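Previous posts covered data communications mostly through theory, which can be dry. Today a lab topology ties together what has been covered so far and reinforces it. If anything here falls short, corrections are welcome.
Topology diagram
Requirements:
PC hosts obtain their IP addresses via DHCP.
The internal network reaches the Internet through NAT.
VRRP provides the virtual gateway.
VLAN 11 traffic flows CE1->SW1->AR1->Internet. VLAN 12 traffic flows CE2->SW2->AR1->Internet.
Configuration steps
Basic configuration on SW1
1. On SW1, add G0/0/23 and G0/0/24 to Eth-Trunk 1, then configure Eth-Trunk 1 as a trunk that allows VLAN 11 and VLAN 12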
[SW1]interface Eth-Trunk 1
[SW1-Eth-Trunk1]q
[SW1]interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23]eth-trunk 1
[SW1]interface GigabitEthernet 0/0/24
[SW1-GigabitEthernet0/0/24]eth-trunk 1
[SW1]interface Eth-Trunk 1
[SW1-Eth-Trunk1]port link-type trunk
[SW1-Eth-Trunk1]port trunk allow-pass vlan 11 to 12
2. On SW1, configure G0/0/2 and G0/0/3 as trunks that allow VLAN 11 and VLAN 12
[SW1]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/3
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan 11 to 12
Basic configuration on SW2
1. On SW2, add G0/0/23 and G0/0/24 to Eth-Trunk 1, then configure Eth-Trunk 1 as a trunk that allows VLAN 11 and VLAN 12
[SW2]interface Eth-Trunk 1
[SW2-Eth-Trunk1]q
[SW2]interface GigabitEthernet 0/0/23
[SW2-GigabitEthernet0/0/23]eth-trunk 1
[SW2]interface GigabitEthernet 0/0/24
[SW2-GigabitEthernet0/0/24]eth-trunk 1
[SW2]interface Eth-Trunk 1
[SW2-Eth-Trunk1]port link-type trunk
[SW2-Eth-Trunk1]port trunk allow-pass vlan 11 to 12
2. On SW2, configure G0/0/2 and G0/0/3 as trunks that allow VLAN 11 and VLAN 12
[SW2]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/3
[SW2-port-group]port link-type trunk
[SW2-port-group]port trunk allow-pass vlan 11 to 12
Basic configuration on CE1
1. On CE1, configure G1/0/1 and G1/0/0 as trunks that allow VLAN 11 and VLAN 12.
[*CE1]port-group group-member GigabitEthernet 1/0/0 to GigabitEthernet 1/0/1
[*CE1-port-group]port link-type trunk
[*CE1-port-group]port trunk allow-pass vlan 11 to 12
[*CE1-port-group]commit
2. On CE1, configure G1/0/2 and G1/0/3 as access ports and assign them to VLAN 11 and VLAN 12 respectively.
[*CE1]interface GE 1/0/2
[*CE1-GE1/0/2]port link-type access
[*CE1-GE1/0/2]port default vlan 11
[*CE1]interface GE 1/0/3
[*CE1-GE1/0/3]port link-type access
[*CE1-GE1/0/3]port default vlan 12
[*CE1-GE1/0/3]commit
Basic configuration on CE2
1. On CE2, configure G1/0/1 and G1/0/0 as trunks that allow VLAN 11 and VLAN 12.
[*CE2]port-group group-member GigabitEthernet 1/0/0 to GigabitEthernet 1/0/1
[*CE2-port-group]port link-type trunk
[*CE2-port-group]port trunk allow-pass vlan 11 to 12
[*CE2-port-group]commit
2. On CE2, configure G1/0/2 and G1/0/3 as access ports and assign them to VLAN 11 and VLAN 12 respectively.
[*CE2]interface GE 1/0/2
[*CE2-GE1/0/2]port link-type access
[*CE2-GE1/0/2]port default vlan 11
[*CE2]interface GE 1/0/3
[*CE2-GE1/0/3]port link-type access
[*CE2-GE1/0/3]port default vlan 12
[*CE2-GE1/0/3]commit
Configure MSTP, VRRP and DHCP
Configure MSTP mode on SW1, SW2, CE1 and CE2
[SW1]vlan batch 11 to 12
[SW1]stp mode mstp
[SW1]stp instance 11 priority 4096 #make SW1 the root bridge for VLAN 11
[SW1]stp instance 12 priority 8192 #make SW1 the backup root bridge for VLAN 12
[SW1]stp region-configuration
[SW1-mst-region]region-name huawei
[SW1-mst-region]revision-level 1
[SW1-mst-region]instance 11 vlan 11
[SW1-mst-region]instance 12 vlan 12
[SW1-mst-region]active region-configuration
Configure SW2 as follows
[SW2]vlan batch 11 to 12
[SW2]stp mode mstp
[SW2]stp instance 11 priority 8192 #make SW2 the backup root bridge for VLAN 11
[SW2]stp instance 12 priority 4096 #make SW2 the root bridge for VLAN 12
[SW2]stp region-configuration
[SW2-mst-region]region-name huawei
[SW2-mst-region]revision-level 1
[SW2-mst-region]instance 11 vlan 11
[SW2-mst-region]instance 12 vlan 12
[SW2-mst-region]active region-configuration
Configure CE1 and CE2 as follows
[*CE1]stp mode mstp
[*CE1]stp region-configuration
[*CE1-mst-region]region-name huawei
[*CE1-mst-region]revision-level 1
[*CE1-mst-region]instance 11 vlan 11
[*CE1-mst-region]instance 12 vlan 12
[*CE1-mst-region]commit
Configure the DHCP address pools on SW1 and SW2
[SW1]ip pool vlan11
[SW1-ip-pool-vlan11]gateway-list 192.168.11.1
[SW1-ip-pool-vlan11] network 192.168.11.0 mask 255.255.255.0
[SW1-ip-pool-vlan11] excluded-ip-address 192.168.11.200 192.168.11.254
[SW1-ip-pool-vlan11] dns-list 114.114.114.114
[SW1]ip pool vlan12
[SW1-ip-pool-vlan12]gateway-list 192.168.12.1
[SW1-ip-pool-vlan12]network 192.168.12.0 mask 255.255.255.0
[SW1-ip-pool-vlan12]excluded-ip-address 192.168.12.200 192.168.12.254
[SW1-ip-pool-vlan12]dns-list 114.114.114.114
The configuration on SW2 is similar; it is omitted here for space.
Configure VRRP on SW1 and SW2
[SW1]interface Vlanif 11
[SW1-Vlanif11]ip address 192.168.11.254 255.255.255.0
[SW1-Vlanif11]vrrp vrid 11 virtual-ip 192.168.11.1
[SW1-Vlanif11]vrrp vrid 11 priority 111
[SW1-Vlanif11]dhcp select global
[SW1]interface Vlanif 12
[SW1-Vlanif12]ip address 192.168.12.254 255.255.255.0
[SW1-Vlanif12]vrrp vrid 12 virtual-ip 192.168.12.1
[SW1-Vlanif12]dhcp select global
#Configuration on SW2
[SW2]interface Vlanif 11
[SW2-Vlanif11]ip address 192.168.11.253 255.255.255.0 #must differ from SW1's 192.168.11.254; .253 is an example value
[SW2-Vlanif11]vrrp vrid 11 virtual-ip 192.168.11.1
[SW2-Vlanif11]dhcp select global
[SW2]interface Vlanif 12
[SW2-Vlanif12]ip address 192.168.12.253 255.255.255.0 #must differ from SW1's 192.168.12.254; .253 is an example value
[SW2-Vlanif12]vrrp vrid 12 priority 111
[SW2-Vlanif12]vrrp vrid 12 virtual-ip 192.168.12.1
[SW2-Vlanif12]dhcp select global
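Configure the internal network to reach the Internet through NAT
AR1's G0/0/0 reaches the Internet by obtaining an address via DHCP through the host machine's physical NIC; see the earlier article for that step.
Configure SW1 as follows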
[SW1]vlan 99
[SW1]interface Vlanif 99
[SW1-Vlanif99] ip address 192.168.99.100 255.255.255.0
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 99
[SW1] ip route-static 0.0.0.0 0.0.0.0 192.168.99.103
Configure SW2 as follows
[SW2]vlan 98
[SW2]interface Vlanif 98
[SW2-Vlanif98] ip address 192.168.98.100 255.255.255.0
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 98
[SW2] ip route-static 0.0.0.0 0.0.0.0 192.168.98.103
Configure AR1 as follows
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.99.103 255.255.255.0
[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.98.103 255.255.255.0
[AR1] nat address-group 1 192.168.35.202 192.168.35.205
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1
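Verification results
VLAN 11 traffic flows CE1->SW1->AR1->Internet.
VLAN 12 traffic flows CE2->SW2->AR1->Internet.
The internal network reaches the Internet through NAT.
This lab topology leaves one problem open: when the uplink to AR1 goes down on either core switch, SW1 or SW2, one VLAN's traffic can no longer reach the Internet. I hope an expert can offer some guidance in the comments below.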
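The open problem above is commonly addressed with VRRP uplink tracking, which on VRP is `vrrp vrid 11 track interface GigabitEthernet 0/0/1 reduced <value>` under the Vlanif. The following added example (not part of the original lab) models the VRID 11 election with the page's priorities to show why an untracked uplink, or the default reduction of 10, still leaves SW1 as master after its uplink to AR1 fails. `Member`, `elect_master`, `min_reduced` and `vrid11_master` are hypothetical names, SW2's 192.168.11.253 is an assumed address, and preemption is assumed to be enabled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

DEFAULT_PRIORITY = 100  # VRRP priority when none is configured (SW2 for VRID 11)
DEFAULT_REDUCED = 10    # VRP's reduction when "reduced" is omitted from "track interface"

@dataclass
class Member:
    """One switch's role in a VRRP group."""
    name: str
    ip: str                           # Vlanif address, used only to break ties
    priority: int = DEFAULT_PRIORITY
    reduced: Optional[int] = None     # None: the uplink is not tracked at all
    uplink_up: bool = True

    def effective_priority(self) -> int:
        # The tracked-interface penalty applies only while the uplink is down.
        if self.reduced is not None and not self.uplink_up:
            return max(1, self.priority - self.reduced)
        return self.priority

def elect_master(members):
    """Simplified election: highest effective priority, then highest IP address."""
    best = max(members, key=lambda m: (m.effective_priority(), IPv4Address(m.ip)))
    return best.name

def min_reduced(master: Member, backup: Member) -> int:
    """Smallest reduction that drops the master strictly below the backup."""
    return master.priority - backup.priority + 1

def vrid11_master(reduced: Optional[int], sw1_uplink_up: bool) -> str:
    # VRID 11 as on the page: SW1 priority 111, SW2 at the default priority.
    # 192.168.11.253 for SW2 is an assumed address, distinct from SW1's.
    sw1 = Member("SW1", "192.168.11.254", 111, reduced, sw1_uplink_up)
    sw2 = Member("SW2", "192.168.11.253")
    return elect_master([sw1, sw2])

if __name__ == "__main__":
    for reduced in (None, DEFAULT_REDUCED, 20):
        print(f"reduced={reduced}: SW1 uplink down -> master is "
              f"{vrid11_master(reduced, False)}")
```

With priorities 111 and 100, only a reduction of 12 or more moves the virtual gateway to SW2 when SW1's uplink fails; the same reasoning applies to VRID 12 with the roles swapped.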