CCNP Comprehensive Lab 2

Introduction:

Topology: (the topology diagram is not reproduced in this text)

Network configuration requirements:
1. Between the core switches SW1 and SW2, use VRRP (Virtual Router Redundancy Protocol) for gateway redundancy and load sharing: VLAN 20 traffic goes via SW1, VLAN 30 traffic via SW2.
2. Load-share between SW3 and SW4: VLAN 20 traffic uses the upper link, VLAN 30 traffic the lower link.
3. The enterprise's default primary Internet exit is R17; if the primary exit goes down, traffic must fail over to the OA network's exit, keeping the whole enterprise network highly available and reliable.
4. The core and OA networks run OSPF; all routers may be placed in the backbone area (area 0).
5. The server zone hosts HTTP, DNS and other servers. From the Internet only the HTTP service may be reached, and pinging the server is allowed; all other traffic from the external network is denied.
6. Ensure Internet access for the internal network, and ensure the OA office network can reach the servers and every internal service.
7. On the exit router R17, apply basic IOS firewall settings to mitigate distributed denial-of-service (DDoS) attacks launched from the external network.
8. Three public addresses were obtained: 202.103.78.7 is the outside interface address of the default primary exit router; the internal network is PAT'd behind it, and the server is statically NAT'd to 202.103.78.100.
Configuration:
SW1:
hostname sw1
ip cef
track 1 interface Ethernet2/1 line-protocol
 delay down 4
!
track 2 interface Ethernet2/0 line-protocol
 delay down 4
interface Serial0/0
 ip address 192.168.40.1 255.255.255.252
 serial restart-delay 0
interface FastEthernet1/0
 switchport mode trunk
!
interface FastEthernet1/1
 switchport mode trunk
!
interface Ethernet2/0
 ip address 192.168.40.9 255.255.255.252
 half-duplex
!
interface Ethernet2/1
 ip address 192.168.40.13 255.255.255.252
 half-duplex
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 1 ip 192.168.20.100
 vrrp 1 timers advertise 4
 vrrp 1 priority 200
 vrrp 1 track 1 decrement 120
 vrrp 1 track 2 decrement 120
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 2 ip 192.168.30.100
 vrrp 2 timers advertise 4
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
 
SW2:
sw2#show run
hostname sw2
ip cef
track 1 interface Ethernet2/1 line-protocol
 delay down 4
!
track 2 interface Ethernet2/0 line-protocol
 delay down 4
interface Serial0/0
 ip address 192.168.40.5 255.255.255.252
 serial restart-delay 0
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport mode trunk
!
interface Ethernet2/0
 ip address 192.168.40.21 255.255.255.252
 half-duplex
!
interface Ethernet2/1
 ip address 192.168.40.17 255.255.255.252
 half-duplex
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 1 ip 192.168.20.100
 vrrp 1 timers advertise 4
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 ip helper-address 17.7.7.7
 vrrp 2 ip 192.168.30.100
 vrrp 2 timers advertise 4
 vrrp 2 priority 200
 vrrp 2 track 1 decrement 120
 vrrp 2 track 2 decrement 120
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
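The VRRP groups above on SW1 and SW2 carry no authentication, so any host on VLAN 20 or VLAN 30 can send VRRP advertisements that the core switches will accept. The following is an added example, not part of the original post, showing MD5 authentication for both groups on both switches; the key strings VLAN20-KEY and VLAN30-KEY are placeholders.

```cisco
! Added example, not from the original post: MD5 authentication for the two VRRP
! groups configured above. The key must be identical on both members of a group;
! with mismatched keys each switch ignores the other's advertisements and both
! become Master for the same virtual address. Key strings below are placeholders.
!
! --- on sw1 ---
interface Vlan20
 vrrp 1 authentication md5 key-string VLAN20-KEY
interface Vlan30
 vrrp 2 authentication md5 key-string VLAN30-KEY
!
! --- on sw2 ---
interface Vlan20
 vrrp 1 authentication md5 key-string VLAN20-KEY
interface Vlan30
 vrrp 2 authentication md5 key-string VLAN30-KEY
!
! Verify with "show vrrp interface Vlan20" and "show vrrp interface Vlan30":
! the authentication mode is listed, and the Master for group 1 should still be
! 192.168.20.1 (sw1) and for group 2 192.168.30.2 (sw2), as in the VRRP test later.
```

Apply the key on the Backup first and then on the Master; during the short window when only one side is keyed, both switches claim Master, so do this in a maintenance window or with the advertisement timers in mind.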
  
SW3:
sw3# show run
hostname sw3
ip cef
interface FastEthernet1/0
 switchport access vlan 20
!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
 switchport mode trunk
 spanning-tree vlan 20 port-priority 40
!
interface FastEthernet1/4
 switchport mode trunk
 spanning-tree vlan 30 port-priority 40
end
SW4:
sw4#show run
hostname sw4
ip cef
!
interface FastEthernet1/0
 switchport access vlan 30
!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
 switchport mode trunk
 spanning-tree vlan 20 port-priority 40
!
interface FastEthernet1/4
 switchport mode trunk
 spanning-tree vlan 30 port-priority 40
!
ip http server
 
PC1:
pc1#show run
hostname pc1
no ip routing
no ip cef
ip domain name www.pc1.com
interface Ethernet2/0
 ip address dhcp
 no ip route-cache
 half-duplex
ip http server
no cdp run
end
PC2:
pc2#show run
hostname pc2
no ip routing
no ip cef
ip domain name www.pc2.com
interface Ethernet0/0
 ip address dhcp
ip http server
SERVER:
r7#
hostname r7
ip cef
ip domain name zengfei.com
ip host www.zengfei.com 17.7.7.7
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
no ip dhcp use vrf connected
!
ip dhcp pool cisco
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.100
   dns-server 17.7.7.7
   lease 2
!
ip dhcp pool san
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.100
   dns-server 17.7.7.7
   domain-name pc2.com
   lease 2
username cisco password 0 cisco
interface Loopback0
 ip address 17.7.7.7 255.255.255.0
!
interface Serial0/0
 ip address 192.168.40.2 255.255.255.252
 serial restart-delay 0
!
interface Serial0/1
 ip address 192.168.40.6 255.255.255.252
 serial restart-delay 0
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
ip http server
line con 0
line aux 0
line vty 0 4
 privilege level 5
 no login
!
!
end
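The vty lines on r7 above are configured with "privilege level 5" and "no login", so anyone who can reach 17.7.7.7 on TCP 23 gets an exec without a password (this is what makes the R10 telnet test later in the post land directly at the r7# prompt). The following is an added example, not part of the original post, that keeps the existing "username cisco" and "ip domain name zengfei.com" and instead requires SSH with local authentication. The secret value, the 2048-bit key size and the timeouts are assumptions for the example.

```cisco
! Added example, not from the original post: replace r7's passwordless vty with
! SSH and local login. "ip domain name zengfei.com" is already set on the page,
! which the RSA key generation requires. The secret below is a placeholder.
no username cisco
username cisco privilege 15 secret Ch4nge-Me-Now
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify: "show ip ssh" reports SSH version 2 enabled; "ssh -l cisco 17.7.7.7"
! from R10 prompts for the secret, and a plain "telnet 17.7.7.7" is now refused.
```

The page's "username cisco password 0 cisco" stores the password in clear text in the running configuration; the secret form stores a hash instead, which is why the example removes and recreates the user rather than adding a second credential.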
R8:
R8#show run
hostname R8
ip cef
interface Ethernet0/0
 ip address 192.168.40.10 255.255.255.252
interface Ethernet0/2
 ip address 192.168.40.18 255.255.255.252
 half-duplex
interface Serial2/0
 ip address 192.168.40.25 255.255.255.252
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 serial restart-delay 0
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
R9:
R9#show run
hostname R9
ip cef
frame-relay switching
interface Serial2/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 108 interface Serial2/1 810
interface Serial2/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 810 interface Serial2/0 108
R10:
R10#show run
hostname R10
ip cef
no ip domain lookup
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/0
 ip address 202.103.77.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Serial2/0
 ip address 192.168.40.26 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 serial restart-delay 0
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.40.24 0.0.0.3 area 0
 default-information originate always metric 3
no ip http server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
R17:
hostname r17
!
ip cef
no ip domain lookup
ip inspect max-incomplete high 600
ip inspect tcp finwait-time 40
ip inspect tcp synwait-time 4
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
interface FastEthernet0/0
 ip address 192.168.40.14 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.40.22 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface Ethernet2/0
 ip address 202.103.78.7 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 rate-limit input 8000 1500 3000 conform-action transmit exceed-action drop
router ospf 1
 log-adjacency-changes
 network 192.168.40.12 0.0.0.3 area 0
 network 192.168.40.20 0.0.0.3 area 0
 default-information originate
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet2/0
ip http server
ip nat inside source list 101 interface Ethernet2/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit tcp any host 202.103.78.100 eq www
access-list 102 permit icmp any any
access-list 102 deny    ip any any
no cdp run
end
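Access-list 102 above permits "icmp any any", which admits every ICMP type to every address behind or on R17, more than requirement 5 ("allow ping to the server") asks for. The following is an added example, not part of the original post, of an edge ACL scoped exactly to requirement 5 that still relies on the CBAC inspection already configured on Ethernet2/0 for the return traffic of inside-initiated sessions, together with the companion CBAC thresholds for requirement 7. The ACL name EDGE-IN, the threshold values and the log keyword are assumptions; the addresses are the ones on the page.

```cisco
! Added example, not from the original post. Replaces access-list 102 on R17 with
! a named ACL scoped to requirement 5. Everything the Internet may initiate is
! listed explicitly; replies to sessions that inside hosts open are admitted by the
! existing "ip inspect CBAC out" (the page inspects tcp, udp and icmp).
ip access-list extended EDGE-IN
 remark requirement 5: only HTTP to the NATted server address
 permit tcp any host 202.103.78.100 eq www
 remark requirement 5: ping to the server only (echo-request in; replies go out)
 permit icmp any host 202.103.78.100 echo
 remark ICMP errors that PMTUD and traceroute depend on, to any address
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark everything else from outside is dropped and logged (102 denies silently)
 deny   ip any any log
!
! Companion DoS thresholds for the CBAC inspection (requirement 7). The page sets
! only "max-incomplete high 600"; the values below are assumptions, not IOS defaults.
ip inspect max-incomplete low 400
ip inspect one-minute high 600
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 1
!
interface Ethernet2/0
 no ip access-group 102 in
 ip access-group EDGE-IN in
 ip inspect CBAC out
!
! Verification (standard IOS show commands):
!   show access-lists EDGE-IN    per-line hit counts; the deny line climbs when r13
!                                runs "connect 202.103.78.100" on port 23
!   show ip inspect sessions     one entry per inside-initiated session still open
!   show ip nat translations     the static 17.7.7.7 <-> 202.103.78.100 mapping
```

Inbound ACLs on the outside interface are evaluated before NAT, so the ACL matches the public address 202.103.78.100, exactly as access-list 102 on the page does. If inside hosts need to ping Internet addresses, the echo-replies still get in, because the ICMP inspection opens a temporary entry for each inside-initiated echo.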
R12:
R12#show run
hostname R12
ip cef
interface FastEthernet0/0
 ip address 202.103.77.12 255.255.255.0
interface FastEthernet1/0
 ip address 202.103.78.8 255.255.255.0
interface FastEthernet2/0
 ip address 202.103.79.12 255.255.255.0
ip http server
ip route 13.13.13.0 255.255.255.0 FastEthernet2/0
R13:
r13#show run
hostname r13
ip cef
username cisco password 0 cisco
interface Loopback0
 ip address 13.13.13.13 255.255.255.0
interface FastEthernet0/0
 ip address 202.103.79.13 255.255.255.0
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
end
 
Requirement tests:
1. DHCP:
   
PC1:show ip interface brief
    Ethernet2/0                192.168.20.3    YES DHCP   up                    up 
PC2: Ethernet0/0                192.168.30.3    YES DHCP   up                    up 
 
2. Network-wide ping:
pc2#ping 192.168.30.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/325/1092 ms
pc2#ping 192.168.20.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.3, timeout is 2 seconds:
.!!!!
pc2#ping 13.13.13.13
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/382/488 ms
pc2#
PC1:
pc1#ping 192.168.20.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/312/1128 ms
pc1#ping 192.168.30.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/229/456 ms
pc1#ping 13.13.13.13
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 428/484/544 ms
pc1#
 
VRRP test: SW1 is Master for group 1 (VLAN 20) with priority 200 and SW2 is Master for group 2 (VLAN 30), each backing up the other at the default priority 100. Because each tracked uplink decrements the Master's priority by 120, losing a single uplink drops it to 80, below the Backup's 100, and the Backup preempts (preemption is on by default, shown as Pre = Y below):
sw1#show vrrp brief
Interface           Grp Pri Time Own Pre State   Master addr     Group addr
Vl20                1   200 12218      Y Master 192.168.20.1    192.168.20.100
Vl30                2   100 12609      Y Backup 192.168.30.2    192.168.30.100
sw1#
 
sw2#show vrrp brief
Interface           Grp Pri Time Own Pre State   Master addr     Group addr
Vl20                1   100 12609      Y Backup 192.168.20.1    192.168.20.100
Vl30                2   200 12531      Y Master 192.168.30.2    192.168.30.100
sw2#
 
Load sharing between switches:
PC1:
         
VLAN20
 Spanning tree enabled protocol ieee
 Root ID     Priority    32768
             Address     cc05.0a04.0001
             Cost        19
             Port        42 (FastEthernet1/1)
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
 
 Bridge ID Priority     32768
             Address     cc07.0a04.0001
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
             Aging Time 300
 
Interface                                    Designated
Name                  Port ID Prio Cost Sts Cost Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1       128.42   128    19 FWD     0 32768 cc05.0a04.0001 128.43
FastEthernet1/2       128.43   128    19 BLK    19 32768 cc06.0a04.0001 128.43
 
         
VLAN30
 Spanning tree enabled protocol ieee
 Root ID     Priority    32768
             Address     cc05.0a04.0002
             Cost        19
             Port        42 (FastEthernet1/1)
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
 
 Bridge ID Priority     32768
             Address     cc07.0a04.0002
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
             Aging Time 300
 
Interface                                    Designated
Name                  Port ID Prio Cost Sts Cost Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1       128.42   128    19 FWD     0 32768 cc05.0a04.0002 128.43
FastEthernet1/2       128.43   128    19 BLK    19 32768 cc06.0a04.0002 128.43
NAT test (debug ip nat output on the exit router):
r11#
*Apr 22 18:05:55.562: NAT*: s=17.7.7.7->202.103.78.100, d=13.13.13.13 [122]
*Apr 22 18:05:55.918: NAT*: s=13.13.13.13, d=202.103.78.100->17.7.7.7 [122]
 
r11#
*Apr 22 18:06:21.326: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [130]
*Apr 22 18:06:21.394: NAT*: s=192.168.40.2->202.103.78.7, d=13.13.13.13 [131]
*Apr 22 18:06:21.546: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [131]
r11#
 
Internal exit backup test:
With the default exit working normally:
pc2#traceroute 13.13.13.13
 
Type escape sequence to abort.
Tracing the route to 13.13.13.13
 
 1 192.168.30.2 276 msec 156 msec 152 msec
 2 192.168.40.22 144 msec 208 msec 156 msec
 3 202.103.78.8 476 msec 584 msec 364 msec
 4 202.103.79.13 300 msec 692 msec *
After the default exit goes down, does traffic go via the OA network? It does: R17 originates its OSPF default only while its own static default via Ethernet2/0 is in the routing table ("default-information originate" without "always"), and at the default metric of 1 it beats R10's "default-information originate always metric 3". When Ethernet2/0 fails, R17 withdraws the default and the core falls back to R10's:
pc2#traceroute 13.13.13.13
 
Type escape sequence to abort.
Tracing the route to 13.13.13.13
 
 1 192.168.30.2 164 msec 156 msec 136 msec
 2 192.168.40.18 208 msec 216 msec 140 msec
 3 192.168.40.26 300 msec 592 msec 408 msec
 4 *
    202.103.77.12 476 msec 584 msec
 5 202.103.79.13 792 msec 620 msec 384 msec
pc2#
The internal network reaches the OA network via specific OSPF routes rather than the default:
 
     17.0.0.0/32 is subnetted, 1 subnets
O        17.7.7.7 [110/65] via 192.168.40.6, 00:22:15, Serial0/0
O        192.168.40.25/32 [110/10] via 192.168.40.18, 00:23:05, Ethernet2/1
O        192.168.40.26/32 [110/74] via 192.168.40.18, 00:23:05, Ethernet2/1
External users can only access HTTP (ping permitted): the telnet attempt to port 23 is rejected by access-list 102 on R17's outside interface, while port 80 and ping succeed. Note that "permit icmp any any" in access-list 102 admits every ICMP type to any destination, which is broader than requirement 5 asks for:
r13#connect 202.103.78.100
Trying 202.103.78.100 ...
% Destination unreachable; gateway or host down
 
r13#connect 202.103.78.100 www
Trying 202.103.78.100, 80 ... Open
^C
 
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:04:31 GMT
Server: cisco-IOS
Accept-Ranges: none
 
400 Bad Request
 
[Connection to 202.103.78.100 closed by foreign host]
r13#ping 202.103.78.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.103.78.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/434/604 ms
r13#
Can OA users reach all internal services? (r7's vty lines are configured with "no login", which is why the telnet below lands directly at the r7# prompt without a password prompt.)
R10#ping 17.7.7.7
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/316/384 ms
 
R10#telnet 17.7.7.7
Trying 17.7.7.7 ... Open
 
r7#exit
 
[Connection to 17.7.7.7 closed by foreign host]
R10#connect 17.7.7.7 www
Trying 17.7.7.7, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:05:58 GMT
Server: cisco-IOS
Accept-Ranges: none
 
400 Bad Request
 
[Connection to 17.7.7.7 closed by foreign host]
R10#
Restricting inbound traffic does not affect internal users' normal Internet access: the return packets of pc2's sessions pass access-list 102 because the CBAC inspection applied outbound on Ethernet2/0 opens temporary entries for each inside-initiated TCP, UDP and ICMP session:
pc2#ping 13.13.13.13
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 216/322/400 ms
pc2#telnet 13.13.13.13
Trying 13.13.13.13 ... Open
 
 
Password required, but none set
 
[Connection to 13.13.13.13 closed by foreign host]
pc2#
pc2#connect 13.13.13.13 www
Trying 13.13.13.13, 80 ... Open
^C
 
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 04:55:01 GMT
Server: cisco-IOS
Accept-Ranges: none
 
400 Bad Request
 
[Connection to 13.13.13.13 closed by foreign host]
 
The DDoS-protection test for the internal HTTP server is omitted.
Because of an IOS issue, for the DNS server test I can only give the commands:
ip dns server
ip domain name cisco.com
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
This was done in a hurry; if anything is wrong, I would welcome corrections.
Note: when doing the VRRP lab, the PC clients may intermittently fail to ping the virtual gateway; I am not sure exactly why, as it works on and off. Workarounds: lengthen the VRRP advertisement timer, or shut and then no shutdown the VLAN interface. I suspect it happens during the master/backup role transition; I do not know whether the same happens on real hardware.
 
 
  Reposted from Bruce_F5's 51CTO blog; original: http://blog.51cto.com/zenfei/551551

