In the twinkling of an eye I have been in the IT line for three years. IT seems boring, but I had never thought before about what I actually want to do. Why is IT boring? From my own experience, I have worked in both private and state-owned enterprises, and when it comes to pay raises the IT department comes last. No company is willing to train IT network administrators, and we are not much valued by employers: when the network is running normally nobody thinks of you, and when something goes wrong people say you are not doing your job, while the salary and benefits are not great!!
Although I have worked at several companies, it is still rare to be put on network engineering as soon as you join a new one. Much of my Cisco knowledge had almost faded, so over a few days I organized my thoughts and some materials and wrote up this network case. There may be deficiencies or errors; criticism and corrections are welcome.
VLAN and IP address planning

VLAN      Name   IP segment          Default gateway    Role
VLAN 1    -      192.168.0.0/24      192.168.0.254      management VLAN
VLAN 10   JWC    192.168.1.0/24      192.168.1.254
VLAN 20   XSSS   192.168.2.0/24      192.168.2.254
VLAN 30   CWC    192.168.3.0/24      192.168.3.254
VLAN 40   JGSS   192.168.4.0/24      192.168.4.254
VLAN 50   JZX    192.168.5.0/24      192.168.5.254
VLAN 60   GLX    192.168.6.0/24      192.168.6.254
VLAN 70   JSJX   192.168.7.0/24      192.168.7.254
VLAN 100  FWQQ   192.168.100.0/24    192.168.100.254    server group VLAN
I. Access layer switch configuration. There are only two access layer switches in this experiment. This article configures only ASW1; ASW2 is configured the same way, so its commands are not written out.
1. Name the access layer switch ASW1
Switch> enable
Switch # config terminal
Switch (config) # hostname ASW1
2. Set the switch's enable secret (the privileged-mode password, stored as a hash rather than in cleartext) to 123. This is a lab value; in production use a long, unique secret.
ASW1 (config) # enable secret 123
3. Set the VTY (remote login) line password to cisco. Telnet carries this password in the clear; on hardware that supports it, prefer SSH on the VTY lines.
ASW1 (config) # line vty 0 15
ASW1 (config-line) # login
ASW1 (config-line) # password cisco
4. Set the idle timeout of the terminal lines to 5 minutes 30 seconds, so an unattended session is logged out automatically
ASW1 (config-line) # line vty 0 15
ASW1 (config-line) # exec-timeout 5 30
ASW1 (config-line) # line con 0
ASW1 (config-line) # exec-timeout 5 30
5. Disable DNS lookup of mistyped commands (otherwise a typo at the prompt hangs while the switch tries to resolve it as a host name)
ASW1 (config-line) # no ip domain-lookup
6. Enable synchronous logging on the console, so log messages do not interrupt the command being typed
ASW1 (config) # line con 0
ASW1 (config-line) # logging synchronous
ASW1 (config-line) # exit
7. Configure the management IP address and default gateway of the access layer switch ASW1
ASW1 (config) # interface vlan 1
ASW1 (config-if) # ip address 192.168.0.5 255.255.255.0
ASW1 (config-if) # no shutdown
ASW1 (config) # ip default-gateway 192.168.0.254
8. Configure VTP and the port defaults of the access layer switch ASW1. ASW1 is a VTP client and learns the VLAN database from the VTP server (DSW1, section II). Caveat: a VTP client whose stored configuration revision number is higher than the server's overwrites the VLAN database of the whole domain as soon as it is connected, so reset the revision of any reused switch (change its domain name, or set it to transparent mode and back) before cabling it in.
ASW1 (config) # vtp mode client
ASW1 (config) # interface range fastethernet 0/1-24
ASW1 (config-if-range) # duplex full
ASW1 (config-if-range) # speed 100
9. Configure the Access Port 1-10 of the access layer switch ASW1
ASW1 (config-if-range) # interface range fastethernet0/1-10
ASW1 (config-if-range) # switchport mode access
ASW1 (config-if-range) # switchport access vlan 10
ASW1 (config-if-range) # exit
10. Configure the access port 11-20 of the access layer switch ASW1
ASW1 (config) # interface range fastethernet0/11-20
ASW1 (config-if-range) # switchport mode access
ASW1 (config-if-range) # switchport access vlan 20
ASW1 (config-if-range) # exit
11. Enable PortFast on the user-facing access ports, so they go to forwarding immediately instead of waiting through the STP listening and learning states. PortFast belongs only on ports that face end hosts; pair it with BPDU guard so a port that unexpectedly receives a BPDU (a user-connected switch) is shut down instead of reshaping the spanning tree.
ASW1 (config) # interface range fastethernet 0/1-20
ASW1 (config-if-range) # spanning-tree portfast
12. Set the trunk (uplink) ports
ASW1 (config-if-range) # interface range fastethernet 0/23-24
ASW1 (config-if-range) # switchport mode trunk
13. The access layer switch ASW2 provides access for VLAN 30 and VLAN 40 users and connects through its ports F0/23 and F0/24 to the distribution layer switches DSW1 and DSW2 respectively.
II. Distribution layer switch DSW1 configuration
1. Basic DSW1 parameters (commands only, without explanation)
Switch> en
Switch # config terminal
Switch (config) # hostname DSW1
DSW1 (config) # enable secret 456
DSW1 (config) # line console 0
DSW1 (config-line) # logging synchronous
DSW1 (config-line) # exec-timeout 5 30
DSW1 (config-line) # line vty 0 15
DSW1 (config-line) # password cisco
DSW1 (config-line) # login
DSW1 (config-line) # exec-timeout 5 30
DSW1 (config-line) # exit
DSW1 (config) # no ip domain-lookup
2. Configure the management IP address and default gateway of the distribution layer switch DSW1
DSW1 (config) # interface vlan 1
DSW1 (config-if) # ip address 192.168.0.3 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # exit
DSW1 (config) # ip default-gateway 192.168.0.254
3. Configure VTP on the distribution layer switch DSW1
(When a network has many switches, the same VLANs would have to be created by hand on every one of them. To avoid errors, the VLAN Trunking Protocol (VTP) is used: in this experiment the distribution layer switch DSW1 is the VTP server and all other switches are VTP clients.)
Every VTP management domain has a common domain name; VTP advertisements are not exchanged between switches in different domains. Because any switch that joins the domain with a higher revision number can replace the VLAN database everywhere, set a VTP password on the domain as well and check the revision of a switch before adding it.
DSW1 # config t
DSW1 (config) # vtp domain 51cto -- define the VTP management domain name as "51cto"
DSW1 (config) # vtp mode server
In a VTP domain, pruning only needs to be activated on the VTP server; all other switches in the domain activate it automatically.
DSW1 (config) # vtp pruning
4. Define the VLANs on the distribution layer switch DSW1
(Besides the default VLAN, eight VLANs are added. With VTP the VLAN information only has to be entered on the VTP server, DSW1. DSW1 ports F0/1-F0/10 provide access for the servers; F0/23 and F0/24 connect to access layer switch ASW1 port F0/23 and ASW2 port F0/23 respectively. DSW1 also connects through its gigabit port G0/1 to G3/1 of the core switch CSW1 and, for redundancy, through its gigabit port G0/2 to G0/2 of the distribution layer switch DSW2.)
DSW1 (config) # vlan 10
DSW1 (config-vlan) # name JWC
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 20
DSW1 (config-vlan) # name XSSS
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 30
DSW1 (config-vlan) # name CWC
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 40
DSW1 (config-vlan) # name JGSS
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 50
DSW1 (config-vlan) # name JZX
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 60
DSW1 (config-vlan) # name GLX
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 70
DSW1 (config-vlan) # name JSJX
DSW1 (config-vlan) # exit
DSW1 (config) # vlan 100
DSW1 (config-vlan) # name FWQQ
DSW1 (config-vlan) # exit
DSW1 (config) # interface range fastethernet 0/1-24
DSW1 (config-if-range) # duplex full
DSW1 (config-if-range) # speed 100
DSW1 (config-if-range) # interface range fastethernet 0/1-10
DSW1 (config-if-range) # switchport mode access
DSW1 (config-if-range) # switchport access vlan 100
DSW1 (config-if-range) # spanning-tree portfast
DSW1 (config-if-range) # interface range fastethernet 0/23-24
DSW1 (config-if-range) # switchport mode trunk
DSW1 (config-if-range) # interface range gigabitethernet 0/1-2
DSW1 (config-if-range) # switchport mode trunk
4. Enable the layer-3 switching (routing) function of the distribution layer switch DSW1.
It provides routing between the VLANs of the network.
DSW1 (config) # ip routing
5. Configure the gateway address in each VLAN
DSW1 # config t
DSW1 (config) # interface vlan 10
DSW1 (config-if) # ip address 192.168.1.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 20
DSW1 (config-if) # ip address 192.168.2.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 30
DSW1 (config-if) # ip address 192.168.3.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 40
DSW1 (config-if) # ip address 192.168.4.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 50
DSW1 (config-if) # ip address 192.168.5.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 60
DSW1 (config-if) # ip address 192.168.6.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 70
DSW1 (config-if) # ip address 192.168.7.254 255.255.255.0
DSW1 (config-if) # no shutdown
DSW1 (config-if) # interface vlan 100
DSW1 (config-if) # ip address 192.168.100.254 255.255.255.0
DSW1 (config-if) # no shutdown
6. Define the path to the Internet router with a default route; the next hop 192.168.0.254 is the address of the router's interface F0/0.
DSW1 (config) # ip route 0.0.0.0 0.0.0.0 192.168.0.254
7. Configure the distribution layer switch DSW2
DSW2 ports F0/23 and F0/24 connect to access layer switch ASW1 port F0/24 and access layer switch ASW2 port F0/24 respectively.
DSW2 also connects to G3/2 of the core switch CSW1 through its own gigabit port G0/1, and, for redundancy, to G0/2 of DSW1 through its own gigabit port G0/2.
Its configuration mirrors that of DSW1, as a VTP client rather than the server. If DSW2 is also to act as a gateway for the VLANs it cannot reuse the same .254 addresses: give its SVIs distinct addresses and pair the two switches with a first-hop redundancy protocol such as HSRP, otherwise they will fight over duplicate IP addresses.
III. Core layer switch configuration
1. Basic parameter configuration
Switch> en
Switch # config t
Switch (config) # hostname CSW1
CSW1 (config) # enable secret 789
CSW1 (config) # line con 0
CSW1 (config-line) # logging synchronous
CSW1 (config-line) # exec-timeout 5 30
CSW1 (config-line) # line vty 0 15
CSW1 (config-line) # password abc
CSW1 (config-line) # login
CSW1 (config-line) # exec-timeout 5 30
CSW1 (config-line) # exit
CSW1 (config) # no ip domain-lookup
2. Management IP address and default gateway
CSW1 (config) # interface vlan 1
CSW1 (config-if) # ip address 192.168.0.1 255.255.255.0
CSW1 (config-if) # no shutdown
CSW1 (config) # ip default-gateway 192.168.0.254
3. Configure the VLANs and VTP of the core layer switch CSW1
Set CSW1 as a VTP client (it learns the VLAN database from DSW1)
CSW1 (config) # vtp mode client
4. Configure the port parameters of the core layer switch CSW1
CSW1 connects to the WAN access module (the router) through its port F4/3. Its ports G3/1 and G3/2 connect to GigabitEthernet 0/1 of the distribution layer switches DSW1 and DSW2 respectively and are the trunks. The Fast Ethernet ports, including F4/3 toward the router, are access ports in VLAN 1; PortFast is acceptable on the router-facing port because a router does not take part in spanning tree.
CSW1 (config) # interface range fastethernet 4/1-32
CSW1 (config-if-range) # duplex full
CSW1 (config-if-range) # speed 100
CSW1 (config-if-range) # switchport mode access
CSW1 (config-if-range) # switchport access vlan 1
CSW1 (config-if-range) # spanning-tree portfast
CSW1 (config-if-range) # interface range gigabitethernet 3/1-2
CSW1 (config-if-range) # switchport mode trunk
5. Bundle the gigabit ports G2/1 and G2/2 of the core switch CSW1 into one EtherChannel and connect it to the other core layer switch CSW2. The port-channel is made a layer-2 (switchport) interface first; the member ports use PAgP (mode desirable, non-silent, so the bundle forms only when the peer also negotiates PAgP).
CSW1 (config) # interface port-channel 1
CSW1 (config-if) # switchport
CSW1 (config-if) # interface range gigabitethernet 2/1-2
CSW1 (config-if-range) # channel-group 1 mode desirable non-silent
CSW1 (config-if-range) # no shutdown
6. Configure the routing function of the core layer switch CSW1
CSW1 connects to the WAN access module through port F4/3, so the routing function of the core switch must be enabled.
The route to the Internet is a default route; its next hop is the IP address of the access router's Fast Ethernet interface F0/0. Once ip routing is enabled the ip default-gateway set in step 2 is no longer used; the static default route below takes over.
CSW1 (config) # ip routing
CSW1 (config) # ip route 0.0.0.0 0.0.0.0 192.168.0.254
7. Core switch CSW2 configuration
The configuration of the core switch CSW2 is the same as that of CSW1 and is not repeated here.
IV. WAN access module design
1. Configure the basic router parameters
Configure the basic parameters of the Cisco 3640 router as follows:
Router> enable
Router # config t
Router (config) # hostname R
R (config) # enable secret cisco
R (config) # line con 0
R (config-line) # logging synchronous
R (config-line) # exec-timeout 5 30
R (config-line) # line vty 0 4
R (config-line) # password cisco
R (config-line) # login
R (config-line) # exec-timeout 5 30
R (config-line) # exit
R (config) # no ip domain-lookup
2. Configure the interface parameters of access router R
This is mainly the IP address and subnet mask of interface F0/0 (campus side) and interface S0/0 (ISP side).
R (config) # interface fastEthernet 0/0
R (config-if) # ip address 192.168.0.254 255.255.255.0
R (config-if) # no shutdown
R (config-if) # interface serial 0/0
R (config-if) # ip address 193.1.1.1 255.255.255.252
R (config-if) # no shutdown
3. Configure the routing function of access router R
Two kinds of routes are needed on R: static routes toward the campus network and a default route toward the Internet.
The default route to the Internet points out of R's interface S0/0 (a point-to-point link, so an interface-only route is sufficient):
R (config) # ip route 0.0.0.0 0.0.0.0 serial 0/0
The campus networks can be summarized into two route entries, both with DSW1 (192.168.0.3) as next hop: 192.168.0.0/21 (mask 255.255.248.0) covers VLAN 1 through VLAN 70, and 192.168.100.0/24 is the server VLAN.
R (config) # ip route 192.168.0.0 255.255.248.0 192.168.0.3
R (config) # ip route 192.168.100.0 255.255.255.0 192.168.0.3
4. Configure NAT on access router R
This campus network obtained nine public IP addresses from the local ISP. One of them, 193.1.1.1, is assigned to the serial interface of the access router; the other eight, 202.206.222.1-202.206.222.8, are used for NAT.
4.1 define NAT Internal and External Interfaces
R (config) # interface fastEthernet 0/0
R (config-if) # ip nat inside
R (config) # interface serial 0/0
R (config-if) # ip nat outside
4.2 Define the inside local address range of the workstations allowed to use NAT. This is a standard numbered ACL; the wildcard 0.0.7.255 matches 192.168.0.0/21, which deliberately excludes the server VLAN 192.168.100.0/24, since the servers get the static mappings in 4.3.
R (config) # access-list 1 permit 192.168.0.0 0.0.7.255
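The summary routes in section 3 and the NAT source ACL above both rest on the fact that 192.168.0.0/21 covers exactly VLAN 1 through VLAN 70 of the address plan and nothing else. The following Python script is an added check of that, not part of the original article: it builds the VLAN plan from the table at the top of the page, converts the ACL's wildcard mask into a prefix (rejecting non-contiguous wildcards, which IOS accepts but which have no prefix equivalent), computes the minimal route summary, and confirms that the only subnet outside the PAT scope is the server VLAN handled by the static mappings in 4.3. The VLAN_PLAN dictionary and the function names are this example's own.

```python
import ipaddress

# The VLAN plan from the table at the top of the page (constructed from it verbatim).
VLAN_PLAN = {
    "VLAN 1 (management)": "192.168.0.0/24",
    "VLAN 10 JWC": "192.168.1.0/24",
    "VLAN 20 XSSS": "192.168.2.0/24",
    "VLAN 30 CWC": "192.168.3.0/24",
    "VLAN 40 JGSS": "192.168.4.0/24",
    "VLAN 50 JZX": "192.168.5.0/24",
    "VLAN 60 GLX": "192.168.6.0/24",
    "VLAN 70 JSJX": "192.168.7.0/24",
    "VLAN 100 FWQQ (servers)": "192.168.100.0/24",
}
SERVER_VLAN = "192.168.100.0/24"


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair (as in access-list 1) into a prefix.

    A wildcard is the bitwise inverse of a subnet mask. IOS also accepts
    non-contiguous wildcards, which have no single-prefix equivalent, so those
    are rejected rather than silently approximated.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # A contiguous mask looks like 1...10...0: OR-ing it with mask-1 sets every bit.
    if mask and (mask | (mask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = bin(mask).count("1")
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def summarize(subnets) -> list:
    """Collapse prefixes into the minimal covering set (what the two static
    routes on R do by hand). Returned as strings in sorted order."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def check_plan() -> dict:
    """Cross-check the summary routes on R and the NAT source ACL against the plan."""
    summary = summarize(VLAN_PLAN.values())
    # ip route 192.168.0.0 255.255.248.0 ... : the dotted-mask form of the same prefix.
    route_campus = ipaddress.ip_network("192.168.0.0/255.255.248.0")
    # access-list 1 permit 192.168.0.0 0.0.7.255
    pat_scope = wildcard_to_network("192.168.0.0", "0.0.7.255")
    pat_covered = [name for name, net in VLAN_PLAN.items()
                   if ipaddress.ip_network(net).subnet_of(pat_scope)]
    pat_excluded = [name for name, net in VLAN_PLAN.items()
                    if not ipaddress.ip_network(net).subnet_of(pat_scope)]
    return {
        "summary_routes": summary,
        "route_mask_matches_summary": str(route_campus) == summary[0],
        "pat_scope": str(pat_scope),
        "pat_covered": pat_covered,
        "pat_excluded": pat_excluded,
        # The only VLAN outside the PAT scope must be the server VLAN (static NAT).
        "only_servers_excluded": [VLAN_PLAN[n] for n in pat_excluded] == [SERVER_VLAN],
    }


if __name__ == "__main__":
    for key, value in check_plan().items():
        print(f"{key}: {value}")
```

Run it whenever a VLAN is added to the plan: a new user VLAN outside 192.168.0.0/21 would show up in pat_excluded, meaning it has no route on R and no NAT, which is a common cause of a "new VLAN has no Internet" ticket.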
4.3 Define static address translation for the servers. Each public address below becomes reachable from the Internet, so the ACL in section 5 is what limits which services the servers expose.
R (config) # ip nat inside source static 192.168.100.1 202.206.222.1
R (config) # ip nat inside source static 192.168.100.2 202.206.222.2
R (config) # ip nat inside source static 192.168.100.3 202.206.222.3
R (config) # ip nat inside source static 192.168.100.4 202.206.222.4
R (config) # ip nat inside source static 192.168.100.5 202.206.222.5
R (config) # ip nat inside source static 192.168.100.6 202.206.222.6
R (config) # ip nat inside source static 192.168.100.7 202.206.222.7
R (config) # ip nat inside source static 192.168.100.8 202.206.222.8
4.4 Define port address translation (overload) for the other workstations, sharing the address of serial 0/0
R (config) # ip nat inside source list 1 interface serial 0/0 overload
5. Configure the ACL on access router R.
A numbered extended ACL is built entry by entry: IOS appends every new access-list 101 line to the end of the list and evaluates the list top down, stopping at the first match, with an implicit deny at the end. A permit ip any any entered early therefore makes every deny entered after it unreachable. The entries below are given in one consolidated order: all denies first, a single permit ip any any last, and the list applied once, inbound on the Internet-facing interface serial 0/0. The inbound ACL is checked before NAT, so destination addresses seen here are the public (global) addresses.
5.1 Block the Simple Network Management Protocol (SNMP) from the outside (with this protocol a remote host can monitor and control network devices; the services are SNMP, UDP port 161, and SNMPTRAP, UDP port 162)
R (config) # access-list 101 deny udp any any eq snmp
R (config) # access-list 101 deny udp any any eq snmptrap
5.2 Block the remote login protocol telnet (TCP port 23). Telnet carries credentials in cleartext, so the router and the campus should be managed over SSH or from the console instead.
R (config) # access-list 101 deny tcp any any eq telnet
5.3 Block other insecure protocols: the SunOS file sharing protocol (NFS) on port 2049, the remote execution (rsh), remote login (rlogin) and remote command (rcmd) ports 512, 513 and 514, and Remote Procedure Call (SUNRPC) on port 111.
R (config) # access-list 101 deny tcp any any range 512 514
R (config) # access-list 101 deny tcp any any eq 111
R (config) # access-list 101 deny udp any any eq 111
R (config) # access-list 101 deny tcp any any eq 2049
5.4 Measures against DoS attacks: drop ICMP echo requests and UDP echo (port 7) from the outside, then close the list with the permit and apply it. Also disable directed broadcasts on the inside interface so the campus cannot be used as a smurf amplifier. Note that dropping all inbound echo requests also stops legitimate pings of the public server addresses.
R (config) # access-list 101 deny icmp any any echo
R (config) # access-list 101 deny udp any any eq echo
R (config) # access-list 101 permit ip any any
R (config) # interface serial 0/0
R (config-if) # ip access-group 101 in
R (config-if) # interface fastethernet 0/0
R (config-if) # no ip directed-broadcast
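The consolidated order above is the whole point. The following Python model, added here and not part of the original article, implements the first-match rule that IOS applies to a numbered extended ACL and evaluates constructed sample packets against two lists: AS_WRITTEN, the entries in the order the page's sections 5.1-5.4 originally added them (with a permit ip any any after each section), and CORRECTED, the same entries with every deny first. It deliberately models only protocol, addresses and destination port; keywords such as established, fragments and log are outside its scope, and the sample traffic (203.0.113.9 as the outside host, a documentation address) is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int   # destination port for tcp/udp, ICMP type for icmp


# One access-list 101 entry in the form the page uses:
# (action, protocol, source prefix, destination prefix, match)
# where match is None (any port), ("eq", port) or ("range", low, high).
def ace_matches(ace, pkt: Packet) -> bool:
    action, proto, src, dst, match = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(src):
        return False
    if ip_address(pkt.dst) not in ip_network(dst):
        return False
    if match is None:
        return True
    if match[0] == "eq":
        return pkt.dport == match[1]
    if match[0] == "range":
        return match[1] <= pkt.dport <= match[2]
    raise ValueError(match)


def evaluate(acl, pkt: Packet) -> str:
    """IOS semantics: top down, first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


def shadowed(acl) -> list:
    """Indexes of entries that can never match because an earlier entry already
    matches every packet (protocol ip, any source, any destination, no port)."""
    for i, (_, proto, src, dst, match) in enumerate(acl):
        if proto == "ip" and src == ANY and dst == ANY and match is None:
            return list(range(i + 1, len(acl)))
    return []


# The list in the order sections 5.1-5.4 originally entered it, syntax fixed
# (IOS appends each new line to the end of a numbered ACL).
AS_WRITTEN = [
    ("deny", "udp", ANY, ANY, ("eq", 161)),          # 5.1 snmp
    ("deny", "udp", ANY, ANY, ("eq", 162)),          # 5.1 snmptrap
    ("permit", "ip", ANY, ANY, None),                # 5.1 permit ip any any
    ("deny", "tcp", ANY, ANY, ("eq", 23)),           # 5.2 telnet
    ("permit", "ip", ANY, ANY, None),
    ("deny", "tcp", ANY, ANY, ("range", 512, 514)),  # 5.3 rsh/rlogin/rcmd
    ("deny", "tcp", ANY, ANY, ("eq", 111)),          # 5.3 sunrpc
    ("deny", "udp", ANY, ANY, ("eq", 111)),
    ("deny", "tcp", ANY, ANY, ("eq", 2049)),         # 5.3 nfs
    ("permit", "ip", ANY, ANY, None),
    ("deny", "icmp", ANY, ANY, ("eq", 8)),           # 5.4 echo request
    ("deny", "udp", ANY, ANY, ("eq", 7)),            # 5.4 udp echo
]

# The same entries with every deny first and one permit at the end.
CORRECTED = [ace for ace in AS_WRITTEN if ace[0] == "deny"] + [("permit", "ip", ANY, ANY, None)]

# Constructed sample traffic arriving inbound on serial 0/0 from an outside host
# toward the first static-NAT server address.
SAMPLES = {
    "telnet": Packet("tcp", "203.0.113.9", "202.206.222.1", 23),
    "http": Packet("tcp", "203.0.113.9", "202.206.222.1", 80),
    "snmp": Packet("udp", "203.0.113.9", "202.206.222.1", 161),
    "ping": Packet("icmp", "203.0.113.9", "202.206.222.1", 8),
    "ping-reply": Packet("icmp", "203.0.113.9", "202.206.222.1", 0),
}


def compare() -> dict:
    """Verdict of both lists for each sample: {name: (as_written, corrected)}."""
    return {name: (evaluate(AS_WRITTEN, p), evaluate(CORRECTED, p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print("shadowed entries in the original order:", shadowed(AS_WRITTEN))
    for name, (before, after) in compare().items():
        print(f"{name:10s} as written: {before:6s} corrected: {after}")
```

In the original order only the two SNMP denies are live; telnet, rlogin, NFS and ping all pass because entry 3 permits everything. On a real router the same check is "show access-lists 101": an entry that never accumulates matches while traffic it should catch is flowing is a sign of shadowing.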
5.5 Protect the router itself
Only addresses from the server group are allowed to log in to and configure the router; the access-class command applies a standard ACL to the VTY lines (it covers SSH as well as telnet). The ACL is defined first, with the wildcard 0.0.0.255 for a /24.
R (config) # access-list 2 permit 192.168.100.0 0.0.0.255
R (config) # line vty 0 4
R (config-line) # access-class 2 in
R (config-line) # exit
6. Remote access module design
It provides remote and mobile access for home-office users and employees on business trips.
Three service types are available for remote access: leased line, circuit switching and packet switching. This example uses an asynchronous dial-up connection.
6.1 Physical line configuration: line speed (between DTE and DCE), stop bits, flow control method, the protocols accepted on incoming calls, and the permitted call direction. modem inout allows both incoming and outgoing calls; transport input all accepts every protocol on the line, so the PPP authentication in 6.4 is the only gate on who gets in.
R (config) # line 97
R (config-line) # modem inout
R (config-line) # transport input all
R (config-line) # stopbits 1
R (config-line) # speed 115200
R (config-line) # flowcontrol hardware
6.2 Interface configuration: encapsulation protocol, asynchronous mode (dedicated means the line is used only for PPP, never for an interactive exec), IP address, and the way client addresses are allocated.
R (config) # interface async 97
R (config-if) # ip address 192.168.200.100 255.255.255.0
R (config-if) # encapsulation ppp
R (config-if) # async mode dedicated
R (config-if) # peer default ip address pool rasclients
6.3 create a local IP address pool named rasclients
R (config) # ip local pool rasclients 192.168.200.1 192.168.200.16
6.4 Configure authentication (applied on the async interface from 6.2)
PPP offers two authentication methods: PAP (password authentication protocol) and CHAP (challenge handshake authentication protocol). PAP is used in this example. PAP sends the username and password over the link in the clear, and the username line stores the password in the running configuration as cleartext (type 0) unless service password-encryption is on; CHAP never puts the secret on the wire and should be preferred whenever the dial-in clients support it.
R (config) # username remoteuser password cisco
R (config) # interface
R (config-if) # ppp authentication pap
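To make the difference between the two methods concrete, the following Python example, added here and not part of the original article, encodes a PAP Authenticate-Request (RFC 1334) and a CHAP Challenge/Response exchange (RFC 1994) for the remoteuser account defined above. It shows that the shared secret appears verbatim in the PAP frame but never in the CHAP frame, and that a captured CHAP response is useless against a fresh challenge. The USERS table and all function names are the example's own; the 16-byte challenge length is a choice (RFC 1994 allows 1 to 255 octets).

```python
import hashlib
import hmac
import os
import struct

# Dial-in credentials from the page: username remoteuser password cisco
USERS = {"remoteuser": "cisco"}


def pap_authenticate_request(ident: int, name: str, password: str) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code 1, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. The password travels as is."""
    name_b, pw_b = name.encode(), password.encode()
    body = bytes([len(name_b)]) + name_b + bytes([len(pw_b)]) + pw_b
    return bytes([1, ident]) + struct.pack("!H", 4 + len(body)) + body


def pap_verify(frame: bytes) -> bool:
    """What the access server does with the request: compare the cleartext password."""
    code, length = frame[0], struct.unpack("!H", frame[2:4])[0]
    if code != 1 or length != len(frame):
        return False
    n = frame[4]
    name = frame[5:5 + n].decode()
    pw_len = frame[5 + n]
    password = frame[6 + n:6 + n + pw_len]
    stored = USERS.get(name)
    return stored is not None and hmac.compare_digest(stored.encode(), password)


def chap_challenge(ident: int) -> tuple:
    """Authenticator's side: a fresh random Challenge value for this Identifier."""
    return ident, os.urandom(16)


def chap_response_value(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_response(ident: int, challenge: bytes, name: str, secret: str) -> bytes:
    """CHAP Response: Code 2, Identifier, Length, Value-Size, Value, Name."""
    value = chap_response_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + name.encode()
    return bytes([2, ident]) + struct.pack("!H", 4 + len(body)) + body


def chap_verify(frame: bytes, ident: int, challenge: bytes) -> bool:
    """Authenticator recomputes the hash from its stored secret and compares."""
    code, rid, length = frame[0], frame[1], struct.unpack("!H", frame[2:4])[0]
    if code != 2 or rid != ident or length != len(frame):
        return False
    size = frame[4]
    value, name = frame[5:5 + size], frame[5 + size:].decode()
    secret = USERS.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(value, chap_response_value(ident, secret, challenge))


def secret_on_the_wire(frame: bytes, secret: str) -> bool:
    """What a passive tap on the modem line would see."""
    return secret.encode() in frame


if __name__ == "__main__":
    pap = pap_authenticate_request(1, "remoteuser", "cisco")
    print("PAP accepted:", pap_verify(pap), "secret visible:", secret_on_the_wire(pap, "cisco"))
    ident, challenge = chap_challenge(7)
    resp = chap_response(ident, challenge, "remoteuser", "cisco")
    print("CHAP accepted:", chap_verify(resp, ident, challenge),
          "secret visible:", secret_on_the_wire(resp, "cisco"))
```

Note that CHAP needs the authenticator to hold the secret in recoverable form, which is why the page's username line uses password rather than secret; that makes protecting the router configuration itself (section 5.5) part of the dial-in security.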
As for the server configuration, I will post it when I have time. 51cto is great!