
      CCNP Large Enterprise Comprehensive Case Study

       流曲頻陽 2016-10-05



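      Key points of the implementation approach for this project (the "Nine Swords of Dugu"):

      Standardize the IP addressing

      Compile the interface mapping table

      Sort out the primary/backup relationships

      Be clear about which technologies are Layer 2 and which are Layer 3

      For pre-configuration that is identical across devices, write it in Notepad first and paste it in through CRT; this saves time and improves efficiency.

      One-sentence summaries of several switching protocols:

      VTP is used to simplify VLAN configuration and is Cisco proprietary. The open-standard equivalent is GVRP.

      VTP configuration method: connect two switches with a trunk, configure the server and the client, and configure the same password, domain name and version on both. The server's configuration revision is higher than the client's.

      STP, PVST, MST: spanning tree, rapid spanning tree, multiple spanning tree.

      Spanning tree prevents Layer 2 loops; Layer 3 loops are prevented by routing protocols. It works by blocking one link to break the loop.

      PVST is mainly used in practice to provide redundancy for different VLANs.

      MST is an upgraded version of PVST that provides redundancy for VLANs through different instances.

      HSRP, VRRP and GLBP provide redundancy for the gateway.

      Using several different groups provides redundancy for different VLANs.

      OSPF, RIP and EIGRP advertise the subnets of the different VLANs.

      If a trunk has two links, they must be placed in a Layer 2 group.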

       

       

      The configuration is as follows:

      1) Router and switch pre-configuration

       en

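      clock set 8:00:00 28 june 2016   \\remember that this matters a great deal in production, because if the time is wrong the log information can be misleading

      conf t

      host r1

      clock timezone GTM 8   \\set the time zone

      line c 0   \\enter the console line

      logg sy   \\synchronous logging, so log messages do not break up what you are typing

      no ip domain-lookup  \\turn off DNS lookup, otherwise a mistyped command waits 30 seconds

      enable password luliechu@123456  \\plaintext password

      enable secret luliechu@147258  \\hashed password, more secure; once it is set the plaintext password no longer takes effect

      username luliechu privilege 3 secret luliechu@147258  \\local username and password, with a privilege level assigned

      line vty 0 4  \\open the remote terminal lines

      password luliechu@123456  \\vty password

      login  local  \\log in by local username authentication

      end

      write  \\save the configuration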

       

      R2

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host r2

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write 

       

      IOU1

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host SW1

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write

       

      IOU2

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host SW2

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write

       

       

      IOU3

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host SW3

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write

       

      IOU4

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host SW4

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write

       

      IOU5

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host SW5

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write

       

      IOU6

      en

      clock set 8:00:00 28 june 2016   

      conf t

      host SW6

      clock timezone GTM 8   

      line c 0   

      logg sy   

      no ip domain-lookup  

      enable password luliechu@123456  

      enable secret luliechu@147258  

      username luliechu privilege 3 secret luliechu@147258  

      line vty 0 4  

      password luliechu@123456  

      login  local  

      end

      write 
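
      An added example, not part of the original post: a small audit of the pre-configuration pasted onto every device above, flagging the plaintext enable password, the unused vty password, the credential reuse and the unrestricted vty transport. The HARDENED variant, the finding codes and the username netops are constructed for illustration.

```python
import re

# R1 baseline lines from this page; parse() strips the "\\" annotations.
BASELINE = r"""
line c 0
logg sy
no ip domain-lookup
enable password luliechu@123456  \\plaintext password
enable secret luliechu@147258
username luliechu privilege 3 secret luliechu@147258
line vty 0 4
password luliechu@123456
login  local
"""

# Constructed for comparison; the username and <...> values are placeholders.
HARDENED = """
enable secret <ENABLE-SECRET>
username netops privilege 3 secret <USER-SECRET>
line vty 0 4
login local
transport input ssh
"""

# Sub-commands kept inside "line ..." mode (a simplification of this example).
LINE_CMDS = ("password", "login", "logg", "transport", "exec-timeout", "access-class")

EXPLAIN = {
    "ENABLE_PASSWORD_CLEARTEXT": "enable password stays recoverable in the config and is ignored once enable secret exists",
    "USER_SECRET_EQUALS_ENABLE_SECRET": "a user below level 15 shares the enable secret, so the privilege level limits nothing",
    "VTY_PASSWORD_UNUSED": "login local authenticates against usernames; the line password is dead config",
    "PASSWORD_REUSED": "the vty line password repeats the plaintext enable password",
    "VTY_TRANSPORT_NOT_RESTRICTED": "no 'transport input ssh', so the platform default decides whether Telnet is accepted",
}


def parse(config):
    """Return (global commands, {line header: [sub-commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        # Drop the author's "\\" and "//" annotations and collapse spaces.
        cmd = " ".join(re.split(r"\\\\|//", raw)[0].split())
        if not cmd:
            continue
        if cmd.startswith("line "):
            current = sections.setdefault(cmd, [])
        elif current is not None and cmd.startswith(LINE_CMDS):
            current.append(cmd)
        else:  # anything else drops back to global configuration mode
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(config):
    """Return the sorted finding codes for a pasted IOS baseline."""
    global_cmds, sections = parse(config)
    findings = set()

    def value(prefix):
        return next((c.split()[-1] for c in global_cmds if c.startswith(prefix)), None)

    enable_pw, enable_secret = value("enable password "), value("enable secret ")
    if enable_pw:
        findings.add("ENABLE_PASSWORD_CLEARTEXT")
    for cmd in global_cmds:
        m = re.match(r"username \S+ privilege (\d+) secret (\S+)$", cmd)
        if m and int(m.group(1)) < 15 and m.group(2) == enable_secret:
            findings.add("USER_SECRET_EQUALS_ENABLE_SECRET")
    for header, sub in sections.items():
        if not header.startswith("line vty"):
            continue
        line_pw = next((c.split()[-1] for c in sub if c.startswith("password ")), None)
        if line_pw and "login local" in sub:
            findings.add("VTY_PASSWORD_UNUSED")
        if line_pw and line_pw == enable_pw:
            findings.add("PASSWORD_REUSED")
        if "transport input ssh" not in sub:
            findings.add("VTY_TRANSPORT_NOT_RESTRICTED")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(BASELINE):
        print(f"{code}: {EXPLAIN[code]}")
    print("hardened variant:", audit(HARDENED))
```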

       

      2) Put all switch ports that need to be on trunk links into trunk mode

      Iou1

      //change the ports that need to carry VTP to trunk mode

      en

      conf t

      int rang f0/1-8

      sw tr en d   //not needed in PT; required on real equipment and in IOU

      sw mo tr

      //create the VTP domain and set this switch to server mode

      conf t

      vtp dom ccie

      vtp mod server

      vtp pruning  //not supported in PT; supported on real equipment and in IOU, and it saves bandwidth

      End

      //create the VLANs

      conf t

      vlan 10

      vlan 20

      vlan 30

      vlan 40

      vlan 50

      vlan 60

      vlan 70

      vlan 80

      Vlan 100

      End

      //create the management address so administrators can manage the switch

      conf t

      int vlan 100

      ip add 192.168.9.1 255.255.255.0

      no shut

      End

      //set the VTP version and password (for security)

      conf t

      vtp pass lu@123

      vtp ver 2

      End

      //create the Layer 2 group, using Ethernet port aggregation for high-speed load sharing

      conf t

      int rang f0/1-4

      Channel-protocol lacp

      channel-g 1 mode active

      end

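      //MST is an upgraded version of PVST that provides redundancy for VLANs through different instances. Two instances, 1 and 2, are created, VLANs 10-80 are assigned to the corresponding instance, and primary and secondary roots are set so that the instances back each other up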

       

      conf t

      spanning-tree mode mst      //PT does not support MST, so RSTP has to be used there instead; real equipment and IOU both support it

      spanning-tree mst configu

      instance 1 vlan 10,20,30,40

      revision 1

      instance 2 vlan 50,60,70,80

      revision 1

      exit

      spanning-tree mst 1 root primary

      spanning-tree mst 2 root secondary

      End

       

      En

      Conf t

      Spanning-tree  mode rap

      spanning-tree  vlan 10,20,30,40 root primary

      spanning-tree  vlan 50,60,70,80 root secondary

      End

       

       

       

       

      //assign a gateway to each VLAN so the VLANs can route to each other through the Layer 3 switch

      conf t

      int vlan 10

      ip add 192.168.1.2 255.255.255.0

      no shut

      int vlan 20

      ip add 192.168.2.2 255.255.255.0

      no shut

      int vlan 30

      ip add 192.168.3.2 255.255.255.0

      no shut

      int vlan 40

      ip add 192.168.4.2 255.255.255.0

      no shut

      int vlan 50

      ip add 192.168.5.2 255.255.255.0

      no shut

      int vlan 60

      ip add 192.168.6.2 255.255.255.0

      no shut

      int vlan 70

      ip add 192.168.7.2 255.255.255.0

      no shut

      int vlan 80

      ip add 192.168.8.2 255.255.255.0

      no shut

      End

      //configure HSRP for gateway high availability; SW1 is the primary gateway for VLANs 10, 20, 30, 40 and the backup gateway for 50, 60, 70, 80.

      SW2 is the primary gateway for VLANs 50, 60, 70, 80 and the backup gateway for 10, 20, 30, 40.

      Note: State is Active means primary gateway

      State is Standby means backup gateway

      conf t

      int vlan 10

      standby 10 ip 192.168.1.1

      standby 10 priority 105

      standby 10 preempt

      standby 10 track g0/1

      end

      conf t

      int vlan 20

      standby 20 ip 192.168.2.1

      standby 20 priority 105

      standby 20 preempt

      standby 20 track g0/1

      end

      conf t

      int vlan 30

      standby 30 ip 192.168.3.1

      standby 30 priority 105

      standby 30 preempt

      standby 30 track g0/1

      end

      conf t

      int vlan 40

      standby 40 ip 192.168.4.1

      standby 40 priority 105

      standby 40 preempt

      standby 40 track g0/1

      end

      conf t

      int vlan 50

      standby 50 ip 192.168.5.1

      standby 50 priority 100

      standby 50 preempt

      standby 50 track g0/1

      end

      conf t

      int vlan 60

      standby 60 ip 192.168.6.1

      standby 60 priority 100

      standby 60 preempt

      standby 60 track g0/1

      end

      conf t

      int vlan 70

      standby 70 ip 192.168.7.1

      standby 70 priority 100

      standby 70 preempt

      standby 70 track g0/1

      end

      conf t

      int vlan 80

      standby 80 ip 192.168.8.1

      standby 80 priority 100

      standby 80 preempt

      standby 80 track g0/1

      end

      write

       

       

      3) Configure DHCP

      conf t

      ip dhcp excluded-address 192.168.1.1

      ip dhcp excluded-address 192.168.1.2

      ip dhcp excluded-address 192.168.1.3

       

      ip dhcp pool vlan10

       network 192.168.1.0 255.255.255.0

       default-router 192.168.1.1

       dns-server 202.96.128.86

      Exit

       

      ip dhcp excluded-address 192.168.2.1

      ip dhcp excluded-address 192.168.2.2

      ip dhcp excluded-address 192.168.2.3

       

      ip dhcp pool vlan20

       network 192.168.2.0 255.255.255.0

       default-router 192.168.2.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.3.1

      ip dhcp excluded-address 192.168.3.2

      ip dhcp excluded-address 192.168.3.3

       

      ip dhcp pool vlan30

       network 192.168.3.0 255.255.255.0

       default-router 192.168.3.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.4.1

      ip dhcp excluded-address 192.168.4.2

      ip dhcp excluded-address 192.168.4.3

       

      ip dhcp pool vlan40

       network 192.168.4.0 255.255.255.0

       default-router 192.168.4.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.5.1

      ip dhcp excluded-address 192.168.5.2

      ip dhcp excluded-address 192.168.5.3

       

      ip dhcp pool vlan50

       network 192.168.5.0 255.255.255.0

       default-router 192.168.5.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.6.1

      ip dhcp excluded-address 192.168.6.2

      ip dhcp excluded-address 192.168.6.3

       

      ip dhcp pool vlan60

       network 192.168.6.0 255.255.255.0

       default-router 192.168.6.1

       dns-server 202.96.128.86

       

      ip dhcp excluded-address 192.168.7.1

      ip dhcp excluded-address 192.168.7.2

      ip dhcp excluded-address 192.168.7.3

       

      ip dhcp pool vlan70

       network 192.168.7.0 255.255.255.0

       default-router 192.168.7.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.8.1

      ip dhcp excluded-address 192.168.8.2

      ip dhcp excluded-address 192.168.8.3

       

       

       

      ip dhcp pool vlan80

       network 192.168.8.0 255.255.255.0

       default-router 192.168.8.1

       dns-server 202.96.128.86

      end

       

      4) Configure OSPF

      Conf  t

      router ospf 1

       router-id 2.2.2.2

       log-adjacency-changes

       network 22.1.1.2 0.0.0.0 area 0

       network 2.2.2.2 0.0.0.0 area 0

       network 192.168.1.2 0.0.0.0 area 0

       network 192.168.2.2 0.0.0.0 area 0

       network 192.168.3.2 0.0.0.0 area 0

       network 192.168.4.2 0.0.0.0 area 0

       network 192.168.5.2 0.0.0.0 area 0

       network 192.168.6.2 0.0.0.0 area 0

       network 192.168.7.2 0.0.0.0 area 0

       network 192.168.8.2 0.0.0.0 area 0

       

      Iou2

      //change the ports that need to carry VTP to trunk mode

      en

      conf t

      int rang f0/1-8

      sw tr en d   //not needed in PT; required on real equipment and in IOU

      sw mo tr

      //create the VTP domain and set this switch to server mode

      conf t

      vtp dom ccie

      vtp mod server

      vtp pruning  //not supported in PT; supported on real equipment and in IOU, and it saves bandwidth

      End

      //create the management address so administrators can manage the switch

      conf t

      int vlan 100

      ip add 192.168.9.2 255.255.255.0

      no shut

      End

      //set the VTP version and password (for security)

      conf t

      vtp pass lu@123

      vtp ver 2

      End

      //create the Layer 2 group, using Ethernet port aggregation for high-speed load sharing

      conf t

      int rang f0/1-4

      Channel-protocol lacp

      channel-g 1 mode active

      end

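      //MST is an upgraded version of PVST that provides redundancy for VLANs through different instances. Two instances, 1 and 2, are created, VLANs 10-80 are assigned to the corresponding instance, and primary and secondary roots are set so that the instances back each other up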

       

      conf t

      spanning-tree mode mst      //PT does not support MST, so RSTP has to be used there instead; real equipment and IOU both support it

      spanning-tree mst configu

      instance 1 vlan 10,20,30,40

      revision 1

      instance 2 vlan 50,60,70,80

      revision 1

      exit

      spanning-tree mst 2 root primary

      spanning-tree mst 1 root secondary

      End

       

      En

      Conf t

      Spanning-tree  mode rap

      spanning-tree  vlan 50,60,70,80 root primary

      spanning-tree  vlan 10,20,30,40 root secondary

      End

       

       

       

       

      //assign a gateway to each VLAN so the VLANs can route to each other through the Layer 3 switch

      conf t

      int vlan 10

      ip add 192.168.1.3 255.255.255.0

      no shut

      int vlan 20

      ip add 192.168.2.3 255.255.255.0

      no shut

      int vlan 30

      ip add 192.168.3.3 255.255.255.0

      no shut

      int vlan 40

      ip add 192.168.4.3 255.255.255.0

      no shut

      int vlan 50

      ip add 192.168.5.3 255.255.255.0

      no shut

      int vlan 60

      ip add 192.168.6.3 255.255.255.0

      no shut

      int vlan 70

      ip add 192.168.7.3 255.255.255.0

      no shut

      int vlan 80

      ip add 192.168.8.3 255.255.255.0

      no shut

      End

      //configure HSRP for gateway high availability; SW1 is the primary gateway for VLANs 10, 20, 30, 40 and the backup gateway for 50, 60, 70, 80.

      SW2 is the primary gateway for VLANs 50, 60, 70, 80 and the backup gateway for 10, 20, 30, 40.

      Note: State is Active means primary gateway

      State is Standby means backup gateway

      conf t

      int vlan 10

      standby 10 ip 192.168.1.1

      standby 10 priority 100

      standby 10 preempt

      standby 10 track g0/1

      end

      conf t

      int vlan 20

      standby 20 ip 192.168.2.1

      standby 20 priority 100

      standby 20 preempt

      standby 20 track g0/1

      end

      conf t

      int vlan 30

      standby 30 ip 192.168.3.1

      standby 30 priority 100

      standby 30 preempt

      standby 30 track g0/1

      end

      conf t

      int vlan 40

      standby 40 ip 192.168.4.1

      standby 40 priority 100

      standby 40 preempt

      standby 40 track g0/1

      end

      conf t

      int vlan 50

      standby 50 ip 192.168.5.1

      standby 50 priority 105

      standby 50 preempt

      standby 50 track g0/1

      end

      conf t

      int vlan 60

      standby 60 ip 192.168.6.1

      standby 60 priority 105

      standby 60 preempt

      standby 60 track g0/1

      end

      conf t

      int vlan 70

      standby 70 ip 192.168.7.1

      standby 70 priority 105

      standby 70 preempt

      standby 70 track g0/1

      end

      conf t

      int vlan 80

      standby 80 ip 192.168.8.1

      standby 80 priority 105

      standby 80 preempt

      standby 80 track g0/1

      end

      write

       

       

      5) Configure DHCP

      conf t

      ip dhcp excluded-address 192.168.1.1

      ip dhcp excluded-address 192.168.1.2

      ip dhcp excluded-address 192.168.1.3

       

      ip dhcp pool vlan10

       network 192.168.1.0 255.255.255.0

       default-router 192.168.1.1

       dns-server 202.96.128.86

      Exit

       

      ip dhcp excluded-address 192.168.2.1

      ip dhcp excluded-address 192.168.2.2

      ip dhcp excluded-address 192.168.2.3

       

      ip dhcp pool vlan20

       network 192.168.2.0 255.255.255.0

       default-router 192.168.2.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.3.1

      ip dhcp excluded-address 192.168.3.2

      ip dhcp excluded-address 192.168.3.3

      ip dhcp pool vlan30

       network 192.168.3.0 255.255.255.0

       default-router 192.168.3.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.4.1

      ip dhcp excluded-address 192.168.4.2

      ip dhcp excluded-address 192.168.4.3

       

      ip dhcp pool vlan40

       network 192.168.4.0 255.255.255.0

       default-router 192.168.4.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.5.1

      ip dhcp excluded-address 192.168.5.2

      ip dhcp excluded-address 192.168.5.3

       

      ip dhcp pool vlan50

       network 192.168.5.0 255.255.255.0

       default-router 192.168.5.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.6.1

      ip dhcp excluded-address 192.168.6.2

      ip dhcp excluded-address 192.168.6.3

       

      ip dhcp pool vlan60

       network 192.168.6.0 255.255.255.0

       default-router 192.168.6.1

       dns-server 202.96.128.86

       

      ip dhcp excluded-address 192.168.7.1

      ip dhcp excluded-address 192.168.7.2

      ip dhcp excluded-address 192.168.7.3

       

      ip dhcp pool vlan70

       network 192.168.7.0 255.255.255.0

       default-router 192.168.7.1

       dns-server 202.96.128.86

      exit

      ip dhcp excluded-address 192.168.8.1

      ip dhcp excluded-address 192.168.8.2

      ip dhcp excluded-address 192.168.8.3

       

       

       

      ip dhcp pool vlan80

       network 192.168.8.0 255.255.255.0

       default-router 192.168.8.1

       dns-server 202.96.128.86

      end

       

      6) Configure OSPF

      Conf  t

      router ospf 1

       router-id 2.2.2.2

       log-adjacency-changes

       network 22.1.1.2 0.0.0.0 area 0

       network 2.2.2.2 0.0.0.0 area 0

       network 192.168.1.3 0.0.0.0 area 0

       network 192.168.2.3 0.0.0.0 area 0

       network 192.168.3.3 0.0.0.0 area 0

       network 192.168.4.3 0.0.0.0 area 0

       network 192.168.5.3 0.0.0.0 area 0

       network 192.168.6.3 0.0.0.0 area 0

       network 192.168.7.3 0.0.0.0 area 0

       network 192.168.8.3 0.0.0.0 area 0

       

      Iou3

      conf t

      int rang f0/1-2

      sw tr en d

      sw mo tr

      end

      conf t

      vtp dom ccie

      vtp mod c

      vtp pruning

      end

      conf t

      int vlan 100

      ip add 192.168.9.3 255.255.255.0

      no shut

      end

      conf t

      vtp pass lu@123

      vtp ver 2

      end

      write

       

       

      Iou4

      conf t

      int rang f0/1-2

      sw tr en d

      sw mo tr

      end

      conf t

      vtp dom ccie

      vtp mod c

      vtp pruning

      end

      conf t

      int vlan 100

      ip add 192.168.9.4 255.255.255.0

      no shut

      end

      conf t

      vtp pass lu@123

      vtp ver 2

      end

      write

       

       

      Iou5

      conf t

      int rang f0/1-2

      sw tr en d

      sw mo tr

      end

      conf t

      vtp dom ccie

      vtp mod c

      vtp pruning

      end

      conf t

      int vlan 100

      ip add 192.168.9.5 255.255.255.0

      no shut

      end

      conf t

      vtp pass lu@123

      vtp ver 2

      end

      write

       

      Iou6

      conf t

      int rang f0/1-2

      sw tr en d

      sw mo tr

      end

      conf t

      vtp dom ccie

      vtp mod c

      vtp pruning

      end

      conf t

      int vlan 100

      ip add 192.168.9.6 255.255.255.0

      no shut

      end

      conf t

      vtp pass lu@123

      vtp ver 2

      end

      write

       

       

       

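      7) Configure a dynamic routing protocol on the egress router so the whole network is reachable, and configure NAT so the company's internal hosts can reach the Internet

      R1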

      En

      Conf t

      interface Loopback0

       ip address 1.1.1.1 255.255.255.255

      No shut

      interface FastEthernet0/1

       ip address 21.1.1.1 255.255.255.0

      duplex full

       speed auto

      No shut

      interface FastEthernet0/0

       ip address 22.1.1.1 255.255.255.0

       duplex full

       speed auto

      No shut

      interface Serial0/0/0

       ip address 113.105.134.85 255.255.255.0

       clock rate 64000

      No shut

      End

      Conf t

      router ospf 1

       router-id 1.1.1.1

       network 21.1.1.1 0.0.0.0 area 0

       network 22.1.1.1 0.0.0.0 area 0

       network 113.105.134.85 0.0.0.0 area 0

       network 1.1.1.1 0.0.0.0 area 0

       default-information originate

      End

      Conf t

      ip route 0.0.0.0 0.0.0.0 Serial0/0/0

       

      Configure NAT

      End

      Conf t

      Int f0/0

      Ip nat inside

      Int f0/1

      Ip nat inside

      Int s0/0/0

      Ip nat outside

      Exit

      Access-list 1 permit 192.168.1.0  0.0.0.255

      Access-list 1 permit 192.168.2.0  0.0.0.255

      Access-list 1 permit 192.168.3.0  0.0.0.255

      Access-list 1 permit 192.168.4.0  0.0.0.255

      Access-list 1 permit 192.168.5.0  0.0.0.255

      Access-list 1 permit 192.168.6.0  0.0.0.255

      Access-list 1 permit 192.168.7.0  0.0.0.255

      Access-list 1 permit 192.168.8.0  0.0.0.255

      Ip nat inside source list 1 int s0/0/0 overload

      End

      write

       

      8) Run PPP between the egress router and the branch-office router to achieve full connectivity

      R1 configuration

      En

      Conf t

      Username r2 password cisco

      Int s0/0/0

      Encapsulation ppp

      Ppp authentication chap

      end

      write

      R2 configuration

      En

      Conf t

      Username r1  password cisco

      Int s0/0/0

      Encapsulation ppp

      Ppp authentication chap

      End

      Conf t

      interface Loopback0

       ip address 4.4.4.4 255.255.255.255

      No shut

      interface Serial0/0/0

      Clock rate 64000

       ip address 113.105.134.86 255.255.255.0

      No shut

      interface FastEthernet0/0

       ip address 218.23.88.1 255.255.255.0

       duplex auto

       speed auto

      No shut

      Write

       

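      9) Add the company's access-layer switch ports to the corresponding VLANs and connect the computers to the switches; the whole project is then complete!

      Example: treat IOU3 as the HR office, configured as follows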

      Iou3

      En

      Conf t

      Int rang f0/3-24

      Sw mo acc

      Sw acc vlan 10

      End

      Write

       

      10) Publish the web server so that external users can reach the information the company publishes on it

      Configure this on the egress router

      En

      Conf t

      Ip nat inside source static tcp 192.168.2.5 80 113.105.134.85 80

      Access-list 1 permit 192.168.2.0  0.0.0.255

      End

      Write

      Verification result: [screenshot in the original post]

       

       

       

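      11) Configure ACLs: users on the 8.0 segment can only access the company FTP server; the VLAN segments cannot reach each other, but the network administrators' 1.0 segment can reach anything inside or outside to make management easier; the company FTP server can be accessed and used by anyone; the web server can be reached by all users except those on 8.0; apart from users on the 8.0 segment, all other users can reach the web server, the FTP server and the Internet, they just cannot reach the other internal department segments.

      Note: on real equipment and in IOU the configuration is exactly the same on both sides; in PT, because HSRP is not configured, when applying the ACLs SW1 only applies them on int vlan 30-40 and SW2 only on 50-80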

      access-list 100 deny ip 192.168.8.0 0.0.0.255 192.168.2.5 0.0.0.0

      access-list 100 permit ip any any

      Int vlan 80

      ip access-group 100 in

       

      sw1(config)#access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

      sw1(config)#access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255

      sw1(config)#access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255

      sw1(config)#access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255

      sw1(config)#access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.8.0 0.0.0.255

      sw1(config)#access-list  101 permit ip any any

       

      sw1(config)#access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

      sw1(config)#access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255

      sw1(config)#access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255

      sw1(config)#access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255

      sw1(config)#access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.8.0 0.0.0.255

      sw1(config)#access-list 102 permit ip any any

       

      sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255

      sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255

      sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

      sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

      sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.8.0 0.0.0.255

      sw1(config)#access-list  103 permit ip any any

       

      sw1(config)#access-list 104 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255

      sw1(config)#access-list 104 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

      sw1(config)#access-list 104 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255

      sw1(config)#access-list 104 deny ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255

      sw1(config)#access-list 104 deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255

      sw1(config)#access-list  104 permit ip any any

       

      sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255

      sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255

      sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

      sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255

      sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255

      sw1(config)#access-list  105 permit ip any any

       

      sw1(config)#access-list 106 deny ip 192.168.8.0 0.0.0.255 192.168.4.0 0.0.0.255

      sw1(config)#access-list 106 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255

      sw1(config)#access-list 106 deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255

      sw1(config)#access-list 106 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255

      sw1(config)#access-list 106 deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255

      sw1(config)#access-list  106 permit ip any any

       

      Int vlan 20-80 each apply an ACL with the commands below. VLAN 10 needs to communicate with everyone, and the server is managed by the administrator and has to be reachable by everyone, so neither is written into the ACLs, which is how it is done in practice too; you can of course narrow a rule down to a specific IP address, the syntax is exactly the same

      ip access-group 101 in

      ip access-group 102 in

      ip access-group 103 in

      ip access-group 104 in

      ip access-group 105 in

      ip access-group 106 in
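
      Numbered ACLs are evaluated top-down with the first match winning, and each access-list N line typed is appended to the end of list N, so rules entered after a list's permit ip any any never take effect. The following is an added example, not part of the original post: a first-match evaluator run over constructed lines in this page's addressing and prompt style, reporting entries that an earlier entry already covers. It models only ip entries written with any, host or a contiguous wildcard.

```python
import ipaddress

# Constructed input: list 103 is written for source 192.168.5.0/24, closed with
# "permit ip any any", and the same number is then reused for source
# 192.168.7.0/24. List 105 holds the 192.168.7.0/24 rules under their own number.
ACL_TEXT = """
sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
sw1(config)#access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
sw1(config)#access-list  103 permit ip any any
sw1(config)#access-list 103 deny ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255
sw1(config)#access-list 103 deny ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
sw1(config)#access-list  103 permit ip any any
sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255
sw1(config)#access-list 105 deny ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
sw1(config)#access-list  105 permit ip any any
"""


def _spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Invert the wildcard into a netmask; non-contiguous wildcards raise ValueError.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_acls(text):
    """Group 'access-list N ...' lines by number, in the order they were entered."""
    acls = {}
    for line in text.splitlines():
        tok = line.split("#", 1)[-1].split()  # drop a leading "sw1(config)#" prompt
        if len(tok) < 6 or tok[0].lower() != "access-list" or tok[3] != "ip":
            continue
        src, rest = _spec(tok[4:])
        dst, _ = _spec(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst, " ".join(tok)))
    return acls


def evaluate(acl, src_ip, dst_ip):
    """First match wins; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, (action, src, dst, _line) in enumerate(acl):
        if s in src and d in dst:
            return action, index
    return "deny", None


def shadowed(acl):
    """Entries that can never match because an earlier entry covers them."""
    dead = []
    for j, (_, src_j, dst_j, line) in enumerate(acl):
        for i in range(j):
            _, src_i, dst_i, _ = acl[i]
            if src_j.subnet_of(src_i) and dst_j.subnet_of(dst_i):
                dead.append((j, i, line))
                break
    return dead


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    print("103:", evaluate(acls["103"], "192.168.7.10", "192.168.4.20"))
    print("105:", evaluate(acls["105"], "192.168.7.10", "192.168.4.20"))
    for j, i, line in shadowed(acls["103"]):
        print(f"entry {j} is covered by entry {i}: {line}")
```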

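      -----------------------end--------------------------------- At this point the company's internal network is fully configured. The VPN part will be configured after the students have finished the network security course. Thank you all for your patience in class.  Author: 盧烈楚   Phone: 18096285540  QQ: 983765387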

       


      This article comes from the “快樂學習” blog; please be sure to keep this source: http://983865387.blog.51cto.com/9838888/1858617
