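Suzhou CCNP Switching Comprehensive Lab (思朋信息)
Comprehensive Lab
Lab objectives:
1. Become proficient in configuring a two-tier network
2. Understand switch security and how to configure it
Lab topology:
Lab description:
This lab uses a typical two-tier network architecture, which small and medium-sized networks commonly adopt.
Lab requirements: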
1) Bundle the interfaces that interconnect core-1 and core-2 into EtherChannel 30.
Then set EtherChannel 30 to trunk mode.
Also set the interfaces that connect Ed-sw and SF-sw to Core-1 and Core-2 to trunk mode, and verify.
interface range fa0/23 - 24
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 30 mode on
interface Port-channel30
switchport trunk encapsulation dot1q
switchport mode trunk
Core1(config)#int range fa0/21 - 22
Core1(config-if-range)#switchport trunk encapsulation dot1q
Core1(config-if-range)#switchport mode trunk
2) Put core-1, core-2, edge-sw and FS-sw in the same VTP domain, with domain name step-lab and password step-lab.
Set core-1 and core-2 to VTP server mode.
Set edge-sw and SF-SW to VTP client mode.
Add VLANs 64, 65, 66, 67 and 95 on core-1.
After core-2, edge-sw and SF-SW have learned the VLAN information, set the VTP mode of all switches to transparent.
Core1(config)#vtp domain step-lab
Core1(config)#vtp password step-lab
Core1(config)#vtp mode server
Core1(config)#vlan 64,65,66,67,95
Core1(config)#vtp mode transparent
3) Make Core-1 the primary STP root for VLANs 1, 64 and 65, and the backup STP root for VLANs 66, 67 and 95.
Make Core-2 the primary STP root for VLANs 66, 67 and 95, and the backup STP root for VLANs 1, 64 and 65.
Core1(config)#spanning-tree vlan 1,64,65 root primary
Core1(config)#spanning-tree vlan 66,67,95 root secondary
Core2(config)#spanning-tree vlan 1,64,65 root secondary
Core2(config)#spanning-tree vlan 66,67,95 root primary
4) Assign ports 1-5 of core-1 to VLAN 64.
Assign ports 6-10 of core-1 to VLAN 65.
Assign ports 11-15 of core-1 to VLAN 66.
Assign ports 16-20 of core-1 to VLAN 67.
Set these ports to spanning-tree PortFast mode, enable BPDU guard, and test.
Enable port-security on the VLAN 64 and 65 ports, limiting each port to learning 5 MAC addresses.
Core1(config)#int range fa0/1 - 5
Core1(config-if-range)#switchport access vlan 64
Core1(config-if-range)#switchport mode access
Core1(config)#int range fa0/6 - 10
Core1(config-if-range)#switchport access vlan 65
Core1(config-if-range)#switchport mode access
Core1(config)#int range fa0/11 - 15
Core1(config-if-range)#switchport access vlan 66
Core1(config-if-range)#switchport mode access
Core1(config)#int range fa0/16 - 20
Core1(config-if-range)#switchport access vlan 67
Core1(config-if-range)#switchport mode access
Core1(config)#int range fa0/1 - 20
Core1(config-if-range)#spanning-tree portfast
Core1(config-if-range)#spanning-tree bpduguard enable
Core1(config)#int range fa0/1 - 10
Core1(config-if-range)#switchport port-security
Core1(config-if-range)#switchport port-security maximum 5
5) Assign ports 1-5 of core-2 to VLAN 64.
Assign ports 6-10 of core-2 to VLAN 65.
Assign ports 11-15 of core-2 to VLAN 66.
Assign ports 16-20 of core-2 to VLAN 67.
Set these ports to spanning-tree PortFast mode, stop them from sending and receiving BPDUs, and test.
Limit these ports to receiving 1 M/s of broadcast packets and 2 M/s of multicast packets.
int range fa0/1 - 5
switchport access vlan 64
switchport mode access
int range fa0/6 - 10
switchport access vlan 65
switchport mode access
int range fa0/11 - 15
switchport access vlan 66
switchport mode access
int range fa0/16 - 20
switchport access vlan 67
switchport mode access
Core2(config)#int range fa0/1 - 20
Core2(config-if-range)#spanning-tree portfast
Core2(config-if-range)#spanning-tree bpdufilter enable
Core2(config-if-range)#storm-control broadcast level pps 1m
Core2(config-if-range)#storm-control multicast level pps 2m
6) Configure the VLAN IP addresses:
core-1 vlan 64: 10.9.64.253/24
core-1 vlan 65: 10.9.65.253/24
core-1 vlan 66: 10.9.66.253/24
core-1 vlan 67: 10.9.67.253/24
core-1 vlan 95: 10.9.95.253/24
core-1 loopback0: 10.9.100.1/32
core-1 interface connected to R1: 10.9.96.10/30
int vlan 64
no shut
ip add 10.9.64.253 255.255.255.0
int vlan 65
no shut
ip add 10.9.65.253 255.255.255.0
int vlan 66
no shut
ip add 10.9.66.253 255.255.255.0
int vlan 67
no shut
ip add 10.9.67.253 255.255.255.0
int vlan 95
no shut
ip add 10.9.95.253 255.255.255.0
int loopback0
ip add 10.9.100.1 255.255.255.255
int fa0/3
no switchport
ip add 10.9.96.10 255.255.255.252
no shut
core-2 vlan 64: 10.9.64.252/24
core-2 vlan 65: 10.9.65.252/24
core-2 vlan 66: 10.9.66.252/24
core-2 vlan 67: 10.9.67.252/24
core-2 vlan 95: 10.9.95.252/24
core-2 loopback0: 10.9.100.2/32
core-2 interface connected to R1: 10.9.96.6/30
int vlan 64
no shut
ip add 10.9.64.252 255.255.255.0
int vlan 65
no shut
ip add 10.9.65.252 255.255.255.0
int vlan 66
no shut
ip add 10.9.66.252 255.255.255.0
int vlan 67
no shut
ip add 10.9.67.252 255.255.255.0
int vlan 95
no shut
ip add 10.9.95.252 255.255.255.0
int loopback0
ip add 10.9.100.2 255.255.255.255
int fa0/4
no switchport
ip add 10.9.96.6 255.255.255.252
no shut
sw2 vlan 95: 10.9.95.1/24, default gateway 10.9.95.254; test that the devices can ping each other.
int vlan 95
no shut
ip add 10.9.95.1 255.255.255.0
exit
ip default-gateway 10.9.95.254
sw1 vlan 95: 10.9.95.2/24, default gateway 10.9.95.254; test that the devices can ping each other.
int vlan 95
no shut
ip add 10.9.95.2 255.255.255.0
exit
ip default-gateway 10.9.95.254
7) Enable UplinkFast on sw2 and verify.
sw2(config)#spanning-tree uplinkfast
8) Configure HSRP on every VLAN interface of Core-1 and Core-2.
Set core-1 as the active device for VLANs 64 and 65.
Set core-2 as the active device for VLANs 66, 67 and 95.
The virtual IP address is 10.9.xx.254/24, where xx is the VLAN number.
Core1(config)#int vlan 64
Core1(config-if)#standby 1 ip 10.9.64.254
Core1(config-if)#standby 1 priority 105
Core1(config-if)#standby 1 preempt
Core1(config-if)#standby 1 track fastEthernet0/3 20
Core1(config-if)#exit
Core1(config)#int vlan 65
Core1(config-if)#standby 1 ip 10.9.65.254
Core1(config-if)#standby 1 priority 105
Core1(config-if)#standby 1 preempt
Core1(config-if)#standby 1 track fastEthernet0/3 20
Core1(config-if)#exit
Core1(config)#int vlan 66
Core1(config-if)#standby 1 ip 10.9.66.254
Core1(config-if)#standby 1 preempt
Core1(config-if)#exit
Core1(config)#int vlan 67
Core1(config-if)#standby 1 ip 10.9.67.254
Core1(config-if)#standby 1 preempt
Core1(config-if)#exit
Core1(config)#int vlan 95
Core1(config-if)#standby 1 ip 10.9.95.254
Core1(config-if)#standby 1 preempt
Core1(config-if)#exit
On Core2:
int vlan 66
standby 1 ip 10.9.66.254
standby 1 priority 105
standby 1 preempt
standby 1 track fastEthernet0/4 20
exit
int vlan 67
standby 1 ip 10.9.67.254
standby 1 priority 105
standby 1 preempt
standby 1 track fastEthernet0/4 20
exit
int vlan 95
standby 1 ip 10.9.95.254
standby 1 priority 105
standby 1 track fastEthernet0/4 20
standby 1 preempt
exit
int vlan 64
standby 1 ip 10.9.64.254
standby 1 preempt
exit
int vlan 65
standby 1 ip 10.9.65.254
standby 1 preempt
exit
9) Configure R1:
F0/0: 10.9.96.9/30
F0/1: 10.9.96.5/30
loopback0: 10.9.100.3/32
Enable the EIGRP routing protocol on R1, core-1 and core-2 so that all networks can reach one another, and verify.
int fa0/0
ip add 10.9.96.9 255.255.255.252
no shut
exit
int fa0/1
ip add 10.9.96.5 255.255.255.252
no shut
exit
int loopback0
ip add 10.9.100.3 255.255.255.255
exit
router eigrp 100
network 10.0.0.0
no auto-summary
Core1(config)#ip routing
Core1(config)#router eigrp 100
Core1(config-router)#network 10.0.0.0
Core1(config-router)#no auto-summary
Core2(config)#ip routing
Core2(config)#router eigrp 100
Core2(config-router)#network 10.0.0.0
Core2(config-router)#no auto-summary
10) Enable the DHCP server function on R1 and provide DHCP service for the following subnets:
10.9.64.0/24
10.9.65.0/24
10.9.66.0/24
10.9.67.0/24
Allocate 10.9.xx.11-10.9.xx.200, where xx is the VLAN number.
DNS server: 10.9.100.3
Default-gateway: 10.9.xx.254
Domain-name:
Also enable DHCP broadcast redirection on the VLAN interfaces of core-1 and core-2, redirecting to R1 as the DHCP server, so that the DHCP server can hand out IP addresses to the PCs normally. // By default the broadcast requests only reach the core switch's downstream interface; use ip helper-address ** to redirect the broadcast.
R1(config)#ip dhcp pool test
network 10.9.64.0 255.255.255.0
dns-server 10.9.100.3
default-router 10.9.64.254
domain-name
exit
ip dhcp pool test1
network 10.9.65.0 255.255.255.0
dns-server 10.9.100.3
default-router 10.9.65.254
domain-name
exit
ip dhcp pool test2
network 10.9.66.0 255.255.255.0
dns-server 10.9.100.3
default-router 10.9.66.254
domain-name
exit
ip dhcp pool test3
network 10.9.67.0 255.255.255.0
dns-server 10.9.100.3
default-router 10.9.67.254
domain-name
exit
ip dhcp excluded-address 10.9.64.201 10.9.64.254
ip dhcp excluded-address 10.9.64.1 10.9.64.10
ip dhcp excluded-address 10.9.65.201 10.9.65.254
ip dhcp excluded-address 10.9.65.1 10.9.65.10
ip dhcp excluded-address 10.9.66.201 10.9.66.254
ip dhcp excluded-address 10.9.66.1 10.9.66.10
ip dhcp excluded-address 10.9.67.201 10.9.67.254
ip dhcp excluded-address 10.9.67.1 10.9.67.10
Core1(config)#int vlan 64
Core1(config-if)#ip helper-address 10.9.96.9
Core1(config-if)#exit
Core1(config)#int vlan 65
Core1(config-if)#ip helper-address 10.9.96.9
Core1(config-if)#exit
Core1(config)#int vlan 66
Core1(config-if)#ip helper-address 10.9.96.9
Core1(config-if)#exit
Core1(config)#int vlan 67
Core1(config-if)#ip helper-address 10.9.96.9
Core1(config-if)#exit
Core2(config)#int vlan 64
Core2(config-if)#ip helper-address 10.9.96.5
Core2(config-if)#exit
Core2(config)#int vlan 65
Core2(config-if)#ip helper-address 10.9.96.5
Core2(config-if)#exit
Core2(config)#int vlan 66
Core2(config-if)#ip helper-address 10.9.96.5
Core2(config-if)#exit
Core2(config)#int vlan 67
Core2(config-if)#ip helper-address 10.9.96.5
11) Enable ip dhcp snooping for VLANs 64-67 on sw1, and allow DHCP reply packets only on F0/23-24.
ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 64
sw1(config)#ip dhcp snooping vlan 65
sw1(config)#ip dhcp snooping vlan 66
sw1(config)#ip dhcp snooping vlan 67
int range fa0/23 - 24
ip dhcp snooping trust
12) Test that the network keeps running normally when core-1 or core-2 loses power.
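An added example, not part of the original lab: a Python check that reads saved running-config text and reports access ports that miss the step 4 settings (PortFast with BPDU guard, port-security maximum 5 on VLANs 64 and 65) or that carry DHCP snooping trust outside the step 11 uplinks. The sample config, the function names and the default arguments are constructed for illustration.

```python
# Constructed sample in "show running-config" style (not taken from the lab).
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 64-67
interface FastEthernet0/1
 switchport access vlan 64
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/6
 switchport access vlan 65
 spanning-tree portfast
 ip dhcp snooping trust
interface FastEthernet0/23
 switchport mode trunk
 ip dhcp snooping trust
"""

def parse_interfaces(cfg):
    """Map each interface name to the list of commands in its stanza."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # "!" or a global command closes the stanza
    return ifaces

def audit(cfg, secured_vlans=(64, 65), uplinks=("FastEthernet0/23", "FastEthernet0/24")):
    """Return (interface, finding) pairs; names and defaults are hypothetical."""
    out = []
    if "ip dhcp snooping" not in cfg.splitlines():
        out.append(("global", "dhcp snooping not enabled"))
    for name, cmds in parse_interfaces(cfg).items():
        vlan = next((int(c.split()[-1]) for c in cmds
                     if c.startswith("switchport access vlan ")), None)
        if "spanning-tree portfast" in cmds and "spanning-tree bpduguard enable" not in cmds:
            out.append((name, "portfast without bpduguard"))
        if vlan in secured_vlans and "switchport port-security" not in cmds:
            out.append((name, "port-security not enabled"))
        elif vlan in secured_vlans and "switchport port-security maximum 5" not in cmds:
            out.append((name, "port-security maximum is not 5"))
        if "ip dhcp snooping trust" in cmds and name not in uplinks:
            out.append((name, "dhcp snooping trust on non-uplink port"))
    return out
```

Calling `audit(SAMPLE)` flags only FastEthernet0/6, which has PortFast without BPDU guard, no port-security, and a trust setting that would let a host on that port answer DHCP requests.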