CCNP Comprehensive Lab 2
Topology:
Network configuration requirements:
1. Between the core switches sw1 and sw2, use VRRP (Virtual Router Redundancy Protocol) for gateway redundancy and load balancing: VLAN 20 is forwarded via SW1, VLAN 30 via SW2.
2. Load-balance between SW3 and SW4: VLAN 20 traffic takes the upper link, VLAN 30 traffic the lower link.
3. The enterprise internet egress uses R17 as the default primary exit; if the primary exit goes down, traffic switches over to the OA network to reach the internet, keeping the whole enterprise network highly available and reliable.
4. The core and the OA network use OSPF as the routing protocol; all areas may be the backbone area.
5. The server zone contains HTTP, DNS and other servers. The external network may only access the HTTP service and may ping the server; all other external traffic is denied.
6. Satisfy the internet access needs of the intranet and the external network, and ensure the OA office network can reach the servers and all intranet services.
7. On the R17 egress router, apply some basic IOS firewall settings to mitigate DDoS (distributed denial of service) attacks launched from the external network.
8. Three public addresses have been obtained. 202.103.78.7 is the outside interface address on the default primary egress router; the intranet uses PAT, and the server uses static NAT with address 202.103.78.100.
Configuration:
SW1:
hostname sw1
ip cef
track 1 interface Ethernet2/1 line-protocol
delay down 4
!
track 2 interface Ethernet2/0 line-protocol
delay down 4
interface Serial0/0
ip address 192.168.40.1 255.255.255.252
serial restart-delay 0
interface FastEthernet1/0
switchport mode trunk
!
interface FastEthernet1/1
switchport mode trunk
!
interface Ethernet2/0
ip address 192.168.40.9 255.255.255.252
half-duplex
!
interface Ethernet2/1
ip address 192.168.40.13 255.255.255.252
half-duplex
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 17.7.7.7
vrrp 1 ip 192.168.20.100
vrrp 1 timers advertise 4
vrrp 1 priority 200
vrrp 1 track 1 decrement 120
vrrp 1 track 2 decrement 120
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip helper-address 17.7.7.7
vrrp 2 ip 192.168.30.100
vrrp 2 timers advertise 4
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
SW2:
sw2#show run
hostname sw2
ip cef
track 1 interface Ethernet2/1 line-protocol
delay down 4
!
track 2 interface Ethernet2/0 line-protocol
delay down 4
interface Serial0/0
ip address 192.168.40.5 255.255.255.252
serial restart-delay 0
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface Ethernet2/0
ip address 192.168.40.21 255.255.255.252
half-duplex
!
interface Ethernet2/1
ip address 192.168.40.17 255.255.255.252
half-duplex
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip helper-address 17.7.7.7
vrrp 1 ip 192.168.20.100
vrrp 1 timers advertise 4
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip helper-address 17.7.7.7
vrrp 2 ip 192.168.30.100
vrrp 2 timers advertise 4
vrrp 2 priority 200
vrrp 2 track 1 decrement 120
vrrp 2 track 2 decrement 120
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
SW3:
sw3# show run
hostname sw3
ip cef
interface FastEthernet1/0
switchport access vlan 20
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface FastEthernet1/3
switchport mode trunk
spanning-tree vlan 20 port-priority 40
!
interface FastEthernet1/4
switchport mode trunk
spanning-tree vlan 30 port-priority 40
end
SW4:
sw4#show run
hostname sw4
ip cef
!
interface FastEthernet1/0
switchport access vlan 30
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface FastEthernet1/3
switchport mode trunk
spanning-tree vlan 20 port-priority 40
!
interface FastEthernet1/4
switchport mode trunk
spanning-tree vlan 30 port-priority 40
!
ip http server
PC1:
pc1#show run
hostname pc1
no ip routing
no ip cef
ip domain name www.pc1.com
interface Ethernet2/0
ip address dhcp
no ip route-cache
half-duplex
ip http server
no cdp run
end
PC2:
pc2#show run
hostname pc2
no ip routing
no ip cef
ip domain name www.pc2.com
interface Ethernet0/0
ip address dhcp
ip http server
SERVER:
r7#
hostname r7
ip cef
ip domain name zengfei.com
ip host www.zengfei.com 17.7.7.7
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
no ip dhcp use vrf connected
!
ip dhcp pool cisco
network 192.168.20.0 255.255.255.0
default-router 192.168.20.100
dns-server 17.7.7.7
lease 2
!
ip dhcp pool san
network 192.168.30.0 255.255.255.0
default-router 192.168.30.100
dns-server 17.7.7.7
domain-name pc2.com
lease 2
username cisco password 0 cisco
interface Loopback0
ip address 17.7.7.7 255.255.255.0
!
interface Serial0/0
ip address 192.168.40.2 255.255.255.252
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.40.6 255.255.255.252
serial restart-delay 0
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
ip http server
line con 0
line aux 0
line vty 0 4
privilege level 5
no login
!
!
end
R8:
R8#show run
hostname R8
ip cef
interface Ethernet0/0
ip address 192.168.40.10 255.255.255.252
interface Ethernet0/2
ip address 192.168.40.18 255.255.255.252
half-duplex
interface Serial2/0
ip address 192.168.40.25 255.255.255.252
encapsulation frame-relay
ip ospf network point-to-multipoint
serial restart-delay 0
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
R9:
R9#show run
hostname R9
ip cef
frame-relay switching
interface Serial2/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay intf-type dce
frame-relay route 108 interface Serial2/1 810
interface Serial2/1
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay intf-type dce
frame-relay route 810 interface Serial2/0 108
R10:
R10#show run
hostname R10
ip cef
no ip domain lookup
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/0
ip address 202.103.77.10 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
!
interface Serial2/0
ip address 192.168.40.26 255.255.255.252
ip nat inside
ip virtual-reassembly
encapsulation frame-relay
ip ospf network point-to-multipoint
serial restart-delay 0
router ospf 1
log-adjacency-changes
network 10.10.10.0 0.0.0.255 area 0
network 192.168.40.24 0.0.0.3 area 0
default-information originate always metric 3
no ip http server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
R17:
hostname r17
!
ip cef
no ip domain lookup
ip inspect max-incomplete high 600
ip inspect tcp finwait-time 40
ip inspect tcp synwait-time 4
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
interface FastEthernet0/0
ip address 192.168.40.14 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
!
interface FastEthernet1/0
ip address 192.168.40.22 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
!
interface Ethernet2/0
ip address 202.103.78.7 255.255.255.0
ip access-group 102 in
ip nat outside
ip inspect CBAC out
ip virtual-reassembly
rate-limit input 8000 1500 3000 conform-action transmit exceed-action drop
router ospf 1
log-adjacency-changes
network 192.168.40.12 0.0.0.3 area 0
network 192.168.40.20 0.0.0.3 area 0
default-information originate
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet2/0
ip http server
ip nat inside source list 101 interface Ethernet2/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit tcp any host 202.103.78.100 eq www
access-list 102 permit icmp any any
access-list 102 deny ip any any
no cdp run
end
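Requirements 5 and 7 are enforced on R17 by access-list 102 inbound on the outside interface, with CBAC opening return paths for intranet-initiated sessions. The following is an added example, not part of the original post: a small evaluator for that ACL, run against constructed flows from the outside test host 13.13.13.13, to confirm only HTTP and ICMP to the server's static NAT address get through (the flow names are made up for this example).

```python
import ipaddress

# Entries of access-list 102 from the R17 config above, applied "in" on
# Ethernet2/0. IOS evaluates entries top-down, first match wins, and an
# implicit "deny ip any any" ends every ACL. Return traffic for sessions the
# intranet opened is admitted by CBAC (ip inspect CBAC out), not by this list,
# so it is not modelled here.
ACL_102 = [
    ("permit", "tcp", "any", "202.103.78.100", 80),  # permit tcp any host 202.103.78.100 eq www
    ("permit", "icmp", "any", "any", None),         # permit icmp any any
    ("deny", "ip", "any", "any", None),             # deny ip any any
]

def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching entry); index is None on the implicit deny."""
    for i, (action, aproto, asrc, adst, aport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:
            continue
        if not (_addr_matches(asrc, src) and _addr_matches(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, i
    return "deny", None

# Constructed flows from the outside test host (r13 in the lab) towards the
# server's static NAT address and towards the router's own outside address.
# R17 runs "ip http server", so the last flow checks that the ACL keeps the
# router's web interface off the internet as well.
OUTSIDE_FLOWS = {
    "http_to_server":   ("tcp", "13.13.13.13", "202.103.78.100", 80),
    "telnet_to_server": ("tcp", "13.13.13.13", "202.103.78.100", 23),
    "dns_to_server":    ("udp", "13.13.13.13", "202.103.78.100", 53),
    "ping_to_server":   ("icmp", "13.13.13.13", "202.103.78.100", None),
    "http_to_router":   ("tcp", "13.13.13.13", "202.103.78.7", 80),
}

def check_requirement_5():
    """Map each constructed flow to the ACL verdict; only HTTP and ICMP to the server may pass."""
    return {name: evaluate(ACL_102, *flow)[0] for name, flow in OUTSIDE_FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in check_requirement_5().items():
        print(f"{name:18s} {verdict}")
```

Note that "permit icmp any any" admits every ICMP type to every inside address, which is wider than "allow ping to the server"; the rate-limit on the same interface is what bounds that exposure in this lab.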
R12:
R12#show run
hostname R12
ip cef
interface FastEthernet0/0
ip address 202.103.77.12 255.255.255.0
interface FastEthernet1/0
ip address 202.103.78.8 255.255.255.0
interface FastEthernet2/0
ip address 202.103.79.12 255.255.255.0
ip http server
ip route 13.13.13.0 255.255.255.0 FastEthernet2/0
R13:
r13#show run
hostname r13
ip cef
username cisco password 0 cisco
interface Loopback0
ip address 13.13.13.13 255.255.255.0
interface FastEthernet0/0
ip address 202.103.79.13 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
end
Requirement tests:
1. DHCP:
PC1:show ip interface brief
Ethernet2/0 192.168.20.3 YES DHCP up up
PC2:
Ethernet0/0 192.168.30.3 YES DHCP up up
2. Ping across the whole network:
pc2#ping 192.168.30.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/325/1092 ms
pc2#ping 192.168.20.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.3, timeout is 2 seconds:
.!!!!
pc2#ping 13.13.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/382/488 ms
pc2#
PC1:
pc1#ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/312/1128 ms
pc1#ping 192.168.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/229/456 ms
pc1#ping 13.13.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 428/484/544 ms
pc1#
VRRP test:
sw1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20               1   200 12218     Y   Master  192.168.20.1    192.168.20.100
Vl30               2   100 12609     Y   Backup  192.168.30.2    192.168.30.100
sw1#
sw2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20               1   100 12609     Y   Backup  192.168.20.1    192.168.20.100
Vl30               2   200 12531     Y   Master  192.168.30.2    192.168.30.100
sw2#
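The VRRP output above shows the intended split (sw1 master for VLAN 20 at priority 200, sw2 master for VLAN 30), but the interesting case is what happens when a tracked uplink fails. The following is an added example, not from the original post: it models the priority and object-tracking arithmetic from the sw1/sw2 configs and the master election, so the decrement values can be checked before a failure is simulated. The floor of 1 for the effective priority is an assumption about IOS behaviour.

```python
# Priority and tracking values are taken from the sw1/sw2 configs above.

def effective_priority(base, tracked):
    """base minus the decrement of every tracked object that is down.

    tracked: list of (decrement, object_is_up) pairs.
    """
    prio = base - sum(dec for dec, up in tracked if not up)
    return max(prio, 1)  # VRRP priority range is 1-254; floor of 1 is assumed

def elect_master(members):
    """members: {router: (effective_priority, interface_ip)}.

    Highest priority wins; on a tie the higher interface IP wins. IOS VRRP
    preempts by default, so the winner takes over as soon as it is higher.
    """
    def key(item):
        _name, (prio, ip) = item
        return (prio, tuple(int(o) for o in ip.split(".")))
    return max(members.items(), key=key)[0]

def vlan20_master(sw1_eth2_1_up=True, sw1_eth2_0_up=True):
    """Group 1 (VLAN 20): sw1 at priority 200 tracks both uplinks (to R17 and R8)
    with decrement 120; sw2 keeps the default priority 100 and tracks nothing."""
    sw1 = effective_priority(200, [(120, sw1_eth2_1_up), (120, sw1_eth2_0_up)])
    sw2 = effective_priority(100, [])
    return elect_master({"sw1": (sw1, "192.168.20.1"), "sw2": (sw2, "192.168.20.2")})

def vlan30_master(sw2_eth2_1_up=True, sw2_eth2_0_up=True):
    """Group 2 (VLAN 30): the mirror image, sw2 at 200 with tracking, sw1 at 100."""
    sw2 = effective_priority(200, [(120, sw2_eth2_1_up), (120, sw2_eth2_0_up)])
    sw1 = effective_priority(100, [])
    return elect_master({"sw1": (sw1, "192.168.30.1"), "sw2": (sw2, "192.168.30.2")})

if __name__ == "__main__":
    print(vlan20_master())                     # sw1 (200 vs 100)
    print(vlan20_master(sw1_eth2_1_up=False))  # sw2 (200-120=80 vs 100)
    print(vlan30_master(sw2_eth2_0_up=False))  # sw1
```

The decrement of 120 exceeds the 100-point gap between the two priorities, which is why a single uplink failure is enough to move the virtual gateway; a decrement of 100 or less would leave the master in place (or tie, in which case the higher interface address wins).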
Load balancing between the switches:
PC1:
VLAN20
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     cc05.0a04.0001
             Cost        19
             Port        42 (FastEthernet1/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768
             Address     cc07.0a04.0001
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface                                    Designated
Name                 Port ID Prio Cost  Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1      128.42   128    19 FWD     0 32768 cc05.0a04.0001 128.43
FastEthernet1/2      128.43   128    19 BLK    19 32768 cc06.0a04.0001 128.43

VLAN30
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     cc05.0a04.0002
             Cost        19
             Port        42 (FastEthernet1/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768
             Address     cc07.0a04.0002
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface                                    Designated
Name                 Port ID Prio Cost  Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1      128.42   128    19 FWD     0 32768 cc05.0a04.0002 128.43
FastEthernet1/2      128.43   128    19 BLK    19 32768 cc06.0a04.0002 128.43
NAT test:
r11#
*Apr 22 18:05:55.562: NAT*: s=17.7.7.7->202.103.78.100, d=13.13.13.13 [122]
*Apr 22 18:05:55.918: NAT*: s=13.13.13.13, d=202.103.78.100->17.7.7.7 [122]
r11#
*Apr 22 18:06:21.326: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [130]
*Apr 22 18:06:21.394: NAT*: s=192.168.40.2->202.103.78.7, d=13.13.13.13 [131]
*Apr 22 18:06:21.546: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [131]
r11#
Intranet egress backup test:
With the default exit up:
pc2#traceroute 13.13.13.13
Type escape sequence to abort.
Tracing the route to 13.13.13.13
1 192.168.30.2 276 msec 156 msec 152 msec
2 192.168.40.22 144 msec 208 msec 156 msec
3 202.103.78.8 476 msec 584 msec 364 msec
4 202.103.79.13 300 msec 692 msec *
After the default exit goes DOWN, does traffic leave via the OA network?
pc2#traceroute 13.13.13.13
Type escape sequence to abort.
Tracing the route to 13.13.13.13
1 192.168.30.2 164 msec 156 msec 136 msec
2 192.168.40.18 208 msec 216 msec 140 msec
3 192.168.40.26 300 msec 592 msec 408 msec
4 * 202.103.77.12 476 msec 584 msec
5 202.103.79.13 792 msec 620 msec 384 msec
pc2#
Intranet access to the OA network uses the specific routes:
     17.0.0.0/32 is subnetted, 1 subnets
O       17.7.7.7 [110/65] via 192.168.40.6, 00:22:15, Serial0/0
O       192.168.40.25/32 [110/10] via 192.168.40.18, 00:23:05, Ethernet2/1
O       192.168.40.26/32 [110/74] via 192.168.40.18, 00:23:05, Ethernet2/1
Test that external users can only access HTTP (ping allowed):
r13#connect 202.103.78.100
Trying 202.103.78.100 ...
% Destination unreachable; gateway or host down
r13#connect 202.103.78.100 www
Trying 202.103.78.100, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:04:31 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 202.103.78.100 closed by foreign host]
r13#ping 202.103.78.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.103.78.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/434/604 ms
r13#
Can OA users access all intranet services:
R10#ping 17.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/316/384 ms
R10#telnet 17.7.7.7
Trying 17.7.7.7 ... Open
r7#exit
[Connection to 17.7.7.7 closed by foreign host]
R10#coon
R10#connet
R10#con
R10#connect 17.7.7.7 www
Trying 17.7.7.7, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:05:58 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 17.7.7.7 closed by foreign host]
R10#
Restricting the external network does not affect intranet users' normal internet access:
pc2#ping 13.13.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 216/322/400 ms
pc2#telnet 13.13.13.13
Trying 13.13.13.13 ... Open
Password required, but none set
[Connection to 13.13.13.13 closed by foreign host]
pc2#
pc2#connect 13.13.13.13 www
Trying 13.13.13.13, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 04:55:01 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 13.13.13.13 closed by foreign host]
The anti-DDoS test for the internal HTTP server is omitted.
For the DNS server test, because of an IOS problem, I can only give the commands:
ip dns server
ip domain name cisco.com
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
Written in haste; if anything here is wrong, I welcome your corrections.
Note: when doing the VRRP lab, the PC client may fail to ping the virtual gateway; I am not really sure what the cause is, it works sometimes and not at other times. As a workaround, you can lengthen the VRRP advertisement timer a bit, or do shut followed by no shutdown under the VLAN interface. I suspect the problem occurs during the master/backup role transition; I do not know whether it would also appear on real hardware.
This article is reposted from Bruce_F5's 51CTO blog; original link: http://blog.51cto.com/zenfei/551551