Networking requirements: topology as shown below
1. All addresses in the LAN are obtained automatically via DHCP, and hosts within the LAN can reach each other;
2. Departments with different functions sit in different subnets, and the different subnets can communicate with each other;
3. Reception, staff, etc. can access the Internet; surveillance devices (such as time clocks and printers) cannot access the public network;
Design approach: as in the topology diagram above;
Address plan: reception, front desk, etc. belong to vlan 100, IP addresses 192.168.1.X
Surveillance and printers belong to vlan 200, IP addresses 192.168.2.X
Staff, managers, etc. belong to vlan 300, IP addresses 192.168.3.X
Core router: build the DHCP address pools and perform NAT;
Aggregation switch: act as the gateway for the three subnets, run DHCP relay, and connect to the core router;
Access switches: assign each port to the subnet (VLAN) it belongs to.
Configuration:
1. Public-network router configuration:
interface GigabitEthernet0/0/2
ip address 1.1.1.2 255.255.255.0 —interconnect address
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255 —simulated public address
2. Core router configuration:
dhcp enable —enable DHCP globally
#
acl number 2000 —access policy: permit 192.168.1.X and 192.168.3.X to reach public addresses (192.168.2.X is not listed and is therefore not translated)
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.3.0 0.0.0.255
#
ip pool v100 —address pool v100 for vlan 100
gateway-list 192.168.1.254 —gateway
network 192.168.1.0 mask 255.255.255.0 —subnet
excluded-ip-address 192.168.1.253 —remove this address from the pool
dns-list 114.114.114.114 —DNS server
#
ip pool v200 —address pool v200 for vlan 200
gateway-list 192.168.2.254
network 192.168.2.0 mask 255.255.255.0
excluded-ip-address 192.168.2.253
dns-list 114.114.114.114
#
ip pool v300 —address pool v300 for vlan 300
gateway-list 192.168.3.254
network 192.168.3.0 mask 255.255.255.0
excluded-ip-address 192.168.3.253
dns-list 114.114.114.114
#
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.0 —interconnect address towards the aggregation switch
dhcp select global —DHCP uses the global address pools
#
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0 —interconnect address towards the public network
nat outbound 2000 —NAT (Easy IP: the interface's own address is used as the source address for traffic to the public network)
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 —static default route
ip route-static 192.168.0.0 255.255.0.0 10.0.0.2
3. Aggregation switch configuration:
dhcp enable
interface Vlanif99
ip address 10.0.0.2 255.255.255.0 —interconnect address towards the core router, ensures communication
#
interface Vlanif100
ip address 192.168.1.254 255.255.255.0 —vlan 100 gateway
dhcp select relay —enable DHCP relay
dhcp relay server-ip 10.0.0.1 —points to the DHCP server IP (core router address)
#
interface Vlanif200
ip address 192.168.2.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.0.0.1
#
interface Vlanif300
ip address 192.168.3.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.0.0.1
#
interface GigabitEthernet0/0/1 —connects to "access switch 1"
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2 —connects to "access switch 2"
port link-type access
port default vlan 300
#
interface GigabitEthernet0/0/24 —connects to the "core router"
port link-type access
port default vlan 99
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
4. Access switch 1 configuration:
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 100 200
5. Access switch 2 configuration:
interface GigabitEthernet0/0/1
port link-type access
port default vlan 300
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 300
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 300
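Two pieces of the design above are easy to get subtly wrong: the DHCP server at 10.0.0.1 chooses a pool by matching the relay agent address (the Vlanif address the aggregation switch inserts as giaddr) against each pool's network, which is why every `gateway-list` must equal the corresponding Vlanif address; and `nat outbound 2000` only translates sources that hit a permit rule, so vlan 200 is excluded simply by not appearing in the ACL. The following Python script is an added example, not configuration from the page, that transcribes the pools and ACL 2000 as data and models both behaviours: pool selection by giaddr, wildcard-mask matching with first-match-wins ACL evaluation, and a sanity check that each pool's gateway and excluded address lie inside its network. It assumes lowest-free-address allocation for illustration (the device's own allocation order may differ) and treats a non-matching source as "not translated".

```python
import ipaddress

# Address pools from the core router configuration on the page, transcribed as data.
DHCP_POOLS = {
    "v100": {"gateway": "192.168.1.254", "network": "192.168.1.0/24", "excluded": ["192.168.1.253"]},
    "v200": {"gateway": "192.168.2.254", "network": "192.168.2.0/24", "excluded": ["192.168.2.253"]},
    "v300": {"gateway": "192.168.3.254", "network": "192.168.3.0/24", "excluded": ["192.168.3.253"]},
}

# acl number 2000 from the page: (rule id, action, source base, wildcard mask)
ACL_2000 = [
    (0, "permit", "192.168.1.0", "0.0.0.255"),
    (5, "permit", "192.168.3.0", "0.0.0.255"),
]


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: 0 bits must match exactly, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_decision(acl, src):
    """First matching rule wins. A source that matches no rule is not translated
    by 'nat outbound 2000' (modelled here as 'deny')."""
    for rule_id, action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action, rule_id
    return "deny", None


def select_pool(pools, giaddr):
    """Pick the global pool whose network contains the relay agent address.
    giaddr is the Vlanif address of the interface that received the DISCOVER."""
    g = ipaddress.IPv4Address(giaddr)
    for name, pool in pools.items():
        if g in ipaddress.ip_network(pool["network"]):
            return name
    return None


def assignable_addresses(pool):
    """All host addresses minus the gateway and the excluded-ip-address entries."""
    net = ipaddress.ip_network(pool["network"])
    reserved = {ipaddress.IPv4Address(pool["gateway"])}
    reserved |= {ipaddress.IPv4Address(x) for x in pool["excluded"]}
    return [str(h) for h in net.hosts() if h not in reserved]


def check_pool(name, pool):
    """Return a list of configuration problems (empty list means the pool is consistent)."""
    net = ipaddress.ip_network(pool["network"])
    problems = []
    if ipaddress.IPv4Address(pool["gateway"]) not in net:
        problems.append(f"{name}: gateway {pool['gateway']} is outside {net}")
    for x in pool["excluded"]:
        if ipaddress.IPv4Address(x) not in net:
            problems.append(f"{name}: excluded address {x} is outside {net}")
    return problems


def simulate_client(giaddr):
    """Lease the lowest free address (assumption) from the pool chosen for this giaddr,
    then evaluate whether that source would be translated by nat outbound 2000."""
    pool_name = select_pool(DHCP_POOLS, giaddr)
    if pool_name is None:
        return {"pool": None, "address": None, "nat": "no lease", "rule": None}
    addr = assignable_addresses(DHCP_POOLS[pool_name])[0]
    action, rule = acl_decision(ACL_2000, addr)
    return {"pool": pool_name, "address": addr, "nat": action, "rule": rule}


if __name__ == "__main__":
    for name, pool in DHCP_POOLS.items():
        for problem in check_pool(name, pool):
            print("WARN", problem)
    # One relayed request per Vlanif gateway on the aggregation switch.
    for vlan_gw in ("192.168.1.254", "192.168.2.254", "192.168.3.254"):
        print(vlan_gw, simulate_client(vlan_gw))
```

Running it shows vlan 100 and vlan 300 clients leased from v100/v300 and permitted by rules 0 and 5, while the vlan 200 client gets a lease from v200 but no NAT match, which is exactly the behaviour the test results below report. If a `gateway-list` were mistyped so that it no longer fell inside the pool's `network`, `check_pool` would flag it, and `select_pool` would return no pool for that Vlanif, reproducing the classic "relay works but clients get no address" symptom.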
PC configuration is as follows:
Test results are as follows:
The vlan 100 PC has obtained an IP address and can reach the public address
The VLAN 200 PC has obtained an IP address but is denied access to the public network
VLAN 300 PC1 has obtained an IP address and can reach the public IP
VLAN 300 PC2 has obtained an IP address and can reach the public IP
Other subnets within the LAN are reachable
Other subnets within the LAN are reachable
The test results show that PCs in the different subnets obtained IP addresses correctly, and that only the permitted subnets can access the public network.