CCNP Comprehensive Lab 2
Topology: http://blog.51cto.com/attachment/201104/191403431.png
Network configuration requirements:
1. Between the core switches SW1 and SW2, use VRRP (Virtual Router Redundancy Protocol) for gateway redundancy and load balancing: VLAN 20 goes through SW1, VLAN 30 through SW2.
2. Load-balance between SW3 and SW4: VLAN 20 traffic takes the upper link, VLAN 30 traffic the lower one.
3. The enterprise internal network exits through R17 as the default primary exit; if the primary exit goes DOWN, traffic switches over to exit through the OA network, ensuring high availability and reliability of the whole enterprise network.
4. The core and OA networks use OSPF as the routing protocol; the backbone area may be used throughout.
5. The server zone has HTTP, DNS and other servers; the external network may only access the HTTP service and is allowed to ping the servers; all other external traffic is denied.
6. Ensure Internet access for both the internal network and the external network, and ensure the OA office network can reach the servers and all internal services.
7. On the R17 exit router, apply some basic IOS firewall settings to mitigate DDoS (distributed denial-of-service) attacks launched from the external network.
8. Three public addresses have been obtained: 202.103.78.7 is used as the outbound interface address on the default primary exit router; the internal network is PAT-translated, and the server uses static NAT to 202.103.78.100.
Configuration:
SW1:
hostname sw1
ip cef
track 1 interface Ethernet2/1 line-protocol
delay down 4
!
track 2 interface Ethernet2/0 line-protocol
interface Serial0/0
ip address 192.168.40.1 255.255.255.252
serial restart-delay 0
interface FastEthernet1/0
switchport mode trunk
interface FastEthernet1/1
interface Ethernet2/0
ip address 192.168.40.9 255.255.255.252
half-duplex
interface Ethernet2/1
ip address 192.168.40.13 255.255.255.252
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 17.7.7.7
vrrp 1 ip 192.168.20.100
vrrp 1 timers advertise 4
vrrp 1 priority 200
vrrp 1 track 1 decrement 120
vrrp 1 track 2 decrement 120
interface Vlan30
ip address 192.168.30.1 255.255.255.0
vrrp 2 ip 192.168.30.100
vrrp 2 timers advertise 4
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
ip http server
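To make requirement 1 concrete, here is an added model of the VRRP master election with object tracking, using the group 1 values from SW1 and SW2 above (SW2 keeps the default priority 100, as its later show vrrp brief output confirms). It is illustration code, not IOS code or the author's; the election rule (highest effective priority wins, highest interface IP breaks ties) follows RFC 3768, and the track object names and the priority floor of 1 are assumptions of the model.

```python
# Constructed model of VRRP election with tracking; not IOS code.

def effective_priority(priority, tracks, down):
    """Configured priority minus the decrement of every tracked object that is
    down (floored at 1 in this model). tracks: {track_name: decrement}."""
    total = sum(dec for obj, dec in tracks.items() if obj in down)
    return max(priority - total, 1)

def vrrp_master(group, down=frozenset()):
    """group: {router: (interface_ip, priority, tracks)}; returns the master.
    Higher effective priority wins; equal priorities fall back to the higher IP."""
    def key(name):
        ip, prio, tracks = group[name]
        octets = tuple(int(o) for o in ip.split("."))
        return (effective_priority(prio, tracks, down), octets)
    return max(group, key=key)

# VLAN20 group 1 as configured on SW1 and SW2 in this lab (track names assumed).
VLAN20_GROUP1 = {
    "sw1": ("192.168.20.1", 200, {"sw1-track1": 120, "sw1-track2": 120}),
    "sw2": ("192.168.20.2", 100, {}),
}

def why_120(decrement):
    """Show why each track must decrement by more than 200 - 100: with a smaller
    value SW1 keeps mastership even after losing the tracked uplink."""
    group = {"sw1": ("192.168.20.1", 200, {"sw1-track1": decrement}),
             "sw2": ("192.168.20.2", 100, {})}
    return vrrp_master(group, down={"sw1-track1"})
```

With both tracked interfaces up SW1 (effective 200) is master; once Ethernet2/1 goes down its priority falls to 80 and SW2 takes over, while a decrement of, say, 50 would leave SW1 at 150 and no failover would happen.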
SW2:
sw2#show run
hostname sw2
ip address 192.168.40.5 255.255.255.252
interface FastEthernet1/2
ip address 192.168.40.21 255.255.255.252
ip address 192.168.40.17 255.255.255.252
ip address 192.168.20.2 255.255.255.0
ip address 192.168.30.2 255.255.255.0
vrrp 2 priority 200
vrrp 2 track 1 decrement 120
vrrp 2 track 2 decrement 120
SW3:
sw3# show run
hostname sw3
switchport access vlan 20
interface FastEthernet1/3
spanning-tree vlan 20 port-priority 40
interface FastEthernet1/4
spanning-tree vlan 30 port-priority 40
end
SW4:
sw4#show run
hostname sw4
switchport access vlan 30
PC1:
pc1#show run
hostname pc1
no ip routing
no ip cef
ip domain name www.pc1.com
ip address dhcp
no ip route-cache
no cdp run
PC2:
pc2#show run
hostname pc2
ip domain name www.pc2.com
interface Ethernet0/0
SERVER:
r7#
hostname r7
ip domain name zengfei.com
ip host www.zengfei.com 17.7.7.7
ip host www.pc1.com 192.168.20.3
ip host www.pc2.com 192.168.30.3
no ip dhcp use vrf connected
ip dhcp pool cisco
network 192.168.20.0 255.255.255.0
default-router 192.168.20.100
dns-server 17.7.7.7
lease 2
ip dhcp pool san
network 192.168.30.0 255.255.255.0
default-router 192.168.30.100
domain-name pc2.com
username cisco password 0 cisco
interface Loopback0
ip address 17.7.7.7 255.255.255.0
ip address 192.168.40.2 255.255.255.252
interface Serial0/1
ip address 192.168.40.6 255.255.255.252
line con 0
line aux 0
line vty 0 4
privilege level 5
no login
R8:
R8#show run
hostname R8
ip address 192.168.40.10 255.255.255.252
interface Ethernet0/2
ip address 192.168.40.18 255.255.255.252
interface Serial2/0
ip address 192.168.40.25 255.255.255.252
encapsulation frame-relay
ip ospf network point-to-multipoint
R9:
R9#show run
hostname R9
frame-relay switching
no ip address
clock rate 64000
frame-relay intf-type dce
frame-relay route 108 interface Serial2/1 810
interface Serial2/1
frame-relay route 810 interface Serial2/0 108
R10:
R10#show run
hostname R10
no ip domain lookup
ip address 10.10.10.10 255.255.255.0
ip address 202.103.77.10 255.255.255.0
ip nat outside
ip virtual-reassembly
ip address 192.168.40.26 255.255.255.252
ip nat inside
network 10.10.10.0 0.0.0.255 area 0
network 192.168.40.24 0.0.0.3 area 0
default-information originate always metric 3
no ip http server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static 17.7.7.7 202.103.78.100
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
R17:
hostname r17
ip inspect max-incomplete high 600
ip inspect tcp finwait-time 40
ip inspect tcp synwait-time 4
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
interface FastEthernet0/0
ip address 192.168.40.14 255.255.255.252
duplex half
ip address 192.168.40.22 255.255.255.252
ip address 202.103.78.7 255.255.255.0
ip access-group 102 in
ip inspect CBAC out
rate-limit input 8000 1500 3000 conform-action transmit exceed-action drop
network 192.168.40.12 0.0.0.3 area 0
network 192.168.40.20 0.0.0.3 area 0
default-information originate
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet2/0
ip nat inside source list 101 interface Ethernet2/0 overload
access-list 102 permit tcp any host 202.103.78.100 eq www
access-list 102 permit icmp any any
access-list 102 deny ip any any
R12:
R12#show run
hostname R12
ip address 202.103.77.12 255.255.255.0
ip address 202.103.78.8 255.255.255.0
interface FastEthernet2/0
ip address 202.103.79.12 255.255.255.0
ip route 13.13.13.0 255.255.255.0 FastEthernet2/0
R13:
r13#show run
hostname r13
ip address 13.13.13.13 255.255.255.0
ip address 202.103.79.13 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
Requirement tests:
1. DHCP:
PC1:show ip interface brief
Ethernet2/0 192.168.20.3 YES DHCP up up
PC2:Ethernet0/0 192.168.30.3 YES DHCP up up
2. Network-wide ping:
pc2#ping 192.168.30.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/325/1092 ms
pc2#ping 192.168.20.3
Sending 5, 100-byte ICMP Echos to 192.168.20.3, timeout is 2 seconds:
.!!!!
pc2#ping 13.13.13.13
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/382/488 ms
pc2#
pc1#ping 192.168.20.100
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/312/1128 ms
pc1#ping 192.168.30.3
Sending 5, 100-byte ICMP Echos to 192.168.30.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/229/456 ms
pc1#ping 13.13.13.13
Success rate is 100 percent (5/5), round-trip min/avg/max = 428/484/544 ms
pc1#
VRRP test:
sw1#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Vl20 1 200 12218 Y Master 192.168.20.1 192.168.20.100
Vl30 2 100 12609 Y Backup 192.168.30.2 192.168.30.100
sw1#
sw2#show vrrp brief
Vl20 1 100 12609 Y Backup 192.168.20.1 192.168.20.100
Vl30 2 200 12531 Y Master 192.168.30.2 192.168.30.100
sw2#
Load balancing between the switches:
PC1:
VLAN20
Spanning tree enabled protocol ieee
Root ID Priority 32768
Address cc05.0a04.0001
Cost 19
Port 42 (FastEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768
Address cc07.0a04.0001
Aging Time 300
Interface Designated
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/1 128.42 128 19 FWD 0 32768 cc05.0a04.0001 128.43
FastEthernet1/2 128.43 128 19 BLK 19 32768 cc06.0a04.0001 128.43
VLAN30
Address cc05.0a04.0002
Address cc07.0a04.0002
FastEthernet1/1 128.42 128 19 FWD 0 32768 cc05.0a04.0002 128.43
FastEthernet1/2 128.43 128 19 BLK 19 32768 cc06.0a04.0002 128.43
NAT test:
r11#
*Apr 22 18:05:55.562: NAT*: s=17.7.7.7->202.103.78.100, d=13.13.13.13 [122]
*Apr 22 18:05:55.918: NAT*: s=13.13.13.13, d=202.103.78.100->17.7.7.7 [122]
*Apr 22 18:06:21.326: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [130]
*Apr 22 18:06:21.394: NAT*: s=192.168.40.2->202.103.78.7, d=13.13.13.13 [131]
*Apr 22 18:06:21.546: NAT*: s=13.13.13.13, d=202.103.78.7->192.168.40.2 [131]
Internal exit backup test:
Default exit working normally:
pc2#traceroute 13.13.13.13
Tracing the route to 13.13.13.13
1 192.168.30.2 276 msec 156 msec 152 msec
2 192.168.40.22 144 msec 208 msec 156 msec
3 202.103.78.8 476 msec 584 msec 364 msec
4 202.103.79.13 300 msec 692 msec *
After the default exit goes DOWN, does traffic go out via the OA network?
1 192.168.30.2 164 msec 156 msec 136 msec
2 192.168.40.18 208 msec 216 msec 140 msec
3 192.168.40.26 300 msec 592 msec 408 msec
4 * 202.103.77.12 476 msec 584 msec
5 202.103.79.13 792 msec 620 msec 384 msec
The internal network reaches the OA network via specific routes:
17.0.0.0/32 is subnetted, 1 subnets
O 17.7.7.7 [110/65] via 192.168.40.6, 00:22:15, Serial0/0
O 192.168.40.25/32 [110/10] via 192.168.40.18, 00:23:05, Ethernet2/1
O 192.168.40.26/32 [110/74] via 192.168.40.18, 00:23:05, Ethernet2/1
Test that external users can only access HTTP (ping permitted):
r13#connect 202.103.78.100
Trying 202.103.78.100 ...
% Destination unreachable; gateway or host down
r13#connect 202.103.78.100 www
Trying 202.103.78.100, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 07:04:31 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 202.103.78.100 closed by foreign host]
r13#ping 202.103.78.100
Sending 5, 100-byte ICMP Echos to 202.103.78.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/434/604 ms
r13#
Can OA users access all services on the internal network:
R10#ping 17.7.7.7
Sending 5, 100-byte ICMP Echos to 17.7.7.7, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/316/384 m
R10#telnet 17.7.7.7
Trying 17.7.7.7 ... Open
r7#exit
[Connection to 17.7.7.7 closed by foreign host]
R10#connect 17.7.7.7 www
Trying 17.7.7.7, 80 ... Open
Date: Fri, 01 Mar 2002 07:05:58 GMT
R10#
Restricting the external network does not affect internal users' normal access to it:
Success rate is 80 percent (4/5), round-trip min/avg/max = 216/322/400 ms
pc2#telnet 13.13.13.13
Trying 13.13.13.13 ... Open
Password required, but none set
[Connection to 13.13.13.13 closed by foreign host]
pc2#connect 13.13.13.13 www
Trying 13.13.13.13, 80 ... Open
Date: Fri, 01 Mar 2002 04:55:01 GMT
The anti-DDoS test for the internal HTTP server is omitted.
Because of an IOS problem, for the DNS server test I can only give the commands:
ip dns server
ip domain name cisco.com
This was done in a hurry; if anything is inappropriate, I would appreciate your corrections.
Note: when doing the VRRP lab, the PC clients may be unable to ping the virtual gateway; I am not really sure of the cause, as it works intermittently. As a workaround, you can lengthen the VRRP advertisement timer, or do shut and then no shutdown under the VLAN interface. I guess the problem appears during the master/backup role transition; I do not know whether it also occurs on real hardware.
This article is reposted from the Bruce_F5 51CTO blog; original link: http://blog.51cto.com/zenfei/551551