思科校园网搭建及配置综合小型实验

实验拓扑

配置步骤

配置聚合链路

hostname Core_SW1
！
interface Port-channel1 // 进入聚合接口
 switchport trunk encapsulation dot1q  //改变封装模式
 switchport mode trunk  //接口模式改变为trunk
！
interface range FastEthernet0/8-9 //进入多个接口视图下
 channel-group 1 mode on  //绑定聚合端口

hostname Core_SW2
!
interface Port-channel1  // 进入聚合接口
 switchport trunk encapsulation dot1q   //改变封装模式
 switchport mode trunk  //接口模式改变为trunk
！
interface range FastEthernet0/8-9 //进入多个接口视图下
 channel-group 1 mode on  //绑定聚合端口

配置VTP，vlan域模板

core_sw1
vtp domain sike  //配置vtp域
vtp mode server  //服务器模式
vtp password 123456   //认证密码

core_sw2
vtp domain sike  //配置vtp域
vtp mode client  //服务器模式
vtp password 123456   //认证密码
//sw1--->sw6都需要配置以上命令，才可以正常从core_sw1上获取相应的vlan

//show vtp status：查看交换机vtp配置模式

第一步 配置二层VLAN

core_sw1
vlan10
vlan20
vlan30
vlan40
vlan50
vlan60
vlan70
!
interface range FastEthernet0/8-9 //进入多个接口视图下
 switchport trunk encapsulation dot1q //改变封装模式
 switchport mode trunk  //接口模式改变为trunk
!
interface range FastEthernet0/2-7 //进入多个接口视图下
 switchport trunk encapsulation dot1q //改变封装模式
 switchport mode trunk  //接口模式改变为trunk

core_sw2
interface range FastEthernet0/8-9 //进入多个接口视图下
 switchport trunk encapsulation dot1q //改变封装模式
 switchport mode trunk  //接口模式改变为trunk
!
interface range FastEthernet0/2-7 //进入多个接口视图下
 switchport trunk encapsulation dot1q //改变封装模式
 switchport mode trunk  //接口模式改变为trunk
!
interface FastEthernet0/10
 switchport access vlan 70 //将接口划入vlan70
 switchport mode access   //接口模式改变为access

hostname SW_1
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access

SW2
hostname SW_2
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access

SW3
hostname SW_3
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access

SW4
hostname SW_4
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 40
 switchport mode access

SW5
hostname SW_5
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 50
 switchport mode access

SW6
hostname SW_6
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 60
 switchport mode access

第二步 配置生成树

core_sw1
spanning-tree mode pvst //生成树模式为pvst 思科私有协议
spanning-tree vlan 10,20,30 priority 24576  //配置成vlan10 20 30 的主根桥
spanning-tree vlan 40,50,60 priority 28672  //配置成vlan40 50 60 为次根桥

core_sw2
spanning-tree mode pvst
spanning-tree vlan 40,50,60 priority 24576
spanning-tree vlan 10,20,30 priority 28672

show spanning-tree active //查看交换机生成树根位置

第三步 配置相关IP地址

core_sw1
!
ip routing   //思科交换机配置IP地址，一定要启用路由功能
!
interface FastEthernet0/1
 no switchport   //启用接口
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
！
 interface Vlan30
 ip address 192.168.30.254 255.255.255.0
！
 interface Vlan40
 ip address 192.168.40.254 255.255.255.0
 !
interface Vlan50
 ip address 192.168.50.254 255.255.255.0
！
interface Vlan60
 ip address 192.168.60.254 255.255.255.0


core_sw2
!
ip routing
!
interface FastEthernet0/1
 no switchport 
 ip address 192.168.3.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.253 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.253 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.253 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.253 255.255.255.0
!
interface Vlan50
 ip address 192.168.50.253 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.253 255.255.255.0
!
interface Vlan70
 ip address 192.168.70.252 255.255.255.0

FW1
hostname FW1
!
interface GigabitEthernet1/1
 nameif untrust   //划入到那个区域
 security-level 0  //区域等级，大的可以访问小的
 ip address 192.168.4.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif trust_1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif trust_2
 security-level 100
 ip address 192.168.3.1 255.255.255.0

CK_Router 出口路由器
hostname CK-Router
!
interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
!
interface Serial0/0/0
 ip address 200.10.10.1 255.255.255.252
 clock rate 64000  //思科串行链路中，这个时钟配置一定要做

ISP
hostname ISP-R
!
interface FastEthernet0/0
 ip address 200.10.20.1 255.255.255.240
!
interface Serial0/2/0
 ip address 200.10.10.2 255.255.255.252

第四步 配置DHCP及DHCP中继

core_sw1
interface Vlan 20,30,40,50,60
 ip helper-address 192.168.10.1
 //这种是使用DHCP服务器来进行配置的，相对简单很多 下次分享出使用路由器来做DHCP的方法
core_sw2
//上同

• 服务器配置IP地址
  

• 配置DHCP地址池
  

• 完成后点击保存，然后查看PC是否都可以正确的获得到IP地址

第五步 配置三层的网关冗余协议 双机热备及OSPF

core_sw1
!
interface Vlan10
 standby 10 ip 192.168.10.252   //配置双机热备（类似华为的vrrp） 思科的默认优先级也是100
 standby 10 priority 120 //配置优先级
 standby 10 preempt  //配置抢占模式
 standby 10 track FastEthernet0/1  //检查上层接口是否还可用
!
interface Vlan20
 standby 20 ip 192.168.20.252
 standby 20 priority 120
 standby 20 preempt
 standby 20 track FastEthernet0/1
!
interface Vlan30
 standby 30 ip 192.168.30.252
 standby 30 priority 120
 standby 30 preempt
 standby 30 track FastEthernet0/1
!
interface Vlan40
 standby 40 ip 192.168.40.252
 standby 40 track FastEthernet0/1
!
interface Vlan50
 standby 50 ip 192.168.50.252
 standby 50 track FastEthernet0/1
!
interface Vlan60
 standby 60 ip 192.168.60.252
 standby 60 track FastEthernet0/1
!
router ospf 10
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.60.0 0.0.0.255 area 0

core_sw2

interface Vlan10
 standby 10 ip 192.168.10.252
 standby 10 track FastEthernet0/1
!
interface Vlan20
 standby 20 ip 192.168.20.252
 standby 20 track FastEthernet0/1
!
interface Vlan30
 standby 30 ip 192.168.30.252
 standby 30 track FastEthernet0/1
!
interface Vlan40
 standby 40 ip 192.168.40.252
 standby 40 priority 120
 standby 40 preempt
 standby 40 track FastEthernet0/1
!
interface Vlan50
 standby 50 ip 192.168.50.252
 standby 50 priority 120
 standby 50 preempt
 standby 50 track FastEthernet0/1
!
interface Vlan60
 standby 60 ip 192.168.60.252
 standby 60 priority 120
 standby 60 preempt
 standby 60 track FastEthernet0/1

!
router ospf 10
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.60.0 0.0.0.255 area 0
 network 192.168.70.0 0.0.0.255 area 0

FW
router ospf 10
 network 192.168.2.0 255.255.255.0 area 0
 network 192.168.3.0 255.255.255.0 area 0
 network 192.168.4.0 255.255.255.0 area 0

CK_Router 出口路由
router ospf 10
 network 192.168.4.0 0.0.0.255 area 0
 default-information originate //路由器可以给下面的设备下发默认路由


//show ip ospf neighbor 查看OSPF邻居关系

第六步 配置静态路由,NAT地址转换及其他配置完善

• 配置防火墙的其他放行的相关命令

access-list fangxing extended permit ip any any
!
access-group fangxing in interface trust_1
access-group fangxing out interface trust_1
access-group fangxing in interface trust_2
access-group fangxing out interface trust_2

• 配置NAT地址转换

CK_Router
!
interface GigabitEthernet0/0
 ip nat inside
!
interface Serial0/0/0
 ip nat outside
!
access-list 1 permit any  //前缀列表匹配所有的地址
！
//
ip nat pool DZC 200.10.10.1 200.10.10.1 netmask 255.255.255.252 //配置地址池
ip nat inside source list 1 pool DZC overload //(端口转换)   使用地址池的地址进行nat转换
//做一个NAT地址一对一映射
ip nat inside source static udp 192.168.10.2 53 200.10.10.100 53 
ip route 0.0.0.0 0.0.0.0 200.10.10.2 //写默认路由，访问外网

//show ip nat translations   查看nat转换记录

• 由于需要做公网的一对一映射，这里ISP就需要写一条默认路由指向自己的网关

ip route 200.10.10.100 255.255.255.255 200.10.10.1 

• 至此内网的设备已经可以全部访问到公网了，自行测试

• 配置让设备可以telnet

core_sw1
line vty 0 4
 password wml
 privilege level 15

core_sw2
line vty 0 4
 password wml
 privilege level 15

FW
line vty 0 4
 password wml
 privilege level 15

优化配置

让食堂不能访问 服务器，教学楼，办公楼，图书馆
core sw2上
access-list 101 deny ip 源ip 反掩码 目标ip 反掩码
access-list 101 permit ip any any  思科默认是拒绝所有的，其他没有匹配上以上规则的则全部放行
进入到接口  int vlan 50 
ip access-group 101 in  进方向调入此规则

配置测试

PC都可以正确获取到ip地址并且可以访问外网用户

PC可以通过域名访问百度服务器

• 一定要配置正确的DNS地址，并且确保DNS服务器是打开并且正常配置的

所有PC之间都可以互相通信

• 其他PC可自行测试

其他说明

• 无线路由器需要手动配置ip地址用于和上联通信
  

• 配置无线路由器的wifi名称和密码
  

• 笔记本需要配置无线网卡，才可以连接无线网
  

• 笔记本连接无线