that management traffic can return
Access-layer SW3 (return route)
[jrcSW3]ip route-static 0.0.0.0 0 192.168.255.1 //Default route so that management traffic can return
Core SW1 (allow the management VLAN through the trunks)
[hexinSW1]interface g0/0/1 //Enter the interface
[hexinSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 999 //Allow VLAN999 through
[hexinSW1-GigabitEthernet0/0/1]quit //Exit
[hexinSW1]interface g0/0/2 //Enter the interface
[hexinSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 999 //Allow VLAN999 through
[hexinSW1-GigabitEthernet0/0/2]quit //Exit
[hexinSW1]
Access-layer SW2 (allow the management VLAN through the trunk)
[jrcSW2]interface e0/0/1 //Enter the interface
[jrcSW2-Ethernet0/0/1]port trunk allow-pass vlan 999 //Allow VLAN999 through
[jrcSW2-Ethernet0/0/1]quit //Exit
[jrcSW2]
Access-layer SW3 (allow the management VLAN through the trunk)
[jrcSW3]interface e0/0/1 //Enter the interface
[jrcSW3-Ethernet0/0/1]port trunk allow-pass vlan 999 //Allow VLAN999 through
[jrcSW3-Ethernet0/0/1]quit //Exit
[jrcSW3]
Core SW1 (test whether the two access-layer switches can be reached by telnet)
<hexinSW1>telnet 192.168.255.2 //Remotely log in to access-layer switch SW2
Trying 192.168.255.2 ...
Press CTRL+K to abort
Connected to 192.168.255.2 ...
Login authentication
Username:admin //Enter the username
Password: //Enter the password
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2019-12-16 13:43:48.
<jrcSW2>quit //Exit
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 0.
Info: The connection was closed by the remote host.
<hexinSW1>telnet 192.168.255.3 //Remotely log in to access-layer switch SW3
Trying 192.168.255.3 ...
Press CTRL+K to abort
Connected to 192.168.255.3 ...
Login authentication
Username:admin //Enter the username
Password: //Enter the password
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2019-12-16 13:44:03.
<jrcSW3>quit
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 0.
Info: The connection was closed by the remote host.
<hexinSW1>
Core SW1 (configure the SVI that connects to the egress router R1)
[hexinSW1]interface g0/0/3 //Enter the interface
[hexinSW1-GigabitEthernet0/0/3]port link-type access //Configure an access link
[hexinSW1-GigabitEthernet0/0/3]port default vlan 800 //Put the port in VLAN800
[hexinSW1-GigabitEthernet0/0/3]quit //Exit
[hexinSW1]int vlan 800 //Enter VLANIF800
[hexinSW1-Vlanif800]ip address 192.168.254.1 24 //Set the IP address
[hexinSW1-Vlanif800]quit //Exit
[hexinSW1]quit
Core SW1 (configure the default route)
[hexinSW1]ip route-static 0.0.0.0 0 192.168.254.2 //Configure the default route
Egress R1 (set the IP addresses)
[R1]interface g0/0/0 //Enter the interface
[R1-GigabitEthernet0/0/0]ip address 192.168.254.2 24 //Set the IP address
[R1-GigabitEthernet0/0/0]quit //Exit
[R1]interface g0/0/1 //Enter the interface
[R1-GigabitEthernet0/0/1]ip address 12.1.1.1 29 //Set the IP address
[R1-GigabitEthernet0/0/1]quit //Exit
[R1]
R1 (test whether core switch SW1 can be pinged)
[R1]ping 192.168.254.1
PING 192.168.254.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.254.1: bytes=56 Sequence=1 ttl=255 time=90 ms
Reply from 192.168.254.1: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 192.168.254.1: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 192.168.254.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.254.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 192.168.254.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/40/90 ms
ISP R2
<Huawei>system-view //Enter system view
[Huawei]undo info-center enable //Disable information-center alarm messages
[Huawei]interface g0/0/0 //Enter the interface
[Huawei-GigabitEthernet0/0/0]ip address 12.1.1.2 29 //Set the IP address
[Huawei-GigabitEthernet0/0/0]quit //Exit
[Huawei]interface LoopBack 0 //Enter the interface
[Huawei-LoopBack0]ip address 9.9.9.9 24 //Set the IP address
[Huawei-LoopBack0]quit //Exit
[Huawei]
Egress R1 (configure NAT)
[R1]acl number 2000 //Create ACL 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 //Permit source address 192.168.0.0 (wildcard 0.0.255.255)
[R1-acl-basic-2000]quit //Exit
[R1]interface g0/0/1 //Enter the interface
[R1-GigabitEthernet0/0/1]nat outbound 2000 //Apply on the outbound interface
[R1-GigabitEthernet0/0/1]quit //Exit
[R1]
Egress R1 (default route)
[R1]ip route-static 0.0.0.0 0 12.1.1.6 //Default route for outbound packets
[R1]ip route-static 192.168.0.0 255.255.0.0 192.168.254.1 //Hand return packets to core switch SW1
PC1 (test whether 9.9.9.9 can be pinged)
PC>ping 9.9.9.9 //Test whether 9.9.9.9 can be pinged
Ping 9.9.9.9: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 9.9.9.9: bytes=32 seq=2 ttl=253 time=78 ms //Ping succeeds
From 9.9.9.9: bytes=32 seq=3 ttl=253 time=63 ms
From 9.9.9.9: bytes=32 seq=4 ttl=253 time=47 ms
From 9.9.9.9: bytes=32 seq=5 ttl=253 time=47 ms
--- 9.9.9.9 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/58/78 ms
PC2 (test whether 9.9.9.9 can be pinged)
PC>ping 9.9.9.9 //Test whether 9.9.9.9 can be pinged
Ping 9.9.9.9: 32 data bytes, Press Ctrl_C to break
From 9.9.9.9: bytes=32 seq=1 ttl=253 time=78 ms //Ping succeeds
From 9.9.9.9: bytes=32 seq=2 ttl=253 time=47 ms
From 9.9.9.9: bytes=32 seq=3 ttl=253 time=62 ms
From 9.9.9.9: bytes=32 seq=4 ttl=253 time=47 ms
From 9.9.9.9: bytes=32 seq=5 ttl=253 time=62 ms
--- 9.9.9.9 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/59/78 ms
Core SW1 (run STP in RSTP mode)
[hexinSW1]stp mode rstp //Run RSTP mode
Access-layer SW2 (run STP in RSTP mode)
[jrcSW2]stp mode rstp //Run RSTP mode
Access-layer SW3 (run STP in RSTP mode)
[jrcSW3]stp mode rstp //Run RSTP mode
Core SW1 (set the bridge priority; the smaller the value, the higher the priority)
[hexinSW1]stp priority 0 //Set the priority
Access-layer SW2 (configure the user-facing access ports as edge ports to speed up convergence)
[jrcSW2]port-group g e0/0/2 to e0/0/3 //Create a port group
[jrcSW2-port-group]stp edged-port enable //Enable edge ports (the switch echoes the command for each member port)
[jrcSW2-Ethernet0/0/2]stp edged-port enable //Enable the edge port
[jrcSW2-Ethernet0/0/3]stp edged-port enable //Enable the edge port
[jrcSW2-port-group]quit //Exit
[jrcSW2]
Access-layer SW3 (configure the user-facing access ports as edge ports to speed up convergence)
[jrcSW3]port-group g e0/0/2 to e0/0/3 //Create a port group
[jrcSW3-port-group]stp edged-port enable //Enable edge ports (the switch echoes the command for each member port)
[jrcSW3-Ethernet0/0/2]stp edged-port enable //Enable the edge port
[jrcSW3-Ethernet0/0/3]stp edged-port enable //Enable the edge port
[jrcSW3-port-group]quit //Exit
[jrcSW3]
Access-layer SW2 (configure root-bridge protection so the root role cannot be taken over)
[jrcSW2]stp bpdu-protection //Edge-port protection
Access-layer SW3 (configure root-bridge protection so the root role cannot be taken over)
[jrcSW3]stp bpdu-protection //Edge-port protection
Egress R1 (map port 80 of the intranet server outward at the enterprise egress so that external users can access it)
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 12.1.1.4 www inside 192.168.200.10 www //Map port 80 of the intranet server outward to allow external access
Core SW1 (the enterprise finance server may only be accessed by staff of the finance department (VLAN30))
[hexinSW1]acl number 3000 //Create ACL 3000
[hexinSW1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0 //Permit source 192.168.30.0/24 to reach 192.168.200.20
[hexinSW1-acl-adv-3000]rule deny ip destination 192.168.200.20 0 //Deny all other traffic destined for 192.168.200.20
[hexinSW1-acl-adv-3000]quit //Exit
[hexinSW1]interface g0/0/2 //Enter the interface
[hexinSW1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000 //Apply ACL 3000 outbound on the interface
[hexinSW1-GigabitEthernet0/0/2]quit //Exit
[hexinSW1]
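To make the ACL 3000 semantics concrete, here is an added Python model (not part of the original lab and not Huawei code) of the filter applied by traffic-filter on g0/0/2: wildcard-mask matching, rules evaluated in configured order, and the traffic-filter default of permitting a packet that matches no rule, which is why the explicit deny rule is needed. The addresses are the ones from this page; ACL 2000 from R1 is included to contrast the different default of nat outbound (unmatched traffic is forwarded untranslated rather than dropped).

```python
import ipaddress

# Constructed model of Huawei wildcard-mask ACL matching (added example, not Huawei code).
# In a wildcard mask a 0 bit must match exactly and a 1 bit is "don't care",
# so "192.168.30.0 0.0.0.255" is the whole /24 and "192.168.200.20 0" is one host.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True if addr matches base under the given wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must match exactly
    return (a & care) == (b & care)

# ACL 3000 exactly as configured on hexinSW1 above (rule order = evaluation order).
# A rule with no source clause matches any source, i.e. 0.0.0.0 255.255.255.255.
ACL_3000 = [
    ("permit", "192.168.30.0", "0.0.0.255",       "192.168.200.20", "0.0.0.0"),
    ("deny",   "0.0.0.0",      "255.255.255.255", "192.168.200.20", "0.0.0.0"),
]

def traffic_filter(src: str, dst: str, rules=ACL_3000) -> str:
    """Decision of 'traffic-filter outbound acl' for one packet: the first
    matching rule wins; a packet matching no rule is permitted (the default)."""
    for action, sb, sw, db, dw in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "permit"

# ACL 2000 from R1 for comparison: with 'nat outbound', a packet that matches no
# permit rule is forwarded without translation, not dropped.
ACL_2000 = [("permit", "192.168.0.0", "0.0.255.255")]

def nat_translates(src: str, rules=ACL_2000) -> bool:
    """True if the source address would be translated by 'nat outbound 2000'."""
    return any(action == "permit" and wildcard_match(src, base, wc)
               for action, base, wc in rules)

if __name__ == "__main__":
    # PC1 (VLAN10, 192.168.10.2) and PC2 (VLAN30, 192.168.30.2) as obtained by DHCP above
    print("PC1 -> finance:", traffic_filter("192.168.10.2", "192.168.200.20"))  # deny
    print("PC2 -> finance:", traffic_filter("192.168.30.2", "192.168.200.20"))  # permit
    print("PC1 -> web    :", traffic_filter("192.168.10.2", "192.168.200.10"))  # permit
    # Without the explicit deny rule the default permit would let PC1 through:
    print("no deny rule  :", traffic_filter("192.168.10.2", "192.168.200.20", ACL_3000[:1]))  # permit
    print("NAT for PC1   :", nat_translates("192.168.10.2"))  # True
```

The last print shows that the management range 192.168.255.0/24 also falls under ACL 2000, so management-VLAN sources would be translated on the way out as well.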
PC1 (test whether the finance server can be pinged)
PC>ping 192.168.200.20 //Ping the finance server
Ping 192.168.200.20: 32 data bytes, Press Ctrl_C to break
Request timeout! //Ping fails
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.200.20 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC2 (test whether the finance server can be pinged)
PC>ping 192.168.200.20 //Ping the finance server
Ping 192.168.200.20: 32 data bytes, Press Ctrl_C to break
From 192.168.200.20: bytes=32 seq=1 ttl=254 time=78 ms //Ping succeeds
From 192.168.200.20: bytes=32 seq=2 ttl=254 time=47 ms
From 192.168.200.20: bytes=32 seq=3 ttl=254 time=62 ms
From 192.168.200.20: bytes=32 seq=4 ttl=254 time=62 ms
From 192.168.200.20: bytes=32 seq=5 ttl=254 time=63 ms
--- 192.168.200.20 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/62/78 ms