Switching Lab Project

Published 2025-12-23


I. Overall design summary

1) Tiers and roles

  • Beijing headquarters
    • Core Layer 3 switch L3-SW-BJ: Layer 3 gateway (SVI) for every VLAN, inter-VLAN routing, DHCP (optional), some of the ACLs (optional), and OSPF
    • Access Layer 2 switches SW1-BJ / SW2-BJ: end-host ports (access mode) and trunk uplinks
    • Border router R-BJ: connects to the ISP, does NAT (including the static DMZ mappings), runs OSPF inside the enterprise plus a default route to the ISP, and carries the "outside may only reach the DMZ" border ACL
    • DMZ (VLAN100): web, mail and file servers with static IPs, published to the outside
  • Shanghai branch
    • Layer 3 switch L3-SW-SH: local VLAN gateways, DHCP, OSPF
    • Access switch SW-SH: end-host ports + trunk uplink
    • Router R-SH: WAN link to Beijing, OSPF
  • Shenzhen branch
    • Layer 3 switch L3-SW-SZ: local VLAN gateways, DHCP, OSPF
    • Access switch SW-SZ: end-host ports + trunk uplink
    • Router R-SZ: WAN link to Beijing, OSPF
  • ISP router: simulates the public Internet (a loopback stands in for "the Internet")

2) VLAN and address plan (the core logic)

The VLAN and subnet plan in your document, isolated by department:

  • Beijing: VLAN10 R&D, VLAN20 Marketing, VLAN30 Finance, VLAN40 Admin, VLAN100 DMZ
  • Shanghai: VLAN50 Sales, VLAN60 Technical Support
  • Shenzhen: VLAN70 Production Management, VLAN80 Quality Control

Subnets are /24s and every gateway is the .254 address (easy to remember and to operate). Note that from VLAN50 onward the VLAN number and the third octet no longer match, so read the table rather than guessing:

  • VLAN10: 192.168.10.0/24, gateway 192.168.10.254
  • VLAN20: 192.168.20.0/24, gateway 192.168.20.254
  • VLAN30: 192.168.30.0/24, gateway 192.168.30.254
  • VLAN40: 192.168.40.0/24, gateway 192.168.40.254
  • VLAN100 (DMZ): 192.168.50.0/24, gateway 192.168.50.254
  • VLAN50: 192.168.60.0/24, gateway 192.168.60.254
  • VLAN60: 192.168.70.0/24, gateway 192.168.70.254
  • VLAN70: 192.168.80.0/24, gateway 192.168.80.254
  • VLAN80: 192.168.90.0/24, gateway 192.168.90.254

WAN links use /30s (one point-to-point pair per link, no wasted addresses).
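Before typing any configuration it is worth checking the plan itself. The Python script below is an added example, not part of the original write-up or the lab files: it encodes the nine subnets and gateways above, the /30 links the device configurations later in this post use (10.1.1.0/30, 10.1.2.0/30, 10.1.3.0/30, 10.2.1.0/30, 10.3.1.0/30 and 200.1.1.0/30), and R-BJ's PAT source ACL (access-list 1 permit 192.168.0.0 0.0.255.255). It then reports overlapping prefixes, gateways that are not the last usable host of their subnet, subnets the PAT ACL would miss (their users could never reach the Internet) and WAN links the ACL wrongly covers. The wildcard-to-prefix helper applies the same inverted-mask rule IOS uses for access-list and OSPF network statements.

```python
"""Address-plan sanity check for the three-site lab.

Added example, not part of the original write-up. It encodes only what the page states: the
nine /24 user and DMZ subnets with .254 gateways, the /30 links used in the device configs,
and R-BJ's PAT source ACL (access-list 1 permit 192.168.0.0 0.0.255.255).
"""
import ipaddress

# (site, VLAN, subnet, gateway) exactly as planned on the page
VLAN_PLAN = [
    ("BJ", 10, "192.168.10.0/24", "192.168.10.254"),
    ("BJ", 20, "192.168.20.0/24", "192.168.20.254"),
    ("BJ", 30, "192.168.30.0/24", "192.168.30.254"),
    ("BJ", 40, "192.168.40.0/24", "192.168.40.254"),
    ("BJ", 100, "192.168.50.0/24", "192.168.50.254"),
    ("SH", 50, "192.168.60.0/24", "192.168.60.254"),
    ("SH", 60, "192.168.70.0/24", "192.168.70.254"),
    ("SZ", 70, "192.168.80.0/24", "192.168.80.254"),
    ("SZ", 80, "192.168.90.0/24", "192.168.90.254"),
]

# point-to-point /30s from the device configs
WAN_LINKS = {
    "L3-SW-BJ<->R-BJ": "10.1.1.0/30",
    "R-BJ<->R-SH": "10.1.2.0/30",
    "R-BJ<->R-SZ": "10.1.3.0/30",
    "R-SH<->L3-SW-SH": "10.2.1.0/30",
    "R-SZ<->L3-SW-SZ": "10.3.1.0/30",
    "R-BJ<->ISP": "200.1.1.0/30",
}

# R-BJ: access-list 1 permit 192.168.0.0 0.0.255.255
NAT_SOURCE_ACL = ("192.168.0.0", "0.0.255.255")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a prefix.

    A wildcard is an inverted mask (0 bit = must match). Only contiguous wildcards have a
    prefix form; anything else raises instead of being silently widened.
    """
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & netmask, prefix))


def find_overlaps(named_prefixes):
    """Every pair of prefixes that overlap; a clean plan returns []."""
    items = [(name, ipaddress.IPv4Network(p)) for name, p in named_prefixes]
    return [(a, b) for i, (a, na) in enumerate(items) for b, nb in items[i + 1:] if na.overlaps(nb)]


def bad_gateways(plan):
    """Gateways that are not the last usable host (.254 in a /24) of their own subnet."""
    out = []
    for site, vlan, subnet, gw in plan:
        net = ipaddress.IPv4Network(subnet)
        if ipaddress.IPv4Address(gw) != net.broadcast_address - 1:
            out.append((site, vlan, gw))
    return out


def nat_coverage(plan, wan_links, acl):
    """Subnets the PAT ACL misses (users who never reach the Internet) and WAN links it wrongly covers."""
    nat_net = wildcard_to_network(*acl)
    missed = [s for _, _, s, _ in plan if not ipaddress.IPv4Network(s).subnet_of(nat_net)]
    wan_hit = [n for n, p in wan_links.items() if ipaddress.IPv4Network(p).overlaps(nat_net)]
    return missed, wan_hit


def run_checks(plan=VLAN_PLAN, wan_links=WAN_LINKS, acl=NAT_SOURCE_ACL):
    named = [(f"{site} VLAN{vlan}", s) for site, vlan, s, _ in plan] + list(wan_links.items())
    missed, wan_hit = nat_coverage(plan, wan_links, acl)
    return {"overlaps": find_overlaps(named), "bad_gateways": bad_gateways(plan),
            "subnets_not_natted": missed, "wan_links_natted": wan_hit}


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check:20s} {'OK' if not result else result}")
```

Every check comes back empty for the plan as written. Replace the PAT ACL with `permit any` (wildcard 255.255.255.255) and the script flags all six WAN links as translated; mistype a Shanghai subnet as 192.168.10.0/24 and it reports the overlap with Beijing's R&D VLAN.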


Three things that decide whether traffic flows

  1. Layer 2: access ports in the right VLAN + uplink trunks that allow those VLANs
  2. Layer 3: ip routing enabled on the L3 switch + one SVI per VLAN
  3. Between sites: Beijing/Shanghai/Shenzhen run OSPF, with the WAN links advertised into OSPF

DHCP (automatic addressing)

  • PCs in every VLAN use DHCP
  • Servers use static IPs (keep them low in the range, e.g. .10 to .20)
  • Exclude the gateway and the server range from DHCP; a pool that starts at .100 is the safest (your document already reflects this exclusion idea)

NAT (internal hosts out to the Internet + DMZ published inward)

  • Internal hosts reaching the Internet: PAT (overload)
  • DMZ servers reachable from outside: static NAT (port forwarding or 1:1)
  • NAT is done on R-BJ (the border device is the only sensible place)

ACL (least privilege)

Your security goals are:

  • Finance (VLAN30) cannot reach other departments, but can reach the DMZ file server and the Internet
  • The DMZ cannot initiate connections into the internal network, but may answer requests from it (the usual "tcp established" approach)
  • The outside can only reach the DMZ, never the internal network
  • All other departments can talk to each other by default

Usual placement:

  • The finance ACL goes inbound on VLAN30 of L3-SW-BJ (drop the traffic as close to its source as possible)
  • The outside-to-inside restriction goes inbound on the Internet-facing interface of R-BJ
  • The DMZ-to-inside restriction goes inbound on VLAN100 (catches traffic the DMZ initiates); the reply-permitting entries must sit above the deny, or the DMZ cannot answer anyone
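The three ACLs only deliver the stated policy if each entry list is in the right order: IOS takes the first matching line and drops whatever nothing matched. The script below is an added example (not from the original write-up) that models that evaluation for extended ACLs, including wildcard masks, `eq` ports and the `established` keyword, and runs the page's security goals against the finance ACL and two versions of the DMZ ACL: one where the deny sits first, and one where TCP replies are permitted ahead of it, as the "tcp established" goal requires. The hosts 192.168.30.5 and 192.168.20.5 are assumed test addresses, 192.168.50.12 is the file server the ACL section assumes, and ICMP type keywords are not modelled.

```python
"""Simulate IOS extended-ACL evaluation and test the lab's ACLs against the stated policy.

Added example, not part of the original write-up. IOS tries entries top-down, the first match
decides, and anything unmatched hits the implicit deny. 'established' matches only TCP segments
with ACK or RST set (replies), which is how a server may answer without being allowed to initiate.
Addresses and ports are the page's; 192.168.50.12 is the file server the ACL section assumes.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "bootps": 67, "bootpc": 68}

# ack_or_rst models the TCP flags that 'established' keys on (ICMP types are not modelled)
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))
Ace = namedtuple("Ace", "action proto src dst sport dport established")

def _addr(t):
    """Consume one address spec: any | host A | A WILDCARD (use host/any, not 0.0.0.0 or all-ones wildcards)."""
    if t[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.IPv4Network(t[1] + "/32"), t[2:]
    # a contiguous IOS wildcard is exactly ipaddress's "hostmask" notation
    return ipaddress.IPv4Network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _port(t):
    """Consume an optional 'eq <number|name>'."""
    if t[:1] != ["eq"]:
        return None, t
    return (int(t[1]) if t[1].isdigit() else PORT_NAMES[t[1]]), t[2:]

def parse_ace(line):
    """Parse one ACE such as 'permit tcp 192.168.50.0 0.0.0.255 any eq 80 established'."""
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    sport, t = _port(t)
    dst, t = _addr(t)
    dport, t = _port(t)
    return Ace(action, proto, src, dst, sport, dport, t[:1] == ["established"])

def parse_acl(text):
    """Parse an ACL body; 'remark' lines are ignored, as on IOS."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("remark")]

def matches(ace, pkt):
    return (
        ace.proto in ("ip", pkt.proto)
        and ipaddress.IPv4Address(pkt.src) in ace.src
        and ipaddress.IPv4Address(pkt.dst) in ace.dst
        and ace.sport in (None, pkt.sport)
        and ace.dport in (None, pkt.dport)
        and (not ace.established or (pkt.proto == "tcp" and pkt.ack_or_rst))
    )

def evaluate(acl, pkt):
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

# ACL_FINANCE_IN inbound on Vlan30: the page's entries plus an explicit DHCP permit
FINANCE_IN = parse_acl("""
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.30.0 0.0.0.255 host 192.168.50.12
 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.30.0 0.0.0.255 any
""")

# ACL_DMZ_IN as first drafted: the deny sits before any reply handling
DMZ_IN_ORIGINAL = parse_acl("""
 deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.50.0 0.0.0.255 any
""")

# ACL_DMZ_IN with replies permitted ahead of the deny
DMZ_IN_FIXED = parse_acl("""
 permit tcp 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.50.0 0.0.0.255 any
""")

def check_policy(finance_in, dmz_in):
    """The page's goals as concrete packets; True means the ACL behaves as required."""
    fin, mkt, fs, web = "192.168.30.5", "192.168.20.5", "192.168.50.12", "192.168.50.10"
    return {
        "finance -> file server": evaluate(finance_in, Packet("tcp", fin, fs, 50000, 445)) == "permit",
        "finance -> marketing blocked": evaluate(finance_in, Packet("tcp", fin, mkt, 50000, 80)) == "deny",
        "finance -> DMZ web blocked": evaluate(finance_in, Packet("tcp", fin, web, 50000, 80)) == "deny",
        "finance -> Internet": evaluate(finance_in, Packet("udp", fin, "8.8.8.8", 50000, 53)) == "permit",
        "finance DHCP discover": evaluate(finance_in, Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)) == "permit",
        "DMZ reply to finance": evaluate(dmz_in, Packet("tcp", fs, fin, 445, 50000, ack_or_rst=True)) == "permit",
        "DMZ SYN to marketing blocked": evaluate(dmz_in, Packet("tcp", fs, mkt, 40000, 22)) == "deny",
        "DMZ -> Internet": evaluate(dmz_in, Packet("tcp", web, "8.8.8.8", 40000, 443)) == "permit",
    }
```

`check_policy(FINANCE_IN, DMZ_IN_ORIGINAL)` reports "DMZ reply to finance" as False: a deny placed ahead of the reply rule silently breaks the one DMZ access finance is supposed to have, while every other goal still looks fine. `check_policy(FINANCE_IN, DMZ_IN_FIXED)` passes all eight. The same `evaluate` is handy for the border ACL, where one extra `permit ip any any` at the end turns every unmatched packet into a permit.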

II. Device configuration

Topology diagram


A. Beijing core Layer 3 switch: L3-SW-BJ

enable
conf t
!
hostname L3-SW-BJ
no ip domain-lookup
!
! Key: enable routing on the L3 switch (without it the SVIs do not route between VLANs)
ip routing
!
! ========== VLAN creation ==========
vlan 10
 name R_AND_D
vlan 20
 name MARKETING
vlan 30
 name FINANCE
vlan 40
 name ADMIN
vlan 100
 name DMZ
!
! ========== SVI gateways (per your plan: .254) ==========
interface Vlan10
 description GW_R_AND_D
 ip address 192.168.10.254 255.255.255.0
 no shut
interface Vlan20
 description GW_MARKETING
 ip address 192.168.20.254 255.255.255.0
 no shut
interface Vlan30
 description GW_FINANCE
 ip address 192.168.30.254 255.255.255.0
 no shut
interface Vlan40
 description GW_ADMIN
 ip address 192.168.40.254 255.255.255.0
 no shut
interface Vlan100
 description GW_DMZ
 ip address 192.168.50.254 255.255.255.0
 no shut
!
! ========== Trunk uplinks to the access switches ==========
! 3560-class switches reject "switchport mode trunk" until the encapsulation is set;
! "nonegotiate" turns DTP off so a host on the far side cannot talk the port into trunking
interface GigabitEthernet0/2
 description TRUNK_TO_SW1-BJ
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,100
 switchport nonegotiate
 no shut
interface GigabitEthernet0/3
 description TRUNK_TO_SW2-BJ
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,100
 switchport nonegotiate
 no shut
!
! ========== Routed uplink to R-BJ (/30 WAN subnet, example) ==========
interface GigabitEthernet0/1
 description L3_LINK_TO_R-BJ
 no switchport
 ip address 10.1.1.2 255.255.255.252
 no shut
!
! ========== DHCP (headquarters pools are served from the core switch) ==========
! Exclusions: the gateway and the reserved server range. As written the pools start at .21;
! exclude .1 through .99 instead if you want the .100 start suggested above.
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.1 192.168.20.20
ip dhcp excluded-address 192.168.20.254
ip dhcp excluded-address 192.168.30.1 192.168.30.20
ip dhcp excluded-address 192.168.30.254
ip dhcp excluded-address 192.168.40.1 192.168.40.20
ip dhcp excluded-address 192.168.40.254
ip dhcp excluded-address 192.168.50.1 192.168.50.50
ip dhcp excluded-address 192.168.50.254
!
ip dhcp pool VLAN10_RD
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 8.8.8.8
ip dhcp pool VLAN20_MKT
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
 dns-server 8.8.8.8
ip dhcp pool VLAN30_FIN
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 8.8.8.8
ip dhcp pool VLAN40_ADM
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.254
 dns-server 8.8.8.8
!
! DMZ servers should be static; no DHCP pool is recommended there. Add one only if you really need it.
!
! ========== OSPF (reach the branches and routers) ==========
! passive-interface default: no hellos into the user VLANs or the DMZ, so nothing plugged into an
! access port can form an adjacency and inject routes; only the routed uplink speaks OSPF
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.3 area 0
!
! ========== ACL: finance restrictions (inbound on VLAN30) ==========
! Goal: finance cannot reach other internal departments, but may reach the DMZ file server and the Internet
! Assumed file server: 192.168.50.12
! Order matters: the first matching line wins and an unmatched packet hits the implicit deny.
ip access-list extended ACL_FINANCE_IN
 remark 0) DHCP requests come from 0.0.0.0, which no 192.168.30.0 line matches; permit them explicitly
 permit udp any eq bootpc any eq bootps
 remark 1) Allow finance to reach the DMZ file server (narrow to eq 445 etc. if you can)
 permit ip 192.168.30.0 0.0.0.255 host 192.168.50.12
 remark 2) Block finance from every other internal subnet (10/20/40/60/70/80/90, the rest of the DMZ,
 remark    and pings to the SVI 192.168.30.254 itself; permit icmp to that host above this line if you want them)
 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark 3) Allow finance out to the Internet (NAT happens on R-BJ)
 permit ip 192.168.30.0 0.0.0.255 any
!
interface Vlan30
 ip access-group ACL_FINANCE_IN in
!
! ========== ACL: stop the DMZ initiating into the inside (inbound on VLAN100) ==========
! The reply-permitting lines must come before the deny; a deny first would also drop the file
! server's answers to finance. "established" is stateless (it only checks ACK/RST), so a UDP
! service in the DMZ would need its own reply entry.
ip access-list extended ACL_DMZ_IN
 remark 1) TCP replies to sessions the inside opened, and ping replies
 permit tcp 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 permit icmp 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255 echo-reply
 remark 2) Block anything the DMZ itself starts toward internal subnets
 deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark 3) Allow DMZ to the Internet (tighten to DNS/updates if you can)
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan100
 ip access-group ACL_DMZ_IN in
!
end
wr

B. Beijing access switches: SW1-BJ / SW2-BJ (template)

Both access switches are configured the same way: create the VLANs, trunk the uplink, put the end-host ports in access mode.

enable
conf t
hostname SW1-BJ
no ip domain-lookup
!
vlan 10
 name R_AND_D
vlan 20
 name MARKETING
vlan 30
 name FINANCE
vlan 40
 name ADMIN
vlan 100
 name DMZ
!
interface GigabitEthernet0/1
 description UPLINK_TO_L3-SW-BJ
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,100
 switchport nonegotiate
 no shut
!
! Example: Gi0/2 to Gi0/5 go to R&D PCs
! portfast skips the STP listening/learning delay on host ports; bpduguard shuts the port
! if a switch (or a PC bridging two NICs) ever sends a BPDU into it
interface range GigabitEthernet0/2 - 5
 description RD_PCs
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shut
!
! Example: Gi0/6 to Gi0/8 go to marketing PCs
interface range GigabitEthernet0/6 - 8
 description MKT_PCs
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shut
!
end
wr

C. Beijing border router: R-BJ (OSPF + NAT + outside ACL)

enable
conf t
hostname R-BJ
no ip domain-lookup
!
! ========== Link to L3-SW-BJ ==========
interface GigabitEthernet0/0
 description TO_L3-SW-BJ
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 no shut
!
! ========== Link to the ISP ==========
interface GigabitEthernet0/1
 description TO_ISP
 ip address 200.1.1.2 255.255.255.252
 ip nat outside
 no shut
!
! ========== WAN links to Shanghai and Shenzhen (example /30s) ==========
! These must also be "ip nat inside": branch traffic enters here and leaves through Gi0/1.
! Without it the branches are never translated and never reach the Internet.
interface GigabitEthernet0/2
 description TO_R-SH
 ip address 10.1.2.1 255.255.255.252
 ip nat inside
 no shut
interface GigabitEthernet0/3
 description TO_R-SZ
 ip address 10.1.3.1 255.255.255.252
 ip nat inside
 no shut
!
! ========== Default route to the ISP ==========
ip route 0.0.0.0 0.0.0.0 200.1.1.1
!
! ========== OSPF (inside the enterprise) ==========
! default-information originate advertises the static default to every OSPF speaker, so the L3
! switches need no static default of their own. Gi0/1 is in no network statement, so no OSPF
! runs toward the ISP.
router ospf 1
 router-id 2.2.2.2
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.2.0 0.0.0.3 area 0
 network 10.1.3.0 0.0.0.3 area 0
 default-information originate
!
! ========== NAT: PAT so the whole internal network can get out ==========
! access-list 1 covers every site's 192.168.x.x; the 10.x.x.x /30 links are deliberately not translated
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! ========== NAT: static DMZ publishing (example) ==========
! Option 1: 1:1 static (needs a spare public address)
! ip nat inside source static 192.168.50.10 200.1.1.10
!
! Option 2: port forwarding on the router's own public address (the common case)
! Web (80) -> 192.168.50.10:80
ip nat inside source static tcp 192.168.50.10 80 200.1.1.2 80
! Mail (25) -> 192.168.50.11:25
ip nat inside source static tcp 192.168.50.11 25 200.1.1.2 25
! File (445) only if you truly need it: finance reaches the file server internally without NAT,
! and SMB exposed to the Internet is a classic attack target. Leave it out unless the lab requires it.
ip nat inside source static tcp 192.168.50.12 445 200.1.1.2 445
!
! ========== Outside ACL: the Internet may reach only the published DMZ ports, never the inside ==========
! Inbound on the outside interface the ACL runs before NAT, so destinations are the public address.
! Do not end with "permit ip any any": that opens every port on 200.1.1.2 (router management included)
! and leaves "DMZ only" to NAT alone. With the implicit deny, PAT return traffic needs explicit entries.
ip access-list extended ACL_OUTSIDE_IN
 remark Published DMZ services (exactly the ports you mapped with static NAT; drop 445 unless you must publish SMB)
 permit tcp any host 200.1.1.2 eq 80
 permit tcp any host 200.1.1.2 eq 25
 permit tcp any host 200.1.1.2 eq 445
 remark Replies to sessions the inside opened through PAT (TCP flags / DNS source port / ICMP replies and errors)
 permit tcp any host 200.1.1.2 established
 permit udp any eq domain host 200.1.1.2
 permit icmp any host 200.1.1.2 echo-reply
 permit icmp any host 200.1.1.2 time-exceeded
 permit icmp any host 200.1.1.2 unreachable
 remark Private addresses never legitimately arrive from the Internet; hit counts here are a useful alarm
 deny ip any 192.168.0.0 0.0.255.255
!
interface GigabitEthernet0/1
 ip access-group ACL_OUTSIDE_IN in
!
end
wr

D. Shanghai: L3-SW-SH + SW-SH + R-SH (template)

L3-SW-SH (Layer 3 switch)

enable
conf t
hostname L3-SW-SH
no ip domain-lookup
ip routing
!
vlan 50
 name SALE
vlan 60
 name TECH
!
interface Vlan50
 ip address 192.168.60.254 255.255.255.0
 no shut
interface Vlan60
 ip address 192.168.70.254 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 description TRUNK_TO_SW-SH
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 50,60
 switchport nonegotiate
 no shut
!
! Uplink to R-SH (example: 10.2.1.0/30)
interface GigabitEthernet0/2
 description L3_LINK_TO_R-SH
 no switchport
 ip address 10.2.1.2 255.255.255.252
 no shut
!
! DHCP (served locally in Shanghai)
ip dhcp excluded-address 192.168.60.1 192.168.60.20
ip dhcp excluded-address 192.168.60.254
ip dhcp excluded-address 192.168.70.1 192.168.70.20
ip dhcp excluded-address 192.168.70.254
ip dhcp pool SH_SALE
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.254
 dns-server 8.8.8.8
ip dhcp pool SH_TECH
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.254
 dns-server 8.8.8.8
!
! OSPF only on the routed uplink; the user VLANs stay passive
router ospf 1
 router-id 3.3.3.3
 passive-interface default
 no passive-interface GigabitEthernet0/2
 network 192.168.60.0 0.0.0.255 area 0
 network 192.168.70.0 0.0.0.255 area 0
 network 10.2.1.0 0.0.0.3 area 0
end
wr

SW-SH (access switch)

enable
conf t
hostname SW-SH
no ip domain-lookup
vlan 50
 name SALE
vlan 60
 name TECH
!
interface GigabitEthernet0/1
 description UPLINK_TO_L3-SW-SH
 switchport mode trunk
 switchport trunk allowed vlan 50,60
 switchport nonegotiate
 no shut
!
! Host ports: sales on Gi0/2-10, technical support on Gi0/11-18 (bpduguard protects the STP topology)
interface range GigabitEthernet0/2 - 10
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shut
!
interface range GigabitEthernet0/11 - 18
 switchport mode access
 switchport access vlan 60
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shut
end
wr

R-SH (router)

enable
conf t
hostname R-SH
no ip domain-lookup
!
interface GigabitEthernet0/0
 description TO_R-BJ
 ip address 10.1.2.2 255.255.255.252
 no shut
!
interface GigabitEthernet0/1
 description TO_L3-SW-SH
 ip address 10.2.1.1 255.255.255.252
 no shut
!
router ospf 1
 router-id 4.4.4.4
 network 10.1.2.0 0.0.0.3 area 0
 network 10.2.1.0 0.0.0.3 area 0
end
wr

E. Shenzhen: L3-SW-SZ + SW-SZ + R-SZ (template)

L3-SW-SZ (Layer 3 switch)

enable
conf t
hostname L3-SW-SZ
no ip domain-lookup
ip routing
!
vlan 70
 name PRODUCTION
vlan 80
 name QUALITY
!
interface Vlan70
 ip address 192.168.80.254 255.255.255.0
 no shut
interface Vlan80
 ip address 192.168.90.254 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 description TRUNK_TO_SW-SZ
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 70,80
 switchport nonegotiate
 no shut
!
interface GigabitEthernet0/2
 description L3_LINK_TO_R-SZ
 no switchport
 ip address 10.3.1.2 255.255.255.252
 no shut
!
ip dhcp excluded-address 192.168.80.1 192.168.80.20
ip dhcp excluded-address 192.168.80.254
ip dhcp excluded-address 192.168.90.1 192.168.90.20
ip dhcp excluded-address 192.168.90.254
ip dhcp pool SZ_PROD
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.254
 dns-server 8.8.8.8
ip dhcp pool SZ_QUALITY
 network 192.168.90.0 255.255.255.0
 default-router 192.168.90.254
 dns-server 8.8.8.8
!
! OSPF only on the routed uplink; the user VLANs stay passive
router ospf 1
 router-id 5.5.5.5
 passive-interface default
 no passive-interface GigabitEthernet0/2
 network 192.168.80.0 0.0.0.255 area 0
 network 192.168.90.0 0.0.0.255 area 0
 network 10.3.1.0 0.0.0.3 area 0
end
wr

SW-SZ (access switch)

enable
conf t
hostname SW-SZ
no ip domain-lookup
vlan 70
 name PRODUCTION
vlan 80
 name QUALITY
!
interface GigabitEthernet0/1
 description UPLINK_TO_L3-SW-SZ
 switchport mode trunk
 switchport trunk allowed vlan 70,80
 switchport nonegotiate
 no shut
!
! Host ports: production on Gi0/2-12, quality control on Gi0/13-18 (bpduguard protects the STP topology)
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 70
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shut
!
interface range GigabitEthernet0/13 - 18
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shut
end
wr

R-SZ (router)

enable
conf t
hostname R-SZ
no ip domain-lookup
!
interface GigabitEthernet0/0
 description TO_R-BJ
 ip address 10.1.3.2 255.255.255.252
 no shut
!
interface GigabitEthernet0/1
 description TO_L3-SW-SZ
 ip address 10.3.1.1 255.255.255.252
 no shut
!
router ospf 1
 router-id 6.6.6.6
 network 10.1.3.0 0.0.0.3 area 0
 network 10.3.1.0 0.0.0.3 area 0
end
wr

F. ISP router (simulated Internet)

enable
conf t
hostname ISP
no ip domain-lookup
!
interface GigabitEthernet0/0
 description TO_R-BJ
 ip address 200.1.1.1 255.255.255.252
 no shut
!
! Simulated public "Internet" address (any loopback will do). 8.8.8.8 is also the dns-server the DHCP
! pools hand out, so PCs can ping their "DNS server", but nothing answers DNS queries in this lab.
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
! 200.1.1.0/30 is directly connected on Gi0/0, so the ISP already knows the way back; this static
! route is harmless but redundant. Only a separate public block (option 1, e.g. 200.1.1.10) would
! need a route here, pointing at 200.1.1.2.
ip route 200.1.1.0 255.255.255.252 GigabitEthernet0/0
end
wr

III. Acceptance checks

On every switch and router:

show vlan brief                (host ports in the planned VLAN)
show interfaces trunk          (uplinks trunking, allowed-VLAN list as planned)
show ip interface brief        (SVIs and routed links up/up)
show ip route                  (all nine 192.168.x.0/24 prefixes plus the O*E2 default from R-BJ)
show ip ospf neighbor          (every expected neighbor in FULL)
show access-lists              (hit counts climb on the deny lines when you test from finance or the DMZ)

On R-BJ:

show ip nat translations       (branch PCs must appear here too, not only Beijing hosts)
show ip nat statistics
show ip nat statistics
