- Project topology and requirements
Project requirements
An enterprise network is organized as follows: VLAN 10 is the office network, VLAN 20 is the visitor (guest) network, and VLAN 30 is the cloud-desktop network. There is also a public server, which belongs to VLAN 100.
The following requirements must be met:
- VLAN 10, VLAN 20 and VLAN 100 share the same subnet. Deploy MUX VLAN on LSW2 so that office-network hosts can communicate with each other, visitor-network hosts cannot reach each other at Layer 2, and both VLAN 10 and VLAN 20 can reach the public server in VLAN 100.
- PC5 and PC6 in VLAN 30 must not be able to reach each other at Layer 2; use port isolation to separate them.
- The DHCP server is deployed on FW1 and assigns IP addresses to endpoints through DHCP relay. The server and AR1 keep fixed IP addresses.
- VLAN 10/VLAN 20 and VLAN 30 must be isolated at Layer 3 on the gateway device; if they need to reach each other, the traffic must pass through the firewall so that inter-VLAN traffic is inspected and secured.
- Devices in VLAN 10 and VLAN 20 can reach the public network; VLAN 30 cannot.
- Lab steps
Step 1: Rename the devices and configure IP addresses
Note: PCs can be given static IPs first to make testing easier; DHCP is used later.
IP subnet plan:
VLAN 10 / VLAN 20 / VLAN 100: 10.0.100.0/24
VLAN 30: 10.0.30.0/24
VLAN 101: 10.0.101.0/24
VLAN 102: 10.0.102.0/24
VLAN 103: 10.0.103.0/24
AR1 - ISP: 100.1.1.0/24
Step 2: Deploy MUX VLAN so that VLAN 10 hosts can reach each other, VLAN 20 hosts cannot, and both VLAN 10 and VLAN 20 can reach the server
LSW2 configuration:
[LSW2]vlan batch 10 20 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2-vlan100]mux-vlan //create the VLAN and enable MUX VLAN on it, making it the principal VLAN
Configure the other VLANs as a group (communicating) VLAN and a separate (isolated) VLAN:
[LSW2-vlan100]subordinate group 10 //group VLAN: members can talk to each other
[LSW2-vlan100]subordinate separate 20 //separate VLAN: members are isolated from each other
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 10
[LSW2-GigabitEthernet0/0/2]port mux-vlan enable
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 10
[LSW2-GigabitEthernet0/0/3]port mux-vlan enable
[LSW2-GigabitEthernet0/0/4]port link-type access
[LSW2-GigabitEthernet0/0/4]port default vlan 20
[LSW2-GigabitEthernet0/0/4]port mux-vlan enable
[LSW2-GigabitEthernet0/0/5]port link-type access
[LSW2-GigabitEthernet0/0/5]port default vlan 20
[LSW2-GigabitEthernet0/0/5]port mux-vlan enable
[LSW2-GigabitEthernet0/0/6]port link-type access
[LSW2-GigabitEthernet0/0/6]port default vlan 100
[LSW2-GigabitEthernet0/0/6]port mux-vlan enable
Test:
PC1 pings PC2:
PC>ping 10.0.100.2
Ping 10.0.100.2: 32 data bytes, Press Ctrl_C to break
From 10.0.100.2: bytes=32 seq=1 ttl=128 time=47 ms
From 10.0.100.2: bytes=32 seq=2 ttl=128 time=31 ms
From 10.0.100.2: bytes=32 seq=3 ttl=128 time=32 ms
From 10.0.100.2: bytes=32 seq=4 ttl=128 time=31 ms
From 10.0.100.2: bytes=32 seq=5 ttl=128 time=31 ms
--- 10.0.100.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/34/47 ms
PC1 pings the server:
PC>ping 10.0.100.100
Ping 10.0.100.100: 32 data bytes, Press Ctrl_C to break
From 10.0.100.100: bytes=32 seq=1 ttl=255 time=15 ms
From 10.0.100.100: bytes=32 seq=2 ttl=255 time=16 ms
From 10.0.100.100: bytes=32 seq=3 ttl=255 time=16 ms
From 10.0.100.100: bytes=32 seq=4 ttl=255 time=15 ms
From 10.0.100.100: bytes=32 seq=5 ttl=255 time<1 ms
--- 10.0.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/12/16 ms
PC1 pings PC3:
PC>ping 10.0.100.3
Ping 10.0.100.3: 32 data bytes, Press Ctrl_C to break
From 10.0.100.1: Destination host unreachable
From 10.0.100.1: Destination host unreachable
From 10.0.100.1: Destination host unreachable
From 10.0.100.1: Destination host unreachable
From 10.0.100.1: Destination host unreachable
--- 10.0.100.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Unreachable: a group VLAN and a separate VLAN cannot reach each other.
PC3 pings PC4 and the server:
PC>ping 10.0.100.4
Ping 10.0.100.4: 32 data bytes, Press Ctrl_C to break
From 10.0.100.3: Destination host unreachable
From 10.0.100.3: Destination host unreachable
From 10.0.100.3: Destination host unreachable
From 10.0.100.3: Destination host unreachable
From 10.0.100.3: Destination host unreachable
--- 10.0.100.4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC>ping 10.0.100.100
Ping 10.0.100.100: 32 data bytes, Press Ctrl_C to break
From 10.0.100.100: bytes=32 seq=1 ttl=255 time=16 ms
From 10.0.100.100: bytes=32 seq=2 ttl=255 time=16 ms
From 10.0.100.100: bytes=32 seq=3 ttl=255 time=31 ms
From 10.0.100.100: bytes=32 seq=4 ttl=255 time=15 ms
From 10.0.100.100: bytes=32 seq=5 ttl=255 time<1 ms
--- 10.0.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/15/31 ms
Step 3: Configure port isolation so that PC5 and PC6 cannot reach each other
LSW1 configuration:
[LSW1]vlan batch 10 20 30 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1-Vlanif100]ip address 10.0.100.254 24
[LSW1-Vlanif100]interface g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type access
[LSW1-GigabitEthernet0/0/3]port default vlan 100 //communicate over the principal VLAN
LSW2 configuration:
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 100
[LSW2-GigabitEthernet0/0/1]port mux-vlan enable
Test connectivity between VLAN 10/20/100 and LSW1:
PC>ping 10.0.100.254 //PC1 pings LSW1
Ping 10.0.100.254: 32 data bytes, Press Ctrl_C to break
From 10.0.100.254: bytes=32 seq=1 ttl=255 time=63 ms
From 10.0.100.254: bytes=32 seq=2 ttl=255 time=31 ms
From 10.0.100.254: bytes=32 seq=3 ttl=255 time=47 ms
From 10.0.100.254: bytes=32 seq=4 ttl=255 time=47 ms
From 10.0.100.254: bytes=32 seq=5 ttl=255 time=31 ms
--- 10.0.100.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/43/63 ms
Cloud-desktop switch (LSW3) configuration:
[LSW3-GigabitEthernet0/0/2]port link-type access
[LSW3-GigabitEthernet0/0/2]port default vlan 30
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 30
Enable port isolation and put both ports in the same isolation group:
[LSW3-GigabitEthernet0/0/2]port-isolate enable group 1
[LSW3-GigabitEthernet0/0/2]interface g0/0/3
[LSW3-GigabitEthernet0/0/3]port-isolate enable group 1
[LSW3]display port-isolate group 1
The ports in isolate group 1:
GigabitEthernet0/0/2 GigabitEthernet0/0/3
Configure the VLAN 30 gateway:
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 30
[LSW1-GigabitEthernet0/0/4]quit
[LSW1]interface Vlanif 30
[LSW1-Vlanif30]ip address 10.0.30.254 24
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 30
Test: PC5 pings the gateway
PC>ping 10.0.30.254
Ping 10.0.30.254: 32 data bytes, Press Ctrl_C to break
From 10.0.30.254: bytes=32 seq=1 ttl=255 time=47 ms
From 10.0.30.254: bytes=32 seq=2 ttl=255 time=31 ms
From 10.0.30.254: bytes=32 seq=3 ttl=255 time=31 ms
From 10.0.30.254: bytes=32 seq=4 ttl=255 time=31 ms
From 10.0.30.254: bytes=32 seq=5 ttl=255 time=32 ms
--- 10.0.30.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/34/47 ms
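The ping results in Steps 2 and 3 follow from two Layer-2 rules: MUX VLAN (principal VLAN reaches everything, a group VLAN reaches itself and the principal, a separate VLAN reaches only the principal) and port isolation (ports in the same isolation group never exchange frames). The following script is an added example, not part of the original lab: it models those rules and checks them against the connectivity the pings show. The PC-to-port mapping (PC1 to PC4 on LSW2 GE0/0/2 to GE0/0/5 in the order the interfaces appear above, PC5/PC6 on LSW3 GE0/0/2 and GE0/0/3) and the class and function names are assumptions.

```python
"""Added example, not from the original lab write-up: a model of the
Layer-2 forwarding rules that the MUX VLAN on LSW2 (Step 2) and the port
isolation on LSW3 (Step 3) implement, checked against the ping results.

Assumptions: the PC-to-port mapping and the class names are ours; the
rule set is the standard MUX VLAN / port-isolation semantics.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class MuxVlan:
    """One MUX VLAN domain: 'mux-vlan' in the principal VLAN plus its
    'subordinate group' and 'subordinate separate' VLANs."""
    principal: int
    group: Set[int] = field(default_factory=set)
    separate: Set[int] = field(default_factory=set)

    def contains(self, vlan: int) -> bool:
        return vlan == self.principal or vlan in self.group or vlan in self.separate


@dataclass
class Port:
    name: str
    vlan: int                            # port default vlan (access)
    mux_enabled: bool = False            # port mux-vlan enable
    isolate_group: Optional[int] = None  # port-isolate enable group N


def l2_reachable(src: Port, dst: Port, mux: Optional[MuxVlan] = None) -> bool:
    """Can a frame entering on src be forwarded out of dst on the same switch?"""
    if src is dst:
        return False
    # Port isolation: ports in the same isolation group never exchange
    # Layer-2 traffic, whatever their VLAN.
    if src.isolate_group is not None and src.isolate_group == dst.isolate_group:
        return False
    # Outside a MUX VLAN domain, ordinary VLAN rules apply.
    if (mux is None or not (src.mux_enabled and dst.mux_enabled)
            or not (mux.contains(src.vlan) and mux.contains(dst.vlan))):
        return src.vlan == dst.vlan
    # Principal VLAN ports (the server) talk to every subordinate VLAN.
    if src.vlan == mux.principal or dst.vlan == mux.principal:
        return True
    # Group VLAN (office): members of the same group VLAN talk to each other.
    if src.vlan == dst.vlan and src.vlan in mux.group:
        return True
    # Separate VLAN (visitors) members, and members of different subordinate
    # VLANs, reach only the principal VLAN.
    return False


# LSW2 as configured in Step 2 (the port assignment is an assumption).
LSW2_MUX = MuxVlan(principal=100, group={10}, separate={20})
LSW2: Dict[str, Port] = {
    "PC1": Port("GE0/0/2", 10, mux_enabled=True),
    "PC2": Port("GE0/0/3", 10, mux_enabled=True),
    "PC3": Port("GE0/0/4", 20, mux_enabled=True),
    "PC4": Port("GE0/0/5", 20, mux_enabled=True),
    "Server": Port("GE0/0/6", 100, mux_enabled=True),
}

# LSW3 as configured in Step 3: both cloud-desktop ports in isolate group 1.
LSW3: Dict[str, Port] = {
    "PC5": Port("GE0/0/2", 30, isolate_group=1),
    "PC6": Port("GE0/0/3", 30, isolate_group=1),
}


def reachability_matrix(ports: Dict[str, Port], mux: Optional[MuxVlan] = None):
    """Every ordered (src, dst) pair and whether it is reachable at Layer 2."""
    return {(a, b): l2_reachable(ports[a], ports[b], mux)
            for a in ports for b in ports if a != b}


if __name__ == "__main__":
    for (a, b), ok in reachability_matrix(LSW2, LSW2_MUX).items():
        print(f"LSW2 {a:>6} -> {b:<6} {'ok' if ok else 'blocked'}")
    for (a, b), ok in reachability_matrix(LSW3).items():
        print(f"LSW3 {a:>6} -> {b:<6} {'ok' if ok else 'blocked'}")
```

Running it prints the full matrix; on LSW2 exactly ten ordered pairs are reachable (PC1/PC2 in both directions, and every PC to and from the server), which is the same picture the ping tests give one pair at a time.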
Step 4: Configure VPN instances for Layer-3 isolation, with inter-VLAN access going through the firewall
1) Create instances A and B and bind them to the corresponding VLAN interfaces:
[LSW1]ip vpn-instance A
[LSW1-vpn-instance-A]route-distinguisher 100:1
[LSW1]ip vpn-instance B
[LSW1-vpn-instance-B]route-distinguisher 100:2
[LSW1-Vlanif100]ip binding vpn-instance A
[LSW1-Vlanif100]ip address 10.0.100.254 255.255.255.0
[LSW1-Vlanif30]ip binding vpn-instance B
[LSW1-Vlanif30]ip address 10.0.30.254 255.255.255.0
Test: PC5 pings PC1:
PC>ping 10.0.100.1
Ping 10.0.100.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 10.0.100.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Isolation is confirmed.
2) Configure static routes so that inter-VLAN traffic passes through the firewall, where it can be monitored
LSW1 configuration:
[LSW1]vlan batch 101 102 //create the interconnect VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1]interface Vlanif 101
[LSW1-Vlanif101]ip binding vpn-instance A
Info: AL IPv4 related configurations on this interface are removed!
Info: AL IPv6 related configurations on this interface are removed!
[LSW1-Vlanif101]ip address 10.0.101.1 24
[LSW1-Vlanif101]quit
[LSW1]interface Vlanif 102
[LSW1-Vlanif102]ip binding vpn-instance B
Info: AL IPv4 related configurations on this interface are removed!
Info: AL IPv6 related configurations on this interface are removed!
[LSW1-Vlanif102]ip address 10.0.102.1 24
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 101 102 //allow VLAN 101 and 102 traffic
FW1 configuration:
[fw1]vlan batch 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[fw1]interface Vlanif 101
[fw1-Vlanif101]ip address 10.0.101.2 24
[fw1]interface Vlanif 102
[fw1-Vlanif102]ip address 10.0.102.2 24
[fw1]firewall zone trust //add the interfaces to a security zone
[fw1-zone-trust]add interface Vlanif101
[fw1-zone-trust]add interface Vlanif102
[fw1-GigabitEthernet1/0/0]portswitch
[fw1-GigabitEthernet1/0/0]port link-type trunk
[fw1-GigabitEthernet1/0/0]port trunk allow-pass vlan 101 102
Test: LSW1 pings FW1:
[fw1-Vlanif101]service-manage ping permit //allow ping on the interface
[fw1-Vlanif102]service-manage ping permit
[LSW1]ping -vpn-instance A 10.0.101.2
PING 10.0.101.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.101.2: bytes=56 Sequence=1 ttl=255 time=120 ms
Reply from 10.0.101.2: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 10.0.101.2: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.0.101.2: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.0.101.2: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 10.0.101.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/44/120 ms
Configure static routes:
[LSW1]ip route-static vpn-instance A 10.0.30.0 24 10.0.101.2 //next hop is the firewall interface
[fw1]ip route-static 10.0.30.0 24 10.0.102.1 //hand off to Vlanif 102 on LSW1
Return path:
[LSW1]ip route-static vpn-instance B 10.0.100.0 24 10.0.102.2
[fw1]ip route-static 10.0.100.0 24 10.0.101.1
Test: PC5 reaches PC1:
PC>tracert 10.0.100.1
traceroute to 10.0.100.1, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.0.30.254 47 ms 47 ms 31 ms
2 * * *
3 10.0.101.1 78 ms 94 ms 78 ms
4 10.0.100.1 141 ms 125 ms 125 ms
PC>
Requirement met: PC5 reaches PC1 through the firewall.
Step 5: Configure DHCP relay
FW1 configuration:
[fw1]ip pool 1
Info: It is Successful to create an Ip address pool.
[fw1-ip-pool-1]network 10.0.100.0 mask 24
[fw1-ip-pool-1]gateway-list 10.0.100.254
[fw1-ip-pool-1]dns-list 114.114.114.114
[fw1]ip pool 2
Info: It is Successful to create an Ip address pool.
[fw1-ip-pool-2]network 10.0.30.0 mask 24
[fw1-ip-pool-2]gateway-list 10.0.30.254
[fw1-ip-pool-2]dns-list 8.8.8.8
[fw1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[fw1-Vlanif101]dhcp select global //serves VPN instance A
[fw1-Vlanif101]interface vlanif102
[fw1-Vlanif102]dhcp select global
LSW1 configuration:
[LSW1]dhcp enable
[LSW1-Vlanif100]dhcp select relay
[LSW1-Vlanif100]dhcp relay server-ip 10.0.101.2
Vlanif30 is configured the same way and is not repeated here.
Step 6: VLAN 10 and VLAN 20 devices can reach the public network, but VLAN 30 cannot
LSW1 configuration:
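What makes the relay work is the giaddr field: LSW1's Vlanif writes its own address into the DISCOVER before unicasting it to 10.0.101.2, and FW1 picks the pool whose network contains giaddr, so Vlanif100 clients get 10.0.100.0/24 leases and Vlanif30 clients get 10.0.30.0/24 leases. The script below is an added example, not the lab's or the vendor's code: it builds a minimal DHCPDISCOVER as bytes, applies the relay step, and runs the server-side pool selection against pools that mirror FW1's ip pool 1 and ip pool 2. The function names, the client MAC and the lease bookkeeping are assumptions; the header layout is the fixed BOOTP header of RFC 2131.

```python
"""Added example, not from the original lab: a minimal BOOTP/DHCP DISCOVER
built as bytes, the relay step that 'dhcp select relay' performs on LSW1's
Vlanif (fill giaddr, unicast to 'dhcp relay server-ip'), and the pool
selection on the server side, mirroring FW1's 'ip pool 1' and 'ip pool 2'.

Assumptions: function names, the client MAC and the lease bookkeeping are
ours; the field layout is RFC 2131's fixed BOOTP header.
"""
import ipaddress
import struct
from typing import Dict, Optional, Set

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128): the 236-byte fixed header.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = bytes.fromhex("63825363")
HOPS, GIADDR = 3, 10   # indexes in the unpacked header tuple

# Mirrors FW1's address pools from Step 5.
POOLS = [
    {"network": ipaddress.ip_network("10.0.100.0/24"),
     "gateway": "10.0.100.254", "dns": "114.114.114.114"},
    {"network": ipaddress.ip_network("10.0.30.0/24"),
     "gateway": "10.0.30.254", "dns": "8.8.8.8"},
]
SERVER_IP = "10.0.101.2"   # FW1's Vlanif101, the relay's server-ip


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER as a client broadcasts it: ciaddr/giaddr zero, hops 0."""
    header = struct.pack(
        BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # Option 53 (message type) = 1 DISCOVER, then option 255 end.
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay(packet: bytes, vlanif_ip: str) -> bytes:
    """Relay agent on the Vlanif: set giaddr to its own interface address
    (only if still zero, so the first relay wins), increment hops; the
    caller unicasts the result to the configured server-ip."""
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if fields[GIADDR] == b"\0" * 4:
        fields[GIADDR] = ipaddress.IPv4Address(vlanif_ip).packed
    fields[HOPS] += 1
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def select_pool(packet: bytes, receiving_ip: str = SERVER_IP) -> Optional[Dict]:
    """Server-side pool choice: the subnet containing giaddr when relayed,
    otherwise the subnet of the interface the broadcast arrived on."""
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    giaddr = ipaddress.IPv4Address(fields[GIADDR])
    key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(receiving_ip)
    for pool in POOLS:
        if key in pool["network"]:
            return pool
    return None


def handle_discover(packet: bytes, leased: Set[str]) -> Optional[Dict]:
    """Build the OFFER parameters; None when no pool matches (the server
    silently drops the DISCOVER, which is what an unrelayed broadcast on
    the 10.0.101.0/24 link would get)."""
    pool = select_pool(packet)
    if pool is None:
        return None
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    for host in pool["network"].hosts():
        if str(host) != pool["gateway"] and str(host) not in leased:
            leased.add(str(host))
            return {"yiaddr": str(host), "router": pool["gateway"],
                    "dns": pool["dns"],
                    # The OFFER is unicast back to giaddr, i.e. the relay.
                    "reply_to": str(ipaddress.IPv4Address(fields[GIADDR]))}
    return None


if __name__ == "__main__":
    leased: Set[str] = set()
    disc = build_discover(bytes.fromhex("5489981a2b3c"))   # constructed MAC
    print("unrelayed on FW1:", handle_discover(disc, leased))
    print("via Vlanif100:", handle_discover(relay(disc, "10.0.100.254"), leased))
    print("via Vlanif30: ", handle_discover(relay(disc, "10.0.30.254"), leased))
```

The same mechanism is why the pool's gateway-list must match the Vlanif address doing the relaying: if giaddr fell outside every configured network, FW1 would have no pool to answer from and clients would never receive an offer.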
[LSW1]vlan 103
[LSW1-Vlanif103]ip address 10.0.103.1 24
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 103
[LSW1-Vlanif103]ip binding vpn-instance A //bind to VPN instance A
Info: AL IPv4 related configurations on this interface are removed!
Info: AL IPv6 related configurations on this interface are removed!
[LSW1-Vlanif103]ip address 10.0.103.1 24
[LSW1]ip route-static vpn-instance A 0.0.0.0 0 10.0.103.2
AR1 configuration:
[AR1-GigabitEthernet0/0/0]ip address 10.0.103.2 24
[AR1-GigabitEthernet0/0/1]ip address 100.1.1.1 24
[AR1]ip route-static 0.0.0.0 0 100.1.1.2
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source any
[AR1-acl-basic-2000]quit
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 //NAT
[AR1]ip route-static 10.0.100.0 24 10.0.103.1 //return route
ISP configuration:
[lsp]interface g0/0/0
[lsp-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[lsp-LoopBack0]ip address 100.100.100.100 32 //simulated public IP
Test: PC1 reaches the public network:
PC>ping 100.100.100.100
Ping 100.100.100.100: 32 data bytes, Press Ctrl_C to break
From 100.100.100.100: bytes=32 seq=1 ttl=253 time=63 ms
From 100.100.100.100: bytes=32 seq=2 ttl=253 time=62 ms
From 100.100.100.100: bytes=32 seq=3 ttl=253 time=47 ms
From 100.100.100.100: bytes=32 seq=4 ttl=253 time=47 ms
From 100.100.100.100: bytes=32 seq=5 ttl=253 time=47 ms
--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/53/63 ms
PC5 reaches the public network:
PC>ping 100.100.100.100
Ping 100.100.100.100: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Requirement met.
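Both the Step 4 tracert (PC5 reaches PC1 only via 10.0.101.1 on the far side of FW1) and the Step 6 results (PC1 reaches the public network, PC5 does not) come down to one property: each VPN instance on LSW1 consults only its own routing table, and instance B has neither a route to 10.0.100.0/24 except through the firewall nor a default route. The script below is an added example, not the lab's or the vendor's code: it transcribes the static and connected routes from the CLI above into per-instance tables and follows a packet hop by hop. The owner map (which device holds which interface address), the helper names and the decision to leave AR1's NAT out of the model are assumptions.

```python
"""Added example, not from the original lab: a per-VPN-instance route lookup
that follows a packet hop by hop through the tables configured in Steps 4
and 6, reproducing the tracert result (PC5 -> FW1 -> PC1) and the final
tests (VLAN 10 reaches the public network, VLAN 30 does not).

Assumptions: the tables are transcribed from the CLI above; the owner map
and helper names are ours; NAT on AR1 is not modelled.
"""
import ipaddress
from typing import List, Optional, Tuple

Hop = Tuple[str, str]   # (device, vpn-instance); "global" = no instance

# (prefix, next hop); next hop None means directly connected.
TABLES = {
    ("LSW1", "A"): [
        ("10.0.100.0/24", None), ("10.0.101.0/24", None), ("10.0.103.0/24", None),
        ("10.0.30.0/24", "10.0.101.2"),   # ip route-static vpn-instance A 10.0.30.0 24 10.0.101.2
        ("0.0.0.0/0", "10.0.103.2"),      # ip route-static vpn-instance A 0.0.0.0 0 10.0.103.2
    ],
    ("LSW1", "B"): [
        ("10.0.30.0/24", None), ("10.0.102.0/24", None),
        ("10.0.100.0/24", "10.0.102.2"),  # ip route-static vpn-instance B 10.0.100.0 24 10.0.102.2
        # no default route: instance B has no path to the public network
    ],
    ("FW1", "global"): [
        ("10.0.101.0/24", None), ("10.0.102.0/24", None),
        ("10.0.30.0/24", "10.0.102.1"), ("10.0.100.0/24", "10.0.101.1"),
    ],
    ("AR1", "global"): [
        ("10.0.103.0/24", None), ("100.1.1.0/24", None),
        ("0.0.0.0/0", "100.1.1.2"), ("10.0.100.0/24", "10.0.103.1"),
    ],
    ("ISP", "global"): [("100.1.1.0/24", None), ("100.100.100.100/32", None)],
}

# Interface address -> (device, instance) that owns it, from the IP plan.
OWNER = {
    "10.0.100.254": ("LSW1", "A"), "10.0.101.1": ("LSW1", "A"), "10.0.103.1": ("LSW1", "A"),
    "10.0.30.254": ("LSW1", "B"), "10.0.102.1": ("LSW1", "B"),
    "10.0.101.2": ("FW1", "global"), "10.0.102.2": ("FW1", "global"),
    "10.0.103.2": ("AR1", "global"), "100.1.1.1": ("AR1", "global"),
    "100.1.1.2": ("ISP", "global"), "100.100.100.100": ("ISP", "global"),
}


def lookup(hop: Hop, dst: ipaddress.IPv4Address):
    """Longest-prefix match inside one instance's table only; an instance
    never consults another instance's routes, which is the Layer-3 isolation."""
    best = None
    for prefix, next_hop in TABLES[hop]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(gateway: str, dst: str) -> Optional[List[Hop]]:
    """Path from the host's gateway to dst as a list of (device, instance)
    hops; None if some table along the way has no matching route."""
    target = ipaddress.ip_address(dst)
    hop = OWNER[gateway]
    path = [hop]
    for _ in range(16):                 # TTL-style guard against loops
        match = lookup(hop, target)
        if match is None:
            return None                 # no route: destination unreachable
        _, next_hop = match
        if next_hop is None:
            return path                 # connected: delivered on this segment
        hop = OWNER[next_hop]
        path.append(hop)
    return None


def passes_firewall(path: Optional[List[Hop]]) -> bool:
    """The Step 4 requirement: inter-instance traffic must transit FW1."""
    return path is not None and any(device == "FW1" for device, _ in path)


if __name__ == "__main__":
    print("PC5 -> PC1    :", trace("10.0.30.254", "10.0.100.1"))
    print("PC1 -> PC5    :", trace("10.0.100.254", "10.0.30.1"))
    print("PC1 -> public :", trace("10.0.100.254", "100.100.100.100"))
    print("PC5 -> public :", trace("10.0.30.254", "100.100.100.100"))
```

The PC5 to PC1 path comes out as LSW1 (instance B), FW1, LSW1 (instance A), which is why the tracert shows 10.0.101.1 as the hop before the destination; removing either static route on FW1 makes trace() return None, so the check can double as a regression test for the firewall-transit requirement.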