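→ Link to the Bilibili video; thanks to the creator ←
→ eNSP Small and Medium Campus Network Topology Build (Part 2) ←
The topology diagram without the configuration commands has been uploaded.
Project background:
- A company is building a new network for office use. The office building has three floors: a reception hall on the first floor, the administration and marketing departments on the second floor, and the R&D department on the third floor. The first floor houses the core equipment room, and each of the other floors has a small room for network equipment.
- Terminal distribution in the network: the first floor has 10 wired terminals; the second and third floors each have 200 wired terminals and 50 wireless terminals. Within the enterprise network, traffic is mainly internal, and wired terminals must be guaranteed at least 100 Mbps access.
- In the network design, the second- and third-floor networks need a degree of redundancy and failover so that services are not interrupted by a failure. For security reasons, network traffic must be controlled to some extent. At the campus egress, the Internet connection uses a static IP address.
Reception hall, administration and marketing departments, R&D department, FTP server, external network
Basic requirements:
- Only the guest area may access the Internet; it may not access other departments
- The marketing and administration departments may access each other but may not access the R&D department
- The R&D department is the company's core department and holds its core data; it may access only the FTP server and may not access other departments or the Internet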
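Security tuning:
- Layer 2 security
  - Ensure the root bridge position in the layer 2 network cannot be preempted (root protection)
  - Ensure interfaces connected to terminals cannot receive and process BPDUs (BPDU protection)
  - Interfaces connected to terminals must enter the forwarding state quickly (edge port)
  - To defend against MAC flooding attacks, limit the number of MAC addresses learned on the switch (port security)
- Layer 3 security
  - Only the guest area may access the Internet; it may not access any other department
  - The marketing and administration departments may access each other but may not access the R&D department
  - The R&D department is the company's core department and holds its core data; it may access only the FTP server and may not access other departments or the Internet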
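One way to check the layer 2 items in the list above on an access switch, as an added example that is not part of the original post: the script audits a configuration for BPDU protection, edge ports and port security. The sample configuration is constructed, and `parse_stanzas`, `audit_access_ports` and `ACCESS_PORT_CHECKS` are names chosen here; root protection belongs on the aggregation switches' downlinks and is not checked.

```python
# Constructed sample in Huawei VRP syntax. GE0/0/1 and GE0/0/2 follow SW1 on
# this page with hardening added; GE0/0/4 is a hypothetical unhardened port.
SAMPLE_CONFIG = """\
stp bpdu-protection
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 stp edged-port enable
 port-security enable
 port-security max-mac-num 2
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 10
"""

ACCESS_PORT_CHECKS = {
    "stp edged-port enable": "not an edge port",
    "port-security enable": "port security disabled",
}

def parse_stanzas(config):
    """Split a VRP configuration into {"global" or interface name: [commands]}."""
    stanzas, current = {"global": []}, "global"
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("", "#"):
            current = "global"  # "#" closes the current stanza
        else:
            stanzas[current].append(line)
    return stanzas

def audit_access_ports(config):
    """Return sorted (port, finding) pairs for missing layer 2 hardening."""
    stanzas = parse_stanzas(config)
    findings = []
    if "stp bpdu-protection" not in stanzas["global"]:
        findings.append(("global", "BPDU protection not enabled"))
    for port, cmds in stanzas.items():
        if "port link-type access" in cmds:  # trunks are not terminal-facing
            findings += [(port, why) for cmd, why in ACCESS_PORT_CHECKS.items()
                         if cmd not in cmds]
    return sorted(findings)
```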
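VLAN design
- The access switch in the core equipment room connects directly to the servers, and all servers belong to the same VLAN
- The first-floor guest hall gets its own VLAN
- The second-floor administration and marketing departments belong to different VLANs
- The third-floor R&D department is planned into a different VLAN
- All interconnect interfaces between switches must explicitly permit only the required VLANs (permitting all is not allowed)
- Also reserve a device interconnect VLAN and a device management VLAN; each switch must be configured with a management VLAN to ease later monitoring and management
SW1 to SW4, SW7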
#
vlan batch 10 20 30 40 100 200
#
SW1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
SW2
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
SW3
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
SW4
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 40
#
SW7
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
SW5
#
vlan batch 10 20 30 40 51 52 61 62 100 200
#
// Link aggregation
[SW5]int Eth-Trunk 1
[SW5-Eth-Trunk1]trunkport g0/0/11
[SW5-Eth-Trunk1]trunkport g0/0/12
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 51
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 52
#
SW6
#
vlan batch 10 20 30 40 51 52 61 62 100 200
#
// Link aggregation
[SW6]int Eth-Trunk 1
[SW6-Eth-Trunk1]trunkport g0/0/11
[SW6-Eth-Trunk1]trunkport g0/0/12
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 62
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 61
#
SW8
[SW8]vlan batch 18 28 100
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 18
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 28
#
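Layer 2 loop elimination
- Use MSTP for loop prevention; all switches are in the same MSTP region, with the region name tjise
- The spanning-tree root bridges must be concentrated at the aggregation layer and, anticipating the later VRRP deployment, the VRRP master must be the same device as the MSTP root bridge to avoid suboptimal paths.
- For multiple links between devices, use link aggregation to eliminate loops
SW1 to SW7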
#
stp region-configuration
region-name tjise
instance 1 vlan 10
instance 2 vlan 20 30
instance 4 vlan 40
instance 5 vlan 200
active region-configuration
#
SW5
[SW5]stp instance 1 root primary
[SW5]stp instance 2 root primary
[SW5]stp instance 4 root secondary
[SW5]stp instance 5 root secondary
SW6
[SW6]stp instance 1 root secondary
[SW6]stp instance 2 root secondary
[SW6]stp instance 4 root primary
[SW6]stp instance 5 root primary
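Layer 3 network design
- Network address planning
  - The IP address design must correspond to the VLAN numbers
  - Except for device interconnect VLANs, management VLANs and server IP addresses, all other terminal IP addresses are assigned dynamically by DHCP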
SW5
#
interface Vlanif10
ip address 192.168.10.5 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
#
interface Vlanif20
ip address 192.168.20.5 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
#
interface Vlanif30
ip address 192.168.30.5 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
#
interface Vlanif40
ip address 192.168.40.5 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
#
interface Vlanif51
ip address 192.168.51.5 255.255.255.0
#
interface Vlanif52
ip address 192.168.52.5 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.5 255.255.255.0
vrrp vrid 200 virtual-ip 192.168.200.254
#
SW6
#
interface Vlanif10
ip address 192.168.10.6 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif20
ip address 192.168.20.6 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif30
ip address 192.168.30.6 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif40
ip address 192.168.40.6 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120
#
interface Vlanif61
ip address 192.168.61.6 255.255.255.0
#
interface Vlanif62
ip address 192.168.62.6 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.6 255.255.255.0
vrrp vrid 200 virtual-ip 192.168.200.254
vrrp vrid 200 priority 120
#
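The requirement that the VRRP master match the MSTP root bridge can be checked mechanically. This added example (not from the original post) reads the MSTP and VRRP lines of the SW5 and SW6 configuration above and reports any VLAN where the two roles land on different switches; the function names are chosen here, and it assumes the vrid equals the VLAN ID, as in this configuration.

```python
import re

# Constructed input: the MSTP and VRRP lines this check reads, taken from the
# SW5/SW6 configuration on this page (vrid equals the VLAN ID there).
REGION = "instance 1 vlan 10\ninstance 2 vlan 20 30\ninstance 4 vlan 40\ninstance 5 vlan 200"
SWITCHES = {
    "SW5": """stp instance 1 root primary
stp instance 2 root primary
vrrp vrid 10 priority 120
vrrp vrid 20 priority 120
vrrp vrid 30 priority 120
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 200 virtual-ip 192.168.200.254""",
    "SW6": """stp instance 4 root primary
stp instance 5 root primary
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 40 priority 120
vrrp vrid 200 priority 120""",
}

def mstp_roots(region, switches):
    """Map each VLAN to the switch that is root primary of its MSTP instance."""
    roots = {}
    for inst, vlans in re.findall(r"instance (\d+) vlan ([\d ]+)", region):
        for name, cfg in switches.items():
            if re.search(rf"stp instance {inst} root primary", cfg):
                roots.update({int(v): name for v in vlans.split()})
    return roots

def vrrp_masters(switches):
    """Map each vrid to the switch with the highest priority (None on a tie)."""
    prios = {}
    for name, cfg in switches.items():
        for vrid in set(re.findall(r"vrrp vrid (\d+) ", cfg)):
            m = re.search(rf"vrrp vrid {vrid} priority (\d+)", cfg)
            prio = int(m.group(1)) if m else 100  # 100 is the VRRP default
            prios.setdefault(int(vrid), []).append((prio, name))
    masters = {}
    for vrid, entries in prios.items():
        (p1, top), (p2, _) = (sorted(entries, reverse=True) + [(-1, None)])[:2]
        masters[vrid] = top if p1 > p2 else None
    return masters

def misaligned_vlans(region, switches):
    """Return VLANs whose VRRP master differs from the MSTP root for that VLAN."""
    roots, masters = mstp_roots(region, switches), vrrp_masters(switches)
    return sorted(v for v in masters if masters[v] != roots.get(v))
```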
SW8
#
interface Vlanif18
ip address 192.168.18.8 255.255.255.0
#
interface Vlanif28
ip address 192.168.28.8 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.8 255.255.255.0
#
Server-ftp
AR1
#
interface GigabitEthernet0/0/0
ip address 192.168.51.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.52.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.13.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.18.1 255.255.255.0
#
interface GigabitEthernet4/0/0
ip address 192.168.12.1 255.255.255.0
#
AR2
#
interface GigabitEthernet0/0/0
ip address 192.168.62.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.61.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.23.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.28.2 255.255.255.0
#
interface GigabitEthernet4/0/0
ip address 192.168.12.2 255.255.255.0
#
AR3
#
interface GigabitEthernet0/0/0
ip address 123.123.123.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.13.3 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.23.3 255.255.255.0
#
interface GigabitEthernet4/0/0
ip address 123.123.124.3 255.255.255.0
#
Server2
Configure DHCP
AR-DHCP
#
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.5 192.168.10.6
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.5 192.168.20.6
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.5 192.168.30.6
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.5 192.168.40.6
#
[AR-DHCP]dhcp en
#
interface GigabitEthernet0/0/0
ip address 192.168.200.1 255.255.255.0
dhcp select global
#
SW5 SW6
[SW5]dhcp en
[SW5]int vlan 10
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.200.1
[SW5]int vlan 20
[SW5-Vlanif20]dhcp select relay
[SW5-Vlanif20]dhcp relay server-ip 192.168.200.1
[SW5]int vlan 30
[SW5-Vlanif30]dhcp select relay
[SW5-Vlanif30]dhcp relay server-ip 192.168.200.1
[SW5]int vlan 40
[SW5-Vlanif40]dhcp select relay
[SW5-Vlanif40]dhcp relay server-ip 192.168.200.1
The PC successfully obtains an IP address.