实验需求
vlan 101 为企业内网用户、通过企业自建骨干网访问总部网络10.113.0.0/24 、不允许访问Internet ;
vlan 201 为Internet用户、不允许访问企业总部网络10.113.0.0/24 、允许访问Internet.
实验拓扑

R4配置
# R4: headquarters gateway. G0/0/0 fronts the HQ LAN 10.113.0.0/24; G0/0/1 is the /30 link to R3.
interface GigabitEthernet0/0/0
ip address 10.113.0.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.112.0.254 255.255.255.252
#
interface LoopBack0
ip address 10.100.254.252 255.255.255.255
#
# OSPF 100 advertises only the R3 link and the HQ LAN; LoopBack0 supplies the router-id and is not advertised.
# NOTE(review): no OSPF authentication is configured on area 0 in this lab - expected on a production backbone.
ospf 100 router-id 10.100.254.252
area 0.0.0.0
network 10.112.0.254 0.0.0.0
network 10.113.0.0 0.0.0.255
R3配置
# R3: HQ-side edge of the enterprise backbone. eBGP peers with R1 (AS 65002) over the /30 on G0/0/0.
interface GigabitEthernet0/0/0
description to-fenzhi
ip address 10.102.0.253 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 10.112.0.253 255.255.255.252
#
interface LoopBack0
ip address 10.100.254.253 255.255.255.255
#
# Mutual redistribution: OSPF 100 (HQ side) is imported into BGP for the branch, and BGP routes are
# imported into OSPF below so R4 learns the branch prefixes.
# NOTE(review): no route-policy limits either import and the eBGP session has no peer password;
# acceptable in a lab, but a prefix filter and peer authentication would be expected on a real backbone.
bgp 65001
router-id 10.100.254.253
peer 10.102.0.254 as-number 65002
peer 10.102.0.254 connect-interface GigabitEthernet0/0/0
#
ipv4-family unicast
undo synchronization
import-route ospf 100
peer 10.102.0.254 enable
#
ospf 100 router-id 10.100.254.253
import-route bgp
area 0.0.0.0
network 10.112.0.253 0.0.0.0
R1配置
# R1: branch WAN router (AS 65002). G0/0/0 faces R3; G0/0/1 and G0/0/2 are the /30 links to SW1 and SW2 (VLAN 102).
interface GigabitEthernet0/0/0
ip address 10.102.0.254 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 10.102.0.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 10.102.0.5 255.255.255.252
#
interface LoopBack0
ip address 10.102.0.101 255.255.255.255
#
# Only the 10.102.0.0/16 aggregate is announced to HQ (anchored by the NULL0 route at the end).
# VLAN 201 (10.201.1.0/24) lies outside this aggregate and is not advertised by SW1/SW2 either,
# so HQ has no return path to Internet users; the lab relies on this rather than an ACL to keep
# VLAN 201 off 10.113.0.0/24.
bgp 65002
router-id 10.102.0.101
peer 10.102.0.253 as-number 65001
peer 10.102.0.253 connect-interface GigabitEthernet0/0/0
#
ipv4-family unicast
undo synchronization
network 10.102.0.0 255.255.0.0
peer 10.102.0.253 enable
#
# HQ prefixes learned via BGP are redistributed into OSPF 102 for SW1/SW2 (process ids are local; SW1/SW2 use 100).
ospf 102 router-id 10.102.0.101
import-route bgp
area 0.0.0.0
network 10.102.0.1 0.0.0.0
network 10.102.0.5 0.0.0.0
network 10.102.0.101 0.0.0.0
#
# Anchor route for the BGP aggregate; preference 255 lets any learned 10.102.0.0/16 route win over it.
ip route-static 10.102.0.0 255.255.0.0 NULL0 preference 255
SW1的配置
# SW1: core switch A. MSTP root for instance 1 (VLANs 101-104) and backup root for instance 2 (VLANs 201-204);
# SW2 is configured as the mirror image.
vlan batch 10 101 to 104 201 to 204
#
stp instance 1 priority 0
stp instance 2 priority 4096
#
stp region-configuration
region-name name01
instance 1 vlan 101 to 104
instance 2 vlan 201 to 204
active region-configuration
#
# VLAN 10 is the /29 towards FW1 (10.102.0.14). VRRP VIP 10.102.0.9 is the next hop FW1 uses for VLAN 201.
# Priority 110 here vs 120 on SW2 makes SW2 the master for vrid 10.
interface Vlanif10
ip address 10.102.0.10 255.255.255.248
vrrp vrid 10 virtual-ip 10.102.0.9
vrrp vrid 10 priority 110
#
# VLAN 101 = intranet users ("neiwang"); SW1 (priority 120) is the VRRP master.
interface Vlanif101
description neiwang
ip address 10.102.1.2 255.255.255.0
vrrp vrid 101 virtual-ip 10.102.1.1
vrrp vrid 101 priority 120
#
# VLAN 102 = routed /30 to R1 G0/0/1.
interface Vlanif102
description neiwang
ip address 10.102.0.2 255.255.255.252
#
# VLAN 201 = Internet users ("waiwang"); SW2 (priority 120) is the VRRP master.
# NOTE(review): nothing on this interface filters traffic towards 10.113.0.0/24. The requirement holds only
# because 10.201.1.0/24 is never advertised towards HQ (no return route); forward packets still leave via R1.
# An inbound traffic-filter on Vlanif201 denying destination 10.113.0.0/24 would enforce it explicitly - verify in the lab.
interface Vlanif201
description to-waiwang
ip address 10.201.1.2 255.255.255.0
vrrp vrid 201 virtual-ip 10.201.1.1
vrrp vrid 201 priority 110
#
# Trunk towards FW1 carrying only VLAN 10.
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
description to-r1
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/3
description to-sw2
port link-type trunk
port trunk allow-pass vlan 10 101 to 104 201 to 204
#
interface GigabitEthernet0/0/4
description to-sw3
port link-type trunk
port trunk allow-pass vlan 101 to 104 201 to 204
#
interface LoopBack0
ip address 10.102.0.102 255.255.255.255
#
# OSPF hellos only on the R1 link; user VLANs stay passive. 10.102.1.0/24 (VLAN 101) is advertised,
# 10.201.1.0/24 (VLAN 201) is not.
ospf 100 router-id 10.102.0.102
silent-interface all
undo silent-interface GigabitEthernet0/0/2
undo silent-interface Vlanif102
area 0.0.0.0
network 10.102.0.2 0.0.0.0
network 10.102.1.0 0.0.0.255
#
# Default route to FW1's real Vlanif10 address (FW1 has a single address here, no VRRP VIP).
ip route-static 0.0.0.0 0.0.0.0 10.102.0.14
SW2配置
# SW2: core switch B, mirror of SW1. MSTP root for instance 2 (VLANs 201-204), backup root for instance 1.
vlan batch 10 101 to 104 201 to 204
#
stp instance 1 priority 4096
stp instance 2 priority 0
#
stp region-configuration
region-name name01
instance 1 vlan 101 to 104
instance 2 vlan 201 to 204
active region-configuration
#
# VRRP master for vrid 10 (120 vs 110 on SW1); VIP 10.102.0.9 is FW1's next hop for VLAN 201.
interface Vlanif10
ip address 10.102.0.11 255.255.255.248
vrrp vrid 10 virtual-ip 10.102.0.9
vrrp vrid 10 priority 120
#
# VLAN 101: no priority set here, so SW1 (priority 120) is the master for vrid 101.
interface Vlanif101
ip address 10.102.1.3 255.255.255.0
vrrp vrid 101 virtual-ip 10.102.1.1
#
# Routed /30 to R1 G0/0/2.
interface Vlanif102
ip address 10.102.0.6 255.255.255.252
#
# VLAN 201 (Internet users): SW2 is the VRRP master (120 vs 110 on SW1).
# NOTE(review): as on SW1, no filter towards 10.113.0.0/24 is applied on this interface.
interface Vlanif201
description to-waiwang
ip address 10.201.1.3 255.255.255.0
vrrp vrid 201 virtual-ip 10.201.1.1
vrrp vrid 201 priority 120
#
interface GigabitEthernet0/0/2
description toR1
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/3
description to-sw1
port link-type trunk
port trunk allow-pass vlan 10 101 to 104 201 to 204
#
# Trunk towards FW1 carrying only VLAN 10.
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/5
description to-sw3
port link-type trunk
port trunk allow-pass vlan 101 to 104 201 to 204
#
interface LoopBack0
ip address 10.102.0.103 255.255.255.255
#
# Same OSPF shape as SW1: hellos only on the R1 link, VLAN 101 advertised, VLAN 201 not.
ospf 100 router-id 10.102.0.103
silent-interface all
undo silent-interface Vlanif102
undo silent-interface GigabitEthernet0/0/2
area 0.0.0.0
network 10.102.0.6 0.0.0.0
network 10.102.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.102.0.14
SW3配置
# SW3: access switch. G0/0/1 = intranet user port (VLAN 101), G0/0/2 = Internet user port (VLAN 201);
# dual trunk uplinks to SW1 and SW2. No stp region-configuration is shown for SW3 in this listing.
vlan batch 101 201
#
# NOTE(review): the user-facing access ports carry no edge-port/BPDU protection or port security here;
# worth adding before reusing this outside the lab.
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 201
#
interface GigabitEthernet0/0/4
description to-sw1
port link-type trunk
port trunk allow-pass vlan 101 to 104 201 to 204
#
interface GigabitEthernet0/0/5
description to-sw2
port link-type trunk
port trunk allow-pass vlan 101 to 104 201 to 204
fw1配置
# FW1: Internet edge firewall. Vlanif10 (10.102.0.14/29) faces the core switches; G1/0/0 (14.0.102.10/29) faces R2.
vlan batch 10
#
interface Vlanif10
ip address 10.102.0.14 255.255.255.248
service-manage ping permit
#
# NOTE(review): ping is permitted on the untrust-facing interface, and its /29 mask does not match R2's /24
# on the same link (see R2 below) - confirm both are intended.
interface GigabitEthernet1/0/0
undo shutdown
ip address 14.0.102.10 255.255.255.248
service-manage ping permit
#
# G1/0/1 and G1/0/4 are switched (portswitch) trunks carrying VLAN 10 to SW1 and SW2.
interface GigabitEthernet1/0/1
portswitch
description to-sw1
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/4
portswitch
description to-sw2
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10
#
# Trust zone (priority 85) holds the inside interfaces. GigabitEthernet0/0/0 is added but not configured in
# this listing - on USG models that is usually the management port; verify it belongs in trust.
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/4
add interface Vlanif10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
# Default route to R2; VLAN 201 is reached via the SW1/SW2 VRRP VIP so it follows the VRRP master.
# No route for 10.102.1.0/24 (VLAN 101) exists here, consistent with intranet users having no Internet access.
ip route-static 0.0.0.0 0.0.0.0 14.0.102.9
ip route-static 10.201.1.0 255.255.255.0 10.102.0.9
#
# permit-ping: the firewall itself (local zone) may send ICMP; no destination-zone, so any zone.
# permit-t-u: the only trust->untrust rule, matching source 10.201.1.0/24 only. VLAN 101 traffic that arrives
# via the switches' default route matches nothing and is dropped, assuming the policy's default action is deny
# (not shown). No service restriction is set, so VLAN 201 may use any protocol towards the Internet.
security-policy
rule name permit-ping
source-zone local
service icmp
action permit
rule name permit-t-u
source-zone trust
destination-zone untrust
source-address 10.201.1.0 mask 255.255.255.0
action permit
#
# Source NAT (easy-ip) for anything leaving trust via G1/0/0; effectively scoped by permit-t-u above.
nat-policy
rule name nat01
source-zone trust
egress-interface GigabitEthernet1/0/0
action source-nat easy-ip
R2配置
#
interface GigabitEthernet0/0/0
ip address 14.0.102.9 255.255.255.0