
In this lab, SW1, SW2 and SW3 on the left run MSTP; SW1 and SW2 run VRRP; SW3 and R6 provide DHCP (SW3 relays, R6 serves); R1, R2 and R3 run BGP; R1 and R3 run NAPT and IPSec; SW4 runs private VLANs (PVLAN).
NAPT translates internal addresses to public addresses, and the IPSec VPN lets one internal network reach the other internal network directly, so the PCs on the left and right sides can communicate with each other.
R1, R2 and R3 together play the role of the public network; every other device is an internal device. No internal routes are injected into the public network, which mimics a real deployment: however the internal addresses are configured, they have no effect on the public network.
SW1(config)#vlan 10
SW1(config-vlan)#vlan 20
SW1(config)#inter range e0/1-2
SW1(config-if-range)#sw tr enc dot
SW1(config-if-range)#sw mo tr
SW1(config)#spanning-tree mode mst
SW1(config)#spanning-tree mst configuration
SW1(config-mst)#revision 1
SW1(config-mst)#name a1
SW1(config-mst)#instance 1 vlan 10
SW1(config-mst)#instance 2 vlan 20
SW1(config)#spanning-tree mst 1 priority 4096
SW1(config)#spanning-tree mst 2 priority 8192
---
SW2(config)#vlan 10
SW2(config-vlan)#vlan 20
SW2(config)#inter range e0/1-2
SW2(config-if-range)#sw tr enc dot
SW2(config-if-range)#sw mo tr
SW2(config)#spanning-tree mode mst
SW2(config)#spanning-tree mst configuration
SW2(config-mst)#revision 1
SW2(config-mst)#name a1
SW2(config-mst)#instance 1 vlan 10
SW2(config-mst)#instance 2 vlan 20
SW2(config)#spanning-tree mst 1 priority 8192
SW2(config)#spanning-tree mst 2 priority 4096
---
SW3(config)#vlan 10
SW3(config-vlan)#vlan 20
SW3(config)#inter range e0/0-1
SW3(config-if-range)#sw tr enc dot
SW3(config-if-range)#sw mo tr
SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#revision 1
SW3(config-mst)#name a1
SW3(config-mst)#instance 1 vlan 10
SW3(config-mst)#instance 2 vlan 20
SW1(config)#inter vlan 10
SW1(config-if)#vrrp 10 ip 192.34.1.254
SW1(config-if)#vrrp 10 priority 120
SW1(config)#inter vlan 20
SW1(config-if)#vrrp 20 ip 192.34.2.254
---
SW2(config)#inter vlan 10
SW2(config-if)#vrrp 10 ip 192.34.1.254
SW2(config)#inter vlan 20
SW2(config-if)#vrrp 20 ip 192.34.2.254
SW2(config-if)#vrrp 20 priority 120
SW3(config)#service dhcp
SW3(config)#inter vlan 10
SW3(config-if)#no shut
SW3(config-if)#ip add 192.34.1.100 255.255.255.0
SW3(config-if)#ip helper-address 200.34.4.2
SW3(config)#inter vlan 20
SW3(config-if)#no shut
SW3(config-if)#ip add 192.34.2.100 255.255.255.0
SW3(config-if)#ip helper-address 200.34.4.2
SW3(config)#inter e1/0
SW3(config-if)#no sw
SW3(config-if)#ip add 200.34.4.1 255.255.255.0
SW3(config)#ip route 0.0.0.0 0.0.0.0 200.34.4.2
---
R6(config)#service dhcp
R6(config)#ip dhcp pool vlan10
R6(dhcp-config)#network 192.34.1.0 255.255.255.0
R6(dhcp-config)#default-router 192.34.1.254
R6(config)#ip dhcp pool vlan20
R6(dhcp-config)#network 192.34.2.0 255.255.255.0
R6(dhcp-config)#default-router 192.34.2.254
R6(config)#ip dhcp excluded-address 192.34.1.1 192.34.1.9
R6(config)#ip dhcp excluded-address 192.34.2.1 192.34.2.9
R6(config)#ip route 192.34.1.0 255.255.255.0 200.34.4.1
R6(config)#ip route 192.34.2.0 255.255.255.0 200.34.4.1
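The DHCP part of the lab relies on two things that the configuration shows but does not explain: SW3's `ip helper-address` turns the clients' broadcasts into unicast requests to R6 with the receiving SVI's address in the giaddr field, and R6 picks the pool whose network contains that giaddr. The following Python model is an added example, not part of the lab or of any Cisco software; it transcribes the R6 pool configuration and SW3's SVI addresses from the page (the interface names and the "PC1"/"PC2" client identifiers are assumptions) and reproduces the allocation logic so the first lease in each pool lands on .10, which is what the `ip dhcp` output later on the page shows.

```python
import ipaddress

# Constructed transcription of the R6 DHCP server configuration from the lab
# (prompts removed). Nothing else about R6 is modelled.
R6_DHCP_CONFIG = """\
ip dhcp pool vlan10
 network 192.34.1.0 255.255.255.0
 default-router 192.34.1.254
ip dhcp pool vlan20
 network 192.34.2.0 255.255.255.0
 default-router 192.34.2.254
ip dhcp excluded-address 192.34.1.1 192.34.1.9
ip dhcp excluded-address 192.34.2.1 192.34.2.9
"""

# SW3's SVI addresses (the interfaces carrying "ip helper-address 200.34.4.2").
# A relay copies the address of the interface that received the client's
# broadcast into the giaddr field before unicasting the request to the server.
# Interface names are assumed; the addresses come from the SW3 configuration.
SW3_RELAY_INTERFACES = {"Vlan10": "192.34.1.100", "Vlan20": "192.34.2.100"}


def parse_dhcp_config(text):
    """Return ({pool name: {'network', 'router'}}, [(low, high) excluded ranges])."""
    pools, excluded, current = {}, [], None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["ip", "dhcp", "pool"]:
            current = w[3]
            pools[current] = {"network": None, "router": None}
        elif w[0] == "network":
            pools[current]["network"] = ipaddress.IPv4Network(f"{w[1]}/{w[2]}")
        elif w[0] == "default-router":
            pools[current]["router"] = w[1]
        elif w[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.IPv4Address(w[3])
            high = ipaddress.IPv4Address(w[4]) if len(w) > 4 else low
            excluded.append((low, high))
    return pools, excluded


class DhcpServer:
    """Minimal model of pool selection and address allocation for relayed requests."""

    def __init__(self, config):
        self.pools, self.excluded = parse_dhcp_config(config)
        self.leases = {}  # address -> client identifier

    def _excluded(self, ip):
        return any(low <= ip <= high for low, high in self.excluded)

    def offer(self, giaddr, client_id):
        """Pick the pool whose network contains giaddr and lease its lowest free
        address; return None when no pool matches (the client then times out)."""
        giaddr = ipaddress.IPv4Address(giaddr)
        for name, pool in self.pools.items():
            net = pool["network"]
            if giaddr not in net:
                continue
            for host in net.hosts():
                # skip the relay's own address, excluded ranges and existing leases
                if host == giaddr or self._excluded(host) or host in self.leases:
                    continue
                self.leases[host] = client_id
                return {"pool": name, "ip": f"{host}/{net.prefixlen}",
                        "gateway": pool["router"]}
            raise RuntimeError(f"pool {name} exhausted")
        return None


def relay_and_offer(server, ingress_interface, client_id):
    """Simulate SW3 relaying a DISCOVER that arrived on ingress_interface to R6."""
    return server.offer(SW3_RELAY_INTERFACES[ingress_interface], client_id)


if __name__ == "__main__":
    r6 = DhcpServer(R6_DHCP_CONFIG)
    print(relay_and_offer(r6, "Vlan10", "PC1"))  # ip 192.34.1.10/24, gateway 192.34.1.254
    print(relay_and_offer(r6, "Vlan20", "PC2"))  # ip 192.34.2.10/24, gateway 192.34.2.254
```

A request whose giaddr falls outside every pool gets no offer, which is the failure you see when a helper-address points at a server that has no pool for the relaying subnet.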
SW4(config)#vtp mode transparent
SW4(config)#vlan 10
SW4(config-vlan)#private-vlan primary
SW4(config)#vlan 20
SW4(config-vlan)#private-vlan community
SW4(config)#vlan 30
SW4(config-vlan)#private-vlan isolated
SW4(config)#vlan 10
SW4(config-vlan)#private-vlan association 20,30
SW4(config)#inter range e0/0-1
SW4(config-if-range)#sw mode private-vlan host
SW4(config-if-range)#sw private-vlan host-association 10 20
SW4(config)#inter range e0/2-3
SW4(config-if-range)#sw mode private-vlan host
SW4(config-if-range)#sw private-vlan host-association 10 30
SW4(config)#inter e1/0
SW4(config-if)#sw mode private-vlan promiscuous
SW4(config)#inter e1/0
SW4(config-if)#sw private-vlan mapping 10 add 20,30
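The SW4 configuration above defines one primary VLAN (10), one community VLAN (20) on e0/0-1, one isolated VLAN (30) on e0/2-3 and a promiscuous uplink on e1/0. The following Python script is an added example, not part of the lab and not Cisco code: it parses a transcription of that configuration and derives the port-to-port reachability that the private-VLAN rules imply (community hosts reach each other and the promiscuous port, isolated hosts reach only the promiscuous port). This is exactly what the PVLAN ping tests at the end of the page verify. The port name format and the expansion of `interface range` are assumptions made for the parser.

```python
import re

# Constructed transcription of the SW4 private-VLAN configuration from the lab
# (prompts removed, abbreviations expanded). No other device is modelled.
SW4_PVLAN_CONFIG = """\
vlan 10
 private-vlan primary
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
vlan 10
 private-vlan association 20,30
interface range e0/0-1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 20
interface range e0/2-3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 30
interface e1/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 add 20,30
"""


def expand_ports(spec):
    """Expand an IOS port spec: 'e0/0-1' -> ['e0/0', 'e0/1'], 'e1/0' -> ['e1/0']."""
    m = re.fullmatch(r"([A-Za-z]+\d+/)(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError(f"unrecognised port spec {spec!r}")
    prefix, low = m.group(1), int(m.group(2))
    high = int(m.group(3)) if m.group(3) else low
    return [f"{prefix}{n}" for n in range(low, high + 1)]


def parse_pvlan(config):
    """Return (vlan_types, port_roles).

    vlan_types: {vlan: 'primary' | 'community' | 'isolated'}
    port_roles: {port: ('host', secondary_vlan) | ('promiscuous', frozenset(secondaries))}
    """
    vlan_types, port_roles = {}, {}
    current_vlan, ports = None, []
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "vlan":
            current_vlan, ports = int(words[1]), []
        elif words[0] == "interface":
            ports = expand_ports(words[-1])
        elif words[:2] == ["private-vlan", "association"]:
            pass  # the association is restated by the host/promiscuous mappings below
        elif words[0] == "private-vlan":
            vlan_types[current_vlan] = words[1]
        elif words[1:3] == ["private-vlan", "host-association"]:
            for p in ports:
                port_roles[p] = ("host", int(words[4]))
        elif words[1:3] == ["private-vlan", "mapping"]:
            secondaries = frozenset(int(v) for v in words[-1].split(","))
            for p in ports:
                port_roles[p] = ("promiscuous", secondaries)
    return vlan_types, port_roles


def can_talk(a, b, vlan_types, port_roles):
    """Layer-2 reachability between two ports under private-VLAN rules."""
    ra, rb = port_roles[a], port_roles[b]
    if ra[0] == "promiscuous" and rb[0] == "promiscuous":
        return True
    if ra[0] == "promiscuous":
        return rb[1] in ra[1]  # host reachable only if its secondary VLAN is mapped
    if rb[0] == "promiscuous":
        return ra[1] in rb[1]
    # two host ports: only members of the same community VLAN may talk;
    # isolated ports never reach another host port, not even in the same VLAN
    return ra[1] == rb[1] and vlan_types[ra[1]] == "community"


def reachability_matrix(config=SW4_PVLAN_CONFIG):
    """{port: {other_port: bool}} for every pair of configured ports."""
    vlan_types, port_roles = parse_pvlan(config)
    names = sorted(port_roles)
    return {a: {b: can_talk(a, b, vlan_types, port_roles) for b in names if b != a}
            for a in names}


if __name__ == "__main__":
    for port, peers in reachability_matrix().items():
        reachable = [p for p, ok in peers.items() if ok]
        print(f"{port}: reaches {reachable}")
```

The matrix reproduces the intended containment: e0/2 and e0/3 (isolated VLAN 30) can only reach e1/0, while e0/0 and e0/1 (community VLAN 20) reach each other and e1/0. Note that isolation is a layer-2 property only; once the promiscuous port leads to a router, the isolated hosts can still talk to each other through that router unless it filters the traffic.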
R4(config)#router rip
R4(config-router)#version 2
R4(config-router)#network 200.34.1.0
R4(config-router)#network 200.34.2.0
R4(config-router)#network 200.34.3.0
R4(config-router)#no auto-summary
---
R5(config)#router rip
R5(config-router)#version 2
R5(config-router)#network 192.34.3.0
R5(config-router)#network 192.34.4.0
R5(config-router)#no auto-summary
R1(config)#router bgp 1
R1(config-router)#neighbor 1.1.1.2 remote-as 2
---
R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 remote-as 1
R2(config-router)#neighbor 2.2.2.2 remote-as 3
---
R3(config)#router bgp 3
R3(config-router)#neighbor 2.2.2.1 remote-as 2
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config)#crypto isakmp key 0 abc123 address 2.2.2.2
R1(config)#crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip 192.34.1.0 0.0.0.255 192.34.4.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.34.2.0 0.0.0.255 192.34.4.0 0.0.0.255
R1(config)#crypto map to_r3 1 ipsec-isakmp
R1(config-crypto-map)#match address VPN
R1(config-crypto-map)#set transform-set 3des_sha
R1(config-crypto-map)#set peer 2.2.2.2
R1(config)#inter s1/0
R1(config-if)#crypto map to_r3
---
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config)#crypto isakmp key 0 abc123 address 1.1.1.1
R3(config)#crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#mode transport
R3(config)#ip access-list extended VPN
R3(config-ext-nacl)#permit ip 192.34.4.0 0.0.0.255 192.34.1.0 0.0.0.255
R3(config-ext-nacl)#permit ip 192.34.4.0 0.0.0.255 192.34.2.0 0.0.0.255
R3(config)#crypto map to_r1 1 ipsec-isakmp
R3(config-crypto-map)#match address VPN
R3(config-crypto-map)#set transform-set 3des_sha
R3(config-crypto-map)#set peer 1.1.1.1
R3(config)#inter s1/1
R3(config-if)#crypto map to_r1
R1(config)#ip access-list extended NAT
R1(config-ext-nacl)#deny ip 192.34.1.0 0.0.0.255 192.34.4.0 0.0.0.255
R1(config-ext-nacl)#deny ip 192.34.2.0 0.0.0.255 192.34.4.0 0.0.0.255
R1(config-ext-nacl)#permit ip any any
R1(config)#ip nat inside source list NAT inter s1/0
R1(config)#inter f0/0
R1(config-if)#ip nat inside
R1(config)#inter s1/0
R1(config-if)#ip nat outside
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 200.34.1.0
R1(config-router)#default-information originate
R1(config-router)#no auto-summary
---
R3(config)#ip access-list extended NAT
R3(config-ext-nacl)#deny ip 192.34.4.0 0.0.0.255 192.34.1.0 0.0.0.255
R3(config-ext-nacl)#deny ip 192.34.4.0 0.0.0.255 192.34.2.0 0.0.0.255
R3(config-ext-nacl)#permit ip any any
R3(config)#ip nat inside source list NAT inter s1/1
R3(config)#inter f0/0
R3(config-if)#ip nat inside
R3(config)#inter s1/1
R3(config-if)#ip nat outside
R3(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.1
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#network 192.34.3.0
R3(config-router)#default-information originate
R3(config-router)#no auto-summary
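The two access lists on each router have to agree with each other and with the peer: the crypto ACLs on R1 and R3 must be mirror images, and the NAT ACL must deny every crypto-interesting flow before its `permit ip any any`, because IOS translates inside-to-outside traffic before the crypto map is consulted, so a VPN flow that is not exempted from NAT no longer matches the crypto ACL and leaves the router untranslated by the tunnel. The following Python audit is an added example, not part of the lab or of any Cisco tooling; it transcribes the four ACLs from the page and checks both properties, and also shows the result for a constructed NAT ACL that is missing one deny entry.

```python
import ipaddress

# Constructed transcriptions of the lab's access lists (prompts removed).
R1_VPN_ACL = """\
permit ip 192.34.1.0 0.0.0.255 192.34.4.0 0.0.0.255
permit ip 192.34.2.0 0.0.0.255 192.34.4.0 0.0.0.255
"""
R1_NAT_ACL = """\
deny ip 192.34.1.0 0.0.0.255 192.34.4.0 0.0.0.255
deny ip 192.34.2.0 0.0.0.255 192.34.4.0 0.0.0.255
permit ip any any
"""
R3_VPN_ACL = """\
permit ip 192.34.4.0 0.0.0.255 192.34.1.0 0.0.0.255
permit ip 192.34.4.0 0.0.0.255 192.34.2.0 0.0.0.255
"""
R3_NAT_ACL = """\
deny ip 192.34.4.0 0.0.0.255 192.34.1.0 0.0.0.255
deny ip 192.34.4.0 0.0.0.255 192.34.2.0 0.0.0.255
permit ip any any
"""
# Constructed faulty variant: the VLAN 20 exemption is missing.
BROKEN_R1_NAT_ACL = """\
deny ip 192.34.1.0 0.0.0.255 192.34.4.0 0.0.0.255
permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def take_addr(words):
    """Consume one ACL address term ('any', 'host X', or 'X wildcard')."""
    if words[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return ipaddress.IPv4Network(words[1] + "/32"), words[2:]
    return wildcard_to_network(words[0], words[1]), words[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'permit|deny ip ...' entries."""
    entries = []
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        action, proto, rest = w[0], w[1], w[2:]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled here")
        src, rest = take_addr(rest)
        dst, rest = take_addr(rest)
        entries.append((action, src, dst))
    return entries


def first_match(entries, src_net, dst_net):
    """Action of the first ACE that covers the whole flow (IOS first-match),
    falling back to the implicit deny at the end of every ACL."""
    for action, s, d in entries:
        if src_net.subnet_of(s) and dst_net.subnet_of(d):
            return action
    return "deny"


def is_mirror(local_vpn, remote_vpn):
    """The peer's crypto ACL must permit exactly the reversed flows."""
    local = {(s, d) for a, s, d in local_vpn if a == "permit"}
    remote = {(d, s) for a, s, d in remote_vpn if a == "permit"}
    return local == remote


def nat_exempts_vpn(vpn_entries, nat_entries):
    """Every crypto-interesting flow must hit a deny in the NAT ACL."""
    return all(first_match(nat_entries, s, d) == "deny"
               for a, s, d in vpn_entries if a == "permit")


def audit(r1_vpn=R1_VPN_ACL, r1_nat=R1_NAT_ACL, r3_vpn=R3_VPN_ACL, r3_nat=R3_NAT_ACL):
    """Run all consistency checks and report each as a boolean."""
    p = parse_acl
    return {
        "r1_r3_mirror": is_mirror(p(r1_vpn), p(r3_vpn)),
        "r1_nat_exempt": nat_exempts_vpn(p(r1_vpn), p(r1_nat)),
        "r3_nat_exempt": nat_exempts_vpn(p(r3_vpn), p(r3_nat)),
    }


if __name__ == "__main__":
    print(audit())                                   # all True for the lab ACLs
    print(audit(r1_nat=BROKEN_R1_NAT_ACL))           # r1_nat_exempt -> False
```

Running the audit against the faulty NAT ACL flags only the R1 exemption, which is the symptom you would otherwise chase on the wire: VLAN 10 hosts cross the tunnel while VLAN 20 hosts get translated to 1.1.1.1 and never match the crypto map.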
▼ Configuration complete; now check the results ▼
1. Check the DHCP service.
PC1> ip dhcp
DDORA IP 192.34.1.10/24 GW 192.34.1.254
---
PC2> ip dhcp
DDORA IP 192.34.2.10/24 GW 192.34.1.254
2. Check the MSTP service.
SW3#show spanning-tree mst 1
##### MST1 vlans mapped: 10
Bridge address aabb.cc00.0300 priority 32769 (32768 sysid 1)
Root address aabb.cc00.0100 priority 4097 (4096 sysid 1)
port Et0/0 cost 2000000 rem hops 19
Interface Role Sts Cost Prio.Nbr Type
---
Et0/0 Root FWD 2000000 128.1 P2p
Et0/1 Altn BLK 2000000 128.2 P2p
Et0/2 Desg FWD 2000000 128.3 P2p
=============================================================================
SW3#show spanning-tree mst 2
##### MST2 vlans mapped: 20
Bridge address aabb.cc00.0300 priority 32770 (32768 sysid 2)
Root address aabb.cc00.0200 priority 4098 (4096 sysid 2)
port Et0/1 cost 2000000 rem hops 19
Interface Role Sts Cost Prio.Nbr Type
---
Et0/0 Altn BLK 2000000 128.1 P2p
Et0/1 Root FWD 2000000 128.2 P2p
Et0/3 Desg FWD 2000000 128.4 P2p
3. Check the VRRP service.
SW1#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Vl10 10 120 3531 Y Master 192.34.1.1 192.34.1.254
Vl20 20 100 3609 Y Backup 192.34.2.2 192.34.2.254
---
SW2#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Vl10 10 100 3609 Y Backup 192.34.1.1 192.34.1.254
Vl20 20 120 3531 Y Master 192.34.2.2 192.34.2.254
4. Check the PVLAN service.
PC3> ping 192.34.4.2 <---- community VLAN
84 bytes from 192.34.4.2 icmp_seq=1 ttl=64 time=0.202 ms
84 bytes from 192.34.4.2 icmp_seq=2 ttl=64 time=0.508 ms
^C
PC3> ping 192.34.4.3 <---- isolated VLAN
host (192.34.4.3) not reachable
---
PC5> ping 192.34.4.4 <---- isolated VLAN
host (192.34.4.4) not reachable
PC5> ping 192.34.4.1 <---- community VLAN
host (192.34.4.1) not reachable
5. Check the NAT service.
Have PC1 or any other PC communicate with the outside (the traffic has to pass through R1 or R3), then look at the translation table on R1 or R3.
R1#show ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 1.1.1.1:4 1.1.1.1:179 1.1.1.2:56577 1.1.1.2:56577
tcp 1.1.1.1:1111 1.1.1.1:1110 1.1.1.2:179 1.1.1.2:179
tcp 1.1.1.1:1113 1.1.1.1:1112 1.1.1.2:179 1.1.1.2:179
tcp 1.1.1.1:1115 1.1.1.1:1114 1.1.1.2:179 1.1.1.2:179
tcp 1.1.1.1:1112 1.1.1.1:18315 1.1.1.2:179 1.1.1.2:179
tcp 1.1.1.1:1110 1.1.1.1:37984 1.1.1.2:179 1.1.1.2:179
tcp 1.1.1.1:1114 1.1.1.1:51548 1.1.1.2:179 1.1.1.2:179
udp 1.1.1.1:520 200.34.1.1:520 224.0.0.9:520 224.0.0.9:520
R1#
6. Check the IPSec service.
Check on R1 or R3: a QM state means the SA is up, while an MM state means it is not yet up (a second-stage state).
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
2.2.2.2 1.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#
7. PC1 communicates with any external PC.
PC1> ping 192.34.2.10
84 bytes from 192.34.2.10 icmp_seq=1 ttl=63 time=0.576 ms
84 bytes from 192.34.2.10 icmp_seq=2 ttl=63 time=0.565 ms
^C
PC1> ping 192.34.4.1
84 bytes from 192.34.4.1 icmp_seq=1 ttl=59 time=73.188 ms
84 bytes from 192.34.4.1 icmp_seq=2 ttl=59 time=67.311 ms
^C
PC1> ping 192.34.4.2
192.34.4.2 icmp_seq=1 timeout
84 bytes from 192.34.4.2 icmp_seq=2 ttl=59 time=68.508 ms
84 bytes from 192.34.4.2 icmp_seq=3 ttl=59 time=66.327 ms
^C
PC1> ping 192.34.4.3
192.34.4.3 icmp_seq=1 timeout
84 bytes from 192.34.4.3 icmp_seq=2 ttl=59 time=183.248 ms
^C
PC1> ping 192.34.4.4
192.34.4.4 icmp_seq=1 timeout
84 bytes from 192.34.4.4 icmp_seq=2 ttl=59 time=165.533 ms
^C
PC1>
The lab is complete: inside-to-outside address translation works, internal communication works, and PVLAN isolation works.