苏州CCNP交换综合实验--思朋信息

综合实验

实验目的:

1、熟练配置二层式网络

2、了解交换机安全及配置

实验拓扑图:

实验说明:

此实验为典型的2层式构架网络,中小型网络常采用此构架.

实验要求：

1) core-1与core-2的相互接口做成ethernetchannel 30.

再将ethernetchannel30设置成trunk模式.

Ed-sw,SF-sw与Core-1,Core-2互连的接口也设置成trunk模式,并验证. interface range fa0/23 - 24

switchport trunk encapsulation dot1q

switch mode trunk

channel-group 30 mode on

interface Port-channel 30

switchport trunk encapsulation dot1q

switchport mode trunk

Core1(config)#int range fa0/21-22

Core1(config-if-range)#switchport mode trunk

Core1(config-if-range)#switchport trunk encapsulation dot1q

2) core-1,core-2,edge-sw,FS-sw设置成同一vtp domain,domain name为step-lab,password为step-lab

core-1,core-2设置为vtp server模式

edge-sw,SF-SW设置为vtp client模式

在core-1上增加vlan64,65,66,67,95

在core-2,edge-sw,SF-SW学到vlan信息后,把所有交换机的vtp模式设置成transparent.

Core1(config)#vtp domain step_lab

Core1(config)#vtp mode server

Core1(config)#vlan 64,65,66,67,95

Core1(config)#vtp mode transparent

3) 设置Core-1为vlan1,64,65的STP主根,为vlan66,67,95的备份STP根.

设置Core-2为vlan66,67,95的STP主根,为vlan1,64,65的备份STP根. Core1(config)#spanning-tree vlan 1,64,65 root primary

Core1(config)#spanning-tree vlan 66,67,95 root secondary

Core2(config)#spanning-tree vlan 1,64,65 root secondary

Core2(config)#spanning-tree vlan 66,67,95 root primary

4) core-1的1-5 port划分到vlan 64

core-1的6-10 port划分到vlan 65

core-1的11-15 port划分到vlan 66

core-1的16-20 port划分到vlan 67

把这些port设置成生成树快速转发模式,启用bpduguard,并测试.

启用vlan64,65 port的port-security功能,限制每个port只能学习5个mac地址.

Core1(config)#int range fa0/1-5

Core1(config-if-range)#switchport access vlan 64

Core1(config-if-range)#switchport mode access

Core1(config)#int range fa0/6-10

Core1(config-if-range)#switchport access vlan 65

Core1(config-if-range)#switchport mode access

Core1(config)#int range fa0/11-15

Core1(config-if-range)#switchport access vlan 66

Core1(config-if-range)#switchport mode access

Core1(config)#int range fa0/16-20

Core1(config-if-range)#switchport access vlan 67

Core1(config-if-range)#switchport mode access

Core1(config)#int range fa0/1-20

Core1(config-if-range)#spanning-tree portfast

Core1(config-if-range)#spanning-tree bpduguard enable

Core1(config)#int range fa0/1-10

Core1(config-if-range)#switchport port-security maximum 5

5) core-2的1-5 port划分到vlan 64

core-2的6-10 port划分到vlan 65

core-2的11-15 port划分到vlan 66

core-2的16-20 port划分到vlan 67

把这些port设置成生成树快速转发模式,禁止这些port收发BPDU信息,并测试.

设置这些port只接收1M/s的broadcast数据包,2M/s的multicast数据包. int range fa0/1-5

switchport access vlan 64

switchport mode access

int range fa0/6-10

switchport access vlan 65

switchport mode access

int range fa0/11-15

switchport access vlan 66

switchport mode access

int range fa0/16-20

switchport access vlan 67

switchport mode access

Core2(config)#int range fa0/1-20

Core2(config-if-range)#spanning-tree portfast

Core2(config-if-range)#spanning-tree bpduguard enable

Core2(config-if-range)#storm-control broadcast level pps 1m Core2(config-if-range)#storm-control multicast level pps 2m 6) 设置vlan ip address:

core-1 vlan64: 10.9.64.253/24

core-1 vlan65: 10.9.65.253/24

core-1 vlan66: 10.9.66.253/24

core-1 vlan67: 10.9.67.253/24

core-1 vlan95: 10.9.95.253/24

core-1 loopback0: 10.9.100.1/32

core-1与R1互联的接口: 10.9.96.10/30

int vlan 64

no shut

ip add 10.9.64.253 255.255.255.0

int vlan 65

no shut

ip add 10.9.65.253 255.255.255.0

int vlan 66

no shut

ip add 10.9.66.253 255.255.255.0

no shut

ip add 10.9.67.253 255.255.255.0

int vlan 95

no shut

ip add 10.9.95.253 255.255.255.0

int loopback 0

ip add 10.9.100.1 255.255.255.255

int fa0/3

no switchport

ip add 10.9.96.10 255.255.255.252

no shut

core-2 vlan64: 10.9.64.252/24

core-2 vlan65: 10.9.65.252/24

core-2 vlan66: 10.9.66.252/24

core-2 vlan67: 10.9.67.252/24

core-2 vlan95: 10.9.95.252/24

core-2 loopback0: 10.9.100.2/32

core-2与R1互联的接口: 10.9.96.6/30

int vlan 64

no shut

ip add 10.9.64.252 255.255.255.0

int vlan 65

no shut

ip add 10.9.65.252 255.255.255.0

int vlan 66

no shut

ip add 10.9.66.252 255.255.255.0

no shut

ip add 10.9.67.252 255.255.255.0

int vlan 95

no shut

ip add 10.9.95.252 255.255.255.0

int loopback 0

ip add 10.9.100.2 255.255.255.255

int fa0/4

no switchport

ip add 10.9.96.6 255.255.255.252

no shut

sw2 vlan95: 10.9.95.1/24,缺省网关为10.9.95.254,测试可以相互ping通. int vlan 95

no shut

ip add 10.9.95.1 255.255.255.0

exit

ip default-gateway 10.9.95.254

sw1 vlan95:10.9.95.2/24,缺省网关为10.9.95.254,测试可以相互ping通.

int vlan 95

no shut

ip add 10.9.95.2 255.255.255.0

exit

ip default-gateway 10.9.95.254

7) sw2上启用uplinkfast,并验证.

sw2(config)#spanning-tree uplinkfast

8) Core-1与Core-2的每个vlan接口都做HSRP,

core-1设置成vlan64,65主用设备.

core-2设置成vlan66,67,95主用设备.

虚拟的IP地址为:10.9.xx.254/24,xx为vlan NO.

Core1(config)#int vlan 64

Core1(config-if)#standby 1 ip 10.9.64.254

Core1(config-if)#standby 1 priority 105

Core1(config-if)#standby 1 preempt

Core1(config-if)#standby 1 track fastEthernet 0/3 20 Core1(config-if)#exit

Core1(config)#int vlan 65

Core1(config-if)#standby 1 ip 10.9.65.254

Core1(config-if)#standby 1 priority 105

Core1(config-if)#standby 1 preempt

Core1(config-if)#standby 1 track fastEthernet 0/3 20 Core1(config-if)#exit

Core1(config)#int vlan 66

Core1(config-if)#standby 1 ip 10.9.66.254

Core1(config-if)#standby 1 preempt

Core1(config-if)#exit

Core1(config)#int vlan 67

Core1(config-if)#standby 1 ip 10.9.67.254

Core1(config-if)#standby 1 preempt

Core1(config-if)#exit

Core1(config)#int vlan 95

Core1(config-if)#standby 1 ip 10.9.95.254

Core1(config-if)#standby 1 preempt

Core1(config-if)#exit

Core2中：int vlan 66

standby 1 ip 10.9.66.254

standby 1 priority 105

standby 1 preempt

standby 1 track fastEthernet 0/4 20

exit

int vlan 67

standby 1 ip 10.9.67.254

standby 1 priority 105

standby 1 preempt

standby 1 track fastEthernet 0/4 20

exit

int vlan 95

standby 1 ip 10.9.95.254

standby 1 track fastEthernet 0/4 20

standby 1 preempt

exit

int vlan 64

standby 1 ip 10.9.64.254

standby 1 preempt

exit

int vlan 65

standby 1 ip 10.9.65.254

standby 1 preempt

exit

9) 设置R1:

F0/0:10.9.96.9/30

F0/1:10.9.96.5/30

loopback0:10.9.100.3/32

R1,core-1,core-2启用eigrp路由协议,使所有网络互通,并验证. int fa0/0

ip add 10.9.96.9 255.255.255.252

no shut

exit

int fa0/1

ip add 10.9.96.5 255.255.255.252

no shut

exit

int loopback 0

ip add 10.9.100.3 255.255.255.255

exit

router eigrp 100

network 10.0.0.0

no auto-summary

Core1(config-router)#ip routing

Core1(config-router)#router eigrp 100

Core1(config-router)#network 10.0.0.0

Core1(config-router)#no auto-summary

Core2(config)#ip routing

Core2(config)#router eigrp 100

Core2(config-router)#network 10.0.0.0

Core2(config-router)#no auto-summary

10) R1上启用dhcp server功能,为以下网段提供dhcp服务:

10.9.64.0/24

10.9.65.0/24

10.9.66.0/24

10.9.67.0/24

分配10.9.xx.11-10.9.xx.200,xx为vlan NO

DNS server: 10.9.100.3

Default-gateway: 10.9.xx.254

Domain-name: https://www.doczj.com/doc/c43612676.html,

并在core-1,core-2的VLAN接口上启用DHCP广播重定向功能,从定向到R1这台DHCP Server,使dhcp server能够正常为PC提供IP地址服务//默认arp 请求只会发到core的下层接口，使用ip helper-address **来实现广播重定向R1(config)#ip dhcp pool test

network 10.9.64.0 255.255.255.0

dns-server 10.9.100.3

default-router 10.9.64.254

domain-name https://www.doczj.com/doc/c43612676.html,

exit

ip dhcp pool test1

network 10.9.65.0 255.255.255.0

dns-server 10.9.100.3

default-router 10.9.65.254

domain-name https://www.doczj.com/doc/c43612676.html,

exit

ip dhcp pool test2

network 10.9.66.0 255.255.255.0

dns-server 10.9.100.3

default-router 10.9.66.254

domain-name https://www.doczj.com/doc/c43612676.html,

exit

ip dhcp pool test3

network 10.9.67.0 255.255.255.0

dns-server 10.9.100.3

default-router 10.9.67.254

domain-name https://www.doczj.com/doc/c43612676.html,

exit

ip dhcp excluded-address 10.9.64.201 10.9.64.254 ip dhcp excluded-address 10.9.64.1 10.9.64.10

ip dhcp excluded-address 10.9.65.201 10.9.65.254 ip dhcp excluded-address 10.9.65.1 10.9.65.10

ip dhcp excluded-address 10.9.66.201 10.9.66.254 ip dhcp excluded-address 10.9.66.1 10.9.66.10

ip dhcp excluded-address 10.9.67.201 10.9.67.254 ip dhcp excluded-address 10.9.67.1 10.9.67.10

Core1(config)#int vlan 64

Core1(config-if)#ip helper-address 10.9.96.9 Core1(config-if)#exit

Core1(config)#int vlan 65

Core1(config-if)#ip helper-address 10.9.96.9 Core1(config-if)#exit

Core1(config)#int vlan 66

Core1(config-if)#ip helper-address 10.9.96.9 Core1(config-if)#exit

Core1(config)#int vlan 67

Core1(config-if)#ip helper-address 10.9.96.9 Core1(config-if)#exit

Core2(config)#int vlan 64

Core2(config-if)#ip helper-address 10.9.96.5

Core2(config-if)#exit

Core2(config)#int vlan 65

Core2(config-if)#ip helper-address 10.9.96.5

Core2(config-if)#exit

Core2(config)#int vlan 66

Core2(config-if)#ip helper-address 10.9.96.5

Core2(config-if)#exit

Core2(config)#int vlan 67

Core2(config-if)#ip helper-address 10.9.96.5

11) 启用sw1 vlan 64-67的ip dhcp snooping功能,并只允许F0/23-24的dhcp reply数据包.

Ip dhcp snooping

sw1(config)#ip dhcp snooping vlan 64

sw1(config)#ip dhcp snooping vlan 65

sw1(config)#ip dhcp snooping vlan 66

sw1(config)#ip dhcp snooping vlan 67

int range fa0/23 -24

ip dhcp snooping trust

12) 测试core-1或者core-2断电时,网络可以正常运行.