# 使用 eNSP 搭建中小型企业网 局域网内的核心技术: * 利用 VLAN 进行业务隔离; * 通过 STP 技术来防止环路,保证冗余链路的正常通信; * 使用 VRRP 技术来实现负载分担以及防止单点故障; * 利用 OSPF 协议使得总部和分布的网络能够正常通信; * 运用 ACL 和 NAT 对数据流进行控制和去外网通信。 ### 实验拓扑图 ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic1.png) 实验目的: 1. 使用 VLAN 进行业务隔离,方便随时切断各部门连接 2. 使用 VLAN 间路由让各 VLAN 之间能够通信 3. PC 能够自动获取 IP 4. 外网主机能够访问服务器 5. 让任意两个 PC 能够访问外网,另外两个不能访问 ### 实验配置 #### (1)vlan 间路由 * **接入层交换机 LSW3** **创建 VLAN** ```sh [LSW3]vlan 10 [LSW3-vlan10]vlan 20 [LSW3-vlan20]quit ``` **配置与主机相连的接口为Access并绑定VLAN** ```sh [LSW3]interface e0/0/1 [LSW3-Ethernet0/0/1]undo shutdown Info: Interface Ethernet0/0/1 is not shutdown. [LSW3-Ethernet0/0/1]port link-type access [LSW3-Ethernet0/0/1]port default vlan 10 [LSW3-Ethernet0/0/1]int e0/0/2 [LSW3-Ethernet0/0/2]port link-t a [LSW3-Ethernet0/0/2]port de vlan 20 ``` **配置与交换机相连的接口为 Trunk 并允许所有 VLAN 通过** ```sh [LSW3-Ethernet0/0/2]int e0/0/3 [LSW3-Ethernet0/0/3]port link-t t [LSW3-Ethernet0/0/3]port t allow vlan all [LSW3-Ethernet0/0/3]int e0/0/4 [LSW3-Ethernet0/0/4]port link-t t [LSW3-Ethernet0/0/4]port t allow vlan all [LSW3-Ethernet0/0/4]quit ``` * **接入层交换机 LSW4** **与 LSW3 类似,创建 VLAN,设置接口即可** ```sh [LSW4]vlan 30 [LSW4-vlan30]vlan 40 [LSW4-vlan40]quit [LSW4]int e0/0/1 [LSW4-Ethernet0/0/1]port link-t a [LSW4-Ethernet0/0/1]port de vlan 30 [LSW4-Ethernet0/0/1]int e0/0/2 [LSW4-Ethernet0/0/2]port link-t a [LSW4-Ethernet0/0/2]port de vlan 40 [LSW4-Ethernet0/0/2]int e0/0/3 [LSW4-Ethernet0/0/3]port link-t t [LSW4-Ethernet0/0/3]port t allow vlan all [LSW4-Ethernet0/0/3]int e0/0/4 [LSW4-Ethernet0/0/4]port link-t t [LSW4-Ethernet0/0/4]port t allow vlan all [LSW4-Ethernet0/0/4]quit ``` * **核心层交换机 LSW1** **创建 VLAN** ```sh [LSW1]vlan 10 [LSW1-vlan10]vlan 20 [LSW1-vlan20]vlan 30 [LSW1-vlan30]vlan 40 [LSW1-vlan40]vlan 50 [LSW1-vlan50]quit ``` **与交换机相连接口设为 Trunk 并允许所有 VLAN 通过** ```sh [LSW1]int g0/0/1 [LSW1-GigabitEthernet0/0/1]port link-t t [LSW1-GigabitEthernet0/0/1]port t allow vlan all [LSW1-GigabitEthernet0/0/1]int g0/0/3 [LSW1-GigabitEthernet0/0/3]port link-t t [LSW1-GigabitEthernet0/0/3]port t allow vlan all [LSW1-GigabitEthernet0/0/3]int g0/0/2 [LSW1-GigabitEthernet0/0/2]port link-t t [LSW1-GigabitEthernet0/0/2]port t allow vlan all ``` **服务器接入 VLAN50,将将与服务器相连的接口设为 Access 口并绑定 VLAN50** ```sh [LSW1-GigabitEthernet0/0/2]int g0/0/5 [LSW1-GigabitEthernet0/0/5]port link-t a [LSW1-GigabitEthernet0/0/5]port de vlan 50 [LSW1-GigabitEthernet0/0/5]quit ``` **给连接路由器的接口绑定 VLAN60,方便配置地址** ```sh [LSW1]vlan 60 [LSW1-vlan60]int g0/0/4 [LSW1-GigabitEthernet0/0/4]port link-t a [LSW1-GigabitEthernet0/0/4]port de vlan 60 [LSW1-GigabitEthernet0/0/4]quit ``` **给 VLAN 分配 IP 地址(配置真实网关)** ```sh [LSW1]int vlan 10 [LSW1-Vlanif10]ip add 192.168.10.1 24 [LSW1-Vlanif10]int vlan 20 [LSW1-Vlanif20]ip add 192.168.20.1 24 [LSW1-Vlanif20]int vlan 30 [LSW1-Vlanif30]ip add 192.168.30.1 24 [LSW1-Vlanif30]int vlan 40 [LSW1-Vlanif40]ip add 192.168.40.1 24 [LSW1-Vlanif40]int vlan 50 [LSW1-Vlanif50]ip add 192.168.50.1 24 [LSW1-Vlanif50]int vlan 60 [LSW1-Vlanif60]ip add 192.168.60.1 24 [LSW1-Vlanif60]quit ``` * **核心层交换机 LSW2** **与 LSW1 类似,创建 VLAN、配置好接口、设置真实网关(与 S1 地址不同)** ```sh [LSW2]vlan 10 [LSW2-vlan10]vlan 20 [LSW2-vlan20]vlan 30 [LSW2-vlan30]vlan 40 [LSW2-vlan40]quit [LSW2]int g0/0/1 [LSW2-GigabitEthernet0/0/1]port link-t t [LSW2-GigabitEthernet0/0/1]port t allow vlan all [LSW2-GigabitEthernet0/0/1]int g0/0/2 [LSW2-GigabitEthernet0/0/2]port link-t t [LSW2-GigabitEthernet0/0/2]port t allow vlan all [LSW2-GigabitEthernet0/0/2]int g0/0/3 [LSW2-GigabitEthernet0/0/3]port link-t t [LSW2-GigabitEthernet0/0/3]port t allow vlan all [LSW2-GigabitEthernet0/0/3]quit [LSW2]vlan 70 [LSW2-vlan70]int g0/0/4 [LSW2-GigabitEthernet0/0/4]port link-t a [LSW2-GigabitEthernet0/0/4]port de vlan 70 [LSW2-GigabitEthernet0/0/4]quit [LSW2]int vlan 10 [LSW2-Vlanif10]ip add 192.168.10.2 24 [LSW2-Vlanif10]int vlan 20 [LSW2-Vlanif20]ip add 192.168.20.2 24 [LSW2-Vlanif20]int vlan 30 [LSW2-Vlanif30]ip add 192.168.30.2 24 [LSW2-Vlanif30]int vlan 40 [LSW2-Vlanif40]ip add 192.168.40.2 24 [LSW2-Vlanif40]int vlan 70 [LSW2-Vlanif70]ip add 192.168.70.2 24 [LSW2-Vlanif70]quit ``` #### (2)DHCP 的搭建 * **客户端开启 DHCP** ![img](https://cdn.wallleap.cn/img/pic/illustration/clip_image002-1596792968009.jpg) * **核心交换机 LSW1 和 LSW2 上配置 DHCP 服务** **开启 DHCP 服务** ```sh [SW1]dhcp enable Info: The operation may take a few seconds. Please wait for a moment.done. ``` **创建地址池 vlan10、vlan20、vlan30、vlan40,其中 `$` 代表 `1`\~`4`,网关使用之后配置的虚拟网关** ```sh [LSW1]ip pool vlan$0 Info:It's successful to create an IP address pool. [LSW1-ip-pool-vlan$0]gateway-list 192.168.10.254 [LSW1-ip-pool-vlan$0]network 192.168.$0.0 mask 255.255.255.0 [LSW1-ip-pool-vlan$0]quit ``` **VLAN 绑定地址池** ```sh [LSW1]int vlan $0 [LSW1-Vlanif$0]dhcp select global [LSW1-Vlanif$0]quit ``` **LSW1 排除地址** ```sh [LSW1-ip-pool-vlan$0]excluded-ip-address 192.168.$0.3 192.168.$0.127 ``` **LSW2 排除地址** ```sh [LSW2-ip-pool-vlan$0]ex 192.168.$0.128 192.168.$0.253 ``` #### (3) STP+VRRP 的配置 * **汇聚层交换机 LSW3、LSW4 只需要开启 STP 即可** ```sh [LSW3]stp mode stp Info: This operation may take a few seconds. Please wait for a moment...done. [LSW4]stp mode stp Info: This operation may take a few seconds. Please wait for a moment...done. ``` * **核心层 LSW1 配置** **开启 STP** ```sh [LSW1]stp mode stp Info: This operation may take a few seconds. Please wait for a moment...done. ``` **设置 LSW1 为根桥** ```sh [LSW1]stp priority 0 ``` 配置 VRRP,LSW1 是 VLAN10、VLAN20 的 Master,当上层接口错误时,自动降低优先级,让 LSW2 成为Master ```sh [LSW1]int vlan 10 [LSW1-Vlanif10]vrrp vrid 10 vi 192.168.10.254 [LSW1-Vlanif10]vrrp vrid 10 prio 120 [LSW1-Vlanif10]vrrp vrid 10 track int g0/0/4 reduce 30 [LSW1-Vlanif10]int vlan 20 [LSW1-Vlanif20]vrrp vrid 20 vi 192.168.20.254 [LSW1-Vlanif20]vrrp vrid 20 prio 120 [LSW1-Vlanif20]vrrp vrid 20 track int g0/0/4 re 30 [LSW1-Vlanif20]int vlan 30 [LSW1-Vlanif30]vrrp vrid 30 vi 192.168.30.254 [LSW1-Vlanif30]int vlan 40 [LSW1-Vlanif40]vrrp vrid 40 vi 192.168.40.254 [LSW1-Vlanif40]quit ``` * **核心层 LSW2 配置** 开启 STP,并将优先级设为 4096 ```sh [LSW2]stp mode stp Info: This operation may take a few seconds. Please wait for a moment...done. [LSW2]stp prio 4096 ``` 配置 VRRP,LSW2 是 VLAN30、VLAN40 的 Master,当上层接口错误时,自动降低优先级,让 LSW1 成为 Master ```sh [LSW2]int vlan 10 [LSW2-Vlanif10]vrrp vrid 10 vi 192.168.10.254 [LSW2-Vlanif10]int vlan 20 [LSW2-Vlanif20]vrrp vrid 20 vi 192.168.20.254 [LSW2-Vlanif20]int vlan 30 [LSW2-Vlanif30]vrrp vrid 30 vi 192.168.30.254 [LSW2-Vlanif30]vrrp vrid 30 prio 120 [LSW2-Vlanif30]vrrp vrid 30 track int g0/0/4 re 30 [LSW2-Vlanif30]int vlan 40 [LSW2-Vlanif40]vrrp vrid 40 vi 192.168.40.254 [LSW2-Vlanif40]vrrp vrid 40 prio 120 [LSW2-Vlanif40]vrrp vrid 40 track int g0/0/4 re 30 [LSW2-Vlanif40]quit ``` #### (4)OSPF 的搭建 * **LSW1 OSPF 配置** **查看接口 IP** ```sh [LSW1]dis ip int br Interface IP Address/Mask Physical Protocol MEth0/0/1 unassigned down down NULL0 unassigned up up(s) Vlanif1 unassigned up down Vlanif10 192.168.10.1/24 up up Vlanif20 192.168.20.1/24 up up Vlanif30 192.168.30.1/24 up up Vlanif40 192.168.40.1/24 up up Vlanif50 192.168.50.1/24 up up Vlanif60 192.168.60.1/24 up up ``` **根据所有 IP 宣告相应网段** ```sh [LSW1]ospf 1 [LSW1-ospf-1]area 0.0.0.0 [LSW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255 [LSW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255 [LSW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255 [LSW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255 [LSW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255 [LSW1-ospf-1-area-0.0.0.0]net 192.168.60.0 0.0.0.255 [LSW1-ospf-1-area-0.0.0.0]quit [LSW1-ospf-1]qu ``` * **LSW2 OSPF 配置** **与 LSW1 类似** ```sh [LSW2]dis ip int br Interface IP Address/Mask Physical Protocol MEth0/0/1 unassigned down down NULL0 unassigned up up(s) Vlanif1 unassigned up down Vlanif10 192.168.10.2/24 up up Vlanif20 192.168.20.2/24 up up Vlanif30 192.168.30.2/24 up up Vlanif40 192.168.40.2/24 up up Vlanif70 192.168.70.2/24 up up [LSW2]ospf 1 [LSW2-ospf-1]area 0.0.0.0 [LSW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255 [LSW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255 [LSW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255 [LSW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255 [LSW2-ospf-1-area-0.0.0.0]net 192.168.70.0 0.0.0.255 [LSW2-ospf-1-area-0.0.0.0]quit [LSW2-ospf-1]quit ``` #### (5)ACL+NAT * **AR1 上 ACL+NAT 配置** **Easy IP:** **配置基本 ACL 并添加规则,允许 VLAN10、VLAN30、VLAN50 访问外网,VLAN20、40 不能访问** ```sh [AR1]acl number 2000 [AR1-acl-basic-2000]rule 0 per source 192.168.10.0 0.0.0.255 [AR1-acl-basic-2000]rule 5 per source 192.168.30.0 0.0.0.255 [AR1-acl-basic-2000]rule 10 per source 192.168.50.0 0.0.0.255 [AR1-acl-basic-2000]quit ``` **绑定规则到外网端口** ```sh [AR1]int g0/0/2 [AR1-GigabitEthernet0/0/2]nat outbound 2000 ``` **静态 NAT,将服务器内网地址转为一个专门的公有 IP** ```sh [AR1-GigabitEthernet0/0/2]nat static global 200.200.200.10 inside 192.168.50.253 [AR1-GigabitEthernet0/0/2]quit ``` #### (6)路由器 OSPF 协议的配置 * **AR1 OSPF 配置** **配置接口 IP** ```sh [AR1]int g0/0/0 [AR1-GigabitEthernet0/0/0]ip add 192.168.60.100 24 Sep 26 2019 09:54:53-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state. [AR1-GigabitEthernet0/0/0]int g0/0/1 [AR1-GigabitEthernet0/0/1]ip add 192.168.70.100 24 Sep 26 2019 09:55:16-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state. [AR1-GigabitEthernet0/0/1]int g0/0/2 [AR1-GigabitEthernet0/0/2]ip add 200.200.200.1 24 Sep 26 2019 09:56:09-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/2 has entered the UP state. [AR1-GigabitEthernet0/0/2]quit ``` **查看接口地址** ```sh [AR1]dis ip int br Interface IP Address/Mask Physical Protocol GigabitEthernet0/0/0 192.168.60.100/24 up up GigabitEthernet0/0/1 192.168.70.100/24 up up GigabitEthernet0/0/2 200.200.200.1/24 up up NULL0 unassigned up up(s) ``` **宣告地址段** ```sh [AR1]ospf 1 [AR1-ospf-1]area 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]net 192.168.60.0 0.0.0.255 [AR1-ospf-1-area-0.0.0.0]net 192.168.70.0 0.0.0.255 [AR1-ospf-1-area-0.0.0.0]net 200.200.200.0 0.0.0.255 [AR1-ospf-1-area-0.0.0.0]quit [AR1-ospf-1]quit ``` **配置到外网的默认路由,并加入到 OSPF 中** ```sh [AR1]ip route-static 0.0.0.0 0.0.0.0 200.200.200.100 [AR1]ospf 1 [AR1-ospf-1]default-route-advertise [AR1-ospf-1]quit ``` #### (7)路由器 AR2 的配置 ```sh [AR2]int g0/0/0 [AR2-GigabitEthernet0/0/0]ip add 200.200.200.100 24 [AR2-GigabitEthernet0/0/0]int g0/0/1 [AR2-GigabitEthernet0/0/1]ip add 200.200.201.1 24 [AR2-GigabitEthernet0/0/1]quit ``` ### 结果测试 #### 1、内网电脑之间进行通信 ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic3.png) PC1 能够 ping 通其他四个 VLAN 内的主机 #### 2、内网主机动态获取 IP 地址 ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic2.png) ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic4.png) PC 配置 DHCP 能够自动获取 IP #### 3、内网主机访问外网 ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic5.png) ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic6.png) ![img](https://cdn.wallleap.cn/img/pic/web-HCL9/pic7.png) PC1、PC3 和 Server1 能够 ping 通外网的主机,PC2 和 PC4 ping 通 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://wallleap.gitbook.io/blog/ji-shu-za-tan/shi-yong-ensp-da-jian-zhong-xiao-xing-qi-ye-wang.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.