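Requirements:
1. Firewall FW1 obtains its IP address on interface G1/0/0 through PPPoE dial-up.
2. FW1 is configured with a trust zone (the internal network, including the servers) and an untrust zone (the external Internet).
3. FW1 is configured with NAPT so that the internal network can reach the Internet.
4. Core switch LSW1 is divided into VLANs, with each interface and its Layer 3 gateway address configured.
5. The core switch is configured with static routes and a DHCP Server.
6. Terminals obtain their addresses automatically through DHCP; servers are configured with static IP addresses.
I. Firewall dial-up Internet access
For the configuration method, see the on-site link: PPPoE network dial-up configuration
PPPoE server configuration (normally provided by the ISP; configured here only to make testing easier)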
[ISP]ip pool ppppool
[ISP-ip-pool-ppppool]network 6.6.6.0 mask 24
[ISP-ip-pool-ppppool]gateway-list 6.6.6.1
[ISP-ip-pool-ppppool]quit
[ISP]interface Virtual-Template 1
[ISP-Virtual-Template1]ip address 6.6.6.1 24
[ISP-Virtual-Template1]remote address pool ppppool
[ISP-Virtual-Template1]quit
[ISP]interface GigabitEthernet0/0/1
[ISP-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1
[ISP-GigabitEthernet0/0/1]quit
[ISP]aaa
[ISP-aaa]local-user us01 password cipher abcd1234
[ISP-aaa]local-user us01 service-type ppp
Firewall dial-up rules
[FW1]dialer-rule 1 ip permit
[FW1]interface Dialer 1
[FW1-Dialer1]link-protocol ppp
[FW1-Dialer1]ppp chap user us01
[FW1-Dialer1]ppp chap password cipher abcd1234
[FW1-Dialer1]ip address ppp-negotiate
[FW1-Dialer1]dialer user us01
[FW1-Dialer1]dialer bundle 1
[FW1-Dialer1]dialer-group 1
[FW1-Dialer1]quit
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1
[FW1-GigabitEthernet1/0/0]quit
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 1.1.1.1 24
II. Firewall NAT address translation configuration
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface Dialer 1
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]quit
[FW1]security-policy
[FW1-policy-security]rule name NATInter
[FW1-policy-security-rule-NATInter]source-zone trust
[FW1-policy-security-rule-NATInter]destination-zone untrust
[FW1-policy-security-rule-NATInter]action permit
[FW1-policy-security-rule-NATInter]quit
[FW1-policy-security]quit
[FW1]nat-policy
[FW1-policy-nat]rule name NATPolicy
[FW1-policy-nat-rule-NATPolicy]source-zone trust
[FW1-policy-nat-rule-NATPolicy]destination-zone untrust
[FW1-policy-nat-rule-NATPolicy]action nat easy-ip
Static route configuration
[FW1]ip route-static 0.0.0.0 0 Dialer 1
[FW1]ip route-static 1.1.10.0 255.255.255.0 1.1.1.2
[FW1]ip route-static 1.1.20.0 255.255.255.0 1.1.1.2
[FW1]ip route-static 1.1.100.0 255.255.255.0 1.1.1.2
III. Core switch VLAN assignment and interface Layer 3 gateway configuration
[LSW1]vlan batch 5 10 20 100
[LSW1]interface Vlanif 5
[LSW1-Vlanif5]ip address 1.1.1.2 24
[LSW1-Vlanif5]quit
[LSW1]interface GigabitEthernet 0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 5
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]interface GigabitEthernet 0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 10
[LSW1-GigabitEthernet0/0/2]quit
[LSW1]interface GigabitEthernet 0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type access
[LSW1-GigabitEthernet0/0/3]port default vlan 20
[LSW1-GigabitEthernet0/0/3]quit
[LSW1]interface GigabitEthernet 0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type access
[LSW1-GigabitEthernet0/0/4]port default vlan 100
[LSW1-GigabitEthernet0/0/4]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip address 1.1.10.1 24
[LSW1-Vlanif10]quit
[LSW1]interface Vlanif 20
[LSW1-Vlanif20]ip address 1.1.20.1 24
[LSW1-Vlanif20]quit
[LSW1]interface Vlanif 100
[LSW1-Vlanif100]ip address 1.1.100.1 24
[LSW1-Vlanif100]quit
Static route configuration
[LSW1]ip route-static 0.0.0.0 0 1.1.1.1
IV. Core switch DHCP Server configuration
[LSW1]dhcp enable
[LSW1]ip pool pvlan10
[LSW1-ip-pool-pvlan10]network 1.1.10.0 mask 24
[LSW1-ip-pool-pvlan10]gateway-list 1.1.10.1
[LSW1-ip-pool-pvlan10]dns-list 7.7.7.7
[LSW1-ip-pool-pvlan10]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]dhcp select global
[LSW1-Vlanif10]quit
[LSW1]ip pool pvlan20
[LSW1-ip-pool-pvlan20]network 1.1.20.0 mask 24
[LSW1-ip-pool-pvlan20]gateway-list 1.1.20.1
[LSW1-ip-pool-pvlan20]dns-list 7.7.7.7
[LSW1-ip-pool-pvlan20]quit
[LSW1]interface Vlanif 20
[LSW1-Vlanif20]dhcp select global
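A consistency check for an addressing plan like the one above, added here as an example and not part of the original lab: it reads pasted CLI lines and flags DHCP pools whose network has host bits set, whose gateway lies outside the pool, or whose subnet has no return route on the firewall. The function names parse and check, the pool pvlan30 and the sample lines are constructed for illustration.

```python
import ipaddress

# Constructed sample in this page's prompt style. pvlan20 and pvlan30 carry
# deliberate mistakes so that the check has something to report.
SAMPLE = """\
[FW1]ip route-static 0.0.0.0 0 Dialer 1
[FW1]ip route-static 1.1.10.0 255.255.255.0 1.1.1.2
[FW1]ip route-static 1.1.20.0 255.255.255.0 1.1.1.2
[LSW1]ip pool pvlan10
[LSW1-ip-pool-pvlan10]network 1.1.10.0 mask 24
[LSW1-ip-pool-pvlan10]gateway-list 1.1.10.1
[LSW1]ip pool pvlan20
[LSW1-ip-pool-pvlan20]network 1.1.20.1 mask 24
[LSW1-ip-pool-pvlan20]gateway-list 1.1.20.1
[LSW1]ip pool pvlan30
[LSW1-ip-pool-pvlan30]network 1.1.30.0 mask 24
[LSW1-ip-pool-pvlan30]gateway-list 1.1.3.1
"""

def parse(text):
    # Returns ({pool: {"network": (addr, mask), "gateway": addr}}, [routed nets]).
    pools, routes, cur = {}, [], None
    for line in text.splitlines():
        tok = line.split("]", 1)[-1].split()          # drop the "[view]" prompt
        if tok[:2] == ["ip", "pool"]:
            cur = pools.setdefault(tok[2], {})
        elif tok[:1] == ["network"] and cur is not None:
            cur["network"] = (tok[1], tok[3])
        elif tok[:1] == ["gateway-list"] and cur is not None:
            cur["gateway"] = tok[1]
        elif tok[:2] == ["ip", "route-static"] and tok[2] != "0.0.0.0":
            routes.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}"))
    return pools, routes

def check(text):
    # One finding string per inconsistency; an empty list means the plan agrees.
    pools, routes = parse(text)
    findings = []
    for name, p in pools.items():
        iface = ipaddress.ip_interface("/".join(p["network"]))
        net = iface.network
        if iface.ip != net.network_address:
            findings.append(f"{name}: network {iface.ip} has host bits set, "
                            f"expected {net.network_address}")
        if ipaddress.ip_address(p["gateway"]) not in net:
            findings.append(f"{name}: gateway {p['gateway']} is outside {net}")
        if not any(net.subnet_of(r) for r in routes):
            findings.append(f"{name}: no return route for {net} on the firewall")
    return findings
```

Calling check(SAMPLE) returns three findings, one for pvlan20 and two for pvlan30. The default route is excluded from the return-route test because it would match every subnet.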
V. Testing