Access layer: the ASW switch
Aggregation layer: the network is simple, so this case has no aggregation layer
Core layer: CSW01 and CSW02 are combined with IRF virtualization, i.e. stacking
As shown in the figure below, Host_1 is a local host; PC_1's DHCP server and gateway sit on the core; the two sides use VLANs 98 and 99; CSW01 and CSW02 form an IRF fabric; the firewall and the router act as the gateway devices toward the outside network; ISP is the carrier.
Because of IRF's restrictions, do the IRF virtualization first, while none of the devices has any configuration yet:
chassis convert mode irf  // switch to IRF mode; if routers are being stacked, they need to be converted to Layer 3 mode
CSW01-IRF:
int range t1/0/51 t1/0/52
shutdown
qu
irf-port 1/1
port group int t1/0/51
port group int t1/0/52
qu
int range t1/0/51 t1/0/52
undo shutdown
save
irf-port-configuration active
CSW02-IRF:
irf member 1 renumber 2  # this step is mandatory
qu  # quit to user view, then reboot
reboot
int range t2/0/51 t2/0/52
shutdown
qu
irf-port 2/2
port group int t2/0/51
port group int t2/0/52
qu
int range t2/0/51 t2/0/52
undo shutdown
save
irf-port-configuration active
dis irf
dis int brief  # if interfaces numbered 2/0/... now appear, the IRF virtualization succeeded
Link aggregation between ASW and CSW01
# create BAGG 1 and 2 (each takes one member port from each IRF member)
int Bridge-Aggregation 1
int Bridge-Aggregation 2
int range g1/0/2 g2/0/2
port link-aggregation group 1
int range g1/0/48 g2/0/48
port link-aggregation group 2
ASW
interface Bridge-Aggregation 1
qu
int range g1/0/47 g1/0/48
port link-aggregation group 1
Link aggregation between CSW01 and the FW firewall
FW
int Route-Aggregation 1
int range g1/0/0 g1/0/1
port link-aggregation group 1
CSW01: configure VLANs, interface IP addresses and the default route
[CSW01]vlan 98 to 99
[CSW01]vlan 100
[CSW01]interface Vlan-interface 100
[CSW01-Vlan-interface100]ip address 16.2.1.1 30
[CSW01]ip route-static 0.0.0.0 0 16.2.1.2
CSW01: configure DHCP and the gateway for PC_1 and Host_1
dhcp enable
dhcp server ip-pool dhcp
network 16.2.98.0 24
dns-list 114.114.114.114
gateway-list 16.2.98.254
qu
dhcp server forbidden-ip 16.2.98.200 16.2.98.254
interface Vlan-interface 98
ip address 16.2.98.254 24
interface Vlan-interface 99
ip address 16.2.99.254 24
interface Vlan-interface 100
ip address 16.2.1.2 30
FW: configure routes for the private network
[FW]ip route-static 0.0.0.0 0 200.0.0.1
[FW]ip route-static 16.82.0.0 16 16.82.100.1
FW: configure the ACL and NAT
[FW]interface g1/0/23
[FW-GigabitEthernet1/0/23]nat outbound 2000
[FW-GigabitEthernet1/0/23]qu
[FW]acl basic 2000
[FW-acl-ipv4-basic-2000]rule permit source 16.82.0.0 0.0.255.255
Configure the security policy
admin  # firewall login username
admin  # firewall login password
1. Add the ports to security zones: security-zone
2. Configure the security policy: security-policy
security-zone name trust
import interface g1/0/0
import interface g1/0/1
import interface Route-Aggregation 1
security-zone name untrust
import interface g1/0/23
security-policy ip
rule name trust2untrust
source-zone trust
destination-zone untrust
destination-ip 210  # references the 210 address object group: only 210 can be reached
action pass  # action
dis session table ipv4
object-group ip address 210
network host address 210.0.0.1  # add the destination host that may be reached
network subnet 16.82.10.0 255.255.255.0  # add the destination subnet that may be reached
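A small offline checker for the destination restriction above, added here as an example (it is neither from the page nor H3C code): it parses the object-group 210 and trust2untrust text as written in this lab, answers whether a given destination would be passed by the rule, and flags any pass rule that carries no destination-ip at all. A second rule named wide-open is constructed only so the audit has something to flag; it is not part of the lab.

```python
import ipaddress
# Constructed config excerpt: object group 210 and rule trust2untrust as in the lab,
# plus a hypothetical "wide-open" rule (no destination-ip) that is NOT on the page.
FW_CONFIG = """\
object-group ip address 210
 network host address 210.0.0.1
 network subnet 16.82.10.0 255.255.255.0
security-policy ip
 rule name trust2untrust
  source-zone trust
  destination-zone untrust
  destination-ip 210
  action pass
 rule name wide-open
  source-zone trust
  destination-zone untrust
  action pass
"""

def parse_fw_config(text):
    """Return ({group: [networks]}, {rule: {'dst': group or None, 'action': str}})."""
    groups, rules, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        p = line.split()
        if line.startswith("object-group ip address "):
            cur = groups.setdefault(p[3], [])
        elif line.startswith("network host address "):
            cur.append(ipaddress.ip_network(p[3] + "/32"))
        elif line.startswith("network subnet "):  # address followed by a dotted mask
            cur.append(ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False))
        elif line.startswith("rule name "):
            cur = rules.setdefault(p[2], {"dst": None, "action": None})
        elif line.startswith("destination-ip "):
            cur["dst"] = p[1]
        elif line.startswith("action "):
            cur["action"] = p[1]
    return groups, rules

GROUPS, RULES = parse_fw_config(FW_CONFIG)

def rule_allows_destination(rule_name, dst, groups=GROUPS, rules=RULES):
    """True if this pass rule matches a packet to dst; no destination-ip means any."""
    r = rules[rule_name]
    if r["action"] != "pass":
        return False
    return r["dst"] is None or any(ipaddress.ip_address(dst) in n for n in groups[r["dst"]])

def unrestricted_pass_rules(rules=RULES):
    """Audit: pass rules with no destination-ip object, i.e. any destination is allowed."""
    return [n for n, r in rules.items() if r["action"] == "pass" and r["dst"] is None]
```

Run `unrestricted_pass_rules()` against an exported policy before committing it; an empty list means every pass rule is pinned to an address object as trust2untrust is.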
ISP: configure the loopback address and the interface address:
int g0/0
ip address 200.0.0.1 24
int LoopBack 0
ip address 210.0.0.1 30
Configure PC_1; I used a static address here, but obtaining one dynamically also works.
Finally, test connectivity with the ping command.
Troubleshooting:
Internal network unreachable: first check the IP address, then the gateway, then whether the aggregation ports allow the traffic through and whether the VLANs are permitted,